Cisco Catalyst 6500 Series Wireless LAN Services Module Configuration Note, Version 2.1.1

Table Of Contents

Cisco Catalyst 6500 Series Wireless LAN Services Module Configuration Note

Introduction

Understanding Wireless LAN Services

Understanding WDS

Layer 2 and Layer 3 Mobility

Layer 2 Mobility

Layer 3 Mobility

New Features in Release 2.1.1

Increased Access Point Scalability

Multiple WLSMs per Catalyst 6500 Chassis

Graceful Tunnel Resiliency

Support for 240 Mobility Groups

Improved Multicast Support

RADIUS Assigned Mobility Groups

Support for WDS Information MIB

Configuring the Wireless LAN Services Module

Configuring VLANs on the Switch

Configuring Layer 3 Interfaces

Adding the Wireless LAN Services Module to the Corresponding VLAN

Configuring the Loopback Interface

Configuring the Wireless mGRE Tunnel

Configuring VLANs on the Wireless LAN Services Module

Configuring Telnet Remote Access

Configuring Wireless Domain Services

Configuring Local Authentication

Configuring the Access Points

Displaying Layer 3 Mobility and Wireless Network Information

Configuring the DHCP Snooping Database

Configuring Graceful Tunnel Resiliency

Configuring Two WLSMs on One Chassis

WLSM Graceful Tunnel Resiliency Performance Limitations

Configuration Examples

Supervisor 720 configuration

WLSM 1 configuration

WLSM 2 configuration

Switch 1 Configuration

Switch 2 Configuration

HSRP Configuration Guidelines for Interswitch Topology

Recovering a Lost Password

Upgrading the Images

Upgrading the Application Software

Cisco IOS Software

Catalyst Operating System Software

Upgrading the Maintenance Software

Cisco IOS Software

Catalyst Operating System Software

Related Documentation

Obtaining Documentation

Cisco.com

Product Documentation DVD

Ordering Documentation

Documentation Feedback

Cisco Product Security Overview

Reporting Security Problems in Cisco Products

Obtaining Technical Assistance

Cisco Technical Support & Documentation Website

Submitting a Service Request

Definitions of Service Request Severity

Obtaining Additional Publications and Information


Cisco Catalyst 6500 Series Wireless LAN Services Module Configuration Note


This document provides configuration procedures for the Cisco Catalyst 6500 series Wireless LAN Services Module (WLSM) and contains these sections:

Introduction

Understanding Wireless LAN Services

Understanding WDS

Layer 2 and Layer 3 Mobility

New Features in Release 2.1.1

Configuring the Wireless LAN Services Module

Configuring Local Authentication

Configuring the Access Points

Displaying Layer 3 Mobility and Wireless Network Information

Configuring the DHCP Snooping Database

Configuring Graceful Tunnel Resiliency

Recovering a Lost Password

Upgrading the Images

Related Documentation

Obtaining Documentation

Documentation Feedback

Cisco Product Security Overview

Obtaining Technical Assistance

Obtaining Additional Publications and Information

Introduction

The Cisco wireless solution provides the framework to integrate and extend wireless networks efficiently and economically. The solution extends wireless into important elements of the network infrastructure, providing the same level of security, scalability, reliability, ease of deployment, and management for wireless LANs. This document provides information about configuring the Cisco Catalyst 6500 series WLSM in a typical wireless network.

The WLSM is one component in the larger wireless LAN solution. The following are additional required components:

Catalyst 6500 Series Switch running Cisco IOS Release 12.2(18)XSF2

http://cisco.com/en/US/products/hw/switches/ps708/tsd_products_support_series_home.html

Catalyst 6500 Series WLSM release 2.1.1

http://cisco.com/en/US/products/ps5865/tsd_products_support_model_home.html

Cisco Aironet 1100, 1130AG, 1200, 1230AG, and 1240AG Series Access Points running Cisco IOS Release 12.3(8)JA

http://cisco.com/en/US/products/hw/wireless/tsd_products_support_category_home.html

Cisco Aironet 1300 Series Outdoor Access Point/Bridge running Cisco IOS Release 12.3(8)JA

http://cisco.com/en/US/products/hw/wireless/tsd_products_support_category_home.html

CiscoWorks Wireless LAN Solution Engine (WLSE) release 2.13

http://cisco.com/en/US/products/ps6379/tsd_products_support_series_home.html

For more information on configuring the solution and for sample configurations, go to this URL:

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1200/accsspts/techref/wlsm/wlsmcfg.htm

Understanding Wireless LAN Services

The WLSM provides the following features for 802.11 wireless clients on Catalyst 6500 series switches:

Fast, uninterrupted, secure Layer 2 and Layer 3 wireless roaming

Radio-management aggregation

WLSM scalability (support for up to 600 access points)

Graceful tunnel resiliency and redundancy

RADIUS assigned mobility group

Improved multicast support

Support for 240 mobility groups

Support for WDS information MIB

Figure 1 shows the system view for the WLSM. Traffic between the access point and the Catalyst 6500 series switch is IP directed. The two devices may be separated by bridges or routers.

Figure 1 WLSM System View

Wireless LAN context control protocol (WLCCP) messages carry authentication message exchanges between the access point and the wireless domain services (WDS) running on the Catalyst 6500 series switch. The Catalyst 6500 series switch acts as an authenticator by learning the location of every associated wireless client node.

The switch learns the MAC-to-IP bindings of the wireless clients either by snooping on the DHCP exchanges or by snooping ARP or IP packets from the wireless nodes. These two learning mechanisms enable the switch to provide uninterrupted Layer 3 mobility to roaming wireless nodes.

You configure a multipoint generic routing encapsulation (mGRE) tunnel between the Catalyst 6500 series switch and each access point so that mobile users can roam between access points and maintain Layer 3 connectivity. The multipoint GRE tunnels simulate logical Layer 3 networks between access points, providing an easier and faster solution for Layer 3 roaming.

Understanding WDS

WDS is a feature for access points in Cisco IOS software and the basis of the Catalyst 6500 series WLSM. WDS is a core function that enables other features such as these:

Fast Secure Roaming

Wireless LAN Solution Engine (WLSE) interaction

Radio Management

You must establish relationships between the access points that participate in WDS and the Wireless LAN Services Module before any other WDS-based features work. One of the purposes of WDS is to reduce the time required for client authentication by eliminating the need for the authentication server to validate user credentials each time a client reauthenticates.

In order to use WDS, you must designate one access point or the Wireless LAN Services Module as the WDS. A WDS access point must establish a relationship to an authentication server by authenticating to it with a WDS username and password. The authentication server can be either an external RADIUS server or the Local RADIUS Server feature in the WDS access point. The Wireless LAN Services Module must have a relationship with the authentication server, even though it does not need to authenticate to the server.

Other access points, called infrastructure access points, communicate with the WDS. Before registration occurs, the infrastructure access points must authenticate themselves to the WDS. An infrastructure server group on the WDS defines this infrastructure authentication.

Client authentication is defined by one or more client server groups on the WDS.

When a client attempts to associate to an infrastructure access point, the infrastructure access point passes the credentials of the user to the WDS for validation. If it is the first time that the WDS sees the credentials, it turns to the authentication server to validate the credentials. The WDS then caches the credentials so that it does not have to return to the authentication server when that user attempts authentication again. Reauthentication can occur under any of the following conditions:

When the access points rekey

When the client roams between access points

When the user starts up the client device

Any RADIUS-based Extensible Authentication Protocol (EAP) can be tunneled through WDS, such as these protocols:

Lightweight EAP (LEAP)

Protected EAP (PEAP)

EAP-Transport Layer Security (EAP-TLS)

EAP-Flexible Authentication through Secure Tunneling (EAP-FAST)

The WDS and the infrastructure access points communicate over WLCCP. These multicast messages cannot be routed, so a WDS and its associated infrastructure access points must be in the same IP subnet and on the same LAN segment. Between the WDS and the WLSE, WLCCP uses TCP and User Datagram Protocol (UDP) on port 2887. When the WDS and WLSE are on different subnets, the packets cannot pass through an address translation mechanism such as Network Address Translation (NAT).

Current design recommendations specify one WDS access point per thirty infrastructure access points. The Wireless LAN Services Module can handle up to 600 infrastructure access points.

Layer 2 and Layer 3 Mobility

Layer 2 mobility occurs when a wireless LAN client moves between wireless access points that are within the same IP subnet. Layer 3 mobility occurs when a wireless LAN client moves between wireless access points that are in different IP subnets. (See Figure 2.)

Fast secure roaming enables a client to change its connection between access points in the same subnet (Layer 2 mobility) or between subnets (Layer 3 mobility) to support time-sensitive applications such as VoIP, video on demand, VPN over wireless, and client/server-based applications.

Figure 2 Examples of Layer 2 and Layer 3 Mobility

Layer 2 Mobility

Layer 2 mobility occurs when a wireless LAN device physically moves enough so that its radio associates to a different access point. The original and the updated access points offer coverage for the same IP subnet, so the wireless LAN client's IP address remains valid after the roam.

Layer 3 Mobility

Mobility in a wireless LAN environment can present a challenge as the physical reach of the network grows. Applications such as voice require roam times below 150 ms and require IP address continuity regardless of the Layer 3 boundaries that are crossed. Deploying a sprawling Layer 2 network can subject user traffic to delays and loss of service due to issues such as broadcast storms and Spanning Tree Protocol (STP) reconvergence times.

Layer 3 mobility provides a better performing and more scalable approach. Access points may be deployed in any location in a large Layer 3 network without requiring a single VLAN to be carried throughout the wired switch infrastructure. An overlay of multipoint GRE (mGRE) tunnels allows clients to roam to other access points residing on different Layer 3 subnets without loss of connectivity or a change in IP addressing.

The Cisco Layer 3 mobility solution consists of various hardware and software components. For more information about the Cisco wireless solution go to cisco.com:

http://cisco.com/en/US/products/hw/wireless/index.html

The primary devices are as follows:

Cisco Aironet 1100, 1130AG, 1200, 1230AG, and 1240AG Series Access Points and Cisco Aironet 1300 Series Outdoor Access Point/Bridges

Catalyst 6500 Series Switch (and its Supervisor 720 Module)

Catalyst 6500 Series WLSM

Wireless Domain Services (WDS) coordinates these devices and the mobile nodes. The WDS runs on the WLSM. These components must be configured to work together as a unified system.

Configuring Layer 3 mobility requires linkage between different hardware and software components. Linkage is best accomplished by separating the functional components into modules, configuring each module individually, and verifying that each module works properly before proceeding to the next.

New Features in Release 2.1.1

The following sections describe the new features supported in Release 2.1.1:

Increased Access Point Scalability

Multiple WLSMs per Catalyst 6500 Chassis

Graceful Tunnel Resiliency

Improved Multicast Support

RADIUS Assigned Mobility Groups

Support for WDS Information MIB

Increased Access Point Scalability

Memory and software improvements have increased scalability from 300 to 600 access points.

Multiple WLSMs per Catalyst 6500 Chassis

In Release 2.1.1, the Supervisor 720 now supports two WLSMs in a chassis. In this configuration, only one WLSM can be active; the other is operating in a standby state. If the active WLSM fails, the standby WLSM becomes active in a matter of seconds, and combined with graceful tunnel resiliency, the WLSM switchover is seamless and transparent to the user. New clients and roaming clients are minimally affected because of the short time it takes to bring the standby WLSM to the active state.

Running Hot Standby Router Protocol (HSRP) on all WLSMs achieves intra-switch and inter-switch hot standby WLSM redundancy. To avoid unnecessary failovers and to make use of the graceful recovery feature, disable HSRP preemption.

Graceful Tunnel Resiliency

Graceful tunnel resiliency is a high availability feature that provides near Stateful Switchover (SSO) capability. In the event of a WLSM failure, graceful tunnel resiliency maintains data traffic forwarding for all existing Mobile Nodes (MNs) that are authenticated. This is done for a configurable grace period. MN authentication and session states are refreshed without disruption to their data traffic after the WLSM reboots or a backup WLSM takes over. Only new authentications and roaming events are affected while the WLSM is down or in a recovery state.

Support for 240 Mobility Groups

This feature provides increased scalability and flexibility by supporting up to 240 mobility groups. A larger number of mobility groups allows for multiple policies based on user posture validation. Also, each mobility domain can be defined as a smaller group to avoid large, flat IP subnets.

No additional WLSM configuration is required for this feature.

Improved Multicast Support

Release 2.1.1 provides an IGMP snooping-based multicast solution. IGMP snooping is performed on the access point to allow forwarding of downstream multicast traffic from the native network infrastructure to clients of dynamic RADIUS-assigned mobility groups. Multicast traffic forwarding for any mobility group can be turned on or off with the CLI on the Supervisor 720.

The Catalyst 6500 series wireless LAN handles multicast traffic differently from unicast IP traffic. When a wireless user sends upstream IP multicast traffic, the access point encapsulates the packet with a GRE header and forwards the packet over the tunnel. The only exception in this scenario (upstream IP multicast traffic flow) is Internet Group Management Protocol (IGMP) join messages, which are locally bridged by the access point to the local infrastructure.

Downstream IP multicast traffic from the Supervisor 720 to the access point is not sent via the fast secure roaming tunnel. Instead, IP multicast traffic sent to the access point is forwarded using the underlying network infrastructure. Via the locally bridged IGMP messages, the access point dynamically constructs a wireless client-to-multicast group association table. This IGMP snooping operation permits flexible creation of a multicast group-to-wireless client association table at the access point and permits the access point to efficiently use bandwidth by only forwarding multicast traffic when there is a multicast-requesting client associated. However, due to the asymmetric multicast traffic flow, all network nodes between the supervisor engine and the access point must be configured to enable downstream multicast traffic to reach its destination.

RADIUS Assigned Mobility Groups

The fast secure roaming tunnels used with the Catalyst 6500 series WLSM are the components of the solution that permit Layer 3 mobility and fast secure roaming. The fast secure roaming tunnels may be assigned statically by associating a network-ID with each SSID at the access point, or dynamically per user via RADIUS authentication. The primary advantage of RADIUS-based mobility group or tunnel assignment is that it dramatically simplifies the configuration of access points because they are dynamically assigned the necessary mobility groups for users. The access point needs only to be configured for a single SSID. This permits the segmentation of different user groups on the access point (such as employees, contractors, and guests) into different mobility groups and different network access policies from the Catalyst 6500 series switch.

It is also possible to combine the following deployment models to assign the desired mobility group or fast secure roaming tunnel for clients that use RADIUS authentication:

Creation of static tunnels for clients that do not support RADIUS authentication

RADIUS vendor-specific attributes

No extra configuration on the WLSM or Supervisor 720 is required to enable dynamic mobility group assignment. The configuration of the access point and the RADIUS server controls whether mobility groups are dynamically assigned at the access point using the WLSM's authentication transactions. Mobility group (tunnel) IDs must be configured on the Supervisor 720 for either static or dynamic mobility group operation.

Support for WDS Information MIB

Release 2.1.1 greatly improves MIB support for the WLSM by supporting the CISCO-WDS-INFO-MIB, which introduces the capability of querying the WLSM for client, access point, and WLSE status and statistics. This information can be used for client association, roaming, and performance reporting or by custom SNMP applications.

Configuring the Wireless LAN Services Module

The initial Wireless LAN Services Module configuration consists of the following tasks:

Configuring VLANs on the Switch

Configuring Layer 3 Interfaces

Adding the Wireless LAN Services Module to the Corresponding VLAN

Configuring the Loopback Interface

Configuring the Wireless mGRE Tunnel

Configuring VLANs on the Wireless LAN Services Module

Configuring Telnet Remote Access

Configuring Wireless Domain Services

Configuring Local Authentication

Configuring the DHCP Snooping Database

Configuring Graceful Tunnel Resiliency


Note The initial Wireless LAN Services Module configuration must be made through a direct connection to the console port on the module.


Configuring VLANs on the Switch


Note VLAN IDs must be the same for the switch and the module. Refer to the "Configuring VLANs" chapter in the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide for details.



Note The wireless LAN software supports the extended-range VLANs (2 through 1005).


To configure VLANs on the switch, perform this task:

 
Step 1
Command: Router# configure terminal
Purpose: Enters configuration mode and selects the terminal option.

Step 2
Command: Router(config)# vlan vlan_ID
Purpose: Enters VLAN configuration mode and adds a VLAN. The valid range is 2 through 4094.

Step 3
Command: Router(config-vlan)# exit
Purpose: Updates the VLAN database and returns to privileged EXEC mode.

This example shows how to configure VLANs on the switch:

Router> enable
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# vlan 100
Router(config-vlan)# exit
Router(config)#

Configuring Layer 3 Interfaces

To configure the corresponding Layer 3 VLAN interface, perform this task:

 
Step 1
Command: Router(config)# interface vlan vlan_ID
Purpose: Selects an interface to configure.

Step 2
Command: Router(config-if)# ip address ip_address subnet_mask
Purpose: Configures the IP address and IP subnet.

Step 3
Command: Router(config-if)# no shutdown
Purpose: Enables the interface.

Step 4
Command: Router(config-if)# exit
Purpose: Exits configuration mode.

This example shows how to configure the Layer 3 VLAN interface:

Router# configure terminal 
Router(config)# interface vlan 100 
Router(config-if)# ip address 10.10.1.10 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# exit

Adding the Wireless LAN Services Module to the Corresponding VLAN


Note By default, the Wireless LAN Services Module is in trunking mode with native VLAN 1.


To add the Wireless LAN Services Module to the corresponding VLAN, perform this task:

Command: Router(config)# wlan module mod allowed-vlan vlan_ID
Purpose: Configures the VLANs allowed over the trunk to the Wireless LAN Services Module.

Note One of the allowed VLANs must be the admin VLAN.

This example shows how to add a Wireless LAN Services Module that is installed in slot 5 to a specific VLAN:

Router(config)# wlan module 5 allowed-vlan 100
Router(config)# end

Configuring the Loopback Interface

The loopback interface is a software-only virtual interface that emulates a physical interface.

To configure the loopback interface, perform this task:

 
Step 1
Command: Router(config)# interface loopback number
Purpose: Configures a loopback interface and enters interface configuration mode. The number argument specifies the number of the loopback interface that you want to create or configure. There is no limit on the number of loopback interfaces that you can create.

Step 2
Command: Router(config-if)# ip address ip_addr [subnet]
Purpose: Assigns an IP network address and network mask to the interface.

Step 3
Command: Router(config-if)# exit
Purpose: Exits configuration mode.

The following example shows how to configure a loopback interface:

Router(config)# interface loopback 0
Router(config-if)# ip address 10.1.1.2 255.255.255.0
Router(config-if)# exit

Configuring the Wireless mGRE Tunnel

The infrastructure that enables Layer 3 mobility consists of Multipoint Generic Routing Encapsulation (mGRE) tunnels. Each tunnel has a single termination point on the Supervisor 720 module of the Catalyst 6500 that hosts the WLSM. The other logical endpoint of the tunnel exists on all access points participating in the Layer 3 mobility network. Clients that associate to a participating access point associate to a particular SSID. The SSID is mapped (either statically or dynamically via RADIUS) to a mobility network that tunnels all client traffic to the Catalyst 6500. The Supervisor 720 maintains a database of the clients (mobile nodes) and the access points to which they are associated. Roaming from one access point to another simply requires updating the database and changing the forwarding information for that mobile node.

To configure wireless mGRE tunnels, perform this task:

 
Step 1
Command: Router(config)# ip dhcp snooping
Purpose: (Optional) Enables DHCP snooping.

Note This command is required if you enable DHCP snooping on the tunnel interface for untrusted wireless networks.

Note See the "Configuring the DHCP Snooping Database" section for information on the DHCP snooping database for untrusted networks.

Step 2
Command: Router(config)# interface tunnel number
Purpose: (Optional) Configures a tunnel interface and enters interface configuration mode. The number argument specifies the number of the tunnel interface that you want to create or configure.

Step 3
Command: Router(config-if)# ip address ip_addr [subnet_mask]
Purpose: Specifies the tunnel IP address and the mGRE tunnel overlay subnet.

Step 4
Command: Router(config-if)# ip mtu bytes
Purpose: (Optional) Sets the maximum transmission unit (MTU) size, in bytes, of IP packets sent on an interface. The default value for bytes is 1476; the minimum is 512.

Step 5
Command: Router(config-if)# tunnel source loopback interface
Purpose: Configures the tunnel source. Each tunnel must have a different tunnel source.

Step 6
Command: Router(config-if)# tunnel mode gre multipoint
Purpose: Sets the encapsulation mode to mGRE for the tunnel interface.

Step 7
Command: Router(config-if)# mac-address mac_addr
Purpose: (Optional) Specifies the MAC address of the router.

Note Entering the router MAC address allows mobile nodes to detect if their IP address is duplicated on the network.

The access point uses the router MAC address to handle Address Resolution Protocol (ARP) requests using proxy ARP. Proxy ARP is automatic and requires no user input.

Enter the show mobility status command to display the MAC address used for proxy ARP. Enter this MAC address as mac_addr.

Step 8
Command: Router(config-if)# mobility network-id [id]
Purpose: Specifies the wireless network ID for the mGRE tunnel. Valid values for id are 1 through 4095.

Step 9
Command: Router(config-if)# mobility trust [ip-discovery]
Purpose: (Optional) Specifies the trusted network.

Note If you enter the mobility trust command, do not enter the ip dhcp snooping packets command.

A trusted network can use DHCP or static IP addresses. An untrusted network supports only DHCP clients. The default is untrusted.

The ip-discovery option provides the capability to discover the IP addresses of passive wireless client devices associated to an infrastructure access point.

Step 10
Command: Router(config-if)# mobility broadcast
Purpose: (Optional) Configures the mGRE tunnel to convert nonbroadcast multiaccess (NBMA) to broadcast multiaccess (BMA).

Step 11
Command: Router(config-if)# ip dhcp snooping packets
Purpose: (Optional) Enables DHCP snooping for the untrusted wireless network ID.

Note If you enter the ip dhcp snooping packets command, do not enter the mobility trust command.

Note You must enable DHCP snooping globally by entering the ip dhcp snooping command before enabling DHCP snooping on the tunnel interface.

Note See the "Configuring the DHCP Snooping Database" section for information on the DHCP snooping database for untrusted networks.

Step 12
Command: Router(config-if)# exit
Purpose: Exits configuration mode.

This example shows how to configure wireless mGRE tunnels:

Router(config)# ip dhcp snooping

Router(config)# interface tunnel 0
Router(config-if)# ip address 10.1.1.2 255.255.255.0
Router(config-if)# ip mtu 1024
Router(config-if)# tunnel source loopback 0
Router(config-if)# tunnel mode gre multipoint
Router(config-if)# mobility network-id 10 
Router(config-if)# ip dhcp snooping packets
Router(config-if)# exit
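The procedure above states several constraints that are easy to violate when tunnels are added by hand: per-tunnel "ip dhcp snooping packets" needs the global "ip dhcp snooping", "mobility trust" and "ip dhcp snooping packets" exclude each other, the network ID must fall within 1 through 4095, the MTU may not go below 512, and every tunnel needs its own source interface. The following Python script is an added example (not Cisco's code and not part of this configuration note) that reads running-config text and reports each violation before the stanzas are pushed to the switch. The configuration it checks is a constructed sample, and the wording of the findings is this example's own.

```python
from typing import Dict, List, Optional, Tuple

MTU_MINIMUM = 512             # procedure step 4: "the minimum is 512"
NETWORK_ID_RANGE = (1, 4095)  # procedure step 8: "Valid values for id are 1 through 4095"

# Constructed sample (not captured from a device): Tunnel0 follows the procedure,
# Tunnel1 mixes the trusted and DHCP-snooped modes, Tunnel2 breaks several rules.
SAMPLE_CONFIG = """\
ip dhcp snooping
!
interface Tunnel0
 ip address 10.20.0.1 255.255.255.0
 ip mtu 1400
 tunnel source Loopback0
 tunnel mode gre multipoint
 mobility network-id 10
 ip dhcp snooping packets
!
interface Tunnel1
 tunnel source Loopback1
 tunnel mode gre multipoint
 mobility network-id 11
 mobility trust
 ip dhcp snooping packets
!
interface Tunnel2
 ip mtu 256
 tunnel source Loopback0
 mobility network-id 5000
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into global commands and per-interface sub-command lists."""
    global_cmds: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # end of the current block
            current = None
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        else:                                # any other top-level command
            current = None
            global_cmds.append(line)
    return global_cmds, blocks


def check_tunnels(text: str) -> List[str]:
    """Return one finding per violated rule; an empty list means every tunnel passes."""
    global_cmds, blocks = parse_config(text)
    snooping_global = "ip dhcp snooping" in global_cmds
    findings: List[str] = []
    sources_seen: Dict[str, str] = {}  # tunnel source -> first tunnel that used it
    for name, cmds in blocks.items():
        if not name.lower().startswith("tunnel"):
            continue
        snoop = "ip dhcp snooping packets" in cmds
        trust = any(c.startswith("mobility trust") for c in cmds)
        # Steps 1 and 11: per-tunnel snooping needs the global command first.
        if snoop and not snooping_global:
            findings.append(f"{name}: 'ip dhcp snooping packets' requires global 'ip dhcp snooping'")
        # Steps 9 and 11: a tunnel is either trusted or DHCP-snooped, never both.
        if snoop and trust:
            findings.append(f"{name}: 'mobility trust' and 'ip dhcp snooping packets' are mutually exclusive")
        # Step 6: the tunnel must run in multipoint GRE mode.
        if "tunnel mode gre multipoint" not in cmds:
            findings.append(f"{name}: missing 'tunnel mode gre multipoint'")
        # Step 8: exactly one network ID, inside the documented range.
        ids = [c.split()[-1] for c in cmds if c.startswith("mobility network-id ")]
        if len(ids) != 1 or not ids[0].isdigit() or not (NETWORK_ID_RANGE[0] <= int(ids[0]) <= NETWORK_ID_RANGE[1]):
            findings.append(f"{name}: 'mobility network-id' must appear once with a value from 1 to 4095")
        for c in cmds:
            # Step 4: the MTU is optional but may not go below the minimum.
            if c.startswith("ip mtu "):
                mtu = c.split()[-1]
                if not mtu.isdigit() or int(mtu) < MTU_MINIMUM:
                    findings.append(f"{name}: 'ip mtu {mtu}' is below the minimum of {MTU_MINIMUM}")
            # Step 5: every tunnel needs its own source interface.
            elif c.startswith("tunnel source "):
                src = c.split(None, 2)[2]
                if src in sources_seen:
                    findings.append(f"{name}: tunnel source {src} is already used by {sources_seen[src]}")
                else:
                    sources_seen[src] = name
    return findings


if __name__ == "__main__":
    for finding in check_tunnels(SAMPLE_CONFIG):
        print(finding)
```

Running the script against the sample reports nothing for Tunnel0, the trusted/snooped conflict for Tunnel1, and four findings for Tunnel2 (no multipoint mode, network ID out of range, MTU below 512, and a tunnel source already taken by Tunnel0). Feeding it the output of show running-config from the supervisor engine works the same way, since the parser only relies on the indented sub-command layout of IOS interface stanzas.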

Configuring VLANs on the Wireless LAN Services Module

When you configure VLANs on the Wireless LAN Services Module, configure one of the VLANs as an administrative VLAN. The system adds the default route through the gateway of the administrative VLAN.


Note The wireless LAN software supports only one admin VLAN. Configuring the admin VLAN is required for using the wireless domain services.



Note VLAN IDs must be the same for the switch and the module. Refer to the "Configuring VLANs" chapter in the Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide for details.


To configure VLANs on the Wireless LAN Services Module, perform this task:

 
Step 1
Command: wlan(config)# wlan vlan vlan_ID
Purpose: Configures the wireless LAN VLANs and enters VLAN mode.

Note If this is the admin VLAN, enter the same vlan_ID that you entered for the switch. (See the "Configuring VLANs on the Switch" section.)

Step 2
Command: wlan(config-vlan)# ipaddr ip_addr netmask
Purpose: Configures an IP address for the wireless LAN VLAN.

Note Configure the IP address in the same subnet as the VLAN IP address.

Step 3
Command: wlan(config-vlan)# gateway gateway_addr
Purpose: Configures the gateway IP address.

Note If this is the admin VLAN, enter the same IP address for the gateway as you entered for the switch. (See the "Configuring Layer 3 Interfaces" section.)

Step 4
Command: wlan(config-vlan)# standby [group-number] ip [ip-address]
Purpose: (Optional) Configures the Hot Standby Router Protocol (HSRP).

Step 5
Command: wlan(config-vlan)# route ip_addr netmask gateway ip_addr
Purpose: (Optional) Configures a static route for servers that are one or more Layer 3 hops away from the Wireless LAN Services Module.

Step 6
Command: wlan(config-vlan)# admin
Purpose: (Optional) Configures the VLAN as the administrative VLAN. (See note 1.)

Note 1 The administrative VLAN is for management traffic. Specify only one VLAN as the administrative VLAN.

This example shows how to configure the VLAN and specify the IP address, the subnet mask, and the global gateway, and it also specifies the VLAN as the administrative VLAN:

wlan(config)# wlan vlan 100 admin
wlan(config-vlan)# ipaddr 10.10.1.20 255.255.255.0
wlan(config-vlan)# gateway 10.10.1.10
wlan(config-vlan)# admin
wlan(config-vlan)# end
wlan#

Configuring Telnet Remote Access

To configure the Wireless LAN Services Module for Telnet remote access, perform this task:

 
Step 1
Command: wlan(config)# aaa authentication login default line
Purpose: Creates a default authentication list for login purposes. The line password is used for the default authentication list.

Step 2
Command: wlan(config)# enable password password
Purpose: Specifies a local enable password.

Step 3
Command: wlan(config)# line vty starting-line-number ending-line-number
Purpose: Identifies a range of lines for configuration and enters line configuration mode.

Step 4
Command: wlan(config-line)# login authentication default
Purpose: Enables password checking at login and also ensures that the default authentication list is used.

Step 5
Command: wlan(config-line)# password password
Purpose: Specifies a password on the line.

This example shows how to configure the Wireless LAN Services Module for remote access:

wlan(config)# aaa authentication login default line
wlan(config)# enable password cisco
wlan(config)# line vty 0 4
wlan(config-line)# login authentication default
wlan(config-line)# password cisco
wlan(config-line)# exit
wlan(config)#

Configuring Wireless Domain Services

To configure the Wireless LAN Services Module as the WDS device, perform this task:

 
Step 1
Command: wlan(config)# aaa new-model
Purpose: Enables the AAA access control model.

Step 2
Command: wlan(config)# aaa authentication login leap-devices group radius
Purpose: Defines a group used to authenticate Lightweight EAP (LEAP) devices.

Step 3
Command: wlan(config)# aaa authentication login default enable
Purpose: Specifies the enable password as the login authentication method.

Step 4
Command: wlan(config)# radius-server host {hostname | ip_address} [auth-port port_number] [acct-port port_number]
Purpose: Defines the RADIUS server used to LEAP-authenticate devices.

Step 5
Command: wlan(config)# radius-server key string
Purpose: Sets the authentication and encryption key for all RADIUS communications between the module and the RADIUS server. The radius-server key command has no default value; however, the key must match the encryption key used on the RADIUS server.

Step 6
Command: wlan(config)# wlccp authentication-server infrastructure leap-devices
Purpose: Defines a method that authenticates the other access points.

Step 7
Command: wlan(config)# wlccp authentication-server client any leap-devices
Purpose: Defines a method that authenticates the client devices (a client server group) and what EAP types those clients use.

This example shows how to configure the Wireless LAN Services Module as the WDS device:

wlan# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
wlan(config)# aaa new-model
wlan(config)# aaa authentication login leap-devices group radius
wlan(config)# aaa authentication login default enable
wlan(config)# radius-server host 10.91.104.76 auth-port 1645 acct-port 1646
wlan(config)# radius-server key cisco
wlan(config)# wlccp authentication-server infrastructure leap-devices
wlan(config)# wlccp authentication-server client any leap-devices
wlan(config)# end

Configuring Local Authentication

To configure the WLSM as a local authenticator, refer to Chapter 8, "Configuring an Access Point as a Local Authenticator," in the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i12215ja/i12215sc/s15local.htm

Configuring the Access Points

To configure the access points to use the WDS, refer to Chapter 11, "Configuring WDS, Fast Secure Roaming, and Radio Management," in the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i12215ja/i12215sc/s15roamg.htm

Displaying Layer 3 Mobility and Wireless Network Information

To display Layer 3 mobility and wireless network information, perform these tasks from the supervisor engine:

Command
Purpose

Router# show mobility [ap | mn | network | status]

Displays Layer 3 mobility and wireless network information.

Router# show mls cef adjacency [all | decap-tunnel | encap-tunnel | entry]

Displays information about the hardware Layer 3 switching adjacency node.


This example shows the output of the various show mobility commands issued from a Supervisor 720:

Sup720...#show mobility ap
Codes: * - dynamic network ID, otherwise - static network ID

 AP IP Address   AP Mac Address  Wireless Network-ID
---------------  --------------  -------------------
10.10.0.36       0013.5f0c.41c5  
10.10.0.64       000b.5f19.665f  100 101 102 103
10.10.0.65       0005.9a39.b03a  
10.10.0.67       000b.fcfb.7ca6  *102 


Sup720...#show mobility ap 10.10.0.67 detail
IP Address                    : 10.10.0.67
MAC Address                   : 000b.fcfb.7ca6
Participating Wireless Tunnels: 
102, Dynamic (Dyanmic MN = 1)

Registered Mobile Nodes on AP :
MN Mac Address  MN IP Address  AP IP Address  Wireless Network-ID  Flags
--------------  -------------  -------------  -------------------  -----
0007.0eb9.3d78  172.16.3.26    10.10.0.67     102                  D F  

Flags: D=Dynamic network ID, F=Fresh, G=Grace Period


Sup720...#show mobility mn
MN Mac Address  MN IP Address  AP IP Address  Wireless Network-ID  Flags
--------------  -------------  -------------  -------------------  -----
0007.0eb9.3d78  172.16.3.26    10.10.0.67     102                  D F  

Flags: D=Dynamic network ID, F=Fresh, G=Grace Period


Sup720...#show mobility mn ip 172.16.3.26
MN Mac Address  MN IP Address  AP IP Address  Wireless Network-ID  Flags
--------------  -------------  -------------  -------------------  -----
0007.0eb9.3d78  172.16.3.26    10.10.0.67     102                  D F  

Flags: D=Dynamic network ID, F=Fresh, G=Grace Period

Sup720...#show mobility network 102
Wireless Network ID                : 102
Wireless Tunnel Source IP Address  : 10.80.0.3
Wireless Network Attributes        : Trusted, Broadcast Enabled, Multicast Enabd
Wireless Network State             : Up

Registered Access Point on Wireless Network 102:
Codes: * - dynamic network ID, otherwise - static network ID

 AP IP Address   AP Mac Address  Wireless Network-ID
---------------  --------------  -------------------
10.10.0.64       000b.5f19.665f  100 101 102 103
10.10.0.67       000b.fcfb.7ca6  *102 

Registered Mobile Nodes on Wireless Network 102:
MN Mac Address  MN IP Address  AP IP Address  Wireless Network-ID  Flags
--------------  -------------  -------------  -------------------  -----
0007.0eb9.3d78  172.16.3.26    10.10.0.67     102                  D F  

Flags: D=Dynamic network ID, F=Fresh, G=Grace Period
Sup720...#show mobility status

Primary WLAN Module is located in Slot: 1 (HSRP State: Not Applicable)
LCP Communication status      : up
No Secondary WLAN Module in the system
WLSM recovery period remaining: 0 seconds
MAC address used for Proxy ARP: 0005.5f54.5800
Number of Wireless Tunnels    : 4
Number of Access Points       : 4
Number of Mobile Nodes        : 1

Wireless Tunnel Bindings: 
Tunnel           Src IP Address   Wireless Network-ID  Flags  
---------------  ---------------  -------------------  -------
Tunnel100        10.80.0.1        100                  TB  M 
Tunnel101        10.80.0.2        101                  TB  M 
Tunnel102        10.80.0.3        102                  TB  M 
Tunnel103        10.80.0.4        103                      M 

Flags: T=Trusted, B=IP Broadcast enabled, M=IP Multicast enabled
       A=TCP Adjust-mss enabled, D=Discover passive MN's IP address

To display Layer 3 mobility and wireless network information, perform these tasks from the Wireless LAN Services Module:

Command
Purpose

wlan# show wlccp wds [aggregator | ap | mn | mobility | nm | statistics]

Displays the access points or mobile nodes registered on the network.

wlan# show wlccp wds statistics

Displays the current WLCCP statistics.

wlan# show wlan [admin-info | crash-info |mac | status | version | vlan ]

Displays information about the wireless LAN.


This example shows the output of the various show wlccp wds commands issued from the WLSM:

WLSM>show wlccp wds aggregator ap

RM Aggregator APs Status [Maximum APs Supported 1024]: 

NUM   IPADDR        REQ   ACK   RPT    AGG-RPT
1    10.10.0.52      54    54    2965     899
2    10.10.0.65      318   318   70750    14573
3    10.10.0.54      2413  2235  86445    33665
4    10.10.0.64      522   472   14823    7106
5    10.10.0.51      37    37    10477    1874
6    10.10.0.55      1594  1594  386476   70712

Total APs: 6

WLSM>show wlccp wds aggregator statistics

RM Aggregator Statistics:
        Maximum Size of the Requests Received: 1124
        Requests Received Count: 3332
        Request Acknowledgment Sent Count: 3332
        Route Response Sent Count: 4717
        Route Response Partially Sent Count: 7

        Request Sent to APs Count: 4938
        Request to AP Send Failure Count: 0
        Request to AP Send Failure due to Unregistered APs Count: 21
        Request Acks Received Count: 4710

        RM Reports Received Count: 571948
        Aggregate RM Reports Sent Count: 128832
        General Event Reports Received Count: 0
        Oversize AP-RM Reports Drop Count: 0
        Oversize WLSE-RM Reports Drop Count: 0

        Invalid WLCCP Message Received Count: 0
        Decode Errors Count: 0
        Encode Errors Count: 0
        Malloc Errors Count: 0
RM Library Statistics:
        Protocol Errors: 0
        MIC Errors: 0
        Packet Allocation Errors: 0
        Memory Allocation Errors: 0
        Data Enqueue Errors: 0
        Zero Length Packet Errors: 0
        Most Recent Error: 

WLSM>show wlccp wds ap
  HOSTNAME                           MAC-ADDR      IP-ADDR          STATE   
 AP1200_25                        000b.5f19.665f  10.10.0.64      REGISTERED   
 Seagle_ap1                       000b.fcfb.7ca6  10.10.0.67      REGISTERED   
 Cisco_AP                         0013.5f0c.41c5  10.10.0.36      REGISTERED  


WLSM>show wlccp wds mn 
    MAC-ADDR       IP-ADDR          Cur-AP            STATE
0007.0eb9.3d78  172.16.3.26     000b.fcfb.7ca6      REGISTERED


WLSM>show wlccp wds mobility network-id 102

Mobile Nodes in Wireless Network 102
MAC Address    IP Address      Current AP IP   Old AP IP       State
============== =============== =============== =============== ========
0007.0eb9.3d78 172.16.3.26     10.10.0.67      10.10.0.67      REGISTERED

WLSM>show wlccp wds statistics 

WDS Statistics for last 6w6d:
        Current AP count:                4
        Current MN count:                1
        AAA Auth Attempt count:          90342
        AAA Auth Success count:          650
        AAA Auth Failure count:          80486
        MAC Spoofing Block count:        0
        Roaming without AAA Auth count:  0
        Roaming with full AAA Auth count:36
        Fast Secured Roaming count:      0
        MSC Failure count:               0
        KSC Failure count:               0
        MIC Failure count:               0
        RN Mismatch count:               0

WLSM>show wlccp wds statistics roaming
MN Roamings five seconds avg: 5; one minute avg: 3; five minutes avg: 3
Start time: 07:44:18.199 UTC Tue Apr 19 2005
 WNID      Total   NO Auth  AAA Auth   Fast Secured   5Sec   1Min   5Min
All        1200       400       500            300     10      6      3
WLSM# show wlccp wds statistics roaming detail
MN Roamings five seconds avg: 5; one minute avg: 3; five minutes avg: 3
Start time: 07:44:18.199 UTC Tue Apr 19 2005
 WNID   Total Roams  NO Auth AAA Auth   Fast Secured  5Sec RPS  1Min RPS 5Min RPS
   1         300       100       100            100     15        10       5
   2         400       200       100            100     20         3       2
   3         500       100       300            100      5         7       4
 All        1200       400       500            300     10         6       3


WLSM>show wlan admin-info
WLAN administration VLAN: 100
WLAN administration IP address: 10.100.0.2
WLAN administration gateway: 10.100.0.1


WLSM>show wlan status fdu 
FDU cpu is alive!
FDU cpu utilization:
    % process util   : 0             % interrupt util : 0         

    proc cycles : 0x50A9C824D        int cycles  : 0x69A38D20F     
    total cycles: 0x8DC6B0A35DB68   
    % process util (5 sec)   : 0             % interrupt util (5 sec) : 0       
    % process util (1 min)  : 0             % interrupt util (1 min): 0         
    % process util (5 min)  : 0             % interrupt util (5 min) : 0 


WLSM>show wlan version 
Cisco IOS Software, SVCWLAN Software (SVCWLAN-K9W7Y9-M), Version 2.1.1]
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 16-Nov-05 10:05 by wnbubld

ROM: System Bootstrap, Version 12.2(11)YS1 RELEASE SOFTWARE 

REQ_TME_WLSM uptime is 6 weeks, 6 days, 2 hours, 43 minutes
System returned to ROM by power-on
System restarted at 14:46:50 UTC Thu Nov 24 2005
System image file is "tftp://255.255.255.255/unknown"
AP Version 2.1(1)


wlan# show wlan vlan
VLAN index 200 (admin VLAN)
   IP addr 200.1.1.2 NetMask 255.255.255.0   Gateway 200.1.1.1
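The counters in show wlccp wds statistics are cumulative since the WDS started, and the sample above already shows the pattern worth watching for: 80486 AAA authentication failures against 90342 attempts, which is either a wrong RADIUS shared secret, an unreachable server, or something guessing credentials through the WDS. The following is an added example, not code from this configuration note or from Cisco, that parses that output, computes per-interval deltas between two polls (handling a counter reset after a WLSM reload), and raises alerts on a high failure ratio and on any nonzero integrity counter. The thresholds and the sample text, copied from the page's own output, are the editor's choices.

```python
import re

# Constructed sample, copied from the "show wlccp wds statistics" output shown on
# this page; the parsing and thresholds below are the editor's, not Cisco's.
SAMPLE_WDS_STATS = """\
WDS Statistics for last 6w6d:
        Current AP count:                4
        Current MN count:                1
        AAA Auth Attempt count:          90342
        AAA Auth Success count:          650
        AAA Auth Failure count:          80486
        MAC Spoofing Block count:        0
        Roaming without AAA Auth count:  0
        Roaming with full AAA Auth count:36
        Fast Secured Roaming count:      0
        MSC Failure count:               0
        KSC Failure count:               0
        MIC Failure count:               0
        RN Mismatch count:               0
"""

# "<name> count: <n>"; the name may contain spaces ("AAA Auth Failure").
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z ]*?) count:\s*(?P<value>\d+)\s*$")

# Gauges report current state; everything else is a counter since WDS start.
GAUGES = {"Current AP", "Current MN"}

# Counters whose increase points at an integrity or spoofing problem on the WLAN.
INTEGRITY_COUNTERS = ("MAC Spoofing Block", "MIC Failure", "MSC Failure",
                      "KSC Failure", "RN Mismatch")


def parse_wds_statistics(text):
    """Map each '<name> count: N' line to an int, e.g. {'AAA Auth Failure': 80486}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def counter_deltas(previous, current):
    """Per-interval increase of each counter; a counter that went backwards
    (WLSM reload, counters cleared) is treated as having restarted from zero."""
    deltas = {}
    for name, value in current.items():
        if name in GAUGES:
            deltas[name] = value
            continue
        prev = previous.get(name, 0)
        deltas[name] = value if value < prev else value - prev
    return deltas


def wds_alerts(counters, max_failure_ratio=0.5, min_attempts=100):
    """Return alert strings for a counter set (cumulative or a delta).

    min_attempts avoids alerting on a handful of failures; max_failure_ratio is
    a starting point to tune against the site's normal failure rate."""
    alerts = []
    attempts = counters.get("AAA Auth Attempt", 0)
    failures = counters.get("AAA Auth Failure", 0)
    if attempts >= max(min_attempts, 1) and failures / attempts > max_failure_ratio:
        alerts.append(
            f"AAA failure ratio {failures / attempts:.0%} ({failures}/{attempts}): "
            "check the RADIUS shared secret and server reachability, then look "
            "for credential guessing against the WDS")
    for name in INTEGRITY_COUNTERS:
        if counters.get(name, 0) > 0:
            alerts.append(f"{name} count is {counters[name]}: investigate the "
                          "access points and clients involved")
    return alerts


if __name__ == "__main__":
    stats = parse_wds_statistics(SAMPLE_WDS_STATS)
    for alert in wds_alerts(stats):
        print(alert)
```

In a polling setup, keep the previous parse, feed counter_deltas into wds_alerts with a lower min_attempts, and alert on the deltas rather than the lifetime totals; the lifetime ratio on the page would otherwise fire on every poll for six weeks.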

Configuring the DHCP Snooping Database

Wireless clients, or mobile nodes, assigned to an untrusted wireless network must be configured to use DHCP to obtain IP addresses from a DHCP server. The switch should have DHCP snooping enabled on the tunnel corresponding to the wireless network. Because the DHCP snooping database is not synchronized between the active and standby Supervisor 720, Cisco recommends that you store the DHCP snooping database on an external server. Storing the database on an external server allows the standby Supervisor to retrieve the accumulated states if a switchover occurs.

To configure DHCP snooping database options, perform these tasks:

Command
Purpose
Router(config)# ip dhcp snooping database {url}

Specifies the URL that stores the DHCP snooping database entries; url takes one of the following forms:

tftp://host/filename

ftp://user:password@host/filename

rcp://user@host/filename

bootflash:/filename (see Note 1)

None of these transports is encrypted, and the ftp form places a password in the running configuration. Restrict the server to the switch's address and treat the file, which lists the MAC-to-IP bindings of every untrusted client, as sensitive.

Router(config)# ip dhcp snooping database write-delay seconds

Specifies (in seconds) the duration for which the database transfer should be delayed after the database changes. The default is 300 seconds. The range is from 15 to 86400 seconds.

Note 1: Due to issues with storing the DHCP snooping database on the bootflash device, as documented in caveat CSCee23185, and the limited storage capacity of the bootflash device, we recommend that you store the database on an external server. When the file is stored in a remote location that is accessible through FTP, TFTP, or RCP, a redundant supervisor engine configured with RPR or SSO takes over the database when a switchover occurs.


This example shows how to specify the database URL using TFTP:

Router(config)# ip dhcp snooping database tftp://90.90.90.90/snooping-rp2

This example shows how to specify the amount of time before writing DHCP snooping entries:

Router(config)# ip dhcp snooping database write-delay 15


Note When you configure RPR or RPR+ redundancy, you must store the DHCP snooping database on an external server. Otherwise, mobile nodes in an untrusted network lose connectivity after a supervisor engine switchover.

When you configure SSO redundancy, tunnel endpoints for mobile nodes are always synchronized to the standby supervisor engine, so mobile nodes do not lose connectivity after a switchover even if the DHCP snooping database entries are not stored externally. However, the DHCP snooping database is emptied after the switchover. It is therefore advisable to store the DHCP snooping database externally for all redundancy modes, so that the new active supervisor engine retrieves it automatically.


Configuring Graceful Tunnel Resiliency

To configure graceful tunnel resiliency, set the wireless LAN recovery time on the Supervisor 720. This parameter is 0 by default, which disables the feature. A nonzero recovery time is the period for which the Supervisor 720 keeps forwarding data for already-authenticated mobile nodes after a WLSM failure; when the failure is detected, the recovery timer starts and the grace period begins.

When the WLSM comes back online, it reauthenticates the mobile nodes at the rate set by the wlccp wds recovery rate command on the WLSM, expressed as mobile nodes reauthenticated per second. The default is 40 per second. Because the grace period is time during which existing sessions are trusted without fresh authentication, size the recovery time to cover reauthentication of your current mobile-node count at that rate (mobile nodes divided by rate, plus a margin) rather than setting it to the maximum.

No configuration is required on the access points.

To enable and set the wireless LAN recovery time on the Supervisor 720, begin from the Privileged EXEC mode and perform this task:

 
Command
Purpose

Step 1 

Router# configure terminal

Enters configuration mode.

Step 2 

Router(config)# wlan recovery time seconds

Specifies the recovery time, or grace period, in seconds during which authenticated clients keep data connectivity without a refreshed wireless LAN session context after a WLSM failure. The default is 0 (which disables the feature); the range is 0 to 65535 seconds.

Step 3 

Router(config)# end

Exits configuration mode.

Step 4 

Router# write mem

Saves the configuration to NVRAM.

To verify or change the WLSM recovery rate setting, open the WLSM console, begin from Privileged EXEC mode, and perform this task:

 
Command
Purpose

Step 1 

WLSM# configure terminal

Enters configuration mode.

Step 2 

WLSM(config)# wlccp wds recovery rate rate

Specifies the number of mobile-node reauthentications per second that the WLSM sends to the AAA server after it comes back online. The rate throttles the load on the AAA server after a WLSM failover; a rate the server cannot sustain turns the recovery into a second outage. The default is 40 reauthentications per second; the range is 0 to 1000 per second.

Step 3 

WLSM (config)# end

Exit configuration mode.

Step 4 

WLSM# write mem

Saves configuration to NVRAM.

Use the show mobility mn command to check the output on the Supervisor 720 during a recovery period, as shown in the following example:

Router# show mobility mn
MN Mac Address  MN IP Address  AP IP Address  Wireless Network-ID  Flags
--------------  -------------  -------------  -------------------  -----
0007.0eb9.3d78  172.16.3.26    10.10.0.67     102                  G

Flags: D=Dynamic network ID, F=Fresh, G=Grace Period

You can check the status of a mobile node using the show dot11 associations command on the access point. This mobile node would be shown in a rediscover state, as shown in the following example:

ap# show dot11 associations
802.11 Client Stations on Dot11Radio0:

SSID: [test]
MAC Address     IP Address   Device      Name     Parent  State
0007.0eb9.3d78  10.10.0.67   350-client  testap1  self    Rediscover
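The two preceding sections, "Configuring the DHCP Snooping Database" and "Configuring Graceful Tunnel Resiliency", both reduce to checks a practitioner can run against show mobility status and the Supervisor 720 running configuration: every tunnel without the T (Trusted) flag must have DHCP snooping, the snooping database must be on an external server rather than bootflash, and the wlan recovery time must be nonzero yet no longer than the time needed to reauthenticate the current mobile nodes at the WLSM's wlccp wds recovery rate. The following is an added example by the editor, not code from this note or from Cisco, that performs those three checks. The show mobility status text is abridged from the page's own output; the running-config excerpts are constructed, and the interface-level line ip dhcp snooping packets is assumed to be the per-tunnel snooping command, which this page does not show.

```python
import math
import re

# Constructed sample, abridged from the "show mobility status" output on this page:
# Tunnel103 carries no T flag, so wireless network 103 is untrusted.
SHOW_MOBILITY_STATUS = """\
Number of Wireless Tunnels    : 4
Number of Access Points       : 4
Number of Mobile Nodes        : 1

Wireless Tunnel Bindings:
Tunnel           Src IP Address   Wireless Network-ID  Flags
---------------  ---------------  -------------------  -------
Tunnel100        10.80.0.1        100                  TB  M
Tunnel101        10.80.0.2        101                  TB  M
Tunnel102        10.80.0.3        102                  TB  M
Tunnel103        10.80.0.4        103                      M
"""

# Constructed Supervisor 720 running-config excerpts (hypothetical). The per-tunnel
# "ip dhcp snooping packets" line is assumed to be the tunnel snooping command;
# it is not shown on this page.
CONFIG_WEAK = """\
ip dhcp snooping
ip dhcp snooping database bootflash:/snooping-db
wlan recovery time 0
!
interface Tunnel100
 mobility network-id 100
 mobility trust
!
interface Tunnel103
 mobility network-id 103
!
"""

CONFIG_HARDENED = CONFIG_WEAK.replace(
    "bootflash:/snooping-db", "tftp://90.90.90.90/snooping-rp2").replace(
    "wlan recovery time 0", "wlan recovery time 300").replace(
    " mobility network-id 103\n", " mobility network-id 103\n ip dhcp snooping packets\n")

TUNNEL_RE = re.compile(r"^(Tunnel\d+)\s+\d+\.\d+\.\d+\.\d+\s+(\d+)\s+([A-Z ]*)$")


def parse_mobility_status(text):
    """Return (mobile_node_count, {tunnel: {'wnid': int, 'flags': set of letters}})."""
    tunnels, mn_count = {}, 0
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            tunnels[m.group(1)] = {"wnid": int(m.group(2)),
                                   "flags": set(m.group(3).replace(" ", ""))}
        elif line.startswith("Number of Mobile Nodes"):
            mn_count = int(line.split(":")[1])
    return mn_count, tunnels


def parse_running_config(text):
    """Split IOS config into global lines and {interface: [indented lines]}."""
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and line != "!":
                global_lines.append(line.rstrip())
    return global_lines, interfaces


def audit(status_text, config_text, recovery_rate=40):
    """recovery_rate is the WLSM 'wlccp wds recovery rate' in reauthentications
    per second (default 40); it sets how long reauthenticating every MN takes."""
    findings = []
    mn_count, tunnels = parse_mobility_status(status_text)
    global_lines, interfaces = parse_running_config(config_text)

    # 1. Mobile nodes on an untrusted network rely on DHCP snooping bindings.
    if "ip dhcp snooping" not in global_lines:
        findings.append("DHCP snooping is not enabled globally")
    for name, t in tunnels.items():
        if "T" not in t["flags"] and "ip dhcp snooping packets" not in interfaces.get(name, []):
            findings.append(f"{name} (network {t['wnid']}) is untrusted but has no DHCP snooping")

    # 2. The binding database must be off-box to survive a supervisor switchover.
    db_url = next((g.split()[4] for g in global_lines
                   if g.startswith("ip dhcp snooping database ")
                   and not g.startswith("ip dhcp snooping database write-delay")), None)
    if db_url is None:
        findings.append("no DHCP snooping database URL configured")
    elif not db_url.startswith(("tftp://", "ftp://", "rcp://")):
        findings.append(f"DHCP snooping database {db_url} is not on an external server")

    # 3. The grace period must be long enough to reauthenticate every current MN,
    #    but no longer: it is time during which sessions persist without fresh auth.
    recovery_time = next((int(g.split()[3]) for g in global_lines
                          if g.startswith("wlan recovery time ")), 0)
    needed = math.ceil(mn_count / recovery_rate)
    if recovery_time == 0:
        findings.append("wlan recovery time is 0: graceful tunnel resiliency is disabled")
    elif recovery_time < needed:
        findings.append(f"wlan recovery time {recovery_time}s is below the {needed}s "
                        f"needed to re-authenticate {mn_count} mobile nodes at {recovery_rate}/s")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_MOBILITY_STATUS, CONFIG_WEAK):
        print(finding)
```

Run against CONFIG_WEAK the audit reports the untrusted Tunnel103, the bootflash database and the disabled recovery timer; against CONFIG_HARDENED it reports nothing. The third check deliberately uses the live mobile-node count, since a recovery time that was adequate at deployment stops being adequate once the access-point scalability in this release fills the WLSM with more clients.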

Configuring Two WLSMs on One Chassis

To configure two WLSMs on the same chassis, use the standby ip command to activate HSRP on each WDS. Beginning in the Privileged EXEC mode, perform this task:

 
Command
Purpose

Step 1 

WLSM# config terminal

Enters configuration mode.

Step 2 

WLSM (config)# wlan vlan x

Accesses the VLAN used for Supervisor 720 and WLSM communication