Cisco Wireless LAN Controller Configuration Guide Software Release 3.2 March 2006 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
Preface This preface provides an overview of the Cisco Wireless LAN Controller Configuration Guide (OL-8335-02), references related publications, and explains how to obtain other documentation and technical assistance, if necessary.
Audience
This guide describes Cisco Wireless LAN Controllers and Cisco Lightweight Access Points. This guide is for the networking professional who installs and manages these devices. To use this guide, you should be familiar with the concepts and terminology of wireless LANs.
Purpose
This guide provides the information you need to set up and configure wireless LAN controllers.
Conventions
This publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
• Commands and keywords are in boldface text.
• Arguments for which you supply values are in italic.
• Square brackets ([ ]) mean optional elements.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix "Translated Safety Warnings.")
Warning This warning symbol indicates danger.
Related Publications
These documents provide complete information about the Cisco Unified Wireless Network Solution:
• Cisco Wireless LAN Controller Command Reference
• Quick Start Guide: Cisco 2000 Series Wireless LAN Controllers
• Quick Start Guide: Cisco 4100 Series Wireless LAN Controllers
• Quick Start Guide: Cisco 4400 Series Wireless LAN Controllers
• Quick Start Guide: VPN Termination Module for Cisco 4400 Series Wireless LAN Controllers
• Quick Start Guide:
Product Documentation DVD
The Product Documentation DVD is a comprehensive library of technical product documentation on a portable medium. The DVD enables you to access multiple versions of installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the same HTML documentation that is found on the Cisco website without being connected to the Internet. Certain products also have .
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to:
• Report security vulnerabilities in Cisco products.
• Obtain assistance with security incidents that involve Cisco products.
• Register to receive security information from Cisco.
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Technical Support & Documentation website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL: http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources.
CHAPTER 1 Overview
This chapter describes the controller components and features.
Cisco Wireless LAN Solution Overview
The Cisco Wireless LAN Solution is designed to provide 802.11 wireless networking solutions for enterprises and service providers. The Cisco Wireless LAN Solution simplifies deploying and managing large-scale wireless LANs and enables a unique best-in-class security infrastructure.
Figure 1-1 Cisco WLAN Solution Components
Single-Controller Deployments
A standalone controller can support lightweight access points across multiple floors and buildings simultaneously, and supports the following features:
• Autodetecting and autoconfiguring lightweight access points as they are added to the network.
• Full control of lightweight access points.
Figure 1-2 Single-Controller Deployment
Multiple-Controller Deployments
Each controller can support lightweight access points across multiple floors and buildings simultaneously. However, full functionality of the Cisco Wireless LAN Solution is realized when it includes multiple controllers.
Figure 1-3 Typical Multi-Controller Deployment
Operating System Software
The operating system software controls Cisco Wireless LAN Controllers and Cisco 1000 Series Lightweight Access Points. It includes full operating system security and Radio Resource Management (RRM) features.
• RSN with or without Pre-Shared key.
• Cranite FIPS140-2 compliant passthrough.
• Fortress FIPS140-2 compliant passthrough.
• Optional MAC Filtering.
The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as:
• Terminated and passthrough VPNs.
• Terminated and passthrough Layer Two Tunneling Protocol (L2TP), which uses the IP Security (IPSec) protocol.
• Terminated and passthrough IPSec protocols.
Layer 2 and Layer 3 LWAPP Operation
The LWAPP communications between Cisco Wireless LAN Controllers and Cisco 1000 series lightweight access points can be conducted at ISO Data Link Layer 2 or Network Layer 3.
Note The IPv4 network layer protocol is supported for transport through an LWAPP controller system. IPv6 (for clients only) and AppleTalk are also supported but only on 4400 series controllers and the Cisco WiSM.
The operator can monitor the master controller using the WCS Web User Interface and watch as access points associate with the master controller. The operator can then verify access point configuration and assign a primary, secondary, and tertiary controller to the access point, and reboot the access point so it reassociates with its primary, secondary, or tertiary controller.
Note that the Cisco 1030 remote edge lightweight access points at a remote location must be on the same subnet to support roaming.
Inter-Subnet (Layer 3) Roaming
In multiple-controller deployments, the Cisco Wireless LAN Solution supports client roaming across access points managed by controllers in the same mobility group on different subnets.
External DHCP Servers
The operating system is designed to appear as a DHCP Relay to the network and as a DHCP Server to clients with industry-standard external DHCP Servers that support DHCP Relay. This means that each Cisco Wireless LAN Controller appears as a DHCP Relay agent to the DHCP Server. This also means that the Cisco Wireless LAN Controller appears as a DHCP Server at the virtual IP Address to wireless clients.
Cisco WLAN Solution Wired Connections
The Cisco Wireless LAN Solution components communicate with each other using industry-standard Ethernet cables and connectors. The following paragraphs contain details of the Cisco WLAN Solution wired connections.
• The Cisco 2000 Series Wireless LAN Controller connects to the network using from one to four 10/100BASE-T Ethernet cables.
Access Control Lists
The operating system allows you to define up to 64 Access Control Lists (ACLs), similar to standard firewall Access Control Lists. Each ACL can have up to 64 Rules (filters). Operators can use ACLs to control client access to multiple VPN servers within a given wireless LAN.
Enhanced Integration with Cisco Secure ACS
The identity-based networking feature uses authentication, authorization, and accounting (AAA) override. When the following vendor-specific attributes are present in the RADIUS access accept message, the values override those present in the wireless LAN profile:
• QoS level
• 802.
Power over Ethernet
Lightweight access points can receive power via their Ethernet cables from 802.3af-compatible Power over Ethernet (PoE) devices, which can reduce the cost of discrete power supplies, additional wiring, conduits, outlets, and installer time.
• Allows changes to Cisco 1000 series lightweight access point sensitivity for pico cells.
• Allows control of Cisco 1000 series lightweight access point fallback behavior to optimize pico cell use.
• Supports heat maps for directional antennas.
• Allows specific control over blacklisting events.
• Allows configuring and viewing basic LWAPP configuration using the Cisco 1000 series lightweight access point CLI.
Cisco 2000 Series Wireless LAN Controllers
The Cisco 2000 Series Wireless LAN Controller is part of the Cisco Wireless LAN Solution. Each 2000 series controller controls up to six Cisco 1000 series lightweight access points, making it ideal for smaller enterprises and low-density applications. The Cisco 2000 Series Wireless LAN Controller is a slim 9.5 x 6.0 x 1.6 in. (241 x 152 x 41 mm) chassis that can be desktop or shelf mounted.
Cisco 4400 Series Wireless LAN Controllers
Cisco 4400 Series Wireless LAN Controllers are part of the Cisco Wireless LAN Solution. Each Cisco 4400 Series Wireless LAN Controller controls up to 100 Cisco 1000 series lightweight access points, making it ideal for large-sized enterprises and large-density applications.
Cisco 4100 Series Wireless LAN Controller Model Numbers
Cisco 4100 Series Wireless LAN Controller model numbers are as follows:
• AIR-WLC4112-K9 — The Cisco 4100 Series Wireless LAN Controller uses two redundant Gigabit Ethernet connections to bypass single network failures, and communicates with up to 12 Cisco 1000 series lightweight access points.
The 4402 Cisco 4400 Series Wireless LAN Controller uses one set of two redundant front-panel SX/LC/T SFP modules (SFP transceiver, or Small Form-factor Plug-in), and the 4404 Cisco 4400 Series Wireless LAN Controller uses two sets of two redundant front-panel SX/LC/T SFP modules:
• 1000BASE-SX SFP modules provide a 1000 Mbps wired connection to a network through an 850nM (SX) fiber-optic link using an LC physical connector.
• Enables and/or disables the 802.11a, 802.11b and 802.11g Cisco 1000 series lightweight access point networks.
• Enables or disables Radio Resource Management (RRM).
To use the Startup Wizard, refer to the “Using the Configuration Wizard” section on page 4-2.
• If the access point finds no master controller on the same subnet, it attempts to contact stored Mobility Group members by IP address.
Cisco 2000 Series Wireless LAN Controllers
Cisco 2000 Series Wireless LAN Controllers can communicate with the network through any one of their physical data ports, as the logical management interface can be assigned to one of the ports. The physical port description follows:
• Up to four 10/100BASE-T cables can plug into the four back-panel data ports on the Cisco 2000 Series Wireless LAN Controller chassis.
Figure 1-6 shows connections to the 4100 series controller.
Figure 1-6 Physical Network Connections to the 4100 Series Controller
Cisco 4400 Series Wireless LAN Controllers
Cisco 4400 Series Wireless LAN Controllers can communicate with the network through one or two pairs of physical data ports, and the logical management interface can be assigned to the ports.
Figure 1-7 Physical Network Connections to 4402 and 4404 Series Controllers
VPN and Enhanced Security Modules for 4100 Series Controllers
All 4100 series controllers can be equipped with an optional module that slides into the rear panel of the controller.
Rogue Access Point Location, Tagging, and Containment
This built-in detection, tagging, monitoring, and containment capability allows system administrators to take required actions:
• Locate rogue access points as described in the Cisco Wireless Control System Configuration Guide.
• Receive new rogue access point notifications, eliminating hallway scans.
• Monitor unknown rogue access points until they are eliminated or acknowledged.
Because the Web User Interface works with one Cisco Wireless LAN Controller at a time, the Web User Interface is especially useful when you wish to configure or monitor a single Cisco Wireless LAN Controller and its associated Cisco 1000 series lightweight access points. Refer to the “Using the Web-Browser Interface” section on page 2-2 for more information on the Web User Interface.
CHAPTER 2 Using the Web-Browser and CLI Interfaces
This chapter describes the web-browser and CLI interfaces that you use to configure the controllers.
Using the Web-Browser Interface
The web-browser interface (hereafter called the GUI) allows up to five users to browse simultaneously into the controller HTTP or HTTPS (HTTP + SSL) management pages to configure parameters and monitor operational status for the controller and its associated access points.
Using the CLI, follow these steps to enable HTTPS:
Step 1 Enter show certificate summary to verify that the controller has generated a certificate:
>show certificate summary
Web Administration Certificate................. Locally Generated
Web Authentication Certificate................. Locally Generated
Certificate compatibility mode:................
Follow these steps to load an externally generated HTTPS certificate:
Step 1 Use a password to encrypt the HTTPS certificate in a .PEM-encoded file. The PEM-encoded file is called a Web Administration Certificate file (webadmincert_name.pem).
Step 2 Move the webadmincert_name.pem file to the default directory on your TFTP server.
Step 9 Reboot the controller:
>reset system
Are you sure you would like to reset the system? (y/n) y
System will now restart!
The controller reboots.
Disabling the GUI
To prevent all use of the GUI, select the Disable Web-Based Management check box on the Services: HTTP-Web Server page and click Apply.
Using a Local Serial Connection
You need these items to connect to the serial port:
• A computer that has a DB-9 serial port and is running a terminal emulation program
• A DB-9 male-to-female null-modem serial cable
Follow these steps to log into the CLI through the serial port.
Step 1 Connect your computer to the controller using the DB-9 null-modem serial cable.
Logging Out of the CLI
When you finish using the CLI, navigate to the root level and enter logout. The system prompts you to save any changes you made to the volatile RAM.
Navigating the CLI
The CLI is organized around five levels:
Root Level
Level 2
Level 3
Level 4
Level 5
When you log into the CLI, you are at the root level. From the root level, you can enter any full command without first navigating to the correct command level.
Enabling Wireless Connections to the Web-Browser and CLI Interfaces
You can monitor and configure controllers using a wireless client. This feature is supported for all management tasks except uploads from and downloads to the controller. Before you can open the GUI or the CLI from a wireless client device you must configure the controller to allow the connection.
CHAPTER 3 Configuring Ports and Interfaces
This chapter describes the controller’s physical ports and interfaces and provides instructions for configuring them.
Overview of Ports and Interfaces
Three concepts are key to understanding how controllers connect to a wireless network: ports, interfaces, and WLANs.
Ports
A port is a physical entity that is used for connections on the controller platform. Controllers have two types of ports: distribution system ports and a service port. The following figures show the ports available on each controller.
Note Figure 3-3 shows a Cisco 4404 controller. The Cisco 4402 controller is similar but has only two distribution system ports.
Table 3-1 provides a list of ports per controller.
Note
• The Cisco WiSM has eight gigabit Ethernet distribution system ports, which are located on the Catalyst 6500 switch backplane. Through these ports, the controller can support up to 300 access points.
• The Controller Network Module within the Cisco 28/37/38xx Series Integrated Services Routers has one Fast Ethernet distribution system port, which is located on the router backplane.
Interfaces
An interface is a logical entity on the controller. An interface has multiple parameters associated with it, including an IP address, default-gateway (for the IP subnet), primary physical port, secondary physical port, VLAN identifier, and DHCP server. These five types of interfaces are available on the controller.
Note If the service port is in use, the management interface must be on a different subnet from the service-port interface.
AP-Manager Interface
A controller has one or more AP-manager interfaces, which are used for all Layer 3 communications between the controller and lightweight access points after the access points have joined the controller.
unused gateway IP address, such as 1.1.1.1. The virtual interface IP address is not pingable and should not exist in any routing table in your network. In addition, the virtual interface cannot be mapped to a backup port.
Note All controllers within a mobility group must be configured with the same virtual interface IP address.
WLANs
A WLAN associates a service set identifier (SSID) to an interface. It is configured with security, quality of service (QoS), radio policies, and other wireless network parameters. Up to 16 access point WLANs can be configured per controller.
Note Chapter 6 provides instructions for configuring WLANs.
Figure 3-4 illustrates the relationship between ports, interfaces, and WLANs.
Note A zero value for the VLAN identifier (on the Controller > Interfaces page) means that the interface is untagged. The default (untagged) native VLAN on Cisco switches is VLAN 1. When controller interfaces are configured as tagged (meaning that the VLAN identifier is set to a non-zero value), the VLAN must be allowed on the 802.
Figure 3-5 Interfaces Page
This page shows the current controller interface settings.
Step 2 If you want to modify the settings of a particular interface, click the interface’s Edit link. The Interfaces > Edit page for that interface appears.
AP-Manager Interface
• VLAN identifier
Note Enter 0 for an untagged VLAN or a non-zero value for a tagged VLAN. Cisco recommends that only tagged VLANs be used on the controller.
Using the CLI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces
This section provides instructions for displaying and configuring the management, AP-manager, virtual, and service-port interfaces using the CLI.
Using the CLI to Configure the Management Interface
Follow these steps to display and configure the management interface parameters using the CLI.
Step 3 Enter config wlan disable wlan-number to disable each WLAN that uses the AP-manager interface for distribution system communication.
Using the CLI to Configure the Service-Port Interface
Follow these steps to display and configure the service-port interface parameters using the CLI.
Step 1 Enter show interface detailed service-port to view the current service-port interface settings.
Note The service-port interface uses the controller’s factory-set service-port MAC address.
Figure 3-6 Interfaces > New Page
Step 3 Enter an interface name and a VLAN identifier, as shown in Figure 3-6.
Note Enter a non-zero value for the VLAN identifier. Tagged VLANs must be used for dynamic interfaces.
Step 4 Click Apply to commit your changes. The Interfaces > Edit page appears (see Figure 3-7).
Step 5 Configure the following parameters:
• VLAN identifier
• Fixed IP address, IP netmask, and default gateway
• Physical port assignment
• Primary and secondary DHCP servers
• Access control list (ACL) name, if required
Note To create ACLs, follow the instructions in Chapter 5.
Note To ensure proper operation, you must set the Port Number and Primary DHCP Server parameters.
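The interface rules stated in this chapter (a zero VLAN identifier means untagged and only tagged VLANs are recommended, dynamic interfaces need a tagged VLAN plus Port Number and Primary DHCP Server, the management and service-port interfaces must be on different subnets, and all controllers in a mobility group share one virtual interface IP address) can be checked against a planned configuration before it is applied. The Python linter below is an added example, not Cisco code: the dictionary data model, rule identifiers, and sample addresses are hypothetical and constructed, and the check that the virtual IP lies outside every configured subnet is a heuristic reading of "unused".

```python
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "severity controller interface rule detail")


def _network(iface):
    """Return the IPv4 network an interface sits on, or None without ip/netmask."""
    if iface.get("ip") and iface.get("netmask"):
        return ipaddress.ip_interface(f"{iface['ip']}/{iface['netmask']}").network
    return None


def lint_controller(name, interfaces):
    """Apply the guide's per-controller interface rules; return a list of Findings."""
    out = []

    def add(severity, iface, rule, detail):
        out.append(Finding(severity, name, iface["name"], rule, detail))

    first = {}  # first interface seen of each type
    for iface in interfaces:
        first.setdefault(iface["type"], iface)

    for iface in interfaces:
        untagged = iface.get("vlan", 0) == 0  # VLAN identifier 0 means untagged
        if iface["type"] == "dynamic":
            if untagged:
                add("error", iface, "DYN-UNTAGGED",
                    "dynamic interfaces must use a non-zero (tagged) VLAN identifier")
            if iface.get("port") is None or not iface.get("primary_dhcp"):
                add("error", iface, "DYN-NO-PORT-DHCP",
                    "Port Number and Primary DHCP Server must both be set")
        elif iface["type"] in ("management", "ap-manager") and untagged:
            add("warning", iface, "UNTAGGED-RECOMMENDED",
                "untagged interface; only tagged VLANs are recommended")

    # If the service port is in use, it must not share a subnet with management.
    mgmt, svc = first.get("management"), first.get("service-port")
    if mgmt and svc:
        mgmt_net, svc_net = _network(mgmt), _network(svc)
        if mgmt_net and svc_net and mgmt_net.overlaps(svc_net):
            add("error", svc, "MGMT-SVC-SAME-SUBNET",
                f"service port {svc_net} overlaps management {mgmt_net}")

    # Heuristic: an "unused" virtual IP should not fall inside any configured subnet.
    virt = first.get("virtual")
    if virt and virt.get("ip"):
        vip = ipaddress.ip_address(virt["ip"])
        for iface in interfaces:
            net = _network(iface)
            if iface is not virt and net and vip in net:
                add("warning", virt, "VIRT-IP-IN-USE",
                    f"{vip} lies inside {iface['name']} subnet {net}")
    return out


def lint_mobility_group(controllers):
    """Lint every controller, then require one shared virtual interface IP."""
    out, virtual_ips = [], {}
    for name, interfaces in controllers.items():
        out.extend(lint_controller(name, interfaces))
        for iface in interfaces:
            if iface["type"] == "virtual":
                virtual_ips[name] = iface.get("ip")
    if len(set(virtual_ips.values())) > 1:
        reference = next(iter(virtual_ips.values()))  # first controller listed
        for name, ip in virtual_ips.items():
            if ip != reference:
                out.append(Finding("error", name, "virtual", "VIRT-IP-MISMATCH",
                                   f"virtual IP {ip} differs from {reference}"))
    return out


MASK = "255.255.255.0"
# Constructed sample plan: wlc-a is clean, wlc-b breaks several rules.
SAMPLE_GROUP = {
    "wlc-a": [
        {"type": "management", "name": "management", "ip": "10.10.0.5", "netmask": MASK, "vlan": 10},
        {"type": "ap-manager", "name": "ap-manager", "ip": "10.10.0.6", "netmask": MASK, "vlan": 10},
        {"type": "service-port", "name": "service-port", "ip": "192.168.100.5", "netmask": MASK},
        {"type": "virtual", "name": "virtual", "ip": "1.1.1.1"},
        {"type": "dynamic", "name": "guest", "ip": "10.30.0.5", "netmask": MASK,
         "vlan": 30, "port": 1, "primary_dhcp": "10.10.0.2"},
    ],
    "wlc-b": [
        {"type": "management", "name": "management", "ip": "10.20.0.5", "netmask": MASK, "vlan": 0},
        {"type": "ap-manager", "name": "ap-manager", "ip": "10.20.0.6", "netmask": MASK, "vlan": 20},
        {"type": "service-port", "name": "service-port", "ip": "10.20.0.9", "netmask": MASK},
        {"type": "virtual", "name": "virtual", "ip": "1.1.1.2"},
        {"type": "dynamic", "name": "voice", "ip": "10.40.0.5", "netmask": MASK,
         "vlan": 0, "port": None, "primary_dhcp": None},
    ],
}

if __name__ == "__main__":
    for f in lint_mobility_group(SAMPLE_GROUP):
        print(f"{f.severity:7} {f.controller}/{f.interface}: {f.rule} ({f.detail})")
```

Errors correspond to statements the guide makes with "must"; warnings cover the tagged-VLAN recommendation and the heuristic check.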
Step 5 Enter show interface detailed operator-defined-interface-name and show interface summary to verify that your changes have been saved.
Note If desired, you can enter config interface delete operator-defined-interface-name to delete a dynamic interface.
Configuring Ports
The controller’s ports are preconfigured with factory default settings designed to make the controllers’ ports operational without additional configuration.
Figure 3-9 Port > Configure Page
Table 3-2 interprets the current status of the port.
Table 3-2 Port Status
Parameter | Description
Port Number | The number of the current port.
Physical Status | The data rate being used by the port. The available data rates vary based on controller type.
Table 3-2 Port Status
Parameter | Description
Power Over Ethernet (PoE) | Determines if the connecting device is equipped to receive power through the Ethernet cable and if so provides -48 VDC. Values: Enable or Disable
Note Some older Cisco access points do not draw PoE even if it is enabled on the controller port. In such cases, contact the Cisco Technical Assistance Center (TAC).
Step 4 Click Save Configuration to save your changes.
Step 5 Click Back to return to the Ports page and review your changes.
Step 6 Repeat this procedure for each additional port that you want to configure.
b. Click Detail for the access point on which you want to enable mirror mode. The All APs > Details page appears.
c. Under General, set the Mirror Mode parameter to Enable.
Step 6 Click Save Configuration to save your changes.
Configuring Spanning Tree Protocol
Spanning Tree Protocol (STP) is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network.
Using the GUI to Configure Spanning Tree Protocol
Follow these steps to configure STP using the GUI.
Step 1 Click Controller > Ports to access the Ports page (see Figure 3-8).
Step 2 Click Edit for the specific port for which you want to configure STP. The Port > Configure page appears (see Figure 3-9). This page shows the STP status of the port and enables you to configure STP parameters.
Table 3-5 Port Spanning Tree Parameters
Parameter | Description
STP Mode | The STP administrative mode associated with this port. Options: Off, 802.1D, or Fast. Default: Off
STP Mode | Description
Off | Disables STP for this port.
802.1D | Enables this port to participate in the spanning tree and go through all of the spanning tree states when the link state transitions from down to up.
Figure 3-10 Controller Spanning Tree Configuration Page
This page allows you to enable or disable the spanning tree algorithm for the controller, modify its characteristics, and view the STP status. Table 3-6 interprets the current STP status for the controller.
Table 3-6 Controller Spanning Tree Status
Parameter | Description
Spanning Tree Specification | The STP version being used by the controller. Currently, only an IEEE 802.
Table 3-6 Controller Spanning Tree Status (continued)
Parameter | Description
Max Age (seconds) | The maximum age of STP information learned from the network on any port before it is discarded.
Hello Time (seconds) | The amount of time between the transmission of configuration BPDUs by this node on any port when it is the root of the spanning tree or trying to become so. This is the actual value that this bridge is currently using.
Table 3-7 Controller Spanning Tree Parameters (continued)
Parameter | Description
Hello Time (seconds) | The length of time that the controller broadcasts hello messages to other controllers. Options: 1 to 10 seconds. Default: 2 seconds
Forward Delay (seconds) | The length of time that each of the listening and learning states lasts before the port begins forwarding.
Step 10 After you configure STP settings for the ports, enter config spanningtree switch mode enable to enable STP for the controller. The controller automatically detects logical network loops, places redundant ports on standby, and builds a network with the most efficient pathways.
Step 11 Enter show spanningtree port and show spanningtree switch to verify that your changes have been saved.
When configuring bundled ports, you may want to consider spanning modules with your port channel when you connect to a modular switch such as the Catalyst 6500. This practice provides protection in the case of a module failure. Figure 3-12 illustrates a scenario where a 4402-50 controller is connected to a Catalyst 6500 with gigabit modules in slots 2 and 3.
LAG is typically configured using the Startup Wizard, but you can enable or disable it at any time through either the GUI or CLI.

Using the GUI to Enable Link Aggregation
Follow these steps to enable LAG on your controller using the GUI.
Step 1 Click Controller > General to access the General page (see Figure 3-13).
Figure 3-13 General Page
Step 2 Set the LAG Mode on Next Reboot parameter to Enabled.
Using the CLI to Enable Link Aggregation
Follow these steps to enable LAG on your controller using the CLI.
Step 1 Enter config lag enable to enable LAG.
Note Enter config lag disable if you want to disable LAG.
Step 2 Enter show lag to verify that your change has been saved.
Step 3 Reboot the controller.
The following factors should help you decide which method to use if your controller is set for Layer 3 operation:
• With link aggregation, all of the controller ports need to connect to the same neighbor switch. If the neighbor switch goes down, the controller loses connectivity.
• With multiple AP-manager interfaces, you can connect your ports to different neighbor devices.
Figure 3-14 Two AP-Manager Interfaces
Note Cisco recommends that you configure all AP-manager interfaces on the same VLAN and IP subnet.
Before implementing multiple AP-manager interfaces, you should consider how they would impact your controller’s port redundancy.
Examples:
1. The 4402-50 controller supports a maximum of 50 access points and has two ports.
Figure 3-15 Three AP-Manager Interfaces
Figure 3-16 illustrates the use of four AP-manager interfaces to support 100 access points. Each has a unique primary port, but each port is also a secondary port for one of the AP-manager interfaces.
Figure 3-16 Four AP-Manager Interfaces
This configuration has the advantage of load-balancing all 100 access points evenly across all four AP-manager interfaces. If one of the AP-manager interfaces fails, all of the access points connected to the controller would be evenly distributed among the three available AP-manager interfaces.
Figure 3-17 Interfaces > New Page
Step 3 Enter an AP-manager interface name and a VLAN identifier, as shown above.
Step 4 Click Apply to commit your changes. The Interfaces > Edit page appears (see Figure 3-18).
Step 5 Enter the appropriate interface parameters.
Step 6 To make the interface an AP-manager interface, check the Enable Dynamic AP Management check box.
Step 7 Click Save Configuration to save your settings.
Step 8 Repeat this procedure for each additional AP-manager interface that you want to create.
CHAPTER 4
Configuring Controller Settings
This chapter describes how to configure settings on the controllers. This chapter contains these sections:
• Using the Configuration Wizard
• Managing the System Time and Date
• Configuring a Country Code
• Enabling and Disabling 802.11 Bands
• Configuring Administrator Usernames and Passwords
• Configuring RADIUS Settings
• Configuring SNMP Settings
• Enabling 802.
Using the Configuration Wizard
This section describes how to configure basic settings on a controller for the first time or after the configuration has been reset to factory defaults. The contents of this chapter are similar to the instructions in the quick start guide that shipped with your controller. You use the configuration wizard to configure basic settings. You can run the wizard on the CLI or the GUI.
Resetting the Device to Default Settings
If you need to start over during the initial setup process, you can reset the controller to factory default settings.
Note After resetting the configuration to defaults, you need a serial connection to the controller to use the configuration wizard.
Running the Configuration Wizard on the CLI
When the controller boots at factory defaults, the bootup script runs the configuration wizard, which prompts the installer for initial configuration settings. Follow these steps to enter settings using the wizard on the CLI:
Step 1 Connect your computer to the controller using a DB-9 null-modem serial cable.
Step 18 Enter a country code for the unit. Enter help to list the supported countries.
Note When you run the wizard on a wireless controller network module installed in a Cisco Integrated Services Router, the wizard prompts you for NTP server settings. The controller network module does not have a battery and cannot save a time setting. It must receive a time setting from an NTP server when it powers up.
Table 4-1 lists commonly used country codes and the 802.11 bands that they allow. For a complete list of country codes supported per product, refer to www.ciscofax.com or http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html.
Table 4-1 Commonly Used Country Codes
Country Code | Country | 802.11 Bands Allowed
US | United States of America | 802.11b, 802.11g, and 802.11a low, medium, and high bands
USL | US Low | 802.
Enter config 80211a disable network to disable 802.11a operation on the controller. Enter config 80211a enable network to re-enable 802.11a operation.

Configuring Administrator Usernames and Passwords
You can configure administrator usernames and passwords to prevent unauthorized users from reconfiguring the controller and viewing configuration information.
Step 3 Enter config snmp community accessmode ro name to configure an SNMP community name with read-only privileges. Enter config snmp community accessmode rw name to configure an SNMP community name with read-write privileges.
Step 4 Enter config snmp community ipaddr ip-address ip-mask name to configure an IP address and subnet mask for an SNMP community.
Configuring Multicast Mode
If your network supports packet multicasting, you can configure the multicast method that the controller uses. The controller performs multicasting in two modes:
• Unicast mode—In this mode the controller unicasts every multicast packet to every access point associated to the controller. This mode is inefficient but might be required on networks that do not support multicasting.
• When using multiple controllers on the network, make sure that the same multicast address is configured on all the controllers.
• Multicast mode does not work across intersubnet mobility events such as guest tunneling, site-specific VLANs, or interface override using RADIUS.
General WiSM Guidelines
Keep these general guidelines in mind when you add a WiSM to your network:
Note
• The switch ports leading to the controller service port are automatically configured and cannot be manually configured.
• The switch ports leading to the controller data ports should be configured as edge ports to avoid sending unnecessary BPDUs.
Step 7 Step 8 Step 9 Command Purpose
interface port-channel 2
Configure a port-channel to bundle the automatically created Gigabit interfaces 5-8 into an etherchannel.
a. switchport trunk encapsulation dot1q
b. switchport trunk native vlan vlan
c. switchport mode trunk
d. end
interface GigabitEthernet9/1-4
a. switchport trunk encapsulation dot1q
b. switchport trunk native vlan vlan
c.
Using the Wireless LAN Controller Network Module
Keep these guidelines in mind when using a wireless LAN controller network module (CNM) installed in a Cisco Integrated Services Router:
• The controller network module does not support IPSec. To use IPSec with the CNM, configure IPSec on the router in which the CNM is installed. Click this link to browse to IPSec configuration instructions for routers: http://www.
Cisco Wireless LAN Controller Configuration Guide OL-8335-02
CHAPTER 5
Configuring Security Solutions
This chapter describes security solutions for wireless LANs.
Cisco WLAN Solution Security
Cisco WLAN Solution Security includes the following sections:
• Security Overview
• Layer 1 Solutions
• Layer 2 Solutions
• Layer 3 Solutions
• Rogue Access Point Solutions
• Integrated Security Solutions

Security Overview
The Cisco WLAN Solution Security solution bundles potentially complicated Layer 1, Layer 2, and Layer 3 802.
Layer 3 Solutions
The WEP problem can be further solved using industry-standard Layer 3 security solutions, such as VPNs (virtual private networks), L2TP (Layer Two Tunneling Protocol), and IPSec (IP security) protocols. The Cisco WLAN Solution L2TP implementation includes IPSec, and the IPSec implementation includes IKE (internet key exchange), DH (Diffie-Hellman) groups, and three optional levels of encryption: DES (ANSI X.3.
for and notify when active), or marking them as Contained rogue access points (have between one and four Cisco 1000 Series lightweight access points discourage rogue access point clients by sending the clients deauthenticate and disassociate messages whenever they associate with the rogue access point).
Using the GUI to Enable Long Preambles
Use this procedure to use the GUI to enable long preambles to optimize the operation of SpectraLink NetLink phones on your wireless LAN.
Step 1 Log into the controller GUI.
Step 2 Follow this path to navigate to the 802.11b/g Global Parameters page:
Wireless > Global RF > 802.11b/g Network
If the Short Preamble Enabled box is checked, continue with this procedure.
Step 3 Enter config 802.11b disable network to disable the 802.11b/g network. (You cannot enable long preambles on the 802.11a network.)
Step 4 Enter config 802.11b preamble long to enable long preambles.
Step 5 Enter config 802.11b enable network to re-enable the 802.11b/g network.
Step 6 Enter reset system to reboot the controller. Enter y when this prompt appears:
The system has unsaved changes.
Using the CLI to Enable Management over Wireless
Step 1 In the CLI, use the show network command to verify whether the Mgmt Via Wireless Interface is Enabled or Disabled. If Mgmt Via Wireless Interface is Disabled, continue with Step 2. Otherwise, continue with Step 3.
Step 2 To enable Management over Wireless, enter config network mgmt-via-wireless enable.
Using the CLI to Configure DHCP
Follow these steps to use the CLI to configure DHCP.
Step 1 In the CLI, enter show wlan to verify whether you have a valid DHCP server assigned to the WLAN. If you have no DHCP server assigned to the WLAN, continue with Step 2. Otherwise, continue with Step 4.
Default Web Authentication Operation
When web authentication is enabled, clients might receive a web-browser security alert the first time that they attempt to access a URL. Figure 5-1 shows a typical security alert.
Figure 5-2 Typical Web Authentication Login Window
The client must respond with a username and password that you define using the Local Net Users > New Web User page, or using the config netuser add CLI command.
The default Web Authentication Login window contains Cisco WLAN Solution-specific text and a logo in four customizable areas:
• The Cisco WLAN Solution logo in the upper-right corner can be hidden.
Figure 5-3 Typical Successful Login Window
The default login successful window contains a pointer to a virtual gateway address URL, redirect https://1.1.1.1/logout.html. You define this redirect through the Virtual Gateway IP Address parameter in the configuration wizard, the Virtual Gateway Address parameter on the Interfaces GUI page, or by entering the config interface create command in the CLI.
Changing the Web Message
Use this command to change the Web Authentication Login window message:
config custom-web webmessage message
To reset the Web Authentication Login window message to the Cisco WLAN Solution default (“Cisco WLAN Solution is pleased to provide the Wireless LAN infrastructure for your network.
Downloading the Logo or Graphic
Follow these steps to download the image file to the controller:
Step 1 On the CLI, enter transfer download start and answer n to the prompt to view the current download settings:
transfer download start
Mode........................................... TFTP
Data Type...................................... Code
TFTP Server IP................................. xxx.xxx.xxx.xxx
TFTP Path.....
Creating a Custom URL Redirect
Use this command to redirect all web authentication clients to a specific URL (including http:// or https://) after they authenticate:
config custom-web redirecturl url
For example, if you want to redirect all clients to www.AcompanyBC.com, use this command:
config custom-web redirecturl www.AcompanyBC.
Example: Sample Customized Web Authentication Login Window
Figure 5-4 shows a customized Web Authentication Login window and the CLI commands used to create it.
Configuring Identity Networking
These sections explain the Identity Networking feature, how it is configured, and the expected behavior for various security policies:
• Identity Networking Overview
• RADIUS Attributes Used in Identity Networking

Identity Networking Overview
In most wireless LAN systems, each WLAN has a static policy that applies to all clients associated with an SSID.
RADIUS Attributes Used in Identity Networking
This section explains the RADIUS attributes used in Identity Networking.

QoS-Level
This attribute indicates the Quality of Service level to be applied to the mobile client's traffic within the switching fabric, as well as over the air. This example shows a summary of the QoS-Level Attribute format. The fields are transmitted from left to right.
Interface-Name
This attribute indicates the VLAN Interface a client is to be associated to. A summary of the Interface-Name Attribute format is shown below. The fields are transmitted from left to right.
• Tag – The Tag field is one octet in length and is intended to provide a means of grouping attributes in the same packet which refer to the same tunnel. If the value of the Tag field is greater than 0x00 and less than or equal to 0x1F, it should be interpreted as indicating which tunnel (of several alternatives) this attribute pertains.
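The Tag rule above, applied to a whole attribute list, as an added example (not code from this guide or from Cisco). The attribute numbers (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81) and the values 13 (VLAN) and 6 (IEEE 802) come from RFC 2868 and RFC 3580 rather than from this excerpt; the sample bytes are constructed, and treating the group ID as a decimal VLAN ID is an assumption.

```python
from collections import defaultdict

# Attribute numbers and values from RFC 2868 / RFC 3580 (not shown in this excerpt).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


class MalformedAttribute(ValueError):
    """Raised when an attribute cannot be decoded unambiguously."""


def iter_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list (type, length, value)."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise MalformedAttribute("truncated attribute header")
        attr_type, length = data[offset], data[offset + 1]
        # Length counts the two header octets, so anything below 3 carries no value.
        if length < 3 or offset + length > len(data):
            raise MalformedAttribute(f"bad length {length} for attribute {attr_type}")
        yield attr_type, data[offset + 2:offset + length]
        offset += length


def split_tagged_integer(value: bytes):
    """Tag octet plus a three-octet value (Tunnel-Type, Tunnel-Medium-Type)."""
    if len(value) != 4:
        raise MalformedAttribute("tagged integer must be 4 octets")
    tag = value[0]
    if tag > 0x1F:
        raise MalformedAttribute(f"tag 0x{tag:02x} out of range")
    return tag, int.from_bytes(value[1:], "big")


def split_tagged_string(value: bytes):
    """Apply the Tag rule quoted above to a string attribute."""
    first = value[0]
    if 0x00 < first <= 0x1F:
        return first, value[1:]
    return 0, value  # the first octet is string data; the tag is unused


def parse_vlan_id(raw: bytes) -> int:
    """Assumption: the group ID is a decimal VLAN ID in the range 1-4094."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise MalformedAttribute("group ID is not ASCII") from exc
    if not text.isdigit() or not 1 <= int(text) <= 4094:
        raise MalformedAttribute(f"group ID {text!r} is not a valid VLAN ID")
    return int(text)


def resolve_vlans(data: bytes):
    """Return ({tag: vlan_id}, [rejected tags]); incomplete groups fail closed."""
    groups = defaultdict(dict)
    for attr_type, value in iter_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, decoded = split_tagged_integer(value)
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            tag, decoded = split_tagged_string(value)
        else:
            continue  # not a tunnel attribute
        if attr_type in groups[tag]:
            raise MalformedAttribute(f"duplicate attribute {attr_type} for tag {tag}")
        groups[tag][attr_type] = decoded
    accepted, rejected = {}, []
    for tag, attrs in groups.items():
        complete = (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                    and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                    and TUNNEL_PRIVATE_GROUP_ID in attrs)
        if complete:
            accepted[tag] = parse_vlan_id(attrs[TUNNEL_PRIVATE_GROUP_ID])
        else:
            rejected.append(tag)
    return accepted, sorted(rejected)


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute; used only to build the constructed sample below."""
    return bytes([attr_type, len(value) + 2]) + value


# Constructed sample: tag 1 -> VLAN 20, untagged -> VLAN 100, tag 2 incomplete.
SAMPLE = (
    attr(64, b"\x01\x00\x00\x0d") + attr(65, b"\x01\x00\x00\x06") + attr(81, b"\x01" + b"20")
    + attr(64, b"\x00\x00\x00\x0d") + attr(65, b"\x00\x00\x00\x06") + attr(81, b"100")
    + attr(81, b"\x02" + b"30")
)

if __name__ == "__main__":
    print(resolve_vlans(SAMPLE))
```

The untagged group ID "100" begins with 0x31, which is above 0x1F, so the whole value is kept as the string instead of losing its first digit to the Tag field.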
CHAPTER 6
Configuring WLANs
This chapter describes how to configure up to 16 wireless LANs for your Cisco Wireless LAN Solution.
Wireless LAN Overview
The Cisco Wireless LAN Solution can control up to 16 wireless LANs for lightweight access points. Each wireless LAN has a separate wireless LAN ID (1 through 16), a separate wireless LAN SSID (wireless LAN name), and can be assigned unique security policies. Lightweight access points broadcast all active Cisco Wireless LAN Solution wireless LAN SSIDs and enforce the policies that you define for each wireless LAN.
Activating Wireless LANs
After you have completely configured your wireless LAN settings, enter config wlan enable wlan-id to activate the wireless LAN.

Assigning a Wireless LAN to a DHCP Server
Each wireless LAN can be assigned to a DHCP server. Any or all wireless LANs can be assigned to the same DHCP server, and each wireless LAN can be assigned to different DHCP servers.
Configuring a Timeout for Disabled Clients
You can configure a timeout for disabled clients. Clients who fail to authenticate three times when attempting to associate are automatically disabled from further association attempts. After the timeout period expires, the client is allowed to retry authentication until it associates or fails authentication and is excluded again.
• If you want to change the 802.1X encryption level for a wireless LAN, use this command:
config wlan security 802.1X encryption wlan-id [40 | 104 | 128]
– Use the 40 option to specify 40/64-bit encryption.
– Use the 104 option to specify 104/128-bit encryption. (This is the default encryption setting.)
– Use the 128 option to specify 128/152-bit encryption.

WEP Keys
Cisco Wireless LAN Controllers can control static WEP keys across access points.
Configuring a Wireless LAN for Both Static and Dynamic WEP
You can configure up to four wireless LANs to support static WEP keys, and you can also configure dynamic WEP on any of these static-WEP wireless LANs. Follow these guidelines when configuring a wireless LAN for both static and dynamic WEP:
• The static WEP key and the dynamic WEP key must be the same length.
IKE Authentication
IPSec IKE (Internet Key Exchange) uses pre-shared key exchanges, X.509 (RSA Signatures) certificates, and XAuth-psk for authentication. Enter these commands to enable IPSec IKE on a wireless LAN that uses IPSec:
• config wlan security ipsec ike authentication certificates wlan-id
– Use the certificates option to specify RSA signatures.
IPSec Passthrough
IPSec IKE uses IPSec Passthrough to allow IPSec-capable clients to communicate directly with other IPSec equipment. IPSec Passthrough is also known as VPN Passthrough. Enter this command to enable IPSec Passthrough for a wireless LAN:
• config wlan security passthru {enable | disable} wlan-id gateway
– For gateway, enter the IP address of the IPSec (VPN) passthrough gateway.
Table 6-1 Access Point QoS Translation Values
AVVID 802.1p UP-Based Traffic Type | AVVID IP DSCP | AVVID 802.1p UP | IEEE 802.11e UP
Network control | – | 7 | –
Inter-network control (LWAPP control, 802.
Enabling 7920 Support Mode
The 7920 support mode contains two options:
• Support for 7920 phones that require call admission control (CAC) to be configured on and advertised by the client device (these are typically older 7920 phones)
• Support for 7920 phones that require CAC to be configured on and advertised by the access point (these are typically newer 7920 phones)
Note When access-point-controlled CAC is enabled, the access point sends out
CHAPTER 7
Controlling Lightweight Access Points
This chapter describes how to connect access points to the controller and manage access point settings.
Lightweight Access Point Overview
This section describes Cisco lightweight access points.

Cisco 1000 Series IEEE 802.11a/b/g Lightweight Access Points
The Cisco 1000 series lightweight access point is a part of the innovative Cisco Wireless LAN Solution. When associated with controllers as described below, the Cisco 1000 series lightweight access point provides advanced 802.11a and/or 802.
Cisco 1030 Remote Edge Lightweight Access Points
The only exception to the general rule of lightweight access points being continuously controlled by Cisco Wireless LAN Controllers is the Cisco 1030 IEEE 802.11a/b/g remote edge lightweight access point (Cisco 1030 remote edge lightweight access point).
Note that the Cisco 1030 remote edge lightweight access point must have a DHCP server available on its local subnet, so it can obtain an IP address upon reboot. Also note that the Cisco 1030 remote edge lightweight access points at each remote location must be on the same subnet to allow client roaming.

Cisco 1000 Series Lightweight Access Point Part Numbers
The Cisco 1000 series lightweight access point includes one 802.
Note that the wireless LAN operator can disable either one of each pair of the Cisco 1000 series lightweight access point internal antennas to produce a 180-degree sectorized coverage area. This feature can be useful, for instance, for outside-wall mounting locations where coverage is only desired inside the building, and in a back-to-back arrangement that can allow twice as many clients in a given area.
Cisco 1000 Series Lightweight Access Point Connectors
The AP1020 and AP1030 Cisco 1000 series lightweight access points have the following external connectors:
• One RJ-45 Ethernet jack, used for connecting the Cisco 1000 series lightweight access point to the network.
• One 48 VDC power input jack, used to plug in an optional factory-supplied external power adapter.
Cisco 1000 Series Lightweight Access Point External Power Supply
The Cisco 1000 series lightweight access point can receive power from an external 110-220 VAC-to-48 VDC power supply or from Power over Ethernet equipment. The external power supply (AIR-PWR-1000) plugs into a secure 110 through 220 VAC electrical outlet. The converter produces the required 48 VDC output for the Cisco 1000 series lightweight access point.
Dynamic Frequency Selection
The Cisco Wireless LAN solution complies with regulations in Europe and Singapore that require radio devices to use Dynamic Frequency Selection (DFS) to detect radar signals and avoid interfering with them.
Autonomous Access Points Converted to Lightweight Mode
You can use an upgrade conversion tool to convert autonomous Cisco Aironet 1130AG, 1200, and 1240AG Series Access Points to lightweight mode. When you upgrade one of these access points to lightweight mode, the access point communicates with a wireless LAN controller and receives a configuration and software image from the controller.
Using a Controller to Return to a Previous Release
Follow these steps to revert from lightweight mode to autonomous mode using a wireless LAN controller:
Step 1 Log into the CLI on the controller to which the access point is associated.
Controllers Accept SSCs from Access Points Converted to Lightweight Mode
The lightweight access point protocol (LWAPP) secures the control communication between the access point and controller by means of a secure key distribution requiring X.509 certificates on both the access point and controller. LWAPP relies on a priori provisioning of the X.509 certificates.
Converted Access Points Send Crash Information to Controller
When a converted access point unexpectedly reboots, the access point stores a crash file on its local flash memory at the time of crash. After the unit reboots, it sends the reason for the reboot to the controller.
Disabling the Reset Button on Access Points Converted to Lightweight Mode
You can disable the reset button on access points converted to lightweight mode. The reset button is labeled MODE on the outside of the access point.
CHAPTER 8
Managing Controller Software and Configurations
This chapter describes how to manage configurations and software versions on the controllers.
Transferring Files to and from a Controller
Controllers have built-in utilities for uploading and downloading software, certificates, and configuration files.
Step 5 Enter transfer download start and answer n to the prompt to view the current download settings. This example shows the command output:
>transfer download start
Mode...........................................
Data Type......................................
TFTP Server IP.................................
TFTP Path......................................
TFTP Filename..................................
Step 8 The controller now has the code update in active volatile RAM, but you must enter reset system to save the code update to non-volatile NVRAM and reboot the Cisco Wireless LAN Controller:
reset system
The system has unsaved changes.
Would you like to save them now? (y/n) y
The controller completes the bootup process.

Saving Configurations
Controllers contain two kinds of memory: volatile RAM and NVRAM.
Step 3 Follow the instructions in the “Using the Configuration Wizard” section on page 4-2 to complete the initial configuration.

Resetting the Controller
You can reset the controller and view the reboot process on the CLI console using one of the following two methods:
• Turn the controller off and then turn it back on.
• On the CLI, enter reset system.
CHAPTER 9
Configuring Radio Resource Management
This chapter describes radio resource management (RRM) and explains how to configure it on the controllers.
Overview of Radio Resource Management
The radio resource management (RRM) software embedded in the controller acts as a built-in RF engineer to consistently provide real-time RF management of your wireless network. RRM enables controllers to continually monitor their associated lightweight access points for the following information:
• Traffic load—The total bandwidth used for transmitting and receiving traffic.
Dynamic Channel Assignment
Two adjacent access points on the same channel can cause either signal contention or signal collision. In the case of a collision, data is simply not received by the access point. This functionality can become a problem, for example, when someone reading e-mail in a café affects the performance of the access point in a neighboring business.
The controller combines this RF characteristic information with RRM algorithms to make system-wide decisions. Conflicting demands are resolved using soft-decision metrics that guarantee the best choice for minimizing network interference.
RRM Benefits

RRM produces a network with optimal capacity, performance, and reliability while enabling you to avoid the cost of laborious historical data interpretation and individual lightweight access point reconfiguration. It also frees you from having to continually monitor the network for noise and interference problems, which can be transient and difficult to troubleshoot.
The RF group leader analyzes real-time radio data collected by the system and calculates the master power and channel plan. The RRM algorithms try to optimize around a signal strength of –65 dBm between all access points and to avoid 802.11 co-channel interference and contention as well as non-802.11 interference. The RRM algorithms employ dampening calculations to minimize system-wide dynamic changes.
Using the GUI to Configure an RF Group

Follow these steps to create an RF group using the GUI.

Step 1 Click Controller > General to access the General page (see Figure 9-1).
Figure 9-1 General Page
Step 2 Enter a name for the RF group in the RF-Network Name field. The name can contain up to 19 ASCII characters.
Step 3 Click Save Configuration to save your changes.
Using the CLI to Configure RF Groups

Follow these steps to configure an RF group using the CLI.

Step 1 Enter config network rf-network-name name to create an RF group.
Note Enter up to 19 ASCII characters for the group name.
Step 2 Enter show network to view the RF group.
Step 3 Repeat this procedure for each controller that you want to include in the RF group.
Step 2 Under Global RF, click either 802.11a Network or 802.11b/g Network to access the Global Parameters page (see Figure 9-3).
Figure 9-3 Global Parameters Page
Step 3 Click Auto RF to access the Global Parameters > Auto RF page (see Figure 9-4).
Figure 9-4 Global Parameters > Auto RF Page
The top of this page shows the details of the RF group, specifically how often the group information is updated (600 seconds by default), the MAC address of the RF group leader, whether this particular controller is the group leader, the last time the group information was updated, and the MAC addresses of all group members.
Note Automatic RF grouping, which is set through the Group Mode check box, is enabled by default.
Step 4
Enabling Rogue Access Point Detection

After you have created an RF group of controllers, you need to configure the access points connected to the controllers to detect rogue access points. The access points will then check the beacon/probe-response frames in neighboring access point messages to see if they contain an authentication information element (IE) that matches that of the RF group.
Figure 9-6 All APs > Details Page
Step 4 Choose either local or monitor from the AP Mode drop-down box and click Save Configuration to save your changes.
Step 5 Repeat Step 2 through Step 4 for every access point connected to the controller.
Step 6 Click Security > AP Authentication (under Wireless Protection Policies) to access the AP Authentication Policy page (see Figure 9-7).
Figure 9-7 AP Authentication Policy Page
The name of the RF group to which this controller belongs appears at the bottom of the page.
Step 7 Check the Enable AP Neighbor Authentication check box to enable rogue access point detection.
Step 8 Enter a number in the Alarm Trigger Threshold edit box to specify when a rogue access point alarm is generated.
Using the CLI to Enable Rogue Access Point Detection

Follow these steps to enable rogue access point detection using the CLI.

Step 1 Make sure that each controller in the RF group has been configured with the same RF group name.
Note The name is used to verify the authentication IE in all beacon frames. If the controllers have different names, false alarms will occur.
Using the GUI to Configure Dynamic RRM

Follow these steps to configure dynamic RRM parameters using the GUI.

Step 1 Access the Global Parameters > Auto RF page (see Figure 9-4).
Note Click Set to Factory Default at the bottom of the page if you want to return all of the controller’s RRM parameters to their factory default values.
Step 2 Table 9-1 lists and describes the configurable RRM parameters.
Table 9-1 RRM Parameters (continued)

RF Channel Assignment

Parameter: Channel Assignment Method
Description: The controller’s dynamic channel assignment mode.
Options: Automatic, On Demand, or Off
Default: Automatic

Channel Assignment Method: Automatic
Description: Causes the controller to periodically evaluate and, if necessary, update the channel assignment for all joined access points.
Table 9-1 RRM Parameters (continued)

Parameter: Avoid Cisco AP Load
Description: Causes the controller’s RRM algorithms to consider 802.11 traffic from Cisco lightweight access points in your wireless network when assigning channels. For example, RRM can assign better reuse patterns to access points that carry a heavier traffic load.
Options: Enabled or Disabled
Default: Disabled

Parameter: Avoid Non-802.11a (802.
Table 9-1 RRM Parameters (continued)

Tx Power Level Assignment

Parameter: Power Level Assignment Method
Description: The controller’s dynamic power assignment mode.
Options: Automatic, On Demand, or Fixed
Default: Automatic

Power Level Assignment Method: Automatic
Description: Causes the controller to periodically evaluate and, if necessary, update the transmit power for all joined access points.
Table 9-1 RRM Parameters (continued)

The following non-configurable transmit power level parameter settings are also shown:
• Power Threshold and Power Neighbor Count—These parameters are used to fine tune the power control. The objective is to limit power so that at most the neighbor count access points receive the signal of each access point above a power threshold.
Table 9-1 RRM Parameters (continued)

Parameter: Client Min Exception Level (1 to 75)
Description: The minimum number of clients on an access point with a signal-to-noise ratio (SNR) below the Coverage threshold. This threshold works in conjunction with the Coverage and Coverage Exception Level thresholds.
Table 9-1 RRM Parameters (continued)

Parameter: Signal Measurement
Description: How frequently the access point measures signal strength and how frequently neighbor packets (messages) are sent, which eventually builds the neighbor list.
Range: 60 to 3600 seconds
Default: 60 seconds

Parameter: Coverage Measurement
Description: How frequently the access point measures the coverage area and passes this information to the controller.
Step 3 Perform one of the following:
• To have RRM automatically set the transmit power for all 802.11a or 802.11b/g radios at periodic intervals, enter one of these commands:
  – config 802.11a txPower global auto
  – config 802.11b txPower global auto
• To have RRM automatically reset the transmit power for all 802.11a or 802.11b/g radios one time, enter one of these commands:
  – config 802.11a txPower global once
  – config 802.
Statically Assigning Channel and Transmit Power Settings to Access Point Radios

This section provides instructions for statically assigning channel and power settings using the GUI or CLI.

Note Cisco recommends that you assign different nonoverlapping channels to access points that are within close proximity to each other. The nonoverlapping channels in the U.S. are 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, and 161 in an 802.
Figure 9-9 Cisco APs > Configure Page
Step 4 To assign an RF channel to the access point radio, choose Custom for the Assignment Method under RF Channel Assignment and choose a channel from the drop-down box.
Step 5 To assign a transmit power level to the access point radio, choose Custom for the Assignment Method under Tx Power Level Assignment and choose a transmit power level from the drop-down box.
Using the CLI to Statically Assign Channel and Transmit Power Settings

Follow these steps to statically assign channel and/or power settings on a per access point radio basis using the CLI.

Step 1 Step 2 Enter one of these commands to disable the 802.11a or 802.11b/g network:
• config 802.11a disable
• config 802.
Disabling Dynamic Channel and Power Assignment Globally for a Controller

This section provides instructions for disabling dynamic channel and power assignment using the GUI or CLI.

Using the GUI to Disable Dynamic Channel and Power Assignment

Follow these steps to disable dynamic channel and power assignment using the GUI.

Step 1 Click Wireless to access the All APs page (see Figure 9-2).
Viewing Additional RRM Settings Using the CLI

Use these commands to view additional 802.11a and 802.11b/g RRM settings:
• show advanced 802.11a ?
• show advanced 802.11b ?

where ? is one of the following:
CCX—Shows the Cisco Compatible Extensions (CCX) RRM configuration.
channel—Shows the channel assignment configuration and statistics.
logging—Shows the RF event and performance logging.
CHAPTER 10
Configuring Mobility Groups

This chapter describes mobility groups and explains how to configure them on the controllers.
Overview of Mobility

Mobility, or roaming, is a wireless LAN client’s ability to maintain its association seamlessly from one access point to another securely and with as little latency as possible. This section explains how mobility works when controllers are included in a wireless network.
The process becomes more complicated, however, when a client roams from an access point joined to one controller to an access point joined to a different controller. It also varies based on whether the controllers are operating on the same subnet. Figure 10-2 illustrates inter-controller roaming, which occurs when the controllers’ wireless LAN interfaces are on the same IP subnet.
Figure 10-3 Inter-Subnet Roaming

Inter-subnet roaming is similar to inter-controller roaming in that the controllers exchange mobility messages on the client roam. However, instead of moving the client database entry to the new controller, the original controller marks the client with an “Anchor” entry in its own client database.
Note Both inter-controller roaming and inter-subnet roaming require the controllers to be in the same mobility group. See the next two sections for a description of mobility groups and instructions for configuring them.

Overview of Mobility Groups

A set of controllers can be configured as a mobility group to allow seamless client roaming within a group of controllers.
As shown above, each controller is configured with a list of the other members of the mobility group. Whenever a new client joins a controller, the controller sends out a unicast message to all of the controllers in the mobility group. The controller to which the client was previously connected passes on the status of the client. All mobility exchange traffic between controllers is carried over an LWAPP tunnel.
Note Clients may roam between access points in different mobility groups, provided they can hear them. However, their session information is not carried between controllers in different mobility groups.
• All controllers must be configured with the same virtual interface IP address.
Note If necessary, you can change the virtual interface IP address by editing the virtual interface name on the Controller > Interfaces page. See Chapter 3 for more information on the controller’s virtual interface.
This page shows the mobility group name in the Default Mobility Group field and lists the MAC address and IP address of each controller that is currently a member of the mobility group. The first entry is the local controller, which cannot be deleted.
Note Click Remove if you want to delete any of the remote controllers from the mobility group.
Step 2
e. Repeat Step a through Step d to add all of the controllers in the mobility group.
f. Repeat this procedure on every controller to be included in the mobility group. All controllers in the mobility group must be configured with the MAC address and IP address of all other mobility group members.
Step 4
Using the CLI to Configure Mobility Groups

Follow these steps to configure mobility groups using the CLI.

Step 1 Enter show mobility summary to check the current mobility settings.
Step 2 Enter config mobility group name group_name to create a mobility group.
Note Enter up to 31 case-sensitive ASCII characters for the group name. Spaces are not allowed in mobility group names.
Step 3
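The RF group and mobility group rules stated in Chapters 9 and 10 (same RF group name on every controller, same virtual interface IP address, and every controller listing the MAC and IP address of every other member) can be checked offline before rollout. The following is an added example, not code from the guide or from Cisco; the inventory format, field names, and the helper names `name_problems`, `peer_key`, and `audit_groups` are assumptions, and the sample data is constructed.

```python
from ipaddress import ip_address

RF_GROUP_MAX = 19        # guide: RF group name, up to 19 ASCII characters
MOBILITY_GROUP_MAX = 31  # guide: up to 31 case-sensitive ASCII characters, no spaces

# Constructed inventory (not from the guide). Field names are hypothetical.
SAMPLE_CONTROLLERS = [
    {"name": "wlc-1", "mac": "02:00:00:00:00:01", "ip": "192.0.2.11",
     "virtual_ip": "192.0.2.254", "rf_group": "campus-rf",
     "mobility_group": "campus-mob",
     "mobility_members": [("02:00:00:00:00:02", "192.0.2.12"),
                          ("02:00:00:00:00:03", "192.0.2.13")]},
    {"name": "wlc-2", "mac": "02:00:00:00:00:02", "ip": "192.0.2.12",
     "virtual_ip": "192.0.2.254", "rf_group": "campus-rf",
     "mobility_group": "campus-mob",
     "mobility_members": [("02-00-00-00-00-01", "192.0.2.11"),
                          ("02:00:00:00:00:03", "192.0.2.13")]},
    # wlc-3 carries three constructed mistakes: RF group name case,
    # a different virtual interface IP, and a wrong IP for wlc-2.
    {"name": "wlc-3", "mac": "02:00:00:00:00:03", "ip": "192.0.2.13",
     "virtual_ip": "192.0.2.253", "rf_group": "Campus-RF",
     "mobility_group": "campus-mob",
     "mobility_members": [("02:00:00:00:00:01", "192.0.2.11"),
                          ("02:00:00:00:00:02", "192.0.2.21")]},
]


def name_problems(value, max_len, allow_spaces):
    """Return the reasons a group name breaks the limits stated in the guide."""
    problems = []
    if not value:
        problems.append("is empty")
    if len(value) > max_len:
        problems.append(f"is longer than {max_len} characters")
    if not value.isascii():
        problems.append("contains non-ASCII characters")
    if not allow_spaces and " " in value:
        problems.append("contains a space")
    return problems


def peer_key(mac, ip):
    """Normalise a (MAC, IP) pair so formatting differences are not findings."""
    return (mac.strip().lower().replace("-", ":"), str(ip_address(ip.strip())))


def audit_groups(controllers):
    """Return (controller_name, finding) tuples; '*' marks a group-wide finding."""
    findings = []

    # Per-controller name limits. The guide forbids spaces only for
    # mobility group names, so RF group names are not checked for them.
    for c in controllers:
        for p in name_problems(c["rf_group"], RF_GROUP_MAX, True):
            findings.append((c["name"], f"RF group name {p}"))
        for p in name_problems(c["mobility_group"], MOBILITY_GROUP_MAX, False):
            findings.append((c["name"], f"mobility group name {p}"))

    # Values that must be identical on every controller. Comparison is
    # exact, so a case difference is reported as a mismatch.
    for field, label in (("rf_group", "RF group name"),
                         ("mobility_group", "mobility group name"),
                         ("virtual_ip", "virtual interface IP")):
        values = sorted({c[field] for c in controllers})
        if len(values) > 1:
            findings.append(("*", f"{label} differs across controllers: {values}"))

    # Every controller must list the MAC and IP of every other member.
    identity = {c["name"]: peer_key(c["mac"], c["ip"]) for c in controllers}
    for c in controllers:
        configured = {peer_key(m, i) for m, i in c["mobility_members"]}
        expected = {k for n, k in identity.items() if n != c["name"]}
        for mac, ip in sorted(expected - configured):
            findings.append((c["name"], f"missing mobility member {mac} {ip}"))
        for mac, ip in sorted(configured - expected):
            findings.append((c["name"], f"unknown mobility member {mac} {ip}"))
    return findings


if __name__ == "__main__":
    for who, what in audit_groups(SAMPLE_CONTROLLERS):
        print(f"{who}: {what}")
```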
WLAN and creates a foreign session for the client on the local switch. Packets from the client are encapsulated through a mobility tunnel using EtherIP and sent to the anchor controller, where they are decapsulated and delivered to the wired network. Packets to the client are received by the anchor controller and forwarded to the foreign controller through a mobility tunnel using EtherIP.
Figure 10-9 WLANs Page
Step 2 On the WLANs page, click the Mobility Anchors link for the desired WLAN. The Mobility Anchors page for that WLAN appears (see Figure 10-10).
Figure 10-10 Mobility Anchors Page
Step 3 Select the IP address of the controller to be designated a mobility anchor in the Switch IP Address (Anchor) drop-down box.
Step 4 Click Mobility Anchor Create. The selected controller becomes an anchor for this WLAN.
Using the CLI to Configure Auto-Anchor Mobility

Use these commands to configure auto-anchor mobility using the CLI.

1. Enter config wlan disable wlan-id to disable the WLAN for which you are configuring anchor controllers.
2.
APPENDIX A
Safety Considerations and Translated Safety Warnings

This appendix lists safety considerations and translations of the safety warnings that apply to the Cisco Unified Wireless Network Solution products.
Safety Considerations

Keep these guidelines in mind when installing Cisco Wireless LAN Solution products:
• The Cisco 1000 Series lightweight access points with or without external antenna ports are only intended for installation in Environment A as defined in IEEE 802.3af. All interconnected equipment must be contained within the same building including the interconnected equipment's associated LAN connections.
Warning Definition

Warning IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. The situation can cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.
Warning IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause bodily injury. Before you begin using any equipment, be aware of the hazards involved in handling electrical circuits and familiarize yourself with standard accident-prevention practices.
Class 1 Laser Product Warning

Note The 1000BASE-SX and 1000BASE-LX SFP modules and AIR-WLC4112-K9, AIR-WLC4124-K9, and AIR-WLC4136-K9 Cisco 4100 Series Wireless LAN Controllers contain Class 1 Lasers (Laser Klasse 1) according to EN 60825-1+A1+A2.
Warning Class 1 laser product. Statement 1008
Warning Class 1 laser product.
Ground Conductor Warning

Warning This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor. Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available. Statement 1024
Warning This equipment must be grounded. Never defeat the ground conductor or operate the equipment without a properly installed ground conductor. If you are not sure whether proper grounding is available, contact the appropriate inspection authority or an electrician.
Warning This equipment must be grounded.
Chassis Warning for Rack-Mounting and Servicing

Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety:
• This unit should be mounted at the bottom of the rack if it is the only unit in the rack.
Warning When the unit is mounted in a rack or serviced while it is in the rack, special precautions must be taken to keep the system stable in order to avoid injury. Follow these safety guidelines:
• If there are no other units in the rack, mount the unit at the bottom of the rack.
Warning To prevent bodily injury when mounting or repairing this unit in a rack, you must take special precautions to make sure that the system has stable support.
Warning To avoid bodily injury when mounting or servicing this unit in a rack, you must take every precaution to ensure the stability of the system. The following guidelines are provided to ensure your safety:
• If this is the only unit, it should be mounted at the bottom of the rack.
Battery Handling Warning for 4400 Series Controllers

Warning There is the danger of explosion if the Cisco 4400 Series Wireless LAN Controller battery is replaced incorrectly. Replace the battery only with the same or equivalent type recommended by the manufacturer. Dispose of used batteries according to the manufacturer’s instructions.
Warning There is a danger of explosion if an incorrect battery is inserted. Replace the battery only with the same type or the type recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.
Warning Danger of explosion if the battery is not installed correctly.
Equipment Installation Warning

Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030
Warning This equipment may be installed, replaced, or repaired only by authorized, trained personnel.
Warning This equipment may be installed, replaced, or serviced only by trained personnel who are familiar with the equipment.
Warning Only qualified personnel should install, replace, or use this equipment.
Warning Only trained and qualified personnel should be allowed to install, replace, or repair this equipment.
Warning Only a trained and qualified team is permitted to install, replace, or service this equipment.
More Than One Power Supply Warning for 4400 Series Controllers

Warning The Cisco 4400 Series Wireless LAN Controller might have more than one power supply connection. All connections must be removed to de-energize the unit. Statement 1028
Warning This unit might have more than one power supply connection.
Warning This unit might have more than one power supply connection. All connections must be removed to interrupt power to the unit.
Warning This unit might have more than one power supply connection. All connections must be removed to de-energize the unit.
APPENDIX B
Declarations of Conformity and Regulatory Information

This appendix provides declarations of conformity and regulatory information for the products in the Cisco Unified Wireless Network Solution.
Regulatory Information for 1000 Series Access Points

This section contains regulatory information for 1000 series access points.
occur. If this equipment does cause interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to correct the interference by one of the following measures:
• Reorient or relocate the receiving antenna.
• Increase separation between the equipment and receiver.
European Community, Switzerland, Norway, Iceland, and Liechtenstein

Model: AIR-AP1010-E-K9, AIR-AP1020-E-K9, AIR-AP1030-E-K9

Declaration of Conformity with Regard to the R&TTE Directive 1999/5/EC

English: This equipment is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
Note This equipment is intended to be used in all EU and EFTA countries. Outdoor use may be restricted to certain frequencies and/or may require a license for operation. For more details, contact Cisco Corporate Compliance.

For 54 Mbps, 5 GHz access points, the following standards were applied:
• Radio: EN 301.893
• EMC: EN 301.489-1, EN 301.
Guidelines for Operating Cisco Aironet Access Points in Japan

This section provides guidelines for avoiding interference when operating Cisco Aironet access points in Japan. These guidelines are provided in both Japanese and English.
Administrative Rules for Cisco Aironet Access Points in Taiwan

This section provides administrative rules for operating Cisco Aironet access points in Taiwan. The rules are provided in both Chinese and English.

Access Points with IEEE 802.11a Radios

Chinese Translation

English Translation
This equipment is limited for indoor use.
English Translation

Administrative Rules for Low-power Radio-Frequency Devices

Article 12 For those low-power radio-frequency devices that have already received a type-approval, companies, business units or users should not change its frequencies, increase its power or change its original features and functions.
FCC Statements for Cisco 4100 Series Wireless LAN Controllers and Cisco 4400 Series Wireless LAN Controllers

The Cisco 4100 Series Wireless LAN Controller and Cisco 4400 Series Wireless LAN Controller equipment has been tested
APPENDIX C
End User License and Warranty

This appendix describes the end user license and warranty that apply to the Cisco Unified Wireless Network Solution products:
• Cisco 1000 Series Lightweight Access Points
• Cisco 2000 Series Wireless LAN Controllers
• Cisco 2700 Series Location Appliances
• Cisco 4100 Series Wireless LAN Controllers
• Cisco 4400 Series Wireless LAN Controllers
• Cisco Wireless Services Modules

This appendix contains these sections:
• End User License Agreement,
End User License Agreement

IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. DOWNLOADING, INSTALLING OR USING CISCO OR CISCO-SUPPLIED SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT. CISCO IS WILLING TO LICENSE THE SOFTWARE TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT.
(ii) make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do the same;
(iii) reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human-readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction;
(iv) use or permit the Software to be used to perform se
Term and Termination. This Agreement and the license granted herein shall remain effective until terminated. Customer may terminate this Agreement and the license at any time by destroying all copies of Software and any Documentation. Customer’s rights under this Agreement will terminate immediately without notice from Cisco if Customer fails to comply with any provision of this Agreement.
replacement parts used in Hardware replacement may be new or equivalent to new. Cisco's obligations hereunder are conditioned upon the return of affected Hardware in accordance with Cisco's or its service center's then-current Return Material Authorization (RMA) procedures.
Disclaimer of Warranty

DISCLAIMER OF WARRANTY EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, SATISFACTORY QUALITY, NON-INTERFERENCE, ACCURACY OF INFORMATIONAL CONTENT, OR ARISING FRO
the parties with respect to the license of the Software and Documentation and supersedes any conflicting or additional terms contained in any purchase order or elsewhere, all of which terms are excluded. This Agreement has been written in the English language, and the parties agree that the English version will govern.
Appendix C End User License and Warranty Additional Open Source Terms Cisco Wireless LAN Controller Configuration Guide C-8 OL-8335-02
Appendix D System Messages and Access Point LED Patterns

This appendix lists system messages that can appear on the Cisco Unified Wireless Network Solution interfaces and describes the LED patterns on lightweight access points.
System Messages

Table D-1 lists system messages and descriptions.

Table D-1 System Messages and Descriptions

Error Message              Description
STATION_DISASSOCIATE       Client may have intentionally terminated usage or may have experienced a service disruption.
STATION_DEAUTHENTICATE     Client may have intentionally terminated usage or it could indicate an authentication issue.
Table D-1 System Messages and Descriptions (continued)

Error Message                              Description
LRADIF_CURRENT_CHANNEL_CHANGED             Informational message.
LRADIF_RTS_THRESHOLD_CHANGED               Informational message.
LRADIF_ED_THRESHOLD_CHANGED                Informational message.
LRADIF_FRAGMENTATION_THRESHOLD_CHANGED     Informational message.
RRM_DOT11_A_GROUPING_DONE                  Informational message.
RRM_DOT11_B_GROUPING_DONE                  Informational message.
Table D-1 System Messages and Descriptions (continued)

Error Message                  Description
SENSED_TEMPERATURE_LOW         Check room temperature and/or other reasons for low temperature.
TEMPERATURE_SENSOR_FAILURE     Replace temperature sensor ASAP.
TEMPERATURE_SENSOR_CLEAR       Temperature sensor is operational.
POE_CONTROLLER_FAILURE         Check ports — possible serious failure detected.
Using Client Reason and Status Codes in Trap Logs

Table D-2 Client Reason Code Descriptions and Meanings (continued)

Client Reason Code   Description                      Meaning
2                    previousAuthNotValid             Client associated but not authorized.
3                    deauthenticationLeaving          The access point went offline, deauthenticating the client.
4                    disassociationDueToInactivity    Client session timeout exceeded.
Using Lightweight Access Point LEDs

This table describes the meaning of LED patterns on lightweight access points.

Table D-4 Cisco 1000 Series Lightweight Access Point LED Conditions and Status

LED Conditions                                Status
Power      Alarm   2.4 GHz     5 GHz
Green on   off     on or off   on or off      Controller found, code OK, normal status.
Green on   off     Yellow on   on or off      802.11b/g activity.