Cisco Release 3.2 User Manual

Cisco Wireless LAN Controller Configuration Guide
Software Release 3.2 March 2006
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
Fax: 408 526-4100
Text Part Number: OL-8335-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0601R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Cisco Wireless LAN Controller Configuration Guide
Copyright © 2005-2006 Cisco Systems, Inc. All rights reserved.
Contents

Preface xiii
    Audience xiv
    Purpose xiv
    Organization xiv
    Conventions xv
    Related Publications xvii
    Obtaining Documentation xvii
        Cisco.com xvii
        Product Documentation DVD xviii
        Ordering Documentation xviii
    Documentation Feedback xviii
    Cisco Product Security Overview xix
        Reporting Security Problems in Cisco Products xix
    Obtaining Technical Assistance xx
        Cisco Technical Support & Documentation Website xx
        Submitting a Service Request xx
        Definitions of Service Request Severity xxi
    Obtaining Additional Publications and Information xxi

Chapter 1 Overview 1-1
    Cisco Wireless LAN Solution Overview 1-2
        Single-Controller Deployments 1-3
        Multiple-Controller Deployments 1-4
    Operating System Software 1-5
    Operating System Security 1-5
    Cisco WLAN Solution Wired Security 1-6
    Layer 2 and Layer 3 LWAPP Operation 1-7
        Operational Requirements 1-7
        Configuration Requirements 1-7
    Cisco Wireless LAN Controllers 1-7
        Primary, Secondary, and Tertiary Controllers 1-8
    Client Roaming 1-8
        Same-Subnet (Layer 2) Roaming 1-8
        Inter-Controller (Layer 2) Roaming 1-8
        Inter-Subnet (Layer 3) Roaming 1-9
        Special Case: Voice Over IP Telephone Roaming 1-9
    Client Location 1-9
    External DHCP Servers 1-10
        Per-Wireless LAN Assignment 1-10
        Per-Interface Assignment 1-10
        Security Considerations 1-10
    Cisco WLAN Solution Wired Connections 1-11
    Cisco WLAN Solution Wireless LANs 1-11
    Access Control Lists 1-12
    Identity Networking 1-12
    Enhanced Integration with Cisco Secure ACS 1-13
    File Transfers 1-13
    Power over Ethernet 1-14
    Pico Cell Functionality 1-14
    Intrusion Detection Service (IDS) 1-15
    Wireless LAN Controller Platforms 1-15
        Cisco 2000 Series Wireless LAN Controllers 1-16
        Cisco 4100 Series Wireless LAN Controllers 1-16
        Cisco 4400 Series Wireless LAN Controllers 1-17
        Cisco 2000 Series Wireless LAN Controller Model Numbers 1-17
        Cisco 4100 Series Wireless LAN Controller Model Numbers 1-18
        Cisco 4400 Series Wireless LAN Controller Model Numbers 1-18
        Startup Wizard 1-19
        Cisco Wireless LAN Controller Memory 1-20
        Cisco Wireless LAN Controller Failover Protection 1-20
        Cisco Wireless LAN Controller Automatic Time Setting 1-21
        Cisco Wireless LAN Controller Time Zones 1-21
    Network Connections to Cisco Wireless LAN Controllers 1-21
        Cisco 2000 Series Wireless LAN Controllers 1-22
        Cisco 4100 Series Wireless LAN Controllers 1-22
        Cisco 4400 Series Wireless LAN Controllers 1-23
    VPN and Enhanced Security Modules for 4100 Series Controllers 1-24
    Rogue Access Points 1-24
        Rogue Access Point Location, Tagging, and Containment 1-25
    Web User Interface and the CLI 1-25
        Web User Interface 1-25
        Command Line Interface 1-26

Chapter 2 Using the Web-Browser and CLI Interfaces 2-1
    Using the Web-Browser Interface 2-2
        Guidelines for Using the GUI 2-2
        Opening the GUI 2-2
        Enabling Web and Secure Web Modes 2-2
        Configuring the GUI for HTTPS 2-2
        Loading an Externally Generated HTTPS Certificate 2-3
        Disabling the GUI 2-5
        Using Online Help 2-5
    Using the CLI 2-5
        Logging into the CLI 2-5
            Using a Local Serial Connection 2-6
            Using a Remote Ethernet Connection 2-6
        Logging Out of the CLI 2-7
        Navigating the CLI 2-7
    Enabling Wireless Connections to the Web-Browser and CLI Interfaces 2-8

Chapter 3 Configuring Ports and Interfaces 3-1
    Overview of Ports and Interfaces 3-2
        Ports 3-2
            Distribution System Ports 3-3
            Service Port 3-4
        Interfaces 3-5
            Management Interface 3-5
            AP-Manager Interface 3-6
            Virtual Interface 3-6
            Service-Port Interface 3-7
            Dynamic Interface 3-7
        WLANs 3-8
    Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces 3-9
        Using the GUI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces 3-9
        Using the CLI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces 3-12
            Using the CLI to Configure the Management Interface 3-12
            Using the CLI to Configure the AP-Manager Interface 3-12
            Using the CLI to Configure the Virtual Interface 3-13
            Using the CLI to Configure the Service-Port Interface 3-14
    Configuring Dynamic Interfaces 3-14
        Using the GUI to Configure Dynamic Interfaces 3-14
        Using the CLI to Configure Dynamic Interfaces 3-16
    Configuring Ports 3-17
        Configuring Port Mirroring 3-20
        Configuring Spanning Tree Protocol 3-21
            Using the GUI to Configure Spanning Tree Protocol 3-22
            Using the CLI to Configure Spanning Tree Protocol 3-26
    Enabling Link Aggregation 3-27
        Link Aggregation Guidelines 3-28
        Using the GUI to Enable Link Aggregation 3-29
        Using the CLI to Enable Link Aggregation 3-30
        Configuring Neighbor Devices to Support LAG 3-30
    Configuring a 4400 Series Controller to Support More Than 48 Access Points 3-30
        Using Link Aggregation 3-31
        Using Multiple AP-Manager Interfaces 3-31
        Connecting Additional Ports 3-36

Chapter 4 Configuring Controller Settings 4-1
    Using the Configuration Wizard 4-2
        Before You Start 4-2
        Resetting the Device to Default Settings 4-3
            Resetting to Default Settings Using the CLI 4-3
            Resetting to Default Settings Using the GUI 4-3
        Running the Configuration Wizard on the CLI 4-4
    Managing the System Time and Date 4-5
        Configuring Time and Date Manually 4-5
        Configuring NTP 4-5
    Configuring a Country Code 4-5
    Enabling and Disabling 802.11 Bands 4-6
    Configuring Administrator Usernames and Passwords 4-7
    Configuring RADIUS Settings 4-7
    Configuring SNMP Settings 4-7
    Enabling 802.3x Flow Control 4-8
    Enabling System Logging 4-8
    Enabling Dynamic Transmit Power Control 4-8
    Configuring Multicast Mode 4-9
        Understanding Multicast Mode 4-9
        Guidelines for Using Multicast Mode 4-9
        Enabling Multicast Mode 4-10
    Configuring the Supervisor 720 to Support the WiSM 4-10
        General WiSM Guidelines 4-10
        Configuring the Supervisor 4-11
    Using the Wireless LAN Controller Network Module 4-12

Chapter 5 Configuring Security Solutions 5-1
    Cisco WLAN Solution Security 5-2
        Security Overview 5-2
        Layer 1 Solutions 5-2
        Layer 2 Solutions 5-2
        Layer 3 Solutions 5-3
        Rogue Access Point Solutions 5-3
            Rogue Access Point Challenges 5-3
            Tagging and Containing Rogue Access Points 5-3
        Integrated Security Solutions 5-4
    Configuring the System for SpectraLink NetLink Telephones 5-4
        Using the GUI to Enable Long Preambles 5-5
        Using the CLI to Enable Long Preambles 5-5
    Using Management over Wireless 5-6
        Using the GUI to Enable Management over Wireless 5-6
        Using the CLI to Enable Management over Wireless 5-7
    Configuring DHCP 5-7
        Using the GUI to Configure DHCP 5-7
        Using the CLI to Configure DHCP 5-8
    Customizing the Web Authentication Login Screen 5-8
        Default Web Authentication Operation 5-9
        Customizing Web Authentication Operation 5-11
            Hiding and Restoring the Cisco WLAN Solution Logo 5-11
            Changing the Web Authentication Login Window Title 5-11
            Changing the Web Message 5-12
            Changing the Logo 5-12
            Creating a Custom URL Redirect 5-14
        Verifying Web Authentication Changes 5-14
        Example: Sample Customized Web Authentication Login Window 5-15
    Configuring Identity Networking 5-16
        Identity Networking Overview 5-16
        RADIUS Attributes Used in Identity Networking 5-17
            QoS-Level 5-17
            ACL-Name 5-17
            Interface-Name 5-18
            VLAN-Tag 5-18
            Tunnel Attributes 5-19

Chapter 6 Configuring WLANs 6-1
    Wireless LAN Overview 6-2
    Configuring Wireless LANs 6-2
        Displaying, Creating, Disabling, and Deleting Wireless LANs 6-2
        Activating Wireless LANs 6-3
        Assigning a Wireless LAN to a DHCP Server 6-3
        Configuring MAC Filtering for Wireless LANs 6-3
            Enabling MAC Filtering 6-3
            Creating a Local MAC Filter 6-3
            Configuring a Timeout for Disabled Clients 6-4
        Assigning Wireless LANs to VLANs 6-4
        Configuring Layer 2 Security 6-4
            Dynamic 802.1X Keys and Authorization 6-4
            WEP Keys 6-5
            Dynamic WPA Keys and Encryption 6-5
            Configuring a Wireless LAN for Both Static and Dynamic WEP 6-6
        Configuring Layer 3 Security 6-6
            IPSec 6-6
            IPSec Authentication 6-6
            IPSec Encryption 6-6
            IKE Authentication 6-7
            IKE Diffie-Hellman Group 6-7
            IKE Phase 1 Aggressive and Main Modes 6-7
            IKE Lifetime Timeout 6-7
            IPSec Passthrough 6-8
            Web-Based Authentication 6-8
            Local Netuser 6-8
        Configuring Quality of Service 6-8
            Configuring QoS Enhanced BSS (QBSS) 6-9

Chapter 7 Controlling Lightweight Access Points 7-1
    Lightweight Access Point Overview 7-2
        Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points 7-2
        Cisco 1030 Remote Edge Lightweight Access Points 7-3
        Cisco 1000 Series Lightweight Access Point Part Numbers 7-4
        Cisco 1000 Series Lightweight Access Point External and Internal Antennas 7-4
            External Antenna Connectors 7-5
            Antenna Sectorization 7-5
        Cisco 1000 Series Lightweight Access Point LEDs 7-5
        Cisco 1000 Series Lightweight Access Point Connectors 7-6
        Cisco 1000 Series Lightweight Access Point Power Requirements 7-6
            Cisco 1000 Series Lightweight Access Point External Power Supply 7-7
        Cisco 1000 Series Lightweight Access Point Mounting Options 7-7
        Cisco 1000 Series Lightweight Access Point Physical Security 7-7
        Cisco 1000 Series Lightweight Access Point Monitor Mode 7-7
    Using the DNS for Controller Discovery 7-7
    Dynamic Frequency Selection 7-8
    Autonomous Access Points Converted to Lightweight Mode 7-9
        Guidelines for Using Access Points Converted to Lightweight Mode 7-9
        Reverting from Lightweight Mode to Autonomous Mode 7-9
            Using a Controller to Return to a Previous Release 7-10
            Using the MODE Button and a TFTP Server to Return to a Previous Release 7-10
        Controllers Accept SSCs from Access Points Converted to Lightweight Mode 7-11
        Using DHCP Option 43 7-11
        Using a Controller to Send Debug Commands to Access Points Converted to Lightweight Mode 7-11
        Converted Access Points Send Crash Information to Controller 7-12
        Converted Access Points Send Radio Core Dumps to Controller 7-12
        Enabling Memory Core Dumps from Converted Access Points 7-12
        Display of MAC Addresses for Converted Access Points 7-12
        Disabling the Reset Button on Access Points Converted to Lightweight Mode 7-13
        Configuring a Static IP Address on an Access Point Converted to Lightweight Mode 7-13

Chapter 8 Managing Controller Software and Configurations 8-1
    Transferring Files to and from a Controller 8-2
    Upgrading Controller Software 8-2
    Saving Configurations 8-4
    Clearing the Controller Configuration 8-4
    Erasing the Controller Configuration 8-4
    Resetting the Controller 8-5

Chapter 9 Configuring Radio Resource Management 9-1
    Overview of Radio Resource Management 9-2
        Radio Resource Monitoring 9-2
        Dynamic Channel Assignment 9-3
        Dynamic Transmit Power Control 9-4
        Coverage Hole Detection and Correction 9-4
        Client and Network Load Balancing 9-4
        RRM Benefits 9-5
    Overview of RF Groups 9-5
        RF Group Leader 9-5
        RF Group Name 9-6
    Configuring an RF Group 9-6
        Using the GUI to Configure an RF Group 9-7
        Using the CLI to Configure RF Groups 9-8
    Viewing RF Group Status 9-8
        Using the GUI to View RF Group Status 9-8
        Using the CLI to View RF Group Status 9-11
    Enabling Rogue Access Point Detection 9-12
        Using the GUI to Enable Rogue Access Point Detection 9-12
        Using the CLI to Enable Rogue Access Point Detection 9-15
    Configuring Dynamic RRM 9-15
        Using the GUI to Configure Dynamic RRM 9-16
        Using the CLI to Configure Dynamic RRM 9-22
    Overriding Dynamic RRM 9-23
        Statically Assigning Channel and Transmit Power Settings to Access Point Radios 9-24
            Using the GUI to Statically Assign Channel and Transmit Power Settings 9-24
            Using the CLI to Statically Assign Channel and Transmit Power Settings 9-26
        Disabling Dynamic Channel and Power Assignment Globally for a Controller 9-27
            Using the GUI to Disable Dynamic Channel and Power Assignment 9-27
            Using the CLI to Disable Dynamic Channel and Power Assignment 9-27
    Viewing Additional RRM Settings Using the CLI 9-28

Chapter 10 Configuring Mobility Groups 10-1
    Overview of Mobility 10-2
    Overview of Mobility Groups 10-5
        Determining When to Include Controllers in a Mobility Group 10-7
    Configuring Mobility Groups 10-7
        Prerequisites 10-7
        Using the GUI to Configure Mobility Groups 10-8
        Using the CLI to Configure Mobility Groups 10-11
    Configuring Auto-Anchor Mobility 10-11
        Guidelines for Using Auto-Anchor Mobility 10-12
        Using the GUI to Configure Auto-Anchor Mobility 10-12
        Using the CLI to Configure Auto-Anchor Mobility 10-14

Appendix A Safety Considerations and Translated Safety Warnings A-1
    Safety Considerations A-2
    Warning Definition A-2
    Class 1 Laser Product Warning A-5
    Ground Conductor Warning A-7
    Chassis Warning for Rack-Mounting and Servicing A-9
    Battery Handling Warning for 4400 Series Controllers A-18
    Equipment Installation Warning A-20
    More Than One Power Supply Warning for 4400 Series Controllers A-23

Appendix B Declarations of Conformity and Regulatory Information B-1
    Regulatory Information for 1000 Series Access Points B-2
        Manufacturers Federal Communication Commission Declaration of Conformity Statement B-2
        Department of Communications—Canada B-3
            Canadian Compliance Statement B-3
        European Community, Switzerland, Norway, Iceland, and Liechtenstein B-4
            Declaration of Conformity with Regard to the R&TTE Directive 1999/5/EC B-4
        Declaration of Conformity for RF Exposure B-5
        Guidelines for Operating Cisco Aironet Access Points in Japan B-6
        Administrative Rules for Cisco Aironet Access Points in Taiwan B-7
            Access Points with IEEE 802.11a Radios B-7
            All Access Points B-7
        Declaration of Conformity Statements B-8
    FCC Statements for Cisco 2000 Series Wireless LAN Controllers B-8
    FCC Statements for Cisco 4100 Series Wireless LAN Controllers and Cisco 4400 Series Wireless LAN Controllers B-9

Appendix C End User License and Warranty C-1
    End User License Agreement C-2
    Limited Warranty C-4
    Disclaimer of Warranty C-6
    General Terms Applicable to the Limited Warranty Statement and End User License Agreement C-6
    Additional Open Source Terms C-7

Appendix D System Messages and Access Point LED Patterns D-1
    System Messages D-2
    Using Client Reason and Status Codes in Trap Logs D-4
        Client Reason Codes D-4
        Client Status Codes D-5
    Using Lightweight Access Point LEDs D-6

Index
Preface
This preface provides an overview of the Cisco Wireless LAN Controller Configuration Guide (OL-8335-02), references related publications, and explains how to obtain other documentation and technical assistance, if necessary. It contains these sections:
Audience, page xiv
Purpose, page xiv
Organization, page xiv
Conventions, page xv
Related Publications, page xvii
Obtaining Documentation, page xvii
Documentation Feedback, page xviii
Cisco Product Security Overview, page xix
Obtaining Technical Assistance, page xx
Obtaining Additional Publications and Information, page xxi
Audience
This guide describes Cisco Wireless LAN Controllers and Cisco Lightweight Access Points. This guide is for the networking professional who installs and manages these devices. To use this guide, you should be familiar with the concepts and terminology of wireless LANs.
Purpose
This guide provides the information you need to set up and configure wireless LAN controllers.
Organization
This guide is organized into these chapters:
Chapter 1, “Overview,” provides an overview of the network roles and features of wireless LAN controllers.
Chapter 2, “Using the Web-Browser and CLI Interfaces,” describes how to use the controller GUI and CLI.
Chapter 3, “Configuring Ports and Interfaces,” describes the controller’s physical ports and interfaces and provides instructions for configuring them.
Chapter 4, “Configuring Controller Settings,” describes how to configure settings on the controllers.
Chapter 5, “Configuring Security Solutions,” describes application-specific solutions for wireless LANs.
Chapter 6, “Configuring WLANs,” describes how to configure wireless LANs and SSIDs on your system.
Chapter 7, “Controlling Lightweight Access Points,” explains how to connect access points to the controller and manage access point settings.
Chapter 8, “Managing Controller Software and Configurations,” describes how to upgrade and manage controller software and configurations.
Chapter 9, “Configuring Radio Resource Management,” describes radio resource management (RRM) and explains how to configure it on the controllers.
Chapter 10, “Configuring Mobility Groups,” describes mobility groups and explains how to configure them on the controllers.
Appendix A, “Safety Considerations and Translated Safety Warnings,” lists safety considerations and translations of the safety warnings that apply to the Cisco Unified Wireless Network Solution products.
Appendix B, “Declarations of Conformity and Regulatory Information,” provides declarations of conformity and regulatory information for the products in the Cisco Unified Wireless Network Solution.
Appendix C, “End User License and Warranty,” describes the end user license and warranty that apply to the Cisco Unified Wireless Network Solution products.
Appendix D, “System Messages and Access Point LED Patterns,” lists system messages that can appear on the Cisco Unified Wireless Network Solution interfaces and describes the LED patterns on lightweight access points.
Conventions
This publication uses these conventions to convey instructions and information.
Command descriptions use these conventions:
Commands and keywords are in boldface text.
Arguments for which you supply values are in italic.
Square brackets ([ ]) mean optional elements.
Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
Interactive examples use these conventions:
Terminal sessions and system displays are in screen font.
Information you enter is in boldface screen font.
Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
Notes, cautions, and timesavers use these conventions and symbols:
Tip Means the following will help you solve a problem. The tip information might not be troubleshooting or even an action, but could be useful information.
Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix “Translated Safety Warnings.”)
This warning also appears in Dutch (Waarschuwing), Finnish (Varoitus), French (Attention), German (Warnung), Italian (Avvertenza), Norwegian (Advarsel), Portuguese (Aviso), Spanish (¡Advertencia!), and Swedish (Varning!), each with the same content and the same reference to the appendix “Translated Safety Warnings” for translations of all warnings in this publication.
Related Publications
These documents provide complete information about the Cisco Unified Wireless Network Solution:
Cisco Wireless LAN Controller Command Reference
Quick Start Guide: Cisco 2000 Series Wireless LAN Controllers
Quick Start Guide: Cisco 4100 Series Wireless LAN Controllers
Quick Start Guide: Cisco 4400 Series Wireless LAN Controllers
Quick Start Guide: VPN Termination Module for Cisco 4400 Series Wireless LAN Controllers
Quick Start Guide: VPN/Enhanced Security Modules for Cisco 4100 Series Wireless LAN Controllers
Cisco Wireless Control System Configuration Guide
Quick Start Guide: Cisco Wireless Control System for Microsoft Windows
Quick Start Guide: Cisco Wireless Control System for Linux
Quick Start Guide: Cisco Aironet 1000 Series Lightweight Access Points with Internal Antennas
Quick Start Guide: Cisco Aironet 1000 Series Lightweight Access Points with External Antennas
Click this link to browse to user documentation for the Cisco Unified Wireless Network Solution:
http://www.cisco.com/en/US/products/hw/wireless/tsd_products_support_category_home.html
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
The Product Documentation DVD is a comprehensive library of technical product documentation on a portable medium. The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .PDF versions of the documentation available.
The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com users (Cisco direct customers) can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Ordering Documentation
Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m. (0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by calling 011 408 519-5055. You can also order documentation by e-mail at tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada, or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback form that appears with the technical documents on Cisco.com.
You can submit comments about Cisco documentation by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to:
Report security vulnerabilities in Cisco products.
Obtain assistance with security incidents that involve Cisco products.
Register to receive security information from Cisco.
A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:
For Emergencies only—security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
For Nonemergencies—psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
1 877 228-7302
1 408 525-6532
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers before sending any sensitive material to find other means of encrypting the data.
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support & Documentation website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of the network is impaired, while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:
http://www.cisco.com/go/guide
Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/packet
iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
or view the digital edition at this URL:
http://ciscoiq.texterity.com/ciscoiq/sample/
Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
Networking products offered by Cisco Systems, as well as customer support services, can be obtained at this URL:
http://www.cisco.com/en/US/products/index.html
Networking Professionals Connection is an interactive website for networking professionals to share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
Chapter 1 Overview
This chapter describes the controller components and features. It contains these sections:
Cisco Wireless LAN Solution Overview, page 1-2
Operating System Software, page 1-5
Operating System Security, page 1-5
Layer 2 and Layer 3 LWAPP Operation, page 1-7
Cisco Wireless LAN Controllers, page 1-7
Client Roaming, page 1-8
External DHCP Servers, page 1-10
Cisco WLAN Solution Wired Connections, page 1-11
Cisco WLAN Solution Wireless LANs, page 1-11
Access Control Lists, page 1-12
Identity Networking, page 1-12
File Transfers, page 1-13
Power over Ethernet, page 1-14
Pico Cell Functionality, page 1-14
Intrusion Detection Service (IDS), page 1-15
Wireless LAN Controller Platforms, page 1-15
Rogue Access Points, page 1-24
Web User Interface and the CLI, page 1-25
Cisco Wireless LAN Solution Overview
The Cisco Wireless LAN Solution is designed to provide 802.11 wireless networking solutions for enterprises and service providers. The Cisco Wireless LAN Solution simplifies deploying and managing large-scale wireless LANs and enables a unique best-in-class security infrastructure. The operating system manages all data client, communications, and system administration functions, performs Radio Resource Management (RRM) functions, manages system-wide mobility policies using the operating system Security solution, and coordinates all security functions using the operating system security framework.
The Cisco Wireless LAN Solution consists of Cisco Wireless LAN Controllers and their associated lightweight access points controlled by the operating system, all concurrently managed by any or all of the operating system user interfaces:
An HTTP and/or HTTPS full-featured Web User Interface hosted by Cisco Wireless LAN Controllers can be used to configure and monitor individual controllers. See the “Web User Interface and the CLI” section on page 1-25.
A full-featured command-line interface (CLI) can be used to configure and monitor individual Cisco Wireless LAN Controllers. See the “Web User Interface and the CLI” section on page 1-25.
The Cisco Wireless Control System (WCS), which you use to configure and monitor one or more Cisco Wireless LAN Controllers and associated access points. WCS has tools to facilitate large-system monitoring and control. WCS runs on Windows 2000, Windows 2003, and Red Hat Enterprise Linux ES servers.
An industry-standard SNMP V1, V2c, and V3 interface can be used with any SNMP-compliant third-party network management system.
The Cisco Wireless LAN Solution supports client data services, client monitoring and control, and all rogue access point detection, monitoring, and containment functions. The Cisco Wireless LAN Solution uses lightweight access points, Cisco Wireless LAN Controllers, and the optional Cisco WCS to provide wireless services to enterprises and service providers.
Note This document refers to Cisco Wireless LAN Controllers throughout. Unless specifically called out, the descriptions herein apply to all Cisco Wireless LAN Controllers, including but not limited to Cisco 2000 Series Wireless LAN Controllers, Cisco 4100 Series Wireless LAN Controllers, Cisco 4400 Series Wireless LAN Controllers, and the controllers on the Wireless Services Module (WiSM).
Figure 1-1 shows the Cisco Wireless LAN Solution components, which can be simultaneously deployed across multiple floors and buildings.
Figure 1-1 Cisco WLAN Solution Components
Single-Controller Deployments
A standalone controller can support lightweight access points across multiple floors and buildings simultaneously, and supports the following features:
Autodetecting and autoconfiguring lightweight access points as they are added to the network.
Full control of lightweight access points.
Full control of up to 16 wireless LAN (SSID) policies for Cisco 1000 series access points.
Note LWAPP-enabled access points support up to 8 wireless LAN (SSID) policies.
Lightweight access points connect to controllers through the network. The network equipment may or may not provide Power over Ethernet to the access points.
Note that some controllers use redundant Gigabit Ethernet connections to bypass single network failures.
Note Some controllers can connect through multiple physical ports to multiple subnets in the network. This feature can be helpful when Cisco WLAN Solution operators want to confine multiple VLANs to separate subnets.
Figure 1-2 shows a typical single-controller deployment.
Figure 1-2 Single-Controller Deployment
Multiple-Controller Deployments
Each controller can support lightweight access points across multiple floors and buildings simultaneously. However, full functionality of the Cisco Wireless LAN Solution is realized when it includes multiple controllers. A multiple-controller system has the following additional features:
Autodetecting and autoconfiguring RF parameters as the controllers are added to the network.
Same-Subnet (Layer 2) Roaming and Inter-Subnet (Layer 3) Roaming.
Automatic access point failover to any redundant controller with a reduced access point load (refer to the “Cisco Wireless LAN Controller Failover Protection” section on page 1-20).
The following figure shows a typical multiple-controller deployment. The figure also shows an optional dedicated Management Network and the three physical connection types between the network and the controllers.
Figure 1-3 Typical Multi-Controller Deployment
Operating System Software
The operating system software controls Cisco Wireless LAN Controllers and Cisco 1000 Series Lightweight Access Points. It includes full operating system security and Radio Resource Management (RRM) features.
Operating System Security
Operating system security bundles Layer 1, Layer 2, and Layer 3 security components into a simple, Cisco WLAN Solution-wide policy manager that creates independent security policies for each of up to 16 wireless LANs. (Refer to the “Cisco WLAN Solution Wireless LANs” section on page 1-11.)
The 802.11 Static WEP weaknesses can be overcome using robust industry-standard security solutions, such as:
802.1X dynamic keys with extensible authentication protocol (EAP).
Wi-Fi protected access (WPA) dynamic keys. The Cisco WLAN Solution WPA implementation includes:
Temporal key integrity protocol (TKIP) + message integrity code checksum (Michael) dynamic keys, or
WEP keys, with or without Pre-Shared key Passphrase.
The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as:
RSN with or without Pre-Shared key.
Cranite FIPS140-2 compliant passthrough.
Fortress FIPS140-2 compliant passthrough.
Optional MAC Filtering.
Terminated and passthrough VPNs
Terminated and passthrough Layer Two Tunneling Protocol (L2TP), which uses the IP Security (IPSec) protocol.
Terminated and pass-through IPSec protocols. The terminated Cisco WLAN Solution IPSec implementation includes:
Internet key exchange (IKE)
Diffie-Hellman (DH) groups, and
Three optional levels of encryption: DES (ANSI X.3.92 data encryption standard), 3DES (ANSI X9.52-1998 data encryption standard), or AES/CBC (advanced encryption standard/cipher block chaining).
The Cisco WLAN Solution IPSec implementation also includes industry-standard authentication using:
Message digest algorithm (MD5), or
Secure hash algorithm-1 (SHA-1)
The Cisco Wireless LAN Solution supports local and RADIUS MAC Address filtering.
The Cisco Wireless LAN Solution supports local and RADIUS user/password authentication.
The Cisco Wireless LAN Solution also uses manual and automated Disabling to block access to network services. In manual Disabling, the operator blocks access using client MAC addresses. In automated Disabling, which is always active, the operating system software automatically blocks access to network services for an operator-defined period of time when a client fails to authenticate for a fixed number of consecutive attempts. This can be used to deter brute-force login attacks.
These and other security features use industry-standard authorization and authentication methods to ensure the highest possible security for your business-critical wireless LAN traffic.
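The following Python model of the manual and automated Disabling behaviour described above is an added example, not controller code from this guide. The failure threshold (5 consecutive attempts), the exclusion period (60 seconds) and the MAC addresses in it are assumed values standing in for the operator-defined settings the text mentions; the point it shows is that a success resets the consecutive-failure count, that the block lifts itself after the period, and how the lockout bounds the number of guesses an attacker's attempts actually reach the authenticator.

```python
import time
from collections import defaultdict
from typing import Dict, Optional, Set


class ClientBlocker:
    """Model of manual and automated Disabling (added illustration, not Cisco code).

    max_failures and block_seconds stand in for the operator-defined values;
    the defaults are assumptions chosen for the demo.
    """

    def __init__(self, max_failures: int = 5, block_seconds: int = 60) -> None:
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.manual_blocks: Set[str] = set()
        self._consecutive_failures: Dict[str, int] = defaultdict(int)
        self._auto_blocked_until: Dict[str, float] = {}

    def disable_manually(self, mac: str) -> None:
        """Manual Disabling: the operator blocks a client by its MAC address."""
        self.manual_blocks.add(mac.lower())

    def enable_manually(self, mac: str) -> None:
        self.manual_blocks.discard(mac.lower())

    def is_blocked(self, mac: str, now: Optional[float] = None) -> bool:
        mac = mac.lower()
        now = time.time() if now is None else now
        if mac in self.manual_blocks:
            return True
        until = self._auto_blocked_until.get(mac)
        if until is None:
            return False
        if now >= until:
            # Exclusion period has elapsed: lift the block and restart the count.
            del self._auto_blocked_until[mac]
            self._consecutive_failures[mac] = 0
            return False
        return True

    def record_auth_result(self, mac: str, success: bool, now: Optional[float] = None) -> bool:
        """Feed one authentication outcome; returns True if the client is now blocked."""
        mac = mac.lower()
        now = time.time() if now is None else now
        if self.is_blocked(mac, now):
            return True
        if success:
            # Only consecutive failures count, so a success resets the counter.
            self._consecutive_failures[mac] = 0
            return False
        self._consecutive_failures[mac] += 1
        if self._consecutive_failures[mac] >= self.max_failures:
            self._auto_blocked_until[mac] = now + self.block_seconds
            return True
        return False


def guesses_reaching_authenticator(attempts: int, max_failures: int = 5,
                                   block_seconds: int = 60) -> int:
    """Constructed scenario: one client MAC submits `attempts` wrong passwords,
    one second apart. Returns how many of them were actually evaluated; the
    rest were rejected because the client was already blocked.
    """
    blocker = ClientBlocker(max_failures=max_failures, block_seconds=block_seconds)
    mac = "00:11:22:33:44:55"  # constructed sample MAC, not from this guide
    evaluated = 0
    for t in range(attempts):
        if blocker.is_blocked(mac, now=t):
            continue
        evaluated += 1
        blocker.record_auth_result(mac, success=False, now=t)
    return evaluated


if __name__ == "__main__":
    print("50 attempts, 5 evaluated:", guesses_reaching_authenticator(50))
    print("200 attempts, 20 evaluated:", guesses_reaching_authenticator(200))
```

With a 60-second exclusion, 200 one-second attempts yield only 20 evaluated guesses; a longer operator-defined period lowers that rate further, which is the lever the text refers to when it says the feature deters brute-force login attacks.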
Cisco WLAN Solution Wired Security
Many traditional access point vendors concentrate on security for the Wireless interface similar to that described in the “Operating System Security” section on page 1-5. However, for secure Cisco Wireless LAN Controller Service Interfaces, Cisco Wireless LAN Controller to access point, and inter-Cisco Wireless LAN Controller communications during device servicing and client roaming, the operating system includes built-in security.
Each Cisco Wireless LAN Controller and Cisco 1000 series lightweight access point is manufactured with a unique, signed X.509 certificate. This certificate is used to authenticate IPSec tunnels between devices. These IPSec tunnels ensure secure communications for mobility and device servicing.
Cisco Wireless LAN Controllers and Cisco 1000 series lightweight access points also use the signed certificates to verify downloaded code before it is loaded, ensuring that hackers do not download malicious code into any Cisco Wireless LAN Controller or Cisco 1000 series lightweight access point.
Layer 2 and Layer 3 LWAPP Operation
The LWAPP communications between Cisco Wireless LAN Controller and Cisco 1000 series lightweight access points can be conducted at ISO Data Link Layer 2 or Network Layer 3.
Note The IPv4 network layer protocol is supported for transport through an LWAPP controller system. IPv6 (for clients only) and Appletalk are also supported but only on 4400 series controllers and the Cisco WiSM. Other Layer 3 protocols (such as IPX, DECnet Phase IV, OSI CLNP, and so on) and Layer 2 (bridged) protocols (such as LAT and NetBeui) are not supported.
Operational Requirements
The requirement for Layer 2 LWAPP communications is that the Cisco Wireless LAN Controller and Cisco 1000 series lightweight access points must be connected to each other through Layer 2 devices on the same subnet. This is the default operational mode for the Cisco Wireless LAN Solution. Note that when the Cisco Wireless LAN Controller and Cisco 1000 series lightweight access points are on different subnets, these devices must be operated in Layer 3 mode.
The requirement for Layer 3 LWAPP communications is that the Cisco Wireless LAN Controllers and Cisco 1000 series lightweight access points can be connected through Layer 2 devices on the same subnet, or connected through Layer 3 devices across subnets.
Note that all Cisco Wireless LAN Controllers in a mobility group must use the same LWAPP Layer 2 or Layer 3 mode, or you will defeat the Mobility software algorithm.
Configuration Requirements
When you are operating the Cisco Wireless LAN Solution in Layer 2 mode, you must configure a management interface to control your Layer 2 communications.
When you are operating the Cisco Wireless LAN Solution in Layer 3 mode, you must configure an AP-manager interface to control Cisco 1000 series lightweight access points and a management interface as configured for Layer 2 mode.
Cisco Wireless LAN Controllers
When you are adding Cisco 1000 series lightweight access points to a multiple-controller deployment, it is convenient to have all Cisco 1000 series lightweight access points associate with one master controller on the same subnet. That way, the operator does not have to log into multiple controllers to find out which controller newly-added Cisco 1000 series lightweight access points associated with.
One controller in each subnet can be assigned as the master controller while adding lightweight access points. As long as a master controller is active on the same subnet, all new access points without a primary, secondary, and tertiary controller assigned automatically attempt to associate with the master Cisco Wireless LAN Controller. This process is described in the “Cisco Wireless LAN Controller Failover Protection” section on page 1-20.
The operator can monitor the master controller using the WCS Web User Interface and watch as access points associate with the master controller. The operator can then verify access point configuration and assign a primary, secondary, and tertiary controller to the access point, and reboot the access point so it reassociates with its primary, secondary, or tertiary controller.
Note Lightweight access points without a primary, secondary, and tertiary controller assigned always search for a master controller first upon reboot. After adding lightweight access points through the master controller, assign primary, secondary, and tertiary controllers to each access point. Cisco recommends that you disable the master setting on all controllers after initial configuration.
Primary, Secondary, and Tertiary Controllers
In multiple-controller networks, lightweight access points can associate with any controller on the same subnet. To ensure that each access point associates with a particular controller, the operator can assign primary, secondary, and tertiary controllers to the access point.
When a primed access point is added to a network, it looks for its primary, secondary, and tertiary controllers first, then a master controller, then the least-loaded controller with available access point ports. Refer to the “Cisco Wireless LAN Controller Failover Protection” section on page 1-20 for more information.
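The selection order just described (primary, secondary and tertiary controllers first, then a master controller, then the least-loaded controller with a free access point port) as an added Python model; it is not Cisco controller code. The Controller and AccessPoint classes, the controller names and subnets, and the measure of load (number of already-joined access points) are assumptions for the example, and the master and least-loaded fallbacks are restricted to the access point's own subnet as the text states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Controller:
    """Assumed model of a controller (added example, not Cisco code)."""
    name: str
    subnet: str          # subnet of the controller's AP-facing interface
    ap_ports: int        # access points it can accept
    joined_aps: int = 0
    is_master: bool = False

    @property
    def has_free_port(self) -> bool:
        return self.joined_aps < self.ap_ports


@dataclass
class AccessPoint:
    name: str
    subnet: str
    primary: Optional[str] = None     # names of primed controllers, if any
    secondary: Optional[str] = None
    tertiary: Optional[str] = None


def select_controller(ap: AccessPoint, controllers: List[Controller]) -> Optional[Controller]:
    """Pick the controller the access point joins, in the order the guide gives."""
    by_name: Dict[str, Controller] = {c.name: c for c in controllers}

    # 1. Primed controllers, in priority order. These may sit on another
    #    subnet, since a primed AP in Layer 3 mode can reach them.
    for name in (ap.primary, ap.secondary, ap.tertiary):
        candidate = by_name.get(name) if name else None
        if candidate is not None and candidate.has_free_port:
            return candidate

    # 2. A master controller on the access point's own subnet.
    for candidate in controllers:
        if candidate.is_master and candidate.subnet == ap.subnet and candidate.has_free_port:
            return candidate

    # 3. The least-loaded controller on the same subnet with a free AP port.
    #    Assumption: load is measured as the count of already-joined APs.
    same_subnet = [c for c in controllers if c.subnet == ap.subnet and c.has_free_port]
    if not same_subnet:
        return None
    return min(same_subnet, key=lambda c: c.joined_aps)


def join_all(aps: List[AccessPoint], controllers: List[Controller]) -> Dict[str, Optional[str]]:
    """Join access points one after another, updating controller load as they join."""
    result: Dict[str, Optional[str]] = {}
    for ap in aps:
        chosen = select_controller(ap, controllers)
        if chosen is not None:
            chosen.joined_aps += 1
        result[ap.name] = chosen.name if chosen else None
    return result


if __name__ == "__main__":
    # Constructed sample deployment: two controllers on one subnet, one elsewhere.
    ctrls = [Controller("wlc-a", "10.1.0.0/24", 50, joined_aps=40, is_master=True),
             Controller("wlc-b", "10.1.0.0/24", 50, joined_aps=10),
             Controller("wlc-c", "10.2.0.0/24", 50)]
    new_ap = AccessPoint("ap-new", "10.1.0.0/24")
    print("master enabled ->", select_controller(new_ap, ctrls).name)   # wlc-a
    ctrls[0].is_master = False  # what the guide recommends after initial setup
    print("master disabled ->", select_controller(new_ap, ctrls).name)  # wlc-b
```

The demo makes the guide's recommendation concrete: while the master setting is on, every unprimed access point lands on that controller regardless of its load, so once the initial add is finished the setting is turned off and new access points fall through to the least-loaded controller instead.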
Client Roaming
The Cisco Wireless LAN Solution supports seamless client roaming across Cisco 1000 series lightweight access points managed by the same Cisco Wireless LAN Controller, between Cisco Wireless LAN Controllers in the same Cisco WLAN Solution Mobility Group on the same subnet, and across controllers in the same Mobility Group on different subnets.
Same-Subnet (Layer 2) Roaming
Each Cisco Wireless LAN Controller supports same-controller client roaming across access points managed by the same controller. This roaming is transparent to the client as the session is sustained and the client continues using the same DHCP-assigned or client-assigned IP Address. The controller provides DHCP functionality with a relay function. Same-controller roaming is supported in single-controller deployments and in multiple-controller deployments.
Inter-Controller (Layer 2) Roaming
In multiple-controller deployments, the Cisco Wireless LAN Solution supports client roaming across access points managed by controllers in the same mobility group and on the same subnet. This roaming is also transparent to the client, as the session is sustained and a tunnel between controllers allows the client to continue using the same DHCP- or client-assigned IP Address as long as the session remains active. Note that the tunnel is torn down and the client must reauthenticate when the client sends a DHCP Discover with a 0.0.0.0 client IP Address or a 169.254.*.* client auto-IP Address, or when the operator-set session timeout is exceeded.
Note that the Cisco 1030 remote edge lightweight access points at a remote location must be on the same subnet to support roaming.
Inter-Subnet (Layer 3) Roaming
In multiple-controller deployments, the Cisco Wireless LAN Solution supports client roaming across access points managed by controllers in the same mobility group on different subnets. This roaming is transparent to the client, because the session is sustained and a tunnel between the controllers allows the client to continue using the same DHCP-assigned or client-assigned IP Address as long as the session remains active. Note that the tunnel is torn down and the client must reauthenticate when the client sends a DHCP Discover with a 0.0.0.0 client IP Address or a 169.254.*.* client auto-IP Address or when the operator-set user timeout is exceeded.
Note that the Cisco 1030 remote edge lightweight access points at a remote location must be on the same subnet to support roaming.
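The tunnel teardown rule stated for inter-controller, inter-subnet and (below) VoIP roaming is the same in all three cases: the tunnel is dropped and the client must reauthenticate when it sends a DHCP Discover while using 0.0.0.0 or a 169.254.x.x auto-IP address, or when the operator-set timeout is exceeded. The following Python is an added example of that check, not controller code: it parses the DHCP message type (option 53) out of a raw BOOTP/DHCP payload and combines it with the client's source address and session age. The packet builder, transaction ID and MAC address are constructed sample data, and treating "client IP Address" as the source address of the packet is an assumption.

```python
import ipaddress
import struct
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options
DHCPDISCOVER = 1
DHCPREQUEST = 3
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # auto-IP range the guide names
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")


def dhcp_message_type(payload: bytes) -> Optional[int]:
    """Return the DHCP message type (option 53) from a raw payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END or i + 1 >= len(payload):
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_MESSAGE_TYPE and length == 1 and len(value) == 1:
            return value[0]
        i += 2 + length
    return None


def tunnel_must_tear_down(src_ip: str, dhcp_payload: bytes,
                          session_age_s: float, session_timeout_s: float) -> bool:
    """The roaming-tunnel rule from the guide, as an added model.

    Assumption: "client IP Address" is the source address of the DHCP packet.
    """
    if session_age_s > session_timeout_s:          # operator-set timeout exceeded
        return True
    if dhcp_message_type(dhcp_payload) != DHCPDISCOVER:
        return False                               # renewals (DHCPREQUEST) keep the tunnel
    addr = ipaddress.ip_address(src_ip)
    return addr == UNSPECIFIED or addr in LINK_LOCAL


def build_dhcp_packet(msg_type: int, ciaddr: str = "0.0.0.0",
                      chaddr: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Constructed sample BOOTP/DHCP payload (not a capture), for running the check."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                  # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,       # constructed xid, secs, broadcast flag
        ipaddress.ip_address(ciaddr).packed, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_END])
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    discover = build_dhcp_packet(DHCPDISCOVER)
    renew = build_dhcp_packet(DHCPREQUEST, ciaddr="10.20.30.40")
    print("discover from 0.0.0.0 ->", tunnel_must_tear_down("0.0.0.0", discover, 10, 1800))
    print("renew from lease  ->", tunnel_must_tear_down("10.20.30.40", renew, 10, 1800))
```

The distinction the parser draws matters for the roaming experience: a client renewing its lease sends a DHCPREQUEST from its current address and keeps its tunnel, whereas a client that has discarded its lease and starts over with a Discover from 0.0.0.0 is treated as a new session and must reauthenticate.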
Special Case: Voice Over IP Telephone Roaming
802.11 VoIP telephones actively seek out associations with the strongest RF signal to ensure best Quality of Service (QoS) and maximum throughput. The minimum VoIP telephone requirement of 20 millisecond or shorter latency time for the roaming handover is easily met by the Cisco Wireless LAN Solution, which has an average handover latency of nine or fewer milliseconds.
This short latency period is controlled by Cisco Wireless LAN Controllers, rather than allowing independent access points to negotiate roaming handovers.
The Cisco Wireless LAN Solution supports 802.11 VoIP telephone roaming across Cisco 1000 series lightweight access points managed by Cisco Wireless LAN Controllers on different subnets, as long as the controllers are in the same mobility group. This roaming is transparent to the VoIP telephone, because the session is sustained and a tunnel between controllers allows the VoIP telephone to continue using the same DHCP-assigned IP Address as long as the session remains active. Note that the tunnel is torn down and the VoIP client must reauthenticate when the VoIP telephone sends a DHCP Discover with a 0.0.0.0 VoIP telephone IP Address or a 169.254.*.* VoIP telephone auto-IP Address or when the operator-set user timeout is exceeded.
Client Location
When you use Cisco WCS in your Cisco Wireless LAN Solution, controllers periodically determine client, rogue access point, rogue access point client, radio frequency ID (RFID) tag location and store the locations in the Cisco WCS database. For more information on location solutions, refer to the Cisco Wireless Control System Configuration Guide and the Cisco Location Appliance Configuration Guide at these URLs:
Cisco Wireless Control System Configuration Guide:
http://www.cisco.com/en/US/products/ps6305/products_installation_and_configuration_guides_list.html
Cisco Location Appliance Configuration Guide:
http://www.cisco.com/en/US/products/ps6386/products_installation_and_configuration_guides_list.html
External DHCP Servers
The operating system is designed to appear as a DHCP Relay to the network and as a DHCP Server to clients with industry-standard external DHCP Servers that support DHCP Relay. This means that each Cisco Wireless LAN Controller appears as a DHCP Relay agent to the DHCP Server. This also means that the Cisco Wireless LAN Controller appears as a DHCP Server at the virtual IP Address to wireless clients.
Because the Cisco Wireless LAN Controller captures the client IP Address obtained from a DHCP Server, it maintains the same IP Address for that client during same-Cisco Wireless LAN Controller, inter-Cisco Wireless LAN Controller, and inter-subnet client roaming.
Per-Wireless LAN Assignment
All Cisco WLAN Solution wireless LANs can be configured to use the same or different DHCP Servers, or no DHCP Server. This allows operators considerable flexibility in configuring their Wireless LANs, as further described in the “Cisco WLAN Solution Wireless LANs” section on page 1-11.
Note that Cisco WLAN Solution wireless LANs that support management over wireless must allow the management (device servicing) clients to obtain an IP Address from a DHCP Server. See the “Using Management over Wireless” section on page 5-6 for instructions on configuring management over wireless.
Per-Interface Assignment
You can assign DHCP servers for individual interfaces. The Layer 2 management interface, Layer 3 AP-manager interface, and dynamic interfaces can be configured for a primary and secondary DHCP server, and the service-port interface can be configured to enable or disable DHCP servers.
Note Refer to Chapter 3 for information on configuring the controller’s interfaces.
Security Considerations
For enhanced security, Cisco recommends that operators require all clients to obtain their IP Addresses from a DHCP server. To enforce this requirement, all wireless LANs can be configured with a DHCP Required setting and a valid DHCP Server IP Address, which disallows client static IP Addresses. If a client associating with a wireless LAN with DHCP Required set does not obtain its IP Address from the designated DHCP Server, it is not allowed access to any network services.
Note that if DHCP Required is selected, clients must obtain an IP address via DHCP. Any client with a static IP address will not be allowed on the network. The Cisco Wireless LAN Controller monitors DHCP traffic because it acts as a DHCP proxy for the clients.
If slightly less security is tolerable, operators can create wireless LANs with DHCP Required disabled and a valid DHCP Server IP Address. Clients then have the option of using a static IP Address or obtaining an IP Address from the designated DHCP Server.
Operators are also allowed to create separate wireless LANs with DHCP Required disabled and a DHCP Server IP Address of 0.0.0.0. These wireless LANs drop all DHCP requests and force clients to use a static IP Address. Note that these wireless LANs do not support management over wireless connections.
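The three per-WLAN DHCP configurations described in this section, as an added Python model of what the controller's DHCP proxy enforces for each; this is illustration code, not the controller's implementation. The class and function names, the IP addresses and the client states are assumptions constructed for the example, and the detail that a client must keep sending from its leased address is an added assumption beyond the text.

```python
from dataclasses import dataclass
from typing import Optional

NO_DHCP_SERVER = "0.0.0.0"   # the guide's convention for a WLAN with no DHCP server


@dataclass(frozen=True)
class WlanDhcpPolicy:
    """Per-WLAN DHCP settings (assumed model, added example)."""
    dhcp_required: bool
    dhcp_server: str          # designated server address, or NO_DHCP_SERVER

    @property
    def forwards_dhcp(self) -> bool:
        """WLANs configured with a 0.0.0.0 server drop all DHCP requests."""
        return self.dhcp_server != NO_DHCP_SERVER


@dataclass
class ClientState:
    mac: str
    ip: Optional[str] = None
    ip_from_dhcp: bool = False
    lease_server: Optional[str] = None   # server that issued the lease, as seen by the proxy


def proxy_dhcp_request(policy: WlanDhcpPolicy) -> bool:
    """Does the controller relay the client's DHCP request at all?"""
    return policy.forwards_dhcp


def proxy_dhcp_ack(policy: WlanDhcpPolicy, client: ClientState,
                   server_ip: str, assigned_ip: str) -> bool:
    """The controller, acting as DHCP proxy, observes a lease returned to the client."""
    if not policy.forwards_dhcp:
        return False                       # nothing was relayed, so nothing comes back
    client.ip = assigned_ip
    client.ip_from_dhcp = True
    client.lease_server = server_ip
    return True


def allow_network_access(policy: WlanDhcpPolicy, client: ClientState, src_ip: str) -> bool:
    """Decide whether a data packet from the client may reach network services."""
    if client.ip is None:
        # First packet carries an address the proxy never saw assigned: a static IP.
        if policy.dhcp_required:
            return False                   # DHCP Required: static addresses are denied
        client.ip = src_ip
        client.ip_from_dhcp = False
        return True
    if not policy.dhcp_required:
        return True
    # DHCP Required: the lease must come from the designated server, and
    # (assumption) the client must keep sending from the leased address.
    return (client.ip_from_dhcp
            and client.lease_server == policy.dhcp_server
            and src_ip == client.ip)


if __name__ == "__main__":
    strict = WlanDhcpPolicy(dhcp_required=True, dhcp_server="10.0.0.5")   # constructed
    static_client = ClientState("00:11:22:33:44:01")
    print("static IP on DHCP Required WLAN ->", allow_network_access(strict, static_client, "10.0.0.77"))
    leased = ClientState("00:11:22:33:44:02")
    proxy_dhcp_ack(strict, leased, "10.0.0.5", "10.0.0.50")
    print("leased IP on DHCP Required WLAN ->", allow_network_access(strict, leased, "10.0.0.50"))
```

The model also shows why the guide calls the 0.0.0.0-server variant the least secure: with DHCP Required off and no server, the proxy never learns a client's address from a lease, so every client is admitted with whatever static address it first uses.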
Cisco WLAN Solution Wired Connections
The Cisco Wireless LAN Solution components communicate with each other using industry-standard Ethernet cables and connectors. The following paragraphs contain details of the Cisco WLAN Solution wired connections.
The Cisco 2000 Series Wireless LAN Controller connects to the network using from one to four 10/100BASE-T Ethernet cables.
The Cisco 4100 Series Wireless LAN Controller connects to the network using one or two fiber-optic Gigabit Ethernet cables: two redundant Gigabit Ethernet connections to bypass single network failures.
The Cisco 4402 Wireless LAN Controller connects to the network using one or two fiber-optic Gigabit Ethernet cables, and the 4404 Wireless LAN Controller connects to the network using up to four fiber-optic Gigabit Ethernet cables: two redundant Gigabit Ethernet connections to bypass single network failures.
The controllers on the Wireless Services Module (WiSM), installed in a Cisco Catalyst 6500 Series Switch, connect to the network through switch ports on the switch.
The Wireless LAN Controller Network Module, installed in a Cisco Integrated Services Router, connects to the network through the ports on the router.
Cisco 1000 series lightweight access points connect to the network using 10/100BASE-T Ethernet cables. The standard CAT-5 cable can also be used to carry power to the Cisco 1000 series lightweight access points from a network device equipped with Power over Ethernet (PoE) capability. This power distribution plan can be used to reduce the cost of individual AP power supplies and related cabling.
Cisco WLAN Solution Wireless LANs
The Cisco Wireless LAN Solution can control up to 16 Wireless LANs for lightweight access points. Each wireless LAN has a separate wireless LAN ID (1 through 16), a separate wireless LAN SSID (wireless LAN name), and can be assigned unique security policies. Using software release 3.2 and later you can configure both static and dynamic WEP on the same wireless LAN.
The Cisco 1000 series lightweight access points broadcast all active Cisco WLAN Solution wireless LAN SSIDs and enforce the policies defined for each wireless LAN.
Note Cisco recommends that you assign one set of VLANs for wireless LANs and a different set of VLANs for management interfaces to ensure that controllers operate with optimum performance and ease of management.
If management over wireless is enabled on the Cisco Wireless LAN Solution, the operator can manage the system from a client on the enabled wireless LAN using the CLI (via Telnet), HTTP/HTTPS, and SNMP. Because this exposes the management plane to wireless clients, enable it only where it is needed and prefer the encrypted transports over Telnet and plain HTTP.
To configure the Cisco WLAN Solution wireless LANs, refer to Chapter 6, “Configuring WLANs.”
Access Control Lists
The operating system allows you to define up to 64 Access Control Lists (ACLs), similar to standard firewall Access Control Lists. Each ACL can have up to 64 Rules (filters).
Operators can use ACLs to control client access to multiple VPN servers within a given wireless LAN. If all the clients on a wireless LAN must access a single VPN server, use the IPSec/VPN Gateway Passthrough setting, described in the “Security Overview” section on page 5-2.
After they are defined, the ACLs can be applied to the management interface, the AP-Manager interface, or any of the operator-defined interfaces.
Refer to Access Control Lists > New in the Web User Interface Online Help for instructions on configuring Access Control Lists.
Identity Networking
Cisco Wireless LAN Controllers can have the following parameters applied to all clients associating with a particular wireless LAN: QoS, global or Interface-specific DHCP server, Layer 2 and Layer 3 Security Policies, and default Interface (which includes physical port, VLAN and ACL assignments).
However, the Cisco Wireless LAN Controller can also let individual clients (MAC addresses) override the preset wireless LAN parameters, either through MAC Filtering or by enabling Allow AAA Override. This configuration can be used, for example, to have all company clients log into the corporate wireless LAN and then apply different QoS, DHCP server, Layer 2 and Layer 3 Security Policies, and Interface (which includes physical port, VLAN and ACL assignments) settings on a per-MAC-address basis.
When Cisco Wireless LAN Solution operators configure MAC Filtering for a client, they can assign a different VLAN to the MAC address, which the operating system uses to automatically reroute the client to the management interface or to any of the operator-defined interfaces, each of which has its own VLAN, ACL, DHCP server, and physical port assignments. MAC Filtering can be used as a coarse form of override, and normally takes precedence over any AAA (RADIUS or other) Override.
However, when Allow AAA Override is enabled, the RADIUS (or other AAA) server can instead be configured to return QoS and ACL settings on a per-MAC-address basis. Allow AAA Override gives the AAA Override precedence over the MAC Filtering parameters set in the Cisco Wireless LAN Controller; if no AAA Override is available for a given MAC address, the operating system falls back to the MAC Filtering parameters already in the Cisco Wireless LAN Controller. AAA Override is therefore the finer-grained form of override, but it takes precedence over MAC Filtering only when Allow AAA Override is enabled.
Note that in all cases, the Override parameters (Operator-Defined Interface and QoS, for example) must already be defined in the Cisco Wireless LAN Controller configuration.
In all cases, the operating system will use QoS and ACL provided by the AAA server or MAC Filtering regardless of the Layer 2 and/or Layer 3 authentication used.
Also note that the operating system will only move clients from the default Cisco WLAN Solution wireless LAN VLAN to a different VLAN when configured for MAC filtering, 802.1X, and/or WPA Layer 2 authentication.
To configure the Cisco WLAN Solution wireless LANs, refer to the “Configuring Wireless LANs” section on page 6-2.
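The precedence rules above (AAA Override wins only when Allow AAA Override is enabled, otherwise MAC Filtering, otherwise the wireless LAN profile; override targets must already exist on the controller; a VLAN move only after MAC filtering, 802.1X or WPA authentication) are easy to get wrong when reasoning about a client's effective policy. The following model is an added example, not code from this guide or from the controller software; the interface, QoS profile and ACL names, and the choice to reject a client whose override names an undefined object, are assumptions made for illustration.

```python
"""Per-client policy resolution for identity networking on a WLC.

Added example, not code from the Cisco guide or the controller software. It
models the precedence the text describes: with Allow AAA Override enabled,
the attributes the AAA server returns win; otherwise, or when the AAA server
returns nothing for the client, a MAC Filtering entry applies; otherwise the
wireless LAN profile is used. Every override target (interface, QoS profile,
ACL) must already be defined on the controller, and an interface (VLAN)
change is honoured only for clients authenticated through MAC filtering,
802.1X or WPA. Interface, ACL and QoS names below are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class ClientPolicy:
    interface: str              # dynamic interface: carries VLAN, port, ACL, DHCP server
    qos: str                    # QoS profile name
    acl: Optional[str] = None   # ACL name, or None for no ACL


@dataclass(frozen=True)
class Override:
    """Attributes a MAC-filter entry or an AAA Access-Accept may supply."""
    interface: Optional[str] = None
    qos: Optional[str] = None
    acl: Optional[str] = None


@dataclass(frozen=True)
class Controller:
    interfaces: FrozenSet[str]
    qos_profiles: FrozenSet[str]
    acls: FrozenSet[str]
    allow_aaa_override: bool
    mac_filters: Dict[str, Override]   # keyed by lower-case MAC address


# Layer 2 authentication types after which the controller moves a client off
# the wireless LAN's default VLAN (per the guide).
VLAN_MOVE_AUTHS = frozenset({"mac-filter", "802.1x", "wpa"})


def resolve_policy(ctrl: Controller, wlan_default: ClientPolicy, mac: str,
                   aaa_override: Optional[Override], l2_auth: str
                   ) -> Tuple[ClientPolicy, str]:
    """Return (effective policy, source); source is 'aaa', 'mac-filter' or 'wlan'."""
    mac = mac.lower()
    chosen: Optional[Override] = None
    source = "wlan"
    if ctrl.allow_aaa_override and aaa_override is not None:
        chosen, source = aaa_override, "aaa"
    elif mac in ctrl.mac_filters:
        chosen, source = ctrl.mac_filters[mac], "mac-filter"
    if chosen is None:
        return wlan_default, source

    policy = wlan_default
    # Override targets must already exist on the controller. This example fails
    # closed (rejects the client) on an unknown name; the guide does not state
    # what the controller itself does in that case (assumption).
    if chosen.interface is not None:
        if chosen.interface not in ctrl.interfaces:
            raise ValueError(f"override names undefined interface {chosen.interface!r}")
        if l2_auth in VLAN_MOVE_AUTHS:
            policy = replace(policy, interface=chosen.interface)
    if chosen.qos is not None:
        if chosen.qos not in ctrl.qos_profiles:
            raise ValueError(f"override names undefined QoS profile {chosen.qos!r}")
        policy = replace(policy, qos=chosen.qos)
    if chosen.acl is not None:
        if chosen.acl not in ctrl.acls:
            raise ValueError(f"override names undefined ACL {chosen.acl!r}")
        policy = replace(policy, acl=chosen.acl)
    return policy, source


# Constructed controller state for the examples below.
CORP_WLAN = ClientPolicy(interface="management", qos="silver", acl=None)
CTRL_AAA = Controller(
    interfaces=frozenset({"management", "employee", "guest"}),
    qos_profiles=frozenset({"bronze", "silver", "gold"}),
    acls=frozenset({"guest-acl"}),
    allow_aaa_override=True,
    mac_filters={"00:0b:85:00:00:01": Override(interface="employee", qos="gold")},
)
CTRL_NO_AAA = replace(CTRL_AAA, allow_aaa_override=False)

if __name__ == "__main__":
    # AAA wins when Allow AAA Override is on and the client used 802.1X.
    print(resolve_policy(CTRL_AAA, CORP_WLAN, "00:0B:85:00:00:01",
                         Override(interface="guest", qos="bronze", acl="guest-acl"), "802.1x"))
    # The same AAA reply is ignored when Allow AAA Override is off: the MAC filter applies.
    print(resolve_policy(CTRL_NO_AAA, CORP_WLAN, "00:0B:85:00:00:01",
                         Override(interface="guest"), "802.1x"))
```

The web-authentication case is the one to watch: a Layer 3 authenticated client still receives the QoS and ACL the AAA server returns, but it stays on the wireless LAN's default interface because no qualifying Layer 2 authentication took place.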
Enhanced Integration with Cisco Secure ACS
The identity-based networking feature uses authentication, authorization, and accounting (AAA) override. When the following vendor-specific attributes are present in the RADIUS access accept message, the values override those present in the wireless LAN profile:
QoS level
802.1p value
VLAN interface name
Access control list (ACL) name
In this release, support is being added for the AAA server to return the VLAN number or name using the standard “RADIUS assigned VLAN name/number” feature defined in IETF RFC 2868 (RADIUS Attributes for Tunnel Protocol Support). To assign a wireless client to a particular VLAN, the AAA server sends the following attributes to the controller in the access accept message:
IETF 64 (Tunnel Type): VLAN
IETF 65 (Tunnel Medium Type): 802
IETF 81 (Tunnel Private Group ID): VLAN # or VLAN Name String
This enables Cisco Secure ACS to communicate a VLAN change that may be a result of a posture analysis. Benefits of this new feature include:
Integration with Cisco Secure ACS reduces installation and setup time
Cisco Secure ACS operates smoothly across both wired and wireless networks
This feature supports 2000, 4100, and 4400 series controllers and 1000, 1130, 1200 and 1500 series lightweight access points.
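The three IETF attributes listed above are tagged attributes as defined in RFC 2868: each value starts with a one-octet tag (0x00 to 0x1F) that ties the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID of one assignment together, and for the string-valued Tunnel-Private-Group-ID a first octet above 0x1F is data rather than a tag. The following encoder and parser are an added example, not code from this guide or from Cisco Secure ACS; the attribute numbers and enumerated values come from RFC 2868, and the sample Access-Accept attribute bytes are constructed.

```python
"""Encode and decode the RFC 2868 tunnel attributes an AAA server puts in a
RADIUS Access-Accept to assign a wireless client to a VLAN.

Added example, not code from the Cisco guide or from Cisco Secure ACS. The
attribute numbers and enumerated values are from RFC 2868: Tunnel-Type (64)
= 13 (VLAN), Tunnel-Medium-Type (65) = 6 (IEEE-802), Tunnel-Private-Group-ID
(81) = VLAN number or name. Each carries a one-octet tag (0x00..0x1F) that
ties the three together; for the string attribute a first octet above 0x1F
is part of the string, not a tag, which the parser below handles. The sample
Access-Accept attribute bytes are constructed.
"""
import struct
from typing import Dict, Iterator, Optional, Tuple, Union

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
MAX_TAG = 0x1F


def avp(attr_type: int, payload: bytes) -> bytes:
    """Pack one RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    if not 1 <= len(payload) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def build_vlan_assignment(vlan: Union[int, str], tag: int = 0) -> bytes:
    """Return the three tunnel AVPs for one VLAN (number or interface name)."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00..0x1F")
    t = bytes([tag])
    return (avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan).encode("ascii")))


def iter_avps(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a run of RADIUS attributes, rejecting truncated or overlong ones."""
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[off + 2:off + length]
        off += length


def parse_vlan_assignment(data: bytes) -> Optional[Union[int, str]]:
    """Return the assigned VLAN number (int) or name (str), or None when the
    attributes hold no consistent Tunnel-Type=VLAN / Medium=802 / Group-ID set."""
    groups: Dict[int, Dict[int, bytes]] = {}      # tag -> {attr_type: value}
    for attr_type, value in iter_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            # Integer tunnel attributes are always tag(1) + 3-byte value.
            if len(value) != 4 or value[0] > MAX_TAG:
                continue
            tag, body = value[0], value[1:]
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # String attribute: the first octet is a tag only if it is <= 0x1F.
            if value and value[0] <= MAX_TAG:
                tag, body = value[0], value[1:]
            else:
                tag, body = 0, value
        else:
            continue
        groups.setdefault(tag, {})[attr_type] = body

    for tag in sorted(groups):
        attrs = groups[tag]
        if len(attrs) != 3:
            continue                                # incomplete or mixed-tag set
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        try:
            group = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
        except UnicodeDecodeError:
            continue
        return int(group) if group.isdigit() else group
    return None


# Constructed Access-Accept attribute run: Class (25), the VLAN assignment, Session-Timeout (27).
SAMPLE_ACCESS_ACCEPT = (avp(25, b"posture-ok")
                        + build_vlan_assignment(100)
                        + avp(27, (3600).to_bytes(4, "big")))

if __name__ == "__main__":
    print(parse_vlan_assignment(SAMPLE_ACCESS_ACCEPT))                      # 100
    print(parse_vlan_assignment(build_vlan_assignment("employee", tag=1)))  # employee
```

Requiring all three attributes to share one tag, and checking that Tunnel-Type is VLAN and Tunnel-Medium-Type is IEEE-802 before trusting the group ID, is what keeps a stray or mismatched Tunnel-Private-Group-ID from placing a client on an unintended VLAN.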
File Transfers
The Cisco Wireless LAN Solution operator can upload and download operating system code, configuration, and certificate files to and from a Cisco Wireless LAN Controller using CLI commands, Web User Interface commands, or Cisco WCS.
To use CLI commands, refer to the “Transferring Files to and from a Controller” section on page 8-2.
To use Cisco WCS to upgrade software, refer to the Cisco Wireless Control System Configuration Guide. Click this URL to browse to this document:
http://www.cisco.com/en/US/products/ps6305/products_installation_and_configuration_guides_list.html
Power over Ethernet
Lightweight access points can receive power via their Ethernet cables from 802.3af-compatible Power over Ethernet (PoE) devices, which can reduce the cost of discrete power supplies, additional wiring, conduits, outlets, and installer time. PoE also frees installers from having to mount Cisco 1000 series lightweight access points or other powered equipment near AC outlets, providing greater flexibility in positioning Cisco 1000 series lightweight access points for maximum coverage.
When you are using PoE, the installer runs a single CAT-5 cable from each lightweight access point to PoE-equipped network elements, such as a PoE power hub or a Cisco WLAN Solution Single-Line PoE Injector. When the PoE equipment determines that the lightweight access point is PoE-enabled, it sends 48 VDC over the unused pairs in the Ethernet cable to power the lightweight access point.
The PoE cable length is limited by the 10BASE-T and 100BASE-TX specifications to 100 m per segment.
Lightweight access points can receive power from an 802.3af-compliant device or from the external power supply.
Pico Cell Functionality
A Pico Cell is a small area of wireless coverage served by a single antenna, which allows for dense, high-bandwidth deployments in installations such as stock exchanges. Pico Cell wireless configurations require a specific supplicant to function correctly in Pico Cell environments; off-the-shelf laptop supplicants are not supported.
Note Do not attempt to configure Pico Cell functionality within your wireless LAN without consulting your sales team. Non-standard installations are not supported.
Note Do not change the configuration database size setting unless you are committing to a Pico Cell installation, and then only on the advice of Cisco technical support.
Pico Cell functionality includes the following optimizations of the operating system:
The Cisco WCS Pico Cell Mode parameter reconfigures operating system parameters, allowing the operating system to function efficiently in pico cell deployments. Note that when deploying a pico cell network, the operating system's local database must also be enlarged (from 512 to 2048 entries) using the config database size 2048 CLI command.
Client mobility between multiple mobility domains, where such domains exist.
Addition of a WPA2 VFF extension to eliminate the need to re-key after every association. This allows the re-use of the existing PTK and GTK.
With WPA2 PMK caching and VFF, the PMK cache is transferred as part of the context transfer prior to the authentication phase. This allows expedited handoffs to work for both intra- and inter-Cisco Wireless LAN Controller roaming events.
A beacon/probe response that allows a Cisco 1000 Series lightweight access point to indicate which Cisco Wireless LAN Controller it is attached to, so that reauthorization events only occur when needed, minimizing inter-Cisco Wireless LAN Controller handoffs and thus reducing CPU usage.
Allows changes to Cisco 1000 series lightweight access point sensitivity for pico cells.
Allows control of Cisco 1000 series lightweight access point fallback behavior to optimize pico cell use.
Supports heat maps for directional antennas.
Allows specific control over blacklisting events.
Allows configuring and viewing basic LWAPP configuration using the Cisco 1000 series lightweight access point CLI.
Intrusion Detection Service (IDS)
Intrusion Detection Service includes the following:
Sensing Clients probing for “ANY” SSID
Sensing if Cisco 1000 series lightweight access points are being contained
Notification of MiM Attacks, NetStumbler, Wellenreiter
Management Frame Detection and RF Jamming Detection
Spoofed Deauthentication Detection (AirJack, for example)
Broadcast Deauthorization Detection
Null Probe Response Detection
Fake AP Detection
Detection of Weak WEP Encryption
MAC Spoofing Detection
AP Impersonation Detection
Honeypot AP Detection
Valid Station Protection
Misconfigured AP Protection
Rogue Access Point Detection
AD-HOC Detection and Protection
Wireless Bridge Detection
Asleep Detection / Protection
Wireless LAN Controller Platforms
Cisco controllers are enterprise-class high-performance wireless switching platforms that support 802.11a and 802.11b/802.11g protocols. They operate under control of the operating system, which includes Radio Resource Management (RRM), creating a Cisco WLAN Solution that can automatically adjust to real-time changes in the 802.11 RF environment. The controllers are built around high-performance network and security hardware, resulting in highly reliable 802.11 enterprise networks.
Cisco 2000 Series Wireless LAN Controllers
The Cisco 2000 Series Wireless LAN Controller is part of the Cisco Wireless LAN Solution. Each 2000 series controller controls up to six Cisco 1000 series lightweight access points, making it ideal for smaller enterprises and low-density applications.
The Cisco 2000 Series Wireless LAN Controller is a slim 9.5 x 6.0 x 1.6 in. (241 x 152 x 41 mm) chassis that can be desktop or shelf mounted. The Cisco 2000 Series Wireless LAN Controller front panel has one POWER LED and four sets of Ethernet LAN Port status LEDs, which indicate 10 Mbps or 100 Mbps connections and transmit/receive activity for the four corresponding back-panel Ethernet LAN connectors. The Cisco 2000 Series Wireless LAN Controller is shipped with four rubber desktop/shelf mounting feet.
Cisco 4100 Series Wireless LAN Controllers
The Cisco 4100 Series Wireless LAN Controllers are part of the Cisco Wireless LAN Solution. Each Cisco 4100 Series Wireless LAN Controller controls up to 36 Cisco 1000 series lightweight access points, making it ideal for medium-sized enterprises and medium-density applications.
Figure 1-4 shows the Cisco 4100 Series Wireless LAN Controller, which has two redundant front-panel SX/LC jacks. Note that the 1000BASE-SX circuits provide a 100/1000 Mbps wired connection to a network through an 850 nm (SX) fiber-optic link using an LC physical connector.
Figure 1-4 4100 Series Controller
The Cisco 4100 Series Wireless LAN Controller can be factory-ordered with a VPN/Enhanced Security Module (Crypto Card) to support VPN, IPSec and other processor-intensive tasks. It has two 1000BASE-SX network connectors that allow it to communicate with the network at Gigabit Ethernet speeds; these connectors provide 100/1000 Mbps wired connections to a network through 850 nm (SX) fiber-optic links using LC physical connectors.
The two redundant Gigabit Ethernet connections on the Cisco 4100 Series Wireless LAN Controller allow the Cisco 4100 Series Wireless LAN Controller to bypass single network failures.
Cisco 4400 Series Wireless LAN Controllers
Cisco 4400 Series Wireless LAN Controllers are part of the Cisco Wireless LAN Solution. Each Cisco 4400 Series Wireless LAN Controller controls up to 100 Cisco 1000 series lightweight access points, making it ideal for large-sized enterprises and large-density applications.
The 4402 Cisco 4400 Series Wireless LAN Controller has one set of two redundant front-panel SX/LC/T SFP (Small Form-factor Pluggable) transceiver modules, and the 4404 Cisco 4400 Series Wireless LAN Controller has two sets of two redundant front-panel SX/LC/T SFP modules:
1000BASE-SX SFP modules provide a 1000 Mbps wired connection to a network through an 850 nm (SX) fiber-optic link using an LC physical connector.
1000BASE-LX SFP modules provide a 1000 Mbps wired connection to a network through a 1300 nm (LX/LH) fiber-optic link using an LC physical connector.
1000BASE-T SFP modules provide a 1000 Mbps wired connection to a network through a copper link using an RJ-45 physical connector.
The one or two sets of redundant Gigabit Ethernet connections on the Cisco 4400 Series Wireless LAN Controller allow the Cisco 4400 Series Wireless LAN Controller to bypass single network failures.
The Cisco 4400 Series Wireless LAN Controller can be equipped with one or two Cisco 4400 series power supplies. When the Cisco Wireless LAN Controller is equipped with two Cisco 4400 series power supplies, the power supplies are redundant and either power supply can continue to power the Cisco 4400 Series Wireless LAN Controller if the other power supply fails.
One Cisco 4400 series power supply is included standard with the Cisco Wireless LAN Controller, and is installed in Slot 1 at the factory. For redundancy, a second Cisco 4400 series power supply can be ordered from the factory and may be installed in Slot 2. The same power supply also fits in Slot 1 and can be used to replace a failed power supply in the field.
Cisco 2000 Series Wireless LAN Controller Model Numbers
Cisco 2000 Series Wireless LAN Controller model number is as follows:
AIR-WLC2006-K9 — The Cisco 2000 Series Wireless LAN Controller communicates with up to six Cisco 1000 series lightweight access points.
Note Cisco 2000 Series Wireless LAN Controllers come from the factory with tabletop mounting feet.
Cisco 4100 Series Wireless LAN Controller Model Numbers
Cisco 4100 Series Wireless LAN Controller model numbers are as follows:
AIR-WLC4112-K9 — The Cisco 4100 Series Wireless LAN Controller uses two redundant Gigabit Ethernet connections to bypass single network failures, and communicates with up to 12 Cisco 1000 series lightweight access points. The 1000BASE-SX Network Adapters provide 100/1000 Mbps wired connections to a network through 850 nm (SX) fiber-optic links using LC physical connectors.
AIR-WLC4124-K9 — The Cisco 4100 Series Wireless LAN Controller uses two redundant Gigabit Ethernet connections to bypass single network failures, and communicates with up to 24 Cisco 1000 series lightweight access points.
AIR-WLC4136-K9 — The Cisco 4100 Series Wireless LAN Controller uses two redundant Gigabit Ethernet connections to bypass single network failures, and communicates with up to 36 Cisco 1000 series lightweight access points.
Note Cisco 4100 Series Wireless LAN Controller models come from the factory with 19-inch EIA equipment rack flush-mount ears.
The following upgrade module is also available:
AIR-VPN-4100 — VPN/Enhanced Security Module: Supports VPN, L2TP, IPSec and other processor-intensive security options. This is a field-installable option for all Cisco 4100 Series Wireless LAN Controllers.
Cisco 4400 Series Wireless LAN Controller Model Numbers
Cisco 4400 Series Wireless LAN Controller model numbers are as follows:
AIR-WLC4402-12-K9 — The 4402 Cisco 4400 Series Wireless LAN Controller uses two redundant Gigabit Ethernet connections to bypass single network failures, and communicates with up to 12 Cisco 1000 series lightweight access points.
AIR-WLC4402-25-K9 — The 4402 Cisco Wireless LAN Controller uses two redundant Gigabit Ethernet connections to bypass single network failures, and communicates with up to 25 Cisco 1000 series lightweight access points.
AIR-WLC4402-50-K9 — The 4402 Cisco Wireless LAN Controller uses two redundant Gigabit Ethernet connections to bypass single network failures, and communicates with up to 50 Cisco 1000 series lightweight access points.
AIR-WLC4404-100-K9 — The 4404 Cisco Wireless LAN Controller uses four Gigabit Ethernet connections arranged as two redundant pairs, each of which bypasses a single network failure, and communicates with up to 100 Cisco 1000 series lightweight access points.
Note Cisco 4400 Series Wireless LAN Controller models come from the factory with integral 19-inch EIA equipment rack flush-mount ears.
The following power supply module is also available:
AIR-PWR-4400-AC — Cisco 4400 series power supply. One power supply can power a Cisco 4400 Series Wireless LAN Controller; when two are installed, the power supplies are redundant.
Startup Wizard
When a Cisco Wireless LAN Controller is powered up with a new factory operating system software load or after being reset to factory defaults, the bootup script runs the Startup Wizard, which prompts the installer for the initial configuration. The Startup Wizard:
Ensures that the Cisco Wireless LAN Controller has a System Name, up to 32 characters.
Adds an Administrative username and password, each up to 24 characters.
Ensures that the Cisco Wireless LAN Controller can communicate with the CLI, Cisco WCS, or Web User interfaces (either directly or indirectly) through the service port by accepting a valid IP configuration protocol (none or DHCP), and if none, an IP Address and netmask. If you do not want to use the Service port, enter 0.0.0.0 for the IP Address and netmask.
Ensures that the Cisco Wireless LAN Controller can communicate with the network (802.11 Distribution System) through the management interface by collecting a valid static IP Address, netmask, default router IP address, VLAN identifier, and physical port assignment.
Prompts for the IP address of the DHCP server used to supply IP addresses to clients, the Cisco Wireless LAN Controller Management Interface, and optionally the Service Port Interface.
Asks for the LWAPP Transport Mode, described in the “Layer 2 and Layer 3 LWAPP Operation” section on page 1-7.
Collects the Virtual Gateway IP Address: a fictitious, unassigned IP address (the guide suggests 1.1.1.1) to be used by the Layer 3 Security and Mobility managers. Choose an address that is not routable in or from your network; 1.1.1.1 has since been allocated as a public address, so prefer one that cannot collide with a real host.
Allows you to enter the Mobility Group (RF Group) Name.
Collects the wireless LAN 1 802.11 SSID, or Network Name.
Asks you to define whether or not clients can use static IP addresses. Yes = more convenient, but lower security (a session can be hijacked); clients can supply their own IP Address, which is better for devices that cannot use DHCP. No = less convenient, higher security; clients must use DHCP to obtain an IP Address, which works well for Windows XP devices.
If you want to configure a RADIUS server from the Startup Wizard, collects the RADIUS server IP address, communication port, and Secret.
Collects the Country Code.
Enables and/or disables the 802.11a, 802.11b and 802.11g Cisco 1000 series lightweight access point networks.
Enables or disables Radio Resource Management (RRM).
To use the Startup Wizard, refer to the “Using the Configuration Wizard” section on page 4-2.
Cisco Wireless LAN Controller Memory
The Cisco Wireless LAN Controller contains two kinds of memory: volatile RAM, which holds the current, active Cisco Wireless LAN Controller configuration, and NVRAM (non-volatile RAM), which holds the reboot configuration. When you are configuring the operating system in a Cisco Wireless LAN Controller, you are modifying volatile RAM; you must save the configuration from the volatile RAM to the NVRAM to ensure that the Cisco Wireless LAN Controller reboots in the current configuration.
Knowing which memory you are modifying is important when you are:
Using the Configuration Wizard
Clearing the Controller Configuration
Saving Configurations
Resetting the Controller
Logging Out of the CLI
Cisco Wireless LAN Controller Failover Protection
Each Cisco Wireless LAN Controller has a defined number of communication ports for Cisco 1000 series lightweight access points. This means that when multiple controllers with unused access point ports are deployed on the same network, if one controller fails, the dropped access points automatically poll for unused controller ports and associate with them.
During installation, Cisco recommends that you connect all lightweight access points to a dedicated controller, and configure each lightweight access point for final operation. This step configures each lightweight access point for a primary, secondary, and tertiary controller, and allows it to store the configured WLAN Solution Mobility Group information.
During failover recovery, the configured lightweight access points obtain an IP address from the local DHCP server (only in Layer 3 Operation), attempt to contact their primary, secondary, and tertiary controllers, and then attempt to contact the IP addresses of the other controllers in the Mobility group. This prevents the access points from spending time sending out blind polling messages, resulting in a faster recovery period.
In multiple-controller deployments, this means that if one controller fails, its dropped access points reboot and do the following under direction of the Radio Resource Management (RRM):
Obtain an IP address from a local DHCP server (one on the local subnet).
If the Cisco 1000 series lightweight access point has a primary, secondary, and tertiary controller assigned, it attempts to associate with that controller.
If the access point has no primary, secondary, or tertiary controllers assigned or if its primary, secondary, or tertiary controllers are unavailable, it attempts to associate with a master controller on the same subnet.
If the access point finds no master controller on the same subnet, it attempts to contact stored Mobility Group members by IP address.
Should none of the Mobility Group members be available, and if the Cisco 1000 series lightweight access point has no Primary, Secondary, and Tertiary Cisco Wireless LAN Controllers assigned and there is no master Cisco Wireless LAN Controller active, it attempts to associate with the least-loaded Cisco Wireless LAN Controller on the same subnet that responds to its discovery messages with unused ports.
This means that when sufficient controllers are deployed, should one controller fail, active access point client sessions are momentarily dropped while the dropped access point associates with an unused port on another controller, allowing the client device to immediately reassociate and reauthenticate.
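The selection order above is worth modelling when planning controller capacity, because a controller with no unused access point ports is skipped at every tier, including when it is the configured primary. The following is an added example, not code from this guide or from the access point firmware: controller names, addresses and load figures are constructed, and the discovery responses are represented as already-received records rather than as LWAPP messages.

```python
"""Controller selection order a lightweight access point follows after its
controller fails, as the guide describes it: primary, secondary and tertiary
controller by name; a master controller on the local subnet; Mobility Group
members by IP address; and finally the least-loaded controller on the local
subnet that answered discovery with unused AP ports.

Added example, not code from the Cisco guide or from the LWAPP access point
firmware. Controller names, IP addresses and load figures are constructed;
the discovery responses are modelled as already-received records rather
than real LWAPP messages.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DiscoveryResponse:
    """What the AP learns about one controller from its discovery response."""
    name: str
    ip: str
    max_aps: int          # AP "ports" the controller model allows
    joined_aps: int       # APs currently attached
    is_master: bool = False

    @property
    def free_ports(self) -> int:
        return self.max_aps - self.joined_aps

    @property
    def load(self) -> float:
        return self.joined_aps / self.max_aps if self.max_aps else 1.0


@dataclass
class AccessPoint:
    ip: str               # address obtained from DHCP (Layer 3 LWAPP operation)
    netmask: str
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None
    mobility_group: List[str] = field(default_factory=list)   # stored member IPs


def on_local_subnet(ap: AccessPoint, ctrl: DiscoveryResponse) -> bool:
    net = ipaddress.ip_network(f"{ap.ip}/{ap.netmask}", strict=False)
    return ipaddress.ip_address(ctrl.ip) in net


def select_controller(ap: AccessPoint, responses: List[DiscoveryResponse]
                      ) -> Tuple[Optional[DiscoveryResponse], str]:
    """Return (controller to join, reason) or (None, reason) if nothing qualifies."""
    # A controller with no unused AP ports cannot accept the AP at any tier.
    usable = [c for c in responses if c.free_ports > 0]
    by_name = {c.name: c for c in usable}
    by_ip = {c.ip: c for c in usable}

    for tier, name in (("primary", ap.primary), ("secondary", ap.secondary),
                       ("tertiary", ap.tertiary)):
        if name is not None and name in by_name:
            return by_name[name], tier

    for c in usable:
        if c.is_master and on_local_subnet(ap, c):
            return c, "master controller on local subnet"

    for ip in ap.mobility_group:
        if ip in by_ip:
            return by_ip[ip], "mobility group member"

    local = [c for c in usable if on_local_subnet(ap, c)]
    if local:
        return min(local, key=lambda c: c.load), "least-loaded controller on local subnet"
    return None, "no controller with unused ports reachable"


# Constructed deployment: AP on 10.1.1.0/24, three controllers answering discovery.
AP = AccessPoint(ip="10.1.1.50", netmask="255.255.255.0",
                 primary="wlc-a", secondary="wlc-b",
                 mobility_group=["10.1.1.10", "10.1.1.11", "10.2.2.10"])
RESPONSES = [
    DiscoveryResponse("wlc-a", "10.1.1.10", max_aps=12, joined_aps=12),   # full
    DiscoveryResponse("wlc-b", "10.1.1.11", max_aps=25, joined_aps=20),
    DiscoveryResponse("wlc-c", "10.2.2.10", max_aps=50, joined_aps=5, is_master=True),
]

if __name__ == "__main__":
    ctrl, why = select_controller(AP, RESPONSES)
    print(ctrl.name if ctrl else None, why)   # wlc-b secondary
```

Run against the constructed deployment, the full primary (wlc-a) is skipped and the AP lands on its secondary; an AP with nothing configured ignores the master on the remote subnet and reaches wlc-c only through its stored Mobility Group list. Sizing spare ports so that a failed controller's access points fit on the survivors is what makes the fallback useful.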
Cisco Wireless LAN Controller Automatic Time Setting
Each controller can have its time manually set or can be configured to obtain the current time from one or more Network Time Protocol (NTP) servers. Each NTP server IP address is added to the controller database. Each controller searches for an NTP server and obtains the current time upon reboot and at each user-defined polling interval (daily to weekly).
Cisco Wireless LAN Controller Time Zones
Each Cisco Wireless LAN Controller has its time zone set manually; NTP does not carry time zone information. The controller applies the configured time zone offset to the current time (UTC) that it obtains from its NTP servers upon reboot and at each user-defined (daily to weekly) polling interval, or to the time that was set manually.
Network Connections to Cisco Wireless LAN Controllers
Regardless of operating mode, all Cisco Wireless LAN Controllers use the network as an 802.11 Distribution System. Regardless of the Ethernet port type or speed, each controller monitors and communicates with its related controllers across the network. The following sections give details of these network connections:
Cisco 2000 Series Wireless LAN Controllers, page 1-16
Cisco 4100 Series Wireless LAN Controllers, page 1-16
Cisco 4400 Series Wireless LAN Controllers, page 1-17
Note Chapter 3 provides information on configuring the controller’s ports and assigning interfaces to them.
Cisco 2000 Series Wireless LAN Controllers
Cisco 2000 Series Wireless LAN Controllers can communicate with the network through any one of its physical data ports, as the logical management interface can be assigned to one of the ports. The physical port description follows:
Up to four 10/100BASE-T cables can plug into the four back-panel data ports on the Cisco 2000 Series Wireless LAN Controller chassis.
Figure 1-5 shows connections to the 2000 series controller.
Figure 1-5 Physical Network Connections to the 2000 Series Controller
Cisco 4100 Series Wireless LAN Controllers
Cisco 4100 Series Wireless LAN Controllers can communicate with the network through one or two physical data ports, as the logical management interface can be assigned to one or both ports. The physical port description follows:
Two Gigabit Ethernet 1000BASE-SX fiber-optic cables can plug into the LC connectors on the front of the Cisco 4100 Series Wireless LAN Controller, and they must be connected to the same subnet. Note that the two Gigabit Ethernet ports are redundant: the first port that becomes active is the master, and the second port becomes the backup port. If the first connection fails, the standby connection becomes the master, and the failed connection becomes the backup port.
Note The 1000BASE-SX circuits provide 100/1000 Mbps wired connections to the network through 850 nm (SX) fiber-optic links using LC physical connectors.
Figure 1-6 shows connections to the 4100 series controller.
Figure 1-6 Physical Network Connections to the 4100 Series Controller
Cisco 4400 Series Wireless LAN Controllers
Cisco 4400 Series Wireless LAN Controllers can communicate with the network through one or two pairs of physical data ports, and the logical management interface can be assigned to the ports. The physical port descriptions follow:
For the 4402 Cisco Wireless LAN Controller, up to two of the following connections are supported in any combination:
1000BASE-T (Gigabit Ethernet, front panel, RJ-45 physical port, UTP cable).
1000BASE-SX (Gigabit Ethernet, front panel, LC physical port, multi-mode 850 nm (SX) fiber-optic link).
1000BASE-LX (Gigabit Ethernet, front panel, LC physical port, multi-mode 1300 nm (LX/LH) fiber-optic link).
For the 4404 Cisco Wireless LAN Controller, up to four of the following connections are supported in any combination:
1000BASE-T (Gigabit Ethernet, front panel, RJ-45 physical port, UTP cable).
1000BASE-SX (Gigabit Ethernet, front panel, LC physical port, multi-mode 850 nm (SX) fiber-optic link).
1000BASE-LX (Gigabit Ethernet, front panel, LC physical port, multi-mode 1300 nm (LX/LH) fiber-optic link).
Figure 1-7 shows connections to the 4400 series controller.
Figure 1-7 Physical Network Connections to 4402 and 4404 Series Controllers
VPN and Enhanced Security Modules for 4100 Series Controllers
All 4100 series controllers can be equipped with an optional module that slides into the rear panel of the controller. The 4100 Series VPN/Enhanced Security Module adds significant hardware encryption acceleration to the controller, which enables the following through the management interface:
Provide a built-in VPN server for mission-critical traffic.
Sustain up to 1 Gbps throughput with Layer 2 and Layer 3 encryption enabled.
Support high-speed, processor-intensive encryption, such as L2TP, IPSec and 3DES.
Rogue Access Points
Because they are inexpensive and readily available, employees sometimes plug unauthorized rogue access points into existing LANs and build ad hoc wireless networks without IT department knowledge or consent.
These rogue access points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions. Even more alarming, wireless users and war chalkers frequently publish unsecured access point locations, increasing the odds of having the enterprise security breached.
Rather than using a person with a scanner to manually detect rogue access points, the Cisco Wireless LAN Solution automatically collects information on rogue access points detected by its managed access points, by MAC and IP address, and allows the system operator to locate, tag, and monitor them. The operating system can also be used to discourage rogue access point clients by sending them deauthenticate and disassociate messages from one to four Cisco 1000 series lightweight access points. Finally, the operating system can be used to automatically discourage all clients attempting to authenticate with any rogue access point on the enterprise subnet. Because this real-time detection is automated, it saves the labor costs of detecting and monitoring rogue access points while vastly improving LAN security. Note that peer-to-peer, or ad hoc, clients can also be considered rogue access points.
Rogue Access Point Location, Tagging, and Containment
This built-in detection, tagging, monitoring, and containment capability allows system administrators to take the required actions:
Locate rogue access points as described in the Cisco Wireless Control System Configuration Guide.
Receive new rogue access point notifications, eliminating hallway scans.
Monitor unknown rogue access points until they are eliminated or acknowledged.
Determine the closest authorized access point, making directed scans faster and more effective.
Contain rogue access points by sending their clients deauthenticate and disassociate messages from one to four Cisco 1000 series lightweight access points. This containment can be done for individual rogue access points by MAC address, or can be mandated for all rogue access points connected to the enterprise subnet. Containment is an active measure that transmits deauthentication frames to every client of the target, so confirm that a device really is a rogue on your network, and not a neighboring organization's access point, before containing it.
Tag rogue access points:
- Acknowledge a rogue access point when it is outside of the LAN and does not compromise the LAN or wireless LAN security.
- Accept a rogue access point when it does not compromise the LAN or wireless LAN security.
- Tag a rogue access point as unknown until it is eliminated or acknowledged.
- Tag a rogue access point as contained and discourage clients from associating with it by having between one and four Cisco 1000 series lightweight access points transmit deauthenticate and disassociate messages to all of the rogue access point's clients. This function contains all active channels on the same rogue access point.
Rogue Detector mode detects whether or not a rogue access point is on a trusted (wired) network. An access point in this mode does not provide RF service of any kind; instead it receives periodic rogue access point reports from the Cisco Wireless LAN Controller and sniffs all ARP packets on its wired connection. If it finds a match between the sender MAC address of an ARP request and a rogue MAC address it received from the controller, it generates a rogue access point alert to the controller. That alert is the evidence that the rogue is attached to the wired network rather than merely audible over the air.
To facilitate automated rogue access point detection in a crowded RF space, Cisco 1000 series lightweight access points can be configured to operate in monitor mode, allowing monitoring without creating unnecessary interference.
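The wired-side check that Rogue Detector mode performs, as an added example in Python (not Cisco code and not part of this guide): the controller's rogue list and the ARP frames are constructed inline, the frame layout is standard Ethernet II plus ARP, and the controller-to-detector report format is not modelled; the rogue MACs are simply passed in as strings in the notations the controller's GUI and CLI display.

```python
"""Wired-side rogue confirmation, the check a Rogue Detector access point performs.

Added example (not Cisco code). The controller hands the detector a list of rogue
MAC addresses it has heard over the air; the detector sniffs ARP on its wired link
and raises an alert when a rogue MAC turns up as the sender of an ARP request,
which means the rogue is plugged into the wired network. Frames and the rogue
list below are constructed for the example.
"""
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def norm_mac(mac: str) -> str:
    """Normalise 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d99 to one form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame: bytes):
    """Decode an Ethernet II frame carrying ARP over IPv4; return None for anything else."""
    if len(frame) < 42:                          # 14-byte Ethernet header + 28-byte ARP body
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None                              # not Ethernet/IPv4 ARP; ignore
    return {
        "src": mac_str(frame[6:12]),             # Ethernet source address
        "op": "request" if oper == 1 else "reply",
        "sender_mac": mac_str(frame[22:28]),     # ARP sender hardware address
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
        "target_ip": ".".join(str(b) for b in frame[38:42]),
    }


def rogue_alerts(frames, rogue_macs):
    """Return one alert per frame whose Ethernet or ARP sender MAC is on the rogue list."""
    rogues = {norm_mac(m) for m in rogue_macs}
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        hit = {arp["src"], arp["sender_mac"]} & rogues
        if hit:
            alerts.append({"mac": min(hit), "ip": arp["sender_ip"], "op": arp["op"]})
    return alerts


# --- constructed sample data -------------------------------------------------

def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP request (test data only)."""
    sha = bytes.fromhex(norm_mac(sender_mac).replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + sha + spa + b"\x00" * 6 + tpa
    return eth + arp


# Rogue list as the controller would report it (mixed notations on purpose).
ROGUE_MACS_FROM_CONTROLLER = ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d99"]

SAMPLE_FRAMES = [
    build_arp_request("00:1a:2b:3c:4d:5e", "10.20.30.40", "10.20.30.1"),  # rogue on the wire
    build_arp_request("00:50:56:aa:bb:cc", "10.20.30.41", "10.20.30.1"),  # legitimate host
    b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * 40,       # not ARP at all
]

if __name__ == "__main__":
    for alert in rogue_alerts(SAMPLE_FRAMES, ROGUE_MACS_FROM_CONTROLLER):
        print(f"ROGUE ON WIRE: {alert['mac']} sent ARP {alert['op']} from {alert['ip']}")
```

Both the Ethernet source and the ARP sender hardware address are compared, because a rogue access point bridging a wireless client onto the wire may present its own MAC in one field and the client's in the other; matching on either catches both cases.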
Web User Interface and the CLI
This section describes the controller GUI and CLI.
Web User Interface
The Web User Interface is built into each Cisco Wireless LAN Controller. The Web User Interface allows up to five users to simultaneously browse into the built-in Cisco Wireless LAN Controller http or https (http + SSL) Web server, configure parameters, and monitor operational status for the Cisco Wireless LAN Controller and its associated Access Points.
Note Cisco recommends that you enable the https: and disable the http: interfaces to ensure more robust security for your Cisco WLAN Solution.
Because the Web User Interface works with one Cisco Wireless LAN Controller at a time, the Web User Interface is especially useful when you wish to configure or monitor a single Cisco Wireless LAN Controller and its associated Cisco 1000 series lightweight access points.
Refer to the “Using the Web-Browser Interface” section on page 2-2 for more information on the Web User Interface.
Command Line Interface
The Cisco Wireless LAN Solution command line interface (CLI) is built into each Cisco Wireless LAN Controller. The CLI allows operators to use a VT-100 emulator to locally or remotely configure, monitor and control individual Cisco Wireless LAN Controllers, and to access extensive debugging capabilities.
Because the CLI works with one Cisco Wireless LAN Controller at a time, the command line interface is especially useful when you wish to configure or monitor a single Cisco Wireless LAN Controller.
The Cisco Wireless LAN Controller and its associated Cisco 1000 series lightweight access points can be configured and monitored using the command line interface (CLI), which consists of a simple text-based, tree-structured interface that allows up to five users with Telnet-capable terminal emulators to simultaneously configure and monitor all aspects of the Cisco Wireless LAN Controller and associated Cisco 1000 series lightweight access points.
Refer to “Using the CLI” section on page 2-5 and the Cisco Wireless LAN Solution CLI Reference for more information.
CHAPTER
2
Using the Web-Browser and CLI Interfaces
This chapter describes the web-browser and CLI interfaces that you use to configure the controllers. It contains these sections:
Using the Web-Browser Interface, page 2-2
Enabling Web and Secure Web Modes, page 2-2
Using the CLI, page 2-5
Enabling Wireless Connections to the Web-Browser and CLI Interfaces, page 2-8
Using the Web-Browser Interface
The web-browser interface (hereafter called the GUI) allows up to five users to browse simultaneously into the controller http or https (http + SSL) management pages to configure parameters and monitor operational status for the controller and its associated access points.
Guidelines for Using the GUI
Keep these guidelines in mind when using the GUI:
The GUI must be used on a PC running Windows XP SP1 or higher or Windows 2000 SP4 or higher.
The GUI is fully compatible with Microsoft Internet Explorer version 6.0 SP1 or higher.
Note Opera, Mozilla, and Netscape are not supported.
You can use either the service port interface or the management interface to open the GUI. Cisco recommends that you use the service-port interface. Refer to the Configuring the Service Port section on page x for instructions on configuring the service port interface.
You might need to disable your browser’s pop-up blocker to view the online help.
Opening the GUI
To open the GUI, enter the controller IP address in the browser’s address line. For an unsecure connection enter http://ip-address. For a secure connection, enter https://ip-address. See the “Configuring the GUI for HTTPS” section on page 2-2 for instructions on setting up HTTPS.
Enabling Web and Secure Web Modes
Use these commands to enable or disable the distribution system port as a web port or as a secure web port:
config network webmode {enable | disable}
config network secureweb {enable | disable}
Web and secure web modes are enabled by default.
Configuring the GUI for HTTPS
You can protect communication with the GUI by enabling HTTPS. HTTPS protects HTTP browser sessions by using the Secure Sockets Layer (SSL) protocol. When you enable HTTPS, the controller generates its own local Web Administration SSL certificate and automatically applies it to the GUI. Because that certificate is self-signed, browsers warn on every connection and administrators have no way to tell the controller apart from an impostor presenting a different self-signed certificate, so for production use load a certificate issued by a CA that your administrators' browsers trust.
You can also load an externally generated certificate. Follow the instructions in the “Loading an Externally Generated HTTPS Certificate” section on page 2-3 for instructions on loading an externally generated certificate.
Using the CLI, follow these steps to enable HTTPS:
Step 1 Enter show certificate summary to verify that the controller has generated a certificate:
>show certificate summary
Web Administration Certificate................. Locally Generated
Web Authentication Certificate................. Locally Generated
Certificate compatibility mode:................ off
Step 2 (Optional) If you need to generate a new certificate, enter this command:
>config certificate generate webadmin
After a few seconds the controller verifies that the certificate is generated:
Web Administration certificate has been generated
Step 3 Enter this command to enable HTTPS:
>config network secureweb enable
Step 4 Save the SSL certificate, key, and secure web password to NVRAM (non-volatile RAM) so your changes
are retained across reboots:
>save config
Are you sure you want to save? (y/n) y
Configuration Saved!
Step 5 Reboot the controller:
>reset system
Are you sure you would like to reset the system? (y/n) y
System will now restart!
The controller reboots.
Loading an Externally Generated HTTPS Certificate
You use a TFTP server to load the certificate. Follow these guidelines for using TFTP:
If you load the certificate through the service port, the TFTP server must be on the same subnet as the controller because the service port is not routable. However, if you load the certificate through the distribution system (DS) network port, the TFTP server can be on any subnet.
The TFTP server cannot run on the same computer as the Cisco Wireless Control System (WCS) because WCS and the TFTP server use the same communication port.
TFTP provides no authentication or encryption, and the file you transfer contains the private key of the web administration interface, protected only by the password used to encrypt the file. Run the TFTP server on an isolated management segment and remove the file from it as soon as the transfer completes.
Note Every HTTPS certificate contains an embedded RSA key. The length of the RSA key can vary from 512 bits, which is relatively insecure, through thousands of bits, which is very secure. When you obtain a new certificate from a Certificate Authority, make sure the RSA key embedded in the certificate is at least 768 bits long. (768-bit RSA moduli have since been factored publicly; current practice is a minimum of 2048 bits.)
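A way to verify the key length before loading the certificate, as an added example in Python (not Cisco code): a small DER walker reads the RSA modulus out of a PEM certificate or public key and compares it with a floor. The sample keys are constructed inside the block and are not real RSA keys; their moduli are chosen only for their bit length. The 2048-bit default floor is a current-practice assumption, not a figure from this guide.

```python
"""Check the RSA modulus length embedded in a PEM certificate or public key.

Added example, not Cisco code: a minimal DER walker that finds the rsaEncryption
AlgorithmIdentifier, decodes the RSAPublicKey in the BIT STRING that follows it and
reports the modulus size. It works on a full X.509 certificate (it recurses into
every constructed element) as well as on a bare SubjectPublicKeyInfo. The sample
keys below are constructed for the example and are not real RSA keys.
"""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
TAG_INTEGER, TAG_BIT_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x05, 0x06, 0x30


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the first block found."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_children(data: bytes):
    """Yield (tag, value) for each TLV element in a DER byte string."""
    pos = 0
    while pos < len(data):
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        yield tag, data[pos:pos + length]
        pos += length


def rsa_modulus_bits(pem: str):
    """Return the modulus bit length of the RSA public key in a PEM blob, or None."""
    def walk(data: bytes):
        children = list(der_children(data))
        for i, (tag, value) in enumerate(children):
            if tag == TAG_SEQUENCE and i + 1 < len(children):
                # AlgorithmIdentifier ::= SEQUENCE { OID, params }, followed by the
                # subjectPublicKey BIT STRING that wraps RSAPublicKey { n, e }
                inner = list(der_children(value))
                next_tag, next_value = children[i + 1]
                if inner and inner[0] == (TAG_OID, RSA_ENCRYPTION_OID) and next_tag == TAG_BIT_STRING:
                    rsa_public_key = next(der_children(next_value[1:]))[1]  # skip unused-bits byte
                    modulus_tag, modulus = next(der_children(rsa_public_key))
                    if modulus_tag == TAG_INTEGER:
                        return int.from_bytes(modulus, "big").bit_length()
            if tag & 0x20:                     # constructed element: descend into it
                found = walk(value)
                if found:
                    return found
        return None
    return walk(pem_to_der(pem))


def key_meets_minimum(pem: str, minimum_bits: int = 2048) -> bool:
    bits = rsa_modulus_bits(pem)
    return bits is not None and bits >= minimum_bits


# --- constructed sample input ------------------------------------------------

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                        # keep the INTEGER positive
    return _der(TAG_INTEGER, b)


def make_spki_pem(modulus: int, exponent: int = 65537) -> str:
    """Encode a SubjectPublicKeyInfo for a made-up modulus (test data only)."""
    rsa_public_key = _der(TAG_SEQUENCE, _der_int(modulus) + _der_int(exponent))
    alg = _der(TAG_SEQUENCE, _der(TAG_OID, RSA_ENCRYPTION_OID) + _der(TAG_NULL, b""))
    spki = _der(TAG_SEQUENCE, alg + _der(TAG_BIT_STRING, b"\x00" + rsa_public_key))
    body = base64.b64encode(spki).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{lines}\n-----END PUBLIC KEY-----\n"


WEAK_KEY_PEM = make_spki_pem((1 << 511) | 1)     # 512-bit modulus
STRONG_KEY_PEM = make_spki_pem((1 << 2047) | 1)  # 2048-bit modulus

if __name__ == "__main__":
    for label, pem in (("weak", WEAK_KEY_PEM), ("strong", STRONG_KEY_PEM)):
        print(label, rsa_modulus_bits(pem), "bits; meets 768-bit floor:", key_meets_minimum(pem, 768))
```

Run it against the webadmincert_name.pem you are about to upload (the certificate part of the file is readable without the password; only the key is encrypted) and refuse the file if key_meets_minimum returns False.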
Follow these steps to load an externally generated HTTPS certificate:
Step 1 Use a password to encrypt the HTTPS certificate and its private key in a PEM-encoded file. The PEM-encoded file is called a Web Administration Certificate file (webadmincert_name.pem).
Step 2 Move the webadmincert_name.pem file to the default directory on your TFTP server.
Step 3 In the CLI, enter transfer download start and answer n to the prompt to view the current download settings:
>transfer download start
Mode........................................... TFTP
Data Type...................................... Admin Cert
TFTP Server IP................................. xxx.xxx.xxx.xxx
TFTP Path...................................... <directory path>
TFTP Filename..................................
Are you sure you want to start? (y/n) n
Transfer Canceled
Step 4 Use these commands to change the download settings:
>transfer download mode tftp
>transfer download datatype webadmincert
>transfer download serverip <TFTP server IP address>
>transfer download path <absolute TFTP server path to the update file>
>transfer download filename webadmincert_name.pem
Step 5 Enter the password for the .PEM file so the operating system can decrypt the Web Administration SSL key and certificate:
>transfer download certpassword private_key_password
Setting password to private_key_password
Step 6 Enter transfer download start to view the updated settings, and answer y to the prompt to confirm the current download settings and start the certificate and key download:
>transfer download start
Mode........................................... TFTP
Data Type...................................... Site Cert
TFTP Server IP................................. xxx.xxx.xxx.xxx
TFTP Path...................................... directory path
TFTP Filename.................................. webadmincert_name
Are you sure you want to start? (y/n) y
TFTP Webadmin cert transfer starting.
Certificate installed.
Please restart the switch (reset system) to use the new certificate.
Step 7 Enter this command to enable HTTPS:
>config network secureweb enable
Step 8 Save the SSL certificate, key, and secure web password to NVRAM (non-volatile RAM) so your changes
are retained across reboots:
>save config
Are you sure you want to save? (y/n) y
Configuration Saved!
Step 9 Reboot the controller:
>reset system
Are you sure you would like to reset the system? (y/n) y
System will now restart!
The controller reboots.
Disabling the GUI
To prevent all use of the GUI, select the Disable Web-Based Management check box on the Services: HTTP-Web Server page and click Apply.
To re-enable the GUI, use the web mode commands on the CLI (the check box itself is no longer reachable once web-based management is off):
>config network webmode enable
>config network secureweb enable
Using Online Help
Click the help icon at the top of any page in the GUI to display online help. You might have to disable the browser pop-up blocker to view online help.
Using the CLI
The CLI allows you to use a VT-100 emulator to locally or remotely configure, monitor, and control a WLAN controller and its associated lightweight access points. The CLI is a simple text-based, tree-structured interface that allows up to five users with Telnet-capable terminal emulators to access the controller.
Logging into the CLI
You access the CLI using either of two methods:
A direct ASCII serial connection to the controller console port
A remote console session over Ethernet through the pre-configured Service Port or through
Distribution System Ports
Before you log into the CLI, configure your connectivity and environment variables based on the type of connection you use.
Using a Local Serial Connection
You need these items to connect to the serial port:
A computer that has a DB-9 serial port and is running a terminal emulation program
A DB-9 male-to-female null-modem serial cable
Follow these steps to log into the CLI through the serial port.
Step 1 Connect your computer to the controller using the DB-9 null-modem serial cable.
Step 2 Open a terminal emulator session using these settings:
9600 baud
8 data bits
1 stop bit
no parity
no hardware flow control
Step 3 At the prompt, log into the CLI. The default username is admin, and the default password is admin. Change the default password before you connect the controller to a production network; every controller ships with the same credentials.
Note The controller serial port is set for a 9600 baud rate and a short timeout. If you would like to change either of these values, enter config serial baudrate baudrate and config serial timeout timeout to make your changes. If you enter config serial timeout 0, serial sessions never time out.
Using a Remote Ethernet Connection
You need these items to connect to a controller remotely:
A computer with access to the controller over the Ethernet network
The IP Address of the controller
A terminal emulation program or a DOS shell for the Telnet session
Note By default, controllers block Telnet sessions. You must use a local connection to the serial port to enable Telnet sessions. Telnet carries the login credentials and the whole session in cleartext, so if you enable it, reach the controller only over the service port or a dedicated management network.
Follow these steps to log into the CLI through a remote Ethernet connection:
Step 1 Verify that your terminal emulator or DOS shell interface is configured with these parameters:
Ethernet address
Port 23
Step 2 Use the controller IP address to Telnet to the CLI.
Step 3 At the prompt, log into the CLI. The default username is admin and the default password is admin.
Logging Out of the CLI
When you finish using the CLI, navigate to the root level and enter logout. The system prompts you to save any changes you made to the volatile RAM.
Navigating the CLI
The CLI is organized around five levels: Root Level, Level 2, Level 3, Level 4, and Level 5. When you log into the CLI, you are at the root level. From the root level, you can enter any full command without first navigating to the correct command level. Table 2-1 lists commands you use to navigate the CLI and to perform common tasks.
Table 2-1 Commands for CLI Navigation and Common Tasks
Command        Action
help           At the root level, view systemwide navigation commands
?              View commands available at the current level
command ?      View parameters for a specific command
exit           Move down one level
Ctrl-Z         Return from any level to the root level
save config    At the root level, save configuration changes from active working RAM to non-volatile RAM (NVRAM) so they are retained after reboot
reset system   At the root level, reset the controller without logging out
Enabling Wireless Connections to the Web-Browser and CLI Interfaces
You can monitor and configure controllers using a wireless client. This feature is supported for all management tasks except uploads from and downloads to the controller.
Before you can open the GUI or the CLI from a wireless client device you must configure the controller to allow the connection. Follow these steps to enable wireless connections to the GUI or CLI:
Step 1 Log into the CLI.
Step 2 Enter config network mgmt-via-wireless enable
Step 3 Use a wireless client to associate to a lightweight access point connected to the controller.
Step 4 On the wireless client, open a Telnet session to the controller, or browse to the controller GUI.
Leaving this setting disabled, as it is by default, keeps the management plane unreachable from the wireless side; enable it only where it is genuinely needed and pair it with HTTPS rather than Telnet or HTTP.
Tip To use the controller GUI to enable wireless connections, browse to the Management Via Wireless page and select the Enable Controller Management to be accessible from Wireless Clients check box.
CHAPTER
3
Configuring Ports and Interfaces
This chapter describes the controller’s physical ports and interfaces and provides instructions for configuring them. It contains these sections:
Overview of Ports and Interfaces, page 3-2
Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces, page 3-9
Configuring Dynamic Interfaces, page 3-14
Configuring Ports, page 3-17
Enabling Link Aggregation, page 3-27
Configuring a 4400 Series Controller to Support More Than 48 Access Points, page 3-30
Overview of Ports and Interfaces
Three concepts are key to understanding how controllers connect to a wireless network: ports, interfaces, and WLANs.
Ports
A port is a physical entity that is used for connections on the controller platform. Controllers have two types of ports: distribution system ports and a service port. The following figures show the ports available on each controller.
Note The controller in a Cisco Integrated Services Router and the controllers on the Cisco WiSM do not have external physical ports. They connect to the network through ports on the router or switch, respectively.
Figure 3-1 Ports on the Cisco 2000 Series Wireless LAN Controllers
(Figure labels: Serial console port; Distribution system ports 1-3.)
Figure 3-2 Ports on the Cisco 4100 Series Wireless LAN Controllers
(Figure labels: Service port; Serial console port; Distribution system ports 1-2; LEDs: Link, Activity, Status, Alarm, 1000Base-X Activity, In Use.)
Figure 3-3 Ports on the Cisco 4400 Series Wireless LAN Controllers
(Figure labels: Service port; Serial console port; Distribution system ports 1-4; LEDs: LINK, ACT, STATUS, ALARM, PS1, PS2, UTILITY, In Use.)
Note Figure 3-3 shows a Cisco 4404 controller. The Cisco 4402 controller is similar but has only two distribution system ports.
Table 3-1 provides a list of ports per controller.
Table 3-1 Controller Ports
Controller                                         Service Ports        Distribution System Ethernet Ports   Serial Console Port
2000 series                                        None                 4                                    1
4100 series                                        1                    2                                    1
4402                                               1                    2                                    1
4404                                               1                    4                                    1
Cisco WiSM                                         2 (ports 9 and 10)   8 (ports 1-8)                        2
Controller Network Module within the
Cisco 28/37/38xx Series Integrated Services Routers None                1                                    1
Distribution System Ports
A distribution system port connects the controller to a neighbor switch and serves as the data path between these two devices.
Cisco 2000 series controllers have four 10/100 copper Ethernet distribution system ports through which the controller can support up to six access points.
Cisco 4100 series controllers have two fiber gigabit Ethernet distribution system ports through which the controller can support up to 36 access points.
Cisco 4402 controllers have two gigabit Ethernet distribution system ports, each of which is capable of managing up to 48 access points. However, Cisco recommends no more than 25 access points per port due to bandwidth constraints. The 4402-25 and 4402-50 models allow a total of 25 or 50 access points to join the controller.
Cisco 4404 controllers have four gigabit Ethernet distribution system ports, each of which is capable of managing up to 48 access points. However, Cisco recommends no more than 25 access points per port due to bandwidth constraints. The 4404-25, 4404-50, and 4404-100 models allow a total of 25, 50, or 100 access points to join the controller.
Note The gigabit Ethernet ports on the 4402 and 4404 controllers accept these SX/LC/T small form-factor plug-in (SFP) modules:
- 1000BASE-SX SFP modules, which provide a 1000-Mbps wired connection to a network through an 850nM (SX) fiber-optic link using an LC physical connector
- 1000BASE-LX SFP modules, which provide a 1000-Mbps wired connection to a network through a 1300nM (LX/LH) fiber-optic link using an LC physical connector
- 1000BASE-T SFP modules, which provide a 1000-Mbps wired connection to a network through a copper link using an RJ-45 physical connector
The Cisco WiSM has eight gigabit Ethernet distribution system ports, which are located on the Catalyst 6500 switch backplane. Through these ports, the controller can support up to 300 access points.
The Controller Network Module within the Cisco 28/37/38xx Series Integrated Services Routers has one Fast Ethernet distribution system port, which is located on the router backplane. Through this port, the controller can support up to six access points.
Note Refer to the “Configuring a 4400 Series Controller to Support More Than 48 Access Points” section on page 3-30 if you want to configure your Cisco 4400 series controller to support more than 48 access points.
Each distribution system port is, by default, an 802.1Q VLAN trunk port. The VLAN trunking characteristics of the port are not configurable. Because the controller side of the trunk cannot be restricted, prune the trunk on the neighbor switch to only the VLANs that the controller's interfaces actually use.
Note Some controllers support link aggregation (LAG), which bundles all of the controller’s distribution system ports into a single 802.3ad port channel. Cisco 4400 series controllers support LAG in software release 3.2 and higher, and LAG is enabled automatically on the Cisco WiSM controllers. Refer to the “Enabling Link Aggregation” section on page 3-27 for more information.
Service Port
Cisco 4100 and 4400 series controllers also have a 10/100 copper Ethernet service port. The service port is controlled by the service-port interface and is reserved for out-of-band management of the controller and system recovery and maintenance in the event of a network failure. It is also the only port that is active when the controller is in boot mode. The service port is not capable of carrying 802.1Q tags, so it must be connected to an access port on the neighbor switch. Use of the service port is optional.
Note The Cisco WiSM’s 4404 controllers use the service port for internal protocol communication between the controllers and the Supervisor 720.
Note The Cisco 2000 series controller and the controller in the Cisco Integrated Services Router do not have a service port.
Note The service port is not auto-sensing. You must use the correct straight-through or crossover Ethernet cable to communicate with the service port.
Interfaces
An interface is a logical entity on the controller. An interface has multiple parameters associated with it, including an IP address, default-gateway (for the IP subnet), primary physical port, secondary physical port, VLAN identifier, and DHCP server.
These five types of interfaces are available on the controller. Four of these are static and are configured at setup time:
Management interface (Static and configured at setup time; mandatory)
AP-manager interface (When using Layer 3 LWAPP, static and configured at setup time; mandatory)
Virtual interface (Static and configured at setup time; mandatory)
Service-port interface (Static and configured at setup time; optional)
Dynamic interface (User-defined)
Each interface is mapped to at least one primary port, and some interfaces (management and dynamic) can be mapped to an optional secondary (or backup) port. If the primary port for an interface fails, the interface automatically moves to the backup port. In addition, multiple interfaces can be mapped to a single controller port.
Note Refer to the “Enabling Link Aggregation” section on page 3-27 if you want to configure the controller to dynamically map the interfaces to a single port channel rather than having to configure primary and secondary ports for each interface.
Management Interface
The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. The management interface has the only consistently “pingable” in-band interface IP address on the controller. You can access the controller’s GUI by entering the controller’s management interface IP address in Internet Explorer’s Address field.
The management interface is also used for Layer 2 communications between the controller and Cisco 1000 series lightweight access points. It must be assigned to distribution system port 1 but can also be mapped to a backup port and can be assigned to WLANs if desired. It may be on the same VLAN or IP subnet as the AP-manager interface. However, the management interface can also communicate through the other distribution system ports as follows:
Sends messages through the Layer 2 network to autodiscover and communicate with other controllers through all distribution system ports.
Listens across the Layer 2 network for Cisco 1000 series lightweight access point LWAPP polling messages to autodiscover, associate to, and communicate with as many Cisco 1000 series lightweight access points as possible.
When LWAPP communications are set to Layer 2 (same subnet) mode, the controller requires one management interface to control all inter-controller and all controller-to-access point communications, regardless of the number of ports. When LWAPP communications are set to Layer 3 (different subnet) mode, the controller requires one management interface to control all inter-controller communications and one AP-manager interface to control all controller-to-access point communications, regardless of the number of ports.
Note If the service port is in use, the management interface must be on a different subnet from the service-port interface.
AP-Manager Interface
A controller has one or more AP-manager interfaces, which are used for all Layer 3 communications between the controller and lightweight access points after the access points have joined the controller. The AP-manager IP address is used as the tunnel source for LWAPP packets from the controller to the access point and as the destination for LWAPP packets from the access point to the controller.
The static (or permanent) AP-manager interface must be assigned to distribution system port 1 and must have a unique IP address. It cannot be mapped to a backup port. It is usually configured on the same VLAN or IP subnet as the management interface, but this is not a requirement. The AP-manager interface can communicate through any distribution system port as follows:
Sends Layer 3 messages through the network to autodiscover and communicate with other controllers.
Listens across the network for Layer 3 lightweight access point LWAPP polling messages to autodiscover, associate to, and communicate with as many lightweight access points as possible.
Note Refer to the “Using Multiple AP-Manager Interfaces” section on page 3-31 for information on creating and using multiple AP-manager interfaces.
Note When LAG is disabled, you must assign an AP-manager interface to each port on the controller.
Virtual Interface
The virtual interface is used to support mobility management, Dynamic Host Configuration Protocol (DHCP) relay, and embedded Layer 3 security such as guest web authentication and VPN termination. It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3 web authorization is enabled.
Specifically, the virtual interface plays these three primary roles:
Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server.
Serves as the redirect address for the Web Authentication Login window.
Note See Chapter 5 for additional information on web authentication.
Acts as part of the IPSec configuration when the controller is used to terminate IPSec tunnels between wireless clients and the controller.
The virtual interface IP address is used only in communications between the controller and wireless clients. It never appears as the source or destination address of a packet that goes out a distribution system port and onto the switched network. For the system to operate correctly, the virtual interface IP address must be set (it cannot be 0.0.0.0), and no other device on the network can have the same address as the virtual interface. Therefore, the virtual interface must be configured with an unassigned and unused gateway IP address, such as 1.1.1.1. (Note that 1.1.1.1 has since become a publicly routed address; pick one that will never be routed in your network, for example an address from a range reserved for documentation such as 192.0.2.1.) The virtual interface IP address is not pingable and should not exist in any routing table in your network. In addition, the virtual interface cannot be mapped to a backup port.
Note All controllers within a mobility group must be configured with the same virtual interface IP address. Otherwise, inter-controller roaming may appear to work, but the hand-off does not complete, and the client loses connectivity for a period of time.
Service-Port Interface
The service-port interface controls communications through and is statically mapped by the system to the service port. It must have an IP address on a different subnet from the management, AP-manager, and any dynamic interfaces, and it cannot be mapped to a backup port. This configuration enables you to manage the controller directly or through a dedicated operating system network, such as 10.1.2.x, which can ensure service access during network downtime.
The service port can obtain an IP address using DHCP, or it can be assigned a static IP address, but a default gateway cannot be assigned to the service-port interface. Static routes can be defined through the controller for remote network access to the service port.
Note Only Cisco 4100 and 4400 series controllers have a service-port interface.
Note You must configure an IP address on the service-port interface of both Cisco WiSM controllers.
Dynamic Interface
Note Tagged VLANs must be used for dynamic interfaces. Otherwise, the neighbor switch is unable to check the status of each controller.
Dynamic interfaces, also known as VLAN interfaces, are created by users and designed to be analogous to VLANs for wireless LAN clients. A controller can support up to 512 dynamic interfaces (VLANs). Each dynamic interface is individually configured and allows separate communication streams to exist on any or all of a controller’s distribution system ports. Each dynamic interface controls VLAN and other communications between controllers and all other network devices, and each acts as a DHCP relay for wireless clients associated to WLANs mapped to the interface. You can assign dynamic interfaces to distribution system ports, WLANs, the Layer 2 management interface, and the Layer 3 AP-manager interface, and you can map the dynamic interface to a backup port.
You can configure zero, one, or multiple dynamic interfaces on a distribution system port. However, all dynamic interfaces must be on a different VLAN or IP subnet from all other interfaces configured on the port. If the port is untagged, all dynamic interfaces must be on a different IP subnet from any other interface configured on the port.
WLANs
Note Chapter 6 provides instructions for configuring WLANs.
A WLAN associates a service set identifier (SSID) to an interface. It is configured with security, quality of service (QoS), radio policies, and other wireless network parameters. Up to 16 access point WLANs can be configured per controller.
Figure 3-4 illustrates the relationship between ports, interfaces, and WLANs.
Figure 3-4 Ports, Interfaces, and WLANs
As shown in Figure 3-4, each controller port connection is an 802.1Q trunk and should be configured as such on the neighbor switch. On Cisco switches, the native VLAN of an 802.1Q trunk is an untagged VLAN. Therefore, if you configure an interface to use the native VLAN on a neighboring Cisco switch, make sure you configure the interface on the controller to be untagged.
Note A zero value for the VLAN identifier (on the Controller > Interfaces page) means that the interface is untagged.
The default (untagged) native VLAN on Cisco switches is VLAN 1. When controller interfaces are configured as tagged (meaning that the VLAN identifier is set to a non-zero value), the VLAN must be allowed on the 802.1Q trunk configuration on the neighbor switch and not be the native untagged VLAN.
Cisco recommends that only tagged VLANs be used on the controller. You should also allow only relevant VLANs on the neighbor switch’s 802.1Q trunk connections to controller ports. All other VLANs should be disallowed or pruned in the switch port trunk configuration. This practice is extremely important for optimal performance of the controller.
Note Cisco recommends that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers properly route VLAN traffic.
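The interface rules above (virtual address set and unique across the mobility group, AP-manager on the management subnet with its own address, service port on a separate subnet, dynamic interfaces tagged and not overlapping other interfaces on the same port) can be checked on paper before they are typed into a controller. The following is an added example, not Cisco code; the Iface structure, the peer_virtual_addrs mapping and the sample addresses are assumptions constructed for illustration.

```python
"""Added example (not Cisco code): check a planned controller interface layout
against the rules stated in this chapter before entering it on the controller.
The Iface structure, peer_virtual_addrs and the sample addresses are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_DYNAMIC_INTERFACES = 512  # per-controller limit given in this chapter


@dataclass
class Iface:
    name: str
    kind: str                   # management, ap-manager, virtual, service-port, dynamic
    address: str
    netmask: str = "255.255.255.255"
    vlan: int = 0               # 0 means untagged (as on the Controller > Interfaces page)
    port: Optional[int] = None  # distribution system port number


def subnet(i: Iface) -> ipaddress.IPv4Network:
    """Subnet of an interface, derived from its address and netmask."""
    return ipaddress.IPv4Network(f"{i.address}/{i.netmask}", strict=False)


def validate_plan(ifaces: List[Iface],
                  peer_virtual_addrs: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the rule violations found (an empty list means the plan is consistent).
    peer_virtual_addrs maps other mobility-group controllers to their virtual address."""
    problems: List[str] = []
    by_kind: Dict[str, List[Iface]] = {}
    for i in ifaces:
        by_kind.setdefault(i.kind, []).append(i)
    mgmt = next(iter(by_kind.get("management", [])), None)
    apm = next(iter(by_kind.get("ap-manager", [])), None)
    virt = next(iter(by_kind.get("virtual", [])), None)
    svc = next(iter(by_kind.get("service-port", [])), None)
    dynamics = by_kind.get("dynamic", [])

    # Virtual interface: must be set, must not collide with any other interface,
    # and must be identical on every controller in the mobility group.
    if virt is None or virt.address == "0.0.0.0":
        problems.append("virtual interface address must be set (cannot be 0.0.0.0)")
    else:
        for i in ifaces:
            if i is not virt and i.address == virt.address:
                problems.append(f"virtual address {virt.address} is also used by {i.name}")
        for peer, addr in (peer_virtual_addrs or {}).items():
            if addr != virt.address:
                problems.append(f"mobility peer {peer} uses virtual address {addr}, "
                                f"not {virt.address}; roaming hand-offs will not complete")

    # AP-manager: same subnet as management, but a different address.
    if mgmt and apm:
        if apm.address == mgmt.address:
            problems.append("ap-manager address must differ from the management address")
        elif subnet(apm) != subnet(mgmt):
            problems.append("ap-manager must be on the same subnet as management")

    # Service port: its own subnet, apart from management, ap-manager and dynamics.
    if svc:
        for i in ifaces:
            if i.kind in ("management", "ap-manager", "dynamic") and subnet(i) == subnet(svc):
                problems.append(f"service-port shares subnet {subnet(svc)} with {i.name}")

    # Dynamic interfaces: tagged, port number set, and on the same port neither the
    # VLAN nor the IP subnet may be shared with another interface.
    if len(dynamics) > MAX_DYNAMIC_INTERFACES:
        problems.append(f"{len(dynamics)} dynamic interfaces exceed the limit of "
                        f"{MAX_DYNAMIC_INTERFACES}")
    for d in dynamics:
        if d.vlan == 0:
            problems.append(f"dynamic interface {d.name} must use a tagged (non-zero) VLAN")
        if d.port is None:
            problems.append(f"dynamic interface {d.name} has no port number set")
            continue
        for i in ifaces:
            if i is d or i.kind == "virtual" or i.port != d.port:
                continue
            if (i.vlan != 0 and i.vlan == d.vlan) or subnet(i) == subnet(d):
                problems.append(f"dynamic interface {d.name} clashes with {i.name} on port {d.port}")
    return problems


# Constructed sample plan following the chapter's recommendations: tagged VLANs
# everywhere, fictitious virtual address 1.1.1.1, service port on 10.1.2.x.
GOOD_PLAN = [
    Iface("management", "management", "10.10.0.2", "255.255.255.0", vlan=10, port=1),
    Iface("ap-manager", "ap-manager", "10.10.0.3", "255.255.255.0", vlan=10, port=1),
    Iface("virtual", "virtual", "1.1.1.1"),
    Iface("service-port", "service-port", "10.1.2.5", "255.255.255.0"),
    Iface("employees", "dynamic", "10.20.0.2", "255.255.255.0", vlan=20, port=1),
    Iface("guests", "dynamic", "10.30.0.2", "255.255.255.0", vlan=30, port=1),
]

# Constructed bad plan: ap-manager off the management subnet, and an untagged
# dynamic interface placed on the management subnet of the same port.
BAD_PLAN = GOOD_PLAN[:1] + [
    Iface("ap-manager", "ap-manager", "10.11.0.3", "255.255.255.0", vlan=11, port=1),
    Iface("virtual", "virtual", "1.1.1.1"),
    Iface("service-port", "service-port", "10.1.2.5", "255.255.255.0"),
    Iface("employees", "dynamic", "10.10.0.9", "255.255.255.0", vlan=0, port=1),
]

if __name__ == "__main__":
    print("good plan:", validate_plan(GOOD_PLAN) or "no problems")
    for p in validate_plan(BAD_PLAN, {"wlc-2": "1.1.1.2"}):
        print("bad plan:", p)
```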
Follow the instructions on the pages indicated to configure your controller’s interfaces and ports:
Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces, page 3-9
Configuring Dynamic Interfaces, page 3-14
Configuring Ports, page 3-17
Enabling Link Aggregation, page 3-27
Configuring a 4400 Series Controller to Support More Than 48 Access Points, page 3-30
Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces
Typically, you define the management, AP-manager, virtual, and service-port interface parameters using the Startup Wizard. However, you can display and configure interface parameters through either the GUI or CLI after the controller is running.
Using the GUI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces
Follow these steps to display and configure the management, AP-manager, virtual, and service-port interface parameters using the GUI.
Step 1 Click Controller > Interfaces to access the Interfaces page (see Figure 3-5).
Figure 3-5 Interfaces Page
This page shows the current controller interface settings.
Step 2 If you want to modify the settings of a particular interface, click the interface’s Edit link. The Interfaces > Edit page for that interface appears.
Step 3 Configure the following parameters for each interface type:
Management Interface
Note The management interface uses the controller’s factory-set distribution system MAC address.
VLAN identifier
Note Enter 0 for an untagged VLAN or a non-zero value for a tagged VLAN. Cisco recommends that only tagged VLANs be used on the controller.
Fixed IP address, IP netmask, and default gateway
Physical port assignment
Primary and secondary DHCP servers
Access control list (ACL) setting, if required
Note To create ACLs, follow the instructions in Chapter 5.
AP-Manager Interface
VLAN identifier
Note Enter 0 for an untagged VLAN or a non-zero value for a tagged VLAN. Cisco recommends that only tagged VLANs be used on the controller.
Fixed IP address, IP netmask, and default gateway
Note The AP-manager interface’s IP address must be different from the management interface’s IP address but must be on the same subnet as the management interface.
Physical port assignment
Primary and secondary DHCP servers
Access control list (ACL) name, if required
Note To create ACLs, follow the instructions in Chapter 5.
Virtual Interface
Any fictitious, unassigned, and unused gateway IP address, such as 1.1.1.1
DNS gateway host name
Service-Port Interface
Note The service-port interface uses the controller’s factory-set service-port MAC address.
DHCP protocol (enabled) or
DHCP protocol (disabled) and IP address and IP netmask
Step 4 Click Save Configuration to save your changes.
Step 5 If you made any changes to the virtual interface, reboot the controller so your changes take effect.
Using the CLI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces
This section provides instructions for displaying and configuring the management, AP-manager, virtual, and service-port interfaces using the CLI.
Using the CLI to Configure the Management Interface
Follow these steps to display and configure the management interface parameters using the CLI.
Step 1 Enter show interface detailed management to view the current management interface settings.
Note The management interface uses the controller’s factory-set distribution system MAC address.
Step 2 Enter config wlan disable wlan-number to disable each WLAN that uses the management interface for distribution system communication.
Step 3 Enter these commands to define the management interface:
config interface address management ip-addr ip-netmask gateway
config interface vlan management {vlan-id | 0}
Note Enter 0 for an untagged VLAN or a non-zero value for a tagged VLAN. Cisco recommends that only tagged VLANs be used on the controller.
config interface port management physical-ds-port-number
config interface dhcp management ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]
config interface acl management access-control-list-name
Note To create ACLs, follow the instructions in Chapter 5.
Step 4 Enter show interface detailed management to verify that your changes have been saved.
Using the CLI to Configure the AP-Manager Interface
Follow these steps to display and configure the AP-manager interface parameters using the CLI.
Step 1 Enter show interface summary to view the current interfaces.
Note If the system is operating in Layer 2 mode, the AP-manager interface is not listed.
Step 2 Enter show interface detailed ap-manager to view the current AP-manager interface settings.
Step 3 Enter config wlan disable wlan-number to disable each WLAN that uses the AP-manager interface for distribution system communication.
Step 4 Enter these commands to define the AP-manager interface:
config interface address ap-manager ip-addr ip-netmask gateway
config interface vlan ap-manager {vlan-id | 0}
Note Enter 0 for an untagged VLAN or a non-zero value for a tagged VLAN. Cisco recommends that only tagged VLANs be used on the controller.
config interface port ap-manager physical-ds-port-number
config interface dhcp ap-manager ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]
config interface acl ap-manager access-control-list-name
Note To create ACLs, follow the instructions in Chapter 5.
Step 5 Enter show interface detailed ap-manager to verify that your changes have been saved.
Using the CLI to Configure the Virtual Interface
Follow these steps to display and configure the virtual interface parameters using the CLI.
Step 1 Enter show interface detailed virtual to view the current virtual interface settings.
Step 2 Enter config wlan disable wlan-number to disable each WLAN that uses the virtual interface for distribution system communication.
Step 3 Enter these commands to define the virtual interface:
config interface address virtual ip-address
Note For ip-address, enter any fictitious, unassigned, and unused gateway IP address, such as 1.1.1.1.
config interface hostname virtual dns-host-name
Step 4 Enter reset system. At the confirmation prompt, enter Y to save your configuration changes to NVRAM. The controller reboots.
Step 5 Enter show interface detailed virtual to verify that your changes have been saved.
Using the CLI to Configure the Service-Port Interface
Follow these steps to display and configure the service-port interface parameters using the CLI.
Step 1 Enter show interface detailed service-port to view the current service-port interface settings.
Note The service-port interface uses the controller’s factory-set service-port MAC address.
Step 2 Enter these commands to define the service-port interface:
To configure the DHCP server: config interface dhcp service-port ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]
To disable the DHCP server: config interface dhcp service-port none
To configure the IP address: config interface address service-port ip-addr ip-netmask gateway
Step 3 The service port is used for out-of-band management of the controller. If the management workstation is in a remote subnet, you may need to add a route on the controller in order to manage the controller from that remote workstation. To do so, enter this command:
config route network-ip-addr ip-netmask gateway
Step 4 Enter show interface detailed service-port to verify that your changes have been saved.
Configuring Dynamic Interfaces
This section provides instructions for configuring dynamic interfaces using either the GUI or CLI.
Using the GUI to Configure Dynamic Interfaces
Follow these steps to create new or edit existing dynamic interfaces using the GUI.
Step 1 Click Controller > Interfaces to access the Interfaces page (see Figure 3-5).
Step 2 Perform one of the following:
To create a new dynamic interface, click New. The Interfaces > New page appears (see Figure 3-6). Go to Step 3.
To modify the settings of an existing dynamic interface, click the interface’s Edit link. The Interfaces > Edit page for that interface appears (see Figure 3-7). Go to Step 5.
To delete an existing dynamic interface, click the interface’s Remove link.
Figure 3-6 Interfaces > New Page
Step 3 Enter an interface name and a VLAN identifier, as shown in Figure 3-6.
Note Enter a non-zero value for the VLAN identifier. Tagged VLANs must be used for dynamic interfaces.
Step 4 Click Apply to commit your changes. The Interfaces > Edit page appears (see Figure 3-7).
Figure 3-7 Interfaces > Edit Page
Step 5 Configure the following parameters:
VLAN identifier
Fixed IP address, IP netmask, and default gateway
Physical port assignment
Primary and secondary DHCP servers
Access control list (ACL) name, if required
Note To create ACLs, follow the instructions in Chapter 5.
Note To ensure proper operation, you must set the Port Number and Primary DHCP Server parameters.
Step 6 Click Save Configuration to save your changes.
Step 7 Repeat this procedure for each dynamic interface that you want to create or edit.
Using the CLI to Configure Dynamic Interfaces
Follow these steps to configure dynamic interfaces using the CLI.
Step 1 Enter show interface summary to view the current dynamic interfaces.
Step 2 To view the details of a specific dynamic interface, enter show interface detailed operator-defined-interface-name.
Step 3 Enter config wlan disable wlan-number to disable each WLAN that uses the dynamic interface for distribution system communication.
Step 4 Enter these commands to configure dynamic interfaces:
config interface create operator-defined-interface-name {vlan-id | x }
Note Enter a non-zero value for the VLAN identifier. Tagged VLANs must be used for dynamic interfaces.
config interface address operator-defined-interface-name ip-addr ip-netmask [gateway]
config interface vlan operator-defined-interface-name {vlan-id | 0}
config interface port operator-defined-interface-name physical-ds-port-number
config interface dhcp operator-defined-interface-name ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]
config interface acl operator-defined-interface-name access-control-list-name
Note To create ACLs, follow the instructions in Chapter 5.
Step 5 Enter show interface detailed operator-defined-interface-name and show interface summary to verify that your changes have been saved.
Note If desired, you can enter config interface delete operator-defined-interface-name to delete a dynamic interface.
Configuring Ports
The controller’s ports are preconfigured with factory default settings designed to make the controllers’ ports operational without additional configuration. However, you can view the status of the controller’s ports and edit their configuration parameters at any time.
Follow these steps to use the GUI to view the status of the controller’s ports and make any configuration changes if necessary.
Step 1 Click Controller > Ports to access the Ports page (see Figure 3-8).
Figure 3-8 Ports Page
This page shows the current configuration for each of the controller’s ports.
Step 2 If you want to change the settings of any port, click the Edit link for that specific port. The Port > Configure page appears (see Figure 3-9).
Note The number of parameters available on the Port > Configure page depends on your controller type. For instance, Cisco 2000 series controllers and the controller in a Cisco Integrated Services Router have fewer configurable parameters than a Cisco 4400 series controller, which is shown in Figure 3-9.
Figure 3-9 Port > Configure Page
Table 3-2 interprets the current status of the port.
Table 3-2 Port Status
Parameter Description
Port Number: The number of the current port.
Physical Status: The data rate being used by the port. The available data rates vary based on controller type.
    Controller / Available Data Rates
    4400 and 4100 series: 1000 Mbps full duplex
    2000 series: 10 or 100 Mbps, half or full duplex
    WiSM: 1000 Mbps full duplex
    Integrated Services Routers: 100 Mbps full duplex
Link Status: The port’s link status. Values: Link Up or Link Down
Power Over Ethernet (PoE): Determines if the connecting device is equipped to receive power through the Ethernet cable and if so provides -48 VDC. Values: Enable or Disable
    Note Some older Cisco access points do not draw PoE even if it is enabled on the controller port. In such cases, contact the Cisco Technical Assistance Center (TAC).
Step 3 Table 3-3 lists and describes the port’s configurable parameters. Follow the instructions in the table to make any desired changes.
Table 3-3 Port Parameters
Parameter Description
Admin Status: Enables or disables the flow of traffic through the port. Options: Enable or Disable. Default: Enable
    Note Administratively disabling the port does not affect the port’s link status. The link can be brought down only by other Cisco devices.
Physical Mode: Determines whether the port’s data rate is set automatically or specified by the user. The supported data rates vary based on controller type. Default: Auto
    Controller / Supported Data Rates
    4400 and 4100 series: Auto or 1000 Mbps full duplex
    2000 series: Auto or 10 or 100 Mbps, half or full duplex
    WiSM: Auto or 1000 Mbps full duplex
    Integrated Services Routers: Auto or 100 Mbps full duplex
Link Trap: Causes the port to send a trap when the port’s link status changes. Options: Enable or Disable. Default: Enable
Multicast Appliance Mode: Enables or disables the multicast appliance service for this port. Options: Enable or Disable. Default: Enable
Step 4 Click Save Configuration to save your changes.
Step 5 Click Back to return to the Ports page and review your changes.
Step 6 Repeat this procedure for each additional port that you want to configure.
Step 7 Go to the following sections if you want to configure the controller’s ports for these advanced features:
Port mirroring, see below
Spanning Tree Protocol (STP), page 3-21
Configuring Port Mirroring
Mirror mode enables you to duplicate to another port all of the traffic originating from or terminating at a single client device or access point. It is useful in diagnosing specific network problems. Mirror mode should be enabled only on an unused port as any connections to this port become unresponsive.
Note 4100 series and WiSM controllers do not support mirror mode. Also, a controller’s service port cannot be used as a mirrored port.
Note Port mirroring is not supported when link aggregation (LAG) is enabled on the controller.
Note Cisco recommends that you do not mirror traffic from one controller port to another as this setup could cause network problems.
Follow these steps to enable port mirroring.
Step 1 Click Controller > Ports to access the Ports page (see Figure 3-8).
Step 2 Click Edit for the unused port for which you want to enable mirror mode. The Port > Configure page appears (see Figure 3-9).
Step 3 Set the Mirror Mode parameter to Enable.
Step 4 Click Save Configuration to save your changes.
Step 5 Perform one of the following:
Follow these steps if you want to choose a specific client device that will mirror its traffic to the port you selected on the controller:
a. Click Wireless > Clients to access the Clients page.
b. Click Detail for the client on which you want to enable mirror mode. The Clients > Detail page appears.
c. Under Client Details, set the Mirror Mode parameter to Enable.
Follow these steps if you want to choose an access point that will mirror its traffic to the port you selected on the controller:
a. Click Wireless > All APs to access the All APs page.
b. Click Detail for the access point on which you want to enable mirror mode. The All APs > Details page appears.
c. Under General, set the Mirror Mode parameter to Enable.
Step 6 Click Save Configuration to save your changes.
Configuring Spanning Tree Protocol
Spanning Tree Protocol (STP) is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two network devices. STP allows only one active path at a time between network devices but establishes redundant links as a backup if the initial link should fail.
The spanning-tree algorithm calculates the best loop-free path throughout a Layer 2 network. Infrastructure devices such as controllers and switches send and receive spanning-tree frames, called bridge protocol data units (BPDUs), at regular intervals. The devices do not forward these frames but use them to construct a loop-free path.
Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages. Infrastructure devices might also learn end-station MAC addresses on multiple Layer 2 interfaces. These conditions result in an unstable network.
STP defines a tree with a root bridge and a loop-free path from the root to all infrastructure devices in the Layer 2 network.
Note STP discussions use the term root to describe two concepts: the controller on the network that serves as a central point in the spanning tree is called the root bridge, and the port on each controller that provides the most efficient path to the root bridge is called the root port. The root bridge in the spanning tree is called the spanning-tree root.
STP forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the standby path.
When two ports on a controller are part of a loop, the spanning-tree port priority and path cost settings determine which port is put in the forwarding state and which is put in the blocking state. The port priority value represents the location of a port in the network topology and how well it is located to pass traffic. The path cost value represents media speed.
The controller maintains a separate spanning-tree instance for each active VLAN configured on it. A bridge ID, consisting of the bridge priority and the controller’s MAC address, is associated with each instance. For each VLAN, the controller with the lowest controller ID becomes the spanning-tree root for that VLAN.
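The decisions described in the preceding paragraphs (root election on the lowest bridge ID, and path cost plus port priority choosing which looped port forwards and which blocks) can be modelled directly with the parameter ranges from Tables 3-5 and 3-7. The following is an added example, not Cisco code; it is a simplified model, and the path cost of 4 for 1000-Mbps links is taken from the IEEE 802.1D cost table rather than from this chapter.

```python
"""Added example (not Cisco code): simplified model of the STP decisions this
section describes, using the parameter ranges from Tables 3-5 and 3-7.
The 1000 Mbps cost is an assumption taken from IEEE 802.1D, not from this chapter."""
from dataclasses import dataclass
from typing import List, Tuple

# Auto path cost by link speed: 100 and 19 are the typical values this chapter
# cites for 10 and 100 Mbps; 4 for 1000 Mbps is assumed from the 802.1D cost table.
AUTO_PATH_COST = {10: 100, 100: 19, 1000: 4}


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = 32768          # Table 3-7: range 0 to 65535, default 32768

    def bridge_id(self) -> Tuple[int, int]:
        """Bridge ID as (priority, MAC): priority is compared first, MAC breaks ties."""
        if not 0 <= self.priority <= 65535:
            raise ValueError(f"bridge priority {self.priority} out of range 0-65535")
        return (self.priority, int(self.mac.replace(":", "").replace("-", ""), 16))


def elect_root(bridges: List[Bridge]) -> Bridge:
    """The bridge with the lowest bridge ID becomes the spanning-tree root."""
    return min(bridges, key=Bridge.bridge_id)


@dataclass(frozen=True)
class Port:
    number: int
    speed_mbps: int
    priority: int = 128            # Table 3-5: range 0 to 255, default 128
    path_cost: int = 0             # Table 3-5: 0 = derive from link speed at link up

    def effective_cost(self) -> int:
        """User-configured cost if set, otherwise the cost implied by link speed."""
        if not 0 <= self.priority <= 255:
            raise ValueError(f"port priority {self.priority} out of range 0-255")
        if not 0 <= self.path_cost <= 65535:
            raise ValueError(f"path cost {self.path_cost} out of range 0-65535")
        return self.path_cost if self.path_cost else AUTO_PATH_COST[self.speed_mbps]


def resolve_loop(ports: List[Port]) -> Tuple[int, List[int]]:
    """For ports of one controller that form a loop, pick the forwarding (root) port:
    lowest path cost wins, then lowest port priority, then lowest port number.
    Returns (forwarding port number, blocked port numbers)."""
    ordered = sorted(ports, key=lambda p: (p.effective_cost(), p.priority, p.number))
    return ordered[0].number, [p.number for p in ordered[1:]]


def recalculate_after_failure(ports: List[Port], failed: int) -> Tuple[int, List[int]]:
    """When the active segment fails, the algorithm recomputes over the remaining
    ports and activates the standby path."""
    return resolve_loop([p for p in ports if p.number != failed])


if __name__ == "__main__":
    # Constructed sample: three controllers, one with a lowered bridge priority,
    # and one controller with three ports in a loop.
    bridges = [Bridge("wlc-1", "00:0b:85:00:00:10"),
               Bridge("wlc-2", "00:0b:85:00:00:05"),
               Bridge("wlc-core", "00:0b:85:00:00:ff", priority=4096)]
    print("root:", elect_root(bridges).name)
    ports = [Port(1, 100), Port(2, 10), Port(3, 100, priority=64)]
    print("forwarding/blocked:", resolve_loop(ports))
    print("after port 3 fails:", recalculate_after_failure(ports, 3))
```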
STP is disabled for the controller’s distribution system ports by default. The following sections provide instructions for configuring STP for your controller using either the GUI or CLI.
Using the GUI to Configure Spanning Tree Protocol
Follow these steps to configure STP using the GUI.
Step 1 Click Controller > Ports to access the Ports page (see Figure 3-8).
Step 2 Click Edit for the specific port for which you want to configure STP. The Port > Configure page appears (see Figure 3-9). This page shows the STP status of the port and enables you to configure STP parameters.
Table 3-4 interprets the current STP status of the port.
Table 3-4 Port Spanning Tree Status
Parameter Description
STP Port ID: The number of the port for which STP is enabled or disabled.
STP State: The port’s current STP state. It controls the action that a port takes upon receiving a frame. Values: Disabled, Blocking, Listening, Learning, Forwarding, and Broken
    STP State / Description
    Disabled: The port is not participating in spanning tree because the port is shut down, the link is down, or STP is not enabled for this port.
    Blocking: The port does not participate in frame forwarding.
    Listening: The first transitional state after the blocking state when STP determines that the port should participate in frame forwarding.
    Learning: The port prepares to participate in frame forwarding.
    Forwarding: The port forwards frames.
    Broken: The port is malfunctioning.
STP Port Designated Root: The unique identifier of the root bridge in the configuration BPDUs.
STP Port Designated Cost: The path cost of the designated port.
STP Port Designated Bridge: The identifier of the bridge that the port considers to be the designated bridge for this port.
STP Port Designated Port: The port identifier on the designated bridge for this port.
STP Port Forward Transitions Count: The number of times that the port has transitioned from the learning state to the forwarding state.
Step 3 Table 3-5 lists and describes the port’s configurable STP parameters. Follow the instructions in the table to make any desired changes.
Table 3-5 Port Spanning Tree Parameters
Parameter Description
STP Mode: The STP administrative mode associated with this port. Options: Off, 802.1D, or Fast. Default: Off
    STP Mode / Description
    Off: Disables STP for this port.
    802.1D: Enables this port to participate in the spanning tree and go through all of the spanning tree states when the link state transitions from down to up.
    Fast: Enables this port to participate in the spanning tree and puts it in the forwarding state when the link state transitions from down to up more quickly than when the STP mode is set to 802.1D.
        Note In this state, the forwarding delay timer is ignored on link up.
STP Port Priority: The location of the port in the network topology and how well the port is located to pass traffic. Range: 0 to 255. Default: 128
STP Port Path Cost Mode: Determines whether the STP port path cost is set automatically or specified by the user. If you choose User Configured, you also need to set a value for the STP Port Path Cost parameter. Range: Auto or User Configured. Default: Auto
STP Port Path Cost: The speed at which traffic is passed through the port. This parameter must be set if the STP Port Path Cost Mode parameter is set to User Configured. Options: 0 to 65535. Default: 0, which causes the cost to be adjusted for the speed of the port when the link comes up.
    Note Typically, a value of 100 is used for 10-Mbps ports and 19 for 100-Mbps ports.
Step 4 Click Save Configuration to save your changes.
Step 5 Click Back to return to the Ports page.
Step 6 Repeat Step 2 through Step 5 for each port for which you want to enable STP.
Step 7 Click Controller > Spanning Tree to access the Controller Spanning Tree Configuration page (see Figure 3-10).
Figure 3-10 Controller Spanning Tree Configuration Page
This page allows you to enable or disable the spanning tree algorithm for the controller, modify its characteristics, and view the STP status. Table 3-6 interprets the current STP status for the controller.
Table 3-6 Controller Spanning Tree Status
Parameter Description
Spanning Tree Specification: The STP version being used by the controller. Currently, only an IEEE 802.1D implementation is available.
Base MAC Address: The MAC address used by this bridge when it must be referred to in a unique fashion. When it is concatenated with dot1dStpPriority, a unique bridge identifier is formed that is used in STP.
Topology Change Count: The total number of topology changes detected by this bridge since the management entity was last reset or initialized.
Time Since Topology Changed: The time (in days, hours, minutes, and seconds) since a topology change was detected by the bridge.
Designated Root: The bridge identifier of the spanning tree root. This value is used as the Root Identifier parameter in all configuration BPDUs originated by this node.
Root Port: The number of the port that offers the lowest cost path from this bridge to the root bridge.
Root Cost: The cost of the path to the root as seen from this bridge.
Table 3-6 Controller Spanning Tree Status (continued)
Parameter Description
Max Age (seconds): The maximum age of STP information learned from the network on any port before it is discarded.
Hello Time (seconds): The amount of time between the transmission of configuration BPDUs by this node on any port when it is the root of the spanning tree or trying to become so. This is the actual value that this bridge is currently using.
Forward Delay (seconds): This value controls how fast a port changes its spanning tree state when moving toward the forwarding state. It determines how long the port stays in each of the listening and learning states that precede the forwarding state. This value is also used, when a topology change has been detected and is underway, to age all dynamic entries in the forwarding database.
    Note This is the actual value that this bridge is currently using, in contrast to Stp Bridge Forward Delay, which is the value that this bridge and all others would start using if this bridge were to become the root.
Hold Time (seconds): The minimum time period to elapse between the transmission of configuration BPDUs through a given LAN port.
    Note At most, one configuration BPDU can be transmitted in any hold time period.
Step 8 Table 3-7 lists and describes the controller’s configurable STP parameters. Follow the instructions in the table to make any desired changes.
Table 3-7 Controller Spanning Tree Parameters
Parameter Description
Spanning Tree Algorithm: Enables or disables STP for the controller. Options: Enable or Disable. Default: Disable
Priority: The location of the controller in the network topology and how well the controller is located to pass traffic. Range: 0 to 65535. Default: 32768
Maximum Age (seconds): The length of time that the controller stores protocol information received on a port. Range: 6 to 40 seconds. Default: 20 seconds
Table 3-7 Controller Spanning Tree Parameters (continued)
Parameter Description
Hello Time (seconds): The length of time that the controller broadcasts hello messages to other controllers. Options: 1 to 10 seconds. Default: 2 seconds
Forward Delay (seconds): The length of time that each of the listening and learning states lasts before the port begins forwarding. Options: 4 to 30 seconds. Default: 15 seconds
Step 9 Click Save Configuration to save your changes.
Using the CLI to Configure Spanning Tree Protocol
Follow these steps to configure STP using the CLI.
Step 1 Enter show spanningtree port and show spanningtree switch to view the current STP status.
Step 2 If STP is enabled, you must disable it before you can change STP settings. Enter config spanningtree switch mode disable to disable STP on all ports.
Step 3 Enter one of these commands to configure the STP port administrative mode:
config spanningtree port mode 802.1d {port-number | all}
config spanningtree port mode fast {port-number | all}
config spanningtree port mode off {port-number | all}
Step 4 Enter one of these commands to configure the STP port path cost on the STP ports:
config spanningtree port pathcost 1-65535 {port-number | all}—Specifies a path cost from 1 to 65535 to the port.
config spanningtree port pathcost auto {port-number | all}—Enables the STP algorithm to automatically assign the path cost. This is the default setting.
Step 5 Enter config spanningtree port priority 0-255 port-number to configure the port priority on STP ports. The default priority is 128.
Step 6 If necessary, enter config spanningtree switch bridgepriority 0-65535 to configure the controller’s STP bridge priority. The default bridge priority is 32768.
Step 7 If necessary, enter config spanningtree switch forwarddelay 4-30 to configure the controller’s STP forward delay in seconds. The default forward delay is 15 seconds.
Step 8 If necessary, enter config spanningtree switch hellotime 1-10 to configure the controller’s STP hello time in seconds. The default hello time is 2 seconds.
Step 9 If necessary, enter config spanningtree switch maxage 6-40 to configure the controller’s STP maximum age. The default maximum age is 20 seconds.
Step 10 After you configure STP settings for the ports, enter config spanningtree switch mode enable to enable STP for the controller. The controller automatically detects logical network loops, places redundant ports on standby, and builds a network with the most efficient pathways.
Step 11 Enter show spanningtree port and show spanningtree switch to verify that your changes have been saved.
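The CLI procedure above, as an added example that is not Cisco's code: a script that checks each STP value against the ranges the steps state and emits the commands in the order the steps require (disable STP, configure ports, configure switch-wide timers, re-enable, verify). The 802.1D timer-relation check is an addition not stated in the procedure, and the port and parameter values in the usage are constructed.

```python
"""Assemble the WLC STP command sequence from the CLI procedure above.

Added example, not Cisco code. Values are checked against the ranges the
procedure states (1-65535 path cost, 0-255 port priority, 0-65535 bridge
priority, 4-30 forward delay, 1-10 hello time, 6-40 max age).
"""
from dataclasses import dataclass
from typing import Dict, List, Union

PORT_MODES = ("802.1d", "fast", "off")

# Switch-wide keywords from Steps 6-9: keyword -> (minimum, maximum, default)
SWITCH_PARAMS = {
    "bridgepriority": (0, 65535, 32768),
    "forwarddelay": (4, 30, 15),
    "hellotime": (1, 10, 2),
    "maxage": (6, 40, 20),
}


@dataclass
class PortConfig:
    mode: str = "802.1d"                 # Step 3: 802.1d, fast or off
    pathcost: Union[int, str] = "auto"   # Step 4: 1-65535 or "auto"
    priority: int = 128                  # Step 5: 0-255, default 128


def _check_range(name: str, value, lo: int, hi: int) -> None:
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer from {lo} to {hi}, got {value!r}")


def timer_issues(hellotime: int, maxage: int, forwarddelay: int) -> List[str]:
    """Added 802.1D consistency check (not part of the procedure): the standard
    requires 2*(forward delay - 1) >= max age and max age >= 2*(hello time + 1).
    Values that are individually in range can still violate these relations."""
    issues = []
    if 2 * (forwarddelay - 1) < maxage:
        issues.append(f"2*(forwarddelay-1)={2 * (forwarddelay - 1)} is less than maxage={maxage}")
    if maxage < 2 * (hellotime + 1):
        issues.append(f"maxage={maxage} is less than 2*(hellotime+1)={2 * (hellotime + 1)}")
    return issues


def stp_commands(ports: Dict[int, PortConfig], **switch: int) -> List[str]:
    """Return the ordered CLI lines. `ports` maps port number -> PortConfig;
    `switch` may hold bridgepriority, forwarddelay, hellotime and maxage."""
    unknown = set(switch) - set(SWITCH_PARAMS)
    if unknown:
        raise ValueError(f"unknown switch parameter(s): {sorted(unknown)}")
    for key, value in switch.items():
        lo, hi, _ = SWITCH_PARAMS[key]
        _check_range(key, value, lo, hi)
    # Effective timers are the given values or the defaults from Steps 7-9.
    eff = {k: switch.get(k, SWITCH_PARAMS[k][2]) for k in ("hellotime", "maxage", "forwarddelay")}
    issues = timer_issues(**eff)
    if issues:
        raise ValueError("802.1D timer relation violated: " + "; ".join(issues))

    cmds = ["show spanningtree port", "show spanningtree switch",       # Step 1
            "config spanningtree switch mode disable"]                  # Step 2
    for port, cfg in sorted(ports.items()):
        if cfg.mode not in PORT_MODES:
            raise ValueError(f"port {port}: mode must be one of {PORT_MODES}")
        cmds.append(f"config spanningtree port mode {cfg.mode} {port}")          # Step 3
        if cfg.pathcost == "auto":
            cmds.append(f"config spanningtree port pathcost auto {port}")        # Step 4
        else:
            _check_range(f"port {port} pathcost", cfg.pathcost, 1, 65535)
            cmds.append(f"config spanningtree port pathcost {cfg.pathcost} {port}")
        _check_range(f"port {port} priority", cfg.priority, 0, 255)
        cmds.append(f"config spanningtree port priority {cfg.priority} {port}")  # Step 5
    for key in SWITCH_PARAMS:                                            # Steps 6-9
        if key in switch:
            cmds.append(f"config spanningtree switch {key} {switch[key]}")
    cmds.append("config spanningtree switch mode enable")                # Step 10
    cmds += ["show spanningtree port", "show spanningtree switch"]       # Step 11
    return cmds


if __name__ == "__main__":
    # Constructed usage: port 1 at defaults, port 2 in fast mode with a fixed path cost.
    plan = stp_commands({1: PortConfig(), 2: PortConfig(mode="fast", pathcost=4, priority=64)},
                        bridgepriority=4096)
    print("\n".join(plan))
```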
Enabling Link Aggregation
Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller’s distribution system ports into a single 802.3ad port channel, thereby reducing the number of IP addresses needed to configure the ports on your controller. When LAG is enabled, the system dynamically manages port redundancy and load balances access points transparently to the user.
Cisco 4400 series controllers support LAG in software release 3.2 and higher, and LAG is enabled automatically on the Cisco WiSM controllers. Without LAG, each distribution system port on the controller supports up to 48 access points. With LAG enabled, a 4402 controller’s logical port supports up to 50 access points, a 4404 controller’s logical port supports up to 100 access points, and the logical port on each Cisco WiSM controller supports up to 150 access points.
Figure 3-11 illustrates LAG.
Figure 3-11 Link Aggregation
LAG simplifies controller configuration because you no longer need to configure primary and secondary ports for each interface. If any of the controller ports fail, traffic is automatically migrated to one of the other ports. As long as at least one controller port is functioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to send and receive data.
When configuring bundled ports, you may want to consider spanning modules with your port channel when you connect to a modular switch such as the Catalyst 6500. This practice provides protection in the case of a module failure. Figure 3-12 illustrates a scenario where a 4402-50 controller is connected to a Catalyst 6500 with gigabit modules in slots 2 and 3. The controller’s port 1 is connected to gigabit interface 3/1, and the controller’s port 2 is connected to gigabit interface 2/1 on the Catalyst 6500. On the Catalyst switch, the two interfaces are assigned to the same channel group.
Figure 3-12 Link Aggregation with Catalyst 6500 Neighbor Switch
Link Aggregation Guidelines
Keep these guidelines in mind when using LAG:
You cannot configure the controller’s ports into separate LAG groups. Only one LAG group is supported per controller. Therefore, you can connect a controller in LAG mode to only one neighbor device.
When LAG is enabled, any change to the LAG configuration requires a controller reboot.
When you enable LAG, you can configure only one AP-manager interface because only one logical port is needed.
When you enable LAG, all dynamic AP-manager interfaces and untagged interfaces are deleted, and all WLANs are disabled and mapped to the management interface.
When you enable LAG, you cannot create interfaces with a primary port other than 29.
When you enable LAG, all ports participate in LAG by default. Therefore, you must configure LAG for all of the connected ports in the neighbor switch.
When you enable LAG, port mirroring is not supported.
Make sure the port-channel on the switch is configured for the IEEE standard Link Aggregation Control Protocol (LACP), not the Cisco proprietary Port Aggregation Protocol (PAgP).
When you disable LAG, you must configure primary and secondary ports for all interfaces.
When you disable LAG, you must assign an AP-manager interface to each port on the controller.
LAG is typically configured using the Startup Wizard, but you can enable or disable it at any time through either the GUI or CLI.
Using the GUI to Enable Link Aggregation
Follow these steps to enable LAG on your controller using the GUI.
Step 1 Click Controller > General to access the General page (see Figure 3-13).
Figure 3-13 General Page
Step 2 Set the LAG Mode on Next Reboot parameter to Enabled.
Note Choose Disabled if you want to disable LAG.
Step 3 Click Save Configuration to save your changes.
Step 4 Reboot the controller.
Using the CLI to Enable Link Aggregation
Follow these steps to enable LAG on your controller using the CLI.
Step 1 Enter config lag enable to enable LAG.
Note Enter config lag disable if you want to disable LAG.
Step 2 Enter show lag to verify that your change has been saved.
Step 3 Reboot the controller.
Configuring Neighbor Devices to Support LAG
The controller’s neighbor devices must also be properly configured to support LAG.
Each neighbor port to which the controller is connected should be configured as follows:
interface GigabitEthernet <interface id>
 switchport
 channel-group <id> mode on
 no shutdown
The port channel on the neighbor switch should be configured as follows:
interface port-channel <id>
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan <native vlan id>
 switchport trunk allowed vlan <allowed vlans>
 switchport mode trunk
 no shutdown
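The neighbor-switch template above, as an added audit script that is not Cisco's code: it parses an IOS-style running-config (a constructed sample, with one port deliberately left in a PAgP mode) and reports each template line that is missing on the member ports or the port-channel, any PAgP channel-group mode, and members split across channel groups. The interface names, channel-group number 5 and the VLAN list are assumptions.

```python
"""Audit a neighbor switch running-config against the LAG template above.

Added example, not Cisco code. Parses the interface blocks of an IOS-style
running-config and reports each template line missing on the member ports
or the port-channel, a PAgP channel-group mode (desirable/auto) instead of
the template's 'mode on', and members split across channel groups.
"""
import re
from typing import Dict, List

# Constructed sample (not from the page), loosely following Figure 3-12:
# Gi2/1 and Gi3/1 face the controller; Gi3/1 is deliberately misconfigured.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/1
 switchport
 channel-group 5 mode on
!
interface GigabitEthernet3/1
 switchport
 channel-group 5 mode desirable
!
interface Port-channel5
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 250
 switchport trunk allowed vlan 250,992-994
 switchport mode trunk
!
"""

CHANNEL_GROUP_RE = re.compile(r"^channel-group\s+(\d+)\s+mode\s+(\S+)$")
PAGP_MODES = {"desirable", "auto"}
PC_REQUIRED = ("switchport", "switchport trunk encapsulation dot1q", "switchport mode trunk")
PC_PREFIXES = ("switchport trunk native vlan ", "switchport trunk allowed vlan ")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name (lower-cased) to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip().lower()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or another top-level line ends the block
    return blocks


def audit_lag(config: str, members: List[str]) -> List[str]:
    """Return findings; an empty list means the config matches the template.
    A running-config omits 'no shutdown', so an explicit 'shutdown' is the failure."""
    blocks = parse_interfaces(config)
    findings: List[str] = []
    groups = set()
    for name in members:
        cmds = blocks.get(name.lower())
        if cmds is None:
            findings.append(f"{name}: interface not found")
            continue
        if "switchport" not in cmds:
            findings.append(f"{name}: missing 'switchport'")
        if "shutdown" in cmds:
            findings.append(f"{name}: port is shut down")
        matches = [m for m in map(CHANNEL_GROUP_RE.match, cmds) if m]
        if not matches:
            findings.append(f"{name}: missing 'channel-group <id> mode on'")
            continue
        group, mode = matches[0].groups()
        groups.add(group)
        if mode in PAGP_MODES:
            findings.append(f"{name}: channel-group mode '{mode}' is PAgP; template uses 'mode on'")
        elif mode != "on":
            findings.append(f"{name}: channel-group mode '{mode}' differs from template 'mode on'")
    if len(groups) > 1:
        findings.append(f"members span channel groups {sorted(groups)}; only one LAG group is supported")
    for group in sorted(groups):
        pc_name = f"port-channel{group}"
        pc = blocks.get(pc_name)
        if pc is None:
            findings.append(f"{pc_name}: interface not found")
            continue
        findings += [f"{pc_name}: missing '{req}'" for req in PC_REQUIRED if req not in pc]
        findings += [f"{pc_name}: missing '{p.strip()} <...>'" for p in PC_PREFIXES
                     if not any(c.startswith(p) for c in pc)]
        if "shutdown" in pc:
            findings.append(f"{pc_name}: port-channel is shut down")
    return findings


if __name__ == "__main__":
    for finding in audit_lag(SAMPLE_CONFIG, ["GigabitEthernet2/1", "GigabitEthernet3/1"]):
        print(finding)
```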
Configuring a 4400 Series Controller to Support More Than 48 Access Points
As noted earlier, 4400 series controllers can support up to 48 access points per port. However, you can configure your 4400 series controller to support more access points using one of the following methods:
Link aggregation (for controllers in Layer 3 mode), page 3-31
Multiple AP-manager interfaces (for controllers in Layer 3 mode), page 3-31
Connecting additional ports (for controllers in Layer 2 mode), page 3-36
Follow the instructions on the page indicated for the method you want to use.
The following factors should help you decide which method to use if your controller is set for Layer 3 operation:
With link aggregation, all of the controller ports need to connect to the same neighbor switch. If the neighbor switch goes down, the controller loses connectivity.
With multiple AP-manager interfaces, you can connect your ports to different neighbor devices. If one of the neighbor switches goes down, the controller still has connectivity. However, using multiple AP-manager interfaces presents certain challenges (as discussed in the “Using Multiple AP-Manager Interfaces” section below) when port redundancy is a concern.
Using Link Aggregation
See the “Enabling Link Aggregation” section on page 3-27 for more information and instructions on enabling link aggregation.
Note Link aggregation is the only method that can be used for the Cisco WiSM controllers.
Using Multiple AP-Manager Interfaces
Note This method can be used only with Cisco 4400 series stand-alone controllers.
When you create two or more AP-manager interfaces, each one is mapped to a different port (see Figure 3-14). The ports should be configured in sequential order such that AP-manager interface 2 is on port 2, AP-manager interface 3 is on port 3, and AP-manager interface 4 is on port 4. In addition, all AP-manager interfaces must be on the same VLAN or IP subnet, and they may or may not be on the same VLAN or IP subnet as the management interface.
Note You must assign an AP-manager interface to each port on the controller.
Before an access point joins a controller, it sends out a discovery request. From the discovery response that it receives, the access point can tell the number of AP-manager interfaces on the controller and the number of access points on each AP-manager interface. The access point generally joins the AP-manager with the least number of access points. In this way, the access point load is dynamically distributed across the multiple AP-manager interfaces.
Note Access points may not be distributed completely evenly across all of the AP-manager interfaces, but a certain level of load balancing occurs.
Figure 3-14 Two AP-Manager Interfaces
Note Cisco recommends that you configure all AP-manager interfaces on the same VLAN and IP subnet.
Before implementing multiple AP-manager interfaces, you should consider how they would impact your controller’s port redundancy.
Examples:
1. The 4402-50 controller supports a maximum of 50 access points and has two ports. To support the maximum number of access points, you would need to create two AP-manager interfaces. A problem arises, however, if you want to support port redundancy. As shown in Figure 3-14, the static AP-manager interface has port 1 assigned as the primary port and port 2 as the secondary, or backup, port. The second AP-manager interface has port 2 assigned as the primary and port 1 as the secondary. If either port fails, the controller would be left trying to support 50 access points on a port that supports only 48. As a result, two access points would be unable to communicate with the controller and would be forced to look for an alternate controller.
2. The 4404-100 controller supports up to 100 access points and has four ports. To support the maximum number of access points, you would need to create three (or more) AP-manager interfaces. Figure 3-15 illustrates three AP-manager interfaces, each with a unique primary port and sharing the same secondary port. If the primary port of one of the AP-manager interfaces fails, the controller clears the access points’ state, and the access points must reboot to reestablish communication with the controller using the normal controller join process. The controller no longer includes the failed AP-manager interface in the LWAPP discovery responses. The access points then rejoin the controller and are load balanced among the available AP-manager interfaces.
Figure 3-15 Three AP-Manager Interfaces
Figure 3-16 illustrates the use of four AP-manager interfaces to support 100 access points. Each has a unique primary port, but each port is also a secondary port for one of the AP-manager interfaces.
Figure 3-16 Four AP-Manager Interfaces
This configuration has the advantage of load-balancing all 100 access points evenly across all four AP-manager interfaces. If one of the AP-manager interfaces fails, all of the access points connected to the controller would be evenly distributed among the three available AP-manager interfaces. For example, if AP-manager interface 2 fails, the remaining AP-manager interfaces (1, 3, and 4) would each manage approximately 33 access points.
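The port-redundancy arithmetic of the examples above, worked through in code as an added example that is not Cisco's: each AP-manager interface is tied to a primary port carrying at most 48 access points, a failed port drops its AP-manager interface from the discovery responses, and the access points re-balance evenly across the interfaces that remain. It also generalizes to a design check reporting how many access points a given set of AP-manager interfaces can keep served through any single port failure; the secondary port is not modelled because the text describes the failed interface as dropped rather than moved.

```python
"""Port-redundancy arithmetic for multiple AP-manager interfaces.

Added example, not Cisco code. Models what the text describes: one AP-manager
interface per primary port, 48 access points per port, and even re-balancing
across the interfaces whose primary port is still up after a failure.
"""
from typing import Dict, Iterable, List, Tuple

PORT_CAPACITY = 48   # access points per port, as stated earlier in this chapter


def redistribute(total_aps: int, primary_ports: List[int],
                 failed_ports: Iterable[int] = ()) -> Tuple[Dict[int, int], int]:
    """Return (load per surviving port, access points left without a port).

    `primary_ports` lists the primary port of each AP-manager interface."""
    failed = set(failed_ports)
    survivors = [p for p in primary_ports if p not in failed]
    if len(set(survivors)) != len(survivors):
        raise ValueError("each AP-manager interface needs its own primary port")
    if not survivors:
        return {}, total_aps
    # Even split; the remainder lands one per interface ("approximately 33" in the text).
    base, extra = divmod(total_aps, len(survivors))
    loads = {port: base + (1 if i < extra else 0) for i, port in enumerate(survivors)}
    stranded = sum(max(0, load - PORT_CAPACITY) for load in loads.values())
    return loads, stranded


def guaranteed_capacity(primary_ports: List[int]) -> int:
    """Largest access-point count that every single-port failure still leaves fully served."""
    if not primary_ports:
        return 0
    worst = min(len(redistribute(0, primary_ports, [p])[0]) for p in primary_ports)
    return worst * PORT_CAPACITY


if __name__ == "__main__":
    # Example 1 above: 4402-50, two AP-manager interfaces, port 1 fails.
    print(redistribute(50, [1, 2], failed_ports=[1]))
    # Figure 3-16 case: 4404-100, four AP-manager interfaces, port 2 fails.
    print(redistribute(100, [1, 2, 3, 4], failed_ports=[2]))
    for design in ([1, 2], [1, 2, 3], [1, 2, 3, 4]):
        print(design, "stays fully served through one port failure up to",
              guaranteed_capacity(design), "access points")
```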
Follow these steps to create multiple AP-manager interfaces.
Step 1 Click Controller > Interfaces to access the Interfaces page.
Step 2 Click New. The Interfaces > New page appears (see Figure 3-17).
Figure 3-17 Interfaces > New Page
Step 3 Enter an AP-manager interface name and a VLAN identifier, as shown above.
Step 4 Click Apply to commit your changes. The Interfaces > Edit page appears (see Figure 3-18).
Figure 3-18 Interfaces > Edit Page
Step 5 Enter the appropriate interface parameters.
Step 6 To make the interface an AP-manager interface, check the Enable Dynamic AP Management check box.
Step 7 Click Save Configuration to save your settings.
Step 8 Repeat this procedure for each additional AP-manager interface that you want to create.
Connecting Additional Ports
To support more than 48 access points with a 4400 series controller in Layer 2 mode, you must connect more controller ports to individual broadcast domains that are completely separated. Table 3-8 provides an example in which each controller port is connected to an individual switch.
Table 3-8 Example Port Configuration on a 4404 Controller in Layer 2 Mode
Controller port  Switch port mode  VLAN
port 1           dot1q             VLAN 250
port 2           access            VLAN 992
port 3           access            VLAN 993
port 4           access            VLAN 994
(Distribution Switch 1 and Distribution Switch 2 are connected by a trunk.)
VLANs 992, 993, and 994 (used here as VLAN examples) are access VLANs, and you can assign them any VLAN IDs that you choose. An IP address is not allocated to these VLANs, and these ports are access ports only. To connect additional access points, assign the access port connecting the access point to VLAN 992, 993, or 994. The access point then joins the controller using that isolated VLAN with Layer 2 LWAPP. All Layer 2 LWAPP traffic received on ports 2, 3, and 4 egresses the management port (configured as port 1) on VLAN 250 with a dot1q tag of 250.
With a Layer 2 LWAPP configuration, you should distribute access points across VLANs 250, 992, 993, and 994 manually. Ideally, you should distribute 25 access points per port to balance a total of 100 access points. If you have less than 100 access points, divide the number of access points by 4 and distribute that number. For example, 48 total access points divided by 4 equals 12 access points per 4404 port. You could connect 48 access points to port 1, 48 to port 2, and only 2 to port 3, but this unbalanced distribution does not provide the best throughput performance for wireless clients and is not recommended.
It does not matter where you connect ports 2, 3, and 4 as long as they can communicate with the access points configured for their isolated VLANs. If VLAN 250 is a widely used infrastructure VLAN within your network and you notice network congestion, redistribute all of the access points connected to VLAN 250 to ports 2, 3, and 4. Port 1 still remains connected to VLAN 250 as the management network interface but transports data only from wireless clients proxied by the controller.
CHAPTER 4 Configuring Controller Settings
This chapter describes how to configure settings on the controllers. This chapter contains these sections:
Using the Configuration Wizard, page 4-2
Managing the System Time and Date, page 4-5
Configuring a Country Code, page 4-5
Enabling and Disabling 802.11 Bands, page 4-6
Configuring Administrator Usernames and Passwords, page 4-7
Configuring RADIUS Settings, page 4-7
Configuring SNMP Settings, page 4-7
Enabling 802.3x Flow Control, page 4-8
Enabling System Logging, page 4-8
Enabling Dynamic Transmit Power Control, page 4-8
Configuring Multicast Mode, page 4-9
Configuring the Supervisor 720 to Support the WiSM, page 4-10
Using the Wireless LAN Controller Network Module, page 4-12
Using the Configuration Wizard
This section describes how to configure basic settings on a controller for the first time or after the configuration has been reset to factory defaults. The contents of this chapter are similar to the instructions in the quick start guide that shipped with your controller.
You use the configuration wizard to configure basic settings. You can run the wizard on the CLI or the GUI. This section explains how to run the wizard on the CLI.
This section contains these sections:
Before You Start, page 4-2
Resetting the Device to Default Settings, page 4-3
Running the Configuration Wizard on the CLI, page 4-4
Before You Start
You should collect these basic configuration parameters before configuring the controller:
System name for the controller
802.11 protocols supported: 802.11a and/or 802.11b/g
Administrator usernames and passwords (optional)
Distribution System (network) port static IP Address, netmask, and optional default gateway IP Address
Service port static IP Address and netmask (optional)
Distribution System physical port (1000BASE-T, 1000BASE-SX, or 10/100BASE-T)
Note Each 1000BASE-SX connector provides a 100/1000 Mbps wired connection to a network through an 850 nm (SX) fiber-optic link using an LC physical connector.
Distribution System port VLAN assignment (optional)
Distribution System port Web and Secure Web mode settings: enabled or disabled
Distribution System port Spanning Tree Protocol: enabled/disabled, 802.1D/fast/off mode per port, path cost per port, priority per port, bridge priority, forward delay, hello time, maximum age
WLAN Configuration: SSID, VLAN assignments, Layer 2 Security settings, Layer 3 Security settings, QoS assignments
Mobility Settings: Mobility Group Name (optional)
RADIUS Settings
SNMP Settings
NTP server settings (the wizard prompts you for NTP server settings only when you run the wizard on a wireless controller network module installed in a Cisco Integrated Services router)
Other port and parameter settings: service port, Radio Resource Management (RRM), third-party access points, console port, 802.3x flow control, and system logging
Resetting the Device to Default Settings
If you need to start over during the initial setup process, you can reset the controller to factory default settings.
Note After resetting the configuration to defaults, you need a serial connection to the controller to use the configuration wizard.
Resetting to Default Settings Using the CLI
Follow these steps to reset the configuration to factory default settings using the CLI:
Step 1 Enter reset system. At the prompt that asks whether you need to save changes to the configuration, enter Y or N. The unit reboots.
Step 2 When you are prompted for a username, enter recover-config to restore the factory default configuration. The Cisco Wireless LAN Controller reboots and displays this message:
Welcome to the Cisco WLAN Solution Wizard Configuration Tool
Step 3 Use the configuration wizard to enter configuration settings.
Resetting to Default Settings Using the GUI
Follow these steps to return to default settings using the GUI:
Step 1 Open your Internet browser. The GUI is fully compatible with Microsoft Internet Explorer version 6.0 or later on Windows platforms.
Step 2 Enter the controller IP address in the browser address line and press Enter. An Enter Network Password window appears.
Step 3 Enter your username in the User Name field. The default username is admin.
Step 4 Enter the wireless device password in the Password field and press Enter. The default password is admin.
Step 5 Browse to the Commands/Reset to Factory Defaults page.
Step 6 Click Reset. At the prompt, confirm the reset.
Step 7 Reboot the unit and do not save changes.
Step 8 Use the configuration wizard to enter configuration settings.
Running the Configuration Wizard on the CLI
When the controller boots at factory defaults, the bootup script runs the configuration wizard, which prompts the installer for initial configuration settings. Follow these steps to enter settings using the wizard on the CLI:
Step 1 Connect your computer to the controller using a DB-9 null-modem serial cable.
Step 2 Open a terminal emulator session using these settings:
9600 baud
8 data bits
1 stop bit
no parity
no hardware flow control
Step 3 At the prompt, log into the CLI. The default username is admin and the default password is admin.
Step 4 If necessary, enter reset system to reboot the unit and start the wizard.
Step 5 The first wizard prompt is for the system name. Enter up to 32 printable ASCII characters.
Step 6 Enter an administrator username and password, each up to 24 printable ASCII characters.
Step 7 Enter the service-port interface IP configuration protocol: none or DHCP. If you do not want to use the service port or if you want to assign a static IP Address to the service port, enter none.
Step 8 If you entered none in step 7 and need to enter a static IP address for the service port, enter the service-port interface IP address and netmask for the next two prompts. If you do not want to use the service port, enter 0.0.0.0 for the IP address and netmask.
Step 9 Enter the management interface IP Address, netmask, default router IP address, and optional VLAN identifier (a valid VLAN identifier, or 0 for untagged).
Step 10 Enter the Network Interface (Distribution System) Physical Port number. For the controller, the possible ports are 1 through 4 for a front panel GigE port.
Step 11 Enter the IP address of the default DHCP Server that will supply IP Addresses to clients, the management interface, and the service port interface if you use one.
Step 12 Enter the LWAPP Transport Mode, LAYER2 or LAYER3 (refer to the Layer 2 and Layer 3 LWAPP Operation chapter for an explanation of this setting).
Step 13 Enter the Virtual Gateway IP Address. This address can be any fictitious, unassigned IP address (such as 1.1.1.1) to be used by Layer 3 Security and Mobility managers.
Step 14 Enter the Cisco WLAN Solution Mobility Group (RF group) name.
Step 15 Enter the WLAN 1 SSID, or network name. This is the default SSID that lightweight access points use to associate to a controller.
Step 16 Allow or disallow Static IP Addresses for clients. Enter yes to allow clients to supply their own IP addresses. Enter no to require clients to request an IP Address from a DHCP server.
Step 17 If you need to configure a RADIUS Server, enter yes, and enter the RADIUS server IP address, the communication port, and the shared secret. If you do not need to configure a RADIUS server or you want to configure the server later, enter no.
Step 18 Enter a country code for the unit. Enter help to list the supported countries.
Note When you run the wizard on a wireless controller network module installed in a Cisco Integrated Services Router, the wizard prompts you for NTP server settings. The controller network module does not have a battery and cannot save a time setting. It must receive a time setting from an NTP server when it powers up.
Step 19 Enable and disable support for 802.11b, 802.11a, and 802.11g.
Step 20 Enable or disable radio resource management (RRM) (auto RF).
When you answer the last prompt, the controller saves the configuration, reboots with your changes, and prompts you to log in or to enter recover-config to reset to the factory default configuration and return to the wizard.
Managing the System Time and Date
You can configure the controller to obtain the time and date from an NTP server or you can configure the time and date manually.
Configuring Time and Date Manually
On the CLI, enter show time to check the system time and date. If necessary, enter config time mm/dd/yy hh:mm:ss to set the time and date.
To enable Daylight Saving Time, enter config time timezone enable.
Configuring NTP
On the CLI, enter config time ntp server-ip-address to specify the NTP server for the controller. Enter config time ntp interval to specify, in seconds, the polling interval.
Configuring a Country Code
Controllers are designed for use in many countries with varying regulatory requirements. You can configure a country code for the controller to ensure that it complies with your country’s regulations.
On the CLI, enter config country code to configure the country code. Enter show country to check the configuration.
Note The controller must be installed by a network administrator or qualified IT professional and the proper country code must be selected. Following installation, access to the unit should be password protected by the installer to maintain compliance with regulatory requirements and to ensure proper unit functionality.
Table 4-1 lists commonly used country codes and the 802.11 bands that they allow. For a complete list of country codes supported per product, refer to www.ciscofax.com or http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html.
Table 4-1 Commonly Used Country Codes
Country Code  Country                   802.11 Bands Allowed
US            United States of America  802.11b, 802.11g, and 802.11a low, medium, and high bands
USL           US Low                    802.11b, 802.11g, and 802.11a low and medium bands (used for legacy 802.11a interface cards that do not support 802.11a high band)
AU            Australia                 802.11b, 802.11g, and 802.11a
AT            Austria                   802.11b, 802.11g, and 802.11a
BE            Belgium                   802.11b, 802.11g, and 802.11a
CA            Canada                    802.11b and 802.11g
DK            Denmark                   802.11b, 802.11g, and 802.11a
FI            Finland                   802.11b, 802.11g, and 802.11a
FR            France                    802.11b, 802.11g, and 802.11a
DE            Germany                   802.11b, 802.11g, and 802.11a
GR            Greece                    802.11b and 802.11g
IE            Ireland                   802.11b, 802.11g, and 802.11a
IN            India                     802.11b and 802.11a
IT            Italy                     802.11b, 802.11g, and 802.11a
JP            Japan                     802.11b, 802.11g, and 802.11a
KR            Republic of Korea         802.11b, 802.11g, and 802.11a
LU            Luxembourg                802.11b, 802.11g, and 802.11a
NL            Netherlands               802.11b, 802.11g, and 802.11a
PT            Portugal                  802.11b, 802.11g, and 802.11a
ES            Spain                     802.11b, 802.11g, and 802.11a
SE            Sweden                    802.11b, 802.11g, and 802.11a
GB            United Kingdom            802.11b, 802.11g, and 802.11a
Enabling and Disabling 802.11 Bands
You can enable or disable the 802.11b/g (2.4-GHz) and the 802.11a (5-GHz) bands for the controller to comply with the regulatory requirements in your country. By default, both 802.11b/g and 802.11a are enabled.
On the CLI, enter config 80211b disable network to disable 802.11b/g operation on the controller. Enter config 80211b enable network to re-enable 802.11b/g operation.
Enter config 80211a disable network to disable 802.11a operation on the controller. Enter config 80211a enable network to re-enable 802.11a operation.
Configuring Administrator Usernames and Passwords
You can configure administrator usernames and passwords to prevent unauthorized users from reconfiguring the controller and viewing configuration information.
On the CLI, enter config mgmtuser add username password read-write to create a username-password pair with read-write privileges. Enter config mgmtuser add username password read-only to create a username-password pair with read-only privileges. Usernames and passwords are case-sensitive and can contain up to 24 ASCII characters. Usernames and passwords cannot contain spaces.
To change the password for an existing username, enter config mgmtuser password username new_password. To list configured users, enter show mgmtuser.
Configuring RADIUS Settings
If you need to use a RADIUS server for accounting or authentication, follow these steps on the CLI to configure RADIUS settings for the controller:
Step 1 Enter config radius acct ip-address to configure a RADIUS server for accounting.
Step 2 Enter config radius acct port to specify the UDP port for accounting.
Step 3 Enter config radius acct secret to configure the shared secret.
Step 4 Enter config radius acct enable to enable accounting. Enter config radius acct disable to disable accounting. Accounting is disabled by default.
Step 5 Enter config radius auth ip-address to configure a RADIUS server for authentication.
Step 6 Enter config radius auth port to specify the UDP port for authentication.
Step 7 Enter config radius auth secret to configure the shared secret.
Step 8 Enter config radius auth enable to enable authentication. Enter config radius auth disable to disable authentication. Authentication is disabled by default.
Step 9 Use the show radius acct statistics, show radius auth statistics, and show radius summary commands to verify that the RADIUS settings are correctly configured.
Configuring SNMP Settings
Cisco recommends that you use the GUI to configure SNMP settings on the controller. To use the CLI, follow these steps:
Step 1 Enter config snmp community create name to create an SNMP community name.
Step 2 Enter config snmp community delete name to delete an SNMP community name.
Step 3 Enter config snmp community accessmode ro name to configure an SNMP community name with read-only privileges. Enter config snmp community accessmode rw name to configure an SNMP community name with read-write privileges.
Step 4 Enter config snmp community ipaddr ip-address ip-mask name to configure an IP address and subnet mask for an SNMP community.
Step 5 Enter config snmp community mode enable to enable a community name. Enter config snmp community mode disable to disable a community name.
Step 6 Enter config snmp trapreceiver create name ip-address to configure a destination for a trap.
Step 7 Enter config snmp trapreceiver delete name to delete a trap.
Step 8 Enter config snmp trapreceiver ipaddr old-ip-address name new-ip-address to change the destination for a trap.
Step 9 Enter config snmp trapreceiver mode enable to enable traps. Enter config snmp trapreceiver mode disable to disable traps.
Step 10 Enter config snmp syscontact syscontact-name to configure the name of the SNMP contact. Enter up to 31 alphanumeric characters for the contact name.
Step 11 Enter config snmp syslocation syslocation-name to configure the SNMP system location. Enter up to 31 alphanumeric characters for the location.
Step 12 Use the show snmpcommunity and show snmptrap commands to verify that the SNMP traps and communities are correctly configured.
Step 13 Use the show trapflags command to see the enabled and disabled trapflags. If necessary, use the config trapflags commands to enable or disable trapflags.
Enabling 802.3x Flow Control
802.3x Flow Control is disabled by default. To enable it, enter config switchconfig flowcontrol enable.
Enabling System Logging
System logging is disabled by default. Enter show syslog to view the current syslog status. Enter config syslog to send a controller log to a remote IP Address or hostname.
Enabling Dynamic Transmit Power Control
When you enable Dynamic Transmit Power Control (DTPC), access points add channel and transmit power information to beacons. (On access points that run Cisco IOS software, this feature is called world mode.) Client devices using DTPC receive the information and adjust their settings automatically. For example, a client device used primarily in Japan could rely on DTPC to adjust its channel and power settings automatically when it travels to Italy and joins a network there. DTPC is enabled by default.
Enter this command to disable or enable DTPC: config {802.11a | 802.11bg} dtpc {enable | disable}