Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-8335-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn,
and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco
Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel,
EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard,
LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect,
RateMUX, ScriptShare, SlideCast, SMARTnet, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or
its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0601R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Per-Wireless LAN Assignment1-10
Per-Interface Assignment1-10
Security Considerations1-10
Cisco WLAN Solution Wired Connections1-11
Cisco WLAN Solution Wireless LANs1-11
Access Control Lists1-12
Identity Networking1-12
Enhanced Integration with Cisco Secure ACS1-13
File Transfers1-13
Power over Ethernet1-14
Pico Cell Functionality1-14
Intrusion Detection Service (IDS)1-15
Wireless LAN Controller Platforms1-15
Cisco 2000 Series Wireless LAN Controllers1-16
Cisco 4100 Series Wireless LAN Controllers1-16
Cisco 4400 Series Wireless LAN Controllers1-17
Cisco 2000 Series Wireless LAN Controller Model Numbers1-17
Cisco 4100 Series Wireless LAN Controller Model Numbers1-18
Cisco 4400 Series Wireless LAN Controller Model Numbers1-18
Startup Wizard1-19
Cisco Wireless LAN Controller Memory1-20
Cisco Wireless LAN Controller Failover Protection1-20
Cisco Wireless LAN Controller Automatic Time Setting1-21
Cisco Wireless LAN Controller Time Zones1-21
Network Connections to Cisco Wireless LAN Controllers1-21
Cisco 2000 Series Wireless LAN Controllers1-22
Cisco 4100 Series Wireless LAN Controllers1-22
Cisco 4400 Series Wireless LAN Controllers1-23
VPN and Enhanced Security Modules for 4100 Series Controllers1-24
iv
Rogue Access Points1-24
Rogue Access Point Location, Tagging, and Containment1-25
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Web User Interface and the CLI1-25
Web User Interface1-25
Command Line Interface1-26
Contents
CHAPTER
CHAPTER
2Using the Web-Browser and CLI Interfaces2-1
Using the Web-Browser Interface2-2
Guidelines for Using the GUI2-2
Opening the GUI2-2
Enabling Web and Secure Web Modes2-2
Configuring the GUI for HTTPS2-2
Loading an Externally Generated HTTPS Certificate2-3
Disabling the GUI2-5
Using Online Help2-5
Using the CLI2-5
Logging into the CLI2-5
Using a Local Serial Connection2-6
Using a Remote Ethernet Connection2-6
Logging Out of the CLI2-7
Navigating the CLI2-7
Enabling Wireless Connections to the Web-Browser and CLI Interfaces2-8
3Configuring Ports and Interfaces3-1
OL-8335-02
Overview of Ports and Interfaces3-2
Ports3-2
Distribution System Ports3-3
Service Port3-4
Interfaces3-5
Management Interface3-5
AP-Manager Interface3-6
Virtual Interface3-6
Service-Port Interface3-7
Dynamic Interface3-7
WLANs3-8
Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces3-9
Using the GUI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces3-9
Using the CLI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces3-12
Using the CLI to Configure the Management Interface3-12
Using the CLI to Configure the AP-Manager Interface3-12
Cisco Wireless LAN Controller Configuration Guide
v
Contents
Using the CLI to Configure the Virtual Interface3-13
Using the CLI to Configure the Service-Port Interface3-14
Configuring Dynamic Interfaces3-14
Using the GUI to Configure Dynamic Interfaces3-14
Using the CLI to Configure Dynamic Interfaces3-16
Configuring Ports3-17
Configuring Port Mirroring3-20
Configuring Spanning Tree Protocol3-21
Using the GUI to Configure Spanning Tree Protocol3-22
Using the CLI to Configure Spanning Tree Protocol3-26
Enabling Link Aggregation3-27
Link Aggregation Guidelines3-28
Using the GUI to Enable Link Aggregation3-29
Using the CLI to Enable Link Aggregation3-30
Configuring Neighbor Devices to Support LAG3-30
CHAPTER
Configuring a 4400 Series Controller to Support More Than 48 Access Points3-30
Using Link Aggregation3-31
Using Multiple AP-Manager Interfaces3-31
Connecting Additional Ports3-36
4Configuring Controller Settings4-1
Using the Configuration Wizard4-2
Before You Start4-2
Resetting the Device to Default Settings4-3
Resetting to Default Settings Using the CLI4-3
Resetting to Default Settings Using the GUI4-3
Running the Configuration Wizard on the CLI4-4
Managing the System Time and Date4-5
Configuring Time and Date Manually4-5
Configuring NTP4-5
Configuring a Country Code4-5
Enabling and Disabling 802.11 Bands4-6
Configuring Administrator Usernames and Passwords4-7
vi
Configuring RADIUS Settings4-7
Configuring SNMP Settings4-7
Enabling 802.3x Flow Control4-8
Enabling System Logging4-8
Enabling Dynamic Transmit Power Control4-8
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Configuring Multicast Mode4-9
Understanding Multicast Mode4-9
Guidelines for Using Multicast Mode4-9
Enabling Multicast Mode4-10
Configuring the Supervisor 720 to Support the WiSM4-10
General WiSM Guidelines4-10
Configuring the Supervisor4-11
Using the Wireless LAN Controller Network Module4-12
Displaying, Creating, Disabling, and Deleting Wireless LANs6-2
Activating Wireless LANs6-3
Assigning a Wireless LAN to a DHCP Server6-3
Configuring MAC Filtering for Wireless LANs6-3
Enabling MAC Filtering6-3
Creating a Local MAC Filter6-3
Configuring a Timeout for Disabled Clients6-4
Assigning Wireless LANs to VLANs6-4
Configuring Layer 2 Security6-4
Dynamic 802.1X Keys and Authorization6-4
WEP Keys6-5
Dynamic WPA Keys and Encryption6-5
Configuring a Wireless LAN for Both Static and Dynamic WEP6-6
Configuring Layer 3 Security6-6
IPSec6-6
IPSec Authentication6-6
IPSec Encryption6-6
IKE Authentication6-7
IKE Diffie-Hellman Group6-7
IKE Phase 1 Aggressive and Main Modes6-7
IKE Lifetime Timeout6-7
IPSec Passthrough6-8
Web-Based Authentication6-8
Local Netuser6-8
Configuring Quality of Service6-8
Configuring QoS Enhanced BSS (QBSS)6-9
viii
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Contents
CHAPTER
7Controlling Lightweight Access Points7-1
Lightweight Access Point Overview7-2
Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points7-2
Cisco 1030 Remote Edge Lightweight Access Points7-3
Cisco 1000 Series Lightweight Access Point Part Numbers7-4
Cisco 1000 Series Lightweight Access Point External and Internal Antennas7-4
External Antenna Connectors7-5
Antenna Sectorization7-5
Cisco 1000 Series Lightweight Access Point LEDs7-5
Cisco 1000 Series Lightweight Access Point Connectors7-6
Cisco 1000 Series Lightweight Access Point Power Requirements7-6
Cisco 1000 Series Lightweight Access Point External Power Supply7-7
Cisco 1000 Series Lightweight Access Point Mounting Options7-7
Cisco 1000 Series Lightweight Access Point Physical Security7-7
Cisco 1000 Series Lightweight Access Point Monitor Mode7-7
Using the DNS for Controller Discovery7-7
Dynamic Frequency Selection7-8
Autonomous Access Points Converted to Lightweight Mode7-9
Guidelines for Using Access Points Converted to Lightweight Mode7-9
Reverting from Lightweight Mode to Autonomous Mode7-9
Using a Controller to Return to a Previous Release7-10
Using the MODE Button and a TFTP Server to Return to a Previous Release7-10
Controllers Accept SSCs from Access Points Converted to Lightweight Mode7-11
Using DHCP Option 437-11
Using a Controller to Send Debug Commands to Access Points Converted to Lightweight Mode7-11
Converted Access Points Send Crash Information to Controller7-12
Converted Access Points Send Radio Core Dumps to Controller7-12
Enabling Memory Core Dumps from Converted Access Points7-12
Display of MAC Addresses for Converted Access Points7-12
Disabling the Reset Button on Access Points Converted to Lightweight Mode7-13
Configuring a Static IP Address on an Access Point Converted to Lightweight Mode7-13
CHAPTER
OL-8335-02
8Managing Controller Software and Configurations8-1
Transferring Files to and from a Controller8-2
Upgrading Controller Software8-2
Saving Configurations8-4
Clearing the Controller Configuration8-4
Cisco Wireless LAN Controller Configuration Guide
ix
Contents
Erasing the Controller Configuration8-4
Resetting the Controller8-5
CHAPTER
9Configuring Radio Resource Management9-1
Overview of Radio Resource Management9-2
Radio Resource Monitoring9-2
Dynamic Channel Assignment9-3
Dynamic Transmit Power Control9-4
Coverage Hole Detection and Correction9-4
Client and Network Load Balancing9-4
RRM Benefits9-5
Overview of RF Groups9-5
RF Group Leader9-5
RF Group Name9-6
Configuring an RF Group9-6
Using the GUI to Configure an RF Group9-7
Using the CLI to Configure RF Groups9-8
Viewing RF Group Status9-8
Using the GUI to View RF Group Status9-8
Using the CLI to View RF Group Status9-11
Enabling Rogue Access Point Detection9-12
Using the GUI to Enable Rogue Access Point Detection9-12
Using the CLI to Enable Rogue Access Point Detection9-15
Configuring Dynamic RRM9-15
Using the GUI to Configure Dynamic RRM9-16
Using the CLI to Configure Dynamic RRM9-22
Overriding Dynamic RRM9-23
Statically Assigning Channel and Transmit Power Settings to Access Point Radios9-24
Using the GUI to Statically Assign Channel and Transmit Power Settings9-24
Using the CLI to Statically Assign Channel and Transmit Power Settings9-26
Disabling Dynamic Channel and Power Assignment Globally for a Controller9-27
Using the GUI to Disable Dynamic Channel and Power Assignment9-27
Using the CLI to Disable Dynamic Channel and Power Assignment9-27
Viewing Additional RRM Settings Using the CLI9-28
Cisco Wireless LAN Controller Configuration Guide
x
OL-8335-02
Contents
CHAPTER
APPENDIX
10Configuring Mobility Groups10-1
Overview of Mobility10-2
Overview of Mobility Groups10-5
Determining When to Include Controllers in a Mobility Group10-7
Configuring Mobility Groups10-7
Prerequisites10-7
Using the GUI to Configure Mobility Groups10-8
Using the CLI to Configure Mobility Groups10-11
Configuring Auto-Anchor Mobility10-11
Guidelines for Using Auto-Anchor Mobility10-12
Using the GUI to Configure Auto-Anchor Mobility10-12
Using the CLI to Configure Auto-Anchor Mobility10-14
ASafety Considerations and Translated Safety WarningsA-1
Safety ConsiderationsA-2
Warning DefinitionA-2
Class 1 Laser Product WarningA-5
Ground Conductor WarningA-7
APPENDIX
Chassis Warning for Rack-Mounting and ServicingA-9
Battery Handling Warning for 4400 Series ControllersA-18
Equipment Installation WarningA-20
More Than One Power Supply Warning for 4400 Series ControllersA-23
BDeclarations of Conformity and Regulatory InformationB-1
Regulatory Information for 1000 Series Access PointsB-2
Manufacturers Federal Communication Commission Declaration of Conformity StatementB-2
Department of Communications—CanadaB-3
Canadian Compliance StatementB-3
European Community, Switzerland, Norway, Iceland, and LiechtensteinB-4
Declaration of Conformity with Regard to the R&TTE Directive 1999/5/ECB-4
Declaration of Conformity for RF ExposureB-5
Guidelines for Operating Cisco Aironet Access Points in JapanB-6
Administrative Rules for Cisco Aironet Access Points in TaiwanB-7
Access Points with IEEE 802.11a RadiosB-7
All Access PointsB-7
Declaration of Conformity StatementsB-8
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
xi
Contents
FCC Statements for Cisco 2000 Series Wireless LAN ControllersB-8
FCC Statements for Cisco 4100 Series Wireless LAN Controllers and Cisco 4400 Series Wireless LAN
Controllers
B-9
APPENDIX
APPENDIX
I
NDEX
CEnd User License and WarrantyC-1
End User License AgreementC-2
Limited WarrantyC-4
Disclaimer of WarrantyC-6
General Terms Applicable to the Limited Warranty Statement and End User License AgreementC-6
Additional Open Source TermsC-7
DSystem Messages and Access Point LED PatternsD-1
System MessagesD-2
Using Client Reason and Status Codes in Trap LogsD-4
Client Reason CodesD-4
Client Status CodesD-5
Using Lightweight Access Point LEDsD-6
xii
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Preface
This preface provides an overview of the Cisco Wireless LAN Controller Configuration Guide
(OL-8335-02), references related publications, and explains how to obtain other documentation and
technical assistance, if necessary. It contains these sections:
• Audience, page xiv
• Purpose, page xiv
• Organization, page xiv
• Conventions, page xv
• Related Publications, page xvii
• Obtaining Documentation, page xvii
• Documentation Feedback, page xviii
• Cisco Product Security Overview, page xix
• Obtaining Technical Assistance, page xx
• Obtaining Additional Publications and Information, page xxi
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
xiii
Audience
Audience
This guide describes Cisco Wireless LAN Controllers and Cisco Lightweight Access Points. This guide
is for the networking professional who installs and manages these devices. To use this guide, you should
be familiar with the concepts and terminology of wireless LANs.
Purpose
This guide provides the information you need to set up and configure wireless LAN controllers.
Organization
This guide is organized into these chapters:
Chapter 1, “Overview,” provides an overview of the network roles and features of wireless LAN
controllers.
Preface
Chapter 2, “Using the Web-Browser and CLI Interfaces,” describes how to use the controller GUI and
CLI.
Chapter 3, “Configuring Ports and Interfaces,” describes the controller’s physical ports and interfaces
and provides instructions for configuring them.
Chapter 4, “Configuring Controller Settings,” describes how to configure settings on the controllers.
Chapter 5, “Configuring Security Solutions,” describes application-specific solutions for wireless
LANs.
Chapter 6, “Configuring WLANs,” describes how to configure wireless LANs and SSIDs on your
system.
Chapter 7, “Controlling Lightweight Access Points,” explains how to connect access points to the
controller and manage access point settings.
Chapter 8, “Managing Controller Software and Configurations,” describes how to upgrade and manage
controller software and configurations.
Chapter 9, “Configuring Radio Resource Management,” describes radio resource management (RRM)
and explains how to configure it on the controllers.
Chapter 10, “Configuring Mobility Groups,” describes mobility groups and explains how to configure
them on the controllers.
Appendix A, “Safety Considerations and Translated Safety Warnings,” lists safety considerations and
translations of the safety warnings that apply to the Cisco Unified Wireless Network Solution products.
Appendix B, “Declarations of Conformity and Regulatory Information,” provides declarations of
conformity and regulatory information for the products in the Cisco Unified Wireless Network Solution.
xiv
Appendix C, “End User License and Warranty,” describes the end user license and warranty that apply
to the Cisco Unified Wireless Network Solution products.
Appendix D, “System Messages and Access Point LED Patterns,” lists system messages that can appear
on the Cisco Unified Wireless Network Solution interfaces and describes the LED patterns on
lightweight access points.
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Preface
Conventions
This publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
Interactive examples use these conventions:
Notes, cautions, and timesavers use these conventions and symbols:
Conventions
• Commands and keywords are in boldface text.
• Arguments for which you supply values are in italic.
• Square brackets ([ ]) mean optional elements.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
• Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional
element.
• Terminal sessions and system displays are in screen font.
• Information you enter is in boldface screen font.
• Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).
TipMeans the following will help you solve a problem. The tips information might not be troubleshooting
NoteMeans reader take note. Notes contain helpful suggestions or references to materials not contained in
CautionMeans reader be careful. In this situation, you might do something that could result equipment damage
Warning
Waarschuwing
or even an action, but could be useful information.
this manual.
or loss of data.
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you
work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar
with standard practices for preventing accidents. (To see translations of the warnings that appear
in this publication, refer to the appendix “Translated Safety Warnings.”)
Dit waarschuwingssymbool betekent gevaar. U verkeert in een situatie die lichamelijk letsel kan
veroorzaken. Voordat u aan enige apparatuur gaat werken, dient u zich bewust te zijn van de bij
elektrische schakelingen betrokken risico’s en dient u op de hoogte te zijn van standaard
maatregelen om ongelukken te voorkomen. (Voor vertalingen van de waarschuwingen die in deze
publicatie verschijnen, kunt u het aanhangsel “Translated Safety Warnings” (Vertalingen van
veiligheidsvoorschriften) raadplegen.)
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
xv
Conventions
Preface
Varoitus
Attention
Warnung
Avvertenza
Tämä varoitusmerkki merkitsee vaaraa. Olet tilanteessa, joka voi johtaa ruumiinvammaan. Ennen
kuin työskentelet minkään laitteiston parissa, ota selvää sähkökytkentöihin liittyvistä vaaroista ja
tavanomaisista onnettomuuksien ehkäisykeinoista. (Tässä julkaisussa esiintyvien varoitusten
käännökset löydät liitteestä "Translated Safety Warnings" (käännetyt turvallisuutta koskevat
varoitukset).)
Ce symbole d’avertissement indique un danger. Vous vous trouvez dans une situation pouvant
entraîner des blessures. Avant d’accéder à cet équipement, soyez conscient des dangers posés par
les circuits électriques et familiarisez-vous avec les procédures courantes de prévention des
accidents. Pour obtenir les traductions des mises en garde figurant dans cette publication, veuillez
consulter l’annexe intitulée « Translated Safety Warnings » (Traduction des avis de sécurité).
Dieses Warnsymbol bedeutet Gefahr. Sie befinden sich in einer Situation, die zu einer
Körperverletzung führen könnte. Bevor Sie mit der Arbeit an irgendeinem Gerät beginnen, seien Sie
sich der mit elektrischen Stromkreisen verbundenen Gefahren und der Standardpraktiken zur
Vermeidung von Unfällen bewußt. (Übersetzungen der in dieser Veröffentlichung enthaltenen
Warnhinweise finden Sie im Anhang mit dem Titel “Translated Safety Warnings” (Übersetzung der
Warnhinweise).)
Questo simbolo di avvertenza indica un pericolo. Si è in una situazione che può causare infortuni.
Prima di lavorare su qualsiasi apparecchiatura, occorre conoscere i pericoli relativi ai circuiti
elettrici ed essere al corrente delle pratiche standard per la prevenzione di incidenti. La traduzione
delle avvertenze riportate in questa pubblicazione si trova nell’appendice, “Translated Safety
Warnings” (Traduzione delle avvertenze di sicurezza).
Advarsel
Aviso
¡Advertencia!
Varning!
Dette varselsymbolet betyr fare. Du befinner deg i en situasjon som kan føre til personskade. Før du
utfører arbeid på utstyr, må du være oppmerksom på de faremomentene som elektriske kretser
innebærer, samt gjøre deg kjent med vanlig praksis når det gjelder å unngå ulykker. (Hvis du vil se
oversettelser av de advarslene som finnes i denne publikasjonen, kan du se i vedlegget "Translated
Safety Warnings" [Oversatte sikkerhetsadvarsler].)
Este símbolo de aviso indica perigo. Encontra-se numa situação que lhe poderá causar danos
fisicos. Antes de começar a trabalhar com qualquer equipamento, familiarize-se com os perigos
relacionados com circuitos eléctricos, e com quaisquer práticas comuns que possam prevenir
possíveis acidentes. (Para ver as traduções dos avisos que constam desta publicação, consulte o
apêndice “Translated Safety Warnings” - “Traduções dos Avisos de Segurança”).
Este símbolo de aviso significa peligro. Existe riesgo para su integridad física. Antes de manipular
cualquier equipo, considerar los riesgos que entraña la corriente eléctrica y familiarizarse con los
procedimientos estándar de prevención de accidentes. (Para ver traducciones de las advertencias
que aparecen en esta publicación, consultar el apéndice titulado “Translated Safety Warnings.”)
Denna varningssymbol signalerar fara. Du befinner dig i en situation som kan leda till personskada.
Innan du utför arbete på någon utrustning måste du vara medveten om farorna med elkretsar och
känna till vanligt förfarande för att förebygga skador. (Se förklaringar av de varningar som
förekommer i denna publikation i appendix "Translated Safety Warnings" [Översatta
säkerhetsvarningar].)
xvi
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Preface
Related Publications
These documents provide complete information about the Cisco Unified Wireless Network Solution:
• Cisco Wireless LAN Controller Command Reference
• Quick Start Guide: Cisco 2000 Series Wireless LAN Controllers
• Quick Start Guide: Cisco 4100 Series Wireless LAN Controllers
• Quick Start Guide: Cisco 4400 Series Wireless LAN Controllers
• Quick Start Guide: VPN Termination Module for Cisco 4400 Series Wireless LAN Controllers
• Quick Start Guide: VPN/Enhanced Security Modules for Cisco 4100 Series Wireless LAN
Controllers
• Cisco Wireless Control System Configuration Guide
• Quick Start Guide: Cisco Wireless Control System for Microsoft Windows
• Quick Start Guide: Cisco Wireless Control System for Linux
• Quick Start Guide: Cisco Aironet 1000 Series Lightweight Access Points with Internal Antennas
• Quick Start Guide: Cisco Aironet 1000 Series Lightweight Access Points with External Antennas
Related Publications
Click this link to browse to user documentation for the Cisco Unified Wireless Network Solution:
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
The Product Documentation DVD is a comprehensive library of technical product documentation on a
portable medium. The DVD enables you to access multiple versions of installation, configuration, and
command guides for Cisco hardware and software products. With the DVD, you have access to the same
HTML documentation that is found on the Cisco website without being connected to the Internet.
Certain products also have .PDF versions of the documentation available.
The Product Documentation DVD is available as a single unit or as a subscription. Registered Cisco.com
users (Cisco direct customers) can order a Product Documentation DVD (product number
DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Ordering Documentation
Registered Cisco.com users may order Cisco documentation at the Product Documentation Store in the
Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Preface
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m.
(0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by
calling 011 408 519-5055. You can also order documentation by e-mail at
tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada,
or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback
form that appears with the technical documents on Cisco.com.
You can submit comments about Cisco documentation by using the response card (if present) behind the
front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
xviii
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Preface
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
From this site, you will find information about how to:
• Report security vulnerabilities in Cisco products.
• Obtain assistance with security incidents that involve Cisco products.
• Register to receive security information from Cisco.
A current list of security advisories, security notices, and security responses for Cisco products is
available at this URL:
http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you
can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS)
feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
Cisco is committed to delivering secure products. We test our products internally before we release
them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a
vulnerability in a Cisco product, contact PSIRT:
• For Emergencies only—security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which
a severe and urgent security vulnerability should be reported. All other conditions are considered
nonemergencies.
• For Nonemergencies—psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
• 1 877 228-7302
• 1 408 525-6532
TipWe encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to
encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been
encrypted with PGP versions 2.x through 9.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence
with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page
at this URL:
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT at the aforementioned e-mail addresses or phone numbers
before sending any sensitive material to find other means of encrypting the data.
Cisco Wireless LAN Controller Configuration Guide
xix
Obtaining Technical Assistance
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco
Technical Support & Documentation website on Cisco.com features extensive online support resources.
In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC)
engineers provide telephone support. If you do not have a valid Cisco service contract, contact your
reseller.
Cisco Technical Support & Documentation Website
The Cisco Technical Support & Documentation website provides online documents and tools for
troubleshooting and resolving technical issues with Cisco products and technologies. The website is
available 24 hours a day, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support & Documentation website requires a Cisco.com user
ID and password. If you have a valid service contract but do not have a user ID or password, you can
register at this URL:
Preface
http://tools.cisco.com/RPF/register/register.do
NoteUse the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support &
Documentation website by clicking the Tools & Resources link under Documentation & Tools.Choose
Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco
Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by
product ID or model name; by tree view; or for certain products, by copying and pasting show command
output. Search results show an illustration of your product with the serial number label location
highlighted. Locate the serial number label on your product and record the information before placing a
service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3
and S4 service requests are those in which your network is minimally impaired or for which you require
product information.) After you describe your situation, the TAC Service Request Tool provides
recommended solutions. If your issue is not resolved using the recommended resources, your service
request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone.
(S1 or S2 service requests are those in which your production network is down or severely degraded.)
Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business
operations running smoothly.
xx
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Preface
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity
definitions.
Severity 1 (S1)—An existing network is down, or there is a critical impact to your business operations.
You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your
business operations are negatively affected by inadequate performance of Cisco products. You and Cisco
will commit full-time resources during normal business hours to resolve the situation.
Obtaining Additional Publications and Information
Severity 3 (S3)—Operational performance of the network is impaired, while most business operations
remain functional. You and Cisco will commit resources during normal business hours to restore service
to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
• The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief
product overviews, key features, sample part numbers, and abbreviated technical specifications for
many Cisco products that are sold through channel partners. It is updated twice a year and includes
the latest Cisco offerings. To order and find out more about the Cisco Product Quick Reference
Guide, go to this URL:
http://www.cisco.com/go/guide
• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo
merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
• Cisco Press publishes a wide range of general networking, training and certification titles. Both new
and experienced users will benefit from these publications. For current Cisco Press titles and other
information, go to Cisco Press at this URL:
OL-8335-02
http://www.ciscopress.com
Cisco Wireless LAN Controller Configuration Guide
xxi
Obtaining Additional Publications and Information
• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and
networking investments. Each quarter, Packet delivers coverage of the latest industry trends,
technology breakthroughs, and Cisco products and solutions, as well as network deployment and
troubleshooting tips, configuration examples, customer case studies, certification and training
information, and links to scores of in-depth online resources. You can access Packet magazine at
this URL:
http://www.cisco.com/packet
• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies
learn how they can use technology to increase revenue, streamline their business, and expand
services. The publication identifies the challenges facing these companies and the technologies to
help solve them, using real-world case studies and business strategies to help readers make sound
technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
or view the digital edition at this URL:
http://ciscoiq.texterity.com/ciscoiq/sample/
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
Preface
• Networking products offered by Cisco Systems, as well as customer support services, can be
obtained at this URL:
http://www.cisco.com/en/US/products/index.html
• Networking Professionals Connection is an interactive website for networking professionals to
share questions, suggestions, and information about networking products and technologies with
Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
• World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html
xxii
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
CHAPTER
Overview
This chapter describes the controller components and features. Its contains these sections:
The Cisco Wireless LAN Solution is designed to provide 802.11 wireless networking solutions for
enterprises and service providers. The Cisco Wireless LAN Solution simplifies deploying and managing
large-scale wireless LANs and enables a unique best-in-class security infrastructure. The operating
system manages all data client, communications, and system administration functions, performs Radio
Resource Management (RRM) functions, manages system-wide mobility policies using the operating
system Security solution, and coordinates all security functions using the operating system security
framework.
The Cisco Wireless LAN Solution consists of Cisco Wireless LAN Controllers and their associated
lightweight access points controlled by the operating system, all concurrently managed by any or all of
the operating system user interfaces:
• An HTTP and/or HTTPS full-featured Web User Interface hosted by Cisco Wireless LAN
Controllers can be used to configure and monitor individual controllers. See the “Web User
Interface and the CLI” section on page 1-25.
• A full-featured command-line interface (CLI) can be used to configure and monitor individual Cisco
Wireless LAN Controllers. See the “Web User Interface and the CLI” section on page 1-25.
• The Cisco Wireless Control System (WCS), which you use to configure and monitor one or more
Cisco Wireless LAN Controllers and associated access points. WCS has tools to facilitate
large-system monitoring and control. WCS runs on Windows 2000, Windows 2003, and Red Hat
Enterprise Linux ES servers.
• An industry-standard SNMP V1, V2c, and V3 interface can be used with any SNMP-compliant
third-party network management system.
Chapter 1 Overview
The Cisco Wireless LAN Solution supports client data services, client monitoring and control, and all
rogue access point detection, monitoring, and containment functions. The Cisco Wireless LAN Solution
uses lightweight access points, Cisco Wireless LAN Controllers, and the optional Cisco WCS to provide
wireless services to enterprises and service providers.
NoteThis document refers to Cisco Wireless LAN Controllers throughout. Unless specifically called out, the
descriptions herein apply to all Cisco Wireless LAN Controllers, including but not limited to Cisco 2000
Series Wireless LAN Controllers, Cisco 4100 Series Wireless LAN Controllers, Cisco 4400 Series
Wireless LAN Controllers, and the controllers on the Wireless Services Module (WiSM).
Figure 1-1 shows the Cisco Wireless LAN Solution components, which can be simultaneously deployed
across multiple floors and buildings.
1-2
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
Cisco Wireless LAN Solution Overview
Figure 1-1Cisco WLAN Solution Components
Single-Controller Deployments
A standalone controller can support lightweight access points across multiple floors and buildings
simultaneously, and supports the following features:
• Autodetecting and autoconfiguring lightweight access points as they are added to the network.
• Full control of lightweight access points.
• Full control of up to 16 wireless LAN (SSID) policies for Cisco 1000 series access points.
NoteLWAPP-enabled access points support up to 8 wireless LAN (SSID) policies.
• Lightweight access points connect to controllers through the network. The network equipment may
or may not provide Power over Ethernet to the access points.
Note that some controllers use redundant Gigabit Ethernet connections to bypass single network failures.
NoteSome controllers can connect through multiple physical ports to multiple subnets in the network. This
feature can be helpful when Cisco WLAN Solution operators want to confine multiple VLANs to
separate subnets.
Figure 1-2 shows a typical single-controller deployment.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
1-3
Cisco Wireless LAN Solution Overview
Figure 1-2Single-Controller Deployment
Multiple-Controller Deployments
Each controller can support lightweight access points across multiple floors and buildings
simultaneously. However, full functionality of the Cisco Wireless LAN Solution is realized when it
includes multiple controllers. A multiple-controller system has the following additional features:
• Autodetecting and autoconfiguring RF parameters as the controllers are added to the network.
Chapter 1 Overview
• Same-Subnet (Layer 2) Roaming and Inter-Subnet (Layer 3) Roaming.
• Automatic access point failover to any redundant controller with a reduced access point load (refer
to the “Cisco Wireless LAN Controller Failover Protection” section on page 1-20).
The following figure shows a typical multiple-controller deployment. The figure also shows an optional
dedicated Management Network and the three physical connection types between the network and the
controllers.
1-4
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
Operating System Software
Figure 1-3Typical Multi-Controller Deployment
Operating System Software
The operating system software controls Cisco Wireless LAN Controllers and Cisco 1000 Series
Lightweight Access Points. It includes full operating system security and Radio Resource Management
(RRM) features.
Operating System Security
Operating system security bundles Layer 1, Layer 2, and Layer 3 security components into a simple,
Cisco WLAN Solution-wide policy manager that creates independent security policies for each of up to
16 wireless LANs. (Refer to the “Cisco WLAN Solution Wireless LANs” section on page 1-11.)
The 802.11 Static WEP weaknesses can be overcome using robust industry-standard security solutions,
such as:
• 802.1X dynamic keys with extensible authentication protocol (EAP).
WEP keys, with or without Pre-Shared key Passphrase.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
1-5
Operating System Security
The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as:
Chapter 1 Overview
• RSN with or without Pre-Shared key.
• Cranite FIPS140-2 compliant passthrough.
• Fortress FIPS140-2 compliant passthrough.
• Optional MAC Filtering.
• Terminated and passthrough VPNs
• Terminated and passthrough Layer Two Tunneling Protocol (L2TP), which uses the IP Security
(IPSec) protocol.
• Terminated and pass-through IPSec protocols. The terminated Cisco WLAN Solution IPSec
implementation includes:
–
Internet key exchange (IKE)
–
Diffie-Hellman (DH) groups, and
–
Three optional levels of encryption: DES (ANSI X.3.92 data encryption standard), 3DES (ANSI
X9.52-1998 data encryption standard), or AES/CBC (advanced encryption standard/cipher
block chaining).
The Cisco WLAN Solution IPSec implementation also includes industry-standard authentication
using:
–
Message digest algorithm (MD5), or
–
Secure hash algorithm-1 (SHA-1)
• The Cisco Wireless LAN Solution supports local and RADIUS MAC Address filtering.
• The Cisco Wireless LAN Solution supports local and RADIUS user/password authentication.
• The Cisco Wireless LAN Solution also uses manual and automated Disabling to block access to
network services. In manual Disabling, the operator blocks access using client MAC addresses. In
automated Disabling, which is always active, the operating system software automatically blocks
access to network services for an operator-defined period of time when a client fails to authenticate
for a fixed number of consecutive attempts. This can be used to deter brute-force login attacks.
These and other security features use industry-standard authorization and authentication methods to
ensure the highest possible security for your business-critical wireless LAN traffic.
Cisco WLAN Solution Wired Security
Many traditional access point vendors concentrate on security for the Wireless interface similar to that
described in the “Operating System Security” section on page 1-5. However, for secure Cisco Wireless
LAN Controller Service Interfaces, Cisco Wireless LAN Controller to access point, and inter-Cisco
Wireless LAN Controller communications during device servicing and client roaming, the operating
system includes built-in security.
1-6
Each Cisco Wireless LAN Controller and Cisco 1000 series lightweight access point is manufactured
with a unique, signed X.509 certificate. This certificate is used to authenticate IPSec tunnels between
devices. These IPSec tunnels ensure secure communications for mobility and device servicing.
Cisco Wireless LAN Controllers and Cisco 1000 series lightweight access points also use the signed
certificates to verify downloaded code before it is loaded, ensuring that hackers do not download
malicious code into any Cisco Wireless LAN Controller or Cisco 1000 series lightweight access point.
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
Layer 2 and Layer 3 LWAPP Operation
The LWAPP communications between Cisco Wireless LAN Controller and Cisco 1000 series
lightweight access points can be conducted at ISO Data Link Layer 2 or Network Layer 3.
NoteThe IPv4 network layer protocol is supported for transport through an LWAPP controller system. IPv6
(for clients only) and Appletalk are also supported but only on 4400 series controllers and the Cisco
WiSM. Other Layer 3 protocols (such as IPX, DECnet Phase IV, OSI CLNP, and so on) and Layer 2
(bridged) protocols (such as LAT and NetBeui) are not supported.
Operational Requirements
The requirement for Layer 2 LWAPP communications is that the Cisco Wireless LAN Controller and
Cisco 1000 series lightweight access points must be connected to each other through Layer 2 devices on
the same subnet. This is the default operational mode for the Cisco Wireless LAN Solution. Note that
when the Cisco Wireless LAN Controller and Cisco 1000 series lightweight access points are on
different subnets, these devices must be operated in Layer 3 mode.
Layer 2 and Layer 3 LWAPP Operation
The requirement for Layer 3 LWAPP communications is that the Cisco Wireless LAN Controllers and
Cisco 1000 series lightweight access points can be connected through Layer 2 devices on the same
subnet, or connected through Layer 3 devices across subnets.
Note that all Cisco Wireless LAN Controllers in a mobility group must use the same LWAPP Layer 2 or
Layer 3 mode, or you will defeat the Mobility software algorithm.
Configuration Requirements
When you are operating the Cisco Wireless LAN Solution in Layer 2 mode, you must configure a
management interface to control your Layer 2 communications.
When you are operating the Cisco Wireless LAN Solution in Layer 3 mode, you must configure an
AP-manager interface to control Cisco 1000 series lightweight access points and a management interface
as configured for Layer 2 mode.
Cisco Wireless LAN Controllers
When you are adding Cisco 1000 series lightweight access points to a multiple Cisco Wireless LAN
Controller deployments network, it is convenient to have all Cisco 1000 series lightweight access points
associate with one master controller on the same subnet. That way, the operator does not have to log into
multiple controllers to find out which controller newly-added Cisco 1000 series lightweight access
points associated with.
One controller in each subnet can be assigned as the master controller while adding lightweight access
points. As long as a master controller is active on the same subnet, all new access points without a
primary, secondary, and tertiary controller assigned automatically attempt to associate with the master
Cisco Wireless LAN Controller. This process is described in the “Cisco Wireless LAN Controller
Failover Protection” section on page 1-20.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
1-7
Client Roaming
The operator can monitor the master controller using the WCS Web User Interface and watch as access
points associate with the master controller. The operator can then verify access point configuration and
assign a primary, secondary, and tertiary controller to the access point, and reboot the access point so it
reassociates with its primary, secondary, or tertiary controller.
NoteLightweight access points without a primary, secondary, and tertiary controller assigned always search
for a master controller first upon reboot. After adding lightweight access points through the master
controller, assign primary, secondary, and tertiary controllers to each access point. Cisco recommends
that you disable the master setting on all controllers after initial configuration.
Primary, Secondary, and Tertiary Controllers
In multiple-controller networks, lightweight access points can associate with any controller on the same
subnet. To ensure that each access point associates with a particular controller, the operator can assign
primary, secondary, and tertiary controllers to the access point.
When a primed access point is added to a network, it looks for its primary, secondary, and tertiary
controllers first, then a master controller, then the least-loaded controller with available access point
ports. Refer to the “Cisco Wireless LAN Controller Failover Protection” section on page 1-20 for more
information.
Chapter 1 Overview
Client Roaming
The Cisco Wireless LAN Solution supports seamless client roaming across Cisco 1000 series
lightweight access points managed by the same Cisco Wireless LAN Controller, between Cisco Wireless
LAN Controllers in the same Cisco WLAN Solution Mobility Group on the same subnet, and across
controllers in the same Mobility Group on different subnets.
Same-Subnet (Layer 2) Roaming
Each Cisco Wireless LAN Controller supports same-controller client roaming across access points
managed by the same controller. This roaming is transparent to the client as the session is sustained and
the client continues using the same DHCP-assigned or client-assigned IP Address. The controller
provides DHCP functionality with a relay function. Same-controller roaming is supported in
single-controller deployments and in multiple-controller deployments.
Inter-Controller (Layer 2) Roaming
In multiple-controller deployments, the Cisco Wireless LAN Solution supports client roaming across
access points managed by controllers in the same mobility group and on the same subnet. This roaming
is also transparent to the client, as the session is sustained and a tunnel between controllers allows the
client to continue using the same DHCP- or client-assigned IP Address as long as the session remains
active. Note that the tunnel is torn down and the client must reauthenticate when the client sends a DHCP
Discover with a 0.0.0.0 client IP Address or a 169.254.*.* client auto-IP Address, or when the
operator-set session timeout is exceeded.
1-8
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
Note that the Cisco 1030 remote edge lightweight access points at a remote location must be on the same
subnet to support roaming.
Inter-Subnet (Layer 3) Roaming
In multiple-controller deployments, the Cisco Wireless LAN Solution supports client roaming across
access points managed by controllers in the same mobility group on different subnets. This roaming is
transparent to the client, because the session is sustained and a tunnel between the controllers allows the
client to continue using the same DHCP-assigned or client-assigned IP Address as long as the session
remains active. Note that the tunnel is torn down and the client must reauthenticate when the client sends
a DHCP Discover with a 0.0.0.0 client IP Address or a 169.254.*.* client auto-IP Address or when the
operator-set user timeout is exceeded.
Note that the Cisco 1030 remote edge lightweight access points at a remote location must be on the same
subnet to support roaming.
Special Case: Voice Over IP Telephone Roaming
802.11 VoIP telephones actively seek out associations with the strongest RF signal to ensure best Quality
of Service (QoS) and maximum throughput. The minimum VoIP telephone requirement of
20 millisecond or shorter latency time for the roaming handover is easily met by the Cisco Wireless LAN
Solution, which has an average handover latency of nine or fewer milliseconds.
Client Roaming
Client Location
This short latency period is controlled by Cisco Wireless LAN Controllers, rather than allowing
independent access points to negotiate roaming handovers.
The Cisco Wireless LAN Solution supports 802.11 VoIP telephone roaming across Cisco 1000 series
lightweight access points managed by Cisco Wireless LAN Controllers on different subnets, as long as
the controllers are in the same mobility group. This roaming is transparent to the VoIP telephone,
because the session is sustained and a tunnel between controllers allows the VoIP telephone to continue
using the same DHCP-assigned IP Address as long as the session remains active. Note that the tunnel is
torn down and the VoIP client must reauthenticate when the VoIP telephone sends a DHCP Discover with
a 0.0.0.0 VoIP telephone IP Address or a 169.254.*.* VoIP telephone auto-IP Address or when the
operator-set user timeout is exceeded.
When you use Cisco WCS in your Cisco Wireless LAN Solution, controllers periodically determine
client, rogue access point, rogue access point client, radio frequency ID (RFID) tag location and store
the locations in the Cisco WCS database. For more information on location solutions, refer to the Cisco Wireless Control System Configuration Guide and the Cisco Location Appliance Configuration Guide at
these URLs:
Cisco Wireless Control System Configuration Guide:
http://www.cisco.com/en/US/products/ps6305/products_installation_and_configuration_guides_list.ht
ml
Cisco Location Appliance Configuration Guide:
http://www.cisco.com/en/US/products/ps6386/products_installation_and_configuration_guides_list.ht
ml
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
1-9
External DHCP Servers
External DHCP Servers
The operating system is designed to appear as a DHCP Relay to the network and as a DHCP Server to
clients with industry-standard external DHCP Servers that support DHCP Relay. This means that each
Cisco Wireless LAN Controller appears as a DHCP Relay agent to the DHCP Server. This also means
that the Cisco Wireless LAN Controller appears as a DHCP Server at the virtual IP Address to wireless
clients.
Because the Cisco Wireless LAN Controller captures the client IP Address obtained from a DHCP
Server, it maintains the same IP Address for that client during same-Cisco Wireless LAN Controller,
inter-Cisco Wireless LAN Controller, and inter-subnet client roaming.
Per-Wireless LAN Assignment
All Cisco WLAN Solution wireless LANs can be configured to use the same or different DHCP Servers,
or no DHCP Server. This allows operators considerable flexibility in configuring their Wireless LANs,
as further described in the “Cisco WLAN Solution Wireless LANs” section on page 1-11.
Note that Cisco WLAN Solution wireless LANs that support management over wireless must allow the
management (device servicing) clients to obtain an IP Address from a DHCP Server. See the“Using
Management over Wireless” section on page 5-6 for instructions on configuring management over
wireless.
Chapter 1 Overview
Per-Interface Assignment
You can assign DHCP servers for individual interfaces. The Layer 2 management interface, Layer 3
AP-manager interface, and dynamic interfaces can be configured for a primary and secondary DHCP
server, and the service-port interface can be configured to enable or disable DHCP servers.
NoteRefer to Chapter 3 for information on configuring the controller’s interfaces.
Security Considerations
For enhanced security, Cisco recommends that operators require all clients to obtain their IP Addresses
from a DHCP server. To enforce this requirement, all wireless LANs can be configured with a DHCP
Required setting and a valid DHCP Server IP Address, which disallows client static IP Addresses. If a
client associating with a wireless LAN with DHCP Required set does not obtain its IP Address from the
designated DHCP Server, it is not allowed access to any network services.
Note that if DHCP Required is selected, clients must obtain an IP address via DHCP. Any client with a
static IP address will not be allowed on the network. The Cisco Wireless LAN Controller monitors
DHCP traffic because it acts as a DHCP proxy for the clients.
If slightly less security is tolerable, operators can create wireless LANs with DHCP Required disabled
and a valid DHCP Server IP Address. Clients then have the option of using a static IP Address or
obtaining an IP Address from the designated DHCP Server.
Operators are also allowed to create separate wireless LANs with DHCP Required disabled and a DHCP
Server IP Address of 0.0.0.0. These wireless LANs drop all DHCP requests and force clients to use a
static IP Address. Note that these wireless LANs do not support management over wireless connections.
1-10
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
Cisco WLAN Solution Wired Connections
The Cisco Wireless LAN Solution components communicate with each other using industry-standard
Ethernet cables and connectors. The following paragraphs contain details of the Cisco WLAN Solution
wired connections.
• The Cisco 2000 Series Wireless LAN Controller connects to the network using from one to four
10/100BASE-T Ethernet cables.
• The Cisco 4100 Series Wireless LAN Controller connects to the network using one or two
fiber-optic Gigabit Ethernet cables: two redundant Gigabit Ethernet connections to bypass single
network failures.
• The Cisco 4402 Wireless LAN Controller connects to the network using one or two fiber-optic
Gigabit Ethernet cables, and the 4404 Wireless LAN Controller connects to the network using up to
four fiber-optic Gigabit Ethernet cables: two redundant Gigabit Ethernet connections to bypass
single network failures.
• The controllers on the Wireless Services Module (WiSM), installed in a Cisco Catalyst 6500 Series
Switch, connect to the network through switch ports on the switch.
• The Wireless LAN Controller Network Module, installed in a Cisco Integrated Services Router,
connects to the network through the ports on the router.
Cisco WLAN Solution Wired Connections
• Cisco 1000 series lightweight access points connects to the network using 10/100BASE-T Ethernet
cables. The standard CAT-5 cable can also be used to conduct power for the Cisco 1000 series
lightweight access points from a network device equipped with Power over Ethernet (PoE)
capability. This power distribution plan can be used to reduce the cost of individual AP power
supplies and related cabling.
Cisco WLAN Solution Wireless LANs
The Cisco Wireless LAN Solution can control up to 16 Wireless LANs for lightweight access points.
Each wireless LAN has a separate wireless LAN ID (1 through 16), a separate wireless LAN SSID
(wireless LAN name), and can be assigned unique security policies. Using software release 3.2 and later
you can configure both static and dynamic WEP on the same wireless LAN.
The Cisco 1000 series lightweight access points broadcast all active Cisco WLAN Solution wireless
LAN SSIDs and enforce the policies defined for each wireless LAN.
NoteCisco recommends that you assign one set of VLANs for wireless LANs and a different set of VLANs
for management interfaces to ensure that controllers operate with optimum performance and ease of
management.
If management over wireless is enabled across Cisco Wireless LAN Solution, the Cisco Wireless LAN
Solution operator can manage the System across the enabled wireless LAN using CLI and Telnet,
http/https, and SNMP.
To configure the Cisco WLAN Solution wireless LANs, refer to Chapter 6, “Configuring WLANs.”
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
1-11
Access Control Lists
Access Control Lists
The operating system allows you to define up to 64 Access Control Lists (ACLs), similar to standard
firewall Access Control Lists. Each ACL can have up to 64 Rules (filters).
Operators can use ACLs to control client access to multiple VPN servers within a given wireless LAN.
If all the clients on a wireless LAN must access a single VPN server, use the IPSec/VPN Gateway
Passthrough setting, described in the “Security Overview” section on page 5-2.
After they are defined, the ACLs can be applied to the management interface, the AP-Manager interface,
or any of the operator-defined interfaces.
Refer to Access Control Lists > New in the Web User Interface Online Help for instructions on
configuring Access Control Lists.
Identity Networking
Cisco Wireless LAN Controllers can have the following parameters applied to all clients associating with
a particular wireless LAN: QoS, global or Interface-specific DHCP server, Layer 2 and Layer 3 Security
Policies, and default Interface (which includes physical port, VLAN and ACL assignments).
However, the Cisco Wireless LAN Controller can also have individual clients (MAC addresses) override
the preset wireless LAN parameters by using MAC Filtering or by Allowing AAA Override parameters.
This configuration can be used, for example, to have all company clients log into the corporate wireless
LAN, and then have clients connect using different QoS, DHCP server, Layer 2 and Layer 3 Security
Policies, and Interface (which includes physical port, VLAN and ACL assignments) settings on a
per-MAC Address basis.
Chapter 1 Overview
When Cisco Wireless LAN Solution operators configure MAC Filtering for a client, they can assign a
different VLAN to the MAC Address, which can be used to have operating system automatically reroute
the client to the management interface or any of the operator-defined interfaces, each of which have their
own VLAN, ACL, DHCP server, and physical port assignments. This MAC Filtering can be used as a
coarse version of AAA Override, and normally takes precedence over any AAA (RADIUS or other)
Override.
However, when Allow AAA Override is enabled, the RADIUS (or other AAA) server can alternatively
be configured to return QoS and ACL on a per-MAC Address basis. Allow AAA Override gives the AAA
Override precedence over the MAC Filtering parameters set in the Cisco Wireless LAN Controller; if
there are no AAA Overrides available for a given MAC Address, the operating system uses the MAC
Filtering parameters already in the Cisco Wireless LAN Controller. This AAA (RADIUS or other)
Override can be used as a finer version of AAA Override, but only takes precedence over MAC Filtering
when Allow AAA Override is enabled.
Note that in all cases, the Override parameters (Operator-Defined Interface and QoS, for example) must
already be defined in the Cisco Wireless LAN Controller configuration.
In all cases, the operating system will use QoS and ACL provided by the AAA server or MAC Filtering
regardless of the Layer 2 and/or Layer 3 authentication used.
Also note that the operating system will only move clients from the default Cisco WLAN Solution
wireless LAN VLAN to a different VLAN when configured for MAC filtering, 802.1X, and/or WPA
Layer 2 authentication.
To configure the Cisco WLAN Solution wireless LANs, refer to the “Configuring Wireless LANs”
section on page 6-2.
1-12
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
Enhanced Integration with Cisco Secure ACS
The identity-based networking feature uses authentication, authorization, and accounting (AAA)
override. When the following vendor-specific attributes are present in the RADIUS access accept
message, the values override those present in the wireless LAN profile:
• QoS level
• 802.1p value
• VLAN interface name
• Access control list (ACL) name
In this release, support is being added for the AAA server to return the VLAN number or name using the
standard “RADIUS assigned VLAN name/number” feature defined in IETF RFC 2868 (RADIUS
Attributes for Tunnel Protocol Support). To assign a wireless client to a particular VLAN, the AAA
server sends the following attributes to the controller in the access accept message:
• IETF 64 (Tunnel Type): VLAN
• IETF 65 (Tunnel Medium Type): 802
• IETF 81 (Tunnel Private Group ID): VLAN # or VLAN Name String
This enables Cisco Secure ACS to communicate a VLAN change that may be a result of a posture
analysis. Benefits of this new feature include:
File Transfers
• Integration with Cisco Secure ACS reduces installation and setup time
• Cisco Secure ACS operates smoothly across both wired and wireless networks
This feature supports 2000, 4100, and 4400 series controllers and 1000, 1130, 1200 and 1500 series
lightweight access points.
File Transfers
The Cisco Wireless LAN Solution operator can upload and download operating system code,
configuration, and certificate files to and from a Cisco Wireless LAN Controller using CLI commands,
Web User Interface commands, or Cisco WCS.
• To use CLI commands, refer to the “Transferring Files to and from a Controller” section on
• To use Cisco WCS to upgrade software, refer to the Cisco Wireless Control System Configuration
Lightweight access points can receive power via their Ethernet cables from 802.3af-compatible Power
over Ethernet (PoE) devices, which can reduce the cost of discrete power supplies, additional wiring,
conduits, outlets, and installer time. PoE also frees installers from having to mount Cisco 1000 series
lightweight access points or other powered equipment near AC outlets, providing greater flexibility in
positioning Cisco 1000 series lightweight access points for maximum coverage.
When you are using PoE, the installer runs a single CAT-5 cable from each lightweight access point to
PoE-equipped network elements, such as a PoE power hub or a Cisco WLAN Solution Single-Line PoE
Injector. When the PoE equipment determines that the lightweight access point is PoE-enabled, it sends
48 VDC over the unused pairs in the Ethernet cable to power the lightweight access point.
The PoE cable length is limited by the 100BASE-T or 10BASE-T specification to 100 m or 200 m,
respectively.
Lightweight access points can receive power from an 802.3af-compliant device or from the external
power supply.
Chapter 1 Overview
Pico Cell Functionality
A Pico Cell is a small area of wireless provisioning provided by antenna, which allows for a dense
high-bandwidth deployment for installations such as stock exchanges. Pico Cell wireless configurations
require a specific supplicant to function correctly with Pico Cell environments. Off-the-shelf laptop
supplicants are not supported.
NoteDo not attempt to configure Pico Cell functionality within your wireless LAN without consulting your
sales team. Non-standard installation is not supported.
NoteDo not change the configuration database setting unless you are committing to a Pico Cell installation
or without the advice of Cisco technical support.
Pico Cell functionality includes optimization of the operating system (operating system) to support this
functionality as follows:
• The Cisco WCS Pico Cell Mode parameter reconfigures operating system parameters, allowing
operating system to function efficiently in pico cell deployments. Note that when the operator is
deploying a pico cell network the operating system must also have more memory allocated (512 to
2048 MB) using the config database size 2048 CLI command.
• Client mobility between multiple mobility domains when such exist.
• Addition of a WPA2 VFF extension to eliminate the need to re-key after every association. This
allows the re-use of existing PTK and GTK.
• With WPA2 PMK caching and VFF, the PMK cache is transferred as part of context transfer prior
to the authentication phase. This allows expedited handoffs to work for both intra- and inter-Cisco
Wireless LAN Controller roaming events.
1-14
• A beacon/probe response that allows a Cisco 1000 Series lightweight access point to indicate which
Cisco Wireless LAN Controller it is attached to so that reauthorization events only occur when
needed, minimizing inter-Cisco Wireless LAN Controller handoffs and thus reducing CPU usage.
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
• Allows changes to Cisco 1000 series lightweight access point sensitivity for pico cells.
• Allows control of Cisco 1000 series lightweight access point fallback behavior to optimize pico cell
use.
• Supports heat maps for directional antennas.
• Allows specific control over blacklisting events
• Allows configuring and viewing basic LWAPP configuration using the Cisco 1000 series lightweight
access point CLI.
Intrusion Detection Service (IDS)
Intrusion Detection Service includes the following:
• Sensing Clients probing for “ANY” SSID
• Sensing if Cisco 1000 series lightweight access points are being contained
• Notification of MiM Attacks, NetStumbler, Wellenreiter
• Management Frame Detection and RF Jamming Detection
• Spoofed Deauthentication Detection (AirJack, for example)
Intrusion Detection Service (IDS)
• Broadcast Deauthorization Detection
• Null Probe Response Detection
• Fake AP Detection
• Detection of Weak WEP Encryption
• MAC Spoofing Detection
• AP Impersonation Detection
• Honeypot AP Detection
• Valid Station Protection
• Misconfigured AP Protection
• Rogue Access Point Detection
• AD-HOC Detection and Protection
• Wireless Bridge Detection
• Asleep Detection / Protection
Wireless LAN Controller Platforms
Cisco controllers are enterprise-class high-performance wireless switching platforms that support
802.11a and 802.11b/802.11g protocols. They operate under control of the operating system, which
includes the Radio Resource Management (RRM), creating a Cisco WLAN Solution that can
automatically adjust to real-time changes in the 802.11 RF environment. The controllers are built around
high-performance network and security hardware, resulting in highly-reliable 802.11 enterprise
networks with unparalleled security.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
1-15
Wireless LAN Controller Platforms
Cisco 2000 Series Wireless LAN Controllers
The Cisco 2000 Series Wireless LAN Controller is part of the Cisco Wireless LAN Solution. Each 2000
series controller controls up to six Cisco 1000 series lightweight access points, making it ideal for
smaller enterprises and low-density applications.
The Cisco 2000 Series Wireless LAN Controller is a slim 9.5 x 6.0 x 1.6 in. (241 x 152 x 41 mm) chassis
that can be desktop or shelf mounted. The Cisco 2000 Series Wireless LAN Controller front panel has
one POWER LED and four sets of Ethernet LAN Port status LEDs, which indicate 10 MHz or 100 MHz
connections and transmit/receive Activity for the four corresponding back-panel Ethernet LAN
connectors. The Cisco 2000 Series Wireless LAN Controller is shipped with four rubber desktop/shelf
mounting feet.
Cisco 4100 Series Wireless LAN Controllers
The Cisco 4100 Series Wireless LAN Controllers are part of the Cisco Wireless LAN Solution. Each
Cisco 4100 Series Wireless LAN Controller controls up to 36 Cisco 1000 series lightweight access
points, making it ideal for medium-sized enterprises and medium-density applications.
Chapter 1 Overview
Figure 1-4 shows the Cisco 4100 Series Wireless LAN Controller, which has two redundant front-panel
SX/LC jacks. Note that the 1000BASE-SX circuits provides a 100/1000 Mbps wired connection to a
network through an 850nM (SX) fiber-optic link using an LC physical connector.
Figure 1-44100 Series Controller
The Cisco 4100 Series Wireless LAN Controller can be factory-ordered with a VPN/Enhanced Security
Module (Crypto Card) to support VPN, IPSec and other processor-intensive tasks, and contains two
(Cisco 4100 Series Wireless LAN Controller) 1000BASE-SX network connectors that allow the Cisco
4100 Series Wireless LAN Controller to communicate with the network at Gigabit Ethernet speeds. The
1000BASE-SX network connectors provides 100/1000 Mbps wired connections to a network through
850nM (SX) fiber-optic links using LC physical connectors.
The two redundant Gigabit Ethernet connections on the Cisco 4100 Series Wireless LAN Controller
allow the Cisco 4100 Series Wireless LAN Controller to bypass single network failures.
1-16
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
Cisco 4400 Series Wireless LAN Controllers
Cisco 4400 Series Wireless LAN Controllers are part of the Cisco Wireless LAN Solution. Each Cisco
4400 Series Wireless LAN Controller controls up to 100 Cisco 1000 series lightweight access points,
making it ideal for large-sized enterprises and large-density applications.
The 4402 Cisco 4400 Series Wireless LAN Controller has one set of two redundant front-panel SX/LC/T
SFP modules (SFP transceiver, or Small Form-factor Plug-in), and the 4404 Cisco 4400 Series Wireless
LAN Controller has two sets of two redundant front-panel SX/LC/T SFP modules:
• 1000BASE-SX SFP modules provide a 1000 Mbps wired connection to a network through an
850nM (SX) fiber-optic link using an LC physical connector.
• 1000BASE-LX SFP modules provide a 1000 Mbps wired connection to a network through a
1300nM (LX/LH) fiber-optic link using an LC physical connector.
• 1000BASE-T SFP modules provide a 1000 Mbps wired connection to a network through a copper
link using an RJ-45 physical connector.
The one or two sets of redundant Gigabit Ethernet connections on the Cisco 4400 Series Wireless LAN
Controller allow the Cisco 4400 Series Wireless LAN Controller to bypass single network failures.
The Cisco 4400 Series Wireless LAN Controller can be equipped with one or two Cisco 4400 series
power supplies. When the Cisco Wireless LAN Controller is equipped with two Cisco 4400 series power
supplies, the power supplies are redundant and either power supply can continue to power the Cisco 4400
Series Wireless LAN Controller if the other power supply fails.
Wireless LAN Controller Platforms
One Cisco 4400 series power supply is included standard with the Cisco Wireless LAN Controller, and
is installed in Slot 1 at the factory. For redundancy, a second Cisco 4400 series power supply can be
ordered from the factory and may be installed in Slot 2. The same power supply also fits in Slot 1 and
can be used to replace a failed power supply in the field.
Cisco 2000 Series Wireless LAN Controller Model Numbers
Cisco 2000 Series Wireless LAN Controller model number is as follows:
• AIR-WLC2006-K9 — The Cisco 2000 Series Wireless LAN Controller communicates with up to
six Cisco 1000 series lightweight access points.
NoteCisco 2000 Series Wireless LAN Controllers come from the factory with tabletop mounting feet.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
1-17
Wireless LAN Controller Platforms
Cisco 4100 Series Wireless LAN Controller Model Numbers
Cisco 4100 Series Wireless LAN Controller model numbers are as follows:
• AIR-WLC4112-K9 — The Cisco 4100 Series Wireless LAN Controller uses two redundant Gigabit
Ethernet connections to bypass single network failures, and communicates with up to 12 Cisco 1000
series lightweight access points. The 1000BASE-SX Network Adapters provide 100/1000 Mbps
wired connections to a network through 850nM (SX) fiber-optic links using LC physical connectors.
• AIR-WLC4124-K9 — The Cisco 4100 Series Wireless LAN Controller uses two redundant Gigabit
Ethernet connections to bypass single network failures, and communicates with up to 24 Cisco 1000
series lightweight access points.
• AIR-WLC4136-K9 — The Cisco 4100 Series Wireless LAN Controller uses two redundant Gigabit
Ethernet connections to bypass single network failures, and communicates with up to 36 Cisco 1000
series lightweight access points.
NoteCisco 4100 Series Wireless LAN Controller models come from the factory with 19-inch EIA equipment
rack flush-mount ears.
Chapter 1 Overview
The following upgrade module is also available:
• AIR-VPN-4100 — VPN/Enhanced Security Module: Supports VPN, L2TP, IPSec and other
processor-intensive security options. This is a field-installable option for all Cisco 4100 Series
Wireless LAN Controllers.
Cisco 4400 Series Wireless LAN Controller Model Numbers
Cisco 4400 Series Wireless LAN Controller model numbers are as follows:
• AIR-WLC4402-12-K9 — The 4402 Cisco 4400 Series Wireless LAN Controller uses two redundant
Gigabit Ethernet connections to bypass single network failures, and communicates with up to 12
Cisco 1000 series lightweight access points.
• AIR-WLC4402-25-K9 — The 4402 Cisco Wireless LAN Controller uses two redundant Gigabit
Ethernet connections to bypass single network failures, and communicates with up to 25 Cisco 1000
series lightweight access points.
• AIR-WLC4402-50-K9 — The 4402 Cisco Wireless LAN Controller uses two redundant Gigabit
Ethernet connections to bypass single network failures, and communicates with up to 50 Cisco 1000
series lightweight access points.
• AIR-WLC4404-100-K9 — The 4404 Cisco Wireless LAN Controller uses four redundant Gigabit
Ethernet connections to bypass one or two single network failures, and communicates with up to 100
Cisco 1000 series lightweight access points.
1-18
NoteCisco 4400 Series Wireless LAN Controller models come from the factory with integral 19-inch EIA
equipment rack flush-mount ears.
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
Startup Wizard
Wireless LAN Controller Platforms
The 4402 Cisco 4400 Series Wireless LAN Controller uses one set of two redundant front-panel
SX/LC/T SFP modules (SFP transceiver, or Small Form-factor Plug-in), and the 4404 Cisco 4400 Series
Wireless LAN Controller uses two sets of two redundant front-panel SX/LC/T SFP modules:
• 1000BASE-SX SFP modules provide a 1000 Mbps wired connection to a network through an
850nM (SX) fiber-optic link using an LC physical connector.
• 1000BASE-LX SFP modules provide a 1000 Mbps wired connection to a network through a
1300nM (LX/LH) fiber-optic link using an LC physical connector.
• 1000BASE-T SFP modules provide a 1000 Mbps wired connection to a network through a copper
link using an RJ-45 physical connector.
The following power supply module is also available:
• AIR-PWR-4400-AC — All Cisco 4400 series power supplies. One Cisco 4400 series power supply
can power Cisco 4400 series power supplies can power Cisco 4400 series power supplies, the Cisco
4400 series power supplies are redundant.
When an Cisco Wireless LAN Controller is powered up with a new factory operating system software
load or after being reset to factory defaults, the bootup script runs the Startup Wizard, which prompts
the installer for initial configuration. The Startup Wizard:
• Ensures that the Cisco Wireless LAN Controller has a System Name, up to 32 characters.
• Adds an Administrative username and password, each up to 24 characters.
• Ensures that the Cisco Wireless LAN Controller can communicate with the CLI, Cisco WCS, or Web
User interfaces (either directly or indirectly) through the service port by accepting a valid IP
configuration protocol (none or DHCP), and if none, IP Address and netmask. If you do not want to
use the Service port, enter 0.0.0.0 for the IP Address and netmask.
• Ensures that the Cisco Wireless LAN Controller can communicate with the network (802.11
Distribution System) through the management interface by collecting a valid static IP Address,
netmask, default router IP address, VLAN identifier, and physical port assignment.
• Prompts for the IP address of the DHCP server used to supply IP addresses to clients, the Cisco
Wireless LAN Controller Management Interface, and optionally to the Service Port Interface.
• Asks for the LWAPP Transport Mode, described in the “Layer 2 and Layer 3 LWAPP Operation”
section on page 1-7.
• Collects the Virtual Gateway IP Address; any fictitious, unassigned IP address (such as 1.1.1.1) to
be used by Layer 3 Security and Mobility managers.
• Allows you to enter the Mobility Group (RF Group) Name.
• Collects the wireless LAN 1 802.11 SSID, or Network Name.
OL-8335-02
• Asks you to define whether or not clients can use static IP addresses. Yes = more convenient, but
lower security (session can be hijacked), clients can supply their own IP Address, better for devices
that cannot use DHCP. No = less convenient, higher security, clients must DHCP for an IP Address,
works well for Windows XP devices.
• If you want to configure a RADIUS server from the Startup Wizard, the RADIUS server IP address,
communication port, and Secret.
• Collects the Country Code.
Cisco Wireless LAN Controller Configuration Guide
1-19
Wireless LAN Controller Platforms
• Enables and/or disables the 802.11a, 802.11b and 802.11g Cisco 1000 series lightweight access
point networks.
• Enables or disables Radio Resource Management (RRM).
To use the Startup Wizard, refer to the “Using the Configuration Wizard” section on page 4-2.
Cisco Wireless LAN Controller Memory
The Cisco Wireless LAN Controller contain two kinds of memory: volatile RAM, which holds the
current, active Cisco Wireless LAN Controller configuration, and NVRAM (non-volatile RAM), which
holds the reboot configuration. When you are configuring the operating system in a Cisco Wireless LAN
Controller, you are modifying volatile RAM; you must save the configuration from the volatile RAM to
the NVRAM to ensure that the Cisco Wireless LAN Controller reboots in the current configuration.
Knowing which memory you are modifying is important when you are:
• Using the Configuration Wizard
• Clearing the Controller Configuration
• Saving Configurations
• Resetting the Controller
Chapter 1 Overview
• Logging Out of the CLI
Cisco Wireless LAN Controller Failover Protection
Each Cisco Wireless LAN Controller has a defined number of communication ports for Cisco 1000
series lightweight access points. This means that when multiple controllers with unused access point
ports are deployed on the same network, if one controller fails, the dropped access points automatically
poll for unused controller ports and associate with them.
During installation, Cisco recommends that you connect all lightweight access points to a dedicated
controller, and configure each lightweight access point for final operation. This step configures each
lightweight access point for a primary, secondary, and tertiary controller, and allows it to store the
configured WLAN Solution Mobility Group information.
During failover recovery, the configured lightweight access points obtain an IP address from the local
DHCP server (only in Layer 3 Operation), attempt to contact their primary, secondary, and tertiary
controllers, and then attempt to contact the IP addresses of the other controllers in the Mobility group.
This prevents the access points from spending time sending out blind polling messages, resulting in a
faster recovery period.
In multiple-controller deployments, this means that if one controller fails, its dropped access points
reboot and do the following under direction of the Radio Resource Management (RRM):
• Obtain an IP address from a local DHCP server (one on the local subnet).
• If the Cisco 1000 series lightweight access point has a primary, secondary, and tertiary controller
assigned, it attempts to associate with that controller.
1-20
• If the access point has no primary, secondary, or tertiary controllers assigned or if its primary,
secondary, or tertiary controllers are unavailable, it attempts to associate with a master controller on
the same subnet.
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
• If the access point finds no master controller on the same subnet, it attempts to contact stored
Mobility Group members by IP address.
• Should none of the Mobility Group members be available, and if the Cisco 1000 series lightweight
access point has no Primary, Secondary, and Tertiary Cisco Wireless LAN Controllers assigned and
there is no master Cisco Wireless LAN Controller active, it attempts to associate with the
least-loaded Cisco Wireless LAN Controller on the same subnet to respond to its discovery
messages with unused ports.
This means that when sufficient controllers are deployed, should one controller fail, active access point
client sessions are momentarily dropped while the dropped access point associates with an unused port
on another controller, allowing the client device to immediately reassociate and reauthenticate.
Cisco Wireless LAN Controller Automatic Time Setting
Each controller can have its time manually set or can be configured to obtain the current time from one
or more Network Time Protocol (NTP) servers. Each NTP server IP address is added to the controller
database. Each controller searches for an NTP server and obtains the current time upon reboot and at
each user-defined polling interval (daily to weekly).
Wireless LAN Controller Platforms
Cisco Wireless LAN Controller Time Zones
Each Cisco Wireless LAN Controller can have its time zone manually set or can be configured to obtain
the current time from one or more Network Time Protocol (NTP) servers. Each NTP server IP address
is added to the Cisco Wireless LAN Controller database. Each Cisco Wireless LAN Controller can
search for an NTP server and obtain the current time zone upon reboot and at each user-defined (daily
to weekly) polling interval.
Network Connections to Cisco Wireless LAN Controllers
Regardless of operating mode, all Cisco Wireless LAN Controllers use the network as an 802.11
Distribution System. Regardless of the Ethernet port type or speed, each controller monitors and
communicates with its related controllers across the network. The following sections give details of
these network connections:
• Cisco 2000 Series Wireless LAN Controllers, page 1-16
• Cisco 4100 Series Wireless LAN Controllers, page 1-16
• Cisco 4400 Series Wireless LAN Controllers, page 1-17
NoteChapter 3 provides information on configuring the controller’s ports and assigning interfaces to them.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
1-21
Wireless LAN Controller Platforms
Cisco 2000 Series Wireless LAN Controllers
Cisco 2000 Series Wireless LAN Controllers can communicate with the network through any one of its
physical data ports, as the logical management interface can be assigned to one of the ports. The physical
port description follows:
• Up to four 10/100BASE-T cables can plug into the four back-panel data ports on the Cisco 2000
Series Wireless LAN Controller chassis.
Figure 1-5 shows connections to the 2000 series controller.
Figure 1-5Physical Network Connections to the 2000 Series Controller
Chapter 1 Overview
Cisco 4100 Series Wireless LAN Controllers
Cisco 4100 Series Wireless LAN Controllers can communicate with the network through one or two
physical data ports, as the logical management interface can be assigned to one or both ports. The
physical port description follows:
• Two Gigabit Ethernet 1000BASE-SX fiber-optic cables can plug into the LC connectors on the front
of the Cisco 4100 Series Wireless LAN Controller, and they must be connected to the same subnet.
Note that the two Gigabit Ethernet ports are redundant--the first port that becomes active is the
master, and the second port becomes the backup port. If the first connection fails, the standby
connection becomes the master, and the failed connection becomes the backup port.
NoteThe 1000BASE-SX circuits provide 100/1000 Mbps wired connections to the network through 850nM
(SX) fiber-optic links using LC physical connectors.
1-22
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
Wireless LAN Controller Platforms
Figure 1-6 shows connections to the 4100 series controller.
Figure 1-6Physical Network Connections to the 4100 Series Controller
Cisco 4400 Series Wireless LAN Controllers
Cisco 4400 Series Wireless LAN Controllers can communicate with the network through one or two
pairs of physical data ports, and the logical management interface can be assigned to the ports. The
physical port descriptions follows:
• For the 4402 Cisco Wireless LAN Controller, up to two of the following connections are supported
in any combination:
–
1000BASE-T (Gigabit Ethernet, front panel, RJ-45 physical port, UTP cable).
–
1000BASE-SX (Gigabit Ethernet, front panel, LC physical port, multi-mode 850nM (SX)
fiber-optic links using LC physical connectors).
–
1000BASE-LX (Gigabit Ethernet, front panel, LC physical port, multi-mode 1300nM (LX/LH)
fiber-optic links using LC physical connectors).
• For the 4404 Cisco Wireless LAN Controller, up to four of the following connections are supported
in any combination:
–
1000BASE-T (Gigabit Ethernet, front panel, RJ-45 physical port, UTP cable).
–
1000BASE-SX (Gigabit Ethernet, front panel, LC physical port, multi-mode 850nM (SX)
fiber-optic links using LC physical connectors).
–
1000BASE-LX (Gigabit Ethernet, front panel, LX physical port, multi-mode 1300nM (LX/LH)
fiber-optic links using LC physical connectors).
Figure 1-7 shows connections to the 4400 series controller.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
1-23
Rogue Access Points
Figure 1-7Physical Network Connections to 4402 and 4404 Series Controllers
VPN and Enhanced Security Modules for 4100 Series Controllers
Chapter 1 Overview
All 4100 series controllers can be equipped with an optional module that slides into the rear panel of the
controller. The 4100 Series VPN/Enhanced Security Module adds significant hardware encryption
acceleration to the controller, which enables the following through the management interface:
• Provide a built-in VPN server for mission-critical traffic.
• Sustain up to 1 Gbps throughput with Layer 2 and Layer 3 encryption enabled.
• Support high-speed, processor-intensive encryption, such as L2TP, IPSec and 3DES.
Rogue Access Points
Because they are inexpensive and readily available, employees sometimes plug unauthorized rogue
access points into existing LANs and build ad hoc wireless networks without IT department knowledge
or consent.
These rogue access points can be a serious breach of network security because they can be plugged into
a network port behind the corporate firewall. Because employees generally do not enable any security
settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept
network traffic and hijack client sessions. Even more alarming, wireless users and war chalkers
frequently publish unsecure access point locations, increasing the odds of having the enterprise security
breached.
Rather than using a person with a scanner to manually detect rogue access point, the Cisco Wireless LAN
Solution automatically collects information on rogue access point detected by its managed access points,
by MAC and IP Address, and allows the system operator to locate, tag and monitor them. The operating
system can also be used to discourage rogue access point clients by sending them deauthenticate and
disassociate messages from one to four Cisco 1000 series lightweight access points. Finally, the
operating system can be used to automatically discourage all clients attempting to authenticate with all
rogue access point on the enterprise subnet. Because this real-time detection is automated, it saves labor
costs used for detecting and monitoring rogue access point while vastly improving LAN security. Note
that peer-to-peer, or ad-hoc, clients can also be considered rogue access points.
1-24
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 1 Overview
Rogue Access Point Location, Tagging, and Containment
This built-in detection, tagging, monitoring, and containment capability allows system administrators to
take required actions:
• Locate rogue access point as described in the Cisco Wireless Control System Configuration Guide.
• Receive new rogue access point notifications, eliminating hallway scans.
• Monitor unknown rogue access point until they are eliminated or acknowledged.
• Determine the closest authorized access point, making directed scans faster and more effective.
• Contain rogue access points by sending their clients deauthenticate and disassociate messages from
one to four Cisco 1000 series lightweight access points. This containment can be done for individual
rogue access points by MAC address, or can be mandated for all rogue access points connected to
the enterprise subnet.
• Tag rogue access points:
–
Acknowledge rogue access point when they are outside of the LAN and do not compromise the
LAN or wireless LAN security.
–
Accept rogue access point when they do not compromise the LAN or wireless LAN security.
–
Tag rogue access point as unknown until they are eliminated or acknowledged.
Web User Interface and the CLI
–
Tag rogue access point as contained and discourage clients from associating with the rogue
access point by having between one and four Cisco 1000 series lightweight access points
transmit deauthenticate and disassociate messages to all rogue access point clients. This
function contains all active channels on the same rogue access point.
Rogue Detector mode detects whether or not a rogue access point is on a trusted network. It does not
provide RF service of any kind, but rather receives periodic rogue access point reports from the Cisco
Wireless LAN Controller, and sniffs all ARP packets. If it finds a match between an ARP request and a
MAC address it receives from the Cisco Wireless LAN Controller, it generates a rogue access point alert
to the Cisco Wireless LAN Controller.
To facilitate automated rogue access point detection in a crowded RF space, Cisco 1000 series
lightweight access points can be configured to operate in monitor mode, allowing monitoring without
creating unnecessary interference.
Web User Interface and the CLI
This section describes the controller GUI and CLI.
Web User Interface
The Web User Interface is built into each Cisco Wireless LAN Controller. The Web User Interface allows
up to five users to simultaneously browse into the built-in Cisco Wireless LAN Controller http or https
(http + SSL) Web server, configure parameters, and monitor operational status for the Cisco Wireless
LAN Controller and its associated Access Points.
OL-8335-02
NoteCisco recommends that you enable the https: and disable the http: interfaces to ensure more robust
security for your Cisco WLAN Solution.
Cisco Wireless LAN Controller Configuration Guide
1-25
Web User Interface and the CLI
Because the Web User Interface works with one Cisco Wireless LAN Controller at a time, the Web User
Interface is especially useful when you wish to configure or monitor a single Cisco Wireless LAN
Controller and its associated Cisco 1000 series lightweight access points.
Refer to the “Using the Web-Browser Interface” section on page 2-2 for more information on the Web
User Interface.
Command Line Interface
The Cisco Wireless LAN Solution command line interface (CLI) is built into each Cisco Wireless LAN
Controller. The CLI allows operators to use a VT-100 emulator to locally or remotely configure, monitor
and control individual Cisco Wireless LAN Controllers, and to access extensive debugging capabilities.
Because the CLI works with one Cisco Wireless LAN Controller at a time, the command line interface
is especially useful when you wish to configure or monitor a single Cisco Wireless LAN Controller.
The Cisco Wireless LAN Controller and its associated Cisco 1000 series lightweight access points can
be configured and monitored using the command line interface (CLI), which consists of a simple
text-based, tree-structured interface that allows up to five users with Telnet-capable terminal emulators
to simultaneously configure and monitor all aspects of the Cisco Wireless LAN Controller and
associated Cisco 1000 series lightweight access points.
Refer to “Using the CLI” section on page 2-5 and the Cisco Wireless LAN Solution CLI Reference for
more information.
Chapter 1 Overview
1-26
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
CHAPTER
2
Using the Web-Browser and CLI Interfaces
This chapter describes the web-browser and CLI interfaces that you use to configure the controllers. It
contains these sections:
• Using the Web-Browser Interface, page 2-2
• Enabling Web and Secure Web Modes, page 2-2
• Using the CLI, page 2-5
• Enabling Wireless Connections to the Web-Browser and CLI Interfaces, page 2-8
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
2-1
Using the Web-Browser Interface
Using the Web-Browser Interface
The web-browser interface (hereafter called the GUI) allows up to five users to browse simultaneously
into the controller http or https (http + SSL) management pages to configure parameters and monitor
operational status for the controller and its associated access points.
Guidelines for Using the GUI
Keep these guidelines in mind when using the GUI:
• The GUI must be used on a PC running Windows XP SP1 or higher or Windows 2000 SP4 or higher.
• The GUI is fully compatible with Microsoft Internet Explorer version 6.0 SP1 or higher.
NoteOpera, Mozilla, and Netscape are not supported.
• You can use either the service port interface or the management interface to open the GUI. Cisco
recommends that you use the service-port interface. Refer to the Configuring the Service Port
section on page x for instructions on configuring the service port interface.
• You might need to disable your browser’s pop-up blocker to view the online help.
Chapter 2 Using the Web-Browser and CLI Interfaces
Opening the GUI
To open the GUI, enter the controller IP address in the browser’s address line. For an unsecure
connection enter http://ip-address. For a secure connection, enter https://ip-address. See the
“Configuring the GUI for HTTPS” section on page 2-2 for instructions on setting up HTTPS.
Enabling Web and Secure Web Modes
Use these commands to enable or disable the distribution system port as a web port or as a secure web
port:
• config network webmode {enable | disable}
• config network secureweb {enable | disable}
Web and secure web modes are enabled by default.
Configuring the GUI for HTTPS
You can protect communication with the GUI by enabling HTTPS. HTTPS protects HTTP browser
sessions by using the Secure Socket Layer (SSL) protocol. When you enable HTTPS, the controller
generates its own local Web Administration SSL certificate and automatically applies it to the GUI.
You can also load an externally generated certificate. Follow the instructions in the “Loading an
Externally Generated HTTPS Certificate” section on page 2-3 for instructions on loading an externally
generated certificate.
2-2
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 2 Using the Web-Browser and CLI Interfaces
Using the CLI, follow these steps to enable HTTPS:
Step 1Enter show certificate summary to verify that the controller has generated a certificate:
>show certificate summary
Web Administration Certificate................. Locally Generated
Web Authentication Certificate................. Locally Generated
Certificate compatibility mode:................ off
Step 2(Optional) If you need to generate a new certificate, enter this command:
>config certificate generate webadmin
After a few seconds the controller verifies that the certificate is generated:
Web Administration certificate has been generated
Step 3Enter this command to enable HTTPS:
>config network secureweb enable
Step 4Save the SSL certificate, key, and secure web password to NVRAM (non-volatile RAM) so your changes
are retained across reboots:
>save config
Are you sure you want to save? (y/n) y
Configuration Saved!
Enabling Web and Secure Web Modes
Step 5Reboot the controller:
>reset system
Are you sure you would like to reset the system? (y/n) y
System will now restart!
The controller reboots.
Loading an Externally Generated HTTPS Certificate
You use a TFTP server to load the certificate. Follow these guidelines for using TFTP:
• If you load the certificate through the service port, the TFTP server must be on the same subnet as
the controller because the service port is not routable. However, if you load the certificate through
the distribution system (DS) network port, the TFTP server can be on any subnet.
• The TFTP server cannot run on the same computer as the Cisco Wireless Control System (WCS)
because WCS and the TFTP server use the same communication port.
NoteEvery HTTPS certificate contains an embedded RSA Key. The length of the RSA key can vary from 512
bits, which is relatively insecure, through thousands of bits, which is very secure. When you obtain a
new certificate from a Certificate Authority, make sure the RSA key embedded in the certificate is at
least 768 bits long.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
2-3
Enabling Web and Secure Web Modes
Follow these steps to load an externally generated HTTPS certificate:
Step 1Use a password to encrypt the HTTPS certificate in a .PEM-encoded file. The PEM-encoded file is called
a Web Administration Certificate file (webadmincert_name.pem).
Step 2Move the webadmincert_name.pem file to the default directory on your TFTP server.
Step 3In the CLI, enter transfer download start and answer n to the prompt to view the current download
Are you sure you want to start? (y/n) y
TFTP Webadmin cert transfer starting.
Certificate installed.
Please restart the switch (reset system) to use the new certificate.
Step 7Enter this command to enable HTTPS:
>config network secureweb enable
Step 8Save the SSL certificate, key, and secure web password to NVRAM (non-volatile RAM) so your changes
are retained across reboots:
>save config
Are you sure you want to save? (y/n) y
Configuration Saved!
2-4
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 2 Using the Web-Browser and CLI Interfaces
Step 9Reboot the controller:
>reset system
Are you sure you would like to reset the system? (y/n) y
System will now restart!
The controller reboots.
Disabling the GUI
To prevent all use of the GUI, select the Disable Web-Based Management check box on the Services:
HTTP-Web Server page and click Apply.
To re-enable the GUI, enter this command on the CLI:
>ip http server
Using the CLI
Using Online Help
Click the help icon at the top of any page in the GUI to display online help. You might have to disable
the browser pop-up blocker to view online help.
Using the CLI
The CLI allows you to use a VT-100 emulator to locally or remotely configure, monitor, and control a
WLAN controller and its associated lightweight access points. The CLI is a simple text-based,
tree-structured interface that allows up to five users with Telnet-capable terminal emulators to access the
controller.
Logging into the CLI
You access the CLI using either of two methods:
• A direct ASCII serial connection to the controller console port
• A remote console session over Ethernet through the pre-configured Service Port or through
Distribution System Ports
Before you log into the CLI, configure your connectivity and environment variables based on the type
of connection you use.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
2-5
Using the CLI
Using a Local Serial Connection
You need these items to connect to the serial port:
• A computer that has a DB-9 serial port and is running a terminal emulation program
• A DB-9 male-to-female null-modem serial cable
Follow these steps to log into the CLI through the serial port.
Step 1Connect your computer to the controller using the DB-9 null-modem serial cable.
Step 2Open a terminal emulator session using these settings:
• 9600 baud
• 8 data bits
• 1 stop bit
• no parity
• no hardware flow control
Step 3At the prompt, log into the CLI. The default username is admin, and the default password is admin.
Chapter 2 Using the Web-Browser and CLI Interfaces
NoteThe controller serial port is set for a 9600 baud rate and a short timeout. If you would like to change
either of these values, enter config serial baudratebaudrate and config serial timeout timeout to make
your changes. If you enter config serial timeout 0, serial sessions never time out.
Using a Remote Ethernet Connection
You need these items to connect to a controller remotely:
• A computer with access to the controller over the Ethernet network
• The IP Address of the controller
• A terminal emulation program or a DOS shell for the Telnet session
NoteBy default, controllers block Telnet sessions. You must use a local connection to the serial port to enable
Telnet sessions.
Follow these steps to log into the CLI through the serial port:
Step 1Verify that your terminal emulator or DOS shell interface is configured with these parameters:
• Ethernet address
2-6
• Port 23
Step 2Use the controller IP address to Telnet to the CLI.
Step 3At the prompt, log into the CLI. The default username is admin and the default password is admin.
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 2 Using the Web-Browser and CLI Interfaces
Logging Out of the CLI
When you finish using the CLI, navigate to the root level and enter logout. The system prompts you to
save any changes you made to the volatile RAM.
Navigating the CLI
The is organized around five levels:
Root Level
Level 2
Level 3
Level 4
Level 5
When you log into the CLI, you are at the root level. From the root level, you can enter any full command
without first navigating to the correct command level. Table 2-1 lists commands you use to navigate the
CLI and to perform common tasks.
Using the CLI
Table 2-1Commands for CLI Navigation and Common Tasks
CommandAction
helpAt the root level, view systemwide navigation
commands
?View commands available at the current level
command ?View parameters for a specific command
exitMove down one level
Ctrl-ZReturn from any level to the root level
save configAt the root level, save configuration changes from
active working RAM to non-volatile RAM
(NVRAM) so they are retained after reboot
reset systemAt the root level, reset the controller without
logging out
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
2-7
Chapter 2 Using the Web-Browser and CLI Interfaces
Enabling Wireless Connections to the Web-Browser and CLI Interfaces
Enabling Wireless Connections to the Web-Browser and
CLI Interfaces
You can monitor and configure controllers using a wireless client. This feature is supported for all
management tasks except uploads from and downloads to the controller.
Before you can open the GUI or the CLI from a wireless client device you must configure the controller
to allow the connection. Follow these steps to enable wireless connections to the GUI or CLI:
Step 1Log into the CLI.
Step 2Enter config network mgmt-via-wireless enable
Step 3Use a wireless client to associate to a lightweight access point connected to the controller.
Step 4On the wireless client, open a Telnet session to the controller, or browse to the controller GUI.
TipTo use the controller GUI to enable wireless connections, browse to the Management Via Wireless page
and select the Enable Controller Management to be accessible from Wireless Clients check box.
2-8
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
CHAPTER
3
Configuring Ports and Interfaces
This chapter describes the controller’s physical ports and interfaces and provides instructions for
configuring them. It contains these sections:
• Overview of Ports and Interfaces, page 3-2
• Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces, page 3-9
• Configuring Dynamic Interfaces, page 3-14
• Configuring Ports, page 3-17
• Enabling Link Aggregation, page 3-27
• Configuring a 4400 Series Controller to Support More Than 48 Access Points, page 3-30
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
3-1
Overview of Ports and Interfaces
Overview of Ports and Interfaces
Three concepts are key to understanding how controllers connect to a wireless network: ports, interfaces,
and WLANs.
Ports
A port is a physical entity that is used for connections on the controller platform. Controllers have two
types of ports: distribution system ports and a service port. The following figures show the ports
available on each controller.
NoteThe controller in a Cisco Integrated Services Router and the controllers on the Cisco WiSM do not have
external physical ports. They connect to the network through ports on the router or switch, respectively.
Figure 3-1Ports on the Cisco 2000 Series Wireless LAN Controllers
Chapter 3 Configuring Ports and Interfaces
Serial console
port
Distribution
system ports 1-3
Figure 3-2Ports on the Cisco 4100 Series Wireless LAN Controllers
LinkActivity
Service
Service
port
Console
Serial
console port
Status
1000Base-X Activity
Alarm
In Use
Distribution system
ports 1-2
Figure 3-3Ports on the Cisco 4400 Series Wireless LAN Controllers
LINK
ACT
SERVICE
CONSOLE
STATUS
ALARM
LINK
PS1
PS2
ACT
UTILITY
LINK
ACT
1
234
LINK
ACT
Service
port
Serial
console port
Distribution system
ports 1-4
155242
Distribution
system port 4
LinkIn Use
146993
146999
3-2
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
NoteFigure 3-3 shows a Cisco 4404 controller. The Cisco 4402 controller is similar but has only two
distribution system ports.
Table 3- 1 provides a list of ports per controller.
within the Cisco 28/37/38xx
Series Integrated Services
Routers
Overview of Ports and Interfaces
Distribution System
Ethernet PortsSerial Console Port
None11
Distribution System Ports
A distribution system port connects the controller to a neighbor switch and serves as the data path
between these two devices.
• Cisco 2000 series controllers have four 10/100 copper Ethernet distribution system ports through
which the controller can support up to six access points.
• Cisco 4100 series controllers have two fiber gigabit Ethernet distribution system ports through
which the controller can support up to 36 access points.
• Cisco 4402 controllers have two gigabit Ethernet distribution system ports, each of which is capable
of managing up to 48 access points. However, Cisco recommends no more than 25 access points per
port due to bandwidth constraints. The 4402-25 and 4402-50 models allow a total of 25 or 50 access
points to join the controller.
• Cisco 4404 controllers have four gigabit Ethernet distribution system ports, each of which is capable
of managing up to 48 access points. However, Cisco recommends no more than 25 access points per
port due to bandwidth constraints. The 4404-25, 4404-50, and 4404-100 models allow a total of 25,
50, or 100 access points to join the controller.
NoteThe gigabit Ethernet ports on the 4402 and 4404 controllers accept these SX/LC/T small
form-factor plug-in (SFP) modules:
- 1000BASE-SX SFP modules, which provide a 1000-Mbps wired connection to a network
through an 850nM (SX) fiber-optic link using an LC physical connector
- 1000BASE-LX SFP modules, which provide a 1000-Mbps wired connection to a network
through a 1300nM (LX/LH) fiber-optic link using an LC physical connector
- 1000BASE-T SFP modules, which provide a 1000-Mbps wired connection to a network
through a copper link using an RJ-45 physical connector
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
3-3
Overview of Ports and Interfaces
• The Cisco WiSM has eight gigabit Ethernet distribution system ports, which are located on the
Catalyst 6500 switch backplane. Through these ports, the controller can support up to 300 access
points.
• The Controller Network Module within the Cisco 28/37/38xx Series Integrated Services Routers has
one Fast Ethernet distribution system port, which is located on the router backplane. Through this
port, the controller can support up to six access points.
NoteRefer to the “Configuring a 4400 Series Controller to Support More Than 48 Access Points” section on
page 3-30 if you want to configure your Cisco 4400 series controller to support more than 48 access
points.
Each distribution system port is, by default, an 802.1Q VLAN trunk port. The VLAN trunking
characteristics of the port are not configurable.
NoteSome controllers support link aggregation (LAG), which bundles all of the controller’s distribution
system ports into a single 802.3ad port channel. Cisco 4400 series controllers support LAG in software
release 3.2 and higher, and LAG is enabled automatically on the Cisco WiSM controllers. Refer to the
“Enabling Link Aggregation” section on page 3-27 for more information.
Chapter 3 Configuring Ports and Interfaces
Service Port
Cisco 4100 and 4400 series controllers also have a 10/100 copper Ethernet service port. The service port
is controlled by the service-port interface and is reserved for out-of-band management of the controller
and system recovery and maintenance in the event of a network failure. It is also the only port that is
active when the controller is in boot mode. The service port is not capable of carrying 802.1Q tags, so it
must be connected to an access port on the neighbor switch. Use of the service port is optional.
NoteThe Cisco WiSM’s 4404 controllers use the service port for internal protocol communication between
the controllers and the Supervisor 720.
NoteThe Cisco 2000 series controller and the controller in the Cisco Integrated Services Router do not have
a service port.
NoteThe service port is not auto-sensing. You must use the correct straight-through or crossover Ethernet
cable to communicate with the service port.
3-4
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
Interfaces
An interface is a logical entity on the controller. An interface has multiple parameters associated with
it, including an IP address, default-gateway (for the IP subnet), primary physical port, secondary
physical port, VLAN identifier, and DHCP server.
These five types of interfaces are available on the controller. Four of these are static and are configured
at setup time:
• Management interface (Static and configured at setup time; mandatory)
• AP-manager interface (When using Layer 3 LWAPP, static and configured at setup time; mandatory)
• Virtual interface (Static and configured at setup time; mandatory)
• Service-port interface (Static and configured at setup time; optional)
• Dynamic interface (User-defined)
Each interface is mapped to at least one primary port, and some interfaces (management and dynamic)
can be mapped to an optional secondary (or backup) port. If the primary port for an interface fails, the
interface automatically moves to the backup port. In addition, multiple interfaces can be mapped to a
single controller port.
Overview of Ports and Interfaces
NoteRefer to the “Enabling Link Aggregation” section on page 3-27 if you want to configure the controller
to dynamically map the interfaces to a single port channel rather than having to configure primary and
secondary ports for each interface.
Management Interface
The management interface is the default interface for in-band management of the controller and
connectivity to enterprise services such as AAA servers. The management interface has the only
consistently “pingable” in-band interface IP address on the controller. You can access the controller’s
GUI by entering the controller’s management interface IP address in Internet Explorer’s Address field.
The management interface is also used for Layer 2 communications between the controller and Cisco
1000 series lightweight access points. It must be assigned to distribution system port 1 but can also be
mapped to a backup port and can be assigned to WLANs if desired. It may be on the same VLAN or IP
subnet as the AP-manager interface. However, the management interface can also communicate through
the other distribution system ports as follows:
• Sends messages through the Layer 2 network to autodiscover and communicate with other
controllers through all distribution system ports.
• Listens across the Layer 2 network for Cisco 1000 series lightweight access point LWAPP polling
messages to autodiscover, associate to, and communicate with as many Cisco 1000 series
lightweight access points as possible.
When LWAPP communications are set to Layer 2 (same subnet) mode, the controller requires one
management interface to control all inter-controller and all controller-to-access point communications,
regardless of the number of ports. When LWAPP communications are set to Layer 3 (different subnet)
mode, the controller requires one management interface to control all inter-controller communications
and one AP-manager interface to control all controller-to-access point communications, regardless of the
number of ports.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
3-5
Overview of Ports and Interfaces
NoteIf the service port is in use, the management interface must be on a different subnet from the service-port
interface.
AP-Manager Interface
A controller has one or more AP-manager interfaces, which are used for all Layer 3 communications
between the controller and lightweight access points after the access points have joined the controller.
The AP-manager IP address is used as the tunnel source for LWAPP packets from the controller to the
access point and as the destination for LWAPP packets from the access point to the controller.
The static (or permanent) AP-manager interface must be assigned to distribution system port 1 and must
have a unique IP address. It cannot be mapped to a backup port. It is usually configured on the same
VLAN or IP subnet as the management interface, but this is not a requirement. The AP-manager
interface can communicate through any distribution system port as follows:
• Sends Layer 3 messages through the network to autodiscover and communicate with other
• Listens across the network for Layer 3 lightweight access point LWAPP polling messages to
Chapter 3 Configuring Ports and Interfaces
controllers.
autodiscover, associate to, and communicate with as many lightweight access points as possible.
NoteRefer to the “Using Multiple AP-Manager Interfaces” section on page 3-31 for information on creating
NoteWhen LAG is disabled, you must assign an AP-manager interface to each port on the controller.
Virtual Interface
and using multiple AP-manager interfaces.
The virtual interface is used to support mobility management, Dynamic Host Configuration Protocol
(DHCP) relay, and embedded Layer 3 security such as guest web authentication and VPN termination.
It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify
the source of certificates when Layer 3 web authorization is enabled.
Specifically, the virtual interface plays these three primary roles:
• Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP
server.
• Serves as the redirect address for the Web Authentication Login window.
NoteSee Chapter 5 for additional information on web authentication.
• Acts as part of the IPSec configuration when the controller is used to terminate IPSec tunnels
between wireless clients and the controller.
3-6
The virtual interface IP address is used only in communications between the controller and wireless
clients. It never appears as the source or destination address of a packet that goes out a distribution
system port and onto the switched network. For the system to operate correctly, the virtual interface IP
address must be set (it cannot be 0.0.0.0), and no other device on the network can have the same address
as the virtual interface. Therefore, the virtual interface must be configured with an unassigned and
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
unused gateway IP address, such as 1.1.1.1. The virtual interface IP address is not pingable and should
not exist in any routing table in your network. In addition, the virtual interface cannot be mapped to a
backup port.
NoteAll controllers within a mobility group must be configured with the same virtual interface IP address.
Otherwise, inter-controller roaming may appear to work, but the hand-off does not complete, and the
client loses connectivity for a period of time.
Service-Port Interface
The service-port interface controls communications through and is statically mapped by the system to
the service port. It must have an IP address on a different subnet from the management, AP-manager,
and any dynamic interfaces, and it cannot be mapped to a backup port. This configuration enables you
to manage the controller directly or through a dedicated operating system network, such as 10.1.2.x,
which can ensure service access during network downtime.
The service port can obtain an IP address using DHCP, or it can be assigned a static IP address, but a
default gateway cannot be assigned to the service-port interface. Static routes can be defined through the
controller for remote network access to the service port.
Overview of Ports and Interfaces
NoteOnly Cisco 4100 and 4400 series controllers have a service-port interface.
NoteYou must configure an IP address on the service-port interface of both Cisco WiSM controllers.
Dynamic Interface
NoteTagged VLANs must be used for dynamic interfaces.
Otherwise, the neighbor switch is unable to check the status of each controller.
Dynamic interfaces, also known as VLAN interfaces, are created by users and designed to be analogous
to VLANs for wireless LAN clients. A controller can support up to 512 dynamic interfaces (VLANs).
Each dynamic interface is individually configured and allows separate communication streams to exist
on any or all of a controller’s distribution system ports. Each dynamic interface controls VLAN and other
communications between controllers and all other network devices, and each acts as a DHCP relay for
wireless clients associated to WLANs mapped to the interface. You can assign dynamic interfaces to
distribution system ports, WLANs, the Layer 2 management interface, and the Layer 3 AP-manager
interface, and you can map the dynamic interface to a backup port.
You can configure zero, one, or multiple dynamic interfaces on a distribution system port. However, all
dynamic interfaces must be on a different VLAN or IP subnet from all other interfaces configured on the
port. If the port is untagged, all dynamic interfaces must be on a different IP subnet from any other
interface configured on the port.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
3-7
Overview of Ports and Interfaces
WLANs
NoteChapter 6 provides instructions for configuring WLANs.
Chapter 3 Configuring Ports and Interfaces
A WLAN associates a service set identifier (SSID) to an interface. It is configured with security, quality
of service (QoS), radio policies, and other wireless network parameters. Up to 16 access point WLANs
can be configured per controller.
Figure 3-4 illustrates the relationship between ports, interfaces, and WLANs.
Figure 3-4Ports, Interfaces, and WLANs
3-8
As shown in Figure 3-4, each controller port connection is an 802.1Q trunk and should be configured as
such on the neighbor switch. On Cisco switches, the native VLAN of an 802.1Q trunk is an untagged
VLAN. Therefore, if you configure an interface to use the native VLAN on a neighboring Cisco switch,
make sure you configure the interface on the controller to be untagged.
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
NoteA zero value for the VLAN identifier (on the Controller > Interfaces page) means that the interface is
untagged.
The default (untagged) native VLAN on Cisco switches is VLAN 1. When controller interfaces are
configured as tagged (meaning that the VLAN identifier is set to a non-zero value), the VLAN must be
allowed on the 802.1Q trunk configuration on the neighbor switch and not be the native untagged VLAN.
Cisco recommends that only tagged VLANs be used on the controller. You should also allow only
relevant VLANs on the neighbor switch’s 802.1Q trunk connections to controller ports. All other
VLANs should be disallowed or pruned in the switch port trunk configuration. This practice is extremely
important for optimal performance of the controller.
NoteCisco recommends that you assign one set of VLANs for WLANs and a different set of VLANs for
management interfaces to ensure that controllers properly route VLAN traffic.
Follow the instructions on the pages indicated to configure your controller’s interfaces and ports:
• Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces, page 3-9
• Configuring Dynamic Interfaces, page 3-14
Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces
• Configuring Ports, page 3-17
• Enabling Link Aggregation, page 3-27
• Configuring a 4400 Series Controller to Support More Than 48 Access Points, page 3-30
Configuring the Management, AP-Manager, Virtual, and
Service-Port Interfaces
Typically, you define the management, AP-manager, virtual, and service-port interface parameters using
the Startup Wizard. However, you can display and configure interface parameters through either the GUI
or CLI after the controller is running.
Using the GUI to Configure the Management, AP-Manager, Virtual, and
Service-Port Interfaces
Follow these steps to display and configure the management, AP-manager, virtual, and service-port
interface parameters using the GUI.
Step 1Click Controller > Interfaces to access the Interfaces page (see Figure 3-5).
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
3-9
Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces
Figure 3-5Interfaces Page
This page shows the current controller interface settings.
Chapter 3 Configuring Ports and Interfaces
Step 2If you want to modify the settings of a particular interface, click the interface’s Edit link. The Interfaces
> Edit page for that interface appears.
Step 3Configure the following parameters for each interface type:
Management Interface
NoteThe management interface uses the controller’s factory-set distribution system MAC address.
• VLAN identifier
NoteEnter 0 for an untagged VLAN or a non-zero value for a tagged VLAN. Cisco recommends
that only tagged VLANs be used on the controller.
• Fixed IP address, IP netmask, and default gateway
• Physical port assignment
• Primary and secondary DHCP servers
• Access control list (ACL) setting, if required
NoteTo create ACLs, follow the instructions in Chapter 5.
3-10
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
AP-Manager Interface
• VLAN identifier
NoteEnter 0 for an untagged VLAN or a non-zero value for a tagged VLAN. Cisco recommends
that only tagged VLANs be used on the controller.
• Fixed IP address, IP netmask, and default gateway
NoteThe AP-manager interface’s IP address must be different from the management interface’s
IP address but must be on the same subnet as the management interface.
• Physical port assignment
• Primary and secondary DHCP servers
• Access control list (ACL) name, if required
NoteTo create ACLs, follow the instructions in Chapter 5.
Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces
Virtual Interface
• Any fictitious, unassigned, and unused gateway IP address, such as 1.1.1.1
• DNS gateway host name
Service-Port Interface
NoteThe service-port interface uses the controller’s factory-set service-port MAC address.
• DHCP protocol (enabled) or
• DHCP protocol (disabled) and IP address and IP netmask
Step 4Click Save Configuration to save your changes.
Step 5If you made any changes to the virtual interface, reboot the controller so your changes take effect.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
3-11
Chapter 3 Configuring Ports and Interfaces
Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces
Using the CLI to Configure the Management, AP-Manager, Virtual, and
Service-Port Interfaces
This section provides instructions for displaying and configuring the management, AP-manager, virtual,
and service-port interfaces using the CLI.
Using the CLI to Configure the Management Interface
Follow these steps to display and configure the management interface parameters using the CLI.
Step 1Enter show interface detailed management to view the current management interface settings.
NoteThe management interface uses the controller’s factory-set distribution system MAC address.
Step 2Enter config wlan disablewlan-number to disable each WLAN that uses the management interface for
distribution system communication.
Step 3Enter these commands to define the management interface:
NoteTo create ACLs, follow the instructions in Chapter 5.
Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces
Step 5Enter show interface detailed ap-manager to verify that your changes have been saved.
Using the CLI to Configure the Virtual Interface
Follow these steps to display and configure the virtual interface parameters using the CLI.
Step 1Enter show interface detailed virtual to view the current virtual interface settings.
Step 2Enter config wlan disablewlan-number to disable each WLAN that uses the virtual interface for
distribution system communication.
Step 3Enter these commands to define the virtual interface:
• config interface address virtual ip-address
NoteFor ip-address, enter any fictitious, unassigned, and unused gateway IP address, such as
1.1.1.1.
• config interface hostname virtual dns-host-name
Step 4Enter reset system. At the confirmation prompt, enter Y to save your configuration changes to NVRAM.
The controller reboots.
Step 5Enter show interface detailed virtual to verify that your changes have been saved.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
3-13
Configuring Dynamic Interfaces
Using the CLI to Configure the Service-Port Interface
Follow these steps to display and configure the service-port interface parameters using the CLI.
Step 1Enter show interface detailed service-port to view the current service-port interface settings.
NoteThe service-port interface uses the controller’s factory-set service-port MAC address.
Step 2Enter these commands to define the service-port interface:
• To configure the DHCP server: config interface dhcp service-port ip-address-of-primary-dhcp-
server [ip-address-of-secondary-dhcp-server]
• To disable the DHCP server: config interface dhcp service-port none
• To configure the IP address: config interface address service-port ip-addr ip-netmaskgateway
Step 3The service port is used for out-of-band management of the controller. If the management workstation
is in a remote subnet, you may need to add a route on the controller in order to manage the controller
from that remote workstation. To do so, enter this command:
config routenetwork-ip-addr ip-netmaskgateway
Chapter 3 Configuring Ports and Interfaces
Step 4Enter show interface detailed service-port to verify that your changes have been saved.
Configuring Dynamic Interfaces
This section provides instructions for configuring dynamic interfaces using either the GUI or CLI.
Using the GUI to Configure Dynamic Interfaces
Follow these steps to create new or edit existing dynamic interfaces using the GUI.
Step 1Click Controller > Interfaces to access the Interfaces page (see Figure 3-5).
Step 2Perform one of the following:
• To create a new dynamic interface, click New. The Interfaces > New page appears (see Figure 3-6).
Go to Step 3.
• To modify the settings of an existing dynamic interface, click the interface’s Edit link. The
Interfaces > Edit page for that interface appears (see Figure 3-7). Go to Step 5.
• To delete an existing dynamic interface, click the interface’s Remove link.
3-14
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
Figure 3-6Interfaces > New Page
Step 3Enter an interface name and a VLAN identifier, as shown in Figure 3-6.
Configuring Dynamic Interfaces
NoteEnter a non-zero value for the VLAN identifier. Tagged VLANs must be used for dynamic
interfaces.
Step 4Click Apply to commit your changes. The Interfaces > Edit page appears (see Figure 3-7).
Figure 3-7Interfaces > Edit Page
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
3-15
Configuring Dynamic Interfaces
Step 5Configure the following parameters:
• VLAN identifier
• Fixed IP address, IP netmask, and default gateway
• Physical port assignment
• Primary and secondary DHCP servers
• Access control list (ACL) name, if required
NoteTo ensure proper operation, you must set the Port Number and Primary DHCP Server
Step 6Click Save Configuration to save your changes.
Step 7Repeat this procedure for each dynamic interface that you want to create or edit.
Chapter 3 Configuring Ports and Interfaces
NoteTo create ACLs, follow the instructions in Chapter 5.
parameters.
Using the CLI to Configure Dynamic Interfaces
Follow these steps to configure dynamic interfaces using the CLI.
Step 1Enter show interface summary to view the current dynamic interfaces.
Step 2To view the details of a specific dynamic interface, enter show interface detailed
operator-defined-interface-name.
Step 3Enter config wlan disable wlan-number to disable each WLAN that uses the dynamic interface for
distribution system communication.
Step 4Enter these commands to configure dynamic interfaces:
• config interface createoperator-defined-interface-name {vlan-id | x }
NoteEnter a non-zero value for the VLAN identifier. Tagged VLANs must be used for dynamic
NoteTo create ACLs, follow the instructions in Chapter 5.
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
Step 5Enter show interface detailed operator-defined-interface-name and show interface summary to verify
that your changes have been saved.
NoteIf desired, you can enter config interface deleteoperator-defined-interface-name to delete a dynamic
interface.
Configuring Ports
The controller’s ports are preconfigured with factory default settings designed to make the controllers’
ports operational without additional configuration. However, you can view the status of the controller’s
ports and edit their configuration parameters at any time.
Follow these steps to use the GUI to view the status of the controller’s ports and make any configuration
changes if necessary.
Configuring Ports
Step 1Click Controller > Ports to access the Ports page (see Figure 3-8).
Figure 3-8Ports Page
This page shows the current configuration for each of the controller’s ports.
Step 2If you want to change the settings of any port, click the Edit link for that specific port. The Port >
Configure page appears (see Figure 3-9).
OL-8335-02
NoteThe number of parameters available on the Port > Configure page depends on your controller
type. For instance, Cisco 2000 series controllers and the controller in a Cisco Integrated Services
Router have fewer configurable parameters than a Cisco 4400 series controller, which is shown
in Figure 3-9.
Cisco Wireless LAN Controller Configuration Guide
3-17
Configuring Ports
Chapter 3 Configuring Ports and Interfaces
Figure 3-9Port > Configure Page
Table 3- 2 interprets the current status of the port.
Ta b l e 3 - 2P o r t S t a tu s
ParameterDescription
Port NumberThe number of the current port.
Physical StatusThe data rate being used by the port. The available data rates vary based
on controller type.
ControllerAvailable Data Rates
4400 and
1000 Mbps full duplex
4100 series
2000 series10 or 100 Mbps, half or full duplex
WiSM1000 Mbps full duplex
Integrated
100 Mbps full duplex
Services
Routers
Link StatusThe port’s link status.
Val ue s: Link Up or Link Down
3-18
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
Ta b l e 3 - 2P o r t S t a tu s
ParameterDescription
Power Over Ethernet (PoE)Determines if the connecting device is equipped to receive power
Step 3Table 3- 3 lists and describes the port’s configurable parameters. Follow the instructions in the table to
make any desired changes.
Table 3-3Port Parameters
ParameterDescription
Admin StatusEnables or disables the flow of traffic through the port.
Configuring Ports
through the Ethernet cable and if so provides -48 VDC.
Val ue s: Enable or Disable
NoteSome older Cisco access points do not draw PoE even if it is
enabled on the controller port. In such cases, contact the Cisco
Technical Assistance Center (TAC).
Options: Enable or Disable
Default: Enable
NoteAdministratively disabling the port does not affect the port’s
link status.The link can be brought down only by other Cisco
devices.
Physical ModeDetermines whether the port’s data rate is set automatically or specified
by the user. The supported data rates vary based on controller type.
Default: Auto
ControllerSupported Data Rates
4400 and
Auto or 1000 Mbps full duplex
4100 series
2000 seriesAuto or 10 or 100 Mbps, half or full duplex
WiSMAuto or 1000 Mbps full duplex
Integrated
Auto or 100 Mbps full duplex
Services
Routers
Link TrapCauses the port to send a trap when the port’s link status changes.
Options: Enable or Disable
Default: Enable
Multicast Appliance ModeEnables or disables the multicast appliance service for this port.
Options: Enable or Disable
OL-8335-02
Default: Enable
Cisco Wireless LAN Controller Configuration Guide
3-19
Configuring Ports
Step 4Click Save Configuration to save your changes.
Step 5Click Back to return to the Ports page and review your changes.
Step 6Repeat this procedure for each additional port that you want to configure.
Step 7Go to the following sections if you want to configure the controller’s ports for these advanced features:
• Port mirroring, see below
• Spanning Tree Protocol (STP), page 3-21
Configuring Port Mirroring
Mirror mode enables you to duplicate to another port all of the traffic originating from or terminating at
a single client device or access point. It is useful in diagnosing specific network problems. Mirror mode
should be enabled only on an unused port as any connections to this port become unresponsive.
Note4100 series and WiSM controllers do not support mirror mode. Also, a controller’s service port cannot
be used as a mirrored port.
Chapter 3 Configuring Ports and Interfaces
NotePort mirroring is not supported when link aggregation (LAG) is enabled on the controller.
NoteCisco recommends that you do not mirror traffic from one controller port to another as this setup could
cause network problems.
Follow these steps to enable port mirroring.
Step 1Click Controller > Ports to access the Ports page (see Figure 3-8).
Step 2Click Edit for the unused port for which you want to enable mirror mode. The Port > Configure page
appears (see Figure 3-9).
Step 3Set the Mirror Mode parameter to Enable.
Step 4Click Save Configuration to save your changes.
Step 5Perform one of the following:
• Follow these steps if you want to choose a specific client device that will mirror its traffic to the port
you selected on the controller:
a. Click Wireless > Clients to access the Clients page.
b. Click Detail for the client on which you want to enable mirror mode. The Clients > Detail page
appears.
c. Under Client Details, set the Mirror Mode parameter to Enable.
• Follow these steps if you want to choose an access point that will mirror its traffic to the port you
selected on the controller:
3-20
a. Click Wireless > All APs to access the All APs page.
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
b. Click Detail for the access point on which you want to enable mirror mode. The All APs > Details
page appears.
c. Under General, set the Mirror Mode parameter to Enable.
Step 6Click Save Configuration to save your changes.
Configuring Spanning Tree Protocol
Spanning Tree Protocol (STP) is a Layer 2 link management protocol that provides path redundancy
while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one
active path can exist between any two network devices. STP allows only one active path at a time
between network devices but establishes redundant links as a backup if the initial link should fail.
The spanning-tree algorithm calculates the best loop-free path throughout a Layer 2 network.
Infrastructure devices such as controllers and switches send and receive spanning-tree frames, called
bridge protocol data units (BPDUs), at regular intervals. The devices do not forward these frames but
use them to construct a loop-free path.
Configuring Ports
Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end
stations might receive duplicate messages. Infrastructure devices might also learn end-station MAC
addresses on multiple Layer 2 interfaces. These conditions result in an unstable network.
STP defines a tree with a root bridge and a loop-free path from the root to all infrastructure devices in
the Layer 2 network.
NoteSTP discussions use the term root to describe two concepts: the controller on the network that serves as
a central point in the spanning tree is called the root bridge, and the port on each controller that provides
the most efficient path to the root bridge is called the root port. The root bridge in the spanning tree is
called the spanning-tree root.
STP forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree
fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology
and activates the standby path.
When two ports on a controller are part of a loop, the spanning-tree port priority and path cost settings
determine which port is put in the forwarding state and which is put in the blocking state. The port
priority value represents the location of a port in the network topology and how well it is located to pass
traffic. The path cost value represents media speed.
The controller maintains a separate spanning-tree instance for each active VLAN configured on it. A
bridge ID, consisting of the bridge priority and the controller’s MAC address, is associated with each
instance. For each VLAN, the controller with the lowest controller ID becomes the spanning-tree root
for that VLAN.
OL-8335-02
STP is disabled for the controller’s distribution system ports by default. The following sections provide
instructions for configuring STP for your controller using either the GUI or CLI.
Cisco Wireless LAN Controller Configuration Guide
3-21
Configuring Ports
Using the GUI to Configure Spanning Tree Protocol
Follow these steps to configure STP using the GUI.
Step 1Click Controller > Ports to access the Ports page (see Figure 3-8).
Step 2Click Edit for the specific port for which you want to configure STP. The Port > Configure page appears
(see Figure 3-9). This page shows the STP status of the port and enables you to configure STP
parameters.
Table 3- 4 interprets the current STP status of the port.
Table 3-4Port Spanning Tree Status
ParameterDescription
STP Port IDThe number of the port for which STP is enabled or disabled.
STP StateThe port’s current STP state. It controls the action that a port takes upon
receiving a frame.
Val ue s: Disabled, Blocking, Listening, Learning, Forwarding, and
Chapter 3 Configuring Ports and Interfaces
Broken
STP StateDescription
DisabledThe port is not participating in spanning tree because the
port is shut down, the link is down, or STP is not enabled
for this port.
BlockingThe port does not participate in frame forwarding.
ListeningThe first transitional state after the blocking state when
STP determines that the port should participate in frame
forwarding.
LearningThe port prepares to participate in frame forwarding.
ForwardingThe port forwards frames.
BrokenThe port is malfunctioning.
STP Port Designated RootThe unique identifier of the root bridge in the configuration BPDUs.
STP Port Designated CostThe path cost of the designated port.
STP Port Designated BridgeThe identifier of the bridge that the port considers to be the designated
bridge for this port.
STP Port Designated PortThe port identifier on the designated bridge for this port.
STP Port Forward Transitions
Count
Step 3Table 3-5 lists and describes the port’s configurable STP parameters. Follow the instructions in the table
The number of times that the port has transitioned from the learning
state to the forwarding state.
to make any desired changes.
3-22
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
Table 3-5Port Spanning Tree Parameters
ParameterDescription
STP ModeThe STP administrative mode associated with this port.
Configuring Ports
Options: Off, 802.1D, or Fast
Default: Off
STP ModeDescription
OffDisables STP for this port.
802.1DEnables this port to participate in the
spanning tree and go through all of the
spanning tree states when the link state
transitions from down to up.
FastEnables this port to participate in the
spanning tree and puts it in the forwarding
state when the link state transitions from
down to up more quickly than when the
STP mode is set to 802.1D.
NoteIn this state, the forwarding delay
timer is ignored on link up.
STP Port PriorityThe location of the port in the network topology and how well the port
is located to pass traffic.
Range: 0 to 255
Default: 128
STP Port Path Cost ModeDetermines whether the STP port path cost is set automatically or
specified by the user. If you choose User Configured, you also need to
set a value for the STP Port Path Cost parameter.
Range: Auto or User Configured
Default: Auto
STP Port Path CostThe speed at which traffic is passed through the port. This parameter
must be set if the STP Port Path Cost Mode parameter is set to User
Configured.
Options: 0 to 65535
Default: 0, which causes the cost to be adjusted for the speed of the
port when the link comes up.
NoteTypically, a value of 100 is used for 10-Mbps ports and 19 for
100-Mbps ports.
OL-8335-02
Step 4Click Save Configuration to save your changes.
Step 5Click Back to return to the Ports page.
Step 6Repeat Step 2 through Step 5 for each port for which you want to enable STP.
Step 7Click Controller > Spanning Tree to access the Controller Spanning Tree Configuration page (see
Figure 3-10).
Cisco Wireless LAN Controller Configuration Guide
3-23
Configuring Ports
Chapter 3 Configuring Ports and Interfaces
Figure 3-10 Controller Spanning Tree Configuration Page
This page allows you to enable or disable the spanning tree algorithm for the controller, modify its
characteristics, and view the STP status.Ta ble 3-6 interprets the current STP status for the controller.
Table 3-6Controller Spanning Tree Status
ParameterDescription
Spanning Tree SpecificationThe STP version being used by the controller. Currently, only an IEEE
802.1D implementation is available.
Base MAC AddressThe MAC address used by this bridge when it must be referred to in a
unique fashion. When it is concatenated with dot1dStpPriority, a
unique bridge identifier is formed that is used in STP.
Topology Change CountThe total number of topology changes detected by this bridge since the
management entity was last reset or initialized.
Time Since Topology
Changed
The time (in days, hours, minutes, and seconds) since a topology
change was detected by the bridge.
Designated RootThe bridge identifier of the spanning tree root. This value is used as the
Root Identifier parameter in all configuration BPDUs originated by this
node.
Root PortThe number of the port that offers the lowest cost path from this bridge
to the root bridge.
Root CostThe cost of the path to the root as seen from this bridge.
3-24
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
Table 3-6Controller Spanning Tree Status (continued)
ParameterDescription
Max Age (seconds)The maximum age of STP information learned from the network on any
Hello Time (seconds)The amount of time between the transmission of configuration BPDUs
Forward Delay (seconds)This value controls how fast a port changes its spanning tree state when
Hold Time (seconds)The minimum time period to elapse between the transmission of
Configuring Ports
port before it is discarded.
by this node on any port when it is the root of the spanning tree or trying
to become so. This is the actual value that this bridge is currently using.
moving toward the forwarding state. It determines how long the port
stays in each of the listening and learning states that precede the
forwarding state. This value is also used, when a topology change has
been detected and is underway, to age all dynamic entries in the
forwarding database.
NoteThis is the actual value that this bridge is currently using, in
contrast to Stp Bridge Forward Delay, which is the value that
this bridge and all others would start using if this bridge were
to become the root.
configuration BPDUs through a given LAN port.
NoteAt most, one configuration BPDU can be transmitted in any
hold time period.
Step 8Table 3- 7 lists and describes the controller’s configurable STP parameters. Follow the instructions in the
table to make any desired changes.
Table 3-7Controller Spanning Tree Parameters
ParameterDescription
Spanning Tree AlgorithmEnables or disables STP for the controller.
Options: Enable or Disable
Default: Disable
PriorityThe location of the controller in the network topology and how well the
controller is located to pass traffic.
Range: 0 to 65535
Default: 32768
Maximum Age (seconds)The length of time that the controller stores protocol information
received on a port.
Range: 6 to 40 seconds
Default: 20 seconds
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
3-25
Configuring Ports
Table 3-7Controller Spanning Tree Parameters (continued)
ParameterDescription
Hello Time (seconds)The length of time that the controller broadcasts hello messages to
other controllers.
Options: 1 to 10 seconds
Default: 2 seconds
Forward Delay (seconds)The length of time that each of the listening and learning states lasts
before the port begins forwarding.
Options: 4 to 30 seconds
Default: 15 seconds
Step 9Click Save Configuration to save your changes.
Using the CLI to Configure Spanning Tree Protocol
Chapter 3 Configuring Ports and Interfaces
Follow these steps to configure STP using the CLI.
Step 1Enter show spanningtree port and show spanningtree switch to view the current STP status.
Step 2If STP is enabled, you must disable it before you can change STP settings. Enter config spanningtree
switch mode disable to disable STP on all ports.
Step 3Enter one of these commands to configure the STP port administrative mode:
• config spanningtree port mode 802.1d {port-number | all}
• config spanningtree port mode fast {port-number | all}
• config spanningtree port mode off {port-number | all}
Step 4Enter one of these commands to configure the STP port path cost on the STP ports:
• config spanningtree port pathcost1-65535 {port-number | all}—Specifies a path cost from 1 to
65535 to the port.
• config spanningtree port mode pathcost auto {port-number | all}—Enables the STP algorithm to
automatically assign the path cost. This is the default setting.
Step 5Enter config spanningtree port priority 0-255port-number to configure the port priority on STP ports.
The default priority is 128.
Step 6If necessary, enter config spanningtree switch bridgepriority 0-65535 to configure the controller’s
STP bridge priority. The default bridge priority is 32768.
Step 7If necessary, enter config spanningtree switch forwarddelay 4-30 to configure the controller’s STP
forward delay in seconds. The default forward delay is 15 seconds.
3-26
Step 8If necessary, enter config spanningtree switch hellotime1-10 to configure the controller’s STP hello
time in seconds. The default hello time is 2 seconds.
Step 9If necessary, enter config spanningtree switch maxage6-40 to configure the controller’s STP maximum
age. The default maximum age is 20 seconds.
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
Step 10After you configure STP settings for the ports, enter config spanningtree switch mode enable to enable
STP for the controller. The controller automatically detects logical network loops, places redundant
ports on standby, and builds a network with the most efficient pathways.
Step 11Enter show spanningtree port and show spanningtree switch to verify that your changes have been
saved.
Enabling Link Aggregation
Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles
all of the controller’s distribution system ports into a single 802.3ad port channel, thereby reducing the
number of IP addresses needed to configure the ports on your controller. When LAG is enabled, the system
dynamically manages port redundancy and load balances access points transparently to the user.
Cisco 4400 series controllers support LAG in software release 3.2 and higher, and LAG is enabled
automatically on the Cisco WiSM controllers. Without LAG, each distribution system port on the
controller supports up to 48 access points. With LAG enabled, a 4402 controller’s logical port supports
up to 50 access points, a 4404 controller’s logical port supports up to 100 access points, and the logical
port on each Cisco WiSM controller supports up to 150 access points.
Enabling Link Aggregation
Figure 3-11 illustrates LAG.
Figure 3-11 Link Aggregation
OL-8335-02
LAG simplifies controller configuration because you no longer need to configure primary and secondary
ports for each interface. If any of the controller ports fail, traffic is automatically migrated to one of the
other ports. As long as at least one controller port is functioning, the system continues to operate, access
points remain connected to the network, and wireless clients continue to send and receive data.
Cisco Wireless LAN Controller Configuration Guide
3-27
Enabling Link Aggregation
When configuring bundled ports, you may want to consider spanning modules with your port channel
when you connect to a modular switch such as the Catalyst 6500. This practice provides protection in
the case of a module failure. Figure 3-12 illustrates a scenario where a 4402-50 controller is connected
to a Catalyst 6500 with gigabit modules in slots 2 and 3. The controller’s port 1 is connected to gigabit
interface 3/1, and the controller’s port 2 is connected to gigabit interface 2/1 on the Catalyst 6500. On
the Catalyst switch, the two interfaces are assigned to the same channel group.
Figure 3-12 Link Aggregation with Catalyst 6500 Neighbor Switch
Chapter 3 Configuring Ports and Interfaces
Link Aggregation Guidelines
Keep these guidelines in mind when using LAG:
• You cannot configure the controller’s ports into separate LAG groups. Only one LAG group is
supported per controller. Therefore, you can connect a controller in LAG mode to only one neighbor
device.
• When LAG is enabled, any change to the LAG configuration requires a controller reboot.
• When you enable LAG, you can configure only one AP-manager interface because only one logical
port is needed.
• When you enable LAG, all dynamic AP-manager interfaces and untagged interfaces are deleted, and
all WLANs are disabled and mapped to the management interface.
• When you enable LAG, you cannot create interfaces with a primary port other than 29.
• When you enable LAG, all ports participate in LAG by default. Therefore, you must configure LAG
for all of the connected ports in the neighbor switch.
• When you enable LAG, port mirroring is not supported.
• Make sure the port-channel on the switch is configured for the IEEE standard Link Aggregation
Control Protocol (LACP), not the Cisco proprietary Port Aggregation Protocol (PAgP).
• When you disable LAG, you must configure primary and secondary ports for all interfaces.
• When you disable LAG, you must assign an AP-manager interface to each port on the controller.
3-28
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
LAG is typically configured using the Startup Wizard, but you can enable or disable it at any time
through either the GUI or CLI.
Using the GUI to Enable Link Aggregation
Follow these steps to enable LAG on your controller using the GUI.
Step 1Click Controller > General to access the General page (see Figure 3-13).
Figure 3-13 General Page
Enabling Link Aggregation
OL-8335-02
Step 2Set the LAG Mode on Next Reboot parameter to Enabled.
NoteChoose Disabled if you want to disable LAG.
Step 3Click Save Configuration to save your changes.
Step 4Reboot the controller.
Cisco Wireless LAN Controller Configuration Guide
3-29
Configuring a 4400 Series Controller to Support More Than 48 Access Points
Using the CLI to Enable Link Aggregation
Follow these steps to enable LAG on your controller using the CLI.
Step 1Enter config lag enable to enable LAG.
NoteEnter config lagdisable if you want to disable LAG.
Step 2Enter show lag to verify that your change has been saved.
Step 3Reboot the controller.
Configuring Neighbor Devices to Support LAG
The controller’s neighbor devices must also be properly configured to support LAG.
Chapter 3 Configuring Ports and Interfaces
• Each neighbor port to which the controller is connected should be configured as follows:
interface GigabitEthernet <interface id>
switchport
channel-group <id> mode on
no shutdown
• The port channel on the neighbor switch should be configured as follows:
Configuring a 4400 Series Controller to Support More Than 48
Access Points
As noted earlier, 4400 series controllers can support up to 48 access points per port. However, you can
configure your 4400 series controller to support more access points using one of the following methods:
• Link aggregation (for controllers in Layer 3 mode), page 3-31
Follow the instructions on the page indicated for the method you want to use.
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
The following factors should help you decide which method to use if your controller is set for Layer 3
operation:
• With link aggregation, all of the controller ports need to connect to the same neighbor switch. If the
neighbor switch goes down, the controller loses connectivity.
• With multiple AP-manager interfaces, you can connect your ports to different neighbor devices. If
one of the neighbor switches goes down, the controller still has connectivity. However, using
multiple AP-manager interfaces presents certain challenges (as discussed in the “Using Multiple
AP-Manager Interfaces” section below) when port redundancy is a concern.
Using Link Aggregation
See the “Enabling Link Aggregation” section on page 3-27 for more information and instructions on
enabling link aggregation.
NoteLink aggregation is the only method that can be used for the Cisco WiSM controllers.
Configuring a 4400 Series Controller to Support More Than 48 Access Points
Using Multiple AP-Manager Interfaces
NoteThis method can be used only with Cisco 4400 series stand-alone controllers.
When you create two or more AP-manager interfaces, each one is mapped to a different port (see
Figure 3-14). The ports should be configured in sequential order such that AP-manager interface 2 is on
port 2, AP-manager interface 3 is on port 3, and AP-manager interface 4 is on port 4. In addition, all
AP-manager interfaces must be on the same VLAN or IP subnet, and they may or may not be on the same
VLAN or IP subnet as the management interface.
NoteYou must assign an AP-manager interface to each port on the controller.
Before an access point joins a controller, it sends out a discovery request. From the discovery response
that it receives, the access point can tell the number of AP-manager interfaces on the controller and the
number of access points on each AP-manager interface. The access point generally joins the AP-manager
with the least number of access points. In this way, the access point load is dynamically distributed
across the multiple AP-manager interfaces.
NoteAccess points may not be distributed completely evenly across all of the AP-manager interfaces, but a
certain level of load balancing occurs.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
3-31
Configuring a 4400 Series Controller to Support More Than 48 Access Points
Figure 3-14 Two AP-Manager Interfaces
Chapter 3 Configuring Ports and Interfaces
NoteCisco recommends that you configure all AP-manager interfaces on the same VLAN and IP subnet.
Before implementing multiple AP-manager interfaces, you should consider how they would impact your
controller’s port redundancy.
Examples:
1. The 4402-50 controller supports a maximum of 50 access points and has two ports. To support the
maximum number of access points, you would need to create two AP-manager interfaces. A problem
arises, however, if you want to support port redundancy. As shown in Figure 3-14, the static
AP-manager interface has port 1 assigned as the primary port and port 2 as the secondary, or backup,
port. The second AP-manager interface has port 2 assigned as the primary and port 1 as the
secondary. If either port fails, the controller would be left trying to support 50 access points on a
port that supports only 48. As a result, two access points would be unable to communicate with the
controller and would be forced to look for an alternate controller.
2. The 4404-100 controller supports up to 100 access points and has four ports. To support the
maximum number of access points, you would need to create three (or more) AP-manager
interfaces. Figure 3-15 illustrates three AP-manager interfaces, each with a unique primary port and
sharing the same secondary port. If the primary port of one of the AP-manager interfaces fails, the
controller clears the access points’ state, and the access points must reboot to reestablish
communication with the controller using the normal controller join process. The controller no longer
includes the failed AP-manager interface in the LWAPP discovery responses. The access points then
rejoin the controller and are load balanced among the available AP-manager interfaces.
3-32
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
Figure 3-15 Three AP-Manager Interfaces
Configuring a 4400 Series Controller to Support More Than 48 Access Points
Figure 3-16 illustrates the use of four AP-manager interfaces to support 100 access points. Each has
a unique primary port, but each port is also a secondary port for one of the AP-manager interfaces.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
3-33
Configuring a 4400 Series Controller to Support More Than 48 Access Points
Figure 3-16 Four AP-Manager Interfaces
Chapter 3 Configuring Ports and Interfaces
This configuration has the advantage of load-balancing all 100 access points evenly across all four
AP-manager interfaces. If one of the AP-manager interfaces fails, all of the access points connected
to the controller would be evenly distributed among the three available AP-manager interfaces. For
example, if AP-manager interface 2 fails, the remaining AP-manager interfaces (1, 3, and 4) would
each manage approximately 33 access points.
Follow these steps to create multiple AP-manager interfaces.
Step 1Click Controller > Interfaces to access the Interfaces page.
Step 2Click New. The Interfaces > New page appears (see Figure 3-18).
3-34
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
Figure 3-17 Interfaces > New Page
Step 3Enter an AP-manager interface name and a VLAN identifier, as shown above.
Step 4Click Apply to commit your changes. The Interfaces > Edit page appears (see Figure 3-18).
Configuring a 4400 Series Controller to Support More Than 48 Access Points
Figure 3-18 Interfaces > Edit Page
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
3-35
Configuring a 4400 Series Controller to Support More Than 48 Access Points
Step 5Enter the appropriate interface parameters.
Step 6To make the interface an AP-manager interface, check the Enable Dynamic AP Management check
box.
Step 7Click Save Configuration to save your settings.
Step 8Repeat this procedure for each additional AP-manager interface that you want to create.
Connecting Additional Ports
To support more than 48 access points with a 4400 series controller in Layer 2 mode, you must connect
more controller ports to individual broadcast domains that are completely separated. Table 3-8 provides
an example in which each controller port is connected to an individual switch.
Table 3-8Example Port Configuration on a 4404 Controller in Layer 2 Mode
VLANs 992, 993, and 994 (used here as VLAN examples) are access VLANs, and you can assign them
any VLAN IDs that you choose. An IP address is not allocated to these VLANs, and these ports are
access ports only. To connect additional access points, assign the access port connecting the access point
to VLAN 992, 993, or 994. The access point then joins the controller using that isolated VLAN with
Layer 2 LWAPP. All Layer 2 LWAPP traffic received on ports 2, 3, and 4 egresses the management port
(configured as port 1) on VLAN 250 with a dot1q tag of 250.
With a Layer 2 LWAPP configuration, you should distribute access points across VLANs 250, 992, 993,
and 994 manually. Ideally, you should distribute 25 access points per port to balance a total of 100 access
points. If you have less than 100 access points, divide the number of access points by 4 and distribute
that number. For example, 48 total access points divided by 4 equals 12 access points per 4404 port. You
could connect 48 access points to port 1, 48 to port 2, and only 2 to port 3, but this unbalanced
distribution does not provide the best throughput performance for wireless clients and is not
recommended.
It does not matter where you connect ports 2, 3, and 4 as long as they can communicate with the access
points configured for their isolated VLANs. If VLAN 250 is a widely used infrastructure VLAN within
your network and you notice network congestion, redistribute all of the access points connected to
VLAN 250 to ports 2, 3, and 4. Port 1 still remains connected to VLAN 250 as the management network
interface but transports data only from wireless clients proxied by the controller.
3-36
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
CHAPTER
4
Configuring Controller Settings
This chapter describes how to configure settings on the controllers. This chapter contains these sections:
• Using the Configuration Wizard, page 4-2
• Managing the System Time and Date, page 4-5
• Configuring a Country Code, page 4-5
• Enabling and Disabling 802.11 Bands, page 4-6
• Configuring Administrator Usernames and Passwords, page 4-7
• Configuring RADIUS Settings, page 4-7
• Configuring SNMP Settings, page 4-7
• Enabling 802.3x Flow Control, page 4-8
• Enabling System Logging, page 4-8
• Enabling Dynamic Transmit Power Control, page 4-8
• Configuring Multicast Mode, page 4-9
• Configuring the Supervisor 720 to Support the WiSM, page 4-10
• Using the Wireless LAN Controller Network Module, page 4-12
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
4-1
Using the Configuration Wizard
Using the Configuration Wizard
This section describes how to configure basic settings on a controller for the first time or after the
configuration has been reset to factory defaults. The contents of this chapter are similar to the
instructions in the quick start guide that shipped with your controller.
You use the configuration wizard to configure basic settings. You can run the wizard on the CLI or the
GUI. This section explains how to run the wizard on the CLI.
This section contains these sections:
• Before You Start, page 4-2
• Resetting the Device to Default Settings, page 4-3
• Running the Configuration Wizard on the CLI, page 4-4
Before You Start
You should collect these basic configuration parameters before configuring the controller:
• Mobility Settings: Mobility Group Name (optional)
• RADIUS Settings
4-2
• SNMP Settings
• NTP server settings (the wizard prompts you for NTP server settings only when you run the wizard
on a wireless controller network module installed in a Cisco Integrated Services router)
• Other port and parameter settings: service port, Radio Resource Management (RRM), third-party
access points, console port, 802.3x flow control, and system logging
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 4 Configuring Controller Settings
Resetting the Device to Default Settings
If you need to start over during the initial setup process, you can reset the controller to factory default
settings.
NoteAfter resetting the configuration to defaults, you need a serial connection to the controller to use the
configuration wizard.
Resetting to Default Settings Using the CLI
Follow these steps to reset the configuration to factory default settings using the CLI:
Step 1Enter reset system. At the prompt that asks whether you need to save changes to the configuration,
enter Y or N. The unit reboots.
Step 2When you are prompted for a username, enter recover-config to restore the factory default
configuration. The Cisco Wireless LAN Controller reboots and displays this message:
Welcome to the Cisco WLAN Solution Wizard Configuration Tool
Using the Configuration Wizard
Step 3Use the configuration wizard to enter configuration settings.
Resetting to Default Settings Using the GUI
Follow these steps to return to default settings using the GUI:
Step 1Open your Internet browser. The GUI is fully compatible with Microsoft Internet Explorer version 6.0
or later on Windows platforms.
Step 2Enter the controller IP address in the browser address line and press Enter. An Enter Network Password
window appears.
Step 3Enter your username in the User Name field. The default username is admin.
Step 4Enter the wireless device password in the Password field and press Enter. The default password is
admin.
Step 5Browse to the Commands/Reset to Factory Defaults page.
Step 6Click Reset. At the prompt, confirm the reset.
Step 7Reboot the unit and do not save changes.
Step 8Use the configuration wizard to enter configuration settings.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
4-3
Using the Configuration Wizard
Running the Configuration Wizard on the CLI
When the controller boots at factory defaults, the bootup script runs the configuration wizard, which
prompts the installer for initial configuration settings. Follow these steps to enter settings using the
wizard on the CLI:
Step 1Connect your computer to the controller using a DB-9 null-modem serial cable.
Step 2Open a terminal emulator session using these settings:
• 9600 baud
• 8 data bits
• 1 stop bit
• no parity
• no hardware flow control
Step 3At the prompt, log into the CLI. The default username is admin and the default password is admin.
Step 4If necessary, enter reset system to reboot the unit and start the wizard.
Step 5The first wizard prompt is for the system name. Enter up to 32 printable ASCII characters.
Chapter 4 Configuring Controller Settings
Step 6Enter an administrator username and password, each up to 24 printable ASCII characters.
Step 7Enter the service-port interface IP configuration protocol: none or DHCP. If you do not want to use the
service port or if you want to assign a static IP Address to the service port, enter none.
Step 8If you entered none in step 7 and need to enter a static IP address for the service port, enter the
service-port interface IP address and netmask for the next two prompts. If you do not want to use the
service port, enter 0.0.0.0 for the IP address and netmask.
Step 9Enter the management interface IP Address, netmask, default router IP address, and optional VLAN
identifier (a valid VLAN identifier, or 0 for untagged).
Step 10Enter the Network Interface (Distribution System) Physical Port number. For the controller, the possible
ports are 1 through 4 for a front panel GigE port.
Step 11Enter the IP address of the default DHCP Server that will supply IP Addresses to clients, the
management interface, and the service port interface if you use one.
Step 12Enter the LWAPP Transport Mode, LAYER2 or LAYER3 (refer to the Layer 2 and Layer 3 LWAPP
Operation chapter for an explanation of this setting).
Step 13Enter the Virtual Gateway IP Address. This address can be any fictitious, unassigned IP address (such
as 1.1.1.1) to be used by Layer 3 Security and Mobility managers.
Step 14Enter the Cisco WLAN Solution Mobility Group (RF group) name.
Step 15Enter the WLAN 1 SSID, or network name. This is the default SSID that lightweight access points use
to associate to a controller.
Step 16Allow or disallow Static IP Addresses for clients. Enter yes to allow clients to supply their own IP
addresses. Enter no to require clients to request an IP Address from a DHCP server.
Step 17If you need to configure a RADIUS Server, enter yes, and enter the RADIUS server IP address, the
communication port, and the shared secret. If you do not need to configure a RADIUS server or you want
to configure the server later, enter no.
4-4
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 4 Configuring Controller Settings
Step 18Enter a country code for the unit. Enter help to list the supported countries.
NoteWhen you run the wizard on a wireless controller network module installed in a Cisco Integrated
Services Router, the wizard prompts you for NTP server settings. The controller network module
does not have a battery and cannot save a time setting. It must receive a time setting from an NTP
server when it powers up.
Step 19Enable and disable support for 802.11b, 802.11a, and 802.11g.
Step 20Enable or disable radio resource management (RRM) (auto RF).
When you answer the last prompt, the controller saves the configuration, reboots with your changes, and
prompts you to log in or to enter recover-config to reset to the factory default configuration and return
to the wizard.
Managing the System Time and Date
Managing the System Time and Date
You can configure the controller to obtain the time and date from an NTP server or you can configure
the time and date manually.
Configuring Time and Date Manually
On the CLI, enter show time to check the system time and date. If necessary, enter
config time mm/dd/yy hh:mm:ss to set the time and date.
To enable Daylight Saving Time, enter config time timezone enable.
Configuring NTP
On the CLI, enter config time ntp server-ip-address to specify the NTP server for the controller. Enter
config time ntp interval to specify, in seconds, the polling interval.
Configuring a Country Code
Controllers are designed for use in many countries with varying regulatory requirements. You can
configure a country code for the controller to ensure that it complies with your country’s regulations.
On the CLI, enter config countrycode to configure the country code. Enter show country to check the
configuration.
OL-8335-02
NoteThe controller must be installed by a network administrator or qualified IT professional and the proper
country code must be selected. Following installation, access to the unit should be password protected
by the installer to maintain compliance with regulatory requirements and to ensure proper unit
functionality.
Cisco Wireless LAN Controller Configuration Guide
4-5
Enabling and Disabling 802.11 Bands
Table 4- 1 lists commonly used country codes and the 802.11 bands that they allow. For a complete list
of country codes supported per product, refer to www.ciscofax.com or
USUnited States of America802.11b, 802.11g, and 802.11a low, medium,
USLUS Low802.11b, 802.11g, and 802.11a low and
AUAustralia802.11b, 802.11g, and 802.11a
ATAustria802.11b, 802.11g, and 802.11a
BEBelgium802.11b, 802.11g, and 802.11a
CACanada802.11b and 802.11g
DKDenmark802.11b, 802.11g, and 802.11a
FIFinland802.11b, 802.11g, and 802.11a
FRFrance802.11b, 802.11g, and 802.11a
DEGermany802.11b, 802.11g, and 802.11a
GRGreece802.11b and 802.11g
IEIreland802.11b, 802.11g, and 802.11a
INIndia802.11b and 802.11a
ITItaly802.11b, 802.11g, and 802.11a
JPJapan802.11b, 802.11g, and 802.11a
KRRepublic of Korea802.11b, 802.11g, and 802.11a
LULuxembourg802.11b, 802.11g, and 802.11a
NLNetherlands802.11b, 802.11g, and 802.11a
PTPortugal802.11b, 802.11g, and 802.11a
ESSpain802.11b, 802.11g, and 802.11a
SESweden802.11b, 802.11g, and 802.11a
GBUnited Kingdom802.11b, 802.11g, and 802.11a
Chapter 4 Configuring Controller Settings
and high bands
medium bands (used for legacy 802.11a
interface cards that do not support 802.11a
high band)
Enabling and Disabling 802.11 Bands
You can enable or disable the 802.11b/g (2.4-GHz) and the 802.11a (5-GHz) bands for the controller to
comply with the regulatory requirements in your country. By default, both 802.11b/g and 802.11a are
enabled.
On the CLI, enter config 80211b disable network to disable 802.11b/g operation on the controller.
Enter config 80211b enable network to re-enable 802.11b/g operation.
Cisco Wireless LAN Controller Configuration Guide
4-6
OL-8335-02
Chapter 4 Configuring Controller Settings
Configuring Administrator Usernames and Passwords
Enter config 80211a disable network to disable 802.11a operation on the controller. Enter
config 80211a enable network to re-enable 802.11a operation.
Configuring Administrator Usernames and Passwords
You can configure administrator usernames and passwords to prevent unauthorized users from
reconfiguring the controller and viewing configuration information.
On the CLI, enter config mgmtuser add usernamepasswordread-write to create a username-password
pair with read-write privileges. Enter config mgmtuser addusername passwordread-only to create a
username-password pair with read-only privileges. Usernames and passwords are case-sensitive and can
contain up to 24 ASCII characters. Usernames and passwords cannot contain spaces.
To change the password for an existing username, enter
config mgmtuser password username new_passwordTo list configured users, enter show mgmtuser.
Configuring RADIUS Settings
If you need to use a RADIUS server for accounting or authentication, follow these steps on the CLI to
configure RADIUS settings for the controller:
Step 1Enter config radius acctip-address to configure a RADIUS server for accounting.
Step 2Enter config radius acctport to specify the UDP port for accounting.
Step 3Enter config radius acctsecret to configure the shared secret.
Step 4Enter config radius acctenable to enable accounting. Enter config radius acct disable to disable
accounting. Accounting is disabled by default.
Step 5Enter config radius authip-address to configure a RADIUS server for authentication.
Step 6Enter config radius authport to specify the UDP port for authentication.
Step 7Enter config radius authsecret to configure the shared secret.
Step 8Enter config radius authenable to enable authentication. Enter config radius acct disable to disable
authentication. Authentication is disabled by default.
Step 9Use the show radius acct statistics, show radius auth statistics, and show radius summary
commands to verify that the RADIUS settings are correctly configured.
Configuring SNMP Settings
Cisco recommends that you use the GUI to configure SNMP settings on the controller. To use the CLI,
follow these steps:
Step 1Enter config snmp community createname to create an SNMP community name.
Step 2Enter config snmp community deletename to delete an SNMP community name.
OL-8335-02
Cisco Wireless LAN Controller Configuration Guide
4-7
Enabling 802.3x Flow Control
Step 3Enter config snmp community accessmode roname to configure an SNMP community name with
read-only privileges. Enter config snmp community accessmode rw name to configure an SNMP
community name with read-write privileges.
Step 4Enter config snmp community ipaddrip-addressip-maskname to configure an IP address and subnet
mask for an SNMP community.
Step 5Enter config snmp community mode enable to enable a community name. Enter config snmp
community mode disable to disable a community name.
Step 6Enter config snmp trapreceiver create nameip-address to configure a destination for a trap.
Step 7Enter config snmp trapreceiver delete name to delete a trap.
Step 8Enter config snmp trapreceiver ipaddr old-ip-address name new-ip-address to change the destination
for a trap.
Step 9Enter config snmp trapreceiver mode enable to enable traps. Enter config snmp trapreceiver mode
disable to disable traps.
Step 10Enter config snmp syscontact syscontact-name to configure the name of the SNMP contact. Enter up to
31 alphanumeric characters for the contact name.
Step 11Enter config snmp syslocationsyslocation-name to configure the SNMP system location. Enter up to
31 alphanumeric characters for the location.
Chapter 4 Configuring Controller Settings
Step 12Use the show snmpcommunity and show snmptrap commands to verify that the SNMP traps and
communities are correctly configured.
Step 13Use the show trapflags command to see the enabled and disabled trapflags. If necessary, use the
config trapflags commands to enable or disable trapflags.
Enabling 802.3x Flow Control
802.3x Flow Control is disabled by default. To enable it, enter config switchconfig flowcontrol enable.
Enabling System Logging
System logging is disabled by default. Enter show syslog to view the current syslog status. Enter config
syslog to send a controller log to a remote IP Address or hostname.
Enabling Dynamic Transmit Power Control
When you enable Dynamic Transmit Power Control (DTPC), access points add channel and transmit
power information to beacons. (On access points that run Cisco IOS software, this feature is called world
mode.) Client devices using DTPC receive the information and adjust their settings automatically. For
example, a client device used primarily in Japan could rely on DTPC to adjust its channel and power
settings automatically when it travels to Italy and joins a network there. DTPC is enabled by default.
4-8
Enter this command to disable or enable DTPC:
config {802.11a | 802.11bg} dtpc {enable | disable}
Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Loading...
+ hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.