Cisco Aironet 600 Series OfficeExtend Access Point User Guide

AP Info

The AP Info tab (see Figure 2-1) shows the access point name, IP address, AP mode, AP MAC address, AP uptime, software version, CAPWAP status, and WAN gateway status.

This page also shows radio-specific information including status, frequency/channel, transmit power, number of packets in and out, and number of bytes in and out.

The CAPWAP status shows the status of the AP’s CAPWAP connection with the controller. The CAPWAP status can be:

• Noop—Indicates CAPWAP is in No operation state
• Init—Indicates CAPWAP is in initialization process state
• Discovery—Indicates CAPWAP is in discovery state
• DTLS Setup—Indicates DTLS connection is in progress
• DTLS Teardown—Indicates DTLS connection is down
• Join—Indicates CAPWAP is in Join state
• Connected—Indicates AP and Controller is in Connected state
• Image Data—Indicates CAPWAP connection has been established and is downloading the image from controller
• Configure - Indicates CAPWAP is in configuration state
• Sulking—Indicates CAPWAP bad/stuck state
• Idle—Indicates CAPWAP is in idle state without any operation

If the WAN connection is established and the AP’s Gateway is reachable then the WAN status is shown as Reachable, else it is shown as Not Reachable.

SSID

The SSID tab (see Figure 2-2) lists configured Local SSIDs and available Corporate SSIDs and the configured security policy. Additionally, for Corporate SSIDs, split-tunnel status is also displayed.

Figure 2-2 Home–SSID Tab

Client

The Client tab (see Figure 2-3) give the details of associated clients with Local as well as Corporate SSIDs. For each connected client, this page reports the client MAC address, WLAN SSID, elapsed association time, number of bytes in and out, number of duplicates and retries, and the number of failed decryptions.

Figure 2-3 Home–Client Tab

System Tab

The System tab (see Figure 2-4) displays general system information, such as username and password for the access point and radio interface information.

Figure 2-4 Configuration–System Tab

SSID Tab

The SSID tab (see Figure 2-5) contains the fields necessary for you to configure and set up security for your personal SSIDs.

Figure 2-5 Configuration–SSID Tab

DHCP Tab

The Configuration DHCP tab (see Figure 2-6) contains the fields necessary for you to change your DHCP scope.

Figure 2-6 Configuration–DHCP Tab

WAN Tab

The Configuration WAN tab (see Figure 2-7) contains the fields necessary for you to configure the IP address of the Wireless LAN controller on your access point.

Figure 2-7 Configuration-WAN Tab

Firewall

The Firewall page (see Figure 2-8) allows you to enable or disable the firewall feature on the AP. If enabled, the Firewall Mode shows Firewall Enabled.

To disable the firewall, from the drop-down list choose Disabled, and then click Apply. The firewall is disabled by default.

The following firewall settings are available:

• Block all TCP and UDP port traffic. By default all ports are blocked.
• Selective unblocking of traffic based on application types such as HTTP, HTTPS, SSH, and FTP.
• Unblocking of traffic based on LAN destination addresses, protocols and ports.
• Port forwarding, with 10 or less total entries for separate port numbers.

Note All firewall settings are applicable on the WAN port for local traffic (traffic sent directly to the Internet, and not to the corporate network). Firewall protection for CAPWAP traffic and traffic sent through the controller to the corporate office is configured and monitored on the WLC.

Figure 2-8 Configuration–Firewall Page

Precedence of Firewall Settings

The order of precedence of the firewall settings is as given below:

1. Port Forwards

2. DMZ

3. LAN Application Access

4. LAN Access Client

Filtering

The filters you can apply are categorized into the two sections – LAN Application Access and LAN Access Client. See Figure 2-9.

Figure 2-9 Firewall–Filtering Page

LAN Application Access

Using the LAN Application Access set of filters (see Figure 2-9) you can enable or disable for LAN clients, the access to certain pre-configured applications on the Internet. This filter also provides an easy way of granting access for a non-Admin end user.

You can enable or disable access to the following 10 pre-configured application types. This configuration allows LAN machines to access, through the OEAP, the selected applications and services over the Internet:

• FTP
• Telnet
• SMTP
• DNS
• TFTP
• HTTP
• POP3
• NNTP
• SNMP
• HTTPS

LAN Access Client

The LAN Access Client set of filters (see Figure 2-9) provide a more fine grained but controlled unblocking of packets based on protocol, port, and IP range. This configuration also allows LAN devices to access, through the OEAP, the selected applications and services over the Internet. A maximum of 10 such filters are allowed. You need to specify the protocol (TCP/UDP), LAN client IP range and destination port range to configure each filters.

Forwarding

The Port Forwards settings (see Figure 2-10) allow you to configure port forwarding rules for packets from WAN port to Local LAN clients and back. A maximum of 10 Port Forwards can be set, but the ranges should not overlap and should be of the same size. Every rule takes protocol (TCP/UDP), WAN port range, Local LAN client IP (where traffic will be forwarded), and LAN port range as parameters.

Figure 2-10 Firewall–Forwarding Settings Page

DMZ

The DMZ feature allows one network computer connected to a local LAN or WLAN to be exposed to the Internet for using special-purpose services such as Internet gaming. The DMZ feature forwards all the ports terminating on a WAN IP (set as the DMZ IP Address) at the same time to one PC.

The DMZ feature, if enabled, will forward all incoming WAN packets to the LAN machine, except the CAPWAP control/data and packets which are destined to any ports and which have a port forwarding rule. The DMZ feature is not applicable to corporate networks such as Remote-LAN and Corp WLAN.

However, the Port Forwards feature is more secure, compared to DMZ feature because the former only opens the ports you want to have opened, while DMZ opens all the ports of one computer, exposing the computer to the Internet/WAN.

Figure 2-11 Firewall–DMZ Page

Download/Upload

The Download/Upload page (see Figure 2-12) allows the following functions;

• To download the content of the AP NVRAM (Download configuration file) for archiving or management purposes. For this, click Download Configuration File.
• To upload a configuration file to the access point. Click Choose File, browse and select a configuration file, and then click Upload Configuration File.
• To download the last boot Eventlog file, click Save last boot event log to file.
• To download the current Eventlog file, click Save current event log to file.

Figure 2-12 Download/Upload Page