Cisco Wireless Controller Configuration Guide, Release 8.0 Americas Headquarters


Cisco Wireless Controller Configuration Guide, Release 8.0

First Published: August 18, 2014

Last Modified: July 27, 2015

Americas Headquarters

Cisco Systems, Inc.

170 West Tasman Drive

San Jose, CA 95134-1706

USA

http://www.cisco.com

Tel: 408 526-4000

800 553-NETS (6387)

Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2002-2015 Cisco Systems, Inc. All rights reserved.

Contents

Preface liii
  Audience liii
  Conventions liii
  Related Documentation liv
  Obtaining Documentation and Submitting a Service Request lv

Part I  System Management 1

Chapter 1  Cisco Wireless Solution Overview 3
  Introduction 3
  Single-Controller Deployments 4
  Multiple-Controller Deployments 5
  Operating System Software 5
  Operating System Security 6
  Layer 2 and Layer 3 Operation 6
  Operational Requirements 7
  Configuration Requirements 7
  Cisco Wireless Controllers 7
  Client Location 7
  Cisco WLC Platforms 8
  Cisco Wireless Solution WLANs 8
  File Transfers 8
  Power over Ethernet 8
  Cisco Wireless Controller Memory 9
  Cisco Wireless Controller Failover Protection 9

Chapter 2  Getting Started 11

Cisco Wireless Controller Configuration Guide, Release 8.0 iii

Contents

  Configuring the Controller Using the Configuration Wizard 11
  Connecting the Console Port of the Controller 12
  Configuring the Controller (GUI) 12
  Configuring the Controller—Using the CLI Configuration Wizard 23
  Using the Controller GUI 26
  Guidelines and Limitations 26
  Logging On to the GUI 27
  Logging out of the GUI 27
  Enabling Web and Secure Web Modes 27
  Enabling Web and Secure Web Modes (GUI) 27
  Enabling Web and Secure Web Modes (CLI) 28
  Loading an Externally Generated SSL Certificate 29
  Information About Externally Generated SSL Certificates 29
  Loading an SSL Certificate (GUI) 30
  Loading an SSL Certificate (CLI) 31
  Cisco WLAN Express for Cisco Wireless Controllers 32
  Overview of Cisco WLAN Express 32
  Restrictions for Cisco WLAN Express 35
  Setting up Cisco Wireless Controller using Cisco WLAN Express (Wired Method) 35
  RF Profile Configurations 37
  Setting up Cisco Wireless Controller using Cisco WLAN Express (Wireless Method) 37
  Default Configurations 37
  Using the Controller CLI 39
  Logging on to the Controller CLI 39
  Guidelines and Limitations 39
  Using a Local Serial Connection 39
  Using a Remote Ethernet Connection 40
  Logging Out of the CLI 41
  Navigating the CLI 41
  Using the AutoInstall Feature for Controllers Without a Configuration 42
  Information About the AutoInstall Feature 42
  Restrictions on AutoInstall 43
  Obtaining an IP Address Through DHCP and Downloading a Configuration File from a TFTP Server 43


  Selecting a Configuration File 44
  Example: AutoInstall Operation 45
  Managing the Controller System Date and Time 46
  Information About Controller System Date and Time 46
  Restrictions on Configuring the Cisco WLC Date and Time 46
  Configuring an NTP/SNTP Server to Obtain the Date and Time 46
  Configuring NTP/SNTP Authentication (GUI) 47
  Configuring NTP/SNTP Authentication (CLI) 47
  Configuring the Date and Time (GUI) 48
  Configuring the Date and Time (CLI) 49
  Telnet and Secure Shell Sessions 51
  Information About Telnet and SSH 51
  Restrictions for Telnet and SSH 51
  Configuring Telnet and SSH Sessions (GUI) 51
  Configuring Telnet and SSH Sessions (CLI) 52
  Configuring Telnet Privileges for Selected Management Users (GUI) 54
  Configuring Telnet Privileges for Selected Management Users (CLI) 54
  Troubleshooting Access Points Using Telnet or SSH 54
  Troubleshooting Access Points Using Telnet or SSH (GUI) 55
  Troubleshooting Access Points Using Telnet or SSH (CLI) 55
  Managing the Controller Wirelessly 56
  Enabling Wireless Connections (GUI) 56
  Enabling Wireless Connections (CLI) 56

Chapter 3  Managing Licenses 57
  Installing and Configuring Licenses 57
  Information About Installing and Configuring Licenses 57
  Restrictions for Using Licenses 58
  Obtaining an Upgrade or Capacity Adder License 58
  Information About Obtaining an Upgrade or Capacity Adder License 58
  Obtaining and Registering a PAK Certificate 59
  Installing a License 60
  Installing a License (GUI) 60
  Installing a License (CLI) 61
  Viewing Licenses 61


  Viewing Licenses (GUI) 61
  Viewing Licenses (CLI) 62
  Configuring the Maximum Number of Access Points Supported 65
  Configuring Maximum Number of Access Points to be Supported (GUI) 65
  Configuring Maximum Number of Access Points to be Supported (CLI) 65
  Troubleshooting Licensing Issues 65
  Activating an AP-Count Evaluation License 66
  Information About Activating an AP-Count Evaluation License 66
  Activating an AP-Count Evaluation License (GUI) 66
  Activating an AP-Count Evaluation License (CLI) 67
  Configuring Right to Use Licensing 68
  Information About Right to Use Licensing 68
  Configuring Right to Use Licensing (GUI) 69
  Configuring Right to Use Licensing (CLI) 69
  Rehosting Licenses 70
  Information About Rehosting Licenses 70
  Rehosting a License 71
  Rehosting a License (GUI) 71
  Rehosting a License (CLI) 72
  Transferring Licenses to a Replacement Controller after an RMA 73
  Information About Transferring Licenses to a Replacement Controller after an RMA 73
  Transferring a License to a Replacement Controller after an RMA 74
  Configuring the License Agent 74
  Information About Configuring the License Agent 74
  Configuring the License Agent (GUI) 75
  Configuring the License Agent (CLI) 75

Chapter 4  Configuring 802.11 Bands 77
  Configuring 802.11 Bands 77
  Information About Configuring 802.11 Bands 77
  Configuring the 802.11 Bands (GUI) 77
  Configuring the 802.11 Bands (CLI) 79
  Configuring Band Selection 81
  Information About Configuring Band Selection 81


  Band Selection Algorithm 81
  Restrictions on Band Selection 82
  Configuring Band Selection 82
  Configuring Band Selection (GUI) 82
  Configuring Band Selection (CLI) 83

Chapter 5  Configuring 802.11 Parameters 85
  Configuring the 802.11n Parameters 85
  Information About Configuring the 802.11n Parameters 85
  Configuring the 802.11n Parameters (GUI) 86
  Configuring the 802.11n Parameters (CLI) 87
  Configuring 802.11h Parameters 88
  Information About Configuring 802.11h Parameters 88
  Configuring the 802.11h Parameters (GUI) 89
  Configuring the 802.11h Parameters (CLI) 89
  Configuring the 802.11ac Parameters 90
  Information About Configuring the 802.11ac Parameters 90
  Restrictions for 802.11ac Support 91
  Configuring the 802.11ac High-Throughput Parameters (GUI) 92
  Configuring the 802.11ac High-Throughput Parameters (CLI) 92

Chapter 6  Configuring DHCP Proxy 93
  Information About Configuring DHCP Proxy 93
  Restrictions on Using DHCP Proxy 93
  Configuring DHCP Proxy (GUI) 94
  Configuring DHCP Proxy (GUI) 94
  Configuring DHCP Proxy (CLI) 94
  Configuring DHCP Proxy (CLI) 95
  Configuring a DHCP Timeout (GUI) 95
  Configuring a DHCP Timeout (CLI) 95

Chapter 7  Configuring DHCP Link Select and VPN Select 97
  Prerequisites for Configuring DHCP Link Select and VPN Select 97
  Information About Configuring DHCP Link Select and VPN Select 97
  DHCP Link Select 98


  DHCP VPN Select 98
  Mobility Considerations 98
  Configuring DHCP Link Select and VPN Select (CLI) 99
  Configuring DHCP Link Select and VPN Select (GUI) 100

Chapter 8  Configuring SNMP 101
  Configuring SNMP (CLI) 101
  SNMP Community Strings 103
  Changing the SNMP Community String Default Values (GUI) 103
  Changing the SNMP Community String Default Values (CLI) 104
  Configuring Real Time Statistics (CLI) 105
  SNMP Trap Enhancements 105
  Configuring SNMP Trap Receiver (GUI) 105

Chapter 9  Configuring Aggressive Load Balancing 107
  Information About Configuring Aggressive Load Balancing 107
  Configuring Aggressive Load Balancing (GUI) 108
  Configuring Aggressive Load Balancing (CLI) 109

Chapter 10  Configuring Fast SSID Changing 111
  Information About Configuring Fast SSID Changing 111
  Configuring Fast SSID Changing (GUI) 111
  Configuring Fast SSID Changing (CLI) 111

Chapter 11  Configuring 802.3 Bridging 113
  Configuring 802.3 Bridging 113
  Information About Configuring 802.3 Bridging 113
  Restrictions on 802.3 Bridging 113
  Configuring 802.3 Bridging 114
  Configuring 802.3 Bridging (GUI) 114
  Configuring 802.3 Bridging (CLI) 114
  Enabling 802.3X Flow Control 114

Chapter 12  Configuring Multicast 115
  Configuring Multicast Mode 115


  Information About Multicast Mode 115
  Restrictions for Configuring Multicast Mode 117
  Enabling Multicast Mode (GUI) 119
  Enabling Multicast Mode (CLI) 120
  Viewing Multicast Groups (GUI) 121
  Viewing Multicast Groups (CLI) 121
  Viewing an Access Point's Multicast Client Table (CLI) 122
  Configuring Bridging of Link Local Traffic 122
  Configuring Bridging of Link Local Traffic (GUI) 122
  Configuring Bridging of Link Local Traffic (CLI) 122
  Configuring Multicast Domain Name System 122
  Information About Multicast Domain Name System 122
  Restrictions for Configuring Multicast DNS 125
  Configuring Multicast DNS (GUI) 125
  Configuring Multicast DNS (CLI) 127
  Information about Bonjour gateway based on access policy 129
  Restrictions to the Bonjour gateway based on access policy 130
  Creating Bonjour Access Policy through Prime Infrastructure 131
  Configuring mDNS Service Groups (GUI) 131
  Configuring mDNS Service Groups (CLI) 132
  Multicast Configuration for Cisco vWLC, Flex 7510, 5520, 8510, and 8540 WLCs 132
  Switching from Multicast-Unicast Mode to Multicast-Multicast Mode 132
  Switching from Multicast-Multicast Mode to Multicast-Unicast Mode 132
  Restrictions 133
  Troubleshooting 133

Chapter 13  Configuring Client Roaming 135
  Information About Client Roaming 135
  Inter-Controller Roaming 135
  Intra-Controller Roaming 135
  Inter-Subnet Roaming 136
  Voice-over-IP Telephone Roaming 136
  CCX Layer 2 Client Roaming 136
  Restrictions on Client Roaming 137
  Configuring CCX Client Roaming Parameters (GUI) 137


  Configuring CCX Client Roaming Parameters (CLI) 138
  Obtaining CCX Client Roaming Information (CLI) 138
  Debugging CCX Client Roaming Issues (CLI) 139

Chapter 14  Configuring IP-MAC Address Binding 141
  Information About Configuring IP-MAC Address Binding 141
  Configuring IP-MAC Address Binding (CLI) 141

Chapter 15  Configuring Quality of Service 143
  Configuring Quality of Service 143
  Information About Quality of Service 143
  Configuring Quality of Service Profiles 144
  Configuring QoS Profiles (GUI) 144
  Configuring QoS Profiles (CLI) 145
  Configuring Quality of Service Roles 147
  Information About Quality of Service Roles 147
  Configuring QoS Roles 147
  Configuring QoS Roles (GUI) 147
  Configuring QoS Roles (CLI) 148

Chapter 16  Configuring Application Visibility and Control 151
  Information About Application Visibility and Control 151
  Restrictions for Application Visibility and Control 152
  Configuring Application Visibility and Control (GUI) 153
  Configuring Application Visibility and Control (CLI) 154
  Configuring NetFlow 155
  Information About NetFlow 155
  Configuring NetFlow (GUI) 156
  Configuring NetFlow (CLI) 156

Chapter 17  Configuring Media and EDCA Parameters 159
  Configuring Voice and Video Parameters 159
  Information About Configuring Voice and Video Parameters 159
  Call Admission Control 159
  Bandwidth-Based CAC 160


  Load-Based CAC 160
  Expedited Bandwidth Requests 160
  U-APSD 161
  Traffic Stream Metrics 161
  Configuring Voice Parameters 162
  Configuring Voice Parameters (GUI) 162
  Configuring Voice Parameters (CLI) 164
  Configuring Video Parameters 165
  Configuring Video Parameters (GUI) 165
  Configuring Video Parameters (CLI) 166
  Viewing Voice and Video Settings 167
  Viewing Voice and Video Settings (GUI) 167
  Viewing Voice and Video Settings (CLI) 168
  Configuring SIP-Based CAC 171
  Restrictions for SIP-Based CAC 171
  Configuring SIP-Based CAC (GUI) 171
  Configuring SIP-Based CAC (CLI) 172
  Configuring Media Parameters 173
  Configuring Media Parameters (GUI) 173
  Configuring Voice Prioritization Using Preferred Call Numbers 173
  Information About Configuring Voice Prioritization Using Preferred Call Numbers 173
  Prerequisites for Configuring Voice Prioritization Using Preferred Call Numbers 174
  Configuring a Preferred Call Number (GUI) 174
  Configuring a Preferred Call Number (CLI) 174
  Configuring EDCA Parameters 175
  Information About EDCA Parameters 175
  Configuring EDCA Parameters (GUI) 175
  Configuring EDCA Parameters (CLI) 176

Chapter 18  Configuring the Cisco Discovery Protocol 179
  Information About Configuring the Cisco Discovery Protocol 179
  Restrictions for Configuring the Cisco Discovery Protocol 179
  Configuring the Cisco Discovery Protocol 181
  Configuring the Cisco Discovery Protocol (GUI) 181
  Configuring the Cisco Discovery Protocol (CLI) 182


  Viewing Cisco Discovery Protocol Information 183
  Viewing Cisco Discovery Protocol Information (GUI) 183
  Viewing Cisco Discovery Protocol Information (CLI) 185
  Getting CDP Debug Information 186

Chapter 19  Configuring Authentication for the Controller and NTP/SNTP Server 187
  Information About Configuring Authentication for the Controller and NTP/SNTP Server 187
  Configuring the NTP/SNTP Server for Authentication (GUI) 187
  Configuring the NTP/SNTP Server for Authentication (CLI) 188

Chapter 20  Configuring RFID Tag Tracking 189
  Information About Configuring RFID Tag Tracking 189
  Configuring RFID Tag Tracking (CLI) 190
  Viewing RFID Tag Tracking Information (CLI) 191
  Debugging RFID Tag Tracking Issues (CLI) 191

Chapter 21  Resetting the Controller to Default Settings 193
  Information About Resetting the Controller to Default Settings 193
  Resetting the Controller to Default Settings (GUI) 193
  Resetting the Controller to Default Settings (CLI) 194

Chapter 22  Managing Controller Software and Configurations 195
  Upgrading the Controller Software 195
  Restrictions for Upgrading Controller Software 195
  Upgrading Controller Software (GUI) 198
  Upgrading Controller Software (CLI) 200
  Predownloading an Image to an Access Point 202
  Access Point Predownload Process 203
  Restrictions for Predownloading an Image to an Access Point 204
  Predownloading an Image to Access Points—Global Configuration (GUI) 205
  Predownloading an Image to Access Points (CLI) 206
  Transferring Files to and from a Controller 209
  Downloading a Login Banner File 209
  Downloading a Login Banner File (GUI) 210


  Downloading a Login Banner File (CLI) 210
  Clearing the Login Banner (GUI) 211
  Downloading Device Certificates 211
  Downloading Device Certificates (GUI) 212
  Downloading Device Certificates (CLI) 213
  Uploading Device Certificates 214
  Uploading Device Certificates (GUI) 214
  Uploading Device Certificates (CLI) 215
  Downloading CA Certificates 215
  Download CA Certificates (GUI) 216
  Downloading CA Certificates (CLI) 217
  Uploading CA Certificates 218
  Uploading CA Certificates (GUI) 218
  Uploading CA Certificates (CLI) 218
  Uploading PACs 219
  Uploading PACs (GUI) 220
  Uploading PACs (CLI) 220
  Uploading and Downloading Configuration Files 221
  Uploading Configuration Files 222
  Uploading the Configuration Files (GUI) 222
  Uploading the Configuration Files (CLI) 222
  Downloading Configuration Files 223
  Downloading the Configuration Files (GUI) 224
  Downloading the Configuration Files (CLI) 224
  Saving Configurations 226
  Editing Configuration Files 226
  Clearing the Controller Configuration 227
  Erasing the Controller Configuration 228
  Resetting the Controller 228

Chapter 23  Managing User Accounts 229
  Configuring Guest User Accounts 229
  Information About Creating Guest Accounts 229
  Restrictions on Managing User Accounts 229
  Creating a Lobby Ambassador Account 230


  Creating a Lobby Ambassador Account (GUI) 230
  Creating a Lobby Ambassador Account (CLI) 230
  Creating Guest User Accounts as a Lobby Ambassador (GUI) 231
  Viewing Guest User Accounts 232
  Viewing the Guest Accounts (GUI) 232
  Viewing the Guest Accounts (CLI) 232
  Configuring Administrator Usernames and Passwords 232
  Information About Configuring Administrator Usernames and Passwords 232
  Configuring Usernames and Passwords (GUI) 232
  Configuring Usernames and Passwords (CLI) 233
  Restoring Passwords 233
  Changing the Default Values for SNMP v3 Users 234
  Information About Changing the Default Values for SNMP v3 Users 234
  Changing the SNMP v3 User Default Values (GUI) 234
  Changing the SNMP v3 User Default Values (CLI) 235
  Generating a Certificate Signing Request 235
  Downloading Third-Party Certificate (GUI) 237
  Downloading Third-Party Certificate (CLI) 238

Chapter 24  Managing Web Authentication 239
  Obtaining a Web Authentication Certificate 239
  Information About Web Authentication Certificates 239
  Support for Chained Certificate 240
  Obtaining a Web Authentication Certificate (GUI) 240
  Obtaining a Web Authentication Certificate (CLI) 241
  Web Authentication Process 242
  Disabling Security Alert for Web Authentication Process 243
  Choosing the Default Web Authentication Login Page 245
  Information About Default Web Authentication Login Page 245
  Choosing the Default Web Authentication Login Page (GUI) 246
  Choosing the Default Web Authentication Login Page (CLI) 246
  Example: Creating a Customized Web Authentication Login Page 248
  Example: Modified Default Web Authentication Login Page Example 251
  Using a Customized Web Authentication Login Page from an External Web Server 251
  Information About Customized Web Authentication Login Page 251


  Choosing a Customized Web Authentication Login Page from an External Web Server (GUI) 252
  Choosing a Customized Web Authentication Login Page from an External Web Server (CLI) 252
  Downloading a Customized Web Authentication Login Page 252
  Prerequisites for Downloading a Customized Web Authentication Login Page 253
  Downloading a Customized Web Authentication Login Page (GUI) 253
  Downloading a Customized Web Authentication Login Page (CLI) 254
  Example: Customized Web Authentication Login Page 255
  Verifying the Web Authentication Login Page Settings (CLI) 255
  Assigning Login, Login Failure, and Logout Pages per WLAN 256
  Information About Assigning Login, Login Failure, and Logout Pages per WLAN 256
  Assigning Login, Login Failure, and Logout Pages per WLAN (GUI) 256
  Assigning Login, Login Failure, and Logout Pages per WLAN (CLI) 257
  Configuring Authentication for Sleeping Clients 258
  Information About Authenticating Sleeping Clients 258
  Restrictions for Authenticating Sleeping Clients 259
  Configuring Authentication for Sleeping Clients (GUI) 260
  Configuring Authentication for Sleeping Clients (CLI) 260

Chapter 25  Configuring Wired Guest Access 261
  Information About Wired Guest Access 261
  Prerequisites for Configuring Wired Guest Access 262
  Restrictions for Configuring Wired Guest Access 262
  Configuring Wired Guest Access (GUI) 263
  Configuring Wired Guest Access (CLI) 264
  Supporting IPv6 Client Guest Access 266

Chapter 26  Troubleshooting 269
  Interpreting LEDs 269
  Information About Interpreting LEDs 269
  Interpreting Controller LEDs 270
  Interpreting Lightweight Access Point LEDs 270
  System Messages 270
  Information About System Messages 270


  Viewing System Resources 273
  Information About Viewing System Resources 273
  Viewing System Resources (GUI) 274
  Viewing System Resources (CLI) 274
  Using the CLI to Troubleshoot Problems 274
  Configuring System and Message Logging 276
  Information About System and Message Logging 276
  Configuring System and Message Logging (GUI) 276
  Viewing Message Logs (GUI) 278
  Configuring System and Message Logging (CLI) 278
  Viewing System and Message Logs (CLI) 282
  Viewing Access Point Event Logs 282
  Information About Access Point Event Logs 282
  Viewing Access Point Event Logs (CLI) 282
  Uploading Logs and Crash Files 283
  Prerequisites to Upload Logs and Crash Files 283
  Uploading Logs and Crash Files (GUI) 284
  Uploading Logs and Crash Files (CLI) 284
  Uploading Core Dumps from the Controller 285
  Information About Uploading Core Dumps from the Controller 285
  Configuring the Controller to Automatically Upload Core Dumps to an FTP Server (GUI) 286
  Configuring the Controller to Automatically Upload Core Dumps to an FTP Server (CLI) 286
  Uploading Core Dumps from Controller to a Server (CLI) 287
  Uploading Packet Capture Files 288
  Information About Uploading Packet Capture Files 288
  Restrictions for Uploading Packet Capture Files 289
  Uploading Packet Capture Files (GUI) 290
  Uploading Packet Capture Files (CLI) 290
  Monitoring Memory Leaks 291
  Monitoring Memory Leaks (CLI) 291
  Troubleshooting CCXv5 Client Devices 292
  Information About Troubleshooting CCXv5 Client Devices 292
  Restrictions for CCXv5 Client Devices 292


  Configuring Diagnostic Channel 293
  Configuring the Diagnostic Channel (GUI) 293
  Configuring the Diagnostic Channel (CLI) 294
  Configuring Client Reporting 298
  Configuring Client Reporting (GUI) 298
  Configuring Client Reporting (CLI) 298
  Configuring Roaming and Real-Time Diagnostics 299
  Configuring Roaming and Real-Time Diagnostics (CLI) 299
  Using the Debug Facility 302
  Information About Using the Debug Facility 302
  Configuring the Debug Facility (CLI) 303
  Configuring Wireless Sniffing 307
  Information About Wireless Sniffing 307
  Prerequisites for Wireless Sniffing 307
  Restrictions for Wireless Sniffing 307
  Configuring Sniffing on an Access Point (GUI) 308
  Configuring Sniffing on an Access Point (CLI) 308
  Troubleshooting Access Points Using Telnet or SSH 309
  Information About Troubleshooting Access Points Using Telnet or SSH 309
  Troubleshooting Access Points Using Telnet or SSH (GUI) 310
  Troubleshooting Access Points Using Telnet or SSH (CLI) 310
  Debugging the Access Point Monitor Service 311
  Information About Debugging the Access Point Monitor Service 311
  Debugging Access Point Monitor Service Issues (CLI) 311
  Troubleshooting Memory Leaks 312
  Troubleshooting Memory Leaks 312
  Troubleshooting OfficeExtend Access Points 312
  Information About Troubleshooting OfficeExtend Access Points 312
  Interpreting OfficeExtend LEDs 312
  Positioning OfficeExtend Access Points for Optimal RF Coverage 313
  Troubleshooting Common Problems 313

Part II  Ports and Interfaces 315

Chapter 27  Overview of Ports and Interfaces 317


  Information About Ports 317
  Information About Distribution System Ports 318
  Restrictions for Configuring Distribution System Ports 318
  Information About Service Port 319
  Information About Interfaces 320
  Restrictions for Configuring Interfaces 320
  Information About Dynamic AP Management 321
  Information About WLANs 322

Chapter 28  Configuring the Management Interface 325
  Information About the Management Interface 325
  Configuring the Management Interface (GUI) 327
  Configuring the Management Interface (CLI) 328

Chapter 29  Configuring the AP-Manager Interface 331
  Information About AP-Manager Interface 331
  Restrictions for Configuring AP Manager Interface 332
  Configuring the AP-Manager Interface (GUI) 332
  Configuring the AP Manager Interface (CLI) 333
  Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller 334

Chapter 30  Configuring Virtual Interfaces 337
  Information About the Virtual Interface 337
  Configuring Virtual Interfaces (GUI) 338
  Configuring Virtual Interfaces (CLI) 338

Chapter 31  Configuring Service-Port Interfaces 339
  Information About Service-Port Interfaces 339
  Restrictions for Configuring Service-Port Interfaces 340
  Configuring Service-Port Interfaces Using IPv4 (GUI) 340
  Configuring Service-Port Interfaces Using IPv4 (CLI) 340
  Configuring Service-Port Interface Using IPv6 (GUI) 341
  Configuring Service-Port Interfaces Using IPv6 (CLI) 341

Chapter 32  Configuring Dynamic Interfaces 343


  Information About Dynamic Interface 343
  Prerequisites for Configuring Dynamic Interfaces 344
  Restrictions for Configuring Dynamic Interfaces 344
  Configuring Dynamic Interfaces (GUI) 344
  Configuring Dynamic Interfaces (CLI) 346

Chapter 33  Configuring Ports 349
  Configuring Ports (GUI) 349

Chapter 34  Information About Using Cisco 5500 Series Controller USB Console Port 351
  USB Console OS Compatibility 351
  Changing the Cisco USB Systems Management Console COM Port to an Unused Port 352

Chapter 35  Configuring Link Aggregation 353
  Information About Link Aggregation 353
  Restrictions for Link Aggregation 353
  Configuring Link Aggregation (GUI) 355
  Configuring Link Aggregation (CLI) 356
  Verifying Link Aggregation Settings (CLI) 356
  Configuring Neighbor Devices to Support Link Aggregation 356
  Choosing Between Link Aggregation and Multiple AP-Manager Interfaces 356

Chapter 36  Configuring Multiple AP-Manager Interfaces 359
  Information About Multiple AP-Manager Interfaces 359
  Restrictions for Configuring Multiple AP Manager Interfaces 359
  Creating Multiple AP-Manager Interfaces (GUI) 360
  Creating Multiple AP-Manager Interfaces (CLI) 360

Chapter 37  Configuring VLAN Select 363
  Information About VLAN Select 363
  Restrictions for Configuring VLAN Select 364
  Configuring Interface Groups 364
  Information About Interface Groups 364
  Restrictions for Configuring Interface Groups 364
  Creating Interface Groups (GUI) 365


  Creating Interface Groups (CLI) 365
  Adding Interfaces to Interface Groups (GUI) 365
  Adding Interfaces to Interface Groups (CLI) 366
  Viewing VLANs in Interface Groups (CLI) 366
  Adding an Interface Group to a WLAN (GUI) 366
  Adding an Interface Group to a WLAN (CLI) 366

Chapter 38  Configuring Interface Groups 367
  Information About Interface Groups 367
  Restrictions for Configuring Interface Groups 368
  Creating Interface Groups (GUI) 368
  Creating Interface Groups (CLI) 369
  Adding Interfaces to Interface Groups (GUI) 369
  Adding Interfaces to Interface Groups (CLI) 369
  Viewing VLANs in Interface Groups (CLI) 369
  Adding an Interface Group to a WLAN (GUI) 369
  Adding an Interface Group to a WLAN (CLI) 370

Chapter 39  Configuring Multicast Optimization 371
  Information About Multicast Optimization 371
  Configuring a Multicast VLAN (GUI) 371
  Configuring a Multicast VLAN (CLI) 372

Chapter 40  High Availability 373
  Information About High Availability 373
  Restrictions on High Availability 377
  Configuring High Availability (GUI) 380
  Configuring High Availability (CLI) 382
  Monitoring High Availability Standby WLC 384

Part III  VideoStream 387

Chapter 41  VideoStream 389
  Information about VideoStream 389
  Prerequisites for VideoStream 389


  Restrictions for Configuring VideoStream 389
  Configuring VideoStream (GUI) 390
  Configuring VideoStream (CLI) 393
  Viewing and Debugging Media Streams 394

Part IV  Security Solutions 397

Chapter 42  Cisco Unified Wireless Network Solution Security 399
  Security Overview 399
  Layer 1 Solutions 399
  Layer 2 Solutions 399
  Restrictions for Layer 2 Solutions 400
  Layer 3 Solutions 400
  Integrated Security Solutions 400

Chapter 43  Configuring RADIUS 401
  Information About RADIUS 401
  Restrictions on Configuring RADIUS 403
  Configuring RADIUS on the ACS 403
  Configuring RADIUS (GUI) 404
  Configuring RADIUS (CLI) 409
  RADIUS Authentication Attributes Sent by the Controller 414
  Authentication Attributes Honored in Access-Accept Packets (Airespace) 416
  RADIUS Accounting Attributes 424

Chapter 44  Configuring TACACS+ 427
  Information About TACACS+ 427
  TACACS+ VSA 429
  Configuring TACACS+ on the ACS 430
  Configuring TACACS+ (GUI) 432
  Configuring TACACS+ (CLI) 434
  Viewing the TACACS+ Administration Server Logs 435

Chapter 45  Configuring FIPS, CC, and UCAPL 439
  Information About FIPS 439

    FIPS Self-Tests  440
    Information About CC  440
    Information About UCAPL  441
    Configuring FIPS (CLI)  441
    Configuring CC (CLI)  441
    Configuring UCAPL (CLI)  442

CHAPTER 46  Configuring Maximum Local Database Entries  443
    Information About Configuring Maximum Local Database Entries  443
    Configuring Maximum Local Database Entries (GUI)  443
    Configuring Maximum Local Database Entries (CLI)  444

CHAPTER 47  Configuring Local Network Users on the Controller  445
    Information About Local Network Users on Controller  445
    Configuring Local Network Users for the Controller (GUI)  445
    Configuring Local Network Users for the Controller (CLI)  446

CHAPTER 48  Configuring Password Policies  449
    Information About Password Policies  449
    Configuring Password Policies (GUI)  450
    Configuring Password Policies (CLI)  450

CHAPTER 49  Configuring LDAP  453
    Information About LDAP  453
    Configuring LDAP (GUI)  454
    Configuring LDAP (CLI)  456

CHAPTER 50  Configuring Local EAP  459
    Information About Local EAP  459
    Restrictions on Local EAP  460
    Configuring Local EAP (GUI)  461
    Configuring Local EAP (CLI)  465

CHAPTER 51  Configuring the System for SpectraLink NetLink Telephones  471
    Information About SpectraLink NetLink Telephones  471

    Configuring SpectraLink NetLink Phones  471
        Enabling Long Preambles (GUI)  471
        Enabling Long Preambles (CLI)  472
        Configuring Enhanced Distributed Channel Access (CLI)  472

CHAPTER 52  Configuring RADIUS NAC Support  475
    Information About RADIUS NAC Support  475
        Device Registration  476
        Central Web Authentication  476
        Local Web Authentication  476
    Restrictions for RADIUS NAC Support  476
    Configuring RADIUS NAC Support (GUI)  477
    Configuring RADIUS NAC Support (CLI)  478

CHAPTER 53  Configuring RADIUS VSA and Realm  479
    Configuring RADIUS VSA  479
        Information About RADIUS VSA  479
        Sample RADIUS AVP List XML File  479
        Downloading RADIUS AVP List (GUI)  480
        Uploading RADIUS AVP List (GUI)  481
        Uploading and Downloading RADIUS AVP List (CLI)  481
    Configuring RADIUS Realm  482
        Information About RADIUS Realm  482
        Prerequisites for Configuring RADIUS Realm  483
        Restrictions for Configuring RADIUS Realm  483
        Configuring Realm on a WLAN (GUI)  483
        Configuring Realm on a WLAN (CLI)  483
        Configuring Realm on a RADIUS Authentication Server (GUI)  484
        Configuring Realm on a RADIUS Authentication Server (CLI)  484
        Configuring Realm on a RADIUS Accounting Server (GUI)  484
        Configuring Realm on a RADIUS Accounting Server (CLI)  485

CHAPTER 54  Using Management Over Wireless  487
    Information About Management over Wireless  487
    Enabling Management over Wireless (GUI)  487

    Enabling Management over Wireless (CLI)  488

CHAPTER 55  Using Dynamic Interfaces for Management  489
    Information About Using Dynamic Interfaces for Management  489
    Configuring Management using Dynamic Interfaces (CLI)  490

CHAPTER 56  Configuring DHCP Option 82  491
    Information About DHCP Option 82  491
    Restrictions on DHCP Option 82  492
    Configuring DHCP Option 82 (GUI)  492
    Configuring DHCP Option 82 (CLI)  492
    Configuring DHCP Option 82 Insertion in Bridge Mode (CLI)  493

CHAPTER 57  Configuring and Applying Access Control Lists  495
    Information About Access Control Lists  495
    Restrictions for Access Control Lists  495
    Configuring and Applying Access Control Lists (GUI)  497
        Configuring Access Control Lists  497
        Applying an Access Control List to an Interface  499
        Applying an Access Control List to the Controller CPU  499
        Applying an Access Control List to a WLAN  500
        Applying a Preauthentication Access Control List to a WLAN  500
    Configuring and Applying Access Control Lists (CLI)  501
        Configuring Access Control Lists  501
        Applying Access Control Lists  501
    Configuring Layer 2 Access Control Lists  502
        Information About Configuring Layer 2 Access Control Lists  502
        Restrictions for Layer 2 Access Control Lists  503
        Configuring Layer 2 Access Control Lists (CLI)  504
            Mapping of Layer 2 ACLs with WLANs (CLI)  504
            Mapping of Layer 2 ACLs with Locally Switched WLANs Using FlexConnect Access Points (CLI)  504
        Configuring Layer 2 Access Control Lists (GUI)  505
            Applying a Layer2 Access Control List to a WLAN (GUI)  506
            Applying a Layer2 Access Control List to an AP on a WLAN (GUI)  506

CHAPTER 58  Configuring DNS-based Access Control Lists  507
    Information About DNS-based Access Control Lists  507
    Restrictions on DNS-based Access Control Lists  507
    Configuring DNS-based Access Control Lists (CLI)  507
    Configuring DNS-based Access Control Lists (GUI)  509

CHAPTER 59  Configuring Management Frame Protection  511
    Information About Management Frame Protection  511
    Restrictions for Management Frame Protection  513
    Configuring Management Frame Protection (GUI)  513
    Viewing the Management Frame Protection Settings (GUI)  513
    Configuring Management Frame Protection (CLI)  514
    Viewing the Management Frame Protection Settings (CLI)  514
    Debugging Management Frame Protection Issues (CLI)  514

CHAPTER 60  Configuring Client Exclusion Policies  517
    Configuring Client Exclusion Policies (GUI)  517
    Configuring Client Exclusion Policies (CLI)  518

CHAPTER 61  Configuring Identity Networking  521
    Information About Identity Networking  521
    RADIUS Attributes Used in Identity Networking  522
    Configuring AAA Override  527
        Information About AAA Override  527
        Restrictions for AAA Override  527
        Updating the RADIUS Server Dictionary File for Proper QoS Values  528
        Configuring AAA Override (GUI)  529
        Configuring AAA Override (CLI)  530

CHAPTER 62  Managing Rogue Devices  531
    Information About Rogue Devices  531
    Configuring Rogue Detection (GUI)  536
    Configuring Rogue Detection (CLI)  538

CHAPTER 63  Classifying Rogue Access Points  543
    Information About Classifying Rogue Access Points  543
    Restrictions on Classifying Rogue Access Points  545
    Configuring Rogue Classification Rules (GUI)  546
    Viewing and Classifying Rogue Devices (GUI)  549
    Configuring Rogue Classification Rules (CLI)  552
    Viewing and Classifying Rogue Devices (CLI)  554

CHAPTER 64  Configuring Cisco TrustSec SXP  559
    Information About Cisco TrustSec SXP  559
    Restrictions for Cisco TrustSec SXP  560
    Configuring Cisco TrustSec SXP (GUI)  561
        Creating a New SXP Connection (GUI)  561
    Configuring Cisco TrustSec SXP (CLI)  562

CHAPTER 65  Configuring Local Policies  565
    Information About Local Policies  565
    Restrictions for Local Policy Classification  566
    Configuring Local Policies (GUI)  567
    Configuring Local Policies (CLI)  568
    Updating Organizationally Unique Identifier List  570
        Updating Organizationally Unique Identifier List (GUI)  570
        Updating Organizationally Unique Identifier List (CLI)  570
    Updating Device Profile List  571
        Updating Device Profile List (GUI)  571
        Updating Device Profile List (CLI)  571

CHAPTER 66  Configuring Cisco Intrusion Detection System  573
    Information About Cisco Intrusion Detection System  573
        Shunned Clients  573
    Configuring IDS Sensors (GUI)  574
    Viewing Shunned Clients (GUI)  574
    Configuring IDS Sensors (CLI)  575
    Viewing Shunned Clients (CLI)  576

CHAPTER 67  Configuring IDS Signatures  577
    Information About IDS Signatures  577
    Configuring IDS Signatures (GUI)  579
        Uploading or Downloading IDS Signatures  579
        Enabling or Disabling IDS Signatures  580
    Viewing IDS Signature Events (GUI)  582
    Configuring IDS Signatures (CLI)  583
    Viewing IDS Signature Events (CLI)  584

CHAPTER 68  Configuring wIPS  587
    Information About wIPS  587
    Restrictions for wIPS  593
    Configuring wIPS on an Access Point (GUI)  594
    Configuring wIPS on an Access Point (CLI)  594
    Viewing wIPS Information (CLI)  595
    Cisco Adaptive wIPS Alarms  596

CHAPTER 69  Configuring the Wi-Fi Direct Client Policy  597
    Information About the Wi-Fi Direct Client Policy  597
    Restrictions for the Wi-Fi Direct Client Policy  597
    Configuring the Wi-Fi Direct Client Policy (GUI)  598
    Configuring the Wi-Fi Direct Client Policy (CLI)  598
    Monitoring and Troubleshooting the Wi-Fi Direct Client Policy (CLI)  599

CHAPTER 70  Configuring Web Auth Proxy  601
    Information About the Web Authentication Proxy  601
    Configuring the Web Authentication Proxy (GUI)  602
    Configuring the Web Authentication Proxy (CLI)  603

CHAPTER 71  Detecting Active Exploits  605
    Detecting Active Exploits  605

PART V  WLANs  607

CHAPTER 72  Configuring WLANs  609
    Prerequisites for WLANs  609
    Restrictions for WLANs  609
    Information About WLANs  611
    Creating and Removing WLANs (GUI)  611
    Enabling and Disabling WLANs (GUI)  612
    Editing WLAN SSID or Profile Name for WLANs (GUI)  612
    Creating and Deleting WLANs (CLI)  613
    Enabling and Disabling WLANs (CLI)  613
    Editing WLAN SSID or Profile Name for WLANs (CLI)  614
    Viewing WLANs (CLI)  615
    Searching WLANs (GUI)  615
    Assigning WLANs to Interfaces  615
    Configuring Network Access Identifier (CLI)  616

CHAPTER 73  Setting the Client Count per WLAN  617
    Restrictions for Setting Client Count for WLANs  617
    Information About Setting the Client Count per WLAN  618
    Configuring the Client Count per WLAN (GUI)  618
    Configuring the Maximum Number of Clients per WLAN (CLI)  618
    Configuring the Maximum Number of Clients for each AP Radio per WLAN (GUI)  619
    Configuring the Maximum Number of Clients for each AP Radio per WLAN (CLI)  619
    Deauthenticating Clients (CLI)  619

CHAPTER 74  Configuring DHCP  621
    Restrictions for Configuring DHCP for WLANs  621
    Information About the Dynamic Host Configuration Protocol  621
        Internal DHCP Servers  621
        External DHCP Servers  622
        DHCP Assignments  622
    Configuring DHCP (GUI)  623
    Configuring DHCP (CLI)  624
    Debugging DHCP (CLI)  624
    DHCP Client Handling  625

CHAPTER 75  Configuring DHCP Scopes  627
    Restrictions for Configuring DHCP Scopes  627
    Information About DHCP Scopes  627
    Configuring DHCP Scopes (GUI)  627
    Configuring DHCP Scopes (CLI)  628

CHAPTER 76  Configuring MAC Filtering for WLANs  631
    Restrictions for MAC Filtering  631
    Information About MAC Filtering of WLANs  631
    Enabling MAC Filtering  631

CHAPTER 77  Configuring Local MAC Filters  633
    Prerequisites for Configuring Local MAC Filters  633
    Information About Local MAC Filters  633
    Configuring Local MAC Filters (CLI)  633

CHAPTER 78  Configuring Timeouts  635
    Configuring a Timeout for Disabled Clients  635
        Information About Configuring a Timeout for Disabled Clients  635
        Configuring Timeout for Disabled Clients (CLI)  635
    Configuring Session Timeout  635
        Information About Session Timeouts  635
        Configuring a Session Timeout (GUI)  636
        Configuring a Session Timeout (CLI)  636
    Configuring the User Idle Timeout  637
        Information About the User Idle Timeout Per WLAN  637
        Configuring Per-WLAN User Idle Timeout (CLI)  637

CHAPTER 79  Configuring the DTIM Period  639
    Information About DTIM Period  639
    Configuring the DTIM Period (GUI)  640
    Configuring the DTIM Period (CLI)  640

CHAPTER 80  Configuring Peer-to-Peer Blocking  641

    Restrictions for Peer-to-Peer Blocking  641
    Information About Peer-to-Peer Blocking  641
    Configuring Peer-to-Peer Blocking (GUI)  642
    Configuring Peer-to-Peer Blocking (CLI)  642

CHAPTER 81  Configuring Layer2 Security  645
    Prerequisites for Layer 2 Security  645
    Configuring Static WEP Keys (CLI)  646
    Configuring Dynamic 802.1X Keys and Authorization (CLI)  646
    Configuring 802.11r BSS Fast Transition  647
        Restrictions for 802.11r Fast Transition  647
        Information About 802.11r Fast Transition  648
        Configuring 802.11r Fast Transition (GUI)  650
        Configuring 802.11r Fast Transition (CLI)  651
        Troubleshooting 802.11r BSS Fast Transition  652
    Configuring MAC Authentication Failover to 802.1X Authentication  652
        Configuring MAC Authentication Failover to 802.1X Authentication (GUI)  652
        Configuring MAC Authentication Failover to 802.1X Authentication (CLI)  653
    Configuring 802.11w  653
        Restrictions for 802.11w  653
        Information About 802.11w  653
        Configuring 802.11w (GUI)  654
        Configuring 802.11w (CLI)  655
    Configuring 802.11v  655
        Prerequisites for Configuring 802.11v  655
        Restrictions for Configuring 802.11v  655
        Information About 802.11v  656
        Configuring 802.11v Network Assisted Power Savings (CLI)  657
        Monitoring 802.11v Network Assisted Power Savings (CLI)  657
        Configuration Examples for 802.11v Network Assisted Power Savings  657

CHAPTER 82  Configuring a WLAN for Both Static and Dynamic WEP  659
    Restrictions for Configuring Static and Dynamic WEP  659
    Information About WLAN for Both Static and Dynamic WEP  659
    WPA1 and WPA2  660

CHAPTER 83  Configuring WPA1+WPA2  661
    Configuring WPA1+WPA2 (GUI)  661
    Configuring WPA1+WPA2 (CLI)  661

CHAPTER 84  Configuring Sticky Key Caching  665
    Information About Sticky Key Caching  665
    Restrictions for Sticky Key Caching  665
    Configuring Sticky Key Caching (CLI)  666

CHAPTER 85  Configuring CKIP  669
    Information About CKIP  669
    Configuring CKIP (GUI)  670
    Configuring CKIP (CLI)  670

CHAPTER 86  Configuring Layer 3 Security  673
    Configuring Layer 3 Security Using Web Authentication  673
        Prerequisites for Configuring Web Authentication on a WLAN  673
        Restrictions for Configuring Web Authentication on a WLAN  674
        Information About Web Authentication  674
        Configuring Web Authentication  675
            Configuring Web Authentication (GUI)  675
            Configuring Web Authentication (CLI)  675
    Configuring Captive Bypassing  677
        Information About Captive Bypassing  677
        Configuring Captive Bypassing (CLI)  678

CHAPTER 87  Configuring a Fallback Policy with MAC Filtering and Web Authentication  679
    Information About Fallback Policy with MAC Filtering and Web Authentication  679
    Configuring a Fallback Policy with MAC Filtering and Web Authentication (GUI)  680
    Configuring a Fallback Policy with MAC Filtering and Web Authentication (CLI)  680

CHAPTER 88  Assigning QoS Profiles  683
    Information About QoS Profiles  683
    Assigning a QoS Profile to a WLAN (GUI)  684

    Assigning a QoS Profile to a WLAN (CLI)  685

CHAPTER 89  Configuring QoS Enhanced BSS  687
    Prerequisites for Using QoS Enhanced BSS on Cisco 7921 and 7920 Wireless IP Phones  687
    Restrictions for QoS Enhanced BSS  688
    Information About QoS Enhanced BSS  688
    Configuring QBSS (GUI)  689
    Configuring QBSS (CLI)  689

CHAPTER 90  Configuring Media Session Snooping and Reporting  691
    Information About Media Session Snooping and Reporting  691
    Restrictions for Media Session Snooping and Reporting  691
    Configuring Media Session Snooping (GUI)  692
    Configuring Media Session Snooping (CLI)  692

CHAPTER 91  Configuring Key Telephone System-Based CAC  697
    Restrictions for Key Telephone System-Based CAC  697
    Information About Key Telephone System-Based CAC  697
    Configuring KTS-based CAC (GUI)  698
    Configuring KTS-based CAC (CLI)  698
        Related Commands  699

CHAPTER 92  Configuring Reanchoring of Roaming Voice Clients  701
    Restrictions for Configuring Reanchoring of Roaming Voice Clients  701
    Information About Reanchoring of Roaming Voice Clients  701
    Configuring Reanchoring of Roaming Voice Clients (GUI)  702
    Configuring Reanchoring of Roaming Voice Clients (CLI)  702

CHAPTER 93  Configuring Seamless IPv6 Mobility  703
    Prerequisites for Configuring IPv6 Mobility  703
    Restrictions for Configuring IPv6 Mobility  703
    Information About IPv6 Mobility  704
    Configuring IPv6 Globally  705
        Configuring IPv6 Globally (GUI)  705

        Configuring IPv6 Globally (CLI)  705
    Configuring RA Guard for IPv6 Clients  705
        Information About RA Guard  705
        Configuring RA Guard (GUI)  706
        Configuring RA Guard (CLI)  706
    Configuring RA Throttling for IPv6 Clients  706
        Information about RA Throttling  706
        Configuring RA Throttling (GUI)  706
        Configuring the RA Throttle Policy (CLI)  707
    Configuring IPv6 Neighbor Discovery Caching  707
        Information About IPv6 Neighbor Discovery  707
        Configuring Neighbor Binding (GUI)  708
        Configuring Neighbor Binding (CLI)  708

CHAPTER 94  Configuring Cisco Client Extensions  709
    Prerequisites for Configuring Cisco Client Extensions  709
    Restrictions for Configuring Cisco Client Extensions  709
    Information About Cisco Client Extensions  710
    Configuring CCX Aironet IEs (GUI)  710
    Viewing a Client’s CCX Version (GUI)  710
    Configuring CCX Aironet IEs (CLI)  710
    Viewing a Client’s CCX Version (CLI)  711

CHAPTER 95  Configuring Remote LANs  713
    Prerequisites for Configuring Remote LANs  713
    Restrictions for Configuring Remote LANs  713
    Information About Remote LANs  713
    Configuring a Remote LAN (GUI)  714
    Configuring a Remote LAN (CLI)  714

CHAPTER 96  Configuring AP Groups  717
    Prerequisites for Configuring AP Groups  717
        AP Groups Supported on Controller Platforms  717
    Restrictions for Configuring Access Point Groups  718
    Information About Access Point Groups  718

    Configuring Access Point Groups  719
        Creating Access Point Groups (GUI)  719
        Creating Access Point Groups (CLI)  721
        Viewing Access Point Groups (CLI)  721

CHAPTER 97  Configuring RF Profiles  723
    Prerequisites for Configuring RF Profiles  723
    Restrictions for Configuring RF Profiles  723
    Information About RF Profiles  724
    Configuring an RF Profile (GUI)  727
    Configuring an RF Profile (CLI)  728
    Applying an RF Profile to AP Groups (GUI)  730
    Applying RF Profiles to AP Groups (CLI)  731

CHAPTER 98  Configuring Web Redirect with 802.1X Authentication  733
    Information About Web Redirect with 802.1X Authentication  733
        Conditional Web Redirect  733
        Splash Page Web Redirect  734
    Configuring the RADIUS Server (GUI)  734
    Configuring Web Redirect  735
        Configuring Web Redirect (GUI)  735
        Configuring Web Redirect (CLI)  735
    Disabling Accounting Servers per WLAN (GUI)  736
    Disabling Coverage Hole Detection per WLAN  736
        Disabling Coverage Hole Detection on a WLAN (GUI)  737
        Disabling Coverage Hole Detection on a WLAN (CLI)  737

CHAPTER 99  Configuring NAC Out-of-Band Integration  739
    Prerequisites for NAC Out Of Band  739
    Restrictions for NAC Out of Band  740
    Information About NAC Out-of-Band Integration  740
    Configuring NAC Out-of-Band Integration (GUI)  741
    Configuring NAC Out-of-Band Integration (CLI)  743

CHAPTER 100  Configuring Passive Clients  745

    Restrictions for Passive Clients  745
    Information About Passive Clients  745
    Configuring Passive Clients (GUI)  746
        Enabling the Multicast-Multicast Mode (GUI)  747
        Enabling the Global Multicast Mode on Controllers (GUI)  747
        Enabling the Passive Client Feature on the Controller (GUI)  748
    Configuring Passive Clients (CLI)  748

CHAPTER 101  Configuring Client Profiling  751
    Prerequisites for Configuring Client Profiling  751
    Restrictions for Configuring Client Profiling  752
    Information About Client Profiling  752
    Configuring Client Profiling  753
        Configuring Client Profiling (GUI)  753
        Configuring Client Profiling (CLI)  753

CHAPTER 102  Configuring Per-WLAN RADIUS Source Support  755
    Prerequisites for Per-WLAN RADIUS Source Support  755
    Information About Per-WLAN RADIUS Source Support  755
    Configuring Per-WLAN RADIUS Source Support (GUI)  756
    Configuring Per-WLAN RADIUS Source Support (CLI)  756
    Monitoring the Status of Per-WLAN RADIUS Source Support (CLI)  757

CHAPTER 103  Configuring Mobile Concierge  759
    Information About Mobile Concierge  759
    Configuring Mobile Concierge (802.11u)  760
        Configuring Mobile Concierge (802.11u) (GUI)  760
        Configuring Mobile Concierge (802.11u) (CLI)  761
    Configuring 802.11u Mobility Services Advertisement Protocol  762
        Information About 802.11u MSAP  762
        Configuring 802.11u MSAP (GUI)  762
        Configuring MSAP (CLI)  762
    Configuring 802.11u HotSpot  762
        Information About 802.11u HotSpot  762
        Configuring 802.11u HotSpot (GUI)  763

        Configuring HotSpot 2.0 (CLI)  764
        Configuring Access Points for HotSpot2 (GUI)  765
        Configuring Access Points for HotSpot2 (CLI)  766
        Downloading the Icon File (CLI)  769
    Information About 802.1Q-in-Q VLAN Tagging  770
    Restrictions for 802.1Q-in-Q VLAN Tagging  770
    Configuring 802.1Q-in-Q VLAN Tagging (GUI)  771
    Configuring 802.1Q-in-Q VLAN Tagging (CLI)  771

CHAPTER 104  Configuring Assisted Roaming  773
    Restrictions for Assisted Roaming  773
    Information About Assisted Roaming  773
    Configuring Assisted Roaming (CLI)  774

CHAPTER 105  Configuring 802.1Q-in-Q VLAN Tagging  777
    Information About 802.1Q-in-Q VLAN Tagging  777
    Restrictions for 802.1Q-in-Q VLAN Tagging  778
    Configuring 802.1Q-in-Q VLAN Tagging (GUI)  779
    Configuring 802.1Q-in-Q VLAN Tagging (CLI)  779

PART VI  Lightweight Access Points  781

CHAPTER 106  Using Access Point Communication Protocols  783
    Information About Access Point Communication Protocols  783
    Restrictions for Access Point Communication Protocols  784
    Configuring Data Encryption  784
        Guidelines for Data Encryption  785
        Upgrading or Downgrading DTLS Images for Cisco 5500 Series Controllers  786
            Guidelines When Upgrading to or from a DTLS Image  786
        Configuring Data Encryption (GUI)  786
        Configuring Data Encryption (CLI)  787
    Viewing CAPWAP Maximum Transmission Unit Information  787
    Debugging CAPWAP  788
    Controller Discovery Process  788
        Restrictions for Controller Discovery Process  789

    Verifying that Access Points Join the Controller  789
        Verifying that Access Points Join the Controller (GUI)  790
        Verifying that Access Points Join the Controller (CLI)  790

CHAPTER 107  Configuring CAPWAP Preferred Mode  791
    Information About Prefer Mode  791
    Guidelines for Configuring Preferred Mode  791
    Configuring CAPWAP Preferred Mode (GUI)  792
    Configuring CAPWAP Preferred Mode (CLI)  792

CHAPTER 108  Searching for Access Points  795
    Information About Searching for Access Points  795
    Searching the AP Filter (GUI)  795
    Monitoring the Interface Details  798
    Searching for Access Point Radios  800
        Information About Searching for Access Point Radios  800
        Searching for Access Point Radios (GUI)  800

CHAPTER 109  Configuring Global Credentials for Access Points  803
    Information About Configuring Global Credentials for Access Points  803
    Restrictions for Global Credentials for Access Points  804
    Configuring Global Credentials for Access Points  804
        Configuring Global Credentials for Access Points (GUI)  804
        Configuring Global Credentials for Access Points (CLI)  805
    Configuring Telnet and SSH for Access Points  806
        Configuring Telnet and SSH for APs (GUI)  806
        Configuring Telnet and SSH for APs (CLI)  806

CHAPTER 110  Configuring Authentication for Access Points  807
    Information About Configuring Authentication for Access Points  807
    Prerequisites for Configuring Authentication for Access Points  807
    Restrictions for Authenticating Access Points  808
    Configuring Authentication for Access Points (GUI)  808
    Configuring Authentication for Access Points (CLI)  809
    Configuring the Switch for Authentication  810

CHAPTER 111  Configuring Embedded Access Points  811
    Information About Embedded Access Points  811

CHAPTER 112  Converting Autonomous Access Points to Lightweight Mode  813
    Information About Converting Autonomous Access Points to Lightweight Mode  813
    Restrictions for Converting Autonomous Access Points to Lightweight Mode  814
    Converting Autonomous Access Points to Lightweight Mode  814
    Reverting from Lightweight Mode to Autonomous Mode  815
        Reverting to a Previous Release (CLI)  815
        Reverting to a Previous Release Using the MODE Button and a TFTP Server  816
    Authorizing Access Points  816
        Authorizing Access Points Using SSCs  816
            Authorizing Access Points for Virtual Controllers Using SSC  816
            Configuring SSC (GUI)  817
            Configuring SSC (CLI)  817
        Authorizing Access Points Using MICs  817
        Authorizing Access Points Using LSCs  818
            Configuring Locally Significant Certificates (GUI)  818
            Configuring Locally Significant Certificates (CLI)  819
        Authorizing Access Points (GUI)  821
        Authorizing Access Points (CLI)  821
    Configuring VLAN Tagging for CAPWAP Frames from Access Points  822
        Information About VLAN Tagging for CAPWAP Frames from Access Points  822
        Configuring VLAN Tagging for CAPWAP Frames from Access Points (GUI)  822
        Configuring VLAN Tagging for CAPWAP Frames from Access Points (CLI)  823
    Using DHCP Option 43 and DHCP Option 60  823
    Troubleshooting the Access Point Join Process  824
        Configuring the Syslog Server for Access Points (CLI)  825
        Viewing Access Point Join Information  826
            Viewing Access Point Join Information (GUI)  826
            Viewing Access Point Join Information (CLI)  827
    Sending Debug Commands to Access Points Converted to Lightweight Mode  829
    Understanding How Converted Access Points Send Crash Information to the Controller  829

    Understanding How Converted Access Points Send Radio Core Dumps to the Controller  829
        Retrieving Radio Core Dumps (CLI)  829
        Uploading Radio Core Dumps (GUI)  830
        Uploading Radio Core Dumps (CLI)  830
    Uploading Memory Core Dumps from Converted Access Points  831
        Uploading Access Point Core Dumps (GUI)  831
        Uploading Access Point Core Dumps (CLI)  831
    Viewing the AP Crash Log Information  832
        Viewing the AP Crash Log information (GUI)  832
        Viewing the AP Crash Log information (CLI)  832
    Displaying MAC Addresses for Converted Access Points  833
    Disabling the Reset Button on Access Points Converted to Lightweight Mode  833
    Configuring a Static IP Address on a Lightweight Access Point  833
        Configuring a Static IP Address (GUI)  834
        Configuring a Static IP Address (CLI)  834
    Supporting Oversized Access Point Images  835
        Recovering the Access Point—Using the TFTP Recovery Procedure  836

CHAPTER 113  Configuring Packet Capture  837
    Information About Packet Capture  837
    Restrictions for Packet Capture  838
    Configuring Packet Capture (CLI)  838

CHAPTER 114  Configuring OfficeExtend Access Points  841
    Information About OfficeExtend Access Points  841
    OEAP 600 Series Access Points  842
        OEAP in Local Mode  842
        Supported WLAN Settings for 600 Series OfficeExtend Access Point  843
        WLAN Security Settings for the 600 Series OfficeExtend Access Point  843
        Authentication Settings  847
        Supported User Count on 600 Series OfficeExtend Access Point  848
        Remote LAN Settings  848
        Channel Management and Settings  849
        Firewall Settings  850
        Additional Caveats  851

    Implementing Security  851
    Licensing for an OfficeExtend Access Point  852
    Configuring OfficeExtend Access Points  852
        Configuring OfficeExtend Access Points (GUI)  852
        Configuring OfficeExtend Access Points (CLI)  854
    Configuring Split Tunneling for a WLAN or a Remote LAN  856
        Configuring Split Tunneling for a WLAN or a Remote LAN (GUI)  856
        Configuring Split Tunneling for a WLAN or a Remote LAN (CLI)  857
    Configuring OEAP ACLs  857
        Configuring OEAP ACLs (GUI)  857
        Configuring OEAP ACLs (CLI)  859
    Configuring a Personal SSID on an OfficeExtend Access Point Other than 600 Series OEAP  860
    Viewing OfficeExtend Access Point Statistics  860
    Viewing Voice Metrics on OfficeExtend Access Points  861
    Running Network Diagnostics  862
        Information About Running Network Diagnostics  862
        Running Network Diagnostics (GUI)  862
            Running Network Diagnostics on the Controller  862
        Running Network Diagnostics (CLI)  862

CHAPTER 115  Configuring Cisco 700 Series Access Points  863
    Information About Cisco 700 Series Access Points  863
    Configuring Cisco 700 Series Access Points  863
        Enabling the LAN Ports (CLI)  863
        Enabling 702W LAN Ports  864

CHAPTER 116  Using Cisco Workgroup Bridges  865
    Information About Cisco Workgroup Bridges  865
    Restrictions for Cisco Workgroup Bridges  867
    WGB Configuration Example  868
    Viewing the Status of Workgroup Bridges (GUI)  869
    Viewing the Status of Workgroup Bridges (CLI)  869
    Debugging WGB Issues (CLI)  870

CHAPTER 117  Using Non-Cisco Workgroup Bridges  871
    Information About Non-Cisco Workgroup Bridges  871
    Restrictions for Non-Cisco Workgroup Bridges  872

CHAPTER 118  Configuring Backup Controllers  873
    Information About Configuring Backup Controllers  873
    Restrictions for Configuring Backup Controllers  874
    Configuring Backup Controllers (GUI)  874
    Configuring Backup Controllers (CLI)  875

CHAPTER 119  Configuring Failover Priority for Access Points  879
    Information About Configuring Failover Priority for Access Points  879
    Configuring Failover Priority for Access Points (GUI)  880
    Configuring Failover Priority for Access Points (CLI)  880
    Viewing Failover Priority Settings (CLI)  880

CHAPTER 120  Configuring AP Retransmission Interval and Retry Count  883
    Information About Configuring the AP Retransmission Interval and Retry Count  883
    Restrictions for Access Point Retransmission Interval and Retry Count  883
    Configuring the AP Retransmission Interval and Retry Count (GUI)  884
    Configuring the Access Point Retransmission Interval and Retry Count (CLI)  884

CHAPTER 121  Country Codes  887
    Information About Configuring Country Codes  887
    Restrictions for Configuring Country Codes  888
    Configuring Country Codes (GUI)  888
    Configuring Country Codes (CLI)  889

CHAPTER 122  Optimizing RFID Tracking on Access Points  891
    Information About Optimizing RFID Tracking on Access Points  891
    Optimizing RFID Tracking on Access Points (GUI)  891
    Optimizing RFID Tracking on Access Points (CLI)  892

CHAPTER 123  Configuring Probe Request Forwarding  893

    Information About Configuring Probe Request Forwarding  893
    Configuring Probe Request Forwarding (CLI)  893

CHAPTER 124  Retrieving the Unique Device Identifier on Controllers and Access Points  895
    Information About Retrieving the Unique Device Identifier on Controllers and Access Points  895
    Retrieving the Unique Device Identifier on Controllers and Access Points (GUI)  895
    Retrieving the Unique Device Identifier on Controllers and Access Points (CLI)  896

CHAPTER 125  Performing a Link Test  897
    Information About Performing a Link Test  897
    Performing a Link Test (GUI)  898
    Performing a Link Test (CLI)  898

CHAPTER 126  Configuring Link Latency  901
    Information About Configuring Link Latency  901
    Restrictions for Link Latency  902
    Configuring Link Latency (GUI)  902
    Configuring Link Latency (CLI)  902

CHAPTER 127  Configuring the TCP MSS  905
    Information About Configuring the TCP MSS  905
    Configuring TCP MSS (GUI)  905
    Configuring TCP MSS (CLI)  906

CHAPTER 128  Configuring Power Over Ethernet  907
    Information About Configuring Power over Ethernet  907
    Configuring Power over Ethernet (GUI)  909
    Configuring Power over Ethernet (CLI)  910

CHAPTER 129  Viewing Clients  913
    Viewing Clients (GUI)  913
    Viewing Clients (CLI)  914

CHAPTER 130  Configuring LED States for Access Points  915

    Configuring LED States  915
        Information About Configuring LED States for Access Points  915
        Configuring the LED State for Access Points in a Network Globally (GUI)  915
        Configuring the LED State for Access Point in a Network Globally (CLI)  915
        Configuring LED State on a Specific Access Point (GUI)  916
        Configuring LED State on a Specific Access Point (CLI)  916
    Configuring Flashing LEDs  916
        Information About Configuring Flashing LEDs  916
        Configuring Flashing LEDs (CLI)  916
        Configuring LED Flash State on a Specific Access Point (GUI)  917
CHAPTER 131  Configuring Access Points with Dual-Band Radios  919
    Configuring Access Points with Dual-Band Radios (GUI)  919
    Configuring Access Points with Dual-Band Radios (CLI)  920
CHAPTER 132  Configuring the UDP Lite  921
    Information About UDP Lite  921
    Configuring UDP Lite Globally (GUI)  922
    Configuring UDP Lite on AP (GUI)  922
    Configuring the UDP Lite (CLI)  922
PART VII  Radio Resource Management  925
CHAPTER 133  Configuring RRM  927
    Information About Radio Resource Management  927
        Radio Resource Monitoring  928
        Transmit Power Control  928
            Overriding the TPC Algorithm with Minimum and Maximum Transmit Power Settings  929
        Dynamic Channel Assignment  929
        Coverage Hole Detection and Correction  931
        Benefits of RRM  931
    Information About RRM NDP and RF Grouping  931
    Information About Configuring RRM  932
    Restrictions for Configuring RRM  932

    Configuring the RF Group Mode (GUI)  932
    Configuring the RF Group Mode (CLI)  933
    Configuring Transmit Power Control (GUI)  934
    Configuring Off-Channel Scanning Defer  935
        Information About Off-Channel Scanning Defer  935
        Configuring Off-Channel Scanning Defer for WLANs  936
            Configuring Off-Channel Scanning Defer for a WLAN (GUI)  936
            Configuring Off Channel Scanning Defer for a WLAN (CLI)  936
    Configuring Dynamic Channel Assignment (GUI)  936
    Configuring Coverage Hole Detection (GUI)  939
    Configuring RRM Profile Thresholds, Monitoring Channels, and Monitor Intervals (GUI)  941
    Configuring RRM (CLI)  942
    Viewing RRM Settings (CLI)  946
    Debug RRM Issues (CLI)  946
CHAPTER 134  Configuring RRM Neighbor Discovery Packets  949
    Information About RRM NDP and RF Grouping  949
    Configuring RRM NDP (CLI)  949
CHAPTER 135  Configuring RF Groups  951
    Information About RF Groups  951
        RF Group Leader  952
        RF Group Name  953
        Controllers and APs in RF Groups  953
    Configuring RF Groups  954
        Configuring an RF Group Name (GUI)  954
        Configuring an RF Group Name (CLI)  954
    Viewing the RF Group Status  955
        Viewing the RF Group Status (GUI)  955
        Viewing the RF Group Status (CLI)  955
    Configuring Rogue Access Point Detection in RF Groups  956
        Information About Rogue Access Point Detection in RF Groups  956
        Configuring Rogue Access Point Detection in RF Groups  956
            Enabling Rogue Access Point Detection in RF Groups (GUI)  956

            Configuring Rogue Access Point Detection in RF Groups (CLI)  957
CHAPTER 136  Overriding RRM  959
    Information About Overriding RRM  959
    Prerequisites for Overriding RRM  959
    Statically Assigning Channel and Transmit Power Settings to Access Point Radios  960
        Statically Assigning Channel and Transmit Power Settings (GUI)  960
        Statically Assigning Channel and Transmit Power Settings (CLI)  961
    Disabling Dynamic Channel and Power Assignment Globally for a Cisco Wireless LAN Controller  964
        Disabling Dynamic Channel and Power Assignment (GUI)  964
        Disabling Dynamic Channel and Power Assignment (CLI)  965
CHAPTER 137  Configuring CCX Radio Management Features  967
    Information About CCX Radio Management Features  967
        Radio Measurement Requests  967
        Location Calibration  968
    Configuring CCX Radio Management  968
        Configuring CCX Radio Management (GUI)  968
        Configuring CCX Radio Management (CLI)  969
    Viewing CCX Radio Management Information (CLI)  969
    Debugging CCX Radio Management Issues (CLI)  970
CHAPTER 138  Configuring Optimized Roaming  971
    Information About Optimized Roaming  971
    Restrictions for Optimized Roaming  971
    Configuring Optimized Roaming (GUI)  972
    Configuring Optimized Roaming (CLI)  972
CHAPTER 139  Configuring Receiver Start of Packet Detection Threshold  975
    Information About Receiver Start of Packet Detection Threshold  975
    Restrictions for Rx SOP  975
    Configuring Rx SOP (GUI)  976
    Configuring RxSOP (CLI)  976

PART VIII  Cisco CleanAir  979
CHAPTER 140  Information About CleanAir  981
    Information About CleanAir  981
        Role of the Cisco Wireless LAN Controller in a Cisco CleanAir System  982
        Interference Types that Cisco CleanAir Can Detect  982
        Persistent Devices  983
            Persistent Devices Detection  983
            Persistent Devices Propagation  983
        Detecting Interferers by an Access Point  984
CHAPTER 141  Prerequisites and Restrictions for CleanAir  985
    Prerequisites for CleanAir  985
    Restrictions for CleanAir  986
CHAPTER 142  Cisco CleanAir  987
    Configuring Cisco CleanAir on the Controller  987
        Configuring Cisco CleanAir on the Cisco Wireless LAN Controller (GUI)  987
        Configuring Cisco CleanAir on the Cisco Wireless LAN Controller (CLI)  989
    Configuring Cisco CleanAir on an Access Point  993
        Configuring Cisco CleanAir on an Access Point (GUI)  993
        Configuring Cisco CleanAir on an Access Point (CLI)  994
CHAPTER 143  Monitoring the Interference Devices  995
    Prerequisites for Monitoring the Interference Devices  995
    Monitoring the Interference Device (GUI)  995
    Monitoring the Interference Device (CLI)  997
        Detecting Interferers by an Access Point  997
        Detecting Interferers by Device Type  997
        Detecting Persistent Sources of Interference  998
    Monitoring Persistent Devices (GUI)  998
    Monitoring Persistent Devices (CLI)  998
    Monitoring the Air Quality of Radio Bands  999
        Monitoring the Air Quality of Radio Bands (GUI)  999

        Monitoring the Air Quality of Radio Bands (CLI)  999
            Viewing a Summary of the Air Quality  999
            Viewing Air Quality for all Access Points on a Radio Band  999
            Viewing Air Quality for an Access Point on a Radio Band  1000
        Monitoring the Worst Air Quality of Radio Bands (GUI)  1000
        Monitoring the Worst Air Quality of Radio Bands (CLI)  1000
            Viewing a Summary of the Air Quality (CLI)  1000
            Viewing the Worst Air Quality Information for all Access Points on a Radio Band (CLI)  1001
            Viewing the Air Quality for an Access Point on a Radio Band (CLI)  1001
            Viewing the Air Quality for an Access Point by Device Type (CLI)  1001
            Detecting Persistent Sources of Interference (CLI)  1002
CHAPTER 144  Configuring a Spectrum Expert Connection  1003
    Information About Spectrum Expert Connection  1003
    Configuring Spectrum Expert (GUI)  1003
PART IX  FlexConnect  1007
CHAPTER 145  FlexConnect  1009
    Information About FlexConnect  1009
        FlexConnect Authentication Process  1011
    Restrictions on FlexConnect  1014
    Configuring FlexConnect  1016
        Configuring the Switch at a Remote Site  1016
        Configuring the Controller for FlexConnect  1017
            Configuring the Controller for FlexConnect for a Centrally Switched WLAN Used for Guest Access  1018
            Configuring the Controller for FlexConnect (GUI)  1019
            Configuring the Controller for FlexConnect (CLI)  1021
        Configuring an Access Point for FlexConnect  1023
            Configuring an Access Point for FlexConnect (GUI)  1023
            Configuring an Access Point for FlexConnect (CLI)  1025
            Configuring an Access Point for Local Authentication on a WLAN (GUI)  1027
            Configuring an Access Point for Local Authentication on a WLAN (CLI)  1027

        Connecting Client Devices to WLANs  1028
    Configuring FlexConnect Ethernet Fallback  1028
        Information About FlexConnect Ethernet Fallback  1028
        Restrictions for FlexConnect Ethernet Fallback  1029
        Configuring FlexConnect Ethernet Fallback (GUI)  1029
        Configuring FlexConnect Ethernet Fallback (CLI)  1029
    VideoStream for FlexConnect  1030
        Information About VideoStream for FlexConnect  1030
        Configuring VideoStream for FlexConnect (GUI)  1030
        Configuring VideoStream for FlexConnect (CLI)  1032
        Viewing and Debugging Media Streams  1033
    FlexConnect plus Bridge Mode  1033
        Information about FlexConnect plus Bridge Mode  1033
        Configuring FlexConnect plus Bridge Mode (GUI)  1035
        Configuring FlexConnect plus Bridge Mode (CLI)  1035
CHAPTER 146  Configuring FlexConnect ACLs  1037
    Information About Access Control Lists  1037
    Restrictions for FlexConnect ACLs  1037
    Configuring FlexConnect ACLs (GUI)  1038
    Configuring FlexConnect ACLs (CLI)  1040
    Viewing and Debugging FlexConnect ACLs (CLI)  1041
CHAPTER 147  Configuring FlexConnect Groups  1043
    Information About FlexConnect Groups  1043
        FlexConnect Groups and Backup RADIUS Servers  1044
        FlexConnect Groups and CCKM  1044
        FlexConnect Groups and Opportunistic Key Caching  1045
        FlexConnect Groups and Local Authentication  1045
    Configuring FlexConnect Groups  1046
        Configuring FlexConnect Groups (GUI)  1046
        Configuring FlexConnect Groups (CLI)  1049
    Configuring VLAN-ACL Mapping on FlexConnect Groups  1051
        Configuring VLAN-ACL Mapping on FlexConnect Groups (GUI)  1051
        Configuring VLAN-ACL Mapping on FlexConnect Groups (CLI)  1051

        Viewing VLAN-ACL Mappings (CLI)  1052
    Configuring WLAN-VLAN Mappings on FlexConnect Groups  1052
        Configuring WLAN-VLAN Mapping on FlexConnect Groups (GUI)  1052
        Configuring WLAN-VLAN Mapping on FlexConnect Groups (CLI)  1053
CHAPTER 148  Configuring AAA Overrides for FlexConnect  1055
    Information About Authentication, Authorization, Accounting Overrides  1055
    Restrictions for AAA Overrides for FlexConnect  1056
    Configuring AAA Overrides for FlexConnect on an Access Point (GUI)  1057
    Configuring VLAN Overrides for FlexConnect on an Access Point (CLI)  1058
CHAPTER 149  Configuring FlexConnect AP Upgrades for FlexConnect APs  1059
    Information About FlexConnect AP Upgrades  1059
    Restrictions for FlexConnect AP Upgrades for FlexConnect Access Points  1059
    Configuring FlexConnect AP Upgrades (GUI)  1060
    Configuring FlexConnect AP Upgrades (CLI)  1061
PART X  Mobility Groups  1063
CHAPTER 150  Mobility Groups  1065
    Information About Mobility  1065
    Information About Mobility Groups  1069
        Messaging Among Mobility Groups  1072
        Using Mobility Groups with NAT Devices  1073
        Rogue Detection Behavior in Mobility Groups  1073
    Prerequisites for Configuring Mobility Groups  1074
    Configuring Mobility Groups (GUI)  1076
    Configuring Mobility Groups (CLI)  1077
CHAPTER 151  Viewing Mobility Group Statistics  1079
    Viewing Mobility Group Statistics (GUI)  1079
    Viewing Mobility Group Statistics (CLI)  1080
CHAPTER 152  Configuring Auto-Anchor Mobility  1081
    Information About Auto-Anchor Mobility  1081

    Restrictions on Auto-Anchor Mobility  1082
    Configuring Auto-Anchor Mobility (GUI)  1083
    Configuring Auto-Anchor Mobility (CLI)  1083
CHAPTER 153  Validating WLAN Mobility Security Values  1087
    Information About WLAN Mobility Security Values  1087
CHAPTER 154  Using Symmetric Mobility Tunneling  1089
    Information About Symmetric Mobility Tunneling  1089
    Guidelines and Limitations  1090
    Verifying Symmetric Mobility Tunneling (GUI)  1090
    Verifying if Symmetric Mobility Tunneling is Enabled (CLI)  1090
CHAPTER 155  Running Mobility Ping Tests  1091
    Information About Mobility Ping Tests  1091
    Guidelines and Limitations  1091
    Running Mobility Ping Tests (CLI)  1092
CHAPTER 156  Configuring Dynamic Anchoring for Clients with Static IP Addresses  1093
    Information About Dynamic Anchoring for Clients with Static IP  1093
        How Dynamic Anchoring of Static IP Clients Works  1093
    Restrictions on Dynamic Anchoring for Clients With Static IP Addresses  1094
    Configuring Dynamic Anchoring of Static IP Clients (GUI)  1095
    Configuring Dynamic Anchoring of Static IP Clients (CLI)  1095
CHAPTER 157  Configuring Foreign Mappings  1097
    Information About Foreign Mappings  1097
    Configuring Foreign Controller MAC Mapping (GUI)  1097
    Configuring Foreign Controller MAC Mapping (CLI)  1097
CHAPTER 158  Configuring Proxy Mobile IPv6  1099
    Information About Proxy Mobile IPv6  1099
    Restrictions on Proxy Mobile IPv6  1101
    Configuring Proxy Mobile IPv6 (GUI)  1102
    Configuring Proxy Mobile IPv6 (CLI)  1104

CHAPTER 159  Configuring New Mobility  1107
    Information About New Mobility  1107
    Restrictions for New Mobility  1107
    Configuring New Mobility (GUI)  1108
    Configuring New Mobility (CLI)  1109

Preface

This preface describes the audience, organization, and conventions of this document. It also provides information on how to obtain other documentation. This chapter includes the following sections:

Audience, page liii

Conventions, page liii

Related Documentation, page liv

Obtaining Documentation and Submitting a Service Request, page lv

Audience

This publication is for experienced network administrators who configure and maintain Cisco wireless controllers and Cisco lightweight access points.

Conventions

This document uses the following conventions:

Table 1: Conventions

Convention        Indication
bold font         Commands and keywords and user-entered text appear in bold font.
italic font       Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]               Elements in square brackets are optional.
{x | y | z }      Required alternative keywords are grouped in braces and separated by vertical bars.
[ x | y | z ]     Optional alternative keywords are grouped in brackets and separated by vertical bars.
string            A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font      Terminal sessions and information the system displays appear in courier font.
< >               Nonprinting characters such as passwords are in angle brackets.
[ ]               Default responses to system prompts are in square brackets.
!, #              An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Note

Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Tip

Means the following information will help you solve a problem.

Caution

Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.

Related Documentation

These documents provide complete information about Cisco Wireless:

• Cisco Wireless Controller configuration guides: http://www.cisco.com/c/en/us/support/wireless/5500-series-wireless-controllers/products-installation-and-configuration-guides-list.html

• Cisco Wireless Controller command references: http://www.cisco.com/en/US/products/ps10315/prod_command_reference_list.html

• Cisco Wireless Controller System Message Guide: http://www.cisco.com/en/US/products/ps10315/products_system_message_guides_list.html

• Release Notes for Cisco Wireless Controllers and Lightweight Access Points: http://www.cisco.com/c/en/us/support/wireless/5500-series-wireless-controllers/products-release-notes-list.html

• Cisco Wireless Mesh Access Points, Design and Deployment Guide: http://www.cisco.com/c/en/us/support/wireless/aironet-1550-series/products-implementation-design-guides-list.html

• Cisco Prime Infrastructure documentation: http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-infrastructure/products-documentation-roadmaps-list.html

• Cisco Mobility Services Engine documentation: http://www.cisco.com/c/en/us/support/wireless/context-aware-software/tsd-products-support-series-home.html


Click this link to access user documentation pertaining to the Cisco Wireless solution: http://www.cisco.com/cisco/web/psa/default.html?mode=prod

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation.

To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. RSS feeds are a free service.

PART I

System Management

Cisco Wireless Solution Overview, page 3

Getting Started, page 11

Managing Licenses, page 57

Configuring 802.11 Bands, page 77

Configuring 802.11 Parameters, page 85

Configuring DHCP Proxy, page 93

Configuring DHCP Link Select and VPN Select, page 97

Configuring SNMP, page 101

Configuring Aggressive Load Balancing, page 107

Configuring Fast SSID Changing, page 111

Configuring 802.3 Bridging, page 113

Configuring Multicast, page 115

Configuring Client Roaming, page 135

Configuring IP-MAC Address Binding, page 141

Configuring Quality of Service, page 143

Configuring Application Visibility and Control, page 151

Configuring Media and EDCA Parameters, page 159

Configuring the Cisco Discovery Protocol, page 179

Configuring Authentication for the Controller and NTP/SNTP Server, page 187

Configuring RFID Tag Tracking, page 189

Resetting the Controller to Default Settings, page 193

Managing Controller Software and Configurations, page 195

Managing User Accounts, page 229

Managing Web Authentication, page 239

Configuring Wired Guest Access, page 261

Troubleshooting, page 269

CHAPTER 1

Cisco Wireless Solution Overview

Introduction, page 3

Operating System Software, page 5

Operating System Security, page 6

Layer 2 and Layer 3 Operation, page 6

Cisco Wireless Controllers, page 7

Cisco Wireless Solution WLANs, page 8

File Transfers, page 8

Power over Ethernet, page 8

Cisco Wireless Controller Memory, page 9

Cisco Wireless Controller Failover Protection, page 9

Introduction

Cisco Wireless is designed to provide 802.11 wireless networking solutions for enterprises and service providers. Cisco Wireless simplifies deploying and managing large-scale wireless LANs and enables a unique best-in-class security infrastructure. The operating system manages all data client, communications, and system administration functions, performs radio resource management (RRM) functions, manages system-wide mobility policies using the operating system security solution, and coordinates all security functions using the operating system security framework.

The Cisco Wireless solution consists of Cisco wireless controllers (Cisco WLCs) and their associated lightweight access points controlled by the operating system, all concurrently managed by any or all of the operating system user interfaces:

• An HTTP and/or HTTPS full-featured Web User Interface hosted by Cisco WLCs can be used to configure and monitor individual Cisco WLCs.

• A full-featured command-line interface (CLI) can be used to configure and monitor individual Cisco WLCs.

• The Cisco Prime Infrastructure, which you use to configure and monitor one or more Cisco WLCs and associated access points. The Prime Infrastructure has tools to facilitate large-system monitoring and control. For more information about Cisco Prime Infrastructure, see http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-infrastructure/tsd-products-support-series-home.html.

• An industry-standard SNMP V1, V2c, and V3 interface can be used with any SNMP-compliant third-party network management system.

The Cisco Wireless solution supports client data services, client monitoring and control, and all rogue access point detection, monitoring, and containment functions. It uses lightweight access points, Cisco WLCs, and the optional Cisco Prime Infrastructure to provide wireless services to enterprises and service providers.

For detailed information about the Cisco Wireless solution, see the Enterprise Mobility Design Guide at http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide.html.

Single-Controller Deployments

A standalone controller can support lightweight access points across multiple floors and buildings simultaneously and support the following features:

• Autodetecting and autoconfiguring lightweight access points as they are added to the network.

• Full control of lightweight access points.

• Lightweight access points connect to controllers through the network. The network equipment may or may not provide Power over Ethernet (PoE) to the access points.

Some controllers use redundant Gigabit Ethernet connections to bypass single network failures.

Note

Some controllers can connect through multiple physical ports to multiple subnets in the network. This feature can be helpful when you want to confine multiple VLANs to separate subnets.

This figure shows a typical single-controller deployment.

Figure 1: Single-Controller Deployment


Multiple-Controller Deployments

Each controller can support lightweight access points across multiple floors and buildings simultaneously.

However, full functionality of the Cisco wireless LAN solution occurs when it includes multiple controllers.

A multiple-controller system has the following additional features:

• Autodetecting and autoconfiguring RF parameters as the controllers are added to the network.

• Same-subnet (Layer 2) roaming and inter-subnet (Layer 3) roaming.

• Automatic access point failover to any redundant controller with a reduced access point load.

The following figure shows a typical multiple-controller deployment. The figure also shows an optional dedicated management network and the three physical connection types between the network and the controllers.

Figure 2: Typical Multiple-Controller Deployment

Operating System Software

The operating system software controls controllers and lightweight access points. It includes full operating system security and radio resource management (RRM) features.


Operating System Security

Operating system security bundles Layer 1, Layer 2, and Layer 3 security components into a simple, Cisco WLAN solution-wide policy manager that creates independent security policies for each of up to 16 wireless LANs.

The 802.11 Static WEP weaknesses can be overcome using the following robust industry-standard security solutions:

• 802.1X dynamic keys with extensible authentication protocol (EAP).

• Wi-Fi protected access (WPA) dynamic keys. The Cisco WLAN solution WPA implementation includes:

◦ Temporal key integrity protocol (TKIP) and message integrity code checksum dynamic keys

◦ WEP keys, with or without a preshared key passphrase

• RSN with or without a preshared key

• Optional MAC filtering

The WEP problem can be further solved using the following industry-standard Layer 3 security solutions:

• Passthrough VPNs

• Local and RADIUS MAC address filtering

• Local and RADIUS user/password authentication

• Manual and automated disabling to block access to network services. In manual disabling, you block access using client MAC addresses. In automated disabling, which is always active, the operating system software automatically blocks access to network services for a user-defined period of time when a client fails to authenticate for a fixed number of consecutive attempts. This feature can be used to deter brute-force login attacks.

These and other security features use industry-standard authorization and authentication methods to ensure the highest possible security for your business-critical wireless LAN traffic.
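The automated disabling described above (a client that fails authentication a fixed number of consecutive times is blocked for a user-defined period) is modelled below as a small Python state machine, added here as an illustration; it is not the controller's own code. The failure threshold, the exclusion period, the counter reset on a successful authentication and the treatment of attempts made during the exclusion window are assumptions for the model, and the MAC addresses and event timeline are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class ClientExclusionPolicy:
    """Model of the automated client-disabling behaviour described in the
    guide: after a fixed number of consecutive authentication failures a
    client is blocked for a configurable period.  The numeric defaults are
    constructed for this example, not controller defaults."""
    max_failures: int = 3          # consecutive failures before exclusion (assumed)
    exclusion_seconds: int = 60    # user-defined exclusion period (assumed)
    _failures: dict = field(default_factory=dict)        # mac -> consecutive failures
    _excluded_until: dict = field(default_factory=dict)  # mac -> exclusion expiry time

    def is_excluded(self, mac, now):
        """True while the client's exclusion window is still open."""
        until = self._excluded_until.get(mac)
        if until is None:
            return False
        if now >= until:
            # Window expired: clear all state so the client starts fresh.
            del self._excluded_until[mac]
            self._failures.pop(mac, None)
            return False
        return True

    def record_attempt(self, mac, success, now):
        """Apply one authentication attempt and return the decision:
        'allowed', 'failed', 'excluded' (this attempt tripped the
        threshold) or 'blocked' (attempt made during an open window)."""
        if self.is_excluded(mac, now):
            # Assumption: attempts during exclusion are dropped and do not
            # extend the exclusion period.
            return "blocked"
        if success:
            # A successful authentication resets the consecutive counter.
            self._failures.pop(mac, None)
            return "allowed"
        count = self._failures.get(mac, 0) + 1
        self._failures[mac] = count
        if count >= self.max_failures:
            self._excluded_until[mac] = now + self.exclusion_seconds
            return "excluded"
        return "failed"


def replay(policy, events):
    """Replay (time, mac, success) events through the policy and return the
    decision for each, so the state machine can be inspected step by step."""
    return [policy.record_attempt(mac, ok, t) for (t, mac, ok) in events]


# Constructed sample: one client fails three times, is blocked inside the
# window, and is admitted again after it expires; a second client succeeds.
SAMPLE_EVENTS = [
    (0, "00:11:22:33:44:55", False),
    (1, "00:11:22:33:44:55", False),
    (2, "aa:bb:cc:dd:ee:ff", True),
    (3, "00:11:22:33:44:55", False),   # third consecutive failure -> excluded until t=63
    (10, "00:11:22:33:44:55", True),   # inside the window -> blocked
    (70, "00:11:22:33:44:55", True),   # window expired -> allowed again
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(ClientExclusionPolicy(), SAMPLE_EVENTS)):
        print(event, "->", decision)
```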

Layer 2 and Layer 3 Operation

Lightweight Access Point Protocol (LWAPP) communications between the controller and lightweight access points can be conducted at Layer 2 or Layer 3. Control and Provisioning of Wireless Access Points protocol (CAPWAP) communications between the controller and lightweight access points are conducted at Layer 3. Layer 2 mode does not support CAPWAP.

Note

The IPv4 network layer protocol is supported for transport through a CAPWAP or LWAPP controller system. IPv6 (for clients only) and AppleTalk are also supported but only on Cisco 5500 Series Controllers and the Cisco WiSM2. Other Layer 3 protocols (such as IPX, DECnet Phase IV, OSI CLNP, and so on) and Layer 2 (bridged) protocols (such as LAT and NetBeui) are not supported.


Operational Requirements

The requirement for Layer 3 LWAPP communications is that the controller and lightweight access points can be connected through Layer 2 devices on the same subnet or connected through Layer 3 devices across subnets.

Another requirement is that the IP addresses of access points should be either statically assigned or dynamically assigned through an external DHCP server.

The requirement for Layer 3 CAPWAP communications is that the controller and lightweight access points can be connected through Layer 2 devices on the same subnet or connected through Layer 3 devices across subnets.

Configuration Requirements

When you are operating the Cisco wireless LAN solution in Layer 2 mode, you must configure a management interface to control your Layer 2 communications.

When you are operating the Cisco wireless LAN solution in Layer 3 mode, you must configure an AP-manager interface to control lightweight access points and a management interface as configured for Layer 2 mode.

Cisco Wireless Controllers

When you are adding lightweight access points to a multiple-Cisco WLC deployment network, it is convenient to have all lightweight access points associate with one master Cisco WLC on the same subnet. That way, you do not have to log into multiple Cisco WLCs to find out which controller the newly added lightweight access points associated with.

One Cisco WLC in each subnet can be assigned as the master Cisco WLC while adding lightweight access points. As long as a master Cisco WLC is active on the same subnet, all new access points without a primary, secondary, and tertiary controller assigned automatically attempt to associate with the master Cisco WLC.

You can monitor the master Cisco WLC using the Cisco Prime Infrastructure Web User Interface and watch as access points associate with the master Cisco WLC. You can then verify the access point configuration and assign a primary, secondary, and tertiary Cisco WLC to the access point, and reboot the access point so it reassociates with its primary, secondary, or tertiary Cisco WLC.

Note

Lightweight access points without a primary, secondary, and tertiary Cisco WLC assigned always search for a master Cisco WLC first upon reboot. After adding lightweight access points through the master Cisco WLC, you should assign primary, secondary, and tertiary Cisco WLCs to each access point. We recommend that you disable the master setting on all Cisco WLCs after initial configuration.

Client Location

When you use Cisco Prime Infrastructure in your Cisco wireless LAN solution, controllers periodically determine the client, rogue access point, rogue access point client, radio frequency ID (RFID) tag location and store the locations in the Cisco Prime Infrastructure database.


Cisco WLC Platforms

Cisco WLCs are enterprise-class high-performance wireless switching platforms that support 802.11a/n/ac and 802.11b/g/n protocols. They operate under control of the operating system, which includes the radio resource management (RRM), creating a Cisco Wireless solution that can automatically adjust to real-time changes in the 802.11 RF environment. Cisco WLCs are built around high-performance network and security hardware, resulting in highly reliable 802.11 enterprise networks with unparalleled security.

The following Cisco WLCs are supported:

• Cisco 2504 Wireless Controller

• Cisco 5508 Wireless Controller

• Cisco Flex 7510 Wireless Controller

• Cisco 8510 Wireless Controller

• Cisco Virtual Wireless Controller

• Catalyst Wireless Services Module 2 (WiSM2)

Cisco Wireless Solution WLANs

The Cisco Wireless solution can control up to 512 WLANs for lightweight access points. Each WLAN has a separate WLAN ID (1 through 512), a separate profile name, and a WLAN SSID and can be assigned with unique security policies. The lightweight access points broadcast all active Cisco Wireless solution WLAN SSIDs and enforce the policies defined for each WLAN.

Note

We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers operate with optimum performance and ease of management.

If management over wireless is enabled across the Cisco Wireless solution, you can manage the system across the enabled WLAN using CLI and Telnet, HTTP/HTTPS, and SNMP.

File Transfers

You can upload and download operating system code, configuration, and certificate files to and from the controller using the GUI, CLI, or Cisco Prime Infrastructure.

Power over Ethernet

Lightweight access points can receive power through their Ethernet cables from 802.3af-compatible Power over Ethernet (PoE) devices, which can reduce the cost of discrete power supplies, additional wiring, conduits, outlets, and installation time. The 802.11ac radio on the 3600 series access points has to depend on 802.3at-compatible PoE devices because the 802.3af power source is not sufficient. PoE frees you from having to mount lightweight access points or other powered equipment near AC outlets, which provides greater flexibility in positioning the access points for maximum coverage.


When you are using PoE, you run a single CAT-5 cable from each lightweight access point to PoE-equipped network elements, such as a PoE power hub or a Cisco WLAN solution single-line PoE injector. When the PoE equipment determines that the lightweight access point is PoE-enabled, it sends 48 VDC over the unused pairs in the Ethernet cable to power the access point.

The PoE cable length is limited by the 100BASE-T or 10BASE-T specification to 100 m or 200 m, respectively.

Cisco Wireless Controller Memory

The controller contains two kinds of memory: volatile RAM, which holds the current, active controller configuration, and NVRAM (nonvolatile RAM), which holds the reboot configuration. When you are configuring the operating system in the controller, you are modifying volatile RAM; you must save the configuration from the volatile RAM to the NVRAM to ensure that the controller reboots in the current configuration.

Knowing which memory you are modifying is important when you are doing the following tasks:

• Using the configuration wizard

• Clearing the controller configuration

• Saving configurations

• Resetting the controller

• Logging out of the CLI

Cisco Wireless Controller Failover Protection

During installation, we recommend that you connect all lightweight access points to a dedicated controller, and configure each lightweight access point for final operation. This step configures each lightweight access point for a primary, secondary, and tertiary controller and allows it to store the configured mobility group information.

During the failover recovery, the following tasks are performed:

• The configured access point attempts to contact the primary, secondary, and tertiary controllers, and then attempts to contact the IP addresses of the other controllers in the mobility group.

• DNS is resolved with the controller IP address.

• DHCP servers get the controller IP addresses (vendor-specific option 43 in DHCP offer).
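As an added example that is not part of this guide, the following Python decodes and builds the controller-address payload that lightweight access points read from DHCP option 43, so a defender can audit what a DHCP server is actually advertising. The sub-option code 241 (0xf1) and the four-bytes-per-address layout are taken from Cisco's AP-join documentation rather than from this page, and the sample addresses are constructed.

```python
import ipaddress
import struct

# Sub-option code that Cisco lightweight APs look for inside DHCP option 43.
# Assumption from Cisco's AP-join documentation, not stated in this guide.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(controllers):
    """Build an option 43 value: one TLV whose value is the packed IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(packed) > 255:
        raise ValueError("too many controllers for a single TLV")
    return struct.pack("BB", CISCO_WLC_SUBOPTION, len(packed)) + packed


def parse_option43(value):
    """Walk the TLVs in an option 43 value and return the controller IPv4 addresses.

    Returns dotted-quad strings. Raises ValueError on a truncated TLV or on a
    controller sub-option whose length is not a multiple of 4, so a malformed
    offer is rejected outright rather than half-decoded.
    """
    controllers = []
    i = 0
    while i < len(value):
        if value[i] == 0xFF:  # end-of-options marker
            break
        if i + 2 > len(value):
            raise ValueError("truncated TLV header at offset %d" % i)
        code, length = value[i], value[i + 1]
        data = value[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError("TLV %d claims %d bytes, only %d present" % (code, length, len(data)))
        if code == CISCO_WLC_SUBOPTION:
            if length % 4 != 0:
                raise ValueError("controller sub-option length %d is not a multiple of 4" % length)
            controllers.extend(str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, length, 4))
        i += 2 + length
    return controllers


def audit_option43(value, allowed):
    """Defender check: list any advertised controller that is not in the approved set."""
    return sorted(set(parse_option43(value)) - set(allowed))


if __name__ == "__main__":
    # Constructed sample: a DHCP server directing APs to two controllers.
    opt43 = encode_option43(["192.168.10.5", "192.168.10.6"])
    print(opt43.hex())                               # f108c0a80a05c0a80a06
    print(parse_option43(opt43))                     # ['192.168.10.5', '192.168.10.6']
    print(audit_option43(opt43, ["192.168.10.5"]))   # ['192.168.10.6']
```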

In multiple-controller deployments, if one controller fails, the access points perform the following tasks:

• If the lightweight access point has a primary, secondary, and tertiary controller assigned, it attempts to associate with that controller.

• If the access point has no primary, secondary, or tertiary controllers assigned or if its primary, secondary, or tertiary controllers are unavailable, it attempts to associate with a master controller.

• If the access point finds no master controller, it attempts to contact stored mobility group members by the IP address.


• If the mobility group members are available, and if the lightweight access point has no primary, secondary, and tertiary controllers assigned and there is no master controller active, it attempts to associate with the least-loaded controller to respond to its discovery messages.

When controllers are deployed, if one controller fails, active access point client sessions are momentarily dropped while the dropped access point associates with another controller, allowing the client device to immediately reassociate and reauthenticate.

To know more about high availability, see http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/107250-ha-wlc.html.


CHAPTER 2

Getting Started

• Configuring the Controller Using the Configuration Wizard, page 11

• Connecting the Console Port of the Controller, page 12

• Configuring the Controller (GUI), page 12

• Configuring the Controller—Using the CLI Configuration Wizard, page 23

• Using the Controller GUI, page 26

• Loading an Externally Generated SSL Certificate, page 29

• Information About Externally Generated SSL Certificates, page 29

• Loading an SSL Certificate (GUI), page 30

• Loading an SSL Certificate (CLI), page 31

• Cisco WLAN Express for Cisco Wireless Controllers, page 32

• Using the Controller CLI, page 39

• Using the AutoInstall Feature for Controllers Without a Configuration, page 42

• Information About the AutoInstall Feature, page 42

• Restrictions on AutoInstall, page 43

• Managing the Controller System Date and Time, page 46

• Telnet and Secure Shell Sessions, page 51

• Managing the Controller Wirelessly, page 56

Configuring the Controller Using the Configuration Wizard

The configuration wizard enables you to configure basic settings on the controller. You can run the wizard after you receive the controller from the factory or after the controller has been reset to factory defaults. The configuration wizard is available in both GUI and CLI formats.


Connecting the Console Port of the Controller

Before you can configure the controller for basic operations, you need to connect it to a PC that uses a VT-100 terminal emulation program (such as HyperTerminal, ProComm, Minicom, or Tip).

Note

On Cisco 5500 Series Controllers, you can use either the RJ-45 console port or the USB console port. If you use the USB console port, plug the 5-pin mini Type B connector into the controller’s USB console port and the other end of the cable into the PC’s USB Type A port. The first time that you connect a Windows PC to the USB console port, you are prompted to install the USB console driver. Follow the installation prompts to install the driver. The USB console driver maps to a COM port on your PC; you then need to map the terminal emulator application to the COM port.

Step 1 Connect one end of a null-modem serial cable to the controller’s console port and the other end to your PC’s serial port.

Step 2 Start the PC’s VT-100 terminal emulation program.

Step 3 Configure the terminal emulation program for these parameters:

• 9600 baud

• 8 data bits

• 1 stop bit

• No parity

• No hardware flow control

Step 4 Plug the AC power cord into the controller and a grounded 100 to 240 VAC, 50/60-Hz electrical outlet. Turn on the power supply. The bootup script displays operating system software initialization (code download and power-on self test verification) and basic configuration.

If the controller passes the power-on self test, the bootup script runs the configuration wizard, which prompts you for basic configuration input.

Configuring the Controller (GUI)

Step 1 Connect your PC to the service port and configure it to use the same subnet as the controller.

Note

For a Cisco 2504 WLC, connect your PC to port 2 on the controller and configure it to use the same subnet.

Step 2 Start Internet Explorer 6.0 SP1 (or later) or Firefox 2.0.0.11 (or later) on your PC and browse to http://192.168.1.1. The configuration wizard appears.

Note

You can use both HTTP and HTTPS when using the service port interface. HTTPS is enabled by default and HTTP can also be enabled. The default IP address to connect to the service port interface is 192.168.1.1.


Note

For the initial GUI Configuration Wizard only, you cannot access the Cisco WLC using an IPv6 address.

Figure 3: Configuration Wizard System Information Page

Step 3 In the System Name box, enter the name that you want to assign to this Cisco WLC. You can enter up to 31 ASCII characters.

Step 4 In the User Name box, enter the administrative username to be assigned to this Cisco WLC. You can enter up to 24 ASCII characters. The default username is admin.

Step 5 In the Password and Confirm Password boxes, enter the administrative password to be assigned to this Cisco WLC. You can enter up to 24 ASCII characters. The default password is admin.

Starting in release 7.0.116.0, the following password policy has been implemented:

• The password must contain characters from at least three of the following classes:

◦ Lowercase letters

◦ Uppercase letters

◦ Digits

◦ Special characters

• No character in the password must be repeated more than three times consecutively.

• The new password must not be the same as the associated username and not be the username reversed.

• The password must not be cisco, ocsic, or any variant obtained by changing the capitalization of letters of the word Cisco. In addition, you cannot substitute 1, I, or ! for i, 0 for o, or $ for s.


Step 6 Click Next. The SNMP Summary page is displayed.

Figure 4: Configuration Wizard-SNMP Summary Page

Step 7 If you want to enable Simple Network Management Protocol (SNMP) v1 mode for this Cisco WLC, choose Enable from the SNMP v1 Mode drop-down list. Otherwise, leave this parameter set to Disable.

Note

SNMP manages nodes (servers, workstations, routers, switches, and so on) on an IP network. Currently, there are three versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3.

Step 8 If you want to enable SNMPv2c mode for this Cisco WLC, leave this parameter set to Enable. Otherwise, choose Disable from the SNMP v2c Mode drop-down list.

Step 9 If you want to enable SNMPv3 mode for this Cisco WLC, leave this parameter set to Enable. Otherwise, choose Disable from the SNMP v3 Mode drop-down list.

Step 10 Click Next.

Step 11 When the following message appears, click OK:

Default values are present for v1/v2c community strings.

Please make sure to create new v1/v2c community strings once the system comes up.

Please make sure to create new v3 users once the system comes up.

The Service Interface Configuration page is displayed.


Figure 5: Configuration Wizard-Service Interface Configuration Page


Step 12 If you want the Cisco WLC’s service-port interface to obtain an IP address from a DHCP server, check the DHCP Protocol Enabled check box. If you do not want to use the service port or if you want to assign a static IP address to the service port, leave the check box unchecked.

Note

The service-port interface controls communications through the service port. Its IP address must be on a different subnet from the management interface. This configuration enables you to manage the controller directly or through a dedicated management network to ensure service access during network downtime.

Step 13 Perform one of the following:

• If you enabled DHCP, clear out any entries in the IP Address and Netmask text boxes, leaving them blank.

• If you disabled DHCP, enter the static IP address and netmask for the service port in the IP Address and Netmask text boxes.

Step 14 Click Next.


The LAG Configuration page is displayed.

Figure 6: Configuration Wizard-LAG Configuration Page

Step 15 To enable link aggregation (LAG), choose Enabled from the Link Aggregation (LAG) Mode drop-down list. To disable LAG, leave this drop-down list set to Disabled.

Step 16 Click Next.

The Management Interface Configuration page is displayed.

Note

The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers.


Step 17 In the VLAN Identifier box, enter the VLAN identifier of the management interface (either a valid VLAN identifier or 0 for an untagged VLAN). The VLAN identifier should be set to match the switch interface configuration.

Step 18 In the IP Address box, enter the IP address of the management interface.

Step 19 In the Netmask box, enter the IP address of the management interface netmask.

Step 20 In the Gateway box, enter the IP address of the default gateway.

Step 21 In the Port Number box, enter the number of the port assigned to the management interface. Each interface is mapped to at least one primary port.

Step 22 In the Backup Port box, enter the number of the backup port assigned to the management interface. If the primary port for the management interface fails, the interface automatically moves to the backup port.

Step 23 In the Primary DHCP Server box, enter the IP address of the default DHCP server that will supply IP addresses to clients, the controller’s management interface, and optionally, the service port interface.

Step 24 In the Secondary DHCP Server box, enter the IP address of an optional secondary DHCP server that will supply IP addresses to clients, the controller’s management interface, and optionally, the service port interface.

Step 25 Click Next. The AP-Manager Interface Configuration page is displayed.

Note

This screen does not appear for Cisco 5508 WLCs because you are not required to configure an AP-manager interface. The management interface acts like an AP-manager interface by default.

Step 26 In the IP Address box, enter the IP address of the AP-manager interface.

Step 27 Click Next. The Miscellaneous Configuration page is displayed.

Figure 7: Configuration Wizard-Miscellaneous Configuration Page

Step 28

In the RF Mobility Domain Name box, enter the name of the mobility group/RF group to which you want the controller to belong.

Note

Although the name that you enter here is assigned to both the mobility group and the RF group, these groups are not identical. Both groups define clusters of controllers, but they have different purposes. All of the controllers in an RF group are usually also in the same mobility group and vice versa. However, a mobility group facilitates scalable, system-wide mobility and controller redundancy while an RF group facilitates scalable, system-wide dynamic RF management.


Step 29 The Configured Country Code(s) box shows the code for the country in which the controller will be used. If you want to change the country of operation, check the check box for the desired country.

Note

You can choose more than one country code if you want to manage access points in multiple countries from a single controller. After the configuration wizard runs, you must assign each access point joined to the controller to a specific country.

Step 30 Click Next.

Step 31 When the following message appears, click OK:

Warning! To maintain regulatory compliance functionality, the country code setting may only be modified by a network administrator or qualified IT professional. Ensure that proper country codes are selected before proceeding.

The Virtual Interface Configuration page is displayed.

Figure 8: Configuration Wizard Virtual Interface Configuration Page

Step 32 In the IP Address box, enter the IP address of the Cisco WLC’s virtual interface. You should enter a fictitious, unassigned IP address.

Note

The virtual interface is used to support mobility management, DHCP relay, and embedded Layer 3 security such as guest web authentication and VPN termination. All controllers within a mobility group must be configured with the same virtual interface IP address.

Step 33 In the DNS Host Name box, enter the name of the Domain Name System (DNS) gateway used to verify the source of certificates when Layer 3 web authorization is enabled.

Note

To ensure connectivity and web authentication, the DNS server should always point to the virtual interface. If a DNS hostname is configured for the virtual interface, then the same DNS hostname must be configured on the DNS servers used by the client.


Step 34 Click Next. The WLAN Configuration page is displayed.

Figure 9: Configuration Wizard WLAN Configuration Page


Step 35 In the Profile Name box, enter up to 32 alphanumeric characters for the profile name to be assigned to this WLAN.

Step 36 In the WLAN SSID box, enter up to 32 alphanumeric characters for the network name, or service set identifier (SSID). The SSID enables basic functionality of the Cisco WLC and allows access points that have joined the controller to enable their radios.

Step 37 Click Next.

Step 38 When the following message appears, click OK:

Default Security applied to WLAN is: [WPA2(AES)][Auth(802.1x)]. You can change this after the wizard is complete and the system is rebooted.


The RADIUS Server Configuration page is displayed.

Figure 10: Configuration Wizard-RADIUS Server Configuration Page

Step 39 In the Server IP Address box, enter the IP address of the RADIUS server.

Step 40 From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared secret.

Note

Due to security reasons, the RADIUS shared secret key reverts to ASCII mode even if you have selected HEX as the shared secret format from the Shared Secret Format drop-down list.


Step 41 In the Shared Secret and Confirm Shared Secret boxes, enter the secret key used by the RADIUS server.

Step 42 In the Port Number box, enter the communication port of the RADIUS server. The default value is 1812.

Step 43 To enable the RADIUS server, choose Enabled from the Server Status drop-down list. To disable the RADIUS server, leave this box set to Disabled.

Step 44 Click Apply. The 802.11 Configuration page is displayed.

Figure 11: Configuration Wizard-802.11 Configuration Page

Step 45 To enable the 802.11a, 802.11b, and 802.11g lightweight access point networks, leave the 802.11a Network Status, 802.11b Network Status, and 802.11g Network Status check boxes checked. To disable support for any of these networks, uncheck the check boxes.

Step 46 To enable the controller’s radio resource management (RRM) auto-RF feature, leave the Auto RF check box selected. To disable support for the auto-RF feature, uncheck this check box.

Note

The auto-RF feature enables the controller to automatically form an RF group with other controllers. The group dynamically elects a leader to optimize RRM parameter settings, such as channel and transmit power assignment, for the group.


Step 47 Click Next. The Set Time page is displayed.

Figure 12: Configuration Wizard Set Time Screen

Step 48 To manually configure the system time on your controller, enter the current date in Month/DD/YYYY format and the current time in HH:MM:SS format.

Step 49 To manually set the time zone so that Daylight Saving Time (DST) is not set automatically, enter the local hour difference from Greenwich Mean Time (GMT) in the Delta Hours box and the local minute difference from GMT in the Delta Mins box.

Note

When manually setting the time zone, enter the time difference of the local current time zone with respect to GMT (+/–). For example, Pacific time in the United States is 8 hours behind GMT. Therefore, it is entered as –8.


Step 50 Click Next. The Configuration Wizard Completed page is displayed.

Figure 13: Configuration Wizard-Configuration Wizard Completed Page

Step 51 Click Save and Reboot to save your configuration and reboot the Cisco WLC.

Step 52 When the following message appears, click OK:

Configuration will be saved and the controller will be rebooted. Click ok to confirm.

The Cisco WLC saves your configuration, reboots, and prompts you to log on.

Configuring the Controller Using the CLI Configuration Wizard

Before You Begin

• The available options appear in brackets after each configuration parameter. The default value appears in all uppercase letters.

• If you enter an incorrect response, the controller provides you with an appropriate error message, such as “Invalid Response,” and returns you to the wizard prompt.

• Press the hyphen key if you ever need to return to the previous command line.

Step 1 When prompted to terminate the AutoInstall process, enter yes. If you do not enter yes, the AutoInstall process begins after 30 seconds.


Note

The AutoInstall feature downloads a configuration file from a TFTP server and then loads the configuration onto the controller automatically.

Step 2 Enter the system name, which is the name that you want to assign to the controller. You can enter up to 31 ASCII characters.

Step 3 Enter the administrative username and password to be assigned to this controller. You can enter up to 24 ASCII characters for each.

Starting in release 7.0.116.0, the following password policy has been implemented:

• The password must contain characters from at least three of the following classes:

◦ Lowercase letters

◦ Uppercase letters

◦ Digits

◦ Special characters

• No character in the password must be repeated more than three times consecutively.

• The new password must not be the same as the associated username and not be the username reversed.

• The password must not be cisco, ocsic, or any variant obtained by changing the capitalization of letters of the word Cisco. In addition, you cannot substitute 1, I, or ! for i, 0 for o, or $ for s.
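As an added example that is not part of this guide, the following Python checks a candidate administrative password against the policy listed above (for both the GUI and CLI wizard) together with the 24-character limit from Step 3. Which characters count as "special" and the case-insensitive comparison against the username are assumptions, chosen on the strict side.

```python
MAX_LEN = 24  # the wizard accepts up to 24 ASCII characters for the password

# Undo the substitutions the policy names: 1, I or ! for i, 0 for o, $ for s.
# Capital I is already handled by lowercasing before translation.
_SUBSTITUTIONS = str.maketrans({"1": "i", "!": "i", "0": "o", "$": "s"})
_FORBIDDEN = {"cisco", "ocsic"}


def _normalize(text):
    """Lowercase the text and map the policy's leet substitutions back to letters."""
    return text.lower().translate(_SUBSTITUTIONS)


def _max_run(text):
    """Length of the longest run of a single character repeated consecutively."""
    longest = run = 0
    previous = None
    for ch in text:
        run = run + 1 if ch == previous else 1
        previous = ch
        longest = max(longest, run)
    return longest


def check_password(password, username):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if not password or len(password) > MAX_LEN or not password.isascii():
        problems.append("must be 1 to %d ASCII characters" % MAX_LEN)
    # Assumption: a "special" character is any ASCII character that is not a letter or digit.
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    if sum(classes.values()) < 3:
        problems.append("needs characters from at least three classes (lowercase, uppercase, digits, special)")
    if _max_run(password) > 3:
        problems.append("no character may repeat more than three times in a row")
    # Assumption: compared case-insensitively, which is stricter than the text strictly requires.
    if password.lower() in (username.lower(), username.lower()[::-1]):
        problems.append("must not equal the username or the username reversed")
    if _normalize(password) in _FORBIDDEN:
        problems.append("must not be a variant of 'cisco' or 'ocsic'")
    return problems


if __name__ == "__main__":
    # Constructed samples: one acceptable password and several that violate a rule.
    for candidate in ("Secur3!Wlan", "C1$c0", "Paaaass1!", "nimda"):
        print(candidate, "->", check_password(candidate, "admin") or "ok")
```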

Step 4 If you want the controller’s service-port interface to obtain an IP address from a DHCP server, enter DHCP. If you do not want to use the service port or if you want to assign a static IP address to the service port, enter none.

Note

The service-port interface controls communications through the service port. Its IP address must be on a different subnet from the management interface. This configuration enables you to manage the controller directly or through a dedicated management network to ensure service access during network downtime.

Step 5 If you entered none in Step 4, enter the IP address and netmask for the service-port interface on the next two lines.

Step 6 Enable or disable link aggregation (LAG) by choosing yes or NO.

Step 7 Enter the IP address of the management interface.

Note

The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers.

Step 8 Enter the IP address of the management interface netmask.

Step 9 Enter the IP address of the default router.

Step 10 Enter the VLAN identifier of the management interface (either a valid VLAN identifier or 0 for an untagged VLAN). The VLAN identifier should be set to match the switch interface configuration.

Step 11 Enter the IP address of the default DHCP server that will supply IP addresses to clients, the management interface of the controller, and optionally, the service port interface. Enter the IP address of the AP-manager interface.

Note

This prompt does not appear for Cisco 5500 Series Controllers because you are not required to configure an AP-manager interface. The management interface acts like an AP-manager interface by default.

Step 12 Enter the IP address of the controller’s virtual interface. You should enter a fictitious unassigned IP address.

Note

The virtual interface is used to support mobility management, DHCP relay, and embedded Layer 3 security such as guest web authentication and VPN termination. All controllers within a mobility group must be configured with the same virtual interface IP address.

Step 13 If desired, enter the name of the mobility group/RF group to which you want the controller to belong.

Note

Although the name that you enter here is assigned to both the mobility group and the RF group, these groups are not identical. Both groups define clusters of controllers, but they have different purposes. All of the controllers in an RF group are usually also in the same mobility group and vice versa. However, a mobility group facilitates scalable, system-wide mobility and controller redundancy while an RF group facilitates scalable, system-wide dynamic RF management.

Step 14 Enter the network name or service set identifier (SSID). The SSID enables basic functionality of the controller and allows access points that have joined the controller to enable their radios.

Step 15 Enter YES to allow clients to assign their own IP address or no to require clients to request an IP address from a DHCP server.

Step 16 To configure a RADIUS server now, enter YES and then enter the IP address, communication port, and secret key of the RADIUS server. Otherwise, enter no. If you enter no, the following message appears: “Warning! The default WLAN security policy requires a RADIUS server. Please see the documentation for more details.”

Step 17 Enter the code for the country in which the controller will be used.

Note

Enter help to view the list of available country codes.

Note

You can enter more than one country code if you want to manage access points in multiple countries from a single controller. To do so, separate the country codes with a comma (for example, US,CA,MX). After the configuration wizard runs, you need to assign each access point joined to the controller to a specific country.

Step 18 Enable or disable the 802.11b, 802.11a, and 802.11g lightweight access point networks by entering YES or no.

Step 19 Enable or disable the controller’s radio resource management (RRM) auto-RF feature by entering YES or no.

Note

The auto-RF feature enables the controller to automatically form an RF group with other controllers. The group dynamically elects a leader to optimize RRM parameter settings, such as channel and transmit power assignment, for the group.

Step 20 If you want the controller to receive its time setting from an external Network Time Protocol (NTP) server when it powers up, enter YES to configure an NTP server. Otherwise, enter no.

Note

The controller network module installed in a Cisco Integrated Services Router does not have a battery and cannot save a time setting. Therefore, it must receive a time setting from an external NTP server when it powers up.

Step 21 If you entered no in Step 20 and want to manually configure the system time on your controller now, enter YES. If you do not want to configure the system time now, enter no.

Step 22 If you entered YES in Step 21, enter the current date in the MM/DD/YY format and the current time in the HH:MM:SS format.

Step 23 After you have completed Step 22, the wizard prompts you to configure IPv6 parameters. Enter yes to proceed.

Step 24 Enter the service port interface IPv6 address configuration. You can enter either static or SLAAC.

• If you entered SLAAC, the IPv6 address is autoconfigured.

• If you entered static, you need to enter the IPv6 address and its prefix length for the service interface.

Step 25 Enter the IPv6 address of the management interface.

Step 26 Enter the IPv6 address prefix length of the management interface.

Step 27 Enter the gateway IPv6 address of the management interface.

Step 28 Once the management interface configuration is complete, the wizard prompts you to configure IPv6 parameters for the RADIUS server. Enter yes.

Step 29 Enter the IPv6 address of the RADIUS server.

Enter the communication port number of the RADIUS server. The default value is 1812.

Enter the secret key for the IPv6 address of the RADIUS server.


Step 30 Once the RADIUS server configuration is complete, the wizard prompts you to configure an IPv6 NTP server. Enter yes.

Enter the IPv6 address of the NTP server.

Step 31 When prompted to verify that the configuration is correct, enter yes or NO.

The Cisco WLC saves your configuration when you enter yes, reboots, and prompts you to log on.

Using the Controller GUI

A browser-based GUI is built into each controller.

It allows up to five users to simultaneously browse into the controller HTTP or HTTPS (HTTP + SSL) management pages to configure parameters and monitor the operational status for the controller and its associated access points.

For detailed descriptions of the Controller GUI, see the Online Help. To access the online help, click Help on the Controller GUI.

Note

We recommend that you enable the HTTPS interface and disable the HTTP interface to ensure more robust security.

Guidelines and Limitations

Follow these guidelines when using the controller GUI:

• The GUI must be used on a PC running Windows 7, Windows XP SP1 (or later releases), or Windows 2000 SP4 (or later releases).

• The controller Web UI is compatible with the following web browsers:

◦ Microsoft Internet Explorer 10 and later versions

◦ Mozilla Firefox 32 and later versions

• To view the Main Dashboard that is introduced in Release 8.1.102.0, you must enable JavaScript on the web browser.

• You can use either the service port interface or the management interface to access the GUI. We recommend that you use the service-port interface.

• You can use both HTTP and HTTPS when using the service port interface. HTTPS is enabled by default and HTTP can also be enabled. The default IP address to connect to the service port interface is 192.168.1.1.

• Click Help at the top of any page in the GUI to display online help. You might need to disable your browser’s pop-up blocker to view the online help.


Logging On to the GUI

Note

Do not configure TACACS authentication when the controller is set to use local authentication.

Step 1 Enter the controller IP address in your browser’s address bar. For a secure connection, enter https://ip-address. For a less secure connection, enter http://ip-address.

Step 2 When prompted, enter a valid username and password, and click OK.

The Summary page is displayed.

Note

The administrative username and password that you created in the configuration wizard are case sensitive. The default username is admin, and the default password is admin.

Logging out of the GUI

Step 1 Click Logout in the top right corner of the page.

Step 2 Click Close to complete the log out process and prevent unauthorized users from accessing the controller GUI.

Step 3 When prompted to confirm your decision, click Yes.

Enabling Web and Secure Web Modes

This section provides instructions to enable the distribution system port as a web port (using HTTP) or as a secure web port (using HTTPS). You can protect communication with the GUI by enabling HTTPS. HTTPS protects HTTP browser sessions by using the Secure Sockets Layer (SSL) protocol. When you enable HTTPS, the controller generates its own local web administration SSL certificate and automatically applies it to the GUI. You also have the option of downloading an externally generated certificate.

You can configure web and secure web mode using the controller GUI or CLI.

Enabling Web and Secure Web Modes (GUI)

Step 1 Choose Management > HTTP-HTTPS. The HTTP-HTTPS Configuration page is displayed.

To enable web mode, which allows users to access the controller GUI using “http://ip-address,” choose Enabled from the HTTP Access drop-down list. Otherwise, choose Disabled. The default value is Disabled. Web mode is not a secure connection.

To enable secure web mode, which allows users to access the controller GUI using “https://ip-address,” choose Enabled from the HTTPS Access drop-down list. Otherwise, choose Disabled. The default value is Enabled. Secure web mode is a secure connection.

In the Web Session Timeout text box, enter the amount of time, in minutes, before the web session times out due to inactivity. You can enter a value between 10 and 160 minutes (inclusive). The default value is 30 minutes.

Click Apply.

If you enabled secure web mode in Step 3, the controller generates a local web administration SSL certificate and automatically applies it to the GUI. The details of the current certificate appear in the middle of the HTTP-HTTPS

Configuration page.

Note

If desired, you can delete the current certificate by clicking Delete Certificate and have the controller generate a new certificate by clicking Regenerate Certificate.

Choose Controller > General to open the General page.

Choose one of the following options from the Web Color Theme drop-down list:

Default—Configures the default web color theme for the controller GUI.

Red—Configures the web color theme as red for the controller GUI.

Click Apply.

Click Save Configuration.

Enabling Web and Secure Web Modes (CLI)

Step 1 Enable or disable web mode by entering this command:

config network webmode {enable | disable}

This command allows users to access the controller GUI using "http://ip-address." The default value is disabled. Web mode is not a secure connection.

Step 2 Configure the web color theme for the controller GUI by entering this command:

config network webcolor {default | red}

The default color theme for the controller GUI is enabled. To change the color scheme to red, use the red option. If you change the color theme from the controller CLI, reload the controller GUI screen to apply your changes.

Step 3 Enable or disable secure web mode by entering this command:

config network secureweb {enable | disable}

This command allows users to access the controller GUI using “https://ip-address.” The default value is enabled. Secure web mode is a secure connection.


Step 4 Enable or disable secure web mode with increased security by entering this command:

config network secureweb cipher-option high {enable | disable}

This command allows users to access the controller GUI using “https://ip-address” but only from browsers that support 128-bit (or larger) ciphers. The default value is disabled.

Step 5 Enable or disable SSLv2 for web administration by entering this command:

config network secureweb cipher-option sslv2 {enable | disable}

If you disable SSLv2, users cannot connect using a browser configured with SSLv2 only. They must use a browser that is configured to use a more secure protocol such as SSLv3 or later. The default value is disabled.

Step 6 Enable or disable preference for RC4-SHA (Rivest Cipher 4-Secure Hash Algorithm) cipher suites (over CBC cipher suites) for web authentication and web administration by entering this command:

config network secureweb cipher-option rc4-preference {enable | disable}

Step 7 Verify that the controller has generated a certificate by entering this command:

show certificate summary

Information similar to the following appears:

Web Administration Certificate................. Locally Generated
Web Authentication Certificate................. Locally Generated
Certificate compatibility mode:................ off

Step 8 (Optional) Generate a new certificate by entering this command:

config certificate generate webadmin

After a few seconds, the controller verifies that the certificate has been generated.

Step 9 Save the SSL certificate, key, and secure web password to nonvolatile RAM (NVRAM) so that your changes are retained across reboots by entering this command:

save config

Step 10 Reboot the controller by entering this command:

reset system
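As an added example (not Cisco's code), the following Python script audits the web-administration settings that the commands in this procedure produce against the defaults the guide states, and parses the show certificate summary output from Step 7. The rc4-preference default is not stated on the page, so the script treats it as unknown until a command sets it (assumption).

```python
"""Audit WLC web-administration settings from the CLI commands in this procedure.

Added example, not Cisco's code. Defaults are the ones the guide states:
web mode disabled, secure web enabled, cipher-option high disabled, SSLv2
disabled. The page does not state the rc4-preference default, so it is
treated as unknown (None) until a command sets it (assumption).
"""
import re

DEFAULTS = {
    "webmode": "disable",
    "secureweb": "enable",
    "secureweb cipher-option high": "disable",
    "secureweb cipher-option sslv2": "disable",
    "secureweb cipher-option rc4-preference": None,  # not stated on the page
}

# The five 'config network ...' commands shown in Steps 1 and 3 to 6.
_CMD = re.compile(
    r"^config\s+network\s+"
    r"(?P<key>webmode|secureweb(?:\s+cipher-option\s+(?:high|sslv2|rc4-preference))?)"
    r"\s+(?P<value>enable|disable)\s*$"
)

# Constructed sample of the 'show certificate summary' output shown in Step 7.
SAMPLE_SUMMARY = """\
Web Administration Certificate................. Locally Generated
Web Authentication Certificate................. Locally Generated
Certificate compatibility mode:................ off
"""


def apply_commands(commands):
    """Apply CLI lines in order and return the resulting settings.

    Lines that are not one of the web-mode commands are ignored, so a
    longer command transcript can be fed in as long as it uses this syntax.
    """
    state = dict(DEFAULTS)
    for line in commands:
        m = _CMD.match(line.strip())
        if m:
            key = re.sub(r"\s+", " ", m.group("key"))
            state[key] = m.group("value")
    return state


def parse_certificate_summary(text):
    """Turn 'Name......... Value' lines into a dict keyed by the name."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"^(?P<name>.+?)\.{3,}\s*(?P<value>.*)$", line)
        if m:
            name = m.group("name").strip().rstrip(":")
            result[name] = m.group("value").strip()
    return result


def audit(commands, certificate_summary=""):
    """Return findings that weaken GUI access; an empty list is the hardened posture."""
    s = apply_commands(commands)
    findings = []
    if s["webmode"] == "enable":
        findings.append("HTTP web mode is enabled; the guide notes it is not a secure connection")
    if s["secureweb"] != "enable":
        findings.append("HTTPS secure web mode is disabled")
    if s["secureweb cipher-option high"] != "enable":
        findings.append("cipher-option high is not enabled; browsers with ciphers below 128 bits are accepted")
    if s["secureweb cipher-option sslv2"] == "enable":
        findings.append("SSLv2 is enabled for web administration")
    if s["secureweb cipher-option rc4-preference"] == "enable":
        findings.append("RC4-SHA cipher suites are preferred over CBC suites")
    certs = parse_certificate_summary(certificate_summary)
    if certs.get("Web Administration Certificate") == "Locally Generated":
        findings.append("web administration certificate is locally generated (self-signed); "
                        "load an externally generated certificate if one is required")
    return findings


if __name__ == "__main__":
    # Constructed transcript with two weak settings, fed through the audit.
    weak = ["config network webmode enable",
            "config network secureweb cipher-option sslv2 enable"]
    for finding in audit(weak, SAMPLE_SUMMARY):
        print("-", finding)
```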

Loading an Externally Generated SSL Certificate

This section describes how to load an externally generated SSL certificate.

Information About Externally Generated SSL Certificates

You can use a TFTP server to download an externally generated SSL certificate to the controller. Follow these guidelines for using TFTP:

• If you load the certificate through the service port, the TFTP server must be on the same subnet as the controller because the service port is not routable, or you must create static routes on the controller. If you load the certificate through the distribution system network port, the TFTP server can be on any subnet.


• A third-party TFTP server cannot run on the same PC as the Cisco Prime Infrastructure because the Prime Infrastructure built-in TFTP server and the third-party TFTP server require the same communication port.

Note

Chained certificates are supported for web authentication only and not for the management certificate.

Note

Every HTTPS certificate contains an embedded RSA key. The length of the key can vary from 512 bits, which is relatively insecure, to thousands of bits, which is very secure. When you obtain a new certificate from a Certificate Authority, make sure that the RSA key embedded in the certificate is at least 768 bits long.

Loading an SSL Certificate (GUI)

Step 1 On the HTTP Configuration page, select the Download SSL Certificate check box.

Figure 14: HTTP Configuration Page

Step 2 In the Server IP Address text box, enter the IP address of the TFTP server.

Step 3 In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to download the certificate.

Step 4 In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate.

Step 5 In the Certificate File Path text box, enter the directory path of the certificate.

Step 6 In the Certificate File Name text box, enter the name of the certificate (webadmincert_name.pem).

Step 7 (Optional) In the Certificate Password text box, enter a password to encrypt the certificate.

Step 8 Click Apply.

Step 9 Click Save Configuration.

Step 10 Choose Commands > Reboot > Reboot > Save and Reboot to reboot the controller for your changes to take effect.

Loading an SSL Certificate (CLI)

Step 1 Use a password to encrypt the HTTPS certificate in a .PEM-encoded file. The PEM-encoded file is called a web administration certificate file (webadmincert_name.pem).

Step 2 Move the webadmincert_name.pem file to the default directory on your TFTP server.

Step 3 To view the current download settings, enter this command and answer n to the prompt:

transfer download start

Information similar to the following appears:

Mode........................................... TFTP
Data Type...................................... Admin Cert
TFTP Server IP................................. xxx.xxx.xxx.xxx
TFTP Path...................................... <directory path>
TFTP Filename..................................
Are you sure you want to start? (y/n) n
Transfer Canceled

Step 4 Use these commands to change the download settings:

transfer download mode tftp
transfer download datatype webauthcert
transfer download serverip TFTP_server IP_address
transfer download path absolute_TFTP_server_path_to_the_update_file
transfer download filename webadmincert_name.pem

Step 5 To set the password for the .PEM file so that the operating system can decrypt the web administration SSL key and certificate, enter this command:

transfer download certpassword private_key_password

Step 6 To confirm the current download settings and start the certificate and key download, enter this command and answer y to the prompt:

transfer download start

Information similar to the following appears:

Mode........................................... TFTP
Data Type...................................... Site Cert
TFTP Server IP................................. xxx.xxx.xxx.xxx
TFTP Path...................................... directory path
TFTP Filename.................................. webadmincert_name
Are you sure you want to start? (y/n) y
TFTP Webadmin cert transfer starting.
Certificate installed.
Please restart the switch (reset system) to use the new certificate.

Step 7 To save the SSL certificate, key, and secure web password to NVRAM so that your changes are retained across reboots, enter this command:

save config

Step 8 To reboot the controller, enter this command:

reset system

Cisco WLAN Express for Cisco Wireless Controllers

Overview of Cisco WLAN Express

Cisco WLAN Express is a simplified, out-of-the-box installation and configuration interface for Cisco Wireless Controllers. This section provides instructions to set up a Cisco WLC to operate in a small, medium, or large wireless network environment, where access points join the controller and together, as a simple solution, provide services such as corporate employee or guest wireless access on the network.

There are two methods:

• Wired method

• Wireless method

With this, there are three ways to set up Cisco WLC:

• Cisco WLAN Express

• Traditional command line interface (CLI) via serial console

• Updated method using network connection directly to the WLC GUI setup wizard

Note

Cisco WLAN Express can be used only for the first time in out-of-the-box installations or when WLC configuration is reset to factory defaults.


Feature History

• Release 7.6.120.0—This feature was introduced and supported only on Cisco 2500 Series Wireless Controller. It includes an easy-to-use GUI Configuration Wizard, an intuitive monitoring dashboard and several Cisco Wireless LAN best practices enabled by default.

• Release 8.0.110.0—The following enhancements were made:

• Connect to any port—You can connect a client device to any port on the Cisco 2500 Series WLC and access the GUI configuration wizard to run Cisco WLAN Express. Previously, you were required to connect the client device to only port 2.

• Wireless Support to run Cisco WLAN Express—You can connect an AP to any of the ports on the Cisco 2500 Series WLC, associate a client device with the AP, and run Cisco WLAN Express.

When the AP is associated with the Cisco 2500 Series WLC, only 802.11b and 802.11g radios are enabled; the 802.11a radio is disabled. The AP broadcasts an SSID named “CiscoAirProvision,” which is of WPA2-PSK type with the key being “password.” After a client device associates with this SSID, the client device automatically gets an IP address in the 192.168.x.x range. On the web browser of the client device, go to http://192.168.1.1 to open the GUI configuration wizard.

This feature is supported only on the following web browsers:

• Microsoft Internet Explorer 10 and later versions

• Mozilla Firefox 32 and later versions

Note

This feature is not supported on mobile devices such as smartphones and tablet computers.

• Release 8.1—The following enhancements are made:

• Added support for the Cisco WLAN Express using the wired method to Cisco 5500, Flex 7500, 8500 Series Wireless Controllers and Virtual Controller.

• Introduced the Main Dashboard view and compliance assessment and best practices. For more details, see the Cisco WLC Online Help.

Configuration Checklist

The following checklist is for your reference to make the installation process easy. Ensure that you have these requirements ready before you proceed:

1 Network switch requirements:
  1 WLC switch port number assigned
  2 WLC assigned switch port
  3 Is the switch port configured as trunk or access?
  4 Is there a management VLAN? If yes, Management VLAN ID
  5 Is there a guest VLAN? If yes, Guest VLAN ID

2 WLC Settings:
  1 New admin account name
  2 Admin account password
  3 System name for the WLC
  4 Current time zone
  5 Is there an NTP server available? If yes, NTP server IP address
  6 WLC Management Interface:
    1 IP address
    2 Subnet Mask
    3 Default gateway
  7 Management VLAN ID

3 Corporate wireless network

4 Corporate wireless name/SSID

5 Is a RADIUS server required?

6 Security authentication option to select:
  1 WPA/WPA2 Personal
  2 Corporate passphrase (PSK)
  3 WPA/WPA2 (Enterprise)
  4 RADIUS server IP address and shared secret

7 Is a DHCP server known? If yes, DHCP server IP address

8 Guest Wireless Network - optional
  1 Guest wireless name/SSID
  2 Is a password required for guest?
  3 Guest passphrase (PSK)
  4 Guest VLAN ID
  5 Guest networking
    1 IP address
    2 Subnet Mask
    3 Default gateway

9 Advanced option—Configure RF Parameters for Client Density as Low, Medium, or High.


Preparing for Setup Using Cisco WLAN Express

• Do not auto-configure the WLC or use the wizard for configuration.

• Do not use the console interface; the only connection to the WLC should be a client connected to the service port.

• Configure DHCP or assign a static IP address 192.168.1.X to the laptop interface connected to the service port.

Related Documentation

For more information about Cisco WLAN Express, see the WLAN Express Setup and Best Practices Deployment Guide.

Restrictions for Cisco WLAN Express

• As of Release 8.1, the Cisco WLAN Express using the wireless method is supported only on Cisco 2500 Series WLC.

• If you use the CLI configuration wizard or AutoInstall, Cisco WLAN Express is bypassed and associated features are enabled.

• If you upgrade to Release 7.6.120.0 or a later release and do not perform a new configuration of the controller using the GUI Configuration Wizard, Cisco WLAN Express is not enabled. You must use the GUI Configuration Wizard to enable the Cisco WLAN Express features.

• After you upgrade to Release 7.6.120.0 or a later release, you can clear the controller configuration and use the GUI Configuration Wizard to enable Cisco WLAN Express features.

• If you downgrade from Release 7.6.120.0 or a later release to an older release, Cisco WLAN Express features are disabled. However, the configurations generated through Cisco WLAN Express are not removed.

Setting up Cisco Wireless Controller using Cisco WLAN Express (Wired Method)

Step 1 Connect a laptop's wired Ethernet port directly to the Service port of the WLC. The port LEDs blink to indicate that both machines are properly connected.

Note

It may take several minutes for the WLC to fully power on to make the GUI available to the PC. Do not auto-configure the WLC.

The LEDs on the front panel provide the system status:

• If the LED is off, it means that the WLC is not ready.

• If the LED is solid green, it means that the WLC is ready.

Step 2 Configure the DHCP option on the laptop that you have connected to the Service port. This assigns an IP address to the laptop from the WLC Service port 192.168.1.X, or you can assign a static IP address 192.168.1.X to the laptop to access the WLC GUI; both options are supported.

Step 3 Open any one of the following supported web browsers and type http://192.168.1.1 in the address bar.

• Mozilla Firefox version 32 or later (Windows, MAC)

• Microsoft Internet Explorer version 10 or later (Windows)

• Google Chrome version 38.x or later (Windows, MAC)

• Apple Safari version 7 or later (MAC)

Note

This feature is not supported on mobile devices such as smartphones and tablet computers.

Step 4 Create an administrator account by providing the name and password. Click Start to continue.

Step 5 In the Set Up Your Controller dialog box, enter the following details:

1 System Name for the WLC

2 Current time zone

3 NTP Server (optional)

4 Management IP Address

5 Subnet Mask

6 Default Gateway

7 Management VLAN ID—If left unchanged or set to 0, the network switch port must be configured with a native VLAN 'X0'

Note

The setup attempts to import the clock information (date and time) from the computer via JavaScript. We recommend that you confirm this before continuing. Access points rely on correct clock settings to be able to join the WLC.

Step 6 In the Create Your Wireless Networks dialog box, in the Employee Network area, use the checklist to enter the following data:

a) Network name/SSID

b) Security

c) Pass Phrase, if Security is set to WPA/WPA2 Personal

d) DHCP Server IP Address—If left empty, the DHCP processing is bridged to the management interface

Step 7 (Optional) In the Create Your Wireless Networks dialog box, in the Guest Network area, use the checklist to enter the following data:

a) Network name/SSID

b) Security

c) VLAN IP Address, VLAN Subnet Mask, VLAN Default Gateway, VLAN ID

d) DHCP Server IP Address—If left empty, the DHCP processing is bridged to the management interface

Step 8 In the Advanced Setting dialog box, in the RF Parameter Optimization area, do the following:

a) Select the client density as Low, Typical, or High.

b) Configure the RF parameters for RF Traffic Type, such as Data and Voice.

c) Change the Service port IP address and subnet mask, if necessary.

Step 9 Click Next.

Step 10 Review your settings and then click Apply to confirm.

The WLC reboots automatically. You will be prompted that the WLC is fully configured and will be restarted. Sometimes, you might not be prompted with this message. In this scenario, do the following:

a) Disconnect the laptop from the WLC service port and connect it to the Switch port.

b) Connect the WLC port 1 to the switch configured trunk port.

c) Connect access points to the switch if not already connected.

d) Wait until the access points join the WLC.

RF Profile Configurations

Step 1 After a successful login as an administrator, choose Wireless > RF Profiles to verify whether the Cisco WLAN Express features are enabled by checking that the predefined RF profiles are created on this page.

You can define AP Groups and apply the appropriate profile to a set of APs.

Step 2 Choose Wireless > Advanced > Network Profile and verify the client density and traffic type details.

Note

We recommend that you use RF and Network profiles configuration even if Cisco WLAN Express was not used initially or if the WLC was upgraded from a release that is earlier than Release 8.1.

Setting up Cisco Wireless Controller using Cisco WLAN Express (Wireless Method)

This wireless method applies only to Cisco 2500 Series Wireless Controller.

Step 1 Plug in a Cisco AP to any one of the ports of Cisco 2500 Series WLC. If you do not have a separate power supply for the AP, you can use Port 3 or Port 4, which supports PoE.

Step 2 After the AP boots up, the AP associates with the WLC and downloads the WLC software.

Step 3 The AP starts provisioning a WPA2-PSK SSID "CiscoAirProvision" with the key "password."

Step 4 Associate a client device to the "CiscoAirProvision" SSID.

The client device is assigned an IP address in the 192.168.x.x range.

Step 5 On the web browser of the client device, go to http://192.168.1.1 to open the GUI configuration wizard.

Default Configurations

When you configure your Cisco Wireless Controller, the following parameters are enabled or disabled. These settings are different from the default settings obtained when you configure the controller using the CLI wizard.

Parameters in New Interface: Value

Aironet IE: Disabled

DHCP Address Assignment (Guest SSID): Enabled

Client Band Select: Enabled

Local HTTP and DHCP Profiling: Enabled

Guest ACL: Applied. (Note: Guest ACL denies traffic to the management subnet.)

CleanAir: Enabled

EDRRM: Enabled

EDRRM Sensitivity Threshold: Low sensitivity for 2.4 GHz; Medium sensitivity for 5 GHz

Channel Bonding (5 GHz): Enabled

DCA Channel Width: 40 MHz

mDNS Global Snooping: Enabled

Default mDNS profile: Two new services added: Better printer support; HTTP

AVC (only AV): Enabled only with the following prerequisites: Bootloader version—1.0.18, or Field Upgradable Software version—1.8.0.0 and above. (Note: If you upgrade the bootloader after you have set up the Cisco 2500 Series Controller using the GUI Wizard, you have to manually enable AVC on the previously created WLAN.)

Management: Via Wireless Clients—Enabled; HTTP/HTTPS Access—Enabled; WebAuth Secure Web—Enabled

Virtual IP Address: 192.0.2.1

Multicast Address: Not configured

Mobility Domain Name: Name of employee SSID

RF Group Name: Default


Using the Controller CLI

A Cisco UWN solution command-line interface (CLI) is built into each controller. The CLI enables you to use a VT-100 terminal emulation program to locally or remotely configure, monitor, and control individual controllers and their associated lightweight access points. The CLI is a simple text-based, tree-structured interface that allows up to five users with Telnet-capable terminal emulation programs to access the controller.

Note

See the Cisco Wireless LAN Controller Command Reference for information on specific commands.

Note

If you want to input any strings from the XML configuration into CLI commands, you must enclose the strings in quotation marks.

Logging on to the Controller CLI

You can access the controller CLI using one of the following two methods:

• A direct serial connection to the controller console port

• A remote console session over Ethernet through the preconfigured service port or the distribution system ports

Before you log on to the CLI, configure your connectivity and environment variables based on the type of connection you use.

Guidelines and Limitations

On Cisco 5500 Series Controllers, you can use either the RJ-45 console port or the USB console port. If you use the USB console port, plug the 5-pin mini Type B connector into the controller’s USB console port and the other end of the cable into the PC’s USB Type A port. The first time that you connect a Windows PC to the USB console port, you are prompted to install the USB console driver. Follow the installation prompts to install the driver. The USB console driver maps to a COM port on your PC; you then need to map the terminal emulator application to the COM port.

See the Telnet and Secure Shell Sessions section for information on enabling Telnet sessions.

Using a Local Serial Connection

Before You Begin

You need these items to connect to the serial port:

• A PC that is running a VT-100 terminal emulation program (such as HyperTerminal, ProComm, Minicom, or Tip)

• A null-modem serial cable


To log on to the controller CLI through the serial port, follow these steps:

Step 1 Connect one end of a null-modem serial cable to the controller’s console port and the other end to your PC’s serial port.

Step 2 Start the PC’s VT-100 terminal emulation program. Configure the terminal emulation program for these parameters:

• 9600 baud

• 8 data bits

• 1 stop bit

• No parity

• No hardware flow control

Note

Minimum serial timeout on Controller is 15 seconds instead of 1 minute.

Note

The controller serial port is set for a 9600 baud rate and a short timeout. If you would like to change either of these values, enter config serial baudrate baudrate and config serial timeout timeout to make your changes. If you enter config serial timeout 0, serial sessions never time out.

Step 3 When prompted, enter a valid username and password to log into the controller. The administrative username and password that you created in the configuration wizard are case sensitive.

Note

The default username is admin, and the default password is admin.

The CLI displays the root level system prompt:

#(system prompt)>

Note

The system prompt can be any alphanumeric string up to 31 characters. You can change it by entering the config prompt command.

Using a Remote Ethernet Connection

Before You Begin

You need these items to connect to a controller remotely:

• A PC with access to the controller over the Ethernet network

• The IP address of the controller

• A VT-100 terminal emulation program or a DOS shell for the Telnet session


Note

By default, controllers block Telnet sessions. You must use a local connection to the serial port to enable Telnet sessions.

Step 1 Verify that your VT-100 terminal emulation program or DOS shell interface is configured with these parameters:

• Ethernet address

• Port 23

Step 2 Use the controller IP address to Telnet to the CLI.

Step 3 When prompted, enter a valid username and password to log into the controller. The administrative username and password that you created in the configuration wizard are case sensitive.

Note

The default username is admin, and the default password is admin.

The CLI displays the root level system prompt.

Note

The system prompt can be any alphanumeric string up to 31 characters. You can change it by entering the config prompt command.

Logging Out of the CLI

When you finish using the CLI, navigate to the root level and enter logout. The system prompts you to save any changes you made to the volatile RAM.

Note

The CLI automatically logs you out without saving any changes after 5 minutes of inactivity. You can set the automatic logout from 0 (never log out) to 160 minutes using the config serial timeout command.

Navigating the CLI

The CLI is organized into five levels:

• Root Level

• Level 2

• Level 3

• Level 4

• Level 5

When you log into the CLI, you are at the root level. From the root level, you can enter any full command without first navigating to the correct command level.

The following table lists commands you use to navigate the CLI and to perform common tasks.


Table 2: Commands for CLI Navigation and Common Tasks

Command: Action

help: At the root level, view system wide navigation commands

?: View commands available at the current level

command ?: View parameters for a specific command

exit: Move down one level

Ctrl-Z: Return from any level to the root level

save config: At the root level, save configuration changes from active working RAM to nonvolatile RAM (NVRAM) so they are retained after reboot

reset system: At the root level, reset the controller without logging out

Using the AutoInstall Feature for Controllers Without a Configuration

This section describes how to use the AutoInstall feature for controllers without a configuration.

Information About the AutoInstall Feature

When you boot up a controller that does not have a configuration, the AutoInstall feature can download a configuration file from a TFTP server and then load the configuration onto the controller automatically.

If you create a configuration file on a controller that is already on the network (or through a Prime Infrastructure filter), place that configuration file on a TFTP server, and configure a DHCP server so that a new controller can get an IP address and TFTP server information, the AutoInstall feature can obtain the configuration file for the new controller automatically.

When the controller boots, the AutoInstall process starts. The controller does not take any action until AutoInstall is notified that the configuration wizard has started. If the wizard has not started, the controller has a valid configuration.

If AutoInstall is notified that the configuration wizard has started (which means that the controller does not have a configuration), AutoInstall waits for an additional 30 seconds. This time period gives you an opportunity to respond to the first prompt from the configuration wizard:

Would you like to terminate autoinstall? [yes]:

When the 30-second abort timeout expires, AutoInstall starts the DHCP client. You can abort the AutoInstall task even after this 30-second timeout if you enter Yes at the prompt. However, AutoInstall cannot be aborted if the TFTP task has locked the flash and is in the process of downloading and installing a valid configuration file.


Note

The AutoInstall process and manual configuration using both the GUI and CLI of Cisco WLC can occur in parallel. As part of the AutoInstall cleanup process, the service port IP address is set to 192.168.1.1 and the service port protocol configuration is modified. Because the AutoInstall process takes precedence over the manual configuration, whatever manual configuration is performed is overwritten by the AutoInstall process.

Restrictions on AutoInstall

• In Cisco 5508 WLCs, the following interfaces are used:

◦eth0—Service port (untagged)

◦dtl0—Gigabit port 1 through the NPU (untagged)

• AutoInstall is not supported on Cisco 2504 WLC.

Obtaining an IP Address Through DHCP and Downloading a Configuration File from a TFTP Server

AutoInstall attempts to obtain an IP address from the DHCP server until the DHCP process is successful or until you abort the AutoInstall process. The first interface to successfully obtain an IP address from the DHCP server registers with the AutoInstall task. The registration of this interface causes AutoInstall to begin the process of obtaining TFTP server information and downloading the configuration file.

Following the acquisition of the DHCP IP address for an interface, AutoInstall begins a short sequence of events to determine the host name of the controller and the IP address of the TFTP server. Each phase of this sequence gives preference to explicitly configured information over default or implied information and to explicit host names over explicit IP addresses.

The process is as follows:

• If at least one Domain Name System (DNS) server IP address is learned through DHCP, AutoInstall creates a /etc/resolv.conf file. This file includes the domain name and the list of DNS servers that have been received. The Domain Name Server option provides the list of DNS servers, and the Domain Name option provides the domain name.

• If the domain servers are not on the same subnet as the controller, static route entries are installed for each domain server. These static routes point to the gateway that is learned through the DHCP Router option.

• The host name of the controller is determined in this order by one of the following:

◦If the DHCP Host Name option was received, this information (truncated at the first period [.]) is used as the host name for the controller.

◦A reverse DNS lookup is performed on the controller IP address. If DNS returns a hostname, this name (truncated at the first period [.]) is used as the hostname for the controller.

• The IP address of the TFTP server is determined in this order by one of the following:


◦If AutoInstall received the DHCP TFTP Server Name option, AutoInstall performs a DNS lookup on this server name. If the DNS lookup is successful, the returned IP address is used as the IP address of the TFTP server.

◦If the DHCP Server Host Name (sname) text box is valid, AutoInstall performs a DNS lookup on this name. If the DNS lookup is successful, the IP address that is returned is used as the IP address of the TFTP server.

◦If AutoInstall received the DHCP TFTP Server Address option, this address is used as the IP address of the TFTP server.

◦AutoInstall performs a DNS lookup on the default TFTP server name (cisco-wlc-tftp). If the DNS lookup is successful, the IP address that is received is used as the IP address of the TFTP server.

◦If the DHCP server IP address (siaddr) text box is nonzero, this address is used as the IP address of the TFTP server.

◦The limited broadcast address (255.255.255.255) is used as the IP address of the TFTP server.

• If the TFTP server is not on the same subnet as the controller, a static route (/32) is installed for the IP address of the TFTP server. This static route points to the gateway that is learned through the DHCP Router option.

Selecting a Configuration File

After the hostname and TFTP server have been determined, AutoInstall attempts to download a configuration file. AutoInstall performs three full download iterations on each interface that obtains a DHCP IP address. If the interface cannot download a configuration file successfully after three attempts, the interface does not attempt further.

The first configuration file that is downloaded and installed successfully triggers a reboot of the controller.

After the reboot, the controller runs the newly downloaded configuration.

AutoInstall searches for configuration files in the order in which the names are listed:

• The filename that is provided by the DHCP Boot File Name option

• The filename that is provided by the DHCP File text box

• host name-confg

• host name.cfg

• base MAC address-confg (for example, 0011.2233.4455-confg)

• serial number-confg

• ciscowlc-confg

• ciscowlc.cfg

AutoInstall runs through this list until it finds a configuration file. It stops running if it does not find a configuration file after it cycles through this list three times on each registered interface.
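The hostname, TFTP-server and filename precedence described in this section, re-implemented in Python as an added illustration; this is not Cisco code. DNS is modelled with dictionaries so it runs offline, and the lease values are constructed to resemble the service-port lease in the sample log that follows (the mapping of log messages to DHCP fields and the MAC/serial values are assumptions).

```python
"""AutoInstall source selection as this section describes it, re-implemented
as an added illustration (not Cisco code).  DNS is modelled with dictionaries
so the module runs offline; all sample values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LIMITED_BROADCAST = "255.255.255.255"   # last-resort TFTP destination
DEFAULT_TFTP_NAME = "cisco-wlc-tftp"    # default TFTP server name tried in DNS


@dataclass
class DhcpLease:
    """The parts of a DHCP offer that AutoInstall consults."""
    yiaddr: str                                 # address assigned to the controller
    siaddr: str = "0.0.0.0"                     # DHCP header 'server IP address' field
    sname: str = ""                             # DHCP header 'server host name' field
    file: str = ""                              # DHCP header 'file' field
    host_name: Optional[str] = None             # Host Name option (option 12)
    boot_file_name: Optional[str] = None        # Boot File Name option (option 67)
    tftp_server_name: Optional[str] = None      # TFTP Server Name option (option 66)
    tftp_server_address: Optional[str] = None   # TFTP Server Address (option 150 in the log)


@dataclass
class FakeDns:
    """Offline stand-in for the resolver: name -> IPv4 and IPv4 -> name."""
    forward: Dict[str, str] = field(default_factory=dict)
    reverse: Dict[str, str] = field(default_factory=dict)


def select_hostname(lease: DhcpLease, dns: FakeDns) -> Optional[str]:
    """Host Name option first, then reverse DNS; both truncated at the first '.'."""
    if lease.host_name:
        return lease.host_name.split(".", 1)[0]
    rdns = dns.reverse.get(lease.yiaddr)
    return rdns.split(".", 1)[0] if rdns else None


def select_tftp_server(lease: DhcpLease, dns: FakeDns) -> Tuple[str, str]:
    """Walk the six-step preference list and return (address, reason).

    Every source is learned from DHCP or DNS, so the configuration the
    controller loads is only as trustworthy as those two services on the
    staging network.  The last two steps (a well-known DNS name, then the
    limited broadcast) need no DHCP hint at all, which is worth knowing
    when reading an AutoInstall log."""
    if lease.tftp_server_name and lease.tftp_server_name in dns.forward:
        return dns.forward[lease.tftp_server_name], "TFTP Server Name option via DNS"
    if lease.sname and lease.sname in dns.forward:
        return dns.forward[lease.sname], "DHCP sname field via DNS"
    if lease.tftp_server_address:
        return lease.tftp_server_address, "TFTP Server Address option"
    if DEFAULT_TFTP_NAME in dns.forward:
        return dns.forward[DEFAULT_TFTP_NAME], f"default name {DEFAULT_TFTP_NAME} via DNS"
    if lease.siaddr and lease.siaddr != "0.0.0.0":
        return lease.siaddr, "DHCP siaddr field"
    return LIMITED_BROADCAST, "limited broadcast fallback"


def config_file_candidates(lease: DhcpLease, hostname: Optional[str],
                           base_mac: str, serial: str) -> List[str]:
    """Filenames tried in order on each of the three download iterations."""
    names: List[str] = []
    if lease.boot_file_name:
        names.append(lease.boot_file_name)
    if lease.file:
        names.append(lease.file)
    if hostname:
        names += [f"{hostname}-confg", f"{hostname}.cfg"]
    names += [f"{base_mac}-confg", f"{serial}-confg", "ciscowlc-confg", "ciscowlc.cfg"]
    return names


# Constructed lease resembling the service-port lease in the sample log:
# a TFTP filename and server address from DHCP, hostname only via reverse DNS.
SAMPLE_LEASE = DhcpLease(yiaddr="172.19.29.253", siaddr="1.100.108.2",
                         boot_file_name="abcd-confg", tftp_server_address="1.100.108.2")
SAMPLE_DNS = FakeDns(reverse={"172.19.29.253": "wlc-1.engtest.com"})

if __name__ == "__main__":
    host = select_hostname(SAMPLE_LEASE, SAMPLE_DNS)
    print("hostname:", host)                                     # wlc-1
    print("tftp server:", select_tftp_server(SAMPLE_LEASE, SAMPLE_DNS))
    print("candidates:", config_file_candidates(SAMPLE_LEASE, host,
                                                "0011.2233.4455", "SERIAL-EXAMPLE"))
```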


Note

The downloaded configuration file can be a complete configuration, or it can be a minimal configuration that provides enough information for the controller to be managed by the Cisco Prime Infrastructure. Full configuration can then be deployed directly from the Prime Infrastructure.

Note

AutoInstall does not require the switch that is connected to the controller to be configured for either channel.

AutoInstall works with a service port in LAG configuration.

Note

Cisco Prime Infrastructure provides AutoInstall capabilities for controllers. A Cisco Prime Infrastructure administrator can create a filter that includes the host name, the MAC address, or the serial number of the controller and associate a group of templates (a configuration group) to this filter rule. The Prime Infrastructure pushes the initial configuration to the controller when the controller boots up initially. After the controller is discovered, the Prime Infrastructure pushes the templates that are defined in the configuration group. For more information about the AutoInstall feature and Cisco Prime Infrastructure, see the Cisco Prime Infrastructure documentation.

Example: AutoInstall Operation

The following is an example of an AutoInstall process from start to finish:

Welcome to the Cisco Wizard Configuration Tool

Use the '-' character to backup

Would you like to terminate autoinstall? [yes]:

AUTO-INSTALL: starting now...

AUTO-INSTALL: interface 'service-port' - setting DHCP TFTP Filename ==> 'abcd-confg'

AUTO-INSTALL: interface 'service-port' - setting DHCP TFTP Server IP ==> 1.100.108.2

AUTO-INSTALL: interface 'service-port' - setting DHCP siaddr ==> 1.100.108.2

AUTO-INSTALL: interface 'service-port' - setting DHCP Domain Server[0] ==> 1.100.108.2

AUTO-INSTALL: interface 'service-port' - setting DHCP Domain Name ==> 'engtest.com'

AUTO-INSTALL: interface 'service-port' - setting DHCP yiaddr ==> 172.19.29.253

AUTO-INSTALL: interface 'service-port' - setting DHCP Netmask ==> 255.255.255.0

AUTO-INSTALL: interface 'service-port' - setting DHCP Gateway ==> 172.19.29.1

AUTO-INSTALL: interface 'service-port' registered

AUTO-INSTALL: interation 1 -- interface 'service-port'

AUTO-INSTALL: DNS reverse lookup 172.19.29.253 ===> 'wlc-1'

AUTO-INSTALL: hostname 'wlc-1'

AUTO-INSTALL: TFTP server 1.100.108.2 (from DHCP Option 150)

AUTO-INSTALL: attempting download of 'abcd-confg'

AUTO-INSTALL: TFTP status - 'TFTP Config transfer starting.' (2)

AUTO-INSTALL: interface 'management' - setting DHCP file ==> 'bootfile1'

AUTO-INSTALL: interface 'management' - setting DHCP TFTP Filename ==> 'bootfile2-confg'

AUTO-INSTALL: interface 'management' - setting DHCP siaddr ==> 1.100.108.2

AUTO-INSTALL: interface 'management' - setting DHCP Domain Server[0] ==> 1.100.108.2

AUTO-INSTALL: interface 'management' - setting DHCP Domain Server[1] ==> 1.100.108.3

AUTO-INSTALL: interface 'management' - setting DHCP Domain Server[2] ==> 1.100.108.4

AUTO-INSTALL: interface 'management' - setting DHCP Domain Name ==> 'engtest.com'

AUTO-INSTALL: interface 'management' - setting DHCP yiaddr ==> 1.100.108.238

AUTO-INSTALL: interface 'management' - setting DHCP Netmask ==> 255.255.254.0

AUTO-INSTALL: interface 'management' - setting DHCP Gateway ==> 1.100.108.1

AUTO-INSTALL: interface 'management' registered

AUTO-INSTALL: TFTP status - 'Config file transfer failed - Error from server: File not found' (3)

AUTO-INSTALL: attempting download of 'wlc-1-confg'

AUTO-INSTALL: TFTP status - 'TFTP Config transfer starting.' (2)

AUTO-INSTALL: TFTP status - 'TFTP receive complete... updating configuration.' (2)


AUTO-INSTALL: TFTP status - 'TFTP receive complete... storing in flash.' (2)

AUTO-INSTALL: TFTP status - 'System being reset.' (2)

Resetting system

Managing the Controller System Date and Time

This section describes how to manage the date and time of a controller system.

Information About Controller System Date and Time

You can configure the controller system date and time at the time of configuring the controller using the configuration wizard. If you did not configure the system date and time through the configuration wizard or if you want to change your configuration, you can follow the instructions in this section to configure the controller to obtain the date and time from a Network Time Protocol (NTP) server or to configure the date and time manually. Greenwich Mean Time (GMT) is used as the standard for setting the time zone on the controller.

You can also configure an authentication mechanism between various NTP servers.

Restrictions on Configuring the Cisco WLC Date and Time

• If you are configuring wIPS, you must set the controller time zone to UTC.

• Cisco Aironet lightweight access points might not connect to the controller if the date and time are not set properly. Set the current date and time on the controller before allowing the access points to connect to it.

• You can configure an authentication channel between the controller and the NTP server.

Configuring an NTP/SNTP Server to Obtain the Date and Time

Each NTP/SNTP server IP address is added to the controller database. Each controller searches for an NTP/SNTP server and obtains the current time upon reboot and at each user-defined polling interval (daily to weekly).

Use these commands to configure an NTP/SNTP server to obtain the date and time:

• To specify the NTP/SNTP server for the controller, enter this command:

config time ntp server index ip_address

• To specify the polling interval (in seconds), enter this command:

config time ntp interval interval


Configuring NTP/SNTP Authentication (GUI)

Step 1 Choose Controller > NTP > Servers to open the NTP Servers page.

Step 2 Click New to add an NTP server.

Step 3 Choose a server priority from the Server Index (Priority) drop-down list.

Step 4 Enter the NTP server IPv4/IPv6 address in the Server IP Address (IPv4/IPv6) text box.

Step 5 Enable NTP server authentication by checking the NTP Server Authentication check box.

Step 6 Click Apply.

Step 7 Choose Controller > NTP > Keys.

Step 8 Click New to create a key.

Step 9 Enter the key index in the Key Index text box.

Step 10 Choose the key format from the Key Format drop-down list.

Step 11 Enter the key in the Key text box.

Step 12 Click Apply.

Configuring NTP/SNTP Authentication (CLI)

Note

By default, MD5 is used.

• Enable or disable authentication for an NTP/SNTP server by entering one of these commands:

config time ntp auth enable server-index key-index

config time ntp auth disable server-index

• Add an authentication key by entering this command:

config time ntp key-auth add key-index md5 key-format key

• Delete an authentication key by entering this command:

config time ntp key-auth delete key-index

• View the list of NTP/SNTP key Indices by entering this command:

show ntp-keys
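What the controller's NTP message authentication check verifies, as an added Python illustration of RFC 5905 symmetric-key authentication with the MD5 digest that this section names as the default; this is not Cisco code, and the key index, key bytes and packet contents below are constructed.

```python
"""Symmetric-key NTP authentication (RFC 5905, MD5 digest) re-implemented as an
added illustration of what an 'NTP Msg Auth Status' of AUTH SUCCESS means.
Not Cisco code; the key, key index and packet below are constructed."""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

NTP_HEADER_LEN = 48   # LI/VN/Mode through Transmit Timestamp
MAC_LEN = 4 + 16      # 32-bit key identifier + 128-bit MD5 digest


def ntp_md5_mac(key: bytes, message: bytes) -> bytes:
    """RFC 5905 MAC: digest over the key followed by the NTP header and any
    extension fields.  This is a keyed digest, not HMAC; it only proves that
    the sender holds the secret stored under the same key index."""
    return hashlib.md5(key + message).digest()


def authenticate(message: bytes, key_index: int, key: bytes) -> bytes:
    """Append the key index and MAC to an NTP packet (the server side)."""
    return message + struct.pack("!I", key_index) + ntp_md5_mac(key, message)


def verify(packet: bytes, keys: Dict[int, bytes]) -> Tuple[bool, Optional[int]]:
    """Check an authenticated NTP packet against the configured key table.
    Returns (ok, key_index) so a caller can log which index was offered."""
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return False, None                 # unauthenticated or truncated packet
    message, trailer = packet[:-MAC_LEN], packet[-MAC_LEN:]
    key_index = struct.unpack("!I", trailer[:4])[0]
    key = keys.get(key_index)
    if key is None:
        return False, key_index            # unknown key index: authentication fails
    # constant-time compare so timing does not reveal matching digest bytes
    return hmac.compare_digest(ntp_md5_mac(key, message), trailer[4:]), key_index


def sample_server_header() -> bytes:
    """Constructed 48-byte NTPv4 server header (LI=0, VN=4, Mode=4, stratum 2)."""
    hdr = bytearray(NTP_HEADER_LEN)
    hdr[0] = 0x24                          # 00 100 100 -> LI 0, version 4, mode 4
    hdr[1] = 2                             # stratum
    hdr[2] = 6                             # poll exponent
    hdr[3] = 0xEC                          # precision (-20)
    struct.pack_into("!4s", hdr, 12, b"GPS\0")               # reference ID
    struct.pack_into("!Q", hdr, 40, 0xE7F0_0000_0000_0000)   # transmit timestamp
    return bytes(hdr)


# Constructed key table: the same index must map to the same secret on the
# NTP server and on the controller (the 'Key Index' entered in the GUI/CLI).
KEYS = {1: b"constructed-example-key"}

if __name__ == "__main__":
    pkt = authenticate(sample_server_header(), 1, KEYS[1])
    print("valid:", verify(pkt, KEYS))          # (True, 1)
    tampered = pkt[:1] + bytes([pkt[1] ^ 0x01]) + pkt[2:]
    print("tampered:", verify(tampered, KEYS))  # (False, 1)
```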


Configuring the Date and Time (GUI)

Step 1 Choose Commands > Set Time to open the Set Time page.

Figure 15: Set Time Page

The current date and time appear at the top of the page.

Step 2 In the Timezone area, choose your local time zone from the Location drop-down list.

Note

When you choose a time zone that uses Daylight Saving Time (DST), the controller automatically sets its system clock to reflect the time change when DST occurs. In the United States, DST starts on the second Sunday in March and ends on the first Sunday in November.

Note

You cannot set the time zone delta on the controller GUI. However, if you do so on the Cisco WLC CLI, the change is reflected in the Delta Hours and Mins boxes on the Cisco WLC GUI.

Step 3 Click Set Timezone to apply your changes.

Step 4 In the Date area, choose the current local month and day from the Month and Day drop-down lists, and enter the year in the Year box.

Step 5 In the Time area, choose the current local hour from the Hour drop-down list, and enter the minutes and seconds in the Minutes and Seconds boxes.

Note

If you change the time zone location after setting the date and time, the values in the Time area are updated to reflect the time in the new time zone location. For example, if the controller is currently configured for noon Eastern time and you change the time zone to Pacific time, the time automatically changes to 9:00 a.m.

Step 6 Click Set Date and Time to apply your changes.

Step 7 Click Save Configuration.


Configuring the Date and Time (CLI)

Step 1 Configure the current local date and time in GMT on the controller by entering this command:

config time manual mm/dd/yy hh:mm:ss

Note

When setting the time, the current local time is entered in terms of GMT and as a value between 00:00 and 24:00. For example, if it is 8:00 a.m. Pacific time in the United States, you would enter 16:00 because the Pacific time zone is 8 hours behind GMT.

Step 2 Perform one of the following to set the time zone for the controller:

• Set the time zone location in order to have Daylight Saving Time (DST) set automatically when it occurs by entering this command:

config time timezone location location_index

where location_index is a number representing one of the following time zone locations:

1 (GMT-12:00) International Date Line West

2 (GMT-11:00) Samoa

3 (GMT-10:00) Hawaii

4 (GMT-9:00) Alaska

5 (GMT-8:00) Pacific Time (US and Canada)

6 (GMT-7:00) Mountain Time (US and Canada)

7 (GMT-6:00) Central Time (US and Canada)

8 (GMT-5:00) Eastern Time (US and Canada)

9 (GMT-4:00) Atlantic Time (Canada)

10 (GMT-3:00) Buenos Aires (Argentina)

11 (GMT-2:00) Mid-Atlantic

12 (GMT-1:00) Azores

13 (GMT) London, Lisbon, Dublin, Edinburgh (default value)

14 (GMT +1:00) Amsterdam, Berlin, Rome, Vienna

15 (GMT +2:00) Jerusalem

16 (GMT +3:00) Baghdad

17 (GMT +4:00) Muscat, Abu Dhabi

18 (GMT +4:30) Kabul

19 (GMT +5:00) Karachi, Islamabad, Tashkent

20 (GMT +5:30) Colombo, Kolkata, Mumbai, New Delhi

21 (GMT +5:45) Katmandu

22 (GMT +6:00) Almaty, Novosibirsk


23 (GMT +6:30) Rangoon

24 (GMT +7:00) Saigon, Hanoi, Bangkok, Jakarta

25 (GMT +8:00) Hong Kong, Beijing, Chongqing

26 (GMT +9:00) Tokyo, Osaka, Sapporo

27 (GMT +9:30) Darwin

28 (GMT+10:00) Sydney, Melbourne, Canberra

29 (GMT+11:00) Magadan, Solomon Is., New Caledonia

30 (GMT+12:00) Kamchatka, Marshall Is., Fiji

31 (GMT+12:00) Auckland (New Zealand)

Note

If you enter this command, the controller automatically sets its system clock to reflect DST when it occurs. In the United States, DST starts on the second Sunday in March and ends on the first Sunday in November.

• Manually set the time zone so that DST is not set automatically by entering this command:

config time timezone delta_hours delta_mins

where delta_hours is the local hour difference from GMT, and delta_mins is the local minute difference from GMT.

When manually setting the time zone, enter the time difference of the local current time zone with respect to GMT (+/–). For example, Pacific time in the United States is 8 hours behind GMT. Therefore, it is entered as –8.

Note

You can manually set the time zone and prevent DST from being set only on the controller CLI.

Step 3 Save your changes by entering this command:

save config

Step 4 Verify that the controller shows the current local time with respect to the local time zone by entering this command:

show time

Information similar to the following appears:

Time.................................... Thu Apr 7 13:56:37 2011

Timezone delta........................... 0:0

Timezone location....................... (GMT +5:30) Colombo, New Delhi, Chennai, Kolkata

NTP Servers
    NTP Polling Interval......................... 3600

     Index   NTP Key Index   NTP Server          NTP Msg Auth Status
    ---------------------------------------------------------------------
       1           1         209.165.200.225     AUTH SUCCESS

Note

If you configured the time zone location, the Timezone Delta value is set to “0:0.” If you manually configured the time zone using the time zone delta, the Timezone Location is blank.


Telnet and Secure Shell Sessions

Information About Telnet and SSH

Telnet is a network protocol used to provide access to the controller’s CLI. Secure Shell (SSH) is a more secure version of Telnet that uses data encryption and a secure channel for data transfer. You can use the controller GUI or CLI to configure Telnet and SSH sessions.

Restrictions for Telnet and SSH

• Only the FIPS approved algorithm aes128-cbc is supported when using SSH to control WLANs.

• The controller does not support raw Telnet mode.

Configuring Telnet and SSH Sessions (GUI)

Step 1 Choose Management > Telnet-SSH to open the Telnet-SSH Configuration page.

Figure 16: Telnet-SSH Configuration Page


Step 2 In the Telnet Login Timeout text box, enter the number of minutes that a Telnet session is allowed to remain inactive before being terminated. The valid range is 0 to 160 minutes (inclusive), and the default value is 5 minutes. A value of 0 indicates no timeout.

Step 3 From the Maximum Number of Sessions drop-down list, choose the number of simultaneous Telnet or SSH sessions allowed. The valid range is 0 to 5 sessions (inclusive), and the default value is 5 sessions. A value of zero indicates that Telnet/SSH sessions are disallowed.

Step 4 To forcefully close current login sessions, choose Management > User Sessions > close from the CLI session drop-down list.

Step 5 From the Allow New Telnet Sessions drop-down list, choose Yes or No to allow or disallow new Telnet sessions on the controller. The default value is No.

Step 6 From the Allow New SSH Sessions drop-down list, choose Yes or No to allow or disallow new SSH sessions on the controller. The default value is Yes.

Step 7 Click Apply.

Step 8 Click Save Configuration.

Step 9 To see a summary of the Telnet configuration settings, choose Management > Summary. The Summary page appears.

Figure 17: Summary Page

This page shows whether additional Telnet and SSH sessions are permitted.

Note

If you are unable to create a new telnet session, close the existing sessions by following the steps:

Configuring Telnet and SSH Sessions (CLI)

Step 1 Allow or disallow new Telnet sessions on the controller by entering this command:

config network telnet {enable | disable}

The default value is disabled.

Step 2 Allow or disallow new SSH sessions on the controller by entering this command:

config network ssh {enable | disable}

The default value is enabled.

Note

Use the config network ssh cipher-option high {enable | disable} command to enable SHA2, which is supported on the WLC.

Step 3 Specify the number of minutes that a Telnet session is allowed to remain inactive before being terminated by entering this command:

config sessions timeout timeout

where timeout is a value between 0 and 160 minutes (inclusive). The default value is 5 minutes. A value of 0 indicates no timeout.

Step 4 Specify the number of simultaneous Telnet or SSH sessions allowed by entering this command:

config sessions maxsessions session_num

where session_num is a value between 0 and 5 (inclusive). The default value is 5 sessions. A value of zero indicates that Telnet/SSH sessions are disallowed.

Step 5 Save your changes by entering this command:

save config

Step 6 See the Telnet and SSH configuration settings by entering this command:

show network summary

Information similar to the following appears:

RF-Network Name............................. TestNetwork1

Web Mode.................................... Enable

Secure Web Mode............................. Enable

Secure Web Mode Cipher-Option High.......... Disable

Secure Web Mode Cipher-Option SSLv2......... Disable

Secure Shell (ssh).......................... Enable

Telnet................................... Disable

...

Step 7 See the Telnet session configuration settings by entering this command:

show sessions

Information similar to the following appears:

CLI Login Timeout (minutes)............ 5

Maximum Number of CLI Sessions....... 5

Step 8 See all active Telnet sessions by entering this command:

show login-session

Information similar to the following appears:

ID   User Name   Connection From   Idle Time   Session Time
--   ---------   ---------------   ---------   ------------
00   admin       EIA-232           00:00:00    00:19:04

Step 9 You can clear a Telnet or SSH session by entering this command:

clear session session-id

Take the session-id from the output of the show login-session command.

Step 10 You can close all the Telnet or SSH sessions by entering this command:

config loginsession close {session-id | all}

The session-id can be taken from the show login-session command.
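A defender-side check over the show network summary and show sessions output shown in this procedure, as an added Python illustration (not Cisco tooling): it parses the dotted-leader output into a dictionary and flags the settings this section documents as weaker (Telnet enabled, SSH disabled, a login timeout of 0 meaning no timeout), plus SSLv2 on the HTTPS management interface, which is an obsolete protocol. The two sample outputs are the ones printed above; WEAK_SAMPLE is constructed.

```python
"""Remote-access checks over the controller's 'show network summary' and
'show sessions' output; an added, non-Cisco illustration.  SAMPLE_* below is
the output printed in this section; WEAK_SAMPLE is constructed."""
import re
from typing import Dict, List

# dotted-leader lines such as "Telnet................................... Disable"
_LINE = re.compile(r"^\s*(?P<key>.*?)\.{2,}\s*(?P<value>.*?)\s*$")


def parse_show_output(text: str) -> Dict[str, str]:
    """Turn 'Key....... Value' lines into a dict; other lines are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group("key").strip():
            settings[m.group("key").strip()] = m.group("value")
    return settings


def remote_access_findings(settings: Dict[str, str]) -> List[str]:
    """Flag settings that weaken CLI access control, using the defaults and
    ranges this section documents (Telnet default disabled, timeout 0 = none).
    Keys are the exact labels the controller prints."""
    findings: List[str] = []
    if settings.get("Telnet", "").lower() == "enable":
        findings.append("Telnet enabled: clear-text CLI access; prefer SSH only")
    if settings.get("Secure Shell (ssh)", "").lower() != "enable":
        findings.append("SSH disabled: no encrypted CLI path available")
    if settings.get("Secure Web Mode Cipher-Option SSLv2", "").lower() == "enable":
        findings.append("SSLv2 enabled for HTTPS management: obsolete protocol")
    timeout = settings.get("CLI Login Timeout (minutes)")
    if timeout is not None and timeout.strip() == "0":
        findings.append("CLI login timeout 0: idle sessions never expire")
    return findings


def audit(*outputs: str) -> List[str]:
    """Merge several 'show' outputs and return the list of findings."""
    merged: Dict[str, str] = {}
    for out in outputs:
        merged.update(parse_show_output(out))
    return remote_access_findings(merged)


SAMPLE_NETWORK_SUMMARY = """\
RF-Network Name............................. TestNetwork1
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Shell (ssh).......................... Enable
Telnet................................... Disable
...
"""

SAMPLE_SESSIONS = """\
CLI Login Timeout (minutes)............ 5
Maximum Number of CLI Sessions....... 5
"""

# Constructed counter-example carrying the weaker settings described above.
WEAK_SAMPLE = """\
Secure Web Mode Cipher-Option SSLv2......... Enable
Secure Shell (ssh).......................... Disable
Telnet................................... Enable
CLI Login Timeout (minutes)............ 0
"""

if __name__ == "__main__":
    print("documented sample:", audit(SAMPLE_NETWORK_SUMMARY, SAMPLE_SESSIONS))  # []
    for finding in audit(WEAK_SAMPLE):
        print("weak sample:", finding)
```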

Configuring Telnet Privileges for Selected Management Users (GUI)

Using the controller, you can configure Telnet privileges to selected management users. To do this, you must have enabled Telnet privileges at the global level. By default, all management users have Telnet privileges enabled.

Note

SSH sessions are not affected by this feature.

Step 1 Choose Management > Local Management Users.

Step 2 On the Local Management Users page, select or unselect the Telnet Capable check box for a management user.

Step 3 Click Apply.

Step 4 Click Save Configuration.

Configuring Telnet Privileges for Selected Management Users (CLI)

• Configure Telnet privileges for a selected management user by entering this command:

config mgmtuser telnet user-name {enable | disable}

Troubleshooting Access Points Using Telnet or SSH

The controller supports the use of the Telnet and Secure Shell (SSH) protocols to troubleshoot lightweight access points. Using these protocols makes debugging easier, especially when the access point is unable to connect to the controller.

• To avoid potential conflicts and security threats to the network, the following commands are unavailable while a Telnet or SSH session is enabled: config terminal, telnet, ssh, rsh, ping, traceroute, clear, clock, crypto, delete, fsck, lwapp, mkdir, radius, release, reload, rename, renew, rmdir, save, set, test, upgrade.


• Commands available during a Telnet or SSH session include debug, disable, enable, help, led, login, logout, more, no debug, show, systat, undebug and where.

Note

For instructions on configuring Telnet or SSH sessions on the controller, see the Telnet and Secure Shell Sessions section.

Troubleshooting Access Points Using Telnet or SSH (GUI)

Step 1 Choose Wireless > Access Points > All APs to open the All APs page.

Step 2 Click the name of the access point for which you want to enable Telnet or SSH.

Step 3 Choose the Advanced tab to open the All APs > Details for (Advanced) page.

Step 4 Select the Telnet check box to enable Telnet connectivity on this access point. The default value is unchecked.

Step 5 Select the SSH check box to enable SSH connectivity on this access point. The default value is unchecked.

Step 6 Click Apply.

Step 7 Click Save Configuration.

Troubleshooting Access Points Using Telnet or SSH (CLI)

Step 1 Enable Telnet or SSH connectivity on an access point by entering this command:

config ap {telnet | ssh} enable Cisco_AP

The default value is disabled.

Note

Disable Telnet or SSH connectivity on an access point by entering this command: config ap {telnet | ssh} disable Cisco_AP

Step 2 Save your changes by entering this command:

save config

Step 3 See whether Telnet or SSH is enabled on an access point by entering this command:

show ap config general Cisco_AP

Information similar to the following appears:

Cisco AP Identifier.............................. 5

Cisco AP Name.................................... AP33

Country code..................................... Multiple Countries:US,AE,AR,AT,AU,BH

Reg. Domain allowed by Country................... 802.11bg:-ABCENR 802.11a:-ABCEN

AP Country code.................................. US - United States

AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A

Switch Port Number .............................. 2

MAC Address...................................... 00:19:2f:11:16:7a

IP Address Configuration......................... Static IP assigned


IP Address....................................... 10.22.8.133

IP NetMask....................................... 255.255.248.0

Gateway IP Addr.................................. 10.22.8.1

Domain...........................................

Name Server......................................

Telnet State..................................... Enabled

Ssh State........................................ Enabled

...

Managing the Controller Wirelessly

You can monitor and configure controllers using a wireless client. This feature is supported for all management tasks except uploads from and downloads to the controller.

Before you can open the GUI or the CLI from a wireless client device, you must configure the controller to allow the connection.

Enabling Wireless Connections (GUI)

Step 1 Log onto the GUI.

Step 2 Choose Management > Mgmt Via Wireless to open the Mgmt Via Wireless page.

Step 3 Enable the Controller Management to be accessible from wireless clients.

Step 4 Click Apply.

Enabling Wireless Connections (CLI)

Step 1 Log onto the CLI.

Step 2 Enter the config network mgmt-via-wireless enable command.

Step 3 Use a wireless client to associate to a lightweight access point connected to the controller.

Step 4 On the wireless client, open a Telnet session to the controller, or browse to the controller GUI.


CHAPTER 3

Managing Licenses

Installing and Configuring Licenses, page 57

Rehosting Licenses, page 70

Configuring the License Agent, page 74

Installing and Configuring Licenses

Information About Installing and Configuring Licenses

You can order Cisco 5500 Series Controllers with support for 12, 25, 50, 100, 250 or 500 access points as the controller’s base capacity. You can add additional access point capacity through capacity adder licenses available at 25, 50, 100 and 250 access point capacities. You can add the capacity adder licenses to any base license in any combination to arrive at the maximum capacity of 500 access points. The base and adder licenses are supported through both rehosting and RMAs.

The base license supports the standard base software set, and the premium software set is included as part of the base feature set, which includes this functionality:

• Datagram Transport Layer Security (DTLS) data encryption for added security across remote WAN and LAN links.

• The availability of data DTLS is as follows:

◦Cisco 5500 Series Controller—The Cisco 5500 Series Controller is available with two licensing options: One with data DTLS capabilities and another image without data DTLS.

◦2500, WiSM2—These platforms by default do not contain DTLS. To turn on data DTLS, you must install a license. These platforms will have a single image with data DTLS turned off. To use data DTLS, you must have a license.

◦Cisco Flex 7500 and Cisco 8500 Series Controllers—The DTLS license is in-built. You are not required to install DTLS license separately.

• Support for OfficeExtend access points, which are used for secure mobile teleworking.


All features included in a Wireless LAN Controller WPLUS license are now included in the base license.

There are no changes to Cisco Prime Infrastructure BASE and PLUS licensing. These WPlus license features are included in the base license:

• OfficeExtend AP

• Enterprise Mesh

• CAPWAP Data Encryption

For information about upgrade and capacity adder licenses, see the product data sheet of your controller model.

Restrictions for Using Licenses

The following are the restrictions you must keep in mind when using licenses for the controllers:

• The licensing change can affect features on your wireless LAN when you upgrade or downgrade software releases, so you should be aware of these guidelines:

◦If you have a WPlus license and you upgrade from 6.0.x.x to 7.x.x.x, your license file contains both Basic and WPlus license features. There is no disruption in feature availability and operation.

◦If you have a WPlus license and you downgrade from 7.x.x.x to 6.0.196.0 or 6.0.188.0 or 6.0.182.0, your license file contains only base license, and you will lose all WPlus features.

◦If you have a base license and you downgrade from 6.0.196.0 to 6.0.188.0 or 6.0.182.0, when you downgrade, you lose all WPlus features.

• In the controller software 7.0.116.0 and later releases, the AP association trap is ciscoLwappApAssociated. In prior releases, the trap was bsnAPAssociated.

• The ap-count licenses and their corresponding image-based licenses are installed together. The controller keeps track of the licensed access point count and does not allow more than the number of access points to associate to it.

• The Cisco 5500 Series Controller is shipped with both permanent and evaluation base and base-ap-count licenses. If desired, you can activate the evaluation licenses, which are designed for temporary use and set to expire after 60 days.

• No licensing steps are required after you receive your Cisco 5500 Series Controller because the licenses you ordered are installed at the factory. In addition, licenses and product authorization keys (PAKs) are preregistered to serial numbers. However, as your wireless network evolves, you might want to add support for additional access points or upgrade from the standard software set to the base software set. To do so, you must obtain and install an upgrade license.

Obtaining an Upgrade or Capacity Adder License

This section describes how to get an upgrade or capacity adder license.

Information About Obtaining an Upgrade or Capacity Adder License

A certificate with a product authorization key (PAK) is required before you can obtain an upgrade license.


You can use the capacity adder licenses to increase the number of access points supported by the controller up to a maximum of 500 access points. The capacity adder licenses are available in access point capacities of 10, 25, 50, 100 and 250 access points. You can add these licenses to any of the base capacity licenses of 12, 25, 50, 100 and 250 access points.

For example, if your controller was initially ordered with support for 100 access points (base license AIR-CT5508-100-K9), you could increase the capacity to 500 access points by purchasing a 250 access point, 100 access point, and a 50 access point additive capacity license (LIC-CT5508-250A, LIC-CT5508-100A, and LIC-CT5508-50A).

You can find more information on ordering capacity adder licenses at this URL: http://www.cisco.com/c/en/us/products/wireless/5500-series-wireless-controllers/datasheet-listing.html

Note

If you skip any tiers when upgrading (for example, if you do not install the -25U and -50U licenses along with the -100U), the license registration for the upgraded capacity fails.

For a single controller, you can order different upgrade licenses in one transaction (for example, -25U, -50U, -100U, and -250U), for which you receive one PAK with one license. Then you have only one license (instead of four) to install on your controller.

If you have multiple controllers and want to upgrade all of them, you can order multiple quantities of each upgrade license in one transaction (for example, you can order 10 each of the -25U, -50U, -100U, and -250 upgrade licenses), for which you receive one PAK with one license. You can continue to register the PAK for multiple controllers until it is exhausted.

For more information about the base license SKUs and capacity adder licenses, see the respective controller’s data sheet.

Obtaining and Registering a PAK Certificate

Step 1

Step 2

Order the PAK certificate for an upgrade license through your Cisco channel partner or your Cisco sales representative, or order it online at this URL: http://www.cisco.com/go/ordering

If you are ordering online, begin by choosing the primary upgrade SKU L-LIC-CT5508-UPG or LIC CT5508-UPG.

Then, choose any number of the following options to upgrade one or more controllers under one PAK. After you receive the certificate, use one of the following methods to register the PAK:

Cisco License Manager (CLM)—This method automates the process of obtaining licenses and deploying them on Cisco devices. For deployments with more than five controllers, we recommend using CLM to register PAKs and install licenses. You can also use CLM to rehost or RMA a license.

Note

You cannot use CLM to change the licensed feature set or activate an ap-count evaluation license. To perform these operations, you must follow the instructions in the Activating an AP-Count Evaluation License section. Because you can use CLM to perform all other license operations, you can disregard the remaining licensing information in this chapter except these two sections and the Configuring the License Agent section if you want your controller to use HTTP to communicate with CLM.

You can download the CLM software and access user documentation at this URL: http://www.cisco.com/go/clm


Licensing portal—This alternative method enables you to manually obtain and install licenses on your controller.

If you want to use the licensing portal to register the PAK, follow the instructions in Step 3.

Step 3 Use the licensing portal to register the PAK as follows:

a) Go to http://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet

b) On the main Product License Registration page, enter the PAK mailed with the certificate in the Product Authorization Key (PAK) text box and click Submit.

c) On the Validate Features page, enter the number of licenses that you want to register in the Qty text box and click Update.

d) To determine the controller’s product ID and serial number, choose Controller > Inventory on the controller GUI or enter the show license udi command on the controller CLI.

Information similar to the following appears on the controller CLI:

Device#  PID            SN          UDI
-------  -------------  ----------  -------------------------
*0       AIR-CT5508-K9  CW1308L030  AIR-CT5508-K9:FCW1308L030

e) On the Designate Licensee page, enter the product ID and serial number of the controller on which you plan to install the license, read and accept the conditions of the end-user license agreement (EULA), complete the rest of the text boxes on this page, and click Submit.

f) On the Finish and Submit page, verify that all information is correct and click Submit.

g) When a message appears indicating that the registration is complete, click Download License. The license is e-mailed within 1 hour to the address that you specified.

h) When the e-mail arrives, follow the instructions provided.

i) Copy the license file to your TFTP server.

Installing a License

Installing a License (GUI)

Step 1 Choose Management > Software Activation > Commands to open the License Commands page.

Step 2 From the Action drop-down list, choose Install License. The Install License from a File section appears.

Step 3 In the File Name to Install text box, enter the path to the license (*.lic) on the TFTP server.

Step 4 Click Install License. A message appears to show whether the license was installed successfully. If the installation fails, the message provides the reason for the failure, such as the license is an existing license, the path was not found, the license does not belong to this device, you do not have correct permissions for the license, and so on.

Step 5 If the end-user license agreement (EULA) acceptance dialog box appears, read the agreement and click Accept to accept the terms of the agreement.

Note

Typically, you are prompted to accept the EULA for evaluation, extension, and rehost licenses. The EULA is also required for permanent licenses, but it is accepted during license generation.

Step 6 Save a backup copy of all installed licenses as follows:


a) From the Action drop-down list, choose Save License.

b) In the File Name to Save text box, enter the path on the TFTP server where you want the licenses to be saved.

Note

You cannot save evaluation licenses.

c) Click Save Licenses.

Step 7 Reboot the controller.

Note

We recommend that you reset the system to ensure that the newly installed license file is saved in the WLC.

Installing a License (CLI)

Step 1 Install a license on the controller by entering this command:

license install url

where url is tftp://server_ip/path/filename.

Note

To remove a license from the controller, enter the license clear license_name command. For example, you might want to delete an expired evaluation license or any unused license. You cannot delete unexpired evaluation licenses, the permanent base image license, or licenses that are in use by the controller.

Step 2 If you are prompted to accept the end-user license agreement (EULA), read and accept the terms of the agreement.

Note

Typically, you are prompted to accept the EULA for evaluation, extension, and rehost licenses. The EULA is also required for permanent licenses, but it is accepted during license generation.

Step 3 Add comments to a license or delete comments from a license by entering this command:

license comment {add | delete} license_name comment_string

Step 4 Save a backup copy of all installed licenses by entering this command:

license save url

where url is tftp://server_ip/path/filename.

Step 5 Reboot the controller by entering this command:

reset system

Note

We recommend that you reset the system to ensure that the newly installed license file is saved in the WLC.

Viewing Licenses

Viewing Licenses (GUI)

Step 1 Choose Management > Software Activation > Licenses to open the Licenses page.


Step 2 This page lists all of the licenses installed on the controller. For each license, it shows the license type, expiration, count (the maximum number of access points allowed for this license), priority (low, medium, or high), and status (in use, not in use, inactive, or EULA not accepted).

Note

Controller platforms do not support the status of “grace period” or “extension” as a license type. The license status will always show “evaluation” even if a grace period or an extension evaluation license is installed.

If you ever want to remove a license from the controller, hover your cursor over the blue drop-down arrow for the license and click Remove. For example, you might want to delete an expired evaluation license or any unused license. You cannot delete unexpired evaluation licenses, the permanent base image license, or licenses that are in use by the controller.

Step 3 Click the link for the desired license to view more details for a particular license. The License Detail page appears.

This page shows the following additional information for the license:

• The license type (permanent, evaluation, or extension)

• The license version

• The status of the license (in use, not in use, inactive, or EULA not accepted)

• The length of time before the license expires

Note

Permanent licenses never expire.

• Whether the license is a built-in license

• The maximum number of access points allowed for this license

• The number of access points currently using this license

If you want to enter a comment for this license, type it in the Comment text box and click Apply.

Step 4 Click Save Configuration to save your changes.

Viewing Licenses (CLI)

Before You Begin

• See the license level, license type, and number of access points licensed on the controller by entering this command:

show sysinfo

Information similar to the following appears:

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 7.0

RTOS Version..................................... 7.0

Bootloader Version............................... 5.2

Emergency Image Version.......................... N/A

Build Type....................................... DATA + WPS

System Name...................................... Cisco 69

System Location.................................. na

System Contact................................... [email protected]

System ObjectID.................................. 1.3.6.1.4.1.14179.1.1.4.3


IP Address....................................... 10.10.10.10

System Up Time................................... 3 days 1 hrs 12 mins 42 secs

System Timezone Location.........................

CurrentBoot License Level..........................base

CurrentBoot License Type...........................Permanent

NextBoot License Level............................base

NextBoot License Type.............................Permanent

Operating Environment............................ Commercial (0 to 40 C)

Internal Temp Alarm Limits....................... 0 to 65 C

Internal Temperature............................. +40 C

State of 802.11b Network......................... Enabled

State of 802.11a Network......................... Enabled

Number of WLANs.................................. 4

Number of Active Clients......................... 0

Burned-in MAC Address............................ 00:1A:6D:DD:1E:40

Crypto Accelerator 1............................. Absent

Crypto Accelerator 2............................. Absent

Power Supply 1................................... Absent

Power Supply 2................................... Present, OK

Maximum number of APs supported.................. 12

Note

The Operating Environment and Internal Temp Alarm Limits data are not displayed for Cisco Flex 7500 Series Controllers.

• See a brief summary of all active licenses installed on the controller by entering this command:

show license summary

Information similar to the following appears:

Index 1 Feature: wplus

Period left: 0 minute 0 second

Index 2 Feature: wplus-ap-count

Period left: 0 minute 0 second

Index 3 Feature: base

Period left: Life time

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

Index 4 Feature: base-ap-count

Period left: 6 weeks, 4 days

License Type: Evaluation

License State: Active, In Use

License Count: 250/250/0

License Priority: High

• See all of the licenses installed on the controller by entering this command:

show license all

Information similar to the following appears:

License Store: Primary License Storage

StoreIndex: 1 Feature: base Version: 1.0

License Type: Permanent

License State: Active, Not in Use

License Count: Non-Counted

License Priority: Medium

StoreIndex: 3 Feature: base-ap-count Version: 1.0

License Type: Evaluation

License State: Active, In Use

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 3 days


License Count: 250/0/0

License Priority: High

• See the details for a particular license by entering this command:

show license detail license_name

Information similar to the following appears:

Index: 1 Feature: base-ap-count Version: 1.0

License Type: Permanent

License State: Active, Not in Use

License Count: 12/0/0

License Priority: Medium

Store Index: 0

Store Name: Primary License Storage

Index: 2 Feature: base-ap-count Version: 1.0

License Type: Evaluation

License State: Inactive

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 4 days

License Count: 250/0/0

License Priority: Low

Store Index: 3

Store Name: Evaluation License Storage

• See all expiring, evaluation, permanent, or in-use licenses by entering this command:

show license {expiring | evaluation | permanent | in-use}

Information similar to the following appears for the show license in-use command:

StoreIndex: 2 Feature: base-ap-count Version: 1.0

License Type: Permanent

License State: Active, In Use

License Count: 12/12/0

License Priority: Medium

StoreIndex: 3 Feature: base Version: 1.0

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

Note

Controller platforms do not support the status of “grace period” or “extension” as a license type. The license status will always show “evaluation” even if a grace period or an extension evaluation license is installed.

• See the maximum number of access points allowed for this license on the controller, the number of access points currently joined to the controller, and the number of access points that can still join the controller by entering this command:

show license capacity

Information similar to the following appears:

Licensed Feature    Max Count    Current Count    Remaining Count
----------------    ---------    -------------    ---------------
AP Count            250          4                246

• See statistics for all licenses on the controller by entering this command:

show license statistics


• See a summary of license-enabled features by entering this command:

show license feature

Configuring the Maximum Number of Access Points Supported

Configuring Maximum Number of Access Points to be Supported (GUI)

You can configure the maximum number of APs that can be supported on a controller. The controller limits the number of APs that are supported based on the licensing information and the controller model. The maximum number of APs supported that is specified in the licensing information overrides the number that you configure if the configured value is greater than the licensed value. By default, this feature is disabled. You must reboot the controller if you change the configuration.

Step 1 Choose Controller > General.

Step 2 Enter a value in the Maximum Allowed APs text box.

Step 3 Click Apply.

Step 4 Click Save Configuration.

Configuring Maximum Number of Access Points to be Supported (CLI)

• Configure the maximum number of access points to be supported on a controller by entering this command:

config ap max-count count

• See the maximum number of access points that are supported on the controller by entering this command:

show ap max-count summary

Troubleshooting Licensing Issues

• Configure debugging of license agent by entering this command:

debug license agent {errors | all} {enable | disable}

• Configure debugging of licensing core events and core errors by entering this command:

debug license core {all | errors | events} {enable | disable}

• Configure debugging of licensing errors by entering this command:

debug license errors {enable | disable}

• Configure debugging of licensing events by entering this command:

debug license events {enable | disable}


Activating an AP-Count Evaluation License

Information About Activating an AP-Count Evaluation License

If you are considering upgrading to a license with a higher access point count, you can try an evaluation license before upgrading to a permanent version of the license. For example, if you are using a permanent license with a 50-access-point count and want to try an evaluation license with a 100-access-point count, you can try out the evaluation license for 60 days.

AP-count evaluation licenses are set to low priority by default so that the controller uses the ap-count permanent license. If you want to try an evaluation license with an increased access point count, you must change its priority to high. If you no longer want to have this higher capacity, you can lower the priority of the ap-count evaluation license, which forces the controller to use the permanent license.

Note

To prevent disruptions in operation, the controller does not switch licenses when an evaluation license expires. You must reboot the controller in order to return to a permanent license. Following a reboot, the controller defaults to the same feature set level as the expired evaluation license. If no permanent license at the same feature set level is installed, the controller uses a permanent license at another level or an unexpired evaluation license.

Activating an AP-Count Evaluation License (GUI)

Step 1 Choose Management > Software Activation > Licenses to open the Licenses page.

The Status column shows which licenses are currently in use, and the Priority column shows the current priority of each license.

Step 2 Activate an ap-count evaluation license as follows:

a) Click the link for the ap-count evaluation license that you want to activate. The License Detail page appears.

b) Choose High from the Priority drop-down list and click Set Priority.

Note

You can set the priority only for ap-count evaluation licenses. AP-count permanent licenses always have a medium priority, which cannot be configured.

c) Click OK when prompted to confirm your decision about changing the priority of the license.

d) When the EULA appears, read the terms of the agreement and then click Accept.

e) When prompted to reboot the controller, click OK.

f) Reboot the controller in order for the priority change to take effect.

g) Click Licenses to open the Licenses page and verify that the ap-count evaluation license now has a high priority and is in use. You can use the evaluation license until it expires.

Step 3 If you decide to stop using the ap-count evaluation license and want to revert to using an ap-count permanent license, follow these steps:

a) On the Licenses page, click the link for the ap-count evaluation license that is in use.

b) Choose Low from the Priority drop-down list and click Set Priority.

Note

You can set the priority only for ap-count evaluation licenses. AP-count permanent licenses always have a medium priority, which cannot be configured.

c) Click OK when prompted to confirm your decision about changing the priority of the license.


d) When the EULA appears, read the terms of the agreement and then click Accept.

e) When prompted to reboot the controller, click OK.

f) Reboot the controller in order for the priority change to take effect.

g) Click Licenses to open the Licenses page and verify that the ap-count evaluation license now has a low priority and is not in use. Instead, the ap-count permanent license should be in use.

Activating an AP-Count Evaluation License (CLI)

Step 1 See the current status of all the licenses on your controller by entering this command:

show license all

Information similar to the following appears:

License Store: Primary License Storage

StoreIndex: 0 Feature: base-ap-count Version: 1.0

License Type: Permanent

License State: Active, In Use

License Count: 12/0/0

License Priority: Medium

StoreIndex: 1 Feature: base Version: 1.0

License Type: Permanent

License State: Active, In Use

License Count: Non-Counted

License Priority: Medium

StoreIndex: 2 Feature: base Version: 1.0

License Type: Evaluation

License State: Inactive

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 4 days

License Count: Non-Counted

License Priority: Low

StoreIndex: 3 Feature: base-ap-count Version: 1.0

License Type: Evaluation

License State: Inactive

Evaluation total period: 8 weeks 4 days

Evaluation period left: 8 weeks 4 days

License Count: 250/0/0

License Priority: Low

The License State text box shows the licenses that are in use, and the License Priority text box shows the current priority of each license.

Note

In the 7.2.110.0 release, the command output displays the full in-use count for active base-ap-count license even though there are no APs connected.

Step 2 Activate an ap-count evaluation license as follows:

a) Raise the priority of the base-ap-count evaluation license by entering this command:

license modify priority license_name high


Note

You can set the priority only for ap-count evaluation licenses. AP-count permanent licenses always have a medium priority, which cannot be configured.

b) Reboot the controller in order for the priority change to take effect by entering this command:

reset system

c) Verify that the ap-count evaluation license now has a high priority and is in use by entering this command:

show license all

You can use the evaluation license until it expires.

Step 3 If you decide to stop using the ap-count evaluation license and want to revert to using an ap-count permanent license, follow these steps:

a) Lower the priority of the ap-count evaluation license by entering this command:

license modify priority license_name low

b) Reboot the controller in order for the priority change to take effect by entering this command:

reset system

c) Verify that the ap-count evaluation license now has a low priority and is not in use by entering this command:

show license all

Instead, the ap-count permanent license should be in use.
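The show license all listing used in this procedure and in the Viewing Licenses (CLI) section has a regular shape (StoreIndex, License Type, License State, Evaluation period left, License Priority), so the conditions the notes above warn about, an evaluation license carrying the AP count near or past expiry and a priority change that is not in effect until the controller is rebooted, can be checked from a saved copy of the output. The parser and audit below are an added example, not part of the Cisco guide; the sample listing is constructed in the guide's format, and the 15-day warning threshold is an assumption.

```python
"""Audit a Cisco WLC 'show license all' listing for evaluation-license risk.
Added example, not from the Cisco guide; the sample output is constructed in
the guide's format, and the 15-day warning threshold is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the guide's format: an ap-count evaluation license has
# been raised to High priority and now carries the AP count.
SAMPLE_SHOW_LICENSE_ALL = """\
License Store: Primary License Storage
StoreIndex: 0 Feature: base-ap-count Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: 12/0/0
        License Priority: Medium
StoreIndex: 1 Feature: base Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
License Store: Evaluation License Storage
StoreIndex: 3 Feature: base-ap-count Version: 1.0
        License Type: Evaluation
        License State: Active, In Use
        Evaluation total period: 8 weeks 4 days
        Evaluation period left: 1 weeks 6 days
        License Count: 250/4/0
        License Priority: High
"""
_HDR = re.compile(r"^StoreIndex:\s*(\d+)\s+Feature:\s*(\S+)\s+Version:\s*(\S+)")
_KV = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")
_UNIT_DAYS = {"week": 7.0, "day": 1.0, "hour": 1 / 24, "minute": 1 / 1440, "second": 1 / 86400}
# Listing fields copied into WlcLicense attributes.
_FIELDS = {"License Type": "ltype", "License State": "state", "License Count": "count",
           "License Priority": "priority", "Evaluation period left": "period_left"}


@dataclass
class WlcLicense:
    index: int
    feature: str
    version: str
    ltype: str = ""
    state: str = ""
    count: str = ""
    priority: str = ""
    period_left: Optional[str] = None

    @property
    def in_use(self) -> bool:
        # The listing distinguishes "Active, In Use" from "Active, Not in Use".
        return self.state.strip().lower() == "active, in use"


def period_to_days(text: str) -> Optional[float]:
    """'8 weeks 4 days' -> 60.0, '0 minute 0 second' -> 0.0, 'Life time' -> None."""
    if "life" in text.lower():
        return None
    parts = re.findall(r"(\d+)\s*(week|day|hour|minute|second)s?", text, re.I)
    return sum(int(n) * _UNIT_DAYS[u.lower()] for n, u in parts) if parts else None


def parse_show_license_all(output: str) -> List[WlcLicense]:
    """One record per StoreIndex block; 'License Store:' lines are skipped."""
    licenses: List[WlcLicense] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = _HDR.match(line)
        if m:
            licenses.append(WlcLicense(int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = _KV.match(line)
        if m and licenses and m.group(1).strip() in _FIELDS:
            setattr(licenses[-1], _FIELDS[m.group(1).strip()], m.group(2).strip())
    return licenses


def audit(licenses: List[WlcLicense], warn_days: float = 15.0) -> List[str]:
    """Flag evaluation licenses in use (near expiry or already expired) and a
    High-priority evaluation license still Inactive, which needs a reboot."""
    findings = []
    for lic in (l for l in licenses if l.ltype.lower() == "evaluation"):
        left = period_to_days(lic.period_left or "")
        if lic.in_use and left is not None and left <= 0:
            findings.append(f"{lic.feature}: evaluation license expired but still in use; the "
                            "controller returns to a permanent license only after a reboot")
        elif lic.in_use and left is not None and left <= warn_days:
            findings.append(f"{lic.feature}: evaluation license in use, {left:g} days left")
        elif lic.in_use:
            findings.append(f"{lic.feature}: evaluation license in use ({lic.period_left} left)")
        elif lic.priority.lower() == "high":
            findings.append(f"{lic.feature}: evaluation priority is High but state is "
                            f"'{lic.state}'; reboot for the priority change to take effect")
    return findings
```

Feed it the output captured from the controller instead of the sample to check a real unit; a permanent license shows "Life time" as its period and is never flagged.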

Configuring Right to Use Licensing

Information About Right to Use Licensing

Right to Use (RTU) licensing is a model in which licenses are not tied to a unique device identifier (UDI), product ID, or serial number. Use RTU licensing to enable a desired AP license count on the controller after you accept the End User License Agreement (EULA). This allows you to add AP counts on a controller interacting with external tools.

RTU licensing is supported only on the following Cisco Wireless Controller platforms:

• Cisco 5520 Wireless Controller

• Cisco Flex 7510 Wireless Controller

• Cisco 8510 Wireless Controller

• Cisco 8540 Wireless Controller

• Cisco Virtual Wireless Controller

In the RTU licensing model, the following types of licenses are available:

• Permanent or base licenses—These licenses are programmed into the controller hardware at the time of manufacturing. These licenses are base count licenses that cannot be deleted or transferred.

• Adder licenses—These licenses are wireless access point count licenses that you can activate by accepting the RTU EULA. The EULA states that you are obliged to purchase the specified access point count licenses at the time of activation. You must activate these licenses for the purchased access points count and accept the EULA.

You can remove an adder license from one controller and transfer the license to another controller in the same product family. For example, an adder license such as LIC-CT7500-100A can be transferred (partially or fully) from one Cisco Flex 7500 Series Controller to another Cisco Flex 7500 Series Controller.

Note

Licenses embedded in the controller at the time of shipment are not transferable.

• Evaluation licenses—These licenses are demo or trial mode licenses that are valid for 90 days. Fifteen days prior to the expiry of the 90-day period, you are notified about the requirement to buy the permanent license. These evaluation licenses are installed with the license image. You can activate the evaluation licenses anytime with a command. A EULA is prompted after you run the activation command on the controller CLI. The EULA states that you are obligated to pay for the specified license count within 90 days of usage. The countdown starts after you accept the EULA.

Whenever you add or delete an access point adder license on the controller, you are prompted with an RTU EULA. You can either accept or decline the RTU EULA for each add or delete operation.

For high-availability (HA) controllers when you enable HA, the controllers synchronize with the enabled license count of the primary controller and support high availability for up to the license count enabled on the primary controller.

You can view the RTU licenses through the controller GUI or CLI. You can also view these licenses across multiple wireless controllers through Cisco Prime Infrastructure.

With Release 8.1, the license management for Cisco Virtual Wireless Controller is changed from license-file based management to Right-to-Use-based management. The previous licenses are still valid, and when you upgrade to Release 8.1 from an earlier release, you are required to only accept an end-user license agreement again to the quantity installed before.

Configuring Right to Use Licensing (GUI)

Step 1

Step 2

Step 3

Choose Management > Software Activation > Licenses to open the Licenses page.

In the Adder License area, choose to add or delete the number of APs that an AP license can support, enter a value, and click Set Count.

Click Save Configuration.

Configuring Right to Use Licensing (CLI)

• Add or delete the number of APs that an AP license can support by entering this command:

license {add | delete} ap-count count

• Add or delete a license for a feature by entering this command:

license {add | delete} feature license_name


• Activate or deactivate an evaluation AP count license by entering this command:

license {activate | deactivate} ap-count eval

Note

When you activate the license, you are prompted to accept or reject the End User License Agreement (EULA) for the given license. If you activate a license that supports fewer APs than the number of APs currently connected to the controller, the activation command fails.

• Activate or deactivate a feature license by entering this command:

license {activate | deactivate} feature license_name

• See the licensing information by entering this command:

show license all

Rehosting Licenses

This section describes how to rehost licenses.

Information About Rehosting Licenses

Revoking a license from one controller and installing it on another is called rehosting. You might want to rehost a license in order to change the purpose of a controller. For example, if you want to move your OfficeExtend or indoor mesh access points to a different controller, you could transfer the adder license from one controller to another controller of the same model (intramodel transfer). This can be done in the case of RMA or a network rearchitecture that requires you to transfer licenses from one appliance to another. It is not possible to rehost base licenses in normal scenarios of network rearchitecture. The only exception where the transfer of base licenses is allowed is for RMA when you get a replacement hardware when your existing appliance has a failure.

Evaluation licenses cannot be rehosted.

In order to rehost a license, you must generate credential information from the controller and use it to obtain a permission ticket to revoke the license from the Cisco licensing site. Next, you must obtain a rehost ticket and use it to obtain a license installation file for the controller on which you want to install the license.

Note

A revoked license cannot be reinstalled on the same controller.

Note

Starting in Release 7.3, Right-to-Use licensing is supported on the Cisco Flex 7500 Series Controllers, so the rehosting behavior changes on these controllers. If you need to rehost licenses, plan to rehost the installed adder licenses before upgrading.


Rehosting a License

Rehosting a License (GUI)

Step 1 Choose Management > Software Activation > Commands to open the License Commands page.

Step 2 From the Action drop-down list, choose Rehost. The Revoke a License from the Device and Generate Rehost Ticket area appears.

Step 3 In the File Name to Save Credentials text box, enter the path on the TFTP server where you want the device credentials to be saved and click Save Credentials.

Step 4 To obtain a permission ticket to revoke the license, follow these steps:

a) Click Cisco Licensing (https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet).

b) On the Product License Registration page, click Look Up a License under Manage Licenses.

c) Enter the product ID and serial number for your controller.

Note

To find the controller’s product ID and serial number, choose Controller > Inventory on the controller GUI.

d) Open the device credential information file that you saved in Step 3 and copy and paste the contents of the file into the Device Credentials text box.

e) Enter the security code in the blank box and click Continue.

f) Choose the licenses that you want to revoke from this controller and click Start License Transfer.

g) On the Rehost Quantities page, enter the number of licenses that you want to revoke in the To Rehost text box and click Continue.

h) On the Designate Licensee page, enter the product ID and serial number of the controller for which you plan to revoke the license, read and accept the conditions of the End User License Agreement (EULA), complete the rest of the text boxes on this page, and click Continue.

i) On the Review and Submit page, verify that all information is correct and click Submit.

j) When a message appears indicating that the registration is complete, click Download Permission Ticket. The rehost permission ticket is e-mailed within 1 hour to the address that you specified.

k) After the e-mail arrives, copy the rehost permission ticket to your TFTP server.

Step 5 Use the rehost permission ticket to revoke the license from this controller and generate a rehost ticket as follows:

a) In the Enter Saved Permission Ticket File Name text box, enter the TFTP path and filename (*.lic) for the rehost permission ticket that you generated in Step 4.

b) In the Rehost Ticket File Name text box, enter the TFTP path and filename (*.lic) for the ticket that will be used to rehost this license on another controller.

c) Click Generate Rehost Ticket.

d) When the End User License Agreement (EULA) acceptance dialog box appears, read the agreement and click Accept to accept the terms of the agreement.

Step 6 Use the rehost ticket generated in Step 5 to obtain a license installation file, which can then be installed on another controller as follows:

a) Click Cisco Licensing.

b) On the Product License Registration page, click Upload Rehost Ticket under Manage Licenses.

c) On the Upload Ticket page, enter the rehost ticket that you generated in Step 5 in the Enter Rehost Ticket text box and click Continue.


d) On the Validate Features page, verify that the license information for your controller is correct, enter the rehost quantity, and click Continue.

e) On the Designate Licensee page, enter the product ID and serial number of the controller on which you plan to use the license, read and accept the conditions of the End User License Agreement (EULA), complete the rest of the text boxes on this page, and click Continue.

f) On the Review and Submit page, verify that all information is correct and click Submit.

g) When a message appears indicating that the registration is complete, click Download License. The rehost license key is e-mailed within 1 hour to the address that you specified.

h) After the e-mail arrives, copy the rehost license key to your TFTP server.

i) Follow the instructions in the Installing a License section to install this on another controller.

Step 7 After revoking the license on the original controller, the corresponding evaluation license appears with High priority. Lower the priority of the evaluation license so that the permanent license is in "In Use" status.

Rehosting a License (CLI)

Step 1 Save device credential information to a file by entering this command:

license save credential url

where url is tftp://server_ip/path/filename.

Step 2 Obtain a permission ticket to revoke the license as follows:

a) Go to https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet. The Product License Registration page appears.

b) Under Manage Licenses, click Look Up a License.

c) Enter the product ID and serial number for your controller.

Note

To find the controller’s product ID and serial number, enter the show license udi command on the controller

CLI.

d) Open the device credential information file that you saved in

Step 1

and copy and paste the contents of the file into the Device Credentials text box.

e) Enter the security code in the blank box and click Continue.

f) Choose the licenses that you want to revoke from this controller and click Start License Transfer.

g) On the Rehost Quantities page, enter the number of licenses that you want to revoke in the To Rehost text box and click Continue.

h) On the Designate Licensee page, enter the product ID and serial number of the controller for which you plan to revoke the license, read and accept the conditions of the End-User License Agreement (EULA), complete the rest of the text boxes on this page, and click Continue.

i) On the Review and Submit page, verify that all information is correct and click Submit.

j) When a message appears indicating that the registration is complete, click Download Permission Ticket. The rehost permission ticket is e-mailed within 1 hour to the address that you specified.

k) After the e-mail arrives, copy the rehost permission ticket to your TFTP server.

Use the rehost permission ticket to revoke the license from this controller and generate a rehost ticket as follows: a) Revoke the license from the controller by entering this command:

license revoke permission_ticket_url

72

Cisco Wireless Controller Configuration Guide, Release 8.0

Rehosting Licenses

Step 4

Step 5

where permission_ticket_url is tftp://server_ip/path/filename.

b) Generate the rehost ticket by entering this command:

license revoke rehost rehost_ticket_url where rehost_ticket_url is tftp://server_ip/path/filename.

c) If prompted, read and accept the terms of the End-User License Agreement (EULA).

Use the rehost ticket generated in

Step 3

to obtain a license installation file, which can then be installed on another controller as follows: a) Go to https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet.

b) On the Product License Registration page, click Upload Rehost Ticket under Manage Licenses.

c) On the Upload Ticket page, enter the rehost ticket that you generated in

Step 3

in the Enter Rehost Ticket text box and click Continue.

d) On the Validate Features page, verify that the license information for your controller is correct, enter the rehost quantity, and click Continue.

e) On the Designate Licensee page, enter the product ID and serial number of the controller on which you plan to use the license, read and accept the conditions of the End-User License Agreement (EULA), complete the rest of the text boxes on this page, and click Continue.

f) On the Review and Submit page, verify that all information is correct and click Submit.

g) When a message appears indicating that the registration is complete, click Download License. The rehost license key is e-mailed within 1 hour to the address that you specified.

h) After the e-mail arrives, copy the rehost license key to your TFTP server.

i) Follow the instructions in the

Installing a License (GUI), on page 60

section to install this license on another controller.

After revoking the license on original controller, correspondent evaluation licence appear with High pritority. Lower the priority of the evaluation license so that the parmanent license is in "In Use" status.

Transferring Licenses to a Replacement Controller after an RMA

Information About Transferring Licenses to a Replacement Controller after an RMA

If you return a Cisco 5500 Series Controller to Cisco as part of the Return Material Authorization (RMA) process, you must transfer that controller’s licenses within 60 days to a replacement controller that you receive from Cisco.

Replacement controllers come preinstalled with the following licenses: permanent base and evaluation base, base-ap-count. No other permanent licenses are installed. The SKU for replacement controllers is AIR-CT5508-CA-K9.

Because licenses are registered to the serial number of a controller, you can use the licensing portal on Cisco.com to request that the license from your returned controller be revoked and authorized for use on the replacement controller. After your request is approved, you can install the old license on the replacement controller. Any additional ap-count licenses installed in the returned controller have to be rehosted on the replacement controller. Before you begin, you need the product ID and serial number of both the returned controller and the replacement controller. This information is included in your purchase records.


Note

The evaluation licenses on the replacement controller are designed for temporary use and expire after 60 days. To prevent disruptions in operation, the controller does not switch licenses when an evaluation license expires. You must reboot the controller in order to return to a permanent license. If the evaluation licenses expire before you transfer the permanent licenses from your defective controller to your replacement controller, the replacement controller remains up and running using the permanent base license, but access points are no longer able to join the controller.

Transferring a License to a Replacement Controller after an RMA

Step 1 Browse to https://tools.cisco.com/SWIFT/LicensingUI/Quickstart.

Step 2 Log on to the site.

Step 3 In the Manage tab, click Devices.

Step 4 Choose Actions > Rehost/Transfer.

Step 5 Follow the on-screen instructions to generate the license file. The license is provided online or in an e-mail.

Step 6 Copy the license file to the TFTP server.

Step 7 Install the license by choosing Management > Software Activation > Commands > Action > Install License.

Configuring the License Agent

Information About Configuring the License Agent

If your network contains various Cisco-licensed devices, you might want to consider using the Cisco License Manager (CLM) to manage all of the licenses using a single application. CLM is a secure client/server application that manages Cisco software licenses network wide.

The license agent is an interface module that runs on the controller and mediates between CLM and the controller’s licensing infrastructure. CLM can communicate with the controller using various channels, such as HTTP, Telnet, and so on. If you want to use HTTP as the communication method, you must enable the license agent on the controller.

The license agent receives requests from CLM and translates them into license commands. It also sends notifications to CLM. It uses XML messages over HTTP or HTTPS to receive the requests and send the notifications. For example, CLM sends a license install command, and the agent notifies CLM after the license expires.

Note

You can download the CLM software and access user documentation at http://www.cisco.com/go/clm.


Configuring the License Agent (GUI)

Step 1 Choose Management > Software Activation > License Agent to open the License Agent Configuration page.

Step 2 Select the Enable Default Authentication check box to enable the license agent, or leave it unselected to disable this feature. The default value is unselected.

Step 3 In the Maximum Number of Sessions text box, enter the maximum number of sessions for the license agent. The valid range is 1 to 25 sessions (inclusive).

Step 4 Configure the license agent to listen for requests from the CLM as follows:

a) Select the Enable Listener check box to enable the license agent to receive license requests from the CLM, or unselect this check box to disable this feature. The default value is unselected.

b) In the Listener Message Processing URL text box, enter the URL where the license agent receives license requests (for example, http://209.165.201.30/licenseAgent/custom). The Protocol parameter indicates whether the URL requires HTTP or HTTPS.

Note

You can specify the protocol to use on the HTTP Configuration page.

c) Select the Enable Authentication for Listener check box to enable authentication for the license agent when it is receiving license requests, or unselect this check box to disable this feature. The default value is unselected.

d) In the Max HTTP Message Size text box, enter the maximum size for license requests. The valid range is 0 to 9999 bytes, and the default value is 0.

Step 5 Configure the license agent to send license notifications to the CLM as follows:

a) Select the Enable Notification check box to enable the license agent to send license notifications to the CLM, or unselect this check box to disable this feature. The default value is unselected.

b) In the URL to Send the Notifications text box, enter the URL where the license agent sends the notifications (for example, http://www.cisco.com/license/notify).

c) In the User Name text box, enter the username required in order to view the notification messages at this URL.

d) In the Password and Confirm Password text boxes, enter the password required in order to view the notification messages at this URL.

Step 6 Click Apply to commit your changes.

Step 7 Click Save Configuration to save your changes.

Configuring the License Agent (CLI)

Step 1

Enable the license agent by entering one of these commands:

config license agent default authenticate—Enables the license agent default listener with authentication.

config license agent default authenticate none—Enables the license agent default listener without authentication.

Note

To disable the license agent default listener, enter the config license agent default disable command.

The default value is disabled.

Step 2 Specify the maximum number of sessions for the license agent by entering this command:

config license agent max-sessions sessions

The valid range for the sessions parameter is 1 to 25 (inclusive), and the default value is 9.

Step 3 Enable the license agent to receive license requests from the CLM and specify the URL where the license agent receives the requests by entering this command:

config license agent listener http {plaintext | encrypt} url authenticate [none] [max-message size] [acl acl]

The valid range for the size parameter is 0 to 65535 bytes, and the default value is 0.

Note

To prevent the license agent from receiving license requests from the CLM, enter the config license agent listener http disable command. The default value is disabled.

Step 4 Configure the license agent to send license notifications to the CLM and specify the URL where the license agent sends the notifications by entering this command:

config license agent notify url username password

Note

To prevent the license agent from sending license notifications to the CLM, enter the config license agent notify disable username password command. The default value is disabled.

Step 5 Enter the save config command to save your changes.

Step 6 See statistics for the license agent's counters or sessions by entering this command:

show license agent {counters | sessions}

Information similar to the following appears for the show license agent counters command:

License Agent Counters

Request Messages Received:10: Messages with Errors:1

Request Operations Received:9: Operations with Errors:0

Notification Messages Sent:12: Transmission Errors:0: Soap Errors:0

Information similar to the following appears for the show license agent sessions command:

License Agent Sessions: 1 open, maximum is 9

Note

To clear the license agent's counter or session statistics, enter the clear license agent {counters | sessions} command.
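As an added example that is not part of this guide, the following Python parses the show license agent counters and show license agent sessions output shown above and flags conditions worth watching on a listener that accepts XML requests over HTTP. The sample output strings are constructed from the examples above, and the 5% error-ratio threshold is an arbitrary choice for the example.

```python
import re
from typing import Dict, List, Tuple

# Sample output constructed from the show license agent examples in this guide.
SAMPLE_COUNTERS = """License Agent Counters
Request Messages Received:10: Messages with Errors:1
Request Operations Received:9: Operations with Errors:0
Notification Messages Sent:12: Transmission Errors:0: Soap Errors:0
"""
SAMPLE_SESSIONS = "License Agent Sessions: 1 open, maximum is 9\n"

# Each counter is "<name>:<value>"; several pairs share one line, separated by ": ".
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)")
SESSION_RE = re.compile(r"License Agent Sessions:\s*(\d+)\s+open,\s+maximum is\s+(\d+)")


def parse_license_agent_counters(text: str) -> Dict[str, int]:
    """Return the counters from 'show license agent counters' as a name -> value map."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters


def parse_license_agent_sessions(text: str) -> Tuple[int, int]:
    """Return (open_sessions, max_sessions) from 'show license agent sessions'."""
    match = SESSION_RE.search(text)
    if not match:
        raise ValueError("unrecognised 'show license agent sessions' output")
    return int(match.group(1)), int(match.group(2))


def assess_license_agent(counters: Dict[str, int], open_sessions: int,
                         max_sessions: int, max_error_ratio: float = 0.05) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report.

    max_error_ratio (5% by default) is an arbitrary threshold for this example.
    """
    findings: List[str] = []
    received = counters.get("Request Messages Received", 0)
    msg_errors = counters.get("Messages with Errors", 0)
    if received and msg_errors / received > max_error_ratio:
        findings.append(
            f"{msg_errors}/{received} request messages on the listener URL had errors "
            "(malformed or unexpected XML; check what is reaching the listener)")
    # Any non-zero error counter on operations or notifications is worth a look.
    for key in ("Operations with Errors", "Transmission Errors", "Soap Errors"):
        if counters.get(key, 0) > 0:
            findings.append(f"{key}: {counters[key]}")
    if open_sessions >= max_sessions:
        findings.append(f"all {max_sessions} license agent sessions are in use "
                        "(max-sessions limit reached)")
    return findings


if __name__ == "__main__":
    counters = parse_license_agent_counters(SAMPLE_COUNTERS)
    open_sessions, max_sessions = parse_license_agent_sessions(SAMPLE_SESSIONS)
    for finding in assess_license_agent(counters, open_sessions, max_sessions) or ["no findings"]:
        print(finding)
```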

Chapter 4: Configuring 802.11 Bands

Configuring 802.11 Bands, page 77

Configuring Band Selection, page 81

Configuring 802.11 Bands

Information About Configuring 802.11 Bands

You can configure the 802.11b/g/n (2.4-GHz) and 802.11a/n/ac (5-GHz) bands for the controller to comply with the regulatory requirements in your country. By default, both 802.11b/g/n and 802.11a/n/ac are enabled.

When a controller is configured to allow only 802.11g traffic, 802.11b client devices are able to successfully connect to an access point but cannot pass traffic. When you configure the controller for 802.11g traffic only, you must mark 11g rates as mandatory.

Configuring the 802.11 Bands (GUI)

Step 1 Choose Wireless > 802.11a/n/ac or 802.11b/g/n > Network to open the Global Parameters page.

Step 2 Select the 802.11a (or 802.11b/g) Network Status check box to enable the 802.11a or 802.11b/g band. To disable the band, unselect the check box. The default value is enabled. You can enable both the 802.11a and 802.11b/g bands.

Step 3 If you enabled the 802.11b/g band in Step 2, select the 802.11g Support check box if you want to enable 802.11g network support. The default value is enabled. If you disable this feature, the 802.11b band is enabled without 802.11g support.

Step 4 Specify the period at which the SSID is broadcast by the access point by entering a value between 20 and 1000 milliseconds (inclusive) in the Beacon Period text box. The default value is 100 milliseconds.

Note

The beacon period in controllers is listed in terms of milliseconds. The beacon period can also be measured in time units (TUs), where one time unit equals 1024 microseconds, so 100 time units equal 102.4 milliseconds. If a beacon interval is listed as 100 milliseconds in a controller, it is only a rounded-off value for 102.4 milliseconds. Due to hardware limitations in certain radios, even though the beacon interval is, say, 100 time units, it is adjusted to 102 time units, which roughly equals 104.448 milliseconds. When the beacon period is represented in time units, the value is adjusted to the nearest multiple of 17.

Step 5 Specify the size at which packets are fragmented by entering a value between 256 and 2346 bytes (inclusive) in the Fragmentation Threshold text box. Enter a low number for areas where communication is poor or where there is a great deal of radio interference.

Step 6 Make access points advertise their channel and transmit power level in beacons and probe responses for CCX clients by selecting the DTPC Support check box. Otherwise, unselect this check box. The default value is enabled.

Client devices using dynamic transmit power control (DTPC) receive the channel and power level information from the access points and adjust their settings automatically. For example, a client device used primarily in Japan could rely on DTPC to adjust its channel and power settings automatically when it travels to Italy and joins a network there.

Note

On access points that run Cisco IOS software, this feature is called world mode.

Note

DTPC and 802.11h power constraint cannot be enabled simultaneously.

Step 7 Specify the maximum allowed clients by entering a value between 1 and 200 in the Maximum Allowed Client text box. The default value is 200.

Step 8 Select or unselect the RSSI Low Check check box to enable or disable the RSSI Low Check feature.

Service providers can use the RSSI Low Check feature to prevent clients from connecting to their Wi-Fi network unless the client has a viable connection. In many scenarios, even though clients can hear beacons and connect to Wi-Fi, the signal might not be strong enough to support a stable connection. Use this feature to determine how strongly a client must be heard for it to associate with the Wi-Fi network.

If you enable the RSSI Low Check feature, when a client sends an association request to the AP, the controller gets the RSSI value from the association message and compares it with the RSSI threshold that is configured. If the RSSI value from the association message is less than the RSSI threshold value, the controller rejects the association request. Note that this applies only to association frames, and not to other messages.

The default RSSI Low Check value is –80 dBm, which means an association request from a client can be rejected if the AP hears a client with a signal that is weaker than –80 dBm. If you lower the value to –90 dBm, clients are allowed to connect at a further distance, but there is also a higher probability of the connection quality being poor. We recommend that you do not go higher than –80 dBm, for example –70 dBm, because this makes the cell size significantly smaller.

Step 9 Enter the RSSI Threshold value. The default value is –80 dBm.

Step 10 Use the Data Rates options to specify the rates at which data can be transmitted between the access point and the client. These data rates are available:

• 802.11a—6, 9, 12, 18, 24, 36, 48, and 54 Mbps

• 802.11b/g—1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps

For each data rate, choose one of these options:

Mandatory—Clients must support this data rate in order to associate to an access point on the controller.

Supported—Any associated clients that support this data rate may communicate with the access point using that rate. However, the clients are not required to be able to use this rate in order to associate.

Disabled—The clients specify the data rates used for communication.

Step 11 Click Apply.

Step 12 Click Save Configuration.


Configuring the 802.11 Bands (CLI)

Step 1 Disable the 802.11a band by entering this command:

config 802.11a disable network

Note

The 802.11a band must be disabled before you can configure the 802.11a network parameters in this section.

Step 2 Disable the 802.11b/g band by entering this command:

config 802.11b disable network

Note

The 802.11b band must be disabled before you can configure the 802.11b network parameters in this section.

Step 3 Specify the rate at which the SSID is broadcast by the access point by entering this command:

config {802.11a | 802.11b} beaconperiod time_unit

where time_unit is the beacon interval in time units (TUs). One TU is 1024 microseconds. You can configure the access point to send a beacon every 20 to 1000 milliseconds.

Step 4 Specify the size at which packets are fragmented by entering this command:

config {802.11a | 802.11b} fragmentation threshold

where threshold is a value between 256 and 2346 bytes (inclusive). Specify a low number for areas where communication is poor or where there is a great deal of radio interference.

Step 5 Make access points advertise their channel and transmit power level in beacons and probe responses by entering this command:

config {802.11a | 802.11b} dtpc {enable | disable}

The default value is enabled. Client devices using dynamic transmit power control (DTPC) receive the channel and power level information from the access points and adjust their settings automatically. For example, a client device used primarily in Japan could rely on DTPC to adjust its channel and power settings automatically when it travels to Italy and joins a network there.

Note

On access points that run Cisco IOS software, this feature is called world mode.

Step 6 Specify the maximum number of allowed clients by entering this command:

config {802.11a | 802.11b} max-clients max_allow_clients

The valid range is 1 to 200.

Step 7 Configure the RSSI Low Check feature by entering this command:

config 802.11{a | b} rssi-check {enable | disable}

Step 8 Configure the RSSI Threshold value by entering this command:

config 802.11{a | b} rssi-threshold value-in-dBm

Note

The default value is –80 dBm.

Step 9 Specify the rates at which data can be transmitted between the controller and the client by entering this command:

config {802.11a | 802.11b} rate {disabled | mandatory | supported} rate

where

disabled—Clients specify the data rates used for communication.


mandatory—Clients support this data rate in order to associate to an access point on the controller.

supported—Any associated clients that support this data rate may communicate with the access point using that rate. However, the clients are not required to be able to use this rate in order to associate.

rate—The rate at which data is transmitted:

◦6, 9, 12, 18, 24, 36, 48, and 54 Mbps (802.11a)

◦1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps (802.11b/g)

Step 10 Enable the 802.11a band by entering this command:

config 802.11a enable network

The default value is enabled.

Step 11 Enable the 802.11b band by entering this command:

config 802.11b enable network

The default value is enabled.

Step 12 Enable or disable 802.11g network support by entering this command:

config 802.11b 11gSupport {enable | disable}

The default value is enabled. You can use this command only if the 802.11b band is enabled. If you disable this feature, the 802.11b band is enabled without 802.11g support.

Step 13 Enter the save config command to save your changes.

Step 14 View the configuration settings for the 802.11a or 802.11b/g band by entering this command:

show {802.11a | 802.11b}

Information similar to the following appears:

802.11a Network............................... Enabled

11nSupport.................................... Enabled

802.11a Low Band........................... Enabled

802.11a Mid Band........................... Enabled

802.11a High Band.......................... Enabled

802.11a Operational Rates

802.11a 6M Rate.............................. Mandatory

802.11a 9M Rate.............................. Supported

802.11a 12M Rate............................. Mandatory

802.11a 18M Rate............................. Supported

802.11a 24M Rate............................. Mandatory

802.11a 36M Rate............................. Supported

802.11a 48M Rate............................. Supported

802.11a 54M Rate............................. Supported

...

Beacon Interval.................................. 100

...

Default Channel............................... 36

Default Tx Power Level........................ 1

DTPC Status................................... Enabled

Fragmentation Threshold....................... 2346


Maximum Number of Clients per AP................. 200

Configuring Band Selection

Information About Configuring Band Selection

Band selection enables client radios that are capable of dual-band (2.4- and 5-GHz) operation to move to a less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel interference from other access points because of the 802.11b/g limit of three nonoverlapping channels. To prevent these sources of interference and improve overall network performance, you can configure band selection on the controller.

Band selection works by regulating probe responses to clients and it can be enabled on a per-WLAN basis.

It makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels.

On the access point, the band select table can be viewed by entering the show dot11 band-select command. It can also be viewed with show cont d0/d1 | begin Lru.

Band Selection Algorithm

The band selection algorithm affects clients that use the 2.4-GHz band. Initially, when a client sends a probe request to the access point, the corresponding client probe's Active and Count values (as seen in the band select table) become 1. The algorithm functions based on the following scenarios:

• Scenario 1: Client RSSI (as seen from show cont d0/d1 | begin RSSI) is greater than both Mid-RSSI and Acceptable Client RSSI.

  ◦ Dual band clients—No 2.4-GHz probe responses are seen at any time; 5-GHz probe responses are seen for all 5-GHz probe requests.

  ◦ Single band (2.4-GHz) clients—2.4-GHz probe responses are seen only after the probe suppression cycle.

  ◦ After the client's probe count reaches the configured probe cycle count, the algorithm waits for the Age Out Suppression time and then marks the client probe's Active value as 0. Then, the algorithm is restarted.

• Scenario 2: Client RSSI (as seen from show cont d0/d1 | begin RSSI) lies between Mid-RSSI and Acceptable Client RSSI.

  ◦ All 2.4-GHz and 5-GHz probe requests are responded to without any restrictions.

  ◦ This scenario is similar to band select being disabled.


Note

The client RSSI value (seen as sh cont d0 | begin RSSI) is the average of the client packets received, and the Mid-RSSI feature is the instantaneous RSSI value of the probe packets. As a result, the client RSSI is seen as weaker than the configured Mid-RSSI value (7 dB delta). The 802.11b probes from the client are suppressed to push the client to associate with the 802.11a band.
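The following Python model is an added example, not Cisco's implementation: it turns the two scenarios and the cycle-count, cycle-threshold and age-out parameters described above into a per-client "answer this probe or not" decision, using the Band Select page defaults. The band names, the MAC and time values, and the choice to answer clients weaker than the Acceptable Client RSSI normally are assumptions of the example, not taken from the guide.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BandSelectConfig:
    # Defaults are the Band Select page defaults from this guide.
    cycle_count: int = 2              # 2.4-GHz probe suppression cycles for a new client
    cycle_threshold_ms: int = 200     # gap between probes that starts a new scanning cycle
    age_out_suppression_s: int = 20   # forget a known 2.4-GHz client after this
    age_out_dual_band_s: int = 60     # forget that a client is dual-band after this
    client_rssi_dbm: int = -80        # Acceptable Client RSSI
    client_mid_rssi_dbm: int = -60    # Acceptable Client Mid RSSI


@dataclass
class BandSelectEntry:
    """One row of the band select table: the Count value and the last probe time.

    Aging out (the guide's Active value going to 0) is modelled by the timestamp.
    """
    count: int = 1
    last_probe_ms: int = 0


class BandSelectTable:
    """Per-probe decision: should the AP answer this probe request?"""

    def __init__(self, cfg: Optional[BandSelectConfig] = None) -> None:
        self.cfg = cfg or BandSelectConfig()
        self.entries: Dict[str, BandSelectEntry] = {}   # 2.4-GHz clients being tracked
        self.dual_band_seen_ms: Dict[str, int] = {}     # last 5-GHz probe per client

    def probe(self, mac: str, band: str, rssi_dbm: int, now_ms: int) -> bool:
        cfg = self.cfg
        if band == "5GHz":
            # 5-GHz probes are always answered and prove the client is dual-band.
            self.dual_band_seen_ms[mac] = now_ms
            return True
        if band != "2.4GHz":
            raise ValueError(f"unknown band {band!r}")

        # Assumption: clients weaker than the Acceptable Client RSSI are not
        # pushed to 5 GHz, so their probes are answered normally.
        if rssi_dbm < cfg.client_rssi_dbm:
            return True
        # Scenario 2: between Acceptable Client RSSI and Mid RSSI, no restriction.
        if rssi_dbm <= cfg.client_mid_rssi_dbm:
            return True

        # Scenario 1: the client is stronger than both thresholds.
        seen = self.dual_band_seen_ms.get(mac)
        if seen is not None and now_ms - seen <= cfg.age_out_dual_band_s * 1000:
            return False  # known dual-band client: never answered on 2.4 GHz

        entry = self.entries.get(mac)
        if entry is None or now_ms - entry.last_probe_ms > cfg.age_out_suppression_s * 1000:
            # New or aged-out client: Count becomes 1 and the probe is suppressed.
            self.entries[mac] = BandSelectEntry(last_probe_ms=now_ms)
            return False
        if now_ms - entry.last_probe_ms > cfg.cycle_threshold_ms:
            entry.count += 1   # a new scanning cycle
        entry.last_probe_ms = now_ms
        # Answer only after the configured number of suppression cycles has elapsed.
        return entry.count > cfg.cycle_count


if __name__ == "__main__":
    # Constructed probe sequence: a strong single-band client scanning every 500 ms.
    table = BandSelectTable()
    for t in (0, 500, 1000, 1500):
        answered = table.probe("02:00:00:00:00:01", "2.4GHz", -50, t)
        print(f"{t} ms: {'answered' if answered else 'suppressed'}")
```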

Restrictions on Band Selection

• Band-selection enabled WLANs do not support time-sensitive applications like voice and video because of roaming delays.

• Band selection can be used only with Cisco Aironet 1140, 1250, 1260, 1530, 1550, 1570, 1600, 1700, 2600, 2700, 3500, 3600 and 3700 series access points.

• Mid RSSI is not supported on Cisco Aironet 1600 Series access points.

• Band selection is not supported in Cisco Aironet 1040, OEAP 600 series access points.

• Band selection operates only on access points that are connected to a controller. A FlexConnect access point without a controller connection does not perform band selection after a reboot.

• The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios are up and running.

• You can enable both band selection and aggressive load balancing on the controller. They run independently and do not impact one another.

• It is not possible to enable or disable band selection and client load balancing globally through the controller GUI or CLI. You can, however, enable or disable band selection and client load balancing for a particular WLAN. Band selection and client load balancing are enabled globally by default.

Configuring Band Selection

Configuring Band Selection (GUI)

Step 1 Choose Wireless > Advanced > Band Select to open the Band Select page.

Step 2 In the Probe Cycle Count text box, enter a value between 1 and 10. This cycle count sets the number of 2.4 GHz probe suppression cycles for a new client. The default cycle count is 2.

Step 3 In the Scan Cycle Period Threshold (milliseconds) text box, enter a value between 1 and 1000 milliseconds for the scan cycle period threshold. This setting determines the time threshold during which new probe requests from a client come from a new scanning cycle (that is, only if the time difference between successive probe requests is greater than this configured value does the count value in the band select table increase). The default cycle threshold is 200 milliseconds.

Step 4 In the Age Out Suppression (seconds) text box, enter a value between 10 and 200 seconds. Age-out suppression sets the expiration time for pruning previously known 802.11b/g/n clients. The default value is 20 seconds. After this time elapses, clients become new and are subject to probe response suppression.

Step 5 In the Age Out Dual Band (seconds) text box, enter a value between 10 and 300 seconds. The age-out period sets the expiration time for pruning previously known dual-band clients. The default value is 60 seconds. After this time elapses, clients become new and are subject to probe response suppression.

Step 6 In the Acceptable Client RSSI (dBm) text box, enter a value between –20 and –90 dBm. This parameter sets the minimum RSSI for a client to respond to a probe. The default value is –80 dBm.

Step 7 In the Acceptable Client Mid RSSI (dBm) text box, enter a value between –20 and –90 dBm. This parameter sets the mid-RSSI, whose value can be used for toggling 2.4 GHz probe suppression based on the RSSI value. The default value is –60 dBm.

Step 8 Click Apply.

Step 9 Click Save Configuration.

Step 10 To enable or disable band selection on specific WLANs, choose WLANs > WLAN ID. The WLANs > Edit page appears.

Step 11 Click the Advanced tab.

Step 12 In the Load Balancing and Band Select text area, if you want to enable band selection, select the Client Band Select check box. If you want to disable band selection, leave the check box unselected. The default value is disabled.

Step 13 Click Save Configuration.

Configuring Band Selection (CLI)

Step 1 Set the probe cycle count for band select by entering this command:

config band-select cycle-count cycle_count

You can enter a value between 1 and 10 for the cycle_count parameter.

Step 2 Set the time threshold for a new scanning cycle period by entering this command:

config band-select cycle-threshold milliseconds

You can enter a value between 1 and 1000 for the milliseconds parameter.

Step 3 Set the suppression expiration time for band select by entering this command:

config band-select expire suppression seconds

You can enter a value between 10 and 200 for the seconds parameter.

Step 4 Set the dual-band expiration time by entering this command:

config band-select expire dual-band seconds

You can enter a value between 10 and 300 for the seconds parameter.

Step 5 Set the client RSSI threshold by entering this command:

config band-select client-rssi client_rssi

For the client_rssi parameter, enter the minimum client RSSI in dBm at which a probe is responded to, between -20 and -90.

Step 6 Set the client mid RSSI threshold by entering this command:

config band-select client-mid-rssi client_mid_rssi

You can enter a value between -20 and -90 for the client_mid_rssi parameter.

Step 7 Enter the save config command to save your changes.

Step 8 Enable or disable band selection on specific WLANs by entering this command:

config wlan band-select allow {enable | disable} wlan_ID

You can enter a value between 1 and 512 for the wlan_ID parameter.

Step 9 Verify your settings by entering this command:

show band-select

Information similar to the following appears:

Band Select Probe Response....................... Enabled

Cycle Count................................... 3 cycles

Cycle Threshold............................... 300 milliseconds

Age Out Suppression........................... 20 seconds

Age Out Dual Band............................. 20 seconds

Client RSSI................................... -30 dBm

Client Mid RSSI............................... -80 dBm

Step 10 Enter the save config command to save your changes.

Chapter 5: Configuring 802.11 Parameters

Configuring the 802.11n Parameters, page 85

Configuring 802.11h Parameters, page 88

Configuring the 802.11ac Parameters, page 90

Configuring the 802.11n Parameters

Information About Configuring the 802.11n Parameters

This section provides instructions for managing 802.11n devices such as the Cisco Aironet 1140 and 3600 Series Access Points on your network. The 802.11n devices support the 2.4- and 5-GHz bands and offer high-throughput data rates.

The 802.11n high-throughput rates are available on all 802.11n access points for WLANs using WMM with no Layer 2 encryption or with WPA2/AES encryption enabled.

Starting in release 7.4, 802.11n-only access points can filter out clients whose association request does not carry the high-throughput (11n) information element; such access points reject association requests from clients without the high-throughput information element.

In the 802.11n high-throughput mode, there are no 802.11a/b/g stations using the same channel. The 802.11a/b/g devices cannot communicate with the 802.11n high-throughput mode access point, whereas the 802.11n-only mode access point uses 802.11a/g rates for beacons or management frames.

Note

Some Cisco 802.11n APs may intermittently emit incorrect beacon frames, which can trigger false wIPS alarms. We recommend that you ignore these alarms. The issue is observed in the following Cisco 802.11n APs: 1140, 1250, 2600, 3500, and 3600.


Configuring the 802.11n Parameters (GUI)

Step 1 Choose Wireless > 802.11a/n/ac or 802.11b/g/n > High Throughput to open the (5 GHz or 2.4 GHz) High Throughput page.

Step 2 Select the 11n Mode check box to enable 802.11n support on the network. The default value is enabled.

If you want to disable 802.11n mode when both 802.11n and 802.11ac modes are enabled, you must disable the 802.11ac mode first.

Step 3 Select the check boxes of the desired rates to specify the modulation and coding scheme (MCS) rates at which data can be transmitted between the access point and the client. These data rates, which are calculated for a 20-MHz channel width using a short guard interval, are available:

• 0 (7 Mbps)

• 1 (14 Mbps)

• 2 (21 Mbps)

• 3 (29 Mbps)

• 4 (43 Mbps)

• 5 (58 Mbps)

• 6 (65 Mbps)

• 7 (72 Mbps)

• 8 (14 Mbps)

• 9 (29 Mbps)

• 10 (43 Mbps)

• 11 (58 Mbps)

• 12 (87 Mbps)

• 13 (116 Mbps)

• 14 (130 Mbps)

• 15 (144 Mbps)

Any associated clients that support the selected rates may communicate with the access point using those rates.

However, the clients are not required to be able to use this rate in order to associate. The MCS settings determine the number of spatial streams, the modulation, the coding rate, and the data rate values that are used.

Step 4 Click Apply.

Step 5 Use the 802.11n data rates that you configured by enabling WMM on the WLAN as follows:

a) Choose WLANs to open the WLANs page.

b) Click the ID number of the WLAN for which you want to configure WMM mode.

c) When the WLANs > Edit page appears, choose the QoS tab to open the WLANs > Edit (Qos) page.

d) From the WMM Policy drop-down list, choose Required or Allowed to require or allow client devices to use WMM.

Devices that do not support WMM cannot join the WLAN.

If you choose Allowed, devices that cannot support WMM can join the WLAN but will not benefit from the 802.11n rates.

e) Click Apply.

Step 6 Click Save Configuration.

Note

To determine if an access point supports 802.11n, look at the 11n Supported text box on either the 802.11a/n/ac (or 802.11b/g/n) Cisco APs > Configure page or the 802.11a/n/ac (or 802.11b/g/n) AP Interfaces > Details page.
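The rate list in Step 3 follows directly from what each MCS index fixes: modulation, coding rate and number of spatial streams. The following added example (not Cisco code) derives the 20-MHz short-guard-interval rates from those parameters, using the standard 802.11n values of 52 data subcarriers per OFDM symbol and a 3.6 µs symbol time; the GUI list rounds a few entries differently (for example MCS 2 is shown as 21 Mbps where the computed 21.7 Mbps rounds to 22), so the computed table is a check on the list, not a replacement for it.

```python
"""Derive the 802.11n HT MCS 0-15 data rates for a 20-MHz channel.

Added example, not Cisco code. Each MCS index fixes the modulation, the
coding rate and the number of spatial streams; the rate follows from
52 data subcarriers per OFDM symbol and the symbol time (3.6 us with the
short guard interval, 4.0 us with the long one).
"""
from __future__ import annotations

# (modulation, coded bits per subcarrier per stream, coding rate) for the
# single-stream MCS 0-7; MCS 8-15 reuse the same entries with two streams.
_MOD = [
    ("BPSK", 1, 1 / 2), ("QPSK", 2, 1 / 2), ("QPSK", 2, 3 / 4), ("16-QAM", 4, 1 / 2),
    ("16-QAM", 4, 3 / 4), ("64-QAM", 6, 2 / 3), ("64-QAM", 6, 3 / 4), ("64-QAM", 6, 5 / 6),
]
DATA_SUBCARRIERS_20MHZ = 52
SYMBOL_TIME_SGI_US = 3.6
SYMBOL_TIME_LGI_US = 4.0


def ht_mcs_params(mcs: int) -> tuple[str, int, float, int]:
    """Return (modulation, bits per subcarrier, coding rate, spatial streams)."""
    if not 0 <= mcs <= 15:
        raise ValueError("only the single- and dual-stream MCS 0-15 are modelled")
    modulation, bits, coding = _MOD[mcs % 8]
    return modulation, bits, coding, mcs // 8 + 1


def ht_mcs_rate_mbps(mcs: int, short_gi: bool = True) -> float:
    """Physical-layer data rate in Mbps for a 20-MHz channel."""
    _, bits, coding, streams = ht_mcs_params(mcs)
    symbol_us = SYMBOL_TIME_SGI_US if short_gi else SYMBOL_TIME_LGI_US
    return streams * bits * coding * DATA_SUBCARRIERS_20MHZ / symbol_us


def rate_table(short_gi: bool = True) -> dict[int, int]:
    """MCS index -> rate rounded to whole Mbps, as the High Throughput page lists it."""
    return {m: round(ht_mcs_rate_mbps(m, short_gi)) for m in range(16)}


if __name__ == "__main__":
    for mcs, rate in rate_table().items():
        modulation, _, coding, streams = ht_mcs_params(mcs)
        print(f"MCS {mcs:2d}: {streams} stream(s) {modulation:<6} R={coding:.3f} -> {rate} Mbps")
```

Running the block prints the derived table; comparing it with the GUI list shows why MCS 8 has the same rate as MCS 1: both are QPSK rate 1/2, with MCS 8 using two spatial streams and MCS 1 one.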

Configuring the 802.11n Parameters (CLI)

• Enable 802.11n support on the network by entering this command:

config {802.11a | 802.11b} 11nsupport {enable | disable}

• Specify the modulation and coding scheme (MCS) rates at which data can be transmitted between the access point and the client by entering this command:

config {802.11a | 802.11b} 11nsupport mcs tx {0-15} {enable | disable}

• Use the 802.11n data rates that you configured by enabling WMM on the WLAN as follows:

config wlan wmm {allow | disable | require} wlan_id

The require parameter requires client devices to use WMM. Devices that do not support WMM cannot join the WLAN.

If set to allow, devices that cannot support WMM can join the WLAN but do not benefit from 802.11n rates.

• Specify the aggregation method used for 802.11n packets as follows:

a) Disable the network by entering this command:

config {802.11a | 802.11b} disable network

b) Specify the aggregation method by entering this command:

config {802.11a | 802.11b} 11nsupport {a-mpdu | a-msdu} tx priority {0-7 | all} {enable | disable}

Aggregation is the process of grouping packet data frames together rather than transmitting them separately. Two aggregation methods are available: Aggregated MAC Protocol Data Unit (A-MPDU) and Aggregated MAC Service Data Unit (A-MSDU). A-MSDU is performed in hardware and therefore is the default method.

Note

For 802.11ac, all packets are A-MPDU. The A-MSDU option does not apply for 802.11ac.

You can specify the aggregation method for various types of traffic from the access point to the clients. This table defines the priority levels (0-7) assigned per traffic type.

Table 3: Traffic Type Priority Levels

User Priority    Traffic Type
0                Best effort
1                Background
2                Spare
3                Excellent effort
4                Controlled load
5                Video, less than 100-ms latency and jitter
6                Voice, less than 10-ms latency and jitter
7                Network control

You can configure each priority level independently, or you can use the all parameter to configure all of the priority levels at once. When you use the enable command, the traffic associated with that priority level uses A-MPDU transmission. When you use the disable command, the traffic associated with that priority level uses A-MSDU transmission. Configure the priority levels to match the aggregation method used by the clients. By default, A-MPDU is enabled for priority levels 0, 4 and 5 and the rest are disabled. By default, A-MSDU is enabled for all priorities except 6 and 7.

c) Reenable the network by entering this command:

config {802.11a | 802.11b} enable network

• Configure the 802.11n-5 GHz A-MPDU transmit aggregation scheduler by entering this command:

config 802.11{a | b} 11nsupport a-mpdu tx scheduler {enable | disable | timeout rt timeout-value}

The timeout value is in milliseconds. The valid range is 1 to 1000 milliseconds.

• Configure the guard interval for the network by entering this command:

config 802.11{a | b} 11nsupport guard_interval {any | long}

• Configure the Reduced Interframe Space (RIFS) for the network by entering this command:

config 802.11{a | b} 11nsupport rifs rx {enable | disable}

• Save your changes by entering this command:

save config

• View the configuration settings for the 802.11 networks by entering this command:

show {802.11a | 802.11b}

Configuring 802.11h Parameters

Information About Configuring 802.11h Parameters

802.11h informs client devices about channel changes and can limit the transmit power of those client devices.


Configuring the 802.11h Parameters (GUI)

Step 1 Disable the 802.11 band as follows:

a) Choose Wireless > 802.11a/n/ac > Network to open the 802.11a Global Parameters page.

b) Unselect the 802.11a Network Status check box.

c) Click Apply.

Step 2 Choose Wireless > 802.11a/n/ac > DFS (802.11h) to open the 802.11h Global Parameters page.

Step 3 In the Power Constraint area, enter the local power constraint. The valid range is between 0 dBm and 30 dBm.

Step 4 In the Channel Switch Announcement area, select the Channel Announcement check box if you want the access point to announce when it is switching to a new channel and the new channel number, or unselect this check box to disable the channel announcement. The default value is disabled.

Step 5 If you enabled the channel announcement, the Channel Quiet Mode check box appears. Select this check box if you want the access point to stop transmitting on the current channel, or unselect this check box to disable quiet mode. The default value is disabled.

Step 6 Click Apply.

Step 7 Reenable the 802.11a band as follows:

a) Choose Wireless > 802.11a/n/ac > Network to open the 802.11a Global Parameters page.

b) Select the 802.11a Network Status check box.

c) Click Apply.

Step 8 Click Save Configuration.

Configuring the 802.11h Parameters (CLI)

Step 1 Disable the 802.11a network by entering this command:

config 802.11a disable network

Step 2 Enable or disable an access point to announce when it is switching to a new channel, and the new channel number, by entering this command:

config 802.11h channelswitch {enable {loud | quiet} | disable}

Enter either quiet or loud for the enable parameter. When quiet mode is enabled, all clients that support 802.11h channel switch announcements stop transmitting packets immediately, because the AP has detected radar and the client devices must also stop transmitting to reduce interference. By default, the Channel Switch feature is disabled.

Step 3 Configure a new channel using the 802.11h channel announcement by entering this command:

config 802.11h setchannel channel channel

Step 4 Configure the 802.11h power constraint value by entering this command:

config 802.11h powerconstraint value

Use increments of 3 dB for the value so that the AP goes down one power level at a time.


Step 5 Reenable the 802.11a network by entering this command:

config 802.11a enable network

Step 6 View the status of the 802.11h parameters by entering this command:

show 802.11h

Information similar to the following appears:

Power Constraint................................. 0

Channel Switch................................... Disabled

Channel Switch Mode.............................. 0
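The 802.11h settings above, and the 802.11n-only association filter described under "Information About Configuring the 802.11n Parameters", both correspond to information elements (IEs) carried in management frames, so a packet capture of the AP's beacons and the clients' association requests is the simplest way to confirm what is actually advertised. The following added example (not Cisco code) parses the tagged-parameter body of such frames and reports the Power Constraint element, the Channel Switch Announcement element (whose mode field is what the loud/quiet setting controls), and whether an association request carries the HT Capabilities element that an 802.11n-only AP requires. The element IDs are the standard 802.11 values; the frame bodies are constructed samples.

```python
"""Decode the 802.11 information elements behind the 802.11h and 802.11n settings.

Added example, not Cisco code. Element IDs are the standard ones:
  32 = Power Constraint (802.11h), 37 = Channel Switch Announcement (802.11h),
  45 = HT Capabilities (802.11n). The frame bodies below are constructed.
"""
from __future__ import annotations
import struct

EID_POWER_CONSTRAINT = 32
EID_CHANNEL_SWITCH = 37
EID_HT_CAPABILITIES = 45


def parse_ies(body: bytes) -> list[tuple[int, bytes]]:
    """Split a tagged-parameter body into (element_id, payload) pairs.
    A truncated trailing element is dropped rather than raising."""
    ies = []
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            break  # truncated element: stop parsing
        ies.append((eid, body[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def has_ht_capabilities(body: bytes) -> bool:
    """An 802.11n-only AP rejects association requests that lack this element."""
    return any(eid == EID_HT_CAPABILITIES for eid, _ in parse_ies(body))


def decode_80211h(body: bytes) -> dict:
    """Report what a beacon advertises for the 802.11h parameters."""
    info = {"power_constraint_db": None, "channel_switch": None}
    for eid, payload in parse_ies(body):
        if eid == EID_POWER_CONSTRAINT and len(payload) == 1:
            info["power_constraint_db"] = payload[0]
        elif eid == EID_CHANNEL_SWITCH and len(payload) == 3:
            mode, new_channel, count = struct.unpack("BBB", payload)
            info["channel_switch"] = {
                # switch mode 1 tells clients to stop transmitting until the
                # switch (the guide's "quiet"); 0 lets them keep transmitting ("loud")
                "mode": "quiet" if mode == 1 else "loud",
                "new_channel": new_channel,
                "count": count,  # beacon intervals until the switch
            }
    return info


# Constructed beacon body: SSID "corp", power constraint 3 dB, quiet switch to
# channel 52 after 5 beacon intervals.
BEACON_BODY = (
    bytes([0, 4]) + b"corp"
    + bytes([EID_POWER_CONSTRAINT, 1, 3])
    + bytes([EID_CHANNEL_SWITCH, 3, 1, 52, 5])
)
# Constructed association requests: one with an HT Capabilities element
# (26 zero bytes stand in for the real capability fields), one legacy request
# carrying only an SSID and a Supported Rates element.
ASSOC_REQ_HT = bytes([0, 4]) + b"corp" + bytes([EID_HT_CAPABILITIES, 26]) + bytes(26)
ASSOC_REQ_LEGACY = bytes([0, 4]) + b"corp" + bytes([1, 1, 0x8C])

if __name__ == "__main__":
    print(decode_80211h(BEACON_BODY))
    print("HT client:", has_ht_capabilities(ASSOC_REQ_HT))
    print("legacy client:", has_ht_capabilities(ASSOC_REQ_LEGACY))
```

Because clients act on a Channel Switch Announcement without authenticating it, a wIPS or capture-based check that the announced channel and mode match the controller configuration (show 802.11h above) is a useful sanity check after enabling the feature.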

Configuring the 802.11ac Parameters

Information About Configuring the 802.11ac Parameters

The 802.11ac radio module for the Cisco Aironet 3600 Series access point and Cisco Aironet 3700 Series access point provides enterprise-class reliability and wired-network-like performance. It supports three spatial streams and 80 MHz-wide channels for a maximum data rate of 1.3 Gbps. This is three times the maximum data rate of today's high-end enterprise 802.11n access point.

The 802.11ac radio in slot 2 is a slave radio for which you can configure specific parameters. Because the 802.11ac is a slave radio, it inherits many properties from the main 802.11a/n radio on slot 1. The parameters that you can configure for the 802.11ac radio are as follows:

• Admin status—Interface status of the radio that you can enable or disable. By default, the Admin status is in an enabled state. If you disable 802.11n, the 802.11ac radio is also disabled.

• Channel width—You can choose the RF channel width as 20 MHz, 40 MHz, or 80 MHz. If you choose the channel width as 80 MHz, you must enable the 802.11ac mode on the High Throughput page.

Note

The 11ac Supported field is a nonconfigurable parameter that appears for the 802.11ac slave radio in slot 2.

Note

When the Cisco Aironet 3600 Series access point with 802.11ac radio module is in unsupported mode such as Monitor and Sniffer, Admin Status and Channel Width will not be configured.

This section provides instructions to manage 802.11ac devices such as the Cisco Aironet 3600 Series Access Points and Cisco Aironet 3700 Series Access Point on your network.

Note

AP3600 and AP3700 with the 802.11ac module can advertise only the first 8 WLANs on the 5-GHz radios.


Changing the 802.11n radio channel also changes the 802.11ac channels.

On the Cisco WLC GUI, the 802.11ac clients that are connected to the 802.11n radio are displayed as 802.11an clients, and the 802.11ac clients that are connected to the 802.11ac radio are displayed as 802.11ac clients.

Ensure that your WLAN has WMM enabled and open or WPA2/AES for 802.11ac to be supported. Otherwise, the speed of 802.11ac is not available, even on 802.11ac clients.

For more information about the 802.11ac module on the Cisco Aironet 3600 Series access point, see http://www.cisco.com/c/en/us/products/wireless/aironet-3600-series/relevant-interfaces-and-modules.html.

Restrictions for 802.11ac Support

• The 802.11ac module is supported only on the Cisco Aironet 3600 Series Access Points.

• The 802.11ac module is turned off if the built-in 5-GHz radio is turned off.

• You must ensure that the configuration of the channel, power values, and the mode of the 802.11ac module is the same as those of the built-in 5-GHz radio on the AP. Also, the 802.11ac module serves only 802.11ac clients.

• The 802.11ac module main channel cannot be changed individually.

• This 802.11ac support is applicable only to the following controller platforms:

• Cisco 2504 Wireless Controller

• Cisco 5508 Wireless Controller

• Cisco 5520 Wireless Controller

• Cisco Flex 7510 Wireless Controller

• Cisco 8510 Wireless Controller

• Cisco 8540 Wireless Controller

• Controllers do not support High Availability for 802.11ac modules. The 802.11ac configuration (802.11ac Data Rates and 802.11ac Global mode) on the controller is not synchronized with the standby controller. This might result in client throughput fluctuations and reassociations when you explicitly disable those configurations on the active controller.

In addition, the 802.11ac Global mode configuration controls whether the radio module is enabled. If 802.11ac Global mode is enabled on one controller but not on another, the 802.11ac module might be disabled if the access point associates with a controller on which 802.11ac Global mode is disabled.

• When you change an AP from static to automatic channel assignment, by default the AP moves to the best bandwidth that the radio supports and to a valid channel. The channel number and width assignment may be suboptimal until the next DCA cycle starts.

• SSIDs with TKIP and SSIDs with TKIP+AES are not enabled on the 802.11ac radios. Therefore, all the 5-GHz clients are expected to associate with the 802.11n radios.


Configuring the 802.11ac High-Throughput Parameters (GUI)

Step 1 Choose Wireless > 802.11a/n/ac > High Throughput (802.11n/ac).

Step 2 Select the 11ac mode check box to enable the 802.11ac support on the network.

Note

You can modify the 802.11ac status only if the 802.11n mode is enabled.

Step 3 Check the check boxes of the desired rates to specify the Modulation and Coding Scheme (MCS) rates at which data can be transmitted between the access point and the client.

MCS index 8 and 9 are specific to 802.11ac. Enabling MCS data rate with index 9 automatically enables data rate with MCS index 8. You can enable or disable MCS index 8 only when MCS index 9 is disabled.

Step 4 Save the configuration.

Configuring the 802.11ac High-Throughput Parameters (CLI)

• Enable or disable 802.11ac support by entering this command:

config 802.11a 11acSupport {enable | disable}

• Configure MCS transmit rates by entering this command:

config 802.11a 11acSupport mcs tx {rate-8 | rate-9} ss spatial-stream-value {enable | disable}

Note

Enabling MCS data rate with MCS index 9 automatically enables data rate with MCS index 8.


CHAPTER 6

Configuring DHCP Proxy

Information About Configuring DHCP Proxy, page 93

Restrictions on Using DHCP Proxy, page 93

Configuring DHCP Proxy (GUI), page 94

Configuring DHCP Proxy (CLI), page 94

Configuring a DHCP Timeout (GUI), page 95

Configuring a DHCP Timeout (CLI), page 95

Information About Configuring DHCP Proxy

When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from the client to the configured servers. At least one DHCP server must be configured on either the interface associated with the WLAN or the WLAN itself.

When DHCP proxy is disabled on the controller, those DHCP packets transmitted to and from the clients are bridged by the controller without any modification to the IP portion of the packet. Packets received from the client are removed from the CAPWAP tunnel and transmitted on the upstream VLAN. DHCP packets directed to the client are received on the upstream VLAN, converted to 802.11, and transmitted through a CAPWAP tunnel toward the client. As a result, the internal DHCP server cannot be used when DHCP proxy is disabled.

The ability to disable DHCP proxy allows organizations to use DHCP servers that do not support Cisco’s native proxy mode of operation. It should be disabled only when required by the existing infrastructure.

Note

DHCP proxy is enabled by default.

Restrictions on Using DHCP Proxy

• DHCP proxy must be enabled in order for DHCP option 82 to operate correctly.

• All controllers that will communicate must have the same DHCP proxy setting.

• DHCP v6 Proxy is not supported.


Configuring DHCP Proxy (GUI)

Step 1 Choose Controller > Advanced > DHCP to open the DHCP Parameters page.

Step 2 Select the Enable DHCP Proxy check box to enable DHCP proxy on a global basis. Otherwise, unselect the check box. The default value is selected.

Step 3 Click Apply to commit your changes.

Step 4 Click Save Configuration to save your changes.

Configuring DHCP Proxy (GUI)

Step 1 Choose Controller > Interfaces.

Step 2 Select the interface on which you want to configure the DHCP proxy.

You can configure the DHCP proxy on the management, virtual, ap manager, or dynamic interfaces in the controller.

The Interfaces > Edit page is displayed with DHCP information on the primary and secondary DHCP servers configured in the controller. If the primary and secondary servers are not listed, you must enter values for the IP address of the DHCP servers in the text boxes displayed in this window.

Step 3 From the proxy mode drop-down list, select one of the following options to enable DHCP proxy on the selected management interface:

Global—Uses the global DHCP proxy mode on the controller.

Enabled—Enables the DHCP proxy mode on the interface. When you enable DHCP proxy on the controller, the controller unicasts the DHCP requests from the client to the configured servers. You must configure at least one DHCP server on either the interface associated with the WLAN or on the WLAN.

Disabled—Disables the DHCP proxy mode on the interface. When you disable the DHCP proxy on the controller, the DHCP packets transmitted to and from the clients are bridged by the controller without any modification to the IP portion of the packet. Packets received from the client are removed from the CAPWAP tunnel and transmitted on the upstream VLAN. DHCP packets directed to the client are received on the upstream VLAN, converted to 802.11, and transmitted through a CAPWAP tunnel toward the client. As a result, the internal DHCP server cannot be used when DHCP proxy is disabled.

Step 4 To ensure additional security when DHCP is used to allocate network addresses, check the Enable DHCP option 82 check box.

Step 5 Click Apply to save the configuration.

Configuring DHCP Proxy (CLI)

Step 1 Enable or disable DHCP proxy by entering this command:

config dhcp proxy {enable | disable}

Step 2 View the DHCP proxy configuration by entering this command:

show dhcp proxy

Information similar to the following appears:

DHCP Proxy Behavior: enabled

Configuring DHCP Proxy (CLI)

Step 1 Configure the DHCP primary and secondary servers on the interface. To do this, enter the following commands:

config interface dhcp management primary primary-server

config interface dhcp dynamic-interface interface-name primary primary-s

Step 2 Configure DHCP proxy on the management or dynamic interface of the controller. To do this, enter the following command:

config interface dhcp management proxy-mode {enable | global | disable}

config interface dhcp dynamic-interface interface-name proxy-mode {enable | global | disable}

Note

To ensure additional security when DHCP is configured, use the config interface dhcp interface-type option-82 enable command.

Step 3 Enter the save config command.

Step 4 To view the proxy settings of the controller interface, enter the show dhcp proxy command.

Configuring a DHCP Timeout (GUI)

Step 1 Choose Controller > Advanced > DHCP to open the DHCP Parameters page.

Step 2 Select the DHCP Timeout (5 - 120 seconds) check box to enable a DHCP timeout on a global basis. Otherwise, unselect the check box. The valid range is 5 through 120 seconds.

Step 3 Click Apply to commit your changes.

Step 4 Click Save Configuration to save your changes.

Configuring a DHCP Timeout (CLI)

Configure a DHCP timeout by entering this command:

config dhcp timeout seconds


CHAPTER 7

Configuring DHCP Link Select and VPN Select

Prerequisites for Configuring DHCP Link Select and VPN Select, page 97

Information About Configuring DHCP Link Select and VPN Select, page 97

Configuring DHCP Link Select and VPN Select (CLI), page 99

Configuring DHCP Link Select and VPN Select (GUI), page 100

Prerequisites for Configuring DHCP Link Select and VPN Select

• The DHCP mode should be set to proxy.

• The DHCP external server should be configured.

• DHCP Option 82 must be enabled on the controller.

• The interface being configured should not be of type service or virtual.

• The relay source interface name should be a valid interface with IP address configured.

Note

Proxy mode is not supported for IPv6.

Information About Configuring DHCP Link Select and VPN Select

In a wireless environment, when a client requests a DHCP address, the giaddr field in the DHCP DISCOVER packet tells the DHCP server the subnet from which the IP address is to be assigned. The giaddr field also specifies the address that the DHCP server uses to communicate with the DHCP relay agent (the controller). It is difficult to guarantee that the controller IP address in that subnet is reachable from the DHCP server, so link-selection information that is distinct from the controller's reachable address must be sent to the DHCP server. DHCP link select (DHCP option 82, suboption 5), configured on the controller interface, carries this link-selection information, distinct from the controller's reachable address, to the DHCP server.


In a large network's wireless environment, the Cisco Network Registrar (CNR) server, which is a DHCP server, has multiple pools created based on VPN IDs or VRF names. Using these pools, you can assign an IP address to a client with the help of the DHCP VPN Select option (DHCP option 82 and suboption 151). When you enable DHCP VPN Select (DHCP option 82 and suboption 151) on the controller interface, the controller sends the VPN ID or VRF name of the pool from which the IP address has to be assigned to the client. The DHCP VPN Select option enables easy-to-operate, shared usage of a centralized DHCP server, resulting in cost savings.

DHCP Link Select

Configure DHCP Link Select (DHCP option 82, suboption 5) on the management and dynamic interfaces of the controller. Before configuring DHCP Link Select on the controller interface, enable the DHCP proxy and DHCP option 82 on that interface.

When the Link Select option is enabled on the controller interface, suboption 5 is added to the packet with the IP address information that contains the desired subnet address for the corresponding client. The subnet address is the controller interface address mapped to the client VLAN interface. The DHCP server uses the subnet address to assign the IP address to the DHCP client.

DHCP VPN Select

Configure DHCP VPN Select (DHCP option 82, suboption 151) on the management and dynamic interfaces of the controller. Before configuring DHCP VPN Select on the controller interface, enable the DHCP proxy and DHCP option 82 on that interface.

You can configure different VPN IDs or VRF names on the same controller or different controllers using the VPN Select feature configured on the controller interface. Configuring the VPN Select feature results in the DHCP server VPN pools having nonoverlapping addresses.

You must add VSS Control suboption 152 every time VSS suboption 151 is sent to the DHCP server. If the DHCP server understands and acts on VSS suboption 151, VSS Control suboption 152 is removed from the DHCP acknowledgment. If the DHCP server copies back VSS Control suboption 152 in the DHCP acknowledgment, it means that the DHCP server does not have the required support for the VSS suboption.
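The Link Select and VPN Select sections above describe three option 82 suboptions that the controller adds as relay agent and that the DHCP server either honours or echoes back. The following added example (not Cisco code, and not controller output) decodes them from the option area of a DHCP packet: suboption 5 carries the link (subnet) address, suboption 151 carries the VRF name or the seven-octet VPN-ID in the oui:vpn-index form the guide describes, and the presence of suboption 152 in an acknowledgment is the signal, stated above, that the server lacks VSS support. Suboption numbers are the standard values from RFC 3527 and RFC 6607; all packets are constructed samples, and the VPN-ID uses a placeholder OUI.

```python
"""Decode the DHCP option 82 suboptions used by Link Select and VPN Select.

Added example, not Cisco code. Suboption numbers are the standard ones:
5 = Link Selection (RFC 3527), 151 = Virtual Subnet Selection (VSS) and
152 = VSS-Control (RFC 6607). Only the DHCP option area that follows the
magic cookie is modelled; all packets below are constructed samples.
"""
from __future__ import annotations
import ipaddress

OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82
OPT_PAD, OPT_END = 0, 255
SUB_LINK_SELECT, SUB_VSS, SUB_VSS_CONTROL = 5, 151, 152


def parse_tlv(data: bytes, dhcp_options: bool) -> dict[int, bytes]:
    """Parse code/length/value triples. Top-level DHCP options honour PAD and
    END; option 82 suboptions do not. A truncated trailing element is dropped."""
    out: dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if dhcp_options and code == OPT_END:
            break
        if dhcp_options and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            break
        length = data[i + 1]
        if i + 2 + length > len(data):
            break  # truncated element
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def decode_vss(payload: bytes) -> dict | None:
    """VSS suboption: type 0 = ASCII VRF name, 1 = 7-octet RFC 2685 VPN-ID
    (3-byte OUI + 4-byte index, the guide's oui:vpn-index form), 255 = global."""
    if not payload:
        return None
    kind, value = payload[0], payload[1:]
    if kind == 0:
        return {"type": "vrf-name", "value": value.decode("ascii", "replace")}
    if kind == 1 and len(value) == 7:
        return {"type": "vpn-id", "value": f"{value[:3].hex()}:{value[3:].hex()}"}
    if kind == 255:
        return {"type": "global", "value": None}
    return {"type": "unknown", "value": payload.hex()}


def parse_option82(options: bytes) -> dict:
    """Return the relay-agent information carried in option 82, if any."""
    info = {"link_select": None, "vss": None, "vss_control": False}
    raw = parse_tlv(options, dhcp_options=True).get(OPT_RELAY_AGENT)
    if raw is None:
        return info
    subs = parse_tlv(raw, dhcp_options=False)
    if SUB_LINK_SELECT in subs and len(subs[SUB_LINK_SELECT]) == 4:
        info["link_select"] = str(ipaddress.IPv4Address(subs[SUB_LINK_SELECT]))
    if SUB_VSS in subs:
        info["vss"] = decode_vss(subs[SUB_VSS])
    info["vss_control"] = SUB_VSS_CONTROL in subs
    return info


def server_supports_vss(ack_options: bytes) -> bool:
    """A VSS-aware server removes suboption 152 from the ACK; a server that
    merely echoes option 82 copies it back unchanged."""
    return not parse_option82(ack_options)["vss_control"]


def _relay_info(*subs: bytes) -> bytes:
    body = b"".join(subs)
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


# Constructed suboptions: link 10.20.30.0, VPN-ID with placeholder OUI 000001 and index 0x2a
SUB5 = bytes([SUB_LINK_SELECT, 4]) + bytes([10, 20, 30, 0])
SUB151 = bytes([SUB_VSS, 8, 1]) + bytes.fromhex("000001") + bytes.fromhex("0000002a")
SUB152 = bytes([SUB_VSS_CONTROL, 0])

# Constructed DISCOVER as relayed by the controller (message type 1)
DISCOVER_OPTS = bytes([OPT_MSG_TYPE, 1, 1]) + _relay_info(SUB5, SUB151, SUB152) + bytes([OPT_END])
# Constructed ACKs (message type 5): VSS-aware server drops 152, legacy server echoes it
ACK_VSS_OK = bytes([OPT_MSG_TYPE, 1, 5]) + _relay_info(SUB5, SUB151) + bytes([OPT_END])
ACK_VSS_UNSUPPORTED = bytes([OPT_MSG_TYPE, 1, 5]) + _relay_info(SUB5, SUB151, SUB152) + bytes([OPT_END])

if __name__ == "__main__":
    print(parse_option82(DISCOVER_OPTS))
    print("VSS-aware server:", server_supports_vss(ACK_VSS_OK))
    print("legacy server:", server_supports_vss(ACK_VSS_UNSUPPORTED))
```

Running parse_option82 over captured ACKs from a new DHCP server before rolling VPN Select out to production is a quick way to confirm the server actually acts on suboption 151 rather than silently handing out addresses from the wrong pool.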

Mobility Considerations

Same Subnet

VPN ID or VRF name mapping to a WLAN should be the same on all the controllers in a mobility group.

For example, if the WLAN1 interface maps to VPN ID 1 and the WLAN2 interface maps to VPN ID 2 on WLC A, then WLC B should also have the WLAN1 interface mapping to VPN ID 1 and the WLAN2 interface mapping to VPN ID 2. This way, when a client L2 roams to another WLC, the roamed WLC's DHCP configuration will ensure that the client is assigned an address from the same VPN.

Different subnet mobility

With L3 mobility, all the DHCP DISCOVER packets are sent to the anchor and the assignment of the original VPN is ensured.

Auto anchor mobility

All the DHCP DISCOVER packets are sent to the anchor and the assignment of the original VPN is ensured.


Configuring DHCP Link Select and VPN Select (CLI)

Step 1 Configure the dynamic interface using the following command:

config interface dhcp dynamic-interface interface-name {option-82 | primary | proxy-mode}

Step 2 Configure DHCP option 82 on a dynamic interface using the following command:

config interface dhcp dynamic-interface interface-name option-82 {enable | disable | linksel | vpnsel}

Step 3 Configure Link Select suboption 5 on a dynamic interface using the following command:

config interface dhcp dynamic-interface interface-name option-82 linksel {enable | disable | relaysrc}

• To enable link select on the dynamic interface, first enter the config interface dhcp dynamic-interface interface-name option-82 linksel relaysrc command, followed by the config interface dhcp dynamic-interface interface-name option-82 linksel enable command.

Step 4 Configure VPN Select suboption 151 on a dynamic interface using the following command:

config interface dhcp dynamic-interface interface-name option-82 vpnsel {enable | disable | vrfname vrf-name | vpnid vpn-id}

The value of vpn-id is denoted in the oui:vpn-index format xxxxxx:xxxxxxxx.

You can configure either VPN ID or VRF name for VPN Select on the dynamic interface. If VPN ID is already configured and you try to configure VRF name, then the earlier configuration is cleared when VPN select is disabled.

VRF name is denoted as a string of seven octets.

To enable VPN select on a dynamic interface, first enter the config interface dhcp dynamic-interface interface-name option-82 vpnsel vpnid vpn-id or config interface dhcp dynamic-interface interface-name option-82 vpnsel vrfname vrf-name command, followed by the config interface dhcp dynamic-interface interface-name option-82 vpnsel enable command.

Step 5 Configure Link Select suboption 5 on the management interface using the following command:

config interface dhcp management option-82 linkselect {enable | disable | relaysrc interface-name}

• To enable link select on the management interface, enter the config interface dhcp management option-82 linkselect relaysrc command followed by the config interface dhcp management option-82 linkselect enable command.

Step 6 Configure VPN Select suboption 151 on the management interface using the following command:

config interface dhcp management option-82 vpnselect {enable | disable | vpnid vpn-id | vrfname vrf-name}

VPN ID value is denoted in the oui:vpn-index format xxxxxx:xxxxxxxx.

You can configure either VPN ID or VRF name for VPN select on the management interface. If VPN ID is already configured and you try to configure VRF name, then the earlier configuration is cleared when VPN select is disabled.

VRF name is denoted as a string of seven octets.

To enable VPN select on the management interface, enter the config interface dhcp management option-82 vpnsel vpnid vpn-id or config interface dhcp management option-82 vpnselect vrfname vrf-name command followed by the config interface dhcp management option-82 vpnsel enable command.

Step 7 Save the configuration using the following command:

save config

Step 8 To view the details of the Link Select settings or the VPN Select interface settings, enter the following command:

show interface detailed

Configuring DHCP Link Select and VPN Select (GUI)

Step 1 Choose Controller > Interfaces.

Step 2 Select the interface on which you want to configure DHCP option-82 link select or VPN select.

You can configure the DHCP option-82 link select on the management or dynamic interfaces in the controller.

The Interfaces > Edit page is displayed with DHCP information on the primary and secondary DHCP servers configured in the controller. If the primary and secondary servers are not listed, you must enter values for the IP address of the DHCP servers in the text boxes displayed in this window.

Step 3 Select the Enable DHCP Option 82 check box to enable DHCP option 82 on the interface.

Step 4 Select the Enable DHCP Option 82-Link Select check box to enable link select on the interface.

Step 5 From the Link Select relay source drop-down list, choose management or dynamic to enable link select on the interface.

When link select is enabled, you can select any management or dynamic interface configured on the controller as the relay source.

Step 6 Select the Enable DHCP Option 82-VPN Select check box to enable VPN select on the management interface.

When VPN select is enabled, you can configure either VRF Name or VPN ID. If you try to configure both options, you are prompted with an error message.

Step 7 In the VPN Select - VRF name text box, enter the VRF name.

Step 8 In the VPN Select - VPN ID text box, enter the VPN ID.

The VPN ID must be provided in the format xxxxxx:xxxxxxxx.

Step 9 Click Apply to save the configuration.


CHAPTER 8

Configuring SNMP

Configuring SNMP (CLI), page 101

SNMP Community Strings, page 103

Configuring Real Time Statistics (CLI), page 105

Configuring SNMP Trap Receiver (GUI), page 105

Configuring SNMP (CLI)

• Create an SNMP community name by entering this command:

config snmp community create name

• Delete an SNMP community name by entering this command:

config snmp community delete name

• Configure an SNMP community name with read-only privileges by entering this command:

config snmp community accessmode ro name

• Configure an SNMP community name with read-write privileges by entering this command:

config snmp community accessmode rw name

• For IPv4 configuration—Configure an IPv4 address and subnet mask for an SNMP community by entering this command:

config snmp community ipaddr ip-address ip-mask name

Note

This command behaves like an SNMP access list: it specifies the source address from which the controller accepts SNMP packets carrying the associated community string. The controller performs a bitwise AND between the requesting entity's IP address and the subnet mask and compares the result with the configured IP address. The default is 0.0.0.0 with a mask of 0.0.0.0, which matches every source address, so a community left at the default is reachable from any host that can send UDP packets to the controller. Restrict each community to the management station or subnet that actually needs it.

Note

The controller can use only one IP address range to manage an SNMP community.

• For IPv6 configuration—Configure an IPv6 address and prefix-length for an SNMP community by entering this command:


config snmp community ipaddr ipv6-address ip-mask name

• Enable or disable a community name by entering this command:

config snmp community mode {enable | disable} name

• Enable or disable the IPSec session for a community by entering this command:

config snmp community ipsec {enable | disable} name

• Configure the IKE authentication method by entering this command:

config snmp community ipsec ike auth-mode {certificate | pre-shared-key ascii/hex secret}

Authentication mode can be configured per community. By default, the authentication mode is set to certificate. The community's IPSec session must be in the disabled state before you change the authentication mode.

• Configure a destination for a trap by entering this command:

config snmp trapreceiver create name ip-address

• Delete a trap by entering this command:

config snmp trapreceiver delete name

• Change the destination for a trap by entering this command:

config snmp trapreceiver ipaddr old-ip-address name new-ip-address

• Configure the trap receiver IPSec session by entering this command:

config snmp trapreceiver ipsec {enable | disable} community-name

Trap receiver IPSec must be in the disabled state to change the authentication mode.

• Configure the IKE authentication method by entering this command:

config snmp trapreceiver ipsec ike auth-mode {certificate | pre-shared-key ascii/hex secret} community-name

Authentication mode can be configured per trap receiver. By default, the authentication mode is set to certificate.

• Enable or disable the traps by entering this command:

config snmp trapreceiver mode {enable | disable}

• Configure the name of the SNMP contact by entering this command:

config snmp syscontact syscontact-name

Enter up to 31 alphanumeric characters for the contact name.

• Configure the SNMP system location by entering this command:

config snmp syslocation syslocation-name

Enter up to 31 alphanumeric characters for the location.

• Verify that the SNMP traps and communities are correctly configured by entering these commands:

show snmpcommunity

show snmptrap

• See the enabled and disabled trap flags by entering this command:

show trapflags

If necessary, use the config trapflags command to enable or disable trap flags.

• Configure when the warning message is displayed as the number of clients or RFID tags associated with the controller approaches the threshold by entering this command:

config trapflags {client | rfid} max-warning-threshold {threshold-between-80-to-100 | enable | disable}


The warning message is displayed at an interval of 600 seconds (10 minutes).

• Configure the SNMP engine ID by entering this command:

config snmp engineID engine-id-string

Note

The engine ID string can be a maximum of 24 characters.

• View the engine ID by entering this command:

show snmpengineID

• Configure the SNMP version by entering this command:

config snmp version {v1 | v2c | v3} {enable | disable}

SNMP Community Strings

The controller ships with the commonly known default values "public" and "private" for the read-only and read-write SNMP community strings. Using these standard values presents a security risk: because the names are public knowledge, anyone who can reach the controller's SNMP port can use them to read the controller configuration and, with the read-write string, to change it. SNMP v1 and v2c also carry the community string in cleartext, so it can be captured anywhere on the network path. Therefore, we strongly advise that you change these values and restrict each community to the source addresses that need it.
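The following Python example is added here as an illustration and is not Cisco's code. It models the source check the IPv4 community ACL note describes (AND the requester's address with the mask, then compare) and then audits a constructed community table for the weaknesses this section warns about: default names, read-write access, and a 0.0.0.0 mask that admits every source. The `Community` fields, the sample entries and the `audit` rules are assumptions for the example; the IPv6 branch generalizes the same check to a prefix length.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


# Assumed field names for one entry of the controller's SNMP v1/v2c community
# table; this is an illustration model, not the WLC's own data structure.
@dataclass(frozen=True)
class Community:
    name: str
    access: str      # "ro" or "rw"
    ipaddr: str      # permitted source address (IPv4 or IPv6)
    ipmask: str      # IPv4 dotted mask, or IPv6 prefix length as a string
    enabled: bool = True


def masked_match_v4(source_ip: str, ipaddr: str, ipmask: str) -> bool:
    """The test the guide describes for IPv4: AND the requester's address
    with the community mask and compare it with the configured address (the
    configured address is masked too, so an unaligned host address behaves
    like its network).  With mask 0.0.0.0 both sides AND to zero, so every
    source matches."""
    src = int(ipaddress.IPv4Address(source_ip))
    cfg = int(ipaddress.IPv4Address(ipaddr))
    mask = int(ipaddress.IPv4Address(ipmask))
    return (src & mask) == (cfg & mask)


def source_permitted(community: Community, source_ip: str) -> bool:
    """Same check for IPv4 (dotted mask) or IPv6 (prefix length), expressed
    as network membership; for IPv4 it agrees with masked_match_v4()."""
    if not community.enabled:
        return False
    network = ipaddress.ip_network(f"{community.ipaddr}/{community.ipmask}", strict=False)
    return ipaddress.ip_address(source_ip) in network


def audit(communities: List[Community]) -> List[Tuple[str, str]]:
    """Flag the weaknesses this section warns about: default names,
    read-write access, and a source ACL that admits any address."""
    findings = []
    for c in communities:
        if not c.enabled:
            continue
        if c.name.lower() in ("public", "private"):
            findings.append((c.name, "well-known default community name"))
        if c.access == "rw":
            findings.append((c.name, "read-write access; can change controller configuration"))
        if ipaddress.ip_network(f"{c.ipaddr}/{c.ipmask}", strict=False).prefixlen == 0:
            findings.append((c.name, "mask 0.0.0.0 or /0: accepts SNMP from any source"))
    return findings


# Constructed sample table: the factory-style entries beside two restricted ones.
SAMPLE_COMMUNITIES = [
    Community("public", "ro", "0.0.0.0", "0.0.0.0"),
    Community("private", "rw", "0.0.0.0", "0.0.0.0"),
    Community("nms-ro-7k2q", "ro", "10.10.5.0", "255.255.255.0"),
    Community("nms-v6-ro", "ro", "2001:db8:10::", "64"),
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_COMMUNITIES):
        print(f"{name}: {problem}")
```

Run against the sample table, only the two default communities are reported; the restricted entries pass because they carry non-default names, read-only access and a source range limited to the management subnet.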

Changing the SNMP Community String Default Values (GUI)

Step 1  Choose Management and then Communities under SNMP. The SNMP v1 / v2c Community page appears.

Step 2  If "public" or "private" appears in the Community Name column, hover your cursor over the blue drop-down arrow for the desired community and choose Remove to delete this community.

Step 3  Click New to create a new community. The SNMP v1 / v2c Community > New page appears.

Step 4  In the Community Name text box, enter a unique name containing up to 16 alphanumeric characters. Do not enter "public" or "private."

Step 5  In the next two text boxes, enter the IPv4 or IPv6 address and the IP mask or prefix length that together define the source addresses from which this device accepts SNMP packets with the associated community.

Step 6  Choose Read Only or Read/Write from the Access Mode drop-down list to specify the access level for this community.

Step 7  Choose Enable or Disable from the Status drop-down list to specify the status of this community.

Step 8  Click Apply to commit your changes.

Step 9  Click Save Configuration to save your settings.

Step 10  Repeat this procedure if a "public" or "private" community still appears on the SNMP v1 / v2c Community page.


Changing the SNMP Community String Default Values (CLI)

Step 1  See the current list of SNMP communities for this controller by entering this command:

show snmp community

Step 2  If "public" or "private" appears in the SNMP Community Name column, enter this command to delete this community:

config snmp community delete name

The name parameter is the community name (in this case, "public" or "private").

Step 3  Create a new community by entering this command:

config snmp community create name

Enter up to 16 alphanumeric characters for the name parameter. Do not enter "public" or "private."

Step 4  For IPv4 specific configuration, enter the IPv4 address and mask from which this device accepts SNMP packets with the associated community by entering this command:

config snmp community ipaddr ip_address ip_mask name

Step 5  For IPv6 specific configuration, enter the IPv6 address and prefix length from which this device accepts SNMP packets with the associated community by entering this command:

config snmp community ipaddr ip_address prefix_length name

Step 6  Specify the access level for this community by entering this command, where ro is read-only mode and rw is read/write mode:

config snmp community accessmode {ro | rw} name

Step 7  Enable or disable this SNMP community by entering this command:

config snmp community mode {enable | disable} name

Step 8  Enable or disable the SNMP IPSec session for this community by entering this command:

config snmp community ipsec {enable | disable} name

By default, the SNMP IPSec session is disabled. The SNMP IPSec session must be in the disabled state before you change the authentication mode.

Step 9  Configure the IKE authentication method by entering this command:

config snmp community ipsec ike auth-mode {certificate | pre-shared-key ascii/hex secret}

• If the authentication mode is pre-shared-key, enter a secret value. The secret can be either an ASCII or a hexadecimal value.

• If the authentication mode is certificate, the controller uses the IPSec CA certificate (ipsecCaCert) and the IPSec device certificate (ipsecDevCert) for SNMP over IPSec. You must download these certificates to the controller with the transfer download datatype {ipseccacert | ipsecdevcert} command.

Step 10  Save your changes by entering this command:

save config

Step 11  Repeat this procedure if you still need to change the default values for a "public" or "private" community string.


Configuring Real Time Statistics (CLI)

SNMP traps are defined for CPU and memory utilization of the AP and the controller. The SNMP trap is sent out when the threshold is crossed. The sampling period and statistics update interval can be configured using SNMP and the CLI.

Note

To get the right value for the current memory usage, you should configure either sampling interval or statistics interval.

• Configure the sampling interval by entering this command:

config service statistics sampling-interval seconds

• Configure the statistics interval by entering this command:

config service statistics statistics-interval seconds

• See sampling and service interval statistics by entering this command:

show service statistics interval

SNMP Trap Enhancements

This feature soaks SNMP traps and resends them after a configurable threshold called the hold time. The hold time helps suppress false traps caused by momentary spikes. The traps that are supported are for CPU and memory utilization of the AP and the controller. The trap is retransmitted until the condition is cleared.

• Configure the hold time after which the SNMP traps are to be resent by entering this command:

config service alarm hold-time seconds

• Configure the retransmission interval of the trap by entering this command:

config service alarm trap retransmit-interval seconds

• Configure debugging of the traps by entering this command:

debug service alarm {enable | disable}
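The following Python model is added here to show the soak-and-resend behavior the hold time and retransmit interval produce; it is an illustration, not the controller's implementation. The class and method names, the threshold value, the "SET"/"RESEND"/"CLEAR" event labels and the sample CPU series are all assumptions. The constructed series contains a 10-second spike that a 30-second hold time suppresses, followed by a sustained overload that is trapped, retransmitted once, and then cleared.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SoakedAlarm:
    """Assumed model of trap soaking: a trap is sent only after utilization has
    stayed above the threshold for hold_time seconds, it is re-sent every
    retransmit_interval seconds while the condition persists, and a clear
    event is produced when the value drops back."""
    threshold: float            # utilization percentage that sets the alarm
    hold_time: int              # config service alarm hold-time (seconds)
    retransmit_interval: int    # config service alarm trap retransmit-interval (seconds)
    above_since: Optional[int] = None
    last_sent: Optional[int] = None
    active: bool = False

    def sample(self, t: int, value: float) -> Optional[str]:
        """Feed one utilization sample taken at time t (seconds).
        Returns "SET", "RESEND", "CLEAR", or None when nothing is sent."""
        if value > self.threshold:
            if self.above_since is None:
                self.above_since = t           # start of the current excursion
            if not self.active:
                if t - self.above_since >= self.hold_time:
                    self.active = True         # condition soaked long enough
                    self.last_sent = t
                    return "SET"
                return None                    # still soaking: suppressed
            if t - self.last_sent >= self.retransmit_interval:
                self.last_sent = t
                return "RESEND"                # alarm persists: retransmit
            return None
        # Value back at or below the threshold.
        self.above_since = None
        if self.active:
            self.active = False
            self.last_sent = None
            return "CLEAR"
        return None


def trap_events(alarm: SoakedAlarm, samples: List[Tuple[int, float]]) -> List[Tuple[int, str]]:
    """Run a sample series through the alarm and return the traps it would send."""
    events = []
    for t, value in samples:
        event = alarm.sample(t, value)
        if event is not None:
            events.append((t, event))
    return events


# Constructed controller CPU samples, one every 10 s: a 10 s spike at t=10
# (which a hold time of 30 s should suppress) followed by a sustained load.
CPU_SAMPLES = [(0, 50.0), (10, 90.0), (20, 50.0)] + \
              [(t, 85.0) for t in range(30, 130, 10)] + [(130, 40.0)]

if __name__ == "__main__":
    alarm = SoakedAlarm(threshold=80.0, hold_time=30, retransmit_interval=60)
    print(trap_events(alarm, CPU_SAMPLES))   # [(60, 'SET'), (120, 'RESEND'), (130, 'CLEAR')]
```

With a hold time of 0 the same series produces a trap for the 10-second spike as well, which is the false-trap case the hold time exists to suppress.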

Configuring SNMP Trap Receiver (GUI)

Step 1  Choose Management > SNMP > Trap Receivers.

Step 2  Click New.

Step 3  On the SNMP Trap Receiver > New page, specify the trap receiver details:

a) In the Community Name box, enter the SNMP trap receiver name.

b) In the IP Address(Ipv4/Ipv6) box, enter the IP address of the receiver. Both IPv4 and IPv6 address formats are supported.

c) From the Status drop-down list, choose to Enable or Disable the trap receiver.

d) Check the IPSec check box if you want to configure IPSec parameters for the trap receiver.

e) From the Auth Method drop-down list, choose the IKE authentication method as either Certificate or PSK.

• If the authentication mode is certificate, Cisco WLC uses the IPSec CA certificate (ipsecCaCert) and the IPSec device certificate (ipsecDevCert) for SNMP over IPSec.

• If the authentication mode is pre-shared-key, enter a secret value. The secret value can be either an ASCII or a hexadecimal value.

You can create a maximum of 6 such SNMP trap receivers.

Step 4  Save the configuration.


Chapter 9

Configuring Aggressive Load Balancing

Information About Configuring Aggressive Load Balancing, page 107

Configuring Aggressive Load Balancing (GUI), page 108

Configuring Aggressive Load Balancing (CLI), page 109

Information About Configuring Aggressive Load Balancing

Enabling aggressive load balancing on the controller allows lightweight access points to load balance wireless clients across access points. You can enable aggressive load balancing using the controller.

Note

Clients are load balanced between access points on the same controller. Load balancing does not occur between access points on different controllers.

When a wireless client attempts to associate to a lightweight access point, the access point can answer with an 802.11 association response whose status code is 17, which tells the client that the AP is busy. The AP responds with a status of success if its load threshold has not been reached, and with status code 17 (AP busy) if its utilization threshold is exceeded and another, less busy AP also heard the client's request.

For example, if the number of clients on AP1 is more than the number of clients on AP2 plus the load-balancing window, then AP1 is considered to be busier than AP2. When a client attempts to associate to AP1, it receives an 802.11 response packet with status code 17, indicating that the access point is busy, and the client attempts to associate to a different access point.

You can configure the controller to deny client associations up to 10 times (if a client attempted to associate 11 times, it would be allowed to associate on the 11th try). You can also enable or disable load balancing on a particular WLAN, which is useful if you want to disable load balancing for a select group of clients (such as time-sensitive voice clients).

Note

A voice client does not authenticate when the configured delay is more than 300 ms. This can be reproduced by configuring a central-authentication, local-switching WLAN with CCKM, inserting a Pagent router between the AP and the WLC with a delay of 600 ms (300 ms up and 300 ms down), and trying to associate the voice client.


Passive scanning clients will be able to associate to an AP irrespective of whether load balancing is enabled or not.

Note

Cisco 600 Series OfficeExtend Access Points do not support client load balancing.

Starting with Release 7.4, FlexConnect access points support client load balancing.

You can configure the controller to analyze the WAN interface utilization of neighboring APs and then load balance the clients across the lightly loaded APs. You can configure this by defining a load balancing threshold.

By defining the threshold, you can measure the WAN interface utilization percentage. For example, a threshold value of 50 triggers the load balancing upon detecting utilization of 50% or more on an AP-WAN interface.

Note

For a FlexConnect AP, the association is handled locally, but the load-balancing decisions are taken at the Cisco WLC. A FlexConnect AP therefore responds to the client before it knows the result of the calculation at the Cisco WLC. Load balancing does not take effect when the FlexConnect AP is in standalone mode.

A FlexConnect AP does not send a (re)association response with status 17 for load balancing as local mode APs do; instead, it first sends a (re)association response with status 0 (success) and then a deauthentication with reason code 5.

Configuring Aggressive Load Balancing (GUI)

Step 1  Choose Wireless > Advanced > Load Balancing to open the Load Balancing page.

Step 2  In the Client Window Size text box, enter a value between 1 and 20.

The window size becomes part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations:

load-balancing window + client associations on AP with the lightest load = load-balancing threshold

In the group of access points accessible to a client device, each access point has a different number of client associations. The access point with the lowest number of clients has the lightest load. The client window size plus the number of clients on the access point with the lightest load forms the threshold. Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold.

Step 3  In the Maximum Denial Count text box, enter a value between 0 and 10.

The denial count sets the maximum number of association denials during load balancing.

Step 4  Click Apply.

Step 5  Click Save Configuration.

Step 6  To enable or disable aggressive load balancing on specific WLANs, do the following:

a) Choose WLANs > WLAN ID. The WLANs > Edit page appears.

b) In the Advanced tab, select or unselect the Client Load Balancing check box.

c) Click Apply.

d) Click Save Configuration.
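The following Python model is added here to work through the threshold formula and the denial count from the steps above and from the description earlier in this chapter; it is an illustration, not Cisco's code. The `LoadBalancer` class, its field names and the constructed scenario (window 5, denial count 2, AP1 carrying 12 clients and AP2 carrying 3) are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

ASSOC_SUCCESS = 0   # 802.11 association status: success
ASSOC_AP_BUSY = 17  # 802.11 association status the guide describes: AP busy


@dataclass
class LoadBalancer:
    """Assumed model of the decision: `window` is the Client Window Size,
    `max_denials` the Maximum Denial Count, and `ap_clients` the current
    association count of every AP on this controller (load balancing never
    spans controllers)."""
    window: int
    max_denials: int
    ap_clients: Dict[str, int]
    denials: Dict[str, int] = field(default_factory=dict)  # client MAC -> denials so far

    def threshold(self) -> int:
        """load-balancing window + clients on the AP with the lightest load."""
        return self.window + min(self.ap_clients.values())

    def is_busy(self, ap: str) -> bool:
        return self.ap_clients[ap] > self.threshold()

    def association_status(self, ap: str, client_mac: str, heard_by: Iterable[str]) -> int:
        """Status code `ap` answers with.  `heard_by` lists the APs on this
        controller that also heard the client's request; a denial requires a
        less busy one among them.  After max_denials denials the client is
        admitted regardless (deny up to 10 times, allow on the 11th try)."""
        alternatives = [o for o in heard_by
                        if o != ap and self.ap_clients[o] < self.ap_clients[ap]]
        denied_so_far = self.denials.get(client_mac, 0)
        if self.is_busy(ap) and alternatives and denied_so_far < self.max_denials:
            self.denials[client_mac] = denied_so_far + 1
            return ASSOC_AP_BUSY
        self.ap_clients[ap] += 1                 # association accepted
        self.denials.pop(client_mac, None)
        return ASSOC_SUCCESS


def retry_until_admitted(lb: LoadBalancer, ap: str, client_mac: str,
                         heard_by: Iterable[str], max_tries: int = 20) -> List[int]:
    """A client that keeps retrying the same AP; returns the status codes it received."""
    heard_by = list(heard_by)
    statuses = []
    for _ in range(max_tries):
        status = lb.association_status(ap, client_mac, heard_by)
        statuses.append(status)
        if status == ASSOC_SUCCESS:
            break
    return statuses


if __name__ == "__main__":
    # Constructed scenario: window 5, denial count 2, AP1 with 12 clients, AP2 with 3.
    lb = LoadBalancer(window=5, max_denials=2, ap_clients={"AP1": 12, "AP2": 3})
    print(lb.threshold())                                                         # 8
    print(retry_until_admitted(lb, "AP1", "00:11:22:33:44:55", ["AP1", "AP2"]))  # [17, 17, 0]
```

The threshold is 5 + 3 = 8, so AP1 (12 clients) is busy and AP2 is not. A client that AP2 can also hear is refused twice with status 17 and admitted on its third attempt; a client that only AP1 hears, or any client when the denial count is 0, is admitted immediately.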


Configuring Aggressive Load Balancing (CLI)

Step 1  Set the client window for aggressive load balancing by entering this command:

config load-balancing window client_count

You can enter a value between 0 and 20 for the client_count parameter.

Step 2  Set the denial count for load balancing by entering this command:

config load-balancing denial denial_count

You can enter a value between 1 and 10 for the denial_count parameter.

Step 3  Save your changes by entering this command:

save config

Step 4  Enable or disable aggressive load balancing on specific WLANs by entering this command:

config wlan load-balance allow {enable | disable} wlan_ID

You can enter a value between 1 and 512 for the wlan_ID parameter.

Step 5  Verify your settings by entering this command:

show load-balancing

Step 6  Save your changes by entering this command:

save config

Step 7  Configure the load balance mode on a WLAN by entering this command:

config wlan load-balance mode {client-count | uplink-usage} wlan-id

This feature requires the AP to upload its uplink usage statistics to the controller periodically. Check these statistics by entering this command:

show ap stats system cisco-AP


Chapter 10

Configuring Fast SSID Changing

Information About Configuring Fast SSID Changing, page 111

Configuring Fast SSID Changing (GUI), page 111

Configuring Fast SSID Changing (CLI), page 111

Information About Configuring Fast SSID Changing

When fast SSID changing is enabled, the controller allows clients to move faster between SSIDs. When fast SSID is enabled, the client entry is not cleared and the delay is not enforced.

When fast SSID changing is disabled, the controller enforces a delay before clients are allowed to move to a new SSID. When fast SSID is disabled and the client sends a new association for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID.

Configuring Fast SSID Changing (GUI)

Step 1  Choose Controller to open the General page.

Step 2  From the Fast SSID Change drop-down list, choose Enabled to enable this feature or Disabled to disable it. The default value is disabled.

Step 3  Click Apply to commit your changes.

Step 4  Click Save Configuration to save your changes.

Configuring Fast SSID Changing (CLI)

Step 1  Enable or disable fast SSID changing by entering this command:

config network fast-ssid-change {enable | disable}

Step 2  Save your changes by entering this command:

save config


Chapter 11

Configuring 802.3 Bridging

Configuring 802.3 Bridging, page 113

Enabling 802.3X Flow Control, page 114

Configuring 802.3 Bridging

Information About Configuring 802.3 Bridging

The controller supports 802.3 frames and the applications that use them, such as those typically used for cash registers and cash register servers. However, to make these applications work with the controller, the 802.3 frames must be bridged on the controller.

You can also configure 802.3 bridging using the Cisco Prime Network Control System. See the Cisco Prime Network Control System Configuration Guide for instructions.

Restrictions on 802.3 Bridging

• Support for raw 802.3 frames allows the controller to bridge non-IP frames for applications not running over IP. The raw 802.3 frame contains the destination MAC address, source MAC address, total packet length, and payload.

• By default, Cisco 5500 Series Controllers bridge all non-IPv4 packets (such as AppleTalk, IPv6, and so on). You can also use ACLs to block the bridging of these protocols.


Configuring 802.3 Bridging (GUI)

Step 1  Choose Controller > General to open the General page.

Step 2  From the 802.3 Bridging drop-down list, choose Enabled to enable 802.3 bridging on your controller or Disabled to disable this feature. The default value is Disabled.

Step 3  Click Apply to commit your changes.

Step 4  Click Save Configuration to save your changes.

Configuring 802.3 Bridging (CLI)

Step 1  See the current status of 802.3 bridging for all WLANs by entering this command:

show network

Step 2  Enable or disable 802.3 bridging globally on all WLANs by entering this command:

config network 802.3-bridging {enable | disable}

The default value is disabled.

Step 3  Save your changes by entering this command:

save config

Enabling 802.3X Flow Control

802.3X Flow Control is disabled by default. To enable it, enter the config switchconfig flowcontrol enable command.


Chapter 12

Configuring Multicast

Configuring Multicast Mode, page 115

Configuring Bridging of Link Local Traffic, page 122

Configuring Multicast Domain Name System, page 122

Multicast Configuration for Cisco vWLC, Flex 7510, 5520, 8510, and 8540 WLCs, page 132

Configuring Multicast Mode

Information About Multicast Mode

If your network supports packet multicasting, you can configure the multicast method that the controller uses.

The controller performs multicasting in two modes:

• Unicast mode—In this mode, the controller unicasts every multicast packet to every access point associated to the controller. This mode is inefficient but might be required on networks that do not support multicasting.

• Multicast mode—In this mode, the controller sends multicast packets to a CAPWAP multicast group.

This method reduces overhead on the controller processor and shifts the work of packet replication to your network, which is much more efficient than the unicast method.

When you enable multicast mode and the controller receives a multicast packet from the wired LAN, the controller encapsulates the packet using CAPWAP and forwards the packet to the CAPWAP multicast group address. The controller always uses the management interface for sending multicast packets. Access points in the multicast group receive the packet and forward it to all the BSSIDs mapped to the interface on which clients receive multicast traffic. From the access point perspective, the multicast appears to be a broadcast to all SSIDs.

Note

Until Release 7.5, the port number used for CAPWAP multicast was 12224. From Release 7.6 onwards, the port number used for CAPWAP multicast is 5247.


The controller supports Multicast Listener Discovery (MLD) v1 snooping for IPv6 multicast. This feature keeps track of and delivers IPv6 multicast flows to the clients that request them. To support IPv6 multicast, you must enable Global Multicast Mode.

Note

When you disable the Global Multicast Mode, the controller still forwards the IPv6 ICMP multicast messages, such as router advertisements and DHCPv6 solicits, because they are required for IPv6 to work. As a result, the Global Multicast Mode setting does not affect ICMPv6 and DHCPv6 messages; they are always forwarded whether or not the Global Multicast Mode is enabled.

In controller software 4.2 or later releases, Internet Group Management Protocol (IGMP) snooping is introduced to better direct multicast packets. When this feature is enabled, the controller gathers IGMP reports from the clients, processes them, creates unique multicast group IDs (MGIDs) from the IGMP reports after selecting the Layer 3 multicast address and the VLAN number, and sends the IGMP reports to the infrastructure switch.

The controller sends these reports with the source address as the interface address on which it received the reports from the clients. The controller then updates the access point MGID table on the access point with the client MAC address. When the controller receives multicast traffic for a particular multicast group, it forwards it to all the access points, but only those access points that have active clients listening or subscribed to that multicast group send multicast traffic on that particular WLAN. IP packets are forwarded with an MGID that is unique for an ingress VLAN and the destination multicast group. Layer 2 multicast packets are forwarded with an MGID that is unique for the ingress interface.

When IGMP snooping is disabled, the following is true:

• The controller always uses Layer 2 MGID when it sends multicast data to the access point. Every interface created is assigned one Layer 2 MGID. For example, the management interface has an MGID of 0, and the first dynamic interface created is assigned an MGID of 8, which increments as each dynamic interface is created.

• The IGMP packets from clients are forwarded to the router. As a result, the router IGMP table is updated with the IP address of the clients as the last reporter.

When IGMP snooping is enabled, the following is true:

• The controller always uses Layer 3 MGID for all Layer 3 multicast traffic sent to the access point. For all Layer 2 multicast traffic, it continues to use Layer 2 MGID.

• IGMP report packets from wireless clients are consumed or absorbed by the controller, which generates a query for the clients. After the router sends the IGMP query, the controller sends the IGMP reports with its interface IP address as the listener IP address for the multicast group. As a result, the router IGMP table is updated with the controller IP address as the multicast listener.

• When the client that is listening to the multicast groups roams from one controller to another, the first controller transmits all the multicast group information for the listening client to the second controller. As a result, the second controller can immediately create the multicast group information for the client. The second controller sends the IGMP reports to the network for all multicast groups to which the client was listening. This process aids in the seamless transfer of multicast data to the client.

• If the listening client roams to a controller in a different subnet, the multicast packets are tunneled to the anchor controller of the client to avoid the reverse path filtering (RPF) check. The anchor then forwards the multicast packets to the infrastructure switch.


Note

The MGIDs are controller specific. The same multicast group packets coming from the same VLAN in two different controllers may be mapped to two different MGIDs.

Note

If Layer 2 multicast is enabled, a single MGID is assigned to all the multicast addresses coming from an interface.

Note

The number of multicast addresses supported per VLAN for a Cisco WLC is 100.
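The following Python model is added here to work through the MGID behavior described above (Layer 2 MGIDs per interface starting at 0 for management and 8 for the first dynamic interface, Layer 3 MGIDs per ingress VLAN and group when IGMP snooping is enabled, reports absorbed or forwarded depending on snooping, and the 100-addresses-per-VLAN limit). It is an illustration, not Cisco's implementation: the class and method names, the numbering of Layer 3 MGIDs from 1 upward, the return strings and the constructed topology are assumptions for the example.

```python
from typing import Dict, List, Set, Tuple


class MgidTable:
    """Assumed model of the controller's MGID handling.  Layer 2 MGIDs follow
    the guide (management = 0, first dynamic interface = 8, incrementing);
    Layer 3 MGIDs are numbered from 1 upward here, and the 100-address
    limit is enforced when a new (VLAN, group) pair is first seen."""

    MAX_GROUPS_PER_VLAN = 100
    FIRST_DYNAMIC_L2_MGID = 8

    def __init__(self, igmp_snooping: bool):
        self.snooping = igmp_snooping
        self.l2: Dict[str, int] = {}                          # interface -> Layer 2 MGID
        self.l3: Dict[Tuple[int, str], int] = {}              # (VLAN, group) -> Layer 3 MGID
        self.next_dynamic = self.FIRST_DYNAMIC_L2_MGID
        self.next_l3 = 1
        self.listeners: Dict[int, Dict[str, Set[str]]] = {}   # MGID -> AP -> client MACs

    def add_interface(self, name: str, management: bool = False) -> int:
        if management:
            self.l2[name] = 0
        else:
            self.l2[name] = self.next_dynamic
            self.next_dynamic += 1
        return self.l2[name]

    def l3_mgid(self, vlan: int, group: str) -> int:
        """MGID unique per ingress VLAN and destination group."""
        key = (vlan, group)
        if key not in self.l3:
            if sum(1 for v, _ in self.l3 if v == vlan) >= self.MAX_GROUPS_PER_VLAN:
                raise ValueError(f"VLAN {vlan}: more than {self.MAX_GROUPS_PER_VLAN} multicast addresses")
            self.l3[key] = self.next_l3
            self.next_l3 += 1
        return self.l3[key]

    def igmp_report(self, ap: str, client_mac: str, vlan: int, group: str) -> str:
        """A client behind `ap` sends an IGMP membership report for `group`."""
        if not self.snooping:
            return "forwarded-to-router"    # controller is transparent; router sees the client
        mgid = self.l3_mgid(vlan, group)    # report absorbed; listener recorded per AP
        self.listeners.setdefault(mgid, {}).setdefault(ap, set()).add(client_mac)
        return "absorbed"

    def mgid_for(self, interface: str, vlan: int, group: str, layer3: bool) -> int:
        """MGID tagged on the packet the controller forwards to the APs."""
        if self.snooping and layer3:
            return self.l3_mgid(vlan, group)
        return self.l2[interface]           # Layer 2 MGID: one per interface

    def transmitting_aps(self, interface: str, vlan: int, group: str,
                         aps: List[str], layer3: bool = True) -> Set[str]:
        """Every AP receives the packet from the controller; return those that
        actually send it on the WLAN.  With a Layer 2 MGID there is no
        listener tracking, so all of them do."""
        mgid = self.mgid_for(interface, vlan, group, layer3)
        if not (self.snooping and layer3):
            return set(aps)
        return {ap for ap in aps if self.listeners.get(mgid, {}).get(ap)}


if __name__ == "__main__":
    # Constructed topology: management plus two dynamic interfaces, three APs.
    t = MgidTable(igmp_snooping=True)
    t.add_interface("management", management=True)
    t.add_interface("vlan20")
    t.add_interface("vlan30")
    t.igmp_report("AP1", "aa:bb:cc:00:00:01", 20, "239.1.1.1")
    print(t.transmitting_aps("vlan20", 20, "239.1.1.1", ["AP1", "AP2", "AP3"]))  # {'AP1'}
```

With snooping enabled only the AP that recorded a listener transmits the Layer 3 stream, while Layer 2 multicast still goes out on every AP under the interface's Layer 2 MGID; with snooping disabled the report passes through to the router and every AP transmits.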

Restrictions for Configuring Multicast Mode

• The Cisco Unified Wireless Network solution uses some IP address ranges for specific purposes, and you should keep these ranges in mind when configuring a multicast group:

◦224.0.0.0 through 224.0.0.255—Reserved link local addresses

◦224.0.1.0 through 238.255.255.255—Globally scoped addresses

◦239.0.0.0 through 239.255.255.255 (239.0.0.0/8)—Limited (administratively) scoped addresses

• When you enable multicast mode on the controller, you also must configure a CAPWAP multicast group address. Access points subscribe to the CAPWAP multicast group using IGMP.

• Cisco 1100, 1130, 1200, 1230, and 1240 access points use IGMP versions 1, 2, and 3.

• Access points in monitor mode, sniffer mode, or rogue detector mode do not join the CAPWAP multicast group address.

• The CAPWAP multicast group configured on the controllers should be different for different controllers.

• Lightweight Access Points transmit multicast packets at the highest configured mandatory data rate.

Because multicast frames are not retransmitted at the MAC layer, clients at the edge of the cell might fail to receive them successfully. If reliable reception is a goal, multicast frames should be transmitted at a low data rate. If support for high data rate multicast frames is required, it might be useful to shrink the cell size and disable all lower data rates.

Depending on your requirements, you can take the following actions:

• If you need to transmit multicast data with the greatest reliability and if there is no need for great multicast bandwidth, then configure a single basic rate, that is low enough to reach the edges of the wireless cells.

• If you need to transmit multicast data at a certain data rate in order to achieve a certain throughput, you can configure that rate as the highest basic rate. You can also set a lower basic rate for coverage of nonmulticast clients.

• Multicast mode does not operate across intersubnet mobility events such as guest tunneling. It does, however, operate with interface overrides using RADIUS (but only when IGMP snooping is enabled) and with site-specific VLANs (access point group VLANs).


• For LWAPP, the controller drops multicast packets sent to UDP control port 12223. For CAPWAP, the controller drops multicast packets sent to UDP control and data ports 5246 and 5247, respectively. Therefore, you may want to consider not using these port numbers with the multicast applications on your network.

• We recommend that any multicast applications on your network not use the multicast address configured as the CAPWAP multicast group address on the controller.

• For multicast to work on Cisco 2500 Series WLC, you have to configure the multicast IP address.

• Multicast mode is not supported on Cisco Flex 7500 Series WLCs.

• IGMP and MLD snooping is not supported on Cisco Flex 7500 Series WLCs.

• For Cisco 8500 Series WLCs:

◦You must enable multicast-unicast if IPv6 support is required on FlexConnect APs with central switching clients.

◦You can change from multicast mode to multicast-unicast mode only if global multicast is disabled, which means IGMP or MLD snooping is not supported.

◦FlexConnect APs do not associate with a multicast-multicast group.

◦IGMP or MLD snooping is not supported on FlexConnect APs. IGMP and MLD snooping is allowed only for local mode APs in multicast-multicast mode.

◦Because VideoStream requires IGMP or MLD snooping, the VideoStream feature works only on local mode APs if multicast-multicast mode and snooping are enabled.

• In a multicast group, when multicast audio is initiated, the recipients do not hear the first two seconds of the multicast audio. As a workaround, we recommend that you set the Cisco APs to FlexConnect + Local Switching mode for small-scale deployments.

• To reduce join latency, we recommend disabling IPv6 on the Cisco WLC.

• For Release 8.0, there is a limitation: FlexConnect APs do not join the multicast group when the multicast mode is Multicast-Multicast and CAPWAP has both IPv4 and IPv6. For Cisco 5500 and 8500 Series WLCs, you can disable the Multicast-Multicast mode and enable the Multicast-Unicast mode. For Cisco 7500 Series WLCs, there is no Multicast-Multicast configuration. For FlexConnect APs in Multicast-Multicast mode joined with central switching clients, there is a reduction of 0-13% in data throughput.

• While using Local and Flexconnect AP mode the WLC platform's multicast support differs for different platforms.

The parameters that affect Multicast forwarding are:

• WLC Platform.

• Global AP multicast mode configuration at WLC.

• Mode of the AP: Local or FlexConnect central switching.

• For FlexConnect local switching, the AP does not send multicast packets to or receive them from the WLC, so the multicast mode configured on the WLC does not matter.

• We recommend that you do not use Broadcast-Unicast or Multicast-Unicast mode on Cisco WLC setup where there are more than 50 APs connected together.


If a Cisco WLC setup has more than 50 APs, the CAPWAP control messages between the Cisco WLC and the APs may be delayed because each multicast or broadcast packet is duplicated to every AP. The delay in the CAPWAP control messages causes client association or 802.1X authentication to be delayed by 1 to 3 seconds. As a result, the client receives repeated authentication prompts or failure messages.

• Multicast support on the different WLC platforms is as follows:

• WLC 5500/WiSM2/8500 supports both Multicast-Multicast and Multicast-Unicast mode.

• WLC 2500 supports Multicast-Multicast mode only.

• WLC 7500 and vWLC support Multicast-Unicast mode only, and support only FlexConnect APs.

Note

A FlexConnect mode AP cannot join the multicast group address configured on the WLC, so it cannot receive the multicast packets that the WLC sends (multicast packets sent for FlexConnect central switching are received only by local mode APs). If multicast must be forwarded for FlexConnect central switching, you must configure the AP multicast mode as Multicast-Unicast.

This configuration is global because it also applies to local mode APs.

Enabling Multicast Mode (GUI)

Step 1 Choose Controller > Multicast to open the Multicast page.

Step 2 Select the Enable Global Multicast Mode check box to configure sending multicast packets. The default value is disabled.

Note

FlexConnect supports unicast mode only.

Step 3 If you want to enable IGMP snooping, select the Enable IGMP Snooping check box. If you want to disable IGMP snooping, leave the check box unselected. The default value is disabled.

Step 4 To set the IGMP timeout, enter a value between 30 and 7200 seconds in the IGMP Timeout text box. The controller sends three queries in one timeout value at an interval of timeout/3 to see if any clients exist for a particular multicast group. If the controller does not receive a response through an IGMP report from the client, the controller times out the client entry from the MGID table. When no clients are left for a particular multicast group, the controller waits for the IGMP timeout value to expire and then deletes the MGID entry from the controller. The controller always generates a general IGMP query (that is, to destination address 224.0.0.1) and sends it on all WLANs with an MGID value of 1.

Step 5 Enter the IGMP Query Interval (seconds).

Step 6 Select the Enable MLD Snooping check box to support IPv6 forwarding decisions.

Note

To enable MLD Snooping, you must enable Global Multicast Mode of the controller.

Step 7 In the MLD Timeout text box, enter a value between 30 and 7200 seconds to set the MLD timeout.

Step 8 Enter the MLD Query Interval (seconds). The valid range is between 15 and 2400 seconds.

Step 9 Click Apply.

Step 10 Click Save Configuration.


Enabling Multicast Mode (CLI)

Step 1 Enable or disable multicasting on the controller by entering this command:

config network multicast global {enable | disable}

The default value is disabled.

Note

The config network broadcast {enable | disable} command allows you to enable or disable broadcasting without enabling or disabling multicasting as well. This command uses the multicast mode currently on the controller to operate.

Step 2 Perform either of the following:

a) Configure the controller to use the unicast method to send multicast packets by entering this command:

config network multicast mode unicast

b) Configure the controller to use the multicast method to send multicast packets to a CAPWAP multicast group by entering this command:

config network multicast mode multicast multicast_group_ip_address

Step 3 Enable or disable IGMP snooping by entering this command:

config network multicast igmp snooping {enable | disable}

The default value is disabled.

Step 4 Set the IGMP timeout value by entering this command:

config network multicast igmp timeout timeout

You can enter a timeout value between 30 and 7200 seconds. The controller sends three queries in one timeout value at an interval of timeout/3 to see if any clients exist for a particular multicast group. If the controller does not receive a response through an IGMP report from the client, the controller times out the client entry from the MGID table. When no clients are left for a particular multicast group, the controller waits for the IGMP timeout value to expire and then deletes the MGID entry from the controller. The controller always generates a general IGMP query (that is, to destination address 224.0.0.1) and sends it on all WLANs with an MGID value of 1.

Step 5 Enable or disable Layer 2 Multicast by entering this command:

config network multicast l2mcast {enable {all | interface-name} | disable}

Step 6 Enable or disable MLD snooping by entering this command:

config network multicast mld snooping {enable | disable}

The default value is disabled.

Note

To enable MLD snooping, you must enable global multicast mode of the controller.

Step 7 Set the MLD timeout value by entering this command:

config network multicast mld timeout timeout

Enter the MLD Query Interval (seconds). The valid range is between 15 and 2400 seconds.

Step 8 Save your changes by entering this command:

save config
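The query and aging behaviour described in the IGMP timeout step above (and in the matching step of the GUI procedure) is easier to see in a small model. The following Python block is an added example written for this page, not controller code. It assumes time in whole seconds, that Layer 3 MGIDs are handed out starting at 550 (the first value the show commands later in this section display), and that a client entry is removed once no report has been seen for one full timeout.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GENERAL_QUERY_DST = "224.0.0.1"   # destination of the controller's general IGMP query (from the guide)
GENERAL_QUERY_MGID = 1            # the general query is sent on all WLANs with MGID 1 (from the guide)
FIRST_L3_MGID = 550               # assumption: Layer 3 MGIDs are allocated starting at 550


@dataclass
class GroupEntry:
    mgid: int
    clients: Dict[str, int] = field(default_factory=dict)   # client MAC -> time of its last IGMP report
    empty_since: Optional[int] = None                       # time at which the last client aged out


class MgidTable:
    """Toy model of the controller's Layer 3 MGID table aging (illustrative, not Cisco code)."""

    def __init__(self, timeout: int) -> None:
        if not 30 <= timeout <= 7200:
            raise ValueError("IGMP timeout must be between 30 and 7200 seconds")
        self.timeout = timeout
        self.query_interval = timeout // 3        # three general queries per timeout period
        self.now = 0
        self.next_mgid = FIRST_L3_MGID
        self.groups: Dict[str, GroupEntry] = {}
        self.queries: List[Tuple[int, str, int]] = []   # (time, destination, MGID) of each query sent

    def igmp_report(self, mac: str, group: str) -> int:
        """A membership report from a client creates or refreshes its entry and returns the MGID."""
        entry = self.groups.get(group)
        if entry is None:
            entry = GroupEntry(mgid=self.next_mgid)
            self.next_mgid += 1
            self.groups[group] = entry
        entry.clients[mac] = self.now
        entry.empty_since = None
        return entry.mgid

    def advance(self, seconds: int) -> None:
        """Move the clock forward one second at a time so no query or expiry is skipped."""
        for _ in range(seconds):
            self.now += 1
            if self.now % self.query_interval == 0:
                self.queries.append((self.now, GENERAL_QUERY_DST, GENERAL_QUERY_MGID))
            for group in list(self.groups):
                entry = self.groups[group]
                # a client that answered no query within one timeout is removed from the MGID table
                for mac, last_report in list(entry.clients.items()):
                    if self.now - last_report >= self.timeout:
                        del entry.clients[mac]
                if not entry.clients and entry.empty_since is None:
                    entry.empty_since = self.now
                # the MGID entry itself is released only one further timeout later
                if entry.empty_since is not None and self.now - entry.empty_since >= self.timeout:
                    del self.groups[group]

    def members(self, group: str) -> List[str]:
        """Clients currently joined to a group (empty list if the group has no MGID entry)."""
        entry = self.groups.get(group)
        return sorted(entry.clients) if entry else []


if __name__ == "__main__":
    table = MgidTable(timeout=60)
    table.igmp_report("00:13:02:23:82:ad", "239.255.255.250")   # constructed sample client and group
    table.advance(59)
    print("still joined:", table.members("239.255.255.250"))
    table.advance(1)
    print("after one timeout:", table.members("239.255.255.250"), "MGID entries:", list(table.groups))
    table.advance(60)
    print("after a second timeout:", list(table.groups), "queries sent:", len(table.queries))
```

Running the block shows the two-stage behaviour the step describes: the client disappears from the group at the first timeout, and the MGID entry is only released one timeout later, while a general query goes out every timeout/3 seconds.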


Viewing Multicast Groups (GUI)

Step 1 Choose Monitor > Multicast. The Multicast Groups page appears.

This page shows all the multicast groups and their corresponding MGIDs.

Step 2 Click the link for a specific MGID (such as MGID 550) to see a list of all the clients joined to the multicast group in that particular MGID.

Viewing Multicast Groups (CLI)

Before You Begin

• See all the multicast groups and their corresponding MGIDs by entering this command:

show network multicast mgid summary

Information similar to the following appears:

Layer2 MGID Mapping:
-------------------
InterfaceName                    vlanId   MGID
-------------------------------- ------   ----
management                       0        0
test                             0        9
wired                            20       8

Layer3 MGID Mapping:
-------------------
Number of Layer3 MGIDs........................... 1
Group address    Vlan    MGID
---------------  -----   ----
239.255.255.250  0       550

• See all the clients joined to the multicast group in a specific MGID by entering this command:

show network multicast mgid detail mgid_value

where the mgid_value parameter is a number between 550 and 4095.

Information similar to the following appears:

Mgid........................................ 550

Multicast Group Address..................... 239.255.255.250

Vlan........................................ 0

Rx Packet Count............................. 807399588

No of clients............................... 1

Client List.................................

Client MAC Expire Time (mm:ss)

00:13:02:23:82:ad 0:20
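When auditing MGID tables from several controllers it helps to parse the two show outputs above rather than read them by eye. The following Python block is an added example, not Cisco code; the sample outputs are constructed in the layout of the output shown above, and the consistency check between the "No of clients" line and the listed clients is this example's own addition.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the layout of the show commands above (not captured from a live controller)
SUMMARY_OUTPUT = """\
Layer2 MGID Mapping:
-------------------
InterfaceName                    vlanId   MGID
-------------------------------- ------   ----
management                       0        0
test                             0        9
wired                            20       8

Layer3 MGID Mapping:
-------------------
Number of Layer3 MGIDs........................... 1
Group address    Vlan    MGID
---------------  -----   ----
239.255.255.250  0       550
"""

DETAIL_OUTPUT = """\
Mgid........................................ 550
Multicast Group Address..................... 239.255.255.250
Vlan........................................ 0
Rx Packet Count............................. 807399588
No of clients............................... 1
Client List.................................
       Client MAC             Expire Time (mm:ss)
       00:13:02:23:82:ad      0:20
"""

L3_MGID_RANGE = range(550, 4096)   # mgid_value range the guide gives for the detail command

L2_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")
L3_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s*$")
KEY_VALUE = re.compile(r"^([A-Za-z ]+?)\.{2,}\s*(.*)$")
CLIENT_ROW = re.compile(r"^\s*([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(\d+):(\d{2})\s*$")


def parse_mgid_summary(text: str) -> Dict[str, list]:
    """Split 'show network multicast mgid summary' into its Layer 2 and Layer 3 mappings."""
    layer2: List[Tuple[str, int, int]] = []   # (interface, vlan, mgid)
    layer3: List[Tuple[str, int, int]] = []   # (group address, vlan, mgid)
    section = None
    for line in text.splitlines():
        if line.startswith("Layer2 MGID Mapping"):
            section = "l2"
        elif line.startswith("Layer3 MGID Mapping"):
            section = "l3"
        elif section == "l2" and (m := L2_ROW.match(line)):
            layer2.append((m.group(1), int(m.group(2)), int(m.group(3))))
        elif section == "l3" and (m := L3_ROW.match(line)):
            layer3.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return {"layer2": layer2, "layer3": layer3}


def parse_mgid_detail(text: str) -> dict:
    """Parse 'show network multicast mgid detail' and cross-check the client count against the list."""
    fields: Dict[str, str] = {}
    clients: List[Tuple[str, int]] = []      # (client MAC, seconds until the entry expires)
    for line in text.splitlines():
        if (m := CLIENT_ROW.match(line)):
            clients.append((m.group(1).lower(), int(m.group(2)) * 60 + int(m.group(3))))
        elif (m := KEY_VALUE.match(line)):
            fields[m.group(1).strip()] = m.group(2).strip()
    mgid = int(fields["Mgid"])
    if mgid not in L3_MGID_RANGE:
        raise ValueError(f"MGID {mgid} is outside the Layer 3 range 550-4095")
    detail = {
        "mgid": mgid,
        "group": fields["Multicast Group Address"],
        "vlan": int(fields["Vlan"]),
        "rx_packets": int(fields["Rx Packet Count"]),
        "client_count": int(fields["No of clients"]),
        "clients": clients,
    }
    # the header count and the listed clients should agree; a mismatch usually means truncated output
    detail["consistent"] = detail["client_count"] == len(clients)
    return detail


def groups_without_clients(summary: dict, details: List[dict]) -> List[str]:
    """Layer 3 groups that still hold an MGID but report no joined clients."""
    empty = {d["group"] for d in details if not d["clients"]}
    return [group for group, _vlan, _mgid in summary["layer3"] if group in empty]
```

The expire time is converted to seconds so that it can be compared directly with the configured IGMP timeout; an entry whose expire time is close to the full timeout has just answered a query, while one near zero is about to be aged out.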


Viewing an Access Point's Multicast Client Table (CLI)

To help troubleshoot roaming events, you can view an access point’s multicast client table from the controller by performing a remote debug of the access point.

Step 1 Initiate a remote debug of the access point by entering this command:

debug ap enable Cisco_AP

Step 2 See all of the MGIDs on the access point and the number of clients per WLAN by entering this command:

debug ap command show capwap mcast mgid all Cisco_AP

Step 3 See all of the clients per MGID on the access point and the number of clients per WLAN by entering this command:

debug ap command show capwap mcast mgid id mgid_value Cisco_AP

Configuring Bridging of Link Local Traffic

Configuring Bridging of Link Local Traffic (GUI)

Configure bridging of link local traffic at the local site by following these steps:

Step 1 Choose Controller > General.

Step 2 From the Link Local Bridging drop-down list, choose Enabled or Disabled.

Step 3 Click Apply.

Step 4 Click Save Configuration.

Configuring Bridging of Link Local Traffic (CLI)

• Configure bridging of link local traffic at the local site by using this command:

config network link-local-bridging {enable | disable}

Configuring Multicast Domain Name System

Information About Multicast Domain Name System

Multicast Domain Name System (mDNS) service discovery provides a way to announce and discover the services on the local network. The mDNS service discovery enables wireless clients to access Apple services such as Apple Printer and Apple TV advertised in a different Layer 3 network. mDNS performs DNS queries over IP multicast. mDNS supports zero-configuration IP networking. As a standard, mDNS uses multicast IP address 224.0.0.251 as the destination address and 5353 as the UDP destination port.

Location Specific Services

The processing of mDNS service advertisements and mDNS query packets supports Location-Specific Services (LSS). All the valid mDNS service advertisements that are received by the controller are tagged with the MAC address of the AP that is associated with the service advertisement from the service provider while inserting the new entry into the service provider database. The response formulation to the client query filters the wireless entries in the SP-DB using the MAC address of the AP associated with the querying client. The wireless service provider database entries are filtered based on the AP-NEIGHBOR-LIST if LSS is enabled for the service. If LSS is disabled for any service, the wireless service provider database entries are not filtered when they respond to any query from a wireless client for the service.

LSS applies only to wireless service provider database entries. There is no location awareness for wired service provider devices.

The status of LSS cannot be enabled for services with ORIGIN set to wired and vice-versa.

mDNS AP

The mDNS AP feature allows the controller to have visibility of wired service providers that are on VLANs that are not visible to the controller. You can configure any AP as an mDNS AP and enable the AP to forward mDNS packets to the controller. VLAN visibility on the controller is achieved by APs that forward the mDNS advertisements to the controller. The mDNS packets between the AP and the controller are forwarded in the Control and Provisioning of Wireless Access Points (CAPWAP) data tunnel, in the same way as the mDNS packets from a wireless client. Only CAPWAP v4 tunnels are supported. APs can be on either an access port or a trunk port to learn the mDNS packets from the wired side and forward them to the controller.

You can use the configurable knob that is provided on the controller to start or stop mDNS packet forwarding from a specific AP. You can also use this configuration to specify the VLANs from which the AP should snoop the mDNS advertisements from the wired side. The maximum number of VLANs that an AP can snoop is 10.

If the AP is in the access port, you should not configure any VLANs on the AP to snoop. The AP sends untagged packets when a query is to be sent. When an mDNS advertisement is received by the mDNS AP, the VLAN information is not passed on to the controller. The service provider's VLAN that is learned through the mDNS AP's access VLAN is maintained as 0 in the controller.

By default, the mDNS AP snoops in the native VLAN. When an mDNS AP is enabled, native VLAN snooping is enabled by default and the VLAN information is passed as 0 for advertisements received on the native VLAN.

The mDNS AP feature is supported only on local mode and monitor mode APs.

The mDNS AP configuration is retained on those mDNS APs even if global mDNS snooping is disabled.

Note

There is no check to ensure that two mDNS APs are not duplicating the same traffic for the same service. For the same VLAN, however, there is such a check.

If an mDNS AP is reset or associated with the same controller or another controller, one of the following occurs:

• If the global snooping is disabled on the controller, a payload is sent to the AP to disable mDNS snooping.


• If the global snooping is enabled on the controller, the configuration of the AP before the reset or the association procedure is retained.

The process flow for the mDNS AP feature is as follows:

• Uplink (Wired infrastructure to AP to Controller):

1. Receives the 802.3 mDNS packet on configured VLANs.

2. Forwards the received mDNS packet over CAPWAP.

3. Populates the multicast group ID (MGID) based on the received VLAN.

• Downlink (Controller to AP to Wired Infrastructure):

1. Receives an mDNS query over CAPWAP from the controller.

2. Forwards the query as an 802.3 packet to the wired infrastructure.

3. Identifies the VLAN from the dedicated MGIDs.

Per-Service SP Count Limit

The following list shows the global service provider limit per controller model:

• Cisco 8500 Series Wireless LAN Controller—16000

• Cisco Flex 7500 Series Wireless LAN Controller—16000

• Cisco 5500 Series Wireless LAN Controller—6400

• Cisco 2500 Series Wireless LAN Controller—6400

If the total number of service providers for all services is within the platform limit, any service can learn or discover as many service providers as it needs. There is no per-service reservation or restriction, which leaves room to accommodate more service providers for one service relative to the other services.

Priority MAC Support

You can configure up to 50 MAC addresses per service; these MAC addresses are the service provider MAC addresses that require priority. This guarantees that any service advertisements originating from these MAC addresses for the configured services are learned even if the service provider database is full by deleting the last nonpriority service provider from the service that has the highest number of service providers. When you configure the priority MAC address for a service, there is an optional parameter called ap-group, which is applicable only to wired service providers to associate a sense of location to the wired service provider devices.

When a client mDNS query originates from this ap-group, the wired entries with priority MAC and ap-group are looked up and the wired entries are listed first in the aggregated response.

Origin-Based Service Discovery

You can configure a service to filter inbound traffic that is based on its origin, that is either wired or wireless.

All the services that are learned from an mDNS AP are treated as wired. When the learn origin is wired, LSS cannot be enabled for the service because LSS applies only to wireless services.

A service that has its origin set to wireless cannot be changed to wired if the LSS status is enabled for the service, because LSS applies only to the wireless service provider database. If you change the origin between wired and wireless, the service provider database entries with the prior origin type are cleared.
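The rules spread over the Location Specific Services, Per-Service SP Count Limit, Priority MAC Support and Origin-Based Service Discovery sections above interact in the service provider database, and the following Python block models them together. It is an added example written for this page, not controller code. It assumes a global SP limit supplied by the caller, an AP-NEIGHBOR-LIST given as a dict of AP MAC to neighbouring AP MACs, and constructed service names and MAC addresses; the ap-group option of priority MACs is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

WIRED, WIRELESS, ALL = "wired", "wireless", "all"


@dataclass
class ServiceProvider:
    mac: str
    service: str
    origin: str                    # WIRED or WIRELESS: how the advertisement reached the controller
    ap_mac: Optional[str] = None   # tag: the AP the advertisement came through (wireless entries only)


@dataclass
class ServiceConfig:
    origin: str = ALL              # learn from WIRED, WIRELESS or ALL
    lss: bool = False
    priority_macs: Set[str] = field(default_factory=set)


class ServiceProviderDb:
    """Toy model of the SP-DB rules described above (illustrative, not controller code)."""

    def __init__(self, limit: int, ap_neighbors: Dict[str, Set[str]]) -> None:
        self.limit = limit                    # platform-wide SP limit (assumed given by the caller)
        self.ap_neighbors = ap_neighbors      # AP-NEIGHBOR-LIST: AP MAC -> neighbouring AP MACs (assumed)
        self.services: Dict[str, ServiceConfig] = {}
        self.entries: List[ServiceProvider] = []

    def configure_service(self, name: str, origin: str = ALL, lss: bool = False) -> None:
        if lss and origin == WIRED:
            raise ValueError("LSS applies only to wireless entries; a wired-only service cannot enable it")
        self.services[name] = ServiceConfig(origin=origin, lss=lss)

    def set_origin(self, name: str, origin: str) -> None:
        cfg = self.services[name]
        if origin == WIRED and cfg.lss:
            raise ValueError("disable LSS before changing the origin to wired")
        cfg.origin = origin
        # entries learned under the previous origin type are cleared
        if origin != ALL:
            self.entries = [e for e in self.entries if not (e.service == name and e.origin != origin)]

    def add_priority_mac(self, name: str, mac: str) -> None:
        self.services[name].priority_macs.add(mac.lower())

    def learn(self, sp: ServiceProvider) -> bool:
        """Apply the learn-origin filter, the global limit and the priority-MAC eviction rule."""
        cfg = self.services.get(sp.service)
        if cfg is None or (cfg.origin != ALL and sp.origin != cfg.origin):
            return False                                  # not in the master list, or wrong origin
        for e in self.entries:
            if e.service == sp.service and e.mac == sp.mac:
                e.ap_mac = sp.ap_mac                      # refresh the AP tag of an existing entry
                return True
        if len(self.entries) >= self.limit:
            if sp.mac.lower() not in cfg.priority_macs:
                return False                              # database full: non-priority advertisement dropped
            if not self._evict_last_nonpriority():
                return False
        self.entries.append(sp)
        return True

    def _evict_last_nonpriority(self) -> bool:
        """Drop the last non-priority SP of the service that currently holds the most SPs."""
        counts: Dict[str, int] = {}
        for e in self.entries:
            counts[e.service] = counts.get(e.service, 0) + 1
        for service in sorted(counts, key=counts.get, reverse=True):
            prio = self.services[service].priority_macs
            for i in range(len(self.entries) - 1, -1, -1):
                e = self.entries[i]
                if e.service == service and e.mac.lower() not in prio:
                    del self.entries[i]
                    return True
        return False

    def respond(self, service: str, client_ap_mac: str) -> List[str]:
        """Wired entries always answer; wireless entries are LSS-filtered by the client's AP neighbourhood."""
        cfg = self.services[service]
        visible = {client_ap_mac} | self.ap_neighbors.get(client_ap_mac, set())
        return [e.mac for e in self.entries
                if e.service == service and (e.origin == WIRED or not cfg.lss or e.ap_mac in visible)]
```

The eviction path is the part worth tracing: when the database is full, only an advertisement from a configured priority MAC gets in, and the space comes from the service that currently holds the most providers, which is why the guide describes the limit as global rather than per service.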


Restrictions for Configuring Multicast DNS

• mDNS over IPv6 is not supported.

• mDNS is not supported on access points in FlexConnect mode in a locally switched WLAN and mesh access points.

• mDNS is not supported on remote LANs.

• mDNS is not supported on Cisco AP1240 and Cisco AP1130.

• Third-party mDNS servers or applications are not supported on the Cisco WLC using the mDNS feature. Devices that are advertised by the third-party servers or applications are not populated on the mDNS service or device table correctly on the Cisco WLC.

• In a Layer2 network, if Apple servers and clients are in the same subnet, mDNS snooping is not required on the Cisco WLC. However, this relies on the switching network to work. If you use switches that do not work as expected with mDNS snooping, you must enable mDNS on the Cisco WLC.

• Video is not supported on Apple iOS 6 with WMM in enabled state.

• mDNS APs cannot duplicate the same traffic for the same service or VLAN.

• LSS filtering is restricted to only wireless services.

• The LSS, mDNS AP, Priority MAC address, and origin-based discovery features cannot be configured using the controller GUI.

• mDNS-AP feature is not supported in CAPWAP V6.

• ISE dynamic mDNS policy mobility is not supported.

• mDNS user profile mobility is not supported in guest anchors.

• Mobility: ISE dynamic mDNS policy creation in foreign controllers is inconsistent.

• Apple devices such as iPads and iPhones can discover Apple TV through Bluetooth. This might result in Apple TVs being visible to end users. Because Apple TVs are not supported on mDNS access policy, we recommend that you disable Bluetooth on Apple TVs.

Configuring Multicast DNS (GUI)

Step 1 Configure the global mDNS parameters and the Master Services Database by following these steps:

a) Choose Controller > mDNS > General.

b) Select or unselect the mDNS Global Snooping check box to enable or disable snooping of mDNS packets, respectively.

c) Enter the mDNS query interval in minutes. The query interval is the frequency at which the controller queries for a service.

d) Choose a service from the Select Service drop-down list.

Note

To add a new mDNS-supported service to the list, choose Other. Specify the service name and the service string. The controller snoops and learns about the mDNS service advertisements only if the service is available in the Master Services Database. The controller can snoop and learn a maximum of 64 services.

e) Select or unselect the Query Status check box to enable or disable an mDNS query for a service, respectively.

f) Click Add.

g) Click Apply.

h) To view the details of an mDNS service, hover your cursor over the blue drop-down arrow of a service, and choose Details.

Step 2 Configure an mDNS profile by following these steps:

a) Choose Controller > mDNS > Profiles.

The controller has a default mDNS profile, which is default-mdns-profile. It is not possible to delete the default profile.

b) To create a new profile, click New, enter a profile name, and click Apply.

c) To edit a profile, click a profile name on the mDNS Profiles page; from the Service Name drop-down list, choose a service to be associated with the profile, and click Apply.

You can add multiple services to a profile.

Step 3 Click Save Configuration.

What to Do Next

After creating a new profile, you must map the profile to an interface group, an interface, or a WLAN. Clients receive service advertisements only for the services associated with the profile. The highest priority is given to the profiles associated with interface groups, followed by the interface profiles, and then the WLAN profiles.

Each client is mapped to a profile based on the order of priority.

• Map an mDNS profile to an interface group by following these steps:

1. Choose Controller > Interface Groups.

2. Click the corresponding interface group name. The Interface Groups > Edit page is displayed.

3. From the mDNS Profile drop-down list, choose a profile.

• Map an mDNS profile to an interface by following these steps:

1. Choose Controller > Interfaces.

2. Click the corresponding interface name. The Interfaces > Edit page is displayed.

3. From the mDNS Profile drop-down list, choose a profile.

• Map an mDNS profile to a WLAN by following these steps:

1. Choose WLANs.

2. Click the corresponding WLAN ID. The WLANs > Edit page is displayed.

3. Click the Advanced tab.

4. Select the mDNS Snooping check box.

5. From the mDNS Profile drop-down list, choose a profile.


Configuring Multicast DNS (CLI)

• Configure mDNS snooping by entering this command:

config mdns snooping {enable | disable}

• Configure mDNS services by entering this command:

config mdns service {{create service-name service-string origin {wireless | wired | all} lss {enable | disable} [query] [enable | disable]} | delete service-name}

• Configure a query for an mDNS service by entering this command:

config mdns service query {enable | disable} service-name

• Configure a query interval for mDNS services by entering this command:

config mdns query interval value-in-minutes

• Configure an mDNS profile by entering this command:

config mdns profile {create | delete} profile-name

Note

If you try to delete an mDNS profile that is already associated with an interface group, an interface, or a WLAN, an error message is displayed.

• Configure mDNS services to a profile by entering this command:

config mdns profile service {add | delete} profile-name service-name

• Map an mDNS profile to an interface group by entering this command:

config interface group mdns-profile {interface-group-name | all} {mdns-profile-name | none}

Note

If the mDNS profile name is none, no profiles are attached to the interface group. Any existing profile that is attached is removed.

• View information about an mDNS profile that is associated with an interface group by entering this command:

show interface group detailed interface-group-name

• Map an mDNS profile to an interface by entering this command:

config interface mdns-profile {management | {interface-name | all}} {mdns-profile-name | none}

• View information about the mDNS profile that is associated with an interface by entering this command:

show interface detailed interface-name

• Configure mDNS for a WLAN by entering this command:

config wlan mdns {enable | disable} {wlan-id | all}

• Map an mDNS profile to a WLAN by entering this command:

config wlan mdns profile {wlan-id | all} {mdns-profile-name | none}

• View information about an mDNS profile that is associated with a WLAN by entering this command:


show wlan wlan-id

• View information about all mDNS profiles or a particular mDNS profile by entering this command:

show mdns profile {summary | detailed mdns-profile-name}

• View information about all mDNS services or a particular mDNS service by entering this command:

show mdns service {summary | detailed mdns-service-name}

• View information about the mDNS domain names that are learned by entering this command:

show mdns domain-name-ip summary

• View the mDNS profile for a client by entering this command:

show client detail client-mac-address

• View the mDNS details for a network by entering this command:

show network summary

• Clear the mDNS service database by entering this command:

clear mdns service-database {all | service-name}

• View events related to mDNS by entering this command:

debug mdns message {enable | disable}

• View mDNS details of the events by entering this command:

debug mdns detail {enable | disable}

• View errors related to mDNS processing by entering this command:

debug mdns error {enable | disable}

• Configure debugging of all mDNS details by entering this command:

debug mdns all {enable | disable}

• Location Specific Service-related commands:

◦ Enable or disable location specific service on a specific mDNS service or all mDNS services by entering this command:

config mdns service lss {enable | disable} {service-name | all}

Note

By default, LSS is in the disabled state.

Impact on High Availability: This configuration must be synchronized with the standby controller.

◦ View the status of LSS by entering these commands:

Summary—show mdns service summary

Detailed—show mdns service detailed service-name

◦ Debug HA-related mDNS processing by entering this command:

debug mdns ha {enable | disable}

• Origin-based service discovery-related commands:


◦ Configure learning of services from wired, wireless, or both by entering this command:

config mdns service origin {Wireless | Wired | All} {service-name | all}

It is not possible to configure wired services if LSS is enabled, and vice versa. It is not possible to enable LSS for a wired-only service learn origin.

Impact on High Availability: This configuration must be synchronized with the standby controller.

◦ View the status of origin-based service discovery by entering these commands:

Summary—show mdns service summary

Detailed—show mdns service detailed service-name

◦ View all the service advertisements that are present in the controller, but not discovered because of restrictions on learning those services, by entering this command:

show mdns service not-learnt

Service advertisements across all VLANs and origin types that are not learned are displayed.

• Priority MAC address-related commands:

◦ Configure per-service MAC addresses of service-providing devices to ensure that they are snooped and discovered even if the service provider database is full, by entering this command:

config mdns service priority-mac {add | delete} priority-mac-addr service-name ap-group ap-group-name

The optional AP group is applicable only to wired service provider devices to give them a sense of location; these service providers are placed higher in the order than the other wired devices.

◦ View the status of Priority MAC address by entering this command:

Detailed—show mdns service detailed service-name

• mDNS AP-related commands:

◦ Enable or disable mDNS forwarding on an AP that is associated with the controller by entering this command:

config mdns ap {enable | disable} {ap-name | all} vlan vlan-id

There is no default mDNS AP. The VLAN ID is an optional node.

Impact on High Availability: The static configuration is synchronized to the standby controller.

◦ Configure the VLAN on which the AP should snoop and forward the mDNS packets by entering this command:

config mdns ap vlan {add | delete} vlan-id ap-name

◦ View all the APs for which mDNS forwarding is enabled by entering this command:

show mdns ap summary

Information about Bonjour gateway based on access policy

From Release 7.4, the WLC supports Bonjour gateway functionality on the WLC itself, for which you do not even need to enable multicast on the controller. The WLC inspects all Bonjour discovery packets and does not forward them over the air or onto the infrastructure network.

Bonjour is Apple's version of Zeroconf: it is Multicast Domain Name System (mDNS) with DNS-SD (Domain Name System-Service Discovery). Apple devices advertise their services over IPv4 and IPv6 simultaneously (IPv6 link-local and globally unique addresses). To address this, the Cisco WLC acts as a Bonjour gateway. The WLC listens for Bonjour services, caches the Bonjour advertisements (AirPlay, AirPrint, and so on) from the source host, for example an Apple TV, and responds to Bonjour clients when they request a service.

Bonjour gateway has inadequate capabilities to filter cached wired or wireless service instances based on the credentials of the querying client and its location.

Currently the limitations are:

• Location-Specific Services (LSS) filters the wireless service instances only while responding to a query from wireless clients. The filtering is based on the radio neighborhood of the querying client.

• LSS cannot filter wired service instances because they have no sense of location.

• LSS filtering is per service type and not per client. It means that all clients receive the location based filtered response if LSS is enabled for the service type and clients cannot override the behavior.

• There is no other filtering mechanism based on client role or user-id.

The requirement is to have configuration per service instance.

Following are the three criteria of the service instance sharing:

• User-id

• Client-role

• Client location

The configuration can be applied to wired and wireless service instances. The response to any query is based on the policy configured for each service instance. The response enables the selective sharing of service instances based on the location, user-id, or role.

Because most service-publishing devices are wired, the configuration allows filtering of wired services on par with wireless service instances.

There are two levels of filtering client queries:

1. At the service type level, by using the mDNS profile.

2. At the service instance level, by using the access policy associated with the service.

Restrictions to the Bonjour gateway based on access policy

• The total number of policies that can be created is the same as the number of service instances that are supported on the platform. A hundred policies can be supported: 99 policies and one default policy.

• The number of rules per policy is limited to one.

• Policy and rules can be created irrespective of the service instances. The policy is applied only when it is complete and discovers the target service instances.

• A service instance can be associated with a maximum of five policies.

• Five service groups can be assigned for a MAC address.


Creating Bonjour Access Policy through Prime Infrastructure

The admin user can create the Bonjour access policy using the GUI of the Prime Infrastructure (PI).

Step 1 Log in to the Cisco Prime Infrastructure using the Admin credentials.

Step 2 Choose Administration > AAA > Users > Add User.

Step 3 Choose mDNS Policy Admin.

Step 4 Add or remove the devices in the mDNS Device Filter. Click Save.

Step 5 Add the users for a device in the Users list dialog box. Click Save.

Note

See Cisco Prime Infrastructure Administrator Guide for the release 2.2 for more details.

Configuring mDNS Service Groups (GUI)

Step 1 Choose Controller > mDNS > mDNS Policies.

Step 2 Select a service group from the list of Group Names.

Step 3 Under Service Instance List, perform the following steps:

a) Enter the service provider MAC address in MAC address.

b) Enter the name of the service provider in Name. Click Add.

c) From the Location Type drop-down list, choose the type of location.

Note

If the location is selected as 'Any', the policy checks on the location attribute are not performed.

Note

The list of current service instances associated with the service group is shown in a table.

Step 4 Under Policy / Rule, enter the role names and the user names as the criteria for enforcing the policy.


Configuring mDNS Service Groups (CLI)

Step 1 Enable or disable the mDNS policy by entering this command:

config mdns policy enable | disable

Step 2 Create or delete an mDNS policy service group by entering this command:

config mdns policy service-group create | delete <service-group-name>

Step 3 Configure the parameters of a service group by entering this command:

config mdns policy service-group device-mac add <service-group-name> <mac-addr> <device name> location-type [<AP_LOCATION | AP_NAME | AP_GROUP>] device-location [<location string | any | same>]

Step 4 Configure the user role for a service group by entering this command:

config mdns policy service-group user-role add | delete <service-group-name> <user-role-name>

Step 5 Configure the user name for a service group by entering this command:

config mdns policy service-group user-name add | delete <service-group-name> <user-name>


Switching from Multicast-Unicast Mode to Multicast-Multicast Mode

Step 1 Assign both IPv4 and IPv6 (required only if IPv6 is enabled) multicast addresses by entering these commands:

a) config network multicast mode multicast IPv4-multicast-address

b) config ipv6 multicast mode multicast IPv6-multicast-address

Step 2 Enable global multicast by entering this command:

config network multicast global enable

Switching from Multicast-Multicast Mode to Multicast-Unicast Mode

Step 1 Disable global multicast by entering this command:

config network multicast global disable

Step 2 Configure the Multicast-Unicast mode by entering these commands (the IPv6 command is required only when IPv6 is enabled):

a) config network multicast mode unicast

b) config ipv6 multicast mode unicast


Restrictions

• We recommend that you do not switch from Multicast-Multicast mode to Multicast-Unicast mode on a loaded network because it can burden the network. We recommend that you use Multicast-Multicast mode on these platforms because of the scale factor.

• IGMP and MLD snooping cannot be enabled unless global multicast is enabled, and multicast mode is Multicast-Multicast.

• Global multicast can be enabled only when Multicast-Multicast mode is configured.

• Switching from Multicast-Multicast mode to Multicast-Unicast mode is not allowed if the global multicast is enabled. You must disable global multicast before switching the mode in this case.

• FlexConnect APs:

• Can join in Multicast-Multicast mode from Release 8.0 onwards.

• Multicast-Unicast mode has to be enabled if IPv6 support is required on FlexConnect APs by the central-switching clients. Therefore, IGMP or MLD snooping is not supported.

• VideoStream is not supported because it requires IGMP or MLD snooping.

Troubleshooting

Unable to switch to Multicast-Multicast mode as Global Multicast is not getting enabled

Possible issue—IPv6 is configured but not in use. Check if IPv6 is still in Multicast-Unicast mode.

Solution—Disable IPv6 if it is not being used or switch Multicast-Unicast to Multicast-Multicast mode for IPv6.
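The two switching procedures, the restrictions and the troubleshooting case above can be checked before the commands are typed into a controller. The following is an added example, not code from this guide or from Cisco: it models the documented rules in Python using the command strings quoted in this chapter; MulticastState, ControllerConfigError and the helper functions are names assumed here, and the multicast group address sanity check is an addition the guide does not describe.

```python
"""Model of the multicast mode switching procedures and restrictions above.

Added example, not Cisco code. The command strings are the ones quoted in this
chapter; MulticastState, ControllerConfigError and the helper functions are
this example's own names, and the group address sanity check is an addition.
"""
import ipaddress


class ControllerConfigError(Exception):
    """Raised when a command would violate a documented restriction."""


class MulticastState:
    """Tracks the settings that the documented restrictions depend on."""

    def __init__(self, ipv6_enabled=False):
        self.ipv6_enabled = ipv6_enabled
        self.ipv4_mode = "unicast"  # constructed: start in Multicast-Unicast mode
        self.ipv6_mode = "unicast"
        self.global_multicast = False
        self.snooping = {"igmp": False, "mld": False}

    def in_multicast_multicast_mode(self):
        """True only when every address family in use is in Multicast-Multicast mode."""
        if self.ipv4_mode != "multicast":
            return False
        # IPv6 left in Multicast-Unicast mode is the documented troubleshooting case
        return (not self.ipv6_enabled) or self.ipv6_mode == "multicast"

    def apply(self, command):
        """Apply one CLI command string, rejecting it if a restriction forbids it."""
        w = command.split()
        if w[:4] == ["config", "network", "multicast", "mode"]:
            self._set_mode("ipv4_mode", w[4], w[5:])
        elif w[:4] == ["config", "ipv6", "multicast", "mode"]:
            self._set_mode("ipv6_mode", w[4], w[5:])
        elif w[:4] == ["config", "network", "multicast", "global"]:
            if w[4] == "enable":
                if not self.in_multicast_multicast_mode():
                    raise ControllerConfigError(
                        "global multicast can be enabled only in Multicast-Multicast mode")
                self.global_multicast = True
            else:
                self.global_multicast = False
                # snooping depends on global multicast, so it cannot stay on (assumption)
                self.snooping = {"igmp": False, "mld": False}
        else:
            raise ControllerConfigError("command not modelled: " + command)

    def _set_mode(self, field, mode, rest):
        if mode == "unicast" and self.global_multicast:
            raise ControllerConfigError(
                "disable global multicast before switching to Multicast-Unicast mode")
        if mode == "multicast" and not (rest and ipaddress.ip_address(rest[0]).is_multicast):
            raise ControllerConfigError("a multicast group address is required")
        setattr(self, field, mode)

    def enable_snooping(self, proto):
        """IGMP or MLD snooping needs global multicast and Multicast-Multicast mode."""
        if not (self.global_multicast and self.in_multicast_multicast_mode()):
            raise ControllerConfigError(proto + " snooping requires global multicast")
        self.snooping[proto] = True


def switch_to_multicast_multicast(ipv4_group, ipv6_group=None):
    """Commands of the documented procedure, in the documented order."""
    cmds = ["config network multicast mode multicast " + ipv4_group]
    if ipv6_group:
        cmds.append("config ipv6 multicast mode multicast " + ipv6_group)
    cmds.append("config network multicast global enable")
    return cmds


def switch_to_multicast_unicast(ipv6_enabled=False):
    """Global multicast is disabled first, as the restriction requires."""
    cmds = ["config network multicast global disable",
            "config network multicast mode unicast"]
    if ipv6_enabled:
        cmds.append("config ipv6 multicast mode unicast")
    return cmds


def run(state, commands):
    """Apply a command sequence to the state and return it for chaining."""
    for cmd in commands:
        state.apply(cmd)
    return state


if __name__ == "__main__":
    s = run(MulticastState(ipv6_enabled=True),
            switch_to_multicast_multicast("239.1.1.1", "ff0e::1"))  # constructed groups
    s.enable_snooping("igmp")
    print("global multicast:", s.global_multicast, "snooping:", s.snooping)
```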


CHAPTER 13

Configuring Client Roaming

Information About Client Roaming, page 135

Restrictions on Client Roaming, page 137

Configuring CCX Client Roaming Parameters (GUI), page 137

Configuring CCX Client Roaming Parameters (CLI), page 138

Obtaining CCX Client Roaming Information (CLI), page 138

Debugging CCX Client Roaming Issues (CLI), page 139

Information About Client Roaming

The Cisco UWN solution supports seamless client roaming across lightweight access points managed by the same controller, between controllers in the same mobility group on the same subnet, and across controllers in the same mobility group on different subnets. Also, in controller software release 4.1 or later releases, client roaming with multicast packets is supported.

You can adjust the default RF settings (RSSI, hysteresis, scan threshold, and transition time) to fine-tune the operation of client roaming using the controller GUI or CLI.

Inter-Controller Roaming

Multiple-controller deployments support client roaming across access points managed by controllers in the same mobility group and on the same subnet. This roaming is also transparent to the client because the session is sustained and a tunnel between controllers allows the client to continue using the same DHCP- or client-assigned IP address as long as the session remains active. The tunnel is torn down, and the client must reauthenticate when the client sends a DHCP Discover with a 0.0.0.0 client IP address or a 169.254.*.* client auto-IP address or when the operator-set session timeout is exceeded.

Intra-Controller Roaming

Each controller supports same-controller client roaming across access points managed by the same controller. This roaming is transparent to the client as the session is sustained, and the client continues using the same DHCP-assigned or client-assigned IP address. The controller provides DHCP functionality with a relay function. Same-controller roaming is supported in single-controller deployments and in multiple-controller deployments.

Inter-Subnet Roaming

Multiple-controller deployments support client roaming across access points managed by controllers in the same mobility group on different subnets. This roaming is transparent to the client because the session is sustained and a tunnel between the controllers allows the client to continue using the same DHCP-assigned or client-assigned IP address as long as the session remains active. The tunnel is torn down, and the client must reauthenticate when the client sends a DHCP Discover with a 0.0.0.0 client IP address or a 169.254.*.* client auto-IP address or when the operator-set user timeout is exceeded.

Voice-over-IP Telephone Roaming

802.11 voice-over-IP (VoIP) telephones actively seek out associations with the strongest RF signal to ensure the best quality of service (QoS) and the maximum throughput. The minimum VoIP telephone requirement of 20-millisecond or shorter latency time for the roaming handover is easily met by the Cisco Wireless solution, which has an average handover latency of 5 or fewer milliseconds when open authentication is used. This short latency period is controlled by controllers rather than allowing independent access points to negotiate roaming handovers.

The Cisco Wireless solution supports 802.11 VoIP telephone roaming across lightweight access points managed by controllers on different subnets, as long as the controllers are in the same mobility group. This roaming is transparent to the VoIP telephone because the session is sustained and a tunnel between controllers allows the VoIP telephone to continue using the same DHCP-assigned IP address as long as the session remains active. The tunnel is torn down, and the VoIP client must reauthenticate when the VoIP telephone sends a DHCP Discover with a 0.0.0.0 VoIP telephone IP address or a 169.254.*.* VoIP telephone auto-IP address or when the operator-set user timeout is exceeded.

CCX Layer 2 Client Roaming

The controller supports five CCX Layer 2 client roaming enhancements:

• Access point assisted roaming—This feature helps clients save scanning time. When a CCXv2 client associates to an access point, it sends an information packet to the new access point listing the characteristics of its previous access point. Roaming time decreases when the client recognizes and uses an access point list built by compiling all previous access points to which each client was associated and sent (unicast) to the client immediately after association. The access point list contains the channels, BSSIDs of neighbor access points that support the client’s current SSID(s), and time elapsed since disassociation.

• Enhanced neighbor list—This feature focuses on improving a CCXv4 client’s roam experience and network edge performance, especially when servicing voice applications. The access point provides its associated client information about its neighbors using a neighbor-list update unicast message.

• Enhanced neighbor list request (E2E)—The End-2-End specification is a Cisco and Intel joint program that defines new protocols and interfaces to improve the overall voice and roaming experience. It applies only to Intel clients in a CCX environment. Specifically, it enables Intel clients to request a neighbor list at will. When this occurs, the access point forwards the request to the controller. The controller receives the request and replies with the current CCX roaming sublist of neighbors for the access point to which the client is associated.


Note

To see whether a particular client supports E2E, choose Wireless > Clients on the controller GUI, click the Detail link for the desired client, and look at the E2E Version text box in the Client Properties area.

• Roam reason report—This feature enables CCXv4 clients to report the reason why they roamed to a new access point. It also allows network administrators to build and monitor a roam history.

• Directed roam request—This feature enables the controller to send directed roam requests to the client in situations when the controller can better service the client on an access point different from the one to which it is associated. In this case, the controller sends the client a list of the best access points that it can join. The client can either honor or ignore the directed roam request. Non-CCX clients and clients running CCXv3 or below must not take any action. No configuration is required for this feature.

Restrictions on Client Roaming

• Controller software release 4.2 or later releases support CCX versions 1 through 5. CCX support is enabled automatically for every WLAN on the controller and cannot be disabled. The controller stores the CCX version of the client in its client database and uses it to generate and respond to CCX frames appropriately. Clients must support CCXv4 or v5 (or CCXv2 for access point assisted roaming) in order to utilize these roaming enhancements.

The roaming enhancements mentioned above are enabled automatically, with the appropriate CCX support.

• FlexConnect access points in standalone mode do not support CCX Layer 2 roaming.

• Client roaming between 600 Series Access points is not supported.

• Seamless L2 and L3 roaming is not supported between a Cisco and a third-party wireless infrastructure, which also includes a Cisco IOS access point.

Configuring CCX Client Roaming Parameters (GUI)

Step 1 Choose Wireless > 802.11a/n/ac or 802.11b/g/n > Client Roaming. The 802.11a (802.11b) > Client Roaming page appears.

Step 2 If you want to fine-tune the RF parameters that affect client roaming, choose Custom from the Mode drop-down list and go to Step 3. If you want to leave the RF parameters at their default values, choose Default and go to Step 8.

Step 3 In the Minimum RSSI text box, enter a value for the minimum received signal strength indicator (RSSI) required for the client to associate to an access point. If the client’s average received signal power dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.

The range is –90 to –50 dBm.

The default is –85 dBm.


Step 4 In the Hysteresis text box, enter a value to indicate how much greater the signal strength of a neighboring access point must be in order for the client to roam to it. This parameter is intended to reduce the amount of roaming between access points if the client is physically located on or near the border between two access points.

The range is 3 to 20 dB.

The default is 3 dB.

Step 5 In the Scan Threshold text box, enter the minimum RSSI that is allowed before the client should roam to a better access point. When the RSSI drops below the specified value, the client must be able to roam to a better access point within the specified transition time. This parameter also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when the RSSI is below the threshold.

The range is –90 to –50 dBm.

The default is –72 dBm.

Step 6 In the Transition Time text box, enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client’s associated access point is below the scan threshold.

The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.

The range is 1 to 5 seconds.

The default is 5 seconds.

Step 7 Click Apply.

Step 8 Click Save Configuration.

Step 9 Repeat this procedure if you want to configure client roaming for another radio band.

Configuring CCX Client Roaming Parameters (CLI)

Configure CCX Layer 2 client roaming parameters by entering this command:

config {802.11a | 802.11b} l2roam rf-params {default | custom min_rssi roam_hyst scan_thresh trans_time}
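The following is an added example, not code from this guide or from Cisco: it builds this command from the ranges and defaults listed in the GUI procedure above and validates the values first. RoamParams, build_l2roam_command and should_roam are names assumed here, and should_roam is one reading of how the hysteresis and scan threshold interact, not controller logic.

```python
"""Builder for the l2roam rf-params command above, with the documented ranges.

Added example, not Cisco code. The ranges and defaults are the ones listed in
the GUI procedure (Minimum RSSI -90..-50 dBm, default -85; Hysteresis 3..20 dB,
default 3; Scan Threshold -90..-50 dBm, default -72; Transition Time 1..5 s,
default 5). RoamParams, build_l2roam_command and should_roam are this example's
own names, and should_roam is one reading of how the parameters interact.
"""
from dataclasses import dataclass

# parameter: (low, high, default), in the order the custom form of the command takes them
RANGES = {
    "min_rssi": (-90, -50, -85),
    "roam_hyst": (3, 20, 3),
    "scan_thresh": (-90, -50, -72),
    "trans_time": (1, 5, 5),
}


@dataclass
class RoamParams:
    min_rssi: int = -85      # dBm
    roam_hyst: int = 3       # dB
    scan_thresh: int = -72   # dBm
    trans_time: int = 5      # seconds

    def validate(self):
        """Return a list of problems; an empty list means the values are acceptable."""
        problems = []
        for name, (low, high, _) in RANGES.items():
            value = getattr(self, name)
            if not low <= value <= high:
                problems.append(f"{name}={value} outside {low}..{high}")
        # Sanity check of this example, not a controller check: the text expects the
        # client to have roamed before the minimum RSSI is reached, so scanning must
        # begin above that level.
        if self.scan_thresh <= self.min_rssi:
            problems.append("scan_thresh must be above min_rssi")
        return problems

    def is_default(self):
        return all(getattr(self, n) == d for n, (_, _, d) in RANGES.items())


def build_l2roam_command(band, params):
    """Emit the config {802.11a | 802.11b} l2roam rf-params command for one band."""
    if band not in ("802.11a", "802.11b"):
        raise ValueError("band must be 802.11a or 802.11b")
    problems = params.validate()
    if problems:
        raise ValueError("; ".join(problems))
    if params.is_default():
        return f"config {band} l2roam rf-params default"
    return (f"config {band} l2roam rf-params custom {params.min_rssi} "
            f"{params.roam_hyst} {params.scan_thresh} {params.trans_time}")


def should_roam(current_rssi, neighbor_rssi, params):
    """Roam when the current AP is below the scan threshold and a neighbor beats it by
    at least the hysteresis (this example's reading of the two parameters)."""
    return (current_rssi < params.scan_thresh
            and neighbor_rssi - current_rssi >= params.roam_hyst)


if __name__ == "__main__":
    print(build_l2roam_command("802.11a", RoamParams()))
    print(build_l2roam_command("802.11b", RoamParams(-80, 5, -70, 3)))  # constructed values
    print(should_roam(-75, -70, RoamParams()))
```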

Obtaining CCX Client Roaming Information (CLI)

Step 1 View the current RF parameters configured for client roaming for the 802.11a or 802.11b/g network by entering this command:

show {802.11a | 802.11b} l2roam rf-param

Step 2 View the CCX Layer 2 client roaming statistics for a particular access point by entering this command:

show {802.11a | 802.11b} l2roam statistics ap_mac

This command provides the following information:


• The number of roam reason reports received

• The number of neighbor list requests received

• The number of neighbor list reports sent

• The number of broadcast neighbor updates sent

Step 3 View the roaming history for a particular client by entering this command:

show client roam-history client_mac

This command provides the following information:

• The time when the report was received

• The MAC address of the access point to which the client is currently associated

• The MAC address of the access point to which the client was previously associated

• The channel of the access point to which the client was previously associated

• The SSID of the access point to which the client was previously associated

• The time when the client disassociated from the previous access point

• The reason for the client roam

Debugging CCX Client Roaming Issues (CLI)

If you experience any problems with CCX Layer 2 client roaming, enter this command:

debug l2roam [detail | error | packet | all] {enable | disable}


CHAPTER 14

Configuring IP-MAC Address Binding

Information About Configuring IP-MAC Address Binding, page 141

Configuring IP-MAC Address Binding (CLI), page 141

Information About Configuring IP-MAC Address Binding

In controller software release 5.2 or later releases, the controller enforces strict IP address-to-MAC address binding in client packets. The controller checks the IP address and MAC address in a packet, compares them to the addresses that are registered with the controller, and forwards the packet only if they both match. In previous releases, the controller checked only the MAC address of the client and ignored the IP address.

You must disable IP-MAC address binding to use an access point in sniffer mode if the access point is associated with a 5500 series controller, a 2500 series controller, or a controller network module. To disable IP-MAC address binding, enter the config network ip-mac-binding disable command.

WLAN must be enabled to use an access point in sniffer mode if the access point is associated with a 5500 series controller, a 2500 series controller, or a controller network module. If WLAN is disabled, the access point cannot send packets.

Note

If the IP address or MAC address of the packet has been spoofed, the check does not pass, and the controller discards the packet. Spoofed packets can pass through the controller only if both the IP and MAC addresses are spoofed together and changed to that of another valid client on the same controller.
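The following is an added example, not controller code: it simulates the binding check on constructed clients and packets, including the single-address spoofing cases the Note describes, the case where both addresses equal those of another valid client, and the routed-network-behind-a-workgroup-bridge case that the CLI section's note gives as a reason to disable the check. ClientTable, Packet and every address are this example's own.

```python
"""Simulation of the IP-MAC address binding check described above.

Added example, not controller code. A registered-client table is built from
constructed addresses and each constructed client packet is forwarded only when
its source IP and MAC both match one registered client, which is the documented
behaviour; with the check disabled only the MAC is consulted, as in releases
before 5.2. ClientTable, Packet and the addresses are this example's own.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src_mac src_ip")


class ClientTable:
    """Clients registered with the controller, keyed by MAC address."""

    def __init__(self, binding_check=True):
        # binding_check mirrors config network ip-mac-binding {enable | disable}
        self.binding_check = binding_check
        self.ip_of = {}

    def register(self, mac, ip):
        self.ip_of[mac.lower()] = ip

    def forward(self, pkt):
        """Return (forwarded, reason) for one client packet."""
        mac = pkt.src_mac.lower()
        if mac not in self.ip_of:
            return False, "source MAC is not a registered client"
        if not self.binding_check:
            return True, "MAC registered; IP not checked (binding disabled)"
        if self.ip_of[mac] != pkt.src_ip:
            return False, f"IP {pkt.src_ip} is not bound to MAC {mac}"
        return True, "IP and MAC match the registered client"


def filter_packets(table, packets):
    """Apply the check to a batch; returns the packets the controller would forward."""
    return [p for p in packets if table.forward(p)[0]]


# Constructed clients and traffic for the demonstration
CLIENT_A = ("00:11:22:33:44:01", "10.0.0.11")
CLIENT_B = ("00:11:22:33:44:02", "10.0.0.12")
WGB = ("00:11:22:33:44:03", "10.0.0.13")       # workgroup bridge with a routed LAN behind it
ROUTED_HOST = Packet(WGB[0], "192.168.50.7")   # a host on that LAN arrives with the WGB MAC

SAMPLE = [
    Packet(*CLIENT_A),                          # legitimate client: forwarded
    Packet(CLIENT_A[0], CLIENT_B[1]),           # IP spoofed only: dropped
    Packet("de:ad:be:ef:00:01", CLIENT_A[1]),   # MAC spoofed only: dropped
    Packet(*CLIENT_B),                          # both addresses equal a valid client: passes
    ROUTED_HOST,                                # dropped unless the binding check is disabled
]


def build_table(binding_check=True):
    table = ClientTable(binding_check)
    for mac, ip in (CLIENT_A, CLIENT_B, WGB):
        table.register(mac, ip)
    return table


if __name__ == "__main__":
    for check in (True, False):
        table = build_table(check)
        print("binding check", "enabled:" if check else "disabled:")
        for pkt in SAMPLE:
            print("  ", pkt, *table.forward(pkt))
```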

Configuring IP-MAC Address Binding (CLI)

Step 1 Enable or disable IP-MAC address binding by entering this command:

config network ip-mac-binding {enable | disable}

The default value is enabled.

Note

You might want to disable this binding check if you have a routed network behind a workgroup bridge (WGB).


Note

You must disable this binding check in order to use an access point in sniffer mode if the access point is joined to a Cisco 5500 Series Controller.

Step 2 Save your changes by entering this command:

save config

Step 3 View the status of IP-MAC address binding by entering this command:

show network summary

Information similar to the following appears:

RF-Network Name............................. ctrl4404

Web Mode.................................... Disable

Secure Web Mode............................. Enable

Secure Web Mode Cipher-Option High.......... Disable

Secure Web Mode Cipher-Option SSLv2......... Disable

...

IP/MAC Addr Binding Check ............... Enabled

...


CHAPTER 15

Configuring Quality of Service

Configuring Quality of Service, page 143

Configuring Quality of Service Roles, page 147

Configuring Quality of Service

Information About Quality of Service

Quality of service (QoS) refers to the capability of a network to provide better service to selected network traffic over various technologies. The primary goal of QoS is to provide priority including dedicated bandwidth, controlled jitter and latency (required by some real-time and interactive traffic), and improved loss characteristics.

The controller supports four QoS levels:

• Platinum/Voice—Ensures a high quality of service for voice over wireless.

• Gold/Video—Supports high-quality video applications.

• Silver/Best Effort—Supports normal bandwidth for clients. This is the default setting.

• Bronze/Background—Provides the lowest bandwidth for guest services.

Note

VoIP clients should be set to Platinum.

You can configure the bandwidth of each QoS level using QoS profiles and then apply the profiles to WLANs.

The profile settings are pushed to the clients associated to that WLAN. In addition, you can create QoS roles to specify different bandwidth levels for regular and guest users. Follow the instructions in this section to configure QoS profiles and QoS roles. You can also define the maximum and default QoS levels for unicast and multicast traffic when you assign a QoS profile to a WLAN.

The wireless rate limits can be defined on both upstream and downstream traffic. Rate limits can be defined per SSID and/or specified as a maximum rate limit for all clients. These rate limits can be individually configured.

Cisco Wireless Controller Configuration Guide, Release 8.0

143

Configuring Quality of Service

Configuring Quality of Service Profiles

You can configure the Platinum, Gold, Silver, and Bronze QoS profiles.

Configuring QoS Profiles (GUI)

Step 1 Disable the 802.11a and 802.11b/g networks so that you can configure the QoS profiles.

To disable the radio networks, choose Wireless > 802.11a/n/ac or 802.11b/g/n > Network, unselect the 802.11a (or 802.11b/g) Network Status check box, and click Apply.

Step 2 Choose Wireless > QoS > Profiles to open the QoS Profiles page.

Step 3 Click the name of the profile that you want to configure to open the Edit QoS Profile page.

Step 4 Change the description of the profile by modifying the contents of the Description text box.

Step 5 Define the data rates on a per-user basis as follows:

a) Define the average data rate for TCP traffic per user by entering the rate in Kbps in the Average Data Rate text boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.

b) Define the peak data rate for TCP traffic per user by entering the rate in Kbps in the Burst Data Rate text boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.

Note

The burst data rate should be greater than or equal to the average data rate. Otherwise, the QoS policy may block traffic to and from the wireless client.

Ensure that you configure the average data rate before you configure the burst data rate.

c) Define the average real-time rate for UDP traffic per user by entering the rate in Kbps in the Average Real-Time Rate text boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.

Note

Average Data Rate is used to measure TCP traffic while Average Real-Time Rate is used for UDP traffic. They are measured in Kbps for all the entries. The values for Average Data Rate and Average Real-Time Rate can be different because they are applied to different upper layer protocols such as TCP and UDP. These different values for the rates do not impact the bandwidth.

d) Define the peak real-time rate for UDP traffic per user by entering the rate in Kbps in the Burst Real-Time Rate text boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.

Note

The burst real-time rate should be greater than or equal to the average real-time rate. Otherwise, the QoS policy may block traffic to and from the wireless client.

Step 6 Define the data rates on a per-SSID basis as follows:

a) Define the average data rate for TCP traffic per SSID by entering the rate in Kbps in the Average Data Rate text boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.

b) Define the peak data rate for TCP traffic per SSID by entering the rate in Kbps in the Burst Data Rate text boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.

Note

The burst data rate should be greater than or equal to the average data rate. Otherwise, the QoS policy may block traffic in the WLANs.

c) Define the average real-time rate for UDP traffic per SSID by entering the rate in Kbps in the Average Real-Time Rate text boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.

d) Define the peak real-time rate for UDP traffic per SSID by entering the rate in Kbps in the Burst Real-Time Rate text boxes. A value of 0 indicates that the value specified in the selected QoS profile will take effect.

Note

The burst real-time rate should be greater than or equal to the average real-time rate. Otherwise, the QoS policy may block traffic in the WLANs.


Step 7 Define the maximum and default QoS levels for unicast and multicast traffic when you assign a QoS profile to a WLAN.

a) From the Maximum Priority drop-down list, choose the maximum QoS priority for any data frames transmitted by the AP to any station in the WLAN.

For example, a QoS profile named ‘gold’ targeted for video applications has the maximum priority set to video by default.

b) From the Unicast Default Priority drop-down list, choose the QoS priority for unicast data frames transmitted by the AP to non-WMM stations in the WLAN.

c) From the Multicast Default Priority drop-down list, choose the QoS priority for multicast data frames transmitted by the AP to stations in the WLAN.

Note

The default unicast priority cannot be used for non-WMM clients in a mixed WLAN.

Step 8 Choose 802.1p from the Protocol Type drop-down list and enter the maximum priority value in the 802.1p Tag text box to define the maximum value (0–7) for the priority tag associated with packets that fall within the profile.

The tagged packets include CAPWAP data packets (between access points and the controller) and packets sent toward the core network.

Note

If a QoS profile has 802.1p tagging configured and if this QoS profile is assigned to a WLAN that uses an untagged interface on the controller, the client traffic will be blocked.

Step 9 Click Apply.

Step 10 Click Save Configuration.

Step 11 Reenable the 802.11 networks.

To enable the radio networks, choose Wireless > 802.11a/n/ac or 802.11b/g/n > Network, select the 802.11a (or 802.11b/g) Network Status check box, and click Apply.

Step 12 Choose WLANs and select a WLAN ID to apply the new QoS profile to it.

Step 13 In the WLAN > Edit page, go to the QoS tab and select the QoS Profile type from the Quality of Service drop-down list. The QoS profile will add the rate limit values configured on the controller on a per-WLAN, per-radio, and per-AP basis.

For example, if an upstream rate limit of 5 Mbps is configured for a QoS profile of type silver, then every WLAN that has the silver profile will limit traffic to 5 Mbps (5 Mbps for each WLAN) on each radio and on each AP where the WLAN is applicable.

Step 14 Click Apply.

Step 15 Click Save Configuration.

Configuring QoS Profiles (CLI)

Step 1 Disable the 802.11a and 802.11b/g networks so that you can configure the QoS profiles by entering these commands:

config 802.11{a | b} disable network

Step 2 Change the profile description by entering this command:

config qos description {bronze | silver | gold | platinum} description

Step 3 Define the average data rate for TCP traffic per user or per SSID by entering this command:


config qos average-data-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream} rate

Note

For the rate parameter, you can enter a value between 0 and 512,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS profile.

Step 4 Define the peak data rate for TCP traffic per user or per SSID by entering this command:

config qos burst-data-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream} rate

Step 5 Define the average real-time data rate for UDP traffic per user or per SSID by entering this command:

config qos average-realtime-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream} rate

Step 6 Define the peak real-time data rate for UDP traffic per user or per SSID by entering this command:

config qos burst-realtime-rate {bronze | silver | gold | platinum} {per-ssid | per-client} {downstream | upstream} rate

Step 7 Define the maximum and default QoS levels for unicast and multicast traffic when you assign a QoS profile to a WLAN by entering this command:

config qos priority {bronze | gold | platinum | silver} {maximum priority} {default unicast priority} {default multicast priority}

You choose from the following options for the maximum priority, default unicast priority, and default multicast priority parameters:

• besteffort

• background

• video

• voice

Step 8 Define the maximum value (0–7) for the priority tag associated with packets that fall within the profile, by entering these commands:

config qos protocol-type {bronze | silver | gold | platinum} dot1p

config qos dot1p-tag {bronze | silver | gold | platinum} tag

The tagged packets include CAPWAP data packets (between access points and the controller) and packets sent toward the core network.

Note

The 802.1p tagging has impact only on wired packets. Wireless packets are impacted only by the maximum priority level set for a QoS profile.

Note

If a QoS profile has 802.1p tagging configured and if this QoS profile is assigned to a WLAN that uses an untagged interface on the controller, the client traffic will be blocked.

Step 9 Reenable the 802.11a and 802.11b/g networks by entering these commands:

config 802.11{a | b} enable network

Step 10 Apply the new QoS profile to a WLAN by entering this command:

config wlan qos <WLAN ID> {bronze | silver | gold | platinum}


Configuring Quality of Service Roles

Information About Quality of Service Roles

After you configure a QoS profile and apply it to a WLAN, it limits the bandwidth level of clients associated to that WLAN. Multiple WLANs can be mapped to the same QoS profile, which can result in bandwidth contention between regular users (such as employees) and guest users. In order to prevent guest users from using the same level of bandwidth as regular users, you can create QoS roles with different (and presumably lower) bandwidth contracts and assign them to guest users.

You can configure up to ten QoS roles for guest users.

Note

If you choose to create an entry on the RADIUS server for a guest user and enable RADIUS authentication for the WLAN on which web authentication is performed rather than adding a guest user to the local user database from the controller, you need to assign the QoS role on the RADIUS server itself. To do so, a “guest-role” Airespace attribute needs to be added on the RADIUS server with a datatype of “string” and a return value of “11.” This attribute is sent to the controller when authentication occurs. If a role with the name returned from the RADIUS server is found configured on the controller, the bandwidth associated to that role is enforced for the guest user after authentication completes successfully.

Configuring QoS Roles

Configuring QoS Roles (GUI)

Step 1 Choose Wireless > QoS > Roles to open the QoS Roles for the Guest Users page.

This page shows any existing QoS roles for guest users.

Note

If you want to delete a QoS role, hover your cursor over the blue drop-down arrow for that role and choose Remove.

Step 2 Click New to create a new QoS role. The QoS Role Name > New page appears.

Step 3 In the Role Name text box, enter a name for the new QoS role. The name should uniquely identify the role of the QoS user (such as Contractor, Vendor, and so on).

Step 4 Click Apply.

Step 5 Click the name of the QoS role to edit the bandwidth of a QoS role. The Edit QoS Role Data Rates page appears.

Note

The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).

Note

The access points that support per-user bandwidth contracts for upstream traffic (from the client to the access point) are AP1140, AP1040, AP3500, AP3600, AP1250, and AP1260.


Step 6 Define the average data rate for TCP traffic on a per-user basis by entering the rate in Kbps in the Average Data Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Step 7 Define the peak data rate for TCP traffic on a per-user basis by entering the rate in Kbps in the Burst Data Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Note

The burst data rate should be greater than or equal to the average data rate. Otherwise, the QoS policy may block traffic to and from the wireless client.

Ensure that you configure the average data rate before you configure the burst data rate.

Step 8 Define the average real-time rate for UDP traffic on a per-user basis by entering the rate in Kbps in the Average Real-Time Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Step 9 Define the peak real-time rate for UDP traffic on a per-user basis by entering the rate in Kbps in the Burst Real-Time Rate text box. You can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Note

The burst real-time rate should be greater than or equal to the average real-time rate. Otherwise, the QoS policy may block traffic to and from the wireless client.

Step 10 Click Apply.

Step 11 Click Save Configuration.

Step 12 Apply a QoS role to a guest user by following the instructions in the Configuring Local Network Users for the Controller (GUI) section.

Configuring QoS Roles (CLI)

Step 1
Create a QoS role for a guest user by entering this command:

config netuser guest-role create role_name

Note
If you want to delete a QoS role, enter the config netuser guest-role delete role_name command.

Step 2
Configure the bandwidth contracts for a QoS role by entering these commands:

config netuser guest-role qos data-rate average-data-rate role_name rate—Configures the average data rate for TCP traffic on a per-user basis.

config netuser guest-role qos data-rate burst-data-rate role_name rate—Configures the peak data rate for TCP traffic on a per-user basis.

Note
The burst data rate should be greater than or equal to the average data rate. Otherwise, the QoS policy may block traffic to and from the wireless client.

config netuser guest-role qos data-rate average-realtime-rate role_name rate—Configures the average real-time rate for UDP traffic on a per-user basis.

config netuser guest-role qos data-rate burst-realtime-rate role_name rate—Configures the peak real-time rate for UDP traffic on a per-user basis.

Note
The burst real-time rate should be greater than or equal to the average real-time rate. Otherwise, the QoS policy may block traffic to and from the wireless client.

Note
For the role_name parameter in each of these commands, enter a name for the new QoS role. The name should uniquely identify the role of the QoS user (such as Contractor, Vendor, and so on). For the rate parameter, you can enter a value between 0 and 60,000 Kbps (inclusive). A value of 0 imposes no bandwidth restriction on the QoS role.

Step 3
Apply a QoS role to a guest user by entering this command:

config netuser guest-role apply username role_name

For example, the role of Contractor could be applied to guest user jsmith.

Note
If you do not assign a QoS role to a guest user, the Role text box in the User Details shows the role as “default.” The bandwidth contracts for this user are defined in the QoS profile for the WLAN.

Note
If you want to unassign a QoS role from a guest user, enter the config netuser guest-role apply username default command. This user now uses the bandwidth contracts defined in the QoS profile for the WLAN.

Step 4
Save your changes by entering this command:

save config

Step 5
See a list of the current QoS roles and their bandwidth parameters by entering this command:

show netuser guest-roles

Information similar to the following appears:

Role Name........................................ Contractor

Average Data Rate........................... 10

Burst Data Rate............................. 10

Average Realtime Rate....................... 100

Burst Realtime Rate......................... 100

Role Name........................................ Vendor

Average Data Rate........................... unconfigured

Burst Data Rate............................. unconfigured

Average Realtime Rate....................... unconfigured

Burst Realtime Rate...................... unconfigured
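The check a practitioner would want to run over this output, added here as an example and not taken from the guide: a parser for the show netuser guest-roles format that applies the rules stated above (each rate 0 to 60,000 Kbps, 0 meaning no restriction, burst not below average). The Staff role in the sample output is constructed to show a violation; not comparing a rate of 0 on either side is an assumption.

```python
"""Check QoS guest-role bandwidth contracts from 'show netuser guest-roles' output."""
import re

# Constructed sample output modelled on the guide's example. 'Staff' is
# deliberately misconfigured (burst below average) to show what the check catches.
SAMPLE_OUTPUT = """\
Role Name........................................ Contractor
Average Data Rate........................... 10
Burst Data Rate............................. 10
Average Realtime Rate....................... 100
Burst Realtime Rate......................... 100
Role Name........................................ Vendor
Average Data Rate........................... unconfigured
Burst Data Rate............................. unconfigured
Average Realtime Rate....................... unconfigured
Burst Realtime Rate...................... unconfigured
Role Name........................................ Staff
Average Data Rate........................... 2000
Burst Data Rate............................. 500
Average Realtime Rate....................... 0
Burst Realtime Rate......................... 0
"""

MAX_RATE_KBPS = 60000
# "<label>....... <value>" lines; the dot leader length varies, so match two or more.
LINE_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\.{2,}\s*(?P<value>\S+)\s*$")

# (average, burst) pairs the guide says must satisfy burst >= average.
RATE_PAIRS = (("Average Data Rate", "Burst Data Rate"),
              ("Average Realtime Rate", "Burst Realtime Rate"))


def parse_guest_roles(text):
    """Return {role_name: {field: int or None}}; None stands for 'unconfigured'."""
    roles, current = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value")
        if key == "Role Name":
            current = value
            roles[current] = {}
        elif current is not None:
            roles[current][key] = None if value == "unconfigured" else int(value)
    return roles


def check_role(name, rates):
    """Return a list of findings for one role; an empty list means it is consistent."""
    findings = []
    for avg_key, burst_key in RATE_PAIRS:
        avg, burst = rates.get(avg_key), rates.get(burst_key)
        for key, val in ((avg_key, avg), (burst_key, burst)):
            if val is not None and not 0 <= val <= MAX_RATE_KBPS:
                findings.append(f"{name}: {key} {val} is outside 0-{MAX_RATE_KBPS} Kbps")
        # Guide: burst must be >= average or the policy may block the client's traffic.
        # Assumption: 0 means 'no restriction' on either side, so it is not compared.
        if avg and burst and burst < avg:
            findings.append(f"{name}: {burst_key} {burst} is below {avg_key} {avg}; "
                            "traffic to and from the client may be blocked")
    return findings


def check_guest_roles(text):
    """Map every role in the command output to its list of findings."""
    return {name: check_role(name, rates) for name, rates in parse_guest_roles(text).items()}


if __name__ == "__main__":
    for role, findings in check_guest_roles(SAMPLE_OUTPUT).items():
        print(role, "OK" if not findings else "; ".join(findings))
```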


CHAPTER 16

Configuring Application Visibility and Control

Information About Application Visibility and Control, page 151

Restrictions for Application Visibility and Control, page 152

Configuring Application Visibility and Control (GUI), page 153

Configuring Application Visibility and Control (CLI), page 154

Configuring NetFlow, page 155

Information About Application Visibility and Control

Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with the Network-Based Application Recognition (NBAR) engine, and provides application-level visibility and control (QoS) in wireless networks. After the applications are recognized, the AVC feature enables you to either drop, mark, or police the data traffic.

Using AVC, we can detect more than 1000 applications. AVC enables you to perform real-time analysis and create policies to reduce network congestion, costly network link usage, and infrastructure upgrades.

Note

You can view a list of 30 applications under Top Applications in the Monitor Summary section of the UI.

AVC DSCP marks only the DSCP of the original packet in the controller in both directions (upstream and downstream). It does not affect the outer CAPWAP DSCP. AVC DSCP is applicable only when the application is classified. For example, based on the AVC profile configuration, if an application is classified as ftp or http, the corresponding DSCP marking is applied irrespective of the WLAN QoS. For downstream, the DSCP value of the outer CAPWAP header and the inner packet’s DSCP are taken from the AVC DSCP. WLAN QoS is applicable only to traffic from the WLC to the AP through CAPWAP. It does not change the DSCP of the original packet.

Using an AVC rule, you can limit the bandwidth of a particular application for all the clients joined on the WLAN.

These bandwidth contracts coexist with per-client downstream rate limiting; the per-client downstream rate limit takes precedence over the per-application rate limit.


Note
When you downgrade the controller from 8.0 to any earlier version, the AVC rate limit rules display the action as drop. This action is expected because the AVC rate limit rule was introduced in controller version 8.0.

AVC is supported in central switching mode on the following controller platforms: Cisco 2500 Series Wireless LAN Controllers, Cisco 5500 Series Wireless LAN Controllers, Cisco Flex 7500 Series Wireless LAN Controllers, Cisco 8500 Series Wireless LAN Controllers, and Cisco Wireless Services Module 2 (WiSM2).

The number of concurrent flows supported for AVC classification on each controller platform in the 8.0 release is noted in the following table. The absolute maximum number of flows supported on one platform cannot exceed 110% of the number shown in the table, and the extra 10% of flows is supported only when free memory is available in the system.

Controller | Flows
Cisco 5500 Series Wireless LAN Controller | 175,000
Cisco 2500 Series Wireless LAN Controller | 25,000
WISM-2 | 375,000
Cisco 8500 Series Wireless LAN Controller | 350,000

Application Visibility and Control Protocol Packs

Protocol packs are a means to distribute protocol updates outside the controller software release trains, and can be loaded on the controller without replacing the controller software.

The Application Visibility and Control Protocol Pack (AVC Protocol Pack) is a single compressed file that contains multiple Protocol Description Language (PDL) files and a manifest file. A set of required protocols can be loaded, which helps AVC to recognize additional protocols for classification on your network. The manifest file gives information about the protocol pack, such as the protocol pack name, version, and some information about the available PDLs in the protocol pack.

The AVC Protocol Packs are released to specific AVC engine versions. You can load a protocol pack if the engine version on the controller platform is the same or higher than the version required by the protocol pack.

AAA override for AVC profiles

The AAA attribute for a client or user profile is configured on the AAA server, using authentication from a RADIUS server, Cisco ACS, or ISE. The AAA attribute is processed during Layer 2 or Layer 3 authentication by the controller, and it overrides what is configured on the WLAN.

The AAA AVC profile is defined as a Cisco AV pair. The string option is defined as avc-profile-name, and its value must be the name of an AVC profile that is available on the controller.

Restrictions for Application Visibility and Control

• IPv6 packet classification is not supported.

• Layer 2 roaming is not supported across controllers.

• Multicast traffic is not supported.

• Controller GUI support is not present for the AVC Protocol Pack feature.

• Downloading the AVC Protocol Pack is not supported on the Cisco 2500 Series Wireless LAN Controllers.

• You can apply a rate limit to a maximum of 3 applications.

• Only one rule can be configured per application. An application cannot have both a rate limit and a Mark rule.

• In an HA environment, if the standby controller has a different protocol pack version installed before pairing, then the active and standby controllers have different protocol pack versions after pairing. In the standby controller, the transferred protocol pack takes preference over the default protocol pack. For example, the controller with software release 8.0 contains Protocol Pack version 9.0 by default. Before pairing, if one of the controllers has Protocol Pack version 11.0 installed, then after pairing one controller contains Protocol Pack version 9.0 and the other controller contains Protocol Pack 11.0.

• AVC rate limiting is not supported on Cisco 2504 WLC.

Configuring Application Visibility and Control (GUI)

Step 1
Create and configure an AVC profile by following these steps:

a) Choose Wireless > Application Visibility and Control > AVC Profiles.

b) Click New.

c) Enter the AVC profile name.

d) Click Apply.

e) On the AVC Profile Name page, click the corresponding AVC profile name. The AVC Profile > Edit page is displayed.

f) Click Add New Rule.

g) Choose the application group and the application name from the respective drop-down lists. View the list of default AVC applications available by choosing Wireless > Application Visibility and Control > AVC Applications.

h) From the Action drop-down list, choose either of the following:

Drop—Drops the upstream and downstream packets that correspond to the chosen application.

Mark—Marks the upstream and downstream packets that correspond to the chosen application with the Differentiated Services Code Point (DSCP) value that you specify in the DSCP (0 to 63) drop-down list. The DSCP value helps you provide differentiated services based on the QoS levels.

Note
The default action is to give permission to all applications.

i) If you choose Mark from the Action drop-down list, choose a DSCP value from the DSCP (0 to 63) drop-down list. The DSCP value is a packet header code that is used to define QoS across the Internet. The DSCP values are mapped to the following QoS levels:

Platinum (Voice)—Assures a high QoS for Voice over Wireless.

Gold (Video)—Supports high-quality video applications.

Silver (Best Effort)—Supports normal bandwidth for clients.

Bronze (Background)—Provides the lowest bandwidth for guest services.

You can also choose Custom and specify the DSCP value. The valid range is from 0 to 63.

j) Click Apply.

k) Click Save Configuration.

Step 2
Associate an AVC profile to a WLAN by following these steps:

a) Choose WLANs and click the corresponding WLAN ID. The WLANs > Edit page is displayed.

b) Click the QoS tab.

c) Choose the AVC profile from the AVC Profile drop-down list.

d) Click Apply.

e) Click Save Configuration.

Configuring Application Visibility and Control (CLI)

• Create or delete an AVC profile by entering this command:

config avc profile avc-profile-name {create | delete}

• Add a rule for an AVC profile by entering this command:

config avc profile avc-profile-name rule add application application-name {drop | mark dscp-value | ratelimit Average Ratelimit value Burst Ratelimit value}

• Remove a rule for an AVC profile by entering this command:

config avc profile avc-profile-name rule remove application application-name

• Configure an AVC profile to a WLAN by entering this command:

config wlan avc wlan-id profile avc-profile-name {enable | disable}

• Configure application visibility for a WLAN by entering this command:

config wlan avc wlan-id visibility {enable | disable}

Note
Application visibility is a subset of an AVC profile. Therefore, visibility is automatically enabled when you configure an AVC profile on the WLAN.

• Download an AVC Protocol Pack to the controller by entering these commands:

1 transfer download datatype avc-protocol-pack

2 transfer download start

• View information about all AVC profiles or a particular AVC profile by entering this command:

show avc profile {summary | detailed avc-profile-name}

• View information about AVC applications by entering these commands:

show avc applications [application-group]—Displays all the supported AVC applications for the application group.

show avc statistics application application_name top-users [downstream wlan | upstream wlan | wlan] [wlan_id]—Displays AVC statistics for the top users of an application.

show avc statistics top-apps [upstream | downstream]—Displays the AVC statistics for the most used applications.

show avc statistics wlan wlan_id {application application_name | top-app-groups [upstream | downstream] | top-apps [upstream | downstream]}—Displays the AVC statistics of a WLAN per application, top applications, or top application groups.

show avc statistics client client_MAC {application application_name | top-apps [upstream | downstream]}—Displays the client AVC statistics per application or top applications.

Note
You can view a list of 30 applications using the show avc applications and show avc statistics commands.

• View the protocol pack that is used on the controller by entering this command:

show avc protocol-pack version

• View the AVC engine version information by entering this command:

show avc engine version

• Configure troubleshooting for AVC events by entering this command:

debug avc events {enable | disable}

• Configure troubleshooting for AVC errors by entering this command:

debug avc error {enable | disable}
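The AVC CLI commands above together with the restrictions listed earlier in this chapter, combined in an added example that is not Cisco's code: a small builder that emits the config avc and config wlan avc command sequence for a profile and refuses rules that would break a restriction (one rule per application, at most 3 rate-limited applications, DSCP 0 to 63, no rate limiting on the Cisco 2504). The platform label, profile name, WLAN ID and application names are constructed.

```python
"""Build an AVC profile as CLI commands while enforcing the chapter's restrictions."""
from dataclasses import dataclass, field
from typing import List, Optional

DSCP_MAX = 63
MAX_RATELIMIT_APPS = 3


@dataclass
class AvcRule:
    """One rule of an AVC profile: exactly one action per application."""
    application: str
    action: str                        # "drop", "mark" or "ratelimit"
    dscp: Optional[int] = None         # used by "mark"
    avg_kbps: Optional[int] = None     # used by "ratelimit"
    burst_kbps: Optional[int] = None   # used by "ratelimit"

    def cli(self, profile: str) -> str:
        """Render the 'config avc profile ... rule add' form shown in the guide."""
        base = f"config avc profile {profile} rule add application {self.application}"
        if self.action == "drop":
            return f"{base} drop"
        if self.action == "mark":
            return f"{base} mark {self.dscp}"
        return f"{base} ratelimit {self.avg_kbps} {self.burst_kbps}"


@dataclass
class AvcProfile:
    name: str
    platform: str = "5508"   # constructed label; "2504" models the Cisco 2504 WLC
    rules: List[AvcRule] = field(default_factory=list)

    def add_rule(self, rule: AvcRule) -> None:
        """Append a rule, or raise ValueError when it violates a restriction."""
        if any(r.application == rule.application for r in self.rules):
            raise ValueError(f"{rule.application}: only one rule per application "
                             "(an application cannot have both a rate limit and a mark)")
        if rule.action == "drop":
            pass
        elif rule.action == "mark":
            if rule.dscp is None or not 0 <= rule.dscp <= DSCP_MAX:
                raise ValueError("mark needs a DSCP value from 0 to 63")
        elif rule.action == "ratelimit":
            if self.platform == "2504":
                raise ValueError("AVC rate limiting is not supported on the Cisco 2504 WLC")
            if sum(r.action == "ratelimit" for r in self.rules) >= MAX_RATELIMIT_APPS:
                raise ValueError(f"rate limit allowed on at most {MAX_RATELIMIT_APPS} applications")
            if rule.avg_kbps is None or rule.burst_kbps is None:
                raise ValueError("ratelimit needs an average and a burst rate")
        else:
            raise ValueError(f"unknown action {rule.action!r}")
        self.rules.append(rule)

    def commands(self, wlan_id: int) -> List[str]:
        """Create the profile, add its rules, attach it to the WLAN, and save."""
        cmds = [f"config avc profile {self.name} create"]
        cmds += [r.cli(self.name) for r in self.rules]
        cmds += [f"config wlan avc {wlan_id} profile {self.name} enable", "save config"]
        return cmds


def rejected_by(profile: AvcProfile, rule: AvcRule) -> bool:
    """Try to add the rule; True if the profile's checks reject it."""
    try:
        profile.add_rule(rule)
    except ValueError:
        return True
    return False


def build_guest_profile() -> AvcProfile:
    """Constructed example profile; the application names are illustrative."""
    profile = AvcProfile("guest-avc")
    profile.add_rule(AvcRule("bittorrent", "drop"))
    profile.add_rule(AvcRule("skype", "mark", dscp=46))
    profile.add_rule(AvcRule("youtube", "ratelimit", avg_kbps=500, burst_kbps=1000))
    return profile


if __name__ == "__main__":
    print("\n".join(build_guest_profile().commands(1)))
```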

Configuring NetFlow

Information About NetFlow

NetFlow is an embedded instrumentation within the Cisco Wireless Controller (WLC) software to characterize wireless network flows. NetFlow monitors each IP flow and exports the aggregated flow data to the external NetFlow collectors.

The NetFlow architecture consists of the following components:

• Collector—Entity that collects all the IP traffic information from various NetFlow exporters.

• Exporter—Network entity that exports the template with the IP traffic information. The Cisco WLC acts as an exporter.

Note
Cisco WLC does not support IPv6 address format when acting as an exporter for NetFlow.

Configuring NetFlow (GUI)

Step 1
Configure the Exporter by performing these steps:

a) Choose Wireless > Netflow > Exporter.

b) Click New.

c) Enter the Exporter name, IP address, and the port number. The valid range for the port number is from 1 to 65535.

d) Click Apply.

e) Click Save Configuration.

Step 2
Configure the NetFlow Monitor by performing these steps:

a) Choose Wireless > Netflow > Monitor.

b) Click New and enter a Monitor name.

c) On the Monitor List window, click the Monitor name to open the Netflow Monitor > Edit window.

d) Choose the exporter name and the record name from the respective drop-down lists.

• Client App Record—Better Performance

e) Click Apply.

f) Click Save Configuration.

Step 3
Associate a NetFlow Monitor to a WLAN by performing these steps:

a) Choose WLANs and click a WLAN ID to open the WLANs > Edit page.

b) In the QoS tab, choose a NetFlow monitor from the Netflow Monitor drop-down list.

c) Click Apply.

d) Click Save Configuration.

Configuring NetFlow (CLI)

• Create an Exporter by entering this command:

config flow create exporter exporter-name ip-addr port-number

• Create a NetFlow Monitor by entering this command:

config flow create monitor monitor-name

• Associate or dissociate a NetFlow monitor with an exporter by entering this command:

config flow {add | delete} monitor monitor-name exporter exporter-name


• Associate or dissociate a NetFlow monitor with a record by entering this command:

config flow {add | delete} monitor monitor-name record ipv4_client_app_flow_record

• Associate or dissociate a NetFlow monitor with a WLAN by entering this command:

config wlan flow wlan-id monitor monitor-name {enable | disable}

• View a summary of NetFlow monitors by entering this command:

show flow monitor summary

• View information about the Exporter by entering this command:

show flow exporter {summary | statistics}

• Configure NetFlow debug by entering this command:

debug flow {detail | error | info} {enable | disable}


CHAPTER 17

Configuring Media and EDCA Parameters

Configuring Voice and Video Parameters, page 159

Configuring SIP-Based CAC, page 171

Configuring Media Parameters, page 173

Configuring Voice Prioritization Using Preferred Call Numbers, page 173

Configuring EDCA Parameters, page 175

Configuring Voice and Video Parameters

Information About Configuring Voice and Video Parameters

Three parameters on the controller affect voice and/or video quality:

• Call admission control

• Expedited bandwidth requests

• Unscheduled automatic power save delivery

Each of these parameters is supported in Cisco Compatible Extensions (CCX) v4 and v5.

Note

Traffic stream metrics (TSM) can be used to monitor and report issues with voice quality.

Call Admission Control

Call admission control (CAC) enables an access point to maintain controlled quality of service (QoS) when the wireless LAN is experiencing congestion. The Wi-Fi Multimedia (WMM) protocol deployed in CCXv3 ensures sufficient QoS as long as the wireless LAN is not congested. However, in order to maintain QoS under differing network loads, CAC in CCXv4 is required. Two types of CAC are available: bandwidth-based CAC and load-based CAC.

Note

CAC is not supported in FlexConnect local authentication, so voice traffic is not properly tagged.

Bandwidth-Based CAC

Bandwidth-based, or static, CAC enables the client to specify how much bandwidth or shared medium time is required to accept a new call and in turn enables the access point to determine whether it is capable of accommodating this particular call. The access point rejects the call if necessary in order to maintain the maximum allowed number of calls with acceptable quality.

The QoS setting for a WLAN determines the level of bandwidth-based CAC support. To use bandwidth-based CAC with voice applications, the WLAN must be configured for Platinum QoS. To use bandwidth-based CAC with video applications, the WLAN must be configured for Gold QoS. Also, make sure that WMM is enabled for the WLAN. See the Information About Configuring 802.3 Bridging, on page 113 section for QoS and WMM configuration instructions.

Note

You must enable admission control (ACM) for CCXv4 clients that have WMM enabled. Otherwise, bandwidth-based CAC does not operate properly.

Load-Based CAC

Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types (including that from clients), co-channel access point loads, and collocated channel interference, for voice applications. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.

In load-based CAC, the access point continuously measures and updates the utilization of the RF channel (that is, the percentage of bandwidth that has been exhausted), channel interference, and the additional calls that the access point can admit. The access point admits a new call only if the channel has enough unused bandwidth to support that call. By doing so, load-based CAC prevents oversubscription of the channel and maintains QoS under all conditions of WLAN loading and interference.

Note

Load-based CAC is supported only on lightweight access points. If you disable load-based CAC, the access points start using bandwidth-based CAC.

Expedited Bandwidth Requests

The expedited bandwidth request feature enables CCXv5 clients to indicate the urgency of a WMM traffic specifications (TSPEC) request (for example, an e911 call) to the WLAN. When the controller receives this request, it attempts to facilitate the urgency of the call in any way possible without potentially altering the quality of other TSPEC calls that are in progress.

You can apply expedited bandwidth requests to both bandwidth-based and load-based CAC. Expedited bandwidth requests are disabled by default. When this feature is disabled, the controller ignores all expedited requests and processes TSPEC requests as normal TSPEC requests.

This table lists examples of TSPEC request handling for normal TSPEC requests and expedited bandwidth requests.


Table 4: TSPEC Request Handling Examples

CAC Mode | Reserved bandwidth for voice calls (1) | Usage (2) | Normal TSPEC Request | TSPEC with Expedited Bandwidth Request
Bandwidth-based CAC | 75% (default setting) | Less than 75% | Admitted | Admitted
Bandwidth-based CAC | 75% (default setting) | Between 75% and 90% (reserved bandwidth for voice calls exhausted) | Rejected | Admitted
Bandwidth-based CAC | 75% (default setting) | More than 90% | Rejected | Rejected
Load-based CAC | 75% (default setting) | Less than 75% | Admitted | Admitted
Load-based CAC | 75% (default setting) | Between 75% and 85% (reserved bandwidth for voice calls exhausted) | Rejected | Admitted
Load-based CAC | 75% (default setting) | More than 85% | Rejected | Rejected

1 For bandwidth-based CAC, the voice call bandwidth usage is per access point and does not take into account co-channel access points. For load-based CAC, the voice call bandwidth usage is measured for the entire channel.

2 Bandwidth-based CAC (consumed voice and video bandwidth) or load-based CAC (channel utilization [Pb]).
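Table 4 as a decision function, added here as an example and not part of the guide: the 75% reservation and the 90% (bandwidth-based) and 85% (load-based) ceilings are the table's values. Treating usage exactly at 75% as "reserved bandwidth exhausted" and usage exactly at a ceiling as still within the expedited band is an assumption drawn from the table's wording.

```python
"""Admission decision for a voice TSPEC request, following Table 4 of this guide.

usage_pct is the consumed voice and video bandwidth for bandwidth-based CAC, or the
channel utilization for load-based CAC. reserved_pct is the reserved voice bandwidth
(75% by default in the guide).
"""

# Usage above which even an expedited request is rejected, per CAC mode (Table 4).
EXPEDITED_CEILING_PCT = {"bandwidth": 90, "load": 85}


def admit_tspec(cac_mode, usage_pct, expedited=False, expedited_enabled=True,
                reserved_pct=75):
    """Return "Admitted" or "Rejected" for one TSPEC request."""
    if cac_mode not in EXPEDITED_CEILING_PCT:
        raise ValueError("cac_mode must be 'bandwidth' or 'load'")
    if not 0 <= usage_pct <= 100:
        raise ValueError("usage_pct must be a percentage")
    # When the feature is disabled, the controller ignores the expedited flag and
    # processes the request as a normal TSPEC request.
    expedited = expedited and expedited_enabled
    if usage_pct < reserved_pct:
        return "Admitted"    # reserved voice bandwidth not yet exhausted
    # Assumption: at exactly the ceiling the request still counts as "between".
    if expedited and usage_pct <= EXPEDITED_CEILING_PCT[cac_mode]:
        return "Admitted"    # e.g. an e911 call admitted above the reservation
    return "Rejected"


def handling_table(cac_mode, samples=(60, 80, 95)):
    """Rows of (usage, normal outcome, expedited outcome), one per band of Table 4."""
    return [(u, admit_tspec(cac_mode, u), admit_tspec(cac_mode, u, expedited=True))
            for u in samples]


if __name__ == "__main__":
    for mode in EXPEDITED_CEILING_PCT:
        print(mode, handling_table(mode))
```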

Note

Admission control for TSPEC g711-40ms codec type is supported.

Note

When video ACM is enabled, the controller rejects a video TSPEC if the non-MSDU size in the TSPEC is greater than 149 or the mean data rate is greater than 1 Kbps.

U-APSD

Unscheduled automatic power save delivery (U-APSD) is a QoS facility defined in IEEE 802.11e that extends the battery life of mobile clients. In addition to extending battery life, this feature reduces the latency of traffic flow delivered over the wireless media. Because U-APSD does not require the client to poll each individual packet buffered at the access point, it allows delivery of multiple downlink packets by sending a single uplink trigger packet. U-APSD is enabled automatically when WMM is enabled.

Traffic Stream Metrics

In a voice-over-wireless LAN (VoWLAN) deployment, traffic stream metrics (TSM) can be used to monitor voice-related metrics on the client-access point air interface. It reports both packet latency and packet loss.

You can isolate poor voice quality issues by studying these reports.


The metrics consist of a collection of uplink (client side) and downlink (access point side) statistics between an access point and a client device that supports CCX v4 or later releases. If the client is not CCX v4 or CCXv5 compliant, only downlink statistics are captured. The client and access point measure these metrics. The access point also collects the measurements every 5 seconds, prepares 90-second reports, and then sends the reports to the controller. The controller organizes the uplink measurements on a client basis and the downlink measurements on an access point basis and maintains an hour’s worth of historical data. To store this data, the controller requires 32 MB of additional memory for uplink metrics and 4.8 MB for downlink metrics.

TSM can be configured through either the GUI or the CLI on a per radio-band basis (for example, all 802.11a radios). The controller saves the configuration in flash memory so that it persists across reboots. After an access point receives the configuration from the controller, it enables TSM on the specified radio band.

Note

Access points support TSM entries in both local and FlexConnect modes.

This table shows the upper limit for TSM entries in different controller series.

TSM Entries | 5500 | 7500
MAX AP TSM entries | 100 | 100
MAX Client TSM entries | 250 | 250
MAX TSM entries | 100*250=25000 | 100*250=25000

Note
Once the upper limit is reached, additional TSM entries cannot be stored and sent to Cisco Prime Infrastructure. If client TSM entries are full and AP TSM entries are available, then only the AP entries are stored, and vice versa. This leads to partial output. TSM cleanup occurs every one hour. Entries are removed only for those APs and clients that are not in the system.

Configuring Voice Parameters

Configuring Voice Parameters (GUI)

Step 1
Ensure that the WLAN is configured for WMM and the Platinum QoS level.

Step 2
Disable all WLANs with WMM enabled and click Apply.

Step 3
Choose Wireless and then Network under 802.11a/n/ac or 802.11b/g/n, unselect the 802.11a (or 802.11b/g) Network Status check box, and click Apply to disable the radio network.

Step 4
Choose Wireless > 802.11a/n/ac or 802.11b/g/n > Media. The 802.11a (or 802.11b) > Media page appears. The Voice tab is displayed by default.

Step 5
Select the Admission Control (ACM) check box to enable bandwidth-based CAC for this radio band. The default value is disabled.

Step 6
Select the Admission Control (ACM) method you want to use by choosing from the following choices:

Load-based—To enable channel-based CAC. This is the default option.

Static—To enable radio-based CAC.

Step 7
In the Max RF Bandwidth text box, enter the percentage of the maximum bandwidth allocated to clients for voice applications on this radio band. Once the client reaches the value specified, the access point rejects new calls on this radio band.

The range is 5% to 85%. The sum of the maximum bandwidth percentages for voice and video should not exceed 85%.

The default is 75%.

Step 8
In the Reserved Roaming Bandwidth text box, enter the percentage of maximum allocated bandwidth that is reserved for roaming voice clients. The controller reserves this bandwidth from the maximum allocated bandwidth for roaming voice clients.

The range is 0% to 25%.

The default is 6%.

Step 9
To enable expedited bandwidth requests, select the Expedited Bandwidth check box. By default, this check box is disabled.

Step 10
To enable SIP CAC support, select the SIP CAC Support check box. By default, SIP CAC support is disabled.

Step 11
From the SIP Codec drop-down list, choose one of the following options to set the codec name. The default value is G.711. The options are as follows:

• User Defined

• G.711

• G.729

Step 12
In the SIP Bandwidth (kbps) text box, enter the bandwidth in kilobits per second.

The possible range is 8 to 64.

The default value is 64.

Note
The SIP Bandwidth (kbps) text box is highlighted only when you select the SIP codec as User-Defined. If you choose the SIP codec as G.711, the SIP Bandwidth (kbps) text box is set to 64. If you choose the SIP codec as G.729, the SIP Bandwidth (kbps) text box is set to 8.

Step 13
In the SIP Voice Sample Interval (msecs) text box, enter the value for the sample interval.

Step 14
In the Maximum Calls text box, enter the maximum number of calls that can be made to this radio. The maximum call limit includes both direct and roaming-in calls. If the maximum call limit is reached, the new or roaming-in calls result in failure.

The possible range is 0 to 25.

The default value is 0, which indicates that there is no check for the maximum call limit.

Note
If SIP CAC is supported and the CAC method is static, the Maximum Possible Voice Calls and Maximum Possible Roaming Reserved Calls fields appear.

Step 15
Select the Metrics Collection check box to collect traffic stream metrics. By default, this box is unselected. That is, the traffic stream metrics are not collected by default.

Step 16
Click Apply.

Step 17
Reenable all WMM WLANs and click Apply.

Step 18
Choose Network under 802.11a/n/ac or 802.11b/g/n, select the 802.11a (or 802.11b/g) Network Status check box, and click Apply to reenable the radio network.

Step 19
Click Save Configuration.

Step 20
Repeat this procedure if you want to configure voice parameters for another radio band.

Configuring Voice Parameters (CLI)

Before You Begin

Ensure that you have configured SIP-based CAC.

Step 1
See all of the WLANs configured on the controller by entering this command:

show wlan summary

Step 2
Make sure that the WLAN that you are planning to modify is configured for WMM and the QoS level is set to Platinum by entering this command:

show wlan wlan_id

Step 3
Disable all WLANs with WMM enabled prior to changing the voice parameters by entering this command:

config wlan disable wlan_id

Step 4
Disable the radio network by entering this command:

config {802.11a | 802.11b} disable network

Step 5
Save your settings by entering this command:

save config

Step 6
Enable or disable bandwidth-based voice CAC for the 802.11a or 802.11b/g network by entering this command:

config {802.11a | 802.11b} cac voice acm {enable | disable}

Step 7
Set the percentage of maximum bandwidth allocated to clients for voice applications on the 802.11a or 802.11b/g network by entering this command:

config {802.11a | 802.11b} cac voice max-bandwidth bandwidth

The bandwidth range is 5 to 85%, and the default value is 75%. Once the client reaches the value specified, the access point rejects new calls on this network.

Step 8
Set the percentage of maximum allocated bandwidth reserved for roaming voice clients by entering this command:

config {802.11a | 802.11b} cac voice roam-bandwidth bandwidth

The bandwidth range is 0 to 25%, and the default value is 6%. The controller reserves this much bandwidth from the maximum allocated bandwidth for roaming voice clients.

Step 9
Configure the codec name and sample interval as parameters to calculate the required bandwidth per call by entering this command:

config {802.11a | 802.11b} cac voice sip codec {g711 | g729} sample-interval number_msecs

Step 10
Configure the bandwidth that is required per call by entering this command:

config {802.11a | 802.11b} cac voice sip bandwidth bandwidth_kbps sample-interval number_msecs

Step 11
Reenable all WLANs with WMM enabled by entering this command:

config wlan enable wlan_id

Step 12
Reenable the radio network by entering this command:

config {802.11a | 802.11b} enable network

Step 13
View the TSM voice metrics by entering this command:

show [802.11a | 802.11b] cu-metrics AP_Name

The command also displays the channel utilization metrics.

Step 14
Enter the save config command to save your settings.

Configuring Video Parameters

Configuring Video Parameters (GUI)

Step 1 Ensure that the WLAN is configured for WMM and the Gold QoS level.

Step 2 Disable all WLANs with WMM enabled and click Apply.

Step 3 Choose Wireless and then Network under 802.11a/n/ac or 802.11b/g/n, unselect the 802.11a (or 802.11b/g) Network Status check box, and click Apply to disable the radio network.

Step 4 Choose Wireless > 802.11a/n/ac or 802.11b/g/n > Media. The 802.11a (or 802.11b) > Media page appears.

Step 5 In the Video tab, select the Admission Control (ACM) check box to enable video CAC for this radio band. The default value is disabled.

Step 6 From the CAC Method drop-down list, choose between the Static and Load Based methods.

The static CAC method is based on the radio and the load-based CAC method is based on the channel.

Note

For TSpec-based and SIP-based CAC for video calls, only the Static method is supported.

Step 7 In the Max RF Bandwidth text box, enter the percentage of the maximum bandwidth allocated to clients for video applications on this radio band. When the bandwidth in use reaches the value specified, the access point rejects new requests on this radio band.

The range is 5% to 85%. The sum of the maximum bandwidth percentages for voice and video should not exceed 85%. The default is 0%.

Step 8 In the Reserved Roaming Bandwidth text box, enter the percentage of the maximum RF bandwidth that is reserved for roaming video clients.

Step 9 Configure SIP CAC support by selecting or unselecting the SIP CAC Support check box.

SIP CAC is supported only if SIP snooping is enabled.

Note

You cannot enable SIP CAC if you have selected the Load Based CAC method.

Step 10 Click Apply.

Step 11 Reenable all WMM WLANs and click Apply.

Step 12 Choose Network under 802.11a/n/ac or 802.11b/g/n, select the 802.11a (or 802.11b/g) Network Status check box, and click Apply to reenable the radio network.

Step 13 Click Save Configuration.

Step 14 Repeat this procedure if you want to configure video parameters for another radio band.

Configuring Video Parameters (CLI)

Before You Begin

Ensure that you have configured SIP-based CAC.

Step 1 See all of the WLANs configured on the controller by entering this command:

show wlan summary

Step 2 Make sure that the WLAN that you are planning to modify is configured for WMM and the QoS level is set to Gold by entering this command:

show wlan wlan_id

Step 3 Disable all WLANs with WMM enabled prior to changing the video parameters by entering this command:

config wlan disable wlan_id

Step 4 Disable the radio network by entering this command:

config {802.11a | 802.11b} disable network

Step 5 Save your settings by entering this command:

save config

Step 6 Enable or disable video CAC for the 802.11a or 802.11b/g network by entering this command:

config {802.11a | 802.11b} cac video acm {enable | disable}

Step 7 Configure the CAC method as either static or load-based by entering this command:

config {802.11a | 802.11b} cac video cac-method {static | load-based}

Step 8 Set the percentage of maximum bandwidth allocated to clients for video applications on the 802.11a or 802.11b/g network by entering this command:

config {802.11a | 802.11b} cac video max-bandwidth bandwidth

The bandwidth range is 5 to 85%, and the default value is 5%. However, the combined maximum RF bandwidth for voice and video cannot exceed 85%. Once the bandwidth in use reaches the value specified, the access point rejects new calls on this network.

Note

If this parameter is set to zero (0), the controller assumes that you do not want to do any bandwidth allocation and, therefore, allows all bandwidth requests.

Step 9 Configure the percentage of the maximum RF bandwidth that is reserved for roaming video clients by entering this command:

config {802.11a | 802.11b} cac video roam-bandwidth bandwidth

Step 10 Enable or disable CAC for SIP-based video calls by entering this command:

config {802.11a | 802.11b} cac video sip {enable | disable}

Step 11 Process or ignore the TSPEC inactivity timeout received from an access point by entering this command:

config {802.11a | 802.11b} cac video tspec-inactivity-timeout {enable | ignore}

Step 12 Reenable all WLANs with WMM enabled by entering this command:

config wlan enable wlan_id

Step 13 Reenable the radio network by entering this command:

config {802.11a | 802.11b} enable network

Step 14 Enter the save config command to save your settings.
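The two CLI procedures above (voice CAC and video CAC) carry several limits that are easy to violate when the commands are typed by hand: voice max-bandwidth 5 to 85% (default 75%), voice roam-bandwidth 0 to 25%, video max-bandwidth 5 to 85% with 0 meaning no allocation, voice plus video not above 85%, and SIP CAC only with the static method and SIP snooping enabled. The following Python script is an added example, not part of this guide or of Cisco's software: it checks a proposed configuration against those limits and then returns the command sequence in the order the procedures require (disable the WMM WLANs and the radio, save, change CAC, restore). The CacConfig fields, the sample WLAN IDs and the sample values are constructed for the example; the script only produces command strings and does not connect to a controller.

```python
"""Sanity-check a voice/video CAC change before typing it into the WLC and
emit the CLI sequence in the order the two procedures above require.
Added example (not Cisco code): the functions only return command strings;
the limits are the ones stated in the text, the sample values are made up."""
from dataclasses import dataclass
from typing import List


@dataclass
class CacConfig:
    band: str                          # "802.11a" or "802.11b"
    wmm_wlan_ids: List[int]            # WMM-enabled WLANs to bounce around the change
    voice_acm: bool = True
    voice_max_bw: int = 75             # % of radio bandwidth, 5-85 (default 75)
    voice_roam_bw: int = 6             # % reserved for roaming voice, 0-25 (default 6)
    voice_sip_codec: str = ""          # "" (skip), "g711" or "g729"
    voice_sip_sample_ms: int = 20
    video_acm: bool = False
    video_cac_method: str = "static"   # "static" or "load-based"
    video_max_bw: int = 0              # 5-85; 0 = no video bandwidth allocation
    video_roam_bw: int = 0
    video_sip_cac: bool = False
    sip_snooping: bool = False         # config wlan call-snoop enable on the WLAN


def validate(cfg: CacConfig) -> List[str]:
    """Return the list of rule violations; an empty list means the change is safe to apply."""
    errs = []
    if cfg.band not in ("802.11a", "802.11b"):
        errs.append("band must be 802.11a or 802.11b")
    if not cfg.wmm_wlan_ids:
        errs.append("list the WMM-enabled WLANs so they can be disabled during the change")
    if cfg.voice_acm and not 5 <= cfg.voice_max_bw <= 85:
        errs.append("voice max-bandwidth must be 5-85%")
    if not 0 <= cfg.voice_roam_bw <= 25:
        errs.append("voice roam-bandwidth must be 0-25%")
    if cfg.voice_sip_codec not in ("", "g711", "g729"):
        errs.append("voice SIP codec must be g711 or g729")
    if cfg.video_acm and cfg.video_max_bw and not 5 <= cfg.video_max_bw <= 85:
        errs.append("video max-bandwidth must be 5-85% (or 0 for no allocation)")
    if cfg.voice_acm and cfg.video_acm and cfg.voice_max_bw + cfg.video_max_bw > 85:
        errs.append("voice + video max-bandwidth must not exceed 85%")
    if cfg.video_cac_method not in ("static", "load-based"):
        errs.append("video cac-method must be static or load-based")
    if cfg.video_sip_cac:
        if cfg.video_cac_method != "static":
            errs.append("SIP CAC for video needs the static CAC method")
        if not cfg.sip_snooping:
            errs.append("SIP CAC needs SIP snooping enabled on the WLAN")
        if not cfg.video_acm:
            errs.append("SIP CAC needs video ACM enabled")
    return errs


def build_commands(cfg: CacConfig) -> List[str]:
    """Commands in procedure order: bounce WLANs and radio, set CAC, restore, save."""
    errs = validate(cfg)
    if errs:
        raise ValueError("; ".join(errs))
    b = cfg.band
    cmds = [f"config wlan disable {w}" for w in cfg.wmm_wlan_ids]
    cmds += [f"config {b} disable network", "save config"]
    cmds.append(f"config {b} cac voice acm {'enable' if cfg.voice_acm else 'disable'}")
    if cfg.voice_acm:
        cmds.append(f"config {b} cac voice max-bandwidth {cfg.voice_max_bw}")
        cmds.append(f"config {b} cac voice roam-bandwidth {cfg.voice_roam_bw}")
        if cfg.voice_sip_codec:
            cmds.append(f"config {b} cac voice sip codec {cfg.voice_sip_codec} "
                        f"sample-interval {cfg.voice_sip_sample_ms}")
    cmds.append(f"config {b} cac video acm {'enable' if cfg.video_acm else 'disable'}")
    if cfg.video_acm:
        cmds.append(f"config {b} cac video cac-method {cfg.video_cac_method}")
        cmds.append(f"config {b} cac video max-bandwidth {cfg.video_max_bw}")
        cmds.append(f"config {b} cac video roam-bandwidth {cfg.video_roam_bw}")
        cmds.append(f"config {b} cac video sip {'enable' if cfg.video_sip_cac else 'disable'}")
    cmds += [f"config wlan enable {w}" for w in cfg.wmm_wlan_ids]
    cmds += [f"config {b} enable network", "save config"]
    return cmds


if __name__ == "__main__":
    # Constructed sample: voice and video CAC on 5 GHz with SIP CAC for video.
    sample = CacConfig(band="802.11a", wmm_wlan_ids=[1, 3], voice_sip_codec="g711",
                       video_acm=True, video_max_bw=10, video_sip_cac=True, sip_snooping=True)
    print("\n".join(build_commands(sample)))
```

Run validate() first when reviewing a change request; build_commands() refuses to emit anything for a configuration that breaks one of the limits, so the radio is never left disabled with a half-applied CAC change.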

Viewing Voice and Video Settings

Viewing Voice and Video Settings (GUI)

Step 1 Choose Monitor > Clients to open the Clients page.

Step 2 Click the MAC address of the desired client to open the Clients > Detail page.

This page shows the U-APSD status (if enabled) for this client under Quality of Service Properties.

Step 3 Click Back to return to the Clients page.

Step 4 See the TSM statistics for a particular client and the access point to which this client is associated as follows:

a) Hover your cursor over the blue drop-down arrow for the desired client and choose 802.11a TSM or 802.11b/g TSM. The Clients > AP page appears.

b) Click the Detail link for the desired access point to open the Clients > AP > Traffic Stream Metrics page.

This page shows the TSM statistics for this client and the access point to which it is associated. The statistics are shown in 90-second intervals. The timestamp text box shows the specific interval when the statistics were collected.

Step 5 See the TSM statistics for a particular access point and a particular client associated to this access point, as follows:

a) Choose Wireless > Access Points > Radios > 802.11a/n/ac or 802.11b/g/n. The 802.11a/n/ac Radios or 802.11b/g/n Radios page appears.

b) Hover your cursor over the blue drop-down arrow for the desired access point and choose 802.11a TSM or 802.11b/g TSM. The AP > Clients page appears.

c) Click the Detail link for the desired client to open the AP > Clients > Traffic Stream Metrics page.

This page shows the TSM statistics for this access point and a client associated to it. The statistics are shown in 90-second intervals. The timestamp text box shows the specific interval when the statistics were collected.


Viewing Voice and Video Settings (CLI)

Step 1 See the CAC configuration for the 802.11 network by entering this command:

show ap stats {802.11a | 802.11b}

Step 2 See the CAC statistics for a particular access point by entering this command:

show ap stats {802.11a | 802.11b} ap_name

Information similar to the following appears:

Call Admission Control (CAC) Stats
Voice Bandwidth in use(% of config bw)......... 0
Total channel MT free........................ 0
Total voice MT free.......................... 0
Na Direct.................................... 0
Na Roam...................................... 0
Video Bandwidth in use(% of config bw)......... 0
Total num of voice calls in progress........... 0
Num of roaming voice calls in progress......... 0
Total Num of voice calls since AP joined....... 0
Total Num of roaming calls since AP joined..... 0
Total Num of exp bw requests received.......... 5
Total Num of exp bw requests admitted.......... 2
Num of voice calls rejected since AP joined...... 0
Num of roam calls rejected since AP joined..... 0
Num of calls rejected due to insufficient bw....0
Num of calls rejected due to invalid params.... 0
Num of calls rejected due to PHY rate.......... 0
Num of calls rejected due to QoS policy..... 0

In the example above, “MT” is medium time, “Na” is the number of additional calls, and “exp bw” is expedited bandwidth.

Note

Suppose an AP has to be rebooted while a voice client associated with the AP is on an active call. After the AP is rebooted, the client continues the call, but during the time the AP is down the controller does not refresh its call database. Therefore, we recommend that all active calls are ended before the AP is taken down.

Step 3 See the U-APSD status for a particular client by entering this command:

show client detail client_mac

Step 4 See the TSM statistics for a particular client and the access point to which this client is associated by entering this command:

show client tsm {802.11a | 802.11b} client_mac {ap_mac | all}

The optional all keyword shows all access points to which this client has associated. Information similar to the following appears:

Client Interface Mac:   00:01:02:03:04:05
Measurement Duration:   90 seconds
Timestamp               1st Jan 2006, 06:35:80

UpLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2

DownLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2

Note

The statistics are shown in 90-second intervals. The timestamp text box shows the specific interval when the statistics were collected.

Clear the TSM statistics for a particular access point, or for all the access points to which this client is associated, by entering this command:

clear client tsm {802.11a | 802.11b} client_mac {ap_mac | all}

Step 5 See the TSM statistics for a particular access point and a particular client associated to this access point by entering this command:

show ap stats {802.11a | 802.11b} ap_name tsm {client_mac | all}

The optional all keyword shows all clients associated to this access point. Information similar to the following appears:

AP Interface Mac:       00:0b:85:01:02:03
Client Interface Mac:   00:01:02:03:04:05
Measurement Duration:   90 seconds
Timestamp               1st Jan 2006, 06:35:80

UpLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2

DownLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2

Note

The statistics are shown in 90-second intervals. The timestamp text box shows the specific interval when the statistics were collected.

Step 6 Enable or disable debugging for call admission control (CAC) messages, events, or packets by entering this command:

debug cac {all | event | packet} {enable | disable}

where all configures debugging for all CAC messages, event configures debugging for all CAC events, and packet configures debugging for all CAC packets.

Step 7 Use the following command to perform voice diagnostics and to view the debug messages between a maximum of two 802.11 clients:

debug voice-diag {enable | disable} mac-id mac-id2 [verbose]

The verbose mode is an optional argument. When the verbose option is used, all debug messages are displayed in the console. You can use this command to monitor a maximum of two 802.11 clients. If one of the clients is a non-WiFi client, only the 802.11 client is monitored for debug messages.

Note

It is implicitly assumed that the clients being monitored are on a call.

Note

The debug command automatically stops after 60 minutes.

Step 8 Use the following commands to view various voice-related parameters:

show client voice-diag status

Displays whether voice diagnostics is enabled or disabled. If enabled, it also displays the clients in the watch list and the time remaining for the diagnostics of the voice call.

If voice diagnostics is disabled when the following commands are entered, a message indicating that voice diagnostics is disabled appears.

show client voice-diag tspec

Displays the TSPEC information sent from the clients that are enabled for voice diagnostics.

show client voice-diag qos-map

Displays information about the QoS/DSCP mapping and packet statistics in each of the four queues: VO, VI, BE, BK. The different DSCP values are also displayed.

show client voice-diag avrg_rssi

Displays the client's RSSI values in the last 5 seconds when voice diagnostics is enabled.

show client voice-diag roam-history

Displays information about the last three roaming calls. The output contains the timestamp, the access point associated with the roam, the roaming reason, and, if the roam failed, the reason for the roaming failure.

show client calls {active | rejected} {802.11a | 802.11bg | all}

This command lists the details of active TSPEC and SIP calls on the controller.

Step 9 Use the following commands to troubleshoot video debug messages and statistics:

debug ap show stats {802.11b | 802.11a} ap-name multicast—Displays the access point's supported multicast rates.

debug ap show stats {802.11b | 802.11a} ap-name load—Displays the access point's QBSS and other statistics.

debug ap show stats {802.11b | 802.11a} ap-name tx-queue—Displays the access point's transmit queue traffic statistics.

debug ap show stats {802.11b | 802.11a} ap-name client {all | video | client-mac}—Displays the access point's client metrics.

debug ap show stats {802.11b | 802.11a} ap-name packet—Displays the access point's packet statistics.

debug ap show stats {802.11b | 802.11a} ap-name video metrics—Displays the access point's video metrics.

debug ap show stats video ap-name multicast mgid number—Displays an access point's Layer 2 MGID database number.

debug ap show stats video ap-name admission—Displays an access point's admission control statistics.

debug ap show stats video ap-name bandwidth—Displays an access point's video bandwidth.
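The show ap stats and show client tsm output shown in Steps 2, 4 and 5 above share one layout: a label, a run of dots, and an integer. The Python below is an added example rather than anything from this guide: it parses that layout into dictionaries and then derives the two figures an operator usually wants from it, the share of calls the AP has rejected and the dominant reason, and, per direction, the fraction of a client's packets delayed more than 40 ms or lost. The two embedded sample outputs are constructed (the format follows the guide, the numbers are invented), and the thresholds in tsm_alerts are arbitrary example limits, not values from the guide.

```python
"""Parse the dotted-leader output of "show ap stats" and "show client tsm"
and derive call-rejection and delay/loss figures from it. Added example, not
part of the guide; the embedded sample outputs are constructed (format from
the guide, numbers invented) and the alert thresholds are example values."""
import re
from typing import Dict, List

CAC_SAMPLE = """\
Call Admission Control (CAC) Stats
Voice Bandwidth in use(% of config bw)......... 40
Total channel MT free........................ 0
Total voice MT free.......................... 0
Na Direct.................................... 0
Na Roam...................................... 0
Video Bandwidth in use(% of config bw)......... 0
Total num of voice calls in progress........... 3
Num of roaming voice calls in progress......... 1
Total Num of voice calls since AP joined....... 27
Total Num of roaming calls since AP joined..... 5
Total Num of exp bw requests received.......... 5
Total Num of exp bw requests admitted.......... 2
Num of voice calls rejected since AP joined...... 4
Num of roam calls rejected since AP joined..... 1
Num of calls rejected due to insufficient bw....3
Num of calls rejected due to invalid params.... 0
Num of calls rejected due to PHY rate.......... 1
Num of calls rejected due to QoS policy..... 0
"""

TSM_SAMPLE = """\
Client Interface Mac:   00:01:02:03:04:05
Measurement Duration:   90 seconds
Timestamp               1st Jan 2006, 06:35:00
UpLink Stats
================
Average Delay (5sec intervals)............................35
Delay less than 10 ms.....................................20
Delay bet 10 - 20 ms......................................20
Delay bet 20 - 40 ms......................................20
Delay greater than 40 ms..................................20
Total packet Count.........................................80
Total packet lost count (5sec).............................10
Maximum Lost Packet count(5sec)............................5
Average Lost Packet count(5secs)...........................2
DownLink Stats
================
Average Delay (5sec intervals)............................12
Delay less than 10 ms.....................................60
Delay bet 10 - 20 ms......................................15
Delay bet 20 - 40 ms......................................5
Delay greater than 40 ms..................................0
Total packet Count.........................................80
Total packet lost count (5sec).............................1
Maximum Lost Packet count(5sec)............................1
Average Lost Packet count(5secs)...........................0
"""

# A label, a run of at least two dots, optional spaces, then an integer.
LEADER = re.compile(r"^\s*(?P<key>.*?)\s*\.{2,}\s*(?P<val>-?\d+)\s*$")


def parse_leader_block(text: str) -> Dict[str, int]:
    """Turn "label.....value" lines into a dict; lines without a leader are skipped."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        match = LEADER.match(line)
        if match:
            stats[match.group("key")] = int(match.group("val"))
    return stats


def parse_tsm(text: str) -> Dict[str, Dict[str, int]]:
    """Split TSM output into its UpLink and DownLink sections."""
    sections: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        if line.strip() in ("UpLink Stats", "DownLink Stats"):
            current = line.split()[0]
            sections[current] = {}
            continue
        match = LEADER.match(line)
        if match and current is not None:
            sections[current][match.group("key")] = int(match.group("val"))
    return sections


def cac_summary(stats: Dict[str, int]) -> Dict[str, object]:
    """Rejection rate, dominant rejection reason and expedited-bandwidth admit ratio."""
    total = stats["Total Num of voice calls since AP joined"]
    rejected = stats["Num of voice calls rejected since AP joined"]
    reasons = {k.split("due to ", 1)[1]: v for k, v in stats.items() if "rejected due to" in k}
    requests = stats["Total Num of exp bw requests received"]
    admitted = stats["Total Num of exp bw requests admitted"]
    return {
        "reject_rate": rejected / total if total else 0.0,
        "top_reject_reason": max(reasons, key=reasons.get) if reasons else None,
        "exp_bw_admit_ratio": admitted / requests if requests else 1.0,
    }


def tsm_alerts(tsm: Dict[str, Dict[str, int]], max_late: float = 0.10,
               max_loss: float = 0.05) -> List[str]:
    """Flag a direction when more than max_late of its packets took over 40 ms
    or more than max_loss of them were lost (thresholds are example values)."""
    alerts = []
    for direction, s in tsm.items():
        total = s.get("Total packet Count", 0)
        if not total:
            continue
        late = s["Delay greater than 40 ms"] / total
        loss = s["Total packet lost count (5sec)"] / total
        if late > max_late:
            alerts.append(f"{direction}: {late:.0%} of packets delayed more than 40 ms")
        if loss > max_loss:
            alerts.append(f"{direction}: {loss:.1%} packet loss")
    return alerts


if __name__ == "__main__":
    print(cac_summary(parse_leader_block(CAC_SAMPLE)))
    for alert in tsm_alerts(parse_tsm(TSM_SAMPLE)):
        print(alert)
```

Feed the real command output captured from the controller in place of the samples; the parser keys on the dotted leader only, so it is not sensitive to column alignment or to the header lines above the statistics.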

Configuring SIP-Based CAC

Restrictions for SIP-Based CAC

• SIP CAC is available only on the Cisco 5500 Series Controllers, Cisco 8500 Series Controllers, and on the 1240, 1130, and 11n access points.

• SIP CAC should only be used for phones that support status code 17 and do not support TSPEC-based admission control.

• SIP CAC will be supported only if SIP snooping is enabled.

Configuring SIP-Based CAC (GUI)

Before You Begin

• Ensure that you have set the voice to the Platinum QoS level.

• Ensure that you have enabled call snooping for the WLAN.

• Ensure that you have enabled Admission Control (ACM) for this radio.

Step 1 Choose Wireless > Advanced > SIP Snooping to open the SIP Snooping page.

Step 2 Specify the call-snooping ports by entering the starting port and the ending port.

Step 3 Click Apply and then click Save Configuration.

Configuring SIP-Based CAC (CLI)

Step 1 Set the voice to the Platinum QoS level by entering this command:

config wlan qos wlan-id Platinum

Step 2 Enable the call-snooping feature for a particular WLAN by entering this command:

config wlan call-snoop enable wlan-id

Step 3 Enable ACM for this radio by entering this command:

config {802.11a | 802.11b} cac {voice | video} acm enable

Step 4 Configure the call-snooping ports by entering this command:

config advanced sip-snooping-ports starting-port ending-port

Step 5 Troubleshoot SIP-based CAC events by entering this command:

debug sip event {enable | disable}


Configuring Media Parameters

Configuring Media Parameters (GUI)

Step 1 Ensure that the WLAN is configured for WMM and the Gold QoS level.

Step 2 Disable all WLANs with WMM enabled and click Apply.

Step 3 Choose Wireless and then Network under 802.11a/n/ac or 802.11b/g/n, unselect the 802.11a (or 802.11b/g) Network Status check box, and click Apply to disable the radio network.

Step 4 Choose Wireless > 802.11a/n/ac or 802.11b/g/n > Media. The 802.11a (or 802.11b) > Media > Parameters page appears.

Step 5 Choose the Media tab to open the Media page.

Step 6 Select the Unicast Video Redirect check box to enable Unicast Video Redirect. The default value is disabled.

Step 7 In the Maximum Media Bandwidth (0-85%) text box, enter the percentage of the maximum bandwidth to be allocated for media applications on this radio band. Once the bandwidth in use reaches the specified value, the access point rejects new calls on this radio band.

The default value is 85%; valid values are from 0 to 85%.

Step 8 In the Client Phy Rate text box, enter the rate, in kilobits per second, at which the client operates.

Step 9 In the Maximum Retry Percent (0-100%) text box, enter the maximum retry percentage. The default value is 80.

Step 10 Select the Multicast Direct Enable check box to enable multicast direct. The default value is enabled.

Step 11 From the Max Streams per Radio drop-down list, choose the maximum number of allowed multicast direct streams per radio. Choose a value between 1 and 20, or No Limit. The default value is No Limit.

Step 12 From the Max Streams per Client drop-down list, choose the maximum number of allowed multicast direct streams per client. Choose a value between 1 and 20, or No Limit. The default value is No Limit.

Step 13 If you want to enable the best-effort queue for this radio, select the Best Effort QoS Admission check box. The default value is disabled.

Configuring Voice Prioritization Using Preferred Call Numbers

Information About Configuring Voice Prioritization Using Preferred Call Numbers

You can configure a controller to support calls from clients that do not support TSPEC-based calls. This feature is known as voice prioritization. These calls are given priority over other clients utilizing the voice pool. Voice prioritization is available only for SIP-based calls and not for TSPEC-based calls. If bandwidth is available, the call follows the normal flow and bandwidth is allocated to it.

You can configure up to six preferred call numbers. When a call comes to one of the configured preferred numbers, the controller does not check on the maximum call limit. It invokes the CAC to allocate bandwidth for the preferred call. The bandwidth allocation is 85 percent of the entire bandwidth pool, not just from the maximum configured voice pool. The bandwidth allocation is the same even for roaming calls.


Prerequisites for Configuring Voice Prioritization Using Preferred Call Numbers

You must configure the following before configuring voice prioritization:

• Set WLAN QoS to platinum.

• Enable ACM for the radio.

• Enable SIP call snooping on the WLAN.

Configuring a Preferred Call Number (GUI)

Step 1 Set the WLAN QoS profile to Platinum.

Step 2 Enable ACM for the WLAN radio.

Step 3 Enable SIP call snooping for the WLAN.

Step 4 Choose Wireless > Advanced > Preferred Call to open the Preferred Call page.

All preferred call numbers configured on the controller appear.

Note

To remove a preferred call number, hover your cursor over the blue drop-down arrow and choose Remove.

Step 5 Click Add Number to add a new preferred call number.

Step 6 In the Call Index text box, enter the index that you want to assign to the call. Valid values are from 1 through 6.

Step 7 In the Call Number text box, enter the number.

Step 8 Click Apply to add the new number.

Configuring a Preferred Call Number (CLI)

Step 1 Set the voice to the Platinum QoS level by entering this command:

config wlan qos wlan-id Platinum

Step 2 Enable ACM for this radio by entering this command:

config {802.11a | 802.11b} cac {voice | video} acm enable

Step 3 Enable the call-snooping feature for a particular WLAN by entering this command:

config wlan call-snoop enable wlan-id

Step 4 Add a new preferred call number by entering this command:

config advanced sip-preferred-call-no call_index {call_number | none}

Step 5 Remove a preferred call number by entering this command:

config advanced sip-preferred-call-no call_index none

Step 6 View the preferred call statistics by entering this command:

show ap stats {802.11{a | b} | wlan} ap_name

Step 7 List the preferred call numbers by entering this command:

show advanced sip-preferred-call-no

Configuring EDCA Parameters

Information About EDCA Parameters

Enhanced distributed channel access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality-of-service (QoS) traffic.

Configuring EDCA Parameters (GUI)

Step 1 Choose Wireless and then Network under 802.11a/n/ac or 802.11b/g/n, unselect the 802.11a (or 802.11b/g) Network Status check box, and click Apply to disable the radio network.

Step 2 Choose EDCA Parameters under 802.11a/n/ac or 802.11b/g/n. The 802.11a (or 802.11b/g) > EDCA Parameters page appears.

Step 3 Choose one of the following options from the EDCA Profile drop-down list:

WMM—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value. Choose this option when voice or video services are not deployed on your network.

Spectralink Voice Priority—Enables SpectraLink voice priority parameters. Choose this option if SpectraLink phones are deployed on your network to improve the quality of calls.

Voice Optimized—Enables EDCA voice-optimized profile parameters. Choose this option when voice services other than SpectraLink are deployed on your network.

Voice & Video Optimized—Enables EDCA voice- and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network.

Custom Voice—Enables custom voice EDCA parameters for 802.11a. The EDCA parameters under this option also match the 6.0 WMM EDCA parameters when this profile is applied.

Note

If you deploy video services, admission control (ACM) must be disabled.

Step 4 If you want to enable MAC optimization for voice, select the Enable Low Latency MAC check box. Otherwise, leave this check box unselected, which is the default value. This feature enhances voice performance by controlling packet retransmits and appropriately aging out voice packets on lightweight access points, which improves the number of voice calls serviced per access point.

Note

We do not recommend enabling low latency MAC. Enable it only if the WLAN allows WMM clients. If WMM is enabled, low latency MAC can be used with any of the EDCA profiles.

Step 5 Click Apply to commit your changes.

Step 6 To reenable the radio network, choose Network under 802.11a/n/ac or 802.11b/g/n, select the 802.11a (or 802.11b/g) Network Status check box, and click Apply.

Step 7 Click Save Configuration.

Configuring EDCA Parameters (CLI)

Step 1 Disable the radio network by entering this command:

config {802.11a | 802.11b} disable network

Step 2 Save your settings by entering this command:

save config

Step 3 Enable a specific EDCA profile by entering this command:

config advanced {802.11a | 802.11b} edca-parameters {wmm-default | svp-voice | optimized-voice | optimized-video-voice | custom-voice}

wmm-default—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value. Choose this option when voice or video services are not deployed on your network.

svp-voice—Enables SpectraLink voice priority parameters. Choose this option if SpectraLink phones are deployed on your network to improve the quality of calls.

optimized-voice—Enables EDCA voice-optimized profile parameters. Choose this option when voice services other than SpectraLink are deployed on your network.

optimized-video-voice—Enables EDCA voice- and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network.

custom-voice—Enables custom voice EDCA parameters for 802.11a. The EDCA parameters under this option also match the 6.0 WMM EDCA parameters when this profile is applied.

Note

If you deploy video services, admission control (ACM) must be disabled.

Step 4 View the current status of MAC optimization for voice by entering this command:

show {802.11a | 802.11b}

Information similar to the following appears:

Voice-mac-optimization...................Disabled

Step 5 Enable or disable MAC optimization for voice by entering this command:

config advanced {802.11a | 802.11b} voice-mac-optimization {enable | disable}

This feature enhances voice performance by controlling packet retransmits and appropriately aging out voice packets on lightweight access points, which improves the number of voice calls serviced per access point. The default value is disabled.

Step 6 Reenable the radio network by entering this command:

config {802.11a | 802.11b} enable network

Step 7 Enter the save config command to save your settings.


Chapter 18

Configuring the Cisco Discovery Protocol

Information About Configuring the Cisco Discovery Protocol, page 179

Restrictions for Configuring the Cisco Discovery Protocol, page 179

Configuring the Cisco Discovery Protocol, page 181

Viewing Cisco Discovery Protocol Information, page 183

Getting CDP Debug Information, page 186

Information About Configuring the Cisco Discovery Protocol

The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs on all Cisco-manufactured equipment. A device enabled with CDP sends out periodic interface updates to a multicast address in order to make itself known to neighboring devices.

The default value for the frequency of periodic transmissions is 60 seconds, and the default advertised time-to-live value is 180 seconds. The second and latest version of the protocol, CDPv2, introduces new type-length-values (TLVs) and provides a reporting mechanism that allows for more rapid error tracking, which reduces downtime.

Note

Cisco recommends that you disable the Cisco Discovery Protocol on the controller and access points when they are connected to non-Cisco switches, because CDP is unsupported on non-Cisco switches and network elements.

Restrictions for Configuring the Cisco Discovery Protocol

• CDPv1 and CDPv2 are supported on the following devices:

◦Cisco 2504 Wireless Controller

◦Cisco 5508 Wireless Controller

◦Cisco 5520 Wireless Controller

◦Cisco 8510 Wireless Controller

Cisco Wireless Controller Configuration Guide, Release 8.0

179

Restrictions for Configuring the Cisco Discovery Protocol

◦Cisco 8540 Wireless Controller

◦CAPWAP-enabled access points

◦An access point connected directly to a Cisco 2504 Wireless Controller

Note

To use the Intelligent Power Management feature, ensure that CDPv2 is enabled on the

Cisco 2504 Wireless Controller. CDP v2 is enabled by default.

• The Cisco 600 Series OEAP access points do not support CDP.

• The support of CDPv1 and CDPv2 enables network management applications to discover Cisco devices.

• The following TLVs are supported by both the controller and the access point:

◦Device-ID TLV: 0x0001—The hostname of the controller, the access point, or the CDP neighbor.

◦Address TLV: 0x0002—The IP address of the controller, the access point, or the CDP neighbor.

◦Port-ID TLV: 0x0003—The name of the interface on which CDP packets are sent out.

◦Capabilities TLV: 0x0004—The capabilities of the device. The controller sends out this TLV with a value of Host: 0x10, and the access point sends out this TLV with a value of Transparent Bridge:

0x02.

◦Version TLV: 0x0005—The software version of the controller, the access point, or the CDP neighbor.

◦Platform TLV: 0x0006—The hardware platform of the controller, the access point, or the CDP neighbor.

◦Power Available TLV: 0x001a— The amount of power available to be transmitted by power sourcing equipment to permit a device to negotiate and select an appropriate power setting.

◦Full/Half Duplex TLV: 0x000b—The full- or half-duplex mode of the Ethernet link on which CDP packets are sent out.

• These TLVs are supported only by the access point:

◦Power Consumption TLV: 0x0010—The maximum amount of power consumed by the access point.

◦Power Request TLV:0x0019—The amount of power to be transmitted by a powerable device in order to negotiate a suitable power level with the supplier of the network power.

• Changing the CDP configuration on the controller does not change the CDP configuration on the access points that are connected to the controller. You must enable and disable CDP separately for each access point.

• You can enable or disable the CDP state on all or specific interfaces and radios. This configuration can be applied to all access points or a specific access point.

• The following is the behavior assumed for various interfaces and access points:

◦CDP is disabled on radio interfaces on indoor (nonindoor mesh) access points.


◦Nonmesh access points have CDP disabled on radio interfaces when they join the controller. The persistent CDP configuration is used for access points that had CDP support in their previous image.

◦CDP is enabled on radio interfaces on indoor-mesh and mesh access points.

◦Mesh access points will have CDP enabled on their radio interfaces when they join the controller.

The persistent CDP configuration is used for the access points that had CDP support in a previous image. The CDP configuration for radio interfaces is applicable only for mesh APs.
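The TLVs listed above are the fields the controller and the access point place in the CDP packets they exchange, and malformed framing or a bad checksum is what the controller's traffic metrics later count as checksum errors and invalid packets. The following parser is an added example, not code from this guide or from Cisco: it decodes a CDP PDU (version, TTL, checksum, then type/length/value records) into the fields the neighbor pages display, rejects bad checksums and bad TLV lengths, and builds a constructed sample advertisement with placeholder hostname, IP address, version and platform strings. The capability bit values other than 0x02 (Transparent Bridge) and 0x10 (Host) are the standard CDP bit assignments and are not stated in the guide.

```python
import struct
from ipaddress import IPv4Address

# TLV type codes as listed in the guide.
TLV_DEVICE_ID, TLV_ADDRESS, TLV_PORT_ID, TLV_CAPABILITIES = 0x0001, 0x0002, 0x0003, 0x0004
TLV_VERSION, TLV_PLATFORM, TLV_DUPLEX, TLV_POWER_CONSUMPTION = 0x0005, 0x0006, 0x000B, 0x0010
STRING_TLVS = {TLV_DEVICE_ID: "device_id", TLV_PORT_ID: "port_id",
               TLV_VERSION: "software_version", TLV_PLATFORM: "platform"}
# Capability bits with the letter codes shown on the controller's neighbor pages. The guide
# quotes 0x10 (Host, controller) and 0x02 (Transparent Bridge, AP); the rest are standard bits.
CAPABILITY_BITS = [(0x01, "R"), (0x02, "T"), (0x04, "B"), (0x08, "S"),
                   (0x10, "H"), (0x20, "I"), (0x40, "r")]

def cdp_checksum(pdu: bytes) -> int:
    """One's-complement sum over the PDU with its checksum field zeroed (RFC 1071 zero
    padding for odd lengths; Cisco's own odd-length quirk is not reproduced here)."""
    data = pdu[:2] + b"\x00\x00" + pdu[4:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _parse_addresses(value: bytes) -> list:
    """Address TLV body: 4-byte count, then (proto type, proto len, proto, addr len, addr)."""
    (count,) = struct.unpack("!I", value[:4])
    offset, addrs = 4, []
    for _ in range(count):
        ptype, plen = value[offset], value[offset + 1]
        proto = value[offset + 2:offset + 2 + plen]
        (alen,) = struct.unpack("!H", value[offset + 2 + plen:offset + 4 + plen])
        addr = value[offset + 4 + plen:offset + 4 + plen + alen]
        if len(addr) != alen:
            raise ValueError("truncated address entry")
        # NLPID 0xCC with a 4-byte address is IPv4; anything else is kept as hex.
        is_ipv4 = ptype == 1 and proto == b"\xcc" and alen == 4
        addrs.append(str(IPv4Address(addr)) if is_ipv4 else addr.hex())
        offset += 4 + plen + alen
    return addrs

def _decode_tlv(tlv_type: int, value: bytes, info: dict) -> None:
    if tlv_type in STRING_TLVS:
        info[STRING_TLVS[tlv_type]] = value.decode("ascii", "replace")
    elif tlv_type == TLV_ADDRESS:
        info["addresses"] = _parse_addresses(value)
    elif tlv_type == TLV_CAPABILITIES:
        (caps,) = struct.unpack("!I", value[:4])
        info["capabilities"] = [code for bit, code in CAPABILITY_BITS if caps & bit]
    elif tlv_type == TLV_DUPLEX:
        info["duplex"] = "full" if value[0] == 1 else "half"
    elif tlv_type == TLV_POWER_CONSUMPTION:
        (info["power_consumption_mw"],) = struct.unpack("!H", value[:2])
    else:
        info.setdefault("unknown_tlvs", []).append(tlv_type)

def parse_cdp(pdu: bytes) -> dict:
    """Decode a CDP PDU; ValueError covers what the traffic metrics count as
    checksum errors and invalid packets."""
    if len(pdu) < 4:
        raise ValueError("PDU shorter than the 4-byte CDP header")
    version, ttl, checksum = struct.unpack("!BBH", pdu[:4])
    if cdp_checksum(pdu) != checksum:
        raise ValueError("CDP checksum mismatch")
    info = {"version": version, "ttl": ttl, "addresses": [], "capabilities": []}
    offset = 4
    while offset < len(pdu):
        if offset + 4 > len(pdu):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", pdu[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(pdu):
            raise ValueError(f"bad length {tlv_len} for TLV type 0x{tlv_type:04x}")
        try:
            _decode_tlv(tlv_type, pdu[offset + 4:offset + tlv_len], info)
        except (IndexError, struct.error) as exc:
            raise ValueError(f"malformed TLV type 0x{tlv_type:04x}") from exc
        offset += tlv_len
    return info

def is_valid_cdp(pdu: bytes) -> bool:
    try:
        return bool(parse_cdp(pdu))
    except ValueError:
        return False

def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!HH", tlv_type, len(value) + 4) + value

def build_sample_pdu() -> bytes:
    """Constructed sample of an AP advertisement (CDPv2, TTL 180, Transparent Bridge);
    hostname, address, version and platform strings are placeholders."""
    body = (_tlv(TLV_DEVICE_ID, b"ap-lab-01")
            + _tlv(TLV_ADDRESS, struct.pack("!IBBBH", 1, 1, 1, 0xCC, 4) + IPv4Address("10.0.0.5").packed)
            + _tlv(TLV_PORT_ID, b"GigabitEthernet0")
            + _tlv(TLV_CAPABILITIES, struct.pack("!I", 0x02))
            + _tlv(TLV_VERSION, b"8.0.x-placeholder")
            + _tlv(TLV_PLATFORM, b"AIR-AP-PLACEHOLDER")
            + _tlv(TLV_DUPLEX, b"\x01")
            + _tlv(TLV_POWER_CONSUMPTION, struct.pack("!H", 15400)))
    unsigned = struct.pack("!BBH", 2, 180, 0) + body
    return struct.pack("!BBH", 2, 180, cdp_checksum(unsigned)) + body
```

Running parse_cdp over a capture of what an access point port actually sends is a quick way to confirm that CDP is disabled where the guidelines above say it should be, and that only the expected hostname, address, version and platform details leave the device; the checksum and length checks are the same conditions that increment the controller's checksum-error and invalid-packet counters.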

Configuring the Cisco Discovery Protocol

Configuring the Cisco Discovery Protocol (GUI)

Step 1 Choose Controller > CDP > Global Configuration to open the CDP > Global Configuration page.

Step 2 Select the CDP Protocol Status check box to enable CDP on the controller or unselect it to disable this feature. The default value is selected.

Note

Enabling or disabling this feature is applicable to all controller ports.

Step 3 From the CDP Advertisement Version drop-down list, choose v1 or v2 to specify the highest CDP version supported on the controller. The default value is v1.

Step 4 In the Refresh-time Interval text box, enter the interval at which CDP messages are to be generated. The range is 5 to 254 seconds, and the default value is 60 seconds.

Step 5 In the Holdtime text box, enter the amount of time to be advertised as the time-to-live value in generated CDP packets. The range is 10 to 255 seconds, and the default value is 180 seconds.

Step 6 Click Apply to commit your changes.

Step 7 Click Save Configuration to save your changes.

Step 8 Perform one of the following:

• To enable or disable CDP on a specific access point, follow these steps:

a) Choose Wireless > Access Points > All APs to open the All APs page.

b) Click the link for the desired access point.

c) Choose the Advanced tab to open the All APs > Details for (Advanced) page.

d) Select the Cisco Discovery Protocol check box to enable CDP on this access point or unselect it to disable this feature. The default value is enabled.

Note

If CDP is disabled in Step 2, a message indicating that the Controller CDP is disabled appears.

• To enable CDP for a specific Ethernet interface, radio, or slot, follow these steps:

a) Choose Wireless > Access Points > All APs to open the All APs page.

b) Click the link for the desired access point.

c) Choose the Interfaces tab and select the corresponding check boxes for the radios or slots in the CDP Configuration section.

Note

Configuration for radios is only applicable for mesh access points.

d) Click Apply to commit your changes.

• To enable or disable CDP on all access points currently associated to the controller, follow these steps:

a) Choose Wireless > Access Points > Global Configuration to open the Global Configuration page.

b) Select the CDP State check box to enable CDP on all access points associated to the controller or unselect it to disable CDP on all access points. The default value is selected. You can enable CDP on a specific Ethernet interface, radio, or slot by selecting the corresponding check box. This configuration will be applied to all access points associated with the controller.

c) Click Apply to commit your changes.

Step 9 Click Save Configuration to save your changes.

Configuring the Cisco Discovery Protocol (CLI)

Step 1 Enable or disable CDP on the controller by entering this command:

config cdp {enable | disable}

CDP is enabled by default.

Step 2 Specify the interval at which CDP messages are to be generated by entering this command:

config cdp timer seconds

The range is 5 to 254 seconds, and the default value is 60 seconds.

Step 3 Specify the amount of time to be advertised as the time-to-live value in generated CDP packets by entering this command:

config cdp holdtime seconds

The range is 10 to 255 seconds, and the default value is 180 seconds.

Step 4 Specify the highest CDP version supported on the controller by entering this command:

config cdp advertise {v1 | v2}

The default value is v1.

Step 5 Enable or disable CDP on all access points that are joined to the controller by entering this command:

config ap cdp {enable | disable} all

The config ap cdp disable all command disables CDP on all access points that are joined to the controller and all access points that join in the future. CDP remains disabled on both current and future access points even after the controller or access point reboots. To enable CDP, enter the config ap cdp enable all command.

Note

After you enable CDP on all access points joined to the controller, you may disable and then reenable CDP on individual access points using the command in Step 6. After you disable CDP on all access points joined to the controller, you may not enable and then disable CDP on individual access points.

Step 6 Enable or disable CDP on a specific access point by entering this command:

config ap cdp {enable | disable} Cisco_AP

Step 7 Configure CDP on a specific or all access points for a specific interface by entering this command:

config ap cdp {ethernet | radio} interface_number slot_id {enable | disable} {all | Cisco_AP}

Note

When you use the config ap cdp command to configure CDP on radio interfaces, a warning message appears indicating that the configuration is applicable only for mesh access points.

Step 8 Save your changes by entering this command:

save config
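The timer and holdtime set in Steps 2 and 3 only make sense together: the timer is how often this controller advertises, and the holdtime is the time-to-live that each neighbor applies to the controller's entry in its own neighbor table. The following is an added example, not code from this guide or from Cisco. It models a neighbor table that ages entries the way the time-left column on the Interface Neighbors page suggests, reports how many consecutive lost advertisements a given timer/holdtime pair tolerates, and checks the two ranges from the guide together with one practitioner check the guide does not state explicitly (the holdtime must exceed the refresh timer, or a neighbor ages the entry out before the next advertisement arrives). Port and device names are constructed.

```python
# Valid ranges from the guide: config cdp timer 5-254 s, config cdp holdtime 10-255 s.
TIMER_RANGE = (5, 254)
HOLDTIME_RANGE = (10, 255)

def validate_cdp_timers(timer: int, holdtime: int) -> list:
    """Problems a configuration review would flag for a timer/holdtime pair."""
    problems = []
    if not TIMER_RANGE[0] <= timer <= TIMER_RANGE[1]:
        problems.append(f"timer {timer}s is outside {TIMER_RANGE}")
    if not HOLDTIME_RANGE[0] <= holdtime <= HOLDTIME_RANGE[1]:
        problems.append(f"holdtime {holdtime}s is outside {HOLDTIME_RANGE}")
    if holdtime <= timer:
        # Practitioner check (not stated in the guide): a neighbor would age this
        # device out of its table before the next advertisement arrives.
        problems.append("holdtime must exceed the refresh timer")
    return problems

def tolerated_losses(timer: int, holdtime: int) -> int:
    """Consecutive advertisements that may be lost before a neighbor expires this
    device's entry, given that an entry is still valid at exactly its TTL."""
    return max(holdtime // timer - 1, 0)

class CdpNeighborTable:
    """Neighbor cache keyed by (local port, neighbor device id), aged by the TTL
    carried in each received advertisement, as on the Interface Neighbors page."""

    def __init__(self):
        self._entries = {}  # (port, device_id) -> (last_seen, ttl, details)

    def receive(self, port: str, device_id: str, ttl: int, now: float, **details) -> None:
        """Create or refresh an entry from an advertisement received at time `now`."""
        self._entries[(port, device_id)] = (now, ttl, details)

    def time_left(self, port: str, device_id: str, now: float):
        """Seconds until the entry expires (the page's time-left column), or None."""
        entry = self._entries.get((port, device_id))
        if entry is None:
            return None
        last_seen, ttl, _ = entry
        return max(last_seen + ttl - now, 0)

    def expire(self, now: float) -> list:
        """Remove entries whose TTL has elapsed; returns the keys that were dropped."""
        expired = [key for key, (seen, ttl, _) in self._entries.items() if now > seen + ttl]
        for key in expired:
            del self._entries[key]
        return expired

    def neighbors(self, now: float) -> list:
        """Current (port, device_id) pairs after aging out stale entries."""
        self.expire(now)
        return sorted(self._entries)
```

With the defaults (timer 60, holdtime 180) a neighbor keeps the controller's entry through two lost advertisements; a holdtime at or below the timer makes the entry flap on every missed packet, which shows up as neighbors appearing and disappearing on the monitoring pages.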

Viewing Cisco Discovery Protocol Information

Viewing Cisco Discovery Protocol Information (GUI)

Step 1 Choose Monitor > CDP > Interface Neighbors to open the CDP > Interface Neighbors page.

This page shows the following information:

• The controller port on which the CDP packets were received

• The name of each CDP neighbor

• The IP address of each CDP neighbor

• The port used by each CDP neighbor for transmitting CDP packets

• The time left (in seconds) before each CDP neighbor entry expires

• The functional capability of each CDP neighbor, defined as follows: R - Router, T - Trans Bridge, B - Source Route Bridge, S - Switch, H - Host, I - IGMP, r - Repeater, or M - Remotely Managed Device

• The hardware platform of each CDP neighbor device

Step 2 Click the name of the desired interface neighbor to see more detailed information about each interface’s CDP neighbor. The CDP > Interface Neighbors > Detail page appears.

This page shows the following information:

• The controller port on which the CDP packets were received

• The name of the CDP neighbor

• The IP address of the CDP neighbor

• The port used by the CDP neighbor for transmitting CDP packets

• The CDP version being advertised (v1 or v2)

• The time left (in seconds) before the CDP neighbor entry expires

• The functional capability of the CDP neighbor, defined as follows: Router, Trans Bridge, Source Route Bridge, Switch, Host, IGMP, Repeater, or Remotely Managed Device

• The hardware platform of the CDP neighbor device

• The software running on the CDP neighbor

Step 3 Choose AP Neighbors to see a list of CDP neighbors for all access points connected to the controller. The CDP AP Neighbors page appears.

Step 4 Click the CDP Neighbors link for the desired access point to see a list of CDP neighbors for a specific access point. The CDP > AP Neighbors page appears.

This page shows the following information:

• The name of each access point

• The IP address of each access point

• The name of each CDP neighbor

• The IP address of each CDP neighbor

• The port used by each CDP neighbor

• The CDP version being advertised (v1 or v2)

Step 5 Click the name of the desired access point to see detailed information about an access point’s CDP neighbors. The CDP > AP Neighbors > Detail page appears.

This page shows the following information:

• The name of the access point

• The MAC address of the access point’s radio

• The IP address of the access point

• The interface on which the CDP packets were received

• The name of the CDP neighbor

• The IP address of the CDP neighbor

• The port used by the CDP neighbor

• The CDP version being advertised (v1 or v2)

• The time left (in seconds) before the CDP neighbor entry expires

• The functional capability of the CDP neighbor, defined as follows: R - Router, T - Trans Bridge, B - Source Route Bridge, S - Switch, H - Host, I - IGMP, r - Repeater, or M - Remotely Managed Device

• The hardware platform of the CDP neighbor device

• The software running on the CDP neighbor

Step 6 Choose Traffic Metrics to see CDP traffic information. The CDP > Traffic Metrics page appears.

This page shows the following information:

• The number of CDP packets received by the controller

• The number of CDP packets sent from the controller

• The number of packets that experienced a checksum error

• The number of packets dropped due to insufficient memory

• The number of invalid packets

Viewing Cisco Discovery Protocol Information (CLI)

Step 1 See the status of CDP and view CDP protocol information by entering this command:

show cdp

Step 2 See a list of all CDP neighbors on all interfaces by entering this command:

show cdp neighbors [detail]

The optional detail keyword provides detailed information for the controller’s CDP neighbors.

Note

This command shows only the CDP neighbors of the controller. It does not show the CDP neighbors of the controller’s associated access points. Additional commands are provided below to show the list of CDP neighbors per access point.

Step 3 See all CDP entries in the database by entering this command:

show cdp entry all

Step 4 See CDP traffic information on a given port (for example, packets sent and received, CRC errors, and so on) by entering this command:

show cdp traffic

Step 5 See the CDP status for a specific access point by entering this command:

show ap cdp ap-name Cisco_AP

Step 6 See the CDP status for all access points that are connected to the controller by entering this command:

show ap cdp all

Step 7 See a list of all CDP neighbors for a specific access point by entering these commands:

show ap cdp neighbors ap-name Cisco_AP

show ap cdp neighbors detail Cisco_AP

Note

The access point sends CDP neighbor information to the controller only when the information changes.

Step 8 See a list of all CDP neighbors for all access points connected to the controller by entering these commands:

show ap cdp neighbors all

show ap cdp neighbors detail all

Note

The access point sends CDP neighbor information to the controller only when the information changes.


Getting CDP Debug Information

• Get debug information related to CDP packets by entering this command:

debug cdp packets

• Get debug information related to CDP events by entering this command:

debug cdp events

CHAPTER 19

Configuring Authentication for the Controller and NTP/SNTP Server

Information About Configuring Authentication for the Controller and NTP/SNTP Server, page 187

Configuring the NTP/SNTP Server for Authentication (GUI), page 187

Configuring the NTP/SNTP Server for Authentication (CLI), page 188

Information About Configuring Authentication for the Controller and NTP/SNTP Server

Cisco WLCs must synchronize time with an NTP/SNTP server by authentication. By default, an MD5 checksum is used.

Configuring the NTP/SNTP Server for Authentication (GUI)

Step 1 Choose Controller > NTP > Server to open the NTP Servers page.

Step 2 Click New to add a new NTP/SNTP server.

Step 3 In the Server Index (Priority) text box, enter the NTP/SNTP server index.

The controller tries Index 1 first, then Index 2 through 3, in a descending order. Set this to 1 if your network is using only one NTP/SNTP server.

Step 4 Enter the server IP address.

Step 5 Enable or disable the NTP/SNTP Authentication.

Step 6 If you enable the NTP/SNTP Authentication, enter the Key Index.

Step 7 Click Apply.


Configuring the NTP/SNTP Server for Authentication (CLI)

config time ntp auth enable server-index key-index—Enables NTP/SNTP authentication on a given NTP/SNTP server.

config time ntp key-auth add key-index md5 key-format key—Adds an authentication key. By default MD5 is used. The key format can be "ascii" or "hex".

config time ntp key-auth delete key-index—Deletes authentication keys.

config time ntp auth disable server-index—Disables NTP/SNTP authentication.

show ntp-keys—Displays the NTP/SNTP authentication related parameters.
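The commands above store the key, its index and its format on the controller; the check that the key enables is the standard NTP symmetric-key MAC. The sender appends a 4-byte key identifier and the MD5 digest of the key followed by the 48-byte NTP header (RFC 5905), and the receiver looks up the key by identifier and recomputes the digest. The following is an added example, not code from this guide or from Cisco: it builds an NTPv4 client request, authenticates it with a key supplied in the guide's ascii or hex key format, and verifies it the way the receiving side would, rejecting packets with no MAC, an unknown key index, or a header that was altered in transit. The key values and the transmit timestamp are placeholders.

```python
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER_LEN, KEY_ID_LEN, MD5_LEN = 48, 4, 16

def key_bytes(key: str, key_format: str) -> bytes:
    """Convert a key given in the guide's 'ascii' or 'hex' key format to raw bytes."""
    if key_format == "ascii":
        return key.encode("ascii")
    if key_format == "hex":
        return bytes.fromhex(key)
    raise ValueError("key format must be 'ascii' or 'hex'")

def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 and a 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac)

def build_client_request(transmit_unix: float) -> bytes:
    """48-byte NTPv4 client header: LI=0, VN=4, Mode=3, poll 6, precision -20, with
    root delay/dispersion, reference id and the first three timestamps zeroed."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return (struct.pack("!BBbb", li_vn_mode, 0, 6, -20)
            + b"\x00" * 12 + b"\x00" * 24 + ntp_timestamp(transmit_unix))

def authenticate(header: bytes, key_index: int, key: bytes) -> bytes:
    """Append the NTP MAC: 4-byte key identifier + MD5(key || header) (RFC 5905)."""
    if len(header) != HEADER_LEN:
        raise ValueError("NTP header must be exactly 48 bytes")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_index) + digest

def verify(packet: bytes, keys: dict) -> bool:
    """Receiver-side check: rejects packets without a MAC, with an unknown key
    index, or whose digest does not match (compared in constant time)."""
    if len(packet) != HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return False
    header = packet[:HEADER_LEN]
    (key_index,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEY_ID_LEN])
    received = packet[HEADER_LEN + KEY_ID_LEN:]
    key = keys.get(key_index)
    if key is None:
        return False
    return hmac.compare_digest(hashlib.md5(key + header).digest(), received)

# Constructed key table in both formats the guide accepts (placeholder values).
KEYS = {
    1: key_bytes("placeholder-ascii-key", "ascii"),
    2: key_bytes("00112233445566778899aabbccddeeff", "hex"),
}
```

The MAC proves that the packet was produced by a holder of the shared key and that the header was not altered; it does not encrypt anything, and the key identifier travels in the clear so that the receiver can select the right key. Both sides therefore have to agree on the key index and the key value, which is what the key-index argument in the commands above ties together.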

CHAPTER 20

Configuring RFID Tag Tracking

Information About Configuring RFID Tag Tracking, page 189

Configuring RFID Tag Tracking (CLI), page 190

Viewing RFID Tag Tracking Information (CLI), page 191

Debugging RFID Tag Tracking Issues (CLI), page 191

Information About Configuring RFID Tag Tracking

The controller enables you to configure radio-frequency identification (RFID) tag tracking. RFID tags are small wireless devices that are affixed to assets for real-time location tracking. They operate by advertising their location using special 802.11 packets, which are processed by access points, the controller, and the mobility services engine.

To know more about the tags supported by the controller, see http://www.cisco.com/c/en/us/products/wireless/compatible-extensions.html. The mobility services engine receives telemetry and chokepoint information from tags that are compliant with this CCX specification.

Table 5: Cisco Compatible Extensions for RFID Tags Summary

Partners and product names: AeroScout (T2, T3); WhereNet (Wheretag IV); Pango (InnerWireless) (V3).

Capabilities compared for each product: Telemetry (Temperature, Pressure, Humidity, Status, Fuel, Quantity, Distance, Motion Detection), Number of Panic Buttons, Tampering, Battery Information, and Multiple-Frequency Tags (3).

3 For chokepoint systems, note that the tag can work only with chokepoints coming from the same vendor.

Note

The Network Mobility Services Protocol (NMSP) runs on the mobility services engine. For NMSP to function, the TCP port (16113) over which the controller and the mobility services engine communicate must be open (not blocked) on any firewall that exists between these two devices.

The Cisco-approved tags support these capabilities:

Information notifications—Enables you to view vendor-specific and emergency information.

Information polling—Enables you to monitor battery status and telemetry data. Many telemetry data types provide support for sensory networks and a large range of applications for RFID tags.

Measurement notifications—Enables you to deploy chokepoints at strategic points within your buildings or campuses. Whenever an RFID tag moves to within a defined proximity of a chokepoint, the tag begins transmitting packets that advertise its location in relation to the chokepoint.

You can configure and view RFID tag tracking information through the controller CLI.

Configuring RFID Tag Tracking (CLI)

Step 1 Enable or disable RFID tag tracking by entering this command:

config rfid status {enable | disable}

The default value is enabled.

Step 2 Specify a static timeout value (between 60 and 7200 seconds) by entering this command:

config rfid timeout seconds

The static timeout value is the amount of time that the controller maintains tags before expiring them. For example, if a tag is configured to beacon every 30 seconds, we recommend that you set the timeout value to 90 seconds (approximately three times the beacon value). The default value is 1200 seconds.

Step 3 Enable or disable RFID tag mobility for specific tags by entering these commands:

config rfid mobility vendor_name enable—Enables client mobility for a specific vendor’s tags. When you enter this command, tags are unable to obtain a DHCP address for client mode when attempting to select and/or download a configuration.

config rfid mobility vendor_name disable—Disables client mobility for a specific vendor’s tags. When you enter this command, tags can obtain a DHCP address. If a tag roams from one subnet to another, it obtains a new address rather than retaining the anchor state.

Note

These commands can be used only for Pango tags. Therefore, the only valid entry for vendor_name is “pango” in all lowercase letters.

Viewing RFID Tag Tracking Information (CLI)

Step 1 See the current configuration for RFID tag tracking by entering this command:

show rfid config

Step 2 See detailed information for a specific RFID tag by entering this command:

show rfid detail mac_address

where mac_address is the tag’s MAC address.

Step 3 See a list of all RFID tags currently connected to the controller by entering this command:

show rfid summary

Step 4 See a list of RFID tags that are associated to the controller as clients by entering this command:

show rfid client

Debugging RFID Tag Tracking Issues (CLI)

If you experience any problems with RFID tag tracking, use these debug commands.

• Configure MAC address debugging by entering this command:

debug mac addr mac_address


Note

We recommend that you perform the debugging on a per-tag basis. If you enable debugging for all of the tags, the console or Telnet screen is inundated with messages.

• Enable or disable debugging for the 802.11 RFID tag module by entering this command:

debug dot11 rfid {enable | disable}

• Enable or disable RFID debug options by entering this command:

debug rfid {all | detail | error | nmsp | receive} {enable | disable} where

all configures debugging of all RFID messages.

detail configures debugging of RFID detailed messages.

error configures debugging of RFID error messages.

nmsp configures debugging of RFID NMSP messages.

receive configures debugging of incoming RFID tag messages.

CHAPTER 21

Resetting the Controller to Default Settings

Information About Resetting the Controller to Default Settings, page 193

Resetting the Controller to Default Settings (GUI), page 193

Resetting the Controller to Default Settings (CLI), page 194

Information About Resetting the Controller to Default Settings

You can return the controller to its original configuration by resetting the controller to factory-default settings.

Resetting the Controller to Default Settings (GUI)

Step 1 Start your Internet browser.

Step 2 Enter the controller IP address in the browser address line and press Enter. An Enter Network Password dialog box appears.

Step 3 Enter your username in the User Name text box. The default username is admin.

Step 4 Enter the wireless device password in the Password text box and press Enter. The default password is admin.

Step 5 Choose Commands > Reset to Factory Default.

Step 6 Click Reset.

Step 7 When prompted, confirm the reset.

Step 8 Reboot the controller without saving the configuration.

Step 9 Use the configuration wizard to enter configuration settings. See the Configuring the Controller—Using the CLI Configuration Wizard section for more information.


Resetting the Controller to Default Settings (CLI)

Step 1 Enter the reset system command. At the prompt that asks whether you need to save changes to the configuration, enter N. The unit reboots.

Step 2 When you are prompted for a username, enter the recover-config command to restore the factory-default configuration. The controller reboots and displays this message:

Welcome to the Cisco WLAN Solution Wizard Configuration Tool

Step 3 Use the configuration wizard to enter configuration settings. See the Configuring the Controller—Using the CLI Configuration Wizard section for more information.

CHAPTER 22

Managing Controller Software and Configurations

Upgrading the Controller Software, page 195

Transferring Files to and from a Controller, page 209

Saving Configurations, page 226

Editing Configuration Files, page 226

Clearing the Controller Configuration, page 227

Erasing the Controller Configuration, page 228

Resetting the Controller, page 228

Upgrading the Controller Software

When you upgrade the controller software, the software on the access points associated with the controller is also automatically upgraded. When an access point is loading software, each of its LEDs blinks in succession.

Up to 10 access points can be concurrently upgraded from the controller.

Caution

Do not power down the controller or any access point during this process; otherwise, you might corrupt the software image. Upgrading a controller with a large number of access points can take as long as 30 minutes, depending on the size of your network. However, with the increased number of concurrent access point upgrades supported in the controller software release, the upgrade time should be significantly reduced. The access points must remain powered, and the controller must not be reset during this time.

Restrictions for Upgrading Controller Software

• If you require a downgrade from one release to another, you might lose the configuration from your current release. The workaround is to reload the previous controller configuration files saved on the backup server or to reconfigure the controller.

• It is not possible to directly upgrade to this release from a release that is older than 6.0.182.0.


• You can upgrade or downgrade the controller software only between certain releases. In some instances, you must first install an intermediate release prior to upgrading to the latest software release.

• When you upgrade the controller to an intermediate software release, you must wait until all of the access points that are associated with the controller are upgraded to the intermediate release before you install the latest controller software. In large networks, it can take some time to download the software on each access point.

• When you upgrade to the latest software release, the software on the access points associated with the controller is also automatically upgraded. When an access point is loading software, each of its LEDs blinks in succession.

• We recommend that you access the controller GUI using Microsoft Internet Explorer 6.0 SP1 (or a later release) or Mozilla Firefox 2.0.0.11 (or a later release).

• Cisco controllers support standard SNMP Management Information Base (MIB) files. MIBs can be downloaded from the Software Center on Cisco.com.

• The controller software is factory installed on your controller and automatically downloaded to the access points after a release upgrade and whenever an access point joins a controller. We recommend that you install the latest software version available for maximum operational benefit.

• We recommend that you install Wireless LAN Controller Field Upgrade Software for Release 1.7.0.0-FUS, which is a special AES package that contains several system-related component upgrades. These include the bootloader, field recovery image, and FPGA/MCU firmware. Installing the FUS image requires special attention because it installs some critical firmware. The FUS image is independent of the runtime image. For more information, see http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/fus_rn_1_7_0_0.html.

• Ensure that you have a TFTP or FTP server available for the software upgrade. Follow these guidelines when setting up a TFTP or FTP server:

◦Ensure that your TFTP server supports files that are larger than the size of the controller software release. Some TFTP servers that support files of this size are tftpd32 and the TFTP server within the Cisco Prime Infrastructure. If you attempt to download the controller software and your TFTP server does not support files of this size, the following error message appears: “TFTP failure while storing in flash.”

◦If you are upgrading through the distribution system network port, the TFTP or FTP server can be on the same or a different subnet because the distribution system port is routable.

• When you plug a controller into an AC power source, the bootup script and power-on self-test run to initialize the system. During this time, you can press Esc to display the bootloader Boot Options Menu.

The menu options for the 5500 and Flex 7500 series controllers are different than for other controller platforms.

Bootloader menu for 5500 Series Controllers:

Boot Options

Please choose an option from below:

1. Run primary image

2. Run backup image

3. Change active boot image

4. Clear Configuration

5. Format FLASH Drive

6. Manually update images

Please enter your choice:


Bootloader menu for other controller platforms:

Boot Options

Please choose an option from below:

1. Run primary image

2. Run backup image

3. Manually update images

4. Change active boot image

5. Clear Configuration

Please enter your choice:

Enter 1 to run the current software, enter 2 to run the previous software, enter 4 (on a 5500 series controller), or enter 5 (on another controller platform) to run the current software and set the controller configuration to factory defaults. Do not choose the other options unless directed to do so.

Note

See the Installation Guide or the Quick Start Guide for your controller for more details on running the bootup script and power-on self-test.

• Control which address(es) are sent in CAPWAP discovery responses when NAT is enabled on the Management Interface using the following command:

config network ap-discovery nat-ip-only {enable | disable}

where

enable—Enables use of NAT IP only in Discovery response. This is the default. Use this command if all APs are outside of the NAT gateway.

disable—Enables use of both NAT IP and non-NAT IP in discovery response. Use this command if APs are on the inside and outside of the NAT gateway; for example, Local Mode and OfficeExtend APs on the same controller.

Note

To avoid stranding APs, you must disable AP link-latency (if enabled) before you use the disable option for the config network ap-discovery nat-ip-only command. To disable AP link-latency, use the config ap link-latency disable all command.

• You can configure 802.1p tagging by using the config qos dot1p-tag {bronze | silver | gold | platinum} tag. For the 7.2.103.0 and later releases, if you tag 802.1p packets, the tagging has impact only on wired packets. Wireless packets are impacted only by the maximum priority level set for QoS.

• You can reduce the network downtime using the following options:

◦You can predownload the AP image.

◦For FlexConnect access points, use the FlexConnect Efficient AP upgrade feature to reduce traffic between the controller and the AP (main site and the branch).

• Do not power down the controller or any access point during the upgrade process; otherwise, you might corrupt the software image. Upgrading a controller with a large number of access points can take as long as 30 minutes, depending on the size of your network. However, with the increased number of concurrent access point upgrades supported, the upgrade time should be significantly reduced. The access points must remain powered, and the controller must not be reset during this time.

• If you want to downgrade to a previous release, do either of the following:

◦Delete all WLANs that are mapped to interface groups and create new ones.

◦Ensure that all WLANs are mapped to interfaces rather than interface groups.

• After you perform these functions on the controller, you must reboot the controller for the changes to take effect:

◦Enable or disable link aggregation (LAG)

◦Enable a feature that is dependent on certificates (such as HTTPS and web authentication)

◦Add new or modify existing SNMP v3 users

◦Modify an existing SNMP v3 engine ID

◦Add a new license or modify an existing license

◦Increase the priority for a license

• The controller bootloader stores a copy of the active primary image and the backup image. If the primary image becomes corrupted, you can use the bootloader to boot with the backup image.

With the backup image stored before rebooting, be sure to choose Option 2: Run Backup Image from the boot menu to boot from the backup image. Then, upgrade with a known working image and reboot the controller.

• The recovery image provides a backup image that can be used if an access point power-cycles during an image upgrade. The best way to avoid the need for access point recovery is to prevent an access point from power-cycling during a system upgrade. If a power-cycle occurs during an upgrade to an oversized access point image, you can recover the access point using the TFTP recovery procedure.

To recover the access point using the TFTP recovery procedure, follow these steps:

1. Download the required recovery image from Cisco.com (c1100-rcvk9w8-mx, c1200-rcvk9w8-mx, or c1310-rcvk9w8-mx) and install it in the root directory of your TFTP server.

2. Connect the TFTP server to the same subnet as the target access point and power-cycle the access point. The access point boots from the TFTP image and then joins the controller to download the oversized access point image and complete the upgrade procedure.

3. After the access point has been recovered, you can remove the TFTP server.

• You can upgrade to a new release of the controller software or downgrade to an older release even if Federal Information Processing Standard (FIPS) is enabled.

• If you upgrade from a release that is prior to Release 7.5 directly to Release 7.6.X or a later release, the predownload process on Cisco AP2600 and AP3600 fails. After the Cisco WLC is upgraded to Release 7.6.X or a later release, the new image is loaded on Cisco AP2600 and AP3600. After the upgrade to a Release 7.6.X image, the predownload functionality works as expected. The predownload failure is only a one-time failure.

Upgrading Controller Software (GUI)

Step 1 Upload your controller configuration files to a server to back them up.

Note

We highly recommend that you back up your configuration files of the controller prior to upgrading the controller software. Otherwise, you must manually reconfigure the controller.

Step 2 Get the controller software image by following these steps:

a) Browse to the Cisco Software Center: http://www.cisco.com/cisco/software/navigator.html

b) Choose Wireless > Wireless LAN Controller.

The following options are available: Integrated Controllers and Controller Modules and Standalone Controllers.

c) Depending on your controller platform, click one of the above options.

d) Click the controller model number or name. The Download Software page is displayed.

e) Click a controller software release. The software releases are labeled as follows to help you determine which release to download:

Early Deployment (ED)—These software releases provide new features, new hardware platform support, and bug fixes.

Maintenance Deployment (MD)—These software releases provide bug fixes and ongoing software maintenance.

Deferred (DF)—These software releases have been deferred. We recommend that you migrate to an upgraded release.

f) Choose a software release number.

g) Click the filename (filename.aes).

h) Click Download.

i) Read Cisco’s End User Software License Agreement and then click Agree.

j) Save the file to your hard drive.

k) Repeat steps a through j to download the remaining file.

Step 3 Copy the controller software image (filename.aes) to the default directory on your TFTP or FTP server.

Step 4 (Optional) Disable the 802.11 networks.

Note

For busy networks, controllers on high utilization, or small controller platforms, we recommend that you disable the 802.11 networks as a precautionary measure.

Step 5 Disable any WLANs on the controller.

Step 6 Choose Commands > Download File to open the Download File to Controller page.

Step 7 From the File Type drop-down list, choose Code.

Step 8 From the Transfer Mode drop-down list, choose from the following options:

TFTP

FTP

SFTP (available in 7.4 and later releases)

HTTP (available in 8.1 and later releases)

Step 9 In the IP Address text box, enter the IP address of the server.

Step 10 If you are using a TFTP server, the default values of 10 retries for the Maximum Retries text box and 6 seconds for the Timeout text box should work correctly without any adjustment. However, you can change these values if desired. To do so, enter the maximum number of times that the TFTP server attempts to download the software in the Maximum Retries text box and the amount of time (in seconds) that the TFTP server attempts to download the software in the Timeout text box.

Step 11 In the File Path text box, enter the directory path of the software.

Step 12 In the File Name text box, enter the name of the controller software file (filename.aes).

Step 13 If you are using an FTP server, follow these steps:

a) In the Server Login Username text box, enter the username to log into the FTP server.

b) In the Server Login Password text box, enter the password to log into the FTP server.

c) In the Server Port Number text box, enter the port number on the FTP server through which the download occurs. The default value is 21.

Step 14 Click Download to download the software to the controller. A message appears indicating the status of the download.

Step 15 After the download is complete, click Reboot.

Step 16 If prompted to save your changes, click Save and Reboot.

Step 17 Click OK to confirm.

Step 18 After the controller reboots, repeat Step 6 to Step 17 to install the remaining file.

Step 19 Reenable the WLANs.

Step 20 For Cisco WiSM2, reenable the controller port channel on the Catalyst switch.

Step 21 If you have disabled the 802.11 networks in Step 4, reenable them.

Step 22 To verify the controller software version, choose Monitor on the controller GUI and see Software Version in the Controller Summary area.

Upgrading Controller Software (CLI)

Step 1 Upload your controller configuration files to a server to back them up.

Note

We highly recommend that you back up your controller's configuration files prior to upgrading the controller software. Otherwise, you must manually reconfigure the controller.

Step 2 Get the controller software image by following these steps:

a) Browse to the Cisco Software Center: http://www.cisco.com/cisco/software/navigator.html

b) Choose Wireless > Wireless LAN Controller.

The following options are available: Integrated Controllers and Controller Modules and Standalone Controllers.

c) Depending on your controller platform, click one of the above options.

d) Click the controller model number or name. The Download Software page is displayed.

e) Click a controller software release. The software releases are labeled as follows to help you determine which release to download:

Early Deployment (ED)—These software releases provide new features, new hardware platform support, and bug fixes.

Maintenance Deployment (MD)—These software releases provide bug fixes and ongoing software maintenance.

Deferred (DF)—These software releases have been deferred. We recommend that you migrate to an upgraded release.

f) Choose a software release number.

g) Click the filename (filename.aes).

h) Click Download.

i) Read Cisco’s End User Software License Agreement and then click Agree.

j) Save the file to your hard drive.

k) Repeat steps a through j to download the remaining file.

Step 3 Copy the controller software image (filename.aes) to the default directory on your TFTP or FTP server.

Step 4 (Optional) Disable the 802.11 networks.

Note

For busy networks, controllers on high utilization, or small controller platforms, we recommend that you disable the 802.11 networks as a precautionary measure.

Step 5 Disable any WLANs on the controller (using the config wlan disable wlan_id command).

Step 6 Log onto the controller CLI.

Step 7 Enter the ping server-ip-address command to verify that the controller can contact the TFTP or FTP server.

Step 8 View the current download settings by entering the transfer download start command. Answer n to the prompt to view the current download settings.

Step 9 Change the download settings, if necessary, by entering these commands:

transfer download mode {tftp | ftp | sftp}

transfer download datatype code

transfer download serverip server-ip-address

transfer download filename filename

transfer download path server-path-to-file

Note

Pathnames on a TFTP or FTP server are relative to the server’s default or root directory. For example, in the case of the Solaris TFTP server, the path is “/”.

If you are using a TFTP server, also enter these commands:

transfer download tftpMaxRetries retries

transfer download tftpPktTimeout timeout

Note

The default values of 10 retries and a 6-second timeout should work correctly without any adjustment. However, you can change these values. To do so, enter the maximum number of times that the TFTP server attempts to download the software for the retries parameter and the amount of time (in seconds) that the TFTP server attempts to download the software for the timeout parameter.

If you are using an FTP server, also enter these commands:

transfer download username username

transfer download password password

transfer download port port

Note

The default value for the port parameter is 21.

Step 10 View the current updated settings by entering the transfer download start command. Answer y to the prompt to confirm the current download settings and start the software download.

Step 11 Save the code update to nonvolatile NVRAM and reboot the controller by entering this command:

reset system

The controller completes the bootup process.

Step 12 After the controller reboots, repeat Steps 6 through 11 to install the remaining file.

Step 13 Reenable the WLANs by entering this command:

config wlan enable wlan_id

Step 14 For Cisco WiSMs, reenable the controller port channel on the Catalyst switch.

Step 15 If you have disabled the 802.11 networks in Step 4, reenable them.

Step 16 To verify the controller software that is installed, enter the show sysinfo command and see Product Version.

Step 17 To verify the Cisco Unified Wireless Network Controller Boot Software file that is installed on the controller, enter the show sysinfo command on the controller CLI and see Recovery Image Version or Emergency Image Version.

Note

If a Cisco Unified Wireless Network Controller Boot Software ER.aes file is not installed, Recovery Image Version or Emergency Image Version shows 'N/A.'

Predownloading an Image to an Access Point

To minimize network outages, you can download an upgrade image to the access point from the Cisco WLC without resetting the access point or losing network connectivity. Previously, you would download an upgrade image to the controller and reset it, which causes the access point to go into discovery mode. After the access point discovers the Cisco WLC with the new image, the access point downloads the new image, resets, goes into discovery mode, and rejoins the Cisco WLC.

You can now download the upgrade image to the Cisco WLC and then download the image to the access point while the network is still operational. You can also schedule a reboot of the Cisco WLC and access points, either after a specified amount of time or at a specific date and time. When both devices are up, the access point discovers and rejoins the Cisco WLC.

Concurrent Cisco WLC to AP Image Upgrade

This table lists the Cisco WLCs and their maximum concurrent AP image download support.

Cisco WLC                 Maximum Number of Concurrent AP Image Downloads Supported
Cisco 2504 WLC            75
Cisco 5508 WLC            500
Cisco 5520 WLC            1000
Cisco Flex 7510 WLC       1000
Cisco 8510 WLC            1000
Cisco 8540 WLC            1000
Cisco WiSM2               500
Cisco vWLC                1000

Flash Memory Requirements on Access Points

This table lists the Cisco AP models and the minimum amount of free flash memory required for the predownload process to work:

Cisco AP        Minimum Free Flash Memory Required
3502(I/E)       14 MB
2602(I/E)       14 MB
1602(I/E)       12 MB
1262            14 MB
1142            12 MB

Note

• The required flash memory can vary based on the radio type and the number of antennas used.

• This predownload feature is not supported on 1242 and 1131 Cisco AP models.

• Cisco AP1142 has 32 MB of total flash memory and can support the predownload feature.

Access Point Predownload Process

The access point predownload feature works as follows:

• The controller image is downloaded.

◦ The primary image becomes the backup image of the controller and the downloaded image becomes the new primary image. Change the current boot image to the backup image by using the config boot backup command to ensure that if a system failure occurs, the controller boots with the last working image of the controller.

◦ To switch over to the new downloaded image, start predownload of the upgraded image using the config ap image predownload primary all command.

◦ The upgrade image is downloaded as the backup image on the access points. You can verify this by using the show ap image all command.

◦ Change the boot image to the primary image manually using the config boot primary command and reboot the controller for the upgrade image to be activated.

or

◦ You issue a scheduled reboot with the swap keyword. The swap keyword has the following importance: the primary and backup images on the access point are swapped, and the currently active image on the controller is swapped with the backup image.

◦ When the controller reboots, the access points are disassociated and eventually come up with an upgraded image. Once the controller responds to the discovery request sent by an access point with its discovery response packet, the access point sends a join request.

• The actual upgrade of the images occurs. The following sequence of actions occurs:

◦ During boot time, the access point sends a join request.

◦ The controller responds with the join response with the image version that the controller is running.

◦ The access point compares its running image with the running image on the controller. If the versions match, the access point joins the controller.

◦ If the versions do not match, the access point compares the version of the backup image and if they match, the access point swaps the primary and backup images, reloads, and subsequently joins the controller.

◦ If the primary image of the access point is the same as the controller image, the access point reloads and joins the controller.

◦ If none of the above conditions are true, the access point sends an image data request to the controller, downloads the latest image, reloads, and joins the controller.
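The decision order above is easier to reason about as code. The following Python model is an added example, not Cisco code or anything the controller runs: it tracks an access point's primary and backup image slots, applies the predownload and swap operations the text names, and returns the actions the access point takes at join time. Image names such as new-image and old-image are constructed placeholders, and the assumption that a freshly fetched image replaces the primary slot is not stated on this page.

```python
"""Model of the access point image check described in the predownload process.

Added illustration, not Cisco code. Image names are constructed placeholders,
not real release numbers.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class AccessPoint:
    name: str
    primary: str                 # image in the primary slot (APs always boot from it)
    backup: str                  # image in the backup slot (predownload target)
    running: str = "primary"     # slot the AP is currently running from

    @property
    def running_image(self) -> str:
        return self.primary if self.running == "primary" else self.backup


def predownload(ap: AccessPoint, image: str) -> None:
    """config ap image predownload: the upgrade image lands in the backup slot."""
    ap.backup = image


def swap_images(ap: AccessPoint) -> None:
    """config ap image swap, or a scheduled reset with the swap keyword."""
    ap.primary, ap.backup = ap.backup, ap.primary


def join_decision(ap: AccessPoint, controller_image: str) -> List[str]:
    """Actions the AP takes when the join response advertises controller_image,
    checked in the order the text gives them. Mutates ap to its post-reload state."""
    if ap.running_image == controller_image:
        return ["join"]                        # running versions match: join as-is
    if ap.backup == controller_image:
        swap_images(ap)                        # backup matches: swap, reload, join
        ap.running = "primary"
        return ["swap", "reload", "join"]
    if ap.primary == controller_image:
        ap.running = "primary"                 # primary matches: reload into it, join
        return ["reload", "join"]
    # Nothing matches: request the image from the controller, reload, join.
    # Assumption (not stated on the page): the fetched image replaces the primary slot.
    ap.primary = controller_image
    ap.running = "primary"
    return ["image-data-request", "reload", "join"]


def upgrade_scenario(use_swap: bool) -> List[str]:
    """Walk one AP through predownload and a controller reboot, with or without
    the swap keyword, and return its join-time actions. Assumes the controller
    itself comes back up on the new image (config boot primary or the swap)."""
    ap = AccessPoint("ap-1", primary="old-image", backup="older-image")
    predownload(ap, "new-image")     # show ap image would now list new-image as backup
    if use_swap:
        swap_images(ap)              # reset system ... image swap reset-aps
    return join_decision(ap, "new-image")


if __name__ == "__main__":
    print("with swap:   ", upgrade_scenario(True))
    print("without swap:", upgrade_scenario(False))
```

Running both scenarios shows the practical difference the swap keyword makes: with the swap, the access point's primary slot already holds the controller's image and it joins without a further reload; without it, the access point has to swap slots and reload before it can join.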

Restrictions for Predownloading an Image to an Access Point

• The maximum number of concurrent predownloads is limited to half the number of concurrent normal image downloads. This limitation allows new access points to join the controller during image downloading.

If you reach the predownload limit, then the access points that cannot get an image sleep for a time between 180 to 600 seconds and then reattempt the predownload.

• Before you predownload, you should change the active controller boot image to the backup image to ensure that if the controller reboots for some reason, it comes back up with the earlier running image, not the partially downloaded upgrade image.

• This predownload feature is not supported on 1242 and 1131 Cisco AP models.

• When the system time is changed by using the config time command, the time set for a scheduled reset is not valid and the scheduled system reset is canceled. You are given an option either to cancel the scheduled reset before configuring the time or retain the scheduled reset and not configure the time.

• All the primary, secondary, and tertiary controllers should run the same images as the primary and backup images. That is, the primary image of all three controllers should be X and the secondary image of all three controllers should be Y or the feature is not effective.

• At the time of the reset, if any AP is downloading the controller image, the scheduled reset is canceled.

The following message appears with the reason why the scheduled reset was canceled:

%OSAPI-3-RESETSYSTEM_FAILED: osapi_task.c:4458 System will not reset as software is being upgraded.

• Predownloading a 7.2 or later version of image on a Cisco Aironet 1240 access point is not supported when upgrading from a previous controller release. If predownloading is attempted to the Cisco Aironet 1240 access point, the AP gets disconnected.

• There are two images for the 1550 Mesh AP - 1550 with 64 MB memory and 1550 with 128 MB memory. During the controller upgrade to 7.6 and higher versions, the AP images are downloaded and there are two reboots.

• If you upgrade from a release that is prior to Release 7.5 directly to Release 7.6.X or a later release, the predownload process on Cisco AP2600 and AP3600 fails. After the Cisco WLC is upgraded to Release 7.6.X or a later release, the new image is loaded on Cisco AP2600 and AP3600. After the upgrade to a Release 7.6.X image, the predownload functionality works as expected. The predownload failure is only a one-time failure.

Predownloading an Image to Access Points - Global Configuration (GUI)

Step 1 Upload your controller configuration files to a server to back them up.

Note

We highly recommend that you back up your controller's configuration files prior to upgrading the controller software. Otherwise, you must manually reconfigure the controller.

Step 2 Follow these steps to obtain the controller software:

a) Browse to the Cisco Software Center: http://www.cisco.com/cisco/software/navigator.html

b) Choose Wireless from the center selection window.

c) Click Wireless LAN Controllers.

The following options are available: Integrated Controllers and Controller Modules and Standalone Controllers.

d) Depending on your controller platform, click one of the above options.

e) Click the controller model number or name. The Download Software page is displayed.

f) Click a controller software release. The software releases are labeled as follows to help you determine which release to download:

Early Deployment (ED)—These software releases provide new features, new hardware platform support, and bug fixes.

Maintenance Deployment (MD)—These software releases provide bug fixes and ongoing software maintenance.

Deferred (DF)—These software releases have been deferred. We recommend that you migrate to an upgraded release.

g) Choose a software release number.

h) Click the filename (filename.aes).

i) Click Download.

j) Read Cisco’s End User Software License Agreement and then click Agree.

k) Save the file to your hard drive.

l) Repeat steps a through k to download the remaining file.

Step 3 Copy the controller software file (filename.aes) to the default directory on your TFTP or FTP server.

Step 4 (Optional) Disable the controller 802.11 networks.

Note

For busy networks, controllers on high utilization, or small controller platforms, we recommend that you disable the 802.11 networks as a precautionary measure.

Step 5 Choose Commands > Download File to open the Download File to Controller page.

Step 6 From the File Type drop-down list, choose Code.

Step 7 From the Transfer Mode drop-down list, choose from the following options:

TFTP

FTP

SFTP (available in 7.4 and later releases)

Step 8 In the IP Address text box, enter the IP address of the server.

Step 9 If you are using a TFTP server, the default values of 10 retries and 6 seconds for the Maximum Retries and Timeout text boxes should work correctly without any adjustment. However, you can change these values. Enter the maximum number of times that the TFTP server attempts to download the software in the Maximum Retries text box and the amount of time (in seconds) that the TFTP server attempts to download the software in the Timeout text box.

Step 10 In the File Path text box, enter the directory path of the software.

Step 11 In the File Name text box, enter the name of the controller software file (filename.aes).

Step 12 If you are using an FTP server, follow these steps:

a) In the Server Login Username text box, enter the username to log into the FTP server.

b) In the Server Login Password text box, enter the password to log into the FTP server.

c) In the Server Port Number text box, enter the port number on the FTP server through which the download occurs. The default value is 21.

Step 13 Click Download to download the software to the controller. A message appears indicating the status of the download.

Step 14 To configure the predownloading of access point images globally, choose Wireless > Access Points > Global Configuration to open the Global Configuration page.

Step 15 In the AP Image Pre-download section, perform one of the following:

• To instruct all the access points to predownload a primary image from the controller, click Download Primary under the AP Image Pre-download.

• To instruct all the access points to swap their primary and backup images, click Interchange Image.

• To download an image from the controller and store it as a backup image, click Download Backup.

• To abort the predownload operation, click Abort Predownload.

Step 16 Click OK.

Step 17 Click Apply.

Predownloading an Image to Access Points (CLI)

Using the CLI, you can predownload an image to a specific access point or to all access points.

Step 1 Follow these steps to obtain the controller software:

a) Browse to the Cisco Software Center: http://www.cisco.com/cisco/software/navigator.html

b) Select Wireless from the center selection window.

c) Click Wireless LAN Controllers.

The following options are available: Integrated Controllers and Controller Modules and Standalone Controllers.

d) Depending on your controller platform, click one of the above options.

e) Click the controller model number or name. The Download Software page is displayed.

f) Click a controller software release. The software releases are labeled as follows to help you determine which release to download:

Early Deployment (ED)—These software releases provide new features, new hardware platform support, and bug fixes.

Maintenance Deployment (MD)—These software releases provide bug fixes and ongoing software maintenance.

Deferred (DF)—These software releases have been deferred. We recommend that you migrate to an upgraded release.

g) Choose a software release number.

h) Click the filename (filename.aes).

i) Click Download.

j) Read Cisco’s End User Software License Agreement and then click Agree.

k) Save the file to your hard drive.

l) Repeat steps a through k to download the remaining file.

Step 2 Copy the controller software file (filename.aes) to the default directory on your TFTP or FTP server.

Step 3 (Optional) Disable the 802.11 networks.

Note

For busy networks, controllers on high utilization, or small controller platforms, we recommend that you disable the 802.11a/n or 802.11b/g/n networks as a precautionary measure.

For Cisco WiSM2, shut down the controller port channel on the Catalyst switch to allow the controller to reboot before the access points start downloading the software.

Step 4 Disable any WLANs on the controller using the config wlan disable wlan_id command.

Step 5 Specify access points that will receive the predownload image.

Use one of these commands to specify access points for predownload:

• Specify access points for predownload by entering this command:

config ap image predownload {primary | backup} {ap_name | all}

The primary image is the new image; the backup image is the existing image. Access points always boot with the primary image.

• Swap an access point’s primary and backup images by entering this command:

config ap image swap {ap_name | all}

• Display detailed information on access points specified for predownload by entering this command:

show ap image {all | ap-name}

The output lists access points that are specified for predownloading and provides, for each access point, the primary and secondary image versions, the version of the predownload image, the predownload retry time (if necessary), and the number of predownload attempts. The output also includes the predownload status for each device. The status of the access points is as follows:

• None—The access point is not scheduled for predownload.

• Predownloading—The access point is predownloading the image.

• Not supported—The access point (1120, 1230, and 1310) does not support predownloading.

• Initiated—The access point is waiting to get the predownload image because the concurrent download limit has been reached.

• Failed—The access point has failed 64 predownload attempts.

• Complete—The access point has completed predownloading.

Step 6 Set a reboot time for the controller and the access points.

Use one of these commands to schedule a reboot of the controller and access points:

• Specify the amount of time delay before the devices reboot by entering this command:

reset system in HH:MM:SS image {swap | no-swap} reset-aps [save-config]

Note

The swap operand in the reset command will result in the swapping of the primary and backup images on both the controller and the access point.

The controller sends a reset message to all joined access points, and then the controller resets.

• Specify a date and time for the devices to reboot by entering this command:

reset system at YYYY-MM-DD HH:MM:SS image {swap | no-swap} reset-aps [save-config]

The controller sends a reset message to all joined access points, and then the controller resets.

Note

The swap operand in the reset command will result in the swapping of the primary and backup images on both the controller and the access point.

• Set up an SNMP trap message that announces the upcoming reset by entering this command:

reset system notify-time minutes

The controller sends the announcement trap the configured number of minutes before the reset.

• Cancel the scheduled reboot by entering this command:

reset system cancel

Note

If you configure reset times and then use the config time command to change the system time on the controller, the controller notifies you that any scheduled reset times will be canceled and must be reconfigured after you set the system time.

Step 7 Use the show reset command to display scheduled resets.

Information similar to the following appears:

System reset is scheduled for Apr 08 01:01:01 2010.

Current local time and date is Apr 07 02:57:44 2010.

A trap will be generated 10 minutes before each scheduled system reset.

Use 'reset system cancel' to cancel the reset.

Configuration will be saved before the system reset.

Transferring Files to and from a Controller

Controllers have built-in utilities for uploading and downloading various files. Follow the instructions in these sections to import files using either the controller GUI or CLI:

Downloading a Login Banner File

You can download a login banner file using either the GUI or the CLI. The login banner is the text that appears on the page before user authentication when you access the controller GUI or CLI using Telnet, SSH, or a console port connection.

You save the login banner information as a text (*.txt) file. The text file cannot be larger than 1296 characters and cannot have more than 16 lines of text.

Note

The ASCII character set consists of printable and nonprintable characters. The login banner supports only printable characters.

Here is an example of a login banner:

Welcome to the Cisco Wireless Controller!

Unauthorized access prohibited.

Contact [email protected] for access.
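The limits above are easy to miss when a banner is edited on a workstation, so a check before staging the file on the TFTP or FTP server saves a failed download. The following Python validator is an added example, not Cisco code; it assumes that the 1296-character limit counts line breaks and that carriage returns (Windows CRLF line endings) count as non-printable characters, neither of which the guide states. The sample banner is constructed for the example.

```python
"""Pre-flight check for a login banner text file against the limits in the guide:
at most 1296 characters, at most 16 lines, printable ASCII only.

Added example, not Cisco code. Assumptions: the character limit counts line
breaks, and a carriage return counts as a non-printable character.
"""
import sys
from typing import List

MAX_CHARS = 1296
MAX_LINES = 16
# Printable ASCII (space through tilde) plus the line feed that separates lines.
ALLOWED = {chr(c) for c in range(0x20, 0x7F)} | {"\n"}


def validate_login_banner(text: str) -> List[str]:
    """Return a list of problems; an empty list means the banner is acceptable."""
    problems = []
    if len(text) > MAX_CHARS:
        problems.append(f"{len(text)} characters exceeds the {MAX_CHARS}-character limit")
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        problems.append(f"{len(lines)} lines exceeds the {MAX_LINES}-line limit")
    if "\r" in text:
        problems.append("contains carriage returns; save the file with LF line endings")
    # Report every other disallowed character once, in a stable order.
    bad = sorted({ch for ch in text if ch not in ALLOWED and ch != "\r"})
    if bad:
        shown = ", ".join(repr(ch) for ch in bad)
        problems.append(f"non-printable or non-ASCII characters: {shown}")
    return problems


# Constructed sample banner in the same style as the guide's example.
SAMPLE_BANNER = (
    "Welcome to the Cisco Wireless Controller!\n"
    "Unauthorized access prohibited.\n"
    "Contact the network team for access.\n"
)

if __name__ == "__main__":
    # Usage: python banner_check.py banner.txt   (no argument checks the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_BANNER
    issues = validate_login_banner(data)
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

The non-ASCII check matters more than it looks: a curly quote or an accented character pasted from a word processor is a single character in the editor but is outside the printable ASCII set the controller accepts.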

Follow the instructions in this section to download a login banner to the controller through the GUI or CLI.

However, before you begin, make sure that you have a TFTP or FTP server available for the file download.

Follow these guidelines when setting up a TFTP or FTP server:

• If you are downloading through the service port, the TFTP or FTP server must be on the same subnet as the service port because the service port is not routable, or you must create static routes on the controller.

• If you are downloading through the distribution system network port, the TFTP or FTP server can be on the same or a different subnet because the distribution system port is routable.

• A third-party TFTP or FTP server cannot run on the same computer as Cisco Prime Infrastructure because the Prime Infrastructure built-in TFTP or FTP server and the third-party TFTP or FTP server require the same communication port.

Note

Clearing the controller configuration does not remove the login banner. See the Clearing the Login Banner (GUI) section for information about clearing the login banner using the controller GUI or CLI.

Note

The controller can have only one login banner file. If you download another login banner file to the controller, the first login banner file is overwritten.

Downloading a Login Banner File (GUI)

Step 1 Copy the login banner file to the default directory on your server.

Step 2 Choose Commands > Download File to open the Download File to Controller page.

Step 3 From the File Type drop-down list, choose Login Banner.

Step 4 From the Transfer Mode drop-down list, choose from the following options:

TFTP

FTP

SFTP (available in 7.4 and later releases)

Step 5 In the IP Address text box, enter the IP address of the server type you chose in Step 4.

Step 6 If you are using a TFTP server, the default values of 10 retries and 6 seconds for the Maximum Retries and Timeout text boxes should work correctly without any adjustment. However, you can change these values. Enter the maximum number of times that the TFTP server attempts to download the login banner file in the Maximum Retries text box and the amount of time (in seconds) that the TFTP server attempts to download the login banner file in the Timeout text box.

Step 7 In the File Path text box, enter the directory path of the login banner file.

Step 8 In the File Name text box, enter the name of the login banner text (*.txt) file.

Step 9 If you are using an FTP server, follow these steps:

a) In the Server Login Username text box, enter the username to log into the FTP server.

b) In the Server Login Password text box, enter the password to log into the FTP server.

c) In the Server Port Number text box, enter the port number on the FTP server through which the download occurs. The default value is 21.

Step 10 Click Download to download the login banner file to the controller. A message appears indicating the status of the download.

Downloading a Login Banner File (CLI)

Step 1 Log into the controller CLI.

Step 2 Specify the transfer mode used to download the login banner file by entering this command:

transfer download mode {tftp | ftp | sftp}

Step 3 Specify that the file to be downloaded is a login banner by entering this command:

transfer download datatype login-banner

Step 4 Specify the IP address of the TFTP or FTP server by entering this command:

transfer download serverip server-ip-address

Step 5 Specify the name of the login banner file to be downloaded by entering this command:

transfer download filename filename.txt

Step 6 Specify the directory path of the login banner file by entering this command:

transfer download path server-path-to-file

Step 7 If you are using a TFTP server, enter these commands:

transfer download tftpMaxRetries retries

transfer download tftpPktTimeout timeout

Note

The default values of 10 retries and a 6-second timeout should work correctly without any adjustment. However, you can change these values. To do so, enter the maximum number of times that the TFTP server attempts to download the file for the retries parameter and the amount of time (in seconds) that the TFTP server attempts to download the file for the timeout parameter.

Step 8 If you are using an FTP server, enter these commands:

transfer download username username

transfer download password password

transfer download port port

Note

The default value for the port parameter is 21.

Step 9 View the download settings by entering the transfer download start command. Enter y when prompted to confirm the current settings and start the download process.

Clearing the Login Banner (GUI)

Step 1 Choose Commands > Login Banner to open the Login Banner page.

Step 2 Click Clear.

Step 3 When prompted, click OK to clear the banner.

To clear the login banner from the controller using the controller CLI, enter the clear login-banner command.

Downloading Device Certificates

Each wireless device (controller, access point, and client) has its own device certificate. For example, the controller is shipped with a Cisco-installed device certificate. This certificate is used by EAP-FAST (when not using PACs), EAP-TLS, PEAP-GTC, and PEAP-MSCHAPv2 to authenticate wireless clients during local EAP authentication. However, if you want to use your own vendor-specific device certificate, it must be downloaded to the controller.

Note

For more information about configuring local EAP, see the Configuring Local EAP section.

Follow the instructions in this section to download a vendor-specific device certificate to the controller through the GUI or CLI. However, before you begin, make sure you have a TFTP or FTP server available for the certificate download. Follow these guidelines when setting up a TFTP or FTP server:

• If you are downloading through the service port, the TFTP or FTP server must be on the same subnet as the service port because the service port is not routable, or you must create static routes on the controller.

• If you are downloading through the distribution system network port, the TFTP or FTP server can be on the same or a different subnet because the distribution system port is routable.

• A third-party TFTP or FTP server cannot run on the same computer as Cisco Prime Infrastructure because the Prime Infrastructure built-in TFTP or FTP server and the third-party TFTP or FTP server require the same communication port.

Note

All certificates downloaded to the controller must be in PEM format.

Downloading Device Certificates (GUI)

Step 1 Copy the device certificate to the default directory on your server.

Step 2 Choose Commands > Download File to open the Download File to Controller page.

Step 3 From the File Type drop-down list, choose Vendor Device Certificate.

Step 4 In the Certificate Password text box, enter the password that was used to protect the certificate.

Step 5 From the Transfer Mode drop-down list, choose from the following options:

• TFTP

• FTP

• SFTP (available in 7.4 and later releases)

Step 6 In the IP Address text box, enter the IP address of the server.

Step 7 If you are using a TFTP server, the default values of 10 retries and 6 seconds for the Maximum Retries and Timeout text boxes should work correctly without any adjustment. However, you can change these values. Enter the maximum number of times that the TFTP server attempts to download the certificate in the Maximum Retries text box and the amount of time (in seconds) that the TFTP server attempts to download the certificate in the Timeout text box.

Step 8 In the File Path text box, enter the directory path of the certificate.

Step 9 In the File Name text box, enter the name of the certificate.

Step 10 If you are using an FTP server, follow these steps:

a) In the Server Login Username text box, enter the username to log into the FTP server.

b) In the Server Login Password text box, enter the password to log into the FTP server.

c) In the Server Port Number text box, enter the port number on the FTP server through which the download occurs. The default value is 21.

Step 11 Click Download to download the device certificate to the controller. A message appears indicating the status of the download.

Step 12 After the download is complete, choose Commands > Reboot > Reboot.

Step 13 If prompted to save your changes, click Save and Reboot.

Step 14 Click OK to confirm your decision to reboot the controller.

Downloading Device Certificates (CLI)

Step 1 Log onto the controller CLI.

Step 2 Specify the transfer mode used to download the certificate by entering this command:

transfer download mode {tftp | ftp | sftp}

Step 3 Specify the type of the file to be downloaded by entering this command:

transfer download datatype eapdevcert

Step 4 Specify the password that was used to protect the certificate's private key by entering this command:

transfer download certpassword password

Step 5 Specify the IP address of the TFTP or FTP server by entering this command:

transfer download serverip server-ip-address

Step 6 Specify the directory path of the certificate by entering this command:

transfer download path server-path-to-file

Step 7 Specify the name of the certificate file to be downloaded by entering this command:

transfer download filename filename.pem

Step 8 If you are using a TFTP server, enter these commands:

transfer download tftpMaxRetries retries

transfer download tftpPktTimeout timeout

Note

The default values of 10 retries and a 6-second timeout should work correctly without any adjustment. However, you can change these values. To do so, enter the maximum number of times that the TFTP server attempts to download the certificate for the retries parameter and the amount of time (in seconds) that the TFTP server attempts to download the certificate for the timeout parameter.

Step 9 If you are using an FTP server, enter these commands:

transfer download username username

transfer download password password

transfer download port port

Note

The default value for the port parameter is 21.

Step 10 View the updated settings by entering the transfer download start command. Answer y when prompted to confirm the current settings and start the download process.

Step 11 Reboot the controller by entering this command:

reset system

Uploading Device Certificates

Uploading Device Certificates (GUI)

Step 1 Choose Commands > Upload File to open the Upload File from Controller page.

Step 2 From the File Type drop-down list, choose IPSec Device Certificate.

Step 3 From the Transfer Mode drop-down list, choose from the following options:

• TFTP

• FTP

• SFTP

Step 4 In the IP Address text box, enter the IP address of the server.

Step 5 In the File Path text box, enter the directory path of the certificate.

Step 6 In the File Name text box, enter the name of the certificate.

Step 7 If you are using an FTP server, follow these steps:

a) In the Server Login Username text box, enter the username to log on to the FTP server.

b) In the Server Login Password text box, enter the password to log on to the FTP server.

c) In the Server Port Number text box, enter the port number on the FTP server through which the upload occurs. The default value is 21. For SFTP, the default value is 22.

Step 8 Click Upload to upload the device certificate from the controller. A message appears indicating the status of the upload.

Step 9 After the upload is complete, choose Commands > Reboot > Reboot.

Step 10 If prompted to save your changes, click Save and Reboot.

Step 11 Click OK to confirm your decision to reboot the controller.

214

Cisco Wireless Controller Configuration Guide, Release 8.0

Transferring Files to and from a Controller

Uploading Device Certificates (CLI)

Step 1 Log on to the controller CLI.

Step 2 Specify the type of the file to be uploaded by entering this command:

transfer upload datatype ipsecdevcert

Step 3 Specify the transfer mode used to upload the file by entering this command:

transfer upload mode {tftp | ftp | sftp}

Step 4 Specify the IP address of the TFTP or FTP server by entering this command:

transfer upload serverip server-ip-address

Step 5 Specify the directory path of the file by entering this command:

transfer upload path server-path-to-file

Step 6 Specify the name of the file to be uploaded by entering this command:

transfer upload filename filename

Step 7 If you are using an FTP server, enter these commands:

transfer upload username username

transfer upload password password

transfer upload port port

Note

The default value for the port parameter is 21. For SFTP, the default value is 22.

Step 8 View the updated settings by entering the transfer upload start command. Answer y when prompted to confirm the current settings and start the upload process.

Step 9 Reboot the controller by entering the reset system command.

Downloading CA Certificates

Controllers and access points have a Certificate Authority (CA) certificate that is used to sign and validate device certificates. The controller is shipped with a Cisco-installed CA certificate. This certificate may be used by EAP-FAST (when not using PACs), EAP-TLS, PEAP-GTC, and PEAP-MSCHAPv2 to authenticate wireless clients during local EAP authentication. However, if you want to use your own vendor-specific CA certificate, it must be downloaded to the controller.

Note

For more information about configuring local EAP, see the Configuring Local EAP section.

Follow the instructions in this section to download CA certificates to the controller through the GUI or CLI.

However, before you begin, make sure that you have a TFTP or FTP server available for the certificate download. Follow these guidelines when setting up a TFTP or FTP server:


• If you are downloading through the service port, the TFTP or FTP server must be on the same subnet as the service port because the service port is not routable, or you must create static routes on the controller.

• If you are downloading through the distribution system network port, the TFTP or FTP server can be on the same or a different subnet because the distribution system port is routable.

• A third-party TFTP or FTP server cannot run on the same computer as Cisco Prime Infrastructure because the Prime Infrastructure built-in TFTP or FTP server and the third-party TFTP or FTP server require the same communication port.

Note

All certificates downloaded to the controller must be in PEM format.

Download CA Certificates (GUI)

Step 1 Copy the CA certificate to the default directory on your server.

Step 2 Choose Commands > Download File to open the Download File to Controller page.

Step 3 From the File Type drop-down list, choose Vendor CA Certificate.

Step 4 From the Transfer Mode drop-down list, choose from the following options:

• TFTP

• FTP

• SFTP (available in 7.4 and later releases)

Step 5 In the IP Address text box, enter the IP address of the server.

Step 6 If you are using a TFTP server, the default values of 10 retries and 6 seconds for the Maximum Retries and Timeout text boxes should work correctly without any adjustment. However, you can change these values. Enter the maximum number of times that the TFTP server attempts to download the certificate in the Maximum Retries text box and the amount of time (in seconds) that the TFTP server attempts to download the certificate in the Timeout text box.

Step 7 In the File Path text box, enter the directory path of the certificate.

Step 8 In the File Name text box, enter the name of the certificate.

Step 9 If you are using an FTP server, follow these steps:

a) In the Server Login Username text box, enter the username to log on to the FTP server.

b) In the Server Login Password text box, enter the password to log on to the FTP server.

c) In the Server Port Number text box, enter the port number on the FTP server through which the download occurs. The default value is 21.

Step 10 Click Download to download the CA certificate to the controller. A message appears indicating the status of the download.

Step 11 After the download is complete, choose Commands > Reboot > Reboot.

Step 12 If prompted to save your changes, click Save and Reboot.

Step 13 Click OK to confirm your decision to reboot the controller.

Downloading CA Certificates (CLI)

Step 1 Log on to the controller CLI.

Step 2 Specify the transfer mode used to download the certificate by entering this command:

transfer download mode {tftp | ftp | sftp}

Step 3 Specify the type of the file to be downloaded by entering this command:

transfer download datatype eapcacert

Step 4 Specify the IP address of the TFTP or FTP server by entering this command:

transfer download serverip server-ip-address

Step 5 Specify the directory path of the certificate by entering this command:

transfer download path server-path-to-file

Step 6 Specify the name of the certificate file to be downloaded by entering this command:

transfer download filename filename

Step 7 If you are using a TFTP server, enter these commands:

transfer download tftpMaxRetries retries

transfer download tftpPktTimeout timeout

Note

The default values of 10 retries and a 6-second timeout should work correctly without any adjustment. However, you can change these values. To do so, enter the maximum number of times that the TFTP server attempts to download the certificate for the retries parameter and the amount of time (in seconds) that the TFTP server attempts to download the certificate for the timeout parameter.

Step 8 If you are using an FTP server, enter these commands:

transfer download username username

transfer download password password

transfer download port port

Note

The default value for the port parameter is 21.

Step 9 View the updated settings by entering the transfer download start command. Answer y when prompted to confirm the current settings and start the download process.

Step 10 Reboot the controller by entering the reset system command.
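The device and CA certificate procedures above both require PEM-encoded files, and the device certificate procedure expects the password that protects the certificate. The following pre-flight check is an added example, not code from the Cisco guide or the controller; it assumes that a vendor device certificate file carries the certificate and its private key in one PEM file, that the certificate password is that key's passphrase, and that a CA certificate file carries certificates only. The PEM bodies in the samples are constructed stand-ins, not real certificates.

```python
"""Pre-flight check for a certificate file before it is downloaded to the controller.

Added example, not part of the Cisco guide. It checks that the file is PEM encoded and,
for a vendor device certificate, that the private key in the file is passphrase protected
(assumed here to be what the certificate password unlocks).
"""
import base64
import re

# One PEM block: "-----BEGIN label-----", optional headers, base64 body, "-----END label-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def parse_pem_blocks(text):
    """Return (label, headers, der_bytes) for every PEM block in text.

    Raises ValueError when a body is not valid base64 or does not decode to an
    ASN.1 SEQUENCE (tag 0x30), the outer type of every DER certificate and key.
    """
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = body.splitlines()
        headers = {}
        # Legacy OpenSSL keys carry "Proc-Type:" / "DEK-Info:" headers before the body.
        while lines and ":" in lines[0]:
            key, _, value = lines.pop(0).partition(":")
            headers[key.strip()] = value.strip()
        try:
            der = base64.b64decode("".join(ln.strip() for ln in lines), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{label}: body is not valid base64 ({exc})") from None
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: decoded body is not a DER SEQUENCE")
        blocks.append((label, headers, der))
    return blocks


def key_is_encrypted(label, headers):
    """True if a PEM private-key block is passphrase protected: PKCS#8 uses the
    "ENCRYPTED PRIVATE KEY" label, legacy blocks a "Proc-Type: 4,ENCRYPTED" header."""
    return label == "ENCRYPTED PRIVATE KEY" or headers.get("Proc-Type") == "4,ENCRYPTED"


def check_certificate_file(text, kind):
    """Check a file for download as a 'device' or 'ca' certificate.

    Returns a list of problems; an empty list means the file passes.
    """
    if kind not in ("device", "ca"):
        raise ValueError(f"unknown certificate kind: {kind!r}")
    if "\x00" in text or "-----BEGIN" not in text:
        # DER files are binary and have no PEM armor; the controller requires PEM.
        return ["file is not PEM encoded (binary or missing PEM armor)"]
    try:
        blocks = parse_pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    if not certs:
        problems.append("no CERTIFICATE block found")
    if kind == "device":
        if not keys:
            problems.append("device certificate file has no private key block")
        for label, headers, _ in keys:
            if not key_is_encrypted(label, headers):
                problems.append(f"{label} is not passphrase protected; the controller "
                                "decrypts it with the certificate password")
    elif keys:
        # A CA file is trust material only; a private key in it is a handling error.
        problems.append("CA certificate file must not contain a private key")
    return problems


# Constructed samples: "MAMCAQE=" is a five-byte DER SEQUENCE standing in for real
# certificate and key bodies; these are not real certificates or keys.
_BODY = "MAMCAQE=\n"
SAMPLE_DEVICE_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + _BODY + "-----END CERTIFICATE-----\n"
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + _BODY + "-----END ENCRYPTED PRIVATE KEY-----\n"
)
SAMPLE_LEGACY_DEVICE_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + _BODY + "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n" + _BODY +
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PLAIN_KEY_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + _BODY + "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n" + _BODY + "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\n" + _BODY + "-----END CERTIFICATE-----\n"
```

Run check_certificate_file on the file you are about to place on the TFTP/FTP/SFTP server; a DER export or an unprotected key is caught before the transfer rather than by a failed download and reboot.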

Uploading CA Certificates

Uploading CA Certificates (GUI)

Step 1 Choose Commands > Upload File to open the Upload File from Controller page.

Step 2 From the File Type drop-down list, choose IPSec CA Certificate.

Step 3 From the Transfer Mode drop-down list, choose from the following options:

• TFTP

• FTP

• SFTP

Step 4 In the IP Address text box, enter the IP address of the server.

Step 5 In the File Path text box, enter the directory path of the certificate.

Step 6 In the File Name text box, enter the name of the certificate.

Step 7 If you are using an FTP server, follow these steps:

a) In the Server Login Username text box, enter the username to log on to the FTP server.

b) In the Server Login Password text box, enter the password to log on to the FTP server.

c) In the Server Port Number text box, enter the port number on the FTP server through which the upload occurs. The default value is 21. For SFTP, the default value is 22.

Step 8 Click Upload to upload the CA certificate from the controller. A message appears indicating the status of the upload.

Step 9 After the upload is complete, choose Commands > Reboot > Reboot.

Step 10 If prompted to save your changes, click Save and Reboot.

Step 11 Click OK to confirm your decision to reboot the controller.

Uploading CA Certificates (CLI)

Step 1 Log on to the controller CLI.

Step 2 Specify the type of the file to be uploaded by entering this command:

transfer upload datatype ipseccacert

Step 3 Specify the transfer mode used to upload the file by entering this command:

transfer upload mode {tftp | ftp | sftp}

Step 4 Specify the IP address of the TFTP or FTP server by entering this command:

transfer upload serverip server-ip-address

Step 5 Specify the directory path of the file by entering this command:

transfer upload path server-path-to-file

Step 6 Specify the name of the file to be uploaded by entering this command:

transfer upload filename filename

Step 7 If you are using an FTP server, enter these commands:

transfer upload username username

transfer upload password password

transfer upload port port

Note

The default value for the port parameter is 21. For SFTP, the default value is 22.

Step 8 View the updated settings by entering the transfer upload start command. Answer y when prompted to confirm the current settings and start the upload process.

Step 9 Reboot the controller by entering the reset system command.

Uploading PACs

Protected access credentials (PACs) are credentials that are either automatically or manually provisioned and used to perform mutual authentication with a local EAP authentication server during EAP-FAST authentication.

When manual PAC provisioning is enabled, the PAC file is manually generated on the controller.

Follow the instructions in this section to generate and load PACs from the controller through the GUI or CLI.

However, before you begin, make sure you have a TFTP or FTP server available for the PAC upload. Follow these guidelines when setting up a TFTP or FTP server:

• If you are uploading through the service port, the TFTP or FTP server must be on the same subnet as the service port because the service port is not routable, or you must create static routes on the controller.

• If you are uploading through the distribution system network port, the TFTP or FTP server can be on the same or a different subnet because the distribution system port is routable.

• A third-party TFTP or FTP server cannot run on the same computer as Cisco Prime Infrastructure because the Prime Infrastructure built-in TFTP or FTP server and the third-party TFTP or FTP server require the same communication port.


Uploading PACs (GUI)

Step 1 Choose Commands > Upload File to open the Upload File from Controller page.

Step 2 From the File Type drop-down list, choose PAC (Protected Access Credential).

Step 3 In the User text box, enter the name of the user who will use the PAC.

Step 4 In the Validity text box, enter the number of days for the PAC to remain valid. The default setting is zero (0).

Step 5 In the Password and Confirm Password text boxes, enter a password to protect the PAC.

Step 6 From the Transfer Mode drop-down list, choose from the following options:

• TFTP

• FTP

• SFTP (available in 7.4 and later releases)

Step 7 In the IP Address (IPv4/IPv6) text box, enter the IPv4/IPv6 address of the server.

Step 8 In the File Path text box, enter the directory path of the PAC.

Step 9 In the File Name text box, enter the name of the PAC file. PAC files have a .pac extension.

Step 10 If you are using an FTP server, follow these steps:

a) In the Server Login Username text box, enter the username to log into the FTP server.

b) In the Server Login Password text box, enter the password to log into the FTP server.

c) In the Server Port Number text box, enter the port number on the FTP server through which the upload occurs. The default value is 21.

Step 11 Click Upload to upload the PAC from the controller. A message appears indicating the status of the upload.

Step 12 Follow the instructions for your wireless client to load the PAC on your client devices. Make sure to use the password that you entered above.

Uploading PACs (CLI)

Step 1 Log on to the controller CLI.

Step 2 Specify the transfer mode used to upload the PAC file by entering this command:

transfer upload mode {tftp | ftp | sftp}

Step 3 Upload a Protected Access Credential (PAC) by entering this command:

transfer upload datatype pac

Step 4 Specify the identification of the user by entering this command:

transfer upload pac username validity password

Step 5 Specify the IP address of the TFTP or FTP server by entering this command:

transfer upload serverip server-ip-address

Note

The server supports both IPv4 and IPv6.

Step 6 Specify the directory path of the PAC file by entering this command:

transfer upload path server-path-to-file

Step 7 Specify the name of the PAC file to be uploaded by entering this command:

transfer upload filename manual.pac

Step 8 If you are using an FTP server, enter these commands:

transfer upload username username

transfer upload password password

transfer upload port port

Note

The default value for the port parameter is 21.

Step 9 View the updated settings by entering the transfer upload start command. Answer y when prompted to confirm the current settings and start the upload process.

Step 10 Follow the instructions for your wireless client to load the PAC on your client devices. Make sure to use the password that you entered above.

Uploading and Downloading Configuration Files

We recommend that you upload your controller’s configuration file to a server to back it up. If you lose your configuration, you can then download the saved configuration to the controller.

Note

Do not download a configuration file to your controller that was uploaded from a different controller platform. For example, a Cisco 5500 Series Controller does not support the configuration file from a Cisco 2500 Series Controller.

Follow these guidelines when working with configuration files:

• Any CLI with an invalid value is filtered out and set to default by the XML validation engine. Validation occurs during bootup. A configuration may be rejected if the validation fails. A configuration may fail if you have an invalid CLI, for example, a CLI that tries to configure a WLAN without the appropriate commands to add the WLAN.

• A configuration may be rejected if the dependencies are not addressed, for example, if you try to configure dependent parameters without using the add command. The XML validation may succeed, but the configuration download infrastructure will immediately reject the configuration with no validation errors.

• An invalid configuration can be verified by using the show invalid-config command. The show invalid-config command reports the configuration that is rejected by the controller either as part of the download process or by the XML validation infrastructure.


Note

You can also read and modify the configuration file.

• The FTP or the TFTP servers for transfer of configuration, image, and so on, must be reachable over a wired connection. The transfer cannot be performed over one of the wireless clients of the Cisco WLC. If you try to use a wireless client of the Cisco WLC, you are prompted with a system message saying that the server is not reachable. However, if you use a wireless client that is associated with another Cisco WLC, the FTP or the TFTP servers are reachable.

Uploading Configuration Files

You can upload configuration files using either the GUI or the CLI.

Uploading the Configuration Files (GUI)

Step 1 Choose Commands > Upload File to open the Upload File from Controller page.

Step 2 From the File Type drop-down list, choose Configuration.

Step 3 Encrypt the configuration file by selecting the Configuration File Encryption check box and entering the encryption key in the Encryption Key text box.

Step 4 From the Transfer Mode drop-down list, choose from the following options:

• TFTP

• FTP

• SFTP (available in 7.4 and later releases)

Step 5 In the IP Address text box, enter the IP address of the server.

Step 6 In the File Path text box, enter the directory path of the configuration file.

Step 7 In the File Name text box, enter the name of the configuration file.

Step 8 If you are using an FTP server, follow these steps:

a) In the Server Login Username text box, enter the username to log into the FTP server.

b) In the Server Login Password text box, enter the password to log into the FTP server.

c) In the Server Port Number text box, enter the port number on the FTP server through which the upload occurs. The default value is 21.

Step 9 Click Upload to upload the configuration file to the server. A message appears indicating the status of the upload. If the upload fails, repeat this procedure and try again.

Uploading the Configuration Files (CLI)

Step 1 Specify the transfer mode used to upload the configuration file by entering this command:

transfer upload mode {tftp | ftp | sftp}

Step 2 Specify the type of file to be uploaded by entering this command:

transfer upload datatype config

Step 3 Encrypt the configuration file by entering these commands:

transfer encrypt enable

transfer encrypt set-key key, where key is the encryption key used to encrypt the file.

Step 4 Specify the IP address of the server by entering this command:

transfer upload serverip server-ip-address

Step 5 Specify the directory path of the configuration file by entering this command:

transfer upload path server-path-to-file

Step 6 Specify the name of the configuration file to be uploaded by entering this command:

transfer upload filename filename

Step 7 If you are using an FTP server, enter these commands to specify the username and password used to log into the FTP server and the port number through which the upload occurs:

transfer upload username username

transfer upload password password

transfer upload port port

Note

The default value for the port parameter is 21.

Step 8 Initiate the upload process by entering this command:

transfer upload start

Step 9 When prompted to confirm the current settings, answer y.

Information similar to the following appears:

Mode............................................. TFTP
TFTP Server IP................................... 10.10.10.4
TFTP Path........................................ Config/
TFTP Filename.................................... AS_4402_4_2_55_8_Config.xml
Data Type........................................ Config File
Encryption....................................... Disabled
**************************************************
*** WARNING: Config File Encryption Disabled ***
**************************************************
Are you sure you want to start? (y/N)
Y
File transfer operation completed successfully.

If the upload fails, repeat this procedure and try again.

Downloading Configuration Files

You can download configuration files using either the GUI or the CLI.


Downloading the Configuration Files (GUI)

Step 1 Choose Commands > Download File to open the Download File to Controller page.

Step 2 From the File Type drop-down list, choose Configuration.

Step 3 If the configuration file is encrypted, select the Configuration File Encryption check box and enter the encryption key used to decrypt the file in the Encryption Key text box.

Note

The key that you enter here should match the one entered during the upload process.

Step 4 From the Transfer Mode drop-down list, choose from the following options:

• TFTP

• FTP

• SFTP (available in 7.4 and later releases)

Step 5 In the IP Address text box, enter the IP address of the server.

Step 6 If you are using a TFTP server, the default values of 10 retries and 6 seconds for the Maximum Retries and Timeout text boxes should work correctly without any adjustment. However, you can change these values. Enter the maximum number of times that the TFTP server attempts to download the configuration file in the Maximum Retries text box and the amount of time (in seconds) that the TFTP server attempts to download the configuration file in the Timeout text box.

Step 7 In the File Path text box, enter the directory path of the configuration file.

Step 8 In the File Name text box, enter the name of the configuration file.

Step 9 If you are using an FTP server, follow these steps:

a) In the Server Login Username text box, enter the username to log into the FTP server.

b) In the Server Login Password text box, enter the password to log into the FTP server.

c) In the Server Port Number text box, enter the port number on the FTP server through which the download occurs. The default value is 21.

Step 10 Click Download to download the file to the controller. A message appears indicating the status of the download, and the controller reboots automatically. If the download fails, repeat this procedure and try again.

Downloading the Configuration Files (CLI)

Note

The controller does not support incremental configuration downloads. The configuration file contains all mandatory commands (all interface address commands, mgmtuser with read-write permission commands, and interface port or LAG enable or disable commands) required to successfully complete the download.

For example, if you download only the config time ntp server index server_address command as part of the configuration file, the download fails. Only the commands present in the configuration file are applied to the controller, and any configuration in the controller prior to the download is removed.

Step 1 Specify the transfer mode used to download the configuration file by entering this command:

transfer download mode {tftp | ftp | sftp}

Step 2 Specify the type of file to be downloaded by entering this command:

transfer download datatype config

Step 3 If the configuration file is encrypted, enter these commands:

transfer encrypt enable

transfer encrypt set-key key, where key is the encryption key used to decrypt the file.

Note

The key that you enter here should match the one entered during the upload process.

Step 4 Specify the IP address of the TFTP or FTP server by entering this command:

transfer download serverip server-ip-address

Step 5 Specify the directory path of the configuration file by entering this command:

transfer download path server-path-to-file

Step 6 Specify the name of the configuration file to be downloaded by entering this command:

transfer download filename filename

Step 7 If you are using a TFTP server, enter these commands:

transfer download tftpMaxRetries retries

transfer download tftpPktTimeout timeout

Note

The default values of 10 retries and a 6-second timeout should work correctly without any adjustment. However, you can change these values. To do so, enter the maximum number of times that the TFTP server attempts to download the configuration file for the retries parameter and the amount of time (in seconds) that the TFTP server attempts to download the configuration file for the timeout parameter.

Step 8 If you are using an FTP server, enter these commands to specify the username and password used to log into the FTP server and the port number through which the download occurs:

transfer download username username

transfer download password password

transfer download port port

Note

The default value for the port parameter is 21.

Step 9 View the updated settings by entering this command:

transfer download start

Step 10 When prompted to confirm the current settings and start the download process, answer y.

Information similar to the following appears:

Mode............................................. TFTP
TFTP Server IP................................... 10.10.10.4
TFTP Path........................................ Config/
TFTP Filename.................................... AS_4402_4_2_55_8_Config.xml
Data Type........................................ Config File
Encryption....................................... Disabled
**************************************************
*** WARNING: Config File Encryption Disabled ***
**************************************************
Are you sure you want to start? (y/N)
y
File transfer operation completed successfully.

If the download fails, repeat this procedure and try again.
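Both the upload and the download procedures above print a settings summary and a WARNING line before the (y/N) prompt. The following policy gate is an added example, not Cisco's code or the controller's; it assumes an automation job has captured that summary text, the policy it enforces (SFTP only, configuration-file encryption enabled) is this example's choice rather than a controller rule, and the field labels in the SFTP sample are assumed.

```python
"""Policy gate for the settings summary that 'transfer upload start' and
'transfer download start' print before "Are you sure you want to start? (y/N)".

Added example, not Cisco's code. A backup job driving the controller CLI can run
this on the captured summary and answer N when the configuration would cross the
network in cleartext or without configuration-file encryption.
"""
import re

# "Mode............................................. TFTP" -> ("Mode", "TFTP")
SUMMARY_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?)\.{2,}\s*(.*?)\s*$")


def parse_transfer_summary(text):
    """Return the dotted "Key.... Value" rows of the summary as a dict.

    Banner rows of '*', the WARNING line and the (y/N) prompt contain no run of
    dots after a key, so they are skipped.
    """
    settings = {}
    for line in text.splitlines():
        m = SUMMARY_LINE.match(line.strip())
        if m:
            settings[m.group(1).strip()] = m.group(2)
    return settings


CLEARTEXT_MODES = {"TFTP", "FTP"}


def transfer_policy_violations(settings, require_encryption=True):
    """List the reasons this transfer should not be confirmed with 'y'.

    Policy (an assumption of this example, not a controller rule): configuration
    files move only over SFTP, and only with the controller's configuration-file
    encryption enabled.
    """
    violations = []
    mode = settings.get("Mode", "").upper()
    if mode in CLEARTEXT_MODES:
        violations.append(f"transfer mode {mode} sends the file in cleartext; use SFTP")
    elif mode != "SFTP":
        violations.append(f"unrecognised transfer mode {mode!r}")
    if require_encryption and settings.get("Data Type") == "Config File":
        if settings.get("Encryption", "").lower() != "enabled":
            violations.append("configuration file encryption is disabled; run "
                              "'transfer encrypt enable' and 'transfer encrypt set-key' first")
    return violations


def confirm_answer(text):
    """Return 'y' if the captured summary passes policy, otherwise 'N'."""
    return "y" if not transfer_policy_violations(parse_transfer_summary(text)) else "N"


# Constructed sample: the TFTP summary shown in the guide.
SAMPLE_TFTP_SUMMARY = """\
Mode............................................. TFTP
TFTP Server IP................................... 10.10.10.4
TFTP Path........................................ Config/
TFTP Filename.................................... AS_4402_4_2_55_8_Config.xml
Data Type........................................ Config File
Encryption....................................... Disabled
**************************************************
*** WARNING: Config File Encryption Disabled ***
**************************************************
Are you sure you want to start? (y/N)
"""

# Constructed sample of a compliant transfer; the SFTP field labels are assumed.
SAMPLE_SFTP_SUMMARY = """\
Mode............................................. SFTP
SFTP Server IP................................... 10.10.10.4
SFTP Path........................................ Config/
SFTP Filename.................................... wlc-backup.xml
Data Type........................................ Config File
Encryption....................................... Enabled
Are you sure you want to start? (y/N)
"""
```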

Saving Configurations

Controllers contain two kinds of memory: volatile RAM and NVRAM. At any time, you can save the configuration changes from active volatile RAM to nonvolatile RAM (NVRAM) using one of these commands:

save config—Saves the configuration from volatile RAM to NVRAM without resetting the controller.

reset system—Prompts you to confirm that you want to save configuration changes before the controller reboots.

logout—Prompts you to confirm that you want to save configuration changes before you log out.

Editing Configuration Files

When you save the controller’s configuration, the controller stores it in XML format in flash memory. Controller software release 5.2 or later releases enable you to easily read and modify the configuration file by converting it to CLI format. When you upload the configuration file to a TFTP/FTP/SFTP server, the controller initiates the conversion from XML to CLI. You can then read or edit the configuration file in a CLI format on the server. When you are finished, you download the file back to the controller, where it is reconverted to an XML format and saved.

Step 1 Upload the configuration file to a TFTP/FTP/SFTP server by performing one of the following:

• Upload the file using the controller GUI.

• Upload the file using the controller CLI.

Step 2 Read or edit the configuration file on the server. You can modify or delete existing CLI commands and add new CLI commands to the file.

Note

To edit the configuration file, you can use either Notepad or WordPad on Windows or the vi editor on Linux.

Step 3 Save your changes to the configuration file on the server.

Step 4 Download the configuration file to the controller by performing one of the following:

• Download the file using the controller GUI.

• Download the file using the controller CLI.

Step 5 The controller converts the configuration file to an XML format, saves it to flash memory, and then reboots using the new configuration. CLI commands with known keywords and proper syntax are converted to XML, while improper CLI commands are ignored and saved to flash memory. Any CLI commands that have invalid values are replaced with default values. To see any ignored commands or invalid configuration values, enter this command:

show invalid-config

Note

You cannot execute this command after the clear config or save config command.

Step 6 If the downloaded configuration contains a large number of invalid CLI commands, you might want to upload the invalid configuration to the TFTP or FTP server for analysis. To do so, perform one of the following:

• Upload the invalid configuration using the controller GUI. Follow the instructions in the Uploading Configuration Files (GUI) section but choose Invalid Config from the File Type drop-down list in Step 2 and skip Step 3.

• Upload the invalid configuration using the controller CLI. Follow the instructions in the Uploading Configuration Files (CLI) section but enter the transfer upload datatype invalid-config command in Step 2 and skip Step 3.

Note

The controller does not support the uploading and downloading of port configuration CLI commands. If you want to configure the controller ports, enter these commands:

config port linktrap {port | all} {enable | disable}—Enables or disables the up and down link traps for a specific controller port or for all ports.

config port adminmode {port | all} {enable | disable}—Enables or disables the administrative mode for a specific controller port or for all ports.

Step 7 Save your changes by entering this command:

save config

Clearing the Controller Configuration

Step 1 Clear the configuration by entering this command:

clear config

Enter y at the confirmation prompt to confirm the action.

Step 2 Reboot the system by entering this command:

reset system

Enter n to reboot without saving configuration changes. When the controller reboots, the configuration wizard starts automatically.

Step 3 Follow the instructions in the Configuring the Controller-Using the Configuration Wizard section to complete the initial configuration.


Erasing the Controller Configuration

Step 1 Reset the configuration by entering this command:

reset system

At the confirmation prompt, enter y to save configuration changes to NVRAM. The controller reboots.

Step 2 When you are prompted for a username, restore the factory-default settings by entering this command:

recover-config

The controller reboots and the configuration wizard starts automatically.

Step 3 Follow the instructions in the Configuring the Controller-Using the Configuration Wizard section to complete the initial configuration.

Resetting the Controller

You can reset the controller and view the reboot process on the CLI console using one of the following two methods:

• Turn the controller off and then turn it back on.

• On the CLI, enter reset system. At the confirmation prompt, enter y to save configuration changes to NVRAM. The controller reboots.

When the controller reboots, the CLI console displays the following reboot information:

• Initializing the system.

• Verifying the hardware configuration.

• Loading microcode into memory.

• Verifying the operating system software load.

• Initializing with its stored configurations.

• Displaying the login prompt.


CHAPTER 23

Managing User Accounts

Configuring Guest User Accounts, page 229

Configuring Administrator Usernames and Passwords, page 232

Changing the Default Values for SNMP v3 Users, page 234

Generating a Certificate Signing Request, page 235

Configuring Guest User Accounts

Information About Creating Guest Accounts

The controller can provide guest user access on WLANs. The first step in creating guest user accounts is to create a lobby administrator user, also known as a lobby ambassador account. Once this account has been created, a lobby ambassador can create and manage guest user accounts on the controller. The lobby ambassador has limited configuration privileges and access only to the web pages used to manage the guest accounts.

The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.

Restrictions on Managing User Accounts

• The local user database is limited to a maximum of 2048 entries, which is also the default value. This database is shared by local management users (including lobby ambassadors), local network users (including guest users), MAC filter entries, exclusion list entries, and access point authorization list entries. Together they cannot exceed the configured maximum value.

• For net user accounts or guest user accounts, the following special characters are allowed along with alphanumeric characters: ~, @, #, $, %, ^, &, (, ), !, _, -, `, ., [, ], =, +, *, :, ;, {, }, ,, /, and \.


Creating a Lobby Ambassador Account

Creating a Lobby Ambassador Account (GUI)

Step 1 Choose Management > Local Management Users to open the Local Management Users page.

This page lists the names and access privileges of the local management users.

Note

If you want to delete any of the user accounts from the controller, hover your cursor over the blue drop-down arrow and choose Remove. However, deleting the default administrative user prohibits both GUI and CLI access to the controller. Therefore, you must create a user with administrative privileges (ReadWrite) before you remove the default user.

Step 2 Click New to create a lobby ambassador account. The Local Management Users > New page appears.

Step 3 In the User Name text box, enter a username for the lobby ambassador account.

Note

Management usernames must be unique because they are stored in a single database.

Step 4 In the Password and Confirm Password text boxes, enter a password for the lobby ambassador account.

Note

Passwords are case sensitive. The settings for the management User Details parameters depend on the settings that you make in the Password Policy page. The following requirements are enforced on the password:

• The password must contain characters from at least three of the following classes: lowercase letters, uppercase letters, digits, and special characters.

• No character in the password can be repeated more than three times consecutively.

• The password must not contain a management username or the reverse of a username.

• The password must not contain the words cisco, oscic, admin, or nimda, or any variant obtained by changing the capitalization of letters, substituting 1, |, or ! for i, substituting 0 for o, or substituting $ for s.

Step 5 Choose LobbyAdmin from the User Access Mode drop-down list. This option enables the lobby ambassador to create guest user accounts.

Note

The ReadOnly option creates an account with read-only privileges, and the ReadWrite option creates an administrative account with both read and write privileges.

Step 6 Click Apply to commit your changes. The new lobby ambassador account appears in the list of local management users.

Step 7 Click Save Configuration to save your changes.

Creating a Lobby Ambassador Account (CLI)

To create a lobby ambassador account use the following command:

config mgmtuser add lobbyadmin_username lobbyadmin_pwd lobby-admin

Note

Replacing lobby-admin with read-only creates an account with read-only privileges. Replacing lobby-admin with read-write creates an administrative account with both read and write privileges.


Creating Guest User Accounts as a Lobby Ambassador (GUI)

Step 1 Log into the controller as the lobby ambassador, using the username and password. The Lobby Ambassador Guest Management > Guest Users List page appears.

Step 2 Click New to create a guest user account. The Lobby Ambassador Guest Management > Guest Users List > New page appears.

Step 3 In the User Name text box, enter a name for the guest user. You can enter up to 24 characters.

Step 4 Perform one of the following:

• If you want to generate an automatic password for this guest user, select the Generate Password check box. The generated password is entered automatically in the Password and Confirm Password text boxes.

• If you want to create a password for this guest user, leave the Generate Password check box unselected and enter a password in both the Password and Confirm Password text boxes.

Note

Passwords can contain up to 24 characters and are case sensitive.

Step 5 From the Lifetime drop-down lists, choose the amount of time (in days, hours, minutes, and seconds) that this guest user account is to remain active. A value of zero (0) for all four text boxes creates a permanent account.

Default: 1 day

Range: 5 minutes to 30 days

Note

The smaller of this value or the session timeout for the guest WLAN, which is the WLAN on which the guest account is created, takes precedence. For example, if a WLAN session timeout is due to expire in 30 minutes but the guest account lifetime has 10 minutes remaining, the account is deleted in 10 minutes upon guest account expiry. Similarly, if the WLAN session timeout expires before the guest account lifetime, the client experiences a recurring session timeout that requires reauthentication.

Note

You can change a guest user account with a nonzero lifetime to another lifetime value at any time while the account is active. However, to make a guest user account permanent using the controller GUI, you must delete the account and create it again. If desired, you can use the config netuser lifetime user_name 0 command to make a guest user account permanent without deleting and recreating it.

Step 6 From the WLAN SSID drop-down list, choose the SSID that will be used by the guest user. The only WLANs that are listed are those WLANs for which Layer 3 web authentication has been configured.

Note

We recommend that you create a specific guest WLAN to prevent any potential conflicts. If a guest account expires and it has a name conflict with an account on the RADIUS server and both are on the same WLAN, the users associated with both accounts are disassociated before the guest account is deleted.

Step 7 In the Description text box, enter a description of the guest user account. You can enter up to 32 characters.

Step 8 Click Apply to commit your changes. The new guest user account appears in the list of guest users on the Guest Users List page.

From this page, you can see all of the guest user accounts, their WLAN SSID, and their lifetime. You can also edit or remove a guest user account. When you remove a guest user account, all of the clients that are using the guest WLAN and are logged in using that account’s username are deleted.

Step 9 Repeat this procedure to create any additional guest user accounts.


Viewing Guest User Accounts

Viewing the Guest Accounts (GUI)

To view guest user accounts using the controller GUI, choose Security > AAA > Local Net Users. The Local Net Users page appears.

From this page, you can see all of the local net user accounts (including guest user accounts) and can edit or remove them as desired. When you remove a guest user account, all of the clients that are using the guest WLAN and are logged in using that account’s username are deleted.

Viewing the Guest Accounts (CLI)

To see all of the local net user accounts (including guest user accounts) using the controller CLI, enter this command:

show netuser summary

Configuring Administrator Usernames and Passwords

Information About Configuring Administrator Usernames and Passwords

You can configure administrator usernames and passwords to prevent unauthorized users from reconfiguring the controller and viewing configuration information. This section provides instructions for initial configuration and for password recovery.

Configuring Usernames and Passwords (GUI)

Step 1 Choose Management > Local Management Users.

Step 2 Click New.

Step 3 Enter the username and password, and confirm the password.

Usernames and passwords are case-sensitive and can contain up to 24 ASCII characters. Usernames and passwords cannot contain spaces.

Step 4 Choose the User Access Mode as one of the following:

• ReadOnly

• ReadWrite

• LobbyAdmin

Step 5 Click Apply.


Configuring Usernames and Passwords (CLI)

Step 1 Configure a username and password by entering one of these commands:

config mgmtuser add username password read-write—Creates a username-password pair with read-write privileges.

config mgmtuser add username password read-only—Creates a username-password pair with read-only privileges.

Usernames and passwords are case-sensitive and can contain up to 24 ASCII characters. Usernames and passwords cannot contain spaces.

Note

If you ever need to change the password for an existing username, enter the config mgmtuser password username new_password command.

Step 2 List the configured users by entering this command:

show mgmtuser
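The account rules stated on this page can be checked before a credential is typed into config mgmtuser add or the Local Management Users page: the management password policy listed in the lobby ambassador procedure (three of four character classes, no character repeated more than three times in a row, no username or reversed username, no cisco/admin variants including the 1, |, ! for i, 0 for o and $ for s spellings), the 24-character ASCII, no-spaces limit for management usernames and passwords given in this section, and the character set allowed for net user and guest user names under Restrictions on Managing User Accounts. The following Python validator is an added example written for this page, not Cisco code; its rule set comes from the page and the error labels (length, non-ascii, space, classes, repeat, username, banned, chars) are naming of my own.

```python
import re

# Added example (not Cisco's code): offline validator for the local account
# rules stated in the Cisco WLC Release 8.0 guide. Error labels are my own.

MAX_LEN = 24  # usernames and passwords: up to 24 ASCII characters, no spaces

# Special characters the page allows in net user / guest user names.
NETUSER_SPECIALS = set("~@#$%^&()!_-`.[]=+*:;{},/\\")

# Substitutions the password policy treats as equivalent to the plain letter.
_LEET = {"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"}
_BANNED_WORDS = ("cisco", "oscic", "admin", "nimda")

_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def _basic_errors(value):
    """Length, ASCII and whitespace rules shared by management usernames and passwords."""
    errors = []
    if not 1 <= len(value) <= MAX_LEN:
        errors.append("length")
    if not value.isascii():
        errors.append("non-ascii")
    if " " in value:
        errors.append("space")
    return errors


def _normalize(text):
    """Lower-case and undo the 1/|/!, 0 and $ substitutions before word matching."""
    return "".join(_LEET.get(ch, ch) for ch in text.lower())


def mgmt_username_errors(username):
    """Errors for a local management (admin or lobby ambassador) username."""
    return _basic_errors(username)


def mgmt_password_errors(password, username=""):
    """Errors for a management password under the page's default password policy."""
    errors = _basic_errors(password)
    if sum(bool(re.search(p, password)) for p in _CLASSES) < 3:
        errors.append("classes")        # fewer than three character classes
    if re.search(r"(.)\1{3}", password):
        errors.append("repeat")         # some character appears 4+ times in a row
    low, user = password.lower(), username.lower()
    if user and (user in low or user[::-1] in low):
        errors.append("username")       # contains the username or its reverse
    if any(word in _normalize(password) for word in _BANNED_WORDS):
        errors.append("banned")         # cisco/admin variants, incl. leet spellings
    return errors


def netuser_name_errors(name):
    """Errors for a net user / guest user name: alphanumerics plus the listed specials."""
    errors = []
    if not 1 <= len(name) <= MAX_LEN:
        errors.append("length")
    if any(not (ch.isascii() and ch.isalnum()) and ch not in NETUSER_SPECIALS
           for ch in name):
        errors.append("chars")
    return errors


if __name__ == "__main__":
    # Constructed sample entries. "C1sc0-Rocks2024" has four character classes
    # but is still rejected because it normalizes to "cisco-rocks2o24".
    for user, pw in (("wlcadmin", "Tr0ub4dor&3"), ("ops", "C1sc0-Rocks2024"),
                     ("bob", "aaaabbbbcccc1"), ("ops", "OpsAdmin!24")):
        print(f"{user!r} / {pw!r}: {mgmt_password_errors(pw, user) or 'OK'}")
    print("guest-01@corp:", netuser_name_errors("guest-01@corp") or "OK")
    print("guest<1>:", netuser_name_errors("guest<1>"))
```

The leet normalization is applied only to the banned-word check, which is how the page describes the rule; the username check is a plain case-insensitive substring test in both directions, so a username of ops rejects both OpsAdmin!24 and any password containing spo.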

Restoring Passwords

Before You Begin

Ensure that you are accessing the controller CLI through the console port. Because this procedure creates a new administrative account without requiring any existing credentials, anyone with physical access to the console port can use it; restrict console access accordingly.

Step 1 After the controller boots up, enter Restore-Password at the User prompt.

Note

For security reasons, the text that you enter does not appear on the controller console.

Step 2 At the Enter User Name prompt, enter a new username.

Step 3 At the Enter Password prompt, enter a new password.

Step 4 At the Re-enter Password prompt, reenter the new password. The controller validates and stores your entries in the database.

Step 5 When the User prompt reappears, enter your new username.

Step 6 When the Password prompt appears, enter your new password. The controller logs you in with your new username and password.


Changing the Default Values for SNMP v3 Users

Information About Changing the Default Values for SNMP v3 Users

The controller uses a default value of “default” for the username, authentication password, and privacy password for SNMP v3 users. Using these standard values presents a security risk. Therefore, Cisco strongly advises that you change these values.

Note

SNMP v3 is time sensitive. Ensure that you configure the correct time and time zone on your controller.

Changing the SNMP v3 User Default Values (GUI)

Step 1 Choose Management > SNMP > SNMP V3 Users to open the SNMP V3 Users page.

Step 2 If “default” appears in the User Name column, hover your cursor over the blue drop-down arrow for the desired user and choose Remove to delete this SNMP v3 user.

Step 3 Click New to add a new SNMP v3 user. The SNMP V3 Users > New page appears.

Step 4 In the User Profile Name text box, enter a unique name. Do not enter “default.”

Step 5 Choose Read Only or Read Write from the Access Mode drop-down list to specify the access level for this user. The default value is Read Only.

Step 6 From the Authentication Protocol drop-down list, choose the desired authentication method: None, HMAC-MD5 (Hash-based Message Authentication Code with Message Digest 5), or HMAC-SHA (Hash-based Message Authentication Code with the Secure Hash Algorithm). The default value is HMAC-SHA. Keep HMAC-SHA unless a legacy management station requires MD5; choosing None leaves SNMP v3 messages unauthenticated.

Step 7 In the Auth Password and Confirm Auth Password text boxes, enter the shared secret key to be used for authentication. You must enter at least 12 characters that include both letters and numbers.

Step 8 From the Privacy Protocol drop-down list, choose the desired encryption method: None, CBC-DES (Cipher Block Chaining with the Data Encryption Standard), or CFB-AES-128 (Cipher Feedback Mode with the 128-bit Advanced Encryption Standard). The default value is CFB-AES-128. Keep CFB-AES-128 unless a legacy management station requires DES; single DES has a 56-bit key and should not be relied on for confidentiality.

Note

In order to configure CBC-DES or CFB-AES-128 encryption, you must have selected either HMAC-MD5 or HMAC-SHA as the authentication protocol in Step 6.

Step 9 In the Priv Password and Confirm Priv Password text boxes, enter the shared secret key to be used for encryption. You must enter at least 12 characters that include both letters and numbers.

Step 10 Click Apply.

Step 11 Click Save Configuration.

Step 12 Reboot the controller so that the SNMP v3 user that you added takes effect.


Changing the SNMP v3 User Default Values (CLI)

Step 1 See the current list of SNMP v3 users for this controller by entering this command:

show snmpv3user

Step 2 If “default” appears in the SNMP v3 User Name column, enter this command to delete this user:

config snmp v3user delete username

The username parameter is the SNMP v3 username (in this case, “default”).

Step 3 Create a new SNMP v3 user by entering this command:

config snmp v3user create username {ro | rw} {none | hmacmd5 | hmacsha} {none | des | aescfb128} auth_key encrypt_key

where

username is the SNMP v3 username.

ro is read-only mode and rw is read-write mode.

none, hmacmd5, and hmacsha are the authentication protocol options.

none, des, and aescfb128 are the privacy protocol options.

auth_key is the authentication shared secret key.

encrypt_key is the encryption shared secret key.

Do not enter “default” for the username, auth_key, and encrypt_key parameters.

Step 4 Enter the save config command.

Step 5 Reboot the controller so that the SNMP v3 user that you added takes effect by entering the reset system command.

Generating a Certificate Signing Request

Step 1 Install and open the OpenSSL application.

Step 2 Enter the command:

OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

Controllers support a maximum key size of 2048 bits. A 1024-bit RSA key, as used in this example, is considered weak and is no longer accepted by public CAs; generate a 2048-bit key instead (rsa:2048), which is the largest size the controller supports.

Note

You must provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the controller. This name should exist in the DNS as well. Also, after you make the change to the VIP interface, you must reboot the system in order for this change to take effect.

After you issue the command, you are prompted to enter information such as country name, state, city, and so on.


Step 3 Information similar to the following appears:

OpenSSL>

req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

Loading 'screen' into random state - done

Generating a 1024 bit RSA private key

................................................................++++++

...................................................++++++

writing new private key to 'mykey.pem'

-----

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:CA

Locality Name (eg, city) []:San Jose

Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC

Organizational Unit Name (eg, section) []:CDE

Common Name (eg, YOUR name) []:XYZ.ABC

Email Address []:[email protected]

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:Test123

An optional company name []:

OpenSSL>

After you provide all the required details, two files are generated:

• A new private key that includes the name mykey.pem

• A CSR that includes the name myreq.pem

Step 4 Copy and paste the Certificate Signing Request (CSR) information into any CA enrollment tool. After you submit the CSR to a third-party CA, the CA digitally signs the certificate and sends back the signed certificate chain through e-mail. In the case of chained certificates, you receive the entire chain of certificates from the CA. If there is a single intermediate certificate, you receive the following three certificates from the CA:

• Root certificate.pem

• Intermediate certificate.pem

• Device certificate.pem

Note

Ensure that the certificate is in Apache-compatible PEM format. SHA-1 signatures are accepted; SHA-2 signatures are supported starting with the releases listed in the Information About Web Authentication Certificates section.

Once you have all three certificates, copy and paste into another file the contents of each .pem file in this order (the delimiters are the standard five-dash PEM markers):

-----BEGIN CERTIFICATE-----

*Device cert*

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

*Intermediate CA cert*

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

*Root CA cert*

-----END CERTIFICATE-----

Step 5 Save the file as All-certs.pem.

Step 6 Combine the All-certs.pem certificate with the private key that you generated along with the CSR (the private key of the device certificate, which is mykey.pem in this example), and save the file as final.pem.

Step 7 Create the All-certs.p12 and final.pem files by entering these commands:

openssl> pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:check123 -passout pass:check123

openssl> pkcs12 -in All-certs.p12 -out final.pem -passin pass:check123 -passout pass:check123

final.pem is the file that you download to the controller.

Note

You must enter a password for the -passin and -passout parameters. The password that is configured for the -passout parameter must match the certpassword parameter that is configured on the controller. In the above example, the password that is configured for both the -passin and -passout parameters is check123.

What to Do Next

Download the final.pem file to the controller either using CLI or GUI.

Downloading Third-Party Certificate (GUI)

Step 1 Copy the device certificate final.pem to the default directory on your TFTP server.

Step 2 Choose Security > Web Auth > Certificate to open the Web Authentication Certificate page.

Step 3 Check the Download SSL Certificate check box to view the Download SSL Certificate From Server parameters.

Step 4 In the Server IP Address text box, enter the IP address of the TFTP server.

Step 5 In the File Path text box, enter the directory path of the certificate.

Step 6 In the File Name text box, enter the name of the certificate.

Step 7 In the Certificate Password text box, enter the password that protects the certificate (the value given to the -passout parameter when final.pem was created).

Step 8 Click Apply.

Step 9 After the download is complete, choose Commands > Reboot and click Save and Reboot.

Step 10 Click OK in order to confirm your decision to reboot the controller.


Downloading Third-Party Certificate (CLI)

Step 1 Move the final.pem file to the default directory on your TFTP server. Change the download settings by entering the following commands:

(Cisco Controller) > transfer download mode tftp

(Cisco Controller) > transfer download datatype webauthcert

(Cisco Controller) > transfer download serverip <TFTP server IP address>

(Cisco Controller) > transfer download path <absolute TFTP server path to the update file>

(Cisco Controller) > transfer download filename final.pem

Step 2 Enter the password for the .pem file so that the operating system can decrypt the SSL key and certificate.

(Cisco Controller) > transfer download certpassword password

Note

Ensure that the value for certpassword is the same as the -passout parameter that you used when creating final.pem.

Step 3 Start the certificate and key download by entering this command:

transfer download start

Example:

(Cisco Controller) > transfer download start

Mode............................................. TFTP

Data Type........................................ Site Cert

TFTP Server IP................................... 10.77.244.196

TFTP Packet Timeout.............................. 6

TFTP Max Retries................................. 10

TFTP Path........................................./

TFTP Filename.................................... final.pem

This may take some time.

Are you sure you want to start? (y/N)

y

TFTP EAP Dev cert transfer starting.

Certificate installed.

Reboot the switch to use new certificate.

Step 4 Reboot the controller.


CHAPTER 24

Managing Web Authentication

Obtaining a Web Authentication Certificate, page 239

Web Authentication Process, page 242

Choosing the Default Web Authentication Login Page, page 245

Using a Customized Web Authentication Login Page from an External Web Server, page 251

Downloading a Customized Web Authentication Login Page, page 252

Assigning Login, Login Failure, and Logout Pages per WLAN, page 256

Configuring Authentication for Sleeping Clients, page 258

Obtaining a Web Authentication Certificate

Information About Web Authentication Certificates

The operating system of the controller automatically generates a fully functional web authentication certificate, so you do not need to do anything in order to use certificates with Layer 3 web authentication. However, if desired, you can prompt the operating system to generate a new web authentication certificate, or you can download an externally generated SSL certificate.

Starting with 7.0.250.0 and 7.3.101.0 releases (but not in 7.2.x release), SHA2 certificates are supported.

Note

The WEB UI home page may not load when the ip http access class command is enabled. When you encounter this issue, we recommend that you do the following:

1. Run the show iosd liin command.

2. Get the internet-address and configure the same IP address as permit in the access-list.


Note

For WEB UI access using TACACS+ server, custom method-list for authentication and authorization pointing to the TACACS+ server group does not work. You should use the default authorization method-list pointing to the same TACACS+ server group for the WEB UI to work.

Support for Chained Certificate

Cisco WLC allows the device certificate to be downloaded as a chained certificate (up to a level of 2) for web authentication. Wildcard certificates are also supported. For more information about chained certificates, see the Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC document at http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html.

Note

While installing a certificate for web authentication on Release 7.6, the certificate load fails with a Missing Root CA cert error. Download a chained certificate that includes the intermediate Certificate Authority (CA) and root CA certificates and install it on the Cisco WLC.

Obtaining a Web Authentication Certificate (GUI)

Step 1 Choose Security > Web Auth > Certificate to open the Web Authentication Certificate page.

This page shows the details of the current web authentication certificate.

Step 2 If you want to use a new operating system-generated web authentication certificate, follow these steps:

a) Click Regenerate Certificate. The operating system generates a new web authentication certificate, and a successfully generated web authentication certificate message appears.

b) Reboot the controller to register the new certificate.

Step 3 If you prefer to use an externally generated web authentication certificate, follow these steps:

a) Verify that the controller can ping the TFTP server.

b) Select the Download SSL Certificate check box.

c) In the Server IP Address text box, enter the IP address of the TFTP server.

The default values of 10 retries and 6 seconds for the Maximum Retries and Timeout text boxes should work correctly without any adjustment. However, you can change these values.

d) Enter the maximum number of times that each download can be attempted in the Maximum Retries text box and the amount of time (in seconds) allowed for each download in the Timeout text box.

e) In the Certificate File Path text box, enter the directory path of the certificate.

f) In the Certificate File Name text box, enter the name of the certificate (certname.pem).

g) In the Certificate Password text box, enter the password for the certificate.

h) Click Apply to commit your changes. The operating system downloads the new certificate from the TFTP server.

i) Reboot the controller to register the new certificate.


Obtaining a Web Authentication Certificate (CLI)

Step 1

Step 2

Step 3

See the current web authentication certificate by entering this command:

show certificate summary

Information similar to the following appears:

Web Administration Certificate................... Locally Generated

Web Authentication Certificate................... Locally Generated

Certificate compatibility mode:............... off

If you want the operating system to generate a new web authentication certificate, follow these steps: a) To generate the new certificate, enter this command:

config certificate generate webauth

b) To reboot the controller to register the new certificate, enter this command:

reset system

If you prefer to use an externally generated web authentication certificate, follow these steps:

Note

We recommend that the Common Name (CN) of the externally generated web authentication certificate be 1.1.1.1 (or the equivalent virtual interface IP address) in order for the client’s browser to match the domains of the web authentication URL and the web authentication certificate.

1) Specify the name, path, and type of certificate to be downloaded by entering these commands:

transfer download mode tftp

transfer download datatype webauthcert

transfer download serverip server_ip_address

transfer download path server_path_to_file

transfer download filename certname.pem

transfer download certpassword password

transfer download tftpMaxRetries retries

transfer download tftpPktTimeout timeout

Note

The default values of 10 retries and a 6-second timeout should work correctly without any adjustment. However, you can change these values. To do so, enter the maximum number of times that each download can be attempted for the retries parameter and the amount of time (in seconds) allowed for each download for the timeout parameter.

2) Start the download process by entering this command:

transfer download start

3) Reboot the controller to register the new certificate by entering this command:

reset system


Web Authentication Process

Web authentication is a Layer 3 security feature that causes the controller to not allow IP traffic (except DHCP-related packets) from a particular client until that client has correctly supplied a valid username and password. When you use web authentication to authenticate clients, you must define a username and password for each client. When the clients attempt to join the wireless LAN, their users must enter the username and password when prompted by a login page.

Note

If a client uses more than 20 DNS resolved addresses, the controller overwrites the 21st address in the first address space in the Mobile Station Control Block (MSCB) table, but the first address is still retained in the client. If the client again tries to use the first address, it will not be reachable because the controller does not have this address in the list of allowed addresses for the client's MSCB table.

Note

One-Time Passwords (OTP) are not supported on web authentication.

When a client is associated with 802.1X + WebAuth Security and when the client roams, the 802.1X username is updated in the client information.

Note

Web authentication does not work with an IPv6 URL when the WLAN is in local switching (LS) mode; IPv4 with local switching and IPv6 with central switching (CS) do work. The redirected web-auth page is not displayed when an IPv6 URL is typed in the browser and the WLAN is in local switching mode.


Disabling Security Alert for Web Authentication Process

When web authentication is enabled (under Layer 3 Security), users might receive a web-browser security alert the first time that they attempt to access a URL.

Figure 18: Typical Web-Browser Security Alert

Note

When clients connect to a WebAuth SSID with preauthorization ACL configured to allow VPN users, the clients will get disconnected from the SSID every few minutes. Webauth SSIDs must not connect without authenticating on the web page.

After the user clicks Yes to proceed (or if the client’s browser does not display a security alert), the web authentication system redirects the client to a login page.

Step 1 Click View Certificate on the Security Alert page.

Step 2 Click Install Certificate.

Step 3 When the Certificate Import Wizard appears, click Next.

Step 4 Choose Place all certificates in the following store and click Browse.

Step 5 Expand the Trusted Root Certification Authorities folder and choose Local Computer.

Step 6 Click OK.

Step 7 Click Next > Finish.

Step 8 When the “The import was successful” message appears, click OK.

Because the issuer text box is blank on the controller self-signed certificate, open Internet Explorer, choose Tools > Internet Options > Advanced, unselect the Warn about Invalid Site Certificates check box under Security, and click OK.


Step 9 Reboot the PC. On the next web authentication attempt, the login page appears.

The following figure shows the default web authentication login page.

Figure 19: Default Web Authentication Login Page

The default login page contains a Cisco logo and Cisco-specific text. You can choose to have the web authentication system display one of the following:

• The default login page

• A modified version of the default login page

• A customized login page that you configure on an external web server

• A customized login page that you download to the controller

The Choosing the Default Web Authentication Login Page section provides instructions for choosing how the web authentication login page appears.


When the user enters a valid username and password on the web authentication login page and clicks Submit, the web authentication system displays a successful login page and redirects the authenticated client to the requested URL.

Figure 20: Successful Login Page

The default successful login page contains a pointer to a virtual gateway address URL in the https://<IP address>/logout.html format. The IP address that you set for the controller virtual interface serves as the redirect address for the login page.

Choosing the Default Web Authentication Login Page

Information About Default Web Authentication Login Page

If you are using a custom web-auth bundle that is served by the internal controller web server, the page should not contain more than 5 elements (including HTML, CSS, and Images). This is because the internal controller web server implements a DoS protection mechanism that limits each client to open a maximum of 5 (five) concurrent TCP connections depending on the load. Some browsers may try to open more than 5 TCP sessions at the same time (For example Firefox 4) if the page contains more elements and this may result in the page loading slowly depending on how the browser handles the DoS protection.

If you do not want users to connect to a web page using a browser that is configured with SSLv2 only, you can disable SSLv2 for web authentication by entering the config network secureweb cipher-option sslv2 disable command. If you enter this command, users must use a browser that is configured to use a more secure protocol such as SSLv3 or later releases. The default value is disabled.

Note

Cisco TAC is not responsible for creating a custom webauth bundle.

If you have a complex custom web authentication module, it is recommended that you use an external web-auth config on the controller, where the full login page is hosted at an external web server.

Choosing the Default Web Authentication Login Page (GUI)

Step 1 Choose Security > Web Auth > Web Login Page to open the Web Login page.

Step 2 From the Web Authentication Type drop-down list, choose Internal (Default).

Step 3 If you want to use the default web authentication login page as is, go to Step 8. If you want to modify the default login page, go to Step 4.

Step 4 If you want to hide the Cisco logo that appears in the top right corner of the default page, choose the Cisco Logo Hide option. Otherwise, click the Show option.

Step 5 If you want the user to be directed to a particular URL (such as the URL for your company) after login, enter the desired URL in the Redirect URL After Login text box. You can enter up to 254 characters.

Step 6 If you want to create your own headline on the login page, enter the desired text in the Headline text box. You can enter up to 127 characters. The default headline is “Welcome to the Cisco wireless network.”

Step 7 If you want to create your own message on the login page, enter the desired text in the Message text box. You can enter up to 2047 characters. The default message is “Cisco is pleased to provide the Wireless LAN infrastructure for your network. Please login and put your air space to work.”

Step 8 Click Apply to commit your changes.

Step 9 Click Preview to view the web authentication login page.

Step 10 If you are satisfied with the content and appearance of the login page, click Save Configuration to save your changes. Otherwise, repeat any of the previous steps as necessary to achieve your desired results.

Choosing the Default Web Authentication Login Page (CLI)

Step 1 Specify the default web authentication type by entering this command:

config custom-web webauth_type internal

Step 2 If you want to use the default web authentication login page as is, go to Step 7. If you want to modify the default login page, go to Step 3.

Step 3 To show or hide the Cisco logo that appears in the top right corner of the default login page, enter this command:

config custom-web weblogo {enable | disable}

Step 4 If you want the user to be directed to a particular URL (such as the URL for your company) after login, enter this command:

config custom-web redirecturl url

You can enter up to 130 characters for the URL. To change the redirect back to the default setting, enter the clear redirecturl command.

Step 5 If you want to create your own headline on the login page, enter this command:

config custom-web webtitle title

You can enter up to 130 characters. The default headline is “Welcome to the Cisco wireless network.” To reset the headline to the default setting, enter the clear webtitle command.

Step 6 If you want to create your own message on the login page, enter this command:

config custom-web webmessage message

You can enter up to 130 characters. The default message is “Cisco is pleased to provide the Wireless LAN infrastructure for your network. Please login and put your air space to work.” To reset the message to the default setting, enter the clear webmessage command.

Step 7 To enable or disable the web authentication logout popup window, enter this command:

config custom-web logout-popup {enable | disable}

Step 8 Enter the save config command to save your settings.

Step 9 Import your own logo into the web authentication login page as follows:

1) Make sure that you have a Trivial File Transfer Protocol (TFTP) server available for the file download. Follow these guidelines when setting up a TFTP server:

• If you are downloading through the service port, the TFTP server must be on the same subnet as the service port because the service port is not routable, or you must create static routes on the controller.

• If you are downloading through the distribution system network port, the TFTP server can be on the same or a different subnet because the distribution system port is routable.

• A third-party TFTP server cannot run on the same computer as the Cisco Prime Infrastructure because the Prime Infrastructure built-in TFTP server and the third-party TFTP server require the same communication port.

2) Ensure that the controller can contact the TFTP server by entering this command:

ping ip-address

3) Copy the logo file (in .jpg, .gif, or .png format) to the default directory on your TFTP server. The maximum file size is 30 kilobits. For an optimal fit, the logo should be approximately 180 pixels wide and 360 pixels high.

4) Specify the download mode by entering this command:

transfer download mode tftp

5) Specify the type of file to be downloaded by entering this command:

transfer download datatype image

6) Specify the IP address of the TFTP server by entering this command:

transfer download serverip tftp-server-ip-address

Note

Some TFTP servers require only a forward slash (/) as the TFTP server IP address, and the TFTP server automatically determines the path to the correct directory.

7) Specify the download path by entering this command:

transfer download path absolute-tftp-server-path-to-file

8) Specify the file to be downloaded by entering this command:

transfer download filename {filename.jpg | filename.gif | filename.png}

9) View your updated settings and answer y to the prompt to confirm the current download settings and start the download by entering this command:

transfer download start

10) Save your settings by entering this command:

save config

Note

If you ever want to remove this logo from the web authentication login page, enter the clear webimage command.

Step 10 Follow the instructions in the Verifying the Web Authentication Login Page Settings (CLI), on page 255 section to verify your settings.

Example: Creating a Customized Web Authentication Login Page

This section provides information on creating a customized web authentication login page, which can then be accessed from an external web server.

Here is a web authentication login page template. It can be used as a model when creating your own customized page:

<html>
<head>
<meta http-equiv="Pragma" content="no-cache">
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<title>Web Authentication</title>
<script>
// Parse the parameters that the controller appends to the redirect URL
// (ap_mac, switch_url, redirect, statusCode, wlan) into an object.
function parseArgs(){
  var args = new Object();
  var query = location.search.substring(1);
  var pairs = query.split("&");
  for(var i=0;i<pairs.length;i++){
    var pos = pairs[i].indexOf('=');
    if(pos == -1) continue;
    var argname = pairs[i].substring(0,pos);
    var value = pairs[i].substring(pos+1);
    args[argname] = unescape(value);
  }
  return args;
}

function submitAction(){
  var link = document.location.href;
  var searchString = "redirect=";
  var equalIndex = link.indexOf(searchString);
  var redirectUrl = "";
  // If the form has no action yet, post the credentials to switch_url.
  if (document.forms[0].action == "") {
    var args = parseArgs();
    document.forms[0].action = args.switch_url;
  }
  // Everything after "redirect=" is the URL the user asked for originally.
  if(equalIndex >= 0) {
    equalIndex += searchString.length;
    redirectUrl = link.substring(equalIndex);
  }
  // The hidden redirect_url field holds at most 255 characters.
  if(redirectUrl.length > 255)
    redirectUrl = redirectUrl.substring(0,255);
  document.forms[0].redirect_url.value = redirectUrl;
  document.forms[0].buttonClicked.value = 4;
  document.forms[0].submit();
}

function loadAction(){
  var args = parseArgs();
  //alert( "AP MAC Address is " + args.ap_mac);
  //alert( "The Switch URL to post user credentials is " + args.switch_url);
  // Post the credentials to the controller URL passed in switch_url.
  document.forms[0].action = args.switch_url;
  // This is the status code returned from the webauth login action.
  // Any status code value from 1 to 5 is an error condition and the user
  // should be shown an error as below; modify the messages to suit the customer.
  if(args.statusCode == 1){
    alert("You are already logged in. No further action is required on your part.");
  } else if(args.statusCode == 2){
    alert("You are not configured to authenticate against web portal. No further action is required on your part.");
  } else if(args.statusCode == 3){
    alert("The username specified cannot be used at this time. Perhaps the username is already logged into the system?");
  } else if(args.statusCode == 4){
    alert("The User has been excluded. Please contact the administrator.");
  } else if(args.statusCode == 5){
    alert("Invalid username and password. Please try again.");
  } else if(args.statusCode == 6){
    alert("Invalid email address format. Please try again.");
  }
}
</script>
</head>
<body topmargin="50" marginheight="50" onload="loadAction();">
<form method="post" action="https://209.165.200.225/login.html">
<input TYPE="hidden" NAME="buttonClicked" SIZE="16" MAXLENGTH="15" value="0">
<input TYPE="hidden" NAME="redirect_url" SIZE="255" MAXLENGTH="255" VALUE="">
<input TYPE="hidden" NAME="err_flag" SIZE="16" MAXLENGTH="15" value="0">
<div align="center">
<table border="0" cellspacing="0" cellpadding="0">
<tr> <td>&nbsp;</td></tr>
<tr align="center"> <td colspan="2"><font size="10" color="#336699">Web Authentication</font></td></tr>
<tr align="center">
<td colspan="2"> User Name &nbsp;&nbsp;&nbsp;<input type="TEXT" name="username" SIZE="25" MAXLENGTH="63" VALUE="">
</td>
</tr>
<tr align="center" >
<td colspan="2"> Password &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="Password" name="password" SIZE="25" MAXLENGTH="24">
</td>
</tr>
<tr align="center">
<td colspan="2"><input type="button" name="Submit" value="Submit" class="button" onclick="submitAction();">
</td>
</tr>
</table>
</div>
</form>
</body>
</html>

These parameters are added to the URL when the user’s Internet browser is redirected to the customized login page:

ap_mac—The MAC address of the access point to which the wireless user is associated.

switch_url—The URL of the controller to which the user credentials should be posted.

redirect—The URL to which the user is redirected after authentication is successful.

statusCode—The status code returned from the controller’s web authentication server.

wlan—The WLAN SSID to which the wireless user is associated.

The available status codes are as follows:

• Status Code 1: “You are already logged in. No further action is required on your part.”

• Status Code 2: “You are not configured to authenticate against web portal. No further action is required on your part.”

• Status Code 3: “The username specified cannot be used at this time. Perhaps the username is already logged into the system?”

• Status Code 4: “You have been excluded.”

• Status Code 5: “The User Name and Password combination you have entered is invalid. Please try again.”
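As an added illustration, not part of the Cisco template above, the following JavaScript reproduces the template's query-string handling as pure functions that run under Node.js, and adds one check the template lacks: the form action is accepted only when switch_url is an https URL on the controller's virtual interface address. CONTROLLER_VIRTUAL_HOST and the sample hrefs are assumptions for this example.

```javascript
'use strict';

// Added example, not Cisco's template: the login page's query-string handling
// as pure functions, plus a check on where the credentials would be posted.
// CONTROLLER_VIRTUAL_HOST is an assumption (1.1.1.1 is the virtual address the
// guide recommends as the certificate CN); adjust it to the deployment.
const CONTROLLER_VIRTUAL_HOST = '1.1.1.1';

// Messages for the status codes listed above (1 to 5).
const STATUS_MESSAGES = {
  1: 'You are already logged in. No further action is required on your part.',
  2: 'You are not configured to authenticate against web portal. No further action is required on your part.',
  3: 'The username specified cannot be used at this time. Perhaps the username is already logged into the system?',
  4: 'You have been excluded.',
  5: 'The User Name and Password combination you have entered is invalid. Please try again.',
};

// Split "?a=b&c=d" the way the template's loop does: the first '=' separates
// name from value and pairs without '=' are skipped. decodeURIComponent
// replaces the template's legacy unescape(); undecodable values are kept raw.
function parseQuery(search) {
  const args = {};
  const query = search.startsWith('?') ? search.substring(1) : search;
  for (const pair of query.split('&')) {
    const pos = pair.indexOf('=');
    if (pos === -1) continue;
    const name = pair.substring(0, pos);
    let value = pair.substring(pos + 1);
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    args[name] = value;
  }
  return args;
}

// The template copies everything after "redirect=" in the full href into the
// hidden redirect_url field, which is limited to 255 characters (MAXLENGTH).
function extractRedirect(href) {
  const marker = 'redirect=';
  const idx = href.indexOf(marker);
  if (idx < 0) return '';
  return href.substring(idx + marker.length).substring(0, 255);
}

// The template posts the form to whatever switch_url says. Accept only an
// https URL whose host is the controller's virtual interface, so that a
// modified link cannot make the page send the credentials somewhere else.
function isTrustedSwitchUrl(switchUrl) {
  let parsed;
  try { parsed = new URL(switchUrl); } catch (e) { return false; }
  return parsed.protocol === 'https:' && parsed.hostname === CONTROLLER_VIRTUAL_HOST;
}

// What the page should do when loaded at href: the status message to show
// (if any), the form action it may use (null if untrusted), the value for
// the hidden redirect_url field, and the informational parameters.
function planLogin(href) {
  const qmark = href.indexOf('?');
  const args = parseQuery(qmark >= 0 ? href.substring(qmark) : '');
  const code = Number(args.statusCode);
  const switchUrl = args.switch_url || '';
  return {
    message: STATUS_MESSAGES[code] || null,
    action: isTrustedSwitchUrl(switchUrl) ? switchUrl : null,
    redirectUrl: extractRedirect(href),
    wlan: args.wlan || null,
    apMac: args.ap_mac || null,
  };
}

// Constructed sample: the URL a controller at 1.1.1.1 would send a client to
// after a failed login (statusCode=5) on the WLAN "Guest".
const SAMPLE_HREF = 'https://portal.example.com/login.html'
  + '?switch_url=https://1.1.1.1/login.html&ap_mac=00:11:22:33:44:55'
  + '&wlan=Guest&statusCode=5&redirect=http://www.example.com/start';

console.log(planLogin(SAMPLE_HREF));
```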

Note

For additional information, see the External Web Authentication with Wireless LAN Controllers Configuration Example at http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71881-ext-web-auth-wlc.html.


Example: Modified Default Web Authentication Login Page Example

This figure shows an example of a modified default web authentication login page.

Figure 21: Modified Default Web Authentication Login Page Example

These CLI commands were used to create this login page:

config custom-web weblogo disable

config custom-web webtitle Welcome to the AcompanyBC Wireless LAN!

config custom-web webmessage Contact the System Administrator for a Username and Password.

transfer download start

config custom-web redirecturl url

Using a Customized Web Authentication Login Page from an External Web Server

Information About Customized Web Authentication Login Page

You can customize the web authentication login page to redirect to an external web server. When you enable this feature, the user is directed to your customized login page on the external web server.


You must configure a preauthentication access control list (ACL) on the WLAN for the external web server and then choose this ACL as the WLAN preauthentication ACL under Security Policies > Web Policy on the WLANs > Edit page.

Choosing a Customized Web Authentication Login Page from an External Web Server (GUI)

Step 1 Choose Security > Web Auth > Web Login Page to open the Web Login page.

Step 2 From the Web Authentication Type drop-down list, choose External (Redirect to external server).

Step 3 In the Redirect URL after login text box, enter the URL to which you want the user to be redirected after a login.

For example, you may enter your company's URL here and the users will be directed to that URL after login. The maximum length is 254 characters. By default, the user is redirected to the URL that was entered in the user's browser before the login page was served.

Step 4 In the External Webauth URL text box, enter the URL of the customized web authentication login page on your web server; this is the URL used for external web authentication. You can enter up to 252 characters.

Step 5 Click Apply.

Step 6 Click Save Configuration.

Choosing a Customized Web Authentication Login Page from an External Web Server (CLI)

Step 1 Specify the web authentication type by entering this command:

config custom-web webauth_type external

Step 2 Specify the URL of the customized web authentication login page on your web server by entering this command:

config custom-web ext-webauth-url url

You can enter up to 252 characters for the URL.

Step 3 Specify the IP address of your web server by entering this command:

config custom-web ext-webserver {add | delete} server_IP_address

Step 4 Enter the save config command to save your settings.

Step 5 Follow the instructions in the Verifying the Web Authentication Login Page Settings (CLI), on page 255 section to verify your settings.

Downloading a Customized Web Authentication Login Page

You can compress the page and image files used for displaying a web authentication login page into a .tar file for download to a controller. These files are known as the webauth bundle. The maximum allowed size of the files in their uncompressed state is 1 MB. When the .tar file is downloaded from a local TFTP server, it enters the controller’s file system as an untarred file.


You can download a login page example from Cisco Prime Infrastructure and use it as a starting point for your customized login page. For more information, see the Cisco Prime Infrastructure documentation.

Note

If you load a webauth bundle with a .tar compression application that is not GNU compliant, the controller cannot extract the files in the bundle and the following error messages appear: “Extracting error” and “TFTP transfer failed.” Therefore, we recommend that you use an application that complies with GNU standards, such as PicoZip, to compress the .tar file for the webauth bundle.

Note

Configuration backups do not include extra files or components, such as the webauth bundle or external licenses, that you download and store on your controller, so you should manually save external backup copies of those files or components.

Note

If the customized webauth bundle has more than 3 separated elements, we advise you to use an external server to prevent page load issues that may be caused because of TCP rate-limiting policy on the controller.

Prerequisites for Downloading a Customized Web Authentication Login Page

• Name the login page login.html. The controller prepares the web authentication URL based on this name. If the server does not find this file after the webauth bundle has been untarred, the bundle is discarded, and an error message appears.

• Include input text boxes for both a username and password.

• Retain the redirect URL as a hidden input item after extracting from the original URL.

• Extract and set the action URL in the page from the original URL.

• Include scripts to decode the return status code.

• Make sure that all paths used in the main page (to refer to images, for example).

• Ensure that no filenames within the bundle are greater than 30 characters.
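An added pre-flight check (example code, not part of the guide or the controller) that reads a webauth bundle .tar in memory and reports which of the prerequisites above it violates before the bundle is uploaded. The tar builder and the sample bundle contents are constructed for the example; the 1 MB, 30-character, 3-element and 5-element thresholds are the ones stated in this section.

```javascript
'use strict';

const BLOCK = 512;
const MAX_NAME_LEN = 30;          // no filename in the bundle may exceed 30 characters
const MAX_UNCOMPRESSED = 1 << 20; // 1 MB uncompressed limit
const MAX_ELEMENTS = 5;           // internal web server allows 5 connections per client
const ADVISED_ELEMENTS = 3;       // above this the guide advises an external server

// Build one ustar header block (used only to construct the sample bundle).
function tarHeader(name, size) {
  const h = Buffer.alloc(BLOCK, 0);
  h.write(name, 0, 100, 'ascii');
  h.write('0000644\0', 100, 8, 'ascii');                               // mode
  h.write('0000000\0', 108, 8, 'ascii');                               // uid
  h.write('0000000\0', 116, 8, 'ascii');                               // gid
  h.write(size.toString(8).padStart(11, '0') + '\0', 124, 12, 'ascii'); // size, octal
  h.write('00000000000\0', 136, 12, 'ascii');                          // mtime
  h.write('0', 156, 1, 'ascii');                                        // typeflag: regular file
  h.write('ustar\0', 257, 6, 'ascii');
  h.write('00', 263, 2, 'ascii');
  h.fill(0x20, 148, 156);            // checksum field is summed as spaces
  let sum = 0;
  for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148, 8, 'ascii');
  return h;
}

// Pack {name: content} into a tar Buffer (ustar layout, two zero blocks at the end).
function buildTar(files) {
  const parts = [];
  for (const [name, content] of Object.entries(files)) {
    const data = Buffer.from(content, 'utf8');
    parts.push(tarHeader(name, data.length), data);
    const pad = (BLOCK - (data.length % BLOCK)) % BLOCK;
    if (pad) parts.push(Buffer.alloc(pad, 0));
  }
  parts.push(Buffer.alloc(BLOCK * 2, 0));
  return Buffer.concat(parts);
}

// Minimal tar reader: returns [{name, size}] for the regular-file entries.
function listTar(buf) {
  const entries = [];
  let off = 0;
  while (off + BLOCK <= buf.length) {
    const hdr = buf.subarray(off, off + BLOCK);
    if (hdr.every((b) => b === 0)) break;   // end-of-archive marker
    const raw = hdr.toString('ascii', 0, 100);
    const name = raw.includes('\0') ? raw.slice(0, raw.indexOf('\0')) : raw;
    const size = parseInt(hdr.toString('ascii', 124, 136).replace(/[^0-7]/g, ''), 8) || 0;
    const type = String.fromCharCode(hdr[156]);
    if (type === '0' || type === '\0') entries.push({ name, size });
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;
  }
  return entries;
}

// Apply the prerequisites: errors would make the controller reject or mangle
// the bundle, warnings are the guide's advice about element counts.
function checkWebauthBundle(tarBuf) {
  const entries = listTar(tarBuf);
  const errors = [];
  const warnings = [];
  const names = entries.map((e) => e.name.replace(/^\.\//, ''));
  if (!names.includes('login.html')) {
    errors.push('login.html missing: the controller would discard the bundle');
  }
  for (const n of names) {
    if (n.length > MAX_NAME_LEN) errors.push(`filename longer than ${MAX_NAME_LEN} characters: ${n}`);
  }
  const total = entries.reduce((s, e) => s + e.size, 0);
  if (total > MAX_UNCOMPRESSED) errors.push(`uncompressed size ${total} bytes exceeds 1 MB`);
  if (entries.length > MAX_ELEMENTS) {
    warnings.push(`${entries.length} elements: browsers may exceed the internal server's 5-connection limit`);
  } else if (entries.length > ADVISED_ELEMENTS) {
    warnings.push(`${entries.length} elements: consider hosting the page on an external web server`);
  }
  return { ok: errors.length === 0, errors, warnings, entries: entries.length, totalBytes: total };
}

// Constructed sample bundle: a login page, a stylesheet and a logo placeholder.
const SAMPLE_BUNDLE = buildTar({
  'login.html': '<html><body><form>...</form></body></html>',
  'style.css': 'body { font-family: sans-serif; }',
  'logo.png': 'not-a-real-png',
});

console.log(checkWebauthBundle(SAMPLE_BUNDLE));
```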

Downloading a Customized Web Authentication Login Page (GUI)

Step 1 Copy the .tar file containing your login page to the default directory on your server.

Step 2 Choose Commands > Download File to open the Download File to Controller page.

Step 3 From the File Type drop-down list, choose Webauth Bundle.

Step 4 From the Transfer Mode drop-down list, choose from the following options:

• TFTP

• FTP

• SFTP (available in the 7.4 and later releases)

Step 5 In the IP Address text box, enter the IP address of the server.

Step 6 If you are using a TFTP server, enter the maximum number of times the controller should attempt to download the .tar file in the Maximum Retries text box.

The range is 1 to 254.

The default is 10.

Step 7 If you are using a TFTP server, enter the amount of time in seconds before the controller times out while attempting to download the .tar file in the Timeout text box.

The range is 1 to 254 seconds.

The default is 6 seconds.

Step 8 In the File Path text box, enter the path of the .tar file to be downloaded. The default value is “/”.

Step 9 In the File Name text box, enter the name of the .tar file to be downloaded.

Step 10 If you are using an FTP server, follow these steps:

1) In the Server Login Username text box, enter the username to log into the FTP server.

2) In the Server Login Password text box, enter the password to log into the FTP server.

3) In the Server Port Number text box, enter the port number on the FTP server through which the download occurs. The default value is 21.

Step 11 Click Download to download the .tar file to the controller.

Step 12 Choose Security > Web Auth > Web Login Page to open the Web Login page.

Step 13 From the Web Authentication Type drop-down list, choose Customized (Downloaded).

Step 14 Click Apply.

Step 15 Click Preview to view your customized web authentication login page.

Step 16 If you are satisfied with the content and appearance of the login page, click Save Configuration.

Downloading a Customized Web Authentication Login Page (CLI)

Step 1 Copy the .tar file containing your login page to the default directory on your server.

Step 2 Specify the download mode by entering this command:

transfer download mode {tftp | ftp | sftp}

Step 3 Specify the type of file to be downloaded by entering this command:

transfer download datatype webauthbundle

Step 4 Specify the IP address of the TFTP server by entering this command:

transfer download serverip tftp-server-ip-address

Note

Some TFTP servers require only a forward slash (/) as the TFTP server IP address, and the TFTP server automatically determines the path to the correct directory.

Step 5 Specify the download path by entering this command:

transfer download path absolute-tftp-server-path-to-file

Step 6 Specify the file to be downloaded by entering this command:

transfer download filename filename.tar

Step 7 View your updated settings and answer y to the prompt to confirm the current download settings and start the download by entering this command:

transfer download start

Step 8 Specify the web authentication type by entering this command:

config custom-web webauth_type customized

Step 9 Enter the save config command to save your settings.

Example: Customized Web Authentication Login Page

This figure shows an example of a customized web authentication login page.

Figure 22: Customized Web Authentication Login Page Example

Verifying the Web Authentication Login Page Settings (CLI)

Verify your changes to the web authentication login page by entering this command:

show custom-web


Assigning Login, Login Failure, and Logout Pages per WLAN

Information About Assigning Login, Login Failure, and Logout Pages per WLAN

You can display different web authentication login, login failure, and logout pages to users per WLAN. This feature enables user-specific web authentication pages to be displayed for a variety of network users, such as guest users or employees within different departments of an organization.

Different login pages are available for all web authentication types (internal, external, and customized).

However, different login failure and logout pages can be specified only when you choose customized as the web authentication type.

Assigning Login, Login Failure, and Logout Pages per WLAN (GUI)

Step 1 Choose WLANs to open the WLANs page.

Step 2 Click the ID number of the WLAN to which you want to assign a web login, login failure, or logout page.

Step 3 Choose Security > Layer 3.

Step 4 Make sure that Web Policy and Authentication are selected.

Step 5 To override the global authentication configuration web authentication pages, select the Override Global Config check box.

Step 6 When the Web Auth Type drop-down list appears, choose one of the following options to define the web authentication pages for wireless guest users:

• Internal—Displays the default web login page for the controller. This is the default value.

• Customized—Displays custom web login, login failure, and logout pages. If you choose this option, three separate drop-down lists appear for login, login failure, and logout page selection. You do not need to define a customized page for all three options. Choose None from the appropriate drop-down list if you do not want to display a customized page for that option.

Note

These optional login, login failure, and logout pages are downloaded to the controller as webauth.tar files.

• External—Redirects users to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL text box.

You can choose specific RADIUS or LDAP servers to provide external authentication on the WLANs > Edit (Security > AAA Servers) page. Additionally, you can define the priority in which the servers provide authentication.

Step 7 If you chose External as the web authentication type in Step 6, choose AAA Servers and choose up to three RADIUS and LDAP servers using the drop-down lists.

Note

The RADIUS and LDAP external servers must already be configured in order to be selectable options on the WLANs > Edit (Security > AAA Servers) page. You can configure these servers on the RADIUS Authentication Servers page and LDAP Servers page.

Step 8 Establish the priority in which the servers are contacted to perform web authentication as follows:

Note

The default order is local, RADIUS, LDAP.

1) Highlight the server type (local, RADIUS, or LDAP) that you want to be contacted first in the box next to the Up and Down buttons.

2) Click Up and Down until the desired server type is at the top of the box.

3) Click the < arrow to move the server type to the priority box on the left.

4) Repeat these steps to assign priority to the other servers.

Step 9 Click Apply to commit your changes.

Step 10 Click Save Configuration to save your changes.

Assigning Login, Login Failure, and Logout Pages per WLAN (CLI)

Step 1 Determine the ID number of the WLAN to which you want to assign a web login, login failure, or logout page by entering this command:

show wlan summary

Step 2 If you want wireless guest users to log into a customized web login, login failure, or logout page, enter these commands to specify the filename of the web authentication page and the WLAN for which it should display:

config wlan custom-web login-page page_name wlan_id

Defines a customized login page for a given WLAN.

config wlan custom-web loginfailure-page page_name wlan_id

Defines a customized login failure page for a given WLAN.

Note

To use the controller’s default login failure page, enter the config wlan custom-web loginfailure-page none wlan_id command.

config wlan custom-web logout-page page_name wlan_id

Defines a customized logout page for a given WLAN.

Note

To use the controller’s default logout page, enter the config wlan custom-web logout-page none wlan_id command.

Step 3 Redirect wireless guest users to an external server before accessing the web login page by entering this command to specify the URL of the external server:

config wlan custom-web ext-webauth-url ext_web_url wlan_id

Step 4 Define the order in which web authentication servers are contacted by entering this command:

config wlan security web-auth server-precedence wlan_id {local | ldap | radius} {local | ldap | radius} {local | ldap | radius}

The default order of server web authentication is local, RADIUS and LDAP.

Note

All external servers must be preconfigured on the controller. You can configure them on the RADIUS Authentication Servers page and the LDAP Servers page.

Step 5 Define which web authentication page displays for a wireless guest user by entering this command:

config wlan custom-web webauth-type {internal | customized | external} wlan_id

where

• internal displays the default web login page for the controller. This is the default value.

• customized displays the custom web login page that was configured in Step 2.

Note

You do not need to define the web authentication type in Step 5 for the login failure and logout pages as they are always customized.

• external redirects users to the URL that was configured in Step 3.

Step 6 Use a WLAN-specific custom web configuration rather than a global custom web configuration by entering this command:

config wlan custom-web global disable wlan_id

Note

If you enter the config wlan custom-web global enable wlan_id command, the custom web authentication configuration at the global level is used.

Step 7 Save your changes by entering this command:

save config

Configuring Authentication for Sleeping Clients

Information About Authenticating Sleeping Clients

Clients with guest access that have had successful web authentication are allowed to sleep and wake up without having to go through another authentication process through the login page. You can configure the duration for which the sleeping clients are to be remembered before reauthentication becomes necessary. The valid range is 10 minutes to 43200 minutes, with the default being 720 minutes. You can configure the duration on a WLAN and on a user group policy that is mapped to the WLAN. The sleeping timer becomes effective after the idle timeout. If the client timeout is less than the time configured on the sleeping timer of the WLAN, then the lifetime of the client is used as the sleeping time.

Note

The sleeping timer expires every 6 minutes.

This feature is supported in the following FlexConnect scenario: local switching and central authentication.

Caution

If the MAC address of a client that goes to sleep mode is spoofed, the fake device such as a laptop can be authenticated.

Following are some guidelines in a mobility scenario:

• L2 roaming in the same subnet is supported.

• Anchor sleeping timer is applicable.

• The sleeping client information is shared between multiple autoanchors when a sleeping client moves from one anchor to another.

From release 8.0 and later, in a High Availability scenario, the sleeping timer is synchronized between active and standby.


Supported Mobility Scenarios

A sleeping client does not require reauthentication in the following scenarios:

• Suppose there are two controllers in a mobility group. A client that is associated with one controller goes to sleep and then wakes up and gets associated with the other controller.

• Suppose there are three controllers in a mobility group. A client that is associated with the second controller that is anchored to the first controller goes to sleep, wakes up, and gets associated with the third controller.

• A client sleeps, wakes up and gets associated with the same or different export foreign controller that is anchored to the export anchor.

Restrictions for Authenticating Sleeping Clients

• The sleep client feature works only for WLANs configured with WebAuth security. Web passthrough is supported on Release 8.0 and later.

• You can configure the sleeping clients only on a per-WLAN basis.

• The authentication of sleeping clients feature is not supported with Layer 2 security and web authentication enabled.

• The authentication of sleeping clients feature is supported only on WLANs that have Layer 3 security enabled.

• With Layer 3 security, the Authentication, Passthrough, and On MAC Filter failure web policies are supported. The Conditional Web Redirect and Splash Page Web Redirect web policies are not supported.

• The central web authentication of sleeping clients is not supported.

• The authentication of sleeping clients feature is not supported on guest LANs and remote LANs.

• If the Cisco WLC does not get the username or password of the client, the sleep client feature may not work as expected.

• A guest access sleeping client that has a local user policy is not supported. In this case, the WLAN-specific timer is applied.

• In a High Availability scenario, the client entry is synchronized between active and standby, but the sleeping timer is not synchronized. If the active controller fails, the client has to get reauthenticated when it associates with the standby controller.

• The number of sleeping clients that are supported depends on the controller platform:

• Cisco 2504 Wireless Controller—500

• Cisco 5508 Wireless Controller—1000

• Cisco 5520 Wireless Controller—25000

• Cisco Flex 7510 Wireless Controller—25000 with Release 7.6 and later; 9000 in earlier releases

• Cisco 8510 Wireless Controller—25000 with Release 7.6 and later; 9000 in earlier releases

• Cisco 8540 Wireless Controller—64000

• Cisco WiSM2—1000


• Cisco Virtual Wireless LAN Controller—500

• Cisco Wireless Controller on Cisco Services-Ready Engine (SRE)—500

• New mobility is not supported.

Configuring Authentication for Sleeping Clients (GUI)

Step 1 Choose WLANs.

Step 2 Click the corresponding WLAN ID.

The WLANs > Edit page is displayed.

Step 3 Click the Security tab and then click the Layer 3 tab.

Step 4 Select the Sleeping Client check box to enable authentication for sleeping clients.

Step 5 Enter the Sleeping Client Timeout, which is the duration for which the sleeping clients are to be remembered before reauthentication becomes necessary.

The default timeout is 12 hours.

Step 6 Click Apply.

Step 7 Click Save Configuration.

Configuring Authentication for Sleeping Clients (CLI)

• Enable or disable authentication for sleeping clients on a WLAN by entering this command:

config wlan custom-web sleep-client {enable | disable} wlan-id

• Configure the sleeping client timeout on a WLAN by entering this command:

config wlan custom-web sleep-client timeout wlan-id duration

• View the sleeping client configuration on a WLAN by entering this command:

show wlan wlan-id

• Delete any unwanted sleeping client entries by entering this command:

config custom-web sleep-client delete client-mac-addr

• View a summary of all the sleeping client entries by entering this command:

show custom-web sleep-client summary

• View the details of a sleeping client entry based on the MAC address of the client by entering this command:

show custom-web sleep-client detail client-mac-addr


CHAPTER 25

Configuring Wired Guest Access

Information About Wired Guest Access, page 261

Prerequisites for Configuring Wired Guest Access, page 262

Restrictions for Configuring Wired Guest Access, page 262

Configuring Wired Guest Access (GUI), page 263

Configuring Wired Guest Access (CLI), page 264

Supporting IPv6 Client Guest Access, page 266

Information About Wired Guest Access

Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Wired guest access ports might be available in a guest office or through specific ports in a conference room. Like wireless guest user accounts, wired guest access ports are added to the network using the lobby ambassador feature.

Wired guest access can be configured in a standalone configuration or in a dual-controller configuration that uses both an anchor controller and a foreign controller. This latter configuration is used to further isolate wired guest access traffic but is not required for deployment of wired guest access.

Wired guest access ports initially terminate on a Layer 2 access switch or switch port configured with VLAN interfaces for wired guest access traffic. The wired guest traffic is then trunked from the access switch to a controller. This controller is configured with an interface that is mapped to a wired guest access VLAN on the access switch.

Note

Although wired guest access is managed by the anchor and foreign controllers when two controllers are deployed, mobility is not supported for wired guest access clients. In this case, DHCP and web authentication for the client are handled by the anchor controller.

Note

You can specify the amount of bandwidth allocated to a wired guest user in the network by configuring a QoS role and a bandwidth contract.


You can create a basic peer-to-peer WLAN ACL and apply it to the wired guest WLAN. This will not block peer-to-peer traffic, and the guest users can still communicate with each other.

Prerequisites for Configuring Wired Guest Access

To configure wired guest access on a wireless network, you must perform the following:

1. Configure a dynamic interface (VLAN) for wired guest user access

2. Create a wired LAN for guest user access

3. Configure the controller

4. Configure the anchor controller (if terminating traffic on another controller)

5. Configure security for the guest LAN

6. Verify the configuration

Restrictions for Configuring Wired Guest Access

• Wired guest access interfaces must be tagged.

• Wired guest access ports must be in the same Layer 2 network as the foreign controller.

• Up to five wired guest access LANs can be configured on a controller. Also, in a wired guest access LAN, multiple anchors are supported.

• Layer 3 web authentication and web passthrough are supported for wired guest access clients. Layer 2 security is not supported.

• Do not trunk a wired guest VLAN to multiple foreign controllers, as it might produce unpredictable results.

• The controller does not use the callStationIDType parameter configured for the RADIUS server while authenticating wired clients; instead, the controller uses the system MAC address configured for the callStationIDType parameter.


Configuring Wired Guest Access (GUI)

Step 1 To create a dynamic interface for wired guest user access, choose Controller > Interfaces. The Interfaces page appears.

Step 2 Click New to open the Interfaces > New page.

Step 3 Enter a name and VLAN ID for the new interface.

Step 4 Click Apply to commit your changes.

Step 5 In the Port Number text box, enter a valid port number. You can enter a number between 0 and 25 (inclusive).

Step 6 Select the Guest LAN check box.

Step 7 Click Apply to commit your changes.

Step 8 To create a wired LAN for guest user access, choose WLANs.

Step 9 On the WLANs page, choose Create New from the drop-down list and click Go. The WLANs > New page appears.

Step 10 From the Type drop-down list, choose Guest LAN.

Step 11 In the Profile Name text box, enter a name that identifies the guest LAN. Do not use any spaces.

Step 12 From the WLAN ID drop-down list, choose the ID number for this guest LAN.

Note

You can create up to five guest LANs, so the WLAN ID options are 1 through 5 (inclusive).

Step 13 Click Apply to commit your changes.

Step 14 Select the Enabled check box for the Status parameter.

Step 15 Web authentication (Web-Auth) is the default security policy. If you want to change this to web passthrough, choose the Security tab after completing Step 16 and Step 17.

Step 16 From the Ingress Interface drop-down list, choose the VLAN that you created in Step 3. This VLAN provides a path between the wired guest client and the controller by way of the Layer 2 access switch.

Step 17 From the Egress Interface drop-down list, choose the name of the interface. This WLAN provides a path out of the controller for wired guest client traffic.

Step 18 If you want to change the authentication method (for example, from web authentication to web passthrough), choose Security > Layer 3. The WLANs > Edit (Security > Layer 3) page appears.

Step 19 From the Layer 3 Security drop-down list, choose one of the following:

None—Layer 3 security is disabled.

Web Authentication—Causes users to be prompted for a username and password when connecting to the wireless network. This is the default value.

Web Passthrough—Allows users to access the network without entering a username and password.

Note

There should not be a Layer 3 gateway on the guest wired VLAN, as this would bypass the web authentication done through the controller.

Step 20 If you choose the Web Passthrough option, an Email Input check box appears. Select this check box if you want users to be prompted for their e-mail address when attempting to connect to the network.

Step 21 To override the global authentication configuration set on the Web Login page, select the Override Global Config check box.

Step 22 When the Web Auth Type drop-down list appears, choose one of the following options to define the web authentication pages for wired guest users:


Internal—Displays the default web login page for the controller. This is the default value.

Customized—Displays custom web login, login failure, and logout pages. If you choose this option, three separate drop-down lists appear for login, login failure, and logout page selection. You do not need to define a customized page for all three options. Choose None from the appropriate drop-down list if you do not want to display a customized page for that option.

Note

These optional login, login failure, and logout pages are downloaded to the controller as webauth.tar files.

External—Redirects users to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL text box.

Step 23 You can choose specific RADIUS or LDAP servers to provide external authentication on the WLANs > Edit (Security > AAA Servers) page. Additionally, you can define the priority in which the servers provide authentication.

Step 24 If you chose External as the web authentication type in Step 22, choose Security > AAA Servers and choose up to three RADIUS and LDAP servers using the drop-down lists.

Note

You can configure the Authentication and LDAP Server using both IPv4 and IPv6 addresses.

Note

The RADIUS and LDAP external servers must already be configured in order to be selectable options on the WLANs > Edit (Security > AAA Servers) page. You can configure these servers on the RADIUS Authentication Servers page and LDAP Servers page.

Step 25 Establish the priority in which the servers are contacted to perform web authentication as follows:

Note

The default order is local, RADIUS, LDAP.

1. Highlight the server type (local, RADIUS, or LDAP) that you want to be contacted first in the box next to the Up and Down buttons.

2. Click Up and Down until the desired server type is at the top of the box.

3. Click the < arrow to move the server type to the priority box on the left.

4. Repeat these steps to assign priority to the other servers.

Step 26 Click Apply.

Step 27 Click Save Configuration.

Repeat this process if a second (anchor) controller is being used in the network.

Configuring Wired Guest Access (CLI)

Step 1 Create a dynamic interface (VLAN) for wired guest user access by entering this command:

config interface create interface_name vlan_id

Step 2 If link aggregation trunk is not configured, enter this command to map a physical port to the interface:

config interface port interface_name primary_port {secondary_port}

Step 3 Enable or disable the guest LAN VLAN by entering this command:

config interface guest-lan interface_name {enable | disable}

This VLAN is later associated with the ingress interface created in Step 5.

Step 4 Create a wired LAN for wired client traffic and associate it to an interface by entering this command:

config guest-lan create guest_lan_id interface_name

The guest LAN ID must be a value between 1 and 5 (inclusive).

Note

To delete a wired guest LAN, enter the config guest-lan delete guest_lan_id command.

Step 5 Configure the wired guest VLAN’s ingress interface, which provides a path between the wired guest client and the controller by way of the Layer 2 access switch, by entering this command:

config guest-lan ingress-interface guest_lan_id interface_name

Step 6 Configure an egress interface to transmit wired guest traffic out of the controller by entering this command:

config guest-lan interface guest_lan_id interface_name

Note

If the wired guest traffic is terminating on another controller, repeat Step 4 and Step 6 for the terminating (anchor) controller and Step 1 through Step 5 for the originating (foreign) controller. Additionally, configure the config mobility group anchor add {guest-lan guest_lan_id | wlan wlan_id} IP_address command for both controllers.

Step 7 Configure the security policy for the wired guest LAN by entering this command:

config guest-lan security {web-auth enable guest_lan_id | web-passthrough enable guest_lan_id}

Note

Web authentication is the default setting.

Step 8 Enable or disable a wired guest LAN by entering this command:

config guest-lan {enable | disable} guest_lan_id

Step 9 If you want wired guest users to log into a customized web login, login failure, or logout page, enter these commands to specify the filename of the web authentication page and the guest LAN for which it should display:

config guest-lan custom-web login-page page_name guest_lan_id: Defines a web login page.

config guest-lan custom-web loginfailure-page page_name guest_lan_id: Defines a web login failure page.

Note

To use the controller’s default login failure page, enter the config guest-lan custom-web loginfailure-page none guest_lan_id command.

config guest-lan custom-web logout-page page_name guest_lan_id: Defines a web logout page.

Note

To use the controller’s default logout page, enter the config guest-lan custom-web logout-page none guest_lan_id command.

Step 10 If you want wired guest users to be redirected to an external server before accessing the web login page, enter this command to specify the URL of the external server:

config guest-lan custom-web ext-webauth-url ext_web_url guest_lan_id

Step 11 If you want to define the order in which local (controller) or external (RADIUS, LDAP) web authentication servers are contacted, enter this command:

config wlan security web-auth server-precedence wlan_id {local | ldap | radius} {local | ldap | radius} {local | ldap | radius}

The default order of server web authentication is local, RADIUS, LDAP.

Note

All external servers must be preconfigured on the controller. You can configure them on the RADIUS Authentication Servers page or the LDAP Servers page.


Step 12 Define the web login page for wired guest users by entering this command:

config guest-lan custom-web webauth-type {internal | customized | external} guest_lan_id

where

internal displays the default web login page for the controller. This is the default value.

customized displays the custom web pages (login, login failure, or logout) that were configured in Step 9.

external redirects users to the URL that was configured in Step 10.

Step 13 Use a guest-LAN specific custom web configuration rather than a global custom web configuration by entering this command:

config guest-lan custom-web global disable guest_lan_id

Note

If you enter the config guest-lan custom-web global enable guest_lan_id command, the custom web authentication configuration at the global level is used.

Step 14 Save your changes by entering this command:

save config

Note

Information on the configured web authentication appears in both the show run-config and show running-config commands.

Step 15 Display the customized web authentication settings for a specific guest LAN by entering this command:

show custom-web {all | guest-lan guest_lan_id}

Note

If internal web authentication is configured, the Web Authentication Type displays as internal rather than external (controller level) or customized (WLAN profile level).

Step 16 Display a summary of the local interfaces by entering this command:

show interface summary

Note

The interface name of the wired guest LAN in this example is wired-guest and its VLAN ID is 236.

Step 17 Display detailed interface information by entering this command:

show interface detailed interface_name

Step 18 Display the configuration of a specific wired guest LAN by entering this command:

show guest-lan guest_lan_id

Note

Enter the show guest-lan summary command to see all wired guest LANs configured on the controller.

Step 19 Display the active wired guest LAN clients by entering this command:

show client summary guest-lan

Display detailed information for a specific client by entering this command:

show client detail client_mac
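As an added example (not Cisco's code), the following Python builds the command sequence of Steps 1 through 14 above, which mirrors the per-WLAN custom-web and server-precedence commands earlier in the chapter, from one configuration record, and first checks the constraints the chapter states (guest LAN ID 1 through 5, web-auth or web-passthrough only, an external URL only with webauth-type external, precedence naming local, ldap and radius once each). The class and function names are this example's own, the interface name wired-guest and VLAN 236 come from the note in Step 16, and issuing server-precedence with the guest LAN ID as wlan_id is an assumption.

```python
"""Build the CLI sequence for a wired guest LAN from one configuration record.

Added example, not Cisco code. Validation rules come from the constraints stated in
this chapter; command syntaxes are the ones shown in Steps 1 through 14.
"""
from dataclasses import dataclass, field
from typing import List, Optional

VALID_SERVERS = ("local", "ldap", "radius")


@dataclass
class WiredGuestLan:
    guest_lan_id: int
    interface_name: str          # dynamic interface from Step 1; also used as the ingress interface
    vlan_id: int
    egress_interface: str
    primary_port: Optional[int] = None   # Step 2 applies only when no LAG trunk is configured
    security: str = "web-auth"           # or "web-passthrough"; Layer 2 security is not supported
    webauth_type: str = "internal"       # internal | customized | external
    login_page: Optional[str] = None
    loginfailure_page: Optional[str] = None
    logout_page: Optional[str] = None
    ext_webauth_url: Optional[str] = None
    # Default order in the guide is local, RADIUS, LDAP.
    server_precedence: List[str] = field(default_factory=lambda: ["local", "radius", "ldap"])


def validate(cfg: WiredGuestLan) -> List[str]:
    """Return the list of violated constraints; an empty list means the record is consistent."""
    problems = []
    if not 1 <= cfg.guest_lan_id <= 5:
        problems.append("guest LAN ID must be between 1 and 5 (inclusive)")
    if not 1 <= cfg.vlan_id <= 4094:
        problems.append("VLAN ID out of range (wired guest interfaces must be tagged)")
    if cfg.security not in ("web-auth", "web-passthrough"):
        problems.append("security must be web-auth or web-passthrough")
    if cfg.webauth_type not in ("internal", "customized", "external"):
        problems.append("webauth-type must be internal, customized or external")
    if cfg.webauth_type == "external" and not cfg.ext_webauth_url:
        problems.append("external webauth-type requires ext-webauth-url")
    if cfg.webauth_type == "customized" and not (
            cfg.login_page or cfg.loginfailure_page or cfg.logout_page):
        problems.append("customized webauth-type without any custom page")
    if sorted(cfg.server_precedence) != sorted(VALID_SERVERS):
        problems.append("server precedence must list local, ldap and radius exactly once each")
    if " " in cfg.interface_name or " " in cfg.egress_interface:
        problems.append("interface names must not contain spaces")
    return problems


def build_commands(cfg: WiredGuestLan) -> List[str]:
    """Emit the commands of Steps 1 through 14 in procedure order, or raise on a bad record."""
    errs = validate(cfg)
    if errs:
        raise ValueError("; ".join(errs))
    gid, ifn = cfg.guest_lan_id, cfg.interface_name
    cmds = [f"config interface create {ifn} {cfg.vlan_id}"]               # Step 1
    if cfg.primary_port is not None:                                      # Step 2 (no LAG)
        cmds.append(f"config interface port {ifn} {cfg.primary_port}")
    cmds += [
        f"config interface guest-lan {ifn} enable",                       # Step 3
        f"config guest-lan create {gid} {ifn}",                           # Step 4
        f"config guest-lan ingress-interface {gid} {ifn}",                # Step 5
        f"config guest-lan interface {gid} {cfg.egress_interface}",       # Step 6
        f"config guest-lan security {cfg.security} enable {gid}",         # Step 7
        f"config guest-lan enable {gid}",                                 # Step 8
    ]
    if cfg.webauth_type == "customized":                                  # Step 9
        # 'none' selects the controller's default page, as the notes in Step 9 describe.
        for key, page in (("login-page", cfg.login_page),
                          ("loginfailure-page", cfg.loginfailure_page),
                          ("logout-page", cfg.logout_page)):
            cmds.append(f"config guest-lan custom-web {key} {page or 'none'} {gid}")
    if cfg.webauth_type == "external":                                    # Step 10
        cmds.append(f"config guest-lan custom-web ext-webauth-url {cfg.ext_webauth_url} {gid}")
    # Assumption: the guest LAN ID is passed as wlan_id to the precedence command.
    cmds.append("config wlan security web-auth server-precedence "        # Step 11
                f"{gid} {' '.join(cfg.server_precedence)}")
    cmds.append(f"config guest-lan custom-web webauth-type {cfg.webauth_type} {gid}")  # Step 12
    cmds.append(f"config guest-lan custom-web global disable {gid}")      # Step 13
    cmds.append("save config")                                            # Step 14
    return cmds


if __name__ == "__main__":
    # Constructed sample record: external portal, interface name and VLAN from Step 16's note.
    sample = WiredGuestLan(guest_lan_id=2, interface_name="wired-guest", vlan_id=236,
                           egress_interface="guest-egress", webauth_type="external",
                           ext_webauth_url="https://portal.example.com/login")
    print("\n".join(build_commands(sample)))
```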

Supporting IPv6 Client Guest Access

The client is in WebAuth Required state until the client is authenticated. The controller intercepts both IPv4 and IPv6 traffic in this state and redirects it to the virtual IP address of the controller. Once authenticated, the user's MAC address is moved to the run state and both IPv4 and IPv6 traffic is allowed to pass.


In order to support the redirection of IPv6-only clients, the controller automatically creates an IPv6 virtual address based on the IPv4 virtual address configured on the controller. The virtual IPv6 address follows the convention of [::ffff:<virtual IPv4 address>]. For example, a virtual IP address of 192.0.2.1 would translate into [::ffff:192.0.2.1]. For an IPv6 captive portal to be displayed, the user must request an IPv6 resolvable DNS entry such as ipv6.google.com which returns a DNSv6 (AAAA) record.
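The derivation described above, as an added example that is not Cisco's code: it applies the [::ffff:<virtual IPv4 address>] convention, produces the host part of the redirect target for each address family, and checks whether an observed destination is one of the two virtual addresses, which is useful when verifying from a capture that pre-authentication traffic of both families is being intercepted. 192.0.2.1 is the documentation address used on this page; the function names are this example's own.

```python
"""Derive the controller's IPv6 virtual address from its IPv4 virtual address.

Added example, not Cisco code. Implements the [::ffff:<virtual IPv4 address>]
convention the guide describes for IPv6-only client redirection.
"""
import ipaddress
from typing import Dict


def ipv6_virtual_address(ipv4_virtual: str) -> ipaddress.IPv6Address:
    """IPv4-mapped IPv6 form (::ffff:a.b.c.d) of the controller's virtual IP."""
    v4 = ipaddress.IPv4Address(ipv4_virtual)      # rejects a malformed address
    return ipaddress.IPv6Address(f"::ffff:{v4}")


def redirect_hosts(ipv4_virtual: str) -> Dict[str, str]:
    """Host part of the captive-portal redirect URL per address family.

    The IPv6 literal is written in the mixed notation the guide shows and is
    bracketed, as it must be inside a URL.
    """
    v4 = ipaddress.IPv4Address(ipv4_virtual)
    return {"ipv4": str(v4), "ipv6": f"[::ffff:{v4}]"}


def is_virtual_address(candidate: str, ipv4_virtual: str) -> bool:
    """True if candidate (an IPv4 or IPv6 literal, brackets allowed) is the
    controller's virtual address in either family; False for anything unparseable."""
    try:
        addr = ipaddress.ip_address(candidate.strip("[]"))
    except ValueError:
        return False
    if addr.version == 4:
        return addr == ipaddress.IPv4Address(ipv4_virtual)
    return addr == ipv6_virtual_address(ipv4_virtual)


if __name__ == "__main__":
    print(redirect_hosts("192.0.2.1"))
    # An IPv6-only client that resolved an AAAA record and was redirected lands here:
    print(is_virtual_address("[::ffff:192.0.2.1]", "192.0.2.1"))
```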


CHAPTER 26

Troubleshooting

Interpreting LEDs, page 269

System Messages, page 270

Viewing System Resources, page 273

Using the CLI to Troubleshoot Problems, page 274

Configuring System and Message Logging, page 276

Viewing Access Point Event Logs, page 282

Uploading Logs and Crash Files, page 283

Uploading Core Dumps from the Controller, page 285

Uploading Packet Capture Files, page 288

Monitoring Memory Leaks, page 291

Troubleshooting CCXv5 Client Devices, page 292

Using the Debug Facility, page 302

Configuring Wireless Sniffing, page 307

Troubleshooting Access Points Using Telnet or SSH, page 309

Debugging the Access Point Monitor Service, page 311

Troubleshooting Memory Leaks, page 312

Troubleshooting OfficeExtend Access Points, page 312

Interpreting LEDs

Information About Interpreting LEDs

This section describes how to interpret controller LEDs and lightweight access point LEDs.


Interpreting Controller LEDs

See the quick start guide for your specific controller for a description of the LED patterns. See the list of controllers and the respective documentation at http://www.cisco.com/c/en/us/products/wireless/index.html.

Interpreting Lightweight Access Point LEDs

See the quick start guide or hardware installation guide for your specific access point for a description of the LED patterns. See the list of access points and the respective documentation at http://www.cisco.com/c/en/us/products/wireless/index.html.

System Messages

Information About System Messages

This table lists some common system messages and their descriptions. For a complete list of system messages, see the Cisco Wireless LAN Controller System Message Guide, Release 7.0.

Table 6: System Messages and Descriptions

Error Message | Description

apf_utils.c 680: Received a CIF field without the protected bit set from mobile xx:xx:xx:xx:xx:xx | A client is sending an association request on a security-enabled WLAN with the protected bit set to 0 (in the Capability field of the association request). As designed, the controller rejects the association request, and the client sees an association failure.

dtl_arp.c 480: Got an idle-timeout message from an unknown client xx:xx:xx:xx:xx:xx | The controller’s network processing unit (NPU) sends a timeout message to the central processing unit (CPU) indicating that a particular client has timed out or aged out. This situation typically occurs when the CPU has removed a wireless client from its internal database but has not notified the NPU. Because the client remains in the NPU database, it ages out on the network processor and notifies the CPU. The CPU finds the client that is not present in its database and then sends this message.

STATION_DISASSOCIATE | The client may have intentionally terminated usage or may have experienced a service disruption.

STATION_DEAUTHENTICATE | The client may have intentionally terminated usage or this message could indicate an authentication issue.

STATION_AUTHENTICATION_FAIL | Check disable, key mismatch, or other configuration issues.

STATION_ASSOCIATE_FAIL | Check load on the Cisco radio or signal quality issues.

LRAD_ASSOCIATED | The associated lightweight access point is now managed by this controller.

LRAD_DISASSOCIATED | The lightweight access point may have associated to a different controller or may have become completely unreachable.

LRAD_UP | The lightweight access point is operational; no action required.

LRAD_DOWN | The lightweight access point may have a problem or is administratively disabled.

LRADIF_UP | The Cisco radio is UP.

LRADIF_DOWN | The Cisco radio may have a problem or is administratively disabled.

LRADIF_LOAD_PROFILE_FAILED | The client density may have exceeded system capacity.

LRADIF_NOISE_PROFILE_FAILED | The non-802.11 noise has exceeded the configured threshold.

LRADIF_INTERFERENCE_PROFILE_FAILED | 802.11 interference has exceeded threshold on channel; check channel assignments.

LRADIF_COVERAGE_PROFILE_FAILED | A possible coverage hole has been detected. Check the lightweight access point history to see if it is a common problem and add lightweight access points if necessary.

LRADIF_LOAD_PROFILE_PASSED | The load is now within threshold limits.

LRADIF_NOISE_PROFILE_PASSED | The detected noise is now less than threshold.

LRADIF_INTERFERENCE_PROFILE_PASSED | The detected interference is now less than threshold.

LRADIF_COVERAGE_PROFILE_PASSED | The number of clients receiving a poor signal is within threshold.

LRADIF_CURRENT_TXPOWER_CHANGED | Informational message.

LRADIF_CURRENT_CHANNEL_CHANGED | Informational message.

LRADIF_RTS_THRESHOLD_CHANGED | Informational message.

LRADIF_ED_THRESHOLD_CHANGED | Informational message.

LRADIF_FRAGMENTATION_THRESHOLD_CHANGED | Informational message.

RRM_DOT11_A_GROUPING_DONE | Informational message.

RRM_DOT11_B_GROUPING_DONE | Informational message.

ROGUE_AP_DETECTED | May be a security issue. Use maps and trends to investigate.

ROGUE_AP_REMOVED | A detected rogue access point has timed out. The unit might have shut down or moved out of the coverage area.

AP_MAX_ROGUE_COUNT_EXCEEDED | The current number of active rogue access points has exceeded system threshold.

LINK_UP | Positive confirmation message.

LINK_DOWN | A port may have a problem or is administratively disabled.

LINK_FAILURE | A port may have a problem or is administratively disabled.

AUTHENTICATION_FAILURE | An attempted security breach has occurred. Investigate.

STP_NEWROOT | Informational message.

STP_TOPOLOGY_CHANGE | Informational message.

IPSEC_ESP_AUTH_FAILURE | Check WLAN IPsec configuration.

IPSEC_ESP_REPLAY_FAILURE | Check for an attempt to spoof an IP address.

IPSEC_ESP_POLICY_FAILURE | Check for an IPsec configuration mismatch between WLAN and client.

IPSEC_ESP_INVALID_SPI | Informational message.

IPSEC_OTHER_POLICY_FAILURE | Check for an IPsec configuration mismatch between WLAN and client.

IPSEC_IKE_NEG_FAILURE | Check for an IPsec IKE configuration mismatch between WLAN and client.

IPSEC_SUITE_NEG_FAILURE | Check for an IPsec IKE configuration mismatch between WLAN and client.

IPSEC_INVALID_COOKIE | Informational message.

RADIOS_EXCEEDED | The maximum number of supported Cisco radios has been exceeded. Check for a controller failure in the same Layer 2 network or add another controller.

SENSED_TEMPERATURE_HIGH | Check fan, air conditioning, and/or other cooling arrangements.

SENSED_TEMPERATURE_LOW | Check room temperature and/or other reasons for low temperature.

TEMPERATURE_SENSOR_FAILURE | Replace temperature sensor as soon as possible.

TEMPERATURE_SENSOR_CLEAR | The temperature sensor is operational.

POE_CONTROLLER_FAILURE | Check ports; a possible serious failure has been detected.

MULTIPLE_USERS | Another user with the same username has logged in.

FAN_FAILURE | Monitor controller temperature to avoid overheating.

MAX_ROGUE_COUNT_EXCEEDED | The current number of active rogue access points has exceeded system threshold.

SWITCH_UP | The controller is responding to SNMP polls.

SWITCH_DOWN | The controller is not responding to SNMP polls; check controller and SNMP settings.

RADIUS_SERVERS_FAILED | Check network connectivity between RADIUS and the controller.

CONFIG_SAVED | The running configuration has been saved to flash; it will be active after a reboot.

POWER_SUPPLY_CHANGE | Check for a power-supply malfunction.

COLD_START | The controller may have been rebooted.

WARM_START | The controller may have been rebooted.
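As an added example (not Cisco's code), the following Python groups the messages of Table 6 by the action the table attaches to them and runs that grouping over a handful of constructed log lines, so that the entries the table says to investigate (rogue access points, authentication failures, ESP replay failures) surface first in a triage pass. The message names come from the table; the category labels, the line format, the regular expression and the sample lines are constructed for this example and do not reproduce a real controller's syslog layout.

```python
"""Triage controller system messages from Table 6 by the action the guide attaches to them.

Added example, not Cisco code. Message names are from the table above; categories,
line format and sample lines are constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Messages whose table entry tells the operator to investigate a possible security issue.
INVESTIGATE = {
    "ROGUE_AP_DETECTED", "AP_MAX_ROGUE_COUNT_EXCEEDED", "MAX_ROGUE_COUNT_EXCEEDED",
    "AUTHENTICATION_FAILURE", "IPSEC_ESP_REPLAY_FAILURE",
}
# Messages whose entry points at a configuration or connectivity problem to check.
CHECK_CONFIG = {
    "STATION_AUTHENTICATION_FAIL", "IPSEC_ESP_AUTH_FAILURE", "IPSEC_ESP_POLICY_FAILURE",
    "IPSEC_OTHER_POLICY_FAILURE", "IPSEC_IKE_NEG_FAILURE", "IPSEC_SUITE_NEG_FAILURE",
    "RADIUS_SERVERS_FAILED", "SWITCH_DOWN",
}
# Hardware and environment messages.
HARDWARE = {
    "SENSED_TEMPERATURE_HIGH", "SENSED_TEMPERATURE_LOW", "TEMPERATURE_SENSOR_FAILURE",
    "FAN_FAILURE", "POE_CONTROLLER_FAILURE", "POWER_SUPPLY_CHANGE", "LINK_FAILURE",
}
# Entries the table marks as informational or as positive confirmations.
INFORMATIONAL = {
    "LRAD_UP", "LRADIF_UP", "LINK_UP", "STP_NEWROOT", "STP_TOPOLOGY_CHANGE",
    "IPSEC_ESP_INVALID_SPI", "IPSEC_INVALID_COOKIE", "CONFIG_SAVED",
    "LRADIF_CURRENT_TXPOWER_CHANGED", "LRADIF_CURRENT_CHANNEL_CHANGED",
    "RRM_DOT11_A_GROUPING_DONE", "RRM_DOT11_B_GROUPING_DONE", "TEMPERATURE_SENSOR_CLEAR",
}

# Constructed line shape for this example: "<date> <time> <host> <MESSAGE_NAME>: <free text>".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<msg>[A-Z0-9_]+):\s*(?P<text>.*)$")


def classify(message: str) -> str:
    """Map a message name to the action category derived from Table 6."""
    if message in INVESTIGATE:
        return "investigate"
    if message in CHECK_CONFIG:
        return "check-config"
    if message in HARDWARE:
        return "hardware"
    if message in INFORMATIONAL:
        return "informational"
    return "unclassified"


def triage(lines: List[str]) -> Tuple[Dict[str, int], List[Tuple[str, str, str]]]:
    """Count lines per category and return (timestamp, message, text) for the ones to investigate.

    Lines that do not match the expected shape are counted as 'unparsed' rather than
    dropped silently, so a format change cannot hide events.
    """
    counts: Counter = Counter()
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        cat = classify(m["msg"])
        counts[cat] += 1
        if cat == "investigate":
            findings.append((m["ts"], m["msg"], m["text"]))
    return dict(counts), findings


# Constructed sample input; MAC addresses and hostnames are placeholders.
SAMPLE_LOG = [
    "2015-07-27 10:01:02 wlc-1 LRAD_UP: AP ap-floor2 is operational",
    "2015-07-27 10:01:09 wlc-1 ROGUE_AP_DETECTED: rogue bssid 00:11:22:33:44:55 on channel 6",
    "2015-07-27 10:02:40 wlc-1 IPSEC_ESP_REPLAY_FAILURE: replay window exceeded for client",
    "2015-07-27 10:03:00 wlc-1 CONFIG_SAVED: running configuration saved to flash",
    "2015-07-27 10:03:15 wlc-1 STATION_AUTHENTICATION_FAIL: client 66:77:88:99:aa:bb key mismatch",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    print(counts)
    for ts, msg, text in findings:
        print(f"{ts} {msg}: {text}")
```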

Viewing System Resources

Information About Viewing System Resources

You can determine the amount of system resources being used by the controller. Specifically, you can view the current controller CPU usage, system buffers, and web server buffers.

The Cisco 5500 Series Controllers have multiple CPUs, so you can view individual CPU usage. For each CPU, you can see the percentage of the CPU in use and the percentage of the CPU time spent at the interrupt level (for example, 0%/3%).


Viewing System Resources (GUI)

On the controller GUI, choose Management > Tech Support > System Resource Information. The System Resource Information page appears.

Figure 23: System Resource Information Page

Viewing System Resources (CLI)

On the controller CLI, enter these commands:

show cpu

Where the first number is the CPU percentage that the controller spent on the user application and the second number is the CPU percentage that the controller spent on the OS services.

show tech-support

show system top

Provides an ongoing look at processor activity in real time. It displays a list of the most CPU-intensive tasks performed on the system.

show system iostat summary

Provides CPU statistics, input and output statistics for devices and partitions.

show system iostat detail

Provides CPU statistics, input and output statistics for devices and partitions with extended statistics.

Using the CLI to Troubleshoot Problems

If you experience any problems with your controller, you can use the commands in this section to gather information and debug issues.


show process cpu—Shows how various tasks in the system are using the CPU at that instant in time.

This command is helpful in understanding if any single task is monopolizing the CPU and preventing other tasks from being performed.

The Priority field shows two values: 1) the original priority of the task that was created by the actual function call and 2) the priority of the task divided by a range of system priorities.

The CPU Use field shows the CPU usage of a particular task.

The Reaper field shows three values: 1) the amount of time for which the task is scheduled in user mode operation, 2) the amount of time for which the task is scheduled in system mode operation, and 3) whether the task is being watched by the reaper task monitor (indicated by a “T”). If the task is being watched by the reaper task monitor, this field also shows the timeout value (in seconds) before which the task needs to alert the task monitor.

Note

If you want to see the total CPU usage as a percentage, enter the show cpu command.

show process memory—Shows the allocation and deallocation of memory from various processes in the system at that instant in time.

In the example above, the following fields provide information:

The Name field shows the tasks that the CPU is to perform.

The Priority field shows two values: 1) the original priority of the task that was created by the actual function call and 2) the priority of the task divided by a range of system priorities.

The BytesInUse field shows the actual number of bytes used by dynamic memory allocation for a particular task.

The BlocksInUse field shows the chunks of memory that are assigned to perform a particular task.

The Reaper field shows three values: 1) the amount of time for which the task is scheduled in user mode operation, 2) the amount of time for which the task is scheduled in system mode operation, and 3) whether the task is being watched by the reaper task monitor (indicated by a “T”). If the task is being watched by the reaper task monitor, this field also shows the timeout value (in seconds) before which the task needs to alert the task monitor.

show tech-support—Shows an array of information related to the state of the system, including the current configuration, last crash file, CPU utilization, and memory utilization.

show run-config—Shows the complete configuration of the controller. To exclude access point configuration settings, use the show run-config no-ap command.

Note

If you want to see the passwords in clear text, enter the config passwd-cleartext enable command. To execute this command, you must enter an admin password. This command is valid only for this particular session. It is not saved following a reboot.

show run-config commands—Shows the list of configured commands on the controller. This command shows only values configured by the user. It does not show system-configured default values.


Configuring System and Message Logging

Information About System and Message Logging

System logging allows controllers to log their system events to up to three remote syslog servers. The controller sends a copy of each syslog message as it is logged to each syslog server configured on the controller. Being able to send the syslog messages to multiple servers ensures that the messages are not lost due to the temporary unavailability of one syslog server. Message logging allows system messages to be logged to the controller buffer or console.

Configuring System and Message Logging (GUI)

Step 1

Choose Management > Logs > Config. The Syslog Configuration page appears.

Figure 24: Syslog Configuration Page

Step 2

In the Syslog Server IP Address (IPv4/IPv6) text box, enter the IPv4/IPv6 address of the server to which to send the syslog messages and click Add. You can add up to three syslog servers to the controller. The list of syslog servers that have already been added to the controller appears below this text box.

Note

If you want to remove a syslog server from the controller, click Remove to the right of the desired server.

Step 3

To set the severity level for filtering syslog messages to the syslog servers, choose one of the following options from the Syslog Level drop-down list:

Emergencies = Severity level 0

Alerts = Severity level 1 (default value)

Critical = Severity level 2

Errors = Severity level 3

Warnings = Severity level 4

Notifications = Severity level 5

Informational = Severity level 6

Debugging = Severity level 7

If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the syslog servers. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are sent to the syslog servers.

Step 4

To set the facility for outgoing syslog messages to the syslog servers, choose one of the following options from the Syslog Facility drop-down list:

Kernel = Facility level 0

User Process = Facility level 1

Mail = Facility level 2

System Daemons = Facility level 3

Authorization = Facility level 4

Syslog = Facility level 5 (default value)

Line Printer = Facility level 6

USENET = Facility level 7

Unix-to-Unix Copy = Facility level 8

Cron = Facility level 9

FTP Daemon = Facility level 11

System Use 1 = Facility level 12

System Use 2 = Facility level 13

System Use 3 = Facility level 14

System Use 4 = Facility level 15

Local Use 0 = Facility level 16

Local Use 1 = Facility level 17

Local Use 2 = Facility level 18

Local Use 3 = Facility level 19

Local Use 4 = Facility level 20

Local Use 5 = Facility level 21

Local Use 6 = Facility level 22

Local Use 7 = Facility level 23

Step 5

Click Apply.

Step 6

To set the severity level for logging messages to the controller buffer and console, choose one of the following options from both the Buffered Log Level and Console Log Level drop-down lists:

Emergencies = Severity level 0

Alerts = Severity level 1

Critical = Severity level 2

Errors = Severity level 3 (default value)

Warnings = Severity level 4

Notifications = Severity level 5

Informational = Severity level 6

Debugging = Severity level 7

Disable = This option is available only for the Console Log Level. Select it to disable console logging.

If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the controller. For example, if you set the logging level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are logged.

Step 7

Select the File Info check box if you want the message logs to include information about the source file. The default value is enabled.

Step 8

Select the Trace Info check box if you want the message logs to include traceback information. The default is disabled.

Step 9

Click Apply.

Step 10

Click Save Configuration.

Viewing Message Logs (GUI)

To view message logs using the controller GUI, choose Management > Logs > Message Logs. The Message Logs page appears.

Note

To clear the current message logs from the controller, click Clear.

Configuring System and Message Logging (CLI)

Step 1

Enable system logging and set the IP address of the syslog server to which to send the syslog messages by entering this command:

config logging syslog host server_IP_address

You can add up to three syslog servers to the controller.

Note

To remove a syslog server from the controller, enter this command: config logging syslog host server_IP_address delete

Step 2

Set the severity level for filtering syslog messages to the syslog server by entering this command:

config logging syslog level severity_level where severity_level is one of the following:

• emergencies = Severity level 0

• alerts = Severity level 1

• critical = Severity level 2

• errors = Severity level 3

• warnings = Severity level 4

• notifications = Severity level 5

• informational = Severity level 6

• debugging = Severity level 7

Note

As an alternative, you can enter a number from 0 through 7 for the severity_level parameter.

Note

If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the syslog server. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are sent to the syslog server.

Step 3

Set the severity level for filtering syslog messages for a particular access point or for all access points by entering this command:

config ap logging syslog level severity_level {Cisco_AP | all} where severity_level is one of the following:

• emergencies = Severity level 0

• alerts = Severity level 1

• critical = Severity level 2

• errors = Severity level 3

• warnings = Severity level 4

• notifications = Severity level 5

• informational = Severity level 6

• debugging = Severity level 7

Note

If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the access point. For example, if you set the syslog level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are sent to the access point.

Step 4

Set the facility for outgoing syslog messages to the syslog server by entering this command:

config logging syslog facility facility_code

where facility_code is one of the following:

• authorization = Authorization system. Facility level = 4.

• auth-private = Authorization system (private). Facility level = 10.

• cron = Cron/at facility. Facility level = 9.

• daemon = System daemons. Facility level = 3.

• ftp = FTP daemon. Facility level = 11.

• kern = Kernel. Facility level = 0.

• local0 = Local use. Facility level = 16.

• local1 = Local use. Facility level = 17.

• local2 = Local use. Facility level = 18.

• local3 = Local use. Facility level = 19.

• local4 = Local use. Facility level = 20.

• local5 = Local use. Facility level = 21.

• local6 = Local use. Facility level = 22.

• local7 = Local use. Facility level = 23.

• lpr = Line printer system. Facility level = 6.

• mail = Mail system. Facility level = 2.

• news = USENET news. Facility level = 7.

• sys12 = System use. Facility level = 12.

• sys13 = System use. Facility level = 13.

• sys14 = System use. Facility level = 14.

• sys15 = System use. Facility level = 15.

• syslog = The syslog itself. Facility level = 5.

• user = User process. Facility level = 1.

• uucp = Unix-to-Unix copy system. Facility level = 8.

Step 5

Configure the syslog facility for AP using the following command:

config logging syslog facility AP where AP can be:

• associate = Associated syslog for AP

• disassociate = Disassociate syslog for AP

Step 6

Configure the syslog facility for Client using the following command:

config logging syslog facility Client where Client can be:

• assocfail = Dot11 association fail syslog for clients

• associate = Dot11 association syslog for clients

• authentication = authentication success syslog for clients

• authfail = Dot11 authentication fail syslog for clients

• deauthenticate = Dot11 deauthentication syslog for clients

• disassociate = Dot11 disassociation syslog for clients

• excluded = Excluded syslog for clients

Step 7

Set the severity level for logging messages to the controller buffer and console by entering these commands:

config logging buffered severity_level

config logging console severity_level where severity_level is one of the following:

• emergencies = Severity level 0

• alerts = Severity level 1

• critical = Severity level 2

• errors = Severity level 3

• warnings = Severity level 4

• notifications = Severity level 5

• informational = Severity level 6

• debugging = Severity level 7

Note

As an alternative, you can enter a number from 0 through 7 for the severity_level parameter.

Note

If you set a logging level, only those messages whose severity is equal to or less than that level are logged by the controller. For example, if you set the logging level to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are logged.

Step 8

Save debug messages to the controller buffer, the controller console, or a syslog server by entering these commands:

config logging debug buffered {enable | disable}

config logging debug console {enable | disable}

config logging debug syslog {enable | disable}

By default, the console command is enabled, and the buffered and syslog commands are disabled.

Step 9

Configure the controller to include information about the source file in the message logs or to prevent the controller from displaying this information by entering this command:

config logging fileinfo {enable | disable}

The default value is enabled.

Step 10

Configure the controller to include process information in the message logs or to prevent the controller from displaying this information by entering this command:

config logging procinfo {enable | disable}

The default value is disabled.

Step 11

Configure the controller to include traceback information in the message logs or to prevent the controller from displaying this information by entering this command:

config logging traceinfo {enable | disable}

The default value is disabled.

Step 12

Enable or disable timestamps in log messages and debug messages by entering these commands:

config service timestamps log {datetime | disable}

config service timestamps debug {datetime | disable} where

datetime = Messages are timestamped with the standard date and time. This is the default value.

disable = Messages are not timestamped.

Step 13

Save your changes by entering this command:

save config
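As an added example (not code from the Cisco guide), the Python script below models the severity filter described in the steps above and the facility codes listed for the config logging syslog facility command, so an operator running a collector can predict the syslog PRI value the controller emits and flag any received message that contradicts the configured level or facility. The sample lines it checks are constructed, not real controller output.

```python
"""Model of the controller's syslog level filter and facility codes.

Added example, not code from the Cisco guide. It encodes the rule
"only messages whose severity is equal to or less than the configured
level are sent" and the facility codes listed for the
`config logging syslog facility` command, so a collector operator can
predict the syslog PRI value the controller emits and flag anything
that should have been filtered.
"""
import re

# Severity keywords accepted by `config logging syslog level`; the list
# index is the numeric level (0 = emergencies ... 7 = debugging).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Facility keywords and codes accepted by `config logging syslog facility`.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "authorization": 4,
    "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
    "auth-private": 10, "ftp": 11, "sys12": 12, "sys13": 13,
    "sys14": 14, "sys15": 15, "local0": 16, "local1": 17, "local2": 18,
    "local3": 19, "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def severity_code(level):
    """Accept a severity keyword or a number 0-7, as the CLI does."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError("severity_level must be 0-7, got %r" % level)
    return SEVERITIES.index(level)


def is_forwarded(message_severity, configured_level):
    """Controller rule: a message is sent only if its severity is
    numerically equal to or less than the configured level."""
    return severity_code(message_severity) <= severity_code(configured_level)


def pri_value(facility, severity):
    """Syslog PRI field (RFC 3164/5424): facility * 8 + severity."""
    return FACILITIES[facility] * 8 + severity_code(severity)


def decode_pri(line):
    """Split a received syslog line into (facility_name, severity_name, body)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES[facility], SEVERITIES[severity], m.group(2)


def unexpected_messages(lines, configured_level, expected_facility="syslog"):
    """Return received messages that contradict the controller settings:
    a severity above the configured level, or a facility other than the
    configured one (the controller default facility is syslog)."""
    findings = []
    for line in lines:
        facility, severity, body = decode_pri(line)
        if not is_forwarded(severity, configured_level):
            findings.append(("severity above level", severity, body))
        elif facility != expected_facility:
            findings.append(("unexpected facility", facility, body))
    return findings


# Constructed sample lines (not real controller output) for a controller
# set to `config logging syslog level warnings` with the default facility.
SAMPLE_LINES = [
    "<43>wlc1: RADIUS server 192.0.2.10 not responding",   # syslog/errors
    "<44>wlc1: rogue AP count above threshold",            # syslog/warnings
    "<46>wlc1: client associated",                         # syslog/informational
    "<188>wlc1: test message from another source",         # local7/warnings
]

if __name__ == "__main__":
    for finding in unexpected_messages(SAMPLE_LINES, "warnings"):
        print(finding)
```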

Viewing System and Message Logs (CLI)

To see the logging parameters and buffer contents, enter this command:

show logging

Viewing Access Point Event Logs

Information About Access Point Event Logs

Access points log all system messages (with a severity level greater than or equal to notifications) to the access point event log. The event log can contain up to 1024 lines of messages, with up to 128 characters per line.

When the event log becomes filled, the oldest message is removed to accommodate a new event message.

The event log is saved in a file on the access point flash, which ensures that it is saved through a reboot cycle.

To minimize the number of writes to the access point flash, the contents of the event log are written to the event log file during normal reload and crash scenarios only.

Viewing Access Point Event Logs (CLI)

Use these CLI commands to view or clear the access point event log from the controller:


• To see the contents of the event log file for an access point that is joined to the controller, enter this command:

show ap eventlog Cisco_AP

Information similar to the following appears:

AP event log download has been initiated

Waiting for download to complete

AP event log download completed.

======================= AP Event log Contents =====================

*Sep 22 11:44:00.573: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE

*Sep 22 11:44:01.514: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down

*Sep 22 11:44:01.519: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down

*Sep 22 11:44:53.539: *** Access point reloading. Reason: NEW IMAGE DOWNLOAD ***

*Mar 1 00:00:39.078: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

*Mar 1 00:00:42.142: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source

*Mar 1 00:00:42.151: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up

*Mar 1 00:00:42.158: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up

*Mar 1 00:00:43.143: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up

*Mar 1 00:00:43.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up

*Mar 1 00:00:48.078: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER

*Mar 1 00:01:42.144: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source

*Mar 1 00:01:48.121: %CAPWAP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager IP addresses remain

*Mar 1 00:01:48.122: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN

*Mar 1 00:01:48.122: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down

*Mar 1 00:01:48.122: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down

• To delete the existing event log and create an empty event log file for a specific access point or for all access points joined to the controller, enter this command:

clear ap-eventlog {specific Cisco_AP | all}
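The following Python parser is an added example (not code from the Cisco guide) for the show ap eventlog output shown above: it recognises the %FACILITY-SEVERITY-MNEMONIC form of each entry and the reload marker, then summarises the log by severity, reload reason and CAPWAP errors so an operator can see why an access point did not join. The embedded sample is the guide's own sample output.

```python
"""Parser for the AP event log shown by `show ap eventlog Cisco_AP`.

Added example, not code from the Cisco guide. It recognises the
"%FACILITY-SEVERITY-MNEMONIC: text" form of the log lines and the
"*** Access point reloading. Reason: ... ***" marker, then summarises the
log by severity, reload reason and CAPWAP errors so an operator can see
why an access point failed to join without reading every line.
"""
import re
from collections import Counter

# "*Mar  1 00:00:48.078: " prefix; the day of month may be space-padded.
_TS = r"^\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
MSG_RE = re.compile(_TS + r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-"
                    r"(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")
MARK_RE = re.compile(_TS + r"\*\*\* (?P<marker>.*?) \*\*\*$")


def parse_line(line):
    """Return a dict for a log entry, or None for download/banner lines."""
    m = MSG_RE.match(line)
    if m:
        return {"ts": m.group("ts"), "facility": m.group("fac"),
                "severity": int(m.group("sev")), "mnemonic": m.group("mnem"),
                "text": m.group("text")}
    m = MARK_RE.match(line)
    if m:
        return {"ts": m.group("ts"), "facility": None, "severity": None,
                "mnemonic": "MARKER", "text": m.group("marker")}
    return None


def summarize(log_text):
    """Aggregate the parsed log: counts by severity, reload reasons,
    CAPWAP error texts, and how many non-blank lines were not entries."""
    by_severity = Counter()
    reloads, capwap_errors = [], []
    messages = unparsed = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
        elif entry["mnemonic"] == "MARKER":
            reason = re.search(r"Reason: (.*)", entry["text"])
            reloads.append(reason.group(1) if reason else entry["text"])
        else:
            messages += 1
            by_severity[entry["severity"]] += 1
            if entry["facility"] == "CAPWAP" and entry["mnemonic"].endswith("ERRORLOG"):
                capwap_errors.append(entry["text"])
    return {"messages": messages, "by_severity": dict(by_severity),
            "reloads": reloads, "capwap_errors": capwap_errors,
            "unparsed": unparsed}


# Sample output as printed in the guide for `show ap eventlog`.
SAMPLE_LOG = """\
AP event log download has been initiated
Waiting for download to complete
AP event log download completed.
======================= AP Event log Contents =====================
*Sep 22 11:44:00.573: %CAPWAP-5-CHANGED: CAPWAP changed state to IMAGE
*Sep 22 11:44:01.514: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Sep 22 11:44:01.519: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Sep 22 11:44:53.539: *** Access point reloading. Reason: NEW IMAGE DOWNLOAD ***
*Mar  1 00:00:39.078: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar  1 00:00:42.142: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar  1 00:00:42.151: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar  1 00:00:42.158: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar  1 00:00:43.143: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar  1 00:00:43.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar  1 00:00:48.078: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
*Mar  1 00:01:42.144: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar  1 00:01:48.121: %CAPWAP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager IP addresses remain
*Mar  1 00:01:48.122: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Mar  1 00:01:48.122: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Mar  1 00:01:48.122: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```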

Uploading Logs and Crash Files

Prerequisites to Upload Logs and Crash Files

• Follow the instructions in this section to upload logs and crash files from the controller. However, before you begin, ensure you have a TFTP or FTP server available for the file upload. Follow these guidelines when setting up a TFTP or FTP server:

◦ If you are uploading through the service port, the TFTP or FTP server must be on the same subnet as the service port because the service port is not routable, or you must create static routes on the controller.

◦ If you are uploading through the distribution system network port, the TFTP or FTP server can be on the same or a different subnet because the distribution system port is routable.

◦ A third-party TFTP or FTP server cannot run on the same computer as Cisco Prime Infrastructure because the Prime Infrastructure built-in TFTP or FTP server and the third-party TFTP or FTP server require the same communication port.


Uploading Logs and Crash Files (GUI)

Step 1

Choose Command > Upload File. The Upload File from Controller page appears.

Step 2

From the File Type drop-down list, choose one of the following:

Event Log

Message Log

Trap Log

Crash File

Step 3

From the Transfer Mode drop-down list, choose from the following options:

TFTP

FTP

SFTP (available in the 7.4 and later releases)

Step 4

In the IP Address text box, enter the IP address of the server.

Step 5

In the File Path text box, enter the directory path of the log or crash file.

Step 6

In the File Name text box, enter the name of the log or crash file.

Step 7

If you chose FTP as the Transfer Mode, follow these steps:

a) In the Server Login Username text box, enter the FTP server login name.

b) In the Server Login Password text box, enter the FTP server login password.

c) In the Server Port Number text box, enter the port number of the FTP server. The default value for the server port is 21.

Step 8

Click Upload to upload the log or crash file from the controller. A message appears indicating the status of the upload.

Uploading Logs and Crash Files (CLI)

Step 1

To transfer the file from the controller to a server, enter this command:

transfer upload mode {tftp | ftp | sftp}

Step 2

To specify the type of file to be uploaded, enter this command:

transfer upload datatype datatype where datatype is one of the following options:

crashfile—Uploads the system’s crash file.

errorlog—Uploads the system’s error log.

panic-crash-file—Uploads the kernel panic information if a kernel panic occurs.

systemtrace—Uploads the system’s trace file.

traplog—Uploads the system’s trap log.

watchdog-crash-file—Uploads the console dump resulting from a software-watchdog-initiated reboot of the controller following a crash. The software watchdog module periodically checks the integrity of the internal software and makes sure that the system does not stay in an inconsistent or nonoperational state for a long period of time.

Step 3

To specify the path to the file, enter these commands:

transfer upload serverip server_ip_address

transfer upload path server_path_to_file

transfer upload filename filename

Step 4

If you are using an FTP server, also enter these commands:

transfer upload username username

transfer upload password password

transfer upload port port

Note

The default value for the port parameter is 21.

Step 5

To see the updated settings, enter this command:

transfer upload start

Step 6

When prompted to confirm the current settings and start the software upload, answer y.

Uploading Core Dumps from the Controller

Information About Uploading Core Dumps from the Controller

To help troubleshoot controller crashes, you can configure the controller to automatically upload its core dump file to an FTP server after experiencing a crash. However, you cannot automatically send crash files to an FTP server.


Configuring the Controller to Automatically Upload Core Dumps to an FTP Server (GUI)

Step 1

Choose Management > Tech Support > Core Dump to open the Core Dump page.

Figure 25: Core Dump Page

Step 2

To enable the controller to generate a core dump file following a crash, select the Core Dump Transfer check box.

Step 3

To specify the type of server to which the core dump file is uploaded, choose FTP from the Transfer Mode drop-down list.

Step 4

In the IP Address text box, enter the IP address of the FTP server.

Note

The controller must be able to reach the FTP server.

Step 5

In the File Name text box, enter the name that the controller uses to label the core dump file.

Step 6

In the User Name text box, enter the username for FTP login.

Step 7

In the Password text box, enter the password for FTP login.

Step 8

Click Apply to commit your changes.

Step 9

Click Save Configuration to save your changes.

Configuring the Controller to Automatically Upload Core Dumps to an FTP Server (CLI)

Step 1

Step 2

To enable or disable the controller to generate a core dump file following a crash, enter this command:

config coredump {enable | disable}

To specify the FTP server to which the core dump file is uploaded, enter this command:

config coredump ftp server_ip_address filename where

server_ip_address is the IP address of the FTP server to which the controller sends its core dump file.

Note

The controller must be able to reach the FTP server.

filename is the name that the controller uses to label the core dump file.

Step 3

To specify the username and password for FTP login, enter this command:

config coredump username ftp_username password ftp_password

Step 4

To save your changes, enter this command:

save config

Step 5

To see a summary of the controller’s core dump file, enter this command:

show coredump summary

Example:

Information similar to the following appears:

Core Dump is enabled

FTP Server IP.................................... 10.10.10.17

FTP Filename..................................... file1

FTP Username..................................... ftpuser

FTP Password.................................. *********

Uploading Core Dumps from Controller to a Server (CLI)

Step 1

Step 2

To see information about the core dump file in flash memory, enter this command:

show coredump summary

Information similar to the following appears:

Core Dump is disabled

Core Dump file is saved on flash

Sw Version.................................... 6.0.83.0

Time Stamp.................................... Wed Feb 4 13:23:11 2009

File Size..................................... 9081788

File Name Suffix........................... filename.gz

To transfer the file from the controller to a server, enter these commands:

transfer upload mode {tftp | ftp | sftp}

transfer upload datatype coredump

transfer upload serverip server_ip_address

transfer upload path server_path_to_file

transfer upload filename filename

Note

After the file is uploaded, it ends with a .gz suffix. If desired, you can upload the same core dump file multiple times with different names to different servers.

Step 3

If you are using an FTP server, also enter these commands:

transfer upload username username

transfer upload password password

transfer upload port port

Note

The default value for the port parameter is 21.

Step 4

To view the updated settings, enter this command:

transfer upload start

Step 5

When prompted to confirm the current settings and start the software upload, answer y.

Uploading Packet Capture Files

Information About Uploading Packet Capture Files

When a Cisco 5500 Series Controller’s data plane crashes, it stores the last 50 packets that the controller received in flash memory. This information can be useful in troubleshooting the crash.

When a crash occurs, the controller generates a new packet capture (*.pcap) file, and a message similar to the following appears in the controller crash file:

Last 5 packets processed at each core are stored in "last_received_pkts.pcap" captured file.

- Frame 36,38,43,47,49, processed at core #0.

- Frame 14,27,30,42,45, processed at core #1.

- Frame 15,18,20,32,48, processed at core #2.

- Frame 11,29,34,37,46, processed at core #3.

- Frame 7,8,12,31,35, processed at core #4.

- Frame 21,25,39,41,50, processed at core #5.

- Frame 16,17,19,22,33, processed at core #6.

- Frame 6,10,13,23,26, processed at core #7.

- Frame 9,24,28,40,44, processed at core #8.

- Frame 1,2,3,4,5, processed at core #9.

You can use the controller GUI or CLI to upload the packet capture file from the controller. You can then use Wireshark or another standard packet capture tool to view and analyze the contents of the file.


This figure shows a sample output of the packet capture in Wireshark.

Figure 26: Sample Output of Packet Capture File in Wireshark


Restrictions for Uploading Packet Capture Files

• Only Cisco 5500 Series Controllers generate packet capture files. This feature is not available on other controller platforms.

• Ensure that you have a TFTP or FTP server available for the file upload. Follow these guidelines when setting up a TFTP or FTP server:

◦ If you are uploading through the service port, the TFTP or FTP server must be on the same subnet as the service port because the service port is not routable, or you must create static routes on the controller.

◦ If you are uploading through the distribution system network port, the TFTP or FTP server can be on the same or a different subnet because the distribution system port is routable.

◦ A third-party TFTP or FTP server cannot run on the same computer as Cisco Prime Infrastructure because the Prime Infrastructure built-in TFTP or FTP server and the third-party TFTP or FTP server require the same communication port.


Uploading Packet Capture Files (GUI)

Step 1

Choose Commands > Upload File to open the Upload File from Controller page.

Step 2

From the File Type drop-down list, choose Packet Capture.

Step 3

From the Transfer Mode drop-down list, choose from the following options:

TFTP

FTP

SFTP (available in the 7.4 and later releases)

Step 4

In the IP Address text box, enter the IP address of the server.

Step 5

In the File Path text box, enter the directory path of the packet capture file.

Step 6

In the File Name text box, enter the name of the packet capture file. These files have a .pcap extension.

Step 7

If you are using an FTP server, follow these steps:

a) In the Server Login Username text box, enter the username to log into the FTP server.

b) In the Server Login Password text box, enter the password to log into the FTP server.

c) In the Server Port Number text box, enter the port number on the FTP server through which the upload occurs. The default value is 21.

Step 8

Click Upload to upload the packet capture file from the controller. A message appears indicating the status of the upload.

Step 9

Use Wireshark or another standard packet capture tool to open the packet capture file and see the last 50 packets that were received by the controller.

Uploading Packet Capture Files (CLI)

Step 1

Log on to the controller CLI.

Step 2

Enter the transfer upload mode {tftp | ftp | sftp} command.

Step 3

Enter the transfer upload datatype packet-capture command.

Step 4

Enter the transfer upload serverip server-ip-address command.

Step 5

Enter the transfer upload path server-path-to-file command.

Step 6

Enter the transfer upload filename last_received_pkts.pcap command.

Step 7

If you are using an FTP server, enter these commands:

transfer upload username username

transfer upload password password

transfer upload port port

Note

The default value for the port parameter is 21.

Step 8

Enter the transfer upload start command to see the updated settings and then answer y when prompted to confirm the current settings and start the upload process.

Step 9

Use Wireshark or another standard packet capture tool to open the packet capture file and see the last 50 packets that were received by the controller.

Monitoring Memory Leaks

This section provides instructions for troubleshooting hard-to-solve or hard-to-reproduce memory problems.

Caution

The commands in this section can be disruptive to your system and should be run only when you are advised to do so by the Cisco Technical Assistance Center (TAC).

Monitoring Memory Leaks (CLI)

Step 1

Step 2

Step 3

To enable or disable monitoring for memory errors and leaks, enter this command:

config memory monitor errors {enable | disable}

The default value is disabled.

Note

Your changes are not saved across reboots. After the controller reboots, it uses the default setting for this feature.

Step 2 If you suspect that a memory leak has occurred, enter this command to configure the controller to perform an auto-leak analysis between two memory thresholds (in kilobytes):

config memory monitor leaks low_thresh high_thresh

If the free memory is lower than the low_thresh threshold, the system crashes, generating a crash file. The default value for this parameter is 10000 kilobytes, and you cannot set it below this value.

Set the high_thresh threshold to the current free memory level or higher so that the system enters auto-leak-analysis mode. After the free memory reaches a level lower than the specified high_thresh threshold, the process of tracking and freeing memory allocation begins. As a result, the debug memory events enable command shows all allocations and frees, and the show memory monitor detail command starts to detect any suspected memory leaks. The default value for this parameter is 30000 kilobytes.

Step 3 To see a summary of any discovered memory issues, enter this command:

show memory monitor

Information similar to the following appears:

Memory Leak Monitor Status: low_threshold(10000), high_threshold(30000), current status(disabled)

-------------------------------------------

Memory Error Monitor Status:


Crash-on-error flag currently set to (disabled)

No memory error detected.

Step 4 To see the details of any memory leaks or corruption, enter this command:

show memory monitor detail

Information similar to the following appears:

Memory error detected. Details:

------------------------------------------------

Corruption detected at pmalloc entry address: (0x179a7ec0)

Corrupt entry:headerMagic(0xdeadf00d),trailer(0xabcd),poison(0xreadceef), entrysize(128),bytes(100),thread(Unknown task name, task id = (332096592)), file(pmalloc.c),line(1736),time(1027)

Previous 1K memory dump from error location.

------------------------------------------------

(179a7ac0): 00000000 00000000 00000000 ceeff00d readf00d 00000080 00000000 00000000

(179a7ae0): 17958b20 00000000 1175608c 00000078 00000000 readceef 179a7afc 00000001

(179a7b00): 00000003 00000006 00000001 00000004 00000001 00000009 00000009 0000020d

(179a7b20): 00000001 00000002 00000002 00000001 00000004 00000000 00000000 5d7b9aba

(179a7b40): cbddf004 192f465e 7791acc8 e5032242 5365788c a1b7cee6 00000000 00000000

(179a7b60): 00000000 00000000 00000000 00000000 00000000 ceeff00d readf00d 00000080

(179a7b80): 00000000 00000000 17958dc0 00000000 1175608c 00000078 00000000 readceef

(179a7ba0): 179a7ba4 00000001 00000003 00000006 00000001 00000004 00000001 00003763

(179a7bc0): 00000002 00000002 00000010 00000001 00000002 00000000 0000001e 00000013

(179a7be0): 0000001a 00000089 00000000 00000000 000000d8 00000000 00000000 17222194

(179a7c00): 1722246c 1722246c 00000000 00000000 00000000 00000000 00000000 ceeff00d

(179a7c20): readf00d 00000080 00000000 00000000 179a7b78 00000000 1175608c 00000078

Step 5 If a memory leak occurs, enter this command to enable debugging of errors or events during memory allocation:

debug memory {errors | events} {enable | disable}

Troubleshooting CCXv5 Client Devices

Information About Troubleshooting CCXv5 Client Devices

The controller supports three features designed to help troubleshoot communication problems with CCXv5 clients: diagnostic channel, client reporting, and roaming and real-time diagnostics.

Restrictions for CCXv5 Client Devices

Diagnostic channel, client reporting, and roaming and real-time diagnostics features are supported only on CCXv5 clients. They are not supported for use with non-CCX clients or with clients running an earlier version of CCX.


Configuring Diagnostic Channel

You can choose a diagnostic channel to troubleshoot why the client is having communication problems with a WLAN. You can test the client and access points to identify the difficulties that the client is experiencing and allow corrective measures to be taken to make the client operational on the network. You can use the controller GUI or CLI to enable the diagnostic channel, and you can use the controller CLI to run the diagnostic tests.

Note

We recommend that you enable the diagnostic channel feature only for nonanchored SSIDs that use the management interface. The CCX diagnostic feature has been tested only with clients that have a Cisco ADU card.

Configuring the Diagnostic Channel (GUI)

Step 1 Choose WLANs to open the WLANs page.

Step 2 Create a new WLAN or click the ID number of an existing WLAN.

Note

We recommend that you create a new WLAN on which to run the diagnostic tests.

Step 3 When the WLANs > Edit page appears, choose the Advanced tab to open the WLANs > Edit (Advanced) page.

Figure 27: WLANs > Edit (Advanced) Page

Step 4 If you want to enable diagnostic channel troubleshooting on this WLAN, select the Diagnostic Channel check box. Otherwise, leave this check box unselected, which is the default value.

Note

You can use the CLI to initiate diagnostic tests on the client.

Step 5 Click Apply to commit your changes.

Step 6 Click Save Configuration to save your changes.


Configuring the Diagnostic Channel (CLI)

Step 1 To enable diagnostic channel troubleshooting on a particular WLAN, enter this command:

config wlan diag-channel {enable | disable} wlan_id

Step 2 To verify that your change has been made, enter this command:

show wlan wlan_id

Information similar to the following appears:

WLAN Identifier.................................. 1

Profile Name..................................... employee1

Network Name (SSID).............................. employee

Status........................................... Disabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Number of Active Clients......................... 0

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. Infinity

Interface........................................ virtual

WLAN ACL......................................... unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Quality of Service............................... Silver (best effort)

WMM.............................................. Disabled

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Enabled

...

Step 3 To send a request to the client to perform the DHCP test, enter this command:

config client ccx dhcp-test client_mac_address

Note

This test does not require the client to use the diagnostic channel.

Step 4 To send a request to the client to perform the default gateway ping test, enter this command:

config client ccx default-gw-ping client_mac_address

Note

This test does not require the client to use the diagnostic channel.

Step 5 To send a request to the client to perform the DNS server IP address ping test, enter this command:

config client ccx dns-ping client_mac_address

Note

This test does not require the client to use the diagnostic channel.

Step 6 To send a request to the client to perform the DNS name resolution test to the specified host name, enter this command:

config client ccx dns-resolve client_mac_address host_name

Note

This test does not require the client to use the diagnostic channel.

Step 7 To send a request to the client to perform the association test, enter this command:

config client ccx test-association client_mac_address ssid bssid {802.11a | 802.11b | 802.11g} channel

Step 8 To send a request to the client to perform the 802.1X test, enter this command:

config client ccx test-dot1x client_mac_address profile_id bssid {802.11a | 802.11b | 802.11g} channel

Step 9 To send a request to the client to perform the profile redirect test, enter this command:

config client ccx test-profile client_mac_address profile_id

The profile_id should be from one of the client profiles for which client reporting is enabled.

Note

Users are redirected back to the parent WLAN, not to any other profile. The only profile shown is the user’s parent profile. Note however that parent WLAN profiles can have one child diagnostic WLAN.

Step 10 Use these commands if necessary to abort or clear a test:

• To send a request to the client to abort the current test, enter this command:

config client ccx test-abort client_mac_address

Only one test can be pending at a time, so this command aborts the current pending test.

• To clear the test results on the controller, enter this command:

config client ccx clear-results client_mac_address

Step 11 To send a message to the client, enter this command:

config client ccx send-message client_mac_address message_id

where message_id is one of the following:

• 1 = The SSID is invalid.

• 2 = The network settings are invalid.

• 3 = There is a WLAN credibility mismatch.

• 4 = The user credentials are incorrect.

• 5 = Please call support.

• 6 = The problem is resolved.

• 7 = The problem has not been resolved.

• 8 = Please try again later.

• 9 = Please correct the indicated problem.

• 10 = Troubleshooting is refused by the network.

• 11 = Retrieving client reports.

• 12 = Retrieving client logs.

• 13 = Retrieval complete.

• 14 = Beginning association test.

• 15 = Beginning DHCP test.

• 16 = Beginning network connectivity test.

• 17 = Beginning DNS ping test.


• 18 = Beginning name resolution test.

• 19 = Beginning 802.1X authentication test.

• 20 = Redirecting client to a specific profile.

• 21 = Test complete.

• 22 = Test passed.

• 23 = Test failed.

• 24 = Cancel diagnostic channel operation or select a WLAN profile to resume normal operation.

• 25 = Log retrieval refused by the client.

• 26 = Client report retrieval refused by the client.

• 27 = Test request refused by the client.

• 28 = Invalid network (IP) setting.

• 29 = There is a known outage or problem with the network.

• 30 = Scheduled maintenance period.

• 31 = The WLAN security method is not correct.

• 32 = The WLAN encryption method is not correct.

• 33 = The WLAN authentication method is not correct.

Step 12 To see the status of the last test, enter this command:

show client ccx last-test-status client_mac_address

Information similar to the following appears for the default gateway ping test:

Test Type........................................ Gateway Ping Test

Test Status...................................... Pending/Success/Timeout

Dialog Token..................................... 15

Timeout.......................................... 15000 ms

Request Time..................................... 1329 seconds since system boot

Step 13 To see the status of the last test response, enter this command:

show client ccx last-response-status client_mac_address

Information similar to the following appears for the 802.1X authentication test:

Test Status...................................... Success

Response Dialog Token............................ 87

Response Status.................................. Successful

Response Test Type............................... 802.1x Authentication Test

Response Time.................................... 3476 seconds since system boot

Step 14 To see the results from the last successful diagnostics test, enter this command:

show client ccx results client_mac_address

Information similar to the following appears for the 802.1X authentication test:

dot1x Complete................................... Success

EAP Method....................................... *1,Host OS Login Credentials


dot1x Status.................................. 255

Step 15 To see the relevant data frames captured by the client during the previous test, enter this command:

show client ccx frame-data client_mac_address

Information similar to the following appears:

LOG Frames:

Frame Number:.................................... 1

Last Frame Number:............................... 1120

Direction:....................................... 1

Timestamp:....................................... 0d 00h 50m 39s 863954us

Frame Length:.................................... 197

Frame Data:

00000000: 80 00 00 00 ff ff ff ff ff ff 00 12 44 bd bd b0 ............D...

00000010: 00 12 44 bd bd b0 f0 af 43 70 00 f2 82 01 00 00 ..D.....Cp......

00000020: 64 00 11 08 00 01 00 01 08 8c 12 98 24 b0 48 60 d...........$.H`

00000030: 6c 05 04 01 02 00 00 85 1e 00 00 89 00 0f 00 ff l...............

00000040: 03 19 00 41 50 32 33 2d 31 30 00 00 00 00 00 00 ...AP23-10......

00000050: 00 00 00 00 00 00 26 96 06 00 40 96 00 ff ff dd ......&...@.....

00000060: 18 00 50 f2 01 01 00 00 50 f2 05 01 00 00 50 f2 ..P.....P.....P.

00000070: 05 01 00 00 40 96 00 28 00 dd 06 00 40 96 01 01 ....@..(....@...

00000080: 00 dd 05 00 40 96 03 04 dd 16 00 40 96 04 00 02 ....@......@....

00000090: 07 a4 00 00 23 a4 00 00 42 43 00 00 62 32 00 00 ....#...BC..b2..

000000a0: dd 05 00 40 96 0b 01 dd 18 00 50 f2 02 01 01 82 ...@......P.....

000000b0: 00 03 a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f .....'...BC^.b2/

LOG Frames:

Frame Number:.................................... 2

Last Frame Number:............................... 1120

Direction:....................................... 1

Timestamp:....................................... 0d 00h 50m 39s 878289us

Frame Length:.................................... 147

Frame Data:

00000000: 80 00 00 00 ff ff ff ff ff ff 00 0d ed c3 a0 22 ..............."

00000010: 00 0d ed c3 a0 22 00 bd 4d 50 a5 f7 78 08 00 00 ....."..MP..x...

00000020: 64 00 01 00 00 01 00 01 08 8c 12 98 24 b0 48 60 d...........$.H`

00000030: 6c 05 04 01 02 00 00 85 1e 00 00 84 00 0f 00 ff l...............

00000040: 03 19 00 72 6f 67 75 65 2d 74 65 73 74 31 00 00 ...rogue-test1..

00000050: 00 00 00 00 00 00 23 96 06 00 40 96 00 10 00 dd ......#...@.....

00000060: 06 00 40 96 01 01 00 dd 05 00 40 96 03 04 dd 05 ..@.......@.....

00000070: 00 40 96 0b 01 dd 18 00 50 f2 02 01 01 81 00 03 .@......P.......

00000080: a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f 00 d2 ...'...BC^.b2/..

00000090: b4 ab 84 ...

LOG Frames:

Frame Number:.................................... 3

Last Frame Number:............................... 1120

Direction:....................................... 1

Timestamp:....................................... 0d 00h 50m 39s 881513us

Frame Length:.................................... 189

Frame Data:

00000000: 80 00 00 00 ff ff ff ff ff ff 00 12 44 bd 80 30 ............D..0

00000010: 00 12 44 bd 80 30 60 f7 46 c0 8b 4b d1 05 00 00 ..D..0`.F..K....

00000020: 64 00 11 08 00 01 00 01 08 8c 12 98 24 b0 48 60 d...........$.H`

00000030: 6c 05 04 00 02 00 00 85 1e 00 00 89 00 0f 00 ff l...............

00000040: 03 19 00 41 50 34 30 2d 31 37 00 00 00 00 00 00 ...AP40-17......

00000050: 00 00 00 00 00 00 26 dd 18 00 50 f2 01 01 00 00 ......&...P.....

00000060: 50 f2 05 01 00 00 50 f2 05 01 00 00 40 96 00 28 P.....P.....@..(

00000070: 00 dd 06 00 40 96 01 01 00 dd 05 00 40 96 03 04 ....@.......@...

00000080: dd 16 00 40 96 04 00 05 07 a4 00 00 23 a4 00 00 ...@........#...

00000090: 42 43 00 00 62 32 00 00 dd 05 00 40 96 0b 01 dd BC..b2.....@....

000000a0: 18 00 50 f2 02 01 01 85 00 03 a4 00 00 27 a4 00 ..P..........'..

000000b0: 00 42 43 5e 00 62 32 2f 00 0b 9a 1d 6f .BC^.b2/....o
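The frame data above is a raw 802.11 beacon printed 16 bytes per line with an ASCII column and, for complete frames, the 4-byte FCS counted in Frame Length. As an added example (not from the guide or the controller software), the following Python reassembles one frame-data block, walks its information elements and reports what the beacon actually advertises: whether the SSID is broadcast, the Aironet AP name, and the WPA or RSN cipher and AKM suites, named the way the 00-0f-ac-xx selectors appear in the rsna log response later in this chapter. FRAME_1 is the first frame above copied verbatim; the element offsets and the FCS handling are assumptions inferred from the three frames shown.

```python
import re
import struct

# Constructed input: frame 1 of the show client ccx frame-data output above, pasted verbatim.
# Frame Length says 197 but only 192 bytes were printed, so the last element is cut off.
FRAME_1 = """\
Frame Length:.................................... 197
Frame Data:
00000000: 80 00 00 00 ff ff ff ff ff ff 00 12 44 bd bd b0 ............D...
00000010: 00 12 44 bd bd b0 f0 af 43 70 00 f2 82 01 00 00 ..D.....Cp......
00000020: 64 00 11 08 00 01 00 01 08 8c 12 98 24 b0 48 60 d...........$.H`
00000030: 6c 05 04 01 02 00 00 85 1e 00 00 89 00 0f 00 ff l...............
00000040: 03 19 00 41 50 32 33 2d 31 30 00 00 00 00 00 00 ...AP23-10......
00000050: 00 00 00 00 00 00 26 96 06 00 40 96 00 ff ff dd ......&...@.....
00000060: 18 00 50 f2 01 01 00 00 50 f2 05 01 00 00 50 f2 ..P.....P.....P.
00000070: 05 01 00 00 40 96 00 28 00 dd 06 00 40 96 01 01 ....@..(....@...
00000080: 00 dd 05 00 40 96 03 04 dd 16 00 40 96 04 00 02 ....@......@....
00000090: 07 a4 00 00 23 a4 00 00 42 43 00 00 62 32 00 00 ....#...BC..b2..
000000a0: dd 05 00 40 96 0b 01 dd 18 00 50 f2 02 01 01 82 ...@......P.....
000000b0: 00 03 a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f .....'...BC^.b2/
"""

CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}  # types shared by the WPA and RSN OUIs
AKM = {1: "802.1X", 2: "PSK"}
CISCO_OUI, WPA_OUI, RSN_OUI = b"\x00\x40\x96", b"\x00\x50\xf2", b"\x00\x0f\xac"

def parse_dump(text):
    """Reassemble the printed bytes; complete means the declared Frame Length was reached."""
    declared, data = None, bytearray()
    for line in text.splitlines():
        m = re.match(r"Frame Length:\.*\s*(\d+)", line.strip())
        if m:
            declared = int(m.group(1))
        elif re.match(r"[0-9a-f]{8}:", line.strip()):
            for tok in line.split()[1:17]:  # at most 16 byte columns; the ASCII column is skipped
                if not re.fullmatch(r"[0-9a-f]{2}", tok):
                    break
                data.append(int(tok, 16))
    return bytes(data), declared is not None and len(data) >= declared

def suite_name(sel, table):
    """Name a 4-byte suite selector, e.g. 00-0f-ac-04 -> CCMP as printed in the rsna log response."""
    if sel[:3] == CISCO_OUI and sel[3] == 0 and table is AKM:
        return "CCKM"
    if sel[:3] in (WPA_OUI, RSN_OUI) and sel[3] in table:
        return table[sel[3]]
    return sel.hex("-")

def parse_security(body, kind):
    """Decode the body shared by WPA and RSN IEs: version, group cipher, pairwise list, AKM list."""
    sec = {"kind": kind, "version": struct.unpack_from("<H", body)[0],
           "group": suite_name(body[2:6], CIPHER)}
    pos = 6
    for key, table in (("pairwise", CIPHER), ("akm", AKM)):
        count = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        sec[key] = [suite_name(body[pos + 4 * i:pos + 4 * i + 4], table) for i in range(count)]
        pos += 4 * count
    return sec

def parse_beacon(frame):
    """Decode the management header, the beacon fixed fields and the information elements."""
    fc, _ts, interval, cap = struct.unpack_from("<H22xQHH", frame)
    if fc & 0x0c or (fc >> 4) & 0x0f != 8:
        raise ValueError(f"not a beacon: frame control 0x{fc:04x}")
    info = {"bssid": frame[16:22].hex(":"), "interval_tu": interval, "privacy": bool(cap & 0x10),
            "ssid": None, "ap_name": None, "security": None, "truncated_ie": None}
    pos = 36
    while pos + 2 <= len(frame):
        eid, ln = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + ln]
        if len(body) < ln:  # the dump ended inside this element
            info["truncated_ie"] = eid
            break
        pos += 2 + ln
        if eid == 0:  # a single NUL byte means the SSID is not broadcast
            info["ssid"] = body.rstrip(b"\x00").decode("utf-8", "replace") or None
        elif eid == 48:  # RSN IE (WPA2/WPA3), same body layout as the WPA vendor IE
            info["security"] = parse_security(body, "RSN")
        elif eid == 133 and len(body) >= 26:  # Aironet IE: AP name at offset 10, NUL-padded to 16
            info["ap_name"] = body[10:26].split(b"\x00")[0].decode("ascii", "replace")
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
            info["security"] = parse_security(body[4:], "WPA")
    return info

def decode(text):
    """Parse one frame-data block and attach a one-line verdict on what the beacon advertises."""
    data, complete = parse_dump(text)
    # The controller prints the 4-byte FCS after the last IE (frames 2 and 3 above end exactly
    # 4 bytes past it), so strip it from complete frames; a truncated dump has no FCS to strip.
    info = parse_beacon(data[:-4] if complete else data)
    info["complete"] = complete
    sec = info["security"]
    if sec is None:
        info["verdict"] = "WEP (privacy bit set, no WPA/RSN IE)" if info["privacy"] else "open"
    else:
        info["verdict"] = (f"{sec['kind']} group={sec['group']} pairwise={','.join(sec['pairwise'])}"
                           f" akm={','.join(sec['akm'])}")
    return info
```

decode(FRAME_1) reports the WPA element as group and pairwise WEP-104 with the Cisco CCKM AKM, and truncated_ie == 221 because the dump stops five bytes short of the declared length inside the last vendor element.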

Configuring Client Reporting

The client reporting protocol is used by the client and the access point to exchange client information. Client reports are collected automatically when the client associates. You can use the controller GUI or CLI to send a client report request to any CCXv5 client any time after the client associates. There are four types of client reports:

• Client profile—Provides information about the configuration of the client.

• Operating parameters—Provides the details of the client’s current operational modes.

• Manufacturer’s information—Provides data about the wireless LAN client adapter in use.

• Client capabilities—Provides information about the client’s capabilities.

Configuring Client Reporting (GUI)

Step 1 Choose Monitor > Clients to open the Clients page.

Step 2 Click the MAC address of the desired client. The Clients > Detail page appears.

Step 3 To send a report request to the client, click Send CCXV5 Req.

Note

You must create a Trusted Profile using ACAU for Cisco CB21AG or equivalent software from your CCXv5 vendor.

Step 4 To view the parameters from the client, click Display. The Client Reporting page appears.

Step 5 Click the link for the desired client profile. The Profile Details page appears displaying the client profile details, including the SSID, power save mode, radio channel, data rates, and 802.11 security settings.

Configuring Client Reporting (CLI)

Step 1 To send a request to the client to send its profiles, enter this command:

config client ccx get-profiles client_mac_address

Step 2 To send a request to the client to send its current operating parameters, enter this command:

config client ccx get-operating-parameters client_mac_address

Step 3 To send a request to the client to send the manufacturer’s information, enter this command:

config client ccx get-manufacturer-info client_mac_address

Step 4 To send a request to the client to send its capability information, enter this command:

config client ccx get-client-capability client_mac_address

Step 5 To clear the client reporting information, enter this command:

config client ccx clear-reports client_mac_address

Step 6 To see the client profiles, enter this command:

show client ccx profiles client_mac_address

Step 7 To see the client operating parameters, enter this command:

show client ccx operating-parameters client_mac_address

Step 8 To see the client manufacturer information, enter this command:

show client ccx manufacturer-info client_mac_address

Step 9 To see the client’s capability information, enter this command:

show client ccx client-capability client_mac_address

Note

This command displays the client’s available capabilities, not current settings for the capabilities.

Configuring Roaming and Real-Time Diagnostics

You can use roaming and real-time logs and statistics to solve system problems. The event log enables you to identify and track the behavior of a client device. It is especially useful when attempting to diagnose difficulties that a user may be having on a WLAN. The event log provides a log of events and reports them to the access point. There are three categories of event logs:

• Roaming log—This log provides a historical view of the roaming events for a given client. The client maintains a minimum of five previous roaming events including failed attempts and successful roams.

• Robust Security Network Association (RSNA) log—This log provides a historical view of the authentication events for a given client. The client maintains a minimum of five previous authentication attempts including failed attempts and successful ones.

• Syslog—This log provides internal system information from the client. For example, it may indicate problems with 802.11 operation, system operation, and so on.

The statistics report provides 802.1X and security information for the client. You can use the controller CLI to send the event log and statistics request to any CCXv5 client any time after the client associates.

Configuring Roaming and Real-Time Diagnostics (CLI)

Step 1 To send a log request, enter this command:

config client ccx log-request log_type client_mac_address

where log_type is roam, rsna, or syslog.

Step 2 To view a log response, enter this command:

show client ccx log-response log_type client_mac_address

where log_type is roam, rsna, or syslog.


Information similar to the following appears for a log response with a log_type of roam:

Tue Jun 26 18:28:48 2007 Roaming Response LogID=133: Status=Successful

Event Timestamp=0d 00h 00m 13s 322396us

Source BSSID=00:0b:85:81:06:c2, Target BSSID=00:0b:85:81:06:c2, Transition Time=3125(ms)

Transition Reason: Normal roam, poor link

Transition Result: Success

Tue Jun 26 18:28:48 2007 Roaming Response LogID=133: Status=Successful

Event Timestamp=0d 00h 00m 16s 599006us

Source BSSID=00:0b:85:81:06:c2, Target BSSID=00:0b:85:81:06:c2, Transition Time=3235(ms)

Transition Reason: Normal roam, poor link

Transition Result: Success

Event Timestamp=0d 00h 00m 19s 882921us

Source BSSID=00:0b:85:81:06:c2, Target BSSID=00:0b:85:81:06:c2, Transition Time=3234(ms)

Tue Jun 26 18:28:48 2007 Roaming Response LogID=133: Status=Successful

Event Timestamp=0d 00h 00m 08s 815477us

Source BSSID=00:0b:85:81:06:c2, Target BSSID=00:0b:85:81:06:d2, Transition Time=3281(ms)

Transition Reason: Normal roam, poor link

Transition Result: Success

Transition Reason: First association to WLAN

Transition Result: Success

Event Timestamp=0d 00h 00m 26s 637084us

Source BSSID=00:0b:85:81:06:d2, Target BSSID=00:0b:85:81:06:c2, Transition Time=3313(ms)

Information similar to the following appears for a log response with a log_type of rsna:

Tue Jun 26 18:24:09 2007 RSNA Response LogID=132: Status=Successful

Event Timestamp=0d 00h 00m 00s 246578us

Target BSSID=00:14:1b:58:86:cd

RSNA Version=1

Group Cipher Suite=00-0f-ac-02

Pairwise Cipher Suite Count = 1

Pairwise Cipher Suite 0 = 00-0f-ac-04

AKM Suite Count = 1

AKM Suite 0 = 00-0f-ac-01

RSN Capability = 0x0

RSNA Result: Success

Tue Jun 26 18:24:09 2007 RSNA Response LogID=132: Status=Successful

Event Timestamp=0d 00h 00m 00s 246625us

Target BSSID=00:14:1b:58:86:cd

RSNA Version=1

Group Cipher Suite=00-0f-ac-02

Pairwise Cipher Suite Count = 1

Pairwise Cipher Suite 0 = 00-0f-ac-04

AKM Suite Count = 1

AKM Suite 0 = 00-0f-ac-01

RSN Capability = 0x0

RSNA Result: Success


Tue Jun 26 18:24:09 2007 RSNA Response LogID=132: Status=Successful

Event Timestamp=0d 00h 00m 01s 624375us

Target BSSID=00:14:1b:58:86:cd

RSNA Version=1

Group Cipher Suite=00-0f-ac-02

Pairwise Cipher Suite Count = 1

Pairwise Cipher Suite 0 = 00-0f-ac-04

AKM Suite Count = 1

AKM Suite 0 = 00-0f-ac-01

RSN Capability = 0x0

RSNA Result: Success

Information similar to the following appears for a log response with a log_type of syslog:

Tue Jun 26 18:07:48 2007 SysLog Response LogID=131: Status=Successful

Event Timestamp=0d 00h 19m 42s 278987us

Client SysLog = '<11> Jun 19 11:49:47 uraval3777 Mandatory elements missing in the OID response'

Event Timestamp=0d 00h 19m 42s 278990us

Client SysLog = '<11> Jun 19 11:49:50 uraval3777 Mandatory elements missing in the OID response'

Tue Jun 26 18:07:48 2007 SysLog Response LogID=131: Status=Successful

Event Timestamp=0d 00h 19m 42s 278993us

Client SysLog = '<11> Jun 19 11:49:53 uraval3777 Mandatory elements missing in the OID response'

Event Timestamp=0d 00h 19m 42s 278996us

Client SysLog = '<11> Jun 19 11:49:56 uraval3777 Mandatory elements missing in the OID response'

Tue Jun 26 18:07:48 2007 SysLog Response LogID=131: Status=Successful

Event Timestamp=0d 00h 19m 42s 279000us

Client SysLog = '<11> Jun 19 11:50:00 uraval3777 Mandatory elements missing in the OID response'

Event Timestamp=0d 00h 19m 42s 279003us

Client SysLog = '<11> Jun 19 11:50:03 uraval3777 Mandatory elements missing in the OID response'

Tue Jun 26 18:07:48 2007 SysLog Response LogID=131: Status=Successful

Event Timestamp=0d 00h 19m 42s 279009us

Client SysLog = '<11> Jun 19 11:50:09 uraval3777 Mandatory elements missing in the OID response'

Event Timestamp=0d 00h 19m 42s 279012us

Client SysLog = '<11> Jun 19 11:50:12 uraval3777 Mandatory elements missing in the OID response'

Step 3 To send a request for statistics, enter this command:

config client ccx stats-request measurement_duration stats_name client_mac_address where stats_name is dot11 or security.

Step 4 To view the statistics response, enter this command:

show client ccx stats-report client_mac_address

Information similar to the following appears:

Measurement duration = 1

dot11TransmittedFragmentCount = 1

dot11MulticastTransmittedFrameCount = 2

dot11FailedCount = 3

dot11RetryCount = 4

dot11MultipleRetryCount = 5

dot11FrameDuplicateCount = 6

dot11RTSSuccessCount = 7

dot11RTSFailureCount = 8

dot11ACKFailureCount = 9

dot11ReceivedFragmentCount = 10

dot11MulticastReceivedFrameCount = 11

dot11FCSErrorCount = 12

dot11TransmittedFrameCount = 13

Using the Debug Facility

Information About Using the Debug Facility

The debug facility enables you to display all packets going to and from the controller CPU. You can enable it for received packets, transmitted packets, or both. By default, all packets received by the debug facility are displayed. However, you can define access control lists (ACLs) to filter packets before they are displayed.

Packets not passing the ACLs are discarded without being displayed.

Each ACL includes an action (permit, deny, or disable) and one or more fields that can be used to match the packet. The debug facility provides ACLs that operate at the following levels and on the following values:

• Driver ACL

◦NPU encapsulation type

◦Port

• Ethernet header ACL

◦Destination address

◦Source address

◦Ethernet type

◦VLAN ID

• IP header ACL

◦Source address

◦Destination address

◦Protocol

◦Source port (if applicable)


◦Destination port (if applicable)

• EoIP payload Ethernet header ACL

◦Destination address

◦Source address

◦Ethernet type

◦VLAN ID

• EoIP payload IP header ACL

◦Source address

◦Destination address

◦Protocol

◦Source port (if applicable)

◦Destination port (if applicable)

• CAPWAP payload 802.11 header ACL

◦Destination address

◦Source address

◦BSSID

◦SNAP header type

• CAPWAP payload IP header ACL

◦Source address

◦Destination address

◦Protocol

◦Source port (if applicable)

◦Destination port (if applicable)

At each level, you can define multiple ACLs. The first ACL that matches the packet is the one that is selected.

Configuring the Debug Facility (CLI)

Step 1 To enable the debug facility, enter this command:

debug packet logging enable {rx | tx | all} packet_count display_size where


rx displays all received packets, tx displays all transmitted packets, and all displays both transmitted and received packets.

packet_count is the maximum number of packets to log. You can enter a value between 1 and 65535 packets, and the default value is 25 packets.

display_size is the number of bytes to display when printing a packet. By default, the entire packet is displayed.

Note

To disable the debug facility, enter this command: debug packet logging disable.

Step 2 Use these commands to configure packet-logging ACLs:

debug packet logging acl driver rule_index action npu_encap port where

rule_index is a value between 1 and 6 (inclusive).

action is permit, deny, or disable.

npu_encap specifies the NPU encapsulation type, which determines how packets are filtered. The possible values include dhcp, dot11-mgmt, dot11-probe, dot1x, eoip-ping, iapp, ip, lwapp, multicast, orphan-from-sta, orphan-to-sta, rbcp, wired-guest, or any.

port is the physical port for packet transmission or reception.

debug packet logging acl eth rule_index action dst src type vlan where

rule_index is a value between 1 and 6 (inclusive).

action is permit, deny, or disable.

dst is the destination MAC address.

src is the source MAC address.

type is the two-byte type code (such as 0x800 for IP, 0x806 for ARP). This parameter also accepts a few common string values such as “ip” (for 0x800) or “arp” (for 0x806).

vlan is the two-byte VLAN ID.

debug packet logging acl ip rule_index action src dst proto src_port dst_port where

proto is a numeric or any string recognized by getprotobyname(). The controller supports the following strings: ip, icmp, igmp, ggp, ipencap, st, tcp, egp, pup, udp, hmp, xns-idp, rdp, iso-tp4, xtp, ddp, idpr-cmtp, rspf, vmtp, ospf, ipip, and encap.

src_port is the UDP/TCP two-byte source port (for example, telnet, 23) or “any.” The controller accepts a numeric or any string recognized by getservbyname(). The controller supports the following strings: tcpmux, echo, discard, systat, daytime, netstat, qotd, msp, chargen, ftp-data, ftp, fsp, ssh, telnet, smtp, time, rlp, nameserver, whois, re-mail-ck, domain, mtp, bootps, bootpc, tftp, gopher, rje, finger, www, link, kerberos, supdup, hostnames, iso-tsap, csnet-ns, 3com-tsmux, rtelnet, pop-2, pop-3, sunrpc, auth, sftp, uucp-path, nntp, ntp, netbios-ns, netbios-dgm, netbios-ssn, imap2, snmp, snmp-trap, cmip-man, cmip-agent, xdmcp, nextstep, bgp, prospero, irc, smux, at-rtmp, at-nbp, at-echo, at-zis, qmtp, z3950, ipx, imap3, ulistserv, https, snpp, saft, npmp-local, npmp-gui, and hmmp-ind.

dst_port is the UDP/TCP two-byte destination port (for example, telnet, 23) or “any.” The controller accepts a numeric or any string recognized by getservbyname(). The controller supports the same strings as those for the src_port.

debug packet logging acl eoip-eth rule_index action dst src type vlan

debug packet logging acl eoip-ip rule_index action src dst proto src_port dst_port

debug packet logging acl lwapp-dot11 rule_index action dst src bssid snap_type where

bssid is the Basic Service Set Identifier.

snap_type is the Ethernet type.

debug packet logging acl lwapp-ip rule_index action src dst proto src_port dst_port

Note

To remove all configured ACLs, enter this command: debug packet logging acl clear-all.

To configure the format of the debug output, enter this command:

debug packet logging format {hex2pcap | text2pcap}

The debug facility supports two output formats: hex2pcap and text2pcap. The standard format used by IOS supports the use of hex2pcap and can be decoded using an HTML front end. The text2pcap option is provided as an alternative so that a sequence of packets can be decoded from the same console log file.

This figure shows an example of hex2pcap output.

Figure 28: Sample Hex2pcap Output


This figure shows an example of text2pcap output.

Figure 29: Sample Text2pcap Output

Step 3 To determine why packets might not be displayed, enter this command:

debug packet error {enable | disable}

Step 4 To display the status of packet debugging, enter this command:

show debug packet

Information similar to the following appears:

Status........................................... disabled
Number of packets to display..................... 25
Bytes/packet to display.......................... 0
Packet display format............................ text2pcap
Driver ACL:
   [1]: disabled
   [2]: disabled
   [3]: disabled
   [4]: disabled
   [5]: disabled
   [6]: disabled
Ethernet ACL:
   [1]: disabled
   [2]: disabled
   [3]: disabled
   [4]: disabled
   [5]: disabled
   [6]: disabled
IP ACL:
   [1]: disabled
   [2]: disabled
   [3]: disabled
   [4]: disabled
   [5]: disabled
   [6]: disabled
EoIP-Ethernet ACL:
   [1]: disabled
   [2]: disabled
   [3]: disabled
   [4]: disabled
   [5]: disabled
   [6]: disabled
EoIP-IP ACL:
   [1]: disabled
   [2]: disabled
   [3]: disabled
   [4]: disabled
   [5]: disabled
   [6]: disabled
LWAPP-Dot11 ACL:
   [1]: disabled
   [2]: disabled
   [3]: disabled
   [4]: disabled
   [5]: disabled
   [6]: disabled
LWAPP-IP ACL:
   [1]: disabled
   [2]: disabled
   [3]: disabled
   [4]: disabled
   [5]: disabled
   [6]: disabled

Configuring Wireless Sniffing

Information About Wireless Sniffing

The controller enables you to configure an access point as a network “sniffer,” which captures and forwards all the packets on a particular channel to a remote machine that runs packet analyzer software. These packets contain information on time stamps, signal strength, packet sizes, and so on. Sniffers allow you to monitor and record network activity and to detect problems.

Prerequisites for Wireless Sniffing

To perform wireless sniffing, you need the following hardware and software:

• A dedicated access point—An access point configured as a sniffer cannot simultaneously provide wireless access service on the network. To avoid disrupting coverage, use an access point that is not part of your existing wireless network.

• A remote monitoring device—A computer capable of running the analyzer software.

• Windows XP or Linux operating system—The controller supports sniffing on both Windows XP and Linux machines.

• Software and supporting files, plug-ins, or adapters—Your analyzer software may require specialized files before you can successfully enable

Restrictions for Wireless Sniffing

• Supported third-party network analyzer software applications are as follows:

◦Wildpackets Omnipeek or Airopeek

◦AirMagnet Enterprise Analyzer

◦Wireshark

• In Wireshark, decode the captured packets by choosing Analyze > Decode As and setting UDP port 5555 to decode as AIROPEEK, so that the encapsulated 802.11 frames are dissected.

• You must disable IP-MAC address binding in order to use an access point in sniffer mode if the access point is joined to a Cisco 5500 Series Controller. To disable IP-MAC address binding, enter the config network ip-mac-binding disable command in the controller CLI.

• You must enable WLAN 1 in order to use an access point in sniffer mode if the access point is joined to a Cisco 5500 Series Controller. If WLAN 1 is disabled, the access point cannot send packets.

Configuring Sniffing on an Access Point (GUI)

Step 1  Choose Wireless > Access Points > All APs to open the All APs page.

Step 2  Click the name of the access point that you want to configure as the sniffer. The All APs > Details for page appears.

Step 3  From the AP Mode drop-down list, choose Sniffer.

Step 4  Click Apply.

Step 5  Click OK when prompted that the access point will be rebooted.

Step 6  Choose Wireless > Access Points > Radios > 802.11a/n/ac (or 802.11b/g/n) to open the 802.11a/n/ac (or 802.11b/g/n) Radios page.

Step 7  Hover your cursor over the blue drop-down arrow for the desired access point and choose Configure. The 802.11a/n/ac (or 802.11b/g/n) Cisco APs > Configure page appears.

Step 8  Select the Sniff check box to enable sniffing on this access point, or leave it unselected to disable sniffing. The default value is unchecked.

Step 9  If you enabled sniffing in Step 8, follow these steps:
a) From the Channel drop-down list, choose the channel on which the access point sniffs for packets.
b) In the Server IP Address text box, enter the IP address of the remote machine running Omnipeek, Airopeek, AirMagnet, or Wireshark.

Step 10  Click Apply.

Step 11  Click Save Configuration.

Configuring Sniffing on an Access Point (CLI)

Step 1  Configure the access point as a sniffer by entering this command:

config ap mode sniffer Cisco_AP

where Cisco_AP is the access point configured as the sniffer.

Step 2  When warned that the access point will be rebooted and asked if you want to continue, enter Y. The access point reboots in sniffer mode.

Step 3  Enable sniffing on the access point by entering this command:

config ap sniff {802.11a | 802.11b} enable channel server_IP_address Cisco_AP

where

channel is the radio channel on which the access point sniffs for packets. The default values are 36 (802.11a/n/ac) and 1 (802.11b/g/n).

server_IP_address is the IP address of the remote machine running Omnipeek, Airopeek, AirMagnet, or Wireshark.

Cisco_AP is the access point configured as the sniffer.

Note
To disable sniffing on the access point, enter the config ap sniff {802.11a | 802.11b} disable Cisco_AP command.

Step 4  Save your changes by entering this command:

save config

Step 5  See the sniffer configuration settings for an access point by entering this command:

show ap config {802.11a | 802.11b} Cisco_AP
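The sniffer access point forwards every frame it hears on the chosen channel to server_IP_address in UDP datagrams on port 5555, which is why Wireshark has to be told to decode that port as AIROPEEK. Because the transport is plain UDP, the capture itself is unprotected in transit, so the server should sit where that traffic cannot be observed. The receiver below is an added example, not Cisco code: it decapsulates one such datagram and summarises the 802.11 frame inside it, and it includes a crude deauthentication-flood counter, since a sniffer AP is a convenient vantage point for that kind of attack. The encapsulation header layout is an assumption taken from the legacy 20-byte AiroPeek remote header that Wireshark's peekremote dissector decodes; verify it against your own capture with Decode As before trusting the radio fields. The sample datagram is constructed and the function names are the example's own.

```python
"""Decapsulate sniffer-AP datagrams received on UDP 5555 (added example)."""
import socket
import struct

UDP_PORT = 5555
# Assumed legacy AiroPeek remote header (20 bytes, big-endian): signal dBm,
# noise dBm, packet length, slice length, flags, status, 64-bit timestamp,
# data rate (500 kb/s units), channel, signal %, noise %. Then the raw frame.
PEEK_HDR = struct.Struct(">bbHHBBQBBBB")
FRAME_TYPES = {0: "mgmt", 1: "ctrl", 2: "data", 3: "ext"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}


def mac(b):
    return ":".join("%02x" % x for x in b)


def parse_datagram(payload):
    """Return a summary dict for one UDP payload from the sniffer AP."""
    if len(payload) < PEEK_HDR.size + 24:
        raise ValueError("datagram too short for header plus 802.11 MAC header")
    (sig_dbm, noise_dbm, pkt_len, slice_len, flags, status,
     ts_us, rate, channel, sig_pct, noise_pct) = PEEK_HDR.unpack_from(payload, 0)
    frame = payload[PEEK_HDR.size:]
    fc = frame[0]                                  # first byte of Frame Control
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    summary = {
        "type": FRAME_TYPES[ftype],
        "subtype": MGMT_SUBTYPES.get(subtype, str(subtype)) if ftype == 0 else str(subtype),
        "addr1": mac(frame[4:10]),     # receiver / destination
        "addr2": mac(frame[10:16]),    # transmitter / source
        "addr3": mac(frame[16:22]),    # BSSID for management frames
        "channel": channel,
        "signal_dbm": sig_dbm,
        "rate_mbps": rate / 2,
    }
    if ftype == 0 and subtype == 12 and len(frame) >= 26:
        summary["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return summary


def is_deauth_flood(summaries, threshold=20):
    """Return {bssid: count} for BSSIDs with more than `threshold` deauth frames."""
    counts = {}
    for s in summaries:
        if s["subtype"] == "deauth":
            counts[s["addr3"]] = counts.get(s["addr3"], 0) + 1
    return {bssid: n for bssid, n in counts.items() if n > threshold}


def make_datagram(frame, channel=36, sig_dbm=-55):
    """Build a constructed datagram of the assumed shape for offline testing."""
    hdr = PEEK_HDR.pack(sig_dbm, -95, len(frame), len(frame), 0, 0,
                        1234567, 12, channel, 80, 5)
    return hdr + frame


# Constructed 802.11 deauthentication frame: FC 0xC000 (mgmt/deauth), duration,
# addr1 = targeted client, addr2 = addr3 = BSSID, sequence, reason code 7.
DEAUTH_FRAME = (bytes.fromhex("c000") + bytes.fromhex("3a01")
                + bytes.fromhex("001122334455")
                + bytes.fromhex("00aabbccddee") * 2
                + bytes.fromhex("1000") + struct.pack("<H", 7))


def serve(bind_ip="0.0.0.0"):
    """Run on the host configured as server_IP_address with 'config ap sniff'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, UDP_PORT))
        while True:
            data, (ap_ip, _) = sock.recvfrom(65535)
            print(ap_ip, parse_datagram(data))


if __name__ == "__main__":
    serve()
```

Point serve() at the same address you gave the controller as server_IP_address; the AP is the only expected sender, so filtering datagrams by the AP's source address is a cheap way to ignore anything else that reaches the port.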

Troubleshooting Access Points Using Telnet or SSH


Information About Troubleshooting Access Points Using Telnet or SSH

The controller supports the use of the Telnet and Secure Shell (SSH) protocols to troubleshoot lightweight access points. Using these protocols makes debugging easier, especially when the access point is unable to connect to the controller. Telnet carries the session, including the login credentials, in cleartext; prefer SSH, and disable whichever protocol you enabled once troubleshooting is complete.

• To avoid potential conflicts and security threats to the network, the following commands are unavailable while a Telnet or SSH session is enabled: config terminal, telnet, ssh, rsh, ping, traceroute, clear, clock, crypto, delete, fsck, lwapp, mkdir, radius, release, reload, rename, renew, rmdir, save, set, test, upgrade.

• Commands available during a Telnet or SSH session include debug, disable, enable, help, led, login, logout, more, no debug, show, systat, undebug, and where.

Note
For instructions on configuring Telnet or SSH sessions on the controller, see the Telnet and Secure Shell Sessions section.

• You can enable a Telnet or SSH session on unjoined access points with non-default credentials.

Note
For information on enabling Telnet or SSH sessions on unjoined access points, see the Lightweight Access Point Commands chapter in the Cisco Wireless LAN Controller Command Reference, Release 8.0.

You can configure Telnet or SSH by using the controller CLI in software release 5.0 or later releases, or by using the controller GUI in software release 6.0 or later releases.

Troubleshooting Access Points Using Telnet or SSH (GUI)

Step 1  Choose Wireless > Access Points > All APs to open the All APs page.

Step 2  Click the name of the access point for which you want to enable Telnet or SSH.

Step 3  Choose the Advanced tab to open the All APs > Details for (Advanced) page.

Step 4  Select the Telnet check box to enable Telnet connectivity on this access point. The default value is unchecked.

Step 5  Select the SSH check box to enable SSH connectivity on this access point. The default value is unchecked.

Step 6  Click Apply.

Step 7  Click Save Configuration.

Troubleshooting Access Points Using Telnet or SSH (CLI)

Step 1  Enable Telnet or SSH connectivity on an access point by entering this command:

config ap {telnet | ssh} enable Cisco_AP

The default value is disabled.

Note
Disable Telnet or SSH connectivity on an access point by entering this command: config ap {telnet | ssh} disable Cisco_AP

Step 2  Save your changes by entering this command:

save config

Step 3  See whether Telnet or SSH is enabled on an access point by entering this command:

show ap config general Cisco_AP

Information similar to the following appears:

Cisco AP Identifier.............................. 5
Cisco AP Name.................................... AP33
Country code..................................... Multiple Countries:US,AE,AR,AT,AU,BH
Reg. Domain allowed by Country................... 802.11bg:-ABCENR 802.11a:-ABCEN
AP Country code.................................. US - United States
AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A
Switch Port Number .............................. 2
MAC Address...................................... 00:19:2f:11:16:7a
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.22.8.133
IP NetMask....................................... 255.255.248.0
Gateway IP Addr.................................. 10.22.8.1
Domain...........................................
Name Server......................................
Telnet State..................................... Enabled
Ssh State........................................ Enabled
...
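Because Telnet is enabled per access point and the page expects it to be turned on only for troubleshooting, it is worth checking periodically that nobody left it on. The audit below is an added example, not Cisco code: it parses the dotted "Key.... Value" lines of show ap config general output (concatenated for several APs) and reports every AP with Telnet enabled as a high-severity finding and SSH-only APs as informational, with the disable command to run. The sample output is constructed from the fields shown above; AP34 and AP35 and their addresses are invented for the example, and the function names are the example's own.

```python
"""Audit 'show ap config general' output for Telnet/SSH exposure (added example)."""
import re

# "Telnet State..................... Enabled" -> key "Telnet State", value "Enabled"
FIELD = re.compile(r"^(?P<key>.+?)\.{2,}\s*(?P<value>.*)$")


def parse_show_output(text):
    """Turn one AP's 'show ap config general' block into a dict of fields."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("."):      # skip blank and '...' lines
            continue
        m = FIELD.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def split_aps(text):
    """Split concatenated per-AP output; each block starts with 'Cisco AP Identifier'."""
    blocks, cur = [], []
    for line in text.splitlines():
        if line.startswith("Cisco AP Identifier") and cur:
            blocks.append("\n".join(cur))
            cur = []
        cur.append(line)
    if cur:
        blocks.append("\n".join(cur))
    return blocks


def audit(text):
    """Return one finding per AP that has Telnet (high) or only SSH (info) enabled."""
    findings = []
    for block in split_aps(text):
        ap = parse_show_output(block)
        name = ap.get("Cisco AP Name", "?")
        telnet = ap.get("Telnet State", "").lower() == "enabled"
        ssh = ap.get("Ssh State", "").lower() == "enabled"
        if telnet:
            findings.append({"ap": name, "ip": ap.get("IP Address"), "severity": "high",
                             "issue": "Telnet enabled (cleartext login); run: "
                                      "config ap telnet disable %s" % name})
        elif ssh:
            findings.append({"ap": name, "ip": ap.get("IP Address"), "severity": "info",
                             "issue": "SSH enabled; disable after troubleshooting: "
                                      "config ap ssh disable %s" % name})
    return findings


# Constructed sample: AP33 and its address come from the page; AP34/AP35 are invented.
SAMPLE = """\
Cisco AP Identifier.............................. 5
Cisco AP Name.................................... AP33
AP Country code.................................. US - United States
MAC Address...................................... 00:19:2f:11:16:7a
IP Address Configuration......................... Static IP assigned
IP Address....................................... 10.22.8.133
Telnet State..................................... Enabled
Ssh State........................................ Enabled
Cisco AP Identifier.............................. 6
Cisco AP Name.................................... AP34
IP Address....................................... 10.22.8.134
Telnet State..................................... Disabled
Ssh State........................................ Enabled
Cisco AP Identifier.............................. 7
Cisco AP Name.................................... AP35
IP Address....................................... 10.22.8.135
Telnet State..................................... Disabled
Ssh State........................................ Disabled
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%-5s %-6s %-12s %s" % (finding["severity"], finding["ap"],
                                      finding["ip"], finding["issue"]))
```

Collect the output for every AP (for example, by running show ap config general for each name in show ap summary) and pass the concatenated text to audit(); the parser keys only on the field names, so extra fields in newer releases do not break it.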

Debugging the Access Point Monitor Service

Information About Debugging the Access Point Monitor Service

The controller sends access point status information to the Cisco 3300 Series Mobility Services Engine (MSE) using the access point monitor service.

The MSE sends a service subscription and an access point monitor service request to get the status of all access points currently known to the controller. When any change is made in the status of an access point, a notification is sent to the MSE.

Debugging Access Point Monitor Service Issues (CLI)

If you experience any problems with the access point monitor service, enter this command:

debug service ap-monitor {all | error | event | nmsp | packet} {enable | disable}

where

all configures debugging of all access point status messages.

error configures debugging of access point monitor error events.

event configures debugging of access point monitor events.

nmsp configures debugging of access point monitor NMSP events.

packet configures debugging of access point monitor packets.

enable enables the debug service ap-monitor mode.

disable disables the debug service ap-monitor mode.

Troubleshooting Memory Leaks

To investigate the cause of a low memory state, follow these steps:

Step 1  show memory statistics

Step 2  test system cat /proc/meminfo

Step 3  show system top

PID   USER  PR  NI  VIRT  RES   SHR  S  %CPU  %MEM  TIME+     COMMAND
1078  root  18   0  4488  888   756  S     0   0.1  0:00.00   gettyOrMwar
1081  root  20   0  980m  557m  24m  S     0  56.9  41:33.32  switchdrvr

In this example, the PID to focus on is 1081 (switchdrvr, holding 56.9 percent of memory).

Step 4  test system cat /proc/1081/smaps

Step 5  show system timers ticks-exhausted

Timer Ticks ..................................... 3895180 ticks (779036 seconds)

Here, focus on the seconds value, 779036.

Step 6  show memory allocations [all/<pid>] [all/<pool-size>] [<start_time>] [<end_time>]

Any allocations that are listed are probable memory leak candidates. Check whether they are valid allocations that were made before the low memory state occurred.

Troubleshooting OfficeExtend Access Points

Information About Troubleshooting OfficeExtend Access Points

This section provides troubleshooting information if you experience any problems with your OfficeExtend access points.

Interpreting OfficeExtend LEDs

The LED patterns are different for 1130 series and 1140 series OfficeExtend access points. For a description of the LED patterns, see the Cisco OfficeExtend Access Point Quick Start Guide at http://www.cisco.com/c/en/us/products/wireless/index.html.


Positioning OfficeExtend Access Points for Optimal RF Coverage

When positioning your OfficeExtend access point, consider that its RF signals are emitted in a cone shape spreading outward from the LED side of the access point. Ensure to mount the access point so that air can flow behind the metal back plate and prevent the access point from overheating.

Figure 30: OfficeExtend Access Point Radiation Patterns

Troubleshooting Common Problems

Most of the problems experienced with OfficeExtend access points are one of the following:

• The access point cannot join the controller because of network or firewall issues.

Resolution: Follow the instructions in the Viewing Access Point Join Information section to see join statistics for the OfficeExtend access point, or find the access point’s public IP address and perform pings of different packet sizes from inside the company.

• The access point joins but keeps dropping off. This behavior usually occurs because of network problems or when the network address translation (NAT) or firewall ports close because of short timeouts.

Resolution: Ask the teleworker for the LED status.

• Clients cannot associate because of NAT issues.

Resolution: Ask the teleworker to perform a speed test and a ping test. Some servers do not return big packet pings.

• Clients keep dropping data. This behavior usually occurs because the home router closes the port because of short timeouts.

Resolution: Perform client troubleshooting in Cisco Prime Infrastructure to determine if the problem is related to the OfficeExtend access point or the client.

• The access point is not broadcasting the enterprise WLAN.

Resolution: Ask the teleworker to check the cables, power supply, and LED status. If you still cannot identify the problem, ask the teleworker to try the following:

◦Connect to the home router directly and see if the PC is able to connect to an Internet website such as http://www.cisco.com/ . If the PC cannot connect to the Internet, check the router or modem. If the PC can connect to the Internet, check the home router configuration to see if a firewall or MAC-based filter is enabled that is blocking the access point from reaching the Internet.

◦Log on to the home router and check to see if the access point has obtained an IP address. If it has, the access point’s LED normally blinks orange.


• The access point cannot join the controller, and you cannot identify the problem.

Resolution: A problem could exist with the home router. Ask the teleworker to check the router manual and try the following:

◦Assign the access point a static IP address based on the access point’s MAC address.

◦Put the access point in a demilitarized zone (DMZ), which is a small network inserted as a neutral zone between a company’s private network and the outside public network. It prevents outside users from getting direct access to a server that has company data.

◦If problems still occur, contact your company’s IT department for assistance.

• The teleworker experiences problems while configuring a personal SSID on the access point.

Resolution: Clear the access point configuration and return it to factory default settings by clicking Clear Config on the access point GUI or by entering the clear ap config Cisco_AP command, and then configure a personal SSID on the OfficeExtend access point. If problems still occur, contact your company’s IT department for assistance.

• The home network needs to be rebooted.

Resolution: Ask the teleworker to follow these steps:

Leave all devices networked and connected, and then power down all the devices.

Turn on the cable or DSL modem, and then wait for 2 minutes. (Check the LED status.)

Turn on the home router, and then wait for 2 minutes. (Check the LED status.)

Turn on the access point, and then wait for 5 minutes. (Check the LED status.)

Turn on the client.

Part II

Ports and Interfaces

Overview of Ports and Interfaces, page 317

Configuring the Management Interface, page 325

Configuring the AP-Manager Interface, page 331

Configuring Virtual Interfaces, page 337

Configuring Service-Port Interfaces, page 339

Configuring Dynamic Interfaces, page 343

Configuring Ports, page 349

Information About Using Cisco 5500 Series Controller USB Console Port, page 351

Configuring Link Aggregation, page 353

Configuring Multiple AP-Manager Interfaces, page 359

Configuring VLAN Select, page 363

Configuring Interface Groups, page 367

Configuring Multicast Optimization, page 371

High Availability, page 373

Chapter 27

Overview of Ports and Interfaces

Three concepts are key to understanding how controllers connect to a wireless network: ports, interfaces, and WLANs.

Information About Ports, page 317

Information About Distribution System Ports, page 318

Information About Interfaces, page 320

Information About Dynamic AP Management, page 321

Information About WLANs, page 322

Information About Ports

A port is a physical entity that is used for connections on the controller platform. Controllers have two types of ports: distribution system ports and a service port.

Figure 31: Ports on the Cisco 5500 Series Wireless LAN Controllers

1  Redundant port (RJ-45)
2  Service port (RJ-45)
3  Console port (RJ-45)
4  USB ports 0 and 1 (Type A)
5  Console port (Mini USB Type B)
6  SFP distribution system ports 1–8
7  Management port LEDs
8  SFP distribution port Link and Activity LEDs
9  Power supply (PS1 and PS2), System (SYS), and Alarm (ALM) LEDs
10 Expansion module slot

Note
You can use only one console port (either RJ-45 or mini USB). When you connect to one console port, the other is disabled.

Information About Distribution System Ports

A distribution system port connects the controller to a neighbor switch and serves as the data path between these two devices.

Restrictions for Configuring Distribution System Ports

• Cisco 5508 Controllers have eight Gigabit Ethernet distribution system ports, through which the controller can manage multiple access points. The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller. Cisco 5508 controllers have no restrictions on the number of access points per port. However, we recommend using link aggregation (LAG) or configuring dynamic AP-manager interfaces on each Gigabit Ethernet port to automatically balance the load. If more than 100 access points are connected to the Cisco 5500 Series Controller, make sure that more than one Gigabit Ethernet interface is connected to the upstream switch.

Note
The Gigabit Ethernet ports on the Cisco 5508 Controllers accept these SX/LC/T small form-factor plug-in (SFP) modules:

• 1000BASE-SX SFP modules, which provide a 1000-Mbps wired connection to a network through an 850nM (SX) fiber-optic link using an LC physical connector

• 1000BASE-LX SFP modules, which provide a 1000-Mbps wired connection to a network through a 1300nM (LX/LH) fiber-optic link using an LC physical connector

• 1000BASE-T SFP modules, which provide a 1000-Mbps wired connection to a network through a copper link using an RJ-45 physical connector

• GLC-SX-MM, a 1000BASE-SX module, should be in auto-negotiation mode to function as desired, because all SFP modules with LC physical connectors must be in auto-negotiation mode on Cisco 5508 Series Controllers to function properly. However, when a Cisco ASR is connected through the fiber port, the GLC-SX-MM link does not come up between the Cisco ASR and the Cisco 5508, because the Cisco ASR requires the connector to be in fixed mode to function properly.

• Each distribution system port is, by default, an 802.1Q VLAN trunk port. The VLAN trunking characteristics of the port are not configurable.

Note
Some controllers support link aggregation (LAG), which bundles all of the controller’s distribution system ports into a single 802.3ad port channel. Cisco 5500 Series Controllers support LAG, and LAG is enabled automatically on the controllers within the Cisco WiSM2.

• Connecting Cisco WLC ports to switch ports configured in access mode is not supported. Configure the switch ports that connect to Cisco WLC ports in trunk mode.

• In Cisco Flex 7500 and 8500 Series Controllers:

◦If a port is unresponsive after a soaking period of 5 seconds, all the interfaces for which the port is the primary and the active port fail over to the backup port, if a backup is configured and is operational. Similarly, if the unresponsive port is the backup port, then all the interfaces fail over to the primary port if it is operational.

◦After the unresponsive port is restored, there is a soaking period of 60 seconds, after which, if the port is still operational, all the interfaces fall back to this port if it was the primary port. If the port was the backup port, then no change is made.

• You must ensure that you configure the port before you connect a switch or distribution system in the Cisco Wireless LAN Controller 2500 series.

• If an IPv6 packet is destined to the controller management IPv6 address and the client VLAN is different from the controller management VLAN, the IPv6 packet is switched out of the controller. If the same IPv6 packet arrives at the controller as a network packet, management access is not denied.

Information About Service Port

Cisco 5500 Series Controllers also have a 10/100/1000 copper Ethernet service port. The service port is controlled by the service-port interface and is reserved for out-of-band management of the controller and system recovery and maintenance in the event of a network failure. It is also the only port that is active when the controller is in boot mode. The service port is not capable of carrying 802.1Q tags, so it must be connected to an access port on the neighbor switch. Use of the service port is optional.

The service port of the Cisco Wireless Controller 7510 and 8510 models is a one Gigabit Ethernet port. To verify the speed of service port, you must connect the service port to a Gigabit Ethernet port on the switch.

Note

The service port is not auto-sensing. You must use the correct straight-through or crossover Ethernet cable to communicate with the service port.

Caution

Do not configure wired clients in the same VLAN or subnet of the service port of the controller on the network. If you configure wired clients on the same subnet or VLAN as the service port, it is not possible to access the management interface of the controller.


Information About Interfaces

An interface is a logical entity on the controller. An interface has multiple parameters associated with it, including an IP address, default gateway (for the IP subnet), primary physical port, secondary physical port, VLAN identifier, and DHCP server.

These five types of interfaces are available on the controller. Four of these are static and are configured at setup time:

• Management interface (static and configured at setup time; mandatory)

• AP-manager interface (static and configured at setup time; mandatory)

Note

You are not required to configure an AP-manager interface on Cisco 5500 Series Controllers.

• Virtual interface (static and configured at setup time; mandatory)

• Service-port interface (static and configured at setup time; optional)

• Dynamic interface (user-defined)

Note

Typically, you define the management, AP-manager, virtual, and service-port interface parameters using the Startup Wizard. However, you can display and configure interface parameters through either the GUI or CLI after the controller is running.

When LAG is disabled, each interface is mapped to at least one primary port, and some interfaces (management and dynamic) can be mapped to an optional secondary (or backup) port. If the primary port for an interface fails, the interface automatically moves to the backup port. In addition, multiple interfaces can be mapped to a single controller port.

In Cisco Wireless LAN Controller 5508 Series, the controller marks packets greater than 1500 bytes as long. However, the packets are not dropped. The workaround to this is to configure the MTU on a switch to less than 1500 bytes.

Note

Interfaces that are quarantined are not displayed on the Controller > Interfaces page. For example, if there are 6 interfaces and one of them is quarantined, the quarantined interface is not displayed and the details of the other 5 interfaces are displayed on the GUI. You can get the total number of interfaces that is inclusive of quarantined interfaces through the count displayed on the top-right corner of the GUI.

Restrictions for Configuring Interfaces

• Each physical port on the wireless controller can have only one AP-manager configured with it. For the Cisco 5500 Series Controllers, the management interface with AP-management enabled cannot fail over to the backup port, which is primary for the AP-manager on the management or dynamic VLAN interface.

• Cisco 5500 Series Controllers do not support fragmented pings on any interface.

• When the port comes up in VMware ESXi with configuration for NIC teaming, the vWLC may lose connectivity. However, the virtual wireless LAN controller (vWLC) resumes connectivity after a while.

Information About Dynamic AP Management

A dynamic interface is created as a WLAN interface by default. However, any dynamic interface can be configured as an AP-manager interface, with one AP-manager interface allowed per physical port. A dynamic interface with the Dynamic AP Management option enabled is used as the tunnel source for packets from the controller to the access point and as the destination for CAPWAP packets from the access point to the controller.

The dynamic interfaces for AP management must have a unique IP address and are usually configured on the same subnet as the management interface.

Note

If link aggregation (LAG) is enabled, there can be only one AP-manager interface.

We recommend having a separate dynamic AP-manager interface per controller port.


Information About WLANs

A WLAN associates a service set identifier (SSID) to an interface or an interface group. It is configured with security, quality of service (QoS), radio policies, and other wireless network parameters. Up to 512 WLANs can be configured per controller.

Figure 32: Relationship between Ports, Interfaces, and WLANs

Each controller port connection is an 802.1Q trunk and should be configured as such on the neighbor switch.

On Cisco switches, the native VLAN of an 802.1Q trunk is an untagged VLAN. If you configure an interface to use the native VLAN on a neighboring Cisco switch, make sure you configure the interface on the controller to be untagged.

Note

A zero value for the VLAN identifier (on the Controller > Interfaces page) means that the interface is untagged.

The default (untagged) native VLAN on Cisco switches is VLAN 1. When controller interfaces are configured as tagged (meaning that the VLAN identifier is set to a nonzero value), the VLAN must be allowed on the 802.1Q trunk configuration on the neighbor switch and must not be the native untagged VLAN.

We recommend that tagged VLANs be used on the controller. You should also allow only relevant VLANs on the neighbor switch’s 802.1Q trunk connections to controller ports. All other VLANs should be disallowed or pruned in the switch port trunk configuration. This practice is extremely important for optimal performance of the controller.

Note

We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers properly route VLAN traffic.
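The trunk rules above (trunk mode, tagged controller VLANs allowed, controller VLANs never the native VLAN, everything else pruned) are easy to state and easy to get wrong on the switch side. The checker below is an added example, not Cisco code: it reads a Cisco IOS-style interface stanza for a switch port that faces a controller port and reports each rule it violates. The three stanzas are constructed samples with illustrative VLAN numbers (10, 20, 30 as controller VLANs, 999 as an otherwise unused native VLAN); the parser understands only the switchport lines shown in them and assumes IOS defaults (all VLANs allowed, native VLAN 1) when a line is absent. Function names are the example's own.

```python
"""Check a neighbor-switch port stanza against the controller-port rules (added example)."""
import re


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' into a set; 'all' -> None."""
    if spec.strip().lower() == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_stanza(text):
    """Extract mode, allowed VLANs (None = all) and native VLAN from one stanza.

    Assumed IOS defaults when a line is missing: mode 'dynamic', all VLANs
    allowed on a trunk, native VLAN 1.
    """
    cfg = {"mode": "dynamic", "allowed": None, "native": 1}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"switchport mode (\S+)$", line)
        if m:
            cfg["mode"] = m.group(1)
            continue
        m = re.match(r"switchport trunk allowed vlan (.+)$", line)
        if m:
            cfg["allowed"] = parse_vlan_list(m.group(1))
            continue
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            cfg["native"] = int(m.group(1))
    return cfg


def check_controller_port(stanza, controller_vlans):
    """Return a list of findings; empty when the stanza satisfies every rule.

    controller_vlans: VLAN IDs of the tagged controller interfaces on this port.
    """
    cfg = parse_stanza(stanza)
    wanted = set(controller_vlans)
    if cfg["mode"] != "trunk":
        return ["port is not an 802.1Q trunk (switchport mode %s)" % cfg["mode"]]
    findings = []
    if cfg["allowed"] is None:
        findings.append("all VLANs allowed on trunk; prune to %s"
                        % ",".join(str(v) for v in sorted(wanted)))
    else:
        missing = sorted(wanted - cfg["allowed"])
        if missing:
            findings.append("controller VLANs not allowed on trunk: %s" % missing)
        extra = sorted(cfg["allowed"] - wanted)
        if extra:
            findings.append("VLANs not used by the controller should be pruned: %s" % extra)
    if cfg["native"] in wanted:
        findings.append("VLAN %d is the native (untagged) VLAN but the controller tags it"
                        % cfg["native"])
    return findings


# Constructed sample stanzas (not from a real switch).
BAD_ACCESS = """\
interface GigabitEthernet1/0/1
 description WLC port 1 - wrong: access mode
 switchport access vlan 10
 switchport mode access
"""
BAD_TRUNK = """\
interface GigabitEthernet1/0/2
 description WLC port 2 - wrong: all VLANs allowed, native VLAN is a controller VLAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
"""
GOOD_TRUNK = """\
interface GigabitEthernet1/0/3
 description WLC port 3 - pruned trunk, unused native VLAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
"""

if __name__ == "__main__":
    for name, stanza in (("access", BAD_ACCESS), ("trunk", BAD_TRUNK), ("good", GOOD_TRUNK)):
        print(name, check_controller_port(stanza, {10, 20, 30}) or ["ok"])
```

Run it against the output of show running-config interface for each switch port that connects to a controller port, passing the VLAN IDs from the controller's Controller > Interfaces page; a nonzero VLAN identifier there is a tagged interface and belongs in controller_vlans.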


Chapter 28

Configuring the Management Interface

Information About the Management Interface, page 325

Configuring the Management Interface (GUI), page 327

Configuring the Management Interface (CLI), page 328

Information About the Management Interface

The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. It is also used for communications between the controller and access points. The management interface has the only consistently “pingable” in-band interface IP address on the controller. You can access the GUI of the controller by entering the management interface IP address of the controller in the address field of your browser.

For CAPWAP, the controller requires one management interface to control all inter-controller communications and one AP-manager interface to control all controller-to-access point communications, regardless of the number of ports.

If the service port is in use, the management interface must be on a different supernet from the service-port interface.

Note

To prevent or block a wired or wireless client from accessing the management network on a controller (from the wireless client dynamic interface or VLAN), the network administrator must ensure that only authorized clients gain access to the management network through proper CPU ACLs, or use a firewall between the client dynamic interface and the management network.

Caution

Do not map a guest WLAN to the management interface. If the EoIP tunnel breaks, the client could obtain an IP and be placed on the management subnet.


Caution

Do not configure wired clients in the same VLAN or subnet of the service port of the controller on the network. If you configure wired clients on the same subnet or VLAN as the service port, it is not possible to access the management interface of the controller.

Authentication Type for Management Interfaces

For any type of management access to the controller, be it SSH, Telnet, or HTTP, we recommend that you use a single authentication type, which can be TACACS+, RADIUS, or Local, and not a mix of these authentication types. Ensure that you take care of the following:

• Authentication type (TACACS+, RADIUS, or Local), must be the same for all management access and for all AAA authentication and authorization parameters.

• The method list must be explicitly specified in the HTTP authentication.

Example

Follow these steps to configure Telnet:

1. Configure the TACACS+ server by entering these commands:

   a. tacacs server server-name
   b. address ipv4 ip-address
   c. key key-name

2. Configure the server group name by entering these commands:

   a. aaa group server tacacs+ group-name
   b. server name name

3. Configure authentication and authorization by entering these commands:

   a. aaa authentication login method-list group server-group
   b. aaa authorization exec method-list group server-group

Note

These and all the other authentication and authorization parameters must use the same database, be it RADIUS, TACACS+, or Local. For example, if command authorization has to be enabled, it also needs to point to the same database.

4. Configure HTTP to use the above method lists:

   a. ip http authentication aaa login-auth method-list

      You must explicitly specify the method list, even if the method list is "default".

   b. ip http authentication aaa exec-auth method-list


Note

• Do not configure any method-lists on the "line vty" configuration parameters. If the above steps and the line vty have different configurations, then line vty configurations take precedence.

• The database should be the same across all management configuration types such as SSH/Telnet and webui.

• You must explicitly define the method list for HTTP authentication.

Workaround

As a workaround, enter the following commands:

1. aaa authentication login default group server-group local
2. aaa authorization exec default group server-group local
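The consistency rules above (one authentication database for every management path, an explicitly named method list on both HTTP authentication commands, and no method list under line vty) as a configuration audit. This is an added example, not Cisco tooling; the configuration it parses is constructed and deliberately contains the mistakes the notes warn about, and the command syntax it recognises is the IOS-style syntax shown in the steps.

```python
"""Audit an IOS-style AAA configuration for the management-access rules:
one database for all management access, explicit HTTP method lists, and
no method lists on 'line vty'. Added example; the sample is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample: exec authorization points at a RADIUS group while
# login uses TACACS+, HTTP exec-auth is missing, and line vty carries a list.
SAMPLE_CONFIG = """\
tacacs server TAC1
 address ipv4 192.0.2.10
 key EXAMPLE-KEY
aaa group server tacacs+ MGMT-TACACS
 server name TAC1
aaa group server radius MGMT-RADIUS
 server name RAD1
aaa authentication login MGMT group MGMT-TACACS local
aaa authorization exec MGMT group MGMT-RADIUS local
ip http authentication aaa login-auth MGMT
line vty 0 4
 login authentication MGMT
"""

GROUP_RE = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)")
LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
EXEC_RE = re.compile(r"^aaa authorization exec (\S+) (.+)$")
HTTP_RE = re.compile(r"^ip http authentication aaa (login-auth|exec-auth) (\S+)")
VTY_METHOD_RE = re.compile(r"^\s+(login authentication|authorization exec)\s+\S+")


def resolve(methods: str, groups: Dict[str, str]) -> Tuple[str, ...]:
    """Turn 'group MGMT-TACACS local' into the databases consulted, in order."""
    tokens = methods.split()
    dbs: List[str] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            name = tokens[i + 1]
            # 'group tacacs+' / 'group radius' name the protocol directly
            if name in ("tacacs+", "radius"):
                dbs.append(name)
            else:
                dbs.append(groups.get(name, f"undefined:{name}"))
            i += 2
        else:
            dbs.append(tokens[i])  # local, enable, none, ...
            i += 1
    return tuple(dbs)


def audit(config: str) -> List[str]:
    """Return one finding per violated rule; an empty list means consistent."""
    groups: Dict[str, str] = {}
    raw_lists: Dict[Tuple[str, str], str] = {}
    http: Dict[str, str] = {}
    findings: List[str] = []
    in_vty = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            in_vty = line.startswith("line vty")
        if in_vty and VTY_METHOD_RE.match(line):
            findings.append(f"line vty carries a method list ('{line.strip()}'); "
                            "it takes precedence over the AAA/HTTP configuration")
            continue
        if m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
        elif m := LOGIN_RE.match(line):
            raw_lists[("login", m.group(1))] = m.group(2)
        elif m := EXEC_RE.match(line):
            raw_lists[("exec", m.group(1))] = m.group(2)
        elif m := HTTP_RE.match(line):
            http[m.group(1)] = m.group(2)

    # HTTP must name its login and exec method lists explicitly, even 'default'.
    for http_kind, list_kind in (("login-auth", "login"), ("exec-auth", "exec")):
        name = http.get(http_kind)
        if name is None:
            findings.append(f"ip http authentication aaa {http_kind} is not set; "
                            "the method list must be explicit")
        elif (list_kind, name) not in raw_lists:
            findings.append(f"HTTP {http_kind} references undefined {list_kind} "
                            f"method list '{name}'")

    # Every management method list must consult the same database sequence.
    resolved = {key: resolve(raw, groups) for key, raw in raw_lists.items()}
    if len(set(resolved.values())) > 1:
        detail = "; ".join(f"{k}/{n} -> {'/'.join(d)}"
                           for (k, n), d in sorted(resolved.items()))
        findings.append(f"mixed authentication databases across method lists: {detail}")
    for (kind, name), dbs in resolved.items():
        for db in dbs:
            if db.startswith("undefined:"):
                findings.append(f"{kind} list '{name}' uses undefined server group "
                                f"{db.split(':', 1)[1]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```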

Configuring the Management Interface (GUI)

Step 1 Choose Controller > Interfaces to open the Interfaces page.

Step 2 Click the management link. The Interfaces > Edit page appears.

Step 3 Set the management interface parameters:

Note

The management interface uses the controller’s factory-set distribution system MAC address.

• Quarantine and quarantine VLAN ID, if applicable

Note

Select the Quarantine check box if you want to configure this VLAN as unhealthy or you want to configure network access control (NAC) out-of-band integration. Doing so causes the data traffic of any client that is assigned to this VLAN to pass through the controller.

• NAT address (only Cisco 2500 Series Controllers and Cisco 5500 Series Controllers are configured for dynamic AP management.)

Note

Select the Enable NAT Address check box and enter the external NAT IP address if you want to be able to deploy your Cisco 2500 Series Controllers or Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT). NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.

Note

If a Cisco 2500 Series Controller or Cisco 5500 Series Controller is configured with an external NAT IP address under the management interface, the APs in local mode cannot associate with the controller. The workaround is to either ensure that the management interface has a globally valid IP address or ensure that the external NAT IP address is valid internally for the local APs.

Note

The NAT parameters are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. The NAT parameters do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.

• VLAN identifier


Note

Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the management interface.

• Configuring Management Interface using IPv4—Fixed IP address, IP netmask, and default gateway.

◦ Configuring Management Interface using IPv6—Fixed IPv6 address, prefix-length (interface subnet mask for IPv6) and the link local address of the IPv6 gateway router.

Note

• In a setup where IPv6 is used, we recommend that the APs be at least one hop away from the Cisco WLC. Because IPv6 packets are always sent to the gateway, if the AP and WLC are in the same subnet, the packet hop count increases and performance is impacted.

• Once the Primary IPv6 Address, Prefix Length, and Primary IPv6 Gateway are configured on the management interface, they cannot be changed back to the default values (::/128).

• A configuration backup must be carried out before configuring IPv6 in case you want to revert to an IPv4-only management interface.

• When more than 1300 IPv6 APs are in use on a single Catalyst 6000 Switch, assign the APs to multiple VLANs.

• On a Cisco 8500 Series Controller running as an HA pair, configuring the IPv6 primary gateway (link local) tears down CAPWAP even though a 3600 AP has joined with the IPv6 address. Using the test capwap command while the AP is joined with the IPv6 address shows that, when the link local address is not reachable, CAPWAP should not be formed.

If APs are joined over the IPv6 tunnel and the IPv6 gateway is misconfigured, the IPv6 tunnel is not torn down. The APs remain on the IPv6 tunnel and do not fall back to the IPv4 tunnel.

• Dynamic AP management (for Cisco 2500 Series Controllers or Cisco 5500 Series Controller only)

Note

For Cisco 5500 Series Controllers, the management interface acts like an AP-manager interface by default. If desired, you can disable the management interface as an AP-manager interface and create another dynamic interface as an AP manager.

• Physical port assignment (for all controllers except the Cisco 2500 Series Controllers or Cisco 5500 Series Controller)

• Primary and secondary DHCP servers

• Access control list (ACL) setting, if required

Step 4 Click Save Configuration.

Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.

Configuring the Management Interface (CLI)

Step 1 Enter the show interface detailed management command to view the current management interface settings.

Note

The management interface uses the controller’s factory-set distribution system MAC address.


Step 2 Enter the config wlan disable wlan-number command to disable each WLAN that uses the management interface for distribution system communication.

Step 3 Enter these commands to define the management interface:

a) Using IPv4 Address

config interface address management ip-addr ip-netmask gateway

config interface quarantine vlan management vlan_id

Note

Use the config interface quarantine vlan management vlan_id command to configure a quarantine VLAN on the management interface.

config interface vlan management {vlan-id | 0}

Note

Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the management interface.

config interface ap-manager management {enable | disable} (for Cisco 5500 Series Controllers only)

Note

Use the config interface ap-manager management {enable | disable} command to enable or disable dynamic AP management for the management interface. For Cisco 5500 Series Controllers, the management interface acts like an AP-manager interface by default. If desired, you can disable the management interface as an AP-manager interface and create another dynamic interface as an AP manager.

config interface port management physical-ds-port-number (for all controllers except the 5500 series)

config interface dhcp management ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]

config interface acl management access-control-list-name

b) Using IPv6 Address

Note

We recommend that the APs be at least one hop away from the Cisco WLC. Because IPv6 packets are always sent to the gateway, if the AP and WLC are in the same subnet, the packet hop count increases and performance is impacted.

config ipv6 interface address management primary ip-address prefix-length IPv6_Gateway_Address

Note

Once the Primary IPv6 Address, Prefix Length, and Primary IPv6 Gateway are configured on the management interface, they cannot be changed back to the default values (::/128). A configuration backup must be carried out before configuring IPv6 in case you want to revert to an IPv4-only management interface.

config interface quarantine vlan management vlan_id

Note

Use the config interface quarantine vlan management vlan_id command to configure a quarantine VLAN on the management interface.

config interface vlan management {vlan-id | 0}

Note

Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the management interface.

config interface ap-manager management {enable | disable} (for Cisco 5500 Series Controllers only)

Note

Use the config interface ap-manager management {enable | disable} command to enable or disable dynamic AP management for the management interface. For Cisco 5500 Series Controllers, the management interface acts like an AP-manager interface by default. If desired, you can disable the management interface as an AP-manager interface and create another dynamic interface as an AP manager.


config interface port management physical-ds-port-number (for all controllers except the 5500 series)

config interface dhcp management ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]

config ipv6 interface acl management access-control-list-name

Step 4 Enter these commands if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT):

config interface nat-address management {enable | disable}

config interface nat-address management set public_IP_address

NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.

Note

These commands are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. These commands do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.

Step 5 Enter the save config command.

Step 6 Enter the show interface detailed management command to verify that your changes have been saved.

Step 7 If you made any changes to the management interface, enter the reset system command to reboot the controller in order for the changes to take effect.


CHAPTER 29

Configuring the AP-Manager Interface

Information About AP-Manager Interface, page 331

Restrictions for Configuring AP Manager Interface, page 332

Configuring the AP-Manager Interface (GUI), page 332

Configuring the AP Manager Interface (CLI), page 333

Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller, page 334

Information About AP-Manager Interface

A controller configured with IPv4 has one or more AP-manager interfaces, which are used for all Layer 3 communications between the controller and lightweight access points after the access points have joined the controller.

Note

Release 8.2 does not support multiple non-AP Manager dynamic interfaces, untagged management interfaces, management interfaces mapped to physical ports, and non-LAG scenarios.

Note

A controller configured with IPv6 has only one AP-manager, and it applies to the management interface.

You cannot remove the AP-manager configured on management interface.

The AP-manager IP address is used as the tunnel source for CAPWAP packets from the controller to the access point and as the destination for CAPWAP packets from the access point to the controller.

Note

The controller does not support transmitting jumbo frames. To avoid having the controller transmit CAPWAP packets to the AP that would necessitate fragmentation and reassembly, reduce the MTU/MSS on the client side.

The AP-manager interface communicates through any distribution system port by listening across the Layer 3 network for access point CAPWAP or LWAPP join messages to associate and communicate with as many lightweight access points as possible.


A controller configured with IPv6 does not support Dynamic AP-Manager. By default, the management interface acts like an AP-manager interface. Link Aggregation (LAG) is used for IPv6 AP load balancing.

Restrictions for Configuring AP Manager Interface

• For IPv4—The MAC address of the management interface and the AP-manager interface is the same as the base LAG MAC address.

• If only one distribution system port can be used, you should use distribution system port 1.

• An AP-manager interface is not required to be configured. The management interface acts like an AP-manager interface by default, and the access points can join on this interface.

• If link aggregation (LAG) is enabled, there can be only one AP-manager interface. But when LAG is disabled, one or more AP-manager interfaces can be created, generally one per physical port.

◦When LAG is enabled—Supports only one AP Manager, which can either be on the management or dynamic interface with AP management.

◦ When LAG is disabled—Supports one AP Manager per port. The Dynamic Interface tied to a VLAN can act as an AP Manager (when enabled).

Note

When you enable LAG, all the ports lose their AP Manager status and AP management reverts to the management interface.

• Port redundancy for the AP-manager interface is not supported. You cannot map the AP-manager interface to a backup port.

Configuring the AP-Manager Interface (GUI)

Step 1 Choose Controller > Interfaces to open the Interfaces page.

Step 2 Click AP-Manager Interface. The Interface > Edit page appears.

Note

For IPv6 only—A controller configured with IPv6 address does not support Dynamic AP-Manager. By default, the management interface acts like an AP-manager interface.

Step 3 Set the AP-Manager Interface parameters:

Note

For Cisco 5500 Series Controllers, you are not required to configure an AP-manager interface. The management interface acts like an AP-manager interface by default.

• Physical port assignment

• VLAN identifier

Note

Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the AP-manager interface.


Note

The gig/wired subinterface is numbered with the VLAN number, and the dot11 subinterface is numbered with the WLAN ID. The first configured WLAN becomes dot11 0.1 and dot11 1.1, the second WLAN ID subinterface becomes dot11 0.2 and dot11 1.2, and so on. This dot11 subinterface number cannot be mapped to a VLAN ID because multiple WLANs can be assigned the same VLAN number, and duplicate subinterfaces cannot be created in the system. The native subinterface configuration on the wired interface is the AP native VLAN configuration if VLAN support is enabled in FlexConnect mode; otherwise the native interface is always the gig prime interface on the AP (Local / Flex with no VLAN support).

• Fixed IP address, IP netmask, and default gateway

• Primary and secondary DHCP servers

• Access control list (ACL) name, if required

Step 4 Click Save Configuration to save your changes.

Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.

Configuring the AP Manager Interface (CLI)

Before You Begin

For Cisco 5500 Series Controllers, you are not required to configure an AP-manager interface. The management interface acts like an AP-manager interface by default.

Note

A controller configured with IPv6 address does not support Dynamic AP-Manager. The management interface acts like an AP-manager interface by default.

Step 1 Enter the show interface summary command to view the current interfaces.

Note

If the system is operating in Layer 2 mode, the AP-manager interface is not listed.

Step 2 Enter the show interface detailed ap-manager command to view the current AP-manager interface settings.

Step 3 Enter the config wlan disable wlan-number command to disable each WLAN that uses the AP-manager interface for distribution system communication.

Step 4 Enter these commands to define the AP-manager interface:

config interface address ap-manager ip-addr ip-netmask gateway

config interface vlan ap-manager {vlan-id | 0}

Note

Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the AP-manager interface.

config interface port ap-manager physical-ds-port-number

config interface dhcp ap-manager ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]


config interface acl ap-manager access-control-list-name

Step 5 Enter the save config command to save your changes.

Step 6 Enter the show interface detailed ap-manager command to verify that your changes have been saved.

Configuration Example: Configuring AP-Manager on a Cisco 5500 Series Controller

For a Cisco 5500 Series Controller, we recommend that you have eight dynamic AP-manager interfaces and associate them to the eight Gigabit ports of the controller when LAG is not used. If you are using the management interface, which acts like an AP-manager interface by default, you must create only seven more dynamic AP-manager interfaces and associate them to the remaining seven Gigabit ports.

Note

For IPv6 only—A controller configured with IPv6 address does not support Dynamic AP-Manager. By default, the management interface acts like an AP-manager interface. Use LAG for IPv6 AP load balancing.


This figure shows a dynamic interface that is enabled as a dynamic AP-manager interface and associated to port number 2.

Figure 33: Dynamic Interface Example with Dynamic AP Management


This figure shows a Cisco 5500 Series Controller with LAG disabled, the management interface used as one dynamic AP-manager interface, and seven additional dynamic AP-manager interfaces, each mapped to a different Gigabit port.

Figure 34: Cisco 5500 Series Controller Interface Configuration Example


CHAPTER 30

Configuring Virtual Interfaces

Information About the Virtual Interface, page 337

Configuring Virtual Interfaces (GUI), page 338

Configuring Virtual Interfaces (CLI), page 338

Information About the Virtual Interface

The virtual interface is used to support mobility management, Dynamic Host Configuration Protocol (DHCP) relay, and embedded Layer 3 security such as guest web authentication and VPN termination. It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3 web authorization is enabled.

Specifically, the virtual interface plays these two primary roles:

• Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server.

• Serves as the redirect address for the web authentication login page.

The virtual interface IP address is used only in communications between the controller and wireless clients.

It never appears as the source or destination address of a packet that goes out a distribution system port and onto the switched network. For the system to operate correctly, the virtual interface IP address must be set (it cannot be 0.0.0.0), and no other device on the network can have the same address as the virtual interface.

Therefore, the virtual interface must be configured with an unassigned and unused gateway IP address. The virtual interface IP address is not pingable and should not exist in any routing table in your network. In addition, the virtual interface cannot be mapped to a physical port.

Note

All controllers within a mobility group must be configured with the same virtual interface IP address. Otherwise, inter-controller roaming may appear to work, but the handoff does not complete, and the client loses connectivity for a period of time.


Configuring Virtual Interfaces (GUI)

Step 1 Choose Controller > Interfaces to open the Interfaces page.

Step 2 Click Virtual. The Interfaces > Edit page appears.

Step 3 Enter the following parameters:

• Any valid unassigned, and unused gateway IP address

• DNS gateway hostname

Note

To ensure connectivity and web authentication, the DNS server should always point to the virtual interface. If a DNS hostname is configured for the virtual interface, then the same DNS host name must be configured on the DNS server(s) used by the client.

Step 4 Click Save Configuration.

Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.

Configuring Virtual Interfaces (CLI)

Step 1 Enter the show interface detailed virtual command to view the current virtual interface settings.

Step 2 Enter the config wlan disable wlan-number command to disable each WLAN that uses the virtual interface for distribution system communication.

Step 3 Enter these commands to define the virtual interface:

config interface address virtual ip-address

Note

For ip-address, enter a valid, unassigned, and unused gateway IP address.

config interface hostname virtual dns-host-name

Step 4 Enter the reset system command. At the confirmation prompt, enter Y to save your configuration changes to NVRAM. The controller reboots.

Step 5 Enter the show interface detailed virtual command to verify that your changes have been saved.


CHAPTER 31

Configuring Service-Port Interfaces

Information About Service-Port Interfaces, page 339

Restrictions for Configuring Service-Port Interfaces, page 340

Configuring Service-Port Interfaces Using IPv4 (GUI), page 340

Configuring Service-Port Interfaces Using IPv4 (CLI), page 340

Configuring Service-Port Interface Using IPv6 (GUI), page 341

Configuring Service-Port Interfaces Using IPv6 (CLI), page 341

Information About Service-Port Interfaces

The service-port interface controls communications through and is statically mapped by the system to the service port.

The service port can obtain an IPv4 address using DHCP, or it can be assigned a static IPv4 address, but a default gateway cannot be assigned to the service-port interface. Static IPv4 routes can be defined through the controller for remote network access to the service port.

If the service port is in use, the management interface must be on a different supernet from the service-port interface.

Similarly, the service port can be statically assigned an IPv6 address or select an IPv6 address using Stateless Address Auto-Configuration (SLAAC). The default gateway cannot be assigned to the service-port interface.

Static IPv6 routes can be defined through the controller for remote network access to the service port.

Note

While IPv6 addressing is used along with stateless address auto-configuration, the controller does not perform the subnet verification; however, you must not connect the service-port in the same subnet as the other interfaces in the controller.

Note

This is the only SLAAC interface on the controller; all other interfaces must be statically assigned (just like for IPv4).


Note

You do not need IPv6 static routes to reach the service port from the same network, but IPv6 static routes are required to reach the service port from a different network. The IPv6 static routes are configured in the same way as the IPv4 static routes.

Restrictions for Configuring Service-Port Interfaces

• Only Cisco 7500 Series Controllers and Cisco 5500 Series Controllers have a physical service-port interface that is reachable from the external network.

• You must not use the service-port for continuous SNMP polling and management functions except when the management interface of the controller is unreachable.

Configuring Service-Port Interfaces Using IPv4 (GUI)

Step 1 Choose Controller > Interfaces to open the Interfaces page.

Step 2 Click the service-port link to open the Interfaces > Edit page.

Step 3 Enter the Service-Port Interface parameters:

Note

The service-port interface uses the controller’s factory-set service-port MAC address.

• DHCP protocol (enabled)

• DHCP protocol (disabled) and IP address and IP netmask

Step 4 Click Save Configuration to save your changes.

Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.

Configuring Service-Port Interfaces Using IPv4 (CLI)

Step 1 To view the current service-port interface settings, enter this command:

show interface detailed service-port

Note

The service-port interface uses the controller’s factory-set service-port MAC address.

Step 2 Enter these commands to define the service-port interface:

• To configure the DHCP server, enter this command:

config interface dhcp service-port enable

• To disable the DHCP server, enter this command:


config interface dhcp service-port disable

• To configure the IPv4 address, enter this command:

config interface address service-port ip-addr ip-netmask

Step 3 The service port is used for out-of-band management of the controller. If the management workstation is in a remote subnet, you may need to add an IPv4 route on the controller in order to manage the controller from that remote workstation. To do so, enter this command:

config route add network-ip-addr ip-netmask gateway

Step 4 To remove the IPv4 route on the controller, enter this command:

config route delete ip_address

Step 5 Enter the save config command to save your changes.

Step 6 Enter the show interface detailed service-port command to verify that your changes have been saved.

Configuring Service-Port Interface Using IPv6 (GUI)

Step 1 Choose Controller > Interfaces to open the Interfaces page.

Step 2 Click the service-port link to open the Interfaces > Edit page.

Step 3 Enter the Service-Port Interface parameters:

Note

The service-port interface uses the controller’s factory-set service-port MAC address. The service port can be statically assigned an address or select an address using SLAAC.

• SLAAC (enabled)

• SLAAC (disabled) and Primary Address and Prefix Length

Step 4 Click Save Configuration to save your changes.

Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.

Configuring Service-Port Interfaces Using IPv6 (CLI)

Step 1 To view the current service-port interface settings, enter this command:

show interface detailed service-port

Note

The service-port interface uses the controller’s factory-set service-port MAC address.

Step 2 Enter these commands to define the service-port interface:


• To configure the service port using SLAAC, enter this command:

config ipv6 interface slaac service-port enable

• To disable the service port from using SLAAC, enter this command:

config ipv6 interface slaac service-port disable

• To configure the IPv6 address, enter this command:

config ipv6 interface address service-port ipv6_address prefix-length

Step 3 The service port is used for out-of-band management of the controller. If the management workstation is in a remote subnet, you may need to add a route on the controller in order to manage the controller from that remote workstation. To do so, enter this command:

config ipv6 route add network_ipv6_addr prefix-len ipv6_gw_addr

Step 4 To remove the IPv6 route on the controller, enter this command:

config ipv6 route delete network_ipv6_addr

Step 5 Enter the save config command to save your changes.

Step 6 Enter the show interface detailed service-port command to verify that your changes have been saved.


CHAPTER 32

Configuring Dynamic Interfaces

Information About Dynamic Interface, page 343

Prerequisites for Configuring Dynamic Interfaces, page 344

Restrictions for Configuring Dynamic Interfaces, page 344

Configuring Dynamic Interfaces (GUI), page 344

Configuring Dynamic Interfaces (CLI), page 346

Information About Dynamic Interface

Dynamic interfaces, also known as VLAN interfaces, are created by users and designed to be analogous to VLANs for wireless LAN clients. A controller can support up to 512 dynamic interfaces (VLANs). Each dynamic interface is individually configured and allows separate communication streams to exist on any or all of a controller’s distribution system ports. Each dynamic interface controls VLANs and other communications between controllers and all other network devices, and each acts as a DHCP relay for wireless clients associated to WLANs mapped to the interface. You can assign dynamic interfaces to distribution system ports, WLANs, the Layer 2 management interface, and the Layer 3 AP-manager interface, and you can map the dynamic interface to a backup port.

You can configure zero, one, or multiple dynamic interfaces on a distribution system port. However, all dynamic interfaces must be on a different VLAN or IP subnet from all other interfaces configured on the port.

If the port is untagged, all dynamic interfaces must be on a different IP subnet from any other interface configured on the port.

This table lists the maximum number of VLANs supported on the various controller platforms.

Table 7: Maximum number of VLANs supported on Cisco Wireless Controllers

Wireless Controllers                                            Maximum VLANs
Cisco Virtual Wireless Controller                               512
Cisco Wireless Controller Module for ISR G2                     16
Cisco 2500 Series Wireless Controllers                          16
Cisco 5500 Series Wireless Controller                           512
Cisco Catalyst 6500 Series Wireless Services Module 2 (WiSM2)   512
Cisco Flex 7500 Series Cloud Controller                         4,096
Cisco 8500 Series Controller                                    4,096

Note

You must not configure a dynamic interface in the same network as that of Local Mobility Anchor (LMA).

If you do so, the GRE tunnel between the controller and LMA does not come up.

Prerequisites for Configuring Dynamic Interfaces

While configuring on the dynamic interface of the controller, you must ensure the following:

• You must use tagged VLANs for dynamic interfaces.

Restrictions for Configuring Dynamic Interfaces

The following restrictions apply for configuring the dynamic interfaces on the controller:

• You must not configure a dynamic interface in the same subnetwork as a server that is reachable by the controller CPU, such as a RADIUS server, as it might cause asymmetric routing issues.

• Wired clients cannot access the management interface of the Cisco WLC 2500 series using the IP address of the AP Manager interface when Dynamic AP Management is enabled on a dynamic VLAN.

• For SNMP requests that come from a subnet that is configured as a dynamic interface, the controller responds but the response does not reach the device that initiated the conversation.

• If you are using DHCP proxy and/or a RADIUS source interface, ensure that the dynamic interface has a valid routable address. Duplicate or overlapping addresses across controller interfaces are not supported.

Configuring Dynamic Interfaces (GUI)

Step 1 Choose Controller > Interfaces to open the Interfaces page.

Step 2 Perform one of the following:

• To create a new dynamic interface, click New. The Interfaces > New page appears. Go to Step 3.

• To modify the settings of an existing dynamic interface, click the name of the interface. The Interfaces > Edit page for that interface appears. Go to Step 5.

• To delete an existing dynamic interface, hover your cursor over the blue drop-down arrow for the desired interface and choose Remove.

Step 3 Enter an interface name and a VLAN identifier, as shown in the figure above.

Step 4 Click Apply to commit your changes. The Interfaces > Edit page appears.

Step 5 Configure the following parameters:

• Guest LAN, if applicable

• Quarantine and quarantine VLAN ID, if applicable

Note

Select the Quarantine check box if you want to configure this VLAN as unhealthy or you want to configure network access control (NAC) out-of-band integration. Doing so causes the data traffic of any client that is assigned to this VLAN to pass through the controller.

• Physical port assignment (for all controllers except the 5500 series)

• NAT address (only for Cisco 5500 Series Controllers configured for dynamic AP management)

Note

Select the Enable NAT Address check box and enter the external NAT IP address if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT). NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.

The NAT parameters are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. The NAT parameters do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.

• Dynamic AP management

Note

When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.

Set the APs in a VLAN that is different than the dynamic interface configured on the controller. If the APs are in the same VLAN as the dynamic interface, the APs are not registered on the controller and the “LWAPP discovery rejected” and “Layer 3 discovery request not received on management VLAN” errors are logged on the controller.

• VLAN identifier

• Fixed IP address, IP netmask, and default gateway

Note

Enter valid IP addresses in these fields.

• Primary and secondary DHCP servers

• Access control list (ACL) name, if required

Note

To ensure proper operation, you must set the Port Number and Primary DHCP Server parameters.

Step 6 Click Save Configuration to save your changes.

Step 7 Repeat this procedure for each dynamic interface that you want to create or edit.

Configuring Dynamic Interfaces (CLI)

Step 1 Enter the show interface summary command to view the current dynamic interfaces.

Step 2 View the details of a specific dynamic interface by entering this command:

show interface detailed operator_defined_interface_name

Note

Interface names that contain spaces must be enclosed in double quotes. For example: config interface create "vlan 25"

Step 3 Enter the config wlan disable wlan_id command to disable each WLAN that uses the dynamic interface for distribution system communication.

Step 4 Enter these commands to configure dynamic interfaces:

config interface create operator_defined_interface_name {vlan_id | x}

config interface address interface ip_addr ip_netmask [gateway]

config interface vlan operator_defined_interface_name {vlan_id | o}

config interface port operator_defined_interface_name physical_ds_port_number

config interface ap-manager operator_defined_interface_name {enable | disable}

Note

Use the config interface ap-manager operator_defined_interface_name {enable | disable} command to enable or disable dynamic AP management. When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.

config interface dhcp operator_defined_interface_name ip_address_of_primary_dhcp_server [ip_address_of_secondary_dhcp_server]

config interface quarantine vlan interface_name vlan_id

Note

Use the config interface quarantine vlan interface_name vlan_id command to configure a quarantine VLAN on any interface.

config interface acl operator_defined_interface_name access_control_list_name

Step 5 Enter these commands if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT):

config interface nat-address dynamic-interface operator_defined_interface_name {enable | disable}

config interface nat-address dynamic-interface operator_defined_interface_name set public_IP_address

NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.

Note

These commands are supported for use only with one-to-one-mapping NAT, whereby each private client has a direct and fixed mapping to a global address. These commands do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.

Step 6 Enter the config wlan enable wlan_id command to reenable each WLAN that uses the dynamic interface for distribution system communication.

Step 7 Enter the save config command to save your changes.

Step 8 Enter the show interface detailed operator_defined_interface_name command and show interface summary command to verify that your changes have been saved.

Note

If desired, you can enter the config interface delete operator_defined_interface_name command to delete a dynamic interface.
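The CLI procedure above lists the per-interface commands but leaves the prerequisites and restrictions of this chapter (tagged VLANs only, the Table 7 platform limit, no duplicate or overlapping addresses, no dynamic interface in the subnet of a CPU-reachable server such as a RADIUS server) to the operator. The following Python script is an added example, not part of the Cisco guide or the controller software: it checks a planned set of dynamic interfaces against those rules before emitting the config interface commands. The platform keys, the DynamicInterface fields, and the sample addresses are assumptions constructed for the example.

```python
"""Plan-time checks for WLC dynamic interfaces (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass

# Table 7 in this chapter: maximum VLANs per platform (the short keys are assumed labels).
MAX_VLANS = {"vwlc": 512, "isr-g2-module": 16, "2500": 16, "5500": 512,
             "wism2": 512, "flex-7500": 4096, "8500": 4096}


@dataclass
class DynamicInterface:
    name: str
    vlan_id: int        # 0 would mean untagged, which the prerequisites forbid
    address: str
    netmask: str
    gateway: str
    port: int           # physical distribution system port
    dhcp_primary: str   # primary DHCP server, required for proper operation


def check_plan(platform, interfaces, cpu_reachable_servers=()):
    """Return the rule violations in a planned set of dynamic interfaces."""
    problems = []
    limit = MAX_VLANS[platform]
    if len(interfaces) > limit:
        problems.append(f"{len(interfaces)} interfaces exceed the {limit}-VLAN limit for {platform}")
    seen = []  # (name, network, port, vlan_id, address) of interfaces already checked
    for intf in interfaces:
        if intf.vlan_id == 0:
            problems.append(f"{intf.name}: dynamic interfaces must use a tagged VLAN")
        net = ipaddress.ip_network(f"{intf.address}/{intf.netmask}", strict=False)
        # Restriction: no dynamic interface in the subnet of a server the controller CPU reaches.
        for server in cpu_reachable_servers:
            if ipaddress.ip_address(server) in net:
                problems.append(f"{intf.name}: shares subnet {net} with CPU-reachable server {server}")
        for other_name, other_net, other_port, other_vlan, other_addr in seen:
            # Restriction: duplicate or overlapping addresses across interfaces are not supported.
            if intf.address == other_addr or net.overlaps(other_net):
                problems.append(f"{intf.name}: address or subnet overlaps with {other_name}")
            # Interfaces on the same port must be on different VLANs.
            if intf.port == other_port and intf.vlan_id == other_vlan:
                problems.append(f"{intf.name}: same VLAN {intf.vlan_id} as {other_name} on port {intf.port}")
        seen.append((intf.name, net, intf.port, intf.vlan_id, intf.address))
    return problems


def cli_commands(intf):
    """Emit the config interface commands from this chapter for one planned interface."""
    name = f'"{intf.name}"' if " " in intf.name else intf.name  # names with spaces need quotes
    return [f"config interface create {name} {intf.vlan_id}",
            f"config interface address {name} {intf.address} {intf.netmask} {intf.gateway}",
            f"config interface port {name} {intf.port}",
            f"config interface dhcp {name} {intf.dhcp_primary}"]


# Constructed sample plan for a Cisco 2500 Series Controller; all addresses are made up.
SAMPLE_PLAN = [
    DynamicInterface("vlan 25", 25, "10.20.25.2", "255.255.255.0", "10.20.25.1", 1, "10.20.1.10"),
    DynamicInterface("staff", 30, "10.20.30.2", "255.255.255.0", "10.20.30.1", 1, "10.20.1.10"),
]
# Untagged, and placed in the same subnet as "vlan 25": both rules above reject it.
BAD_INTERFACE = DynamicInterface("guest", 0, "10.20.25.50", "255.255.255.0", "10.20.25.1", 2, "10.20.1.10")

if __name__ == "__main__":
    for problem in check_plan("2500", SAMPLE_PLAN + [BAD_INTERFACE], ["10.20.30.5"]):
        print("problem:", problem)
    for intf in SAMPLE_PLAN:
        print("\n".join(cli_commands(intf)))
```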


CHAPTER 33

Configuring Ports

Configuring Ports (GUI), page 349

Configuring Ports (GUI)

The controller’s ports are configured with factory-default settings designed to make the controllers’ ports operational without additional configuration. However, you can view the status of the controller’s ports and edit their configuration parameters at any time.

Step 1 Choose Controller > Ports to open the Ports page.

This page shows the current configuration for each of the controller’s ports.

If you want to change the settings of any port, click the number for that specific port. The Port > Configure page appears.

Note

If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.

The number of parameters available on the Port > Configure page depends on your controller type.

The following show the current status of the port:

• Port Number—Number of the current port.

• Admin Status—Current state of the port. Values: Enable or Disable

• Physical Mode—Configuration of the port physical interface. The mode varies by the controller type.

• Physical Status—The data rate being used by the port. The available data rates vary based on controller type.

◦ 2500 series: 1 Gbps full duplex

◦ WiSM2: 10 Gbps full duplex

◦ 7500 series: 10 Gbps full duplex

• Link Status—Link status of the port. Values: Link Up or Link Down

• Link Trap—Whether the port is set to send a trap when the link status changes. Values: Enable or Disable

• Power over Ethernet (PoE)—Whether the port provides –48 VDC to a connected device that is equipped to receive power through the Ethernet cable. Values: Enable or Disable

Note

Some older Cisco access points do not draw PoE even if it is enabled on the controller port. In such cases, contact the Cisco Technical Assistance Center (TAC).

The following is a list of the port’s configurable parameters.

1. Admin Status—Enables or disables the flow of traffic through the port. Options: Enable or Disable, with default option of Enable.

Note

When a primary port link goes down, messages may get logged internally only and not be posted to a syslog server. It may take up to 40 seconds to restore logging to the syslog server.

2. Physical Mode—Determines whether the port’s data rate is set automatically or specified by the user. The supported data rates vary based on the controller type. Default: Auto.

3. Link Trap—Causes the port to send a trap when the port’s link status changes. Options: Enable or Disable, with default option of Enable.

Step 2 Click Apply.

Step 3 Click Save Configuration.

Step 4 Click Back to return to the Ports page and review your changes.

Step 5 Repeat this procedure for each additional port that you want to configure.


CHAPTER 34

Information About Using Cisco 5500 Series Controller USB Console Port

The USB console port on the Cisco 5500 Series Controllers connects directly to the USB connector of a PC using a USB Type A-to-5-pin mini Type B cable.

Note

The 4-pin mini Type B connector is easily confused with the 5-pin mini Type B connector. They are not compatible. Only the 5-pin mini Type B connector can be used.

For operation with Microsoft Windows, the Cisco Windows USB console driver must be installed on any PC connected to the console port. With this driver, you can plug and unplug the USB cable into and from the console port without affecting Windows HyperTerminal operations.

Note

Only one console port can be active at a time. When a cable is plugged into the USB console port, the RJ-45 port becomes inactive. Conversely, when the USB cable is removed from the USB port, the RJ-45 port becomes active.

USB Console OS Compatibility, page 351

Changing the Cisco USB Systems Management Console COM Port to an Unused Port, page 352

USB Console OS Compatibility

Before You Begin

These operating systems are compatible with the USB console:

• Microsoft Windows 2000, Windows XP, Windows Vista, Windows 7 (Cisco Windows USB console driver required)

• Apple Mac OS X 10.5.2 (no driver required)


• Linux (no driver required)

Step 1 Download the USB_Console.inf driver file as follows:

a) Click this URL to go to the Software Center: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278875243

b) Click Wireless LAN Controllers.

c) Click Standalone Controllers.

d) Click Cisco 5500 Series Wireless LAN Controllers.

e) Click Cisco 5508 Wireless LAN Controller.

f) Choose the USB driver file.

g) Save the file to your hard drive.

Step 2 Connect the Type A connector to a USB port on your PC.

Step 3 Connect the mini Type B connector to the USB console port on the controller.

Step 4 When prompted for a driver, browse to the USB_Console.inf file on your PC. Follow the prompts to install the USB driver.

Note

Some systems might also require an additional system file. You can download the Usbser.sys file from Microsoft's Website.

Changing the Cisco USB Systems Management Console COM Port to an Unused Port

Before You Begin

The USB driver is mapped to COM port 6. Some terminal emulation programs do not recognize a port higher than COM 4. If necessary, you must change the Cisco USB systems management console COM port to an unused port of COM 4 or lower.

Step 1 From your Windows desktop, right-click My Computer and choose Manage.

Step 2 From the list on the left side, choose Device Manager.

Step 3 From the device list on the right side, double-click Ports (COM & LPT).

Step 4 Right-click Cisco USB System Management Console 0108 and choose Properties.

Step 5 Click the Port Settings tab and click the Advanced button.

Step 6 From the COM Port Number drop-down list, choose an unused COM port of 4 or lower.

Step 7 Click OK to save and then close the Advanced Settings dialog box.

Step 8 Click OK to save and then close the Communications Port Properties dialog box.


CHAPTER 35

Configuring Link Aggregation

Information About Link Aggregation, page 353

Restrictions for Link Aggregation, page 353

Configuring Link Aggregation (GUI), page 355

Configuring Link Aggregation (CLI), page 356

Verifying Link Aggregation Settings (CLI), page 356

Configuring Neighbor Devices to Support Link Aggregation, page 356

Choosing Between Link Aggregation and Multiple AP-Manager Interfaces, page 356

Information About Link Aggregation

Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller’s distribution system ports into a single 802.3ad port channel, thereby reducing the number of IP addresses needed to configure the ports on your controller. When LAG is enabled, the system dynamically manages port redundancy and load balances access points transparently to the user.

LAG simplifies controller configuration because you no longer need to configure primary and secondary ports for each interface. If any of the controller ports fail, traffic is automatically migrated to one of the other ports.

As long as at least one controller port is functioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to send and receive data.

Cisco WLC does not send CDP advertisements on a LAG interface.

Note

LAG is supported across switches.

Restrictions for Link Aggregation

• You can bundle all eight ports on a Cisco 5508 Controller into a single link.


• Terminating on two different modules within a single Catalyst 6500 series switch provides redundancy and ensures that connectivity between the switch and the controller is maintained when one module fails. The controller’s port 1 is connected to Gigabit interface 3/1, and the controller’s port 2 is connected to Gigabit interface 2/1 on the Catalyst 6500 series switch. Both switch ports are assigned to the same channel group.

• LAG requires the EtherChannel to be configured for 'mode on' on both the controller and the Catalyst switch.

• Once the EtherChannel is configured as on at both ends of the link, the Catalyst switch should not be configured for either Link Aggregation Control Protocol (LACP) or Cisco proprietary Port Aggregation Protocol (PAgP) but be set unconditionally to LAG. Because no channel negotiation is done between the controller and the switch, the controller does not answer to negotiation frames and the LAG is not formed if a dynamic form of LAG is set on the switch. Additionally, LACP and PAgP are not supported on the controller.

• If the recommended load-balancing method cannot be configured on the Catalyst switch, then configure the LAG connection as a single member link or disable LAG on the controller.

Figure 35: Link Aggregation with the Catalyst 6500 Series Neighbor Switch

• You cannot configure the controller’s ports into separate LAG groups. Only one LAG group is supported per controller. Therefore, you can connect a controller in LAG mode to only one neighbor device.

• When you enable LAG or make any changes to the LAG configuration, you must immediately reboot the controller.

• When you enable LAG, you can configure only one AP-manager interface because only one logical port is needed. LAG removes the requirement for supporting multiple AP-manager interfaces.

• When you enable LAG, all dynamic AP-manager interfaces and untagged interfaces are deleted, and all WLANs are disabled and mapped to the management interface. Also, the management, static AP-manager, and VLAN-tagged dynamic interfaces are moved to the LAG port.

• Multiple untagged interfaces to the same port are not allowed.

• When you enable LAG, you cannot create interfaces with a primary port other than 29.


• When you enable LAG, all ports participate in LAG by default. You must configure LAG for all of the connected ports in the neighbor switch.

• When you enable LAG, if any single link goes down, traffic migrates to the other links.

• When you enable LAG, only one functional physical port is needed for the controller to pass client traffic.

• When you enable LAG, access points remain connected to the controller until you reboot the controller, which is needed to activate the LAG mode change, and data service for users continues uninterrupted.

• When you enable LAG, you eliminate the need to configure primary and secondary ports for each interface.

• When you enable LAG, the controller sends packets out on the same port on which it received them. If a CAPWAP packet from an access point enters the controller on physical port 1, the controller removes the CAPWAP wrapper, processes the packet, and forwards it to the network on physical port 1. This may not be the case if you disable LAG.

• When you disable LAG, the management, static AP-manager, and dynamic interfaces are moved to port 1.

• When you disable LAG, you must configure primary and secondary ports for all interfaces.

• When you disable LAG, you must assign an AP-manager interface to each port on the controller. Otherwise, access points are unable to join.

• Cisco 5500 Series Controllers support a single static link aggregation bundle.

• LAG is typically configured using the Startup Wizard, but you can enable or disable it at any time through either the GUI or CLI.

• When you enable LAG on Cisco 2500 Series Controller to which the direct-connect access point is associated, the direct connect access point is disconnected since LAG enabling is still in the transition state. You must reboot the controller immediately after enabling LAG.

• On Cisco 8500 Series Controllers, flapping occurs when more than 1000 APs join the controller over CAPWAP IPv6. To avoid this, do not add more than 1000 APs on a single Catalyst switch for CAPWAP IPv6.

Configuring Link Aggregation (GUI)

Step 1 Choose Controller > General to open the General page.

Step 2 Set the LAG Mode on Next Reboot parameter to Enabled.

Step 3 Save the configuration.

Step 4 Reboot Cisco WLC.

Step 5 Assign the WLAN to the appropriate VLAN.


Configuring Link Aggregation (CLI)

Step 1 Enter the config lag enable command to enable LAG.

Note

Enter the config lag disable command if you want to disable LAG.

Step 2 Enter the save config command to save your settings.

Step 3 Reboot Cisco WLC.

Verifying Link Aggregation Settings (CLI)

To verify your LAG settings, enter this command:

show lag summary

Information similar to the following appears:

LAG Enabled

Configuring Neighbor Devices to Support Link Aggregation

The controller’s neighbor devices must also be properly configured to support LAG.

• Each neighbor port to which the controller is connected should be configured as follows:

interface GigabitEthernet <interface id>
switchport
channel-group <id> mode on
no shutdown

• The port channel on the neighbor switch should be configured as follows:

interface port-channel <id>
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan <native vlan id>
switchport trunk allowed vlan <allowed vlans>
switchport mode trunk
no shutdown
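The two neighbor-switch fragments above describe the intended end state. The following Python script is an added example, not Cisco code: it parses an IOS-style switch configuration and reports deviations from the LAG requirements in this chapter, namely every controller-facing port in a single channel-group with mode on (the controller never answers LACP or PAgP negotiation frames), the port channel configured as a dot1q trunk, and the controller's VLANs allowed on that trunk. The sample configuration, interface names and VLAN numbers are constructed for the example.

```python
"""Check a neighbor switch config against this chapter's LAG requirements (added example, not Cisco code)."""
import re


def _key(name):
    return re.sub(r"\s+", "", name).lower()  # 'port-channel 5' and 'Port-channel5' become one key


def parse_interfaces(config_text):
    """Group an IOS-style running config into {interface key: [sub-commands]}."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = _key(line[len("interface "):])
            blocks[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def allowed_vlans(port_channel_cmds):
    """Expand 'switchport trunk allowed vlan 25,30-32' into a set; None means all VLANs allowed."""
    for cmd in port_channel_cmds:
        if cmd.startswith("switchport trunk allowed vlan "):
            vlans = set()
            for part in cmd.split()[4].split(","):  # 'add'/'except' forms are not handled
                low, _, high = part.partition("-")
                vlans.update(range(int(low), int(high or low) + 1))
            return vlans
    return None


def check_lag_neighbor(config_text, controller_ports, controller_vlans):
    """Return the problems that would keep the LAG from forming or from carrying the controller's VLANs."""
    blocks = parse_interfaces(config_text)
    problems, groups = [], set()
    for port in controller_ports:
        cmds = blocks.get(_key(port), [])
        matches = [re.match(r"channel-group (\d+) mode (\S+)", c) for c in cmds]
        match = next((m for m in matches if m), None)
        if match is None:
            problems.append(f"{port}: no channel-group, so it is not in the LAG bundle")
            continue
        groups.add(match.group(1))
        if match.group(2) != "on":  # the controller does not negotiate LACP or PAgP
            problems.append(f"{port}: channel-group mode {match.group(2)}; LAG requires 'mode on'")
    if len(groups) > 1:
        problems.append(f"controller ports split across channel-groups {sorted(groups)}; only one LAG group is supported")
    for group in groups:
        pc = blocks.get(f"port-channel{group}", [])
        if "switchport mode trunk" not in pc:
            problems.append(f"port-channel {group}: must be configured as a dot1q trunk")
        allowed = allowed_vlans(pc)
        missing = [v for v in controller_vlans if allowed is not None and v not in allowed]
        if missing:
            problems.append(f"port-channel {group}: controller VLANs {missing} are not allowed on the trunk")
    return problems


# Constructed sample: the second controller-facing port was set to LACP by mistake.
SAMPLE_NEIGHBOR_CONFIG = """\
interface GigabitEthernet3/1
 channel-group 5 mode on
!
interface GigabitEthernet2/1
 channel-group 5 mode active
!
interface port-channel 5
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,25,30-32
 switchport mode trunk
 no shutdown
"""
```

Running check_lag_neighbor(SAMPLE_NEIGHBOR_CONFIG, ["GigabitEthernet3/1", "GigabitEthernet2/1"], [100, 25, 30, 31, 32]) reports only the mode active port; such a port stays out of the bundle because the controller never completes the negotiation.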

Choosing Between Link Aggregation and Multiple AP-Manager Interfaces

Cisco 5500 Series Controllers have no restrictions on the number of access points per port, but we recommend using LAG or multiple AP-manager interfaces on each Gigabit Ethernet port to automatically balance the load.

The following factors should help you decide which method to use if your controller is set for Layer 3 operation:


• With LAG, all of the controller ports need to connect to the same neighbor switch. If the neighbor switch goes down, the controller loses connectivity.

• With multiple AP-manager interfaces, you can connect your ports to different neighbor devices. If one of the neighbor switches goes down, the controller still has connectivity. However, using multiple AP-manager interfaces presents certain challenges when port redundancy is a concern.
