You use templates to define device parameters and settings, which you can later deploy to a specified number of devices based on device type. Templates enhance productivity when you are implementing new services or a new site. Altering configurations across a large number of devices can be tedious and time-consuming, and templates save you time by applying the necessary configurations and by ensuring consistency across devices. You can also create and deploy a configuration for a single selected device.
Table 4-1 describes the process for creating and deploying templates.
| Step | Description |
|---|---|
| 1 | Under the Design menu, choose which type of template to create. |
| 2 | After you have created the template, click the Publish icon to publish the template and make it available to be deployed. |
| 3 | Under the Deploy menu, choose which template to deploy. See Deploying Templates for more information. |
| 4 | Choose Tools > Task Manager > Jobs Dashboard to verify the status of the template deployment. |
This chapter contains the following sections:
•About Configuration Templates
•Creating Configuration Templates
•Creating Wireless Controller Templates
•Creating Security Configuration Templates
•Configuring Features on a Device
•Testing and Troubleshooting Configuration Templates
You use configuration templates to design the set of device configurations you need to set up all the devices in a branch. When you have a site, office, or branch that uses a similar set of devices and configurations, you can use configuration templates to build a generic configuration that you can apply to one or more devices in the branch. You can also use configuration templates when you have a new branch and want to quickly and accurately set up common configurations on the devices in the branch.
Deploying a branch means creating the minimum configurations for the branch router. Prime Infrastructure allows you to create a set of required features that include:
•Feature templates for the Ethernet interface
•Feature templates for the routing configuration
•CLI template for additional features you require
All of the templates you create can then be added to a single composite template, which aggregates all the individual feature templates you need for the branch router. You can then use this composite template when you perform branch deployment operations and to replicate the configurations at other branches.
When you have a set of similar devices across a branch, you can deploy a composite template that includes "golden" configurations to simplify deployment and ensure consistency across your device configurations. You can also use the composite template to compare against an existing device configuration to determine if there are mismatches.
Related Topics
•Creating Configuration Templates
Prime Infrastructure provides the following types of configuration templates:
•Default templates—Cisco-supplied templates that are ready for use the moment you install Prime Infrastructure. See Default Configuration Templates.
•CLI templates—User-defined templates that are created based on your own parameters. CLI templates allow you to choose the elements in the configurations. Prime Infrastructure provides variables that you replace with actual values and logic statements. You can also import templates from Cisco Prime LAN Management System. See Creating CLI Configuration Templates.
•Feature and technology templates—Configurations that are specific to a feature or technology in a device's configuration. See Creating Feature and Technology Templates.
•Composite templates—Two or more feature or CLI templates grouped together into one template. You specify the order in which the templates contained in the composite template are deployed to devices. See Creating Composite Templates.
Note All templates must be published before they can be deployed to devices.
Prime Infrastructure ships with default configuration templates that you can find under Design > Configuration Templates > My Templates > OOTB. These templates are described in Table 4-2.
| Template | Description |
|---|---|
| Medianet - PerfMon | Configure performance monitoring for Medianet. |
| PA with WAAS | Configure Cisco Performance Agent[1] and Wide Area Application Services (WAAS). |
| PA without WAAS | Configure Cisco Performance Agent without WAAS. |
| Collecting Traffic Statistics | Collect network traffic statistics. |

[1] Cisco Performance Agent is a licensed feature of Cisco IOS Software. It offers comprehensive application performance and network usage data to help network administrators accurately assess user experience and optimize the use of network resources.
Before creating a CLI template, make sure you have satisfied the prerequisites as described in About Database Variables in CLI Templates.
Step 1 Choose Design > Configuration Templates.
Step 2 Expand the CLI Template folder, then click CLI.
Step 3 Enter the basic template information.
Step 4 From the Validation Criteria drop-down list, choose the device types to which this CLI template can be applied.
The Device Type field lists product types, product families, and model numbers.
Step 5 Under Template Detail, click Manage Variables.
This allows you to specify a variable for which you will define a value when you deploy the template.
Step 6 Click Add Row and enter the parameters for a new variable, then click Save.
Step 7 Enter the CLI information.
Note In the CLI field, you must enter code using Apache VTL.
Step 8 To view a list of all variables used in the template, click Form View (this is a read-only view), then click Manage Variables to change the variables.
Step 9 Click Save As New Template.
Related Topics
•Prerequisites for Creating CLI Templates
•About Database Variables in CLI Templates
•Creating CLI Configuration Templates from Copied Code
•Importing CLI Configuration Templates From Cisco Prime LMS
Creating CLI templates is an advanced function that should be done by expert users. Before you create a CLI template, you should:
•Have expert knowledge and understanding of the CLI and be able to write the CLI in Apache VTL. For more information about Apache Velocity Template Language, see http://velocity.apache.org.
•Understand to what devices the CLI you create can be applied.
•Understand the data types supported by Prime Infrastructure.
•Understand and be able to manually label configurations in the template.
When a device is discovered and added to Prime Infrastructure, you can use the database values that were gathered during the inventory collection to create CLI templates. For example, if you want to create and deploy a CLI template to shut down all interfaces in a branch, you can create a CLI template that contains the following commands:
```
#foreach ($interfaceName in $interfaceNameList)
interface $interfaceName
shutdown
#end
```
where $interfaceNameList is a database variable whose value is retrieved from the database at deployment time. $interfaceNameList has a default value of Inventory::EthernetProtocolEndpoint.IntfName.
To populate $interfaceNameList with the value from the database, you must create a properties file that captures the query string, as described below, and save it in the /opt/CSCOlumos/conf/ifm/template/InventoryTagsInTemplate folder.
Sample property file (filename: interface.properties):
```
# for interface name tag->Name
EthernetProtocolEndpoint.IntfName=select u.name from EthernetProtocolEndpoint u where u.owningEntityId =
```
After you create the CLI template and the property file and deploy the CLI template, the following CLI is configured on the devices. This output assumes the device has two interfaces (GigabitEthernet0/0 and GigabitEthernet0/1):
```
interface GigabitEthernet0/0
shutdown
interface GigabitEthernet0/1
shutdown
```
Note $interfaceNameList is a Prime Infrastructure default database variable.
Verify that the Enterprise JavaBeans Query Language (EJB QL) query specified in the properties file returns a list of strings. If the query selects a single element, it must still return a list containing that one element.
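As an added example (not part of the Cisco documentation), the following Python script simulates how the shutdown template above is rendered for a device: it resolves the $interfaceNameList database variable from a constructed stand-in for the inventory, enforces the list-of-strings rule just described, and expands the #foreach loop. The inventory dictionary, device names, and helper functions are assumptions for illustration, not product code.

```python
import re

# Constructed stand-in for the inventory database; in the product, the EJB QL
# mapped in interface.properties runs against the real inventory instead.
INVENTORY_TAG = "Inventory::EthernetProtocolEndpoint.IntfName"
FAKE_INVENTORY = {
    "branch-rtr-1": {INVENTORY_TAG: ["GigabitEthernet0/0", "GigabitEthernet0/1"]},
    "branch-rtr-2": {INVENTORY_TAG: "GigabitEthernet0/0"},   # single element
    "branch-rtr-3": {INVENTORY_TAG: [1, 2]},                 # wrong result type
}

# Declared database variables, as in Manage Variables: template name -> database tag.
DATABASE_VARIABLES = {"interfaceNameList": INVENTORY_TAG}

# The CLI template from the page (without the literal "\n" shown there).
SHUTDOWN_TEMPLATE = """#foreach ($interfaceName in $interfaceNameList)
interface $interfaceName
shutdown
#end
"""

FOREACH_RE = re.compile(
    r"#foreach\s*\(\s*\$(\w+)\s+in\s+\$(\w+)\s*\)\n(.*?)#end\n?", re.S)
VAR_RE = re.compile(r"\$\{?(\w+)\}?")


def resolve_db_variable(device, tag):
    """Look up a database tag for a device and enforce the rule from the page:
    the query must return a list of strings; a single string is wrapped in a
    one-element list; anything else is rejected before deployment."""
    result = FAKE_INVENTORY[device][tag]
    if isinstance(result, str):
        return [result]
    if isinstance(result, list) and all(isinstance(x, str) for x in result):
        return result
    raise TypeError(f"{tag} on {device} must yield a list of strings, got {result!r}")


def substitute(text, variables):
    """Replace $name / ${name} references; an undefined name is an error."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"template references undefined variable ${name}")
        return str(variables[name])
    return VAR_RE.sub(repl, text)


def render(template, variables):
    """Render the VTL subset the page uses: one level of #foreach plus $name."""
    def expand_loop(match):
        item, collection, body = match.groups()
        rendered = []
        for value in variables[collection]:
            rendered.append(substitute(body, {**variables, item: value}))
        return "".join(rendered)
    return substitute(FOREACH_RE.sub(expand_loop, template), variables)


def render_for_device(device, template=SHUTDOWN_TEMPLATE):
    """Resolve every declared database variable for the device, then render."""
    variables = {name: resolve_db_variable(device, tag)
                 for name, tag in DATABASE_VARIABLES.items()}
    return render(template, variables)


if __name__ == "__main__":
    print(render_for_device("branch-rtr-1"))
```

Running the script against "branch-rtr-3" raises the TypeError, which is the failure the verification step above is meant to catch before the template reaches a device.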
Related Topics
•Creating CLI Configuration Templates
•Prerequisites for Creating CLI Templates
•Creating CLI Configuration Templates from Copied Code
•Importing CLI Configuration Templates From Cisco Prime LMS
One quick way to create CLI configuration templates is to copy code from a command line configuration session, CLI script, or other stored set of configuration commands. Prime Infrastructure lets you turn all the CLI parameters in the copied CLI into template variables.
To create a CLI template variable from copied code:
Step 1 Choose Design > Configuration Templates.
Step 2 Expand the CLI Template directory, and then click CLI.
Step 3 In the CLI template, paste the copied code into the CLI Content field.
Step 4 Select the text that is to be the variable name.
Step 5 Click Manage Variable.
The Manage Variable dialog box appears with the new variable name added to the list of variables.
Step 6 Enter the values of the following parameters:
•Name.
•Type—Datatype of the variable. Default is String.
•Description (Optional)—Description of the variable.
•Display Label—Display name of the variable in the template.
•Mandatory—If the variable is mandatory in the template, check this check box.
Step 7 To set the range, validation, and default value of the variable, click the arrow next to the radio button:
•Default Value.
•Range—If the variable is an integer, enter the range in the From and To fields.
•Validation Expression—If the variable is a string, enter a valid regular expression to validate the user input. For example, to require that a value such as a hostname contain no whitespace characters, enter ^[\S]+$ as the validation expression.
Step 8 Click Save.
Step 9 Click Add.
To view the new variable, click Form View.
To edit an existing variable created from copied code:
Step 1 Click Manage Variable.
Step 2 Click the radio button to select a variable, and then click Edit.
Step 3 Continue from Step 6 of the procedure for creating a variable from copied code.
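As an added example (not from the Cisco documentation), the following Python script models what the Manage Variables settings above enforce at deployment time: it lists the $variables referenced in pasted CLI content (as Form View does), then checks each supplied value against the declared type, mandatory flag, default, integer range, and validation expression, using the page's ^[\S]+$ expression. The declarations, pasted CLI, and function names are assumptions for illustration.

```python
import re

VAR_RE = re.compile(r"\$\{?(\w+)\}?")

# Constructed variable declarations, mirroring the fields of the Manage Variables dialog.
DECLARATIONS = {
    "hostname": {"type": "String", "mandatory": True, "regex": r"^[\S]+$"},
    "vlanId": {"type": "Integer", "mandatory": True, "range": (2, 4094)},
    "description": {"type": "String", "mandatory": False,
                    "default": "managed by template"},
}

# Constructed CLI content pasted from a session, with copied values turned into variables.
PASTED_CLI = """hostname $hostname
vlan $vlanId
 name $description
"""


def template_variables(text):
    """Names referenced in the template text (what Form View lists)."""
    return set(VAR_RE.findall(text))


def validate_deployment(template, declarations, values):
    """Return (problems, resolved_values) for a proposed deployment.
    Every referenced variable must be declared; mandatory variables need a
    value or a default; Integer values must parse and fall in the declared
    range; String values must match the validation expression if one is set."""
    problems, resolved = [], {}
    for name in sorted(template_variables(template)):
        decl = declarations.get(name)
        if decl is None:
            problems.append(f"${name}: used in template but not declared")
            continue
        value = values.get(name, decl.get("default"))
        if value is None:
            if decl.get("mandatory"):
                problems.append(f"${name}: mandatory but no value or default given")
            continue
        if decl["type"] == "Integer":
            try:
                number = int(value)
            except (TypeError, ValueError):
                problems.append(f"${name}: {value!r} is not an integer")
                continue
            low, high = decl.get("range", (None, None))
            if low is not None and not low <= number <= high:
                problems.append(f"${name}: {number} is outside the range {low}-{high}")
                continue
            resolved[name] = number
        else:
            regex = decl.get("regex")
            if regex and not re.fullmatch(regex, str(value)):
                problems.append(f"${name}: {value!r} fails validation expression {regex}")
                continue
            resolved[name] = str(value)
    return problems, resolved


if __name__ == "__main__":
    print(validate_deployment(PASTED_CLI, DECLARATIONS,
                              {"hostname": "br 1", "vlanId": 5000}))
```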
Related Topics
•Creating CLI Configuration Templates
•Prerequisites for Creating CLI Templates
•About Database Variables in CLI Templates
•Importing CLI Configuration Templates From Cisco Prime LMS
In addition to creating new configuration templates, you can import configurations from Cisco Prime LAN Management Solution (LMS). If you have "golden" templates in Cisco Prime LMS, you can import those configurations into Prime Infrastructure and save them as configuration templates that you can deploy to the devices in your network.
Before you import a configuration, you must first export and save the configuration from Cisco Prime LMS.
Step 1 Choose Design > Configuration Templates.
Step 2 Expand the CLI Template folder, then choose the CLI template.
Step 3 Click the Import icon at the top right of the CLI template page.
Step 4 Browse to the configuration .xml file that you previously exported from Cisco Prime LMS, then click OK.
Step 5 Navigate to the My Templates folder and choose the configuration you imported.
Step 6 To view the contents of the configuration, click the CLI Content tab.
To view the parameters defined in the configuration, click the Form View tab. These values are read-only.
To change any of the variables defined in the configuration, click Manage Variables.
Step 7 Click the Publish icon to publish the template so it can be deployed.
Step 8 Click the Go to Deployment icon and go to the Deploy > Configuration Tasks page.
Step 9 Click Deploy on the template you published.
Step 10 Specify the deployment options as explained in Specifying Template Deployment Options.
Step 11 Click OK.
Related Topics
•Creating CLI Configuration Templates
•Prerequisites for Creating CLI Templates
•About Database Variables in CLI Templates
•Creating CLI Configuration Templates from Copied Code
Feature and technology templates are based on device configuration and focus on specific features or technologies in a device's configuration. When you add a device to Prime Infrastructure, Prime Infrastructure gathers the device configuration for the model you added.
Note Prime Infrastructure does not support every configurable option for all device types. If Prime Infrastructure does not have a feature and technology template for the specific feature or parameter you want to configure, create a CLI template as described in Creating CLI Configuration Templates.
You create feature and technology templates to simplify the deployment of configuration changes. For example, you can create an SNMP feature and technology template and then quickly deploy it to the devices you specify. You can also add one or more feature and technology templates to a composite template. If you do, when you update the SNMP template, the composite template in which the SNMP template is contained automatically has your latest changes.
Step 1 Choose Design > Configuration Templates.
Step 2 Expand the Features and Technologies folder, choose an appropriate subfolder, then choose a template type to create.
Step 3 Enter the basic template information.
Step 4 From the Validation Criteria drop-down list, choose the device types to which this feature template can be applied. The Device Type field lists product types, product families, and model numbers.
Note If you are creating a feature template that applies only to a particular device type, the Device Type field lists only the applicable device type, and you cannot change the selection.
Step 5 Under Template Detail, enter the CLI information.
Step 6 Click Save As New Template.
Many branch deployments require an Ethernet interface configuration template, which you then include in the composite template for branch deployments.
To create an Ethernet interface configuration template:
Step 1 Choose Design > Configuration Templates.
Step 2 Under the Features and Technologies folder, expand Interfaces, then click Ethernet Interfaces.
Step 3 Enter the basic template information.
Step 4 From the Device Type drop-down list, choose Routers.
Step 5 Under Template Detail, click Add Row in the Ethernet Interfaces table.
Step 6 Complete the fields for an Ethernet interface that is configured on the device. (If, for example, you enter "GigabitEthernet0/1" in the Interface field, the GigabitEthernet0/1 interface must be physically present on the device.)
Step 7 In the IP Address field, enter a valid IP and mask configuration; for example, 192.168.1.1 255.255.255.0.
Step 8 Click Save.
Step 9 Click Save as New Template.
Many branch deployments require an EIGRP routing configuration template, which you then include in the composite template for branch deployments.
To create an EIGRP routing configuration template:
Step 1 Choose Design > Templates > Configuration.
Step 2 Under the Features and Technologies folder, expand Routing, then click EIGRP.
Step 3 Enter the basic template information.
Step 4 From the Device Type drop-down list, choose Routers.
Step 5 Under Template Detail, click Add Row in the EIGRP Routes table.
Step 6 Enter an Autonomous System (AS) Number and a passive interface such as FastEthernet0/0, and choose a value for Auto Summary.
Step 7 Click Save.
Step 8 Click Save as New Template.
Many branch deployments require a RIP routing configuration template, which you then include in the composite template for branch deployments.
To create a RIP routing configuration template:
Step 1 Choose Design > Templates > Configuration.
Step 2 Under the Features and Technologies folder, expand Routing, then click RIP.
Step 3 Enter the basic template information.
Step 4 From the Device Type drop-down list, choose Routers.
Step 5 Under Template Detail, click Enable RIP.
Step 6 Choose a RIP version.
Step 7 Under Advanced Configuration, choose:
•IP Network List—Enter network IP addresses, such as 10.10.10.10.
•Passive Interfaces—Enter a passive interface, such as FastEthernet0/0.
Step 8 Click Save.
Step 9 Click Save as New Template.
You can use a template to configure a static route. Managing static routes by hand can be overwhelming in a large or complicated network. By creating a static routing template, you can avoid making manual changes each time there is a change in the network.
To create and deploy a static routing template:
Step 1 Choose Design > Configuration Templates.
Step 2 Expand the Features and Technologies folder, expand the Routing subfolder, then click Static.
Step 3 Enter the basic template information.
Step 4 Under Template Detail, click Add Row, then complete the fields.
Note For Permanent Route, choose:
•True to specify that the route is not removed from the routing table, even if the next-hop interface shuts down or the next-hop IP address is not reachable.
•False to specify that the route is removed from the routing table if the next-hop interface shuts down or the next-hop IP address is not reachable.
Step 5 Click Save As New Template.
Step 6 Navigate to the My Templates folder and choose the template you just saved.
Step 7 Click the Publish icon to publish the template so it can be deployed.
Step 8 Click the Go to Deployment icon and go to the Deploy > Configuration Tasks page.
Step 9 Click Deploy on the template you published.
Step 10 Specify the deployment options as explained in Specifying Template Deployment Options.
Step 11 Click OK.
To create and deploy a template to configure access lists:
Step 1 Choose Design > Configuration Templates.
Step 2 Expand the Features and Technologies folder, expand the Security subfolder, then click ACL.
Step 3 Enter the basic template information.
Step 4 Under Template Detail, click Add Row, then complete the fields described in Table 4-3.
Step 5 Click Save As New Template.
Step 6 Navigate to the My Templates folder and choose the template you just saved.
Step 7 Click the Publish icon to publish the template so it can be deployed.
Step 8 Click the Go to Deployment icon and go to the Deploy > Configuration Tasks page.
Step 9 Click Deploy on the template you published.
Step 10 Specify the deployment options as explained in Specifying Template Deployment Options.
Step 11 Click OK.
Getting the wireless LAN up and running quickly and cost-effectively to meet your needs is streamlined with the broad array of Cisco Prime Infrastructure integrated configuration templates. These easy-to-use templates and deployment tools help you to provision and configure the wireless LAN to deliver the services that your business requires. You use controller templates to define controller parameters and settings, which you can later deploy to a specified number of wireless LAN controllers. The controller templates enhance productivity when you are implementing new services or a new site. Altering configurations across a large number of controllers can be tedious and time-consuming, and templates save you time by applying the necessary configurations and by ensuring consistency across controllers.
See Table 4-1 for information about the process for creating and deploying templates.
After configuring a controller template, follow these steps:
Step 1 Navigate to the My Templates folder and choose the template you just saved.
Step 2 Click the Publish icon to publish the template so it can be deployed.
Step 3 Click the Go to Deployment icon and go to the Deploy > Configuration Tasks page.
Step 4 Click Deploy on the template you published.
Step 5 Specify the deployment options as explained in the "Specifying Template Deployment Options" section.
Step 6 Click OK.
This section contains the following topics:
•Configuring General Templates
•Configuring SNMP Community Controller Templates
•Configuring an NTP Server Template
•Configuring User Roles Controller Templates
•Configuring AP Username Password Controller Templates
•Configuring a Global CDP Configuration Template
•Configuring AP 802.1X Supplicant Credentials
•Configuring an Interface Group Template
•Configuring a Traffic Stream Metrics QoS Template
•Configuring Dynamic Interface Templates
To configure a general template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > System > General.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 Under Validation Criteria, choose a device type from the drop-down list and enter the OS version.
Note Specifying a device type helps to prevent a mismatch; that is, you cannot create a configuration and apply it to the wrong device type.
Step 4 In the Template Detail section, enter the IKE Authentication and Encryption policy.
Step 5 Use the 802.3x Flow Control Mode drop-down list to enable or disable flow control mode.
Step 6 Use the 802.3x Bridging drop-down list to enable or disable 802.3 bridging.
Note This 802.3 bridging option is not available for 5500 and 2106 series controllers.
Step 7 Use the Web RADIUS Authentication drop-down list to choose the desired Web RADIUS authentication. You can choose to use PAP, CHAP, or MD5-CHAP for authentication between the controller and the client during the user credential exchange.
Step 8 Specify the number of seconds for the AP Primary Discovery Timeout. The default is 120 seconds, and the valid range is 30 to 3600.
Step 9 Specify the Back-up primary and secondary controller details (controller IP address and controller name).
Step 10 Specify Layer 2 or Layer 3 transport mode. When set to Layer 3, the controller uses IP addresses to communicate with the access points; these IP addresses are obtained from a mandatory DHCP server. When set to Layer 2, the controller uses proprietary code to communicate with the access points.
Note Controllers through Version 5.2 use LWAPP; later controller versions use CAPWAP.
Step 11 Choose to enable or disable broadcast forwarding. The default is disabled.
Step 12 Choose Enable or Disable from the LAG Mode drop-down list. Link aggregation allows you to reduce the number of IP addresses needed to configure the ports on your controller by grouping all the physical ports and creating a link aggregation group (LAG).
If LAG is enabled on a controller, any dynamic interfaces that you have created are deleted to prevent configuration inconsistencies in the interface database. When you make changes to the LAG configuration, the controller has to be rebooted for the changes to take effect.
Note Interfaces cannot be created with the Dynamic AP Manager flag set. Also, you cannot create more than one LAG on a controller.
Step 13 Choose to enable or disable peer-to-peer blocking mode. If you choose Disable, any same-subnet clients communicate through the controller. If you choose Enable, any same-subnet clients communicate through a higher-level router.
Step 14 From the Over Air AP Provision Mode drop-down list, choose enable or disable.
Step 15 From the AP Fallback drop-down list, choose enable or disable. Enabling fallback causes an access point that lost a primary controller connection to automatically return to service when the primary controller returns.
Step 16 When a controller fails, the backup controller configured for the access point suddenly receives a number of discovery and join requests. This might cause the controller to reach a saturation point and reject some of the access points. By assigning priority to an access point, you have some control over which access points are rejected. In a failover situation when the backup controller is saturated, the higher priority access points can join the backup controller if the lower priority access points are disjoined. Choose enable from the AP Failover Priority drop-down list if you want to allow this capability.
Step 17 Choose to enable or disable AppleTalk bridging.
Note This AppleTalk bridging option is not available on 5500 series controllers.
Step 18 Choose to enable or disable the Fast SSID Change option. If the option is enabled, the client connects instantly to the controller between SSIDs without having much loss of connectivity. Normally, each client is connected to a particular WLAN identified by the SSID. If the client moves out of reach of the connected access point, the client has to reconnect to the controller using a different access point. This normal process consumes some time as the DHCP (Dynamic Host Configuration Protocol) server has to assign an IP address to the client.
Step 19 Because the master controller is normally not used in a deployed network, the master controller setting is automatically disabled upon reboot or operating system code upgrade. You might want to enable the controller as the master controller from the Master Controller Mode drop-down list.
Step 20 Choose to enable or disable access to the controller management interface from wireless clients. Because of IPsec operation, management via wireless is only available to operators logging in across WPA or Static WEP. Wireless management is not available to clients attempting to log in via an IPsec WLAN.
Step 21 Choose to enable or disable symmetric tunneling mode. With symmetric mobility tunneling, the controller provides inter-subnet mobility for clients roaming from one access point to another within a wireless LAN. The client traffic on the wired network is directly routed by the foreign controller. If a router has Reverse Path Forwarding (RPF) enabled (which provides additional checks on incoming packets), the communication is blocked. Symmetric mobility tunneling allows the client traffic to reach the controller designated as the anchor, even with RPF enabled.
Note All controllers in a mobility group should have the same symmetric tunneling mode.
Note For symmetric tunneling to take effect, you must reboot.
Step 22 Use the ACL Counters drop-down list to enable or disable ACL counters. The values per ACL rule can be viewed for each controller.
Step 23 Enter the operator-defined RF mobility group name in the Default Mobility Domain Name text box.
Step 24 At the Mobility Anchor Group Keep Alive Interval, determine the delay between tries for clients attempting to join another access point. With this guest tunneling N+1 redundancy feature, the time it takes for a client to join another access point following a controller failure is decreased because a failure is quickly identified, the clients are moved away from the problem controller, and the clients are anchored to another controller.
Note When you hover your mouse cursor over the field, the valid range of values appears.
Step 25 At the Mobility Anchor Group Keep Alive Retries, specify the number of queries to anchor before the client declares it unreachable.
Step 26 Enter the RF network group name between 8 and 19 characters. Radio Resource Management (RRM) neighbor packets are distributed among access points within an RF network group. The Cisco access points only accept RRM neighbor packets sent with this RF network name. The RRM neighbor packets sent with different RF network names are dropped.
Step 27 Specify the time out for idle clients. The factory default is 300 seconds. When the timeout expires, the client loses authentication, briefly disassociates from the access point, reassociates, and re-authenticates.
Step 28 Specify the timeout in seconds for the address resolution protocol. The factory default is 300 seconds.
Step 29 Check the Global TCP Adjust MSS check box to have the controller inspect TCP SYN and TCP ACK packets originating from the client and reset the MSS value to the configured value on both the upstream and downstream side.
Step 30 From the Web Auth Proxy Redirect Mode drop-down list, choose enable or disable. Enable this mode if a manual proxy configuration is set in the browser of the client; in that case all web traffic going out from the client is destined for the proxy IP address and port configured on the browser.
Step 31 Enter the Web Auth Proxy Redirect Port. The default ports are 8080 and 3128. The range is 0 to 65535.
Step 32 Enter the AP Retransmit Count and Intervals. The AP Retransmit Count default value is 5 and the range is from 3 to 8. The AP Retransmit Interval default value is 3. The range is 2 to 5.
Step 33 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Create or modify a template for configuring SNMP communities on controllers. Communities can have read-only or read-write privileges using SNMP v1, v2, or v3.
To add a new template with SNMP community information for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > System > SNMP Community.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 Under Validation Criteria, choose a device type from the drop-down list and enter the OS version.
Step 4 Under Template Detail, enter the SNMP Community information.
Note If the Access Mode option is configured as Read Only, Prime Infrastructure has only read access to the controller after this template is applied.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Note NTP is used to synchronize computer clocks on the Internet.
To add an NTP template or make modifications to an existing NTP template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > System, then choose the NTP template.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 Under Validation Criteria, choose a device type from the drop-down list and enter the OS version.
Step 4 Enter the NTP server IP address.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To modify the quality of service (QoS) profiles, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > System > QoS Profiles.
Step 2 If you want to edit the bronze, gold, platinum, or silver QoS profile, click in the Name column for the profile you want to edit. The Edit QoS Profile Template page appears.
Step 3 Set the following values in the Per-User Bandwidth Contracts group box. All have a default of 0 or Off.
•Average Data Rate—The average data rate for non-UDP traffic.
•Burst Data Rate—The peak data rate for non-UDP traffic.
•Average Real-time Rate—The average data rate for UDP traffic.
•Burst Real-time Rate—The peak data rate for UDP traffic.
Step 4 Set the following values in the Over-the-Air QoS group box.
•Maximum QoS RF Usage per AP—The maximum air bandwidth available to clients. The default is 100%.
•QoS Queue Depth—The queue depth for a class of client. Packets that exceed this depth are dropped at the access point.
Note The Air QoS configurations are applicable for controller Version 7.0 and earlier.
Step 5 Set the following values in the Wired QoS Protocol group box.
•Wired QoS Protocol - Choose 802.1P to activate 802.1P priority tags or None to deactivate 802.1P priority flags.
•802.1P Tag - Choose 802.1P priority tag for a wired connection from 0 to 7. This tag is used for traffic and CAPWAP packets.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This section describes how to create or modify a template for configuring user roles. User roles determine how much bandwidth the network can use. Four QoS levels (Platinum, Bronze, Gold, and Silver) are available for the bandwidth distribution to Guest Users. Guest Users are associated with predefined roles (Contractor, Customer, Partner, Vendor, Visitor, Other) with respective bandwidth configured by the Admin. These roles can be applied when adding a new Guest User.
To add a new template with User Roles information for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > System > User Roles.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Configure the following fields:
•Role Name
•Average Data Rate—The average data rate for non-UDP (User Datagram Protocol) traffic.
•Burst Data Rate—The peak data rate for non-UDP traffic.
•Average Real-time Rate—The average data rate for UDP traffic.
•Burst Real-time Rate—The peak data rate for UDP traffic.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Create or modify a template for setting an access point username and password. All access points inherit the password as they join the controller and these credentials are used to log into the access point via the console or Telnet/SSH.
The AP Username Password page enables you to set a global password that all access points inherit as they join a controller. When you are adding an access point, you can also choose to accept this global username and password or override it on a per-access point basis.
Also, in controller software Release 5.0, after an access point joins the controller, the access point enables console port security and you are prompted for your username and password whenever you log into the access point console port. When you log in, you are in non-privileged mode and you must enter the enable password to use the privileged mode.
To add a new template with AP Username Password information for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > System > AP Username Password.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Under Template Detail, enter the AP username and password information.
Note For Cisco IOS access points, you must also enter and confirm an enable password.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
You can configure 802.1X authentication between lightweight access points and the switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning. You can set global authentication settings that all access points inherit as they join the controller. All access points that are currently joined to the controller and any that join in the future are included.
To add or modify an existing AP 802.1X Supplicant Credentials template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > System > AP 802.1X Supplicant Credentials.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Select the Enable check box to enable global supplicant credentials.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices.
Note CDP is enabled on the Ethernet and radio ports of the bridge by default.
To configure a Global CDP Configuration template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > System > Global CDP Configuration.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 In the Global CDP group box of the page, configure the following fields:
•CDP on controller—Choose to enable or disable CDP on the controller.
Note This configuration cannot be applied on WiSM2 controllers.
•Global CDP on APs—Choose to enable or disable CDP on the access points.
•Refresh-time Interval (seconds)—Enter the interval, in seconds, at which CDP messages are generated. The default is 60.
•Holdtime (seconds)—Enter the time in seconds before the CDP neighbor entry expires. The default is 180.
•CDP Advertisement Version—Enter which version of the CDP protocol to use. The default is v1.
Step 5 In the CDP for Ethernet Interfaces group box of the page, select the slots of Ethernet interfaces for which you want to enable CDP.
Note CDP for Ethernet Interfaces fields are supported for Controller Version 7.0.110.2 and later.
Step 6 In the CDP for Radio Interfaces group box of the page, select the slots of Radio interfaces for which you want to enable CDP.
Note CDP for Radio Interfaces fields are supported for Controller Version 7.0.110.2 and later.
Step 7 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Note The Global Interface CDP configuration is applied only to the APs for which the CDP is enabled at AP level.
To add a DHCP template or make modifications to an existing DHCP template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > System > DHCP.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 You can enable or disable DHCP proxy on a global basis rather than on a WLAN basis. When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from the client to the configured servers. At least one DHCP server must be configured on either the interface associated with the WLAN or on the WLAN itself. DHCP proxy is enabled by default.
Step 5 Enter the DHCP Timeout, in seconds, after which the DHCP request times out. The default setting is 5. Allowed values range from 5 to 120 seconds.
Note DHCP Timeout is applicable for Controller Version 7.0.114.74 and later.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
The interface group template page allows you to select a list of interfaces and form a group.
To configure an interface group template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > System > Interface Groups.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Specify the following details:
•Name—Interface Group name.
•Description (optional)—A more detailed description of the interface group.
•Quarantine—Indicates the type of interfaces that can be added to an interface group. If this option is enabled, you can add interfaces with a quarantine VLAN ID set. If this option is disabled, you can add interfaces with no quarantine VLAN ID set.
Step 5 Select the Controllers/Interfaces that you want to add to the group.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Traffic stream metrics are a series of statistics about VoIP over your wireless LAN and inform you of the QoS of the wireless LAN. These statistics are different from the end-to-end statistics provided by VoIP systems. End-to-end statistics provide information on packet loss and latency covering all the links comprising the call path. However, traffic stream metrics are statistics for only the WLAN segment of the call. Because of this, system administrators can quickly determine whether audio problems are being caused by the WLAN or by other network elements participating in a call. By observing which access points have impaired QoS, system administrators can quickly determine the physical area where the problem is occurring. This is important when lack of radio coverage or excessive interference is the root problem.
Four QoS values (packet latency, packet jitter, packet loss, and roaming time), which can affect the audio quality of voice calls, are monitored. All the wireless LAN components participate in this process. Access points and clients measure the metrics; access points collect the measurements and then send them to the controller. The access points update the controller with traffic stream metric information every 90 seconds, and 10 minutes of data is stored at one time. The Prime Infrastructure queries the controller for the metrics and displays them in the Traffic Stream Metrics QoS Status. These metrics are compared to threshold values to determine their status level; if any statistic shows a status level of fair (yellow) or degraded (red), the administrator investigates the QoS of the wireless LAN.
For the access points to collect measurement values, traffic stream metrics must be enabled on the controller.
To configure a Traffic Stream Metrics QoS template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > System > Traffic Stream Metrics QoS.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
The Traffic Stream Metrics QoS Controller Configuration page shows several QoS values. An administrator can monitor voice and video quality of the following:
•Upstream delay
•Upstream packet loss rate
•Roaming time
•Downstream packet loss rate
•Downstream delay
Packet Loss Rate (PLR) affects the intelligibility of voice. Packet delay can affect both the intelligibility and conversational quality of the connection. Excessive roaming time produces undesired gaps in audio.
There are three levels of measurement:
•Normal: Normal QoS (green)
•Fair: Fair QoS (yellow)
•Degraded: Degraded QoS (red)
System administrators should employ some judgement when setting the green, yellow, and red alarm levels. Some factors to consider are:
•Environmental factors including interference and radio coverage which can affect PLR.
•End-user expectations and system administrator requirements for audio quality on mobile devices (lower audio quality can permit greater PLR).
•Different codec types used by the phones have different tolerance for packet loss.
•Not all calls are mobile-to-mobile; therefore, some have less stringent PLR requirements for the wireless LAN.
To add a dynamic interface template or make modifications to an existing interface configuration, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > System > Dynamic Interface.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Select the Guest LAN check box to mark the interface as wired.
Step 5 Enter the net mask address of the interface.
Step 6 Enter the port currently used by the interface.
Step 7 Enter a secondary port to be used by the interface when the primary port is down. When the primary port is reactivated, the Cisco 4400 Series Wireless LAN controller transfers the interfaces back to the primary port.
Note Primary and secondary port numbers are present only in the Cisco 4400 Series Wireless LAN controllers.
Step 8 Enter the IP addresses of the primary and secondary DHCP servers.
Step 9 From the ACL Name drop-down list, choose a name from the list of defined names.
Step 10 From the Add Format Type drop-down list in the Add Interface Format Type group box, choose either Device Info or File. If you choose Device Info, you must configure the device-specific fields for each controller. If you choose File, you must configure CSV device-specific fields (Interface Name, VLAN Identifier, Quarantine VLAN Identifier, IP Address, and Gateway) for all the managed controllers specified in the CSV file (see Table 4-4). If you choose Device Info, continue to Step 12.
The sample CSV files are as follows.
The first row of the CSV file is used to describe the columns included. The CSV files can contain the following fields:
•ip_address
•interface_name
•vlan_id
•quarantine_vlan_id
•interface_ip_address
•gateway
Step 11 If you choose Apply to Controllers, you advance to the Apply To page where you can configure device-specific fields for each controller.
Step 12 Use the Add and Remove options to configure device-specific fields for each controller. If you click Edit, a dialog box appears with the current parameter input.
Step 13 Make the necessary changes in the dialog box, and click OK.
Note If you change the interface fields, the WLANs are temporarily disabled, therefore you might lose connectivity for some clients. Any changes to the interface fields are saved only after you successfully apply them to the controller(s).
Note If you remove an interface here, it is removed only from this template and not from the controllers.
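The CSV import described in Step 10 is applied to every managed controller named in the file, so a malformed row is multiplied across the branch. The following validator is an added example and is not part of the Cisco Prime Infrastructure guide or product: it reads the column layout the guide lists (a header row followed by ip_address, interface_name, vlan_id, quarantine_vlan_id, interface_ip_address, gateway) and reports rows that a controller would reject before the template is published. The VLAN range 1 to 4094, the use of blank or 0 as "quarantine VLAN not set", the optional netmask check against the interface net mask from Step 5, and the sample rows are all assumptions made for this example.

```python
"""Validate a dynamic-interface import CSV before it is applied to controllers.

Added example, not part of the Cisco Prime Infrastructure guide. Column names
follow the guide; the VLAN range, the "blank or 0 means unset" rule for the
quarantine VLAN, and the sample rows are assumptions for illustration.
"""
import csv
import io
import ipaddress

REQUIRED_COLUMNS = ["ip_address", "interface_name", "vlan_id",
                    "quarantine_vlan_id", "interface_ip_address", "gateway"]

# Constructed sample file: line 2 is valid, lines 3-7 each contain one defect.
SAMPLE_CSV = (
    "ip_address,interface_name,vlan_id,quarantine_vlan_id,interface_ip_address,gateway\n"
    "10.0.0.1,guest-data,120,,192.0.2.10,192.0.2.1\n"          # valid
    "10.0.0.1,guest-quarantine,121,9121,192.0.2.20,192.0.2.1\n"  # quarantine VLAN out of range
    "10.0.0.2,guest data,120,,198.51.100.10,198.51.100.1\n"      # space in interface name
    "10.0.0.2,voice,4095,,198.51.100.20,198.51.100.1\n"          # VLAN out of range
    "10.0.0.2,voice2,130,,198.51.100.30,198.51.100.300\n"        # gateway not an IPv4 address
    "10.0.0.1,guest-data,140,,192.0.2.40,192.0.2.1\n"            # duplicate name on controller
)


def _vlan_ok(value, allow_unset):
    """Assumed rule: 1-4094 is valid; blank or 0 means 'not set' where allowed."""
    if value in ("", "0"):
        return allow_unset
    return value.isdigit() and 1 <= int(value) <= 4094


def validate_dynamic_interface_csv(text, netmask=None):
    """Return (valid_rows, errors); errors are (line_number, message) tuples.

    If netmask is given (the interface net mask from the template), the
    gateway must lie in the interface's subnet.
    """
    reader = csv.DictReader(io.StringIO(text))
    valid_rows, errors = [], []
    present = {c.strip() for c in (reader.fieldnames or [])}
    missing = set(REQUIRED_COLUMNS) - present
    if missing:
        errors.append((1, "missing columns: " + ", ".join(sorted(missing))))
        return valid_rows, errors

    seen = set()  # (controller address, interface name) pairs already used
    for raw in reader:
        line = reader.line_num
        row = {k.strip(): (v or "").strip() for k, v in raw.items() if k is not None}
        row_errors = []
        try:
            ipaddress.IPv4Address(row["ip_address"])
        except ValueError:
            row_errors.append("ip_address is not a valid IPv4 address")
        name = row["interface_name"]
        if not name or " " in name:
            row_errors.append("interface_name must be non-empty and contain no spaces")
        if not _vlan_ok(row["vlan_id"], allow_unset=False):
            row_errors.append("vlan_id must be an integer from 1 to 4094")
        if not _vlan_ok(row["quarantine_vlan_id"], allow_unset=True):
            row_errors.append("quarantine_vlan_id must be blank, 0, or 1 to 4094")
        addrs = {}
        for col in ("interface_ip_address", "gateway"):
            try:
                addrs[col] = ipaddress.IPv4Address(row[col])
            except ValueError:
                row_errors.append(f"{col} is not a valid IPv4 address")
        if netmask and len(addrs) == 2:
            net = ipaddress.IPv4Network((addrs["interface_ip_address"], netmask), strict=False)
            if addrs["gateway"] not in net:
                row_errors.append(f"gateway is outside {net}")
        key = (row["ip_address"], name)
        if key in seen:
            row_errors.append(f"interface {name!r} listed twice for controller {row['ip_address']}")
        seen.add(key)
        if row_errors:
            errors.extend((line, msg) for msg in row_errors)
        else:
            valid_rows.append(row)
    return valid_rows, errors


if __name__ == "__main__":
    rows, errs = validate_dynamic_interface_csv(SAMPLE_CSV, netmask="255.255.255.0")
    print(f"{len(rows)} valid row(s)")
    for line, msg in errs:
        print(f"line {line}: {msg}")
```

Run the check against the file before choosing File in Step 10; a single bad line is easier to correct in the CSV than after the WLANs have been disabled during an apply.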
This section contains the following topics:
•Configuring WLAN AP Groups Templates
WLAN templates allow you to define various WLAN profiles for application to different controllers.
You can configure multiple WLANs with the same SSID. This feature enables you to assign different Layer 2 security policies within the same wireless LAN. Unlike previous releases, where the profile name was used as the unique identifier, the template name is the unique identifier in software release 5.1 and later.
These restrictions apply when configuring multiple WLANs with the same SSID:
•WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in the beacons and probes. These are the available Layer 2 security policies:
–None (open WLAN)
–Static WEP or 802.1X
–CKIP
–WPA/WPA2
•Broadcast SSID must be enabled on the WLANs that share an SSID so that the access points can generate probe responses for these WLANs.
•FlexConnect access points do not support multiple SSIDs.
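The three restrictions above are easy to break when several WLAN templates are authored separately and deployed to the same controller. The following check is an added example and is not code from the Cisco Prime Infrastructure guide or product: it models a WLAN template with the fields the restrictions depend on and reports every template that would violate them. The WlanTemplate fields, the flexconnect flag and the sample templates are assumptions made for this example.

```python
"""Check a set of WLAN templates against the shared-SSID restrictions.

Added example, not part of the Cisco Prime Infrastructure guide. The
WlanTemplate fields and the sample templates are constructed for
illustration; the checks encode the three restrictions the guide lists.
"""
from collections import defaultdict
from dataclasses import dataclass

# Layer 2 security policies named in the guide for WLANs sharing an SSID.
L2_POLICIES = {"None", "Static WEP", "802.1X", "CKIP", "WPA/WPA2"}


@dataclass(frozen=True)
class WlanTemplate:
    name: str                  # template name, the unique identifier
    ssid: str
    l2_security: str           # one of L2_POLICIES
    broadcast_ssid: bool
    flexconnect: bool = False  # assumed field: WLAN served by FlexConnect APs


def check_shared_ssids(templates):
    """Return a list of (template_name, problem); an empty list means OK."""
    problems = []
    seen_names = set()
    by_ssid = defaultdict(list)
    for t in templates:
        if t.name in seen_names:
            problems.append((t.name, "template name is not unique"))
        seen_names.add(t.name)
        if t.l2_security not in L2_POLICIES:
            problems.append((t.name, f"unknown Layer 2 policy {t.l2_security!r}"))
        by_ssid[t.ssid].append(t)

    for ssid, group in by_ssid.items():
        if len(group) < 2:
            continue  # the restrictions apply only when an SSID is shared
        # Restriction 1: each WLAN on the SSID needs a distinct Layer 2 policy,
        # otherwise clients cannot tell them apart from beacons and probes.
        by_policy = defaultdict(list)
        for t in group:
            by_policy[t.l2_security].append(t.name)
        for policy, names in by_policy.items():
            if len(names) > 1:
                for name in names:
                    problems.append((name, f"SSID {ssid!r} reused with Layer 2 policy {policy!r}"))
        for t in group:
            # Restriction 2: Broadcast SSID must be on so APs answer probes.
            if not t.broadcast_ssid:
                problems.append((t.name, f"Broadcast SSID disabled on shared SSID {ssid!r}"))
            # Restriction 3: FlexConnect access points do not support multiple SSIDs.
            if t.flexconnect:
                problems.append((t.name, f"shared SSID {ssid!r} on a FlexConnect WLAN"))
    return problems


# Constructed sample: "Corp" is shared correctly, "Guest" breaks two rules.
SAMPLE_TEMPLATES = [
    WlanTemplate("corp-open", "Corp", "None", broadcast_ssid=True),
    WlanTemplate("corp-wpa2", "Corp", "WPA/WPA2", broadcast_ssid=True),
    WlanTemplate("guest-a", "Guest", "None", broadcast_ssid=True),
    WlanTemplate("guest-b", "Guest", "None", broadcast_ssid=False),
    WlanTemplate("branch", "Branch", "WPA/WPA2", broadcast_ssid=True, flexconnect=True),
]

if __name__ == "__main__":
    for name, problem in check_shared_ssids(SAMPLE_TEMPLATES):
        print(f"{name}: {problem}")
```

Running the check on SAMPLE_TEMPLATES reports nothing for the Corp pair (open plus WPA/WPA2, both broadcasting) and three findings for the Guest pair: both templates reuse the None policy, and guest-b has Broadcast SSID disabled.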
To add a WLAN template or make modifications to an existing WLAN template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 Select the Wired LAN check box to indicate whether or not this WLAN is a wired LAN.
Note Specify if you want guest users to have wired guest access from an Ethernet connection designated and configured for guest access. Wired guest access ports might be available in a guest office or specific ports in a conference room and accounts are added to the network using the Lobby Ambassador portal. (See the "Creating Guest User Accounts" section).
Note The Egress or Ingress interface configurations are applicable for Wired LAN only.
Step 4 Use the Type drop-down list to select the type of the wired LAN.
•Guest LAN—Indicates that this wired LAN is a Guest LAN.
Note If you selected the Guest LAN option, you need to select an Ingress interface which has not already been assigned to any Guest LAN.
•Remote LAN—Indicates that this wired LAN is a Remote LAN.
Step 5 Enter a name in the Profile Name text box that identifies the WLAN or the guest LAN. Do not use any spaces in the name entered.
Step 6 Enter the name of the WLAN SSID. An SSID is not required for a guest LAN.
WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in the beacons and probes.
Step 7 Select the Enable check box for the Status field.
Step 8 Use the Radio Policy drop-down list to set the WLAN policy to apply to All (802.11a/b/g/n), 802.11a only, 802.11g only, 802.11b/g only, or 802.11a/g only.
Step 9 Use the Interface/Interface Group drop-down list to choose the available names of interfaces created by the Controller > Interfaces module.
Step 10 From the Egress Interface drop-down list, choose the Egress interface that you created in the "Creating an Egress Interface" section. This provides a path out of the controller for wired guest client traffic.
Step 11 From the Ingress Interface drop-down list, choose the Ingress interface that you created in the "Creating an Ingress Interface" section. This provides a path between the wired guest client and the controller by way of the Layer 2 access switch.
Step 12 Select the Enable check box to enable the multicast VLAN feature.
Step 13 From the Multicast VLAN Interface drop-down list, choose the appropriate interface name. This list is automatically populated when you enable the multicast VLAN feature.
Step 14 Click Broadcast SSID to activate SSID broadcasts for this WLAN.
Step 15 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Step 16 To further configure the WLAN template, choose from the following:
•Click the Security tab to establish which AAA can override the default servers on this WLAN and to establish the security mode for Layer 2 and 3. Continue to the "Security Tab" section.
•Click the QoS tab to establish which quality of service is expected for this WLAN. Continue to the "QoS Tab" section.
•Click the Advanced tab to configure any other details about the WLAN, such as DHCP assignments and management frame protection. Continue to the "Advanced Tab" section.
After choosing Security, you have an additional three tabs: Layer 2, Layer 3, and AAA Servers.
When you click the Layer 2 tab, the Layer 2 tab appears.
Note The tab contains different views depending on what option is chosen in the Layer 2 Security drop-down list.
To configure the Layer 2 tab, follow these steps:
Step 1 Use the Layer 2 Security drop-down list to choose None, 802.1X, Static WEP, Static WEP-802.1X, WPA + WPA2, or CKIP as described in Table 4-5.
Step 2 Select the MAC Filtering check box if you want to filter clients by MAC address.
Note The ability to join a controller without specification within a MAC filter list is only supported on mesh access points.
Note For releases prior to 4.1.82.0, mesh access points do not join the controller unless they are defined in the MAC filter list.
You might want to disable the MAC filter list to allow newly added access points to join the controller. Before enabling the MAC filter list again, you should enter the MAC addresses of the new access points.
Step 3 Choose the desired type of authentication key management. The choices are 802.1X, CCKM, or PSK.
Note If you choose PSK, you must enter the shared key and type (ASCII or hexadecimal).
Note Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.
Step 4 Click Save As New Template.
When you click the Layer 3 tab, the Layer 3 tab appears.
Note The tab contains different views depending on the option you chose from the Layer 3 Security drop-down list.
To configure the Layer 3 tab, follow these steps:
Step 1 Use the Layer 3 security drop-down list to choose between None and VPN Pass Through. The page fields change according to the selection you make. If you choose VPN pass through, you must enter the VPN gateway address.
Note The VPN passthrough option is not available for the 2106 or 5500 series controllers.
Step 2 You can modify the default static WEP (web authentication) or assign specific web authentication (login, logout, login failure) pages and the server source.
a. To change the static WEP to passthrough, select the Web Policy check box and choose the Passthrough option from the drop-down list. This option allows users to access the network without entering a username or password.
An Email Input check box appears. Select this check box if you want users to be prompted for their e-mail address when attempting to connect to the network.
b. Choose the WebAuth on MAC Filter Failure option so that when clients fail on MAC filter, they are automatically switched to webAuth.
Note The WebAuth on Mac Filter Failure option works only when the Layer 2 Mac Filtering option is enabled.
c. To specify custom web authentication pages, unselect the Global WebAuth Configuration Enable check box.
1. When the Web Auth Type drop-down list appears, choose one of the following options to define the web login page for the wireless guest users:
Default Internal—Displays the default web login page for the controller. This is the default value.
Customized Web Auth—Displays custom web login, login failure, and logout pages. When the customized option is selected, three separate drop-down lists for login, login failure, and logout page selection appear. You do not need to define a customized page for all three of the options. Choose None from the appropriate drop-down list if you do not want to display a customized page for that option.
These optional login, login failure, and logout pages are downloaded to the controller as webauth.tar files.
External—Redirects users to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL text box.
Note External web auth is not supported for 2106 and 5500 series controllers.
You can select specific RADIUS or LDAP servers to provide external authentication in the Security > AAA page. To do so, continue with Step 4.
Note The RADIUS and LDAP servers must be already configured to have selectable options in the Security > AAA page. You can configure these servers in the RADIUS Authentication Servers page and TACACS+ Authentication Servers page.
Step 3 If you selected External as the Web Authentication Type in Step 2, choose Security > AAA, and choose up to three RADIUS and LDAP servers using the drop-down lists.
Step 4 Click Save As New Template.
Step 5 Repeat this process if a second (anchor) controller is being used in the network.
When you click the AAA Servers tab, the AAA Servers tab appears.
To configure the AAA Servers tab, follow these steps:
Step 1 Select the Radius Server Overwrite Interface check box to send the client authentication request through the dynamic interface which is set on the WLAN. When you enable the Radius Server Overwrite Interface option, the WLC sources all radius traffic for a WLAN using the dynamic interface configured on that WLAN.
Note You cannot enable Radius Server Overwrite Interface when Diagnostic Channel is enabled.
Note The Radius Server Overwrite Interface option is supported in controller Version 7.0.x and later.
Step 2 Select the Enable check boxes, then use the drop-down lists in the RADIUS and LDAP servers section to choose authentication and accounting servers. This selects the default RADIUS server for the specified WLAN and overrides the RADIUS server that is configured for the network. If all three RADIUS servers are configured for a particular WLAN, server 1 has the highest priority, and so on.
If no LDAP servers are chosen here, Prime Infrastructure uses the default LDAP server order from the database.
Step 3 Select the Interim Update check box if you want to enable interim update for RADIUS Server Accounting. If you have selected this check box, specify the Interim Interval value. The range is 180 to 3600 seconds, and the default value is 0.
Note The Interim Interval can be entered only when Interim Update is enabled.
Step 4 Select the Local EAP Authentication check box if you have an EAP profile already configured that you want to enable. Local EAP is an authentication method that allows users and wireless clients to locally authenticate. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down.
Step 5 When AAA Override is enabled, and a client has conflicting AAA and controller WLAN authentication fields, client authentication is performed by the AAA server. As part of this authentication, the operating system moves clients from the default Cisco WLAN Solution to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system also uses QoS and ACL provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as identity networking.)
For instance, if the corporate WLAN primarily uses a management interface assigned to VLAN 2, and if AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.
When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is only performed by the AAA server if the controller WLANs do not contain any client-specific authentication parameters.
The AAA override values might come from a RADIUS server, for example.
Step 6 Click Save As New Template.
When you click the QoS tab in the WLAN Template page, the QoS tab appears.
To configure the QoS fields, follow these steps:
Step 1 From the QoS drop-down list, choose Platinum (voice), Gold (video), Silver (best effort), or Bronze (background). Services such as VoIP should be set to gold while non-discriminating services such as text messaging can be set to bronze.
Step 2 From the WMM Policy drop-down list, choose Disabled, Allowed (so clients can communicate with the WLAN), or Required to make it mandatory for clients to have WMM enabled for communication.
Step 3 Select the 7920 AP CAC check box if you want to enable support on Cisco 7920 phones.
Step 4 If you want WLAN to support older versions of the software on 7920 phones, select the 7920 Client CAC check box to enable it. The CAC limit is set on the access point for newer versions of software.
Step 5 Click Save As New Template.
When you click the Advanced tab in the WLAN Template page, the Advanced tab appears.
Step 1 Select the FlexConnect local switching check box if you want to enable FlexConnect local switching. For more information on FlexConnect, see the "Configuring FlexConnect" section. If you enable it, the FlexConnect access point handles client authentication and switches client data packets locally.
FlexConnect local switching is only applicable to the Cisco 1130/1240/1250 series access points. It is not supported with L2TP or PPTP authentications, and it is not applicable to WLAN IDs 9-16.
Step 2 Select the FlexConnect Local Auth check box if you want to enable FlexConnect local authentication.
Local authentication is useful where you cannot meet the criteria for a remote office setup: a minimum bandwidth of 128 kbps, a round-trip latency no greater than 100 ms, and a maximum transmission unit (MTU) no smaller than 500 bytes. In local switching, the authentication capabilities are present in the access point itself. Thus local authentication reduces the latency requirements of the branch office.
Note Local authentication can only be enabled on the WLAN of a FlexConnect AP that is in local switching mode.
Local authentication is not supported in the following scenarios:
–Guest Authentication cannot be performed on a FlexConnect local authentication enabled WLAN.
–RRM information is not available at the controller for the FlexConnect local authentication enabled WLAN.
–Local radius is not supported.
–Once the client has been authenticated, roaming is supported after the WLC and the other FlexConnects in the group are updated with the client information.
Step 3 When you enable hybrid-REAP local switching, the Learn Client IP Address check box is enabled by default. However, if the client is configured with Fortress Layer 2 encryption, the controller cannot learn the client IP address, and the controller periodically drops the client. Disable this option so that the controller maintains the client connection without waiting to learn the client IP address. The ability to disable this option is supported only with hybrid-REAP local switching; it is not supported with hybrid-REAP central switching.
Step 4 Choose to enable the diagnostic channel feature or leave it disabled. The diagnostic channel feature allows you to troubleshoot problems regarding client communication with a WLAN. When initiated by a client having difficulties, the diagnostic channel provides the most robust communication methods with the fewest obstacles to communication.
Step 5 Select the Aironet IE check box if you want to enable support for Aironet information elements (IEs) for this WLAN. If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contains the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.
Step 6 Select the IPv6 check box. You can configure IPv6 bridging and IPv4 web auth on the same WLAN.
Step 7 Select the Session Timeout check box to set the maximum time a client session can continue before requiring reauthorization.
Step 8 Choose to enable or disable coverage hole detection (CHD) on this WLAN. By default, CHD is enabled on all WLANs on the controller. If you disable CHD on a WLAN, a coverage hole alert is still sent to the controller, but no other processing is done to mitigate the coverage hole. This feature is useful for guest WLANs where highly mobile guests are connected to your network for short periods of time.
Step 9 The Override Interface drop-down list provides a list of defined access control lists (ACLs). (See the "Configuring a FlexConnect Access Control List" section for steps on defining ACLs.) When you choose an ACL from the list, it is associated with the WLAN. Selecting an ACL is optional, and the default for this field is None.
Step 10 You can configure peer-to-peer blocking per WLAN rather than applying the status to all WLANs. From the Peer to Peer Blocking drop-down list, choose one of the following:
•Disable—Peer-to-peer blocking is disabled, and traffic is bridged locally whenever possible.
•Drop—The packet is discarded.
•Forward Up Stream—The packet is forwarded on the upstream VLAN, and the decision is made about what to do with the packet.
Note For locally switched clients, Forward Up Stream behaves the same as Drop on controller version 7.2.x and later.
If FlexConnect local switching is enabled for the WLAN, which prevents traffic from passing through the controller, this drop-down list is dimmed.
Note Peer-to-peer blocking does not apply to multicast traffic.
Step 11 From the Wi-Fi Direct Clients Policy drop-down list, choose one of the following options:
–Disabled—Disables the Wi-Fi Direct Clients Policy for the WLAN and deauthenticates all Wi-Fi Direct capable clients. The default is Disabled.
–Allow—Allows the Wi-Fi Direct clients to associate with an infrastructure WLAN.
–Not-Allow—Disallows the Wi-Fi Direct clients from associating with an infrastructure WLAN.
Note Wi-Fi Direct Client Policy is applicable to WLANs that have APs in local mode only.
Note The Wi-Fi Direct Clients Policy is applicable to controller version 7.2.x and later.
Step 12 Select the check box if you want to enable automatic client exclusion.
Step 13 If you enable client exclusion, you must also set the Timeout Value in seconds for disabled client machines. Client machines are excluded by MAC address, and their status can be observed. A timeout setting of 0 indicates that administrative control is required to reenable the client.
Note When the session timeout is not set, an excluded client remains in the excluded state and does not time out of it. This does not mean that the exclusion feature is disabled.
Step 14 Enter the maximum number of clients to be associated in a WLAN in the Maximum Clients text box. The valid range is from 0 to 7000. The default value is 0.
Note A value of 0 allows an unlimited number of clients to be associated with a WLAN.
Step 15 Enable dynamic anchoring of static IP clients by selecting the Static IP Tunneling check box.
Step 16 Select the Media Session Snooping check box. This feature enables access points to detect the establishment, termination, and failure of voice calls and then report them to the controller and Prime Infrastructure. It can be enabled or disabled per WLAN.
When media session snooping is enabled, the access point radios that advertise this WLAN snoop for Session Initiation Protocol (SIP) voice packets. Any packets destined to or originating from port number 5060 are considered for further inspection. The access point tracks whether Wi-Fi Multimedia (WMM) and non-WMM clients are establishing a call, are already on an active call, or are in the process of ending a call, and then notifies the controller of any major call events.
Step 17 Select the KTS based CAC check box to enable KTS based CAC support per WLAN.
The WLC supports TSPEC-based CAC and SIP-based CAC, but certain phones use a different CAC protocol based on the Key Telephone System (KTS). To support CAC for KTS-based SIP clients, the WLC must understand and process the bandwidth request message from those clients so that it can allocate the required bandwidth on the AP radio, in addition to handling and sending the other messages that are part of this protocol.
Note The KTS CAC configuration is only supported by Cisco 5508, 7500, WISM2, and 2500 controllers that run controller software Release 7.2.x. This feature is not supported by Cisco 4400 series controllers.
Step 18 NAC State—From the NAC State drop-down list, choose SNMP NAC or Radius NAC. SIP errors that are discovered generate traps that appear on the client troubleshooting and alarms screens. The controller can integrate with the NAC appliance in out-of-band mode, where the NAC appliance remains in the data path only until clients have been analyzed and cleaned. Out-of-band mode reduces the traffic load on the NAC appliance and enables centralized NAC processing. See the "NAC Integration" section for more information.
Step 19 Off-Channel Scanning Defer is essential to the operation of RRM, which gathers information about alternate channel choices such as noise and interference. Additionally, Off-Channel Scanning Defer is responsible for rogue detection. Devices that need to defer off-channel scanning should use the same WLAN as often as possible. If there are many of these devices (and the possibility exists that off-channel scanning could be completely disabled by the use of this feature), you should implement an alternative to off-channel scanning on the local APs, such as monitor-mode access points, or other access points in the same location that do not have this WLAN assigned.
Assignment of a QoS policy (bronze, silver, gold, and platinum) to a WLAN affects how packets are marked on the downlink connection from the access point regardless of how they were received on the uplink from the client. UP=1,2 is the lowest priority, and UP=0,3 is the next higher priority. The marking results of each QoS policy are as follows:
•Bronze marks all downlink traffic to UP= 1.
•Silver marks all downlink traffic to UP= 0.
•Gold marks all downlink traffic to UP=4.
•Platinum marks all downlink traffic to UP=6.
Set the Scan Defer Priority by clicking the priority value, and set the time in milliseconds in the Scan Defer Interval text box. Valid values are 0 through 60000. The default value is 100 milliseconds.
Step 20 In 802.11a/n and 802.11b/g/n networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data.
Normally, the DTIM value is set to 1 (transmit broadcast and multicast frames after every beacon) or 2 (transmit after every other beacon). For instance, if the beacon period of the 802.11a/n or 802.11b/g/n network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times per second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times per second. Either of these settings might be suitable for applications, including VoIP, that expect frequent broadcast and multicast frames.
However, the DTIM value can be set as high as 255 (transmit broadcast and multicast frames after every 255th beacon) if all 802.11a/n or 802.11b/g/n clients have power save enabled. Because the clients have to listen only when the DTIM period is reached, they can be set to listen for broadcasts and multicasts less frequently, resulting in longer battery life. For instance, if the beacon period is 100 ms and the DTIM value is set to 100, the access point transmits buffered broadcast and multicast frames once every 10 seconds, allowing the power-saving clients to sleep longer before they have to wake up and listen for broadcasts and multicasts, resulting in longer battery life.
Many applications cannot tolerate a long time between broadcast and multicast messages, resulting in poor protocol and application performance. We recommend a low DTIM value for 802.11a/n and 802.11b/g/n networks that support such clients.
Under DTIM Period, enter a value between 1 and 255 (inclusive) in the 802.11a/n and 802.11b/g/n fields. The default value is 1 (transmit broadcast and multicast frames after every beacon).
Step 21 When you select the check box to override DHCP server, another field appears where you can enter the IP address of your DHCP server. For some WLAN configurations, this is required. Three valid configurations are as follows:
•DHCP Required and a valid DHCP server IP address - All WLAN clients obtain an IP address from the DHCP server.
•DHCP is not required and a valid DHCP server IP address - All WLAN clients obtain an IP address from the DHCP server or use a static IP address.
•DHCP not required and DHCP server IP address 0.0.0.0 - All WLAN clients are forced to use a static IP address. All DHCP requests are dropped.
You cannot choose to require a DHCP address assignment and then enter a DHCP server IP address.
Step 22 Selecting the MFP Signature Generation check box enables signature generation for the 802.11 management frames transmitted by an access point associated with this WLAN. Signature generation ensures that changes made to the transmitted management frames by an intruder are detected and reported.
Step 23 From the MFP Client Protection drop-down list, choose Enabled, Disabled, or Required for configuration of individual WLANs of a controller. If infrastructure MFP is not enabled, this drop-down list is unavailable.
Note The Enabled parameter is the same as the Optional parameter that you choose from the MFP Client Protection drop-down list in the WLC graphical user interface.
Note Client-side MFP is only available for those WLANs configured to support Cisco Compatible Extensions (version 5 or later) clients, and WPA2 must first be configured.
Step 24 Enter a value between 1 and 255 beacon intervals in the 802.11a/n DTIM Period group box of the page. The controller sends a DTIM packet on the 802.11a/n radio for this WLAN based on what is entered as an interval.
Step 25 Enter a value between 1 and 255 beacon intervals in the 802.11b/g/n DTIM Period group box of the page. The controller sends a DTIM packet on the 802.11b/g/n radio for this WLAN based on what is entered as an interval.
Note The DTIM configuration is not appropriate for guest LANs.
Step 26 Select the Client Profiling check box to enable or disable profiling of all the clients that are associated with the WLAN.
Note Client Profiling is not supported with FlexConnect local authentication.
Note Client Profiling is configurable only when you select the DHCP Address Assignment check box.
Step 27 From the PMIP Mobility Type drop-down list, choose the mobility type from the following options:
•None—Configures the WLAN with Simple IP.
•Mixed—Configures the WLAN with Simple IP and PMIPv6.
•PMIPv6—Configures the WLAN with only PMIPv6.
Step 28 Click Save As New Template.
Mobile Concierge is a solution that enables 802.1X capable clients to interwork with external networks. The Mobile Concierge feature provides service availability information to clients and can help them associate with available networks.
The services offered by the network can be broadly classified into two protocols:
•802.11u MSAP
•802.11u HotSpot 2.0
The following guidelines and limitations apply to Mobile Concierge:
•Mobile Concierge is not supported on FlexConnect Access Points.
•802.11u configuration upload is not supported. If you perform a configuration upgrade and upload a configuration on the controller, the HotSpot configuration on the WLANs is lost.
To configure Mobile Concierge (802.11u) Groups, follow these steps:
Step 1 Choose Design > Configuration Templates> Features and Technologies > Controller > WLANs > WLAN Configuration.
Step 2 Click the Hot Spot tab.
Step 3 On the General tab, configure the following fields:
•Select the 802.11u Status check box to enable 802.11u on the WLAN.
•Select the Internet Access check box to enable this WLAN to provide Internet services.
•From the Network Type drop-down list, choose the network type that best describes the 802.11u network you want to configure on this WLAN. The following options are available:
–Private Network
–Private Network with Guest Access
–Chargeable Public Network
–Free Public Network
–Emergency Services Only Network
–Personal Device Network
–Test or Experimental
–Wildcard
•Choose the authentication type that you want to configure for the 802.11u parameters on this network:
–Not configured
–Acceptance of Terms and Conditions
–Online Enrollment
–HTTP/HTTPS Redirection
•In the HESSID field, enter the Homogeneous Extended Service Set Identifier value. The HESSID is a 6-octet MAC address that identifies the homogeneous ESS.
Step 4 On the Others tab, configure the following fields:
•In the OUI List group box, enter the following details:
–OUI name
–Is Beacon
–OUI Index
Click Add to add the OUI (Organizationally Unique Identifier) entry to this WLAN.
•In the Domain List group box, enter the following details:
–Domain Name—The domain name operating in the 802.11 access network.
–Domain Index—Select the domain index from the drop-down list.
Click Add to add the domain entry to this WLAN.
Step 5 On the Realm tab, configure the following fields:
•In the OUI List section, enter the following details:
–Realm Name—The realm name.
–Realm Index—The realm index.
Click Add to add the domain entry to this WLAN.
Step 6 On the Service Advertisement tab, configure the following fields:
•Click the MSAP Enable check box to enable service advertisements.
•If you enabled MSAP in the previous step, you must provide a server index. Enter the server index for this WLAN. The server index field uniquely identifies an MSAP server instance serving a venue that is reachable through the BSSID.
Note MSAP (Mobility Services Advertisement Protocol) is designed to be used primarily by mobile devices that are configured with a set of policies for establishing network services. These services are available for devices that offer higher-layer services, or network services that are enabled through service providers. Service advertisements use MSAP to provide services to mobile devices prior to association to a Wi-Fi access network. This information is conveyed in a service advertisement. A single-mode or dual-mode mobile device queries the network for service advertisements before association. The device's network discovery and the selection function may use the service advertisements in its decision to join the network.
Step 7 On the HotSpot 2.0 tab, configure the following fields:
•Choose the Enable option from the HotSpot2 Enable drop-down list.
•In the WAN Metrics group box, specify the following:
–WAN Link Status—The link status. The valid range is 1 to 3.
–WAN SIM Link Status—The symmetric link status. For example, you can configure the uplink and downlink to have different speeds or same speeds.
–Down Link Speed—The downlink speed. The maximum value is 4,194,304 kbps.
–Up Link Speed—The uplink speed. The maximum value is 4,194,304 kbps.
•In the Operator Name List group box, specify the following:
–Operator Name—Specify the name of the 802.11 operator.
–Operator Index—Select an operator index. The range is from 1 to 32.
–Language Code—An ISO-14962-1997 encoded string defining the language. This string is a three character language code.
Click Add to add the operator details. The operator details are displayed in a tabular form.
•In the Port Config List, specify the following:
–IP Protocol—The IP protocol that you want to enable. The options are ESP, FTP, ICMP, and IKEV2.
–Port No—The port number that is enabled on this WLAN.
–Status—The status of the port.
Step 8 Click Save As New Template.
Site-specific VLANs or AP groups limit the broadcast domains to a minimum by segmenting a WLAN into different broadcast domains. Benefits include more effective management of load balancing and bandwidth allocation.
To configure WLAN AP Groups, follow these steps:
Step 1 Choose Design > Configuration Templates> Features and Technologies > Controller > WLANs > AP Group VLANs.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type, and enter the OS version.
This page displays a summary of the AP groups configured on your network. In this page, you can add, remove, edit, or view details of an AP group. Click in the Edit column to edit its access point(s). Select the check box in the WLAN Profile Name column, and click Remove to delete WLAN profiles.
Note You can enter a maximum of 256 characters in the Description text box.
You can create or modify a template for dividing the WLAN profiles into AP groups.
To add a new access point group, follow these steps:
Step 1 Choose Design > Configuration Templates> Features and Technologies > Controller > WLANs > AP Group VLANs.
Step 2 If you want to add a WLAN profile, click the WLAN Profiles tab and configure the following fields:
a. Click Add.
Note To display all available WLAN profile names, delete the current WLAN profile name from the text box. When the current WLAN profile name is deleted from the text box, all available WLAN profiles appear in the drop-down list.
Note Each access point is limited to 16 WLAN profiles. Each access point broadcasts all WLAN profiles unless the WLAN override feature is enabled. The WLAN override feature allows you to disable any of the 16 WLAN profiles per access point.
Note The WLAN override feature applies only to older controllers that do not support the 512 WLAN feature (can support up to 512 WLAN profiles).
b. Type a WLAN profile name or choose one from the WLAN Profile Name drop-down list.
c. Enter an interface/interface group or choose one from the Interface/Interface Group drop-down list.
Note To display all available interfaces, delete the current interface from the Interface text box. When the current interface is deleted from the Interface text box, all available interfaces appear in the drop-down list.
d. Select the NAC Override check box, if applicable. The NAC override feature is disabled by default.
e. When access points and WLAN profiles are added, click Save.
Step 3 If you want to add an RF profile, click the RF Profiles tab, and configure the following fields:
•802.11a—Drop-down list from which you can choose an RF profile for APs with 802.11a radios.
•802.11b—Drop-down list from which you can choose an RF profile for APs with 802.11b radios.
•When RF profiles are added, click Save.
This section contains the following topics:
•Configuring FlexConnect AP Groups Templates
•Configuring FlexConnect Users
FlexConnect enables you to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. There is no deployment restriction on the number of FlexConnect access points per location, but you can organize and group the access points per floor and limit them to 25 or so per building, because it is likely the branch offices share the same configuration.
To set up a FlexConnect AP group, follow these steps:
Step 1 Choose Design > Configuration Templates> Features and Technologies > Controller > FlexConnect > FlexConnect AP Groups.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type, and enter the OS version.
Step 4 Choose the primary RADIUS authentication servers for each group. If a RADIUS authentication server is not present on the controller, the RADIUS server configured in Prime Infrastructure does not apply. A value of 10 indicates that the primary RADIUS server is not configured for this group.
Step 5 Choose the secondary RADIUS authentication servers for each group. If a RADIUS authentication server is not present on the controller, the RADIUS server configured in Prime Infrastructure does not apply. A value of 0 indicates that the primary RADIUS server is not configured for this group.
Step 6 If you want to add an access point to the group, click the FlexConnect AP tab.
Step 7 An access point Ethernet MAC address cannot exist in more than one FlexConnect group on the same controller. If more than one group is applied to the same controller, select the Ethernet MAC check box to unselect an access point from one of the groups. You should save this change or apply it to controllers.
Step 8 Click Add AP. The FlexConnect AP Group page appears.
Step 9 Click the FlexConnect Configuration tab to enable local authentication for a FlexConnect group.
Note Make sure that the Primary RADIUS Server and Secondary RADIUS Server fields are set to None on the General tab.
Step 10 Select the FlexConnect Local Authentication check box to enable local authentication for this FlexConnect group. The default value is unselected.
Note When you attempt to use this feature, a warning message indicates that it is a licensed feature.
Note You can click the Users configured in the group link that appears at the bottom of the page to view the list of FlexConnect users. You can create FlexConnect users only after you save the FlexConnect AP Group.
Step 11 To allow a FlexConnect access point to authenticate clients using LEAP, select the LEAP check box. Otherwise, to allow a FlexConnect access point to authenticate clients using EAP-FAST, select the EAP-FAST check box.
Step 12 Perform one of the following, depending on how you want Protected Access Credentials (PACs) to be provisioned:
•To use manual PAC provisioning, enter the key used to encrypt and decrypt PACs in the EAP-FAST Key and Confirm EAP-FAST Key text boxes. The key must be 32 hexadecimal characters.
•To allow PACs to be sent automatically to clients that do not have one during PAC provisioning, select the Auto key generation check box.
Step 13 In the EAP-FAST Key text box, enter the authority identifier of the EAP-FAST server. The identifier must be 32 hexadecimal characters.
Step 14 In the EAP-FAST Authority ID text box, enter the authority identifier of the EAP-FAST server in text format. You can enter up to 32 hexadecimal characters.
Step 15 In the EAP-FAST Authority Info text box, enter the authority information of the EAP-FAST server.
Step 16 In the EAP-FAST Pac Timeout text box, enter the number of seconds for which the PAC remains valid. The valid range is 2 to 4095 seconds.
Note The EAP-FAST options are available only if you select the EAP-FAST check box in Step 11.
Step 17 Click the Image Upgrade tab and configure the following:
•FlexConnect AP Upgrade—Select the check box if you want to upgrade the FlexConnect access points.
•Slave Maximum Retry Count—Enter the maximum number of times the slave retries starting the download from the master in the FlexConnect group. This option is available only if you select the FlexConnect AP Upgrade check box.
Note You are allowed to add an access point as a master access point only if FlexConnect AP Upgrade check box is enabled on the General tab.
Step 18 Click the VLAN-ACL Mapping tab to view, add, edit, or remove a VLAN ACL mapping.
a. Click Add.
b. Enter a VLAN ID. The valid VLAN ID range is 1 to 4094.
c. From the Ingress ACL drop-down list, choose an Ingress ACL.
d. From the Egress ACL drop-down list, choose an Egress ACL.
e. Click Save.
Step 19 Click the WLAN-ACL Mapping tab to view, add, edit, or remove a WLAN ACL mapping.
a. Click Add.
b. From the WLAN Profile Name drop-down list, choose a WLAN profile.
c. From the WebAuth ACL drop-down list, choose a WebAuth ACL.
d. Click Save.
Note You can add up to a maximum of 16 WebAuth ACLs.
Step 20 Click the WebPolicy ACL tab to view, add, edit, or remove a WebPolicy ACL mapping.
a. Click Add.
b. From the Web-Policy ACL drop-down list, choose a WebPolicy ACL.
c. Click Save.
Note You can add up to a maximum of 16 Web-Policy ACLs.
Step 21 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Note You can create FlexConnect users only after you save the FlexConnect AP Group.
Note A maximum of 100 FlexConnect users is supported in controller version 5.2.x.x and later. Controller version 5.2.0.0 and earlier supports only 20 FlexConnect users.
To configure a FlexConnect user, follow these steps:
Step 1 Choose Design > Configuration Templates> Features and Technologies > Controller > FlexConnect > FlexConnect AP Groups.
Step 2 Click the FlexConnect Configuration tab to enable local authentication for a FlexConnect group.
Step 3 Select the FlexConnect Local Authentication check box to enable local authentication for this FlexConnect group.
Step 4 Click the Users configured in the group link. The FlexConnect Users page appears.
Step 5 If you want to add a new user, choose Add User from the Select a command drop-down list, and click Go. The Add User page appears.
Step 6 In the User Name text box, enter the FlexConnect username.
Step 7 In the Password text box, enter the password.
Step 8 Reenter the password in the Confirm Password text box.
Step 9 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This section contains the following topics:
•Configuring a General Security Controller Template
•Configuring a Security Password Policy Template
•Configuring a RADIUS Authentication Template
•Configuring a RADIUS Accounting Template
•Configuring a RADIUS Fallback Template
•Configuring an LDAP Server Template
•Configuring a TACACS+ Server Template
•Configuring a Local EAP General Template
•Configuring a Local EAP Profile Template
•Configuring an EAP-FAST Template
•Configuring a Network User Priority Template
•Configuring a User Login Policies Template
•Configuring an Access Control List Template
•Configuring a Manually Disabled Client Template
To add a new template with general security information for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates> Features and Technologies > Controller > Security > AAA > General.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type, and enter the OS version.
Step 4 Add or modify the following fields:
•Template Name
Note Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
•Maximum Local Database Entries (on next reboot)—Enter the maximum number of allowed database entries. This amount becomes effective on the next reboot.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This page allows you to add a RADIUS authentication template or make modifications to an existing template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.
To configure a RADIUS Authentication template, follow these steps:
Step 1 Choose Design > Configuration Templates> Features and Technologies > Controller > Security > RADIUS Auth Servers.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type, and enter the OS version.
Step 4 From the Shared Secret Format drop-down list, choose either ASCII or hex.
Note Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.
Step 5 Enter the RADIUS shared secret used by your specified server.
Step 6 Select the check box if you want to enable key wrap. If this check box is enabled, the authentication request is sent to RADIUS servers that have the following key encryption key (KEK) and message authenticator code key (MACK) configured. When enabled, the following fields appear:
•Shared Secret Format: Enter ASCII or hexadecimal.
Note Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in the event a discovered template is applied to another device.
•KEK Shared Secret: Enter the KEK shared secret.
•MACK Shared Secret: Enter the MACK shared secret.
Note Each time the controller is notified with the shared secret, the existing shared secret is overwritten with the new shared secret.
Step 7 Select the check box if you want to enable administration privileges.
Step 8 Select the check box if you want to enable support for RFC 3576. RFC 3576 is an extension to the Remote Authentication Dial In User Service (RADIUS) protocol. It allows dynamic changes to a user session and includes support for disconnecting users and changing authorizations applicable to a user session. With these authorizations, support is provided for Disconnect and Change-of-Authorization (CoA) messages. Disconnect messages immediately terminate a user session, whereas CoA messages modify session authorization attributes such as data filters.
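Because a Disconnect or CoA message can tear down or re-authorize a live session, the controller must only act on requests that prove knowledge of the RADIUS shared secret from Step 5. The following is an added Python example, not code from Prime Infrastructure or the controller, that builds an RFC 3576 Disconnect-Request the way a RADIUS server would and verifies it the way the receiving controller must: the Request Authenticator is MD5 over the packet header, 16 zero octets, the attributes and the shared secret, so a request built with the wrong secret or altered in transit is rejected. The packet codes and attribute types are those defined in RFC 2865/2866 and RFC 3576; the shared secret, user name, client MAC and session id are constructed sample values.

```python
import hashlib
import hmac
import struct

# Packet codes defined by RFC 3576 (now RFC 5176) for dynamic authorization.
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
COA_REQUEST = 43
COA_ACK = 44
COA_NAK = 45

# RADIUS attribute types (RFC 2865/2866) used to identify the session.
USER_NAME = 1
CALLING_STATION_ID = 31
ACCT_SESSION_ID = 44

HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attributes(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_request(code, identifier, attrs, secret):
    """Build a Disconnect-Request or CoA-Request as the RADIUS server would.

    Request Authenticator = MD5(code + id + length + 16 zero octets
                                + attributes + shared secret)
    """
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("not a dynamic authorization request code")
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """Check a received request the way the controller must before acting on it."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    # Constant-time comparison so the check does not leak the secret by timing.
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_response(request, code, secret, attrs=()):
    """Build the ACK/NAK; its authenticator covers the Request Authenticator."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + request[4:HEADER_LEN] + body + secret).digest()
    return header + authenticator + body


def verify_response(request, response, secret):
    """Server-side check that the ACK/NAK came from the holder of the secret."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    expected = hashlib.md5(
        response[:4] + request[4:HEADER_LEN] + response[HEADER_LEN:] + secret
    ).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def disconnect_demo(secret=b"constructed-shared-secret"):
    """Constructed exchange: server sends a Disconnect-Request, controller answers."""
    attrs = [
        (USER_NAME, b"alice"),                        # constructed user
        (CALLING_STATION_ID, b"00-11-22-33-44-55"),   # constructed client MAC
        (ACCT_SESSION_ID, b"0000002A"),               # constructed session id
    ]
    request = build_request(DISCONNECT_REQUEST, 7, attrs, secret)
    accepted = verify_request(request, secret)
    # The same packet checked with another secret, or with one octet of the
    # User-Name flipped, must be rejected rather than tearing down the session.
    tampered = request[:HEADER_LEN + 2] + b"m" + request[HEADER_LEN + 3:]
    response = build_response(request, DISCONNECT_ACK if accepted else DISCONNECT_NAK, secret)
    return {
        "accepted": accepted,
        "rejected_wrong_secret": verify_request(request, b"wrong-secret"),
        "rejected_tampered": verify_request(tampered, secret),
        "ack_verified": verify_response(request, response, secret),
    }
```

The same authenticator rule is what makes the shared-secret handling in Step 5 matter: a mismatch between the secret in the template and the one on the RADIUS server silently turns every Disconnect and CoA message into a rejected packet, which is worth checking after deployment.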
Step 9 Select the check box if you want to enable network user authentication. If this option is enabled, this entry is considered the RADIUS authenticating server for network users.
Step 10 Select the check box if you want to enable management authentication. If this option is enabled, this entry is considered the RADIUS authenticating server for management users.
Step 11 Specify the time in seconds after which the RADIUS authentication request times out and a retransmission is attempted by the controller. You can specify a value between 2 and 30 seconds.
Step 12 If you click to enable the IP security mechanism, additional IP security fields are added to the page, and Steps 13 to 19 are required. If you disable it, click Save and skip Steps 13 to 19.
Step 13 Use the drop-down list to choose which IP security authentication protocol to use. The options are HMAC-SHA1, HMAC-MD5, and None.
Message authentication codes (MACs) are used between two parties that share a secret key to validate information transmitted between them. HMAC (hash-based MAC) is a mechanism based on cryptographic hash functions and can be used in combination with any iterated cryptographic hash function. HMAC-MD5 and HMAC-SHA1 are two instances of HMAC, using the MD5 and SHA-1 hash functions respectively. HMAC uses the shared secret key both to calculate and to verify the message authentication values.
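The HMAC construction just described, as an added Python example that is not the controller's IPsec code: it computes and verifies HMAC-MD5 and HMAC-SHA1 tags with the standard library, truncates them to the 96-bit integrity check value that IPsec actually carries (RFC 2403 and RFC 2404), and checks the implementation against test case 1 of the published RFC 2202 vectors. The key and message used in the demo are constructed sample values.

```python
import hashlib
import hmac

# IPsec carries only the first 96 bits of the HMAC output as the integrity
# check value (HMAC-MD5-96 in RFC 2403, HMAC-SHA-1-96 in RFC 2404).
IPSEC_ICV_LEN = 12

HASHES = {"HMAC-MD5": hashlib.md5, "HMAC-SHA1": hashlib.sha1}


def compute_tag(key, message, algorithm):
    """Full HMAC tag (16 octets for MD5, 20 for SHA-1) over message under key."""
    try:
        digestmod = HASHES[algorithm]
    except KeyError:
        raise ValueError("algorithm must be HMAC-MD5 or HMAC-SHA1") from None
    return hmac.new(key, message, digestmod).digest()


def compute_icv(key, message, algorithm):
    """Truncated tag as it appears in an AH/ESP packet."""
    return compute_tag(key, message, algorithm)[:IPSEC_ICV_LEN]


def verify_icv(key, message, icv, algorithm):
    """Receiver side: recompute and compare in constant time.

    A message altered in transit, or a tag made with another key, fails here;
    the shared key is what ties the tag to the sender.
    """
    expected = compute_icv(key, message, algorithm)
    return len(icv) == IPSEC_ICV_LEN and hmac.compare_digest(expected, icv)


def rfc2202_vectors_pass():
    """Check the implementation against test case 1 of RFC 2202 for both hashes."""
    md5_tag = compute_tag(b"\x0b" * 16, b"Hi There", "HMAC-MD5")
    sha1_tag = compute_tag(b"\x0b" * 20, b"Hi There", "HMAC-SHA1")
    return (md5_tag.hex() == "9294727a3638bb1c13f48ef8158bfc9d"
            and sha1_tag.hex() == "b617318655057264e28bc0b6fb378c8ef146be00")


def demo(algorithm="HMAC-SHA1"):
    """Constructed sample: a shared key and a message standing in for an ESP payload."""
    key = b"constructed-shared-key"                       # constructed, not a real key
    message = b"RADIUS Access-Request id=5 from 10.0.0.5"  # constructed sample payload
    icv = compute_icv(key, message, algorithm)
    return {
        "icv_len": len(icv),
        "genuine_ok": verify_icv(key, message, icv, algorithm),
        "tampered_ok": verify_icv(key, message + b"!", icv, algorithm),
        "wrong_key_ok": verify_icv(b"other-key", message, icv, algorithm),
    }
```

The truncation to 96 bits is part of the IPsec profile, not of HMAC itself, and the receiver must compare in constant time (hmac.compare_digest) rather than with ==, so that a forger cannot learn the tag byte by byte from response timing.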
Step 14 Set the IP security encryption mechanism to use. The options are as follows:
•DES—Data Encryption Standard is a method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
•Triple DES—Data Encryption Standard that applies three keys in succession.
•AES 128 CBC—Advanced Encryption Standard uses keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data path in Cipher Block Chaining (CBC) mode.
•None—No IP security encryption mechanism.
Step 15 The Internet Key Exchange (IKE) authentication is not an editable text box. Internet Key Exchange protocol (IKE) is used as a method of distributing the session keys (encryption and authentication), as well as providing a way for the VPN endpoints to agree on how data should be protected. IKE keeps track of connections by assigning a bundle of security associations (SAs) to each connection.
Step 16 Use the IKE phase 1 drop-down list to choose either aggressive or main. This sets the IKE protocol. IKE phase 1 is used to negotiate how IKE is protected. Aggressive mode passes more information in fewer packets, with the benefit of a slightly faster connection, at the cost of transmitting the identities of the security gateways in the clear.
Step 17 In the Lifetime field, set the timeout interval (in seconds) after which the session expires.
Step 18 Set the IKE Diffie-Hellman group. The options are group 1 (768 bits), group 2 (1024 bits), or group 5 (1536 bits). Diffie-Hellman lets two devices exchange values publicly and still each derive the same symmetric key.
Although all three groups provide security from conventional attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group 1 and Group 2 based keys might occur slightly faster because of their smaller prime number size.
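As an added example, not part of the original documentation and not Cisco code, here is a Diffie-Hellman exchange over the three MODP groups the template offers, using the group primes published in RFC 2409 (groups 1 and 2) and RFC 3526 (group 5). It includes the range check on the peer's public value that any real IKE implementation performs before deriving the secret. Function and variable names are this example's own.

```python
import secrets


def _modp(hex_words):
    return int("".join(hex_words.split()), 16)


# The MODP primes behind the three template choices (RFC 2409 groups 1 and 2,
# RFC 3526 group 5). All three use generator 2.
DH_GROUPS = {
    1: _modp("""
        FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
        020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
        4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"""),
    2: _modp("""
        FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
        020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
        4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
        EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF"""),
    5: _modp("""
        FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
        020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
        4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
        EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
        98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
        9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF"""),
}
GENERATOR = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used here only to sanity-check the group primes."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(group):
    """Private exponent x and public value g^x mod p for the chosen group."""
    p = DH_GROUPS[group]
    x = 2 + secrets.randbelow(p - 3)          # 2 <= x <= p-2
    return x, pow(GENERATOR, x, p)


def compute_shared_secret(group, private, peer_public):
    """Derive the shared secret after rejecting degenerate peer values.
    Accepting 0, 1 or p-1 would let a peer force a predictable secret."""
    p = DH_GROUPS[group]
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def demo_exchange(group):
    """Run one exchange; returns (both sides agree?, prime size in bits)."""
    a, pub_a = generate_keypair(group)
    b, pub_b = generate_keypair(group)
    k_a = compute_shared_secret(group, a, pub_b)
    k_b = compute_shared_secret(group, b, pub_a)
    return k_a == k_b, DH_GROUPS[group].bit_length()
```

Running demo_exchange for groups 1, 2 and 5 shows the cost trade-off the text describes: the modular exponentiations over the 1536-bit prime are noticeably slower than over the 768-bit one, which is the price of the larger key size.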
Step 19 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This page allows you to add a RADIUS accounting template or make modifications to an existing RADIUS accounting template.
To configure a RADIUS Accounting template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > RADIUS Auth Servers.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Use the Shared Secret Format drop-down list to choose either ASCII or hexadecimal.
Note Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.
Step 5 Enter the RADIUS shared secret used by your specified server.
Step 6 Retype the shared secret.
Step 7 Click if you want to establish administrative privileges for the server.
Step 8 Click if you want to enable the network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.
Step 9 Specify the time in seconds after which the RADIUS authentication request times out and a retransmission by the controller occurs. You can specify a value between 2 and 30 seconds.
Step 10 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This page allows you to add a RADIUS fallback template or make modifications to an existing RADIUS fallback template.
To configure a RADIUS Fallback template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > RADIUS Auth Servers.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 From the RADIUS Fallback Mode drop-down list, choose Off, Passive, or Active.
•Off—Disables fallback.
•Passive—You must enter a time interval.
•Active—You must enter a username and time interval.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This section explains how to configure a Lightweight Directory Access Protocol (LDAP) server as a backend database, similar to a RADIUS or local user database. An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user. For example, local EAP might use an LDAP server as its backend database to retrieve user credentials.
To add an LDAP server template or make modifications to an existing LDAP server template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > RADIUS Auth Servers.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Enter the port number of the controller to which the access point is connected.
Step 5 From the Bind Type drop-down list, choose Authenticated or Anonymous. If you choose Authenticated, you must enter a bind username and password as well. A bind is a socket opening that performs a lookup. Anonymous bind requests are rejected.
Step 6 In the Server User Base DN text box, enter the distinguished name of the subtree in the LDAP server that contains a list of all the users.
Step 7 In the Server User Attribute text box, enter the attribute that contains the username in the LDAP server.
Step 8 In the Server User Type text box, enter the ObjectType attribute that identifies the user.
Step 9 In the Retransmit Timeout text box, enter the number of seconds between retransmissions. The valid range is 2 to 30 seconds, and the default value is 2 seconds.
Step 10 Select the Admin Status check box if you want the LDAP server to have administrative privileges.
Step 11 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This page allows you to add a TACACS+ server or make modifications to an existing TACACS+ server template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.
To configure a TACACS+ Server template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > RADIUS Auth Servers.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Select one or more server types by selecting their respective check boxes. The following server types are available:
•authentication—Server for user authentication/authorization.
•authorization—Server for user authorization only.
•accounting—Server for RADIUS user accounting.
Step 5 Enter the IP address of the server.
Step 6 Enter the port number of the server. The default is 49.
Step 7 From the drop-down list, choose either ASCII or hex.
Note Regardless of which format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. Set the key format again in the template in the event a discovered template is applied to another device.
Step 8 Enter the TACACS+ shared secret used by your specified server in the Shared Secret text box.
Step 9 Reenter the shared secret in the Confirm Shared Secret text box.
Step 10 Select the Admin Status check box if you want the TACACS+ server to have administrative privileges.
Step 11 In the Retransmit Timeout text box, enter the time, in seconds, after which the TACACS+ authentication request times out and a retransmission is attempted by the controller.
Step 12 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This page allows you to specify a timeout value for local EAP. You can then add or make changes to an existing local EAP general template.
Note If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Local EAP > General - Local EAP.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 In the Local Auth Active Timeout text box, enter the amount of time (in seconds) that the controller attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fail. The valid range is 1 to 3600 seconds, and the default setting is 1000 seconds.
Step 5 The following values should be adjusted if you are using EAP-FAST, manual password entry, one-time password, or 7920/7921 phones. You must increase the 802.1x timeout values on the controller (default=2 seconds) for the client to obtain the PAC using automatic provisioning. The recommended and default timeout on the Cisco ACS server is 20 seconds.
Note Roaming fails if these values are not set the same across multiple controllers.
•Local EAP Identity Request Timeout = 1
•Local EAP Identity Request Maximum Retries = 20
•Local EAP Dynamic WEP Key Index = 0
•Local EAP Request Timeout = 20
•Local EAP Request Maximum Retries = 2
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This page allows you to add a local EAP profile template or make modifications to an existing template. Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, thereby removing dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users.
Note The LDAP backend database supports only these local EAP methods: EAP-TLS and EAP-FAST with certificates. LEAP and EAP-FAST with PACs are not supported for use with the LDAP backend database.
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Local EAP > Local EAP Profiles.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Each EAP profile must be associated with an authentication type(s). Choose the desired authentication type:
•LEAP—This authentication type leverages Cisco Key Integrity Protocol (CKIP) and MMH message integrity check (MIC) for data protection. A username and password are used to perform mutual authentication with the RADIUS server through the access point.
•EAP-FAST—This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1X EAP mutual authentication. A username, password, and PAC (protected access credential) are used to perform mutual authentication with the RADIUS server through the access point.
•TLS—This authentication type uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. It requires a client certificate for authentication.
•PEAP—This authentication type is based on EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data.
Step 5 Use the Certificate Issuer drop-down list to determine whether Cisco or another vendor issued the certificate for authentication. Only EAP-FAST and TLS require a certificate.
Step 6 If you want the incoming certificate from the client to be validated against the certificate authority (CA) certificates on the controller, select the Check Against CA Certificates check box.
Step 7 If you want the common name (CN) in the incoming certificate to be validated against the common name of the CA certificate, select the Verify Certificate CN Identity check box.
Step 8 If you want the controller to verify that the incoming device certificate is still valid and has not expired, select the Check Against Date Validity check box.
Step 9 If a local certificate is required, select the check box.
Step 10 If a client certificate is required, select the check box.
Step 11 Click Save As New Template.
Step 12 To enable local EAP, follow these steps:
a. Choose WLAN > WLAN Configuration from the left sidebar menu.
b. Click the profile name of the desired WLAN.
c. Choose the Security > AAA Servers tab to access the AAA Servers page.
d. Select the Local EAP Authentication check box to enable local EAP for this WLAN.
Step 13 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1X EAP mutual authentication. A username, password, and PAC are used to perform mutual authentication with the RADIUS server through the access point. This page allows you to add an EAP-FAST template or make modifications to an existing EAP-FAST template.
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Local EAP > EAP-FAST Parameters.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 In the Time to Live for the PAC text box, enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.
Step 5 In the Authority ID text box, enter the authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters, but you must enter an even number of characters.
Step 6 In the Authority Info text box, enter the authority identifier of the local EAP-FAST server in text format.
Step 7 In the Server Key and Confirm Server Key text boxes, enter the key (in hexadecimal characters) used to encrypt and decrypt PACs.
Step 8 If you want to enable anonymous provisioning, select the Anonymous Provision check box. This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If you disable this feature, PACs must be manually provisioned.
Step 9 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
You can specify the order that LDAP and local databases use to retrieve user credential information. This page allows you to add or make modifications to an existing network user credential retrieval priority template.
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Local EAP > Network Users Priority.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Use the left and right pointing arrows to include or exclude network user credentials in the right pane.
Step 5 Use the up and down buttons to determine the order credentials are tried.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This section contains the following topics:
•Configuring a Rogue Policies Template
•Configuring a Rogue AP Rules Template
•Configuring a Rogue AP Rule Groups Template
•Configuring a Friendly Access Point Template
This page enables you to configure the rogue policy (for access points and clients) applied to the controller.
To add or modify an existing template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Wireless Protection Policies > Rogue Policies.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Determine whether or not the Rogue Location Discovery Protocol (RLDP) is connected to the enterprise wired network. Choose one of the following from the drop-down list:
•Disable—Disables RLDP on all access points.
•All APs—Enables RLDP on all access points.
•Monitor Mode APs—Enables RLDP only on access points in monitor mode.
Note With RLDP, the controller instructs a managed access point to associate with the rogue access point and sends a special packet to the controller. If the controller receives the packet, the rogue access point is connected to the enterprise network. This method works for rogue access points that do not have encryption enabled.
Step 5 Set the expiration timeout (in seconds) for rogue access point entries.
Step 6 In the Rogue Detection Report Interval text box, enter the time interval in seconds at which the APs should send the rogue detection report to the controller. A valid range is 10 seconds to 300 seconds, and the default value is 10 seconds. This feature is applicable to APs that are in monitor mode only.
Step 7 In the Rogue Detection Minimum RSSI text box, enter the minimum RSSI value that a rogue should have for the APs to detect and for the rogue entry to be created in the controller. A valid range is -70 dBm to -128 dBm, and the default value is -128 dBm. This feature is applicable to all the AP modes.
Note There can be many rogues with very weak RSSI values that do not provide any valuable information in the rogue analysis. Therefore, you can use this option to filter the rogues by specifying the minimum RSSI value at which the APs should detect rogues.
Step 8 In the Rogue Detection Transient Interval text box, enter the time interval for which a rogue must be consistently scanned by the AP after it is first seen. By entering the transient interval, you control how long the AP keeps scanning for a rogue before reporting it, so the APs can filter out rogues that do not persist for that interval. The valid range is 120 to 1800 seconds, and the default value is 0. This feature is applicable to APs that are in monitor mode only.
Step 9 Select the Validate rogue clients against AAA check box to enable the AAA validation of rogue clients.
Step 10 Select the Detect and report Adhoc networks check box to enable detection and reporting of rogue clients participating in ad hoc networking.
Step 11 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Rogue access point rules allow you to define rules to automatically classify rogue access points. Prime Infrastructure applies the rogue access point classification rules to the controllers. These rules can limit the appearance of a rogue on maps based on RSSI level (weaker rogue access points are ignored) and time limit (a rogue access point is not flagged unless it is seen for the indicated period of time).
Note Rogue access point rules also help reduce false alarms.
Note Rogue classes include the following types:
Malicious Rogue—A detected access point that matches the user-defined malicious rules or has been manually moved from the Friendly AP category.
Friendly Rogue—Known, acknowledged, or trusted access point or a detected access point that matches user-defined friendly rules.
Unclassified Rogue—A detected access point that does not match the malicious or friendly rules.
To add or create a new classification rule template for rogue access points, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Wireless Protection Policies > Rogue AP Rules.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 In the General group box, configure the following fields:
•Rule Name—Enter a name for the rule in the text box.
•Rule Type—Choose Malicious or Friendly from the drop-down list. A rogue is considered malicious if a detected access point matches the user-defined malicious rules or has been manually moved from the Friendly AP category. A rogue is considered friendly if it is a known, acknowledged, or trusted access point or a detected access point that matches the user-defined Friendly rules.
•Match Type—Choose Match All Conditions or Match Any Condition from the drop-down list.
Step 5 In the Malicious Rogue Classification Rule group box of the page, configure the following fields.
•Open Authentication—Select the check box to enable open authentication.
•Match Managed AP SSID—Select the check box to enable the matching of a Managed AP SSID.
Note Managed SSIDs are the SSIDs configured for the WLAN and known to the system.
•Match User Configured SSID—Select the check box to enable the matching of User Configured SSIDs.
Note User Configured SSIDs are the SSIDs that are manually added. Enter the User Configured SSIDs (one per line) in the Match User Configured SSID text box.
•Minimum RSSI—Select the check box to enable the Minimum RSSI threshold limit.
Note Enter the minimum RSSI threshold level (dB) in the text box. The detected access point is classified as malicious if it is detected above the indicated RSSI threshold.
•Time Duration—Select the check box to enable the Time Duration limit.
Note Enter the time duration limit (in seconds) in the text box. The detected access point is classified as malicious if it is viewed for a longer period of time than the indicated time limit.
•Minimum Number Rogue Clients—Select the check box to enable the Minimum Number Rogue Clients limit. Enter the minimum number of rogue clients allowed. The detected access point is classified as malicious if the number of clients associated to the detected access point is greater than or equal to the indicated value.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
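The classification logic described in Steps 4 and 5 (rule type, Match All versus Match Any, and the six conditions with their thresholds) is easy to get wrong when reading rules off a screen, so here is an added example that evaluates it over constructed rogue reports. This is illustrative Python, not Cisco or Prime Infrastructure code; the class and field names are this example's own, and the condition semantics follow the Notes above (above the RSSI threshold, longer than the time limit, at least the client count). Rules are walked in the priority order a rule group defines, and the first match wins.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass
class RogueAP:
    """What managed APs report about one detected rogue (constructed sample data)."""
    mac: str
    ssid: str
    open_auth: bool          # rogue BSS has no authentication/encryption
    rssi_dbm: int            # strongest RSSI at which a managed AP heard it
    seen_seconds: int        # how long it has been continuously seen
    client_count: int        # clients associated to the rogue


@dataclass
class RogueRule:
    """One rule as configured in the Rogue AP Rules template. A condition is
    enabled when its field is set; unset fields are ignored."""
    name: str
    rule_type: str                      # "Malicious" or "Friendly"
    match_all: bool                     # Match All Conditions vs Match Any Condition
    open_authentication: bool = False
    match_managed_ap_ssid: bool = False
    user_configured_ssids: FrozenSet[str] = field(default_factory=frozenset)
    minimum_rssi_dbm: Optional[int] = None
    time_duration_s: Optional[int] = None
    minimum_rogue_clients: Optional[int] = None


def evaluate_conditions(rule: RogueRule, rogue: RogueAP, managed_ssids: Set[str]) -> List[bool]:
    """Evaluate every enabled condition of the rule against one rogue."""
    results = []
    if rule.open_authentication:
        results.append(rogue.open_auth)
    if rule.match_managed_ap_ssid:
        results.append(rogue.ssid in managed_ssids)
    if rule.user_configured_ssids:
        results.append(rogue.ssid in rule.user_configured_ssids)
    if rule.minimum_rssi_dbm is not None:       # detected above the RSSI threshold
        results.append(rogue.rssi_dbm > rule.minimum_rssi_dbm)
    if rule.time_duration_s is not None:        # seen longer than the time limit
        results.append(rogue.seen_seconds > rule.time_duration_s)
    if rule.minimum_rogue_clients is not None:  # at least this many clients
        results.append(rogue.client_count >= rule.minimum_rogue_clients)
    return results


def rule_matches(rule: RogueRule, rogue: RogueAP, managed_ssids: Set[str]) -> bool:
    results = evaluate_conditions(rule, rogue, managed_ssids)
    if not results:            # a rule with no enabled condition never matches
        return False
    return all(results) if rule.match_all else any(results)


def classify(rogue: RogueAP, rules: List[RogueRule], managed_ssids: Set[str]) -> Tuple[str, Optional[str]]:
    """Walk the rules in rule-group priority order; the first match wins.
    A rogue matching no rule stays Unclassified."""
    for rule in rules:
        if rule_matches(rule, rogue, managed_ssids):
            return rule.rule_type, rule.name
    return "Unclassified", None
```

A point worth checking when you build rule groups: because the first matching rule decides, a broad Friendly rule placed above a Malicious rule can hide an AP that spoofs a managed SSID; the Move Up/Move Down order in the rule group template is therefore part of the policy, not a cosmetic setting.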
A rogue access point rule group template allows you to combine more than one rogue access point rule into a group that is applied to controllers.
To view current rogue access point rule group templates or create a new rule group, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Wireless Protection Policies > Rogue AP Rule Groups.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Enter a name for the rule group in the General group box of the page.
Step 5 To add a Rogue AP rule, click to highlight the rule in the left column. Click Add to move the rule to the right column.
Note Rogue access point rules can be added from the Rogue Access Point Rules section. See the "Configuring a Rogue AP Rules Template" section for more information.
Step 6 To remove a rogue access point rule, click to highlight the rule in the right column. Click Remove to move the rule to the left column.
Step 7 Use the Move Up/Move Down buttons to specify the order in which the rules apply. Highlight the desired rule and click Move Up or Move Down to move it higher or lower in the current list.
Step 8 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This template allows you to import friendly internal access points. Importing these friendly access points prevents non-lightweight access points from being falsely identified as rogues.
Note Friendly Internal access points were previously referred to as Known APs.
Note The Friendly AP page identifies the MAC address of an access point, status, any comments, and whether or not the alarm is suppressed for this access point.
To view or edit the current list of friendly access points, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Wireless Protection Policies > Friendly AP.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Friendly access points can be added by either importing the access point or manually entering the access point information:
•To import an access point using the Import feature do the following:
–Select the Import from File check box.
–Enter the file path or click Browse to navigate to the correct file.
Note Use a line break to separate MAC addresses. For example, enter the MAC addresses as follows:
00:00:11:22:33:44
00:00:11:22:33:45
00:00:11:22:33:46
•To manually add an access point, do the following:
–Unselect the Import from File check box.
–Enter the MAC address for the access point.
–Choose Internal access point from the Status drop-down list.
–Enter a comment regarding this access point, if necessary.
–Select the Suppress Alarms check box to suppress all alarms for this access point.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
The Ignored Rogue AP Template page allows you to create or modify a template for importing ignored access points. Access points in the Ignored AP list are not identified as rogues.
Note An Ignored Rogue AP template is not applied to any controller. It suppresses the Rogue AP/Adhoc alarm when the controller reports to Prime Infrastructure a rogue AP whose MAC address is in the Ignored Rogue AP template, and that MAC address is added to the Rogue AP Ignore-List on the controller.
To add or edit the Ignored Rogue access points, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Wireless Protection Policies > Ignored Rogue AP.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 The Ignored Rogue access points can be added by either importing the access point or manually entering the access point information:
•To import an ignored rogue access point using the Import feature:
–Select the Import from File check box.
–Enter the file path or use the Browse button to navigate to the correct file. The import file must be a CSV file with one MAC address per line.
Note For example, enter the MAC addresses as follows:
00:00:11:22:33:44
00:00:11:22:33:45
00:00:11:22:33:46
•To manually add an ignored rogue access point:
–Unselect the Import from File check box.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
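Both the Friendly AP and the Ignored Rogue AP templates take a file with one MAC address per line in the form shown above, and a malformed or duplicated line in that file is easy to miss until an AP is unexpectedly classified. The following is an added example, not Cisco code and not part of this document, that validates such a file before it is imported. It assumes the colon-separated form the page shows; accepting hyphen-separated and Cisco dotted notation, and rejecting group (multicast/broadcast) addresses, are this example's own additions. The sample file is constructed.

```python
import re
from typing import List, Tuple

_COLON_OR_DASH = re.compile(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}")
_CISCO_DOTTED = re.compile(r"([0-9a-f]{4}\.){2}[0-9a-f]{4}")


def normalize_mac(raw: str):
    """Return the address as 'aa:bb:cc:dd:ee:ff' (the form the page shows),
    or None when the text is not a 48-bit MAC address. The dotted Cisco form
    is accepted as an assumption, not something the page states."""
    s = raw.strip().lower()
    if _COLON_OR_DASH.fullmatch(s):
        digits = re.sub(r"[:-]", "", s)
    elif _CISCO_DOTTED.fullmatch(s):
        digits = s.replace(".", "")
    else:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_import(text: str) -> Tuple[List[str], List[Tuple[int, str, str]]]:
    """Parse a one-MAC-per-line import file (optionally CSV with the MAC in the
    first column). Returns (accepted addresses, rejected (line, text, reason))."""
    accepted, rejected, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        cell = line.split(",")[0].strip()
        if not cell:
            continue                                 # blank line
        mac = normalize_mac(cell)
        if mac is None:
            rejected.append((lineno, cell, "malformed MAC address"))
        elif int(mac[:2], 16) & 0x01:
            # I/G bit set: multicast or broadcast, never an access point BSSID.
            rejected.append((lineno, cell, "group (multicast/broadcast) address"))
        elif mac in seen:
            rejected.append((lineno, cell, "duplicate"))
        else:
            seen.add(mac)
            accepted.append(mac)
    return accepted, rejected


# Constructed sample import file, in the layout the page shows.
SAMPLE_IMPORT = """00:00:11:22:33:44
00:00:11:22:33:45

00:00:11:22:33:46,lobby AP
0000.1122.3347
ff:ff:ff:ff:ff:ff
00:00:11:22:33:44
zz:00:11:22:33:44
"""

if __name__ == "__main__":
    ok, bad = parse_mac_import(SAMPLE_IMPORT)
    print("accepted:", ok)
    for lineno, cell, reason in bad:
        print(f"line {lineno}: {cell!r} rejected: {reason}")
```

The rejected list is the useful output: review it before uploading, since an address that silently fails to import leaves an internal AP flagged as a rogue.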
This page enables you to add a file encryption template or make modifications to an existing file encryption template.
To configure a File Encryption template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > File Encryption.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Check if you want to enable file encryption.
Step 5 Enter an encryption key text string of exactly 16 ASCII characters.
Step 6 Retype the encryption key.
Step 7 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This page enables you to determine your security password policy.
To add or make modifications to an existing password policy template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Password Policy.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Enter the template name.
Step 5 You can enable or disable the following settings:
•Password must contain characters from at least 3 different classes such as uppercase letters, lowercase letters, digits, and special characters.
•No character can be repeated more than 3 times consecutively.
•Password cannot be the default words like cisco, admin.
Note Password cannot be "cisco", "ocsic", "admin", or "nimda", or any variant obtained by changing the capitalization of letters, by substituting "1", "|", or "!" for "i", by substituting "0" for "o", or by substituting "$" for "s".
•Password cannot contain username or reverse of username.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
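The four settings in Step 5 are simple to state but the "variant" clause in the Note is where implementations usually diverge, so here is an added example, not Cisco code and not part of this document, that checks a candidate password against exactly those rules as the page states them: at least three character classes, no character repeated more than three times consecutively, none of the four default words after undoing the listed substitutions, and no username or reversed username. Treating the username check as case-insensitive is this example's assumption. Function names are this example's own.

```python
import re
from typing import List

# The default words the Note lists, and the substitutions it says must be undone.
DEFAULT_WORDS = ("cisco", "ocsic", "admin", "nimda")
SUBSTITUTIONS = {"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"}


def canonical(word: str) -> str:
    """Lowercase the word and reverse the listed substitutions, so that
    'C1$c0' and 'N!mda' collapse to 'cisco' and 'nimda'."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in word.lower())


def is_default_word_variant(password: str) -> bool:
    return canonical(password) in DEFAULT_WORDS


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    classes = 0
    for pattern in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"):
        if re.search(pattern, password):
            classes += 1
    return classes


def has_run_longer_than(password: str, limit: int) -> bool:
    """True if any character occurs more than `limit` times in a row."""
    return re.search(r"(.)\1{%d,}" % limit, password) is not None


def check_password(password: str, username: str = "") -> List[str]:
    """Return the policy rules the password violates; an empty list means it passes."""
    problems = []
    if character_classes(password) < 3:
        problems.append("fewer than 3 character classes")
    if has_run_longer_than(password, 3):
        problems.append("a character repeats more than 3 times consecutively")
    if is_default_word_variant(password):
        problems.append("default word (cisco/admin) or a variant of it")
    if username:
        u, p = username.lower(), password.lower()
        if u in p or u[::-1] in p:
            problems.append("contains the username or its reverse")
    return problems
```

Note that the default-word rule is an equality test on the whole password, as the page words it ("Password cannot be"), not a substring test; a password such as "cisco-lab-2024!" passes that rule and is caught only by whatever other controls apply.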
This page allows you to add a user login template or make modifications to an existing user login policies template. On this template you set the maximum number of concurrent logins that each single user can have.
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > User Login Policies.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 You can adjust the maximum number of concurrent logins each single user can have.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This page allows you to add a manually disable client template or make modifications to an existing disabled client template.
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Manually Disabled Clients.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Enter the MAC address of the client you want to disable.
Step 5 Enter a description of the client you are setting to disabled.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Note You cannot use a MAC address in the broadcast range.
You can create or modify an ACL template for configuring the type of traffic that is allowed, by protocol, direction, and the source or destination of the traffic.
An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). ACLs can be applied to data traffic to and from wireless clients or to all traffic destined for the controller Central Processing Unit (CPU) and can now support reusable grouped IP addresses and reusable protocols. After ACLs are configured in the template, they can be applied to the management interface, the AP-manager interface, or any of the dynamic interfaces for client data traffic; to the Network Processing Unit (NPU) interface for traffic to the controller CPU; or to a WAN.
This release of Prime Infrastructure provides support for IPv6 ACLs.
To add or modify an existing ACL template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Access Control Lists.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 In this page, specify the following fields:
•Access Control List Name—User-defined name of the template.
•ACL Type—Choose either IPv4 or IPv6.
Note IPv6 ACL is supported from controller Version 7.2.x.
Step 5 To create reusable grouped IP addresses and protocols, choose Access Control > IP Groups from the left sidebar menu.
Step 6 All the IP address groups are listed. One IP address group can have a maximum of 128 IP address and netmask combinations. To define a new IP address group, choose Add IP Group from the Select a command drop-down list, and click Go. To view or modify an existing IP address group, click the URL of the IP address group. The IP address group page opens.
Note For the IP address of any, an any group is predefined.
Step 7 In the ACL IP Groups details page you can edit the current IP group fields.
•IP Group Name
•IP Address
•Netmask OR CIDR Notation—Enter the Netmask or CIDR Notation and then click Add. The list of IP addresses or Netmasks appears in the List of IP Address/Netmasks text box.
CIDR notation allows you to add a large number of clients that exist in a subnet range by configuring a single client object.
Netmask allows you to set the subnet mask in dotted-decimal notation rather than the CIDR notation for the IP address property.
–Netmask—A range of IP addresses defined so that only machines with IP addresses within the range are allowed to access an Internet service.
–CIDR—Classless InterDomain Routing. A protocol which allows the assignment of Class C IP addresses in multiple contiguous blocks.
•BroadCast/Network
•List of IP Addresses/Netmasks—Use the Move Up and Move Down buttons to rearrange the order of the list items. Use the Delete button to delete any IP address or Netmask.
Step 8 To define an additional protocol that is not a standard predefined one, choose Access Control > Protocol Groups from the left sidebar menu. The protocol groups with their source and destination port and DSCP are displayed.
Step 9 To create a new protocol group, choose Add Protocol Group from the Select a command drop-down list, and click Go. To view or modify an existing protocol group, click the URL of the group. The Protocol Groups page appears.
Step 10 The rule name is provided for the existing rules, or you can now enter a name for a new rule. ACLs are not required to have rules defined. When a packet matches all the parameters of a rule, the action for this rule is exercised.
Step 11 Choose a protocol from the drop-down list:
•Any—All protocols
•TCP—Transmission Control Protocol
•UDP—User Datagram Protocol
•ICMP—Internet Control Message Protocol
•ESP—IP Encapsulating Security Payload
•AH—Authentication Header
•GRE—Generic Routing Encapsulation
•IP—Internet Protocol
•Eth Over IP—Ethernet over Internet Protocol
•Other Port OSPF—Open Shortest Path First
•Other—Any other IANA protocol (http://www.iana.org/)
Step 12 Some protocol choices (such as TCP or UDP) cause additional Source Port and Dest Port GUI elements to appear.
•Source Port—Specify the source of the packets to which this ACL applies. The choices are Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other, and Port Range.
•Dest Port—Specify the destination of the packets to which this ACL applies. The choices are Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other, and Port Range.
Step 13 From the DSCP (Differentiated Services Code Point) drop-down list, choose any or specific. If you choose specific, enter the DSCP (range of 0 to 255).
Note DSCP is a packet header code that can be used to define the quality of service across the Internet.
Step 14 Click Save.
Step 15 You can now create new mappings from the defined IP address groups and protocol groups. To define a new mapping, choose the ACL template to which you want to map the new groups. All ACL mappings appear on the top of the page, and all ACL rules appear on the bottom.
Step 16 To define a new mapping, choose Add Rule Mappings from the Select a command drop-down list. The Add Rule Mapping page appears.
Step 17 Configure the following fields:
•Source IP Group—Predefined groups for IPv4 and IPv6.
•Destination IP Group—Predefined groups for IPv4 and IPv6.
•Protocol Group—Protocol group to use for the ACL.
•Direction—Any, Inbound (from client) or Outbound (to client).
•Action—Deny or Permit. The default filter is to deny all access unless a rule explicitly permits it.
Step 18 Click Add. The new mappings populate the bottom table.
Step 19 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Step 20 You can now automatically generate rules from the rule mappings you created. Choose the mappings for which you want to generate rules, and click Generate. This automatically creates the rules. These rules are generated with contiguous sequence. That is, if rules 1 through 4 are already defined and you add rule 29, it is added as rule 5.
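The objects this procedure builds (reusable IP groups, protocol groups, rule mappings and the rules generated from them) modelled in Python as an added example; this is not code from the page or from Prime Infrastructure. The first-match evaluation order and the sample addresses are assumptions; the default-deny result when no rule matches follows the Action description in Step 17, and the contiguous numbering follows Step 20.

```python
"""Model of the ACL template objects: IP groups, protocol groups and rule
mappings, with contiguous rule generation and first-match evaluation.
Example code, not Prime Infrastructure's own; first-match order is an
assumption, default deny follows the Action description in Step 17."""
from dataclasses import dataclass, field
import ipaddress

MAX_IP_GROUP_ENTRIES = 128  # per-group limit stated in Step 6


@dataclass
class IPGroup:
    name: str
    networks: list = field(default_factory=list)

    def add(self, entry):
        """Accept CIDR ('10.1.0.0/16') or 'address netmask' form."""
        if len(self.networks) >= MAX_IP_GROUP_ENTRIES:
            raise ValueError(f"{self.name}: at most {MAX_IP_GROUP_ENTRIES} entries")
        if " " in entry:
            entry = "/".join(entry.split())  # 'a.b.c.d m.m.m.m' -> 'a.b.c.d/m.m.m.m'
        self.networks.append(ipaddress.ip_network(entry, strict=False))

    def contains(self, address):
        if self.name == "any":  # the predefined 'any' group matches every address
            return True
        ip = ipaddress.ip_address(address)
        return any(ip in net for net in self.networks)


@dataclass
class ProtocolGroup:
    name: str
    protocol: str = "any"        # any, tcp, udp, icmp, esp, ah, gre, ...
    source_port: object = "any"  # "any", a port number, or a (low, high) range
    dest_port: object = "any"
    dscp: object = "any"         # "any" or a specific value

    @staticmethod
    def _port_matches(spec, value):
        if spec == "any":
            return True
        if isinstance(spec, tuple):
            return spec[0] <= value <= spec[1]
        return spec == value

    def matches(self, packet):
        return (self.protocol in ("any", packet["protocol"])
                and self._port_matches(self.source_port, packet.get("sport", 0))
                and self._port_matches(self.dest_port, packet.get("dport", 0))
                and self.dscp in ("any", packet.get("dscp", 0)))


@dataclass
class RuleMapping:
    source: IPGroup
    destination: IPGroup
    protocol: ProtocolGroup
    direction: str = "any"  # any, inbound (from client) or outbound (to client)
    action: str = "deny"    # deny or permit

    def matches(self, packet):
        return (self.direction in ("any", packet["direction"])
                and self.source.contains(packet["src"])
                and self.destination.contains(packet["dst"])
                and self.protocol.matches(packet))


class ACL:
    def __init__(self, name):
        self.name = name
        self.rules = []  # list of (sequence number, RuleMapping)

    def generate_rules(self, mappings):
        """Number rules contiguously in generation order (Step 20): the next
        rule is always len(rules) + 1, whatever number was requested."""
        for mapping in mappings:
            self.rules.append((len(self.rules) + 1, mapping))
        return [seq for seq, _ in self.rules]

    def evaluate(self, packet):
        """Return (action, rule number); no matching rule means deny."""
        for seq, mapping in self.rules:
            if mapping.matches(packet):
                return mapping.action, seq
        return "deny", None


def build_example_acl():
    """Constructed example (made-up addresses): stop wireless clients pinging
    the management interface but let them reach it over HTTPS."""
    clients = IPGroup("wireless-clients")
    clients.add("10.20.0.0 255.255.0.0")  # netmask form
    mgmt = IPGroup("mgmt-interface")
    mgmt.add("10.10.0.5/32")              # CIDR form
    icmp = ProtocolGroup("icmp", protocol="icmp")
    https = ProtocolGroup("https", protocol="tcp", dest_port=443)
    acl = ACL("client-to-mgmt")
    acl.generate_rules([
        RuleMapping(clients, mgmt, icmp, direction="inbound", action="deny"),
        RuleMapping(clients, mgmt, https, direction="inbound", action="permit"),
    ])
    return acl
```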
Existing ACL templates are duplicated into a new ACL template. This duplication clones all the ACL rules and mappings defined in the source ACL template.
Note CPU ACL configuration with IPv6 is not supported in this release because all IP addresses of controllers on interfaces use IPv4 except the virtual interface.
The existing ACLs established in the "Configuring a FlexConnect Access Control List" section are used to set traffic controls between the Central Processing Unit (CPU) and Network Processing Unit (NPU).
To add or modify an existing CPU ACL template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > CPU Access Control List.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 If you select the check box to enable CPU ACL, two more fields appear. When CPU ACL is enabled and applied on the controller, Prime Infrastructure displays the details of the CPU ACL against that controller.
Step 5 From the ACL Name drop-down list, choose a name from the list of defined names.
Step 6 From the CPU ACL Mode drop-down list, choose which data traffic direction this CPU ACL list controls. The choices are the wired side of the data traffic, the wireless side of the data traffic, or both wired and wireless.
Step 7 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To configure and apply an Access Control List template to a Controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > FlexConnect ACLs.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Enter a name for the new FlexConnect ACL in the FlexConnect ACL Name text box.
Step 5 Click Save.
A FlexConnect ACL template is created. You can now create new mappings from the defined IP address groups and protocol groups. To define a new mapping, choose the ACL template to which you want to map the new groups. All FlexConnect ACL mappings appear at the top of the page, and all FlexConnect ACL rules appear at the bottom.
Step 6 From the Select a command drop-down list, choose Add Rule Mappings, and click Go.
Step 7 The FlexConnect ACL IP Protocol Map page appears.
Step 8 Configure the following fields:
•Source IP Group—Predefined groups for IPv4 and IPv6.
•Destination IP Group—Predefined groups for IPv4 and IPv6.
•Protocol Group—Protocol group to use for the ACL.
•Action—Deny or Permit. The default filter is to deny all access unless a rule explicitly permits it.
Step 9 Click Add. The new mappings populate the bottom table.
Step 10 Click Save.
Step 11 You can now automatically generate rules from the rule mappings you created. Choose the mappings for which you want to generate rules, and click Generate. This automatically creates the rules. These rules are generated with contiguous sequence. That is, if rules 1 through 4 are already defined and you add rule 29, it is added as rule 5.
Existing FlexConnect ACL templates are duplicated into a new FlexConnect ACL template. This duplication clones all the FlexConnect ACL rules and mappings defined in the source FlexConnect ACL template.
Step 12 From the Select a command drop-down list in the FlexConnect ACL page, choose Apply Templates.
The Apply to Controllers page appears.
Step 13 Select the Save Config to Flash after apply check box to save the configuration to Flash after applying the FlexConnect ACL to the controller.
Step 14 Select the Reboot Controller after apply check box to reboot the controller once the FlexConnect ACL is applied. This check box is available only when you select the Save Config to Flash after apply check box.
Step 15 Select one or more controllers and click OK to apply the FlexConnect ACL template.
The FlexConnect ACL that you created appears in Configure > Controller Template Launch Pad > <IP Address> > Security > Access Control > FlexConnect ACLs.
To create reusable grouped IP addresses, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > IP Groups.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 All IP address groups, including IPv4 and IPv6 groups, are listed. One IP address group can have a maximum of 128 IP address and netmask combinations. To define a new IP address group, choose Add IP Group or Add IPv6 Group from the Select a command drop-down list, and click Go.
Note For the IP address of any, an any group is predefined.
Note For the IPv6 address of any, an any group is predefined with an IP address type as IPv6.
Step 5 Add or modify the following fields:
•IP Group Name
•IP Address—For IP Group, enter an IPv4 address format. For IPv6 groups, enter an IPv6 address format.
•Netmask OR CIDR Notation—Enter the Netmask or CIDR Notation and then click Add. The list of IP addresses or Netmasks appears in the List of IP Addresses/Netmasks text box.
Note These fields are not applicable for IPv6 groups.
CIDR notation allows the user to add a large number of clients that exist in a subnet range by configuring a single client object.
Netmask allows the user to set the subnet mask in dotted-decimal notation rather than the CIDR notation for the IP address property.
–Netmask—A range of IP addresses defined so that only machines with IP addresses within the range are allowed to access an Internet service.
–CIDR—Classless InterDomain Routing. A protocol which allows the assignment of Class C IP addresses in multiple contiguous blocks.
•BroadCast/Network
Note These fields are not applicable for IPv6 groups.
•Prefix Length—Prefix for IPv6 addresses, ranging from 0 to 128.
•List of IP Addresses/Netmasks—Use the Move Up and Move Down buttons to rearrange the order of the list items. Use the Delete button to delete an IP address or Netmask.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To define an additional protocol that is not a standard predefined one, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Protocol Groups.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Add or modify the following fields:
•Rule Name—The rule name is provided for the existing rules, or you can now enter a name for a new rule. ACLs are not required to have rules defined. When a packet matches all the fields of a rule, the action for this rule is exercised.
•Protocol—Choose a protocol from the drop-down list:
–Any—All protocols
–TCP—Transmission Control Protocol
–UDP—User Datagram Protocol
–ICMP—Internet Control Message Protocol
–ESP—IP Encapsulating Security Payload
–AH—Authentication Header
–GRE—Generic Routing Encapsulation
–IP—Internet Protocol
–Eth Over IP—Ethernet over Internet Protocol
–Other Port OSPF—Open Shortest Path First
–Other—Any other IANA protocol (http://www.iana.org/)
•Source Port—Can be Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other and Port Range.
•Dest Port—Destination port. If TCP or UDP is selected, can be Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other and Port Range.
•DSCP (Differentiated Services Code Point)—Choose Any or Specific from the drop-down list. If Specific is selected, enter the DSCP (range of 0 through 255).
Note DSCP is a packet header code that can be used to define the quality of service across the Internet.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To create or modify an External Web Auth Server template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > External Web Auth Server.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
This section contains the following topics:
•Configuring Load Balancing Templates
•Configuring Band Selection Templates
•Configuring Media Parameters Controller Templates (802.11a/n)
To configure load balancing templates, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > 802.11 > Load Balancing.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Enter a value between 1 and 20 for the client window size. The page size becomes part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations:
load-balancing page + client associations on AP with lightest load = load-balancing threshold
In the group of access points accessible to a client device, each access point has a different number of client associations. The access point with the lowest number of clients has the lightest load. The client page size plus the number of clients on the access point with the lightest load forms the threshold. Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold.
Step 5 Enter a value between 0 and 10 for the max denial count. The denial count sets the maximum number of association denials during load balancing.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To configure band selection templates, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > 802.11 > Band Select.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Enter a value between 1 and 10 for the probe cycle count. The cycle count sets the number of suppression cycles for a new client. The default cycle count is 2.
Step 5 Enter a value between 1 and 1000 milliseconds for the scan cycle period threshold. This setting determines the time threshold during which new probe requests from a client come from a new scanning cycle. The default cycle threshold is 200 milliseconds.
Step 6 Enter a value between 10 and 200 seconds for the age out suppression field. Age-out suppression sets the expiration time for pruning previously known 802.11b/g clients. The default value is 20 seconds. After this time elapses, clients become new and are subject to probe response suppression.
Step 7 Enter a value between 10 and 300 seconds for the age out dual band field. The age-out period sets the expiration time for pruning previously known dual-band clients. The default value is 60 seconds. After this time elapses, clients become new and are subject to probe response suppression.
Step 8 Enter a value between -20 and -90 dBm for the acceptable client RSSI field. This field sets the minimum RSSI for a client to respond to a probe. The default value is -80 dBm.
Step 9 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This page enables you to create or modify a template for configuring Preferred Call.
To add or modify preferred call templates, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > 802.11 > Preferred Call.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Add or modify the following Preferred Call parameters:
•Template Name
Note Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
•Number Id—Enter a value to identify the preferred number. You can have a maximum of six preferred call numbers. The valid range is from 1 to 6. The default value is 1.
•Preferred Number—Enter the preferred call number.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To configure the media stream for a controller template for an 802.11 Radio, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > 802.11 > Media Stream.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 In the Media Stream Configuration group box, specify the following fields:
•Media Stream Name
•Multicast Destination Start IP—Start IP address of the media stream to be multicast.
•Multicast Destination End IP—End IP address of the media stream to be multicast.
Note Start IP and End IP can be IPv4 or IPv6 multicast address from controller Version 7.2.x.
•Maximum Expected Bandwidth—Maximum bandwidth that a media stream can use.
Step 5 In the Resource Reservation Control (RRC) Parameters group box, specify the following fields:
•Average Packet Size—Average packet size that a media stream can use.
•RRC Periodical Update—Resource Reservation Control calculations that are updated periodically; if disabled, RRC calculations are done only once when a client joins a media stream.
•RRC Priority—Priority of RRC with the highest at 1 and the lowest at 8.
•Traffic Profile Violation—Indicates whether the stream is dropped or put in the best-effort queue if it violates the QoS video profile.
•Policy—Indicates whether the media stream is admitted or denied.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
The RF Profiles page enables you to create or modify RF profiles that get associated to AP Groups.
To configure an RF Profile for a controller template for an 802.11 Radio, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Security > 802.11 > RF Profiles.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Configure the following information:
•General
–Template Name—User-defined name for the template.
–Profile Name—User-defined name for the current profile.
–Description—Description of the template.
–Radio Type—The radio type of the access point. This is a drop-down list from which you can choose an RF profile for APs with 802.11a or 802.11b radios.
•TPC (Transmit Power Control)
–Minimum Power Level Assignment (-10 to 30 dBm)—Indicates the minimum power assigned. Range: -10 to 30 dBm Default: -10 dBm.
–Maximum Power Level Assignment (-10 to 30 dBm)—Indicates the maximum power assigned. Range: -10 to 30 dBm Default: 30 dBm.
–Power Threshold v1 (-80 to -50 dBm)—Indicates the transmitted power threshold.
–Power Threshold v2 (-80 to -50 dBm)—Indicates the transmitted power threshold.
•Data Rates—Use the Data Rates drop-down lists to specify the rates at which data can be transmitted between the access point and the client. These data rates are available:
–802.11a—6, 9, 12, 18, 24, 36, 48, and 54 Mbps.
–802.11b/g—1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps
For each data rate, choose one of these options:
–Mandatory—Clients must support this data rate to associate to an access point on the controller.
–Supported—Any associated clients that support this data rate might communicate with the access point using that rate. However, the clients are not required to be able to use this rate to associate.
–Disabled—The clients specify the data rates used for communication.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This section contains the following topics:
•Configuring 802.11a/n Parameters Templates
•Configuring Media Parameters Controller Templates (802.11a/n)
•Configuring EDCA Parameters Through a Controller Template (802.11a/n)
•Configuring a Roaming Parameters Template (802.11a/n)
•Configuring an 802.11h Template
•Configuring a High Throughput Template (802.11a/n)
•Configuring CleanAir Controller Templates (802.11a/n)
To add or modify radio templates, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11a or n > Parameters.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Select the check box if you want to enable 802.11a/n network status.
Step 5 Use the ClientLink drop-down list to enable Clientlink on all access point 802.11a/n radios that support ClientLink. Otherwise, choose Disable.
Step 6 Enter a transmitted power threshold between -50 and -80.
Step 7 Enter the amount of time between beacons in kilomicroseconds. The valid range is from 20 to 1000 milliseconds.
Step 8 Enter the number of beacon intervals that might elapse between transmission of beacon frames containing a traffic indicator message (TIM) element whose delivery count text box is 0. This value is transmitted in the DTIM period field of beacon frames. When client devices receive a beacon that contains a DTIM, they normally wake up to check for pending packets. Longer intervals between DTIMs let clients sleep longer and preserve power. Conversely, shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.
Step 9 In the Fragmentation Threshold field, determine the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference.
Step 10 Enter the percentage for 802.11e maximum bandwidth.
Step 11 Click if you want short preamble enabled.
Step 12 From the Dynamic Assignment drop-down list, choose one of three modes:
•Automatic—The transmit power is periodically updated for all access points that permit this operation.
•On Demand—Transmit power is updated when the Assign Now button is selected.
•Disabled—No dynamic transmit power assignments occur, and values are set to their global default.
Step 13 Determine if you want to enable Dynamic Tx Power Control. The power levels and available channels are defined by the country code setting and are regulated on a country by country basis.
Step 14 The Assignment Mode drop-down list has three dynamic channel modes:
•Automatic—The channel assignment is periodically updated for all access points that permit this operation. This is also the default mode.
•On Demand—Channel assignments are updated when desired.
•OFF—No dynamic channel assignments occur, and values are set to their global default.
Step 15 Select the Avoid Foreign AP Interference check box if you want to enable it. Enable this field to have RRM consider interference from foreign Cisco access points (those non-Cisco access points outside RF/mobility domain) when assigning channels. This Radio Resource Management (RRM) field monitors foreign 802.11 interference. Unselect this check box to have RRM ignore this interference.
In certain circumstances with significant interference energy (dB) and load (utilization) from foreign access points, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the foreign access points. This increases capacity and reduces variability for the Cisco WLAN Solution.
Step 16 Select the Avoid Cisco AP Load check box if you want it enabled. Enable this RRM bandwidth-sensing field to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points. Unselect this check box to have RRM ignore this value.
In certain circumstances and with denser deployments, there might not be enough channels to properly create perfect channel reuse. In these circumstances, RRM can assign better reuse patterns to those access points that carry more traffic load.
Step 17 Select the Avoid non 802.11 Noise check box if you want to enable it. Enable this RRM noise-monitoring field to have access points avoid channels that have interference from non-access point sources, such as microwave ovens or Bluetooth devices. Unselect this check box to have RRM ignore this interference.
In certain circumstances with significant interference energy (dB) from non-802.11 noise sources, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources. This increases capacity and reduces variability for the Cisco WLAN Solution.
Step 18 The Signal Strength Contribution check box is always enabled (not configurable). RRM constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel reuse. The net effect is an increase in Cisco WLAN Solution capacity and a reduction in co-channel and adjacent channel interference.
Step 19 The client and controller negotiate data rates between them. If the data rate is set to Mandatory, the client must support it to use the network. If a data rate is set as Supported by the controller, any associated client that also supports that same rate might communicate with the access point using that rate. However, it is not required that a client uses all the rates marked supported to associate. For each rate, a drop-down list of Mandatory or Supported is available. Each data rate can also be set to Disabled to match client settings.
Step 20 From the Channel List drop-down list in the Noise/Interference/Rogue Monitoring Channels section, choose between all channels, country channels, or DCA channels based on the level of monitoring you want. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation amongst a set of managed devices connected to the controller.
Step 21 The location measurement interval of the Cisco Compatible Extension can only be changed when measurement mode is enabled to broadcast radio measurement requests. When enabled, this enhances the location accuracy of clients.
Step 22 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Create or modify a template for configuring CleanAir parameters for the 802.11a/n radio. You can configure the template to enable or disable CleanAir, reporting and alarms for the controllers. You can also configure the type of interfering devices to include for reporting and alarms.
To add a new template with 802.11a/n CleanAir information for a controller, follow these steps:
Step 1 Choose Configure > Controller Template Launch Pad.
Step 2 From the left sidebar menu, choose 802.11a/n > CleanAir. The 802.11a/n CleanAir Controller Templates page displays all currently saved 802.11a/n CleanAir templates. It also displays the number of controllers and virtual domains to which each template is applied.
Step 3 From the Select a command drop-down list, choose Add a Template, and click Go.
The New Controller Template page appears.
Step 4 Add or modify the following fields:
•Template Name—Enter the template name.
•CleanAir—Select the check box to enable CleanAir functionality on the 802.11a/n network, or unselect it to prevent the controller from detecting spectrum interference.
Note If CleanAir is enabled, the Reporting Configuration and Alarm Configuration group boxes appear.
•Reporting Configuration—Use the fields in this group box to configure the interferer devices you want to include for your reports.
Report Interferers—Select the Report Interferers check box to have the CleanAir system detect and report sources of interference, or unselect it to prevent the controller from reporting interferers. The default value is selected.
Make sure that any sources of interference that the CleanAir system must detect and report appear in the Interferers to Detect box and any that it must not detect appear in the Interferers to Ignore box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources are ignored.
•Alarm Configuration—This group box enables you to configure triggering of air quality alarms.
–Air Quality Alarm—Select the Air Quality Alarm check box to enable the triggering of air quality alarms, or unselect the box to disable this feature.
–Air Quality Alarm Threshold—If you selected the Air Quality Alarm check box, enter a value between 1 and 100 (inclusive) in the Air Quality Alarm Threshold field to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered. A value of 1 represents the worst air quality, and 100 represents the best. The default value is 1.
–Interferers For Security Alarm—Select the Interferers For Security Alarm check box to trigger interferer alarms when the controller detects specified device types, or unselect it to disable this feature. The default value is unselected.
–Make sure that any sources of interference that need to trigger interferer alarms appear in the Interferers Selected for Security Alarms box and any that do not need to trigger interferer alarms appear in the Interferers Ignored for Security Alarms box. Use the > and < buttons to move interference sources between these two boxes. By default, all interferer sources for security alarms are ignored.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
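The alarm fields above interact in a way that is easy to get wrong: the air quality alarm only fires when the reported value falls below the threshold, and with the default threshold of 1 (the worst possible value) it never fires; interferer reporting and security alarms each use their own detect/ignore list, and both lists default to "ignore everything". The following Python script is an added example, not Prime Infrastructure code, that models those rules so a template can be sanity-checked before deployment. The CleanAirTemplate and CleanAirReport classes, the interferer type names (including the hypothetical "Jammer" class) and the report records are constructed for illustration.

```python
"""Evaluate CleanAir air-quality and interferer alarms as the template fields
above define them. Added example, not Prime Infrastructure code. The interferer
type names and the report records are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class CleanAirTemplate:
    cleanair_enabled: bool = True
    report_interferers: bool = True                    # page default: selected
    interferers_to_detect: frozenset = frozenset()     # page default: all ignored
    air_quality_alarm: bool = True
    air_quality_threshold: int = 1                     # 1 = worst, 100 = best; page default 1
    interferers_for_security_alarm: bool = False       # page default: unselected
    security_alarm_interferers: frozenset = frozenset()

    def __post_init__(self):
        if not 1 <= self.air_quality_threshold <= 100:
            raise ValueError("Air Quality Alarm Threshold must be between 1 and 100")


@dataclass(frozen=True)
class CleanAirReport:
    ap_name: str
    air_quality: int       # 1..100 as reported by the radio
    interferers: tuple     # device types the radio classified


def evaluate(template, reports):
    """Return (kind, ap_name, detail) tuples for every alarm the template would raise."""
    alarms = []
    if not template.cleanair_enabled:
        return alarms   # the Reporting and Alarm group boxes do not apply
    for report in reports:
        # "When the air quality falls below the threshold level, the alarm is triggered."
        if template.air_quality_alarm and report.air_quality < template.air_quality_threshold:
            alarms.append(("air_quality", report.ap_name, report.air_quality))
        for device in report.interferers:
            if template.report_interferers and device in template.interferers_to_detect:
                alarms.append(("interferer_report", report.ap_name, device))
            if template.interferers_for_security_alarm and device in template.security_alarm_interferers:
                alarms.append(("security", report.ap_name, device))
    return alarms


if __name__ == "__main__":
    # Constructed data: a hypothetical "Jammer" class plus noise sources named on the page.
    tmpl = CleanAirTemplate(
        interferers_to_detect=frozenset({"Microwave Oven", "Jammer"}),
        air_quality_threshold=35,
        interferers_for_security_alarm=True,
        security_alarm_interferers=frozenset({"Jammer"}),
    )
    reports = [CleanAirReport("ap-1", 80, ("Bluetooth",)),
               CleanAirReport("ap-2", 20, ("Jammer", "Microwave Oven"))]
    for alarm in evaluate(tmpl, reports):
        print(alarm)
```

Running the script with the page defaults (CleanAirTemplate() with no arguments) produces no alarms at all for the same reports, which is the point: a template saved with the default threshold and empty detect lists collects nothing, so raise the threshold and populate both interferer lists deliberately.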
This page enables you to create or modify a template for configuring 802.11a/n voice fields such as call admission control and traffic stream metrics.
To add a new template with 802.11a/n voice fields information (such as Call Admission Control and traffic stream metrics) for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > Media Parameters.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 On the Voice tab, add or modify the following fields:
•Admission Control (ACM)—Select the check box to enable admission control.
For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.
•CAC Method—If Admission Control (ACM) is enabled, specify the CAC method as either load-based or static.
Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from the access point itself, from co-channel access points, and from co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.
•Maximum Bandwidth Allowed—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
•Reserved Roaming Bandwidth—Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled.
•Expedited Bandwidth—Select the check box to enable expedited bandwidth as an extension of CAC for emergency calls.
You must have an expedited bandwidth IE that is CCXv5 compliant so that a TSPEC request is given higher priority.
•SIP CAC—Select the check box to enable SIP CAC.
SIP CAC should be used only for phones that support status code 17 and do not support TSPEC-based admission control.
•SIP Codec—Specify the codec name you want to use on this radio. The available options are G.711, G.729, and User Defined.
•SIP Call Bandwidth—Specify the bandwidth in kilobits per second that you want to assign per SIP call on the network. This field can be configured only when the SIP Codec selected is User Defined.
•SIP Sample Interval—Specify the sample interval in milliseconds that the codec must operate in.
•Max Number of Calls per Radio—Specify the maximum number of calls per Radio.
•Metric Collection—Select the check box to enable metric collection.
Traffic stream metrics are a series of statistics about VoIP over your wireless LAN that report the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11a/n interfaces from all associated access points. If you are using VoIP or video, enable this feature.
Step 5 On the Video tab, add or modify the following fields:
•Admission Control (ACM)—Select the check box to enable admission control.
•Maximum Bandwidth—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
•Reserved Roaming Bandwidth—Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled.
•Unicast Video Redirect—Select the Unicast Video Redirect check box to redirect all non-media-stream packets in the video queue to the best effort queue. If disabled, all packets with video marking are kept in the video queue.
•Client Minimum Phy Rate—Specify the physical data rate required for the client to join a media stream from the Client Minimum Phy Rate drop-down list.
•Multicast Direct Enable—Select the Multicast Direct Enable check box to set the Media Direct for any WLAN with Media Direct enabled on a WLAN on this radio.
•Maximum Number of Streams per Radio—Specify the maximum number of streams per Radio to be allowed.
•Maximum Number of Streams per Client—Specify the maximum number of streams per Client to be allowed.
•Best Effort QOS Admission—Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used.
Note If disabled and maximum video bandwidth has been used, then any new client request is rejected.
Step 6 On the General tab, specify the following field:
•Maximum Media Bandwidth (0 to 85%)—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
Step 7 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
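The Voice tab fields above (Maximum Bandwidth Allowed, Reserved Roaming Bandwidth, SIP Codec, SIP Call Bandwidth and Max Number of Calls per Radio) together decide whether a static SIP CAC admits a call, but the page does not show the arithmetic. The following Python model is an added example, not Prime Infrastructure code or the controller's algorithm: it applies the percentages as the field descriptions state them (the roaming reserve is a share of the maximum voice bandwidth that only roaming calls may use) and treats the per-codec payload rates of 64 kbps for G.711 and 8 kbps for G.729, the radio capacity figure, and the VoiceCac class itself as assumptions made to keep the numbers concrete.

```python
"""Static call admission control (CAC) arithmetic for the Voice tab above.
Added example, not Prime Infrastructure code. The codec payload rates and the
radio capacity figure are assumptions used to make the arithmetic concrete."""

from dataclasses import dataclass

# Assumed codec payload rates in kbps. "User Defined" takes the SIP Call Bandwidth field.
CODEC_KBPS = {"G.711": 64, "G.729": 8}


@dataclass
class VoiceCac:
    radio_capacity_kbps: int          # assumed effective capacity of the radio
    max_bandwidth_pct: int            # Maximum Bandwidth Allowed
    reserved_roaming_pct: int         # Reserved Roaming Bandwidth (share of the maximum)
    max_calls_per_radio: int          # Max Number of Calls per Radio
    sip_codec: str = "G.711"          # G.711, G.729 or User Defined
    sip_call_bandwidth_kbps: int = 0  # only consulted when sip_codec == "User Defined"
    active_calls: int = 0
    used_kbps: int = 0

    def per_call_kbps(self):
        if self.sip_codec == "User Defined":
            if self.sip_call_bandwidth_kbps <= 0:
                raise ValueError("SIP Call Bandwidth must be set for a User Defined codec")
            return self.sip_call_bandwidth_kbps
        return CODEC_KBPS[self.sip_codec]

    def voice_limit_kbps(self):
        """Total bandwidth voice may use on this radio."""
        return self.radio_capacity_kbps * self.max_bandwidth_pct // 100

    def new_call_limit_kbps(self):
        """New calls may not eat into the slice reserved for roaming calls."""
        return self.voice_limit_kbps() * (100 - self.reserved_roaming_pct) // 100

    def admit(self, roaming=False):
        """Try to admit one call. Returns (admitted, reason) and updates the radio state."""
        if self.active_calls >= self.max_calls_per_radio:
            return False, "max calls per radio reached"
        need = self.used_kbps + self.per_call_kbps()
        limit = self.voice_limit_kbps() if roaming else self.new_call_limit_kbps()
        if need > limit:
            return False, "roaming reserve exhausted" if roaming else "new-call bandwidth exhausted"
        self.active_calls += 1
        self.used_kbps = need
        return True, "admitted"


if __name__ == "__main__":
    # Constructed scenario: 75% of an assumed 1000 kbps radio for voice, 10% of that kept for roamers.
    cac = VoiceCac(radio_capacity_kbps=1000, max_bandwidth_pct=75,
                   reserved_roaming_pct=10, max_calls_per_radio=20)
    for n in range(12):
        print("new call", n + 1, cac.admit())
    print("roaming call", cac.admit(roaming=True))
    print("roaming call", cac.admit(roaming=True))
```

In the constructed scenario ten new G.711 calls fit under the 675 kbps new-call limit, the eleventh is refused, and a roaming call is still admitted because the 75 kbps roaming reserve remains untouched; a second roaming call is refused. Running the same numbers with your own codec and capacity assumptions is a quick way to see whether a Reserved Roaming Bandwidth value actually leaves room for one call at the chosen codec.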
Enhanced distributed channel access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality of service (QoS) traffic.
To add or configure 802.11a/n EDCA parameters through a controller template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > EDCA Parameters.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Choose one of the following options from the EDCA Profile drop-down list:
•WMM—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value. Choose this option when voice or video services are not deployed on your network.
•Spectralink Voice Priority—Enables Spectralink voice priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.
•Voice Optimized—Enables EDCA voice-optimized profile parameters. Choose this option when voice services other than Spectralink are deployed on your network.
•Voice & Video Optimized—Enables EDCA voice- and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network.
Note Video services must be deployed with admission control (ACM). Video services without ACM are not supported.
Note You must shut down the radio interface before configuring EDCA parameters.
Step 5 Select the Low Latency MAC check box to enable this feature.
Note Enable low latency MAC only if all clients on the network are WMM compliant.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To add or modify an existing roaming parameter template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > Roaming Parameters.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 From the Mode drop-down list, choose Default Values or Custom Values. When Default Values is chosen, the roaming parameters cannot be edited and the default values are displayed in the text boxes. When Custom Values is chosen, the roaming parameters can be edited in the text boxes. To edit the parameters, continue to Step 5.
Step 5 In the Minimum RSSI field, enter a value for the minimum Received Signal Strength Indicator (RSSI) required for the client to associate to an access point. If the average received signal power of the client dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.
Range: -80 to -90 dBm
Default: -85 dBm
Step 6 In the Roaming Hysteresis field, enter a value to indicate how strong the signal strength of a neighboring access point must be for the client to roam to it. This field is intended to reduce the amount of ping ponging between access points if the client is physically located on or near the border between two access points.
Range: 2 to 4 dB
Default: 2 dB
Step 7 In the Adaptive Scan Threshold field, enter the RSSI value from the associated access point of the client, below which the client must be able to roam to a neighboring access point within the specified transition time. This field also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.
Range: -70 to -77 dBm
Default: -72 dB
Step 8 In the Transition Time field, enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the associated access point of the client is below the scan threshold.
The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.
Range: 1 to 10 seconds
Default: 5 seconds
Step 9 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
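Steps 5 through 8 describe four values that only make sense together: the client should start scanning rapidly below the Adaptive Scan Threshold, must finish a roam within the Transition Time, should only move to a neighbour that beats the current access point by the Roaming Hysteresis, and is in trouble below the Minimum RSSI. The following Python script is an added example, not Prime Infrastructure code: it checks a template against the documented ranges and defaults, models the client behaviour those descriptions imply (a simplified reading, not the client's actual algorithm), and turns the "highest expected client speed" remark above into the overlap distance between access points. The function names, the client speed, and the "speed times transition time" overlap rule are assumptions introduced here.

```python
"""Check an 802.11a/n roaming-parameter template against the ranges above and
model how a client acts on them. Added example, not Prime Infrastructure code;
the client behaviour is a simplified reading of the field descriptions and the
client speed is an assumed design input."""

RANGES = {   # (low, high) from the procedure above
    "minimum_rssi_dbm": (-90, -80),
    "roaming_hysteresis_db": (2, 4),
    "adaptive_scan_threshold_dbm": (-77, -70),
    "transition_time_s": (1, 10),
}
DEFAULTS = {
    "minimum_rssi_dbm": -85,
    "roaming_hysteresis_db": 2,
    "adaptive_scan_threshold_dbm": -72,
    "transition_time_s": 5,
}


def effective(params):
    """Custom values override the defaults; unknown keys are rejected."""
    unknown = set(params) - set(DEFAULTS)
    if unknown:
        raise KeyError(f"unknown roaming parameters: {sorted(unknown)}")
    return {**DEFAULTS, **params}


def validate_roaming(params):
    """Return a list of range violations; an empty list means the template is valid."""
    merged = effective(params)
    return [f"{name}={merged[name]} outside {low}..{high}"
            for name, (low, high) in RANGES.items()
            if not low <= merged[name] <= high]


def client_state(params, current_rssi_dbm, best_neighbor_rssi_dbm):
    """Simplified model: the client roams once a neighbour beats the current access
    point by the hysteresis; otherwise it scans slowly above the scan threshold,
    rapidly below it, and is unreliable below the minimum RSSI."""
    p = effective(params)
    if best_neighbor_rssi_dbm >= current_rssi_dbm + p["roaming_hysteresis_db"]:
        return "roam"
    if current_rssi_dbm < p["minimum_rssi_dbm"]:
        return "link_unreliable"
    if current_rssi_dbm < p["adaptive_scan_threshold_dbm"]:
        return "scan_fast"
    return "scan_slow"


def required_overlap_m(params, max_client_speed_mps):
    """Assumed design rule: the distance a client covers during the transition time
    is how far the zone between one access point's scan threshold and minimum RSSI
    must extend into the next access point's coverage."""
    return effective(params)["transition_time_s"] * max_client_speed_mps


if __name__ == "__main__":
    custom = {"adaptive_scan_threshold_dbm": -75, "transition_time_s": 3}
    print("problems:", validate_roaming(custom) or "none")
    for current, neighbour in ((-60, -59), (-60, -58), (-76, -75), (-88, -90)):
        print(current, neighbour, client_state(custom, current, neighbour))
    print("overlap for a 1.5 m/s walking client:", required_overlap_m(custom, 1.5), "m")
```

Two things the model makes visible: a neighbour that is only 1 dB stronger never triggers a roam with the default 2 dB hysteresis (which is what suppresses ping-ponging at cell borders), and shortening the Transition Time shrinks the overlap you must design for, at the cost of forcing clients to scan harder.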
802.11h informs client devices about channel changes and can limit the transmit power of the client device. Create or modify a template for configuring 802.11h parameters (such as power constraint and channel announcement) and for applying these settings to multiple controllers.
To add or modify an 802.11h template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > 802.11h.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Select the Power Constraint check box to have access points advertise an 802.11h power constraint, which limits the transmit power of associated client devices.
Step 5 Select the Channel Announcement check box to enable channel announcement. Channel announcement is a method in which the access point announces when it is switching to a new channel and the new channel number.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To add or modify an 802.11a/n high throughput template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > High Throughput (802.11n).
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Select the 802.11n Network Status Enabled check box to enable high throughput.
Step 5 In the MCS (Data Rate) Settings column, choose which data rates you want supported. Modulation and coding scheme (MCS) indexes are the 802.11n equivalent of the 802.11a data rates. By default, a 20-MHz channel and the short guard interval are used.
Note When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes page.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This section contains the following topics:
•Configuring an RRM Threshold Template (802.11a/n)
•Configuring an RRM Interval Template (802.11a/n)
•Configuring an RRM Dynamic Channel Allocation Template (802.11a/n)
•Configuring an RRM Transmit Power Control Template (802.11a/n)
To add or make modifications to an 802.11a/n RRM threshold template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > dot11a-RRM > Thresholds.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Enter the minimum number of failed clients currently associated with the controller.
Step 5 Enter the target range of coverage threshold.
Step 6 Enter the Data RSSI (-60 to -90 dBm). This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) for data required for the client to associate to an access point.
Note You must disable the 802.11a/n network before applying these RRM threshold fields.
Step 7 Enter the Voice RSSI (-60 to -90 dBm). This number indicates the minimum Received Signal Strength Indicator (RSSI) required for voice for the client to associate to an access point.
Step 8 Enter the maximum number of failed clients that are currently associated with the controller.
Step 9 In the RF Utilization text box, enter the percentage of threshold for 802.11a/n.
Step 10 Enter an interference threshold percentage.
Step 11 Enter a noise threshold between -127 and 0 dBm. When the controller is outside of this threshold, it sends an alarm to Prime Infrastructure.
Step 12 Enter the coverage exception level percentage. When the coverage drops by this percentage from the configured coverage for the minimum number of clients, a coverage hole is generated.
Step 13 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To add or make modifications to an 802.11a/n RRM interval template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > dot11a-RRM > Intervals.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 In the Neighbor Packet Frequency text box, enter the interval at which you want strength measurements taken for each access point. The default is 300 seconds.
Step 5 Enter the interval at which you want noise and interference measurements taken for each access point. The default is 300 seconds.
Step 6 Enter the interval at which you want load measurements taken for each access point. The default is 300 seconds.
Step 7 At the Coverage Measurement Interval field, enter at which interval you want coverage measurements taken for each access point. The default is 300 seconds.
Step 8 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
The Radio Resource Management (RRM) Dynamic Channel Assignment (DCA) page allows you to choose the DCA channels as well as the channel width for this controller.
RRM DCA supports 802.11n 40-MHz channel width in the 5-GHz band. The higher bandwidth allows radios to achieve higher instantaneous data rates.
Note Choosing a larger bandwidth reduces the non-overlapping channels which could potentially reduce the overall network throughput for certain deployments.
To configure 802.11 a/n RRM DCA template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > dot11a-RRM > DCA.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Add or modify the following fields:
•Template Name—Enter the template name.
•Assignment Mode—From the Assignment Mode drop-down list, choose one of three dynamic channel assignment modes:
–Automatic—The channel assignment is periodically updated for all access points that permit this operation.
–On Demand—Channel assignments are updated when you click Assign Now.
–Disabled—No dynamic channel assignments occur, and values are set to their global default.
•Select the Avoid Foreign AP Interference check box to enable it. This RRM foreign 802.11 interference-monitoring parameter has RRM consider interference from foreign access points (non-Cisco access points, or access points outside the RF/mobility domain) when assigning channels. Unselect this check box to have RRM ignore this interference.
In certain circumstances with significant interference energy (dB) and load (utilization) from foreign access points, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the foreign access points. This increases capacity and reduces variability for the Cisco WLAN Solution.
•Select the Avoid Cisco AP Load check box if you want it enabled. Enable this bandwidth-sensing field to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points. Unselect this check box to have RRM ignore this value.
In certain circumstances and with denser deployments, there might not be enough channels to properly create perfect channel reuse. In these circumstances, RRM can assign better reuse patterns to those access points that carry more traffic load.
•Select the Avoid non 802.11 Noise check box if you want to enable it. Enable this noise-monitoring field to have access points avoid channels that have interference from non-access point sources, such as microwave ovens or Bluetooth devices. Unselect this check box to have RRM ignore this interference.
In certain circumstances with significant interference energy (dB) from non-802.11 noise sources, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources. This increases capacity and reduces variability for the Cisco WLAN Solution.
•The Signal Strength Contribution check box is always enabled (not configurable). This constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel reuse. The net effect is an increase in Cisco WLAN Solution capacity and a reduction in co-channel and adjacent channel interference.
•Enable or disable event-driven Radio Resource Management (RRM) using the following fields. Event Driven RRM is used when a CleanAir-enabled access point detects a significant level of interference.
–Event Driven RRM—Enable or Disable spectrum event-driven RRM. By default, Event Driven RRM is enabled.
–Sensitivity Threshold—If Event Driven RRM is enabled, this field displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
The controller dynamically controls access point transmit power based on real-time wireless LAN conditions. Normally, power can be kept low to gain extra capacity and reduce interference. The controller attempts to balance the transmit power of the access points according to how the access points are seen by their third strongest neighbor.
The transmit power control (TPC) algorithm both increases and decreases the power of an access point in response to changes in the RF environment. In most instances, TPC seeks to lower the power of an access point to reduce interference, but in the case of a sudden change in the RF coverage—for example, if an access point fails or becomes disabled—TPC can also increase power on surrounding access points. This feature is different from Coverage Hole Detection. Coverage hole detection is primarily concerned with clients, while TPC is tasked with providing enough RF power to achieve desired coverage levels while avoiding channel interference between access points.
To configure 802.11a/n RRM TPC template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > dot11a-RRM > TPC.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Add or modify the following fields:
•Template Name—Enter the template name in the text box.
•TPC Version—Choose TPCv1 or TPCv2.
Note The TPCv2 option is applicable only for those controllers running Version 7.2.x or later.
•Dynamic Assignment—From the Dynamic Assignment drop-down list, choose one of three modes:
–Automatic—The transmit power is periodically updated for all access points that permit this operation.
–On Demand—Transmit power is updated when you click Assign Now.
–Disabled—No dynamic transmit power assignments occur, and values are set to their global default.
•Maximum Power Assignment—Indicates the maximum power level that TPC may assign to an access point.
–Range: -10 to 30 dBm
–Default: 30 dBm
•Minimum Power Assignment—Indicates the minimum power level that TPC may assign to an access point.
–Range: -10 to 30 dBm
–Default: -10 dBm
•Dynamic Tx Power Control—Determine if you want to enable Dynamic Tx Power Control.
•Transmitted Power Threshold—Enter a transmitted power threshold between -80 and -50 dBm.
•Control Interval—In seconds (read-only).
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This section contains the following topics:
•Configuring 802.11b/g/n Parameters Templates
•Configuring Media Parameters Controller Templates (802.11b/g/n)
•Configuring EDCA Parameters Controller Templates (802.11b/g/n)
•Configuring Roaming Parameters Controller Templates (802.11b/g/n)
•Configuring High Throughput (802.11n) Controller Templates (802.11b/g/n)
•Configuring CleanAir Controller Templates (802.11 b/g/n)
•Configuring 802.11b/g/n RRM Templates
Create or modify a template for configuring 802.11b/g/n parameters (such as power and channel status, data rates, channel list, and CCX location measurement) and for applying these settings to one or more controllers.
To add a new template with 802.11b/g/n parameters information for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11b or g or n > Parameters.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Add or modify the following General parameters:
•Policy Name—Security policy in force.
•802.11b/g Network Status—Select the check box to enable the 802.11b/g network.
•Beam Forming—Choose Enable or Disable from the drop-down list.
Note Beam forming refers to a general signal processing technique used to control the directionality of the reception or transmission of a signal.
•Transmitted Power Threshold—The valid range is from -80 to -50 dBm.
•Beacon Period—The rate at which the SSID is broadcast by the access point (the amount of time between beacons). The valid range is from 100 to 600 milliseconds.
•DTIM Period—The number of beacon intervals that can elapse between transmissions of beacon frames containing a traffic indication map (TIM) element whose DTIM Count field is 0. This value is transmitted in the DTIM Period field of beacon frames.
When client devices receive a beacon that contains a DTIM, they normally "wake up" to check for pending packets. Longer intervals between DTIMs let clients sleep longer and preserve power. Conversely, shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.
Note DTIM period is not applicable in controller Version 5.0.0.0 and later.
•Fragmentation Threshold—Specify the frame size, in bytes, above which frames are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference. The default value is 2346.
•802.11e Max Bandwidth—Percentage for 802.11e max bandwidth. The default value is 100.
Step 5 Add or modify the following 802.11b/g Power Status parameters:
•Dynamic Assignment—From the Dynamic Assignment drop-down list, choose any one of the following dynamic transmit power assignment modes.
–Automatic—The transmit power is periodically updated for all access points that permit this operation.
–On Demand—Transmit power is updated when you click Assign Now.
–Disabled—No dynamic transmit power assignments occur and values are set to their global default. The default is Automatic.
Note The power levels and available channels are defined by the country code setting and are regulated on a country by country basis.
•Dynamic Tx Power Control—Select this check box to enable DTPC support. If this option is enabled, the transmit power level of the radio is advertised in the beacons and the probe responses.
Step 6 Add or modify the following 802.11b/g Channel Status parameters:
•Assignment Mode—From the Assignment Mode drop-down list, choose any one of the following dynamic channel assignment modes.
–Automatic—The channel assignment is periodically updated for all access points that permit this operation.
–On Demand—Channel assignments are updated when desired.
–Disabled—No dynamic channel assignments occur and values are set to their global default.
Note The default is Automatic.
•Avoid Foreign AP Interference—Enable this Radio Resource Management (RRM) foreign 802.11 interference-monitoring parameter to have Radio Resource Management consider interference from foreign (non-Cisco access points outside the RF/mobility domain) access points when assigning channels to Cisco access points.
Disable this field to have Radio Resource Management ignore this interference.
Note In certain circumstances with significant interference energy (dB) and load (utilization) from Foreign access points, Radio Resource Management might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in Cisco access points close to the Foreign access points to increase capacity and reduce variability for the Cisco WLAN Solution.
•Avoid Cisco AP Load—Enable this Radio Resource Management (RRM) bandwidth-sensing parameter to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points.
Disable this field to have Radio Resource Management ignore this value.
Note In certain circumstances and with denser deployments, there might not be enough channels to properly create perfect channel re-use. In these circumstances, Radio Resource Management can assign better re-use patterns to those APs that carry more traffic load.
•Avoid non 802.11 Noise—Enable this Radio Resource Management (RRM) noise-monitoring field to have access points avoid channels that have interference from non-Access Point sources, such as microwave ovens or Bluetooth devices.
Disable this field to have Radio Resource Management ignore this interference.
Note In certain circumstances with significant interference energy (dB) from non-802.11 noise sources, Radio Resource Management might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources to increase capacity and reduce variability for the Cisco WLAN Solution.
•Signal Strength Contribution—This check box is always enabled (not configurable). Radio Resource Management (RRM) constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel reuse. The net effect is an increase in Cisco WLAN Solution capacity and a reduction in co-channel and adjacent channel interference.
Step 7 Add or modify the Data Rate parameters.
The data rates set are negotiated between the client and the controller. If a data rate is set to Mandatory, the client must support it to use the network. If a data rate is set as Supported by the controller, any associated client that also supports that rate might communicate with the access point using that rate. A client is not required to support all the rates marked Supported in order to associate. The rates are 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. For each rate, a drop-down list selection of Mandatory or Supported is available. Each data rate can also be set to Disabled to match client settings.
Step 8 Add or modify the Noise/Interference/Rogue Monitoring Channels parameters.
Choose between all channels, country channels, or DCA channels based on the level of monitoring you want. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation among a set of managed devices connected to the controller.
Step 9 Add or modify the CCX Location Measurement parameters:
•Mode—Enable or disable the broadcast radio measurement request. When enabled, this enhances the location accuracy of clients.
•Interval—Interval in seconds between requests.
Note Cisco Compatible Extension location measurement interval can be changed only when measurement mode is enabled.
Step 10 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Create or modify a template for configuring 802.11b/g/n voice parameters such as Call Admission Control and traffic stream metrics.
To add a new template with 802.11b/g/n voice parameters information (such as Call Admission Control and traffic stream metrics) for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11b or g or n > Media Parameters.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type from the drop-down list and enter the OS version.
Step 4 On the Voice tab, add or modify the following parameters:
•Admission Control (ACM)—Select the check box to enable admission control.
For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, Call Admission Control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.
•CAC Method—If Admission Control (ACM) is enabled, specify the CAC method as either load-based or static.
Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.
•Maximum Bandwidth Allowed—Enter the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
•Reserved Roaming Bandwidth—Enter the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled.
•Expedited Bandwidth—Select the check box to enable expedited bandwidth as an extension of CAC for emergency calls.
You must have an expedited bandwidth IE that is CCXv5 compliant so that a TSPEC request is given higher priority.
•SIP CAC—Select the check box to enable SIP CAC.
SIP CAC should be used only for phones that support status code 17 and do not support TSPEC-based admission control.
•SIP Codec—Choose the codec name you want to use on this radio from the SIP Codec drop-down list. The available options are G.711, G.729, and User Defined.
•SIP Call Bandwidth—Enter the bandwidth in kilobits per second that you want to assign per SIP call on the network. This field can be configured only when the SIP Codec selected is User Defined.
•SIP Sample Interval—Enter the sample interval in milliseconds that the codec must operate in.
•Max Number of Calls per Radio—Enter the maximum number of calls per radio.
•Metric Collection—Select the check box to enable metric collection.
Traffic stream metrics are a series of statistics about VoIP over your wireless LAN which inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.
Step 5 On the Video tab, add or modify the following parameters:
•Admission Control (ACM)—Select the check box to enable admission control.
•Maximum Bandwidth—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
•Reserved Roaming Bandwidth—Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled.
•Unicast Video Redirect—Select the Unicast Video Redirect check box so that all non-media-stream packets in the video queue are redirected to the best effort queue. If disabled, all packets with video marking are kept in the video queue.
•Client Minimum Phy Rate—Choose the physical data rate required for the client to join a media stream from the Client Minimum Phy Rate drop-down list.
•Multicast Direct Enable—Select the Multicast Direct Enable check box to enable Media Direct on this radio for any WLAN that has Media Direct enabled.
•Maximum Number of Streams per Radio—Specify the maximum number of streams per Radio to be allowed.
•Maximum Number of Streams per Client—Specify the maximum number of streams per Client to be allowed.
•Best Effort QOS Admission—Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used.
Note If disabled and maximum video bandwidth has been used, then any new client request is rejected.
Step 6 On the General tab, specify the following field:
•Maximum Media Bandwidth (0 to 85%)—Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.
Step 7 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
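The Call Admission Control fields above (Maximum Bandwidth Allowed, Reserved Roaming Bandwidth, SIP Call Bandwidth, Max Number of Calls per Radio) interact, and it is not obvious from the field descriptions why a roaming call can be admitted when a new call is refused. The following is an added example, not Cisco's code and not the controller's actual CAC algorithm: a simplified static-CAC model in which the reserved roaming share is part of the maximum bandwidth and may be used only by calls that roam in. The radio capacity figure used to convert a per-call kbps value into a percentage is an assumption of the model.

```python
# Added example: a simplified static CAC admission model built from the
# template fields on this page. It is NOT the controller's algorithm;
# load-based CAC, TSPEC handling and expedited (emergency) bandwidth are omitted.
from dataclasses import dataclass


@dataclass
class RadioCac:
    max_bandwidth_pct: float      # Maximum Bandwidth Allowed (percent of radio capacity)
    reserved_roaming_pct: float   # Reserved Roaming Bandwidth (part of the maximum)
    max_calls: int                # Max Number of Calls per Radio
    radio_capacity_kbps: float    # assumption: usable capacity used to scale a call to percent
    used_pct: float = 0.0         # bandwidth currently admitted
    calls: int = 0                # calls currently admitted

    def call_pct(self, call_kbps: float) -> float:
        """Express one call (SIP Call Bandwidth in kbps) as a percentage of capacity."""
        return 100.0 * call_kbps / self.radio_capacity_kbps

    def ceiling_pct(self, roaming: bool) -> float:
        """New calls stop short of the reserved roaming share; roaming calls may use it."""
        if roaming:
            return self.max_bandwidth_pct
        return self.max_bandwidth_pct - self.reserved_roaming_pct

    def admit(self, call_kbps: float, roaming: bool = False) -> bool:
        """Admit the call if both the call count and the bandwidth ceiling allow it."""
        if self.calls >= self.max_calls:
            return False
        needed = self.used_pct + self.call_pct(call_kbps)
        if needed > self.ceiling_pct(roaming):
            return False
        self.used_pct = needed
        self.calls += 1
        return True

    def release(self, call_kbps: float) -> None:
        """Return a finished call's bandwidth to the pool."""
        self.used_pct = max(0.0, self.used_pct - self.call_pct(call_kbps))
        self.calls = max(0, self.calls - 1)


if __name__ == "__main__":
    # Constructed values: 75% maximum, 6% reserved for roaming, 100 kbps per call.
    radio = RadioCac(max_bandwidth_pct=75, reserved_roaming_pct=6,
                     max_calls=10, radio_capacity_kbps=1000)
    admitted = sum(radio.admit(100) for _ in range(8))
    print(f"new calls admitted: {admitted}, roaming call admitted: {radio.admit(100, roaming=True)}")
```

With the constructed values, six new calls fill the radio to 60%; a seventh new call would need 70%, above the 69% available to new calls, and is refused, while a roaming call at the same moment is admitted because it may draw on the 6% reserved share.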
Create or modify a template for configuring 802.11b/g/n EDCA parameters. EDCA parameters designate pre-configured profiles at the MAC layer for voice and video.
To add a new template with 802.11b/g/n EDCA parameters information for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11b or g or n > EDCA Parameters.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type from the drop-down list and enter the OS version.
Step 4 Add or modify the following parameters:
•Template Name
Note Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
•EDCA Profile—Profiles include Wi-Fi Multimedia (WMM), Spectralink Voice Priority (SVP), Voice Optimized, and Voice & Video Optimized. WMM is the default EDCA profile.
Note You must shut down radio interface before configuring EDCA Parameters.
•Streaming MAC—Only enable streaming MAC if all clients on the network are WMM compliant.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Create or modify a template for configuring roaming parameters for 802.11b/g/n radios.
To add a new template with 802.11b/g/n Roaming parameters information for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11b or g or n > Roaming Parameters.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type from the drop-down list and enter the OS version.
Step 4 Add or modify the following parameters:
•Template Name
Note Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
•Mode—Choose Default Values or Custom Values from the drop-down list.
–Default Values—The roaming parameters are unavailable and the default values are displayed.
–Custom Values—The following roaming parameters can be edited.
•Minimum RSSI—Enter a value for the minimum Received Signal Strength Indicator (RSSI) required for the client to associate to an access point.
If the client average received signal power dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached.
–Range: -80 to -90 dBm
–Default: -85 dBm
•Roaming Hysteresis—Enter a value to indicate how strong the signal strength of a neighboring access point must be in order for the client to roam to it. This field is intended to reduce the amount of "ping ponging" between access points if the client is physically located on or near the border between two access points.
–Range: 2 to 4 dB
–Default: 2 dB
•Adaptive Scan Threshold—Enter the RSSI value, from a client associated access point, below which the client must be able to roam to a neighboring access point within the specified transition time.
This field also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold.
–Range: -70 to -77 dB
–Default: -72 dB
•Transition Time—Enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the client associated access point is below the scan threshold.
–Range: 1 to 10 seconds
–Default: 5 seconds
Note The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.
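To make the roaming parameters above concrete, the following is an added example, not code from the Cisco documentation or the controller: a small model that validates a roaming template against the stated ranges, applies the hysteresis and scan-threshold rules as described, and computes the minimum overlap distance the note refers to as client speed multiplied by transition time (a simplified reading of the note; the real client roaming logic is vendor-specific).

```python
# Added example (not Cisco's code): a model of the 802.11b/g/n roaming parameters.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Allowed ranges as stated in the roaming parameters template.
RANGES = {
    "min_rssi_dbm": (-90, -80),
    "hysteresis_db": (2, 4),
    "scan_threshold_dbm": (-77, -70),
    "transition_time_s": (1, 10),
}


@dataclass(frozen=True)
class RoamingParams:
    """Field defaults match the defaults stated in the template."""
    min_rssi_dbm: int = -85
    hysteresis_db: int = 2
    scan_threshold_dbm: int = -72
    transition_time_s: int = 5


def validate(params: RoamingParams) -> List[str]:
    """Return the fields that are outside the allowed range (empty when valid).
    Worth running before a template is published to many controllers."""
    problems = []
    for name, (lo, hi) in RANGES.items():
        value = getattr(params, name)
        if not lo <= value <= hi:
            problems.append(f"{name}={value} outside {lo}..{hi}")
    return problems


def can_associate(params: RoamingParams, rssi_dbm: int) -> bool:
    """Minimum RSSI: below it, reliable communication is usually impossible."""
    return rssi_dbm >= params.min_rssi_dbm


def scan_mode(params: RoamingParams, current_rssi_dbm: int) -> str:
    """Adaptive scan threshold: scan slowly (power save) above it, rapidly below it."""
    return "fast" if current_rssi_dbm < params.scan_threshold_dbm else "slow"


def choose_roam_target(params: RoamingParams, current_rssi_dbm: int,
                       neighbors: Dict[str, int]) -> Optional[str]:
    """Return the neighbour to roam to, or None to stay on the current AP.
    Hysteresis: a neighbour qualifies only if it is stronger than the current
    AP by at least hysteresis_db, which avoids ping-ponging at a cell border."""
    best_name = None
    best_rssi = current_rssi_dbm + params.hysteresis_db
    for name, rssi in neighbors.items():
        if rssi >= best_rssi and can_associate(params, rssi):
            best_name, best_rssi = name, rssi
    return best_name


def min_overlap_distance_m(params: RoamingParams, max_client_speed_mps: float) -> float:
    """Distance a client at its highest expected speed travels during the
    transition time; cells must overlap at least this much for the roam to
    complete (simplified reading of the design note)."""
    return max_client_speed_mps * params.transition_time_s


if __name__ == "__main__":
    p = RoamingParams()
    # Constructed readings: current AP at -70 dBm, two neighbours in range.
    print(validate(p), scan_mode(p, -75),
          choose_roam_target(p, -70, {"ap2": -69, "ap3": -67}),
          min_overlap_distance_m(p, 1.5))
```

In the constructed case, ap2 is louder than the current AP by only 1 dB and is ignored, while ap3 clears the 2 dB hysteresis and becomes the roam target; with the default 5 s transition time a walking client at 1.5 m/s needs at least 7.5 m of cell overlap.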
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Create or modify a template for configuring high-throughput parameters such as MCS (data rate) settings and indexes and for applying these 802.11n settings to multiple controllers.
To add a new template with High Throughput (802.11n) information for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11b or g or n > High Throughput(802.11n).
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type from the drop-down list and enter the OS version.
Step 4 Add or modify the following fields:
•Template Name
Note Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
•802.11n Network Status—Select the check box to enable high throughput.
•MCS (Data Rate) Settings—Choose which data rate levels you want supported. MCS are modulation and coding schemes, which play the same role for 802.11n as the 802.11a data rates.
Note As a default, 20 MHz and short guarded interval are used.
Note When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes page.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Create or modify a template for configuring CleanAir parameters for the 802.11 b/g/n radio. You can configure the template to enable or disable CleanAir, reporting and alarms for the controllers. You can also configure the type of interfering devices to include for reporting and alarms.
To add a new template with 802.11b/g/n CleanAir information for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11b or g or n > CleanAir.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type from the drop-down list and enter the OS version.
Step 4 Add or modify the following fields:
•Template Name—Enter the template name in the text box.
•CleanAir—Select the check box to enable CleanAir functionality on the 802.11 b/g/n network, or unselect to prevent the controller from detecting spectrum interference. The default value is selected.
Note If CleanAir is enabled, the Reporting Configuration and Alarm Configuration group boxes appear.
•Reporting Configuration—Use the parameters in this group box to configure the interferer devices you want to include for your reports.
–Report Interferers—Select the Report Interferers check box to enable the CleanAir system to detect and report sources of interference, or unselect it to prevent the controller from reporting interferers. The default value is selected.
–Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferences to Detect box and any that do not need to be detected appear in the Interferers to Ignore box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources are ignored.
•Alarm Configuration—This group box enables you to configure triggering of air quality alarms.
–Air Quality Alarm—Select the Air Quality Alarm check box to enable the triggering of air quality alarms, or unselect the box to disable this feature.
–Air Quality Alarm Threshold—If you selected the Air Quality Alarm check box, enter a value between 1 and 100 (inclusive) in the Air Quality Alarm Threshold text box to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered. A value of 1 represents the worst air quality, and 100 represents the best. The default value is 1.
–Interferers For Security Alarm—Select the Interferers For Security Alarm check box to trigger interferer alarms when the controller detects specified device types, or unselect it to disable this feature. The default value is unselected.
–Make sure that any sources of interference that need to trigger interferer alarms appear in the Interferers Selected for Security Alarms box and any that do not need to trigger interferer alarms appear in the Interferers Ignored for Security Alarms box. Use the > and < buttons to move interference sources between these two boxes. By default, all interferer sources for security alarms are ignored.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This section contains the following topics:
•Configuring RRM Thresholds Controller Templates (802.11b/g/n)
•Configuring RRM Intervals Controller Templates (802.11b/g/n)
•Configuring an RRM Dynamic Channel Allocation Template (802.11b/g/n)
•Configuring an RRM Transmit Power Control Template (802.11b/g/n)
Create or modify a template for setting various RRM thresholds such as load, interference, noise, and coverage.
To add a new template with 802.11b/g/n RRM thresholds information for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > dot11b-RRM > Thresholds.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type from the drop-down list and enter the OS version.
Step 4 Add or modify the following template name.
Note Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
Step 5 Add or modify the following Coverage Hole Algorithm parameters:
•Min. Failed Clients (#)—Enter the minimum number of failed clients currently associated with the controller.
•Coverage Level—Enter the target range of coverage threshold (dB).
•Signal Strength—When the Coverage Level field is adjusted, the value of the Signal Strength (dBm) automatically reflects this change. The Signal Strength field provides information regarding what the signal strength is when adjusting the coverage level.
•Data RSSI—Enter the Data RSSI (-60 to -90 dBm). This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) for data required for the client to associate to an access point.
•Voice RSSI—Enter the Voice RSSI (-60 to -90 dBm). This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) required for voice for the client to associate to an access point.
Step 6 Add or modify the following Load Thresholds parameters:
•Max. Clients—Enter the maximum number of clients able to be associated with the controller.
•RF Utilization—Enter the percentage of threshold for this radio type.
Step 7 Add or modify the following Threshold for Traps parameters:
•Interference Threshold—Enter an interference threshold between 0 and 100 percent.
•Noise Threshold—Enter a noise threshold between -127 and 0 dBm. When outside of this threshold, the controller sends an alarm to Prime Infrastructure.
•Coverage Exception Level—Enter the coverage exception level percentage. When the coverage drops by this percentage from the configured coverage for the minimum number of clients, a coverage hole is generated.
Step 8 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Create or modify a template for configuring RRM intervals for 802.11b/g/n radios.
To add a new template with 802.11b/g/n RRM intervals information for a controller, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > dot11b-RRM > Intervals.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type from the drop-down list and enter the OS version.
Step 4 Add or modify the following parameters:
•Template Name
Note Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
•Neighbor Packet Frequency—Enter the interval at which you want signal strength measurements taken for each access point. The default is 300 seconds.
•Noise Measurement Interval—Enter the interval at which you want noise and interference measurements taken for each access point. The default is 180 seconds.
•Load Measurement Interval—Enter the interval at which you want load measurements taken for each access point. The default is 300 seconds.
•Channel Scan Duration—Enter the interval at which you want coverage measurements taken for each access point. The default is 300 seconds.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
The controller dynamically controls access point transmit power based on real-time wireless LAN conditions. Normally, power can be kept low to gain extra capacity and reduce interference. The controller attempts to balance the transmit power of an access point according to how the access points are seen by their third strongest neighbor.
The transmit power control (TPC) algorithm both increases and decreases the power of an access point in response to changes in the RF environment. In most instances, TPC seeks to lower the power of an access point to reduce interference, but in the case of a sudden change in the RF coverage—for example, if an access point fails or becomes disabled—TPC can also increase power on surrounding access points. This feature is different from Coverage Hole Detection. Coverage hole detection is primarily concerned with clients, while TPC is tasked with providing enough RF power to achieve desired coverage levels while avoiding channel interference between access points.
To configure 802.11b/g/n RRM TPC template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > dot11b-RRM > TPC.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type from the drop-down list and enter the OS version.
Step 4 Add or modify the following parameters:
•Template Name—Enter the template name in the text box.
•TPC Version—Choose TPCv1 or TPCv2 from the drop-down list.
Note The TPCv2 option is applicable only to controllers running version 7.2.x or later.
•Dynamic Assignment—From the Dynamic Assignment drop-down list, choose one of three modes:
–Automatic—The transmit power is periodically updated for all access points that permit this operation.
–On Demand—Transmit power is updated when you click Assign Now.
–Disabled—No dynamic transmit power assignments occur, and values are set to their global default.
•Maximum Power Assignment—Indicates the maximum power assigned.
–Range: -10 to 30 dB
–Default: 30 dB
•Minimum Power Assignment—Indicates the minimum power assigned.
–Range: -10 to 30 dB
–Default: 30 dB
•Dynamic Tx Power Control—Determine if you want to enable Dynamic Tx Power Control.
•Transmitted Power Threshold—Enter a transmitted power threshold between -50 and -80.
•Control Interval—In seconds (read-only).
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
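The TPC description above (an access point judged by how its third strongest neighbor hears it, power lowered to cut interference or raised when coverage drops, bounded by the Maximum and Minimum Power Assignment) can be illustrated with a small model. The following is an added example, not Cisco's code and not the controller's actual TPC algorithm: it takes the template's Transmitted Power Threshold and power bounds and shows the direction of one adjustment. The 3 dB step size and the choice to leave power unchanged when fewer than three neighbors report the access point are assumptions of the model.

```python
# Added example (not Cisco's code): a simplified model of one TPC decision.
from typing import List, Optional

THIRD_STRONGEST = 3   # TPC looks at how the third strongest neighbour hears the AP
POWER_STEP_DB = 3     # assumption: constructed step size for this model


def third_strongest_neighbor_rssi(neighbor_rssi_dbm: List[int]) -> Optional[int]:
    """RSSI at which the third strongest neighbour hears this AP, or None if
    fewer than three neighbours report it."""
    if len(neighbor_rssi_dbm) < THIRD_STRONGEST:
        return None
    return sorted(neighbor_rssi_dbm, reverse=True)[THIRD_STRONGEST - 1]


def next_power(current_power_db: int, neighbor_rssi_dbm: List[int],
               threshold_dbm: int, min_power_db: int = -10, max_power_db: int = 30) -> int:
    """Power the model assigns next.
    - heard above the threshold: the AP is louder than needed, step down
      to reduce co-channel interference;
    - heard below the threshold (for example after a neighbour failed): step up
      to restore coverage;
    - fewer than three neighbours: unchanged (assumption of this model).
    The result is clamped to the Minimum/Maximum Power Assignment."""
    ref = third_strongest_neighbor_rssi(neighbor_rssi_dbm)
    if ref is None or ref == threshold_dbm:
        proposed = current_power_db
    elif ref > threshold_dbm:
        proposed = current_power_db - POWER_STEP_DB
    else:
        proposed = current_power_db + POWER_STEP_DB
    return max(min_power_db, min(max_power_db, proposed))


def validate_tpc(threshold_dbm: int, min_power_db: int, max_power_db: int) -> List[str]:
    """Check the TPC template fields against the ranges stated on this page."""
    problems = []
    if not -80 <= threshold_dbm <= -50:
        problems.append(f"threshold_dbm={threshold_dbm} outside -80..-50")
    for name, value in (("min_power_db", min_power_db), ("max_power_db", max_power_db)):
        if not -10 <= value <= 30:
            problems.append(f"{name}={value} outside -10..30")
    if min_power_db > max_power_db:
        problems.append("min_power_db exceeds max_power_db")
    return problems


if __name__ == "__main__":
    # Constructed neighbour reports (dBm) and a constructed threshold of -70.
    print(next_power(20, [-60, -65, -62], threshold_dbm=-70),   # heard loudly: step down
          next_power(20, [-75, -80, -85], threshold_dbm=-70),   # heard weakly: step up
          validate_tpc(-70, -10, 30))
```

Note how a failed neighbor shows up in this model: the remaining neighbors hear the access point more weakly, the third-strongest reading falls below the threshold, and power steps up, which is the behaviour the text contrasts with Coverage Hole Detection.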
The Radio Resource Management (RRM) Dynamic Channel Assignment (DCA) page allows you to choose the DCA channels as well as the channel width for this controller.
RRM DCA supports 802.11n 40-MHz channel width in the 5-GHz band. The higher bandwidth allows radios to achieve higher instantaneous data rates.
Note Choosing a larger bandwidth reduces the non-overlapping channels, which could potentially reduce the overall network throughput for certain deployments.
To configure 802.11b/g/n RRM DCA template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > dot11b-RRM > DCA.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type from the drop-down list and enter the OS version.
Step 4 Add or modify the following parameters:
•Template Name—Enter the template name.
•Assignment Mode—From the Dynamic Assignment drop-down list, choose one of three modes:
–Automatic—The transmit power is periodically updated for all access points that permit this operation.
–On Demand—Transmit power is updated when you click Assign Now.
–Disabled—No dynamic transmit power assignments occur, and values are set to their global default.
•Select the Avoid Foreign AP Interference check box to enable it. Enable this field to have RRM consider foreign 802.11 interference, that is, interference from foreign access points (non-Cisco access points outside the RF/mobility domain), when assigning channels. Unselect this check box to have RRM ignore this interference.
In certain circumstances with significant interference energy (dB) and load (utilization) from foreign access points, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the foreign access points. This increases capacity and reduces variability for the Cisco WLAN Solution.
•Select the Avoid Cisco AP Load check box if you want it enabled. Enable this bandwidth-sensing field to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points. Unselect this check box to have RRM ignore this value.
In certain circumstances and with denser deployments, there might not be enough channels to properly create perfect channel reuse. In these circumstances, RRM can assign better re-use patterns to those access points that carry more traffic load.
•Select the Avoid non 802.11 Noise check box if you want to enable it. Enable this noise-monitoring field to have access points avoid channels that have interference from non-access point sources, such as microwave ovens or Bluetooth devices. Unselect this check box to have RRM ignore this interference.
In certain circumstances with significant interference energy (dB) from non-802.11 noise sources, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources. This increases capacity and reduces variability for the Cisco WLAN Solution.
•The Signal Strength Contribution check box is always enabled (not configurable). RRM constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel re-use. The net effect is an increase in Cisco WLAN Solution capacity and a reduction in co-channel and adjacent channel interference.
•Enable or disable event-driven Radio Resource Management (RRM) using the following parameters. Event Driven RRM is used when a CleanAir-enabled access point detects a significant level of interference.
–Event Driven RRM—Enable or Disable spectrum event-driven RRM. By default, Event Driven RRM is enabled.
–Sensitivity Threshold—If Event Driven RRM is enabled, this field displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
You can configure an access point to establish a connection with the controller.
To add or modify a mesh template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Mesh > Mesh Settings.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type from the drop-down list and enter the OS version.
Step 4 The Root AP to Mesh AP Range is 12,000 feet by default. Enter the optimum distance (in feet) that should exist between the root access point and the mesh access point. This global field applies to all access points when they join the controller and all existing access points in the network.
Step 5 The Client Access on Backhaul Link check box is not selected by default. When this option is enabled, mesh access points can associate with 802.11a/n wireless clients over the 802.11a/n backhaul. This client association is in addition to the existing communication on the 802.11a/n backhaul between the root and mesh access points.
Note This feature applies only to access points with two radios.
Step 6 The Mesh DCA Channels check box is not selected by default. Select this option to enable backhaul channel deselection on the Controller using the DCA channel list configured in the Controller. Any change to the channels in the Controller DCA list is pushed to the associated access points. This feature applies only to the 1524SB mesh access points. For more information on this feature, see the Controller Configuration Guide.
Step 7 Select the Background Scanning check box to enable background scanning or unselect it to disable the feature. The default value is disabled. Background scanning allows Cisco Aironet 1510 Access Points to actively and continuously monitor neighboring channels for more optimal paths and parents. See the "Background Scanning on 1510s in Mesh Networks" section for further information.
Step 8 From the Security Mode drop-down list, choose EAP (Extensible Authentication Protocol) or PSK (Pre-Shared Key).
Step 9 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This section contains the following topics:
•Configuring Trap Receiver Templates
•Configuring Trap Control Templates
•Configuring Telnet SSH Templates
•Configuring Legacy Syslog Templates
•Configuring Multiple Syslog Templates
•Configuring Local Management User Templates
•Configuring User Authentication Priority Templates
If you have monitoring devices on your network that receive SNMP traps, you might want to add a trap receiver template.
To add or modify a trap receiver template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Trap Receiver.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type from the drop-down list and enter the OS version.
Step 4 Enter the IP address of the server in the text box.
Step 5 Select the Admin Status check box to enable the administrator status if you want SNMP traps to be sent to the receiver.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To add or modify a trap control template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Trap Control.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type from the drop-down list and enter the OS version.
Step 4 Select the appropriate check box to enable any of the following miscellaneous traps:
•SNMP Authentication—The SNMPv2 entity has received a protocol message that is not properly authenticated. When a user who is configured in SNMP V3 mode tries to access the controller with an incorrect password, the authentication fails and a failure message is displayed. However, no trap logs are generated for the authentication failure.
•Link (Port) Up/Down—A link changes state between up and down.
•Multiple Users—Two users log in with the same login ID.
•Spanning Tree—Spanning Tree traps. See the STP specification for descriptions of individual parameters.
•Rogue AP—Whenever a rogue access point is detected or when a rogue access point was detected earlier and no longer exists, this trap is sent with its MAC address.
•Controller Config Save—Notification sent when the configuration is modified.
Step 5 Select the appropriate check box to enable any of the following client-related traps:
•802.11 Association—A trap is sent when a client is associated to a WLAN. This trap does not guarantee that the client is authenticated.
•802.11 Disassociation—The disassociate notification is sent when the client sends a disassociation frame.
•802.11 Deauthentication—The deauthenticate notification is sent when the client sends a deauthentication frame.
•802.11 Failed Authentication—The authenticate failure notification is sent when the client sends an authentication frame with a status code other than successful.
•802.11 Failed Association—The associate failure notification is sent when the client sends an association frame with a status code other than successful.
•Excluded—The associate failure notification is sent when a client is excluded.
Step 6 Select the appropriate check box to enable any of the following access point traps:
•AP Register—Notification sent when an access point associates or disassociates with the controller.
•AP Interface Up/Down—Notification sent when access point interface (802.11a/n or 802.11b/g/n) status goes up or down.
Step 7 Select the appropriate check box to enable any of the following auto RF profile traps:
•Load Profile—Notification sent when Load Profile state changes between PASS and FAIL.
•Noise Profile—Notification sent when Noise Profile state changes between PASS and FAIL.
•Interference Profile—Notification sent when Interference Profile state changes between PASS and FAIL.
•Coverage Profile—Notification sent when Coverage Profile state changes between PASS and FAIL.
Step 8 Select the appropriate check box to enable any of the following auto RF update traps:
•Channel Update—Notification sent when the dynamic channel algorithm of an access point is updated.
•Tx Power Update—Notification sent when the dynamic transmit power algorithm of an access point is updated.
Step 9 Select the appropriate check box to enable any of the following AAA traps:
•User Auth Failure—Notification sent when a client RADIUS authentication fails.
•RADIUS Server No Response—Notification sent when no RADIUS server is responding to authentication requests sent by the RADIUS client.
Step 10 Select the appropriate check box to enable the following IP security traps:
•ESP Authentication Failure
•ESP Replay Failure
•Invalid SPI
•IKE Negotiation Failure
•IKE Suite Failure
•Invalid Cookie
Step 11 Select the appropriate check box to enable any of the following 802.11 security traps:
•WEP Decrypt Error—Notification sent when the controller detects a WEP decrypting error.
•Signature Attack
Step 12 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To add or modify a Telnet SSH configuration template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Telnet SSH.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Enter the number of minutes a Telnet session is allowed to remain inactive before being logged off. A zero means there is no timeout. The valid range is 0 to 160, and the default is 5.
Step 5 In the Maximum Sessions field, enter the number of simultaneous Telnet sessions allowed. The valid range is 0 to 5, and the default is 5.
Step 6 Use the Allow New Telnet Session drop-down list to determine whether new Telnet sessions are allowed on the DS (network) port. New Telnet sessions are always allowed on the service port. The default is no.
Step 7 Use the Allow New SSH Session drop-down list to determine whether new Secure Shell (SSH) sessions are allowed. The default is yes.
Step 8 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To add or modify a legacy syslog configuration template, follow these steps:
Note Legacy Syslog applies to controllers Version 5.0.6.0 and earlier.
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Legacy Syslog.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Select the Syslog check box to enable syslog. When you do, a Syslog Host IP Address text box appears.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To add or modify a multiple syslog configuration template, follow these steps:
Note You can enter up to three syslog server templates.
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Multiple Syslog.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Enter a template name and a syslog server IP address in the text boxes.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
To add or modify a local management user template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Local Management User.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Enter a template username.
Step 5 Enter a password for this local management user template.
Step 6 Reenter the password.
Step 7 Use the Access Level drop-down list to choose either Read Only or Read Write.
Step 8 Select the Update Telnet Credentials check box to update the user credentials in Prime Infrastructure for Telnet/SSH access.
Note If the template is applied successfully and the Update Telnet Credentials option is enabled, the applied management user credentials are used in Prime Infrastructure for Telnet/SSH credentials to that applied controller.
Step 9 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Management user authentication priority templates control the order in which authentication servers are used to authenticate the management users of a controller.
To add a user authentication priority template or make modifications to an existing template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Authentication Priority.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 The local server is tried first. Choose either RADIUS or TACACS+ from the drop-down list to try if local authentication fails.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
You can create templates containing a set of CLI commands and apply them to one or more controllers from Prime Infrastructure. These templates are meant for provisioning features in multiple controllers for which there is no SNMP support or custom NCS user interface. The template contents are simply an array of command strings; substitution variables, conditionals, and the like are not supported.
The CLI sessions to the device are established based on user preferences. The default protocol is SSH.
To add or modify a CLI template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > CLI > General.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 If you are adding a new template, provide a name that you are giving to this string of commands in the text box. If you are making modifications to an existing template, the Template Name text box cannot be modified.
Step 5 In the Commands page, enter the series of CLI commands.
Step 6 Select the Refresh Config after Apply check box to perform a refresh config on the controller after the CLI template is applied successfully.
Step 7 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Note If the Controller Telnet credentials check fails or the Controller CLI template fails with invalid username and password even though the correct username and password are configured on the controller, check whether the controller has exceeded the number of CLI connections it can accept. If the connections have exceeded the maximum limit, then either increase the maximum allowed CLI sessions or terminate any pre-existing CLI sessions on the controller, and then retry the operation.
To add or modify a location setting template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > Location > Location Configuration.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Select the RFID Tag Data Collection check box to enable tag collection. Before the mobility services engine can collect asset tag data from controllers, you must enable the detection of active RFID tags using the CLI command config rfid status enable on the controllers.
Step 5 Select the Calibrating Client check box to enable calibration for the client. Controllers send regular S36 or S60 requests (depending on the client capability) by way of the access point to calibrating clients. Packets are transmitted on all channels. All access points irrespective of channel (and without a channel change) gather RSSI data from the client at each location. These additional transmissions and channel changes might degrade contemporaneous voice or video traffic.
Note To use all radios (802.11a/b/g/n) available, you must enable multiband in the Advanced page.
Step 6 Select the Normal Client check box to have a non-calibrating client. No S36 requests are transmitted to the client.
Note S36 and S60 are client drivers compatible with specific Cisco Compatible Extensions. S36 is compatible with CCXv2 or later. S60 is compatible with CCXv4 or later. For details, see the following URL:
http://www.cisco.com/en/US/products/ps9806/products_qanda_item09186a0080af9513.shtml
Step 7 Specify how many seconds should elapse before notification of the found element (tags, clients, and rogue APs/clients).
Step 8 Enter the number of seconds after which RSSI measurements for clients should be discarded.
Step 9 Enter the number of seconds after which RSSI measurements for calibrating clients should be discarded.
Step 10 Enter the number of seconds after which RSSI measurements for tags should be discarded.
Step 11 Enter the number of seconds after which RSSI measurements for rogue access points should be discarded.
Step 12 Click the Advanced tab.
Step 13 Enter a value in seconds to set the RFID tag data timeout setting.
Step 14 Select the Calibrating Client Multiband check box to send S36 and S60 packets (where applicable) on all channels. Calibrating clients must be enabled in the General group box.
Step 15 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
This section contains the following topics:
•Configuring Neighbor Binding Timers Templates
•Configuring RA Throttle Policy Templates
•Configuring RA Guard Templates
You can create or modify a template for configuring IPv6 Router Neighbor Binding Timers such as Down Lifetime, Reachable Lifetime, State Lifetime, and corresponding intervals.
To configure a Neighbor Binding Timers template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > IPv6 > Neighbor Binding Timers.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 If you want to enable the down lifetime, select the Enable check box. If you have selected this check box, specify the value in the Down Lifetime Interval text box. This indicates the maximum time, in seconds, an entry learned from a down interface is kept in the binding table before the entry is deleted or proof is received that the entry is reachable. The range is 0 to 86,400 seconds, and the default value is 0.
Step 5 If you want to enable the reachable lifetime, select the Enable check box. If you have selected this check box, specify the value in the Reachable Lifetime Interval text box. This indicates the maximum time, in seconds, an entry is considered reachable without getting a proof of reachability (direct reachability through tracking, or indirect reachability through Neighbor Discovery protocol [NDP] inspection). After that, the entry is moved to stale. The range is 0 to 86,400 seconds, and the default value is 0.
Step 6 If you want to enable the stale lifetime, select the Enable check box. If you have selected this check box, specify the value in the Stale Lifetime Interval text box. This indicates the maximum time, in seconds, a stale entry is kept in the binding table before the entry is deleted or proof is received that the entry is reachable. The range is 0 to 86,400 seconds, and the default value is 0.
Step 7 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
The RA Throttle Policy allows you to limit the number of multicast Router Advertisements (RAs) circulating on the wireless network. You can create or modify a template for configuring IPv6 Router Advertisement parameters such as RA Throttle Policy, Throttle Period, and other options.
To configure an RA Throttle Policy template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > IPv6 > RA Throttle Policy.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 If you want to enable the RA Throttle Policy, select the Enable check box. If you have selected this check box, configure the following parameters:
•Throttle Period—Duration of the throttle period in seconds. The range is 10 to 86,400 seconds.
•Max Through—The number of RAs that pass through during a throttle period.
•Interval Option—Indicates the behavior for RAs that carry an interval option.
•Allow At-least—The minimum number of RAs per router that are not throttled.
•Allow At-most—The maximum number of RAs per router that are not throttled.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
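To make the interaction between Throttle Period, Max Through, Allow At-least and Allow At-most concrete, here is an added example (not from the documentation or the controller software) that simulates the policy over a constructed stream of RAs. The forwarding rules, the RaEvent and RaThrottlePolicy classes and the "passthrough" handling of the Interval Option are this example's own assumptions.

```python
"""Simulation of an IPv6 Router Advertisement (RA) throttle policy.

Added example; not part of the Prime Infrastructure documentation or of the
controller software. The decision rules are this example's own reading of the
template fields; the controller's actual algorithm may differ.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RaEvent:
    """One multicast RA seen on the wireless network (constructed input)."""
    time: float                    # seconds since simulation start
    router: str                    # identifier of the advertising router
    interval_option: bool = False  # RA carries the Advertisement Interval option


@dataclass(frozen=True)
class RaThrottlePolicy:
    throttle_period: int           # seconds; the page gives the range 10 to 86,400
    max_through: Optional[int]     # RAs forwarded per period in total; None = no limit
    allow_at_least: int            # RAs per router that are always forwarded in a period
    allow_at_most: Optional[int]   # RAs per router forwarded at most; None = no limit
    interval_option: str = "throttle"  # assumption: "passthrough" forwards such RAs uncounted

    def __post_init__(self):
        if not 10 <= self.throttle_period <= 86400:
            raise ValueError("Throttle Period must be 10 to 86,400 seconds")
        if self.allow_at_most is not None and self.allow_at_most < self.allow_at_least:
            raise ValueError("Allow At-most must not be below Allow At-least")
        if self.interval_option not in ("passthrough", "throttle"):
            raise ValueError("Interval Option must be 'passthrough' or 'throttle'")


class RaThrottler:
    """Keeps per-period counters and decides RA by RA whether to forward."""

    def __init__(self, policy: RaThrottlePolicy):
        self.policy = policy
        self.period_idx = -1
        self.total = 0
        self.per_router: Dict[str, int] = {}

    def forward(self, ev: RaEvent) -> bool:
        """Return True if the RA is forwarded to wireless clients, False if dropped."""
        p = self.policy
        idx = int(ev.time // p.throttle_period)
        if idx != self.period_idx:             # a new throttle period resets all counters
            self.period_idx, self.total, self.per_router = idx, 0, {}
        if ev.interval_option and p.interval_option == "passthrough":
            return True                         # forwarded without touching the counters
        sent = self.per_router.get(ev.router, 0)
        guaranteed = sent < p.allow_at_least    # Allow At-least wins over Max Through
        under_router_cap = p.allow_at_most is None or sent < p.allow_at_most
        under_total_cap = p.max_through is None or self.total < p.max_through
        if guaranteed or (under_router_cap and under_total_cap):
            self.per_router[ev.router] = sent + 1
            self.total += 1
            return True
        return False


def apply_policy(policy: RaThrottlePolicy,
                 events: List[RaEvent]) -> Tuple[List[RaEvent], List[RaEvent]]:
    """Run the events through the throttler in time order; return (forwarded, dropped)."""
    throttler = RaThrottler(policy)
    forwarded: List[RaEvent] = []
    dropped: List[RaEvent] = []
    for ev in sorted(events, key=lambda e: e.time):
        (forwarded if throttler.forward(ev) else dropped).append(ev)
    return forwarded, dropped


def forwarded_per_router(policy, events) -> Dict[str, int]:
    """Count how many RAs each router got through under the policy."""
    counts: Dict[str, int] = {}
    for ev in apply_policy(policy, events)[0]:
        counts[ev.router] = counts.get(ev.router, 0) + 1
    return counts


# Constructed scenario: two well-behaved routers (R1, R2) advertising a few times
# a minute, a misconfigured router R3 sending 20 RAs in 20 s, and R4 appearing late.
EXAMPLE_POLICY = RaThrottlePolicy(throttle_period=60, max_through=10,
                                  allow_at_least=1, allow_at_most=4)
EXAMPLE_EVENTS = (
    [RaEvent(t, "R1") for t in (0, 20, 40)]
    + [RaEvent(t, "R2") for t in (5, 25, 45, 55)]
    + [RaEvent(1.5 + k, "R3") for k in range(20)]   # 1.5 s ... 20.5 s
    + [RaEvent(50, "R4"), RaEvent(61.5, "R3")]      # 61.5 s falls in the next period
)

if __name__ == "__main__":
    fwd, drp = apply_policy(EXAMPLE_POLICY, EXAMPLE_EVENTS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    print(forwarded_per_router(EXAMPLE_POLICY, EXAMPLE_EVENTS))
```

In the constructed scenario R3 is cut off after its four allowed RAs, but once Max Through is reached even the well-behaved R2 loses an RA at 55 s, while a router that has not yet spoken (R4) still gets its Allow At-least share.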
RA Guard is a Unified Wireless solution used to drop RA from wireless clients. It is configured globally, and by default it is enabled. You can create or modify a template for configuring IPv6 Router Advertisement parameters.
To configure an RA Guard template, follow these steps:
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > IPv6 > RA Guard.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 If you want to enable the Router Advertisement Guard, select the Enable check box.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Proxy Mobile IPv6 is a network-based mobility management protocol that supports a mobile node by acting as the proxy for the mobile node in any IP mobility-related signaling. The mobility entities in the network track the movements of the mobile node and initiate the mobility signaling and set up the required routing state.
The main functional entities are the Local Mobility Anchor (LMA) and Mobile Access Gateway (MAG). The LMA maintains the reachability state of the mobile node and is the topological anchor point for the IP address of the mobile node. The MAG performs the mobility management on behalf of a mobile node. The MAG resides on the access link where the mobile node is anchored. The controller implements the MAG functionality.
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > PMIP > Global Config.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Configure the following fields:
•Domain Name
•Maximum Bindings Allowed—Maximum number of binding updates that the controller can send to the MAG. The valid range is 0 to 40000.
•Binding Lifetime—Lifetime of the binding entries in the controller. The valid range is 10 to 65535 seconds. The default value is 65535. The binding lifetime should be a multiple of 4 seconds.
•Binding Refresh Time—Refresh time of the binding entries in the controller. The valid range is 4 to 65535 seconds. The default value is 300 seconds. The binding refresh time should be a multiple of 4 seconds.
•Binding Initial Retry Timeout—Initial timeout between the proxy binding updates (PBUs) when the controller does not receive the proxy binding acknowledgments (PBAs). The valid range is 100 to 65535 seconds. The default value is 1 second.
•Binding Maximum Retry Timeout—Maximum timeout between the proxy binding updates (PBUs) when the controller does not receive the proxy binding acknowledgments (PBAs). The valid range is 100 to 65535 seconds. The default value is 32 seconds.
•Replay Protection Timestamp—Maximum amount of time difference between the timestamp in the received proxy binding acknowledgment and the current time of day. The valid range is 1 to 255 milliseconds. The default value is 300 milliseconds.
•Minimum BRI Retransmit Timeout—Minimum amount of time that the controller waits before retransmitting the Binding Revocation Indication (BRI) message. The valid range is 500 to 65535 seconds.
•Maximum BRI Retransmit Timeout—Maximum amount of time that the controller waits before retransmitting the BRI message. The valid range is 500 to 65535 seconds. The default value is 2 seconds.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > PMIP > LMA.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Configure the following fields:
•LMA Name—Name of the LMA connected to the controller.
•LMA IP Address—IP address of the LMA connected to the controller.
Step 5 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Step 1 Choose Design > Configuration Templates > Features and Technologies > Controller > PMIP > PMIP Profile.
Step 2 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 4 Enter the profile name.
Step 5 Click Add and then configure the following fields:
•Network Access Identifier—Name of the Network Access Identifier (NAI) associated with the profile.
•LMA Name—Name of the LMA to which the profile is associated.
•Access Point Node—Name of the access point node connected to the controller.
Step 6 Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
The following sections explain how to create and deploy security configuration templates:
•Creating a GET VPN Group Member Template
•Creating a GET VPN Key Server Template
•Creating and Deploying ScanSafe Template
•Creating and Deploying Easy VPN Browser Proxy Template
•Creating and Deploying Easy VPN Remote Template
To create a DMVPN template, follow these steps:
Step 1 Choose Design > Configuration Templates.
Step 2 Under the Features and Technologies folder, expand the Security subfolder, then click DMVPN.
Step 3 In the Template Basic section, enter a name and a description in the appropriate fields.
Step 4 From the Validation Criteria drop-down list, choose the device types to which this feature template can be applied. The Device Type field lists product types, product families, and model numbers.
Step 5 In the Template Detail section, enter the IKE Authentication and Encryption policy.
Step 6 In the IKE Authentication Type field, click the anchored plus button (+), and choose the IKE authentication type.
Note If you choose the default Pre-Shared key, you must provide the secret key and reconfirm it. If you choose Digital Certificate as the authentication type, the router must have a digital certificate issued by a Certificate Authority to authenticate itself.
Step 7 In the IKE Authentication Policy section, click the Add Row button to add the IKE policies.
Step 8 Enter the priority, and choose the Authentication, Diffie-Hellman (D-H) Group, Encryption, Hash, and Lifetime values from the drop-down lists.
Note The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number.
Note When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be.
Step 9 To delete the IKE policies, choose the policy and click Delete.
Step 10 To edit the parameters of the IKE policy, click on the row or field and edit its parameters.
Step 11 Click Save to save the configuration.
Step 12 In the Encryption policy field, click the anchored plus button (+) to add the Transform Set Profile.
Step 13 In the Transform Set Profile dialog box, enter a name and choose the acceptable combination of security protocols and algorithm from the drop-down list to configure the transform set.
Step 14 Enable IP compression and choose a mode for the transform set.
Step 15 To delete the transform set, choose the transform set and click Delete.
Step 16 To edit the parameters of the transform set, click on the row or field and edit its parameters.
Step 17 Click Save to save the configuration.
Step 18 In the Topology and Routing Information section, choose the topology and the device role. For the Routing Protocol, choose Enhanced Interior Gateway Routing Protocol (EIGRP) or Routing Information Protocol Version 2 (RIPv2). Use the Other option to configure other protocols.
Note The routing information fields are disabled when you choose Hub as the device role.
Step 19 Enter the required information in the NHRP and Tunnel Parameters section.
Step 20 In the NHS Server Information section, add the Next Hop Server (NHS) information, including the IP address of the hub's physical interface and the IP address of the hub's tunnel interface.
Note If you check the Cluster Support check box, add the information, such as Cluster ID, Max Connection, and Next Hop Server. The template with the NHS cluster configuration is applied only to devices running Cisco IOS Software version 15.1(2)T or later.
Note After you create the template, publish it to make it available for deployment.
Step 21 Click Save As New Template.
The new template appears in the My Templates folder.
Step 22 Click the Publish icon to publish the template so it can be deployed. Specify the deployment options as explained in Deploying DMVPN Templates.
To create a GETVPN group member template:
Step 1 Choose Design > Configuration Templates.
Step 2 Under the Features and Technologies folder, expand the Security subfolder, then click GETVPN-GroupMember.
Step 3 In the Template Basic section, enter a name, description, and author name in the appropriate fields.
Step 4 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 5 In the Group Information section, enter the Group Name and the Group ID.
Note The Group ID is a unique identity for the GETVPN group member. This can be a number or an IP address.
Step 6 Click the IKE Authentication Policy + button to add the IKE authentication information.
Step 7 In the IKE Authentication Policy dialog box, click the Pre-Shared key or Digital Certificate radio button.
Note If you choose the default Pre-Shared key, you must provide the secret key and reconfirm it. If you choose Digital Certificate as the authentication type, the router must have a digital certificate issued by a Certificate Authority to authenticate itself.
Step 8 In the IKE Policy section, click Add Row and add the IKE policies, then click Save.
Note The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number.
Note When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be.
Step 9 Click on the row or field to edit the parameters.
Step 10 Select the IKE policies from the list and click Delete to delete the IKE policies.
Step 11 Enter the registration interface for the group member.
Step 12 In the Traffic Detail section, enter the Local Exception ACL and the Fail Close ACL.
Note If the Fail Close ACL feature is configured, all the traffic passing through the group member will be dropped until the group member is registered successfully. Once the group member registers successfully and SAs are downloaded, this feature turns off by itself.
Step 13 In the Key Servers section, enter the Primary Key Servers and Secondary Key Servers IP addresses/Hostname.
Note The primary key server is responsible for creating and distributing group policies to all group members and periodically synchronizing with the secondary key servers. The server with the highest priority is elected as a primary key server.
Step 14 Click Add Row or Delete to add or delete the secondary key server. If you want to edit the secondary key server, click on the row or field and edit the IP address of the key server.
Step 15 In the Migration section, check the Enable Passive SA check box to turn on Passive SA mode on this group member.
Note After you create the template, publish it to make it available for deployment.
Step 16 Click Save As New Template.
The template you created appears under My Templates.
Step 17 Click the Publish icon to publish the template so it can be deployed. Specify the deployment options as explained in Deploying GETVPN Templates.
Use the GETVPN-KeyServer template to configure a GETVPN key server.
To create a GETVPN Key Server template:
Step 1 Choose Design > Configuration Templates.
Step 2 Under the Features and Technologies folder, expand the Security subfolder, then click GETVPN-KeyServer.
Step 3 In the Template Basic section, enter a name, description, and author in the appropriate fields.
Step 4 From the Validation Criteria drop-down list, choose a device type and enter the OS version.
Step 5 In the Group Information section, enter the group name and group ID.
Step 6 Click the IKE Authentication Policy + button to add the IKE authentication information. The IKE Authentication Policy dialog box opens.
Step 7 Click the Pre-Shared key radio button or the Digital Certificate radio button.
Note The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common SA. If the remote IPsec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number.
Step 8 In the IKE Authentication Policy section, click Add Row to add the IKE policies.
Step 9 In the IKE Policy section, click Add Row and add the IKE policies. Click the row or field to edit the parameters. Select the IKE policies from the list and click Delete to delete them.
Step 10 Enter the WAN IP address of the device and check the Dead Peer Detection (DPD) check box to enable DPD on all key servers, to effectively keep track of the states of other key servers.
Step 11 In the Key Server Profile section, select the Rekey tab, and choose the Distribution method from the drop-down list. Enter the required information in the Rekey section.
Note When you choose Multicast as the distribution method, specify the multicast address to which the rekey must be transmitted.
Step 12 To encrypt rekey messages, use the RSA key. You can either select the existing RSA key from the drop-down list or click the + button to create a new RSA key.
Step 13 To generate an RSA key, provide the key label and modulus. Check the Exportable key check box, if you want to export the certificate.
Step 14 In the Add KeyServer dialog box, select the GETVPN Traffic tab, and enter the traffic to be encrypted, the encryption policy, and anti-replay.
Note Be sure not to encrypt certain traffic that should always be permitted even if the encrypted sessions are not active.
Step 15 Choose the Rekey Encryption algorithm from the drop-down list to encrypt the rekey.
Step 16 In the Key Server Profile page, click the GETVPN Traffic tab.
Step 17 In the GETVPN Traffic dialog box, enter the Traffic to be encrypted, the encryption policy, and anti-replay.
Click the Encryption Policy + button to add the transform sets that are to be part of this encryption policy. Add the transform set from the table, which is used to encrypt the traffic between the peers.
Step 18 In the Migration section, check the Enable Receive Only SA Feature check box to send traffic in clear text to all group members while still decrypting any encrypted traffic that arrives.
Note After you create the template, publish it to make it available for deployment.
Step 19 Click Save As New Template.
The template you created appears under My Templates.
Step 20 Click the Publish icon to publish the template so it can be deployed. Specify the deployment options as explained in Deploying GETVPN Templates.
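The note under Step 7 describes how the two negotiating peers compare IKE proposals in priority order. The following Python is an added example, not code from the original page or from any Cisco software: it models that comparison as described (lowest priority number first, the first proposal both sides support wins, the shorter offered lifetime is adopted) using constructed policy lists, and adds a small audit of which policies a peer could negotiate down to. The parameter names, the constructed policies, and the sets used to flag weak parameters are the example's own choices.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Added example (not from the page): models how two IKE peers walk their
# policy lists in priority order (lowest number first) until they find a
# proposal both support, as the IKE Authentication Policy note describes.


@dataclass(frozen=True)
class IkePolicy:
    priority: int        # lower value is compared first
    encryption: str      # e.g. "aes-256"
    hash: str            # e.g. "sha256"
    authentication: str  # "pre-share" (Pre-Shared Key) or "rsa-sig" (Digital Certificate)
    dh_group: int        # Diffie-Hellman group number
    lifetime: int        # SA lifetime in seconds

    def compatible_with(self, other: IkePolicy) -> bool:
        # Lifetime is not part of the match: IKE adopts the shorter of the two
        # offered lifetimes; every other parameter must agree exactly.
        return (self.encryption == other.encryption
                and self.hash == other.hash
                and self.authentication == other.authentication
                and self.dh_group == other.dh_group)


def negotiate(local: list[IkePolicy], remote: list[IkePolicy]) -> Optional[tuple[IkePolicy, int]]:
    """Return the first local policy (by priority) that the remote peer accepts,
    together with the agreed SA lifetime, or None if no common policy exists."""
    for proposal in sorted(local, key=lambda p: p.priority):
        for candidate in sorted(remote, key=lambda p: p.priority):
            if proposal.compatible_with(candidate):
                return proposal, min(proposal.lifetime, candidate.lifetime)
    return None


# Parameters a reviewer would not want negotiable at all. These sets are the
# example's own judgement, not a list taken from the page.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}   # "sha" is SHA-1 in IOS naming
WEAK_DH_GROUPS = {1, 2, 5}


def weak_policies(policies: list[IkePolicy]) -> list[int]:
    """Priorities of policies that a peer could negotiate down to."""
    return sorted(p.priority for p in policies
                  if p.encryption in WEAK_ENCRYPTION
                  or p.hash in WEAK_HASH
                  or p.dh_group in WEAK_DH_GROUPS)


# Constructed key server policy list: a strong certificate-based policy first,
# then a weaker pre-shared-key fallback kept for older group members.
KEY_SERVER_POLICIES = [
    IkePolicy(10, "aes-256", "sha256", "rsa-sig", 14, 86400),
    IkePolicy(20, "aes-128", "sha", "pre-share", 5, 86400),
]

# Constructed group member that only supports the weaker proposal.
LEGACY_MEMBER_POLICIES = [
    IkePolicy(10, "aes-128", "sha", "pre-share", 5, 3600),
]

# Constructed peer with no overlap at all (3DES/MD5 only).
INCOMPATIBLE_PEER_POLICIES = [
    IkePolicy(10, "3des", "md5", "pre-share", 2, 86400),
]

if __name__ == "__main__":
    print("agreed:", negotiate(KEY_SERVER_POLICIES, LEGACY_MEMBER_POLICIES))
    print("no match:", negotiate(KEY_SERVER_POLICIES, INCOMPATIBLE_PEER_POLICIES))
    print("weak priorities:", weak_policies(KEY_SERVER_POLICIES))
```

With these constructed lists the key server's priority 10 policy is offered first but the legacy member cannot use it, so negotiation falls through to the priority 20 policy and the member's 3600-second lifetime is adopted. The weak_policies audit is the check to run on a finished template: any priority it reports is a proposal that a peer can force the key server down to simply by refusing the stronger ones.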
ScanSafe Web Security is a cloud-based SaaS (Security as a Service) offering that scans the content of HTTP and HTTPS traffic. When ScanSafe Web Security is integrated with a router, selected HTTP and HTTPS traffic is redirected to the ScanSafe cloud for content scanning and malware detection.
When Cisco ISR Web Security with Cisco ScanSafe is enabled and the ISR is configured to redirect web traffic to ScanSafe, the ISR transparently redirects HTTP and HTTPS traffic to the ScanSafe proxy servers based on the IP address and port. The ScanSafe proxy servers scan the content and either allow or block the traffic based on configured policies, to enforce acceptable use and protect clients from malware. The ISR authenticates and identifies users making web traffic requests using the currently configured authentication and authorization methods. It encrypts the user credentials (including user names and user groups) and includes them in the traffic it redirects to ScanSafe. ScanSafe uses the user credentials to determine which policies to apply to which users and for user-based reporting.
You can also configure the ISR to send some web traffic directly to the originally requested web server so that it is not scanned by ScanSafe.
Whitelisting Traffic
You can configure the ISR so that some approved web traffic is not redirected to ScanSafe for scanning. When you bypass ScanSafe scanning, the ISR retrieves the content directly from the originally requested web server without contacting ScanSafe. When it receives the response from the web server, it sends the data to the client. This is called "whitelisting" traffic.
See http://www.cisco.com/en/US/docs/security/web_security/ISR_SS/ISR_ScanSafe_SolutionGuide.pdf for more information on ScanSafe.
To create the ScanSafe template, specify the following:
•ScanSafe server and interface information
•User information
•Whitelist information
To create a ScanSafe template, follow these steps.
Step 1 Click Design > Configuration Templates.
Step 2 Under the Features and Technologies folder, expand the Security subfolder, then click ScanSafe.
Step 3 Enter the basic template information.
Step 4 From the Validation Criteria drop-down list, choose the device types to which this feature template can be applied.
Step 5 In the Template Detail section, enter the ScanSafe Server and Interface information.
Step 6 Specify the HTTP/HTTPS port to which the HTTP requests are redirected.
Note By default, ScanSafe uses port 80 for the HTTP/HTTPS traffic, but you can choose to use different ports for each request type.
Step 7 Specify the license key that the ISR sends to the ScanSafe proxy servers to indicate from which organization the request has originated. The license is a 16-byte hexadecimal key.
Step 8 Choose the Drop All Traffic or Allow All Traffic option to drop or allow all the traffic when the ISR cannot reach the configured ScanSafe proxy server.
Step 9 In the User Information section, specify the user role. The options are: Global User and Global User Group.
Note Global User and Group information will be used if the web authentication is not configured under the Ingress Interfaces and default group information is not configured under the Egress Interfaces.
Step 10 In the User Group Inclusion and Exclusion Info section, click Add Row to add the user group information. The user group inclusion list is displayed.
Step 11 In the Whitelist section, check the Notify Whitelist Info to Scansafe Tower check box to send the whitelist information to the ScanSafe server. (See the Whitelisting Traffic section for more information.)
Step 12 Click Add Row to add the Safe URL, Safe User Agent, and Safe ACLs.
Step 13 To delete an existing Safe URL, Safe User Agent, or Safe ACL, select it in the list and click Delete.
Step 14 Click Save As New Template.
Step 15 Click Cancel to cancel all the changes you have made without sending them to the router.
Step 16 Navigate to the My Templates folder and choose the template you just saved.
Step 17 Click the Publish icon at the top-right corner, then click OK.
Step 18 Click the Go to Deployment icon and go to the Deploy > Configuration tasks page.
Step 19 Click Deploy on the template you published.
Step 20 For ScanSafe, you can change the interfaces.
Step 21 Specify the deployment options as explained in Specifying Template Deployment Options.
Step 22 Click OK.
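The whitelisting behavior described under Whitelisting Traffic, together with the Drop All Traffic / Allow All Traffic fallback of Step 8 and the Safe URL, Safe User Agent, and Safe ACL entries of Steps 11 through 13, can be modeled in a few lines. The following Python is an added example, not code from Cisco or from the original page. How the ISR actually evaluates each whitelist entry is not stated here, so the matching rules used (regular-expression search for URLs and User-Agent strings, destination-network match for ACLs), the constructed requests, and the addresses are all assumptions of the example.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field

# Added example (not from the page): a model of the ISR's whitelisting
# decision. The matching semantics below are this example's assumptions,
# not a statement of how the ISR evaluates the lists.


@dataclass
class Whitelist:
    safe_urls: list[str] = field(default_factory=list)         # regex patterns
    safe_user_agents: list[str] = field(default_factory=list)  # regex patterns
    safe_acls: list[str] = field(default_factory=list)         # destination CIDR blocks


@dataclass
class WebRequest:
    client_ip: str
    server_ip: str
    url: str
    user_agent: str


def is_whitelisted(req: WebRequest, wl: Whitelist) -> bool:
    """True when any Safe URL, Safe User Agent, or Safe ACL entry matches."""
    if any(re.search(p, req.url) for p in wl.safe_urls):
        return True
    if any(re.search(p, req.user_agent) for p in wl.safe_user_agents):
        return True
    dst = ipaddress.ip_address(req.server_ip)
    return any(dst in ipaddress.ip_network(n) for n in wl.safe_acls)


def route_request(req: WebRequest, wl: Whitelist, tower_reachable: bool,
                  allow_all_on_failure: bool) -> str:
    """Decide what the ISR does with one web request.

    "direct"          fetched from the origin server, never sent to ScanSafe
    "scan"            redirected to the ScanSafe proxy (tower) for inspection
    "allow-unscanned" tower unreachable and Allow All Traffic is configured
    "drop"            tower unreachable and Drop All Traffic is configured
    """
    if is_whitelisted(req, wl):
        return "direct"
    if tower_reachable:
        return "scan"
    return "allow-unscanned" if allow_all_on_failure else "drop"


def audit_whitelist(requests: list[WebRequest], wl: Whitelist) -> list[str]:
    """URLs that would bypass scanning; whitelisted traffic is never inspected,
    so this list is what a whitelist change actually lets through."""
    return [r.url for r in requests if is_whitelisted(r, wl)]


# Constructed whitelist: an internal update server by URL, a patch agent by
# User-Agent, and an internal server block by destination address.
WHITELIST = Whitelist(
    safe_urls=[r"^https?://updates\.example\.internal/"],
    safe_user_agents=[r"^PatchAgent/\d+\.\d+"],
    safe_acls=["192.0.2.0/24"],
)

# Constructed requests (RFC 5737 documentation addresses).
INTERNAL_UPDATE = WebRequest("10.1.1.20", "198.51.100.7",
                             "http://updates.example.internal/patch.cab", "Mozilla/5.0")
PATCH_AGENT = WebRequest("10.1.1.21", "198.51.100.8",
                         "https://vendor.example.com/feed", "PatchAgent/2.1 (Windows)")
INTRANET = WebRequest("10.1.1.22", "192.0.2.15", "http://192.0.2.15/", "Mozilla/5.0")
BROWSING = WebRequest("10.1.1.23", "198.51.100.9", "http://news.example.com/", "Mozilla/5.0")
ALL_REQUESTS = [INTERNAL_UPDATE, PATCH_AGENT, INTRANET, BROWSING]

if __name__ == "__main__":
    for req in ALL_REQUESTS:
        print(req.url, "->", route_request(req, WHITELIST, True, False))
    print("tower down, Drop All Traffic:", route_request(BROWSING, WHITELIST, False, False))
    print("tower down, Allow All Traffic:", route_request(BROWSING, WHITELIST, False, True))
    print("bypasses scanning:", audit_whitelist(ALL_REQUESTS, WHITELIST))
```

The audit_whitelist helper is the practical check to run whenever a Safe URL pattern, Safe User Agent string, or Safe ACL is added: because whitelisted traffic is fetched directly and never reaches ScanSafe, an entry broader than intended silently removes inspection for everything it matches. The fallback choice of Step 8 is visible in the last two outputs: with the tower unreachable, Drop All Traffic fails closed and Allow All Traffic forwards uninspected traffic.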
The Easy VPN Browser Proxy feature allows you to specify the browser proxy settings for Easy VPN clients. With this feature, users do not have to manually modify the proxy settings of their web browser when connecting to the corporate network using the Cisco IOS VPN Client, or manually revert the proxy settings when disconnecting.
To create an Easy VPN Browser Proxy template, you should specify the following:
•Proxy server settings
•IP address of proxy server
To create an Easy VPN Browser Proxy template, follow these steps.
Step 1 Click Design > Configuration Templates.
Step 2 Under the Features and Technologies folder, expand the Security subfolder, then click Easy VPN-BrowserProxy.
Step 3 Enter the basic template information.
Step 4 From the Device Type drop-down list, choose Routers.
Step 5 In the Template detail section, enter the Name, and choose the settings that you want to associate with the group.
Step 6 Choose the No Proxy Server option if you do not want the clients in this group to use a proxy server when they use the VPN tunnel.
Step 7 Choose the Automatically Detect Proxy Settings option if you want the clients in this group to automatically detect a proxy server when they use the VPN tunnel.
Step 8 Choose the Manual Configuration option to manually configure a proxy server for clients in this group. If you choose this option, complete the procedure for manually configuring a proxy server.
Step 9 Check the Bypass proxy server for local addresses box to prevent the clients from using the proxy server for local (LAN) addresses.
Note After you have created the template, click Publish to publish the template and make it available to be deployed.
Step 10 Click Save As New Template.
Step 11 Click Cancel to cancel all the changes you have made without sending them to the router.
Step 12 Navigate to the My Templates folder and choose the template you just saved.
Step 13 Click the Publish icon at the top-right corner, then click OK.
Step 14 Click the Go to Deployment icon and go to the Deploy > Configuration tasks page.
Step 15 Click Deploy on the template you published.
Step 16 Specify the deployment options as explained in Creating Wireless Controller Templates.
Step 17 Click OK.
Cable modems, xDSL routers, and other forms of broadband access provide high-performance connections to the Internet, but many applications also require the security of VPN connections that perform a high level of authentication and that encrypt the data between two particular endpoints. However, establishing a VPN connection between two routers can be complicated and typically requires tedious coordination between network administrators to configure the VPN parameters of the two routers.
The Cisco Easy VPN Remote feature eliminates much of this tedious work by implementing Cisco Unity Client Protocol, which allows most VPN parameters to be defined at a Cisco IOS Easy VPN server. This server can be a dedicated VPN device, such as a Cisco VPN 3000 concentrator or a Cisco PIX Firewall or a Cisco IOS router that supports the Cisco Unity Client Protocol.
After the Cisco Easy VPN server has been configured, a VPN connection can be created with minimal configuration on an Easy VPN remote, such as a Cisco 800 series router or a Cisco 2800 series router. When the Easy VPN remote initiates the VPN tunnel connection, the Cisco Easy VPN server pushes the IPsec policies to the Easy VPN remote and creates the corresponding VPN tunnel connection.
Before you create an Easy VPN Remote template, you should create an ACL template and publish the ACL template. See Creating ACL Templates. To create an Easy VPN Remote template, follow these steps.
Step 1 Click Design > Configuration Templates.
Step 2 Under the Features and Technologies folder, expand the Security subfolder, then click Easy VPN Remote.
Step 3 Enter the basic template information.
Step 4 From the Device Type drop-down list, choose Routers.
Step 5 In the Easy VPN Remote Interface Configuration section, enter the Profile Name, Inside and Outside Interfaces, and Easy VPN Server Assignment for the Easy VPN remote. Also, set the default server.
•Inside Interfaces are the inside interfaces included in this Easy VPN connection. All hosts connected to these interfaces are part of the VPN.
•Outside Interface is the interface that connects to the Easy VPN server or concentrator.
•Virtual Template provides a routable interface to selectively send traffic to different Easy VPN concentrators as well as to the Internet.
Step 6 In the Easy VPN Remote connection characteristics section:
a. Choose the mode of operation. The Cisco Easy VPN Remote feature supports three modes of operation: client, network extension, and network extension plus.
b. Enter the ACL for subnets that are not part of the inside interfaces.
c. Enable identical addressing if you want to integrate Network Address Translation (NAT) with Easy VPN and allow remote clients with overlapping internal IP addressing to connect to the Easy VPN server.
Note Easy VPN Remote must be configured in network extension mode before you can configure Identical Addressing.
d. Specify the connection method to bring up the tunnel.
Step 7 In the Remote Authentication Mechanisms section, choose the authentication method.
Step 8 In the Remote Firewall Settings section, set the firewall settings for the Easy VPN Remote connection.
Step 9 Click Save As New Template.
Step 10 Click Cancel to cancel all the changes you have made without sending them to the router.
Step 11 Navigate to the My Templates folder and choose the template you just saved.
Step 12 Click the Publish icon at the top-right corner, then click OK.
Step 13 Create a composite template (Creating Composite Templates) and add the ACL (Creating ACL Templates) and EasyVPN_Remote templates to the composite template.
Step 14 Using the arrows, put the templates in the composite into the order in which they should be deployed to the devices. For example, to create an ACL and associate it with an interface, put the ACL template first, followed by the EasyVPN_Remote template.
Step 15 Click Save as New Template.
Step 16 Navigate to the My Templates folder and choose the template you just saved.
Step 17 Click the Publish icon to publish the template so it can be deployed.
Step 18 Click the Go to Deployment icon and go to the Deploy > Configuration Tasks page.
Step 19 Click Deploy on the template you published.
Step 20 Specify the deployment options as explained in Creating Wireless Controller Templates.
Step 21 Click OK.
The Easy VPN Server feature introduces server support for the Cisco VPN Client Release 3.x and later software clients and Cisco VPN hardware clients (such as the Cisco 800, Cisco 900, Cisco 1700, VPN 3002, and PIX 501 devices). This feature allows a remote end user to communicate using IP Security (IPsec) with any Cisco IOS Virtual Private Network (VPN) gateway. Centrally managed IPsec policies are "pushed" to the client device by the server, minimizing configuration by the end user.
Before you create an Easy VPN Server template, you should:
•Create an AAA method list for the group and user by using the CLI template
•Create an IPsec Profile template
•If you choose Crypto Map, create a Transform Set template
•(Optional) Create a CLI template for the RADIUS server group creation, or configure the RADIUS server while creating the AAA method list
•(Optional) Create an ACL template for the split tunnel ACL in the ISAKMP Group configuration
•Create a Browser Proxy template for the ISAKMP group configuration
Before creating an Easy VPN Server template, make sure you have satisfied the prerequisites as described in Prerequisites for Creating Easy VPN Server Template. To create an Easy VPN Server template, follow these steps.
Step 1 Click Design > Configuration Templates.
Step 2 Under the Features and Technologies folder, expand the Security subfolder, then click Easy VPN Server.
Step 3 Enter the basic template information.
Step 4 From the Device Type drop-down list, choose Routers.
Step 5 In the Interface Configuration section, choose the configuration method and complete the fields for the interface that is configured on the device. The options are: Configure Dynamic Virtual Tunnel Interface and Configure Dynamic Crypto Map.
Step 6 In VPN Components Assembly, enter the Transform Set profile name that you created in the Transform Set template (Transform Sets) and complete the fields in this section.
Step 7 In the Group Authorization section, enter the Method List profile name that you created in the CLI template and complete the fields in this section.
Step 8 In the User Authorization section, enter the same Method List profile name that you created in the CLI template and complete the fields in this section.
Step 9 In the ISAKMP Group configuration section, click Add Row to add the ISAKMP Group configuration.
Step 10 In the ISAKMP Group configuration dialog box, enter the ACL profile name that you created in the ACL template and the Browser Proxy profile name that you created in the Browser Proxy template, and complete the fields in this section.
Step 11 Click Save As New Template.
Step 12 Click Cancel to cancel all the changes you have made without sending them to the router.
Step 13 Navigate to the My Templates folder and choose the template you just saved.
Step 14 Click the Publish icon at the top-right corner, then click OK.
Step 15 Create a composite template (Creating Composite Templates) and add the AAA Method List and RADIUS server (Creating Composite Templates), IPsec Profile (IPsec Profile), ACL (Creating ACL Templates), Browser Proxy (Creating and Deploying Easy VPN Browser Proxy Template), and EasyVPN_Remote templates to the composite template.
Step 16 Using the arrows, put the templates in the composite into the order in which they should be deployed to the devices. For example, to create an ACL and associate it with an interface, put the ACL template first, followed by the EasyVPN_Remote template.
Step 17 Click Save as New Template.
Step 18 Navigate to the My Templates folder and choose the template you just saved.
Step 19 Click the Publish icon to publish the template so it can be deployed.
Step 20 Click the Go to Deployment icon and go to the Deploy > Configuration Tasks page.
Step 21 Click Deploy on the template you published.
Step 22 Specify the deployment options as explained in Creating Wireless Controller Templates.
Step 23 Click OK.
To create the GSM Profile template, follow these steps.
Step 1 Click Design > Configuration Templates.
Step 2 Under the Features and Technologies folder, expand the Interface subfolder, then choose Cellular > GSM Profile.
Step 3 Enter the basic template information.
Step 4 From the Device Type drop-down list, choose Routers.
Step 5 In the Template Detail section, enter the Access Point Name and select the profile number from the drop-down list.
Step 6 Choose the type of authentication used by your service provider. CHAP authentication is more secure than PAP authentication.
Step 7 Enter the Username and Password. The username is given to you by your Internet service provider or network administrator and is used as the username for CHAP or PAP authentication.
Step 8 Click Save as New Template.
Step 9 Specify the deployment options as explained in Specifying Template Deployment Options.
Step 10 Click OK.
To create the Cellular Profile Template, follow these steps.
Note To deploy the cellular profile template on a GSM HSPA, HSPA+R7, or LTE-Verizon modem, the GSM profile (Creating GSM Profile Template) must already be created on the router.
Step 1 Click Design > Configuration Templates.
Step 2 Under the Features and Technologies folder, expand the Interface subfolder, then choose Cellular > Cellular Profile.
Step 3 Enter the basic template information.
Step 4 From the Device Type drop-down list, choose Routers.
Step 5 In the Template Detail section, define the interface as Primary WAN Interface or Backup WAN Interface and complete the fields.
Step 6 In the Dialer Configuration section, click the Yes radio button to enable the persistent data connection and complete the fields.
Step 7 Click Save as New Template.
Step 8 Specify the deployment options as explained in Specifying Template Deployment Options.
Step 9 Click OK.
You can create or change the feature configuration for the selected device. The following topics provide more information:
The Interfaces feature helps in setting up the physical and logical interfaces. The types of physical interfaces on a device depend on the SKU and its interface processors or port adapters. IPv4 and IPv6 addressing are supported for all interfaces, including service modules, WAN, LAN, and logical interfaces. The following interfaces are supported in this release:
WAN Interfaces
•Serial
•POS
•DSL (ATM and Ethernet)
LAN Interfaces
•Gigabit Ethernet
•Fast Ethernet
•Switch Port
Logical Interfaces
•Loopback
•VLan
•Tunnel
•Virtual Template
To edit and delete the Serial interface:
Step 1 Choose Operate > Device Work Center.
Step 2 Choose the device from the list or click Add to add a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Interface folder, then choose Interfaces.
Step 5 In the Interface page, select the serial interface from the list and click Edit.
Step 6 In the Create or Edit Serial Interface page, enter the basic configuration information.
Step 7 Select the encapsulation type as HDLC, PPP, or Frame Relay, and use the Advanced Configuration section to configure the encapsulation.
Note For controller-based serial interfaces, only interface configurations are supported.
Step 8 Enter the IPv4 or IPv6 address.
Step 9 For Frame Relay, check the IETF option to connect to non-Cisco routers.
Note The Autosense feature is supported on Frame Relay. Autosense allows the router to detect the LMI type in use by communicating with the switch, and then to use the same type.
Step 10 For PPP, specify the CHAP and PAP configurations with directions.
Step 11 Click Save.
Step 12 The Interface Summary page displays the modified interfaces.
Step 13 Click Save / Deploy to save the changes in the device.
Step 14 To delete the configuration on this interface, select the interface and click Delete. The interface configuration will be reset to default values.
Step 15 Click Save / Deploy to save the changes in the device.
Step 16 Click Reset to reset the values on the interface.
To edit and delete the POS interface:
Step 1 Choose Operate > Device Work Center.
Step 2 Choose the device from the list or click Add to add a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Interface folder, then choose Interfaces.
Step 5 In the Interface page, select the POS interface from the list and click Edit.
Step 6 In the Create or Edit POS Interface page, enter the basic configuration information.
Step 7 Check the Enable SPE Scrambling check box to enable the SPE scrambling.
Step 8 Check the Send LAIS when Shutdown check box to send the LAIS information.
Step 9 Select the encapsulation type as HDLC, PPP, or Frame Relay, and use the Advanced Configuration section to configure the encapsulation.
Note For controller-based serial interfaces, only interface configurations are supported.
Step 10 Enter the IPv4 or IPv6 address.
Step 11 In the Advanced Configuration section, select the alarm reporting and alarm reporting threshold options to receive alarms when there is any event.
Step 12 Repeat Step 9 through Step 16 from the Configuring Serial Interface section.
To edit and delete the Service Module interface:
Step 1 Choose Operate > Device Work Center.
Step 2 Choose the device from the list or click Add to add a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Interface folder, then choose Interfaces.
Step 5 In the Interface page, select the service module interface from the list and click Edit. The Create or Edit Service Module Interface page appears.
Step 6 In the Create or Edit Service Module Interface page, enter the basic configuration information.
Step 7 Enter the IPv4 or IPv6 address.
Step 8 Click Save.
Step 9 Click Save / Deploy to save the changes in the device.
Step 10 To delete the configuration on this interface, select the interface and click Delete. The interface configuration will be reset to default values.
Step 11 Click Save / Deploy to save the changes in the device.
Step 12 Click Reset to reset the values on the interface.
To create, edit, and delete the DSL, SHDSL, and VDSL interface:
To create, edit, and delete the Loopback interface:
Step 1 Choose Operate > Device Work Center.
Step 2 Choose the device from the list or click Add to add a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Interface folder, then choose Interfaces.
Step 5 In the Interface page, click Add Logical Interface > Loopback.
Step 6 In the Create or Edit Loopback Interface page, enter the basic configuration information.
Step 7 Enter the IPv4 or IPv6 address.
Step 8 Click OK.
Step 9 Click Save / Deploy to save the changes in the device.
Step 10 To delete the configuration on this interface, select the interface and click Delete. The interface configuration will be reset to default values.
Step 11 Click Save / Deploy to save the changes in the device.
Step 12 Click Reset to reset the values on the interface.
To create, edit, and delete the Vlan interface:
Step 1 Choose Operate > Device Work Center.
Step 2 Choose the device from the list or click Add to add a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Interface folder, then choose Interfaces.
Step 5 In the Interface page, click Add Logical Interface > VLan.
Step 6 In the Create or Edit Vlan Interface page, enter the basic configuration information.
Step 7 Enter the IPv4 or IPv6 address.
Step 8 Click Save.
Step 9 To delete the configuration on this interface, select the interface and click Delete. The interface configuration will be reset to default values.
Step 10 Click Save / Deploy to save the changes in the device.
Step 11 Click Reset to reset the values on the interface.
To create, edit, and delete the Tunnel interface:
Step 1 Choose Operate > Device Work Center.
Step 2 Choose the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Interface folder, then choose Interfaces.
Step 5 In the Interface page, click Add Logical Interface > Tunnel.
Step 6 In the Create or Edit Tunnel Interface page, enter the basic configuration information.
Step 7 Select the tunnel mode from the drop-down list.
Step 8 Enter the IPv4 or IPv6 address.
Step 9 In the Advanced Configuration section, enter the tunnel source and tunnel destination, and select the IPSec profile from the drop-down list.
Step 10 Click Save.
Step 11 To delete the configuration on this interface, select the interface and click Delete. The interface configuration will be reset to default values.
Step 12 Click Save / Deploy to save the changes in the device.
Step 13 Click Reset to reset the values on the interface.
To create, edit, and delete the Virtual Template interface:
Step 1 Choose Operate > Device Work Center.
Step 2 Choose the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Selector panel appears.
Step 4 Expand the Interface folder, then choose Interfaces.
Step 5 In the Interface page, click Add Logical Interface > Virtual Template.
Step 6 In the Create or Edit Virtual Template Interface page, enter the basic configuration information.
Step 7 Select the type from the drop-down list. The options are: Ethernet, Serial, and Tunnel.
a. If you select Ethernet as the type, specify the MTU and the Bandwidth.
b. If you select Serial as the type, specify the encapsulation method. The options are: Slip, PPP, and Frame Relay.
–For PPP, specify the CHAP and PAP configurations.
–For Frame Relay, specify the LMI and DLCI, and check the Use IETF encapsulation when connecting to non-Cisco routers check box.
c. If you select Tunnel as the type, enter the tunnel source and tunnel destination, and select the IPSec profile from the drop-down list.
Step 8 Click Save.
Step 9 To delete the configuration on this interface, select the interface and click Delete. The interface configuration will be reset to default values.
Step 10 Click Save / Deploy to save the changes in the device.
Step 11 Click Reset to reset the values on the interface.
To create, edit, and delete the Cellular WAN interfaces:
Step 1 Choose Operate > Device Work Center.
Step 2 Choose the device from the list or click Add to add a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Interface folder, then choose Interfaces > Cellular WAN Interfaces.
Step 5
The Application Visibility (AV) feature helps in monitoring the traffic sent toward the Internet. To configure AV, you need to perform the following:
•Create / Update AV Configuration
•Assign AV policies on interfaces
•Change AV Advanced options
Note The Application Visibility feature is supported on ASR devices running IOS version 3.5 or later. This feature is not supported on ISR devices. CLI changes to configuration items whose names start with "EMS_" are not supported and may cause unexpected behavior.
The Application Visibility Configuration feature creates the required elements in the device to send the NetFlow messages for Transaction Records and Usage Records. To configure AV, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Choose the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Application Visibility folder, and then choose Configuration. The AV Configuration page appears.
Step 5 From the AV Configuration page, set the Primary CM IP Address and port, Secondary CM IP Address and port, VPN Routing and Forwarding (VRF), Source IP address, and Export protocol.
Note For Source IP address, specify the IP address of an interface; it is used as the source address for FNF messages sent to the CM.
Note The Export Protocol is supported from IOS version 3.7 or later. For IOS version 3.7 or later, IPFIX is the default value. For older versions, netflow-v9 is set as the default value.
Step 6 Set the advanced AV parameters. For more information on the Advanced AV parameters, see Changing AV Advanced Options.
Step 7 Click Save / Apply to save the changes in the server.
To edit the existing AV policy, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Choose the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Application Visibility folder, and then choose Interfaces.
Step 5 In the Interface page, select one or more interfaces and click Edit.
Step 6 To monitor bandwidth usage and traffic at the transaction level, select the usage/transaction records in the input reports or output reports section.
Step 7 Select IPv4, IPv6, or IPv4+IPv6 from the drop-down list.
a. Usage Records (UR)—Usage Records are records of the different types of applications that run on a specific interface. The operator can use the Usage Records to monitor the bandwidth usage of different applications. The Usage Records can show the application usage over a specific time period, the peak and average usages, and usage for a specific application type. Usage Records perform periodic aggregation of the category information for the interface (for example, export information for peer-to-peer traffic or email usage).
b. Transaction Records (TR)—A transaction is a set of logical exchanges between endpoints. There is normally one transaction within a flow. The Transaction Record monitors the traffic at transaction levels. These records provide a detailed analysis of the traffic flows. Transaction Records are bound to the input and output directions of the network side interfaces. These Transaction Records allow the system to capture each unidirectional flow once.
Step 8 Click OK to deploy the changes to the device.
To change the Application Visibility Advanced options, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Application Visibility folder, and then click Configuration.
Step 5 In the AV Configuration page, set the new values for the AV configuration.
Step 6 Specify the Differentiated Services Codepoint (DSCP) value to set the exporter DSCP service code point value.
Step 7 Specify the Time-to-Live (TTL) value to set the exporter TTL or hop limit.
Step 8 Click the title area to view the FNF Advanced Options, FNF Record Advanced Options, and NBAR Advanced Options.
Step 9 To customize the value, check the specific attribute check box and set the new value. To use the system default value, uncheck the check box of the specific attribute.
Step 10 In the FNF Advanced Options, set the timeout value in seconds.
Step 11 In the FNF Record Advanced Options, set the maximum number of flow entries in the flow cache and specify the active and inactive flow timeouts in seconds. Check the Disable Unresolved Traffic Reporting check box to disable the total usage records.
Step 12 In the IPv4/IPv6 NetFlow Sampled Transaction Records section, set the maximum number of flow entries in the flow cache and define the sampling rate.
Step 13 In the NBAR Advanced Options section, define the maximum allowed sessions in multiples of 50000.
Step 14 Click Save / Deploy to save the changes in the device.
Step 15 Click Reset to Default to reset the parameter values to their default values.
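The following is an added example, not CLI generated by the product, showing the Flexible NetFlow configuration that the exporter and record options above (Steps 6, 7, 10, 11, and 12) correspond to on a Cisco IOS router. The collector address, interface names, record type, and all numeric values are assumptions; the NBAR session limit of Step 13 is not shown.

```ios
! Added example: FNF exporter and monitor settings behind the AV Advanced Options.
! Collector address, interfaces and values are assumptions.
!
! Exporter: Step 6 (DSCP), Step 7 (TTL) and Step 10 (template timeout)
flow exporter AV-EXPORTER
 destination 192.0.2.10
 source GigabitEthernet0/0
 transport udp 9991
 dscp 32
 ttl 64
 template data timeout 300
!
! Monitor: Step 11 (cache size, active/inactive timeouts) using a predefined record
flow monitor AV-MONITOR
 record netflow ipv4 original-input
 exporter AV-EXPORTER
 cache entries 50000
 cache timeout active 60
 cache timeout inactive 15
!
! Sampler: Step 12 (sampled transaction records, 1 packet in 100)
sampler AV-SAMPLER
 mode random 1 out-of 100
!
! Transaction records are bound to both directions of the network-side interface
interface GigabitEthernet0/1
 ip flow monitor AV-MONITOR sampler AV-SAMPLER input
 ip flow monitor AV-MONITOR output
```

Lowering the inactive timeout and raising the cache size are the two knobs that matter when a scan or flood creates many short flows: a small cache with a long inactive timeout silently drops new flows, which is exactly the traffic an operator wants to see.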
Network Address Translation (NAT) is the process by which a network device, usually a router or firewall, substitutes a public address for the private address of a computer (or group of computers) inside a private network. NAT limits the number of public IP addresses an organization uses, which both conserves address space and hides the internal addressing plan.
NAT allows organizations to resolve the problem of IP address depletion when they have existing networks and need to access the Internet. NAT allows the IP network of an organization to use a different IP address space for the outside network. Thus, NAT allows an organization that does not have globally routable addresses to connect to the Internet by translating those addresses into globally routable address space. NAT also allows a more graceful renumbering strategy for organizations that are changing service providers or voluntarily renumbering into Classless Inter Domain Routing (CIDR) blocks. NAT is described in RFC 1631 (since obsoleted by RFC 3022).
A router configured with NAT has at least one interface to the inside network and one to the outside network. In a typical environment, NAT is configured at the exit router between a sub domain and a backbone. When a packet leaves the domain, NAT translates the locally significant source address into a globally unique address. When a packet enters the domain, NAT translates the globally unique destination address into a local address. If more than one exit point exists, each NAT must have the same translation table. If NAT cannot allocate an address because it has run out of addresses, it drops the packet and sends an Internet Control Message Protocol (ICMP) host unreachable message back to the source.
For more information on NAT, see http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/iadnat-addr-consv.html.
NAT operates on a router, generally connecting only two networks together, and translates your private (inside local) addresses within the internal network into public (inside global) addresses before any packets are forwarded to another network. This functionality gives you the option to configure NAT so that it advertises only a single address for your entire network to the outside world. Doing this hides the internal addressing plan from the outside world. This is address hiding, not access control: hosts with static translations, and inside hosts that initiate connections, remain reachable through their translations, so NAT does not replace an inbound access list or firewall policy.
NAT types include:
•Static Address Translation (SAT) —Allows one-to-one mapping between local and global addresses.
•Dynamic Address Translation—Maps unregistered IP addresses to registered IP addresses from a pool of registered IP addresses.
•Overloading—A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many to one) using different ports. This method is also known as Port Address Translation (PAT). By using PAT (NAT Overload), thousands of users can be connected to the Internet using only one real global IP address.
To configure NAT, perform the following steps:
1. Create the NAT pool (required for Dynamic NAT)
2. Configure the ACL
3. Create the NAT44 rules
4. Assign rules on the interfaces
5. Set up the NAT maximum translation (Optional)
Note The NAT feature is supported on the ASR platform from Cisco IOS XE Release 3.5 or later, and on the ISR platform from Cisco IOS Release 12.4(24)T or later. CLI objects whose names start with "EMS_" are reserved; changing them is not supported and may cause unexpected behavior.
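The following is an added example, not CLI generated by the product, showing the five NAT steps listed above as Cisco IOS configuration. The pool, ACL and interface names, and all addresses (taken from the RFC 5737 documentation ranges) are assumptions.

```ios
! Added example: the NAT procedure (pool, ACL, rules, interfaces, limits) in IOS.
! Names, interfaces and addresses are assumptions.
!
! 1. NAT pool (required only for dynamic NAT)
ip nat pool OUTSIDE-POOL 203.0.113.10 203.0.113.20 prefix-length 24
!
! 2. ACLs that select which inside hosts are translated
ip access-list standard NAT-DYNAMIC
 permit 10.1.1.0 0.0.0.255
ip access-list standard NAT-PAT
 permit 10.1.2.0 0.0.0.255
!
! 3. NAT44 rules: one static (1:1), one dynamic (pool), one dynamic PAT (overload)
ip nat inside source static 10.1.3.50 203.0.113.50
ip nat inside source list NAT-DYNAMIC pool OUTSIDE-POOL
ip nat inside source list NAT-PAT interface GigabitEthernet0/1 overload
!
! 4. Interface association: Inside / Outside (an interface set to None is not translated)
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
!
! 5. Optional rate limiting: a global ceiling and a tighter per-host ceiling
!    so that one misbehaving host cannot exhaust the translation table
ip nat translation max-entries 300
ip nat translation max-entries host 10.1.3.50 50
```

The static rule makes 10.1.3.50 permanently reachable from the outside at 203.0.113.50, so it should be paired with an inbound access list on the outside interface that permits only the intended services; the dynamic and PAT rules create translations only for connections that inside hosts initiate.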
The IP Pool is a device object that represents IP ranges to be used on the Dynamic NAT. The NAT IP Pools feature allows you to create a new pool that can be used in the Dynamic NAT, change the existing pool, and delete the pool from the device.
To create, edit, and delete the IP Pools, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the NAT folder, and then click IP Pools. The NAT Pools page appears.
Step 5 Click the Add IP Pool > IP+Prefix or IP Range + Prefix button, and enter the Name, IP Address/Range, Prefix Length, and Description. You cannot change the name of the pool after creating the pool.
Note A valid IPv4 address consists of 4 octets separated by a period (.).
Step 6 Click OK to save the configurations.
Step 7 Click the Apply button to deploy the pool to the server database.
Step 8 To edit an existing IP Pool, in the NAT IP Pools page do one of the following:
•Click the row of the IP Pool, and edit the parameters in place.
•Select the IP Pool, and click the Edit button. The selected IP Pool opens for editing. You can edit all the parameters except the pool name.
Step 9 Click Save / Apply to save the changes in the server.
Step 10 To delete the existing IP Pools, select the IP Pool, and then click the Delete button.
Step 11 Click OK on the warning message to delete the IP Pool. The selected IP Pool will be deleted.
The NAT44 feature allows the user to create, delete, and change the NAT44 rules.
This section describes how to create the NAT44 rules.
There are three types of NAT rules:
•Static
•Dynamic
•Dynamic PAT
To create the NAT44 rule, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the NAT folder, and then click NAT44.
Step 5 From the NAT44 Rule page, click the down arrow icon on the Add NAT Rule button.
•Click Static to create Static Rule. For elements on this page, see Table 4-6.
•Click Dynamic to create Dynamic NAT Rule. For elements on this page, see Table 4-7.
•Click Dynamic PAT to create Dynamic PAT Rule. For elements on this page, see Table 4-8.
Table 4-6 lists the elements on the Static Rule page.
Table 4-7 lists the elements on the Dynamic NAT page.
Table 4-8 lists the elements on the Dynamic PAT page.
Step 6 Click:
•Save to save and deploy the changes to the device.
•Cancel to exit without saving.
Step 7 To edit an existing NAT44 rule in the NAT44 page, do one of the following:
•Click the row of the NAT44 rule, and edit the parameters in place.
•Select the NAT44 rule, and click the Edit button. The selected NAT44 rule opens for editing. You can edit all the parameters except the Name.
Step 8 You can change the Source and Destination according to the creation rules. You can also change the Options selection according to the creation rules.
Step 9 Click Save/ Apply to save the changes in the server.
Step 10 To delete the existing NAT44 rules, select the rules, and then click the Delete button.
Step 11 Click OK on the warning message to delete the rules. The selected NAT44 rules will be deleted.
A virtual interface is a logical interface configured with generic configuration information for a specific purpose or for configuration common to specific users, plus router-dependent information.
To mark an interface as NAT inside or NAT outside, or to remove that association, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the NAT folder, and then click Interfaces. In the Interfaces page, select the interface you want to change, enter the VRF, and select the association from the drop-down list. The options are: Inside, Outside, and None.
Step 5 Click:
•Save/ Apply to save the changes in the server.
•Cancel to exit without saving.
The Rate Limiting NAT Translation feature limits the maximum number of concurrent NAT translations on a router, either globally or per host, per VRF, or per access list. Every new translation consumes memory and CPU, so a single compromised inside host that opens thousands of flows (a worm, a scanner, or a denial-of-service source) can otherwise exhaust the translation table and deny service to every other inside host; a per-host limit contains that host while the global limit protects the router itself.
The NAT Maximum Translations page allows you to set or reset these global translation limits.
To set the MAX Translation, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the NAT folder, and then click Max. Translation.
Step 5 Reset the parameter values. Configure the maximum number of NAT entries that are allowed for all the parameters. A typical range for a NAT rate limit is from 100 to 300 entries.
Step 6 Click:
•Save / Apply to save the changes in the server.
•Cancel to exit without saving.
The DMVPN feature allows users to scale large and small IP Security (IPsec) VPNs by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP).
A typical VPN connection is a point-to-point IPsec tunnel connecting two routers. DMVPN enables you to create a network with a central hub that connects other remote routers, referred to as spokes, using GRE over IPsec tunnels. In a hub-and-spoke topology, traffic between spokes is routed through the hub; with dynamic spoke-to-spoke tunnels (a fully meshed topology), spokes use NHRP to resolve each other's addresses and build direct tunnels.
See Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs) for more information about DMVPN (requires a CCO login ID).
Cisco Network Control System allows you to configure your router as a DMVPN hub or DMVPN spoke. You can configure the router in the following ways:
•Hub or spoke in a hub-and-spoke topology. See Configuring Hub and Spoke Topology.
•Spoke with dynamic spoke-to-spoke tunnels in a fully meshed topology. See Configuring Fully Mesh Topology.
You should configure the following parameters to create the DMVPN tunnel:
•Device role and topology type
•Multipoint GRE interface information
•NHRP and tunnel parameters
•Next Hop Server (NHS) information (Optional)
To create the DMVPN tunnel, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then click DMVPN. Click the Add button to create the DMVPN.
Step 5 In the Device Role and Topology Type section, select the topology and the device role. The options are: Spoke, Hub, and Dynamic Connection between Spokes.
Step 6 In the Multipoint GRE Interface Information section, select the WAN interface that connects to the Internet from the drop-down list.
Step 7 Enter the IP address of the Tunnel Interface, and Subnet Mask.
Step 8 In the NHRP and Tunnel Parameters section, complete the fields on this section.
Note The Network ID is a 32-bit identifier for the NHRP domain on the Non Broadcast Multiaccess (NBMA) network. The tunnel key identifies a particular tunnel interface when several tunnels share the same tunnel source; the hub and its spokes must use the same key. The MTU is the maximum size of IP packets sent on the tunnel interface; set it below the physical interface MTU to leave room for the GRE and IPsec headers.
Note The default MTU value for Ethernet and serial interfaces is 1500. The default value varies depending upon the media type. The tunnel throughput delay sets the delay value of the tunnel interface, which routing protocols such as EIGRP use when calculating their metric.
Step 9 In the Encryption policy field, click the anchored plus button (+) to add the Transform Set Profile.
Step 10 In the Transform Set Profile dialog box, enter the Name and choose the acceptable combination of security protocols and algorithm from the drop-down list to configure the transform set.
Step 11 Check the IP Compression check box to enable IP compression for the transform set.
Step 12 Choose the mode for the transform set. The options are: Tunnel mode or Transport mode.
Step 13 In the NHS Server Information section, enter the IP addresses of the hub's physical (NBMA) interface and tunnel interface, and the Fallback Time. If the device supports NHS clusters, add the next hop server information, such as Cluster ID, Max Connection, Hub IP address, and Priority.
Note The NHS server information is required only for spoke configuration. If you check the Use Cluster for NHS check box, add the information, such as Cluster ID, Max Connection, and Next Hop Server. The template with the NHS cluster configuration will be applied only to devices running Cisco IOS Software Release 15.1(2)T or later.
Step 14 In the Routing Information section, choose the routing protocol. The options are: EIGRP, RIPv2, and Other.
Note The routing information is required only for hub configuration.
Step 15 Choose an existing EIGRP autonomous system number from the drop-down list or enter a new one. Use the Other option to configure other protocols.
Step 16 Click Save to save a single NHS server entry and its priority, then Save again to save the group of servers, and Save again to save the NHS cluster information. When you save the NHS cluster information, the NHS server address is populated in the non-editable field.
Step 17 Click OK to save the configuration to the device.
Step 18 Click Cancel to cancel all the changes you have made without sending them to the router.
To configure the hub and spoke topology, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then click DMVPN. Click the Add button to create the DMVPN tunnel.
Step 5 In the Device Type and Topology section, choose Hub and Spoke as the topology, and select either Hub or Spoke as a device role.
Step 6 Select the WAN interface from the drop-down list, and then configure the Multipoint GRE IP Address and the subnet mask for the tunnel interface.
Step 7 Configure the NHRP and the Tunnel Interface parameters, such as the IP address, NHRP parameters and map, MTU value, Source of the Tunnel, Tunnel Mode, and Tunnel Key.
Step 8 Create the transform-set for protecting the data flow between the devices. You can specify up to four transforms: One Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication, and one compression. These transforms define the IPSec security protocols and the algorithms.
Step 9 Configure the routing protocol to be used.
Step 10 Click Save to save the configuration to the device.
Step 11 Click Cancel to close the Create DMVPN Tunnel page without applying the changes to the device.
The dynamic spoke-to-spoke option allows you to configure the DMVPN fully meshed topology. In this topology, you can configure the router as a spoke, capable of establishing a direct IPSec tunnel to other spokes in the network.
To configure the fully meshed (dynamic spoke-to-spoke) topology, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then click DMVPN. Click the Add button to create the DMVPN tunnel with fully meshed topology.
Step 5 From the Create DMVPN Tunnel configuration page, select the Full Mesh radio button to configure the network type as full mesh topology.
Step 6 Repeat Step 6 through Step 8 from the Configuring Hub and Spoke Topology section.
Step 7 For a fully meshed spoke, in the NHS Server Information section, add the next hop server information: the IP address of the hub's physical interface and the IP address of the hub's tunnel interface.
Step 8 Click Save to save the configuration to the device.
Step 9 Click Cancel to close the Create DMVPN Tunnel page without applying the changes to the device.
To configure an NHS cluster (a group of hubs with priorities, so that a spoke keeps a limited number of hub tunnels up and fails over between them), follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then click DMVPN. Click the Add button to create the DMVPN tunnel.
Step 5 From the Create DMVPN Tunnel configuration page, select the Spoke radio button to configure the device role as a spoke.
Step 6 Repeat Step 6 through Step 8 from the Configuring Hub and Spoke Topology section.
Note The device must be running IOS version of 15.1(2)T or later.
Step 7 Click the Add Row button to configure the cluster related information, and add the Cluster-ID and Maximum Connection values.
Step 8 Click the Expand Row button (next to the radio button) and click the Add Row button to add the NHS server information.
Step 9 Enter the NHS server, the GRE Tunnel IP addresses, and the Priority of this NHS server. Click the Save button to save the NHS server entry configuration.
Step 10 Click the Save button to save the NHS server group information.
Step 11 Click the Save button again to save the NHS group information with the cluster configuration. This will automatically populate the NHS server IP address in the table.
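The following is an added example, not CLI generated by the product, showing one DMVPN hub and one spoke with the pieces configured in the three procedures above: the encryption policy (transform set) and tunnel protection, the multipoint GRE interface with NHRP and tunnel parameters, EIGRP routing on the hub, and a spoke that registers with an NHS cluster of two hubs and can build dynamic spoke-to-spoke tunnels. Addresses, interface names, the pre-shared key, the NHRP authentication string and the EIGRP autonomous system number are assumptions.

```ios
! Added example: DMVPN hub and spoke in IOS. All names, addresses and keys are assumptions.
!
! --- Crypto shared by hub and spokes (encryption policy / transform set) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard pre-shared key: every spoke shares it (see caveat below)
crypto isakmp key DmvpnPskCHANGEME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! --- Hub (device role Hub, topology Hub and Spoke) ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 no ip split-horizon eigrp 100
 no ip next-hop-self eigrp 100
 delay 1000
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.10.0.0 0.0.255.255
!
! --- Spoke (device role Spoke; the NHS cluster commands need IOS 15.1(2)T or later) ---
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp network-id 100
 ! Cluster 1: keep one of the two hubs up, prefer priority 1, retry the better hub after 60 s
 ip nhrp nhs cluster 1 max-connections 1
 ip nhrp nhs 10.0.0.1 nbma 192.0.2.1 multicast priority 1 cluster 1
 ip nhrp nhs 10.0.0.2 nbma 192.0.2.2 multicast priority 2 cluster 1
 ip nhrp nhs fallback 60
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.11.0.0 0.0.255.255
```

The multipoint tunnel mode on the spoke together with no next-hop-self on the hub is what lets spokes learn each other's tunnel addresses and build direct tunnels. Two caveats a practitioner should keep in mind: the NHRP authentication string is a plain-text domain tag, not a cryptographic control, so the protection comes entirely from the IPsec profile; and a wildcard pre-shared key shared by all spokes means one compromised spoke can impersonate any other, so larger deployments should authenticate with certificates instead.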
To edit the existing DMVPN tunnel, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then click DMVPN. The available tunnel is displayed.
Step 5 Select the tunnel, and click the Edit button. The Edit DMVPN Tunnel page opens.
Step 6 From the Edit DMVPN Tunnel page, you can edit the DMVPN parameters.
Step 7 Click OK to send the edited DMVPN tunnel configuration to the device.
Step 8 Click Cancel to close the Edit DMVPN Tunnel page without applying the configuration to the device.
To delete the existing DMVPN tunnel, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list to delete the DMVPN tunnel. If the device is not added, click the Add button to add the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then click DMVPN. The available tunnel is displayed.
Step 5 Select the tunnel, and click the Delete button.
Step 6 Click Yes on the warning message to delete the selected tunnel.
Step 7 Click No on the warning message if you do not want to delete the selected tunnel.
Step 8 Click Cancel to cancel all the changes you have made without sending them to the router.
A Group Encrypted Transport VPN (GETVPN) deployment has three main components: the Key Server (KS), the Group Members (GM), and the Group Domain of Interpretation (GDOI) protocol. GMs encrypt and decrypt the traffic, and the KS distributes the encryption key to all the group members. The KS decides on one single data encryption key for a given lifetime. Because all GMs use the same key, any GM can decrypt the traffic encrypted by any other GM. The GDOI protocol is used between the GM and KS for group key and group Security Association (SA) management. At least one KS is required for a GETVPN deployment.
Unlike traditional IPSec encryption solutions, GETVPN uses the concept of group SA. All members in the GETVPN group can communicate with each other using a common encryption policy and a shared SA. Therefore, there is no need to negotiate IPSec between GMs on a peer-to-peer basis; thereby reducing the resource load on the GM routers.
The GM registers with the KS to get the IPSec SA that is necessary to encrypt data traffic within the group. The GM provides the group identification number to the KS to get the respective policy and keys for this group. These keys are refreshed periodically by the KS, before the current IPSec SAs expire, so that there is no traffic loss.
The KS is responsible for maintaining security policies, authenticating the GMs and providing the session key for encrypting traffic. KS authenticates the individual GMs at the time of registration. Only after successful registration can the GMs participate in group SA.
A GM can register at any time and receive the most current policy and keys. When a GM registers with the KS, the KS verifies the group identification number of the GM. If this identification number is valid, and the GM has provided valid Internet Key Exchange (IKE) credentials, the KS sends the SA policy and the Keys to the group member.
There are two types of keys that the GM will receive from the KS: the Key Encryption Key (KEK) and the Traffic Encryption Key (TEK). The TEK becomes part of the IPSec SA with which the group members within the same group encrypt the data. KEK is used to secure rekey messages between the KS and the GMs.
The KS sends out rekey messages either because of an impending IPSec SA expiration or because the security policy has changed on the KS. Keys can be distributed during re-key using either multicast or unicast transport. Multicast method is more scalable as keys need not be transmitted to each group member individually. Unlike in unicast, KS will not receive acknowledgement from GM about the success of the rekey reception in multicast rekey method. In unicast rekey method, KS will delete a GM from its database if three consecutive rekeys are not acknowledged by that particular GM.
GDOI protocol is used for Group key and group SA management. GDOI uses Internet Security Association Key Management Protocol (ISAKMP) for authenticating the GMs and KSs. All the standard ISAKMP authentication schemes like RSA Signature (certificates) and Pre-shared key can be used for GETVPN.
For more information on GETVPN, See http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/deployment_guide_c07_554713.html.
The Cisco Network Control System allows you to configure the GETVPN. To configure the GETVPN, you should configure the following:
•Group member
•Key server
Use the Add GroupMember configuration page to configure the GETVPN group member.
To create the GETVPN group member, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then click GETVPN-GroupMember. Click the Add button to create the GET VPN group member.
Step 5 In the Add GroupMember dialog box, select the General tab, and enter the Group Name and Group Identity. Choose the Registration Interface from the drop-down list.
Step 6 Enter the Primary Key Server and Secondary Key Server IP addresses. Click the Add Row or Delete button to add or delete the secondary key server IP addresses.
Note The primary key server is responsible for creating and distributing group policies to all group members and periodically synchronizes with the secondary key servers. The server with the highest priority is elected as a primary key server.
Step 7 Click on the row or field to edit the secondary key server IP address.
Step 8 Click:
•Save to save the configuration.
•Cancel to exit without saving your changes.
Step 9 In the Add Group Member dialog box, select the Advanced tab, and choose the Local Exception ACL and Fail Close ACL from the drop-down lists. Traffic matched by the deny entries of the Local Exception ACL is sent in the clear on this group member even if the key server policy would encrypt it.
Note If the Fail Close feature is configured, all the traffic passing through the group member is dropped until the group member registers successfully, except traffic matched by the deny entries of the Fail Close ACL (typically routing protocol and GDOI registration traffic). Once the group member registers successfully and the SAs are downloaded, this feature turns off by itself.
Step 10 Select the Migration tab, and check the Enable Passive SA check box to turn on Passive SA mode on this group member. In Passive SA mode the group member encrypts outbound traffic but accepts inbound traffic whether or not it is encrypted, which allows a staged migration; turn it off once every group member is encrypting.
Step 11 Click:
•OK to add the Group member in the table. To display the commands, click CLI preview. After the scheduled deploy is completed, the configuration is applied on the device.
•Cancel to cancel all the changes you have made without sending them to the router.
•Close to close the page.
Use the Add KeyServer configuration page to configure the GETVPN key server.
To create the GETVPN key server, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then click GETVPN-KeyServer. Click the Add button to create the GETVPN key server.
Step 5 In the Add Key Server dialog box, select the General tab, and enter the Group Name, Group Identity, WAN IP address, and Priority of this key server.
Step 6 Enter the Co-operative Key Servers IP address. Click the Add Row or Delete button to add or delete the Co-operative key server IP address. Click on the row or field, and edit the IP address.
Step 7 In the Add KeyServer dialog box, select the Rekey tab, and choose the Distribution method from the drop-down list.
Note The distribution method is used to send the rekey information from key server to group members. When you choose the distribution method as multicast, specify the multicast address to which the rekey needs to be transmitted.
Step 8 In the Add KeyServer dialog box, select the GETVPN Traffic tab, and enter the Traffic to be encrypted, Encryption Policy, and Anti Replay.
Note The access list defines the traffic to be encrypted. Only the traffic which matches the "permit" lines will be encrypted. Be sure not to encrypt traffic that must always flow even when the crypto sessions are not up, such as the routing protocol and the GDOI registration and rekey exchanges between the group members and the key server (UDP port 848); add "deny" lines for that traffic.
Step 9 Click:
•OK to add the key server in the table. To display the commands, click CLI preview. After the scheduled deployment is completed, the configuration is applied on the device.
•Cancel to cancel all the changes you have made without sending them to the router.
Step 10 Click Close to close the page.
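The following is an added example, not CLI generated by the product, showing the configuration that the group member procedure (General, Advanced and Migration tabs) and the key server procedure (General, Rekey and GETVPN Traffic tabs) above produce on Cisco IOS routers. The group name and identity, all addresses, the pre-shared key, the RSA key label and the access list contents are assumptions.

```ios
! Added example: GETVPN key server and group member in IOS. Names, addresses,
! keys and ACL contents are assumptions.
!
! ===== Key server (WAN IP 192.0.2.1, co-operative peer 192.0.2.2) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GetvpnPskCHANGEME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set GDOI-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile GDOI-PROF
 set transform-set GDOI-TS
!
! GETVPN Traffic tab: permit lines are encrypted; deny lines keep the
! control plane in the clear (GDOI on UDP 848, and the routing protocol)
ip access-list extended GETVPN-TRAFFIC
 deny udp any eq 848 any eq 848
 deny eigrp any any
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! The rekey RSA key pair is generated in privileged EXEC before this, e.g.
!   crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048 exportable
! and imported on every co-operative key server (GMs verify rekeys with its public half).
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROF
   match address ipv4 GETVPN-TRAFFIC
   replay time window-size 5
  address ipv4 192.0.2.1
  redundancy
   local priority 100
   peer address ipv4 192.0.2.2
!
! ===== Group member (registers with primary 192.0.2.1, secondary 192.0.2.2) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GetvpnPskCHANGEME address 192.0.2.1
crypto isakmp key GetvpnPskCHANGEME address 192.0.2.2
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 192.0.2.1
 server address ipv4 192.0.2.2
!
! Advanced tab: Local Exception ACL (deny = never encrypt here, whatever the KS policy)
ip access-list extended LOCAL-EXCEPT
 deny ip any host 10.1.1.250
! Advanced tab: Fail Close ACL (deny = allowed in the clear until registration succeeds)
ip access-list extended FAIL-CLOSE
 deny udp any eq 848 any eq 848
 deny eigrp any any
crypto map GETVPN-MAP gdoi fail-close
 match address FAIL-CLOSE
 activate
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
 match address LOCAL-EXCEPT
interface GigabitEthernet0/1
 crypto map GETVPN-MAP
!
! Migration tab: Passive SA (accept inbound traffic encrypted or not)
crypto gdoi gm group GETVPN ipsec direction inbound optional
```

Without the fail-close map, a group member that has not yet registered forwards everything in the clear, which is the default and the less safe choice; with it, only the deny lines of the fail-close ACL pass until the SAs are downloaded. The page notes that RSA signatures (certificates) are also accepted for GM authentication, which avoids distributing one wildcard pre-shared key to every member.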
To edit the existing GETVPN group member or the GETVPN key server, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then click GETVPN-Group Member or GETVPN-KeyServer. The GETVPN-GroupMember or GETVPN-KeyServer summary page opens.
Step 5 From the GETVPN summary page, select the group name and click Edit. The Edit GETVPN-GroupMember or GETVPN-Keyserver page appears.
Step 6 From the Edit GETVPN-GroupMember or GETVPN-KeyServer page, you can edit the GETVPN parameters.
Step 7 Click:
•OK to save the configurations.
•Cancel to cancel all the changes you have made without sending them to the router.
Step 8 Click Close to close the page.
To delete the existing GETVPN group member or the GETVPN key server, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then click GETVPN-Group Member or GETVPN-KeyServer. The GETVPN-GroupMember or GETVPN-KeyServer summary page opens.
Step 5 From the GETVPN summary page, select the group name and click Delete.
Step 6 Click:
•OK to confirm the deletion and update the configuration.
•Cancel to cancel all the changes you have made without sending them to the router.
Step 7 Click Close to close the page.
The VPN components primarily include the following:
The Internet Key Exchange (IKE) is a standard method for arranging secure and authenticated communications. IKE establishes session keys (and the associated cryptographic and networking configuration) between two hosts across the network. IKE policies define how that negotiation is protected; in main mode the peers' identities are exchanged only after the channel is encrypted, whereas aggressive mode sends them in the clear.
The IKE negotiations must be protected; therefore, each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states the security parameters that will be used to protect subsequent IKE negotiations. After the two peers agree on a policy, the security parameters of the policy are identified by a security association established at each peer. These security associations are applied to all the subsequent IKE traffic during the negotiation.
When the IKE negotiation begins, IKE looks for an IKE policy that is the same on both the peers. The peer that initiates the negotiation will send all its policies to the remote peer, and the remote peer will try to find a match. The remote peer looks for a match by comparing its own highest priority policy against the other peer's received policies. The remote peer checks each of its policies in the order of its priority (highest first) until a match is found. A match is made when both the policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman (D-H) parameter values, and when the remote peer's policy specifies a lifetime less than or equal to the lifetime in the policy being compared. If the lifetimes are not identical, the shorter lifetime is used from the remote peer's policy.
The IKE Policies feature allows you to create, edit, and delete the IKE policies.
To create, edit, or delete the IKE policies, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select a device or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then choose VPN Components > IKE Policies.
Step 5 Click the Add Row button to create the IKE policies.
Step 6 In the IKE Policies page, enter the Priority, Authentication, D-H Group, Encryption, Hash, and Lifetime.
Step 7 To edit the IKE policies parameters, click on the Field and edit the parameter of that IKE policy.
Step 8 To delete the IKE policies, select the IKE policies from the list, and click the Delete button.
Table 4-9 lists the elements on the IKE Policies page.
Step 9 Click:
•Save to save the configuration.
•Cancel to exit without saving your changes.
•Save again to generate the CLI commands.
The IKE Settings feature allows you to globally enable IKE on the router and to set the IKE identity, aggressive mode, and dead peer detection timers.
To enable IKE and set the aggressive mode and related global settings, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select a device or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then choose VPN Components > IKE Settings.
Step 5 Check the Enable IKE check box to enable IKE, and the Enable Aggressive Mode check box to allow aggressive mode. Leave aggressive mode disabled unless a peer requires it: it sends the peer identities in the clear and, with pre-shared key authentication, exposes a hash that a passive observer can attack offline to recover the key.
Step 6 Choose the IKE Identity from the drop-down list.
Step 7 Enter the Dead Peer Detection Keepalive and Dead Peer Detection Retry time in seconds.
Table 4-10 lists the elements on the IKE Settings page.
Step 8 Click:
•Save to save the configuration.
•Refresh to refresh the page.
An IPsec profile bundles the IPsec parameters, such as the transform set and the SA lifetime, that you can associate with one or more IPsec tunnels (for example, through the tunnel protection of a DMVPN interface). It is distinct from an ISAKMP profile, which applies parameters to an incoming IKE connection identified through match identity criteria based on the IKE identity that the incoming connection presents, such as its IP address, Fully Qualified Domain Name (FQDN), or group (the Virtual Private Network (VPN) remote client grouping).
The IPsec Profile feature allows you to create, edit, and delete IPsec profiles.
To create, edit, or delete an IPsec profile, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select a device or click Add to add a new device, and then configure the device. The device details appear on the lower part of the screen.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then choose VPN Components > IPsec Profile.
Step 5 Click the Add Row button to create the IPsec profile.
Step 6 In the IPsec Profile page, enter the information such as Name, Description, and Transform Set, and the IPsec SA Lifetime.
Note When you edit a profile, you cannot change the name of the IPsec profile. A transform set represents a certain combination of security protocols and algorithms. During the IPsec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow. A transform describes a particular security protocol with its corresponding algorithms.
Step 7 Enter the IPSec SA Lifetime in seconds to establish a new SA after the set period of time elapses.
Step 8 To edit the IPsec profile parameters, click on the Field and edit the parameter of that IPsec profile.
Step 9 To delete the IPsec profile, select the IPsec Profile from the list, and click the Delete button.
Step 10 Click:
•Save to save the configuration.
•Cancel to exit without saving your changes.
•Save again to generate the CLI commands.
The Pre-shared Keys feature allows you to define a secret key shared between two peers; IKE uses it during the authentication phase.
To create, edit, or delete the pre-shared keys, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select a device or click Add to add a new device, and then configure the device. The device details appear on the lower part of the screen.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then choose VPN Components > Pre-Shared Keys.
Step 5 Click the Add Row button to create the pre-shared key.
Step 6 In the Pre-Shared Keys page, enter the IP Address, Host Name, Subnet Mask, and Pre-Shared Keys.
Step 7 To edit the pre-shared key parameters, click on the Field and edit the parameter of that pre-shared key.
Step 8 To delete the pre-shared key, select the pre-shared key from the list, and click the Delete button.
Step 9 Click:
•Save to save the configuration.
•Cancel to exit without saving your changes.
•Save again to save the configuration and generate the CLI commands.
An RSA key pair consists of a public key and a private key. When setting up your Public Key Infrastructure (PKI), you include the public key in the certificate enrollment request. After the certificate is granted, the public key is included in the certificate so that peers can use it to verify the router's signatures and to encrypt data sent to the router. The private key is kept on the router and is used both to decrypt data sent by the peers and to digitally sign transactions when negotiating with the peers.
An RSA key pair has a modulus value that determines the size of the key. The larger the modulus, the more secure the key; however, keys with a large modulus take longer to generate, and encryption and decryption operations take longer with larger keys.
To create, export, import, or delete the RSA keys, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select a device or click Add to add a new device, and then configure the device. The device details appear on the lower part of the screen.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then choose VPN Components > RSAKeys.
Step 5 Click the Add Row button to create the RSA Keys.
Step 6 The Add RSA Keys dialog box appears.
Step 7 In the Add RSA Keys dialog box, enter the Label, Modulus, and Type.
Note For a modulus value between 512 and 1024, enter an integer that is a multiple of 64. For a value higher than 1024, enter 1536 or 2048. Key generation for a modulus greater than 512 may take a minute or longer. A modulus of 1024 bits or less is no longer considered adequate; choose 2048 for keys you generate today.
Step 8 Check the Make the Key exportable check box only if you need to move the key pair to another device. An exportable private key can be copied off the router (see Step 14); a key generated without this option cannot be exported later.
Step 9 Click:
•OK to save the configuration.
•Cancel to exit without saving your changes.
Step 10 To import the RSA key, click the Import button. The Import RSA Key dialog box appears.
Step 11 In the Import RSA Key dialog box, enter the label of the RSA key, Key type, and password to decrypt the key. If the key type is general-keys, signature or encryption, copy and paste the public and private key data that was saved.
Step 12 To import usage-key, enter the public and private key data of both the signature and encryption keys.
Step 13 Click:
•Import to import the RSA key.
•Close to exit without saving your changes.
Step 14 To export the RSA key, select the RSA key from the list and click the Export button. The Export RSA Key Pair dialog box appears.
Step 15 In the Export RSA Key Pair dialog box, enter the password to encrypt the RSA key and choose the encryption algorithm from the drop-down list.
Step 16 Click:
•OK to display the exported keys.
•Cancel to exit without saving your changes.
Step 17 To delete the RSA key, select the RSA key from the list, and click the Delete button.
A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPsec-protected traffic. During the IPsec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
To create, edit, or delete the transform sets, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select a device or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Security folder, and then choose VPN Components > Transform Sets.
Step 5 Click the Add Row button to create the transform sets.
Step 6 In the Transform Sets page, enter the Name and select the acceptable combination of security protocols and algorithm to configure the transform set.
Note The ESP encryption algorithm is used to encrypt the payload and the integrity algorithm is used to check the integrity of the payload.
Step 7 Specify the mode for a transform set. The options are: Tunnel mode or Transport mode.
•Transport—Encrypt data only. Transport mode is used when both endpoints support IPsec. Transport mode places the authentication header or encapsulated security payload after the original IP header; thus, only the IP payload is encrypted. This method allows users to apply network services such as quality-of-service (QoS) controls to encrypted packets.
•Tunnel—Encrypt data and IP header. Tunnel mode provides stronger protection than transport mode. Because the entire IP packet is encapsulated within AH or ESP, a new IP header is attached, and the entire datagram can be encrypted. Tunnel mode allows network devices such as a router to act as an IPsec proxy for multiple VPN users; tunnel mode should be used in those configurations.
Step 8 To edit the Transform sets parameters, click on the Field and edit the parameter of that transform sets.
Step 9 To delete the transform set, select the transform set from the list, and click the Delete button.
Step 10 Click:
•Save to save the configuration.
•Cancel to exit without saving your changes.
•Save again to save the configuration changes.
The Zone Based Firewall (ZBFW) feature allows users to easily manage Cisco IOS unidirectional firewall policy between groups of interfaces known as zones.
A zone is a group of interfaces that have similar functions or features. For example, on a router, Gigabit Ethernet interface 0/0/0 and Gigabit Ethernet interface 0/0/1 may be connected to the local LAN. These two interfaces are similar because they represent the internal network, so they can be grouped into a zone for firewall configurations.
By default, the traffic between interfaces in the same zone is not subjected to any policy. The traffic passes freely. Firewall zones are used for security features.
A security zone is a group of interfaces to which a policy can be applied. Grouping interfaces into zones involves the following two procedures:
•Creating a zone so that the interfaces can be attached to it.
•Configuring an interface as a member of a given zone.
By default, the traffic flows among the interfaces that are members of the same zone. When an interface is a member of a security zone, all traffic to and from that interface (except traffic going to the router or initiated by the router) is dropped. To permit the traffic to and from a zone-member interface, you must make that zone part of a zone pair, and then apply a policy to that zone pair. If the policy permits the traffic (through inspect or pass actions), traffic can flow through the interface.
Figure 4-1 Security Zone Diagram
•Interfaces E0 and E1 are members of the security zone Z1.
•Interface E2 is a member of the security zone Z2.
•Interface E3 is not a member of any of the security zone.
In this scenario, the following situations exist:
•Traffic flows freely between the interfaces E0 and E1 because they are members of the same security zone (Z1).
•If no policies are configured, traffic will not flow between interfaces (for example, E0 and E2, E1 and E2, E3 and E1, and E3 and E2).
•Traffic can flow between E0 or E1 and E2 interfaces only when an explicit policy is configured to permit the traffic between the zone Z1 and zone Z2.
•Traffic can never flow between E3 and E0/E1/E2 interfaces because E3 is not a part of any security zone.
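The following added example is an editor-supplied model of the forwarding rules above, not Cisco code. It plays the Figure 4-1 topology through a tiny zone-based firewall: E0 and E1 in Z1, E2 in Z2, E3 in no zone, and one zone pair from Z1 to Z2 whose rules are evaluated first match wins, with class-default dropping the rest (the same ordering the Policy Rules section describes). It also shows the difference between inspect, which opens a session that admits the reply, and pass, which is one-way. The interface names, zone pair, rules, ports, and flows are assumptions constructed for the demo.

```python
"""Added example (not Cisco or Prime Infrastructure code): a minimal model of
zone-based firewall forwarding decisions.

Rules modelled:
  * interfaces in the same zone exchange traffic freely;
  * an interface in no zone never exchanges traffic with a zoned interface
    (two unzoned interfaces are simply not policed);
  * between two zones, traffic is dropped unless a zone pair exists in that
    direction; the first matching rule decides; class-default drops;
  * inspect is stateful and admits the reply to the session it opened;
    pass is stateless, so a reply needs its own zone pair and rule.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_intf: str
    dst_intf: str
    proto: str      # "tcp", "udp", "icmp"
    sport: int
    dport: int

    def reply(self):
        """The packet that comes back for this flow."""
        return Flow(self.dst_intf, self.src_intf, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "inspect", "pass", "drop", optionally "... and log"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, f):
        return ((self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


@dataclass
class Zbfw:
    zone_of: Dict[str, str]                         # interface -> zone
    zone_pairs: Dict[Tuple[str, str], List[Rule]]   # (src zone, dst zone) -> ordered rules
    sessions: Set[Flow] = field(default_factory=set)  # state created by inspect

    def decide(self, f):
        """Return the action applied to packet f: 'pass', 'inspect' or 'drop'."""
        src, dst = self.zone_of.get(f.src_intf), self.zone_of.get(f.dst_intf)
        if src is None and dst is None:
            return "pass"        # neither interface is policed
        if src is None or dst is None:
            return "drop"        # the E3 case: unzoned <-> zoned never flows
        if src == dst:
            return "pass"        # intra-zone traffic is not policed
        if f.reply() in self.sessions:
            return "pass"        # return traffic of an inspected session
        for rule in self.zone_pairs.get((src, dst), []):   # first match wins
            if rule.matches(f):
                action = rule.action.split()[0]            # strip " and log"
                if action == "inspect":
                    self.sessions.add(f)
                return action
        return "drop"            # class-default: no zone pair or no matching rule


def figure_4_1():
    """The topology from Figure 4-1 with one constructed Z1 -> Z2 policy."""
    return Zbfw(
        zone_of={"E0": "Z1", "E1": "Z1", "E2": "Z2"},   # E3 deliberately unzoned
        zone_pairs={("Z1", "Z2"): [
            Rule("block-telnet", "drop and log", "tcp", 23),
            Rule("web", "inspect", "tcp", 443),
            Rule("dns", "pass", "udp", 53),
        ]},
    )


if __name__ == "__main__":
    fw = figure_4_1()
    web = Flow("E0", "E2", "tcp", 40001, 443)
    dns = Flow("E0", "E2", "udp", 40002, 53)
    print("E0->E1 ssh      :", fw.decide(Flow("E0", "E1", "tcp", 40000, 22)))
    print("E3->E0 ssh      :", fw.decide(Flow("E3", "E0", "tcp", 40000, 22)))
    print("E0->E2 https    :", fw.decide(web), "/ reply:", fw.decide(web.reply()))
    print("E0->E2 dns      :", fw.decide(dns), "/ reply:", fw.decide(dns.reply()))
    print("E2->E0 https new:", fw.decide(Flow("E2", "E0", "tcp", 5000, 443)))
```

Running it shows that the pass rule lets the DNS query out but drops the answer, because no Z2 to Z1 zone pair exists; that is the usual reason to prefer inspect for traffic that expects a reply, and to reserve pass for protocols where you deliberately police each direction separately.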
This feature allows you to assign or un-assign the Transmission Control Protocol (TCP) / User Datagram Protocol (UDP) ports to an application.
Note When you click the Save or Delete button, the changes are deployed on the device immediately. You cannot review the requested operation, and you cannot remove the operation request from the pending changes queue. CLI changes that start with "EMS_" are not supported and may cause unexpected behavior.
To assign or un-assign the TCP/UDP ports to an application, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Applications. The Applications page appears.
Note The Applications page displays the application names read from the device.
Step 5 To assign or unassign TCP/UDP ports to an application, click the application and update its TCP/UDP ports value. The TCP/UDP port values are assigned to that application.
a. Assign ports by entering one or more port numbers separated by commas (for example: 1234, 2222).
b. Assign ports by entering a port range (for example: 1111-1118). You can combine individual ports and port ranges in one entry.
c. Unassign ports by deleting the existing port values.
Step 6 Click Save to save the configurations.
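The following added example (editor-supplied, not Prime Infrastructure code) parses and validates the port syntax described in Step 5, individual ports separated by commas and low-high ranges, before the values are saved, since the note above says Save deploys the change to the device without review. The accepted limits (1 to 65535) and the merging of overlapping or adjacent ranges are the editor's choices.

```python
"""Added example (not Prime Infrastructure code): validate a TCP/UDP port
specification of the form "1234, 2222" or "1111-1118" (or a mix) before it is
pushed to the device."""
import re

_PORT = re.compile(r"^\d{1,5}$")
_RANGE = re.compile(r"^(\d{1,5})-(\d{1,5})$")


def parse_ports(spec):
    """Return a sorted list of non-overlapping (low, high) tuples.

    Raises ValueError for anything that is not a port or a low-high range
    within 1..65535; overlapping and adjacent ranges are merged.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port list")
        m = _RANGE.match(item)
        if _PORT.match(item):
            lo = hi = int(item)
        elif m:
            lo, hi = int(m.group(1)), int(m.group(2))
        else:
            raise ValueError(f"bad port entry: {item!r}")
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range or reversed: {item!r}")
        ranges.append((lo, hi))
    ranges.sort()
    merged = []
    for lo, hi in ranges:
        if merged and lo <= merged[-1][1] + 1:      # overlaps or touches previous
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def is_valid_port_spec(spec):
    """True if spec would be accepted by parse_ports."""
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False


def format_ports(ranges):
    """Render normalized ranges back into the page's comma-separated syntax."""
    return ", ".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)


if __name__ == "__main__":
    # Constructed sample input: the page's two examples plus an overlapping entry.
    print(format_ports(parse_ports("1234, 2222, 1118, 1111-1117")))
```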
To change the Default Parameters Map, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Default Parameters Map.
Step 5 From the Default Parameters Map page, change the parameters map value.
Note You can change the default parameters only on ISR devices.
Step 6 Click Save to save the configuration.
A virtual interface is a logical interface configured with generic configuration information for a specific purpose, or with configuration common to a specific set of users. The zone membership is obtained from a RADIUS server, and the dynamically created interface is then made a member of that zone.
To assign the interfaces to the zone and un-assign the interface from a specific zone, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Interfaces.
Step 5 In the Interface page, select the interface you want to change and click the down arrow icon. The Zone dialog box appears.
Step 6 In the Zone dialog box, select the new security zone for the interface. If the selected interface is already assigned to a zone, you will get a warning message.
Step 7 Click Yes on the warning message if you want to change the assignment of that interface.
Step 8 To un-assign the interface from the specific zone, select the interface and delete the zone information.
Step 9 Click:
•Save to save and apply your changes.
•Cancel to exit without saving.
The policy rule section allows you to create a new firewall policy rule, change the existing policy rule, delete the policy rule, and change the policy rule order. When you create the firewall policy rule, it is up to you to define the location in the policy table.
To create the policy rules, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Policy Rules. The Firewall Rules page appears.
Step 5 From the Firewall Rules page, click the Add Rule button and complete the fields. The source zone and the destination zone must be different.
Step 6 To move the rules, click on the down arrow icon on the Add Rule button. You can place the selected rule at the top of the list or bottom of the list or move the selected rule after or before a rule in the table.
Note The name field is optional. If you do not provide a name for the firewall rule, the system generates one. You cannot use the formats rule_<number> or EMS_rule_<number> (for example, rule_1) for a firewall rule name; these formats are reserved by the system.
Step 7 To add the source and the destination IP address, click the add icon. The Source/Destination IP address dialog box appears.
a. In the Source/Destination IP address dialog box, check the Any check box to set the value to any.
b. Enter the source/destination IP addresses.
c. Click the Add button to add the new IP address and subnet.
d. Click Delete to delete an existing value.
e. Click OK to save the configuration.
f. Click Cancel to discard all the changes you have made without sending them to the router.
Step 8 Set the Service values. To add or remove the Application, click the down arrow icon. The Firewall Service dialog box appears.
a. In the Firewall Service dialog box, check the Application check box to select the application to inspect.
b. To select an ACL Based Application, select either the TCP or UDP or ICMP application.
c. Use the navigation arrow buttons to navigate forward and backward.
d. Click the plus + button to save the configurations.
Step 9 Select the appropriate action. The options are: Drop, Drop and Log, Inspect, Pass, and Pass and Log.
Step 10 If you select the action to inspect, click the Configure button in the Advance options column. The Advanced Parameters Configuration dialog box appears.
Step 11 In the Advanced Parameters Configuration dialog box, do the following:
a. To customize the device default value, check the Parameter box and set the new value.
b. To apply the device default value, uncheck the Parameter box.
c. To view the firewall rule default parameters, see "Managing Default Parameters" section.
d. When you rest your cursor on the Advanced Options icon, the configured parameters will be displayed in the quick view window.
Table 4-11 lists the elements on the policy rule page.
Element |
Description |
---|---|
Name |
(Optional) Enter a name for the policy rule. |
Source Zone |
Enter the name of the source zone, the zone from which the traffic originates. |
Destination Zone |
Enter the name of the destination zone, the zone to which the traffic is bound. |
Source |
Enter the source IP address of the inspected data. The valid parameters are: • • • |
Destination |
Enter the destination IP address of the inspected data. The valid parameters are: • • • |
Service |
The service of the inspected data. The valid parameters are: • • • |
Action |
Choose the action to perform on the traffic when the rule condition matches. The rule matches when: • • The action options are: Drop, Drop and Log, Inspect, Pass, and Pass and Log. |
Advance Options |
Specify the configuration parameters that set the Firewall Rule Parameter-Map behavior when the Action option is set to Inspect. |
Step 12 Click Save to apply the rule to the device.
To monitor Policy Rules, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Policy Rules. The Firewall Rules page appears.
Step 5 In the Firewall Rules page, click Hit Counters and use the options to analyze the sessions and packets of the selected rules.
Step 6 Select the rules and click the Show all option to view the packets and sessions counters. The packets and sessions counters are displayed in two separate columns. The packet counters are used to analyze the pass/drop rules and sessions counters are used for the inspect rules.
Note When you select the Show all option, the system will display a warning message stating that it may take more time to complete this operation. When you do not provide valid values, the N/A message is displayed.
Step 7 To know the time of the last update for the rules, hover the mouse over the column names or click the Last Update Time option in the Hit Counters. You can refresh the Hit counters for a specific rule or for all the selected rules.
Step 8 To filter the rules, use the predefined filters.
Step 9 Click the Reset All Counters to discard all the rules counters. The application will display a warning message before resetting the rules counters.
To edit the existing Policy Rule, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Policy Rules.
Step 5 In the Firewall Rules page, choose one of the following options:
•Click on the Rules parameters row and edit the parameters.
•Check the check box to select the rule, and then click the Edit button. The selected Rule opens for edit. You cannot edit the name of the policy rule.
Step 6 Click Save to apply the changes in the device.
To delete the existing Policy Rule, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Policy Rules.
Step 5 In the Firewall Rules page, check the check box to select the rules, and then click the Delete button.
Step 6 Click OK on the warning message to delete the policy rule. The selected policy rule is deleted from the device.
The class-default rules always appear at the bottom of the list and their location is fixed. The regular rules cannot be moved beneath the class-default rules.
To change the Policy Rule order, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Policy Rules.
Step 5 In the Firewall Rules page, to move the rule to a specific row, drag and drop the rule to the new location.
This feature allows you to create, update, or delete a service element. A service groups one or more applications so that a policy rule can reference them together.
To create the services, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Services. The Service page appears.
Step 5 In the Service page, click the Add Service button to create a new service.
Step 6 In the Service page, enter the Service Name. You cannot change the name after creating the service. Also, you cannot create a service without an application.
Step 7 To assign Applications, click the down arrow icon. The Applications Object Selector dialog box appears.
a. In the Applications dialog box, check the Applications check box to select the applications from the list (can be multiple selection).
b. Click OK to accept the changes or Cancel to cancel the changes.
Step 8 Click Save to apply your changes to the device.
To edit the existing service, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Services.
Step 5 In the Service page:
a. Click on the Service parameters row and edit the parameters. or
b. Select the service, and click the Edit button. The selected Service entity opens for editing. You can add new applications or remove an already selected application.
c. To remove an application from the selected list, rest your cursor on the application name, and click the X icon.
Step 6 Click Save to save the configuration.
To delete the existing service, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Services.
Step 5 From the Service page, select the service, and then click the Delete button.
Step 6 Click OK on the warning message to delete the service. The selected service is deleted.
To create a security zone, follow these steps.
Note The Zone Based Firewall feature is supported on the ASR platform from IOS XE Release 3.5 or later, and on the ISR platform from IOS Release 12.4(24)T or later.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Zones.
Step 5 Click the Add Zone button to create the security zone.
Step 6 In the security zone page, enter the Zone Name.
Step 7 Select the VRF of the zone.
a. VRF selection will affect the interface that can be assigned to the security zone.
b. If the user selects the default VRF option, then the security zone can be assigned only to the interfaces that are not related to any other VRF.
Step 8 To assign the interfaces to the security zone, click the down arrow icon. The Interface Object Selector dialog box appears.
a. In the Interface selector dialog box, check the Interface check box to select the interface from the list (can be multiple selection).
b. Click OK to save the configuration.
c. Click Cancel to cancel all the changes you have made without sending them to the router.
Step 9 In the Advance options column, click the Configure button. The Advanced Parameters Configuration dialog box appears.
Step 10 In the Advanced Parameters Configuration dialog box, do the following:
a. Check the Alert check box and click the On radio button to set the alert.
b. Check the Maximum Detection check box to set the maximum detection.
c. Check the TCP SYN-Flood Rate per Destination check box to set the TCP flood rate.
d. Check the Basic Threat Detection Parameters check box and click the On radio button to configure the FW drop threat detection rate, FW inspect threat detection rate, and FW SYN attack threat detection rate.
Step 11 Click:
•OK to save configuration.
•Cancel to exit without saving.
Step 12 To edit the existing security zone parameters, select the zone, and click the Configure button on the Advance options column. The Advanced Parameters Configuration dialog box appears.
Step 13 In the Advanced Parameters Configuration dialog box, edit the values and click Save to save the changes. When you rest your cursor on the Advanced Options icon, the configured parameters will be displayed in the quick view window.
Note By default, the Advanced configurations parameters are disabled.
Step 14 Enter the description for the zone.
Step 15 Click:
•Save to save the changes.
•Cancel to exit without saving.
To edit the existing security zone, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Zones.
Step 5 In the Security Zone page, choose one of the following options:
a. Click on the Zone parameters row, and edit the parameters. or
b. Select the zone, and click the Edit button. The selected Zone entity opens for editing.
Step 6 Click the add icon to assign interfaces to the zone or to unassign existing interfaces from the zone. You can also change the Description of the zone.
Step 7 Click Save to save the configuration.
To delete the existing security zone, follow these steps.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Zones.
Step 5 In the Security Zone page, select the security zone, and then click the Delete button.
Step 6 Click OK on the warning message to delete the security zone. The selected zone is deleted.
To configure the default zone, follow these steps.
Note The Default-Zone feature is supported only on ASR platform.
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Zone Based Firewall folder, and then click Zones.
Step 5 In the Security Zone page, click the Default Zone button to enable or disable the default security zone on the device. When enabled, the default zone holds every interface that is not assigned to any other zone, so that zone pairs and policies can be applied to those interfaces.
Step 6 Click OK to save the configuration.
You create a composite template if you have a collection of existing feature or CLI templates that you want to apply collectively to devices. You specify the order in which the templates contained in the composite template are applied to devices.
If you have multiple similar devices replicated across a branch, you can create and deploy a "master" composite template to all the devices in the branch. This master composite template can also be used later when you create new branches.
Step 1 Choose Design > Templates > Configuration, then click Composite Template.
Step 2 Enter parameters for the composite template.
Step 3 From the Validation Criteria drop-down list, choose the devices to which all of the templates contained in the composite template apply. For example, if in your composite template you have a template that applies to Cisco 7200 Series routers and another that applies to all routers, choose the Cisco 7200 Series routers in the Device Type drop-down menu.
Note If a device type is grayed out, the template cannot be applied on that device type.
Step 4 Under Template Details, choose the templates to include in the composite template.
Step 5 Using the arrows, put the templates in the composite into the order in which they should be deployed to the devices. For example, to create an ACL and associate it with an interface, put the ACL template first, followed by the interface template.
Step 6 Click Save as New Template.
Step 7 Navigate to the My Templates folder and choose the template you just saved.
Step 8 Click the Publish icon to publish the template so it can be deployed.
Step 9 Click the Go to Deployment icon and go to the Deploy > Configuration Tasks page.
Step 10 Click Deploy on the template you published.
Step 11 Specify the deployment options as explained in Creating Wireless Controller Templates.
Step 12 Click OK.
Step 13 Choose Tools > Task Manager > Jobs Dashboard to verify the status of a template deployment.
The most common reasons that a template might not be deployed are:
•One or more devices are unreachable—Verify that the device credentials are correct; ping the device to verify that it is reachable. (See Using 360° View for more information.)
•A device CLI returned an error because the CLI was incorrect—Verify that the CLI commands contained in the template are correct by running the commands on a test device.
Before deploying a composite template to every device in a branch, deploy it to a single representative device first: choose only that device in the deployment options, confirm that the job succeeds in Tools > Task Manager > Jobs Dashboard, and check the resulting configuration on the device. Only then deploy to the remaining devices. When you combine feature and CLI templates in a composite template, order them so that an object is created before it is referenced (for example, the ACL template before the interface template that applies it), keep the Validation Criteria restricted to device types that every contained template supports, and avoid CLI templates that configure the same parameters as a feature template in the same composite, because whichever template is applied last determines the final value on the device.