IUWNE
Implementing Cisco Unified Wireless Networking Essentials
Volume 2
Version 2.0
Student Guide

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

© 2011 Cisco and/or its affiliates. All rights reserved.
Module 2
Basic Cisco WLAN Installation

Overview

In medium to large environments, access points communicate with controllers, where the configuration is centralized. This architecture allows for greater control over the network infrastructure by the administrator. For the network itself, it brings a more global view of network conditions, which in turn allows more granularity and efficiency in the configuration and behavior of each access point. This module will give you the tools to understand how devices in this type of network operate and interact with one another. You will also learn how to configure these devices.
Module Objectives

Upon completing this module, you will be able to install a Cisco Unified Wireless Network. This ability includes being able to meet these objectives:

- Describe the Cisco Unified Wireless Network infrastructure
- Configure a Cisco Unified Wireless Network controller
- Explain how an AP joins a controller
- Configure an AP to operate in different modes
- Describe the roaming process
- Manage the network from a Cisco Unified Wireless Network controller
- Configure a standalone AP and convert it to CAPWAP

Lesson 1
Understanding Cisco Unified Wireless Network Basic Architecture

Overview

Wireless network sizes can range from a single access point (AP) to many thousands of APs covering a single campus. Wireless LANs (WLANs) become more difficult to manage as they grow in size if the configuration of APs is implemented only one at a time. The Cisco Unified Wireless Network architecture provides a way for APs to be centrally managed. Their Service Set Identifier (SSID) configuration, power level, and channels can be automatically configured by a central control point. This lesson explains how the different elements involved in this design interact with each other.

Objectives

Upon completing this lesson, you will be able to describe the Cisco Unified Wireless Network architecture.
This ability includes being able to meet these objectives:

- Describe the challenges that are solved by the Cisco Unified Wireless Network architecture
- Briefly explain how CAPWAP works
- Describe CAPWAP benefits
- Describe the different Cisco Unified Wireless Network hardware component families
- Describe the main Cisco APs
- Describe the main Cisco WLAN controllers
- Describe the components of the Cisco Unified Wireless Network management layer

Cisco Unified Wireless Network Basics

This topic describes the major components of the Cisco Unified Wireless Network.

Deploying and maintaining a wireless network is challenging:

- Keeping configurations consistent is difficult.
- Monitoring the exact state of each access point and reacting to a change in real time is an issue.
- Coverage holes adversely affect service.
- Interference can be a factor.
- Examples of WLAN changes over time: interference levels, signal-to-noise ratio, signal quality and coverage, throughput and load.

One of the most significant issues with implementing an IEEE 802.11 wireless network is the ability to monitor and maintain the network. Managing a wireless network involves these tasks:

- Configuring the SSID and related parameters (security, associated VLAN, and so on)
- Managing the channels and transmit power of APs to ensure optimal coverage
- Managing roaming and credential transmission from one AP to another, so that the connection is maintained while the user moves

If the WLAN comprises just a few APs, the administrator can configure each AP individually, reproducing similar configurations from one AP to another. Even with only a few APs, configuring the channel and exact transmit power of each AP can be challenging. In larger environments, the configuration of APs is more challenging still. Changing an SSID parameter can involve the reconfiguration of hundreds of APs.
The slightest difference in configuration details can create holes in the pattern of coverage.

Standalone and Lightweight APs

The RF environment within any given area is in a constant state of fluctuation. Because of this situation, traditional autonomous wireless deployments may function less efficiently. The traditional method of designing a wireless network is to start by conducting a site survey, which captures a snapshot of the RF environment. This approach can cause problems. For example, if a microwave oven is added to the environment after the site survey is conducted, the autonomous environment has no mechanism to manage this change, and administrators will need to make network changes manually. This process can be challenging even in small environments, because the cause of degraded coverage is not always obvious.

The Cisco Unified Wireless Network products are designed with constantly changing wireless environments in mind. By providing intelligent RF management and the ability to change channel and power settings as needed, Cisco provides a high-performance, high-capacity wireless network that costs less to maintain and deploy than a traditional autonomous wireless network.

To address these issues and many others, the Cisco Unified Wireless Network architecture includes two types of APs:

- Standalone (autonomous) APs: Can be configured one by one and offer complete functionality by themselves; they are well adapted for very small deployments.
- Lightweight APs: Rely on a central WLAN controller where the configuration is managed. Access points retrieve their configurations from a controller and are updated dynamically as network conditions change.

Note: They are called "lightweight" APs because part of the WLAN administration work is done by the central controller.
The AP itself does less than the "fatter" standalone APs. Most standalone APs can be easily upgraded to lightweight functionality. A common scenario is a small network that is based on standalone APs and is upgraded, as it grows, to a lightweight architecture by adding a WLAN controller and upgrading the software of the APs.

CAPWAP Fundamentals

This topic describes Control and Provisioning of Wireless Access Points (CAPWAP) and its role in the Cisco Unified Wireless Network architecture.

Cisco Unified Controller-Based Solution

The Cisco Unified Wireless Network solution is based on a centrally controlled model. The Cisco WLAN Controllers (WLCs) are the central points of administration. The APs are controlled and monitored by the Cisco WLC. Clients and APs send critical information back to the Cisco WLC regarding coverage, interference, and client data.

Communication between the APs and the Cisco WLCs is provided through CAPWAP. CAPWAP is used to exchange control information between the APs and the WLC over an encrypted tunnel. The client data is encapsulated with a CAPWAP header that contains valuable information about the client, the Received Signal Strength Indicator (RSSI) and signal-to-noise ratio (SNR), and is then sent to the Cisco WLC, which forwards the data as needed. This model provides improved control over security and traffic conditioning.

The access point and Cisco WLC build a secure Datagram Transport Layer Security (DTLS) tunnel. Any rogue AP will be detected if it is not CAPWAP-capable, and the network can be configured to force the CAPWAP-capable APs to be authenticated before being able to download any configuration from a WLAN controller. The AP configuration is downloaded from the controller, thus mitigating rogue SSIDs. It resides in RAM, so that it cannot be retrieved from the AP once the AP has been removed from the network.

A single Cisco WLC can manage many APs.
However, capacity is increased with additional Cisco WLCs. A mobility services engine (MSE) can be added to provide real-time location tracking.

Cisco "Split MAC" Design

Cisco WLAN controller:
- Security policies
- QoS policies
- RF management
- Mobility management

Cisco controller-based access point:
- Remote RF interface
- Encryption downstream
- Decryption upstream

The lightweight architecture allows the splitting of 802.11 protocols between the controller-based AP, which processes real-time portions of the protocol, and the Cisco WLC, which manages items that are not time-sensitive. This model is called "split MAC." The AP processes the portions of the protocol that have real-time requirements, which include the following:

- Frame exchange handshake between client and AP when transferring a frame
- Transmission of beacon frames
- Buffering and transmission of frames for clients in power-save operation
- Responses to probe request frames from clients, and forwarding notifications of received probe requests to the controller
- Providing real-time signal quality information to the controller with every received frame
- Monitoring all radio channels for noise, interference, and other WLANs, and monitoring for the presence of other APs
- Encryption and decryption, except in the case of VPN or IP Security (IPsec) clients

All remaining functionality is managed in the Cisco WLC, where time sensitivity is not a concern and controllerwide visibility is required. Some of the MAC-layer functions provided in the Cisco WLC include these:

- 802.11 authentication
- 802.11 association and reassociation (mobility)
- 802.11 frame translation and bridging
Dynamic RF Management

- Channel assignment
- Transmit power adjustment
- Coverage hole management
- Load balancing
- Capacity management

Real-time RF management is the key to the controller-based wireless solution. The Cisco WLAN controller uses dynamic algorithms to create an environment that is completely self-configuring, self-optimizing, and self-healing. This process is done via the Radio Resource Management (RRM) engine, which performs these functions:

- Radio resource monitoring
- Dynamic channel assignment
- Interference detection and avoidance
- Dynamic Transmit Power Control
- Coverage hole detection and correction
- Client and network load balancing

The AP constantly exchanges information with the controller and reports what is heard in the wireless environment. By collecting information from various APs, the controller has a broader view of the wireless network condition. CAPWAP is used to send and receive this information. This function is called "traffic control," as it relates to wireless conditions that are of interest for the infrastructure.

CAPWAP is also used to encapsulate client data. Each 802.11 data frame that is received from a client is encapsulated with a 6-byte CAPWAP header that contains the SNR and the RSSI at which the client was seen, and a fragment field. This CAPWAP section of the frame is encrypted. Then the AP adds a new header, where the source is its own address and the destination is the controller address.

The resulting frame may be longer than the maximum transmission unit (MTU) of the Ethernet segment to which the AP connects. The MTU in the wireless space is usually 2346 bytes, whereas it is usually 1500 bytes on Ethernet segments. In this case, the 802.11 frame is fragmented and the fragment field of the CAPWAP header counts the segments.
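The encapsulation and fragmentation just described, modelled in Python as an added example (not code from this course or from Cisco): a client frame is wrapped in a 6-byte header carrying RSSI, SNR and a fragment counter, split so that each piece plus its outer headers fits the 1500-byte Ethernet MTU, and reassembled on the controller side with the checks a receiver needs. The header byte layout and the 28-byte outer IPv4/UDP overhead are assumptions made for illustration; the real CAPWAP wire format (RFC 5415) differs.

```python
"""Toy model of CAPWAP data encapsulation and fragmentation (constructed example).

The 6-byte header layout below is hypothetical: it only models the fields the
text names (RSSI, SNR and a fragment field). It is not the RFC 5415 format.
"""
import struct
from typing import List, Tuple

WIRELESS_MTU = 2346        # largest 802.11 frame the text quotes
ETHERNET_MTU = 1500        # payload limit on the AP's wired segment
OUTER_IP_UDP = 20 + 8      # assumption: outer IPv4 + UDP headers from AP to WLC
CAPWAP_HDR_LEN = 6         # the 6-byte CAPWAP header the text describes

# Hypothetical layout: rssi (signed dBm), snr (dB), frag_id, frag_index, frag_total
HDR_FMT = "!bBHBB"
assert struct.calcsize(HDR_FMT) == CAPWAP_HDR_LEN


def max_fragment_payload() -> int:
    """Bytes of 802.11 frame that fit in one Ethernet-sized datagram."""
    return ETHERNET_MTU - OUTER_IP_UDP - CAPWAP_HDR_LEN  # 1466


def fragment_count(frame_len: int) -> int:
    """Number of CAPWAP fragments needed for a frame of frame_len bytes."""
    return max(1, -(-frame_len // max_fragment_payload()))  # ceiling division


def encapsulate(frame: bytes, rssi: int, snr: int, frag_id: int) -> List[bytes]:
    """Split one client frame into CAPWAP-encapsulated datagram payloads.

    Each returned item is header + slice; with the outer IP/UDP headers added
    it fits the Ethernet MTU. The fragment field counts the pieces so the
    WLC can put them back together.
    """
    if len(frame) > WIRELESS_MTU:
        raise ValueError("frame exceeds the 802.11 MTU")
    size = max_fragment_payload()
    chunks = [frame[i:i + size] for i in range(0, len(frame), size)] or [b""]
    total = len(chunks)
    return [struct.pack(HDR_FMT, rssi, snr, frag_id, idx, total) + chunk
            for idx, chunk in enumerate(chunks)]


def reassemble(datagrams: List[bytes]) -> Tuple[bytes, int, int]:
    """Rebuild the client frame on the WLC side; returns (frame, rssi, snr).

    Fragments may arrive out of order. Missing, duplicate or mixed-up
    fragments are rejected rather than silently producing a corrupt frame.
    """
    if not datagrams:
        raise ValueError("no fragments")
    pieces = {}
    frag_id = rssi = snr = total = None
    for dgram in datagrams:
        if len(dgram) < CAPWAP_HDR_LEN:
            raise ValueError("datagram shorter than the CAPWAP header")
        r, s, fid, idx, tot = struct.unpack(HDR_FMT, dgram[:CAPWAP_HDR_LEN])
        if frag_id is None:
            frag_id, rssi, snr, total = fid, r, s, tot
        elif (fid, tot) != (frag_id, total):
            raise ValueError("fragment belongs to a different frame")
        if idx >= total or idx in pieces:
            raise ValueError("bad or duplicate fragment index %d" % idx)
        pieces[idx] = dgram[CAPWAP_HDR_LEN:]
    if len(pieces) != total:
        raise ValueError("missing fragments: have %d of %d" % (len(pieces), total))
    return b"".join(pieces[i] for i in range(total)), rssi, snr


if __name__ == "__main__":
    frame = bytes(range(256)) * 9 + b"\x00" * 42   # constructed 2346-byte frame
    dgrams = encapsulate(frame, rssi=-55, snr=30, frag_id=7)
    # two datagrams of 1500 and 914 bytes on the wire once IP/UDP is added
    print(len(dgrams), [len(d) + OUTER_IP_UDP for d in dgrams])
    assert reassemble(list(reversed(dgrams)))[0] == frame
```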
CAPWAP Benefits

This topic describes how the CAPWAP protocol allows for better RF management and security.

Dynamic Channel Assignment and Power Optimization

The controller examines various real-time RF characteristics to efficiently manage channel assignments. These include the following:

- Access point received energy
- Noise
- 802.11 interference
- Utilization
- Client load

The controller then combines the RF characteristic information with intelligent algorithms to make systemwide decisions. The result is optimal channel configuration in a three-dimensional space, where APs on the floors above and below are a major factor in the overall WLAN configuration.

The controller dynamically adjusts AP transmit power based on real-time WLAN conditions. In normal instances, power can be kept low to gain extra capacity and reduce interference. If a failed AP is detected, power can be automatically increased on surrounding APs to fill the gap that is created by the loss in coverage, resulting in a self-healing WLAN. In any case, the controller will attempt to balance APs so that they see their neighbors at -70 dBm, based on best-practice experience.

Wireless Virtual LAN Support

- Multiple SSIDs
- Multiple security types
- Supports multiple VLANs from switches
- IEEE 802.1Q trunking protocol

Each Cisco WLC can support up to a maximum of 512 VLAN instances. However, only a few VLAN instances are normally needed for a proper WLAN design, resulting from the separation of data, VoIP, guest access, and network management.

The WLC can assign up to 16 WLANs for each AP. Each WLAN has a separate WLAN ID (1–512), a separate WLAN SSID (WLAN name), and can be assigned unique security and quality of service (QoS) policies.
Clients that are connected to one AP still share the same radio space, but each SSID is in a different network, each with its own QoS and security settings. Clients from different SSIDs can therefore be isolated from each other in the wireless space, and inherit the same isolation as on an Ethernet segment by having different VLAN and QoS tags associated with the respective SSIDs via the Cisco WLC configuration.

Note: All Cisco CAPWAP-based APs now support up to 16 SSIDs. Cisco recommends that you assign one set of VLANs for WLANs, and a different set of VLANs for management interfaces, for security purposes.

Areas of dense user concentration, such as meeting rooms, often suffer what is called "Monday morning syndrome." This situation occurs when many users gather temporarily in the same area and associate with a single AP due to its close proximity, ignoring other APs that are farther away but less utilized.

The controller provides a centralized view of client loads on all APs. This view can be used to influence where new clients attach to the network. When a new client tries to associate to an overcrowded AP, the controller can temporarily refuse the client association, in order to encourage the client to try a less-crowded AP. If the client ignores this refusal and keeps trying, the controller will finally accept it. This action results in a smooth distribution of capacity across an entire wireless network.

This centralized view can also be used when a client roams. Because all the APs report constantly to the controller about the RF environment, the controller will see the RSSI and SNR of a client fading away from the AP to which it is associated, whereas another AP will report that its station signal level is rising. The controller can then anticipate that the client will soon move from one AP to the other.
Cisco Unified Wireless Network Hardware Components

This topic describes the different hardware devices that are available in the Cisco Unified Wireless Network solution.

Cisco Unified Wireless Network Components

- Network Services
- Network Management
- Network Unification
- Access Points
- Client Devices

The Cisco Unified Wireless Network is composed of five interconnected elements that work together to deliver a unified enterprise-class wireless solution. They are client devices, APs, network unification, network management, and mobility services. Cisco offers a wide range of WLAN products to support the five interconnecting elements of the Cisco Unified Wireless Network.

Client devices include Cisco Compatible devices and Cisco AnyConnect clients. Access points include those that are dynamically configured and managed by a Cisco WLC through CAPWAP, and those that operate in standalone mode.

Note: Cisco controller-based APs are commonly referred to as lightweight APs in the industry. Cisco standalone APs are commonly referred to as autonomous APs.

Cisco network unification provides a network infrastructure that functions smoothly across a range of platforms, including the Cisco Catalyst 6500 Series Wireless Services Module (WiSM), the Cisco Wireless LAN Controller Module (WLCM), and the Cisco 5500 Series and Cisco 2500 Series WLAN Controllers. Management is provided by the Cisco WLCM. Cisco Self-Defending Networks include enhanced network services such as location management, wired and wireless intrusion detection, and Network Admission Control.

Cisco Unified Wireless Network Hardware: Access Points

This topic describes the various types of access point hardware.
Cisco Unified Wireless LAN Access Points

Features:
- Industry's best range and throughput
- Enterprise-class security
- Multiple configuration options
- Simultaneous air monitoring and traffic
- Wide-area networking for outdoor areas

Benefits:
- Zero-touch management
- No dedicated air monitor
- Supports indoor and outdoor deployment

Most Cisco IOS and CAPWAP APs have the capability to perform either as a standalone AP or to be controlled using a Cisco WLC. This capability is found in the Cisco Aironet 1140 Series Access Point, Cisco Aironet 1260 Series Access Point, and Cisco Aironet 1250AGN Series Access Point. Some other APs, such as the Cisco Aironet 1300 Series Wireless Bridge and Cisco Aironet 1400 Series Wireless Bridge, are bridges and are specifically designed to work in an outdoor environment. The Aironet 1300 Series Wireless Bridge can still accept local clients as well, whereas the Aironet 1400 Series Wireless Bridge functions solely as a bridge. The others are indoor APs designed to connect clients to the WLAN.

Some models, such as the Cisco Aironet 1500 Series Wireless Mesh AP, are lightweight (CAPWAP) only. Most of the other models can be either standalone or lightweight, and can be migrated from one mode to the other.

Cisco 3500 Series Access Point

- Dual-band IEEE 802.11a/b/g/n access point
- Integrated antennas and external antennas
- Controller-based
- Supports H-REAP
- Supports Cisco CleanAir Technology Performance Protection in congested RF environments
- Supports indoor mesh
- Lightweight
- IEEE 802.11i/WPA2-compliant
- Designed for offices and similar environments
- Local and inline power (IEEE 802.3af) support

The Cisco Aironet 3500 Series Access Point has two mission-critical models. The Aironet 3500i has internal antennas and is supported in office environments.
The Aironet 3500e uses external antennas and is used in rugged environments.

The Aironet 3500 Series Access Point includes Cisco Spectrum Expert Connect, which provides real-time, raw spectrum data to help with difficult-to-diagnose interference problems. The air quality index provides a snapshot of network performance and the impact of interference. The Aironet 3500 Series Access Point is the first AP in the industry with non-Wi-Fi detection of off-channel rogues.

The Aironet 3500 Series Access Point supports either local or inline Power over Ethernet (PoE). It is compliant with 802.11i, Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and numerous Extensible Authentication Protocol (EAP) types.

The Aironet 3500 Series Access Point uses Cisco M-Drive technology, which includes the following:

- Cisco ClientLink improves reliability and coverage for legacy clients.
- Cisco BandSelect improves 5-GHz client connections in mixed client environments.
- Cisco VideoStream uses multicasts to improve rich-media applications.

The Aironet 3500 Series Access Point also supports rogue AP detection, adaptive wireless intrusion prevention system (wIPS), and interactive multimedia.

Cisco Aironet 1040 Series Access Point

- Dual-band IEEE 802.11a/b/g/n access point
- Integrated antennas
- Controller-based and standalone versions available
- Supports H-REAP
- Supports indoor mesh
- IEEE 802.11i/WPA2-compliant
- Designed for offices and similar environments
- Local and inline power (IEEE 802.3af) support
- Lightweight

The Cisco Aironet 1040 Series Access Point is 802.11n ready. The Cisco Aironet 1140 Series supports Hybrid Remote-Edge Access Point (H-REAP) and indoor mesh.
The Aironet 1040 Series Access Point is recommended for commercial, small to midsized enterprise, and branch environments. Aironet 1040 Series Access Points may be installed on the ceiling to provide users with continuous coverage as they roam throughout a facility. In school buildings and similar facilities, the APs may be installed on the ceiling of each room and hallway to provide users with coverage. In areas where a ceiling installation may not be practical, the APs can be mounted on walls.

The Aironet 1040 Series Access Point supports either local or inline PoE. The AP is compliant with 802.11i, WPA2, WPA, and numerous EAP types.

The Aironet 1040 Series Access Point supports Cisco VideoStream, rogue AP detection, and adaptive wIPS, and can run in either standalone or lightweight mode.

Cisco Aironet 1140 Series Access Point

- Dual-band IEEE 802.11a/b/g/n access point
- Integrated antennas
- Controller-based and standalone versions available
- Supports H-REAP
- Supports indoor mesh
- Supports Cisco OfficeExtend
- IEEE 802.11i/WPA2-compliant
- Designed for offices and similar environments
- Local and inline power (IEEE 802.3af) support
- Lightweight

The Cisco Aironet 1140 Series Access Point is 802.11n ready. The Aironet 1140 Series Access Point supports Cisco OfficeExtend, H-REAP, and indoor mesh.

In offices and similarly open environments, Aironet 1140 Series Access Points may be installed on the ceiling to provide users with continuous coverage as they roam throughout a facility. In school buildings and similar facilities, the APs may be installed on the ceiling of each room and hallway to provide users with coverage. In areas where a ceiling installation may not be practical, the APs can be mounted on walls.

The Aironet 1140 Series Access Point supports either local or inline PoE. The AP is compliant with 802.11i, WPA2, WPA, and numerous EAP types.
The Aironet 1140 Series Access Point uses Cisco M-Drive technology, which includes the following:

- Cisco ClientLink improves reliability and coverage for legacy clients.
- Cisco BandSelect improves 5-GHz client connections in mixed client environments.
- Cisco VideoStream uses multicasts to improve rich-media applications.

The Aironet 1140 Series Access Point also supports rogue AP detection, adaptive wIPS, and interactive multimedia. This AP is available in two versions, standalone or controller-based, and can be migrated from one to the other.

Cisco Aironet 1260 Series Access Point

- Dual-band 802.11a/b/g/n access point
- Requires external antennas
- Controller-based and standalone versions available
- Can also be an H-REAP
- Can also be indoor mesh
- 802.11i/WPA2-compliant
- Designed for rugged indoor environments
- Local and inline power (IEEE 802.3af) support
- Cisco Unified Wireless Network Software Release 7.0 or later
- Lightweight

The Cisco Aironet 1260 Series Access Point is for midsize to large enterprises. The Aironet 1260 Series Access Point has six external antenna connectors for greater range and coverage versatility using a broad selection of the available Cisco antennas, as well as a rugged metal housing for operation over the extended temperature ranges typical of industrial environments. This AP can be placed above ceilings or suspended ceilings, allowing antennas to be discreetly placed below drop ceilings. It allows deployment of WLANs in hazardous locations by remotely placing the antennas in the hazardous locations while securing the AP within the wiring closet. The two remain connected via low-loss antenna cables.

The Aironet 1260AG Series Access Point supports either local or inline PoE. It is compliant with 802.11i, WPA2, WPA, and numerous EAP types.
The Aironet 1260 Series Access Point uses Cisco M-Drive technology, which includes the following:

- Cisco ClientLink improves reliability and coverage for legacy clients.
- Cisco BandSelect improves 5-GHz client connections in mixed client environments.
- Cisco VideoStream uses multicasts to improve rich-media applications.

The Aironet 1260 Series Access Point also supports rogue AP detection, adaptive wIPS, and interactive multimedia. This AP is available in two versions, standalone or controller-based, and can be migrated from one to the other.

Cisco Aironet 1250 AGN

- First enterprise-class IEEE 802.11n access point
- Modular for easy upgrade
- Controller-based and standalone versions available
- 802.11i/WPA2-compliant
- Designed for rugged indoor environments
- Local and inline power
- Lightweight

certified. This modular wireless AP provides reliable and predictable WLAN coverage with both existing 802.11a/b/g clients and new 802.11n clients. This wireless AP is a robust modular platform that is designed for easy field upgrades, facilitating support of various wireless capabilities. As technology evolves, the platform is flexible enough to support future radio modules that are designed to deliver intelligent RF services, further enhancing the performance and reliability of the wireless network. The Aironet 1250AGN Series AP is a rugged indoor AP designed for office environments, as well as challenging RF environments such as factories, warehouses, hospitals, and large retail establishments that require the antenna versatility that is associated with connectorized antennas, a rugged metal enclosure, and a broad operating temperature range.
It has 64 MB of DRAM and 32 MB of flash memory, and delivers the following: ‘Data rates of 300 Mbis per radio ‘= 2x3 Multiple-input, multiple-output technology for enhanced reliability = 2.4-GHz and 5-GHz radio modules ‘= Tested interoperability with leading 802.1 In devices ‘The improved throughput, reliability, and predictability of an 802.1 1n network mean that this AP is especially beneficial for environments with the following characteristics: © Challenging RF environments (manufacturing plants, warehouses, clinical environments) = Bandwidth-intensive applications (digital imaging, file transfers, network backup) = Real-time, latency-sensitive applications, including voice and video . Environments that need to support existing 802.1 1a/b/g and new 802.1 1n wireless clients 2-18 Implementing Cisco Unified Wireless Networking Essentials (UWNE) v20 (© 2017 Cisco Systems, Inc Cisco Aironet 1300 Series and 1400 Series ridges Standalone IEEE 802.119 (1300) o IEEE 802.11 (1400) Lightweight Integrated or external antenna versions available Controller-based and standalone access point versions available for the 1300 Series, standalone bridge only for the 1400 Series Point-to-point and point-to-muttipoint bridging IEEE 802, 1/WPA2-compliant 1500 eran + Designed for outdoor applications Standalone * Outdoor NEMA-4 weatherproof enclosure ‘The Aironet 1300 Series Wireless Bridge is a flexible platform with AP, bridge, and workgroup bridge functionality. It operates only in the 802.1 1b/g spectrum. 
It is delivered in a compact, rugged enclosure for deployment in outdoor environments, and is available in two versions, one with and integrated antenna and one with antenna connectors, which support various Cisco 2.4- GHz antennas, providing range and coverage versatility ‘Typical applications for the Aironet 1300 Series Wireless Bridges are as follows ‘= Network connections within a campus area = Outdoor infrastructure for mobile networks and users = Public access for outdoor areas = Temporary networks for portable or military operations ‘The Aironet 1300 Series Wireless Bridge requires a power injector, but its wide DC power- input range allows various power supply options, such as solar power or vehicle power (+10 to 448 VDC). This AP is available in two versions, standalone or controller-based, and can be migrated from cone to the other, ‘The Aironet 1400 Series Wireless Bridge allows placement in an outdoor environment without the use of an expensive additional National Electrical Manufacturers Association (NEMA) enclosure. Further flexibility is achieved by enabling point-to-point or point-to-multipoint networks with a single product line. The mounting bracket has been designed to allow installation on poles, walls, and roofs, while also providing a mechanism for choosing the desired polarization. The Aironet 1400 Series Wireless Bridge offers an outdoor wireless bridging solution in two versions. ‘The captured antenna version features an integrated radio and high-gain integrated antenna for user installations of point-to-point links, and the nonroot nodes of point-to-multipoint networks. {© 2011 Cisco Systems, in. ‘Basic isco WLAN installation 2-19 ‘The connectorized version provides professional installers with an N-type connector that allows the deployment of the root nodes of point-to-multipoint networks with omnidirectional or sector antennas, or of high-gain dish antennas for longer links. 
This model is available only in standalone mode and does not support CAPWAP.

Cisco Unified Wireless Network Hardware: Controllers
This topic describes the different controller hardware.

Wireless LAN Controllers

Unified network services are provided across various platforms, including WLAN controllers and integrated switches and routers. Cisco WLCs integrate into existing enterprise networks for advanced management capabilities and enhanced performance. They communicate with Cisco Aironet lightweight APs over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure and are responsible for managing systemwide functions.

Wireless integrated switches and routers provide cost-effective support for converged networks that integrate wireless connectivity. Integrated platforms lower hardware costs, simplify remote management, and offer flexible configuration options that can reduce the total cost of operations and ownership.

Apart from appliance or integrated controller platforms, the main difference between the units is in the number of APs supported, from 6 to 300 per unit. This support is fixed and based on the hardware requirements to support a given number of APs. It cannot be upgraded via a license.

Cisco 5500 Series WLC
• 1-RU design conserves wiring closet space
• Cisco 5508 WLC: 8 ports, Gigabit Ethernet
• Status, Tx/Rx, and link LEDs
• Can support up to 12, 25, 50, 100, 250, or 500 APs
• Supports OfficeExtend
• 10/100/1000BASE-TX Ethernet service port
• 9-pin serial connector for console port
• Country-specific power cords
• Two power supply slots

The Cisco 5500 Series Wireless LAN Controllers are enterprise-class devices that are designed to fit into a 19-inch (48.26-cm) rack taking up one rack unit (RU). The 5500 Series Wireless LAN Controller also has two ports to manage the configurations, including a console port for CLI access, and a service port for web and GUI management, Telnet, and Secure Shell (SSH) access.

When upgrading the software code on a controller, each AP associated with the controller will also be upgraded.

Cisco 4400 Series WLC
• 1-RU design conserves wiring closet space
• Two or four Gigabit Ethernet uplinks using mini-GBIC (SFP) slots
• Status, Tx/Rx, and link LEDs
• Can support up to 12, 25, 50, or 100 APs
• Supports 5000 MAC forwarding database
• 10/100BASE-TX Ethernet service port
• 9-pin serial connector for console port
• Country-specific power cords
• Two power supply slots
• Utility port reserved for future use

The Cisco 4400 Series Wireless LAN Controllers are enterprise-class devices that are designed to fit into a 19-inch (48.26-cm) rack taking up one RU. The 4400 Series Wireless LAN Controllers provide small form-factor pluggable (SFP) mini Gigabit Interface Converter (GBIC) ports for connectivity into the network infrastructure. The GBIC ports support copper or fiber-optic interfaces. If more than one GBIC is installed and configured, the Cisco WLC will load balance APs across all available ports that are configured as AP-Manager interfaces.

The 4400 Series Wireless LAN Controller also has two ports to manage the configurations, including a console port for CLI access, and a service port for web and GUI management, Telnet, and SSH access. There is also a utility port that is reserved for future use.

When upgrading the software code on a controller, each AP associated with the controller will also be upgraded. The controller will upgrade four APs at a time until all APs are upgraded.

WiSM
• Can support up to 300 APs
• Supports 5000 MAC forwarding database
• Two console ports
• Cluster-capable up to 12 modules (3600 APs)
• Maximum of five modules per chassis
• Same features as the 4400 Series controllers

The Cisco Catalyst 6500 Wireless Services Module (WiSM) is a blade that uses the Catalyst 6500 Series chassis to provide power and network connectivity. The Cisco WiSM has the features and functionality of the Cisco 4400 Series Wireless LAN Controller and supports a larger number of APs.

The Cisco WiSM supports 150 APs per controller, and each blade contains two controllers. A single blade can therefore support a total of 300 APs. You can cluster up to 12 modules in a single mobility domain, allowing 3600 APs to be controlled in a single mobility group. A maximum of five blades can be supported in a single chassis, due to power constraints.

Note: A mobility group can contain up to 24 controllers. Because a Cisco WiSM blade contains two controllers per blade, up to 12 blades can be joined to form a single mobility group.

The Cisco WiSM supports Cisco Catalyst 6509, 6506, 6503, 6504, and 6513 Switches (enhanced and nonenhanced versions). The Cisco WiSM is built on a 40-Gb-per-slot baseboard, and requires the Cisco Catalyst 6500 Series Supervisor Engine 720. (Only the Catalyst 6500 Series Supervisor Engine 720 supports a 40-Gb-per-slot line card. The Catalyst 6500 Series Supervisor Engine 2 supports only 8-Gb-per-slot line cards, and the Cisco WiSM uses a total of 10 gigabit interfaces.)

Cisco WiSM-2
• Can support up to 500 APs per WiSM-2 module
• 10,000 clients
• 5000 tags
• 10 Gb/s throughput
• Single controller, one console port
• Cluster-capable
  – Up to 24 modules per mobility group (12,000 APs)
  – Up to 72 modules per roaming domain (36,000 APs)
• Maximum of seven modules per chassis
• Same features as the 5508 Series controllers

The Cisco WiSM-2 is the next-generation wireless service module for the Cisco Catalyst 6500 or Catalyst 7600 Series chassis. With a design that is based on the Cisco 5500 Series Wireless LAN Controllers, the WiSM-2 supports more APs, has greater throughput than its predecessor, and supports advanced features like DTLS and OfficeExtend Access Points (OEAPs). The Cisco WiSM-2 can support a total of 500 APs, 10,000 clients, and 5000 tags, and can coexist in the same chassis as the legacy Cisco WiSM. A maximum of seven blades can be supported in a single chassis, allowing for very high AP densities of up to 3500 APs and 70,000 devices in a single chassis. When all WiSM-2s are deployed, you can cluster up to 24 modules, allowing 12,000 APs to be controlled in a single mobility group and up to 36,000 APs in a roaming domain.

In addition to a larger AP count, the WiSM-2 is supported by the Cisco Catalyst 6500 Series Supervisor Engine 720, Catalyst 6500 Series Supervisor Engine 720 with 10 Gigabit Ethernet Uplinks (Sup720-10G), and Cisco Catalyst E-series supervisor engines. It supports the incremental licensing model and provides an increased throughput of 10 Gb/s. These factors make the WiSM-2 better suited to service 802.11n clients and multiple concurrent rich-media applications like multicast video.

Without any other service module installed, the Catalyst 6509 switch chassis can support up to seven Cisco WiSM-2s, the Catalyst 6506 with a Supervisor Engine 720 can support up to four Cisco WiSM-2s, and any other Catalyst 6500 Series Switch chassis can support up to six Cisco WiSM-2s. If one or more service modules are installed, the chassis can support up to a maximum of four service modules (WiSM-2s included). Redundant supervisors cannot be used with these maximum configurations.

Without any other service module installed, the Cisco 7609 router chassis can support up to seven Cisco WiSM-2s, and any other Cisco 7600 Series Router chassis can support up to six Cisco WiSM-2s. If one or more service modules are installed, the chassis can support up to a maximum of four service modules (WiSM-2s included). Redundant supervisors cannot be used with these maximum configurations.

Cisco 2106 WLC, Cisco WLCM
Cisco 2106 WLC:
• 1-RU design conserves wiring closet space
• Eight 10/100BASE-TX Ethernet ports
• Power, Tx/Rx, and link LEDs
• Supports up to six primary APs
• RJ-45 serial connector for console port
• 2 RJ-45 ports with PoE
Cisco WLCM:
• Works with ISR routers
• Supports 8 to 12 APs
• Works in Cisco 2800 or 3800 routers
• Same software features as the 2106 Series WLC

The Cisco 2106 Wireless LAN Controllers are designed for small office locations. Each controller supports up to six APs and has many of the same features as the Cisco 4400 Series Wireless LAN Controllers. The Cisco 2106 Wireless LAN Controller has eight built-in switch ports, of which two ports are PoE-capable. It also has a console port for CLI access. The Cisco 2106 Wireless LAN Controller is a replacement for the Cisco 2006 WLC; it maintains all of the features, while improving performance and providing additional switch ports for directly connecting APs or other network devices.

The Cisco WLCM and the Cisco WLAN Controller Module Enhanced (WLCM-E) are designed to use the integrated services router (ISR) platform, and provide small offices with unified wireless functionality. The Cisco WLCM provides equivalent functionality to the Cisco 2106 Wireless LAN Controller, except for directly connected APs and the console port. The Cisco WLCM supports 6 APs. The Cisco WLCM-E supports a maximum of 8 or 12 APs, depending on the model.

Cisco 2500 WLC
• Supports 500 clients and 250 tags
• Guest access
• Cisco CleanAir
• OEAP support
• Desktop form factor with optional 1-RU rack mount available
• 4 GE ports: 2x1GE, 2x1GE PoE

The Cisco 2500 Wireless LAN Controller offers improved performance and provides enhancements that make it 802.11n ready. This controller supports from 5 to 50 APs with up to 500 wireless clients and 250 radio frequency identification (RFID) tags. It provides many of the same features as the Cisco 5500 Series Wireless LAN Controllers, including support for OEAPs, data DTLS, Cisco CleanAir technology, and a scale-as-you-grow licensing approach. These features make the 2500 Wireless LAN Controller a cost-effective solution for retail, enterprise branches, and small and medium-sized businesses.

With a desktop form factor or optional rack mount capabilities, these controllers come with four Gigabit Ethernet ports, two of which can provide power directly to Cisco Lightweight APs. The 300-Mb/s throughput capabilities make them easily capable of managing even the most demanding business applications and enabling small and medium-sized branch offices to deploy collaboration applications such as guest access and mobile voice or video.

Cisco Flex 7500 Series Controller
• 1-RU design conserves rack space in the data center
• Two 10-Gigabit Ethernet uplinks using SFP+ connections
• Designed to increase scalability of branch office deployments
• Supports 20,000 devices and 500 to 2000 access points
• Scale-as-you-grow licensing: 100, 250, 500, and 1000 incremental licenses available

The Cisco Flex 7500 Series Controller is one of the newest members of the Cisco WLAN controller family. It is designed specifically to bring increased scalability to branch office deployments utilizing the Cisco FlexConnect (H-REAP) solution. The Cisco Flex 7500 Series Controller is equipped with two 10-GE fiber interfaces in order to minimize cabling requirements in the data center where it is intended to be deployed. The Cisco Flex 7500 Series Controller supports between 500 and 2000 APs with up to 20,000 devices and supports the scale-as-you-grow licensing model of the Series 2500, 5500, and WiSM-2 controllers.

Cisco Unified Wireless Network Management Layer
This topic describes the devices that are used at the management layer of the Cisco Unified Wireless Network solution.

[Figure: Cisco WCS, WCS Navigator, Location Appliance, and Mobility Services Engine]

The Cisco Wireless Control System (WCS) provides a single point of management for several controllers. In large networks, WLAN configurations can be done on the Cisco WCS, and deployed to several controllers with one click. The Cisco WCS also allows, even in a single-controller deployment, features such as RF prediction, troubleshooting, graphical user tracking, or security monitoring.

The Cisco WCS runs on a server platform with an embedded database.
One instance can manage hundreds of Cisco WLCs, which in turn can manage thousands of Cisco controller-based APs. Cisco WLCs can be located on the same LAN as the Cisco WCS, on separate routed subnets, or across a wide-area connection. All Cisco WLC models can be managed by the Cisco WCS.

In an even larger environment, Cisco WCS Navigator allows navigation between several Cisco WCS instances, providing a single point of management for up to 30,000 APs.

Summary
This topic summarizes the key points that were discussed in this lesson.
• A controller-based solution allows the creation of the configuration for many APs on one single interface.
• In Cisco networks, CAPWAP allows such a communication at Layer 3.
• Using CAPWAP, a controller can, among other things, automatically adjust AP channels and transmit power.
• The Cisco Unified Wireless Network family has APs, controllers, and a management solution.
• Most APs can be standalone or controller-based. Some have a more specific use.
• Some controllers are standalone appliances, while others can be integrated into other network devices.
• At the management layer, WCS provides an extra level of management.

References
For additional information, refer to this resource:
■ Wireless, Cisco Systems Web Page at: http://www.cisco.com/go/wireless

Lesson 2
Configuring a Controller

Overview
The wireless LAN (WLAN) controller is a key element of the Cisco Unified Wireless Network solution. It does not have a default configuration. When starting a controller for the first time, basic configuration must be provided through a CLI or web wizard. This lesson will give you the knowledge that is needed to understand the elements that are required for this initial configuration, and to successfully use the web interface to manage it.

Objectives
Upon completing this lesson, you will be able to configure a WLAN controller. This ability includes being able to meet these objectives:
■ Describe the controller ports and configure its static interfaces
■ Describe the controller boot sequence
■ Provide an initial configuration from the CLI
■ Provide an initial configuration using the web interface
■ Navigate in the controller web interface
■ Use the controller web interface for configuration purposes
■ Manage the controller configuration and code files

Controller Ports and Interfaces
This topic describes the different elements and concepts that are involved in controller setup.

[Figure: service port (out-of-band), distribution ports, interfaces 1 to 512, and WLANs. Examples: management interface, AP manager interface.]

The following terminology is used when configuring and maintaining the controller-based WLAN environment.
■ Port: The port is the physical interface to the network.
■ Interface: Logical network interface. An interface can be dynamic, including VLAN tags and port association. Some interfaces are static because they must exist for the system to function properly. The "management interface" is an example of a static interface.
■ WLAN: The WLAN comprises the Service Set Identifiers (SSIDs) and all their related parameters, which allow access to the wireless networks. A WLAN is associated to an interface, thus determining how the SSID is translated into a VLAN tag on the wired side of the network.

Ports
Cisco wireless controllers use ports for the following features:
• Controlling of associated Cisco wireless APs
• Distribution system to enterprise network
  – Can assign multiple interfaces to a port
  – Data must be untagged or tagged to support multiple VLANs on the same trunk
• CAPWAP header contains client WLAN information, which is then translated into VLAN tags on the distribution port.
Ports provide the physical connection to the network by allowing multiple interfaces to gain access to the network. Each controller model has a different number of ports:
■ The Cisco 5500 Wireless LAN Controller has eight ports.
■ The Cisco 2504 Wireless LAN Controller has four ports.
■ The Cisco Wireless Services Module (WiSM) has eight virtual ports (four on each controller).

Interfaces
Cisco wireless interface configuration allows the association of a VLAN frame to a VLAN ID, which is then mapped to a physical port and WLAN.
• Must assign each interface to a port for distribution into the enterprise
• Cannot assign multiple ports to an interface
• Can assign multiple WLANs to an interface
• The VLAN ID will represent either untagged traffic (value 0) or IEEE 802.1Q tagged traffic (value 1-4095)
• Can assign multiple interfaces to a port
• All interfaces must be assigned to all Cisco wireless controllers in a mobility group to allow seamless roaming
• Various interfaces include the following:
  – Static: management, AP manager, service port, virtual
  – Dynamic: user defined

Interfaces fall into two categories:
■ Static: System interfaces that cannot be removed and serve a specific purpose. There are up to four static interfaces: management, AP manager, service (note: this is also a physical port), and virtual.
■ Dynamic: User-defined interfaces that define VLANs for WLAN access. These interfaces, which are very close to the router subinterface concept, are IEEE 802.1Q-tagged.

Interfaces need to be defined on all controllers within a mobility group in order to allow seamless roaming. If interfaces are not defined on all controllers, clients will not be able to roam between access points (APs) assigned to different controllers. They will be required to reauthenticate and reassociate.

Management Interface
Cisco wireless uses the management interface as the default interface for in-band management of the Cisco wireless controller and connectivity to enterprise services such as AAA.
• Must be in a different VLAN or subnetwork than the service port interface
AAA = authentication, authorization, and accounting

Each interface performs specific roles within the unified wireless environment. The static interfaces perform system roles, while the dynamic interfaces are user-defined and provide client connectivity.

The management interface controls communications with network equipment for all physical ports in all cases. It can be untagged (in which case the tag value is set to 0) or tagged. Cisco recommends assigning a VLAN tag to interfaces.

Tagged or untagged, the management interface must be reachable by the APs and the other controllers in the network. The APs will use the management interface to discover the controller. The controllers in a mobility group will use their management interface to exchange information.

AP Manager Interface
Cisco wireless uses the AP manager interface as the source IP address for communications from the Cisco wireless controller to Cisco APs.
• Must be a unique IP address, preferably in the same subnetwork or network as the management interface and assigned to the same port
• Listens for messages through the Layer 3 network to autodiscover, associate, and communicate with the Cisco AP
• On newer platforms, the management interface also acts as the AP manager interface

The AP manager interface controls all communications between the controller and the lightweight APs by listening across the Layer 3 network for Control and Provisioning of Wireless Access Points (CAPWAP) join messages. This process allows it to associate and communicate with as many lightweight APs as possible.

The controller can be configured to aggregate its ports into one single virtual port. This feature is called the link aggregation group (LAG). In this case, a single AP manager is created and attached to the virtual port.

When using individual physical ports, one AP manager interface can be attached to each physical port. This situation can result, for example, in up to 8 AP manager interfaces on the Cisco 5508 Wireless LAN Controller. In software releases before 6.0, the AP manager interfaces need to be on the same VLAN or IP subnet as the management interface. They must have a unique IP address, preferably in the same subnetwork or network as the management interface, and are assigned to the same port. In controllers running Release 6.0 and later, AP manager interfaces do not need to be on the same VLAN or IP subnet as the management interface. However, Cisco recommends that you configure all AP manager interfaces on the same VLAN or IP subnet.

Note: For Cisco 5500 and 2500 Series Wireless LAN Controllers and Cisco Catalyst 6500 Series Wireless Services Module 2 (WiSM-2), you are not required to configure an AP manager interface. The management interface acts like an AP manager interface by default, and the APs can join on this interface.

Note: For Cisco 5500 and 2500 Series Wireless LAN Controllers and Cisco Catalyst 6500 Series Wireless Services Module 2 (WiSM-2), the management interface acts like an AP manager interface by default. If desired, you can disable the management interface as an AP manager interface and create another dynamic interface as an AP manager.

To configure management and AP manager interfaces, open the web interface and navigate to Controller > Interfaces.

Virtual Interface
The virtual interface is used when supporting the following features:
• Mobility management: the mobile client uses the same virtual IP address across multiple controllers
• DHCP relay: the client uses the virtual IP address as the DHCP server address
• Layer 3 security: web authentication uses the virtual interface as the gateway IP address

The virtual interface is used to support the following:
■ Mobility management
■ DHCP relay: acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server
■ Web authentication: serves as the redirect address for the web authentication
■ Maintains the Domain Name System (DNS) gateway hostname that is used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3 web authorization is enabled

The virtual interface can be any fictitious, unassigned, and unused gateway IP address, such as 1.1.1.1. It does not need to be routable. It is seen only on the wireless side of the network and disappears from the payload as soon as the packets reach the AP.

When several controllers are part of the same mobility group, they should all have the same virtual gateway interface, in order for roaming to be seamless in any situation.

Controller > Interfaces > Edit

The virtual interface serves as a gateway for wireless clients. When roaming to APs connected to other controllers in the same mobility group, clients try to reach the gateway to renew their credentials. Credentials are passed between controllers as clients roam. For the controller to be recognized as the gateway, the virtual interface must be the same on all controllers in the same mobility group.

Service Port Interface
Associated only with the service port on the Cisco wireless controller front panel: a 10/100/1000BASE-T Ethernet port dedicated to out-of-band management.
• Must be in a different VLAN or subnetwork than the management port interface
• You cannot assign a gateway to the service port interface, but must set up static routes if you wish to connect to the service port from remote networks
• The service port is not autosensing:
  – You must use a straight-through Ethernet cable to connect to controllers and hubs
  – You must use a crossover Ethernet cable to connect to routers and workstations

Cisco 5500 Series Wireless LAN Controllers also have a 10/100/1000 copper Ethernet service port. The service port interface is reserved for out-of-band management of the controller, and system recovery and maintenance in the event of a network failure. It is also the only port that is active when the controller is in boot mode. The service port is not capable of carrying 802.1Q tags, so it must be connected to an access port on the neighbor switch.

Note: The service port is not autosensing. You must use the correct straight-through or crossover Ethernet cable to communicate with the service port.

The service port is used for out-of-band management of the controller. If the management workstation is in a remote subnet, you may need to add a static route on the controller in order to manage the controller from that remote workstation. You can add the static route using either of the following:
■ Web interface, by navigating to Controller > Network Routes
■ CLI, using the config route network-ip-addr ip-netmask gateway command

In this example, machine 172.0.0.1/32 is allowed to connect to the service interface port, and 192.168.1.254 is used as a gateway to answer it. Any machine in the 176.21.14.0 subnet is allowed to connect to the service interface port, and 192.168.1.254 is used as a gateway to answer it.

Dynamic Interfaces
• Dynamic interfaces are generally designed for WLAN client data and provide support for multiple VLAN instances.
• These interfaces are manually configured by the administrator.
• Configuration details include the following:
  – VLAN ID
  – IP address, mask, and gateway information
  – Physical port assignment
  – DHCP server support
  – ACL support

Dynamic interfaces, also known as VLAN interfaces, are created by users and designed to be analogous to VLANs for WLAN clients. A controller can support up to 512 dynamic interfaces (VLANs). Each dynamic interface is individually configured and allows separate communication streams to exist on any or all distribution system ports of a controller. VLAN and other communications between controllers and all other network devices are controlled by the dynamic interfaces. Each dynamic interface also acts as a DHCP relay for wireless clients that are associated to WLANs that are mapped to the interface. It is possible to assign dynamic interfaces to any distribution system ports and any WLANs.

Controller > Interfaces > New and Edit (upon clicking Apply)

A dynamic interface must be configured before a WLAN can be allocated. It is possible to configure zero, one, or multiple dynamic interfaces on a distribution system port. However, all dynamic interfaces must be on a different VLAN (IP subnet) from all other interfaces that are configured on the port. If the port is untagged, all dynamic interfaces must be on a different IP subnet from any other interface that is configured on the port.
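The interface rules stated in this topic can be checked mechanically before a configuration is pushed: a dynamic interface must carry a VLAN tag (only the static management interface may stay untagged with tag 0), interfaces sharing a distribution port must be in different VLANs and IP subnets, the service port must be in a different subnet than the management interface, a virtual interface must exist, and every controller in a mobility group must define the same dynamic interfaces and the same virtual address or clients lose seamless roaming. The following script is an added example, not Cisco code or AireOS output: the controller names (WLC-A, WLC-B), the employees/guests/voice interfaces, the addresses and the dictionary layout are all constructed for illustration and do not correspond to any controller export format.

```python
import ipaddress

# Interfaces the guide calls "static": management, AP manager, service port, virtual.
STATIC_NAMES = {"management", "ap-manager", "service-port", "virtual"}


def _subnet(iface):
    """Subnet of an interface from its address and mask (e.g. 10.10.20.0/24)."""
    return ipaddress.ip_network(f"{iface['ip']}/{iface['mask']}", strict=False)


def _conflict(a, b):
    """True when two interfaces share a VLAN tag or have overlapping subnets."""
    return a["vlan"] == b["vlan"] or _subnet(a).overlaps(_subnet(b))


def lint_controller(ctrl):
    """Check one controller's interface table; returns a list of violations."""
    name, ifaces = ctrl["name"], ctrl["interfaces"]
    errors, per_port = [], {}
    for ifname, iface in ifaces.items():
        if ifname == "virtual":
            continue  # fictitious gateway (e.g. 1.1.1.1): no VLAN, port or subnet
        if ifname not in STATIC_NAMES and iface["vlan"] == 0:
            errors.append(f"{name}: dynamic interface {ifname} must carry a VLAN tag")
        per_port.setdefault(iface["port"], []).append((ifname, iface))
    # A dynamic interface must differ in VLAN/subnet from every other interface on its port
    # (management and AP manager are allowed to share VLAN and subnet on the same port).
    for port, members in per_port.items():
        for i, (a_name, a) in enumerate(members):
            for b_name, b in members[i + 1:]:
                involves_dynamic = a_name not in STATIC_NAMES or b_name not in STATIC_NAMES
                if involves_dynamic and _conflict(a, b):
                    errors.append(f"{name}: {a_name} and {b_name} on port {port} "
                                  "must use different VLANs/subnets")
    mgmt, svc = ifaces.get("management"), ifaces.get("service-port")
    if mgmt and svc and _subnet(mgmt).overlaps(_subnet(svc)):
        errors.append(f"{name}: service-port must be in a different subnet than management")
    if "virtual" not in ifaces:
        errors.append(f"{name}: virtual interface is missing")
    return errors


def lint_mobility_group(controllers):
    """Per-controller checks plus the cross-controller rules needed for seamless roaming."""
    errors = [e for c in controllers for e in lint_controller(c)]
    dynamic = [{n for n in c["interfaces"] if n not in STATIC_NAMES} for c in controllers]
    every = set().union(*dynamic)
    for c, present in zip(controllers, dynamic):
        for missing in sorted(every - present):
            errors.append(f"{c['name']}: dynamic interface {missing} is not defined; "
                          "clients roaming to this controller must reauthenticate")
    virtuals = {c["interfaces"].get("virtual", {}).get("ip") for c in controllers}
    if len(virtuals) > 1:
        errors.append(f"virtual interface differs across the mobility group: "
                      f"{sorted(map(str, virtuals))}")
    return errors


# Constructed sample: two controllers that should form one mobility group.
CONTROLLERS = [
    {"name": "WLC-A", "interfaces": {
        "management":   {"ip": "10.10.1.10",   "mask": "255.255.255.0", "vlan": 10, "port": 1},
        "ap-manager":   {"ip": "10.10.1.11",   "mask": "255.255.255.0", "vlan": 10, "port": 1},
        "service-port": {"ip": "192.168.1.10", "mask": "255.255.255.0", "vlan": 0, "port": "service"},
        "virtual":      {"ip": "1.1.1.1"},
        "employees":    {"ip": "10.10.20.10",  "mask": "255.255.255.0", "vlan": 20, "port": 1},
        "guests":       {"ip": "10.10.30.10",  "mask": "255.255.255.0", "vlan": 30, "port": 1},
        "voice":        {"ip": "10.10.40.10",  "mask": "255.255.255.0", "vlan": 40, "port": 1},
    }},
    {"name": "WLC-B", "interfaces": {
        "management":   {"ip": "10.10.1.20",   "mask": "255.255.255.0", "vlan": 10, "port": 1},
        "ap-manager":   {"ip": "10.10.1.21",   "mask": "255.255.255.0", "vlan": 10, "port": 1},
        "service-port": {"ip": "192.168.1.20", "mask": "255.255.255.0", "vlan": 0, "port": "service"},
        "virtual":      {"ip": "1.1.1.2"},  # differs from WLC-A: breaks seamless roaming
        "employees":    {"ip": "10.10.20.20",  "mask": "255.255.255.0", "vlan": 20, "port": 1},
        # untagged and in the same subnet as "employees" on the same port: two violations
        "guests":       {"ip": "10.10.20.30",  "mask": "255.255.255.0", "vlan": 0, "port": 1},
        # "voice" is missing here, so clients roaming from WLC-A on that WLAN reauthenticate
    }},
]

if __name__ == "__main__":
    for problem in lint_mobility_group(CONTROLLERS):
        print(problem)
```

Running the script on the constructed sample reports four problems: WLC-B's untagged guests interface, its subnet clash with employees on port 1, the missing voice interface on WLC-B, and the mismatched virtual address between the two controllers; WLC-A on its own is clean.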
It is possible to map a WLAN to the management interface, which implies that the traffic coming from the WLAN will get the same VLAN tag as the default management traffic, for simpler deployment. The management interface can be untagged (created with a VLAN tag value of "0"). Dynamic interfaces must have a VLAN tag.

Controller Initial Setup
This topic describes how to connect to a controller to get to the initial setup phase.

Controller Initial Setup Options
Serial console port:
• Available on all models
• Male DB-9 pin connector or RJ-45
• Supports pins 2, 3, and 5
• Default port configuration: 9600 baud, 8 data bits, 1 stop bit, no parity, no hardware flow control
• DB-9 female-to-female null-modem serial cable
• Dedicated to Cisco Unified Wireless Network software management
• Ensures access to the CLI in the event of a network failure
• Can be used for initial installation
• Access to the CLI only

Service interface port:
• Not available on all models
• 10/100BASE-TX Ethernet port, which is speed autosensing
• Service interface for DTE and DCE: straight-through or crossover Ethernet cable to controller or hub
• Category 5 Ethernet cable
• Dedicated to controller management
• Ensures access to Cisco AireOS in the event of a network failure
• Can be used for initial configuration or out-of-band management
• Has a default address of 192.168.1.1/24

Once configured, a controller can be managed through three different interfaces:
■ Serial connection: Provides live interaction with the controller through a CLI. This port is used extensively for debugging.
■ Controller web interface: Provides a user-friendly GUI to configure the controller. As a web server, its information is not dynamically refreshed, even though some pages automatically refresh on a regular basis.
■ Cisco Wireless Control System (WCS): Through the Cisco WCS, it is possible to configure Cisco Wireless LAN Controllers (WLCs) via a web interface.
A controller does not have a default configuration, so a setup wizard must be run. This initial controller configuration can be accomplished either via the console port and CLI, or via the controller web interface and a web GUI. Both methods provide the same configuration options. The setup using the console port requires a PC with a serial port and a null-modem serial cable. The setup via the service port requires a PC with an Ethernet interface and a Category 5 Ethernet cable.

Note: On Cisco 5500 Series Wireless LAN Controllers, you can use either the RJ-45 console port or the USB console port. If you use the USB console port, plug the 5-pin mini Type B connector into the controller USB console port and the other end of the cable into the PC USB Type A port. The first time that you connect a Windows PC to the USB console port, you are prompted to install the USB console driver. Follow the installation prompts to install the driver. The USB console driver maps to a COM port on your PC. You then need to map the terminal emulator application to the COM port.

Boot Loader Menu
1. Run primary image (7.0.116.0) - active
2. Run backup image (7.0.114.58)
3. Change active boot image
4. Clear configuration
5. Format FLASH Drive
6. Manually update images
Enter selection:

The controller boot sequence will always have these options available because this is set in PROM to ensure controller recovery options.

On initial boot-up of the controller, if connected via the console port, there is an option to enter the Boot Options menu. To enter the Boot Options menu, press the ESC key when prompted. The Boot Options allow the device to boot to the previous version of code, update the code, change the default code to be used on normal startup, and clear the configuration.
Run Primary or Backup Image
(Figure: console output of the controller boot sequence.) If no escape key is pressed to halt the boot process and enter the boot options menu, the boot process begins automatically.

The controller maintains two versions of the code, which allows for booting to a primary or backup image. This method is useful if a code upgrade fails, or if the primary image on the controller becomes corrupt. To boot from the backup image, select Option 2, Run Backup Image, from the Boot Loader menu.

Run Primary or Backup Image (Cont.)
(Figure: console output after the boot completes.) The "Web Authentication Certificate not found (error)" message appears only after the initial controller boot or a controller upgrade. The Cisco Wizard Configuration Tool begins automatically if there is no saved configuration.
Web Authentication Certificate not found (error). If you cannot access the management interface via HTTPS please reconfigure Virtual Interface.
(Cisco Controller)
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup

After choosing which image to boot, the controller will go through the initial boot sequence. If the controller has a saved configuration, it will boot the saved configuration. If the controller does not have a saved configuration, it will boot to the CLI setup wizard. If the "Web Authentication Certificate not found (error)" message appears, the controller has not yet been configured and therefore has not generated the certificate for web authentication. If the "Welcome to the Cisco Wizard Configuration Tool" message appears in the CLI, the controller does not have a saved configuration.

CLI Wizard Configuration Tool
This topic describes how the CLI Wizard is used to configure the controller.
(Figure: CLI Wizard Configuration Tool prompts.)
The wizard configuration tool allows for easy setup of the controller. If a question is answered incorrectly, use the Minus (-) key to go back in the wizard. The defaults are highlighted to allow for faster selection. Press Enter to select the defaults. Parameters that are requested by the wizard include the following:

CLI Wizard Parameters
Parameter | Description
System Name | The name that is used to identify the system, for both administrators and APs.
Administrative User Name | The initial administrator user account.
Administrative Password | The initial administrator password.
Service Interface IP Address Configuration | Setting to determine whether the service port will use DHCP or not. The options are: none, which means statically assigned, or DHCP, which means the port will get its IP address from DHCP.
Service Interface IP Address | IP address for the service port. This option assumes that you selected none for the previous selection. By default, the service interface IP address is set to 192.168.1.1 and can be used to access the controller web interface initial setup web wizard. During the CLI initial setup wizard, it has to be given an IP address (even 192.168.1.1) and cannot be left to a default state.
Service Interface Netmask | Subnet mask for the service port.
Management Interface IP Address | IP address for the management interface.
Management Interface Netmask | Subnet mask for the management interface.
Management Interface Default Router | Default gateway for the management interface.
Management Interface VLAN Identifier | VLAN tag to be used for the management interface.
Management Interface Port Number | Defines which physical port will be used for the management interface.
Management Interface DHCP Server IP Address | Defines which DHCP server will be used by this interface when it receives a DHCP request.
Virtual Gateway IP Address | Defines the IP address for the virtual interface that is used for DHCP relay, mobility management, and Layer 3 authentication.
Mobility/RF Group Name | Name that is used by every controller in a mobility group, which must be the same for every controller in the mobility domain.
Network Name (SSID) | Defines an SSID on the system, with 802.1X security enabled. This SSID will be disabled by default.
Configure DHCP Bridging Mode | Enables bridging mode.
Allow Static IP Addresses | Sets whether the SSID will allow static IP addresses.

CLI Wizard Configuration Tool (Cont.)
(Figure: the remaining wizard prompts with their [YES][no] defaults; the system saves the configuration and resets at the end.)

Wizard questions include these:

CLI Wizard Parameters (Cont.)
Parameter | Description
Configure a RADIUS Server Now | Allows you to set up a link to a RADIUS server, which will be used for various security measures within the controller.
Enter Country Code | Tells the country for the controller, which sets the appropriate RF characteristics available.
Enable 802.11b Network | Allows you to turn off IEEE 802.11b radios at a controller level.
Enable 802.11a Network | Allows you to turn off IEEE 802.11a radios at a controller level.
Enable 802.11g Network | Allows you to turn off IEEE 802.11g radios at a controller level.
Enable Auto-RF | Turns on or off auto-channel and auto-power settings.
Configure an NTP Server Now | Allows you to tie the system time to a central external source.
Configure the System Time Now | Allows you to define the system time if no Network Time Protocol (NTP) server is used.

(Figure: the login prompt and the (Cisco Controller) > prompt after the wizard completes.)

After the controller wizard is complete and the controller saves and reboots, it prompts for the administrator username and password. After logging into the controller, the controller prompt will appear and you will be able to use commands to administer the device. To display a list of available commands, type a question mark (?). The basic commands allow you to do the following:
+ Show current configuration information
+ Save settings to NVRAM, transfer files
+ Enter submenus
+ Access debug and testing functions

Command Line Interface: config and debug Commands
(Figure: output of the config ? and debug ? commands.)

The config commands are used to configure the system. The CLI config commands match the settings that can be set using the web interface. The debug commands are used to help troubleshoot controller or AP problems. There are many debug options. The debug commands are not available from the controller web interface.

Note: Use caution when using debug commands that consume system resources. The debug commands are enabled until a session timeout, or until they are manually shut off.

Web Wizard Configuration Tool
This topic describes how to configure the controller from the web interface.
Controller Web Configuration Wizard Login
+ If you attempt to use HTTPS, you will receive an error. Initial system configuration will support only HTTP access.
+ Default IP address is 192.168.1.1/24
+ Username: admin
+ Password: admin

All the controllers, except for the Cisco 2106 and 2504 Wireless LAN Controllers, can also be configured using a web GUI wizard that is accessed through the default IP address of the controller (http://192.168.1.1). Upon entering this address in your web browser, you will be prompted for a username and password. The username and password are both "admin" by default.

Controller Web Configuration Wizard
(Figure: system name, administrative user, and SNMP settings pages.) After the SNMP communities are set, another login is required to verify the new credentials.

The next step in the process requests a system name, administrative username, and password. The system then prompts for Simple Network Management Protocol (SNMP) version options. After entering this information, the user will be prompted to log in again, using the newly created account.

Controller Web Configuration Wizard (Cont.)
The settings follow the settings from the CLI wizard. Users need to define the settings for the service port, link aggregation, the management interface, and the miscellaneous configuration settings.

Following the miscellaneous settings, the user will be prompted for the virtual interface, WLAN, RADIUS, and 802.11 configurations. Once again, these settings mirror the CLI setup wizard. Once configuration is completed, the user will be prompted to save configuration changes and to reboot the controller. Saving the configuration writes the settings to the system NVRAM, and then reboots the system using the newly entered settings.
Controller Web Interface
This topic describes the controller web interface main menus and how to use them.

After the controller web configuration wizard saves the configuration and reboots the controller, HTTPS access is enabled and HTTP access is disabled by default. After the initial configuration is complete, the connection to the controller web interface is accomplished via a secure HTTPS session. The administrator username and password that are created during the initial setup are required to log in.

Note: You can connect using either HTTP:// or HTTPS://. Remember that HTTP is disabled by default. The error message "The page cannot be displayed" indicates that the corresponding access method has been disabled.

(Figure: controller web interface with the menu bar across the top of the window.)

The menu bar across the top of the window is the main navigation source for the controller web interface. The menu provides access to the following options:
+ Monitor: View status of the controller, APs, and the clients that are attached to it
+ WLAN: Configure and manage the WLANs (SSIDs)
+ Controller: Systemwide general settings
+ Wireless: Configure and manage the APs and the radios that are associated with them, as well as all aspects associated with RF
+ Security: Control local and remote security settings for client security, including RADIUS server and local net users
+ Management: Local management of the system, control management interfaces (HTTP and HTTPS, Telnet, Secure Shell [SSH]), and SNMP settings for remote management and monitoring
+ Commands: The controller file management, system status, and reset controls
+ Help: Systemwide help pages with complete search capabilities
+ Feedback: Allows system feedback to Cisco
Administrative Commands
(Figure: Local Management Users page.) Click Save Configuration to ensure that the changes you make are saved in NVRAM.

Step 1 Choose Local Management Users from the left menu.
Step 2 Click the New button to add additional users.
Step 3 Click the Remove link next to the user to delete the user from the system.

New users can have read-write or read-only access. They can also sign on as "LobbyAdmin," which gives them the ability to create temporary credentials for the guest SSIDs.

Note: LobbyAdmin, or Lobby Ambassador, cannot create WLANs, but can create accounts for some of the WLANs. They are typically used to create temporary credentials for visitors on a guest type of WLAN.

Configuring TACACS+
Configuring TACACS+ provides the capability to control access to the Cisco WLCs via a TACACS+ server for authentication, authorization, and accounting (AAA). It is possible to configure up to three TACACS+ AAA servers. For example, it may be necessary to have one central TACACS+ authentication server but several TACACS+ authorization servers in different regions. If multiple servers of the same type are configured and the first one fails or becomes unreachable, the controller automatically tries the second and third, if necessary.

Management via Wireless
The Cisco WLC can be managed via WLAN clients, but this capability is disabled by default.

The ability to manage the network via wireless clients is disabled by default but can be enabled using the Management via Wireless menu item under the Management menu. Before enabling this feature, the security risks that are involved should be considered, because any wireless user could try to access the controller web interface.

Example Configuration
This topic provides an example WLAN and interface configuration.
Example: Interface Creation
In this scenario, the administrator wants you to create a WLAN called "Guest," and send its traffic to VLAN 40, which links to the demilitarized zone (DMZ). To complete the task, use the following procedure:

Step 1 Create the "VLAN 40" tag on the controller. From the Controller menu, navigate to Interfaces in the left menu.
Step 2 Click New to create a new interface. The name that is given here is "DMZ," and the tag is "40."
Step 3 Click Apply to create the interface. A new window appears where the interface details must be configured. The VLAN identifier is taken from the previous page. The controller must have an IP address in this VLAN with its respective subnet. The gateway to the DMZ will be reachable from port number 2.
Step 4 Two DHCP servers are available to answer queries from this interface. Clients from the WLAN will be mapped to this interface. Therefore, when they request an IP address through DHCP, these two DHCP servers will be queried by the controller, acting as a DHCP relay.
Step 5 Click Apply to validate the changes. A new interface, DMZ, is created, allowing the controller to know the VLAN 40 tag. It is associated to port number 2.

The second task is to create the WLAN itself, using the following procedure:

Step 1 From the WLAN menu, click New.
Step 2 Set the Profile Name to IUWNE-2.
Step 3 Set the SSID to Guest.
Step 4 Click Apply to create the WLAN. The WLAN ID is an index internal to the controller. The number "3" presented means that it is the third WLAN created on this controller.
Step 5 A new window appears, with several tabs, where the WLAN configuration will be more detailed. In the first tab, click WLAN Status Enabled. Without this option, the WLAN is configured and ready, but is not sent to any AP.
Step 6 Radio policy decides on the radios to which the WLAN should be available: 802.11a only, 802.11g only, 802.11b/g only, 802.11a/g only, or all radios. Provide access only to 802.11a users.
Step 7 The next choice concerns the interface. DMZ was created previously, allowing VLAN 40 to exist on the controller. Select DMZ for the interface. All traffic coming from the Guest SSID will be sent out of port number 2 with a VLAN tag of 40.
Step 8 The next tab, Security, defines many options for authentication and encryption. In this simple example, in Layer 2 security, choose None to allow access without authentication or encryption. There is no need to change anything in the other tabs. Click Apply to validate the changes. The new WLAN now appears in the list.

After you create up to 512 WLANs on the controller, you can selectively publish them (using AP groups) to different APs to better manage your wireless network. In a typical deployment, all users on a WLAN are mapped to a single interface on the controller. Therefore, all users that are associated with that WLAN are on the same subnet or VLAN. However, you can choose to distribute the load among several interfaces or to a group of users based on specific criteria such as individual departments (such as Marketing) by creating AP groups. Additionally, these AP groups can be configured in separate VLANs to simplify network administration.

In the example, three AP groups are defined, and each is a member of a different VLAN. All AP groups are members of the same SSID. A client within the wireless SSID is assigned an IP address from the VLAN subnet on which its AP is a member. For example, any user that associates with an AP that is a member of AP group VLAN 61 is assigned an IP address from that subnet. To configure AP groups, use the following procedure:

Step 1 Configure the appropriate dynamic interfaces and map them to the desired VLANs.
Step 2 Create the AP groups.
Step 3 Assign APs to the appropriate AP groups. (You can create up to 500 AP groups for Cisco 5500 Series Wireless LAN Controllers.)

Example: Configuring Access Point Groups
By default, all APs belong to the default AP group "default-group" unless you assign them to other AP groups using the following procedure:

Step 1 Choose WLANs > Advanced > AP Groups to open the AP Groups page.
Step 2 Click Add Group to create a new AP group. The Add New AP Group section appears at the top of the page.
Step 3 In the AP Group Name text box, enter the group name.
Step 4 In the Description text box, enter the group description.
Step 5 Click Add. The newly created AP group appears in the list of AP groups on the AP Groups page.

Note: To delete this group, hover your cursor over the blue drop-down arrow for the group and choose Remove. An error message appears if you try to delete an AP group that is used by at least one AP. Before deleting an AP group in a controller, move all APs in the group to another group. They will not go back to the default group.

Step 6 Click the name of the group to edit this new group.
Step 7 Choose the WLANs tab.
Step 8 Click Add New to assign a WLAN to this AP group. The Add New section appears at the top of the page.
Step 9 From the WLAN SSID drop-down list, choose the SSID of the WLAN.
Step 10 From the Interface Name drop-down list, choose the interface to which you want to map the AP group.
Step 11 Click Add to add this WLAN to the AP group. This WLAN appears in the list of WLANs that are assigned to this AP group.
Step 12 Choose the APs tab to assign the AP to this AP group.
Step 13 Select the check box to the left of the AP name and click Add APs to add an AP to this AP group. The access point will now reboot. The AP will then appear in the list of APs currently in this AP group.
Interface Groups
+ New feature in code Release 7.0.116 and later, allowing implementation of VLAN pooling
+ Overcomes the current 1:1 WLAN-to-VLAN mapping constraint
+ Allows guest users in different locations to utilize individual DHCP scopes
+ Supported on the Cisco Aironet 1040, 1130, 1140, 1240, 1260, 3500, 1522, 1524, and 1540 Series Access Points and all controller platforms
+ Wireless clients associating to a WLAN will get an IP address from a pool of subnets identified by the interface group, in round-robin fashion

An interface group is a new feature in Release 7.0.116. This feature now allows an administrator to implement VLAN pooling, where a WLAN can be mapped to a single interface or to multiple interfaces using an interface group. Under previous releases of controller code, the WLAN-to-interface mapping was constrained to 1:1. This limitation could lead to implementation issues when a customer wanted a single campus-spanning WLAN. This situation could lead to either a very large broadcast domain or IP address exhaustion if a smaller DHCP scope was implemented. Additionally, the availability of a single large subnet may not be feasible for some networks due to existing network design or subnet allocation.

Wireless clients associating to a WLAN will get an IP address from a pool of subnets identified by the interface group, in a round-robin fashion. The interface group maps the clients to the same WLAN through multiple interfaces. This feature also provides the solution to guest anchor restrictions. Wireless guest users on foreign locations can get an IP address from multiple subnets based on their foreign locations or foreign controllers from the same anchor WLC.

This feature is supported on the following:
+ All lightweight APs with 16 MB or more flash space, which includes the Cisco Aironet 1130, 1140, 1240, 1250, 1260, 3500, and 1522/1524/1540 Access Points
+ All controller platforms, with the following limitations:

Controllers | Interface Groups/Interfaces
WiSM-2, 5508, 7500, 2500 | ale
WiSM, 4400, 4200 | 2182
2100 and NM6 series (WLCM) | ala

Configuring Interface Groups
By default, none of the dynamic interfaces belong to a group. To create an interface group and apply it to a WLAN, complete the following steps:

Step 1 Choose Controller > Interface Groups to open the Interface Groups page.
Step 2 Click Add Group to create a new interface group. The Add New Interface Group section appears at the top of the page.
Step 3 In the Interface Group Name text box, enter the group name.
Step 4 In the Description text box, enter the group description.
Step 5 Click Add. The newly created interface group appears in the list of interface groups on the Interface Groups page.

Note: To delete this group, hover your cursor over the blue drop-down arrow for the group and choose Remove.

Step 6 Click the name of the group to edit this new group.
Step 7 From the Interface Name drop-down list, choose the dynamic interface for this interface group.
Step 8 Select Add Interface.
Step 9 Repeat Steps 7 and 8 for each dynamic interface that is to be added to the interface group.
Step 10 When all the interfaces have been added to the interface group, click Apply.
Step 11 Select WLAN from the menu.
Step 12 Select the WLAN ID that is required to bind the interface group.
Step 13 From the Interface/Interface Group (G) drop-down list, choose the interface group.
Step 14 Choose Apply.

Controller Files
This topic describes the different files that are used to manage a controller.

Controller Files
+ AP code file
+ .aes combined image: bootloader file, RTOS* of the controller, code file
  Can be upgraded from the CLI or the web interface; in the web interface, these three are under one single file
+ Configuration file
  Can be uploaded or downloaded via TFTP from the CLI or the web interface
  In Release 4.2 and later, an XML file; prior to 4.2, a binary file
  A Release 4.2 configuration file is not accepted on pre-4.2 controllers, and vice versa
+ The AP gets its configuration and code from the controller
*RTOS = real-time operating system

Upgraded from the web interface, the controller code is a single file. This file has an .aes extension. It is actually a compressed archive that is made of three files:
+ Bootloader: Allows the controller to find the initial boot file and provide the boot menu
+ Real-time operating system: Provides an abstraction layer to manage operations close to real time
+ Code: Provides the operating system

These three files can be downloaded individually to the controller from the CLI boot menu. They can also be downloaded in one single .aes file using the following CLI commands:
transfer download datatype code
transfer download start

To download from the web interface, navigate to Commands > Download.

The upgrade process first copies the image to memory and, when the transfer is complete, copies it to the flash memory. The existing primary image becomes the backup image, while the new image becomes the primary image. This process allows for controller recovery in a failed upgrade. To load the new code as the primary image, the controller must reboot, which disconnects its APs.
Upon reconnecting, the APs will upgrade their own code from the new controller image. The configuration file can be uploaded and downloaded via TFTP. The configuration file in RAM is the running configuration. To be protected from data loss in the event of a reboot, use the save config command on the CLI or the Save Configuration button in the web interface.

In versions before version 4.2, the configuration file was a binary file. You could upload and download it between controllers, but you could not modify or read it. In versions 4.2 to 6.0, the configuration file is an XML document. It can be read and edited. Controllers running a code version before 4.2 are not able to receive and understand an XML configuration file. Controllers running a code version of 4.2 or later cannot receive a binary configuration file. In version 7.0 and later, the configuration file is a text file that can be read and edited.

The AP code and configuration files are integrated into the controller. The administrator does not need to directly manage the APs.

Controller Code Releases
+ ED: newest features
+ MD: bug fixes
+ Also deferred releases

Previously, the software releases for the WLCs were displayed in two categories: latest releases and all releases. This method has been confusing for some customers who need assistance in choosing which software release they should deploy. The software releases are now organized into the following categories: Early Deployment releases, maintenance releases, and deferred releases.

Software Release | Description | Examples | Benefit
Early Deployment releases | These software releases provide new features and new hardware platform support as well as bug fixes. These releases are categorized with Early Deployment (ED) at the end of the release number. | 4.2.0.0 ED, 6.0.0.0 ED | Allows customers to test the newest features recently released
Maintenance releases | These software releases define 1/0 releases that provide bug-fix support and ongoing software maintenance; they are categorized as maintenance deployment (MD) and may be part of the Cisco AssureWave program. | 4.2.1.0 MD, 3.2.0.0 MD | Provides customers with a software release that fixes any minor software bugs
Deferred releases | These software releases have been deferred. Cisco recommends that customers migrate to an upgraded release. | 5.0.0.0 DF (deferral) | Provides visibility to deferred software releases

show run-config
(Figure: show run-config output, paged with "Press Enter to continue".)
interface address ap-manager 10.20.1.11 255.255.255.0 10.20.1.254
interface address management 10.20.1.18 255.255.255.0 10.20.1.254
interface address virtual 1.1.1.1
interface dhcp ap-manager primary 10.20.1.10
interface dhcp management primary 10.20.1.10
interface vlan dmz 90

The show run-config command displays the controller configuration, that is, the complete state of the system. This command is used to get precise information about each component managed by the controller, such as the detailed MAC address of each AP, power level or status, controller internal settings, or port state. The information that is provided is very complete, but it cannot be duplicated to another controller.

Summary
This topic summarizes the key points that were discussed in this lesson.
+ Controllers have ports, static and dynamic interfaces, and WLANs.
+ Upon startup, a boot menu provides several options, such as system upgrade or configuration cleanup.
+ If a controller does not have any prior configuration, a CLI wizard appears.
+ Initial setup is also possible using a web interface.
+ Once configured, the controller web interface is accessible using HTTPS.
+ Items are usually created in a two-step process: creating the item and then configuring it.
+ Controller code and configuration files can be managed from the web interface or the CLI.
+ Versions 4.2 and later have a new configuration file format.

Lesson 3
Discovering and Associating with a Controller

Overview
Lightweight access points (APs) need to associate and communicate with wireless LAN controllers (WLCs) to obtain software, configurations, and centralized management. This process is a key element of the Cisco Unified Wireless Network infrastructure. This lesson will give you the tools to understand how this process occurs.

Objectives
Upon completing this lesson, you will be able to describe how a lightweight AP discovers, joins, and receives its configuration from a Cisco WLC. This ability includes being able to meet these objectives:
+ Explain the different CAPWAP modes
+ Describe how a CAPWAP AP discovers WLAN controllers
+ Describe how a CAPWAP AP chooses a WLAN controller and joins it
+ Describe how a CAPWAP AP receives its configuration from a WLAN controller
+ Describe the differences between LWAPP and CAPWAP
+ Plan redundancy for APs and WLAN controllers

CAPWAP Layer 3 Mode
Layer 3 CAPWAP
+ Layer 3 CAPWAP is carried in a UDP/IP frame
+ The Cisco WLAN controller and AP can be connected to the same VLAN and subnetwork or to a different VLAN and subnetwork
+ Requires the Cisco AP to obtain an IP address using DHCP
+ Control traffic is encrypted; data is not

A Cisco WLC and APs can be connected to the same VLAN and subnet, or, more likely, connected to a different VLAN and subnet. The AP must obtain an IP address using static IP addressing or, as the preferred best practice, DHCP.
Cisco lightweight APs use the Internet Engineering Task Force (IETF) standard Control and Provisioning of Wireless Access Points (CAPWAP) protocol to communicate with the controller and other lightweight APs on the network. CAPWAP is a standard, interoperable protocol that enables a controller to manage a collection of wireless APs. The CAPWAP protocol uses the IP protocol to communicate with the APs. Data traffic is encapsulated in UDP with source port 1024 and destination port 5247, while control traffic is encrypted in UDP with source port 1024 and destination port 5246.

CAPWAP has been supported since Release 5.2. Before 5.2, the Lightweight Access Point Protocol (LWAPP) was used in the hunt and discovery process. Both protocols are supported since Release 5.2 for backward compatibility with older APs that do not support the CAPWAP protocol.

AP CAPWAP Discovery Phase
This topic describes how a lightweight AP discovers controllers at Layer 3.

AP Association Sequence
Zero-touch deployment:
+ AP boots
+ Hunt and discover
+ AP joins WLC
+ AP receives the WLC version of code
+ AP receives the configuration

Cisco APs undergo a hunting and discovery process when booted. This process is known as zero-touch deployment, which means that a new AP can be taken right from the box and plugged into the network anywhere, regardless of the subnet. Once the AP is plugged in, it finds a WLC to join, and receives the WLC version of code as well as its configuration. Once the process is complete, the AP is ready to support wireless clients. During its hunting and discovery process, the lightweight AP builds a database of all the WLC management interface IP addresses, which it learns through various methods.
The management addresses are kept in separate lists in order to reflect how the lightweight AP learned about them.

Discover and Join Overview
- AP issues a DHCP discover to obtain an address
- AP attempts Layer 3 controller discovery:
  - CAPWAP discovery broadcast on the local subnet
  - Locally stored controller IP address from a prior successful join process
  - DHCP option 43
  - DNS resolution of CISCO-CAPWAP-CONTROLLER
- After an AP discovers controllers, it selects and joins one via the primary, secondary, tertiary, or master configuration of controllers

The initial discovery process aims at discovering as many controllers as possible to maximize the chances of finding the AP primary controller, or the least loaded controller.

The lightweight AP can learn the management IP addresses of multiple controllers through one of the following methods, which are known as the discovery phase:
- Broadcast
- Locally stored controller IP address from a prior successful join process
- DHCP option 43
- Domain Name System (DNS) resolution of CISCO-CAPWAP-CONTROLLER

Once the lightweight AP has gathered a list of WLCs, it selects and joins one WLC via the primary, secondary, tertiary, or master configuration of controllers.

Note: When using the LWAPP protocol, the DNS resolution is CISCO-LWAPP-CONTROLLER.

AP CAPWAP Discovery
- AP obtains an IP address:
  - Statically defined
  - DHCP discover
- Layer 3 CAPWAP discovery order:
  - Subnetwork broadcast mode: connect the Cisco AP directly to, or on the same subnet as, a Cisco controller to learn the Cisco controller IP address. The Cisco AP will send a subnetwork broadcast.

Subnetwork broadcast mode: The Cisco controller-based AP sends a subnetwork broadcast discovery request to the local subnetwork. All of the Cisco WLAN controllers in the local subnetwork that receive this packet will respond with a discovery response.
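The DHCP option 43 method listed above hands the AP its controller addresses as a vendor-specific TLV, and it is worth being able to read that payload back, because the AP trusts it before any DTLS relationship exists. The following is an added example, not code from this guide or from Cisco: it encodes a controller list into an option 43 payload, decodes a payload the way an AP would have to, and reports any controller address that is not on an approved list, which is a quick way to confirm that a DHCP scope is steering APs to the controllers you expect. It assumes the TLV layout Cisco documents for its lightweight APs (sub-option type 0xF1, a length byte, then each management address as four raw bytes); the addresses are constructed for the example.

```python
"""Encode and decode the DHCP option 43 payload that steers Cisco lightweight
APs to controller management addresses.  Added example; not Cisco's code.

Assumption (labelled): the payload is the TLV used by Cisco APs, type 0xF1
(241), length = 4 * number of controllers, then each controller management
IP as four raw bytes.  The sample addresses are constructed for the example.
"""
import ipaddress

CISCO_AP_SUBOPTION = 0xF1  # assumed sub-option type for the controller list


def encode_option43(controllers):
    """Return the option 43 payload bytes for a list of controller IPs."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    if len(addrs) * 4 > 255:
        raise ValueError("too many controllers for a single TLV length byte")
    body = b"".join(a.packed for a in addrs)
    return bytes([CISCO_AP_SUBOPTION, len(body)]) + body


def option43_hex(controllers):
    """Hex string form of the payload, which most DHCP servers accept."""
    return encode_option43(controllers).hex()


def decode_option43(payload):
    """Walk the TLVs in an option 43 payload and return the controller IPs.

    The payload comes from the network before the AP trusts anything, so it
    is treated as hostile input: truncated or malformed TLVs raise instead
    of yielding garbage addresses.
    """
    found = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % i)
        tag, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length %d exceeds payload" % length)
        if tag == CISCO_AP_SUBOPTION:
            if length % 4:
                raise ValueError("controller list is not a multiple of 4 bytes")
            for off in range(0, length, 4):
                found.append(str(ipaddress.IPv4Address(value[off:off + 4])))
        i += 2 + length
    return found


def unexpected_controllers(payload, allowed):
    """Defender check: addresses served in option 43 that are not approved."""
    approved = set(allowed)
    return [ip for ip in decode_option43(payload) if ip not in approved]


if __name__ == "__main__":
    served = encode_option43(["10.1.1.1", "192.0.2.9"])   # constructed
    print(option43_hex(["10.1.1.1", "192.0.2.9"]))
    print(unexpected_controllers(served, ["10.1.1.1"]))
```

The decoder skips TLV types it does not recognize rather than failing on them, since other vendor sub-options can legitimately share the payload; it only refuses to return a result when a length field does not match the bytes actually present.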
The same originating APs will also send a subnetwork broadcast to the IP addresses of previously associated controllers, because the AP stores this information even after a reboot.

AP CAPWAP Discovery (Cont.)
- AP priming:
  - Connect the Cisco AP directly to, or on the same subnet as, a Cisco controller to learn the Cisco controller mobility group IP addresses
  - Move the Cisco AP to a remote network and have it use DHCP for a local and gateway address
  - The Cisco AP will send a subnetwork broadcast discovery request to the primary controller and all controllers in the learned mobility group

AP priming: Upon associating with a Cisco WLC, the AP can then learn the controller IP address. Several controllers can be grouped to form a mobility group. Upon associating to a Cisco WLC, the AP also learns the IP addresses of the other members of the mobility group. This information is stored in the AP and cached even after a reboot. The AP sends a subnetwork broadcast discovery request to the primary controller and all controllers in the learned mobility group.

Layer 3 Discovery
- DHCP vendor option mode:
  - Place the Cisco AP on a remote network and have it use DHCP for a local and gateway address
  - Use the DHCP extension to learn a Cisco controller management interface IP address from extension option 43
- DNS or DHCP vendor option mode:
  - Place the Cisco AP on a remote network and have it use DHCP for a local and gateway address
  - Use the DHCP extension to learn a DNS IP address
  - The Cisco AP will then make an address resolution call using the hostname CISCO-CAPWAP-CONTROLLER, which should be configured to return the management interface IP address of available controllers

DHCP vendor option mode: When a Cisco AP sends a DHCP discover request, it uses the Cisco vendor option. If the DHCP server is configured to respond to these options, it will send a list of Cisco controller IP addresses to the AP in the DHCP acknowledgment
(ACK) message. The AP will then use this information to send a unicast discovery request to each of the controllers. The vendor string that is used by APs to request the vendor option depends on the AP model. The options are served as a comma-separated list of IP addresses, for example, 10.1.1.1, 10.1

DNS or DHCP vendor option mode: The Cisco AP can also obtain the IP address of a DNS server from the DHCP options. The AP will use this information to perform a hostname lookup of CISCO-CAPWAP-CONTROLLER, which should resolve to the available controller management interface IP addresses. The AP will then be able to send a unicast query to those addresses to associate to responsive WLAN controllers.

AP CAPWAP Join Order
This topic describes how an AP, after having discovered one or several controllers through Layer 3 discovery, will select the best candidate controller to join.

Join Order
- Response from the primary, then secondary, and finally tertiary configured controller
- If no configured controller, response from a master controller
- If no master controller response, response from the least loaded controller
  - Least loaded AP manager interface or least loaded controller

When the AP moves into the discovery phase, it sends discovery requests through its primary interface to each of the controllers in the lists, based on how it learned about them. There is a predefined method for the AP to select the controller with which it will register:
- The AP will associate first with its primary controller, assuming it has been primed.
- Upon failing with the primary, it will try to register with its secondary and then the tertiary.
- If there is no controller information primed in the AP, the AP will then look for a master controller.
- Finally, if there is no primed controller and no master controller, the AP will select the least loaded AP manager interface from all controllers that have responded to the discovery.

Without Master
[Figure: AP join sequence without a master controller]

If the APs are not primed and are using a broadcast to find their controllers, then the APs will ultimately load balance between all available AP manager interfaces from any controller. The first AP will register to controller 1, the second to controller 2, and then the process will repeat.

The controller answers with its AP capacity and occupation during the discovery process. The AP uses this information to determine the remaining space on the controller and choose the least loaded controller. Because capacity is part of the calculation, it is a relative value: for example, if an AP receives an answer from a Cisco Wireless Services Module (WiSM) having 50 APs (total capacity 150 APs) and from a Cisco 5508 WLC having six APs (total capacity twelve APs in this example), it will try to join the Cisco WiSM first, because its relative load is 33 percent, whereas the Cisco 5508 WLC load is already 50 percent.

When AP 1 boots, it discovers both controllers, each of which has the same load (0 APs). It joins the first to answer. When AP 2 boots, it discovers both controllers. Controller 2 is less loaded than controller 1 (0 APs instead of 1), so AP 2 joins controller 2. When AP 3 boots, it discovers both controllers, each of which has the same load (1 AP). It joins the first to answer, which can be controller 1 or controller 2. When AP 4 boots, it discovers both controllers. Controller 2 is less loaded than controller 1 (1 AP instead of 2), so AP 4 joins controller 2.

Note: The load is a relative value. A 50-AP controller having 10 APs is considered less loaded (20 percent) than a 6-AP controller having 3 APs (50 percent load).
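To make the selection order concrete, here is an added example (not code from this guide or from Cisco) that models a set of discovery responses and applies the rules above in order: a primed primary, secondary or tertiary name first, then a master controller, then the least loaded controller by relative load. The controller names are constructed; the WiSM and 5508 load figures are the ones used in the illustration above, and simulate_unprimed_joins reproduces the AP 1 to AP 4 sequence just described, with "first to answer" taken as list order.

```python
"""Model of the CAPWAP join selection order described in this lesson.
Added example; not Cisco's code.  Controller names and load figures are
constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class DiscoveryResponse:
    name: str            # controller name carried in the discovery response
    ap_count: int        # APs currently joined (occupation)
    ap_capacity: int     # AP capacity advertised by the controller
    is_master: bool = False

    @property
    def load(self):
        """Relative load: capacity is part of the calculation."""
        return self.ap_count / self.ap_capacity


def least_loaded(responses):
    """Controller with the lowest relative load.  Ties go to the first
    responder, which is the order of the list."""
    return min(responses, key=lambda r: r.load)


def select_controller(responses, primary=None, secondary=None, tertiary=None):
    """Return (controller, reason) following the lesson's order: primed
    primary, then secondary, then tertiary, then a master, then least loaded.
    Only controllers that actually answered discovery are candidates."""
    by_name = {r.name: r for r in responses}
    for label, name in (("primary", primary), ("secondary", secondary),
                        ("tertiary", tertiary)):
        if name and name in by_name:
            return by_name[name], label
    masters = [r for r in responses if r.is_master]
    if masters:
        return masters[0], "master"
    return least_loaded(responses), "least loaded"


def simulate_unprimed_joins(capacities, ap_count):
    """Boot `ap_count` unprimed APs one after another against controllers
    given as {name: capacity} in responder order; return the controller each
    successive AP joins.  Without priming or a master the APs spread by load."""
    responses = [DiscoveryResponse(n, 0, c) for n, c in capacities.items()]
    joined = []
    for _ in range(ap_count):
        chosen, _reason = select_controller(responses)
        chosen.ap_count += 1
        joined.append(chosen.name)
    return joined


if __name__ == "__main__":
    wism = DiscoveryResponse("WiSM", 50, 150)        # 33 percent loaded
    wlc5508 = DiscoveryResponse("WLC-5508", 6, 12)  # 50 percent loaded
    print(select_controller([wlc5508, wism]))
    print(simulate_unprimed_joins({"WLC-1": 12, "WLC-2": 12}, 4))
```

The relative-load comparison is why a large controller that already hosts many APs can still win over a small, nearly empty one; the test below checks the 50-AP versus 6-AP case from the note above as well.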
With Master
[Figure: AP join sequence with a master controller]

If a master controller is configured, then the process is changed. All APs that are not primed and are accessing the controller via a Layer 2 or Layer 3 broadcast will automatically join the one controller that is marked as the master. This procedure allows administrators to prime the APs to specific controllers and be aware of which APs have been joined to the network, then locate and reconfigure each AP to reassociate to its correct final destination controller.

The primary, secondary, and tertiary controller names are defined in each AP and stored in the AP flash memory. If a controller name is recognized in the controller discovery response, the AP will join that controller. Priming the AP requires the AP to be registered with a controller first. Using the AP details, the administrator can assign a primary, secondary, and tertiary controller. These values will be stored in flash memory in the AP in case of a power failure.

Master Controller Mode
- Master controller configuration should only be used for provisioning APs, to associate them to a particular controller and then to assign a primary controller

To configure a controller as the master, use the controller web interface. Choose Controller > Master Controller Mode and check the check box.

Note: Only one controller in a mobility group should be marked as the master.

The master controller is normally used only while adding new APs to the Cisco wireless enterprise platform (Cisco WLC). When no more APs are being added to the network, it is recommended that you disable the master controller.
Master mode is not saved to flash.

CAPWAP Join Messages
- CAPWAP join request:
  - CAPWAP join request sent through an established DTLS tunnel
  - Includes type of controller and MAC address of controller
  - Includes AP hardware and software version
  - Includes the name of the AP issuing the join request
  - Indicates the number and type of radios present in the AP
- CAPWAP join reply:
  - Includes result code
- CAPWAP dynamic PMTU:
  - CAPWAP uses dynamic PMTU to discover the MTU configuration

Once it has received a discovery reply from the WLC, the AP will establish an IETF Datagram Transport Layer Security (DTLS) tunnel handshake with each of the discovered controllers. For each controller that is discovered, a new DTLS tunnel is created. Once the DTLS session is established, the AP will decide on a controller to join and then send the join request to a specific controller inside the DTLS tunnel.

The CAPWAP join request that is sent by the AP includes several pieces of information. First, it includes the type of controller and the MAC address of the controller with which it would like to associate. The AP hardware and software version is also provided. The request also supplies the AP name and indicates the number and type of radios present on the AP.

After receiving a join request from an AP, the controller will send a join response. The controller sends a request result code to the AP. A result code of zero (0) indicates that a successful request has occurred, whereas a result code of one (1) indicates a request failure. If there is a request failure, the controller must provide a status message indicating the reason for the failure.

All control traffic is exchanged through the DTLS tunnel and is protected from eavesdropping. Optionally, data can be encrypted via the DTLS tunnel, but this option is only available on the Cisco 5500 Series controllers. Otherwise, the data is sent unencrypted.
CAPWAP uses dynamic path maximum transmission unit (PMTU) discovery to discover the maximum transmission unit (MTU) size. The AP will send a CAPWAP packet with the Don't Fragment (DF) bit set. If there is a change in MTU, the router will send an Internet Control Message Protocol (ICMP) error back to the AP to fragment the packet. The AP will change the MTU to 576 bytes. The AP will look for the next-hop MTU information in the ICMP error message and will send out a path MTU discovery packet. If the ICMP error message does not have a next-hop MTU value, the AP will start from the lowest MTU of 576 bytes and will increment the transmission unit every 30 seconds. To view the MTU for the CAPWAP path, enter the following command:
- show ap config general Cisco_AP

Configuration Phase
This topic describes how an AP receives its configuration from the controller it recently joined.

The CAPWAP configure request:
- Wants the controller to provide configuration data
- Provides the controller with a list of configurable parameters and the current values
The CAPWAP configure response:
- Provides configuration values for the AP
- Allows the controller to override requested configuration elements from the AP
- Includes configure command packets
- Causes the AP:
  - To evaluate each configuration element
  - To begin implementing the configuration elements

After receiving the CAPWAP join response from the controller, the AP sends a CAPWAP configure request to the Cisco WLC. The AP wants the controller to provide its configuration information. The request includes a list of configurable parameters and current values for the AP. Most of the values are set at zero. Upon receiving a configure request from an AP, the controller will send a configure response. In the response, the controller provides the AP with configuration values based on the configuration settings of the controller.
A controller is able to override requested configuration elements that the AP sent, and returns configure command packets with specific elements to the AP. The AP will then evaluate each configuration element and begin implementation of those elements.

These configuration elements are stored in the AP RAM. The whole process restarts from the discovery stage when an AP reboots. The AP keeps some configuration elements, such as its name, IP address (if statically defined), primary, secondary, and tertiary controller names, location, and the IP addresses of some of the controllers to which it was previously connected.

Differences Between LWAPP and CAPWAP
This topic describes the differences between LWAPP and CAPWAP.

- CAPWAP supported in Release 5.2 or later
- Prior to Release 5.2, only LWAPP is supported
- CAPWAP and LWAPP can be deployed on the same network
- CAPWAP does not support Layer 2 deployments
- Access points released beginning with Release 5.2 support only CAPWAP
- Cisco 5500 and 2500 Series Wireless LAN Controllers only support CAPWAP

The controller and AP hardware will determine whether LWAPP and CAPWAP are supported. In controller software Release 5.2 and later, Cisco lightweight APs use the IETF standard CAPWAP to communicate with the controller and other lightweight APs on the network. Controller software releases before 5.2 use LWAPP for these communications. CAPWAP, which is based on LWAPP, is a standard, interoperable protocol that enables a controller to manage a collection of wireless APs. LWAPP-enabled APs can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is seamless. For example, the controller discovery process and the firmware downloading process when using CAPWAP are the same as when using LWAPP. The one exception is for Layer 2 deployments, which are not supported by CAPWAP.
The CAPWAP-enabled software allows APs to join either a controller running CAPWAP or LWAPP. You cannot deploy CAPWAP controllers and LWAPP controllers in the same mobility group. Therefore, roaming between CAPWAP controllers and LWAPP controllers is not supported. The Cisco Aironet 1140 Series Access Point supports only CAPWAP and therefore joins only controllers running CAPWAP. For example, a Cisco 1130 Series Access Point can join a controller running either CAPWAP or LWAPP, whereas an Aironet 1140 Series Access Point can join only a controller running CAPWAP.

Note: The Cisco 5500 and 2500 Series Wireless LAN Controllers only support CAPWAP because 6.0 is the first software release for the 5500 Series Wireless LAN Controllers, and 7.0 is the first software release for the 2500 Series Wireless LAN Controllers.

Differences Between LWAPP and CAPWAP (Cont.)

LWAPP | CAPWAP
Uses ports 12222, 12223 | Uses ports 5246, 5247
Supports two layers of operation for controller discovery: Layer 2 and Layer 3 | Supports only Layer 3 for controller discovery
To determine MTU, sends the first join request packet with 1596 bytes; if no response, sends a join request with a standard packet size | Uses PMTU
Uses X.509 certificates for mutual authentication to build an LWAPP tunnel | Uses X.509 certificates for mutual authentication to build a DTLS tunnel
Data is not encrypted through the LWAPP tunnel | Optionally can enable DTLS data encryption
DNS resolution of "CISCO-LWAPP-CONTROLLER.localdomain" | DNS resolution of "CISCO-CAPWAP-CONTROLLER.localdomain"

LWAPP and CAPWAP define and carry control and data traffic between the controller and AP. All control messages are encrypted. The main difference between LWAPP and CAPWAP is that LWAPP does not encrypt data, whereas CAPWAP defines DTLS. At the initial stage, APs need to discover and join the controller. LWAPP supports two modes of operation: Layer 2 and Layer 3. CAPWAP supports only Layer 3.
For Layer 2 mode, an LWAPP AP sends a broadcast Ethernet frame to discover the controller. Therefore, the AP and the controller need to be within the same subnet.

When a join request is made, the LWAPP-capable AP initially needs to determine the maximum supported transmission unit. It first sends a packet at 1596 bytes. If no response is received by the AP, it sends a join request again with a standard packet size. The CAPWAP protocol supports PMTU discovery.

An LWAPP join request from an AP contains the signed X.509 certificate of the AP. The WLC validates the certificate before sending an LWAPP join response. If the AP is validated, the WLC sends the LWAPP join response, which contains the signed X.509 certificate of the controller. If the AP validates the WLC, both are now mutually validated.

LWAPP uses UDP ports 12222 (data traffic) and 12223 (control traffic), while CAPWAP uses ports 5247 (data traffic) and 5246 (control traffic).

CAPWAP States
In the CAPWAP join state, the AP selects a Cisco WLC from the candidates that are found in the discovery state, and attempts to establish a trusted relationship via the CAPWAP join process. If the AP fails to establish a trusted CAPWAP join relationship with a Cisco WLC during the CAPWAP join state, it will transition to the reset state, and then enter the discovery state again. On the other hand, if the trusted relationship between the AP and Cisco WLC is successfully established, the AP will transition to the image data state to download code, or to the configuration state to receive a configuration from the Cisco WLC. Once the AP is successfully configured by the Cisco WLC, it enters the run state and begins to process data to and from wireless clients. The run state is the normal operational state for the AP.
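As an added example (not code from this guide or from Cisco) of putting the port numbers above to defensive use, the following classifies flow records into CAPWAP and LWAPP control and data channels, counts data-plane flows separately because they are cleartext unless DTLS data encryption is enabled, and flags any AP whose control session terminates on a controller that is not on an approved list. The flow record format and all addresses are constructed for this example; the port numbers are the ones given in this lesson (CAPWAP 5246 control and 5247 data, LWAPP 12223 control and 12222 data).

```python
"""Classify UDP flows into CAPWAP/LWAPP control and data channels and flag
AP sessions to unapproved controllers.  Added example; not Cisco's code.
The flow export format and all addresses below are constructed.
"""
# dst port -> (protocol, channel, encrypted by default)
CHANNELS = {
    5246: ("CAPWAP", "control", True),    # DTLS-protected control plane
    5247: ("CAPWAP", "data", False),      # cleartext unless DTLS data enabled
    12223: ("LWAPP", "control", True),
    12222: ("LWAPP", "data", False),
}

# Constructed sample flow export: "src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10.20.1.15 1024 10.10.0.5 5246 udp
10.20.1.15 1024 10.10.0.5 5247 udp
10.20.1.16 1024 10.10.0.5 12223 udp
10.20.1.16 1024 10.10.0.5 12222 udp
10.20.1.17 1024 198.51.100.7 5246 udp
10.20.1.18 53211 10.10.0.9 443 tcp
"""


def parse_flows(text):
    """Parse the constructed export format; malformed lines are skipped
    rather than guessed at."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, sport, dst, dport, proto = parts
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto.lower()})
    return flows


def classify(flow):
    """Return (protocol, channel, encrypted) or None for non-tunnel traffic."""
    if flow["proto"] != "udp":
        return None
    return CHANNELS.get(flow["dport"])


def audit(text, approved_controllers):
    """Summarise tunnel traffic and list APs talking to unapproved controllers.

    A control session to an address outside the approved set is what a
    defender wants surfaced: discovery (broadcast, option 43, DNS or a
    cached address) led that AP somewhere it should not be.
    """
    approved = set(approved_controllers)
    summary = {"CAPWAP": 0, "LWAPP": 0, "cleartext_data": 0}
    alerts = []
    for flow in parse_flows(text):
        hit = classify(flow)
        if hit is None:
            continue
        proto, channel, encrypted = hit
        summary[proto] += 1
        if channel == "data" and not encrypted:
            summary["cleartext_data"] += 1
        if channel == "control" and flow["dst"] not in approved:
            alerts.append((flow["src"], flow["dst"], proto))
    return summary, alerts


if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS, ["10.10.0.5"]))
```

Keying the alert on the control channel rather than the data channel keeps the check meaningful on 5500 Series deployments where data is DTLS-encrypted too: the control session is always present for a joined AP, whatever the data-plane setting.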
The AP transitions to the image data state when the code version running on the AP is out of sync with the code version running on the Cisco WLC. The AP will always synchronize its code version with the Cisco WLC. This synchronization means the AP will downgrade its code if it joins a Cisco WLC running a lower code revision than what is currently running on the AP.

Code is downloaded from the Cisco WLC to the AP in CAPWAP control messages. The AP requests chunks of code from the Cisco WLC in CAPWAP image data request messages, and the Cisco WLC responds with CAPWAP image data response messages. The payload of CAPWAP image data response messages is chunks of the AP code. The AP continues to send the CAPWAP image data request messages to the Cisco WLC until all code is downloaded. It then assembles and installs the new software. Once the new software is installed, it transitions to the reset state and reboots. The AP will run through the CAPWAP discovery and join states again.

Design Precautions
This topic describes how a proper design allows for AP and controller redundancy.

AP and Controller Redundancy
- AP redundancy:
  - RF self-healing allows the system to compensate dynamically for lost APs
  - The system must be designed to support self-healing
  - Distance between APs determines redundancy limits

The Cisco Unified Wireless Network architecture offers redundancy at several levels. The system self-heals at the RF level when one or more APs become inactive. The architecture also supports port redundancy per controller (using multiple AP managers or a link aggregation group [LAG]), and controller device redundancy (with primary, secondary, and tertiary). With AP self-healing, the system will raise the power levels and adjust channel selection of neighbor APs to compensate for the lost coverage. It is important to note that the system must be designed to support self-healing.
Specifically, APs must be placed so that the system has at least one power level available (if not two levels) to step up if RF self-healing is triggered. It is also important to note that AP self-healing only works for APs configured to be in the same RF domain.

AP Failover Process
This topic describes the AP failover process and how to configure the failover priority for APs.

Failover Process
- During high availability, the AP will fail over to the backup WLC. When the primary WLC is back online, the AP by default will fall back to the primary.
- Heartbeat verifies reachability from the AP to the WLC.
- Heartbeat ACK verifies that the WLC is reachable.
- Heartbeat is sent every 30 seconds.
- Heartbeat with no ACK: resends five times at 1-second intervals before the WLC is declared unreachable.

The WLC is designed to provide high availability for APs. In a WLC failure, the APs associated with that WLC will migrate to other controllers, if they have the capacity. The APs will fall back to their primary once the controller is back online, assuming that AP fallback has not been disabled.

The AP uses a hello packet, which is also known as the "heartbeat," to implement high availability for APs to communicate with the controller and verify its reachability status. The default interval for the heartbeat is 30 seconds. Whenever one heartbeat acknowledgment from the controller is missed, the AP resends the heartbeat up to five times at 1-second intervals. If no acknowledgment is received after the fifth retry, the AP declares the controller unreachable and searches for a new controller.

Both the retransmit interval and the retransmit count are configurable from either the GUI or CLI, allowing the administrator the capability to fine-tune the failover behavior in the network.
The administrator may select a value between 3 and 8 for the retransmit count, with 3 being the default; a value between 2 and 5 seconds for the retransmit interval, with 3 being the default; and a value between 1 and 30 for the heartbeat timeout. Using smaller values will allow the APs to discover an unreachable controller faster, but will also contribute to additional general administration traffic being generated, using additional bandwidth.

In addition to the heartbeat process used for high availability, APs maintain a list of backup controllers, and periodically send a primary discovery request to each entry on the list. The interval at which these discovery requests are sent is configurable between 30 and 3600 seconds, with a default value of 120, and may be set using either the controller GUI or from the controller CLI using the command config advanced timers ap-primary-discovery-timeout interval. This timer specifies the amount of time that a controller has to respond to the discovery request of the AP before the AP assumes that the controller cannot be joined and waits for a discovery response from the next controller in the list.

When an AP declares its primary controller unreachable due to missed heartbeat acknowledgments, it will select an available controller from its backup controller list in this order:
- Primary
- Secondary
- Tertiary
- Primary backup controller
- Secondary backup controller

If the primary, secondary, tertiary, primary backup, and secondary backup controllers are all unavailable, APs will resort to the dynamic CAPWAP algorithms to connect to the least loaded available controller.

Failover Priority
[Figure: AP detail page with the tabs General | Credentials | Interfaces | High Availability | Inventory | Advanced]

Each controller has a defined number of communication ports for APs.
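The following is an added example, not code from this guide or from Cisco, that models the failover mechanics of this topic. worst_case_detection_time validates the retransmit count, retransmit interval and heartbeat timeout against the configurable ranges listed above (the settings an administrator can actually change) and returns how long a dead controller goes unnoticed at those values; failover_target walks the AP's backup list in the order just given and falls back to the least loaded reachable controller by relative load. Controller names and load figures are constructed.

```python
"""Heartbeat-based controller failure detection and the backup-controller
selection order described in this lesson.  Added example; not Cisco's
code.  Ranges and defaults are the configurable ones the lesson states;
controller names and loads are constructed.
"""
RETRANSMIT_COUNT = (3, 8, 3)        # (min, max, default) retries after a missed ACK
RETRANSMIT_INTERVAL = (2, 5, 3)     # (min, max, default) seconds between retries
HEARTBEAT_TIMEOUT = (1, 30, 30)     # (min, max, default) seconds between heartbeats
PRIMARY_DISCOVERY = (30, 3600, 120)  # (min, max, default) backup-list polling timer


def _check(name, value, bounds):
    """Reject a value outside the configurable range for that timer."""
    lo, hi, _default = bounds
    if not lo <= value <= hi:
        raise ValueError("%s=%s is outside %d..%d" % (name, value, lo, hi))
    return value


def worst_case_detection_time(retransmit_count=RETRANSMIT_COUNT[2],
                              retransmit_interval=RETRANSMIT_INTERVAL[2],
                              heartbeat_timeout=HEARTBEAT_TIMEOUT[2]):
    """Seconds from the last answered heartbeat until the AP declares the
    controller unreachable: one full heartbeat interval passes before the
    first miss is noticed, then every retry waits its own interval."""
    _check("retransmit_count", retransmit_count, RETRANSMIT_COUNT)
    _check("retransmit_interval", retransmit_interval, RETRANSMIT_INTERVAL)
    _check("heartbeat_timeout", heartbeat_timeout, HEARTBEAT_TIMEOUT)
    return heartbeat_timeout + retransmit_count * retransmit_interval


def failover_target(ap_backup_list, reachable, loads):
    """Pick the controller the AP fails over to.

    ap_backup_list: the AP's ordered list (primary, secondary, tertiary,
        primary backup, secondary backup); entries may be None.
    reachable: set of controller names that answered discovery.
    loads: {name: (joined_aps, capacity)} for the least-loaded fallback.
    Returns (controller or None, reason).
    """
    for name in ap_backup_list:
        if name and name in reachable:
            return name, "configured"
    candidates = sorted(n for n in reachable if n in loads)
    if not candidates:
        return None, "no controller reachable"
    best = min(candidates, key=lambda n: loads[n][0] / loads[n][1])
    return best, "least loaded"


if __name__ == "__main__":
    print("default worst case: %d s" % worst_case_detection_time())
    print("fastest allowed: %d s" % worst_case_detection_time(3, 2, 1))
    print(failover_target(["WLC-A", "WLC-B", None, None, None],
                          {"WLC-B"}, {}))
```

The fastest allowed settings shorten detection at the cost of the extra heartbeat traffic the text mentions, and the function refuses values outside the ranges rather than silently clamping them, so a configuration script built on it cannot quietly produce a timer the controller would not accept.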
When multiple controllers with unused AP ports are deployed on the same network and one controller fails, the dropped APs automatically poll for unused controller ports and associate with them. In controller software Release 5.1 or later, you can configure your wireless network so that the backup controller recognizes a join request from a higher-priority AP and, if necessary, disassociates a lower-priority AP as a means to provide an available port. APs can be assigned one of the following priorities:
- Low: Assigns the AP to the level 1 priority, which is the lowest priority level.
- Medium: Assigns the AP to the level 2 priority.
- High: Assigns the AP to the level 3 priority.
- Critical: Assigns the AP to the level 4 priority, which is the highest priority level.

By default, all APs are set to priority level 1, which is the lowest priority level. Therefore, you need to assign a priority level only to those APs that warrant a higher priority. To utilize this feature, you must enable failover priority on your network and assign priorities to the individual APs.

AP Fallback
When the WLC AP Fallback option is enabled, APs will return to their primary controllers after a failover event when the primary controller comes back online. This feature is enabled by default, and many administrators choose to leave the AP Fallback default value in place. However, when an AP falls back to its primary controller, there will be a brief window of time, usually on the order of 12 to 30 seconds depending on timer configurations, during which service to wireless clients is interrupted because the APs are rejoining the primary WLC. If for some reason connectivity to the primary WLC has become unstable, the AP may end up flapping back and forth between the primary and the backup WLCs.
For this reason, many WLAN administrators prefer to disable AP Fallback and move the APs back to the primary in a controlled manner during a scheduled service window. However, it is recommended that you leave the AP Fallback option enabled, and only disable the feature while you troubleshoot and repair the cause of an unstable connection to the WLC.

Controller Redundancy
[Figure: APs configured with primary, secondary, and tertiary WLAN controllers]

Cisco WLCs can be configured with multiple physical connections to the network. When you have multiple physical connections to the network, Cisco WLC interfaces can be mapped to a primary and backup port. When the primary port is down, the interfaces direct the traffic onto the backup port. There is no load balancing performed across a primary and backup port, and only one port is used at a time.

The CAPWAP protocol allows for dynamic redundancy and load balancing. For example, if you specify more than one IP address for option 43, an AP will send CAPWAP discovery requests to each of the IP addresses it receives. In the controller CAPWAP discovery response, the controller embeds information on its current AP load (defined as the number of APs joined to it at the time), its AP capacity, and the number of wireless clients that are connected to the controller. The AP will then attempt to join the least loaded controller, which is defined as the controller with the greatest available AP capacity.

The AP can be configured with a primary, secondary, and tertiary controller. This procedure allows for multiple redundant controller configurations.

Redundancy Designs: N + 1
[Figure: N + 1 design. Access points at each site configured with a local primary WLAN controller and the shared secondary WLAN controller BKP in the NOC or data center]
When there are many WLC devices and capital expenditure costs are a significant consideration, a controller redundancy design using an N + 1 solution is a good option. In this configuration, the redundant controller is placed in a network operations center (NOC) or data center, and acts as a backup for multiple WLCs. Each AP is configured with a local WLC as primary, and all APs point to the same redundant remote controller as secondary. Nevertheless, the redundant controller could become oversubscribed with APs if there are multiple primary WLC failures, which is usually unlikely. Once a WLC has reached the maximum number of joined APs, it accepts no more CAPWAP join requests. When the backup WLC becomes oversubscribed, some APs could be without a WLC and therefore not able to boot or provide WLAN service.

When designing an N + 1 redundancy solution, you should assess the risks of multiple WLC failures and the consequences of an oversubscribed backup WLC. Attention to response time differences between APs and local controllers, and to the greater response time of remote controllers, is also needed. The objective is to keep packet round-trip response time under 100 ms.

Redundancy Designs: N + N
[Figure: N + N design. Two controllers, each primary for some APs and secondary for the others]

An N + N configuration can be enabled by having the APs point to one local controller (Controller-A) as its primary, and another (Controller-B) that is reachable with less network delay than a remote backup controller as its secondary. In this configuration, there are two controllers. Some of the APs are configured with Controller-A as primary and Controller-B as secondary, while other APs are configured with Controller-B as primary and Controller-A as secondary. In this design, it is important to try to load balance the AP capacity across both controllers.
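Here is an added example, not code from this guide or from Cisco, that turns the N + 1 and N + N assessments described above into a check you can run on a proposed design, and also applies the failover priority levels described earlier (1 low to 4 critical). Given each AP's primary, secondary and optional tertiary controller, the controller capacities and a set of failed controllers, it reports which APs would be left without a controller. Processing higher-priority APs first gives the same end result as a full backup controller disassociating a lower-priority AP to admit a higher-priority one. Controller names, capacities and AP counts are constructed; the tertiary entry lets the same check cover a design with a final backup controller.

```python
"""Design check for controller redundancy: which APs are stranded when a
set of controllers fails.  Added example; not Cisco's code.  Controller
names, capacities, AP counts and priorities below are constructed.
"""


def make_site(prefix, count, primary, secondary, tertiary=None, priority=1):
    """Constructed helper: `count` APs sharing one controller list.
    priority follows the lesson's levels, 1 (low) to 4 (critical)."""
    return [{"name": "%s-%02d" % (prefix, i), "priority": priority,
             "controllers": (primary, secondary, tertiary)}
            for i in range(1, count + 1)]


def place_aps(aps, capacities, failed, failover_priority=True):
    """Return {ap_name: controller or None} once the controllers in `failed`
    are down.  Each AP walks primary, secondary, tertiary; the first live
    controller with a free AP port takes it.  With failover priority enabled,
    higher-priority APs are placed first, which yields the same outcome as
    the backup controller dropping a lower-priority AP to admit them."""
    free = {c: n for c, n in capacities.items() if c not in failed}
    if failover_priority:
        order = sorted(aps, key=lambda a: -a["priority"])  # stable sort
    else:
        order = list(aps)                                   # first come, first served
    placement = {}
    for ap in order:
        placement[ap["name"]] = None
        for ctrl in ap["controllers"]:
            if free.get(ctrl, 0) > 0:
                free[ctrl] -= 1
                placement[ap["name"]] = ctrl
                break
    return placement


def stranded(placement):
    """Names of APs that found no controller, sorted for stable reporting."""
    return sorted(name for name, ctrl in placement.items() if ctrl is None)


def failure_report(aps, capacities, failure_sets):
    """Map each failure scenario (iterable of controller names) to the number
    of APs left without service: the figure an N + 1 review needs."""
    return {tuple(sorted(f)): len(stranded(place_aps(aps, capacities, set(f))))
            for f in failure_sets}


if __name__ == "__main__":
    # N + 1: two sites, each with a local primary, sharing one remote backup
    site_a = make_site("A", 40, "WLC-A", "WLC-BKP", priority=4)  # critical APs
    site_b = make_site("B", 40, "WLC-B", "WLC-BKP")              # low priority
    caps = {"WLC-A": 50, "WLC-B": 50, "WLC-BKP": 50}
    print(failure_report(site_a + site_b, caps,
                         [("WLC-A",), ("WLC-B",), ("WLC-A", "WLC-B")]))
```

In the N + 1 scenario in the block, a single failure is absorbed, but a double failure strands 30 APs because the 50-port backup cannot take 80 APs; with failover priority enabled the 30 that lose service are all low-priority site B APs, whereas with first-come-first-served placement whoever joins last loses, regardless of priority.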
It is also important to try to logically group APs on controllers to minimize intercontroller roaming events. For example, if you are supporting a four-floor building with two redundant controllers, you might configure the APs on floors 1 and 2 to use one controller as primary and the APs on floors 3 and 4 to use the other controller as primary. You also need to ensure that there is enough excess capacity on each controller to manage a failover situation.

Redundancy Designs: N + N + 1
[Figure: N + N + 1 design. APs with Controller-A or Controller-B as primary and secondary, and WLAN Controller BKP as tertiary]

In this configuration, some of the APs are configured with Controller-A as primary and Controller-B as secondary, and all APs are configured to use the final backup, Controller-BKP, as tertiary. Typically, the primary and secondary controllers are placed at the network distribution level and the tertiary controller is placed in an NOC or data center. Multiple distribution blocks can be configured with the same tertiary controller. If both Controller-A and Controller-B fail, all APs will use Controller-BKP at the NOC as a tertiary controller.

The risks of WLAN controller failure and the service level agreement (SLA) maintained by your WLAN should be considered when selecting a redundancy option. The higher the SLA, the more robust a redundancy scheme your designed solution should provide.

Summary
This topic summarizes the key points that were discussed in this lesson.
- CAPWAP operates at Layer 3, using IP.
- A CAPWAP AP will try to discover as many controllers as possible.
- The AP will then choose to join the best controller, based on configuration or network elements.
- Once associated to a controller, it will receive its configuration using a secure connection.
- CAPWAP is a standard, interoperable protocol that enables a controller to manage a collection of wireless APs.
- A good design should plan for AP redundancy and also controller redundancy.

Lesson 4
Describing Access Point Operational Modes

Overview
The main function performed by an access point (AP) is to provide basic network access. In a Cisco network, an AP can be configured in different modes to provide more specific services to the network infrastructure; it can be more than a simple bridge between the wireless space and the wired side. This lesson describes these modes and how you can use them to optimize your wireless network performance.

Objectives
Upon completing this lesson, you will be able to describe the different AP operational modes. This ability includes being able to meet these objectives:
- Configure the different AP modes
- Describe the local mode
- Describe the monitor mode
- Describe the sniffer mode
- Describe the rogue detector mode
- Describe the bridge mode
- Describe SE-Connect mode
- Describe the H-REAP mode
- Describe the OEAP mode

Access Point Mode
This topic describes the mode concept for a lightweight AP.

APs controlled by a Cisco Wireless LAN Controller (WLC) support different modes of operation. Each mode has its own purpose and properties. Different models of APs support different modes, and not all modes are supported by all APs. Changing the AP mode is done from the controller web interface: navigate to Wireless > Access Points > All APs, select the AP, and choose the desired AP mode from the list.

Note: Only AP modes that are supported by the AP model appear in the list.

AP Local Mode
This topic describes the AP local mode.
Local Mode
- Default mode for an AP, providing:
  - Data services
  - Monitoring services
- AP scans all channels over 180 seconds by default
- Only management packets are inspected for intrusion detection system (IDS) signature matches
- Submode: the wIPS feature of Release 7.0.116, also called enhanced local mode (ELM)

Local or normal mode is the default operational mode of a Cisco AP. When operating in this mode, an AP allows both client data services and monitoring of all channels simultaneously. Off-channel scanning is essential to the operation of Radio Resource Management (RRM), which gathers information about alternate channel choices such as noise and interference. The AP scans all channels over 180 seconds by default. Scan time is configurable by band under Wireless > 802.11a/n or 802.11b/g/n > RRM > General.

Monitoring services inspect only management frames for intrusion detection system (IDS) signatures, but can be enhanced by enabling the wireless intrusion prevention system (wIPS) submode of operation (enhanced local mode). This submode was introduced in version 7.0.116 for enhanced security. In this mode, the AP does a complete scan of all packets on the serving channel, not just the management packets.

Note: Simply selecting the submode does not enable wIPS (enhanced local mode or ELM) functionality. Cisco Mobility Services Engine (MSE) and Cisco Wireless Control System (WCS) with wIPS licensing are required for ELM functionality.

Figure: Local Mode Monitor Timing. An AP on channel 1 (802.11b/g) and an AP on channel 36 (802.11a) each complete a round trip of all channels in 180 seconds if the noise measurement parameter is set to 180.

APs are set up to host client data and monitor traffic at the same time. This activity is accomplished using a 180-second cycle.
For the IEEE 802.11b/g radio, this means that the AP stays on its assigned channel for 13 seconds, then scans the next channel for 60 ms, then returns to its assigned channel for 13 seconds. This process repeats until all channels have been scanned. A similar process occurs with IEEE 802.11a, except that the assigned channel is allowed only 10 seconds because of the larger number of channels to scan. The controller allows configuration of the total round-trip time (RTT), along with the choice of channels to scan.

AP Monitor Mode
This topic describes the lightweight access point monitor mode.

Monitor Mode
- Software configuration to reduce AP capabilities to perform only WLAN monitoring on a per-AP basis:
  - Trusted AP policies
  - Rogue policies
  - Signatures
- Both data and management packets are inspected for IDS signature matches
- AP scans all channels, 1.1 seconds per channel
- Supports two submodes: TOMM and wIPS
- AP is a receive-only device

APs can also be placed into monitor mode. When in this mode, the APs do not allow client connectivity but only monitor the IEEE 802.11 spectrum seeking rogue APs or clients. The AP then reports to the controller, which acts as a wireless IDS. This mode is used for troubleshooting and can also be used for site surveys. In either case, the AP reports RF environment values, such as the noise caused by interference, to the controller. The administrator can then use these values to understand the RF conditions and decide where to position APs, or locate and remove the sources of interference. When using location tracking or mobility services with a Cisco Wireless Location Appliance, additional APs operating in monitor mode can be added to the network to increase location accuracy without interfering with the active APs already deployed. Monitor mode is passive.
The AP scans and receives, but does not send any information from its radios.

Monitor mode APs can also be configured in two submodes of operation. One submode is tracking optimized monitor mode (TOMM), which optimizes the monitoring and location calculation of radio frequency identification (RFID) tags. In monitor mode the APs scan all channels; in TOMM, the channel list can be specified for the 2.4-GHz band.

The second submode is wIPS monitor mode. It is configurable only from the controller CLI or through the Cisco Wireless Control System (WCS), and is applicable only to Cisco 1130, 1140, 1240, and 1250 Series Access Points. When in wIPS mode, the per-channel scan time is set to 250 ms and the AP looks at all channels in the dynamic channel assignment (DCA) list.

Figure: Monitor Mode Monitor Timing. For both 802.11b/g and 802.11a, round trip = 1.1 seconds x number of channels.

In monitor mode, all possible channels are scanned by default, according to the country code.
To change the channel list to all channels (regardless of the country code) or to only the usable channels within the country, use the CLI command config advanced 802.11b monitor channel-list. An example would be using the country code for the United States but scanning only channels 1, 6, and 11, rather than channels 1 to 11 or 1 to 14 of the IEEE 802.11 range. Use the following commands to configure monitor mode:
- config advanced 802.11b monitor channel-list all: Scans all the channels
- config advanced 802.11b monitor channel-list country: Scans all the channels available in the country (for example, 1 to 11 in the United States)
- config advanced 802.11b monitor channel-list dca: Scans all the channels that are assigned by dynamic channel assignment (for example, in the United States, channels 1, 6, and 11 are allocated, so only these three channels are scanned)

Narrowing the list to the DCA channels shortens the scan cycle, but a rogue AP deliberately placed on a channel outside that list is then never heard; scan all channels where rogue detection matters more than cycle time.

You can place a monitor mode AP into the tracking submode via the GUI by navigating to 802.11b/g/n Cisco AP > Configure and selecting Enable from the Tracking Optimization drop-down menu. Once enabled, choose the 2.4-GHz channels you want to monitor.

AP Sniffer Mode
This topic describes the lightweight AP sniffer mode and its usage and configuration.

Sniffer Mode
- Works in conjunction with products like OmniPeek or AirMagnet to monitor a single wireless channel
- Requires an external server to capture the packets
- Gathers the following data:
  - Time stamp
  - Signal strength
  - Packet size

Sniffer mode works with OmniPeek, AirMagnet, or Wireshark servers to capture all data traveling on a given 802.11 channel. Sniffer mode requires the server to gather the data being sniffed.
The AP collects the data, encapsulates it with a specific additional OmniPeek, AirMagnet, or Wireshark header, and directs the frame to a station where the relevant software displays the result of the capture.

If the access point is joined to a Cisco 5500 Series Wireless LAN Controller, a 2100 Series Wireless LAN Controller, or a controller network module running software Release 6.0 or later, you must disable IP-MAC address binding in order to use an access point in sniffer mode. This is done by entering the following at the controller CLI: config network ip-mac-binding disable. In addition to disabling address binding, WLAN 1 must be enabled for sniffer mode use on these same controllers. Failure to enable WLAN 1 results in the AP being unable to send the captured packets. Note that IP-MAC binding is a controller-wide check that a client's source IP address matches its MAC address entry, so disabling it for sniffer mode removes that anti-spoofing check for every client on the controller, not only for the sniffer AP.

Figure: An AP in sniffer mode on channel 36 forwards the frames it captures to an analyzer workstation, while a local-mode AP continues to carry client data.

Each AP in sniffer mode can monitor a single 2.4-GHz and a single 5-GHz channel simultaneously. However, when in this mode, the AP is not capable of supporting wireless clients and still consumes one AP connection on the controller to which it has joined. This mode is entered by selecting it from the AP Mode drop-down menu, applying it, and waiting for the AP to rejoin the controller after it reboots. Once the AP has restarted, you must select the channel in each band on which the AP will capture traffic, as well as the IP address of the station on which the sniffer program runs. The AP then encapsulates all captured frames and sends them to the configured IP address.

Note: The inner IP packet, including the IP header, User Datagram Protocol (UDP) header, and OmniPeek header, may exceed the 1500-byte limit.
If so, the AP fragments the inner IP packet and sends it to the switch as two IP fragments.

On the sniffing station, a program such as AirMagnet, OmniPeek Pro v5.1, or Wireshark, which supports the Cisco lightweight AP, receives the frames. Sniffer mode is used for remote analysis of frames, for troubleshooting, or for baseline purposes.

AP Rogue Detector Mode
This topic describes the rogue detector mode and its usage.

Rogue Detector Mode
- Software configuration to reduce AP capabilities to perform only rogue detection on a per-AP basis
- Listens for rogue devices on the wired network
- Compares ARP requests heard on the network to the rogue MAC addresses reported by the controller
- Generates an alarm when a wireless rogue is seen on the wired side
- Does not allow client connectivity; radios are shut down and 100% of the CPU is dedicated to rogue detection
- Does not perform rogue containment

In rogue detector mode, the AP radio is turned off and the AP listens to wired traffic only. The controllers keep track of the rogue APs detected in the wireless space and send their rogue AP and rogue client MAC address lists to the rogue detector. The rogue detector AP forwards this information to the other Cisco WLCs. The rogue detector AP is placed on a trunk port so that it can monitor all wired-side VLANs. It looks for the rogue on the wired subnet of every VLAN by listening for Address Resolution Protocol (ARP) packets and comparing the Layer 2 addresses they carry against the rogue clients and rogue APs identified by the controller. If a matching Layer 2 address is found, the controller generates an alarm that identifies the rogue AP or client as a threat. This alarm indicates that the rogue was not only detected in the wireless space but also seen on the wired network.
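The wired-side correlation that the rogue detector performs is simple enough to reproduce and useful to understand when tuning rogue alarms. The following is an added example, not Cisco's rogue detector implementation: it parses constructed Ethernet frames (802.1Q-tagged and untagged) for ARP, and raises one alarm per rogue MAC and VLAN whenever a sender address matches the rogue AP or rogue client lists a controller would report. The frame contents, MAC addresses and VLAN numbers are constructed for the example; the 802.1Q and ARP layouts are the standard ones.

```python
"""Added example (not Cisco's rogue-detector code): correlate ARP traffic seen
on a trunk port with the rogue MAC lists a controller reports.

Frames and MAC lists below are constructed for the example."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_frame(frame):
    """Return (vlan, oper, sender_mac, sender_ip, target_mac) or None if not IPv4 ARP.

    vlan is None for untagged frames; 802.1Q tags are handled as seen on a trunk."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_ARP or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is modelled here
    sha = frame[offset + 8:offset + 14]
    spa = frame[offset + 14:offset + 18]
    tha = frame[offset + 18:offset + 24]
    return vlan, oper, mac_str(sha), ".".join(map(str, spa)), mac_str(tha)


def build_arp(src_mac, sender_ip, target_ip, vlan=None, oper=ARP_REQUEST):
    """Construct a broadcast ARP frame (test input only; no real capture involved)."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    payload = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    payload += src + bytes(map(int, sender_ip.split(".")))
    payload += b"\x00" * 6 + bytes(map(int, target_ip.split(".")))
    header = b"\xff" * 6 + src
    if vlan is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan)  # PCP/DEI 0, VID = vlan
    return header + struct.pack("!H", ETHERTYPE_ARP) + payload


def correlate(frames, rogue_aps, rogue_clients):
    """Alarm once per (rogue MAC, VLAN) whose address is heard in wired ARP traffic.

    Both the ARP sender hardware address and the Ethernet source are checked."""
    alarms, seen = [], set()
    for frame in frames:
        parsed = parse_arp_frame(frame)
        if parsed is None:
            continue  # non-ARP or malformed: the detector ignores it
        vlan, _oper, sender_mac, sender_ip, _target_mac = parsed
        for mac in (sender_mac, mac_str(frame[6:12])):
            if (mac, vlan) in seen:
                continue
            if mac in rogue_aps:
                kind = "rogue AP on wire"
            elif mac in rogue_clients:
                kind = "rogue client on wire"
            else:
                continue
            seen.add((mac, vlan))
            alarms.append({"kind": kind, "mac": mac, "vlan": vlan, "ip": sender_ip})
    return alarms


# Constructed rogue lists as a controller would push them to the detector.
ROGUE_APS = {"00:11:22:33:44:55"}
ROGUE_CLIENTS = {"aa:bb:cc:dd:ee:01"}

# Constructed trunk traffic: a legitimate host, a rogue AP's wired uplink, a
# rogue client, a non-ARP IPv4 frame, and a repeat of the rogue AP's request.
SAMPLE_FRAMES = [
    build_arp("00:aa:bb:cc:dd:01", "10.1.10.5", "10.1.10.1", vlan=10),
    build_arp("00:11:22:33:44:55", "10.1.20.9", "10.1.20.1", vlan=20),
    build_arp("aa:bb:cc:dd:ee:01", "10.1.20.42", "10.1.20.1", vlan=20, oper=ARP_REPLY),
    b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", 0x0800) + b"\x00" * 40,
    build_arp("00:11:22:33:44:55", "10.1.20.9", "10.1.20.1", vlan=20),
]

if __name__ == "__main__":
    for alarm in correlate(SAMPLE_FRAMES, ROGUE_APS, ROGUE_CLIENTS):
        print(alarm)
```

The match is exact, as the guide describes. Keep in mind that the BSSID a rogue AP advertises over the air is often not the MAC of its wired interface, so a rogue AP that does not bridge its clients onto the wire may never be matched this way; its wireless clients, whose MACs are unchanged, are the more reliable thing to look for.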
AP Bridge Mode
This topic describes the bridge mode that is used on lightweight APs for mesh networks.

Bridge Mode
- Available on Cisco 1042, 1131, 1142, 1242, 1262, 3500, and 1500 Access Points
- Mode used to set up a mesh network, either indoor or outdoor
- Allows the AP to act as a wireless CAPWAP bridge
- Only shows up on supported hardware
- An additional protocol, Adaptive Wireless Path Protocol (AWPP), is used by the AP to determine the best route to the network

Selecting the bridge mode of operation enables the AP to operate as a mesh access point (MAP). Wireless mesh networks can simultaneously carry two different traffic types:
- Wireless LAN client traffic
- MAP Ethernet port traffic

The wireless LAN client traffic terminates on the controller, and the Ethernet traffic terminates on the Ethernet ports of the mesh access points. MAPs support multiple deployment modes, including the following:
- Wireless mesh
- WLAN backhaul
- Point-to-multipoint wireless bridging
- Point-to-point wireless bridging

As of Release 7.0, operation as an indoor MAP is supported on the Cisco Aironet 1042, 1131, 1142, 1242, 1252, 1262, and 3502 Access Points and all WLCs. Operation under 802.11n using either 20-MHz or 40-MHz channels for the backhaul traffic is supported on all but the Cisco Aironet 1131 and 1242 Access Points, which do not support the 802.11n standard.

In order to establish a mesh network indoors, the APs must first be connected to the network and allowed to join the WLC. Once joined, change them to bridge mode, which requires the controller to download new firmware to the AP and then reboot it. Upon reboot, it rejoins the network as a MAP. In order for the mesh network to form, at least one AP must then be placed into operation as a root access point (root AP). Once a root AP is in operation, the mesh network can form.
The MAPs use the Adaptive Wireless Path Protocol (AWPP) to determine the best radio path to an AP that provides wired connectivity to the WLC.

AP SE-Connect Mode

SE-Connect Mode
- Available on Cisco 3500 Series Access Points
- Allows the AP to act as a network-connected sensor
- Only shows up on supported hardware
- Monitors the 2.4-GHz and 5-GHz spectrum simultaneously
- Does not support wireless clients
- Also referred to as spectrum-only monitor mode (SOMM)

The SE-Connect mode, also referred to as spectrum-only mode, allows any Cisco CleanAir AP to be configured as a network-connected sensor. Spectrum Expert 4.0 is required; it gathers information on the signal strength and duty cycle of all RF transmissions within the bands used by the wireless network. With this feature, any CleanAir-capable access point that is joined to a controller can be placed into SE-Connect mode, capturing all transmissions that it receives. This raw spectrum information is then forwarded to a workstation running the Cisco Spectrum Expert version 4 software for analysis. The software analyzes the data it receives to provide the same information as it does when capturing with a Cisco Spectrum Expert wireless card. This provides flexible deployment of monitoring capabilities in any enterprise environment, improving response time and eliminating the need to travel to analyze interference data.

Each AP in SE-Connect mode monitors the entire 2.4-GHz and 5-GHz spectrum simultaneously. When in this mode, however, the AP is not capable of supporting wireless clients and still consumes one AP connection on the controller to which it has joined. This mode is entered by selecting it from the AP Mode drop-down menu, applying it, and waiting for the AP to rejoin the controller after it reboots.
Once the AP has restarted, you must select the AP and copy its Network Spectrum Interface (NSI) key before adding the AP as a remote sensor in the Spectrum Expert software. The key is what the workstation needs to connect to the AP, so handle it as you would any other credential.

H-REAP Mode
This topic describes the H-REAP mode and the APs on which this feature is available.

H-REAP
- H-REAP APs can be controlled across WAN links
- Designed to support remote offices
- Control traffic is still CAPWAP and is sent to the Cisco Wireless LAN Controller (WLC); client data can be locally bridged
- All management, control, and RF management is available when the WAN link is up and connectivity is available to the Cisco WLC
- H-REAP can remain operational when unable to communicate with a controller during a WAN outage

Hybrid Remote-Edge Access Point (H-REAP) is an alternative solution for branch and remote office deployments. It enables administrators to configure and control remote APs in a branch or remote office from the corporate office through a WAN link, without deploying a controller in each office. With H-REAP, the AP can also be separated for a time from the controller. It still needs a controller in the initial phase. If the controller is across a WAN link, H-REAP tolerates a momentary loss of connection to its controller and is still able to serve local wireless clients.

Earlier implementations of H-REAP were limited in the number of APs supported. There are no longer deployment restrictions on the number of H-REAP APs per location, provided that some basic design guidelines are followed:
- H-REAP APs may not be placed across WAN links slower than 128 kb/s.
- Round-trip latency between the H-REAP AP and the controller may not exceed 100 ms.
- Between the AP and the controller, a minimum 500-byte maximum transmission unit (MTU) is supported.
- The AP needs to retrieve a 4-MB code update across the WAN.
The H-REAP AP can switch client data traffic locally and perform client authentication locally when its connection to the centralized controller is lost. When it is connected to the controller, it can also send traffic back to the controller.

On the 802.11a spectrum, Dynamic Frequency Selection (DFS), a mandatory part of the IEEE 802.11h protocol, is fully supported in both connected mode and disconnected mode. When an AP detects a radar burst, it changes frequency via a controller instruction if in connected mode, or autonomously in disconnected mode. It remembers this channel change even after a reboot.

H-REAP is supported on Cisco Aironet 1040, 1130AG, 1140, 1240AG, 1250, 1260, and 3500 Series Access Points. With H-REAP, administrators can choose from the following options:
- Bridge some traffic locally
- Tunnel some traffic over the WAN
- Tunnel some traffic over Control and Provisioning of Wireless Access Points (CAPWAP) or Lightweight Access Point Protocol (LWAPP) on a per-Service Set Identifier (SSID) basis

H-REAP APs provide more flexibility in setting up wireless access at remote locations. Even though an unlimited number of H-REAP APs can now be deployed per location, the WAN link requirements still mean that the H-REAP concept is reserved for locations where adding a controller would not be cost effective but where the WAN link to the controller location is fast. Having a local controller is always considered more efficient.

H-REAP
- When operating in CAPWAP, H-REAP-compatible APs have two possible modes:
  - Connected mode (connected state): When the H-REAP AP can reach the controller, it gets help from the controller to complete client authentication.
  - Standalone mode:

Mobility Groups
- A Cisco WLC can reside in only a single mobility group (the default mobility domain name is set under Controller > General).
All controllers that will be part of the same mobility group need to have the same default mobility domain name. This name is set in the web interface under Controller > General. Each controller is limited to a single mobility group, although it can know about multiple mobility groups. A controller exchanges information about roaming clients only with controllers it knows. Controllers in the same mobility group should also share the same virtual gateway IP address, which is defined in the Controller > Interfaces menu.

RF information is exchanged between controllers in the same RF group. The RF group name is an ASCII string that is configured per wireless LAN controller (WLC). The grouping algorithm elects the RF group leader, which in turn calculates the Transmit Power Control (TPC) and dynamic channel assignment (DCA) for the entire RF group. The RF group name can be the same as or different from the default mobility domain name.

When creating mobility groups, each controller that will be part of the group needs to know about every other controller in the group. The mobility group is created in the web interface using the Controller > Mobility Groups tab. The local controller is listed by default. Controllers can be added in one of two ways:
- The controllers can be added one at a time by using the New button and entering the member IP address, member MAC address, and group name.
- The controllers can be added using Edit All, which allows you to paste a text file including the member IP address, member MAC address, and group name.
You can add mobility members that are part of a different mobility group into the mobility list of the controller, which creates a mobility domain. Controller software Release 5.1 supports up to 72 controllers in the mobility list and allows seamless roaming across multiple mobility groups within a mobility domain. For ease of management, the Cisco Wireless Control System (WCS) can be used to deploy a template containing all members of a mobility group.

Roaming Concept
This topic defines roaming and what it implies for the network infrastructure.

Roaming Concept
- Roaming refers to movement of clients across Cisco APs while transmitting.
- Roaming can occur across different mobility groups, but must be within a mobility domain.
- The Cisco WLC can reside in only a single mobility group.
- The following should be consistent for mobility groups:
  - Mobility group membership
  - Code across all member controllers (with exceptions)
  - AP control protocol mode across all member controllers
  - ACLs configured on all member controllers
  - WLAN configuration
  - Virtual IP address
- Two types of roaming:
  - Intrasubnet roaming (Layer 2)
  - Intersubnet roaming (Layer 3)

Roaming is the process of a client moving from one AP coverage area to another while actively transmitting. This is different from nomadic behavior, in which a client uses the network in one area, stops using it while moving to another area, and expects to still be associated upon arriving at the new area. Nomadic usage allows for temporary disconnections, while roaming implies a permanent connection, or disconnections short enough not to disturb the communication.

The Cisco Unified Wireless Network environment allows roaming between APs associated with the same Cisco WLC and roaming between APs associated with different controllers.
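The consistency requirements listed above are the kind of thing that silently breaks roaming when one controller is patched or reconfigured on its own. As an added example (not a Cisco tool, and not the WLC's configuration syntax), the check below takes a constructed record per controller, with the field names chosen for this example, and reports every setting that differs across the mobility group, treats ACLs and WLANs as sets that every member must fully carry, tolerates code-version pairs you list as known compatible, and verifies that every controller's mobility list names every other member so that they actually form one mobility domain.

```python
"""Added example (not Cisco's configuration checker): verify that the
controllers of a mobility group share the settings the guide requires for
seamless roaming. Controller records and field names are constructed."""
from itertools import combinations

# Settings the guide says must be consistent across the mobility group.
SCALAR_FIELDS = ("mobility_group", "virtual_ip", "ap_protocol")
SET_FIELDS = ("acls", "wlans")


def mobility_group_issues(controllers, compatible_code=()):
    """Return a list of mismatch descriptions; an empty list means consistent.

    controllers: dicts with name, mobility_group, code_version, ap_protocol,
      acls (set), wlans (set), virtual_ip and mobility_list (set of names).
    compatible_code: pairs of code versions documented as able to roam with
      each other (the guide notes some mixed-version roaming works)."""
    issues = []
    for field in SCALAR_FIELDS:
        values = {c["name"]: c[field] for c in controllers}
        if len(set(values.values())) > 1:
            issues.append(f"{field} differs: {values}")
    # Code version: flag every differing pair unless it is listed as compatible.
    versions = {c["name"]: c["code_version"] for c in controllers}
    known_ok = {frozenset(pair) for pair in compatible_code}
    for a, b in combinations(sorted(versions), 2):
        if versions[a] != versions[b] and frozenset((versions[a], versions[b])) not in known_ok:
            issues.append(f"code_version {a}={versions[a]} vs {b}={versions[b]} not known compatible")
    # ACLs and WLANs: every member must carry everything any member has, or a
    # client can roam onto a controller that lacks its SSID or its policy.
    for field in SET_FIELDS:
        union = set().union(*(set(c[field]) for c in controllers))
        for c in controllers:
            missing = union - set(c[field])
            if missing:
                issues.append(f"{c['name']} lacks {field}: {sorted(missing)}")
    return issues


def same_mobility_domain(controllers):
    """True if every controller's mobility list names every other controller."""
    names = {c["name"] for c in controllers}
    return all(names - {c["name"]} <= set(c.get("mobility_list", ())) for c in controllers)


# Constructed group: WLC-2 is missing an ACL, WLC-3 runs different code and
# has not been told about WLC-2.
GROUP = [
    {"name": "WLC-1", "mobility_group": "campus", "code_version": "7.0.116.0",
     "ap_protocol": "CAPWAP", "acls": {"guest-acl", "voice-acl"},
     "wlans": {"corp", "guest", "voice"}, "virtual_ip": "1.1.1.1",
     "mobility_list": {"WLC-2", "WLC-3"}},
    {"name": "WLC-2", "mobility_group": "campus", "code_version": "7.0.116.0",
     "ap_protocol": "CAPWAP", "acls": {"guest-acl"},
     "wlans": {"corp", "guest", "voice"}, "virtual_ip": "1.1.1.1",
     "mobility_list": {"WLC-1", "WLC-3"}},
    {"name": "WLC-3", "mobility_group": "campus", "code_version": "6.0.199.4",
     "ap_protocol": "CAPWAP", "acls": {"guest-acl", "voice-acl"},
     "wlans": {"corp", "guest", "voice"}, "virtual_ip": "1.1.1.1",
     "mobility_list": {"WLC-1"}},
]

if __name__ == "__main__":
    for issue in mobility_group_issues(GROUP):
        print("MISMATCH:", issue)
    print("mobility domain complete:", same_mobility_domain(GROUP))
```

Run against the constructed group, it reports the missing ACL on WLC-2 and the two code-version pairs involving WLC-3; passing that pair in compatible_code leaves only the ACL finding, which is the one that would actually strand a voice client roaming onto WLC-2.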
Roaming can also occur at either Layer 2 or Layer 3:
- In Layer 2 roaming, the client subnet does not change.
- In Layer 3 roaming, the client moves from a Service Set Identifier (SSID) on one AP that is associated with one VLAN and its IP subnet to the same SSID on a different AP that is associated with a different VLAN and IP subnet.

For roaming to occur between different controllers, the controllers need to be in the same mobility domain so that they can communicate. The controllers within a mobility group must all share the following characteristics:
- Mobility group name
- Version of controller code. Roaming between controllers running different code versions is possible, but not all versions are compatible. For details about which versions are compatible, refer to http://www.cisco.com/en/US/partner/docs/wireless/controller/4400/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp80877
- AP control protocol (Lightweight Access Point Protocol [LWAPP] or Control and Provisioning of Wireless Access Points [CAPWAP])
- Access control lists (ACLs)
- WLANs (SSIDs)

These requirements must be met for client roaming to function properly. Without them, a client could have to reassociate or reauthenticate. During the roaming process, the client connection can be managed by the new controller to which it roams (asymmetric tunneling), or all traffic can be sent back to the controller from which the client originates (symmetric tunneling).

Note: Same-controller intrasubnet roaming requires less than 10 ms, while multiple-controller intrasubnet roaming requires less than 20 ms. Intersubnet roaming requires less than 30 ms to complete.
These estimates do not account for congestion across the enterprise infrastructure.

Caveats for Mobility Groups
Cisco Centralized Key Management (CCKM) and Proactive Key Caching (PKC) do not work across mobility groups. If you roam to a controller that you know but that has a different mobility group value, everything is fine if you use a pre-shared key (or open or web authentication). If you use 802.1X with CCKM or Wi-Fi Protected Access 2 (WPA2), your key is not transmitted to the other controller and you have to reauthenticate to get a new key. You keep your IP address (as part of the roaming process), so you are briefly disconnected, but your IP session is not broken. This is acceptable for a data device. If you are using a Voice over Wireless LAN (VoWLAN) device, you want to avoid that disconnection, and you need to make sure that the controllers you roam to belong to the same mobility group.

Cisco Wireless Layer 2 Roaming
This topic describes Layer 2 intracontroller and intercontroller roaming.

Layer 2 Roaming
- Single Cisco WLC
- Multiple Cisco WLCs in the same subnet
- Transparent to the client
- The session is sustained during connection to the new AP
- The client continues using the same DHCP-assigned or static IP address

Layer 2 roaming occurs whenever a client roams between APs on the same controller, or when a client roams to an AP on a different controller that is located on the same subnet as the original controller. The client receives no indication that it has roamed and does not need to reauthenticate.
The client also keeps its IP address, meaning that no Layer 3 activity is required by the roaming event.

Figure: Client Roaming Within a Subnet. Two Cisco WLAN controllers in one mobility domain, showing intracontroller mobility and intercontroller mobility.

As the client moves from AP to AP, the controller manages all roaming activity and the client is not affected. Even when a client roams to a different controller, it is not affected and does not even notice the roaming event. This seamless roaming process requires that both controllers be in the same mobility domain. If the controllers are in different mobility domains, the client needs to reauthenticate and reassociate.

When a wireless client associates and authenticates to an access point, the controller of that AP places an entry for the client in its client database. This entry includes the following information:
- MAC and IP addresses of the client
- Security context and associations
- Quality of service (QoS) contexts
- The WLAN
- The associated AP

The controller uses this information to forward frames and manage traffic to and from the wireless client. When a client moves from location t1 to t2, it asks for reauthentication on a new AP. This authentication is done by a query sent to the controller to which the AP is connected. If that controller is the same one to which the AP the client is leaving was joined, the controller simply updates the client database with the newly associated AP. If necessary, new security context and associations are established as well. This internal operation takes less than 10 ms and is known as intracontroller Layer 2 roaming.
The process becomes more complicated when a client roams from an AP that is joined to one controller to an AP that is joined to a different controller. When the client at t3 associates to an AP joined to a new controller, the new controller exchanges mobility messages with the original controller, and the client database entry is moved to the new controller. New security context and associations are established if necessary, and the client database entry is updated for the new AP. This process takes less than 20 ms and is transparent to the client. This is known as intercontroller Layer 2 roaming.

The process remains transparent to the user unless one of the following occurs:
- The client is using automatic link-local IP address assignment (called automatic private IP addressing [APIPA] in Microsoft Windows), that is, 169.254.0.0/16.
- The client sends a DHCP discover request.
- The session timeout is exceeded.

Layer 3 Roaming
This topic describes intersubnet roaming operations and their impact on client communication.

Layer 3 Roaming
- Multiple Cisco WLCs in different subnets
- Transparent to the client
- The session is sustained during connection to the new AP
- A tunnel between the anchor Cisco WLC and the foreign Cisco WLC, along with special handling of the client traffic by both controllers, allows the client to continue using the same DHCP-assigned or client-assigned IP address while the session remains active
- Set up using one of the following:
  - Symmetric tunnel
  - Asymmetric tunnel (used by earlier versions of controller code)

A Layer 3 roaming event requires more processing and controller coordination than a Layer 2 roaming event. It is more complex because the wireless client is moving from one VLAN and subnet to another.
To the client, the process is seamless. The client does not get a new IP address and does not have to reauthenticate. The controllers create a tunnel, known as a mobility tunnel, which makes the network and the client behave as if the client had not changed subnets.

The controllers can be configured for two different types of Layer 3 roaming:
- Symmetric: All traffic to and from the client is tunneled between the foreign controller and the anchor controller. Symmetric mobility tunneling became the only method in controller code Release 5.2 and later.
- Asymmetric: Traffic from the wireless client is passed via normal IP routing to the destination. Returning traffic is passed to the originating anchor controller and then tunneled to the foreign controller before returning to the client. Early versions of the controller code used an asymmetric solution to provide client mobility.

As the client moves from one AP to another, control of the client passes from a controller on one subnet to a controller on a different subnet. The client maintains connectivity, and the approximately 30-ms event does not cause any client disruption.

The controllers exchange mobility messages about the client roaming event. However, instead of moving the client entry to the client database of the new controller, the original WLC marks the client with an "Anchor" entry in its own client database. The database entry is copied to the new controller's client database and marked there as a "Foreign" entry. The client is reauthenticated to establish a new security context, and the client database entry is updated for the new AP with which the client is associated. The process on the back end is completely opaque to the wireless client, which maintains its original IP address.
Roaming Example: Preroaming
Before roaming, communication between the client and the infrastructure follows normal network communication rules. In this example, the client IP address is 10.4.4.4, and it is communicating with a 10.3.3.3 machine in the network. A frame that is sent from the client would have the wireless client MAC address as the source, and the router (gateway) MAC address as the destination. The IP source would be 10.4.4.4 and the IP destination 10.3.3.3. Upon receiving the frame, the router determines whether the destination network is reachable, and switches the packet to the correct interface accordingly. Answers from 10.3.3.3 follow the exact reverse path.

Roaming Example: Layer 3 Asymmetric
After roaming occurs, the client (10.4.4.4) connects to the foreign controller and attempts to continue communications with the same PC (10.3.3.3). The packet travels from the interface on the foreign controller, and takes its normal path to the router to be forwarded to the final destination. The router determines whether the destination network is reachable, and switches the packet to the correct interface.

Roaming Example: Layer 3 Asymmetric (Cont.)
1. Upon answering, the PC recognizes the traffic as being on the 10.4.4.0 subnet and sends the answer back to that subnet.
2. The router determines whether the destination network is reachable, and switches the packet to the 10.4.4.x interface.
3. The anchor controller recognizes the address of the client, and passes the packet via the tunnel that it created to the foreign controller.
4. The foreign controller then passes the traffic back to the client.
From the client perspective, nothing has changed between subnet 10.4.4.0 and subnet 10.5.5.0.
It still believes that it is connected in subnet 10.4.4.0. The foreign controller acts as an Address Resolution Protocol (ARP) proxy for the client, handling the Layer 2 to Layer 3 resolution issues. This process is known as asymmetric tunneling. The controllers can also be set to do symmetric tunneling.

Note: The use of asymmetric tunneling tends to cause client issues if there are firewalls or an upstream router that has reverse path filtering (RPF) enabled.

Roaming Example: Layer 3 Symmetric
In current versions of the controller code, the data to and from the wireless client is always forwarded to the network by the anchor controller, in order to eliminate the issues that are associated with an asymmetric traffic path. If a wireless client roams to a new foreign controller, the client database entry is moved from the original foreign controller to the new foreign controller, but the original anchor controller is always maintained. If the client moves back to the original controller, it becomes local again. After roaming occurs, the client (10.4.4.4) connected to the foreign controller attempts to connect to the same PC (10.3.3.3).
1. The packet is encapsulated at the foreign controller and tunneled to the anchor controller.
2. The anchor controller then passes the traffic to the PC (10.3.3.3) via normal IP routing.

Roaming Example: Layer 3 Symmetric (Cont.)
3. The PC recognizes the traffic as being on the 10.4.4.x subnet, and sends the packet back to that subnet.
4. The anchor controller recognizes the address of the client, and passes the packet via the tunnel that it created to the foreign controller.
5. The foreign controller then passes the traffic back to the client.
This process is symmetric tunneling.
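The asymmetric and symmetric paths walked through above, as an added Python model that is not Cisco code and not part of the course: it moves a packet between the client, the foreign controller, the router and the anchor controller using the lesson's addresses, and shows why the asymmetric upstream path fails a strict reverse path check at the router, which is the RPF issue the note above warns about. The router and controller objects and the strict uRPF rule are simplifications assumed for the example.

```python
"""Packet-path model of the Layer 3 roaming examples (asymmetric vs. symmetric).

Added illustration, not Cisco code. It reuses the lesson's addresses: client
10.4.4.4 anchored on 10.4.4.0/24, foreign controller on 10.5.5.0/24, PC 10.3.3.3.
The router's reverse path check is a generic strict uRPF model (an assumption).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network

CLIENT = ip_address("10.4.4.4")
PC = ip_address("10.3.3.3")
ROUTES = {  # router interface -> directly connected subnet
    "anchor-if": ip_network("10.4.4.0/24"),
    "foreign-if": ip_network("10.5.5.0/24"),
    "pc-if": ip_network("10.3.3.0/24"),
}


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    hops: list = field(default_factory=list)


class Router:
    def __init__(self, routes, rpf_check=False):
        self.routes = routes
        self.rpf_check = rpf_check

    def forward(self, pkt, ingress_if):
        """Return the egress interface, or None if the packet is dropped."""
        pkt.hops.append("router")
        if self.rpf_check and pkt.src not in self.routes[ingress_if]:
            # Strict RPF: source 10.4.4.4 arriving on the 10.5.5.0 interface
            # does not match the route back to it, so the router drops it.
            pkt.hops.append("dropped-by-rpf")
            return None
        for name, net in self.routes.items():
            if pkt.dst in net:
                return name
        return None


class Controller:
    """Holds the client database; the entry role decides how traffic flows."""
    def __init__(self, name, router_if):
        self.name = name
        self.router_if = router_if
        self.clients = {}  # client IP -> (role, peer controller name)


def roam(anchor, foreign, client_ip):
    """Layer 3 roam: the anchor keeps an "Anchor" entry, the copy on the new
    controller is marked "Foreign"; the client keeps its IP address."""
    anchor.clients[client_ip] = ("Anchor", foreign.name)
    foreign.clients[client_ip] = ("Foreign", anchor.name)


def upstream(mode, router, anchor, foreign):
    """Client -> PC after the roam."""
    pkt = Packet(CLIENT, PC, ["client", foreign.name])
    role, peer = foreign.clients[CLIENT]
    assert role == "Foreign" and peer == anchor.name
    if mode == "symmetric":
        # Foreign controller tunnels to the anchor, which hands the packet
        # to the network from the client's own subnet.
        pkt.hops += ["eoip-tunnel", anchor.name]
        egress = router.forward(pkt, anchor.router_if)
    elif mode == "asymmetric":
        # Foreign controller forwards directly via normal IP routing.
        egress = router.forward(pkt, foreign.router_if)
    else:
        raise ValueError(mode)
    if egress == "pc-if":
        pkt.hops.append("pc")
    return pkt


def downstream(router, anchor, foreign):
    """PC -> client: identical in both modes, always via the anchor's subnet."""
    pkt = Packet(PC, CLIENT, ["pc"])
    egress = router.forward(pkt, "pc-if")
    assert egress == anchor.router_if  # 10.4.4.0 lives on the anchor side
    pkt.hops.append(anchor.name)
    role, peer = anchor.clients[CLIENT]
    if role == "Anchor":
        # The anchor recognizes the roamed client and tunnels to the foreign WLC.
        pkt.hops += ["eoip-tunnel", peer]
    pkt.hops.append("client")
    return pkt


def simulate(mode, rpf_check):
    anchor = Controller("anchor-wlc", "anchor-if")
    foreign = Controller("foreign-wlc", "foreign-if")
    roam(anchor, foreign, CLIENT)
    router = Router(ROUTES, rpf_check)
    up = upstream(mode, router, anchor, foreign)
    down = downstream(router, anchor, foreign)
    return {"upstream": up.hops, "downstream": down.hops,
            "delivered": up.hops[-1] == "pc"}


if __name__ == "__main__":
    for mode in ("asymmetric", "symmetric"):
        for rpf in (False, True):
            print(mode, "rpf" if rpf else "no-rpf", simulate(mode, rpf))
```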
All controllers must be configured to use symmetric tunneling, and the configuration must be the same from one controller to the other for the process to operate properly.

Roaming: Tunnels (Symmetric Example)
The symmetric mobility tunneling feature allows both the ingress and egress traffic of a roamed client to be tunneled to and from the anchor controller. This means that roamed clients reside logically in their anchor controller, and traffic patterns between the anchor and foreign controllers operate fully as a point-to-point symmetric tunnel. There is only one difference in operation between regular, asymmetric mobility tunneling and this newer symmetric traffic flow: the upstream traffic from roamed clients will not be forwarded to the destination by the foreign controller, but will instead be tunneled to the anchor controller, where delivery to the network will occur.

In the roaming process, a secured CAPWAP tunnel is established between both controllers to copy the client credentials from the anchor controller database to the foreign controller database. Client traffic can then be forwarded directly from the foreign controller, in the case of an asymmetric tunnel, or sent back to the anchor controller in a symmetric tunnel. In either case, both controllers have the CAPWAP tunnel that is created for credentials transmission. If a wireless client later roams to a new AP joined to a different Cisco WLC, the "Foreign" client database entry is moved from the original foreign Cisco WLC to the new foreign Cisco WLC, but the original anchor Cisco WLC is always maintained.

Mobility Anchor
This topic describes the mobility anchor.
You can use auto-anchor mobility (also called guest tunneling) in the following cases:
■ To limit guest access to the corporate network by first passing the traffic through the corporate firewall, maintaining consistent security policies
■ To implement a geographic access policy that can restrain client traffic to a specific subnetwork, no matter where the client is physically located
■ To change roaming characteristics if a firewall prevents Layer 3 roaming from functioning properly

The logic of this implementation differs slightly from the previous designs. The anchor controller is called, in this case, the mobility anchor controller (and not simply the anchor controller). The client traffic is forwarded to this mobility anchor no matter where the client connection originates. This implies that the client can connect from the mobility anchor and roam, or connect directly from another controller. In either case, the traffic from that client will first be sent to the defined mobility anchor for this WLAN. There, the client will receive its IP address and security configuration (interface, VLAN, and so on). From the network perspective, it seems that the client is connected to an AP that is connected to the mobility anchor controller. The foreign controller will do nothing but send all traffic coming from this WLAN to the mobility anchor.

More than one controller may be specified as the mobility anchor for a given WLAN. This design provides high availability in the event of a failure. Assuming that the local controller is not the anchor for a given WLAN, the foreign controller will select an anchor from the list of configured controllers for that WLAN, on a round-robin basis. If the local controller is the anchor for a given WLAN, then any mobile clients that associate to the local controller will be anchored locally.
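Anchor selection with several configured mobility anchors, as an added Python model that is not Cisco code: it applies the round-robin and local-anchor rules above, and also the status-message failure detection described later in this lesson under Controller Anchor Config (a 10-second default interval within 1 to 20 seconds, three missed messages within a range of 3 to 20, teardown of sessions with the offline peer, no new anchor requests to it, and a single message restoring it). Controller names, WLAN names and client MACs are constructed, and the outcome when every configured anchor is offline is an assumption.

```python
"""Mobility anchor selection and mobility-group peer status (added illustration).

Not Cisco code. Controller names, WLAN names and client MACs are constructed,
and the outcome when every configured anchor is offline (no anchor returned)
is an assumption.
"""
from itertools import cycle


class MobilityGroup:
    """State kept by one controller about the peers in its mobility group."""

    def __init__(self, local, members, interval_s=10, miss_threshold=3):
        if not 1 <= interval_s <= 20:
            raise ValueError("status message interval must be 1 to 20 seconds")
        if not 3 <= miss_threshold <= 20:
            raise ValueError("missed status message count must be 3 to 20")
        self.local = local
        self.interval_s = interval_s
        self.miss_threshold = miss_threshold
        self.missed = {m: 0 for m in members if m != local}
        self.online = {m: True for m in self.missed}
        self.anchors = {}   # WLAN -> configured mobility anchors, in order
        self._rr = {}       # WLAN -> round-robin iterator over those anchors
        self.sessions = {}  # client MAC -> anchor controller for that client

    def configure_anchors(self, wlan, anchors):
        """Anchors must already be defined as members of the mobility group."""
        unknown = set(anchors) - set(self.online) - {self.local}
        if unknown:
            raise ValueError(f"not in the mobility group: {sorted(unknown)}")
        self.anchors[wlan] = list(anchors)
        self._rr[wlan] = cycle(anchors)

    def status_tick(self, heard_from):
        """One status interval has elapsed; `heard_from` are the peers whose
        status (or other groupcast) message arrived during that interval."""
        for peer in self.missed:
            if peer in heard_from:
                self.missed[peer] = 0
                self.online[peer] = True      # a single message restores it
                continue
            self.missed[peer] += 1
            if self.online[peer] and self.missed[peer] >= self.miss_threshold:
                self.online[peer] = False
                # existing mobility sessions with the offline peer are ended
                for mac in [m for m, a in self.sessions.items() if a == peer]:
                    del self.sessions[mac]

    def select_anchor(self, wlan, client_mac):
        """Pick the anchor for a client associating to this controller."""
        anchors = self.anchors.get(wlan)
        if not anchors:
            return None                       # no auto-anchor on this WLAN
        if self.local in anchors:
            self.sessions[client_mac] = self.local   # anchored locally
            return self.local
        for _ in range(len(anchors)):         # round-robin, skipping offline
            candidate = next(self._rr[wlan])
            if self.online[candidate]:
                self.sessions[client_mac] = candidate
                return candidate
        return None                           # every anchor is offline


if __name__ == "__main__":
    g = MobilityGroup("wlc-a", ["wlc-a", "wlc-b", "wlc-c"])
    g.configure_anchors("guest", ["wlc-b", "wlc-c"])
    print([g.select_anchor("guest", f"00:11:22:33:44:0{i}") for i in range(3)])
    for _ in range(3):
        g.status_tick({"wlc-b"})          # wlc-c silent for three intervals
    print(g.online, g.sessions)
```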
Mobility Anchor Considerations
■ A foreign session to the anchor is set up ahead of client IP address determination. The foreign controller will have no knowledge of Layer 3 client information.
■ Web authentication is supported, but authentication will occur on the mobility anchor as opposed to the local controller.
■ This mobility anchor function is only available on Cisco 5500 and 4400 Series Wireless LAN Controllers, Cisco 3750G Series Switches, and Cisco WiSM blades. 2500 and 2100 Series controllers and the Cisco WLCM can be the foreign controller, but not the anchor controller.

When a mobility anchor is set up, all client traffic is tunneled from the foreign controller to the anchor controller, including items such as DHCP requests and all authentication requests. The foreign controller will not be involved in any Layer 3 events for the client. All of this information is tunneled back to the anchor. It should be noted that while any model of the WLC is capable of acting as the anchor controller in an export anchor-export foreign connection as used for symmetric mobility tunneling, the Cisco 2100 and 2500 Series controllers and any of the Cisco Wireless LAN Controller Modules (WLCMs) cannot be designated as an anchor for a WLAN. However, a WLAN created on a 2500 Series Wireless Controller or Cisco WLCM can have a Cisco 5500 Series Wireless LAN Controller as its anchor. When implementing an auto-anchor mobility solution, you must use a Cisco 4400 Series or 5500 Series Wireless LAN Controller, a Cisco 3750 Series Switch, or a Catalyst 6500 Series Wireless Services Module (WiSM or WiSM-2) as the anchor controller.

WLANs > Mobility Anchors
The controllers that are available to be a mobility anchor must be defined first in the mobility group configuration.
They will then be available in the web interface, in the drop-down menu under Mobility Anchors. Controllers within a mobility group communicate among themselves, sending control information over a well-known User Datagram Protocol (UDP) port and exchanging data traffic through an Ethernet over IP (EoIP) tunnel. Specifically, they send the following:
■ Mpings, which test mobility control packet reachability over the management interface, over mobility UDP port 16666
■ Epings, which test the mobility data traffic over the management interface, over EoIP port 97

The Control Path field shows whether mpings have passed (up) or failed (down), and the Data Path field shows whether epings have passed (up) or failed (down). If the Data or Control Path field shows down, then the mobility anchor cannot be reached and is considered to have failed.

Controller Anchor Config
By default, when there is more than one mobility anchor controller for a given WLAN, the foreign controller will try to load-balance client sessions across the different mobility anchor controllers. A controller status message is sent by a mobility anchor controller to all of the other members of the mobility group. A status message is sent every 10 seconds by default. The valid range is 1 to 20 seconds. The status message is used by the other controllers to determine the online status of the sending controller, and to detect configuration issues. If one controller misses three (by default) consecutive status messages from another controller, it will mark that controller as being offline. Any existing mobility sessions with the offline controller will be terminated. New mobility anchor requests will not be sent to a controller marked offline. The valid range is 3 to 20 missed messages.
A single status message or other groupcast message from a controller marked offline will change the status back to online and remove all restrictions.¹

¹ This feature, called Guest N+1 redundancy and mobility failover, was introduced in code Release 4.1.171.

Static IP Tunneling
Static IP mobility is a new feature that was introduced with the first maintenance release of the 7.0.116 controller code. It is designed to assist customers who must deploy devices with fixed IP addresses, but who still need to be able to move the device to different physical locations within the wireless network. Before Release 7.0 MR1, the only possible option to support this capability was to ensure that the subnet in which the client address existed was available across the enterprise. For some networks, such a large spanning VLAN is either impractical or impossible due to the existing network design.

Cisco has introduced a mechanism that is similar to the one used for guest tunneling in order to give clients with static IP addresses the capability to move within the wireless coverage area, and between mobility groups. This movement does not require every controller to maintain an interface in the subnet in which the static client address exists. Mobility across subnets for a client with a static IP address is implemented as follows:
■ When the client associates with a WLC that does not support the subnet of the client, the controller performs a normal mobility announcement to the members of the mobility group.
■ If the announcing controller receives a reply to the announcement from another member of the mobility group, then a normal mobility handoff is performed. The newly associated controller assumes the role of the foreign controller, and the responding WLC assumes the anchor role. This process is no different from the roaming scenarios examined previously.
■ If no reply to the mobility announcement is received within the normal timeout, the new WLC will treat the client as a new association. The new WLC will add the client to the client database as a local entry, and complete the authentication process for the WLAN.
■ When the client sends an IP packet, the WLC learns the IP address of the client and updates the client database.
■ Upon receiving this IP packet, the WLC identifies that it does not have an interface in the subnet, and therefore that it cannot support this subnet. It then searches its database for a WLC that can support this subnet, and if necessary queries all controllers in the mobility group.
■ If no WLC that supports the subnet is located, the message is logged and a trap is generated to alert the administrator, who then adds a WLC supporting this subnet to the mobility list.
■ If a WLC that supports the subnet is located, an anchor request like the one used for the auto-anchor process is generated and sent to the WLC that can support the subnet of the client.
■ Once the acknowledgment is received, the mobility handoff for this client occurs, with the controllers assuming their respective foreign and anchor roles and the traffic from the client tunneled between the anchor and this WLC.

It is important to note that in this process, the following restrictions apply:
■ Support for static IP mobility is disabled by default, and must be enabled on a per-WLAN basis from the GUI or command-line interface (CLI).
■ Static IP address mobility is not supported on any WLAN configured to support guest tunneling or wired guests.
■ A WLC that supports the subnet is one that has an interface supporting the subnet of the client, or an interface group that has at least one interface in the group that can support the subnet that is assigned to the WLAN.
■ Authentication, authorization, and accounting (AAA) override is ignored if static IP tunneling is enabled.
■ A WLAN enabled to support static IP mobility cannot be configured for DHCP required or H-REAP local switching.

Summary
This topic summarizes the key points that were discussed in this lesson.
■ Controllers can be part of the same mobility group, which allows them to exchange information about clients.
■ Roaming occurs when a station changes connection point while transmitting. At Layer 2, credentials are passed from one controller to the other to ensure seamless mobility.
■ At Layer 3, roaming can be symmetric or asymmetric, to maintain the client IP address or the complete connection to the original subnet.
■ When roaming is asymmetric, the mobility anchor feature allows a partial symmetric configuration based on the WLAN.
■ Symmetric roaming supports static IP address clients.

Lesson 6
Managing the Network from the Controller

Overview
This lesson will guide you through some of the common configuration parameters that run on a controller.

Objectives
Upon completing this lesson, you will be able to manage the network from the controller. This ability includes being able to meet these objectives:
■ Monitor the network from the controller Monitor page
■ Monitor and manage APs
■ Monitor and manage rogues
■ Monitor and manage clients
■ Create an internal DHCP scope

Controller Monitor Page
This topic describes the controller Monitor page and related items.
Monitor Page
The first page that is seen when connecting to a controller is the controller Monitor page. It contains a summarized overview of the main items that an administrator usually needs to monitor on a regular basis. This page is organized in two columns. The first column contains items such as the Controller Summary, Access Point Summary, and Client Summary. The second column contains items such as the Rogue Summary, Top WLANs, and Most Recent Traps. The first area is called the Controller Summary, and contains the following parameters:

Controller Summary Parameters
Management IP Address: Management IP address of the controller.
Service Port IP Address: The IP address of the controller front panel service port, if available on the hardware platform.
Software Version: The version of the operating system that is running on the controller: the main controller image code version, the Emergency Image version (to be used if the main image becomes corrupted), and the boot software version (which allows the controller to start and offers a choice between the main image and the emergency image).
System Name: Controller name that is specified during the initial setup.
Up Time: Time that has elapsed since the controller was last rebooted.
System Time: Current time that is set on the controller.
Internal Temperature: Current internal chassis temperature.
802.11a Network State: Enabled or disabled.
802.11b/g Network State: Enabled or disabled.
Local Mobility Group: Name of the default mobility group.

The Client Summary parameters include the following:

Client Summary Parameters
Current Clients: The number of clients that are currently associated with the controller. Click Detail for additional information about current clients.
Excluded Clients: Excluded clients are clients who entered wrong credentials a certain number of times, and have been excluded for a while. The events that trigger a temporary exclusion are defined under the Security main menu, and the duration is decided on a per-WLAN basis under the item Excluded Client Policy.
Disabled Clients: The number of clients that are currently disabled. Disabled clients are manually forbidden via MAC address by the administrator.

In the second column, the Rogue Summary¹ parameters include the following:

Rogue Summary Parameters
Active Rogue APs: Number of unauthorized APs detected by the controller. Click Detail for additional information about active unclassified rogue APs.
Active Rogue Clients: Active clients that are associated with a rogue AP. Click Detail for additional information about rogue client detail.
Ad hoc Rogues: Click Detail for additional information about ad hoc rogues.
Rogues on Wired Network: Click Detail (when present) for additional information.

Top WLANs provides information about the most active wireless LANs (WLANs), and includes these parameters:

Top WLANs Parameters
WLAN: Name of the WLAN as specified by the administrator.
Number of Clients by SSID: Number of clients that are associated with the WLAN based on Service Set Identifier (SSID).

At the bottom of the same column, the Most Recent Trap area lists the latest Simple Network Management Protocol (SNMP) information that would be sent to a trap receiver. The complete list can be found under Management > SNMP > Trap Logs.

¹ A rogue is any unauthorized wireless device.

Managing APs
This topic describes how to manage access points (APs) from the controller web interface.

Access Point Summary
From the controller Monitor page, the Access Point Summary is divided in three sections.
The Access Point Summary parameters include the following:

Access Point Summary Parameters
802.11a/n radios: Displays the number of available 802.11a/n radios on the APs associated to this controller. If any AP has an 802.11a/n radio that is down, it is shown in a separate column. At the end of the line, click the Detail link to open a specific window for the 802.11a/n radios. The link opens the Wireless > All APs > 802.11a/n radios page.
802.11b/g/n radios: Displays the number of available 802.11b/g/n radios on the APs associated to this controller. If any AP has an 802.11b/g/n radio that is down, it is shown in a separate column. At the end of the line, click the Detail link to open a specific window for the 802.11b/g/n radios. The link opens the Wireless > All APs > 802.11b/g/n radios page.
All APs: Shows the number of APs connected to the controller, whether they have a single radio (802.11b/g/n or a/n) or a dual 802.11a/b/g/n radio. The APs that are connected to the controller but are disabled are shown in a separate column. At the end of the line, click the Detail link to open a specific window for the AP details. The link opens the Wireless page.

To configure an AP radio, use the following procedure:
Step 1 Choose Wireless > All APs, and select the radio type that you want to configure.
Step 2 You can also click Details from the Access Point Summary in the controller Monitor page. A new page is displayed showing the list of all APs that are connected to this controller and that have this type of radio (whether you chose 802.11b/g/n or 802.11a/n). The new list shows the APs by name, their built-in MAC addresses, admin and operational status, channel and power-level setting, and type of antenna. A star next to the channel number or transmit power value means that the value is globally configured by the controller and not statically defined by the administrator.
Step 3 At the end of the line, a blue arrow is displayed. Positioning the mouse over the arrow shows a menu, from which the administrator can get more details about the AP, configure it, or check its traffic stream metrics (TSM²) parameters.

An administrator can disable an access point individually. In that case, the radio would be displayed as admin status Disabled and operational status Down. The AP radio may be down for another reason, in which case its operational status would be displayed as Down even though its admin status is still Enabled.

² Traffic stream metrics (TSM) involve the collection of uplink and downlink statistics between an AP and a Cisco Compatible Extensions version 4 client that are periodically propagated back to the controller. If the client is not Cisco Compatible Extensions version 4 compliant, then only downlink statistics are captured. TSM collection is configurable by the user on a per-interface band basis.

From the main controller Monitor page, in the Access Points area, click the radio type to display a list of all APs having this radio (for example, 802.11b/g/n). At the end of each line is a Detail link, which provides information about each individual AP and its radio configuration. From the controller Monitor page main menu, click the Wireless tab and select a radio type (for example, 802.11b/g/n). This action displays a page where all the APs having an 802.11b/g/n radio are listed, and a Detail link is displayed at the end of each line. This quick summary is useful to check whether this particular radio has an RF-related issue:
■ If the load on the AP exceeds a defined threshold (set by default to 80 percent), a warning will show in the Load Profile column.
■ If the signal-to-noise ratio (SNR) on this radio is too low, the Noise Profile column will show a warning.
■ If there is too much interference on the same channel as this radio,³ the Interference Profile column will show a warning.
■ If some clients move away from this AP without any other AP being able to relay, the Coverage column will show a warning.
These profiles are determined for each AP from the 802.11 AP Interfaces > Performance Profile page.

³ If the channel is manually set, the controller cannot change it. If the channel is set to "Global," the controller may not be able to change the radio channel if the other possible channels do not offer a better RF environment.

Statistics
Click Detail to open a page that shows text or graphical values, including the following:

Radio Statistics
Noise vs. Channel: Each channel of the AP is displayed, along with the corresponding non-802.11 noise interfering with the currently assigned channel.
Interference by Channel: Each channel of the AP is displayed, with the corresponding traffic interference from other 802.11 sources.
Load Statistics: Total receive (Rx) and transmit (Tx) bandwidth and channel utilization are displayed for transmitting and receiving traffic on this Cisco radio. The number of attached clients is also displayed.
% Client Count vs. RSSI: Sorts attached clients by their Received Signal Strength Indicators (RSSIs).
% Client Count vs. SNR: Sorts attached clients by their signal-to-noise ratio (SNR).
Rx Neighbors Information: This area displays the APs that are neighbors to the Cisco radio, and their IP addresses and RSSI values. These details are used for channel allotment and RF coverage area shaping.

Configure
Clicking Configure opens a new page from which the selected radio of this particular AP can be configured. This page can also be accessed by choosing Wireless > All APs > 802.11b/g/n radios, or 802.11a/n radios.
You can edit a specific AP configuration by selecting it.

AP Configuration Parameters
Admin Status: Can be set to Disable to manually disable this radio on this AP.
Antenna: The administrator can inform the controller about the specific antenna that is used on this radio. This information is useful for the controller to determine the specific radio pattern of this antenna, and take it into consideration in the auto-RF calculation and location tracking. This information should be set if the radio uses an external antenna.
11n Supported: Indicates whether 11n is supported.
CleanAir: Indicates whether the AP is Cisco CleanAir-capable.
CleanAir Admin Status: Administration status of the spectrum sensor for the AP, which you can enable or disable. Set this field to Enable or Disable from the drop-down list.
RF Channel Assignment: "Global" means that the controller determines the channel. It is possible to define the channel statically by clicking Custom, in which case the list of available channels (as allowed by the controller country configuration) is displayed.
Tx Power Level Assignment: As for Channel Assignment, "Global" means that the controller determines the value, based on the RF environment constraints. A level of "1" represents the highest power level available in the country for which this AP is configured. A level of "2" is 50% of this maximum, a level of "3" is 25% of this maximum, a level of "4" is 12.5%, and so on. Each level is half the power strength of the previous level. It is possible to define this value statically by clicking Custom. The list of available power levels on this AP is displayed, and the power level can be manually defined.
Performance Profile: The Performance Profile button links to another page where advanced parameters about the AP RF values, along with thresholds, can be defined.
Monitoring and Managing Rogues
This topic describes the Monitor Rogue section of the controller web interface Monitor page and its related links.

To understand the source of possible network interference, you must understand rogues. Rogues are any wireless devices that are not allowed on the network. As such, a rogue may be occupying one of the usable frequencies, and may raise the interference level beyond the threshold. Because they can also be a security risk, rogues must be identified and located. Rogues are seen from the second column of the controller Monitor page, and are classified as follows:
■ Rogue APs: Any AP unknown to the controller. It may be an AP belonging to a neighboring network (in which case it should be identified as such), or an AP connected to the local network, in which case it must be located and removed. Analyzing rogue AP alerts is an important part of wireless network security.
■ Active Rogue Clients: A wireless device becomes a rogue when it sends unexpected frames. This information can reveal an attack in progress, or a false positive.⁴ Clicking Details shows information about the rogue clients to help the administrator determine the level of the threat.

⁴ For example, some wireless card drivers automatically send flows of probe requests on a given channel with many different SSIDs. This is a false positive, but could also be a reconnaissance attack. It is labeled as rogue client behavior by default.

■ Ad hoc Rogues: Clients creating a peer-to-peer wireless network are considered rogues. They use one of the available channels for a very limited number of stations, and therefore generate interference for the valid APs. They use the wireless space in an uncontrolled manner and may bypass the quality of service (QoS) or security policies that are defined on the controller.
They may be a link for an attacker to the wired network.⁵ For all these reasons, ad hoc clients are labeled as rogues by default.
■ Rogues on Wired Network: These are rogues that are detected by a rogue detector AP. This AP detects Address Resolution Protocol (ARP) requests on the wired network that are sent by stations or APs labeled as rogues.

⁵ Ad hoc network security is limited to Open and Wired Equivalent Privacy (WEP), which are weak security policies. In certain conditions, a station connected to the wired network and to an ad hoc network may be used as a bridge to the wired side by an attacker associating to the ad hoc network on the wireless side.

Monitor > Rogue AP > Detail
From the Rogue section on the controller Monitor page, click Detail to obtain more information on any rogue type. For example, click Detail for the Rogue AP alarm. A new page is displayed, and shows the list of all detected rogue APs. The radio MAC address is also displayed, along with the rogue SSID, if it is broadcast or detected. The next two columns provide information on how many radios detected the rogue, and how many clients are associated to this rogue. The more radios that detect the rogue, the closer it is to the network. If only one or two radios detect it, it may be a neighbor. If, for example, six APs detect the rogue, there is a far greater chance that the rogue is surrounded by valid APs and therefore inside the building. If clients are associated to this rogue, its threat is more important than if it is idle. The Status column refers to how the administrator has decided to manage the rogue, and the Wired column specifies whether this AP has been detected by the Wireless LAN Controller (WLC) on the wired network.

Rogue AP > Detail > Edit
Click a rogue MAC address to display detailed information.
This information includes when the rogue was first detected. At the bottom of the page, the APs that detected the rogue are shown. This information can be used to roughly locate the rogue. If the APs detecting the rogue are all in the same area and at the edge of the building, the rogue may be a neighbor. If the APs. detecting the rogue are in different areas or not at the edge of the building, the rogue may be inside the controlled area. Class Type Parameters ‘The options for setting the class type are as follows Class Type Parameters meter Description Friendly ’An unknown AP that matches the user-defined friendly rules (Security > Wireless Protection > Polices) or an existing known and ‘acknowledged rogue AP. Friendly APs cannot be contained, Malicious ‘An unknown AP that matches the user-defined malicious rules (Security > Wireless Protection > Polices) or is moved manually by the user from the Friendly or Unclassified classification type. Unclassified ’An unknown AP that does not match the user-defined friendly or malicious rules. An unciassified AP can be contained. It can also be moved to the Friendly or Malicious classification type automatically in accordance with user-defined rules, or manually by the user. This Parameter is the default mode. Note ‘Once an AP is classified as Malicious, you cannot apply rules to it in the future, and it cannot 'be moved to another classification type. If you want to move a malicious AP to the Unclassified classification type, you must delete the AP and allow the controller to reclassify at ©2011 Cisco Systoms, Ine Bacio Cleco WLAN Installation 2161 Radio Status ‘The radio status can be set to one of the following values: Radio Status Parameters Parameter Description Internal ‘The controller trusts this rogue AP. This option is available f the Class Type is set to Friendly Extornal The controller acknowledges the presence of this rogue AP. 
This 2 | option is available ifthe Class Type is set to Friendly, ‘The controller forwards an immediate alert to the system ‘administrator for further action. This option is available if the Class Type is set fo Malicious or Unclassified Contain The controller contains the offending device so that its signals no longer interfere with authorized clients. This option is available ifthe Class Type is set to Malicious or Unclassified. The maximum ‘number of APs that are used to contain this rogue (1,2, 3, oF 4). Note Do not attempt to cor ntain rogue APS that are operated by other establishments, such as the cafe hotspot across the street 262 Implementing Cisco Unified Wireless Networking Essentials (UWNE) v2.0 (© 2011 Cisco Systems, nc
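The following Python script is an added example, not part of the course material or of the Cisco WLC software. It models the rogue AP triage described in this topic: the Friendly/Malicious/Unclassified class types and their sticky Malicious rule, the radio status values each class allows, and the location heuristic from the detail page (few detecting radios at the building edge suggests a neighbor; many radios, or radios in interior areas, suggests the rogue is inside). The rule predicates, the edge-AP list, the scoring weights and the sample rogue list are all constructed for this example; real friendly and malicious rules are configured on the controller, not in a script like this.

```python
"""Rogue AP triage helper (example code; not part of IUWNE or the Cisco WLC).
Field names, rule format, weights and sample data are assumptions of this example."""
from dataclasses import dataclass


@dataclass
class RogueAP:
    mac: str                 # radio MAC address shown on the detail page
    ssid: str                # advertised SSID, "" if hidden or not detected
    detecting_aps: list      # names of the managed APs whose radios saw the rogue
    clients: int             # number of clients associated to the rogue
    on_wired: bool = False   # seen by a rogue detector AP on the wired network
    class_type: str = "Unclassified"   # default class type per the table above


# Constructed rules standing in for the user-defined friendly/malicious rules
# (on the WLC these live under Security > Wireless Protection > Policies).
FRIENDLY_RULES = [lambda r: r.ssid.startswith("Neighbour-")]   # known neighbor SSID
MALICIOUS_RULES = [lambda r: r.on_wired,                        # rogue on wired network
                   lambda r: r.ssid == "CorpWiFi"]              # SSID impersonating ours

# Managed APs installed along the building perimeter (constructed names).
EDGE_APS = {"AP-N1", "AP-S1", "AP-E1"}


def classify(rogue: RogueAP) -> str:
    """Friendly rules first, then malicious rules, otherwise Unclassified.
    A rogue already marked Malicious stays Malicious: per the note above,
    rules no longer apply to it and it cannot be moved to another class."""
    if rogue.class_type == "Malicious":
        return "Malicious"
    if any(rule(rogue) for rule in FRIENDLY_RULES):
        return "Friendly"
    if any(rule(rogue) for rule in MALICIOUS_RULES):
        return "Malicious"
    return "Unclassified"


def allowed_statuses(class_type: str) -> set:
    """Radio status values that are valid for a class type (Radio Status table)."""
    if class_type == "Friendly":
        return {"Internal", "External"}
    return {"Alert", "Contain"}


def can_contain(class_type: str) -> bool:
    """Friendly APs cannot be contained; Malicious and Unclassified can."""
    return class_type != "Friendly"


def likely_location(rogue: RogueAP) -> str:
    """Location heuristic from the detail page: one or two radios, all at the
    building edge, suggests a neighbor; six or more radios, or radios away
    from the edge, suggests the rogue is inside the controlled area."""
    seen_by = set(rogue.detecting_aps)
    if len(seen_by) <= 2 and seen_by <= EDGE_APS:
        return "probably neighbour"
    if len(seen_by) >= 6 or not seen_by <= EDGE_APS:
        return "probably inside building"
    return "undetermined"


def threat_score(rogue: RogueAP) -> int:
    """Ordering key for the rogue list: wired presence and associated clients
    weigh most, then how many radios see it (closeness). Weights are this
    example's choice, not a controller setting."""
    score = len(rogue.detecting_aps)
    score += 5 * rogue.clients
    if rogue.on_wired:
        score += 20
    if classify(rogue) == "Malicious":
        score += 10
    return score


def triage(rogues):
    """Return (mac, class type, likely location, score) rows, highest score first."""
    rows = [(r.mac, classify(r), likely_location(r), threat_score(r)) for r in rogues]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample rogue list, as it might appear under Monitor > Rogue AP.
SAMPLE_ROGUES = [
    RogueAP("00:11:22:aa:bb:01", "Neighbour-Cafe", ["AP-N1"], 3),
    RogueAP("00:11:22:aa:bb:02", "CorpWiFi",
            ["AP-N1", "AP-S1", "AP-C3", "AP-C4", "AP-C5", "AP-C6"], 2),
    RogueAP("00:11:22:aa:bb:03", "", ["AP-C2", "AP-C3"], 0, on_wired=True),
    RogueAP("00:11:22:aa:bb:04", "guest-hotspot", ["AP-E1", "AP-S1"], 0),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ROGUES):
        print("%-18s %-12s %-26s score=%d" % row)
```

Running the script lists the wired-side rogue first, then the AP impersonating the corporate SSID that six radios see, then the known neighbor and the unclassified hotspot seen only from the edge. The Friendly rogue still gets a non-zero score because clients are associated to it; the class type decides what the controller may do (it cannot be contained), while the score only orders the administrator's attention.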