Cisco 5700 Series Wireless LAN Controllers Configuration Guide

Consolidated Platform Configuration Guide, Cisco IOS XE Release 3E
(Cisco 5700 Series WLC)
First Published: 2014-06-30
Last Modified: 2015-05-25
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-32363-01
Contents
PREFACE
Preface lxxv
Document Conventions lxxv
Related Documentation lxxvii
Obtaining Documentation and Submitting a Service Request lxxvii
CHAPTER 1
Using the Command-Line Interface 1
Information About Using the Command-Line Interface 1
Command Modes 1
Understanding Abbreviated Commands 3
No and Default Forms of Commands 4
CLI Error Messages 4
Configuration Logging 4
Using the Help System 5
How to Use the CLI to Configure Features 6
Configuring the Command History 6
Changing the Command History Buffer Size 6
Recalling Commands 6
Disabling the Command History Feature 7
Enabling and Disabling Editing Features 7
Editing Commands Through Keystrokes 8
Editing Command Lines That Wrap 9
Searching and Filtering Output of show and more Commands 10
Accessing the CLI 10
Accessing the CLI Through a Console Connection or Through Telnet 11
CHAPTER 2
Using the Web Graphical User Interface 13
Prerequisites for Using the Web GUI 13
Information About Using The Web GUI 14
Web GUI Features 14
Connecting the Console Port of the Controller 15
Logging On to the GUI 15
Enabling Web and Secure Web Modes 16
Configuring the Controller Web GUI 16
PART I
System Management 21
CHAPTER 3
Administering the System 23
Finding Feature Information 23
Finding Feature Information 23
Information About Administering the Controller 24
System Time and Date Management 24
System Clock 24
Network Time Protocol 24
NTP Stratum 26
NTP Associations 26
NTP Security 26
NTP Implementation 26
NTP Version 4 27
DNS 28
Default DNS Settings 28
Login Banners 28
Default Banner Configuration 28
MAC Address Table 29
MAC Address Table Creation 29
MAC Addresses and VLANs 29
Default MAC Address Table Settings 29
ARP Table Management 30
How to Administer the Controller 30
Configuring the Time and Date Manually 30
Setting the System Clock 30
Configuring the Time Zone 31
Configuring Summer Time (Daylight Saving Time) 32
Configuring a System Name 35
Setting Up DNS 37
Configuring a Message-of-the-Day Login Banner 38
Configuring a Login Banner 40
Managing the MAC Address Table 41
Changing the Address Aging Time 41
Configuring MAC Address Change Notification Traps 42
Configuring MAC Address Move Notification Traps 44
Configuring MAC Threshold Notification Traps 46
Adding and Removing Static Address Entries 48
Configuring Unicast MAC Address Filtering 49
Monitoring and Maintaining Administration of the Controller 51
Configuration Examples for Controller Administration 52
Example: Setting the System Clock 52
Examples: Configuring Summer Time 52
Example: Configuring a MOTD Banner 52
Example: Configuring a Login Banner 53
Example: Configuring MAC Address Change Notification Traps 53
Example: Configuring MAC Threshold Notification Traps 53
Example: Adding the Static Address to the MAC Address Table 53
Example: Configuring Unicast MAC Address Filtering 54
Additional References for Controller Administration 54
Additional References for Controller Administration 56
Feature History and Information for Controller Administration 57
CHAPTER 4
Performing Controller Setup Configuration 59
Finding Feature Information 59
Finding Feature Information 59
Information About Performing Controller Setup Configuration 60
Controller Boot Process 60
Software Installer Features 60
Software Boot Modes 61
Installed Boot Mode 61
Bundle Boot Mode 61
Controllers Information Assignment 62
DHCP-Based Autoconfiguration Overview 62
DHCP Client Request Process 63
DHCP Server Configuration Guidelines 64
Purpose of the TFTP Server 65
Purpose of the DNS Server 65
How to Obtain Configuration Files 65
How to Control Environment Variables 66
Scheduled Reload of the Software Image 67
How to Perform Controller Setup Configuration 67
Configuring DHCP Autoconfiguration (Only Configuration File) 67
Manually Assigning IP Information to Multiple SVIs 69
Modifying the Controller Startup Configuration 71
Specifying the Filename to Read and Write the System Configuration 71
Booting the Controller in Installed Mode 72
Booting the Controller in Bundle Mode 74
Configuring a Scheduled Software Image Reload 75
Monitoring Controller Setup Configuration 77
Example: Verifying the Controller Running Configuration 77
Examples: Displaying Software Bootup in Install Mode 77
Example: Emergency Installation 79
Configuration Examples for Performing Controller Setup 81
Example: Configuring a Controller to Download Configurations from a DHCP Server 81
Examples: Scheduling Software Image Reload 82
Additional References For Performing Controller Setup 82
Additional References For Performing Controller Setup 84
Feature History and Information For Performing Controller Setup Configuration 85
CHAPTER 5
Configuring Right-To-Use Licenses 87
Finding Feature Information 87
Restrictions for Right-To-Use AP-Count Licenses 87
Information About Configuring RTU Licenses 88
Right-To-Use AP-Count Licensing 88
Right-to-Use AP-Count Evaluation Licenses 88
Right-To-Use Adder AP-Count Rehosting Licenses 89
How to Configure RTU Licenses 89
Activating an AP-Count Evaluation License (CLI) 89
Activating an AP-Count Permanent License 89
Obtaining an Upgrade or Capacity Adder License 90
Transferring Licenses to a Replacement Controller after an RMA 90
Configuring Right-To-Use Licenses (GUI) 91
Monitoring and Maintaining RTU Licenses 91
Viewing Right-To-Use AP-Count Licenses (GUI) 91
Viewing Right-To-Use AP-Count Licenses (CLI) 92
Examples: RTU Licenses Configuration 94
Additional References for RTU Licensing 95
Feature History and Information for RTU Licensing 96
CHAPTER 6
Configuring Administrator Usernames and Passwords 97
Finding Feature Information 97
Information About Configuring Administrator Usernames and Passwords 97
Configuring Administrator Usernames and Passwords 98
Examples: Administrator Usernames and Passwords Configuration 100
Additional References for Administrator Usernames and Passwords 101
Feature History and Information For Performing Administrator Usernames and Passwords Configuration 102
CHAPTER 7
802.11 parameters and Band Selection 103
Finding Feature Information 103
Restrictions on Band Selection, 802.11 Bands, and Parameters 103
Information About Configuring Band Selection, 802.11 Bands, and Parameters 104
Band Selection 104
802.11 Bands 105
802.11n Parameters 105
802.11h Parameters 105
How to Configure 802.11 Bands and Parameters 106
Configuring Band Selection (CLI) 106
Configuring the 802.11 Bands (CLI) 107
Configuring the 802.11 Bands (GUI) 109
Configuring 802.11n Parameters (CLI) 110
Configuring the 802.11n Parameters (GUI) 113
Configuring 802.11h Parameters (CLI) 114
Configuring the 802.11h Parameters (GUI) 115
Monitoring Configuration Settings for Band Selection, 802.11 Bands, and Parameters 116
Monitoring Configuration Settings Using Band Selection and 802.11 Bands Commands 116
Example: Viewing the Configuration Settings for the 5-GHz Band 116
Example: Viewing the Configuration Settings for the 24-GHz Band 118
Example: Viewing the status of 802.11h Parameters 119
Example: Verifying the Band-Selection Settings 120
Configuration Examples for Band Selection, 802.11 Bands, and Parameters 120
Examples: Band Selection Configuration 120
Examples: 802.11 Bands Configuration 121
Examples: 802.11n Configuration 121
Examples: 802.11h Configuration 122
Additional References for 802.11 Parameters and Band Selection 122
Feature History and Information For Performing 802.11 parameters and Band Selection Configuration 123
CHAPTER 8
Configuring Aggressive Load Balancing 125
Finding Feature Information 125
Restrictions for Aggressive Load Balancing 125
Information for Configuring Aggressive Load Balancing Parameters 126
Aggressive Load Balancing 126
How to Configure Aggressive Load Balancing 127
Configuring Aggressive Load Balancing 127
Monitoring Aggressive Load Balancing 128
Examples: Aggressive Load Balancing Configuration 128
Additional References for Aggressive Load Balancing 129
Feature History and Information For Performing Aggressive Load Balancing Configuration 130
CHAPTER 9
Configuring Client Roaming 131
Finding Feature Information 131
Prerequisites for Configuring Client Roaming 131
Restrictions for Configuring Client Roaming 131
Information About Client Roaming 132
Inter-Subnet Roaming 133
Voice-over-IP Telephone Roaming 133
CCX Layer 2 Client Roaming 133
How to Configure Layer 2 or Layer 3 Roaming 134
Configuring Layer 2 or Layer 3 Roaming 134
Configuring CCX Client Roaming Parameters (CLI) 135
Configuring Mobility Oracle 137
Configuring Mobility Controller 137
Configuring Mobility Agent 140
Monitoring Client Roaming Parameters 141
Monitoring Mobility Configurations 141
Additional References for Configuring Client Roaming 142
Feature History and Information For Performing Client Roaming Configuration 143
CHAPTER 10
Configuring Application Visibility and Control 145
Finding Feature Information 145
Information About Application Visibility and Control 145
Supported AVC Class Map and Policy Map Formats 147
Prerequisites for Application Visibility and Control 149
Guidelines for Inter-Controller Roaming with Application Visibility and Control 149
Restrictions for Application Visibility and Control 149
How to Configure Application Visibility and Control 151
Configuring Application Visibility and Control (CLI) 151
Creating a Flow Record 151
Creating a Flow Exporter (Optional) 153
Creating a Flow Monitor 155
Creating AVC QoS Policy 156
Configuring WLAN to Apply Flow Monitor in IPV4 Input/Output Direction 166
Configuring Application Visibility and Control (GUI) 167
Configuring Application Visibility (GUI) 167
Configuring Application Visibility and Control (GUI) 167
Monitoring Application Visibility and Control 169
Monitoring Application Visibility and Control (CLI) 169
Monitoring Application Visibility and Control (GUI) 170
Monitoring SSID and Client Policies Statistics (GUI) 171
Examples: Application Visibility and Control 171
Examples: Application Visibility Configuration 171
Examples: Application Visibility and Control QoS Configuration 172
Example: Configuring QoS Attribute for Local Profiling Policy 174
Additional References for Application Visibility and Control 174
Feature History and Information For Application Visibility and Control 175
CHAPTER 11
Configuring Voice and Video Parameters 177
Finding Feature Information 177
Prerequisites for Voice and Video Parameters 177
Restrictions for Voice and Video Parameters 177
Information About Configuring Voice and Video Parameters 178
Call Admission Control 178
Static-Based CAC 179
Load-Based CAC 179
IOSd Call Admission Control 179
Expedited Bandwidth Requests 180
U-APSD 181
Traffic Stream Metrics 181
Information About Configuring Voice Prioritization Using Preferred Call Numbers 182
Information About Enhanced Distributed Channel Access Parameters 182
How to Configure Voice and Video Parameters 183
Configuring Voice Parameters (CLI) 183
Configuring Video Parameters (CLI) 186
Configuring SIP-Based CAC (CLI) 189
Configuring a Preferred Call Number (CLI) 190
Configuring EDCA Parameters (CLI) 192
Configuring EDCA Parameters (GUI) 193
Monitoring Voice and Video Parameters 194
Configuration Examples for Voice and Video Parameters 196
Example: Configuring Voice and Video 196
Additional References for Voice and Video Parameters 197
Feature History and Information For Performing Voice and Video Parameters Configuration 198
CHAPTER 12
Configuring RFID Tag Tracking 199
Finding Feature Information 199
Information About Configuring RFID Tag Tracking 199
How to Configure RFID Tag Tracking 199
Configuring RFID Tag Tracking (CLI) 199
Monitoring RFID Tag Tracking Information 200
Additional References RFID Tag Tracking 201
Feature History and Information For Performing RFID Tag Tracking Configuration 202
CHAPTER 13
Configuring Location Settings 203
Finding Feature Information 203
Information About Configuring Location Settings 203
How to Configure Location Settings 204
Configuring Location Settings (CLI) 204
Modifying the NMSP Notification Interval for Clients, RFID Tags, and Rogues 206
Modifying the NMSP Notification Threshold for Clients, RFID Tags, and Rogues (CLI) 207
Monitoring Location Settings and NMSP Settings 208
Monitoring Location Settings (CLI) 208
Monitoring NMSP Settings (CLI) 208
Examples: Location Settings Configuration 209
Examples: NMSP Settings Configuration 209
Additional References for Location Settings 210
Feature History and Information For Performing Location Settings Configuration 210
CHAPTER 14
Monitoring Flow Control 211
Finding Feature Information 211
Information About Flow Control 211
Monitoring Flow Control 211
Examples: Monitoring Flow Control 212
Additional References for Monitoring Flow Control 213
Feature History and Information For Monitoring Flow Control 213
CHAPTER 15
Configuring System Message Logs 215
Finding Feature Information 215
Finding Feature Information 215
Restrictions for Configuring System Message Logs 216
Information About Configuring System Message Logs 216
System Message Logging 216
System Log Message Format 216
Default System Message Logging Settings 217
Syslog Message Limits 218
Enabling Syslog Trap Messages 218
How to Configure System Message Logs 219
Setting the Message Display Destination Device 219
Synchronizing Log Messages 220
Disabling Message Logging 222
Enabling and Disabling Time Stamps on Log Messages 223
Enabling and Disabling Sequence Numbers in Log Messages 223
Defining the Message Severity Level 224
Limiting Syslog Messages Sent to the History Table and to SNMP 225
Logging Messages to a UNIX Syslog Daemon 226
Monitoring and Maintaining System Message Logs 227
Monitoring Configuration Archive Logs 227
Configuration Examples for System Message Logs 227
Example: Switch System Message 227
Additional References for System Message Logs 228
Additional References for System Message Logs 229
Feature History and Information For System Message Logs 230
CHAPTER 16
Configuring Online Diagnostics 231
Finding Feature Information 231
Finding Feature Information 231
Information About Configuring Online Diagnostics 232
Online Diagnostics 232
How to Configure Online Diagnostics 232
Starting Online Diagnostic Tests 232
Configuring Online Diagnostics 233
Scheduling Online Diagnostics 233
Configuring Health-Monitoring Diagnostics 234
Monitoring and Maintaining Online Diagnostics 237
Displaying Online Diagnostic Tests and Test Results 237
Configuration Examples for Online Diagnostic Tests 237
Examples: Start Diagnostic Tests 237
Example: Configure a Health Monitoring Test 237
Examples: Schedule Diagnostic Test 238
Examples: Displaying Online Diagnostics 238
Additional References for Online Diagnostics 239
Feature History and Information for Configuring Online Diagnostics 240
CHAPTER 17
Predownloading an Image to Access Points 241
Finding Feature Information 241
Information About Predownloading an Image to an Access Point 241
Restrictions for Predownloading an Image to an Access Point 241
How to Predownload an Image to an Access Point 242
Predownloading an Image to Access Points (CLI) 242
Monitoring the Access Point Predownload Process 243
Examples: Access Point Predownload Process 244
Additional References for Predownloading an Image to an Access Point 244
Feature History and Information For Performing Predownloading an Image to an Access Point 245
CHAPTER 18
Troubleshooting the Software Configuration 247
Finding Feature Information 247
Finding Feature Information 248
Information About Troubleshooting the Software Configuration 248
Software Failure on a Switch 248
Lost or Forgotten Password on a Controller 248
Power over Ethernet Ports 248
Disabled Port Caused by Power Loss 249
Disabled Port Caused by False Link-Up 249
Ping 249
Layer 2 Traceroute 250
Layer 2 Traceroute Guidelines 250
IP Traceroute 251
Time Domain Reflector Guidelines 251
Debug Commands 253
Crashinfo Files 253
System Reports 254
Onboard Failure Logging on the Switch 254
Fan Failures 255
Possible Symptoms of High CPU Utilization 255
How to Troubleshoot the Software Configuration 256
Recovering from a Software Failure 256
Recovering from a Lost or Forgotten Password 259
Procedure with Password Recovery Enabled 260
Procedure with Password Recovery Disabled 261
Preventing Switch Stack Problems 263
Preventing Autonegotiation Mismatches 264
Troubleshooting SFP Module Security and Identification 264
Monitoring SFP Module Status 265
Executing Ping 265
Monitoring Temperature 265
Monitoring the Physical Path 266
Executing IP Traceroute 266
Running TDR and Displaying the Results 266
Redirecting Debug and Error Message Output 266
Using the show platform forward Command 267
Using the show debug command 267
Configuring OBFL 267
WSMA Configuration for WebUI 268
Verifying Troubleshooting of the Software Configuration 269
Displaying OBFL Information 269
Example: Verifying the Problem and Cause for High CPU Utilization 270
Scenarios for Troubleshooting the Software Configuration 271
Scenarios to Troubleshoot Power over Ethernet (PoE) 271
Configuration Examples for Troubleshooting Software 273
Example: Pinging an IP Host 273
Example: Performing a Traceroute to an IP Host 274
Example: Enabling All System Diagnostics 275
Additional References for Troubleshooting Software Configuration 276
Additional References for Troubleshooting Software Configuration 277
Feature History and Information for Troubleshooting Software Configuration 278
PART II
QoS 279
CHAPTER 19
Configuring QoS 281
Finding Feature Information 281
Prerequisites for Quality of Service 281
QoS Components 282
QoS Terminology 283
Information About QoS 283
QoS Overview 283
Modular QoS Command-Line Interface 283
Wireless QoS Overview 284
QoS and IPv6 for Wireless 285
Wired and Wireless Access Supported Features 285
Supported QoS Features on Wireless Targets 287
Port Policies 289
Radio Policies 291
SSID Policies 291
Client Policies 292
Hierarchical QoS 293
Hierarchical Wireless QoS 293
QoS Implementation 295
Layer 2 Frame Prioritization Bits 296
Layer 3 Packet Prioritization Bits 296
End-to-End QoS Solution Using Classification 296
Packet Classification 296
QoS Wired Model 299
Ingress Port Activity 299
Egress Port Activity 299
Classification 300
Access Control Lists 300
Class Maps 301
Policy Maps 301
Policing 303
Token-Bucket Algorithm 304
Marking 304
Packet Header Marking 304
Switch Specific Information Marking 305
Table Map Marking 305
Traffic Conditioning 306
Policing 307
Shaping 308
Queueing and Scheduling 309
Bandwidth 310
Weighted Tail Drop 311
Priority Queues 312
Queue Buffer 312
Queuing in Wireless 314
Trust Behavior 314
Trust Behavior for Wired and Wireless Ports 314
Port Security on a Trusted Boundary for Cisco IP Phones 315
Wireless QoS Mobility 316
Inter-Controller Roaming 316
Intra-Controller Roaming 317
Precious Metal Policies for Wireless QoS 317
Standard QoS Default Settings 318
Default Wired QoS Configuration 318
Default Wireless QoS Configuration 319
Configuring Auto QoS for Wireless 320
Information About Auto QoS for Wireless 320
Configuring Auto QoS for Wireless (GUI) 321
Configuring Auto QoS for Wireless (CLI) 322
Guidelines for QoS Policies 322
Restrictions for QoS on Wired Targets 322
Restrictions for QoS on Wireless Targets 325
How to Configure QoS 328
Configuring Class, Policy, and Table Maps 328
Creating a Traffic Class (CLI) 328
Creating a Traffic Policy (CLI) 331
Configuring Client Policies (GUI) 335
Configuring Client Policies 337
Configuring Class-Based Packet Marking (CLI) 338
Configuring Class Maps for Voice and Video (CLI) 343
Attaching a Traffic Policy to an Interface (CLI) 344
Configuring SSID Policies (GUI) 345
Applying an SSID or Client Policy on a WLAN (CLI) 347
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps (CLI) 348
Classifying, Policing, and Marking Traffic on SVIs by Using Policy Maps (CLI) 351
Configuring Table Maps (CLI) 355
Configuring Trust 357
Configuring Trust Behavior for Wireless Traffic (CLI) 357
Configuring QoS Features and Functionality 358
Configuring Call Admission Control (CLI) 358
Configuring Bandwidth (CLI) 365
Configuring Police (CLI) 367
Configuring Priority (CLI) 369
Configuring Queues and Shaping 372
Configuring Egress Queue Characteristics 372
Configuring Queue Buffers (CLI) 372
Configuring Queue Limits (CLI) 374
Configuring Shaping (CLI) 377
Configuring Precious Metal Policies (CLI) 379
Configuring QoS Policies for Multicast Traffic (CLI) 380
Configuring Port Policies (GUI) 381
Applying or Changing Port Policies (GUI) 381
Applying a QoS Policy on a WLAN (GUI) 382
Monitoring QoS 383
Monitoring SSID and Client Policies Statistics (GUI) 386
Configuration Examples for QoS 387
Examples: Classification by Access Control Lists 387
Examples: Class of Service Layer 2 Classification 387
Examples: Class of Service DSCP Classification 388
Examples: VLAN ID Layer 2 Classification 388
Examples: Classification by DSCP or Precedence Values 388
Examples: Hierarchical Classification 389
Examples: Hierarchical Policy Configuration 389
Examples: Classification for Voice and Video 390
Examples: Wireless QoS Policy Classified by Voice, Video, and Multicast Traffic 391
Examples: Configuring Downstream SSID Policy 392
Examples: Ingress SSID Policies 393
Examples: Client Policies 394
Examples: Average Rate Shaping Configuration 396
Examples: Queue-limit Configuration 397
Examples: Queue Buffers Configuration 398
Examples: Policing Action Configuration 398
Examples: Policer VLAN Configuration 399
Examples: Policing Units 399
Examples: Single-Rate Two-Color Policing Configuration 400
Examples: Dual-Rate Three-Color Policing Configuration 400
Examples: Table Map Marking Configuration 401
Example: Table Map Configuration to Retain CoS Markings 402
Where to Go Next 402
Additional References for QoS 403
Feature History and Information for QoS 404
PART III
Mobility 407
CHAPTER 20
Information About Mobility 409
Overview 409
Wired and Wireless Mobility 410
Features of Mobility 410
Sticky Anchoring for Low Latency Roaming 412
Bridge Domain ID and L2/L3 Roaming 412
Link Down Behavior 412
Platform Specific Scale Requirement for the Mobility Controller 413
CHAPTER 21
Mobility Network Elements 415
Mobility Agent 415
Mobility Controller 416
Mobility Tunnel Endpoint 417
Mobility Oracle 417
Guest Controller 418
CHAPTER 22
Mobility Control Protocols 419
About Mobility Control Protocols 419
Initial Association and Roaming 419
Initial Association 420
Intra Switch Handoff 421
Intra Switch Peer Group Handoff 422
Inter Switch Peer Group Handoff 422
Inter Sub Domain Handoff 423
Inter Mobility Group Handoff 425
Three Way Sub Domain Handoff 425
CHAPTER 23
Configuring Mobility 427
Configuring Mobility Controller 427
Configuring Converged Access Controllers 427
Creating Peer Groups, Peer Group Member, and Bridge Domain ID (CLI) 427
Creating Peer Groups, Peer Group Member, and Bridge Domain ID (GUI) 429
Configuring Optional Parameters for Roaming Behavior 429
Configuring Local Mobility Group (CLI) 430
Configuring Local Mobility Group (GUI) 431
Adding a Peer Mobility Group (CLI) 431
Adding a Peer Mobility Group (GUI) 432
Configuring Optional Parameters for Roaming Behavior 432
Pointing the Mobility Controller to a Mobility Oracle (CLI) 433
Pointing the Mobility Controller to a Mobility Oracle (GUI) 434
Configuring Guest Controller 434
Configuring Guest Anchor 435
Configuring Converged Access Controller on 5508 or WiSM 2 436
Enabling the New Mobility 436
Configuring Mobility Controller 437
Creating Peer Groups, Peer Group Member, and Bridge Domain ID (CLI) 437
Configuring Local Mobility Group (CLI) 439
Adding a Peer Mobility Group (CLI) 440
Configuring Optional Parameters for Roaming Behavior 440
Pointing the Mobility Controller to a Mobility Oracle (CLI) 441
Configuring Mobility Agent 441
Configuring Mobility Agent by Pointing to Mobility Controller (CLI) 441
Configuring Mobility Agent by Pointing to Mobility Controller (GUI) 442
Configuring the Mobility Controller for the Mobility Agent (CLI) 443
Configuring Optional Parameters on a Mobility Agent (CLI) 443
Configuring the Mobility Oracle 444
Configuring Mobility Oracle on Converged Access Controller 444
Enabling the Mobility Oracle on the Controller 444
Configuring Mobility Oracle on CUWN 444
Enabling Mobility Oracle on CUWN 444
PART IV
Interface 447
CHAPTER 24
Configuring Interfaces 449
Finding Feature Information 450
Pre-requisites for Configuring Interfaces 450
Restrictions for Configuring Interfaces 450
Information About Interfaces 450
Interface Types 451
Port-Based VLANs 451
Switch Ports 451
Access Ports 452
Trunk Ports 452
Tunnel Ports 452
Routed Ports 453
Switch Virtual Interfaces 453
SVI Autostate Exclude 454
EtherChannel Port Groups 455
10-Gigabit Ethernet Interfaces 455
Interface Connections 455
Interface Configuration Mode 456
Default Ethernet Interface Configuration 457
Layer 3 Interfaces 458
Configuring Interfaces 460
Adding a Description for an Interface 461
Configuring a Range of Interfaces: Examples 462
Configuring and Using Interface Range Macros: Examples 462
Configuring Interfaces 463
Configuring Layer 3 Interfaces 464
Shutting Down and Restarting the Interface 465
Monitoring Interface Characteristics 467
Monitoring Interface Status 467
Clearing and Resetting Interfaces and Counters 468
Viewing Wireless Interfaces (GUI) 468
Configuring Ports (GUI) 469
Configuring Wireless Interface (GUI) 469
Feature History and Information For Configuring Interfaces 470
CHAPTER 25
Configuring Management Interfaces 471
Finding Feature Information 471
Information About the Management Interface 471
Pre-requisites for Configuring Management Interfaces 472
Restrictions for Configuring Management Interfaces 472
Configuring the Management Interface using the CLI 473
Configuring the Management Interface 473
Feature History and Information For Configuring Management Interfaces 473
CHAPTER 26
Configuring AP Manager Interfaces 475
Finding Feature Information 475
Pre-requisites for Configuring Access Point Management Interface 475
Restrictions for Configuring AP Manager Interfaces 475
Information About AP-Manager Interface 476
Configuring AP Join in an AP Manager Interface 477
Viewing Configured Access Point Join Management Interfaces 477
Feature History and Information For Configuring AP Manager Interfaces 478
CHAPTER 27
Configuring Dynamic Interfaces 479
Finding Feature Information 479
Prerequisites for Configuring Dynamic Interfaces 479
Restrictions for Configuring Dynamic Interfaces 479
Information About Dynamic AP Management 480
Configuring Dynamic Interfaces 480
Feature History and Information For Configuring Dynamic Interfaces 481
CHAPTER 28
Configuring Multiple AP Manager Interfaces 483
Finding Feature Information 483
Pre-requisites For Configuring AP Manager Interfaces 483
Restrictions on Configuring Multiple AP Manager Interfaces 483
Information About Multiple AP-Manager Interfaces 484
Configuring Multiple AP Manager Interfaces 484
Feature History and Information For Configuring Multiple AP Manager Interfaces 484
CHAPTER 29
Configuring Interface Groups 485
Finding Feature Information 485
Information About Interface Groups 485
Creating Interface Groups 486
Adding a VLAN Group to a WLAN 486
Configuring the Trunk Port 487
Configuring VLAN Interfaces (GUI) 488
Feature History and Information For Configuring Interface Groups 488
PART V
VLAN 489
CHAPTER 30
VLANs 491
Finding Feature Information 491
Prerequisites for VLANs 491
Restrictions for VLANs 492
Information About VLANs 492
Logical Networks 492
Supported VLANs 492
VLAN Port Membership Modes 493
VLAN Configuration Files 494
Normal-Range VLAN Configuration Guidelines 495
Extended-Range VLAN Configuration Guidelines 496
Information About VLAN Groups 496
How to Configure VLANs 496
How to Configure Normal-Range VLANs 496
Creating or Modifying an Ethernet VLAN (CLI) 497
Deleting a VLAN (CLI) 500
Creating a VLAN Group (CLI) 501
Adding a VLAN Group to a WLAN (CLI) 502
Assigning Static-Access Ports to a VLAN (CLI) 503
How to Configure Extended-Range VLANs 504
Creating an Extended-Range VLAN (CLI) 505
Monitoring VLANs 507
Where to Go Next 507
Additional References 508
Feature History and Information for VLANs 509
CHAPTER 31
Configuring VLAN Group 511
Finding Feature Information 511
Prerequisites for VLAN Groups 511
Restrictions for VLAN Groups 512
Information About VLAN Groups 512
How to Configure VLAN Groups 512
Creating a VLAN Group (CLI) 512
Removing a VLAN Group (CLI) 513
Creating VLAN Groups (GUI) 514
Adding a VLAN Group to a WLAN (CLI) 514
Adding a VLAN Group to WLAN (GUI) 515
Removing VLAN Groups (GUI) 515
Viewing the VLANs in a VLAN Group (CLI) 516
Viewing VLAN Groups (GUI) 516
Where to Go Next 516
Additional References 517
Feature History and Information for VLAN Groups 519
CHAPTER 32
Configuring VLAN Trunks 521
Finding Feature Information 521
Prerequisites for VLAN Trunks 521
Restrictions for VLAN Trunks 522
Information About VLAN Trunks 523
Trunking Overview 523
Trunking Modes 523
Layer 2 Interface Modes 523
Allowed VLANs on a Trunk 524
Load Sharing on Trunk Ports 524
Network Load Sharing Using STP Priorities 524
Network Load Sharing Using STP Path Cost 525
Feature Interactions 525
How to Configure VLAN Trunks 525
Configuring an Ethernet Interface as a Trunk Port 526
Configuring a Trunk Port (CLI) 526
Defining the Allowed VLANs on a Trunk (CLI) 528
Changing the Pruning-Eligible List (CLI) 530
Configuring the Native VLAN for Untagged Traffic (CLI) 531
Configuring Trunk Ports for Load Sharing 532
Configuring Load Sharing Using STP Port Priorities (CLI) 532
Configuring Load Sharing Using STP Path Cost (CLI) 536
Where to Go Next 539
Additional References 539
Feature History and Information for VLAN Trunks 540
PART VI
VideoStream 541
CHAPTER 33
VideoStream 543
Finding Feature Information 543
Prerequisites for VideoStream 543
Restrictions for Configuring VideoStream 544
Information about VideoStream 544
How to Configure VideoStream 544
Configuring Multicast-Direct Globally for Media-Stream 544
Configuring Media-Stream for 802.11 bands 546
Configuring WLAN to Stream Video 547
Deleting a Media-Stream 548
Monitoring Media Streams 549
CHAPTER 34
Configuring VideoStream GUI 551
Configuring VideoStream (GUI) 551
PART VII
Multicast 555
CHAPTER 35
Configuring IGMP 557
Finding Feature Information 557
Restrictions for Configuring IGMP 557
Information About IGMP 558
IP Multicast Group Addresses 558
IGMP Versions 559
IGMP Version 1 559
IGMP Version 2 559
IGMP Version 3 559
IGMPv3 Host Signalling 559
IGMP Snooping 560
Joining a Multicast Group 560
Leaving a Multicast Group 562
Immediate Leave 562
IGMP Configurable-Leave Timer 562
IGMP Report Suppression 563
IGMP Filtering and Throttling 563
Default IGMP Configuration 564
Default IGMP Snooping Configuration 564
Default IGMP Filtering and Throttling Configuration 565
How to Configure IGMP 565
Configuring the Controller as a Member of a Group (CLI) 565
Controlling Access to IP Multicast Group (CLI) 567
Modifying the IGMP Host-Query Message Interval (CLI) 569
Changing the IGMP Query Timeout for IGMPv2 (CLI) 570
Changing the Maximum Query Response Time for IGMPv2 (CLI) 572
Configuring the Controller as a Statically Connected Member (CLI) 573
Configuring IGMP Profiles (CLI) 574
Applying IGMP Profiles (CLI) 576
Setting the Maximum Number of IGMP Groups (CLI) 578
Configuring the IGMP Throttling Action (CLI) 579
How to Configure IGMP Snooping 581
Enabling or Disabling IGMP Snooping on a Controller (CLI) 581
Enabling or Disabling IGMP Snooping on a VLAN Interface (CLI) 582
Setting the Snooping Method (CLI) 583
Configuring a Multicast Router Port (CLI) 585
Configuring a Host Statically to Join a Group (CLI) 586
Enabling IGMP Immediate Leave (CLI) 587
Configuring the IGMP Leave Timer (CLI) 588
Configuring the IGMP Robustness-Variable (CLI) 590
Configuring the IGMP Last Member Query Count (CLI) 591
Configuring TCN-Related Commands 593
Configuring the IGMP Snooping Querier (CLI) 596
Disabling IGMP Report Suppression (CLI) 598
Monitoring IGMP 600
Monitoring IGMP Snooping Information 600
Monitoring IGMP Filtering and Throttling Configuration 602
Configuration Examples for IGMP 602
Example: Configuring the Controller as a Member of a Multicast Group 602
Example: Controlling Access to Multicast Groups 602
Examples: Configuring IGMP Snooping 603
Examples: Configuring Filtering and Throttling 604
Example: Interface Configuration as a Routed Port 604
Example: Interface Configuration as an SVI 605
Where to Go Next for IGMP 605
Additional References 606
Feature History and Information for IGMP 607
CHAPTER 36
Configuring Wireless Multicast 609
Finding Feature Information 609
Prerequisites for Configuring Wireless Multicast 609
Restrictions on Configuring Wireless Multicast 610
Restrictions for IPv6 Snooping 610
Restrictions for IPv6 RA Guard 610
Information About Wireless Multicast 610
Multicast Optimization 611
IPv6 Global Policies 612
IPv6 RA Guard 612
Information About IPv6 Snooping 612
IPv6 Neighbor Discovery Inspection 612
How to Configure Wireless Multicast 614
Configuring Wireless Multicast-MCMC Mode (CLI) 614
Configuring Wireless Multicast-MCUC Mode (CLI) 615
Configuring IPv6 Snooping (CLI) 616
Configuring IPv6 Snooping Policy (CLI) 616
Configuring Layer 2 Port as Multicast Router Port (CLI) 617
Configuring IPv6 RA Guard (CLI) 618
Configuring Non-IP Wireless Multicast (CLI) 619
Configuring Wireless Broadcast (CLI) 620
Configuring IP Multicast VLAN for WLAN (CLI) 621
Monitoring Wireless Multicast 622
Where to Go Next for Wireless Multicast 622
CHAPTER 37
Configuring the Service Discovery Gateway 625
Finding Feature Information 625
Restrictions for Configuring the Service Discovery Gateway 625
Information about the Service Discovery Gateway and mDNS 626
mDNS 626
mDNS-SD 626
Service Discovery Gateway 627
mDNS Gateway and Subnets 627
Filtering 628
How to Configure the Service Discovery Gateway 629
Configuring the Service List (CLI) 629
Configuring the Service List (GUI) 631
Enabling mDNS Gateway and Redistributing Services (CLI) 632
Configuring Interface Service Rules (GUI) 635
Configuring mDNS Global Rules (GUI) 635
Monitoring Service Discovery Gateway 636
Configuration Examples 636
Example: Specify Alternative Source Interface for Outgoing mDNS Packets 636
Example: Redistribute Service Announcements 637
Example: Disable Bridging of mDNS Packets to Wireless Clients 637
Example: Creating a Service-List, Applying a Filter and Configuring Parameters 637
Example: Enabling mDNS Gateway and Redistributing Services 638
Example: Global mDNS Configuration 638
Example: Interface mDNS Configuration 638
Monitoring Service Cache (GUI) 639
Monitoring Static Service Cache (GUI) 639
Where to Go Next for Configuring Services Discovery Gateway 640
Additional References 640
Feature History and Information for Services Discovery Gateway 641
PART VIII
Security 643
CHAPTER 38
Preventing Unauthorized Access 645
Finding Feature Information 645
Preventing Unauthorized Access 645
CHAPTER 39
Controlling Switch Access with Passwords and Privilege Levels 647
Finding Feature Information 647
Restrictions for Controlling Switch Access with Passwords and Privileges 647
Information About Passwords and Privilege Levels 648
Default Password and Privilege Level Configuration 648
Additional Password Security 648
Password Recovery 649
Terminal Line Telnet Configuration 649
Username and Password Pairs 649
Privilege Levels 649
How to Control Switch Access with Passwords and Privilege Levels 650
Setting or Changing a Static Enable Password 650
Protecting Enable and Enable Secret Passwords with Encryption 652
Disabling Password Recovery 654
Setting a Telnet Password for a Terminal Line 655
Configuring Username and Password Pairs 656
Setting the Privilege Level for a Command 658
Changing the Default Privilege Level for Lines 660
Logging into and Exiting a Privilege Level 661
Monitoring Switch Access 662
Configuration Examples for Setting Passwords and Privilege Levels 662
Example: Setting or Changing a Static Enable Password 662
Example: Protecting Enable and Enable Secret Passwords with Encryption 662
Example: Setting a Telnet Password for a Terminal Line 662
Example: Setting the Privilege Level for a Command 663
Additional References 663
CHAPTER 40
Configuring TACACS+ 665
Finding Feature Information 665
Prerequisites for TACACS+ 665
Information About TACACS+ 667
TACACS+ and Switch Access 667
TACACS+ Overview 667
TACACS+ Operation 668
Method List 669
TACACS+ Configuration Options 669
TACACS+ Login Authentication 669
TACACS+ Authorization for Privileged EXEC Access and Network Services 670
TACACS+ Accounting 670
Default TACACS+ Configuration 670
How to Configure Switch Access with TACACS+ 670
Identifying the TACACS+ Server Host and Setting the Authentication Key 671
Identifying the TACACS+ Server Host and Setting the Authentication Key 672
Configuring TACACS+ Login Authentication 674
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 677
Starting TACACS+ Accounting 678
Establishing a Session with a Router if the AAA Server is Unreachable 680
Monitoring TACACS+ 680
Additional References for Configuring Secure Shell 680
Feature Information for TACACS+ 681
CHAPTER 41
Configuring RADIUS 683
Finding Feature Information 683
Prerequisites for Configuring RADIUS 683
Restrictions for Configuring RADIUS 684
Information about RADIUS 685
RADIUS and Switch Access 685
RADIUS Overview 685
RADIUS Operation 686
RADIUS Change of Authorization 687
Change-of-Authorization Requests 688
CoA Request Response Code 690
CoA Request Commands 691
Stacking Guidelines for Session Termination 693
Default RADIUS Configuration 694
RADIUS Server Host 694
RADIUS Login Authentication 695
AAA Server Groups 696
AAA Authorization 696
RADIUS Accounting 696
Vendor-Specific RADIUS Attributes 696
Vendor-Proprietary RADIUS Server Communication 708
How to Configure RADIUS 708
Identifying the RADIUS Server Host 708
Identifying the RADIUS Server Host 711
Configuring RADIUS Login Authentication 713
Defining AAA Server Groups 716
Configuring RADIUS Authorization for User Privileged Access and Network Services 717
Starting RADIUS Accounting 719
Establishing a Session with a Router if the AAA Server is Unreachable 720
Configuring Settings for All RADIUS Servers 721
Configuring the Controller to Use Vendor-Specific RADIUS Attributes 722
Configuring the Controller for Vendor-Proprietary RADIUS Server Communication 724
Configuring the Controller for Vendor-Proprietary RADIUS Server Communication 725
Configuring CoA on the Controller 727
Configuring RADIUS Server Load Balancing 729
Monitoring CoA Functionality 730
Configuration Examples for Controlling Switch Access with RADIUS 730
Examples: Identifying the RADIUS Server Host 730
Examples: Identifying the RADIUS Server Host 730
Example: Using Two Different RADIUS Group Servers 731
Example: Using Two Different RADIUS Group Servers 731
Examples: Configuring the Switch to Use Vendor-Specific RADIUS Attributes 731
Example: Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 732
Example: Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 732
Additional References for Configuring Secure Shell 733
Feature Information for RADIUS 734
CHAPTER 42
Configuring Local Authentication and Authorization 735
Finding Feature Information 735
How to Configure Local Authentication and Authorization 735
Configuring the Switch for Local Authentication and Authorization 735
Monitoring Local Authentication and Authorization 738
Additional References 738
Feature Information for Local Authentication and Authorization 739
CHAPTER 43
Configuring Secure Shell (SSH) 741
Finding Feature Information 741
Prerequisites for Configuring Secure Shell 741
Restrictions for Configuring Secure Shell 742
Information About Configuring Secure Shell 742
SSH and Switch Access 743
SSH Servers, Integrated Clients, and Supported Versions 743
SSH Configuration Guidelines 743
Secure Copy Protocol Overview 744
Secure Copy Protocol 744
How to Configure SSH 745
Setting Up the Controller to Run SSH 745
Configuring the SSH Server 746
Monitoring the SSH Configuration and Status 748
Additional References for Configuring Secure Shell 749
Feature Information for Configuring Secure Shell 750
CHAPTER 44
Configuring Secure Socket Layer HTTP 751
Finding Feature Information 751
Information about Secure Sockets Layer (SSL) HTTP 751
Secure HTTP Servers and Clients Overview 751
Certificate Authority Trustpoints 752
CipherSuites 753
Default SSL Configuration 754
SSL Configuration Guidelines 754
How to Configure Secure HTTP Servers and Clients 755
Configuring a CA Trustpoint 755
Configuring the Secure HTTP Server 757
Configuring the Secure HTTP Client 761
Monitoring Secure HTTP Server and Client Status 762
Additional References for Configuring Secure Shell 762
Feature Information for Secure Socket Layer HTTP 763
CHAPTER 45
IPv4 ACLs 765
Finding Feature Information 765
Prerequisites for Configuring IPv4 Access Control Lists 765
Restrictions for Configuring IPv4 Access Control Lists 766
Information about Network Security with ACLs 767
Cisco TrustSec and ACLs 767
ACL Overview 767
Access Control Entries 768
ACL Supported Types 768
Supported ACLs 768
ACL Precedence 768
Port ACLs 769
Router ACLs 770
VLAN Maps 770
ACEs and Fragmented and Unfragmented Traffic 771
ACEs and Fragmented and Unfragmented Traffic Examples 771
ACLs and Switch Stacks 772
Active Switch and ACL Functions 772
Stack Member and ACL Functions 772
Active Switch Failure and ACLs 773
Standard and Extended IPv4 ACLs 773
IPv4 ACL Switch Unsupported Features 773
Access List Numbers 773
Numbered Standard IPv4 ACLs 774
Numbered Extended IPv4 ACLs 774
Named IPv4 ACLs 775
ACL Logging 776
Smart Logging 776
Hardware and Software Treatment of IP ACLs 776
VLAN Map Configuration Guidelines 777
VLAN Maps with Router ACLs 777
VLAN Maps and Router ACL Configuration Guidelines 778
Time Ranges for ACLs 778
IPv4 ACL Interface Considerations 779
How to Configure ACLs 779
Configuring IPv4 ACLs 779
Creating a Numbered Standard ACL 780
Creating a Numbered Extended ACL 781
Creating Named Standard ACLs 785
Creating Extended Named ACLs 786
Configuring Time Ranges for ACLs 788
Applying an IPv4 ACL to a Terminal Line 790
Applying an IPv4 ACL to an Interface 791
Creating Named MAC Extended ACLs 793
Applying a MAC ACL to a Layer 2 Interface 794
Configuring VLAN Maps 796
Creating a VLAN Map 798
Applying a VLAN Map to a VLAN 799
Configuring VACL Logging 800
Monitoring IPv4 ACLs 802
Configuration Examples for ACLs 803
Examples: Using Time Ranges with ACLs 803
Examples: Including Comments in ACLs 803
Examples: Troubleshooting ACLs 804
IPv4 ACL Configuration Examples 805
ACLs in a Small Networked Office 805
Examples: ACLs in a Small Networked Office 806
Example: Numbered ACLs 807
Examples: Extended ACLs 807
Examples: Named ACLs 808
Examples: Time Range Applied to an IP ACL 808
Examples: Configuring Commented IP ACL Entries 809
Examples: ACL Logging 809
Configuration Examples for ACLs and VLAN Maps 811
Example: Creating an ACL and a VLAN Map to Deny a Packet 811
Example: Creating an ACL and a VLAN Map to Permit a Packet 811
Example: Default Action of Dropping IP Packets and Forwarding MAC Packets 811
Example: Default Action of Dropping MAC Packets and Forwarding IP Packets 812
Example: Default Action of Dropping All Packets 812
Configuration Examples for Using VLAN Maps in Your Network 813
Example: Wiring Closet Configuration 813
Example: Restricting Access to a Server on Another VLAN 814
Example: Denying Access to a Server on Another VLAN 814
Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs 815
Example: ACLs and Switched Packets 815
Example: ACLs and Bridged Packets 816
Example: ACLs and Routed Packets 816
Example: ACLs and Multicast Packets 817
Additional References 818
Feature Information for IPv4 Access Control Lists 819
CHAPTER 46
Configuring DHCP 821
Finding Feature Information 821
Information About DHCP 821
DHCP Server 821
DHCP Relay Agent 821
DHCP Snooping 822
Option-82 Data Insertion 823
Cisco IOS DHCP Server Database 826
DHCP Snooping Binding Database 826
DHCP Snooping and Switch Stacks 827
How to Configure DHCP Features 828
Default DHCP Snooping Configuration 828
DHCP Snooping Configuration Guidelines 829
Configuring the DHCP Server 829
DHCP Server and Switch Stacks 829
Configuring the DHCP Relay Agent 829
Specifying the Packet Forwarding Address 830
Prerequisites for Configuring DHCP Snooping and Option 82 833
Enabling DHCP Snooping and Option 82 834
Enabling the Cisco IOS DHCP Server Database 837
Monitoring DHCP Snooping Information 837
Configuring DHCP Server Port-Based Address Allocation 838
Information About Configuring DHCP Server Port-Based Address Allocation 838
Default Port-Based Address Allocation Configuration 838
Port-Based Address Allocation Configuration Guidelines 838
Enabling the DHCP Snooping Binding Database Agent 838
Enabling DHCP Server Port-Based Address Allocation 840
Monitoring DHCP Server Port-Based Address Allocation 842
Additional References 842
Feature Information for DHCP Snooping and Option 82 843
CHAPTER 47
Configuring IP Source Guard 845
Finding Feature Information 845
Information About IP Source Guard 845
IP Source Guard 845
IP Source Guard for Static Hosts 846
IP Source Guard Configuration Guidelines 847
How to Configure IP Source Guard 847
Enabling IP Source Guard 847
Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 849
Monitoring IP Source Guard 851
Additional References 851
CHAPTER 48
Configuring Dynamic ARP Inspection 853
Finding Feature Information 853
Restrictions for Dynamic ARP Inspection 853
Understanding Dynamic ARP Inspection 855
Interface Trust States and Network Security 856
Rate Limiting of ARP Packets 857
Relative Priority of ARP ACLs and DHCP Snooping Entries 858
Logging of Dropped Packets 858
Default Dynamic ARP Inspection Configuration 858
Relative Priority of ARP ACLs and DHCP Snooping Entries 859
Configuring ARP ACLs for Non-DHCP Environments 859
Configuring Dynamic ARP Inspection in DHCP Environments 862
Limiting the Rate of Incoming ARP Packets 864
Performing Dynamic ARP Inspection Validation Checks 866
Monitoring DAI 868
Verifying the DAI Configuration 868
Additional References 869
CHAPTER 49
Configuring IEEE 802.1x Port-Based Authentication 871
Finding Feature Information 871
Information About 802.1x Port-Based Authentication 871
Port-Based Authentication Process 872
Port-Based Authentication Initiation and Message Exchange 874
Authentication Manager for Port-Based Authentication 876
Port-Based Authentication Methods 876
Per-User ACLs and Filter-Ids 876
Port-Based Authentication Manager CLI Commands 877
Ports in Authorized and Unauthorized States 879
Port-Based Authentication and Switch Stacks 880
802.1x Host Mode 880
802.1x Multiple Authentication Mode 881
Multi-auth Per User VLAN assignment 882
MAC Move 883
MAC Replace 883
802.1x Accounting 884
802.1x Accounting Attribute-Value Pairs 884
802.1x Readiness Check 885
Switch-to-RADIUS-Server Communication 886
802.1x Authentication with VLAN Assignment 886
802.1x Authentication with Per-User ACLs 888
802.1x Authentication with Downloadable ACLs and Redirect URLs 889
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 890
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 891
VLAN ID-based MAC Authentication 891
802.1x Authentication with Guest VLAN 891
802.1x Authentication with Restricted VLAN 892
802.1x Authentication with Inaccessible Authentication Bypass 893
Inaccessible Authentication Bypass Support on Multiple-Authentication Ports 894
Inaccessible Authentication Bypass Authentication Results 894
Inaccessible Authentication Bypass Feature Interactions 894
802.1x Critical Voice VLAN 895
802.1x User Distribution 896
802.1x User Distribution Configuration Guidelines 896
IEEE 802.1x Authentication with Voice VLAN Ports 896
IEEE 802.1x Authentication with Port Security 897
IEEE 802.1x Authentication with Wake-on-LAN 897
IEEE 802.1x Authentication with MAC Authentication Bypass 898
Network Admission Control Layer 2 IEEE 802.1x Validation 899
Flexible Authentication Ordering 899
Open1x Authentication 900
Multidomain Authentication 900
Limiting Login for Users 902
802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT) 902
Voice Aware 802.1x Security 903
Common Session ID 904
How to Configure 802.1x Port-Based Authentication 904
Default 802.1x Authentication Configuration 904
802.1x Authentication Configuration Guidelines 906
802.1x Authentication 906
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass 907
MAC Authentication Bypass 908
Maximum Number of Allowed Devices Per Port 908
Configuring 802.1x Readiness Check 908
Configuring Voice Aware 802.1x Security 910
Configuring 802.1x Violation Modes 912
Configuring 802.1x Authentication 913
Configuring 802.1x Port-Based Authentication 914
Configuring 802.1x Port-Based Authentication 916
Configuring the Switch-to-RADIUS-Server Communication 919
Configuring Switch-to-RADIUS-Server Communication 920
Configuring the Host Mode 922
Configuring Periodic Re-Authentication 923
Changing the Quiet Period 925
Changing the Switch-to-Client Retransmission Time 926
Setting the Switch-to-Client Frame-Retransmission Number 927
Setting the Re-Authentication Number 928
Enabling MAC Move 929
Enabling MAC Replace 930
Configuring 802.1x Accounting 932
Configuring a Guest VLAN 933
Configuring a Restricted VLAN 934
Configuring Number of Authentication Attempts on a Restricted VLAN 936
Configuring 802.1x Inaccessible Authentication Bypass with Critical Voice VLAN 937
Example of Configuring Inaccessible Authentication Bypass 941
Configuring 802.1x Inaccessible Authentication Bypass with Critical Voice VLAN 941
Example of Configuring Inaccessible Authentication Bypass 944
Configuring 802.1x Authentication with WoL 945
Configuring MAC Authentication Bypass 946
Configuring 802.1x User Distribution 947
Example of Configuring VLAN Groups 948
Configuring NAC Layer 2 802.1x Validation 948
Configuring Limiting Login for Users 950
Configuring an Authenticator Switch with NEAT 952
Configuring a Supplicant Switch with NEAT 953
Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs 956
Configuring Downloadable ACLs 956
Configuring a Downloadable Policy 958
Configuring VLAN ID-based MAC Authentication 960
Configuring Flexible Authentication Ordering 961
Configuring Open1x 962
Disabling 802.1x Authentication on the Port 964
Resetting the 802.1x Authentication Configuration to the Default Values 965
Monitoring 802.1x Statistics and Status 966
Additional References for IEEE 802.1x Port-Based Authentication 967
Feature Information for 802.1x Port-Based Authentication 968
CHAPTER 50
Web-Based Authentication 969
Finding Feature Information 969
Web-Based Authentication Overview 969
Device Roles 971
Host Detection 971
Session Creation 971
Authentication Process 972
Local Web Authentication Banner 973
Web Authentication Customizable Web Pages 975
Guidelines 975
Authentication Proxy Web Page Guidelines 977
Redirection URL for Successful Login Guidelines 977
Custom Web Authentication Guidelines 978
Web-based Authentication Interactions with Other Features 978
Port Security 978
LAN Port IP 978
Gateway IP 978
ACLs 978
Context-Based Access Control 978
EtherChannel 979
How to Configure Web-Based Authentication 979
Default Web-Based Authentication Configuration 979
Web-Based Authentication Configuration Guidelines and Restrictions 979
Web-Based Authentication Configuration Task List 981
Configuring the Authentication Rule and Interfaces 981
Configuring AAA Authentication 983
Configuring AAA Authentication 984
Configuring Switch-to-RADIUS-Server Communication 986
Configuring Switch-to-RADIUS-Server Communication 988
Configuring the HTTP Server 989
Customizing the Authentication Proxy Web Pages 990
Specifying a Redirection URL for Successful Login 992
Configuring the Web-Based Authentication Parameters 993
Configuring a Web-Based Authentication Local Banner 994
Configuring Web-Based Authentication without SVI 995
Configuring Web-Based Authentication with VRF Aware 996
Removing Web-Based Authentication Cache Entries 998
Downloading Web Authentication Tar Bundle (CLI) 998
Downloading Web Authentication Tar Bundle (GUI) 999
Integrating Customized Web Authentication Pages into a Parameter Map (CLI) 1000
Linking Image in Custom Pages 1001
Configuring a Parameter Map for Local Web Authentication (CLI) 1002
Monitoring Web-Based Authentication Status 1005
Feature Information for Web-Based Authentication 1006
CHAPTER 51
Configuring Port-Based Traffic Control 1007
Finding Feature Information 1008
Information About Storm Control 1008
Storm Control 1008
How Traffic Activity is Measured 1008
Traffic Patterns 1009
How to Configure Storm Control 1010
Configuring Storm Control and Threshold Levels 1010
Configuring Small-Frame Arrival Rate 1012
Monitoring Storm Control 1014
Where to Go Next 1015
Additional References 1015
Feature Information 1015
Finding Feature Information 1016
Information About Protected Ports 1016
Protected Ports 1016
Default Protected Port Configuration 1016
Protected Ports Guidelines 1016
How to Configure Protected Ports 1017
Configuring a Protected Port 1017
Monitoring Protected Ports 1018
Where to Go Next 1018
Additional References 1019
Feature Information 1019
Finding Feature Information 1019
Information About Port Blocking 1020
Port Blocking 1020
How to Configure Port Blocking 1020
Blocking Flooded Traffic on an Interface 1020
Monitoring Port Blocking 1022
Where to Go Next 1022
Additional References 1022
Feature Information 1023
Finding Feature Information 1023
Prerequisites for Port Security 1023
Restrictions for Port Security 1023
Information About Port Security 1023
Port Security 1023
Types of Secure MAC Addresses 1024
Sticky Secure MAC Addresses 1024
Security Violations 1024
Port Security Aging 1026
Port Security and Switch Stacks 1026
Default Port Security Configuration 1026
Port Security Configuration Guidelines 1026
How to Configure Port Security 1028
Enabling and Configuring Port Security 1028
Enabling and Configuring Port Security Aging 1033
Configuring Port Security and Private VLANs 1035
Monitoring Port Security 1036
Configuration Examples for Port Security 1037
Where to Go Next 1038
Additional References 1038
Feature Information 1038
Finding Feature Information 1038
Information About Protocol Storm Protection 1039
Protocol Storm Protection 1039
Default Protocol Storm Protection Configuration 1039
How to Configure Protocol Storm Protection 1040
Enabling Protocol Storm Protection 1040
Monitoring Protocol Storm Protection 1041
Where to Go Next 1041
Additional References 1041
Feature Information 1042
CHAPTER 52
Configuring Cisco TrustSec 1043
Information about Cisco TrustSec 1043
Finding Feature Information 1043
Feature Information for Cisco TrustSec 1044
CHAPTER 53
Configuring IPv6 First Hop Security 1045
Finding Feature Information 1045
Prerequisites for First Hop Security in IPv6 1045
Restrictions for First Hop Security in IPv6 1046
Information about First Hop Security in IPv6 1046
How to Configure an IPv6 Snooping Policy 1048
How to Attach an IPv6 Snooping Policy to an Interface 1050
How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface 1051
How to Attach an IPv6 Snooping Policy to VLANs Globally 1052
How to Configure the IPv6 Binding Table Content 1053
How to Configure an IPv6 Neighbor Discovery Inspection Policy 1054
How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface 1056
How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface 1057
How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally 1058
How to Configure an IPv6 Router Advertisement Guard Policy 1059
How to Attach an IPv6 Router Advertisement Guard Policy to an Interface 1061
How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface 1062
How to Attach an IPv6 Router Advertisement Guard Policy to VLANs Globally 1064
How to Configure an IPv6 DHCP Guard Policy 1064
How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface 1067
How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface 1068
How to Attach an IPv6 DHCP Guard Policy to VLANs Globally 1069
Additional References 1070
CHAPTER 54
Managing Rogue Devices 1071
Finding Feature Information 1071
Information About Rogue Devices 1071
Validating Rogue Devices Using MSE 1076
How to Configure Rogue Detection 1076
Configuring Rogue Detection (CLI) 1076
Configuring Rogue Detection (GUI) 1078
Monitoring Rogue Detection 1079
Examples: Rogue Detection Configuration 1080
Additional References for Rogue Detection 1080
Feature History and Information For Performing Rogue Detection Configuration 1081
CHAPTER 55
Classifying Rogue Access Points 1083
Finding Feature Information 1083
Information About Classifying Rogue Access Points 1083
Restrictions on Classifying Rogue Access Points 1086
How to Classify Rogue Access Points 1087
Configuring Rogue Classification Rules (CLI) 1087
Configuring Rogue Classification Rules (GUI) 1090
Viewing and Classifying Rogue Devices (GUI) 1092
Examples: Classifying Rogue Access Points 1094
Additional References for Classifying Rogue Access Points 1094
Feature History and Information For Classifying Rogue Access Points 1095
CHAPTER 56
Configuring wIPS 1097
Finding Feature Information 1097
Information About wIPS 1097
How to Configure wIPS on an Access Point 1104
Configuring wIPS on an Access Point (CLI) 1104
Configuring wIPS on an Access Point (GUI) 1105
Monitoring wIPS Information 1105
Examples: wIPS Configuration 1105
Additional References for Configuring wIPS 1106
Feature History for Performing wIPS Configuration 1106
CHAPTER 57
Configuring Wireless Guest Access 1107
Finding Feature Information 1107
Prerequisites for Guest Access 1107
Restrictions for Guest Access 1108
Information about Wireless Guest Access 1108
Fast Secure Roaming 1108
How to Configure Guest Access 1109
Creating a Lobby Administrator Account 1109
Configuring Guest User Accounts 1110
Configuring Mobility Agent (MA) 1111
Configuring Mobility Controller 1113
Configuring Guest Controller 1114
Obtaining a Web Authentication Certificate 1116
Displaying a Web Authentication Certificate 1116
Choosing the Default Web Authentication Login Page 1117
Choosing a Customized Web Authentication Login Page from an External Web Server 1118
Assigning Login, Login Failure, and Logout Pages per WLAN 1120
Configuring AAA-Override 1121
Configuring Client Load Balancing 1122
Configuring Preauthentication ACL 1123
Configuring IOS ACL Definition 1124
Configuring Webpassthrough 1125
Configuration Examples for Guest Access 1126
Example: Creating a Lobby Ambassador Account 1126
Example: Obtaining Web Authentication Certificate 1126
Example: Displaying a Web Authentication Certificate 1128
Example: Configuring Guest User Accounts 1128
Example: Configuring Mobility Controller 1129
Example: Choosing the Default Web Authentication Login Page 1130
Example: Choosing a Customized Web Authentication Login Page from an IPv4 External Web Server 1130
Example: Assigning Login, Login Failure, and Logout Pages per WLAN 1131
Example: Configuring AAA-Override 1131
Example: Configuring Client Load Balancing 1131
Example: Configuring Preauthentication ACL 1131
Example: Configuring IOS ACL Definition 1132
Example: Configuring Webpassthrough 1132
Additional References for Guest Access 1132
Feature History and Information for Guest Access 1133
CHAPTER 58
Configuring Intrusion Detection System 1135
Finding Feature Information 1135
Information About Intrusion Detection System 1135
How to Configure Intrusion Detection System 1136
Configuring IDS Sensors 1136
Monitoring Intrusion Detection System 1137
PART IX
Layer 2 (Link Aggregation) 1139
CHAPTER 59
Configuring EtherChannels 1141
Finding Feature Information 1141
Restrictions for EtherChannels 1141
Information About EtherChannels 1142
EtherChannel Overview 1142
EtherChannel Modes 1142
EtherChannel on Controllers 1143
EtherChannel Link Failover 1145
Channel Groups and Port-Channel Interfaces 1145
Port Aggregation Protocol 1146
PAgP Modes 1146
PAgP Learn Method and Priority 1147
PAgP Interaction with Other Features 1148
Link Aggregation Control Protocol 1148
LACP Modes 1149
LACP and Link Redundancy 1149
LACP Interaction with Other Features 1150
EtherChannel On Mode 1150
Load-Balancing and Forwarding Methods 1150
MAC Address Forwarding 1151
IP Address Forwarding 1151
Load-Balancing Advantages 1152
EtherChannel and Controller Stacks 1153
Controller Stack and PAgP 1153
Controller Stacks and LACP 1154
Default EtherChannel Configuration 1154
EtherChannel Configuration Guidelines 1155
Layer 2 EtherChannel Configuration Guidelines 1156
Layer 3 EtherChannel Configuration Guidelines 1157
How to Configure EtherChannels 1157
Configuring Layer 2 EtherChannels (CLI) 1157
Configuring Layer 3 EtherChannels (CLI) 1160
Configuring EtherChannel Load-Balancing (CLI) 1162
Configuring EtherChannel Extended Load-Balancing (CLI) 1163
Configuring the PAgP Learn Method and Priority (CLI) 1164
Configuring LACP Hot-Standby Ports 1166
Configuring the LACP Max Bundle Feature (CLI) 1166
Configuring LACP Port-Channel Standalone Disable 1167
Configuring the LACP Port Channel Min-Links Feature (CLI) 1168
Configuring the LACP System Priority (CLI) 1169
Configuring the LACP Port Priority (CLI) 1170
Monitoring EtherChannel, PAgP, and LACP Status 1172
Configuration Examples for Configuring EtherChannels 1173
Configuring Layer 2 EtherChannels: Examples 1173
Configuring Layer 3 EtherChannels: Examples 1174
Configuring LACP Hot-Standby Ports: Example 1174
Additional References for EtherChannels 1175
Feature Information for EtherChannels 1176
CHAPTER 60
Configuring UniDirectional Link Detection 1177
Finding Feature Information 1177
Restrictions for Configuring UDLD 1177
Information About UDLD 1178
Modes of Operation 1178
Normal Mode 1178
Aggressive Mode 1178
Methods to Detect Unidirectional Links 1179
Neighbor Database Maintenance 1179
Event-Driven Detection and Echoing 1180
UDLD Reset Options 1180
Default UDLD Configuration 1180
How to Configure UDLD 1181
Enabling UDLD Globally (CLI) 1181
Enabling UDLD on an Interface (CLI) 1182
Monitoring and Maintaining UDLD 1183
Additional References for UDLD 1184
Feature Information for UDLD 1184
PART X
WLAN 1185
CHAPTER 61
WLANs 1187
Finding Feature Information 1187
Information About WLANs 1187
Band Selection 1188
Off-Channel Scanning Defer 1188
DTIM Period 1188
Session Timeouts 1189
Cisco Client Extensions 1189
Peer-to-Peer Blocking 1190
Diagnostic Channel 1190
Per-WLAN Radius Source Support 1190
Prerequisites for WLANs 1191
Restrictions for WLANs 1191
How to Configure WLANs 1194
Creating WLANs (CLI) 1194
Creating WLANs (GUI) 1195
Deleting WLANs (CLI) 1196
Deleting WLANs (GUI) 1196
Searching WLANs (CLI) 1197
Searching WLANs (GUI) 1197
Enabling WLANs (CLI) 1198
Disabling WLANs (CLI) 1198
Configuring General WLAN Properties (CLI) 1199
Configuring General WLAN Properties (GUI) 1201
Configuring Advanced WLAN Properties (CLI) 1203
Configuring Advanced WLAN Properties (GUI) 1205
Applying a QoS Policy on a WLAN (GUI) 1208
Monitoring WLAN Properties (CLI) 1210
Viewing WLAN Properties (GUI) 1210
Where to Go Next 1211
Additional References 1211
Feature Information for WLANs 1212
CHAPTER 62
DHCP for WLANs 1213
Information About the Dynamic Host Configuration Protocol 1213
Internal DHCP Servers 1213
External DHCP Servers 1214
DHCP Assignments 1214
Information About DHCP Option 82 1215
Configuring DHCP Scopes 1215
Information About Internal DHCP Server 1215
Prerequisites for Configuring DHCP for WLANs 1216
Restrictions for Configuring DHCP for WLANs 1217
How to Configure DHCP for WLANs 1217
Configuring DHCP for WLANs (CLI) 1217
Configuring DHCP Scopes (CLI) 1219
Additional References 1220
Feature Information for DHCP for WLANs 1221
CHAPTER 63
WLAN Security 1223
Finding Feature Information 1223
Prerequisites for Layer 2 Security 1223
Information About AAA Override 1224
How to Configure WLAN Security 1224
Configuring Static WEP + 802.1X Layer 2 Security Parameters (CLI) 1224
Configuring Static WEP Layer 2 Security Parameters (CLI) 1225
Configuring WPA + WPA2 Layer 2 Security Parameters (CLI) 1226
Configuring 802.1X Layer 2 Security Parameters (CLI) 1228
Configuring Layer 2 Parameters (GUI) 1229
Additional References 1232
Feature Information about WLAN Layer 2 Security 1233
CHAPTER 64
Setting Client Count Per WLAN 1235
Finding Feature Information 1235
Restrictions for Setting Client Count for WLANs 1235
Information About Setting the Client Count per WLAN 1236
How to Configure Client Count Per WLAN 1236
Configuring Client Count per WLAN (CLI) 1236
Configuring Client Count Per AP Per WLAN (CLI) 1237
Configuring Client Count per AP Radio per WLAN (CLI) 1238
Monitoring Client Connections (CLI) 1238
Additional References for Client Connections 1239
Feature Information about Client Connections Per WLAN 1240
CHAPTER 65
802.11w 1241
Finding Feature Information 1241
Prerequisites for 802.11w 1241
Restrictions for 802.11w 1242
Information About 802.11w 1242
How to Configure 802.11w 1243
Configuring 802.11w (CLI) 1243
Disabling 802.11w (CLI) 1244
Monitoring 802.11w (CLI) 1246
Additional References for 802.11w 1246
Feature Information for 802.11w 1247
CHAPTER 66
Configuring Wi-Fi Direct Client Policy 1249
Finding Feature Information 1249
Restrictions for the Wi-Fi Direct Client Policy 1249
Information About the Wi-Fi Direct Client Policy 1250
How to Configure Wi-Fi Direct Client Policy 1250
Configuring the Wi-Fi Direct Client Policy (CLI) 1250
Disabling Wi-Fi Direct Client Policy (CLI) 1251
Monitoring Wi-Fi Direct Client Policy (CLI) 1252
Additional References for Wi-Fi Direct Client Policy 1252
Feature Information about Wi-Fi Direct Client Policy 1253
CHAPTER 67
Configuring 802.11r BSS Fast Transition 1255
Finding Feature Information 1255
Restrictions for 802.11r Fast Transition 1255
Information About 802.11r Fast Transition 1256
How to Configure 802.11r Fast Transition 1258
Configuring 802.11r Fast Transition in an Open WLAN (CLI) 1258
Configuring 802.11r BSS Fast Transition on a Dot1x Security Enabled WLAN (CLI) 1260
Configuring 802.11r Fast Transition on a PSK Security Enabled WLAN (CLI) 1261
Configuring 802.11 Fast Transition (GUI) 1262
Disabling 802.11r Fast Transition (CLI) 1263
Monitoring 802.11r Fast Transition (CLI) 1264
Additional References for 802.11r Fast Transition 1265
Feature Information for 802.11r Fast Transition 1266
CHAPTER 68
Assisted Roaming 1267
Finding Feature Information 1267
Information About Assisted Roaming 1267
Restrictions for Assisted Roaming 1268
How to Configure Assisted Roaming 1269
Configuring Assisted Roaming (CLI) 1269
Monitoring Assisted Roaming 1270
Configuration Examples for Assisted Roaming 1270
Additional References for Assisted Roaming 1271
Feature History and Information For Performing Assisted Roaming Configuration 1272
CHAPTER 69
Configuring Access Point Groups 1273
Finding Feature Information 1273
Prerequisites for Configuring AP Groups 1273
Restrictions on Configuring Access Point Groups 1274
Information About Access Point Groups 1274
How to Configure Access Point Groups 1275
Creating Access Point Groups 1275
Assigning an Access Point to an AP Group 1276
Viewing Access Point Group 1277
Additional References 1277
Feature History and Information for Access Point Groups 1278
PART XI
Radio Resource Management 1279
CHAPTER 70
Radio Resource Management 1281
Finding Feature Information 1281
Prerequisites for Configuring Radio Resource Management 1281
Restrictions for Radio Resource Management 1282
Information About Radio Resource Management 1282
Radio Resource Monitoring 1283
Information About RF Groups 1283
RF Group Leader 1284
RF Group Name 1285
Mobility Controller 1285
Mobility Agent 1286
Rogue Access Point Detection in RF Groups 1286
Transmit Power Control 1287
Overriding the TPC Algorithm with Minimum and Maximum Transmit Power Settings 1287
Dynamic Channel Assignment 1287
Coverage Hole Detection and Correction 1289
How to Configure RRM 1290
Configuring Advanced RRM CCX Parameters (CLI) 1290
Configuring Neighbor Discovery Type (CLI) 1290
Configuring RRM Profile Thresholds, Monitoring Channels, and Monitoring Intervals (GUI) 1291
Configuring RF Groups 1292
Configuring the RF Group Mode (GUI) 1292
Configuring RF Group Selection Mode (CLI) 1293
Configuring an RF Group Name (CLI) 1294
Configuring an RF Group Name (GUI) 1294
Configuring Members in a 802.11 Static RF Group (CLI) 1295
Configuring Transmit Power Control 1295
Configuring the Tx-Power Control Threshold (CLI) 1295
Configuring the Tx-Power Level (CLI) 1296
Configuring Transmit Power Control (GUI) 1297
Configuring 802.11 RRM Parameters 1298
Configuring Advanced 802.11 Channel Assignment Parameters (CLI) 1298
Configuring Dynamic Channel Assignment (GUI) 1301
Configuring 802.11 Coverage Hole Detection (CLI) 1303
Configuring Coverage Hole Detection (GUI) 1305
Configuring 802.11 Event Logging (CLI) 1306
Configuring 802.11 Statistics Monitoring (CLI) 1306
Configuring the 802.11 Performance Profile (CLI) 1308
Configuring Rogue Access Point Detection in RF Groups 1309
Configuring Rogue Access Point Detection in RF Groups (CLI) 1309
Enabling Rogue Access Point Detection in RF Groups (GUI) 1310
Monitoring RRM Parameters and RF Group Status 1311
Monitoring RRM Parameters 1311
Monitoring RF Group Status (CLI) 1312
Monitoring RF Group Status (GUI) 1312
Examples: RF Group Configuration 1313
Information About ED-RRM 1313
Configuring ED-RRM on the Cisco Wireless LAN Controller (CLI) 1313
Configuring ED-RRM (GUI) 1314
Additional References for Radio Resource Management 1315
Feature History and Information For Performing Radio Resource Management Configuration 1315
PART XII
Lightweight Access Points 1317
CHAPTER 71
Configuring the Controller for Access Point Discovery 1319
Finding Feature Information 1319
Prerequisites for Configuring the Controller for Access Point Discovery 1319
Restrictions for Configuring the Controller for Access Point Discovery 1320
Information About Configuring the Controller for Access Point Discovery 1320
Access Point Communication Protocols 1321
Viewing Access Point Join Information 1321
Troubleshooting the Access Point Join Process 1321
How to Configure Access Point Discovery 1322
Configuring the Syslog Server for Access Points (CLI) 1322
Monitoring Access Point Join Information (CLI) 1322
Configuration Examples for Configuring the Controller for Access Point Discovery 1324
Displaying the MAC Addresses of all Access Points: Example 1324
DHCP Option 43 for Lightweight Cisco Aironet Access Points Configuration Example 1325
CHAPTER 72
Configuring Data Encryption 1327
Finding Feature Information 1327
Prerequisites for Configuring Data Encryption 1327
Restrictions for Configuring Data Encryption 1327
Information About Data Encryption 1328
How to Configure Data Encryption 1328
Configuring Data Encryption (CLI) 1328
Configuring Data Encryption (GUI) 1329
Configuration Examples for Configuring Data Encryption 1329
Displaying Data Encryption States for all Access Points: Examples 1329
CHAPTER 73
Configuring Retransmission Interval and Retry Count 1331
Finding Feature Information 1331
Prerequisites for Configuring the Access Point Retransmission Interval and Retry Count 1331
Information About Retransmission Interval and Retry Count 1332
How to Configure Access Point Retransmission Interval and Retry Count 1332
Configuring the Access Point Retransmission Interval and Retry Count (CLI) 1332
Configuring the Access Point Retransmission Interval and Retry Count (GUI) 1333
Viewing CAPWAP Maximum Transmission Unit Information (CLI) 1334
Viewing CAPWAP Maximum Transmission Unit Information (GUI) 1335
Configuration Examples for Configuring Access Point Retransmission Interval and Retry Count 1335
Viewing the CAPWAP Retransmission Details: Example 1335
Viewing Maximum Transmission Unit Information: Example 1335
CHAPTER 74
Configuring Adaptive Wireless Intrusion Prevention System 1337
Finding Feature Information 1337
Prerequisites for Configuring wIPS 1337
How to Configure wIPS on Access Points 1337
Configuring wIPS on an Access Point (CLI) 1337
Configuring wIPS on an Access Point (GUI) 1339
Monitoring wIPS Information 1339
Configuration Examples for Configuring wIPS on Access Points 1340
Displaying the Monitor Configuration Channel Set: Example 1340
Displaying wIPS Information: Examples 1341
CHAPTER 75
Configuring Authentication for Access Points 1343
Finding Feature Information 1343
Prerequisites for Configuring Authentication for Access Points 1343
Restrictions for Configuring Authentication for Access Points 1344
Information about Configuring Authentication for Access Points 1344
How to Configure Authentication for Access Points 1344
Configuring Global Credentials for Access Points (CLI) 1344
Configuring Authentication for Access Points (CLI) 1346
Configuring the Switch for Authentication (CLI) 1348
Configuration Examples for Configuring Authentication for Access Points 1350
Displaying the Authentication Settings for Access Points: Examples 1350
CHAPTER 76
Converting Autonomous Access Points to Lightweight Mode 1351
Finding Feature Information 1351
Guidelines for Converting Autonomous Access Points to Lightweight Mode 1351
Information About Autonomous Access Points Converted to Lightweight Mode 1352
Reverting from Lightweight Mode to Autonomous Mode 1352
Using DHCP Option 43 and DHCP Option 60 1352
How Converted Access Points Send Crash Information to the Controller 1353
Uploading Memory Core Dumps from Converted Access Points 1353
Displaying MAC Addresses for Converted Access Points 1353
Configuring a Static IP Address for a Lightweight Access Point 1353
How to Convert a Lightweight Access Point Back to an Autonomous Access Point 1354
Converting a Lightweight Access Point Back to an Autonomous Access Point (CLI) 1354
Converting a Lightweight Access Point Back to an Autonomous Access Point (Using the Mode Button and a TFTP Server) 1354
Authorizing Access Points (CLI) 1355
Authorizing Access Points (GUI) 1356
Disabling the Reset Button on Converted Access Points (CLI) 1357
Monitoring the AP Crash Log Information 1358
How to Configure a Static IP Address on an Access Point 1358
Configuring a Static IP Address on an Access Point (CLI) 1358
Configuring a Static IP Address on an Access Point (GUI) 1360
Recovering the Access Point Using the TFTP Recovery Procedure 1361
Configuration Examples for Converting Autonomous Access Points to Lightweight Mode 1361
Example: Displaying the IP Address Configuration for Access Points 1361
Example: Displaying Access Point Crash File Information 1361
CHAPTER 77
Using Cisco Workgroup Bridges 1363
Finding Feature Information 1363
Information About Cisco Workgroup Bridges and non-Cisco Workgroup bridges 1363
Monitoring the Status of Workgroup Bridges 1364
Debugging WGB Issues (CLI) 1364
Configuration Examples for Configuring Workgroup Bridges 1366
WGB Configuration: Example 1366
CHAPTER 78
Configuring Backup Controllers and Failover Priority for Access Points 1367
Finding Feature Information 1367
Prerequisites for Configuring Backup Controllers and Failover Priority for Access Points 1367
Restrictions for Configuring Backup Controllers and Failover Priority for Access Points 1368
Information About Configuring Backup Controllers 1369
Configuring Failover Priority for Access Points 1369
Optimizing RFID Tracking on Access Points 1369
Retrieving the Unique Device Identifier on Controllers and Access Points 1369
How to Configure Backup Controllers for Access Points 1369
Configuring Backup Controllers for Access Points (CLI) 1369
Configuring Backup Controllers for Access Points (GUI) 1372
How to Configure Failover Priority for Access Points 1373
Configuring Failover Priority for Access Points (CLI) 1373
Retrieving Unique Device Identifier on Controllers (CLI) 1374
Monitoring Failover Priority Settings (CLI) 1375
Configuration Examples for Configuring Backup Controllers and Failover Priority for Access Points 1375
Displaying Access Point Configuration Information: Examples 1375
Displaying Wireless Client Timer Information 1376
Displaying Access Point CAPWAP Summary: Example 1376
CHAPTER 79
Configuring Probe Request Forwarding 1377
Finding Feature Information 1377
Information About Configuring Probe Request Forwarding 1377
How to Configure Probe Request Forwarding (CLI) 1377
CHAPTER 80
Optimizing RFID Tracking 1379
Finding Feature Information 1379
Optimizing RFID Tracking on Access Points 1379
How to Optimize RFID Tracking on Access Points 1379
Optimizing RFID Tracking on Access Points (CLI) 1379
Configuration Examples for Optimizing RFID Tracking 1381
Displaying all the Access Points in Monitor Mode: Example 1381
CHAPTER 81
Country Codes 1383
Finding Feature Information 1383
Information About Country Codes 1383
Prerequisites for Configuring Country Codes 1384
How to Configure Country Codes 1384
Configuration Examples for Configuring Country Codes 1387
Displaying Channel List for Country Codes: Example 1387
CHAPTER 82
Configuring Link Latency 1389
Finding Feature Information 1389
Prerequisites for Configuring Link Latency 1389
Restrictions for Configuring Link Latency 1389
Information About Configuring Link Latency 1390
TCP MSS 1390
Link Tests 1390
How to Configure Link Latency 1391
Configuring Link Latency (CLI) 1391
Configuring Link Latency (GUI) 1393
How to Configure TCP MSS 1394
Configuring TCP MSS (CLI) 1394
Configuring TCP MSS (GUI) 1394
Performing a Link Test (CLI) 1395
Configuration Examples for Configuring Link Latency 1396
Running a Link Test: Example 1396
Displaying Link Latency Information: Example 1396
Displaying TCP MSS Settings: Example 1397
CHAPTER 83
Configuring Power over Ethernet 1399
Finding Feature Information 1399
Information About Configuring Power over Ethernet 1399
How to Configure Power over Ethernet 1399
Configuring Power over Ethernet (CLI) 1399
Configuring Power over Ethernet (GUI) 1400
Configuration Examples for Configuring Power over Ethernet 1402
Displaying Power over Ethernet Information: Example 1402
CHAPTER 84
Configuring LED States for Access Points 1403
Finding Feature Information 1403
Prerequisites for Configuring LED States for Access Points 1403
Restrictions for Configuring LED States for Access Points 1403
Information About Configuring LED States for Access Points 1403
How to Configure LED State of an Access Point in a Network Globally 1404
Configuring the LED State of an Access Point in a Network Globally (CLI) 1404
Configuring LED State of Access Points in a Network Globally (GUI) 1404
Configuring the LED State on an Access Point 1405
Configuration Examples for Configuring LED States for Access Points 1405
Displaying an Access Point Summary: Example 1405
PART XIII
CleanAir 1407
CHAPTER 85
Cisco CleanAir 1409
Finding Feature Information 1409
Prerequisites for CleanAir 1409
Restrictions for CleanAir 1410
Information About Cisco CleanAir 1411
Cisco CleanAir Components 1411
Cisco CleanAir-Related Terms 1413
Interference Types that Cisco CleanAir can Detect 1414
Interference Device Merging 1415
Persistent Devices 1415
Persistent Devices Detection 1415
Persistent Device Avoidance 1415
EDRRM and AQR Update Mode 1415
CleanAir High Availability 1416
How to Configure CleanAir 1416
Enabling CleanAir for the 2.4-GHz Band 1416
Configuring a CleanAir Alarm for 2.4-GHz Air-Quality and Devices 1417
Configuring Interference Reporting for a 2.4-GHz Device 1418
Enabling CleanAir for the 5-GHz Band 1420
Configuring a CleanAir Alarm for 5-GHz Air-Quality and Devices 1421
Configuring Interference Reporting for a 5-GHz Device 1422
Configuring EDRRM for a CleanAir Event 1423
Configuring Persistent Device Avoidance 1424
Configuring Cisco CleanAir using the Controller GUI 1425
Configuring Cisco CleanAir on the Cisco Wireless LAN Controller (GUI) 1425
Configuring Cisco CleanAir on an Access Point (GUI) 1427
Configuring Cisco Spectrum Expert 1427
Configuring Spectrum Expert (GUI) 1427
Configuring Spectrum Expert (CLI) 1428
Monitoring CleanAir Parameters 1430
Monitoring Interference Devices 1432
Monitoring the Interference Devices (GUI) 1433
Monitoring the Worst Air Quality of Radio Bands (GUI) 1433
Configuration Examples for CleanAir 1434
CleanAir FAQs 1435
Additional References 1437
PART XIV
IPv6 1439
CHAPTER 86
IPv6 Client IP Address Learning 1441
Prerequisites for IPv6 Client Address Learning 1441
Restrictions for IPv6 Client Address Learning 1441
Information About IPv6 Client Address Learning 1442
SLAAC Address Assignment 1442
Stateful DHCPv6 Address Assignment 1443
Static IP Address Assignment 1444
Router Solicitation 1445
Router Advertisement 1445
Neighbor Discovery 1445
Neighbor Discovery Suppression 1445
RA Guard 1446
RA Throttling 1447
Configuring IPv6 Unicast 1447
Configuring RA Guard Policy 1448
Applying RA Guard Policy 1449
Configuring RA Throttle Policy (CLI) 1450
Applying RA Throttle Policy on VLAN (CLI) 1451
Configuring IPv6 Snooping 1452
Configuring IPv6 ND Suppress Policy 1453
Configuring IPv6 Snooping on VLAN/PortChannel 1454
Configuring IPv6 on Controller Interface 1455
Configuring DHCP Pool 1456
Configuring Stateless Auto Address Configuration Without DHCP (CLI) 1457
Configuring Stateless Auto Address Configuration With DHCP 1459
Configuring Stateful DHCP Locally 1460
Configuring Stateful DHCP Externally 1463
Monitoring IPv6 Clients (GUI) 1465
Verifying IPv6 Address Learning Configuration 1465
Additional References 1466
Feature Information for IPv6 Client Address Learning 1466
CHAPTER 87
Configuring IPv6 WLAN Security 1469
Prerequisites for IPv6 WLAN Security 1469
Restrictions for IPv6 WLAN Security 1469
Information About IPv6 WLAN Security 1469
How to Configure IPv6 WLAN Security 1472
Configuring Local Authentication 1472
Creating a Local User 1472
Creating a Client VLAN and Interface 1472
Configuring an EAP Profile 1474
Creating a Local Authentication Model 1476
Creating a Client WLAN 1478
Configuring Local Authentication with WPA2+AES 1479
Configuring External RADIUS Server 1483
Configuring RADIUS Authentication Server Host 1483
Configuring RADIUS Authentication Server Group 1484
Creating a Client VLAN 1486
Creating 802.1x WLAN Using an External RADIUS Server 1487
Additional References 1488
Feature Information for IPv6 WLAN Security 1489
CHAPTER 88
IPv6 ACL 1491
Prerequisites for Configuring IPv6 ACL 1491
Restrictions for Configuring IPv6 ACL 1491
Information About IPv6 ACL 1492
Understanding IPv6 ACLs 1492
Types of ACL 1493
Per User IPv6 ACL 1493
Filter ID IPv6 ACL 1494
Downloadable IPv6 ACL 1494
IPv6 ACLs and Switch Stacks 1494
Configuring IPv6 ACLs 1494
Default IPv6 ACL Configuration 1495
Interaction with Other Features and Switches 1495
How To Configure an IPv6 ACL 1496
Creating an IPv6 ACL 1496
Applying an IPv6 to an Interface 1499
Creating WLAN IPv6 ACL 1501
Verifying IPv6 ACL 1502
Displaying IPv6 ACLs 1502
Configuration Examples for IPv6 ACL 1502
Example: Creating an IPv6 ACL 1502
Example: Applying IPv6 ACLs 1503
Example: Displaying IPv6 ACLs 1503
Example: Configuring RA Throttling and NS Suppression 1503
Configuring RA Guard Policy 1505
Configuring IPv6 Neighbor Binding 1507
Additional References 1507
Feature Information for IPv6 ACLs 1508
CHAPTER 89
Configuring IPv6 Web Authentication 1509
Prerequisites for IPv6 Web Authentication 1509
Restrictions for IPv6 Web Authentication 1509
Information About IPv6 Web Authentication 1510
Web Authentication Process 1510
How to Configure IPv6 Web Authentication 1511
Disabling WPA 1511
Enabling Security on the WLAN 1512
Enabling a Parameter Map on the WLAN 1513
Enabling Authentication List on WLAN 1513
Configuring a Global WebAuth WLAN Parameter Map 1513
Configuring the WLAN 1514
Enabling IPv6 in Global Configuration Mode 1516
Verifying IPv6 Web Authentication 1516
Verifying the Parameter Map 1516
Verifying Authentication List 1517
Additional References 1518
Feature Information for IPv6 Web Authentication 1519
CHAPTER 90
IPv6 Client Mobility 1521
Prerequisites for IPv6 Client Mobility 1521
Restrictions For IPv6 Client Mobility 1521
Information About IPv6 Client Mobility 1521
Using Router Advertisement 1522
RA Throttling and NS suppression 1523
IPv6 Address Learning 1523
Handling Multiple IP Addresses 1524
IPv6 Configuration 1524
High Availability 1524
Verifying IPv6 Client Mobility 1525
Monitoring IPv6 Client Mobility 1525
Additional References 1526
Feature Information for IPv6 Client Mobility 1527
CHAPTER 91
Configuring IPv6 Mobility 1529
Pre-requisites for IPv6 Mobility 1529
Information About IPv6 Mobility 1529
Inter Controller Roaming 1529
Intra Subnet Roaming with Sticky Anchoring, and Inter Subnet Roaming 1530
How to Configure IPv6 Mobility 1530
Monitoring IPv6 Mobility 1530
Additional References 1532
Feature Information for IPv6 Mobility 1533
CHAPTER 92
Configuring IPv6 NetFlow 1535
Prerequisites For IPv6 Netflow 1535
Restrictions For IPv6 Netflow 1535
Information About IPv6 Netflow 1536
Understanding Flexible Netflow 1536
IPv6 Netflow 1537
How To Configure IPv6 Netflow 1537
Configuring a Customized Flow Record 1537
Configuring the Flow Exporters 1540
Configuring a Customized Flow Monitor 1542
Applying a Flow Monitor to an Interface 1544
Configuring and Enabling Flow Sampling 1546
Verifying IPv6 Netflow 1548
Monitoring IPv6 Netflow 1548
Additional References 1549
Feature Information for IPv6 NetFlow 1550
PART XV
Flexible Netflow 1551
CHAPTER 93
Configuring Flexible NetFlow 1553
Finding Feature Information 1553
Prerequisites 1553
Prerequisites for Flexible NetFlow 1553
Prerequisites for Wireless Flexible NetFlow 1554
Restrictions 1555
Restrictions for Flexible NetFlow 1555
Restrictions for Wireless Flexible NetFlow 1556
Information About NetFlow 1557
Overview 1557
Wireless Flexible NetFlow Overview 1558
Flow Records 1559
Flexible NetFlow Match Parameters 1559
Flexible NetFlow Collect Parameters 1561
Exporters 1562
Export Formats 1563
Monitors 1564
Samplers 1564
Supported Flexible NetFlow Fields 1564
Default Settings 1568
How to Configure Flexible Netflow 1568
Creating a Flow Record 1569
Creating a Flow Exporter 1571
Creating a Flow Monitor 1574
Creating a Sampler 1575
Applying a Flow to an Interface 1577
Configuring a Bridged NetFlow on a VLAN 1578
Configuring Layer 2 NetFlow 1579
Configuring WLAN to Apply Flow Monitor in Data Link Input/Output Direction 1580
Configuring WLAN to Apply Flow Monitor in IPV4 and IPv6 Input/Output Direction 1581
Monitoring Flexible NetFlow 1583
Configuration Examples for Flexible NetFlow 1583
Example: Configuring a Flow 1583
Example: Configuring IPv4 Flexible NetFlow in WLAN (Ingress Direction) 1584
Example: Configuring IPv6 and Transport Flag Flexible NetFlow in WLAN (Egress Direction) 1585
Example: Configuring IPv6 Flexible NetFlow in WLAN (Both Ingress and Egress Directions) 1585
Additional References for NetFlow 1586
Feature Information for Flexible NetFlow 1587
PART XVI
High Availability 1589
CHAPTER 94
Managing Controller Stacks 1591
Finding Feature Information 1591
Pre-requisites for Configuring Controller Stack 1591
Restrictions for Configuring Controller Stack 1592
Information About Controller Stack 1592
Configuring Controller Stack 1593
Switch Stack Membership 1594
Stack Member Numbers 1594
Stack Member Priority Values 1595
Election and Reelection 1596
Enabling the Persistent MAC Address Feature 1596
Assigning a Stack Member Number 1598
Setting the Stack Member Priority Value 1599
Displaying Incompatible Switches in the Switch Stack 1600
Upgrading an Incompatible Switch in the Switch Stack 1600
CHAPTER 95
Configuring High Availability 1603
Finding Feature Information 1603
Information about High Availability 1603
Information About Redundancy 1604
Configuring Redundancy in Access Points 1604
Configuring Heartbeat Messages 1605
Information about Access Point Stateful Switch Over 1606
Initiating Graceful Switchover 1606
Configuring EtherChannels for High Availability 1606
Configuring LACP 1607
Troubleshooting High Availability 1608
Access the Standby Console 1608
Before a Switchover 1609
After a Switchover 1610
Viewing Redundancy Switchover History (GUI) 1611
Viewing Switchover States (GUI) 1611
Monitoring the Controller Stack 1612
LACP Configuration: Example 1613
Flex Link Configuration: Example 1615
PART XVII
Network Management 1619
CHAPTER 96
Configuring Cisco IOS Configuration Engine 1621
Prerequisites for Configuring the Configuration Engine 1621
Restrictions for Configuring the Configuration Engine 1621
Information About Configuring the Configuration Engine 1622
Cisco Configuration Engine Software 1622
Configuration Service 1623
Event Service 1623
NameSpace Mapper 1624
Cisco Networking Services IDs and Device Hostnames 1624
ConfigID 1624
DeviceID 1624
Hostname and DeviceID 1625
Hostname, DeviceID, and ConfigID 1625
Cisco IOS CNS Agents 1625
Initial Configuration 1625
Incremental (Partial) Configuration 1626
Synchronized Configuration 1626
Automated CNS Configuration 1626
How to Configure the Configuration Engine 1627
Enabling the CNS Event Agent 1627
Enabling the Cisco IOS CNS Agent 1629
Enabling an Initial Configuration for Cisco IOS CNS Agent 1631
Refreshing DeviceIDs 1635
Enabling a Partial Configuration for Cisco IOS CNS Agent 1637
Monitoring CNS Configurations 1639
Additional References 1640
Feature History and Information for the Configuration Engine 1641
CHAPTER 97
Configuring the Cisco Discovery Protocol 1643
Information About CDP 1643
Cisco Discovery Protocol Overview 1643
CDP and Stacks 1644
Default Cisco Discovery Protocol Configuration 1644
How to Configure CDP 1644
Configuring Cisco Discovery Protocol Characteristics 1644
Disabling Cisco Discovery Protocol 1646
Enabling Cisco Discovery Protocol 1647
Disabling Cisco Discovery Protocol on an Interface 1648
Enabling Cisco Discovery Protocol on an Interface 1650
Monitoring and Maintaining Cisco Discovery Protocol 1651
Additional References 1652
Feature History and Information for Cisco Discovery Protocol 1653
CHAPTER 98
Configuring Simple Network Management Protocol 1655
Finding Feature Information 1655
Prerequisites for SNMP 1655
Restrictions for SNMP 1657
Information About SNMP 1658
SNMP Overview 1658
SNMP Manager Functions 1658
SNMP Agent Functions 1658
SNMP Community Strings 1659
SNMP MIB Variables Access 1659
SNMP Notifications 1660
SNMP ifIndex MIB Object Values 1660
SNMP ifIndex MIB Object Values 1661
Default SNMP Configuration 1661
SNMP Configuration Guidelines 1661
How to Configure SNMP 1662
Disabling the SNMP Agent 1662
Configuring Community Strings 1663
Configuring SNMP Groups and Users 1666
Configuring SNMP Notifications 1669
Setting the Agent Contact and Location Information 1673
Limiting TFTP Servers Used Through SNMP 1675
Configuring Trap Flags for SNMP 1676
Enabling SNMP Wireless Trap Notification 1678
Monitoring SNMP Status 1679
SNMP Examples 1680
Additional References 1681
Feature History and Information for Simple Network Management Protocol 1682
CHAPTER 99
Configuring Service Level Agreements 1683
Finding Feature Information 1683
Restrictions on SLAs 1683
Information About SLAs 1684
Cisco IOS IP Service Level Agreements (SLAs) 1684
Network Performance Measurement with Cisco IOS IP SLAs 1685
IP SLA Responder and IP SLA Control Protocol 1686
Response Time Computation for IP SLAs 1687
IP SLAs Operation Scheduling 1688
IP SLA Operation Threshold Monitoring 1688
UDP Jitter 1689
How to Configure IP SLAs Operations 1689
Default Configuration 1690
Configuration Guidelines 1690
Configuring the IP SLA Responder 1690
Implementing IP SLA Network Performance Measurement 1692
Analyzing IP Service Levels by Using the UDP Jitter Operation 1696
Analyzing IP Service Levels by Using the ICMP Echo Operation 1699
Monitoring IP SLA Operations 1703
Monitoring IP SLA Operation Examples 1703
Additional References 1704
Feature History and Information for Service Level Agreements 1705
CHAPTER 100
Configuring SPAN and RSPAN 1707
Prerequisites for SPAN and RSPAN 1707
Restrictions for SPAN and RSPAN 1707
Information About SPAN and RSPAN 1709
SPAN and RSPAN 1709
Local SPAN 1709
Remote SPAN 1710
SPAN and RSPAN Concepts and Terminology 1711
SPAN and RSPAN Interaction with Other Features 1716
SPAN and RSPAN and Device Stacks 1717
Flow-Based SPAN 1717
Default SPAN and RSPAN Configuration 1718
Configuration Guidelines 1718
SPAN Configuration Guidelines 1718
RSPAN Configuration Guidelines 1719
FSPAN and FRSPAN Configuration Guidelines 1719
How to Configure SPAN and RSPAN 1719
Creating a Local SPAN Session 1719
Creating a Local SPAN Session and Configuring Incoming Traffic 1722
Specifying VLANs to Filter 1724
Configuring a VLAN as an RSPAN VLAN 1726
Creating an RSPAN Source Session 1727
Specifying VLANs to Filter 1729
Creating an RSPAN Destination Session 1731
Creating an RSPAN Destination Session and Configuring Incoming Traffic 1733
Configuring an FSPAN Session 1736
Configuring an FRSPAN Session 1738
Monitoring SPAN and RSPAN Operations 1741
SPAN and RSPAN Configuration Examples 1741
Example: Configuring Local SPAN 1741
Examples: Creating an RSPAN VLAN 1743
Additional References 1744
Feature History and Information for SPAN and RSPAN 1745
CHAPTER 101
Configuring Wireshark 1747
Finding Feature Information 1747
Prerequisites for Wireshark 1747
Restrictions for Wireshark 1748
Information About Wireshark 1749
Wireshark Overview 1749
Capture Points 1750
Attachment Points 1750
Filters 1751
Actions 1752
Storage of Captured Packets to Buffer in Memory 1752
Storage of Captured Packets to a .pcap File 1752
Packet Decoding and Display 1753
Packet Storage and Display 1754
Wireshark Capture Point Activation and Deactivation 1754
Wireshark Features 1754
Guidelines for Wireshark 1756
Default Wireshark Configuration 1759
How to Configure Wireshark 1759
Defining a Capture Point 1760
Adding or Modifying Capture Point Parameters 1764
Deleting Capture Point Parameters 1767
Deleting a Capture Point 1768
Activating and Deactivating a Capture Point 1770
Clearing the Capture Point Buffer 1773
Monitoring Wireshark 1775
Configuration Examples for Wireshark 1775
Example: Displaying a Brief Output from a .pcap File 1775
Example: Displaying Detailed Output from a .pcap File 1776
Example: Simple Capture and Display 1777
Example: Simple Capture and Store 1779
Example: Using Buffer Capture 1781
Example: Capture Sessions 1788
Example: Capture and Store in Lock-step Mode 1789
Example: Simple Capture and Store of Packets in Egress Direction 1790
Additional References 1792
Feature History and Information for WireShark 1793
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of
the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any
other company. (1721R)
© 2014 Cisco Systems, Inc. All rights reserved.
Preface
• Document Conventions, on page lxxv
• Related Documentation, on page lxxvii
• Obtaining Documentation and Submitting a Service Request, on page lxxvii
Document Conventions
This document uses the following conventions:
Convention: Description
• ^ or Ctrl: Both the ^ symbol and Ctrl represent the Control (Ctrl) key on a keyboard. For example, the key combination ^D or Ctrl-D means that you hold down the Control key while you press the D key. (Keys are indicated in capital letters but are not case sensitive.)
• bold font: Commands and keywords and user-entered text appear in bold font.
• Italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
• Courier font: Terminal sessions and information the system displays appear in courier font.
• Bold Courier font: Bold Courier font indicates text that the user must enter.
• [x]: Elements in square brackets are optional.
• ...: An ellipsis (three consecutive nonbolded periods without spaces) after a syntax element indicates that the element can be repeated.
• |: A vertical line, called a pipe, indicates a choice within a set of keywords or arguments.
• [x | y]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
• {x | y}: Required alternative keywords are grouped in braces and separated by vertical bars.
• [x {y | z}]: Nested set of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.
• string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
• <>: Nonprinting characters such as passwords are in angle brackets.
• []: Default responses to system prompts are in square brackets.
• !, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Reader Alert Conventions
This document may use the following conventions for reader alerts:
Note
Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Tip
Means the following information will help you solve a problem.
Caution
Means reader be careful. In this situation, you might do something that could result in equipment damage or
loss of data.
Timesaver
Means the described action saves time. You can save time by performing the action described in the paragraph.
Warning
IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work
on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard
practices for preventing accidents. Use the statement number provided at the end of each warning to locate
its translation in the translated safety warnings that accompanied this device. Statement 1071
SAVE THESE INSTRUCTIONS
Related Documentation
Note
Before installing or upgrading the controller, refer to the controller release notes.
• Cisco Catalyst 3850 Series Switches documentation, located at:
http://www.cisco.com/go/cat3850_docs
• Cisco 5700 Series Wireless Controller documentation, located at:
http://www.cisco.com/go/wlc5700_sw
• Cisco Catalyst 3650 Series Switches documentation, located at:
http://www.cisco.com/go/cat3650_docs
• Cisco SFP, SFP+, and QSFP+ modules documentation, including compatibility matrixes, located at:
http://www.cisco.com/en/US/products/hw/modules/ps5455/tsd_products_support_series_home.html
• Cisco Validated Designs documents, located at:
http://www.cisco.com/go/designzone
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information,
see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco
technical documentation, at:
http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.
CHAPTER 1
Using the Command-Line Interface
This chapter contains the following topics:
• Information About Using the Command-Line Interface, on page 1
• How to Use the CLI to Configure Features, on page 6
Information About Using the Command-Line Interface
Command Modes
The Cisco IOS user interface is divided into many different modes. The commands available to you depend
on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands
available for each command mode.
You can start a CLI session through a console connection, through Telnet, through SSH, or by using the browser.
When you start a session, you begin in user mode, often called user EXEC mode. Only a limited subset of
the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time
commands, such as show commands, which show the current configuration status, and clear commands,
which clear counters or interfaces. The user EXEC commands are not saved when the controller reboots.
To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password
to enter privileged EXEC mode. From this mode, you can enter any privileged EXEC command or enter
global configuration mode.
Using the configuration modes (global, interface, and line), you can make changes to the running configuration.
If you save the configuration, these commands are stored and used when the controller reboots. To access the
various configuration modes, you must start at global configuration mode. From global configuration mode,
you can enter interface configuration mode and line configuration mode.
This table describes the main command modes, how to access each one, the prompt you see in that mode, and
how to exit the mode.
Table 1: Command Mode Summary
| Mode | Access Method | Prompt | Exit Method | About This Mode |
| --- | --- | --- | --- | --- |
| User EXEC | Begin a session using Telnet, SSH, or console. | Controller> | Enter logout or quit. | Use this mode to • Change terminal settings. • Perform basic tests. • Display system information. |
| Privileged EXEC | While in user EXEC mode, enter the enable command. | Controller# | Enter disable to exit. | Use this mode to verify commands that you have entered. Use a password to protect access to this mode. Use this mode to execute privilege EXEC commands for access points. These commands are not part of the running config of the controller, they are sent to the IOS config of the access point. |
| Global configuration | While in privileged EXEC mode, enter the configure command. | Controller(config)# | To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z. | Use this mode to configure parameters that apply to the entire controller. Use this mode to configure access point commands that are part of the running config of the controller. |
| VLAN configuration | While in global configuration mode, enter the vlan vlan-id command. | Controller(config-vlan)# | To exit to global configuration mode, enter the exit command. To return to privileged EXEC mode, press Ctrl-Z or enter end. | Use this mode to configure VLAN parameters. When VTP mode is transparent, you can create extended-range VLANs (VLAN IDs greater than 1005) and save configurations in the controller startup configuration file. |
| Interface configuration | While in global configuration mode, enter the interface command (with a specific interface). | Controller(config-if)# | To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end. | Use this mode to configure parameters for the Ethernet ports. |
| Line configuration | While in global configuration mode, specify a line with the line vty or line console command. | Controller(config-line)# | To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end. | Use this mode to configure parameters for the terminal line. |
Understanding Abbreviated Commands
You need to enter only enough characters for the controller to recognize the command as unique.
This example shows how to enter the show configuration privileged EXEC command in an abbreviated form:
Controller# show conf
No and Default Forms of Commands
Almost every configuration command also has a no form. In general, use the no form to disable a feature or
function or reverse the action of a command. For example, the no shutdown interface configuration command
reverses the shutdown of an interface. Use the command without the keyword no to reenable a disabled feature
or to enable a feature that is disabled by default.
Configuration commands can also have a default form. The default form of a command returns the command
setting to its default. Most commands are disabled by default, so the default form is the same as the no form.
However, some commands are enabled by default and have variables set to certain default values. In these
cases, the default command enables the command and sets variables to their default values.
CLI Error Messages
This table lists some error messages that you might encounter while using the CLI to configure your controller.
Table 2: Common CLI Error Messages
| Error Message | Meaning | How to Get Help |
| --- | --- | --- |
| % Ambiguous command: "show con" | You did not enter enough characters for your controller to recognize the command. | Reenter the command followed by a question mark (?) without any space between the command and the question mark. The possible keywords that you can enter with the command appear. |
| % Incomplete command. | You did not enter all of the keywords or values required by this command. | Reenter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command appear. |
| % Invalid input detected at '^' marker. | You entered the command incorrectly. The caret (^) marks the point of the error. | Enter a question mark (?) to display all of the commands that are available in this command mode. The possible keywords that you can enter with the command appear. |
Configuration Logging
You can log and view changes to the controller configuration. You can use the Configuration Change Logging
and Notification feature to track changes on a per-session and per-user basis. The logger tracks each
configuration command that is applied, the user who entered the command, the time that the command was
entered, and the parser return code for the command. This feature includes a mechanism for asynchronous
notification to registered applications whenever the configuration changes. You can choose to have the
notifications sent to the syslog.
Note
Only CLI or HTTP changes are logged.
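The syslog notifications described above can be turned back into a per-user audit trail on the log collector. The following Python code is an added example, not part of the Cisco guide: it assumes the notifications arrive as IOS `%PARSER-5-CFGLOG_LOGGEDCMD` messages with `User:` and `logged command:` fields (a format not shown on this page), and the sample lines and watch rules are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not captured from a real controller).
SAMPLE_LOG = """\
*Jun 30 10:01:12.101: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:interface GigabitEthernet1/0/1
*Jun 30 10:01:15.442: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice  logged command:no shutdown
*Jun 30 10:02:03.007: %SYS-5-CONFIG_I: Configured from console by alice on vty0 (10.0.0.5)
*Jun 30 10:07:44.310: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:snmp-server community public RO
*Jun 30 10:07:59.918: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:no logging host 10.0.0.9
*Jun 30 10:08:20.000: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:line vty 0 4
*Jun 30 10:08:21.500: %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:transport input telnet
"""

# Assumed message layout: "<timestamp>: %PARSER-5-CFGLOG_LOGGEDCMD: User:<user>  logged command:<cmd>"
CFGLOG_RE = re.compile(
    r"^\*?(?P<ts>.+?): %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Hypothetical watch rules: configuration changes a reviewer would want surfaced.
WATCH_RULES = [
    ("audit-trail change", re.compile(r"^no (logging|archive)\b")),
    ("snmp community change", re.compile(r"^(no )?snmp-server community\b")),
    ("cleartext remote access", re.compile(r"^transport input .*\b(telnet|all)\b")),
    ("credential change", re.compile(r"^(no )?(username|enable (secret|password))\b")),
]


def parse_cfglog(text):
    """Return (timestamp, user, command) for every logged configuration command."""
    events = []
    for line in text.splitlines():
        match = CFGLOG_RE.match(line.strip())
        if match:  # other syslog messages are ignored
            events.append(
                (match.group("ts"), match.group("user"), match.group("cmd").strip())
            )
    return events


def commands_by_user(events):
    """Group the logged commands per user, preserving the order they were entered."""
    per_user = defaultdict(list)
    for _ts, user, cmd in events:
        per_user[user].append(cmd)
    return dict(per_user)


def flag_events(events):
    """Return (timestamp, user, rule label, command) for commands matching a watch rule."""
    findings = []
    for ts, user, cmd in events:
        for label, pattern in WATCH_RULES:
            if pattern.search(cmd):
                findings.append((ts, user, label, cmd))
                break  # one label per command is enough for triage
    return findings


if __name__ == "__main__":
    parsed = parse_cfglog(SAMPLE_LOG)
    for user, cmds in commands_by_user(parsed).items():
        print(f"{user}: {len(cmds)} configuration command(s)")
    for ts, user, label, cmd in flag_events(parsed):
        print(f"[{label}] {ts} {user}: {cmd}")
```

Because only CLI and HTTP changes are logged, a clean report from such a script does not cover configuration changes made through other channels.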
Using the Help System
You can enter a question mark (?) at the system prompt to display a list of commands available for each
command mode. You can also obtain a list of associated keywords and arguments for any command.
SUMMARY STEPS
1. help
2. abbreviated-command-entry ?
3. abbreviated-command-entry <Tab>
4. ?
5. command ?
6. command keyword ?
DETAILED STEPS
Step 1
Command or Action: help
Purpose: Obtains a brief description of the help system in any command mode.
Example:
Controller# help
Step 2
Command or Action: abbreviated-command-entry ?
Purpose: Obtains a list of commands that begin with a particular character string.
Example:
Controller# di?
dir disable disconnect
Step 3
Command or Action: abbreviated-command-entry <Tab>
Purpose: Completes a partial command name.
Example:
Controller# sh conf<tab>
Controller# show configuration
Step 4
Command or Action: ?
Purpose: Lists all commands available for a particular command mode.
Example:
Controller> ?
Step 5
Command or Action: command ?
Purpose: Lists the associated keywords for a command.
Example:
Controller> show ?
Step 6
Command or Action: command keyword ?
Purpose: Lists the associated arguments for a keyword.
Example:
Controller(config)# cdp holdtime ?
<10-255> Length of time (in sec) that receiver must keep this packet
How to Use the CLI to Configure Features
Configuring the Command History
The software provides a history or record of commands that you have entered. The command history feature
is particularly useful for recalling long or complex commands or entries, including access lists. You can
customize this feature to suit your needs.
Changing the Command History Buffer Size
By default, the controller records ten command lines in its history buffer. You can alter this number for a
current terminal session or for all sessions on a particular line. This procedure is optional.
SUMMARY STEPS
1. terminal history [size number-of-lines]
DETAILED STEPS
Step 1
Command or Action: terminal history [size number-of-lines]
Purpose: Changes the number of command lines that the controller records during the current terminal session in privileged EXEC mode. You can configure the size from 0 to 256.
Example:
Controller# terminal history size 200
Recalling Commands
To recall commands from the history buffer, perform one of the actions listed in this table. These actions are
optional.
Note
The arrow keys function only on ANSI-compatible terminals such as VT100s.
SUMMARY STEPS
1. Ctrl-P or use the up arrow key
2. Ctrl-N or use the down arrow key
3. show history
DETAILED STEPS
Step 1
Command or Action: Ctrl-P or use the up arrow key
Purpose: Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.
Step 2
Command or Action: Ctrl-N or use the down arrow key
Purpose: Returns to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands.
Step 3
Command or Action: show history
Purpose: Lists the last several commands that you just entered in privileged EXEC mode. The number of commands that appear is controlled by the setting of the terminal history global configuration command and the history line configuration command.
Example:
Controller# show history
Disabling the Command History Feature
The command history feature is automatically enabled. You can disable it for the current terminal session or
for the command line. This procedure is optional.
SUMMARY STEPS
1. terminal no history
DETAILED STEPS
Step 1
Command or Action: terminal no history
Purpose: Disables the feature during the current terminal session in privileged EXEC mode.
Example:
Controller# terminal no history
Enabling and Disabling Editing Features
Although enhanced editing mode is automatically enabled, you can disable it and reenable it.
SUMMARY STEPS
1. terminal editing
2. terminal no editing
DETAILED STEPS
Step 1
Command or Action: terminal editing
Purpose: Reenables the enhanced editing mode for the current terminal session in privileged EXEC mode.
Example:
Controller# terminal editing
Step 2
Command or Action: terminal no editing
Purpose: Disables the enhanced editing mode for the current terminal session in privileged EXEC mode.
Example:
Controller# terminal no editing
Editing Commands Through Keystrokes
The keystrokes help you to edit the command lines. These keystrokes are optional.
Note
The arrow keys function only on ANSI-compatible terminals such as VT100s.
Table 3: Editing Commands
| Editing Commands | Description |
| --- | --- |
| Ctrl-B or use the left arrow key | Moves the cursor back one character. |
| Ctrl-F or use the right arrow key | Moves the cursor forward one character. |
| Ctrl-A | Moves the cursor to the beginning of the command line. |
| Ctrl-E | Moves the cursor to the end of the command line. |
| Esc B | Moves the cursor back one word. |
| Esc F | Moves the cursor forward one word. |
| Ctrl-T | Transposes the character to the left of the cursor with the character located at the cursor. |
| Delete or Backspace key | Erases the character to the left of the cursor. |
| Ctrl-D | Deletes the character at the cursor. |
| Ctrl-K | Deletes all characters from the cursor to the end of the command line. |
| Ctrl-U or Ctrl-X | Deletes all characters from the cursor to the beginning of the command line. |
| Ctrl-W | Deletes the word to the left of the cursor. |
| Esc D | Deletes from the cursor to the end of the word. |
| Esc C | Capitalizes at the cursor. |
| Esc L | Changes the word at the cursor to lowercase. |
| Esc U | Capitalizes letters from the cursor to the end of the word. |
| Ctrl-V or Esc Q | Designates a particular keystroke as an executable command, perhaps as a shortcut. |
| Return key | Scrolls down a line or screen on displays that are longer than the terminal screen can display. Note: The More prompt is used for any output that has more lines than can be displayed on the terminal screen, including show command output. You can use the Return and Space bar keystrokes whenever you see the More prompt. |
| Space bar | Scrolls down one screen. |
| Ctrl-L or Ctrl-R | Redisplays the current command line if the controller suddenly sends a message to your screen. |
Editing Command Lines That Wrap
You can use a wraparound feature for commands that extend beyond a single line on the screen. When the
cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten
characters of the line, but you can scroll back and check the syntax at the beginning of the command. The
keystroke actions are optional.
To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You can
also press Ctrl-A to immediately move to the beginning of the line.
Note
The arrow keys function only on ANSI-compatible terminals such as VT100s.
The following example shows how to wrap a command line that extends beyond a single line on the screen.
SUMMARY STEPS
1. access-list
2. Ctrl-A
3. Return key
DETAILED STEPS
Step 1
Command or Action: access-list
Purpose: Displays the global configuration command entry that extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
Example:
Controller(config)# access-list 101 permit tcp 10.15.22.25 255.255.255.0 10.15.22.35
Controller(config)# $ 101 permit tcp 10.15.22.25 255.255.255.0 10.15.22.35 255.25
Controller(config)# $t tcp 10.15.22.25 255.255.255.0 131.108.1.20 255.255.255.0 eq
Controller(config)# $15.22.25 255.255.255.0 10.15.22.35 255.255.255.0 eq 45
Step 2
Command or Action: Ctrl-A
Purpose: Checks the complete syntax. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right.
Example:
Controller(config)# access-list 101 permit tcp 10.15.22.25 255.255.255.0 10.15.2$
Step 3
Command or Action: Return key
Purpose: Execute the commands. The software assumes that you have a terminal screen that is 80 columns wide. If you have a different width, use the terminal width privileged EXEC command to set the width of your terminal. Use line wrapping with the command history feature to recall and modify previous complex command entries.
Searching and Filtering Output of show and more Commands
You can search and filter the output for show and more commands. This is useful when you need to sort
through large amounts of output or if you want to exclude output that you do not need to see. Using these
commands is optional.
SUMMARY STEPS
1. {show | more} command | {begin | include | exclude} regular-expression
DETAILED STEPS
Step 1
Command or Action: {show | more} command | {begin | include | exclude} regular-expression
Purpose: Searches and filters the output. Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output appear.
Example:
Controller# show interfaces | include protocol
Vlan1 is up, line protocol is up
Vlan10 is up, line protocol is down
GigabitEthernet1/0/1 is up, line protocol is down
GigabitEthernet1/0/2 is up, line protocol is up
Accessing the CLI
You can access the CLI through a console connection, through Telnet, through SSH, or by using the browser.
You manage the switch stack and the stack member interfaces through the . You cannot manage stack members
on an individual switch basis. You can connect to the through the console port or the Ethernet management
port of one or more stack members. Be careful with using multiple CLI sessions on the . Commands that you
enter in one session are not displayed in the other sessions. Therefore, it is possible to lose track of the session
from which you entered commands.
Note
We recommend using one CLI session when managing the switch stack.
If you want to configure a specific stack member port, you must include the stack member number in the CLI
command interface notation.
Accessing the CLI Through a Console Connection or Through Telnet
Before you can access the CLI, you must connect a terminal or a PC to the controller console or connect a
PC to the Ethernet management port and then power on the controller, as described in the hardware installation
guide that shipped with your controller.
If your controller is already configured, you can access the CLI through a local console connection or through
a remote Telnet session, but your controller must first be configured for this type of access.
You can use one of these methods to establish a connection with the controller:
Procedure
• Connect the controller console port to a management station or dial-up modem, or connect the Ethernet
management port to a PC. For information about connecting to the console or Ethernet management port,
see the controller hardware installation guide.
• Use any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station.
The controller must have network connectivity with the Telnet or SSH client, and the controller must
have an enable secret password configured.
• The controller supports up to 16 simultaneous Telnet sessions. Changes made by one Telnet user
are reflected in all other Telnet sessions.
• The controller supports up to five simultaneous secure SSH sessions.
After you connect through the console port, through the Ethernet management port, through a Telnet
session or through an SSH session, the user EXEC prompt appears on the management station.
CHAPTER 2
Using the Web Graphical User Interface
• Prerequisites for Using the Web GUI
• Information About Using The Web GUI
• Connecting the Console Port of the Controller
• Logging On to the GUI
• Enabling Web and Secure Web Modes
• Configuring the Controller Web GUI
Prerequisites for Using the Web GUI
Wired Web UI (Device Manager) System Requirements
Hardware Requirements
Table 4: Minimum Hardware Requirements
Processor Speed        DRAM          Number of Colors    Resolution    Font Size
233 MHz minimum (1)    512 MB (2)    256                 1024 x 768    Small
(1) We recommend 1 GHz.
(2) We recommend 1 GB DRAM.
Software Requirements
• Windows 7, Windows Vista, Windows XP, Windows 2003, or Windows 2000
• Microsoft Internet Explorer 6.0 and 7.0, and Mozilla Firefox up to version 26.0, with JavaScript enabled.
Wireless Web UI Software Requirements
• Operating Systems
• Windows 7
• Windows 8
• Mac OS X 10.8
• Browsers:
• Google Chrome, version 35
• Microsoft Internet Explorer, versions 10 or 11
• Mozilla Firefox, version 30 or later
• Safari, version 6.1
Information About Using The Web GUI
A web-based graphical user interface (GUI) is built into each controller.
You can use either the service port interface or the management interface to access the GUI. We recommend
that you use the service-port interface. Click Help at the top of any page in the GUI to display online help.
You might need to disable your browser’s pop-up blocker to view the online help.
Note
The following special characters are not supported in the GUI: ampersand (&), semicolon (;), and less than
(<).
Web GUI Features
The controller web GUI supports the following:
The Configuration Wizard—After initial configuration of the IP address and the local username/password or
auth via the authentication server (privilege 15 needed), the wizard provides a method to complete the initial
wireless configuration. Start the wizard through Configuration -> Wizard and follow the nine-step process to
configure the following:
• Admin Users
• SNMP System Summary
• Management Port
• Wireless Management
• RF Mobility and Country code
• Mobility configuration
• WLANs
• 802.11 Configuration
• Set Time
The Monitor tab:
• Displays summary details of controller, clients, and access points.
• Displays all radio and AP join statistics.
• Displays air quality on access points.
• Displays list of all Cisco Discovery Protocol (CDP) neighbors on all interfaces and the CDP traffic
information.
• Displays all rogue access points based on their classification: friendly, malicious, ad hoc, classified, and
unclassified.
The Configuration tab:
• Enables you to configure the controller for all initial operation using the web Configuration Wizard. The
wizard allows you to configure user details, management interface, and so on.
• Enables you to configure the system, internal DHCP server, management, and mobility management
parameters.
• Enables you to configure the controller, WLAN, and radios.
• Enables you to configure and set security policies on your controller.
• Enables you to access the controller operating system software management commands.
The Administration tab enables you to configure system logs.
Connecting the Console Port of the Controller
Before you begin
Before you can configure the controller for basic operations, you need to connect it to a PC that uses a VT-100
terminal emulation program (such as HyperTerminal, ProComm, Minicom, or Tip).
Step 1
Connect one end of a null-modem serial cable to the controller's RJ-45 console port and the other end to your PC's serial
port.
Step 2
Plug the AC power cord into the controller and a grounded 100 to 240 VAC, 50/60-Hz electrical outlet. Turn on the
power supply. The bootup script displays operating system software initialization (code download and power-on self-test
verification) and basic configuration. If the controller passes the power-on self-test, the bootup script runs the configuration
wizard, which prompts you for basic configuration input.
Step 3
Enter yes. Proceed with basic initial setup configuration parameters in the CLI setup wizard. Specify the IP address for
the service port which is the gigabitethernet 0/0 interface.
After entering the configuration parameters in the configuration wizard, you can access the Web GUI. Now, the controller
is configured with the IP address for service port.
Logging On to the GUI
Note
Do not configure TACACS+ authentication when the controller is set to use local authentication.
Step 1
Enter the controller IP address in your browser’s address bar. For a secure connection, enter https://ip-address.
For a less secure connection, enter http://ip-address.
Step 2
When prompted, enter a valid username and password and click OK.
Note
The administrative username and password that you created in the configuration wizard are case sensitive. The
default username is admin, and the default password is cisco.
The Accessing page appears.
Enabling Web and Secure Web Modes
Step 1
Choose Configuration > Controller > Switch > Management > Protocol Management > HTTP-HTTPS.
The HTTP-HTTPS Configuration page appears.
Step 2
To enable web mode, which allows users to access the controller GUI using “http://ip-address,” choose Enabled from
the HTTP Access drop-down list. Otherwise, choose Disabled. Web mode (HTTP) is not a secure connection.
Step 3
To enable secure web mode, which allows users to access the controller GUI using “https://ip-address,” choose Enabled
from the HTTPS Access drop-down list. Otherwise, choose Disabled. Secure web mode (HTTPS) is a secure connection.
Step 4
Choose to track the device in the IP Device Tracking check box.
Step 5
Choose to enable the trust point in the Enable check box.
Step 6
Choose the trustpoints from the Trustpoints drop-down list.
Step 7
Enter the amount of time, in seconds, before the web session times out due to inactivity in the HTTP Timeout-policy
(1 to 600 sec) text box.
The valid range is from 1 to 600 seconds.
Step 8
Enter the server life time in the Server Life Time (1 to 86400 sec) text box.
The valid range is from 1 to 86400 seconds.
Step 9
Enter the maximum number of connection requests that the server can accept in the Maximum number of Requests (1
to 86400) text box.
The valid range is from 1 to 86400 connections.
Step 10
Click Apply.
Step 11
Click Save Configuration.
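Once these settings are saved, the resulting running configuration can be reviewed offline for the management-plane exposures this chapter mentions: web mode (HTTP) left on, the default admin/cisco login, and Telnet accepted on the vty lines. The following is an added example, not code from this guide or from Cisco. It assumes the GUI fields correspond to the IOS `ip http server`, `ip http secure-server` and `ip http timeout-policy` configuration lines; the sample configuration is constructed, and the function name, finding codes and `max_idle` policy value are hypothetical.

```python
import re

# Constructed running-config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
username admin privilege 15 password 0 cisco
username netops privilege 15 secret 5 $1$constructed$placeholderhash
ip http server
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 86400
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Ranges shown on the HTTP-HTTPS Configuration page (Steps 7 to 9).
RANGES = {"idle": (1, 600), "life": (1, 86400), "requests": (1, 86400)}
# Default GUI login stated in this guide.
DEFAULT_LOGIN = ("admin", "cisco")

# Matches only cleartext (type 0 or untyped) passwords; hashed ones cannot be compared.
CRED_RE = re.compile(
    r"^username\s+(\S+)\s.*?\b(?:password|secret)\s+(?:0\s+)?(\S+)$")
POLICY_RE = re.compile(
    r"^ip http timeout-policy idle (\d+) life (\d+) requests (\d+)$")


def audit_management_plane(config, max_idle=600):
    """Return sorted (code, detail) findings for one running-config text.

    max_idle is a local policy choice (an assumption), in seconds.
    """
    findings = []
    http_on = https_on = False
    vty_block = None  # header of the 'line vty' block being read, if any

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # A non-indented line starts a new top-level statement or block.
            vty_block = line if line.startswith("line vty") else None

        if line == "ip http server":
            http_on = True
        elif line == "ip http secure-server":
            https_on = True
        elif vty_block and line.startswith("transport input "):
            protocols = line.split()[2:]
            if "telnet" in protocols or "all" in protocols:
                findings.append(("VTY-TELNET", f"{vty_block} accepts Telnet"))

        cred = CRED_RE.match(line)
        if cred and cred.groups() == DEFAULT_LOGIN:
            findings.append(("DEFAULT-CREDENTIAL", "default admin login still set"))

        policy = POLICY_RE.match(line)
        if policy:
            values = dict(zip(RANGES, map(int, policy.groups())))
            for name, value in values.items():
                low, high = RANGES[name]
                if not low <= value <= high:
                    findings.append(("HTTP-POLICY-RANGE", f"{name}={value}"))
            if values["idle"] > max_idle:
                findings.append(("HTTP-IDLE-TOO-LONG", f"idle={values['idle']}"))

    if http_on:
        detail = "web mode (HTTP) is on"
        if not https_on:
            detail += " and secure web mode (HTTPS) is off"
        findings.append(("HTTP-ENABLED", detail))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in audit_management_plane(SAMPLE_CONFIG, max_idle=300):
        print(f"{code}: {detail}")
```

Passwords stored in hashed form cannot be compared against the default, so a clean result for `DEFAULT-CREDENTIAL` only covers cleartext entries.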
Configuring the Controller Web GUI
The configuration wizard enables you to configure basic settings on the controller. You can run the wizard
after you receive the controller from the factory or after the controller has been reset to factory defaults. The
configuration wizard is available in both GUI and CLI formats.
Step 1
Connect your PC to the service port and configure an IPv4 address to use the same subnet as the controller. The controller
is loaded with IOS XE image and the service port interface is configured as gigabitethernet 0/0.
Step 2
Start Internet Explorer 10 (or later), Firefox 2.0.0.11 (or later), or Google Chrome on your PC and enter the management
interface IP address on the browser window. The management interface IP address is the same as the gigabitethernet 0/0
(also known as service port interface). When you log in for the first time, you need to enter HTTP username and
password. By default, the username is admin and the password is cisco.
You can use both HTTP and HTTPS when using the service port interface. HTTPS is enabled by default and HTTP
can also be enabled.
When you log in for the first time, the Accessing Cisco Controller <Model Number>
<Hostname> page appears.
Step 3
On the Accessing Cisco Controller page, click the Wireless Web GUI link to access the controller
web GUI Home page.
Step 4
Choose Configuration > Wizard to perform all steps that you need to configure the controller initially.
The Admin Users page appears.
Step 5
On the Admin Users page, enter the administrative username to be assigned to this controller in the User Name text
box and the administrative password to be assigned to this controller in the Password and Confirm Password text boxes.
Click Next.
The default username is admin and the default password is cisco. You can also create a new administrator user for the
controller. You can enter up to 24 ASCII characters for username and password.
The SNMP System Summary page appears.
Step 6
On the SNMP System Summary page, enter the following SNMP system parameters for the controller, and click Next:
• Customer-definable controller location in the Location text box.
• Customer-definable contact details such as phone number with names in the Contact text box.
• Choose enabled to send SNMP notifications for various SNMP traps or disabled not to send SNMP notifications
for various SNMP traps from the SNMP Global Trap drop-down list.
• Choose enabled to send system log messages or disabled not to send system log messages from the SNMP Logging
drop-down list.
Note
The SNMP trap server must be reachable through the distribution ports (and not through the gigabitethernet0/0
service or management interface).
The Management Port page appears.
Step 7
In the Management Port page, enter the following parameters for the management port interface (gigabitethernet 0/0)
and click Next.
• Interface IP address that you assigned for the service port in the IP Address text box.
• Network mask address of the management port interface in the Netmask text box.
• The IPv4 Dynamic Host Configuration Protocol (DHCP) address for the selected port in the IPv4 DHCP Server
text box.
The Wireless Management page appears.
Step 8
In the Wireless Management page, enter the following wireless interface management details, and click Next.
• Choose the interface—VLAN, or Ten Gigabit Ethernet from the Select Interface drop-down list.
• VLAN tag identifier, or 0 for no VLAN tag in the VLAN id text box.
• IP address of wireless management interface where access points are connected in the IP Address text box.
• Network mask address of the wireless management interface in the Netmask text box.
• DHCP IPv4 IP address in the IPv4 DHCP Server text box.
When selecting VLAN as interface, you can specify the ports as Trunk or Access ports from the selected list displayed
in the Switch Port Configuration text box.
The RF Mobility and Country Code page appears.
Step 9
In the RF Mobility and Country Code page, enter the RF mobility domain name in the RF Mobility text box, choose
current country code from the Country Code drop-down list, and click Next. From the GUI, you can select only one
country code.
Note
Before configuring RF grouping parameters and mobility configuration, ensure that you refer to the relevant
conceptual content and then proceed with the configuration.
The Mobility Configuration page with mobility global configuration settings appears.
Step 10
In the Mobility Configuration page, view and enter the following mobility global configuration settings, and click
Next.
• Displays Mobility Controller in the Mobility Role text box.
• Displays mobility protocol port number in the Mobility Protocol Port text box.
• Displays the mobility group name in the Mobility Group Name text box.
• Displays whether DTLS is enabled in the DTLS Mode text box.
DTLS is a standards-track Internet Engineering Task Force (IETF) protocol based on TLS.
• Displays mobility domain identifier for 802.11 radios in the Mobility Domain ID for 802.11 radios text box.
• Displays the number of members configured on the controller in the Mobility Domain Member Count text box.
• To enable the controller as a Mobility Oracle, select the Mobility Oracle Enabled check box.
Note
Only the controller can be configured as Mobility Oracle. You cannot configure the switch as Mobility
Oracle.
The Mobility Oracle is optional; it maintains the client database under one complete mobility domain.
• The amount of time (in seconds) between each ping request sent to a peer controller in the Mobility Keepalive
Interval (1-30)sec text box.
Valid range is from 1 to 30 seconds, and the default value is 10 seconds.
• Number of times a ping request is sent to a peer controller before the peer is considered to be unreachable in the
Mobility Keepalive Count (3-20) text box.
The valid range is from 3 to 20, and the default value is 3.
• The DSCP value that you can set for the mobility controller in the Mobility Control Message DSCP Value (0-63)
text box.
The valid range is 0 to 63, and the default value is 0.
The WLANs page appears.
Step 11
In the Mobility Configuration page, view and enter the following mobility global configuration settings, and click
Next.
• Choose Mobility Controller or Mobility Agent from the Mobility Role drop-down list:
• If Mobility Agent is chosen, enter the mobility controller IP address in the Mobility Controller IP Address
text box and mobility controller public IP address in the Mobility Controller Public IP Address text box.
• If Mobility Controller is chosen, then the mobility controller IP address and mobility controller public IP
address are displayed in the respective text boxes.
• Displays mobility protocol port number in the Mobility Protocol Port text box.
• Displays the mobility switch peer group name in the Mobility Switch Peer Group Name text box.
• Displays whether DTLS is enabled in the DTLS Mode text box.
DTLS is a standards-track Internet Engineering Task Force (IETF) protocol based on TLS.
• Displays mobility domain identifier for 802.11 radios in the Mobility Domain ID for 802.11 radios text box.
• The amount of time (in seconds) between each ping request sent to a peer controller in the Mobility Keepalive
Interval (1-30)sec text box.
Valid range is from 1 to 30 seconds, and the default value is 10 seconds.
• Number of times a ping request is sent to a peer controller before the peer is considered to be unreachable in the
Mobility Keepalive Count (3-20) text box.
The valid range is from 3 to 20, and the default value is 3.
• The DSCP value that you can set for the mobility controller in the Mobility Control Message DSCP Value (0-63)
text box.
The valid range is 0 to 63, and the default value is 0.
• Displays the number of mobility switch peer group members configured in the Switch Peer Group Members
Configured text box.
The WLANs page appears.
Step 12
In the WLANs page, enter the following WLAN configuration parameters, and click Next.
• WLAN identifier in the WLAN ID text box.
• SSID of the WLAN that the client is associated with in the SSID text box.
• Name of the WLAN used by the client in the Profile Name text box.
The 802.11 Configuration page appears.
Step 13
In the 802.11 Configuration page, check either one or both 802.11a/n/ac and 802.11b/g/n check boxes to enable the
802.11 radios, and click Next.
The Set Time page appears.
Step 14
In the Set Time page, you can configure the time and date on the controller based on the following parameters, and
click Next.
• Displays current timestamp on the controller in the Current Time text box.
• Choose either Manual or NTP from the Mode drop-down list.
When an NTP server is used, all access points connected to the controller synchronize their time based on the
available NTP server settings.
• Choose date on the controller from the Year, Month, and Day drop-down list.
• Choose time from the Hours, Minutes, and Seconds drop-down list.
• Enter the time zone in the Zone text box and select the offset required when compared to the current time
configured on the controller from the Offset drop-down list.
The Save Wizard page appears.
Step 15
In the Save Wizard page, you can review the configuration settings performed on the controller using these steps, and
if you wish to change any configuration value, click Previous and navigate to that page.
You can save the controller configuration created using the wizard only if a success message is displayed for all the
wizards. If the Save Wizard page displays errors, you must recreate the wizard for initial configuration of the controller.
PART I
System Management
• Administering the System
• Performing Controller Setup Configuration
• Configuring Right-To-Use Licenses
• Configuring Administrator Usernames and Passwords
• 802.11 parameters and Band Selection
• Configuring Aggressive Load Balancing
• Configuring Client Roaming
• Configuring Application Visibility and Control
• Configuring Voice and Video Parameters
• Configuring RFID Tag Tracking
• Configuring Location Settings
• Monitoring Flow Control
• Configuring System Message Logs
• Configuring Online Diagnostics
• Predownloading an Image to Access Points
• Troubleshooting the Software Configuration
CHAPTER 3
Administering the System
• Finding Feature Information
• Finding Feature Information
• Information About Administering the Controller
• How to Administer the Controller
• Monitoring and Maintaining Administration of the Controller
• Configuration Examples for Controller Administration
• Additional References for Controller Administration
• Additional References for Controller Administration
• Feature History and Information for Controller Administration
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Related Topics
Feature History and Information for Troubleshooting Software Configuration
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Information About Administering the Controller
System Time and Date Management
You can manage the system time and date on your controller using automatic configuration methods (RTC
and NTP), or manual configuration methods.
Note
For complete syntax and usage information for the commands used in this section, see the Cisco IOS
Configuration Fundamentals Command Reference on Cisco.com.
System Clock
The basis of the time service is the system clock. This clock runs from the moment the system starts up and
keeps track of the date and time.
The system clock can then be set from these sources:
• NTP
• Manual configuration
The system clock can provide time to these services:
• User show commands
• Logging and debugging messages
The system clock keeps track of time internally based on Coordinated Universal Time (UTC), also known as
Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time
(daylight saving time) so that the time appears correctly for the local time zone.
The system clock keeps track of whether the time is authoritative or not (that is, whether it has been set by a
time source considered to be authoritative). If it is not authoritative, the time is available only for display
purposes and is not redistributed.
Network Time Protocol
NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol
(UDP), which runs over IP. NTP is documented in RFC 1305.
An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic
clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient;
no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one
another.
NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative
time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server
receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically
chooses as its time source the device with the lowest stratum number with which it communicates through
NTP. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device
that is not synchronized. NTP also compares the time reported by several devices and does not synchronize
to a device whose time is significantly different than the others, even if its stratum is lower.
The communications between devices running NTP (known as associations) are usually statically configured;
each device is given the IP address of all devices with which it should form associations. Accurate timekeeping
is possible by exchanging NTP messages between each pair of devices with an association. However, in a
LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces
configuration complexity because each device can simply be configured to send or receive broadcast messages.
However, in that case, information flow is one-way only.
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the
accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based
restriction scheme and an encrypted authentication mechanism.
Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or
atomic clock. We recommend that the time service for your network be derived from the public NTP servers
available on the IP Internet.
The figure below shows a typical network example using NTP. Controller A is the NTP master, with
Controllers B, C, and D configured in NTP server mode, in server association with Controller A. Controller
E is configured as an NTP peer to the upstream and downstream controllers, Controller B and Controller F,
respectively.
Figure 1: Typical NTP Network Configuration
If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as if it is
synchronized through NTP, when in fact it has learned the time by using other means. Other devices then
synchronize to that device through NTP.
When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time
overrides the time set by any other method.
Several manufacturers include NTP software for their host systems, and a publicly available version for
systems running UNIX and its various derivatives is also available. This software allows host systems to be
time-synchronized as well.
NTP Stratum
NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative
time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server
receives its time through NTP from a stratum 1 time server, and so on. A device running NTP automatically
chooses as its time source the device with the lowest stratum number with which it communicates through
NTP. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device
that is not synchronized. NTP also compares the time reported by several devices and does not synchronize
to a device whose time is significantly different than the others, even if its stratum is lower.
NTP Associations
The communications between devices running NTP (known as associations) are usually statically configured;
each device is given the IP address of all devices with which it should form associations. Accurate timekeeping
is possible by exchanging NTP messages between each pair of devices with an association. However, in a
LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces
configuration complexity because each device can simply be configured to send or receive broadcast messages.
However, in that case, information flow is one-way only.
NTP Security
The time kept on a device is a critical resource; you should use the security features of NTP to avoid the
accidental or malicious setting of an incorrect time. Two mechanisms are available: an access list-based
restriction scheme and an encrypted authentication mechanism.
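The selection rules from the NTP Stratum section and the authentication mechanism from NTP Security can be seen working together in a small model. The following is an added example, not Cisco's implementation and not the selection algorithm of the NTP specification: it drops unsynchronized and unauthenticated sources, rejects any source whose time disagrees with the others even when its stratum is lower, and then picks the lowest stratum. The `Source` fields, the 100 ms agreement threshold and the sample associations are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Source:
    name: str
    stratum: int          # NTP hops from the authoritative clock
    offset_ms: float      # source time minus local time, in milliseconds
    synchronized: bool    # False when the source itself has no valid time
    authenticated: bool   # True when its packets verified against a trusted key


# Constructed sample associations (names and values are illustrative only).
SAMPLE_SOURCES = [
    Source("ntp-b", 2, 3.0, True, True),
    Source("ntp-c", 2, -2.0, True, True),
    Source("ntp-d", 3, 1.0, True, True),
    Source("ntp-e", 2, 0.5, False, True),      # not synchronized itself
    Source("ntp-f", 1, 2.0, True, False),      # fails authentication
    Source("ntp-x", 1, 90000.0, True, True),   # lowest stratum, but 90 s off
]


def select_source(sources, max_disagreement_ms=100.0, require_auth=True):
    """Return (chosen_source_or_None, {rejected_name: reason}).

    Simplified model: agreement is measured against the median offset of the
    remaining candidates, which only works while honest sources are a majority.
    """
    rejected = {}
    candidates = []
    for src in sources:
        # Stratum 16 is how NTP marks a clock as unsynchronized.
        if not src.synchronized or src.stratum >= 16:
            rejected[src.name] = "unsynchronized"
        elif require_auth and not src.authenticated:
            rejected[src.name] = "unauthenticated"
        else:
            candidates.append(src)

    if candidates:
        middle = median(src.offset_ms for src in candidates)
        agreeing = []
        for src in candidates:
            if abs(src.offset_ms - middle) > max_disagreement_ms:
                rejected[src.name] = "disagrees with other sources"
            else:
                agreeing.append(src)
        candidates = agreeing

    # Lowest stratum wins; the smaller offset breaks ties.
    chosen = min(candidates, key=lambda s: (s.stratum, abs(s.offset_ms)),
                 default=None)
    return chosen, rejected


if __name__ == "__main__":
    chosen, rejected = select_source(SAMPLE_SOURCES)
    print("selected:", chosen.name if chosen else None)
    for name, reason in sorted(rejected.items()):
        print(f"rejected {name}: {reason}")
```

With only two candidates that disagree, the model selects neither, because nothing indicates which of the two is correct.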
NTP Implementation
Implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic
clock. We recommend that the time service for your network be derived from the public NTP servers available
on the IP Internet.
Figure 2: Typical NTP Network Configuration
The following figure shows a typical network example using NTP. Controller A is the NTP master, with
Controllers B, C, and D configured in NTP server mode, in server association with Controller A. Controller E
is configured as an NTP peer to the upstream and downstream controllers, Controller B and Controller F,
respectively.
If the network is isolated from the Internet, NTP allows a device to act as if it is synchronized through NTP,
when in fact it has learned the time by using other means. Other devices then synchronize to that device
through NTP.
When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time
overrides the time set by any other method.
Several manufacturers include NTP software for their host systems, and a publicly available version for
systems running UNIX and its various derivatives is also available. This software allows host systems to be
time-synchronized as well.
NTP Version 4
NTP version 4 is implemented on the controller. NTPv4 is an extension of NTP version 3. NTPv4 supports
both IPv4 and IPv6 and is backward-compatible with NTPv3.
NTPv4 provides these capabilities:
• Support for IPv6.
• Improved security compared to NTPv3. The NTPv4 protocol provides a security framework based on
public key cryptography and standard X.509 certificates.
• Automatic calculation of the time-distribution hierarchy for a network. Using specific multicast groups,
NTPv4 automatically configures the hierarchy of the servers to achieve the best time accuracy for the
lowest bandwidth cost. This feature leverages site-local IPv6 multicast addresses.
For details about configuring NTPv4, see the Implementing NTPv4 in IPv6 chapter of the Cisco IOS IPv6
Configuration Guide, Release 12.4T.
DNS
The DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map
hostnames to IP addresses. When you configure DNS on your controller, you can substitute the hostname for
the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.
IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain
names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a
commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific
device in this domain, for example, the File Transfer Protocol (FTP) system is identified as ftp.cisco.com.
To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache
(or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify
the hostnames, specify the name server that is present on your network, and enable the DNS.
Default DNS Settings
Table 5: Default DNS Settings
Feature                    Default Setting
DNS enable state           Enabled.
DNS default domain name    None configured.
DNS servers                No name server addresses are configured.
Login Banners
You can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner is displayed on all
connected terminals at login and is useful for sending messages that affect all network users (such as impending
system shutdowns).
The login banner is also displayed on all connected terminals. It appears after the MOTD banner and before
the login prompts.
Note
For complete syntax and usage information for the commands used in this section, see the Cisco IOS
Configuration Fundamentals Command Reference, Release 12.4.
Default Banner Configuration
The MOTD and login banners are not configured.
MAC Address Table
The MAC address table contains address information that the controller uses to forward traffic between ports.
All MAC addresses in the address table are associated with one or more ports. The address table includes
these types of addresses:
• Dynamic address—A source MAC address that the controller learns and then ages when it is not in use.
• Static address—A manually entered unicast address that does not age and that is not lost when the
controller resets.
The address table lists the destination MAC address, the associated VLAN ID, and port number associated
with the address and the type (static or dynamic).
Note
For complete syntax and usage information for the commands used in this section, see the command reference
for this release.
MAC Address Table Creation
With multiple MAC addresses supported on all ports, you can connect any port on the controller to other
network devices. The controller provides dynamic addressing by learning the source address of packets it
receives on each port and adding the address and its associated port number to the address table. As devices
are added or removed from the network, the controller updates the address table, adding new dynamic addresses
and aging out those that are not in use.
The aging interval is globally configured. However, the controller maintains an address table for each VLAN,
and STP can accelerate the aging interval on a per-VLAN basis.
The controller sends packets between any combination of ports, based on the destination address of the received
packet. Using the MAC address table, the controller forwards the packet only to the port associated with the
destination address. If the destination address is on the port that sent the packet, the packet is filtered and not
forwarded. The controller always uses the store-and-forward method: complete packets are stored and checked
for errors before transmission.
MAC Addresses and VLANs
All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different
destinations in each. Unicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9,
10, and 1 in VLAN 5.
Each VLAN maintains its own logical address table. A known address in one VLAN is unknown in another
until it is learned or statically associated with a port in the other VLAN.
Default MAC Address Table Settings
The following table shows the default settings for the MAC address table.
Table 6: Default Settings for the MAC Address
Feature              Default Setting
Aging time           300 seconds
Dynamic addresses    Automatically learned
Static addresses     None configured
ARP Table Management
To communicate with a device (over Ethernet, for example), the software first must learn the 48-bit MAC
address or the local data link address of that device. The process of learning the local data link address from
an IP address is called address resolution.
The Address Resolution Protocol (ARP) associates a host IP address with the corresponding media or MAC
addresses and the VLAN ID. Using an IP address, ARP finds the associated MAC address. When a MAC
address is found, the IP-MAC address association is stored in an ARP cache for rapid retrieval. Then the IP
datagram is encapsulated in a link-layer frame and sent over the network. Encapsulation of IP datagrams and
ARP requests and replies on IEEE 802 networks other than Ethernet is specified by the Subnetwork Access
Protocol (SNAP). By default, standard Ethernet-style ARP encapsulation (represented by the arpa keyword)
is enabled on the IP interface.
ARP entries added manually to the table do not age and must be manually removed.
For CLI procedures, see the Cisco IOS Release 12.4 documentation on Cisco.com.
How to Administer the Controller
Configuring the Time and Date Manually
System time remains accurate through restarts and reboots; however, you can manually configure the time and
date after the system is restarted.
We recommend that you use manual configuration only when necessary. If you have an outside source to
which the controller can synchronize, you do not need to manually set the system clock.
Setting the System Clock
If you have an outside source on the network that provides time services, such as an NTP server, you do not
need to manually set the system clock.
Follow these steps to set the system clock:
SUMMARY STEPS
1. enable
2. Use one of the following:
• clock set hh:mm:ss day month year
• clock set hh:mm:ss month day year
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: Use one of the following:
• clock set hh:mm:ss day month year
• clock set hh:mm:ss month day year
Purpose: Manually set the system clock using one of these formats:
• hh:mm:ss—Specifies the time in hours (24-hour format), minutes, and seconds. The time specified is
relative to the configured time zone.
• day—Specifies the day by date in the month.
• month—Specifies the month by name.
• year—Specifies the year (no abbreviation).
Example:
Controller# clock set 13:32:00 23 March 2013
Configuring the Time Zone
Follow these steps to manually configure the time zone:
SUMMARY STEPS
1. enable
2. configure terminal
3. clock timezone zone hours-offset [minutes-offset]
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: clock timezone zone hours-offset [minutes-offset]
Purpose: Sets the time zone.
Internal time is kept in Coordinated Universal Time (UTC), so this command is used only for display
purposes and when the time is manually set.
• zone—Enters the name of the time zone to be displayed when standard time is in effect. The default is UTC.
• hours-offset—Enters the hours offset from UTC.
• (Optional) minutes-offset—Enters the minutes offset from UTC. This is available where the local time
zone is a percentage of an hour different from UTC.
Example:
Controller(config)# clock timezone AST -3 30
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 5
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Configuring Summer Time (Daylight Saving Time)
To configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the
week each year, perform this task:
SUMMARY STEPS
1. enable
2. configure terminal
3. clock summer-time zone date date month year hh:mm date month year hh:mm [offset]
4. clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]
5. end
6. show running-config
7. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: clock summer-time zone date date month year hh:mm date month year hh:mm [offset]
Purpose: Configures summer time to start and end on specified days every year.
Example:
Controller(config)# clock summer-time PDT date 10 March 2013 2:00 3 November 2013 2:00
Step 4
Command or Action: clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]
Purpose: Configures summer time to start and end on the specified days every year. All times are relative
to the local time zone. The start time is relative to standard time. The end time is relative to summer time.
Summer time is disabled by default. If you specify clock summer-time zone recurring without parameters,
the summer time rules default to the United States rules.
If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.
• zone—Specifies the name of the time zone (for example, PDT) to be displayed when summer time is
in effect.
• (Optional) week—Specifies the week of the month (1 to 4, first, or last).
• (Optional) day—Specifies the day of the week (Sunday, Monday...).
• (Optional) month—Specifies the month (January, February...).
• (Optional) hh:mm—Specifies the time (24-hour format) in hours and minutes.
• (Optional) offset—Specifies the number of minutes to add during summer time. The default is 60.
Example:
Controller(config)# clock summer-time PDT recurring 2 Sunday March 2:00 1 Sunday November 2:00
Step 5
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 6
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Step 7
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date
and time of the next summer time events):
SUMMARY STEPS
1. enable
2. configure terminal
3. clock summer-time zone date [month date year hh:mm month date year hh:mm [offset]] or
clock summer-time zone date [date month year hh:mm date month year hh:mm [offset]]
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: clock summer-time zone date [month date year hh:mm month date year hh:mm [offset]] or
clock summer-time zone date [date month year hh:mm date month year hh:mm [offset]]
Purpose: Configures summer time to start on the first date and end on the second date.
Summer time is disabled by default.
• For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is
in effect.
• (Optional) For week, specify the week of the month (1 to 5 or last).
• (Optional) For day, specify the day of the week (Sunday, Monday...).
• (Optional) For month, specify the month (January, February...).
• (Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.
• (Optional) For offset, specify the number of minutes to add during summer time. The default is 60.
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 5
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Configuring a System Name
Follow these steps to manually configure a system name:
SUMMARY STEPS
1. enable
2. configure terminal
3. hostname name
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: hostname name
Purpose: Configures a system name. When you set the system name, it is also used as the system prompt.
The default setting is Switch.
The name must follow the rules for ARPANET hostnames. They must start with a letter, end with a letter
or digit, and have as interior characters only letters, digits, and hyphens. Names can be up to 63 characters.
Example:
Controller(config)# hostname remote-users
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
remote-users(config)# end
remote-users#
Step 5
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Setting Up DNS
If you use the controller IP address as its hostname, the IP address is used and no DNS query occurs. If you
configure a hostname that contains no periods (.), a period followed by the default domain name is appended
to the hostname before the DNS query is made to map the name to an IP address. The default domain name
is the value set by the ip domain-name global configuration command. If there is a period (.) in the hostname,
the Cisco IOS software looks up the IP address without appending any default domain name to the hostname.
Follow these steps to set up your switch to use the DNS:
SUMMARY STEPS
1. enable
2. configure terminal
3. ip domain-name name
4. ip name-server server-address1 [server-address2 ... server-address6]
5. ip domain-lookup [nsap | source-interface interface]
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: ip domain-name name
Purpose: Defines a default domain name that the software uses to complete unqualified hostnames (names
without a dotted-decimal domain name).
Do not include the initial period that separates an unqualified name from the domain name.
At boot time, no domain name is configured; however, if the controller configuration comes from a BOOTP
or Dynamic Host Configuration Protocol (DHCP) server, then the default domain name might be set by the
BOOTP or DHCP server (if the servers were configured with this information).
Example:
Controller(config)# ip domain-name Cisco.com
Step 4
Command or Action: ip name-server server-address1 [server-address2 ... server-address6]
Purpose: Specifies the address of one or more name servers to use for name and address resolution.
You can specify up to six name servers. Separate each server address with a space. The first server
specified is the primary server. The controller sends DNS queries to the primary server first. If that query
fails, the backup servers are queried.
Example:
Controller(config)# ip name-server 192.168.1.100 192.168.1.200 192.168.1.300
Step 5
Command or Action: ip domain-lookup [nsap | source-interface interface]
Purpose: (Optional) Enables DNS-based hostname-to-address translation on your controller. This feature is
enabled by default.
If your network devices require connectivity with devices in networks for which you do not control name
assignment, you can dynamically assign device names that uniquely identify your devices by using the
global Internet naming scheme (DNS).
Example:
Controller(config)# ip domain-lookup
Step 6
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 7
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Step 8
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
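The naming rules in the two procedures above (the ARPANET hostname rule, default-domain completion, and the six-server limit) can be checked before a configuration is pushed. The following Python is an added example, not Cisco code; every function name is an assumption of this example. Run on the ip name-server example line from Step 4, it reports that 192.168.1.300 is not a valid IPv4 address.

```python
import ipaddress
import re

MAX_NAME_SERVERS = 6  # limit stated for ip name-server
# Rule from the hostname step: starts with a letter, ends with a letter or
# digit, interior letters, digits, or hyphens, at most 63 characters.
HOSTNAME_RULE = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def valid_system_name(name):
    """True when the name satisfies the hostname rule quoted above."""
    return HOSTNAME_RULE.fullmatch(name) is not None


def is_ip_address(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def name_to_query(target, default_domain=None):
    """Return the name a DNS query would carry, or None when no query occurs.

    An IP address is used directly. A name with no period gets the default
    domain appended. A name that contains a period is looked up unchanged.
    """
    if is_ip_address(target):
        return None
    if "." in target:
        return target
    if default_domain:
        return f"{target}.{default_domain}"
    # Assumption of this example: with no default domain configured the
    # unqualified name is queried as typed.
    return target


def audit_dns_line(config_line):
    """Check one 'ip domain-name' or 'ip name-server' line; return findings."""
    tokens = config_line.split()
    findings = []
    if tokens[:2] == ["ip", "domain-name"]:
        if len(tokens) != 3:
            findings.append("ip domain-name takes exactly one name")
        elif tokens[2].startswith("."):
            findings.append("domain name must not include the initial period")
    elif tokens[:2] == ["ip", "name-server"]:
        servers = tokens[2:]
        if not servers:
            findings.append("no name server address given")
        if len(servers) > MAX_NAME_SERVERS:
            findings.append(
                f"{len(servers)} servers listed, limit is {MAX_NAME_SERVERS}")
        for addr in servers:
            if not is_ip_address(addr):
                findings.append(f"{addr} is not a valid IP address")
    else:
        findings.append("not a DNS configuration line")
    return findings


if __name__ == "__main__":
    # Lines taken from the examples in the steps above.
    for line in ("ip domain-name Cisco.com",
                 "ip name-server 192.168.1.100 192.168.1.200 192.168.1.300"):
        print(line, "->", audit_dns_line(line) or "ok")
    print(name_to_query("ftp", "cisco.com"))
```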
Configuring a Message-of-the-Day Login Banner
You can create a single or multiline message banner that appears on the screen when someone logs in to the
controller.
Follow these steps to configure a MOTD login banner:
SUMMARY STEPS
1. enable
2. configure terminal
3. banner motd c message c
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: banner motd c message c
Purpose: Specifies the message of the day.
c—Enters the delimiting character of your choice, for example, a pound sign (#), and press the Return key.
The delimiting character signifies the beginning and end of the banner text. Characters after the ending
delimiter are discarded.
message—Enters a banner message up to 255 characters. You cannot use the delimiting character in the
message.
Example:
Controller(config)# banner motd #
This is a secure site. Only
authorized users are allowed.
For access, contact technical
support.
#
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 5
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Configuring a Login Banner
You can configure a login banner to be displayed on all connected terminals. This banner appears after the
MOTD banner and before the login prompt.
Follow these steps to configure a login banner:
SUMMARY STEPS
1. enable
2. configure terminal
3. banner login c message c
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: banner login c message c
Purpose: Specifies the login message.
c—Enters the delimiting character of your choice, for example, a pound sign (#), and press the Return key.
The delimiting character signifies the beginning and end of the banner text. Characters after the ending
delimiter are discarded.
message—Enters a login message up to 255 characters. You cannot use the delimiting character in the
message.
Example:
Controller(config)# banner login $
Access for authorized users only.
Please enter your username and
password.
$
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 5
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
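Because everything after the ending delimiter is discarded, a banner whose text contains the delimiter is cut short at that point. The following Python is an added example, not Cisco code: it models the delimiter rule as described in the two banner procedures and renders a banner command with a delimiter that does not occur in the message. The function names, the candidate delimiter list, and the sample message are assumptions of this example, as is counting newlines toward the 255-character limit.

```python
MAX_BANNER_CHARS = 255          # limit stated in the banner steps
CANDIDATE_DELIMITERS = "#$%^~|@"  # assumption: any of these may be chosen


def banner_as_kept(typed, delimiter):
    """Return the text kept between the first two delimiter occurrences.

    Models the rule above: the delimiter marks the beginning and end of the
    banner text, and characters after the ending delimiter are discarded.
    """
    start = typed.find(delimiter)
    if start == -1:
        raise ValueError("no opening delimiter")
    end = typed.find(delimiter, start + 1)
    if end == -1:
        raise ValueError("banner text is not terminated")
    return typed[start + 1:end]


def choose_delimiter(message):
    """Pick the first candidate character that is absent from the message."""
    for char in CANDIDATE_DELIMITERS:
        if char not in message:
            return char
    raise ValueError("every candidate delimiter occurs in the message")


def render_banner(kind, message):
    """Build a 'banner motd' or 'banner login' command for the message."""
    if kind not in ("motd", "login"):
        raise ValueError("kind must be 'motd' or 'login'")
    if len(message) > MAX_BANNER_CHARS:
        raise ValueError(
            f"message is {len(message)} characters, limit is {MAX_BANNER_CHARS}")
    delimiter = choose_delimiter(message)
    return f"banner {kind} {delimiter}\n{message}\n{delimiter}"


if __name__ == "__main__":
    # Constructed sample message that contains a pound sign.
    text = "Maintenance tonight, ticket #4512. Authorized users only."
    print(repr(banner_as_kept("#" + text + "#", "#")))  # cut at the ticket number
    print(render_banner("motd", text))
```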
Managing the MAC Address Table
Changing the Address Aging Time
Follow these steps to configure the dynamic address table aging time:
SUMMARY STEPS
1. enable
2. configure terminal
3. mac address-table aging-time [0 | 10-1000000] [routed-mac | vlan vlan-id]
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: mac address-table aging-time [0 | 10-1000000] [routed-mac | vlan vlan-id]
Purpose: Sets the length of time that a dynamic entry remains in the MAC address table after the entry is
used or updated.
The range is 10 to 1000000 seconds. The default is 300. You can also enter 0, which disables aging. Static
address entries are never aged or removed from the table.
vlan-id—Valid IDs are 1 to 4094.
Example:
Controller(config)# mac address-table aging-time 500 vlan 2
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 5
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Configuring MAC Address Change Notification Traps
Follow these steps to configure the switch to send MAC address change notification traps to an NMS host:
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server host host-addr community-string notification-type { informs | traps } {version {1 | 2c |
3}} {vrf vrf instance name}
4. snmp-server enable traps mac-notification change
5. mac address-table notification change
6. mac address-table notification change [interval value] [history-size value]
7. interface interface-id
8. snmp trap mac-notification change {added | removed}
9. end
10. show running-config
11. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: snmp-server host host-addr community-string notification-type { informs | traps }
{version {1 | 2c | 3}} {vrf vrf instance name}
Purpose: Specifies the recipient of the trap message.
• host-addr—Specifies the name or address of the NMS.
• traps (the default)—Sends SNMP traps to the host.
• informs—Sends SNMP informs to the host.
• version—Specifies the SNMP version to support. Version 1, the default, is not available with informs.
• community-string—Specifies the string to send with the notification operation. Though you can set this
string by using the snmp-server host command, we recommend that you define this string by using the
snmp-server community command before using the snmp-server host command.
• notification-type—Uses the mac-notification keyword.
• vrf vrf instance name—Specifies the VPN routing/forwarding instance for this host.
Example:
Controller(config)# snmp-server host 172.20.10.10 traps private mac-notification
Step 4
Command or Action: snmp-server enable traps mac-notification change
Purpose: Enables the controller to send MAC address change notification traps to the NMS.
Example:
Controller(config)# snmp-server enable traps mac-notification change
Step 5
Command or Action: mac address-table notification change
Purpose: Enables the MAC address change notification feature.
Example:
Controller(config)# mac address-table notification change
Step 6
Command or Action: mac address-table notification change [interval value] [history-size value]
Purpose: Enters the trap interval time and the history table size.
• (Optional) interval value—Specifies the notification trap interval in seconds between each set of traps
that are generated to the NMS. The range is 0 to 2147483647 seconds; the default is 1 second.
• (Optional) history-size value—Specifies the maximum number of entries in the MAC notification
history table. The range is 0 to 500; the default is 1.
Example:
Controller(config)# mac address-table notification change interval 123
Controller(config)# mac address-table notification change history-size 100
Step 7
Command or Action: interface interface-id
Purpose: Enters interface configuration mode, and specifies the Layer 2 interface on which to enable the
SNMP MAC address notification trap.
Example:
Controller(config)# interface gigabitethernet1/0/2
Step 8
Command or Action: snmp trap mac-notification change {added | removed}
Purpose: Enables the MAC address change notification trap on the interface.
• Enables the trap when a MAC address is added on this interface.
• Enables the trap when a MAC address is removed from this interface.
Example:
Controller(config-if)# snmp trap mac-notification change added
Step 9
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 10
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Step 11
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Configuring MAC Address Move Notification Traps
When you configure MAC-move notification, an SNMP notification is generated and sent to the network
management system whenever a MAC address moves from one port to another within the same VLAN.
Follow these steps to configure the controller to send MAC address-move notification traps to an NMS host:
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
4. snmp-server enable traps mac-notification move
5. mac address-table notification mac-move
6. end
7. show running-config
8. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string
notification-type
Purpose: Specifies the recipient of the trap message.
• host-addr—Specifies the name or address of the NMS.
• traps (the default)—Sends SNMP traps to the host.
• informs—Sends SNMP informs to the host.
• version—Specifies the SNMP version to support. Version 1, the default, is not available with informs.
• community-string—Specifies the string to send with the notification operation. Though you can set this
string by using the snmp-server host command, we recommend that you define this string by using the
snmp-server community command before using the snmp-server host command.
• notification-type—Uses the mac-notification keyword.
Example:
Controller(config)# snmp-server host 172.20.10.10 traps private mac-notification
Step 4
Command or Action: snmp-server enable traps mac-notification move
Purpose: Enables the controller to send MAC address move notification traps to the NMS.
Example:
Controller(config)# snmp-server enable traps mac-notification move
Step 5
Command or Action: mac address-table notification mac-move
Purpose: Enables the MAC address move notification feature.
Example:
Controller(config)# mac address-table notification mac-move
Step 6
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 7
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Step 8
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
What to do next
To disable MAC address-move notification traps, use the no snmp-server enable traps mac-notification
move global configuration command. To disable the MAC address-move notification feature, use the no mac
address-table notification mac-move global configuration command.
You can verify your settings by entering the show mac address-table notification mac-move privileged
EXEC command.
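The per-VLAN learning and aging described under MAC Address Table Creation, and the conditions that raise change (added, removed) and move notifications in the two procedures above, are easier to reason about with a small model. The following Python is an added example, not Cisco code; the class, its methods, and the sample frames are constructed for illustration, and the handling of static entries during learning is an assumption.

```python
from dataclasses import dataclass

DEFAULT_AGING_SECONDS = 300  # default aging time from Table 6
FILTERED = "filtered"        # destination is on the port the frame came from


@dataclass
class Entry:
    port: str
    static: bool
    last_seen: float


class MacAddressTable:
    """Illustrative model of the per-VLAN address table described above."""

    def __init__(self, aging=DEFAULT_AGING_SECONDS):
        self.aging = aging       # 0 disables aging, as in the aging-time step
        self.vlans = {}          # VLAN ID -> {MAC: Entry}, one table per VLAN
        self.notifications = []  # (kind, vlan, mac, old_port, new_port)

    def add_static(self, vlan, mac, port):
        """Static entries are entered manually and never age."""
        self.vlans.setdefault(vlan, {})[mac] = Entry(port, True, 0.0)

    def expire(self, now):
        """Age out dynamic entries not refreshed within the aging time."""
        if self.aging == 0:
            return
        for vlan, table in self.vlans.items():
            stale = [m for m, e in table.items()
                     if not e.static and now - e.last_seen >= self.aging]
            for mac in stale:
                self.notifications.append(
                    ("removed", vlan, mac, table[mac].port, None))
                del table[mac]

    def learn(self, vlan, src_mac, port, now):
        """Record the source address of a frame received on a port."""
        self.expire(now)
        table = self.vlans.setdefault(vlan, {})
        entry = table.get(src_mac)
        if entry is None:
            table[src_mac] = Entry(port, False, now)
            self.notifications.append(("added", vlan, src_mac, None, port))
        elif entry.static:
            return  # assumption: learning does not overwrite a static entry
        elif entry.port != port:
            # Same MAC, same VLAN, different port: the MAC-move condition.
            self.notifications.append(("move", vlan, src_mac, entry.port, port))
            entry.port, entry.last_seen = port, now
        else:
            entry.last_seen = now

    def forward(self, vlan, dst_mac, in_port):
        """Return the egress port, FILTERED, or None for an unknown address."""
        entry = self.vlans.get(vlan, {}).get(dst_mac)
        if entry is None:
            return None  # unknown destinations are not covered in this section
        return FILTERED if entry.port == in_port else entry.port


def replay_sample():
    """Replay constructed frames: (time in s, VLAN, source MAC, ingress port)."""
    table = MacAddressTable()
    frames = [
        (0, 5, "0000.5e00.5301", "Gi1/0/1"),
        (10, 5, "0000.5e00.5302", "Gi1/0/2"),
        (20, 1, "0000.5e00.5301", "Gi1/0/9"),   # same MAC, other VLAN: no move
        (30, 5, "0000.5e00.5301", "Gi1/0/7"),   # same VLAN, new port: move
        (325, 5, "0000.5e00.5301", "Gi1/0/7"),  # two idle entries have aged out
    ]
    for now, vlan, mac, port in frames:
        table.learn(vlan, mac, port, now)
    return table


if __name__ == "__main__":
    for note in replay_sample().notifications:
        print(note)
```

A move reported for an address that should be stationary, such as a server or gateway, is the case an NMS operator will usually want to alert on.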
Configuring MAC Threshold Notification Traps
When you configure MAC threshold notification, an SNMP notification is generated and sent to the network
management system when a MAC address table threshold limit is reached or exceeded.
Follow these steps to configure the switch to send MAC address table threshold notification traps to an NMS
host:
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string notification-type
4. snmp-server enable traps mac-notification threshold
5. mac address-table notification threshold
6. mac address-table notification threshold [limit percentage] | [interval time]
7. end
8. show running-config
9. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: snmp-server host host-addr {traps | informs} {version {1 | 2c | 3}} community-string
notification-type
Purpose: Specifies the recipient of the trap message.
• host-addr—Specifies the name or address of the NMS.
• traps (the default)—Sends SNMP traps to the host.
• informs—Sends SNMP informs to the host.
• version—Specifies the SNMP version to support. Version 1, the default, is not available with informs.
• community-string—Specifies the string to send with the notification operation. You can set this string
by using the snmp-server host command, but we recommend that you define this string by using the
snmp-server community command before using the snmp-server host command.
• notification-type—Uses the mac-notification keyword.
Example:
Controller(config)# snmp-server host 172.20.10.10 traps private mac-notification
Step 4
Command or Action: snmp-server enable traps mac-notification threshold
Purpose: Enables MAC threshold notification traps to the NMS.
Example:
Controller(config)# snmp-server enable traps mac-notification threshold
Step 5
Command or Action: mac address-table notification threshold
Purpose: Enables the MAC address threshold notification feature.
Example:
Controller(config)# mac address-table notification threshold
Step 6
Command or Action: mac address-table notification threshold [limit percentage] | [interval time]
Purpose: Enters the threshold value for the MAC address threshold usage monitoring.
Example:
Controller(config)# mac address-table notification threshold interval 123
Controller(config)# mac address-table notification threshold limit 78
Step 7
Purpose
• (Optional) limit percentage—Specifies the percentage
of the MAC address table use; valid values are from
1 to 100 percent. The default is 50 percent.
• (Optional) interval time—Specifies the time between
notifications; valid values are greater than or equal to
120 seconds. The default is 120 seconds.
Returns to privileged EXEC mode.
end
Example:
Controller(config)# end
Step 8
show running-config
Verifies your entries.
Example:
Controller# show running-config
Step 9
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Adding and Removing Static Address Entries
Follow these steps to add a static address:
SUMMARY STEPS
1. enable
2. configure terminal
3. mac address-table static mac-addr vlan vlan-id interface interface-id
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: mac address-table static mac-addr vlan vlan-id interface interface-id
Purpose: Adds a static address to the MAC address table.
• mac-addr: Specifies the destination MAC unicast address to add to the address table. Packets with this destination address received in the specified VLAN are forwarded to the specified interface.
• vlan-id: Specifies the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.
• interface-id: Specifies the interface to which the received packet is forwarded. Valid interfaces include physical ports or port channels. For static multicast addresses, you can enter multiple interface IDs. For static unicast addresses, you can enter only one interface at a time, but you can enter the command multiple times with the same MAC address and VLAN ID.
Example:
Controller(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet 1/0/1
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Step 5
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Configuring Unicast MAC Address Filtering
Follow these steps to configure the Controller to drop a source or destination unicast static address:
SUMMARY STEPS
1. enable
2. configure terminal
3. mac address-table static mac-addr vlan vlan-id drop
4. end
5. show running-config
6. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: mac address-table static mac-addr vlan vlan-id drop
Purpose: Enables unicast MAC address filtering and configures the controller to drop a packet with the specified source or destination unicast static address.
• mac-addr: Specifies a source or destination unicast MAC address (48-bit). Packets with this MAC address are dropped.
• vlan-id: Specifies the VLAN for which the packet with the specified MAC address is received. Valid VLAN IDs are 1 to 4094.
Example:
Controller(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 5
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Monitoring and Maintaining Administration of the Controller
Command
    Purpose
clear mac address-table dynamic
    Removes all dynamic entries.
clear mac address-table dynamic address mac-address
    Removes a specific MAC address.
clear mac address-table dynamic interface interface-id
    Removes all addresses on the specified physical port or port channel.
clear mac address-table dynamic vlan vlan-id
    Removes all addresses on a specified VLAN.
show clock [detail]
    Displays the time and date configuration.
show ip igmp snooping groups
    Displays the Layer 2 multicast entries for all VLANs or the specified VLAN.
show mac address-table address mac-address
    Displays MAC address table information for the specified MAC address.
show mac address-table aging-time
    Displays the aging time in all VLANs or the specified VLAN.
show mac address-table count
    Displays the number of addresses present in all VLANs or the specified VLAN.
show mac address-table dynamic
    Displays only dynamic MAC address table entries.
show mac address-table interface interface-name
    Displays the MAC address table information for the specified interface.
show mac address-table move update
    Displays the MAC address table move update information.
show mac address-table multicast
    Displays a list of multicast MAC addresses.
show mac address-table notification {change | mac-move | threshold}
    Displays the MAC notification parameters and history table.
show mac address-table secure
    Displays the secure MAC addresses.
show mac address-table static
    Displays only static MAC address table entries.
show mac address-table vlan vlan-id
    Displays the MAC address table information for the specified VLAN.
Configuration Examples for Controller Administration
Example: Setting the System Clock
This example shows how to manually set the system clock:
Controller# clock set 13:32:00 23 July 2013
Examples: Configuring Summer Time
This example (for daylight savings time) shows how to specify that summer time starts on March 10 at 02:00
and ends on November 3 at 02:00:
Controller(config)# clock summer-time PDT recurring PST date 10 March 2013 2:00 3 November 2013 2:00
This example shows how to set summer time start and end dates:
Controller(config)# clock summer-time PST date 20 March 2013 2:00 20 November 2013 2:00
Example: Configuring a MOTD Banner
This example shows how to configure a MOTD banner by using the pound sign (#) symbol as the beginning
and ending delimiter:
Controller(config)# banner motd #
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
#
Controller(config)#
This example shows the banner that appears from the previous configuration:
Unix> telnet 192.0.2.15
Trying 192.0.2.15...
Connected to 192.0.2.15.
Escape character is '^]'.
This is a secure site. Only authorized users are allowed.
For access, contact technical support.
User Access Verification
Password:
Example: Configuring a Login Banner
This example shows how to configure a login banner by using the dollar sign ($) symbol as the beginning
and ending delimiter:
Controller(config)# banner login $
Access for authorized users only. Please enter your username and password.
$
Controller(config)#
Example: Configuring MAC Address Change Notification Traps
This example shows how to specify 172.20.10.10 as the NMS, enable MAC address notification traps to the
NMS, enable the MAC address-change notification feature, set the interval time to 123 seconds, set the
history-size to 100 entries, and enable traps whenever a MAC address is added on the specified port:
Controller(config)# snmp-server host 172.20.10.10 traps private mac-notification
Controller(config)# snmp-server enable traps mac-notification change
Controller(config)# mac address-table notification change
Controller(config)# mac address-table notification change interval 123
Controller(config)# mac address-table notification change history-size 100
Controller(config)# interface gigabitethernet1/2/1
Controller(config-if)# snmp trap mac-notification change added
Example: Configuring MAC Threshold Notification Traps
This example shows how to specify 172.20.10.10 as the NMS, enable the MAC address threshold notification
feature, set the interval time to 123 seconds, and set the limit to 78 per cent:
Controller(config)# snmp-server host 172.20.10.10 traps private mac-notification
Controller(config)# snmp-server enable traps mac-notification threshold
Controller(config)# mac address-table notification threshold
Controller(config)# mac address-table notification threshold interval 123
Controller(config)# mac address-table notification threshold limit 78
Example: Adding the Static Address to the MAC Address Table
This example shows how to add the static address c2f3.220a.12f4 to the MAC address table. When a packet
is received in VLAN 4 with this MAC address as its destination address, the packet is forwarded to the specified
port:
Note
You cannot associate the same static MAC address to multiple interfaces. If the command is executed again
with a different interface, the static MAC address is overwritten on the new interface.
Controller(config)# mac address-table static c2f3.220a.12f4 vlan 4 interface gigabitethernet1/1/1
Example: Configuring Unicast MAC Address Filtering
This example shows how to enable unicast MAC address filtering and how to configure the controller to drop
packets that have a source or destination address of c2f3.220a.12f4. When a packet is received in VLAN 4
with this MAC address as its source or destination, the packet is dropped:
Controller(config)# mac address-table static c2f3.220a.12f4 vlan 4 drop
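The value ranges and command dependencies documented in the procedures above can be checked offline against a saved configuration. The following Python script is an added example, not Cisco code; the function name audit and the sample configuration are constructed for illustration, and the patterns follow the command syntax as printed in this guide.

```python
import re

# Constructed sample: the commands from this chapter's examples plus three
# deliberately out-of-range lines (6, 7 and 9) to show what gets reported.
SAMPLE_CONFIG = """\
snmp-server host 172.20.10.10 traps private mac-notification
snmp-server enable traps mac-notification threshold
mac address-table notification threshold
mac address-table notification threshold interval 123
mac address-table notification threshold limit 78
mac address-table notification threshold interval 60
mac address-table notification threshold limit 0
mac address-table static c2f3.220a.12f4 vlan 4 drop
mac address-table static c2f3.220a.12f4 vlan 4095 interface gigabitethernet1/1/1
"""

# The three commands the threshold-trap procedure needs (Steps 3, 4 and 5).
REQUIRED = {
    "host": "snmp-server host ... mac-notification",
    "traps": "snmp-server enable traps mac-notification threshold",
    "feature": "mac address-table notification threshold",
}
HOST_RE = re.compile(r"^snmp-server host (\S+)(?: (traps|informs))?"
                     r"(?: version (1|2c|3))? (\S+) mac-notification$")
THRESHOLD_RE = re.compile(
    r"^mac address-table notification threshold (limit|interval) (\d+)$")
STATIC_RE = re.compile(
    r"^mac address-table static ([0-9a-f]{4}(?:\.[0-9a-f]{4}){2}) vlan (\d+) "
    r"(drop|interface \S.*)$", re.IGNORECASE)


def audit(config_text):
    """Return (line_number, message) findings; line 0 means config-wide."""
    findings = []
    seen = set()
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())  # collapse runs of whitespace
        if line == REQUIRED["traps"]:
            seen.add("traps")
        elif line == REQUIRED["feature"]:
            seen.add("feature")
        elif (match := THRESHOLD_RE.match(line)):
            kind, value = match.group(1), int(match.group(2))
            if kind == "limit" and not 1 <= value <= 100:
                findings.append((number, f"limit {value} is outside 1-100 percent"))
            if kind == "interval" and value < 120:
                findings.append((number, f"interval {value} is below 120 seconds"))
        elif (match := STATIC_RE.match(line)):
            vlan = int(match.group(2))
            if not 1 <= vlan <= 4094:
                findings.append((number, f"VLAN {vlan} is outside 1-4094"))
        elif (match := HOST_RE.match(line)):
            seen.add("host")
            host, mode, version = match.group(1), match.group(2), match.group(3)
            if (mode == "informs") and (version in (None, "1")):
                findings.append((number, "informs are not available with version 1"))
            elif version is None:
                findings.append(
                    (number, f"NMS {host}: no version keyword, defaults to version 1"))
    # Enabling only part of the threshold-trap chain produces no notifications.
    if seen & {"traps", "feature"}:
        missing = [REQUIRED[key] for key in REQUIRED if key not in seen]
        if missing:
            findings.append(
                (0, "threshold traps incomplete, missing: " + "; ".join(missing)))
    return findings


if __name__ == "__main__":
    for number, message in audit(SAMPLE_CONFIG):
        print(f"line {number}: {message}")
```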
Additional References for Controller Administration
Related Documents
Related Topic
    Document Title
System management commands
    System Management Command Reference (Catalyst 3850 Switches)
    System Management Command Reference (Cisco WLC 5700 Series)
    System Management Command Reference (Catalyst 3650 Switches)
Network management configuration
    Network Management Configuration Guide (Catalyst 3850 Switches)
    Network Management Configuration Guide (Cisco WLC 5700 Series)
    Network Management Configuration Guide (Catalyst 3650 Switches)
Layer 2 configuration
    Layer 2/3 Configuration Guide (Catalyst 3850 Switches)
    Layer 2 Configuration Guide (Cisco WLC 5700 Series)
    Layer 2/3 Configuration Guide (Catalyst 3650 Switches)
VLAN configuration
    VLAN Configuration Guide (Catalyst 3850 Switches)
    VLAN Configuration Guide (Cisco WLC 5700 Series)
    VLAN Configuration Guide (Catalyst 3650 Switches)
Platform-independent command references
    Configuration Fundamentals Command Reference, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
Platform-independent configuration information
    Configuration Fundamentals Configuration Guide, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
    IP Addressing Configuration Guide Library, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
Standards and RFCs
Standard/RFC Title
None
—
MIBs
MIB
MIBs Link
All supported MIBs for this
release.
To locate and download MIBs for selected platforms, Cisco IOS releases,
and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
Technical Assistance
Description
    The Cisco Support website provides extensive online resources, including
    documentation and tools for troubleshooting and resolving technical issues
    with Cisco products and technologies.
    To receive security and technical information about your products, you can
    subscribe to various services, such as the Product Alert Tool (accessed from
    Field Notices), the Cisco Technical Services Newsletter, and Really Simple
    Syndication (RSS) Feeds.
    Access to most tools on the Cisco Support website requires a Cisco.com user
    ID and password.
Link
    http://www.cisco.com/support
Additional References for Controller Administration
Related Documents
Related Topic
    Document Title
System management commands
    System Management Command Reference (Catalyst 3650 Switches)
Network management configuration
    Network Management Configuration Guide (Catalyst 3650 Switches)
Layer 2 configuration
    Layer 2/3 Configuration Guide (Catalyst 3650 Switches)
VLAN configuration
    VLAN Configuration Guide (Catalyst 3650 Switches)
Platform-independent command references
    Configuration Fundamentals Command Reference, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Platform-independent configuration information
    Configuration Fundamentals Configuration Guide, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
    IP Addressing Configuration Guide Library, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Feature History and Information for Controller Administration
Release: Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE
Modification: This feature was introduced.
CHAPTER 4
Performing Controller Setup Configuration
• Finding Feature Information
• Information About Performing Controller Setup Configuration
• How to Perform Controller Setup Configuration
• Monitoring Controller Setup Configuration
• Configuration Examples for Performing Controller Setup
• Additional References For Performing Controller Setup
• Feature History and Information For Performing Controller Setup Configuration
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Related Topics
Feature History and Information for Troubleshooting Software Configuration
Information About Performing Controller Setup Configuration
Review the sections in this module before performing your initial controller configuration tasks that include
IP address assignments and DHCP autoconfiguration.
Controller Boot Process
To start your controller, you need to follow the procedures in the hardware installation guide for installing
and powering on the controller and setting up the initial controller configuration (IP address, subnet mask,
default gateway, secret and Telnet passwords, and so forth).
The normal boot process involves the operation of the boot loader software and includes these activities:
• Performs low-level CPU initialization. It initializes the CPU registers, which control where physical
memory is mapped, its quantity, its speed, and so forth.
• Performs power-on self-test (POST) for the CPU subsystem and tests the system DRAM.
• Initializes the file systems on the system board.
• Loads a default operating system software image into memory and boots up the controller.
The boot loader provides access to the file systems before the operating system is loaded. Normally, the boot
loader is used only to load, decompress, and start the operating system. After the boot loader gives the operating
system control of the CPU, the boot loader is not active until the next system reset or power-on.
The boot loader also provides trap-door access into the system if the operating system has problems serious
enough that it cannot be used. The trap-door mechanism provides enough access to the system so that if it is
necessary, you can reinstall the operating system software image by using the Xmodem Protocol, recover
from a lost or forgotten password, and finally restart the operating system.
Before you can assign controller information, make sure you have connected a PC or terminal to the console
port or a PC to the Ethernet management port, and make sure you have configured the PC or terminal-emulation
software baud rate and character format to match those of the controller console port:
• Baud rate default is 9600.
• Data bits default is 8.
Note
If the data bits option is set to 8, set the parity option to none.
• Stop bits default is 2 (minor).
• Parity settings default is none.
Software Installer Features
The following software installer features are supported on your switch:
• Software bundle installation on a standalone switch.
• Software rollback to a previously installed package set.
• Emergency installation in the event that no valid installed packages reside on the boot flash.
Software Boot Modes
Your controller supports two modes to boot the software packages:
• Installed mode
• Bundle mode
Related Topics
Examples: Displaying Software Bootup in Install Mode
Example: Emergency Installation
Installed Boot Mode
You can boot your controller in installed mode by booting the software package provisioning file that resides
in flash:
Switch: boot flash:packages.conf
The provisioning file contains a list of software packages to boot, mount, and run. The ISO file system in
each installed package is mounted to the root file system directly from flash.
Note
The packages and provisioning file used to boot in installed mode must reside in flash. Booting in installed
mode from usbflash0: or tftp: is not supported.
Related Topics
Examples: Displaying Software Bootup in Install Mode
Example: Emergency Installation
Bundle Boot Mode
You can boot your controller in bundle boot mode by booting the bundle (.bin) file:
switch: boot flash:cat3850-universalk9.SSA.03.08.83.EMD.150-8.83.EMD.bin
controller: boot flash:ct5700-ipservicesk9.SSA.03.09.07.EMP.150-9.07.EMP.bin
The provisioning file contained in a bundle is used to decide which packages to boot, mount, and run. Packages
are extracted from the bundle and copied to RAM. The ISO file system in each package is mounted to the
root file system.
Unlike install boot mode, additional memory that is equivalent to the size of the bundle is used when booting
in bundle mode.
Unlike install boot mode, bundle boot mode is available from several locations:
• flash:
• usbflash0:
• tftp:
Note
Auto install and smart install functionality is not supported in bundle boot mode.
Note
The AP image pre-download feature is not supported in bundle boot mode. For more information about the
pre-download feature, see the Cisco WLC 5700 Series Preloading an Image to Access Points chapter.
Related Topics
Examples: Displaying Software Bootup in Install Mode
Example: Emergency Installation
Controllers Information Assignment
You can assign IP information through the controller setup program, through a DHCP server, or manually.
Use the controller setup program if you want to be prompted for specific IP information. With this program,
you can also configure a hostname and an enable secret password.
It gives you the option of assigning a Telnet password (to provide security during remote management) and
configuring your switch as a command or member switch of a cluster or as a standalone switch.
Use a DHCP server for centralized control and automatic assignment of IP information after the server is
configured.
Note
If you are using DHCP, do not respond to any of the questions in the setup program until the controller receives
the dynamically assigned IP address and reads the configuration file.
If you are an experienced user familiar with the controller configuration steps, manually configure the controller.
Otherwise, use the setup program described in the Boot Process section.
DHCP-Based Autoconfiguration Overview
DHCP provides configuration information to Internet hosts and internetworking devices. This protocol consists
of two components: one for delivering configuration parameters from a DHCP server to a device and an
operation for allocating network addresses to devices. DHCP is built on a client-server model, in which
designated DHCP servers allocate network addresses and deliver configuration parameters to dynamically
configured devices. The controller can act as both a DHCP client and a DHCP server.
During DHCP-based autoconfiguration, your controller (DHCP client) is automatically configured at startup
with IP address information and a configuration file.
With DHCP-based autoconfiguration, no DHCP client-side configuration is needed on your controller.
However, you need to configure the DHCP server for various lease options associated with IP addresses.
If you want to use DHCP to relay the configuration file location on the network, you might also need to
configure a Trivial File Transfer Protocol (TFTP) server and a Domain Name System (DNS) server.
The DHCP server for your controller can be on the same LAN or on a different LAN than the controller. If
the DHCP server is running on a different LAN, you should configure a DHCP relay device between your
controller and the DHCP server. A relay device forwards broadcast traffic between two directly connected
LANs. A router does not forward broadcast packets, but it forwards packets based on the destination IP address
in the received packet.
DHCP-based autoconfiguration replaces the BOOTP client functionality on your controller.
DHCP Client Request Process
When you boot up your controller, the DHCP client is invoked and requests configuration information from
a DHCP server when the configuration file is not present on the controller. If the configuration file is present
and the configuration includes the ip address dhcp interface configuration command on specific routed
interfaces, the DHCP client is invoked and requests the IP address information for those interfaces.
This is the sequence of messages that are exchanged between the DHCP client and the DHCP server.
Figure 3: DHCP Client and Server Message Exchange
The client, Controller A, broadcasts a DHCPDISCOVER message to locate a DHCP server. The DHCP server
offers configuration parameters (such as an IP address, subnet mask, gateway IP address, DNS IP address, a
lease for the IP address, and so forth) to the client in a DHCPOFFER unicast message.
In a DHCPREQUEST broadcast message, the client returns a formal request for the offered configuration
information to the DHCP server. The formal request is broadcast so that all other DHCP servers that received
the DHCPDISCOVER broadcast message from the client can reclaim the IP addresses that they offered to
the client.
The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACK
unicast message to the client. With this message, the client and server are bound, and the client uses
configuration information received from the server. The amount of information the controller receives depends
on how you configure the DHCP server.
If the configuration parameters sent to the client in the DHCPOFFER unicast message are invalid (a
configuration error exists), the client returns a DHCPDECLINE broadcast message to the DHCP server.
The DHCP server sends the client a DHCPNAK denial broadcast message, which means that the offered
configuration parameters have not been assigned, that an error has occurred during the negotiation of the
parameters, or that the client has been slow in responding to the DHCPOFFER message (the DHCP server
assigned the parameters to another client).
A DHCP client might receive offers from multiple DHCP or BOOTP servers and can accept any of the offers;
however, the client usually accepts the first offer it receives. The offer from the DHCP server is not a guarantee
that the IP address is allocated to the client; however, the server usually reserves the address until the client
has had a chance to formally request the address. If the controller accepts replies from a BOOTP server and
configures itself, the controller broadcasts, instead of unicasts, TFTP requests to obtain the controller
configuration file.
The DHCP hostname option allows a group of controllers to obtain hostnames and a standard configuration
from the central management DHCP server. A client (controller) includes in its DHCPDISCOVER message
an option 12 field used to request a hostname and other configuration parameters from the DHCP server. The
configuration files on all clients are identical except for their DHCP-obtained hostnames.
If a client has a default hostname (the hostname name global configuration command is not configured or
the no hostname global configuration command is entered to remove the hostname), the DHCP hostname
option is not included in the packet when you enter the ip address dhcp interface configuration command.
In this case, if the client receives the DHCP hostname option from the DHCP interaction while acquiring an
IP address for an interface, the client accepts the DHCP hostname option and sets the flag to show that the
system now has a hostname configured.
DHCP Server Configuration Guidelines
Follow these guidelines if you are configuring a device as a DHCP server:
• You should configure the DHCP server with reserved leases that are bound to each controller by the
controller hardware address.
• If you want the controller to receive IP address information, you must configure the DHCP server with
these lease options:
    • IP address of the client (required)
    • Subnet mask of the client (required)
    • DNS server IP address (optional)
    • Router IP address (default gateway address to be used by the controller) (required)
• If you want the controller to receive the configuration file from a TFTP server, you must configure the
DHCP server with these lease options:
    • TFTP server name (required)
    • Boot filename (the name of the configuration file that the client needs) (recommended)
    • Hostname (optional)
• Depending on the settings of the DHCP server, the controller can receive IP address information, the
configuration file, or both.
• If you do not configure the DHCP server with the lease options described previously, it replies to client
requests with only those parameters that are configured. If the IP address and the subnet mask are not in
the reply, the controller is not configured. If the router IP address or the TFTP server name are not found,
the controller might send broadcast, instead of unicast, TFTP requests. Unavailability of other lease
options does not affect autoconfiguration.
• The controller can act as a DHCP server. By default, the Cisco IOS DHCP server and relay agent features
are enabled on your controller but are not configured. (These features are not operational.)
Purpose of the TFTP Server
Based on the DHCP server configuration, the controller attempts to download one or more configuration files
from the TFTP server. If you configured the DHCP server to respond to the controller with all the options
required for IP connectivity to the TFTP server, and if you configured the DHCP server with a TFTP server
name, address, and configuration filename, the controller attempts to download the specified configuration
file from the specified TFTP server.
If you did not specify the configuration filename, the TFTP server, or if the configuration file could not be
downloaded, the controller attempts to download a configuration file by using various combinations of
filenames and TFTP server addresses. The files include the specified configuration filename (if any) and these
files: network-confg, cisconet.cfg, hostname-confg, or hostname.cfg, where hostname is the controller’s
current hostname. The TFTP server addresses used include the specified TFTP server address (if any) and
the broadcast address (255.255.255.255).
For the controller to successfully download a configuration file, the TFTP server must contain one or more
configuration files in its base directory. The files can include these files:
• The configuration file named in the DHCP reply (the actual controller configuration file).
• The network-confg or the cisconet.cfg file (known as the default configuration files).
• The router-confg or the ciscortr.cfg file (These files contain commands common to all controllers.
Normally, if the DHCP and TFTP servers are properly configured, these files are not accessed.)
If you specify the TFTP server name in the DHCP server-lease database, you must also configure the TFTP
server name-to-IP-address mapping in the DNS-server database.
If the TFTP server to be used is on a different LAN from the controller, or if it is to be accessed by the controller
through the broadcast address (which occurs if the DHCP server response does not contain all the required
information described previously), a relay must be configured to forward the TFTP packets to the TFTP server.
The preferred solution is to configure the DHCP server with all the required information.
Purpose of the DNS Server
The DHCP server uses the DNS server to resolve the TFTP server name to an IP address. You must configure
the TFTP server name-to-IP address map on the DNS server. The TFTP server contains the configuration
files for the controller.
You can configure the IP addresses of the DNS servers in the lease database of the DHCP server from where
the DHCP replies will retrieve them. You can enter up to two DNS server IP addresses in the lease database.
The DNS server can be on the same LAN or on a different LAN from the controller. If it is on a different
LAN, the controller must be able to access it through a router.
How to Obtain Configuration Files
Depending on the availability of the IP address and the configuration filename in the DHCP reserved lease,
the controller obtains its configuration information in these ways:
• The IP address and the configuration filename are reserved for the controller and provided in the DHCP
reply (one-file read method).
The controller receives its IP address, subnet mask, TFTP server address, and the configuration filename
from the DHCP server. The controller sends a unicast message to the TFTP server to retrieve the named
configuration file from the base directory of the server and, upon receipt, completes its boot-up process.
• The IP address and the configuration filename are reserved for the controller, but the TFTP server address
is not provided in the DHCP reply (one-file read method).
The controller receives its IP address, subnet mask, and the configuration filename from the DHCP
server. The controller sends a broadcast message to a TFTP server to retrieve the named configuration
file from the base directory of the server, and upon receipt, it completes its boot-up process.
• Only the IP address is reserved for the controller and provided in the DHCP reply. The configuration
filename is not provided (two-file read method).
The controller receives its IP address, subnet mask, and the TFTP server address from the DHCP server.
The controller sends a unicast message to the TFTP server to retrieve the network-confg or cisconet.cfg
default configuration file. (If the network-confg file cannot be read, the controller reads the cisconet.cfg
file.)
The default configuration file contains the hostnames-to-IP-address mapping for the controller. The
controller fills its host table with the information in the file and obtains its hostname. If the hostname is
not found in the file, the controller uses the hostname in the DHCP reply. If the hostname is not specified
in the DHCP reply, the controller uses the default Switch as its hostname.
After obtaining its hostname from the default configuration file or the DHCP reply, the controller reads
the configuration file that has the same name as its hostname (hostname-confg or hostname.cfg, depending
on whether network-confg or cisconet.cfg was read earlier) from the TFTP server. If the cisconet.cfg file
is read, the filename of the host is truncated to eight characters.
If the controller cannot read the network-confg, cisconet.cfg, or the hostname file, it reads the router-confg
file. If the controller cannot read the router-confg file, it reads the ciscortr.cfg file.
Note
The controller broadcasts TFTP server requests if the TFTP server is not obtained from the DHCP replies, if
all attempts to read the configuration file through unicast transmissions fail, or if the TFTP server name cannot
be resolved to an IP address.
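The retrieval order described above can be checked against a planned reserved lease before a controller is deployed, to see whether it would fall back to broadcast TFTP or to the default filenames. The following Python is an added example, not Cisco code: the Lease and Plan types, plan_autoconfig, and the sample values are this example's own, and it assumes the hostname file is skipped when neither default file can be read.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

DEFAULT_HOSTNAME = "Switch"  # default hostname named in the guide


@dataclass
class Lease:
    """Options carried in the DHCP reply (field names are this example's own)."""
    ip_address: Optional[str] = None
    subnet_mask: Optional[str] = None
    router: Optional[str] = None
    tftp_server: Optional[str] = None
    boot_filename: Optional[str] = None
    hostname: Optional[str] = None


@dataclass
class Plan:
    configured: bool           # False when no usable IP information was received
    method: Optional[str]      # "one-file" or "two-file"
    transport: Optional[str]   # "unicast" or "broadcast"
    requests: List[str]        # filenames requested, in order
    loaded: Optional[str]      # file that ends up supplying the configuration
    findings: List[str]        # points to fix in the lease or on the TFTP server


def plan_autoconfig(lease: Lease, tftp_files: Set[str],
                    host_table_name: Optional[str] = None) -> Plan:
    """Walk the retrieval order the guide describes.

    tftp_files: names present in the TFTP server base directory.
    host_table_name: hostname that the default configuration file maps to
    this controller's IP address, if any.
    """
    findings: List[str] = []
    if not (lease.ip_address and lease.subnet_mask):
        findings.append("IP address or subnet mask missing: controller is not configured")
        return Plan(False, None, None, [], None, findings)

    transport = "unicast" if lease.tftp_server else "broadcast"
    if transport == "broadcast":
        findings.append("no TFTP server in reply: requests go to 255.255.255.255")
    if not lease.router:
        findings.append("no router address in reply: TFTP requests might be broadcast")

    requests: List[str] = []

    def fetch(name: str) -> bool:
        requests.append(name)
        return name in tftp_files

    if lease.boot_filename:
        method = "one-file"
        if fetch(lease.boot_filename):
            return Plan(True, method, transport, requests, lease.boot_filename, findings)
        findings.append("named file not downloadable: default filenames are tried")
    else:
        method = "two-file"
        findings.append("no boot filename in reply: default filenames are tried")

    # Hostname precedence: default configuration file, then DHCP reply, then "Switch".
    host = host_table_name or lease.hostname or DEFAULT_HOSTNAME
    host_file = None
    if fetch("network-confg"):
        host_file = f"{host}-confg"
    elif fetch("cisconet.cfg"):
        host_file = f"{host[:8]}.cfg"  # hostname truncated to eight characters
    # Assumption: when neither default file is readable, the hostname file is
    # skipped and the common files are tried next (the guide does not say).
    if host_file and fetch(host_file):
        return Plan(True, method, transport, requests, host_file, findings)
    for common in ("router-confg", "ciscortr.cfg"):
        if fetch(common):
            findings.append(f"fell through to {common}: commands common to all controllers")
            return Plan(True, method, transport, requests, common, findings)
    return Plan(True, method, transport, requests, None, findings)


if __name__ == "__main__":
    # Constructed sample: reserved lease that omits the TFTP server and boot filename.
    sample = Lease(ip_address="10.10.10.20", subnet_mask="255.255.255.0",
                   router="10.10.10.1", hostname="wlc-building-7")
    result = plan_autoconfig(sample, {"cisconet.cfg", "wlc-buil.cfg"})
    print(result.method, result.transport, result.requests, result.loaded)
    for finding in result.findings:
        print("finding:", finding)
```

An empty findings list corresponds to the case the guide calls the preferred solution: the DHCP server supplies all the required information and the named file is read by unicast.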
How to Control Environment Variables
With a normally operating controller, you enter the boot loader mode only through the console connection
configured for 9600 bps. Unplug the controller power cord, and press the Mode button while reconnecting
the power cord. You can release the Mode button after all the amber system LEDs turn on and remain solid.
The boot loader controller prompt then appears.
The controller boot loader software provides support for nonvolatile environment variables, which can be
used to control how the boot loader, or any other software running on the system, operates. Boot loader
environment variables are similar to environment variables that can be set on UNIX or DOS systems.
Environment variables that have values are stored in flash memory outside of the flash file system.
Each line in these files contains an environment variable name and an equal sign followed by the value of the
variable. A variable has no value if it is not present; it has a value if it is listed even if the value is a null string.
A variable that is set to a null string (for example, “ ”) is a variable with a value. Many environment variables
are predefined and have default values.
You can change the settings of the environment variables by accessing the boot loader or by using Cisco IOS
commands. Under normal circumstances, it is not necessary to alter the setting of the environment variables.
Scheduled Reload of the Software Image
You can schedule a reload of the software image to occur on the controller at a later time (for example, late
at night or during the weekend when the controller is used less), or you can synchronize a reload network-wide
(for example, to perform a software upgrade on all controllers in the network).
You have these reload options:
• Reload of the software to take effect in the specified minutes or hours and minutes. The reload must take
place within approximately 24 hours. You can specify the reason for the reload in a string up to 255
characters in length.
• Reload of the software to take place at the specified time (using a 24-hour clock). If you specify the
month and day, the reload is scheduled to take place at the specified time and date. If you do not specify
the month and day, the reload takes place at the specified time on the current day (if the specified time
is later than the current time) or on the next day (if the specified time is earlier than the current time).
Specifying 00:00 schedules the reload for midnight.
The reload command halts the system. If the system is not set to manually boot up, it reboots itself.
If your controller is configured for manual booting, do not reload it from a virtual terminal. This restriction
prevents the controller from entering the boot loader mode and then taking it from the remote user’s control.
If you modify your configuration file, the controller prompts you to save the configuration before reloading.
During the save operation, the system requests whether you want to proceed with the save if the CONFIG_FILE
environment variable points to a startup configuration file that no longer exists. If you proceed in this situation,
the system enters setup mode upon reload.
To cancel a previously scheduled reload, use the reload cancel privileged EXEC command.
How to Perform Controller Setup Configuration
Using DHCP to download a new image and a new configuration to a controller requires that you configure
at least two controllers. One controller acts as a DHCP and TFTP server and the second controller (client) is
configured to download either a new configuration file or a new configuration file and a new image file.
Configuring DHCP Autoconfiguration (Only Configuration File)
This task describes how to configure DHCP autoconfiguration of the TFTP and DHCP settings on an existing
controller in the network so that it can support the autoconfiguration of a new controller.
SUMMARY STEPS
1. configure terminal
2. ip dhcp pool poolname
3. boot filename
4. network network-number mask prefix-length
5. default-router address
6. option 150 address
7. exit
8. tftp-server flash:filename.text
9. interface interface-id
10. no switchport
11. ip address address mask
12. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: ip dhcp pool poolname
Purpose: Creates a name for the DHCP server address pool, and enters DHCP pool configuration mode.
Example:
Controller(config)# ip dhcp pool pool
Step 3
Command or Action: boot filename
Purpose: Specifies the name of the configuration file that is used as a boot image.
Example:
Controller(dhcp-config)# boot config-boot.text
Step 4
Command or Action: network network-number mask prefix-length
Purpose: Specifies the subnet network number and mask of the DHCP address pool.
Note: The prefix length specifies the number of bits that comprise the address prefix. The prefix is
an alternative way of specifying the network mask of the client. The prefix length must be
preceded by a forward slash (/).
Example:
Controller(dhcp-config)# network 10.10.10.0 255.255.255.0
Step 5
Command or Action: default-router address
Purpose: Specifies the IP address of the default router for a DHCP client.
Example:
Controller(dhcp-config)# default-router 10.10.10.1
Step 6
Command or Action: option 150 address
Purpose: Specifies the IP address of the TFTP server.
Example:
Controller(dhcp-config)# option 150 10.10.10.1
Step 7
Command or Action: exit
Purpose: Returns to global configuration mode.
Example:
Controller(dhcp-config)# exit
Step 8
Command or Action: tftp-server flash:filename.text
Purpose: Specifies the configuration file on the TFTP server.
Example:
Controller(config)# tftp-server flash:config-boot.text
Step 9
Command or Action: interface interface-id
Purpose: Specifies the address of the client that will receive the configuration file.
Example:
Controller(config)# interface gigabitethernet1/0/4
Step 10
Command or Action: no switchport
Purpose: Puts the interface into Layer 3 mode.
Example:
Controller(config-if)# no switchport
Step 11
Command or Action: ip address address mask
Purpose: Specifies the IP address and mask for the interface.
Example:
Controller(config-if)# ip address 10.10.10.1 255.255.255.0
Step 12
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config-if)# end
Manually Assigning IP Information to Multiple SVIs
This task describes how to manually assign IP information to multiple switched virtual interfaces (SVIs):
SUMMARY STEPS
1. configure terminal
2. interface vlan vlan-id
3. ip address ip-address subnet-mask
4. exit
5. ip default-gateway ip-address
6. end
7. show interfaces vlan vlan-id
8. show ip redirects
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: interface vlan vlan-id
Purpose: Enters interface configuration mode, and enters the VLAN to which the IP information is
assigned. The range is 1 to 4094.
Example:
Controller(config)# interface vlan 99
Step 3
Command or Action: ip address ip-address subnet-mask
Purpose: Enters the IP address and subnet mask.
Example:
Controller(config-vlan)# ip address 10.10.10.2 255.255.255.0
Step 4
Command or Action: exit
Purpose: Returns to global configuration mode.
Example:
Controller(config-vlan)# exit
Step 5
Command or Action: ip default-gateway ip-address
Purpose: Enters the IP address of the next-hop router interface that is directly connected to the
controller where a default gateway is being configured. The default gateway receives IP packets with
unresolved destination IP addresses from the controller.
Once the default gateway is configured, the controller has connectivity to the remote networks with
which a host needs to communicate.
Note: When your controller is configured to route with IP, it does not need to have a default gateway
set.
Note: The controller CAPWAP relies on the default-gateway configuration to support routed access
points joining the controller.
Example:
Controller(config)# ip default-gateway 10.10.10.1
Step 6
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 7
Command or Action: show interfaces vlan vlan-id
Purpose: Verifies the configured IP address.
Example:
Controller# show interfaces vlan 99
Step 8
Command or Action: show ip redirects
Purpose: Verifies the configured default gateway.
Example:
Controller# show ip redirects
Modifying the Controller Startup Configuration
Specifying the Filename to Read and Write the System Configuration
By default, the Cisco IOS software uses the config.text file to read and write a nonvolatile copy of the system
configuration. However, you can specify a different filename, which will be loaded during the next boot cycle.
Before you begin
Use a standalone controller for this task.
SUMMARY STEPS
1. configure terminal
2. boot flash:/file-url
3. end
4. show boot
5. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal
Step 2
Command or Action: boot flash:/file-url
Purpose: Specifies the configuration file to load during the next boot cycle.
file-url: The path (directory) and the configuration filename.
Filenames and directory names are case-sensitive.
Example:
Switch(config)# boot flash:config.text
Step 3
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config)# end
Step 4
Command or Action: show boot
Purpose: Verifies your entries.
The boot global configuration command changes the setting of the CONFIG_FILE environment variable.
Example:
Switch# show boot
Step 5
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config
Booting the Controller in Installed Mode
SUMMARY STEPS
1. cp source_file_path destination_file_path
2.
3. reload
4. boot flash:packages.conf
5. show version
DETAILED STEPS
Step 1
Command or Action: cp source_file_path destination_file_path
Purpose: (Optional) Copies the bin file (image.bin) from the FTP or TFTP server to USB flash.
Example:
Switch# copy tftp://10.0.0.6/cat3k_caa-universalk9.SSA.03.12.02.EZP.150-12.02.EZP.150-12.02.EZP.bin flash:
cp tftp://10.0.0.6/ct5700-ipservicesk9.SSA.03.12.02.EZP.150-12.02.EZP.150-12.02.EZP.bin
Step 2
Purpose: Expands the bin file stored in flash, FTP, TFTP, HTTP, or HTTPS server on the booted controller.
Note: Ensure that the packages.conf file is available in the expanded list.
Example:
Expanding the bin file from the TFTP server:
Switch# request platform software package expand switch all file tftp://10.0.0.2/cat3k_caa-universalk9.SSA.03.09.37.EXP.150-9.37.EXP.bin to flash:
Preparing expand operation ...
[1]: Downloading file tftp://10.0.0.2/cat3k_caa-universalk9.SSA.03.09.37.EXP.150-9.37.EXP.bin to active switch 1
[1]: Finished downloading file tftp://10.0.0.2/cat3k_caa-universalk9.SSA.03.09.37.EXP.150-9.37.EXP.bin to active switch 1
[1]: Copying software from active switch 1 to switch 2
[1]: Finished copying software to switch 2
[1 2]: Expanding bundle cat3k_caa-universalk9.SSA.03.09.37.EXP.150-9.37.EXP.bin
[1 2]: Copying package files
[1 2]: Package files copied
[1 2]: Finished expanding bundle cat3k_caa-universalk9.SSA.03.09.37.EXP.150-9.37.EXP.bin
18 -rw-  74387812  Dec 7 2012 05:55:43 +00:00  cat3k_caa-base.SSA.03.09.37.EXP.pkg
19 -rw-   2738868  Dec 7 2012 05:55:44 +00:00  cat3k_caa-drivers.SSA.03.09.37.EXP.pkg
20 -rw-  32465772  Dec 7 2012 05:55:44 +00:00  cat3k_caa-infra.SSA.03.09.37.EXP.pkg
21 -rw-  30389036  Dec 7 2012 05:55:44 +00:00  cat3k_caa-iosd-universalk9.SSA.150-9.37.EXP.pkg
22 -rw-  18342624  Dec 7 2012 05:55:44 +00:00  cat3k_caa-platform.SSA.03.09.37.EXP.pkg
23 -rw-  63374028  Dec 7 2012 05:55:44 +00:00  cat3k_caa-wcm.SSA.10.0.10.14.pkg
17 -rw-      1239  Dec 7 2012 05:56:29 +00:00  packages.conf
Expanding the bin file from Flash:
Controller# software expand file flash:ct5700-ipservicesk9.SSA.03.09.26.EXP.150-9.26.EXP.bin
Controller# $flash:ct5700-ipservicesk9.SSA.03.09.26.EXP.150-9.26.EXP.bin
Preparing expand operation ...
[1]: Expanding bundle flash:ct5700-ipservicesk9.SSA.03.09.26.EXP.150-9.26.EXP.bin
[1]: Copying package files
[1]: Package files copied
[1]: Finished expanding bundle flash:ct5700-ipservicesk9.SSA.03.09.26.EXP.150-9.26.EXP.bin
138504 -rwx  237922344  Nov 29 2012 14:53:57 +00:00  ct5700-ipservicesk9.SSA.03.09.26.EXP.150-9.26.EXP.bin
154743 -rwx   78911772  Dec 3 2012 15:18:16 +00:00  ct5700-base.SSA.03.09.26.EXP.pkg
154744 -rwx    2269876  Dec 3 2012 15:18:20 +00:00  ct5700-drivers.SSA.03.09.26.EXP.pkg
154745 -rwx   29854608  Dec 3 2012 15:18:16 +00:00  ct5700-infra.SSA.03.09.26.EXP.pkg
154746 -rwx   43072360  Dec 3 2012 15:18:18 +00:00  ct5700-iosd-ipservicesk9.SSA.150-9.26.EXP.pkg
154747 -rwx   22020832  Dec 3 2012 15:18:17 +00:00  ct5700-platform.SSA.03.09.26.EXP.pkg
154742 -rwx       1207  Dec 3 2012 15:18:38 +00:00  packages.conf
154748 -rwx   61788880  Dec 3 2012 15:18:20 +00:00  ct5700-wcm.SSA.03.09.26.EXP.pkg
Step 3
Command or Action: reload
Purpose: Reloads the controller.
Note: You can boot the controller manually or automatically using the packages.conf file.
If you are booting manually, you can proceed to Step 4. Otherwise, the controller boots up
automatically.
Example:
Switch# reload
Step 4
Command or Action: boot flash:packages.conf
Purpose: Boots the controller with the packages.conf file.
Example:
Switch: boot flash:packages.conf
Step 5
Command or Action: show version
Purpose: Verifies that the controller is in the INSTALL mode.
Example:
switch# show version
Switch Ports Model            SW Version     SW Image              Mode
------ ----- -----            ----------     --------              ----
1      6     WS-C3850-6DS-S   03.09.26.EXP   ct3850-ipservicesk9   INSTALL
controller# show version
Switch Ports Model            SW Version     SW Image              Mode
------ ----- -----            ----------     --------              ----
1      6     WS-C5700-6DS-S   03.09.26.EXP   ct5700-k9             INSTALL
Booting the Controller in Bundle Mode
You can boot the controller in several ways: by copying the bin file from the TFTP server and then booting
the controller, or by booting the controller straight from flash or USB flash using the
commands boot flash:<image.bin> or boot usbflash0:<image.bin>.
The following procedure explains how to boot the controller from the TFTP server in the bundle mode.
SUMMARY STEPS
1. switch:BOOT=<source path of .bin file>
   controller:BOOT=<source path of .bin file>
2. boot
3. show version
DETAILED STEPS
Step 1
Command or Action:
switch:BOOT=<source path of .bin file>
controller:BOOT=<source path of .bin file>
Purpose: Sets the boot parameters.
Example:
switch:BOOT=tftp://10.0.0.2/cat3k_caa-universalk9.SSA.03.09.37.EXP.150-9.37.EXP.bin
controller:BOOT=tftp://10.0.0.2/ct5700-ipservicesk9.SSA.03.09.07.EMP.150-9.07.EMP.bin
Step 2
Command or Action: boot
Purpose: Boots the controller.
Example:
switch: boot
Step 3
Command or Action: show version
Purpose: Verifies that the controller is in the BUNDLE mode.
Example:
switch# show version
Switch Ports Model            SW Version     SW Image              Mode
------ ----- -----            ----------     --------              ----
1      6     WS-C3850-6DS-S   03.09.40.EXP   ct3850-ipservicesk9   BUNDLE
controller# show version
Switch Ports Model            SW Version     SW Image              Mode
------ ----- -----            ----------     --------              ----
1      6     WS-C5700-6DS-S   03.09.40.EXP   ct5700-k9             BUNDLE
Configuring a Scheduled Software Image Reload
This task describes how to configure your controller to reload the software image at a later time.
SUMMARY STEPS
1. configure terminal
2. copy running-config startup-config
3. reload in [hh:]mm [text]
4. reload slot [stack-member-number]
5. reload at hh:mm [month day | day month] [text]
6. reload cancel
7. show reload
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: copy running-config startup-config
Purpose: Saves your controller configuration information to the startup configuration before you use
the reload command.
Example:
copy running-config startup-config
Step 3
Command or Action: reload in [hh:]mm [text]
Purpose: Schedules a reload of the software to take effect in the specified minutes or hours and
minutes. The reload must take place within approximately 24 days. You can specify the reason for the
reload in a string up to 255 characters in length.
Example:
Controller(config)# reload in 12
System configuration has been modified. Save? [yes/no]: y
Step 4
Command or Action: reload slot [stack-member-number]
Purpose: Schedules a reload of the software in a switch stack.
Example:
Controller(config)# reload slot 6
Proceed with reload? [confirm] y
Step 5
Command or Action: reload at hh:mm [month day | day month] [text]
Purpose: Specifies the time in hours and minutes for the reload to occur.
Note: Use the at keyword only if the controller system clock has been set (through Network Time
Protocol (NTP), the hardware calendar, or manually). The time is relative to the configured
time zone on the controller. To schedule reloads across several controllers to occur
simultaneously, the time on each controller must be synchronized with NTP.
Example:
Controller(config)# reload at 14:00
Step 6
Command or Action: reload cancel
Purpose: Cancels a previously scheduled reload.
Example:
Controller(config)# reload cancel
Step 7
Command or Action: show reload
Purpose: Displays information about a previously scheduled reload or identifies if a reload has been
scheduled on the controller.
Example:
show reload
Monitoring Controller Setup Configuration
Example: Verifying the Controller Running Configuration
Controller# show running-config
Building configuration...
Current configuration: 1363 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Stack1
!
enable secret 5 $1$ej9.$DMUvAUnZOAmvmgqBEzIxE0
!
.
<output truncated>
.
interface gigabitethernet6/0/2
mvr type source
<output truncated>
...!
interface VLAN1
ip address 172.20.137.50 255.255.255.0
no ip directed-broadcast
!
ip default-gateway 172.20.137.1 !
!
snmp-server community private RW
snmp-server community public RO
snmp-server community private@es0 RW
snmp-server community public@es0 RO
snmp-server chassis-id 0x12
!
end
Examples: Displaying Software Bootup in Install Mode
This example displays software bootup in install mode:
switch: boot flash:packages.conf
Getting rest of image
Reading full image into memory....done
Reading full base package into memory...: done = 74596432
Nova Bundle Image
-------------------------------------
Kernel Address : 0x6042f354
Kernel Size : 0x318412/3245074
Initramfs Address : 0x60747768
Initramfs Size : 0xdc08e8/14420200
Compression Format: .mzip
Bootable image at @ ram:0x6042f354
Bootable image segment 0 address range [0x81100000, 0x81b80000] is in range [0x80180000,
0x90000000].
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
boot_system: 377
Loading Linux kernel with entry point 0x811060f0 ...
Bootloader: Done loading app on core_mask: 0xf
### Launching Linux Kernel (flags = 0x5)
All packages are Digitally Signed
Starting System Services
Nov 7 09:57:05 %IOSXE-1-PLATFORM: process stack-mgr: %STACKMGR-1-DISC_START: Switch 2 is
starting stack discovery
#######################################################################################################################
Nov 7 09:59:07 %IOSXE-1-PLATFORM: process stack-mgr: %STACKMGR-1-DISC_DONE: Switch 2 has
finished stack discovery
Nov 7 09:59:07 %IOSXE-1-PLATFORM: process stack-mgr: %STACKMGR-1-SWITCH_ADDED: Switch 2 has
been added to the stack
Nov 7 09:59:14 %IOSXE-1-PLATFORM: process stack-mgr: %STACKMGR-1-ACTIVE_ELECTED: Switch 2
has been elected ACTIVE
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M),
Version 03.09.12.EMD EARLY DEPLOYMENT ENGINEERING NOVA_WEEKLY BUILD, synced to
DSGS_PI2_POSTPC_FLO_DSBU7_NG3K_1105
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sun 04-Nov-12 22:53 by gereddy
License level to iosd is ipservices
This example displays software bootup in bundle mode:
switch: boot flash:cat3k_caa-universalk9.SSA.03.09.12.EMD.150-9.12.EMD.bin
Reading full image into memory..................................................................done
Nova Bundle Image
-------------------------------------
Kernel Address : 0x6042ff38
Kernel Size : 0x318412/3245074
Initramfs Address : 0x6074834c
Initramfs Size : 0xdc08e8/14420200
Compression Format: .mzip
Bootable image at @ ram:0x6042ff38
Bootable image segment 0 address range [0x81100000, 0x81b80000] is in range [0x80180000,
0x90000000].
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
File "flash:cat3k_caa-universalk9.SSA.03.09.12.EMD.150-9.12.EMD.bin" uncompressed and
installed, entry point: 0x811060f0
Loading Linux kernel with entry point 0x811060f0 ...
Bootloader: Done loading app on core_mask: 0xf
### Launching Linux Kernel (flags = 0x5)
All packages are Digitally Signed
Starting System Services
Nov 7 09:45:49 %IOSXE-1-PLATFORM: process stack-mgr: %STACKMGR-1-DISC_START: Switch 2 is
starting stack discovery
#######################################################################################################################
Nov 7 09:47:50 %IOSXE-1-PLATFORM: process stack-mgr: %STACKMGR-1-DISC_DONE: Switch 2 has
finished stack discovery
Nov 7 09:47:50 %IOSXE-1-PLATFORM: process stack-mgr: %STACKMGR-1-SWITCH_ADDED: Switch 2 has
been added to the stack
Nov 7 09:47:58 %IOSXE-1-PLATFORM: process stack-mgr: %STACKMGR-1-ACTIVE_ELECTED: Switch 2
has been elected ACTIVE
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M),
Version 03.09.12.EMD
EARLY DEPLOYMENT ENGINEERING NOVA_WEEKLY BUILD, synced to DSGS_PI2_POSTPC_FLO_DSBU7_NG3K_1105
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sun 04-Nov-12 22:53 by gereddy
License level to iosd is ipservices
Related Topics
Software Boot Modes
Installed Boot Mode
Bundle Boot Mode
Example: Emergency Installation
This sample output is an example when the emergency-install boot command is initiated:
switch: emergency-install
tftp://192.0.2.47/cat3k/cat3k_caa-universalk9.SSA.03.09.12.EMD.150-9.12.EMD.bin
The bootflash will be erased during install operation, continue (y/n)?y
Starting emergency recovery
(tftp://192.0.2.47/cat3k/cat3k_caa-universalk9.SSA.03.09.12.EMD.150-9.12.EMD.bin)...
Reading full image into memory......................done
Nova Bundle Image
-------------------------------------
Kernel Address : 0x6042e5cc
Kernel Size : 0x318261/3244641
Initramfs Address : 0x60746830
Initramfs Size : 0xdb0fb9/14356409
Compression Format: .mzip
Bootable image at @ ram:0x6042e5cc
Bootable image segment 0 address range [0x81100000, 0x81b80000] is in range [0x80180000,
0x90000000].
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
File "sda9:c3850-recovery.bin" uncompressed and installed, entry point: 0x811060f0
Loading Linux kernel with entry point 0x811060f0 ...
Bootloader: Done loading app on core_mask: 0xf
### Launching Linux Kernel (flags = 0x5)
Initiating Emergency Installation of bundle
tftp://172.19.211.47/cstohs/cat3k_caa-universalk9.SSA.03.09.12.EMD.150-9.12.EMD.bin
Downloading bundle
tftp://192.0.2.47/cat3k/cat3k_caa-universalk9.SSA.03.09.12.EMD.150-9.12.EMD.bin...
Validating bundle
tftp://192.0.2.47/cat3k/cat3k_caa-universalk9.SSA.03.09.12.EMD.150-9.12.EMD.bin...
Installing bundle
tftp://192.0.2.47/cat3k/cat3k_caa-universalk9.SSA.03.09.12.EMD.150-9.12.EMD.bin...
Verifying bundle
tftp://192.0.2.47/cat3k/cat3k_caa-universalk9.SSA.03.09.12.EMD.150-9.12.EMD.bin...
Package cat3k_caa-base.SSA.03.09.12.EMD.pkg is Digitally Signed
Package cat3k_caa-drivers.SSA.03.09.12.EMD.pkg is Digitally Signed
Package cat3k_caa-infra.SSA.03.09.12.EMD.pkg is Digitally Signed
Package cat3k_caa-iosd-universalk9.SSA.150-9.12.EMD.pkg is Digitally Signed
Package cat3k_caa-platform.SSA.03.09.12.EMD.pkg is Digitally Signed
Package cat3k_caa-wcm.SSA.03.09.12.EMD.pkg is Digitally Signed
Preparing flash...
Syncing device...
Emergency Install successful... Rebooting
Restarting system.
Booting...(use DDR clock 667 MHz)Initializing and Testing RAM +++@@@@####...++@@++@@++@@++@
switch: emergency-install tftp://172.20.249.254/katana/ct5760.renum.bin
The bootflash will be erased during install operation, continue (y/n)?y
Starting emergency recovery (tftp://172.20.249.254/katana/ct5760.renum.bin)...
Loading "sda9:ct5760-recovery.bin"...
Reading full image into memory....................done
Verifying image digital signature.
Nova Bundle Image
-------------------------------------
Kernel Address    : 0x8b35b598
Kernel Size       : 0x367550/3568976
Initramfs Address : 0x8b6c2ae8
Initramfs Size    : 0xbfe484/12575876
Compression Format: unknown
File "sda9:ct5760-recovery.bin" uncompressed and installed, entry point: 0x8b35b598
Image validated
Initiating Emergency Installation of bundle tftp://172.20.249.254/katana/ct5760.renum.bin
Downloading bundle tftp://172.20.249.254/katana/ct5760.renum.bin...
Validating bundle tftp://172.20.249.254/katana/ct5760.renum.bin...
Installing bundle tftp://172.20.249.254/katana/ct5760.renum.bin...
Verifying bundle tftp://172.20.249.254/katana/ct5760.renum.bin...
Package ct5760-base.SPA.03.02.00.pkg is Digitally Signed
Package ct5760-drivers.SPA.03.02.00.SE.pkg is Digitally Signed
Package ct5760-infra.SPA.03.02.00.pkg is Digitally Signed
Package ct5760-iosd-ipservicesk9.SPA.150-1.EX.pkg is Digitally Signed
Package ct5760-platform.SPA.03.02.00.SE.pkg is Digitally Signed
Package ct5760-wcm.SPA.10.0.10.48.pkg is Digitally Signed
Preparing flash...
Syncing device...
Emergency Install successful... Rebooting
Restarting system.
Xmodem file system is available.
Base ethernet MAC Address: 20:37:06:4d:64:00
Verifying bootloader digital signature.
The system is not configured to boot automatically. The
following command will finish loading the operating system
software:
boot
Related Topics
Software Boot Modes
Installed Boot Mode
Bundle Boot Mode
Configuration Examples for Performing Controller Setup
Example: Configuring a Controller to Download Configurations from a DHCP Server
This example uses a Layer 3 SVI interface on VLAN 99 to enable DHCP-based autoconfiguration with a
saved configuration:
Controller# configure terminal
Controller(config)# boot host dhcp
Controller(config)# boot host retry timeout 300
Controller(config)# banner config-save ^C Caution - Saving Configuration File to NVRAM May Cause You to No longer Automatically Download Configuration Files at Reboot^C
Controller(config)# vlan 99
Controller(config-vlan)# interface vlan 99
Controller(config-if)# no shutdown
Controller(config-if)# end
Controller# show boot
BOOT path-list:
Config file:         flash:/config.text
Private Config file: flash:/private-config.text
Enable Break:        no
Manual Boot:         no
HELPER path-list:
NVRAM/Config file
      buffer size:   32768
Timeout for Config
          Download:  300 seconds
Config Download
       via DHCP:     enabled (next boot: enabled)
Controller#
Examples: Scheduling Software Image Reload
This example shows how to reload the software on the controller on the current day at 7:30 p.m.:
Controller# reload at 19:30
Reload scheduled for 19:30:00 UTC Wed Jun 5 2013 (in 2 hours and 25 minutes)
Proceed with reload? [confirm]
This example shows how to reload the software on the controller at a future time:
Controller# reload at 02:00 jun 20
Reload scheduled for 02:00:00 UTC Thu Jun 20 2013 (in 344 hours and 53 minutes)
Proceed with reload? [confirm]
Additional References For Performing Controller Setup
Related Documents
Related Topic                                    Document Title
Controller setup commands                        System Management Command Reference (Catalyst 3850 Switches)
Boot loader commands                             System Management Command Reference (Cisco WLC 5700 Series)
                                                 System Management Command Reference (Catalyst 3650 Switches)
Pre-download feature                             System Management Configuration Guide (Cisco WLC 5700 Series)
IOS XE DHCP configuration                        IP Addressing Configuration Guide Library, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
                                                 IP Addressing Configuration Guide Library, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Hardware installation                            Catalyst 3850 Switch Hardware Installation Guide
                                                 Catalyst 3650 Switch Hardware Installation Guide
Platform-independent command references          Configuration Fundamentals Command Reference, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
                                                 Configuration Fundamentals Command Reference, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Platform-independent configuration information   Configuration Fundamentals Configuration Guide, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
                                                 Configuration Fundamentals Configuration Guide, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Standards and RFCs
Standard/RFC    Title
None            —
MIBs
MIB                                     MIBs Link
All supported MIBs for this release.    To locate and download MIBs for selected platforms, Cisco IOS releases,
                                        and feature sets, use Cisco MIB Locator found at the following URL:
                                        http://www.cisco.com/go/mibs
Technical Assistance
Description                                                                     Link
The Cisco Support website provides extensive online resources, including        http://www.cisco.com/support
documentation and tools for troubleshooting and resolving technical issues
with Cisco products and technologies.
To receive security and technical information about your products, you can
subscribe to various services, such as the Product Alert Tool (accessed from
Field Notices), the Cisco Technical Services Newsletter, and Really Simple
Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user
ID and password.
Additional References For Performing Controller Setup
Related Documents
Related Topic                                    Document Title
Controller setup commands                        System Management Command Reference (Catalyst 3650 Switches)
Boot loader commands                             System Management Command Reference (Cisco WLC 5700 Series)
Pre-download feature                             System Management Configuration Guide (Cisco WLC 5700 Series)
IOS XE DHCP configuration                        IP Addressing Configuration Guide Library, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Hardware installation                            Catalyst 3650 Switch Hardware Installation Guide
Platform-independent command references          Configuration Fundamentals Command Reference, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Platform-independent configuration information   Configuration Fundamentals Configuration Guide, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
                                                 IP Addressing Configuration Guide Library, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Feature History and Information For Performing Controller Setup Configuration
Command History
Release               Modification
Cisco IOS XE 3.2SE    This feature was introduced.
Cisco IOS XE 3.3SE
Cisco IOS XE 3.3SE
CHAPTER 5
Configuring Right-To-Use Licenses
• Finding Feature Information
• Restrictions for Right-To-Use AP-Count Licenses
• Information About Configuring RTU Licenses
• How to Configure RTU Licenses
• Monitoring and Maintaining RTU Licenses
• Examples: RTU Licenses Configuration
• Additional References for RTU Licensing
• Feature History and Information for RTU Licensing
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Restrictions for Right-To-Use AP-Count Licenses
Keep the following restrictions in mind when using licenses for the Cisco 5700 Series Wireless
Controller:
• The license you have purchased is applicable only for the Cisco 5700 Series Wireless Controller. You
cannot use the same license for the earlier version of the Cisco 5700 Series Wireless Controllers.
• The CLI commands that you run for the Cisco 5700 Series Wireless Controller are applicable only for
these controllers. You cannot run these commands for the earlier version of the controllers.
Information About Configuring RTU Licenses
Right-To-Use AP-Count Licensing
Right-to-use licensing (RTU) allows you to order and activate a specific license type, and then to manage
license usage on your controller.
You can order your controller with support for a specific number of adder access point count licenses, but the
total number of licenses ordered should not exceed 25, 50, or 1000. You can also order your adder access point
count licenses after receiving the controller.
For example, if you have ordered 25, 50, or 700 new adder licenses, you can add only those ordered adder licenses
to the controller. The licenses can be added in increments of 1, but the total number of licenses added for the
controller should not exceed 25, 50, or 1000.
You can configure the controller to manage the access point count licenses from the CLI and view the number
of access points currently in use from both the CLI and GUI.
You can configure your switch to manage the access point count licenses and view the number of access
points currently in use from the CLI.
The following are two different types of access point licenses:
1. Permanent licenses for the access points
• Adder access point count license—You can purchase the adder license to increase the controller
capacity at a later time. You can transfer the adder access point count license from one controller to
another.
2. Evaluation licenses for the access points
• You can activate these licenses to evaluate more access points before purchasing the licenses.
• The maximum number of access points that can be evaluated is 25, 50, or 1000.
• The evaluation period for using the access point licenses is 90 days.
• You can activate and deactivate the evaluation licenses from the CLI.
Right-to-Use AP-Count Evaluation Licenses
If you are considering upgrading to a license with a higher access point count, you can try an evaluation license
before upgrading to a permanent version of the license. For example, if you are using a permanent license
with a 50-access-point count and want to try an evaluation license with a 100-access-point count, you can try
out the evaluation license for 90 days.
When an evaluation license is activated, the permanent AP-count licenses are ignored. The maximum supported
licenses of 1000 access points are available for 90 days.
To prevent disruptions in operation, the controller does not change licenses when an evaluation license expires.
A warning expiry message is displayed daily starting five days prior to the expiry date. After 90 days, the
evaluation license expires with a warning message. You must disable the evaluation license and then purchase
the permanent license.
When the controller reboots after the evaluation license expiry, the license defaults to a permanent license.
Right-To-Use Adder AP-Count Rehosting Licenses
Revoking a license from one device and installing it on another is called rehosting. You might want to rehost
a license to change the purpose of a device. For example, if you want to move your Office Extend or indoor
access points to a different controller, you could transfer the adder ap-count license from one controller to
another.
To rehost a license, you must deactivate the adder ap-count license from one device and activate the same
license on another device.
Evaluation licenses cannot be rehosted.
How to Configure RTU Licenses
Activating an AP-Count Evaluation License (CLI)
When an evaluation license is activated, the maximum supported ap-count licenses are made available. A
maximum of 1000 access points can be evaluated for 90 days by enabling the evaluation ap-count licenses.
SUMMARY STEPS
1. license right-to-use activate ap-count evaluation
2. show license right-to-use summary
DETAILED STEPS
Step 1
Command or Action: license right-to-use activate ap-count evaluation
Example:
Controller# license right-to-use activate ap-count evaluation
Purpose: Enables the ap-count evaluation licenses on the controller. By default during activation, the EULA gets
displayed. If the acceptEULA is passed, the EULA content is not displayed, and you can activate the evaluation
license. This option is useful for automation and scripting.
Step 2
Command or Action: show license right-to-use summary
Example:
Controller# show license right-to-use summary
Purpose: Verifies that the evaluation license is activated on the controller.
Activating an AP-Count Permanent License
You can deactivate an evaluation ap-count license and activate the permanent ap-count license on the controller.
After activating an ap-count permanent or adder license, if the show license right-to-use summary command
still shows evaluation ap-count licenses, then you must deactivate the previously used evaluation license that
was not deactivated earlier. Deactivate the evaluation license to enable permanent or adder ap-count licenses.
SUMMARY STEPS
1. license right-to-use deactivate ap-count evaluation
2. show license right-to-use summary
DETAILED STEPS
Step 1
Command or Action: license right-to-use deactivate ap-count evaluation
Example:
Controller# license right-to-use deactivate ap-count evaluation
Purpose: Deactivates particular evaluation license level and activates the permanent ap-count licenses on the
controller.
Step 2
Command or Action: show license right-to-use summary
Example:
Controller# show license right-to-use summary
Purpose: Verifies the number of permanent ap-count licenses activated on the controller.
Obtaining an Upgrade or Capacity Adder License
You can use the capacity adder licenses to increase the number of access points supported by the controller.
SUMMARY STEPS
1. license right-to-use activate ap-count ap-number slot 1
2. show license right-to-use summary
DETAILED STEPS
Step 1
Command or Action: license right-to-use activate ap-count ap-number slot 1
Example:
Controller# license right-to-use activate ap-count 500 slot 1
Purpose: Obtains an upgrade or increases the license capacity by adding new adder licenses.
Step 2
Command or Action: show license right-to-use summary
Example:
Controller# show license right-to-use summary
Purpose: Verifies the number of permanent ap-count licenses activated on the controller.
Transferring Licenses to a Replacement Controller after an RMA
The replacement controller comes with the same permanent ap-count licenses.
SUMMARY STEPS
1. license right-to-use deactivate ap-count count slot 1 acceptEULA
2. license right-to-use activate ap-count count slot 1 acceptEULA
3. show license right-to-use summary
DETAILED STEPS
Step 1
Command or Action: license right-to-use deactivate ap-count count slot 1 acceptEULA
Example:
Controller# license right-to-use deactivate ap-count 55 slot 1 acceptEULA
Purpose: Deactivates the permanent ap-count licenses on the earlier controller that is to be replaced.
Step 2
Command or Action: license right-to-use activate ap-count count slot 1 acceptEULA
Example:
Controller# license right-to-use activate ap-count 55 slot 1 acceptEULA
Purpose: Activates the same permanent ap-count licenses on the replacement controller.
Step 3
Command or Action: show license right-to-use summary
Example:
Controller# show license right-to-use summary
Purpose: Verifies the number of ap-count licenses activated on the replacement controller.
Configuring Right-To-Use Licenses (GUI)
Step 1  Choose Administration > Software Activation > Licenses to open the Licenses page.
Step 2  In the License Activation area, choose Activate or Deactivate from the License drop box and enter the number of adder
licenses you want to activate or deactivate in the License Adder of AP-Count (1 to 1000) text box.
Step 3  Click Apply and Save Configuration.
Monitoring and Maintaining RTU Licenses
Viewing Right-To-Use AP-Count Licenses (GUI)
You can view the details of access point licenses installed on the controller using the Licenses and License
Usage pages from the controller GUI.
Step 1  Choose Administration > Software Activation > Licenses.
The Licenses page appears.
This page lists all of the access point licenses installed on the controller. You can view the following details for the license:
• License name
• License type (adder, permanent, or evaluation)
• Count (the maximum number of access points allowed for this license)
• Period left for the license
In addition, you can view the following details of the AP-Count licenses:
• Whether the ap-count license is enabled or not
• The maximum number of access points allowed for this license
• The number of access points currently using this license
• The remaining ap-count licenses
Step 2  Choose Administration > Software Activation > License Usage.
The License Usage page appears.
In the License Usage page, you can view the consolidated list of all of the licenses based on their usage duration, use of
the license, and the end-user license agreement (EULA) acceptance state.
Step 3  Choose Administration > Software Activation > Eula > Adder, Evaluation, or Permanent.
The Eula page for the selected license appears.
You can read the terms and the conditions for the Adder, Evaluation, or Permanent license.
Viewing Right-To-Use AP-Count Licenses (CLI)
You can view the detailed information of ap-count licenses installed on the controller using the show license
right-to-use commands from the controller CLI.
SUMMARY STEPS
1. show license right-to-use detail
2. show license right-to-use detail | output modifiers
3. show license right-to-use eula
4. show license right-to-use
5. show license right-to-use usage
6. show license right-to-use | output modifiers
7. show license right-to-use summary
DETAILED STEPS
Step 1
Command or Action: show license right-to-use detail
Example:
Controller# show license right-to-use detail
Purpose: Displays details of all of the licenses installed on the stack 1.
Step 2
Command or Action: show license right-to-use detail | output modifiers
Purpose: Displays the details of licenses based on the filtered search using output modifiers such as append,
begin, count, exclude, format, include, redirect, section, and tee.
Example:
Controller# show license right-to-use detail | append <url>
Appends the redirected license information output to URL. The URLs supporting append operation are crash
information, flash, FTP, HTTP, HTTPS, NVRAM, RCP, SCP, TFTP, UNIX, and USB flash0.
Example:
Controller# show license right-to-use detail | begin apcount
Displays the license information that begins with the lines which match the regular expression.
Example:
Controller# show license right-to-use detail | count ap
Displays the number of lines that match the regular expression.
Example:
Controller# show license right-to-use detail | exclude ap
Displays the details of license information that excludes lines which match the regular expression.
Example:
Controller# show license right-to-use detail | format <spec file location>
Displays the details of license information based on the format specified in the spec file.
Example:
Controller# show license right-to-use detail | include apcount
Displays the lines that match the regular expression.
Example:
Controller# show license right-to-use detail | redirect <url>
Redirects the license information output to URL. The URLs that support the redirect operation are crash
information, flash, FTP, HTTP, HTTPS, NVRAM, RCP, SCP, TFTP, UNIX, and USB flash0.
Example:
Controller# show license right-to-use detail | section include apcount
Controller# show license right-to-use detail | section exclude apcount
Controller# show license right-to-use detail | section license
Filters the section of the license information output based on the include, exclude, or other regular
expression options specified.
Example:
Controller# show license right-to-use detail | tee <url>
Copies the license information output to URL. The URLs that support the copy operation are crash information,
flash, FTP, HTTP, HTTPS, NVRAM, RCP, SCP, TFTP, UNIX, and USB flash0.
Step 3
Command or Action: show license right-to-use eula
Example:
Controller# show license right-to-use eula adder
Controller# show license right-to-use eula evaluation
Controller# show license right-to-use eula permanent
Purpose: Displays the EULA content for the adder, evaluation, and permanent AP-count licenses.
Step 4
Command or Action: show license right-to-use
Example:
Controller# show license right-to-use
Purpose: Displays the licenses that got activated with EULA.
Step 5
Command or Action: show license right-to-use usage
Example:
Controller# show license right-to-use usage
Purpose: Displays the usage details of all licenses.
Step 6
Command or Action: show license right-to-use | output modifiers
Example:
Controller# show license right-to-use | append
Purpose: Displays the details of licenses based on the filtered search using output modifiers such as append,
begin, count, exclude, format, include, redirect, section, and tee.
Step 7
Command or Action: show license right-to-use summary
Example:
Controller# show license right-to-use summary
Purpose: Displays the summary of licenses that are currently in use.
Examples: RTU Licenses Configuration
This example shows how to activate an ap-count evaluation license:
Controller# license right-to-use activate ap-count evaluation
Controller# show license right-to-use summary
This example shows how to activate an ap-count permanent license:
Controller# license right-to-use deactivate ap-count evaluation
Controller# show license right-to-use summary
This example shows how to obtain an upgrade or adder license:
Controller# license right-to-use activate ap-count 700 slot 1
Controller# show license right-to-use summary
This example shows how to transfer licenses to a replacement controller after an RMA. Deactivate the licenses
from the controller to be replaced and activate or add the same number of licenses in the replacement controller:
Controller# license right-to-use deactivate ap-count 250 slot 1
Controller# license right-to-use activate ap-count 250 slot 1
Controller# show license right-to-use summary
Additional References for RTU Licensing
Related Documents
Related Topic                                    Document Title
For complete syntax and usage information for    System Management Command Reference (Catalyst 3850 Switches)
the commands used in this chapter.               System Management Command Reference (Cisco WLC 5700 Series)
                                                 System Management Command Reference (Catalyst 3650 Switches)
RTU AP image preload feature                     System Management Configuration Guide (Cisco WLC 5700 Series)
Standards and RFCs
Standard/RFC    Title
None            —
MIBs
MIB                                     MIBs Link
All supported MIBs for this release.    To locate and download MIBs for selected platforms, Cisco IOS releases,
                                        and feature sets, use Cisco MIB Locator found at the following URL:
                                        http://www.cisco.com/go/mibs
Technical Assistance
Description                                                                     Link
The Cisco Support website provides extensive online resources, including        http://www.cisco.com/support
documentation and tools for troubleshooting and resolving technical issues
with Cisco products and technologies.
To receive security and technical information about your products, you can
subscribe to various services, such as the Product Alert Tool (accessed from
Field Notices), the Cisco Technical Services Newsletter, and Really Simple
Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user
ID and password.
Feature History and Information for RTU Licensing
Release               Feature Information
Cisco IOS XE 3.2SE    This feature was introduced.
Cisco IOS XE 3.3SE
CHAPTER 6
Configuring Administrator Usernames and Passwords
• Finding Feature Information
• Information About Configuring Administrator Usernames and Passwords
• Configuring Administrator Usernames and Passwords
• Examples: Administrator Usernames and Passwords Configuration
• Additional References for Administrator Usernames and Passwords
• Feature History and Information For Performing Administrator Usernames and Passwords Configuration
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Information About Configuring Administrator Usernames and Passwords
You can configure administrator usernames and passwords to prevent unauthorized users from reconfiguring
the controller and viewing configuration information. This section provides instructions for initial configuration
and for password recovery.
You can also set administrator usernames and passwords to manage and configure one or more access points
that are associated with the controller.
Strong Passwords
You can set strong administrator passwords such as encrypted passwords with ASCII keys for the administrator
user for managing access points.
Use the following guidelines while creating strong passwords:
• The password should contain characters from at least three of the following categories: lowercase letters,
uppercase letters, digits, and special characters.
Note: Special characters are not supported for username and password for GUI login.
• The new password should not be the same as the associated username, and should not be the username
reversed.
• The characters in the password should not be repeated more than three times consecutively.
• The password should not be cisco, ocsic, admin, nimda, or any variant obtained by changing the
capitalization of letters therein, or by substituting "1", "|", or "!" for i, and/or substituting "0" for "o", and/or
substituting "$" for "s".
• The maximum number of characters accepted for the username and password is 32.
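The guidelines above can be checked offline before a credential is pushed to the controller. The following Python sketch is an added example, not Cisco code and not the controller's own enforcement logic; the function names, rule identifiers, case-insensitive username comparison, and sample pairs are assumptions made here.

```python
import re
import string

MAX_LEN = 32  # maximum username/password length stated in the guidelines
FORBIDDEN_WORDS = ("cisco", "ocsic", "admin", "nimda")
# Substitutions named in the guidelines: "1", "|" or "!" for i, "0" for o, "$" for s.
SUBSTITUTIONS = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"})
FOUR_IN_A_ROW = re.compile(r"(.)\1{3}")  # same character four or more times running


def normalize(text):
    """Map a capitalization/substitution variant back to its base word."""
    return text.lower().translate(SUBSTITUTIONS)


def categories(text):
    """Return which of the four character categories the text uses."""
    found = set()
    for ch in text:
        if ch in string.ascii_lowercase:
            found.add("lowercase")
        elif ch in string.ascii_uppercase:
            found.add("uppercase")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("special")
    return found


def check_password(username, password, gui_login=False):
    """Return the rule identifiers this pair violates (empty list = compliant)."""
    problems = []
    if len(username) > MAX_LEN or len(password) > MAX_LEN:
        problems.append("too-long")
    if len(categories(password)) < 3:
        problems.append("too-few-categories")
    # Assumption: the comparison with the username ignores case.
    if password.lower() in (username.lower(), username.lower()[::-1]):
        problems.append("matches-username")
    if FOUR_IN_A_ROW.search(password):
        problems.append("repeated-character")
    if normalize(password) in FORBIDDEN_WORDS:
        problems.append("forbidden-word")
    # Guideline note: special characters are not supported for GUI login.
    if gui_login and "special" in (categories(password) | categories(username)):
        problems.append("special-character-with-gui")
    return problems


# Constructed sample pairs (username, password) for illustration only.
SAMPLES = [
    ("adminuser1", "QZsek239@"),   # the example password used in this chapter
    ("admin", "C!sc0"),            # substitution variant of "cisco"
    ("netops", "spoten"),          # username reversed, one category only
    ("wlcadmin", "Passss1word"),   # "s" repeated four times consecutively
]

if __name__ == "__main__":
    for user, pw in SAMPLES:
        result = check_password(user, pw)
        print(f"{user!r:14} {pw!r:16} -> {result or 'compliant'}")
```

Passing gui_login=True applies the note about GUI login, so a password that is compliant for CLI use can still be flagged for accounts that log in through the web GUI.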
Encrypted Passwords
You can set three types of keys for the password:
• Randomly generated key—This key is generated randomly and it is the most secure option. To export
the configuration file from one system to another, the key should also be exported.
• Static key—The simplest option is to use a fixed (static) encryption key. By using a fixed key, no key
management is required, but if the key is somehow discovered, the data can be decrypted by anyone with
the knowledge of that key. This is not a secure option and it is called obfuscation in the CLI.
• User defined key—You can define the key by yourself. To export the configuration file from one system
to another, both systems should have the same key configured.
Note: When you configure the ap mgmtuser username and ap dot1x username commands, the system encrypts
the password automatically when password encryption aes is enabled and the encryption key is configured
with the key config-key password-encrypt command. If an already-encrypted password is entered (that is,
type 8), then it must be one that has been encrypted with the currently stored key. If the key of the encrypted
password does not match the currently stored key, the encrypted password is rejected. In such a case, you can
enter the password in plain text (that is, type 0) and allow the system to encrypt it automatically.
Configuring Administrator Usernames and Passwords
SUMMARY STEPS
1. configure terminal
2. wireless security strong-password
3. username admin-username password {0 unencrypted_password | 7 hidden_password | unencrypted_text}
4. username admin-username secret {0 unencrypted_secret_text | 4 SHA256 encrypted_secret_text | 5 MD5 encrypted_secret_text | LINE}
Consolidated Platform Configuration Guide, Cisco IOS XE Release 3E (Cisco 5700 Series WLC)
98
OL-32363-01
System Management
Configuring Administrator Usernames and Passwords
5. ap mgmtuser username username password {0 unencrypted password | 8 AES encrypted password
}secret {0 unencrypted password | 8 AES encrypted password }
6. ap dot1x username username password {0 unencrypted password | 8 AES encrypted password }
7. end
8. ap name apname mgmtuser username usernamepassword password secret secret _text
9. ap name apname dot1x-user username password password
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: wireless security strong-password
Purpose: Enables strong password policy for the administrator user.
Example:
Controller(config)# wireless security strong-password
Step 3
Command or Action: username admin-username password {0 unencrypted_password | 7 hidden_password | unencrypted_text}
Purpose: Specifies a username and password for an administrator. The administrator can configure the controller and view the configured information.
Example:
Controller(config)# username adminuser1 password 0 QZsek239@
Step 4
Command or Action: username admin-username secret {0 unencrypted_secret_text | 4 SHA256 encrypted_secret_text | 5 MD5 encrypted_secret_text | LINE}
Purpose: Specifies the secret for the administrator.
Example:
Controller(config)# username adminuser1 secret 0 QZsek239@
Step 5
Command or Action: ap mgmtuser username username password {0 unencrypted password | 8 AES encrypted password} secret {0 unencrypted password | 8 AES encrypted password}
Purpose: Specifies administrator username and password for managing all of the access points configured to the controller. You can also include the secret text to perform privileged access point management.
Example:
Controller(config)# ap mgmtuser username cisco password 0 Qwci12@ secret 0 Qwci14@!
Note
If your password is not strong enough to fulfill the strong password policy, then the password is rejected with a valid error message. For example, the following password is rejected because it is not a strong password.
Controller# ap mgmtuser username cisco password 0 abcd secret 0 1234
Step 6
Command or Action: ap dot1x username username password {0 unencrypted password | 8 AES encrypted password}
Purpose: Specifies the 802.1X username and password for managing all of the access points configured to the controller.
Example:
Controller(config)# ap dot1x username cisco password 0 Qwci12@
Step 7
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Step 8
Command or Action: ap name apname mgmtuser username username password password secret secret_text
Purpose: Configures the administrator username, password, and secret text for managing a specific access point that is configured to the controller.
Example:
Controller# ap name APf0f7.55c7.7b23 mgmtuser username cisco password Qne35! secret Nzep592$
Step 9
Command or Action: ap name apname dot1x-user username password password
Purpose: Configures the 802.1X username and password for a specific access point.
Example:
Controller# ap name APf0f7.55c7.7b23 dot1x-user username cisco password Qne35!
Examples: Administrator Usernames and Passwords Configuration
This example shows how to configure administrator usernames and passwords with the strong password policy
in configuration mode:
Controller# configure terminal
Controller(config)# wireless security strong-password
Controller(config)# username adminuser1 password 0 QZsek239@
Controller(config)# ap mgmtuser username cisco password 0 Qwci12@ secret 0 Qwci14@!
Controller(config)# ap dot1x username cisco password 0 Qwci12@
Controller# end
This example shows how to configure administrator usernames and passwords for an access point in global
EXEC mode:
Controller# wireless security strong-password
Controller# ap name APf0f7.55c7.7b23 mgmtuser username cisco password Qwci12@ secret Qwci14@
Controller# ap name APf0f7.55c7.7b23 dot1x-user username cisco password Qwci12@
Controller# end
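A saved configuration can be reviewed for how each credential from the steps above is stored. The following Python code is an added example, not Cisco code; the sample configuration is constructed, and the choice to flag type 0 and type 7 entries is this example's assumption, not a rule stated in the guide.

```python
import re

# Type digits as this guide lists them: 0 and 7 for "password", 0, 4 and 5
# for "secret", 0 and 8 for access point credentials.
TYPE_LABELS = {
    "0": "unencrypted",
    "4": "SHA256",
    "5": "MD5",
    "7": "hidden",
    "8": "AES encrypted",
}
# Assumption (this example's choice, not a rule from the guide): type 0 is
# flagged because the value is readable in the file, and type 7 because it
# is a reversible encoding rather than a hash.
FLAGGED_TYPES = {"0", "7"}

CREDENTIAL_LINE = re.compile(
    r"^(username|ap\s+mgmtuser\s+username|ap\s+dot1x\s+username)\s+(\S+)\s+(.*)$"
)
FIELD = re.compile(r"(?:^|\s)(password|secret)\s+(?:([04578])\s+)?(\S+)")

# Constructed sample; the CONSTRUCTED_* tokens stand in for stored values.
SAMPLE_CONFIG = """\
wireless security strong-password
username adminuser1 password 0 QZsek239@
username adminuser2 secret 5 CONSTRUCTED_MD5_VALUE
username oldadmin password 7 CONSTRUCTED_TYPE7_VALUE
ap mgmtuser username cisco password 8 CONSTRUCTED_AES_VALUE secret 0 Qwci14@!
ap dot1x username cisco password 0 Qwci12@
"""


def audit_config(text):
    """Classify stored credentials by type digit without returning their values."""
    policy = False
    credentials = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "wireless security strong-password":
            policy = True
            continue
        match = CREDENTIAL_LINE.match(line)
        if not match:
            continue
        scope = " ".join(match.group(1).split())
        for field in FIELD.finditer(match.group(3)):
            # No digit means the value was entered as plain text (the
            # unencrypted_text / LINE form of the command).
            type_digit = field.group(2) or "0"
            credentials.append({
                "line": number,
                "scope": scope,
                "user": match.group(2),
                "field": field.group(1),
                "type": type_digit,
                "label": TYPE_LABELS[type_digit],
                "flagged": type_digit in FLAGGED_TYPES,
            })
    return {"strong_password_policy": policy, "credentials": credentials}


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    print("strong-password policy:", report["strong_password_policy"])
    for cred in report["credentials"]:
        mark = "REVIEW" if cred["flagged"] else "ok"
        print(cred["line"], cred["scope"], cred["user"], cred["field"],
              cred["label"], mark)
```

The report carries line numbers, usernames and type labels only, so it can be shared without exposing the stored values.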
Additional References for Administrator Usernames and Passwords
Related Documents
Related Topic: System management commands
Document Title: System Management Command Reference Guide (Cisco IOS XE Release 3SE (Cisco WLC 5700 Series))
Standards and RFCs
Standard/RFC: None
Title: —
MIBs
MIB: All the supported MIBs for this release.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Technical Assistance
Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support
Feature History and Information For Performing Administrator Usernames and Passwords Configuration
Release: Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE
Feature Information: This feature was introduced.
CHAPTER 7
802.11 parameters and Band Selection
• Finding Feature Information
• Restrictions on Band Selection, 802.11 Bands, and Parameters
• Information About Configuring Band Selection, 802.11 Bands, and Parameters
• How to Configure 802.11 Bands and Parameters
• Monitoring Configuration Settings for Band Selection, 802.11 Bands, and Parameters
• Configuration Examples for Band Selection, 802.11 Bands, and Parameters
• Additional References for 802.11 Parameters and Band Selection
• Feature History and Information For Performing 802.11 parameters and Band Selection Configuration
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Restrictions on Band Selection, 802.11 Bands, and Parameters
• Band selection-enabled WLANs do not support time-sensitive applications such as voice and video
because of roaming delays.
• Band selection can be used only with Cisco Aironet 1140, 1250, 1260, 1550, 1600, 1800, 2600, 2800,
3500, 3600, 3800 Series access points.
• Mid-RSSI is not supported on Cisco Aironet 1600 Series access points.
• Band selection is not supported in Cisco Aironet 1040, OEAP 600 Series access points.
• Band selection operates only on access points that are connected to a controller. A FlexConnect access
point without a controller connection does not perform band selection after a reboot.
• The band-selection algorithm directs dual-band clients only from the 2.4-GHz radio to the 5-GHz radio
of the same access point, and it only runs on an access point when both the 2.4-GHz and 5-GHz radios
are up and running.
• You can enable both band selection and aggressive load balancing on the controller. They run
independently and do not impact one another.
• It is not possible to enable or disable band selection and client load balancing globally through the
controller GUI or CLI. You can, however, enable or disable band selection and client load balancing for
a particular WLAN. Band selection and client load balancing are enabled globally by default.
Information About Configuring Band Selection, 802.11 Bands, and Parameters
Band Selection
Band selection enables client radios that are capable of dual-band (2.4 and 5-GHz) operations to move to a
less congested 5-GHz access point. The 2.4-GHz band is often congested. Clients on this band typically
experience interference from Bluetooth devices, microwave ovens, and cordless phones as well as co-channel
interference from other access points because of the 802.11b/g limit of 3 nonoverlapping channels. To prevent
these sources of interference and improve overall network performance, configure band selection on the
controller.
Band selection works by regulating probe responses to clients and it can be enabled on a per-WLAN basis.
It makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels.
In an access point, the band select table can be viewed by running the show dot11 band-select command. It
can also be viewed by running the show cont d0/d1 | begin Lru command.
Note
The WMM default configuration is not shown in the show running-config command output.
Band Selection Algorithm
The band selection algorithm affects clients that use 2.4-GHz band. Initially, when a client sends a probe
request to an access point, the corresponding client probe’s Active and Count values (as seen from the band
select table) become 1. The algorithm functions based on the following scenarios:
• Scenario 1—Client RSSI (as seen from the show cont d0/d1 | begin RSSI command output) is greater
than both Mid RSSI and Acceptable Client RSSI.
  • Dual-band clients—No 2.4-GHz probe responses are seen at any time; 5-GHz probe responses are
  seen for all 5-GHz probe requests.
  • Single-band (2.4-GHz) clients—2.4-GHz probe responses are seen only after the probe suppression
  cycle.
  • After the client’s probe count reaches the configured probe cycle count, the algorithm waits for the
  Age Out Suppression time and then marks the client probe’s Active value as 0. Then, the algorithm
  is restarted.
• Scenario 2—Client RSSI (as seen from the show cont d0/d1 | begin RSSI command output) lies between Mid-RSSI and
Acceptable Client RSSI.
  • All 2.4-GHz and 5-GHz probe requests are responded to without any restrictions.
  • This scenario is similar to band select being disabled.
Note
The client RSSI value (as seen in the sh cont d0 | begin RSSI command output) is the average of the client
packets received, and the Mid RSSI feature is the instantaneous RSSI value of the probe packets. As a result,
the client RSSI is seen as weaker than the configured Mid RSSI value (7-dB delta). The 802.11b probes from
the client are suppressed to push the client to associate with the 802.11a band.
802.11 Bands
You can configure the 802.11b/g/n (2.4 GHz) and 802.11a/n (5 GHz) bands for the controller to comply with
the regulatory requirements in your country. By default, both 802.11b/g/n and 802.11a/n are enabled.
When a controller is configured to allow only 802.11g traffic, 802.11b client devices are able to successfully
connect to an access point, but cannot pass traffic. When you configure the controller only for 802.11g traffic,
you must mark 11g rates as mandatory.
Note
Block Acks in Cisco 2800, 3800, and 1560 APs are sent at the mandatory data rates configured in Cisco WLC
for the 2.4-GHz radio.
802.11n Parameters
This section provides instructions for managing 802.11n access points on your network. The 802.11n devices
support the 2.4 and 5-GHz bands and offer high throughput data rates.
The 802.11n high throughput rates are available on all the 802.11n access points for the WLANs using WMM
with no Layer 2 encryption or with WPA2/AES encryption enabled.
Note
Some Cisco 802.11n APs may intermittently emit incorrect beacon frames, which can trigger false wIPS
alarms. We recommend that you ignore these alarms. The issue is observed in the following Cisco 802.11n
APs: 1140, 1250, 2600, 3500, and 3600.
802.11h Parameters
802.11h informs client devices about channel changes and can limit the transmit power of those client devices.
How to Configure 802.11 Bands and Parameters
Configuring Band Selection (CLI)
SUMMARY STEPS
1. configure terminal
2. wireless client band-select cycle-count cycle_count
3. wireless client band-select cycle-threshold milliseconds
4. wireless client band-select expire suppression seconds
5. wireless client band-select expire dual-band seconds
6. wireless client band-select client-rssi client_rssi
7. end
8. wlan wlan_profile_name wlan_ID SSID_network_name band-select
9. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: wireless client band-select cycle-count cycle_count
Purpose: Sets the probe cycle count for band select. Valid range is between 1 and 10.
Example:
Controller(config)# wireless client band-select cycle-count 3
Step 3
Command or Action: wireless client band-select cycle-threshold milliseconds
Purpose: Sets the time threshold for a new scanning cycle period. Valid range is between 1 and 1000.
Example:
Controller(config)# wireless client band-select cycle-threshold 5000
Step 4
Command or Action: wireless client band-select expire suppression seconds
Purpose: Sets the suppression expire to the band select. Valid range is between 10 and 200.
Example:
Controller(config)# wireless client band-select expire suppression 100
Step 5
Command or Action: wireless client band-select expire dual-band seconds
Purpose: Sets the dual band expire. Valid range is between 10 and 300.
Example:
Controller(config)# wireless client band-select expire dual-band 100
Step 6
Command or Action: wireless client band-select client-rssi client_rssi
Purpose: Sets the client RSSI threshold. Valid range is between 20 and 90.
Example:
Controller(config)# wireless client band-select client-rssi 40
Step 7
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Step 8
Command or Action: wlan wlan_profile_name wlan_ID SSID_network_name band-select
Purpose: Configures band selection on specific WLANs. Valid range is between 1 and 512. You can enter up to 32 alphanumeric characters for SSID_network_name parameter.
Example:
Controller(config)# wlan wlan1 25 ssid12
Controller(config-wlan)# band-select
Step 9
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Configuring the 802.11 Bands (CLI)
The following procedure provides information about how to configure 802.11 bands and parameters.
SUMMARY STEPS
1. configure terminal
2. ap dot11 5ghz shutdown
3. ap dot11 24ghz shutdown
4. ap dot11 {5ghz | 24ghz} beaconperiod time_unit
5. ap dot11 {5ghz | 24ghz} fragmentation threshold
6. ap dot11 {5ghz | 24ghz} dtpc
7. wireless client association limit number interval milliseconds
8. ap dot11 {5ghz | 24ghz} rate rate {disable | mandatory | supported}
9. no ap dot11 5ghz shutdown
10. no ap dot11 24ghz shutdown
11. ap dot11 24ghz dot11g
12. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: ap dot11 5ghz shutdown
Purpose: Disables the 802.11a band.
Note
You must disable the 802.11a band before configuring the 802.11a network parameters.
Example:
Controller(config)# ap dot11 5ghz shutdown
Step 3
Command or Action: ap dot11 24ghz shutdown
Purpose: Disables the 802.11b band.
Note
You must disable the 802.11b band before configuring the 802.11b network parameters.
Example:
Controller(config)# ap dot11 24ghz shutdown
Step 4
Command or Action: ap dot11 {5ghz | 24ghz} beaconperiod time_unit
Purpose: Specifies the rate at which the SSID is broadcast by the corresponding access point. The beacon interval is measured in time units (TUs). One TU is 1024 microseconds. You can configure the access point to send a beacon every 20 to 1000 milliseconds.
Example:
Controller(config)# ap dot11 5ghz beaconperiod 500
Step 5
Command or Action: ap dot11 {5ghz | 24ghz} fragmentation threshold
Purpose: Specifies the size at which packets are fragmented. The threshold is a value between 256 and 2346 bytes (inclusive). Specify a low number for areas where communication is poor or where there is a great deal of radio interference.
Example:
Controller(config)# ap dot11 5ghz fragmentation 300
Step 6
Command or Action: ap dot11 {5ghz | 24ghz} dtpc
Purpose: Enables access points to advertise their channels and transmit the power levels in beacons and probe responses. The default value is enabled. Client devices using dynamic transmit power control (DTPC) receive the channel-level and power-level information from the access points and adjust their settings automatically. For example, a client device used primarily in Japan can rely on DTPC to adjust its channel and power settings automatically when it travels to Italy and joins a network there.
The no form of the command disables the 802.11a or 802.11b DTPC setting.
Example:
Controller(config)# ap dot11 5ghz dtpc
Controller(config)# no ap dot11 24ghz dtpc
Step 7
Command or Action: wireless client association limit number interval milliseconds
Purpose: Specifies the maximum allowed clients that can be configured. You can configure the maximum number of association requests on a single access point slot at a given interval. The range of association limit that you can configure is from 1 to 100. The association request limit interval is measured between 100 to 10000 milliseconds.
Example:
Controller(config)# wireless client association limit 50 interval 1000
Step 8
Command or Action: ap dot11 {5ghz | 24ghz} rate rate {disable | mandatory | supported}
Purpose: Specifies the rate at which data can be transmitted between the controller and the client.
• disable—Defines that the clients specify the data rates used for communication.
• mandatory—Defines that the clients support this data rate in order to associate to an access point on the controller.
• supported—Any associated clients that support this data rate can communicate with the access point using that rate. However, the clients are not required to use this rate in order to associate.
• rate—Specifies the rate at which data is transmitted. For the 802.11a and 802.11b bands, the data is transmitted at the rate of 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps.
Example:
Controller(config)# ap dot11 5ghz rate 36 mandatory
Step 9
Command or Action: no ap dot11 5ghz shutdown
Purpose: Enables the 802.11a band.
Note
The default value is enabled.
Example:
Controller(config)# no ap dot11 5ghz shutdown
Step 10
Command or Action: no ap dot11 24ghz shutdown
Purpose: Enables the 802.11b band.
Note
The default value is enabled.
Example:
Controller(config)# no ap dot11 24ghz shutdown
Step 11
Command or Action: ap dot11 24ghz dot11g
Purpose: Enables or disables 802.11g network support. The default value is enabled. You can use this command only if the 802.11b band is enabled. If you disable this feature, the 802.11b band is enabled without 802.11g support.
Example:
Controller(config)# ap dot11 24ghz dot11g
Step 12
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Configuring the 802.11 Bands (GUI)
Step 1
Choose Configuration > Wireless > 802.11a/n/ac > Network or Configuration > Wireless > 802.11b/g/n > Network
to open the Global Parameters page.
Step 2
Select the 802.11a/n/ac (or 802.11b/g) Network Status check box to enable the 802.11a or 802.11b/g band. To disable
the band, unselect the check box. The default value is enabled. You can enable both the 802.11a and 802.11b/g bands.
Step 3
If you enabled the 802.11b/g band in Step 2, select the 802.11g Support check box if you want to enable 802.11g
network support. The default value is enabled. If you disable this feature, the 802.11b band is enabled without 802.11g
support.
Step 4
Specify the period at which the SSID is broadcast by the access point by entering a value between 20 and 1000
milliseconds (inclusive) in the Beacon Period text box. The default value is 100 milliseconds.
Note
The beacon period in controllers is listed in terms of milliseconds. The beacon period can also be measured
in time units, where one time unit equals 1024 microseconds or 102.4 milliseconds. If a beacon interval is
listed as 100 milliseconds in a controller, it is only a rounded off value for 102.4 milliseconds. Due to hardware
limitation in certain radios, even though the beacon interval is, say 100 time units, it is adjusted to 102 time
units, which roughly equals 104.448 milliseconds. When the beacon period is to be represented in terms of
time units, the value is adjusted to the nearest multiple of 17.
Step 5
Specify the size at which packets are fragmented by entering a value between 256 and 2346 bytes (inclusive) in the
Fragmentation Threshold text box. Enter a low number for areas where communication is poor or where there is a great
deal of radio interference.
Step 6
Make access points advertise their channel and transmit power level in beacons and probe responses for CCX clients.
Select the DTPC Support check box. Otherwise, unselect this check box. The default value is enabled.
Client devices using dynamic transmit power control (DTPC) receive the channel and power level information from
the access points and adjust their settings automatically. For example, a client device used primarily in Japan could
rely on DTPC to adjust its channel and power settings automatically when it travels to Italy and joins a network there.
Note
On access points that run Cisco IOS software, this feature is called world mode.
Note
DTPC and 802.11h power constraint cannot be enabled simultaneously.
Step 7
Specify the maximum allowed clients by entering a value between 1 and 200 in the Maximum Allowed Client text box.
The default value is 200.
Step 8
Use the Data Rates options to specify the rates at which data can be transmitted between the access point and the client.
These data rates are available:
• 802.11a—6, 9, 12, 18, 24, 36, 48, and 54 Mbps
• 802.11b/g—1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps
For each data rate, choose one of these options:
• Mandatory—Clients must support this data rate in order to associate to an access point on the controller.
• Supported—Any associated clients that support this data rate may communicate with the access point using that
rate. However, the clients are not required to be able to use this rate in order to associate.
• Disabled—The clients specify the data rates used for communication.
Step 9
Click Apply.
Step 10
Click Save Configuration.
Configuring 802.11n Parameters (CLI)
SUMMARY STEPS
1. configure terminal
2. ap dot11 {5ghz | 24ghz} dot11n
3. ap dot11 {5ghz | 24ghz} dot11n mcs tx rtu
4. wlan wlan_profile_name wlan_ID SSID_network_name wmm require
5. ap dot11 {5ghz | 24ghz} shutdown
6. {ap | no ap} dot11 {5ghz | 24ghz} dot11n a-mpdu tx priority {all | 0-7}
7. no ap dot11 {5ghz | 24ghz} shutdown
8. ap dot11 {5ghz | 24ghz} dot11n guard-interval {any | long}
9. ap dot11 {5ghz | 24ghz} dot11n rifs rx
10. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: ap dot11 {5ghz | 24ghz} dot11n
Purpose: Enables 802.11n support on the network. The no form of this command disables the 802.11n support on the network.
Example:
Controller(config)# ap dot11 5ghz dot11n
Step 3
Command or Action: ap dot11 {5ghz | 24ghz} dot11n mcs tx rtu
Purpose: Specifies the modulation and coding scheme (MCS) rates at which data can be transmitted between the access point and the client.
rtu: The valid range is between 0 and 23.
The no form of this command disables the MCS rates that are configured.
Example:
Controller(config)# ap dot11 5ghz dot11n mcs tx 20
Step 4
Command or Action: wlan wlan_profile_name wlan_ID SSID_network_name wmm require
Purpose: Enables WMM on the WLAN and uses the 802.11n data rates that you configured. The require keyword requires client devices to use WMM. Devices that do not support WMM cannot join the WLAN.
Example:
Controller(config)# wlan wlan1 25 ssid12
Controller(config-wlan)# wmm require
Step 5
Command or Action: ap dot11 {5ghz | 24ghz} shutdown
Purpose: Disables the network.
Example:
Controller(config)# ap dot11 5ghz shutdown
Step 6
Command or Action: {ap | no ap} dot11 {5ghz | 24ghz} dot11n a-mpdu tx priority {all | 0-7}
Purpose: Specifies the aggregation method used for 802.11n packets. Aggregation is the process of grouping packet data frames together, rather than transmitting them separately. Two aggregation methods are available: Aggregated MAC Protocol Data Unit (A-MPDU) and Aggregated MAC Service Data Unit (A-MSDU). Both A-MPDU and A-MSDU are performed in the software.
You can specify the aggregation method for various types of traffic from the access point to the clients.
The list defines the priority levels (0-7) assigned per traffic type.
• 0—Best effort
• 1—Background
• 2—Spare
• 3—Excellent effort
• 4—Controlled load
• 5—Video, less than 100-ms latency and jitter
• 6—Voice, less than 100-ms latency and jitter
• 7—Network control
You can configure each priority level independently, or you can use the all parameter to configure all the priority levels at once. You can configure priority levels so that the traffic uses either A-MPDU transmission or A-MSDU transmission.
• When you use the ap command along with the other options, the traffic associated with that priority level uses A-MPDU transmission.
• When you use the no ap command along with the other options, the traffic associated with that priority level uses A-MSDU transmission.
Configure the priority levels to match the aggregation method used by the clients. By default, A-MPDU is enabled for priority level 0, 4, and 5, and the rest are disabled. By default, A-MPDU is enabled for all priorities except 6 and 7.
Example:
Controller(config)# ap dot11 5ghz dot11n a-mpdu tx priority all
Step 7
Command or Action: no ap dot11 {5ghz | 24ghz} shutdown
Purpose: Re-enables the network.
Example:
Controller(config)# no ap dot11 5ghz shutdown
Step 8
Command or Action: ap dot11 {5ghz | 24ghz} dot11n guard-interval {any | long}
Purpose: Configures the guard interval for the network.
Example:
Controller(config)# ap dot11 5ghz dot11n guard-interval long
Step 9
Command or Action: ap dot11 {5ghz | 24ghz} dot11n rifs rx
Purpose: Configures the Reduced Interframe Space (RIFS) for the network.
Example:
Controller(config)# ap dot11 5ghz dot11n rifs rx
Step 10
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Configuring the 802.11n Parameters (GUI)
Step 1
Choose Configuration > Wireless > 802.11a/n/ac or 802.11b/g/n > High Throughput (802.11n) to open the 802.11n/ac
(5 GHz or 2.4 GHz) Throughput page.
Step 2
Select the Enable 11n check box to enable 802.11n support on the network. The default value is enabled.
Step 3
Select the check boxes of the desired rates to specify the modulation and coding scheme (MCS) rates at which data can
be transmitted between the access point and the client. These data rates, which are calculated for a 20-MHz channel width
using a short guard interval, are available:
• 0 (7 Mbps)
• 1 (14 Mbps)
• 2 (21 Mbps)
• 3 (29 Mbps)
• 4 (43 Mbps)
• 5 (58 Mbps)
• 6 (65 Mbps)
• 7 (72 Mbps)
• 8 (14 Mbps)
• 9 (29 Mbps)
• 10 (43 Mbps)
• 11 (58 Mbps)
• 12 (87 Mbps)
• 13 (116 Mbps)
• 14 (130 Mbps)
• 15 (144 Mbps)
• 16 (22 Mbps)
• 17 (43 Mbps)
• 18 (65 Mbps)
• 19 (87 Mbps)
• 20 (130 Mbps)
• 21 (173 Mbps)
• 22 (195 Mbps)
• 23 (217 Mbps)
• Any associated clients that support the selected rates may communicate with the access point using those rates.
However, the clients are not required to be able to use this rate in order to associate. The MCS settings determine
the number of spatial streams, the modulation, the coding rate, and the data rate values that are used.
Step 4
Click Apply.
Step 5
Use the 802.11n data rates that you configured by enabling WMM on the WLAN as follows:
a) Choose WLANs to open the WLANs page.
b) Click the ID number of the WLAN for which you want to configure WMM mode.
c) When the WLANs > Edit page appears, choose the QoS tab to open the WLANs > Edit (QoS) page.
d) From the WMM Policy drop-down list, choose Required or Allowed to require or allow client devices to use WMM.
Devices that do not support WMM cannot join the WLAN.
If you choose Allowed, devices that cannot support WMM can join the WLAN but will not benefit from the 802.11n
rates.
e) Click Apply.
Step 6
Click Save Configuration.
Note
To determine if an access point supports 802.11n, look at the 11n Supported text box on either the 802.11a/n
(or 802.11b/g/n) Cisco APs > Configure page or the 802.11a/n (or 802.11b/g/n) AP Interfaces > Details page.
Configuring 802.11h Parameters (CLI)
SUMMARY STEPS
1. ap dot11 5ghz shutdown
2. {ap | no ap} dot11 5ghz channelswitch mode switch_mode
3. ap dot11 5ghz power-constraint value
4. no ap dot11 5ghz shutdown
5. end
DETAILED STEPS
Step 1
Command or Action: ap dot11 5ghz shutdown
Purpose: Disables the 802.11a network.
Example:
Controller(config)# ap dot11 5ghz shutdown
Step 2
Command or Action: {ap | no ap} dot11 5ghz channelswitch mode switch_mode
Purpose: Enables or disables the access point to announce when it is switching to a new channel.
switch_mode: Enter 0 or 1 to specify whether transmissions are restricted until the actual channel switch (0) or are not restricted (1). The default value is disabled.
Example:
Controller(config)# ap dot11 5ghz channelswitch mode 0
Step 3
Command or Action: ap dot11 5ghz power-constraint value
Purpose: Configures the 802.11h power constraint value in dB. The valid range is from 0 to 255. The default value is 3.
Example:
Controller(config)# ap dot11 5ghz power-constraint 200
Step 4
Command or Action: no ap dot11 5ghz shutdown
Purpose: Re-enables the 802.11a network.
Example:
Controller(config)# no ap dot11 5ghz shutdown
Step 5
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Configuring the 802.11h Parameters (GUI)
Step 1
Disable the 802.11 band as follows:
a) Choose Configuration > Wireless > 802.11a/n/ac > Network to open the 802.11a/n/ac Global Parameters page.
b) Unselect the 802.11a Network Status check box.
c) Click Apply.
Step 2
Choose Configuration > Wireless > 802.11a/n/ac > DFS (802.11h) to open the 802.11h Global Parameters page.
Step 3
In the Power Constraint area, enter the local power constraint. The valid range is between 0 dBm and 30 dBm.
Step 4
In the Channel Switch Announcement area, enter the channel switch announcement mode. You can enter a value of either
1 or 0.
Step 5
Click Apply.
Step 6
Reenable the 802.11a band as follows:
a) Choose Wireless > 802.11a/n/ac > Network to open the 802.11a/n/ac Global Parameters page.
b) Select the 802.11a Network Status check box.
c) Click Apply.
Step 7
Click Save Configuration.
Monitoring Configuration Settings for Band Selection, 802.11 Bands, and Parameters
Monitoring Configuration Settings Using Band Selection and 802.11 Bands Commands
The following commands can be used to monitor band selection, 802.11 bands, and parameters on the controller.
Table 7: Monitoring Configuration Settings Using Band Selection and 802.11 Band Commands
Command                        Purpose
show ap dot11 5ghz network     Displays 802.11a band network parameters, 802.11a operational rates, 802.11n MCS settings, and 802.11n status information.
show ap dot11 24ghz network    Displays 802.11b band network parameters, 802.11b/g operational rates, 802.11n MCS settings, and 802.11n status information.
show wireless dot11h           Displays 802.11h configuration parameters.
show wireless band-select      Displays band-select configuration settings.
Example: Viewing the Configuration Settings for the 5-GHz Band
Controller# show ap dot11 5ghz network
802.11a Network : Enabled
11nSupport : Enabled
802.11a Low Band : Enabled
802.11a Mid Band : Enabled
802.11a High Band : Enabled
802.11a Operational Rates
802.11a 6M : Mandatory
802.11a 9M : Supported
802.11a 12M : Mandatory
802.11a 18M : Supported
802.11a 24M : Mandatory
802.11a 36M : Supported
802.11a 48M : Supported
802.11a 54M : Supported
802.11n MCS Settings:
MCS 0 : Supported
MCS 1 : Supported
MCS 2 : Supported
MCS 3 : Supported
MCS 4 : Supported
MCS 5 : Supported
MCS 6 : Supported
MCS 7 : Supported
MCS 8 : Supported
MCS 9 : Supported
MCS 10 : Supported
MCS 11 : Supported
MCS 12 : Supported
MCS 13 : Supported
MCS 14 : Supported
MCS 15 : Supported
MCS 16 : Supported
MCS 17 : Supported
MCS 18 : Supported
MCS 19 : Supported
MCS 20 : Supported
MCS 21 : Supported
MCS 22 : Supported
MCS 23 : Supported
802.11n Status:
A-MPDU Tx:
Priority 0 : Enabled
Priority 1 : Disabled
Priority 2 : Disabled
Priority 3 : Disabled
Priority 4 : Enabled
Priority 5 : Enabled
Priority 6 : Disabled
Priority 7 : Disabled
A-MSDU Tx:
Priority 0 : Enabled
Priority 1 : Enabled
Priority 2 : Enabled
Priority 3 : Enabled
Priority 4 : Enabled
Priority 5 : Enabled
Priority 6 : Disabled
Priority 7 : Disabled
Guard Interval : Any
Rifs Rx : Enabled
Beacon Interval : 100
CF Pollable mandatory : Disabled
CF Poll Request Mandatory : Disabled
CFP Period : 4
CFP Maximum Duration : 60
Default Channel : 36
Default Tx Power Level : 1
DTPC Status : Enabled
Fragmentation Threshold : 2346
Pico-Cell Status : Disabled
Pico-Cell-V2 Status : Disabled
TI Threshold : 0
Legacy Tx Beamforming setting : Disabled
Traffic Stream Metrics Status : Disabled
Expedited BW Request Status : Disabled
EDCA profile type check : default-wmm
Call Admision Control (CAC) configuration
Voice AC
Voice AC - Admission control (ACM) : Disabled
Voice Stream-Size : 84000
Voice Max-Streams : 2
Voice Max RF Bandwidth : 75
Voice Reserved Roaming Bandwidth : 6
Voice Load-Based CAC mode : Enabled
Voice tspec inactivity timeout : Enabled
CAC SIP-Voice configuration
SIP based CAC : Disabled
SIP Codec Type : CODEC_TYPE_G711
SIP call bandwidth : 64
SIP call bandwith sample-size : 20
Video AC
Video AC - Admission control (ACM) : Disabled
Video max RF bandwidth : Infinite
Video reserved roaming bandwidth : 0
Example: Viewing the Configuration Settings for the 2.4-GHz Band
Controller# show ap dot11 24ghz network
802.11b Network : Enabled
11gSupport : Enabled
11nSupport : Enabled
802.11b/g Operational Rates
802.11b 1M : Mandatory
802.11b 2M : Mandatory
802.11b 5.5M : Mandatory
802.11g 6M : Supported
802.11g 9M : Supported
802.11b 11M : Mandatory
802.11g 12M : Supported
802.11g 18M : Supported
802.11g 24M : Supported
802.11g 36M : Supported
802.11g 48M : Supported
802.11g 54M : Supported
802.11n MCS Settings:
MCS 0 : Supported
MCS 1 : Supported
MCS 2 : Supported
MCS 3 : Supported
MCS 4 : Supported
MCS 5 : Supported
MCS 6 : Supported
MCS 7 : Supported
MCS 8 : Supported
MCS 9 : Supported
MCS 10 : Supported
MCS 11 : Supported
MCS 12 : Supported
MCS 13 : Supported
MCS 14 : Supported
MCS 15 : Supported
MCS 16 : Supported
MCS 17 : Supported
MCS 18 : Supported
MCS 19 : Supported
MCS 20 : Supported
MCS 21 : Supported
MCS 22 : Supported
MCS 23 : Supported
802.11n Status:
A-MPDU Tx:
Priority 0 : Enabled
Priority 1 : Disabled
Priority 2 : Disabled
Priority 3 : Disabled
Priority 4 : Enabled
Priority 5 : Enabled
Priority 6 : Disabled
Priority 7 : Disabled
A-MSDU Tx:
Priority 0 : Enabled
Priority 1 : Enabled
Priority 2 : Enabled
Priority 3 : Enabled
Priority 4 : Enabled
Priority 5 : Enabled
Priority 6 : Disabled
Priority 7 : Disabled
Guard Interval : Any
Rifs Rx : Enabled
Beacon Interval : 100
CF Pollable Mandatory : Disabled
CF Poll Request Mandatory : Disabled
CFP Period : 4
CFP Maximum Duration : 60
Default Channel : 11
Default Tx Power Level : 1
DTPC Status : true
Call Admission Limit : 105
G711 CU Quantum : 15
ED Threshold : -50
Fragmentation Threshold : 2346
PBCC Mandatory : Disabled
Pico-Cell Status : Disabled
Pico-Cell-V2 Status : Disabled
RTS Threshold : 2347
Short Preamble Mandatory : Enabled
Short Retry Limit : 7
Legacy Tx Beamforming setting : Disabled
Traffic Stream Metrics Status : Disabled
Expedited BW Request Status : Disabled
EDCA profile type : default-wmm
Call Admision Control (CAC) configuration
Voice AC
Voice AC - Admission control (ACM) : Disabled
Voice Stream-Size : 84000
Voice Max-Streams : 2
Voice Max RF Bandwidth : 75
Voice Reserved Roaming Bandwidth : 6
Voice Load-Based CAC mode : Enabled
Voice tspec inactivity timeout : Enabled
CAC SIP-Voice configuration
SIP based CAC : Disabled
SIP Codec Type : CODEC_TYPE_G711
SIP call bandwidth : 64
SIP call bandwith sample-size : 20
Video AC
Video AC - Admission control (ACM) : Disabled
Video max RF bandwidth : Infinite
Video reserved roaming bandwidth : 0
Example: Viewing the status of 802.11h Parameters
Controller# show wireless dot11h
Power Constraint: 0
Channel Switch: 0
Channel Switch Mode: 0
Example: Verifying the Band-Selection Settings
The following example displays a band-select configuration:
Controller# show wireless band-select
Band Select Probe Response : per WLAN enabling
Cycle Count : 2
Cycle Threshold (millisec) : 200
Age Out Suppression (sec) : 20
Age Out Dual Band (sec) : 60
Client RSSI (dBm) : -80
Client Mid RSSI (dBm) : -80
Configuration Examples for Band Selection, 802.11 Bands, and Parameters
Examples: Band Selection Configuration
This example shows how to set the probe cycle count and time threshold for a new scanning cycle period for
band select:
Controller# configure terminal
Controller(config)# wireless client band-select cycle-count 3
Controller(config)# wireless client band-select cycle-threshold 5000
Controller(config)# end
This example shows how to set the suppression expiry time for the band select:
Controller# configure terminal
Controller(config)# wireless client band-select expire suppression 100
Controller(config)# end
This example shows how to set the dual-band expiry time for the band select:
Controller# configure terminal
Controller(config)# wireless client band-select expire dual-band 100
Controller(config)# end
This example shows how to set the client RSSI threshold for the band select:
Controller# configure terminal
Controller(config)# wireless client band-select client-rssi 40
Controller(config)# end
This example shows how to configure band selection on specific WLANs:
Controller# configure terminal
Controller(config)# wlan wlan1 25 ssid12
Controller(config-wlan)# band-select
Controller(config)# end
Examples: 802.11 Bands Configuration
This example shows how to configure 802.11 bands using beacon interval, fragmentation, and dynamic
transmit power control:
Controller# configure terminal
Controller(config)# ap dot11 5ghz shutdown
Controller(config)# ap dot11 24ghz shutdown
Controller(config)# ap dot11 5ghz beaconperiod 500
Controller(config)# ap dot11 5ghz fragmentation 300
Controller(config)# ap dot11 5ghz dtpc
Controller(config)# wireless client association limit 50 interval 1000
Controller(config)# ap dot11 5ghz rate 36 mandatory
Controller(config)# no ap dot11 5ghz shutdown
Controller(config)# no ap dot11 24ghz shutdown
Controller(config)# ap dot11 24ghz dot11g
Controller(config)# end
Examples: 802.11n Configuration
This example shows how to configure 802.11n parameters for 5-GHz band using aggregation method:
Controller# configure terminal
Controller(config)# ap dot11 5ghz dot11n
Controller(config)# ap dot11 5ghz dot11n mcs tx 20
Controller(config)# wlan wlan1 25 ssid12
Controller(config-wlan)# wmm require
Controller(config-wlan)# exit
Controller(config)# ap dot11 5ghz shutdown
Controller(config)# ap dot11 5ghz dot11n a-mpdu tx priority all
Controller(config)# no ap dot11 5ghz shutdown
Controller(config)# exit
This example shows how to configure the guard interval for 5-GHz band:
Controller# configure terminal
Controller(config)# ap dot11 5ghz dot11n
Controller(config)# ap dot11 5ghz dot11n mcs tx 20
Controller(config)# wlan wlan1 25 ssid12
Controller(config-wlan)# wmm require
Controller(config-wlan)# exit
Controller(config)# no ap dot11 5ghz shutdown
Controller(config)# ap dot11 5ghz dot11n guard-interval long
Controller(config)# end
This example shows how to configure the RIFS for 5-GHz band:
Controller# configure terminal
Controller(config)# ap dot11 5ghz dot11n
Controller(config)# ap dot11 5ghz dot11n mcs tx 20
Controller(config)# wlan wlan1 25 ssid12
Controller(config-wlan)# wmm require
Controller(config-wlan)# exit
Controller(config)# ap dot11 5ghz shutdown
Controller(config)# ap dot11 5ghz dot11n rifs rx
Controller(config)# end
Examples: 802.11h Configuration
This example shows how to configure the access point to announce when it is switching to a new channel, with transmissions restricted until the actual channel switch (mode 0):
Controller# configure terminal
Controller(config)# ap dot11 5ghz shutdown
Controller(config)# ap dot11 5ghz channelswitch mode 0
Controller(config)# no ap dot11 5ghz shutdown
Controller(config)# end
This example shows how to configure the 802.11h power constraint for 5-GHz band:
Controller# configure terminal
Controller(config)# ap dot11 5ghz shutdown
Controller(config)# ap dot11 5ghz power-constraint 200
Controller(config)# no ap dot11 5ghz shutdown
Controller(config)# end
Additional References for 802.11 Parameters and Band Selection
Related Documents
Related Topic                 Document Title
System management commands    System Management Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Standards and RFCs
Standard/RFC    Title
None            —
MIBs
MIB: All the supported MIBs for this release.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Technical Assistance
Description:
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support
Feature History and Information For Performing 802.11 parameters and Band Selection Configuration
Release                                   Feature Information
Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE    This feature was introduced.
CHAPTER 8
Configuring Aggressive Load Balancing
• Finding Feature Information
• Restrictions for Aggressive Load Balancing
• Information for Configuring Aggressive Load Balancing Parameters
• How to Configure Aggressive Load Balancing
• Monitoring Aggressive Load Balancing
• Examples: Aggressive Load Balancing Configuration
• Additional References for Aggressive Load Balancing
• Feature History and Information For Performing Aggressive Load Balancing Configuration
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Restrictions for Aggressive Load Balancing
• You can configure aggressive load balancing only from the command-line interface.
• Aggressive load balancing is disabled by default; you must enable it manually.
• You can enable load balancing either separately or together with the band select configurations.
• When band select is enabled on dual-band clients, load balancing selects only the lowest-load radio from among the 5-GHz radios. For 2.4-GHz clients, there is no probe information for the client on 5 GHz, so the load-balancing algorithm can select only among the radios on 2.4 GHz.
• You can load balance clients between access points on the same controller, but not between access points on different controllers.
• Load balancing uses an existing association denial mechanism based on the number of clients on the radio, and band select is implemented by distributed probe response suppression on the access point only.
Information for Configuring Aggressive Load Balancing Parameters
Aggressive Load Balancing
Enabling aggressive load balancing on the controller allows lightweight access points to load balance wireless
clients across access points. You can enable aggressive load balancing using the controller.
When a wireless client attempts to associate to a lightweight access point, association response packets are sent to the client with an 802.11 response packet including status code 17. Code 17 indicates that the AP is busy. The AP responds with an association response bearing 'success' if the AP threshold is not met, and with code 17 (AP busy) if the AP utilization threshold is exceeded and another, less busy AP heard the client request.
For example, if the number of clients on AP1 is more than the number of clients on AP2 plus the load-balancing
window, then AP1 is considered to be busier than AP2. When a client attempts to associate to AP1, it receives
an 802.11 response packet with status code 17, indicating that the access point is busy, and the client attempts
to associate to a different access point.
You can configure the controller to deny client associations up to 10 times (if a client attempted to associate
11 times, it would be allowed to associate on the 11th try). You can also enable or disable load balancing on
a particular WLAN, which is useful if you want to disable load balancing for a select group of clients (such
as time-sensitive voice clients).
Note
A voice client does not authenticate when the delay is configured to be more than 300 ms. To avoid this, configure a Central-Auth, Local Switching WLAN with CCKM, configure a Pagent Router between the AP and the WLC with a delay of 600 ms (300 ms UP and 300 ms DOWN), and try associating the voice client.
The maximum number of client associations that the access points can support is dependent upon the following
factors:
• The maximum number of client associations differs for lightweight and autonomous Cisco IOS access
points.
• There may be a limit per radio and an overall limit per AP.
• AP hardware (the 16-MB APs have a lower limit than the 32-MB and higher APs)
The Client Association Limits for Lightweight Access Points are as follows:
• For 16-MB APs, the limit is 128 clients per AP. This limit is applicable to 1100 and 1200 series APs.
• For 32-MB and higher APs, there is no per-AP limit.
The maximum Client Association Limits per-radio for all of the Cisco IOS APs is 200 associations.
Note
With 32-MB and higher lightweight Cisco IOS APs, with two radios, up to 200 + 200 = 400 associations are
supported.
The maximum Client Association Limits per Autonomous Cisco IOS access point is around 80 to 127 clients
per AP. This number varies depending on the following factors:
• AP model (whether it is 16 MB or 32 MB or higher)
• Cisco IOS software release
• Hardware configuration (two radios use more memory than one)
• Enabled features (WDS functionality in particular)
The per-radio limit is about 200 associations. One association will likely hit the per-AP limit first. Unlike
Cisco Unified Wireless Network, autonomous Cisco IOS supports per-SSID/per-AP association limits. This
limit is configured using the max-associations CLI, under dot11 SSID. The maximum number is 255
associations (which is also the default number).
Note
For a FlexConnect AP the association is locally handled. The load-balancing decisions are taken at the Cisco
WLC. A FlexConnect AP initially responds to the client before knowing the result of calculations at the Cisco
WLC. Load-balancing doesn't take effect when the FlexConnect AP is in standalone mode.
FlexConnect AP does not send (re)association response with status 17 for Load-Balancing as Local mode
APs do; instead, it first sends (re)association with status 0 (success) and then deauth with reason 5.
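The following Python model is an added example, not Cisco code and not part of the original guide. It walks through the association decision described in this section: the load-balancing window comparison, the denial count, the per-WLAN setting, and the different frames a client sees from a local-mode AP and from a FlexConnect AP. The class, function and AP-mode names, and the reset of the denial counter once a client is admitted, are assumptions made for illustration.

```python
from dataclasses import dataclass, field

STATUS_SUCCESS = 0   # 802.11 association status: success
STATUS_AP_BUSY = 17  # 802.11 association status: AP busy (load-balancing denial)
REASON_AP_BUSY = 5   # deauth reason a FlexConnect AP sends after status 0, per the guide


@dataclass
class LoadBalancer:
    """Hypothetical model of the controller-side load-balancing state."""
    window: int        # value of "wireless load-balancing window" (0 to 20)
    denial_count: int  # value of "wireless load-balancing denial" (0 to 10)
    denials: dict = field(default_factory=dict)  # client MAC -> denials so far

    def __post_init__(self):
        if not 0 <= self.window <= 20:
            raise ValueError("window must be between 0 and 20")
        if not 0 <= self.denial_count <= 10:
            raise ValueError("denial count must be between 0 and 10")

    def is_busy(self, ap_clients, other_ap_clients):
        """True if this AP has more clients than some other AP that heard
        the client request, plus the load-balancing window."""
        return any(ap_clients > other + self.window for other in other_ap_clients)

    def associate(self, mac, ap_clients, other_ap_clients,
                  wlan_load_balance=True, ap_mode="local"):
        """Return the frames the client receives as (frame_type, code) tuples."""
        accept = [("assoc-resp", STATUS_SUCCESS)]
        # Load balancing is enabled per WLAN and does not take effect on a
        # FlexConnect AP in standalone mode.
        if not wlan_load_balance or ap_mode == "flexconnect-standalone":
            return accept
        if not self.is_busy(ap_clients, other_ap_clients):
            self.denials.pop(mac, None)
            return accept
        # After denial_count denials the next attempt is admitted.
        if self.denials.get(mac, 0) >= self.denial_count:
            self.denials.pop(mac, None)  # assumption: counter resets on admit
            return accept
        self.denials[mac] = self.denials.get(mac, 0) + 1
        if ap_mode == "flexconnect-connected":
            # The AP answers before the controller decides, then deauthenticates.
            return [("assoc-resp", STATUS_SUCCESS), ("deauth", REASON_AP_BUSY)]
        return [("assoc-resp", STATUS_AP_BUSY)]


def attempts_until_associated(lb, mac, ap_clients, other_ap_clients, **kwargs):
    """Retry against the same busy AP and return the attempt that is admitted."""
    for attempt in range(1, 13):
        frames = lb.associate(mac, ap_clients, other_ap_clients, **kwargs)
        if frames == [("assoc-resp", STATUS_SUCCESS)]:
            return attempt
    raise RuntimeError("client was never admitted")


if __name__ == "__main__":
    # Constructed sample: AP1 has 10 clients, AP2 (which also heard the
    # client) has 5, window is 3, denial count is 10.
    lb = LoadBalancer(window=3, denial_count=10)
    mac = "00:11:22:33:44:55"  # constructed client address
    print("AP1 busy:", lb.is_busy(10, [5]))
    print("first attempt:", lb.associate(mac, 10, [5]))
    lb = LoadBalancer(window=3, denial_count=10)
    print("admitted on attempt:", attempts_until_associated(lb, mac, 10, [5]))
```

In a packet capture, a run of status 17 responses (or status 0 followed by a deauthentication with reason 5 on FlexConnect APs) that ends once the configured denial count is reached matches this behavior.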
How to Configure Aggressive Load Balancing
Configuring Aggressive Load Balancing
SUMMARY STEPS
1. configure terminal
2. wireless load-balancing window client-count
3. wireless load-balancing denial denial-count
4. end
5. wlan wlan_profile_name wlan_ID SSID_network_name load-balance
6. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: wireless load-balancing window client-count
Purpose: Sets the client window for aggressive load balancing. You can enter a value between 0 and 20 for the client_count parameter.
Example:
Controller(config)# wireless load-balancing window 1
Step 3
Command or Action: wireless load-balancing denial denial-count
Purpose: Sets the denial count for load balancing. You can enter a value between 0 and 10 for the denial_count parameter.
Example:
Controller(config)# wireless load-balancing denial-count 1
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Step 5
Command or Action: wlan wlan_profile_name wlan_ID SSID_network_name load-balance
Purpose: Enables or disables aggressive load balancing on specific WLANs.
You can enter a value between 1 and 512 for the wlan_ID parameter.
You can enter up to 32 alphanumeric characters for the SSID_network_name parameter.
Example:
Controller(config)# wlan wlan1 25 ssid12
Controller(config-wlan)# load-balance
Step 6
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Monitoring Aggressive Load Balancing
This section describes the new command for aggressive load balancing.
The following command can be used to monitor aggressive load balancing on the controller.
Table 8: Monitoring Aggressive Load Balancing Command
Command                         Purpose
show wireless load-balancing    Displays the status of the load-balancing feature.
Examples: Aggressive Load Balancing Configuration
This example shows how to configure the load balancing denial count:
Controller# configure terminal
Controller(config)# wireless load-balancing denial-count 1
Controller(config)# end
Controller# show wireless load-balancing
This example shows how to configure the client window for aggressive load balancing:
Controller# configure terminal
Controller(config)# wireless load-balancing window 1
Controller(config)# end
Controller# show wireless load-balancing
This example shows how to configure load balancing on specific WLAN:
Controller# configure terminal
Controller(config)# wlan wlan1 25 ssid12
Controller(config-wlan)# load-balance
Controller(config)# end
Controller# show wireless load-balancing
Additional References for Aggressive Load Balancing
Related Documents
Related Topic                 Document Title
System management commands    System Management Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Standards and RFCs
Standard/RFC    Title
None            —
MIBs
MIB: All the supported MIBs for this release.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Feature History and Information For Performing Aggressive Load Balancing Configuration
Release                                   Feature Information
Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE    This feature was introduced.
CHAPTER 9
Configuring Client Roaming
• Finding Feature Information
• Prerequisites for Configuring Client Roaming
• Restrictions for Configuring Client Roaming
• Information About Client Roaming
• How to Configure Layer 2 or Layer 3 Roaming
• Monitoring Client Roaming Parameters
• Monitoring Mobility Configurations
• Additional References for Configuring Client Roaming
• Feature History and Information For Performing Client Roaming Configuration
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Prerequisites for Configuring Client Roaming
• There should be one active mobility controller to manage client roaming.
• The WLAN SSID on the mobility agents across which roaming is desired should be the same.
Restrictions for Configuring Client Roaming
The following are the restrictions that you should be aware of while configuring client roaming:
• Cisco Compatible Extensions (CCX) support is enabled automatically for every WLAN on the controller
and cannot be disabled. The controller stores the CCX version of the client in its client database and uses
it to generate and respond to CCX frames appropriately. Clients must support CCXv4 or v5 (or CCXv2
for access point assisted roaming) to utilize these roaming enhancements.
• Client roaming between 600 Series Access points is not supported.
Information About Client Roaming
The controllers deliver high-end wireless services to clients roaming across the wireless network. The wireless services are now integrated with the switches, delivering a value-added Cisco unified new mobility architecture. This unified architecture enables client-roaming services for both wireless and wired clients with seamless, fast-roaming services.
The new mobility architecture supports fast client roaming services using logical categorization of network
into Mobility Domains (MDs), Mobility Groups (MGs), Mobility Subdomains (MSDs), and Switch Peer
Groups (SPGs) using systems such as Mobility Oracle (MO), Mobility Controller (MC), and Mobility Agent
(MA).
• A Mobility Domain is the entire domain across which client roaming is supported. It is a collection of
mobility groups. For example, a campus network can be considered as a mobility domain.
• A Mobility Group is a collection of mobility subdomains across which fast roaming is supported. The
mobility group can be one or more buildings within a campus across which frequent roaming is supported.
• A Mobility Subdomain is an autonomous portion of the mobility domain network. Each mobility
subdomain contains one mobility controller (MC) and a collection of SPGs. A subdomain is equivalent
to an 802.11r key domain.
• A Switch Peer Group is a collection of mobility agents.
• The Mobility Oracle acts as the point of contact for mobility events that occur across mobility subdomains.
The mobility oracle also maintains a local database of each client in the entire mobility domain, their
home and current subdomain. There is only one MO for an entire mobility domain. The Cisco WLC
5700 Series Controllers or Cisco Unified Wireless Networking Solution controller can act as MO.
• The Mobility Controller provides mobility management services for inter-SPG roaming events. The MC sends configuration such as the SPG name and the SPG peer member list to all of the mobility agents under its subdomain. The Cisco WLC 5700 Series Controllers, Cisco Catalyst 3850 Switch, or Cisco Unified Wireless Networking Solution controller can act as MC. The MC runs both MC functionality and MA functionality internally.
• The Mobility Agent is the component that maintains client mobility state machine for a mobile client.
All APs are connected to the mobility agent.
The new mobility architecture supports seamless roaming in the following scenarios:
• Intra-switch roaming—The client roaming between APs managed by same mobility agent.
• Intra-SPG roaming—The client roaming between mobility agents in the same SPG.
• Inter-SPG, Intra-subdomain roaming—The client roaming between mobility agents in different SPGs
within the same subdomain.
• Inter-subdomain roaming—The client roaming between mobility agents across a subdomain.
Fast Roaming
The new mobility architecture supports fast roaming when clients roam within a mobility group by eliminating the need for full authentication. Security policies should be the same across the switches for fast roaming.
Local, anchor, foreign MAs and MCs
When a client joins an MA initially and its point of attachment has not changed, that MA is referred to as the local or associated MA. The MC to which this MA is associated is referred to as the local or associated MC.
When a client roams between two MAs, the MA to which the client was previously associated is the anchor MA (point of attachment) and the MA to which the client is currently associated is the foreign or associated MA (point of presence). The MCs to which these MAs are associated are referred to as anchor, foreign, or associated MCs, respectively.
Inter-Subnet Roaming
Multiple-controller deployments support client roaming across access points managed by controllers in the
same mobility group on different subnets. This roaming is transparent to the client because the session is
sustained and a tunnel between the controllers allows the client to continue using the same DHCP-assigned
or client-assigned IP address as long as the session remains active. The tunnel is torn down, and the client
must reauthenticate when the client sends a DHCP Discover with a 0.0.0.0 client IP address or a 169.254.*.*
client auto-IP address or when the operator-set user timeout is exceeded.
Voice-over-IP Telephone Roaming
802.11 voice-over-IP (VoIP) telephones actively seek out associations with the strongest RF signal to ensure
the best quality of service (QoS) and the maximum throughput. The minimum VoIP telephone requirement
of 20-millisecond or shorter latency time for the roaming handover is easily met by the Cisco Wireless solution,
which has an average handover latency of 5 or fewer milliseconds when open authentication is used. This
short latency period is controlled by controllers rather than allowing independent access points to negotiate
roaming handovers.
The Cisco Wireless solution supports 802.11 VoIP telephone roaming across lightweight access points managed
by controllers on different subnets, as long as the controllers are in the same mobility group. This roaming is
transparent to the VoIP telephone because the session is sustained and a tunnel between controllers allows
the VoIP telephone to continue using the same DHCP-assigned IP address as long as the session remains
active. The tunnel is torn down, and the VoIP client must reauthenticate when the VoIP telephone sends a
DHCP Discover with a 0.0.0.0 VoIP telephone IP address or a 169.254.*.* VoIP telephone auto-IP address
or when the operator-set user timeout is exceeded.
CCX Layer 2 Client Roaming
The controller supports five CCX Layer 2 client roaming enhancements:
• Access point assisted roaming—This feature helps clients save scanning time. When a CCXv2 client
associates to an access point, it sends an information packet to the new access point listing the
characteristics of its previous access point. Roaming time decreases when the client recognizes and uses
an access point list built by compiling all previous access points to which each client was associated and
sent (unicast) to the client immediately after association. The access point list contains the channels,
BSSIDs of neighbor access points that support the client’s current SSID(s), and time elapsed since
disassociation.
• Enhanced neighbor list—This feature focuses on improving a CCXv4 client’s roam experience and
network edge performance, especially when servicing voice applications. The access point provides its
associated client information about its neighbors using a neighbor-list update unicast message.
• Enhanced neighbor list request (E2E)—The End-2-End specification is a Cisco and Intel joint program
that defines new protocols and interfaces to improve the overall voice and roaming experience. It applies
only to Intel clients in a CCX environment. Specifically, it enables Intel clients to request a neighbor list
at will. When this occurs, the access point forwards the request to the controller. The controller receives
the request and replies with the current CCX roaming sublist of neighbors for the access point to which
the client is associated.
Note
To see whether a particular client supports E2E, choose Wireless > Clients on
the controller GUI, click the Detail link for the desired client, and look at the
E2E Version text box in the Client Properties area.
• Roam reason report—This feature enables CCXv4 clients to report the reason why they roamed to a new
access point. It also allows network administrators to build and monitor a roam history.
• Directed roam request—This feature enables the controller to send directed roam requests to the client
in situations when the controller can better service the client on an access point different from the one
to which it is associated. In this case, the controller sends the client a list of the best access points that it
can join. The client can either honor or ignore the directed roam request. Non-CCX clients and clients
running CCXv3 or below must not take any action. No configuration is required for this feature.
How to Configure Layer 2 or Layer 3 Roaming
Configuring Layer 2 or Layer 3 Roaming
Before you begin
To configure the mobility agent for Layer 2 or Layer 3 roaming, the following prerequisites should be considered:
• SSID and security policies should be the same across MAs for Layer 2 and Layer 3 roaming.
• Client VLAN ID should be the same for Layer 2 roaming and different for Layer 3 roaming.
• Bridge domain ID and client VLAN IDs should be the same for Layer 2 roaming. Either one or both of the
bridge domain ID and client VLAN ID should be different for Layer 3 roaming.
SUMMARY STEPS
1. configure terminal
2. wlan wlan_profile_name wlan_ID SSID_network_name
3. no mobility anchor sticky
4. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: wlan wlan_profile_name wlan_ID SSID_network_name
Purpose: Enters WLAN configuration mode.
Example:
Controller(config)# wlan wlan1
Step 3
Command or Action: no mobility anchor sticky
Purpose: (Optional) Disables Layer 2 anchoring.
Example:
Controller(config-wlan)# no mobility anchor sticky
Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Configuring CCX Client Roaming Parameters (CLI)
SUMMARY STEPS
1. configure terminal
2. ap dot11 {5ghz | 24ghz} l2roam rf-params {default | custom min-rssi roam-hyst scan-thresh trans-time}
3. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: ap dot11 {5ghz | 24ghz} l2roam rf-params {default | custom min-rssi roam-hyst scan-thresh trans-time}
Example:
Controller# ap dot11 5ghz l2roam rf-params custom -80
Purpose: Configures CCX Layer 2 client roaming parameters.
To choose the default RF parameters, enter the default
option.
To fine-tune the RF parameters that affect client roaming,
enter the custom option and then enter any one of the
following options:
• Minimum RSSI—Indicates minimum Received Signal
Strength Indicator (RSSI) required for the client to
associate to an access point.
If the client’s average received signal power dips below
this threshold, reliable communication is usually
impossible. Therefore, clients must already have found
and roamed to another access point with a stronger
signal before the minimum RSSI value is reached.
You can configure the minimum RSSI range from –50
through –90 dBm and the default value is –85 dBm.
• Hysteresis—Indicates how much greater the signal
strength of a neighboring access point must be for the
client to roam to it.
This parameter is intended to reduce the amount of
roaming between access points if the client is
physically located on or near the border between two
access points.
You can configure the hysteresis range from 3 through
20 dB and the default is 3 dB.
• Scan Threshold—Indicates a minimum RSSI that is
allowed before the client should roam to a better access
point.
When the RSSI drops below the specified value, the
client must be able to roam to a better access point
within the specified transition time. This parameter
also provides a power-save method to minimize the
time that the client spends in active or passive
scanning. For example, the client can scan slowly when
the RSSI is above the threshold and scan more rapidly
when the RSSI is below the threshold.
You can configure the RSSI range from –50 through
–90 dBm and the default value is –72 dBm.
• Transition Time—Indicates the maximum time allowed
for the client to detect a suitable neighboring access
point to roam to and to complete the roam, whenever
the RSSI from the client’s associated access point is
below the scan threshold.
The Scan Threshold and Transition Time parameters
guarantee a minimum level of client roaming
performance. Together with the highest expected client
speed and roaming hysteresis, these parameters make
it possible to design a wireless LAN network that
supports roaming simply by ensuring a certain
minimum overlap distance between access points.
You can configure the time period in the range from
1 through 5 seconds and the default time is 5 seconds.
Step 3
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
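The following Python audit is an added example, not part of the Cisco guide: it checks `ap dot11 ... l2roam rf-params` lines from a saved configuration against the ranges given in Step 2. The sample lines are constructed, the lines are assumed to follow the summary-step syntax, and the rule that the scan threshold must sit above the minimum RSSI is an assumption drawn from the parameter descriptions rather than a limit the guide states.

```python
import re

# Ranges and defaults quoted from Step 2 of the procedure above.
LIMITS = {
    "min_rssi": (-90, -50),     # dBm
    "roam_hyst": (3, 20),       # dB
    "scan_thresh": (-90, -50),  # dBm
    "trans_time": (1, 5),       # seconds
}
DEFAULTS = {"min_rssi": -85, "roam_hyst": 3, "scan_thresh": -72, "trans_time": 5}

LINE_RE = re.compile(
    r"^\s*ap\s+dot11\s+(?P<band>5ghz|24ghz)\s+l2roam\s+rf-params\b(?P<rest>.*)$"
)


def parse_rf_params(line):
    """Return (band, params) for an rf-params line, None for any other line.

    Raises ValueError when the line is an rf-params command but does not carry
    either 'default' or 'custom' followed by exactly four integers.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    tokens = m.group("rest").split()
    if tokens == ["default"]:
        return m.group("band"), dict(DEFAULTS)
    if len(tokens) != 5 or tokens[0] != "custom":
        raise ValueError("expected 'default' or 'custom' plus four values")
    try:
        values = [int(t) for t in tokens[1:]]
    except ValueError:
        raise ValueError("custom values must be integers") from None
    # LIMITS preserves the order min-rssi, roam-hyst, scan-thresh, trans-time.
    return m.group("band"), dict(zip(LIMITS, values))


def audit_rf_params(config_text):
    """Return a list of (line_number, kind, message) findings."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        try:
            parsed = parse_rf_params(line)
        except ValueError as exc:
            findings.append((lineno, "syntax", str(exc)))
            continue
        if parsed is None:
            continue
        band, params = parsed
        for name, (low, high) in LIMITS.items():
            if not low <= params[name] <= high:
                findings.append(
                    (lineno, "range", f"{band} {name}={params[name]} outside {low}..{high}")
                )
        # Assumption (not a documented limit): a client has to start scanning
        # before it reaches the minimum usable RSSI, so the scan threshold
        # should be a stronger signal level than the minimum RSSI.
        if params["scan_thresh"] <= params["min_rssi"]:
            findings.append(
                (lineno, "ordering", f"{band} scan_thresh is not above min_rssi")
            )
    return findings


# Constructed sample input; the fifth line mirrors the guide's own example,
# which lists a single value after 'custom'.
SAMPLE_CONFIG = """\
ap dot11 5ghz l2roam rf-params default
ap dot11 24ghz l2roam rf-params custom -80 5 -72 4
ap dot11 5ghz l2roam rf-params custom -95 2 -72 5
ap dot11 24ghz l2roam rf-params custom -70 3 -75 6
ap dot11 5ghz l2roam rf-params custom -80
wlan wlan1 1 corp
"""

if __name__ == "__main__":
    for finding in audit_rf_params(SAMPLE_CONFIG):
        print(finding)
```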
Configuring Mobility Oracle
SUMMARY STEPS
1. configure terminal
2. wireless mobility oracle
3. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: wireless mobility oracle
Purpose: Enables mobility oracle on the controller.
Example:
Controller(config)# wireless mobility oracle
Step 3
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Configuring Mobility Controller
SUMMARY STEPS
1. configure terminal
2. wireless mobility controller
3. wireless mobility controller peer-group switch-peer-group-name
4. wireless mobility controller peer-group switch-peer-group-name member ip ip-address {public-ip public-ip-address}
5. wireless mobility controller peer-group switch-peer-group-name multicast
6. wireless mobility controller peer-group switch-peer-group-name multicast ip peer-group-multicast-ip-addr
7. wireless mobility controller peer-group switch-peer-group-name bridge-domain-id id
8. wireless mobility group member ip ip-address [public-ip public-ip-address] [group group-name]
9. wireless mobility dscp value
10. wireless mobility group keepalive {count | interval}
11. wireless mobility group name name
12. wireless mobility oracle ip mo-ip-address
13. wireless management interface interface-name
14. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: wireless mobility controller
Purpose: Enables wireless mobility controller.
Example:
Controller(config)# wireless mobility controller
Step 3
Command or Action: wireless mobility controller peer-group switch-peer-group-name
Purpose: Configures a switch peer group name. You can enter up to 31 case-sensitive ASCII printable characters for the group name. Spaces are not allowed in mobility group.
Note: The No form of the command deletes the switch peer group.
Example:
Controller(config)# wireless mobility controller peer-group SPG1
Step 4
Command or Action: wireless mobility controller peer-group switch-peer-group-name member ip ip-address {public-ip public-ip-address}
Purpose: Adds a mobility group member to a switch peer group.
Note: The No form of the command deletes the member from the switch peer group.
Example:
Controller(config)# wireless mobility controller peer-group SPG1 member ip 10.0.0.1
Step 5
Command or Action: wireless mobility controller peer-group switch-peer-group-name multicast
Purpose: Configures the multicast mode within a switch peer group.
Example:
Controller(config)# wireless mobility controller peer-group SPG1 multicast
Step 6
Command or Action: wireless mobility controller peer-group switch-peer-group-name multicast ip peer-group-multicast-ip-addr
Purpose: Configures the multicast IP address for a switch peer group.
Note: The No form of the command deletes the multicast IP for the switch peer group.
Example:
Controller(config)# wireless mobility controller peer-group SPG1 multicast ip 10.0.0.4
Step 7
Command or Action: wireless mobility controller peer-group switch-peer-group-name bridge-domain-id id
Purpose: Configures the bridge domain ID for a switch peer group. The default is zero.
Note: The No form of command sets the bridge domain ID to the default value.
Example:
Controller(config)# wireless mobility controller peer-group SPG bridge-domain-id 10.0.0.5
Step 8
Command or Action: wireless mobility group member ip ip-address [public-ip public-ip-address] [group group-name]
Purpose: Adds a mobility group member.
Note: The No form of the command removes the member from the group. The default group name is the group name of MC.
Example:
Controller(config)# wireless mobility group member ip 10.0.0.1
Step 9
Command or Action: wireless mobility dscp value
Purpose: Sets the DSCP value for mobility control packet. You can configure the DSCP value in a range from 0 through 63. The default value is 46.
Example:
Controller(config)# wireless mobility dscp 46
Step 10
Command or Action: wireless mobility group keepalive {count | interval}
Purpose: Configures the wireless mobility group keepalive count which is the number of keepalive retries before a member status is termed DOWN and keepalive interval which is interval between two keepalives.
Example:
Controller(config)# wireless mobility group keepalive count
Step 11
Command or Action: wireless mobility group name name
Purpose: Specifies the case sensitive wireless mobility group name which can be ASCII printable string up to 31 characters.
Example:
Controller(config)# wireless mobility group name group1
Step 12
Command or Action: wireless mobility oracle ip mo-ip-address
Purpose: Configures the mobility oracle IP address.
Example:
Controller(config)# wireless mobility oracle ip 10.0.0.5
Step 13
Command or Action: wireless management interface interface-name
Purpose: Configures the wireless management interface.
Example:
Controller(config)# wireless management interface Vlan21
Step 14
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Configuring Mobility Agent
SUMMARY STEPS
1. configure terminal
2. wireless mobility controller ip ip-address
3. wireless mobility load-balance
4. wireless mobility load-balance threshold threshold-value
5. wireless management interface interface-name
6. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: wireless mobility controller ip ip-address
Purpose: Sets the IP address of the mobility controller.
Example:
Controller(config)# wireless mobility controller ip 10.10.10.20
Step 3
Command or Action: wireless mobility load-balance
Purpose: Configures wireless mobility load balancing.
Example:
Controller(config)# wireless mobility load-balance
Step 4
Command or Action: wireless mobility load-balance threshold threshold-value
Purpose: Configures the number of clients that can be local or anchored on the MA. You can configure the threshold value in a range from 100 to 2000. The default value is 1000.
Example:
Controller(config)# wireless mobility load-balance threshold 100
Step 5
Command or Action: wireless management interface interface-name
Purpose: Configures wireless management interface for the mobility agent.
Example:
Controller(config)# wireless management interface Vlan21
Step 6
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Monitoring Client Roaming Parameters
This section describes the new commands for the client parameters.
The following commands can be used to monitor the client roaming parameters on the controller.
Table 9: Monitoring Client Roaming Parameters Commands
Command: show ap dot11 {5ghz | 24ghz} l2roam rf-param
Purpose: Displays the current RF parameters configured for client roaming for the 802.11a or 802.11b/g network.
Command: show ap dot11 {5ghz | 24ghz} l2roam statistics
Purpose: Displays the CCX Layer 2 client roaming statistics for the 802.11a or 802.11b/g network.
Command: show ap dot11 {5ghz | 24ghz} l2roam mac-address mac-address statistics
Purpose: Displays the CCX Layer 2 client roaming statistics for a particular access point.
Monitoring Mobility Configurations
This section describes the new commands for monitoring mobility configurations.
The following command can be used to monitor mobility configurations on the Mobility Oracle, Mobility
Controller, and Mobility Agent.
Table 10: Monitoring Mobility Configuration Commands on the Mobility Controller and Mobility Agent
Command: show wireless mobility summary
Purpose: Displays the summary information for the Mobility Controller and Mobility Agent.
Command: show wireless mobility statistics
Purpose: Displays mobility statistics.
Command: show wireless mobility dtls connections
Purpose: Displays established DTLS connections.
Table 11: Monitoring Mobility Configuration Commands on the Mobility Oracle
Command: show wireless mobility oracle summary
Purpose: Displays the status of the Mobility Controllers known to the Mobility Oracle.
Command: show wireless mobility oracle client summary
Purpose: Displays the information of a list of clients in the Mobility Oracle database.
Command: show wireless mobility oracle client detail client-mac-address
Purpose: Displays the detailed information of a particular client in the Mobility Oracle database.
Command: show wireless mobility oracle mc-ip
Purpose: Displays the information of a list of clients in the Mobility Oracle database that are anchored or associated to a specified Mobility Controller.
Table 12: Monitoring Mobility Configuration Commands on the Mobility Controller
Command: show wireless mobility controller client summary
Purpose: Displays a list of clients in the subdomain.
Command: show wireless mobility controller client mac-address detail
Purpose: Displays detailed information for a client in a subdomain.
Command: show wireless mobility agent ma-ip client summary
Purpose: Displays a list of clients anchored or associated to a specified Mobility Agent.
Command: show wireless mobility ap-list
Purpose: Displays the list of Cisco APs known to the mobility group.
Table 13: Monitoring Mobility Configuration Commands on the Mobility Agent
Command: show wireless mobility load-balance summary
Purpose: Displays the summary of mobility load-balance properties.
Additional References for Configuring Client Roaming
Related Documents
Related Topic: Mobility configuration
Document Title: Mobility Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Related Topic: Mobility-related commands
Document Title: Mobility Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Standards and RFCs
Standard/RFC: None
Title: —
MIBs
MIB: All the supported MIBs for this release.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Technical Assistance
Description: The Cisco Support website provides extensive online resources, including
documentation and tools for troubleshooting and resolving technical issues
with Cisco products and technologies.
To receive security and technical information about your products, you can
subscribe to various services, such as the Product Alert Tool (accessed from
Field Notices), the Cisco Technical Services Newsletter, and Really Simple
Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user
ID and password.
Link: http://www.cisco.com/support
Feature History and Information For Performing Client Roaming Configuration
Release: Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE
Feature Information: This feature was introduced.
CHAPTER 10
Configuring Application Visibility and Control
• Finding Feature Information
• Information About Application Visibility and Control
• Supported AVC Class Map and Policy Map Formats
• Prerequisites for Application Visibility and Control
• Guidelines for Inter-Controller Roaming with Application Visibility and Control
• Restrictions for Application Visibility and Control
• How to Configure Application Visibility and Control
• Monitoring Application Visibility and Control
• Examples: Application Visibility and Control
• Additional References for Application Visibility and Control
• Feature History and Information For Application Visibility and Control
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Information About Application Visibility and Control
Application Visibility and Control (AVC) classifies applications using deep packet inspection techniques with
the Network-Based Application Recognition engine, and provides application-level visibility and control
(QoS) in wireless networks. After the applications are recognized, the AVC feature enables you to either drop,
mark, or police the data traffic.
AVC is configured by defining a class map in a QoS client policy to match a protocol.
Using AVC, we can detect more than 1000 applications. AVC enables you to perform real-time analysis and
create policies to reduce network congestion, costly network link usage, and infrastructure upgrades.
Note
You can view a list of 30 applications under Top Applications in the Monitor Summary section of the UI.
Traffic flows are analyzed and recognized using the NBAR2 engine at the access point. For more information
about the NBAR2 Protocol Library, see
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html.
The specific flow is marked with the recognized protocol or application, such as WebEx. This per-flow
information can be used for application visibility using Flexible NetFlow (FNF).
AVC QoS actions are applied with AVC filters in both upstream and downstream directions. The QoS actions
supported for upstream flow are drop, mark, and police, and for downstream flow are mark and police. AVC
QoS is applicable only when the application is classified correctly and matched with the class map filter in
the policy map. For example, if the policy has a filter based on an application name, and the traffic has also
been classified to the same application name, then the action specified for this match in the policy will be
applied.
Note
When you downgrade the controller from 8.0 to any earlier version, the AVC rate limit rules display the action
as drop. This action is expected since the AVC rate limit rule is introduced in the controller version 8.0.
Cisco WLC Platform    Flow
Cisco 2504 WLC        26,250
Cisco 5508 WLC        183,750
Cisco WiSM2           393,750
Cisco 8510 WLC        336,000
Cisco 5520 WLC        336,000
Cisco 8540 WLC        336,000
Application Visibility and Control Protocol Packs
Protocol packs are a means to distribute protocol updates outside the switch software release trains, and can
be loaded on the switch without replacing the switch software.
The Application Visibility and Control Protocol Pack (AVC Protocol Pack) is a single compressed file that
contains multiple Protocol Description Language (PDL) files and a manifest file. A set of required protocols
can be loaded, which helps AVC to recognize additional protocols for classification on your network. The
manifest file gives information about the protocol pack, such as the protocol pack name, version, and some
information about the available PDLs in the protocol pack.
The AVC Protocol Packs are released to specific AVC engine versions. You can load a protocol pack if the
engine version on the switch platform is the same or higher than the version required by the protocol pack.
AAA override for AVC profiles
The AAA attribute for client or user profile is configured on the AAA server using authentication from
RADIUS server or Cisco ACS or ISE. The AAA attribute is processed during layer 2 or layer 3 authentication
by the switch and the same is overridden by what is configured on the WLAN.
The AAA AVC profile is defined as a Cisco AV pair. The string option is defined as avc-profile-name and
this value has to be configured for any AVC profile available in the switch.
Supported AVC Class Map and Policy Map Formats
Supported AVC Class Map Format
Class Map Format: match protocol protocol name
Class Map Example:
class-map match-any webex-class
 match protocol webex-media
Direction: Both upstream and downstream

Class Map Format: match protocol attribute category category-name
Class Map Example:
class-map match-any IM
 match protocol attribute category instant-messaging
Direction: Both upstream and downstream

Class Map Format: match protocol attribute sub-category sub-category-name
Class Map Example:
class-map match-any realtimeconferencing
 match protocol attribute sub-category voice-video-chat-collaboration
Direction: Both upstream and downstream

Class Map Format: match protocol attribute application-group application-group-name
Class Map Example:
class-map match-any skype
 match protocol attribute application-group skype-group
Direction: Both upstream and downstream

Class Map Format: Combination filters
Class Map Example:
class-map match-any webex-class
 match protocol webex
 match dscp 45
 match wlan user-priority 6
Direction: Upstream only
Supported AVC Policy Format
Policy Format: Upstream client policy based on match protocol filter
QoS Action: Mark, police, and drop
Policy Format: Downstream client policy based on match protocol filter
QoS Action: Mark and police
The following table describes the detailed AVC policy format with an example:
AVC Policy Format: Basic set
AVC Policy Example:
policy-map webex-policy
 class webex-class
  set dscp ef //or set up,cos
Direction: Upstream and downstream
AVC Policy Format: Basic police
AVC Policy Example:
policy-map webex-policy
 class webex-class
  police 5000000
Direction: Upstream and downstream

AVC Policy Format: Basic set and police
AVC Policy Example:
policy-map webex-policy
 class webex-class
  set dscp ef //or set up,cos
  police 5000000
Direction: Upstream and downstream

AVC Policy Format: Multiple set and police including default
AVC Policy Example:
policy-map webex-policy
 class webex-class
  set dscp af31 //or set up,cos
  police 4000000
 class class-webex-category
  set dscp ef //or set up,cos
  police 6000000
 class class-default
  set dscp <>
Direction: Upstream and downstream

AVC Policy Format: Hierarchical police
AVC Policy Example:
policy-map webex-policy
 class webex-class
  police 5000000
  service-policy client-in-police-only
policy-map client-in-police-only
 class webex-class
  police 100000
 class class-webex-category
  police 200000
Direction: Upstream and downstream

AVC Policy Format: Hierarchical set and police
AVC Policy Example:
policy-map webex-policy
 class class-default
  police 1500000
  service-policy client-up-child
policy-map client-up-child
 class webex-class
  police 100000
  set dscp ef
 class class-webex-category
  police 200000
  set dscp af31
AVC Policy Format: Drop action
AVC Policy Example: Any of the above examples apply to this format with this additional example:
policy-map webex-policy
 class webex-class
  drop
 class netflix
  set dscp ef //or set up,cos
  police 6000000
 class class-default
  set dscp <>
Direction: Upstream only
Prerequisites for Application Visibility and Control
• The access points should be AVC capable.
• For the control part of AVC (QoS) to work, the application visibility feature with FNF has to be configured.
Guidelines for Inter-Controller Roaming with Application Visibility and Control
Follow these guidelines to prevent clients from getting excluded due to malformed QoS policies:
• When a new QoS policy is added to the controller, a QoS policy with the same name should be added
to the other controllers within the same roam or mobility domain.
• When a controller is loaded with a software image of a later release, the new policy formats are supported.
If you have upgraded the software image from an earlier release to a later release, you should save the
configuration separately. When an earlier release image is loaded, some QoS policies might show as not
supported, and you should restore those QoS policies to supported policy formats.
Restrictions for Application Visibility and Control
• AVC is supported only on the following access points:
• Cisco Aironet 1260 Series Access Points
• Cisco Aironet 1600 Series Access Points
• Cisco Aironet 2600 Series Access Point
• Cisco Aironet 2600 Series Wireless Access Points
• Cisco Aironet 2700 Series Access Point
• Cisco Aironet 3500 Series Access Points
• Cisco Aironet 3600 Series Access Points
• AVC is not supported on Cisco Aironet 702W, 702I (128 M memory), and 1530 Series Access Points.
• Dropping or marking of the data traffic (control part) is not supported for software Release 3.3.
• Dropping or marking of the data traffic (control part) is supported in software Release 3E.
• Only the applications that are recognized with application visibility can be used for applying QoS control.
• Multicast traffic classification is not supported.
• IPv6 including ICMPv6 traffic classifications are not supported.
• Datalink is not supported for NetFlow fields for AVC.
• The following commands are not supported for AVC flow records:
• collect flow username
• collect interface { input | output}
• collect wireless client ipv4 address
• match interface { input | output}
• match transport igmp type
• The template timeout cannot be modified on exporters configured with AVC. Even if the template timeout
value is configured to a different value, only the default value of 600 seconds is used.
• For the username information in the AVC-based record templates, ensure that you configure the options
records to get the user MAC address to username mapping.
• When there is a mix of AVC-enabled APs such as 3600, and non-AVC-enabled APs such as 1140, and
the chosen policy for the client is AVC-enabled, the policy will not be sent to the APs that cannot support
AVC.
• Only ingress AVC statistics are supported. The frequency of statistics updates depends on the number
of clients loaded at the AP at that time. Statistics are not supported for very large policy format sizes.
• The total number of flows for which downstream AVC QoS is supported per client is 1000.
• The maximum number of flows supported is 360 K for the Cisco WLC 5700 Series and 48 K for the
Catalyst 3850 Series Switch.
• These are some class map and policy map-related restrictions. For supported policy formats, see Supported
AVC Class Map and Policy Map Formats.
• AVC and non-AVC classes cannot be defined together in a policy in a downstream direction. For
example, when you have a class map with match protocol, you cannot use any other type of match
filter in the policy map in the downstream direction.
• Drop action is not applicable for the downstream AVC QoS policy.
• Match protocol is not supported in ingress or egress for SSID policy.
• Google shares resources among several of its services, so some traffic cannot be attributed to a single application. Therefore, google-services was added for traffic that cannot be distinguished. The behavior you experience is expected.
How to Configure Application Visibility and Control
Configuring Application Visibility and Control (CLI)
To configure Application Visibility, follow these general steps:
1. Create a flow record by specifying keys and non-key fields to the flow.
2. Create an optional flow exporter by specifying the flow record as an option.
3. Create a flow monitor based on the flow record and flow exporter.
4. Configure WLAN to apply flow monitor in IPv4 input or output direction.
To configure Application Control, follow these general steps:
1. Create an AVC QoS policy.
2. Attach AVC QoS policy to the client in one of three ways: configuring WLAN, using ACS or ISE, or
adding local policies.
Creating a Flow Record
By default, the wireless avc basic flow record is available. When you click Apply from the GUI, the record is mapped to the flow monitor.
The default flow record cannot be edited or deleted. If you require a new flow record, you need to create one and map it to the flow monitor from the CLI.
SUMMARY STEPS
1. configure terminal
2. flow record flow_record_name
3. description string
4. match ipv4 protocol
5. match ipv4 source address
6. match ipv4 destination address
7. match transport source-port
8. match transport destination-port
9. match flow direction
10. match application name
11. match wireless ssid
12. collect counter bytes long
13. collect counter packets long
14. collect wireless ap mac address
15. collect wireless client mac address
16. end
DETAILED STEPS
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
flow record flow_record_name
Enters flow record configuration mode.
Example:
Controller(config)# flow record record1
Controller(config-flow-record)#
Step 3
description string
(Optional) Describes the flow record as a maximum 63-character string.
Example:
Controller(config-flow-record)# description IPv4flow
Step 4
match ipv4 protocol
Specifies a match to the IPv4 protocol.
Example:
Controller(config-flow-record)# match ipv4 protocol
Step 5
match ipv4 source address
Specifies a match to the IPv4 source address-based field.
Example:
Controller(config-flow-record)# match ipv4 source address
Step 6
match ipv4 destination address
Specifies a match to the IPv4 destination address-based field.
Example:
Controller(config-flow-record)# match ipv4 destination address
Step 7
match transport source-port
Specifies a match to the transport layer source-port field.
Example:
Controller(config-flow-record)# match transport source-port
Step 8
match transport destination-port
Specifies a match to the transport layer destination-port field.
Example:
Controller(config-flow-record)# match transport destination-port
Step 9
match flow direction
Specifies a match to the direction the flow was monitored in.
Example:
Controller(config-flow-record)# match flow direction
Step 10
match application name
Specifies a match to the application name.
Note
This action is mandatory for AVC support, as this allows the flow to be matched against the application.
Example:
Controller(config-flow-record)# match application name
Step 11
match wireless ssid
Specifies a match to the SSID name identifying the wireless network.
Example:
Controller(config-flow-record)# match wireless ssid
Step 12
collect counter bytes long
Specifies to collect counter fields total bytes.
Example:
Controller(config-flow-record)# collect counter bytes long
Step 13
collect counter packets long
Specifies to collect counter fields total packets.
Example:
Controller(config-flow-record)# collect counter packets long
Step 14
collect wireless ap mac address
Specifies to collect the BSSID with MAC addresses of the access points that the wireless client is associated with.
Example:
Controller(config-flow-record)# collect wireless ap mac address
Step 15
collect wireless client mac address
Specifies to collect MAC address of the client on the wireless network.
Note
The collect wireless client mac address is mandatory configuration for wireless AVC.
Example:
Controller(config-flow-record)# collect wireless client mac address
Step 16
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Creating a Flow Exporter (Optional)
You can create a flow exporter to define the export parameters for a flow. This is an optional procedure for configuring flow parameters.
SUMMARY STEPS
1. configure terminal
2. flow exporter flow_exporter_name
3. description string
4. destination {hostname | ip-address}
5. transport udp port-value
6. option application-table timeout seconds (optional)
7. option usermac-table timeout seconds (optional)
8. end
9. show flow exporter
10. end
DETAILED STEPS
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
flow exporter flow_exporter_name
Enters flow exporter configuration mode.
Example:
Controller(config)# flow exporter record1
Controller(config-flow-exporter)#
Step 3
description string
Describes the flow record as a maximum 63-character string.
Example:
Controller(config-flow-exporter)# description IPv4flow
Step 4
destination {hostname | ip-address}
Specifies the hostname or IPv4 address of the system to which the exporter sends data.
Example:
Controller(config-flow-exporter)# destination 10.99.1.4
Step 5
transport udp port-value
Configures a port value for the UDP protocol.
Example:
Controller(config-flow-exporter)# transport udp 2
Step 6
option application-table timeout seconds (optional)
(Optional) Specifies application table timeout option. The valid range is from 1 to 86400 seconds.
Example:
Controller(config-flow-exporter)# option application-table timeout 500
Step 7
option usermac-table timeout seconds (optional)
(Optional) Specifies wireless usermac-to-username table option. The valid range is from 1 to 86400 seconds.
Example:
Controller(config-flow-exporter)# option usermac-table timeout 1000
Step 8
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Step 9
show flow exporter
Verifies your configuration.
Example:
Controller# show flow exporter
Step 10
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Creating a Flow Monitor
You can create a flow monitor and associate it with a flow record and a flow exporter.
SUMMARY STEPS
1. configure terminal
2. flow monitor monitor-name
3. description description
4. record record-name
5. exporter exporter-name
6. cache timeout {active | inactive} (Optional)
7. end
8. show flow monitor
DETAILED STEPS
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
flow monitor monitor-name
Creates a flow monitor and enters flow monitor configuration mode.
Example:
Controller(config)# flow monitor flow-monitor-1
Step 3
description description
Creates a description for the flow monitor.
Example:
Controller(config-flow-monitor)# description flow-monitor-1
Step 4
record record-name
Specifies the name of a record that was created previously.
Example:
Controller(config-flow-monitor)# record flow-record-1
Step 5
exporter exporter-name
Specifies the name of an exporter that was created previously.
Example:
Controller(config-flow-monitor)# exporter flow-exporter-1
Step 6
cache timeout {active | inactive} (Optional)
(Optional) Configures flow cache parameters. You can configure a time period of 1 to 604800 seconds.
Note
To achieve optimal results for the AVC flow monitor, we recommend that you configure the inactive cache timeout value to be greater than 90 seconds.
Example:
Controller(config-flow-monitor)# cache timeout active 1800
Controller(config-flow-monitor)# cache timeout inactive 200
Step 7
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Step 8
show flow monitor
Verifies your configuration.
Example:
Controller# show flow monitor
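The record, exporter, and monitor procedures above carry several constraints (mandatory fields, commands unsupported for AVC, timeout ranges, the 90-second inactive-timeout recommendation) that are easy to miss in a saved configuration. The following audit script is an added example, not part of the Cisco guide; the sample configuration, its object names, and the one-space running-config indentation are constructed assumptions, and every flow record in the input is assumed to be intended for AVC.

```python
import re

# Restrictions quoted from the guide text.
UNSUPPORTED = ("collect flow username", "collect interface",
               "collect wireless client ipv4 address", "match interface",
               "match transport igmp type")
MANDATORY = ("match application name", "collect wireless client mac address")
DEFAULT_RECORD = "wireless avc basic"  # system-generated, so absent from the config

# Constructed sample (assumption): running-config style, invented object names.
SAMPLE_CONFIG = """\
flow record good-rec
 match application name
 collect counter bytes long
 collect wireless client mac address
!
flow record bad-rec
 match interface input
 collect flow username
!
flow exporter exp-1
 destination 10.99.1.4
 option application-table timeout 500
!
flow monitor mon-good
 record good-rec
 exporter exp-1
 cache timeout inactive 200
!
flow monitor mon-bad
 record bad-rec
 exporter exp-missing
 cache timeout inactive 30
 cache timeout active 700000
"""


def parse_sections(config):
    """Map (kind, name) to the normalized sub-commands of each flow block."""
    sections, current = {}, None
    for raw in config.splitlines():
        head = re.match(r"flow (record|exporter|monitor) (\S+)\s*$", raw)
        if head:
            current = sections.setdefault((head.group(1), head.group(2)), [])
        elif raw.startswith(" ") and current is not None:
            current.append(" ".join(raw.split()))
        else:
            current = None  # '!' or any other top-level line closes the block
    return sections


def audit_avc_flow_config(config):
    """Return a sorted list of findings for flow records, exporters, monitors."""
    sections = parse_sections(config)
    findings = []

    def add(kind, name, message):
        findings.append(f"{kind} {name}: {message}")

    for (kind, name), cmds in sections.items():
        if kind == "record":
            for field in MANDATORY:
                if field not in cmds:
                    add(kind, name, f"missing mandatory '{field}'")
            for cmd in cmds:
                if cmd.startswith(UNSUPPORTED):
                    add(kind, name, f"unsupported for AVC: '{cmd}'")
        elif kind == "exporter":
            if not any(c.startswith("destination ") for c in cmds):
                add(kind, name, "no destination configured")
            if not any(c.startswith("option usermac-table") for c in cmds):
                add(kind, name, "no usermac-table option (MAC-to-username mapping)")
            for cmd in cmds:
                m = re.match(r"option (application|usermac)-table timeout (\d+)$", cmd)
                if m and not 1 <= int(m.group(2)) <= 86400:
                    add(kind, name, f"{m.group(1)}-table timeout outside 1-86400")
        else:  # monitor
            record = next((c[7:] for c in cmds if c.startswith("record ")), None)
            if record is None:
                add(kind, name, "no record attached")
            elif record != DEFAULT_RECORD and ("record", record) not in sections:
                add(kind, name, f"record '{record}' is not defined")
            for cmd in cmds:
                if cmd.startswith("exporter ") and ("exporter", cmd[9:]) not in sections:
                    add(kind, name, f"exporter '{cmd[9:]}' is not defined")
                m = re.match(r"cache timeout (active|inactive) (\d+)$", cmd)
                if not m:
                    continue
                which, secs = m.group(1), int(m.group(2))
                if not 1 <= secs <= 604800:
                    add(kind, name, f"{which} cache timeout outside 1-604800")
                elif which == "inactive" and secs <= 90:
                    add(kind, name, "inactive cache timeout should exceed 90 seconds")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_avc_flow_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the script reports only the deliberately broken objects (bad-rec, mon-bad) and the exporter's missing usermac-table option.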
Creating AVC QoS Policy
To create AVC QoS policy, perform these general steps:
1. Create a class map with match protocol filters.
2. Create a policy map.
3. Apply a policy map to the client in one of the following ways:
   1. Apply a policy map over WLAN either from the CLI or GUI.
   2. Apply a policy map through the AAA server (ACS server or ISE) from the CLI. For more information, refer to the Cisco Identity Services Engine User Guide and Cisco Secure Access Control System User Guide.
   3. Apply local policies either from the CLI or GUI.
Creating a Class Map
You need to create a class map before configuring any match protocol filter. The QoS actions such as marking,
policing, and dropping can be applied to the traffic. The AVC match protocol filters are applied only for the
wireless clients. For more information about the protocols that are supported, see http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_nbar/prot_lib/config_library/nbar-prot-pack-library.html.
SUMMARY STEPS
1. configure terminal
2. class-map class-map-name
3. match protocol {application-name | attribute category category-name | attribute sub-category sub-category-name | attribute application-group application-group-name}
4. end
DETAILED STEPS
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
class-map class-map-name
Creates a class map.
Example:
Controller(config)# class-map webex-class
Step 3
match protocol {application-name | attribute category category-name | attribute sub-category sub-category-name | attribute application-group application-group-name}
Specifies match to the application name, category name, subcategory name, or application group.
Example:
Controller(config)# class-map webex-class
Controller(config-cmap)# match protocol webex-media
Controller(config)# class-map class-webex-category
Controller(config-cmap)# match protocol attribute category webex-media
Controller(config)# class-map class-webex-sub-category
Controller(config-cmap)# match protocol attribute sub-category webex-media
Controller(config)# class-map class-webex-application-group
Controller(config-cmap)# match protocol attribute application-group webex-media
Step 4
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Creating a Policy Map
SUMMARY STEPS
1. configure terminal
2. policy-map policy-map-name
3. class [class-map-name | class-default]
4. police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]
5. set {dscp new-dscp | cos cos-value}
6. end
DETAILED STEPS
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
policy-map policy-map-name
Creates a policy map by entering the policy map name, and enters policy-map configuration mode.
By default, no policy maps are defined.
The default behavior of a policy map is to set the DSCP to 0 if the packet is an IP packet and to set the CoS to 0 if the packet is tagged. No policing is performed.
Note
To delete an existing policy map, use the no policy-map policy-map-name global configuration command.
Example:
Controller(config)# policy-map webex-policy
Controller(config-pmap)#
Step 3
class [class-map-name | class-default]
Defines a traffic classification, and enters policy-map class configuration mode.
By default, no policy map and class maps are defined.
If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
A class-default traffic class is predefined and can be added to any policy. It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default.
Note
To delete an existing class map, use the no class class-map-name policy-map configuration command.
Example:
Controller(config-pmap)# class webex-class
Controller(config-pmap-c)#
Step 4
police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]
Defines a policer for the classified traffic.
By default, no policer is defined.
• For rate-bps, specify an average traffic rate in bits per second (b/s). The range is 8000 to 10000000000.
• For burst-byte, specify the normal burst size in bytes. The range is 8000 to 1000000.
• (Optional) Specifies the action to take when the rates are exceeded. Use the exceed-action drop keywords to drop the packet. Use the exceed-action policed-dscp-transmit keywords to mark down the DSCP value (by using the policed-DSCP map) and to send the packet.
Example:
Controller(config-pmap-c)# police 100000 80000 exceed-action drop
Step 5
set {dscp new-dscp | cos cos-value}
Classifies IP traffic by setting a new value in the packet.
• For dscp new-dscp, enter a new DSCP value to be assigned to the classified traffic. The range is 0 to 63.
Example:
Controller(config-pmap-c)# set dscp 45
Step 6
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
What to do next
After creating your policy maps, attach the traffic policy or policies to an interface using the service-policy command.
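Before a policy is attached, the documented police and set ranges and the rule that AVC (match protocol) and non-AVC classes cannot share a downstream policy can be checked offline. This lint script is an added example, not code from the Cisco guide; the sample configuration, its names, and the running-config style indentation are constructed assumptions, and the CoS range and five-class limit are the ones the guide gives for client policies in the GUI.

```python
# Constructed sample (assumption): running-config style, invented names.
SAMPLE_QOS = """\
class-map match-any webex-class
 match protocol webex-media
class-map match-any voice-dscp
 match dscp 46
policy-map webex-policy
 class webex-class
  police 100000 80000 exceed-action drop
  set dscp 45
 class class-default
policy-map mixed-policy
 class webex-class
  police 4000 80000
 class voice-dscp
  set dscp 70
"""

# Ranges as documented in the guide: keyword -> (low, high).
RANGES = {
    "rate-bps": (8000, 10_000_000_000),
    "burst-byte": (8000, 1_000_000),
    "dscp": (0, 63),
    "cos": (0, 7),
}
MAX_AVC_CLASSES = 5  # per client policy


def parse_qos(config):
    """Return (class_maps, policies) from class-map / policy-map text.

    class_maps: name -> list of match types ("protocol", "dscp", ...)
    policies:   name -> list of (class name, [action word lists])
    """
    class_maps, policies = {}, {}
    cmap = pmap = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "class-map":
            cmap, pmap = class_maps.setdefault(words[-1], []), None
        elif words[0] == "policy-map":
            pmap, cmap = policies.setdefault(words[-1], []), None
        elif words[0] == "match" and cmap is not None and len(words) > 1:
            cmap.append(words[1])
        elif words[0] == "class" and pmap is not None and len(words) > 1:
            pmap.append((words[1], []))
        elif pmap and raw.startswith(" "):
            pmap[-1][1].append(words)  # action under the most recent class
    return class_maps, policies


def check_range(findings, where, label, value):
    """Record a finding when a numeric value falls outside its documented range."""
    low, high = RANGES[label]
    if value.isdigit() and not low <= int(value) <= high:
        findings.append(f"{where}: {label} {value} outside {low}-{high}")


def lint_avc_qos(config):
    """Return findings for every policy map in the given configuration text."""
    class_maps, policies = parse_qos(config)
    findings = []
    for policy, classes in policies.items():
        names = [name for name, _ in classes]
        avc = [n for n in names if "protocol" in class_maps.get(n, [])]
        other = [n for n in names if n != "class-default" and n not in avc]
        if avc and other:
            findings.append(f"{policy}: mixes AVC classes ({', '.join(avc)}) with "
                            f"non-AVC classes ({', '.join(other)}); not valid downstream")
        if len(avc) > MAX_AVC_CLASSES:
            findings.append(f"{policy}: more than {MAX_AVC_CLASSES} AVC classes")
        for name, actions in classes:
            where = f"{policy}/{name}"
            for words in actions:
                if words[0] == "police" and len(words) >= 3:
                    check_range(findings, where, "rate-bps", words[1])
                    check_range(findings, where, "burst-byte", words[2])
                elif words[0] == "set" and len(words) == 3 and words[1] in ("dscp", "cos"):
                    check_range(findings, where, words[1], words[2])
    return findings


if __name__ == "__main__":
    for finding in lint_avc_qos(SAMPLE_QOS):
        print(finding)
```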
Configuring Local Policies (CLI)
To configure local policies, complete these procedures:
1. Create a service template.
2. Create an interface template.
3. Create a parameter map.
4. Create a policy map.
5. Apply a local policy on a WLAN.
Creating a Service Template (CLI)
SUMMARY STEPS
1. configure terminal
2. service-template service-template-name
3. access-group acl_list
4. vlan vlan_id
5. absolute-timer seconds
6. service-policy qos {input | output}
7. end
DETAILED STEPS
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
service-template service-template-name
Enters service template configuration mode.
Example:
Controller(config)# service-template cisco-phone-template
Controller(config-service-template)#
Step 3
access-group acl_list
Specifies the access list to be applied.
Example:
Controller(config-service-template)# access-group foo-acl
Step 4
vlan vlan_id
Specifies VLAN ID. You can specify a value from 1 to 4094.
Example:
Controller(config-service-template)# vlan 100
Step 5
absolute-timer seconds
Specifies session timeout value for service template. You can specify a value from 1 to 65535.
Example:
Controller(config-service-template)# absolute-timer 20
Step 6
service-policy qos {input | output}
Configures QoS policies for the client.
Example:
Controller(config-service-template)# service-policy qos input foo-qos
Step 7
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Creating a Parameter Map (CLI)
Using a parameter map is preferred over using a class map.
SUMMARY STEPS
1. configure terminal
2. parameter-map type subscriber attribute-to-service parameter-map-name
3. map-index map { device-type | mac-address | oui | user-role | username} {eq | not-eq | regex
filter-name }
4. service-template service-template-name
5. interface-template interface-template-name
6. end
DETAILED STEPS
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
parameter-map type subscriber attribute-to-service parameter-map-name
Specifies the parameter map type and name.
Example:
Controller(config)# parameter-map type subscriber attribute-to-service Aironet-Policy-para
Step 3
map-index map { device-type | mac-address | oui | user-role | username} {eq | not-eq | regex filter-name }
Specifies parameter map attribute filter criteria.
Example:
Controller(config-parameter-map-filter)# 10 map device-type eq "WindowsXP-Workstation"
Step 4
service-template service-template-name
Enters service template configuration mode.
Example:
Controller(config-parameter-map-filter-submode)# service-template cisco-phone-template
Controller(config-parameter-map-filter-submode)#
Step 5
interface-template interface-template-name
Enters service template configuration mode.
Example:
Controller(config-parameter-map-filter-submode)# interface-template cisco-phone-template
Controller(config-parameter-map-filter-submode)#
Step 6
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Creating a Policy Map (CLI)
SUMMARY STEPS
1. configure terminal
2. policy-map type control subscriber policy-map-name
3. event identity-update {match-all | match-first}
4. class_number class {class_map_name | always } {do-all | do-until-failure | do-until-success}
5. action-index map attribute-to-service table parameter-map-name
6. end
DETAILED STEPS
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
policy-map type control subscriber policy-map-name
Specifies the policy map type.
Example:
Controller(config)# policy-map type control subscriber Aironet-Policy
Step 3
event identity-update {match-all | match-first}
Specifies match criteria to the policy map.
Example:
Controller(config-policy-map)# event identity-update match-all
Step 4
class_number class {class_map_name | always } {do-all | do-until-failure | do-until-success}
Configures the local profiling policy class map number and specifies how to perform the action. The class map configuration mode includes the following command options:
• always—Executes without doing any matching but returns success.
• do-all—Executes all the actions.
• do-until-failure—Executes all the actions until any match failure is encountered. This is the default value.
• do-until-success—Executes all the actions until any match success happens.
Example:
Controller(config-class-control-policymap)# 1 class local_policy1_class do-until-success
Step 5
action-index map attribute-to-service table parameter-map-name
Specifies parameter map table to be used.
Example:
Controller(config-policy-map)# 10 map attribute-to-service table Aironet-Policy-para
Step 6
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Applying a Local Policy for a Device on a WLAN (CLI)
Before you begin
If the service policy contains any device type-based rules in the parameter map, ensure that the device classifier
is already enabled.
Note
You should use the device classification command to classify the device for it to be displayed correctly on
the show command output.
SUMMARY STEPS
1. configure terminal
2. wlan wlan-name
3. service-policy type control subscriber policymapname
4. profiling local http (optional)
5. profiling radius http (optional)
6. no shutdown
7. end
DETAILED STEPS
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
wlan wlan-name
Enters WLAN configuration mode.
Example:
Controller(config)# wlan wlan1
Step 3
service-policy type control subscriber policymapname
Applies local policy to WLAN.
Example:
Controller(config-wlan)# service-policy type control subscriber Aironet-Policy
Step 4
profiling local http (optional)
Enables only profiling of devices based on HTTP protocol (optional).
Example:
Controller(config-wlan)# profiling local http
Step 5
profiling radius http (optional)
Enables profiling of devices on ISE (optional).
Example:
Controller(config-wlan)# profiling radius http
Step 6
no shutdown
Specifies not to shut down the WLAN.
Example:
Controller(config-wlan)# no shutdown
Step 7
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Configuring Local Policies (GUI)
To configure local policies, complete these procedures:
Step 1
Create a service template.
Step 2
Create a policy map.
Step 3
Apply a local policy that you have created to a WLAN.
Creating a Service Template (GUI)
Step 1
Choose Configuration > Security > Local Policies > Service Template to open the Service Template page.
Step 2
Create a new template as follows:
a) Click New to open the Service Template > New page.
b) In the Service Template name text box, enter the new service template name.
c) In the VLAN ID text box, enter the VLAN identifier that has to be associated with the policy. The value ranges from
1 to 4094.
d) In the Session timeout text box, enter the maximum amount of time, in seconds, after which a client is forced to
reauthenticate. The value ranges from 1 to 65535 seconds.
e) From the Access control list drop-down list, choose the access control list to be mapped to the policy.
f) From the Ingress QoS drop-down list, choose the ingress QoS policy to be applied.
g) From the Egress QoS drop-down list, choose the egress QoS policy to be applied.
h) Click Apply to save the configuration.
Step 3
Edit a service template as follows:
a) From the Service Template page, click the service template to open the Service Template > Edit page.
b) In the VLAN ID text box, enter the VLAN identifier that has to be associated with the policy. The value ranges from
1 to 4094.
c) In the Session timeout text box, enter the maximum amount of time, in seconds, after which a client is forced to
reauthenticate. The value ranges from 1 to 65535 seconds.
d) From the Access control list drop-down list, choose the access control list to be mapped to the policy.
e) From the Ingress QoS drop-down list, choose the ingress QoS policy to be applied.
f) From the Egress QoS drop-down list, choose the egress QoS policy to be applied.
g) Click Apply to save the configuration.
Step 4
Remove a service template as follows:
a) From the Service Template page, select the service template.
b) Click Remove.
c) Click Apply to save the configuration.
Creating a Policy Map (GUI)
Step 1
Choose Configuration > Security > Local Policies > Policy Map to open the Policy Map page.
Step 2
Create a new policy map as follows:
a) Click New to open the Policy Map > New page.
b) In the Policy Map name text box, enter the new policy map name.
c) Click Add to open the Match Criteria area.
d) From the Device Type drop-down list, choose the device type. The match criteria for the device type can be eq, not-eq,
or regex with respect to the device type you are choosing.
e) From the User Role drop-down list, select the match criteria as eq, not-eq, or regex and enter the user type or user
group of the user, for example, student, teacher, and so on.
f) From the Service Template drop-down list, choose the service template to be mapped to the policy.
g) Click Add. The match criteria is added to the Match Criteria Lists.
h) In the Match Criteria Lists area, click Add to add the match criteria to the policy.
i) Click Apply to save the configuration.
Step 3
Edit a policy map as follows:
a) In the Policy Map page, select the policy map that you want to edit, and click Edit to open the Policy Map > Edit page.
b) In the Match Criteria area, choose the device type from the Device Type drop-down list. The match criteria for the device type can be eq, not-eq, or regex with respect to the device type you are choosing.
c) In the Match Criteria area, choose the user role from the User Role drop-down list. Select the match criteria as eq, not-eq, or regex and enter the user type or user group of the user.
d) From the Service Template drop-down list, choose the service template to be mapped to the policy.
e) Click Ok to save the configuration or Cancel to discard the configuration.
f) Click Add to add more match criteria based on device type, user role, and service template to the policy.
g) In the Match Criteria Lists area, select the match criteria and click Move to to move the match criteria with respect to a value entered in the row text box.
h) Select the match criteria and click Move up to move the match criteria up in the list.
i) Select the match criteria and click Move down to move the match criteria down in the list.
j) Select the match criteria and click Remove to remove the match criteria from the policy map list.
k) Click Apply to save the configuration.
Step 4
Remove a policy map as follows:
a) From the Policy Map page, select the policy map.
b) Click Remove.
c) Click Apply to save the configuration.
Applying Local Policies to WLAN (GUI)
Step 1
Choose Configuration > Wireless > WLAN to open the WLANs page.
Step 2
Click the corresponding WLAN profile. The WLANs > Edit page is displayed.
Step 3
Click the Policy-Mapping tab.
Step 4
Check the Device Classification check box to enable classification based on device type.
Step 5
From the Local Subscriber Policy drop-down list, choose the policy that has to be applied for the WLAN.
Step 6
Select Local HTTP Profiling to enable profiling on devices based on HTTP (optional).
Step 7
Select Radius HTTP Profiling to enable profiling on devices based on RADIUS (optional).
Step 8
Click Apply to save the configuration.
Configuring WLAN to Apply Flow Monitor in IPV4 Input/Output Direction
SUMMARY STEPS
1. configure terminal
2. wlan wlan-id
3. ip flow monitor monitor-name {input | output}
4. end
DETAILED STEPS
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
wlan wlan-id
Enters WLAN configuration submode. For wlan-id, enter the WLAN ID. The range is 1 to 64.
Example:
Controller(config)# wlan 1
Step 3
ip flow monitor monitor-name {input | output}
Associates a flow monitor to the WLAN for input or output packets.
Example:
Controller(config-wlan)# ip flow monitor flow-monitor-1 input
Step 4
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Configuring Application Visibility and Control (GUI)
Configuring Application Visibility (GUI)
You can apply the default flow record (wireless avc basic) to the default flow monitor (wireless-avc-basic).
If you are using a flow record and flow monitor that you have created, the record name and monitor name should be the same. This applies only when configuring AVC from the GUI, not to the CLI configuration.
You can use the flow monitor you have created either for upstream or downstream, or both, but ensure that
you use the same record name while mapping with the flow monitor.
Step 1
Choose Configuration > Wireless > WLAN.
The WLAN page appears.
Step 2
Click on the corresponding WLAN ID to open the WLAN > Edit page and click AVC.
The Application Visibility page appears.
a) Select the Application Visibility Enabled check box to enable AVC on a WLAN.
b) In the Upstream Profile text box, enter the name of the AVC profile.
c) In the Downstream Profile text box, enter the name of the AVC profile.
To enable AVC, you need to enter the profile names for the upstream and downstream profiles. The profile names are
the flow monitor names. By default, the flow monitor names (wireless-avc-basic) appear in the Upstream Profile and
Downstream Profile text boxes. For the default flow monitor, the default flow record (wireless avc basic) will be taken.
The default flow record is generated by the system and is available.
You can change the profile names for the upstream and downstream profiles but ensure that the same flow records are
available for the flow monitors.
The upstream and downstream profiles can have different profile names but there should be flow records available for
the flow monitors.
Step 3
Click Apply to apply AVC on the WLAN.
Step 4
To disable AVC on a specific WLAN, perform the following steps:
• Choose Configuration > Wireless > WLAN to open the WLAN page.
• Click on the corresponding WLAN ID to open the WLAN > Edit page.
• Click AVC to open the Application Visibility page.
• Uncheck the Application Visibility Enabled check box.
• Click Apply to disable AVC on the specific WLAN.
Configuring Application Visibility and Control (GUI)
Step 1
Choose Configuration > Wireless.
Step 2
Expand the QoS node by clicking the left pane and choosing QOS-Policy.
The QOS-Policy page is displayed.
Step 3
Click Add New to create a new QoS Policy.
The Create QoS Policy page is displayed.
Step 4
Select Client from the Policy Type drop-down list.
Step 5
Select the direction into which the policy needs to be applied from the Policy Direction drop-down list.
The available options are:
• Ingress
• Egress
Step 6
In the Policy Name text box, specify a policy name.
Step 7
In the Description text box, provide a description to the policy.
Step 8
Check the Enable Application Recognition check box to configure the AVC class map for a client policy.
Note
For an egress client policy, when you enable Application Recognition, the Voice, Video, and User Defined
check boxes are disabled.
The following options are available:
• Trust—Specify a classification type for this policy.
• Protocol—Allows you to choose the protocols and configure the marking and policing of the packets.
• Category—Allows you to choose the category of the application, for example, browsing.
• Subcategory—Allows you to choose the subcategory of the application, for example, file-sharing.
• Application-Group—Allows you to choose the application group, for example, ftp-group.
• Protocol Choice—Choose the protocols, category, subcategory, or application group from the Available Protocols
list into the Assigned Protocols to apply the marking and policing of the packets.
• Mark—Specify the marking label for each packet. The following options are available:
• DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
• CoS—Matches IEEE 802.1Q class of service. The range is from 0 to 7.
• None—Does not mark the packets.
• Police (kbps)—Specify the policing rate in kbps. This option is available when the Policy Direction is egress.
• Drop—Specify to drop the ingress packets that correspond to the chosen protocols.
Note
You can add a maximum of five AVC classes for each client policy.
Step 9
Click Add to create an AVC class map. The new class map is listed in a tabular format.
Step 10
Click Apply to create an AVC QoS policy.
Step 11
Click the QoS policy link in the QOS-Policy page to edit the QoS policy. The QOS-Policy > Edit page is displayed.
Make changes and click Apply to commit your changes.
Step 12
Remove an AVC class map from the QoS policy by navigating to the corresponding AVC class map row in the AVC
class map table and clicking Remove. Click Apply to commit your changes.
Monitoring Application Visibility and Control
Monitoring Application Visibility and Control (CLI)
This section describes the new commands for application visibility.
The following commands can be used to monitor application visibility on the controller and access points.
Table 14: Monitoring Application Visibility Commands on the controller
Command: show avc client client-mac top n application [aggregate | upstream | downstream]
Purpose: Displays information about top "N" applications for the given client MAC.
Command: show avc wlan ssid top n application [aggregate | upstream | downstream]
Purpose: Displays information about top "N" applications for the given SSID.
Command: avc top user[enable | disable]
Purpose: Enables or disables the information about top "N" application.
Command: show avc wlan wlan-id application app name topN [aggregate | upstream | downstream]
Purpose: Displays network usage information on a per-user basis within an application.
Note
On Catalyst 4500E Supervisor Engine 8-E, in the information about top N users that is displayed,
the client's MAC address and username are not displayed. This issue occurs only within 90
seconds after the client is disconnected.
Command: show wlan id wlan-id
Purpose: Displays information whether AVC is enabled or disabled on a particular WLAN.
Command: show flow monitor flow_monitor_name cache
Purpose: Displays information about flow monitors.
Command: show wireless client mac-address mac-address service-policy { input | output }
Purpose: Displays information about policy mapped to the wireless clients.
Table 15: Clearing Application Visibility Statistics Commands
Command: clear avc client mac stats
Purpose: Clears the statistics per client.
Command: clear avc wlan wlan-name stats
Purpose: Clears the statistics per WLAN.
Monitoring Application Visibility and Control (GUI)
You can view AVC information on a WLAN in a single shot using an AVC on WLAN pie chart on the Home
page of the controller. The pie chart displays the AVC data (Aggregate - Application Cumulative usage %)
of the first WLAN. In addition, the top 5 WLANs based on clients are displayed first. Click on any one of the
WLANs to view the corresponding pie chart information. If AVC is not enabled on the first WLAN, then the
Home page does not display the AVC pie chart.
Step 1
Choose Monitor > Controller > AVC > WLANs.
The WLANs page appears.
Step 2
Click the corresponding WLAN profile.
The Application Statistics page appears.
From the Top Applications drop-down list, choose the number of top applications you want to view and click Apply.
The valid range is from 5 to 30, in multiples of 5.
a) On the Aggregate, Upstream, and Downstream tabs, you can view the application cumulative and last 90 seconds
statistics and usage percent with the following fields:
• Application name
• Packet count
• Byte count
• Average packet size
• usage (%)
Step 3
Choose Monitor > Clients > Client Details > Clients.
The Clients page appears.
Step 4
Click Client MAC Address and then click AVC Statistics tab.
The Application Visibility page appears.
a) On the Aggregate, Upstream, and Downstream tabs, you can view the application cumulative and last 90 seconds
statistics and usage percent with the following fields:
• Application name
• Packet count
• Byte count
• Average packet size
• usage (%)
Monitoring SSID and Client Policies Statistics (GUI)
Statistics are supported only for ingress policies with a maximum of five classes on wireless targets. For very
large policies, statistics for ingress policies are not visible at the controller. The frequency of the statistics
depends on the number of clients associated with the access point.
Type of Statistics: SSID Policies
Method: Choose Monitor > Controller > Statistics > QoS. The QoS page is displayed with a list of SSID
policies, Radio Type, and AP. Choose an SSID policy, radio, and access point from the drop-down lists
and click Apply to view the statistics of the chosen SSID policy.
Details: You can view details such as match criteria, confirmed bytes, conformed rate, and exceeded rate.
Type of Statistics: Client Policies
Method: Choose Monitor > Clients > Client Details. The Clients page is displayed with a list of client
MAC addresses, AP, and other details. Click the MAC address of a client and click the QoS Statistics tab.
Details: You can view details such as match criteria, confirmed bytes, conformed rate, and exceeded rate.
Examples: Application Visibility and Control
Examples: Application Visibility Configuration
This example shows how to create a flow record, create a flow monitor, apply the flow record to the flow
monitor, and apply the flow monitor on a WLAN:
Controller# configure terminal
Controller(config)# flow record fr_v4
Controller(config-flow-record)# match ipv4 protocol
Controller(config-flow-record)# match ipv4 source address
Controller(config-flow-record)# match ipv4 destination address
Controller(config-flow-record)# match transport destination-port
Controller(config-flow-record)# match flow direction
Controller(config-flow-record)# match application name
Controller(config-flow-record)# match wireless ssid
Controller(config-flow-record)# collect counter bytes long
Controller(config-flow-record)# collect counter packets long
Controller(config-flow-record)# collect wireless ap mac address
Controller(config-flow-record)# collect wireless client mac address
Controller(config-flow-record)# end
Controller# configure terminal
Controller(config)# flow monitor fm_v4
Controller(config-flow-monitor)# record fr_v4
Controller(config-flow-monitor)# cache timeout active 1800
Controller(config-flow-monitor)# end
Controller# configure terminal
Controller(config)# wlan wlan1
Controller(config-wlan)# ip flow monitor fm_v4 input
Controller(config-wlan)# ip flow monitor fm_v4 output
Controller(config-wlan)# end
Examples: Application Visibility and Control QoS Configuration
This example shows how to create class maps and apply match protocol filters for application name, category,
and subcategory:
Controller# configure terminal
Controller(config)# class-map cat-browsing
Controller(config-cmap)# match protocol attribute category browsing
Controller(config-cmap)#end
Controller# configure terminal
Controller(config)# class-map cat-fileshare
Controller(config-cmap)# match protocol attribute category file-sharing
Controller(config-cmap)#end
Controller# configure terminal
Controller(config)# class-map match-any subcat-terminal
Controller(config-cmap)# match protocol attribute sub-category terminal
Controller(config-cmap)#end
Controller# configure terminal
Controller(config)# class-map match-any webex-meeting
Controller(config-cmap)# match protocol webex-meeting
Controller(config-cmap)#end
This example shows how to create policy maps and define existing class maps for upstream QoS:
Controller# configure terminal
Controller(config)# policy-map test-avc-up
Controller(config-pmap)# class cat-browsing
Controller(config-pmap-c)# police 150000
Controller(config-pmap-c)# set dscp 12
Controller(config-pmap-c)#end
Controller# configure terminal
Controller(config)# policy-map test-avc-up
Controller(config-pmap)# class cat-fileshare
Controller(config-pmap-c)# police 1000000
Controller(config-pmap-c)# set dscp 20
Controller(config-pmap-c)#end
Controller# configure terminal
Controller(config)# policy-map test-avc-up
Controller(config-pmap)# class subcat-terminal
Controller(config-pmap-c)# police 120000
Controller(config-pmap-c)# set dscp 15
Controller(config-pmap-c)#end
Controller# configure terminal
Controller(config)# policy-map test-avc-up
Controller(config-pmap)# class webex-meeting
Controller(config-pmap-c)# police 50000000
Controller(config-pmap-c)# set dscp 21
Controller(config-pmap-c)#end
This example shows how to create policy maps and define existing class maps for downstream QoS:
Controller# configure terminal
Controller(config)# policy-map test-avc-down
Controller(config-pmap)# class cat-browsing
Controller(config-pmap-c)# police 200000
Controller(config-pmap-c)# set dscp 10
Controller(config-pmap-c)#end
Controller# configure terminal
Controller(config)# policy-map test-avc-down
Controller(config-pmap)# class cat-fileshare
Controller(config-pmap-c)# police 300000
Controller(config-pmap-c)# set wlan user-priority 2
Controller(config-pmap-c)# set dscp 20
Controller(config-pmap-c)#end
Controller# configure terminal
Controller(config)# policy-map test-avc-down
Controller(config-pmap)# class subcat-terminal
Controller(config-pmap-c)# police 100000
Controller(config-pmap-c)# set dscp 25
Controller(config-pmap-c)#end
Controller# configure terminal
Controller(config)# policy-map test-avc-down
Controller(config-pmap)# class webex-meeting
Controller(config-pmap-c)# police 60000000
Controller(config-pmap-c)# set dscp 41
Controller(config-pmap-c)#end
This example shows how to apply defined QoS policy on a WLAN:
Controller# configure terminal
Controller(config)# wlan alpha
Controller(config-wlan)# shutdown
Controller(config-wlan)# service-policy client input test-avc-up
Controller(config-wlan)# service-policy client output test-avc-down
Controller(config-wlan)# no shutdown
Controller(config-wlan)# end
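The flow record, flow monitor, class map, policy map, and WLAN in these examples refer to each other by name, so one misspelled name breaks the chain. The following Python script is an added example, not part of the Cisco guide: it cross-checks those names in configuration text and flags client policies with more than five AVC classes. The sample configuration is constructed, the function names are hypothetical, and the parser assumes that sub-commands are indented under the command that opens their block.

```python
# Added example: cross-reference audit for AVC configuration text.
# The sample below is constructed from the command forms used in the examples above.
# Two deliberate defects: the WLAN references flow monitor "fm-v4" (only "fm_v4"
# is defined) and client policy "test-avc-down" (never defined).
SAMPLE_CONFIG = """\
flow record fr_v4
 match ipv4 protocol
 match application name
 collect counter bytes long
flow monitor fm_v4
 record fr_v4
 cache timeout active 1800
class-map cat-browsing
 match protocol attribute category browsing
class-map cat-fileshare
 match protocol attribute category file-sharing
policy-map test-avc-up
 class cat-browsing
  police 150000
  set dscp 12
 class cat-fileshare
  police 1000000
  set dscp 20
wlan wlan1
 ip flow monitor fm_v4 input
 ip flow monitor fm-v4 output
 service-policy client input test-avc-up
 service-policy client output test-avc-down
"""

MAX_AVC_CLASSES = 5  # the guide's limit of five AVC classes per client policy


def parse_config(text):
    """Collect definitions and references from indented configuration text."""
    cfg = {"records": set(), "monitors": {}, "class_maps": {},
           "policy_maps": {}, "wlans": {}}
    block = None  # (kind, name) of the top-level block being read
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line opens a new block
            block = None
            if words[:2] == ["flow", "record"] and len(words) == 3:
                cfg["records"].add(words[2])
            elif words[:2] == ["flow", "monitor"] and len(words) == 3:
                block = ("monitor", words[2])
                cfg["monitors"].setdefault(words[2], None)
            elif words[0] == "class-map" and len(words) >= 2:
                block = ("cmap", words[-1])  # name follows match-any / match-all
                cfg["class_maps"].setdefault(words[-1], False)
            elif words[0] == "policy-map" and len(words) == 2:
                block = ("policy", words[1])
                cfg["policy_maps"].setdefault(words[1], [])
            elif words[0] == "wlan" and len(words) >= 2:
                block = ("wlan", words[1])
                cfg["wlans"].setdefault(words[1], {"monitors": [], "policies": []})
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "monitor" and words[0] == "record" and len(words) == 2:
            cfg["monitors"][name] = words[1]
        elif kind == "cmap" and words[:2] == ["match", "protocol"]:
            cfg["class_maps"][name] = True  # a match protocol filter makes it an AVC class
        elif kind == "policy" and words[0] == "class" and len(words) == 2:
            cfg["policy_maps"][name].append(words[1])
        elif kind == "wlan" and words[:3] == ["ip", "flow", "monitor"] and len(words) == 5:
            cfg["wlans"][name]["monitors"].append((words[3], words[4]))
        elif kind == "wlan" and words[:2] == ["service-policy", "client"] and len(words) == 4:
            cfg["wlans"][name]["policies"].append((words[3], words[2]))
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means every reference resolves."""
    findings = []
    for mon, rec in sorted(cfg["monitors"].items()):
        if rec is None:
            findings.append(f"flow monitor {mon}: no flow record attached")
        elif rec not in cfg["records"]:
            findings.append(f"flow monitor {mon}: flow record {rec} is not defined")
    client_policies = {p for w in cfg["wlans"].values() for p, _ in w["policies"]}
    for pol, classes in sorted(cfg["policy_maps"].items()):
        for cls in classes:
            if cls != "class-default" and cls not in cfg["class_maps"]:
                findings.append(f"policy-map {pol}: class {cls} is not defined")
        avc = [c for c in classes if cfg["class_maps"].get(c)]
        if pol in client_policies and len(avc) > MAX_AVC_CLASSES:
            findings.append(f"policy-map {pol}: {len(avc)} AVC classes, limit is {MAX_AVC_CLASSES}")
    for wlan, refs in sorted(cfg["wlans"].items()):
        for mon, direction in refs["monitors"]:
            if mon not in cfg["monitors"]:
                findings.append(f"wlan {wlan}: flow monitor {mon} ({direction}) is not defined")
        for pol, direction in refs["policies"]:
            if pol not in cfg["policy_maps"]:
                findings.append(f"wlan {wlan}: client policy {pol} ({direction}) is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```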
Example: Configuring QoS Attribute for Local Profiling Policy
The following example shows how to configure QoS attribute for a local profiling policy:
Controller(config)# class-map type control subscriber match-all local_policy1_class
Controller(config-filter-control-classmap)# match device-type android
Controller(config)# service-template local_policy1_template
Controller(config-service-template)# vlan 40
Controller(config-service-template)# service-policy qos output local_policy1
Controller(config)# policy-map type control subscriber local_policy1
Controller(config-event-control-policymap)# event identity-update match-all
Controller(config-class-control-policymap)# 1 class local_policy1_class do-until-success
Controller(config-action-control-policymap)# 1 activate service-template local_policy1_template
Controller(config)# wlan open_auth 9
Controller(config-wlan)# client vlan VLAN40
Controller(config-wlan)# service-policy type control subscriber local_policy1
Additional References for Application Visibility and Control
Related Documents
Related Topic | Document Title
System management commands | System Management Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Flexible NetFlow configuration | Flexible NetFlow Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Flexible NetFlow commands | Flexible NetFlow Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
QoS configuration | QoS Configuration Guide, Cisco IOS XE Release 3E (Cisco WLC 5700 Series)
QoS commands | QoS Command Reference, Cisco IOS XE Release 3E (Cisco WLC 5700 Series)
Standards and RFCs
Standard/RFC | Title
None | —
MIBs
MIB | MIBs Link
All the supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/support
Feature History and Information For Application Visibility and Control
Release | Feature Information
Cisco IOS XE 3.3SE | This feature was introduced.
Cisco IOS XE 3E | AVC control with QoS was introduced.
CHAPTER 11
Configuring Voice and Video Parameters
• Finding Feature Information
• Prerequisites for Voice and Video Parameters
• Restrictions for Voice and Video Parameters
• Information About Configuring Voice and Video Parameters
• How to Configure Voice and Video Parameters
• Monitoring Voice and Video Parameters
• Configuration Examples for Voice and Video Parameters
• Additional References for Voice and Video Parameters
• Feature History and Information For Performing Voice and Video Parameters Configuration
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Prerequisites for Voice and Video Parameters
You can confirm the following points before configuring voice and video parameters:
• Ensure that the controller has access points connected to it.
• Configure SSID.
Restrictions for Voice and Video Parameters
The following are the restrictions that you should keep in mind while configuring voice and video parameters:
• SIP CAC can be used for the 9971 Cisco phones that support TSPEC-based admission control. You can
also use the phones that support Status code 17.
• SIP snooping is supported for providing voice priority to the non-TSPEC SIP phones.
• TSPEC for video CAC is not supported.
• The following features are not supported for the 802.11ac module on the Cisco 3600 Access Point:
• Voice support
• CAC support
• TSM support
• When the 802.11ac module is enabled, the 11n LBCAC parameters can be inaccurate resulting in
degradation in voice quality of 11ac enabled calls.
• Cisco 792x IP phones that are admitted as non-WMM devices with 11K enabled will experience audio
problems.
Note
Disable 11K for voice WLAN for all 792x Cisco IP phones that are admitted as
non-WMM devices with 11K enabled. Upgrade the firmware on Cisco Unified
Call Manager to 1.4.5 to resolve this issue. Refer to the Cisco Unified Call
Manager configuration guide for more information.
Information About Configuring Voice and Video Parameters
Three parameters on the controller affect voice and/or video quality:
• Call Admission Control
• Expedited bandwidth requests
• Unscheduled automatic power save delivery
Call Admission Control (CAC) and UAPSD are supported on Cisco Compatible Extensions (CCX) v4 and
v5; these parameters are also supported without CCX on any device implementing WMM
(that supports 802.11e). Expedited bandwidth requests are supported only on CCXv5.
Traffic stream metrics (TSM) can be used to monitor and report issues with voice quality.
Call Admission Control
Call Admission Control (CAC) enables an access point to maintain controlled quality of service (QoS) when
the wireless LAN is experiencing congestion. The WMM protocol deployed in CCXv4 maintains QoS under
differing network loads.
Two types of Over The Air (OTA) CAC are available: static-based CAC and load-based CAC.
The controller supports the following QoS policies:
• User-defined policies: You can define your own QoS policies. You can have more control over these
policies than the existing metal policies.
• System-defined precious metal policies: To support backward compatibility.
• Platinum: Used for VoIP clients.
• Gold: Used for video clients.
• Silver: Used for best effort traffic.
• Bronze: Used for NRT traffic.
Static-Based CAC
Voice over WLAN applications supporting WMM and TSPEC can specify how much bandwidth or shared
medium time is required to initiate a call. Bandwidth-based, or static, CAC enables the access point to determine
whether it is capable of accommodating a particular call. The access point rejects the call if necessary in order
to maintain the maximum allowed number of calls with acceptable quality.
The QoS setting for a WLAN determines the level of bandwidth-based CAC support. To use bandwidth-based
CAC with voice applications, the WLAN must be configured for Platinum QoS. With bandwidth-based CAC,
the access point bandwidth availability is determined based on the amount of bandwidth currently used by
the access point clients, to which the bandwidth requested by the Voice over WLAN applications is added.
If this total exceeds a configured bandwidth threshold, the new call is rejected.
Note
You must enable admission control (ACM) for CCXv4 clients that have WMM enabled. Otherwise,
bandwidth-based CAC does not operate properly for these CCXv4 clients.
Load-Based CAC
Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all
traffic types (including that from clients), cochannel access point loads, and coallocated channel interference,
for voice and video applications. Load-based CAC also covers the additional bandwidth consumption resulting
from PHY and channel impairment.
In load-based CAC, the access point continuously measures and updates the utilization of the RF channel
(that is, the mean time of bandwidth that has been exhausted), channel interference, and the additional calls
that the access point can admit. The access point admits a new call only if the channel has enough unused
bandwidth to support that call. By doing so, load-based CAC prevents oversubscription of the channel and
maintains QoS under all conditions of WLAN loading and interference.
Note
If you disable load-based CAC, the access points start using bandwidth-based CAC.
IOSd Call Admission Control
IOSd Call Admission Control (CAC) controls bandwidth availability from controller to access point.
You can configure class-based, unconditional packet marking features on your switch for CAC.
CAC is a concept that applies to voice and video traffic only—not data traffic. If an influx of data traffic
oversubscribes a particular link in the network, queueing, buffering, and packet drop decisions resolve the
congestion. The extra traffic is simply delayed until the interface becomes available to send the traffic, or, if
traffic is dropped, the protocol or the end user initiates a timeout and requests a retransmission of the
information.
Network congestion cannot be resolved in this manner when real-time traffic, sensitive to both latency and
packet loss, is present, without jeopardizing the quality of service (QoS) expected by the users of that traffic.
For real-time delay-sensitive traffic such as voice, it is better to deny network access under congestion
conditions than to allow traffic onto the network to be dropped and delayed, causing intermittent impaired
QoS and resulting in customer dissatisfaction.
CAC is therefore a deterministic and informed decision that is made before a voice call is established and is
based on whether the required network resources are available to provide suitable QoS for the new call.
Based on the admit cac CLI configuration, in addition to the existing CAC algorithm, the controller allows
either voice or video with TSPEC or SIP snooping. The admit cac CLI is mandatory for the voice call to pass
through.
If the BSSID policer is configured for the voice or video traffic, then additional checks are performed on the
packets.
Expedited Bandwidth Requests
The expedited bandwidth request feature enables CCXv5 clients to indicate the urgency of a WMM traffic
specifications (TSPEC) request (for example, an e911 call) to the WLAN. When the controller receives this
request, it attempts to facilitate the urgency of the call in any way possible without potentially altering the
quality of other TSPEC calls that are in progress.
You can apply expedited bandwidth requests to both bandwidth-based and load-based CAC. Expedited
bandwidth requests are disabled by default. When this feature is disabled, the controller ignores all expedited
requests and processes TSPEC requests as normal TSPEC requests.
The following table lists examples of TSPEC request handling for normal TSPEC requests and expedited
bandwidth requests.
Table 16: TSPEC Request Handling Examples
CAC Mode | Reserved bandwidth for voice calls [3] | Usage [4] | Normal TSPEC Request | TSPEC with Expedited Bandwidth Request
Bandwidth-based CAC | 75% (default setting) | Less than 75% | Admitted | Admitted
 | | Between 75% and 90% (reserved bandwidth for voice calls exhausted) | Rejected | Admitted
 | | More than 90% | Rejected | Rejected
Load-based CAC | | Less than 75% | Admitted | Admitted
 | | Between 75% and 85% (reserved bandwidth for voice calls exhausted) | Rejected | Admitted
 | | More than 85% | Rejected | Rejected
[3] For bandwidth-based CAC, the voice call bandwidth usage is per access point radio and does not take
into account cochannel access points. For load-based CAC, the voice call bandwidth usage is measured
for the entire channel.
[4] Bandwidth-based CAC (consumed voice and video bandwidth) or load-based CAC (channel utilization
[Pb]).
Note
Admission control for TSPEC G711-20ms and G711-40ms codec types is supported.
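The admission outcomes in Table 16 can be replayed over a sequence of calls to see what the default-disabled expedited bandwidth feature means for an urgent call on a busy radio. This Python model is an added example, not Cisco code: the class and function names are hypothetical, the request sizes are constructed, and it assumes that the Usage column is evaluated on current usage plus the requested bandwidth, as the static-based CAC description states.

```python
# Added example: replay of TSPEC requests against the usage bands of Table 16.
from dataclasses import dataclass, field

RESERVED_VOICE_PCT = 75                                # default reserved voice bandwidth
EXPEDITED_CEILING_PCT = {"bandwidth": 90, "load": 85}  # upper band per CAC mode


@dataclass
class Radio:
    cac_mode: str                    # "bandwidth" (static) or "load"
    expedited_enabled: bool = False  # expedited requests are disabled by default
    usage_pct: int = 0               # voice usage (static) or channel utilization (load)
    history: list = field(default_factory=list)

    def request(self, call_id, needed_pct, expedited=False):
        """Admit or reject one TSPEC request; usage grows only when admitted."""
        # With the feature disabled, an expedited request is a normal request.
        expedited = expedited and self.expedited_enabled
        total = self.usage_pct + needed_pct  # assumption: bands apply to the new total
        if total < RESERVED_VOICE_PCT:
            admitted = True
        elif total <= EXPEDITED_CEILING_PCT[self.cac_mode]:
            admitted = expedited             # reserved voice bandwidth is exhausted
        else:
            admitted = False
        if admitted:
            self.usage_pct = total
        self.history.append((call_id, admitted, self.usage_pct))
        return admitted


def replay(cac_mode, expedited_enabled, start_pct, requests):
    """Run the requests in order; return the outcomes and the final usage."""
    radio = Radio(cac_mode, expedited_enabled, start_pct)
    outcomes = [radio.request(*req) for req in requests]
    return outcomes, radio.usage_pct


# Constructed request sequence: (call id, requested percent, expedited flag)
REQUESTS = [
    ("call-1", 3, False),
    ("call-2", 5, False),
    ("e911-a", 5, True),
    ("e911-b", 10, True),
    ("e911-c", 5, True),
]

if __name__ == "__main__":
    for mode, enabled in (("bandwidth", True), ("load", True), ("bandwidth", False)):
        print(mode, enabled, replay(mode, enabled, 70, REQUESTS))
```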
U-APSD
Unscheduled automatic power save delivery (U-APSD) is a QoS facility defined in IEEE 802.11e that extends
the battery life of mobile clients. In addition to extending battery life, this feature reduces the latency of traffic
flow delivered over the wireless media. Because U-APSD does not require the client to poll each individual
packet buffered at the access point, it allows delivery of multiple downlink packets by sending a single uplink
trigger packet. U-APSD is enabled automatically when WMM is enabled.
Traffic Stream Metrics
In a voice-over-wireless LAN (VoWLAN) deployment, traffic stream metrics (TSM) can be used to monitor
voice-related metrics on the client-access point air interface. It reports both packet latency and packet loss.
You can isolate poor voice quality issues by studying these reports.
The metrics consist of a collection of uplink (client side) and downlink (access point side) statistics between
an access point and a client device that supports CCX v4 or later releases. If the client is not CCX v4 or CCXv5
compliant, only downlink statistics are captured. The client and access point measure these metrics. The access
point also collects the measurements every 5 seconds, prepares 90-second reports, and then sends the reports
to the controller. The controller organizes the uplink measurements on a client basis and the downlink
measurements on an access point basis and maintains an hour’s worth of historical data. To store this data,
the controller requires 32 MB of additional memory for uplink metrics and 4.8 MB for downlink metrics.
TSM can be configured through either the GUI or the CLI on a per radio-band basis (for example, all 802.11a
radios). The controller saves the configuration in flash memory so that it persists across reboots. After an
access point receives the configuration from the controller, it enables TSM on the specified radio band.
This table shows the upper limit for TSM entries in different controller series.
TSM Entries | 5700
MAX AP TSM entries | 100
MAX Client TSM entries | 250
MAX TSM entries | 100*250=25000
Note
Once the upper limit is reached, additional TSM entries cannot be stored and sent to WCS or NCS. If client
TSM entries are full and AP TSM entries are available, then only the AP entries are stored, and vice versa.
This leads to partial output. TSM cleanup occurs every hour. Entries are removed only for those APs and
clients that are not in the system.
Information About Configuring Voice Prioritization Using Preferred Call
Numbers
You can configure a controller to provide support for SIP calls from VoWLAN clients that do not support
TSPEC-based calls. This feature is known as SIP CAC support. If bandwidth is available in the configured
voice pool, the SIP call uses the normal flow and the controller allocates the bandwidth to those calls.
You can also prioritize up to six preferred call numbers. When a call comes to one of the configured preferred
numbers, the controller does not check the configured maximum voice bandwidth. The controller allocates
the bandwidth needed for the call, even if it exceeds the maximum bandwidth for voice configured for voice
CAC. The preferred call will be rejected if bandwidth allocation exceeds 85% of the radio bandwidth. The
bandwidth allocation is 85 percent of the entire bandwidth pool, not just from the maximum configured voice
pool. The bandwidth allocation is the same even for roaming calls.
You must configure the following parameters before configuring voice prioritization:
• Set WLAN QoS to allow voice calls to pass through.
• Enable ACM for the radio.
• Enable SIP call snooping on the WLAN.
Information About Enhanced Distributed Channel Access Parameters
Enhanced Distributed Channel Access (EDCA) parameters are designed to provide preferential wireless
channel access for voice, video, and other quality of service (QoS) traffic.
How to Configure Voice and Video Parameters
Configuring Voice Parameters (CLI)
Before you begin
Ensure that you have configured SIP-based CAC.
You should have created a class map for CAC before beginning this procedure.
SUMMARY STEPS
1. show wlan summary
2. show wlan wlan_id
3. configure terminal
4. policy-map policy-map name
5. class {class-name | class-default}
6. admit cac wmm-tspec
7. service-policy policy-map name
8. end
9. wlan wlan_profile_name wlan_ID SSID_network_name wlan shutdown
10. wlan wlan_profile_name wlan_ID SSID_network_name
11. wlan wlan_name call-snoop
12. wlan wlan_name service-policy input input_policy_name
13. wlan wlan_name service-policy output output_policy_name
14. wlan wlan_name service-policy input ingress_policy_name
15. wlan wlan_name service-policy output egress_policy_name
16. ap dot11 {5ghz | 24ghz} shutdown
17. ap dot11 {5ghz | 24ghz} cac voice sip
18. ap dot11 {5ghz | 24ghz} cac voice acm
19. ap dot11 {5ghz | 24ghz} cac voice max-bandwidth bandwidth
20. ap dot11 {5ghz | 24ghz} cac voice roam-bandwidth bandwidth
21. no wlan shutdown
22. no ap dot11 {5ghz | 24ghz} shutdown
23. end
DETAILED STEPS
Command or Action
Purpose
Step 1
show wlan summary
Specifies all of the WLANs configured on the controller.
Example:
Controller# show wlan summary
Step 2
show wlan wlan_id
Specifies the WLAN that you plan to modify. For voice
over WLAN, ensure that the WLAN is configured for
WMM and the QoS level is set to Platinum.
Example:
Controller# show wlan 25
Step 3
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 4
policy-map policy-map name
Enters policy map configuration mode.
Creates or modifies a policy map that can be attached to
one or more interfaces to specify a service policy.
In WLAN, you need to configure service-policy for these
commands to take effect.
Example:
Controller(config)# policy-map test_2000
Controller(config-pmap)#
Step 5
class {class-name | class-default}
Enters policy class map configuration mode. Specifies the
name of the class whose policy you want to create or
change.
You can also create a system default class for unclassified
packets.
Example:
Controller(config-pmap)# class test_1000
Controller(config-pmap-c)#
Step 6
admit cac wmm-tspec
Example:
(Optional) Admits the request for Call Admission Control
(CAC) for policy map.
Controller(config-pmap-c)# admit cac wmm-tspec
Controller(config-pmap-c)#
Step 7
service-policy policy-map name
Configures the QoS service policy.
Example:
Controller(config-pmap-c)# service-policy
test_2000
Controller(config-pmap-c)#
Step 8
end
Example:
Returns to privileged EXEC mode. Alternatively, you can
also press Ctrl-Z to exit global configuration mode.
Controller(config)# end
Step 9
wlan wlan_profile_name wlan_ID SSID_network_name
wlan shutdown
Disables all WLANs with WMM enabled prior to changing
the video parameters.
Example:
Controller(config)# wlan wlan1
Controller(config-wlan)# wlan shutdown
Step 10
wlan wlan_profile_name wlan_ID SSID_network_name
Disables all WLANs with WMM enabled prior to changing
the voice parameters.
Example:
Controller(config)# wlan wlan1
Controller(config-wlan)# wlan shutdown
Step 11
wlan wlan_name call-snoop
Enables the call-snooping on a particular WLAN.
Example:
Controller(config)# wlan wlan1 call-snoop
Step 12
wlan wlan_name service-policy input input_policy_name
Configures input SSID policy on a particular WLAN to
voice.
Example:
Controller(config)# wlan wlan1
Controller(config-wlan)# service-policy input platinum-up
Step 13
wlan wlan_name service-policy output output_policy_name
Configures output SSID policy on a particular WLAN to
voice.
Example:
Controller(config)# wlan wlan1
Controller(config-wlan)# service-policy output platinum
Step 14
wlan wlan_name service-policy input ingress_policy_name
Configures ingress SSID policy on a particular WLAN as
user-defined policy.
Example:
Controller(config)# wlan wlan1
Controller(config-wlan)# service-policy input policy1
Step 15
wlan wlan_name service-policy output egress_policy_name
Configures egress SSID policy on a particular WLAN as
user-defined policy.
Example:
Controller(config)# wlan wlan1
Controller(config-wlan)# service-policy output policy2
Step 16
ap dot11 {5ghz | 24ghz} shutdown
Disables the radio network.
Example:
Controller(config)# ap dot11 5ghz shutdown
Step 17
ap dot11 {5ghz | 24ghz} cac voice sip
Enables or disables SIP IOSd CAC for the 802.11a or
802.11b/g network.
Example:
Controller(config)# ap dot11 5ghz cac voice sip
Step 18
ap dot11 {5ghz | 24ghz} cac voice acm
Enables or disables bandwidth-based voice CAC for the
802.11a or 802.11b/g network.
Example:
Controller(config)# ap dot11 5ghz cac voice acm
Step 19
ap dot11 {5ghz | 24ghz} cac voice max-bandwidth bandwidth
Sets the percentage of maximum bandwidth allocated to
clients for voice applications on the 802.11a or 802.11b/g
network.
The bandwidth range is 5 to 85%, and the default value is
75%. Once the client reaches the value specified, the access
point rejects new videos on this network.
Example:
Controller(config)# ap dot11 5ghz cac voice max-bandwidth 85
Step 20
ap dot11 {5ghz | 24ghz} cac voice roam-bandwidth bandwidth
Sets the percentage of maximum allocated bandwidth
reserved for roaming voice clients.
The bandwidth range is 0 to 25%, and the default value is
6%. The controller reserves this much bandwidth from the
maximum allocated bandwidth for roaming voice clients.
Example:
Controller(config)# ap dot11 5ghz cac voice roam-bandwidth 10
Step 21
no wlan shutdown
Reenables all WLANs with WMM enabled.
Example:
Controller(config-wlan)# no wlan shutdown
Step 22
no ap dot11 {5ghz | 24ghz} shutdown
Reenables the radio network.
Example:
Controller(config)# no ap dot11 5ghz shutdown
Step 23
end
Returns to privileged EXEC mode. Alternatively, you can
also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Configuring Video Parameters (CLI)
SUMMARY STEPS
1. show wlan summary
2. show wlan wlan_id
3. configure terminal
4. policy-map policy-map name
5. class {class-name | class-default}
6. admit cac wmm-tspec
7. service-policy policy-map name
8. end
9. wlan wlan_profile_name
10. ap dot11 {5ghz | 24ghz} shutdown
11. ap dot11 {5ghz | 24ghz} cac video acm
12. ap dot11 {5ghz | 24ghz} cac video load-based
13. ap dot11 {5ghz | 24ghz} cac video max-bandwidth bandwidth
14. ap dot11 {5ghz | 24ghz} cac video roam-bandwidth bandwidth
15. no wlan shutdown wlan_id
16. no ap dot11 {5ghz | 24ghz} shutdown
17. end
DETAILED STEPS
Command or Action
Purpose
Step 1
show wlan summary
Specifies all of the WLANs configured on the controller.
Example:
Controller# show wlan summary
Step 2
show wlan wlan_id
Specifies the WLAN that you plan to modify.
Example:
Controller# show wlan 25
Step 3
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 4
policy-map policy-map name
Enters policy map configuration mode.
Creates or modifies a policy map that can be attached to
one or more interfaces to specify a service policy.
In WLAN, you need to configure service-policy for these
commands to take effect.
Example:
Controller(config)# policy-map test_2000
Controller(config-pmap)#
Step 5
class {class-name | class-default}
Enters policy class map configuration mode. Specifies the
name of the class whose policy you want to create or
change.
You can also create a system default class for unclassified
packets.
Example:
Controller(config-pmap)# class test_1000
Controller(config-pmap-c)#
Step 6
admit cac wmm-tspec
(Optional) Admits the request for Call Admission Control
(CAC) for policy map.
Example:
Controller(config-pmap-c)# admit cac wmm-tspec
Controller(config-pmap-c)#
Step 7
service-policy policy-map name
Configures the QoS service policy.
Example:
Controller(config-pmap-c)# service-policy test_2000
Controller(config-pmap-c)#
Step 8
end
Returns to privileged EXEC mode. Alternatively, you can
also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Step 9
wlan wlan_profile_name
Disables all WLANs with WMM enabled prior to changing
the video parameters.
Example:
Controller(config)# wlan wlan1
Controller(config-wlan)# wlan shutdown
Step 10
ap dot11 {5ghz | 24ghz} shutdown
Disables the radio network.
Example:
Controller(config)# ap dot11 5ghz shutdown
Step 11
ap dot11 {5ghz | 24ghz} cac video acm
Enables or disables bandwidth-based video CAC for the
802.11a or 802.11b/g network.
Example:
Controller(config)# ap dot11 5ghz cac video acm
Step 12
ap dot11 {5ghz | 24ghz} cac video load-based
Configures the load-based CAC method.
If you do not enter this command, then the default static
CAC is applied.
Example:
Controller(config)# ap dot11 5ghz cac video load-based
Step 13
ap dot11 {5ghz | 24ghz} cac video max-bandwidth bandwidth
Sets the percentage of maximum bandwidth allocated to
clients for video applications on the 802.11a or 802.11b/g
network.
The bandwidth range is 5 to 85%, and the default value is
75%. The default value is 0, which means no bandwidth
request control. The sum of the voice bandwidth and video
bandwidth should not exceed 85% or configured maximum
media bandwidth.
Example:
Controller(config)# ap dot11 5ghz cac video max-bandwidth 20
Step 14
ap dot11 {5ghz | 24ghz} cac video roam-bandwidth bandwidth
Sets the percentage of maximum allocated bandwidth
reserved for roaming clients for video.
The bandwidth range is 0 to 25%, and the default value is
0%.
Example:
Controller(config)# ap dot11 5ghz cac video roam-bandwidth 9
Step 15
no wlan shutdown wlan_id
Reenables all WLANs with WMM enabled.
Example:
Controller(config-wlan)# no wlan shutdown 25
Step 16
no ap dot11 {5ghz | 24ghz} shutdown
Reenables the radio network.
Example:
Controller(config)# no ap dot11 5ghz shutdown
Step 17
end
Returns to privileged EXEC mode. Alternatively, you can
also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
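The ranges and the voice-plus-video ceiling stated in the voice and video CAC steps above can be checked mechanically before a change is pushed. The following Python audit is an added example, not Cisco code: it parses "ap dot11 ... cac" lines and reports out-of-range values, a combined voice and video allocation above 85%, and SIP CAC configured without ACM or together with load-based CAC. The sample lines are constructed; the names parse_cac and audit, the fixed 85% ceiling (a configured maximum media bandwidth is not modelled) and the voice form of load-based (this page shows it only for video) are assumptions of the example.

```python
import re

# Ranges (percent) as stated in the voice and video CAC steps of this guide.
LIMITS = {
    ("voice", "max-bandwidth"): (5, 85),
    ("voice", "roam-bandwidth"): (0, 25),
    ("video", "max-bandwidth"): (5, 85),
    ("video", "roam-bandwidth"): (0, 25),
}
VOICE_MAX_DEFAULT = 75  # stated default for voice max-bandwidth
MEDIA_CEILING = 85      # assumption: no separate maximum media bandwidth is set

CAC_LINE = re.compile(
    r"^(?P<no>no\s+)?ap\s+dot11\s+(?P<band>5ghz|24ghz)\s+cac\s+"
    r"(?P<media>voice|video)\s+"
    r"(?P<key>acm|sip|load-based|max-bandwidth|roam-bandwidth)"
    r"(?:\s+(?P<val>\d+))?\s*$"
)


def parse_cac(config_text):
    """Return {band: {(media, key): value}} built from the CAC lines."""
    bands = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        # Accept lines pasted with a CLI prompt such as "Controller(config)# ".
        if "#" in line:
            line = line.split("#", 1)[1].strip()
        m = CAC_LINE.match(line)
        if not m:
            continue
        settings = bands.setdefault(m["band"], {})
        slot = (m["media"], m["key"])
        if m["no"]:
            settings.pop(slot, None)          # "no ..." returns the item to its default
        elif m["key"].endswith("bandwidth"):
            if m["val"] is not None:          # ignore a bandwidth line with no value
                settings[slot] = int(m["val"])
        else:
            settings[slot] = True             # acm, sip and load-based are flags
    return bands


def audit(config_text):
    """Return a sorted list of (band, finding); an empty list means no finding."""
    findings = []
    for band, s in parse_cac(config_text).items():
        for (media, key), (low, high) in LIMITS.items():
            val = s.get((media, key))
            if val is not None and not low <= val <= high:
                findings.append((band, f"{media} {key} {val} outside {low}-{high}%"))
        # Sum rule: checked only when video is set explicitly, because the page
        # gives two different defaults for video max-bandwidth.
        video_max = s.get(("video", "max-bandwidth"))
        if video_max is not None:
            voice_max = s.get(("voice", "max-bandwidth"), VOICE_MAX_DEFAULT)
            if voice_max + video_max > MEDIA_CEILING:
                findings.append(
                    (band, f"voice {voice_max}% + video {video_max}% exceeds {MEDIA_CEILING}%")
                )
        # SIP-based CAC: the procedure enables ACM first and calls for static CAC.
        if s.get(("voice", "sip")):
            if not s.get(("voice", "acm")):
                findings.append((band, "cac voice sip set without cac voice acm"))
            if s.get(("voice", "load-based")):
                findings.append((band, "cac voice sip combined with load-based CAC"))
    return sorted(findings)


# Constructed sample: the 5 GHz lines reuse the example values from the steps
# above; the 2.4 GHz lines are deliberately misconfigured.
SAMPLE = """\
Controller(config)# ap dot11 5ghz cac voice acm
Controller(config)# ap dot11 5ghz cac voice sip
Controller(config)# ap dot11 5ghz cac voice max-bandwidth 85
Controller(config)# ap dot11 5ghz cac voice roam-bandwidth 10
Controller(config)# ap dot11 5ghz cac video acm
Controller(config)# ap dot11 5ghz cac video max-bandwidth 20
Controller(config)# ap dot11 5ghz cac video roam-bandwidth 9
ap dot11 24ghz cac voice sip
ap dot11 24ghz cac voice roam-bandwidth 30
ap dot11 24ghz cac video max-bandwidth 10
"""

if __name__ == "__main__":
    for band, finding in audit(SAMPLE):
        print(f"{band}: {finding}")
```

Each example value in the steps is within its own range, but applying the voice example (85) and the video example (20) to the same band breaks the combined 85% rule, which the audit reports.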
Configuring SIP-Based CAC (CLI)
SIP CAC controls the total number of SIP calls that can be made.
SUMMARY STEPS
1. configure terminal
2. wlan wlan-name
3. call-snoop
4. service-policy [client] input policy-map name
5. service-policy [client] output policy-map name
6. end
7. show wlan {wlan-id | wlan-name}
8. configure terminal
9. ap dot11 {5ghz | 24ghz} cac {voice | video} acm
10. ap dot11 {5ghz | 24ghz} cac voice sip
11. end
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
wlan wlan-name
Enters WLAN configuration submode.
Example:
Controller(config)# wlan qos-wlan
Controller(config-wlan)#
Step 3
call-snoop
Enables the call-snooping feature for a particular WLAN.
Example:
Controller(config-wlan)# call-snoop
Step 4
service-policy [client] input policy-map name
Assigns a policy map to WLAN input traffic. Ensure that
you provide QoS policy to voice for input traffic.
Example:
Controller(config-wlan)# service-policy input platinum-up
Step 5
service-policy [client] output policy-map name
Assigns policy map to WLAN output traffic. Ensure that
you provide QoS policy to voice for output traffic.
Example:
Controller(config-wlan)# service-policy output platinum
Step 6
end
Returns to privileged EXEC mode. Alternatively, you can
also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Step 7
show wlan {wlan-id | wlan-name}
Verifies the configured QoS policy on the WLAN.
Example:
Controller# show wlan qos-wlan
Step 8
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 9
ap dot11 {5ghz | 24ghz} cac {voice | video} acm
Enables the ACM static on the radio.
When enabling SIP snooping, use the static CAC, not the
load-based CAC.
Example:
Controller(config)# ap dot11 5ghz cac voice acm
Step 10
ap dot11 {5ghz | 24ghz} cac voice sip
Configures SIP-based CAC.
Example:
Controller(config)# ap dot11 5ghz cac voice sip
Step 11
end
Returns to privileged EXEC mode. Alternatively, you can
also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Configuring a Preferred Call Number (CLI)
Before you begin
You must set the following parameters before configuring a preferred call number.
• Set WLAN QoS to voice.
• Enable ACM for the radio.
• Enable SIP call snooping on the WLAN.
• Enable SIP-based CAC.
SUMMARY STEPS
1. configure terminal
2. wlan wlan-name qos platinum
3. ap dot11 {5ghz | 24ghz} cac {voice | video} acm
4. wlan wlan-name
5. wireless sip preferred-call-no call_index call_number
6. no wireless sip preferred-call-no call_index
7. end
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
wlan wlan-name qos platinum
Sets QoS to voice on a particular WLAN.
Example:
Controller(config)# wlan wlan1
Controller(config-wlan)# qos platinum
Step 3
ap dot11 {5ghz | 24ghz} cac {voice | video} acm
Enables the static ACM on the radio.
When enabling SIP snooping, use the static CAC, not the
load-based CAC.
Example:
Controller(config)# ap dot11 5ghz cac voice acm
Step 4
wlan wlan-name
Enables the call-snooping feature for a particular WLAN.
Example:
Controller(config)# wlan wlan1
Controller(config-wlan)# call-snoop
Step 5
wireless sip preferred-call-no call_index call_number
Adds a new preferred call.
Example:
Controller(config)# wireless sip preferred-call-no 1 555333
Step 6
no wireless sip preferred-call-no call_index
Removes a preferred call.
Example:
Controller(config)# no wireless sip preferred-call-no 1
Step 7
end
Returns to privileged EXEC mode. Alternatively, you can
also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Configuring EDCA Parameters (CLI)
SUMMARY STEPS
1. configure terminal
2. ap dot11 {5ghz | 24ghz } shutdown
3. ap dot11 {5ghz | 24ghz} edca-parameters {custom-voice | fastlane | optimized-video-voice |
optimized-voice | svp-voice | wmm-default}
4. no ap dot11 {5ghz | 24ghz} shutdown
5. end
6. show ap dot11 {5ghz | 24ghz} network
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
ap dot11 {5ghz | 24ghz } shutdown
Disables the radio network.
Example:
Controller(config)# ap dot11 5ghz shutdown
Step 3
ap dot11 {5ghz | 24ghz} edca-parameters {custom-voice | fastlane | optimized-video-voice | optimized-voice | svp-voice | wmm-default}
Enables specific EDCA parameters for the 802.11a or
802.11b/g network.
• custom-voice—Enables custom voice parameters for
the 802.11a or 802.11b/g network.
• fastlane—Enables the fastlane parameters for the
802.11a or 802.11b/g network.
• optimized-video-voice—Enables EDCA
voice-optimized and video-optimized parameters for
the 802.11a or 802.11b/g network. Choose this option
when both voice and video services are deployed on
your network.
• optimized-voice—Enables non-SpectraLink
voice-optimized profile parameters for the 802.11a or
802.11b/g network. Choose this option when voice
services other than SpectraLink are deployed on your
network.
• svp-voice—Enables SpectraLink voice-priority
parameters for the 802.11a or 802.11b/g network.
Choose this option if SpectraLink phones are deployed
on your network to improve the quality of calls.
• wmm-default—Enables the Wi-Fi Multimedia
(WMM) default parameters for the 802.11a or
802.11b/g network. This is the default option. Choose
this option when voice or video services are not
deployed on your network.
Example:
Controller(config)# ap dot11 5ghz edca-parameters optimized-voice
Step 4
no ap dot11 {5ghz | 24ghz} shutdown
Re-enables the radio network.
Example:
Controller(config)# no ap dot11 5ghz shutdown
Step 5
end
Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 6
show ap dot11 {5ghz | 24ghz} network
Displays the current status of MAC optimization for voice.
Example:
Controller# show ap dot11 5ghz network
Configuring EDCA Parameters (GUI)
Step 1
Choose Configuration > Wireless > 802.11a/n/ac > EDCA Parameters or Configuration > Wireless > 802.11b/g/n >
EDCA Parameters to open EDCA Parameters page.
Step 2
Choose one of the following options from the EDCA Profile drop-down list:
• wmm-default—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value. Choose this
option when voice or video services are not deployed on your network.
• svp-voice—Enables SpectraLink voice priority parameters. Choose this option if SpectraLink phones are deployed
on your network to improve the quality of calls.
• optimized-voice—Enables EDCA voice-optimized profile parameters. Choose this option when voice services other
than SpectraLink are deployed on your network.
• optimized-video-voice—Enables EDCA voice- and video-optimized profile parameters. Choose this option when
both voice and video services are deployed on your network.
• custom-voice—Enables custom voice EDCA parameters for 802.11a. The EDCA parameters under this option also
match the 6.0 WMM EDCA parameters when this profile is applied.
Note
If you deploy video services, admission control (ACM) must be disabled.
Step 3
If you want to enable MAC optimization for voice, select the Enable Low Latency MAC check box. Otherwise, leave
this check box unselected, which is the default value. This feature enhances voice performance by controlling packet
retransmits and appropriately aging out voice packets on lightweight access points, which improves the number of voice
calls serviced per access point.
Note
We do not recommend that you enable low latency MAC. You should enable low latency MAC only if the WLAN
allows WMM clients. If WMM is enabled, then low latency MAC can be used with any of the EDCA profiles.
Step 4
Click Apply to commit your changes.
Step 5
To reenable the radio network, choose Network under 802.11a/n or 802.11b/g/n, select the 802.11a/n/ac (or 802.11b/g/n)
Network Status check box, and click Apply.
Step 6
Click Save Configuration.
Monitoring Voice and Video Parameters
This section describes the new commands for the voice and video parameters.
The following commands can be used to monitor voice and video parameters.
Table 17: Monitoring Voice Parameters Commands
Command
Purpose
show ap dot11 {5ghz | 24ghz} network
Displays the radio-based statistics for voice.
show ap name ap_name dot11 24ghz tsm all
Displays the TSM voice metrics and current status of MAC
optimization for voice.
show ap name apname cac voice
Displays the information about CAC for a particular access point.
show client detail client_mac
Displays the U-APSD status for a particular client.
show policy-map interface wireless client
Displays the video client policy details.
show access-list
Displays the video client dynamic access-list from the controller.
show wireless client voice diag status
Displays information about whether voice diagnostics are enabled
or disabled. If enabled, this also displays information about the
clients in the watch list and the time remaining for the diagnostics
of the voice call.
Note
To work on voice diagnostics CLIs, you need to enter
the following command: debug voice-diagnostic
mac-addr client_mac_01 client_mac_02
show wireless client voice diag tspec
Displays the TSPEC information sent from the clients that are
enabled for voice diagnostics.
show wireless client voice diag qos-map
Displays information about the QoS/DSCP mapping and packet
statistics in each of the four queues: VO, VI, BE, BK. The different
DSCP values are also displayed.
show wireless client voice diag rssi
Displays the client’s RSSI values in the last 5 seconds when voice
diagnostics is enabled.
show client voice-diag roam-history
Displays information about the last three roaming calls. The output
contains the timestamp, access point associated with roaming,
roaming reason, and if there is a roaming failure, reason for
roaming-failure.
show policy-map interface wireless mac mac-address
Displays information about the voice and video data packet
statistics.
show wireless media-stream client summary
Displays a summary of the media stream and video client
information.
show controllers d0 | b queue
Displays which queue the packets are going through on an access
point.
show platform qos queue stats interface
Displays which queue packets are going through from the controller.
You can monitor the video parameters using the following commands.
Table 18: Monitoring Video Parameters Commands
Command
Purpose
show ap join stats summary ap_mac
Displays the last join error detail for a specific access point.
show ip igmp snooping wireless mgid
Displays the TSM voice metrics and current status of MAC
optimization for voice.
show wireless media-stream multicast-direct state
Displays the media stream multicast-direct parameters.
show wireless media-stream group summary
Displays the summary of the media stream and client
information.
show wireless media-stream group detail group_name
Displays the details of a specific media-stream group.
show wireless media-stream client summary
Displays the details for a set of media-stream clients.
show wireless media-stream client detail group_name
Displays the details for a set of media-stream clients.
show ap dot11 {5ghz | 24ghz} media-stream rrc
Displays the details of media stream.
show wireless media-stream message details
Displays information about the message configuration.
show ap name ap-name auto-rf dot11 5ghz | i Util
Displays the details of channel utilization.
show controllers d0 | b queue
Displays which queue the packets are going through on an
access point based on 2.4- and 5-GHz bands.
show controllers d1 | b queue
Displays which queue the packets are going through on an
access point based on 2.4- and 5-GHz bands.
show cont d1 | b Media
Displays the video metric details on the band A or B.
show capwap mcast mgid all
Displays information about all of the multicast groups and
their corresponding multicast group identifications (MGIDs)
associated to the access point.
show capwap mcast mgid id id
Displays information about all of the video clients joined to
the multicast group in a specific MGID.
Configuration Examples for Voice and Video Parameters
Example: Configuring Voice and Video
Configuring Egress SSID Policy for Voice and Video
The following example shows how to create and configure an egress SSID policy for voice and video:
table-map egress_ssid_tb
 map from 24 to 24
 map from 34 to 34
 map from 46 to 46
 default copy
class-map match-any voice
 match dscp ef
class-map match-any video
 match dscp af41
policy-map ssid-cac
 class class-default
  shape average 25000000
  set dscp dscp table egress_ssid_tb
  queue-buffers ratio 0
  service-policy ssid-child-cac
policy-map ssid-child-cac
 class voice
  priority level 1
  police 5000000
   conform-action transmit
   exceed-action drop
  admit cac wmm-tspec
   rate 1000
   wlan-up 6 7
 class video
  priority level 2
  police 10000000
   conform-action transmit
   exceed-action drop
  admit cac wmm-tspec
   rate 3000
   wlan-up 4 5
Configuring Ingress SSID Policy for Voice and Video
The following example shows how to create and configure an ingress SSID policy for voice and video:
table-map up_to_dscp
 map from 0 to 0
 map from 1 to 8
 map from 2 to 8
 map from 3 to 0
 map from 4 to 34
 map from 5 to 34
 map from 6 to 46
 map from 7 to 48
 default copy
policy-map ingress_ssid
 class class-default
  set dscp wlan user-priority table up_to_dscp
Configuring Egress Port Policy Voice and Video
The following example shows how to create and configure an egress port policy for voice and video:
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
 class voice
  priority level 1
  police rate 3000000
 class video
  priority level 2
  police rate 4000000
Applying Ingress and Egress SSID policies for Voice and Video on a WLAN
The following example shows how to apply ingress and egress SSID policies for voice and video on a WLAN:
wlan voice_video 1 voice_video
 service-policy input ingress_ssid
 service-policy output ssid-cac
Additional References for Voice and Video Parameters
Related Documents
Related Topic
Document Title
Multicast configuration
Multicast Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
VideoStream configuration
VideoStream Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Standards and RFCs
Standard/RFC Title
None
—
MIBs
MIB
MIBs Link
All the supported MIBs for this
release.
To locate and download MIBs for selected platforms, Cisco IOS releases,
and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
Technical Assistance
Description
Link
The Cisco Support website provides extensive online resources, including
documentation and tools for troubleshooting and resolving technical issues
with Cisco products and technologies.
http://www.cisco.com/support
To receive security and technical information about your products, you can
subscribe to various services, such as the Product Alert Tool (accessed from
Field Notices), the Cisco Technical Services Newsletter, and Really Simple
Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user
ID and password.
Feature History and Information For Performing Voice and Video
Parameters Configuration
Release
Feature Information
Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE
This feature was introduced.
CHAPTER 12
Configuring RFID Tag Tracking
• Finding Feature Information
• Information About Configuring RFID Tag Tracking
• How to Configure RFID Tag Tracking
• Monitoring RFID Tag Tracking Information
• Additional References RFID Tag Tracking
• Feature History and Information For Performing RFID Tag Tracking Configuration
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Information About Configuring RFID Tag Tracking
The device enables you to configure radio-frequency identification (RFID) tag tracking. RFID tags are small
wireless devices that are affixed to assets for real-time location tracking. They operate by advertising their
location using special 802.11 packets, which are processed by access points, the controller, and the location
appliance.
How to Configure RFID Tag Tracking
Configuring RFID Tag Tracking (CLI)
SUMMARY STEPS
1. location rfid status
2. (Optional) no location rfid status
3. location rfid timeout seconds
4. location rfid mobility vendor-name name
5. (Optional) no location rfid mobility name
DETAILED STEPS
Command or Action
Purpose
Step 1
location rfid status
Enables RFID tag tracking.
By default, RFID tag tracking is enabled.
Example:
Controller(config)# location rfid status
Step 2
(Optional) no location rfid status
Disables RFID tag tracking.
Example:
Controller(config)# no location rfid status
Step 3
location rfid timeout seconds
Specifies a static timeout value (between 60 and 7200
seconds).
The static timeout value is the amount of time that the
controller maintains tags before expiring them. For example,
if a tag is configured to beacon every 30 seconds, we
recommend that you set the timeout value to 90 seconds
(approximately three times the beacon value). The default
value is 1200 seconds.
Example:
Controller(config)# location rfid timeout 1500
Step 4
location rfid mobility vendor-name name
Enables RFID tag mobility for specific tags. When you
enter the location rfid mobility vendor-name command,
tags are unable to obtain a DHCP address for client mode
when attempting to select and/or download a configuration.
Note
These commands can be used only for Pango
tags. Therefore, the only valid entry for
vendor_name is “pango” in all lowercase letters.
Example:
Controller(config)# location rfid mobility vendor-name Aerosct
Step 5
(Optional) no location rfid mobility name
Disables RFID tag mobility for specific tags. When you
enter the no location rfid mobility command, tags can
obtain a DHCP address. If a tag roams from one subnet to
another, it obtains a new address rather than retaining the
anchor state.
Example:
Controller(config)# no location rfid mobility test
Monitoring RFID Tag Tracking Information
This section describes the new commands for the RFID tag tracking Information.
The following commands can be used to monitor the RFID tag tracking Information on the controller.
Table 19: Monitoring RFID Tag Tracking Information Commands
Command
Purpose
show location rfid config
Displays the current configuration for RFID tag tracking.
show location rfid detail mac_address
Displays the detailed information for a specific RFID tag.
show location rfid summary
Displays a list of all RFID tags currently connected to the controller.
show location rfid client
Displays a list of RFID tags that are associated to the controller as
clients.
Additional References RFID Tag Tracking
Related Documents
Related Topic
Document Title
System management commands
System Management Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Standards and RFCs
Standard/RFC Title
None
—
MIBs
MIB
MIBs Link
All the supported MIBs for this
release.
To locate and download MIBs for selected platforms, Cisco IOS releases,
and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
Technical Assistance
Description
Link
The Cisco Support website provides extensive online resources, including
documentation and tools for troubleshooting and resolving technical issues
with Cisco products and technologies.
http://www.cisco.com/support
To receive security and technical information about your products, you can
subscribe to various services, such as the Product Alert Tool (accessed from
Field Notices), the Cisco Technical Services Newsletter, and Really Simple
Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user
ID and password.
Feature History and Information For Performing RFID Tag
Tracking Configuration
Release
Feature Information
Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE
This feature was introduced.
CHAPTER 13
Configuring Location Settings
• Finding Feature Information
• Information About Configuring Location Settings
• How to Configure Location Settings
• Monitoring Location Settings and NMSP Settings
• Examples: Location Settings Configuration
• Examples: NMSP Settings Configuration
• Additional References for Location Settings
• Feature History and Information For Performing Location Settings Configuration
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Information About Configuring Location Settings
The controller determines the location of client devices by gathering Received Signal Strength Indication
(RSSI) measurements from access points all around the client of interest. The controller can obtain location
reports from up to 16 access points for clients, RFID tags, and rogue access points.
You can configure the path loss measurement (S60) request for normal clients or calibrating clients to improve
location accuracy.
How to Configure Location Settings
Configuring Location Settings (CLI)
SUMMARY STEPS
1. configure terminal
2. location plm {calibrating [multiband | uniband] | client burst_interval}
3. location rssi-half-life {calibrating-client | client | rogue-aps | tags } seconds
4. location expiry {calibrating-client | client | rogue-aps | tags } timeout
5. location algorithm {rssi-average | simple}
6. location admin-tag string
7. location civic-location identifier {identifier | host}
8. location custom-location identifier {identifier | host}
9. location geo-location identifier {identifier | host}
10. location prefer {cdp | lldp-med | static} weight priority_value
11. location rfid {status | timeout | vendor-name}
12. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: location plm {calibrating [multiband | uniband] | client burst_interval}
Purpose: Configures the path loss measurement (S60) request for calibrating or noncalibrating clients.
The path loss measurement request improves the location accuracy. You can configure the burst_interval parameter for the normal, noncalibrating client from zero through 3600 seconds, and the default value is 60 seconds.
You can configure the path loss measurement request for calibrating clients on the associated 802.11a or 802.11b/g radio or on the associated 802.11a/b/g radio.
If a client does not send probes often or sends them only on a few channels, its location cannot be updated or cannot be updated accurately. The location plm command forces clients to send more packets on all channels. When a CCXv4 (or higher) client associates, the Controller sends it a path loss measurement request, which instructs the client to transmit on the bands and channels that the access points are on (typically, channels 1, 6, and 11 for 2.4-GHz-only access points) at a configurable interval (such as 60 seconds) indefinitely.
Example:
Controller(config)# location plm client 100
Step 3
Command or Action: location rssi-half-life {calibrating-client | client | rogue-aps | tags } seconds
Purpose: Configures the RSSI half life for the clients, calibrating clients, RFID tags, and rogue access points.
You can enter the location rssi-half-life parameter value for the clients, calibrating clients, RFID tags, and rogue access points as 0, 1, 2, 5, 10, 20, 30, 60, 90, 120, 180, or 300 seconds, and the default value is 0 seconds.
Some client devices transmit at reduced power immediately after changing channels, and RF is variable, so RSSI values might vary considerably from packet to packet. The location rssi-half-life command increases accuracy by averaging nonuniformly arriving data using a configurable forget period (or half life).
Note: We recommend that you do not use or modify the location rssi-half-life command.
Example:
Controller(config)# location rssi-half-life calibrating-client 60
Step 4
Command or Action: location expiry {calibrating-client | client | rogue-aps | tags } timeout
Purpose: Configures the RSSI timeout value for the clients, calibrating clients, RFID tags, and rogue access points.
You can enter the RSSI timeout value for the clients, RFID tags, and rogue access points from 5 through 3600 seconds, and the default value is 5 seconds.
For the calibrating clients, you can enter the RSSI timeout value from 0 through 3600 seconds, and the default value is 5 seconds.
Ensuring that recent, strong RSSIs are retained by the CPU is critical to location accuracy. The location expiry command enables you to specify the length of time after which old RSSI averages expire.
Note: We recommend that you do not use or modify the location expiry command.
Example:
Controller(config)# location expiry calibrating-client 50
Step 5
Command or Action: location algorithm {rssi-average | simple}
Purpose: Configures the algorithm used to average RSSI and signal-to-noise ratio (SNR) values.
You can enter the location algorithm rssi-average command to specify a more accurate algorithm that requires more CPU overhead, or the location algorithm simple command to specify a faster algorithm that requires low CPU overhead but provides less accuracy.
Note: We recommend that you do not use or modify the location algorithm command.
Example:
Controller(config)# location algorithm rssi-average
Step 6
Command or Action: location admin-tag string
Purpose: Sets administrative tag or site information for the location of client devices.
Example:
Controller(config)# location admin-tag
Step 7
Command or Action: location civic-location identifier {identifier | host}
Purpose: Specifies civic location information.
You can set the civic location identifier either as a string or host.
Example:
Controller(config)# location civic-location identifier host
Step 8
Command or Action: location custom-location identifier {identifier | host}
Purpose: Specifies custom location information.
You can set the custom location identifier either as a string or host.
Example:
Controller(config)# location custom-location identifier host
Step 9
Command or Action: location geo-location identifier {identifier | host}
Purpose: Specifies geographical location information of the client devices.
You can set the location identifier either as a string or host.
Example:
Controller(config)# location geo-location identifier host
Step 10
Command or Action: location prefer {cdp | lldp-med | static} weight priority_value
Purpose: Sets location information source priority.
You can enter the priority weight from zero through 255.
Example:
Controller(config)# location prefer cdp weight 50
Step 11
Command or Action: location rfid {status | timeout | vendor-name}
Purpose: Configures RFID tag tracking options such as RFID tag status, RFID timeout value, and RFID tag vendor name.
You can enter the RFID timeout value in a range from 60 through 7200 seconds.
Example:
Controller(config)# location rfid timeout 100
Step 12
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Modifying the NMSP Notification Interval for Clients, RFID Tags, and Rogues
NMSP manages communication between the Cisco Mobility Services Engine (Cisco MSE) and the controller
for incoming and outgoing traffic. If your application requires more frequent location updates, you can modify
the NMSP notification interval (to a value between 1 and 180 seconds) for clients, active RFID tags, and
rogue access points and clients.
Note
The TCP port (16113) that the controller and Cisco MSE communicate over must be open (not blocked) on
any firewall that exists between the controller and the Cisco MSE for NMSP to function.
SUMMARY STEPS
1. configure terminal
2. nmsp notification interval {attachment seconds | location seconds | rssi [clients interval | rfid interval
| rogues [ap | client ] interval]}
3. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: nmsp notification interval {attachment seconds | location seconds | rssi [clients interval | rfid interval | rogues [ap | client ] interval]}
Purpose: Sets the NMSP notification interval value for clients, RFID tags, and rogue clients and access points.
You can enter the NMSP notification interval value for RSSI measurement from 1 through 180 seconds.
Example:
Controller(config)# nmsp notification interval rssi rfid 50
Step 3
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Modifying the NMSP Notification Threshold for Clients, RFID Tags, and Rogues (CLI)
SUMMARY STEPS
1. configure terminal
2. location notify-threshold {clients | rogues ap | tags } threshold
3. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: location notify-threshold {clients | rogues ap | tags } threshold
Purpose: Configures the NMSP notification threshold for clients, RFID tags, rogue clients, and access points.
threshold: RSSI threshold value, in dB. Valid range is from 0 to 10.
Example:
Controller(config)# location notify-threshold clients 5
Step 3
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Monitoring Location Settings and NMSP Settings
Monitoring Location Settings (CLI)
This section describes the new commands for location settings.
The following commands can be used to monitor location settings on the controller.
Table 20: Monitoring Location Settings Commands
Command | Purpose
show location summary | Displays the current location configuration values.
show location statistics rfid | Displays the location-based RFID statistics.
show location detail client_mac_addr | Displays the RSSI table for a particular client.
Monitoring NMSP Settings (CLI)
The following commands can be used to monitor NMSP settings on the controller.
Table 21: Monitoring NMSP Settings Commands
Command | Purpose
show nmsp attachment suppress interfaces | Displays the attachment suppress interfaces.
show nmsp capability | Displays the NMSP capabilities.
show nmsp notification interval | Displays the NMSP notification intervals.
show nmsp statistics connection | Displays the connection-specific NMSP counters.
show nmsp statistics summary | Displays the common NMSP counters.
show nmsp status | Displays the status of active NMSP connections.
show nmsp subscription detail | Displays all of the mobility services to which the controller is subscribed.
show nmsp subscription detail ip_addr | Displays details only for the mobility services subscribed to by a specific IP address.
show nmsp subscription summary | Displays details for all of the mobility services to which the controller is subscribed.
Examples: Location Settings Configuration
This example shows how to configure the path loss measurement (S60) request for a calibrating client on the
associated 802.11a or 802.11b/g radio:
Controller# configure terminal
Controller(config)# location plm calibrating uniband
Controller(config)# end
Controller# show location summary
This example shows how to configure the RSSI half life for a rogue access point:
Controller# configure terminal
Controller(config)# location rssi-half-life rogue-aps 20
Controller(config)# end
Controller# show location summary
Examples: NMSP Settings Configuration
This example shows how to configure the NMSP notification interval for RFID tags:
Controller# configure terminal
Controller(config)# nmsp notification interval rssi rfid 50
Controller(config)# end
Controller# show nmsp notification interval
This example shows how to configure the NMSP notification interval for clients:
Controller# configure terminal
Controller(config)# nmsp notification interval rssi clients 180
Controller(config)# end
Controller# show nmsp notification interval
Additional References for Location Settings
Related Documents
Related Topic | Document Title
System management commands | System Management Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Standards and RFCs
Standard/RFC | Title
None | —
MIBs
MIB | MIBs Link
All the supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/support
Feature History and Information For Performing Location Settings Configuration
Release | Feature Information
Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE | This feature was introduced.
CHAPTER 14
Monitoring Flow Control
• Finding Feature Information
• Information About Flow Control
• Monitoring Flow Control
• Examples: Monitoring Flow Control
• Additional References for Monitoring Flow Control
• Feature History and Information For Monitoring Flow Control
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Information About Flow Control
Flow control is enabled by default on the controller.
Flow control provides shim layers between WCM and Cisco IOS for a reliable IPC. Every component in
WCM has a dedicated channel, and a few of those components make use of flow control on their channel.
Flow control cannot be configured from the CLI, but you can monitor it for any channel.
Monitoring Flow Control
This section describes the new commands for flow control.
The following commands can be used to monitor flow control on the controller.
Table 22: Monitoring Flow Control
Command | Purpose
show wireless flow-control channel-id | Displays information about flow control on a particular channel.
show wireless flow-control channel-id statistics | Displays statistical information about flow control on a particular channel.
Examples: Monitoring Flow Control
This example shows how to view information pertaining to any channel:
Controller# show wireless flow-control 3
Controller#
Channel Name         : CAPWAP
FC State             : Disabled
Remote Server State  : Enabled
Pass-thru Mode       : Disabled
EnQ Disabled         : Disabled
Queue Depth          : 2048
Max Retries          : 5
Min Retry Gap (mSec) : 3
This example shows how to view flow control for a particular channel:
Controller# show wireless flow-control 3 statistics
Controller#
Channel Name                             : CAPWAP
# of times channel went into FC          : 0
# of times channel came out of FC        : 0
Total msg count received by the FC Infra : 1
Pass-thru msgs send count                : 0
Pass-thru msgs fail count                : 0
# of msgs successfully queued            : 0
# of msgs for which queuing failed       : 0
# of msgs sent thru after queuing        : 0
# of msgs sent w/o queuing               : 1
# of msgs for which send failed          : 0
# of invalid EAGAINS received            : 0
Highest watermark reached                : 0
# of times Q hit max capacity            : 0
Avg time channel stays in FC (mSec)      : 0
Additional References for Monitoring Flow Control
Related Documents
Related Topic | Document Title
System management commands | System Management Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
Standards and RFCs
Standard/RFC | Title
None | —
MIBs
MIB | MIBs Link
All the supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/support
Feature History and Information For Monitoring Flow Control
Release | Feature Information
Cisco IOS XE 3.3SE | This feature was introduced.
CHAPTER 15
Configuring System Message Logs
• Finding Feature Information
• Finding Feature Information
• Restrictions for Configuring System Message Logs
• Information About Configuring System Message Logs
• How to Configure System Message Logs
• Monitoring and Maintaining System Message Logs
• Configuration Examples for System Message Logs
• Additional References for System Message Logs
• Additional References for System Message Logs
• Feature History and Information For System Message Logs
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Related Topics
Feature History and Information for Troubleshooting Software Configuration
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Restrictions for Configuring System Message Logs
When the logging discriminator command is configured, the device may experience a memory leak or crash.
This usually happens during heavy syslog or debug output. The rate of the memory leak is dependent on the
number of logs being produced. In extreme cases, the device may also crash. As a workaround, use the no
logging discriminator command to disable the logging discriminator.
Information About Configuring System Message Logs
System Message Logging
By default, a switch sends the output from system messages and debug privileged EXEC commands to a
logging process. The logging process controls the distribution of logging messages to various destinations,
such as the logging buffer, terminal lines, or a UNIX syslog server, depending on your configuration. The
process also sends messages to the console.
When the logging process is disabled, messages are sent only to the console. The messages are sent as they
are generated, so message and debug output are interspersed with prompts or output from other commands.
Messages appear on the active consoles after the process that generated them has finished.
You can set the severity level of the messages to control the type of messages displayed on the consoles and
each of the destinations. You can time-stamp log messages or set the syslog source address to enhance real-time
debugging and management. For information on possible messages, see the system message guide for this
release.
You can access logged system messages by using the switch command-line interface (CLI) or by saving them
to a properly configured syslog server. The switch software saves syslog messages in an internal buffer on a
standalone switch. If a standalone switch fails, the log is lost unless you had saved it to flash memory.
You can remotely monitor system messages by viewing the logs on a syslog server or by accessing the switch
through Telnet, through the console port, or through the Ethernet management port.
Note
The syslog format is compatible with 4.3 BSD UNIX.
System Log Message Format
System log messages can contain up to 80 characters and a percent sign (%), which follows the optional
sequence number or time-stamp information, if configured. Depending on the switch, messages appear in one
of these formats:
• seq no:timestamp: %facility-severity-MNEMONIC:description (hostname-n)
• seq no:timestamp: %facility-severity-MNEMONIC:description
The part of the message preceding the percent sign depends on the setting of these global configuration
commands:
• service sequence-numbers
• service timestamps log datetime
• service timestamps log datetime [localtime] [msec] [show-timezone]
• service timestamps log uptime
Table 23: System Log Message Elements
Element | Description
seq no: | Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured.
timestamp formats: mm/dd hh:mm:ss or hh:mm:ss (short uptime) or d h (long uptime) | Date and time of the message or event. This information appears only if the service timestamps log [datetime | log] global configuration command is configured.
facility | The facility to which the message refers (for example, SNMP, SYS, and so forth).
severity | Single-digit code from 0 to 7 that is the severity of the message.
MNEMONIC | Text string that uniquely describes the message.
description | Text string containing detailed information about the event being reported.
hostname-n | Hostname of a stack member and its switch number in the stack. Though the is a stack member, it does not append its hostname to system messages.
Default System Message Logging Settings
Table 24: Default System Message Logging Settings
Feature | Default Setting
System message logging to the console | Enabled.
Console severity | Debugging.
Logging file configuration | No filename specified.
Logging buffer size | 4096 bytes. (5)
Logging history size | 1 message.
Time stamps | Disabled.
Synchronous logging | Disabled.
Logging server | Disabled.
Syslog server IP address | None configured.
Server facility | Local7
Server severity | Informational.
(5) For Cisco IOS XE 3.6E release, the default logging buffer size is 16384 bytes.
Syslog Message Limits
If you enabled syslog message traps to be sent to an SNMP network management station by using the
snmp-server enable trap global configuration command, you can change the level of messages sent and
stored in the switch history table. You also can change the number of messages that are stored in the history
table.
Messages are stored in the history table because SNMP traps are not guaranteed to reach their destination. By
default, one message of the level warning and numerically lower levels are stored in the history table even
if syslog traps are not enabled.
When the history table is full (it contains the maximum number of message entries specified with the logging
history size global configuration command), the oldest message entry is deleted from the table to allow the
new message entry to be stored.
The history table lists the level keywords and severity level. For SNMP usage, the severity level values increase
by 1. For example, emergencies equal 1, not 0, and critical equals 3, not 2.
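The message format and the SNMP severity offset described above, worked through as an added Python example (not Cisco code). The sample lines are constructed, the keyword tuple follows the standard syslog level names, and the "(hostname-n)" match is a heuristic that assumes a hostname starts with a letter.

```python
import re
from collections import deque
from dataclasses import dataclass
from typing import List, Optional

# Keywords for severity codes 0-7 (index = severity digit in the message).
SEVERITY_KEYWORDS = ("emergencies", "alerts", "critical", "errors",
                     "warnings", "notifications", "informational", "debugging")

# %facility-severity-MNEMONIC:description
_BODY = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
                   r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<description>.*)$")
# A sequence number is a run of digits closed by ':' and followed by a space
# or nothing; an uptime stamp such as 00:00:46 never matches this pattern.
_SEQ = re.compile(r"^(?P<seq>\d+):(?:\s+(?P<rest>.*))?$")
# Optional trailing "(hostname-n)" suffix appended by stack members.
_STACK = re.compile(r"\s\((?P<host>[A-Za-z][\w.-]*)-(?P<member>\d+)\)$")


@dataclass
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str
    stack_host: Optional[str] = None
    stack_member: Optional[int] = None

    @property
    def keyword(self) -> str:
        return SEVERITY_KEYWORDS[self.severity]

    @property
    def snmp_severity(self) -> int:
        # In the SNMP history table the value is the syslog severity plus 1.
        return self.severity + 1


def parse_message(line: str) -> Optional[SyslogMessage]:
    """Parse one system log line; return None if it has no %FAC-SEV-MNEMONIC part."""
    line = line.strip()
    body = _BODY.search(line)
    if body is None:
        return None
    # Everything before '%' is the optional sequence number and time stamp.
    prefix = line[:body.start()].strip()
    seq, rest = None, prefix
    seq_match = _SEQ.match(prefix)
    if seq_match:
        seq, rest = int(seq_match.group("seq")), seq_match.group("rest") or ""
    timestamp = rest.rstrip(":").strip() or None
    description = body.group("description")
    host = member = None
    stack = _STACK.search(description)
    if stack:
        host, member = stack.group("host"), int(stack.group("member"))
        description = description[:stack.start()]
    return SyslogMessage(seq, timestamp, body.group("facility"),
                         int(body.group("severity")), body.group("mnemonic"),
                         description, host, member)


def history_table(messages: List[SyslogMessage], level: int = 4,
                  size: int = 1) -> List[SyslogMessage]:
    """Model the history table: keep messages at `level` or numerically lower,
    and drop the oldest entry once `size` entries are stored."""
    table = deque(maxlen=size)
    for msg in messages:
        if msg.severity <= level:
            table.append(msg)
    return list(table)


# Constructed sample lines covering the prefix variants in the format above.
SAMPLE_LINES = [
    "000019: *Mar  1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up",
    "%SYS-2-MALLOCFAIL: Memory allocation of 1028 bytes failed (Switch-2)",
    "000020: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down",
    "not a system message",
]

if __name__ == "__main__":
    parsed = [m for m in map(parse_message, SAMPLE_LINES) if m]
    for m in parsed:
        print(m.seq, m.timestamp, m.facility, m.keyword, m.snmp_severity, m.mnemonic)
    print([m.mnemonic for m in history_table(parsed)])
```

With the defaults (level warning, history size 1), only the most recent qualifying message survives in the modelled table, which is why a collector that relies on the history table alone can miss earlier events.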
Enabling Syslog Trap Messages
You can enable Syslog traps using the snmp-server enable traps syslog command.
After enabling Syslog traps, you have to specify the trap message severity. Use the logging snmp-trap
command to specify the trap level. By default, the command enables severity 0 to 4. To enable all the severity
levels, configure the logging snmp-trap 0 7 command.
To enable individual trap levels, configure the following commands:
• logging snmp-trap emergencies: Enables only severity 0 traps.
• logging snmp-trap alert: Enables only severity 1 traps.
Note that, along with the Syslog traps, the Syslog history should also be applied. Without this configuration,
Syslog traps are not sent.
Use the logging history informational command to enable the Syslog history.
How to Configure System Message Logs
Setting the Message Display Destination Device
If message logging is enabled, you can send messages to specific locations in addition to the console.
This task is optional.
SUMMARY STEPS
1. configure terminal
2. logging buffered [size]
3. logging host
4. logging file flash: filename [max-file-size [min-file-size]] [severity-level-number | type]
5. end
6. terminal monitor
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: logging buffered [size]
Purpose: Logs messages to an internal buffer on the switch or on a standalone switch or, in the case of a switch stack, on the . The range is 4096 to 2147483647 bytes. The default buffer size is 4096 bytes.
If a standalone switch or the fails, the log file is lost unless you previously saved it to flash memory. See Step 4.
Note: Do not make the buffer size too large because the switch could run out of memory for other tasks. Use the show memory privileged EXEC command to view the free processor memory on the switch. However, this value is the maximum available, and the buffer size should not be set to this amount.
Example:
Controller(config)# logging buffered 8192
Step 3
Command or Action: logging host
Purpose: Logs messages to a UNIX syslog server host.
host specifies the name or IP address of the host to be used as the syslog server.
To build a list of syslog servers that receive logging messages, enter this command more than once.
Example:
Controller(config)# logging 125.1.1.100
Step 4
Command or Action: logging file flash: filename [max-file-size [min-file-size]] [severity-level-number | type]
Purpose: Stores log messages in a file in flash memory on a standalone switch or, in the case of a switch stack, on the .
• filename—Enters the log message filename.
• (Optional) max-file-size—Specifies the maximum logging file size. The range is 4096 to 2147483647. The default is 4096 bytes.
• (Optional) min-file-size—Specifies the minimum logging file size. The range is 1024 to 2147483647. The default is 2048 bytes.
• (Optional) severity-level-number | type—Specifies either the logging severity level or the logging type. The severity range is 0 to 7.
Example:
Controller(config)# logging file flash:log_msg.txt 40960 4096 3
Step 5
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 6
Command or Action: terminal monitor
Purpose: Logs messages to a nonconsole terminal during the current session.
Terminal parameter-setting commands are set locally and do not remain in effect after the session has ended. You must perform this step for each session to see the debugging messages.
Example:
Controller# terminal monitor
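A configuration check for the logging destinations configured in the steps above, as an added Python example (not Cisco tooling). It applies the ranges and the logging discriminator restriction stated in this chapter to saved configuration text; the rule names and both sample configurations are constructed for illustration.

```python
import ipaddress

SIZE_MAX = 2147483647
BUFFER_MIN = 4096     # logging buffered [size]: 4096 to 2147483647 bytes
FILE_MAX_MIN = 4096   # logging file max-file-size: 4096 to 2147483647
FILE_MIN_MIN = 1024   # logging file min-file-size: 1024 to 2147483647


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_logging(config_text):
    """Return a list of (rule, message) findings for logging-related lines."""
    findings = []
    hosts, flash_file, timestamps, seq_numbers = [], False, False, False
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[:2] == ["logging", "discriminator"]:
            findings.append(("discriminator",
                             "logging discriminator may leak memory or crash the "
                             "device under heavy syslog or debug output"))
        elif words[:2] == ["logging", "buffered"]:
            if len(words) > 2 and words[2].isdigit():
                size = int(words[2])
                if not BUFFER_MIN <= size <= SIZE_MAX:
                    findings.append(("buffer-size",
                                     f"buffer size {size} is outside 4096-2147483647"))
        elif words[:2] == ["logging", "host"] and len(words) > 2:
            hosts.append(words[2])
        elif words[0] == "logging" and len(words) == 2 and _is_ip(words[1]):
            hosts.append(words[1])          # short form: logging <ip-address>
        elif (words[:2] == ["logging", "file"] and len(words) > 2
              and words[2].startswith("flash:")):
            flash_file = True
            nums = [int(w) for w in words[3:] if w.isdigit()]
            if nums and nums[-1] <= 7:      # trailing 0-7 is the severity level
                nums.pop()
            if nums and not FILE_MAX_MIN <= nums[0] <= SIZE_MAX:
                findings.append(("file-max-size",
                                 f"max-file-size {nums[0]} is outside 4096-2147483647"))
            if len(nums) > 1 and not FILE_MIN_MIN <= nums[1] <= SIZE_MAX:
                findings.append(("file-min-size",
                                 f"min-file-size {nums[1]} is outside 1024-2147483647"))
        elif words[:3] == ["service", "timestamps", "log"]:
            timestamps = True
        elif words[:2] == ["service", "sequence-numbers"]:
            seq_numbers = True
    if not hosts:
        detail = "" if flash_file else " and no flash log file; the buffer is lost if the device fails"
        findings.append(("no-syslog-host", "no syslog server configured" + detail))
    if not timestamps:
        findings.append(("no-timestamps", "time stamps are disabled by default"))
    if not seq_numbers:
        findings.append(("no-sequence-numbers", "messages carry no sequence numbers"))
    return findings


# Constructed configuration with out-of-range and missing settings.
WEAK_CONFIG = """\
logging discriminator NOISY severity drops 7
logging buffered 1024
logging file flash:log_msg.txt 2048 512 3
"""

# Constructed configuration that satisfies every check above.
HARDENED_CONFIG = """\
service timestamps log datetime localtime msec show-timezone
service sequence-numbers
no logging discriminator
logging buffered 16384
logging host 125.1.1.100
logging file flash:log_msg.txt 40960 4096 3
"""

if __name__ == "__main__":
    for rule, message in audit_logging(WEAK_CONFIG):
        print(f"{rule}: {message}")
    print(audit_logging(HARDENED_CONFIG))
```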
Synchronizing Log Messages
You can synchronize unsolicited messages and debug privileged EXEC command output with solicited device
output and prompts for a specific console port line or virtual terminal line. You can identify the types of
messages to be output asynchronously based on the level of severity. You can also configure the maximum
number of buffers for storing asynchronous messages for the terminal after which messages are dropped.
When synchronous logging of unsolicited messages and debug command output is enabled, unsolicited device
output is displayed or printed after solicited device output is displayed or printed. Unsolicited messages
and debug command output appear on the console after the prompt for user input is returned. Therefore,
unsolicited messages and debug command output are not interspersed with solicited device output and prompts.
After the unsolicited messages appear, the console again displays the user prompt.
This task is optional.
SUMMARY STEPS
1. configure terminal
2. line [console | vty] line-number [ending-line-number]
3. logging synchronous [level [severity-level | all] | limit number-of-buffers]
4. end
DETAILED STEPS
Step 1
Command or Action
Purpose
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
line [console | vty] line-number [ending-line-number]
Example:
Controller(config)# line console
Specifies the line to be configured for synchronous logging
of messages.
• console —Specifies configurations that occur through
the switch console port or the Ethernet management
port.
• line vty line-number—Specifies which vty lines are
to have synchronous logging enabled. You use a vty
connection for configurations that occur through a
Telnet session. The range of line numbers is from 0 to
15.
You can change the setting of all 16 vty lines at once by
entering:
line vty 0 15
You can also change the setting of the single vty line being
used for your current connection. For example, to change
the setting for vty line 2, enter:
line vty 2
When you enter this command, the mode changes to line
configuration.
Step 3
logging synchronous [level [severity-level | all] | limit number-of-buffers]
Example:
Controller(config)# logging synchronous level 3 limit 1000
Enables synchronous logging of messages.
• (Optional) level severity-level—Specifies the message
severity level. Messages with a severity level equal to
or higher than this value are printed asynchronously.
Low numbers mean greater severity and high numbers
mean lesser severity. The default is 2.
• (Optional) level all—Specifies that all messages are
printed asynchronously regardless of the severity level.
• (Optional) limit number-of-buffers—Specifies the
number of buffers to be queued for the terminal after
which new messages are dropped. The range is 0 to
2147483647. The default is 20.
Step 4
end
Returns to privileged EXEC mode.
Example:
Controller(config)# end
Disabling Message Logging
Message logging is enabled by default. It must be enabled to send messages to any destination other than the
console. When enabled, log messages are sent to a logging process, which logs messages to designated locations
asynchronously to the processes that generated the messages.
Disabling the logging process can slow down the switch because a process must wait until the messages are
written to the console before continuing. When the logging process is disabled, messages appear on the console
as soon as they are produced, often appearing in the middle of command output.
The logging synchronous global configuration command also affects the display of messages to the console.
When this command is enabled, messages appear only after you press Return.
To reenable message logging after it has been disabled, use the logging on global configuration command.
This task is optional.
SUMMARY STEPS
1. configure terminal
2. no logging console
3. end
DETAILED STEPS
Step 1
Command or Action
Purpose
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
no logging console
Disables message logging.
Example:
Controller(config)# no logging console
Step 3
end
Returns to privileged EXEC mode.
Example:
Controller(config)# end
Enabling and Disabling Time Stamps on Log Messages
By default, log messages are not time-stamped.
This task is optional.
SUMMARY STEPS
1. configure terminal
2. Use one of these commands:
• service timestamps log uptime
• service timestamps log datetime [msec | localtime | show-timezone]
3. end
DETAILED STEPS
Step 1
Command or Action
Purpose
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Use one of these commands:
• service timestamps log uptime
• service timestamps log datetime [msec | localtime | show-timezone]
Enables log time stamps.
• log uptime—Enables time stamps on log messages, showing the time since the system was rebooted.
• log datetime—Enables time stamps on log messages. Depending on the options selected, the time stamp can
include the date, time in milliseconds relative to the local time zone, and the time zone name.
Example:
Controller(config)# service timestamps log uptime
or
Controller(config)# service timestamps log datetime
Step 3
end
Returns to privileged EXEC mode.
Example:
Controller(config)# end
Enabling and Disabling Sequence Numbers in Log Messages
If there is more than one log message with the same time stamp, you can display messages with sequence
numbers to view these messages. By default, sequence numbers in log messages are not displayed.
This task is optional.
SUMMARY STEPS
1. configure terminal
2. service sequence-numbers
3. end
DETAILED STEPS
Step 1
Command or Action
Purpose
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
service sequence-numbers
Enables sequence numbers.
Example:
Controller(config)# service sequence-numbers
Step 3
end
Returns to privileged EXEC mode.
Example:
Controller(config)# end
Defining the Message Severity Level
Limit messages displayed to the selected device by specifying the severity level of the message.
This task is optional.
SUMMARY STEPS
1. configure terminal
2. logging console level
3. logging monitor level
4. logging trap level
5. end
DETAILED STEPS
Step 1
Command or Action
Purpose
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
logging console level
Limits messages logged to the console.
By default, the console receives debugging messages and numerically lower levels.
Example:
Controller(config)# logging console 3
Step 3
logging monitor level
Limits messages logged to the terminal lines.
By default, the terminal receives debugging messages and numerically lower levels.
Example:
Controller(config)# logging monitor 3
Step 4
logging trap level
Limits messages logged to the syslog servers.
By default, syslog servers receive informational messages and numerically lower levels.
Example:
Controller(config)# logging trap 3
Step 5
end
Returns to privileged EXEC mode.
Example:
Controller(config)# end
Limiting Syslog Messages Sent to the History Table and to SNMP
This task explains how to limit syslog messages that are sent to the history table and to SNMP.
This task is optional.
SUMMARY STEPS
1. configure terminal
2. logging history level
3. logging history size number
4. end
DETAILED STEPS
Step 1
Command or Action
Purpose
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
logging history level
Changes the default level of syslog messages stored in the history file and sent to the SNMP server.
By default, warnings, errors, critical, alerts, and emergencies messages are sent.
Example:
Controller(config)# logging history 3
Step 3
logging history size number
Specifies the number of syslog messages that can be stored in the history table.
The default is to store one message. The range is 0 to 500 messages.
Example:
Controller(config)# logging history size 200
Step 4
end
Returns to privileged EXEC mode.
Example:
Controller(config)# end
Logging Messages to a UNIX Syslog Daemon
This task is optional.
Note
Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network.
If this is the case with your system, use the UNIX man syslogd command to decide what options must be
added to or removed from the syslog command line to enable logging of remote syslog messages.
Before you begin
• Log in as root.
• Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon
on a UNIX server.
SUMMARY STEPS
1. Add a line to the file /etc/syslog.conf.
2. Enter these commands at the UNIX shell prompt.
3. Make sure the syslog daemon reads the new changes.
DETAILED STEPS
Command or Action
Purpose
Step 1
Add a line to the file /etc/syslog.conf.
• local7—Specifies the logging facility.
• debug—Specifies the syslog level. The file must already exist, and the syslog daemon must have
permission to write to it.
Example:
local7.debug /usr/adm/logs/cisco.log
Step 2
Enter these commands at the UNIX shell prompt.
Creates the log file. The syslog daemon sends messages at this level or at a more severe level to this file.
Example:
$ touch /var/log/cisco.log
$ chmod 666 /var/log/cisco.log
Step 3
Make sure the syslog daemon reads the new changes.
For more information, see the man syslog.conf and man syslogd commands on your UNIX system.
Example:
$ kill -HUP `cat /etc/syslog.pid`
Monitoring and Maintaining System Message Logs
Monitoring Configuration Archive Logs
Command
Purpose
show archive log config {all | number [end-number] | user username [session number] number [end-number] | statistics} [provisioning]
Displays the entire configuration log or the log for specified parameters.
Configuration Examples for System Message Logs
Example: Switch System Message
This example shows a partial switch system message on a switch:
00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down 2
*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
18:47:02: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
*Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
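An added example (not part of the Cisco guide): a Python parser for the message formats shown above, used to check which messages a destination set to a given severity level receives and to pull configuration-change events out of a collected log. It also handles the untimestamped and sequence-numbered forms described earlier; the sequence-numbered sample line, the function names and the field names are constructed for illustration.

```python
import re

# Names for the 0-7 severity range used by the logging commands in this chapter.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Lines 1-5 are taken from the guide's sample; line 6 is constructed to show
# the form produced when "service sequence-numbers" is enabled.
SAMPLE = """\
00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
18:47:02: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
*Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
000019: *Mar 1 18:49:10.001 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
"""

LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"          # optional sequence number
    r"(?:(?P<ts>[^%]*?): )?"         # optional time stamp (off by default)
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
MONTH_RE = re.compile(r"\b(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b")
CONFIG_RE = re.compile(
    r"^Configured from (?P<source>\S+) by (?P<who>.+?)"
    r"(?: \((?P<addr>[0-9A-Fa-f.:]+)\))?$"
)


def parse_line(line):
    """Split one system message into its fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = m.group("ts")
    if ts is None:
        kind = "none"        # time stamps not enabled
    elif MONTH_RE.search(ts):
        kind = "datetime"    # service timestamps log datetime
    else:
        kind = "no-date"     # hh:mm:ss only: cannot be placed on a calendar
    sev = int(m.group("sev"))
    return {
        "seq": int(m.group("seq")) if m.group("seq") else None,
        "timestamp": ts.lstrip("*.") if ts else None,
        "ts_kind": kind,
        # IOS prefixes the time with '*' when the clock is not authoritative.
        "clock_not_authoritative": bool(ts) and ts.startswith("*"),
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def parse_log(text):
    """Parse every non-blank line, dropping lines that are not system messages."""
    parsed = (parse_line(l) for l in text.splitlines() if l.strip())
    return [r for r in parsed if r is not None]


def forwarded(records, level):
    """Messages a destination set to `level` receives: that level and numerically lower."""
    return [r for r in records if r["severity"] <= level]


def config_changes(records):
    """Extract who changed the configuration, and from where, from SYS-5-CONFIG_I."""
    out = []
    for r in records:
        if (r["facility"], r["mnemonic"]) != ("SYS", "CONFIG_I"):
            continue
        m = CONFIG_RE.match(r["text"])
        if m:
            out.append({"who": m.group("who"), "addr": m.group("addr"),
                        "timestamp": r["timestamp"], "ts_kind": r["ts_kind"]})
    return out


if __name__ == "__main__":
    records = parse_log(SAMPLE)
    for level in (3, 6):
        kept = forwarded(records, level)
        print(f"level {level} ({SEVERITY_NAMES[level]}): "
              f"{len(kept)} of {len(records)} messages, "
              f"{len(config_changes(kept))} config-change events")
```

At level 3, as in the `logging trap 3` example, the severity-5 %SYS-5-CONFIG_I messages are filtered out before they reach the syslog server; the default informational level keeps them.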
Additional References for System Message Logs
Related Documents
Related Topic
Document Title
System management commands
• System Management Command Reference (Catalyst 3850 Switches)
• System Management Command Reference (Cisco WLC 5700 Series)
• System Management Command Reference (Catalyst 3650 Switches)
Platform-independent command references
• Configuration Fundamentals Command Reference, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
Platform-independent configuration information
• Configuration Fundamentals Configuration Guide, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
• IP Addressing Configuration Guide Library, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
Standards and RFCs
Standard/RFC Title
None
—
MIBs
MIB
MIBs Link
All supported MIBs for this
release.
To locate and download MIBs for selected platforms, Cisco IOS releases,
and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
Technical Assistance
Description
Link
The Cisco Support website provides extensive online resources, including
documentation and tools for troubleshooting and resolving technical issues
with Cisco products and technologies.
http://www.cisco.com/support
To receive security and technical information about your products, you can
subscribe to various services, such as the Product Alert Tool (accessed from
Field Notices), the Cisco Technical Services Newsletter, and Really Simple
Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user
ID and password.
Additional References for System Message Logs
Related Documents
Related Topic
Document Title
System management commands
• System Management Command Reference (Catalyst 3650 Switches)
• System Management Command Reference (Cisco WLC 5700 Series)
Platform-independent command references
• Configuration Fundamentals Command Reference, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Platform-independent configuration information
• IP Addressing Configuration Guide Library, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
• Configuration Fundamentals Configuration Guide, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Standards and RFCs
Standard/RFC Title
None
—
MIBs
MIB
MIBs Link
All supported MIBs for this
release.
To locate and download MIBs for selected platforms, Cisco IOS releases,
and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
Technical Assistance
Description
Link
The Cisco Support website provides extensive online resources, including
documentation and tools for troubleshooting and resolving technical issues
with Cisco products and technologies.
http://www.cisco.com/support
To receive security and technical information about your products, you can
subscribe to various services, such as the Product Alert Tool (accessed from
Field Notices), the Cisco Technical Services Newsletter, and Really Simple
Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user
ID and password.
Feature History and Information For System Message Logs
Release
Modification
Cisco IOS XE 3.2SE
Cisco IOS XE 3.3SE
Cisco IOS XE 3.3SE
This feature was introduced.
CHAPTER
16
Configuring Online Diagnostics
• Finding Feature Information
• Finding Feature Information
• Information About Configuring Online Diagnostics
• How to Configure Online Diagnostics
• Monitoring and Maintaining Online Diagnostics
• Configuration Examples for Online Diagnostic Tests
• Additional References for Online Diagnostics
• Feature History and Information for Configuring Online Diagnostics
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Related Topics
Feature History and Information for Troubleshooting Software Configuration
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Information About Configuring Online Diagnostics
Online Diagnostics
With online diagnostics, you can test and verify the hardware functionality of the Controller while the Controller
is connected to a live network.
The online diagnostics contain packet switching tests that check different hardware components and verify
the data path and the control signals.
The online diagnostics detect problems in these areas:
• Hardware components
• Interfaces (Ethernet ports and so forth)
• Solder joints
Online diagnostics are categorized as on-demand, scheduled, or health-monitoring diagnostics. On-demand
diagnostics run from the CLI; scheduled diagnostics run at user-designated intervals or at specified times
when the Controller is connected to a live network; and health-monitoring runs in the background with
user-defined intervals. By default, the health-monitoring test runs every 30 seconds.
After you configure online diagnostics, you can manually start diagnostic tests or display the test results. You
can also see which tests are configured for the Controller or switch stack and the diagnostic tests that have
already run.
How to Configure Online Diagnostics
Starting Online Diagnostic Tests
After you configure diagnostic tests to run on the Controller, use the diagnostic start privileged EXEC
command to begin diagnostic testing.
After starting the tests, you cannot stop the testing process.
Use this privileged EXEC command to manually start online diagnostic testing:
SUMMARY STEPS
1. diagnostic start switch number test {name | test-id | test-id-range | all | basic | complete | minimal |
non-disruptive | per-port}
DETAILED STEPS
Step 1
Command or Action
Purpose
diagnostic start switch number test {name | test-id | test-id-range | all | basic | complete | minimal |
non-disruptive | per-port}
Starts the diagnostic tests.
You can specify the tests by using one of these options:
• name—Enters the name of the test.
• test-id—Enters the ID number of the test.
• test-id-range—Enters the range of test IDs by using integers separated by a comma and a hyphen.
• all—Starts all of the tests.
• basic—Starts the basic test suite.
• complete—Starts the complete test suite.
• minimal—Starts the minimal bootup test suite.
• non-disruptive—Starts the non-disruptive test suite.
• per-port—Starts the per-port test suite.
Example:
Controller# diagnostic start switch 2 test basic
Configuring Online Diagnostics
You must configure the failure threshold and the interval between tests before enabling diagnostic monitoring.
Scheduling Online Diagnostics
You can schedule online diagnostics to run at a designated time of day or on a daily, weekly, or monthly basis
for a Controller. Use the no form of this command to remove the scheduling.
SUMMARY STEPS
1. configure terminal
2. diagnostic schedule switch number test {name | test-id | test-id-range | all | basic | complete | minimal
| non-disruptive | per-port} {daily | on mm dd yyyy hh:mm | port inter-port-number port-number-list |
weekly day-of-week hh:mm}
DETAILED STEPS
Step 1
Command or Action
Purpose
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
diagnostic schedule switch number test {name | test-id | test-id-range | all | basic | complete | minimal |
non-disruptive | per-port} {daily | on mm dd yyyy hh:mm | port inter-port-number port-number-list |
weekly day-of-week hh:mm}
Schedules on-demand diagnostic tests for a specific day and time.
When specifying the tests to be scheduled, use these options:
• name—Name of the test that appears in the show diagnostic content command output.
• test-id—ID number of the test that appears in the show diagnostic content command output.
• test-id-range—ID numbers of the tests that appear in the show diagnostic content command output.
• all—All test IDs.
• basic—Starts the basic on-demand diagnostic tests.
• complete—Starts the complete test suite.
• minimal—Starts the minimal bootup test suite.
• non-disruptive—Starts the non-disruptive test suite.
• per-port—Starts the per-port test suite.
You can schedule the tests as follows:
• Daily—Use the daily hh:mm parameter.
• Specific day and time—Use the on mm dd yyyy hh:mm parameter.
• Weekly—Use the weekly day-of-week hh:mm parameter.
Example:
Controller(config)# diagnostic schedule switch 3 test 1-5 on July 3 2013 23:10
Configuring Health-Monitoring Diagnostics
You can configure health-monitoring diagnostic testing on a Controller while it is connected to a live network.
You can configure the execution interval for each health-monitoring test, enable the Controller to generate a
syslog message because of a test failure, and enable a specific test.
Use the no form of this command to disable testing.
By default, health monitoring is disabled, but the Controller generates a syslog message when a test fails.
Follow these steps to configure and enable the health-monitoring diagnostic tests:
SUMMARY STEPS
1. enable
2. configure terminal
3. diagnostic monitor interval switch number test {name | test-id | test-id-range | all} hh:mm:ss milliseconds
day
4. diagnostic monitor syslog
5. diagnostic monitor threshold switch number number test {name | test-id | test-id-range | all} failure
count count
6. diagnostic monitor switch number test {name | test-id | test-id-range | all}
7. end
8. show running-config
9. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action
Purpose
enable
Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Controller> enable
Step 2
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
diagnostic monitor interval switch number test {name | test-id | test-id-range | all} hh:mm:ss milliseconds day
Configures the health-monitoring interval of the specified tests.
When specifying the tests, use one of these parameters:
• name—Name of the test that appears in the show diagnostic content command output.
• test-id—ID number of the test that appears in the show diagnostic content command output.
• test-id-range—ID numbers of the tests that appear in the show diagnostic content command output.
• all—All of the diagnostic tests.
When specifying the interval, set these parameters:
• hh:mm:ss—Monitoring interval in hours, minutes, and seconds. The range for hh is 0 to 24, and the range for
mm and ss is 0 to 60.
• milliseconds—Monitoring interval in milliseconds (ms). The range is from 0 to 999.
• day—Monitoring interval in the number of days. The range is from 0 to 20.
Example:
Controller(config)# diagnostic monitor interval switch 2 test 1 12:30:00 750 5
Step 4
diagnostic monitor syslog
(Optional) Configures the switch to generate a syslog message when a health-monitoring test fails.
Example:
Controller(config)# diagnostic monitor syslog
Step 5
diagnostic monitor threshold switch number number test {name | test-id | test-id-range | all} failure count count
(Optional) Sets the failure threshold for the health-monitoring tests.
When specifying the tests, use one of these parameters:
• name—Name of the test that appears in the show diagnostic content command output.
• test-id—ID number of the test that appears in the show diagnostic content command output.
• test-id-range—ID numbers of the tests that appear in the show diagnostic content command output.
• all—All of the diagnostic tests.
The range for the failure threshold count is 0 to 99.
Example:
Controller(config)# diagnostic monitor threshold switch 2 test 1 failure count 20
Step 6
diagnostic monitor switch number test {name | test-id | test-id-range | all}
Enables the specified health-monitoring tests.
The switch number keyword is supported only on stacking switches.
When specifying the tests, use one of these parameters:
• name—Name of the test that appears in the show diagnostic content command output.
• test-id—ID number of the test that appears in the show diagnostic content command output.
• test-id-range—ID numbers of the tests that appear in the show diagnostic content command output.
• all—All of the diagnostic tests.
Example:
Controller(config)# diagnostic monitor switch 2 test 1
Step 7
end
Returns to privileged EXEC mode.
Example:
Controller(config)# end
Step 8
show running-config
Verifies your entries.
Example:
Controller# show running-config
Step 9
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
What to do next
Use the no diagnostic monitor interval test {test-id | test-id-range} global configuration command to change
the interval to the default value or to zero. Use the no diagnostic monitor syslog command to disable generation
of syslog messages when a health-monitoring test fails. Use the diagnostic monitor threshold test {test-id |
test-id-range} failure count command to remove the failure threshold.
Monitoring and Maintaining Online Diagnostics
Displaying Online Diagnostic Tests and Test Results
You can display the online diagnostic tests that are configured for the Controller or Controller stack and check
the test results by using the privileged EXEC show commands in this table:
Table 25: Commands for Diagnostic Test Configuration and Results
Command
Purpose
show diagnostic content switch [number | all]
Displays the online diagnostics configured for a switch.
show diagnostic status
Displays the currently running diagnostic tests.
show diagnostic result switch [number | all] [detail | test {name | test-id | test-id-range | all} [detail]]
Displays the online diagnostics test results.
show diagnostic switch [number | all] [detail]
Displays the online diagnostics test results.
show diagnostic schedule switch [number | all]
Displays the online diagnostics test schedule.
show diagnostic post
Displays the POST results. (The output is the same as the show post command output.)
Configuration Examples for Online Diagnostic Tests
Examples: Start Diagnostic Tests
This example shows how to start a diagnostic test by using the test name:
Controller# diagnostic start switch 2 test TestInlinePwrCtlr
This example shows how to start all of the basic diagnostic tests:
Controller# diagnostic start switch 1 test all
Example: Configure a Health Monitoring Test
This example shows how to configure a health-monitoring test:
Controller(config)# diagnostic monitor threshold switch 1 test 1 failure count 50
Controller(config)# diagnostic monitor interval switch 1 test TestPortAsicStackPortLoopback
Examples: Schedule Diagnostic Test
This example shows how to schedule diagnostic testing for a specific day and time on a specific switch:
Controller(config)# diagnostic schedule test DiagThermalTest on June 3 2013 22:25
This example shows how to schedule diagnostic testing to occur weekly at a certain time on a specific switch:
Controller(config)# diagnostic schedule switch 1 test 1,2,4-6 weekly saturday 10:30
Examples: Displaying Online Diagnostics
This example shows how to display on demand diagnostic settings:
Controller# show diagnostic ondemand settings
Test iterations = 1
Action on test failure = continue
This example shows how to display diagnostic events for errors:
Controller# show diagnostic events event-type error
Diagnostic events (storage for 500 events, 0 events recorded)
Number of events matching above criteria = 0
No diagnostic log entry exists.
This example shows how to display the description for a diagnostic test:
Controller# show diagnostic description switch 1 test all
DiagGoldPktTest :
The GOLD packet Loopback test verifies the MAC level loopback
functionality. In this test, a GOLD packet, for which doppler
provides the support in hardware, is sent. The packet loops back
at MAC level and is matched against the stored packet. It is a non
-disruptive test.
DiagThermalTest :
This test verifies the temperature reading from the sensor is below the yellow
temperature threshold. It is a non-disruptive test and can be run as a health
monitoring test.
DiagFanTest :
This test verifies all fan modules have been inserted and working properly on the
board
It is a non-disruptive test and can be run as a health monitoring test.
DiagPhyLoopbackTest :
The PHY Loopback test verifies the PHY level loopback
functionality. In this test, a packet is sent which loops back
at PHY level and is matched against the stored packet. It is a
disruptive test and cannot be run as a health monitoring test.
DiagScratchRegisterTest :
The Scratch Register test monitors the health of application-specific
integrated circuits (ASICs) by writing values into registers and reading
back the values from these registers. It is a non-disruptive test and can
be run as a health monitoring test.
DiagPoETest :
This test checks the PoE controller functionality. This is a disruptive test
and should not be performed during normal switch operation.
DiagMemoryTest :
This test runs the exhaustive ASIC memory test during normal switch operation
NG3K utilizes mbist for this test. Memory test is very disruptive
in nature and requires switch reboot after the test.
Controller#
This example shows how to display the boot up level:
Controller# show diagnostic bootup level
Current bootup diagnostic level: minimal
Controller#
Additional References for Online Diagnostics
Related Documents
Related Topic
Document Title
System management commands
• System Management Command Reference (Catalyst 3850 Switches)
• System Management Command Reference (Cisco WLC 5700 Series)
• System Management Command Reference (Catalyst 3650 Switches)
Platform-independent command reference
• Configuration Fundamentals Command Reference, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
Platform-independent configuration information
• Configuration Fundamentals Configuration Guide, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
Standards and RFCs

Standard/RFC   Title
None           —

MIBs

MIB: All supported MIBs for this release.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support
Feature History and Information for Configuring Online Diagnostics

Release               Modification
Cisco IOS XE 3.2SE    This feature was introduced.
Cisco IOS XE 3.3SE
Cisco IOS XE 3.3SE
CHAPTER 17
Predownloading an Image to Access Points
• Finding Feature Information
• Information About Predownloading an Image to an Access Point
• Restrictions for Predownloading an Image to an Access Point
• How to Predownload an Image to an Access Point
• Monitoring the Access Point Predownload Process
• Examples: Access Point Predownload Process
• Additional References for Predownloading an Image to an Access Point
• Feature History and Information For Performing Predownloading an Image to an Access Point
Finding Feature Information
Your software release may not support all of the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Information About Predownloading an Image to an Access Point
To minimize network outages, you can download an upgrade image to an access point from the controller without
resetting the access point or losing network connectivity. Previously, you could download an upgrade image
to the controller and reset it, causing the access point to go into discovery mode. After the access point
discovered the controller with the new image, the access point would download the new image, reset, go
into discovery mode, and rejoin the controller.
Now, you can download the upgrade image to the controller and then download the image to the access point
while the network is still up. When both devices are up, the access point discovers and rejoins the controller.
Restrictions for Predownloading an Image to an Access Point
The following are the restrictions for predownloading an image to an access point:
• The maximum number of concurrent predownloads is limited to half the number of concurrent normal
image downloads. This limitation allows new access points to join the controller during image
downloading.
If you reach the predownload limit, then the access points that cannot get an image sleep for a time
between 180 and 600 seconds and then reattempt the predownload.
• Access points with 16-MB total available memory may not have enough free memory to download an
upgrade image and may automatically delete crash information files, radio files, and backup images, if
any, to free up space. However, this limitation does not affect the predownload process because the
predownload image replaces the backup image, if any, on the access point.
• All of the primary, secondary, and tertiary controllers should run the same images. Otherwise, the feature
will not be effective.
• At the time of reset, you must make sure that all of the access points have downloaded the image.
• An access point can store only 2 software images.
How to Predownload an Image to an Access Point
Predownloading an Image to Access Points (CLI)
Before you begin
There are some prerequisites that you must keep in mind while predownloading an image to an access point:
• Predownloading can be done only when the controller is booted in the install mode.
• You can copy the new image either from the TFTP server, flash image, or USB.
• Before predownloading the new image, you must install the new software using the software install
command and select no to the reload option.
• If the latest upgrade image is already present in the AP, predownload will not be triggered. Check whether
the primary and backup image versions are the same as the upgrade image, using the show ap image
command.
SUMMARY STEPS
1. ap image predownload or ap ap-name image predownload
2. show ap image
3. ap image swap
4. ap image reset
5. reload
DETAILED STEPS
Step 1
Command or Action: ap image predownload or ap ap-name image predownload
Purpose: Downloads the new image to all the access points or a specific access point connected to the controller.
Example:
Controller# ap image predownload
Controller#
Step 2
Command or Action: show ap image
Purpose: Verifies the access point's predownload status. This command initially displays the status as Predownloading and then moves to Completed, when download is complete.
Example:
Controller# show ap image
Step 3
Command or Action: ap image swap
Purpose: Swaps the images of the APs that have completed predownload.
Example:
Controller# ap image swap
Step 4
Command or Action: ap image reset
Purpose: Resets the access points.
Example:
Controller# ap image reset
Step 5
Command or Action: reload
Purpose: Resets the system.
Example:
Controller# reload
Monitoring the Access Point Predownload Process
This section describes the commands that you can use to monitor the access point predownload process.
While downloading an access point predownload image, enter the show ap image command to verify the
predownload progress on the corresponding access point:
Controller# show ap image
Total number of APs : 1

Number of APs
        Initiated                  : 1
        Predownloading             : 1
        Completed predownloading   : 0
        Not Supported              : 0
        Failed to Predownload      : 0

AP Name   Primary Image   Backup Image   Predownload Status   Predownload Ver...   Next Retry Time   Retry Count
------------------------------------------------------------------------------------------------------------------
AP1       10.0.1.66       10.0.1.66      Predownloading       10.0.1.67            NA                0

Controller# show ap image
Total number of APs : 1

Number of APs
        Initiated                  : 1
        Predownloading             : 0
        Completed predownloading   : 1
        Not Supported              : 0
        Failed to Predownload      : 0

AP Name   Primary Image   Backup Image   Predownload Status   Predownload Ver...   Next Retry Time   Retry Count
------------------------------------------------------------------------------------------------------------------
AP1       10.0.1.66       10.0.1.67      Complete             10.0.1.67            NA                0
Use the following command to view the image details of a particular AP:
Controller# show ap name APe4aa.5dd1.99b0 image
AP Name : APe4aa.5dd1.99b0
Primary Image : 16.6.230.46
Backup Image : 3.0.51.0
Predownload Status : None
Predownload Version : 000.000.000.000
Next Retry Time : N/A
Retry Count : 0
Examples: Access Point Predownload Process
This example shows how to predownload an image to an access point AP1:
Controller# ap image predownload
Controller# show ap image
Controller# ap image swap
Controller# show ap image
Controller# ap image reset
Controller# reload
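The restriction that every access point must hold the new image at the time of reset can be checked from captured show ap image output before ap image reset is entered. The following is an added example, not Cisco code: the sample output is constructed and modeled on the listings above, and AP2, AP3, the whitespace-delimited column layout and all function names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample modeled on the "show ap image" output in this chapter.
# AP2, AP3 and their values are invented for illustration.
SAMPLE = """\
Total number of APs : 3

Number of APs
        Initiated                  : 2
        Predownloading             : 1
        Completed predownloading   : 1
        Not Supported              : 0
        Failed to Predownload      : 0

AP Name   Primary Image   Backup Image   Predownload Status   Predownload Ver...   Next Retry Time   Retry Count
------------------------------------------------------------------------------------------------------------------
AP1       10.0.1.66       10.0.1.67      Complete             10.0.1.67            NA                0
AP2       10.0.1.66       10.0.1.66      Predownloading       10.0.1.67            NA                0
AP3       10.0.1.67       10.0.1.66      None                 000.000.000.000      N/A               0
"""

@dataclass
class ApImage:
    name: str
    primary: str
    backup: str
    status: str
    predownload_ver: str
    next_retry: str
    retry_count: int

COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$")

def parse_show_ap_image(text):
    """Return (summary counters, per-AP rows) from captured output."""
    counters, aps, in_table = {}, [], False
    for line in text.splitlines():
        if set(line.strip()) == {"-"}:      # dashed rule starts the AP table
            in_table = True
            continue
        if not in_table:
            m = COUNTER_RE.match(line)
            if m:
                counters[m.group(1)] = int(m.group(2))
            continue
        tokens = line.split()
        # Assumption: AP name, versions and retry time are single tokens;
        # the status (for example "Not Supported") may span several.
        if len(tokens) < 7 or not tokens[-1].isdigit():
            continue
        aps.append(ApImage(tokens[0], tokens[1], tokens[2],
                           " ".join(tokens[3:-3]), tokens[-3],
                           tokens[-2], int(tokens[-1])))
    return counters, aps

def reset_blockers(text, target):
    """List reasons why 'ap image reset' should not be entered yet."""
    counters, aps = parse_show_ap_image(text)
    problems = []
    total = counters.get("Total number of APs")
    if total != len(aps):
        # A paged or cut-off capture must not be read as "all APs ready".
        problems.append(f"capture lists {len(aps)} APs but reports {total}")
    for ap in aps:
        has_image = target in (ap.primary, ap.backup)
        done = ap.status == "Complete" and ap.predownload_ver == target
        already_present = ap.status == "None"   # predownload not triggered
        if has_image and (done or already_present):
            continue
        problems.append(f"{ap.name}: status={ap.status}, "
                        f"primary={ap.primary}, backup={ap.backup}")
    return problems

if __name__ == "__main__":
    for reason in reset_blockers(SAMPLE, "10.0.1.67"):
        print("BLOCKED:", reason)
```

An empty list from reset_blockers means every listed access point already holds the target version in its primary or backup slot.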
Additional References for Predownloading an Image to an Access Point
Related Documents

Related Topic                            Document Title
Lightweight access points configuration  Lightweight Access Point Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
                                         Lightweight Access Point Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Lightweight Access Point commands        Lightweight Access Point Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
                                         Lightweight Access Point Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Standards and RFCs

Standard/RFC   Title
None           —

MIBs

MIB: All the supported MIBs for this release.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support
Feature History and Information For Performing Predownloading an Image to an Access Point

Release               Feature Information
Cisco IOS XE 3.2SE    This feature was introduced.
Cisco IOS XE 3.3SE
Cisco IOS XE 3.3SE
CHAPTER 18
Troubleshooting the Software Configuration
This chapter describes how to identify and resolve software problems related to the Cisco IOS software on
the switch. Depending on the nature of the problem, you can use the command-line interface (CLI), Device
Manager, or Network Assistant to identify and solve problems.
Additional troubleshooting information, such as LED descriptions, is provided in the hardware installation
guide.
• Finding Feature Information
• Information About Troubleshooting the Software Configuration
• How to Troubleshoot the Software Configuration
• Verifying Troubleshooting of the Software Configuration
• Scenarios for Troubleshooting the Software Configuration
• Configuration Examples for Troubleshooting Software
• Additional References for Troubleshooting Software Configuration
• Feature History and Information for Troubleshooting Software Configuration
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Related Topics
Feature History and Information for Troubleshooting Software Configuration, on page 278
Information About Troubleshooting the Software Configuration
Software Failure on a Switch
Switch software can be corrupted during an upgrade, by downloading the incorrect file to the switch, or by
deleting the image file. In all of these cases, the switch does not pass the power-on self-test (POST), and there
is no connectivity.
Related Topics
Recovering from a Software Failure, on page 256
Lost or Forgotten Password on a Controller
The default configuration for the controller allows an end user with physical access to the controller to recover
from a lost password by interrupting the boot process during power-on and by entering a new password. These
recovery procedures require that you have physical access to the controller.
Note
On these controllers, a system administrator can disable some of the functionality of this feature by allowing
an end user to reset a password only by agreeing to return to the default configuration. If you are an end user
trying to reset a password when password recovery has been disabled, a status message reminds you to return
to the default configuration during the recovery process.
Note
You cannot recover the encryption password key when the Cisco WLC configuration is copied from one Cisco WLC
to another (in case of an RMA).
Related Topics
Recovering from a Lost or Forgotten Password, on page 259
Power over Ethernet Ports
A Power over Ethernet (PoE) switch port automatically supplies power to one of these connected devices if
the switch detects that there is no power on the circuit:
• a Cisco pre-standard powered device (such as a Cisco IP Phone or a Cisco Aironet Access Point)
• an IEEE 802.3af-compliant powered device
• an IEEE 802.3at-compliant powered device
A powered device can receive redundant power when it is connected to a PoE switch port and to an AC power
source. The device does not receive redundant power when it is only connected to the PoE port.
After the switch detects a powered device, the switch determines the device power requirements and then
grants or denies power to the device. The switch can also detect the real-time power consumption of the device
by monitoring and policing the power usage.
For more information, see the "Configuring PoE" chapter in the Interface and Hardware Component
Configuration Guide (Catalyst 3850 Switches), the Interface Configuration Guide (Cisco WLC 5700 Series),
or the Interface and Hardware Component Configuration Guide (Catalyst 3650 Switches).
Related Topics
Scenarios to Troubleshoot Power over Ethernet (PoE), on page 271
Disabled Port Caused by Power Loss
If a powered device (such as a Cisco IP Phone 7910) that is connected to a PoE Controller port and powered
by an AC power source loses power from the AC power source, the device might enter an error-disabled state.
To recover from an error-disabled state, enter the shutdown interface configuration command, and then enter
the no shutdown interface command. You can also configure automatic recovery on the Controller to recover
from the error-disabled state.
On a Controller, the errdisable recovery cause loopback and the errdisable recovery interval seconds
global configuration commands automatically take the interface out of the error-disabled state after the specified
period of time.
Disabled Port Caused by False Link-Up
If a Cisco powered device is connected to a port and you configure the port by using the power inline never
interface configuration command, a false link-up can occur, placing the port into an error-disabled state. To
take the port out of the error-disabled state, enter the shutdown and the no shutdown interface configuration
commands.
You should not connect a Cisco powered device to a port that has been configured with the power inline
never command.
Ping
The Controller supports IP ping, which you can use to test connectivity to remote hosts. Ping sends an echo
request packet to an address and waits for a reply. Ping returns one of these responses:
• Normal response—The normal response (hostname is alive) occurs in 1 to 10 seconds, depending on
network traffic.
• Destination does not respond—If the host does not respond, a no-answer message is returned.
• Unknown host—If the host does not exist, an unknown host message is returned.
• Destination unreachable—If the default gateway cannot reach the specified network, a
destination-unreachable message is returned.
• Network or host unreachable—If there is no entry in the route table for the host or network, a network
or host unreachable message is returned.
Related Topics
Executing Ping, on page 265
Example: Pinging an IP Host, on page 273
Layer 2 Traceroute
The Layer 2 traceroute feature allows the switch to identify the physical path that a packet takes from a source
device to a destination device. Layer 2 traceroute supports only unicast source and destination MAC addresses.
Traceroute finds the path by using the MAC address tables of the Controllers in the path. When the Controller
detects a device in the path that does not support Layer 2 traceroute, the Controller continues to send Layer
2 trace queries and lets them time out.
The Controller can only identify the path from the source device to the destination device. It cannot identify
the path that a packet takes from source host to the source device or from the destination device to the destination
host.
Layer 2 Traceroute Guidelines
• Cisco Discovery Protocol (CDP) must be enabled on all the devices in the network. For Layer 2 traceroute
to function properly, do not disable CDP.
If any devices in the physical path are transparent to CDP, the switch cannot identify the path through
these devices.
• A Controller is reachable from another Controller when you can test connectivity by using the ping
privileged EXEC command. All Controllers in the physical path must be reachable from each other.
• The maximum number of hops identified in the path is ten.
• You can enter the traceroute mac or the traceroute mac ip privileged EXEC command on a Controller
that is not in the physical path from the source device to the destination device. All Controllers in the path
must be reachable from this switch.
• The traceroute mac command output shows the Layer 2 path only when the specified source and
destination MAC addresses belong to the same VLAN. If you specify source and destination MAC
addresses that belong to different VLANs, the Layer 2 path is not identified, and an error message appears.
• If you specify a multicast source or destination MAC address, the path is not identified, and an error
message appears.
• If the source or destination MAC address belongs to multiple VLANs, you must specify the VLAN to
which both the source and destination MAC addresses belong. If the VLAN is not specified, the path is
not identified, and an error message appears.
• The traceroute mac ip command output shows the Layer 2 path when the specified source and destination
IP addresses belong to the same subnet. When you specify the IP addresses, the Controller uses the
Address Resolution Protocol (ARP) to associate the IP addresses with the corresponding MAC addresses
and the VLAN IDs.
• If an ARP entry exists for the specified IP address, the Controller uses the associated MAC address
and identifies the physical path.
• If an ARP entry does not exist, the Controller sends an ARP query and tries to resolve the IP address.
If the IP address is not resolved, the path is not identified, and an error message appears.
• When multiple devices are attached to one port through hubs (for example, multiple CDP neighbors are
detected on a port), the Layer 2 traceroute feature is not supported. When more than one CDP neighbor
is detected on a port, the Layer 2 path is not identified, and an error message appears.
• This feature is not supported in Token Ring VLANs.
IP Traceroute
You can use IP traceroute to identify the path that packets take through the network on a hop-by-hop basis.
The command output displays all network layer (Layer 3) devices, such as routers, that the traffic passes
through on the way to the destination.
Your Controller can participate as the source or destination of the traceroute privileged EXEC command and
might or might not appear as a hop in the traceroute command output. If the Controller is the destination of
the traceroute, it is displayed as the final destination in the traceroute output. Intermediate Controllers do not
show up in the traceroute output if they are only bridging the packet from one port to another within the same
VLAN. However, if the intermediate Controller is a multilayer Controller that is routing a particular packet,
this Controller shows up as a hop in the traceroute output.
The traceroute privileged EXEC command uses the Time To Live (TTL) field in the IP header to cause
routers and servers to generate specific return messages. Traceroute starts by sending a User Datagram Protocol
(UDP) datagram to the destination host with the TTL field set to 1. If a router finds a TTL value of 1 or 0, it
drops the datagram and sends an Internet Control Message Protocol (ICMP) time-to-live-exceeded message
to the sender. Traceroute finds the address of the first hop by examining the source address field of the ICMP
time-to-live-exceeded message.
To identify the next hop, traceroute sends a UDP packet with a TTL value of 2. The first router decrements
the TTL field by 1 and sends the datagram to the next router. The second router sees a TTL value of 1, discards
the datagram, and returns the time-to-live-exceeded message to the source. This process continues until the
TTL is incremented to a value large enough for the datagram to reach the destination host (or until the maximum
TTL is reached).
To learn when a datagram reaches its destination, traceroute sets the UDP destination port number in the
datagram to a very large value that the destination host is unlikely to be using. When a host receives a datagram
destined to itself containing a destination port number that is unused locally, it sends an ICMP port-unreachable
error to the source. Because all errors except port-unreachable errors come from intermediate hops, the receipt
of a port-unreachable error means that this message was sent by the destination port.
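The TTL mechanism described above, including the point that devices which only bridge a packet never appear as hops, can be followed in a small simulation. This is an added example and not Cisco code; the device names, the documentation-range addresses and the function names are constructed, and no packets are sent.

```python
from dataclasses import dataclass

TIME_EXCEEDED = "time-exceeded"        # ICMP reply from an intermediate router
PORT_UNREACHABLE = "port-unreachable"  # ICMP reply from the destination host

@dataclass(frozen=True)
class Device:
    name: str
    address: str
    role: str  # "router" (Layer 3 hop), "bridge" (Layer 2 only) or "host"

# Constructed path from source to destination; all values are invented.
PATH = [
    Device("access-bridge", "192.0.2.250", "bridge"),
    Device("r1", "192.0.2.1", "router"),
    Device("dist-bridge", "198.51.100.250", "bridge"),
    Device("r2", "198.51.100.1", "router"),
    Device("server", "203.0.113.10", "host"),
]

def send_probe(path, ttl):
    """Carry one UDP probe along the path.

    Returns (icmp_type, source_address) for the reply, or None if the
    probe leaves the modeled path without triggering a reply.
    """
    for device in path:
        if device.role == "bridge":
            # Bridging within a VLAN does not touch the IP header, so the
            # TTL is unchanged and no ICMP message is generated.
            continue
        if device.role == "host":
            # The probe targets a UDP port that is unused on the host.
            return (PORT_UNREACHABLE, device.address)
        if ttl <= 1:
            # A router that finds a TTL of 1 or 0 drops the datagram.
            return (TIME_EXCEEDED, device.address)
        ttl -= 1  # the router decrements the TTL and forwards
    return None

def traceroute(path, max_ttl=30):
    """Return a list of (ttl, replying_address, icmp_type) tuples."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = send_probe(path, ttl)
        if reply is None:
            hops.append((ttl, "*", None))
            continue
        icmp_type, address = reply
        hops.append((ttl, address, icmp_type))
        if icmp_type == PORT_UNREACHABLE:
            break  # only the destination answers with port-unreachable
    return hops

if __name__ == "__main__":
    for ttl, address, icmp_type in traceroute(PATH):
        print(ttl, address, icmp_type)
```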
Related Topics
Executing IP Traceroute, on page 266
Example: Performing a Traceroute to an IP Host, on page 274
Time Domain Reflector Guidelines
You can use the Time Domain Reflector (TDR) feature to diagnose and resolve cabling problems. When
running TDR, a local device sends a signal through a cable and compares the reflected signal to the initial
signal.
TDR is supported only on 10/100/1000 copper Ethernet ports. It is not supported on 10-Gigabit Ethernet ports
and on SFP module ports.
TDR is supported on 10/100/1000 copper Ethernet ports and on Multigigabit Ethernet (100Mbps/1/2.5/5/10
Gbps) ports. It is not supported on SFP module ports.
TDR can detect these cabling problems:
• Open, broken, or cut twisted-pair wires—The wires are not connected to the wires from the remote
device.
• Shorted twisted-pair wires—The wires are touching each other or the wires from the remote device. For
example, a shorted twisted pair can occur if one wire of the twisted pair is soldered to the other wire.
If one of the twisted-pair wires is open, TDR can find the length at which the wire is open.
Note
When using the feature with Multigigabit Ethernet ports, the cable length is displayed only when an open or
short condition is detected.
Use TDR to diagnose and resolve cabling problems in these situations:
• Replacing a Controller
• Setting up a wiring closet
• Troubleshooting a connection between two devices when a link cannot be established or when it is not
operating properly
When you run TDR, the Controller reports accurate information in these situations:
• The cable for the gigabit link is a solid-core cable.
• The open-ended cable is not terminated.
When you run TDR, the Controller does not report accurate information in these situations:
• The cable for the gigabit link is a twisted-pair cable or is in series with a solid-core cable.
• The link is a 10-megabit or a 100-megabit link.
• The cable is a stranded cable.
• The link partner is a Cisco IP Phone.
• The link partner is not IEEE 802.3 compliant.
Debug Commands
Caution
Because debugging output is assigned high priority in the CPU process, it can render the system unusable.
For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions
with Cisco technical support staff. It is best to use debug commands during periods of lower network traffic
and fewer users. Debugging during these periods decreases the likelihood that increased debug command
processing overhead will affect system use.
All debug commands are entered in privileged EXEC mode, and most debug commands take no arguments.
Related Topics
Redirecting Debug and Error Message Output, on page 266
Example: Enabling All System Diagnostics, on page 275
Crashinfo Files
The crashinfo files save information that helps Cisco technical support representatives to debug problems that
caused the Cisco IOS image to fail (crash). The switch generates two files at the time of the failure: full core
and crashinfo.
The information in the crashinfo file includes the Cisco IOS image name and version that failed, a list of the
processor registers, and a stack trace. You can provide this information to the Cisco technical support
representative by using the show tech-support privileged EXEC command.
The file names have the following format:
[fullcore | crashinfo]_[process that crashed]_[date]-[timestamp]-UTC
From IOS, you can view the crashinfo files on each switch by using the following command:
Controller# dir crashinfo?
crashinfo-1: crashinfo-2: crashinfo-3: crashinfo:
Controller#
For example, to access the crashinfo directory for switch 1, enter:
Controller# dir crashinfo-1
From the ROMMON prompt, you can view the crashinfo files by using the dir command:
Controller: dir sda1
The following is sample output listing the contents of the crashinfo directory:
Controller# dir crashinfo:
Directory of crashinfo:/

   12  -rwx        2768  Dec 31 1969 16:00:15 -08:00  koops.dat
   15  -rwx           0  Jan 12 2000 22:53:40 -08:00  deleted_crash_files
   16  -rwx     4246576  Jan 12 2000 22:53:40 -08:00  crashinfo_stack-mgr_20000113-065250-UTC
   17  -rwx          50   Oct 2 2012 03:18:42 -08:00  last_crashinfo
   26  -rwx          39  Jan 22 2013 14:14:14 -08:00  last_systemreport
   18  -rwx     2866565  Jan 12 2000 22:53:41 -08:00  fullcore_stack-mgr_20000113-065250-UTC
   20  -rwx     4391796   Feb 1 2000 17:50:44 -08:00  crashinfo_stack-mgr_20000202-014954-UTC
   21  -rwx     2920325   Feb 1 2000 17:50:45 -08:00  fullcore_stack-mgr_20000202-014954-UTC
34817  -rw-     1050209  Jan 10 2013 20:26:23 -08:00  system-report_1_20130111-042535-UTC.gz
18434  -rw-     1016913  Jan 11 2013 10:35:28 -08:00  system-report_1_20130111-183440-UTC.gz
18435  -rw-     1136167  Jan 22 2013 14:14:11 -08:00  system-report_1_20130122-221322-UTC.gz
34821  -rw-     1094631   Jan 2 2013 17:59:23 -08:00  system-report_1_20130103-015835-UTC.gz
 6147  -rw-      967429   Jan 3 2013 10:32:44 -08:00  system-report_1_20130103-183156-UTC.gz
34824  -rwx          50  Jan 22 2013 14:14:14 -08:00  deleted_sysreport_files
 6155  -rwx         373  Jan 22 2013 14:14:13 -08:00  last_systemreport_log

145898496 bytes total (18569216 bytes free)
stack3#
The file name of the most recent crashinfo file is stored in last_crashinfo.
The file name of the most recent system report is stored in last_systemreport.
Controller#
System Reports
When a controller crashes, a system report is automatically generated for each switch in the switch stack. The
system report file captures all the trace buffers, and other system-wide logs found on the switch. System
reports are located in the crashinfo directory in the following format:
system-report_[switch number]_[date]-[timestamp]-UTC.gz
After a switch crash, you should check if a system report file was generated. The name of the most recently
generated system report file is stored in the last_systemreport file under the crashinfo directory. The system
report and crashinfo files assist TAC when troubleshooting your issue.
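The two file name formats above (crashinfo/fullcore and system-report) are enough to turn a directory listing into a crash timeline and to check whether each crash has a system report. The following is an added example, not Cisco code: the file names come from the sample listing above except the one marked as constructed, and the 10-minute matching window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# [fullcore | crashinfo]_[process that crashed]_[date]-[timestamp]-UTC
CRASH_RE = re.compile(r"^(fullcore|crashinfo)_(.+)_(\d{8})-(\d{6})-UTC$")
# system-report_[switch number]_[date]-[timestamp]-UTC.gz
REPORT_RE = re.compile(r"^system-report_(\d+)_(\d{8})-(\d{6})-UTC\.gz$")

NAMES = [
    "koops.dat", "deleted_crash_files", "last_crashinfo", "last_systemreport",
    "crashinfo_stack-mgr_20000113-065250-UTC",
    "fullcore_stack-mgr_20000113-065250-UTC",
    "crashinfo_stack-mgr_20000202-014954-UTC",
    "fullcore_stack-mgr_20000202-014954-UTC",
    "system-report_1_20130111-042535-UTC.gz",
    "system-report_1_20130111-183440-UTC.gz",
    "system-report_1_20130122-221322-UTC.gz",
    "system-report_1_20130103-015835-UTC.gz",
    "system-report_1_20130103-183156-UTC.gz",
    # Constructed entry (not in the listing) so one crash has a report:
    "crashinfo_example-proc_20130122-221310-UTC",
]

def parse_name(name):
    """Return a dict describing a crash artifact, or None for other files."""
    m = CRASH_RE.match(name)
    if m:
        kind, process, date, clock = m.groups()
        switch = None
    else:
        m = REPORT_RE.match(name)
        if not m:
            return None
        kind, process = "system-report", None
        switch, date, clock = m.groups()
    try:
        when = datetime.strptime(date + clock, "%Y%m%d%H%M%S")
    except ValueError:          # digits present but not a real date or time
        return None
    return {"name": name, "kind": kind, "process": process,
            "switch": int(switch) if switch else None,
            "when": when.replace(tzinfo=timezone.utc)}

def crash_events(names, window=timedelta(minutes=10)):
    """Group crashinfo/fullcore files into events and attach system reports.

    Assumption: a system report belongs to a crash when their UTC
    timestamps differ by no more than `window`.
    """
    parsed = [p for p in map(parse_name, names) if p]
    reports = [p for p in parsed if p["kind"] == "system-report"]
    events = {}
    for p in parsed:
        if p["kind"] == "system-report":
            continue
        event = events.setdefault(
            (p["when"], p["process"]),
            {"when": p["when"], "process": p["process"],
             "files": {}, "reports": []})
        event["files"][p["kind"]] = p["name"]
    for event in events.values():
        event["reports"] = sorted(
            r["name"] for r in reports
            if abs(r["when"] - event["when"]) <= window)
    return sorted(events.values(), key=lambda e: e["when"])

def events_without_report(events):
    """Crashes for which no system report file was found."""
    return [e for e in events if not e["reports"]]

if __name__ == "__main__":
    for e in crash_events(NAMES):
        print(e["when"].isoformat(), e["process"],
              sorted(e["files"]), e["reports"] or "NO SYSTEM REPORT")
```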
Onboard Failure Logging on the Switch
You can use the onboard failure logging (OBFL) feature to collect information about the Controller. The
information includes uptime, temperature, and voltage information and helps Cisco technical support
representatives to troubleshoot Controller problems. We recommend that you keep OBFL enabled and do not
erase the data stored in the flash memory.
By default, OBFL is enabled. It collects information about the Controller and small form-factor pluggable
(SFP) modules. The Controller stores this information in the flash memory:
• CLI commands—Record of the OBFL CLI commands that are entered on a standalone Controller or a
switch stack member.
• Environment data—Unique device identifier (UDI) information for a standalone Controller or a switch
stack member and for all the connected FRU devices: the product identification (PID), the version
identification (VID), and the serial number.
• Message—Record of the hardware-related system messages generated by a standalone Controller or a
switch stack member.
• Power over Ethernet (PoE)—Record of the power consumption of PoE ports on a standalone Controller
or a switch stack member.
• Temperature—Temperature of a standalone Controller or a switch stack member.
• Uptime data—Time when a standalone Controller or a switch stack member starts, the reason the
Controller restarts, and the length of time the Controller has been running since it last restarted.
• Voltage—System voltages of a standalone Controller or a switch stack member.
You should manually set the system clock or configure it by using Network Time Protocol (NTP).
When the Controller is running, you can retrieve the OBFL data by using the show logging onboard privileged
EXEC commands. If the Controller fails, contact your Cisco technical support representative to find out how
to retrieve the data.
When an OBFL-enabled Controller is restarted, there is a 10-minute delay before logging of new data begins.
Related Topics
Configuring OBFL, on page 267
Displaying OBFL Information, on page 269
Fan Failures
By default, the feature is disabled. When more than one of the fans fails in a field-replaceable unit (FRU) or
in a power supply, the Controller does not shut down, and this error message appears:
Multiple fan(FRU/PS) failure detected. System may get overheated. Change fan quickly.
The Controller might overheat and shut down.
To enable the fan failures feature, enter the system env fan-fail-action shut privileged EXEC command. If
more than one fan in the Controller fails, the Controller automatically shuts down, and this error message
appears:
Faulty (FRU/PS) fans detected, shutting down system!
After the first fan shuts down, if the Controller detects a second fan failure, the Controller waits for 20 seconds
before it shuts down.
To restart the Controller, it must be power cycled.
Possible Symptoms of High CPU Utilization
Excessive CPU utilization might result in these symptoms, but the symptoms might also result from other
causes:
• Spanning tree topology changes
• EtherChannel links brought down due to loss of communication
• Failure to respond to management requests (ICMP ping, SNMP timeouts, slow Telnet or SSH sessions)
• UDLD flapping
• IP SLAs failures because of SLAs responses beyond an acceptable threshold
• DHCP or IEEE 802.1x failures if the switch does not forward or respond to requests
Note
You may see increased system memory usage when Cisco Catalyst 4500E Supervisor Engine 8-E is used in
wireless mode.
How to Troubleshoot the Software Configuration
Recovering from a Software Failure
Before you begin
This recovery procedure requires that you have physical access to the switch.
This procedure uses boot loader commands and TFTP to recover from a corrupted or incorrect image file.
Step 1
From your PC, download the software image file (image.bin) from Cisco.com.
Step 2
Load the software image to your TFTP server.
Step 3
Connect your PC to the switch Ethernet management port.
Step 4
Unplug the switch power cord.
Step 5
Press the Mode button, and at the same time, reconnect the power cord to the switch.
Step 6
From the bootloader (ROMMON) prompt, ensure that you can ping your TFTP server.
a) Set the IP address:
switch: set IP_ADDRESS ip_address subnet_mask
Example:
switch: set IP_ADDRESS 192.0.2.123/255.255.255.0
b) Set the default router IP address:
switch: set DEFAULT_ROUTER ip_address
Example:
switch: set DEFAULT_ROUTER 192.0.2.1
c) Verify that you can ping the TFTP server:
switch: ping ip_address_of_TFTP_server
Example:
switch: ping 192.0.2.15
ping 192.0.2.1 with 32 bytes of data...
Host 192.0.2.1 is alive.
switch:
Step 7
Verify that you have a recovery image in your recovery partition (sda9:).
This recovery image is required for recovery using the emergency-install feature.
Example:
switch: dir sda9:
Directory of sda9:/
2    drwx  1024      .
2    drwx  1024      ..
11   -rw-  18923068  c3850-recovery.bin
36939776 bytes available (20830208 bytes used)
switch:
Step 8
From the bootloader (ROMMON) prompt, initiate the emergency-install feature that assists you in recovering the software
image on your switch.
WARNING: The emergency install command will erase your entire boot flash!
Example:
Switch# emergency-install tftp://192.0.2.47/cat3k_caa-universalk9.SSA.03.12.02.EZP.150-12.02.EZP.150-12.02.EZP.bin
The bootflash will be erased during install operation, continue (y/n)?y
Starting emergency recovery (tftp://192.0.2.47/cat3k/cat3k_caa-universalk9.SPA.03.02.00.SE.150-1.EX.bin)...
Reading full image into memory......................done
Nova Bundle Image
-------------------------------------
Kernel Address : 0x6042e5cc
Kernel Size : 0x318261/3244641
Initramfs Address : 0x60746830
Initramfs Size : 0xdb0fb9/14356409
Compression Format: .mzip
Bootable image at @ ram:0x6042e5cc
Bootable image segment 0 address range [0x81100000, 0x81b80000] is in range [0x80180000, 0x90000000].
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
File "sda9:c3850-recovery.bin" uncompressed and installed, entry point: 0x811060f0
Loading Linux kernel with entry point 0x811060f0 ...
Bootloader: Done loading app on core_mask: 0xf
### Launching Linux Kernel (flags = 0x5)
Initiating Emergency Installation of bundle tftp://192.0.2.47/cat3k/cat3k_caa-universalk9.SSA.03.12.02.EZP.150-12.02.EZP.150-12.02.EZP.bin
Downloading bundle tftp://192.0.2.47/cat3k/cat3k_caa-universalk9.SSA.03.12.02.EZP.150-12.02.EZP.150-12.02.EZP.bin...
Validating bundle tftp://192.0.2.47/cat3k/cat3k_caa-universalk9.SSA.03.12.02.EZP.150-12.02.EZP.150-12.02.EZP.bin...
Installing bundle tftp://192.0.2.47/cat3k/cat3k_caa-universalk9.SSA.03.12.02.EZP.150-12.02.EZP.150-12.02.EZP.bin...
Verifying bundle tftp://192.0.2.47/cat3k/cat3k_caa-universalk9.SSA.03.12.02.EZP.150-12.02.EZP.150-12.02.EZP.bin...
Package cat3k_caa-base..pkg is Digitally Signed
Package cat3k_caa-drivers.SPA.03.02.00.SE.pkg is Digitally Signed
Package cat3k_caa-infra.SPA.03.02.00.SE.pkg is Digitally Signed
Package cat3k_caa-iosd-universalk9.SPA.03.02.00.SE.pkg is Digitally Signed
Package cat3k_caa-platform.SPA.03.02.00.SE.pkg is Digitally Signed
Package cat3k_caa-wcm.SPA.03.02.00.SE.pkg is Digitally Signed
Preparing flash...
Syncing device...
Emergency Install successful... Rebooting
Restarting system.
Booting...(use DDR clock 667 MHz)Initializing and Testing RAM +++@@@@####...++@@++@@++@@++@
switch: emergency-install tftp://172.20.249.254/katana/ct5760.renum.bin
The bootflash will be erased during install operation, continue (y/n)?y
Starting emergency recovery (tftp://172.20.249.254/katana/ct5760.renum.bin)...
Loading "sda9:ct5760-recovery.bin"...
Reading full image into memory....................done
Verifying image digital signature.
Nova Bundle Image
-------------------------------------
Kernel Address : 0x8b35b598
Kernel Size : 0x367550/3568976
Initramfs Address : 0x8b6c2ae8
Initramfs Size : 0xbfe484/12575876
Compression Format: unknown
File "sda9:ct5760-recovery.bin" uncompressed and installed, entry point: 0x8b35b598
Image validated
Initiating Emergency Installation of bundle tftp://172.20.249.254/katana/ct5760.renum.bin
Downloading bundle tftp://172.20.249.254/katana/ct5760.renum.bin...
Validating bundle tftp://172.20.249.254/katana/ct5760.renum.bin...
Installing bundle tftp://172.20.249.254/katana/ct5760.renum.bin...
Verifying bundle tftp://172.20.249.254/katana/ct5760.renum.bin...
Package ct5760-base.SPA.03.02.00.pkg is Digitally Signed
Package ct5760-drivers.SPA.03.02.00.SE.pkg is Digitally Signed
Package ct5760-infra.SPA.03.02.00.pkg is Digitally Signed
Package ct5760-iosd-ipservicesk9.SPA.150-1.EX.pkg is Digitally Signed
Package ct5760-platform.SPA.03.02.00.SE.pkg is Digitally Signed
Package ct5760-wcm.SPA.10.0.10.48.pkg is Digitally Signed
Preparing flash...
Syncing device...
Emergency Install successful... Rebooting
Restarting system.
Xmodem file system is available.
Base ethernet MAC Address: 20:37:06:4d:64:00
Verifying bootloader digital signature.
The system is not configured to boot automatically. The
following command will finish loading the operating system
software:
boot
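The following is an added example, not part of the Cisco guide and not Cisco code: a Python check of a captured emergency-install console log that confirms every stage names the bundle that was requested, every listed package is reported as "Digitally Signed", and the success line is present. The function name, the returned fields and the second log are assumptions made for illustration; the first log reuses lines from the ct5760 transcript above.

```python
import re

# Line shapes taken from the emergency-install transcript in this section.
START_RE = re.compile(r"^Starting emergency recovery \((\S+)\)\.\.\.$")
STAGE_RE = re.compile(
    r"^(Downloading|Validating|Installing|Verifying) bundle (\S+?)\.\.\.$")
PKG_RE = re.compile(r"^Package (\S+\.pkg)\s*(.*)$")
EXPECTED_STAGES = ["Downloading", "Validating", "Installing", "Verifying"]
SIGNED = "is Digitally Signed"
SUCCESS = "Emergency Install successful"

# Lines copied from the ct5760 transcript on this page.
PAGE_LOG = """\
switch: emergency-install tftp://172.20.249.254/katana/ct5760.renum.bin
Starting emergency recovery (tftp://172.20.249.254/katana/ct5760.renum.bin)...
Verifying image digital signature.
Image validated
Initiating Emergency Installation of bundle tftp://172.20.249.254/katana/ct5760.renum.bin
Downloading bundle tftp://172.20.249.254/katana/ct5760.renum.bin...
Validating bundle tftp://172.20.249.254/katana/ct5760.renum.bin...
Installing bundle tftp://172.20.249.254/katana/ct5760.renum.bin...
Verifying bundle tftp://172.20.249.254/katana/ct5760.renum.bin...
Package ct5760-base.SPA.03.02.00.pkg is Digitally Signed
Package ct5760-drivers.SPA.03.02.00.SE.pkg is Digitally Signed
Package ct5760-infra.SPA.03.02.00.pkg is Digitally Signed
Package ct5760-iosd-ipservicesk9.SPA.150-1.EX.pkg is Digitally Signed
Package ct5760-platform.SPA.03.02.00.SE.pkg is Digitally Signed
Package ct5760-wcm.SPA.10.0.10.48.pkg is Digitally Signed
Preparing flash...
Syncing device...
Emergency Install successful... Rebooting
"""

# Constructed log (not device output): the Verifying stage names a different
# server, one package line lacks the signed status, and there is no success line.
CONSTRUCTED_BAD_LOG = """\
Starting emergency recovery (tftp://192.0.2.47/images/bundle.bin)...
Downloading bundle tftp://192.0.2.47/images/bundle.bin...
Validating bundle tftp://192.0.2.47/images/bundle.bin...
Installing bundle tftp://192.0.2.47/images/bundle.bin...
Verifying bundle tftp://192.0.2.99/images/bundle.bin...
Package example-base.pkg is Digitally Signed
Package example-wcm.pkg SIGNATURE-STATUS-MISSING
Preparing flash...
"""


def audit_emergency_install(log: str) -> dict:
    """Return the bundle URL, the package list and any problems found."""
    bundle, success = None, False
    stages, packages, problems = [], [], []
    for raw in log.splitlines():
        line = raw.strip()
        m = START_RE.match(line)
        if m:
            bundle = m.group(1)
            continue
        m = STAGE_RE.match(line)
        if m:
            stages.append(m.group(1))
            if m.group(2) != bundle:
                problems.append(
                    f"{m.group(1)} stage names {m.group(2)}, not {bundle}")
            continue
        m = PKG_RE.match(line)
        if m:
            packages.append(m.group(1))
            if m.group(2) != SIGNED:
                problems.append(f"package {m.group(1)} not reported as signed")
            continue
        if line.startswith(SUCCESS):
            success = True
    if bundle is None:
        problems.append("no 'Starting emergency recovery' line")
    if stages != EXPECTED_STAGES:
        problems.append(f"unexpected stage sequence: {stages}")
    if not packages:
        problems.append("no package signature lines")
    if not success:
        problems.append("no 'Emergency Install successful' line")
    return {"bundle": bundle, "packages": packages,
            "problems": problems, "ok": not problems}


if __name__ == "__main__":
    for name, log in (("page", PAGE_LOG), ("constructed", CONSTRUCTED_BAD_LOG)):
        result = audit_emergency_install(log)
        print(name, "ok" if result["ok"] else result["problems"])
```

The log is a record for the change ticket; the signature checks themselves are performed by the device during the install.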
Related Topics
Software Failure on a Switch, on page 248
Recovering from a Lost or Forgotten Password
The default configuration for the switch allows an end user with physical access to the switch to recover from
a lost password by interrupting the boot process during power-on and by entering a new password. These
recovery procedures require that you have physical access to the switch.
Note
On these switches, a system administrator can disable some of the functionality of this feature by allowing
an end user to reset a password only by agreeing to return to the default configuration. If you are an end user
trying to reset a password when password recovery has been disabled, a status message shows this during the
recovery process.
SUMMARY STEPS
1. Connect a terminal or PC to the switch.
2. Set the line speed on the emulation software to 9600 baud.
3. Power off the standalone switch or the entire switch stack.
4. Reconnect the power cord to the or the . Within 15 seconds, press the Mode button while the System LED
is still flashing green. Continue pressing the Mode button until a prompt is seen; then release the Mode
button.
5. After recovering the password, reload the switch or the .
DETAILED STEPS
Step 1
Connect a terminal or PC to the switch.
• Connect a terminal or a PC with terminal-emulation software to the switch console port.
• Connect a PC to the Ethernet management port.
Step 2
Set the line speed on the emulation software to 9600 baud.
Step 3
Power off the standalone switch or the entire switch stack.
Step 4
Reconnect the power cord to the or the . Within 15 seconds, press the Mode button while the System LED is still flashing
green. Continue pressing the Mode button until a prompt is seen; then release the Mode button.
Switch:
Xmodem file system is available.
Base ethernet MAC Address: 20:37:06:4d:e9:80
Verifying bootloader digital signature.
The system has been interrupted prior to loading the operating
system software, console will be reset to 9600 baud rate.
Proceed to the Procedure with Password Recovery Enabled section, and follow the steps.
Step 5
After recovering the password, reload the switch or the .
On a switch:
Switch> reload
Proceed with reload? [confirm] y
Related Topics
Lost or Forgotten Password on a Controller, on page 248
Procedure with Password Recovery Enabled
If the password-recovery operation is enabled, this message appears:
Step 1
Initialize the flash file system.
Switch: flash_init
Step 2
Ignore the startup configuration with the following command:
Switch: SWITCH_IGNORE_STARTUP_CFG=1
Step 3
Boot the switch with the packages.conf file from flash.
Switch: boot flash:packages.conf
Step 4
Terminate the initial configuration dialog by answering No.
Would you like to enter the initial configuration dialog? [yes/no]: No
Step 5
At the switch prompt, enter privileged EXEC mode.
Switch> enable
Switch#
Step 6
Copy the startup configuration to running configuration.
Switch# copy startup-config running-config
Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the
password.
Step 7
Enter global configuration mode and change the enable password.
Switch# configure terminal
Switch(config)#
Step 8
Write the running configuration to the startup configuration file.
Switch(config)# copy running-config startup-config
Step 9
Confirm that manual boot mode is enabled.
Switch# show boot
BOOT variable = flash:packages.conf;
Manual Boot = yes
Enable Break = yes
Step 10
Reload the controller.
Switch# reload
Step 11
Return the Bootloader parameters (previously changed in Steps 2 and 3) to their original values.
switch: SWITCH_IGNORE_STARTUP_CFG=0
Step 12
Boot the controller with the packages.conf file from flash.
Switch: boot flash:packages.conf
Step 13
After the controller boots up, disable manual boot on the controller.
Switch(config)# no boot manual
Procedure with Password Recovery Disabled
If the password-recovery mechanism is disabled, this message appears:
The password-recovery mechanism has been triggered, but
is currently disabled. Access to the boot loader prompt
through the password-recovery mechanism is disallowed at
this point. However, if you agree to let the system be
reset back to the default system configuration, access
to the boot loader prompt can still be allowed.
Would you like to reset the system back to the default configuration (y/n)?
Caution
Returning the Controller to the default configuration results in the loss of all existing configurations. We
recommend that you contact your system administrator to verify if there are backup Controller and VLAN
configuration files.
• If you enter n (no), the normal boot process continues as if the Mode button had not been pressed; you
cannot access the boot loader prompt, and you cannot enter a new password. You see the message:
Press Enter to continue........
• If you enter y (yes), the configuration file in flash memory and the VLAN database file are deleted. When
the default configuration loads, you can reset the password.
Step 1
Choose to continue with password recovery and delete the existing configuration:
Would you like to reset the system back to the default configuration (y/n)? Y
Step 2
Display the contents of flash memory:
Controller: dir flash:
The Controller file system appears.
Directory of flash:/
.
.
.
15494  drwx       4096  Jan 1 2000 00:20:20 +00:00  kirch
15508  -rw-  258065648  Sep 4 2013 14:19:03 +00:00  cat3k_caa-universalk9.SSA.03.12.02.EZP.150-12.02.EZP.150-12.02.EZP.bin
162196684
Step 3
Boot up the system:
Controller: boot
You are prompted to start the setup program. To continue with password recovery, enter N at the prompt:
Continue with the configuration dialog? [yes/no]: N
Step 4
At the Controller prompt, enter privileged EXEC mode:
Controller> enable
Step 5
Enter global configuration mode:
Controller# configure terminal
Step 6
Change the password:
Controller(config)# enable secret password
The secret password can be from 1 to 25 alphanumeric characters, can start with a number, is case sensitive, and allows
spaces but ignores leading spaces.
Step 7
Return to privileged EXEC mode:
Controller(config)# exit
Controller#
Note
Before continuing to Step 9, power on any connected stack members and wait until they have completely
initialized.
Step 8
Write the running configuration to the startup configuration file:
Controller# copy running-config startup-config
The new password is now in the startup configuration.
Step 9
You must now reconfigure the Controller. If the system administrator has the backup Controller and VLAN configuration
files available, you should use those.
Preventing Switch Stack Problems
To prevent switch stack problems, you should do the following:
• Make sure that the Controllers that you add to or remove from the switch stack are powered off. For all
powering considerations in switch stacks, see the “Switch Installation” chapter in the hardware installation
guide.
• Press the Mode button on a stack member until the Stack mode LED is on. The last two port LEDs on
the Controller should be green. Depending on the Controller model, the last two ports are either
10/100/1000 ports or small form-factor pluggable (SFP) module. If one or both of the last two port LEDs
are not green, the stack is not operating at full bandwidth.
• We recommend using only one CLI session when managing the switch stack. Be careful when using
multiple CLI sessions to the . Commands that you enter in one session are not displayed in the other
sessions. Therefore, it is possible that you might not be able to identify the session from which you
entered a command.
• Manually assigning stack member numbers according to the placement of the Controller in the stack can
make it easier to remotely troubleshoot the switch stack. However, you need to remember that the
Controllers have manually assigned numbers if you add, remove, or rearrange Controllers later. Use the
switch current-stack-member-number renumber new-stack-member-number global configuration
command to manually assign a stack member number.
If you replace a stack member with an identical model, the new Controller functions with the exact same
configuration as the replaced Controller. This is also assuming the new Controller is using the same member
number as the replaced Controller.
Removing powered-on stack members causes the switch stack to divide (partition) into two or more switch
stacks, each with the same configuration. If you want the switch stacks to remain separate, change the IP
address or addresses of the newly created switch stacks. To recover from a partitioned switch stack, follow
these steps:
1. Power off the newly created switch stacks.
2. Reconnect them to the original switch stack through their StackWise Plus ports.
3. Power on the Controller.
For the commands that you can use to monitor the switch stack and its members, see the Displaying Switch
Stack Information section.
Preventing Autonegotiation Mismatches
The IEEE 802.3ab autonegotiation protocol manages the Controller settings for speed (10 Mb/s, 100 Mb/s,
and 1000 Mb/s, excluding SFP module ports) and duplex (half or full). There are situations when this protocol
can incorrectly align these settings, reducing performance. A mismatch occurs under these circumstances:
• A manually set speed or duplex parameter is different from the manually set speed or duplex parameter
on the connected port.
• A port is set to autonegotiate, and the connected port is set to full duplex with no autonegotiation.
To maximize Controller performance and ensure a link, follow one of these guidelines when changing the
settings for duplex and speed:
• Let both ports autonegotiate both speed and duplex.
• Manually set the speed and duplex parameters for the ports on both ends of the connection.
Note
If a remote device does not autonegotiate, configure the duplex settings on the two ports to match. The speed
parameter can adjust itself even if the connected port does not autonegotiate.
Troubleshooting SFP Module Security and Identification
Cisco small form-factor pluggable (SFP) modules have a serial EEPROM that contains the module serial
number, the vendor name and ID, a unique security code, and cyclic redundancy check (CRC). When an SFP
module is inserted in the Controller, the Controller software reads the EEPROM to verify the serial number,
vendor name and vendor ID, and recompute the security code and CRC. If the serial number, the vendor name
or vendor ID, the security code, or CRC is invalid, the software generates a security error message and places
the interface in an error-disabled state.
Note
The security error message references the GBIC_SECURITY facility. The Controller supports SFP modules
and does not support GBIC modules. Although the error message text refers to GBIC interfaces and modules,
the security messages actually refer to the SFP modules and module interfaces.
If you are using a non-Cisco SFP module, remove the SFP module from the Controller, and replace it with a
Cisco module. After inserting a Cisco SFP module, use the errdisable recovery cause gbic-invalid global
configuration command to verify the port status, and enter a time interval for recovering from the error-disabled
state. After the elapsed interval, the Controller brings the interface out of the error-disabled state and retries
the operation. For more information about the errdisable recovery command, see the command reference
for this release.
If the module is identified as a Cisco SFP module, but the system is unable to read vendor-data information
to verify its accuracy, an SFP module error message is generated. In this case, you should remove and reinsert
the SFP module. If it continues to fail, the SFP module might be defective.
Monitoring SFP Module Status
You can check the physical or operational status of an SFP module by using the show interfaces transceiver
privileged EXEC command. This command shows the operational status, such as the temperature and the
current for an SFP module on a specific interface and the alarm status. You can also use the command to
check the speed and the duplex settings on an SFP module. For more information, see the show interfaces
transceiver command in the command reference for this release.
Executing Ping
If you attempt to ping a host in a different IP subnetwork, you must define a static route to the network or
have IP routing configured to route between those subnets.
IP routing is disabled by default on all Controllers.
Note
Though other protocol keywords are available with the ping command, they are not supported in this release.
Use this command to ping another device on the network from the Controller:
Command: ping ip host | address
Purpose: Pings a remote host through IP or by supplying the hostname or network address.
Example: Controller# ping 172.20.52.3
Related Topics
Ping, on page 249
Example: Pinging an IP Host, on page 273
Monitoring Temperature
The Controller monitors the temperature conditions and uses the temperature information to control the fans.
Use the show env temperature status privileged EXEC command to display the temperature value, state,
and thresholds. The temperature value is the temperature in the Controller (not the external temperature). You
can configure only the yellow threshold level (in Celsius) by using the system env temperature threshold
yellow value global configuration command to set the difference between the yellow and red thresholds. You
cannot configure the green or red thresholds. For more information, see the command reference for this release.
Monitoring the Physical Path
You can monitor the physical path that a packet takes from a source device to a destination device by using
one of these privileged EXEC commands:
Table 26: Monitoring the Physical Path
Command: traceroute mac [interface interface-id] {source-mac-address} [interface interface-id] {destination-mac-address} [vlan vlan-id] [detail]
Purpose: Displays the Layer 2 path taken by the packets from the specified source MAC address to the specified destination MAC address.
Command: traceroute mac ip {source-ip-address | source-hostname} {destination-ip-address | destination-hostname} [detail]
Purpose: Displays the Layer 2 path taken by the packets from the specified source IP address or hostname to the specified destination IP address or hostname.
Executing IP Traceroute
Note
Though other protocol keywords are available with the traceroute privileged EXEC command, they are not
supported in this release.
Command: traceroute ip host
Purpose: Traces the path that packets take through the network.
Example: Controller# traceroute ip 192.51.100.1
Related Topics
IP Traceroute , on page 251
Example: Performing a Traceroute to an IP Host, on page 274
Running TDR and Displaying the Results
To run TDR, enter the test cable-diagnostics tdr interface interface-id privileged EXEC command.
To display the results, enter the show cable-diagnostics tdr interface interface-id privileged EXEC command.
Redirecting Debug and Error Message Output
By default, the network server sends the output from debug commands and system error messages to the
console. If you use this default, you can use a virtual terminal connection to monitor debug output instead of
connecting to the console port or the Ethernet management port.
Possible destinations include the console, virtual terminals, internal buffer, and UNIX hosts running a syslog
server. The syslog format is compatible with 4.3 Berkeley Standard Distribution (BSD) UNIX and its
derivatives.
Note
Be aware that the debugging destination you use affects system overhead. When you log messages to the
console, very high overhead occurs. When you log messages to a virtual terminal, less overhead occurs.
Logging messages to a syslog server produces even less, and logging to an internal buffer produces the least
overhead of any method.
For more information about system message logging, see Configuring System Message Logging.
Related Topics
Debug Commands, on page 253
Using the show platform forward Command
The output from the show platform forward privileged EXEC command provides some useful information
about the forwarding results if a packet entering an interface is sent through the system. Depending upon the
parameters entered about the packet, the output provides lookup table results and port maps used to calculate
forwarding destinations, bitmaps, and egress information.
Most of the information in the output from the command is useful mainly for technical support personnel,
who have access to detailed information about the Controller application-specific integrated circuits (ASICs).
However, packet forwarding information can also be helpful in troubleshooting.
Using the show debug command
The show debug command is entered in privileged EXEC mode. This command displays all debug options
available on the switch.
To view all conditional debug options, run the command show debug condition. The commands can be listed
by selecting either a condition identifier <1-1000> or all conditions.
To disable debugging, use the no debug all command.
Caution
Because debugging output is assigned high priority in the CPU process, it can render the system unusable.
For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions
with Cisco technical support staff. Moreover, it is best to use debug commands during periods of lower
network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug
command processing overhead will affect system use.
For more information, see Cisco IOS Configuration Fundamentals Command Reference, Cisco IOS XE Release
16.1 (Catalyst 3850 Switches).
Configuring OBFL
Caution
We recommend that you do not disable OBFL and that you do not remove the data stored in the flash memory.
• To enable OBFL, use the hw-switch switch [switch-number] logging onboard [message level level]
global configuration command. On switches, the range for switch-number is from 1 to 9. Use the message
level level parameter to specify the severity of the hardware-related messages that the switch generates
and stores in the flash memory.
• To copy the OBFL data to the local network or a specific file system, use the copy onboard switch
switch-number url url-destination privileged EXEC command.
• To disable OBFL, use the no hw-switch switch [switch-number] logging onboard [message level]
global configuration command.
• To clear all the OBFL data in the flash memory except for the uptime and CLI command information,
use the clear onboard switch switch-number privileged EXEC command.
• In a switch stack, you can enable OBFL on a standalone switch or on all stack members by using the
hw-switch switch [switch-number] logging onboard [message level level] global configuration command.
• You can enable or disable OBFL on a member switch from the .
For more information about the commands in this section, see the command reference for this release.
Related Topics
Onboard Failure Logging on the Switch, on page 254
Displaying OBFL Information, on page 269
WSMA Configuration for WebUI
WSMA configurations are available by default to access the Web UI. If you explicitly delete the configuration,
you have to reconfigure as below:
Controller(config)# wsma agent exec
Controller(wsma-exec-agent)# profile httplistener
Controller(wsma-exec-agent)# profile httpslistener
Controller(wsma-exec-agent)# exit
Controller(config)# wsma agent config
Controller(wsma-config-agent)# profile httplistener
Controller(wsma-config-agent)# profile httpslistener
Controller(wsma-config-agent)# exit
Controller(config)# wsma agent filesys
Controller(wsma-filesys-agent)# profile httplistener
Controller(wsma-filesys-agent)# profile httpslistener
Controller(wsma-filesys-agent)# exit
Controller(config)# wsma agent notify
Verifying Troubleshooting of the Software Configuration
Displaying OBFL Information
Table 27: Commands for Displaying OBFL Information
Command: show onboard switch switch-number clilog
Example: Controller# show onboard switch 1 clilog
Purpose: Displays the OBFL CLI commands that were entered on a standalone switch or the specified stack members.
Command: show onboard switch switch-number environment
Example: Controller# show onboard switch 1 environment
Purpose: Displays the UDI information for a standalone switch or the specified stack members and for all the connected FRU devices: the PID, the VID, and the serial number.
Command: show onboard switch switch-number message
Example: Controller# show onboard switch 1 message
Purpose: Displays the hardware-related messages generated by a standalone switch or the specified stack members.
Command: show onboard switch switch-number counter
Example: Controller# show onboard switch 1 counter
Purpose: Displays the counter information on a standalone switch or the specified stack members.
Command: show onboard switch switch-number temperature
Example: Controller# show onboard switch 1 temperature
Purpose: Displays the temperature of a standalone switch or the specified switch stack members.
Command: show onboard switch switch-number uptime
Example: Controller# show onboard switch 1 uptime
Purpose: Displays the time when a standalone switch or the specified stack members start, the reason the standalone switch or specified stack members restart, and the length of time that the standalone switch or specified stack members have been running since they last restarted.
Command: show onboard switch switch-number voltage
Example: Controller# show onboard switch 1 voltage
Purpose: Displays the system voltages of a standalone switch or the specified stack members.
Command: show onboard switch switch-number status
Example: Controller# show onboard switch 1 status
Purpose: Displays the status of a standalone switch or the specified stack members.
Related Topics
Onboard Failure Logging on the Switch, on page 254
Configuring OBFL, on page 267
Example: Verifying the Problem and Cause for High CPU Utilization
To determine if high CPU utilization is a problem, enter the show processes cpu sorted privileged EXEC
command. Note the underlined information in the first line of the output example.
Controller# show processes cpu sorted
CPU utilization for five seconds: 8%/0%; one minute: 7%; five minutes: 8%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
309 42289103 752750 56180 1.75% 1.20% 1.22% 0 RIP Timers
140 8820183 4942081 1784 0.63% 0.37% 0.30% 0 HRPC qos request
100 3427318 16150534 212 0.47% 0.14% 0.11% 0 HRPC pm-counters
192 3093252 14081112 219 0.31% 0.14% 0.11% 0 Spanning Tree
143 8 37 216 0.15% 0.01% 0.00% 0 Exec
...
<output truncated>
This example shows normal CPU utilization. The output shows that utilization for the last 5 seconds is 8%/0%,
which has this meaning:
• The total CPU utilization is 8 percent, including both time running Cisco IOS processes and time spent
handling interrupts.
• The time spent handling interrupts is zero percent.
Table 28: Troubleshooting CPU Utilization Problems
Type of Problem | Cause | Corrective Action
Interrupt percentage value is almost as high as total CPU utilization value. | The CPU is receiving too many packets from the network. | Determine the source of the network packet. Stop the flow, or change the switch configuration. See the section on “Analyzing Network Traffic.”
Total CPU utilization is greater than 50% with minimal time spent on interrupts. | One or more Cisco IOS processes are consuming too much CPU time. This is usually triggered by an event that activated the process. | Identify the unusual event, and troubleshoot the root cause. See the section on “Debugging Active Processes.”
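The following Python sketch is an added example, not part of the Cisco guide: it parses saved show processes cpu sorted output and applies the two rows of Table 28 to the five-second total/interrupt pair. The 50% threshold comes from the table; the ratios used for "almost as high" (0.8) and "minimal" (0.2), applying the 50% threshold to the interrupt row as well, and the sample outputs are assumptions constructed for illustration.

```python
import re

# Constructed samples in the format of the "show processes cpu sorted" output above.
SAMPLE_NORMAL = """\
Controller# show processes cpu sorted
CPU utilization for five seconds: 8%/0%; one minute: 7%; five minutes: 8%
 PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
 309 42289103 752750 56180 1.75% 1.20% 1.22% 0 RIP Timers
 140 8820183 4942081 1784 0.63% 0.37% 0.30% 0 HRPC qos request
...
"""
SAMPLE_INTERRUPT = """\
CPU utilization for five seconds: 85%/78%; one minute: 80%; five minutes: 61%
 PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
 143 8 37 216 2.10% 1.90% 1.10% 0 Exec
"""
SAMPLE_PROCESS = """\
CPU utilization for five seconds: 92%/5%; one minute: 88%; five minutes: 70%
 PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
 192 3093252 14081112 219 71.40% 66.02% 51.30% 0 Spanning Tree
 309 42289103 752750 56180 9.75% 8.20% 6.22% 0 RIP Timers
"""

# First line: "five seconds: TOTAL%/INTERRUPT%; one minute: N%; five minutes: N%"
HEADER_RE = re.compile(
    r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%;"
    r"\s*one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%")
# Process rows: PID Runtime Invoked uSecs 5Sec 1Min 5Min TTY Process-name
PROC_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)%\s+([\d.]+)%"
    r"\s+([\d.]+)%\s+(\d+)\s+(.+?)\s*$")

ACTIONS = {
    "normal": "No action: utilization is not above the high-CPU threshold.",
    "interrupt-driven": "Determine the source of the network packets; "
                        "stop the flow or change the configuration.",
    "process-driven": "Identify the unusual event that activated the "
                      "process and troubleshoot the root cause.",
    "mixed": "Neither Table 28 row matches cleanly; review traffic and processes.",
}


def parse_show_processes_cpu(text):
    """Extract the utilization summary and per-process rows from CLI output."""
    header = HEADER_RE.search(text)
    if not header:
        raise ValueError("CPU utilization summary line not found")
    total, interrupt, one_min, five_min = map(int, header.groups())
    processes = []
    for line in text.splitlines():
        row = PROC_RE.match(line)
        if row:  # column headings, prompts and "..." lines do not match
            processes.append({
                "pid": int(row.group(1)),
                "five_sec": float(row.group(5)),
                "one_min": float(row.group(6)),
                "five_min": float(row.group(7)),
                "name": row.group(9),
            })
    processes.sort(key=lambda p: p["five_sec"], reverse=True)
    return {"total": total, "interrupt": interrupt, "one_min": one_min,
            "five_min": five_min, "processes": processes}


def triage(parsed, high_pct=50, near_ratio=0.8, minimal_ratio=0.2):
    """Classify the five-second sample using the two rows of Table 28."""
    total, interrupt = parsed["total"], parsed["interrupt"]
    if high_pct >= total:
        return "normal"
    if interrupt >= near_ratio * total:      # interrupts almost equal the total
        return "interrupt-driven"
    if minimal_ratio * total >= interrupt:   # high total, minimal interrupt time
        return "process-driven"
    return "mixed"


def report(text, top_n=3):
    """Return the verdict, the matching corrective action and likely processes."""
    parsed = parse_show_processes_cpu(text)
    verdict = triage(parsed)
    suspects = []
    if verdict == "process-driven":
        suspects = [p["name"] for p in parsed["processes"][:top_n]]
    return {"verdict": verdict, "action": ACTIONS[verdict], "suspects": suspects}


if __name__ == "__main__":
    for sample in (SAMPLE_NORMAL, SAMPLE_INTERRUPT, SAMPLE_PROCESS):
        print(report(sample))
```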
Scenarios for Troubleshooting the Software Configuration
Scenarios to Troubleshoot Power over Ethernet (PoE)
Table 29: Power over Ethernet Troubleshooting Scenarios

Symptom or Problem: Only one port does not have PoE. Trouble is on only one switch port. PoE and non-PoE devices do not work on this port, but do on other ports.
Possible Cause and Solution:
• Verify that the powered device works on another PoE port.
• Use the show run, or show interface status user EXEC commands to verify that the port is not shut down or error-disabled.
Note
Most switches turn off port power when the port is shut down, even though the IEEE specifications make this optional.
• Verify that power inline never is not configured on that interface or port.
• Verify that the Ethernet cable from the powered device to the switch port is good: Connect a known good non-PoE Ethernet device to the Ethernet cable, and make sure that the powered device establishes a link and exchanges traffic with another host.
Note
Cisco powered device works only with straight cable and not with crossover one.
• Verify that the total cable length from the switch front panel to the powered device is not more than 100 meters.
• Disconnect the Ethernet cable from the switch port. Use a short Ethernet cable to connect a known good Ethernet device directly to this port on the switch front panel (not on a patch panel). Verify that it can establish an Ethernet link and exchange traffic with another host, or ping the port VLAN SVI. Next, connect a powered device to this port, and verify that it powers on.
• If a powered device does not power on when connected with a patch cord to the switch port, compare the total number of connected powered devices to the switch power budget (available PoE). Use the show inline power command to verify the amount of available power.

Symptom or Problem: No PoE on all ports or a group of ports. Trouble is on all switch ports. Nonpowered Ethernet devices cannot establish an Ethernet link on any port, and PoE devices do not power on.
Possible Cause and Solution:
• If there is a continuous, intermittent, or reoccurring alarm related to power, replace the power supply if it is a field-replaceable unit. Otherwise, replace the switch.
• If the problem is on a consecutive group of ports but not all ports, the power supply is probably not defective, and the problem could be related to PoE regulators in the switch.
• Use the show log privileged EXEC command to review alarms or system messages that previously reported PoE conditions or status changes.
• If there are no alarms, use the show interface status command to verify that the ports are not shut down or error-disabled. If ports are error-disabled, use the shut and no shut interface configuration commands to reenable the ports.
• Use the show env power and show power inline privileged EXEC commands to review the PoE status and power budget (available PoE).
• Review the running configuration to verify that power inline never is not configured on the ports.
• Connect a nonpowered Ethernet device directly to a switch port. Use only a short patch cord. Do not use the existing distribution cables. Enter the shut and no shut interface configuration commands, and verify that an Ethernet link is established. If this connection is good, use a short patch cord to connect a powered device to this port and verify that it powers on. If the device powers on, verify that all intermediate patch panels are correctly connected.
• Disconnect all but one of the Ethernet cables from switch ports. Using a short patch cord, connect a powered device to only one PoE port. Verify the powered device does not require more power than can be delivered by the switch port.
• Use the show power inline privileged EXEC command to verify that the powered device can receive power when the port is not shut down. Alternatively, watch the powered device to verify that it powers on.
• If a powered device can power on when only one powered device is connected to the switch, enter the shut and no shut interface configuration commands on the remaining ports, and then reconnect the Ethernet cables one at a time to the switch PoE ports. Use the show interface status and show power inline privileged EXEC commands to monitor inline power statistics and port status.
• If there is still no PoE at any port, a fuse might be open in the PoE section of the power supply. This normally produces an alarm. Check the log again for alarms reported earlier by system messages.

Symptom or Problem: Cisco pre-standard powered device disconnects or resets. After working normally, a Cisco phone intermittently reloads or disconnects from PoE.
Possible Cause and Solution:
• Verify all electrical connections from the switch to the powered device. Any unreliable connection results in power interruptions and irregular powered device functioning such as erratic powered device disconnects and reloads.
• Verify that the cable length is not more than 100 meters from the switch port to the powered device.
• Notice what changes in the electrical environment at the switch location or what happens at the powered device when the disconnect occurs.
• Notice whether any error messages appear at the same time a disconnect occurs. Use the show log privileged EXEC command to review error messages.
• Verify that an IP phone is not losing access to the Call Manager immediately before the reload occurs. (It might be a network problem and not a PoE problem.)
• Replace the powered device with a non-PoE device, and verify that the device works correctly. If a non-PoE device has link problems or a high error rate, the problem might be an unreliable cable connection between the switch port and the powered device.

Symptom or Problem: IEEE 802.3af-compliant or IEEE 802.3at-compliant powered devices do not work on Cisco PoE switch. A non-Cisco powered device is connected to a Cisco PoE switch, but never powers on or powers on and then quickly powers off. Non-PoE devices work normally.
Possible Cause and Solution:
• Use the show power inline command to verify that the switch power budget (available PoE) is not depleted before or after the powered device is connected. Verify that sufficient power is available for the powered device type before you connect it.
• Use the show interface status command to verify that the switch detects the connected powered device.
• Use the show log command to review system messages that reported an overcurrent condition on the port. Identify the symptom precisely: Does the powered device initially power on, but then disconnect? If so, the problem might be an initial surge-in (or inrush) current that exceeds a current-limit threshold for the port.
Related Topics
Power over Ethernet Ports, on page 248
Configuration Examples for Troubleshooting Software
Example: Pinging an IP Host
This example shows how to ping an IP host:
Controller# ping 172.20.52.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 172.20.52.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Controller#
Table 30: Ping Output Display Characters
Character | Description
! | Each exclamation point means receipt of a reply.
. | Each period means the network server timed out while waiting for a reply.
U | A destination unreachable error PDU was received.
C | A congestion experienced packet was received.
I | User interrupted test.
? | Unknown packet type.
& | Packet lifetime exceeded.
To end a ping session, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release the
Ctrl, Shift, and 6 keys and then press the X key.
Related Topics
Ping, on page 249
Executing Ping, on page 265
Example: Performing a Traceroute to an IP Host
This example shows how to perform a traceroute to an IP host:
Controller# traceroute ip 192.0.2.10
Type escape sequence to abort.
Tracing the route to 192.0.2.10
 1 192.0.2.1 0 msec 0 msec 4 msec
 2 192.0.2.203 12 msec 8 msec 0 msec
 3 192.0.2.100 4 msec 0 msec 0 msec
 4 192.0.2.10 0 msec 4 msec 0 msec
The display shows the hop count, the IP address of the router, and the round-trip time in milliseconds for each
of the three probes that are sent.
Table 31: Traceroute Output Display Characters
Character | Description
* | The probe timed out.
? | Unknown packet type.
A | Administratively unreachable. Usually, this output means that an access list is blocking traffic.
H | Host unreachable.
N | Network unreachable.
P | Protocol unreachable.
Q | Source quench.
U | Port unreachable.
To end a trace in progress, enter the escape sequence (Ctrl-^ X by default). Simultaneously press and release
the Ctrl, Shift, and 6 keys and then press the X key.
Related Topics
IP Traceroute, on page 251
Executing IP Traceroute, on page 266
Example: Enabling All System Diagnostics
Caution
Because debugging output takes priority over other network traffic, and because the debug all privileged
EXEC command generates more output than any other debug command, it can severely diminish switch
performance or even render it unusable. In virtually all cases, it is best to use more specific debug commands.
This command enables all-system diagnostics:
Controller# debug all
The no debug all privileged EXEC command disables all diagnostic output. Using the no debug all command
is a convenient way to ensure that you have not accidentally left any debug commands enabled.
Related Topics
Debug Commands, on page 253
Additional References for Troubleshooting Software Configuration
Related Documents
Related Topic | Document Title
System management commands | System Management Command Reference (Catalyst 3850 Switches); System Management Command Reference (Cisco WLC 5700 Series); System Management Command Reference (Catalyst 3650 Switches)
Platform-independent command reference | Configuration Fundamentals Command Reference, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
Platform-independent configuration information | Configuration Fundamentals Configuration Guide, Cisco IOS XE Release 3S (Catalyst 3850 Switches)
Standards and RFCs
Standard/RFC | Title
None | —
MIBs
MIB | MIBs Link
All supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/support
Additional References for Troubleshooting Software Configuration
Related Documents
Related Topic | Document Title
System management commands | System Management Command Reference (Catalyst 3650 Switches); System Management Command Reference (Cisco WLC 5700 Series)
Platform-independent command reference | Configuration Fundamentals Command Reference, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Platform-independent configuration information | Configuration Fundamentals Configuration Guide, Cisco IOS XE Release 3S (Catalyst 3650 Switches)
Standards and RFCs
Standard/RFC | Title
None | —
Feature History and Information for Troubleshooting Software Configuration
Release | Modification
Cisco IOS XE 3.2SE; Cisco IOS XE 3.3SE; Cisco IOS XE 3.3SE | This feature was introduced.
Related Topics
Finding Feature Information, on page 23
PART II
QoS
• Configuring QoS, on page 281
CHAPTER 19
Configuring QoS
• Finding Feature Information, on page 281
• Prerequisites for Quality of Service, on page 281
• QoS Components, on page 282
• QoS Terminology, on page 283
• Information About QoS, on page 283
• Guidelines for QoS Policies, on page 322
• Restrictions for QoS on Wired Targets, on page 322
• Restrictions for QoS on Wireless Targets, on page 325
• How to Configure QoS, on page 328
• Monitoring QoS, on page 383
• Configuration Examples for QoS, on page 387
• Where to Go Next, on page 402
• Additional References for QoS, on page 403
• Feature History and Information for QoS, on page 404
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Related Topics
Feature History and Information for Troubleshooting Software Configuration, on page 278
Prerequisites for Quality of Service
Before configuring standard QoS, you must have a thorough understanding of these items:
• Standard QoS concepts.
• Wireless concepts and network topologies.
• Classic Cisco IOS QoS.
• Modular QoS CLI (MQC).
• Understanding of QoS implementation.
• The types of applications used and the traffic patterns on your network.
• Traffic characteristics and needs of your network. For example, is the traffic on your network bursty?
Do you need to reserve bandwidth for voice and video streams?
• Bandwidth requirements and speed of the network.
• Location of congestion points in the network.
Related Topics
Restrictions for QoS on Wired Targets, on page 322
Restrictions for QoS on Wireless Targets, on page 325
QoS Components
Quality of service (QoS) consists of the following key components:
• Classification— Classification is the process of distinguishing one type of traffic from another based
upon access control lists (ACLs), Differentiated Services Code Point (DSCP), Class of Service (CoS),
and other factors.
• Marking and mutation— Marking is used on traffic to convey specific information to a downstream
device in the network, or to carry information from one interface in a controller to another. When traffic
is marked, QoS operations on that traffic can be applied. This can be accomplished directly using the set
command or through a table map, which takes input values and translates them directly to values on
output.
• Shaping and policing— Shaping is the process of imposing a maximum rate of traffic, while regulating
the traffic rate in such a way that downstream devices are not subjected to congestion. Shaping in the
most common form is used to limit the traffic sent from a physical or logical interface. Policing is used
to impose a maximum rate on a traffic class. If the rate is exceeded, then a specific action is taken as
soon as the event occurs.
• Queuing— Queuing is used to prevent traffic congestion. Traffic is sent to specific queues for servicing
and scheduling based upon bandwidth allocation. Traffic is then scheduled or sent out through the port.
• Bandwidth—Bandwidth allocation determines the available capacity for traffic that is subject to QoS
policies.
• Trust— Trust enables traffic to pass through the controller, and the Differentiated Services Code Point
(DSCP), precedence, or CoS values coming in from the end points are retained in the absence of any
explicit policy configuration.
QoS Terminology
The following terms are used interchangeably in this QoS configuration guide:
• Upstream (direction towards the controller) is the same as ingress.
• Downstream (direction from the controller) is the same as egress.
Note
Upstream is wireless to wired. Downstream is wired to wireless. Wireless to wireless has no specific term.
Information About QoS
QoS Overview
By configuring the quality of service (QoS), you can provide preferential treatment to specific types of traffic
at the expense of other traffic types. Without QoS, the controller offers best-effort service to each packet,
regardless of the packet contents or size. The controller sends the packets without any assurance of reliability,
delay bounds, or throughput.
The following are specific features provided by QoS:
• Low latency
• Bandwidth guarantee
• Buffering capabilities and dropping disciplines
• Traffic policing
• Enables the changing of the attribute of the frame or packet header
• Relative services
Related Topics
Restrictions for QoS on Wired Targets, on page 322
Restrictions for QoS on Wireless Targets, on page 325
Modular QoS Command-Line Interface
With the controller, QoS features are enabled through the Modular QoS command-line interface (MQC). The
MQC is a command-line interface (CLI) structure that allows you to create traffic policies and attach these
policies to interfaces. A traffic policy contains a traffic class and one or more QoS features. A traffic class is
used to classify traffic, while the QoS features in the traffic policy determine how to treat the classified traffic.
One of the main goals of MQC is to provide a platform-independent interface for configuring QoS across
Cisco platforms.
Wireless QoS Overview
Wireless QoS can be configured on the following wireless targets:
• Wireless ports, including all physical ports to which an access point can be associated.
• Radio
• SSID (applicable on a per-radio, per-AP, and per-SSID)
• Client
From Cisco IOS XE Release 3E, marking and policing actions for ingress SSID and client policies are applied
at the access point. The SSID and client ingress policies that you configure in the controller are moved to the
access point. The access point performs policing and marking actions for each packet. However, the controller
selects the QoS policies. Marking and policing of egress SSID and client policies are applied at the controller.
The following table displays how policies are supported for the wireless targets.
Table 32: Wireless Targets Policies Support
Wireless Target | Policies on Wireless Targets Supported | Policies Supported Egress Direction | Policies Supported Ingress Direction
Wireless port | Yes | Yes - user configurable | No
Radio | Yes | Yes - but not configurable by user | No
SSID | Yes | Yes - user configurable | Yes - user configurable
Client | Yes | Yes - user configurable | Yes - user configurable
Note
Additional policies that are user configured include multidestination policers and VLANs.
Wireless QoS supports the following features:
• Queuing in the egress direction.
• Policing of wireless traffic.
• Marking of wireless traffic.
• Shaping of wireless traffic in the egress direction.
• Approximate Fair Drop (AFD) in the egress direction.
• Mobility support for QoS.
• Compatibility with precious metal QoS policies available on Cisco Unified Wireless Controllers.
• Combination of CLI/Traffic Class (TCLAS) and CLI/snooping.
• Application control (can drop or mark the data traffic) by configuring an AVC QoS client policy.
• Drop action for ingress policies.
• QoS statistics for client and SSID targets in the ingress direction.
• QoS attribute for local profiling policy.
• Hierarchical policies.
QoS and IPv6 for Wireless
The controller supports QoS for both IPv4 and IPv6 traffic, and client policies can now have IPv4 and IPv6
filters.
Wired and Wireless Access Supported Features
The following table describes the supported features for both wired and wireless access.
Table 33: Supported QoS Features for Wired and Wireless Access

Feature: Targets
Wired:
• Gigabit Ethernet
• 10 Gigabit Ethernet
• VLAN
Wireless:
• Wireless port (CAPWAP tunnel)
• SSID
• Client
• Radio
• CAPWAP multicast tunnel

Feature: Configuration Sequence
Wired: QoS policy installed using the service-policy command.
Wireless:
• When an access point joins the switch, the switch installs a policy on the port. The port policy has a child policy called port_child_policy.
• A policy is installed on the radio which has a shaper configured to the radio rate. The default radio policy (which cannot be modified) is attached to the radio.
• The default client policies take effect when a WMM client associates, and if admission control is enabled on the radio.
• User can modify the port_child_policy to add more classes.
• User can attach a user-defined policy at the SSID level.
• User can attach a user-defined policy at the client level.
• User can configure a port policy.
• User can configure an SSID policy.
• These policies can then be modified.
• The default radio policy (which cannot be modified) is attached to the radio.
• Optionally, the user can attach a client policy as required.
• The default client policies take effect when a WMM client associates, and if admission control is enabled on the radio.

Feature: Number of queues permitted at port level
Wired: Up to 8 queues supported on a port.
Wireless: Only four queues supported.

Feature: Classification mechanism
Wired:
• DSCP
• IP precedence
• CoS
• QoS-group
• ACL membership including:
  • IPv4 ACLs
  • IPv6 ACLs
  • MAC ACLs
Wireless:
• Port level
  • Ingress: QoS policies not supported on ingress in wireless ports.
  • Egress: Only DSCP based classification.
• SSID level
  • Ingress: DSCP, UP
  • Egress: DSCP, COS, QoS group
• Client level
  • Ingress: ACL, DSCP, UP
  • Egress: DSCP and COS
Related Topics
Port Policy Format, on page 289
Supported QoS Features on Wireless Targets
This table describes the various features available on wireless targets.
Table 34: QoS Features Available on Wireless Targets

Target: Port
Features: Port shaper; Priority queuing; Multicast policing
Traffic: Non-Real Time (NRT), Real Time (RT)
Direction Where Policies Are Applicable: Egress

Target: Radio
Features: Shaping
Traffic: Non-Real Time
Direction Where Policies Are Applicable: Egress
Comments: Radio policies are not user configurable.

Target: SSID
Traffic: Non-Real Time, Real Time
Features and Direction Where Policies Are Applicable:
• Police, Table map: Ingress and egress
• Shaping: Egress
• BRR: Egress
• Set actions (Table map, set dscp, set cos): Ingress. Comments: You can use set in both class-default and user-defined classes of SSID ingress policies.
• Set actions (Table map, set dscp, set wlan user-priority): Egress. Comments: You can define table maps only in the class-default class of an SSID policy.
• Drop: Ingress

Target: Client
Traffic: Non-Real Time, Real time
Features and Direction Where Policies Are Applicable:
• Police: Ingress and egress
• Drop: Ingress
• Set actions (set dscp, set cos): Ingress
• Set actions (set dscp, set wlan user-priority): Egress
Comments: For client policies, the following filters are supported:
• ACL
• DSCP
• CoS (only for egress)
• WLAN UP
• protocol
Related Topics
Configuring Port Policies (GUI), on page 381
Applying or Changing Port Policies (GUI), on page 381
Applying a QoS Policy on a WLAN (GUI), on page 382
Port Policies, on page 289
Port Policy Format, on page 289
Radio Policies, on page 291
Applying an SSID or Client Policy on a WLAN (CLI), on page 347
Configuring SSID Policies (GUI), on page 345
SSID Policies, on page 291
Configuring Client Policies (CLI)
Configuring Client Policies (GUI), on page 335
Client Policies, on page 292
Port Policies
Note
Port child policies only apply to wireless ports and not to wired ports on the switch. A wireless port is defined
as a port to which APs join. A default port child policy is applied on the switch to the wireless ports at start
up. The port shaper rate is limited to 1G.
Port shaper specifies the traffic policy applicable between the device and the AP. This is the sum of the radio
rates supported on the access point.
The child policy determines the mapping between packets and queues defined by the port-child policy. The
child policy can be configured to include voice, video, class-default, and non-client-nrt classes where voice
and video are based on DSCP value (which is the outer CAPWAP header DSCP value). The definition of
class-default is known to the system as any value other than voice and video DSCP.
The DSCP value is assigned when the packet reaches the port. Before the packet arrives at the port, the SSID
policies are applied on the packet. Port child policy also includes multicast percentage for a given port traffic.
By default, the port child policy allocates up to 10 percent of the available rate.
Related Topics
Configuring Port Policies (GUI), on page 381
Applying or Changing Port Policies (GUI), on page 381
Applying a QoS Policy on a WLAN (GUI), on page 382
Restrictions for QoS on Wireless Targets, on page 325
Supported QoS Features on Wireless Targets, on page 287
Examples: Wireless QoS Policy Classified by Voice, Video, and Multicast Traffic, on page 391
Port Policy Format
This section describes the behavior of the port policies on a switch. The ports on the switch do not distinguish
between wired or wireless physical ports. Depending on the kind of device associated to the switch, the policies
are applied. For example, when an access point is connected to a switch port, the switch detects it as a wireless
device and applies the default hierarchical policy, which is in the format of a parent-child policy. This policy
is a hierarchical policy. The parent policy cannot be modified but the child policy (port-child policy) can be
modified to suit the QoS configuration. The switch is preconfigured with a default class map and a policy
map.
Default class map:
Class Map match-any non-client-nrt-class
Match non-client-nrt
The above port policy processes all network traffic to the Q3 queue. You can view the class map by executing
the show class-map command.
Default policy map:
Policy Map port_child_policy
Class non-client-nrt-class
bandwidth remaining ratio 10
Note
The class map and policy map listed are system-defined policies and cannot be changed.
The following is the system-defined policy map available on the ports on which wireless devices are associated.
The format consists of a parent policy and a service child policy (port_child_policy). To customize the policies
to suit your network needs, you must configure the port child policy.
Policy-map policy_map_name
  Class class-default
    Shape average average_rate
    Service-policy port_child_policy
Note
The parent policy is system generated and cannot be changed. You must configure the port_child_policy
policy to suit the QoS requirements on your network.
Depending on the type of traffic in your network, you can configure the port child policy. For example, in a
typical wireless network deployment, you can assign specific priorities to voice and video traffic. Here is an
example:
Policy-map port_child_policy
  Class voice-policy-name (match dscp ef)
    Priority level 1
    Police (multicast-policer-name-voice) Multicast Policer
  Class video-policy-name (match dscp af41)
    Priority level 2
    Police (multicast-policer-name-video) Multicast Policer
  Class non-client-nrt-class traffic (match non-client-nrt)
    Bandwidth remaining ratio (brr-value-nrt-q2)
  Class class-default (NRT Data)
    Bandwidth remaining ratio (brr-value-q3)
In the above port child policy:
• voice-policy-name— Refers to the name of the class that specifies rules for the traffic for voice packets.
Here the DSCP value is mapped to a value of 46 (represented by the keyword ef). The voice traffic is
assigned the highest priority of 1.
• video-policy-name— Refers to the name of the class that specifies rules for the traffic for video packets.
The DSCP value is mapped to a value of 34 (represented by the keyword af41).
• multicast-policer-name-voice— If you need to configure multicast voice traffic, you can configure
policing for the voice class map.
• multicast-policer-name-video— If you need to configure multicast video traffic, you can configure
policing for the video class map.
In the above sample configuration, all voice and video traffic is directed to the Q0 and Q1 queues, respectively.
These queues maintain a strict priority. The packets in Q0 and Q1 are processed in that order. The bandwidth
remaining ratios brr-value-nrt-q2 and brr-value-q3 apply to the Q2 and Q3 queues, respectively, which serve
the non-client-nrt and class-default classes. Packets in Q2 and Q3 are processed using a weighted round-robin
approach. For example, if brr-value-nrt-q2 has a value of 90 and brr-value-q3 has a value of 10, the packets
in queue 2 and queue 3 are processed in the ratio of 9:1.
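The queue behavior described above can be checked with a small model. This Python sketch is an added example, not Cisco code: it classifies packets the way the sample port_child_policy does (DSCP 46 to Q0, DSCP 34 to Q1, non-client-nrt to Q2, everything else to Q3), serves Q0 and Q1 in strict priority, and shares the remaining service between Q2 and Q3 by their bandwidth remaining ratios. A smooth weighted round-robin is used as a stand-in for the platform scheduler, which the guide does not describe; policers and packet sizes are ignored, and all class, function and packet names are hypothetical.

```python
from collections import deque

DSCP_EF = 46    # voice class in the sample policy (match dscp ef)
DSCP_AF41 = 34  # video class in the sample policy (match dscp af41)


def classify(dscp, non_client_nrt=False):
    """Return the queue (0-3) selected by the sample port_child_policy.

    Classes are evaluated in the order they appear in the policy map:
    voice, video, non-client-nrt, then class-default.
    """
    if dscp == DSCP_EF:
        return 0
    if dscp == DSCP_AF41:
        return 1
    if non_client_nrt:
        return 2
    return 3


class PortChildScheduler:
    """Strict priority for Q0/Q1, weighted round-robin for Q2/Q3."""

    def __init__(self, brr_nrt_q2, brr_q3):
        if min(brr_nrt_q2, brr_q3) < 1:
            raise ValueError("bandwidth remaining ratios must be positive")
        self.queues = [deque() for _ in range(4)]
        self.weight = {2: brr_nrt_q2, 3: brr_q3}
        self.credit = {2: 0, 3: 0}

    def enqueue(self, name, dscp, non_client_nrt=False):
        q = classify(dscp, non_client_nrt)
        self.queues[q].append(name)
        return q

    def dequeue(self):
        """Return (queue, packet) for the next packet sent, or None if idle."""
        # Strict priority: Q0 is always drained before Q1, Q1 before Q2/Q3.
        for q in (0, 1):
            if self.queues[q]:
                return q, self.queues[q].popleft()
        backlogged = [q for q in (2, 3) if self.queues[q]]
        if not backlogged:
            return None
        # Smooth weighted round-robin: every backlogged queue earns its
        # weight, the richest queue sends, then pays back the weight sum.
        for q in backlogged:
            self.credit[q] += self.weight[q]
        pick = max(backlogged, key=lambda q: self.credit[q])
        self.credit[pick] -= sum(self.weight[q] for q in backlogged)
        return pick, self.queues[pick].popleft()

    def drain(self, count):
        served = []
        for _ in range(count):
            item = self.dequeue()
            if item is None:
                break
            served.append(item)
        return served


def demo():
    """Constructed backlog: data arrives first, voice and video last."""
    sched = PortChildScheduler(brr_nrt_q2=90, brr_q3=10)
    for i in range(100):
        sched.enqueue(f"nrt-{i}", dscp=0, non_client_nrt=True)
        sched.enqueue(f"data-{i}", dscp=0)
    for i in range(3):
        sched.enqueue(f"voice-{i}", DSCP_EF)
    for i in range(2):
        sched.enqueue(f"video-{i}", DSCP_AF41)
    return [q for q, _ in sched.drain(25)]


if __name__ == "__main__":
    print(demo())
```

Because Q0 and Q1 are strict priority, a sustained voice or video backlog in this model starves Q2 and Q3 entirely, which is why the sample policy pairs the priority classes with policers.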
The Cisco 5700 Series Wireless Controller does not contain a default port policy. Physical port policies must
be configured for voice and video to function. Because a Cisco 5700 Series Wireless Controller contains six
10-gigabit ports, the policy map must be configured on all ports.
Note
The policy must be configured on all of the six physical ports on the controller even if LAG (Link
Aggregation/Etherchannel) is configured.
The following basic port policy must be configured on the physical ports. You can add further classification
if required:
Policy-map <port-policy-name>
  Class voice
    Priority level 1
  Class video
    Priority level 2
Related Topics
Configuring Port Policies (GUI), on page 381
Applying or Changing Port Policies (GUI), on page 381
Applying a QoS Policy on a WLAN (GUI), on page 382
Restrictions for QoS on Wireless Targets, on page 325
Supported QoS Features on Wireless Targets, on page 287
Examples: Wireless QoS Policy Classified by Voice, Video, and Multicast Traffic, on page 391
Wired and Wireless Access Supported Features, on page 285
Policy Maps, on page 301
Radio Policies
The radio policies are system defined and are not user configurable. Radio wireless targets are only applicable
in the egress direction.
Radio policies are applicable on a per-radio, per-access point basis. The rate limit on the radios is the practical
limit of the AP radio rate. This value is equivalent to the sum of the radios supported by the access point.
The following radios are supported:
• 802.11 a/n
• 802.11 b/n
• 802.11 ac
Related Topics
Restrictions for QoS on Wireless Targets, on page 325
Supported QoS Features on Wireless Targets, on page 287
SSID Policies
You can create QoS policies on SSID BSSID (Basic Service Set Identification) in both the ingress and egress
directions. By default, there is no SSID policy. All traffic is transmitted as best effort because the wireless
traffic is untrusted. You can configure an SSID policy based on the SSID name. The policy is applicable on
a per-BSSID basis.
The types of policies you can create on SSID include marking by using table maps (table-maps), shape rate,
and RT1 (Real Time 1) and RT2 (Real Time 2) policers. If traffic is ingress, you usually configure a marking
and policing policy on the SSID. If traffic is downstream, you can configure marking and queuing.
There should be a one-to-one mapping between the policies configured on a port and an SSID. For example,
if you configure class voice and class video on the port, you can have a similar policy on the SSID.
The policy on the port is mandatory if you want to preserve the voice and video behavior priority at the port
level. Queuing policy is applicable in a downstream direction. When packets arrive from the AP, you can
only configure policing and rate limiting.
SSID priorities can be specified by configuring bandwidth remaining ratio. Queuing SSID policies are applied
in the egress direction.
Related Topics
Applying an SSID or Client Policy on a WLAN (CLI), on page 347
Configuring SSID Policies (GUI), on page 345
Applying a QoS Policy on a WLAN (GUI), on page 382
Supported QoS Features on Wireless Targets, on page 287
Examples: SSID Policy
Examples: Configuring Downstream SSID Policy, on page 392
Client Policies
Client policies are applicable in the ingress and egress direction. The wireless control module of the controller
applies the default client policies when admission control is enabled for WMM clients. When admission
control is disabled, there is no default client policy. You can configure policing and marking policies on
clients.
Note
A client policy can have both IPv4 and IPv6 filters.
You can configure client policies in the following ways:
• Using AAA
• Using the Cisco IOS MQC CLI
• You can use service policy client command in the WLAN configuration.
• Using the default configuration
• Using local policies (native profiling)
Use the show wireless client mac address mac_address service-policy command to display the source of
the client policy (for example, local profiling policy, AAA, or CLI). The precedence order of client policies
is AAA > local policy > WLAN service client policy CLI > default configuration.
Note
If you configured AAA by configuring the unified wireless controller procedure, and using the MQC QoS
commands, the policy configuration performed through the MQC QoS commands takes precedence.
Note
When applying client policies on a WLAN, you must disable the WLAN before modifying the client policy.
SSID policies can be modified even if the WLAN is enabled.
The default client policy is enabled only on Wi-Fi Multimedia (WMM) clients that are admission control
(ACM)-enabled.
Policy Chaining
Every packet has a maximum of two applicable policies, first at the client target and second at the SSID target.
The client policing action is applied to the packet before the marking action that is specified in the client
policy. After the client policing and marking actions are applied to the packet, the SSID policy action is applied
to the updated packet. If no custom policies are specified, the system trust configuration is applied to the
packet. Egress trust is based on DSCP, and ingress trust is based on WLAN user priority.
Related Topics
Configuring Client Policies (CLI)
Configuring Client Policies (GUI), on page 335
Applying a QoS Policy on a WLAN (GUI), on page 382
Supported QoS Features on Wireless Targets, on page 287
Examples: Client Policies, on page 394
Hierarchical QoS
The controller supports hierarchical QoS (HQoS). HQoS allows you to perform:
• Hierarchical classification— Traffic classification is based upon other classes.
• Hierarchical policing—The process of having the policing configuration at multiple levels in a hierarchical
policy.
• Hierarchical shaping—Shaping can also be configured at multiple levels in the hierarchy.
Note
Hierarchical shaping is only supported for the port shaper, where for the parent
you only have a configuration for the class default, and the only action for the
class default is shaping.
Related Topics
Examples: Hierarchical Classification, on page 389
Examples: Hierarchical Policy Configuration, on page 389
Hierarchical Wireless QoS
The controller supports hierarchical QoS for wireless targets. Hierarchical QoS policies are applicable on
port, radio, SSID, and client. QoS policies configured on the device (including marking, shaping, policing)
can be applied across the targets. If the network contains non-realtime traffic, the non-realtime traffic is subject
to approximate fair drop. Hierarchy refers to the process of application of the various QoS policies on the
packets arriving to the device. You can configure policing in both the parent and child policies.
Note
For hierarchical client and SSID policies, you only configure marking either in the parent or child policy.
Wireless Packet Format
Figure 4: Wireless Packet Path in the Egress Direction during First Pass
This figure displays the wireless packet flow and encapsulation used in hierarchical wireless QoS. The incoming
packet enters the controller. The controller encapsulates this incoming packet and adds the 802.11e and
CAPWAP headers.
Hierarchical AFD
Approximate Fair Dropping (AFD) is a feature provided by the QoS infrastructure in Cisco IOS. For wireless
targets, AFD can be configured on SSID (via shaping) and clients (via policing). AFD shaping rate is only
applicable for downstream direction. Unicast real-time traffic is not subjected to AFD drops.
QoS Implementation
Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and
an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance
of being dropped.
When you configure the QoS feature, you can select specific network traffic, prioritize it according to its
relative importance, and use congestion-management and congestion-avoidance techniques to provide
preferential treatment. Implementing QoS in your network makes network performance more predictable and
bandwidth utilization more effective.
The QoS implementation is based on the Differentiated Services (Diff-Serv) architecture, a standard from the
Internet Engineering Task Force (IETF). This architecture specifies that each packet is classified upon entry
into the network.
The classification is carried in the IP packet header, using 6 bits from the deprecated IP type of service (ToS)
field to carry the classification (class) information. Classification can also be carried in the Layer 2 frame.
The special bits in the Layer 2 frame or a Layer 3 packet are shown in the following figure:
Figure 5: QoS Classification Layers in Frames and Packets
Related Topics
Restrictions for QoS on Wired Targets, on page 322
Restrictions for QoS on Wireless Targets, on page 325
Layer 2 Frame Prioritization Bits
Layer 2 Inter-Switch Link (ISL) frame headers have a 1-byte User field that carries an IEEE 802.1p class of
service (CoS) value in the three least-significant bits. On ports configured as Layer 2 ISL trunks, all traffic is
in ISL frames.
Layer 2 802.1Q frame headers have a 2-byte Tag Control Information field that carries the CoS value in the
three most-significant bits, which are called the User Priority bits. On ports configured as Layer 2 802.1Q
trunks, all traffic is in 802.1Q frames except for traffic in the native VLAN.
Other frame types cannot carry Layer 2 CoS values.
Layer 2 CoS values range from 0 for low priority to 7 for high priority.
Layer 3 Packet Prioritization Bits
Layer 3 IP packets can carry either an IP precedence value or a Differentiated Services Code Point (DSCP)
value. QoS supports the use of either value because DSCP values are backward-compatible with IP precedence
values.
IP precedence values range from 0 to 7. DSCP values range from 0 to 63.
End-to-End QoS Solution Using Classification
All switches and routers that access the Internet rely on the class information to provide the same forwarding
treatment to packets with the same class information and different treatment to packets with different class
information. The class information in the packet can be assigned by end hosts or by switches or routers along
the way, based on a configured policy, detailed examination of the packet, or both. Detailed examination of
the packet is expected to occur closer to the edge of the network, so that the core switches and routers are not
overloaded with this task.
Switches and routers along the path can use the class information to limit the amount of resources allocated
per traffic class. The behavior of an individual device when handling traffic in the Diff-Serv architecture is
called per-hop behavior. If all devices along a path provide a consistent per-hop behavior, you can construct
an end-to-end QoS solution.
Implementing QoS in your network can be a simple task or complex task and depends on the QoS features
offered by your internetworking devices, the traffic types and patterns in your network, and the granularity
of control that you need over incoming and outgoing traffic.
Packet Classification
Packet classification is the process of identifying a packet as belonging to one of several classes in a defined
policy, based on certain criteria. The Modular QoS CLI (MQC) is a policy-class based language. The policy
class language is used to define the following:
• Class-map template with one or several match criteria
• Policy-map template with one or several classes associated to the policy map
The policy map template is then associated to one or several interfaces on the controller.
Packet classification is the process of identifying a packet as belonging to one of the classes defined in the
policy map. The process of classification will exit when the packet being processed matches a specific filter
in a class. This is referred to as first-match exit. If a packet matches multiple classes in a policy, irrespective
of the order of classes in the policy map, it would still exit the classification process after matching the first
class.
If a packet does not match any of the classes in the policy, it would be classified into the default class in the
policy. Every policy map has a default class, which is a system-defined class to match packets that do not
match any of the user-defined classes.
Packet classification can be categorized into the following types:
• Classification based on information that is propagated with the packet
• Classification based on information that is controller specific
• Hierarchical classification
Classification Based on Information That is Propagated with the Packet
Classification that is based on information that is part of the packet and propagated either end-to-end or
between hops, typically includes the following:
• Classification based on Layer 3 or 4 headers
• Classification based on Layer 2 information
Classification Based on Layer 3 or Layer 4 Header
This is the most common deployment scenario. Numerous fields in the Layer 3 and Layer 4 headers can be
used for packet classification.
At the most granular level, this classification methodology can be used to match an entire flow. For this
deployment type, access control lists (ACLs) can be used. ACLs can also be used to match based on various
subsets of the flow (for example, source IP address only, or destination IP address only, or a combination of
both).
Classification can also be done based on the precedence or DSCP values in the IP header. The IP precedence
field is used to indicate the relative priority with which a particular packet needs to be handled. It is made up
of three bits in the IP header's type of service (ToS) byte.
The following table shows the different IP precedence bit values and their names.
Note
IP precedence is not supported for wireless QoS.
Table 35: IP Precedence Values and Names
IP Precedence Value    IP Precedence Bits    IP Precedence Names
0                      000                   Routine
1                      001                   Priority
2                      010                   Immediate
3                      011                   Flash
4                      100                   Flash Override
5                      101                   Critical
6                      110                   Internetwork control
7                      111                   Network control
Note
All routing control traffic in the network uses IP precedence value 6 by default. IP precedence value 7 also
is reserved for network control traffic. Therefore, the use of IP precedence values 6 and 7 is not recommended
for user traffic.
The DSCP field is made up of 6 bits in the IP header and is being standardized by the Internet Engineering
Task Force (IETF) Differentiated Services Working Group. The original ToS byte that contained the DSCP bits
has been renamed the DSCP byte. The DSCP field is part of the IP header, similar to IP precedence. The
DSCP field is a superset of the IP precedence field. Therefore, the DSCP field is used and is set in ways
similar to what was described with respect to IP precedence.
Note
The DSCP field definition is backward-compatible with the IP precedence values.
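The bit positions described in the Layer 2 and Layer 3 prioritization sections above, shown as an added Python example that is not part of the Cisco guide: it decodes the CoS, VLAN ID, DSCP, and IP precedence carried by a raw Ethernet frame. The function names, MAC addresses, and IP addresses are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Names from Table 35 of this guide, indexed by IP precedence value.
PRECEDENCE_NAMES = (
    "Routine", "Priority", "Immediate", "Flash",
    "Flash Override", "Critical", "Internetwork control", "Network control",
)


def decode_qos_bits(frame: bytes) -> dict:
    """Return the Layer 2 and Layer 3 priority fields carried by one frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    fields = {"cos": None, "vlan": None, "dscp": None,
              "precedence": None, "precedence_name": None}

    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        fields["cos"] = tci >> 13        # three most-significant bits of the TCI
        fields["vlan"] = tci & 0x0FFF    # low 12 bits of the TCI
        offset = 18
    # An untagged frame has no TCI, so it cannot carry a CoS value.

    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
            raise ValueError("truncated or malformed IPv4 header")
        tos = frame[offset + 1]          # second byte of the IPv4 header
        fields["dscp"] = tos >> 2        # upper 6 bits
        fields["precedence"] = tos >> 5  # upper 3 bits, shared with DSCP
        fields["precedence_name"] = PRECEDENCE_NAMES[tos >> 5]
    return fields


def class_selector_dscp(precedence: int) -> int:
    """DSCP value that a precedence-only device reads as `precedence`."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence ranges from 0 to 7")
    return precedence << 3


def build_frame(dscp: int, cos=None, vlan: int = 0) -> bytes:
    """Constructed sample frame: Ethernet, optional 802.1Q tag, IPv4 header."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = b"" if cos is None else struct.pack("!HH", TPID_8021Q, (cos << 13) | vlan)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ipv4


if __name__ == "__main__":
    # DSCP 46 (ef) and DSCP 34 (af41) are the values used in the port child policy.
    for label, frame in (("voice", build_frame(46, cos=5, vlan=100)),
                         ("video", build_frame(34, cos=4, vlan=100)),
                         ("untagged", build_frame(0))):
        print(label, decode_qos_bits(frame))
```

Because precedence is the top three bits of the same byte, a frame marked DSCP 46 is seen as precedence 5 by a device that only reads IP precedence.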
Classification Based on Layer 2 Header
A variety of methods can be used to perform classification based on the Layer 2 header information. The most
common methods include the following:
• MAC address-based classification (only for access groups)—Classification is based upon the source
MAC address (for policies in the input direction) and destination MAC address (for policies in the output
direction).
• Class-of-Service—Classification is based on the 3 bits in the Layer 2 header based on the IEEE 802.1p
standard. This usually maps to the ToS byte in the IP header.
• VLAN ID—Classification is based on the VLAN ID of the packet.
Note
Some of these fields in the Layer 2 header can also be set using a policy.
Classification Based on Information that is Device Specific (QoS Groups)
The controller also provides classification mechanisms that are available where classification is not based on
information in the packet header or payload.
At times you might be required to aggregate traffic coming from multiple input interfaces into a specific class
in the output interface. For example, multiple customer edge routers might be going into the same access
controller on different interfaces. The service provider might want to police all the aggregate voice traffic
going into the core to a specific rate. However, the voice traffic coming in from the different customers could
have different ToS settings. QoS group-based classification is a feature that is useful in these scenarios.
Policies configured on the input interfaces set the QoS group to a specific value, which can then be used to
classify packets in the policy enabled on output interface.
The QoS group is a field in the packet data structure internal to the controller. It is important to note that a
QoS group is an internal label to the controller and is not part of the packet header.
Hierarchical Classification
The controller permits you to perform a classification based on other classes. Typically, this action may be
required when there is a need to combine the classification mechanisms (that is, filters) from two or more
classes into a single class map.
QoS Wired Model
To implement QoS, the controller must perform the following tasks:
• Traffic classification—Distinguishes packets or flows from one another.
• Traffic marking and policing—Assigns a label to indicate the given quality of service as the packets
move through the controller, and then makes the packets comply with the configured resource usage
limits.
• Queuing and scheduling—Provides different treatment in all situations where resource contention exists.
• Shaping—Ensures that traffic sent from the controller meets a specific traffic profile.
Ingress Port Activity
The following activities occur at the ingress port of the controller:
• Classification—Classifying a distinct path for a packet by associating it with a QoS label. For example,
the controller maps the CoS or DSCP in the packet to a QoS label to distinguish one type of traffic from
another. The QoS label that is generated identifies all future QoS actions to be performed on this packet.
• Policing—Policing determines whether a packet is in or out of profile by comparing the rate of the
incoming traffic to the configured policer. The policer limits the bandwidth consumed by a flow of traffic.
The result is passed to the marker.
• Marking—Marking evaluates the policer and configuration information for the action to be taken when
a packet is out of profile and determines what to do with the packet (pass through a packet without
modification, mark down the QoS label in the packet, or drop the packet).
Note
Applying polices on the wireless ingress port is not supported on the controller.
Egress Port Activity
The following activities occur at the egress port of the controller:
• Policing—Policing determines whether a packet is in or out of profile by comparing the rate of the
incoming traffic to the configured policer. The policer limits the bandwidth consumed by a flow of traffic.
The result is passed to the marker.
• Marking—Marking evaluates the policer and configuration information for the action to be taken when
a packet is out of profile and determines what to do with the packet (pass through a packet without
modification, mark down the QoS label in the packet, or drop the packet).
• Queueing—Queueing evaluates the QoS packet label and the corresponding DSCP or CoS value before
selecting which of the egress queues to use. Because congestion can occur when multiple ingress ports
simultaneously send data to an egress port, Weighted Tail Drop (WTD) differentiates traffic classes and
subjects the packets to different thresholds based on the QoS label. If the threshold is exceeded, the
packet is dropped.
Classification
Classification is the process of distinguishing one kind of traffic from another by examining the fields in the
packet. Classification is enabled only if QoS is enabled on the controller. By default, QoS is enabled on the
controller.
During classification, the controller performs a lookup and assigns a QoS label to the packet. The QoS label
identifies all QoS actions to be performed on the packet and from which queue the packet is sent.
Access Control Lists
You can use IP standard, IP extended, or Layer 2 MAC ACLs to define a group of packets with the same
characteristics (class). You can also classify IP traffic based on IPv6 ACLs.
In the QoS context, the permit and deny actions in the access control entries (ACEs) have different meanings
from security ACLs:
• If a match with a permit action is encountered (first-match principle), the specified QoS-related action
is taken.
• If a match with a deny action is encountered, the ACL being processed is skipped, and the next ACL is
processed.
Note
Deny action is supported in Cisco IOS Release 3.7.4E and later releases.
• If no match with a permit action is encountered and all the ACEs have been examined, no QoS processing
occurs on the packet, and the controller offers best-effort service to the packet.
• If multiple ACLs are configured on a port, the lookup stops after the packet matches the first ACL with
a permit action, and QoS processing begins.
Note
When creating an access list, note that by default the end of the access list contains
an implicit deny statement for everything if it did not find a match before reaching
the end.
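The QoS meaning of permit and deny described above differs enough from security ACLs that it is worth tracing. The following Python model is an added example, not code from the Cisco guide. The ACL contents, class names, addresses, and packet fields are constructed, and the model assumes each ACL is bound to one traffic class.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry (simplified: protocol, networks, optional port)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == pkt.get("dst_port")


def classify(pkt: dict, qos_acls) -> str:
    """Return the class of the first ACL that permits pkt, else best effort.

    qos_acls is an ordered list of (class_name, [Ace, ...]) pairs.
    """
    for class_name, aces in qos_acls:
        for ace in aces:
            if not ace.matches(pkt):
                continue
            if ace.action == "permit":
                return class_name    # first permit wins; the lookup stops here
            break                    # deny: skip this ACL, try the next one
        # Reaching the end of an ACL is the implicit deny: also try the next ACL.
    return "best-effort"             # no permit anywhere: no QoS processing


# Constructed ACLs: a voice class that excludes one subnet, then a bulk class.
QOS_ACLS = [
    ("voice", [
        Ace("deny", "ip", "10.1.9.0/24", "0.0.0.0/0"),
        Ace("permit", "udp", "10.1.0.0/16", "10.2.0.10/32", 5060),
    ]),
    ("bulk", [
        Ace("permit", "ip", "10.1.0.0/16", "0.0.0.0/0"),
    ]),
]

# Constructed packets.
VOICE_PKT = {"proto": "udp", "src": "10.1.5.20", "dst": "10.2.0.10", "dst_port": 5060}
EXCLUDED_PKT = {"proto": "udp", "src": "10.1.9.7", "dst": "10.2.0.10", "dst_port": 5060}
DNS_PKT = {"proto": "udp", "src": "10.1.5.20", "dst": "10.2.0.10", "dst_port": 53}
OUTSIDE_PKT = {"proto": "tcp", "src": "172.16.0.5", "dst": "10.2.0.10", "dst_port": 443}

if __name__ == "__main__":
    for name, pkt in (("voice", VOICE_PKT), ("excluded", EXCLUDED_PKT),
                      ("dns", DNS_PKT), ("outside", OUTSIDE_PKT)):
        print(name, "->", classify(pkt, QOS_ACLS))
```

The packet from the excluded subnet is not dropped by the deny entry; it falls through to the next ACL and is classified as bulk, which is the behavior to keep in mind when reusing security ACLs for QoS.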
After a traffic class has been defined with the ACL, you can attach a policy to it. A policy might contain
multiple classes with actions specified for each one of them. A policy might include commands to classify
the class as a particular aggregate (for example, assign a DSCP) or rate-limit the class. This policy is then
attached to a particular port on which it becomes effective.
You implement IP ACLs to classify IP traffic by using the access-list global configuration command; you
implement Layer 2 MAC ACLs to classify non-IP traffic by using the mac access-list extended global
configuration command.
Class Maps
A class map is a mechanism that you use to name a specific traffic flow (or class) and isolate it from all other
traffic. The class map defines the criteria used to match against a specific traffic flow to further classify it.
The criteria can include matching the access group defined by the ACL or matching a specific list of DSCP
or IP precedence values. If you have more than one type of traffic that you want to classify, you can create
another class map and use a different name. After a packet is matched against the class-map criteria, you
further classify it through the use of a policy map.
You create a class map by using the class-map global configuration command or the class policy-map
configuration command. You should use the class-map command when the map is shared among many ports.
When you enter the class-map command, the controller enters the class-map configuration mode. In this
mode, you define the match criterion for the traffic by using the match class-map configuration command.
You can create a default class by using the class class-default policy-map configuration command. The default
class is system-defined and cannot be configured. Unclassified traffic (traffic that does not meet the match
criteria specified in the traffic classes) is treated as default traffic.
Related Topics
Creating a Traffic Class (CLI), on page 328
Examples: Classification by Access Control Lists, on page 387
Policy Maps
A policy map specifies which traffic class to act on. Actions can include the following:
• Setting a specific DSCP or IP precedence value in the traffic class
• Setting a CoS value in the traffic class
• Setting a QoS group
• Setting a wireless LAN (WLAN) value in the traffic class
• Specifying the traffic bandwidth limitations and the action to take when the traffic is out of profile
Before a policy map can be effective, you must attach it to a port.
You create and name a policy map using the policy-map global configuration command. When you enter
this command, the controller enters the policy-map configuration mode. In this mode, you specify the actions
to take on a specific traffic class by using the class or set policy-map configuration and policy-map class
configuration commands.
The policy map can also be configured using the police and bandwidth policy-map class configuration
commands, which define the policer, the bandwidth limitations of the traffic, and the action to take if the
limits are exceeded. In addition, the policy-map can further be configured using the priority policy-map class
configuration command, to schedule priority for the class or the queueing policy-map class configuration
commands, queue-buffers and queue-limit.
To enable the policy map, you attach it to a port by using the service-policy interface configuration command.
Note
You cannot configure both priority and set for a policy map. If both these commands are configured for a
policy map, and when the policy map is applied to an interface, error messages are displayed. The following
example shows this restriction:
Switch# configure terminal
Switch(config)# class-map cmap
Switch(config-cmap)# exit
Switch(config)# class-map classmap1
Switch(config-cmap)# exit
Switch(config)# policy-map pmap
Switch(config-pmap)# class cmap
Switch(config-pmap-c)# priority
Switch(config-pmap-c)# exit
Switch(config-pmap)# class classmap1
Switch(config-pmap-c)# set
Switch(config-pmap-c)# exit
Switch(config-pmap)# exit
Switch(config)# interface gigabitethernet 0/1/1
Switch(config-if)# service-policy output pmap
Non-queuing action only is unsupported in a queuing policy!!!
%QOS-6-POLICY_INST_FAILED:
Service policy installation failed
Related Topics
Creating a Traffic Policy (CLI), on page 331
Port Policy Format, on page 289
Policy Map on Physical Port
You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on.
Actions can include setting a specific DSCP or IP precedence value in the traffic class, specifying the traffic
bandwidth limitations for each matched traffic class (policer), and taking action when the traffic is out of
profile (marking).
A policy map also has these characteristics:
• A policy map can contain multiple class statements, each with different match criteria and policers.
• A policy map can contain a predefined default traffic class explicitly placed at the end of the map.
When you configure a default traffic class by using the class class-default policy-map configuration
command, unclassified traffic (traffic that does not meet the match criteria specified in the traffic classes)
is treated as the default traffic class (class-default).
• A separate policy-map class can exist for each type of traffic received through a port.
Related Topics
Attaching a Traffic Policy to an Interface (CLI), on page 344
Policy Map on VLANs
The controller supports a VLAN QoS feature that allows the user to perform QoS treatment at the VLAN
level (classification and QoS actions) using the incoming frame’s VLAN information. In VLAN-based QoS,
a service policy is applied to an SVI interface. All physical interfaces belonging to a VLAN policy map then
need to be programmed to refer to the VLAN-based policy maps instead of the port-based policy map.
Although the policy map is applied to the VLAN SVI, any policing (rate-limiting) action can only be performed
on a per-port basis. You cannot configure the policer to take account of the sum of traffic from a number of
physical ports. Each port needs to have a separate policer governing the traffic coming into that port.
Related Topics
Classifying, Policing, and Marking Traffic on SVIs by Using Policy Maps (CLI), on page 351
Examples: Policer VLAN Configuration, on page 399
Wireless QoS Multicast
You can configure multicast policing rate at the port level.
There are two modes of a multicast configuration in the Cisco 5700 Series Wireless Controller:
• multicast-unicast mode—Multicast traffic is copied as unicast traffic to the APs. QoS on multicast traffic
is not supported in multicast-unicast mode on the Cisco 5700 Series Wireless Controller.
• multicast-multicast mode—The controller sends the traffic to the multicast group. The APs in the multicast
group then receive the multicast traffic.
Related Topics
Configuring QoS Policies for Multicast Traffic (CLI), on page 380
Examples: Wireless QoS Policy Classified by Voice, Video, and Multicast Traffic, on page 391
Policing
After a packet is classified and has a DSCP-based, CoS-based, or QoS-group label assigned to it, the policing
and marking process can begin.
Policing involves creating a policer that specifies the bandwidth limits for the traffic. Packets that exceed the
limits are out of profile or nonconforming. Each policer decides on a packet-by-packet basis whether the
packet is in or out of profile and specifies the actions on the packet. These actions, carried out by the marker,
include passing through the packet without modification, dropping the packet, or modifying (marking down)
the assigned DSCP or CoS value of the packet and allowing the packet to pass through.
To avoid out-of-order packets, both conforming and nonconforming traffic typically exit the same queue.
Note
All traffic, regardless of whether it is bridged or routed, is subjected to a policer, if one is configured. As a
result, bridged packets might be dropped or might have their DSCP or CoS fields modified when they are
policed and marked.
You can only configure policing on a physical port.
After you configure the policy map and policing actions, attach the policy to an ingress port or SVI by using
the service-policy interface configuration command.
Related Topics
Configuring Police (CLI), on page 367
Examples: Policing Action Configuration, on page 398
Token-Bucket Algorithm
Policing uses a token-bucket algorithm. As each frame is received by the controller, a token is added to the
bucket. The bucket has a hole in it and leaks at a rate that you specify as the average traffic rate in bits per
second. Each time a token is added to the bucket, the controller verifies that there is enough room in the bucket.
If there is not enough room, the packet is marked as nonconforming, and the specified policer action is taken
(dropped or marked down).
How quickly the bucket fills is a function of the bucket depth (burst-byte), the rate at which the tokens are
removed (rate-bps), and the duration of the burst above the average rate. The size of the bucket imposes an
upper limit on the burst length and limits the number of frames that can be transmitted back-to-back. If the
burst is short, the bucket does not overflow, and no action is taken against the traffic flow. However, if a burst
is long and at a higher rate, the bucket overflows, and the policing actions are taken against the frames in that
burst.
You configure the bucket depth (the maximum burst that is tolerated before the bucket overflows) by using
the burst-byte option of the police policy-map class configuration command. You configure how fast (the
average rate) that the tokens are removed from the bucket by using the rate option of the police policy-map
class configuration command.
Related Topics
Configuring Police (CLI), on page 367
Examples: Policing Action Configuration, on page 398
Examples: Policing Units, on page 399
Marking
Marking is used to convey specific information to a downstream device in the network, or to carry information
from one interface in a controller to another.
Marking can be used to set certain field/bits in the packet headers, or marking can also be used to set certain
fields in the packet structure that is internal to the controller. Additionally, the marking feature can be used
to define mapping between fields. The following marking methods are available for QoS:
• Packet header
• Device (controller) specific information
• Table maps
Packet Header Marking
Marking on fields in the packet header can be classified into two general categories:
• IPv4/v6 header bit marking
• Layer 2 header bit marking
The marking feature at the IP level is used to set the precedence or the DSCP in the IP header to a specific
value to get a specific per-hop behavior at the downstream device (switch or router), or it can also be used to
aggregate traffic from different input interfaces into a single class in the output interface. The functionality
is currently supported on both the IPv4 and IPv6 headers.
Marking in the Layer 2 headers is typically used to influence dropping behavior in the downstream devices
(switch or router). It works in tandem with the match on the Layer 2 headers. The bits in the Layer 2 header
that can be set using a policy map are class of service.
Switch Specific Information Marking
This form of marking includes marking of fields in the packet data structure that are not part of the packet
header, so that the marking can be used later in the data path. This is not propagated between the switches.
Marking of QoS-group falls into this category. This form of marking is only supported in policies that are
enabled on the input interfaces. The corresponding matching mechanism can be enabled on the output interfaces
on the same switch and an appropriate QoS action can be applied.
Table Map Marking
Note
QoS marking is not supported on the 802.11ac Wave 2 APs. This is because table-maps used for QoS marking
are not supported on the 802.11ac Wave 2 APs.
Table map marking enables the mapping and conversion from one field to another using a conversion table.
This conversion table is called a table map.
Depending upon the table map attached to an interface, CoS, DSCP, and UP values (UP specific to wireless
packets) of the packet are rewritten. The controller allows configuring both ingress table map policies and
egress table map policies.
As an example, a table map can be used to map the Layer 2 CoS setting to a precedence value in Layer 3.
This feature enables combining multiple set commands into a single table, which indicates the method to
perform the mapping. This table can be referenced in multiple policies, or multiple times in the same policy.
The following table shows the currently supported forms of mapping:
Table 36: Packet-Marking Types Used for Establishing a To-From Relationship
The To Packet-Marking Type | The From Packet-Marking Type
Precedence | CoS
Precedence | QoS Group
DSCP | CoS
DSCP | QoS Group
CoS | Precedence
CoS | DSCP
QoS Group | Precedence
QoS Group | DSCP
A table map-based policy supports the following capabilities:
• Mutation—You can have a table map that maps from one DSCP value set to another DSCP value set,
and this can be attached to an egress port.
• Rewrite—Packets coming in are rewritten depending upon the configured table map.
• Mapping—Table map based policies can be used instead of set policies.
The following steps are required for table map marking:
1. Define the table map—Use the table-map global configuration command to map the values. The table
does not know of the policies or classes within which it will be used. The default command in the table
map is used to indicate the value to be copied into the to field when there is no matching from field.
2. Define the policy map—You must define the policy map where the table map will be used.
3. Associate the policy to an interface.
Note
A table map policy on an input port changes the trust setting of that port to the from type of qos-marking.
Related Topics
Configuring Table Maps (CLI), on page 355
Examples: Table Map Marking Configuration, on page 401
Traffic Conditioning
To support QoS in a network, traffic entering the service provider network needs to be policed on the network
boundary routers to ensure that the traffic rate stays within the service limit. Even if a few routers at the
network boundary start sending more traffic than what the network core is provisioned to handle, the increased
traffic load leads to network congestion. The degraded performance in the network makes it difficult to deliver
QoS for all the network traffic.
Traffic policing functions (using the police feature) and shaping functions (using the traffic shaping feature)
manage the traffic rate, but differ in how they treat traffic when tokens are exhausted. The concept of tokens
comes from the token bucket scheme, a traffic metering function.
Note
When running QoS tests on network traffic, you may see different results for the shaper and policing data.
Network traffic data from shaping provides more accurate results.
This table compares the policing and shaping functions.
Table 37: Comparison Between Policing and Shaping Functions
Policing Function | Shaping Function
Sends conforming traffic up to the line rate and allows bursts. | Smooths traffic and sends it out at a constant rate.
When tokens are exhausted, action is taken immediately. | When tokens are exhausted, it buffers packets and sends them out later, when tokens are available. A class with shaping has a queue associated with it which will be used to buffer the packets.
Policing has multiple units of configuration: in bits per second, packets per second and cells per second. | Shaping has only one unit of configuration: in bits per second.
Policing has multiple possible actions associated with an event, marking and dropping being examples of such actions. | Shaping does not have the provision to mark packets that do not meet the profile.
Works for both input and output traffic. | Implemented for output traffic only.
Transmission Control Protocol (TCP) detects the line at line speed but adapts to the configured rate when a packet drop occurs by lowering its window size. | TCP can detect that it has a lower speed line and adapt its retransmission timer accordingly. This results in less scope of retransmissions and is TCP-friendly.
Policing
The QoS policing feature is used to impose a maximum rate on a traffic class. The QoS policing feature can
also be used with the priority feature to restrict priority traffic. If the rate is exceeded, then a specific action
is taken as soon as the event occurs. The rate (committed information rate [CIR] and peak information rate
[PIR]) and the burst parameters (conformed burst size [Bc] and extended burst size [Be]) are all configured
in bytes per second.
The following policing forms or policers are supported for QoS:
• Single-rate two-color policing
• Dual-rate three-color policing
Note
Single-rate three-color policing is not supported.
Single-Rate Two-Color Policing
Single-rate two-color policer is the mode in which you configure only a CIR and a Bc.
The Bc is an optional parameter, and if it is not specified it is computed by default. In this mode, when an
incoming packet has enough tokens available, the packet is considered to be conforming. If at the time of
packet arrival, enough tokens are not available within the bounds of Bc, the packet is considered to have
exceeded the configured rate.
Note
For information about the token-bucket algorithm, see Token-Bucket Algorithm, on page 304.
Related Topics
Configuring Police (CLI), on page 367
Examples: Single-Rate Two-Color Policing Configuration, on page 400
Dual-Rate Three-Color Policing
With the dual rate policer, the controller supports only color-blind mode. In this mode, you configure a
committed information rate (CIR) and a peak information rate (PIR). As the name suggests, there are two
token buckets in this case, one for the peak rate, and one for the conformed rate.
Note
For information about the token-bucket algorithm, see Token-Bucket Algorithm, on page 304.
In the color-blind mode, the incoming packet is first checked against the peak rate bucket. If there are not
enough tokens available, the packet is said to violate the rate. If there are enough tokens available, then the
tokens in the conformed rate bucket are checked to determine if there are enough tokens available. The tokens
in the peak rate bucket are decremented by the size of the packet. If the conformed rate bucket does not have
enough tokens available, the packet is said to have exceeded the configured rate. If there are enough tokens
available, then the packet is said to conform, and the tokens in both the buckets are decremented by the size
of the packet.
The rate at which tokens are replenished depends on the packet arrival. Assume that a packet comes in at time
T1 and the next one comes in at time T2. The time interval between T1 and T2 determines the number of
tokens that need to be added to the token bucket. This is calculated as:
(Time interval between packets (T2-T1) * CIR)/8 bytes
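The check order and the replenishment formula described above, as an added Python example (not Cisco's implementation, and not code from this guide). The class and parameter names, the full-bucket starting state, the use of the same formula with PIR for the peak rate bucket, and the packet trace are assumptions made for illustration.

```python
from fractions import Fraction

CONFORM, EXCEED, VIOLATE = "conform", "exceed", "violate"


class DualRatePolicer:
    """Color-blind dual-rate three-color policer, following the text above."""

    def __init__(self, cir_bps, pir_bps, bc_bytes, peak_burst_bytes):
        self.cir_bps = cir_bps                # committed information rate, bits/s
        self.pir_bps = pir_bps                # peak information rate, bits/s
        self.bc = Fraction(bc_bytes)          # depth of the conformed rate bucket
        self.bp = Fraction(peak_burst_bytes)  # depth of the peak rate bucket (assumed name)
        self.tc = self.bc                     # assumption: both buckets start full
        self.tp = self.bp
        self.last_ms = None                   # arrival time T1 of the previous packet

    def _replenish(self, now_ms):
        """Add (T2 - T1) * rate / 8 bytes to each bucket, capped at its depth."""
        if self.last_ms is not None:
            dt_ms = now_ms - self.last_ms
            if dt_ms < 0:
                raise ValueError("arrival times must not go backwards")
            # Times are in milliseconds, so the divisor is 8 * 1000.
            self.tc = min(self.bc, self.tc + Fraction(dt_ms * self.cir_bps, 8000))
            # Assumption: the peak rate bucket refills the same way, using PIR.
            self.tp = min(self.bp, self.tp + Fraction(dt_ms * self.pir_bps, 8000))
        self.last_ms = now_ms

    def police(self, now_ms, size_bytes):
        """Return the color of one packet of size_bytes arriving at now_ms."""
        self._replenish(now_ms)
        if self.tp < size_bytes:
            return VIOLATE                    # peak bucket short: nothing is decremented
        self.tp -= size_bytes                 # peak bucket pays for exceed and conform
        if self.tc < size_bytes:
            return EXCEED                     # conformed bucket short
        self.tc -= size_bytes
        return CONFORM


# Constructed trace of (arrival time in ms, packet size in bytes):
# a back-to-back burst of five packets, then three later arrivals.
TRACE = [(0, 1500)] * 5 + [(12, 1500), (12, 1500), (13, 1500)]


def police_trace(policer, trace):
    """Run every packet of the trace through the policer, in order."""
    return [policer.police(t, size) for t, size in trace]


def demo():
    # CIR 1 Mbps (125 bytes/ms), PIR 2 Mbps (250 bytes/ms),
    # conformed bucket of 3000 bytes, peak bucket of 6000 bytes.
    policer = DualRatePolicer(1_000_000, 2_000_000, 3000, 6000)
    return police_trace(policer, TRACE)


if __name__ == "__main__":
    for (t, size), color in zip(TRACE, demo()):
        print(f"t={t:>3} ms  {size} bytes  {color}")
```

The burst at t=0 drains the conformed rate bucket after two packets and the peak rate bucket after four, which is why the third and fourth packets exceed and the fifth violates.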
Related Topics
Configuring Police (CLI), on page 367
Examples: Dual-Rate Three-Color Policing Configuration, on page 400
Shaping
Shaping is the process of imposing a maximum rate of traffic, while regulating the traffic rate in such a way
that the downstream switches and routers are not subjected to congestion. Shaping in the most common form
is used to limit the traffic sent from a physical or logical interface.
Shaping has a buffer associated with it that ensures that packets which do not have enough tokens are buffered
as opposed to being immediately dropped. The number of buffers available to the subset of traffic being shaped
is limited and is computed based on a variety of factors. The number of buffers available can also be tuned
using specific QoS commands. Packets are buffered as buffers are available, beyond which they are dropped.
Class-Based Traffic Shaping
The controller uses class-based traffic shaping. This shaping feature is enabled on a class in a policy that is
associated to an interface. A class that has shaping configured is allocated a number of buffers to hold the
packets that do not have tokens. The buffered packets are sent out from the class using FIFO. In the most
common form of usage, class-based shaping is used to impose a maximum rate for a physical interface or
logical interface as a whole. The following shaping forms are supported in a class:
• Average rate shaping
• Hierarchical shaping
Shaping is implemented using a token bucket. The values of CIR, Bc and Be determine the rate at which the
packets are sent out and the rate at which the tokens are replenished.
Note
For information about the token-bucket algorithm, see Token-Bucket Algorithm, on page 304.
Average Rate Shaping
You use the shape average policy-map class command to configure average rate shaping.
This command configures a maximum bandwidth for a particular class. The queue bandwidth is restricted to
this value even though the port has more bandwidth available. The controller supports configuring shape
average by either a percentage or by a target bit rate value.
Related Topics
Configuring Shaping (CLI), on page 377
Examples: Average Rate Shaping Configuration, on page 396
Hierarchical Shaping
Shaping can also be configured at multiple levels in a hierarchy. This is accomplished by creating a parent
policy with shaping configured, and then attaching child policies with additional shaping configurations to
the parent policy.
There are two supported types of hierarchical shaping:
• Port shaper
• User-configured shaping
The port shaper uses the class default and the only action permitted in the parent is shaping. The queueing
action is in the child with the port shaper. With the user configured shaping, you cannot have queueing action
in the child.
Related Topics
Configuring Shaping (CLI), on page 377
Queueing and Scheduling
The controller uses both queueing and scheduling to help prevent traffic congestion. The controller supports
the following queueing and scheduling features:
• Bandwidth
• Weighted Tail Drop
• Priority queues
• Queue buffers
When you define a queuing policy on a port, control packets are mapped to the best priority queue with the
highest threshold. Control packets queue mapping works differently in the following scenarios:
• Without a quality of service (QoS) policy—If no QoS policy is configured, control packets with DSCP
values 16, 24, 48, and 56 are mapped to queue 0 with the highest threshold of threshold2.
• With a user-defined policy—A user-defined queuing policy configured on egress ports can affect the
default priority queue setting on control packets.
Control traffic is redirected to the best queue based on the following rules:
1. If defined in a user policy, the highest-level priority queue is always chosen as the best queue.
2. In the absence of a priority queue, Cisco IOS software selects queue 0 as the best queue. When the
software selects queue 0 as the best queue, you must define the highest bandwidth to this queue to
get the best QoS treatment to the control plane traffic.
3. If thresholds are not configured on the best queue, Cisco IOS software assigns control packets with
Differentiated Services Code Point (DSCP) values 16, 24, 48, and 56 to threshold2 and
reassigns the rest of the control traffic in the best queue to threshold1.
If a policy is not configured explicitly for control traffic, the Cisco IOS software maps all unmatched
control traffic to the best queue with threshold2, and the matched control traffic is mapped to the queue
as configured in the policy.
Note
To provide proper QoS for Layer 3 packets, you must ensure that packets are
explicitly classified into appropriate queues. When the software detects DSCP
values in the default queue, then it automatically reassigns this queue as the best
queue.
Bandwidth
The controller supports the following bandwidth configurations:
• Bandwidth percent
• Bandwidth remaining ratio
Related Topics
Configuring Bandwidth (CLI), on page 365
Bandwidth Percent
You can use the bandwidth percent policy-map class command to allocate a minimum bandwidth to a
particular class. The total sum cannot exceed 100 percent and in case the total sum is less than 100 percent,
then the rest of the bandwidth is divided equally among all bandwidth queues.
Note
A queue can oversubscribe bandwidth in case the other queues do not utilize the entire port bandwidth.
You cannot mix bandwidth types on a policy map. For example, you cannot configure bandwidth in a single
policy map using both a bandwidth percent and in kilobits per second.
Bandwidth Remaining Ratio
You use the bandwidth remaining ratio policy-map class command to create a ratio for sharing unused
bandwidth in specified queues. Any unused bandwidth will be used by these specific queues in the ratio that
is specified by the configuration. Use this command when the priority command is also used for certain
queues in the policy.
When you assign ratios, the queues will be assigned certain weights which are in line with these ratios.
You can specify ratios using a range from 0 to 100. For example, you can configure a bandwidth remaining
ratio of 2 on one class, and another queue with a bandwidth remaining ratio of 4 on another class. The
bandwidth remaining ratio of 4 will be scheduled twice as often as the bandwidth remaining ratio of 2.
The total bandwidth ratio allocation for the policy can exceed 100. For example, you can configure a queue
with a bandwidth remaining ratio of 50, and another queue with a bandwidth remaining ratio of 100.
Weighted Tail Drop
The controller egress queues use an enhanced version of the tail-drop congestion-avoidance mechanism called
weighted tail drop (WTD). WTD is implemented on queues to manage the queue lengths and to provide drop
precedences for different traffic classifications.
As a frame is enqueued to a particular queue, WTD uses the frame’s assigned QoS label to subject it to different
thresholds. If the threshold is exceeded for that QoS label (the space available in the destination queue is less
than the size of the frame), the controller drops the frame.
Each queue has three configurable threshold values. The QoS label determines which of the three threshold
values is applied to the frame.
Figure 6: WTD and Queue Operation
The following figure shows an example of WTD operating on a queue whose size is 1000 frames. Three drop
percentages are configured: 40 percent (400 frames), 60 percent (600 frames), and 100 percent (1000 frames).
These percentages indicate that up to 400 frames can be queued at the 40-percent threshold, up to 600 frames
at the 60-percent threshold, and up to 1000 frames at the 100-percent
threshold.
In the example, CoS value 6 has a greater importance than the other CoS values, and is assigned to the
100-percent drop threshold (queue-full state). CoS value 4 is assigned to the 60-percent threshold, and CoS
value 3 is assigned to the 40-percent threshold. All of these threshold values are assigned using the queue-limit
cos command.
Assume that the queue is already filled with 600 frames and a new frame arrives. It contains CoS value 4 and
is subjected to the 60-percent threshold. If this frame is added to the queue, the threshold will be exceeded,
so the controller drops it.
Related Topics
Configuring Queue Limits (CLI), on page 374
Examples: Queue-limit Configuration, on page 397
Weighted Tail Drop Default Values
The following are the Weighted Tail Drop (WTD) default values and the rules for configuring WTD threshold
values.
• If you configure fewer than three queue-limit percentages for WTD, then WTD default values are assigned
to these thresholds.
The following are the WTD threshold default values:
Table 38: WTD Threshold Default Values
Threshold | Default Value Percentage
0 | 80
1 | 90
2 | 400
• If 3 different WTD thresholds are configured, then the queues are programmed as configured.
• If 2 WTD thresholds are configured, then the maximum value percentage will be 400.
• If a WTD single threshold is configured as x, then the maximum value percentage will be 400.
  • If the value of x is less than 90, then threshold1=90 and threshold0=x.
  • If the value of x equals 90, then threshold1=90 and threshold0=80.
  • If the value of x is greater than 90, then threshold1=x and threshold0=80.
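The default rules above and the WTD drop decision from the Figure 6 description, combined in an added Python example (not Cisco's implementation, and not code from this guide). The function and class names are hypothetical, and two points are assumptions: that two configured values fill thresholds 0 and 1, and that fractional limits round down.

```python
WTD_DEFAULTS = (80, 90, 400)  # Table 38: default percentages for thresholds 0, 1, 2


def resolve_thresholds(configured):
    """Return the (threshold0, threshold1, threshold2) percentages that result
    from zero to three configured queue-limit percentages."""
    values = list(configured)
    if len(values) > 3:
        raise ValueError("a queue has only three thresholds")
    if not values:
        return WTD_DEFAULTS
    if len(values) == 3:
        return tuple(values)                 # programmed as configured
    if len(values) == 2:
        # Assumption: the two values fill thresholds 0 and 1; the maximum is 400.
        return (values[0], values[1], WTD_DEFAULTS[2])
    x = values[0]                            # single configured threshold
    if x < 90:
        return (x, 90, 400)
    if x == 90:
        return (80, 90, 400)
    return (80, x, 400)


def threshold_limits(base, percentages):
    """Convert threshold percentages into frame or buffer counts relative to base.
    Assumption: fractional results round down."""
    return tuple(base * p // 100 for p in percentages)


class WtdQueue:
    """One egress queue with three drop thresholds selected by the CoS label."""

    def __init__(self, base, percentages, cos_to_threshold):
        self.limits = threshold_limits(base, percentages)
        self.cos_to_threshold = dict(cos_to_threshold)
        self.depth = 0                       # frames currently queued
        self.dropped = {cos: 0 for cos in self.cos_to_threshold}

    def offer(self, cos):
        """Enqueue one frame unless that would exceed the threshold for its CoS."""
        limit = self.limits[self.cos_to_threshold[cos]]
        if self.depth + 1 > limit:
            self.dropped[cos] += 1
            return False
        self.depth += 1
        return True


def figure6_queue(prefill=0):
    """The queue from the Figure 6 description: 1000 frames, thresholds of
    40/60/100 percent, CoS 3 -> 40 percent, CoS 4 -> 60 percent, CoS 6 -> 100 percent."""
    queue = WtdQueue(1000, (40, 60, 100), {3: 0, 4: 1, 6: 2})
    queue.depth = prefill
    return queue


def congestion_demo():
    """Constructed load: 400 rounds of one CoS 3, one CoS 4 and one CoS 6 frame
    offered to an empty queue that is never drained."""
    queue = figure6_queue()
    for _ in range(400):
        for cos in (3, 4, 6):
            queue.offer(cos)
    return queue.depth, queue.dropped


if __name__ == "__main__":
    print("single threshold 50 ->", resolve_thresholds([50]))
    print("defaults on 120 hard buffers ->", threshold_limits(120, WTD_DEFAULTS))
    print("depth and drops under load ->", congestion_demo())
```

Under the constructed load the queue never fills, yet CoS 3 and CoS 4 frames are dropped once the depth passes 400 and 600 frames, while every CoS 6 frame is queued.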
Priority Queues
Each port supports eight egress queues, of which two can be given a priority.
You use the priority level policy class-map command to configure the priority for two classes. One of the
classes has to be configured with a priority queue level 1, and the other class has to be configured with a
priority queue level 2. Packets on these two queues are subjected to less latency with respect to other queues.
Note
You can configure a priority only with a level.
Only one strict priority or a priority with levels is allowed in one policy map. Multiple priorities with the same
priority levels without kbps/percent are allowed in a policy map only if all of them are configured with police.
Related Topics
Configuring Priority (CLI), on page 369
Queue Buffer
Each 1-gigabit port on the controller is allocated 168 buffers for a wireless port and 300 buffers for a wired
port. Each 10-gigabit port is allocated 1800 buffers.
In Cisco IOS XE Release 3.7.5 E and later releases, all downlink ports are allocated 1 GB port buffer, even
though the downlink port size is 10GB. Prior to this change, all 1 GB downlink ports had 1 GB buffer and 10
GB downlink ports had 10 GB buffer.
At boot time, when there is no policy map enabled on the wired port, there are two queues created by default.
Wired ports can have a maximum of 8 queues configured using MQC-based policies. The following table
shows which packets go into which one of the queues:
Table 39: DSCP, Precedence, and CoS - Queue Threshold Mapping Table
DSCP, Precedence or CoS | Queue | Threshold
Control Packets | 0 | 2
Rest of Packets | 1 | 2
Note
You can guarantee the availability of buffers, set drop thresholds, and configure the maximum memory
allocation for a queue. You use the queue-buffers policy-map class command to configure the queue buffers.
You use the queue-limit policy-map class command to configure the maximum thresholds.
There are two types of buffer allocations: hard buffers, which are explicitly reserved for the queue, and soft
buffers, which are available for other ports when unused by a given port.
For the wireless port default, Queue 0 will be given 40 percent of the buffers that are available for the interface
as hard buffers, that is 67 buffers are allocated for Queue 0 in the context of 1-gigabit ports. The soft maximum
for this queue is set to 268 (calculated as 67 * 400/100) for 1-gigabit ports, where 400 is the default maximum
threshold that is configured for any queue.
For the wired port default, Queue 0 will be given 40 percent of the buffers that are available for the interface
as hard buffers, that is 120 buffers are allocated for Queue 0 in the context of 1-gigabit ports, and 720 buffers
in the context of 10-gigabit ports. The soft maximum for this queue is set to 480 (calculated as 120 * 400/100)
for 1-gigabit ports and 2880 for 10-gigabit ports, where 400 is the default maximum threshold that is configured
for any queue.
Queue Buffer Allocation
The buffer allocation to any queue can be tuned using the queue-buffers ratio policy-map class configuration
command.
Related Topics
Configuring Queue Buffers (CLI), on page 372
Examples: Queue Buffers Configuration, on page 398
Dynamic Threshold and Scaling
Traditionally, reserved buffers are statically allocated for each queue. No matter whether the queue is active
or not, its buffers are held up by the queue. In addition, as the number of queues increases, the portion of the
reserved buffers allocated for each queue can become smaller and smaller. Eventually, a situation may occur
where there are not enough reserved buffers to support a jumbo frame for all queues.
The controller supports Dynamic Thresholding and Scaling (DTS), which is a feature that provides a fair and
efficient allocation of buffer resources. When congestion occurs, this DTS mechanism provides an elastic
buffer allocation for the incoming data based on the occupancy of the global/port resources. Conceptually,
DTS scales down the queue buffer allocation gradually as the resources are used up to leave room for other
queues, and vice versa. This flexible method allows the buffers to be more efficiently and fairly utilized.
As mentioned in the previous sections, there are two limits configured on a queue—a hard limit and a soft
limit.
Hard limits are not part of DTS. These buffers are available only for that queue. The sum of the hard limits
should be less than the globally set up hard maximum limit. The global hard limit configured for egress
queuing is currently set to 5705. In the default scenario when there are no MQC policies configured, the 24
1-gigabit ports would take up 24 * 67 = 1608, and the 4 10-gigabit ports would take up 4 * 720 = 2880, for
a total of 4488 buffers, allowing room for more hard buffers to be allocated based upon the configuration.
Soft limit buffers participate in the DTS process. Additionally, some of the soft buffer allocations can exceed
the global soft limit allocation. The global soft limit allocation for egress queuing is currently set to 7607.
The sum of the hard and soft limits is 13312, which in turn translates to 3.4 MB. Because the sum of
the soft buffer allocations can exceed the global limit, it allows a specific queue to use a large number of
buffers when the system is lightly loaded. The DTS process dynamically adjusts the per-queue allocation as
the system becomes more heavily loaded.
Queuing in Wireless
Queuing in the wireless component is performed based on the port policy and is applicable only in the
downstream direction. The wireless module supports the following four queues:
• Voice—This is a strict priority queue. Represented by Q0, this queue processes control traffic and
multicast or unicast voice traffic. All control traffic (such as CAPWAP packets) is processed through
the voice queue. The QoS module uses a different threshold within the voice queue to process control
and voice packets to ensure that control packets get higher priority over other non-control packets.
• Video—This is a strict priority queue. Represented by Q1, this queue processes multicast or unicast video
traffic.
• Data NRT—Represented by Q2, this queue processes all non-real-time unicast traffic.
• Multicast NRT—Represented by Q3, this queue processes Multicast NRT traffic. Any traffic that does
not match the traffic in Q0, Q1, or Q2 is processed through Q3.
Note
By default, the queues Q0 and Q1 are not enabled.
Note
A weighted round-robin policy is applied for traffic in the queues Q2 and Q3.
For upstream direction only one queue is available. Port and radio policies are applicable only in the downstream
direction.
Note
The wired ports support eight queues.
Trust Behavior
Trust Behavior for Wired and Wireless Ports
For wired or wireless ports that are connected to the controller (end points such as IP phones, laptops, cameras,
telepresence units, or other devices), their DSCP, precedence, or CoS values coming in from these end points
are trusted by the controller and therefore are retained in the absence of any explicit policy configuration.
This trust behavior is applicable to both upstream and downstream QoS.
The packets are enqueued to the appropriate queue per the default initial configuration. No priority queuing
at the controller is done by default. This is true for unicast and multicast packets.
In scenarios where the incoming packet type differs from the outgoing packet type, the trust behavior and the
queuing behavior are explained in the following table. Note that the default trust mode for a port is DSCP
based. The trust mode ‘falls back’ to CoS if the incoming packet is a pure Layer 2 packet. You can also change
the trust setting from DSCP to CoS. This setting change is accomplished by using an MQC policy that has a
class default with a 'set cos cos table default default-cos' action, where default-cos is the name of the table
map created (which only performs a default copy).
Table 40: Trust and Queueing Behavior
Incoming Packet | Outgoing Packet | Trust Behavior | Queuing Behavior
Layer 3 | Layer 3 | Preserve DSCP/Precedence | Based on DSCP
Layer 2 | Layer 2 | Not applicable | Based on CoS
Tagged | Tagged | Preserve DSCP and CoS | Based on DSCP (trust DSCP takes precedence)
Layer 3 | Tagged | Preserve DSCP, CoS is set to 0 | Based on DSCP
The Cisco IOS XE 3.2 Release supported different trust defaults for wired and wireless ports. The trust default
for wired ports was the same as for this software release. For wireless ports, the default system behavior was
non-trust, which meant that when the controller came up, all markings for the wireless ports were defaulted
to zero and no traffic received priority treatment. For compatibility with an existing wired controller, all traffic
went to the best-effort queue by default. The access point performed priority queuing by default. In the
downstream direction, the access point maintained voice, video, best-effort, and background queues for
queuing. The access point selected the queuing strategy based on the 11e tag information. By default, the access
point treated all wireless packets as best effort.
Related Topics
Configuring Trust Behavior for Wireless Traffic (CLI), on page 357
Example: Table Map Configuration to Retain CoS Markings, on page 402
Port Security on a Trusted Boundary for Cisco IP Phones
In a typical network, you connect a Cisco IP Phone to a controller port and cascade devices that generate data
packets from the back of the telephone. The Cisco IP Phone guarantees the voice quality through a shared
data link by marking the CoS level of the voice packets as high priority (CoS = 5) and by marking the data
packets as low priority (CoS = 0). Traffic sent from the telephone to the controller is typically marked with
a tag that uses the 802.1Q header. The header contains the VLAN information and the class of service (CoS)
3-bit field, which is the priority of the packet.
For most Cisco IP Phone configurations, the traffic sent from the telephone to the controller should be trusted
to ensure that voice traffic is properly prioritized over other types of traffic in the network. By using the trust
device interface configuration command, you configure the controller port to which the telephone is connected
to trust the traffic received on that port.
Note
The trust device device_type command available in interface configuration mode is a stand-alone command
on the controller. When using this command in an AutoQoS configuration, if the connected peer device is not
a corresponding device (defined as a device matching your trust policy), both CoS and DSCP values are set
to "0" and any input policy will not take effect. If the connected peer device is a corresponding device, input
policy will take effect.
With the trusted setting, you also can use the trusted boundary feature to prevent misuse of a high-priority
queue if a user bypasses the telephone and connects the PC directly to the controller. Without trusted boundary,
the CoS labels generated by the PC are trusted by the controller (because of the trusted CoS setting). By
contrast, trusted boundary uses CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP Phone
7910, 7935, 7940, and 7960) on a controller port. If the telephone is not detected, the trusted boundary feature
disables the trusted setting on the controller port and prevents misuse of a high-priority queue. Note that the
trusted boundary feature is not effective if the PC and Cisco IP Phone are connected to a hub that is connected
to the controller.
Wireless QoS Mobility
Wireless QoS mobility enables you to configure QoS policies so that the network provides the same service
anywhere in the network. A wireless client can roam from one location to another and as a result the client
can get associated to different access points associated with a different controller. Wireless client roaming
can be classified into two types:
• Intra-controller roaming
• Inter-controller roaming
Note
The client policies must be available on all of the controllers in the mobility group. The same SSID and port
policy must be applied to all controllers in the mobility group so that the clients get consistent treatment.
Inter-Controller Roaming
When a client roams from one location to another, the client can get associated to access points either associated
to the same controller (anchor controller) or a different controller (foreign controller). Inter-controller roaming
refers to the scenario where the client gets associated to an access point that is not associated to the same
device before the client roamed. The host device is now foreign to the device to which the client was initially
anchored.
In the case of inter-controller roaming, the client QoS policy is always executed on the foreign controller.
When a client roams from anchor controller to foreign controller, the QoS policy is uninstalled on the anchor
controller and installed on the foreign controller. In the mobility handoff message, the anchor device passes
the name of the policy to the foreign controller. The foreign controller should have a policy with the same
name configured for the QoS policy to be applied correctly.
In the case of inter-controller roaming, all of the QoS policies are moved from the anchor device to the foreign
device. While the QoS policies are in transition from the anchor device to the foreign device, the traffic on
the foreign device is provided the default treatment. This is comparable to a new policy installation on the
client target.
Note
If the foreign device is not configured with the user-defined physical port policy, the default port policy
applies, and all traffic is routed through the NRT queue, except the control traffic, which goes through the RT1
queue. The network administrator must configure the same physical port policy on both the anchor and foreign
devices symmetrically.
During inter-controller roaming, client and SSID policy statistics are collected only for the duration that the
client is associated with the foreign controller. Cumulative statistics for the whole roaming (anchor controller
and foreign controller) are not collected.
Intra-Controller Roaming
With intra-controller roaming, the client gets associated to an access point that is associated to the same
controller before the client roamed, but this association to the device occurs through a different access point.
Note
QoS policies remain intact in the case of intra-controller roaming.
Precious Metal Policies for Wireless QoS
Wireless QoS is backward compatible with the precious metal policies offered by the unified wireless controller
platforms. The precious metal policies are system-defined policies that are available on the controller.
The following policies are available:
• Platinum—Used for VoIP clients.
• Gold—Used for video clients.
• Silver—Used for traffic that can be considered best-effort.
• Bronze—Used for NRT traffic.
These policies (also known as profiles) can be applied to a WLAN based on the traffic. We recommend the
configuration using the Cisco IOS MQC configuration. The policies are available in the system based on the
precious metal policy required. You can configure precious metal policies only for SSID ingress and egress
policies.
Based on the policies applied, the 802.1p, 802.11e (WMM), and DSCP fields in the packets are affected.
These values are preconfigured and installed when the controller is booted.
Note
Unlike the precious metal policies that were applicable in the Cisco Unified Wireless controllers, the attributes
rt-average-rate, nrt-average-rate, and peak rates are not applicable for the precious metal policies configured
on this controller platform.
Note
The 802.1p protocol priority is applicable on the Cisco 5700 Series Wireless Controller.
Related Topics
Configuring Precious Metal Policies (CLI), on page 379
Standard QoS Default Settings
Default Wired QoS Configuration
There are two queues configured by default on each wired interface on the controller. All control traffic
traverses and is processed through queue 0. All other traffic traverses and is processed through queue 1.
DSCP Maps
Default CoS-to-DSCP Map
When DSCP transparency mode is disabled, the DSCP values are derived from CoS as per the following table.
If these values are not appropriate for your network, you need to modify them.
Note
The DSCP transparency mode is disabled by default. If it is enabled (no mls qos rewrite ip dscp
interface configuration command), DSCP rewrite will not happen.
Table 41: Default CoS-to-DSCP Map

CoS Value    DSCP Value
0            0
1            8
2            16
3            24
4            32
5            40
6            48
7            56
Default IP-Precedence-to-DSCP Map
You use the IP-precedence-to-DSCP map to map IP precedence values in incoming packets to a DSCP value
that QoS uses internally to represent the priority of the traffic. The following table shows the default
IP-precedence-to-DSCP map. If these values are not appropriate for your network, you need to modify them.
Table 42: Default IP-Precedence-to-DSCP Map

IP Precedence Value    DSCP Value
0                      0
1                      8
2                      16
3                      24
4                      32
5                      40
6                      48
7                      56
Default DSCP-to-CoS Map
You use the DSCP-to-CoS map to generate a CoS value, which is used to select one of the four egress queues.
The following table shows the default DSCP-to-CoS map. If these values are not appropriate for your network,
you need to modify them.
Table 43: Default DSCP-to-CoS Map

DSCP Value    CoS Value
0–7           0
8–15          1
16–23         2
24–31         3
32–39         4
40–47         5
48–55         6
56–63         7
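The following Python script is an added example, not part of the Cisco guide. It ties together the trusted boundary behavior described under Port Security on a Trusted Boundary for Cisco IP Phones and the default maps in Tables 41 and 43: it reads the 3-bit CoS field from an 802.1Q tag, decides whether the port keeps that marking, and derives the DSCP value. The function names, the sample frame, and the choice to model an untrusted port as CoS 0 / DSCP 0 are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_dot1q(frame: bytes):
    """Return (vlan_id, cos) from an Ethernet frame, or None if untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])  # bytes after dst+src MAC
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13  # 12-bit VLAN ID, 3-bit CoS field


def default_cos_to_dscp(cos: int) -> int:
    """Default CoS-to-DSCP map (Table 41): 0->0, 1->8, ... 7->56."""
    if not 0 <= cos <= 7:
        raise ValueError("CoS is a 3-bit value (0 to 7)")
    return cos * 8


def default_dscp_to_cos(dscp: int) -> int:
    """Default DSCP-to-CoS map (Table 43): 0-7->0, 8-15->1, ... 56-63->7."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0 to 63)")
    return dscp // 8


def classify(frame: bytes, phone_seen_by_cdp: bool, trusted_boundary: bool = True):
    """Model a CoS-trusting port and return (effective_cos, dscp).

    Assumption: when trust is withdrawn the frame is treated as CoS 0 / DSCP 0.
    """
    tag = parse_dot1q(frame)
    received_cos = tag[1] if tag else 0
    # With trusted boundary, trust holds only while CDP reports a Cisco IP Phone.
    trusted = phone_seen_by_cdp or not trusted_boundary
    cos = received_cos if trusted else 0
    return cos, default_cos_to_dscp(cos)


def build_frame(vlan_id: int, cos: int) -> bytes:
    """Constructed sample: a tagged frame with placeholder MACs and payload."""
    tci = (cos << 13) | vlan_id
    return (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
            + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + b"\x00" * 46)


if __name__ == "__main__":
    frame = build_frame(vlan_id=110, cos=5)  # CoS 5, as a phone marks voice
    print("phone present        :", classify(frame, phone_seen_by_cdp=True))
    print("PC only, boundary on :", classify(frame, phone_seen_by_cdp=False))
    print("PC only, boundary off:", classify(frame, False, trusted_boundary=False))
```

The third case is the one trusted boundary exists to prevent: a directly connected PC that marks its own frames CoS 5 keeps the high-priority treatment because the port trusts CoS unconditionally.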
Default Wireless QoS Configuration
The ports on the switch do not distinguish between wired or wireless physical ports. Policies are applied
depending on the kind of device associated to the switch. For example, when an access point is connected
to a switch port, the switch detects it as a wireless device and applies the default hierarchical policy, which
is in the format of a parent-child policy. The parent policy cannot be modified, but the child policy
(port-child policy) can be modified to suit the QoS configuration. The switch is preconfigured with a
default class map and a policy map.
Configuring Auto QoS for Wireless
Information About Auto QoS for Wireless
The Auto QoS for Wireless feature, introduced in Cisco IOS XE Release 3.7.0, is supported on the following
platforms:
• Cisco 5760 Wireless Controller
• Catalyst 3850 Series Switches
• Catalyst 3650 Series Switches
• Cisco Catalyst 4500E Supervisor Engine 8-E
The following pre-defined global configuration templates/profiles are available:
• Enterprise
• Voice
• Guest
You can customize these templates to suit your needs. Auto QoS for Wireless can be configured using both
CLI and GUI. Auto QoS for Wireless can be applied on a per-WLAN basis.
Precedence applicable:
1. AAA QoS
2. Native Profile QoS
3. Auto QoS/CLI-based QoS
Policy Names

P1    AutoQos-4.0-wlan-ET-Client-Input-Policy
P2    AutoQos-4.0-wlan-ET-SSID-Output-Policy
P3    platinum-up (Auto generated system policy at boot-up)
P4    platinum (Auto generated system policy at boot-up)
P5    AutoQos-4.0-wlan-GT-SSID-Input-Policy
P6    AutoQos-4.0-wlan-GT-SSID-Output-Policy
P7    port_child_policy
P8    AutoQos-4.0-wlan-Port-Output-Policy
P9    Capwap-SRND4-Queuing-Policy
List of Targets
• Client
• BSSID
• Radio
• AP Port (Catalyst 3850 Switch)
• Uplink Port (Catalyst 3850 Switch)
• Cisco 5760 WLC physical port
• Catalyst 4500E Supervisor Engine 8-E Front Panel Ports
Auto QoS for Wireless - Wireless QoS Matrix

Templates/Targets (values are Ingress / Egress; Radio has a single column)

Target                                                                      Enterprise    Voice        Guest
Client (Ingress / Egress)                                                   P1 / N/A      N/A / N/A    N/A / N/A
BSSID (Ingress / Egress)                                                    N/A / P2      P3 / P4      P5 / P6
Radio                                                                       N/A           N/A          N/A
AP Port (Catalyst 3850 Switch) (Ingress / Egress)                           N/A / P7      N/A / P7     N/A / N/A
Uplink Port (Catalyst 3850 Switch) (Ingress / Egress)                       N/A / N/A     N/A / N/A    N/A / N/A
Cisco 5760 WLC physical port (Ingress / Egress)                             N/A / P8      N/A / P8     N/A / N/A
Catalyst 4500E Supervisor Engine 8-E Front Panel Ports (Ingress / Egress)   N/A / P9      N/A / P9     N/A / P9
Guidelines for Auto QoS for Wireless
• The Catalyst 3850 Switch uplink ports should not be configured along with Auto QoS for Wireless. This
should be managed using Wired Auto QoS.
• The Catalyst 3850 Switch AP Port Policy (port_child_policy) and Cisco 5760 WLC physical ports should
be automatically configured for Enterprise and Voice templates.
• AP Control traffic must go through the P0 queue (should be given highest priority among all traffic).
• All the Auto QoS policies for Wireless applied through the GUI have the prefix 'AutoQos-4.0'. This
enables you to recognize the policies that are applied through templates.
• On the CLI, it is not possible to create a policy name that starts with 'AutoQos-4.0' because this is reserved
for policies generated through templates.
Configuring Auto QoS for Wireless (GUI)
Step 1   Choose Configuration > Wireless > WLAN.
Step 2   Click the WLAN ID.
Step 3   Click the QoS tab.
Step 4   In the Auto QoS section, choose the policy from the drop-down list.
         Note
         By default, the Auto QoS policy applied for a WLAN is 'None'.
Step 5   Save the configuration.
Configuring Auto QoS for Wireless (CLI)
Controller(config-wlan)# auto qos {enterprise | guest | voice}
Guidelines for QoS Policies
Follow these guidelines to prevent clients from getting excluded due to malformed QoS policies:
• When a new QoS policy is added to the controller, a QoS policy with the same name should be added
to the other controllers within the same roam or mobility domain.
• When a controller is loaded with a software image of a later release, the new policy formats are supported.
If you have upgraded the software image from an earlier release to a later release, you should save the
configuration separately. When an earlier release image is loaded, some QoS policies might show as not
supported, and you should restore those QoS policies to supported policy formats.
Restrictions for QoS on Wired Targets
A target is an entity where a policy is applied. You can apply a policy to either a wired or wireless target. A
wired target can be either a port or VLAN. A wireless target can be either a port, radio, SSID, or client. Only
port, SSID, and client policies are user configurable. Radio policies are not user configurable. Wireless QoS
policies for port, radio, SSID, and client are applied in the downstream direction, and for upstream only SSID
and client targets are supported. Downstream indicates that traffic is flowing from the controller to the wireless
client. Upstream indicates that traffic is flowing from wireless client to the controller.
The following are restrictions for applying QoS features on the controller for the wired target:
• A maximum of 8 queuing classes are supported on the controller port for the wired target.
• A maximum of 63 policers are supported per policy on the wired port for the wired target.
• In Cisco IOS XE Release 3.7.5E and later releases, by default all downlink ports are allocated 1 GB port
buffer, even though the downlink port size is 10 GB. Prior to this change, all 1 GB downlink ports had
1 GB buffer and 10 GB downlink ports had 10 GB buffer.
• A maximum of 1599 policy-maps can be created.
• No more than two levels are supported in a QoS hierarchy.
• In a hierarchical policy, overlapping actions between parent and child are not allowed, except when a
policy has the port shaper in the parent and queueing features in the child policy.
• A QoS policy cannot be attached to any EtherChannel interface.
• Policing in both the parent and child is not supported in a QoS hierarchy.
• Marking in both the parent and child is not supported in a QoS hierarchy.
• A mixture of queue limit and queue buffer in the same policy is not supported.
Note
The queue-limit percent is not supported on the controller because the
queue-buffer command handles this functionality. Queue limit is only supported
with the DSCP and CoS extensions.
• With shaping, there is an IPG overhead of 20 bytes for every packet that is accounted internally in the
hardware. Shaping accuracy is affected by this, especially for packets of small size.
• The classification sequence for all wired queuing-based policies should be the same across all wired
upstream ports (10-Gigabit Ethernet), and the same for all downstream wired ports (1-Gigabit Ethernet).
• Empty classes are not supported.
• Class-maps with empty actions are not supported. If there are two policies with the same order of
class-maps and if there are class-maps with no action in one of the policies, there may be traffic drops.
As a workaround, allocate minimal bandwidth for all the classes in PRIORITY_QUEUE.
• A maximum of 256 classes are supported per policy on the wired port for the wired target.
• The actions under a policer within a policy map have the following restrictions:
• The conform action must be transmit.
• The exceed/violate action for markdown type can only be cos2cos, prec2prec, dscp2dscp.
• The markdown types must be the same within a policy.
• A port-level input marking policy takes precedence over an SVI policy; however, if no port policy is
configured, the SVI policy takes precedence. For a port policy to take precedence, define a port-level
policy so that the SVI policy is overwritten.
• Classification counters have the following specific restrictions:
• Classification counters count packets instead of bytes.
• Filter-based classification counters are not supported.
• Only QoS configurations with marking or policing trigger the classification counter.
• The classification counter is not port based. This means that the classification counter aggregates
all packets belonging to the same class of the same policy which attach to different interfaces.
• As long as there is policing or marking action in the policy, the class-default will have classification
counters.
• When there are multiple match statements in a class, then the classification counter only shows the
traffic counter for one of the match statements.
• Table maps have the following specific restrictions:
• Only one table map for policing exceeding the markdown and one table map for policing violating
the markdown per direction per target is supported.
• Table maps must be configured under the class-default; table maps are unsupported for a user-defined
class.
• Hierarchical policies are required for the following:
• Port-shapers
• Aggregate policers
• PV policy
• Parent shaping and child marking/policing
• In a HQoS policy with parent shaping and child policy having priority level queuing and priority level
policing, the statistics for policing are not updated. Only QoS shaper statistics are updated. To view the
QoS shaper statistics, use the show policy-map interface command in global configuration mode.
• For ports with wired targets, these are the only supported hierarchical policies:
• Police chaining in the same policy is unsupported, except for wireless client.
• Hierarchical queueing is unsupported in the same policy (port shaper is the exception).
• In a parent class, all filters must have the same type. The child filter type must match the parent
filter type with the following exceptions:
• If the parent class is configured to match IP, then the child class can be configured to match
the ACL.
• If the parent class is configured to match CoS, then the child class can be configured to match
the ACL.
• The trust device device_type command available in interface configuration mode is a stand-alone
command on the controller. When using this command in an AutoQoS configuration, if the connected
peer device is not a corresponding device (defined as a device matching your trust policy), both CoS and
DSCP values are set to "0" and any input policy will not take effect. If the connected peer device is a
corresponding device, input policy will take effect.
The following are restrictions for applying QoS features on the VLAN to the wired target:
• For a flat or nonhierarchical policy, only marking or a table map is supported.
The following are restrictions and considerations for applying QoS features on EtherChannel and channel
member interfaces:
• QoS is not supported on an EtherChannel interface.
• QoS is supported on EtherChannel member interfaces in both ingress and egress directions. All
EtherChannel members must have the same QoS policy applied. If the QoS policy is not the same, each
individual policy on the different link acts independently.
• On attaching a service policy to channel members, the following warning message appears to remind
the user to make sure the same policy is attached to all ports in the EtherChannel: ' Warning: add service
policy will cause inconsistency with port xxx in ether channel xxx. '.
• Auto QoS is not supported on EtherChannel members.
Note
On attaching a service policy to an EtherChannel, the following message appears on the console: ' Warning:
add service policy will cause inconsistency with port xxx in ether channel xxx. '. This warning message should
be expected. This warning message is a reminder to attach the same policy to other ports in the same
EtherChannel. The same message will be seen during boot up. This message does not mean there is a
discrepancy between the EtherChannel member ports.
Related Topics
Restrictions for QoS on Wireless Targets, on page 325
Prerequisites for Quality of Service, on page 281
QoS Overview, on page 283
QoS Implementation, on page 295
Restrictions for QoS on Wireless Targets
General Restrictions
A target is an entity where a policy is applied. You can apply a policy to either a wired or wireless target. A
wired target can be either a port or VLAN. A wireless target can be either a port, radio, SSID, or client. Only
port, SSID, and client policies are user configurable. Radio policies are not user configurable. Wireless QoS
policies for port, radio, SSID, and client are applied in the downstream direction, and for upstream only SSID
and client targets are supported. Downstream indicates that traffic is flowing from the controller to the wireless
client. Upstream indicates that traffic is flowing from wireless client to the controller.
Note
Auto QOS SRND is enabled by default on the Cisco Catalyst 4500E Supervisor Engine 8-E. When an AP is
connected, an egress QoS policy is automatically applied on the AP-connected ports, and the QoS policy is
removed when the AP is disconnected. This policy classification is applied through DSCP, so the drop threshold
can be configured for voice and CAPWAP control packets. All other traffic goes to different queues. If you
prefer to have a different QoS policy to prioritize a different class of traffic, you can configure it using the
'no auto qos srnd4' command. This removes the Auto QOS SRND4 policies attached to the AP-connected port
and the BB-DC inter-link port, and a default policy to protect CAPWAP control and voice traffic is attached
to the BB-DC inter-link port.
• Only port, SSID, and client (using AAA and Cisco IOS command-line interface) policies are
user-configurable. Radio policies are set by the wireless control module and are not user-configurable.
• Port and radio policies are applicable only in the egress direction.
• SSID and client targets can be configured only with marking and policing policies.
• One policy per target per direction is supported.
• For the egress class-default SSID policy, you must configure the queue buffer ratio as 0 after you configure
the average shape rate.
• Class maps in a policy map can have different types of filters. However, only one marking action (either
table map, or set dscp, or set cos) is supported in a map in egress direction.
• For hierarchical client and SSID ingress policies, you cannot configure marking in both the parent and
child policies. You can only configure marking either in the parent or child policy.
• You cannot configure multiple set actions in the same class.
• For both SSID and client ingress policies, supported set actions are only for DSCP and CoS values.
• You cannot delete a group of WLANs or QoS policy.
Wireless QoS Restrictions on Ports
The following are restrictions for applying QoS features on a wireless port target:
• All wireless ports have a similar parent policy with one class-default and one action shape under
class-default. Shape rates are dependent on the 802.11a/b/g/ac bands.
• You can create a maximum of four classes in a child policy by modifying the port_child_policy.
• If there are four classes in the port_child_policy at the port level, one must be a non-client-nrt class
and one must be class-default.
• No two classes can have the same priority level. Only priority level 1 (for voice traffic and control traffic)
and 2 (for video) are supported.
• Priority is not supported in the multicast NRT class (non-client-nrt class) and class-default.
• If four classes are configured, two of them have to be priority classes. If only three classes are configured,
at least one of them should be a priority class. If three classes are configured and there is no non-client-nrt
class, both priority levels must be present.
• Only match DSCP is supported.
• The port policy applied by the wireless control module cannot be removed using the CLI.
• Both priority rate and police CIR (using MQC) in the same class is unsupported.
• Queue limit (which is used to configure Weighted Tail Drop) is unsupported.
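The port restrictions above can be checked mechanically before a child policy is deployed. The following Python script is an added example, not Cisco code: it parses a constructed class-map/policy-map snippet and reports which of the listed restrictions a port_child_policy breaks. The function names, the sample configurations, and the reading that the class matching non-client-nrt is the one class exempt from the match-DSCP-only rule are assumptions.

```python
import re

# Constructed sample configurations (not taken from a real controller).
GOOD_POLICY = """
class-map match-any voice
 match dscp ef
class-map match-any video
 match dscp af41
class-map match-any non-client-nrt-class
 match non-client-nrt
policy-map port_child_policy
 class voice
  priority level 1
 class video
  priority level 2
 class non-client-nrt-class
  bandwidth remaining ratio 10
 class class-default
  bandwidth remaining ratio 25
"""
# Same shape with four problems: match cos, a duplicate priority level,
# queue-limit, and priority inside class-default.
BAD_POLICY = (GOOD_POLICY
              .replace("match dscp af41", "match cos 4")
              .replace("priority level 2",
                       "priority level 1\n  queue-limit dscp af41 percent 80")
              .replace("ratio 25", "ratio 25\n  priority level 2"))


def parse_config(text):
    """Parse IOS-style text into ({class-map: [match lines]},
    {policy-map: [(class name, [action lines])]})."""
    class_maps, policy_maps = {}, {}
    cmap = pmap = actions = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        line = " ".join(words)  # normalise indentation and spacing
        if words[0] == "class-map":
            cmap, pmap, actions = class_maps.setdefault(words[-1], []), None, None
        elif words[0] == "policy-map":
            pmap, cmap, actions = policy_maps.setdefault(words[-1], []), None, None
        elif words[0] == "class" and pmap is not None:
            actions = []
            pmap.append((words[1], actions))
        elif words[0] == "match" and cmap is not None:
            cmap.append(line)
        elif actions is not None:
            actions.append(line)
    return class_maps, policy_maps


def check_port_child_policy(text, policy="port_child_policy"):
    """Return a list of violations of the wireless port restrictions."""
    class_maps, policy_maps = parse_config(text)
    if policy not in policy_maps:
        return [f"policy-map {policy} not found"]
    classes = policy_maps[policy]
    names = [name for name, _ in classes]

    def is_nrt(name):  # the class whose class map matches non-client-nrt
        return "match non-client-nrt" in class_maps.get(name, [])

    errors, levels = [], []
    for name, actions in classes:
        prio = [m for m in (re.match(r"priority level (\d+)(\s+\S+)?", a)
                            for a in actions) if m]
        for m in prio:
            levels.append(int(m.group(1)))
            if levels[-1] not in (1, 2):
                errors.append(f"{name}: priority level {levels[-1]} is not supported")
            if name == "class-default" or is_nrt(name):
                errors.append(f"{name}: priority is not supported in this class")
        # Assumption: a rate after 'priority level N' plus any 'police' line in
        # the same class is the unsupported priority-rate / police-CIR mix.
        if any(m.group(2) for m in prio) and any(a.startswith("police") for a in actions):
            errors.append(f"{name}: priority rate and police in the same class")
        if any(a.startswith("queue-limit") for a in actions):
            errors.append(f"{name}: queue-limit is unsupported")
        for match in class_maps.get(name, []):
            if not match.startswith("match dscp") and match != "match non-client-nrt":
                errors.append(f"{name}: '{match}' is unsupported, only match dscp is")
    if len(levels) != len(set(levels)):
        errors.append("two classes share a priority level")
    count, has_nrt = len(classes), any(is_nrt(n) for n in names)
    if count > 4:
        errors.append(f"{count} classes configured, the maximum is four")
    if count == 4 and not (has_nrt and "class-default" in names):
        errors.append("four classes need a non-client-nrt class and class-default")
    if count == 4 and len(levels) < 2:
        errors.append("four classes need two priority classes")
    if count == 3 and not levels:
        errors.append("three classes need at least one priority class")
    elif count == 3 and not has_nrt and set(levels) != {1, 2}:
        errors.append("three classes without a non-client-nrt class need priority levels 1 and 2")
    return errors


if __name__ == "__main__":
    print("good:", check_port_child_policy(GOOD_POLICY))
    for problem in check_port_child_policy(BAD_POLICY):
        print("bad :", problem)
```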
Wireless QoS Restrictions on SSID
The following are restrictions for applying QoS features on SSID:
• One table map is supported at the ingress policy.
• Table maps are supported for the parent class-default only. Up to two table maps are supported in the
egress direction and three table-maps can be configured when a QoS group is involved.
Note
Table-maps are not supported at the client targets.
• If a wireless port has a default policy with only two queues (one for multicast-NRT, one for class-default),
the policy at SSID level cannot have voice and video class in the egress direction.
• Policing without priority is not supported in the egress direction.
• Priority configuration at the SSID level is used only to configure the RT1 and RT2 policers (AFD for
policer). Priority configuration does not include the shape rate. Therefore, priority is restricted for SSID
policies without police.
• If set is not enabled in class-default, the classification at the SSID for voice or video must be a subset of
the classification for the voice or video class at the port level.
• The mapping in the DSCP2DSCP and COS2COS table should be based on the classification function
for the voice and video classes in the port level policy.
• No action is allowed under the class-default of a child policy.
• For SSID ingress policies, only UP and DSCP filters (match criteria) are supported. ACL and protocol
match criteria are not supported.
• For a flat policy (non hierarchical), in the ingress direction, the policy configuration must be a set (table
map) or policing or both.
Wireless QoS Restrictions on Clients
The following are restrictions for applying QoS policies on client targets:
• The default client policy is enabled only on WMM clients that are ACM-enabled.
• Queuing is not supported.
• Attaching, removing, or modifying client policies on a WLAN in the enabled state is not supported. You
must shut down the WLAN to apply, remove, or modify a policy.
• Table-map configuration is not supported for client targets.
• Policing and set configured together in class-default is blocked in egress direction:
    policy-map foo
     class class-default
      police X
      set dscp Y
• Child policy is not supported under class-default if the parent policy contains other user-defined class
maps in it.
• For flat egress client policy, policing in class-default and marking action in other classes are not supported.
• Only set marking actions are supported in the client policies.
• For client ingress policies, only ACL, UP, DSCP, and protocol filters (match criteria) are supported.
• All the filters in classes in a policy map for client policy must have the same attributes. Filters matching
on protocol-specific attributes such as IPv4 or IPv6 addresses are considered as different attribute sets.
• For filters matching on ACLs, all ACEs (Access Control Entry) in the access list should have the same
type and number of attributes.
• In client egress policies, all filters in the policy-map must match on the same marking attribute for filters
matching on marking attributes. For example, if a filter matches on DSCP, then all filters in the policy
must match on DSCP.
• ACL matching on port ranges and subnets is supported only in the ingress direction.
Related Topics
Configuring Port Policies (GUI), on page 381
Applying or Changing Port Policies (GUI), on page 381
Applying a QoS Policy on a WLAN (GUI), on page 382
Port Policies, on page 289
Port Policy Format, on page 289
Radio Policies, on page 291
Restrictions for QoS on Wired Targets, on page 322
Prerequisites for Quality of Service, on page 281
QoS Overview, on page 283
QoS Implementation, on page 295
How to Configure QoS
Configuring Class, Policy, and Table Maps
Creating a Traffic Class (CLI)
To create a traffic class containing match criteria, use the class-map command to specify the traffic class
name, and then use the following match commands in class-map configuration mode, as needed.
Before you begin
All match commands specified in this configuration task are considered optional, but you must configure at
least one match criterion for a class.
SUMMARY STEPS
1. configure terminal
2. class-map class-map name { match-any | match-all }
3. match access-group {index number | name}
4. match class-map class-map name
5. match cos cos value
6. match dscp dscp value
7. match ip {dscp dscp value | precedence precedence value }
8. match non-client-nrt
9. match qos-group qos group value
10. match vlan vlan value
11. match wlan user-priority wlan value
12. end
DETAILED STEPS
Step 1
Command or Action
Purpose
configure terminal
Enters global configuration mode.
Example:
Consolidated Platform Configuration Guide, Cisco IOS XE Release 3E (Cisco 5700 Series WLC)
328
OL-32363-01
QoS
Creating a Traffic Class (CLI)
Command or Action
Purpose
Controller# configure terminal
Step 2
class-map class-map name{ match-any | match-all} Enters class map configuration mode.
• Creates a class map to be used for matching packets
to the class whose name you specify.
Example:
Controller(config)# class-map test_1000
Controller(config-cmap)#
• match-any: Any one of the match criteria must be
met for traffic entering the traffic class to be classified
as part of it.
• match-all: All of the match criteria must be met for
traffic entering the traffic class to be classified as part
of the traffic class.
Note
Step 3
match access-group {index number | name}
This is the default. If match-any or
match-all is not explicitly defined,
match-all is chosen by default.
The following parameters are available for this command:
• access-group
Example:
Controller(config-cmap)# match access-group 100
Controller(config-cmap)#
• class-map
• cos
• dscp
• ip
• non-client-nrt
• precedence
• qos-group
• vlan
• wlan user priority
(Optional) For this example, enter the access-group ID:
• Access list index (value from 1 to 2799)
• Named access list
Step 4
match class-map class-map name
(Optional) Matches to another class-map name.
Example:
Controller(config-cmap)# match class-map test_2000
Controller(config-cmap)#
Consolidated Platform Configuration Guide, Cisco IOS XE Release 3E (Cisco 5700 Series WLC)
OL-32363-01
329
QoS
Creating a Traffic Class (CLI)
Step 5
Command or Action
Purpose
match cos cos value
(Optional) Matches IEEE 802.1Q or ISL class of service
(user) priority values.
Example:
Controller(config-cmap)# match cos 2 3 4 5
Controller(config-cmap)#
Step 6
match dscp dscp value
Example:
• Enters up to 4 CoS values separated by spaces (0 to
7).
(Optional) Matches the DSCP values in IPv4 and IPv6
packets.
Controller(config-cmap)# match dscp af11 af12
Controller(config-cmap)#
Step 7
match ip {dscp dscp value | precedence precedence
value }
Example:
(Optional) Matches IP values including the following:
• dscp—Matches IP DSCP (DiffServ codepoints).
• precedence—Matches IP precedence (0 to 7).
Note
Controller(config-cmap)# match ip dscp af11 af12
Controller(config-cmap)#
Step 8
match non-client-nrt
(Optional) Matches non-client NRT (Non-Real-Time).
Example:
Note
Controller(config-cmap)# match non-client-nrt
Controller(config-cmap)#
Step 9
Since CPU generated packets are not
marked at egress, the packet will not match
the configured class-map.
match qos-group qos group value
This match is applicable only for policies on a
wireless port. It carries all the multi-destination
and AP (non-client) bound traffic.
(Optional) Matches QoS group value (from 0 to 31).
Example:
Controller(config-cmap)# match qos-group 10
Controller(config-cmap)#
Step 10
match vlan vlan value
(Optional) Matches a VLAN ID (from 1 to 4095).
Example:
Controller(config-cmap)# match vlan 210
Controller(config-cmap)#
Step 11
match wlan user-priority wlan value
Example:
(Optional) Matches 802.11e specific values. Enter the user
priority 802.11e user priority (0 to 7).
Controller(config-cmap)# match wlan user priority
7
Controller(config-cmap)#
Step 12
Command or Action: end
Purpose: Saves the configuration changes.
Example:
Controller(config-cmap)# end
What to do next
Configure the policy map.
Related Topics
Class Maps, on page 301
Examples: Classification by Access Control Lists, on page 387
Creating a Traffic Policy (CLI)
To create a traffic policy, use the policy-map global configuration command to specify the traffic policy
name.
The traffic class is associated with the traffic policy when the class command is used. The class command
must be entered after you enter the policy map configuration mode. After entering the class command, the
controller is automatically in policy map class configuration mode, which is where the QoS policies for the
traffic policy are defined.
The following policy map class-actions are supported:
• admit—Admits the request for Call Admission Control (CAC).
• bandwidth—Bandwidth configuration options.
• exit—Exits from the QoS class action configuration mode.
• no—Negates or sets default values for the command.
• police—Policer configuration options.
• priority—Strict scheduling priority configuration options for this class.
• queue-buffers—Queue buffer configuration options.
• queue-limit—Queue maximum threshold for Weighted Tail Drop (WTD) configuration options.
• service-policy—Configures the QoS service policy.
• set—Sets QoS values using the following options:
• CoS values
• DSCP values
• Precedence values
• QoS group values
• WLAN values
• shape—Traffic-shaping configuration options.
Before you begin
You should have first created a class map.
SUMMARY STEPS
1. configure terminal
2. policy-map policy-map name
3. class {class-name | class-default}
4. admit
5. bandwidth {kb/s kb/s value | percent percentage | remaining {percent | ratio}}
6. exit
7. no
8. police {target_bit_rate | cir | rate}
9. priority {kb/s | level level value | percent percentage value}
10. queue-buffers ratio ratio limit
11. queue-limit {packets | cos | dscp | percent}
12. service-policy policy-map name
13. set {cos | dscp | ip | precedence | qos-group | wlan}
14. shape average {target_bit_rate | percent}
15. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: policy-map policy-map name
Purpose: Enters policy map configuration mode.
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
Example:
Controller(config)# policy-map test_2000
Controller(config-pmap)#
Step 3
Command or Action: class {class-name | class-default}
Purpose: Specifies the name of the class whose policy you want to create or change.
You can also create a system default class for unclassified packets.
Example:
Controller(config-pmap)# class test_1000
Controller(config-pmap-c)#
Step 4
Command or Action: admit
Purpose: (Optional) Admits the request for Call Admission Control (CAC). For a more detailed example of this command and its usage, see the section Configuring Call Admission Control.
Note
This command only configures CAC for wireless QoS.
Example:
Controller(config-pmap-c)# admit cac wmm-tspec
Controller(config-pmap-c)#
Step 5
Command or Action: bandwidth {kb/s kb/s value | percent percentage | remaining {percent | ratio}}
Purpose: (Optional) Sets the bandwidth using one of the following:
• kb/s—Kilobits per second, enter a value between 20000 and 10000000 for Kb/s.
• percent—Enter the percentage of the total bandwidth to be used for this policy map.
• remaining—Enter the percentage ratio of the remaining bandwidth.
For a more detailed example of this command and its usage, see Configuring Bandwidth (CLI), on page 365.
Example:
Controller(config-pmap-c)# bandwidth 50
Controller(config-pmap-c)#
Step 6
Command or Action: exit
Purpose: (Optional) Exits from QoS class action configuration mode.
Example:
Controller(config-pmap-c)# exit
Controller(config-pmap)#
Step 7
Command or Action: no
Purpose: (Optional) Negates the command.
Example:
Controller(config-pmap-c)# no
Controller(config-pmap-c)#
Step 8
Command or Action: police {target_bit_rate | cir | rate}
Purpose: (Optional) Configures the policer:
• target_bit_rate—Enter the bit rate per second, enter a value between 8000 and 10000000000.
• cir—Committed Information Rate
• rate—Specify police rate, PCR for hierarchical policies or SCR for single-level ATM 4.0 policer policies.
For a more detailed example of this command and its usage, see Configuring Police (CLI), on page 367.
Example:
Controller(config-pmap-c)# police 100000
Controller(config-pmap-c)#
Step 9
Command or Action: priority {kb/s | level level value | percent percentage value}
Purpose: (Optional) Sets the strict scheduling priority for this class. Command options include:
• kb/s—Kilobits per second, enter a value between 1 and 2000000.
• level—Establishes a multi-level priority queue. Enter a value (1 or 2).
• percent—Enter a percent of the total bandwidth for this priority.
For a more detailed example of this command and its usage, see Configuring Priority (CLI), on page 369.
Example:
Controller(config-pmap-c)# priority percent 50
Controller(config-pmap-c)#
Step 10
Command or Action: queue-buffers ratio ratio limit
Purpose: (Optional) Configures the queue buffer for the class. Enter the queue buffers ratio limit (0 to 100).
For a more detailed example of this command and its usage, see Configuring Queue Buffers (CLI), on page 372.
Example:
Controller(config-pmap-c)# queue-buffers ratio 10
Controller(config-pmap-c)#
Step 11
Command or Action: queue-limit {packets | cos | dscp | percent}
Purpose: (Optional) Specifies the queue maximum threshold for the tail drop:
• packets—Packets by default, enter a value between 1 to 2000000.
• cos—Enter the parameters for each COS value.
• dscp—Enter the parameters for each DSCP value.
• percent—Enter the percentage for the threshold.
For a more detailed example of this command and its usage, see Configuring Queue Limits (CLI), on page 374.
Example:
Controller(config-pmap-c)# queue-limit cos 7 percent 50
Controller(config-pmap-c)#
Step 12
Command or Action: service-policy policy-map name
Purpose: (Optional) Configures the QoS service policy.
Example:
Controller(config-pmap-c)# service-policy test_2000
Controller(config-pmap-c)#
Step 13
Command or Action: set {cos | dscp | ip | precedence | qos-group | wlan}
Purpose: (Optional) Sets the QoS values. Possible QoS configuration values include:
• cos—Sets the IEEE 802.1Q/ISL class of service/user priority.
• dscp—Sets DSCP in IP(v4) and IPv6 packets.
• ip—Sets IP specific values.
• precedence—Sets precedence in IP(v4) and IPv6 packet.
• qos-group—Sets the QoS Group.
• wlan—Sets the WLAN user-priority.
Example:
Controller(config-pmap-c)# set cos 7
Controller(config-pmap-c)#
Step 14
Command or Action: shape average {target_bit_rate | percent}
Purpose: (Optional) Sets the traffic shaping. Command parameters include:
• target_bit_rate—Target bit rate.
• percent—Percentage of interface bandwidth for Committed Information Rate.
For a more detailed example of this command and its usage, see Configuring Shaping (CLI), on page 377.
Example:
Controller(config-pmap-c)# shape average percent 50
Controller(config-pmap-c)#
Step 15
Command or Action: end
Purpose: Saves the configuration changes.
Example:
Controller(config-pmap-c)# end
Controller#
What to do next
Configure the interface.
Related Topics
Policy Maps, on page 301
Configuring Client Policies (GUI)
Step 1
Choose Configuration > Wireless.
Step 2
Expand the QoS node by clicking on the left pane and choose QOS-Policy.
The QOS-Policy page is displayed.
Step 3
Click Add New to create a new QoS Policy.
The Create QoS Policy page is displayed.
Step 4
Select Client from the Policy Type drop-down menu.
Step 5
Select the direction into which the policy needs to be applied from the Policy Direction drop-down menu.
The available options are:
• Ingress
• Egress
Step 6
Specify a policy name in the Policy Name text box.
Step 7
Provide a description to the policy in the Description text box.
Step 8
(Optional) Configure the default voice or video configuration parameters by checking the Enable Voice or Enable
Video checkbox.
The following options are available:
• Trust—Specify the classification type behavior on this policy. The options available are:
• DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
• User Priority—This option is available when the Policy Direction is ingress. Enter the 802.11e user priority.
The range is from 0 to 7.
• COS—This option is available when the Policy Direction is egress. Matches IEEE 802.1Q class of service.
The range is from 0 to 7.
• Mark—Specify the marking label for each packet. The following options are available:
• DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
• CoS—Matches IEEE 802.1Q class of service. The range is from 0 to 7.
• User Priority—Enter the 802.11e user priority. The range is from 0 to 7.
• Police(kbps)—Specify the policing rate in kbps.
Note
The marking and policing options are optional.
Step 9
Specify the Class-default parameters.
The following options are available:
• Mark—Specify the marking label for each packet. The following options are available:
• DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
• CoS—Matches IEEE 802.1Q class of service. The range is from 0 to 7.
• User Priority—Enter the 802.11e user priority. The range is from 0 to 7.
• Police (kbps)—This option is available when the Policy Direction is egress. This option specifies the policing rate in kbps.
Note
You can choose either Mark or Police action for the class-default class when creating an egress client policy.
Step 10
(Optional) To configure the AVC class map for a client policy, check the Enable Application Recognition check box.
Note
For an egress client policy, when you enable Application Recognition, the Voice, Video, and User Defined
check boxes are disabled.
The following options are available:
• Trust—Specify a classification type for this policy.
• Protocol—Allows you to choose the protocols and configure the marking and policing of the packets.
• Category—Allows you to choose the category of the application. For example, browsing.
• Subcategory—Allows you to choose the subcategory of the application. For example, file-sharing.
• Application-Group—Allows you to choose the application group. For example, ftp-group.
• Protocol Choice—Choose the protocols, category, subcategory, or application group from the Available Protocols
list into the Assigned Protocols to apply the marking and policing of the packets.
• Mark—Specify the marking label for each packet. The following options are available:
• DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
• CoS—Matches IEEE 802.1Q class of service. The range is from 0 to 7.
• None—Choose this option when you do not want to mark the packets.
• Police (kbps)—Specifies the policing rate in kbps. This option is available when the Policy Direction is egress.
• Drop—Drops the ingress packets that correspond to the chosen protocols.
Step 11
(Optional) To configure user defined classes, check the User Defined Classes checkbox.
The following options are available:
• Trust—Specify the classification type behavior on this policy.
• DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
• User Priority—This option is available when the Policy Direction is ingress. Enter the 802.11e user priority.
The range is from 0 to 7.
• COS—This option is available when the Policy Direction is egress. Matches IEEE 802.1Q class of service.
The range is from 0 to 7.
• Mark—Specify the marking label for each packet. The following options are available:
• DSCP—Assigns a label to indicate the given quality of service. The range is from 0 to 63.
• CoS—Matches IEEE 802.1Q class of service. The range is from 0 to 7.
• User Priority—Enter the 802.11e user priority. The range is from 0 to 7.
• Police (kbps)—This option is available when the Policy Direction is egress. This option specifies the policing
rate in kbps.
Note
You can add a maximum of five user-defined classes for each client policy.
Step 12
Click Add to add the policy.
Related Topics
Client Policies, on page 292
Supported QoS Features on Wireless Targets, on page 287
Examples: Client Policies, on page 394
Configuring Client Policies
You can configure client policies using one of the following methods:
Method: Default client policies
Topic/Details: The wireless control module of the controller applies the default client policies when admission control (ACM) is enabled for WMM clients. When ACM is disabled, there is no default client policy.
The default policies are:
• Ingress—cldeffromWMM
• Egress—cldeftoWMM
You can verify if ACM is enabled by using the show ap dot11 {5ghz | 24ghz} command. To enable ACM, use the ap dot11 {5ghz | 24ghz} cac voice acm command.
Method: Apply the client policy on the WLAN using the GUI.
Topic/Details: Configuring Client Policies (GUI)
Method: Apply the client policy on the WLAN using the CLI.
Topic/Details: Applying an SSID or Client Policy on a WLAN (CLI)
Method: Apply the QoS attributes policy using a local profiling policy using the CLI.
Topic/Details: Applying a Local Policy for a Device on a WLAN (CLI)
Method: Apply the QoS attributes policy using a local profiling policy using the GUI.
Topic/Details:
• Choose Configuration > Security > Local Policies to create a local profiling policy.
• Choose Configuration > Wireless > WLAN > Policy Mapping to apply a local profiling policy on a WLAN.
For more information, see Applying Local Policies to WLAN (GUI), on page 166
Method: Apply policy map through a AAA server (ACS/ISE)
Topic/Details: Cisco Identity Services Engine User Guide
Cisco Secure Access Control System User Guide
Configuring Class-Based Packet Marking (CLI)
This procedure explains how to configure the following class-based packet marking features on your controller:
• CoS value
• DSCP value
• IP value
• Precedence value
• QoS group value
• WLAN value
Before you begin
You should have created a class map and a policy map before beginning this procedure.
SUMMARY STEPS
1. configure terminal
2. policy-map policy name
3. class class name
4. set cos {cos value | cos table table-map name | dscp table table-map name | precedence table table-map name | qos-group table table-map name | wlan user-priority table table-map name}
5. set dscp {dscp value | default | dscp table table-map name | ef | precedence table table-map name | qos-group table table-map name | wlan user-priority table table-map name}
6. set ip {dscp | precedence}
7. set precedence {precedence value | cos table table-map name | dscp table table-map name | precedence table table-map name | qos-group table table-map name}
8. set qos-group {qos-group value | dscp table table-map name | precedence table table-map name}
9. set wlan user-priority {wlan user-priority value | cos table table-map name | dscp table table-map name | qos-group table table-map name | wlan table table-map name}
10. end
11. show policy-map
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: policy-map policy name
Purpose: Enters policy map configuration mode.
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
Example:
Controller(config)# policy-map policy1
Controller(config-pmap)#
Step 3
Command or Action: class class name
Purpose: Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change.
Command options for policy class map configuration mode include the following:
• admit—Admits the request for Call Admission Control (CAC).
• bandwidth—Bandwidth configuration options.
• exit—Exits from the QoS class action configuration mode.
• no—Negates or sets default values for the command.
• police—Policer configuration options.
• priority—Strict scheduling priority configuration options for this class.
• queue-buffers—Queue buffer configuration options.
• queue-limit—Queue maximum threshold for Weighted Tail Drop (WTD) configuration options.
• service-policy—Configures the QoS service policy.
• set—Sets QoS values using the following options:
• CoS values
• DSCP values
• Precedence values
• QoS group values
• WLAN values
• shape—Traffic-shaping configuration options.
Example:
Controller(config-pmap)# class class1
Controller(config-pmap-c)#
Note
This procedure describes the available configurations using set command options. The other command options (admit, bandwidth, etc.) are described in other sections of this guide. Although this task lists all of the possible set commands, only one set command is supported per class.
Step 4
Command or Action: set cos {cos value | cos table table-map name | dscp table table-map name | precedence table table-map name | qos-group table table-map name | wlan user-priority table table-map name}
Purpose: (Optional) Sets the specific IEEE 802.1Q Layer 2 CoS value of an outgoing packet. Values are from 0 to 7.
You can also set the following values using the set cos command:
• cos table—Sets the CoS value based on a table map.
• dscp table—Sets the code point value based on a table map.
• precedence table—Sets the code point value based on a table map.
• qos-group table—Sets the CoS value from QoS group based on a table map.
• wlan user-priority table—Sets the CoS value from the WLAN user priority based on a table map.
Example:
Controller(config-pmap-c)# set cos 5
Controller(config-pmap-c)#
Step 5
Command or Action: set dscp {dscp value | default | dscp table table-map name | ef | precedence table table-map name | qos-group table table-map name | wlan user-priority table table-map name}
Purpose: (Optional) Sets the DSCP value.
In addition to setting specific DSCP values, you can also set the following using the set dscp command:
• default—Matches packets with default DSCP value (000000).
• dscp table—Sets the packet DSCP value from DSCP based on a table map.
• ef—Matches packets with EF DSCP value (101110).
• precedence table—Sets the packet DSCP value from precedence based on a table map.
• qos-group table—Sets the packet DSCP value from a QoS group based upon a table map.
• wlan user-priority table—Sets the packet DSCP value based upon a WLAN user-priority based upon a table map.
Example:
Controller(config-pmap-c)# set dscp af11
Controller(config-pmap-c)#
Step 6
Command or Action: set ip {dscp | precedence}
Purpose: (Optional) Sets IP specific values. These values are either IP DSCP or IP precedence values.
You can set the following values using the set ip dscp command:
• dscp value—Sets a specific DSCP value.
• default—Matches packets with default DSCP value (000000).
• dscp table—Sets the packet DSCP value from DSCP based on a table map.
• ef—Matches packets with EF DSCP value (101110).
• precedence table—Sets the packet DSCP value from precedence based on a table map.
• qos-group table—Sets the packet DSCP value from a QoS group based upon a table map.
• wlan user-priority table—Sets the packet DSCP value based upon a WLAN user-priority based upon a table map.
You can set the following values using the set ip precedence command:
• precedence value—Sets the precedence value (from 0 to 7).
• cos table—Sets the packet precedence value from Layer 2 CoS based on a table map.
• dscp table—Sets the packet precedence from DSCP value based on a table map.
• precedence table—Sets the precedence value from precedence based on a table map.
• qos-group table—Sets the precedence value from a QoS group based upon a table map.
Example:
Controller(config-pmap-c)# set ip dscp c3
Controller(config-pmap-c)#
Step 7
Command or Action: set precedence {precedence value | cos table table-map name | dscp table table-map name | precedence table table-map name | qos-group table table-map name}
Purpose: (Optional) Sets precedence values in IPv4 and IPv6 packets.
You can set the following values using the set precedence command:
• precedence value—Sets the precedence value (from 0 to 7).
• cos table—Sets the packet precedence value from Layer 2 CoS on a table map.
• dscp table—Sets the packet precedence from DSCP value on a table map.
• precedence table—Sets the precedence value from precedence based on a table map.
• qos-group table—Sets the precedence value from a QoS group based upon a table map.
Example:
Controller(config-pmap-c)# set precedence 5
Controller(config-pmap-c)#
Step 8
Command or Action: set qos-group {qos-group value | dscp table table-map name | precedence table table-map name}
Purpose: (Optional) Sets QoS group values. You can set the following values using this command:
• qos-group value—A number from 1 to 31.
• dscp table—Sets the code point value from DSCP based on a table map.
• precedence table—Sets the code point value from precedence based on a table map.
Example:
Controller(config-pmap-c)# set qos-group 10
Controller(config-pmap-c)#
Step 9
Command or Action: set wlan user-priority {wlan user-priority value | cos table table-map name | dscp table table-map name | qos-group table table-map name | wlan table table-map name}
Purpose: (Optional) Sets the WLAN user priority value. You can set the following values using this command:
• wlan user-priority value—A value between 0 to 7.
• cos table—Sets the WLAN user priority value from CoS based on a table map.
• dscp table—Sets the WLAN user priority value from DSCP based on a table map.
• qos-group table—Sets the WLAN user priority value from QoS group based on a table map.
• wlan table—Sets the WLAN user priority value from the WLAN user priority based on a table map.
Example:
Controller(config-pmap-c)# set wlan user-priority 1
Controller(config-pmap-c)#
Step 10
Command or Action: end
Purpose: Saves configuration changes.
Example:
Controller(config-pmap)# end
Controller#
Step 11
Command or Action: show policy-map
Purpose: (Optional) Displays policy configuration information for all classes configured for all service policies.
Example:
Controller# show policy-map
What to do next
Attach the traffic policy to an interface using the service-policy command.
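The limits stated in the policy-map steps above (only one set command per class, and the numeric ranges given for set cos, set precedence, set wlan user-priority, police, priority level and queue-buffers ratio) can be checked offline before a configuration is applied. The following Python script is an added example, not Cisco code; the function name lint_policy_maps, the sample configuration and the assumed running-config style indentation (top-level commands start in column 0) are constructed for illustration.

```python
import re

# Numeric limits as stated in the steps of this guide. Keyword and table-map
# forms (for example "set dscp ef" or "set cos cos table t1") are not
# range-checked here; only the bare numeric forms are.
LIMITS = [
    (re.compile(r"^set cos (\d+)$"), 0, 7, "set cos"),
    (re.compile(r"^set precedence (\d+)$"), 0, 7, "set precedence"),
    (re.compile(r"^set wlan user-priority (\d+)$"), 0, 7, "set wlan user-priority"),
    (re.compile(r"^police (\d+)$"), 8000, 10_000_000_000, "police target_bit_rate"),
    (re.compile(r"^priority level (\d+)$"), 1, 2, "priority level"),
    (re.compile(r"^queue-buffers ratio (\d+)$"), 0, 100, "queue-buffers ratio"),
]

# Constructed sample input (not taken from a real controller).
SAMPLE_CONFIG = """\
policy-map policy1
 class voice
  set dscp ef
  set cos 5
  police 4000
 class video
  set cos 9
  priority level 3
 class class-default
  set wlan user-priority 1
  queue-buffers ratio 10
interface GigabitEthernet1/0/1
 service-policy output policy1
"""


def lint_policy_maps(config_text):
    """Return a list of (policy, class, message) findings for policy maps.

    Assumption: top-level commands such as policy-map and interface start in
    column 0, and class and action lines are indented beneath them.
    """
    findings = []
    policy = cls = None
    set_counts = {}  # (policy, class) -> number of set commands seen
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse indentation and spacing
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # A top-level command either opens a policy map or leaves one.
            policy = line.split(" ", 1)[1] if line.startswith("policy-map ") else None
            cls = None
            continue
        if policy is None:
            continue  # indented line under some other block, out of scope
        if line.startswith("class "):
            cls = line.split(" ", 1)[1]
            continue
        if cls is None:
            continue  # policy-map level line that precedes any class
        if line.startswith("set "):
            key = (policy, cls)
            set_counts[key] = set_counts.get(key, 0) + 1
            if set_counts[key] == 2:  # report once per class
                findings.append((policy, cls, "more than one set command in this class"))
        for pattern, low, high, label in LIMITS:
            match = pattern.match(line)
            if match and not low <= int(match.group(1)) <= high:
                findings.append(
                    (policy, cls, f"{label} {match.group(1)} outside {low} to {high}")
                )
    return findings


if __name__ == "__main__":
    for policy, cls, message in lint_policy_maps(SAMPLE_CONFIG):
        print(f"policy-map {policy}, class {cls}: {message}")
```

The check for set qos-group is left out because this guide gives 0 to 31 for match qos-group and 1 to 31 for set qos-group.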
Configuring Class Maps for Voice and Video (CLI)
To configure class maps for voice and video traffic, follow these steps:
SUMMARY STEPS
1. class-map class-map-name
2. match dscp dscp-value-for-voice
3. class-map class-map-name
4. match dscp dscp-value-for-video
DETAILED STEPS
Step 1
Command or Action: class-map class-map-name
Purpose: Creates a class map.
Example:
Controller(config)# class-map voice
Step 2
Command or Action: match dscp dscp-value-for-voice
Purpose: Matches the DSCP value in the IPv4 and IPv6 packets. Set this value to 46.
Example:
Controller(config-cmap)# match dscp 46
Step 3
Command or Action: class-map class-map-name
Purpose: Configures a class map.
Example:
Controller(config)# class-map video
Step 4
Command or Action: match dscp dscp-value-for-video
Purpose: Matches the DSCP value in the IPv4 and IPv6 packets. Set this value to 34.
Example:
Controller(config-cmap)# match dscp 34
Attaching a Traffic Policy to an Interface (CLI)
After the traffic class and traffic policy are created, you must use the service-policy interface configuration
command to attach a traffic policy to an interface, and to specify the direction in which the policy should be
applied (either on packets coming into the interface or packets leaving the interface).
Before you begin
A traffic class and traffic policy must be created before attaching a traffic policy to an interface.
SUMMARY STEPS
1. configure terminal
2. interface type
3. service-policy {input policy-map | output policy-map}
4. end
5. show policy-map
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: interface type
Purpose: Enters interface configuration mode and configures an interface.
Command parameters for the interface configuration include:
• Auto Template—Auto-template interface
• Capwap—CAPWAP tunnel interface
• GigabitEthernet—Gigabit Ethernet IEEE 802
• GroupVI—Group virtual interface
• Internal Interface—Internal interface
• Loopback—Loopback interface
• Null—Null interface
• Port-channel—Ethernet Channel of interface
• TenGigabitEthernet—10-Gigabit Ethernet
• Tunnel—Tunnel interface
• Vlan—Catalyst VLANs
• Range—Interface range
Example:
Controller(config)# interface GigabitEthernet1/0/1
Controller(config-if)#
Step 3
Command or Action: service-policy {input policy-map | output policy-map}
Purpose: Attaches a policy map to an input or output interface. This policy map is then used as the service policy for that interface.
In this example, the traffic policy evaluates all traffic leaving that interface.
Example:
Controller(config-if)# service-policy output policy_map_01
Controller(config-if)#
Step 4
Command or Action: end
Purpose: Saves configuration changes.
Example:
Controller(config-if)# end
Controller#
Step 5
Command or Action: show policy-map
Purpose: (Optional) Displays statistics for the policy on the specified interface.
Example:
Controller# show policy-map
What to do next
Proceed to attach any other traffic policy to an interface, and to specify the direction in which the policy should
be applied.
Related Topics
Policy Map on Physical Port, on page 302
Configuring SSID Policies (GUI)
Step 1
Choose Configuration > Wireless.
Step 2
Expand the QoS node by clicking on the left pane and choose QOS-Policy.
The Create QoS Policy page is displayed.
Step 3
Click Add New to create a new QoS Policy.
The QoS Policy page is displayed.
Step 4
Select SSID from the Policy Type drop-down menu.
Step 5
Select the direction into which the policy needs to be applied from the Policy Direction drop-down list.
The available options are:
• Ingress
• Egress
Note
Voice and video configurations are available only in the egress direction.
Note
When creating an egress SSID policy for voice and video classes, if the port_child_policy is already configured
with voice and video classes having priority level, the existing port_child_policy is used. If a
port_child_policy does not exist with voice and video classes, the switch will create voice and video classes
with priority levels 1 and 2 under port_child_policy for voice and video traffic.
Step 6
Specify a policy name in the Policy Name text box.
Step 7
Provide a description to the policy in the Description text box.
Step 8
Select the trust parameter from the Trust drop-down list.
The following options are available:
• DSCP—Assigns a label to indicate the given quality of service as DSCP.
• COS—Matches IEEE 802.1Q class of service. This option is not available when the Policy Direction is ingress.
• User Priority—Enter the 802.11e user priority. This option is not available when the Policy Direction is egress.
• None—This option is available only for egress policies.
Step 9
If you chose Egress policy above, the following options are available:
• Bandwidth—Specifies the bandwidth rate. The following options are available:
• Rate—Specifies the bandwidth in kbps. Enter a value in kbps in the Value field.
• Remaining Ratio—Specifies the bandwidth in BRR (bandwidth remaining ratio). Enter the percentage in
the Percent field.
Note
If you choose the Rate option for the Bandwidth parameter, this value must be greater than the sum of
the policing values for voice and video traffic.
• Enable Voice—Check the Enable Voice check box to enable voice traffic on this policy. Specify the following
properties:
• Priority—Sets the priority for this policy for strict scheduling. The priority level is set to 1.
• Police (kbps)—Specifies the police rate in Kilobits per second.
• CAC—Enables or disables CAC. If CAC is enabled, you must specify the following options:
• User priority—This option is available when the Policy Direction is ingress. Enter the 802.11e user
priority. The range is from 0 to 7. By default, a value of 6 is assigned.
• Rate(kbps)
Note
The CAC rate must be less than the police rate.
• Enable Video—Check the Enable Video check box to enable video traffic on this policy. Specify the following
properties:
• Priority—Sets the priority for this policy for strict scheduling.
• Police (kbps)—Specifies the police rate in kilobits per second.
Step 10
Click Apply.
Related Topics
SSID Policies, on page 291
Supported QoS Features on Wireless Targets, on page 287
Examples: SSID Policy
Examples: Configuring Downstream SSID Policy, on page 392
Applying an SSID or Client Policy on a WLAN (CLI)
Before you begin
You must have a service-policy map configured before applying it on an SSID.
SUMMARY STEPS
1. configure terminal
2. wlan profile-name
3. service-policy [ input | output ] policy-name
4. service-policy client [ input | output ] policy-name
5. end
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: wlan profile-name
Purpose: Enters WLAN configuration submode. The profile-name is the profile name of the configured WLAN.
Example:
Controller(config)# wlan test4
Step 3
Command or Action: service-policy [ input | output ] policy-name
Purpose: Applies the policy. The following options are available:
• input—Assigns the policy map to WLAN ingress traffic.
• output—Assigns the policy map to WLAN egress traffic.
Example:
Controller(config-wlan)# service-policy input policy-map-ssid
Step 4
Command or Action: service-policy client [ input | output ] policy-name
Purpose: Applies the policy. The following options are available:
• input—Assigns the client policy for ingress direction on the WLAN.
• output—Assigns the client policy for egress direction on the WLAN.
Example:
Controller(config-wlan)# service-policy client input policy-map-client
Step 5
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Related Topics
SSID Policies, on page 291
Supported QoS Features on Wireless Targets, on page 287
Examples: SSID Policy
Examples: Configuring Downstream SSID Policy, on page 392
Classifying, Policing, and Marking Traffic on Physical Ports by Using Policy Maps (CLI)
You can configure a nonhierarchical policy map on a physical port that specifies which traffic class to act on.
Actions supported are remarking and policing.
Before you begin
You should have already decided upon the classification, policing, and marking of your network traffic by
policy maps prior to beginning this procedure.
SUMMARY STEPS
1. configure terminal
2. class-map {class-map name | match-any }
3. match access-group { access list index | access list name }
4. policy-map policy-map-name
5. class {class-map-name | class-default}
6. set {cos | dscp | ip | precedence | qos-group | wlan user-priority}
7. police {target_bit_rate | cir | rate }
8. exit
9. exit
10. interface interface-id
11. service-policy input policy-map-name
12. end
13. show policy-map [policy-map-name [class class-map-name]]
14. copy running-config startup-config
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
class-map {class-map name | match-any }
Enters class map configuration mode.
• Creates a class map to be used for matching packets to the class whose name you specify.
• If you specify match-any, one of the match criteria must be met for traffic entering the traffic class to be classified as part of the traffic class. This is the default.
Example:
Controller(config)# class-map ipclass1
Controller(config-cmap)# exit
Controller(config)#
Step 3
match access-group { access list index | access list name }
Specifies the classification criteria to match to the class map. You can match on the following criteria:
• access-group—Matches to access group.
• class-map—Matches to another class map.
• cos—Matches to a CoS value.
• dscp—Matches to a DSCP value.
• ip—Matches to a specific IP value.
• non-client-nrt—Matches non-client NRT.
• precedence—Matches precedence in IPv4 and IPv6 packets.
• qos-group—Matches to a QoS group.
• vlan—Matches to a VLAN.
Example:
Controller(config-cmap)# match access-group 1000
Controller(config-cmap)# exit
Controller(config)#
Step 4
policy-map policy-map-name
Creates a policy map by entering the policy map name, and enters policy-map configuration mode.
By default, no policy maps are defined.
Example:
Controller(config)# policy-map flowit
Controller(config-pmap)#
Step 5
class {class-map-name | class-default}
Defines a traffic classification, and enters policy-map class configuration mode.
By default, no policy map class-maps are defined.
If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
A class-default traffic class is predefined and can be added to any policy. It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default.
Example:
Controller(config-pmap)# class ipclass1
Controller(config-pmap-c)#
Step 6
set {cos | dscp | ip | precedence | qos-group | wlan user-priority}
(Optional) Sets the QoS values. Possible QoS configuration values include:
• cos—Sets the IEEE 802.1Q/ISL class of service/user priority.
• dscp—Sets DSCP in IP(v4) and IPv6 packets.
• ip—Sets IP specific values.
• precedence—Sets precedence in IP(v4) and IPv6 packet.
• qos-group—Sets QoS group.
• wlan user-priority—Sets WLAN user priority.
In this example, the set dscp command classifies the IP traffic by setting a new DSCP value in the packet.
Example:
Controller(config-pmap-c)# set dscp 45
Controller(config-pmap-c)#
Step 7
police {target_bit_rate | cir | rate }
(Optional) Configures the policer:
• target_bit_rate—Specifies the bit rate per second. Enter a value between 8000 and 10000000000.
• cir—Committed Information Rate.
• rate—Specifies the police rate, PCR for hierarchical policies, or SCR for single-level ATM 4.0 policer policies.
In this example, the police command adds a policer to the class where any traffic beyond the 100000 set target bit rate is dropped.
Example:
Controller(config-pmap-c)# police 100000 conform-action transmit exceed-action drop
Controller(config-pmap-c)#
Step 8
exit
Returns to policy map configuration mode.
Example:
Controller(config-pmap-c)# exit
Step 9
exit
Returns to global configuration mode.
Example:
Controller(config-pmap)# exit
Step 10
interface interface-id
Specifies the port to attach to the policy map, and enters interface configuration mode.
Valid interfaces include physical ports.
Example:
Controller(config)# interface gigabitethernet 2/0/1
Step 11
service-policy input policy-map-name
Specifies the policy-map name, and applies it to an ingress port. Only one policy map per ingress port is supported.
Example:
Controller(config-if)# service-policy input flowit
Step 12
end
Returns to privileged EXEC mode.
Example:
Controller(config-if)# end
Step 13
show policy-map [policy-map-name [class class-map-name]]
(Optional) Verifies your entries.
Example:
Controller# show policy-map
Step 14
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
What to do next
If applicable to your QoS configuration, configure classification, policing, and marking of traffic on SVIs by
using policy maps.
Classifying, Policing, and Marking Traffic on SVIs by Using Policy Maps (CLI)
Before you begin
You should have already decided upon the classification, policing, and marking of your network traffic by
using policy maps prior to beginning this procedure.
SUMMARY STEPS
1. configure terminal
2. class-map {class-map name | match-any }
3. match vlan vlan number
4. policy-map policy-map-name
5. description description
6. class {class-map-name | class-default}
7. set {cos | dscp | ip | precedence | qos-group | wlan user-priority}
8. police {target_bit_rate | cir | rate}
9. exit
10. exit
11. interface interface-id
12. service-policy input policy-map-name
13. end
14. show policy-map [policy-map-name [class class-map-name]]
15. copy running-config startup-config
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
class-map {class-map name | match-any }
Enters class map configuration mode.
• Creates a class map to be used for matching packets to the class whose name you specify.
• If you specify match-any, one of the match criteria must be met for traffic entering the traffic class to be classified as part of the traffic class. This is the default.
Example:
Controller(config)# class-map class_vlan100
Step 3
match vlan vlan number
Specifies the VLAN to match to the class map.
Example:
Controller(config-cmap)# match vlan 100
Controller(config-cmap)# exit
Controller(config)#
Step 4
policy-map policy-map-name
Creates a policy map by entering the policy map name, and enters policy-map configuration mode.
By default, no policy maps are defined.
Example:
Controller(config)# policy-map policy_vlan100
Controller(config-pmap)#
Step 5
description description
(Optional) Enters a description of the policy map.
Example:
Controller(config-pmap)# description vlan 100
Step 6
class {class-map-name | class-default}
Defines a traffic classification, and enters the policy-map class configuration mode.
By default, no policy map class-maps are defined.
If a traffic class has already been defined by using the class-map global configuration command, specify its name for class-map-name in this command.
A class-default traffic class is predefined and can be added to any policy. It is always placed at the end of a policy map. With an implied match any included in the class-default class, all packets that have not already matched the other traffic classes will match class-default.
Example:
Controller(config-pmap)# class class_vlan100
Controller(config-pmap-c)#
Step 7
set {cos | dscp | ip | precedence | qos-group | wlan user-priority}
(Optional) Sets the QoS values. Possible QoS configuration values include:
• cos—Sets the IEEE 802.1Q/ISL class of service/user priority.
• dscp—Sets DSCP in IP(v4) and IPv6 packets.
• ip—Sets IP specific values.
• precedence—Sets precedence in IP(v4) and IPv6 packet.
• qos-group—Sets QoS group.
• wlan user-priority—Sets WLAN user-priority.
In this example, the set dscp command classifies the IP traffic by matching the packets with a DSCP value of AF23 (010010).
Example:
Controller(config-pmap-c)# set dscp af23
Controller(config-pmap-c)#
Step 8
police {target_bit_rate | cir | rate}
(Optional) Configures the policer:
• target_bit_rate—Specifies the bit rate per second. Enter a value between 8000 and 10000000000.
• cir—Committed Information Rate.
• rate—Specifies the police rate, PCR for hierarchical policies, or SCR for single-level ATM 4.0 policer policies.
In this example, the police command adds a policer to the class where any traffic beyond the 200000 set target bit rate is dropped.
Example:
Controller(config-pmap-c)# police 200000 conform-action transmit exceed-action drop
Controller(config-pmap-c)#
Step 9
exit
Returns to policy map configuration mode.
Example:
Controller(config-pmap-c)# exit
Step 10
exit
Returns to global configuration mode.
Example:
Controller(config-pmap)# exit
Step 11
interface interface-id
Specifies the port to attach to the policy map, and enters interface configuration mode.
Valid interfaces include physical ports.
Example:
Controller(config)# interface gigabitethernet 1/0/3
Step 12
service-policy input policy-map-name
Specifies the policy-map name, and applies it to an ingress port. Only one policy map per ingress port is supported.
Example:
Controller(config-if)# service-policy input policy_vlan100
Step 13
end
Returns to privileged EXEC mode.
Example:
Controller(config-if)# end
Step 14
show policy-map [policy-map-name [class class-map-name]]
(Optional) Verifies your entries.
Example:
Controller# show policy-map
Step 15
copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Related Topics
Policy Map on VLANs, on page 302
Examples: Policer VLAN Configuration, on page 399
Configuring Table Maps (CLI)
Table maps are a form of marking, and also enable the mapping and conversion of one field to another using
a table. For example, a table map can be used to map and convert a Layer 2 CoS setting to a precedence value
in Layer 3.
Note
A table map can be referenced in multiple policies or multiple times in the same policy.
SUMMARY STEPS
1. configure terminal
2. table-map name {default {default value | copy | ignore} | exit | map {from from value to to value } | no}
3. map from value to value
4. exit
5. exit
6. show table-map
7. configure terminal
8. policy-map
9. class class-default
10. set cos dscp table table map name
11. end
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
table-map name {default {default value | copy | ignore} | exit | map {from from value to to value } | no}
Creates a table map and enters the table map configuration mode. In table map configuration mode, you can perform the following tasks:
• default—Configures the table map default value, or sets the default behavior for a value not found in the table map to copy or ignore.
• exit—Exits from the table map configuration mode.
• map—Maps a from to a to value in the table map.
• no—Negates or sets the default values of the command.
Example:
Controller(config)# table-map table01
Controller(config-tablemap)#
Step 3
map from value to value
In this step, packets with DSCP values 0 are marked to the CoS value 2, DSCP value 1 to the CoS value 4, DSCP value 24 to the CoS value 3, DSCP value 40 to the CoS value 6 and all others to the CoS value 0.
Note
The mapping from CoS values to DSCP values in this example is configured by using the set policy map class configuration command as described in a later step in this procedure.
Example:
Controller(config-tablemap)# map from 0 to 2
Controller(config-tablemap)# map from 1 to 4
Controller(config-tablemap)# map from 24 to 3
Controller(config-tablemap)# map from 40 to 6
Controller(config-tablemap)# default 0
Controller(config-tablemap)#
Step 4
exit
Returns to global configuration mode.
Example:
Controller(config-tablemap)# exit
Controller(config)#
Step 5
exit
Returns to privileged EXEC mode.
Example:
Controller(config)# exit
Controller#
Step 6
show table-map
Displays the table map configuration.
Example:
Controller# show table-map
Table Map table01
from 0 to 2
from 1 to 4
from 24 to 3
from 40 to 6
default 0
Step 7
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Controller(config)#
Step 8
policy-map
Configures the policy map for the table map.
Example:
Controller(config)# policy-map table-policy
Controller(config-pmap)#
Step 9
class class-default
Matches the class to the system default.
Example:
Controller(config-pmap)# class class-default
Controller(config-pmap-c)#
Step 10
set cos dscp table table map name
If this policy is applied on input port, that port will have trust DSCP enabled on that port and marking will take place depending upon the specified table map.
Example:
Controller(config-pmap-c)# set cos dscp table table01
Controller(config-pmap-c)#
Step 11
end
Returns to privileged EXEC mode.
Example:
Controller(config-pmap-c)# end
Controller#
What to do next
Configure any additional policy maps for QoS for your network. After creating your policy maps, attach the
traffic policy or policies to an interface using the service-policy command.
Related Topics
Table Map Marking, on page 305
Examples: Table Map Marking Configuration, on page 401
Configuring Trust
Configuring Trust Behavior for Wireless Traffic (CLI)
The Cisco IOS XE 3.2 Release supported different trust defaults for wired and wireless ports. The trust default
for wired ports was the same as for this software release. For wireless ports, the default system behavior was
non-trust, which meant that when the controller came up, all markings for the wireless ports were defaulted
to zero and no traffic received priority treatment. For compatibility with an existing wired controller, all traffic
went to the best-effort queue by default. The access point performed priority queuing by default. In the
downstream direction, the access point maintained voice, video, best-effort, and background queues for
queuing. The access point selected the queuing strategy based on the 11e tag information. By default, the access
point treated all wireless packets as best effort.
SUMMARY STEPS
1. configure terminal
2. qos wireless-default-untrust
3. end
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
qos wireless-default-untrust
Configures the behavior of the controller to untrust wireless traffic. To configure the controller to trust wireless traffic by default, use the no form of the command.
Example:
Controller(config)# qos wireless-default-untrust
Step 3
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Related Topics
Trust Behavior for Wired and Wireless Ports, on page 314
Configuring QoS Features and Functionality
Configuring Call Admission Control (CLI)
This task explains how to configure class-based, unconditional packet marking features on your controller
for Call Admission Control (CAC).
SUMMARY STEPS
1. configure terminal
2. class-map class name
3. match dscp dscp value
4. exit
5. class-map class name
6. match dscp dscp value
7. exit
8. table-map name
9. default copy
10. exit
11. table-map name
12. default copy
13. exit
14. policy-map policy name
15. class class-map-name
16. priority level level_value
17. police [target_bit_rate | cir | rate ]
18. admit cac wmm-tspec
19. rate value
20. wlan-up value
21. exit
22. exit
23. class class name
24. priority level level_value
25. police [target_bit_rate | cir | rate ]
26. admit cac wmm-tspec
27. rate value
28. wlan-up value
29. exit
30. exit
31. policy-map policy name
32. class class-map-name
33. set dscp dscp table table_map_name
34. set wlan user-priority dscp table table_map_name
35. shape average {target bit rate | percent percentage}
36. queue-buffers {ratio ratio value}
37. service-policy policy_map_name
38. end
39. show policy-map
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
class-map class name
Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:
• word—Class map name.
• class-default—System default class matching any otherwise unclassified packets.
Example:
Controller(config)# class-map voice
Controller(config-cmap)#
Step 3
match dscp dscp value
(Optional) Matches the DSCP values in IPv4 and IPv6 packets.
Example:
Controller(config-cmap)# match dscp 46
Step 4
exit
Returns to global configuration mode.
Example:
Controller(config-cmap)# exit
Controller(config)#
Step 5
class-map class name
Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:
• word—Class map name.
• class-default—System default class matching any otherwise unclassified packets.
Example:
Controller(config)# class-map video
Controller(config-cmap)#
Step 6
match dscp dscp value
(Optional) Matches the DSCP values in IPv4 and IPv6 packets.
Example:
Controller(config-cmap)# match dscp 34
Step 7
exit
Returns to global configuration mode.
Example:
Controller(config-cmap)# exit
Controller(config)#
Step 8
table-map name
Creates a table map and enters the table map configuration mode.
Example:
Controller(config)# table-map dscp2dscp
Controller(config-tablemap)#
Step 9
default copy
Sets the default behavior for value not found in the table map to copy.
Note
This is the default option. You can also do a mapping of values for DSCP to DSCP.
Example:
Controller(config-tablemap)# default copy
Step 10
exit
Returns to global configuration mode.
Example:
Controller(config-tablemap)# exit
Controller(config)#
Step 11
table-map name
Creates a new table map and enters the table map configuration mode.
Example:
Controller(config)# table-map dscp2up
Controller(config-tablemap)#
Step 12
default copy
Sets the default behavior for value not found in the table map to copy.
Note
This is the default option. You can also do a mapping of values for DSCP to UP.
Example:
Controller(config-tablemap)# default copy
Step 13
exit
Returns to global configuration mode.
Example:
Controller(config-tablemap)# exit
Controller(config)#
Step 14
policy-map policy name
Enters policy map configuration mode.
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
Example:
Controller(config)# policy-map ssid_child_cac
Controller(config-pmap)#
Step 15
class class-map-name
Defines an interface-level traffic classification, and enters policy-map configuration mode.
Example:
Controller(config-pmap)# class voice
Step 16
priority level level_value
The priority command assigns a strict scheduling priority for the class.
Note
Priority level 1 is more important than priority level 2. Priority level 1 reserves bandwidth that is processed first for QoS, so its latency is very low. Both priority level 1 and 2 reserve bandwidth.
Example:
Controller(config-pmap-c)# priority level 1
Step 17
police [target_bit_rate | cir | rate ]
(Optional) Configures the policer:
• target_bit_rate—Specifies the bit rate per second. Enter a value between 8000 and 10000000000.
• cir—Committed Information Rate.
• rate—Specifies the police rate, PCR for hierarchical policies, or SCR for single-level ATM 4.0 policer policies.
Example:
Controller(config-pmap-c)# police cir 10m
Step 18
admit cac wmm-tspec
Configures call admission control for the policy map.
Note
This command only configures CAC for wireless QoS.
Example:
Controller(config-pmap-c)# admit cac wmm-tspec
Controller(config-pmap-cac-wmm)#
Step 19
rate value
Configures the target bit rate (kilobits per second). Enter a value from 8 to 10000000.
Example:
Controller(config-pmap-admit-cac-wmm)# rate 5000
Step 20
wlan-up value
Configures the WLAN UP value. Enter a value from 0 to 7.
Example:
Controller(config-pmap-admit-cac-wmm)# wlan-up 6 7
Step 21
exit
Returns to policy map class configuration mode.
Example:
Controller(config-pmap-admit-cac-wmm)# exit
Controller(config-pmap-c)#
Step 22
exit
Returns to policy map configuration mode.
Example:
Controller(config-pmap-c)# exit
Controller(config-pmap)#
Step 23
class class name
Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:
• word—Class map name.
• class-default—System default class matching any otherwise unclassified packets.
Example:
Controller(config-pmap)# class video
Controller(config-pmap-c)#
Step 24
priority level level_value
The priority command assigns a strict scheduling priority for the class.
Note
Priority level 1 is more important than priority level 2. Priority level 1 reserves bandwidth that is processed first for QoS, so its latency is very low. Both priority level 1 and 2 reserve bandwidth.
Example:
Controller(config-pmap-c)# priority level 2
Step 25
police [target_bit_rate | cir | rate ]
(Optional) Configures the policer:
• target_bit_rate—Specifies the bit rate per second. Enter a value between 8000 and 10000000000.
• cir—Committed Information Rate.
• rate—Specifies the police rate, PCR for hierarchical policies, or SCR for single-level ATM 4.0 policer policies.
Example:
Controller(config-pmap-c)# police cir 20m
Step 26
admit cac wmm-tspec
Configures call admission control for the policy map.
Note
This command only configures CAC for wireless QoS.
Example:
Controller(config-pmap-c)# admit cac wmm-tspec
Controller(config-pmap-admit-cac-wmm)#
Step 27
rate value
Configures the target bit rate (kilobits per second). Enter a value from 8 to 10000000.
Example:
Controller(config-pmap-admit-cac-wmm)# rate 5000
Step 28
wlan-up value
Configures the WLAN UP value. Enter a value from 0 to 7.
Example:
Controller(config-pmap-admit-cac-wmm)# wlan-up 4 5
Step 29
exit
Returns to policy map configuration mode.
Example:
Controller(config-pmap-cac-wmm)# exit
Controller(config-pmap)#
Step 30
exit
Returns to global configuration mode.
Example:
Controller(config-pmap)# exit
Controller(config)#
Step 31
policy-map policy name
Enters policy map configuration mode.
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
Example:
Controller(config)# policy-map ssid_cac
Controller(config-pmap)#
Step 32
class class-map-name
Defines an interface-level traffic classification, and enters policy-map configuration mode.
In this example, the class map is set to default.
Example:
Controller(config-pmap)# class class-default
Step 33
set dscp dscp table table_map_name
(Optional) Sets the QoS values. In this example, the set dscp dscp table command creates a table map and sets its values.
Example:
Controller(config-pmap-c)# set dscp dscp table dscp2dscp
Step 34
set wlan user-priority dscp table table_map_name
(Optional) Sets the QoS values. In this example, the set wlan user-priority dscp table command sets the WLAN user priority.
Example:
Controller(config-pmap-c)# set wlan user-priority dscp table dscp2up
Step 35
shape average {target bit rate | percent percentage}
Configures the average shape rate. You can configure the average shape rate by target bit rates (bits per second) or by percentage of interface bandwidth for the Committed Information Rate (CIR).
Example:
Controller(config-pmap-c)# shape average 100000000
Step 36
queue-buffers {ratio ratio value}
Configures the relative buffer size for the queue.
Note
The sum of all configured buffers in a policy must be less than or equal to 100 percent. Unallocated buffers are evenly distributed to all the remaining queues. Ensure sufficient buffers are allocated to all queues including the priority queues.
Note
Protocol Data Units (PDUs) for network control protocols such as spanning-tree and LACP utilize the priority queue or queue 0 (when a priority queue is not configured). Ensure sufficient buffers are allocated to these queues for the protocols to function.
Example:
Controller(config-pmap-c)# queue-buffers ratio 0
Step 37
service-policy policy_map_name
Specifies the policy map for the service policy.
Example:
Controller(config-pmap-c)# service-policy ssid_child_cac
Step 38
end
Saves configuration changes.
Example:
Controller(config-pmap)# end
Controller#
Step 39
show policy-map
(Optional) Displays policy configuration information for all classes configured for all service policies.
Example:
Controller# show policy-map
What to do next
Configure any additional policy maps for QoS for your network. After creating your policy maps, attach the
traffic policy or policies to an interface using the service-policy command.
For additional information about CAC, refer to the System Management Configuration Guide, Cisco IOS XE
Release 3SE (Catalyst 3850 Switches).
For additional information about CAC, refer to the System Management Configuration Guide, Cisco IOS XE
Release 3SE (Catalyst 3650 Switches).
For additional information about CAC, refer to the System Management Configuration Guide, Cisco IOS XE
Release 3SE (Cisco WLC 5700 Series).
Configuring Bandwidth (CLI)
This procedure explains how to configure bandwidth on your controller.
Before you begin
You should have created a class map for bandwidth before beginning this procedure.
SUMMARY STEPS
1. configure terminal
2. policy-map policy name
3. class class name
4. bandwidth {Kb/s | percent percentage | remaining { ratio ratio }}
5. end
6. show policy-map
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
policy-map policy name
Enters policy map configuration mode.
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
Example:
Controller(config)# policy-map policy_bandwidth01
Controller(config-pmap)#
Step 3
class class name
Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:
• word—Class map name.
• class-default—System default class matching any otherwise unclassified packets.
Example:
Controller(config-pmap)# class class_bandwidth01
Controller(config-pmap-c)#
Step 4
bandwidth {Kb/s | percent percentage | remaining { ratio ratio }}
Configures the bandwidth for the policy map. The parameters include:
• Kb/s—Configures a specific value in kilobits per second (from 20000 to 10000000).
• percent—Allocates minimum bandwidth to a particular class based on a percentage. The queue can oversubscribe bandwidth in case other queues do not utilize the entire port bandwidth. The total sum cannot exceed 100 percent, and in case it is less than 100 percent, the rest of the bandwidth is equally divided along all bandwidth queues.
• remaining—Allocates minimum bandwidth to a particular class. The queue can oversubscribe bandwidth in case other queues do not utilize entire port bandwidth. The total sum cannot exceed 100 percent. It is preferred to use this command when the priority command is used for certain queues in the policy. You can also assign ratios rather than percentages to each queue; the queues will be assigned certain weights which are in line with these ratios. Ratios can range from 0 to 100. Total bandwidth ratio allocation for the policy in this case can exceed 100.
Note
You cannot mix bandwidth types on a policy map. For example, you cannot configure bandwidth in a single policy map using both a bandwidth percent and in kilobits per second.
Example:
Controller(config-pmap-c)# bandwidth 200000
Controller(config-pmap-c)#
Step 5
end
Saves configuration changes.
Example:
Controller(config-pmap-c)# end
Controller#
Step 6
show policy-map
(Optional) Displays policy configuration information for all classes configured for all service policies.
Example:
Controller# show policy-map
What to do next
Configure any additional policy maps for QoS for your network. After creating the policy maps, attach the
traffic policy or policies to an interface using the service-policy command.
Related Topics
Bandwidth, on page 310
Configuring Police (CLI)
This procedure explains how to configure policing on your controller.
Before you begin
You should have created a class map for policing before beginning this procedure.
SUMMARY STEPS
1. configure terminal
2. policy-map policy name
3. class class name
4. police {target_bit_rate [burst bytes | bc | conform-action | pir ] | cir {target_bit_rate | percent percentage}
| rate {target_bit_rate | percent percentage} conform-action transmit exceed-action {drop [violate
action] | set-cos-transmit | set-dscp-transmit | set-prec-transmit | transmit [violate action] }}
5. end
6. show policy-map
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
policy-map policy name
Enters policy map configuration mode.
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
Example:
Controller(config)# policy-map policy_police01
Controller(config-pmap)#
Step 3
class class name
Example:
Controller(config-pmap)# class class_police01
Controller(config-pmap-c)#
Enters policy class map configuration mode. Specifies the
name of the class whose policy you want to create or
change. Command options for policy class map
configuration mode include the following:
• word—Class map name.
• class-default—System default class matching any
otherwise unclassified packets.
Step 4
police {target_bit_rate [burst bytes | bc | conform-action | pir ] | cir {target_bit_rate | percent percentage} | rate {target_bit_rate | percent percentage} conform-action transmit exceed-action {drop [violate action] | set-cos-transmit | set-dscp-transmit | set-prec-transmit | transmit [violate action] }}
The following police subcommand options are available:
• target_bit_rate—Bits per second (from 8000 to 10000000000).
  • burst bytes—Enter a value from 1000 to 512000000.
  • bc—Conform burst.
  • conform-action—Action taken when rate is less than conform burst.
  • pir—Peak Information Rate.
• cir—Committed Information Rate.
  • target_bit_rate—Target bit rate (8000 to 10000000000).
  • percent—Percentage of interface bandwidth for CIR.
• rate—Specifies the police rate, PCR for hierarchical policies, or SCR for single-level ATM 4.0 policer policies.
  • target_bit_rate—Target bit rate (8000 to 10000000000).
  • percent—Percentage of interface bandwidth for rate.
The following police conform-action transmit exceed-action subcommand options are available:
• drop—Drops the packet.
• set-cos-transmit—Sets the CoS value and sends it.
• set-dscp-transmit—Sets the DSCP value and sends it.
• set-prec-transmit—Rewrites the packet precedence and sends it.
• transmit—Transmits the packet.
Note
Policer-based markdown actions are only supported using table maps. Only one markdown table map is allowed for each marking field in the controller.
Example:
Controller(config-pmap-c)# police 8000 conform-action transmit exceed-action drop
Controller(config-pmap-c)#
Step 5
end
Saves configuration changes.
Example:
Controller(config-pmap-c)# end
Controller#
Step 6
show policy-map
(Optional) Displays policy configuration information for all classes configured for all service policies.
Example:
Controller# show policy-map
What to do next
Configure any additional policy maps for QoS for your network. After creating your policy maps, attach the
traffic policy or policies to an interface using the service-policy command.
Related Topics
Single-Rate Two-Color Policing, on page 307
Examples: Single-Rate Two-Color Policing Configuration, on page 400
Dual-Rate Three-Color Policing, on page 308
Examples: Dual-Rate Three-Color Policing Configuration, on page 400
Policing, on page 303
Token-Bucket Algorithm, on page 304
Examples: Policing Action Configuration, on page 398
Examples: Policing Units, on page 399
Configuring Priority (CLI)
This procedure explains how to configure priority on your controller.
The controller supports giving priority to specified queues. There are two priority levels available (1 and 2).
Note
Queues supporting voice and video should be assigned a priority level of 1.
Before you begin
You should have created a class map for priority before beginning this procedure.
SUMMARY STEPS
1. configure terminal
2. policy-map policy name
3. class class name
4. priority [Kb/s [burst_in_bytes] | level level_value [Kb/s [burst_in_bytes] | percent percentage
[burst_in_bytes] ] | percent percentage [burst_in_bytes] ]
5. end
6. show policy-map
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
policy-map policy name
Enters policy map configuration mode.
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
Example:
Controller(config)# policy-map policy_priority01
Controller(config-pmap)#
Step 3
class class name
Example:
Controller(config-pmap)# class class_priority01
Controller(config-pmap-c)#
Enters policy class map configuration mode. Specifies the
name of the class whose policy you want to create or
change. Command options for policy class map
configuration mode include the following:
• word—Class map name.
• class-default—System default class matching any
otherwise unclassified packets.
Step 4
priority [Kb/s [burst_in_bytes] | level level_value [Kb/s [burst_in_bytes] | percent percentage [burst_in_bytes] ] | percent percentage [burst_in_bytes] ]
(Optional) The priority command assigns a strict scheduling priority for the class.
The command options include:
• Kb/s—Specifies the kilobits per second (from 1 to 2000000).
  • burst_in_bytes—Specifies the burst in bytes (from 32 to 2000000).
• level level_value—Specifies the multilevel (1-2) priority queue.
  • Kb/s—Specifies the kilobits per second (from 1 to 2000000).
    • burst_in_bytes—Specifies the burst in bytes (from 32 to 2000000).
  • percent—Percentage of the total bandwidth.
    • burst_in_bytes—Specifies the burst in bytes (from 32 to 2000000).
• percent—Percentage of the total bandwidth.
  • burst_in_bytes—Specifies the burst in bytes (32 to 2000000).
Note
Priority level 1 is more important than priority level 2. Priority level 1 reserves bandwidth that is processed first for QoS, so its latency is very low. Both priority level 1 and 2 reserve bandwidth.
Example:
Controller(config-pmap-c)# priority level 1
Controller(config-pmap-c)#
Step 5
end
Saves configuration changes.
Example:
Controller(config-pmap-c)# end
Controller#
Step 6
show policy-map
(Optional) Displays policy configuration information for all classes configured for all service policies.
Example:
Controller# show policy-map
What to do next
Configure any additional policy maps for QoS for your network. After creating your policy maps, attach the
traffic policy or policies to an interface using the service-policy command.
Related Topics
Priority Queues, on page 312
Configuring Queues and Shaping
Configuring Egress Queue Characteristics
Depending on the complexity of your network and your QoS solution, you may need to perform all of the
procedures in this section. You need to make decisions about these characteristics:
• Which packets are mapped by DSCP, CoS, or QoS group value to each queue and threshold ID?
• What drop percentage thresholds apply to the queues, and how much reserved and maximum memory
is needed for the traffic type?
• How much of the fixed buffer space is allocated to the queues?
• Does the bandwidth of the port need to be rate limited?
• How often should the egress queues be serviced and which technique (shaped, shared, or both) should
be used?
Note
You can only configure the egress queues on the controller.
Configuring Queue Buffers (CLI)
The controller allows you to allocate buffers to queues. If there is no allocation made to buffers, then they are
divided equally for all queues. You can use the queue-buffer ratio to divide it in a particular ratio. Since by
default DTS (Dynamic Threshold and Scaling) is active on all queues, these are soft buffers.
Note
The queue-buffer ratio is supported on both wired and wireless ports, but the queue-buffer ratio cannot be
configured with a queue-limit.
Before you begin
The following are prerequisites for this procedure:
• You should have created a class map for the queue buffer before beginning this procedure.
• You must have configured either bandwidth, shape, or priority on the policy map prior to configuring
the queue buffers.
SUMMARY STEPS
1. configure terminal
2. policy-map policy name
3. class class name
4. bandwidth {Kb/s | percent percentage | remaining { ratio ratio value }}
5. queue-buffers {ratio ratio value}
6. end
7. show policy-map
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
policy-map policy name
Enters policy map configuration mode.
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
Example:
Controller(config)# policy-map policy_queuebuffer01
Controller(config-pmap)#
Step 3
class class name
Example:
Controller(config-pmap)# class class_queuebuffer01
Controller(config-pmap-c)#
Enters policy class map configuration mode. Specifies the
name of the class whose policy you want to create or
change. Command options for policy class map
configuration mode include the following:
• word—Class map name.
• class-default—System default class matching any
otherwise unclassified packets.
Step 4
bandwidth {Kb/s | percent percentage | remaining { ratio ratio value }}
Configures the bandwidth for the policy map. The command parameters include:
• Kb/s—Use this command to configure a specific value. The range is 20000 to 10000000.
• percent—Allocates a minimum bandwidth to a particular class using a percentage. The queue can oversubscribe bandwidth in case other queues do not utilize the entire port bandwidth. The total sum cannot exceed 100 percent, and in case it is less than 100 percent, the rest of the bandwidth is equally divided among all bandwidth queues.
• remaining—Allocates a minimum bandwidth to a particular class. The queue can oversubscribe bandwidth in case other queues do not utilize the entire port bandwidth. The total sum cannot exceed 100 percent. It is preferred to use this command when the priority command is used for certain queues in the policy. You can also assign ratios rather than a percentage to each queue; the queues will be assigned certain weights that are in line with these ratios. Ratios can range from 0 to 100. Total bandwidth ratio allocation for the policy in this case can exceed 100.
Note
You cannot mix bandwidth types on a policy map.
Example:
Controller(config-pmap-c)# bandwidth percent 80
Controller(config-pmap-c)#
Step 5
queue-buffers {ratio ratio value}
Configures the relative buffer size for the queue.
Note
The sum of all configured buffers in a policy must be less than or equal to 100 percent. Unallocated buffers are evenly distributed to all the remaining queues. Ensure sufficient buffers are allocated to all queues including the priority queues.
Note
Protocol Data Units (PDUs) for network control protocols such as spanning-tree and LACP utilize the priority queue or queue 0 (when a priority queue is not configured). Ensure sufficient buffers are allocated to these queues for the protocols to function.
Example:
Controller(config-pmap-c)# queue-buffers ratio 10
Controller(config-pmap-c)#
Step 6
end
Saves configuration changes.
Example:
Controller(config-pmap-c)# end
Controller#
Step 7
show policy-map
(Optional) Displays policy configuration information for all classes configured for all service policies.
Example:
Controller# show policy-map
What to do next
Configure any additional policy maps for QoS for your network. After creating your policy maps, attach the
traffic policy or policies to an interface using the service-policy command.
Related Topics
Queue Buffer Allocation, on page 313
Examples: Queue Buffers Configuration, on page 398
Configuring Queue Limits (CLI)
You use queue limits to configure Weighted Tail Drop (WTD). WTD ensures the configuration of more than
one threshold per queue. Each class of service is dropped at a different threshold value to provide for QoS
differentiation. With the controller, each queue has 3 explicit programmable threshold classes—0, 1, 2.
Therefore, the enqueue/drop decision of each packet per queue is determined by the packet’s threshold class
assignment, which is determined by the DSCP, CoS, or QoS group field of the frame header.
WTD also uses a soft limit, and therefore you are allowed to configure the queue limit to up to 400 percent
(maximum four times the reserved buffer from common pool). This soft limit prevents overrunning the
common pool without impacting other features.
Note
You can only configure queue limits on the controller egress queues on wired ports.
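The per-threshold enqueue/drop decision described above, as an added illustration that is not part of the Cisco guide; it uses the DSCP 3, 4, and 5 percentages from the queue-limit example in Step 5 of this procedure. Counting the reserved buffer in packets, the function name, and the constructed burst are assumptions of the example.

```python
from collections import Counter

# DSCP-to-threshold percentages from the queue-limit example in Step 5.
THRESHOLDS = {3: 20, 4: 30, 5: 40}

# Constructed burst: 30 rounds of one packet each for DSCP 3, 4 and 5.
BURST = [3, 4, 5] * 30


def simulate_wtd(arrivals, reserved=100, thresholds=THRESHOLDS, drain_every=0):
    """Run DSCP-marked arrivals through one egress queue using weighted tail drop.

    reserved is the queue's reserved buffer in packets (an assumed unit); each
    threshold is a percentage of it. A packet is enqueued only while the queue
    depth is below the limit for its DSCP; otherwise it is tail-dropped.
    drain_every=N transmits one queued packet after every N arrivals (0 = never).
    Returns (enqueued, dropped, final_depth); the first two are per-DSCP dicts.
    """
    enqueued, dropped, depth = Counter(), Counter(), 0
    for i, dscp in enumerate(arrivals, start=1):
        limit = reserved * thresholds[dscp] // 100
        if depth < limit:
            depth += 1
            enqueued[dscp] += 1
        else:
            dropped[dscp] += 1
        if drain_every and i % drain_every == 0 and depth:
            depth -= 1  # the scheduler services the queue
    return dict(enqueued), dict(dropped), depth


if __name__ == "__main__":
    enq, drop, depth = simulate_wtd(BURST)
    for dscp in sorted(THRESHOLDS):
        print(f"DSCP {dscp}: enqueued {enq.get(dscp, 0)}, dropped {drop.get(dscp, 0)}")
    print(f"final queue depth: {depth}")
```

With no draining, the DSCP mapped to the lowest threshold stops being admitted first, so congestion loss falls on that class before the others.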
Before you begin
The following are prerequisites for this procedure:
• You should have created a class map for the queue limits before beginning this procedure.
• You must have configured either bandwidth, shape, or priority on the policy map prior to configuring
the queue limits.
SUMMARY STEPS
1. configure terminal
2. policy-map policy name
3. class class name
4. bandwidth {Kb/s | percent percentage | remaining { ratio ratio value }}
5. queue-limit {packets packets | cos {cos value { maximum threshold value | percent percentage } | values
{cos value | percent percentage } } | dscp {dscp value {maximum threshold value | percent percentage}
| match packet {maximum threshold value | percent percentage} | default {maximum threshold value |
percent percentage} | ef {maximum threshold value | percent percentage} | dscp values dscp value} |
percent percentage }}
6. end
7. show policy-map
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
policy-map policy name
Enters policy map configuration mode.
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
Example:
Controller(config)# policy-map policy_queuelimit01
Controller(config-pmap)#
Step 3
class class name
Enters policy class map configuration mode. Specifies the name of the class whose policy you want to create or change. Command options for policy class map configuration mode include the following:
• word—Class map name.
• class-default—System default class matching any otherwise unclassified packets.
Example:
Controller(config-pmap)# class class_queuelimit01
Controller(config-pmap-c)#
Step 4
bandwidth {Kb/s | percent percentage | remaining { ratio ratio value }}
Configures the bandwidth for the policy map. The parameters include:
• Kb/s—Use this command to configure a specific value. The range is 20000 to 10000000.
• percent—Allocates a minimum bandwidth to a particular class. The queue can oversubscribe bandwidth in case other queues do not utilize the entire port bandwidth. The total sum cannot exceed 100 percent, and in case it is less than 100 percent, the rest of the bandwidth is equally divided among all bandwidth queues.
• remaining—Allocates a minimum bandwidth to a particular class. The queue can oversubscribe bandwidth in case other queues do not utilize the entire port bandwidth. The total sum cannot exceed 100 percent. It is preferred to use this command when the priority command is used for certain queues in the policy. You can also assign ratios rather than a percentage to each queue; the queues will be assigned certain weights that are in line with these ratios. Ratios can range from 0 to 100. Total bandwidth ratio allocation for the policy in this case can exceed 100.
Note
You cannot mix bandwidth types on a policy map.
Example:
Controller(config-pmap-c)# bandwidth 500000
Controller(config-pmap-c)#
Step 5
queue-limit {packets packets | cos {cos value { maximum threshold value | percent percentage } | values {cos value | percent percentage } } | dscp {dscp value {maximum threshold value | percent percentage} | match packet {maximum threshold value | percent percentage} | default {maximum threshold value | percent percentage} | ef {maximum threshold value | percent percentage} | dscp values dscp value} | percent percentage }}
Sets the queue limit threshold percentage values.
With every queue, there are three thresholds (0, 1, 2), and there are default values for each of these thresholds. Use this command to change the default or any other queue limit threshold setting. For example, if DSCP 3, 4, and 5 packets are being sent into a specific queue in a configuration, then you can use this command to set the threshold percentages for these three DSCP values. For additional information about queue limit threshold values, see Weighted Tail Drop, on page 311.
Note
The controller does not support absolute queue-limit percentages. The controller only supports DSCP or CoS queue-limit percentages.
Example:
Controller(config-pmap-c)# queue-limit dscp 3 percent 20
Controller(config-pmap-c)# queue-limit dscp 4 percent 30
Controller(config-pmap-c)# queue-limit dscp 5 percent 40
Step 6
end
Saves configuration changes.
Example:
Controller(config-pmap-c)# end
Controller#
Step 7
show policy-map
(Optional) Displays policy configuration information for all classes configured for all service policies.
Example:
Controller# show policy-map
What to do next
Proceed to configure any additional policy maps for QoS for your network. After creating your policy maps,
proceed to attach the traffic policy or policies to an interface using the service-policy command.
Related Topics
Weighted Tail Drop, on page 311
Examples: Queue-limit Configuration, on page 397
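The value ranges and restrictions stated in the bandwidth, police, priority, queue-buffers, and queue-limit procedures above, collected into an offline check of policy-map text before it is applied. This is an added example, not Cisco code. The rule identifiers, the sample configuration, and the per-class reading of the queue-buffers and queue-limit restrictions are assumptions of the example.

```python
import re

# Constructed sample (not from a real device): policy_ok reuses commands from the
# examples above; policy_bad breaks several of the restrictions the guide states.
SAMPLE_CONFIG = """\
policy-map policy_ok
 class class_queuelimit01
  bandwidth 500000
  queue-limit dscp 3 percent 20
  queue-limit dscp 4 percent 30
 class class_police01
  police 8000 conform-action transmit exceed-action drop
policy-map policy_bad
 class voice
  priority level 3
 class video
  bandwidth percent 80
  queue-buffers ratio 70
  queue-limit dscp 34 percent 450
 class data
  bandwidth 10000
  queue-buffers ratio 40
 class class-default
  queue-buffers ratio 10
"""

def parse_policy_maps(text):
    """Return {policy: {class: [commands]}} from running-config style text."""
    policies, policy, cls = {}, None, None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # drop indentation, collapse spaces
        if not line or line.startswith("!"):
            continue
        if line.startswith("policy-map "):
            policy, cls = line.split(" ", 1)[1], None
            policies.setdefault(policy, {})
        elif not raw[0].isspace():
            policy = cls = None  # any other top-level line ends the policy map
        elif policy and line.startswith("class "):
            cls = line.split(" ", 1)[1]
            policies[policy].setdefault(cls, [])
        elif policy and cls:
            policies[policy][cls].append(line)
    return policies

def lint_policy(name, classes):
    """Return [(location, rule_id)] findings for one parsed policy map."""
    found, bw_types, bw_percent, buffers = [], set(), 0, 0
    for cls, cmds in classes.items():
        loc = f"{name}/{cls}"
        queuing = any(c.split()[0] in ("bandwidth", "shape", "priority") for c in cmds)
        has_qb = has_ql = False
        for cmd in cmds:
            if m := re.fullmatch(r"bandwidth (\d+)", cmd):
                bw_types.add("Kb/s")
                if not 20000 <= int(m[1]) <= 10000000:  # stated Kb/s range
                    found.append((loc, "BW-RANGE"))
            elif m := re.fullmatch(r"bandwidth percent (\d+)", cmd):
                bw_types.add("percent")
                bw_percent += int(m[1])
            elif m := re.fullmatch(r"bandwidth remaining ratio (\d+)", cmd):
                bw_types.add("remaining ratio")
                if int(m[1]) > 100:  # ratios range from 0 to 100
                    found.append((loc, "BW-RATIO"))
            elif m := re.match(r"priority level (\d+)", cmd):
                if int(m[1]) not in (1, 2):  # only levels 1 and 2 exist
                    found.append((loc, "PRI-LEVEL"))
            elif m := re.match(r"police (?:cir |rate )?(\d+)\b", cmd):
                if not 8000 <= int(m[1]) <= 10000000000:  # stated bit-rate range
                    found.append((loc, "POLICE-RATE"))
            elif m := re.fullmatch(r"queue-buffers ratio (\d+)", cmd):
                has_qb = True
                buffers += int(m[1])
            elif cmd.startswith("queue-limit "):
                has_ql = True
                if cmd.startswith("queue-limit percent "):  # only DSCP/CoS percentages
                    found.append((loc, "QL-ABS"))
                m = re.search(r"percent (\d+)", cmd)
                if m and int(m[1]) > 400:  # soft limit: at most 400 percent
                    found.append((loc, "QL-MAX"))
        if has_qb and has_ql:  # the two cannot be configured together
            found.append((loc, "QB-WITH-QL"))
        if (has_qb or has_ql) and not queuing:  # bandwidth, shape, or priority first
            found.append((loc, "Q-PREREQ"))
    if len(bw_types) > 1:  # bandwidth types cannot be mixed on a policy map
        found.append((name, "BW-MIX"))
    if bw_percent > 100:  # percent total cannot exceed 100
        found.append((name, "BW-SUM"))
    if buffers > 100:  # configured buffers must total 100 percent or less
        found.append((name, "QB-SUM"))
    return found

def lint_config(text):
    return [f for name, classes in parse_policy_maps(text).items()
            for f in lint_policy(name, classes)]

if __name__ == "__main__":
    for location, rule in lint_config(SAMPLE_CONFIG):
        print(f"{location}: {rule}")
```

A policy that passes these checks still needs enough buffers on the priority queue or queue 0 for spanning-tree and LACP PDUs, which the check cannot judge from the text alone.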
Configuring Shaping (CLI)
You use the shape command to configure shaping (maximum bandwidth) for a particular class. The queue's
bandwidth is restricted to this value even though the port has additional bandwidth left. You can configure
shaping as an average percent, as well as a shape average value in bits per second.
Before you begin
You should have created a class map for shaping before beginning this procedure.
SUMMARY STEPS
1. configure terminal
2. policy-map policy name
3. class class name
4. shape average {target bit rate | percent percentage}
5. end
6. show policy-map
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
policy-map policy name
Enters policy map configuration mode.
Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy.
Example:
Controller(config)# policy-map policy_shaping01
Controller(config-pmap)#
Step 3
class class name
Example:
Controller(config-pmap)# class class_shaping01
Controller(config-pmap-c)#
Enters policy class map configuration mode. Specifies the
name of the class whose policy you want to create or
change. Command options for policy class map
configuration mode include the following:
• word—Class map name.
• class-default—System default class matching any
otherwise unclassified packets.
Step 4
shape average {target bit rate | percent percentage}
Configures the average shape rate. You can configure the average shape rate by target bit rates (bits per second) or by percentage of interface bandwidth for the Committed Information Rate (CIR).
Note
For the egress class-default SSID policy, you must configure the queue buffer ratio as 0 after you configure the average shape rate.
Example:
Controller(config-pmap-c)# shape average percent 50
Controller(config-pmap-c)#
Step 5
end
Saves configuration changes.
Example:
Controller(config-pmap-c)# end
Controller#
Step 6
show policy-map
(Optional) Displays policy configuration information for all classes configured for all service policies.
Example:
Controller# show policy-map
What to do next
Configure any additional policy maps for QoS for your network. After creating your policy maps, attach the
traffic policy or policies to an interface using the service-policy command.
Related Topics
Average Rate Shaping, on page 309
Examples: Average Rate Shaping Configuration, on page 396
Hierarchical Shaping, on page 309
Configuring Precious Metal Policies (CLI)
You can configure precious metal QoS policies on a per-WLAN basis.
SUMMARY STEPS
1. configure terminal
2. wlan wlan-name
3. service-policy {input | output} policy-name
4. end
5. show wlan {wlan-id | wlan-name}
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global command mode.
Example:
Controller# configure terminal
Step 2
wlan wlan-name
Enters the WLAN configuration submode.
Example:
Controller(config)# wlan test4
Step 3
service-policy {input | output} policy-name
Configures the WLAN with the QoS policy. To configure the WLAN with precious metal policies, you must enter one of the following keywords: platinum, gold, silver, or bronze. The upstream policy is specified with the keyword platinum-up as shown in the example.
Note
Upstream policies differ from downstream policies. The upstream policies have a suffix of -up.
Example:
Controller(config-wlan)# service-policy output platinum
Example:
Controller(config-wlan)# service-policy input platinum-up
Step 4
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit the global configuration mode.
Example:
Controller(config)# end
Step 5
show wlan {wlan-id | wlan-name}
Verifies the configured QoS policy on the WLAN.
Example:
Controller# show wlan name qos-wlan
. . .
. . .
. . .
QoS Service Policy - Input
Policy Name : platinum-up
Policy State : Validated
QoS Service Policy - Output
Policy Name : platinum
Policy State : Validated
. . .
. . .
Related Topics
Precious Metal Policies for Wireless QoS, on page 317
Configuring QoS Policies for Multicast Traffic (CLI)
Before you begin
The following are the prerequisites for configuring a QoS policy for multicast traffic:
• You must have a multicast service policy configured.
• You must enable multicast-multicast mode before applying the policy.
SUMMARY STEPS
1. configure terminal
2. ap capwap multicast service-policy output service-policy-name
3. end
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
ap capwap multicast service-policy output service-policy-name
Applies the configured multicast policy.
Example:
Controller(config)# ap capwap multicast service-policy output service-policy-mcast
Step 3
end
Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Controller(config)# end
Related Topics
Wireless QoS Multicast, on page 303
Examples: Wireless QoS Policy Classified by Voice, Video, and Multicast Traffic, on page 391
Configuring Port Policies (GUI)
Step 1
Choose Configuration > Wireless.
Step 2
Expand the QoS node by clicking on the left pane and choose QOS-Policy.
The QOS-Policy page is displayed.
Step 3
Click Add New to create a new QoS policy.
The Create QoS Policy page is displayed.
Step 4
Select Port from the Policy Type drop-down menu.
Step 5
Enter the policy name in the Policy Name text field.
Step 6
Specify a description for the policy you want to create in the Description field.
Step 7
Configure the voice or video priorities for the port policies by enabling the Enable Voice and Enable Video parameters.
Note
You must attach the port policy to an interface. Default values are recommended.
Step 8
Click Add to add the policy.
What to do next
Proceed to assign the port policy on an interface.
Related Topics
Port Policies, on page 289
Port Policy Format, on page 289
Restrictions for QoS on Wireless Targets, on page 325
Supported QoS Features on Wireless Targets, on page 287
Examples: Wireless QoS Policy Classified by Voice, Video, and Multicast Traffic, on page 391
Applying or Changing Port Policies (GUI)
Step 1
Choose Configuration > Controller > System > Interfaces > Port Summary.
The Port Configuration page is displayed.
Step 2
Select the interface on which you want to configure the port policy from the Interface Name column.
Step 3
Apply or change the QoS Port Policy by selecting the policy from the Assign Policy drop-down list.
The Existing Policy field displays the current policy assigned.
Note
All interfaces in a channel group must be assigned to the same port policy.
Step 4
Click Apply.
Related Topics
Port Policies, on page 289
Port Policy Format, on page 289
Restrictions for QoS on Wireless Targets, on page 325
Supported QoS Features on Wireless Targets, on page 287
Examples: Wireless QoS Policy Classified by Voice, Video, and Multicast Traffic, on page 391
Applying a QoS Policy on a WLAN (GUI)
Step 1
Choose Configuration > Wireless.
Step 2
Expand the WLAN node by clicking on the left pane and choose WLANs.
The WLANs page is displayed.
Step 3
Select the WLAN for which you want to configure the QoS policies by clicking on the WLAN Profile.
Step 4
Click the QoS tab to configure the QoS policies on the WLAN.
You can also configure precious metal policies for the WLAN.
The following options are available:
Parameter
Description
QoS SSID Policy
Egress Policy
QoS downstream policy configuration.
The Existing Policy column displays the current applied policy. To change the existing policy,
select the policy from the drop-down list in the Assign Policy column.
If a policy is not selected, NONE is displayed.
Ingress Policy
QoS upstream policy configuration.
The Existing Policy column displays the current applied policy. To change the existing policy,
select the policy from the drop-down list in the Assign Policy column.
If a policy is not selected, NONE is displayed.
QoS Client Policy
Egress Policy
QoS downstream policy configuration.
The Existing Policy column displays the current applied policy. To change the existing policy,
select the policy from the drop-down list in the Assign Policy column.
If a policy is not selected, NONE is displayed.
Ingress Policy
QoS upstream policy configuration.
The Existing Policy column displays the current applied policy. To change the existing policy,
select the policy from the drop-down list in the Assign Policy column.
If a policy is not selected, NONE is displayed.
WMM
WMM Policy
WMM Policy. This parameter has the following values:
• Disabled—Disables this WMM policy.
• Allowed—Allows the clients to communicate with the WLAN.
• Require—Ensures that it is mandatory for the clients to have WMM features enabled on
them to communicate with the WLAN.
Step 5
Click Apply.
Related Topics
Port Policies, on page 289
Port Policy Format, on page 289
Restrictions for QoS on Wireless Targets, on page 325
Supported QoS Features on Wireless Targets, on page 287
Examples: Wireless QoS Policy Classified by Voice, Video, and Multicast Traffic, on page 391
SSID Policies, on page 291
Examples: SSID Policy
Examples: Configuring Downstream SSID Policy, on page 392
Client Policies, on page 292
Examples: Client Policies, on page 394
Monitoring QoS
The following commands can be used to monitor QoS on the controller.
Table 44: Monitoring QoS
Command
Description
show class-map [class_map_name]
Displays a list of all class maps
configured.
show class-map type control subscriber {all | name }
Displays control class map and
statistics.
show class-map type control subscriber detail
• all—Displays information for
all class maps.
• name—Displays configured
class maps.
show policy-map [policy_map_name]
Displays a list of all policy maps
configured. Command parameters
include:
• policy map name
• interface
• session
show policy-map interface { Auto-template | Capwap |
GigabitEthernet | GroupVI | InternalInterface | Lspvif | Loopback
| Null | Port-channel | TenGigabitEthernet | Tunnel | Vlan | brief |
class | input | output | wireless }
Displays the runtime representation
and statistics of all the policies
configured on the controller.
Command parameters include:
• Auto-template—Auto-Template
interface
• Capwap—CAPWAP tunnel
interface
• GigabitEthernet—Gigabit
Ethernet IEEE.802.3z
• GroupVI—Group virtual
interface
• InternalInterface—Internal
interface
• Loopback—Loopback
interface
• Null—Null interface
• Lspvif—LSP virtual interface
• Port-channel—Ethernet
channel of interfaces
• TenGigabitEthernet—10-Gigabit
Ethernet
• Tunnel—Tunnel interface
• Vlan—Catalyst VLANs
• brief—Brief description of
policy maps
• class—Statistics for individual
class
• input—Input policy
• output—Output policy
• wireless—wireless
show policy-map interface wireless ap [access point]
Displays the runtime representation
and statistics for all the wireless APs
on the controller.
show policy-map interface wireless ssid [ssid]
Displays the runtime representation
and statistics for all the SSID targets
on the controller.
show policy-map interface wireless client mac [mac_address]
Displays the runtime representation
and statistics for all the client targets
on the controller.
show policy-map session [ input | output | uid UUID ]
Displays the session QoS policy.
Command parameters include:
• input—Input policy
• output—Output policy
• uid—Policy based on SSS
unique identification.
show policy-map type control subscriber { all | name }
Displays the type QoS policy-map.
show table-map
Displays all the table maps and their
configurations.
show platform qos wireless {afd { client | ssid } | stats { bssid bssid-value | client name | ssid {ssid-value | all} client all}}
Displays wireless targets. The following command parameters are
supported:
• afd—AFD information
• stats—Statistics information
show policy-map interface wireless ssid name ssid-name [radio
type {24ghz | 5ghz} ap name ap-name | ap name ap-name]
Displays SSID policy configuration
on an access point.
show wireless client mac-address mac_address service-policy {input | output}
Displays details of the client policy.
show wlan qos service-policies
Displays the SSID policies
configured on all WLANs.
show ap name ap_name service-policy
Displays all the policies configured
on the AP.
Monitoring SSID and Client Policies Statistics (GUI)
Statistics are supported only for ingress policies with a maximum of five classes on wireless targets. For very
large policies, statistics for ingress policies are not visible at the controller. The frequency of the statistics
depends on the number of clients associated with the access point.
Type of Statistics
Method
Details
SSID Policies
Choose Monitor > Controller >
Statistics > QoS.
The QoS page is displayed with a
list of SSID policies, Radio Type,
and AP.
Choose an SSID policy, radio, and
access point from the drop-down
lists and click Apply to view the
statistics of the chosen SSID policy.
You can view details such as match
criteria, confirmed bytes,
conformed rate, and exceeded rate.
Client Policies
Choose Monitor > Clients >
Client Details.
The Clients page is displayed with
a list of client MAC addresses, AP,
and other details.
Click the MAC address of a client
and click the QoS Statistics tab.
You can view details such as match
criteria, confirmed bytes,
conformed rate, and exceeded rate.
Configuration Examples for QoS
Examples: Classification by Access Control Lists
This example shows how to classify packets for QoS by using access control lists (ACLs):
Controller# configure terminal
Controller(config)# access-list 101 permit ip host 12.4.1.1 host 15.2.1.1
Controller(config)# class-map acl-101
Controller(config-cmap)# description match on access-list 101
Controller(config-cmap)# match access-group 101
Controller(config-cmap)#
After creating a class map by using an ACL, you then create a policy map for the class, and apply the policy
map to an interface for QoS.
Related Topics
Creating a Traffic Class (CLI), on page 328
Class Maps, on page 301
Examples: Class of Service Layer 2 Classification
This example shows how to classify packets for QoS using a class of service Layer 2 classification:
Controller# configure terminal
Controller(config)# class-map cos
Controller(config-cmap)# match cos ?
<0-7> Enter up to 4 class-of-service values separated by white-spaces
Controller(config-cmap)# match cos 3 4 5
Controller(config-cmap)#
After creating a class map by using a CoS Layer 2 classification, you then create a policy map for the class,
and apply the policy map to an interface for QoS.
Examples: Class of Service DSCP Classification
This example shows how to classify packets for QoS using a class of service DSCP classification:
Controller# configure terminal
Controller(config)# class-map dscp
Controller(config-cmap)# match dscp af21 af22 af23
Controller(config-cmap)#
After creating a class map by using a DSCP classification, you then create a policy map for the class, and
apply the policy map to an interface for QoS.
Examples: VLAN ID Layer 2 Classification
This example shows how to classify for QoS using a VLAN ID Layer 2 classification:
Controller# configure terminal
Controller(config)# class-map vlan-120
Controller(config-cmap)# match vlan ?
<1-4095> VLAN id
Controller(config-cmap)# match vlan 120
Controller(config-cmap)#
After creating a class map by using a VLAN Layer 2 classification, you then create a policy map for the class,
and apply the policy map to an interface for QoS.
Examples: Classification by DSCP or Precedence Values
This example shows how to classify packets by using DSCP or precedence values:
Controller# configure terminal
Controller(config)# class-map prec2
Controller(config-cmap)# description matching precedence 2 packets
Controller(config-cmap)# match ip precedence 2
Controller(config-cmap)# exit
Controller(config)# class-map ef
Controller(config-cmap)# description EF traffic
Controller(config-cmap)# match ip dscp ef
Controller(config-cmap)#
After creating a class map by using DSCP or precedence values, you then create a policy map for the class,
and apply the policy map to an interface for QoS.
Examples: Hierarchical Classification
The following is an example of a hierarchical classification, where a class named parent is created, which
matches another class named child. The class named child matches based on the IP precedence being set to
2.
Controller# configure terminal
Controller(config)# class-map child
Controller(config-cmap)# match ip precedence 2
Controller(config-cmap)# exit
Controller(config)# class-map parent
Controller(config-cmap)# match class child
Controller(config-cmap)#
After creating the parent class map, you then create a policy map for the class, and apply the policy map to
an interface for QoS.
Related Topics
Hierarchical QoS, on page 293
Examples: Hierarchical Policy Configuration
The following is an example of a configuration using hierarchical policies:
Controller# configure terminal
Controller(config)# class-map c1
Controller(config-cmap)# match dscp 30
Controller(config-cmap)# exit
Controller(config)# class-map c2
Controller(config-cmap)# match precedence 4
Controller(config-cmap)# exit
Controller(config)# class-map c3
Controller(config-cmap)# exit
Controller(config)# policy-map child
Controller(config-pmap)# class c1
Controller(config-pmap-c)# priority level 1
Controller(config-pmap-c)# police rate percent 20 conform-action transmit exceed-action drop
Controller(config-pmap-c-police)# exit
Controller(config-pmap-c)# exit
Controller(config-pmap)# class c2
Controller(config-pmap-c)# bandwidth 20000
Controller(config-pmap-c)# exit
Controller(config-pmap)# class class-default
Controller(config-pmap-c)# bandwidth 20000
Controller(config-pmap-c)# exit
Controller(config-pmap)# exit
Controller(config)# policy-map parent
Controller(config-pmap)# class class-default
Controller(config-pmap-c)# shape average 1000000
Controller(config-pmap-c)# service-policy child
Controller(config-pmap-c)# end
The following example shows a hierarchical policy using table maps:
Controller(config)# table-map dscp2dscp
Controller(config-tablemap)# default copy
Controller(config)# table-map dscp2up
Controller(config-tablemap)# map from 46 to 6
Controller(config-tablemap)# map from 34 to 5
Controller(config-tablemap)# default copy
Controller(config)# policy-map ssid_child_policy
Controller(config-pmap)# class voice
Controller(config-pmap-c)# priority level 1
Controller(config-pmap-c)# police 15000000
Controller(config-pmap)# class video
Controller(config-pmap-c)# priority level 2
Controller(config-pmap-c)# police 10000000
Controller(config)# policy-map ssid_policy
Controller(config-pmap)# class class-default
Controller(config-pmap-c)# shape average 30000000
Controller(config-pmap-c)# queue-buffer ratio 0
Controller(config-pmap-c)# set dscp dscp table dscp2dscp
Controller(config-pmap-c)# service-policy ssid_child_policy
Related Topics
Hierarchical QoS, on page 293
Examples: Classification for Voice and Video
This example describes how to classify packet streams for voice and video using controller specific information.
In this example, voice and video are coming in from end-point A into GigabitEthernet1/0/1 on the controller
and have precedence values of 5 and 6, respectively. Additionally, voice and video are also coming from
end-point B into GigabitEthernet1/0/2 on the controller with DSCP values of EF and AF11, respectively.
Assume that all the packets from both interfaces are sent on the uplink interface, and there is a
requirement to police voice to 100 Mbps and video to 150 Mbps.
To classify per the above requirements, a class to match voice packets coming in on GigabitEthernet1/0/1 is
created, named voice-interface-1, which matches precedence 5. Similarly another class for voice is created,
named voice-interface-2, which will match voice packets in GigabitEthernet1/0/2. These classes are associated
to two separate policies named input-interface-1, which is attached to GigabitEthernet1/0/1, and
input-interface-2, which is attached to GigabitEthernet1/0/2. The action for this class is to mark the qos-group
to 10. To match packets with QoS-group 10 on the output interface, a class named voice is created which
matches on QoS-group 10. This is then associated to another policy named output-interface, which is associated
to the uplink interface. Video is handled in the same way, but matches on QoS-group 20.
The following example shows how to classify using the above controller-specific information:
Controller(config)#
Controller(config)# class-map voice-interface-1
Controller(config-cmap)# match ip precedence 5
Controller(config-cmap)# exit
Controller(config)# class-map video-interface-1
Controller(config-cmap)# match ip precedence 6
Controller(config-cmap)# exit
Controller(config)# class-map voice-interface-2
Controller(config-cmap)# match ip dscp ef
Controller(config-cmap)# exit
Controller(config)# class-map video-interface-2
Controller(config-cmap)# match ip dscp af11
Controller(config-cmap)# exit
Controller(config)# policy-map input-interface-1
Controller(config-pmap)# class voice-interface-1
Controller(config-pmap-c)# set qos-group 10
Controller(config-pmap-c)# exit
Controller(config-pmap)# class video-interface-1
Controller(config-pmap-c)# set qos-group 20
Controller(config-pmap-c)# policy-map input-interface-2
Controller(config-pmap)# class voice-interface-2
Controller(config-pmap-c)# set qos-group 10
Controller(config-pmap-c)# class video-interface-2
Controller(config-pmap-c)# set qos-group 20
Controller(config-pmap-c)# exit
Controller(config-pmap)# exit
Controller(config)# class-map voice
Controller(config-cmap)# match qos-group 10
Controller(config-cmap)# exit
Controller(config)# class-map video
Controller(config-cmap)# match qos-group 20
Controller(config)# policy-map output-interface
Controller(config-pmap)# class voice
Controller(config-pmap-c)# police 256000 conform-action transmit exceed-action drop
Controller(config-pmap-c-police)# exit
Controller(config-pmap-c)# exit
Controller(config-pmap)# class video
Controller(config-pmap-c)# police 1024000 conform-action transmit exceed-action drop
Controller(config-pmap-c-police)# exit
Controller(config-pmap-c)# exit
Examples: Wireless QoS Policy Classified by Voice, Video, and Multicast Traffic
The following example provides a template for creating a port child policy for managing quality of service
for voice and video traffic.
Policy-map port_child_policy
Class voice (match dscp ef)
Priority level 1
Police Multicast Policer
Class video (match dscp af41)
Priority level 2
Police Multicast Policer
Class mcast-data (match non-client-nrt)
Bandwidth remaining ratio <>
Class class-default (NRT Data)
Bandwidth remaining ratio <>
Note
Multicast Policer in the example above is not a keyword. It refers to the policing policy configured.
Two class maps named voice and video are configured with DSCP assignments of 46 and 34. The voice
traffic is assigned priority level 1 and the video traffic is assigned priority level 2, and they are processed using
Q0 and Q1. If your network receives multicast voice and video traffic, you can configure multicast policers.
The non-client NRT data and NRT data are processed using the Q2 and Q3 queues.
Related Topics
Configuring Port Policies (GUI), on page 381
Applying or Changing Port Policies (GUI), on page 381
Applying a QoS Policy on a WLAN (GUI), on page 382
Port Policies, on page 289
Port Policy Format, on page 289
Configuring QoS Policies for Multicast Traffic (CLI), on page 380
Wireless QoS Multicast, on page 303
Examples: Configuring Downstream SSID Policy
To configure a downstream BSSID policy, you must first configure a port child policy with priority
level queuing.
Type of Policy
Example
User-defined port child policy
policy-map port_child_policy
class voice
priority level 1 20000
class video
priority level 2 10000
class non-client-nrt-class
bandwidth remaining ratio 10
class class-default
bandwidth remaining ratio 15
Egress BSSID policy
policy-map bssid-policer
queue-buffer ratio 0
class class-default
shape average 30000000
set dscp dscp table dscp2dscp
set wlan user-priority dscp table dscp2up
service-policy ssid_child_qos
SSID Child QoS policy
Policy Map ssid-child_qos
Class voice
priority level 1
police cir 5m
admit cac wmm-tspec
UP 6,7 / tells WCM allow ‘voice’ TSPEC\SIP snoop for this ssid
rate 4000 / must be police rate value is in kbps)
Class video
priority level 2
police cir 60000
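A consistency check for hierarchical policies like the ones in the table above, added here as an example (it is not Cisco's code): it lists every service-policy reference that does not resolve to a defined policy map. The sample text is the table's policy text with the annotation lines omitted and indentation added; the function names are this example's own.

```python
"""Check that every `service-policy` in a policy text resolves to a defined policy map."""
import difflib
import re

# Policy text from the table above (annotation lines omitted, indentation added).
SAMPLE = """\
policy-map port_child_policy
 class voice
  priority level 1 20000
 class video
  priority level 2 10000
 class non-client-nrt-class
  bandwidth remaining ratio 10
 class class-default
  bandwidth remaining ratio 15
policy-map bssid-policer
 queue-buffer ratio 0
 class class-default
  shape average 30000000
  set dscp dscp table dscp2dscp
  set wlan user-priority dscp table dscp2up
  service-policy ssid_child_qos
Policy Map ssid-child_qos
 Class voice
  priority level 1
  police cir 5m
  admit cac wmm-tspec
 Class video
  priority level 2
  police cir 60000
"""

# Accept both the configuration form (`policy-map X`) and the display form (`Policy Map X`).
POLICY_RE = re.compile(r"^\s*policy[- ]map\s+(\S+)", re.IGNORECASE)
# A direction keyword (input/output), if present, is skipped.
CHILD_RE = re.compile(r"^\s*service-policy\s+(?:(?:input|output)\s+)?(\S+)", re.IGNORECASE)


def parse(text):
    """Return {policy_name: [child policy names referenced via service-policy]}."""
    policies, current = {}, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = m.group(1)
            policies.setdefault(current, [])
            continue
        m = CHILD_RE.match(line)
        if m and current is not None:
            policies[current].append(m.group(1))
    return policies


def unresolved(text):
    """List (parent, missing_child, closest_defined_name_or_None) tuples."""
    policies = parse(text)
    findings = []
    for parent, children in policies.items():
        for child in children:
            if child not in policies:
                # Suggest a defined name that differs only slightly (typo, - vs _).
                near = difflib.get_close_matches(child, policies, n=1, cutoff=0.8)
                findings.append((parent, child, near[0] if near else None))
    return findings


if __name__ == "__main__":
    for parent, child, near in unresolved(SAMPLE):
        hint = f" (closest defined name: {near})" if near else ""
        print(f"{parent}: service-policy {child} is not defined{hint}")
```

On the table's text it reports that bssid-policer references ssid_child_qos while the child policy is defined as ssid-child_qos.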
Related Topics
Applying an SSID or Client Policy on a WLAN (CLI), on page 347
Configuring SSID Policies (GUI), on page 345
Applying a QoS Policy on a WLAN (GUI), on page 382
SSID Policies, on page 291
Examples: Ingress SSID Policies
The following examples show ingress SSID hierarchical policies:
Type of ingress SSID policies
Example
Ingress SSID hierarchical policies
policy-map ssid-child-policy
class voice //match dscp 46
police 3m
class video //match dscp 34
police 4m
policy-map ssid-in-policy
class class-default
set dscp wlan user-priority table up2dscp
service-policy ssid-child-policy
policy-map ssid_in_policy
class dscp-40
set cos 1
police 10m
class up-1
set dscp 34
police 12m
class dscp-10
set dscp 20
police 15m
class class-default
set dscp wlan user-priority table up2dscp
police 50m
Examples: Client Policies
Type of Client Policy
Example/Details
Default egress client policy
Any incoming traffic contains the user-priority as 0.
Note
The default client policy is enabled only on WMM clients that
are ACM-enabled.
You can verify if ACM is enabled by using the show ap dot11
5ghz network command. To enable ACM, use the ap dot11 5ghz
cac voice acm command.
Policy-map client-def-down
class class-default
set wlan user-priority 0
Default ingress client policy
Any traffic that is sent to the wired network from wireless network will result
in the DSCP value being set to 0.
Note
The default client policy is enabled only on WMM clients that
are ACM-enabled.
Policy-map client-def-up
class class-default
set dscp 0
Client policies generated
automatically and applied to
the WMM client when the
client authenticates to a profile
in AAA with a configured
QoS-level attribute.
Policy Map platinum-WMM
Class voice-plat
set wlan user-priority 6
Class video-plat
set wlan user-priority 4
Class class-default
set wlan user-priority 0
Policy Map gold-WMM
Class voice-gold
set wlan user-priority 4
Class video-gold
set wlan user-priority 4
Class class-default
set wlan user-priority 0
Non-WMM client precious
metal policies
Policy Map platinum
set wlan user-priority 6
Egress client policy where any traffic matching class voice1, the user priority is set to a pre-defined value.
The class can be set to assign a DSCP or ACL.
Policy Map client1-down
Class voice1 //match dscp, cos
set wlan user-priority <>
Class voice2 //match acl
set wlan user-priority <>
Class voice3
set wlan user-priority <>
Class class-default
set wlan user-priority 0
Client policy based on AAA and TCLAS
Policy Map client2-down[ AAA+ TCLAS pol example]
Class voice \\match dscp
police <>
set <>
Class class-default
set <>
Class voice1|| voice2 [match acls]
police <>
class voice1
set <>
class voice2
set <>
Client policy for voice and video for traffic in the egress direction
Policy Map client3-down
class voice \\match dscp, cos
police X
class video
police Y
class class-default
police Z
Client policy for voice and video for traffic in the ingress direction using policing
Policy Map client1-up
class voice \\match dscp, up, cos
police X
class video
police Y
class class-default
police Z
Client policy for voice and video based on DSCP
Policy Map client2-up
class voice \\match dscp, up, cos
set dscp <>
class video
set dscp <>
class class-default
set dscp <>
Client ingress policy with marking and policing
policy-map client_in_policy
class dscp-48 //match dscp 48
set cos 3
police 2m
class up-4 //match wlan user-priority 4
set dscp 10
police 3m
class acl //match acl
set cos 2
police 5m
class class-default
set dscp 20
police 15m
Hierarchical client ingress policy
policy-map client-child-policy
class voice //match dscp 46
set dscp 40
police 5m
class video //match dscp 34
set dscp 30
police 7m
policy-map client-in-policy
class class-default
police 15m
service-policy client-child-policy
Related Topics
Configuring Client Policies (CLI)
Configuring Client Policies (GUI), on page 335
Applying a QoS Policy on a WLAN (GUI), on page 382
Client Policies, on page 292
Examples: Average Rate Shaping Configuration
The following example shows how to configure average rate shaping:
Controller# configure terminal
Controller(config)# class-map prec1
Controller(config-cmap)# description matching precedence 1 packets
Controller(config-cmap)# match ip precedence 1
Controller(config-cmap)# end
Controller# configure terminal
Controller(config)# class-map prec2
Controller(config-cmap)# description matching precedence 2 packets
Controller(config-cmap)# match ip precedence 2
Controller(config-cmap)# exit
Controller(config)# policy-map shaper
Controller(config-pmap)# class prec1
Controller(config-pmap-c)# shape average 512000
Controller(config-pmap-c)# exit
Controller(config-pmap)# policy-map shaper
Controller(config-pmap)# class prec2
Controller(config-pmap-c)# shape average 512000
Controller(config-pmap-c)# exit
Controller(config-pmap)# class class-default
Controller(config-pmap-c)# shape average 1024000
After configuring the class maps, policy map, and shape averages for your configuration, apply the
policy map to the interface for QoS.
Related Topics
Configuring Shaping (CLI), on page 377
Average Rate Shaping, on page 309
Examples: Queue-limit Configuration
The following example shows how to configure a queue-limit policy based upon DSCP values and percentages:
Controller# configure terminal
Controller(config)# policy-map port-queue
Controller(config-pmap)# class dscp-1-2-3
Controller(config-pmap-c)# bandwidth percent 20
Controller(config-pmap-c)# queue-limit dscp 1 percent 80
Controller(config-pmap-c)# queue-limit dscp 2 percent 90
Controller(config-pmap-c)# queue-limit dscp 3 percent 100
Controller(config-pmap-c)# exit
Controller(config-pmap)# class dscp-4-5-6
Controller(config-pmap-c)# bandwidth percent 20
Controller(config-pmap-c)# queue-limit dscp 4 percent 20
Controller(config-pmap-c)# queue-limit dscp 5 percent 30
Controller(config-pmap-c)# queue-limit dscp 6 percent 20
Controller(config-pmap-c)# exit
Controller(config-pmap)# class dscp-7-8-9
Controller(config-pmap-c)# bandwidth percent 20
Controller(config-pmap-c)# queue-limit dscp 7 percent 20
Controller(config-pmap-c)# queue-limit dscp 8 percent 30
Controller(config-pmap-c)# queue-limit dscp 9 percent 20
Controller(config-pmap-c)# exit
Controller(config-pmap)# class dscp-10-11-12
Controller(config-pmap-c)# bandwidth percent 20
Controller(config-pmap-c)# queue-limit dscp 10 percent 20
Controller(config-pmap-c)# queue-limit dscp 11 percent 30
Controller(config-pmap-c)# queue-limit dscp 12 percent 20
Controller(config-pmap-c)# exit
Controller(config-pmap)# class dscp-13-14-15
Controller(config-pmap-c)# bandwidth percent 10
Controller(config-pmap-c)# queue-limit dscp 13 percent 20
Controller(config-pmap-c)# queue-limit dscp 14 percent 30
Controller(config-pmap-c)# queue-limit dscp 15 percent 20
Controller(config-pmap-c)# end
Controller#
After finishing with the above policy map queue-limit configuration, you can then proceed to apply the policy
map to an interface for QoS.
Related Topics
Configuring Queue Limits (CLI), on page 374
Weighted Tail Drop, on page 311
Examples: Queue Buffers Configuration
The following example shows how to configure a queue buffer policy and then apply it to an interface for QoS:
Controller# configure terminal
Controller(config)# policy-map policy1001
Controller(config-pmap)# class class1001
Controller(config-pmap-c)# bandwidth remaining ratio 10
Controller(config-pmap-c)# queue-buffer ratio ?
<0-100> Queue-buffers ratio limit
Controller(config-pmap-c)# queue-buffer ratio 20
Controller(config-pmap-c)# end
Controller# configure terminal
Controller(config)# interface gigabitEthernet2/0/3
Controller(config-if)# service-policy output policy1001
Controller(config-if)# end
Related Topics
Configuring Queue Buffers (CLI), on page 372
Queue Buffer Allocation, on page 313
Examples: Policing Action Configuration
The following example displays the various policing actions that can be associated to the policer. These actions
are accomplished using the conforming, exceeding, or violating packet configurations. You have the flexibility
to drop, mark and transmit, or transmit packets that have exceeded or violated a traffic profile.
For example, a common deployment scenario is one where the enterprise customer polices traffic exiting the
network towards the service provider and marks the conforming, exceeding and violating packets with different
DSCP values. The service provider could then choose to drop the packets marked with the exceeded and
violated DSCP values under cases of congestion, but may choose to transmit them when bandwidth is available.
Note
The Layer 2 fields can be marked to include the CoS fields, and the Layer 3 fields can be marked to include
the precedence and the DSCP fields.
One useful feature is the ability to associate multiple actions with an event. For example, you could set the
precedence bit and the CoS for all conforming packets. A submode for an action configuration could then be
provided by the policing feature.
This is an example of a policing action configuration:
Controller# configure terminal
Controller(config)# policy-map police
Controller(config-pmap)# class class-default
Controller(config-pmap-c)# police cir 1000000 pir 2000000
Controller(config-pmap-c-police)# conform-action transmit
Controller(config-pmap-c-police)# exceed-action set-dscp-transmit dscp table exceed-markdown-table
Controller(config-pmap-c-police)# violate-action set-dscp-transmit dscp table violate-markdown-table
Controller(config-pmap-c-police)# end
In this example, the exceed-markdown-table and violate-markdown-table are table maps.
Note
Policer-based markdown actions are only supported using table maps. Only one markdown table map is
allowed for each marking field in the controller.
Related Topics
Configuring Police (CLI), on page 367
Policing, on page 303
Token-Bucket Algorithm, on page 304
Examples: Policer VLAN Configuration
The following example displays a VLAN policer configuration. At the end of this configuration, the VLAN
policy map is applied to an interface for QoS.
Controller# configure terminal
Controller(config)# class-map vlan100
Controller(config-cmap)# match vlan 100
Controller(config-cmap)# exit
Controller(config)# policy-map vlan100
Controller(config-pmap)# class vlan100
Controller(config-pmap-c)# police 100000 bc conform-action transmit exceed-action drop
Controller(config-pmap-c-police)# end
Controller# configure terminal
Controller(config)# interface gigabitEthernet1/0/5
Controller(config-if)# service-policy input vlan100
Related Topics
Classifying, Policing, and Marking Traffic on SVIs by Using Policy Maps (CLI), on page 351
Policy Map on VLANs, on page 302
Examples: Policing Units
The following examples display the various units of policing that are supported for QoS. The policing unit is
the basis on which the token bucket works.
The following units of policing are supported:
• CIR and PIR are specified in bits per second. The burst parameters are specified in bytes. This is the
default mode; it is the unit that is assumed when no units are specified. The CIR and PIR can also be
configured in percent, in which case the burst parameters have to be configured in milliseconds.
• CIR and PIR are specified in packets per second. In this case, the burst parameters are configured in
packets as well.
The following is an example of a policer configuration in bits per second:
Controller(config)# policy-map bps-policer
Controller(config-pmap)# class class-default
Controller(config-pmap-c)# police rate 256000 bps burst 1000 bytes conform-action transmit exceed-action drop
The following is an example of a policer configuration in packets per second. In this configuration, a dual-rate
three-color policer is configured where the unit of measurement is packets. The burst and peak burst are both
specified in packets.
Controller(config)# policy-map pps-policer
Controller(config-pmap)# class class-default
Controller(config-pmap-c)# police rate 5000 pps burst 100 packets peak-rate 10000 pps peak-burst 200 packets conform-action transmit exceed-action drop violate-action drop
Related Topics
Configuring Police (CLI), on page 367
Token-Bucket Algorithm, on page 304
Examples: Single-Rate Two-Color Policing Configuration
The following example shows how to configure a single-rate two-color policer:
Controller(config)# class-map match-any prec1
Controller(config-cmap)# match ip precedence 1
Controller(config-cmap)# exit
Controller(config)# policy-map policer
Controller(config-pmap)# class prec1
Controller(config-pmap-c)# police cir 256000 conform-action transmit exceed-action drop
Controller(config-pmap-c-police)# exit
Controller(config-pmap-c)#
Related Topics
Configuring Police (CLI), on page 367
Single-Rate Two-Color Policing, on page 307
Examples: Dual-Rate Three-Color Policing Configuration
The following example shows how to configure a dual-rate three-color policer:
Controller# configure terminal
Controller(config)# policy-map dual-rate-3color-policer
Controller(config-pmap)# class class-default
Controller(config-pmap-c)# police cir 64000 bc 2000 pir 128000 be 2000
Controller(config-pmap-c-police)# conform-action transmit
Controller(config-pmap-c-police)# exceed-action set-dscp-transmit dscp table exceed-markdown-table
Controller(config-pmap-c-police)# violate-action set-dscp-transmit dscp table violate-markdown-table
Controller(config-pmap-c-police)# exit
Controller(config-pmap-c)#
In this example, the exceed-markdown-table and violate-markdown-table are table maps.
Note
Policer based markdown actions are only supported using table maps. Only one markdown table map is
allowed for each marking field in the controller.
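The dual-rate three-color configuration above (police cir 64000 bc 2000 pir 128000 be 2000), modeled as an added Python example that is not part of the Cisco guide. It assumes the color-blind two-rate three-color marker of RFC 2698, which may differ in detail from the controller's implementation, and the contents of the two markdown table maps are constructed because the guide names them but does not list them.

```python
"""Model of `police cir 64000 bc 2000 pir 128000 be 2000` with table-map markdown.

Assumption: the policer behaves like the color-blind two-rate three-color
marker of RFC 2698. Rates are in bits per second, bursts in bytes.
"""
from collections import Counter


class TableMap:
    """table-map semantics from the guide: explicit `map from X to Y` entries
    plus a default that is either a fixed value or `copy`."""

    def __init__(self, entries, default="copy"):
        self.entries = dict(entries)
        self.default = default

    def lookup(self, value):
        if value in self.entries:
            return self.entries[value]
        return value if self.default == "copy" else self.default


class TwoRatePolicer:
    UNITS_PER_BYTE = 8 * 1000  # tokens are kept in bit-milliseconds (exact integers)

    def __init__(self, cir_bps, bc_bytes, pir_bps, be_bytes):
        self.cir_bps, self.pir_bps = cir_bps, pir_bps
        self.bc = bc_bytes * self.UNITS_PER_BYTE
        self.be = be_bytes * self.UNITS_PER_BYTE
        self.tc, self.tp = self.bc, self.be  # both buckets start full
        self.last_ms = 0

    def color(self, now_ms, size_bytes):
        """Refill both buckets, then classify one packet."""
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        # rate [bit/s] x elapsed [ms] = bit-milliseconds, capped at the burst size
        self.tc = min(self.bc, self.tc + elapsed * self.cir_bps)
        self.tp = min(self.be, self.tp + elapsed * self.pir_bps)
        cost = size_bytes * self.UNITS_PER_BYTE
        if self.tp < cost:          # above PIR: no tokens are consumed
            return "violate"
        if self.tc < cost:          # above CIR but within PIR
            self.tp -= cost
            return "exceed"
        self.tc -= cost             # within CIR
        self.tp -= cost
        return "conform"


# Constructed table-map contents (hypothetical values, not from the guide).
EXCEED_MARKDOWN = TableMap({46: 34}, default="copy")
VIOLATE_MARKDOWN = TableMap({}, default=0)


def run(interval_ms, duration_ms=1000, size_bytes=500, dscp=46):
    """Send fixed-size packets at a fixed interval; return (color counts, DSCP counts)."""
    policer = TwoRatePolicer(64000, 2000, 128000, 2000)
    colors, marks = Counter(), Counter()
    for now in range(0, duration_ms, interval_ms):
        c = policer.color(now, size_bytes)
        colors[c] += 1
        if c == "exceed":
            marks[EXCEED_MARKDOWN.lookup(dscp)] += 1
        elif c == "violate":
            marks[VIOLATE_MARKDOWN.lookup(dscp)] += 1
        else:
            marks[dscp] += 1        # conform-action transmit leaves the DSCP unchanged
    return dict(colors), dict(marks)


if __name__ == "__main__":
    for interval in (100, 40, 20):  # 40, 100 and 200 kbit/s offered load
        offered = 500 * 8 * 1000 // interval
        print(offered, "bit/s ->", run(interval))
```

The three offered loads sit below CIR, between CIR and PIR, and above PIR, so the output shows when each of the three colors first appears.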
Related Topics
Configuring Police (CLI), on page 367
Dual-Rate Three-Color Policing, on page 308
Examples: Table Map Marking Configuration
The following steps and examples show how to use table map marking for your QoS configuration:
1. Define the table map.
Define the table-map using the table-map command and indicate the mapping of the values. This table
does not know of the policies or classes within which it will be used. The default command in the table
map indicates the value to be copied into the ‘to’ field when there is no matching ‘from’ field. In the
example, a table map named table-map1 is created. The mapping defined is to convert the value from 0
to 1 and from 2 to 3, while setting the default value to 4.
Controller(config)# table-map table-map1
Controller(config-tablemap)# map from 0 to 1
Controller(config-tablemap)# map from 2 to 3
Controller(config-tablemap)# default 4
Controller(config-tablemap)# exit
2. Define the policy map where the table map will be used.
In the example, the incoming CoS is mapped to the DSCP based on the mapping specified in the table
table-map1. For this example, if the incoming packet has a DSCP of 0, the CoS in the packet is set to 1. If
no table map name is specified the command assumes a default behavior where the value is copied as is
from the ‘from’ field (DSCP in this case) to the ‘to’ field (CoS in this case). Note however, that while the
CoS is a 3-bit field, the DSCP is a 6-bit field, which implies that the CoS is copied to the first three bits
in the DSCP.
Controller(config)# policy-map policy1
Controller(config-pmap)# class class-default
Controller(config-pmap-c)# set cos dscp table table-map1
Controller(config-pmap-c)# exit
3. Associate the policy to an interface.
Controller(config)# interface GigabitEthernet1/0/1
Controller(config-if)# service-policy output policy1
Controller(config-if)# exit
Related Topics
Configuring Table Maps (CLI), on page 355
Table Map Marking, on page 305
Example: Table Map Configuration to Retain CoS Markings
The following example shows how to use table maps to retain CoS markings on an interface for your QoS
configuration.
The cos-trust-policy policy (configured in the example) is enabled in the ingress direction to retain the CoS
marking coming into the interface. If the policy is not enabled, only the DSCP is trusted by default. If a pure
Layer 2 packet arrives at the interface, then the CoS value will be rewritten to 0 when there is no such policy
in the ingress port for CoS.
Controller# configure terminal
Controller(config)# table-map cos2cos
Controller(config-tablemap)# default copy
Controller(config-tablemap)# exit
Controller(config)# policy-map cos-trust-policy
Controller(config-pmap)# class class-default
Controller(config-pmap-c)# set cos cos table cos2cos
Controller(config-pmap-c)# exit
Controller(config)# interface GigabitEthernet1/0/2
Controller(config-if)# service-policy input cos-trust-policy
Controller(config-if)# exit
Related Topics
Trust Behavior for Wired and Wireless Ports, on page 314
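The marking behavior of the two table-map examples above can be checked offline with a small model. The following Python is an added example, not Cisco code or output: it parses the CLI subset used in this section and applies table-map lookups, default values and default copy to sample markings. The function names, the sample packets, and the choice to narrow a DSCP to a CoS by keeping its first three bits are assumptions.

```python
import re

WIDTH = {"cos": 3, "dscp": 6}  # field widths in bits, as stated in the text

# Constructed input: the CLI lines of the two examples above, prompts removed.
CONFIG = """\
table-map table-map1
 map from 0 to 1
 map from 2 to 3
 default 4
policy-map policy1
 class class-default
  set cos dscp table table-map1
interface GigabitEthernet1/0/1
 service-policy output policy1
table-map cos2cos
 default copy
policy-map cos-trust-policy
 class class-default
  set cos cos table cos2cos
interface GigabitEthernet1/0/2
 service-policy input cos-trust-policy
"""

SET_RE = re.compile(r"set (cos|dscp) (cos|dscp)(?: table (\S+))?")


def parse(text):
    """Parse the CLI subset used on this page: (tables, policies, attached)."""
    tables, policies, attached = {}, {}, {}
    mode = name = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"(table-map|policy-map|interface) (\S+)", line):
            mode, name = m[1], m[2]
            if mode == "table-map":
                tables[name] = {"map": {}, "default": None}
            elif mode == "policy-map":
                policies[name] = []
        elif mode == "table-map":
            if m := re.fullmatch(r"map from (\d+) to (\d+)", line):
                tables[name]["map"][int(m[1])] = int(m[2])
            elif m := re.fullmatch(r"default (copy|\d+)", line):
                tables[name]["default"] = m[1] if m[1] == "copy" else int(m[1])
        elif mode == "policy-map":
            if line.startswith("class ") and line != "class class-default":
                raise ValueError("only class-default is modelled here")
            if m := SET_RE.fullmatch(line):
                policies[name].append((m[1], m[2], m[3]))  # (to, from, table)
        elif mode == "interface":
            if m := re.fullmatch(r"service-policy (input|output) (\S+)", line):
                attached[(name, m[1])] = m[2]
    return tables, policies, attached


def copy_value(value, src, dst):
    """Copy between fields; a narrower field lines up with the first bits."""
    shift = WIDTH[dst] - WIDTH[src]
    return value << shift if shift >= 0 else value >> -shift  # assumption


def translate(table, value, src, dst):
    """Apply one table map, or a plain copy when no table is named."""
    if table is None:
        out = copy_value(value, src, dst)
    elif value in table["map"]:
        out = table["map"][value]
    elif table["default"] == "copy":
        out = copy_value(value, src, dst)
    elif table["default"] is None:
        raise ValueError("no matching 'map from' entry and no default")
    else:
        out = table["default"]
    if not 0 <= out < 2 ** WIDTH[dst]:
        raise ValueError(f"{out} does not fit the {WIDTH[dst]}-bit {dst} field")
    return out


def mark(config, interface, direction, packet):
    """Return the markings after the policy attached to the interface runs.

    packet is {"cos": int, "dscp": int or None}; dscp None is pure Layer 2.
    """
    tables, policies, attached = config
    policy = attached.get((interface, direction))
    actions = policies[policy] if policy else []
    out = dict(packet)
    for dst, src, table_name in actions:
        if packet[src] is not None:  # skip when the source field is absent
            table = tables[table_name] if table_name else None
            out[dst] = translate(table, packet[src], src, dst)
    # From the text: with no ingress policy for CoS, a pure Layer 2 packet
    # has its CoS rewritten to 0.
    retains_cos = any(dst == "cos" for dst, _, _ in actions)
    if direction == "input" and packet["dscp"] is None and not retains_cos:
        out["cos"] = 0
    return out
```

Calling mark() for the same Layer 2 packet on GigabitEthernet1/0/2 (cos-trust-policy attached) and on an interface with no ingress policy shows the difference the trust policy makes.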
Where to Go Next
Review the auto-QoS documentation to see if you can use these automated capabilities for your QoS
configuration.
Additional References for QoS
Related Documents
Related Topic | Document Title
For complete syntax and usage information for the commands used in this chapter. | QoS Command Reference (Catalyst 3850 Switches); QoS Command Reference (Cisco WLC 5700 Series); QoS Command Reference (Catalyst 3650 Switches); Cisco IOS Quality of Service Solutions Command Reference
Call Admission Control (CAC) | System Management Configuration Guide (Catalyst 3850 Switches); System Management Configuration Guide (Cisco WLC 5700 Series); System Management Configuration Guide (Catalyst 3650 Switches); System Management Command Reference (Catalyst 3850 Switches); System Management Command Reference (Cisco WLC 5700 Series); System Management Command Reference (Catalyst 3650 Switches)
Multicast Shaping and Policing Rate | IP Multicast Routing Configuration Guide (Catalyst 3850 Switches); Routing Configuration Guide (Cisco WLC 5700 Series); IP Multicast Routing Configuration Guide (Catalyst 3650 Switches)
Application Visibility and Control | System Management Configuration Guide (Catalyst 3850 Switches); System Management Configuration Guide (Cisco WLC 5700 Series); System Management Configuration Guide (Catalyst 3650 Switches); System Management Command Reference (Catalyst 3850 Switches); System Management Command Reference (Cisco WLC 5700 Series); System Management Command Reference (Catalyst 3650 Switches)
Error Message Decoder
Description | Link
To help you research and resolve system error messages in this release, use the Error Message Decoder tool. | https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
Standards and RFCs
Standard/RFC Title
—
MIBs
MIB | MIBs Link
All the supported MIBs for this release. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Technical Assistance
Description | Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/support
Feature History and Information for QoS
Release | Modification
Cisco IOS XE 3.3SE | This feature was introduced.
Cisco IOS XE 3.3SE | Consistent system default trust behavior for both wired and wireless ports. The Cisco IOS XE 3.2 Release supported different trust defaults for wired and wireless ports. The trust default for wired ports was the same as for this software release. For wireless ports, the default system behavior was non-trust, which meant that when the controller came up, all markings for the wireless ports were defaulted to zero and no traffic received priority treatment. For compatibility with an existing wired controller, all traffic went to the best-effort queue by default. The access point performed priority queuing by default. The default trust behavior in the case of wireless ports could be changed by using the no qos wireless default untrust command.
Cisco IOS XE 3.3SE | Support for IPv6 wireless clients. The Cisco IOS XE 3.2 software release did not support IPv6 for wireless clients. This is now supported. Client policies can now have IPv4 and IPv6 filters.
Cisco IOS XE 3.3SE | Support for 3 radios and 11ac.
Cisco IOS XE 3.3SE | New classification counters available in the show policy-map command. Note: This feature is only available on wired targets.
Cisco IOS XE 3.6E | Marking and policing actions for ingress SSID policies. Client policies are applied at the access point.
Cisco IOS XE 3.6E | New classification counters for wireless targets available in the show policy-map command.
Cisco IOS XE 3.6E | Statistics are supported only for ingress policies.

Release | Modification
Cisco IOS XE 3.3SE | This feature was introduced.
Cisco IOS XE 3.6E | Marking and policing actions for upstream SSID and client policies are applied at the access point.
Cisco IOS XE 3.6E | New classification counters for wireless targets available in the show policy-map command.
PART III
Mobility
• Information About Mobility
• Mobility Network Elements
• Mobility Control Protocols
• Configuring Mobility
CHAPTER 20
Information About Mobility
• Overview
• Wired and Wireless Mobility
• Features of Mobility
• Sticky Anchoring for Low Latency Roaming
• Bridge Domain ID and L2/L3 Roaming
• Link Down Behavior
• Platform Specific Scale Requirement for the Mobility Controller
Overview
The controller delivers more services at the access layer than merely providing increased speeds and feeds.
Wireless services are now integrated with the switch, which ensures that the access layer switch terminates the
wireless users' data plane, thereby delivering on the promise of Cisco's unified architecture. Unification implies
that mobility services are provided to both wireless and wired stations.
The controller provides seamless roaming, which requires transparency of the network configuration and
deployment options to the client.
From the end user's perspective, any mobility event must not change its IP address, its default router or DHCP
server. This means that as stations roam, they must be able to:
• Send an ARP to their default router, or
• Transmit a DHCP request to the server that had previously assigned their address.
From the infrastructure's perspective, as mobility events occur, the station's traffic must follow its current
point of attachment, which can either be a mobility agent (MA) or mobility controller (MC). This must be
true regardless of whether the station has moved to a network that is configured for a different subnet. The
period during which the station is not receiving traffic following its mobility event must be as short as possible,
even below 40 ms whenever possible, which includes any authentication procedures that are required.
From the infrastructure's perspective, the mobility management solution must have four main components,
and all of these functions must be performed within the constraints of roaming:
• Initial Association—This function is used to identify the user's new point of attachment in the network.
• Context Transfer—This function is used to transfer state information associated with the station. This
ensures that the station's static and real-time policies, including security and application ACLs, and
services, remain the same across handoffs.
• Handoff—This function is used to signal that the station's point of attachment has changed, and control
of the station should be relinquished by the previous access controller.
• Data Plane—This function is typically tied to the handoff process, and ensures that the station's traffic
continues to be delivered and received from the station without any noticeable performance degradation.
Caution
If you have configured virtual routing and forwarding (VRF) on the wireless management interface VLAN, the
mobility feature may not work as expected.
Note
You must enable PIM, IP ROUTING and IP MULTICAST Routing for wireless mobility multicast to work.
Wired and Wireless Mobility
One of the key features of the Converged access solution (applicable to both the Cisco Catalyst 3850 Switch
and Cisco WLC 5700 Series Controller) is its ability to provide a device with an IP address and maintain its
session persistence across mobility events from Ethernet connections to wireless and vice versa. This feature
allows users to remain on an Ethernet network when possible, and make use of the freedom of mobility
associated with wireless when necessary.
This feature leverages support from both the client and the infrastructure and uses two-factor
authentication: device and user. The device authentication credentials are cached in the mobility controller
(MC). When a device transitions across link layers, the device credentials are validated, and if a match is found,
the MC ensures that the same IP address is assigned to the new interface.
Features of Mobility
• Mobility Controller (MC)—The controller provides mobility management services for inter-peer group
roaming events. The MC provides a central point of contact for management and policy based control
protocols, such as RADIUS. This eliminates the need for the infrastructure servers to maintain a user's
location as it transitions throughout the network. The MC sends all the mobility agents under its
sub-domain their mobility configuration, peer group membership, and list of members.
A sub-domain is synonymous with the MC that forms it. Each sub-domain consists of an MC and zero or
more access switches that have APs associated to them.
• Mobility Agents (MA)— A mobility agent is either an access switch that has a wireless module running
on it or an MC with an internal MA running on it. A mobility agent is the wireless component that
maintains the client mobility state machine for a mobile client that is connected via an AP to the device that
the MA is running on.
• Mobility Sub Domain— It is an autonomous portion of the mobility domain network. A mobility
sub-domain comprises a single mobility controller and its associated mobility agents (MAs).
Note
Even when more than one mobility controller is present, only one MC can be
active at any given time.
A mobility sub-domain is the set of devices managed by the active mobility controller. A mobility
sub-domain comprises a set of mobility agents and associated access points.
• Mobility Group— A collection of mobility controllers (MCs) across which fast roaming is supported.
The concept of mobility group is the same as a collection of buildings in a campus across which frequent
roaming is expected.
• Mobility Domain— A collection of mobility sub-domains across which mobility is supported. The term
mobility domain may be the same as a campus network.
• Mobility Oracle (MO)—The mobility oracle acts as the point of contact for mobility events that occur
across mobility sub-domains. It also maintains a local database of each station in the entire mobility
domain, their home and current sub-domain. A mobility domain includes one or more mobility oracles,
though only one would be active at any given time.
• Mobility Tunnel Endpoint (MTE)— The mobility tunnel endpoint (MTE) provides data plane services
for mobile devices through the use of tunneling. This minimizes the impact of roaming events on the
network by keeping the user's point of presence on the network a constant.
• Point of Attachment— A station's point of attachment is where its data path is initially processed upon
entry in the network. This could either be the access switch that is currently providing it service, or the
wireless LAN controller.
• Point of Presence— A station's point of presence is the place in the network where the station is being
advertised. For instance, if an access switch is advertising reachability to the station via a routing protocol,
the interface on which the route is being advertised is considered the station's point of presence.
• Switch Peer Group (SPG)— A peer group is a statically created list of neighboring access switches
between which fast mobility services are provided. A peer group limits the scope of interactions between
switches during handoffs to only those that are geographically proximate.
• Station—A user's device that connects to and requests service from the network. The device may have
a wired interface, a wireless interface, or both.
• Switch in the same SPG—A peer switch that is part of the peer group of the local switch.
• Switch outside the SPG—A peer access switch that is not part of the local switch's peer group.
• Foreign Mobility Controller— The mobility controller providing mobility management service for the
station in a foreign mobility sub-domain. The foreign mobility controller acts as a liaison between access
switches in the foreign sub-domain and the mobility controller in the home domain.
• Foreign Mobility Sub-Domain— The mobility sub-domain, controlled by a mobility controller, supporting
a station which is anchored in another mobility sub-domain.
• Foreign Switch— The access switch in the foreign mobility sub-domain currently providing service to
the station.
• Anchor Mobility Controller— The mobility controller providing a single point of control and mobility
management service for stations in their home mobility sub-domain.
• Anchor Mobility Sub-Domain— The mobility sub-domain, controlled by a mobility controller, for a
station where its IP address was assigned.
• Anchor Switch— The switch in the home mobility sub-domain that last provided service to a station.
Sticky Anchoring for Low Latency Roaming
Sticky Anchoring ensures low roaming latency by maintaining the client's point of presence at the switch
where the client initially joins the network. It is expensive to apply client policies at a switch for a roaming
client. There can be considerable delay as it involves contacting the AAA server for downloadable ACLs,
which is not acceptable for restoring time-sensitive client traffic.
To manage this delay, when the client roams between APs connected to different switches, irrespective of
whether it is an intra sub-domain roam or inter sub-domain roam, the client traffic is always tunneled to the
switch where the client first associates. The client is anchored at its first point of attachment for its lifetime
in the network.
This behavior is enabled by default. You can also disable this behavior to allow the client anchoring only for
inter-subnet roams. This configuration is per WLAN and is available under the WLAN config mode.
The customer can configure different SSIDs for time-sensitive and non-time-sensitive applications.
Bridge Domain ID and L2/L3 Roaming
Bridge domain ID provides the mobility nodes with information to decide on the specific roam type, either an L2
or an L3 roam. It also allows the network administrators to reuse the VLAN IDs across network distribution.
When the VLAN IDs do not have the associated subnet configurations, they may require an additional parameter
to use in conjunction with the VLAN ID. The network administrator ensures that a given VLAN under the same
bridge domain ID is associated with a unique subnet. The mobility nodes will first check for the bridge
domain ID for the given node and the VLAN ID associated with the client to identify the roam type. The
bridge domain ID and the VLAN ID must be the same to treat a roam as an L2 roam.
The bridge domain ID is configured for each SPG when creating a SPG and later on the MC. The bridge
domain ID could be the same for more than one SPG, and all the MAs under the SPG will share the same bridge
domain ID. This information is pushed to the MAs as part of the configuration download when the MA comes
up initially. If the bridge domain ID is modified when the system is up, it will be pushed to all the MAs in
the modified SPG and will take immediate effect for future roams.
Link Down Behavior
This section provides information about data synchronization between MA-MC and MC-MO when the MC or
MO faces downtime in the absence of a redundancy manager. When Keepalive is configured between MA-MC or
MC-MO, the client database is synchronized between the MO and the MCs and the MC and its MAs
respectively.
Platform Specific Scale Requirement for the Mobility Controller
The Mobility Controller (MC) role is supported on a number of different platforms, such as the Cisco WLC 5700
Series, CUWN and Catalyst 3850 Switches. The scale requirements on these three platforms are summarized
in the table below:
Scalability | Catalyst 3850 as MC | Catalyst 3650 as MC | Cisco WLC 5700 as MC | CUWN 5508 as MC | WiSM2 as MC
Max number of MC in Mobility Domain | 8 | 8 | 72 | 72 | 72
Max number of MC in Mobility Group | 8 | 8 | 24 | 24 | 24
Max number of MAs in Sub-domain (per MC) | 16 | 16 | 350 | 350 | 350
Max number of SPGs in Sub-domain (per MC) | 8 | 8 | 24 | 24 | 24
Max number of MAs in a SPG | 16 | 16 | 64 | 64 | 64
CHAPTER 21
Mobility Network Elements
• Mobility Agent
• Mobility Controller
• Mobility Tunnel Endpoint
• Mobility Oracle
• Guest Controller
Mobility Agent
A Mobility Controller resides on the switch. It is both a control path and a data path entity and is responsible
for:
The Mobility Agent (MA) interacts with the Mobility Controller (MC), which can be a Catalyst 3850 Switch,
or a Cisco WLC 5760, or a Cisco Unified Wireless Networking Solution controller. The MA is responsible
for:
• Handling the mobility events on the switch
• Configuring the datapath elements on the switch for mobility, and
• Communicating with the mobility controller
As MA, the controller performs the datapath functions by terminating the CAPWAP tunnels that encapsulate
802.11 traffic sourced by wireless stations.
This allows the controller to apply features to wired and wireless traffic in a uniform fashion. As far as
the controller is concerned, 802.11 is just another access medium.
The MA performs the following functions:
• Support the mobility protocol – The MA is responsible for responding in a timely manner, ensuring the
controller is capable of achieving its roaming budget.
• Point of presence – If the wireless subnets are not available at the MC, the MA assumes the point of
presence if the wireless client VLAN is not available at the new point of attachment and tunnels the client
traffic accordingly.
• ARP Server – When the network is configured in a layer 2 mode, the MA is responsible for advertising
reachability for the stations connected to it. If tunneling is employed, the ARP request is transmitted on
behalf of the station through the tunnel, which the point of presence (anchor switch) would bridge onto
its uplink interface.
• Proxy IGMP – The MA on the controller is responsible for subscribing to multicast groups on behalf of
a station after a roaming event has occurred. This information is passed as part of the context to the new
controller. This ensures the multicast flows follow the user as it roams.
• Routing – When the controller is connected to a layer 3 access network, the MA is responsible for injecting
routes for the stations that are associated with it for which tunneling is not provided.
• 802.1X Authenticator – The authenticator function is included in the MA, and handles both wired and
wireless stations.
• Secure PMK Sharing – When a station successfully authenticates to the network, the MA forwards the
PMK to the MC. The MC is responsible for flooding the PMK to all the MAs under its sub-domain and
to the peer MCs in the mobility group.
The MA also performs the following datapath functions:
• Mobility tunnel – If tunneling is used, the MA encapsulates and decapsulates packets from the mobility
tunnel to the MC, and to other MAs in the peer group, if the access switches are serving as points of
presence. The MA supports the tunneling of client data traffic between the point of attachment and the
point of attachment. The packet format used for other switches is CAPWAP with an 802.3 payload. The
MA also supports reassembly and fragmentation for mobility tunnels.
• Encryption – The mobility control traffic between the mobility nodes is DTLS encrypted. The MA also
encrypts the CAPWAP control and data (optional) at the point of attachment.
• CAPWAP – The controller supports the CAPWAP control and data planes. The controller forwarding
logic is responsible for terminating the CAPWAP tunnels with 802.11 as well as 802.3 payloads. Since
support for large frames (greater than 1500 bytes) is not universally available, the controller supports
CAPWAP fragmentation and reassembly.
Note
Mobility tunnel path via an L3 interface on the 4500 or the L3 interface on the
uplink port is not supported. It is not possible to have an L3 wireless management
interface. Even if the tunnel comes up, packet forwarding is not possible as it is
not supported. 4510 drops DHCP packets from wireless clients if SSID is anchored
to a different Cisco WLC.
Mobility Controller
The main function of the mobility controller is to coordinate client roaming beyond a switch peer group. The
other features of the mobility controller are:
• Station Database—The Mobility Controller maintains a database of all the clients that are connected
within the local mobility sub-domain.
• Mobility Protocol—The MC supports the mobility protocol, which ensures the target roaming point
responds in a timely manner and achieves the 150 ms roaming budget.
• Interface to Mobility Oracle—The Mobility Controller acts as a gateway between the controller and the
Mobility Oracle. When the Mobility Controller does not find a match in its local database, it suggests a
match for a wireless client entry (in its database) and forwards the request to the Mobility Oracle, which
manages the Mobility Domain.
Note
Mobility Oracle function can be enabled on an MC only if it is supported by the
platform.
• ARP Server—When tunneling is employed for a station, its point of presence on the network is the
Mobility Tunnel Endpoint (MTE). The Mobility Controller responds to any ARP requests received for
the stations it is responsible for.
• Routing—When the Mobility Controller is connected to a layer three network, the Mobility Controller
is responsible for injecting routes for the stations it supports into the network.
• Configures MTE—The Mobility Controller is the control point for the controller for all mobility
management related requests. When a change in a station’s point of attachment occurs, the Mobility
Controller is responsible for configuring the forwarding policy on the MTE.
• NTP Server—The Mobility Controller acts as an NTP server to the controller and supports all the nodes
to have their clocks synchronized with it.
Note
The Cisco 5700 series WLC and other controller platforms that have the Mobility Controller function enabled
by default should not be added to a switch peer group (SPG).
Mobility Tunnel Endpoint
MTE is the data plane component of MC and MA and provides data plane services for mobile devices through
the use of tunneling.
The functions of the MTE include:
• Tunnel Termination: The MTE terminates the data part of mobility tunnels from the Controller. Traffic
to and from the roamed client is sent to the foreign switch via the mobility tunnel.
• Inter-MTE Tunnel Termination – The MTE-MTE tunnel is used to tunnel traffic between mobility
sub-domains. These tunnels have the same format as the Switch-MTE tunnels.
• Mobility Controller Configuration Interface: This is the interface the MC uses to configure the MTE’s
forwarding tables to reflect mobility events.
Mobility Oracle
The Mobility Oracle coordinates the client roams beyond the subdomain on an as-needed basis and consists of the
following features:
• Station Database—The Mobility Oracle maintains a database of all stations that are serviced within the
mobility domain. This database is populated during the Mobility Oracle's interactions with all the Mobility
Controllers, in all of the mobility sub-domains it supports.
• Interface to Mobility Controller—When the Mobility Oracle receives a request from a Mobility Controller,
it performs a station lookup, and forwards, whenever needed, the request to the proper Mobility Controller.
• NTP Server—The Mobility Oracle acts as an NTP server to the Mobility Controllers and synchronizes
all the controller clocks within the mobility domain.
Guest Controller
The guest access feature provides guest access to wireless clients. The guest tunnels use the same format as
the mobility tunnels. Using the guest access feature, there is no need to configure guest VLANs on the access
switch. Traffic from the wired and wireless clients terminates on the Guest Controller. Since the guest VLAN is
not present on the access switch, the traffic is tunneled to the MTE over the existing mobility tunnel, and then
via a guest tunnel to the Guest Controller.
The advantage of this approach is that all guest traffic passes through the MTE before it is tunneled to the
Guest Controller. The Guest Controller only needs to support tunnels between itself and all the MTEs.
The disadvantage is that the traffic from the guest client is tunneled twice - once to the MTE and then again
to the Guest Controller.
Clients cannot roam to Guest Controllers because roaming is not supported on Guest Controllers. This restriction
is applicable only for the IOS-XE guest anchor, and not for AireOS.
CHAPTER 22
Mobility Control Protocols
• About Mobility Control Protocols
• Initial Association and Roaming
• Initial Association
• Intra Switch Handoff
• Intra Switch Peer Group Handoff
• Inter Switch Peer Group Handoff
• Inter Sub Domain Handoff
• Inter Mobility Group Handoff
• Three Way Sub Domain Handoff
About Mobility Control Protocols
The mobility control protocol is used regardless of whether traffic is tunneled or routed. The mobility control protocol
is used for mobility events between the MO, MC and MA.
The mobility architecture uses both:
• A distributed approach, using direct communication with the switches in their respective SPG, as well
as
• A centralized approach, using the MC and MO.
The goal is to reduce the overhead on the centralized MC, while limiting the interactions between switches
to help scale the overall system.
Initial Association and Roaming
The following scenarios are applicable to the mobility management protocol:
• Initial Association
• Intra Switch Roam
• Intra Switch Peer Group Roam
• Inter Switch Peer Group Roam
• Inter Sub-Domain Roam
• Inter Group Roam
Initial Association
The illustration below explains the initial association process followed by thecontroller:
Figure 7: Initial Association
1.
2.
3.
When a station initially associates with a mobility agent, the MA performs a lookup to determine whether
keying information for key caching is locally available in the MA. If no keying information is available,
which is the case when the station first appears in the network, the controller prompts the device to
authenticate itself to generate the Pairwise Master Key (PMK). The PMK is generated on the client and
the RADIUS server side, and the RADIUS sever forwards the PMK to the authenticator, the MA.
The MA sends the PMK to the MC.
After receiving the PMK from the MA, the MC transmits the PMK to all the MAs in its sub-domain,
and to all the other MCs in its mobility group.
Consolidated Platform Configuration Guide, Cisco IOS XE Release 3E (Cisco 5700 Series WLC)
420
OL-32363-01
Mobility
Intra Switch Handoff
4. The mobility group is a single key domain. This ensures that 802.11r-compliant stations recognize the key domain and attempt to use the fast transition procedures defined in 802.11r.
Note: The 802.11r protocol defines a key domain, which is a collection of access points that share keying information.
5. (Refer to step 2B in the illustration). Since the station is new to the mobility sub-domain, as indicated by the fact that the PMK is not in the MA local key cache, the MA transmits a mobile announce message to the MC.
6. The MC checks if the client exists in its database. As the client cannot be found, the MC in turn forwards it to the MO, if available.
7. (Refer to step 5 in the illustration). As the station is new to the network, the MO returns a negative response (NACK), which is forwarded by the MC to the controller. If the Mobility Oracle is not available, then the MC is responsible for not responding to the Mobile Announce.
Note: In new mobility, if there are many peers, the IOS controller does not react to a NACK message from the AireOS peer and sends two more probes. The NACK is ignored: if the client is not present, it is simply dropped. In such a scenario AireOS sends the NACK, so a NACK from the mobility controller is not processed.
8. The MA on the controller informs the MC about the station's new point of attachment via the Handoff Complete message.
9. The MA then informs the other MAs in its switch peer group (SPG) about the station's new point of attachment via the Handoff Notification message. It is necessary to transmit this notification to the MAs in its SPG to allow local handoff without interacting with the MC. The Handoff Notification message sent to MAs in the SPG need not carry all the information in the Handoff Complete message sent to the MC.
10. (Refer to step 7B in the illustration). The MC updates its database and forwards the Handoff Complete message to the Mobility Oracle. This ensures that the Mobility Oracle's database is updated to record the station's current home mobility sub-domain.
To eliminate race conditions that could occur with devices moving quickly across controllers, regardless of
whether they are within a mobility sub-domain or not, the messages between MA and MC/MO are time
synchronized. This allows the MC and MO to properly process requests, even if they are received out of
order.
The Handoff Notification messages sent to MAs in the SPG are not acknowledged.
Intra Switch Handoff
Mobility events within an MA are completely transparent to the SPG and the MC. When a station moves
across APs on the same MA and attempts to perform a fast handoff, the PMK is present on the MA. The MA
will complete the fast handoff without invoking any additional signal.
Intra Switch Peer Group Handoff
The switch peer group (SPG) is a group of MAs between which users may roam, and expect fast roaming
services. Allowing the MA to handoff directly within a SPG reduces the overhead on the MC as it requires
fewer messages to be exchanged.
After the initial association is complete, the station moves to another MA belonging to its SPG. In an intra
switch peer group roam, the station's PMK was already forwarded to all MAs in the mobility sub-domain
during the initial association.
Figure 8: Intra Switch Peer Group Handoff
The following process explains the intra switch peer group handoff:
1. In the initial association example, the Handoff Notification message is sent to all MAs in its SPG so that
they know the station's current point of attachment.
2. The new MA sends a unicast Mobile Announce message to the previous MA to which the client is
associated.
3. After the handoff completion, the new MA transmits a Handoff Complete message to the MC.
4. The new controller sends a Handoff Notification to all MAs in its own SPG to inform them about the client's
new point of presence.
Inter Switch Peer Group Handoff
Intra SPG roams do not cover all possible scenarios; mobility events can also occur between two MAs that
are not in the same SPG.
When an MA does not have any information about a station's current point of attachment, because the
Handoff Notification message was lost in the network, or because the station roamed to an MA that
is not in the new SPG, the MA consults the MC. The MC provides information about the client's point of
presence within the mobility sub-domain. This eliminates the need to consult all other MCs within the mobility
sub-domain.
Figure 9: Inter Switch Peer Group Handoff
The image above illustrates an example of a mobility event that occurs across MAs that are not in the same
SPG, but within the same mobility sub-domain.
Note: The MA color matches the circle representing its SPG.
1. The new MA will have the PMK for the station, which was forwarded to each MA in the mobility
sub-domain upon client initial authentication.
2. Since the MA had not been previously notified of the station's presence on a neighboring MA inside a
different SPG, it transmits the mobile announce to the sub-domain's MC.
3. (Refer to step 2 in the illustration) On receiving the mobile announce message, the MC performs a lookup
in its database, and forwards the request to the MA that was previously providing service to the station.
This information is known to the MC through a previously received Handoff Complete message sent in
a reliable fashion from the old MA.
4. (Refer to step 3 in the illustration) The old MA, shown in green above, transmits a Handoff message
directly to the new MA.
5. The old MA needs to notify other MAs within its SPG of the fact that the station has left the group using
a Station Left message. This ensures that if the station were to come back to one of the MAs, they would
be aware of the fact that the station is no longer being serviced by the old MA.
6. Once the handoff is complete, the new MA transmits the Handoff Complete message in a reliable fashion
to the MC.
7. The new MA then transmits the Handoff Notification to the other MAs within its SPG.
Inter Sub Domain Handoff
A sub-domain is an ensemble formed by a mobility controller and the mobility agents it directly manages.
An inter sub-domain mobility event implies communication between two mobility controllers. These 2 mobility
controllers can be configured with the same mobility group value and recognize each other. They will appear
in each other's mobility list, or they can be configured with different mobility group values, and still recognize
each other.
When the roaming event occurs across sub-domains between MCs in the same mobility group, the 802.11r
key domain advertised by the new APs is the same. Additionally, the client PMK is also transmitted to all
MCs upon the client's initial authentication. The new MC does not need to force the client to reauthenticate,
and the new MC also knows which previous MC was managing the wireless client mobility.
Figure 10: Inter Sub Domain Handoff
The following steps are involved in the inter sub domain handoff, when mobility controllers belong to the
same mobility group:
1. Because the client's PMK was sent by the initial MA to all the MCs in the mobility group, the new MA
has already received the client PMK from its MC, and re-authentication is not required.
2. Because the new MA was not notified previously of the station's presence on a neighboring MA inside a
different SPG, it transmits the mobile announce to the sub-domain's MC.
3. On receiving the mobile announce message, the MC forwards the mobile announce to the MO, which
performs a lookup in its database, and forwards the request to the MC that was previously providing
service to the station.
4. The previous MC, in turn, forwards the request to the MA that was previously providing service to the
station.
5. The old MA, shown in yellow color above, transmits a Handoff message directly to the new MA.
6. The old MA must notify the other MAs within its SPG of the fact that the station has left the SPG using
a Station Left message. This ensures that if the station comes back to one of the MAs, the MA is aware
of the fact that the station is no longer serviced by the old MA.
7. Once the handoff is complete, the new MA transmits the Handoff Complete message in a reliable fashion
to the new Mobility Controller.
8. The new MA then transmits the Handoff Notification to all other MAs.
9. The new MC then transmits the Handoff Complete to the old MC.
Inter Mobility Group Handoff
A mobility group is formed by MCs sharing the same mobility group name, and knowing each other.
Since the roaming event occurs across mobility groups, the 802.11r key domain advertised by the new APs
differs. This forces the client to re-authenticate. Keying information is propagated only within a mobility
group, and roaming across mobility groups requires the stations to re-authenticate when they cross mobility
group boundaries.
When the authentication is complete, the PMK that is generated is pushed to the MAs and MCs within the
same mobility group. The stations cache the PMK from the previous sub-domain because each PMK is
associated to a given sub-domain (802.11y key domain). This ensures that you do not have to re-authenticate
when the PMK roams back to the previous sub-domain within the PMK cache timeout interval. The remaining
procedure follows the inter-sub-domain handoff steps, except that these steps relate to inter mobility group
roaming.
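The handoff cases described above differ only in where the old and new MA sit in the hierarchy (same MA, same SPG, same sub-domain, same mobility group). The following Python model is an added example, not Cisco code: it classifies a roam, reports whether re-authentication is forced, and lists the messages named in the steps above. The `MA` record, the node names and the message tuples are assumptions made for illustration; the three-way handoff and the PMK cache timeout are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MA:
    """A mobility agent and the domains it sits in (all names are constructed)."""
    name: str
    spg: str     # switch peer group
    mc: str      # mobility controller, i.e. the mobility sub-domain
    group: str   # mobility group of that MC (one 802.11r key domain)


def _via_mc(old: MA, new: MA, via_oracle: bool) -> list:
    """Messages when the new MA must ask its MC where the station was served."""
    msgs = [(new.name, new.mc, "Mobile Announce")]
    if via_oracle:  # previous MA is under another MC: the MO locates that MC
        msgs += [(new.mc, "MO", "Mobile Announce"),
                 ("MO", old.mc, "Mobile Announce")]
    msgs += [
        (old.mc, old.name, "Mobile Announce"),
        (old.name, new.name, "Handoff"),
        (old.name, f"MAs in {old.spg}", "Station Left"),
        (new.name, new.mc, "Handoff Complete"),
        (new.name, "other MAs" if via_oracle else f"MAs in {new.spg}",
         "Handoff Notification"),
    ]
    if via_oracle:  # the old MC learns that the station has moved
        msgs.append((new.mc, old.mc, "Handoff Complete"))
    return msgs


def classify_roam(old: MA, new: MA) -> dict:
    """Return the handoff type, whether re-authentication is needed, and messages."""
    # The PMK is distributed only inside one mobility group (one key domain).
    reauth = old.group != new.group
    if old == new:
        kind, msgs = "intra-switch", []   # PMK already on the MA, no signalling
    elif reauth:
        kind = "inter-mobility-group"
        msgs = [("station", new.name, "Full authentication (new PMK)")]
        msgs += _via_mc(old, new, via_oracle=True)
    elif old.mc != new.mc:
        kind, msgs = "inter-sub-domain", _via_mc(old, new, via_oracle=True)
    elif old.spg != new.spg:
        kind, msgs = "inter-SPG", _via_mc(old, new, via_oracle=False)
    else:
        kind = "intra-SPG"
        msgs = [(new.name, old.name, "Mobile Announce"),
                (new.name, new.mc, "Handoff Complete"),
                (new.name, f"MAs in {new.spg}", "Handoff Notification")]
    return {"type": kind, "reauth": reauth, "messages": msgs}


# Constructed topology: two mobility groups, three sub-domains, four SPGs.
MA1 = MA("ma1", "SPG1", "mc-a", "Mygroup")
MA2 = MA("ma2", "SPG1", "mc-a", "Mygroup")
MA3 = MA("ma3", "SPG2", "mc-a", "Mygroup")
MA4 = MA("ma4", "SPG3", "mc-b", "Mygroup")
MA5 = MA("ma5", "SPG4", "mc-c", "Group2")

if __name__ == "__main__":
    for target in (MA1, MA2, MA3, MA4, MA5):
        result = classify_roam(MA1, target)
        print(f"ma1 -> {target.name}: {result['type']}, "
              f"reauth={result['reauth']}, {len(result['messages'])} messages")
        for sender, receiver, message in result["messages"]:
            print(f"    {sender} -> {receiver}: {message}")
```

Only the last case crosses a key domain, so it is the only one in which the station has to authenticate again.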
Three Way Sub Domain Handoff
The switch controller also supports mobility events that occur across foreign domains, known as a three-way
sub-domain mobility event.
The illustration below explains the interaction between the Mobility Controllers in both foreign sub-domains
through the Mobility Oracle.
The message exchange shown in the illustration is identical to that described in Inter Sub Domain Handoff,
except that the Handoff Complete notification is transmitted to the Mobility Controllers in
the old foreign sub-domain as well as the home sub-domain.
CHAPTER 23
Configuring Mobility
• Configuring Mobility Controller
• Configuring Mobility Agent
• Configuring the Mobility Oracle
Configuring Mobility Controller
Configuring Converged Access Controllers
Creating Peer Groups, Peer Group Member, and Bridge Domain ID (CLI)
Before you begin
• On the mobility agent, you can only configure the IP address of the mobility controller.
• On the mobility controller, you can define the peer group and the IP address of each peer group member.
SUMMARY STEPS
1. wireless mobility controller
2. wireless mobility controller peer-group SPG1
3. wireless mobility controller peer-group SPG1 member ip member-ip-addr public-ip public-ip-addr
4. wireless mobility controller peer-group SPG1 member ip member-ip-addr public-ip public-ip-addr
5. wireless mobility controller peer-group SPG2
6. wireless mobility controller peer-group SPG2 member ip member-ip-addr public-ip public-ip-addr
7. wireless mobility controller peer-group SPG1 bridge-domain-id id
DETAILED STEPS
Step 1
Command or Action: wireless mobility controller
Purpose: Enables the mobility controller functionality on the device. This command is applicable only to the switch. The controller is by default a mobility controller.
Example:
Controller(config)# wireless mobility controller
Step 2
Command or Action: wireless mobility controller peer-group SPG1
Purpose: Creates a peer group named SPG1.
Example:
Controller(config)# wireless mobility controller peer-group SPG1
Step 3
Command or Action: wireless mobility controller peer-group SPG1 member ip member-ip-addr public-ip public-ip-addr
Purpose: Adds a mobility agent to the peer group.
Note: The 10.10.20.2 is the mobility agent's direct IP address. When NAT is used, use the optional public IP address to enter the mobility agent's NATed address. When NAT is not used, the public IP address is not used and the device displays the mobility agent's direct IP address.
Example:
Controller(config)# wireless mobility controller peer-group SPG1 member ip 10.10.20.2 public-ip 10.10.20.2
Step 4
Command or Action: wireless mobility controller peer-group SPG1 member ip member-ip-addr public-ip public-ip-addr
Purpose: Adds another member to the peer group SPG1.
Example:
Controller(config)# wireless mobility controller peer-group SPG1 member ip 10.10.20.6 public-ip 10.10.20.6
Step 5
Command or Action: wireless mobility controller peer-group SPG2
Purpose: Creates another peer group SPG2.
Example:
Controller(config)# wireless mobility controller peer-group SPG2
Step 6
Command or Action: wireless mobility controller peer-group SPG2 member ip member-ip-addr public-ip public-ip-addr
Purpose: Adds a member to peer group SPG2.
Example:
Controller(config)# wireless mobility controller peer-group SPG2 member ip 10.10.10.20 public-ip 10.10.10.20
Step 7
Command or Action: wireless mobility controller peer-group SPG1 bridge-domain-id id
Purpose: (Optional) Adds a bridge domain to SPG1 used for defining the subnet-VLAN mapping with other SPGs.
Example:
Controller(config)# wireless mobility controller peer-group SPG1 bridge-domain-id 54
Example
This example shows how to create a peer group and add members to it:
Controller(config)# wireless mobility controller
Controller(config)# wireless mobility controller peer-group SPG1
Controller(config)# wireless mobility controller peer-group SPG1
Controller(config)# wireless mobility controller peer-group SPG1 member ip 10.10.20.2 public-ip 10.10.20.2
Controller(config)# wireless mobility controller peer-group SPG1 member ip 10.10.20.6 public-ip 10.10.20.6
Controller(config)# wireless mobility controller peer-group SPG2
Controller(config)# wireless mobility controller peer-group SPG2 member ip 10.10.10.20 public-ip 10.10.10.20
Controller(config)# wireless mobility controller peer-group SPG1 bridge-domain-id 54
Creating Peer Groups, Peer Group Member, and Bridge Domain ID (GUI)
Before you begin
• Ensure that the device is in mobility controller state.
• On the mobility agent, you can only configure the IP address of the mobility controller.
• On the mobility controller, you can define the peer group and the IP address of each peer group member.
Step 1
Choose Controller > Mobility Management > Switch Peer Group.
The Mobility Switch Peer Groups page is displayed.
Step 2
Click New.
Step 3
Enter the following details:
a) Switch Peer Group Name
b) Bridge Domain ID
c) Multicast IP Address
Step 4
Click Apply.
Step 5
Click Save Configuration.
Configuring Optional Parameters for Roaming Behavior
Use this configuration to disable the sticky anchor. This command can also be used, if required, between all
MAs and MCs where roaming is expected for the target SSID.
SUMMARY STEPS
1. wlan open21
2. no mobility anchor sticky
DETAILED STEPS
Step 1
Command or Action: wlan open21
Purpose: Configures a WLAN.
Example:
Controller(config)# wlan open20
Step 2
Command or Action: no mobility anchor sticky
Purpose: Disables the default sticky mobility anchor.
Example:
Controller(config-wlan)# no mobility anchor sticky
Example
Controller(config)# wlan open20
Controller(config-wlan)# no mobility anchor sticky
Configuring Local Mobility Group (CLI)
Configuration for wireless mobility groups and mobility group members where the mobility group is a group
of MCs.
Before you begin
MCs can belong only to one mobility group, and can know MCs in several mobility groups.
SUMMARY STEPS
1. wireless mobility group name group-name
2. wireless mobility group member ip member-ip-addr public-ip public-ip-addr
3. wireless mobility group keepalive interval time-in-seconds
4. wireless mobility group keepalive count count
DETAILED STEPS
Step 1
Command or Action: wireless mobility group name group-name
Purpose: Creates a mobility group named Mygroup.
Example:
Controller(config)# wireless mobility group name Mygroup
Step 2
Command or Action: wireless mobility group member ip member-ip-addr public-ip public-ip-addr
Purpose: Adds a mobility controller to the Mygroup mobility group.
Note: When NAT is used, use the optional public IP address to enter the NATed IP address of the mobility controller.
Example:
Controller(config)# wireless mobility group member ip 10.10.34.10 public-ip 10.10.34.28
Step 3
Command or Action: wireless mobility group keepalive interval time-in-seconds
Purpose: Configures the interval between two keepalives sent to a mobility member.
Example:
Controller(config)# wireless mobility group keepalive interval 5
Step 4
Command or Action: wireless mobility group keepalive count count
Purpose: Configures the keep alive retries before a member status is termed DOWN.
Example:
Controller(config)# wireless mobility group keepalive count 3
Example
Controller(config)# wireless mobility group name Mygroup
Controller(config)# wireless mobility group member ip 10.10.34.10 public-ip 10.10.34.28
Controller(config)# wireless mobility group keepalive interval 5
Controller(config)# wireless mobility group keepalive count 3
Configuring Local Mobility Group (GUI)
Before you begin
Mobility controllers can belong to only one mobility group and can know mobility controllers in several
mobility groups.
Step 1
Choose Controller > Mobility Management > Mobility Global Config.
The Mobility Controller Configuration page is displayed.
Step 2
Enter the following details:
a) Mobility Group Name
b) Mobility Keepalive Interval
c) Mobility Keepalive Count
d) Multicast IP Address if you want to enable multicast mode to send mobile announce messages to the mobility
members.
Note: If you do not enable multicast IP address, the device uses unicast mode to send mobile announce messages.
Step 3
Click Apply.
Step 4
Click Save Configuration.
Adding a Peer Mobility Group (CLI)
Before you begin
MCs belong to only one group, and can know MCs in several groups.
SUMMARY STEPS
1. wireless mobility group member ip member-ip-addr public-ip public-ip-addr group group-name
DETAILED STEPS
Step 1
Command or Action: wireless mobility group member ip member-ip-addr public-ip public-ip-addr group group-name
Purpose: Adds the member as a peer MC in a different group than the Mygroup.
Example:
Controller(config)# wireless mobility group member ip 10.10.10.24 public-ip 10.10.10.25 group Group2
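The peer group and mobility group commands above also decide which devices receive a client's PMK, because the MC transmits it to all the MAs in its sub-domain and to the other MCs in its own mobility group. The following Python parser is an added example, not part of the Cisco guide: it reads the commands in the form the guide enters them and lists the addresses inside that scope. The function name, the result keys and the assumption that the configuration text uses exactly this command form are illustrative; the sample configuration is constructed from the guide's example addresses.

```python
import ipaddress
import re

PROMPT = re.compile(r"^\S+\(config\)#\s*")
PEER_MEMBER = re.compile(
    r"^wireless mobility controller peer-group (\S+) member ip (\S+)"
    r"(?: public-ip (\S+))?$")
GROUP_NAME = re.compile(r"^wireless mobility group name (\S+)$")
GROUP_MEMBER = re.compile(
    r"^wireless mobility group member ip (\S+)"
    r"(?: public-ip (\S+))?(?: group (\S+))?$")

# Constructed sample, assembled from the example commands in this chapter.
SAMPLE_CONFIG = """
wireless mobility controller
wireless mobility controller peer-group SPG1
wireless mobility controller peer-group SPG1 member ip 10.10.20.2 public-ip 10.10.20.2
wireless mobility controller peer-group SPG1 member ip 10.10.20.6 public-ip 10.10.20.6
wireless mobility controller peer-group SPG2
Controller(config)# wireless mobility controller peer-group SPG2 member ip 10.10.10.20 public-ip 10.10.10.20
wireless mobility controller peer-group SPG1 bridge-domain-id 54
wireless mobility group member ip 10.10.34.10 public-ip 10.10.34.28
wireless mobility group member ip 10.10.10.24 public-ip 10.10.10.25 group Group2
wireless mobility group name Mygroup
wireless mobility group keepalive interval 5
"""


def _ip(text, line):
    """Normalise an address, or fail with the offending command in the message."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        raise ValueError(f"bad address {text!r} in: {line}") from None


def _sort_key(addr):
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))


def pmk_scope(config_text):
    """List the MAs and MCs that this MC's configuration places in PMK scope."""
    local_group = None
    agents = {}   # MA address -> switch peer group
    peers = {}    # MC address -> group name (None when no group keyword is given)
    nat = {}      # address -> public address, where the two differ
    for raw in config_text.splitlines():
        line = PROMPT.sub("", " ".join(raw.split()))
        if m := GROUP_NAME.match(line):
            local_group = m.group(1)
            continue
        if m := PEER_MEMBER.match(line):
            spg, ip, public = m.groups()
            ip = _ip(ip, line)
            agents[ip] = spg
        elif m := GROUP_MEMBER.match(line):
            ip, public, group = m.groups()
            ip = _ip(ip, line)
            peers[ip] = group
        else:
            continue  # keepalive, oracle, bridge-domain-id, ... are not needed here
        if public and _ip(public, line) != ip:
            nat[ip] = _ip(public, line)
    # The group name may be configured after the members, so resolve it last.
    same = {ip for ip, g in peers.items() if g in (None, local_group)}
    other = {ip: g for ip, g in peers.items() if g not in (None, local_group)}
    return {
        "group": local_group,
        "agents": agents,
        # Peer MCs in the same group pass the PMK on to their own MAs, which
        # are not visible in this controller's configuration.
        "receives_pmk": sorted(set(agents) | same, key=_sort_key),
        "other_group_peers": other,
        "nat": nat,
    }


if __name__ == "__main__":
    for key, value in pmk_scope(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```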
Adding a Peer Mobility Group (GUI)
Before you begin
Mobility controllers belong to only one group, and can know several mobility groups.
Step 1
Choose Controller > Mobility Management > Mobility Peer.
The Mobility Peer page is displayed.
Step 2
Click New.
Step 3
Enter the following details:
a) Mobility Member IP
b) Mobility Member Public IP
c) Mobility Member Group Name
d) Multicast IP Address
Step 4
Click Apply.
Step 5
Click Save Configuration.
Configuring Optional Parameters for Roaming Behavior
Use this configuration to disable the sticky anchor. This command can also be used, if required, between all
MAs and MCs where roaming is expected for the target SSID.
SUMMARY STEPS
1. wlan open21
2. no mobility anchor sticky
DETAILED STEPS
Step 1
Command or Action: wlan open21
Purpose: Configures a WLAN.
Example:
Controller(config)# wlan open20
Step 2
Command or Action: no mobility anchor sticky
Purpose: Disables the default sticky mobility anchor.
Example:
Controller(config-wlan)# no mobility anchor sticky
Example
Controller(config)# wlan open20
Controller(config-wlan)# no mobility anchor sticky
Pointing the Mobility Controller to a Mobility Oracle (CLI)
Before you begin
You can configure a mobility oracle on a known mobility controller.
SUMMARY STEPS
1. wireless mobility group member ip member-ip-addr group group-name
2. wireless mobility oracle ip oracle-ip-addr
DETAILED STEPS
Step 1
Command or Action: wireless mobility group member ip member-ip-addr group group-name
Purpose: Creates and adds a MC to a mobility group.
Example:
Controller(config)# wireless mobility group member ip 10.10.10.10 group Group3
Step 2
Command or Action: wireless mobility oracle ip oracle-ip-addr
Purpose: Configures the mobility controller as mobility oracle.
Example:
Controller(config)# wireless mobility oracle ip 10.10.10.10
Example
Controller(config)# wireless mobility group member ip 10.10.10.10 group Group3
Controller(config)# wireless mobility oracle ip 10.10.10.10
Pointing the Mobility Controller to a Mobility Oracle (GUI)
Before you begin
You can configure a mobility oracle on a known mobility controller.
Step 1
Choose Controller > Mobility Management > Mobility Global Config.
The Mobility Controller Configuration page is displayed.
Step 2
Enter the Mobility Oracle IP Address.
Note: To make the mobility controller itself a mobility oracle, select the Mobility Oracle Enabled check box.
Step 3
Click Apply.
Step 4
Click Save Configuration.
Configuring Guest Controller
A guest controller is used when the client traffic is tunneled to a guest anchor controller in the demilitarized
zone (DMZ). The guest client goes through a web authentication process. The web authentication process is
optional, and the guest is allowed to pass traffic without authentication too.
Enable the WLAN on the mobility agent on which the guest client connects with the mobility anchor address
of the guest controller.
On the guest controller WLAN, which can be Cisco 5500 Series WLC, Cisco WiSM2, or Cisco 5700 Series
WLC, configure the IP address of the mobility anchor as its own IP address. This allows the traffic to be
tunneled to the guest controller from the mobility agent.
Note: With Cisco 5700 Series WLC as the guest anchor controller and Cisco 5500 Series WLC or Cisco WiSM2
as export foreign controller, the guest user role per user is not supported on the Cisco 5700 Series WLC.
SUMMARY STEPS
1. wlan wlan-id
2. mobility anchor guest-anchor-ip-addr
3. client vlan vlan-name
4. security open
DETAILED STEPS
Step 1
Command or Action: wlan wlan-id
Purpose: Creates a WLAN for the client.
Example:
Controller(config)# wlan Mywlan1
Step 2
Command or Action: mobility anchor guest-anchor-ip-addr
Purpose: Enables the guest anchor's (GA) IP address on the MA.
Note: To enable guest anchor on the mobility controller, you need not enter the IP address. Enter the mobility anchor command in the WLAN configuration mode to enable GA on the mobility controller.
Example:
Controller(config-wlan)# mobility anchor 10.10.10.2
Step 3
Command or Action: client vlan vlan-name
Purpose: Assigns a VLAN to the client's WLAN.
Example:
Controller(config-wlan)# client vlan gc_ga_vlan1
Step 4
Command or Action: security open
Purpose: Assigns a security type to the WLAN.
Example:
Controller(config-wlan)# security open
Example
Controller(config)# wlan Mywlan1
Controller(config-wlan)# mobility anchor 10.10.10.2
Controller(config-wlan)# client vlan gc_ga_vlan1
Controller(config-wlan)# security open
Configuring Guest Anchor
SUMMARY STEPS
1. wlan Mywlan1
2. mobility anchor <guest-anchors-own-ip-address>
3. client vlan <vlan-name>
4. security open
DETAILED STEPS
Step 1
Command or Action: wlan Mywlan1
Purpose: Creates a WLAN for the client.
Example:
Controller(config)# wlan Mywlan1
Step 2
Command or Action: mobility anchor <guest-anchors-own-ip-address>
Purpose: Enables the guest anchor's IP address on the guest anchor (GA). The GA assigns its own address on itself.
Example:
Controller(config-wlan)# mobility anchor 10.10.10.2
Step 3
Command or Action: client vlan <vlan-name>
Purpose: Assigns a VLAN to the client's WLAN.
Example:
Controller(config-wlan)# client vlan gc_ga_vlan1
Step 4
Command or Action: security open
Purpose: Assigns a security type to the WLAN.
Example:
Controller(config-wlan)# security open
Example
Controller(config)# wlan Mywlan1
Controller(config-wlan)# mobility anchor 10.10.10.2
Controller(config-wlan)# client vlan gc_ga_vlan1
Controller(config-wlan)# security open
Configuring Converged Access Controller on 5508 or WiSM 2
Enabling the New Mobility
Before you begin
You will require Cisco Unified Wireless Network 7.3 MR1, 8.0 or later to configure the new mobility
architecture.
SUMMARY STEPS
1. config mobility new-architecture enable
DETAILED STEPS
Step 1
Command or Action: config mobility new-architecture enable
Purpose: Enables and installs the new mobility architecture on the CUWN based controller.
Example:
(Cisco Controller) >config mobility new-architecture enable
Example
(Cisco Controller) >config mobility new-architecture enable
Enabling new-architecture would change mobility architecture from flat to hierarchical !!!
Configuration changes will be saved and System will be rebooted. !!!
Are you sure you want to continue? (y/n) y
Configuring Mobility Controller
This configuration shows how to change the MC's public address, or mobility group name.
SUMMARY STEPS
1.
DETAILED STEPS
Command or Action
Step 1
Purpose
Example:
Example
Creating Peer Groups, Peer Group Member, and Bridge Domain ID (CLI)
Before you begin
• On the mobility agent, you can only configure the IP address of the mobility controller.
• On the mobility controller, you can define the peer group and the IP address of each peer group member.
SUMMARY STEPS
1. wireless mobility controller
2. wireless mobility controller peer-group SPG1
3. wireless mobility controller peer-group SPG1 member ip member-ip-addr public-ip public-ip-addr
4. wireless mobility controller peer-group SPG1 member ip member-ip-addr public-ip public-ip-addr
5. wireless mobility controller peer-group SPG2
6. wireless mobility controller peer-group SPG2 member ip member-ip-addr public-ip public-ip-addr
7. wireless mobility controller peer-group SPG1 bridge-domain-id id
DETAILED STEPS
Step 1
Command or Action: wireless mobility controller
Purpose: Enables the mobility controller functionality on the device. This command is applicable only to the switch. The controller is by default a mobility controller.
Example:
Controller(config)# wireless mobility controller
Step 2
Command or Action: wireless mobility controller peer-group SPG1
Purpose: Creates a peer group named SPG1.
Example:
Controller(config)# wireless mobility controller peer-group SPG1
Step 3
Command or Action: wireless mobility controller peer-group SPG1 member ip member-ip-addr public-ip public-ip-addr
Purpose: Adds a mobility agent to the peer group.
Note: The 10.10.20.2 is the mobility agent's direct IP address. When NAT is used, use the optional public IP address to enter the mobility agent's NATed address. When NAT is not used, the public IP address is not used and the device displays the mobility agent's direct IP address.
Example:
Controller(config)# wireless mobility controller peer-group SPG1 member ip 10.10.20.2 public-ip 10.10.20.2
Step 4
Command or Action: wireless mobility controller peer-group SPG1 member ip member-ip-addr public-ip public-ip-addr
Purpose: Adds another member to the peer group SPG1.
Example:
Controller(config)# wireless mobility controller peer-group SPG1 member ip 10.10.20.6 public-ip 10.10.20.6
Step 5
Command or Action: wireless mobility controller peer-group SPG2
Purpose: Creates another peer group SPG2.
Example:
Controller(config)# wireless mobility controller peer-group SPG2
Step 6
Command or Action: wireless mobility controller peer-group SPG2 member ip member-ip-addr public-ip public-ip-addr
Purpose: Adds a member to peer group SPG2.
Example:
Controller(config)# wireless mobility controller peer-group SPG2 member ip 10.10.10.20 public-ip 10.10.10.20
Step 7
Command or Action: wireless mobility controller peer-group SPG1 bridge-domain-id id
Purpose: (Optional) Adds a bridge domain to SPG1 used for defining the subnet-VLAN mapping with other SPGs.
Example:
Controller(config)# wireless mobility controller peer-group SPG1 bridge-domain-id 54
Example
This example shows how to create a peer group and add members to it:
Controller(config)# wireless mobility controller
Controller(config)# wireless mobility controller peer-group SPG1
Controller(config)# wireless mobility controller peer-group SPG1
Controller(config)# wireless mobility controller peer-group SPG1 member ip 10.10.20.2 public-ip 10.10.20.2
Controller(config)# wireless mobility controller peer-group SPG1 member ip 10.10.20.6 public-ip 10.10.20.6
Controller(config)# wireless mobility controller peer-group SPG2
Controller(config)# wireless mobility controller peer-group SPG2 member ip 10.10.10.20 public-ip 10.10.10.20
Controller(config)# wireless mobility controller peer-group SPG1 bridge-domain-id 54
Configuring Local Mobility Group (CLI)
Configuration for wireless mobility groups and mobility group members where the mobility group is a group
of MCs.
Before you begin
MCs can belong only to one mobility group, and can know MCs in several mobility groups.
SUMMARY STEPS
1. wireless mobility group name group-name
2. wireless mobility group member ip member-ip-addr public-ip public-ip-addr
3. wireless mobility group keepalive interval time-in-seconds
4. wireless mobility group keepalive count count
DETAILED STEPS
Step 1
Command or Action: wireless mobility group name group-name
Purpose: Creates a mobility group named Mygroup.
Example:
Controller(config)# wireless mobility group name Mygroup
Step 2
Command or Action: wireless mobility group member ip member-ip-addr public-ip public-ip-addr
Purpose: Adds a mobility controller to the Mygroup mobility group.
Note: When NAT is used, use the optional public IP address to enter the NATed IP address of the mobility controller.
Example:
Controller(config)# wireless mobility group member ip 10.10.34.10 public-ip 10.10.34.28
Step 3
Command or Action: wireless mobility group keepalive interval time-in-seconds
Purpose: Configures the interval between two keepalives sent to a mobility member.
Example:
Controller(config)# wireless mobility group keepalive interval 5
Step 4
Command or Action: wireless mobility group keepalive count count
Purpose: Configures the keep alive retries before a member status is termed DOWN.
Example:
Controller(config)# wireless mobility group keepalive count 3
Example
Controller(config)# wireless mobility group name Mygroup
Controller(config)# wireless mobility group member ip 10.10.34.10 public-ip 10.10.34.28
Controller(config)# wireless mobility group keepalive interval 5
Controller(config)# wireless mobility group keepalive count 3
Adding a Peer Mobility Group (CLI)
Before you begin
MCs belong to only one group, and can know MCs in several groups.
SUMMARY STEPS
1. wireless mobility group member ip member-ip-addr public-ip public-ip-addr group group-name
DETAILED STEPS
Step 1
Command or Action: wireless mobility group member ip member-ip-addr public-ip public-ip-addr group group-name
Purpose: Adds the member as a peer MC in a different group than the Mygroup.
Example:
Controller(config)# wireless mobility group member ip 10.10.10.24 public-ip 10.10.10.25 group Group2
Configuring Optional Parameters for Roaming Behavior
Use this configuration to disable the sticky anchor. This command can also be used, if required, between all
MAs and MCs where roaming is expected for the target SSID.
SUMMARY STEPS
1. wlan open21
2. no mobility anchor sticky
DETAILED STEPS
Step 1
Command or Action: wlan open21
Purpose: Configures a WLAN.
Example:
Controller(config)# wlan open20
Step 2
Command or Action: no mobility anchor sticky
Purpose: Disables the default sticky mobility anchor.
Example:
Controller(config-wlan)# no mobility anchor sticky
Example
Controller(config)# wlan open20
Controller(config-wlan)# no mobility anchor sticky
Pointing the Mobility Controller to a Mobility Oracle (CLI)
Before you begin
You can configure a mobility oracle on a known mobility controller.
SUMMARY STEPS
1. wireless mobility group member ip member-ip-addr group group-name
2. wireless mobility oracle ip oracle-ip-addr
DETAILED STEPS
Step 1
Command or Action: wireless mobility group member ip member-ip-addr group group-name
Purpose: Creates and adds a MC to a mobility group.
Example:
Controller(config)# wireless mobility group member ip 10.10.10.10 group Group3
Step 2
Command or Action: wireless mobility oracle ip oracle-ip-addr
Purpose: Configures the mobility controller as mobility oracle.
Example:
Controller(config)# wireless mobility oracle ip 10.10.10.10
Example
Controller(config)# wireless mobility group member ip 10.10.10.10 group Group3
Controller(config)# wireless mobility oracle ip 10.10.10.10
Configuring Mobility Agent
Configuring Mobility Agent by Pointing to Mobility Controller (CLI)
Before you begin
• By default, the switches are configured as mobility agents.
• Your network must have at least one mobility controller and the network connectivity with the mobility
controller must be operational.
• You cannot configure mobility from the mobility agent. On the mobility agent, you can configure only
the IP address of the mobility controller to download the SPG configuration.
• On the mobility agent, you can either configure the mobility controller address to point to an external
mobility agent, or enable the mobility controller function.
SUMMARY STEPS
1. configure terminal
2. wireless management interface vlan 21
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 2
Command or Action: wireless management interface vlan 21
Purpose: Enables the wireless functionality on the device and activates the mobility agent function. This ensures the APs have a place to terminate the CAPWAP tunnel.
Example:
Controller(config)# wireless management interface vlan 21
Example
This example shows how to add a mobility agent into the mobility group by pointing it to a mobility
controller:
Controller(config)# wireless management interface vlan 21
Configuring Mobility Agent by Pointing to Mobility Controller (GUI)
Before you begin
• By default, the switches are configured as mobility agents.
• Your network must have at least one mobility controller and the network connectivity with the mobility
controller must be operational.
• You cannot configure mobility from the mobility agent. On the mobility agent, you can configure only
the IP address of the mobility controller to download the SPG configuration.
• On the mobility agent, you can either configure the mobility controller address to point to an external
mobility agent, or enable the mobility controller function.
Step 1
Choose Configuration > Controller > Mobility Management > Mobility Global Config
The Mobility Controller Configuration page is displayed.
Step 2
From the Mobility Role drop-down list, choose Mobility Agent.
Step 3
In the Mobility Controller IP Address, enter the IP address of the mobility controller.
Step 4
Click Apply.
Step 5
Click Save Configuration.
Step 6
Reboot the device.
Configuring the Mobility Controller for the Mobility Agent (CLI)
SUMMARY STEPS
1. wireless mobility controller
2. wireless mobility controller ip ip-addr
DETAILED STEPS
Step 1
Command or Action: wireless mobility controller
Purpose: Enables the mobility function on the controller.
Note: After you enter this command, save the configuration and reboot the controller for the mobility controller function to take effect.
Example:
Controller(config)# wireless mobility controller
Mobility role changed to Mobility Controller.
Please save config and reboot the whole stack.
Step 2
Command or Action: wireless mobility controller ip ip-addr
Purpose: Specifies the mobility controller to which the mobility agent relates.
Note: If a mobility agent is configured and the mobility controller exists on a different device, configure the SPG on the mobility controller to ensure the mobility agent functions properly.
Example:
Controller(config)# wireless mobility controller ip 10.10.21.3
What to do next
After you add a mobility controller role to the mobility agent, you can configure optional parameters on the
mobility agent.
Configuring Optional Parameters on a Mobility Agent (CLI)
This section shows how to configure load-balancing on a controller.
• By default, the load-balancing is enabled and it cannot be disabled.
• The controller supports a maximum of 2000 clients and the default threshold value is fifty percent of
client max load.
• When the controller reaches its threshold, it redistributes the new client load to other mobility agents
in the same SPG, if their client load is lower.
SUMMARY STEPS
1. wireless mobility load-balance threshold threshold-value
DETAILED STEPS
Step 1
Command or Action: wireless mobility load-balance threshold threshold-value
Purpose: Configures the threshold that triggers load-balancing.
Example:
Controller(config)# wireless mobility load-balance threshold 150
Configuring the Mobility Oracle
Configuring Mobility Oracle on Converged Access Controller
This configuration shows how to configure mobility oracle on a converged access controller only. The mobility
controller can either have mobility oracle enabled or point to an external mobility oracle, but not both.
Enabling the Mobility Oracle on the Controller
SUMMARY STEPS
1. wireless mobility oracle
DETAILED STEPS
Step 1
Command or Action: wireless mobility oracle
Purpose: Enables the mobility oracle on the mobility controller.
Example:
Controller(config)# wireless mobility oracle
Example
This example shows how to enable the mobility oracle on the mobility controller:
Controller(config)# wireless mobility oracle
Configuring Mobility Oracle on CUWN
Enabling Mobility Oracle on CUWN
This configuration shows how to enable the mobility oracle on the 5508 or WiSM2 controllers.
SUMMARY STEPS
1. config mobility oracle enable
2. config mobility oracle ip 10.10.10.5
DETAILED STEPS
Step 1
Command or Action: config mobility oracle enable
Purpose: Enables the oracle on CUWN 5500.
Example:
<cisco-controller> config wireless mobility oracle
Step 2
Command or Action: config mobility oracle ip 10.10.10.5
Purpose: Configures the MC with MO's IP address.
Example:
<cisco-controller> config wireless mobility oracle ip 10.10.10.5
Example
This example shows how to enable oracle on CUWN and make the CUWN also act as MO:
<cisco-controller> config wireless mobility oracle
<cisco-controller> config wireless mobility oracle ip 10.10.10.5
PART IV
Interface
• Configuring Interfaces
• Configuring Management Interfaces
• Configuring AP Manager Interfaces
• Configuring Dynamic Interfaces
• Configuring Multiple AP Manager Interfaces
• Configuring Interface Groups
CHAPTER 24
Configuring Interfaces
This chapter contains the following topics:
• Finding Feature Information
• Pre-requisites for Configuring Interfaces
• Restrictions for Configuring Interfaces
• Information About Interfaces
• Interface Types
• Port-Based VLANs
• Switch Ports
• Access Ports
• Trunk Ports
• Tunnel Ports
• Routed Ports
• Switch Virtual Interfaces
• SVI Autostate Exclude
• EtherChannel Port Groups
• 10-Gigabit Ethernet Interfaces
• Interface Connections
• Interface Configuration Mode
• Default Ethernet Interface Configuration
• Layer 3 Interfaces
• Configuring Interfaces
• Adding a Description for an Interface
• Configuring a Range of Interfaces: Examples
• Configuring and Using Interface Range Macros: Examples
• Configuring Interfaces
• Configuring Layer 3 Interfaces
• Shutting Down and Restarting the Interface
• Monitoring Interface Characteristics
• Monitoring Interface Status
• Clearing and Resetting Interfaces and Counters
• Viewing Wireless Interfaces (GUI)
• Configuring Ports (GUI)
• Configuring Wireless Interface (GUI)
• Feature History and Information For Configuring Interfaces
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. Use Cisco Feature
Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Pre-requisites for Configuring Interfaces
You can define the wireless management, AP-manager, virtual, and management interface parameters using
the Startup Wizard. However, you can display and configure interface parameters through either the GUI or
CLI after the controller is running.
For Cisco 5700 Series Controllers in a non-link-aggregation (non-LAG) configuration, the management
interface must be on a different VLAN than any dynamic AP-manager interface. Otherwise, the management
interface cannot fail over to the port that the AP-manager is on.
To configure interfaces, you must configure the default gateway, router, and the IP route using the following
commands:
• ip default-gateway 154.4.0.1
• default-router 154.51.0.1
• ip route 0.0.0.0 0.0.0.0 154.4.0.1
Restrictions for Configuring Interfaces
Information About Interfaces
An interface is a logical entity on the controller. An interface has multiple parameters associated with it,
including an IP address, default gateway, VLAN identifier, and DHCP server. The following interfaces
are available on the controller:
• Wireless Management Interface
• AP Manager Interface
• Dynamic Interface
The wireless management interface is used for access point join functions, mobility, and RRM. It is also used for
peer connections (MC - MC connections) and MC to MA connections.
Typically, you define the management, AP-manager, virtual, and service-port interface parameters using the
Startup Wizard. However, you can display and configure interface parameters through either the GUI or CLI
after the controller is running.
Interface Types
This section describes the different types of interfaces supported by the controller. The rest of the chapter
describes configuration procedures for physical interface characteristics.
Note
The stack ports on the rear of the stacking-capable controllers are not Ethernet ports and cannot be configured.
Port-Based VLANs
A VLAN is a switched network that is logically segmented by function, team, or application, without regard
to the physical location of the users. Packets received on a port are forwarded only to ports that belong to the
same VLAN as the receiving port. Network devices in different VLANs cannot communicate with one another
without a Layer 3 device to route traffic between the VLANs.
VLAN partitions provide hard firewalls for traffic in the VLAN, and each VLAN has its own MAC address
table. A VLAN comes into existence when a local port is configured to be associated with the VLAN, when
the VLAN Trunking Protocol (VTP) learns of its existence from a neighbor on a trunk, or when a user creates
a VLAN. VLANs can be formed with ports across the stack.
To configure VLANs, use the vlan vlan-id global configuration command to enter VLAN configuration mode.
The VLAN configurations for normal-range VLANs (VLAN IDs 1 to 1005) are saved in the VLAN database.
If VTP is version 1 or 2, to configure extended-range VLANs (VLAN IDs 1006 to 4094), you must first set
VTP mode to transparent. Extended-range VLANs created in transparent mode are not added to the VLAN
database but are saved in the controller running configuration. With VTP version 3, you can create
extended-range VLANs in client or server mode. These VLANs are saved in the VLAN database.
In a switch stack, the VLAN database is downloaded to all switches in a stack, and all switches in the stack
build the same VLAN database. The running configuration and the saved configuration are the same for all
switches in a stack.
Add ports to a VLAN by using the switchport interface configuration commands:
• Identify the interface.
• For a trunk port, set trunk characteristics, and, if desired, define the VLANs to which it can belong.
• For an access port, set and define the VLAN to which it belongs.
Switch Ports
Switch ports are Layer 2-only interfaces associated with a physical port. Switch ports belong to one or more
VLANs. A controller port can be an access port, a trunk port, or a tunnel port. You can configure a port as an
access port or trunk port or let the Dynamic Trunking Protocol (DTP) operate on a per-port basis to set the
switchport mode by negotiating with the port on the other end of the link. You must manually configure tunnel
ports as part of an asymmetric link connected to an IEEE 802.1Q trunk port. Switch ports are used for managing
the physical interface and associated Layer 2 protocols and do not handle routing or bridging.
Configure controller ports by using the switchport interface configuration commands. Use the switchport
command with no keywords to put an interface that is in Layer 3 mode into Layer 2 mode.
Note
When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration information
related to the affected interface might be lost, and the interface is returned to its default configuration.
Access Ports
An access port belongs to and carries the traffic of only one VLAN (unless it is configured as a voice VLAN
port). Traffic is received and sent in native formats with no VLAN tagging. Traffic arriving on an access port
is assumed to belong to the VLAN assigned to the port. If an access port receives a tagged packet (Inter-Switch
Link [ISL] or IEEE 802.1Q tagged), the packet is dropped, and the source address is not learned.
The types of access ports supported are:
• Static access ports are manually assigned to a VLAN (or through a RADIUS server for use with IEEE
802.1x).
You can also configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and
another VLAN for data traffic from a device attached to the phone.
Trunk Ports
A trunk port carries the traffic of multiple VLANs and by default is a member of all VLANs in the VLAN
database.
Although by default, a trunk port is a member of every VLAN known to the VTP, you can limit VLAN
membership by configuring an allowed list of VLANs for each trunk port. The list of allowed VLANs does
not affect any other port but the associated trunk port. By default, all possible VLANs (VLAN ID 1 to 4094)
are in the allowed list. A trunk port can become a member of a VLAN only if VTP knows of the VLAN and
if the VLAN is in the enabled state. If VTP learns of a new, enabled VLAN and the VLAN is in the allowed
list for a trunk port, the trunk port automatically becomes a member of that VLAN and traffic is forwarded
to and from the trunk port for that VLAN. If VTP learns of a new, enabled VLAN that is not in the allowed
list for a trunk port, the port does not become a member of the VLAN, and no traffic for the VLAN is forwarded
to or from the port.
Tunnel Ports
Tunnel ports are used in IEEE 802.1Q tunneling to segregate the traffic of customers in a service-provider
network from other customers who are using the same VLAN number. You configure an asymmetric link
from a tunnel port on a service-provider edge switch to an IEEE 802.1Q trunk port on the customer switch.
Packets entering the tunnel port on the edge switch, already IEEE 802.1Q-tagged with the customer VLANs,
are encapsulated with another layer of an IEEE 802.1Q tag (called the metro tag), containing a VLAN ID
unique in the service-provider network, for each customer. The double-tagged packets go through the
service-provider network keeping the original customer VLANs separate from those of other customers. At
the outbound interface, also a tunnel port, the metro tag is removed, and the original VLAN numbers from
the customer network are retrieved.
Tunnel ports cannot be trunk ports or access ports and must belong to a VLAN unique to each customer.
Routed Ports
A routed port is a physical port that acts like a port on a router; it does not have to be connected to a router.
A routed port is not associated with a particular VLAN, as is an access port. A routed port behaves like a
regular router interface, except that it does not support VLAN subinterfaces. Routed ports can be configured
with a Layer 3 routing protocol. A routed port is a Layer 3 interface only and does not support Layer 2
protocols, such as DTP and STP.
Configure routed ports by putting the interface into Layer 3 mode with the no switchport interface configuration
command. Then assign an IP address to the port, enable routing, and assign routing protocol characteristics
by using the ip routing and router protocol global configuration commands.
Note
Entering a no switchport interface configuration command shuts down the interface and then re-enables it,
which might generate messages on the device to which the interface is connected. When you put an interface
that is in Layer 2 mode into Layer 3 mode, the previous configuration information related to the affected
interface might be lost.
The number of routed ports that you can configure is not limited by software. However, the interrelationship
between this number and the number of other features being configured might impact CPU performance
because of hardware limitations.
Note
The IP Base image supports static routing and the Routing Information Protocol (RIP). For full Layer 3 routing
or for fallback bridging, you must enable the IP Services image on the standalone controller, or the active
controller.
Switch Virtual Interfaces
A switch virtual interface (SVI) represents a VLAN of switch ports as one interface to the routing or bridging
function in the system. Only one SVI can be associated with a VLAN, but you need to configure an SVI for
a VLAN only when you wish to route between VLANs, to fallback-bridge nonroutable protocols between
VLANs, or to provide IP host connectivity to the controller. By default, an SVI is created for the default
VLAN (VLAN 1) to permit remote controller administration. Additional SVIs must be explicitly configured.
Note
You cannot delete interface VLAN 1.
SVIs provide IP host connectivity only to the system; in Layer 3 mode, you can configure routing across SVIs.
Although the switch stack or controller supports a total of 1005 VLANs and SVIs, the interrelationship between
the number of SVIs and routed ports and the number of other features being configured might impact CPU
performance because of hardware limitations.
SVIs are created the first time that you enter the vlan interface configuration command for a VLAN interface.
The VLAN corresponds to the VLAN tag associated with data frames on an ISL or IEEE 802.1Q encapsulated
trunk or the VLAN ID configured for an access port. Configure a VLAN interface for each VLAN for which
you want to route traffic, and assign it an IP address.
Note
When you create an SVI, it does not become active until it is associated with a physical port.
SVIs support routing protocols and bridging configurations.
Note
The IP base feature set supports static routing and RIP. For more advanced routing or for fallback bridging,
enable the IP services feature set on the standalone switch or the active switch. For information about using
the software activation feature to install a software license for a specific feature set, see the Cisco IOS Software
Activation document.
SVI Autostate Exclude
The line state of an SVI with multiple ports on a VLAN is in the up state when it meets these conditions:
• The VLAN exists and is active in the VLAN database on the controller.
• The VLAN interface exists and is not administratively down.
• At least one Layer 2 (access or trunk) port exists, has a link in the up state on this VLAN, and is in the
spanning-tree forwarding state on the VLAN.
Note
The protocol link state for a VLAN interface comes up when the first switchport belonging to the corresponding
VLAN link comes up and is in STP forwarding state.
The default action, when a VLAN has multiple ports, is that the SVI goes down when all ports in the VLAN
go down. You can use the SVI autostate exclude feature to configure a port so that it is not included in the
SVI line-state up-or-down calculation. For example, if the only active port on the VLAN is a monitoring port,
you might configure autostate exclude on that port so that the VLAN goes down when all other ports go down.
When enabled on a port, autostate exclude applies to all VLANs that are enabled on that port.
The VLAN interface is brought up when one Layer 2 port in the VLAN has had time to converge (transition
from STP listening-learning state to forwarding state). This prevents features such as routing protocols from
using the VLAN interface as if it were fully operational and minimizes other problems, such as routing black
holes.
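The line-state rule above, modelled as an added example (not Cisco code) so that the effect of autostate exclude on a monitoring port can be checked per VLAN. The class and function names and the port table are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    link_up: bool
    stp_state: dict                  # VLAN ID -> spanning-tree state on that VLAN
    autostate_exclude: bool = False  # when set, applies to every VLAN on the port


@dataclass
class Svi:
    vlan: int
    vlan_active: bool = True   # VLAN exists and is active in the VLAN database
    admin_down: bool = False   # VLAN interface administratively shut down


def svi_line_states(svis, ports):
    """Return {vlan: "up" | "down"} from the three conditions in this section."""
    states = {}
    for svi in svis:
        # Ports with autostate exclude are left out of the calculation entirely.
        counted = [p for p in ports
                   if svi.vlan in p.stp_state and not p.autostate_exclude]
        forwarding = any(p.link_up and p.stp_state[svi.vlan] == "forwarding"
                         for p in counted)
        up = svi.vlan_active and not svi.admin_down and forwarding
        states[svi.vlan] = "up" if up else "down"
    return states


def sample_ports(exclude_monitor_port):
    """Constructed port table: on VLAN 20 only the monitoring port is forwarding."""
    return [
        Port("Gi1/0/1", link_up=False, stp_state={20: "disabled"}),
        Port("Gi1/0/2", link_up=True, stp_state={30: "forwarding"}),
        # Trunk still converging on VLAN 20, already forwarding on VLAN 30.
        Port("Gi1/0/3", link_up=True, stp_state={20: "learning", 30: "forwarding"}),
        # Monitoring port in VLAN 20.
        Port("Gi1/0/10", link_up=True, stp_state={20: "forwarding"},
             autostate_exclude=exclude_monitor_port),
    ]


SVIS = [Svi(20), Svi(30)]

if __name__ == "__main__":
    print("monitor port counted: ", svi_line_states(SVIS, sample_ports(False)))
    print("monitor port excluded:", svi_line_states(SVIS, sample_ports(True)))
```

With the monitoring port counted, the VLAN 20 SVI stays up although no user-facing port is forwarding, which is the condition that lets routing treat the VLAN as reachable.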
EtherChannel Port Groups
EtherChannel port groups treat multiple switch ports as one switch port. These port groups act as a single
logical port for high-bandwidth connections between controllers or between controllers and servers. An
EtherChannel balances the traffic load across the links in the channel. If a link within the EtherChannel fails,
traffic previously carried over the failed link changes to the remaining links. You can group multiple trunk
ports into one logical trunk port, group multiple access ports into one logical access port, group multiple tunnel
ports into one logical tunnel port, or group multiple routed ports into one logical routed port. Most protocols
operate over either single ports or aggregated switch ports and do not recognize the physical ports within the
port group. Exceptions are the DTP, the Cisco Discovery Protocol (CDP), and the Port Aggregation Protocol
(PAgP), which operate only on physical ports.
When you configure an EtherChannel, you create a port-channel logical interface and assign an interface to
the EtherChannel. For Layer 3 interfaces, you manually create the logical interface by using the interface
port-channel global configuration command. Then you manually assign an interface to the EtherChannel by
using the channel-group interface configuration command. For Layer 2 interfaces, use the channel-group
interface configuration command to dynamically create the port-channel logical interface. This command
binds the physical and logical ports together.
10-Gigabit Ethernet Interfaces
A 10-Gigabit Ethernet interface operates only in full-duplex mode. The interface can be configured as a
switched or routed port.
The controller has a network module slot into which you can insert a 10-Gigabit Ethernet network module, a
1-Gigabit Ethernet network module, or a blank module.
For more information about the Cisco TwinGig Converter Module, see the controller hardware installation
guide and your transceiver module documentation.
Interface Connections
Devices within a single VLAN can communicate directly through any switch. Ports in different VLANs cannot
exchange data without going through a routing device. With a standard Layer 2 controller, ports in different
VLANs have to exchange information through a router. By using the controller with routing enabled, when
you configure both VLAN 20 and VLAN 30 with an SVI to which an IP address is assigned, packets can be
sent from Host A to Host B directly through the controller with no need for an external router.
Figure 11: Connecting VLANs with the Switch
• The routing function can be enabled on all SVIs and routed ports. The controller routes only IP traffic.
When IP routing protocol parameters and address configuration are added to an SVI or routed port, any
IP traffic received from these ports is routed.
• Fallback bridging forwards traffic that the controller does not route or traffic belonging to a nonroutable
protocol, such as DECnet. Fallback bridging connects multiple VLANs into one bridge domain by
bridging between two or more SVIs or routed ports. When configuring fallback bridging, you assign
SVIs or routed ports to bridge groups with each SVI or routed port assigned to only one bridge group.
All interfaces in the same group belong to the same bridge domain.
Interface Configuration Mode
The controller supports these interface types:
• Physical ports—controller ports and routed ports
• VLANs—switch virtual interfaces
• Port channels—EtherChannel interfaces
You can also configure a range of interfaces.
To configure a physical interface (port), specify the interface type, stack member number (only stacking-capable
switches), module number, and controller port number, and enter interface configuration mode.
• Type—Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mb/s Ethernet ports, 10-Gigabit Ethernet
(tengigabitethernet or te) for 10,000 Mb/s, or small form-factor pluggable (SFP) module Gigabit Ethernet
interfaces (gigabitethernet or gi).
• Stack member number—The number that identifies the controller within the stack. The controller number
range is 1 to 9 and is assigned the first time the controller initializes. The default controller number,
before it is integrated into a controller stack, is 1. When a controller has been assigned a stack member
number, it keeps that number until another is assigned to it.
You can use the switch port LEDs in Stack mode to identify the stack member number of a controller.
• Module number—The module or slot number on the controller: switch (downlink) ports are 0, and uplink
ports are 1.
• Port number—The interface number on the controller. The 10/100/1000 port numbers always begin at 1,
starting with the far left port when facing the front of the controller, for example, gigabitethernet1/0/1
or gigabitethernet1/0/8.
On a controller with SFP uplink ports, the module number is 1 and the port numbers restart. For example,
if the controller has 24 10/100/1000 ports, the SFP module ports are gigabitethernet1/1/1 through
gigabitethernet1/1/4 or tengigabitethernet1/1/1 through tengigabitethernet1/1/4.
You can identify physical interfaces by physically checking the interface location on the controller. You can
also use the show privileged EXEC commands to display information about a specific interface or all the
interfaces on the switch. The remainder of this chapter primarily provides physical interface configuration
procedures.
These are examples of how to identify interfaces on a stacking-capable controller:
• To configure 10/100/1000 port 4 on a standalone controller, enter this command:
Controller(config)# interface gigabitethernet1/0/4
• To configure 10-Gigabit Ethernet port 1 on a standalone controller, enter this command:
Controller(config)# interface tengigabitethernet1/0/1
• To configure 10-Gigabit Ethernet port on stack member 3, enter this command:
Controller(config)# interface tengigabitethernet3/0/1
• To configure the first SFP module (uplink) port on a standalone controller, enter this command:
Controller(config)# interface gigabitethernet1/1/1
Default Ethernet Interface Configuration
To configure Layer 2 parameters, if the interface is in Layer 3 mode, you must enter the switchport interface
configuration command without any parameters to put the interface into Layer 2 mode. This shuts down the
interface and then re-enables it, which might generate messages on the device to which the interface is
connected. When you put an interface that is in Layer 3 mode into Layer 2 mode, the previous configuration
information related to the affected interface might be lost, and the interface is returned to its default
configuration.
This table shows the Ethernet interface default configuration, including some features that apply only to Layer
2 interfaces.
Table 45: Default Layer 2 Ethernet Interface Configuration
Feature | Default Setting
Operating mode | Layer 2 or switching mode (switchport command).
Allowed VLAN range | VLANs 1–4094.
Default VLAN (for access ports) | VLAN 1 (Layer 2 interfaces only).
Native VLAN (for IEEE 802.1Q trunks) | VLAN 1 (Layer 2 interfaces only).
VLAN trunking | Switchport mode dynamic auto (supports DTP) (Layer 2 interfaces only).
Port enable state | All ports are enabled.
Port description | None defined.
Speed | Autonegotiate. (Not supported on the 10-Gigabit interfaces.)
Duplex mode | Autonegotiate. (Not supported on the 10-Gigabit interfaces.)
Flow control | Flow control is set to receive: off. It is always off for sent packets.
EtherChannel (PAgP) | Disabled on all Ethernet ports.
Port blocking (unknown multicast and unknown unicast traffic) | Disabled (not blocked) (Layer 2 interfaces only).
Broadcast, multicast, and unicast storm control | Disabled.
Protected port | Disabled (Layer 2 interfaces only).
Port security | Disabled (Layer 2 interfaces only).
Port Fast | Disabled.
Auto-MDIX | Enabled.
Note: The switch might not support a pre-standard powered device, such as Cisco IP phones and access points that do not fully support IEEE 802.3af, if that powered device is connected to the switch through a crossover cable. This is regardless of whether auto-MDIX is enabled on the switch port.
Power over Ethernet (PoE) | Enabled (auto).
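The defaults in Table 45 matter when reviewing a saved configuration, because IOS omits default settings from the running configuration: a port with no switchport lines is still in dynamic auto mode on VLAN 1 with port security off. The Python below is an added example, not part of the Cisco guide; the sample configuration and the finding names are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from the guide). Lines that are
# absent mean the Table 45 default is in effect for that port.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Connects to Marketing
!
interface GigabitEthernet1/0/2
 switchport access vlan 30
 switchport mode access
 switchport port-security
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 switchport trunk native vlan 999
 switchport mode trunk
 shutdown
!
interface GigabitEthernet1/0/5
 no switchport
 ip address 192.20.135.21 255.255.255.0
!
interface Vlan1
 no ip address
"""

# Only physical Ethernet ports are audited; SVIs and port channels are skipped.
PHYSICAL_PORT = re.compile(r"^(Ten)?GigabitEthernet\d", re.IGNORECASE)


def interface_stanzas(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return stanzas


def setting(commands, prefix):
    """Return the argument of the first command that starts with prefix."""
    for cmd in commands:
        if cmd.startswith(prefix + " "):
            return cmd[len(prefix) + 1:].strip()
    return None


def audit_port(commands):
    """List the Table 45 Layer 2 defaults still in effect on one port."""
    if "no switchport" in commands:
        return []  # routed port: the Layer 2 rows do not apply
    if "shutdown" in commands:
        return []  # administratively down (the default is enabled)
    mode = setting(commands, "switchport mode")            # None = default
    access_vlan = setting(commands, "switchport access vlan") or "1"
    native_vlan = setting(commands, "switchport trunk native vlan") or "1"
    findings = []
    if mode in (None, "dynamic auto", "dynamic desirable"):
        findings.append("dtp-dynamic")        # port still negotiates with DTP
    if mode != "trunk" and access_vlan == "1":
        findings.append("access-vlan-1")      # default access VLAN
    if mode != "access" and native_vlan == "1":
        findings.append("native-vlan-1")      # default 802.1Q native VLAN
    if mode != "trunk" and "switchport port-security" not in commands:
        findings.append("no-port-security")   # port security disabled
    return findings


def audit(config):
    """Audit every physical port in the configuration text."""
    return {name: audit_port(cmds)
            for name, cmds in interface_stanzas(config).items()
            if PHYSICAL_PORT.match(name)}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(f"{port}: {', '.join(findings) or 'no default-setting findings'}")
```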
Layer 3 Interfaces
The controller supports these types of Layer 3 interfaces:
• SVIs: You should configure SVIs for any VLANs for which you want to route traffic. SVIs are created
when you enter a VLAN ID following the interface vlan global configuration command. To delete an
SVI, use the no interface vlan global configuration command. You cannot delete interface VLAN 1.
Note: When you create an SVI, it does not become active until it is associated with a physical port.
When configuring SVIs, you can also configure SVI autostate exclude on a port in the SVI to exclude
that port from being included in determining SVI line-state status.
• Routed ports: Routed ports are physical ports configured to be in Layer 3 mode by using the no switchport
interface configuration command.
• Layer 3 EtherChannel ports: EtherChannel interfaces made up of routed ports.
A Layer 3 controller can have an IP address assigned to each routed port and SVI.
There is no defined limit to the number of SVIs and routed ports that can be configured in a controller or in
a controller stack. However, the interrelationship between the number of SVIs and routed ports and the number
of other features being configured might have an impact on CPU usage because of hardware limitations. If
the controller is using its maximum hardware resources, attempts to create a routed port or SVI have these
results:
• If you try to create a new routed port, the controller generates a message that there are not enough
resources to convert the interface to a routed port, and the interface remains as a switchport.
• If you try to create an extended-range VLAN, an error message is generated, and the extended-range
VLAN is rejected.
• If the controller is notified by VLAN Trunking Protocol (VTP) of a new VLAN, it sends a message that
there are not enough hardware resources available and shuts down the VLAN. The output of the show
vlan user EXEC command shows the VLAN in a suspended state.
• If the controller attempts to boot up with a configuration that has more VLANs and routed ports than
hardware can support, the VLANs are created, but the routed ports are shut down, and the controller
sends a message that this was due to insufficient hardware resources.
All Layer 3 interfaces require an IP address to route traffic. This procedure shows how to configure an interface
as a Layer 3 interface and how to assign an IP address to an interface:
Note: If the physical port is in Layer 2 mode (the default), you must enter the no switchport interface configuration
command to put the interface into Layer 3 mode. Entering a no switchport command disables and then
re-enables the interface, which might generate messages on the device to which the interface is connected.
Furthermore, when you put an interface that is in Layer 2 mode into Layer 3 mode, the previous configuration
information related to the affected interface might be lost, and the interface is returned to its default
configuration.
Configuring Interfaces
This module lists the generic steps used to configure any interface on the controller. You must use the following
steps to configure interfaces on the controller:
SUMMARY STEPS
1. configure terminal
2. global configuration
3. interface
4. show interface summary
5. show interface detail management
DETAILED STEPS
Step 1
Command or Action: configure terminal
Purpose: Enables you to enter configuration mode at the privileged prompt.
Step 2
Command or Action: global configuration
Example: Identify interface details, for example the interface type, connector, and so on, and enter global configuration mode.
Purpose: Enables you to identify the interface and enter global configuration mode.
Step 3
Command or Action: interface
Example: Follow each interface command with the interface configuration commands that the interface requires. The commands that you enter define the protocols and applications that will run on the interface. Interfaces configured in a range must be the same type and must be configured with the same feature options. The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode.
Purpose: Enables you to configure the supported interfaces on the controller.
Step 4
Command or Action: show interface summary
Example: Verify the status of the configured interface using the show interface summary command.
Purpose: Enables you to view the status of the configured interface.
Step 5
Command or Action: show interface detail management
Example: Verify the status of the configured interface using the show interface detail management command.
Purpose: Enables you to view the status of the configured interface.
Adding a Description for an Interface
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. description string
5. end
6. show interfaces interface-id description
7. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: interface interface-id
Purpose: Specifies the interface for which you are adding a description, and enters interface configuration mode.
Example:
Controller(config)# interface gigabitethernet1/0/2
Step 4
Command or Action: description string
Purpose: Adds a description (up to 240 characters) for an interface.
Example:
Controller(config-if)# description Connects to Marketing
Step 5
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config-if)# end
Step 6
Command or Action: show interfaces interface-id description
Purpose: Verifies your entry.
Step 7
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Configuring a Range of Interfaces: Examples
This example shows how to use the interface range global configuration command to set the speed to 100
Mb/s on ports 1 to 4 on switch 1:
Controller# configure terminal
Controller(config)# interface range gigabitethernet1/0/1 - 4
Controller(config-if-range)# speed 100
This example shows how to use a comma to add different interface type strings to the range to enable Gigabit
Ethernet ports 1 to 3 and 10-Gigabit Ethernet ports 1 and 2 to receive flow-control pause frames:
Controller# configure terminal
Controller(config)# interface range gigabitethernet1/0/1 - 3 , tengigabitethernet1/1/1 - 2
Controller(config-if-range)# flowcontrol receive on
If you enter multiple configuration commands while you are in interface-range mode, each command is
executed as it is entered. The commands are not batched and executed after you exit interface-range mode. If
you exit interface-range configuration mode while the commands are being executed, some commands might
not be executed on all interfaces in the range. Wait until the command prompt reappears before exiting
interface-range configuration mode.
Configuring and Using Interface Range Macros: Examples
This example shows how to define an interface-range named enet_list to include ports 1 and 2 on switch 1
and to verify the macro configuration:
Controller# configure terminal
Controller(config)# define interface-range enet_list gigabitethernet1/1/1 - 2
Controller(config)# end
Controller# show running-config | include define
define interface-range enet_list GigabitEthernet1/1/1 - 2
This example shows how to create a multiple-interface macro named macro1:
Controller# configure terminal
Controller(config)# define interface-range macro1 gigabitethernet1/1/1 - 2, gigabitethernet1/1/5 - 7, tengigabitethernet1/1/1 -2
Controller(config)# end
This example shows how to enter interface-range configuration mode for the interface-range macro enet_list:
Controller# configure terminal
Controller(config)# interface range macro enet_list
Controller(config-if-range)#
This example shows how to delete the interface-range macro enet_list and to verify that it was deleted.
Controller# configure terminal
Controller(config)# no define interface-range enet_list
Controller(config)# end
Controller# show run | include define
Controller#
Configuring Interfaces
These general instructions apply to all interface configuration processes.
Procedure
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: interface
Purpose: Identifies the interface type, the controller number (only on stacking-capable switches), and the number of the connector.
Example:
Controller(config)# interface gigabitethernet0/1
Controller(config-if)#
Note: You do not need to add a space between the interface type and the interface number. For example, in the preceding line, you can specify either gigabitethernet 0/1, gigabitethernet0/1, gi 0/1, or gi0/1.
Step 4
Command or Action: Follow each interface command with the interface configuration commands that the interface requires.
Purpose: Defines the protocols and applications that will run on the interface. The commands are collected and applied to the interface when you enter another interface command or enter end to return to privileged EXEC mode.
Step 5
Command or Action: interface range or interface range macro
Purpose: (Optional) Configures a range of interfaces.
Note: Interfaces configured in a range must be the same type and must be configured with the same feature options.
Step 6
Command or Action: show interfaces
Purpose: Displays a list of all interfaces on or configured for the switch. A report is provided for each interface that the device supports or for the specified interface.
Configuring Layer 3 Interfaces
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {gigabitethernet interface-id} | {vlan vlan-id} | {port-channel port-channel-number}
4. no switchport
5. ip address ip_address subnet_mask
6. no shutdown
7. end
8. show interfaces [interface-id]
9. copy running-config startup-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: interface {gigabitethernet interface-id} | {vlan vlan-id} | {port-channel port-channel-number}
Purpose: Specifies the interface to be configured as a Layer 3 interface, and enters interface configuration mode.
Example:
Controller(config)# interface gigabitethernet1/0/2
Step 4
Command or Action: no switchport
Purpose: For physical ports only, enters Layer 3 mode.
Example:
Controller(config-if)# no switchport
Step 5
Command or Action: ip address ip_address subnet_mask
Purpose: Configures the IP address and IP subnet.
Example:
Controller(config-if)# ip address 192.20.135.21 255.255.255.0
Step 6
Command or Action: no shutdown
Purpose: Enables the interface.
Example:
Controller(config-if)# no shutdown
Step 7
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config-if)# end
Step 8
Command or Action: show interfaces [interface-id]
Purpose: Verifies the configuration.
Step 9
Command or Action: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Controller# copy running-config startup-config
Shutting Down and Restarting the Interface
Shutting down an interface disables all functions on the specified interface and marks the interface as unavailable
on all monitoring command displays. This information is communicated to other network servers through all
dynamic routing protocols. The interface is not mentioned in any routing updates.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface {vlan vlan-id} | {gigabitethernet interface-id} | {port-channel port-channel-number}
4. shutdown
5. no shutdown
6. end
7. show running-config
DETAILED STEPS
Step 1
Command or Action: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Controller> enable
Step 2
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Controller# configure terminal
Step 3
Command or Action: interface {vlan vlan-id} | {gigabitethernet interface-id} | {port-channel port-channel-number}
Purpose: Selects the interface to be configured.
Example:
Controller(config)# interface gigabitethernet1/0/2
Step 4
Command or Action: shutdown
Purpose: Shuts down an interface.
Example:
Controller(config-if)# shutdown
Step 5
Command or Action: no shutdown
Purpose: Restarts an interface.
Example:
Controller(config-if)# no shutdown
Step 6
Command or Action: end
Purpose: Returns to privileged EXEC mode.
Example:
Controller(config-if)# end
Step 7
Command or Action: show running-config
Purpose: Verifies your entries.
Example:
Controller# show running-config
Monitoring Interface Characteristics
Monitoring Interface Status
Commands entered at the privileged EXEC prompt display information about the interface, including the
versions of the software and the hardware, the configuration, and statistics about the interfaces.
Table 46: Show Commands for Interfaces
Command: show interfaces interface-number downshift module module-number
Purpose: Displays the downshift status details of the specified interfaces and modules.
Command: show interfaces interface-id status [err-disabled]
Purpose: Displays interface status or a list of interfaces in the error-disabled state.
Command: show interfaces [interface-id] switchport
Purpose: Displays administrative and operational status of switching (nonrouting) ports. You can use this command to find out if a port is in routing or in switching mode.
Command: show interfaces [interface-id] description
Purpose: Displays the description configured on an interface or all interfaces and the interface status.
Command: show ip interface [interface-id]
Purpose: Displays the usability status of all interfaces configured for IP routing or the specified interface.
Command: show interface [interface-id] stats
Purpose: Displays the input and output packets by the switching path for the interface.
Command: show interfaces interface-id
Purpose: (Optional) Displays speed and duplex on the interface.
Command: show interfaces transceiver dom-supported-list
Purpose: (Optional) Displays Digital Optical Monitoring (DOM) status on the connected SFP modules.
Command: show interfaces transceiver properties
Purpose: (Optional) Displays temperature, voltage, or amount of current on the interface.
Command: show interfaces [interface-id] [{transceiver properties | detail}] module number]
Purpose: Displays physical and operational status about an SFP module.
Command: show running-config interface [interface-id]
Purpose: Displays the running configuration in RAM for the interface.
Command: show version
Purpose: Displays the hardware configuration, software version, the names and sources of configuration files, and the boot images.
Command: show controllers ethernet-controller interface-id phy
Purpose: Displays the operational state of the auto-MDIX feature on the interface.
Clearing and Resetting Interfaces and Counters
Table 47: Clear Commands for Interfaces
Command: clear counters [interface-id]
Purpose: Clears interface counters.
Command: clear interface interface-id
Purpose: Resets the hardware logic on an interface.
Command: clear line [number | console 0 | vty number]
Purpose: Resets the hardware logic on an asynchronous serial line.
Note: The clear counters privileged EXEC command does not clear counters retrieved by using Simple Network
Management Protocol (SNMP), but only those seen with the show interface privileged EXEC command.
Viewing Wireless Interfaces (GUI)
You can view the wireless interfaces available in the controller by choosing Monitor > Controller > System
> Wireless Interface in the controller web UI. The following details of the wireless interface page are
displayed.
Parameter | Description
Interface Type | Displays the operator-defined interface type. Values are as follows:
• Static: Wireless Management.
• AP-Manager.
• Service-Port: The Ten Gigabit Ethernet port located on the back of the controller.
• Virtual interfaces.
Interface Name | Displays the name of the interface. Values are as follows:
• Management: 802.11 distribution system wired network.
• Service-port: System service interface.
• Virtual: Loopback interface for the web interface to work. This is available in the controller by default. You need not explicitly configure this interface.
• AP-manager: Can be on the same subnet as the management IP address, but must have a different IP address than the management interface.
• name: Operator-defined interface assignment, without any spaces.
IP Address | Displays the IP address of the Controller and its distribution port.
IP Netmask | Displays the destination subnet mask.
MAC Address | Displays the MAC address of the interface.
VLAN ID | Displays the virtual LAN assignment of the interface.
Configuring Ports (GUI)
You can configure ports in the controller using the web UI. To do this, follow the steps defined in this
module in the web UI.
You can create the following types of port using the controller web UI.
• Loopback Interfaces
• EtherChannel Port
• Ten Gigabit Ethernet Interfaces
• Gigabit Ethernet Interfaces
SUMMARY STEPS
1. Choose Configuration > Controller > System > Interfaces > Port Summary.
2. Click on the port in the port summary table to view the details of the selected port.
3. Click Apply.
DETAILED STEPS
Step 1
Choose Configuration > Controller > System > Interfaces > Port Summary.
Displays all the ports and details of the ports in the controller.
Step 2
Click on the port in the port summary table to view the details of the selected port.
The Edit Port details page appears. To edit the values listed in the page, enter values for the parameters listed in the Edit
page.
Note: You must configure the selected port as a Layer2 or Layer3 interface.
Step 3
Click Apply.
Configuring Wireless Interface (GUI)
You can configure the wireless interface in the controller using the web user interface (GUI). To do this,
follow the steps defined in this module in the GUI.
SUMMARY STEPS
1. Choose Configuration > Controller > System > Interfaces > Wireless Summary.
2. Click New.
3. Select the interface to configure the AP management interface(s) and management interface.
4. Click Apply.
DETAILED STEPS
Step 1
Choose Configuration > Controller > System > Interfaces > Wireless Summary.
Displays all the wireless interfaces and details of the interfaces in the controller.
Step 2
Click New.
The New page appears.
Step 3
Select the interface to configure the AP management interface(s) and management interface.
You can configure one management and one or multiple AP management interfaces in the controller using the web UI.
Step 4
Click Apply.
Feature History and Information For Configuring Interfaces
Command History
Release | Modification
Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE | This command was introduced.
CHAPTER 25
Configuring Management Interfaces
This module lists the following topics:
• Finding Feature Information
• Information About the Management Interface
• Pre-requisites for Configuring Management Interfaces
• Restrictions for Configuring Management Interfaces
• Configuring the Management Interface using the CLI
• Configuring the Management Interface
• Feature History and Information For Configuring Management Interfaces
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. Use Cisco Feature
Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About the Management Interface
The management interface is the default interface for in-band management of the controller and connectivity
to enterprise services such as AAA servers. It is also used for communications between the controller and
access points. The management interface has the only consistently “pingable” in-band interface IP address
on the controller. You can access the GUI of the controller by entering the management interface IP address
of the controller in the address field of your browser.
For CAPWAP, the controller requires one management interface to control all inter-controller communications
and one AP-manager interface to control all controller-to-access point communications, regardless of the
number of ports.
If the service port is in use, the management interface must be on a different supernet from the service-port
interface.
Note
To prevent or block a wired or wireless client from accessing the management network on a controller (from
the wireless client dynamic interface or VLAN), the network administrator must ensure that only authorized
clients gain access to the management network through proper CPU ACLs, or use a firewall between the client
dynamic interface and the management network.
Do not map a guest WLAN to the management interface. If the EoIP tunnel breaks, the client could obtain
an IP and be placed on the management subnet.
Do not configure wired clients in the same VLAN or subnet of the service port of the controller on the network.
If you configure wired clients on the same subnet or VLAN as the service port, it is not possible to access the
management interface of the controller.
Authentication Type for Management Interfaces
For any type of management access to the controller, be it SSH, Telnet, or HTTP, we recommend that you
use any one authentication type, which can be TACACS+, RADIUS, or Local, and not a mix of these
authentication types. Ensure that you take care of the following:
• The authentication type (TACACS+, RADIUS, or Local) must be the same for all management access and
for all AAA authentication and authorization parameters.
• The method list must be explicitly specified in the HTTP authentication.
Pre-requisites for Configuring Management Interfaces
The pre-requisites for configuring the management interfaces on the controller follow:
• For Cisco 5700 Series Controllers in a non-link-aggregation (non-LAG) configuration, the management
interface must be on a different VLAN than any dynamic AP-manager interface. Otherwise, the
management interface cannot fail over to the port that the AP-manager is on.
• If the service port is in use, the management interface must be on a different supernet from the service-port
interface.
• To prevent or block a wired or wireless client from accessing the management network on a controller
(from the wireless client dynamic interface or VLAN), the network administrator must ensure that only
authorized clients gain access to the management network through proper CPU ACLs, or use a firewall
between the client dynamic interface and the management network.
Restrictions for Configuring Management Interfaces
The following are the restrictions for configuring the controller's management interface:
• Do not map a guest WLAN to the management interface. If the EoIP tunnel breaks, the client could
obtain an IP and be placed on the management subnet.
• Do not configure wired clients in the same VLAN or subnet of the service port of the controller on the
network. If you configure wired clients on the same subnet or VLAN as the service port, it is not possible
to access the management interface of the controller.
Configuring the Management Interface using the CLI
Before you begin
You must use the following steps to configure management interfaces on the controller. You can also use
these steps to configure the AP manager interfaces on the controller. These general instructions apply to all
management interfaces.
SUMMARY STEPS
1. show ip interface brief
2. config terminal
3. wireless management interface vlan vlanID
4. end
5. show wireless interface summary
DETAILED STEPS
Step 1
Command or Action: show ip interface brief
Purpose: Displays all the interfaces in the controller.
Step 2
Command or Action: config terminal
Purpose: Enters global configuration mode.
Step 3
Command or Action: wireless management interface vlan vlanID
Purpose: Creates a management interface by providing the values for the VLAN (VLAN identifier).
Step 4
Command or Action: end
Purpose: Returns to EXEC mode.
Step 5
Command or Action: show wireless interface summary
Purpose: Displays all the wireless interfaces in the controller.
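The prerequisites above (management interface on a different VLAN than any dynamic AP-manager interface in a non-LAG setup, and on a different supernet from the service port) can be checked against a saved running configuration. The Python below is an added example, not Cisco's code. It assumes a constructed sample configuration, a service-port interface name (GigabitEthernet0/0) supplied by the caller, and reads "different supernet" as non-overlapping IP networks; the ap-manager command is the one this guide gives for AP manager interfaces.

```python
import ipaddress
import re

# Constructed running-config excerpt. "vlan 10" follows the command syntax
# shown in this guide; the patterns below also accept the "Vlan10" spelling.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.10.10.5 255.255.255.0
!
interface Vlan10
 ip address 10.10.10.20 255.255.255.0
!
interface Vlan20
 ip address 10.20.0.2 255.255.255.0
!
wireless management interface vlan 10
wireless ap-manager interface vlan 10
wireless ap-manager interface vlan 20
"""

# The same device with both problems corrected (constructed).
CORRECTED_CONFIG = (SAMPLE_CONFIG
                    .replace("10.10.10.5 ", "192.168.50.5 ")
                    .replace("wireless ap-manager interface vlan 10\n", ""))

# An interface line, any indented sub-commands, then a static "ip address".
IP_STANZA = re.compile(
    r"^interface (\S+)\n(?:[ ].*\n)*?[ ]ip address (\d\S+) (\d\S+)",
    re.MULTILINE)


def interface_networks(config):
    """Map lower-cased interface name -> IPv4Interface for static addresses."""
    return {name.lower(): ipaddress.ip_interface(f"{addr}/{mask}")
            for name, addr, mask in IP_STANZA.findall(config)}


def wireless_vlans(config, role):
    """VLAN IDs named by 'wireless <role> interface vlan N' lines."""
    pattern = re.compile(
        rf"^wireless {re.escape(role)} interface vlan\s*(\d+)\s*$",
        re.MULTILINE | re.IGNORECASE)
    return [int(vlan) for vlan in pattern.findall(config)]


def check_management(config, service_port):
    """Return findings; service_port is the assumed service-port name."""
    management = wireless_vlans(config, "management")
    if len(management) != 1:
        return [f"expected-one-management-interface-found-{len(management)}"]
    vlan = management[0]
    networks = interface_networks(config)
    findings = []
    # Non-LAG prerequisite: management VLAN differs from AP-manager VLANs.
    if vlan in wireless_vlans(config, "ap-manager"):
        findings.append("management-shares-vlan-with-ap-manager")
    svi = networks.get(f"vlan{vlan}")
    if svi is None:
        findings.append("management-svi-has-no-ip")
    # Service port and management interface must not share an IP network.
    port = networks.get(service_port.lower())
    if svi is not None and port is not None and svi.network.overlaps(port.network):
        findings.append("management-overlaps-service-port")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, check_management(text, "GigabitEthernet0/0") or "ok")
```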
Configuring the Management Interface
This module contains the following topics:
Feature History and Information For Configuring Management Interfaces
Command History
Release | Modification
Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE | This command was introduced.
CHAPTER 26
Configuring AP Manager Interfaces
This module lists the following sections:
• Finding Feature Information
• Pre-requisites for Configuring Access Point Management Interface
• Restrictions for Configuring AP Manager Interfaces
• Information About AP-Manager Interface
• Configuring AP Join in an AP Manager Interface
• Viewing Configured Access Point Join Management Interfaces
• Feature History and Information For Configuring AP Manager Interfaces
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. Use Cisco Feature
Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Pre-requisites for Configuring Access Point Management Interface
Before configuring the AP manager interfaces in the controller, you must ensure that you have a separate dynamic
AP manager interface per port.
Restrictions for Configuring AP Manager Interfaces
• For IPv4—The MAC address of the management interface and the AP-manager interface is the same as
the base LAG MAC address.
• If only one distribution system port can be used, you should use distribution system port 1.
• You can configure multiple LAGs in the controller.
Information About AP-Manager Interface
A controller configured with IPv4 has one or more AP-manager interfaces, which are used for all Layer 3
communications between the controller and lightweight access points after the access points have joined the
controller. The AP-manager IP address is used as the tunnel source for CAPWAP packets from the controller
to the access point and as the destination for CAPWAP packets from the access point to the controller.
Note: Release 8.2 does not support multiple non-AP Manager dynamic interfaces, untagged management interfaces,
management interfaces mapped to physical ports, and non-LAG scenarios.
Note: A controller configured with IPv6 has only one AP-manager, and it is applicable on the management interface. You
cannot remove the AP-manager configured on the management interface.
Note: The controller does not support transmitting jumbo frames. To avoid having the controller transmit
CAPWAP packets to the AP that will necessitate fragmentation and reassembly, reduce MTU/MSS on the
client side.
The AP-manager interface communicates through any distribution system port by listening across the Layer
3 network for access point CAPWAP or LWAPP join messages to associate and communicate with as many
lightweight access points as possible.
The controller sends the access point a CAPWAP join response allowing the access point to join the controller.
When the access point joins the controller, the controller manages its configuration, firmware, control and
data transactions.
When an access point reboots or is disconnected from the controller, the join statistics for the access
point are maintained by the controller. However, these statistics are lost when the controller reboots or
disconnects.
A controller configured with IPv6 does not support Dynamic AP-Manager. By default, the management
interface acts like an AP-manager interface. Link Aggregation (LAG) is used for IPv6 AP load balancing.
Configuring AP Join in an AP Manager Interface
Before you begin
The controller sends the access point a CAPWAP join response allowing the access point to join the controller.
When the access point joins the controller, the controller manages its configuration, firmware, control and
data transactions.
When an access point reboots or is disconnected from the controller, the join statistics for the access
point are maintained by the controller. However, these statistics are lost when the controller reboots or
disconnects.
SUMMARY STEPS
1. conf t
2. wireless ap-manager interface vlan vlan-ID
3. end
DETAILED STEPS
Step 1
Command or Action: conf t
Purpose: Enters global configuration mode.
Step 2
Command or Action: wireless ap-manager interface vlan vlan-ID
Purpose: Enables the access point to receive the IP address and join the specified VLAN. Maps the AP manager to the selected interface.
Step 3
Command or Action: end
Purpose: Returns to EXEC mode.
Viewing Configured Access Point Join Management Interfaces
Before you begin
You can view the access point join interfaces configured in the controller using the following steps:
SUMMARY STEPS
1. show ap summary
2. show ap name
3. show ap name apname config general
4. show wireless interface summary
DETAILED STEPS
Command or Action
Purpose
Step 1
show ap summary
Displays the summary of all the access points configured
in the interface.
Step 2
show ap name
Displays the summary of all the access points configured
in the interface.
Step 3
show ap name apname config general
Displays all the general parameter configuration for the
access point.
Step 4
show wireless interface summary
Displays all the wireless-management and AP manager
interfaces in the controller.
Feature History and Information For Configuring AP Manager Interfaces
Command History
Release
Modification
Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE
This command was introduced.
CHAPTER 27
Configuring Dynamic Interfaces
This module lists the following sections:
• Finding Feature Information
• Prerequisites for Configuring Dynamic Interfaces
• Restrictions for Configuring Dynamic Interfaces
• Information About Dynamic AP Management
• Configuring Dynamic Interfaces
• Feature History and Information For Configuring Dynamic Interfaces
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. Use Cisco Feature
Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring Dynamic Interfaces
When configuring a dynamic interface on the controller, you must ensure the following:
• A controller’s dynamic interface and all wireless clients in the WLAN that are local to the controller
must have IP addresses in the same subnet.
• You must use tagged VLANs for dynamic interfaces.
Restrictions for Configuring Dynamic Interfaces
The following restrictions apply for configuring the dynamic interfaces on the controller:
• Wired clients cannot access the management interface of the Cisco WLC 2500 series using the IP address
of the AP Manager interface.
• The controller does not respond to SNMP requests if the source address of the request comes from a
subnet that is configured as a dynamic interface.
• You must not use ap-manager as the interface name while configuring dynamic interfaces as
ap-manager is a reserved name.
Information About Dynamic AP Management
A dynamic interface is created as a WLAN interface by default. However, any dynamic interface can be
configured as an AP-manager interface, with one AP-manager interface allowed per physical port. A dynamic
interface with the Dynamic AP Management option enabled is used as the tunnel source for packets from the
controller to the access point and as the destination for CAPWAP packets from the access point to the controller.
The dynamic interfaces for AP management must have a unique IP address and are usually configured on the
same subnet as the management interface.
Note
If link aggregation (LAG) is enabled, there can be only one AP-manager interface.
We recommend having a separate dynamic AP-manager interface per controller port.
Configuring Dynamic Interfaces
Before you begin
You must create the Layer 2 interface that you plan to use in the WLAN.
You can configure the dynamic interface using the following steps:
SUMMARY STEPS
1. show VLAN
2. show int VLAN
3. configure terminal
4. wlan wlan-name wlan-ID wlan-SSID
5. client vlan vlan-name
6. show vlan
7. end
8. Show WLAN summary
DETAILED STEPS
Command or Action
Purpose
Step 1
show VLAN
Displays all the VLANs.
Step 2
show int VLAN
Displays all the VLAN interfaces.
Step 3
configure terminal
Enters global configuration mode.
Step 4
wlan wlan-name wlan-ID wlan-SSID
Configures the WLAN.
Step 5
client vlan vlan-name
Configures the client VLAN.
Step 6
show vlan
Displays all the VLANs in the WLAN.
Step 7
end
Exits configuration mode.
Step 8
Show WLAN summary
Displays a summary of all the configured VLANs.
Feature History and Information For Configuring Dynamic Interfaces
Command History
Release
Modification
Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE
This command was introduced.
CHAPTER 28
Configuring Multiple AP Manager Interfaces
This module lists the following sections:
• Finding Feature Information
• Pre-requisites For Configuring AP Manager Interfaces
• Restrictions on Configuring Multiple AP Manager Interfaces
• Information About Multiple AP-Manager Interfaces
• Configuring Multiple AP Manager Interfaces
• Feature History and Information For Configuring Multiple AP Manager Interfaces
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. Use Cisco Feature
Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Pre-requisites For Configuring AP Manager Interfaces
You must ensure that you have a separate dynamic AP-manager interface per controller port before configuring
the controller's AP manager interfaces.
Restrictions on Configuring Multiple AP Manager Interfaces
The following restrictions apply while configuring the multiple AP manager interfaces in the controller:
• You must assign an AP-manager interface to each port on the controller.
• Before implementing multiple AP-manager interfaces, you should consider how they would impact your
controller’s port redundancy.
• In the case of the management interface, because a backup port is supported, APs already connected
to the management interface remain in the connected state (falling to the backup port) rather than dropping
off. However, AP-Mgr will get disabled any new APs will associate with the current AP-Mgr.
Information About Multiple AP-Manager Interfaces
When you create two or more AP-manager interfaces, each one is mapped to a different port. The ports should
be configured in sequential order so that AP-manager interface 2 is on port 2, AP-manager interface 3 is on
port 3, and AP-manager interface 4 is on port 4.
Before an access point joins a controller, it sends out a discovery request. From the discovery response that
it receives, the access point can tell the number of AP-manager interfaces on the controller and the number
of access points on each AP-manager interface. The access point generally joins the AP-manager with the
least number of access points. In this way, the access point load is dynamically distributed across the multiple
AP-manager interfaces.
Note
Access points may not be distributed completely evenly across all of the AP-manager interfaces, but a certain
level of load balancing occurs.
For CAPWAP, the controller needs one management interface for all controller-controller communications.
AP-manager interfaces manage the communications from the controller to the access points. The access points join
the controller using the IP address of the AP manager. The IP address of the AP manager is used as the tunnel
source for the CAPWAP packets from the controller to the access points and as the destination for the
CAPWAP packets from the access points to the controller. The AP manager is a Layer 3 interface that maps
to an SVI in Cisco IOS software.
You can configure the AP-manager and management interface in any order; however, we recommend that
you configure the management interface before configuring an AP-manager interface.
Mapping an AP-manager interface to an SVI that does not have a mapped VLAN is accepted as valid; however, you
must map the AP-manager interface to an SVI that contains a mapped VLAN. The controller assumes that
the SVI is mapped to an existing VLAN; in the absence of that mapping, the SVI status is operationally
down, which means that no access points join the controller.
Configuring Multiple AP Manager Interfaces
This section has the following topics:
Feature History and Information For Configuring Multiple AP Manager Interfaces
Command History
Release
Modification
Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE
This command was introduced.
CHAPTER 29
Configuring Interface Groups
This module lists the following sections:
• Finding Feature Information
• Information About Interface Groups
• Creating Interface Groups
• Adding a VLAN Group to a WLAN
• Configuring the Trunk Port
• Configuring VLAN Interfaces (GUI)
• Feature History and Information For Configuring Interface Groups
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature
information and caveats, see the release notes for your platform and software release. Use Cisco Feature
Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Interface Groups
Interface groups are logical groups of interfaces. Interface groups facilitate user configuration where the same
interface group can be configured on multiple WLANs or while overriding a WLAN interface per AP group.
An interface group can exclusively contain either quarantine or nonquarantine interfaces. An interface can be
part of multiple interface groups.
A WLAN can be associated with an interface or interface group. The interface group name and the interface
name cannot be the same.
This feature also enables you to associate a client to specific subnets based on the foreign controller that the client
is connected to. The anchor controller WLAN can be configured to maintain a mapping between the foreign
controller MAC address and a specific interface or interface group (foreign maps) as needed. If this mapping is not
configured, clients on that foreign controller get VLANs associated in a round-robin fashion from the interface
group configured on the WLAN.
The controller marks a VLAN as dirty when clients are unable to receive an IP address using DHCP. The VLAN
interface is marked as dirty based on one of two methods:
Aggressive Method: Only one failure is counted per association per client, and the controller marks the VLAN
as a dirty interface when a failure occurs three times for a client or for three different clients.
Non-Aggressive Method: Only one failure is counted per association per client, and the controller marks the
VLAN as a dirty interface only when three or more clients fail.
Creating Interface Groups
Before you begin
You must create the interface groups using the following commands after you configure the terminal.
SUMMARY STEPS
1. vlan group groupname vlan-list 1-256
2. wlan wlanname 1 wlanname
3. client vlan vlangrp1
DETAILED STEPS
Command or Action
Purpose
Step 1
vlan group groupname vlan-list 1-256
Creates a VLAN group with the given group name and adds
all the VLANs listed in the command. The recommended
number of VLANs in a group is 128.
Step 2
wlan wlanname 1 wlanname
Enables the WLAN to map a VLAN group.
Step 3
client vlan vlangrp1
Maps the VLAN group to the WLAN.
Adding a VLAN Group to a WLAN
SUMMARY STEPS
1. conf t
2. wlan wlanname 1 wlanname
3. client vlan vlangrp1
4. end
DETAILED STEPS
Command or Action
Purpose
Step 1
conf t
Enters global configuration mode.
Step 2
wlan wlanname 1 wlanname
Enables the WLAN to map a VLAN group.
Step 3
client vlan vlangrp1
Maps the VLAN group to the WLAN.
Step 4
end
Returns to EXEC mode.
Configuring the Trunk Port
Before you begin
You must configure the VLAN after configuring the controller port as a trunk port. We recommend that you
configure the trunk port first and then associate the VLANs to the trunk port.
SUMMARY STEPS
1. show wireless interface summary
2. show run int te1/0/1
3. interface TenGigabitEthernet1/0/1
4. switchport trunk allowed vlan 1-10
5. switchport mode trunk
6. nmsp attachment suppress
7. end
DETAILED STEPS
Command or Action
Purpose
Step 1
show wireless interface summary
Displays all the wireless interfaces in the controller.
Step 2
show run int te1/0/1
Displays the running configuration available in the
controller.
Step 3
interface TenGigabitEthernet1/0/1
Configures the 10-Gigabit Ethernet.
Example:
interface TenGigabitEthernet1/0/1
Step 4
switchport trunk allowed vlan 1-10
Configures the trunk port.
Step 5
switchport mode trunk
Configures the switch port mode as a trunk.
Step 6
nmsp attachment suppress
Step 7
end
Returns to EXEC mode.
Configuring VLAN Interfaces (GUI)
Before you begin
You can configure VLANs in the controller using the web UI. To do this, you must follow the steps defined
in this module in the web UI.
SUMMARY STEPS
1. Choose Configuration > Controller > System > Interfaces > VLAN Summary.
2. Click the VLAN ID field in the table to view the details of the selected VLAN.
3. Enter the values.
4. Click Apply.
5. To create a new VLAN, click New.
6. To delete a VLAN, check the check box in the VLAN summary page, and click Remove.
DETAILED STEPS
Step 1
Choose Configuration > Controller > System > Interfaces > VLAN Summary.
This page displays all the VLANs and details of the VLANs in the controller.
Step 2
Click the VLAN ID field in the table to view the details of the selected VLAN.
The Edit VLAN details page appears.
Step 3
Enter the values.
Step 4
Click Apply.
Step 5
To create a new VLAN, click New.
Step 6
To delete a VLAN, check the check box in the VLAN summary page, and click Remove.
Feature History and Information For Configuring Interface Groups
Command History
Release
Modification
Cisco IOS XE 3.2SE, Cisco IOS XE 3.3SE
This command was introduced.
PART V
VLAN
• VLANs
• Configuring VLAN Group
• Configuring VLAN Trunks
CHAPTER 30
VLANs
• Finding Feature Information
• Prerequisites for VLANs
• Restrictions for VLANs
• Information About VLANs
• How to Configure VLANs
• Monitoring VLANs
• Where to Go Next
• Additional References
• Feature History and Information for VLANs
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
required.
Related Topics
Feature History and Information for Troubleshooting Software Configuration, on page 278
Prerequisites for VLANs
The following are prerequisites and considerations for configuring VLANs:
• Before you create VLANs, you must decide whether to use VLAN Trunking Protocol (VTP) to maintain
global VLAN configuration for your network.
• If you plan to configure many VLANs on the controller and to not enable routing, you can set the Switch
Database Management (SDM) feature to the VLAN template, which configures system resources to
support the maximum number of unicast MAC addresses.
• Controllers running the LAN Base feature set support only static routing on SVIs.
• A VLAN should be present in the controller to be able to add it to the VLAN group.
Restrictions for VLANs
The following are restrictions for VLANs:
• In the Cisco Catalyst 4500E Supervisor Engine, the number of controller per-VLAN spanning-tree
(PVST) or rapid PVST is based on the number of trunks on the switch multiplied by the number of active
VLANs on the trunks, plus the number of non-trunking interfaces on the switch (trunks * VLANS +
non-trunk ports). For MSTP, the maximum number of MST instances supported is 4094.
• The controller supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
• Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already
has a MAC address assigned by default.
• Private VLANs are not supported on the controller.
• You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.
Information About VLANs
Logical Networks
A VLAN is a switched network that is logically segmented by function, project team, or application, without
regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can
group end stations even if they are not physically located on the same LAN segment. Any controller port can
belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end
stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do
not belong to the VLAN must be forwarded through a router or a controller supporting fallback bridging.
Because a VLAN is considered a separate logical network, it contains its own bridge Management Information
Base (MIB) information and can support its own implementation of spanning tree.
VLANs are often associated with IP subnetworks. For example, all the end stations in a particular IP subnet
belong to the same VLAN. Interface VLAN membership on the controller is assigned manually on an
interface-by-interface basis. When you assign controller interfaces to VLANs by using this method, it is known
as interface-based, or static, VLAN membership.
Traffic between VLANs must be routed.
The controller can route traffic between VLANs by using switch virtual interfaces (SVIs). An SVI must
be explicitly configured and assigned an IP address to route traffic between VLANs.
Supported VLANs
The controller supports VLANs in VTP client, server, and transparent modes. VLANs are identified by a
number from 1 to 4094. VLAN 1 is the default VLAN and is created during system initialization. VLAN IDs
1002 through 1005 are reserved for Token Ring and FDDI VLANs. All of the VLANs except 1002 to 1005
are available for user configuration.
There are 3 VTP versions: VTP version 1, version 2, and version 3. All VTP versions support both normal
and extended range VLANs, but the controller propagates extended range VLAN configuration information
only with VTP version 3. When extended range VLANs are created in VTP versions 1 and 2, their
configuration information is not propagated. Even the local VTP database entries on the controller are not
updated, but the extended range VLAN configuration information is created and stored in the running
configuration file.
You can configure up to 4049 VLANs on the controller.
Related Topics
Creating or Modifying an Ethernet VLAN (CLI), on page 497
Deleting a VLAN (CLI), on page 500
Assigning Static-Access Ports to a VLAN (CLI), on page 503
Monitoring VLANs, on page 507
Creating an Extended-Range VLAN (CLI), on page 505
Creating an Extended-Range VLAN with an Internal VLAN ID
VLAN Port Membership Modes
You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic
the port carries and the number of VLANs to which it can belong.
When a port belongs to a VLAN, the controller learns and manages the addresses associated with the port on
a per-VLAN basis.
Table 48: Port Membership Modes and Characteristics

Membership Mode: Static-access
VLAN Membership Characteristics: A static-access port can belong to one VLAN and is manually assigned to that VLAN.
VTP Characteristics: VTP is not required. If you do not want VTP to globally propagate information, set the VTP mode to transparent. To participate in VTP, there must be at least one trunk port on the controller connected to a trunk port of a second controller.

Membership Mode: Trunk (IEEE 802.1Q)
• IEEE 802.1Q: Industry-standard trunking encapsulation.
VLAN Membership Characteristics: A trunk port is a member of all VLANs by default, including extended-range VLANs, but membership can be limited by configuring the allowed-VLAN list. You can also modify the pruning-eligible list to block flooded traffic to VLANs on trunk ports that are included in the list.
VTP Characteristics: VTP is recommended but not required. VTP maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP exchanges VLAN configuration messages with other controllers over trunk links.

Membership Mode: Dynamic access
VLAN Membership Characteristics: A dynamic-access port can belong to one VLAN (VLAN ID 1 to 4094) and is dynamically assigned by a VLAN Member Policy Server (VMPS). You can have dynamic-access ports and trunk ports on the same controller, but you must connect the dynamic-access port to an end station or hub and not to another controller.
VTP Characteristics: VTP is required. Configure the VMPS and the client with the same VTP domain name. To participate in VTP, at least one trunk port on the controller must be connected to a trunk port of a second controller.

Membership Mode: Voice VLAN
VLAN Membership Characteristics: A voice VLAN port is an access port attached to a Cisco IP Phone, configured to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone.
VTP Characteristics: VTP is not required; it has no effect on a voice VLAN.
Related Topics
Assigning Static-Access Ports to a VLAN (CLI), on page 503
Monitoring VLANs, on page 507
VLAN Configuration Files
Configurations for VLAN IDs 1 to 1005 are written to the vlan.dat file (VLAN database), and you can display
them by entering the show vlan privileged EXEC command. The vlan.dat file is stored in flash memory. If
the VTP mode is transparent, they are also saved in the controller running configuration file.
You use the interface configuration mode to define the port membership mode and to add and remove ports
from VLANs. The results of these commands are written to the running-configuration file, and you can display
the file by entering the show running-config privileged EXEC command.
When you save VLAN and VTP information (including extended-range VLAN configuration information)
in the startup configuration file and reboot the controller, the controller configuration is selected as follows:
• If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain
name from the VLAN database match that in the startup configuration file, the VLAN database is
ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used. The
VLAN database revision number remains unchanged in the VLAN database.
• If the VTP mode or domain name in the startup configuration does not match the VLAN database, the
domain name and VTP mode and configuration for the VLAN IDs 1 to 1005 use the VLAN database
information.
• In VTP versions 1 and 2, if VTP mode is server, the domain name and VLAN configuration for VLAN
IDs 1 to 1005 use the VLAN database information. VTP version 3 also supports VLANs 1006 to 4094.
• From image 15.0(02)SE6, in VTP transparent and off modes, VLANs are created from the startup
configuration even if they are not applied to the interface.
Note
Ensure that you delete the vlan.dat file along with the configuration files before you reset the switch
configuration using the write erase command. This ensures that the switch reboots correctly on a reset.
Normal-Range VLAN Configuration Guidelines
Normal-range VLANs are VLANs with IDs from 1 to 1005.
Follow these guidelines when creating and modifying normal-range VLANs in your network:
• Normal-range VLANs are identified with a number between 1 and 1001. VLAN numbers 1002 through
1005 are reserved for Token Ring and FDDI VLANs.
• VLAN configurations for VLANs 1 to 1005 are always saved in the VLAN database. If the VTP mode
is transparent, VTP and VLAN configurations are also saved in the controller running configuration file.
• If the controller is in VTP server or VTP transparent mode, you can add, modify or remove configurations
for VLANs 2 to 1001 in the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created
and cannot be removed.)
• Extended-range VLANs created in VTP transparent mode are not saved in the VLAN database and are
not propagated. VTP version 3 supports extended range VLAN (VLANs 1006 to 4094) database
propagation in VTP server mode.
• Before you can create a VLAN, the controller must be in VTP server mode or VTP transparent mode.
If the controller is a VTP server, you must define a VTP domain or VTP will not function.
• The controller does not support Token Ring or FDDI media. The controller does not forward FDDI,
FDDI-Net, TrCRF, or TrBRF traffic, but it does propagate the VLAN configuration through VTP.
• The controller supports 128 spanning tree instances. If a controller has more active VLANs than supported
spanning-tree instances, spanning tree can be enabled on 128 VLANs and is disabled on the remaining
VLANs.
If you have already used all available spanning-tree instances on a controller, adding another VLAN
anywhere in the VTP domain creates a VLAN on that controller that is not running spanning-tree. If you
have the default allowed list on the trunk ports of that controller (which is to allow all VLANs), the new
VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop
in the new VLAN that would not be broken, particularly if there are several adjacent controllers that all
have run out of spanning-tree instances. You can prevent this possibility by setting allowed lists on the
trunk ports of controllers that have used up their allocation of spanning-tree instances.
If the number of VLANs on the controller exceeds the number of supported spanning-tree instances, we
recommend that you configure the IEEE 802.1s Multiple STP (MSTP) on your controller to map multiple
VLANs to a single spanning-tree instance.
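The following added example (not part of the Cisco guide) is a Python audit of a saved configuration against the trunk-port and spanning-tree guidance above: it flags trunk ports left on the default allow-all list, which matters most once the 128 spanning-tree instances are used up, and allowed-list entries outside the documented VLAN ranges. The sample configuration, the function names, the severity labels and the active_vlan_count input (taken from show vlan output in practice) are assumptions made for illustration.

```python
import re

MAX_STP_INSTANCES = 128           # spanning-tree instances the guide says the controller supports
VALID_IDS = range(1, 4095)        # VLAN IDs 1 to 4094
RESERVED_IDS = range(1002, 1006)  # 1002-1005: reserved for Token Ring and FDDI VLANs

# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
interface TenGigabitEthernet1/0/1
 switchport trunk allowed vlan 1-10
 switchport mode trunk
!
interface TenGigabitEthernet1/0/2
 switchport mode trunk
!
interface TenGigabitEthernet1/0/3
 switchport trunk allowed vlan 20,1002-1005
 switchport trunk allowed vlan add 4095
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 switchport access vlan 30
 switchport mode access
"""


def expand_vlan_list(spec):
    """Expand a VLAN list such as '1-10,20' into a sorted list of integers."""
    vlans = set()
    for part in spec.split(","):
        match = re.fullmatch(r"\s*(\d+)(?:-(\d+))?\s*", part)
        if not match:
            raise ValueError(f"unparseable VLAN list element: {part!r}")
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if low > high:
            raise ValueError(f"descending VLAN range: {part!r}")
        vlans.update(range(low, high + 1))
    return sorted(vlans)


def parse_interfaces(config):
    """Map each interface name to its switchport mode and allowed-VLAN spec (or None)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"mode": None, "allowed": None}
            interfaces[line.split(None, 1)[1].strip()] = current
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words[:2] == ["switchport", "mode"] and len(words) == 3:
                current["mode"] = words[2]
            elif words[:4] == ["switchport", "trunk", "allowed", "vlan"] and len(words) > 4:
                if words[4] == "add" and len(words) > 5:   # continuation of a long list
                    current["allowed"] = ",".join(filter(None, [current["allowed"], words[5]]))
                else:
                    current["allowed"] = words[4]
        else:
            current = None            # '!' or any other top-level line ends the stanza
    return interfaces


def audit_trunks(config, active_vlan_count):
    """Return (severity, interface, message) findings for the trunk ports in config."""
    exhausted = active_vlan_count >= MAX_STP_INSTANCES
    findings = []
    for name, port in parse_interfaces(config).items():
        if port["mode"] != "trunk":
            continue
        if port["allowed"] is None:
            # Default list allows all VLANs, so a VLAN without spanning tree is carried too.
            findings.append(("high" if exhausted else "medium", name,
                             "no allowed-VLAN list; trunk carries every VLAN"))
            continue
        try:
            vlans = expand_vlan_list(port["allowed"])
        except ValueError as err:     # keyword forms are reported, not interpreted
            findings.append(("medium", name, f"allowed list not checked: {err}"))
            continue
        invalid = [v for v in vlans if v not in VALID_IDS]
        reserved = [v for v in vlans if v in RESERVED_IDS]
        if invalid:
            findings.append(("medium", name, f"VLAN IDs outside 1-4094: {invalid}"))
        if reserved:
            findings.append(("info", name, f"reserved Token Ring/FDDI IDs allowed: {reserved}"))
    if active_vlan_count > MAX_STP_INSTANCES:
        findings.append(("high", "global",
                         f"{active_vlan_count} active VLANs exceed {MAX_STP_INSTANCES} "
                         "spanning-tree instances; consider MSTP"))
    return findings


if __name__ == "__main__":
    for severity, interface, message in audit_trunks(SAMPLE_CONFIG, active_vlan_count=130):
        print(f"[{severity}] {interface}: {message}")
```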
Related Topics
Creating or Modifying an Ethernet VLAN (CLI), on page 497
Monitoring VLANs, on page 507
Deleting a VLAN (CLI), on page 500
Assigning Static-Access Ports to a VLAN (CLI), on page 503
Extended-Range VLAN Configuration Guidelines
Extended-range VLANs are VLANs with IDs from 1006 to 4094.
Follow these guidelines when creating extended-range VLANs:
• VLAN IDs in the extended range are not saved in the VLAN database and are not recognized by VTP
unless the controller is running VTP version 3.
• You cannot include extended-range VLANs in the pruning eligible range.
• For VTP version 1 or 2, you can set the VTP mode to transparent in global configuration mode. You
should save this configuration to the startup configuration so that the controller boots up in VTP transparent
mode. Otherwise, you lose the extended-range VLAN configuration if the controller resets. If you create
extended-range VLANs in VTP version 3, you cannot convert to VTP version 1 or 2.
Related Topics
Creating an Extended-Range VLAN (CLI), on page 505
Monitoring VLANs, on page 507
Creating an Extended-Range VLAN with an Internal VLAN ID
Information About VLAN Groups
Whenever a client connects to a wireless network (WLAN), the client is placed in a VLAN that is associated
with the WLAN. In a large venue, such as an auditorium, a stadium, or a conference room where there are
numerous wireless clients, having only a single WLAN to accommodate many clients might be a challenge.
The VLAN Groups feature uses a single WLAN that can support multiple VLANs. The clients can get assigned
to one of the configured VLANs. This feature maps a WLAN to a single VLAN or multiple VLANs using
the VLAN groups. When a wireless client associates to the WLAN, the VLAN is derived by an algorithm
based on the MAC address of the wireless client. A VLAN is assigned to the client and the client gets the IP
address from the assigned VLAN. This feature also extends the current AP group architecture and AAA
override architecture, where the AP groups and AAA override can override a VLAN or a VLAN group to
which the WLAN is mapped.
The system marks a VLAN as Dirty for 30 minutes when clients are unable to receive IP addresses using
DHCP. The system might not clear the Dirty flag from the VLAN even after 30 minutes for a VLAN group.
After 30 minutes, when the VLAN is marked non-dirty, new clients in the IP Learn state can be assigned
IP addresses from the VLAN if free IP addresses are available in the pool and the DHCP scope is defined correctly.
This is the expected behavior because the timestamp of each interface has to be checked to see if it is greater
than 30 minutes, which results in a lag of 5 minutes for the global timer to expire.
Related Topics
Creating a VLAN Group (CLI), on page 501
How to Configure VLANs
How to Configure Normal-Range VLANs
You can set these parameters when you create a new normal-range VLAN or modify an existing VLAN in
the VLAN database:
• VLAN ID
• VLAN name
• VLAN type
  • Ethernet
  • Fiber Distributed Data Interface [FDDI]
  • FDDI network entity title [NET]
  • TrBRF or TrCRF
  • Token Ring
  • Token Ring-Net
• VLAN state (active or suspended)
• Security Association Identifier (SAID)
• Bridge identification number for TrBRF VLANs
• Ring number for FDDI and TrCRF VLANs
• Parent VLAN number for TrCRF VLANs
• Spanning Tree Protocol (STP) type for TrCRF VLANs
• VLAN number to use when translating from one VLAN type to another
You can cause inconsistency in the VLAN database if you attempt to manually delete the vlan.dat file. If you
want to modify the VLAN configuration, follow the procedures in this section.
Creating or Modifying an Ethernet VLAN (CLI)
Before you begin
With VTP version 1 and 2, if the controller is in VTP transparent mode, you can assign VLAN IDs greater
than 1006, but they are not added to the VLAN database.
The controller supports only Ethernet interfaces. Because FDDI and Token Ring VLANs are not locally
supported, you only configure FDDI and Token Ring media-specific characteristics for VTP global
advertisements to other controllers.
Although the controller does not support Token Ring connections, a remote device with Token Ring connections
could be managed from one of the supported controllers. Controllers running VTP Version 2 advertise
information about these Token Ring VLANs:
• Token Ring TrBRF VLANs
• Token Ring TrCRF VLANs
SUMMARY STEPS
1. configure terminal
2. vlan vlan-id
3. name vlan-name
4. media { ethernet | fd-net | fddi | tokenring | trn-net }
5. remote-span
6. end
7. show vlan {name vlan-name | id vlan-id}
DETAILED STEPS
Step 1
Command or Action: configure terminal
Example:
Controller# configure terminal
Purpose: Enters global configuration mode.
Step 2
Command or Action: vlan vlan-id
Example:
Controller(config)# vlan 20
Purpose: Enters a VLAN ID, and enters VLAN configuration mode. Enter a new VLAN ID to create a VLAN, or
enter an existing VLAN ID to modify that VLAN.
Note: The available VLAN ID range for this command is 1 to 4094.
Additional vlan command options include:
• access-map—Creates VLAN access-maps or enters the vlan access map command mode.
• configuration—Enters the vlan feature configuration mode.
• dot1q—Configures VLAN dot1q tag native parameters.
• filter—Applies a VLAN filter map to a VLAN list.
• group—Creates a VLAN group.
Step 3
Command or Action: name vlan-name
Example:
Controller(config-vlan)# name test20
Purpose: (Optional) Enters a name for the VLAN. If no name is entered for the VLAN, the default is to
append the vlan-id value with leading zeros to the word VLAN. For example, VLAN0004 is a default VLAN
name for VLAN 4.
The following additional VLAN configuration command options are available:
• are—Sets the maximum number of All Router Explorer (ARE) hops for the VLAN.
• backupcrf—Enables or disables the backup concentrator relay function (CRF) mode for the VLAN.
• bridge—Sets the value of the bridge number for the FDDI net or Token Ring net type VLANs.
• exit—Applies changes, bumps the revision number, and exits.
• media—Sets the media type of the VLAN.
• no—Negates the command or default.
• parent—Sets the value of the ID for the parent VLAN for FDDI or Token Ring type VLANs.
• remote-span—Configures a remote SPAN VLAN.
• ring—Sets the ring number value for FDDI or Token Ring type VLANs.
• said—Sets the IEEE 802.10 SAID value.
• shutdown—Shuts down the VLAN switching.
• state—Sets the operational VLAN state to active or suspended.
• ste—Sets the maximum number of Spanning Tree Explorer (STE) hops for the VLAN.
• stp—Sets the Spanning Tree characteristics of the VLAN.
Step 4
Command or Action: media { ethernet | fd-net | fddi | tokenring | trn-net }
Example:
Controller(config-vlan)# media ethernet
Purpose: Configures the VLAN media type. Command options include:
• ethernet—Sets the VLAN media type as Ethernet.
• fd-net—Sets the VLAN media type as FDDI net.
• fddi—Sets the VLAN media type as FDDI.
• tokenring—Sets the VLAN media type as Token Ring.
• trn-net—Sets the VLAN media type as Token Ring net.
Step 5
Command or Action: remote-span
Example:
Controller(con