Cisco Wireless LAN Controller Configuration Guide, Release 3.2
Chapter 3 - Configuring Ports and Interfaces

Configuring Ports and Interfaces

Table Of Contents

Configuring Ports and Interfaces

Overview of Ports and Interfaces

Ports

Distribution System Ports

Service Port

Interfaces

Management Interface

AP-Manager Interface

Virtual Interface

Service-Port Interface

Dynamic Interface

WLANs

Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces

Using the GUI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces

Using the CLI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces

Using the CLI to Configure the Management Interface

Using the CLI to Configure the AP-Manager Interface

Using the CLI to Configure the Virtual Interface

Using the CLI to Configure the Service-Port Interface

Configuring Dynamic Interfaces

Using the GUI to Configure Dynamic Interfaces

Using the CLI to Configure Dynamic Interfaces

Configuring Ports

Configuring Port Mirroring

Configuring Spanning Tree Protocol

Using the GUI to Configure Spanning Tree Protocol

Using the CLI to Configure Spanning Tree Protocol

Enabling Link Aggregation

Link Aggregation Guidelines

Using the GUI to Enable Link Aggregation

Using the CLI to Enable Link Aggregation

Configuring Neighbor Devices to Support LAG

Configuring a 4400 Series Controller to Support More Than 48 Access Points

Using Link Aggregation

Using Multiple AP-Manager Interfaces

Connecting Additional Ports


Configuring Ports and Interfaces


This chapter describes the controller's physical ports and interfaces and provides instructions for configuring them. It contains these sections:

Overview of Ports and Interfaces

Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces

Configuring Dynamic Interfaces

Configuring Ports

Enabling Link Aggregation

Configuring a 4400 Series Controller to Support More Than 48 Access Points

Overview of Ports and Interfaces

Three concepts are key to understanding how controllers connect to a wireless network: ports, interfaces, and WLANs.

Ports

A port is a physical entity that is used for connections on the controller platform. Controllers have two types of ports: distribution system ports and a service port. The following figures show the ports available on each controller.


Note The controller in a Cisco Integrated Services Router and the controllers on the Cisco WiSM do not have external physical ports. They connect to the network through ports on the router or switch, respectively.


Figure 3-1 Ports on the Cisco 2000 Series Wireless LAN Controllers

Figure 3-2 Ports on the Cisco 4100 Series Wireless LAN Controllers

Figure 3-3 Ports on the Cisco 4400 Series Wireless LAN Controllers


Note Figure 3-3 shows a Cisco 4404 controller. The Cisco 4402 controller is similar but has only two distribution system ports.


Table 3-1 provides a list of ports per controller.

Table 3-1 Controller Ports

Controller                                     Service Ports        Distribution System Ethernet Ports   Serial Console Port
2000 series                                    None                 4                                    1
4100 series                                    1                    2                                    1
4402                                           1                    2                                    1
4404                                           1                    4                                    1
Cisco WiSM                                     2 (ports 9 and 10)   8 (ports 1-8)                        2
Controller Network Module within the Cisco     None                 1                                    1
28/37/38xx Series Integrated Services Routers


Distribution System Ports

A distribution system port connects the controller to a neighbor switch and serves as the data path between these two devices.

Cisco 2000 series controllers have four 10/100 copper Ethernet distribution system ports through which the controller can support up to six access points.

Cisco 4100 series controllers have two fiber gigabit Ethernet distribution system ports through which the controller can support up to 36 access points.

Cisco 4402 controllers have two gigabit Ethernet distribution system ports, each of which is capable of managing up to 48 access points. However, Cisco recommends no more than 25 access points per port due to bandwidth constraints. The 4402-25 and 4402-50 models allow a total of 25 or 50 access points to join the controller.

Cisco 4404 controllers have four gigabit Ethernet distribution system ports, each of which is capable of managing up to 48 access points. However, Cisco recommends no more than 25 access points per port due to bandwidth constraints. The 4404-25, 4404-50, and 4404-100 models allow a total of 25, 50, or 100 access points to join the controller.


Note The gigabit Ethernet ports on the 4402 and 4404 controllers accept these SX/LC/T small form-factor plug-in (SFP) modules:
- 1000BASE-SX SFP modules, which provide a 1000-Mbps wired connection to a network through an 850nM (SX) fiber-optic link using an LC physical connector
- 1000BASE-LX SFP modules, which provide a 1000-Mbps wired connection to a network through a 1300nM (LX/LH) fiber-optic link using an LC physical connector
- 1000BASE-T SFP modules, which provide a 1000-Mbps wired connection to a network through a copper link using an RJ-45 physical connector


The Cisco WiSM has eight gigabit Ethernet distribution system ports, which are located on the Catalyst 6500 switch backplane. Through these ports, the controller can support up to 300 access points.

The Controller Network Module within the Cisco 28/37/38xx Series Integrated Services Routers has one Fast Ethernet distribution system port, which is located on the router backplane. Through this port, the controller can support up to six access points.


Note Refer to the "Configuring a 4400 Series Controller to Support More Than 48 Access Points" section if you want to configure your Cisco 4400 series controller to support more than 48 access points.


Each distribution system port is, by default, an 802.1Q VLAN trunk port. The VLAN trunking characteristics of the port are not configurable.


Note Some controllers support link aggregation (LAG), which bundles all of the controller's distribution system ports into a single 802.3ad port channel. Cisco 4400 series controllers support LAG in software release 3.2 and higher, and LAG is enabled automatically on the Cisco WiSM controllers. Refer to the "Enabling Link Aggregation" section for more information.


Service Port

Cisco 4100 and 4400 series controllers also have a 10/100 copper Ethernet service port. The service port is controlled by the service-port interface and is reserved for out-of-band management of the controller and system recovery and maintenance in the event of a network failure. It is also the only port that is active when the controller is in boot mode. The service port is not capable of carrying 802.1Q tags, so it must be connected to an access port on the neighbor switch. Use of the service port is optional.


Note The Cisco WiSM's 4404 controllers use the service port for internal protocol communication between the controllers and the Supervisor 720.



Note The Cisco 2000 series controller and the controller in the Cisco Integrated Services Router do not have a service port.



Note The service port is not auto-sensing. You must use the correct straight-through or crossover Ethernet cable to communicate with the service port.


Interfaces

An interface is a logical entity on the controller. An interface has multiple parameters associated with it, including an IP address, default-gateway (for the IP subnet), primary physical port, secondary physical port, VLAN identifier, and DHCP server.

These five types of interfaces are available on the controller. Four of these are static and are configured at setup time:

Management interface (Static and configured at setup time; mandatory)

AP-manager interface (When using Layer 3 LWAPP, static and configured at setup time; mandatory)

Virtual interface (Static and configured at setup time; mandatory)

Service-port interface (Static and configured at setup time; optional)

Dynamic interface (User-defined)

Each interface is mapped to at least one primary port, and some interfaces (management and dynamic) can be mapped to an optional secondary (or backup) port. If the primary port for an interface fails, the interface automatically moves to the backup port. In addition, multiple interfaces can be mapped to a single controller port.


Note Refer to the "Enabling Link Aggregation" section if you want to configure the controller to dynamically map the interfaces to a single port channel rather than having to configure primary and secondary ports for each interface.


Management Interface

The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. The management interface has the only consistently "pingable" in-band interface IP address on the controller. You can access the controller's GUI by entering the controller's management interface IP address in Internet Explorer's Address field.

The management interface is also used for Layer 2 communications between the controller and Cisco 1000 series lightweight access points. It must be assigned to distribution system port 1 but can also be mapped to a backup port and can be assigned to WLANs if desired. It may be on the same VLAN or IP subnet as the AP-manager interface. However, the management interface can also communicate through the other distribution system ports as follows:

Sends messages through the Layer 2 network to autodiscover and communicate with other controllers through all distribution system ports.

Listens across the Layer 2 network for Cisco 1000 series lightweight access point LWAPP polling messages to autodiscover, associate to, and communicate with as many Cisco 1000 series lightweight access points as possible.

When LWAPP communications are set to Layer 2 (same subnet) mode, the controller requires one management interface to control all inter-controller and all controller-to-access point communications, regardless of the number of ports. When LWAPP communications are set to Layer 3 (different subnet) mode, the controller requires one management interface to control all inter-controller communications and one AP-manager interface to control all controller-to-access point communications, regardless of the number of ports.


Note If the service port is in use, the management interface must be on a different subnet from the service-port interface.


AP-Manager Interface

A controller has one or more AP-manager interfaces, which are used for all Layer 3 communications between the controller and lightweight access points after the access points have joined the controller. The AP-manager IP address is used as the tunnel source for LWAPP packets from the controller to the access point and as the destination for LWAPP packets from the access point to the controller.

The static (or permanent) AP-manager interface must be assigned to distribution system port 1 and must have a unique IP address. It cannot be mapped to a backup port. It is usually configured on the same VLAN or IP subnet as the management interface, but this is not a requirement. The AP-manager interface can communicate through any distribution system port as follows:

Sends Layer 3 messages through the network to autodiscover and communicate with other controllers.

Listens across the network for Layer 3 lightweight access point LWAPP polling messages to autodiscover, associate to, and communicate with as many lightweight access points as possible.


Note Refer to the "Using Multiple AP-Manager Interfaces" section for information on creating and using multiple AP-manager interfaces.



Note When LAG is disabled, you must assign an AP-manager interface to each port on the controller.


Virtual Interface

The virtual interface is used to support mobility management, Dynamic Host Configuration Protocol (DHCP) relay, and embedded Layer 3 security such as guest web authentication and VPN termination. It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3 web authentication is enabled.

Specifically, the virtual interface plays these three primary roles:

Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server.

Serves as the redirect address for the Web Authentication Login window.


Note See Chapter 5 for additional information on web authentication.


Acts as part of the IPSec configuration when the controller is used to terminate IPSec tunnels between wireless clients and the controller.

The virtual interface IP address is used only in communications between the controller and wireless clients. It never appears as the source or destination address of a packet that goes out a distribution system port and onto the switched network. For the system to operate correctly, the virtual interface IP address must be set (it cannot be 0.0.0.0), and no other device on the network can have the same address as the virtual interface. Therefore, the virtual interface must be configured with an unassigned and unused gateway IP address, such as 1.1.1.1. Because wireless clients are directed to this address for web authentication and DHCP, choose an address that is not routable in your network and that no host you need to reach uses; 1.1.1.1 has since been allocated as a public Internet address, so a non-routable address is the safer choice today. The virtual interface IP address is not pingable and should not exist in any routing table in your network. In addition, the virtual interface cannot be mapped to a backup port.


Note All controllers within a mobility group must be configured with the same virtual interface IP address. Otherwise, inter-controller roaming may appear to work, but the hand-off does not complete, and the client loses connectivity for a period of time.


Service-Port Interface

The service-port interface controls communications through, and is statically mapped by the system to, the service port. It must have an IP address on a different subnet from the management, AP-manager, and any dynamic interfaces, and it cannot be mapped to a backup port. This separation enables you to manage the controller directly or through a dedicated out-of-band management network, such as 10.1.2.x, which can ensure service access during network downtime.

The service port can obtain an IP address using DHCP, or it can be assigned a static IP address, but a default gateway cannot be assigned to the service-port interface. Static routes can be defined through the controller for remote network access to the service port.


Note Only Cisco 4100 and 4400 series controllers have a service-port interface.



Note You must configure an IP address on the service-port interface of both Cisco WiSM controllers. Otherwise, the neighbor switch is unable to check the status of each controller.


Dynamic Interface

Dynamic interfaces, also known as VLAN interfaces, are created by users and designed to be analogous to VLANs for wireless LAN clients. A controller can support up to 512 dynamic interfaces (VLANs). Each dynamic interface is individually configured and allows separate communication streams to exist on any or all of a controller's distribution system ports. Each dynamic interface controls VLAN and other communications between controllers and all other network devices, and each acts as a DHCP relay for wireless clients associated to WLANs mapped to the interface. You can assign dynamic interfaces to distribution system ports, WLANs, the Layer 2 management interface, and the Layer 3 AP-manager interface, and you can map the dynamic interface to a backup port.

You can configure zero, one, or multiple dynamic interfaces on a distribution system port. However, all dynamic interfaces must be on a different VLAN or IP subnet from all other interfaces configured on the port. If the port is untagged, all dynamic interfaces must be on a different IP subnet from any other interface configured on the port.


Note Tagged VLANs must be used for dynamic interfaces.



Note Cisco recommends that wired devices (DHCP servers, RADIUS servers, file servers, desktops, etc) be configured on separate VLANs and subnets from wireless devices.


WLANs

A WLAN associates a service set identifier (SSID) to an interface. It is configured with security, quality of service (QoS), radio policies, and other wireless network parameters. Up to 16 access point WLANs can be configured per controller.


Note Chapter 6 provides instructions for configuring WLANs.


Figure 3-4 illustrates the relationship between ports, interfaces, and WLANs.

Figure 3-4 Ports, Interfaces, and WLANs

As shown in Figure 3-4, each controller port connection is an 802.1Q trunk and should be configured as such on the neighbor switch. On Cisco switches, the native VLAN of an 802.1Q trunk is an untagged VLAN. Therefore, if you configure an interface to use the native VLAN on a neighboring Cisco switch, make sure you configure the interface on the controller to be untagged.


Note A zero value for the VLAN identifier (on the Controller > Interfaces page) means that the interface is untagged.


The default (untagged) native VLAN on Cisco switches is VLAN 1. When controller interfaces are configured as tagged (meaning that the VLAN identifier is set to a non-zero value), the VLAN must be allowed on the 802.1Q trunk configuration on the neighbor switch and not be the native untagged VLAN.

Cisco recommends that only tagged VLANs be used on the controller. You should also allow only relevant VLANs on the neighbor switch's 802.1Q trunk connections to controller ports. All other VLANs should be disallowed or pruned in the switch port trunk configuration. This practice is extremely important for optimal performance of the controller, and it also limits the VLANs reachable through the controller ports to the ones the controller actually needs.


Note Cisco recommends that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers properly route VLAN traffic.
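The interface rules in this section (management and static AP-manager on port 1, no backup port for the AP-manager, the service-port subnet kept apart from in-band subnets, a set virtual address that is identical across the mobility group, tagged dynamic interfaces, and distinct VLAN/subnet for interfaces sharing a port) together with the trunk-pruning advice above are easy to get wrong by hand. The following Python script is an added example written for this page, not code from Cisco or from the controller: it lints a planned interface layout against those rules and lists, per distribution system port, the tagged VLANs the neighbor switch trunk should allow. The Iface and Controller classes, the helper names and the sample controllers wlc-a and wlc-b with their addresses are constructed for illustration.

```python
"""Lint a controller interface plan against this chapter's rules and derive the tagged VLANs
each neighbor-switch trunk must allow. Added example, not Cisco code; all names are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from itertools import combinations
from typing import Dict, List, Optional, Set


@dataclass
class Iface:
    name: str
    kind: str                   # "management", "ap-manager", "service-port" or "dynamic"
    addr: str                   # "ip/prefixlen", e.g. "10.10.10.2/24"
    vlan: int = 0               # 0 = untagged (rides the neighbor switch's native VLAN)
    port: Optional[int] = None  # primary distribution system port; None for the service port
    backup_port: Optional[int] = None


@dataclass
class Controller:
    name: str
    mobility_group: str
    virtual_ip: str
    ifaces: List[Iface] = field(default_factory=list)


def _ports(i: Iface) -> Set[int]:
    return {p for p in (i.port, i.backup_port) if p is not None}


def lint(controllers: List[Controller]) -> List[str]:
    """Return one message per rule violation; an empty list means the plan is consistent."""
    errors: List[str] = []
    virtual_by_group: Dict[str, Set[IPv4Address]] = {}
    for c in controllers:
        net = {i.name: IPv4Interface(i.addr) for i in c.ifaces}
        static = {i.kind: i for i in c.ifaces if i.kind != "dynamic"}
        mgmt, apm, svc = (static.get(k) for k in ("management", "ap-manager", "service-port"))
        # Management and the static AP-manager sit on DS port 1; the AP-manager needs its own address.
        for i in (mgmt, apm):
            if i is not None and i.port != 1:
                errors.append(f"{c.name}: {i.name} must be on distribution system port 1")
        if apm is not None and apm.backup_port is not None:
            errors.append(f"{c.name}: ap-manager cannot be mapped to a backup port")
        if apm is not None and mgmt is not None and net[apm.name].ip == net[mgmt.name].ip:
            errors.append(f"{c.name}: ap-manager must not reuse the management IP address")
        # The service port is out-of-band: its subnet must not overlap any in-band interface.
        if svc is not None:
            overlap = [i.name for i in c.ifaces if i is not svc
                       and net[i.name].network.overlaps(net[svc.name].network)]
            if overlap:
                errors.append(f"{c.name}: service-port subnet overlaps {', '.join(overlap)}")
        # Virtual address: set, outside every real subnet, identical across the mobility group.
        vip = IPv4Address(c.virtual_ip)
        if vip == IPv4Address("0.0.0.0"):
            errors.append(f"{c.name}: virtual interface address must be set")
        inside = [i.name for i in c.ifaces if vip in net[i.name].network]
        if inside:
            errors.append(f"{c.name}: virtual address {vip} lies inside the {', '.join(inside)} subnet")
        virtual_by_group.setdefault(c.mobility_group, set()).add(vip)
        # Dynamic interfaces must be tagged; anything sharing a port with a dynamic interface must
        # differ from it by VLAN or subnet (by subnet whenever one of the two is untagged).
        for i in c.ifaces:
            if i.kind == "dynamic" and i.vlan == 0:
                errors.append(f"{c.name}: dynamic interface {i.name} must use a tagged VLAN")
        for i, j in combinations(c.ifaces, 2):
            if "dynamic" not in (i.kind, j.kind) or not (_ports(i) & _ports(j)):
                continue
            if net[i.name].network == net[j.name].network and (i.vlan == j.vlan or 0 in (i.vlan, j.vlan)):
                errors.append(f"{c.name}: {i.name} and {j.name} collide on a shared port")
    for group, vips in virtual_by_group.items():
        if len(vips) > 1:
            errors.append(f"mobility group {group}: controllers disagree on the virtual address")
    return errors


def trunk_plan(c: Controller) -> Dict[int, List[int]]:
    """Per DS port, the tagged VLANs the trunk must allow; untagged (0) rides the native VLAN."""
    plan: Dict[int, Set[int]] = {}
    for i in c.ifaces:
        for p in _ports(i):
            plan.setdefault(p, set()).update({i.vlan} - {0})
    return {p: sorted(v) for p, v in sorted(plan.items())}


# Constructed sample: a two-port controller that follows the chapter's recommendations.
GOOD = Controller("wlc-a", "campus", "1.1.1.1", [
    Iface("management", "management", "10.10.10.2/24", vlan=10, port=1, backup_port=2),
    Iface("ap-manager", "ap-manager", "10.10.10.3/24", vlan=10, port=1),
    Iface("service-port", "service-port", "10.1.2.5/24"),
    Iface("employees", "dynamic", "10.20.0.2/24", vlan=20, port=1, backup_port=2),
    Iface("guest", "dynamic", "10.30.0.2/24", vlan=30, port=2),
])
# Constructed sample that breaks several of the rules at once.
BAD = Controller("wlc-b", "campus", "10.10.10.1", [
    Iface("management", "management", "10.10.10.4/24", vlan=10, port=1),
    Iface("ap-manager", "ap-manager", "10.10.10.4/24", vlan=10, port=1, backup_port=2),
    Iface("service-port", "service-port", "10.10.10.9/24"),
    Iface("legacy", "dynamic", "10.10.10.6/24", vlan=0, port=1),
])
```

Run lint() on the planned layout before typing the CLI commands in the following sections; an empty list means the plan is consistent with this chapter. trunk_plan() gives, for each controller port, the list to put in the neighbor switch's allowed-VLAN trunk configuration, with every other VLAN pruned, and a port that carries an untagged interface additionally needs the matching native VLAN on the switch side.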


Follow the instructions in the sections listed below to configure your controller's interfaces and ports:

Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces

Configuring Dynamic Interfaces

Configuring Ports

Enabling Link Aggregation

Configuring a 4400 Series Controller to Support More Than 48 Access Points

Configuring the Management, AP-Manager, Virtual, and Service-Port Interfaces

Typically, you define the management, AP-manager, virtual, and service-port interface parameters using the Startup Wizard. However, you can display and configure interface parameters through either the GUI or CLI after the controller is running.

Using the GUI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces

Follow these steps to display and configure the management, AP-manager, virtual, and service-port interface parameters using the GUI.


Step 1 Click Controller > Interfaces to access the Interfaces page (see Figure 3-5).

Figure 3-5 Interfaces Page

This page shows the current controller interface settings.

Step 2 If you want to modify the settings of a particular interface, click the interface's Edit link. The Interfaces > Edit page for that interface appears.

Step 3 Configure the following parameters for each interface type:

Management Interface


Note The management interface uses the controller's factory-set distribution system MAC address.


VLAN identifier


Note Enter 0 for an untagged VLAN or a non-zero value for a tagged VLAN. Cisco recommends that only tagged VLANs be used on the controller.


Fixed IP address, IP netmask, and default gateway

Physical port assignment

Primary and secondary DHCP servers

Access control list (ACL) setting, if required


Note To create ACLs, follow the instructions in Chapter 5.


AP-Manager Interface

VLAN identifier


Note Enter 0 for an untagged VLAN or a non-zero value for a tagged VLAN. Cisco recommends that only tagged VLANs be used on the controller.


Fixed IP address, IP netmask, and default gateway


Note The AP-manager interface's IP address must be different from the management interface's IP address. It is usually on the same subnet as the management interface, which Cisco recommends, but as described in the "AP-Manager Interface" section this is not a requirement.


Physical port assignment

Primary and secondary DHCP servers

Access control list (ACL) name, if required


Note To create ACLs, follow the instructions in Chapter 5.


Virtual Interface

Any fictitious, unassigned, and unused gateway IP address, such as 1.1.1.1

DNS gateway host name

Service-Port Interface


Note The service-port interface uses the controller's factory-set service-port MAC address.


DHCP protocol (enabled) or

DHCP protocol (disabled) and IP address and IP netmask

Step 4 Click Save Configuration to save your changes.

Step 5 If you made any changes to the virtual interface, reboot the controller so your changes take effect.


Using the CLI to Configure the Management, AP-Manager, Virtual, and Service-Port Interfaces

This section provides instructions for displaying and configuring the management, AP-manager, virtual, and service-port interfaces using the CLI.

Using the CLI to Configure the Management Interface

Follow these steps to display and configure the management interface parameters using the CLI.


Step 1 Enter show interface detailed management to view the current management interface settings.


Note The management interface uses the controller's factory-set distribution system MAC address.


Step 2 Enter config wlan disable wlan-number to disable each WLAN that uses the management interface for distribution system communication.

Step 3 Enter these commands to define the management interface:

config interface address management ip-addr ip-netmask gateway

config interface vlan management {vlan-id | 0}


Note Enter 0 for an untagged VLAN or a non-zero value for a tagged VLAN. Cisco recommends that only tagged VLANs be used on the controller.


config interface port management physical-ds-port-number

config interface dhcp management ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]

config interface acl management access-control-list-name


Note To create ACLs, follow the instructions in Chapter 5.


Step 4 Enter show interface detailed management to verify that your changes have been saved.


Using the CLI to Configure the AP-Manager Interface

Follow these steps to display and configure the AP-manager interface parameters using the CLI.


Step 1 Enter show interface summary to view the current interfaces.


Note If the system is operating in Layer 2 mode, the AP-manager interface is not listed.


Step 2 Enter show interface detailed ap-manager to view the current AP-manager interface settings.

Step 3 Enter config wlan disable wlan-number to disable each WLAN that uses the AP-manager interface for distribution system communication.

Step 4 Enter these commands to define the AP-manager interface:

config interface address ap-manager ip-addr ip-netmask gateway

config interface vlan ap-manager {vlan-id | 0}


Note Enter 0 for an untagged VLAN or a non-zero value for a tagged VLAN. Cisco recommends that only tagged VLANs be used on the controller.


config interface port ap-manager physical-ds-port-number

config interface dhcp ap-manager ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]

config interface acl ap-manager access-control-list-name


Note To create ACLs, follow the instructions in Chapter 5.


Step 5 Enter show interface detailed ap-manager to verify that your changes have been saved.


Using the CLI to Configure the Virtual Interface

Follow these steps to display and configure the virtual interface parameters using the CLI.


Step 1 Enter show interface detailed virtual to view the current virtual interface settings.

Step 2 Enter config wlan disable wlan-number to disable each WLAN that uses the virtual interface for distribution system communication.

Step 3 Enter these commands to define the virtual interface:

config interface address virtual ip-address


Note For ip-address, enter any fictitious, unassigned, and unused gateway IP address, such as 1.1.1.1.


config interface hostname virtual dns-host-name

Step 4 Enter reset system. At the confirmation prompt, enter Y to save your configuration changes to NVRAM. The controller reboots.

Step 5 Enter show interface detailed virtual to verify that your changes have been saved.


Using the CLI to Configure the Service-Port Interface

Follow these steps to display and configure the service-port interface parameters using the CLI.


Step 1 Enter show interface detailed service-port to view the current service-port interface settings.


Note The service-port interface uses the controller's factory-set service-port MAC address.


Step 2 Enter these commands to define the service-port interface:

To configure the DHCP server: config interface dhcp service-port ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]

To disable the DHCP server: config interface dhcp service-port none

To configure a static IP address: config interface address service-port ip-addr ip-netmask


Note A default gateway cannot be assigned to the service-port interface. To reach the service port from a remote subnet, add a static route as described in Step 3.


Step 3 The service port is used for out-of-band management of the controller. If the management workstation is in a remote subnet, you may need to add a route on the controller in order to manage the controller from that remote workstation. To do so, enter this command:

config route network-ip-addr ip-netmask gateway

Step 4 Enter show interface detailed service-port to verify that your changes have been saved.


Configuring Dynamic Interfaces

This section provides instructions for configuring dynamic interfaces using either the GUI or CLI.

Using the GUI to Configure Dynamic Interfaces

Follow these steps to create new or edit existing dynamic interfaces using the GUI.


Step 1 Click Controller > Interfaces to access the Interfaces page (see Figure 3-5).

Step 2 Perform one of the following:

To create a new dynamic interface, click New. The Interfaces > New page appears (see Figure 3-6). Go to Step 3.

To modify the settings of an existing dynamic interface, click the interface's Edit link. The Interfaces > Edit page for that interface appears (see Figure 3-7). Go to Step 5.

To delete an existing dynamic interface, click the interface's Remove link.

Figure 3-6 Interfaces > New Page

Step 3 Enter an interface name and a VLAN identifier, as shown in Figure 3-6.


Note Enter a non-zero value for the VLAN identifier. Tagged VLANs must be used for dynamic interfaces.


Step 4 Click Apply to commit your changes. The Interfaces > Edit page appears (see Figure 3-7).

Figure 3-7 Interfaces > Edit Page

Step 5 Configure the following parameters:

VLAN identifier

Fixed IP address, IP netmask, and default gateway

Physical port assignment

Primary and secondary DHCP servers

Access control list (ACL) name, if required


Note To create ACLs, follow the instructions in Chapter 5.



Note To ensure proper operation, you must set the Port Number and Primary DHCP Server parameters.


Step 6 Click Save Configuration to save your changes.

Step 7 Repeat this procedure for each dynamic interface that you want to create or edit.


Using the CLI to Configure Dynamic Interfaces

Follow these steps to configure dynamic interfaces using the CLI.


Step 1 Enter show interface summary to view the current dynamic interfaces.

Step 2 To view the details of a specific dynamic interface, enter show interface detailed operator-defined-interface-name.

Step 3 Enter config wlan disable wlan-number to disable each WLAN that uses the dynamic interface for distribution system communication.

Step 4 Enter these commands to configure dynamic interfaces:

config interface create operator-defined-interface-name vlan-id


Note Enter a non-zero value for the VLAN identifier. Tagged VLANs must be used for dynamic interfaces.


config interface address operator-defined-interface-name ip-addr ip-netmask [gateway]

config interface vlan operator-defined-interface-name {vlan-id | 0}

config interface port operator-defined-interface-name physical-ds-port-number

config interface dhcp operator-defined-interface-name ip-address-of-primary-dhcp-server [ip-address-of-secondary-dhcp-server]

config interface acl operator-defined-interface-name access-control-list-name


Note To create ACLs, follow the instructions in Chapter 5.


Step 5 Enter show interface detailed operator-defined-interface-name and show interface summary to verify that your changes have been saved.


Note If desired, you can enter config interface delete operator-defined-interface-name to delete a dynamic interface.



Configuring Ports

The controller's ports are preconfigured with factory default settings designed to make the controllers' ports operational without additional configuration. However, you can view the status of the controller's ports and edit their configuration parameters at any time.

Follow these steps to use the GUI to view the status of the controller's ports and make any configuration changes if necessary.


Step 1 Click Controller > Ports to access the Ports page (see Figure 3-8).

Figure 3-8 Ports Page

This page shows the current configuration for each of the controller's ports.

Step 2 If you want to change the settings of any port, click the Edit link for that specific port. The Port > Configure page appears (see Figure 3-9).


Note The number of parameters available on the Port > Configure page depends on your controller type. For instance, Cisco 2000 series controllers and the controller in a Cisco Integrated Services Router have fewer configurable parameters than a Cisco 4400 series controller, which is shown in Figure 3-9.


Figure 3-9 Port > Configure Page

Table 3-2 interprets the current status of the port.

Table 3-2 Port Status

Parameter                  Description
Port Number                The number of the current port.
Physical Status            The data rate being used by the port. The available data rates vary based on controller type:
                               4400 and 4100 series         1000 Mbps full duplex
                               2000 series                  10 or 100 Mbps, half or full duplex
                               WiSM                         1000 Mbps full duplex
                               Integrated Services Routers  100 Mbps full duplex
Link Status                The port's link status. Values: Link Up or Link Down
Power Over Ethernet (PoE)  Determines whether the connected device is equipped to receive power through the Ethernet cable and, if so, provides -48 VDC. Values: Enable or Disable


Note Some older Cisco access points do not draw PoE even if it is enabled on the controller port. In such cases, contact the Cisco Technical Assistance Center (TAC).


Step 3 Table 3-3 lists and describes the port's configurable parameters. Follow the instructions in the table to make any desired changes.

Table 3-3 Port Parameters

Parameter                 Description
Admin Status              Enables or disables the flow of traffic through the port. Options: Enable or Disable. Default: Enable.
                          Note: Administratively disabling the port does not affect the port's link status. The link can be brought down only by other Cisco devices.
Physical Mode             Determines whether the port's data rate is set automatically or specified by the user. Default: Auto. The supported data rates vary based on controller type:
                              4400 and 4100 series         Auto or 1000 Mbps full duplex
                              2000 series                  Auto or 10 or 100 Mbps, half or full duplex
                              WiSM                         Auto or 1000 Mbps full duplex
                              Integrated Services Routers  Auto or 100 Mbps full duplex
Link Trap                 Causes the port to send a trap when the port's link status changes. Options: Enable or Disable. Default: Enable.
Multicast Appliance Mode  Enables or disables the multicast appliance service for this port. Options: Enable or Disable. Default: Enable.

Step 4 Click Save Configuration to save your changes.

Step 5 Click Back to return to the Ports page and review your changes.

Step 6 Repeat this procedure for each additional port that you want to configure.

Step 7 Go to the following sections if you want to configure the controller's ports for these advanced features:

Port mirroring, see below

Spanning Tree Protocol (STP), see the "Configuring Spanning Tree Protocol" section


Configuring Port Mirroring

Mirror mode enables you to duplicate to another port all of the traffic originating from or terminating at a single client device or access point. It is useful in diagnosing specific network problems. Mirror mode should be enabled only on an unused port as any connections to this port become unresponsive.


Note 4100 series and WiSM controllers do not support mirror mode. Also, a controller's service port cannot be used as a mirrored port.



Note Port mirroring is not supported when link aggregation (LAG) is enabled on the controller.



Note Cisco recommends that you do not mirror traffic from one controller port to another as this setup could cause network problems.


Follow these steps to enable port mirroring.


Step 1 Click Controller > Ports to access the Ports page (see Figure 3-8).

Step 2 Click Edit for the unused port for which you want to enable mirror mode. The Port > Configure page appears (see Figure 3-9).

Step 3 Set the Mirror Mode parameter to Enable.

Step 4 Click Save Configuration to save your changes.

Step 5 Perform one of the following:

Follow these steps if you want to choose a specific client device that will mirror its traffic to the port you selected on the controller:

a. Click Wireless > Clients to access the Clients page.
b. Click Detail for the client on which you want to enable mirror mode. The Clients > Detail page appears.
c. Under Client Details, set the Mirror Mode parameter to Enable.

Follow these steps if you want to choose an access point that will mirror its traffic to the port you selected on the controller:

a. Click Wireless > All APs to access the All APs page.
b. Click Detail for the access point on which you want to enable mirror mode. The All APs > Details page appears.
c. Under General, set the Mirror Mode parameter to Enable.

Step 6 Click Save Configuration to save your changes.


Configuring Spanning Tree Protocol

Spanning Tree Protocol (STP) is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two network devices. STP allows only one active path at a time between network devices but establishes redundant links as a backup if the initial link should fail.

The spanning-tree algorithm calculates the best loop-free path throughout a Layer 2 network. Infrastructure devices such as controllers and switches send and receive spanning-tree frames, called bridge protocol data units (BPDUs), at regular intervals. The devices do not forward these frames but use them to construct a loop-free path.

Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages. Infrastructure devices might also learn end-station MAC addresses on multiple Layer 2 interfaces. These conditions result in an unstable network.

STP defines a tree with a root bridge and a loop-free path from the root to all infrastructure devices in the Layer 2 network.


Note STP discussions use the term root to describe two concepts: the controller on the network that serves as a central point in the spanning tree is called the root bridge, and the port on each controller that provides the most efficient path to the root bridge is called the root port. The root bridge in the spanning tree is called the spanning-tree root.


STP forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the standby path.

When two ports on a controller are part of a loop, the spanning-tree port priority and path cost settings determine which port is put in the forwarding state and which is put in the blocking state. The port priority value represents the location of a port in the network topology and how well it is located to pass traffic. The path cost value represents media speed.

The controller maintains a separate spanning-tree instance for each active VLAN configured on it. A bridge ID, consisting of the bridge priority and the controller's MAC address, is associated with each instance. For each VLAN, the controller with the lowest bridge ID becomes the spanning-tree root for that VLAN.

STP is disabled for the controller's distribution system ports by default. The following sections provide instructions for configuring STP for your controller using either the GUI or CLI.
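The election rules described in this section, as an added example that is not part of the Cisco guide: a small Python model that picks the root bridge by lowest bridge ID and the root port by lowest root path cost, applying the 802.1D tie-breakers, with the defaults from Tables 3-5 and 3-7. The bridge IDs, MAC addresses, BPDU contents and the 1000-Mbps auto cost of 4 are constructed assumptions.

```python
"""Root-bridge election and root-port choice from the STP section.
Added example, not from the Cisco guide; all IDs, BPDUs and speeds are
constructed. Tie-breaks follow 802.1D: root = lowest bridge ID; root port =
lowest root path cost, then sender bridge ID, sender port ID, own port ID."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Auto path cost: the Table 3-5 note gives 100 for 10 Mbps and 19 for
# 100 Mbps; 4 for 1000 Mbps is the 802.1D-1998 value (an assumption here).
AUTO_PATH_COST = {10: 100, 100: 19, 1000: 4}


@dataclass(frozen=True)
class BridgeId:
    priority: int  # bridge priority, 0-65535, default 32768 (Table 3-7)
    mac: str       # base MAC address, e.g. "00:0b:85:00:00:01"

    def key(self) -> Tuple[int, int]:
        """Lower (priority, MAC) wins; the MAC is compared as a number."""
        if not 0 <= self.priority <= 65535:
            raise ValueError("bridge priority must be 0-65535")
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Bpdu:
    root: BridgeId         # root bridge the sender believes in
    root_path_cost: int    # sender's own cost to that root
    sender: BridgeId       # designated bridge on the LAN this port hears
    sender_port_id: int    # (port priority << 8) | port number, at the sender


@dataclass(frozen=True)
class Port:
    number: int
    priority: int = 128    # STP Port Priority, 0-255 (Table 3-5)
    speed_mbps: int = 1000
    path_cost: int = 0     # 0 = Auto; 1-65535 = User Configured (Table 3-5)

    def cost(self) -> int:
        if self.path_cost:
            if not 1 <= self.path_cost <= 65535:
                raise ValueError("path cost must be 1-65535")
            return self.path_cost
        return AUTO_PATH_COST[self.speed_mbps]

    def port_id(self) -> int:
        if not 0 <= self.priority <= 255:
            raise ValueError("port priority must be 0-255")
        return (self.priority << 8) | self.number


def elect_root(bridges: List[BridgeId]) -> BridgeId:
    """The bridge with the lowest bridge ID becomes the spanning-tree root."""
    return min(bridges, key=BridgeId.key)


def choose_root_port(local: BridgeId,
                     heard: Dict[Port, Bpdu]) -> Tuple[Optional[Port], int]:
    """Return (root port, root path cost) for `local`; `heard` maps each port
    to the best BPDU received on it (ports hearing none are not candidates).
    If `local` has the lowest bridge ID it is the root and has no root port."""
    root = elect_root([local] + [b.root for b in heard.values()])
    if root == local:
        return None, 0
    ranked = []
    for port, bpdu in heard.items():
        if bpdu.root != root:
            continue  # BPDU from a superseded root; ignore it
        cost = bpdu.root_path_cost + port.cost()
        rank = (cost, bpdu.sender.key(), bpdu.sender_port_id, port.port_id())
        ranked.append((rank, port, cost))
    _, port, cost = min(ranked, key=lambda r: r[0])
    return port, cost


def demo() -> Tuple[Optional[Port], int]:
    # Constructed loop: port 1 faces the root directly; port 2 reaches it
    # through another switch that is itself one gigabit hop (cost 4) away.
    root = BridgeId(4096, "00:0b:85:00:00:01")
    other = BridgeId(32768, "00:0b:85:00:00:02")
    controller = BridgeId(32768, "00:0b:85:00:00:03")
    heard = {Port(1): Bpdu(root, 0, root, 0x8001),
             Port(2): Bpdu(root, 4, other, 0x8002)}
    return choose_root_port(controller, heard)
```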

Using the GUI to Configure Spanning Tree Protocol

Follow these steps to configure STP using the GUI.


Step 1 Click Controller > Ports to access the Ports page (see Figure 3-8).

Step 2 Click Edit for the specific port for which you want to configure STP. The Port > Configure page appears (see Figure 3-9). This page shows the STP status of the port and enables you to configure STP parameters.

Table 3-4 interprets the current STP status of the port.

Table 3-4 Port Spanning Tree Status

Parameter
Description

STP Port ID

The number of the port for which STP is enabled or disabled.

STP State

The port's current STP state. It controls the action that a port takes upon receiving a frame.

Values: Disabled, Blocking, Listening, Learning, Forwarding, and Broken
Disabled: The port is not participating in spanning tree because the port is shut down, the link is down, or STP is not enabled for this port.
Blocking: The port does not participate in frame forwarding.
Listening: The first transitional state after the blocking state when STP determines that the port should participate in frame forwarding.
Learning: The port prepares to participate in frame forwarding.
Forwarding: The port forwards frames.
Broken: The port is malfunctioning.

STP Port Designated Root

The unique identifier of the root bridge in the configuration BPDUs.

STP Port Designated Cost

The path cost of the designated port.

STP Port Designated Bridge

The identifier of the bridge that the port considers to be the designated bridge for this port.

STP Port Designated Port

The port identifier on the designated bridge for this port.

STP Port Forward Transitions Count

The number of times that the port has transitioned from the learning state to the forwarding state.


Step 3 Table 3-5 lists and describes the port's configurable STP parameters. Follow the instructions in the table to make any desired changes.

Table 3-5 Port Spanning Tree Parameters 

Parameter
Description

STP Mode

The STP administrative mode associated with this port.

Options: Off, 802.1D, or Fast
Default: Off
Off: Disables STP for this port.
802.1D: Enables this port to participate in the spanning tree and go through all of the spanning tree states when the link state transitions from down to up.
Fast: Enables this port to participate in the spanning tree and puts it in the forwarding state more quickly than 802.1D mode does when the link state transitions from down to up.

Note In Fast mode, the forwarding delay timer is ignored on link up.

STP Port Priority

The location of the port in the network topology and how well the port is located to pass traffic.

Range: 0 to 255
Default: 128

STP Port Path Cost Mode

Determines whether the STP port path cost is set automatically or specified by the user. If you choose User Configured, you also need to set a value for the STP Port Path Cost parameter.

Options: Auto or User Configured
Default: Auto

STP Port Path Cost

The speed at which traffic is passed through the port. This parameter must be set if the STP Port Path Cost Mode parameter is set to User Configured.

Range: 0 to 65535
Default: 0, which causes the cost to be adjusted for the speed of the port when the link comes up.

Note Typically, a value of 100 is used for 10-Mbps ports and 19 for 100-Mbps ports.


Step 4 Click Save Configuration to save your changes.

Step 5 Click Back to return to the Ports page.

Step 6 Repeat Step 2 through Step 5 for each port for which you want to enable STP.

Step 7 Click Controller > Spanning Tree to access the Controller Spanning Tree Configuration page (see Figure 3-10).

Figure 3-10 Controller Spanning Tree Configuration Page

This page allows you to enable or disable the spanning tree algorithm for the controller, modify its characteristics, and view the STP status. Table 3-6 interprets the current STP status for the controller.

Table 3-6 Controller Spanning Tree Status 

Parameter
Description

Spanning Tree Specification

The STP version being used by the controller. Currently, only an IEEE 802.1D implementation is available.

Base MAC Address

The MAC address used by this bridge when it must be referred to in a unique fashion. When it is concatenated with dot1dStpPriority, a unique bridge identifier is formed that is used in STP.

Topology Change Count

The total number of topology changes detected by this bridge since the management entity was last reset or initialized.

Time Since Topology Changed

The time (in days, hours, minutes, and seconds) since a topology change was detected by the bridge.

Designated Root

The bridge identifier of the spanning tree root. This value is used as the Root Identifier parameter in all configuration BPDUs originated by this node.

Root Port

The number of the port that offers the lowest cost path from this bridge to the root bridge.

Root Cost

The cost of the path to the root as seen from this bridge.

Max Age (seconds)

The maximum age of STP information learned from the network on any port before it is discarded.

Hello Time (seconds)

The amount of time between the transmission of configuration BPDUs by this node on any port when it is the root of the spanning tree or trying to become so. This is the actual value that this bridge is currently using.

Forward Delay (seconds)

This value controls how fast a port changes its spanning tree state when moving toward the forwarding state. It determines how long the port stays in each of the listening and learning states that precede the forwarding state. This value is also used, when a topology change has been detected and is underway, to age all dynamic entries in the forwarding database.

Note This is the actual value that this bridge is currently using, in contrast to Stp Bridge Forward Delay, which is the value that this bridge and all others would start using if this bridge were to become the root.

Hold Time (seconds)

The minimum time period to elapse between the transmission of configuration BPDUs through a given LAN port.

Note At most, one configuration BPDU can be transmitted in any hold time period.


Step 8 Table 3-7 lists and describes the controller's configurable STP parameters. Follow the instructions in the table to make any desired changes.

Table 3-7 Controller Spanning Tree Parameters 

Parameter
Description

Spanning Tree Algorithm

Enables or disables STP for the controller.

Options: Enable or Disable
Default: Disable

Priority

The location of the controller in the network topology and how well the controller is located to pass traffic.

Range: 0 to 65535
Default: 32768

Maximum Age (seconds)

The length of time that the controller stores protocol information received on a port.

Range: 6 to 40 seconds
Default: 20 seconds

Hello Time (seconds)

The length of time that the controller broadcasts hello messages to other controllers.

Range: 1 to 10 seconds
Default: 2 seconds

Forward Delay (seconds)

The length of time that each of the listening and learning states lasts before the port begins forwarding.

Range: 4 to 30 seconds
Default: 15 seconds

Step 9 Click Save Configuration to save your changes.


Using the CLI to Configure Spanning Tree Protocol

Follow these steps to configure STP using the CLI.


Step 1 Enter show spanningtree port and show spanningtree switch to view the current STP status.

Step 2 If STP is enabled, you must disable it before you can change STP settings. Enter config spanningtree switch mode disable to disable STP on all ports.

Step 3 Enter one of these commands to configure the STP port administrative mode:

config spanningtree port mode 802.1d {port-number | all}

config spanningtree port mode fast {port-number | all}

config spanningtree port mode off {port-number | all}

Step 4 Enter one of these commands to configure the STP port path cost on the STP ports:

config spanningtree port pathcost 1-65535 {port-number | all}—Specifies a path cost from 1 to 65535 to the port.

config spanningtree port pathcost auto {port-number | all}—Enables the STP algorithm to automatically assign the path cost. This is the default setting.

Step 5 Enter config spanningtree port priority 0-255 port-number to configure the port priority on STP ports. The default priority is 128.

Step 6 If necessary, enter config spanningtree switch bridgepriority 0-65535 to configure the controller's STP bridge priority. The default bridge priority is 32768.

Step 7 If necessary, enter config spanningtree switch forwarddelay 4-30 to configure the controller's STP forward delay in seconds. The default forward delay is 15 seconds.

Step 8 If necessary, enter config spanningtree switch hellotime 1-10 to configure the controller's STP hello time in seconds. The default hello time is 2 seconds.

Step 9 If necessary, enter config spanningtree switch maxage 6-40 to configure the controller's STP maximum age. The default maximum age is 20 seconds.

Step 10 After you configure STP settings for the ports, enter config spanningtree switch mode enable to enable STP for the controller. The controller automatically detects logical network loops, places redundant ports on standby, and builds a network with the most efficient pathways.

Step 11 Enter show spanningtree port and show spanningtree switch to verify that your changes have been saved.
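The CLI procedure above as an added example, not code from the Cisco guide: a Python helper that emits the commands in the order the steps prescribe and rejects values outside the documented ranges. It assumes the auto path-cost command takes the same form as the numeric one (config spanningtree port pathcost auto), and it adds the 802.1D timer relationship 2*(forward delay - 1) >= max age >= 2*(hello time + 1), which the guide does not state.

```python
"""Build the WLC CLI sequence for the STP steps above, range-checking each
value. Added example, not from the Cisco guide; it only produces text and
never connects to a controller. The 802.1D timer rule it enforces,
2*(forward delay - 1) >= max age >= 2*(hello time + 1), is not in the guide."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

RANGES = {"pathcost": (1, 65535), "priority": (0, 255),        # Steps 4-9
          "bridgepriority": (0, 65535), "forwarddelay": (4, 30),
          "hellotime": (1, 10), "maxage": (6, 40)}
MODES = ("802.1d", "fast", "off")  # Step 3


def checked(name: str, value: int) -> int:
    """Return `value` if it lies in the documented range, else raise."""
    lo, hi = RANGES[name]
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}-{hi}")
    return value


@dataclass
class PortStp:
    mode: str = "off"               # Step 3; Off is the default (Table 3-5)
    pathcost: Optional[int] = None  # None = auto, the Step 4 default
    priority: int = 128             # Step 5 default


@dataclass
class ControllerStp:
    bridgepriority: int = 32768     # Step 6 default
    forwarddelay: int = 15          # Step 7 default (seconds)
    hellotime: int = 2              # Step 8 default (seconds)
    maxage: int = 20                # Step 9 default (seconds)
    # key is a port number, or "all" where the step allows it
    ports: Dict[Union[int, str], PortStp] = field(default_factory=dict)


def check_timers(cfg: ControllerStp) -> None:
    """Range-check the bridge timers and their 802.1D consistency rule."""
    fd = checked("forwarddelay", cfg.forwarddelay)
    ht = checked("hellotime", cfg.hellotime)
    ma = checked("maxage", cfg.maxage)
    if not 2 * (fd - 1) >= ma >= 2 * (ht + 1):
        raise ValueError(
            f"timers inconsistent: need 2*({fd}-1) >= {ma} >= 2*({ht}+1)")


def build_commands(cfg: ControllerStp) -> List[str]:
    """Commands in the order the steps prescribe: view status, disable STP,
    configure ports, configure the bridge, enable STP, verify."""
    checked("bridgepriority", cfg.bridgepriority)
    check_timers(cfg)
    cmds = ["show spanningtree port", "show spanningtree switch",  # Step 1
            "config spanningtree switch mode disable"]             # Step 2
    for sel, p in cfg.ports.items():
        if p.mode not in MODES:
            raise ValueError(f"port {sel}: mode must be one of {MODES}")
        cmds.append(f"config spanningtree port mode {p.mode} {sel}")  # Step 3
        if p.pathcost is None:                                        # Step 4
            cmds.append(f"config spanningtree port pathcost auto {sel}")
        else:
            cmds.append("config spanningtree port pathcost "
                        f"{checked('pathcost', p.pathcost)} {sel}")
        if sel != "all":   # Step 5 takes a single port number, never "all"
            cmds.append("config spanningtree port priority "
                        f"{checked('priority', p.priority)} {sel}")
    cmds += [                                                         # Steps 6-9
        f"config spanningtree switch bridgepriority {cfg.bridgepriority}",
        f"config spanningtree switch forwarddelay {cfg.forwarddelay}",
        f"config spanningtree switch hellotime {cfg.hellotime}",
        f"config spanningtree switch maxage {cfg.maxage}",
        "config spanningtree switch mode enable",                     # Step 10
        "show spanningtree port", "show spanningtree switch",        # Step 11
    ]
    return cmds


def demo() -> List[str]:
    # Constructed case: 802.1D on port 1; Fast, 100-Mbps cost, priority 64 on 2.
    cfg = ControllerStp(ports={1: PortStp("802.1d"),
                               2: PortStp("fast", pathcost=19, priority=64)})
    return build_commands(cfg)
```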


Enabling Link Aggregation

Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller's distribution system ports into a single 802.3ad port channel, thereby reducing the number of IP addresses needed to configure the ports on your controller. When LAG is enabled, the system dynamically manages port redundancy and load balances access points transparently to the user.

Cisco 4400 series controllers support LAG in software release 3.2 and higher, and LAG is enabled automatically on the Cisco WiSM controllers. Without LAG, each distribution system port on the controller supports up to 48 access points. With LAG enabled, a 4402 controller's logical port supports up to 50 access points, a 4404 controller's logical port supports up to 100 access points, and the logical port on each Cisco WiSM controller supports up to 150 access points.

Figure 3-11 illustrates LAG.

Figure 3-11 Link Aggregation

LAG simplifies controller configuration because you no longer need to configure primary and secondary ports for each interface. If any of the controller ports fail, traffic is automatically migrated to one of the other ports. As long as at least one controller port is functioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to send and receive data.

When configuring bundled ports, you may want to consider spanning modules with your port channel when you connect to a modular switch such as the Catalyst 6500. This practice provides protection in the case of a module failure. Figure 3-12 illustrates a scenario where a 4402-50 controller is connected to a Catalyst 6500 with gigabit modules in slots 2 and 3. The controller's port 1 is connected to gigabit interface 3/1, and the controller's port 2 is connected to gigabit interface 2/1 on the Catalyst 6500. On the Catalyst switch, the two interfaces are assigned to the same channel group.

Figure 3-12 Link Aggregation with Catalyst 6500 Neighbor Switch

Link Aggregation Guidelines

Keep these guidelines in mind when using LAG:

You cannot configure the controller's ports into separate LAG groups. Only one LAG group is supported per controller. Therefore, you can connect a controller in LAG mode to only one neighbor device.

When LAG is enabled, any change to the LAG configuration requires a controller reboot.

When you enable LAG, you can configure only one AP-manager interface because only one logical port is needed.

When you enable LAG, all dynamic AP-manager interfaces and untagged interfaces are deleted, and all WLANs are disabled and mapped to the management interface.

When you enable LAG, you cannot create interfaces with a primary port other than 29.

When you enable LAG, all ports participate in LAG by default. Therefore, you must configure LAG for all of the connected ports in the neighbor switch.

When you enable LAG, port mirroring is not supported.

Make sure the port-channel on the switch is configured for the IEEE standard Link Aggregation Control Protocol (LACP), not the Cisco proprietary Port Aggregation Protocol (PAgP).

When you disable LAG, you must configure primary and secondary ports for all interfaces.

When you disable LAG, you must assign an AP-manager interface to each port on the controller.

LAG is typically configured using the Startup Wizard, but you can enable or disable it at any time through either the GUI or CLI.

Using the GUI to Enable Link Aggregation

Follow these steps to enable LAG on your controller using the GUI.


Step 1 Click Controller > General to access the General page (see Figure 3-13).

Figure 3-13 General Page

Step 2 Set the LAG Mode on Next Reboot parameter to Enabled.


Note Choose Disabled if you want to disable LAG.


Step 3 Click Save Configuration to save your changes.

Step 4 Reboot the controller.


Using the CLI to Enable Link Aggregation

Follow these steps to enable LAG on your controller using the CLI.


Step 1 Enter config lag enable to enable LAG.


Note Enter config lag disable if you want to disable LAG.


Step 2 Enter show lag to verify that your change has been saved.

Step 3 Reboot the controller.


Configuring Neighbor Devices to Support LAG

The controller's neighbor devices must also be properly configured to support LAG.

Each neighbor port to which the controller is connected should be configured as follows:

interface GigabitEthernet <interface id>
	switchport
	channel-group <id> mode on
	no shutdown

The port channel on the neighbor switch should be configured as follows:

interface port-channel <id>
	switchport
	switchport trunk encapsulation dot1q
	switchport trunk native vlan <native vlan id>
	switchport trunk allowed vlan <allowed vlans>
	switchport mode trunk
	no shutdown

Configuring a 4400 Series Controller to Support More Than 48 Access Points

As noted earlier, 4400 series controllers can support up to 48 access points per port. However, you can configure your 4400 series controller to support more access points using one of the following methods:

Link aggregation (for controllers in Layer 3 mode), see the "Using Link Aggregation" section below

Multiple AP-manager interfaces (for controllers in Layer 3 mode), see the "Using Multiple AP-Manager Interfaces" section below

Connecting additional ports (for controllers in Layer 2 mode), see the "Connecting Additional Ports" section below

Follow the instructions in the section indicated for the method you want to use.

The following factors should help you decide which method to use if your controller is set for Layer 3 operation:

With link aggregation, all of the controller ports need to connect to the same neighbor switch. If the neighbor switch goes down, the controller loses connectivity.

With multiple AP-manager interfaces, you can connect your ports to different neighbor devices. If one of the neighbor switches goes down, the controller still has connectivity. However, using multiple AP-manager interfaces presents certain challenges (as discussed in the "Using Multiple AP-Manager Interfaces" section below) when port redundancy is a concern.

Using Link Aggregation

See the "Enabling Link Aggregation" section for more information and instructions on enabling link aggregation.


Note Link aggregation is the only method that can be used for the Cisco WiSM controllers.


Using Multiple AP-Manager Interfaces


Note This method can be used only with Cisco 4400 series stand-alone controllers.


When you create two or more AP-manager interfaces, each one is mapped to a different port (see Figure 3-14). The ports should be configured in sequential order such that AP-manager interface 2 is on port 2, AP-manager interface 3 is on port 3, and AP-manager interface 4 is on port 4. In addition, all AP-manager interfaces must be on the same VLAN or IP subnet, and they may or may not be on the same VLAN or IP subnet as the management interface.


Note You must assign an AP-manager interface to each port on the controller.


Before an access point joins a controller, it sends out a discovery request. From the discovery response that it receives, the access point can tell the number of AP-manager interfaces on the controller and the number of access points on each AP-manager interface. The access point generally joins the AP-manager with the least number of access points. In this way, the access point load is dynamically distributed across the multiple AP-manager interfaces.


Note Access points may not be distributed completely evenly across all of the AP-manager interfaces, but a certain level of load balancing occurs.


Figure 3-14 Two AP-Manager Interfaces


Note Cisco recommends that you configure all AP-manager interfaces on the same VLAN and IP subnet.


Before implementing multiple AP-manager interfaces, you should consider how they would impact your controller's port redundancy.

Examples:

1. The 4402-50 controller supports a maximum of 50 access points and has two ports. To support the maximum number of access points, you would need to create two AP-manager interfaces. A problem arises, however, if you want to support port redundancy. As shown in Figure 3-14, the static AP-manager interface has port 1 assigned as the primary port and port 2 as the secondary, or backup, port. The second AP-manager interface has port 2 assigned as the primary and port 1 as the secondary. If either port fails, the controller would be left trying to support 50 access points on a port that supports only 48. As a result, two access points would be unable to communicate with the controller and would be forced to look for an alternate controller.

2. The 4404-100 controller supports up to 100 access points and has four ports. To support the maximum number of access points, you would need to create three (or more) AP-manager interfaces. Figure 3-15 illustrates three AP-manager interfaces, each with a unique primary port and sharing the same secondary port. If the primary port of one of the AP-manager interfaces fails, the controller clears the access points' state, and the access points must reboot to reestablish communication with the controller using the normal controller join process. The controller no longer includes the failed AP-manager interface in the LWAPP discovery responses. The access points then rejoin the controller and are load balanced among the available AP-manager interfaces.

Figure 3-15 Three AP-Manager Interfaces

Figure 3-16 illustrates the use of four AP-manager interfaces to support 100 access points. Each has a unique primary port, but each port is also a secondary port for one of the AP-manager interfaces.

Figure 3-16 Four AP-Manager Interfaces

This configuration has the advantage of load-balancing all 100 access points evenly across all four AP-manager interfaces. If one of the AP-manager interfaces fails, all of the access points connected to the controller would be evenly distributed among the three available AP-manager interfaces. For example, if AP-manager interface 2 fails, the remaining AP-manager interfaces (1, 3, and 4) would each manage approximately 33 access points.
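The two redundancy examples above, as an added simulation that is not part of the Cisco guide. It models only what the text states (48 access points per port, an access point joining the AP-manager interface with the fewest access points, and rebalancing after a primary-port failure); the interface names, secondary-port assignments and tie-breaking by name are constructed assumptions.

```python
"""Model of the AP-manager load-balancing and port-failure examples above.
Added example, not from the Cisco guide. Encodes only what the text states:
48 access points per port, joining the least-loaded AP-manager interface,
and rejoin/rebalance when an interface's primary port fails. The 4402-50
case models each interface moving to its secondary port with its APs."""
from dataclasses import dataclass
from typing import Dict, List

PORT_AP_LIMIT = 48  # access points per 4400 series distribution system port


@dataclass(frozen=True)
class ApManager:
    name: str
    primary_port: int
    secondary_port: int


def join_least_loaded(counts: Dict[str, int], new_aps: int) -> Dict[str, int]:
    """Each joining access point picks the AP-manager with the fewest APs
    (ties broken by name, so the spread is deterministic)."""
    counts = dict(counts)
    for _ in range(new_aps):
        target = min(counts, key=lambda n: (counts[n], n))
        counts[target] += 1
    return counts


def distribute(managers: List[ApManager], total_aps: int) -> Dict[str, int]:
    """Steady-state spread of `total_aps` across the advertised interfaces."""
    return join_least_loaded({m.name: 0 for m in managers}, total_aps)


def rebalance_after_failure(managers: List[ApManager], total_aps: int,
                            failed_port: int) -> Dict[str, int]:
    """Examples 2 and 3: interfaces whose primary port failed are dropped
    from the discovery responses; all access points rejoin the survivors."""
    survivors = [m for m in managers if m.primary_port != failed_port]
    if not survivors:
        raise ValueError("no AP-manager interface left to join")
    return distribute(survivors, total_aps)


def port_shortfall(managers: List[ApManager], total_aps: int,
                   failed_port: int) -> Dict[int, int]:
    """Example 1: each interface keeps its access points and moves to its
    secondary port; return, per port, how many APs exceed the port limit."""
    load = distribute(managers, total_aps)
    per_port: Dict[int, int] = {}
    for m in managers:
        port = m.secondary_port if m.primary_port == failed_port else m.primary_port
        if port == failed_port:
            raise ValueError(f"{m.name} has no working port")
        per_port[port] = per_port.get(port, 0) + load[m.name]
    return {port: max(0, n - PORT_AP_LIMIT) for port, n in per_port.items()}


def example_4402_50() -> Dict[int, int]:
    # Figure 3-14: two interfaces, each the other's backup; port 1 fails.
    managers = [ApManager("ap-manager", 1, 2), ApManager("ap-manager2", 2, 1)]
    return port_shortfall(managers, 50, failed_port=1)


def example_4404_100() -> Dict[str, int]:
    # Figure 3-16: four interfaces, one per port (constructed secondaries);
    # AP-manager interface 2's primary port fails.
    managers = [ApManager(f"ap-manager{i}", i, i % 4 + 1) for i in range(1, 5)]
    return rebalance_after_failure(managers, 100, failed_port=2)
```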

Follow these steps to create multiple AP-manager interfaces.


Step 1 Click Controller > Interfaces to access the Interfaces page.

Step 2 Click New. The Interfaces > New page appears (see Figure 3-17).

Figure 3-17 Interfaces > New Page

Step 3 Enter an AP-manager interface name and a VLAN identifier, as shown above.

Step 4 Click Apply to commit your changes. The Interfaces > Edit page appears (see Figure 3-18).

Figure 3-18 Interfaces > Edit Page

Step 5 Enter the appropriate interface parameters.

Step 6 To make the interface an AP-manager interface, check the Enable Dynamic AP Management check box.

Step 7 Click Save Configuration to save your settings.

Step 8 Repeat this procedure for each additional AP-manager interface that you want to create.


Connecting Additional Ports

To support more than 48 access points with a 4400 series controller in Layer 2 mode, you must connect more controller ports to individual broadcast domains that are completely separated. Table 3-8 provides an example in which each controller port is connected to an individual switch.

Table 3-8 Example Port Configuration on a 4404 Controller in Layer 2 Mode

[Distribution Switch 1]=Trunk=[Distribution Switch 2]

Controller port    Port mode    VLAN
port 1             dot1q        VLAN 250
port 2             access       VLAN 992
port 3             access       VLAN 993
port 4             access       VLAN 994


VLANs 992, 993, and 994 (used here as VLAN examples) are access VLANs, and you can assign them any VLAN IDs that you choose. An IP address is not allocated to these VLANs, and these ports are access ports only. To connect additional access points, assign the access port connecting the access point to VLAN 992, 993, or 994. The access point then joins the controller using that isolated VLAN with Layer 2 LWAPP. All Layer 2 LWAPP traffic received on ports 2, 3, and 4 egresses the management port (configured as port 1) on VLAN 250 with a dot1q tag of 250.

With a Layer 2 LWAPP configuration, you should distribute access points across VLANs 250, 992, 993, and 994 manually. Ideally, you should distribute 25 access points per port to balance a total of 100 access points. If you have fewer than 100 access points, divide the number of access points by 4 and distribute that number. For example, 48 total access points divided by 4 equals 12 access points per 4404 port. You could connect 48 access points to port 1, 48 to port 2, and only 2 to port 3, but this unbalanced distribution does not provide the best throughput performance for wireless clients and is not recommended.

It does not matter where you connect ports 2, 3, and 4 as long as they can communicate with the access points configured for their isolated VLANs. If VLAN 250 is a widely used infrastructure VLAN within your network and you notice network congestion, redistribute all of the access points connected to VLAN 250 to ports 2, 3, and 4. Port 1 still remains connected to VLAN 250 as the management network interface but transports data only from wireless clients proxied by the controller.