A port is a physical entity that is used for connections on the controller platform. Controllers have two types of ports: distribution system ports and a service port. Figure 4-1 shows the ports available on a 5500 series controller as an example.
Figure 4-1 Ports on the Cisco 5500 Series Wireless LAN Controllers
A distribution system port connects the controller to a neighbor switch and serves as the data path between these two devices.
Note The Gigabit Ethernet ports on the Cisco 5508 Controllers accept these SX/LC/T small form-factor plug-in (SFP) modules:
- 1000BASE-SX SFP modules, which provide a 1000-Mbps wired connection to a network through an 850 nm (SX) fiber-optic link using an LC physical connector
- 1000BASE-LX SFP modules, which provide a 1000-Mbps wired connection to a network through a 1300 nm (LX/LH) fiber-optic link using an LC physical connector
- 1000BASE-T SFP modules, which provide a 1000-Mbps wired connection to a network through a copper link using an RJ-45 physical connector
Each distribution system port is, by default, an 802.1Q VLAN trunk port. The VLAN trunking characteristics of the port are not configurable.
Cisco 5500 Series Controllers also have a 10/100/1000 copper Ethernet service port. The service port is controlled by the service-port interface and is reserved for out-of-band management of the controller and system recovery and maintenance in the event of a network failure. It is also the only port that is active when the controller is in boot mode. The service port is not capable of carrying 802.1Q tags, so it must be connected to an access port on the neighbor switch. Use of the service port is optional.
An interface is a logical entity on the controller. An interface has multiple parameters associated with it, including an IP address, default gateway (for the IP subnet), primary physical port, secondary physical port, VLAN identifier, and DHCP server.
These five types of interfaces are available on the controller. Four of these are static and are configured at setup time:
- Management interface (static)
- AP-manager interface (static)
- Virtual interface (static)
- Service-port interface (static)
- Dynamic interface (user-defined)
Note You are not required to configure an AP-manager interface on Cisco 5500 Series Controllers.
Each interface is mapped to at least one primary port, and some interfaces (management and dynamic) can be mapped to an optional secondary (or backup) port. If the primary port for an interface fails, the interface automatically moves to the backup port. In addition, multiple interfaces can be mapped to a single controller port.
Note For Cisco 5500 Series Controllers in a non-link-aggregation (non-LAG) configuration, the management interface must be on a different VLAN than any dynamic AP-manager interface. Otherwise, the management interface cannot fail over to the port that the AP-manager is on.
Note Cisco 5500 Series Controllers do not support fragmented pings on any interface.
See the “Configuring Link Aggregation” section if you want to configure the controller to dynamically map the interfaces to a single port channel rather than having to configure primary and secondary ports for each interface.
The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. It is also used for communications between the controller and access points. The management interface has the only consistently “pingable” in-band interface IP address on the controller. You can access the controller’s GUI by entering the controller’s management interface IP address in Internet Explorer’s or Mozilla Firefox’s address field.
For CAPWAP, the controller requires one management interface to control all inter-controller communications and one AP-manager interface to control all controller-to-access point communications, regardless of the number of ports.
Step 1 Choose Controller > Interfaces to open the Interfaces page.
This page shows the current controller interface settings.
Step 2 Click management link. The Interfaces > Edit page appears.
Step 3 Set the management interface parameters:
Note The management interface uses the controller’s factory-set distribution system MAC address.
Note Select the Quarantine check box if you want to configure this VLAN as unhealthy or you want to configure network access control (NAC) out-of-band integration. Doing so causes the data traffic of any client that is assigned to this VLAN to pass through the controller. See “Working with WLANs,” for more information about NAC out-of-band integration.
Note Select the Enable NAT Address check box and enter the external NAT IP address if you want to be able to deploy your Cisco 2500 Series Controllers or Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT). NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.
Note The NAT parameters are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. The NAT parameters do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.
Note If a Cisco 2500 Series Controllers or Cisco 5500 Series Controller is configured with an external NAT IP address under the management interface, the APs in local mode cannot associate with the controller. The workaround is to either ensure that the management interface has a globally valid IP address or ensure that external NAT IP address is valid internally for the local APs.
Note Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the management interface.
Note For Cisco 2500 Series Controllers or Cisco 5500 Series Controllers, the management interface acts like an AP-manager interface by default. If desired, you can disable the management interface as an AP-manager interface and create another dynamic interface as an AP manager.
Note To create ACLs, follow the instructions in Chapter 7, “Configuring Security Solutions.”
Step 4 Click Save Configuration to save your changes.
Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Step 1 Enter the show interface detailed management command to view the current management interface settings.
Note The management interface uses the controller’s factory-set distribution system MAC address.
Step 2 Enter the config wlan disable wlan-number command to disable each WLAN that uses the management interface for distribution system communication.
Step 3 Enter these commands to define the management interface:
Note Use the config interface quarantine vlan management vlan_id command to configure a quarantine VLAN on the management interface.
Note Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the management interface.
Note Use the config interface ap-manager management {enable | disable} command to enable or disable dynamic AP management for the management interface. For Cisco 5500 Series Controllers, the management interface acts like an AP-manager interface by default. If desired, you can disable the management interface as an AP-manager interface and create another dynamic interface as an AP manager.
Note See “Configuring Security Solutions,” for more information on ACLs.
Step 4 Enter these commands if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT):
NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.
Note These NAT commands can be used only on Cisco 5500 Series Controllers and only if the management interface is configured for dynamic AP management.
Note These commands are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. These commands do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.
Step 5 Enter the save config command to save your changes.
Step 6 Enter the show interface detailed management command to verify that your changes have been saved.
Step 7 If you made any changes to the management interface, enter the reset system command to reboot the controller in order for the changes to take effect.
A controller has one or more AP-manager interfaces, which are used for all Layer 3 communications between the controller and lightweight access points after the access points have joined the controller. The AP-manager IP address is used as the tunnel source for CAPWAP packets from the controller to the access point and as the destination for CAPWAP packets from the access point to the controller.
Step 1 Choose Controller > Interfaces to open the Interfaces page.
This page shows the current controller interface settings.
Step 2 Click AP-Manager Interface. The Interface > Edit page appears.
Step 3 Set the AP-Manager Interface parameters:
Note Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the AP-manager interface.
Note The AP-manager interface’s IP address must be different from the management interface’s IP address and may or may not be on the same subnet as the management interface. However, we recommend that both interfaces be on the same subnet for optimum access point association.
Note To create ACLs, follow the instructions in Chapter 7, “Configuring Security Solutions.”
Step 4 Click Save Configuration to save your changes.
Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Step 1 Enter the show interface summary command to view the current interfaces.
Note If the system is operating in Layer 2 mode, the AP-manager interface is not listed.
Step 2 Enter the show interface detailed ap-manager command to view the current AP-manager interface settings.
Step 3 Enter the config wlan disable wlan-number command to disable each WLAN that uses the AP-manager interface for distribution system communication.
Step 4 Enter these commands to define the AP-manager interface:
Note Enter 0 for an untagged VLAN or a nonzero value for a tagged VLAN. We recommend using tagged VLANs for the AP-manager interface.
Note See “Configuring Security Solutions,” for more information on ACLs.
Step 5 Enter the save config command to save your changes.
Step 6 Enter the show interface detailed ap-manager command to verify that your changes have been saved.
See the “Configuring Multiple AP-Manager Interfaces” section for information on creating and using multiple AP-manager interfaces.
A virtual interface is used to support mobility management, Dynamic Host Configuration Protocol (DHCP) relay, and embedded Layer 3 security such as guest web authentication and VPN termination. It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3 web authorization is enabled.
Specifically, a virtual interface plays these two primary roles:
Note See “Configuring Security Solutions,” for additional information on web authentication.
Step 1 Choose Controller > Interfaces to open the Interfaces page.
This page shows the current controller interface settings.
Step 2 Click Virtual. The Interfaces > Edit page appears.
Step 3 Enter the following parameters:
Note To ensure connectivity and web authentication, the DNS server should always point to the virtual interface. If a DNS hostname is configured for the virtual interface, then the same DNS host name must be configured on the DNS server(s) used by the client.
Step 4 Click Save Configuration to save your changes.
Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Step 1 Enter the show interface detailed virtual command to view the current virtual interface settings.
Step 2 Enter the config wlan disable wlan-number command to disable each WLAN that uses the virtual interface for distribution system communication.
Step 3 Enter these commands to define the virtual interface:
Note For ip-address, enter any fictitious, unassigned, and unused gateway IP address.
Step 4 Enter the reset system command. At the confirmation prompt, enter Y to save your configuration changes to NVRAM. The controller reboots.
Step 5 Enter the show interface detailed virtual command to verify that your changes have been saved.
A service-port interface controls communications through and is statically mapped by the system to the service port. The service port can obtain an IP address using DHCP, or it can be assigned a static IP address, but a default gateway cannot be assigned to the service-port interface. Static routes can be defined through the controller for remote network access to the service port.
Step 1 Choose Controller > Interfaces to open the Interfaces page.
This page shows the current controller interface settings.
Step 2 Click the service-port link to open the Interfaces > Edit page.
Step 3 Enter the Service-Port Interface parameters:
Note The service-port interface uses the factory-set service-port MAC address of the controller.
Step 4 Click Save Configuration to save your changes.
Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Step 1 Enter the show interface detailed service-port command to view the current service-port interface settings.
Note The service-port interface uses the controller’s factory-set service-port MAC address.
Step 2 Enter these commands to define the service-port interface:
Step 3 The service port is used for out-of-band management of the controller. If the management workstation is in a remote subnet, you may need to add a route on the controller in order to manage the controller from that remote workstation. To do so, enter this command:
config route add network-ip-addr ip-netmask gateway
Step 4 Enter the save config command to save your changes.
Step 5 Enter the show interface detailed service-port command to verify that your changes have been saved.
Dynamic interfaces, also known as VLAN interfaces, are created by users and designed to be analogous to VLANs for wireless LAN clients. A controller can support up to 512 dynamic interfaces (VLANs). Each dynamic interface is individually configured and allows separate communication streams to exist on any or all of a controller’s distribution system ports. Each dynamic interface controls VLANs and other communications between controllers and all other network devices, and each acts as a DHCP relay for wireless clients associated to WLANs mapped to the interface. You can assign dynamic interfaces to distribution system ports, WLANs, the Layer 2 management interface, and the Layer 3 AP-manager interface, and you can map the dynamic interface to a backup port.
You can configure zero, one, or multiple dynamic interfaces on a distribution system port. However, all dynamic interfaces must be on a different VLAN or IP subnet from all other interfaces configured on the port. If the port is untagged, all dynamic interfaces must be on a different IP subnet from any other interface configured on the port.
Step 1 Choose Controller > Interfaces to open the Interfaces page.
Figure 4-6 Interfaces > New Page
Step 2 Perform one of the following:
Step 3 Enter an interface name and a VLAN identifier, as shown in Figure 4-6.
Step 4 Click Apply to commit your changes. The Interfaces > Edit page appears.
Step 5 Configure the following parameters:
Note Select the Quarantine check box if you want to configure this VLAN as unhealthy or you want to configure network access control (NAC) out-of-band integration. Doing so causes the data traffic of any client that is assigned to this VLAN to pass through the controller. See “Working with WLANs,” for more information about NAC out-of-band integration.
Note Select the Enable NAT Address check box and enter the external NAT IP address if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT). NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.
Note The NAT parameters are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. The NAT parameters do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.
Note When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
Note Set the APs in a VLAN that is different than the dynamic interface configured on the controller. If the APs are in the same VLAN as the dynamic interface, the APs are not registered on the controller and the “LWAPP discovery rejected” and “Layer 3 discovery request not received on management VLAN” errors are logged on the controller.
Note See “Configuring Security Solutions,” for more information on ACLs.
Note To ensure proper operation, you must set the Port Number and Primary DHCP Server parameters.
Step 6 Click Save Configuration to save your changes.
Step 7 Repeat this procedure for each dynamic interface that you want to create or edit.
Note When you apply a flow policer or an aggregate policer at the ingress of a Dynamic Interface VLAN for the Upstream (wireless to wired) traffic, it is not possible to police because the VLAN based policy has no effect and no policing occurs. When the traffic comes out of the WiSM LAG (L2) and hits the Switch Virtual Interface (SVI) (L3), the QoS policy applied is a VLAN-based policy that has no effect on the policing.
To enable an ingress L3 VLAN-based policy on the SVI, you must enable a VLAN-based QoS equivalent to the mls qos-vlan-based command on the WiSM LAG. All the previous 12.2(33)SXI releases, which support Auto LAG for WiSM only, such as 12.2(33)SXI, 12.2(33)SXI1, 12.2(33)SXI2a, 12.2(33)SXI3, and so on, do not have this WiSM CLI. Therefore, the VLAN-based QoS policy applied at the ingress of the SVI for wireless to wired traffic never polices any traffic coming out of the WiSM LAG that hits the SVI. The commands that are equivalent to the mls qos-vlan-based command are as follows:
Standalone: wism module module_no controller controller_no qos-vlan-based
Virtual Switching System: wism switch switch_no module module_no controller controller_no qos-vlan-based
Step 1 Enter the show interface summary command to view the current dynamic interfaces.
Step 2 View the details of a specific dynamic interface by entering this command:
show interface detailed operator_defined_interface_name.
Note Interface names that contain spaces must be enclosed in double quotes. For example: config interface create "vlan 25".
Step 3 Enter the config wlan disable wlan_id command to disable each WLAN that uses the dynamic interface for distribution system communication.
Step 4 Enter these commands to configure dynamic interfaces:
Note Use the config interface ap-manager operator_defined_interface_name {enable | disable} command to enable or disable dynamic AP management. When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
Note Use the config interface quarantine vlan interface_name vlan_id command to configure a quarantine VLAN on any interface.
Note See “Configuring Security Solutions,” for more information on ACLs.
Step 5 Enter these commands if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation (NAT):
NAT allows a device, such as a router, to act as an agent between the Internet (public) and a local network (private). In this case, it maps the controller’s intranet IP addresses to a corresponding external address. The controller’s dynamic AP-manager interface must be configured with the external NAT IP address so that the controller can send the correct IP address in the Discovery Response.
Note These NAT commands can be used only on Cisco 5500 Series Controllers and only if the dynamic interface is configured for dynamic AP management.
Note These commands are supported for use only with one-to-one-mapping NAT, whereby each private client has a direct and fixed mapping to a global address. These commands do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address.
Step 6 Enter the config wlan enable wlan_id command to reenable each WLAN that uses the dynamic interface for distribution system communication.
Step 7 Enter the save config command to save your changes.
Step 8 Enter the show interface detailed operator_defined_interface_name command and show interface summary command to verify that your changes have been saved.
Note If desired, you can enter the config interface delete operator_defined_interface_name command to delete a dynamic interface.
A dynamic interface is created as a WLAN interface by default. However, any dynamic interface can be configured as an AP-manager interface, with one AP-manager interface allowed per physical port. A dynamic interface with the Dynamic AP Management option enabled is used as the tunnel source for packets from the controller to the access point and as the destination for CAPWAP packets from the access point to the controller. The dynamic interfaces for AP management must have a unique IP address and are usually configured on the same subnet as the management interface.
Note If link aggregation (LAG) is enabled, there can be only one AP-manager interface.
We recommend having a separate dynamic AP-manager interface per controller port. See the “Configuring Multiple AP-Manager Interfaces” section for instructions on configuring multiple dynamic AP-manager interfaces.
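As an added example (not Cisco's code or CLI), the following Python lint applies the interface rules stated in this chapter to a modelled controller interface table: tagged VLANs on management and AP-manager interfaces, distinct management and AP-manager VLANs without LAG, unique AP-manager addresses, one AP-manager per physical port (one in total under LAG), and dynamic interfaces that differ in VLAN or subnet from everything else on their port. The WlcInterface class and every name, address, VLAN and port number in the samples are constructed for illustration.

```python
"""Lint a Cisco WLC interface table against the rules stated in this chapter.
Added example, not Cisco's code; the model and all sample values are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Interface
from itertools import combinations
from typing import Dict, List

STATIC = {"management", "ap-manager", "service-port", "virtual"}  # the four static interfaces


@dataclass
class WlcInterface:
    name: str                 # static name or operator-defined dynamic interface name
    vlan: int                 # VLAN identifier; 0 means untagged
    address: str              # "ip/prefix" as shown by "show interface detailed" (constructed)
    port: int                 # primary physical port (0 used here for service port / virtual)
    ap_manager: bool = False  # Dynamic AP Management enabled on this interface


def lint_interfaces(interfaces: List[WlcInterface], lag_enabled: bool = False) -> List[str]:
    """Return 'error:'/'warn:' findings; an empty list means every check passed."""
    findings: List[str] = []
    by_name = {i.name: i for i in interfaces}
    mgmt = by_name.get("management")
    if mgmt is None:
        return ["error: the controller requires a management interface"]
    ap_mgrs = [i for i in interfaces if i.ap_manager]

    # Tagged VLANs are recommended on the management and AP-manager interfaces.
    for i in interfaces:
        if (i is mgmt or i.ap_manager) and i.vlan == 0:
            findings.append(f"warn: {i.name} is untagged (VLAN 0); a tagged VLAN is recommended")

    # Without LAG, management must not share a VLAN with a dynamic AP-manager interface,
    # or management cannot fail over to the port that AP-manager is on.
    if not lag_enabled:
        for i in ap_mgrs:
            if i is not mgmt and i.vlan == mgmt.vlan:
                findings.append(f"error: {i.name} shares VLAN {i.vlan} with management (non-LAG)")

    # AP-manager addresses must be unique and differ from the management address;
    # placing them on the management subnet is the recommendation.
    mgmt_ip = IPv4Interface(mgmt.address)
    seen: Dict[str, str] = {str(mgmt_ip.ip): "management"}
    for i in ap_mgrs:
        if i is mgmt:
            continue
        ip = IPv4Interface(i.address)
        if str(ip.ip) in seen:
            findings.append(f"error: {i.name} reuses IP {ip.ip} of {seen[str(ip.ip)]}")
        elif ip.network != mgmt_ip.network:
            findings.append(f"warn: {i.name} is not on the management subnet {mgmt_ip.network}")
        seen.setdefault(str(ip.ip), i.name)

    # One AP-manager interface per physical port, and only one in total when LAG is enabled.
    if lag_enabled and len(ap_mgrs) > 1:
        findings.append("error: LAG allows only one AP-manager interface")
    per_port: Dict[int, List[str]] = {}
    for i in ap_mgrs:
        per_port.setdefault(i.port, []).append(i.name)
    for port, names in sorted(per_port.items()):
        if len(names) > 1:
            findings.append(f"error: port {port} has several AP-manager interfaces: {', '.join(names)}")

    # A dynamic interface must differ in VLAN or subnet from every other interface on its
    # port; when either side is untagged, the subnets themselves must differ.
    data = [i for i in interfaces if i.name not in ("service-port", "virtual")]
    for a, b in combinations(data, 2):
        if a.port != b.port or (a.name in STATIC and b.name in STATIC):
            continue
        same_subnet = IPv4Interface(a.address).network == IPv4Interface(b.address).network
        untagged = a.vlan == 0 or b.vlan == 0
        if same_subnet and (untagged or a.vlan == b.vlan):
            findings.append(f"error: {a.name} and {b.name} on port {a.port} need distinct VLAN or subnet")
    return findings


def sample_good() -> List[WlcInterface]:
    # Constructed 5500-style layout: management acts as AP-manager on port 1,
    # a second dynamic AP-manager on port 2, one guest VLAN, LAG disabled.
    return [
        WlcInterface("management", 10, "10.0.10.2/24", 1, ap_manager=True),
        WlcInterface("apmgr-port2", 11, "10.0.10.3/24", 2, ap_manager=True),
        WlcInterface("guest", 20, "10.0.20.2/24", 1),
        WlcInterface("service-port", 0, "192.168.1.5/24", 0),
        WlcInterface("virtual", 0, "1.1.1.1/32", 0),
    ]


def sample_bad() -> List[WlcInterface]:
    # Constructed misconfiguration: the dynamic AP-manager duplicates management.
    return [
        WlcInterface("management", 10, "10.0.10.2/24", 1, ap_manager=True),
        WlcInterface("apmgr-dup", 10, "10.0.10.2/24", 1, ap_manager=True),
    ]
```

Running `lint_interfaces(sample_bad())` reports the shared VLAN, the reused address, two AP-managers on port 1 and the VLAN/subnet clash; the same table with `lag_enabled=True` drops the non-LAG VLAN finding but adds the single-AP-manager LAG rule.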
A WLAN associates a service set identifier (SSID) to an interface. It is configured with security, quality of service (QoS), radio policies, and other wireless network parameters. Up to 512 access point WLANs can be configured per controller.
Figure 4-7 shows the relationship between ports, interfaces, and WLANs.
Figure 4-7 Ports, Interfaces, and WLANs
As shown in Figure 4-7, each controller port connection is an 802.1Q trunk and should be configured as such on the neighbor switch. On Cisco switches, the native VLAN of an 802.1Q trunk is an untagged VLAN. If you configure an interface to use the native VLAN on a neighboring Cisco switch, make sure you configure the interface on the controller to be untagged.
Note A zero value for the VLAN identifier (on the Controller > Interfaces page) means that the interface is untagged.
The default (untagged) native VLAN on Cisco switches is VLAN 1. When controller interfaces are configured as tagged (meaning that the VLAN identifier is set to a nonzero value), the VLAN must be allowed on the 802.1Q trunk configuration on the neighbor switch and not be the native untagged VLAN.
We recommend that tagged VLANs be used on the controller. You should also allow only relevant VLANs on the neighbor switch’s 802.1Q trunk connections to controller ports. All other VLANs should be disallowed or pruned in the switch port trunk configuration. This practice is extremely important for optimal performance of the controller.
Note We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers properly route VLAN traffic.
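As an added example that is not part of the original guide, this Python check parses a neighbor switch's IOS trunk stanza and compares it with the VLANs assigned to the controller interfaces on that port: the port must be an 802.1Q trunk, every tagged controller VLAN must be allowed and must not be the native VLAN, an untagged (VLAN 0) interface rides the native VLAN, and VLANs the controller does not use should be pruned. The stanza, interface names and VLAN numbers are constructed, and only the `switchport mode` and `switchport trunk native/allowed vlan` lines are interpreted.

```python
"""Compare a neighbor switch 802.1Q trunk with the VLANs the controller interfaces use.
Added example, not Cisco's code; the IOS stanza and VLAN numbers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ALL_VLANS = set(range(1, 4095))  # IOS default: a trunk allows every VLAN


@dataclass
class Trunk:
    mode: Optional[str] = None  # value of "switchport mode ..."
    native: int = 1             # IOS default native (untagged) VLAN
    allowed: Set[int] = field(default_factory=lambda: set(ALL_VLANS))


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22,30' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunk(stanza: str) -> Trunk:
    """Read mode, native VLAN and allowed VLANs from one IOS interface stanza."""
    trunk = Trunk()
    for line in stanza.splitlines():
        words = line.split()
        if words[:2] == ["switchport", "mode"] and len(words) > 2:
            trunk.mode = words[2]
        elif words[:4] == ["switchport", "trunk", "native", "vlan"]:
            trunk.native = int(words[4])
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            rest = words[4:]
            if rest[0] == "all":
                trunk.allowed = set(ALL_VLANS)
            elif rest[0] == "none":
                trunk.allowed = set()
            elif rest[0] == "add":
                trunk.allowed |= parse_vlan_list("".join(rest[1:]))
            elif rest[0] == "remove":
                trunk.allowed -= parse_vlan_list("".join(rest[1:]))
            else:
                trunk.allowed = parse_vlan_list("".join(rest))
    return trunk


def check_trunk(controller_vlans: Dict[str, int], trunk: Trunk) -> List[str]:
    """Findings for one controller port; controller_vlans maps interface name -> VLAN (0 = untagged)."""
    findings: List[str] = []
    if trunk.mode != "trunk":
        findings.append(f"error: switch port mode is {trunk.mode or 'unset'}; "
                        "the controller port must be an 802.1Q trunk")
    used: Set[int] = set()
    for name, vlan in controller_vlans.items():
        if vlan == 0:
            # An untagged controller interface travels in the switch's native VLAN.
            used.add(trunk.native)
            findings.append(f"info: {name} is untagged (VLAN 0) and uses native VLAN {trunk.native}")
            if trunk.native not in trunk.allowed:
                findings.append(f"error: native VLAN {trunk.native} is not allowed on the trunk; {name} is cut off")
            continue
        used.add(vlan)
        if vlan == trunk.native:
            findings.append(f"error: {name} is tagged VLAN {vlan}, the switch native (untagged) VLAN; "
                            "use a non-native VLAN or make the interface untagged")
        if vlan not in trunk.allowed:
            findings.append(f"error: VLAN {vlan} for {name} is not allowed on the trunk")
    extra = trunk.allowed - used
    if len(extra) > 20:
        findings.append(f"warn: trunk allows {len(extra)} VLANs the controller does not use; "
                        f"restrict the allowed list to {sorted(used)}")
    elif extra:
        findings.append("warn: prune unused VLAN(s) from the trunk: " + ",".join(map(str, sorted(extra))))
    return findings


# Constructed sample stanza for the switch port facing controller port 1.
SAMPLE_TRUNK = """\
interface GigabitEthernet1/0/1
 description to WLC port 1 (constructed sample)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 10,11,20-22
 switchport mode trunk
"""
# Constructed controller interfaces mapped to port 1: all tagged, none on the native VLAN.
PORT1_INTERFACES = {"management": 10, "ap-manager": 11, "guest": 20}
```

For the sample the only finding is the pruning warning for VLANs 21 and 22; a stanza whose native VLAN matches a tagged controller VLAN, or that has no allowed-VLAN list at all, produces the corresponding error and warning.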
The ports of the controller are preconfigured with factory-default settings designed to make the ports of the controller operational without additional configuration. However, you can view the status of the ports of the controller and edit their configuration parameters at any time.
Step 1 Choose Controller > Ports to open the Ports page.
This page shows the current configuration for each of the controller’s ports.
If you want to change the settings of any port, click the number for that specific port. The Port > Configure page appears.
Note If the management and AP-manager interfaces are mapped to the same port and are members of the same VLAN, you must disable the WLAN before making a port-mapping change to either interface. If the management and AP-manager interfaces are assigned to different VLANs, you do not need to disable the WLAN.
Note The number of parameters available on the Port > Configure page depends on your controller type.
The following fields show the current status of the port:
Note In Cisco Wireless LAN Controller Module (NM-AIR-WLC6-K9), Cisco 5500 Series Controller, and Cisco Flex 7500 Series Controllers, the physical mode is always set to auto.
– 5500 series—1000 Mbps full duplex
– Controller network module—100 Mbps full duplex
– Catalyst 3750G Integrated Wireless LAN Controller Switch—1000 Mbps full duplex
Note Some older Cisco access points do not draw PoE even if it is enabled on the controller port. In such cases, contact the Cisco Technical Assistance Center (TAC).
Note The controller in the Catalyst 3750G Integrated Wireless LAN Controller Switch supports PoE on all ports.
Step 2 The following is a list of the port’s configurable parameters.
Note Administratively disabling the port on a controller does not affect the port’s link status. The link can be brought down only by other Cisco devices. On other Cisco products, however, administratively disabling a port brings the link down.
Note When a primary port link goes down, messages may get logged internally only and not be posted to a syslog server. It may take up to 40 seconds to restore logging to the syslog server.
– 5500 series—Fixed 1000 Mbps full duplex
– WiSM—Auto or 1000 Mbps full duplex
– Controller network module—Auto or 100 Mbps full duplex
– Catalyst 3750G Integrated Wireless LAN Controller Switch—Auto or 1000 Mbps full duplex
Note You will be prompted with a warning message when the following events occur:
1. When the traffic rate from the data ports exceeds 300 Mbps.
2. When the traffic rate from the data ports exceeds 250 Mbps constantly for 1 minute.
3. When the traffic rate from the data ports falls back to normal from one of the above states for 1 minute.
Step 3 Click Apply to commit your changes.
Step 4 Click Save Configuration to save your changes.
Step 5 Click Back to return to the Ports page and review your changes.
Step 6 Repeat this procedure for each additional port that you want to configure.
The USB console port on the Cisco 5500 Series Controllers connects directly to the USB connector of a PC using a USB Type A-to-5-pin mini Type B cable.
Note The 4-pin mini Type B connector is easily confused with the 5-pin mini Type B connector. They are not compatible. Only the 5-pin mini Type B connector can be used.
For operation with Microsoft Windows, the Cisco Windows USB console driver must be installed on any PC connected to the console port. With this driver, you can plug and unplug the USB cable into and from the console port without affecting Windows HyperTerminal operations.
Note Only one console port can be active at a time. When a cable is plugged into the USB console port, the RJ-45 port becomes inactive. Conversely, when the USB cable is removed from the USB port, the RJ-45 port becomes active.
These operating systems are compatible with the USB console:
Step 1 Download the USB_Console.inf driver file as follows:
a. Click this URL to go to the Software Center:
http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278875243
b. Click Wireless LAN Controllers.
c. Click Standalone Controllers.
d. Click Cisco 5500 Series Wireless LAN Controllers.
e. Click Cisco 5508 Wireless LAN Controller.
f. Choose the USB driver file.
g. Save the file to your hard drive.
Step 2 Connect the Type A connector to a USB port on your PC.
Step 3 Connect the mini Type B connector to the USB console port on the controller.
Step 4 When prompted for a driver, browse to the USB_Console.inf file on your PC. Follow the prompts to install the USB driver.
Note Some systems might also require an additional system file. You can download the Usbser.sys file from this URL:
http://support.microsoft.com/kb/918365
The USB driver is mapped to COM port 6. Some terminal emulation programs do not recognize a port higher than COM 4. If necessary, change the Cisco USB systems management console COM port to an unused port of COM 4 or lower.
Step 1 From your Windows desktop, right-click My Computer and choose Manage.
Step 2 From the list on the left side, choose Device Manager.
Step 3 From the device list on the right side, double-click Ports (COM & LPT).
Step 4 Right-click Cisco USB System Management Console 0108 and choose Properties.
Step 5 Click the Port Settings tab and click the Advanced button.
Step 6 From the COM Port Number drop-down list, choose an unused COM port of 4 or lower.
Step 7 Click OK to save and then close the Advanced Settings dialog box.
Step 8 Click OK to save and then close the Communications Port Properties dialog box.
Cisco 5500 Series Controllers have no restrictions on the number of access points per port, but we recommend using link aggregation (LAG) or multiple AP-manager interfaces on each Gigabit Ethernet port to automatically balance the load.
The following factors should help you decide which method to use if your controller is set for Layer 3 operation:
Follow the instructions on the page indicated for the method you want to use:
Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller’s distribution system ports into a single 802.3ad port channel, thereby reducing the number of IP addresses needed to configure the ports on your controller. When LAG is enabled, the system dynamically manages port redundancy and load balances access points transparently to the user.
Figure 4-9 shows LAG.
LAG simplifies controller configuration because you no longer need to configure primary and secondary ports for each interface. If any of the controller ports fail, traffic is automatically migrated to one of the other ports. As long as at least one controller port is functioning, the system continues to operate, access points remain connected to the network, and wireless clients continue to send and receive data.
Note LAG is supported across switches.
When a Cisco 5500 Series Controller LAG port is connected to a Catalyst 3750G or a 6500 or 7600 channel group employing load balancing, note the following:
The following example shows a Catalyst 6500 series switch in PFC3B mode when you enter the global configuration port-channel load-balance src-dst-ip command for proper LAG functionality:
The following example shows a Catalyst 6500 series switch in PFC3C mode when you enter the exclude vlan keyword in the port-channel load-balance src-dst-ip exclude vlan command:
Figure 4-10 Link Aggregation with the Catalyst 6500 Series Neighbor Switch
Note The two internal Gigabit ports on the controller within the Catalyst 3750G Integrated Wireless LAN Controller Switch are always assigned to the same LAG group.
Note LAG is enabled by default and is the only option on the Catalyst 3750G Integrated Wireless LAN Controller Switch.
Step 1 Choose Controller > General to open the General page.
Step 2 Set the LAG Mode on Next Reboot parameter to Enabled.
Note Choose Disabled if you want to disable LAG. LAG is disabled by default on the Cisco 5500 but enabled by default on the Catalyst 3750G Integrated Wireless LAN Controller Switch.
Step 3 Click Apply to commit your changes.
Step 4 Click Save Configuration to save your changes.
Step 6 Assign the WLAN to the appropriate VLAN.
Step 1 Enter the config lag enable command to enable LAG.
Note Enter the config lag disable command if you want to disable LAG.
Step 2 Enter the save config command to save your settings.
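The following is an added example, not one of the guide's own, showing the neighbor-switch side of a controller LAG next to the controller commands from the procedure above. Port numbers (Gi1/1-4), VLAN IDs (10, 20, 30) and descriptions are assumed values; only port-channel load-balance src-dst-ip, config lag enable and save config come from this page, and the channel-group mode on setting reflects the assumption that the controller's partial 802.3ad LAG does not negotiate LACP or PAgP.

```cisco
! Neighbor Catalyst switch (IOS). Port numbers, VLAN IDs and descriptions are assumed values.
! Global load-balancing method from the page; on a PFC3C supervisor use the
! "port-channel load-balance src-dst-ip exclude vlan" form the page describes instead.
port-channel load-balance src-dst-ip
!
! One 802.1Q trunk bundle; allow only the VLANs the controller interfaces actually use.
interface Port-channel1
 description LAG to Cisco 5508 controller
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
! The controller's distribution system ports (assumed Gi1/1-4).
! "mode on" because the controller's partial 802.3ad LAG does not negotiate
! LACP or PAgP (assumption): a negotiating mode would leave the bundle down.
interface range GigabitEthernet1/1 - 4
 description LAG member to Cisco 5508 controller
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 channel-group 1 mode on
!
! Controller side (AireOS CLI), as in the procedure above. LAG takes effect
! on the next reboot, so the controller is reset after saving.
(Cisco Controller) >config lag enable
(Cisco Controller) >save config
(Cisco Controller) >reset system
!
! Verification after the reboot: every member port should show as bundled (P flag)
! on the switch, and LAG should show as enabled on the controller.
Switch# show etherchannel 1 summary
(Cisco Controller) >show lag summary
```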
This section contains the following topics:
When you create two or more AP-manager interfaces, each one is mapped to a different port (see Figure 4-12). The ports should be configured in sequential order so that AP-manager interface 2 is on port 2, AP-manager interface 3 is on port 3, and AP-manager interface 4 is on port 4.
Before an access point joins a controller, it sends out a discovery request. From the discovery response that it receives, the access point can tell the number of AP-manager interfaces on the controller and the number of access points on each AP-manager interface. The access point generally joins the AP-manager with the least number of access points. In this way, the access point load is dynamically distributed across the multiple AP-manager interfaces.
Note Access points may not be distributed completely evenly across all of the AP-manager interfaces, but a certain level of load balancing occurs.
Figure 4-12 Three AP-Manager Interfaces
This configuration has the advantage of load balancing all 100 access points evenly across all four AP-manager interfaces. If one of the AP-manager interfaces fails, all of the access points connected to the controller would be evenly distributed among the three available AP-manager interfaces. For example, if AP-manager interface 2 fails, the remaining AP-manager interfaces (1, 3, and 4) would each manage approximately 33 access points.
– The Cisco 4404-100 Controller supports up to 100 access points and has four ports. To support the maximum number of access points, you would need to create three (or more) AP-manager interfaces (see Figure 4-14). If the port of one of the AP-manager interfaces fails, the controller clears the access points’ state, and the access points must reboot to reestablish communication with the controller using the normal controller join process. The controller no longer includes the failed AP-manager interface in the CAPWAP or LWAPP discovery responses. The access points then rejoin the controller and are load balanced among the available AP-manager interfaces.
Figure 4-13 Two AP-Manager Interfaces
Figure 4-14 Four AP-Manager Interfaces
Step 1 Choose Controller > Interfaces to open the Interfaces page.
Step 2 Click New. The Interfaces > New page appears.
Figure 4-15 Interfaces > New Page
Step 3 Enter an AP-manager interface name and a VLAN identifier.
Step 4 Click Apply to commit your changes. The Interfaces > Edit page appears.
Figure 4-16 Interfaces > Edit Page
Step 5 Enter the appropriate interface parameters.
Note Do not define a backup port for an AP-manager interface. Port redundancy is not supported for AP-manager interfaces. If the AP-manager interface fails, all of the access points connected to the controller through that interface are evenly distributed among the other configured AP-manager interfaces.
Step 6 To make this interface an AP-manager interface, select the Enable Dynamic AP Management check box.
Note Only one AP-manager interface is allowed per physical port. A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
Step 7 Click Save Configuration to save your settings.
Step 8 Repeat this procedure for each additional AP-manager interface that you want to create.
Step 1 Enter these commands to create a new interface:
Note Use this command to configure a quarantine VLAN on any interface.
Note See “Configuring Security Solutions,” for more information on ACLs.
Step 2 To make this interface an AP-manager interface, enter this command:
config interface ap-manager operator_defined_interface_name { enable | disable }
Note Only one AP-manager interface is allowed per physical port. A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
Step 3 To save your changes, enter this command:
Step 4 Repeat this procedure for each additional AP-manager interface that you want to create.
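An added example, not the guide's own, of the CLI procedure above on a Cisco 5500 with LAG disabled: the management interface on port 1 serves as the first AP-manager and dynamic AP-manager interfaces are created for ports 2 and 3. The interface names, VLAN 10 and the 192.0.2.0/24 addresses are constructed, and the config interface create, address and port commands and the show commands are assumed standard AireOS commands not shown on this page.

```cisco
! Assumed values: VLAN 10 and 192.0.2.0/24 are constructed for this example.
! Ports are assigned sequentially (ap-mgr-2 on port 2, ap-mgr-3 on port 3), and
! no backup port is set: port redundancy is not supported for AP-manager interfaces.
(Cisco Controller) >config interface create ap-mgr-2 10
(Cisco Controller) >config interface address ap-mgr-2 192.0.2.12 255.255.255.0 192.0.2.1
(Cisco Controller) >config interface port ap-mgr-2 2
(Cisco Controller) >config interface ap-manager ap-mgr-2 enable
!
(Cisco Controller) >config interface create ap-mgr-3 10
(Cisco Controller) >config interface address ap-mgr-3 192.0.2.13 255.255.255.0 192.0.2.1
(Cisco Controller) >config interface port ap-mgr-3 3
(Cisco Controller) >config interface ap-manager ap-mgr-3 enable
!
! Repeat for ap-mgr-4 .. ap-mgr-8 on ports 4 .. 8 (one AP-manager per physical
! port; these interfaces can no longer be used as WLAN interfaces), then save.
(Cisco Controller) >save config
!
! Checks: each new interface is listed on its own port with AP management
! enabled, so discovery responses advertise several AP-managers instead of one.
(Cisco Controller) >show interface summary
(Cisco Controller) >show interface detailed ap-mgr-2
```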
For a Cisco 5500 Series Controller, we recommend having eight dynamic AP-manager interfaces and associating them to the controller’s eight Gigabit ports. If you are using the management interface, which acts like an AP-manager interface by default, you need to create only seven more dynamic AP-manager interfaces and associate them to the remaining seven Gigabit ports. For example, Figure 4-17 shows a dynamic interface that is enabled as a dynamic AP-manager interface and associated to port number 2, and Figure 4-18 shows a Cisco 5500 Series Controller with LAG disabled, the management interface used as one dynamic AP-manager interface, and seven additional dynamic AP-manager interfaces, each mapped to a different Gigabit port.
Figure 4-17 Dynamic Interface Example with Dynamic AP Management
Figure 4-18 Cisco 5500 Series Controller Interface Configuration Example
This section contains the following topics:
Whenever a wireless client connects to a wireless network (WLAN), the client is placed in a VLAN that is associated with the WLAN. In a large venue such as an auditorium, a stadium, or a conference where there may be numerous wireless clients, having only a single WLAN to accommodate many clients might be a challenge.
The VLAN select feature enables you to use a single WLAN that can support multiple VLANs. Clients can be assigned to one of the configured VLANs. This feature enables you to map a WLAN to one or more interface VLANs using interface groups. Wireless clients that associate to the WLAN get an IP address from a pool of subnets identified by the interfaces. The IP address is derived by an algorithm based on the MAC address of the wireless client. This feature also extends the current AP group architecture, in which AP groups can override the interface or interface group to which the WLAN is mapped, so that the override can use multiple interfaces through interface groups. This feature also addresses the auto-anchor restriction: a wireless guest user at a foreign location can get an IP address from multiple subnets, based on the foreign location or foreign controller, from the same anchor controller.
When a client roams from one controller to another, the foreign controller sends the VLAN information as part of the mobility announce message. Based on the VLAN information received, the anchor decides whether the tunnel should be created between the anchor controller and the foreign controller. If the same VLAN is available on the foreign controller, the client context is completely deleted from the anchor and the foreign controller becomes the new anchor controller for the client.
If an interface (int-1) in a subnet is untagged on one controller (VLAN ID 0) and the interface (int-2) in the same subnet is tagged on another controller (VLAN ID 1), then with VLAN select a client that joins the first controller over this interface may not undergo an L2 roam when it moves to the second controller. Therefore, for L2 roaming to happen between two controllers with VLAN select, all the interfaces in the same subnet should be either tagged or untagged.
As part of the VLAN select feature, the mobility announce message carries an additional vendor payload that contains the list of VLAN interfaces in an interface group mapped to a foreign controller’s WLAN. This VLAN list enables the anchor to differentiate a local-to-local handoff from a local-to-foreign handoff.
Note VLAN pooling applies to wireless clients and centrally switched WLANs.
This section contains the following topics:
Interface groups are logical groups of interfaces. Interface groups facilitate user configuration: the same interface group can be configured on multiple WLANs or used to override a WLAN interface per AP group. An interface group can exclusively contain either quarantine or nonquarantine interfaces. An interface can be part of multiple interface groups.
A WLAN can be associated with an interface or interface group. The interface group name and the interface name cannot be the same.
This feature also enables you to associate a client to specific subnets based on the foreign controller that it is connected to. The anchor controller WLAN can be configured to maintain a mapping between a foreign controller MAC address and a specific interface or interface group (foreign maps) as needed. If this mapping is not configured, clients on that foreign controller get VLANs from the interface group configured on the WLAN.
You can also configure AAA override for interface groups. This feature extends the current access point group and AAA override architecture, in which access point groups and AAA override can override the interface group to which the WLAN is mapped, by allowing the override to use multiple interfaces through interface groups.
This feature enables network administrators to configure guest anchor restrictions where a wireless guest user at a foreign location can obtain an IP address from multiple subnets, based on the foreign location and foreign controller, from within the same anchor controller.
Table 4-1 lists the platform support for interface and interface groups:
Step 1 Choose Controller > Interface Groups from the left navigation pane.
The Interface Groups page appears with the list of interface groups already created.
Note To remove an interface group, hover your mouse pointer over the blue drop-down icon and choose Remove.
Step 2 Click Add Group to add a new group.
The Add New Interface Group page appears.
Step 3 Enter the details of the interface group:
Step 1 Choose Controller > Interface Groups .
The Interface Groups page appears with a list of all interface groups.
Step 2 Click the name of the interface group to which you want to add interfaces.
The Interface Groups > Edit page appears.
Step 3 Choose the interface name that you want to add to this interface group from the Interface Name drop-down list.
Step 4 Click Add Interface to add the interface to the Interface group.
Step 5 Repeat Steps 2 and 3 if you want to add multiple interfaces to this interface group.
Note To remove an interface from the interface group, hover your mouse pointer over the blue drop-down arrow and choose Remove.
To add interfaces to interface groups, use the config interface group interface add interface_group interface_name command.
To view a list of VLANs in the interface groups, use the show interface group detailed interface-group-name command.
This section contains the following topics:
Prior to the 7.0.116.0 release, multicast was based on the grouping of the multicast address and the VLAN as one entity, the MGID. With VLAN select and VLAN pooling, duplicate packets might increase. With the VLAN select feature, every client listens to the multicast stream on a different VLAN. As a result, the controller creates different MGIDs for each multicast address and VLAN. Therefore, the upstream router sends one copy for each VLAN, which results, in the worst case, in as many copies as there are VLANs in the pool. Since the WLAN is still the same for all clients, multiple copies of the multicast packet are sent over the air. To suppress the duplication of a multicast stream on the wireless medium and between the controller and access points, you can use the multicast optimization feature.
Multicast optimization enables you to create a multicast VLAN that you can use for multicast traffic. You can configure one of the VLANs of the WLAN as a multicast VLAN where multicast groups are registered. Clients are allowed to listen to a multicast stream on the multicast VLAN. The MGID is generated using the multicast VLAN and the multicast IP address. If multiple clients on the VLAN pool of the same WLAN are listening to a single multicast IP address, a single MGID is generated. The controller makes sure that all multicast streams from the clients on this VLAN pool always go out on the multicast VLAN, so that the upstream router has one entry for all the VLANs of the VLAN pool. Only one multicast stream hits the VLAN pool even if the clients are on different VLANs. Therefore, only one multicast stream is sent out over the air.
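An added example, not the guide's own, that ties the interface-group CLI commands above to multicast optimization: three tagged dynamic interfaces are pooled in an interface group, a WLAN is mapped to the group, and one pooled VLAN is chosen as the multicast VLAN so that a single MGID and a single over-the-air stream serve the whole pool. The interface and group names, VLANs 10/20/30, the 10.10.x.0/24 addresses and the DHCP server 10.10.0.5 are constructed, and every command other than config interface group interface add and show interface group detailed is an assumed standard AireOS command not shown on this page.

```cisco
! Three tagged dynamic interfaces (all tagged, as the L2 roaming note requires).
! Names, VLANs, addresses and the DHCP server are constructed values.
(Cisco Controller) >config interface create vlan-int-10 10
(Cisco Controller) >config interface address vlan-int-10 10.10.10.2 255.255.255.0 10.10.10.1
(Cisco Controller) >config interface dhcp vlan-int-10 10.10.0.5
(Cisco Controller) >config interface create vlan-int-20 20
(Cisco Controller) >config interface address vlan-int-20 10.10.20.2 255.255.255.0 10.10.20.1
(Cisco Controller) >config interface dhcp vlan-int-20 10.10.0.5
(Cisco Controller) >config interface create vlan-int-30 30
(Cisco Controller) >config interface address vlan-int-30 10.10.30.2 255.255.255.0 10.10.30.1
(Cisco Controller) >config interface dhcp vlan-int-30 10.10.0.5
!
! Interface group: its name must differ from every interface name, and a group
! holds only quarantine or only nonquarantine interfaces (all nonquarantine here).
(Cisco Controller) >config interface group create auditorium-pool auditorium_vlan_pool
(Cisco Controller) >config interface group interface add auditorium-pool vlan-int-10
(Cisco Controller) >config interface group interface add auditorium-pool vlan-int-20
(Cisco Controller) >config interface group interface add auditorium-pool vlan-int-30
!
! Map WLAN 1 to the group (the WLAN is disabled while its interface changes),
! then choose vlan-int-10 as the multicast VLAN for that WLAN.
(Cisco Controller) >config wlan disable 1
(Cisco Controller) >config wlan interface 1 auditorium-pool
(Cisco Controller) >config wlan multicast interface 1 enable vlan-int-10
(Cisco Controller) >config wlan enable 1
(Cisco Controller) >save config
!
! Checks: the group lists all three VLANs, and the WLAN shows the interface
! group and the multicast interface; the upstream router now needs one entry
! (vlan-int-10) for the pool instead of one per VLAN.
(Cisco Controller) >show interface group detailed auditorium-pool
(Cisco Controller) >show wlan 1
```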
Step 2 Click on the WLAN ID of the WLAN that you want to choose for a multicast VLAN.
The WLANs > Edit page appears.
Step 3 Enable the multicast VLAN feature by selecting the Multicast VLAN feature check box.
The Multicast Interface drop-down list appears.
Step 4 Choose the VLAN from the Multicast Interface drop-down list.