Cisco Release 3.2 User Manual

Cisco Wireless LAN Controller Configuration Guide
Software Release 3.2 March 2006
Corporate Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
Fax: 408 526-4100
Text Part Number: OL-8335-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Wireless LAN Controller Configuration Guide
Copyright © 2005-2006 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface xiii
Audience xiv
Purpose xiv
Organization xiv
Conventions xv
Related Publications xvii
Obtaining Documentation xvii
Cisco.com xvii
Product Documentation DVD xviii
Ordering Documentation xviii
Documentation Feedback xviii
Cisco Product Security Overview xix
Reporting Security Problems in Cisco Products xix
Obtaining Technical Assistance xx
Cisco Technical Support & Documentation Website xx
Submitting a Service Request xx
Definitions of Service Request Severity xxi
Obtaining Additional Publications and Information xxi
CHAPTER 1 Overview 1-1
Cisco Wireless LAN Solution Overview 1-2
Single-Controller Deployments 1-3
Multiple-Controller Deployments 1-4
Operating System Software 1-5
Operating System Security 1-5
Cisco WLAN Solution Wired Security 1-6
Layer 2 and Layer 3 LWAPP Operation 1-7
Operational Requirements 1-7
Configuration Requirements 1-7
Cisco Wireless LAN Controllers 1-7
Primary, Secondary, and Tertiary Controllers 1-8
Client Roaming 1-8
Same-Subnet (Layer 2) Roaming 1-8
Inter-Controller (Layer 2) Roaming 1-8
Inter-Subnet (Layer 3) Roaming 1-9
Special Case: Voice Over IP Telephone Roaming 1-9
Client Location 1-9
External DHCP Servers 1-10
Per-Wireless LAN Assignment 1-10
Per-Interface Assignment 1-10
Security Considerations 1-10
Cisco WLAN Solution Wired Connections 1-11
Cisco WLAN Solution Wireless LANs 1-11
Access Control Lists 1-12
Identity Networking 1-12
Enhanced Integration with Cisco Secure ACS 1-13
File Transfers 1-13
Power over Ethernet 1-14
Pico Cell Functionality 1-14
Intrusion Detection Service (IDS) 1-15
Wireless LAN Controller Platforms 1-15
Cisco 2000 Series Wireless LAN Controllers 1-16
Cisco 4100 Series Wireless LAN Controllers 1-16
Cisco 4400 Series Wireless LAN Controllers 1-17
Cisco 2000 Series Wireless LAN Controller Model Numbers 1-17
Cisco 4100 Series Wireless LAN Controller Model Numbers 1-18
Cisco 4400 Series Wireless LAN Controller Model Numbers 1-18
Startup Wizard 1-19
Cisco Wireless LAN Controller Memory 1-20
Cisco Wireless LAN Controller Failover Protection 1-20
Cisco Wireless LAN Controller Automatic Time Setting 1-21
Cisco Wireless LAN Controller Time Zones 1-21
Network Connections to Cisco Wireless LAN Controllers 1-21
Cisco 2000 Series Wireless LAN Controllers 1-22
Cisco 4100 Series Wireless LAN Controllers 1-22
Cisco 4400 Series Wireless LAN Controllers 1-23
VPN and Enhanced Security Modules for 4100 Series Controllers 1-24
Rogue Access Points 1-24
Rogue Access Point Location, Tagging, and Containment 1-25
Web User Interface and the CLI 1-25
Web User Interface 1-25
Command Line Interface 1-26
CHAPTER 2 Using the Web-Browser and CLI Interfaces 2-1
Using the Web-Browser Interface 2-2
Guidelines for Using the GUI 2-2
Opening the GUI 2-2
Enabling Web and Secure Web Modes 2-2
Configuring the GUI for HTTPS 2-2
Loading an Externally Generated HTTPS Certificate 2-3
Disabling the GUI 2-5
Using Online Help 2-5
Using the CLI 2-5
Logging into the CLI 2-5
Using a Local Serial Connection 2-6
Using a Remote Ethernet Connection 2-6
Logging Out of the CLI 2-7
Navigating the CLI 2-7
Enabling Wireless Connections to the Web-Browser and CLI Interfaces 2-8
CHAPTER 3 Configuring Ports and Interfaces 3-1
Overview of Ports and Interfaces 3-2
Ports 3-2
Distribution System Ports 3-3
Service Port 3-4
Interfaces 3-5
Management Interface 3-5
AP-Manager Interface 3-6
Virtual Interface 3-6
Service-Port Interface 3-7
Dynamic Interface 3-7
WLANs 3-8
Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces 3-9
Using the GUI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces 3-9
Using the CLI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces 3-12
Using the CLI to Configure the Management Interface 3-12
Using the CLI to Configure the AP-Manager Interface 3-12
Using the CLI to Configure the Virtual Interface 3-13
Using the CLI to Configure the Service-Port Interface 3-14
Configuring Dynamic Interfaces 3-14
Using the GUI to Configure Dynamic Interfaces 3-14
Using the CLI to Configure Dynamic Interfaces 3-16
Configuring Ports 3-17
Configuring Port Mirroring 3-20
Configuring Spanning Tree Protocol 3-21
Using the GUI to Configure Spanning Tree Protocol 3-22
Using the CLI to Configure Spanning Tree Protocol 3-26
Enabling Link Aggregation 3-27
Link Aggregation Guidelines 3-28
Using the GUI to Enable Link Aggregation 3-29
Using the CLI to Enable Link Aggregation 3-30
Configuring Neighbor Devices to Support LAG 3-30
Configuring a 4400 Series Controller to Support More Than 48 Access Points 3-30
Using Link Aggregation 3-31
Using Multiple AP-Manager Interfaces 3-31
Connecting Additional Ports 3-36
CHAPTER 4 Configuring Controller Settings 4-1
Using the Configuration Wizard 4-2
Before You Start 4-2
Resetting the Device to Default Settings 4-3
Resetting to Default Settings Using the CLI 4-3
Resetting to Default Settings Using the GUI 4-3
Running the Configuration Wizard on the CLI 4-4
Managing the System Time and Date 4-5
Configuring Time and Date Manually 4-5
Configuring NTP 4-5
Configuring a Country Code 4-5
Enabling and Disabling 802.11 Bands 4-6
Configuring Administrator Usernames and Passwords 4-7
Configuring RADIUS Settings 4-7
Configuring SNMP Settings 4-7
Enabling 802.3x Flow Control 4-8
Enabling System Logging 4-8
Enabling Dynamic Transmit Power Control 4-8
Configuring Multicast Mode 4-9
Understanding Multicast Mode 4-9
Guidelines for Using Multicast Mode 4-9
Enabling Multicast Mode 4-10
Configuring the Supervisor 720 to Support the WiSM 4-10
General WiSM Guidelines 4-10
Configuring the Supervisor 4-11
Using the Wireless LAN Controller Network Module 4-12
CHAPTER 5 Configuring Security Solutions 5-1
Cisco WLAN Solution Security 5-2
Security Overview 5-2
Layer 1 Solutions 5-2
Layer 2 Solutions 5-2
Layer 3 Solutions 5-3
Rogue Access Point Solutions 5-3
Rogue Access Point Challenges 5-3
Tagging and Containing Rogue Access Points 5-3
Integrated Security Solutions 5-4
Configuring the System for SpectraLink NetLink Telephones 5-4
Using the GUI to Enable Long Preambles 5-5
Using the CLI to Enable Long Preambles 5-5
Using Management over Wireless 5-6
Using the GUI to Enable Management over Wireless 5-6
Using the CLI to Enable Management over Wireless 5-7
Configuring DHCP 5-7
Using the GUI to Configure DHCP 5-7
Using the CLI to Configure DHCP 5-8
Customizing the Web Authentication Login Screen 5-8
Default Web Authentication Operation 5-9
Customizing Web Authentication Operation 5-11
Hiding and Restoring the Cisco WLAN Solution Logo 5-11
Changing the Web Authentication Login Window Title 5-11
Changing the Web Message 5-12
Changing the Logo 5-12
Creating a Custom URL Redirect 5-14
Verifying Web Authentication Changes 5-14
Example: Sample Customized Web Authentication Login Window 5-15
Configuring Identity Networking 5-16
Identity Networking Overview 5-16
RADIUS Attributes Used in Identity Networking 5-17
QoS-Level 5-17
ACL-Name 5-17
Interface-Name 5-18
VLAN-Tag 5-18
Tunnel Attributes 5-19
CHAPTER 6 Configuring WLANs 6-1
Wireless LAN Overview 6-2
Configuring Wireless LANs 6-2
Displaying, Creating, Disabling, and Deleting Wireless LANs 6-2
Activating Wireless LANs 6-3
Assigning a Wireless LAN to a DHCP Server 6-3
Configuring MAC Filtering for Wireless LANs 6-3
Enabling MAC Filtering 6-3
Creating a Local MAC Filter 6-3
Configuring a Timeout for Disabled Clients 6-4
Assigning Wireless LANs to VLANs 6-4
Configuring Layer 2 Security 6-4
Dynamic 802.1X Keys and Authorization 6-4
WEP Keys 6-5
Dynamic WPA Keys and Encryption 6-5
Configuring a Wireless LAN for Both Static and Dynamic WEP 6-6
Configuring Layer 3 Security 6-6
IPSec 6-6
IPSec Authentication 6-6
IPSec Encryption 6-6
IKE Authentication 6-7
IKE Diffie-Hellman Group 6-7
IKE Phase 1 Aggressive and Main Modes 6-7
IKE Lifetime Timeout 6-7
IPSec Passthrough 6-8
Web-Based Authentication 6-8
Local Netuser 6-8
Configuring Quality of Service 6-8
Configuring QoS Enhanced BSS (QBSS) 6-9
CHAPTER 7 Controlling Lightweight Access Points 7-1
Lightweight Access Point Overview 7-2
Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points 7-2
Cisco 1030 Remote Edge Lightweight Access Points 7-3
Cisco 1000 Series Lightweight Access Point Part Numbers 7-4
Cisco 1000 Series Lightweight Access Point External and Internal Antennas 7-4
External Antenna Connectors 7-5
Antenna Sectorization 7-5
Cisco 1000 Series Lightweight Access Point LEDs 7-5
Cisco 1000 Series Lightweight Access Point Connectors 7-6
Cisco 1000 Series Lightweight Access Point Power Requirements 7-6
Cisco 1000 Series Lightweight Access Point External Power Supply 7-7
Cisco 1000 Series Lightweight Access Point Mounting Options 7-7
Cisco 1000 Series Lightweight Access Point Physical Security 7-7
Cisco 1000 Series Lightweight Access Point Monitor Mode 7-7
Using the DNS for Controller Discovery 7-7
Dynamic Frequency Selection 7-8
Autonomous Access Points Converted to Lightweight Mode 7-9
Guidelines for Using Access Points Converted to Lightweight Mode 7-9
Reverting from Lightweight Mode to Autonomous Mode 7-9
Using a Controller to Return to a Previous Release 7-10
Using the MODE Button and a TFTP Server to Return to a Previous Release 7-10
Controllers Accept SSCs from Access Points Converted to Lightweight Mode 7-11
Using DHCP Option 43 7-11
Using a Controller to Send Debug Commands to Access Points Converted to Lightweight Mode 7-11
Converted Access Points Send Crash Information to Controller 7-12
Converted Access Points Send Radio Core Dumps to Controller 7-12
Enabling Memory Core Dumps from Converted Access Points 7-12
Display of MAC Addresses for Converted Access Points 7-12
Disabling the Reset Button on Access Points Converted to Lightweight Mode 7-13
Configuring a Static IP Address on an Access Point Converted to Lightweight Mode 7-13
CHAPTER 8 Managing Controller Software and Configurations 8-1
Transferring Files to and from a Controller 8-2
Upgrading Controller Software 8-2
Saving Configurations 8-4
Clearing the Controller Configuration 8-4
Erasing the Controller Configuration 8-4
Resetting the Controller 8-5
CHAPTER 9 Configuring Radio Resource Management 9-1
Overview of Radio Resource Management 9-2
Radio Resource Monitoring 9-2
Dynamic Channel Assignment 9-3
Dynamic Transmit Power Control 9-4
Coverage Hole Detection and Correction 9-4
Client and Network Load Balancing 9-4
RRM Benefits 9-5
Overview of RF Groups 9-5
RF Group Leader 9-5
RF Group Name 9-6
Configuring an RF Group 9-6
Using the GUI to Configure an RF Group 9-7
Using the CLI to Configure RF Groups 9-8
Viewing RF Group Status 9-8
Using the GUI to View RF Group Status 9-8
Using the CLI to View RF Group Status 9-11
Enabling Rogue Access Point Detection 9-12
Using the GUI to Enable Rogue Access Point Detection 9-12
Using the CLI to Enable Rogue Access Point Detection 9-15
Configuring Dynamic RRM 9-15
Using the GUI to Configure Dynamic RRM 9-16
Using the CLI to Configure Dynamic RRM 9-22
Overriding Dynamic RRM 9-23
Statically Assigning Channel and Transmit Power Settings to Access Point Radios 9-24
Using the GUI to Statically Assign Channel and Transmit Power Settings 9-24
Using the CLI to Statically Assign Channel and Transmit Power Settings 9-26
Disabling Dynamic Channel and Power Assignment Globally for a Controller 9-27
Using the GUI to Disable Dynamic Channel and Power Assignment 9-27
Using the CLI to Disable Dynamic Channel and Power Assignment 9-27
Viewing Additional RRM Settings Using the CLI 9-28
CHAPTER 10 Configuring Mobility Groups 10-1
Overview of Mobility 10-2
Overview of Mobility Groups 10-5
Determining When to Include Controllers in a Mobility Group 10-7
Configuring Mobility Groups 10-7
Prerequisites 10-7
Using the GUI to Configure Mobility Groups 10-8
Using the CLI to Configure Mobility Groups 10-11
Configuring Auto-Anchor Mobility 10-11
Guidelines for Using Auto-Anchor Mobility 10-12
Using the GUI to Configure Auto-Anchor Mobility 10-12
Using the CLI to Configure Auto-Anchor Mobility 10-14
APPENDIX A Safety Considerations and Translated Safety Warnings A-1
Safety Considerations A-2
Warning Definition A-2
Class 1 Laser Product Warning A-5
Ground Conductor Warning A-7
Chassis Warning for Rack-Mounting and Servicing A-9
Battery Handling Warning for 4400 Series Controllers A-18
Equipment Installation Warning A-20
More Than One Power Supply Warning for 4400 Series Controllers A-23
APPENDIX B Declarations of Conformity and Regulatory Information B-1
Regulatory Information for 1000 Series Access Points B-2
Manufacturers Federal Communication Commission Declaration of Conformity Statement B-2
Department of Communications—Canada B-3
Canadian Compliance Statement B-3
European Community, Switzerland, Norway, Iceland, and Liechtenstein B-4
Declaration of Conformity with Regard to the R&TTE Directive 1999/5/EC B-4
Declaration of Conformity for RF Exposure B-5
Guidelines for Operating Cisco Aironet Access Points in Japan B-6
Administrative Rules for Cisco Aironet Access Points in Taiwan B-7
Access Points with IEEE 802.11a Radios B-7
All Access Points B-7
Declaration of Conformity Statements B-8
FCC Statements for Cisco 2000 Series Wireless LAN Controllers B-8
FCC Statements for Cisco 4100 Series Wireless LAN Controllers and Cisco 4400 Series Wireless LAN Controllers B-9
APPENDIX C End User License and Warranty C-1
End User License Agreement C-2
Limited Warranty C-4
Disclaimer of Warranty C-6
General Terms Applicable to the Limited Warranty Statement and End User License Agreement C-6
Additional Open Source Terms C-7
APPENDIX D System Messages and Access Point LED Patterns D-1
System Messages D-2
Using Client Reason and Status Codes in Trap Logs D-4
Client Reason Codes D-4
Client Status Codes D-5
Using Lightweight Access Point LEDs D-6
INDEX
Preface
This preface provides an overview of the Cisco Wireless LAN Controller Configuration Guide (OL-8335-02), references related publications, and explains how to obtain other documentation and technical assistance, if necessary. It contains these sections:
Audience, page xiv
Purpose, page xiv
Organization, page xiv
Conventions, page xv
Related Publications, page xvii
Obtaining Documentation, page xvii
Documentation Feedback, page xviii
Cisco Product Security Overview, page xix
Obtaining Technical Assistance, page xx
Obtaining Additional Publications and Information, page xxi
Audience
This guide describes Cisco Wireless LAN Controllers and Cisco Lightweight Access Points. This guide is for the networking professional who installs and manages these devices. To use this guide, you should be familiar with the concepts and terminology of wireless LANs.
Purpose
This guide provides the information you need to set up and configure wireless LAN controllers.
Organization
This guide is organized into these chapters:
Chapter 1, “Overview,” provides an overview of the network roles and features of wireless LAN controllers.
Chapter 2, “Using the Web-Browser and CLI Interfaces,” describes how to use the controller GUI and CLI.
Chapter 3, “Configuring Ports and Interfaces,” describes the controller’s physical ports and interfaces and provides instructions for configuring them.
Chapter 4, “Configuring Controller Settings,” describes how to configure settings on the controllers.
Chapter 5, “Configuring Security Solutions,” describes application-specific solutions for wireless LANs.
Chapter 6, “Configuring WLANs,” describes how to configure wireless LANs and SSIDs on your system.
Chapter 7, “Controlling Lightweight Access Points,” explains how to connect access points to the controller and manage access point settings.
Chapter 8, “Managing Controller Software and Configurations,” describes how to upgrade and manage controller software and configurations.
Chapter 9, “Configuring Radio Resource Management,” describes radio resource management (RRM) and explains how to configure it on the controllers.
Chapter 10, “Configuring Mobility Groups,” describes mobility groups and explains how to configure them on the controllers.
Appendix A, “Safety Considerations and Translated Safety Warnings,” lists safety considerations and translations of the safety warnings that apply to the Cisco Unified Wireless Network Solution products.
Appendix B, “Declarations of Conformity and Regulatory Information,” provides declarations of conformity and regulatory information for the products in the Cisco Unified Wireless Network Solution.
Appendix C, “End User License and Warranty,” describes the end user license and warranty that apply to the Cisco Unified Wireless Network Solution products.
Appendix D, “System Messages and Access Point LED Patterns,” lists system messages that can appear on the Cisco Unified Wireless Network Solution interfaces and describes the LED patterns on lightweight access points.
Conventions
This publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
Commands and keywords are in boldface text.
Arguments for which you supply values are in italic.
Square brackets ([ ]) mean optional elements.
Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
Interactive examples use these conventions:
Terminal sessions and system displays are in screen font.
Information you enter is in boldface screen font.
Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Notes, cautions, and timesavers use these conventions and symbols:
Tip: Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.
Note: Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Warning: This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix “Translated Safety Warnings.”)
The same warning statement is repeated in the original in Dutch (Waarschuwing), Finnish (Varoitus), French (Attention), German (Warnung), Italian (Avvertenza), Norwegian (Advarsel), Portuguese (Aviso), Spanish (¡Advertencia!), and Swedish (Varning!); each translation carries the same text as the English warning above.
Related Publications
These documents provide complete information about the Cisco Unified Wireless Network Solution:
Cisco Wireless LAN Controller Command Reference
Quick Start Guide: Cisco 2000 Series Wireless LAN Controllers
Quick Start Guide: Cisco 4100 Series Wireless LAN Controllers
Quick Start Guide: Cisco 4400 Series Wireless LAN Controllers
Quick Start Guide: VPN Termination Module for Cisco 4400 Series Wireless LAN Controllers
Quick Start Guide: VPN/Enhanced Security Modules for Cisco 4100 Series Wireless LAN Controllers
Cisco Wireless Control System Configuration Guide
Quick Start Guide: Cisco Wireless Control System for Microsoft Windows
Quick Start Guide: Cisco Wireless Control System for Linux
Quick Start Guide: Cisco Aironet 1000 Series Lightweight Access Points with Internal Antennas
Quick Start Guide: Cisco Aironet 1000 Series Lightweight Access Points with External Antennas
Click this link to browse to user documentation for the Cisco Unified Wireless Network Solution:
http://www.cisco.com/en/US/products/hw/wireless/tsd_products_support_category_home.html
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
The Product Documentation DVD is a comprehensive library of technical product documentation on a portable medium. The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .PDF versions of the documentation available.
The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Ordering Documentation
Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.
You can submit comments about Cisco documentation by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems Attn: Customer Document Ordering 170 West Tasman Drive San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to:
Report security vulnerabilities in Cisco products.
Obtain assistance with security incidents that involve Cisco products.
Register to receive security information from Cisco.
A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:
For Emergencies only—security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
For Nonemergencies—psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
1 877 228-7302
1 408 525-6532
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers before sending any sensitive material to find other means of encrypting the data.
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of the network is impaired, while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:
http://www.cisco.com/go/guide
Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
or view the digital edition at this URL:
http://ciscoiq.texterity.com/ciscoiq/sample/
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:
http://www.cisco.com/en/US/products/index.html
Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
Chapter 1 Overview
This chapter describes the controller components and features. It contains these sections:
Cisco Wireless LAN Solution Overview, page 1-2
Operating System Software, page 1-5
Operating System Security, page 1-5
Layer 2 and Layer 3 LWAPP Operation, page 1-7
Cisco Wireless LAN Controllers, page 1-7
Client Roaming, page 1-8
External DHCP Servers, page 1-10
Cisco WLAN Solution Wired Connections, page 1-11
Cisco WLAN Solution Wireless LANs, page 1-11
Access Control Lists, page 1-12
Identity Networking, page 1-12
File Transfers, page 1-13
Power over Ethernet, page 1-14
Pico Cell Functionality, page 1-14
Intrusion Detection Service (IDS), page 1-15
Wireless LAN Controller Platforms, page 1-15
Rogue Access Points, page 1-24
Web User Interface and the CLI, page 1-25
Cisco Wireless LAN Solution Overview
The Cisco Wireless LAN Solution is designed to provide 802.11 wireless networking for enterprises and service providers. It simplifies deploying and managing large-scale wireless LANs and enables a unique best-in-class security infrastructure. The operating system manages all data, client communication, and system administration functions, performs Radio Resource Management (RRM) functions, manages system-wide mobility policies, and coordinates all security functions using the operating system security framework.
The Cisco Wireless LAN Solution consists of Cisco Wireless LAN Controllers and their associated lightweight access points controlled by the operating system, all concurrently managed by any or all of the operating system user interfaces:
An HTTP and/or HTTPS full-featured Web User Interface hosted by Cisco Wireless LAN Controllers can be used to configure and monitor individual controllers. See the “Web User Interface and the CLI” section on page 1-25.
A full-featured command-line interface (CLI) can be used to configure and monitor individual Cisco Wireless LAN Controllers. See the “Web User Interface and the CLI” section on page 1-25.
The Cisco Wireless Control System (WCS), which you use to configure and monitor one or more Cisco Wireless LAN Controllers and associated access points. WCS has tools to facilitate large-system monitoring and control. WCS runs on Windows 2000, Windows 2003, and Red Hat Enterprise Linux ES servers.
An industry-standard SNMP V1, V2c, and V3 interface can be used with any SNMP-compliant third-party network management system.
The Cisco Wireless LAN Solution supports client data services, client monitoring and control, and all rogue access point detection, monitoring, and containment functions. The Cisco Wireless LAN Solution uses lightweight access points, Cisco Wireless LAN Controllers, and the optional Cisco WCS to provide wireless services to enterprises and service providers.
Note This document refers to Cisco Wireless LAN Controllers throughout. Unless specifically called out, the descriptions herein apply to all Cisco Wireless LAN Controllers, including but not limited to Cisco 2000 Series Wireless LAN Controllers, Cisco 4100 Series Wireless LAN Controllers, Cisco 4400 Series Wireless LAN Controllers, and the controllers on the Wireless Services Module (WiSM).
Figure 1-1 shows the Cisco Wireless LAN Solution components, which can be simultaneously deployed
across multiple floors and buildings.
Figure 1-1 Cisco WLAN Solution Components
Single-Controller Deployments
A standalone controller can support lightweight access points across multiple floors and buildings simultaneously, and supports the following features:
Autodetecting and autoconfiguring lightweight access points as they are added to the network.
Full control of lightweight access points.
Full control of up to 16 wireless LAN (SSID) policies for Cisco 1000 series access points.
Note LWAPP-enabled access points support up to 8 wireless LAN (SSID) policies.
Lightweight access points connect to controllers through the network. The network equipment may or may not provide Power over Ethernet to the access points.
Note that some controllers use redundant Gigabit Ethernet connections to bypass single network failures.
Note Some controllers can connect through multiple physical ports to multiple subnets in the network. This feature can be helpful when Cisco WLAN Solution operators want to confine multiple VLANs to separate subnets.
Figure 1-2 shows a typical single-controller deployment.
Figure 1-2 Single-Controller Deployment
Multiple-Controller Deployments
Each controller can support lightweight access points across multiple floors and buildings simultaneously. However, full functionality of the Cisco Wireless LAN Solution is realized when it includes multiple controllers. A multiple-controller system has the following additional features:
Autodetecting and autoconfiguring RF parameters as the controllers are added to the network.
Same-Subnet (Layer 2) Roaming and Inter-Subnet (Layer 3) Roaming.
Automatic access point failover to any redundant controller with a reduced access point load (refer to the “Cisco Wireless LAN Controller Failover Protection” section on page 1-20).
The following figure shows a typical multiple-controller deployment. The figure also shows an optional dedicated Management Network and the three physical connection types between the network and the controllers.
Figure 1-3 Typical Multi-Controller Deployment
Operating System Software
The operating system software controls Cisco Wireless LAN Controllers and Cisco 1000 Series Lightweight Access Points. It includes full operating system security and Radio Resource Management (RRM) features.
Operating System Security
Operating system security bundles Layer 1, Layer 2, and Layer 3 security components into a simple, Cisco WLAN Solution-wide policy manager that creates independent security policies for each of up to 16 wireless LANs. (Refer to the “Cisco WLAN Solution Wireless LANs” section on page 1-11.)
The 802.11 Static WEP weaknesses can be overcome using robust industry-standard security solutions, such as:
802.1X dynamic keys with extensible authentication protocol (EAP).
Wi-Fi protected access (WPA) dynamic keys. The Cisco WLAN Solution WPA implementation includes:
Temporal key integrity protocol (TKIP) with the Michael message integrity check (MIC) and dynamic keys, or
WEP keys, with or without a pre-shared key passphrase.
The WEP weaknesses can be further addressed using additional industry-standard security solutions, such as:
RSN with or without Pre-Shared key.
Cranite FIPS140-2 compliant passthrough.
Fortress FIPS140-2 compliant passthrough.
Optional MAC Filtering.
Terminated and passthrough VPNs
Terminated and passthrough Layer Two Tunneling Protocol (L2TP), which uses the IP Security (IPSec) protocol.
Terminated and passthrough IPSec protocols. The terminated Cisco WLAN Solution IPSec implementation includes:
Internet key exchange (IKE)
Diffie-Hellman (DH) groups, and
Three optional levels of encryption: DES (ANSI X3.92 data encryption standard), 3DES (ANSI X9.52-1998 triple data encryption algorithm), or AES/CBC (advanced encryption standard/cipher block chaining).
The Cisco WLAN Solution IPSec implementation also includes industry-standard authentication using:
Message digest algorithm (MD5), or
Secure hash algorithm-1 (SHA-1)
The Cisco Wireless LAN Solution supports local and RADIUS MAC Address filtering.
The Cisco Wireless LAN Solution supports local and RADIUS user/password authentication.
The Cisco Wireless LAN Solution also uses manual and automated Disabling to block access to network services. In manual Disabling, the operator blocks access by client MAC address. In automated Disabling, which is always active, the operating system software automatically blocks a client from network services for an operator-defined period of time when that client fails to authenticate for a fixed number of consecutive attempts. This deters brute-force login attacks.
These and other security features use industry-standard authorization and authentication methods to ensure the highest possible security for your business-critical wireless LAN traffic.
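The automated Disabling rule above (block a client for an operator-defined period after a fixed number of consecutive authentication failures, with the count reset by a successful authentication) can be expressed as a small per-MAC state tracker. The following Python is an added illustration and is not controller code; the threshold of five consecutive failures, the 60-second exclusion period and the sample authentication events are assumptions chosen for the example.

```python
"""Automated client Disabling (exclusion) after consecutive auth failures.

Added illustration, not controller code.  Assumed policy values: five
consecutive failures trigger the block, the block lasts 60 seconds, and a
successful authentication resets the consecutive-failure count.  The
sample event stream is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ExclusionPolicy:
    max_failures: int = 5          # consecutive failures before blocking (assumed)
    exclusion_seconds: float = 60  # operator-defined block period (assumed)


@dataclass
class ClientExclusion:
    policy: ExclusionPolicy = field(default_factory=ExclusionPolicy)
    failures: Dict[str, int] = field(default_factory=dict)        # mac -> consecutive failures
    excluded_until: Dict[str, float] = field(default_factory=dict)  # mac -> expiry time

    def is_excluded(self, mac: str, now: float) -> bool:
        until = self.excluded_until.get(mac)
        if until is None:
            return False
        if now >= until:
            # block expired: clear state so the client may try again
            del self.excluded_until[mac]
            self.failures.pop(mac, None)
            return False
        return True

    def record(self, mac: str, ok: bool, now: float) -> str:
        """Process one authentication attempt.

        Returns "excluded" (attempt dropped, client blocked), "allowed"
        (authenticated) or "failed" (wrong credentials, not yet blocked).
        """
        if self.is_excluded(mac, now):
            return "excluded"
        if ok:
            self.failures.pop(mac, None)   # success resets the consecutive count
            return "allowed"
        count = self.failures.get(mac, 0) + 1
        self.failures[mac] = count
        if count >= self.policy.max_failures:
            self.excluded_until[mac] = now + self.policy.exclusion_seconds
            return "excluded"
        return "failed"


# Constructed sample stream: (time in seconds, client MAC, auth succeeded)
SAMPLE_EVENTS: List[Tuple[float, str, bool]] = [
    (0.0, "00:11:22:33:44:55", False),
    (1.0, "00:11:22:33:44:55", False),
    (1.5, "aa:bb:cc:dd:ee:01", False),
    (2.0, "00:11:22:33:44:55", False),
    (2.5, "aa:bb:cc:dd:ee:01", True),    # success resets this client's count
    (3.0, "00:11:22:33:44:55", False),
    (4.0, "00:11:22:33:44:55", False),   # fifth consecutive failure: blocked
    (10.0, "00:11:22:33:44:55", True),   # correct credentials, still blocked
    (20.0, "aa:bb:cc:dd:ee:01", False),
    (21.0, "aa:bb:cc:dd:ee:01", False),
    (22.0, "aa:bb:cc:dd:ee:01", False),  # only three in a row: not blocked
    (70.0, "00:11:22:33:44:55", True),   # block expired: allowed again
]


def replay(events=SAMPLE_EVENTS, policy: Optional[ExclusionPolicy] = None) -> List[str]:
    """Run the tracker over an event stream and return the verdict per event."""
    tracker = ClientExclusion(policy or ExclusionPolicy())
    return [tracker.record(mac, ok, t) for t, mac, ok in events]


if __name__ == "__main__":
    for (t, mac, ok), verdict in zip(SAMPLE_EVENTS, replay()):
        print(f"t={t:5.1f} {mac} ok={str(ok):5} -> {verdict}")
```

The consecutive-failure counter is keyed on MAC address, so a legitimate client that mistypes a password a few times and then succeeds is never blocked, while a guessing client is shut out for the full period even if it later presents the right credentials.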
Cisco WLAN Solution Wired Security
Many traditional access point vendors concentrate on security for the wireless interface, similar to that described in the “Operating System Security” section on page 1-5. The operating system also includes built-in security for the Cisco Wireless LAN Controller service interfaces, for Cisco Wireless LAN Controller to access point communications, and for inter-Cisco Wireless LAN Controller communications during device servicing and client roaming.
Each Cisco Wireless LAN Controller and Cisco 1000 series lightweight access point is manufactured with a unique, signed X.509 certificate. This certificate is used to authenticate IPSec tunnels between devices. These IPSec tunnels ensure secure communications for mobility and device servicing.
Cisco Wireless LAN Controllers and Cisco 1000 series lightweight access points also use the signed certificates to verify downloaded code before it is loaded, ensuring that hackers do not download malicious code into any Cisco Wireless LAN Controller or Cisco 1000 series lightweight access point.
Layer 2 and Layer 3 LWAPP Operation
The LWAPP communications between Cisco Wireless LAN Controller and Cisco 1000 series lightweight access points can be conducted at ISO Data Link Layer 2 or Network Layer 3.
Note The IPv4 network layer protocol is supported for transport through an LWAPP controller system. IPv6 (for clients only) and Appletalk are also supported but only on 4400 series controllers and the Cisco WiSM. Other Layer 3 protocols (such as IPX, DECnet Phase IV, OSI CLNP, and so on) and Layer 2 (bridged) protocols (such as LAT and NetBeui) are not supported.
Operational Requirements
The requirement for Layer 2 LWAPP communications is that the Cisco Wireless LAN Controller and Cisco 1000 series lightweight access points must be connected to each other through Layer 2 devices on the same subnet. This is the default operational mode for the Cisco Wireless LAN Solution. Note that when the Cisco Wireless LAN Controller and Cisco 1000 series lightweight access points are on different subnets, these devices must be operated in Layer 3 mode.
The requirement for Layer 3 LWAPP communications is that the Cisco Wireless LAN Controllers and Cisco 1000 series lightweight access points can be connected through Layer 2 devices on the same subnet, or connected through Layer 3 devices across subnets.
Note that all Cisco Wireless LAN Controllers in a mobility group must use the same LWAPP mode (Layer 2 or Layer 3); mixing modes within a mobility group prevents the mobility software from working correctly.
Configuration Requirements
When you are operating the Cisco Wireless LAN Solution in Layer 2 mode, you must configure a management interface to control your Layer 2 communications.
When you are operating the Cisco Wireless LAN Solution in Layer 3 mode, you must configure an AP-manager interface to control Cisco 1000 series lightweight access points and a management interface as configured for Layer 2 mode.
Cisco Wireless LAN Controllers
When you add Cisco 1000 series lightweight access points to a network with multiple Cisco Wireless LAN Controllers, it is convenient to have all new access points associate with one master controller on the same subnet. That way, the operator does not have to log into multiple controllers to find out which controller a newly added access point associated with.
One controller in each subnet can be assigned as the master controller while adding lightweight access points. As long as a master controller is active on the same subnet, all new access points without a primary, secondary, and tertiary controller assigned automatically attempt to associate with the master Cisco Wireless LAN Controller. This process is described in the “Cisco Wireless LAN Controller Failover Protection” section on page 1-20.
The operator can monitor the master controller using the WCS Web User Interface and watch as access points associate with the master controller. The operator can then verify access point configuration and assign a primary, secondary, and tertiary controller to the access point, and reboot the access point so it reassociates with its primary, secondary, or tertiary controller.
Note Lightweight access points without a primary, secondary, and tertiary controller assigned always search for a master controller first upon reboot. After adding lightweight access points through the master controller, assign primary, secondary, and tertiary controllers to each access point. Cisco recommends that you disable the master setting on all controllers after initial configuration.
Primary, Secondary, and Tertiary Controllers
In multiple-controller networks, lightweight access points can associate with any controller on the same subnet. To ensure that each access point associates with a particular controller, the operator can assign primary, secondary, and tertiary controllers to the access point.
When a primed access point is added to a network, it looks for its primary, secondary, and tertiary controllers first, then a master controller, then the least-loaded controller with available access point ports. Refer to the “Cisco Wireless LAN Controller Failover Protection” section on page 1-20 for more information.
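The controller selection order above (primary, secondary and tertiary controllers, then a master controller, then the least-loaded controller with an available access point port), together with the earlier note that all controllers in a mobility group must run the same LWAPP mode, as an added Python illustration. This is not access point or controller code: the controller names, capacities and loads are constructed, "least-loaded" is taken to mean fewest joined access points, and a controller that is unreachable or already at capacity is assumed to be skipped at every step.

```python
"""Controller selection by a lightweight access point, and a mobility
group LWAPP-mode consistency check.

Added illustration, not access point or controller code.  Assumptions:
"least-loaded" means fewest joined access points; an unreachable or full
controller is skipped at every step; the sample deployment is constructed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Controller:
    name: str
    capacity: int            # access point ports (maximum joined APs)
    load: int                # access points currently joined
    master: bool = False     # "master controller" setting
    lwapp_mode: str = "L3"   # "L2" or "L3" LWAPP operation
    reachable: bool = True   # answers discovery from this access point

    def available(self) -> bool:
        """Reachable and still has a free access point port."""
        return self.reachable and self.load < self.capacity


def select_controller(controllers: Sequence[Controller],
                      primary: Optional[str] = None,
                      secondary: Optional[str] = None,
                      tertiary: Optional[str] = None) -> Optional[Controller]:
    """Pick the controller a (possibly primed) access point joins, or None."""
    by_name = {c.name: c for c in controllers}
    # 1. primed controllers, tried in order
    for name in (primary, secondary, tertiary):
        c = by_name.get(name) if name else None
        if c is not None and c.available():
            return c
    # 2. a master controller
    for c in controllers:
        if c.master and c.available():
            return c
    # 3. least-loaded controller with an available access point port
    candidates = [c for c in controllers if c.available()]
    return min(candidates, key=lambda c: c.load) if candidates else None


def mobility_modes_consistent(controllers: Sequence[Controller]) -> bool:
    """True when every controller in the mobility group uses the same LWAPP mode."""
    return len({c.lwapp_mode for c in controllers}) <= 1


# Constructed sample deployment
SAMPLE = [
    Controller("wlc-a", capacity=50, load=50, master=True),     # master, but full
    Controller("wlc-b", capacity=100, load=30),
    Controller("wlc-c", capacity=25, load=5, reachable=False),  # down
    Controller("wlc-d", capacity=50, load=10),
]

if __name__ == "__main__":
    # primary down, so the secondary is used
    print(select_controller(SAMPLE, primary="wlc-c", secondary="wlc-b").name)
    # unprimed AP: master is full, least-loaded reachable controller wins
    print(select_controller(SAMPLE).name)
    print(mobility_modes_consistent(SAMPLE))
```

Running the selection against the sample shows why Cisco recommends disabling the master setting after deployment: once the master is full or absent, an unprimed access point silently joins whichever controller happens to be least loaded, which may not be the one the operator intended.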
Client Roaming
The Cisco Wireless LAN Solution supports seamless client roaming across Cisco 1000 series lightweight access points managed by the same Cisco Wireless LAN Controller, between Cisco Wireless LAN Controllers in the same Cisco WLAN Solution Mobility Group on the same subnet, and across controllers in the same Mobility Group on different subnets.
Same-Subnet (Layer 2) Roaming
Each Cisco Wireless LAN Controller supports same-controller client roaming across access points managed by the same controller. This roaming is transparent to the client as the session is sustained and the client continues using the same DHCP-assigned or client-assigned IP Address. The controller provides DHCP functionality with a relay function. Same-controller roaming is supported in single-controller deployments and in multiple-controller deployments.
Inter-Controller (Layer 2) Roaming
In multiple-controller deployments, the Cisco Wireless LAN Solution supports client roaming across access points managed by controllers in the same mobility group and on the same subnet. This roaming is also transparent to the client, as the session is sustained and a tunnel between controllers allows the client to continue using the same DHCP- or client-assigned IP Address as long as the session remains active. Note that the tunnel is torn down and the client must reauthenticate when the client sends a DHCP Discover with a 0.0.0.0 client IP Address or a 169.254.*.* client auto-IP Address, or when the operator-set session timeout is exceeded.
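The tunnel teardown conditions for inter-controller roaming above, as an added Python illustration; it is not controller code. It assumes the "client IP address" in the rule is the source address of the IP datagram carrying the DHCP Discover (a Discover itself always carries ciaddr 0.0.0.0), parses the DHCP payload only for the message type (option 53), and uses constructed packets and session values.

```python
"""Inter-controller (Layer 2) roaming tunnel teardown decision.

The tunnel is kept while the session is active and torn down, forcing the
client to reauthenticate, when the client sends a DHCP Discover from
0.0.0.0 or from a 169.254.x.x auto-IP address, or when the operator-set
session timeout is exceeded.

Added illustration, not controller code.  Assumptions: the client IP
address is the source address of the datagram carrying the DHCP message;
only option 53 is read from the DHCP payload; packets are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 options magic cookie
DHCPDISCOVER, DHCPREQUEST = 1, 3   # option 53 message types
AUTO_IP = ipaddress.ip_network("169.254.0.0/16")


def dhcp_message_type(payload: bytes) -> Optional[int]:
    """Return option 53 from a BOOTP/DHCP payload, or None if absent."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 255:              # end option
            break
        if tag == 0:                # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):   # truncated option
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if tag == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None


def build_dhcp(msg_type: int, chaddr: bytes = bytes.fromhex("001122334455")) -> bytes:
    """Constructed minimal DHCP message carrying only the message-type option."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,      # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return header + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


@dataclass
class RoamSession:
    client_mac: str
    started: float            # time the session was authenticated
    session_timeout: float    # operator-set timeout in seconds


def teardown_reason(session: RoamSession, now: float,
                    src_ip: Optional[str] = None,
                    dhcp_payload: Optional[bytes] = None) -> Optional[str]:
    """Return why the roaming tunnel must be torn down, or None to keep it."""
    if now - session.started > session.session_timeout:
        return "session-timeout"
    if dhcp_payload is None or src_ip is None:
        return None
    if dhcp_message_type(dhcp_payload) != DHCPDISCOVER:
        return None
    addr = ipaddress.ip_address(src_ip)
    if addr == ipaddress.ip_address("0.0.0.0"):
        return "dhcp-discover-from-0.0.0.0"
    if addr in AUTO_IP:
        return "dhcp-discover-from-auto-ip"
    return None


if __name__ == "__main__":
    s = RoamSession("00:11:22:33:44:55", started=0.0, session_timeout=1800.0)
    print(teardown_reason(s, 10.0, "0.0.0.0", build_dhcp(DHCPDISCOVER)))
    print(teardown_reason(s, 10.0, "169.254.7.9", build_dhcp(DHCPDISCOVER)))
    print(teardown_reason(s, 10.0, "10.1.1.5", build_dhcp(DHCPREQUEST)))
    print(teardown_reason(s, 2000.0))
```

A DHCP Request from a client renewing its existing lease keeps the tunnel, which is what allows the roamed client to retain its address; only a fresh Discover, the signal that the client has abandoned that address, or the session timeout ends the anchored session.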