Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-8335-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn,
and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco
Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel,
EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard,
LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect,
RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or
its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0601R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Wireless LAN Controller Configuration Guide
Contents
Per-Wireless LAN Assignment 1-10
Per-Interface Assignment 1-10
Security Considerations 1-10
Cisco WLAN Solution Wired Connections 1-11
Cisco WLAN Solution Wireless LANs 1-11
Access Control Lists 1-12
Identity Networking 1-12
Enhanced Integration with Cisco Secure ACS 1-13
File Transfers 1-13
Power over Ethernet 1-14
Pico Cell Functionality 1-14
Intrusion Detection Service (IDS) 1-15
Wireless LAN Controller Platforms 1-15
Cisco 2000 Series Wireless LAN Controllers 1-16
Cisco 4100 Series Wireless LAN Controllers 1-16
Cisco 4400 Series Wireless LAN Controllers 1-17
Cisco 2000 Series Wireless LAN Controller Model Numbers 1-17
Cisco 4100 Series Wireless LAN Controller Model Numbers 1-18
Cisco 4400 Series Wireless LAN Controller Model Numbers 1-18
Startup Wizard 1-19
Cisco Wireless LAN Controller Memory 1-20
Cisco Wireless LAN Controller Failover Protection 1-20
Cisco Wireless LAN Controller Automatic Time Setting 1-21
Cisco Wireless LAN Controller Time Zones 1-21
Network Connections to Cisco Wireless LAN Controllers 1-21
Cisco 2000 Series Wireless LAN Controllers 1-22
Cisco 4100 Series Wireless LAN Controllers 1-22
Cisco 4400 Series Wireless LAN Controllers 1-23
VPN and Enhanced Security Modules for 4100 Series Controllers 1-24
Rogue Access Points 1-24
Rogue Access Point Location, Tagging, and Containment 1-25
Web User Interface and the CLI 1-25
Web User Interface 1-25
Command Line Interface 1-26

Chapter 2 Using the Web-Browser and CLI Interfaces 2-1
Using the Web-Browser Interface 2-2
Guidelines for Using the GUI 2-2
Opening the GUI 2-2
Enabling Web and Secure Web Modes 2-2
Configuring the GUI for HTTPS 2-2
Loading an Externally Generated HTTPS Certificate 2-3
Disabling the GUI 2-5
Using Online Help 2-5
Using the CLI 2-5
Logging into the CLI 2-5
Using a Local Serial Connection 2-6
Using a Remote Ethernet Connection 2-6
Logging Out of the CLI 2-7
Navigating the CLI 2-7
Enabling Wireless Connections to the Web-Browser and CLI Interfaces 2-8

Chapter 3 Configuring Ports and Interfaces 3-1
Overview of Ports and Interfaces 3-2
Ports 3-2
Distribution System Ports 3-3
Service Port 3-4
Interfaces 3-5
Management Interface 3-5
AP-Manager Interface 3-6
Virtual Interface 3-6
Service-Port Interface 3-7
Dynamic Interface 3-7
WLANs 3-8
Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces 3-9
Using the GUI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces 3-9
Using the CLI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces 3-12
Using the CLI to Configure the Management Interface 3-12
Using the CLI to Configure the AP-Manager Interface 3-12
Using the CLI to Configure the Virtual Interface 3-13
Using the CLI to Configure the Service-Port Interface 3-14
Configuring Dynamic Interfaces 3-14
Using the GUI to Configure Dynamic Interfaces 3-14
Using the CLI to Configure Dynamic Interfaces 3-16
Configuring Ports 3-17
Configuring Port Mirroring 3-20
Configuring Spanning Tree Protocol 3-21
Using the GUI to Configure Spanning Tree Protocol 3-22
Using the CLI to Configure Spanning Tree Protocol 3-26
Enabling Link Aggregation 3-27
Link Aggregation Guidelines 3-28
Using the GUI to Enable Link Aggregation 3-29
Using the CLI to Enable Link Aggregation 3-30
Configuring Neighbor Devices to Support LAG 3-30
Configuring a 4400 Series Controller to Support More Than 48 Access Points 3-30
Using Link Aggregation 3-31
Using Multiple AP-Manager Interfaces 3-31
Connecting Additional Ports 3-36

Chapter 4 Configuring Controller Settings 4-1
Using the Configuration Wizard 4-2
Before You Start 4-2
Resetting the Device to Default Settings 4-3
Resetting to Default Settings Using the CLI 4-3
Resetting to Default Settings Using the GUI 4-3
Running the Configuration Wizard on the CLI 4-4
Managing the System Time and Date 4-5
Configuring Time and Date Manually 4-5
Configuring NTP 4-5
Configuring a Country Code 4-5
Enabling and Disabling 802.11 Bands 4-6
Configuring Administrator Usernames and Passwords 4-7
Configuring RADIUS Settings 4-7
Configuring SNMP Settings 4-7
Enabling 802.3x Flow Control 4-8
Enabling System Logging 4-8
Enabling Dynamic Transmit Power Control 4-8
Configuring Multicast Mode 4-9
Understanding Multicast Mode 4-9
Guidelines for Using Multicast Mode 4-9
Enabling Multicast Mode 4-10
Configuring the Supervisor 720 to Support the WiSM 4-10
General WiSM Guidelines 4-10
Configuring the Supervisor 4-11
Using the Wireless LAN Controller Network Module 4-12

Displaying, Creating, Disabling, and Deleting Wireless LANs 6-2
Activating Wireless LANs 6-3
Assigning a Wireless LAN to a DHCP Server 6-3
Configuring MAC Filtering for Wireless LANs 6-3
Enabling MAC Filtering 6-3
Creating a Local MAC Filter 6-3
Configuring a Timeout for Disabled Clients 6-4
Assigning Wireless LANs to VLANs 6-4
Configuring Layer 2 Security 6-4
Dynamic 802.1X Keys and Authorization 6-4
WEP Keys 6-5
Dynamic WPA Keys and Encryption 6-5
Configuring a Wireless LAN for Both Static and Dynamic WEP 6-6
Configuring Layer 3 Security 6-6
IPSec 6-6
IPSec Authentication 6-6
IPSec Encryption 6-6
IKE Authentication 6-7
IKE Diffie-Hellman Group 6-7
IKE Phase 1 Aggressive and Main Modes 6-7
IKE Lifetime Timeout 6-7
IPSec Passthrough 6-8
Web-Based Authentication 6-8
Local Netuser 6-8
Configuring Quality of Service 6-8
Configuring QoS Enhanced BSS (QBSS) 6-9

Chapter 7 Controlling Lightweight Access Points 7-1
Lightweight Access Point Overview 7-2
Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points 7-2
Cisco 1030 Remote Edge Lightweight Access Points 7-3
Cisco 1000 Series Lightweight Access Point Part Numbers 7-4
Cisco 1000 Series Lightweight Access Point External and Internal Antennas 7-4
External Antenna Connectors 7-5
Antenna Sectorization 7-5
Cisco 1000 Series Lightweight Access Point LEDs 7-5
Cisco 1000 Series Lightweight Access Point Connectors 7-6
Cisco 1000 Series Lightweight Access Point Power Requirements 7-6
Cisco 1000 Series Lightweight Access Point External Power Supply 7-7
Cisco 1000 Series Lightweight Access Point Mounting Options 7-7
Cisco 1000 Series Lightweight Access Point Physical Security 7-7
Cisco 1000 Series Lightweight Access Point Monitor Mode 7-7
Using the DNS for Controller Discovery 7-7
Dynamic Frequency Selection 7-8
Autonomous Access Points Converted to Lightweight Mode 7-9
Guidelines for Using Access Points Converted to Lightweight Mode 7-9
Reverting from Lightweight Mode to Autonomous Mode 7-9
Using a Controller to Return to a Previous Release 7-10
Using the MODE Button and a TFTP Server to Return to a Previous Release 7-10
Controllers Accept SSCs from Access Points Converted to Lightweight Mode 7-11
Using DHCP Option 43 7-11
Using a Controller to Send Debug Commands to Access Points Converted to Lightweight Mode 7-11
Converted Access Points Send Crash Information to Controller 7-12
Converted Access Points Send Radio Core Dumps to Controller 7-12
Enabling Memory Core Dumps from Converted Access Points 7-12
Display of MAC Addresses for Converted Access Points 7-12
Disabling the Reset Button on Access Points Converted to Lightweight Mode 7-13
Configuring a Static IP Address on an Access Point Converted to Lightweight Mode 7-13

Chapter 8 Managing Controller Software and Configurations 8-1
Transferring Files to and from a Controller 8-2
Upgrading Controller Software 8-2
Saving Configurations 8-4
Clearing the Controller Configuration 8-4
Erasing the Controller Configuration 8-4
Resetting the Controller 8-5

Chapter 9 Configuring Radio Resource Management 9-1
Overview of Radio Resource Management 9-2
Radio Resource Monitoring 9-2
Dynamic Channel Assignment 9-3
Dynamic Transmit Power Control 9-4
Coverage Hole Detection and Correction 9-4
Client and Network Load Balancing 9-4
RRM Benefits 9-5
Overview of RF Groups 9-5
RF Group Leader 9-5
RF Group Name 9-6
Configuring an RF Group 9-6
Using the GUI to Configure an RF Group 9-7
Using the CLI to Configure RF Groups 9-8
Viewing RF Group Status 9-8
Using the GUI to View RF Group Status 9-8
Using the CLI to View RF Group Status 9-11
Enabling Rogue Access Point Detection 9-12
Using the GUI to Enable Rogue Access Point Detection 9-12
Using the CLI to Enable Rogue Access Point Detection 9-15
Configuring Dynamic RRM 9-15
Using the GUI to Configure Dynamic RRM 9-16
Using the CLI to Configure Dynamic RRM 9-22
Overriding Dynamic RRM 9-23
Statically Assigning Channel and Transmit Power Settings to Access Point Radios 9-24
Using the GUI to Statically Assign Channel and Transmit Power Settings 9-24
Using the CLI to Statically Assign Channel and Transmit Power Settings 9-26
Disabling Dynamic Channel and Power Assignment Globally for a Controller 9-27
Using the GUI to Disable Dynamic Channel and Power Assignment 9-27
Using the CLI to Disable Dynamic Channel and Power Assignment 9-27
Viewing Additional RRM Settings Using the CLI 9-28

Chapter 10 Configuring Mobility Groups 10-1
Overview of Mobility 10-2
Overview of Mobility Groups 10-5
Determining When to Include Controllers in a Mobility Group 10-7
Configuring Mobility Groups 10-7
Prerequisites 10-7
Using the GUI to Configure Mobility Groups 10-8
Using the CLI to Configure Mobility Groups 10-11
Configuring Auto-Anchor Mobility 10-11
Guidelines for Using Auto-Anchor Mobility 10-12
Using the GUI to Configure Auto-Anchor Mobility 10-12
Using the CLI to Configure Auto-Anchor Mobility 10-14

Appendix A Safety Considerations and Translated Safety Warnings A-1
Safety Considerations A-2
Warning Definition A-2
Class 1 Laser Product Warning A-5
Ground Conductor Warning A-7
Chassis Warning for Rack-Mounting and Servicing A-9
Battery Handling Warning for 4400 Series Controllers A-18
Equipment Installation Warning A-20
More Than One Power Supply Warning for 4400 Series Controllers A-23

Appendix B Declarations of Conformity and Regulatory Information B-1
Regulatory Information for 1000 Series Access Points B-2
Manufacturers Federal Communication Commission Declaration of Conformity Statement B-2
Department of Communications—Canada B-3
Canadian Compliance Statement B-3
European Community, Switzerland, Norway, Iceland, and Liechtenstein B-4
Declaration of Conformity with Regard to the R&TTE Directive 1999/5/EC B-4
Declaration of Conformity for RF Exposure B-5
Guidelines for Operating Cisco Aironet Access Points in Japan B-6
Administrative Rules for Cisco Aironet Access Points in Taiwan B-7
Access Points with IEEE 802.11a Radios B-7
All Access Points B-7
Declaration of Conformity Statements B-8
FCC Statements for Cisco 2000 Series Wireless LAN Controllers B-8
FCC Statements for Cisco 4100 Series Wireless LAN Controllers and Cisco 4400 Series Wireless LAN Controllers B-9

Appendix C End User License and Warranty C-1
End User License Agreement C-2
Limited Warranty C-4
Disclaimer of Warranty C-6
General Terms Applicable to the Limited Warranty Statement and End User License Agreement C-6
Additional Open Source Terms C-7

Appendix D System Messages and Access Point LED Patterns D-1
System Messages D-2
Using Client Reason and Status Codes in Trap Logs D-4
Client Reason Codes D-4
Client Status Codes D-5
Using Lightweight Access Point LEDs D-6

Index
Preface
This preface provides an overview of the Cisco Wireless LAN Controller Configuration Guide
(OL-8335-02), references related publications, and explains how to obtain other documentation and
technical assistance, if necessary. It contains these sections:
• Audience, page xiv
• Purpose, page xiv
• Organization, page xiv
• Conventions, page xv
• Related Publications, page xvii
• Obtaining Documentation, page xvii
• Documentation Feedback, page xviii
• Cisco Product Security Overview, page xix
• Obtaining Technical Assistance, page xx
• Obtaining Additional Publications and Information, page xxi
Audience
This guide describes Cisco Wireless LAN Controllers and Cisco Lightweight Access Points. This guide
is for the networking professional who installs and manages these devices. To use this guide, you should
be familiar with the concepts and terminology of wireless LANs.
Purpose
This guide provides the information you need to set up and configure wireless LAN controllers.
Organization
This guide is organized into these chapters:
Chapter 1, “Overview,” provides an overview of the network roles and features of wireless LAN
controllers.
Chapter 2, “Using the Web-Browser and CLI Interfaces,” describes how to use the controller GUI and
CLI.
Chapter 3, “Configuring Ports and Interfaces,” describes the controller’s physical ports and interfaces
and provides instructions for configuring them.
Chapter 4, “Configuring Controller Settings,” describes how to configure settings on the controllers.
Chapter 5, “Configuring Security Solutions,” describes application-specific solutions for wireless
LANs.
Chapter 6, “Configuring WLANs,” describes how to configure wireless LANs and SSIDs on your
system.
Chapter 7, “Controlling Lightweight Access Points,” explains how to connect access points to the
controller and manage access point settings.
Chapter 8, “Managing Controller Software and Configurations,” describes how to upgrade and manage
controller software and configurations.
Chapter 9, “Configuring Radio Resource Management,” describes radio resource management (RRM)
and explains how to configure it on the controllers.
Chapter 10, “Configuring Mobility Groups,” describes mobility groups and explains how to configure
them on the controllers.
Appendix A, “Safety Considerations and Translated Safety Warnings,” lists safety considerations and
translations of the safety warnings that apply to the Cisco Unified Wireless Network Solution products.
Appendix B, “Declarations of Conformity and Regulatory Information,” provides declarations of
conformity and regulatory information for the products in the Cisco Unified Wireless Network Solution.
Appendix C, “End User License and Warranty,” describes the end user license and warranty that apply
to the Cisco Unified Wireless Network Solution products.
Appendix D, “System Messages and Access Point LED Patterns,” lists system messages that can appear
on the Cisco Unified Wireless Network Solution interfaces and describes the LED patterns on
lightweight access points.
Conventions
This publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
• Commands and keywords are in boldface text.
• Arguments for which you supply values are in italic.
• Square brackets ([ ]) mean optional elements.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
Interactive examples use these conventions:
• Terminal sessions and system displays are in screen font.
• Information you enter is in boldface screen font.
• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Notes, cautions, and timesavers use these conventions and symbols:
Tip: Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.
Note: Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Warning: This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix “Translated Safety Warnings.”)
Waarschuwing (Dutch): This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuits and be familiar with standard measures for preventing accidents. (For translations of the warnings that appear in this publication, see the appendix “Translated Safety Warnings.”)
Varoitus (Finnish): This warning symbol means danger. You are in a situation that could lead to bodily injury. Before you work on any equipment, find out about the hazards related to electrical connections and about the usual ways of preventing accidents. (Translations of the warnings that appear in this publication are in the appendix “Translated Safety Warnings.”)
Attention (French): This warning symbol indicates danger. You are in a situation that could cause injury. Before accessing this equipment, be aware of the dangers posed by electrical circuits and familiarize yourself with the usual accident-prevention procedures. For translations of the warnings that appear in this publication, see the appendix “Translated Safety Warnings.”
Warnung (German): This warning symbol means danger. You are in a situation that could lead to bodily injury. Before you begin work on any device, be aware of the hazards associated with electrical circuits and of the standard practices for preventing accidents. (Translations of the warnings contained in this publication are in the appendix “Translated Safety Warnings.”)
Avvertenza (Italian): This warning symbol indicates a hazard. You are in a situation that could cause injury. Before working on any equipment, you must know the hazards of electrical circuits and be aware of the standard practices for preventing accidents. The translation of the warnings in this publication is in the appendix “Translated Safety Warnings.”
Advarsel (Norwegian): This warning symbol means danger. You are in a situation that could lead to personal injury. Before you work on equipment, be aware of the hazards that electrical circuits involve, and familiarize yourself with common practice for avoiding accidents. (For translations of the warnings in this publication, see the appendix “Translated Safety Warnings.”)
Aviso (Portuguese): This warning symbol indicates danger. You are in a situation that could cause you physical harm. Before starting work on any equipment, familiarize yourself with the hazards of electrical circuits and with any common practices that can prevent accidents. (For translations of the warnings in this publication, see the appendix “Translated Safety Warnings.”)
¡Advertencia! (Spanish): This warning symbol means danger. There is a risk to your physical safety. Before handling any equipment, consider the risks that electric current involves and familiarize yourself with standard accident-prevention procedures. (For translations of the warnings that appear in this publication, see the appendix “Translated Safety Warnings.”)
Varning! (Swedish): This warning symbol signals danger. You are in a situation that could lead to personal injury. Before you work on any equipment, you must be aware of the hazards of electrical circuits and know the usual procedures for preventing injury. (See explanations of the warnings that appear in this publication in the appendix “Translated Safety Warnings.”)
Related Publications
These documents provide complete information about the Cisco Unified Wireless Network Solution:
• Cisco Wireless LAN Controller Command Reference
• Quick Start Guide: Cisco 2000 Series Wireless LAN Controllers
• Quick Start Guide: Cisco 4100 Series Wireless LAN Controllers
• Quick Start Guide: Cisco 4400 Series Wireless LAN Controllers
• Quick Start Guide: VPN Termination Module for Cisco 4400 Series Wireless LAN Controllers
• Quick Start Guide: VPN/Enhanced Security Modules for Cisco 4100 Series Wireless LAN
Controllers
• Cisco Wireless Control System Configuration Guide
• Quick Start Guide: Cisco Wireless Control System for Microsoft Windows
• Quick Start Guide: Cisco Wireless Control System for Linux
• Quick Start Guide: Cisco Aironet 1000 Series Lightweight Access Points with Internal Antennas
• Quick Start Guide: Cisco Aironet 1000 Series Lightweight Access Points with External Antennas
Click this link to browse to user documentation for the Cisco Unified Wireless Network Solution:
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
Product Documentation DVD
The Product Documentation DVD is a comprehensive library of technical product documentation on a
portable medium. The DVD enables you to access multiple versions of installation, configuration, and
command guides for Cisco hardware and software products. With the DVD, you have access to the same
HTML documentation that is found on the Cisco website without being connected to the Internet.
Certain products also have .PDF versions of the documentation available.
The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com
users (Cisco direct customers) can order a Product Documentation DVD (product number
DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Ordering Documentation
Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the
Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m.
(0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by
calling 011 408 519-5055. You can also order documentation by e-mail at
tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada,
or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback
form that appears with the technical documents on Cisco.com.
You can submit comments about Cisco documentation by using the response card (if present) behind the
front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
From this site, you will find information about how to:
• Report security vulnerabilities in Cisco products.
• Obtain assistance with security incidents that involve Cisco products.
• Register to receive security information from Cisco.
A current list of security advisories, security notices, and security responses for Cisco products is
available at this URL:
http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you
can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS)
feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
Cisco is committed to delivering secure products. We test our products internally before we release
them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a
vulnerability in a Cisco product, contact PSIRT:
• For Emergencies only—security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which
a severe and urgent security vulnerability should be reported. All other conditions are considered
nonemergencies.
• For Nonemergencies—psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
• 1 877 228-7302
• 1 408 525-6532
Tip: We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to
encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been
encrypted with PGP versions 2.x through 9.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence
with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page
at this URL:
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers
before sending any sensitive material to find other means of encrypting the data.
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco
Technical Support & Documentation website on Cisco.com features extensive online support resources.
In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC)
engineers provide telephone support. If you do not have a valid Cisco service contract, contact your
reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for
troubleshooting and resolving technical issues with Cisco products and technologies. The website is
available 24 hours a day, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user
ID and password. If you have a valid service contract but do not have a user ID or password, you can
register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note: Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support &
Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose
Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco
Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by
product ID or model name; by tree view; or for certain products, by copying and pasting show command
output. Search results show an illustration of your product with the serial number label location
highlighted. Locate the serial number label on your product and record the information before placing a
service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3
and S4 service requests are those in which your network is minimally impaired or for which you require
product information.) After you describe your situation, the TAC Service Request Tool provides
recommended solutions. If your issue is not resolved using the recommended resources, your service
request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone.
(S1 or S2 service requests are those in which your production network is down or severely degraded.)
Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business
operations running smoothly.
xx
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity
definitions.
Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations.
You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your
business operations are negatively affected by inadequate performance of Cisco products. You and Cisco
will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of the network is impaired, while most business operations
remain functional. You and Cisco will commit resources during normal business hours to restore service
to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
• The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief
product overviews, key features, sample part numbers, and abbreviated technical specifications for
many Cisco products that are sold through channel partners. It is updated twice a year and includes
the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference
Guide, go to this URL:
http://www.cisco.com/go/guide
• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo
merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
• Cisco Press publishes a wide range of general networking, training and certification titles. Both new
and experienced users will benefit from these publications. For current Cisco Press titles and other
information, go to Cisco Press at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and
networking investments. Each quarter, Packet delivers coverage of the latest industry trends,
technology breakthroughs, and Cisco products and solutions, as well as network deployment and
troubleshooting tips, configuration examples, customer case studies, certification and training
information, and links to scores of in-depth online resources. You can access Packet magazine at
this URL:
http://www.cisco.com/packet
• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies
learn how they can use technology to increase revenue, streamline their business, and expand
services. The publication identifies the challenges facing these companies and the technologies to
help solve them, using real-world case studies and business strategies to help readers make sound
technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
or view the digital edition at this URL:
http://ciscoiq.texterity.com/ciscoiq/sample/
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• Networking products offered by Cisco Systems, as well as customer support services, can be
obtained at this URL:
http://www.cisco.com/en/US/products/index.html
• Networking Professionals Connection is an interactive website for networking professionals to
share questions, suggestions, and information about networking products and technologies with
Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
• World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html
CHAPTER 1
Overview
This chapter describes the controller components and features. It contains these sections:
Cisco Wireless LAN Solution Overview
The Cisco Wireless LAN Solution is designed to provide 802.11 wireless networking solutions for
enterprises and service providers. The Cisco Wireless LAN Solution simplifies deploying and managing
large-scale wireless LANs and enables a unique best-in-class security infrastructure. The operating
system manages all data client, communications, and system administration functions, performs Radio
Resource Management (RRM) functions, manages system-wide mobility policies using the operating
system Security solution, and coordinates all security functions using the operating system security
framework.
The Cisco Wireless LAN Solution consists of Cisco Wireless LAN Controllers and their associated
lightweight access points controlled by the operating system, all concurrently managed by any or all of
the operating system user interfaces:
• An HTTP and/or HTTPS full-featured Web User Interface hosted by Cisco Wireless LAN
Controllers can be used to configure and monitor individual controllers. See the “Web User
Interface and the CLI” section on page 1-25.
• A full-featured command-line interface (CLI) can be used to configure and monitor individual Cisco
Wireless LAN Controllers. See the “Web User Interface and the CLI” section on page 1-25.
• The Cisco Wireless Control System (WCS), which you use to configure and monitor one or more
Cisco Wireless LAN Controllers and associated access points. WCS has tools to facilitate
large-system monitoring and control. WCS runs on Windows 2000, Windows 2003, and Red Hat
Enterprise Linux ES servers.
• An industry-standard SNMP V1, V2c, and V3 interface can be used with any SNMP-compliant
third-party network management system.
Chapter 1 Overview
The Cisco Wireless LAN Solution supports client data services, client monitoring and control, and all
rogue access point detection, monitoring, and containment functions. The Cisco Wireless LAN Solution
uses lightweight access points, Cisco Wireless LAN Controllers, and the optional Cisco WCS to provide
wireless services to enterprises and service providers.
Note: This document refers to Cisco Wireless LAN Controllers throughout. Unless specifically called out, the
descriptions herein apply to all Cisco Wireless LAN Controllers, including but not limited to Cisco 2000
Series Wireless LAN Controllers, Cisco 4100 Series Wireless LAN Controllers, Cisco 4400 Series
Wireless LAN Controllers, and the controllers on the Wireless Services Module (WiSM).
Figure 1-1 shows the Cisco Wireless LAN Solution components, which can be simultaneously deployed
across multiple floors and buildings.
Figure 1-1 Cisco WLAN Solution Components
Single-Controller Deployments
A standalone controller can support lightweight access points across multiple floors and buildings
simultaneously, and supports the following features:
• Autodetecting and autoconfiguring lightweight access points as they are added to the network.
• Full control of lightweight access points.
• Full control of up to 16 wireless LAN (SSID) policies for Cisco 1000 series access points.
Note: LWAPP-enabled access points support up to 8 wireless LAN (SSID) policies.
• Lightweight access points connect to controllers through the network. The network equipment may
or may not provide Power over Ethernet to the access points.
Note that some controllers use redundant Gigabit Ethernet connections to bypass single network failures.
Note: Some controllers can connect through multiple physical ports to multiple subnets in the network. This
feature can be helpful when Cisco WLAN Solution operators want to confine multiple VLANs to
separate subnets.
Figure 1-2 shows a typical single-controller deployment.
Figure 1-2 Single-Controller Deployment
Multiple-Controller Deployments
Each controller can support lightweight access points across multiple floors and buildings
simultaneously. However, full functionality of the Cisco Wireless LAN Solution is realized when it
includes multiple controllers. A multiple-controller system has the following additional features:
• Autodetecting and autoconfiguring RF parameters as the controllers are added to the network.
• Same-Subnet (Layer 2) Roaming and Inter-Subnet (Layer 3) Roaming.
• Automatic access point failover to any redundant controller with a reduced access point load (refer
to the “Cisco Wireless LAN Controller Failover Protection” section on page 1-20).
The following figure shows a typical multiple-controller deployment. The figure also shows an optional
dedicated Management Network and the three physical connection types between the network and the
controllers.
Figure 1-3 Typical Multi-Controller Deployment
Operating System Software
The operating system software controls Cisco Wireless LAN Controllers and Cisco 1000 Series
Lightweight Access Points. It includes full operating system security and Radio Resource Management
(RRM) features.
Operating System Security
Operating system security bundles Layer 1, Layer 2, and Layer 3 security components into a simple,
Cisco WLAN Solution-wide policy manager that creates independent security policies for each of up to
16 wireless LANs. (Refer to the “Cisco WLAN Solution Wireless LANs” section on page 1-11.)
The 802.11 Static WEP weaknesses can be overcome using robust industry-standard Layer 2 security solutions,
such as:
• 802.1X dynamic keys with extensible authentication protocol (EAP).
• WEP keys, with or without Pre-Shared key Passphrase.
• RSN with or without Pre-Shared key.
• Cranite FIPS140-2 compliant passthrough.
• Fortress FIPS140-2 compliant passthrough.
• Optional MAC Filtering.
The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as:
• Terminated and passthrough VPNs
• Terminated and passthrough Layer Two Tunneling Protocol (L2TP), which uses the IP Security
(IPSec) protocol.
• Terminated and passthrough IPSec protocols. The terminated Cisco WLAN Solution IPSec
implementation includes:
– Internet key exchange (IKE)
– Diffie-Hellman (DH) groups, and
– Three optional levels of encryption: DES (ANSI X3.92 data encryption standard), 3DES (ANSI
X9.52-1998 data encryption standard), or AES/CBC (advanced encryption standard/cipher
block chaining).
The Cisco WLAN Solution IPSec implementation also includes industry-standard authentication
using:
– Message digest algorithm (MD5), or
– Secure hash algorithm-1 (SHA-1)
Of these options, select AES and SHA-1 for any new tunnel: single DES has a 56-bit key that can be
brute-forced with modest hardware, and MD5 is deprecated for new use.
• The Cisco Wireless LAN Solution supports local and RADIUS MAC Address filtering.
• The Cisco Wireless LAN Solution supports local and RADIUS user/password authentication.
• The Cisco Wireless LAN Solution also uses manual and automated Disabling to block access to
network services. In manual Disabling, the operator blocks access using client MAC addresses. In
automated Disabling, which is always active, the operating system software automatically blocks
access to network services for an operator-defined period of time when a client fails to authenticate
for a fixed number of consecutive attempts. This can be used to deter brute-force login attacks.
These and other security features use industry-standard authorization and authentication methods to
ensure the highest possible security for your business-critical wireless LAN traffic.
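The manual and automated Disabling behaviour described above, written out as an added example (this is not code from the Cisco guide or from the controller software): a client MAC is blocked for an operator-defined period after a fixed number of consecutive authentication failures, a successful authentication resets the counter, and an operator can also block a MAC by hand. The log line format, MAC addresses, threshold of 5 and block period of 60 seconds are constructed assumptions for the demonstration.

```python
"""Automated and manual client disabling (added example, not from the Cisco guide)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed log format (assumption): "<epoch-seconds> <client-mac> AUTH_OK|AUTH_FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<result>AUTH_OK|AUTH_FAIL)$"
)


@dataclass
class ExclusionPolicy:
    max_failures: int = 5           # consecutive failures before the client is blocked (assumed)
    exclusion_seconds: int = 60     # operator-defined block period in seconds (assumed)
    failures: Dict[str, int] = field(default_factory=dict)        # mac -> consecutive failures
    excluded_until: Dict[str, int] = field(default_factory=dict)  # mac -> epoch when block ends

    def is_excluded(self, mac: str, now: int) -> bool:
        """True while a block on this MAC is in force; an expired block is cleared."""
        until = self.excluded_until.get(mac)
        if until is None:
            return False
        if now >= until:
            del self.excluded_until[mac]
            self.failures.pop(mac, None)
            return False
        return True

    def exclude_manually(self, mac: str, now: int, seconds: Optional[int] = None) -> None:
        """Manual disabling: the operator blocks a client by its MAC address."""
        self.excluded_until[mac] = now + (self.exclusion_seconds if seconds is None else seconds)
        self.failures.pop(mac, None)

    def record(self, mac: str, success: bool, now: int) -> bool:
        """Record one authentication attempt; return True if the client is blocked afterwards."""
        if self.is_excluded(mac, now):
            return True                  # attempts during a block neither extend nor lift it
        if success:
            self.failures.pop(mac, None)  # a successful login resets the consecutive count
            return False
        count = self.failures.get(mac, 0) + 1
        if count >= self.max_failures:
            self.excluded_until[mac] = now + self.exclusion_seconds
            self.failures.pop(mac, None)
            return True
        self.failures[mac] = count
        return False


def replay(log_text: str, policy: ExclusionPolicy) -> List[Tuple[int, str, bool]]:
    """Feed authentication events to the policy; return (ts, mac, blocked) per parsed line."""
    decisions = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue                     # lines that do not match the format are ignored
        ts, mac = int(m["ts"]), m["mac"].lower()
        decisions.append((ts, mac, policy.record(mac, m["result"] == "AUTH_OK", ts)))
    return decisions


# Constructed sample: one client fails five times in a row, another fails once and recovers.
SAMPLE_LOG = """\
100 00:11:22:33:44:55 AUTH_FAIL
101 00:11:22:33:44:55 AUTH_FAIL
102 aa:bb:cc:dd:ee:ff AUTH_FAIL
103 00:11:22:33:44:55 AUTH_FAIL
104 aa:bb:cc:dd:ee:ff AUTH_OK
105 00:11:22:33:44:55 AUTH_FAIL
106 00:11:22:33:44:55 AUTH_FAIL
107 00:11:22:33:44:55 AUTH_OK
170 00:11:22:33:44:55 AUTH_OK
"""

if __name__ == "__main__":
    for ts, mac, blocked in replay(SAMPLE_LOG, ExclusionPolicy()):
        print(ts, mac, "BLOCKED" if blocked else "allowed")
```

The fifth consecutive failure at t=106 blocks the first client until t=166, so its correct password at t=107 is still refused; only the attempt at t=170 is admitted. Note that an attacker who knows the threshold can deliberately lock a victim's MAC out, so the block period should be short enough that this remains a nuisance rather than a denial of service.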
Cisco WLAN Solution Wired Security
Many traditional access point vendors concentrate on security for the Wireless interface similar to that
described in the “Operating System Security” section on page 1-5. However, for secure Cisco Wireless
LAN Controller Service Interfaces, Cisco Wireless LAN Controller to access point, and inter-Cisco
Wireless LAN Controller communications during device servicing and client roaming, the operating
system includes built-in security.
Each Cisco Wireless LAN Controller and Cisco 1000 series lightweight access point is manufactured
with a unique, signed X.509 certificate. This certificate is used to authenticate IPSec tunnels between
devices. These IPSec tunnels ensure secure communications for mobility and device servicing.
Cisco Wireless LAN Controllers and Cisco 1000 series lightweight access points also use the signed
certificates to verify downloaded code before it is loaded, ensuring that hackers do not download
malicious code into any Cisco Wireless LAN Controller or Cisco 1000 series lightweight access point.
Layer 2 and Layer 3 LWAPP Operation
The LWAPP communications between Cisco Wireless LAN Controller and Cisco 1000 series
lightweight access points can be conducted at ISO Data Link Layer 2 or Network Layer 3.
Note: The IPv4 network layer protocol is supported for transport through an LWAPP controller system. IPv6
(for clients only) and Appletalk are also supported but only on 4400 series controllers and the Cisco
WiSM. Other Layer 3 protocols (such as IPX, DECnet Phase IV, OSI CLNP, and so on) and Layer 2
(bridged) protocols (such as LAT and NetBeui) are not supported.
Operational Requirements
The requirement for Layer 2 LWAPP communications is that the Cisco Wireless LAN Controller and
Cisco 1000 series lightweight access points must be connected to each other through Layer 2 devices on
the same subnet. This is the default operational mode for the Cisco Wireless LAN Solution. Note that
when the Cisco Wireless LAN Controller and Cisco 1000 series lightweight access points are on
different subnets, these devices must be operated in Layer 3 mode.
The requirement for Layer 3 LWAPP communications is that the Cisco Wireless LAN Controllers and
Cisco 1000 series lightweight access points can be connected through Layer 2 devices on the same
subnet, or connected through Layer 3 devices across subnets.
Note that all Cisco Wireless LAN Controllers in a mobility group must use the same LWAPP Layer 2 or
Layer 3 mode, or you will defeat the Mobility software algorithm.
Configuration Requirements
When you are operating the Cisco Wireless LAN Solution in Layer 2 mode, you must configure a
management interface to control your Layer 2 communications.
When you are operating the Cisco Wireless LAN Solution in Layer 3 mode, you must configure an
AP-manager interface to control Cisco 1000 series lightweight access points and a management interface
as configured for Layer 2 mode.
Cisco Wireless LAN Controllers
When you are adding Cisco 1000 series lightweight access points to a multiple-controller deployment, it
is convenient to have all of them associate with one master controller on the same subnet. That way, the
operator does not have to log into multiple controllers to find out which controller the newly added
access points associated with.
One controller in each subnet can be assigned as the master controller while adding lightweight access
points. As long as a master controller is active on the same subnet, all new access points without a
primary, secondary, and tertiary controller assigned automatically attempt to associate with the master
Cisco Wireless LAN Controller. This process is described in the “Cisco Wireless LAN Controller
Failover Protection” section on page 1-20.
The operator can monitor the master controller using the WCS Web User Interface and watch as access
points associate with the master controller. The operator can then verify access point configuration and
assign a primary, secondary, and tertiary controller to the access point, and reboot the access point so it
reassociates with its primary, secondary, or tertiary controller.
Note: Lightweight access points without a primary, secondary, and tertiary controller assigned always search
for a master controller first upon reboot. After adding lightweight access points through the master
controller, assign primary, secondary, and tertiary controllers to each access point. Cisco recommends
that you disable the master setting on all controllers after initial configuration.
Primary, Secondary, and Tertiary Controllers
In multiple-controller networks, lightweight access points can associate with any controller on the same
subnet. To ensure that each access point associates with a particular controller, the operator can assign
primary, secondary, and tertiary controllers to the access point.
When a primed access point is added to a network, it looks for its primary, secondary, and tertiary
controllers first, then a master controller, then the least-loaded controller with available access point
ports. Refer to the “Cisco Wireless LAN Controller Failover Protection” section on page 1-20 for more
information.
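The controller search order described in the two sections above (configured primary, then secondary, then tertiary; then a master controller on the access point's subnet; then the least-loaded controller with free access point ports), as an added example that is not code from the Cisco guide or from the controller software. It also includes the audit a practitioner would want after initial deployment: a list of controllers still flagged as master. Controller names, subnets, loads and capacities are constructed; the assumptions that a primed controller is honoured regardless of subnet while master and least-loaded discovery are limited to the access point's own subnet, and that a controller with all its access point ports in use is skipped, are mine.

```python
"""Controller selection for a joining lightweight access point (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Controller:
    name: str
    subnet: str          # constructed, e.g. "10.1.0.0/24"
    is_master: bool      # master setting, meant to be disabled after initial configuration
    ap_count: int        # access points currently joined
    ap_capacity: int     # maximum access points this controller supports

    @property
    def has_capacity(self) -> bool:
        return self.ap_count < self.ap_capacity


@dataclass(frozen=True)
class AccessPoint:
    name: str
    subnet: str
    primary: Optional[str] = None     # names of primed controllers, if any
    secondary: Optional[str] = None
    tertiary: Optional[str] = None


def select_controller(ap: AccessPoint, reachable: List[Controller]) -> Optional[Controller]:
    """Return the controller the access point should associate with, or None."""
    by_name = {c.name: c for c in reachable}

    # 1. Primed access point: primary, then secondary, then tertiary (any reachable subnet).
    for preferred in (ap.primary, ap.secondary, ap.tertiary):
        if preferred is not None:
            candidate = by_name.get(preferred)
            if candidate is not None and candidate.has_capacity:
                return candidate

    # 2. A master controller on the access point's own subnet (one per subnet by design).
    for c in reachable:
        if c.is_master and c.subnet == ap.subnet and c.has_capacity:
            return c

    # 3. Least-loaded controller on the subnet that still has access point ports available.
    candidates = [c for c in reachable if c.subnet == ap.subnet and c.has_capacity]
    if not candidates:
        return None
    return min(candidates, key=lambda c: (c.ap_count / c.ap_capacity, c.name))


def audit_master_setting(controllers: List[Controller]) -> List[str]:
    """Names of controllers still flagged as master; should be empty after initial deployment."""
    return sorted(c.name for c in controllers if c.is_master)


if __name__ == "__main__":
    # Constructed topology for the demonstration.
    ctls = [
        Controller("wlc-a", "10.1.0.0/24", False, 48, 50),
        Controller("wlc-b", "10.1.0.0/24", True, 10, 50),
        Controller("wlc-c", "10.1.0.0/24", False, 5, 12),
        Controller("wlc-d", "10.2.0.0/24", False, 0, 50),
    ]
    ap = AccessPoint("ap-1", "10.1.0.0/24", primary="wlc-d", secondary="wlc-a")
    print(ap.name, "->", select_controller(ap, ctls).name)
    print("controllers still set as master:", audit_master_setting(ctls))
```

A leftover master setting is a security concern as well as an operational one: any new access point on the subnet, including one an attacker plugs in, is accepted by the master first, so the audit at the end is worth running after every change.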
Client Roaming
The Cisco Wireless LAN Solution supports seamless client roaming across Cisco 1000 series
lightweight access points managed by the same Cisco Wireless LAN Controller, between Cisco Wireless
LAN Controllers in the same Cisco WLAN Solution Mobility Group on the same subnet, and across
controllers in the same Mobility Group on different subnets.
Same-Subnet (Layer 2) Roaming
Each Cisco Wireless LAN Controller supports same-controller client roaming across access points
managed by the same controller. This roaming is transparent to the client as the session is sustained and
the client continues using the same DHCP-assigned or client-assigned IP Address. The controller
provides DHCP functionality with a relay function. Same-controller roaming is supported in
single-controller deployments and in multiple-controller deployments.
Inter-Controller (Layer 2) Roaming
In multiple-controller deployments, the Cisco Wireless LAN Solution supports client roaming across
access points managed by controllers in the same mobility group and on the same subnet. This roaming
is also transparent to the client, as the session is sustained and a tunnel between controllers allows the
client to continue using the same DHCP- or client-assigned IP Address as long as the session remains
active. Note that the tunnel is torn down and the client must reauthenticate when the client sends a DHCP
Discover with a 0.0.0.0 client IP Address or a 169.254.*.* client auto-IP Address, or when the
operator-set session timeout is exceeded.
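The roaming cases in this section, reduced to a classifier and a session-survival check, as an added example that is not code from the Cisco guide: a move between access points on one controller, an inter-controller Layer 2 roam within a mobility group on the same subnet (session carried over the controller-to-controller tunnel), and a roam across subnets within the mobility group. The teardown conditions are the ones stated above: a DHCP Discover carrying a 0.0.0.0 client address, a 169.254.0.0/16 auto-IP address, or an exceeded session timeout. Treating a move to a controller outside the mobility group as a fresh association, and applying the DHCP teardown rule to the cross-subnet roam as well, are my assumptions; controller names and subnets are constructed.

```python
"""Roam classification and session survival (added example, not from the Cisco guide)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # client auto-IP range
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")


@dataclass(frozen=True)
class Controller:
    name: str
    mobility_group: str
    client_subnet: str     # constructed, e.g. "10.10.0.0/24"


def classify_roam(old: Controller, new: Controller) -> str:
    """Name the roaming case for a client moving from controller `old` to `new`."""
    if old.name == new.name:
        return "same-controller"
    if old.mobility_group != new.mobility_group:
        return "new-association"          # assumption: no seamless roam across mobility groups
    if old.client_subnet == new.client_subnet:
        return "inter-controller-L2"      # session carried over an inter-controller tunnel
    return "inter-subnet-L3"


def session_survives(roam: str, dhcp_discover_ciaddr: Optional[str],
                     session_age: int, session_timeout: int) -> bool:
    """True if the roamed client keeps its session; False if it must reauthenticate.

    dhcp_discover_ciaddr is the client address field of a DHCP Discover the client
    sent after the roam, or None if it sent none.
    """
    if roam == "new-association":
        return False
    if session_age > session_timeout:
        return False                      # operator-set session timeout exceeded
    if roam in ("inter-controller-L2", "inter-subnet-L3") and dhcp_discover_ciaddr is not None:
        addr = ipaddress.ip_address(dhcp_discover_ciaddr)
        if addr == UNSPECIFIED or addr in LINK_LOCAL:
            return False                  # client restarted DHCP: tunnel torn down, reauth
    return True


if __name__ == "__main__":
    a = Controller("wlc-a", "mg-1", "10.10.0.0/24")
    b = Controller("wlc-b", "mg-1", "10.10.0.0/24")
    roam = classify_roam(a, b)
    print(roam, "survives:", session_survives(roam, "169.254.12.7", 300, 1800))
```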