Creating Feature-Level Configuration Templates
Prime Infrastructure provides the following types of feature-level configuration templates:
- Features and technologies templates—Configurations that are specific to a feature or technology in a device’s configuration.
- CLI templates—User-defined templates that are created based on your own parameters. CLI templates allow you to choose the elements in the configurations. Prime Infrastructure provides variables that you replace with actual values and logic statements. You can also import templates from the Cisco Prime LAN Management System.
- Composite templates—Two or more feature or CLI templates grouped together into one template. You specify the order in which the templates contained in the composite template are deployed to devices.
Creating Features and Technologies Templates
Features and Technologies templates are templates that are based on device configuration and that focus on specific features or technologies in a device’s configuration.
When you add a device to Prime Infrastructure, Prime Infrastructure gathers the device configuration for the model you added. Prime Infrastructure does not support every configurable option for all device types. If Prime Infrastructure does not have a Features and Technologies template for the specific feature or parameter that you want to configure, create a CLI template.
Features and Technologies templates simplify the deployment of configuration changes. For example, you can create an SNMP Features and Technologies template and then quickly apply it to devices you specify. You can also add this SNMP template to a composite template. Then later, when you update the SNMP template, the composite template in which the SNMP template is contained automatically has your latest changes.
To create a Features and Technologies template, follow these steps:
Step 1 Choose Configuration > Templates > Features and Technologies.
Step 2 In the Features and Technologies menu on the left, choose a template type to create.
Step 3 Complete the fields for that template.
If you are creating a feature template that applies only to a particular device type, the Device Type field lists only the applicable device type, and you cannot change the selection. Specifying a device type helps you to prevent a mismatch; that is, you cannot create a configuration and apply the configuration to a wrong device.
Step 4 Click Save as New Template. After you save the template, apply it to your devices.
Step 5 To verify the status of a template deployment, choose Administration > Dashboard > Jobs Dashboard.
Step 6 To modify the deployment parameters for any subsequent configuration template deployments, select a configuration job, then click Edit Schedule.
Example: Creating an ACL Template
To create an ACL template, follow these steps:
Step 1 Choose Configuration > Templates > Features and Technologies > Security > ACL.
Step 2 Enter the mandatory fields.
Step 3 In the Template Detail, click Add Row.
Step 4 Enter the ACL details, then click Save as New Template.
Step 5 Click the arrow to expand the ACL, then click Add Row to provide additional details about the ACL such as the action, source IP address, and wildcard mask.
Step 6 Click Save.
Step 7 After you save the template, you can specify devices, values, and scheduling information to tailor your deployment.
Creating CLI Templates
CLI templates are a set of re-usable device configuration commands with the ability to parameterize select elements of the configuration as well as add control logic statements. This template is used to generate a device deployable configuration by replacing the parameterized elements (variables) with actual values and evaluating the control logic statements.
To view the list of system CLI templates, choose Configuration > Templates > Features and Technologies > CLI Templates > System Templates - CLI. You cannot delete a System Template, but you can modify and save it as a new template. In this page, you can import or export any template. You cannot import a template under the system defined folder. The Undeploy button is disabled in this page because CLI templates do not have an option to undeploy them.
Prerequisites for Creating CLI Templates
Before you create a CLI template, you must:
- Have expert knowledge and understanding of the CLI and be able to write the CLI in Apache VTL. For more information about Apache Velocity Template Language, see http://velocity.apache.org/engine/devel/vtl-reference-guide.html.
- Understand to what devices the CLI you create can be applied.
- Understand the data types supported by Prime Infrastructure.
- Understand and be able to manually label configurations in the template.
- Know how to use variables and data types (see Variables and Data Types).
Creating CLI Configuration Templates
Use templates to define device parameters and settings, which you can later deploy to a specified number of devices based on device type.
Before You Begin
Make sure that you have satisfied the prerequisites (see Prerequisites for Creating CLI Templates).
Step 1 Choose Configuration > Templates > Features and Technologies.
Step 2 Expand the CLI Templates folder, then click CLI.
Step 3 Enter the required information.
a. In the OS Version field, you can specify an OS image version so that you can filter out devices older than the one that you specified.
a. In the Template Detail section, click the Manage Variables icon (above the CLI Content field).
This allows you to specify a variable for which you will define a value when you apply the template.
b. Click Add Row and enter the parameters for the new variable (see Variables and Data Types), then click Save.
c. Enter the CLI information. In the CLI field, you must enter code using Apache VTL (see http://velocity.apache.org/engine/devel/vtl-reference-guide.html). For more information about different CLI command formats, see:
– Adding Multi-line Commands
– Adding Enable Mode Commands
– Adding Interactive Commands
d. (Optional) To change the variables, click the Manage Variables icon, and then make your changes (see Variables and Data Types). Click Form View (a read-only view) to view the variables.
Step 4 Click Save As New Template, specify the folder in which you want to save the template, then click Save.
To duplicate a CLI template, expand System Templates - CLI, hover your mouse cursor over the quick view picker icon next to CLI, and then click Duplicate.
Variables and Data Types
You can use variables as placeholders to store values. The variables have names and data types.
Table 20-1 lists data types that you can configure in the Manage Variables page.
Table 20-1 Data Types
| Data Type | Description |
|---|---|
| String | Enables you to create a text box for CLI templates. To specify a validation expression and a default value, expand the row and configure the Default Value and Validation Expression fields. |
| Integer | Enables you to create a text box that accepts only numeric values. If you want to specify a range for the integer, expand the row and configure the Range From and To fields. To specify a validation expression and a default value, expand the row and configure the Default Value and Validation Expression fields. |
| DB | Enables you to specify a database type. See Managing Database Variables in CLI Templates. |
| IPv4 Address | Enables you to create a text box that accepts only IPv4 addresses for CLI templates. To specify a validation expression and a default value, expand the row and configure the Default Value and Validation Expression fields. |
| Drop-down | Enables you to create a list for CLI templates. To specify a validation expression and a default value, expand the row and configure the Default Value field (with a comma-separated value for multiple lists which appears in the UI). |
| Check box | Enables you to create a check box for CLI templates. To specify a validation expression and a default value, expand the row and configure the Default Value field. |
| Radio Button | Enables you to create a radio button for CLI templates. To specify a validation expression and a default value, expand the row and configure the Default Value field. |
| Text Area | Enables you to create a text area which allows multiline values for CLI templates. To specify a validation expression and a default value, expand the row and configure the Default Value and Validation Expression fields. |
Managing Database Variables in CLI Templates
You can use database (DB) variables for the following reasons:
- DB variables are one of the data types in CLI templates. You can use the DB variables to generate device-specific commands.
- DB variables are predefined variables. To view the list of predefined DB variables, see the CLITemplateDbVariablesQuery.properties file in the following folder: /opt/CSCOlumos/conf/ifm/template/inventoryTagsInTemplate.
- For example, SysObjectID, IPAddress, ProductSeries, ImageVersion are DB variables. When a device is added to Prime Infrastructure, the complete details of the device are collected in the DB variables. That is, the OID of the device is collected in SysObjectID, the product series in ProductSeries, the image version of the device in ImageVersion, and so on.
- Using the data collected by the DB variables, accurate commands can be generated for the device.
- You can select the DB variable in the Type field (using the Manage Variables page). Expand the name field and fill in the default value field with any of the DB variables which you want to use.
- When a device is discovered and added to Prime Infrastructure, you can use the database values that were gathered during the inventory collection to create CLI templates.
For example, if you want to create a CLI template to shut down all interfaces in a branch, create a CLI template that contains the following commands:
#foreach ($interfaceName in $interfaceNameList)
interface $interfaceName
shutdown
#end
where $interfaceNameList is the database variable type whose value will be retrieved from the database. $interfaceNameList has a default value of IntfName. You need to create the interfaceNameList variable as DB data type (using the Manage Variables dialog box) and set the default to IntfName. If you have not specified a default value, you can specify it when you apply the CLI template.
To populate interfaceNameList with the value from the database, you must create a properties file to capture the query string and save it in the /opt/CSCOlumos/conf/ifm/template/inventoryTagsInTemplate folder.
To view the predefined DB variables, go to the following path:
cd /opt/CSCOlumos/conf/ifm/template/inventoryTagsInTemplate
After you create and apply the CLI template and the property file, the following CLI is configured on the devices. This output assumes that the device has two interfaces (GigabitEthernet0/1 and GigabitEthernet0/0):
interface GigabitEthernet0/0
interface GigabitEthernet0/1
Note While it is possible to create a customized query using Enterprise JavaBeans Query Language (EJB QL), only advanced developers should attempt this. We recommend you use the variables defined in the CLITemplateDbVariablesQuery.properties file only.
Using Validation Expression
The values that you define in the Validation Expression are validated with the associated component value. For example, if you enter a default value and a validation expression value in the design flow, this will be validated during the design flow. That is, if the default value does not match the value entered in the validation expression, you will get an error in the design flow.
Note The validation expression value works only for the string data type field.
Example:
Choose Configuration > Features and Technologies > CLI Templates > CLI > Manage Variables > Add Row. Choose string data type and then expand the row and configure the regular expression, which will not allow a space in that text box.
Enter the following expression in the validating expression field.
Default value (optional)—ncs (The value should match the regular expression in the validation expression field.)
Result:
Save the template, and then select a device. Try to enter a space in the text field. You will encounter a regular expression error.
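The checks described in Table 20-1 and in this section can also be run on variable values before a deployment job is scheduled. The following is an added example, not Prime Infrastructure code: the dictionary layout, the function names, the sample values, and the `\S+` expression (a stand-in for a "no spaces" rule) are all assumptions, and Python's `re` is used in place of whatever regular expression engine the product applies.

```python
import ipaddress
import re

# Data types from Table 20-1 that are single text boxes or lists.
SINGLE_LINE_TYPES = {"String", "Integer", "IPv4 Address", "Drop-down"}


def validate_value(var, value):
    """Return None when value suits the variable's data type, else a reason."""
    kind = var["type"]
    # Only Text Area is described as multi-line; a line break anywhere else
    # would become an extra command line in the generated configuration.
    if kind in SINGLE_LINE_TYPES and re.search(r"[\r\n]", value):
        return "line break in a single-line field"
    if kind == "Integer":
        if not re.fullmatch(r"-?[0-9]+", value):
            return "not an integer"
        low, high = var.get("range_from"), var.get("range_to")
        number = int(value)
        if (low is not None and number < low) or (high is not None and number > high):
            return f"outside range {low} to {high}"
    elif kind == "IPv4 Address":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return "not an IPv4 address"
    elif kind == "Drop-down":
        # Choices are the comma-separated Default Value, as in Table 20-1.
        if value not in var["default"].split(","):
            return "not one of the listed choices"
    elif kind == "String":
        # The page states that validation expressions apply to String only.
        pattern = var.get("validation_expression")
        if pattern and not re.fullmatch(pattern, value):
            return "does not match the validation expression"
    return None


def check_definition(var):
    """Design-time check: a String default must satisfy its own expression."""
    if var["type"] == "String" and "default" in var:
        return validate_value(var, var["default"])
    return None


def check_deployment(variables, rows):
    """Return (device, variable, reason) for every value that fails."""
    failures = []
    for device, values in rows.items():
        for var in variables:
            if var["name"] not in values:
                failures.append((device, var["name"], "no value supplied"))
                continue
            reason = validate_value(var, values[var["name"]])
            if reason:
                failures.append((device, var["name"], reason))
    return failures


# Constructed variable definitions, as they might be entered in Manage Variables.
VARIABLES = [
    {"name": "hostname", "type": "String",
     "validation_expression": r"\S+", "default": "ncs"},
    {"name": "vlan", "type": "Integer", "range_from": 1, "range_to": 4094},
    {"name": "loopback", "type": "IPv4 Address"},
    {"name": "speed", "type": "Drop-down", "default": "auto,100,1000"},
]

# Constructed per-device values (device names are placeholders).
ROWS = {
    "edge-1": {"hostname": "edge-1", "vlan": "120",
               "loopback": "10.0.0.1", "speed": "auto"},
    "edge-2": {"hostname": "edge 2", "vlan": "5000",
               "loopback": "10.0.0.300", "speed": "10"},
    "edge-3": {"hostname": "edge-3\nextra line", "vlan": "12",
               "loopback": "10.0.0.3", "speed": "100"},
}

if __name__ == "__main__":
    for var in VARIABLES:
        print("definition", var["name"], check_definition(var) or "ok")
    for failure in check_deployment(VARIABLES, ROWS):
        print("value", *failure)
```
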
Adding Multi-line Commands
To enter multi-line commands in the CLI Content area, use the following syntax:
<MLTCMD>First Line of Multiline Command
Second Line of Multiline Command
Last Line of Multiline Command</MLTCMD>
where:
- <MLTCMD> and </MLTCMD> tags are case-sensitive and must be entered as uppercase.
- The multi-line commands must be inserted between the <MLTCMD> and </MLTCMD> tags.
- Do not start this tag with a space.
- Do not use <MLTCMD> and </MLTCMD> in a single line.
Example 1:
<MLTCMD>banner motd ~ Welcome to
Example 2:
<MLTCMD>banner motd ~ ${message}
where message is a multi-line input variable.
Restrictions for Using Multi-line Banner Commands
You can use the "banner file xyz" format as shown in the following example:
Enter configuration commands, one per line. End with Ctrl-Z.
(config)#parameter-map type webauth global
(config-params-parameter-map)# type webauth
(config-params-parameter-map)#banner file tftp://192.168.0.0/banner.txt
(config-params-parameter-map)#^Z
#more tftp://192.168.0.0/banner.txt
Usage of this wireless network is restricted to authorized users only.
Unauthorized access is strictly forbidden.
All accesses are logged and can be monitored.
Adding Enable Mode Commands
Use this syntax to add enable mode commands to your CLI templates:
Adding Interactive Commands
An interactive command contains the input that must be entered following the execution of a command.
To enter an interactive command in the CLI Content area, use the following syntax:
CLI Command<IQ>interactive question 1<R>command response 1 <IQ>interactive question 2<R>command response 2
where the <IQ> and <R> tags are case-sensitive and must be entered as uppercase.
For example:
crypto key generate rsa general-keys <IQ>yes/no<R> no
Combining Interactive Enable Mode Commands
Use this syntax to combine interactive Enable Mode commands:
commands<IQ>interactive question<R>response
For example:
mkdir <IQ>Create directory<R>xyz
Adding Interactive Multiline Commands
This is an example of an interactive command that contains multiple lines:
macro name EgressQoS<IQ>Enter macro<R><MLTCMD>mls qos trust dscp
wrr-queue queue-limit 10 25 10 10 10 10 10
wrr-queue bandwidth 1 25 4 10 10 10 10
priority-queue queue-limit 15
wrr-queue random-detect 1
wrr-queue random-detect 2
wrr-queue random-detect 3
wrr-queue random-detect 4
wrr-queue random-detect 5
wrr-queue random-detect 6
wrr-queue random-detect 7
wrr-queue random-detect max-threshold 1 100 100 100 100
wrr-queue random-detect min-threshold 1 80 100 100 100
wrr-queue random-detect max-threshold 2 100 100 100 100
wrr-queue random-detect min-threshold 2 80 100 100 100
wrr-queue random-detect max-threshold 3 80 90 100 100
wrr-queue random-detect min-threshold 3 70 80 90 100
wrr-queue random-detect min-threshold 4 70 80 90 100
wrr-queue random-detect max-threshold 4 80 90 100 100
wrr-queue random-detect min-threshold 5 70 80 90 100
wrr-queue random-detect max-threshold 5 80 90 100 100
wrr-queue random-detect min-threshold 6 70 80 90 100
wrr-queue random-detect max-threshold 6 80 90 100 100
wrr-queue random-detect min-threshold 7 60 70 80 90
wrr-queue random-detect max-threshold 7 70 80 90 100
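The tag rules for multi-line and interactive commands given above can be checked on CLI Content before a template is saved, so that a malformed tag does not change which lines reach a device. This is an added example, not part of the product or of the original page: the function names and the sample template are constructed, and "Do not start this tag with a space" is read here as "no whitespace directly before <MLTCMD>".

```python
import re

# Tags named on this page; each is valid only in exactly this uppercase form.
TAGS = ("<MLTCMD>", "</MLTCMD>", "<IQ>", "<R>")
TAG_RE = re.compile(r"</?MLTCMD>|<IQ>|<R>", re.IGNORECASE)


def lint_cli_content(content):
    """Return (line_number, message) for every tag-rule violation found."""
    problems = []
    open_line = None  # line number of the <MLTCMD> that is currently open
    for number, line in enumerate(content.splitlines(), start=1):
        # Rule: tags are case-sensitive and must be uppercase.
        for match in TAG_RE.finditer(line):
            if match.group(0) not in TAGS:
                problems.append((number, f"{match.group(0)} must be uppercase"))
        # Rule (this example's reading): no whitespace directly before the tag.
        if re.search(r"\s<MLTCMD>", line):
            problems.append((number, "<MLTCMD> must not start with a space"))
        has_open = "<MLTCMD>" in line
        has_close = "</MLTCMD>" in line
        if has_open and has_close:
            # Rule: opening and closing tag must not share a line.
            problems.append((number, "<MLTCMD> and </MLTCMD> in a single line"))
        elif has_open:
            if open_line is not None:
                problems.append((number, "<MLTCMD> opened inside another block"))
            open_line = number
        elif has_close:
            if open_line is None:
                problems.append((number, "</MLTCMD> without an opening <MLTCMD>"))
            open_line = None
        # Syntax: every <IQ>question must be followed by <R>response.
        for prompt in line.split("<IQ>")[1:]:
            if "<R>" not in prompt:
                problems.append((number, "<IQ> has no <R> response"))
    if open_line is not None:
        problems.append((open_line, "<MLTCMD> is never closed"))
    return problems


def parse_interactive(line):
    """Split 'command<IQ>question<R>response ...' into (command, pairs)."""
    command, *prompts = line.split("<IQ>")
    pairs = []
    for prompt in prompts:
        if "<R>" not in prompt:
            raise ValueError("<IQ> has no <R> response")
        question, response = prompt.split("<R>", 1)
        pairs.append((question.strip(), response.strip()))
    return command.strip(), pairs


# Constructed CLI Content: lines 2-3 and 7 follow the rules, the rest do not.
SAMPLE = """\
hostname branch-rtr
<MLTCMD>banner motd ~ Authorized use only
All sessions are logged ~</MLTCMD>
<mltcmd>banner login ~ first line
second line ~</mltcmd>
 <MLTCMD>banner exec ~ one ~</MLTCMD>
crypto key generate rsa general-keys <IQ>yes/no<R> no
mkdir <IQ>Create directory
"""

if __name__ == "__main__":
    for number, message in lint_cli_content(SAMPLE):
        print(f"line {number}: {message}")
    print(parse_interactive(SAMPLE.splitlines()[6]))
```
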
Creating CLI Configuration Templates from Copied Code
A quick way to create CLI configuration templates is to copy code from a command line configuration session, CLI script, or other stored set of configuration commands. Prime Infrastructure lets you turn all the CLI parameters in the copied CLI into template variables.
To create a CLI template variable from copied code:
Step 1 Choose Configuration > Templates > Features and Technologies.
Step 2 Expand the CLI Template folder, then click CLI.
Step 3 In the CLI template, paste the copied code into the CLI Content field.
Step 4 Select the text that is to be the variable name and click Manage Variables (the icon above the CLI Content field).
You can use this same procedure to edit an existing variable created from copied code.
Step 5 Fill out the required information, then click Save > Add.
Step 6 To view the new variable, click Form View.
Exporting a CLI Configuration Template
If you have CLI templates in any other Prime Infrastructure server, you can export them as an XML file and import them into your current Prime Infrastructure server.
Step 1 Choose Configuration > Templates > Features and Technologies.
Step 2 Expand the CLI Template folder, then click System Templates - CLI.
Step 3 Select the template(s) that you want to export.
Step 4 Click the Export icon at the top right of the CLI template page.
Importing a CLI Configuration Template
Step 1 Choose Configuration > Templates > Features and Technologies.
Step 2 Expand the CLI Template folder, then hover your mouse cursor over the quick view picker icon next to CLI.
Step 3 Click Show All Templates.
Step 4 Click the Import icon at the top right of the CLI template page.
Step 5 Click Select Templates to navigate to your file, then click OK.
Exporting CLI Variables
You can export the CLI variables into a CSV file while deploying a CLI configuration template. You can use the CSV file to make necessary changes in the variable configuration and import it into Prime Infrastructure at a later time.
Step 1 Choose Configuration > Templates > Features and Technologies > CLI Templates.
Step 2 Click System Templates - CLI.
Step 3 Select the template whose variables you want to export.
Step 4 Click Deploy.
Step 5 Select devices in the Device Selection area.
Step 6 Click the Export icon at the top right of the Value Assignment area.
Step 7 Click OK.
Exporting the variables without any data will export a blank file.
Importing CLI Variables
Step 1 Choose Configuration > Templates > Features and Technologies > CLI Templates.
Step 2 Click System Templates - CLI.
Step 3 Select the template whose variables you want to import.
Step 4 Click the Import icon at the top right of the CLI template page.
Step 5 Click OK.
Example: Updating Passwords Using a CLI Template
You might want to update the password for network devices on a regular basis, once every six months. To make the changes in a rolling fashion, you plan to perform the operation once for two regions every three months.
In this example, there are four custom dynamic groups, one for each region based on the cities in every region: North Region, South Region, East Region, and West Region. You must update the enable password for all of the devices in the North and South regions. After this is complete, you plan to schedule another job for the West and East region devices three months later.
Before You Begin
The devices in these regions must have an assigned location attribute.
Step 1 If the four groups, North Region, South Region, East Region, and West Region, have not been created:
a. Choose Inventory > Device Management > Network Devices, then hover your mouse cursor over User Defined and click Add SubGroup.
b. In the Create Sub-Group area, enter:
– Group Name: North Region
– Group Description: List of devices in the north region
– Filter: Location > Contains > SJC-N
To determine the location of a device, choose Inventory > Device Management > Network Devices > (gear icon) > Columns > Location.
The devices for the new group appear under Device Work Center > User Defined > North.
c. Do the same for south, east, and west regions.
Step 2 To deploy the password template:
a. Choose Configuration > Templates > Features and Technologies > CLI Templates > System Templates-CLI.
b. Select the Enable Password-IOS template and click Deploy.
c. In the Device Selection area, open the User Defined groups and select the North Region and South Region groups.
d. In the Value Selection area, enter and confirm the new enable password, then click Apply.
e. In the Schedule area, enter a name for the job, the date and time to apply the new template (or click Now), then click OK.
Step 3 After the job has run, choose Administration > Jobs to view the status of the job (see Monitoring Jobs).
Tagging Templates
You can label a set of templates by providing an intuitive name to tag the templates. After you create a tagged template, the template is listed under the My Tags folder. Tagging a configuration template helps you:
- Search a template using the tag name in the search field
- Use the tagged template as a reference to configure more devices
Tagging a New Configuration Template
To tag a new configuration template and publish the tagged template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies.
Step 2 Expand the Features and Technologies folder, choose an appropriate subfolder, and then choose a template type.
Step 3 Complete the required fields, enter a tag name in the Tags field, then click Save as New Template.
Tagging an Existing Template
To tag an existing template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies.
Step 2 In the Features and Technologies menu on the left, expand the My Templates folder and choose the template that you want to update.
Step 3 Click the Tag icon, enter a tag name in the Tag as text box, then click Save.
Associating a Tag With Multiple Templates
You can tag a new tag name or associate an existing tag with multiple templates.
Step 1 Choose Configuration > Templates > Features & Technologies.
Step 2 Click the Tag icon on the navigation toolbar of the Templates column.
Step 3 Enter a tag name in the Tag as field.
Step 4 In the My Templates folder, click the templates that are to be associated with the tag.
To associate all of the templates in the folder with the tag, select the check box next to the My Templates folder.
Step 5 Click Apply.
Creating Wireless Templates
This section describes how to add and apply wireless templates. Templates allow you to set fields that you can then apply to multiple devices without having to reenter the common information.
Controller Templates
The controller templates provide access to all Cisco Prime Infrastructure templates from a single page. You can add and apply controller templates, view templates, or make modifications to the existing templates. This section also includes steps for applying and deleting controller templates and creating or changing access point templates.
To access the controller templates, choose Configuration > Templates > Features & Technologies > Controller.
Adding Controller Templates
To add a new controller template:
Step 1 Choose Configuration > Features & Technologies > Controller.
Step 2 Select the template you want to add.
Step 3 Enter the template name.
Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
Step 4 Provide a description of the template.
Step 5 Click Save.
Deleting Controller Templates
To delete a controller template:
Step 1 Choose Configuration > Features & Technologies > My Templates.
Step 2 Select the template(s) you want to delete, then click Delete.
Step 3 Click OK to confirm the deletion. If this template is applied to controllers, the Remove Template Confirmation page opens and lists all controllers to which this template is currently applied.
Step 4 Select the check box of each controller from which you want to remove the template.
Step 5 Click OK to confirm the deletion or Cancel to close this page without deleting the template.
Applying Controller Templates
You can apply a controller template directly to a controller or to controllers in a selected configuration group.
To apply a controller template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller.
Step 2 From the left sidebar menu, choose the category of templates to apply.
Step 3 Click the template name for the template that you want to apply to the controller.
Step 4 Click Apply to Controllers to open the Apply to Controllers page.
Step 5 Select the check box for each controller to which you want to apply the template.
To select all controllers, select the check box that appears at the leftmost corner of the controllers table.
Select the Ignore errors on Apply template to Controllers check box to ignore errors and apply all commands in the template to the controller. If this check box is not selected, any error encountered while applying a command in the template to a controller causes the rest of the commands not to be applied.
Step 6 Choose between applying the template directly to a controller or to all controllers in a selected configuration group.
To apply the template directly to a controller (or controllers), follow these steps:
a. Select the Apply to controllers selected directly radio button. The Apply to Controllers page lists the IP address for each available controller along with the controller name and the configuration group name (if applicable).
b. Select the check box for each controller to which you want to apply the template.
Select the Ignore errors on Apply template to Controllers check box to ignore errors and apply all commands in the template to the controller. If this check box is not selected, any error encountered while applying a command in the template to a controller causes the rest of the commands not to be applied.
To apply the template to all controllers in a selected configuration group, follow these steps:
a. Select the Apply to controllers in the selected Config Groups radio button. The Apply to Controllers page lists the name of each configuration group along with the mobility group name and the number of controllers included.
b. Select the check box for each configuration group to which you want to apply the template.
Configuration groups which have no controllers cannot be selected to apply the templates.
Step 7 You can perform the following additional operations:
- If you select the Save Config to Flash after apply check box, the save config to Flash command is executed after the template is applied successfully.
- If you select the Reboot Controller after apply check box, the controller reboots after the template is successfully applied.
These configuration results can be viewed in the Template Results page by enabling the View Save Config / Reboot Results option.
Step 8 Click Save.
You can apply some templates directly from the Template List page. Select the check box(es) of the template(s) that you want to apply, choose Apply Templates from the Select a command drop-down list, and click Go to open the Apply to Controllers page. Select the check box(es) of the controllers to which you want to apply this template, and click OK.
Creating System Templates
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System. You can create the following controller system templates:
- AP 802.1X Supplicant Credentials
- AP Timers
- AP Username Password
- DHCP
- Dynamic Interface
- General-System
- Global CDP Configuration
- Interface Groups
- Network Time Protocol
- QoS Profiles
- SNMP Community
- Traffic Stream Metrics QoS
- User Roles
- Vlan Group
Creating AP 802.1X Supplicant Credentials
You can configure 802.1X authentication between lightweight access points and the switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning. You can set global authentication settings that all access points inherit as they join the controller. All access points that are currently joined to the controller and any that join in the future are included.
If desired, you can override the global authentication settings and assign unique authentication settings for a specific access point.
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > AP 802.1X Supplicant Credentials.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create the template.
Step 3 Complete the required fields, then click Save as New Template.
Configuring AP Timers Template
Some advanced timer configuration for FlexConnect and local mode is available for the controller on Prime Infrastructure.
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > AP 802.1X Supplicant Credentials.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create a General - System template.
Step 3 Complete the required fields, then click Save as New Template.
Creating AP Username Password Controller Templates
Create or modify a template for setting an access point username and password. All access points inherit the password as they join the controller and these credentials are used to log into the access point via the console or Telnet/SSH.
The AP Username Password page enables you to set a global password that all access points inherit as they join a controller. When you are adding an access point, you can also choose to accept this global username and password or override it on a per-access point basis. See the to see where the global password is displayed and how it can be overridden on a per-access point basis.
Also, in controller software Release 5.0, after an access point joins the controller, the access point enables console port security and you are prompted for your username and password whenever you log into the access point console port. When you log in, you are in non-privileged mode and you must enter the enable password to use the privileged mode.
To create an AP username password controller template:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > AP Username Password.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create a General - System template.
Step 3 Complete the required fields, then click Save as New Template.
Creating DHCP Templates
You can enable or disable DHCP proxy on a global basis rather than on a WLAN basis. When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from the client to the configured servers. At least one DHCP server must be configured on either the interface associated with the WLAN or on the WLAN itself. DHCP proxy is enabled by default.
To create DHCP templates:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > DHCP Templates.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create a General - System template.
Step 3 Complete the required fields, then click Save as New Template.
Creating Dynamic Interface Templates
If you change the interface fields, the WLANs are temporarily disabled, so you might lose connectivity for some clients. Any changes to the interface fields are saved only after you successfully apply them to the controller(s).
If you remove an interface here, it is removed only from this template and not from the controllers. Primary and secondary port numbers are present only in the Cisco 4400 Series Wireless LAN controllers.
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Dynamic Interface Templates.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create a General - System template.
Step 3 Complete the required fields, then click Save as New Template.
Applying a Dynamic Interface Template to Controllers
Changing the Interface fields causes the WLANs to be temporarily disabled and might result in loss of connectivity for some clients.
Interfaces removed from this page are removed only from this template and not from controllers.
To apply a Dynamic Interface template to a controller, follow these steps:
Step 1 In the Dynamic Interface controller template page, click Apply to Controllers.
Step 2 Use the Manage Interfaces options to configure device-specific fields:
- Add—Click Add to open the Add Interface dialog box. Enter an interface name, VLAN identifier, IP address, and gateway. When all fields are entered, click Done.
- Edit—Click Edit to make changes to current interfaces.
- Remove—Click Remove to delete a current interface.
Step 3 Select a check box for each controller to which you want to apply this template.
Step 4 Click Apply. Interface field changes or configurations made on this page are saved only when applied successfully to the controller(s).
Creating General - System Templates
To add a general-system template or make changes to an existing general template:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > General - System.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create a General - System template.
Step 3 Complete the required fields, then click Save as New Template.
Creating a Global CDP Configuration Template
Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. CDP is enabled on the Ethernet and radio ports of the bridge by default.
CDP for Ethernet Interfaces fields are supported for Controller Release 7.0.110.2 and later.
The Global Interface CDP configuration is applied only to the APs for which the CDP is enabled at AP level.
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Global CDP Configuration.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create a General - System template.
Step 3 Complete the required fields, then click Save as New Template.
Creating an Interface Group Template
The interface group template page allows you to select a list of interfaces and form a group. You cannot create interfaces using this page.
The Interface Groups feature is supported by controller software release 7.0.116.0 and later.
To configure an interface group template:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Interface Group.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create a General - System template.
Step 3 Complete the required fields, then click Save as New Template.
Creating a Network Time Protocol Template
NTP is used to synchronize computer clocks on the Internet.
To add an NTP template or make modifications to an existing NTP template:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Network Time Protocol.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create a General - System template.
Step 3 Complete the required fields, then click Save as New Template.
Creating QoS Profiles Templates
The Air QoS configurations are applicable for controller Release 7.0 and earlier.
To modify the quality of service (QoS) profiles:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > QoS Profiles.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create a QoS Profiles template.
Step 3 Complete the required fields, then click Save as New Template.
Creating SNMP Community Controller Templates
Create or modify a template for configuring SNMP communities on controllers. Communities can have read-only or read-write privileges using SNMP v1, v2, or v3.
When setting up SNMP communities on the WLC (Wireless LAN Controller), you are given an option to specify IP address and subnet. The default is 0.0.0.0 for both, which allows open SNMP access to any host using the specified community string. If you specify something other than the default of 0.0.0.0, the SNMP access is limited to the settings specified for IP address and Subnet Mask. A subnet of 255.255.255.255 limits to the specific host ID specified in the IP address.
If the Access Mode option is configured as Read Only, then Prime Infrastructure has only read access to the controller after applying this template.
To create a new template with SNMP community information for a controller:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > SNMP Community.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create an SNMP community template.
Step 3 Complete the required fields, then click Save as New Template.
The template appears in the Template List page. In the Template List page, you can apply this template to controllers. If a template is applied successfully and the Update Discover Community option is enabled, then the applied community name is updated in the Prime Infrastructure database for that applied controller. Also, Prime Infrastructure uses that community name for further communication with the controller.
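The IP address and subnet mask semantics described above can be checked before a template is applied. The following Python sketch is an added example, not part of Prime Infrastructure or of the original page; the field names, finding labels, and sample rows are assumptions made for illustration. It reports communities that any host can use, read-write communities open to more than one host, and templates whose source restriction would exclude the management server itself.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class SnmpCommunity:
    """One SNMP community template row (field names are illustrative)."""
    name: str
    ip_address: str
    subnet_mask: str
    access_mode: str  # "Read Only" or "Read Write"


def permitted_sources(ip_address, subnet_mask):
    """Return the IPv4 network admitted by an IP address / subnet mask pair.

    The mask is checked for contiguity by hand, because ipaddress would
    otherwise accept a host mask such as 0.0.0.255 and read it as /24.
    """
    mask = int(ipaddress.IPv4Address(subnet_mask))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"subnet mask {subnet_mask} is not contiguous")
    base = int(ipaddress.IPv4Address(ip_address)) & mask
    return ipaddress.IPv4Network((base, prefix))


def audit(communities, manager_ip):
    """Return (community, label, detail) findings; labels are this example's own."""
    manager = ipaddress.IPv4Address(manager_ip)
    findings = []
    for c in communities:
        try:
            net = permitted_sources(c.ip_address, c.subnet_mask)
        except ValueError as exc:
            findings.append((c.name, "invalid", str(exc)))
            continue
        writable = c.access_mode.strip().lower() == "read write"
        if net.prefixlen == 0:
            # Mask 0.0.0.0: any host that knows the community string is accepted.
            label = "open-read-write" if writable else "open-read-only"
            findings.append((c.name, label, "any host may use this community"))
        elif writable and net.prefixlen < 32:
            findings.append((c.name, "wide-read-write",
                             f"{net.num_addresses} addresses in {net} may write"))
        if manager not in net:
            # Applying this template would cut off the management server.
            findings.append((c.name, "manager-excluded",
                             f"{manager} is outside {net}"))
    return findings


# Constructed sample rows (documentation address ranges, made-up names).
SAMPLE = [
    SnmpCommunity("monitor-ro", "0.0.0.0", "0.0.0.0", "Read Only"),
    SnmpCommunity("ops-rw", "0.0.0.0", "0.0.0.0", "Read Write"),
    SnmpCommunity("nms-rw", "192.0.2.10", "255.255.255.255", "Read Write"),
    SnmpCommunity("site-rw", "192.0.2.0", "255.255.255.0", "Read Write"),
    SnmpCommunity("lab-ro", "198.51.100.7", "255.255.255.255", "Read Only"),
    SnmpCommunity("typo", "192.0.2.0", "255.0.255.0", "Read Only"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "192.0.2.10"):
        print(*finding, sep=" | ")
```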
Creating a Traffic Stream Metrics QoS Template
Traffic stream metrics are a series of statistics about VoIP over your wireless LAN that inform you of the QoS of the wireless LAN. These statistics are different from the end-to-end statistics provided by VoIP systems. End-to-end statistics provide information on packet loss and latency covering all the links comprising the call path. However, traffic stream metrics are statistics for only the WLAN segment of the call. Because of this, system administrators can quickly determine whether audio problems are being caused by the WLAN or by other network elements participating in a call. By observing which access points have impaired QoS, system administrators can quickly determine the physical area where the problem is occurring. This is important when lack of radio coverage or excessive interference is the root problem.
Four QoS values (packet latency, packet jitter, packet loss, and roaming time), which can affect the audio quality of voice calls, are monitored. All the wireless LAN components participate in this process. Access points and clients measure the metrics, access points collect the measurements and then send them to the controller. The access points update the controller with traffic stream metric information every 90 seconds, and 10 minutes of data is stored at one time. Prime Infrastructure queries the controller for the metrics and displays them in the Traffic Stream Metrics QoS Status. These metrics are compared to threshold values to determine their status level and if any of the statistics are displaying a status level of fair (yellow) or degraded (red), the administrator investigates the QoS of the wireless LAN.
For the access points to collect measurement values, traffic stream metrics must be enabled on the controller.
To configure a Traffic Stream Metrics QoS template:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > Traffic Stream Metrics QoS.
The Traffic Stream Metrics QoS Controller Configuration page shows several QoS values. An administrator can monitor voice and video quality of the following:
- Upstream delay
- Upstream packet loss rate
- Roaming time
- Downstream packet loss rate
- Downstream delay
Packet Loss Rate (PLR) affects the intelligibility of voice. Packet delay can affect both the intelligibility and conversational quality of the connection. Excessive roaming time produces undesired gaps in audio.
There are three levels of measurement:
- Normal: Normal QoS (green)
- Fair: Fair QoS (yellow)
- Degraded: Degraded QoS (red)
System administrators should employ some judgment when setting the green, yellow, and red alarm levels. Some factors to consider are:
- Environmental factors including interference and radio coverage which can affect PLR.
- End-user expectations and system administrator requirements for audio quality on mobile devices (lower audio quality can permit greater PLR).
- Different codec types used by the phones have different tolerance for packet loss.
- Not all calls are mobile-to-mobile; therefore, some have less stringent PLR requirements for the wireless LAN.
Creating User Roles Controller Templates
This section describes how to create or modify a template for configuring user roles. User roles determine how much bandwidth the network can use. Four QoS levels (Platinum, Bronze, Gold, and Silver) are available for the bandwidth distribution to Guest Users. Guest Users are associated with predefined roles (Contractor, Customer, Partner, Vendor, Visitor, Other) with respective bandwidth configured by the Admin. These roles can be applied when adding a new Guest User.
To add a new template with User Roles information for a controller:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > System > User Roles.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create a User Roles template.
Step 3 Complete the required fields, then click Save as New Template.
About WLAN Templates
WLAN templates allow you to define various WLAN profiles for application to different controllers.
You can configure multiple WLANs with the same SSID. This feature enables you to assign different Layer 2 security policies within the same wireless LAN. Unlike previous releases, where the profile name was used as the unique identifier, the template name is the unique identifier as of software release 5.1.
These restrictions apply when configuring multiple WLANs with the same SSID:
- WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in the beacons and probes. These are the available Layer 2 security policies:
– None (open WLAN)
– Static WEP or 802.1
– CKIP
– WPA/WPA2
- Broadcast SSID must be enabled on the WLANs that share an SSID so that the access points can generate probe responses for these WLANs.
- FlexConnect access points do not support multiple SSIDs.
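The first two restrictions, together with the template-name uniqueness noted earlier, can be checked across a set of planned WLAN templates before they are deployed. This Python sketch is an added example and not Prime Infrastructure code; the `WlanTemplate` fields, rule labels, and sample templates are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WlanTemplate:
    """Subset of a WLAN template needed for the checks (illustrative names)."""
    template_name: str
    ssid: str
    l2_security: str      # one of the Layer 2 policies listed above
    broadcast_ssid: bool


def check_shared_ssids(templates):
    """Return (rule, ssid, template_names) for every restriction that is broken."""
    problems = []

    # The template name is the unique identifier, so it must not repeat.
    counts = Counter(t.template_name for t in templates)
    for name in sorted(n for n, c in counts.items() if c > 1):
        problems.append(("duplicate-template-name", None, (name,)))

    by_ssid = defaultdict(list)
    for t in templates:
        by_ssid[t.ssid].append(t)

    for ssid, group in sorted(by_ssid.items()):
        if len(group) < 2:
            continue  # the restrictions apply only to SSIDs shared by several WLANs
        # Each WLAN on a shared SSID needs its own Layer 2 security policy.
        by_policy = defaultdict(list)
        for t in group:
            by_policy[t.l2_security.strip().lower()].append(t.template_name)
        for _policy, names in sorted(by_policy.items()):
            if len(names) > 1:
                problems.append(("duplicate-l2-policy", ssid, tuple(sorted(names))))
        # Broadcast SSID must be enabled on every WLAN that shares the SSID.
        hidden = tuple(sorted(t.template_name for t in group if not t.broadcast_ssid))
        if hidden:
            problems.append(("broadcast-ssid-disabled", ssid, hidden))
    return problems


# Constructed sample templates.
SAMPLE_WLANS = [
    WlanTemplate("corp-wpa2", "corp", "WPA/WPA2", True),
    WlanTemplate("corp-voice", "corp", "WPA/WPA2", True),
    WlanTemplate("corp-onboard", "corp", "None", False),
    WlanTemplate("guest", "guest", "None", False),
    WlanTemplate("lab-ckip", "lab", "CKIP", True),
    WlanTemplate("lab-open", "lab", "None", True),
]

if __name__ == "__main__":
    for problem in check_shared_ssids(SAMPLE_WLANS):
        print(problem)
```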
Creating WLAN Configuration Templates
To add a WLAN configuration template or make modifications to an existing WLAN template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > WLAN Configuration.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New.
Step 3 Complete the required fields in the General, Security, QoS, Advanced, HotSpot, Policy Mappings tabs, and then click Save as New Template.
Client Profiling
When a client tries to associate with a WLAN, it is possible to determine the client type from the information received in the process. The controller acts as the collector of the information and sends the required data to the ISE in an optimal form.
Follow these guidelines when configuring client profiling:
- By default, client profiling will be disabled on all WLANs.
- Client profiling is supported on access points that are in Local mode and FlexConnect mode.
- Profiling is not supported for clients in the following scenarios:
– Clients associating with FlexConnect mode APs in Standalone mode.
– Clients associating with FlexConnect mode APs when local authentication is done with local switching enabled.
- Both DHCP Proxy and DHCP Bridging mode on the controller are supported.
- Accounting Server configuration on the WLAN must be pointing at an ISE running 1.1 MnR or later releases. Cisco ACS does not support client profiling.
- The type of DHCP server used does not affect client profiling.
- If the DHCP_REQUEST packet contains a string that is found in the Profiled Devices list of the ISE, then the client will be profiled automatically.
- The client is identified based on the MAC address sent in the Accounting request packet.
- Only the MAC address should be sent as the calling station ID in accounting packets when profiling is enabled.
- With profiling enabled for local switching FlexConnect mode APs, only VLAN override is supported as an AAA override attribute.
Configuring Client Profiling
To configure client profiling, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > WLAN Configuration.
Step 2 Click the Advanced tab.
Step 3 Select the DHCP Profiling check box to enable DHCP profiling.
Step 4 Select the HTTP Profiling check box to enable HTTP profiling.
HTTP client profiling is supported since controller Version 7.3.1.31.
Step 5 Click Save.
Configuring Mobile Concierge (802.11u)
Mobile Concierge is a solution that enables 802.1X capable clients to interwork with external networks. The Mobile Concierge feature provides service availability information to clients and can help them to associate with available networks.
The services offered by the network can be broadly classified into two protocols:
- 802.11u MSAP
- 802.11u HotSpot 2.0
The following guidelines and limitations apply to Mobile Concierge:
- Mobile Concierge is not supported on FlexConnect Access Points.
- 802.11u configuration upload is not supported. If you perform a configuration upgrade and upload a configuration on the controller, the HotSpot configuration on the WLANs is lost.
To configure Mobile Concierge (802.11u) Groups:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > WLAN Configuration.
Step 2 Click the Hot Spot tab.
Step 3 On the General tab, configure the following fields:
- Select the 802.11u Status check box to enable 802.11u on the WLAN.
- Select the Internet Access check box to enable this WLAN to provide Internet services.
- From the Network Type drop-down list, choose the network type that best describes the 802.11u you want to configure on this WLAN. The following options are available:
– Private Network
– Private Network with Guest Access
– Chargeable Public Network
– Free Public Network
– Emergency Services Only Network
– Personal Device Network
– Test or Experimental
– Wildcard
- Choose the authentication type that you want to configure for the 802.11u parameters on this network:
– Not configured
– Acceptance of Terms and Conditions
– Online Enrollment
– HTTP/HTTPS Redirection
- In the HESSID field, enter the Homogeneous Extended Service Set Identifier value. The HESSID is a 6-octet MAC address that identifies the homogeneous ESS.
Step 4 On the Others tab, configure the following fields:
- In the OUI List group box, enter the following details:
– OUI name
– Is Beacon
– OUI Index
Click Add to add the OUI (Organizationally Unique Identifier) entry to this WLAN.
- In the Domain List group box, enter the following details:
– Domain Name—The domain name operating in the 802.11 access network.
– Domain Index—Choose the domain index from the drop-down list.
Click Add to add the domain entry to this WLAN.
Step 5 On the Realm tab, configure the following fields:
- In the OUI List section, enter the following details:
– Realm Name—The realm name.
– Realm Index—The realm index.
Click Add to add the domain entry to this WLAN.
Step 6 On the Service Advertisement tab, configure the following fields:
- Select the MSAP Enable check box to enable service advertisements.
- If you enabled MSAP in the previous step, you must provide a server index. Enter the server index for this WLAN. The server index field uniquely identifies an MSAP server instance serving a venue that is reachable through the BSSID.
MSAP (Mobility Services Advertisement Protocol) is designed to be used primarily by mobile devices that are configured with a set of policies for establishing network services. These services are available for devices that offer higher-layer services, or network services that are enabled through service providers. Service advertisements use MSAP to provide services to mobile devices prior to association to a Wi-Fi access network. This information is conveyed in a service advertisement. A single-mode or dual-mode mobile device queries the network for service advertisements before association. The device's network discovery and the selection function may use the service advertisements in its decision to join the network.
Step 7 On the HotSpot 2.0 tab, configure the following fields:
- Choose the Enable option from the HotSpot2 Enable drop-down list.
- In the WAN Metrics group box, specify the following:
– WAN Link Status—The link status. The valid range is 1 to 3.
– WAN SIM Link Status—The symmetric link status. For example, you can configure the uplink and downlink to have different speeds or same speeds.
– Down Link Speed—The downlink speed. The maximum value is 4,194,304 kbps.
– Up Link Speed—The uplink speed. The maximum value is 4,194,304 kbps.
- In the Operator Name List group box, specify the following:
– Operator Name—Specify the name of the 802.11 operator.
– Operator Index—Select an operator index. The range is from 1 to 32.
– Language Code—An ISO-14962-1997 encoded string defining the language. This string is a three-character language code.
Click Add to add the operator details. The operator details are displayed in a tabular form.
- In the Port Config List, specify the following:
– IP Protocol—The IP protocol that you want to enable. The options are ESP, FTP, ICMP, and IKEV2.
– Port No—The port number that is enabled on this WLAN.
– Status—The status of the port.
Step 8 Click Save.
Creating WLAN AP Groups Templates
Site-specific VLANs or AP groups limit the broadcast domains to a minimum by segmenting a WLAN into different broadcast domains. Benefits include more effective management of load balancing and bandwidth allocation.
To configure WLAN AP Groups, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > AP Groups.
The WLAN > AP Groups page appears, and the number of controllers and virtual domains that the template is applied to automatically populates. The last column indicates when the template was last saved.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 2 If you want to add a new template, choose Add Template from the Select a command drop-down list, and click Go. To modify an existing template, click the template name. The AP Groups template page appears.
This page displays a summary of the AP groups configured on your network. In this page, you can add, remove, edit, or view details of an AP group. Click in the Edit column to edit its access point(s). Select the check box in the WLAN Profile Name column, and click Remove to delete WLAN profiles.
The maximum number of characters that you can enter in the Description text box is 256.
Adding Access Point Groups
- AP Groups (for controllers Release 5.2 and later) are referred to as AP Group VLANs for controllers prior to 5.2.
- To display all available WLAN profile names, delete the current WLAN profile name from the text box. When the current WLAN profile name is deleted from the text box, all available WLAN profiles appear in the drop-down list.
- Each access point is limited to 16 WLAN profiles. Each access point broadcasts all WLAN profiles unless the WLAN override feature is enabled. The WLAN override feature allows you to disable any of the 16 WLAN profiles per access point.
- The WLAN override feature applies only to older controllers that do not support the 512 WLAN feature (can support up to 512 WLAN profiles).
You can create or modify a template for dividing the WLAN profiles into AP groups.
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > AP Groups.
Step 2 Choose Add Template from the Select a command drop-down list, and click Go.
Step 3 Enter a name and group description for the access point group. The group description is optional.
Step 4 If you want to add a WLAN profile, click the WLAN Profiles tab and configure the following fields:
a. Click Add.
b. Type a WLAN profile name or choose one from the WLAN Profile Name drop-down list.
c. Enter an interface/interface group or choose one from the Interface/Interface Group drop-down list.
To display all available interfaces, delete the current interface from the Interface text box. When the current interface is deleted from the Interface text box, all available interfaces appear in the drop-down list.
d. Select the NAC Override check box, if applicable. The NAC override feature is disabled by default.
e. Specify the policy configuration parameters by clicking the Add/Edit link.
– Policy Name—Name of the policy.
– Policy Priority—Configure policy priority between 1 and 16. No two policies can have the same priority. Only 16 policy mappings are allowed per WLAN. The selected policy template for the mapping will be applied first if it does not exist on the controller.
f. When access points and WLAN profiles are added, click Save.
Step 5 If you want to add an RF profile, click the RF Profiles tab, and configure the following fields:
- 802.11a—Drop-down list from which you can choose an RF profile for APs with 802.11a radios.
- 802.11b—Drop-down list from which you can choose an RF profile for APs with 802.11b radios.
- When RF profiles are added, click Save.
Deleting Access Point Groups
To delete an access point group, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies.
Step 2 Choose Controller > WLANs > AP Groups from the left sidebar menu.
Step 3 Click Remove.
Creating Policy Configuration Templates
The Policy Configuration Templates page enables you to configure the device-based policies on the controller. You can configure policies for a user or a device on the network. The maximum number of policies that you can configure is 64. Policies are not applied on WLANs and AP groups if AAA override is configured on the controller.
To configure Policy Configuration templates:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > WLANs > Policy Configuration.
Step 2 If you want to add a new template, choose Add Template from the Select a command drop-down list, and click Go.
Step 3 Configure the required fields.
Step 4 Click Save as New Template.
Creating FlexConnect Templates
FlexConnect enables you to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. There is no deployment restriction on the number of FlexConnect access points per location, but you can organize and group the access points per floor and limit them to 25 or so per building, because it is likely the branch offices share the same configuration.
Creating FlexConnect AP Groups Templates
To set up a FlexConnect AP group, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller.
Step 2 Choose FlexConnect > FlexConnect AP Groups from the left sidebar menu.
Step 3 Hover the mouse on FlexConnect AP Groups and select Show All Templates. It displays the primary and secondary RADIUS, as well as the number of controllers and virtual domains that the template is applied to, which automatically populates. The last column indicates when the template was last saved.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names. To modify an existing template, click the template name.
Step 4 If you want to add a new template, hover the mouse on FlexConnect AP Groups and select New or select FlexConnect AP Groups. The General tab of the FlexConnect AP Groups page appears.
Step 5 The Template Name shows the group name assigned to the FlexConnect access point group.
Step 6 Choose the primary RADIUS authentication servers for each group. You can also configure local RADIUS servers on the FlexConnect group (at a site level) which are not present on the controller. The FlexConnect groups support up to 100 RADIUS servers per group.
Step 7 Choose the secondary RADIUS authentication servers for each group. You can also configure local RADIUS servers on the FlexConnect group (at a site level) which are not present on the controller. The FlexConnect groups support up to 100 RADIUS servers per group.
Step 8 If you want to add an access point to the group, click the FlexConnect AP tab.
Step 9 An access point Ethernet MAC address cannot exist in more than one FlexConnect group on the same controller. If more than one group is applied to the same controller, select the Ethernet MAC check box to unselect an access point from one of the groups. You should save this change or apply it to controllers.
Step 10 Click Add AP. Select the applicable check boxes and click Add.
Step 11 Click the Local Authentication tab to enable local authentication for a FlexConnect group. Ensure that the Primary RADIUS Server and Secondary RADIUS Server fields are set to None on the General tab to perform this action.
Step 12 Select the FlexConnect Local Authentication check box to enable local authentication for this FlexConnect group. Enabling this option enables EAP-TLS Authentication.
Step 13 Select the EAP-TLS Authentication check box to enable EAP-TLS certificate download.
Step 14 To allow a FlexConnect access point to authenticate clients using LEAP, select the LEAP Authentication check box. Otherwise, to allow a FlexConnect access point to authenticate clients using EAP-FAST, select the EAP-FAST Authentication check box.
Step 15 Perform one of the following, depending on how you want Protected Access Credentials (PACs) to be provisioned:
- To use manual PAC provisioning, enter the key used to encrypt and decrypt PACs in the EAP-FAST Key and Confirm EAP-FAST Key text boxes. The key must be 32 hexadecimal characters.
- To allow PACs to be sent automatically to clients that do not have one during PAC provisioning, select the Auto key generation check box.
The following EAP-FAST options are available only if you select the EAP-FAST check box in Step 14.
Step 16 In the EAP-FAST Key text box, enter the authority identifier of the EAP-FAST server. The identifier must be 32 hexadecimal characters.
Step 17 In the EAP-FAST Authority ID text box, enter the authority identifier of the EAP-FAST server in text format. You can enter up to 32 hexadecimal characters.
Step 18 In the EAP-FAST Authority Info text box, enter the authority information of the EAP-FAST server.
Step 19 In the EAP-FAST PAC Timeout text box, specify a PAC timeout value by entering the number of seconds for the PAC to remain viable in the edit box. The valid range is 2 to 4095 seconds.
Step 20 To allow a FlexConnect access point to authenticate clients using PEAP, select the PEAP Authentication check box.
Step 21 Click the Image Upgrade tab and configure the following:
- FlexConnect AP Upgrade—Select the check box if you want to upgrade the FlexConnect access points.
- Slave Maximum Retry Count—Enter the maximum retries for the slave to undertake to start the download from the master in the FlexConnect group. This option is available only if you select the FlexConnect AP Upgrade check box.
- You are allowed to add an access point as a master access point only if the FlexConnect AP Upgrade check box is enabled on the General tab. Click Add Master to add an access point as master AP.
Step 22 Click the ACL Mapping tab.
- Click the VLAN-ACL Mapping tab to view, add, edit, or remove a VLAN ACL mapping.
- Click the WLAN-ACL Mapping tab to view, add, edit, or remove a WLAN ACL mapping. You can add up to a maximum of 16 WebAuth ACLs.
- Click the Local Split tab to view, add, edit, or remove a Local Split ACL mapping. Only the FlexConnect central switching WLANs are displayed in the WLAN Profile Name drop-down list.
- Click the Policies tab to view, add, edit, or remove a WebPolicy ACL mapping. You can add up to a maximum of 16 Web-Policy ACLs.
- Click Save.
Step 23 Click the Central DHCP tab to view, add, edit, or remove Central DHCP processing.
a. Click the Add Row icon.
b. From the WLAN Profile Name drop-down list, choose a WLAN profile. Only the FlexConnect local switching WLANs are displayed in the WLAN Profile Name drop-down list.
c. From the Central DHCP drop-down list, choose Enable or Disable. When you enable this feature, the DHCP packets received from the AP are centrally switched to the controller and then forwarded to the corresponding VLAN based on the AP and the SSID.
d. From the Override DNS drop-down list, choose Enable or Disable. You can enable or disable the overriding of the DNS server address on the interface assigned to the locally switched WLAN. When you override DNS in centrally switched WLANs, the clients get their DNS server IP address from the AP, not from the controller.
e. From the NAT-PAT drop-down list, choose Enable or Disable. You can enable or disable Network Address Translation (NAT) and Port Address Translation (PAT) on locally switched WLANs. You must enable Central DHCP Processing to enable NAT and PAT.
f. Click Save.
Step 24 Click the WLAN-VLAN Mapping tab to view, add, edit, or remove the WLAN-VLAN mapping.
a. Click the Add Row icon.
b. From the WLAN Profile Name drop-down list, choose a WLAN profile. Only the FlexConnect local switching WLANs are displayed in the WLAN Profile Name drop-down list.
c. Enter the VLAN ID within the specified range.
d. Click Save.
Step 25 Click the WLAN-AVC Mapping tab to view, add, edit, or remove the WLAN-AVC mapping.
a. Click the Add Row icon.
b. From the WLAN Profile Name drop-down list, choose a WLAN profile. Only the FlexConnect local switching WLANs are displayed in the WLAN Profile Name drop-down list.
c. From the Application Visibility drop-down list, choose Enable, Disable or Wlan-specific. When Wlan-specific is chosen, the Flex AVC Profile will be disabled.
d. From the Flex AVC Profile drop-down list, choose the specific AVC profile.
e. Click Save.
Step 26 Click Save.
Adding FlexConnect Users to FlexConnect AP Groups Templates
You can click the Users configured in the group link that appears when the FlexConnect Local Authentication check box is enabled to view the list of FlexConnect users. You can create FlexConnect users only after you save the FlexConnect AP Group. A maximum of 100 FlexConnect users is supported in controller Release 5.2.x.x and later. Controller Release 5.2.0.0 and earlier supports only 20 FlexConnect users.
To delete a FlexConnect User, choose a user from the FlexConnect Users list, and then click Delete.
To configure a FlexConnect user, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > FlexConnect > FlexConnect AP Groups.
Step 2 Hover the mouse on FlexConnect AP Groups and select Show All Templates.
Step 3 Click the Local Authentication tab and select the FlexConnect Local Authentication check box to enable local authentication for this FlexConnect group.
Step 4 Click the Users configured in the group link. The FlexConnect Users page appears.
Step 5 If you want to add a new user, choose Add User from the Select a command drop-down list, and click Go. The Add User page appears.
Step 6 In the User Name text box, enter the FlexConnect username.
Step 7 In the Password text box, enter the password.
Step 8 Reenter the password in the Confirm Password text box.
Step 9 Click Save.
Creating Security Templates
Creating General Security Controller Templates
To add a new template with general security information for a controller, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security.
Step 2 Select the template you want to add.
Step 3 Complete the following fields:
- Template Name—Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
- Maximum Local Database Entries (on next reboot)—Enter the maximum number of allowed database entries. This amount becomes effective on the next reboot.
Step 4 Click Save.
The template appears in the Template List page. In the Template List page, you can apply this template to controllers.
Creating File Encryption Templates
To add and configure a File Encryption template or make modifications to an existing file encryption template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > File Encryption.
Step 2 Choose Add Template from the Select a command drop-down list, and click Go to add a new template. To modify an existing template, click the template name. The File Encryption template page appears.
Step 3 Check if you want to enable file encryption.
Step 4 Enter an encryption key text string of exactly 16 ASCII characters.
Step 5 Re-enter the encryption key.
Step 6 Click Save.
RADIUS Authentication Templates
You can add a RADIUS authentication template or make modifications to an existing template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.
Creating RADIUS Authentication Templates
To configure a RADIUS Authentication template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > RADIUS Auth Servers.
Step 2 From the Shared Secret Format drop-down list, choose either ASCII or hex.
Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.
Step 3 Enter the RADIUS shared secret used by your specified server.
Step 4 Check the Key Wrap check box if you want to enable key wrap. If this check box is enabled, the authentication request is sent to RADIUS servers that have key encryption key (KEK) and message authenticator code keys (MACK) configured. Complete the following fields:
- Shared Secret Format: Enter ASCII or hexadecimal.
Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in the event a discovered template is applied to another device.
- KEK Shared Secret.
- MACK Shared Secret.
Each time the controller is notified with the shared secret, the existing shared secret is overwritten with the new shared secret.
Step 5 Check the Admin Status check box to enable administration privileges.
Step 6 Check the Support for RFC 3576 check box to enable support for RFC 3576.
RFC 3576 is an extension to the Remote Authentication Dial In User Service (RADIUS) protocol. It allows dynamic changes to a user session and includes support for disconnecting users and changing authorizations applicable to a user session. With these authorizations, support is provided for Disconnect and Change-of-Authorization (CoA) messages. Disconnect messages immediately terminate a user session, whereas CoA messages modify session authorization attributes such as data filters.
Step 7 Check Network User to enable network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.
Step 8 Check Management User to enable management authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the management user.
Step 9 In the Retransmit Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.
Step 10 If you enable IP Sec (the IP security mechanism), additional IP security fields are added to the page, and Steps 13 to 19 are required. If you disable it, click Save and skip Steps 13 to 19.
Step 11 Use the drop-down list to choose the IP security authentication protocol to be used. The available options are:
Message Authentication Codes (MAC) are used between two parties that share a secret key to validate information transmitted between them. HMAC (Hash MAC) is a mechanism based on cryptographic hash functions and can be used in combination with any iterated cryptographic hash function. HMAC-MD5 and HMAC-SHA1 are two constructs of the HMAC using the MD5 hash function and the SHA1 hash function. HMAC also uses a secret key for calculation and verification of the message authentication values.
Step 12 Set the IP security encryption mechanism to use. The options are as follows:
- DES—Data Encryption Standard is a method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
- Triple DES—Data Encryption Standard that applies three keys in succession.
- AES 128 CBC—Advanced Encryption Standard uses keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data path in Cipher Block Chaining (CBC) mode.
- None—No IP security encryption mechanism.
Step 13 From the IKE phase 1 drop-down list choose either aggressive or main to set the IKE protocol. IKE phase 1 is used to negotiate how IKE is protected. Aggressive mode passes more information in fewer packets, with the benefit of a slightly faster connection, at the cost of transmitting the identities of the security gateways in the clear.
Step 14 Enter the timeout interval (in seconds) in the Lifetime field to define when the session expires.
Step 15 Set the IKE Diffie Hellman group. The options are group 1 (768 bits), group 2 (1024 bits), or group 5 (1536 bits).
Diffie-Hellman techniques are used by two devices to generate a symmetric key where you can publicly exchange values and generate the same symmetric key.
Although all three groups provide security from conventional attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group 1 and Group 2 based keys might occur slightly faster because of their smaller prime number size.
Step 16 Click Save.
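The choices in this procedure can be checked before a template is deployed. The following audit is an added example, not Prime Infrastructure code: the dictionary keys are hypothetical names for the fields in the steps above (not an export format or API), and both sample templates are constructed.

```python
# Added example: audit of the settings chosen in a RADIUS Authentication
# template. Keys such as "ipsec_encryption" are hypothetical names for the
# fields in the procedure; the two templates below are constructed samples.
import string

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Option names as listed in the procedure; None means no finding.
ENCRYPTION = {
    "None": ("high", "IP Sec is enabled but applies no encryption"),
    "DES": ("high", "56-bit key; choose AES 128 CBC"),
    "Triple DES": ("low", "legacy cipher; prefer AES 128 CBC"),
    "AES 128 CBC": None,
}
AUTHENTICATION = {
    "HMAC-MD5": ("low", "prefer HMAC-SHA1 of the two constructs"),
    "HMAC-SHA1": None,
}
IKE_PHASE1 = {
    "aggressive": ("medium", "gateway identities are sent in the clear"),
    "main": None,
}
DH_GROUP = {
    1: ("high", "768-bit group; choose group 5 (1536 bits)"),
    2: ("medium", "1024-bit group; choose group 5 (1536 bits)"),
    5: None,
}


def _check_option(findings, field, value, table):
    """Record a finding for a weak or unrecognised option value."""
    if value not in table:
        findings.append(("high", field, f"unrecognised option {value!r}"))
    elif table[value] is not None:
        severity, message = table[value]
        findings.append((severity, field, message))


def audit_radius_template(tpl):
    """Return (severity, field, message) tuples, most severe first.

    Messages never include the shared secret itself.
    """
    findings = []

    secret = tpl.get("shared_secret", "")
    if not secret:
        findings.append(("high", "shared_secret", "no shared secret set"))
    elif tpl.get("shared_secret_format") == "hex" and any(
            c not in string.hexdigits for c in secret):
        findings.append(("high", "shared_secret",
                         "format is hex but value has non-hex characters"))

    timeout = tpl.get("retransmit_timeout", 2)  # default is 2 seconds
    if not isinstance(timeout, int) or not 2 <= timeout <= 30:
        findings.append(("high", "retransmit_timeout",
                         "outside the valid range of 2 to 30 seconds"))

    # The IP security fields only exist when IP Sec is enabled.
    if tpl.get("ipsec_enabled"):
        _check_option(findings, "ipsec_encryption",
                      tpl.get("ipsec_encryption"), ENCRYPTION)
        _check_option(findings, "ipsec_authentication",
                      tpl.get("ipsec_authentication"), AUTHENTICATION)
        _check_option(findings, "ike_phase1",
                      tpl.get("ike_phase1"), IKE_PHASE1)
        _check_option(findings, "ike_dh_group",
                      tpl.get("ike_dh_group"), DH_GROUP)
        lifetime = tpl.get("ike_lifetime")
        if not isinstance(lifetime, int) or lifetime <= 0:
            findings.append(("high", "ike_lifetime",
                             "lifetime must be a positive number of seconds"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed sample: every weak choice the page describes.
WEAK_TEMPLATE = {
    "shared_secret_format": "hex", "shared_secret": "zz12",
    "retransmit_timeout": 45, "ipsec_enabled": True,
    "ipsec_encryption": "DES", "ipsec_authentication": "HMAC-MD5",
    "ike_phase1": "aggressive", "ike_dh_group": 1, "ike_lifetime": 28800,
}
# Constructed sample: the strongest options the page offers.
HARDENED_TEMPLATE = {
    "shared_secret_format": "ASCII",
    "shared_secret": "constructed-example-secret",
    "retransmit_timeout": 5, "ipsec_enabled": True,
    "ipsec_encryption": "AES 128 CBC", "ipsec_authentication": "HMAC-SHA1",
    "ike_phase1": "main", "ike_dh_group": 5, "ike_lifetime": 28800,
}

if __name__ == "__main__":
    for severity, field, message in audit_radius_template(WEAK_TEMPLATE):
        print(f"{severity:6} {field}: {message}")
```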
Creating RADIUS Accounting Templates
To add and configure a RADIUS Accounting template or modify an existing template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > RADIUS Acct Servers.
Step 2 Use the Shared Secret Format drop-down list to choose either ASCII or hexadecimal.
Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.
Step 3 Enter the RADIUS shared secret used by your specified server.
Step 4 Re-enter the shared secret.
Step 5 Click if you want to establish administrative privileges for the server.
Step 6 Click if you want to enable the network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.
Step 7 Specify the time in seconds after which the RADIUS authentication request times out and a retransmission by the controller occurs. You can specify a value between 2 and 30 seconds.
Step 8 Click Save.
Creating RADIUS Fallback Templates
To add and configure a RADIUS Fallback template or modify an existing template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > RADIUS Fallback.
Step 2 From the RADIUS Fallback Mode drop-down list, choose one of the following:
- Off—Disables fallback.
- Passive—You must enter a time interval.
- Active—You must enter a username and time interval.
Step 3 Click Save.
LDAP Server Templates
This section explains how to configure a Lightweight Directory Access Protocol (LDAP) server as a backend database, similar to a RADIUS or local user database. An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user. For example, local EAP might use an LDAP server as its backend database to retrieve user credentials.
Creating LDAP Server Templates
To add an LDAP server template or make modifications to an existing LDAP server template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > LDAP Servers.
Step 2 Enter the port number of the controller to which the access point is connected.
Step 3 From the Bind Type drop-down list, choose one of the following:
- Authenticated—Enter a bind username and password.
- Anonymous.
Step 4 In the Server User Base DN text box, enter the distinguished name of the subtree in the LDAP server that contains a list of all the users.
Step 5 In the Server User Attribute text box, enter the attribute that contains the username in the LDAP server.
Step 6 In the Server User Type text box, enter the ObjectType attribute that identifies the user.
Step 7 In the Retransmit Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.
Step 8 Check the Admin Status check box if you want the LDAP server to have administrative privileges.
Step 9 Click Save.
TACACS+ Server Templates
This page allows you to add a TACACS+ server or make modifications to an existing TACACS+ server template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.
Creating TACACS+ Server Templates
To configure a TACACS+ Server template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > TACACS+ Servers.
Step 2 Select one or more server types by selecting their respective check boxes. The following server types are available:
- authentication—Server for user authentication/authorization.
- authorization—Server for user authorization only.
- accounting—Server for RADIUS user accounting.
Step 3 Enter the IP address of the server.
Step 4 Enter the port number of the server. The default is 49.
Step 5 From the drop-down list, choose either ASCII or hex.
Regardless of which format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. Set the key format again in the template in the event a discovered template is applied to another device.
Step 6 Enter the TACACS+ shared secret used by your specified server in the Shared Secret text box.
Step 7 Reenter the shared secret in the Confirm Shared Secret text box.
Step 8 Select the Admin Status check box if you want the TACACS+ server to have administrative privileges.
Step 9 In the Retransmit Timeout text box, enter the time, in seconds, after which the TACACS+ authentication request times out and a retransmission is attempted by the controller.
Step 10 Click Save.
Local EAP General Templates
This page allows you to specify a timeout value for local EAP. You can then add or make changes to an existing local EAP general template.
If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.
Creating Local EAP General Templates
To add a Local EAP template or make modifications to an existing template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Local EAP > General - Local EAP.
The Local EAP General page appears.
Step 2 In the Local Auth Active Timeout text box, enter the time (in seconds) that the controller attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fail. The valid range is 1 to 3600 seconds, and the default setting is 1000 seconds.
The following values should be adjusted if you are using EAP-FAST, manual password entry, one-time password, or 7920/7921 phones:
- Local EAP Identity Request Timeout=1
- Local EAP Identity Request Maximum Retries=20
- Local EAP Dynamic WEP Key Index=0
- Local EAP Request Timeout=20
- Local EAP Request Maximum Retries=2
You must increase the 802.1x timeout values on the controller (default=2 seconds) for the client to obtain the PAC using automatic provisioning. The recommended and default timeout on the Cisco ACS server is 20 seconds.
Roaming fails if these values are not set the same across multiple controllers.
Step 3 Click Save.
Local EAP Profile Templates
Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, thereby removing dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users.
The LDAP backend database supports only these local EAP methods:
- EAP-TLS.
- EAP-FAST with certificates.
LEAP and EAP-FAST with PACs are not supported for use with the LDAP backend database.
Creating Local EAP Profile Templates
To add a Local EAP Profile template or make modifications to an existing template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Local EAP > Local EAP Profiles.
Step 2 Choose one of the following authentication types:
- LEAP—This authentication type leverages Cisco Key Integrity Protocol (CKIP) and MMH message integrity check (MIC) for data protection. A username and password are used to perform mutual authentication with the RADIUS server through the access point.
- EAP-FAST—This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1X EAP mutual authentication. A username, password, and PAC (protected access credential) are used to perform mutual authentication with the RADIUS server through the access point.
- TLS—This authentication type uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. It requires a client certificate for authentication.
- PEAP—This authentication type is based on EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data.
Step 3 Choose the certificate for authentication from the Certificate Issuer drop-down list to determine whether Cisco or another vendor issued the certificate for authentication. Only EAP-FAST and TLS require a certificate.
Step 4 Check the Check Against CA Certificates check box if you want the incoming certificate from the client to be validated against the certificate authority (CA) certificates on the controller.
Step 5 Check the Verify Certificate CN Identity check box if you want the incoming certificate to be validated against the common name of the CA certificate.
Step 6 Check the Check Against Date Validity check box if you want the controller to verify that the incoming device certificate is still valid and has not expired.
Step 7 Check the Local Certificate Required check box if a local certificate is required.
Step 8 Check the Client Certificate Required check box if a client certificate is required.
Step 9 Click Save.
Step 10 To enable local EAP, follow these steps:
a. Choose WLAN > WLAN Configuration from the left sidebar menu.
b. Click the profile name of the desired WLAN.
c. Choose the Security > AAA Servers tab to access the AAA Servers page.
d. Select the Local EAP Authentication check box to enable local EAP for this WLAN.
Step 11 Click Save.
EAP-FAST Templates
This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1X EAP mutual authentication. A username, password, and PAC are used to perform mutual authentication with the RADIUS server through the access point.
Creating an EAP-FAST Template
To add an EAP-FAST template or make modifications to an existing template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Local EAP > EAP-FAST Parameters.
Step 2 In the Time to Live for the PAC text box, enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.
Step 3 In the Authority ID text box, enter the authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters, but you must enter an even number of characters.
Step 4 In the Authority Info text box, enter the authority identifier of the local EAP-FAST server in text format.
Step 5 In the Server Key and Confirm Server Key text boxes, enter the key (in hexadecimal characters) used to encrypt and decrypt PACs.
Step 6 If you want to enable anonymous provisioning, select the Anonymous Provision check box.
This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If you disable this feature, PACs must be manually provisioned.
Step 7 Click Save.
Creating Network User Priority Templates
You can specify the order that LDAP and local databases use to retrieve user credential information. This page allows you to add or make modifications to an existing network user credential retrieval priority template.
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Local EAP > Network Users Priority.
Step 2 Use the left and right arrow keys to include or exclude network user credentials in the right page.
Step 3 Use the up and down keys to determine the order credentials are tried.
Step 4 Click Save.
Local Network Users Templates
With this template, you can store the credentials (username and password) of all the local network users. These credentials are then used to authenticate the users. For example, local EAP might use the local user database as its back end database to retrieve user credentials. This page allows you to add or make modifications to an existing local network user template. You must create a local net user and define a password when logging in as a web authentication client.
Creating Local Network Users Templates
To configure a Local Network Users template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > Local Net Users.
Step 2 Click Import CSV to import from a file, then click Browse to navigate to the file. Then continue to Step 6. If you disable the import, continue to Step 3.
Only CSV file formats are supported.
Prime Infrastructure reads data from the second row onwards. The first row in the file is treated as the header and the data is not read by Prime Infrastructure. The header can either be blank or filled.
Step 3 Enter the following details:
- Username
- Password
- Profile
- Description.
If the Profile column is left blank (or filled in with any profile), a client on any profile can use this account.
Step 4 Use the drop-down list to choose the SSID which this local user is applied to or choose the any SSID option.
Step 5 Enter a user-defined description of this interface.
Step 6 Click Save.
Guest User Templates
The purpose of a guest user account is to provide a user account for a limited amount of time. A Lobby Ambassador is able to configure a specific time frame for the guest user account to be active. After the specified time period, the guest user account automatically expires. Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Guest Users to access the Guest Users template page.
Creating Guest User Templates
To add a guest user template or make modifications to an existing template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > CLI Templates > System Templates - CLI > Guest Users.
Step 2 Enter a guest username in the User Name text box. The maximum size is 24 characters.
Step 3 Enter a password for this username in the Password text box.
Step 4 From the Advanced tab choose the guest user to connect to from the Profile drop-down list.
Step 5 Choose a user role for the guest user from the drop-down list. User roles are predefined by the administrator and are associated with the access of the guest.
User Role is used to manage the amount of bandwidth allocated to specific users within the network.
Step 6 Choose one of the following radio buttons to specify the lifetime of the guest account:
- Limited—The period of time that the guest user account is active using the hours and minutes drop-down lists. The default value for Limited is one day (8 hours).
- Unlimited Lifetime—No expiration date for the guest account.
Step 7 Choose the area (indoor, outdoor), controller list, or config group to which the guest user traffic is limited from the Apply to drop-down list.
If you choose the controller list option, a list of controller IP addresses appears.
Step 8 Modify the default guest user description on the General tab if necessary. This is not mandatory.
Step 9 Modify the Disclaimer text on the General tab, if necessary. If you want the supplied text to be the default, select the Make this Disclaimer default check box. This is not mandatory.
Step 10 Click Save.
User Login Policies Templates
You can set the maximum number of concurrent logins that each single user can have.
Creating User Login Policies Templates
To add a user login template or make modifications to an existing template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > User Login Policies.
Step 2 Enter the maximum number of concurrent logins each single user can have.
Step 3 Click Save as New Template.
Creating a MAC Filter Template
To add a MAC filter template or make modifications to an existing template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > MAC Filtering or choose Security > MAC Filtering.
Step 2 Click Import CSV to import a file containing access point MAC addresses.
Step 3 Enter the desired file path or click Browse to import the file.
The import file must be a CSV file with MAC address, profile name, interface, and description (such as 00:11:22:33:44:55, Profile1, management, test filter). If you disable the Import from File check box, continue to Step 4.
The client MAC address appears.
Step 4 Choose the profile name to which this MAC filter is applied or choose the Any Profile option.
Step 5 Use the drop-down list to choose from the available interface names.
Step 6 Enter a user-defined description of this interface.
Step 7 Click Save as New Template.
You cannot use a MAC address in the broadcast range.
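A MAC Filter import file can be checked against the format and the broadcast-range restriction described above before it is uploaded. The following check is an added example, not Prime Infrastructure code: it assumes that "broadcast range" means any address with the group (broadcast/multicast) bit set and that the file has no header row, and the sample file is constructed.

```python
# Added example: pre-import check for a MAC Filter CSV file with the columns
# named above (MAC address, profile name, interface, description).
import csv
import io
import re

COLUMNS = ("mac", "profile", "interface", "description")
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def is_group_address(mac):
    """True when the lowest bit of the first octet is set.

    Assumption: the page's "broadcast range" covers broadcast and multicast
    addresses, which all have this bit set (ff:ff:ff:ff:ff:ff included).
    """
    return int(mac[:2], 16) & 0x01 == 1


def check_mac_filter_csv(text):
    """Return (rows, errors).

    rows   - dicts for lines that passed, MAC addresses lower-cased
    errors - (line_number, message) for lines that must be fixed first
    """
    rows, errors = [], []
    first_seen = {}  # mac -> line number of its first valid occurrence
    # skipinitialspace accepts "a, b, c" as written in the page's sample row.
    reader = csv.reader(io.StringIO(text, newline=""), skipinitialspace=True)
    for fields in reader:
        line_no = reader.line_num
        fields = [f.strip() for f in fields]
        if not any(fields):
            continue  # blank line
        if len(fields) != len(COLUMNS):
            errors.append((line_no, "expected %d columns, found %d"
                           % (len(COLUMNS), len(fields))))
            continue
        row = dict(zip(COLUMNS, fields))
        row["mac"] = row["mac"].lower()
        if not MAC_RE.match(row["mac"]):
            errors.append((line_no, "MAC address is not in xx:xx:xx:xx:xx:xx form"))
        elif is_group_address(row["mac"]):
            errors.append((line_no, "MAC address is in the broadcast range"))
        elif row["mac"] in first_seen:
            errors.append((line_no, "duplicate of line %d" % first_seen[row["mac"]]))
        else:
            first_seen[row["mac"]] = line_no
            rows.append(row)
    return rows, errors


# Constructed sample file; line 1 is the sample row from the page.
SAMPLE_CSV = """\
00:11:22:33:44:55, Profile1, management, test filter
FF:FF:FF:FF:FF:FF, Profile1, management, broadcast address
01:00:5e:00:00:fb, Profile1, management, multicast address
00-11-22-33-44-66, Profile1, management, wrong separator
00:11:22:33:44:55, Profile2, management, repeated address
00:11:22:33:44:77, Profile1, management
0A:1B:2C:3D:4E:5F, Profile1, management, "lab, bench 2"
"""

if __name__ == "__main__":
    good, bad = check_mac_filter_csv(SAMPLE_CSV)
    print("%d rows ready for import" % len(good))
    for line_no, message in bad:
        print("line %d: %s" % (line_no, message))
```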
Access Point or MSE Authorization Templates
These templates are devised for Cisco 11xx/12xx series access points converted from Cisco IOS to lightweight access points or for 1030 access points connecting in bridge mode. See the Cisco Mobility Services Engine Configuration Guide for further information.
Creating an Access Point or MSE Authorization Templates
To add an MSE authorization template or make modifications to an existing template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > AAA > AP or MSE Authorization.
Step 2 Click Import CSV to import a file containing access point MAC addresses.
You can only import a CSV file. The file format parallels the fields in the GUI and therefore includes access point base radio MAC, Type, Certificate Type (MIC or SSC), and key hash (such as 00:00:00:00:00:00, AP, SSC, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx). No other file formats are supported.
Step 3 Enter the desired file path or click Browse to import the file.
Step 4 Click Save As New Template.
You cannot use a MAC address in the broadcast range.
Creating a Manually Disabled Client Template
This page allows you to add a manually disabled client template or make modifications to an existing disabled client template.
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Manually Disable Clients.
Step 2 Enter the MAC address of the client you want to disable.
Step 3 Enter a description of the client you are setting to disabled.
Step 4 Click Save as New Template.
You cannot use a MAC address in the broadcast range.
Creating Client Exclusion Policies Templates
To add a client exclusion policies template or modify an existing client exclusion policies template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > Client Exclusion Policies.
Step 2 Complete the following fields:
- Template Name—Enter a name for the client exclusion policy.
- Excessive 802.11 Association Failures—Enable to exclude clients with excessive 802.11 association failures.
- Excessive 802.11 Authentication Failures—Enable to exclude clients with excessive 802.11 authentication failures.
- Excessive 802.1X Authentication Failures—Enable to exclude clients with excessive 802.1X authentication failures.
- Excessive 802.11 Web Authentication Failures—Enable to exclude clients with excessive 802.11 web authentication failures.
- IP Theft or Reuse—Enable to exclude clients exhibiting IP theft or reuse symptoms.
Step 3 Click Save as New Template.
Access Point Authentication and MFP Templates
Management Frame Protection (MFP) provides for the authentication of 802.11 management frames by the wireless network infrastructure. Management frames can be protected to detect adversaries who are invoking denial of service attacks, flooding the network with associations and probes, interjecting as rogue access points, and affecting the network performance by attacking the QoS and radio measurement frames.
When enabled, the access point protects the management frames it transmits by adding a message integrity check information element (MIC IE) to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any receiving access point configured to detect MFP frames to report the discrepancy. An access point must be a member of a WDS to transmit MFP frames.
When MFP detection is enabled, the access point validates every management frame that it receives from other access points in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an access point that is configured to transmit MFP frames, it reports the discrepancy to the network management system.
Creating Access Point Authentication and MFP Templates
To add or make modifications for the access point authentication and management frame protection (MFP) template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Wireless Protection Policies > AP Authentication and MFP.
Step 2 From the Protection Type drop-down list, choose one of the following authentication policies:
- None—No access point authentication policy.
- AP Authentication—Apply authentication policy.
- MFP—Apply management frame protection.
Alarm trigger threshold appears only when AP authentication is selected as a protection type. Set the number of hits from an alien access point to ignore before raising an alarm.
The valid range is from 1 to 255. The default value is 255.
Step 3 Click Save as New Template.
Web Authentication Templates
With web authentication, guests are automatically redirected to a web authentication page when they launch their browsers. Guests gain access to the WLAN through this web portal. Wireless LAN administrators using this authentication mechanism should have the option of providing unencrypted or encrypted guest access. Guest users can then log into the wireless network using a valid username and password, which is encrypted with SSL. Web authentication accounts might be created locally or managed by a RADIUS server. The Cisco Wireless LAN controllers can be configured to support a web authentication client. You can use this template to replace the Web authentication page provided on the controller.
Creating a Web Authentication Template
To add or make modifications to an existing web authentication template, follow these steps:
Step 1 Choose
Configuration > Templates > Features & Technologies > Controller > Security > AAA > Web Auth Configuration
.
Step 2 Choose one of the following web authentication type from the drop-down list.
-
default
internal
— You can still alter the page title, message, and redirect URL, as well as whether the logo appears. Continue to Step 5.
-
customized web authentication
—Click
Save
and apply this template to the controller. You are prompted to download the web authentication bundle.
Before you can choose customized web authentication, you must first download the bundle by going to
Config > Controller
and choose
Download Customized Web Authentication
from the
Select a command
drop-down list, and click
Go
.
-
external
—you need to enter the URL you want to redirect to after a successful authentication. For example, if the value entered for this text box is http://www.example.com, the user is directed to the company home page
Step 3 Select the Logo Display check box if you want your company logo displayed.
Step 4 Enter the title you want displayed on the Web Authentication page.
Step 5 Enter the message you want displayed on the Web Authentication page.
Step 6 Provide the URL where the user is redirected after a successful authentication. For example, if the value entered for this text box is http://www.example.com, the user would be directed to the company home page.
Step 7 Click Save as New Template.
Customized Web Authentication Pages
You can download a customized Web Authentication page to the controller. With a customized web page, you can establish a username and password for user web access.
When downloading customized web authentication, you must follow these strict guidelines:
- Provide a username.
- Provide a password.
- Retain a redirect URL as a hidden input item after extracting from the original URL.
- Extract the action URL and set aside from the original URL.
- Include scripts to decode the return status code.
Downloading Customized Web Authentication Pages
Before downloading, follow these steps:
Step 1 Download the sample login.html bundle file from the server. The following figure displays the login.html file. The login page is presented to web users the first time they access the WLAN if web authentication is turned on.
Figure 20-1 Login.html
Step 2 Edit the login.html file and save it as a .tar or .zip file.
You can change the text of the Submit button to read Accept terms and conditions and Submit.
Step 3 Make sure you have a Trivial File Transfer Protocol (TFTP) server available for the download. Keep these guidelines in mind when setting up a TFTP server:
- If you are downloading through the service port, the TFTP server must be on the same subnet as the service port because the service port is not routable. However, if you want to put the TFTP server on a different network while the management port is down, add a static route if the subnet where the service port resides has a gateway (config route add IP address of TFTP server).
- If you are downloading through the distribution system network port, the TFTP server can be on the same or a different subnet because the distribution system port is routable.
- A third-party TFTP server cannot run on the same computer as Prime Infrastructure because the built-in TFTP server of Prime Infrastructure and third-party TFTP server use the same communication port.
Step 4 Download the .tar or .zip file to the controller(s).
The controller allows you to download up to 1 MB of a .tar file containing the pages and image files required for the Web authentication display. The 1 MB limit includes the total size of uncompressed files in the bundle.
You can now continue with the download.
Step 5 Copy the file to the default directory on your TFTP server.
Step 6 Choose Configuration > Network > Network Devices > Wireless Controller.
Step 7 Click on a Device Name. If you select more than one device, the customized Web authentication page is downloaded to multiple controllers.
Step 8 From the left sidebar menu, choose System > Commands.
Step 9 From the Upload/Download Commands drop-down list, choose Download Customized Web Auth, and click Go.
Step 10 The IP address of the controller to receive the bundle and the current status are displayed.
Step 11 Choose local machine from the File is Located On field. If you know the filename and path relative to the root directory of the server, you can also select TFTP server.
For a local machine download, both .zip and .tar file options exist, but Prime Infrastructure does the conversion of .zip to .tar automatically. If you choose a TFTP server download, only .tar files can be specified.
Step 12 Enter the maximum number of times the controller should attempt to download the file in the Maximum Retries field.
Step 13 Enter the maximum amount of time in seconds before the controller times out while attempting to download the file in the Timeout field.
Step 14 The files are uploaded to the c:\tftp directory. Specify the local filename in that directory or click Browse to navigate to it.
Step 15 Click OK.
If the transfer times out, you can simply choose the TFTP server option in the File Is Located On field, and the server filename is populated for you. The local machine option initiates a two-step operation. First, the local file is copied from the workstation of the administrator to the built-in TFTP server of Prime Infrastructure. Then the controller retrieves that file. For later operations, the file is already in the TFTP directory of Prime Infrastructure server, and the download web page now automatically populates the filename.
Step 16 Click the Click here to download a sample tar file link to get an option to open or save the login.tar file.
Step 17 After completing the download, you are directed to the new page and able to authenticate.
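A pre-flight check for the edited bundle, added here as an example (it is not Cisco code): it verifies the 1 MB uncompressed limit from Step 4 and that login.html still carries the items required by the guidelines under Customized Web Authentication Pages. It reads .tar bundles only. Reading 1 MB as 1,048,576 bytes, expecting login.html at the top level of the bundle, and the form field names in the constructed sample are assumptions.

```python
import io
import posixpath
import tarfile
from html.parser import HTMLParser

MAX_BUNDLE_BYTES = 1024 * 1024  # assumption: "1 MB" read as 1,048,576 bytes
LOGIN_PAGE = "login.html"       # assumption: same name as the sample bundle's page

# Constructed sample page; the field names are placeholders, not taken from the page.
SAMPLE_LOGIN = b"""<html><head>
<script>/* set the form action URL and decode the return status code here */</script>
</head><body><form method="post">
<input type="hidden" name="redirect_url">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" value="Submit">
</form></body></html>"""


class LoginPageScan(HTMLParser):
    """Collects the <input> types and notes any <script> tag in login.html."""

    def __init__(self):
        super().__init__()
        self.input_types = []
        self.has_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.input_types.append((dict(attrs).get("type") or "text").lower())
        elif tag == "script":
            self.has_script = True


def check_login_page(html_text):
    """Return the guideline items that are missing from the login page."""
    scan = LoginPageScan()
    scan.feed(html_text)
    problems = []
    if "text" not in scan.input_types:
        problems.append("no username text input")
    if "password" not in scan.input_types:
        problems.append("no password input")
    if "hidden" not in scan.input_types:
        problems.append("no hidden input to retain the redirect URL")
    if not scan.has_script:
        problems.append("no script to set the action URL and decode the status code")
    return problems


def check_bundle(tar_bytes):
    """Check total uncompressed size and the login page of a .tar bundle."""
    problems = []
    total = 0
    login_html = None
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            total += member.size  # size of the file once unpacked
            if posixpath.normpath(member.name) == LOGIN_PAGE:
                data = tar.extractfile(member).read(MAX_BUNDLE_BYTES)
                login_html = data.decode("utf-8", "replace")
    if total > MAX_BUNDLE_BYTES:
        problems.append(f"uncompressed size {total} bytes exceeds {MAX_BUNDLE_BYTES}")
    if login_html is None:
        problems.append(f"{LOGIN_PAGE} not found in bundle")
    else:
        problems.extend(check_login_page(login_html))
    return problems


def build_sample_bundle(files):
    """Build an in-memory .tar from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    bundle = build_sample_bundle({"login.html": SAMPLE_LOGIN, "logo.jpg": b"\0" * 2048})
    print(check_bundle(bundle) or "bundle looks ready to download")
```

Run it against the edited bundle before Step 4; an empty result means the size limit and the guideline items are satisfied.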
Creating External Web Auth Server Templates
To create or modify an External Web Auth Server template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > External Web Auth Server or choose Security > External Web Auth Server.
Step 2 Enter the server address of the external web auth server.
Step 3 Click Save as New Template.
Creating a Security Password Policy Template
To add or make modifications to an existing password policy template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Security > Password Policy.
Step 2 You can enable or disable the following settings:
- Password must contain characters from at least 3 different classes such as uppercase letters, lowercase letters, digits, and special characters.
- No character can be repeated more than 3 times consecutively.
- Password cannot be the default words like cisco or admin.
Password cannot be “cisco”, “ocsic”, “admin”, “nimda” or any variant obtained by changing the capitalization of letters, or by substituting “1”, “|”, or “!” for i, or substituting “0” for “o”, or substituting “$” for “s”.
- Password cannot contain username or reverse of username.
Step 3 Click Save.
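The four settings from Step 2 written out as a checker, as an added example that is not Prime Infrastructure or controller code. It assumes that "more than 3 times consecutively" means a run of four identical characters, and that the username comparison ignores case.

```python
import re
import string
from dataclasses import dataclass

# Words the page lists as forbidden, and the character substitutions it names.
FORBIDDEN_WORDS = {"cisco", "ocsic", "admin", "nimda"}
UNDO_SUBSTITUTIONS = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"})


@dataclass
class PasswordPolicy:
    """The four settings from Step 2; each can be enabled or disabled."""
    require_three_classes: bool = True
    limit_repeats: bool = True
    block_default_words: bool = True
    block_username: bool = True


def character_classes(password):
    """Return which of the four character classes the password uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def is_default_word(password):
    """True for cisco/ocsic/admin/nimda and the variants the page describes."""
    # Lowercasing undoes capitalization changes; the table undoes 1 | ! 0 $.
    return password.lower().translate(UNDO_SUBSTITUTIONS) in FORBIDDEN_WORDS


def check_password(password, username, policy=None):
    """Return the names of the enabled rules that the password violates."""
    policy = policy or PasswordPolicy()
    violations = []
    if policy.require_three_classes and len(character_classes(password)) < 3:
        violations.append("classes")
    # Assumption: a run of four identical characters is "more than 3 times".
    if policy.limit_repeats and re.search(r"(.)\1{3}", password, re.DOTALL):
        violations.append("repeat")
    if policy.block_default_words and is_default_word(password):
        violations.append("default-word")
    if policy.block_username and username:
        # Assumption: the username match is case-insensitive.
        pw, user = password.lower(), username.lower()
        if user in pw or user[::-1] in pw:
            violations.append("username")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords for a hypothetical user "guest".
    for candidate in ("C!$c0", "Wlan#7guest", "tseug-Xy9", "aaaaB1x", "aaaB1x"):
        print(candidate, check_password(candidate, "guest"))
```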
Creating 802.11 Templates
You can create the following 802.11 templates:
- Creating Load Balancing Templates.
- Creating Band Selection Templates.
- Creating Media Parameters Controller Templates (802.11a/n).
Creating Load Balancing Templates
To configure load balancing templates, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > Load Balancing.
Step 2 Enter a value between 1 and 20 for the client window size.
The window size becomes part of the following algorithm that determines whether an access point is too heavily loaded to accept more client associations:
load-balancing window + client associations on AP with lightest load = load-balancing threshold
In the group of access points accessible to a client device, each access point has a different number of client associations. The access point with the lowest number of clients has the lightest load. The client window size plus the number of clients on the access point with the lightest load forms the threshold. Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold.
Step 3 Enter a value between 0 and 10 for the max denial count. The denial count sets the maximum number of association denials during load balancing.
Step 4 Click Save as New Template.
Creating Band Selection Templates
To configure band selection templates, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > Band Select.
Step 2 Enter a value between 1 and 10 for the probe cycle count.
The cycle count sets the number of suppression cycles for a new client. The default cycle count is 2.
Step 3 Enter a value between 1 and 1000 milliseconds for the scan cycle period threshold.
This setting determines the time threshold during which new probe requests from a client come from a new scanning cycle. The default cycle threshold is 200 milliseconds.
Step 4 Enter a value between 10 and 200 seconds for the age out suppression field.
Age-out suppression sets the expiration time for pruning previously known 802.11b/g clients. The default value is 20 seconds. After this time elapses, clients become new and are subject to probe response suppression.
Step 5 Enter a value between 10 and 300 seconds for the age out dual band field.
The age-out period sets the expiration time for pruning previously known dual-band clients. The default value is 60 seconds. After this time elapses, clients become new and are subject to probe response suppression.
Step 6 Enter a value between –20 and –90 dBm for the acceptable client RSSI field.
This field sets the minimum RSSI for a client to respond to a probe. The default value is –80 dBm.
Step 7 Click Save.
Creating Preferred Call Templates
To add or modify preferred call templates, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > Preferred Call.
Step 2 Configure the following Preferred Call parameters:
- Template Name—Enter a template name which is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
- Number Id—Enter a value to identify the preferred number. You can have a maximum of six preferred call numbers. The valid range is from 1 to 6. The default value is 1.
- Preferred Number—Enter the preferred call number.
Step 3 Click Save as New Template.
Creating Media Stream for Controller Templates (802.11)
To configure the media stream for a controller template for an 802.11 Radio, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > Media Stream.
Step 2 Enter a name for the template.
Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
Step 3 In the Media Stream Configuration group box, specify the following fields:
- Media Stream Name
- Multicast Destination Start IP—Start IP address of the media stream to be multicast.
- Multicast Destination End IP—End IP address of the media stream to be multicast.
- IPv4 or IPv6 multicast addresses are supported from controller Release 7.2.x.
- Maximum Expected Bandwidth—Maximum bandwidth that a media stream can use.
Step 4 In the Resource Reservation Control (RRC) Parameters group box, specify the following fields:
- Average Packet Size—Average packet size that a media stream can use.
- RRC Periodical Update—Resource Reservation Control calculations that are updated periodically; if disabled, RRC calculations are done only once when a client joins a media stream.
- RRC Priority—Priority of RRC with the highest at 1 and the lowest at 8.
- Traffic Profile Violation—Appears if the stream is dropped or put in the best effort queue if the stream violates the QoS video profile.
- Policy—Appears if the media stream is admitted or denied.
Step 5 Click Save.
Once saved, the template is displayed in the Template List page. In the Template List page, you can apply this template to controllers.
Creating RF Profiles Templates (802.11)
To configure an RF Profile for a controller template for an 802.11 Radio, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > RF Profiles.
Step 2 Configure the following information:
– Template Name—User-defined name for the template.
– Profile Name—User-defined name for the current profile.
– Description—Description of the template.
– Radio Type—The radio type of the access point. This is a drop-down list from which you can choose an RF profile for APs with 802.11a or 802.11b radios.
- TPC (Transmit Power Control)
– Minimum Power Level Assignment (-10 to 30 dBm)—Indicates the minimum power assigned. Range: -10 to 30 dBm. Default: -10 dBm.
– Maximum Power Level Assignment (-10 to 30 dBm)—Indicates the maximum power assigned. Range: -10 to 30 dBm. Default: 30 dBm.
– Power Threshold v1 (-80 to -50 dBm)—Indicates the transmitted power threshold.
– Power Threshold v2 (-80 to -50 dBm)—Indicates the transmitted power threshold.
- Data Rates—Use the Data Rates drop-down lists to specify the rates at which data can be transmitted between the access point and the client. The following data rates are available:
– 802.11a—6, 9, 12, 18, 24, 36, 48, and 54 Mbps.
– 802.11b/g—1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps.
For each data rate, choose one of these options:
– Mandatory—Clients must support this data rate to associate to an access point on the controller.
– Supported—Any associated clients that support this data rate might communicate with the access point using that rate. However, the clients are not required to be able to use this rate to associate.
– Disabled—The clients specify the data rates used for communication.
- Band Select—The Band Select feature enables you to balance client distribution among both serving radios when APs are serving hundreds of clients in dense auditorium or stadium sites. Band Select discovers the client capabilities to verify whether the client can associate on both the 2.4 GHz and 5 GHz spectrum. Enabling band select on a WLAN forces the AP to do probe suppression on 2.4 GHz, which ultimately moves dual-band clients to the 5 GHz spectrum. In the Band Select group box, specify the following:
– Probe Response
– Cycle Count (1 to 10 Cycles)
– Cycle Threshold (1 to 1000 msecs)
– Suppression Expire (10 to 200 secs)
– Dual Band Expire (10 to 300 secs)
– Client RSSI (-90 to -20 dBm)
- High Density Configurations
– Maximum Clients—Specify the maximum number of clients.
– Multicast Data Rate—From the Multicast Data Rate drop-down list, choose the data rate. The value “auto” indicates that the AP automatically adjusts data rate with client.
– Data RSSI (-90 to -60 dBm)—Enter the minimum receive signal strength indication (RSSI) value for data packets received by the access point. The value that you enter is used to identify coverage holes (or areas of poor coverage) within your network. If the access point receives a packet in the data queue with an RSSI value below the value that you enter here, a potential coverage hole has been detected. The valid range is –90 to –60 dBm, and the default value is –80 dBm. The access point takes data RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.
– Voice RSSI (-90 to -60 dBm)—Enter the minimum receive signal strength indication (RSSI) value for voice packets received by the access point. The value that you enter is used to identify coverage holes within your network. If the access point receives a packet in the voice queue with an RSSI value below the value that you enter here, a potential coverage hole has been detected. The valid range is –90 to –60 dBm, and the default value is –75 dBm. The access point takes voice RSSI measurements every 5 seconds and reports them to the controller in 90-second intervals.
– Coverage Exception (1 to 75 Clients)—Enter the minimum number of clients on an access point with an RSSI value at or below the data or voice RSSI threshold. The valid range is 1 to 75, and the default value is 3.
– Coverage Level (0 to 100%)—In the Coverage Exception Level per AP text box, enter the percentage of clients on an access point that are experiencing a low signal level but cannot roam to another access point. The valid range is 0 to 100%, and the default value is 25%.
– Window (0 to 20 Clients)—Enter a value between 1 and 20. The window size becomes part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations.
– Denial (1 to 10)—Enter a value between 0 and 10. The denial count sets the maximum number of association denials during load balancing.
Step 3 Click Save.
SIP Snooping
Keep the following guidelines in mind when using SIP Snooping:
- SIPs are available only on the Cisco 5500 Series Controllers and on the 1240, 1130, and 11n access points.
- SIP CAC should only be used for phones that support status code 17 and do not support TSPEC-based admission control.
- SIP CAC will be supported only if SIP snooping is enabled.
Creating SIP Snooping
To configure SIP Snooping for a controller, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11 > SIP Snooping.
Step 2 Configure the following fields:
If a single port is to be used, configure both the start and end port fields with the same number.
Step 3 Click Save as New Template.
Creating 802.11a/n Radio Templates
You can create or modify an 802.11a/n radio template for a wireless controller and/or apply specific settings to controller(s).
Creating 802.11a/n Parameters Templates
To add or modify radio templates, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > Parameters.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 2 Select the check box if you want to enable 802.11a/n network status.
Step 3 In the Beacon Period field, enter the amount of time between beacons in kilo-microseconds. The valid range is from 20 to 1000 milliseconds.
Step 4 In the DTIM Period field, enter the number of beacon intervals that might elapse between transmission of beacon frames containing a traffic indicator message (TIM) element whose delivery count text box is 0. This value is transmitted in the DTIM period field of beacon frames. Shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.
Step 5 In the Fragmentation Threshold field, determine the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference.
Step 6 Enter the percentage for 802.11e Maximum Bandwidth.
Step 7 The client and controller negotiate data rates between them. It can range from 6 Mbps to 54 Mbps.
- If the data rate is set to Mandatory, the client must support it to use the network.
- If a data rate is set as Supported by the controller, any associated client that also supports that same rate might communicate with the access point using that rate.
- Each data rate can also be set to Disabled to match client settings.
Step 8 From the Channel List drop-down list in the Noise/Interference/Rogue Monitoring Channels section, choose between all channels, country channels, or DCA channels based on the level of monitoring you want. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation amongst a set of managed devices connected to the controller.
Step 9 Configure the CCX Location Measurement parameters:
- Select the Mode check box to enable the broadcast radio measurement request. When enabled, this enhances the location accuracy of clients.
- When the Mode check box is enabled, you can enter the time in seconds between requests in the Interval field.
Step 10 Click Save as New Template.
Creating 802.11a/n Media Parameters Controller Templates
This page enables you to create or modify a template for configuring 802.11a/n voice fields such as call admission control and traffic stream metrics.
To add a new template with 802.11a/n voice fields information (such as Call Admission Control and traffic stream metrics) for a controller, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > Media Parameters.
Step 2 Specify an appropriate name for the template.
Step 3 On the Voice tab, configure the following fields:
- Select the Admission Control (ACM) check box to enable admission control.
For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.
- If Admission Control (ACM) is enabled, choose either load-based or static from the CAC method drop-down list.
Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.
- In the Maximum Bandwidth Allowed field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled. For controller versions 6.0.188.0 and earlier, the valid range is 40 to 85. For controller versions 6.0.188.1 and later, the valid range is 5 to 85, and the default is 75.
- In the Reserved Roaming Bandwidth field, specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25, and the default is 6.
- Select the Expedited Bandwidth check box to enable expedited bandwidth as an extension of CAC for emergency calls.
You must have an expedited bandwidth IE that is CCXv5 compliant so that a TSPEC request is given higher priority.
- Select the SIP CAC check box to enable SIP CAC.
- Choose the appropriate option from the SIP Codec drop-down list. The available options are G.711, G.729, and User Defined.
- In the SIP Call Bandwidth field, specify the bandwidth in kilobits per second that you want to assign per SIP call on the network. This field can be configured only when the SIP Codec selected is User Defined.
- In the SIP Sample Interval field, specify the sample interval in milliseconds that the Codec must operate in.
- Select the Metric Collection check box to enable metric collection.
Traffic stream metrics are a series of statistics about VoIP over your wireless LAN which inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11a/n interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.
Step 4 On the Video tab, configure the following fields:
- Select the Admission Control (ACM) check box to enable admission control.
- In the Maximum Bandwidth Allowed field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
- In the Reserved Roaming Bandwidth field, specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25.
- From the SIP Codec drop-down list, choose one of the following options to set the CAC method.
- Select the SIP CAC check box to enable Static CAC support. SIP CAC will be supported only if SIP snooping is enabled.
- Select the Unicast Video Redirect check box to redirect all non-media stream packets in the video queue to the best effort queue. If disabled, all packets with video marking are kept in the video queue.
- Specify the physical data rate required for the client to join a media stream from the Client Minimum Phy Rate drop-down list.
- Select the Multicast Direct Enable check box to set the Media Direct for any WLAN with Media Direct enabled on a WLAN on this radio.
- In the Maximum Number of Streams per Radio field, specify the maximum number of streams per radio to be allowed.
- In the Maximum Number of Streams per Client field, specify the maximum number of streams per client to be allowed.
- Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used. If disabled and maximum video bandwidth has been used, then any new client request is rejected.
- In the Maximum Retry Percentage field, specify the maximum retry percentage value.
Step 5 On the General tab, specify the following field:
- In the Maximum Media Bandwidth field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
Step 6 Click Save as New Template.
Creating 802.11a/n EDCA Parameters Through a Controller Template
Enhanced Distributed Channel Access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality of service (QoS) traffic.
You must shut down the radio interface before configuring EDCA parameters.
To add or configure 802.11a/n EDCA parameters through a controller template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > EDCA Parameters.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 2 Choose one of the following options from the EDCA Profile drop-down list:
- WMM—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value. Choose this option when voice or video services are not deployed on your network.
- Spectralink Voice Priority—Enables Spectralink voice priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.
- Voice Optimized—Enables EDCA voice-optimized profile parameters. Choose this option when voice services other than Spectralink are deployed on your network.
- Voice & Video Optimized—Enables EDCA voice- and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network. Video services must be deployed with admission control (ACM). Video services without ACM are not supported.
Step 3 Select the Low Latency MAC check box to enable this feature. Enable low latency MAC only if all clients on the network are WMM compliant.
Creating 802.11a/n Roaming Parameters Template
To add or modify an existing roaming parameter template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > Roaming Parameters.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 2 Use the Mode drop-down list to choose one of the configurable modes.
- Default values—When this option is chosen, the roaming parameters are unavailable with the default values displayed in the text boxes.
- Custom values—When this option is chosen, the roaming parameters can be edited in the text boxes. To edit the parameters, continue to Step 6.
Step 3 In the Minimum RSSI field, enter a value for the minimum Received Signal Strength Indicator (RSSI) required for the client to associate to an access point. If the average received signal power of the client dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.
Step 4 In the Roaming Hysteresis field, enter a value to indicate how strong the signal strength of a neighboring access point must be for the client to roam to it. This field is intended to reduce the amount of ping between access points if the client is physically located on or near the border between two access points.
Step 5 In the Adaptive Scan Threshold field, enter the RSSI value from the associated access point of the client, below which the client must be able to roam to a neighboring access point within the specified transition time. This field also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.
Step 6 In the Transition Time field, enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the associated access point of the client is below the scan threshold.
The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.
Step 7 Click Save as New Template.
Creating an 802.11h Template
802.11h informs client devices about channel changes and can limit the transmit power of the client device. You can create or modify a template for configuring 802.11h parameters (such as power constraint and channel controller announcement) and apply these settings to multiple controllers.
To add or modify an 802.11h template, follow these steps:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > 802.11a or n or ac > 802.11h.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 2 Select the Power Constraint check box if you want the access point to stop transmission on the current channel.
Step 3 Select the Channel Announcement check box to enable channel announcement. Channel announcement is a method in which the access point announces when it is switching to a new channel and the new channel number.
Step 4 Click Save as New Template.
Creating 802.11a/n High Throughput Template
To add or modify an 802.11a/n high throughput template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > High Throughput (802.11n or ac).
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 2 Select the 802.11n Network Status check box to enable high throughput.
Step 3 The 802.11ac Network Status check box can be enabled and is supported from WLC version 7.5 onwards.
Step 4 In the MCS (Data Rate) Settings column, choose which level of data rate you want supported. Modulation coding schemes (MCS) are similar to 802.11a data rate. As a default, 20 MHz and short guard interval is used. When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes page.
Step 5 Click Save as New Template.
Related Topics
Creating 802.11a/n CleanAir Controller Templates
You can configure the template to enable or disable CleanAir, reporting and alarms in 802.11a/n radio for the controllers. You can also configure the type of interfering devices to include for reporting and alarms.
To add a new template with 802.11a/n CleanAir information for a controller, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > CleanAir.
Step 2 Configure the following fields:
-
Select the CleanAir check box to enable CleanAir functionality on the 802.11 b/g/n network, or unselect to prevent the controller from detecting spectrum interference. If CleanAir is enabled, the Reporting Configuration and Alarm Configuration group boxes appear.
-
Reporting Configuration—Use the fields in this group box to configure the interferer devices you want to include for your reports.
– Select the Report Interferers check box to enable the CleanAir system to report and detect sources of interference.
Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferences Selected for Reporting box and any that do not need to be detected appear in the Interferences Ignored for Reporting box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources are ignored.
– Select the Persistent Device Propagation check box to enable propagation of information about persistent devices that can be detected by CleanAir. Persistent device propagation enables designating information about interference types and propagating this information to the neighboring access points. Persistent interferers are present at a location and interfere with the WLAN operations even if they are not detectable at all times.
-
Alarm Configuration—This group box enables you to configure triggering of air quality alarms.
– Select the Air Quality Alarm check box to enable the triggering of air quality alarms.
– If you selected the Air Quality Alarm check box, enter a value between 1 and 100 (inclusive) in the Air Quality Alarm Threshold field to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered.
– Select the Air Quality Unclassified category Alarm check box to enable alarms to be generated for the unclassified interference category. CleanAir can detect and monitor unclassified interferences. Unclassified interferences are interferences that are detected but do not correspond to any of the known interference types.
The Unclassified category alarm is generated when the unclassified severity goes above the configured threshold value for unclassified severity or when the air quality index goes below the configured threshold value for Air Quality Index.
– If you selected the Air Quality Unclassified category Alarm check box, enter a value between 1 and 99 (inclusive) in the Air Quality Unclassified Severity Threshold text box to specify the threshold at which you want the unclassified category alarm to be triggered. The default is 20.
– Select the Interferers For Security Alarm check box to trigger interferer alarms when the controller detects specified device types.
– Make sure that any sources of interference that need to trigger interferer alarms appear in the Interferers Selected for Security Alarms box and any that do not need to trigger interferer alarms appear in the Interferers Ignored for Security Alarms box. Use the > and < buttons to move interference sources between these two boxes. By default, all interferer sources for security alarms are ignored.
Step 3 Click Save as New Template.
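The alarm rules in this procedure, as an added example that is not Cisco code: a Python audit of a CleanAir template's settings, plus the alarm decisions the steps describe for one measurement. The field names and interferer labels are hypothetical, and the 1-to-100 scale (1 is worst, default 1) and the default-unselected security alarm are the values this guide gives for the 802.11b/g/n CleanAir template.

```python
from dataclasses import dataclass, field


@dataclass
class CleanAirTemplate:
    # Hypothetical field names that mirror the labels on the template page;
    # this is not a Prime Infrastructure API or export format.
    clean_air: bool = True                       # guide: selected by default
    report_interferers: bool = False             # assumed starting value
    reported: set = field(default_factory=set)   # guide: all sources ignored by default
    air_quality_alarm: bool = False              # assumed starting value
    air_quality_threshold: int = 1               # guide: 1..100, default 1
    unclassified_alarm: bool = False             # assumed starting value
    unclassified_threshold: int = 20             # guide: 1..99, default 20
    security_alarm: bool = False                 # guide: unselected by default
    security_interferers: set = field(default_factory=set)  # all ignored by default


def audit(t):
    """Return findings for settings that leave interference unreported or unalarmed."""
    if not t.clean_air:
        return ["CleanAir is off: the controller does not detect spectrum interference"]
    findings = []
    if not 1 <= t.air_quality_threshold <= 100:
        findings.append("Air Quality Alarm Threshold must be 1..100")
    if not 1 <= t.unclassified_threshold <= 99:
        findings.append("Air Quality Unclassified Severity Threshold must be 1..99")
    if not t.report_interferers:
        findings.append("Report Interferers is off: no interferer is reported")
    elif not t.reported:
        findings.append("Report Interferers is on but every source is ignored")
    if not t.air_quality_alarm:
        findings.append("Air Quality Alarm is off")
    elif t.air_quality_threshold == 1:
        # The alarm fires when air quality falls below the threshold, and 1 is
        # the worst value on the guide's scale, so nothing can fall below it.
        findings.append("Air Quality Alarm Threshold 1 can never be undercut")
    if not t.security_alarm:
        findings.append("Interferers For Security Alarm is off")
    elif not t.security_interferers:
        findings.append("Security alarm is on but every interferer type is ignored")
    return findings


def alarms_raised(t, air_quality, unclassified_severity, detected):
    """Apply the guide's alarm rules to one measurement.

    air_quality: index on the 1..100 scale; detected: set of interferer labels.
    Assumption: the unclassified alarm uses the Air Quality Alarm Threshold even
    when the Air Quality Alarm check box itself is not selected.
    """
    raised = []
    if not t.clean_air:
        return raised
    below_aq = air_quality < t.air_quality_threshold
    if t.air_quality_alarm and below_aq:
        raised.append("air-quality")
    if t.unclassified_alarm and (
        unclassified_severity > t.unclassified_threshold or below_aq
    ):
        raised.append("unclassified")
    if t.security_alarm:
        hits = sorted(detected & t.security_interferers)
        if hits:
            raised.append("security:" + ",".join(hits))
    return raised


if __name__ == "__main__":
    # Constructed sample: alarms switched on but every list and threshold left at default.
    weak = CleanAirTemplate(report_interferers=True, air_quality_alarm=True,
                            security_alarm=True)
    for finding in audit(weak):
        print("FINDING:", finding)
    # Even at the worst air quality with a jammer present, nothing is raised.
    print(alarms_raised(weak, 1, 0, {"jammer"}))
```
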
Related Topics
Creating 802.11a/n RRM Templates
You can create or modify parameters such as threshold, interval, DCA, and TPC for 802.11a/n Radio Resource Management (RRM) templates.
Related Topics
Creating 802.11a/n RRM Threshold Template
You must disable the 802.11a/n network before applying the RRM threshold fields.
To add or make modifications to an 802.11a/n RRM threshold template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > dot11a-RRM > Thresholds.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 2 Coverage Hole Algorithm—Enter the values for the following parameters.
-
In the Min Failed Clients field, enter the minimum number of failed clients currently associated with the controller.
-
In the Coverage Level field, enter the target range of coverage threshold.
-
In the Data RSSI field, enter the value in the specified range. This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) for data required for the client to associate to an access point.
-
In the Voice RSSI field, enter the value in the specified range. This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) required for voice for the client to associate to an access point.
Step 3 Local Thresholds—Enter the values for the following parameters.
-
In the Max Clients field, enter the maximum number of failed clients that are currently associated with the controller.
-
In the RF Utilization field, enter the percentage of threshold for 802.11a/n.
Step 4 Threshold for Traps—Enter the values for the following parameters.
-
In the Interference Threshold Percentage field, enter the percentage of interference threshold.
-
In the Noise Threshold field, enter a noise threshold between -127 and 0 dBm. When the controller is outside of this threshold, it sends an alarm to Prime Infrastructure.
-
In the Coverage Exception Level per AP field, enter the percentage value of coverage exception level. When the coverage drops by this percentage from the configured coverage for the minimum number of clients, a coverage hole is generated.
Step 5 Click Save as New Template.
Related Topics
Creating 802.11a/n RRM Interval Template
To add or make modifications to an 802.11a/n RRM interval template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > dot11a-RRM > Intervals.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 2 In the Neighbor Packet Frequency field, enter the interval at which you want strength measurements taken for each access point. The default is 300 seconds.
Step 3 In the Channel Scan Duration field, enter the interval at which you want scanning of the channel for each access point. The default is 300 seconds.
Step 4 Click Save as New Template.
Related Topics
Creating 802.11a/n RRM Dynamic Channel Allocation Template
The RRM Dynamic Channel Assignment (DCA) page allows you to choose the DCA channels as well as the channel width for this controller.
RRM DCA supports 802.11n 40-MHz channel width in the 5-GHz band. The higher bandwidth allows radios to achieve higher instantaneous data rates.
Choosing a larger bandwidth reduces the number of non-overlapping channels, which could potentially reduce the overall network throughput for certain deployments.
To configure an 802.11a/n RRM DCA template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > dot11a-RRM > DCA.
Step 2 Hover the mouse on DCA and select Show All Templates. The 802.11a/n RRM DCA Template page appears. To modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. The last column indicates when the template was last saved.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 3 If you want to add a new template, hover the mouse on DCA and select New or click DCA. The 802.11a/n DCA template page appears.
Step 4 Dynamic Channel Assignment Algorithm—Configure the following fields:
-
From the Assignment Mode drop-down list, choose one of three modes:
– Automatic—The transmit power is periodically updated for all access points that permit this operation.
– On Demand—Transmit power is updated when you click Assign Now.
– Disabled—No dynamic transmit power assignments occur, and values are set to their global default.
-
Select the Avoid Foreign AP Interference check box to enable RRM to consider interference from foreign Cisco access points (those non-Cisco access points outside RF/mobility domain) when assigning channels. Unselect this check box to have RRM ignore this interference.
In certain circumstances with significant interference energy (dB) and load (utilization) from foreign access points, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the foreign access points. This increases capacity and reduces variability for the Cisco WLAN Solution.
-
Select the Avoid Cisco AP Load check box to enable this bandwidth-sensing field to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points. Unselect this check box to have RRM ignore this value.
In certain circumstances and with denser deployments, there might not be enough channels to properly create perfect channel reuse. In these circumstances, RRM can assign better reuse patterns to those access points that carry more traffic load.
-
Select the Avoid non 802.11 Noise check box to enable this noise-monitoring field to have access points avoid channels that have interference from non-access point sources, such as microwave ovens or Bluetooth devices. Unselect this check box to have RRM ignore this interference.
In certain circumstances with significant interference energy (dB) from non-802.11 noise sources, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources. This increases capacity and reduces variability for the Cisco WLAN Solution.
-
Select the Avoid Persistent Non-WiFi Interference check box to have access points avoid persistent interference from non-Wi-Fi sources.
-
The Signal Strength Contribution check box is always enabled (not configurable). This constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel reuse. The net effect is an increase in Cisco WLAN Solution capacity and a reduction in co-channel and adjacent channel interference.
-
Event Driven RRM—Enable or disable event-driven RRM using the following fields. Event Driven RRM is used when a CleanAir-enabled access point detects a significant level of interference.
– Select the Event Driven RRM check box to enable it.
– If Event Driven RRM is enabled, the Sensitivity Threshold field displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance.
Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.
– Select the Rogue Contribution check box to enable contribution from rogue access points.
– If Rogue Contribution is enabled, the Rogue Duty-Cycle field displays the interval at which the rogue access points are interfered. The range is from 1 to 99.
Step 5 Click Save as New Template.
Related Topics
Creating 802.11a/n RRM Transmit Power Control Template
The controller dynamically controls access point transmit power based on real-time wireless LAN conditions. Normally, power can be kept low to gain extra capacity and reduce interference. The controller attempts to balance the transmit power of the access points according to how the access points are seen by their third strongest neighbor.
The transmit power control (TPC) algorithm both increases and decreases the power of an access point in response to changes in the RF environment. In most instances, TPC seeks to lower the power of an access point to reduce interference, but in the case of a sudden change in the RF coverage—for example, if an access point fails or becomes disabled—TPC can also increase power on surrounding access points. This feature is different from Coverage Hole Detection. Coverage hole detection is primarily concerned with clients, while TPC is tasked with providing enough RF power to achieve desired coverage levels while avoiding channel interference between access points.
To configure an 802.11a/n RRM TPC template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11a or n or ac > dot11a-RRM > TPC.
Step 2 Hover the mouse on TPC and select Show All Templates. The 802.11a/n RRM TPC Template page appears. To modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. The last column indicates when the template was last saved.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 3 If you want to add a new template, hover the mouse on TPC and select New or click TPC. The 802.11a/n TPC template page appears.
Step 4 Configure the following fields:
-
Choose TPCv1 or TPCv2 radio buttons in the TPC Version field. The TPCv2 option is applicable only for those controllers running on Release 7.2.x or later.
-
From the Dynamic Assignment drop-down list, choose one of three modes:
– Automatic—The transmit power is periodically updated for all access points that permit this operation.
– On Demand—Transmit power is updated when you click Assign Now.
– Disabled—No dynamic transmit power assignments occur, and values are set to their global default.
-
In the Maximum Power Assignment field, enter the value that indicates the maximum power assigned.
– Range: -10 to 30 dB
– Default: 30 dB
-
In the Minimum Power Assignment field, enter the value that indicates the minimum power assigned.
– Range: -10 to 30 dB
– Default: 30 dB
-
Determine whether you want to select the Dynamic Tx Power Control check box.
-
In the Transmitted Power Threshold field, enter a value between -50 and -80.
Step 5 Click Save as New Template.
Related Topics
Creating 802.11b/g/n Radio Templates
You can create or modify an 802.11b/g/n radio template for a wireless controller and/or apply specific settings to controller(s).
Related Topics
Creating 802.11b/g/n Parameters Templates
You can create or modify a template for configuring 802.11b/g/n parameters (such as power and channel status, data rates, channel list, and CCX location measurement) and/or applying these settings to controller(s).
To add a new template with 802.11b/g/n parameters information for a controller, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > Parameters.
Step 2 Configure the following General parameters:
-
Select the 802.11b/g Network Status check box to enable 802.11b/g network status on controller.
-
In the Beacon Period field, enter the rate at which the SSID is broadcast by the access point (the amount of time between beacons). The valid range is from 100 to 600 milliseconds.
-
In the DTIM Period field, enter the number of beacon intervals that might elapse between transmission of beacon frames containing a traffic indicator message (TIM) element whose delivery count field is 0. This value is transmitted in the DTIM period field of beacon frames.
DTIM period is not applicable in controller Release 5.0.0.0 and later.
When client devices receive a beacon that contains a DTIM, they normally “wake up” to check for pending packets. Longer intervals between DTIMs let clients sleep longer and preserve power. Conversely, shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.
-
In the Fragmentation Threshold field, enter the value that determines the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference. The default value is 2346.
-
In the 802.11e Max Bandwidth field, enter the percentage value for 802.11e max bandwidth. The default value is 100.
-
Select the Short Preamble check box to enable short preamble.
Step 3 Configure the Data Rate parameters that are negotiated between the client and the controller. For each rate, a drop-down list selection of Mandatory, Supported and Disabled is available.
-
If the data rate is set to Mandatory, the client must support it to use the network.
-
If a data rate is set as Supported by the controller, any associated client that also supports that same rate might communicate with the access point using that rate. However, a client does not need to be able to use all the rates marked Supported (6, 9, 12, 18, 24, 36, 48, 54 Mbps) to associate.
-
Each data rate can also be set to Disabled to match Client settings.
Step 4 Configure the Noise/Interference/Rogue Monitoring Channels parameters.
-
From the Channel List drop-down list, choose between All Channels, Country Channels, or DCA Channels based on the level of monitoring you want. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation among a set of managed devices connected to the controller.
Step 5 Configure the CCX Location Measurement parameters:
-
Select the Mode check box to enable the broadcast radio measurement request. When enabled, this enhances the location accuracy of clients.
-
When the Mode check box is enabled, you can enter the time in seconds between requests in the Interval field.
Step 6 Click Save as New Template.
Related Topics
Creating 802.11b/g/n Media Parameters Controller Templates
You can create or modify a template for configuring 802.11b/g/n voice parameters such as Call Admission Control and traffic stream metrics.
To add a new template with 802.11b/g/n voice parameters information (such as Call Admission Control and traffic stream metrics) for a controller, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > Media Parameters.
Step 2 On the Voice tab, configure the following parameters:
-
Select the Admission Control (ACM) check box to enable admission control.
For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.
-
If Admission Control (ACM) is enabled, choose either load-based or static from the CAC method drop-down list.
Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.
-
In the Maximum Bandwidth Allowed field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled. For controller versions 6.0.188.0 and earlier, the valid range is 40 to 85. For controller versions 6.0.188.1 and later, the valid range is 5 to 85, and the default is 75.
-
In the Reserved Roaming Bandwidth field, specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25, and the default is 6.
-
Select the Expedited Bandwidth check box to enable expedited bandwidth as an extension of CAC for emergency calls.
You must have an expedited bandwidth IE that is CCXv5 compliant so that a TSPEC request is given higher priority.
-
Select the SIP CAC check box to enable SIP CAC. SIP CAC should be used only for phones that support status code 17 and do not support TSPEC-based admission control.
-
Choose the appropriate option from the SIP Codec drop-down list. The available options are G.711, G.729, and User Defined.
-
In the SIP Call Bandwidth field, specify the bandwidth in kilobits per second that you want to assign per SIP call on the network. This field can be configured only when the SIP Codec selected is User Defined.
-
In the SIP Sample Interval field, specify the sample interval in milliseconds that the Codec must operate in.
-
Select the Metric Collection check box to enable metric collection.
Traffic stream metrics are a series of statistics about VoIP over your wireless LAN which inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.
Step 3 On the Video tab, configure the following parameters:
-
Select the Admission Control (ACM) check box to enable admission control.
-
In the Maximum Bandwidth Allowed field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
-
In the Reserved Roaming Bandwidth field, specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled. The valid range is 0 to 25.
-
From the SIP Codec drop-down list, choose one of the following options to set the CAC method.
-
Select the SIP CAC check box to enable Static CAC support. SIP CAC will be supported only if SIP snooping is enabled.
-
Select the Unicast Video Redirect check box to redirect all non-media stream packets in the video queue to the best effort queue. If disabled, all packets with video marking are kept in the video queue.
-
Specify the physical data rate required for the client to join a media stream from the Client Minimum Phy Rate drop-down list.
-
Select the Multicast Direct Enable check box to set the Media Direct for any WLAN with Media Direct enabled on a WLAN on this radio.
-
In the Maximum Number of Streams per Radio field, specify the maximum number of streams per radio to be allowed.
-
In the Maximum Number of Streams per Client field, specify the maximum number of streams per client to be allowed.
-
Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used. If disabled and maximum video bandwidth has been used, then any new client request is rejected.
-
In the Maximum Retry Percentage field, specify the maximum retry percentage value.
Step 4 On the General tab, specify the following field:
-
In the Maximum Media Bandwidth field, specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
Step 5 Click Save as New Template.
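The Voice tab rules above depend on the controller release, so one template can be valid on some controllers and out of range on others. The following added example (not Cisco code) checks a voice template against the ranges and dependencies stated in Step 2 before it is applied; the dictionary keys, controller names and sample versions are hypothetical.

```python
SIP_CODECS = ("G.711", "G.729", "User Defined")
CAC_METHODS = ("load-based", "static")


def parse_version(text):
    """Turn '6.0.188.1' into (6, 0, 188, 1); shorter versions are zero-padded.

    Only fully numeric dotted versions are handled.
    """
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def max_bandwidth_range(controller_version):
    """Valid Maximum Bandwidth Allowed range (percent) for a controller version."""
    # Guide: 6.0.188.0 and earlier accept 40 to 85; 6.0.188.1 and later accept 5 to 85.
    if parse_version(controller_version) <= (6, 0, 188, 0):
        return (40, 85)
    return (5, 85)


def lint_voice(template, controller_version):
    """Check one Voice tab template (hypothetical dict keys) against the guide's rules."""
    problems = []
    if not template.get("acm", False):
        # Both bandwidth fields are only available when CAC is enabled.
        for key in ("max_bandwidth", "reserved_roaming_bandwidth"):
            if template.get(key) is not None:
                problems.append(f"{key} is set but is only available when CAC is enabled")
    else:
        if template.get("cac_method") not in CAC_METHODS:
            problems.append("cac_method must be load-based or static")
        low, high = max_bandwidth_range(controller_version)
        max_bw = template.get("max_bandwidth")
        if max_bw is not None and not low <= max_bw <= high:
            problems.append(
                f"max_bandwidth {max_bw} outside {low}..{high} for {controller_version}"
            )
        roam_bw = template.get("reserved_roaming_bandwidth")
        if roam_bw is not None and not 0 <= roam_bw <= 25:
            problems.append(f"reserved_roaming_bandwidth {roam_bw} outside 0..25")
    codec = template.get("sip_codec")
    if codec is not None and codec not in SIP_CODECS:
        problems.append(f"sip_codec {codec!r} is not one of {', '.join(SIP_CODECS)}")
    if template.get("sip_call_bandwidth") is not None and codec != "User Defined":
        problems.append(
            "sip_call_bandwidth can be configured only when sip_codec is User Defined"
        )
    return problems


def lint_fleet(template, controllers):
    """Return {controller name: problems} for controllers the template does not fit."""
    report = {}
    for name, version in sorted(controllers.items()):
        problems = lint_voice(template, version)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    # Constructed sample template and controller inventory.
    template = {"acm": True, "cac_method": "load-based", "max_bandwidth": 20,
                "reserved_roaming_bandwidth": 6, "sip_codec": "G.711"}
    fleet = {"wlc-a": "7.5.102.0", "wlc-b": "6.0.182.0"}
    for name, problems in lint_fleet(template, fleet).items():
        print(name, problems)
```
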
Related Topics
Creating 802.11b/g/n EDCA Parameters Controller Templates
You can create or modify a template for configuring 802.11b/g/n EDCA parameters. EDCA parameters designate pre-configured profiles at the MAC layer for voice and video.
You must shut down the radio interface before configuring EDCA Parameters.
To add a new template with 802.11b/g/n EDCA parameters information for a controller, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > EDCA Parameters.
Step 2 Choose one of the following options from the EDCA Profile drop-down list:
-
WMM—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value. Choose this option when voice or video services are not deployed on your network.
-
Spectralink Voice Priority—Enables Spectralink voice priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.
-
Voice Optimized—Enables EDCA voice-optimized profile parameters. Choose this option when voice services other than Spectralink are deployed on your network.
-
Voice & Video Optimized—Enables EDCA voice- and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network. Video services must be deployed with admission control (ACM). Video services without ACM are not supported.
Step 3 Select the Low Latency MAC check box to enable this feature. Enable low latency MAC only if all clients on the network are WMM compliant.
Step 4 Click Save as New Template.
Related Topics
Creating 802.11b/g/n Roaming Parameters Controller Templates
You can create or modify a template for configuring roaming parameters for 802.11b/g/n radios.
To add a new template with 802.11b/g/n Roaming parameters information for a controller, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > Roaming Parameters.
Step 2 Configure the following parameters:
-
From the Mode drop-down list, choose one of the configurable modes:
– Default Values—The roaming parameters are unavailable and the default values are displayed.
– Custom Values—The following roaming parameters can be edited.
-
In the Minimum RSSI field, enter a value for the minimum Received Signal Strength Indicator (RSSI) required for the client to associate to an access point.
If the client average received signal power dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.
– Range: -80 to -90 dBm
– Default: -85 dBm
-
In the Roaming Hysteresis field, enter a value to indicate how strong the signal strength of a neighboring access point must be in order for the client to roam to it. This field is intended to reduce the amount of “ping ponging” between access points if the client is physically located on or near the border between two access points.
– Range: 2 to 4 dB
– Default: 2 dB
-
In the Adaptive Scan Threshold field, enter the RSSI value, from a client associated access point, below which the client must be able to roam to a neighboring access point within the specified transition time.
This field also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.
– Range: -70 to -77 dB
– Default: -72 dB
-
In the Transition Time field, enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client associated access point is below the scan threshold.
– Range: 1 to 10 seconds
– Default: 5 seconds
The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.
Step 3 Click Save as New Template.
Related Topics
Creating 802.11b/g/n High Throughput Controller Templates
You can create or modify a template for configuring high-throughput parameters such as MCS (data rate) settings and indexes and for applying these 802.11n settings to multiple controllers.
To add a new template with High Throughput (802.11n) information for a controller, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > High Throughput(802.11n) Parameters.
Step 2 Configure the following fields:
-
Select the 802.11n Network Status check box to enable high throughput.
-
In the HT MCS (Data Rate) SS VHT MCS Index, choose which level of data rate you want supported. Modulation coding schemes (MCS) are similar to 802.11a data rates.
By default, 20 MHz and short guard interval are used.
– When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes page.
Step 3 Click Save as New Template.
Related Topics
Creating 802.11 b/g/n CleanAir Controller Templates
You can create or modify a template for configuring CleanAir parameters for the 802.11 b/g/n radio to enable or disable CleanAir, reporting and alarms for the controllers. You can also configure the type of interfering devices to include for reporting and alarms.
To add a new template with 802.11b/g/n CleanAir information for a controller, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > CleanAir Parameters.
Step 2 Configure the following fields:
-
Select the CleanAir check box to enable CleanAir functionality on the 802.11 b/g/n network, or unselect to prevent the controller from detecting spectrum interference. The default value is selected.
If CleanAir is enabled, the Reporting Configuration and Alarm Configuration group boxes appear.
-
Reporting Configuration—Use the parameters in this group box to configure the interferer devices you want to include for your reports.
– Select the Report Interferers check box to enable the CleanAir system to report and detect sources of interference, or unselect it to prevent the controller from reporting interferers.
– Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferers Selected for Reporting box and any that do not need to be detected appear in the Interferers Ignored for Reporting box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources are ignored.
– Select the Persistent Device Propagation check box to enable propagation of information about persistent devices that can be detected by CleanAir. Persistent device propagation enables designating information about interference types and propagating this information to the neighboring access points. Persistent interferers are present at a location and interfere with the WLAN operations even if they are not detectable at all times.
-
Alarm Configuration—This group box enables you to configure triggering of air quality alarms.
– Select the
Air Quality Alarm
check box to enable the triggering of air quality alarms, or unselect the box to disable this feature.
– If you selected the Air Quality Alarm check box, enter a value between 1 and 100 (inclusive) in the Air Quality Alarm Threshold text box to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered. A value of 1 represents the worst air quality, and 100 represents the best. The default value is 1.
– Select the
Air Quality Unclassified category Alarm
check box to enable the alarms to be generated for unclassified interference category. CleanAir can detect and monitor unclassified interferences. Unclassified interference are interference that are detected but do not correspond to any of the known interference types.
The Unclassified category alarm is generated when the unclassified severity goes above the configured threshold value for unclassified severity or when the air quality index goes below the configured threshold value for Air Quality Index.
– If you selected the Air Quality Unclassified category Alarm check box, enter a value between 1 and 99 (inclusive) in the Air Quality Unclassified Severity Threshold text box to specify the threshold at which you want the unclassified category alarm to be triggered. The default is 20.
– Select the
Interferers For Security
Alarm check box to trigger interferer alarms when the controller detects specified device types, or unselected it to disable this feature. The default value is unselected.
– Make sure that any sources of interference that need to trigger interferer alarms appear in the Interferers Selected for Security Alarms box and any that do not need to trigger interferer alarms appear in the Interferers Ignored for Security Alarms box. Use the
>
and
<
buttons to move interference sources between these two boxes. By default, all interferer sources for security alarms are ignored.
Step 3 Click
Save as New Template
.
Creating 802.11b/g/n RRM Templates
You can create or modify parameters such as thresholds, intervals, DCA, and TPC for 802.11b/g/n Radio Resource Management (RRM) templates.
Creating 802.11b/g/n RRM Thresholds Controller Templates
You can create or modify a template for setting various RRM thresholds such as load, interference, noise, and coverage.
To add a new template with 802.11b/g/n RRM thresholds information for a controller, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > dot11b-RRM > Thresholds.
Step 2 Configure the following Coverage Hole Algorithm parameters:
- In the Min. Failed Clients field, enter the minimum number of failed clients currently associated with the controller.
- In the Coverage Level field, enter the target range of coverage threshold (dB).
- When the Coverage Level field is adjusted, the value in the Signal Strength (dBm) field automatically reflects this change. The Signal Strength field provides information regarding what the signal strength is when adjusting the coverage level.
- In the Data RSSI field, enter the Data RSSI value (-60 to -90 dBm). This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) for data required for the client to associate to an access point.
- In the Voice RSSI field, enter the Voice RSSI value (-60 to -90 dBm). This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) required for voice for the client to associate to an access point.
Step 3 Configure the following Load Thresholds parameters:
- In the Max Clients field, enter the maximum number of clients able to be associated with the controller.
- In the RF Utilization field, enter the percentage of threshold for this radio type.
Step 4 Configure the following Threshold for Traps parameters:
- In the Interference Threshold field, enter an interference threshold between 0 and 100 percent.
- In the Noise Threshold field, enter a noise threshold between -127 and 0 dBm. When outside of this threshold, the controller sends an alarm to Prime Infrastructure.
- In the Coverage Exception Level per AP field, enter the coverage exception level percentage. When the coverage drops by this percentage from the configured coverage for the minimum number of clients, a coverage hole is generated.
Step 5 Click Save as New Template.
Creating 802.11b/g/n RRM Intervals Controller Templates
You can create or modify a template for configuring RRM intervals for 802.11b/g/n radios.
To add a new template with 802.11b/g/n RRM intervals information for a controller, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > dot11b-RRM > Intervals.
Step 2 Configure the following parameters:
- In the Neighbor Packet Frequency field, enter the interval at which you want strength measurements taken for each access point. The default is 300 seconds.
- In the Channel Scan Duration field, enter the interval at which you want coverage measurements taken for each access point. The default is 300 seconds.
Step 3 Click Save as New Template.
Creating 802.11b/g/n RRM Dynamic Channel Allocation Template
The RRM Dynamic Channel Assignment (DCA) page allows you to choose the DCA channels as well as the channel width for this controller.
RRM DCA supports 802.11n 40-MHz channel width in the 5-GHz band. The higher bandwidth allows radios to achieve higher instantaneous data rates.
Choosing a larger bandwidth reduces the non-overlapping channels, which could potentially reduce the overall network throughput for certain deployments.
To configure an 802.11b/g/n RRM DCA template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > dot11b-RRM > DCA.
Step 2 Configure the following parameters in Dynamic Channel Assignment Algorithm:
- From the Assignment Mode drop-down list, choose one of three modes:
– Automatic—The transmit power is periodically updated for all access points that permit this operation.
– On Demand—Transmit power is updated when you click Assign Now.
– Disabled—No dynamic transmit power assignments occur, and values are set to their global default.
- Select the Avoid Foreign AP Interference check box to enable this field to have RRM consider interference from foreign Cisco access points (those non-Cisco access points outside RF/mobility domain) when assigning channels. This foreign 802.11 interference. Unselect this check box to have RRM ignore this interference.
In certain circumstances with significant interference energy (dB) and load (utilization) from foreign access points, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the foreign access points. This increases capacity and reduces variability for the Cisco WLAN Solution.
- Select the Avoid Cisco AP Load check box to enable this bandwidth-sensing field to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points. Unselect this check box to have RRM ignore this value.
In certain circumstances and with denser deployments, there might not be enough channels to properly create perfect channel reuse. In these circumstances, RRM can assign better re-use patterns to those access points that carry more traffic load.
- Select the Avoid non 802.11 Noise check box to enable this noise-monitoring field to have access points avoid channels that have interference from non-access point sources, such as microwave ovens or Bluetooth devices. Unselect this check box to have RRM ignore this interference.
In certain circumstances with significant interference energy (dB) from non-802.11 noise sources, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources. This increases capacity and reduces variability for the Cisco WLAN Solution.
- Select the Avoid Persistent Non-WiFi Interference check box to enable this field to have access points avoid persistent interference from non-WiFi sources.
- The Signal Strength Contribution check box is always enabled (not configurable). constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel re-use. The net effect is an increase in Cisco WLAN Solution capacity and a reduction in co-channel and adjacent channel interference.
- Event-driven RRM—Enable or disable event-driven RRM using the following parameters. Event Driven RRM is used when a CleanAir-enabled access point detects a significant level of interference.
– Select the Event Driven RRM check box to enable it.
– If Event Driven RRM is enabled, the Sensitivity Threshold field displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance.
Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.
– Select the Rogue Contribution check box to enable contribution from rogue access points.
– If the Rogue Contribution is enabled, the Rogue Duty-Cycle field displays the interval at which the rogue access points are interfered. The range is 1 to 99.
Step 3 Click Save as New Template.
Creating 802.11b/g/n RRM Transmit Power Control Template
The controller dynamically controls access point transmit power based on real-time wireless LAN conditions. Normally, power can be kept low to gain extra capacity and reduce interference. The controller attempts to balance the transmit power of an access point according to how the access points are seen by their third strongest neighbor.
The transmit power control (TPC) algorithm both increases and decreases the power of an access point in response to changes in the RF environment. In most instances, TPC seeks to lower the power of an access point to reduce interference, but in the case of a sudden change in the RF coverage—for example, if an access point fails or becomes disabled—TPC can also increase power on surrounding access points. This feature is different from Coverage Hole Detection. Coverage hole detection is primarily concerned with clients, while TPC is tasked with providing enough RF power to achieve desired coverage levels while avoiding channel interference between access points.
To configure an 802.11b/g/n RRM TPC template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > 802.11b or g or n > dot11b-RRM > TPC.
Step 2 Configure the following parameters:
- Choose the TPCv1 or TPCv2 radio button in the TPC Version field. The TPCv2 option is applicable only for those controllers running on Release 7.2.x or later.
- From the Dynamic Assignment drop-down list, choose one of three modes:
– Automatic—The transmit power is periodically updated for all access points that permit this operation.
– On Demand—Transmit power is updated when you click Assign Now.
– Disabled—No dynamic transmit power assignments occur, and values are set to their global default.
- In the Maximum Power Assignment field, enter the value that indicates the maximum power assigned.
– Range: -10 to 30 dB
– Default: 30 dB
- In the Minimum Power Assignment field, enter the value that indicates the minimum power assigned.
– Range: -10 to 30 dB
– Default: 30 dB
- Determine whether you want to select the Dynamic Tx Power Control check box.
- In the Transmitted Power Threshold field, enter a value between -50 and -80.
Step 3 Click Save as New Template.
Creating Mesh Settings Templates
You can configure an access point to establish a connection with the controller.
To add or modify a mesh template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > Mesh > Mesh Settings.
Step 2 Hover the mouse on Mesh Settings and select Show All Templates. The Mesh Configuration Template page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the rootAP to MeshAP range, the client access on backhaul link, and security mode. The last column indicates when the template was last saved.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 3 The Root AP to Mesh AP Range field has a default value of 12,000 feet. Enter the optimum distance (in feet) that should exist between the root access point and the mesh access point. This global field applies to all access points when they join the controller and all existing access points in the network.
Step 4 When the Client Access on Backhaul Link check box is enabled, mesh access points can associate with 802.11a/n wireless clients over the 802.11a/n backhaul. This client association is in addition to the existing communication on the 802.11a/n backhaul between the root and mesh access points.
This feature applies only to access points with two radios.
Step 5 Select the Mesh DCA Channels check box to enable backhaul channel deselection on the Controller using the DCA channel list configured in the Controller. Any change to the channels in the Controller DCA list is pushed to the associated access points. This feature applies only to the 1524SB mesh access points.
Step 6 Select the Background Scanning check box to enable Cisco Aironet 1510 Access Points to actively and continuously monitor neighboring channels for more optimal paths and parents.
Step 7 Enabling the Global Public Safety check box indicates that 4.9 GHz can be used on the backhaul link by selecting a channel on the 802.11a backhaul radio. The 4.9-GHz band is considered a public safety band and is limited to some service providers. This setting applies at the controller level.
Step 8 From the Security Mode drop-down list, choose EAP (Extensible Authentication Protocol) or PSK (Pre-Shared Key).
Step 9 Click Save as New Template.
Creating Management Templates
You can create or modify the templates for the following management parameters of the controllers.
- Trap Receivers
- Trap Control
- Telnet and SSH
- Multiple Syslog servers
- Local Management Users
- Authentication Priority
Creating Trap Receiver Templates
If you have monitoring devices on your network that receive SNMP traps, you might want to add a trap receiver template.
To add or modify a trap receiver template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > Management > Trap Receiver.
Step 2 Hover the mouse on Trap Receiver and select Show All Templates. The Management > Trap Receiver page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the IP address and admin status. The last column indicates when the template was last saved.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
The Trap Receiver Template name should not contain any space.
Step 3 Enter the IP address of the server in the IP Address text box.
Step 4 Select the Admin Status check box to enable the administrator status if you want SNMP traps to be sent to the receiver.
Step 5 Click Save as New Template.
Creating Trap Control Templates
To add or modify a trap control template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > Management > Trap Control.
Step 2 Hover the mouse on Trap Control and select Show All Templates. The Management > Trap Control page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the link port up or down and rogue AP. The last column indicates when the template was last saved.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 3 If you want to add a new template, hover the mouse on Trap Control and select New or click Trap Control. The Trap Control template page appears.
Step 4 Select the appropriate check box to enable any of the following Miscellaneous Traps:
- SNMP Authentication—The SNMPv2 entity has received a protocol message that is not properly authenticated. When a user who is configured in SNMP V3 mode tries to access the controller with an incorrect password, the authentication fails and a failure message is displayed. However, no trap logs are generated for the authentication failure.
- Link (Port) Up/Down—The link changes state to up or down.
- Multiple Users—Two users log in with the same login ID.
- Spanning Tree—Spanning Tree traps. See the STP specification for descriptions of individual parameters.
- Rogue AP—Whenever a rogue access point is detected or when a rogue access point was detected earlier and no longer exists, this trap is sent with its MAC address.
- Controller Config Save as New Template—Notification sent when the configuration is modified.
- RFID Limit Reached Threshold—The maximum permissible value for RFID limit.
Step 5 Select the appropriate check box to enable any of the following Client-related Traps:
- 802.11 Association—A trap is sent when a client is associated to a WLAN. This trap does not guarantee that the client is authenticated.
- 802.11 Disassociation—The disassociate notification is sent when the client sends a disassociation frame.
- 802.11 Deauthentication—The deauthenticate notification is sent when the client sends a deauthentication frame.
- 802.11 Failed Authentication—The authenticate failure notification is sent when the client sends an authentication frame with a status code other than successful.
- 802.11 Failed Association—The associate failure notification is sent when the client sends an association frame with a status code other than successful.
- Excluded—The associate failure notification is sent when a client is excluded.
- 802.11 Authenticated—The authenticate notification is sent when the client sends an authentication frame with a status code 'successful'.
- MaxClients Limit Reached Threshold—The maximum permissible number of clients allowed.
Step 6 Select the appropriate check box to enable any of the following Cisco AP Traps:
- AP Register—Notification sent when an access point associates or disassociates with the controller.
- AP Interface Up/Down—Notification sent when access point interface (802.11a/n or 802.11b/g/n) status goes up or down.
Step 7 Select the appropriate check box to enable any of the following Auto RF Profile Traps:
- Load Profile—Notification sent when Load Profile state changes between PASS and FAIL.
- Noise Profile—Notification sent when Noise Profile state changes between PASS and FAIL.
- Interference Profile—Notification sent when Interference Profile state changes between PASS and FAIL.
- Coverage Profile—Notification sent when Coverage Profile state changes between PASS and FAIL.
Step 8 Select the appropriate check box to enable any of the following Auto RF Update Traps:
- Channel Update—Notification sent when the dynamic channel algorithm of an access point is updated.
- Tx Power Update—Notification sent when the dynamic transmit power algorithm of an access point is updated.
Step 9 Select the appropriate check box to enable any of the following AAA Traps:
- User Auth Failure—This trap is to inform you that a client RADIUS authentication failure has occurred.
- RADIUS Server No Response—This trap is to indicate that no RADIUS server(s) are responding to authentication requests sent by the RADIUS client.
Step 10 Select the appropriate check box to enable the following 802.11 Security Traps:
- WEP Decrypt Error—Notification sent when the controller detects a WEP decrypting error.
- Signature Attack—Notification sent when a signature attack is detected in the wireless controller that uses RADIUS Authentication.
Step 11 Click Save as New Template.
Creating Telnet SSH Templates
To add or modify a Telnet SSH configuration template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > Management > Telnet SSH.
Step 2 Hover the mouse on Telnet SSH and select Show All Templates. The Management > Telnet SSH page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the session timeout, maximum sessions, and whether Telnet or SSH sessions are allowed. The last column indicates when the template was last saved.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 3 If you want to add a new template, hover the mouse on Telnet SSH and select New or click Telnet SSH. The Telnet SSH template page appears.
Step 4 In the Session Timeout field, enter the number of minutes a Telnet session is allowed to remain inactive before being logged off. A zero means there is no timeout. The valid range is 0 to 160, and the default is 5.
Step 5 In the Maximum Sessions field, enter the number of simultaneous Telnet sessions allowed. The valid range is 0 to 5, and the default is 5. New Telnet sessions can be allowed or disallowed on the DS (network) port. New Telnet sessions are always allowed on the service port.
Step 6 Use the Allow New Telnet Session drop-down list to determine if you want new Telnet sessions allowed on the DS port. New Telnet sessions can be allowed or disallowed on the DS (network) port. New Telnet sessions are always allowed on the service port. The default is no.
Step 7 Use the Allow New SSH Session drop-down list to determine if you want Secure Shell Telnet sessions allowed. The default is yes.
Step 8 Click Save as New Template.
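The following added example (not part of the Prime Infrastructure documentation or product code) checks the values intended for a Telnet SSH template against the ranges and defaults given in Steps 4 through 7 and flags settings that weaken management access. The dictionary key names are assumptions made for this example and are not a Prime Infrastructure format.

```python
import re

# Documented defaults (Steps 4-7). Key names are hypothetical, chosen for this example.
DEFAULTS = {
    "session_timeout": 5,      # minutes of inactivity; 0 means no timeout
    "max_sessions": 5,         # simultaneous sessions
    "allow_new_telnet": "no",  # applies to the DS (network) port
    "allow_new_ssh": "yes",
}
# Documented valid ranges (inclusive).
RANGES = {"session_timeout": (0, 160), "max_sessions": (0, 5)}


def _parse_int(value):
    """Return value as an int, or None if it is not a whole number."""
    if isinstance(value, bool):          # bool is an int subclass; reject it
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str) and re.fullmatch(r"-?[0-9]+", value.strip()):
        return int(value.strip())
    return None


def _parse_yes_no(value):
    """Return True for yes, False for no, None for anything else."""
    if isinstance(value, str) and value.strip().lower() in ("yes", "no"):
        return value.strip().lower() == "yes"
    return None


def audit_telnet_ssh(template):
    """Return a list of (severity, field, message) findings for one template."""
    findings = []
    # A misspelled key would silently fall back to the default, so report it.
    for field in sorted(set(template) - set(DEFAULTS)):
        findings.append(("error", field, "unknown field (possible typo)"))

    merged = {**DEFAULTS, **template}
    numbers, choices = {}, {}
    for field, (low, high) in RANGES.items():
        number = _parse_int(merged[field])
        if number is None or not low <= number <= high:
            findings.append(("error", field,
                             f"{merged[field]!r} is not in the valid range {low} to {high}"))
        else:
            numbers[field] = number
    for field in ("allow_new_telnet", "allow_new_ssh"):
        choice = _parse_yes_no(merged[field])
        if choice is None:
            findings.append(("error", field, f"{merged[field]!r} is not yes or no"))
        else:
            choices[field] = choice

    # Values that are valid but weaken management access.
    if numbers.get("session_timeout") == 0:
        findings.append(("warning", "session_timeout",
                         "0 disables the timeout; inactive sessions are never logged off"))
    if choices.get("allow_new_telnet"):
        findings.append(("warning", "allow_new_telnet",
                         "Telnet is unencrypted; logins on the DS port cross the network in cleartext"))
    if choices.get("allow_new_ssh") is False:
        findings.append(("warning", "allow_new_ssh",
                         "SSH is off; the remaining remote CLI path is Telnet, always allowed on the service port"))
    return findings


# Constructed sample template (not exported from any real system).
SAMPLE = {"session_timeout": 0, "max_sessions": "9", "allow_new_telnet": "yes"}

if __name__ == "__main__":
    for severity, field, message in audit_telnet_ssh(SAMPLE):
        print(f"{severity:8} {field:18} {message}")
```

An empty dictionary audits the documented defaults and returns no findings.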
Creating Multiple Syslog Templates
You can enter up to three syslog server templates. To add or modify a multiple syslog configuration template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > Management > Multiple Syslog.
Step 2 Hover the mouse on Multiple Syslog and select Show All Templates. The Management > Multiple Syslog page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the syslog server address. The last column indicates when the template was last saved.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 3 If you want to add a new template, hover the mouse on Multiple Syslog and select New or click Multiple Syslog. The Multiple Syslog template page appears.
Step 4 In the Syslog Server IP Address field, enter the appropriate syslog server IP address.
Step 5 Click Save as New Template.
Creating Local Management User Templates
To add or modify a local management user template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > Management > Local Management Users.
Step 2 Hover the mouse on Local Management Users and select Show All Templates. The Management > Local Management Users page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the username and access level. The last column indicates when the template was last saved.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 3 If you want to add a new template, hover the mouse on Local Management Users and select New or click Local Management Users. The Local Management Users template page appears.
Step 4 In the User Name text box, enter the template username.
Step 5 In the Password text box, enter a password for this local management user template.
Step 6 In the Confirm Password text box, reenter the password.
Step 7 From the Access Level drop-down list, choose either Read Only or Read Write.
Step 8 Select the Update Telnet Credentials check box to update the user credentials in Prime Infrastructure for Telnet/SSH access.
If the template is applied successfully and the Update Telnet Credentials option is enabled, the applied management user credentials are used in Prime Infrastructure for Telnet/SSH credentials to that applied controller.
Step 9 Click Save as New Template.
Creating User Authentication Priority Templates
Management user authentication priority templates control the order in which authentication servers are used to authenticate the management users of a controller.
To add a user authentication priority template or make modifications to an existing template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > Management > Authentication Priority.
Step 2 Hover the mouse on Authentication Priority and select Show All Templates. The Management > Authentication Priority page appears, and to modify an existing template, click the template name. The number of controllers and virtual domains that the template is applied to automatically populates. This initial page also displays the authentication priority list. The last column indicates when the template was last saved.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 3 If you want to add a new template, hover the mouse on Authentication Priority and select New or click Authentication Priority. The Local Management Users template page appears.
Step 4 Select either the First or Second radio button to prioritize the authentication of the local server.
Step 5 Select either the RADIUS or TACACS+ radio button to specify which server to try if local authentication fails.
Step 6 Click Save as New Template.
Creating CLI Templates
You can create templates containing a set of CLI commands and apply them to one or more controllers from Prime Infrastructure. These templates are meant for provisioning features in multiple controllers for which there is no SNMP support or custom Prime Infrastructure user interface. The template contents are simply a command array of strings. There is no support for substitution variables, conditionals, and the like.
The CLI sessions to the device are established based on user preferences. The default protocol is SSH.
To add or modify a CLI template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > CLI > General -CLI.
Step 2 Hover the mouse on General -CLI and select Show All Templates. The General-CLI page appears, and to modify an existing template, click the template name. The number of controllers that the template is applied to automatically populates.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 3 If you want to add a new template, hover the mouse on General -CLI and select New or click General -CLI. The Command-Line Interface General template page appears.
Step 4 In the Commands box, enter the series of CLI commands.
Step 5 Select the Refresh Config after Apply check box to perform a refresh config on the controller after the CLI template is applied successfully.
Step 6 Select the Save as New Template Config to Flash after apply check box to save the config to flash after the CLI template is applied successfully.
Step 7 When the Save as New Template Config to Flash after apply check box is enabled, the Reboot Controller after apply check box can be selected to perform a reboot on the controller after the CLI template is applied successfully.
Step 8 Select the Ignore errors on Apply Template to Controllers check box to ignore the errors when the template is applied to the controllers.
Step 9 Click Save as New Template.
When the template is applied to the selected controllers, a status screen appears. If an error occurred while you applied the template, an error message is displayed. You can click the icon in the Session Output column to get the entire session output.
If the Controller Telnet credentials check fails or the Controller CLI template fails with invalid username and password even though the correct username and password are configured on the controller, check whether the controller has exceeded the number of CLI connections it can accept. If the connections have exceeded the maximum limit, then either increase the maximum allowed CLI sessions or terminate any pre-existing CLI sessions on the controller, and then retry the operation.
Creating Location Configuration Templates
To add or modify a location setting template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > Location >
Location Configuration.
Step 2 Hover the mouse on
Location Configuration
and select Show All Templates. The
Location Configuration
appears, and to modify an existing template, click the template name. The number of controllers that the template is applied to automatically populates.
The Applied to Controllers number is a link. Clicking the number opens an Applied to Controllers page, which displays the controller name and IP address to which that template is applied, as well as the time it was applied and its status. The Applied to Virtual Domains number is also a link. Clicking this link opens an Applied to Virtual Domains page that shows all partition names.
Step 3 If you want to add a new template, hover the mouse on Location Configuration and select New or click Location Configuration. The General tab of the Location Configuration template page appears.
Step 4 Select the RFID Tag Data Collection check box to enable tag collection. Before the mobility services engine can collect asset tag data from controllers, you must enable the detection of active RFID tags using the CLI command config rfid status enable on the controllers.
Step 5 Configure the following Location Path Loss Configuration parameters:
- Select the Calibrating Client check box to enable calibration for the client. Controllers send regular S36 or S60 requests (depending on the client capability) by way of the access point to calibrating clients. Packets are transmitted on all channels. All access points irrespective of channel (and without a channel change) gather RSSI data from the client at each location. These additional transmissions and channel changes might degrade contemporaneous voice or video traffic.
- Select the Normal Client check box to have a non-calibrating client. No S36 requests are transmitted to the client.
Note S36 and S60 are client drivers compatible with specific Cisco-compatible Extensions. S36 is compatible with CCXv2 or later. S60 is compatible with CCXv4 or later. For details, see the following URL:
http://www.cisco.com/en/US/products/ps9806/products_qanda_item09186a0080af9513.shtml
Step 6 Measurement Notification Interval— In the Tags, Clients and Rogue APs/Clients field, specify how many seconds should elapse before notification of the found element (tags, clients, and rogue APs/clients).
Step 7 Configure the following RSSI Expiry Timeout parameters:
- In the For Clients field, enter the number of seconds after which RSSI measurements for clients should be discarded.
- In the For Calibrating Clients field, enter the number of seconds after which RSSI measurements for calibrating clients should be discarded.
- In the For Tags field, enter the number of seconds after which RSSI measurements for tags should be discarded.
- In the For Rogue APs field, enter the number of seconds after which RSSI measurements for rogue access points should be discarded.
Step 8 Click the Advanced tab.
Step 9 In the RFID Tag Data Timeout field, enter a value in seconds to set the RFID tag data timeout setting.
Step 10 Location Path Loss Configuration—Select the Calibrating Client Multiband check box to send S36 and S60 packets (where applicable) on all channels. Calibrating clients must be enabled in the General group box.
Step 11 Configure the Hyperlocation Config parameters:
- Select the Hyperlocation check box to enable all the APs associated to that controller that have the Hyperlocation module.
- Adjust the value in the Packet Detection RSSI Minimum field to filter out weak RSSI readings from location calculation.
- In the Scan Count Threshold for Idle Client Detection field, enter the maximum permissible count of the idle clients detected while scanning.
- In the NTP Server IP Address field, enter the valid NTP server IP address. This IP address is used by all APs for time synchronization.
Step 12 Click Save as New Template.
Creating LyncSDN Templates
LyncSDN configuration is not supported on Cisco 2500 Series and Virtual Controllers.
You can create these LyncSDN templates:
- LyncSDN Global Config feature templates
- LyncSDN Policy feature templates
- LyncSDN Profile feature templates
Creating LyncSDN Global Configuration Template
To create parameters to apply to devices using the LyncSDN Global Config feature, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > LyncSDN > LyncSDN Global Config.
Step 2 In the Template Basic area, enter a name, description, and tag for your template in the appropriate text boxes.
Step 3 In the Validation Criteria area, choose a Device Type from the drop-down list and enter the OS Version.
Step 4 In the Template Detail area, configure the following information:
- Select the LyncServer check box to enable or disable the Lync application on PI.
- Enter the port number.
You can configure support for HTTP/HTTPS communication on PI for the Lync server. PI supports only HTTP. For HTTPS, you need to provide a certificate and have it approved at the Lync server, which takes effect once the Lync service is ready from Prime Infrastructure.
Step 5 When you are finished, click Save as Template.
Creating LyncSDN Policy Template
To create parameters to apply to devices using the LyncSDN Policy feature, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > LyncSDN > LyncSDN Policy.
Step 2 In the Template Basic area, enter a name, description, and tag for your template in the appropriate text boxes.
Step 3 In the Validation Criteria area, choose a Device Type from the drop-down list and enter the OS Version.
Step 4 In the Template Detail area, configure the following information:
- Choose the policy of audio Lync call on WLAN from the Audio drop-down list. The possible policy types are Silver, Gold, Platinum, or Bronze.
- Choose the policy of video Lync call on WLAN from the Video drop-down list. The possible policy types are Silver, Gold, Platinum, or Bronze.
- Choose the policy of desktop-share Lync call on WLAN from the Application-Sharing drop-down list. The possible policy types are Silver, Gold, Platinum, or Bronze.
- Choose the policy of file transfer Lync call on WLAN from the File-Transfer drop-down list. The possible policy types are Silver, Gold, Platinum, or Bronze.
Step 5 When you are finished, click Save as Template.
Creating LyncSDN Profile Template
To create parameters to apply to devices using the LyncSDN Profile feature, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > LyncSDN > LyncSDN Policy.
Step 2 In the Template Basic area, enter a name, description, and tag for your template in the appropriate text boxes.
Step 3 In the Validation Criteria area, choose a Device Type from the drop-down list and enter the OS Version.
Step 4 In the Template Detail area, click the Wlan Profile check box and select a policy from the LyncSDN Policy drop-down list.
Step 5 When you are finished, click Save as Template.
Creating IPv6 Templates
You can create or modify IPv6 templates with parameters such as Neighbor Binding Timers and Router Advertisements (RA).
Creating Neighbor Binding Timers Templates
You can create or modify a template for configuring IPv6 Router Neighbor Binding Timers such as Down Lifetime, Reachable Lifetime, State Lifetime, and corresponding intervals.
To create a Neighbor Binding Timers template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > IPv6 > Neighbor Binding Timers.
Step 2 Specify the value in the Down Lifetime Interval text box, which indicates the maximum time, in seconds, an entry learned from a down interface is kept in the binding table before the entry is deleted or proof is received that the entry is reachable. The range is 0 to 86,400 seconds, and the default value is 0.
Step 3 Specify the value in the Reachable Lifetime Interval text box, which indicates the maximum time, in seconds, an entry is considered reachable without getting a proof of reachability (direct reachability through tracking, or indirect reachability through Neighbor Discovery protocol [NDP] inspection). After that, the entry is moved to stale. The range is 0 to 86,400 seconds, and the default value is 0.
Step 4 Specify the value in the Stale Lifetime Interval text box, which indicates the maximum time, in seconds, a stale entry is kept in the binding table before the entry is deleted or proof is received that the entry is reachable. The range is 0 to 86,400 seconds, and the default value is 0.
Step 5 Click Save as New Template.
Creating RA Throttle Policy Templates
The RA Throttle Policy allows you to limit the amount of multicast Router Advertisements (RA) circulating on the wireless network. You can create or modify a template for configuring IPv6 Router Advertisement parameters such as RA Throttle Policy, Throttle Period, and other options.
To create an RA Throttle Policy template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > IPv6 > RA Throttle Policy.
Step 2 If you want to add a new template, hover the mouse on RA Throttle Policy and select New or click RA Throttle Policy. To modify an existing template, click the template name. The IPv6 > RA Throttle Policy page appears.
Step 3 If you want to enable the RA Throttle Policy, select the Enable check box and configure the following parameters:
- In the Throttle Period field, enter the duration of the throttle period in seconds. The range is 10 to 86,400 seconds.
- In the Max Through field, enter the number of RA that pass through over a period in seconds. If the No Limit check-box is not enabled, the maximum pass-through number can be specified.
- From the Interval Option drop-down list, choose an option (Ignore, Passthrough, Throttle) that indicates the behavior in case of RA with an interval option.
- Specify the value in the Allow At-least field that indicates the minimum number of RA not throttled per router.
- Specify the value in the Allow At-most field that indicates the maximum number of RA not throttled per router. If the No Limit check-box is not enabled, the maximum number of RA not throttled per router can be specified.
Step 4 Click Save as New Template.
Creating RA Guard Templates
RA Guard is a Unified Wireless solution used to drop RA from wireless clients. It is configured globally, and by default it is enabled. You can create or modify a template for configuring IPv6 Router Advertisement parameters.
To create an RA Guard template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > IPv6 > RA Guard.
Step 2 If you want to add a new template, hover the mouse on RA Guard and select New or click RA Guard. To modify an existing template, click the template name. The RA Guard template page appears.
Step 3 If you want to enable the RA Guard on AP, select the Enable check box.
Step 4 Click Save as New Template.
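The decision RA Guard makes, shown as an added Python sketch (not Cisco's implementation and not code from this guide): recognise an ICMPv6 Router Advertisement (message type 134) in a frame, including one that sits behind IPv6 extension headers, and drop it only when it arrives from a wireless client. The function names, the frame builder, and the sample addresses are constructed for illustration.

```python
import struct

ETH_IPV6, ETH_VLAN = 0x86DD, 0x8100
NH_ICMPV6, NH_FRAGMENT = 58, 44
EXT_HEADERS = {0, 43, 60}      # hop-by-hop, routing, destination options
ICMPV6_RA = 134                # Router Advertisement message type


def is_router_advertisement(frame: bytes) -> bool:
    """True if the Ethernet frame carries an ICMPv6 Router Advertisement."""
    if len(frame) < 14:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETH_VLAN:                      # skip one 802.1Q tag
        if len(frame) < 18:
            return False
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETH_IPV6 or len(frame) < offset + 40:
        return False
    next_header = frame[offset + 6]
    offset += 40
    # Walk extension headers so an RA placed behind them is still recognised.
    while next_header in EXT_HEADERS or next_header == NH_FRAGMENT:
        if len(frame) < offset + 8:
            return False
        if next_header == NH_FRAGMENT:
            frag_offset = struct.unpack("!H", frame[offset + 2:offset + 4])[0] >> 3
            if frag_offset:                        # later fragment: no ICMPv6 header here
                return False
            length = 8
        else:
            length = (frame[offset + 1] + 1) * 8
        next_header = frame[offset]
        offset += length
    return next_header == NH_ICMPV6 and len(frame) > offset and frame[offset] == ICMPV6_RA


def ra_guard_verdict(frame: bytes, from_wireless_client: bool, enabled: bool = True) -> str:
    """Return 'drop' for an RA sourced by a wireless client, otherwise 'forward'."""
    if enabled and from_wireless_client and is_router_advertisement(frame):
        return "drop"
    return "forward"


def build_frame(icmp_type: int, hop_by_hop: bool = False) -> bytes:
    """Constructed sample frame (checksum left at zero; addresses are examples)."""
    eth = bytes.fromhex("333300000001") + bytes.fromhex("021122334455") + struct.pack("!H", ETH_IPV6)
    payload = bytes([icmp_type, 0, 0, 0]) + b"\x00" * 12
    first_header = NH_ICMPV6
    if hop_by_hop:                                 # 8-byte hop-by-hop header holding one PadN option
        payload = bytes([NH_ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + payload
        first_header = 0
    src = bytes.fromhex("fe80" + "00" * 13 + "01")  # fe80::1
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")  # ff02::1 (all nodes)
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), first_header, 255) + src + dst
    return eth + ipv6 + payload


if __name__ == "__main__":
    for label, frame, wireless in [
        ("RA from wireless client", build_frame(134), True),
        ("RA behind hop-by-hop header", build_frame(134, hop_by_hop=True), True),
        ("Neighbor Solicitation from client", build_frame(135), True),
        ("RA from wired router", build_frame(134), False),
    ]:
        print(f"{label}: {ra_guard_verdict(frame, wireless)}")
```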
Creating Proxy Mobile IPv6 Templates
Proxy Mobile IPv6 is a network-based mobility management protocol that supports a mobile node by acting as the proxy for the mobile node in any IP mobility-related signaling. The mobility entities in the network track the movements of the mobile node and initiate the mobility signaling and set up the required routing state.
The main functional entities are the Local Mobility Anchor (LMA) and Mobile Access Gateway (MAG). The LMA maintains the reachability state of the mobile node and is the topological anchor point for the IP address of the mobile node. The MAG performs the mobility management on behalf of a mobile node. The MAG resides on the access link where the mobile node is anchored. The controller implements the MAG functionality.
Creating PMIP Global Configurations
Step 1 Choose Configuration > Features & Technologies > Controller > PMIP > Global Config.
Step 2 If you want to add a new template, hover the mouse on Global Config and select New or click Global Config. To modify an existing template, click the template name.
Step 3 Enter a template name in the text box.
Step 4 Configure the following fields:
- In the Domain Name text box, enter the domain name.
- In the Maximum Bindings Allowed field, enter the maximum number of binding updates that the controller can send to the MAG. The valid range is between 0 and 7000.
- In the Binding Lifetime field, enter the value of the lifetime of the binding entries in the controller. The valid range is between 10 and 65535 seconds. The default value is 65535. The binding lifetime should be a multiple of 4 seconds.
- In the Binding Refresh Time field, enter the refresh time of the binding entries in the controller. The valid range is between 4 and 65535 seconds. The default value is 300 seconds. The binding refresh time should be a multiple of 4 seconds.
- In the Binding Initial Retry Timeout field, specify the initial timeout between the proxy binding updates (PBUs) when the controller does not receive the proxy binding acknowledgments (PBAs). The valid range is between 100 and 65535 seconds. The default value is 1000 seconds.
- In the Binding Maximum Retry Timeout field, enter the maximum timeout between the proxy binding updates (PBUs) when the controller does not receive the proxy binding acknowledgments (PBAs). The valid range is between 100 and 65535 seconds. The default value is 32000 seconds.
- In the Replay Protection Timestamp field, specify the maximum amount of time difference between the timestamp in the received proxy binding acknowledgment and the current time of the day. The valid range is between 1 and 255 milliseconds. The default value is 7 milliseconds.
- In the Minimum BRI Retransmit Timeout field, specify the minimum amount of time that the controller waits before retransmitting the BRI message. The valid range is between 500 and 65535 seconds.
- In the Maximum BRI Retransmit Timeout field, specify the maximum amount of time that the controller waits before retransmitting the Binding Revocation Indication (BRI) message. The valid range is between 500 and 65535 seconds. The default value is 2000 seconds.
- In the BRI Retries field, specify the number of BRI retries.
- In the MAG APN text box, specify the name of the Access Point Node of MAG.
Step 5 Click Save as New Template.
Creating LMA Configurations
Step 1 Choose Configuration > Features & Technologies > Controller > PMIP > LMA Config.
Step 2 If you want to add a new template, hover the mouse on LMA Config and select New or click LMA Config. To modify an existing template, click the template name.
Step 3 Configure the following fields:
- In the LMA Name text box, enter the name of the LMA connected to the controller.
- In the LMA IP Address, enter the IP address of the LMA connected to the controller.
Step 4 Click Save as New Template.
Creating PMIP Profile
Step 1 Choose Configuration > Features & Technologies > Controller > PMIP > PMIP Profile.
Step 2 If you want to add a new template, hover the mouse on PMIP Profile and select New or click PMIP Profile. To modify an existing template, click the template name.
Step 3 In the PMIP Profile text box, enter the profile name.
Step 4 Click Add and then configure the following fields:
- In the Network Access Identifier text box, enter the name of the Network Access Identifier (NAI) associated with the profile.
- In the LMA field, enter the name of the LMA to which the profile is associated.
- In the Access Point Node text box, enter the name of the access point node connected to the controller.
Step 5 Click Save as New Template.
Creating mDNS Templates
Multicast DNS (mDNS) service discovery provides a way to announce and discover services on the local network. mDNS performs DNS queries over IP multicast. mDNS supports zero configuration IP networking.
The following are the guidelines and limitations for mDNS templates:
- You cannot delete an mDNS service when it is mapped to one or more profiles.
- The length of the profile name and the services name can be a maximum of 31 characters.
- The length of the service string can be a maximum of 255 characters.
- You cannot delete the default profile (default-mdns-profile).
- You cannot delete profiles when they are mapped to interfaces, interface-groups, or WLANs.
- You cannot remove mDNS services from a profile when they are mapped to interfaces, interface-groups, or WLANs. You can add new services.
- Whenever you create and apply any mDNS template, it overwrites the existing configuration on the controller.
- You cannot enable mDNS snooping for WLAN when FlexConnect local switching is ON.
- You cannot attach mDNS profiles to interfaces when “AP Management” is enabled.
You can create an mDNS template so that the controller can learn about the mDNS services and advertise these services to all clients.
There are two tabs—Services and Profiles.
- Services Tab—This tab enables you to configure the global mDNS parameters and update the Master Services database.
- Profiles Tab—This tab enables you to view the mDNS profiles configured on the controller and create new mDNS profiles. After creating a new profile, you must map the profile to an interface group, an interface, or a WLAN. Clients receive service advertisements only for the services associated with the profile. The controller gives the highest priority to the profiles associated to interface groups, followed by the interface profiles, and then the WLAN profiles. Each client is mapped to a profile based on the order of priority. By default, the controller has an mDNS profile, default-mdns-profile. You cannot delete this default profile.
Step 1 Choose Configuration > Features & Technologies > Controller > mDNS > mDNS.
Step 2 If you want to add a new template, hover the mouse on mDNS and select New or click mDNS. To modify an existing template, click the template name.
Step 3 On the Services tab, configure the following parameters:
- Select the mDNS Global Snooping check box to enable snooping of mDNS packets. The controller does not support IPv6 mDNS packets even when you enable mDNS snooping.
- In the Query Interval(10-120) field, specify the mDNS query interval in minutes. This interval is used by WLC to send periodic mDNS query messages to services which do not send service advertisements automatically after they are started. The default value is 15 minutes.
- Master Services—Click Add Row and then configure the following fields. To add a new service, enter or choose the service name, enter the service string, and then choose the service status.
– From the Master Service Name drop-down list, choose the supported services that can be queried. The following services are available:
  – AirTunes
  – AirPrint
  – AppleTV
  – HP Photosmart Printer1
  – HP Photosmart Printer2
  – Apple File Sharing Protocol (AFP)
  – Scanner
  – Printer
  – FTP
  – iTunes Music Sharing
  – iTunes Home Sharing
  – iTunes Wireless Device Syncing
  – Apple Remote Desktop
  – Apple CD/DVD Sharing
  – Time Capsule Backup
- In the Service String text box, specify the unique string associated to an mDNS service. For example, _airplay._tcp.local. is the service string associated to AppleTV.
- From the Query Status drop-down list, choose Enabled or Disabled to specify an mDNS query for a service. Periodic mDNS query messages are sent by WLC at the configured Query Interval only for services whose query status is enabled; services whose query status is disabled (for example, AppleTV) should advertise themselves automatically.
Step 4 On the Profiles tab, configure the following parameters:
- Profiles—Click Add Profile and then configure the following fields:
– In the Profile Name text box, enter the name of the mDNS profile. You can create a maximum of 16 profiles.
– Select the services (using the check boxes) that you want to map to the mDNS profile.
– Click OK.
Step 5 Click Save as New Template.
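Because applying an mDNS template overwrites the controller's existing configuration, it helps to check a planned template offline first. The following Python sketch is an added example, not part of Prime Infrastructure: it enforces the length and count limits listed above and resolves which profile, and therefore which service strings, a client ends up with under the interface group > interface > WLAN priority. All profile, interface, and WLAN names are constructed, and every service string except the AppleTV one quoted above is a sample value.

```python
MAX_NAME_LEN = 31             # profile and service names
MAX_SERVICE_STRING_LEN = 255
MAX_PROFILES = 16
PRIORITY = ("interface_group", "interface", "wlan")   # highest priority first


def validate_template(services, profiles):
    """services: {service name: service string}; profiles: {profile name: [service names]}.
    Returns a list of problems; an empty list means the documented limits are met."""
    errors = []
    for name, string in services.items():
        if len(name) > MAX_NAME_LEN:
            errors.append(f"service name longer than {MAX_NAME_LEN}: {name}")
        if len(string) > MAX_SERVICE_STRING_LEN:
            errors.append(f"service string longer than {MAX_SERVICE_STRING_LEN}: {name}")
    if len(profiles) > MAX_PROFILES:
        errors.append(f"more than {MAX_PROFILES} profiles")
    for profile, members in profiles.items():
        if len(profile) > MAX_NAME_LEN:
            errors.append(f"profile name longer than {MAX_NAME_LEN}: {profile}")
        for member in members:
            if member not in services:
                errors.append(f"profile {profile} maps unknown service {member}")
    return errors


def effective_profile(client, attachments):
    """client: {'interface_group': ..., 'interface': ..., 'wlan': ...} (keys optional).
    attachments: {(kind, name): profile name}. Returns the winning profile or None."""
    for kind in PRIORITY:
        name = client.get(kind)
        if name and (kind, name) in attachments:
            return attachments[(kind, name)]
    return None


def advertised_services(client, attachments, profiles, services):
    """Service strings the client receives advertisements for."""
    profile = effective_profile(client, attachments)
    if profile is None:
        return []
    return sorted(services[name] for name in profiles[profile])


# Constructed sample template.
SERVICES = {
    "AppleTV": "_airplay._tcp.local.",
    "Printer": "_printer._tcp.local.",   # sample value
    "FTP": "_ftp._tcp.local.",           # sample value
}
PROFILES = {"staff-mdns": ["AppleTV", "Printer"], "guest-mdns": ["Printer"]}
ATTACHMENTS = {
    ("interface", "staff-vlan"): "staff-mdns",
    ("wlan", "corp"): "guest-mdns",
}

if __name__ == "__main__":
    print(validate_template(SERVICES, PROFILES))
    client = {"interface": "staff-vlan", "wlan": "corp"}
    print(effective_profile(client, ATTACHMENTS),
          advertised_services(client, ATTACHMENTS, PROFILES, SERVICES))
```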
Creating AVC Profiles Templates
Application Visibility and Control (AVC) uses the Network Based Application Recognition (NBAR) deep packet inspection technology to classify applications based on the protocol they use. Using AVC, the controller can detect more than 1400 Layer 4 to Layer 7 protocols. AVC enables you to perform real-time analysis and create policies to reduce network congestion, costly network link usage, and infrastructure upgrades.
AVC is supported only on the following controllers:
- Cisco 2500 and 5500 Series Controllers
- WiSM 2 Controllers
- Cisco Flex 7500 and Cisco 8500 Series Controllers
To configure the AVC profile template, follow these steps:
Step 1 Choose Configuration > Features & Technologies > Controller > Application Visibility And Control > AVC Profiles.
Step 2 If you want to add a new template, hover the mouse on AVC Profiles and select New or click AVC Profiles. To modify an existing template, click the template name.
Step 3 In the AVC Profile Name text box, enter the AVC Profile Name.
Note You can configure only one AVC profile per WLAN and each AVC profile can have up to 32 rules. Each rule states a Mark or Drop action for an application. This allows you to configure up to 32 application actions per WLAN. You can configure up to 16 AVC profiles on a controller and associate an AVC profile with multiple WLANs.
Step 4 Under the AVC Rule List, click Add Row to create AVC rules.
- In the Application Name field, enter the name of the application.
- In the Application Group Name field, enter the name of the application group to which the application belongs.
- From the Action drop-down list, choose one of the following:
– Drop—Drops the upstream and downstream packets corresponding to the chosen application.
– Mark—Marks the upstream and downstream packets corresponding to the chosen application with the DSCP value that you specify in the Differentiated Services Code Point (DSCP) drop-down list. The DSCP value helps you provide differentiated services based on the QoS levels.
– Rate Limit—If you select Rate Limit as an action, you can specify Average Rate Limit per client and Burst data rate limit. The number of rate limit applications is limited to 3.
The default action is to permit all applications.
- If you select Mark as an action, then choose QoS levels from the DSCP drop-down list. DSCP is a packet header code that is used to define quality of service across the Internet. The DSCP values are mapped to the following QoS levels:
– Platinum (Voice)—Assures a high QoS for Voice over Wireless.
– Gold (Video)—Supports the high-quality video applications.
– Silver (Best Effort)—Supports the normal bandwidth for clients.
– Bronze (Background)—Provides lowest bandwidth for guest services.
– Custom—Specify the DSCP value. The range is from 0 to 63.
- In the DSCP Value field, enter the value. A value can be entered only when Custom is chosen from the DSCP drop-down list.
- If you select Rate Limit as an action, you can specify the value in Avg. Rate Limit (in Kbps), which is the average bandwidth limit of that application.
- If you select Rate Limit as an action, you can specify Burst Rate Limit (in Kbps), which is the peak limit of that application.
Step 5 Click Save as New Template.
Creating NetFlow Templates
NetFlow is a protocol that provides valuable information about network users and applications, peak usage times, and traffic routing. This protocol collects IP traffic information from network devices to monitor traffic. The NetFlow architecture consists of the following components:
- Collector—An entity that collects all the IP traffic information from various network elements.
- Exporter—A network entity that exports the template with the IP traffic information. The controller acts as an exporter.
Creating NetFlow Monitor Template
To create a NetFlow Monitor template:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Netflow > Monitor.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create.
Step 3 Complete the required fields, then click Save as New Template.
Creating NetFlow Exporter Template
You can configure only one NetFlow Exporter per controller. To create a NetFlow Exporter template:
Step 1 Choose Configuration > Templates > Features & Technologies > Controller > Netflow > Monitor.
Step 2 Hover your mouse cursor over the tool tip next to the template type and click New to create.
Step 3 Complete the required fields, then click Save as New Template.