Q. What is the CiscoWorks Wireless LAN Solution Engine (WLSE)?
A. CiscoWorks WLSE is a centralized, systems-level solution for managing the entire Cisco® Aironet® wireless LAN (WLAN) infrastructure. The advanced radio frequency (RF) and device-management features of CiscoWorks WLSE simplify the everyday operation of WLANs, help to ensure smooth deployment, enhance security, and maximize network availability, while reducing deployment and operating expense. The CiscoWorks WLSE is a core component of the Cisco Structured Wireless-Aware Network (SWAN) autonomous access-point solution.
Q. What is Cisco SWAN?
A. Cisco SWAN provides the framework to integrate and extend wired and wireless networks to deliver the lowest possible total cost of ownership for organizations deploying WLANs. Cisco SWAN extends "wireless awareness" into important elements of the network infrastructure, providing the same level of security, scalability, reliability, ease of deployment, and management for wireless LANs that organizations have come to expect from their wired LANs.
Q. What are the primary benefits of Cisco SWAN?
A. Cisco SWAN reduces overall operational expenses by simplifying network operations and management. With Cisco SWAN, several, hundreds, or thousands of central or remotely located Cisco access points can be managed from a single management console. Cisco SWAN's flexibility allows network managers to design networks to meet their specific needs, whether implementing a highly integrated network design or a simple overlay network.
Q. What role does CiscoWorks WLSE perform in the Cisco SWAN framework?
A. CiscoWorks WLSE provides centralized, comprehensive management for the Cisco SWAN autonomous access-point solution. CiscoWorks WLSE, working with Cisco Aironet access points and a Wireless Domain Services (WDS) device, provides visibility into the RF network, including coverage displays, continual "Air/RF" monitoring, network security with intrusion detection and suppression, simplified deployment, self-healing capabilities, and network optimization. CiscoWorks WLSE also assists network managers by automating and simplifying mass configuration deployment, fault and policy monitoring and alerting, tracking wireless clients, and reporting.
Q. How many Cisco Aironet access points can CiscoWorks WLSE manage?
A. CiscoWorks WLSE has the capacity to manage up to 2500 Cisco Aironet access points from a single CiscoWorks WLSE appliance.
Q. Can CiscoWorks WLSE be used to manage deployments of more than 2500 Cisco Aironet access points?
A. Yes. Multiple CiscoWorks WLSEs can be deployed to manage networks with more than 2500 Cisco Aironet access points.
Q. Which Cisco Aironet access points are supported by CiscoWorks WLSE?
A. CiscoWorks WLSE supports Cisco Aironet 1230 AG, Aironet 1200, Aironet 1130 AG, Aironet 1100, and Aironet 350 series access points. It also supports the Cisco Aironet 1300 Access Point/Bridge.
Q. Does CiscoWorks WLSE support the Cisco 1000 Series lightweight access points (formerly Airespace access points)?
A. No. The Cisco 1000 Series lightweight access points are supported by the Cisco Wireless Control System.
Q. Do Cisco Aironet access points need to run Cisco IOS® Software to support the Cisco SWAN framework?
A. Yes, only Cisco Aironet access points running Cisco IOS Software can support Cisco SWAN and send RF management data back to CiscoWorks WLSE.
Q. Can CiscoWorks WLSE upgrade Cisco Aironet 1200 and Aironet 350 series access points running VxWorks software to Cisco IOS Software?
A. Yes, CiscoWorks WLSE provides centralized mass conversion capabilities. Some configuration settings are not preserved in this conversion process; they can be easily recreated using the configuration templates available in CiscoWorks WLSE.
Q. Does CiscoWorks WLSE support Cisco Aironet wireless bridges?
A. Yes. CiscoWorks WLSE provides network management support, including configuration, monitoring, and reporting for the Cisco Aironet 1400 Wireless Bridge and Cisco Aironet 1300 Access Point/Bridge in wireless bridge mode. CiscoWorks WLSE provides Cisco SWAN support for the Cisco Aironet 1300 when it is configured in access-point mode.
Q. Does CiscoWorks WLSE support IEEE 802.11a, b, and g networks?
A. Yes. CiscoWorks WLSE supports IEEE 802.11a, b, and g networks.
Q. Does CiscoWorks WLSE support the Cisco Wireless IP Phone 7920?
A. The Cisco Wireless IP Phone 7920 is supported by CiscoWorks WLSE as a wireless client. CiscoWorks WLSE provides client-association reports and client-tracking support for the Cisco Wireless IP Phone 7920. The client-tracking feature can be used for troubleshooting and finding associated access points.
Q. Does CiscoWorks WLSE support the Cisco Catalyst® 6500 Series Wireless LAN Services Module (WLSM)?
A. Yes. CiscoWorks WLSE interoperates with the Cisco SWAN Wireless Domain Services (WDS) software feature. Cisco SWAN WDS can run on both Cisco Aironet access points and the Cisco Catalyst 6500 Series WLSM. Cisco SWAN WDS aggregates radio management information received from the access points and client devices and sends this information to the CiscoWorks WLSE where it is used to manage, monitor, and control the RF environment.
RF MANAGEMENT AND WIRELESS DOMAIN SERVICES
Q. What is Cisco SWAN WDS?
A. Cisco SWAN WDS is a collection of Cisco IOS Software features that enhance WLAN client mobility, help to ensure WLAN security, and simplify WLAN deployment and management. Cisco SWAN WDS can be located in Cisco Aironet access points or Cisco Catalyst switches. The Cisco SWAN WDS device communicates with CiscoWorks WLSE.
Q. What platforms can operate as a Cisco SWAN WDS device?
A. A Cisco SWAN WDS device can be a Cisco Aironet 1230 AG, Aironet 1200, Aironet 1130 AG, or Aironet 1100 series access point, or a Cisco Catalyst 6500 Series WLSM.
Q. Is Cisco SWAN WDS required for RF management when the Cisco SWAN autonomous access point solution is used?
A. Yes. A WDS device is required for the Cisco SWAN autonomous access-point solution. For deployments that use access-point-based WDS, at least one Cisco SWAN WDS access point per subnet is required for RF management of that subnet. For deployments that use the switch-based WDS on the Cisco Catalyst 6500 Series WLSM, up to 300 access points per device across subnets can be supported by a single Cisco Catalyst 6500 Series WLSM.
Q. How is Cisco SWAN WDS related to CiscoWorks WLSE?
A. RF measurements taken by access points (and optionally Cisco or Cisco compatible client devices) within a given subnet are aggregated by the WDS device and forwarded to CiscoWorks WLSE for analysis. Based on the measurements received from the WDS device, CiscoWorks WLSE can detect rogue access points and interference from other devices, provide assisted site surveys, and support WLAN self-healing for optimal channel and power-level setting.
Q. Can Cisco Aironet access points support clients while scanning the air/RF environment?
A. Yes. Cisco Aironet access points are multifunctional. In addition to serving clients, they also provide air/RF monitoring.
Q. Are third-party switches supported for rogue access-point switch-port tracing and shutdown?
A. No. CiscoWorks WLSE uses the Cisco Discovery Protocol and standard Simple Network Management Protocol (SNMP) MIBs to trace rogue access points to specific switch ports, and thus supports Cisco switches exclusively.
Q. Can a rogue access point configured on a different channel than the access point that is scanning the RF environment be detected?
A. Yes. Cisco Aironet access points can monitor both the serving channel and nonserving channels, so a rogue access point configured on a different channel than the access point scanning the RF environment can be detected.
Q. Is there service disruption to associated clients when an access point performs air/RF scanning?
A. No. There is no service disruption to associated clients when an access point performs air/RF scanning.
Q. Can an IEEE 802.11a rogue access point be detected by an IEEE 802.11b/g radio?
A. No. An IEEE 802.11a radio is required to detect an IEEE 802.11a rogue access point. Dual-mode IEEE 802.11a/b/g Cisco Aironet 1230 AG, Aironet 1200, or Aironet 1130 AG series access points can be deployed to detect IEEE 802.11a/b/g rogue access points.
WIRELESS LAN INTRUSION DETECTION AND PROTECTION
Q. Does the Cisco SWAN autonomous access-point solution support a WLAN intrusion detection system (IDS)?
A. Yes. The Cisco SWAN autonomous access-point solution supports a WLAN IDS. WLAN IDS helps to secure WLANs from malicious and unauthorized access. It detects and suppresses rogue access points, detects unassociated clients, detects unauthorized networks, and mitigates network attacks. The system is deployable as either an integrated or dedicated solution through Cisco Aironet access points.
Q. What is the Cisco SWAN Integrated WLAN IDS for autonomous access points?
A. Cisco SWAN Integrated WLAN IDS uses a Cisco Aironet access point deployed with its radio (802.11a, b, or g) placed in multifunction mode to service client devices and provide WLAN intrusion monitoring. In this configuration, an access point functions as both an active 802.11 infrastructure device and as an 802.11 scanning device. Basic WLAN IDS capabilities such as rogue access-point detection and unauthorized client network detection are supported.
Q. What is the Cisco SWAN Dedicated WLAN IDS for autonomous access points?
A. Cisco SWAN Dedicated WLAN IDS uses a Cisco Aironet access point deployed with its radio (802.11a, b, or g) placed in scanning-only mode to support only WLAN intrusion monitoring. In this configuration, an access point functions as an 802.11 scanning-only device providing continuous, 24-hour monitoring of the RF environment. The access point's full bandwidth is dedicated to intrusion detection RF monitoring.
Q. How do I deploy Cisco Aironet access points operating in scanning-only mode?
A. Cisco Aironet access points operating in scanning-only mode are deployed as dedicated access points to detect intrusions. Because scanner-mode access points are not supporting client devices, only a small number of access points, with higher gain antennas, need to be deployed for complete dedicated WLAN IDS. Scanner-mode access points can also be deployed as an overlay to an existing integrated WLAN deployment for advanced WLAN IDS support.
Q. How does CiscoWorks WLSE contain any rogue access points that have been detected through air/RF monitoring?
A. CiscoWorks WLSE traces the switch port of the detected rogue access point. It provides an effective means of tracing rogue access points by monitoring and using the clients associated to rogue access points. When a switch port is traced, CiscoWorks WLSE can shut down the switch port, disabling the rogue from accessing the network.
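One way a switch-port trace of the kind described in the rogue access-point answers above (tracing with the Cisco Discovery Protocol and SNMP data, and using the clients associated to the rogue) can work, as an added example that is not Cisco's implementation or part of the original FAQ. The tables are constructed sample data standing in for SNMP poll results; switch names, ports, MAC addresses, and function names are assumptions.

```python
"""Trace a rogue AP to an edge switch port from CDP and forwarding-table data."""
import re

# Constructed sample data. FDB: switch -> {mac: port the MAC was learned on},
# as a bridge forwarding table polled over SNMP would report it (assumption).
FDB = {
    "core-sw":    {"02:00:00:aa:bb:01": "Gi1/1", "02:00:00:aa:bb:02": "Gi1/1",
                   "02:00:00:cc:dd:09": "Gi1/2"},
    "access-sw1": {"02:00:00:aa:bb:01": "Fa0/7", "02:00:00:aa:bb:02": "Fa0/7",
                   "02:00:00:cc:dd:09": "Gi0/1"},
    "access-sw2": {"02:00:00:cc:dd:09": "Fa0/3"},
}
# CDP: switch -> {port: neighbouring switch seen on that port} (constructed).
CDP = {
    "core-sw":    {"Gi1/1": "access-sw1", "Gi1/2": "access-sw2"},
    "access-sw1": {"Gi0/1": "core-sw"},
    "access-sw2": {"Gi0/1": "core-sw"},
}


def normalize(mac):
    """Accept 0200.00aa.bb01, 02-00-00-AA-BB-01, etc.; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def trace_mac(mac, seed, fdb=FDB, cdp=CDP):
    """Follow one MAC hop by hop until it sits on a port with no CDP neighbour."""
    switch, visited = seed, set()
    while switch not in visited:
        visited.add(switch)
        port = fdb.get(switch, {}).get(mac)
        if port is None:
            return None              # not learned here (aged out or never seen)
        neighbour = cdp.get(switch, {}).get(port)
        if neighbour is None:
            return (switch, port)    # no switch behind this port: edge port
        switch = neighbour           # uplink: continue on the next switch
    return None                      # stale or looping data, give no answer


def trace_rogue(radio_mac, client_macs, seed):
    """Trace the rogue's own MAC and the MACs of clients associated to it.

    Returns (switch, port, evidence_macs) only when every traceable MAC lands
    on the same edge port; ambiguous results return None so that nothing is
    shut down on weak evidence.
    """
    hits = {}
    for mac in [radio_mac, *client_macs]:
        mac = normalize(mac)
        location = trace_mac(mac, seed)
        if location:
            hits.setdefault(location, []).append(mac)
    if len(hits) != 1:
        return None
    (switch, port), evidence = next(iter(hits.items()))
    return switch, port, evidence


if __name__ == "__main__":
    # The rogue's radio MAC never appears on the wire; its clients' MACs do.
    print(trace_rogue("0200.00ff.0010",
                      ["0200.00AA.BB01", "02-00-00-aa-bb-02"], "core-sw"))
```

Because the trace stops only at a port with no CDP neighbour, an uplink between switches is never returned as a candidate for shutdown.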
DEPLOYMENT, MANAGEMENT AND TROUBLESHOOTING
Q. What is the CiscoWorks WLSE feature called "auto-configuration" for access points?
A. Auto-configuration facilitates automatic downloading of configurations to newly deployed access points and bridges based on customer-defined templates. This simplifies and speeds up the deployment of new access points. CiscoWorks WLSE 2.11 introduces a deployment wizard that allows administrators to define their configuration policies for access points up front based on the location. The wizard also simplifies and automates the setup for access-point-based WDS. CiscoWorks WLSE can automatically designate a primary and backup access-point-based WDS per subnet and automatically generate configurations and credentials.
Q. How does access-point automatic configuration work?
A. The network administrator can use the CiscoWorks WLSE deployment wizard to specify the access-point configuration policies and setup based on the location (subnet). When the new access point boots, it receives the CiscoWorks WLSE information from the Dynamic Host Configuration Protocol (DHCP) server and downloads the default configuration. Specific configuration templates based on device type, subnet, and software version can be applied automatically on authorized access points.
Q. Can shared keys and other security parameters be configured using the auto-configuration feature?
A. Yes. Shared keys and other security parameters can be configured using the specific configuration templates based on device type, subnet, and so on.
Q. Can CiscoWorks WLSE be used to archive access-point and bridge configurations?
A. Yes. CiscoWorks WLSE can save up to four configurations for each device. Device configuration can be archived on demand, or scheduled to run periodically. Users can view, search, and compare configurations.
Q. Is a client walkabout required for the assisted site survey?
A. No. Client walkabouts are optional for the assisted site survey. CiscoWorks WLSE can provide optimal channel and power-level settings based on only the access point air/RF monitoring phase of the assisted site survey. However, performing client walkabouts during the assisted site survey is recommended because it increases the coverage for RF management and it makes the surveys more effective. A Cisco client adapter or a Cisco compatible client adapter can be used to perform a client walkabout.
Q. How is the Cisco SWAN autonomous access-point solution self-healing?
A. If CiscoWorks WLSE detects that an access point has failed, it compensates by automatically increasing the power and cell coverage of nearby access points. This WLAN self-healing minimizes the outage impact to wireless client devices and maximizes the availability of wireless applications. Self-healing also recalculates power coverage when the radio comes back up. CiscoWorks WLSE also periodically assesses the performance of the network from the established radio setting and performance baseline. Alerts are generated for performance degradation.
Q. When CiscoWorks WLSE increases the power of access points to cover for a lost radio access point during WLAN self-healing, is there service disruption to existing client devices?
A. No. There is no service disruption to client devices associated to access points that have increased their power during WLAN self-healing.
Q. Can CiscoWorks WLSE be used to track a wireless client device?
A. Yes. CiscoWorks WLSE can be used to discover the associated access point of a specific client device. Client lookup by MAC address, user name, and client name is supported. User name lookup is supported for IEEE 802.1X-standard Cisco LEAP and Protected Extensible Authentication Protocol (PEAP) running on Cisco Secure Access Control Server (ACS). Because Cisco SWAN WDS notifies CiscoWorks WLSE when a client roams, this information is available in near real time, as opposed to a polling-based model.
Q. What Extensible Authentication Protocol (EAP) monitoring capabilities are provided for Cisco Secure ACS?
A. CiscoWorks WLSE monitors the authentication response time from the EAP server running on Cisco Secure ACS by performing synthetic authentication transactions using Cisco LEAP, PEAP, or EAP-Flexible Authentication via Secure Tunneling (EAP-FAST). Administrators can set up response-time fault thresholds, and receive notifications when response time exceeds specified thresholds. Generic RADIUS server monitoring is also supported.
Q. How does CiscoWorks WLSE gather fault and performance data?
A. The CiscoWorks WLSE queries standard SNMP MIBs from Cisco devices whenever possible. Administrators can specify polling intervals and define thresholds for monitored data. When thresholds are exceeded, CiscoWorks WLSE can generate northbound alarms and traps through SNMP traps, syslog messages, and e-mail notifications. This allows wireless fault information from deployed CiscoWorks WLSEs to be consolidated using a higher-level network management system, such as HP OpenView or the Cisco Information Center.
Q. Can there be multiple syslog or trap receivers that receive messages from the CiscoWorks WLSE?
A. Yes. Multiple syslog or trap receivers can be defined.
Q. Does CiscoWorks WLSE receive SNMP traps from the WLAN infrastructure?
A. No. The CiscoWorks WLSE monitors the WLAN infrastructure using SNMP polling and in turn generates SNMP trap messages to be forwarded to other network management applications when user-defined thresholds are exceeded.
Q. How much historical data can CiscoWorks WLSE store?
A. The CiscoWorks WLSE can save up to a few weeks of historical data. Administrators can specify both aggregation and truncation frequencies for the monitored data.
Q. Does CiscoWorks WLSE support Multiple Basic Service Set Identifiers (MBSSID) on Cisco Aironet access points?
A. Yes, CiscoWorks WLSE can be used to configure and monitor MBSSIDs. Security policies for multiple basic Service Set Identifiers (SSIDs) can be defined and monitored.
Q. Can a device-level access-point interface be launched from the CiscoWorks WLSE?
A. Yes. A device-level Web interface can be launched and independently used to configure an access point or a bridge from the CiscoWorks WLSE.
Q. Does CiscoWorks WLSE provide a visual representation of Cisco Aironet access points?
A. Yes. CiscoWorks WLSE (versions 2.5 and later) provides GUI visualization of Cisco Aironet access points and coverage displays with its Location Manager feature. Administrators can import a floor plan (.jpeg or .gif formats) and place the access points in approximate locations. A rogue access point's location is shown on the floor plan GUI.
Q. Where should CiscoWorks WLSE reside in the network?
A. In general, CiscoWorks WLSE should be placed in the central network operations center. It is typically connected to a Cisco Catalyst switch.
Q. Can the CiscoWorks WLSE hardware be upgraded?
A. No. The CiscoWorks 1130 and CiscoWorks 1130-19 for WLSE, the hardware that CiscoWorks WLSE runs on, have a fixed configuration. No components of the CiscoWorks 1130-19 can be upgraded or replaced in the field. As application needs change, new hardware configurations will be introduced into the product family to support changing requirements. This approach enhances the reliability and supportability of the CiscoWorks WLSE.
Q. Does the CiscoWorks WLSE support data backup and restore capabilities?
A. Yes. The CiscoWorks WLSE configuration data can be backed up to another device and later restored. Data backup can also be scheduled to run periodically, to minimize the data loss in the event of a CiscoWorks WLSE failure.
Q. Does CiscoWorks WLSE support redundancy?
A. Yes. The CiscoWorks WLSE supports warm-standby redundancy. A backup server can be configured to take over the wireless management in the case of a primary CiscoWorks WLSE failure. Data on primary and backup servers can be synchronized periodically (the minimum is 15 minutes). Multiple CiscoWorks WLSEs can be assigned and referenced by a virtual IP address to make this transparent to the user. Both primary and backup CiscoWorks WLSEs have to reside on the same subnet.
Q. Can CiscoWorks WLSE software run on a customer-provided workstation or server?
A. No. CiscoWorks WLSE software is available only preinstalled on the specialized CiscoWorks WLSE 1130 and 1130-19 hardware.
Q. How does CiscoWorks WLSE integrate with other network management systems?
A. When network faults are detected or user-defined performance thresholds are exceeded, CiscoWorks WLSE generates notifications through SNMP trap and syslog messages that can be forwarded to other network management systems. CiscoWorks WLSE also provides an Extensible Markup Language (XML) API for exporting device lists, faults, reports, and other settings for third-party integration and customization.
Q. What is the integration between the CiscoWorks WLSE and CiscoWorks LAN Management Solution (LMS)?
A. CiscoWorks LMS provides broad, generalized network operations management for a wide range of Cisco devices. It integrates with CiscoWorks WLSE in the following ways:
• CiscoWorks WLSE can be launched from CiscoWorks LMS and vice versa.
• A list of IP addresses and credentials from the inventory can be imported and exported between CiscoWorks LMS and CiscoWorks WLSE. Device import can be automated.
Q. Is CiscoWorks LMS required for CiscoWorks WLSE to work?
A. No. CiscoWorks LMS is not required for CiscoWorks WLSE to function.
Q. Is CiscoWorks WLSE required for CiscoWorks LMS to manage Cisco wireless devices?
A. No. CiscoWorks LMS can perform standard maintenance operations on Cisco Aironet access points just as it does for any other Cisco device. However, the operations in CiscoWorks LMS are generalized, and not specific to the unique factors involved in managing Cisco wireless-aware infrastructure. For complete management of wireless technology, CiscoWorks WLSE is required.
Q. Are hardware and software service support programs available? How are they ordered?
A. Yes. A Software Application Support (SAS) service contract can be purchased that provides Cisco Technical Assistance Center (TAC) support, Cisco.com Software Center access, and minor updates. You can also purchase a Cisco SMARTnet® hardware service contract that provides hardware support for the CiscoWorks 1130 and 1130-19. Contact your service representative for available options.
Q. How do I gain access to CiscoWorks WLSE software updates?
A. Software patches and updates are posted to the Cisco.com Software Center. Customers with existing SAS contracts can also obtain the latest release of CiscoWorks WLSE 2.11 software by using the Product Upgrade Tool at http://www.cisco.com/upgrade.