Cisco Systems XSCLCR14 4.9 GHz WMIC Mini PCI Module User Manual Tune up Procedure

Cisco Systems Inc 4.9 GHz WMIC Mini PCI Module Tune up Procedure

Users Manual Revised

Corporate HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706 USAhttp://www.cisco.comTel: 408 526-4000800 553-NETS (6387)Fax: 408 526-4100Cisco 3200 Series Wireless MIC Software Configuration GuideJune 2005Text Part Number: OL-7734-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCOOR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.Cisco 3200 Series Wireless MIC Software Configuration Guide Copyright © 2005 Cisco Systems, Inc. All rights reserved.CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0401R)
iiiCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02CONTENTSPreface xvAudience xvPurpose xvOrganization xvConventions xviiRelated Documentation xixObtaining Documentation xxCisco.com xxOrdering Documentation xxDocumentation Feedback xxTools and Web Sites xxObtaining Additional Publications and Information xxiCisco 3200 Documentation CD xxiiSystem Requirements for the CD xxiiPrinting Documents from the CD xxiiObtaining Technical Assistance xxiiiCisco TAC Website xxiiiOpening a TAC Case xxiiiTAC Case Priority Definitions xxiiiObtaining Additional Publications and Information xxivCHAPTER1Overview 1-1Understanding the Cisco Mobile Wireless Network 1-2Network Configuration Descriptions 1-2Access Point Mode 1-2Point-to-Point Bridging 1-2Point-to-Multipoint Bridging 1-3Redundant Bridging 1-4Workgroup Bridge Mode 1-4Features 1-4Management Options 1-7CHAPTER2Configuring the WMIC for the First Time 9Before You Start 10
ContentsivCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Connecting to the WMIC 10Using the Console Port to Access the Exec 10Using a Telnet Session to Access the Exec 11Opening the CLI with Secure Shell 11Obtaining and Assigning an IP Address 12Assigning an IP Address By Using the Exec 12Assigning Basic Settings By Using the Web Browser 13Default Settings on the Express Setup Page 16Protecting Your Wireless LAN 16Configuring Basic Security Settings 17Understanding Express Security Settings 18Using VLANs 18Express Security Types 18Express Security Limitations 19Using the Express Security Page 20CLI Security Configuration Examples 20Example: No Security 20Example: Static WEP 21Example: EAP Authentication 22Example: WPA 23Using the IP Setup Utility 24Obtaining and Installing IPSU 24Using IPSU to Find the WMIC IP Address 25Using IPSU to Set the IP Address and SSID 26CHAPTER3Administering the WMIC 2-1Configuring a System Name and Prompt 2-2Configuring a System Name 2-2Managing DNS 2-2Default DNS Configuration 2-3Setting Up DNS 2-3Displaying the DNS Configuration 2-4Creating a Banner 2-4Default Banner Configuration 2-4Configuring a Message-of-the-Day Login Banner 2-4Configuring a Login Banner 2-5Managing the System Time and Date 2-6Understanding the System Clock 2-6Understanding Network Time Protocol 2-6
ContentsvCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Configuring NTP 2-9Default NTP Configuration 2-9Configuring NTP Authentication 2-9Configuring NTP Associations 2-11Configuring NTP Broadcast Service 2-12Configuring NTP Access Restrictions 2-14Configuring the Source IP Address for NTP Packets 2-16Displaying the NTP Configuration 2-16Configuring Time and Date Manually 2-17Setting the System Clock 2-17Displaying the Time and Date Configuration 2-17Configuring the Time Zone 2-18Configuring Summer Time (Daylight Saving Time) 2-19Protecting Access to Privileged EXEC Commands 2-20Setting or Changing a Static Enable Password 2-21Protecting Enable and Enable Secret Passwords with Encryption 2-22Configuring Username and Password Pairs 2-24Configuring Multiple Privilege Levels 2-25Setting the Privilege Level for a Command 2-25Logging Into and Exiting a Privilege Level 2-26Protecting the Wireless LAN 2-26Using VLANs 2-26Express Security Types 2-27Security Configuration Examples 2-27Configuring and Enabling RADIUS 2-32Understanding RADIUS 2-32RADIUS Operation 2-33Controlling WMIC Access with RADIUS 2-34Identifying the RADIUS Server Host 2-35Configuring RADIUS Login Authentication 2-37Defining AAA Server Groups 2-39Configuring RADIUS Authorization for User Privileged Access and Network Services 2-40Starting RADIUS Accounting 2-41Configuring Settings for All RADIUS Servers 2-42Configuring the Bridge to Use Vendor-Specific RADIUS Attributes 2-42Configuring the Bridge for Vendor-Proprietary RADIUS Server Communication 2-43Displaying the RADIUS Configuration 2-44Controlling WMIC Access with TACACS+ 2-44Understanding TACACS+ 2-45
ContentsviCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02TACACS+ Operation 2-45Default TACACS+ Configuration 2-46Configuring TACACS+ Login Authentication 2-46Identifying the TACACS+ Server Host and Setting the Authentication Key 2-47Configuring TACACS+ Login Authentication 2-48Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 2-49Starting TACACS+ Accounting 2-50Displaying the TACACS+ Configuration 2-50Configuring the WMIC for Local Authentication and Authorization 2-51Configuring the WMIC for Secure Shell 2-52Understanding SSH 2-52Configuring SSH 2-53Managing Aironet Extensions 2-53CHAPTER4Configuring Radio Settings 3-1Disabling and Enabling the Radio Interface 3-2Configuring the Role in Radio Network 3-2Configuring the WMIC as an Access Point 3-3Configuring the WMIC as a Workgroup Bridge 3-3Configuring the WMIC as a Bridge 3-4Configuring Radio Data Rates 3-4Configuring Radio Transmit Power 3-6Configuring Radio Channel Settings 3-7IEEE 802.11g (2.4-GHz Band) 3-74.9-GHz Band 3-8spacing channel User Interface Command 3-9Enabling and Disabling World Mode (2.4-GHz Only) 3-11Disabling and Enabling Short Radio Preambles (2.4-GHz Only) 3-11Configuring Transmit and Receive Antennas 3-12Configuring the Ethernet Encapsulation Transformation Method 3-13Enabling and Disabling Concatenation (2.4-GHz Only) 3-13Configuring the Radio Distance Setting 3-14Enabling and Disabling Reliable Multicast to Workgroup Bridges 3-14Enabling and Disabling Public Secure Packet Forwarding 3-15Configuring Protected Ports 3-16Configuring the Beacon Period 3-17Configure RTS Threshold and Retries 3-17
ContentsviiCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Configuring the Maximum Data Retries 3-18Configuring the Fragmentation Threshold 3-18Setting the Root Parent Timeout Value 3-19Configuring the Root Parent MAC 3-19Performing a Carrier Busy Test 3-20CHAPTER5Configuring SSIDs 3-1Understanding SSIDs 3-2Configuring the SSID 3-2Default SSID Configuration 3-2Creating an SSID 3-3CHAPTER6Configuring Spanning Tree Protocol 5-1Understanding Spanning Tree Protocol 5-2STP Overview 5-2Bridge Interoperability 5-3Bridge Protocol Data Units 5-3Election of the Spanning-Tree Root 5-4Spanning-Tree Timers 5-5Creating the Spanning-Tree Topology 5-5Spanning-Tree Interface States 5-6Blocking State 5-7Listening State 5-7Learning State 5-8Forwarding State 5-8Disabled State 5-8Configuring STP Features 5-9Default STP Configuration 5-9Configuring STP Settings 5-9STP Configuration Examples 5-10Root Bridge Without VLANs 5-10Non-Root Bridge Without VLANs 5-11Root Bridge with VLANs 5-12Non-Root Bridge with VLANs 5-13Displaying Spanning-Tree Status 5-15CHAPTER7Configuring WEP and WEP Features 6-1Understanding WEP 6-2
ContentsviiiCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Configuring Cipher Suites and WEP 6-3Creating WEP Keys 6-3WEP Key Restrictions 6-4Example WEP Key Setup 6-4Enabling Cipher Suites and WEP 6-5Matching Cipher Suites with WPA 6-6CHAPTER8Configuring Authentication Types 7-1Understanding Authentication Types 7-2Open Authentication to the WMIC 7-2Shared Key Authentication to the Bridge 7-2EAP Authentication to the Network 7-3Using CCKM for Authenticated Bridges 7-5Using WPA Key Management 7-5Configuring Authentication Types 7-5Default Authentication Settings 7-6Assigning Authentication Types to an SSID 7-6Configuring the Root Bridge to Interact with the WDS Device 7-8Configuring Additional WPA Settings 7-9Configuring Authentication Holdoffs, Timeouts, and Intervals 7-10Setting Up a Non-Root Bridge as a LEAP Client 7-10Matching Authentication Types on Root and Non-Root Bridges 7-11LEAP Example Configurations 7-12CHAPTER9Configuring WDS, Fast Secure Roaming, and Radio Management 8-1Understanding WDS 8-2Role of the WDS Access Point 8-2Role of Access Points Using the WDS Access Point 8-2Understanding Fast Secure Roaming 8-3Understanding Radio Management 8-4Configuring WDS and Fast Secure Roaming 8-5Guidelines for WDS 8-5Requirements for WDS and Fast Secure Roaming 8-5Configuring the WMIC to use the WDS Access Point 8-5Configuring the Authentication Server to Support Fast Secure Roaming 8-6CLI Commands to Enable the WDS Server 8-9CLI Commands to Enable the Root Device 8-10dot11 interface speed Command 8-11Viewing WDS Information 8-12
ContentsixCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Using Debug Messages 8-13CHAPTER10 Configuring VLANs 9-1Understanding VLANs 9-2Related Documents 9-3Incorporating Wireless Bridges into VLANs 9-4Configuring VLANs 9-4Configuring a VLAN 9-4Viewing VLANs Configured on the WMIC 9-7CHAPTER11 Configuring QoS in a Wireless Environment 10-1Understanding QoS for Wireless LANs 10-2QoS for Wireless LANs Versus QoS on Wired LANs 10-2Impact of QoS on a Wireless LAN 10-2Precedence of QoS Settings 10-3Configuring QoS 10-3Configuration Guidelines 10-4Configuring QoS Using the Web-Browser Interface 10-4Adjusting Radio Access Category Definitions 10-7CW-min and CW-max Settings for Point-to-Point and Point-to-Multipoint Bridge Links 10-8QoS Configuration Examples 10-9Giving Priority to Voice Traffic 10-9Giving Priority to Video Traffic 10-10QoS Example Configuration for VLAN 10-11QoS Example of IP DSCP and IP Precedence 10-12CHAPTER12 Configuring Filters 11-1Understanding Filters 11-2Configuring Filters Using the CLI 11-2Configuring Filters Using the Web-Browser Interface 11-2Configuring and Enabling MAC Address Filters 11-3Creating a MAC Address Filter 11-4Configuring and Enabling IP Filters 11-5Creating an IP Filter 11-6Configuring and Enabling Ethertype Filters 11-7Creating an Ethertype Filter 11-8
ContentsxCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02CHAPTER13 Configuring CDP 12-1Understanding CDP 12-2Configuring CDP 12-2Default CDP Configuration 12-2Configuring the CDP Characteristics 12-3Disabling and Enabling CDP 12-3Disabling and Enabling CDP on an Interface 12-4Monitoring and Maintaining CDP 12-5CHAPTER14 Configuring SNMP 13-1Understanding SNMP 13-2SNMP Versions 13-2SNMP Manager Functions 13-3SNMP Agent Functions 13-3SNMP Community Strings 13-4Using SNMP to Access MIB Variables 13-4Configuring SNMP 13-5Default SNMP Configuration 13-5Enabling the SNMP Agent 13-5Configuring Community Strings 13-5Configuring Trap Managers and Enabling Traps 13-7Setting the Agent Contact and Location Information 13-10Using the snmp-server view Command 13-10SNMP Examples 13-10Displaying SNMP Status 13-11CHAPTER15 Managing Firmware and Configurations 14-1Working with the Flash File System 14-2Displaying Available File Systems 14-2Setting the Default File System 14-3Displaying Information About Files on a File System 14-3Changing Directories and Displaying the Working Directory 14-4Creating and Removing Directories 14-4Copying Files 14-5Deleting Files 14-5Creating, Displaying, and Extracting tar Files 14-6Creating a tar File 14-6Displaying the Contents of a tar File 14-7Extracting a tar File 14-7
ContentsxiCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Displaying the Contents of a File 14-8Working with Configuration Files 14-8Guidelines for Creating and Using Configuration Files 14-9Configuration File Types and Location 14-9Creating a Configuration File by Using a Text Editor 14-10Copying Configuration Files by Using TFTP 14-10Preparing to Download or Upload a Configuration File by Using TFTP 14-10Downloading the Configuration File by Using TFTP 14-11Uploading the Configuration File by Using TFTP 14-11Copying Configuration Files by Using FTP 14-12Preparing to Download or Upload a Configuration File by Using FTP 14-13Downloading a Configuration File by Using FTP 14-13Uploading a Configuration File by Using FTP 14-14Copying Configuration Files by Using RCP 14-15Preparing to Download or Upload a Configuration File by Using RCP 14-16Downloading a Configuration File by Using RCP 14-16Uploading a Configuration File by Using RCP 14-17Clearing Configuration Information 14-18Deleting a Stored Configuration File 14-18Working with Software Images 14-19Image Location on the WMIC 14-19tar File Format of Images on a Server or Cisco.com 14-19Copying Image Files by Using TFTP 14-20Preparing to Download or Upload an Image File by Using TFTP 14-20Downloading an Image File by Using TFTP 14-21Uploading an Image File by Using TFTP 14-22Copying Image Files by Using FTP 14-23Preparing to Download or Upload an Image File by Using FTP 14-23Downloading an Image File by Using FTP 14-24Uploading an Image File by Using FTP 14-26Copying Image Files by Using RCP 14-27Preparing to Download or Upload an Image File by Using RCP 14-27Downloading an Image File by Using RCP 14-29Uploading an Image File by Using RCP 14-31Reloading the Image Using the Web Browser Interface 14-32Browser HTTP Interface 14-32Browser TFTP Interface 14-32
ContentsxiiCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02CHAPTER16 Configuring System Message Logging 15-1Understanding System Message Logging 15-2Configuring System Message Logging 15-2System Log Message Format 15-2Default System Message Logging Configuration 15-4Disabling and Enabling Message Logging 15-4Setting the Message Display Destination Device 15-5Enabling and Disabling Timestamps on Log Messages 15-6Enabling and Disabling Sequence Numbers in Log Messages 15-6Defining the Message Severity Level 15-7Limiting Syslog Messages Sent to the History Table and to SNMP 15-8Setting a Logging Rate Limit 15-9Configuring UNIX Syslog Servers 15-10Logging Messages to a UNIX Syslog Daemon 15-10Configuring the UNIX System Logging Facility 15-10Displaying the Logging Configuration 15-12CHAPTER17 Wireless Device Troubleshooting 16-1Checking the LED Indicators 16-2Checking Basic Settings 16-3SSID 16-3WEP Keys 16-3Security Settings 16-3Resetting to the Default Configuration 16-4Using the Web Browser Interface 16-4Using the CLI 16-5Reloading the Image 16-6Using the Web Browser Interface 16-6Browser HTTP Interface 16-6Browser TFTP Interface 16-7Using the CLI 16-7Obtaining the Image File 16-9Obtaining TFTP Server Software 16-9Reloading the Bootloader Image 16-10APPENDIXAConnecting to the Cisco 3200 Series Router and Using the Command-Line Interface A-1Before You Start A-2Resetting the WMIC to the Default Settings A-2
ContentsxiiiCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Assigning an IP Address A-3IOS Command Modes A-4Getting Help A-5Abbreviating Commands A-5Using no and default Forms of Commands A-6Understanding CLI Messages A-6Using Command History A-6Changing the Command History Buffer Size A-7Recalling Commands A-7Disabling the Command History Feature A-7Using Editing Features A-8Enabling and Disabling Editing Features A-8Editing Commands Through Keystrokes A-8Editing Command Lines that Wrap A-9Searching and Filtering the Output of show and more Commands A-10APPENDIXBChannels and Antenna Settings B-1Channels B-2IEEE 802.11g (2.4-GHz Band) B-24.9-GHz Band B-3Maximum Power Levels and Antenna Gains B-4IEEE 802.11g (2.4-GHz Band) B-4APPENDIXCProtocol Filters C-1APPENDIXDSupported MIBs D-1MIB List D-1Using FTP to Access the MIB Files D-2APPENDIXEError and Event Messages E-1
ContentsxivCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02
xvCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02PrefaceAudienceThis guide is for the networking professional who installs and manages Cisco 3200 Series Mobile Access Routers. To use this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of wireless local area networks.PurposeThis guide provides the information you need to install and configure your bridge. This guide provides procedures for using the IOS commands that have been created or changed for use with the WMIC. It does not provide detailed information about these commands. For detailed information about these commands, refer to the IOS documentation set available from the Cisco.com home page at Service and Support > Technical Documents. On the Cisco Product Documentation home page, select Release 12.3from the Cisco IOS Software drop-down list.This guide includes an overview of the web-based interface, which contains all the funtionality of the command-line interface (CLI). This guide does not provide field-level descriptions of the web-based windows nor does it provide the procedures for configuring the WMIC from the web-based interface. For all window descriptions and procedures, refer to the online help, which is available from the Help buttons on the web-based interface pages.OrganizationThis guide is organized into these chapters:Chapter 1, “Overview,” lists the software and hardware features of the WMIC and describes the WMIC’s role in your network.Chapter 2, “Configuring the WMIC for the First Time,” describes how to configure basic settings on a Wireless Mobile Interface Card (WMIC) for the first time. Chapter 3, “Administering the WMIC,” describes how to perform one-time operations to administer your WMIC, such as preventing unauthorized access to the device, setting the system date and time, and setting the system name and prompt.Chapter 4, “Configuring Radio Settings,” describes how to configure settings for the WMIC radio such as the role in the radio network, data rates, transmit power, channel settings, and others.
xviCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Preface OrganizationChapter 5, “Configuring SSIDs,” describes how to configure and manage multiple service set identifiers (SSIDs). You can configure up to 16 SSIDs and assign different configuration settings to each SSID.Chapter 6, “Configuring Spanning Tree Protocol,” descibes how to configure Spanning Tree Protocol (STP). STP prevents data loops in your network.Chapter 7, “Configuring WEP and WEP Features,” describes how to configure the cipher suites required to use authenticated key management, Wired Equivalent Privacy (WEP), and WEP features including MIC, CMIC, TKIP, CKIP, and broadcast key rotation.Chapter 8, “Configuring Authentication Types,” describes how to configure authentication types. Client devices use these authentication methods to join your network.Chapter 9, “Configuring WDS, Fast Secure Roaming, and Radio Management,” describes Wireless Domain Services (WDS), fast secure roaming, and radio management features. The chapter also provides instructions for configuring the WMIC to register with a WDS access point.Chapter 10, “Configuring VLANs,” describes how to configure your WMIC to interoperate with the VLANs set up on your wired LAN. Chapter 11, “Configuring QoS in a Wireless Environment,” describes how to configure quality of service (QoS) on your WMIC. With this feature, you can provide preferential treatment to certain traffic at the expense of others.Chapter 12, “Configuring Filters,” describes how to configure and manage MAC address, IP, and Ethertype filters on the WMICWMIC by using the web-browser interface.Chapter 13, “Configuring CDP,” describes how to configure Cisco Discovery Protocol (CDP) on your WMIC. CDP is a device-discovery protocol that runs on all Cisco network equipment.Chapter 14, “Configuring SNMP,” describes how to configure the Simple Network Management Protocol (SNMP) on your WMIC. Chapter 15, “Managing Firmware and Configurations,” describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.Chapter 16, “Configuring System Message Logging,” describes how to configure system message logging on your WMIC.Chapter 17, “Wireless Device Troubleshooting,” describes basic troubleshooting procedures.Appendix A, “Connecting to the Cisco 3200 Series Router and Using the Command-Line Interface,”describes how to use the command-line interface (CLI) to configure the WMIC.Appendix B, “Channels and Antenna Settings,” lists the WMIC radio channels and the maximum power levels supported by the world’s regulatory domains.Appendix C, “Protocol Filters,” lists some of the protocols that you can filter on the WMIC. Appendix D, “MIB List,” lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the WMIC supports.Appendix E, “Error and Event Messages,” lists the CLI error and event messages and provides an explanation and recommended action for each message.
xviiCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Preface ConventionsConventionsThis publication uses these conventions to convey instructions and information:Command descriptions use these conventions:•Commands and keywords are in boldface text.•Arguments for which you supply values are in italic.•Square brackets ([ ]) mean optional elements.•Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.•Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.Interactive examples use these conventions:•Terminal sessions and system displays are in screen font.•Information you enter is in boldface screen font.•Non printing characters, such as passwords or tabs, are in angle brackets (< >).Notes, cautions, and timesavers use these conventions and symbols:Tip Means the following will help you solve a problem. The tips information might not be troubleshooting or even an action, but could be useful information.Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.Caution Means reader be careful. In this situation, you might do something that could result equipment damage or loss of data.WarningThis warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. (To see translations of the warnings that appear in this publication, refer to the appendix “Translated Safety Warnings.”)WaarschuwingDit waarschuwingssymbool betekent gevaar. U verkeert in een situatie die lichamelijk letsel kan veroorzaken. Voordat u aan enige apparatuur gaat werken, dient u zich bewust te zijn van de bij elektrische schakelingen betrokken risico’s en dient u op de hoogte te zijn van standaard maatregelen om ongelukken te voorkomen. (Voor vertalingen van de waarschuwingen die in deze publicatie verschijnen, kunt u het aanhangsel “Translated Safety Warnings” (Vertalingen van veiligheidsvoorschriften) raadplegen.)
xviiiCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Preface ConventionsVaroitusTämä varoitusmerkki merkitsee vaaraa. Olet tilanteessa, joka voi johtaa ruumiinvammaan. Ennen kuin työskentelet minkään laitteiston parissa, ota selvää sähkökytkentöihin liittyvistä vaaroista ja tavanomaisista onnettomuuksien ehkäisykeinoista. (Tässä julkaisussa esiintyvien varoitusten käännökset löydät liitteestä "Translated Safety Warnings" (käännetyt turvallisuutta koskevat varoitukset).)AttentionCe symbole d’avertissement indique un danger. Vous vous trouvez dans une situation pouvant entraîner des blessures. Avant d’accéder à cet équipement, soyez conscient des dangers posés par les circuits électriques et familiarisez-vous avec les procédures courantes de prévention des accidents. Pour obtenir les traductions des mises en garde figurant dans cette publication, veuillez consulter l’annexe intitulée « Translated Safety Warnings » (Traduction des avis de sécurité).WarnungDieses Warnsymbol bedeutet Gefahr. Sie befinden sich in einer Situation, die zu einer Körperverletzung führen könnte. Bevor Sie mit der Arbeit an irgendeinem Gerät beginnen, seien Sie sich der mit elektrischen Stromkreisen verbundenen Gefahren und der Standardpraktiken zur Vermeidung von Unfällen bewußt. (Übersetzungen der in dieser Veröffentlichung enthaltenen Warnhinweise finden Sie im Anhang mit dem Titel “Translated Safety Warnings” (Übersetzung der Warnhinweise).)AvvertenzaQuesto simbolo di avvertenza indica un pericolo. Si è in una situazione che può causare infortuni. Prima di lavorare su qualsiasi apparecchiatura, occorre conoscere i pericoli relativi ai circuiti elettrici ed essere al corrente delle pratiche standard per la prevenzione di incidenti. La traduzione delle avvertenze riportate in questa pubblicazione si trova nell’appendice, “Translated Safety Warnings” (Traduzione delle avvertenze di sicurezza).AdvarselDette varselsymbolet betyr fare. Du befinner deg i en situasjon som kan føre til personskade. Før du utfører arbeid på utstyr, må du være oppmerksom på de faremomentene som elektriske kretser innebærer, samt gjøre deg kjent med vanlig praksis når det gjelder å unngå ulykker. (Hvis du vil se oversettelser av de advarslene som finnes i denne publikasjonen, kan du se i vedlegget "Translated Safety Warnings" [Oversatte sikkerhetsadvarsler].)AvisoEste símbolo de aviso indica perigo. Encontra-se numa situação que lhe poderá causar danos fisicos. Antes de começar a trabalhar com qualquer equipamento, familiarize-se com os perigos relacionados com circuitos eléctricos, e com quaisquer práticas comuns que possam prevenir possíveis acidentes. (Para ver as traduções dos avisos que constam desta publicação, consulte o apêndice “Translated Safety Warnings” - “Traduções dos Avisos de Segurança”).¡Advertencia!Este símbolo de aviso significa peligro. Existe riesgo para su integridad física. Antes de manipular cualquier equipo, considerar los riesgos que entraña la corriente eléctrica y familiarizarse con los procedimientos estándar de prevención de accidentes. (Para ver traducciones de las advertencias que aparecen en esta publicación, consultar el apéndice titulado “Translated Safety Warnings.”)Varning!Denna varningssymbol signalerar fara. Du befinner dig i en situation som kan leda till personskada. Innan du utför arbete på någon utrustning måste du vara medveten om farorna med elkretsar och känna till vanligt förfarande för att förebygga skador. (Se förklaringar av de varningar som förekommer i denna publikation i appendix "Translated Safety Warnings" [Översatta säkerhetsvarningar].)
xixCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Preface Related DocumentationRelated DocumentationYou can access these documents on the Documentation page on Cisco Connection Online (CCO) at www.cisco.com. The following documentation is available at the http://www.cisco.com/en/US/products/hw/routers/ps272/tsd_products_support_series_home.htmlURL:•Release Notes for the Cisco 3200 Series Mobile Access Routers—Provides information on accessing documentation and technical assistance for the Cisco 3200 Series Mobile Access Router.•Cisco IOS Command Reference for Cisco Access Points and Bridges1—New and revised Cisco IOS commands for the radio ports provided on the Wireless Mobile Interface Card (WMIC).•Cisco 3200 Series Wireless MIC Software Configuration Guide1—Example procedures for using the IOS commands to configure the Wireless Mobile Interface Card (WMIC).•Configuration Guide for the Cisco 3200 Series Mobile Access Router1—Example procedures for using the IOS commands to configure assembled Cisco 3200 Series routers.•Cisco 3200 Series Mobile Access Router Hardware Reference1—This document. It provides descriptions of the Cisco MIC I/O cards found in Cisco 3200 Series routers.•Cisco 3200 Series Mobile Access Router Reference Sell Document1—An overview of the reference sell program and components for the Cisco 3200 Series router.The Release Notes for the Cisco 3250 Mobile Router lists the enhancements to and caveats for Cisco IOS releases as they relate to the Cisco 3200 Series router can be found at:http://www.cisco.com/en/US/products/sw/iosswrel/products_ios_cisco_ios_software_releases.html orhttp://www.cisco.com/en/US/products/sw/iosswrel/ps5012/ps4629/index.html1. Also available on the platform-specific CD-ROM.This feature adds support for RFC 2006 Set operations and security violation traps. For specifications, see RFC 2006, The Definitions of Managed Objects for IP Mobility Support Using SMIv2.For information about using Cisco IOS software to configure SNMP, refer to the following documents:•The “Configuring SNMP Support” chapter of the Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2 •The “SNMP Commands” chapter of the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2 For information about using Cisco IOS software to configure SNMP MIB features, refer to the appropriate documentation for your network management system.For information on configuring Mobile IP using Cisco IOS software, refer to the following documents:•The “Configuring Mobile IP” chapter of the Cisco IOS IP Configuration Guide, Release 12.2 •The “Mobile IP Commands” chapter of the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2 Related documents from the Cisco TAC Web pages include:•Antenna Cabling (http://www.cisco.com/warp/public/102/wlan/antcable.html)
xxCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Preface Related DocumentationObtaining DocumentationCisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.Cisco.comYou can access the Cisco website at this URL:http://www.cisco.comYou can access international Cisco websites at this URL:http://www.cisco.com/public/countries_languages.shtmlOrdering DocumentationYou can order Cisco documentation in these ways:•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:http://www.cisco.com/en/US/partner/ordering/index.shtml•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).Documentation FeedbackYou can send comments about technical documentation to bug-doc@cisco.com.You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:Cisco SystemsAttn: Customer Document Ordering170 West Tasman DriveSan Jose, CA 95134-9883We appreciate your comments.Tools and Web SitesIf you are registered Cisco Direct Customer, you can access the following web sites:IOS Command Lookup—A search engine dedicated to finding information on Cisco IOS commands in the Cisco IOS Command Reference, Cisco IOS Configuration Guide, Catalyst Command Reference, and PIX Firewall Command Reference.http://www.cisco.com/cgi-bin/Support/Cmdlookup/home.plBug Toolkit—Searches for known bugs based on software version, feature set and keywords. The resulting matrix shows when each bug was integrated, or fixed if applicable.http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl
xxiCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Preface Related DocumentationFeature Navigator—Locates the Cisco IOS Software release based on the features you want to run on your network.http://tools.cisco.com/ITDIT/CFN/jsp/index.jspObtain information on compatibility between hardware products and software releases at the following public URL:http://tools.cisco.com/Support/Fusion/FusionHome.doObtaining Additional Publications and InformationInformation about Cisco products, technologies, and network solutions is available from various online and printed sources.•Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:http://www.cisco.com/go/marketplace/•The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:http://cisco.com/univercd/cc/td/doc/pcat/•Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:http://www.ciscopress.com•Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:http://www.cisco.com/packet•iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:http://www.cisco.com/go/iqmagazine•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:http://www.cisco.com/ipj•World-class networking training is available from Cisco. You can view current offerings at this URL:http://www.cisco.com/en/US/learning/index.html
xxiiCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Preface Cisco 3200 Documentation CDCisco 3200 Documentation CD The Cisco 3200 Series Router Documentation CD contains the technical publications for the Cisco 3200 Series Mobile Access Router. To view the documentation requires Acrobat Reader 4.0 or higher.After the CD is inserted in the CD ROM drive and recognized by your PC, do the following:Step 1 Access the root directory CD drive.Step 2 Double click the StartHere.htm file.System Requirements for the CDPrinting Documents from the CDTo print a document: Step 1 Display the document in Acrobat.Step 2 Click the Printer icon on the Acrobat toolbar. The Windows Print Dialog box appears.Step 3 Select your default printer, and click OK.Processor Pentium 150 MHz or faster recommendedPC Operating System Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows MEMicrosoft Windows XPMicrosoft Windows NT 4.0 Microsoft Windows 2000Memory 64-MB DRAMDrives 4x CD-ROM driveMonitor Color monitor capable of 800 x 600 pixel resolutionSoftware Adobe Acrobat Reader 4.0 or later
xxiiiCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Preface Obtaining Technical AssistanceObtaining Technical AssistanceFor all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.Cisco TAC WebsiteThe Cisco TAC website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year. The Cisco TAC website is located at this URL:http://www.cisco.com/tacAccessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL: http://tools.cisco.com/RPF/register/register.doOpening a TAC CaseUsing the online TAC Case Open Tool is the fastest way to open P3 and P4 cases. (P3 and P4 cases are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using the recommended resources, your case will be assigned to a Cisco TAC engineer. The online TAC Case Open Tool is located at this URL:http://www.cisco.com/tac/caseopenFor P1 or P2 cases (P1 and P2 cases are those in which your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.To open a case by telephone, use one of the following numbers:Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227) EMEA: +32 2 704 55 55 USA: 1 800 553-2447For a complete listing of Cisco TAC contacts, go to this URL:http://www.cisco.com/warp/public/687/Directory/DirTAC.shtmlTAC Case Priority DefinitionsTo ensure that all cases are reported in a standard format, Cisco has established case priority definitions.Priority 1 (P1)—Your network is “down” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation. Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
xxivCisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Preface Obtaining Additional Publications and InformationPriority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.Obtaining Additional Publications and InformationInformation about Cisco products, technologies, and network solutions is available from various online and printed sources.•Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Go to this URL to visit the company store:http://www.cisco.com/go/marketplace/•The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:http://cisco.com/univercd/cc/td/doc/pcat/•Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press online at this URL:http://www.ciscopress.com•Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:http://www.cisco.com/packet•iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:http://www.cisco.com/go/iqmagazine•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:http://www.cisco.com/ipj•Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:http://www.cisco.com/en/US/learning/index.html
CHAPTER1-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-021OverviewThe Cisco Wireless Mobile Interface Card (WMIC) provides wireless connectivity for the Cisco 3200 Series Mobile Access Router. WMICs operate in the 2.4-GHz or 4.9-GHz bands and conform to the 802.11 standards. This chapter provides information on the following topics:•Understanding the Cisco Mobile Wireless Network•Features•Management Options
1-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 1 OverviewUnderstanding the Cisco Mobile Wireless NetworkUnderstanding the Cisco Mobile Wireless NetworkThis section provides basic wireless network configuration descriptions and an example of a metro mobile network. The 2.4-GHz WMIC has a fixed channel spacing and bandwidth of 20-MHz. The 4.9-GHz WMIC can be configured for different channel spacings or bandwidths of 5-MHz, 10-MHz, or 20-MHz. These channels are designed to be non overlapping and non-interfering. Network Configuration DescriptionsThis section describes the role of a Cisco 3200 Series Mobile Access Router in common wireless configurations: access point mode, point-to-point bridging, point-to-multipoint bridging, redundant bridging, and workgroup bridge mode. Root Bridge–accepts associations from workgroup bridges, non-root bridges, and clientsRoot Access Point–accepts assocations from workgroup bridge and clientsWorkgroup Bridge–associates to root access points or root bridgesNon-Root Bridge–associates to root bridgesAccess Point ModeYou can configure the WMIC as an access point. In the access point mode, the WMIC accepts associations from local client devices. See Chapter 4, “Configuring Radio Settings,” for instructions on configuring the WMIC as an access point.Figure 1-1 shows a typical scenario where the WMIC functions as an access point.Figure 1-1 Access Point ModePoint-to-Point BridgingIn a point-to-point configuration, a non-root bridge associates to a root bridge. The WMIC listens for another bridge. If it does not recognize another bridge, the WMIC becomes a root bridge. If it recognizes another bridge, it becomes a non-root bridge associated to the bridge it recognizes. Figure 1-2 shows bridges in a point-to-point configuration.127919Cisco 3200
1-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 1 OverviewUnderstanding the Cisco Mobile Wireless NetworkFigure 1-2 Point-to-Point Bridge ConfigurationPoint-to-Multipoint BridgingIn a point-to-multipoint configuration, two or more non-root bridges associate to a root bridge. Up to 17 non-root bridges can associate to a root bridge, but the non-root bridges must share the available bandwidth. Figure 1-3 shows bridges in a point-to-multipoint configuration. Figure 1-3 Point-to-Multipoint Configuration127920117021
1-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 1 OverviewFeaturesRedundant BridgingYou can set up two pairs of bridges to add redundancy or load balancing to the bridge link. The bridges must use non-adjacent, non-overlapping radio channels to prevent interference, and they must use Spanning Tree Protocol (STP) to prevent loops. (STP is disabled by default. See Chapter 6, “Configuring Spanning Tree Protocol,” for instructions on configuring STP.)Figure 1-4 shows two pairs of redundant bridges.Figure 1-4 Redundant Bridge ConfigurationWorkgroup Bridge ModeYou can configure the WMIC to function as a workgroup bridge. Figure 1-5 shows a typical scenario where the WMIC functions as a workgroup bridge. See Chapter 4, “Configuring Radio Settings,” for instructions on how to configure the WMIC as a workgroup bridge.Figure 1-5 Workgroup Bridge ModeFeaturesCisco wireless devices running Cisco IOS offer these software features:•VLANs—Allow VLAN trunking on both wireless and Ethernet interfaces.•QoS—Use this feature to support quality of service for prioritizing traffic on the wireless interface. •RADIUS Accounting—Enable accounting on the WMIC to send accounting data about wireless client devices to a RADIUS server on your network.•TACACS+ administrator authentication—Enable TACACS+ for server-based, detailed accounting information and flexible administrative control over authentication and authorization processes. It provides secure, centralized validation of administrators attempting to gain access to your WMIC. 127922Cisco 3200127923Cisco 3200
1-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 1 OverviewFeatures•Enhanced security—Enable three advanced security features to protect against sophisticated attacks on your wireless network's WEP keys: Message Integrity Check (MIC) and WEP key hashing. Enhanced security for WPA/TKIP is also available.•Enhanced authentication services—Set up non-root bridges or workgroup bridges to authenticate to the network like other wireless client devices. After a network username and password for the non-root bridge or workgroup bridge are set, it authenticates to the network using Cisco Light Extensible Authentication Protocol (LEAP), and receives and uses dynamic WEP keys. •Advanced Encryption Standard (AES) (only available on the 4.9-GHz WMIC)—This feature supports Advanced Encryption Standard-Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). AES-CCMP is required for Wi-Fi Protected Access 2 (WPA2) and IEEE 802.11i wireless LAN security. •Enhanced authentication for Cisco Centralized Key Management (CCKM).•Fast, secure roaming of client devices, and radio management through wireless domain services (WDS) (See the “Configuring WDS, Fast Secure Roaming, and Radio Management” chapter for more information.Note The 4.9-GHz WMIC does not support CKIP and CMIC encryption; however, The 2.4-GHz WMIC does support CKIP and CMIC encryption.The key differences between the 2.4-GHz WMIC and the 4.9-GHz WMIC are shown in Table 1-1.Table 1-1 Differences Between the 2.4-GHz WMIC and the 4.9-GHz WMICFeature 2.4-GHz WMIC 4.9-GHz WMIC CommentCookie and BannerC3201 C32XX Frequency 2.4 GHz 4.9 GHzData rates 802.11b data rates are 1 Mbps, 2 Mbps, 5.5 Mbps and 11 Mbps.802.11g, data rates are 1 Mbps, 2 Mbps, 5.5 Mbps, 6 Mbps, 9 Mbps, 11 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 54 Mbps20-MHz base band. 6 Mbps, 9 Mbps, 12 Mbps, 24 Mbps, 36 Mbps, 48 Mbps, and 56 Mbps.10-MHz base band. Data rates are 3 Mbps, 4.5 Mbps, 6 Mbps, 9 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, and 27 Mbps.5-MHz base band. Data rates are 1.5 Mbps, 2.25 Mbps, 3 Mbps, 4.5 Mbps, 6 Mbps, 9 Mbps, 12 Mbps, and 13.5 MbpsThe dot11 interface speed command manages data rates and only applies to the 4.9-GHz WMIC.Power Maximum OFDM power level is 15 dBm (30mw). This varies by country.Maximum OFDM power level is 17 dBm (50mw). US only.The dot11 interface power command is used to manage the power levels.Concatenation Supported Not supported
1-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 1 OverviewFeaturesdistance command (minimizes delay propagation)Supported Supported Formula to minimize the delay propagation will be added to the dot11 interface distance commandWorld Mode Supported Not supportedHTML-Based User InterfaceSupported Not supportedVLAN 16 unencrypted VLANs16 static key VLANs16 dynamic key VLANs16 unencrypted VLANs1 static key VLANsor4 dynamic key VLANsWireless encryption/cipher suitesWEP-40, WEP-128, TKIP, CKIP, CMIC, and CKIP-CMICWEP-40, WEP-128, TKIP, and AES-CCMCKIP, CMIC and CKIP-CMIC are not part of 802.11 standard cipher suites. Maximum number of stations with WEP255 116Maximum number of stations with TKIP256 26Maximum number of stations with AES-CCM256 116Channelization Statically declared as defined by IEEE 802.11b/g.Channel spacing selected by using the CLI.WDS server Not supported Can be configured to act as WDS server.WDS client 2.4 GHz WMIC (C3201-WMIC) acting as Root device can auto-discover a WDS server.Acting as Root device, it can auto-discover and work within a subnet WDS server. If the IP address of a WDS server is statically configured, the 4.9-GHz WMIC, acting as Root device, can also work with central WDS server located anywhere in the network.Table 1-1 Differences Between the 2.4-GHz WMIC and the 4.9-GHz WMICFeature 2.4-GHz WMIC 4.9-GHz WMIC Comment
1-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 1 OverviewManagement OptionsManagement OptionsYou can use the WMIC management system through the following interfaces:•The IOS command-line interface (CLI), which you use through a PC running terminal emulation software or a Telnet session. Appendix A, “Connecting to the Cisco 3200 Series Router and Using the Command-Line Interface,” provides a detailed description of how the CLI is used to confugure the router. The “Preface” describes the command formats.•Simple Network Management Protocol (SNMP). Chapter 14, “Configuring SNMP,” explains how to configure your bridge for SNMP management.ScanningEnhancements for Faster RoamingAll Scanning Enhancements for Faster Roaming are available.All Scanning Enhancements for Faster Roaming are available except “Use First Better Access Point.”•Synthesizer tuning time•Start on Current Channel•Only Probe Current SSID•Shorten Wait time for Probe Response•Automatically Limiting Frequencies Scanned•Time out the Scan•Use First Better Access Point•Save Best Probe ResponseEAP-TLS,EAP-TTLSSupported on root devices Not supportedSNMP MIB Ids Supported Supported (new values) The platform-dependent SNMP code was modified to return new values. (entPhysicalVendorType, System OID, and Chassis ID)Dot11 MIB parametersNot available The dot11 parameters are returned through the dot11 MIB interface.WDS server-related MIBSNot available SupportedTable 1-1 Differences Between the 2.4-GHz WMIC and the 4.9-GHz WMICFeature 2.4-GHz WMIC 4.9-GHz WMIC Comment
1-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 1 OverviewManagement Options
CHAPTER2-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-022Configuring the WMIC for the First TimeThis chapter describes how to configure basic settings on a Wireless Mobile Interface Card (WMIC) for the first time. You can configure all the settings described in this chapter using the CLI, but it might be simplest to browse to the web-browser interface to complete the initial configuration and use the CLI to enter additional settings for a more detailed configuration. This chapter contains these sections:•Before You Start•Connecting to the WMIC•Obtaining and Assigning an IP Address•Obtaining and Assigning an IP Address•Configuring Basic Security Settings•Using the IP Setup Utility
2-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeBefore You StartBefore You StartBefore you install the WMIC, make sure you are using a computer connected to the same network as the WMIC, and obtain the following information from your network administrator:•A system name for the WMIC•The case-sensitive wireless service set identifier (SSID) that your WMICs use•If not connected to a DHCP server, a unique IP address for your WMIC (such as 172.17.255.115)•If the WMIC is not on the same subnet as your PC, a default gateway address and subnet mask•A Simple Network Management Protocol (SNMP) community name and the SNMP file attribute (if SNMP is in use)Connecting to the WMIC To configure the WMIC locally (without connecting the WMIC to a wired LAN), connect a PC to the console port. If the WMIC has an IP address and Telnet is allowed on the device, connect to a Fast Ethernet Switch Mobile Interface Card (FESMIC) Ethernet port by using an Ethernet cable, and use Telnet to establish the connection. Or you can Telnet into the WMIC from a node on the LAN.Note When you connect your PC to the WMIC or reconnect your PC to the LAN, it might be necessary to release and renew the IP address on the PC. On most PCs, release and renew the IP address by rebooting the PC or by entering the ipconfig /release and ipconfig /renew commands in a command window. Consult your PC operating instructions for detailed instructions.Using the Console Port to Access the ExecConnect a PC to the WMIC console port by using a DB-9 to RJ-45 serial cable. Note that there might be several console ports on a Cisco 3200 Series router. Follow these steps to access the CLI by connecting to the WMIC console port: Step 1 Connect a nine-pin, female DB-9 to RJ-45 serial cable to the WMIC RJ-45 serial port on the router and to the COM port on your PC.Step 2 Set up a terminal emulator to communicate with the WMIC. Use the following settings for the terminal emulator connection: 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.Step 3 When the terminal emulator is activated, press Enter. An Enter Network Password window appears.Step 4 Enter your username in the User Name field. The default username is Cisco.Step 5 Enter the WMIC password in the Password field and press Enter. The default password is Cisco.When the CLI activates, you can enter CLI commands to configure the WMIC.
2-11Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeConnecting to the WMICUsing a Telnet Session to Access the ExecFollow these steps to access the WMIC CLI by using a Telnet session. The WMIC must have been previously configured to accept a Telnet session. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check the PC operating instructions for detailed instructions for your operating system.Step 1 Select Start > Programs > Accessories > Telnet.If Telnet is not listed in your Accessories menu, select Start > Run, type Telnet in the entry field, and press Enter.Step 2 When the Telnet window appears, click Connect and select Remote System.Note In Windows 2000, the Telnet window does not contain drop-down menus. To start the Telnet session in Windows 2000, type open followed by the WMIC IP address.Step 3 In the Host Name field, type the WMIC IP address and click Connect.Opening the CLI with Secure ShellSecure Shell Protocol is a protocol that provides a secure, remote connection to networking devices set up to use it. Secure Shell (SSH) is a software package that provides secure login sessions by encrypting the entire session. SSH features strong cryptographic authentication, strong encryption, and integrity protection. For detailed information on SSH, visit the homepage of SSH Communications Security, Ltd. at this URL: http://www.ssh.com/SSH provides more security for remote connections than Telnet by providing strong encryption when a device is authenticated. See the “Configuring the WMIC for Secure Shell” section for instructions on setting up the WMIC for SSH access.
2-12Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeObtaining and Assigning an IP AddressObtaining and Assigning an IP AddressTo browse to the WMIC Express Setup page, you must assign the WMIC IP address using one of the following methods:•Use command when you connect to the WMIC locally. For detailed instructions, see the “Connecting to the WMIC” section of this document.•Use a DHCP server (if available) to automatically assign an IP address. You can find out the DHCP-assigned IP address using one of the following methods:–Provide your organization’s network administrator with your WMIC Media Access Control (MAC) address. Your network administrator will query the DHCP server using the MAC address to identify the IP address. –Use the Cisco IP Setup Utility (IPSU) to identify the assigned address. You can also use IPSU to assign an IP address to the WMIC if it did not receive an IP address from the DHCP server. IPSU runs on most Microsoft Windows operating systems: Windows 9x, 2000, Me, NT, and XP.You can download IPSU from the Software Center on Cisco.com. Click this link to browse to the Software Center:http://www.cisco.com/public/sw-center/sw-wireless.shtml–If the unit is a non-root bridge, browse to the Associations page on the root bridge to which the non-root is associated. The non-root bridge’s MAC address and IP address appear on the root bridge’s Associations page.Assigning an IP Address By Using the ExecThe WMIC links to the network using a Bridge Group Virtual Interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the WMIC Ethernet and radio ports, the network uses the BVI.Note The WMIC supports only one BVI. Configuring more than one BVI might cause errors in the WMIC ARP table.When you assign an IP address to the WMIC using the CLI, you must assign the address to the BVI. Beginning in privileged EXEC mode, follow these steps to assign an IP address to the BVI:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface bvi1 Enter interface configuration mode for the BVI.Step 3 ip address addressmaskAssign an IP address and address mask to the BVI. Note If you are connected to the WMIC using a Telnet session, you lose your connection to the WMIC when you assign a new IP address to the BVI. To continue configuring the WMIC using Telnet, use the new IP address to open another Telnet session to the WMIC.
2-13Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeObtaining and Assigning an IP AddressAssigning Basic Settings By Using the Web BrowserAfter you determine or assign the WMIC IP address, browse to the Express Setup page and perform an initial configuration:Step 1 Open your Internet browser. The web-browser interface is fully compatible with these browsers: Microsoft Internet Explorer versions 5.0, 5.01, 5.5 and 6.0; and Netscape Navigator versions 4.79 and 7.0.Step 2 Enter the IP address in the browser address line and press Enter. An Enter Network Password screen appears.Step 3 Press Tab to bypass the Username field and advance to the Password field.Step 4 Enter the case-sensitive password (usually Cisco) and press Enter. The Summary Status page appears. Figure 2-1 shows the Summary Status page.Figure 2-1 Summary Status PageStep 5 Click Express Setup. The Express Setup screen appears. Figure 2-2 shows the Express Setup page.
2-14Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeObtaining and Assigning an IP AddressFigure 2-2 Express Setup PageStep 6 Enter the configuration settings you obtained from your system administrator. The configurable settings include:•System Name— The system name, while not an essential setting, helps identify the WMIC on your network. The system name appears in the titles of the management system pages.•Configuration Server Protocol—Click on the button that matches the network’s method of IP address assignment.–DHCP—IP addresses are automatically assigned by your network’s DHCP server.–Static IP—The WMIC uses a static IP address that you enter in the IP address field.•IP Address—Use this setting to assign or change the WMIC’s IP address. If DHCP is enabled for your network, leave this field blank. Note If the WMIC IP address changes while you are configuring the WMIC using the web-browser interface or a Telnet session over the wired LAN, you lose your connection to the WMIC. If you lose your connection, reconnect to the WMIC using its new IP address. Follow the steps in the “Obtaining and Assigning an IP Address” section on page 2-12 if you need to start over.•IP Subnet Mask—Enter the IP subnet mask provided by your network administrator so the IP address can be recognized on the LAN. If DHCP is enabled, leave this field blank. •Default Gateway—Enter the default gateway IP address provided by your network administrator. If DHCP is enabled, leave this field blank.
2-15Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeObtaining and Assigning an IP Address•SNMP Community—If your network is using SNMP, enter the SNMP Community name provided by your network administrator and select the attributes of the SNMP data (also provided by your network administrator). •Role in Radio Network—Click on the button that describes the role of the device on your network.–Root—Configures the device as a root bridge. In this mode, you establish a link with a non-root bridge. In this mode, the bridge also accepts associations from clients.–Non-Root— Places the device in non-root mode. In this mode, it links with a root bridge. –Install Mode—Places the device into installation mode so you can align and adjust the bridge link for optimum efficiency. –Root AP—Places the device in the access point mode. In this mode, the device accepts associations from client devices.–Workgroup Bridge—Places the device in the workgroup bridge mode. In this mode, the bridge accepts wired clients.Note In bridge modes, one bridge in any pair or group of bridges must be set to root, and the bridge or bridges associated to the root bridge must be set to non-root.•Optimize Radio Network for—Use this setting to select either preconfigured settings or customized settings for the bridge radio. See the “Configuring the Radio Distance Setting” section on page 4-14 for more information on data rates and throughput.–Throughput—Maximizes the data volume handled by the WMIC but might reduce its range. When you select Throughput, the WMIC sets all data rates to basic.–Range—Maximizes the WMIC’s range but might reduce throughput. When you select Range,the WMIC sets the 6-Mbps rate to basic and the other rates to enabled.–Default—The WMIC retains default radio settings that are designed to provide good range and throughput for most bridges.–Custom—Takes you to the Network Interfaces: Radio-802.11G Settings page.•Aironet Extensions—Enabled by default, click the Disable Aironet Extensions radio button, and click Apply. The change will not be made to the configuration if the device is in workgroup bridge mode. In root bridge and non-root bridge mode, an error message displays, indicating that Aironet Extensions should always be enabled in root or non-root mode. Step 7 Click Apply to save your settings. If you changed the IP address, you lose your connection to the WMIC. Browse to the new IP address to reconnect to the WMIC.Your WMIC is now running but probably requires additional configuring to conform to your network’s operational and security requirements.
2-16Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeProtecting Your Wireless LANDefault Settings on the Express Setup PageTable 2-1 lists the default settings for the settings on the Express Setup page. Protecting Your Wireless LANAfter you assign basic settings to your WMIC, you must configure security settings to prevent unauthorized access to your network. Because it is a radio device, the WMIC can communicate beyond the physical boundaries of your building. You can use Express Security page in the Configuring Basic Security Settings section to set basic security settings for your WMIC. Advanced security features can be found in the following chapters:•A unique SSID that are not broadcast in the beacon (see Chapter 5, “Configuring SSIDs”•WEP and WEP features (see Chapter 7, “Configuring WEP and WEP Features”)•Dynamic WEP and WMIC authentication (see Chapter 8, “Configuring Authentication Types”)Table 2-1 Default Settings on the Express Setup PageSetting DefaultSystem Name bridgeConfiguration Server Protocol DHCPIP Address Assigned by DHCP by default; if DHCP is disabled, the default setting is 10.0.0.1IP Subnet Mask Assigned by DHCP by default; if DHCP is disabled, the default setting is 255.255.255.224Default Gateway Assigned by DHCP by default; if DHCP is disabled, the default setting is 0.0.0.0SNMP Community defaultCommunityRole in Radio Network Install-ModeOptimize Radio Network for DefaultAironet Extensions Enable
2-17Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeProtecting Your Wireless LANConfiguring Basic Security SettingsAfter you assign basic settings to your access point, you must configure security settings to prevent unauthorized access to your network. Because it is a radio device, the access point can communicate beyond the physical boundaries of your worksite. Just as you use the Express Setup page to assign basic settings, you can use the Express Security page to create unique SSIDs and assign one of four security types to them. Figure 2-3 shows the Express Security page.Figure 2-3 Express Security PageThe Express Security page helps you configure basic security settings. You can use the web-browser interface’s main Security pages to configure more advanced security settings.
2-18Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeProtecting Your Wireless LANUnderstanding Express Security SettingsWhen the WMIC configuration is at factory defaults, the first SSID that you create using the Express security page overwrites the default SSID, install, which has no security settings. The SSIDs that you create appear in the SSID table at the bottom of the page. You can create up to 16 SSIDs on the access point.Using VLANsIf you use VLANs on your wireless LAN and assign SSIDs to VLANs, you can create multiple SSIDs using any of the four security settings on the Express Security page. However, if you do not use VLANs on your wireless LAN, the security options that you can assign to SSIDs are limited because, on the Express Security page, encryption settings and authentication types are linked. Without VLANs, encryption settings (WEP and ciphers) apply to an interface such as the 2.4-GHz radio, and you cannot use more than one encryption setting on an interface. For example, when you create an SSID with static WEP with VLANs disabled, you cannot create additional SSIDs with WPA authentication because they use different encryption settings. If you find that the security setting for an SSID conflicts with another SSID, you can delete one or more SSIDs to eliminate the conflict.Express Security TypesTable 2-2 describes the four security types that you can assign to an SSID.Table 2-2 Security Types on Express Security Setup PageSecurity Type Description Security Features EnabledNo Security This is the least secure option. You should use this option only for SSIDs used in a public space and assign it to a VLAN that restricts access to your network.None.Static WEP Key This option is more secure than no security. However, static WEP keys are vulnerable to attack. If you configure this setting, you should consider limiting association to the access point based on MAC address or, if your network does not have a RADIUS server, consider using an access point as a local authentication server.Mandatory WEP encryption, no key management, and open authentication. In Root AP mode, client devices cannot associate using this SSID without a WEP key that matches the access point key.
2-19Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeProtecting Your Wireless LANExpress Security LimitationsBecause the Express Security page is designed for simple configuration of basic security, the options available are a subset of the WMIC’s security capabilities. Keep these limitations in mind when using the Express Security page:•You cannot edit SSIDs. However, you can delete SSIDs and re-create them.•You cannot assign SSIDs to specific radio interfaces. The SSIDs that you create are enabled on all radio interfaces. To assign SSIDs to specific radio interfaces, use the Security SSID Manager page.•You cannot configure multiple authentication servers. To configure multiple authentication servers, use the Security Server Manager page.•You cannot configure multiple WEP keys. To configure multiple WEP keys, use the Security Encryption Manager page.•You cannot assign an SSID to a VLAN that is already configured on the WMIC. To assign an SSID to an existing VLAN, use the Security SSID Manager page.•You cannot configure combinations of authentication types on the same SSID (for example, MAC address authentication and EAP authentication). To configure combinations of authentication types, use the Security SSID Manager page.EAP Authentication This option enables 802.1x authentication (such as LEAP, PEAP, EAP-TLS, EAP-GTC, EAP-SIM, and others) and requires you to enter the IP address and shared secret for an authentication server on your network (server authentication port 1645). Because 802.1x authentication provides dynamic encryption keys, you do not need to enter a WEP key.Mandatory 802.1x authentication, In Root AP mode, client devices that associate using this SSID must perform 802.1x authentication.WPA Wi-Fi Protected Access (WPA) permits wireless access to users authenticated against a database through the services of an authentication server, then encrypts their IP traffic with stronger algorithms than those used in WEP. As with EAP authentication, you must enter the IP address and shared secret for an authentication server on your network (server authentication port 1645).Mandatory WPA authentication. In Root AP mode, client devices that associate using this SSID must be WPA-capable.Table 2-2 Security Types on Express Security Setup Page (continued)Security Type Description Security Features Enabled
2-20Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeProtecting Your Wireless LANUsing the Express Security PageFollow these steps to create an SSID using the Express Security page:Step 1 Type the SSID in the SSID entry field. The SSID can contain up to 32 alphanumeric characters.a. The Broadcast SSID in Beacon setting is active only when the WMIC is in the Root AP mode. When you broadcast the SSID, devices that do not specify an SSID can associate to the WMIC when it is a root access point. This is a useful option for an SSID used by guests or by client devices in a public space. If you do not broadcast the SSID, client devices cannot associate to the access point unless their SSID matches this SSID. Only one SSID can be included in the beacon.Step 2 (Optional) Check the Enable VLAN ID check box and enter a VLAN number (1 through 4095) to assign the SSID to a VLAN. You cannot assign an SSID to an existing VLAN.Step 3 (Optional) Check the Native VLAN check box to mark the VLAN as the native VLAN. Step 4 Select the security setting for the SSID. The settings are listed in order of robustness, from No Security to WPA, which is the most secure setting. If you select EAP Authentication or WPA, enter the IP address and shared secret for the authentication server on your network.Note If you do not use VLANs on your wireless LAN, the security options that you can assign to multiple SSIDs are limited. See the “Using VLANs” section on page 2-18 for details.Step 5 Click Apply. The SSID appears in the SSID table at the bottom of the page.CLI Security Configuration ExamplesThe examples in this section show the CLI commands that are equivalent to creating SSIDs using each security type on the Express Security page. This section contains these example configurations:•Example: No Security, page 2-20•Example: Static WEP, page 2-21•Example: EAP Authentication, page 2-22•Example: WPA, page 2-23Example: No SecurityThis example shows part of the configuration that results from using the Express Security page to create an SSID called no_security_ssid, including the SSID in the beacon, assigning it to VLAN 10, and selecting VLAN 10 as the native VLAN:interface Dot11Radio0 no ip address no ip route-cache ! ssid no_security-ssid vlan 10 authentication open guest-mode !!
2-21Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeProtecting Your Wireless LAN concatenation speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 rts threshold 4000 station-role root infrastructure-client bridge-group 1!interface Dot11Radio0.10 encapsulation dot1Q 10 no ip route-cache bridge-group 10 bridge-group 10 spanning-disabled!interface FastEthernet0 no ip address no ip route-cache duplex auto speed auto bridge-group 1!interface FastEthernet0 no ip address no ip route-cache duplex auto speed auto bridge-group 1Example: Static WEPThis example shows part of the configuration that results from using the Express Security page to create an SSID called static_wep_ssid, excluding the SSID from the beacon, assigning the SSID to VLAN 20, selecting 3 as the key slot, and entering a 128-bit key:interface Dot11Radio0 no ip address no ip route-cache ! encryption vlan 20 key 3 size 128bit 7 4E78330C1A841439656A9323F25A transmit-key encryption vlan 20 mode wep mandatory ! ssid static_wep_ssid vlan 20 authentication open ! concatenation speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 rts threshold 4000 station-role root infrastructure-client bridge-group 1!interface Dot11Radio0.20 encapsulation dot1Q 20 no ip route-cache bridge-group 20 bridge-group 20 spanning-disabled!interface FastEthernet0 no ip address no ip route-cache duplex auto
2-22Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeProtecting Your Wireless LAN speed auto bridge-group 1!interface FastEthernet0.20 encapsulation dot1Q 20 no ip route-cache bridge-group 20 bridge-group 20 spanning-disabledExample: EAP AuthenticationThis example shows part of the configuration that results from using the Express Security page to create an SSID called eap_ssid, excluding the SSID from the beacon, and assigning the SSID to VLAN 30:interface Dot11Radio0 no ip address no ip route-cache ! encryption vlan 30 mode wep mandatory ! ssid eap_ssid vlan 30 authentication open eap eap_methods authentication network-eap eap_methods ! speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 rts threshold 2312 station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled!interface Dot11Radio0.30 encapsulation dot1Q 30 no ip route-cache bridge-group 30 bridge-group 30 subscriber-loop-control bridge-group 30 block-unknown-source no bridge-group 30 source-learning no bridge-group 30 unicast-flooding bridge-group 30 spanning-disabled!interface FastEthernet0 mtu 1500 no ip address ip mtu 1564 no ip route-cache duplex auto speed auto bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled!
2-23Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeProtecting Your Wireless LANinterface FastEthernet0.30 mtu 1500 encapsulation dot1Q 30 no ip route-cache bridge-group 30 no bridge-group 30 source-learning bridge-group 30 spanning-disabledExample: WPAThis example shows part of the configuration that results from using the Express Security page to create an SSID called wpa_ssid, excluding the SSID from the beacon, and assigning the SSID to VLAN 40:aaa new-model!aaa group server radius rad_eap server 10.91.104.92 auth-port 1645 acct-port 1646!aaa group server radius rad_mac!aaa group server radius rad_acct!aaa group server radius rad_admin!aaa group server tacacs+ tac_admin!aaa group server radius rad_pmip!aaa group server radius dummy!aaa authentication login eap_methods group rad_eapaaa authentication login mac_methods localaaa authorization exec default localaaa authorization ipmobile default group rad_pmipaaa accounting network acct_methods start-stop group rad_acctaaa session-id common!!bridge irb!!interface Dot11Radio0 no ip address no ip route-cache ! encryption vlan 40 mode ciphers tkip ! ssid wpa_ssid vlan 40 authentication open eap eap_methods authentication network-eap eap_methods authentication key-management wpa ! concatenation speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48 54.0 rts threshold 4000 station-role root infrastructure-client bridge-group 1!interface Dot11Radio0.40 encapsulation dot1Q 40
2-24Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeUsing the IP Setup Utility no ip route-cache bridge-group 40!interface FastEthernet0 no ip address no ip route-cache duplex auto speed auto bridge-group 1!interface FastEthernet0.40 encapsulation dot1Q 40 no ip route-cache bridge-group 40!ip http serverip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100ip radius source-interface BVI1radius-server attribute 32 include-in-access-req format %hradius-server host 10.91.104.92 auth-port 1645 acct-port 1646 key 7 135445415F59radius-server authorization permit missing Service-Typeradius-server vsa send accountingbridge 1 route ip!line con 0line vty 5 15!endUsing the IP Setup UtilityIPSU enables you to find the IP address of a device when it has been assigned by a DHCP server. You can also use IPSU to set the IP address and SSID of a device if they have not been changed from the default settings. This section explains how to download the utility from Cisco.com and install it, how to use it to find the IP address of a device, and how to use it to set the IP address and the SSID.Note IPSU can be used only on the following operating systems: Windows 95, 98, NT, 2000, ME, or XP. Obtaining and Installing IPSUIPSU is available on the Cisco web site. Follow these steps to obtain and install IPSU:Step 1 Use your Internet browser to access the Cisco Software Center at the following URL:http://www.cisco.com/public/sw-center/sw-wireless.shtmlStep 2 Click Cisco Aironet Wireless LAN Client Adapters.Step 3 Scroll down to the Windows Utility section.Step 4 Click Cisco Aironet Client Utility (ACU) for Windows.Step 5 Click the file IPSUvxxxxxx.exe. The vxxxxxx identifies the software package version number.Step 6 Read and accept the terms and conditions of the Software License Agreement.
2-25Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeUsing the IP Setup UtilityStep 7 Download and save the file to a temporary directory on your hard drive and then exit the Internet browser. Step 8 Double-click IPSUvxxxxxx.exe in the temporary directory to expand the file.Step 9 Double-click Setup.exe and follow the steps provided by the installation wizard to install IPSU.The IPSU icon appears on your computer desktop.Using IPSU to Find the WMIC IP AddressIf your WMIC receives an IP address from a DHCP server, you can use IPSU to find its IP address. Because IPSU sends a reverse-ARP request based on the MAC address, you must run IPSU from a computer on the same subnet as the WMIC. Follow these steps to find the IP address:Step 1 Double-click the IPSU icon on your computer desktop to start the utility. The IPSU screen appears (see Figure 2-4).Figure 2-4 IPSU Get IP Address ScreenStep 2 When the utility window opens, make sure the Get IP addr radio button in the Function box is selected.Step 3 Enter the WMIC MAC address in the Device MAC ID field. The WMIC MAC address should contain six pairs of hexadecimal digits. The MAC address might look like the following example:000164xxxxxxNote The MAC address field is not case-sensitive.Step 4 Click Get IP Address.Step 5 When the IP address appears in the IP Address field, write it down. If IPSU reports that the IP address is the default IP address, the WMIC did not receive a DHCP-assigned IP address. To change the IP address by using IPSU, refer to the “Using IPSU to Set the IP Address and SSID” section.
2-26Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeUsing the IP Setup UtilityUsing IPSU to Set the IP Address and SSIDTo change the IP address of the WMIC, use IPSU. You can also set the SSID.Note IPSU can change the IP address and SSID only from the default settings. After the IP address and SSID have been changed, IPSU cannot be used to change them again.Note The computer you use to assign an IP address to the WMIC must have an IP address in the same subnet as the WMIC.Follow these steps to assign an IP address and an SSID to the WMIC:Step 1 Double-click the IPSU icon on your computer desktop to start the utility. Step 2 Click the Set Parameters radio button in the Function box (see Figure 2-5).Figure 2-5 IPSU Set Parameters ScreenStep 3 Enter the WMIC MAC address in the Device MAC ID field. The MAC address should contain six pairs of hexadecimal digits. Your MAC address might look like this example:004096xxxxxxNote The MAC address field is not case-sensitive.Step 4 Enter the IP address you want to assign to the WMIC in the IP Address field.Step 5 Enter the SSID you want to assign to the WMIC in the SSID field.Note You cannot set the SSID without also setting the IP address. However, you can set the IP address without setting the SSID.
2-27Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeUsing the IP Setup UtilityStep 6 Click Set Parameters to change the WMIC’s IP address and SSID settings.Step 7 Click Exit to exit IPSU.
2-28Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 2 Configuring the WMIC for the First TimeUsing the IP Setup Utility
CHAPTER3-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-023Administering the WMICThis chapter describes how to administer your WMIC. This chapter contains these sections:•Configuring a System Name and Prompt•Managing the System Time and Date•Creating a Banner•Protecting Access to Privileged EXEC Commands•Protecting the Wireless LAN•Controlling WMIC Access with RADIUS•Controlling WMIC Access with TACACS+•Configuring the WMIC for Local Authentication and Authorization•Configuring the WMIC for Secure Shell•Managing Aironet Extensions
3-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring a System Name and PromptConfiguring a System Name and PromptYou configure the system name on the WMIC to identify it. A greater-than symbol (>) is appended. The prompt is updated whenever the system name changes, unless you manually configure the prompt by using the prompt global configuration command.Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference and the Cisco IOS IP and IP Routing Command Reference for Release 12.1.Configuring a System NameBeginning in privileged EXEC mode, follow these steps to manually configure a system name:When you set the system name, it is also used as the system prompt. To return to the default host name, use the no hostname global configuration command.Managing DNSThe DNS protocol controls the Domain Name System (DNS), a distributed database with which you can map host names to IP addresses. When you configure DNS on your WMIC, you can substitute the host name for the IP address with all IP commands, such as ping,telnet,connect, and related Telnet support operations.IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, such as the File Transfer Protocol (FTP) system, is identified as ftp.cisco.com.To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache (or database) of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the host names, specify the name server that is present on your network, and enable the DNS.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 hostname name Manually configure a system name.The default setting is bridge.The name must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens. Names can be up to 63 characters.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging DNSDefault DNS ConfigurationTable 3-1 shows the default DNS configuration.Setting Up DNSBeginning in privileged EXEC mode, follow these steps to set up your WMIC to use the DNS:If you use the WMIC IP address as its host name, the IP address is used and no DNS query occurs. If you configure a host name that contains no periods (.), a period followed by the default domain name is appended to the host name before the DNS query is made to map the name to an IP address. The default Table 3-1 Default DNS ConfigurationFeature Default SettingDNS enable state Disabled.DNS default domain name None configured.DNS servers No name server addresses are configured.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 ip domain-name name Define a default domain name that the software uses to complete unqualified host names (names without a dotted-decimal domain name).Do not include the initial period that separates an unqualified name from the domain name.At boot time, no domain name is configured; however, if the configuration comes from a BOOTP or Dynamic Host Configuration Protocol (DHCP) server, then the default domain name might be set by the BOOTP or DHCP server (if the servers were configured with this information).Step 3 ip name-server server-address1[server-address2 ... server-address6]Specify the address of one or more name servers to use for name and address resolution.You can specify up to six name servers. Separate each server address with a space. The first server specified is the primary server. The WMIC sends DNS queries to the primary server first. If that query fails, the backup servers are queried.Step 4 ip domain-lookup (Optional) Enable DNS-based host name-to-address translation on your WMIC. This feature is enabled by default. If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme (DNS).Step 5 end Return to privileged EXEC mode.Step 6 show running-config Verify your entries.Step 7 copy running-config startup-config(Optional) Save your entries in the configuration file.
3-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICCreating a Bannerdomain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the host name, the IOS software looks up the IP address without appending any default domain name to the host name.To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command. To disable DNS on the WMIC, use the no ip domain-lookup global configuration command.Displaying the DNS ConfigurationTo display the DNS configuration information, use the show running-config privileged EXEC command.Creating a BannerYou can configure a message-of-the-day (MOTD) and a login banner. The MOTD banner appears on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns).The login banner also appears on all connected terminals. It appears after the MOTD banner and before the login prompts. Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.Default Banner ConfigurationThe MOTD and login banners are not configured.Configuring a Message-of-the-Day Login BannerYou can create a single or multiline message banner that appears on the screen when someone logs into the WMIC. Beginning in privileged EXEC mode, follow these steps to configure a MOTD login banner:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 banner motd c message c Specify the message of the day.For c, enter the delimiting character of your choice, such as a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.For message, enter a banner message up to 255 characters. You cannot use the delimiting character in the message.
3-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICCreating a BannerTo delete the MOTD banner, use the no banner motd global configuration command.This example shows how to configure a MOTD banner for the WMIC using the pound sign (#) symbol as the beginning and ending delimiter:bridge(config)# banner motd #This is a secure site. Only authorized users are allowed.For access, contact technical support.#bridge(config)#This example shows the banner displayed from the previous configuration:Unix> telnet 172.2.5.4Trying 172.2.5.4...Connected to 172.2.5.4.Escape character is '^]'.This is a secure site. Only authorized users are allowed.For access, contact technical support.User Access VerificationPassword:Configuring a Login BannerYou can configure a login banner to appear on all connected terminals. This banner appears after the MOTD banner and before the login prompt.Beginning in privileged EXEC mode, follow these steps to configure a login banner:To delete the login banner, use the no banner login global configuration command.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 banner login c message c Specify the login message.For c, enter the delimiting character of your choice, such as a pound sign (#), and press the Return key. The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded.For message, enter a login message up to 255 characters. You cannot use the delimiting character in the message.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and DateThis example shows how to configure a login banner for the WMIC using the dollar sign ($) symbol as the beginning and ending delimiter:bridge(config)# banner login $Access for authorized users only. Please enter your username and password.$bridge(config)#Managing the System Time and DateYou can manage the system time and date on your WMIC automatically, using the Network Time Protocol (NTP), or manually, by setting the time and date on the WMIC.Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.Understanding the System Clock The heart of the time service is the system clock. This clock runs from the moment the system starts up and keeps track of the date and time. The system clock can then be set from these sources:•Network Time Protocol•Manual configurationThe system clock can provide time to these services:•User show commands•Logging and debugging messagesThe system clock determines time internally based on Universal Time Coordinated (UTC), also known as Greenwich Mean Time (GMT). You can configure information about the local time zone and summer time (daylight saving time) so that the time is correctly displayed for the local time zone.The system clock keeps track of whether the time is authoritative or not (that is, whether it has been set by a time source considered to be authoritative). If it is not authoritative, the time is available only for display purposes and is not redistributed. For configuration information, see the “Configuring Time and Date Manually” section on page 3-17.Understanding Network Time ProtocolThe NTP is designed to time-synchronize a network of devices. NTP runs over User Datagram Protocol (UDP), which runs over IP. NTP is documented in RFC 1305. An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another.NTP uses the concept of a stratum to describe how many NTP hops away a device is from an authoritative time source. A stratum 1 time server has a radio or atomic clock directly attached, a stratum 2 time server receives its time through NTP from a stratum 1 time server, and so on. A device
3-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and Daterunning NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers.NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized. NTP also compares the time reported by several devices and does not synchronize to a device whose time is significantly different than the others, even if its stratum is lower.The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP address of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, in that case, information flow is one-way only.The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time. Two mechanisms are available: an access-list-based restriction scheme and an encrypted authentication mechanism.Cisco’s implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet. Figure 3-1 shows a typical network example using NTP.If the network is isolated from the Internet, Cisco’s implementation of NTP allows a device to act as though it is synchronized through NTP, when in fact it has determined the time by using other means. Other devices then synchronize to that device through NTP.When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time overrides the time set by any other method.Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well.
3-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and DateFigure 3-1 Typical NTP Network ConfigurationCatalyst 3550switchCatalyst 3550switchCatalyst 3550switchCatalyst 3550switchThese switches are configured inNTP server mode (server association)with the Catalyst 6500 series switch.Catalyst 6500series switch(NTP master)This switch is configured as an NTPpeer to the upstream and downstreamCatalyst 3550 switches.Catalyst 3550switchWorkstationsWorkstationsLocalworkgroupservers43269
3-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and DateConfiguring NTPWMICs do not have a hardware-supported clock, and they cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. These bridges also have no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available.Default NTP ConfigurationTable 3-2 shows the default NTP configuration.NTP is disabled by default.Configuring NTP AuthenticationThis procedure must be coordinated with the administrator of the NTP server; the information you configure in this procedure must be matched by the servers used by the WMIC to synchronize its time to the NTP server.Beginning in privileged EXEC mode, follow these steps to authenticate the associations (communications between devices running NTP that provide for accurate timekeeping) with other devices for security purposes:Table 3-2 Default NTP ConfigurationFeature Default SettingNTP authentication Disabled. No authentication key is specified.NTP peer or server associations None configured.NTP broadcast service Disabled; no interface sends or receives NTP broadcast packets.NTP access restrictions No access control is specified.NTP packet source IP address The source address is determined by the outgoing interface.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 ntp authenticate Enable the NTP authentication feature, which is disabled by default. Step 3 ntp authentication-key number md5 value Define the authentication keys. By default, none are defined.•For number, specify a key number. The range is 1 to 4294967295.•md5 specifies that message authentication support is provided by using the message digest algorithm 5 (MD5).•For value, enter an arbitrary string of up to eight characters for the key.The WMIC does not synchronize to a device unless both have one of these authentication keys, and the key number is specified by the ntp trusted-key key-number command.
3-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and DateTo disable NTP authentication, use the no ntp authenticate global configuration command. To remove an authentication key, use the no ntp authentication-key number global configuration command. To disable authentication of the identity of a device, use the no ntp trusted-key key-number global configuration command.This example shows how to configure the WMIC to synchronize only to devices providing authentication key 42 in the device’s NTP packets:bridge(config)# ntp authenticatebridge(config)# ntp authentication-key 42 md5 aNiceKeybridge(config)# ntp trusted-key 42Step 4 ntp trusted-key key-number Specify one or more key numbers (defined in Step 3) that a peer NTP device must provide in its NTP packets for this WMIC to synchronize to it.By default, no trusted keys are defined.For key-number, specify the key defined in Step 3.This command provides protection against accidentally synchronizing the WMIC to a device that is not trusted.Step 5 end Return to privileged EXEC mode.Step 6 show running-config Verify your entries.Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
3-11Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and DateConfiguring NTP AssociationsAn NTP association can be a peer association (this WMIC can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this WMIC synchronizes to the other device, and not the other way around). Beginning in privileged EXEC mode, follow these steps to form an NTP association with another device:You need to configure only one end of an association; the other device can automatically establish the association. If you are using the default NTP version (version 3) and NTP synchronization does not occur, try using NTP version 2. Many NTP servers on the Internet run version 2.To remove a peer or server association, use the no ntp peer ip-address or the no ntp server ip-addressglobal configuration command.This example shows how to configure the WMIC to synchronize its system clock with the clock of the peer at IP address 172.16.22.44 using NTP version 2:bridge(config)# ntp server 172.16.22.44 version 2Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 ntp peer ip-address [version number][key keyid] [source interface] [prefer]orntp server ip-address [version number][key keyid] [source interface] [prefer]Configure the WMIC system clock to synchronize a peer or to be synchronized by a peer (peer association).orConfigure the WMIC system clock to be synchronized by a time server (server association).No peer or server associations are defined by default.•For ip-address in a peer association, specify either the IP address of the peer providing, or being provided, the clock synchronization. For a server association, specify the IP address of the time server providing the clock synchronization.•(Optional) For number, specify the NTP version number. The range is 1 to 3. By default, version 3 is selected.•(Optional) For keyid, enter the authentication key defined with the ntp authentication-key global configuration command.•(Optional) For interface, specify the interface from which to pick the IP source address. By default, the source IP address is taken from the outgoing interface.•(Optional) Enter the prefer keyword to make this peer or server the preferred one that provides synchronization. This keyword reduces switching back and forth between peers and servers.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-12Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and DateConfiguring NTP Broadcast ServiceThe communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, the information flow is one-way only.The WMIC can send or receive NTP broadcast packets on an interface-by-interface basis if there is an NTP broadcast server, such as a router, broadcasting time information on the network. The WMIC can send NTP broadcast packets to a peer so that the peer can synchronize to it. The WMIC can also receive NTP broadcast packets to synchronize its own clock. This section provides procedures for both sending and receiving NTP broadcast packets.Beginning in privileged EXEC mode, follow these steps to configure the WMIC to send NTP broadcast packets to peers so that they can synchronize their clock to the WMIC:To disable the interface from sending NTP broadcast packets, use the no ntp broadcast interface configuration command.This example shows how to configure an interface to send NTP version 2 packets:bridge(config)# interface gigabitethernet0/1bridge(config-if)# ntp broadcast version 2Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface interface-id Enter interface configuration mode, and specify the interface to send NTP broadcast packets.Step 3 ntp broadcast [version number] [key keyid][destination-address]Enable the interface to send NTP broadcast packets to a peer.By default, this feature is disabled on all interfaces.•(Optional) For number, specify the NTP version number. The range is 1 to 3. If you do not specify a version, version 3 is used.•(Optional) For keyid, specify the authentication key to use when sending packets to the peer.•(Optional) For destination-address, specify the IP address of the peer that is synchronizing its clock to this WMIC.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Step 7 Configure the connected peers to receive NTP broadcast packets as described in the next procedure.
3-13Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and DateBeginning in privileged EXEC mode, follow these steps to configure the WMIC to receive NTP broadcast packets from connected peers:To disable an interface from receiving NTP broadcast packets, use the no ntp broadcast client interface configuration command. To change the estimated round-trip delay to the default, use the no ntp broadcastdelay global configuration command.This example shows how to configure an interface to receive NTP broadcast packets:bridge(config)# interface gigabitethernet0/1bridge(config-if)# ntp broadcast clientCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface interface-id Enter interface configuration mode, and specify the interface to receive NTP broadcast packets.Step 3 ntp broadcast client Enable the interface to receive NTP broadcast packets.By default, no interfaces receive NTP broadcast packets.Step 4 exit Return to global configuration mode.Step 5 ntp broadcastdelay microseconds (Optional) Change the estimated round-trip delay between the WMIC and the NTP broadcast server.The default is 3000 microseconds; the range is 1 to 999999.Step 6 end Return to privileged EXEC mode.Step 7 show running-config Verify your entries.Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-14Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and DateConfiguring NTP Access RestrictionsYou can control NTP access by using access lists.Creating an Access Group and Assigning a Basic IP Access ListBeginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:The access group keywords are scanned in this order, from least restrictive to most restrictive: 1. peer—Allows time requests and NTP control queries and allows the WMIC to synchronize itself to a device whose address passes the access list criteria.2. serve—Allows time requests and NTP control queries, but does not allow the WMIC to synchronize itself to a device whose address passes the access list criteria.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 ntp access-group {query-only | serve-only | serve | peer}access-list-numberCreate an access group, and apply a basic IP access list.The keywords have these meanings:•query-only—Allows only NTP control queries.•serve-only—Allows only time requests.•serve—Allows time requests and NTP control queries, but does not allow the WMIC to synchronize to the remote device.•peer—Allows time requests and NTP control queries and allows the WMIC to synchronize to the remote device.For access-list-number, enter a standard IP access list number from 1 to 99. Step 3 access-list access-list-number permit source [source-wildcard]Create the access list.•For access-list-number, enter the number specified in Step 2.•Enter the permit keyword to permit access if the conditions are matched.•For source, enter the IP address of the device that is permitted access to the WMIC.•(Optional) For source-wildcard, enter the wildcard bits to be applied to the source.Note When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-15Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and Date3. serve-only—Allows only time requests from a device whose address passes the access list criteria.4. query-only—Allows only NTP control queries from a device whose address passes the access list criteria.If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.To remove access control to the WMIC NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.This example shows how to configure the WMIC to allow itself to synchronize to a peer from access list 99. However, the WMIC restricts access to allow only time requests from access list 42:bridge# configure terminalbridge(config)# ntp access-group peer 99bridge(config)# ntp access-group serve-only 42bridge(config)# access-list 99 permit 172.20.130.5bridge(config)# access list 42 permit 172.20.130.6Disabling NTP Services on a Specific Interface NTP services are enabled on all interfaces by default. Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:To re-enable receipt of NTP packets on an interface, use the no ntp disable interface configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface interface-id Enter interface configuration mode, and specify the interface to disable.Step 3 ntp disable Disable NTP packets from being received on the interface.By default, all interfaces receive NTP packets.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-16Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and DateConfiguring the Source IP Address for NTP PacketsWhen the WMIC sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets. The address is taken from the specified interface. This command is useful if the address on an interface cannot be used as the destination for reply packets.Beginning in privileged EXEC mode, follow these steps to configure a specific interface from which the IP source address is to be taken:The specified interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source keyword in the ntp peer or ntp serverglobal configuration command as described in the “Configuring NTP Associations” section on page 3-11.Displaying the NTP ConfigurationYou can use two privileged EXEC commands to display NTP information: •show ntp associations [detail]•show ntp statusFor detailed information about the fields in these displays, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.1.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 ntp source type number Specify the interface type and number from which the IP source address is taken.By default, the source address is determined by the outgoing interface.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-17Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and DateConfiguring Time and Date ManuallyIf no other source of time is available, you can manually configure the time and date after the system is restarted. The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the WMIC can synchronize, you do not need to manually set the system clock. Setting the System ClockIf you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock.Beginning in privileged EXEC mode, follow these steps to set the system clock:This example shows how to manually set the system clock to 1:32 p.m. on July 23, 2001:bridge# clock set 13:32:00 23 July 2001Displaying the Time and Date ConfigurationTo display the time and date configuration, use the show clock [detail] privileged EXEC command.The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes. Until the clock is authoritative and the authoritative flag is set, the flag prevents peers from synchronizing to the clock when the peers’ time is invalid.The symbol that precedes the show clock display has this meaning: •*—Time is not authoritative.•(blank)—Time is authoritative.•.—Time is authoritative, but NTP is not synchronized.Command PurposeStep 1 clock set hh:mm:ss day month yearorclock set hh:mm:ss month day yearManually set the system clock using one of these formats.•For hh:mm:ss, specify the time in hours (24-hour format), minutes, and seconds. The time specified is relative to the configured time zone.•For day, specify the day by date in the month.•For month, specify the month by name.•For year, specify the year (no abbreviation).Step 2 show running-config Verify your entries.Step 3 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-18Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and DateConfiguring the Time Zone Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC. For example, the time zone for some sections of Atlantic Canada (AST) is UTC-3.5, where the 3 means 3 hours and .5 means 50 percent. In this case, the necessary command is clock timezone AST -3 30.To set the time to UTC, use the no clock timezone global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 clock timezone zone hours-offset[minutes-offset]Set the time zone.The device keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.•For zone, enter the name of the time zone to be displayed when standard time is in effect. The default is UTC.•For hours-offset, enter the hours offset from UTC.•(Optional) For minutes-offset, enter the minutes offset from UTC.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-19Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging the System Time and DateConfiguring Summer Time (Daylight Saving Time)Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.This example shows how to specify that summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:bridge(config)# clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 clock summer-time zone recurring[week day month hh:mm week day month hh:mm [offset]]Configure summer time to start and end on the specified days every year. Summer time is disabled by default. If you specify clock summer-timezone recurring without parameters, the summer time rules default to the United States rules.•For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.•(Optional) For week, specify the week of the month (1 to 5 or last).•(Optional) For day, specify the day of the week (Sunday, Monday...).•(Optional) For month, specify the month (January, February...).•(Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.•(Optional) For offset, specify the number of minutes to add during summer time. The default is 60.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-20Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICProtecting Access to Privileged EXEC CommandsBeginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere.To disable summer time, use the no clock summer-time global configuration command.This example shows how to set summer time to start on October 12, 2000, at 02:00, and end on April 26, 2001, at 02:00:bridge(config)# clock summer-time pdt date 12 October 2000 2:00 26 April 2001 2:00Protecting Access to Privileged EXEC CommandsA simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can issue after they have logged into a network device.Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 clock summer-time zone date [month date year hh:mm month date year hh:mm[offset]]orclock summer-time zone date [datemonth year hh:mm date month year hh:mm [offset]]Configure summer time to start on the first date and end on the second date.Summer time is disabled by default.•For zone, specify the name of the time zone (for example, PDT) to be displayed when summer time is in effect.•(Optional) For week, specify the week of the month (1 to 5 or last).•(Optional) For day, specify the day of the week (Sunday, Monday...).•(Optional) For month, specify the month (January, February...).•(Optional) For hh:mm, specify the time (24-hour format) in hours and minutes.•(Optional) For offset, specify the number of minutes to add during summer time. The default is 60.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-21Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICProtecting Access to Privileged EXEC CommandsThis section describes how to control access to the configuration file and privileged EXEC commands. Default Password and Privilege Level ConfigurationTable 3-3 shows the default password and privilege level configuration.Setting or Changing a Static Enable PasswordThe enable password controls access to the privileged EXEC mode. Note The no enable password global configuration command removes the enable password, but you should use extreme care when using this command. If you remove the enable password, you are locked out of the EXEC mode.Beginning in privileged EXEC mode, follow these steps to set or change a static enable password:Table 3-3 Default Password and Privilege LevelsFeature Default SettingUsername and password Default username is Cisco and the default password is Cisco.Enable password and privilege level Default password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted in the configuration file.Enable secret password and privilege level The default enable password is Cisco. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.Line password Default password is Cisco. The password is encrypted in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 enable password password Define a new password or change an existing password for access to privileged EXEC mode.The default password is Cisco.For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Crtl-V when you create the password; for example, to create the password abc?123, do this:1. Enter abc.2. Enter Crtl-V.3. Enter ?123.When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-V; you can simply enter abc?123 at the password prompt. Step 3 end Return to privileged EXEC mode.
3-22Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICProtecting Access to Privileged EXEC CommandsThis example shows how to change the enable password to l1u2c3k4y5. The password is not encrypted and provides access to level 15 (traditional privileged EXEC mode access):bridge(config)# enable password l1u2c3k4y5Protecting Enable and Enable Secret Passwords with EncryptionTo provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.We recommend that you use the enable secret command because it uses an improved encryption algorithm.If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.The enable password is not encrypted and can be read in the WMIC configuration file.Command Purpose
3-23Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICProtecting Access to Privileged EXEC CommandsBeginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:If both the enable and enable secret passwords are defined, users must enter the enable secret password.Use the level keyword to define a password for a specific privilege level. After you specify the level and set a password, give the password only to users who need to have access at this level. Use the privilege level global configuration command to specify commands accessible at various levels. For more information, see the “Configuring Multiple Privilege Levels” section on page 3-25.If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.To remove a password and level, use the no enable password [level level] or no enable secret [levellevel] global configuration command. To disable password encryption, use the no service password-encryption global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 enable password [level level] {password | encryption-type encrypted-password}orenable secret [level level] {password | encryption-type encrypted-password}Define a new password or change an existing password for access to privileged EXEC mode.orDefine a secret password, which is saved using a nonreversible encryption method.•(Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).•For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined. •(Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password—an encrypted password you copy from another WMIC configuration.Note If you specify an encryption type and then enter a clear text password, you can not re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.Step 3 service password-encryption (Optional) Encrypt the password when the password is defined or when the configuration is written.Encryption prevents the password from being readable in the configuration file.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-24Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICProtecting Access to Privileged EXEC CommandsThis example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:bridge(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8Configuring Username and Password PairsYou can configure username and password pairs, which are locally stored on the WMIC. These pairs are assigned to lines or interfaces and authenticate each user before that user can access the WMIC. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.Beginning in privileged EXEC mode, follow these steps to establish a username-based authentication system that requests a login username and a password:To disable username authentication for a specific user, use the no username name global configuration command. To disable password checking and allow connections without a password, use the no login line configuration command.Note You must have at least one username configured and you must have login local set to open a Telnet session to the WMIC. If you enter no username for the only username, you can be locked out of the WMIC.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 username name [privilege level]{password encryption-type password}Enter the username, privilege level, and password for each user.•For name, specify the user ID as one word. Spaces and quotation marks are not allowed.•(Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.•For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden password will follow.•For password, specify the password the user must enter to gain access to the WMIC. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.Step 3 login local Enable local password checking at login time. Authentication is based on the username specified in Step 2.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-25Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICProtecting Access to Privileged EXEC CommandsConfiguring Multiple Privilege LevelsBy default, the IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.Setting the Privilege Level for a CommandBeginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip route command to level 15, the showcommands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.To return to the default privilege for a given command, use the no privilege mode level level commandglobal configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 privilege mode level level command Set the privilege level for a command.•For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode.•For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.•For command, specify the command to which you want to restrict access.Step 3 enable password level level password Specify the enable password for the privilege level.•For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. •For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined. Step 4 end Return to privileged EXEC mode.Step 5 show running-configorshow privilegeVerify your entries.The first command displays the password and access level configuration. The second command displays the privilege level configuration.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-26Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICProtecting the Wireless LANThis example shows how to set the configure command to privilege level 14 and define SecretPswd14as the password users must enter to use level 14 commands:bridge(config)# privilege exec level 14 configurebridge(config)# enable password level 14 SecretPswd14Logging Into and Exiting a Privilege LevelBeginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:Protecting the Wireless LANConfigure security settings to prevent unauthorized access to your network. Because it is a radio device, the WMIC can communicate beyond the physical boundaries of your building. Advanced security features can be found in the following chapters:•A unique SSID that are not broadcast in the beacon (see Chapter 5, “Configuring SSIDs”)•WEP and WEP features (see Chapter 7, “Configuring WEP and WEP Features”)•Dynamic WEP authentication (see Chapter 8, “Configuring Authentication Types”)Using VLANsAssign SSIDs to the VLANs on the wireless LAN. If you do not use VLANs on the wireless LAN, the security options that can be assigned to SSIDs are limited, because encryption settings and authentication types are linked. Without VLANs, encryption settings (WEP and ciphers) are applied to an interface and no more than one encryption setting can be used on each interface. For example, if an SSID with static WEP is created with VLANs disabled, an additional SSIDs with WPA authentication cannot be created because of the different encryption settings. If a security setting for an SSID conflicts with another SSID, delete one or more SSIDs to eliminate the conflict.Command PurposeStep 1 enable level Log in to a specified privilege level.For level, the range is 0 to 15.Step 2 disable level Exit to a specified privilege level.For level, the range is 0 to 15.
3-27Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICProtecting the Wireless LANExpress Security TypesTable 3-4 describes the four security types that you can assign to an SSID.Security Configuration ExamplesThis section contains these example configurations:•No Security SSID Example•Static WEP Security Example•EAP Authentication Security Example•WPA Security ExampleNo Security SSID ExampleThis example shows part of the configuration to create an SSID called no_security_ssid, including the SSID in the beacon, assigning it to VLAN 10, and selecting VLAN 10 as the native VLAN (as it applies to the 2.4-GHz (802.11b/g) WMIC):interface Dot11Radio0 no ip address no ip route-cache !Ta b l e 3 - 4 S e c u ri t y Ty p e sSecurity Type Description Security Features EnabledNo Security This is the least secure option. Use this option only for SSIDs used in a public space and assign it to a VLAN that restricts access to your network.None.Static WEP Key This option is more secure than no security. However, static WEP keys are vulnerable to attack. Consider limiting association to the access point based on MAC address or, if the network does not have a RADIUS server, consider using an access point as a local authentication server.Mandatory WEP encryption, no key management, and open authentication. In root access point mode, client devices cannot associate using this SSID without a WEP key that matches the access point key.EAP Authentication This option enables 802.1x authentication (such as LEAP, PEAP, EAP-TLS, EAP-GTC, EAP-SIM, and others) requires an IP address and shared secret for an authentication server on the network (server authentication port 1645). Because 802.1x authentication provides dynamic encryption keys, a WEP key is not required.Mandatory 802.1x authentication, In root access point mode, client devices that associate using this SSID must perform 802.1x authentication.WPA Wi-Fi Protected Access (WPA) permits wireless access to users authenticated against a database through the services of an authentication server, then encrypts their IP traffic with stronger algorithms than those used in WEP. As with EAP authentication, the IP address and shared secret for an authentication server on your network (server authentication port 1645) are required.Mandatory WPA authentication. In root access point mode, client devices that associate using this SSID must be WPA-capable.
3-28Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICProtecting the Wireless LAN ssid no_security-ssid vlan 10 authentication open guest-mode! concatenation speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 rts threshold 4000 station-role root infrastructure-client bridge-group 1!interface Dot11Radio0.10 encapsulation dot1Q 10 no ip route-cache bridge-group 10 bridge-group 10 spanning-disabled!interface FastEthernet0 no ip address no ip route-cache duplex auto speed auto bridge-group 1!interface FastEthernet0 no ip address no ip route-cache duplex auto speed auto bridge-group 1As it applies to the 4.9-GHz (US Only, Public Safety) WMIC:hostname root!username Cisco password 7 02250D480809ip subnet-zero!no aaa new-model!bridge irb!interface Dot11Radio0 no ip address no ip route-cache ! ssid test authentication open infrastructure-ssid ! spacing 5 channel 4942 speed basic-1.5 2.25 basic-3.0 4.5 basic-6.0 9.0 12.0 13.5 power local 10 station-role root infrastructure-client bridge-group 1 bridge-group 1 spanning-disabled!interface FastEthernet0 no ip address no ip route-cache duplex auto speed auto
3-29Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICProtecting the Wireless LAN bridge-group 1 bridge-group 1 spanning-disabled!interface BVI1 ip address 192.1.1.2 255.255.255.0 no ip route-cache!ip http serverno ip http secure-serverip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eagip radius source-interface BVI1 logging snmp-trap emergencieslogging snmp-trap alertslogging snmp-trap criticallogging snmp-trap errorslogging snmp-trap warningsbridge 1 route ip!!!line con 0 exec-timeout 0 0 transport preferred all transport output allline vty 0 4 login local transport preferred all transport input all transport output allline vty 5 15 login transport preferred all transport input all transport output all!endStatic WEP Security ExampleThis example shows part of the configuration to create an SSID called static_wep_ssid, excluding the SSID from the beacon, assigning the SSID to VLAN 20, selecting 3 as the key slot, and entering a 128-bit key:interface Dot11Radio0 no ip address no ip route-cache ! encryption vlan 20 key 3 size 128bit 7 4E78330C1A841439656A9323F25A transmit-key encryption vlan 20 mode wep mandatory ! ssid static_wep_ssid vlan 20 authentication open ! concatenation speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 rts threshold 4000 station-role root infrastructure-client bridge-group 1!interface Dot11Radio0.20 encapsulation dot1Q 20
3-30Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICProtecting the Wireless LAN no ip route-cache bridge-group 20 bridge-group 20 spanning-disabled!interface FastEthernet0 no ip address no ip route-cache duplex auto speed auto bridge-group 1!interface FastEthernet0.20 encapsulation dot1Q 20 no ip route-cache bridge-group 20 bridge-group 20 spanning-disabledEAP Authentication Security ExampleThis example shows part of the configuration to create an SSID called eap_ssid, excluding the SSID from the beacon, and assigning the SSID to VLAN 30:interface Dot11Radio0 no ip address no ip route-cache ! encryption vlan 30 mode wep mandatory ! ssid eap_ssid vlan 30 authentication open eap eap_methods authentication network-eap eap_methods ! speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 rts threshold 2312 station-role root bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled!interface Dot11Radio0.30 encapsulation dot1Q 30 no ip route-cache bridge-group 30 bridge-group 30 subscriber-loop-control bridge-group 30 block-unknown-source no bridge-group 30 source-learning no bridge-group 30 unicast-flooding bridge-group 30 spanning-disabled!interface FastEthernet0 mtu 1500 no ip address ip mtu 1564 no ip route-cache duplex auto speed auto bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled
3-31Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICProtecting the Wireless LAN!interface FastEthernet0.30 mtu 1500 encapsulation dot1Q 30 no ip route-cache bridge-group 30 no bridge-group 30 source-learning bridge-group 30 spanning-disabled!WPA Security ExampleThis example shows part of the configuration that creates an SSID called wpa_ssid, excluding the SSID from the beacon, and assigning the SSID to VLAN 40:aaa new-model!aaa group server radius rad_eap server 10.91.104.92 auth-port 1645 acct-port 1646!aaa group server radius rad_mac!aaa group server radius rad_acct!aaa group server radius rad_admin!aaa group server tacacs+ tac_admin!aaa group server radius rad_pmip!aaa group server radius dummy!aaa authentication login eap_methods group rad_eapaaa authentication login mac_methods localaaa authorization exec default localaaa authorization ipmobile default group rad_pmipaaa accounting network acct_methods start-stop group rad_acctaaa session-id common!!bridge irb!!interface Dot11Radio0 no ip address no ip route-cache ! encryption vlan 40 mode ciphers tkip ! ssid wpa_ssid vlan 40 authentication open eap eap_methods authentication network-eap eap_methods authentication key-management wpa ! concatenation speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48 54.0 rts threshold 4000 station-role root infrastructure-client bridge-group 1!interface Dot11Radio0.40
3-32Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring and Enabling RADIUS encapsulation dot1Q 40 no ip route-cache bridge-group 40!interface FastEthernet0 no ip address no ip route-cache duplex auto speed auto bridge-group 1!interface FastEthernet0.40 encapsulation dot1Q 40 no ip route-cache bridge-group 40!ip http serverip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100ip radius source-interface BVI1radius-server attribute 32 include-in-access-req format %hradius-server host 10.91.104.92 auth-port 1645 acct-port 1646 key 7 135445415F59radius-server authorization permit missing Service-Typeradius-server vsa send accountingbridge 1 route ip!line con 0line vty 5 15!endConfiguring and Enabling RADIUSThis section describes how to configure and enable Remote Authentication Dial-In User Service (RADIUS). Understanding RADIUSRADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on supported Cisco devices and send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access Control Server version 3.0), Livingston, Merit, Microsoft, or another software provider. For more information, refer to the RADIUS server documentation.Use RADIUS in these network environments, which require access security:•Networks with multiple-vendor access servers, each supporting RADIUS. For example, access servers from several vendors use a single RADIUS server-based security database. In an IP-based network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS server that is customized to work with the Kerberos security system.•Turnkey network security environments in which applications support the RADIUS protocol, such as an access environment that uses a smart card access control system. In one case, RADIUS has been used with Enigma’s security cards to validate users and to grant access to network resources.
3-33Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring and Enabling RADIUS•Networks already using RADIUS. You can add a Cisco bridge containing a RADIUS client to the network. •Networks that require resource accounting. You can use RADIUS accounting independently of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, showing the amount of resources (such as time, packets, bytes, and so forth) used during the session. An Internet service provider might use a freeware-based version of RADIUS access control and accounting software to meet special security and billing needs.RADIUS is not suitable in these network security situations:•Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25 PAD connections.•Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.•Networks using a variety of services. RADIUS generally binds a user to one service model.RADIUS OperationWhen a non-root bridge attempts to authenticate to a bridge whose access is controlled by a RADIUS server, authentication to the network occurs in the steps shown in Figure 3-2:Figure 3-2 Sequence for EAP AuthenticationIn Steps 1 through 9 in Figure 3-2, a non-root bridge and a RADIUS server on the wired LAN use 802.1x and EAP to perform a mutual authentication through the root bridge. The RADIUS server sends an authentication challenge to the non-root bridge. The non-root bridge uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS 88901Switch onLAN 11. Authentication requestAuthenticationserverNon-RootBridgeRoot Bridge2. Identity request3. Username(Relay to non-root bridge)5. Authentication response(Relay to non-root bridge)7. Authentication challenge(Relay to non-root bridge)9. Authentication success(Relay to server)4. Authentication challenge(Relay to server)6. Authentication success(Relay to server)8. Authentication response(Relay to server)
3-34Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring and Enabling RADIUSserver. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the non-root bridge. When the RADIUS server authenticates the non-root bridge, the process repeats in reverse, and the non-root bridge authenticates the RADIUS server.When mutual authentication is complete, the RADIUS server and the non-root bridge determine a WEP key that is unique to the non-root bridge and provides the non-root bridge with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The non-root bridge loads this key and prepares to use it for the logon session. During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over the wired LAN to the root bridge. The root bridge encrypts its broadcast key with the session key and sends the encrypted broadcast key to the non-root bridge, which uses the session key to decrypt it. The non-root bridge and the root bridge activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.There is more than one type of EAP authentication, but the root bridge behaves the same way for each type: it relays authentication messages from the non-root bridge to the RADIUS server and from the RADIUS server to the non-root bridge. See the “Assigning Authentication Types to an SSID” section on page 8-6 for instructions on setting up authentication using a RADIUS server.Controlling WMIC Access with RADIUS This section describes how to control administrator access to the WMIC using RADIUS. RADIUS provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands. RADIUS and AAA are disabled by default.At a minimum, the host or hosts that run the RADIUS server software must be identified and the method lists for RADIUS authentication must be defined. Optionally, method lists for RADIUS authorization and accounting can be defined. A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a non-root bridge. Method lists are used to designate one or more security protocols to be used, thus ensuring a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on non-root bridges; if that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.You must have access to and should configure a RADIUS server before configuring RADIUS features.These sections describe RADIUS configuration:•Identifying the RADIUS Server Host•Configuring RADIUS Login Authentication•Defining AAA Server Groups•Configuring RADIUS Authorization for User Privileged Access and Network Services•Starting RADIUS Accounting•Configuring Settings for All RADIUS Servers•Configuring the Bridge to Use Vendor-Specific RADIUS Attributes•Configuring the Bridge for Vendor-Proprietary RADIUS Server Communication•Displaying the RADIUS Configuration
3-35Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring and Enabling RADIUSNote For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.Identifying the RADIUS Server Host Access point-to-RADIUS-server communication involves several components:•Host name or IP address•Authentication destination port•Accounting destination port•Key string•Timeout period•Retransmission valueRADIUS security servers are identified by their host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—such as accounting—the second host entry configured acts as a fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the bridge tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order that they are configured.)A RADIUS server and the bridge use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the bridge. The timeout, retransmission, and encryption key values can be configured globally per server for all RADIUS servers or in some combination of global and per-server settings. To apply these settings globally to all RADIUS servers communicating with the bridge, use the three unique global configuration commands: radius-server timeout, radius-server retransmit, and radius-server key. To apply these values on a specific RADIUS server, use the radius-server host global configuration command.Note If you configure both global and per-server functions (timeout, retransmission, and key commands) on the bridge, the per-server timer, retransmission, and key value commands override global timer, retransmission, and key value commands. For information on configuring these setting on all RADIUS servers, see the “Configuring Settings for All RADIUS Servers” section on page 3-42.You can configure the bridge to use AAA server groups to group existing server hosts for authentication. For more information, see the “Defining AAA Server Groups” section on page 3-39.Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
3-36Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring and Enabling RADIUSTo remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:bridge(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1bridge(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.Step 3 radius-server host {hostname | ip-address} [auth-port port-number][acct-port port-number] [timeoutseconds] [retransmit retries] [keystring]Specify the IP address or host name of the remote RADIUS server host.•(Optional) For auth-port port-number, specify the UDP destination port for authentication requests.•(Optional) For acct-port port-number, specify the UDP destination port for accounting requests.•(Optional) For timeout seconds, specify the time interval that the bridge waits for the RADIUS server to reply before retransmitting. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.•(Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used.•(Optional) For key string, specify the authentication and encryption key used between the bridge and the RADIUS daemon running on the RADIUS server. Note The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.To configure the bridge to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The bridge software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-37Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring and Enabling RADIUSThis example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:bridge(config)# radius-server host host1Configuring RADIUS Login AuthenticationTo configure AAA authentication, define a named list of authentication methods and apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.A method list describes the sequence and authentication methods to be queried to authenticate a user (in this case, a non-root bridge). Designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.
3-38Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring and Enabling RADIUSTo disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name}method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.Step 3 aaa authentication login {default | list-name}method1 [method2...]Create a login authentication method list.•To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces. For more information on list names, click this link: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm#xtocid2•For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.Select one of these methods:•line—Use the line password for authentication. You must define a line password before you can use this authentication method. Use the password password line configuration command.•local—Use the local username database for authentication. You must enter username information in the database. Use the usernamepassword global configuration command.•radius—Use RADIUS authentication. You must configure the RADIUS server before you can use this authentication method. For more information, see the “Identifying the RADIUS Server Host”section.Step 4 line [console | tty | vty]line-number[ending-line-number]Enter line configuration mode, and configure the lines to which you want to apply the authentication list.Step 5 login authentication {default | list-name}Apply the authentication list to a line or set of lines.•If you specify default, use the default list created with the aaa authentication login command.•For list-name, specify the list created with the aaa authentication login command.Step 6 radius-server attribute 32 include-in-access-req format %hConfigure the device to send its system name in the NAS_ID attribute for authentication.Step 7 end Return to privileged EXEC mode.Step 8 show running-config Verify your entries.Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
3-39Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring and Enabling RADIUSDefining AAA Server GroupsConfigure the bridge to use AAA server groups to group existing server hosts for authentication. Select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts. Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same RADIUS server for the same service (such as accounting), the second configured host entry acts as a fail-over backup to the first one.Use the server group server configuration command to associate a particular server with a defined group server. Identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.Step 3 radius-server host {hostname|ip-address} [auth-portport-number] [acct-portport-number] [timeoutseconds] [retransmit retries][key string]Specify the IP address or host name of the remote RADIUS server host.•(Optional) For auth-port port-number, specify the UDP destination port for authentication requests.•(Optional) For acct-port port-number, specify the UDP destination port for accounting requests.•(Optional) For timeout seconds, specify the time interval that the bridge waits for the RADIUS server to reply before retransmitting. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used.•(Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server hostcommand, the setting of the radius-server retransmit global configuration command is used.•(Optional) For key string, specify the authentication and encryption key used between the bridge and the RADIUS daemon running on the RADIUS server. Note The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.To configure the bridge to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The bridge software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host.
3-40Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring and Enabling RADIUSTo remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.In this example, the bridge is configured to recognize two different RADIUS group servers (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.bridge(config)# aaa new-modelbridge(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001bridge(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646bridge(config)# aaa group server radius group1bridge(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001bridge(config-sg-radius)# exitbridge(config)# aaa group server radius group2bridge(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001bridge(config-sg-radius)# exitConfiguring RADIUS Authorization for User Privileged Access and Network ServicesAAA authorization limits the services available to a user. When AAA authorization is enabled, the bridge uses information retrieved from the user profile, which is in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user’s network access to privileged EXEC mode. The aaa authorization exec radius local command sets these authorization parameters:•Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS.•Use the local database if authentication was not performed by using RADIUS.Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.Step 4 aaa group server radius group-nameDefine the AAA server-group with a group name.This command puts the bridge in a server group configuration mode.Step 5 server ip-address Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group.Each server in the group must be previously defined in Step 2.Step 6 end Return to privileged EXEC mode.Step 7 show running-config Verify your entries.Step 8 copy running-config startup-config(Optional) Save your entries in the configuration file.Step 9 Enable RADIUS login authentication. See the “Configuring RADIUS Login Authentication” section on page 3-37.Command Purpose
3-41Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring and Enabling RADIUSBeginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services: To disable authorization, use the no aaa authorization {network | exec}method1 global configuration command. Starting RADIUS AccountingThe AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the bridge reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing.Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:To disable accounting, use the no aaa accounting {network | exec} {start-stop}method1... global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa authorization network radius Configure the bridge for user RADIUS authorization for all network-related service requests.Step 3 aaa authorization exec radius Configure the bridge for user RADIUS authorization to determine if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information). Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa accounting network start-stop radiusEnable RADIUS accounting for all network-related service requests. Step 3 ip radius source-interface bvi1 Configure the bridge to send its BVI IP address in the NAS_IP_ADDRESS attribute for accounting records.Step 4 aaa accounting update periodic minutes Enter an accounting update interval in minutes. Step 5 end Return to privileged EXEC mode.Step 6 show running-config Verify your entries.Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-42Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring and Enabling RADIUSConfiguring Settings for All RADIUS ServersBeginning in privileged EXEC mode, follow these steps to configure global communication settings between the bridge and all RADIUS servers:To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these commands.Configuring the Bridge to Use Vendor-Specific RADIUS AttributesThe Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the bridge and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco’s vendor ID is 9, and the supported option has vendor type 1, which is named cisco-avpair. The value is a string with this format:protocol : attribute sep value *Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 radius-server key string Specify the shared secret text string used between the bridge and all RADIUS servers.Note The key is a text string that must match the encryption key used on the RADIUS server. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.Step 3 radius-server retransmit retries Specify the number of times the bridge sends each RADIUS request to the server before giving up. The default is 3; the range 1 to 1000.Step 4 radius-server timeout seconds Specify the number of seconds an bridge waits for a reply to a RADIUS request before resending the request. The default is 5 seconds; the range is 1 to 1000.Step 5 radius-server deadtime minutes Use this command to cause the Cisco IOS software to mark as “dead” any RADIUS servers that fail to respond to authentication requests, thus avoiding the wait for the request to time out before trying the next configured server. A RADIUS server marked as dead is skipped by additional requests for the duration of minutes that you specify, or unless there are no servers not marked dead.Note If you set up more than one RADIUS server, you must configure the RADIUS server deadtime for optimal performance.Step 6 radius-server attribute 32 include-in-access-req format %hConfigure the bridge to send its system name in the NAS_ID attribute for authentication.Step 7 end Return to privileged EXEC mode.Step 8 show running-config Verify your settings.Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-43Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring and Enabling RADIUSProtocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and the asterisk (*) for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS. For example, the following AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP’s IPCP address assignment):cisco-avpair= ”ip:addr-pool=first“The following example shows how to provide a user logging in from an bridge with immediate access to privileged EXEC commands:cisco-avpair= ”shell:priv-lvl=15“ Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information about vendor IDs and VSAs, refer to RFC 2138, “Remote Authentication Dial-In User Service (RADIUS).” Beginning in privileged EXEC mode, follow these steps to configure the bridge to recognize and use VSAs:For a complete list of RADIUS attributes or more information about VSA 26, refer to the “RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide for Release 12.2.Configuring the Bridge for Vendor-Proprietary RADIUS Server CommunicationAlthough an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the bridge and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the bridge. You specify the RADIUS host and secret text string by using the radius-server global configuration commands.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 radius-server vsa send [accounting | authentication]Enable the bridge to recognize and use VSAs as defined by RADIUS IETF attribute 26.•(Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accounting attributes.•(Optional) Use the authentication keyword to limit the set of recognized vendor-specific attributes to only authentication attributes.If you enter this command without keywords, both accounting and authentication vendor-specific attributes are used.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your settings.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-44Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICControlling WMIC Access with TACACS+Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:To delete the vendor-proprietary RADIUS host, use the no radius-server host {hostname | ip-address}non-standard global configuration command. To disable the key, use the no radius-server key global configuration command.This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad124 between the bridge and the server:bridge(config)# radius-server host 172.20.30.15 nonstandardbridge(config)# radius-server key rad124Displaying the RADIUS ConfigurationTo display the RADIUS configuration, use the show running-config privileged EXEC command.Controlling WMIC Access with TACACS+ This section describes how to control administrator access to the WMIC using Terminal Access Controller Access Control System Plus (TACACS+). TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 radius-server host {hostname | ip-address} non-standard Specify the IP address or host name of the remote RADIUS server host and identify that it is using a vendor-proprietary implementation of RADIUS.Step 3 radius-server key string Specify the shared secret text string used between the bridge and the vendor-proprietary RADIUS server. The bridge and the RADIUS server use this text string to encrypt passwords and exchange responses.Note The key is a text string that must match the encryption key used on the RADIUS server. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your settings.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-45Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICControlling WMIC Access with TACACS+Understanding TACACS+TACACS+ is a security application that provides centralized validation of users attempting to gain access to your bridge. Unlike RADIUS, TACACS+ does not authenticate non-root bridges associated to the root bridge. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You should have access to and should configure a TACACS+ server before configuring TACACS+ features on your WMIC.TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. TACACS+, administered through the AAA security services, can provide these services:•Authentication—Provides complete control of authentication of administrators through login and password dialog, challenge and response, and messaging support.The authentication facility can conduct a dialog with the administrator (for example, after a username and password are provided, to challenge a user with several questions, such as home address, mother’s maiden name, service type, and social security number). The TACACS+ authentication service can also send messages to administrator screens. For example, a message could notify administrators that their passwords must be changed because of the company’s password aging policy.•Authorization—Provides fine-grained control over administrator capabilities for the duration of the administrator’s session, including but not limited to setting autocommands, access control, session duration, or protocol support. You can also enforce restrictions on the commands that an administrator can execute with the TACACS+ authorization feature.•Accounting—Collects and sends information used for billing, auditing, and reporting to the TACACS+ daemon. Network managers can use the accounting facility to track administrator activity for a security audit or to provide information for user billing. Accounting records include administrator identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. The TACACS+ protocol provides authentication between the WMIC and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between the WMIC and the TACACS+ daemon are encrypted. You need a system running the TACACS+ daemon software to use TACACS+ on your WMIC. TACACS+ OperationWhen an administrator attempts a simple ASCII login by authenticating to a WMIC using TACACS+, this process occurs:1. When the connection is established, the WMIC contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the administrator. The administrator enters a username, and the WMIC then contacts the TACACS+ daemon to obtain a password prompt. The WMIC displays the password prompt to the administrator, the administrator enters a password, and the password is then sent to the TACACS+ daemon.
3-46Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICControlling WMIC Access with TACACS+TACACS+ allows a conversation to be held between the daemon and the administrator until the daemon receives enough information to authenticate the administrator. The daemon prompts for a username and password combination, but can include other items, such as the user’s mother’s maiden name. 2. The WMIC eventually receives one of these responses from the TACACS+ daemon: –ACCEPT—The administrator is authenticated and service can begin. If the WMIC is configured to require authorization, authorization begins at this time.–REJECT—The administrator is not authenticated. The administrator can be denied access or is prompted to retry the login sequence, depending on the TACACS+ daemon.–ERROR—An error occurred at some time during authentication with the daemon or in the network connection between the daemon and the WMIC. If an ERROR response is received, the WMIC typically tries to use an alternative method for authenticating the administrator.–CONTINUE—The administrator is prompted for additional authentication information.After authentication, the administrator undergoes an additional authorization phase if authorization has been enabled on the WMIC. Administrators must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization. 3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response contains data in the form of attributes that direct the EXEC or NETWORK session for that administrator, determining the services that the administrator can access:–Telnet, rlogin, or privileged EXEC services–Connection parameters, including the host or client IP address, access list, and administrator timeoutsDefault TACACS+ ConfigurationTACACS+ and AAA are disabled by default.To prevent a lapse in security, you cannot configure TACACS+ through a network management application.When enabled, TACACS+ can authenticate administrators accessing the WMIC through the CLI.Configuring TACACS+ Login AuthenticationTo configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default).The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method
3-47Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICControlling WMIC Access with TACACS+or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.Identifying the TACACS+ Server Host and Setting the Authentication KeyYou can configure the WMIC to use a single server or AAA server groups to group existing server hosts for authentication. You can group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts.Beginning in privileged EXEC mode, follow these steps to identify the IP host or host maintaining TACACS+ server and optionally set the encryption key:To remove the specified TACACS+ server name or address, use the no tacacs-server host hostnameglobal configuration command. To remove a server group from the configuration list, use the no aaa group server tacacs+ group-name global configuration command. To remove the IP address of a TACACS+ server, use the no server ip-address server group subconfiguration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 tacacs-server host hostname [port integer] [timeout integer] [key string]Identify the IP host or hosts maintaining a TACACS+ server. Enter this command multiple times to create a list of preferred hosts. The software searches for hosts in the order in which you specify them.•For hostname, specify the name or IP address of the host.•(Optional) For port integer, specify a server port number. The default is port 49. The range is 1 to 65535.•(Optional) For timeout integer, specify a time in seconds the WMIC waits for a response from the daemon before it times out and declares an error. The default is 5 seconds. The range is 1 to 1000 seconds.•(Optional) For key string, specify the encryption key for encrypting and decrypting all traffic between the WMIC and the TACACS+ daemon. You must configure the same key on the TACACS+ daemon for encryption to be successful.Step 3 aaa new-model Enable AAA.Step 4 aaa group server tacacs+ group-name (Optional) Define the AAA server-group with a group name.This command puts the WMIC in a server group subconfiguration mode.Step 5 server ip-address (Optional) Associate a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group.Each server in the group must be previously defined in Step 2.Step 6 end Return to privileged EXEC mode.Step 7 show tacacs Verify your entries.Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-48Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICControlling WMIC Access with TACACS+Configuring TACACS+ Login AuthenticationTo configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.A method list describes the sequence and authentication methods to be queried to authenticate an administrator. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the administrator access—the authentication process stops, and no other authentication methods are attempted.Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.Step 3 aaa authentication login {default | list-name}method1 [method2...]Create a login authentication method list.•To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.•For list-name, specify a character string to name the list you are creating. •For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails.Select one of these methods:•local—Use the local username database for authentication. You must enter username information into the database. Use the usernamepassword global configuration command.•tacacs+—Use TACACS+ authentication. You must configure the TACACS+ server before you can use this authentication method.Step 4 line [console | tty | vty]line-number[ending-line-number]Enter line configuration mode, and configure the lines to which you want to apply the authentication list.
3-49Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICControlling WMIC Access with TACACS+To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name}method1 [method2...] global configuration command. To either disable TACACS+ authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.Configuring TACACS+ Authorization for Privileged EXEC Access and Network ServicesAAA authorization limits the services available to a user. When AAA authorization is enabled, the WMIC uses information retrieved from the user’s profile, which is located either in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.You can use the aaa authorization global configuration command with the tacacs+ keyword to set parameters that restrict a user’s network access to privileged EXEC mode. The aaa authorization exec tacacs+ local command sets these authorization parameters:•Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TAC ACS+.•Use the local database if authentication was not performed by using TACACS+.Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.Beginning in privileged EXEC mode, follow these steps to specify TACACS+ authorization for privileged EXEC access and network services: Step 5 login authentication {default | list-name}Apply the authentication list to a line or set of lines.•If you specify default, use the default list created with the aaa authentication login command.•For list-name, specify the list created with the aaa authentication login command.Step 6 end Return to privileged EXEC mode.Step 7 show running-config Verify your entries.Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa authorization network tacacs+ Configure the WMIC for user TACACS+ authorization for all network-related service requests.Step 3 aaa authorization exec tacacs+ Configure the WMIC for user TACACS+ authorization to determine if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information).
3-50Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICControlling WMIC Access with TACACS+To disable authorization, use the no aaa authorization {network | exec}method1 global configuration command. Starting TACACS+ AccountingThe AAA accounting feature tracks the services that administrators are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the WMIC reports administrator activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing.Beginning in privileged EXEC mode, follow these steps to enable TACACS+ accounting for each Cisco IOS privilege level and for network services:To disable accounting, use the no aaa accounting {network | exec} {start-stop}method1... global configuration command.Displaying the TACACS+ ConfigurationTo display TACACS+ server statistics, use the show tacacs privileged EXEC command.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa accounting network start-stop tacacs+Enable TACACS+ accounting for all network-related service requests. Step 3 aaa accounting exec start-stop tacacs+ Enable TACACS+ accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-51Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring the WMIC for Local Authentication and AuthorizationConfiguring the WMIC for Local Authentication and AuthorizationYou can configure AAA to operate without a server by setting the WMIC to implement AAA in local mode. The WMIC then handles authentication and authorization. No accounting is available in this configuration.Beginning in privileged EXEC mode, follow these steps to configure the WMIC for local AAA:To disable AAA, use the no aaa new-model global configuration command. To disable authorization, use the no aaa authorization {network | exec}method1 global configuration command. Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 aaa new-model Enable AAA.Step 3 aaa authentication login default local Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all interfaces.Step 4 aaa authorization exec local Configure user AAA authorization to determine if the user is allowed to run an EXEC shell by checking the local database.Step 5 aaa authorization network local Configure user AAA authorization for all network-related service requests.Step 6 username name [privilege level]{password encryption-type password}Enter the local database, and establish a username-based authentication system.Repeat this command for each user.•For name, specify the user ID as one word. Spaces and quotation marks are not allowed.•(Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 0 gives user EXEC mode access.•For encryption-type, enter 0 to specify that an unencrypted password follows. Enter 7 to specify that a hidden password follows.•For password, specify the password the user must enter to gain access to the WMIC. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.Step 7 end Return to privileged EXEC mode.Step 8 show running-config Verify your entries.Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-52Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICConfiguring the WMIC for Secure ShellConfiguring the WMIC for Secure ShellThis section describes how to configure the Secure Shell (SSH) feature. Note For complete syntax and usage information for the commands used in this section, refer to the “Secure Shell Commands” section in the Cisco IOS Security Command Reference for Release 12.2.Understanding SSH SSH is a protocol that provides a secure, remote connection to a Layer 2 or a Layer 3 device. There are two versions of SSH: SSH version 1 and SSH version 2. This software release supports only SSH version 1.SSH provides more security for remote connections than Telnet by providing strong encryption when a device is authenticated. The SSH feature has an SSH server and an SSH integrated client. The client supports these user authentication methods:•RADIUS (for more information, see the “Controlling WMIC Access with RADIUS” section on page 3-34)•Local authentication and authorization (for more information, see the “Configuring the WMIC for Local Authentication and Authorization” section on page 3-51)For more information about SSH, refer to the “Configuring Secure Shell” section in the Cisco IOS Security Configuration Guide for Release 12.2.Note The SSH feature in this software release does not support IP Security (IPSec).
3-53Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging Aironet ExtensionsConfiguring SSHBefore configuring SSH, download the crypto software image from Cisco.com. For information about configuring SSH and displaying SSH settings, refer to the “Configuring Secure Shell” section in the Cisco IOS Security Configuration Guide for Release 12.2.Managing Aironet ExtensionsThe WMIC uses Cisco Aironet 802.11 extensions to detect the capabilities of Cisco client devices and to support features that require specific interaction between the WMIC and associated client devices. The Aironet Extensions can only be deactivated in the Root Access Point mode. Since workgroup bridge, root bridge, and non-root bridge are Cisco-specific modes, they always use the Aironet extensions. Aironet extensions must be enabled to support these features:•Load balancing—The WMIC uses Aironet extensions to direct client devices to an access point that provides the best connection to the network based on factors such as number of users, bit error rates, and signal strength.•Message Integrity Check (MIC)—MIC is an additional WEP security feature that prevents attacks on encrypted packets called bit-flip attacks. The MIC, implemented on both the WMIC and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof.•Temporal Key Integrity Protocol (TKIP)—TKIP, also known as WEP key hashing, is an additional WEP security feature that defends against an attack on WEP in which the intruder uses an unencrypted segment called the initialization vector (IV) in encrypted packets to calculate the WEP key. •Limiting the power level on associated client devices—When a client device associates to the WMIC, the WMIC sends the maximum allowed power level setting to the client.Beginning in privileged EXEC mode, follow these steps to disable the Aironet extensions:If you change the radio to a role that requires Aironet extensions, the Aironet extensions are enabled automatically: wmic1(config)#int dot 0wmic1(config-if)#station-role rootSelected role requires Cisco Aironet Extension enabled.Enabled Cisco Aironet Extension.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 station-role root ap-only Enter the station role. Root enables the access point mode. Step 4 no dot11 extension aironet Enter the extension aironet command to disable extensions.Step 5 end Return to privileged EXEC mode.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
3-54Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 3 Administering the WMICManaging Aironet ExtensionsIf you try to change the Aironet extensions without setting the radio to the proper role, an error message displays: wmic1(config-if)#wmic1(config-if)#no dot11 extension aironetAironet Extension is always enabled in Bridge or WGB mode.
CHAPTER4-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-024Configuring Radio SettingsThis chapter describes how to configure radio settings for your WMIC. This chapter includes these sections:•Disabling and Enabling the Radio Interface•Configuring the Role in Radio Network•Configuring Radio Data Rates•Configuring Radio Transmit Power•Configuring Radio Channel Settings•Enabling and Disabling World Mode (2.4-GHz Only)•Disabling and Enabling Short Radio Preambles (2.4-GHz Only)•Configuring Transmit and Receive Antennas•Configuring the Ethernet Encapsulation Transformation Method•Enabling and Disabling Concatenation (2.4-GHz Only)•Configuring the Radio Distance Setting•Enabling and Disabling Reliable Multicast to Workgroup Bridges•Enabling and Disabling Public Secure Packet Forwarding•Configuring the Beacon Period•Configure RTS Threshold and Retries•Configuring the Maximum Data Retries•Configuring the Fragmentation Threshold•Setting the Root Parent Timeout Value•Configuring the Root Parent MAC•Performing a Carrier Busy Test
4-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsDisabling and Enabling the Radio InterfaceDisabling and Enabling the Radio InterfaceThe WMIC radio is enabled by default. Beginning in privileged EXEC mode, follow these steps to disable the WMIC radio:Use the no form of the shutdown command to enable the radio port. Configuring the Role in Radio NetworkYou can configure your WMIC as a root bridge, non-root bridge, access point, or workgroup bridge. (Chapter 1, “Overview” describes the various WMIC radio network roles.) Beginning in privileged EXEC mode, follow these steps to set the WMIC radio network role:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 shutdown Disable the radio port.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 station-role {root [ap-only] | non-root |workgroup-bridge |install [automatic |root |non-root]}Set the WMIC role.•Bridge—root, non-root, or install modes. In root mode, the access point function is automatically enabled allowing client devices to associate.•Access point—root ap-only mode•Workgroup bridge—workgroup bridge modeStep 4 mobile station (Optional) Use this command to configure a non-root bridge or workgroup bridge as a mobile station. When this feature is enabled the bridge scans for a new parent association when it encounters a poor Received Signal Strength Indicator (RSSI), excessive radio interference, or a high frame-loss percentage. Using these criteria, the WMIC searches for a new root association and roams to a new root bridge before it loses its current association. When the mobile station setting is disabled (the default setting) the WMIC does not search for a new association until it loses its current association.Step 5 end Return to privileged EXEC mode.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring the Role in Radio NetworkConfiguring the WMIC as an Access PointThe WMIC can be configured as a root access point. In this role, it accepts associations from wireless clients.Follow these steps to configure the WMIC as an access point:Configuring the WMIC as a Workgroup BridgeThe WMIC can be configured as a workgroup bridge. In this role, the WMIC has the following functionality:•Associates to the following devices:–Root access points–Root bridges•If the router contains a 2.4-GHz WMIC, it operates with 2.4-GHz (802.11b/g) IOS-based bridges. If the router contains a 4.9-GHz WMIC, it operates with 4.9-GHz IOS-based bridges.•Accepts only wired clients.•Informs its root parent of all attached wired clients using IAPP messaging.Follow these steps to configure the WMIC as a workgroup bridge.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface.Step 3 station-role root ap-only Specifies that the WMIC functions as a root access point. Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface.Step 3 station-role workgroup-bridge Enables workgroup bridge mode. Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring Radio Data RatesConfiguring the WMIC as a BridgeThe WMIC can be configured as a bridge. This is the only role that supports the distance command. There are three install modes: automatic, root, and non-root:Automatic activates the bridge install and alignment mode, and specifies that the unit automatically determines the network role. If the unit is able to associate to another Cisco root bridge within 60 seconds, the unit assumes a non-root bridge role. If the unit is unable to associate with another Cisco root bridge within 60 seconds, the unit assumes a root bridge role. The device can be configured into root bridge or non-root bridge modes to avoid the 60-second automatic detection phase.Root specifies that the device is operating as a root bridge and connects directly to the main Ethernet LAN network. In this mode, the unit accepts associations from other Cisco bridges and wireless client devices.Non-root specifies that the device is operating as a non-root bridge, and that it connects to a remote LAN network, and that it must associate with a Cisco root bridge by using the wireless interface. Follow these steps to configure the WMIC to determine is role automatically:Configuring Radio Data RatesYou use the data rate settings to choose the data rates the 4.9-GHz (US Only, Public Safety) WMIC uses for data transmission. The rates are expressed in megabits per second. The WMIC always attempts to transmit at the highest data rate set to Basic, also called Require on the browser-based interface. If there are obstacles or interference, the WMIC steps down to the highest rate that allows data transmission. You can set each data rate to one of three states: •Basic (this is the default state for all data rates)—Allows transmission at this rate for all packets, both unicast and multicast. At least one of the WMIC's data rates must be set to Basic. •Enabled—The WMIC transmits only unicast packets at this rate; multicast packets are sent at one of the data rates set to Basic. •Disabled—The WMIC does not transmit data at this rate. Note At least one data rate must be set to basic.You can use the Data Rate settings to set up the WMIC to operate at specific data rates. For example, to configure the WMIC to operate at 54 megabits per second (Mbps) service only, set the 54-Mbps rate to Basic and set the other data rates to Enabled. To set up the WMIC to operate at 24, 48, and 54 Mbps, set 24, 48, and 54 to Basic and set the rest of the data rates to Enabled.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface.Step 3 station-role install automatic Specifies that role of the WMIC is chosen based on the device to which it is associated. Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring Radio Data RatesYou can also configure the WMIC to set the data rates automatically to optimize either range or throughput. When you enter range for the data rate setting, the WMIC sets the 6-Mbps rate to basic and the other rates to enabled if you are configuring a 2.4-GHz WMIC or a 4.9-GHz WMIC.If you are configuring a 4.9-GHz WMIC set to 5-MHz spacing, the WMIC sets the 1.5- Mbps rate to basic and the other rates to enable. If you are configuring a 4.9-GHz WMIC set to 10-MHz spacing, the WMIC sets the 3.0-Mbps rate to basic and the other rates to enable. If you enter throughput for the data rate setting, the WMIC sets all data rates to basic. Enter default to set the data rates to factory defaultsBeginning in privileged EXEC mode, follow these steps to configure the radio data rates:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 speed{[1.0] [2.0] [5.5] [6.0] [9.0] [11.0][12.0] [18.0] [24.0] [36.0] [48.0][54.0] [basic-1.0] [basic-2.0][basic-5.5] [basic-6.0] [basic-9.0][basic-11.0] [basic-12.0][basic-18.0] [basic-24.0][basic-36.0] [basic-48.0][basic-54.0] | range | throughput | default }Set each data rate to basic or enabled, or enter range to optimize the range or throughput to optimize the throughput.If you are entering the speed for a 2.4-GHz WMIC, enter 1.0,2.0,5.5,6.0,9.0,11.0,12.0,18.0,24.0,36.0,48.0, and54.0 to set these data rates to enabled.If you are entering the speed for a 4.9-GHz WMIC:With 5-MHz spacing, enter a speed of 1.5, 2.25, 3.0, 4.5, 6.0, 9.0, 12.0, or 13.5. With 10-MHz spacing, enter a speed of 3.0, 4.5, 6.0, 9.0, 12.0, 18.0, 24.0, or 27.0.Enter basic-1.0,basic-2.0, basic-5.5, basic-6.0,basic-9.0,basic-11.0,basic-12.0,basic-18.0,basic-24.0,basic-36.0,basic-48.0, and basic-54.0 to set these data rates to basic.Note The client must support the basic rate that you select or it cannot associate to the WMIC. If you select 12 Mbps or higher for the basic data rate on the 802.11g radio, 802.11b client devices cannot associate to the WMIC’s 802.11g radio.•(Optional) Enter range or throughput to automatically optimize radio range or throughput. When you enter range, The WMIC sets the lowest data rate to basic and the other rates to enabled. When you enter throughput, the WMIC sets all data rates to basic.(Optional) The default option sets data rates 1, 2, 5.5, 6, 11, 12, and 24 to basic, and data rates 9, 18, 36, 48, and 54 to enabled. These data rate settings allow both 802.11b and 802.11g client devices to associate to the WMIC’s 802.11g radio.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring Radio Transmit PowerUse the no form of the speed command to disable data rates. When you use the no form of the command, all data rates are disabled except the rates you name in the command. This example shows how to disable data rate 6.0:bridge# configure terminalbridge(config)# interface dot11radio 0bridge(config-if)# no speed basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0bridge(config-if)# endData rate 6 is disabled, and the rest of the rates are set to basic.This example shows how to set up the WMIC for 54 Mbps service only:bridge# configure terminalbridge(config)# interface dot11radio 0bridge(config-if)# speed basic-54.0bridge(config-if)# endData rate 54 is set to basic, and the rest of the data rates are set to enabled.Configuring Radio Transmit PowerBeginning in privileged EXEC mode, follow these steps to set the transmit power on your WMIC radio:Use the no form of the power command to return the power setting to maximum, the default setting. Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 power local{1 | 5|10 |20 |30 |50 |100 |maximum }Set the transmit power for the radio to one of the power levels allowed in your regulatory domain. All settings are in mW.The settings allowed in your regulatory domain might differ from the settings listed here.The maximum power level for the 4.9-GHz (US Only, Public Safety) radio is 40 mW.The 2.4-GHz (802.11b/g) radio transmits at up to 100 mW for the 1, 2, 5.5, and 11 Mbps data rates. However, for the 6, 9, 12, 18, 24, 36, 48, and 54 Mbps data rates, the maximum transmit power for the 802.11g radio is 30 mW.Step 4 power client{1 | 5 | 10 | 20 | 30 | 50 | 100 | maximum }Set the maximum power level allowed on client devices that associate to the WMIC in access point mode. All settings are in mW.Note The settings allowed in your regulatory domain might differ from the settings listed here.Step 5 end Return to privileged EXEC mode.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring Radio Channel SettingsNote Aironet extensions must be enabled to limit the power level on associated client devices. Aironet extensions are enabled by default.Configuring Radio Channel SettingsThe default channel setting for the radio is least congested; at startup, the WMIC scans for and selects the least-congested channel. For most consistent performance after a site survey, however, we recommend that you assign a static channel setting to each bridge. The channel settings on your WMIC correspond to the frequencies available in your regulatory domain. See Appendix B, “Channels and Antenna Settings,” for the frequencies allowed in your domain.IEEE 802.11g (2.4-GHz Band)The radio operates on 11 channels from 2412-MHz to 2462-MHz. Each channel covers 5 MHz, and the bandwidth for the channels overlaps slightly. For best performance, use channels that are not adjacent (such as 2412 and 2417) for bridges that are close to each other. Beginning in privileged EXEC mode, follow these steps to set the WMIC’s radio channel:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface.
4-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring Radio Channel Settings4.9-GHz BandThis band is available only in the USA. The radio operates on 16 channels, either 5-MHz wide or 10-MHz wide between 4940-MHz and 4990-MHz for the public safety community. To reduce the interference between two consecutive intersections, use two different channels in line-of-sight, cascaded deployments. The throughput is a minimum of 4 Mbps half-duplex at a range of one mile line-of-sight for a 5-MHz-wide channel, and 8 Mbps half-duplex at on mile line-of-sight range for a 10-MHz-wide channel.Step 3 channel frequency |least-congestedSet the default channel for the WMIC radio. To search for the least-congested channel on startup, enter least-congested.These are the available frequencies (in MHz) for the 2.4-GHz radio:•channel 1—2412 (Americas, EMEA, Japan, and China)•channel 2—2417 (Americas, EMEA, Japan, and China)•channel 3—2422 (Americas, EMEA, Japan, Israel, and China)•channel 4—2427 (Americas, EMEA, Japan, Israel, and China)•channel 5—2432 (Americas, EMEA, Japan, Israel, and China)•channel 6—2437 (Americas, EMEA, Japan, Israel, and China)•channel 7—2442 (Americas, EMEA, Japan, Israel, and China)•channel 8—2447 (Americas, EMEA, Japan, Israel, and China)•channel 9—2452 (Americas, EMEA, Japan, Israel, and China)•channel 10—2457 (Americas, EMEA, Japan, and China)•channel 11—2462 (Americas, EMEA, Japan, and China)•channel 12—2467 (EMEA and Japan)•channel 13—2474 (EMEA and Japan)•channel 14—2484 (Japan)Note The frequencies allowed in your regulatory domain might differ from the frequencies listed here.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config(Optional) Save your entries in the configuration file.Command PurposeTable 4-1 Radio Frequency Data RatesData Rate (Mbps)Modulation on sub-carriers based on OFDMRMS Transmit Power (dBm)Receiver Sensitivity (dBm)Signal-to-noise Ratio (dB)10 MHz Channelization3 BPSK 19 -94 4
4-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring Radio Channel Settingsspacing channel User Interface CommandUse the spacing privileged EXEC command to define allowable channels and center frequencies for the 4.9-GHz WMIC. Use no form of this command to reset the channels and center frequencies to defaults. Released in 12.3(JK).spacing <baseband_no> [channel {centerFrequency | channel_number | least-congested}]Note The channel command is not available when this command is entered in the configuration.Syntax Description4.5 BPSK 19 -93 46 QPSK 19 -92 69 QPSK 19 -91 612 16-QAM 19 -87 1118 16-QAM 18 -84 1124 64-QAM 16 -78 2027 64-QAM 15 -75 205 MHz Channelization1.5 BPSK 19 -97 42.25 BPSK 19 -96 43 QPSK 19 -95 64.5 QPSK 19 -94 66 16-QAM 19 -90 119 16-QAM 18 -87 1112 64-QAM 16 -81 2013.5 64-QAM 15 -78 20 Table 4-1 Radio Frequency Data Ratesbaseband_no Specifies the channel spacing in megahertz on the desired channel band. The frequency is either 5-MHz wide or 10-MHz wide.centerFrequency Specifies the center frequency in megahertz of the desired channel band. Supported frequencies are listed in Table 4-2.channel_number Supported channel number. Supported channels are listed in Table 4-2.least-congested Automatically scan for the best frequency.
4-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring Radio Channel SettingsDefaultsCommand Modes Configuration interface ExamplesThis example shows how to set the channel spacing to 5-MHz spacing and channel number to 13 on a root device.WMIC(config-if)# spacing5channel 13This example shows how to set the channel spacing to 10-MHz spacing and center frequency to 4982.5-MHz spacing on a root device. (Note that the command requires that the entry be 4982, as opposed to 4982.5.)WMIC(config-if)# spacing 10 channel 4982This example shows how to set the channel spacing 5-MHz spacing on a non-root device.WMIC(config-if)# spacing 5Related CommandsTable 4-2 Channels, Center Frequencies, and Channel WidthsChannel Center Frequency Channel Width1 4940.5 not supported2 4941.5 not supported3 4942.5 5-MHz4 4943.5 not supported5 4944.5 not supported6 4947.5 5-MHz7 4952.5 5-MHz or 10-MHz8 4957.5 5-MHz9 4962.5 5-MHz or 10-MHz10 4967.5 5-MHz11 4972.5 5-MHz or10-MHz12 4977.5 5-MHz13 4982.5 5-MHz or 10-MHz14 4985.5 not supported15 4986.5 5-MHz16 4987.5 not supported17 4988.5 not supported18 4989.5 not supportedCommand Descriptionshow controllers dot11radio 0 Display the radio controller information and status.
4-11Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsEnabling and Disabling World Mode (2.4-GHz Only)Enabling and Disabling World Mode (2.4-GHz Only)You can configure the WMIC to support 802.11d world mode or Cisco legacy world mode. When you enable world mode, the WMIC adds channel carrier set information to its beacon. Client devices with world mode enabled receive the carrier set information and adjust their settings automatically. For example, a client device used primarily in Japan could rely on world mode to adjust its channel and power settings automatically when it travels to Italy and joins a network there. Cisco client devices running firmware version 5.30.17 or later detect whether the WMIC is using 802.11d or Cisco legacy world mode and automatically use world mode that matches the mode used by the WMIC. World mode is disabled by default.Beginning in privileged EXEC mode, follow these steps to enable world mode:Use the no form of the command to disable world mode. Aironet extensions must be enabled for world mode operation. Aironet extensions are enabled by default.Disabling and Enabling Short Radio Preambles (2.4-GHz Only)The radio preamble (sometimes called a header) is a section of data at the head of a packet that contains information that the access point and client devices need when sending and receiving packets. You can set the radio preamble to long or short:•Short—A short preamble improves throughput performance. Cisco Wireless LAN Client Adapters support short preambles. Early models of Cisco Aironet Wireless LAN Adapters (PC4800 and PC4800A) require long preambles.•Long—A long preamble ensures compatibility between the WMIC and all early models of Cisco Wireless LAN Adapters. If these client devices do not associate to your WMIC, you should use short preambles.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface.Step 3 world-mode dot11d country_code code{ both | indoor | outdoor }| legacy Enable world mode.•Enter the dot11d option to enable 802.11d world mode. –When you enter the dot11d option, you must enter a two-character ISO country code (for example, the ISO country code for the United States is US). You can find a list of ISO country codes at the ISO website. –After the country code, you must enter indoor,outdoor, or both to indicate the placement of the WMIC.•Enter the legacy option to enable Cisco legacy world mode.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-12Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring Transmit and Receive AntennasYou cannot configure short or long radio preambles on the 5-GHz radio.Beginning in privileged EXEC mode, follow these steps to disable short radio preambles:Short preambles are enabled by default. Use the preamble-short command to enable short preambles if they are disabled. Configuring Transmit and Receive AntennasYou can select the antenna the WMIC uses to receive and transmit data. There are three options for both the receive and the transmit antenna:•Diversity—This default setting tells the WMIC to use the antenna that receives the best signal.•Right—If you install a high-gain antenna on the right connector and no antenna on the left connector, you should use this setting for both receive and transmit.•Left—If you install a high-gain antenna on the left connector and no antenna on the right connector, use this setting for both receive and transmit.Note The antenna commands are not available for bridges equipped with a captive (internal) antenna.Beginning in privileged EXEC mode, follow these steps to select the antennas the access point uses to receive and transmit data:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface.Step 3 no preamble-short Disable short preambles and enable long preambles.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface.Step 3 antenna receive{diversity | left | right}Set the receive antenna to diversity, left, or right.Note For best performance, leave the receive antenna setting at the default setting, diversity.Step 4 antenna transmit{diversity | left | right}Set the transmit antenna to diversity, left, or right.Note For best performance, leave the transmit antenna setting at the default setting, diversity.Step 5 end Return to privileged EXEC mode.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-13Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring the Ethernet Encapsulation Transformation MethodNote The Antenna Gain (dB) setting is disabled on the WMIC.Configuring the Ethernet Encapsulation Transformation MethodWhen the WMIC receives data packets that are not 802.3 packets, the WMIC must format the packets to 802.3 using an encapsulation transformation method. These are the two transformation methods:•802.1H—This method provides optimum performance for Cisco wireless products. This is the default setting.•RFC1042—Use this setting to ensure interoperability with non-Cisco wireless equipment. RFC1042 does not provide the interoperability advantages of 802.1H but is used by other manufacturers of wireless equipment. Beginning in privileged EXEC mode, follow these steps to configure the encapsulation transformation method:Note For best performance over your bridge links, adjust the CW-min and CW-max contention window settings to to a value based on the number of non-root bridges associated to each root bridge. Refer to the “CW-min and CW-max Settings for Point-to-Point and Point-to-Multipoint Bridge Links” section on page 11-8 for instructions on adjusting these settings.Enabling and Disabling Concatenation (2.4-GHz Only)Use the concatenation command to enable packet concatenation on the WMIC radio. Using concatenation, the WMIC combines multiple packets into one packet to reduce packet overhead and overall latency, which increases transmission efficiency.Beginning in privileged EXEC mode, follow these steps to enable concatenation and set the maximum length of concatenation.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 payload-encapsulation RFC1042 | dot1hSet the encapsulation transformation method to RFC1042 or 802.1h (dot1h, the default setting).Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface.
4-14Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring the Radio Distance SettingConfiguring the Radio Distance SettingUse the distance command to specify the distance from a root bridge to its clients (non-root bridges and/or workgroup bridges). The distance setting adjusts the time out values to account for the time required for radio signals for radio signals to travel from a root bridge to its clients (non-root bridges and/or workgroup bridges). If more than one non-root bridge (or workgroup bridge) communicates with the root bridge, enter the distance from the root bridge to the non-root bridge (or work-group bridge) that is farthest away. Enter a value from 0 to 99 km for a 2.4-GHz WMIC or 0 to 3 km for a 4.9-GHz WMIC. You do not need to adjust this setting on non-root bridges.In installation mode, the default distance setting is 99 km. In other modes, the default distance setting is 0km.Beginning in privileged EXEC mode, follow these steps to configure the distance setting:Use the no form of the distance command to set the default distance.Enabling and Disabling Reliable Multicast to Workgroup BridgesThe Reliable multicast messages from the access point to workgroup bridges setting limits reliable delivery of multicast messages to approximately 20 Cisco Workgroup Bridges that are associated to the access point. The default setting, disabled, reduces the reliability of multicast delivery to allow more workgroup bridges to associate to the access point.Access points and bridges normally treat workgroup bridges not as client devices but as infrastructure devices, like access points or bridges. Treating a workgroup bridge as an infrastructure device means that the access point reliably delivers multicast packets, including Address Resolution Protocol (ARP) packets, to the workgroup bridge. The performance cost of reliable multicast delivery—duplication of each multicast packet sent to each workgroup bridge—limits the number of infrastructure devices, including workgroup bridges, that can associate to the access point. To increase beyond 20 the number of workgroup bridges that can maintain Step 3 concatenation bytes (Optional) Bytes specifies a maximum size for concatenation packets in bytes. Enter a value from 1600 to 4000.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 distance kilometers Enter a distance setting from 0 to 99 km for a 2.4-GHz WMIC or 0 to 3 km for a 4.9-GHz WMIC.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-15Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsEnabling and Disabling Public Secure Packet Forwardinga radio link to the access point, the access point must reduce the delivery reliability of multicast packets to workgroup bridges. With reduced reliability, the access point cannot confirm whether multicast packets reach the intended workgroup bridge, so workgroup bridges at the edge of the access point's coverage area might lose IP connectivity. When you treat workgroup bridges as client devices, you increase performance but reduce reliability.Note This feature is best suited for use with stationary workgroup bridges. Mobile workgroup bridges might encounter spots in the access point's coverage area where they do not receive multicast packets and lose communication with the access point even though they are still associated to it. A Cisco Workgroup Bridge provides a wireless LAN connection for up to eight Ethernet-enabled devices. Beginning in privileged EXEC mode, follow these steps to configure the encapsulation transformation method:Use the no form of the command to disable reliable multicast messages to workgroup bridges.Enabling and Disabling Public Secure Packet ForwardingPublic Secure Packet Forwarding (PSPF) prevents client devices associated to an access point from inadvertently sharing files or communicating with other client devices associated to the access point. It provides Internet access to client devices without providing other capabilities of a LAN. This feature is useful for public wireless networks like those installed in airports or on college campuses. Note To prevent communication between clients associated to different access points, you must set up protected ports on the switch to which your access points are connected. See the Configuring Protected Ports, page 4-16 for instructions on setting up protected ports.To enable and disable PSPF using CLI commands on your access point, you use bridge groups. You can find a detailed explanation of bridge groups and instructions for implementing them in this document:•Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.2. Click this link to browse to the Configuring Transparent Bridging chapter:http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fibm_c/bcfpart1/bcftb.htmYou can also enable and disable PSPF using the web-browser interface. The PSPF setting is on the Radio Settings pages.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface.Step 3 infrastructure-client Enable reliable multicast messages to workgroup bridges.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-16Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsEnabling and Disabling Public Secure Packet ForwardingPSPF is disabled by default. Beginning in privileged EXEC mode, follow these steps to enable PSPF:Use the no form of the command to disable PSPF.Configuring Protected PortsTo prevent communication between client devices associated to different access points on your wireless LAN, you must set up protected ports on the switch to which your access points are connected.Beginning in privileged EXEC mode, follow these steps to define a port on your switch as a protected port:To disable protected port, use the no switchport protected interface configuration command.For detailed information on protected ports and port blocking, refer to the “Configuring Port-Based Traffic Control” chapter in the Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(12c)EA1. Click this link to browse to that guide:http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_book09186a008011591c.htmlCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 bridge-group group port-protected Enable PSPF.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface interface-id Enter interface configuration mode, and enter the type and number of the switchport interface to configure, such as gigabitethernet0/1.Step 3 switchport protected Configure the interface to be a protected port.Step 4 end Return to privileged EXEC mode.Step 5 show interfaces interface-id switchportVerify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-17Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring the Beacon PeriodConfiguring the Beacon PeriodThe beacon period is the amount of time between beacons in kilomicroseconds. One Kusec equals 1,024 microseconds. The default beacon period is 100. Beginning in privileged EXEC mode, follow these steps to configure the beacon period:Configure RTS Threshold and RetriesThe RTS threshold determines the packet size at which the WMIC issues a request to send (RTS) before sending the packet. A low RTS Threshold setting can be useful in areas where many client devices are associating with the WMIC, or in areas where the clients are far apart and can detect only the WMIC and not each other. You can enter a setting ranging from 0 to 2339 bytes.Note When concatenation is enabled for a 2.4-GHz WMIC, the RTS and fragment thresholds are set to 4000. Changing them to a lower value might degrade device performance. The 4.9-GHz WMIC does not support concatenation.Maximum RTS Retries is the maximum number of times the WMIC issues an RTS before stopping the attempt to send the packet over the radio. Enter a value from 1 to 128.The default RTS threshold is 2312, and the default value for RTS retries is 32. Beginning in privileged EXEC mode, follow these steps to configure the RTS threshold and maximum RTS retries:Use the no form of the command to reset the RTS settings to defaults.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 beacon period value Set the beacon period. Enter a value between 20 and 4000 Kusecs.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 rts threshold value Set the RTS threshold. Enter an RTS threshold from 0 to 2339 for a 2.4-GHz WMIC or 0 to 4000 for a 4.9-GHz WMIC.Step 4 rts retries value Set the maximum RTS retries. Enter a setting from 1 to 128.Step 5 end Return to privileged EXEC mode.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-18Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsConfiguring the Maximum Data RetriesConfiguring the Maximum Data RetriesThe maximum data retries setting determines the number of attempts the WMIC makes to send a packet before giving up and dropping the packet. The default setting is 32. Beginning in privileged EXEC mode, follow these steps to configure the maximum data retries:Use the no form of the command to reset the setting to defaults.Configuring the Fragmentation ThresholdThe fragmentation threshold determines the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference.Note When concatenation is enabled for the 2.4-GHz WMIC, the RTS and fragment thresholds are set to 4000. Changing them to a lower value may degrade performance. The 4.9-GHz WMIC does not support concatenation.The default setting is 2338 bytes. Beginning in privileged EXEC mode, follow these steps to configure the fragmentation threshold:Use the no form of the command to reset the setting to defaults.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 packet retries value Set the maximum data retries. Enter a setting from 1 to 128.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 fragment-threshold value Set the fragmentation threshold. Enter a setting from 256 to 4000 bytes.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-19Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsSetting the Root Parent Timeout ValueSetting the Root Parent Timeout ValueUse the parent timeout command to define the amount of time that a non-root bridge or workgroup bridge tries to associate with a parent access point. The command defines how long the bridge or workgroup bridge attempts to associate with a parent in the parent list. If an association is not made within the timeout value, another acceptable parent is used. You set up the parent list using the parentcommand. With the timeout disabled, the parent must come from the parent list.Beginning in privileged EXEC mode, follow these steps to configure the root parent timeout value:Use the no form of the command to reset the setting to defaults.Configuring the Root Parent MAC Use the parent command to add a parent to a list of valid parent access points. The command adds a parent to the list of valid parent access points. You can use this command multiple times to define up to four valid parents.Caution This command should not be used to configure a workgroup bridge or a non-root bridge a mobile application, as this feature adversely effects roaming time. If the same devices are used for stationary applications the parent command can be configured.Beginning in privileged EXEC mode, follow these steps to configure up to four parent MAC addresses:Use the no form of the command to reset the setting to defaults.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 parent timeout seconds The seconds value specifies the amount of time in seconds the non-root bridge or workgroup bridge attempts to associate with a specified parent. Enter a value between 0 and 65535 seconds.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 parent 1-4 mac-address The value 1-4 specifies the parent root access point number. mac-address specifies the MAC address of a parent access point (in xxxx.xxxx.xxxx format).Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
4-20Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 4 Configuring Radio SettingsPerforming a Carrier Busy TestPerforming a Carrier Busy TestYou can perform a carrier busy test to check the radio activity on the channels. During the carrier busy test, the WMIC drops all associations with wireless networking devices for around 4 seconds while it conducts the carrier test and then displays the test results.In privileged EXEC mode, enter this command to perform a carrier busy test:dot 11 dot11Radio interface-number carrier busywhere, interface-number is the dot11radio interface.Use the show dot11 carrier busy command to re-display the carrier busy test results.
CHAPTER5-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-025Configuring SSIDsThis chapter describes how to configure a service set identifier (SSID) on the WMIC. This chapter contains these sections:•Understanding SSIDs, page 5-2•Configuring the SSID, page 5-2
5-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 5 Configuring SSIDsUnderstanding SSIDsUnderstanding SSIDsThe SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple bridges on a network or sub-network can use the same SSID. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. Do not include spaces in your SSID. The WMIC supports multiple SSIDs. When you configure an SSID you assign these configuration settings to the SSID:•VLAN•RADIUS accounting for traffic using the SSID •Authentication methodNote For detailed information on client authentication types, see Chapter 8, “Configuring Authentication Types.”If you want the WMIC to allow associations from bridges that do not specify an SSID in their configurations, you can include the SSID in the beacon. The default SSID, autoinstall, is included in the beacon. However, to keep your network secure, you should remove the SSID from the beacon.You can assign an authentication username and password to the SSID to allow the WMIC to authenticate to your network using LEAP authentication.If your network uses VLANs, you should assign the WMIC SSID to your network’s native VLAN.Configuring the SSIDThese sections contain configuration information for the SSID:•Default SSID Configuration, page 5-2•Creating an SSID, page 5-3Default SSID ConfigurationTable 5-1 shows the default SSID configuration:Table 5-1 Default SSID ConfigurationFeature Default SettingSSID autoinstallGuest Mode SSID autoinstall (The WMIC broadcasts this SSID in its beacon and allows bridges with no SSID to associate.)
5-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 5 Configuring SSIDsConfiguring the SSIDCreating an SSIDBeginning in privileged EXEC mode, follow these steps to create an SSID:Note You use the ssid command’s authentication options to configure an authentication type for the SSID. See Chapter 8, “Configuring Authentication Types,”for instructions on configuring authentication types.Use the no form of the command to disable the SSID or to disable SSID features.This example shows how to:•Name an SSID•Configure the SSID for RADIUS accounting•Assign the SSID to the native VLAN•Designate the SSID as the infrastructure SSIDbridge# configure terminalbridge(config)# interface dot11radio 0bridge(config-if)# ssid bridgemanbridge(config-ssid)# accounting accounting-method-listbridge(config-ssid)# vlan 1bridge(config-ssid)# infrastructure-ssidbridge(config-ssid)# endCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 ssid ssid-string Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.Note You can include spaces in an SSID, but be careful not to add spaces to an SSID accidentally, especially at the end of an SSID.Step 4 authentication client username usernamepassword password(Optional) Set an authentication username and password that the WMIC uses to authenticate to the network. Step 5 accounting list-name (Optional) Enable RADIUS accounting for this SSID. For list-name, specify the accounting method list. Click this link for more information on method lists: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfacct.htm#xtocid2Step 6 vlan vlan-id (Optional) Assign the SSID to a VLAN on your network. On your WMIC, you should assign the SSID to the native VLAN.Step 7 infrastructure-ssid Designate the SSID as the infrastructure SSID. It is used to instruct a non-root bridge or workgroup bridge radio to associate with this SSID.Step 8 end Return to privileged EXEC mode.Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.
5-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 5 Configuring SSIDsConfiguring the SSID
CHAPTER6-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-026Configuring Spanning Tree ProtocolThis chapter descibes how to configure Spanning Tree Protocol (STP) on your WMIC. This chapter contains these sections:•Understanding Spanning Tree Protocol, page 6-2•Configuring STP Features, page 6-9•Displaying Spanning-Tree Status, page 6-15Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Command Reference for Access Points and Bridges for this release.
6-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolUnderstanding Spanning Tree ProtocolUnderstanding Spanning Tree ProtocolThis section describes how spanning-tree features work. It includes this information:•STP Overview, page 6-2•Bridge Protocol Data Units, page 6-3•Election of the Spanning-Tree Root, page 6-4•Spanning-Tree Timers, page 6-5•Creating the Spanning-Tree Topology, page 6-5•Spanning-Tree Interface States, page 6-6STP OverviewSTP is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. Spanning-tree operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or to a LAN of multiple segments.When you create fault-tolerant internetworks, you must have a loop-free path between all nodes in a network. The spanning-tree algorithm calculates the best loop-free path throughout a Layer 2 network. Infrastructure devices such as wireless bridges and switches send and receive spanning-tree frames, called bridge protocol data units (BPDUs), at regular intervals. The devices do not forward these frames but use them to construct a loop-free path.Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages. Infrastructure devices might also learn end-station MAC addresses on multiple Layer 2 interfaces. These conditions result in an unstable network.STP defines a tree with a root bridge and a loop-free path from the root to all infrastructure devices in the Layer 2 network. Note STP discussions use the term root to describe two concepts: the bridge on the network that serves as a central point in the spanning tree is called the root bridge, and the port on each device that provides the most efficient path to the device is called the root port. These meanings are separate from the Role in radio network setting that includes root and non-root options. A bridge whose Role in radio network setting is Root Bridge does not necessarily become the root bridge in the spanning tree. In this chapter, the root bridge in the spanning tree is called the spanning-tree root.STP forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the standby path.When two interfaces are part of a loop, the spanning-tree port priority and path cost settings determine which interface is put in the forwarding state and which is put in the blocking state. The port priority value represents the location of an interface in the network topology and how well it is located to pass traffic. The path cost value represents media speed. The bridge supports both per-VLAN spanning tree (PVST) and a single 802.1q spanning tree without VLANs. The bridge cannot run 802.1s MST or 802.1d Common Spanning Tree, which maps multiple VLANs into a one-instance spanning tree.
6-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolUnderstanding Spanning Tree ProtocolThe bridge maintains a separate spanning-tree instance for each active VLAN configured on it. A bridge ID, consisting of the bridge priority and the MAC address, is associated with each instance. For each VLAN, the bridge with the lowest bridge ID becomes the spanning-tree root for that VLAN. Bridge InteroperabilityCisco bridges are interoperable when STP is enabled and no VLANs are configured. This configuration is the only one available for the following reasons:•When STP is disabled, the bridge acts as an access point and disallows association of non-root bridge.•The bridge has a single instance of STP in non-VLAN configurations and multiple instances of STP in VLAN configurations.•Incompatibilities between single and multiple instances of STP can cause inconsistent blocking of traffic when VLANs are configured. When the native VLAN is blocked, you can experience bridge flapping. Therefore, the best configuration for STP interoperability is when the bridge STP feature is enabled and VLANs are not configured. Note When the Cisco bridges are configured as workgroup bridges, they can operate with STP disabled and allow for associations with access points. However, this configuration is not technically a bridge-to-bridge scenario.Bridge Protocol Data UnitsThe stable, active spanning-tree topology of your network is determined by these elements:•The unique bridge ID (wireless bridge priority and MAC address) associated with each VLAN on each wireless bridge•The spanning-tree path cost to the spanning-tree root•The port identifier (port priority and MAC address) associated with each Layer 2 interfaceWhen the bridges in a network are powered up, each bridge functions as the STP root. The bridges send configuration BPDUs through the Ethernet and radio ports. The BPDUs communicate and compute the spanning-tree topology. Each configuration BPDU contains this information:•The unique bridge ID of the wireless bridge that the sending bridge identifies as the spanning-tree root•The spanning-tree path cost to the root•The bridge ID of the sending bridge•Message age•The identifier of the sending interface•Values for the hello, forward delay, and max-age protocol timersWhen a bridge receives a configuration BPDU that contains superior information (lower bridge ID, lower path cost, and so forth), it stores the information for that port. If this BPDU is received on the root port of the bridge, the bridge also forwards it with an updated message to all attached LANs for which it is the designated bridge.
6-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolUnderstanding Spanning Tree ProtocolIf a bridge receives a configuration BPDU that contains inferior information to that currently stored for that port, it discards the BPDU. If the bridge is a designated bridge for the LAN from which the inferior BPDU was received, it sends that LAN a BPDU containing the up-to-date information stored for that port. In this way, inferior information is discarded, and superior information is propagated on the network.A BPDU exchange results in these actions:•One bridge is elected as the spanning-tree root.•A root port is selected for each bridge (except the spanning-tree root). This port provides the best path (lowest cost) when the bridge forwards packets to the spanning-tree root.•The shortest distance to the spanning-tree root is calculated for each bridge based on the path cost.•A designated bridge for each LAN segment is selected. The designated bridge incurs the lowest path cost when forwarding packets from that LAN to the spanning-tree root. The port through which the designated bridge is attached to the LAN is called the designated port.•Interfaces included in the spanning-tree instance are selected. Root ports and designated ports are put in the forwarding state.•All interfaces not included in the spanning tree are blocked.Election of the Spanning-Tree RootAll bridges in the Layer 2 network participating in STP gather information about other bridges in the network through an exchange of BPDU data messages. This exchange of messages results in these actions:•The election of a unique spanning-tree root for each spanning-tree instance•The election of a designated bridge for every LAN segment•The removal of loops in the network by blocking Layer 2 interfaces connected to redundant linksFor each VLAN, the bridge with the highest bridge priority (the lowest numerical priority value) is elected as the spanning-tree root. If all bridges are configured with the default priority (32768), the bridge with the lowest MAC address in the VLAN becomes the spanning-tree root. The bridge priority value occupies the most significant bits of the bridge ID.When you change the bridge priority value, you change the probability that the bridge will be elected as the root bridge. Configuring a higher value decreases the probability; a lower value increases the probability.The spanning-tree root is the logical center of the spanning-tree topology. All paths that are not needed to reach the spanning-tree root from anywhere in the network are placed in the spanning-tree blocking mode.BPDUs contain information about the sending bridge and its ports, including bridge and MAC addresses, bridge priority, port priority, and path cost. STP uses this information to elect the spanning-tree root and root port for the network and the root port and designated port for each LAN segment.
6-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolUnderstanding Spanning Tree ProtocolSpanning-Tree TimersTable 6-1 describes the timers that affect the entire spanning-tree performance.Creating the Spanning-Tree TopologyIn Figure 6-1, bridge 4 is elected as the spanning-tree root because the priority of all the bridges is set to the default (32768) and bridge 4 has the lowest MAC address. However, because of traffic patterns, number of forwarding interfaces, or link types, bridge 4 might not be the ideal spanning-tree root. By increasing the priority (lowering the numerical value) of the ideal bridge so that it becomes the spanning-tree root, you force a spanning-tree recalculation to form a new topology with the ideal bridge as the spanning-tree root.Figure 6-1 Spanning-Tree TopologyTable 6-1 Spanning-Tree TimersVariable DescriptionHello timer Determines how often the bridge broadcasts hello messages to other bridges.Forward-delay timer Determines how long each of the listening and learning states last before the interface begins forwarding.Maximum-age timer Determines the amount of time the bridge stores protocol information received on an interface.LAN segment ALAN segment BBridge 1Bridge 3Bridge 2Bridge 456612
6-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolUnderstanding Spanning Tree ProtocolSpanning-Tree Interface StatesPropagation delays can occur when protocol information passes through a wireless LAN. As a result, topology changes can take place at different times and at different places in the network. When an interface transitions directly from nonparticipation in the spanning-tree topology to the forwarding state, it can create temporary data loops. Interfaces must wait for new topology information to propagate through the LAN before starting to forward frames. They must allow the frame lifetime to expire for forwarded frames that have used the old topology.Each interface on a bridge using spanning tree exists in one of these states: •Blocking—The interface does not participate in frame forwarding.•Listening—The first transitional state after the blocking state when the spanning tree determines that the interface should participate in frame forwarding.•Learning—The interface prepares to participate in frame forwarding.•Forwarding—The interface forwards frames.•Disabled—The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.An interface moves through these states:•From initialization to blocking•From blocking to listening or to disabled•From listening to learning or to disabled•From learning to forwarding or to disabled•From forwarding to disabledFigure 6-2 illustrates how an interface moves through the states.Figure 6-2 Spanning-Tree Interface StatesWhen you enable STP on the bridge, the Ethernet and radio interfaces go through the blocking state and the transitory states of listening and learning. Spanning tree stabilizes each interface at the forwarding or blocking state.Power-oninitializationBlockingstate43569ListeningstateDisabledstateLearningstateForwardingstate
6-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolUnderstanding Spanning Tree ProtocolWhen the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process occurs:1. The interface is in the listening state while spanning tree waits for protocol information to transition the interface to the blocking state.2. While spanning tree waits the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer.3. In the learning state, the interface continues to block frame forwarding as the bridge learns end-station location information for the forwarding database.4. When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where both learning and frame forwarding are enabled.Blocking StateAn interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to the bridge’s Ethernet and radio ports. A bridge initially functions as the spanning-tree root until it exchanges BPDUs with other bridges. This exchange establishes which bridge in the network is the spanning-tree root. If there is only one bridge in the network, no exchange occurs, the forward-delay timer expires, and the interfaces move to the listening state. An interface always enters the blocking state when you enable STP.An interface in the blocking state performs as follows:•Discards frames received on the port•Does not learn addresses•Receives BPDUsNote If a port is blocked, some broadcast or multicast packets can reach a forwarding port on the bridge and cause the bridging logic to switch the blocked port into listening state momentarily before the packets are dropped at the blocked port.Listening StateThe listening state is the first state an interface enters after the blocking state. The interface enters this state when STP determines that the interface should participate in frame forwarding.An interface in the listening state performs as follows:•Discards frames received on the port•Does not learn addresses•Receives BPDUs
6-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolUnderstanding Spanning Tree ProtocolLearning StateAn interface in the learning state prepares to participate in frame forwarding. The interface enters the learning state from the listening state.An interface in the learning state performs as follows:•Discards frames received on the port•Learns addresses•Receives BPDUsForwarding StateAn interface in the forwarding state forwards frames. The interface enters the forwarding state from the learning state.An interface in the forwarding state performs as follows:•Receives and forwards frames received on the port•Learns addresses•Receives BPDUsDisabled StateAn interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.A disabled interface performs as follows:•Discards frames received on the port•Does not learn addresses•Does not receive BPDUs
6-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolConfiguring STP FeaturesConfiguring STP FeaturesYou complete three major steps to configure STP on the WMIC:1. If necessary, assign interfaces and sub-interfaces to bridge groups 2. Enable STP for each bridge group3. Set the STP priority for each bridge groupThese sections include spanning-tree configuration information:•Default STP Configuration, page 6-9•Configuring STP Settings, page 6-9•STP Configuration Examples, page 6-10Default STP ConfigurationSTP is disabled by default. Table 6-2 lists the default STP settings when you enable STP.The radio and Ethernet interfaces and the native VLAN on the bridge are assigned to bridge group 1 by default. When you enable STP and assign a priority on bridge group 1, STP is enabled on the radio and Ethernet interfaces and on the primary VLAN, and those interfaces adopt the priority assigned to bridge group 1. You can create bridge groups for sub-interfaces and assign different STP settings to those bridge groups.Configuring STP SettingsBeginning in privileged EXEC mode, follow these steps to configure STP on the WMIC:Table 6-2 Default STP Values When STP is EnabledSetting Default Valuebridge priority 32768bridge max age 20bridge hello time 2bridge forward delay 15Ethernet port path cost 19Ethernet port priority 128Radio port path cost 33Radio port priority 128Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface { dot11radio number | fastethernet number }Enter interface configuration mode for radio or Ethernet interfaces or sub-interfaces.
6-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolConfiguring STP FeaturesSTP Configuration ExamplesThese configuration examples show how to enable STP on root and non-root bridges with and without VLANs:•Root Bridge Without VLANs, page 6-10•Non-Root Bridge Without VLANs, page 6-11•Root Bridge with VLANs, page 6-12•Non-Root Bridge with VLANs, page 6-13Root Bridge Without VLANsThis example shows the configuration of a root bridge with no VLANs configured and with STP enabled:hostname master-bridge-southip subnet-zero!bridge irb!interface Dot11Radio0no ip addressno ip route-cache!ssid tsunamiauthentication open guest-mode!speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0rts threshold 2312station-role rootno cdp enableinfrastructure-clientbridge-group 1!Step 3 bridge-group number Assign the interface to a bridge group. You can number your bridge groups from 1 to 255.Step 4 no bridge-group number spanning-disabled Counteract the command that automatically disables STP for a bridge group. STP is enabled on the interface when you enter the bridge n protocol ieee command.Step 5 exit Return to global configuration mode.Step 6 bridge number protocol ieee Enable STP for the bridge group. You must enable STP on each bridge group that you create with bridge-group commands.Step 7 bridge number priority priority (Optional) Assign a priority to a bridge group. The lower the priority, the more likely it is that the bridge becomes the spanning-tree root.Step 8 end Return to privileged EXEC mode.Step 9 show spanning-tree bridge Verify your entries.Step 10 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
6-11Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolConfiguring STP Featuresinterface FastEthernet0no ip addressno ip route-cacheduplex autospeed autobridge-group 1!interface BVI1ip address 1.4.64.23 255.255.0.0no ip route-cache!ip default-gateway 1.4.0.1bridge 1 protocol ieeebridge 1 route ipbridge 1 priority 9000!line con 0exec-timeout 0 0line vty 0 4loginline vty 5 15login!endNon-Root Bridge Without VLANsThis example shows the configuration of a non-root bridge with no VLANs configured with STP enabled:hostname client-bridge-northip subnet-zero!bridge irb!interface Dot11Radio0no ip addressno ip route-cache!ssid tsunamiauthentication open guest-mode!speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0rts threshold 2312station-role non-rootno cdp enablebridge-group 1!interface FastEthernet0no ip addressno ip route-cacheduplex autospeed autobridge-group 1 path-cost 40!interface BVI1ip address 1.4.64.24 255.255.0.0no ip route-cache!
6-12Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolConfiguring STP Featuresbridge 1 protocol ieeebridge 1 route ipbridge 1 priority 10000!line con 0line vty 0 4loginline vty 5 15login!endRoot Bridge with VLANsThis example shows the configuration of a root bridge with VLANs configured with STP enabled:hostname master-bridge-hq!ip subnet-zero!ip ssh time-out 120ip ssh authentication-retries 3!bridge irb!interface Dot11Radio0no ip addressno ip route-cache!ssid vlan1vlan 1infrastructure-ssidauthentication open !speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0rts threshold 2312station-role rootno cdp enableinfrastructure-client!interface Dot11Radio0.1encapsulation dot1Q 1 nativeno ip route-cacheno cdp enablebridge-group 1!interface Dot11Radio0.2encapsulation dot1Q 2no ip route-cacheno cdp enablebridge-group 2!interface Dot11Radio0.3encapsulation dot1Q 3no ip route-cachebridge-group 3bridge-group 3 path-cost 500!interface FastEthernet0no ip addressno ip route-cacheduplex autospeed auto
6-13Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolConfiguring STP Features!interface FastEthernet0.1encapsulation dot1Q 1 nativeno ip route-cachebridge-group 1!interface FastEthernet0.2encapsulation dot1Q 2no ip route-cachebridge-group 2!interface FastEthernet0.3encapsulation dot1Q 3no ip route-cachebridge-group 3!interface BVI1ip address 1.4.64.23 255.255.0.0no ip route-cache!ip default-gateway 1.4.0.1bridge 1 protocol ieeebridge 1 route ipbridge 1 priority 9000bridge 2 protocol ieeebridge 2 priority 10000bridge 3 protocol ieeebridge 3 priority 3100!line con 0exec-timeout 0 0line vty 5 15!endNon-Root Bridge with VLANsThis example shows the configuration of a non-root bridge with VLANs configured with STP enabled:hostname client-bridge-remote!ip subnet-zero!ip ssh time-out 120ip ssh authentication-retries 3!bridge irb!interface Dot11Radio0no ip addressno ip route-cache!ssid vlan1vlan 1authentication open infrastructure-ssid!speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0rts threshold 2312station-role non-rootno cdp enable!
6-14Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolConfiguring STP Featuresinterface Dot11Radio0.1encapsulation dot1Q 1 nativeno ip route-cacheno cdp enablebridge-group 1!interface Dot11Radio0.2encapsulation dot1Q 2no ip route-cacheno cdp enablebridge-group 2!interface Dot11Radio0.3encapsulation dot1Q 3no ip route-cacheno cdp enablebridge-group 3!interface FastEthernet0no ip addressno ip route-cacheduplex autospeed auto!interface FastEthernet0.1encapsulation dot1Q 1 nativeno ip route-cachebridge-group 1!interface FastEthernet0.2encapsulation dot1Q 2no ip route-cachebridge-group 2! interface FastEthernet0.3encapsulation dot1Q 3no ip route-cachebridge-group 3bridge-group 3 path-cost 400!interface BVI1ip address 1.4.64.24 255.255.0.0no ip route-cache!bridge 1 protocol ieeebridge 1 route ipbridge 1 priority 10000bridge 2 protocol ieeebridge 2 priority 12000bridge 3 protocol ieeebridge 3 priority 2900!line con 0line vty 5 15!end
6-15Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolDisplaying Spanning-Tree StatusDisplaying Spanning-Tree StatusTo display the spanning-tree status, use one or more of the privileged EXEC commands in Table 6-3:For information about other keywords for the show spanning-tree privileged EXEC command, refer to the Cisco IOS Command Reference for Cisco Access Points and Bridges.Table 6-3 Commands for Displaying Spanning-Tree StatusbridgeCommand Purposeshow spanning-tree Displays information on your network’s spanning tree.show spanning-tree blocked-ports Displays a list of blocked ports on this device.show spanning-tree bridge Displays status and configuration of this bridge.show spanning-tree active Displays spanning-tree information on active interfaces only.show spanning-tree root Displays a detailed summary of information on the spanning-tree root.show spanning-tree interface interface-id Displays spanning-tree information for the specified interface.show spanning-tree summary [totals] Displays a summary of port states or displays the total lines of the STP state section.
6-16Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 6 Configuring Spanning Tree ProtocolDisplaying Spanning-Tree Status
CHAPTER7-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-027Configuring WEP and WEP FeaturesThis chapter describes how to configure Wired Equivalent Privacy (WEP), Message Integrity Check (MIC), and Temporal Key Integrity Protocol (TKIP). This chapter contains these sections:•Understanding WEP, page 7-2•Configuring Cipher Suites and WEP, page 7-3
7-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 7 Configuring WEP and WEP FeaturesUnderstanding WEPUnderstanding WEPJust as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of a bridge can receive the bridge's radio transmissions. Because WEP is the first line of defense against intruders, Cisco recommends that you use full encryption on your wireless network.WEP encryption scrambles the radio communication between bridges to keep the communication private. Communicating bridges use the same WEP key to encrypt and unencrypt radio signals. WEP keys encrypt both unicast and multicast messages. Unicast messages are addressed to just one device on the network. Multicast messages are addressed to multiple devices on the network. Extensible Authentication Protocol (EAP) authentication provides dynamic WEP keys to wireless devices. Dynamic WEP keys are more secure than static, or unchanging, WEP keys. If an intruder passively receives enough packets encrypted by the same WEP key, the intruder can perform a calculation to learn the key and use it to join your network. Because they change frequently, dynamic WEP keys prevent intruders from performing the calculation and learning the key. See Chapter 8, “Configuring Authentication Types” for detailed information on EAP and other authentication types.Cipher suites are sets of encryption and integrity algorithms designed to protect radio communication on your wireless LAN. You must use a cipher suite to enable Wi-Fi Protected Access (WPA) or Cisco Centralized Key Management (CCKM). Because cipher suites provide the protection of WEP while also allowing use of authenticated key management, Cisco recommends that you enable WEP by using the encryption mode cipher command in the CLI or by using the cipher drop-down menu in the web-browser interface. Cipher suites that contain TKIP provide the best security for your wireless LAN, and cipher suites that contain only WEP are the least secure. These security features protect the data traffic on your wireless LAN:•WEP (Wired Equivalent Privacy)—WEP is an 802.11 standard encryption algorithm originally designed to provide your wireless LAN with the same level of privacy available on a wired LAN. However, the basic WEP construction is flawed, and an attacker can compromise the privacy with reasonable effort. •TKIP (Temporal Key Integrity Protocol)—TKIP is a suite of algorithms surrounding WEP that is designed to achieve the best possible security on legacy hardware built to run WEP. TKIP adds four enhancements to WEP: –A per-packet key mixing function to defeat weak-key attacks–A new IV sequencing discipline to detect replay attacks–A cryptographic message integrity Check (MIC), called Michael, to detect forgeries such as bit flipping and altering packet source and destination –An extension of IV space, to virtually eliminate the need for re-keying•CKIP (Cisco Key Integrity Protocol)—The Cisco WEP key permutation technique based on an early algorithm presented by the IEEE 802.11i security task group. (ckip and ckip-cmic are supported only on the 2.4-GHz (802.11b/g) WMIC.)•CMIC (Cisco Message Integrity Check)—Like TKIP, the Cisco message integrity check mechanism is designed to detect forgery attacks. Note If VLANs are enabled on your bridges, WEP, MIC, and TKIP are supported only on the native VLAN.
7-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 7 Configuring WEP and WEP FeaturesConfiguring Cipher Suites and WEPConfiguring Cipher Suites and WEPThese sections describe how to configure cipher suites, WEP and additional WEP features such as MIC and TKIP:•Creating WEP Keys, page 7-3•Enabling Cipher Suites and WEP, page 7-5WEP, TKIP, and MIC are disabled by default.Creating WEP KeysBeginning in privileged EXEC mode, follow these steps to create a WEP key and set the key properties:This example shows how to create a 128-bit WEP key in slot 2 for VLAN 1 and sets the key as the transmit key:bridge# configure terminalbridge(config)# configure interface dot11radio 0bridge(config-if)# encryption vlan 1 key 2 size 128 12345678901234567890123456 transmit-keybridge(config-if)# endCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface.Step 3 encryption [vlan vlan-id]key 1-4size {40 | 128 } encryption-key[transmit-key]Create a WEP key and set up its properties.•(Optional) Select the VLAN for which you want to create a key. WEP, MIC, and TKIP are supported only on the native VLAN.•Name the key slot in which this WEP key resides. You can assign up to 4 WEP keys for each VLAN, but key slot 4 is reserved for the session key.•Enter the key and set the size of the key, either 40-bit or 128-bit. 40-bit keys contain 10 hexadecimal digits; 128-bit keys contain 26 hexadecimal digits. •(Optional) Set this key as the transmit key. The key in slot 2 is the transmit key by default. If you enable WEP with MIC, use the same WEP key as the transmit key in the same key slot on both root and non-root bridges.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
7-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 7 Configuring WEP and WEP FeaturesConfiguring Cipher Suites and WEPWEP Key Restrictions Table 7-1 lists WEP key restrictions based on your security configuration.Example WEP Key SetupTable 7-2 shows an example WEP key setup that would work for the root bridge and an associated non-root bridge:Because the root bridge’s WEP key 1 is selected as the transmit key, WEP key 1 on the non-root bridge must have the same contents. WEP key 4 on the non-root bridge is set, but because it is not selected as the transmit key, WEP key 4 on the root bridge does not need to be set at all.Note If you enable MIC but you use static WEP (you do not enable any type of EAP authentication), both the root bridge and any non-root bridges with which it communicates must use the same WEP key for transmitting data. For example, if the MIC-enabled root bridge uses the key in slot 1 as the transmit key, a non-root bridge associated to the root bridge must use the same key in its slot 1, and the key in the non-root bridge’s slot 1 must be selected as the transmit key.Table 7-1 WEP Key RestrictionsSecurity Configuration WEP Key RestrictionCCKM or WPA authenticated key managementCannot configure a WEP key in key slot 1LEAP or EAP authentication Cannot configure a WEP key in key slot 4Cipher suite with 40-bit WEP Cannot configure a 128-bit keyCipher suite with 128-bit WEP Cannot configure a 40-bit keyCipher suite with TKIP Cannot configure any WEP keysCipher suite with TKIP and 40-bit WEP or 128-bit WEPCannot configure a WEP key in key slot 1 and 4Static WEP with MIC or CMIC Root and non-root bridges must use the same WEP key as the transmit key, and the key must be in the same key slot on both root and non-root bridgesTable 7-2 WEP Key Setup Example KeySlotRoot Bridge Associated Non-Root BridgeTransmit? Key Contents Transmit? Key Contents1 x 12345678901234567890abcdef –12345678901234567890abcdef2–09876543210987654321fedcba x 09876543210987654321fedcba3–not set –not set4–not set –FEDCBA09876543211234567890
7-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 7 Configuring WEP and WEP FeaturesConfiguring Cipher Suites and WEPEnabling Cipher Suites and WEPBeginning in privileged EXEC mode, follow these steps to enable a cipher suite:Use the no form of the encryption command to disable a cipher suite.This example sets up a cipher suite for VLAN 1 that enables CKIP, CMIC, and 128-bit WEP.bridge# configure terminalbridge(config)# configure interface dot11radio 0bridge(config-if)# encryption vlan 1 mode ciphers ckip-cmic wep128bridge(config-if)# endCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 encryption[vlan vlan-id]mode ciphers{[aes-ccm | ckip | cmic | ckip-cmic |tkip]}{[wep128 | wep40]}Enable a cipher suite containing the WEP protection you need. Table 7-3 lists guidelines for selecting a cipher suite that matches the type of authenticated key management you configure.•(Optional) Select the VLAN for which you want to enable WEP and WEP features.•Set the cipher options and WEP level. You can combine TKIP with 128-bit or 40-bit WEP.Note If you enable a cipher suite with two elements (such as TKIP and 128-bit WEP), the second cipher becomes the group cipher.Note You can also use the encryption mode wep command to set up static WEP. However, you should use encryption mode wep only if none of the non-root bridges that associate to the root bridge are capable of key management. See the Cisco IOS Command Reference for Cisco Access Points and Bridges for a detailed description of the encryption mode wepcommand.Note When you configure TKIP-only cipher encryption (not TKIP + WEP 128 or TKIP + WEP 40) on any radio interface or VLAN, the SSID on that radio or VLAN must be set to use WPA or CCKM key management. If you configure TKIP on a radio or VLAN but you do not configure key management on the SSID, non-root bridge authentication fails on the SSID.Note ckip and ckip-cmic are supported only on the 2.4-GHz (802.11b/g) WMIC.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
7-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 7 Configuring WEP and WEP FeaturesConfiguring Cipher Suites and WEPMatching Cipher Suites with WPAIf you configure your bridges to use WPA or CCKM authenticated key management, you must select a cipher suite compatible with the authenticated key management type. Table 7-3 lists the cipher suites that are compatible with WPA and CCKM.Note When you configure TKIP-only cipher encryption (not TKIP + WEP 128 or TKIP + WEP 40) on any radio interface or VLAN, the SSID on that radio or VLAN must be set to use WPA or CCKM key management. If you configure TKIP on a radio or VLAN but you do not configure key management on the SSID, non-root bridge authentication fails on the SSID.For a complete description of WPA and CCKM and instructions for configuring authenticated key management, see the “Using WPA Key Management” section on page 8-5 and the “Using CCKM for Authenticated Bridges” section on page 8-5.Table 7-3 Cipher Suites Compatible with WPA and CCKMAuthenticated Key Management Types Compatible Cipher SuitesCCKM •encryption mode ciphers wep128•encryption mode ciphers wep40•encryption mode ciphers ckip•encryption mode ciphers cmic•encryption mode ciphers ckip-cmic•encryption mode ciphers tkip•encryption mode ciphers tkip wep128•encryption mode ciphers tkip wep40WPA •encryption mode ciphers tkip•encryption mode ciphers tkip wep128•encryption mode ciphers tkip wep40
CHAPTER8-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-028Configuring Authentication TypesThis chapter describes how to configure authentication types on the WMIC. This chapter contains these sections:•Understanding Authentication Types, page 8-2•Configuring Authentication Types, page 8-5•Matching Authentication Types on Root and Non-Root Bridges, page 8-11
8-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 8 Configuring Authentication TypesUnderstanding Authentication TypesUnderstanding Authentication TypesThis section describes the authentication types that you can configure on the WMIC. The authentication types are tied to the SSID that you configure on the WMIC. Before wireless devices can communicate, they must authenticate to each other using open or shared-key authentication. For maximum security, wireless devices should also authenticate to your network using EAP authentication, an authentication type that relies on an authentication server on your network.The WMIC uses four authentication mechanisms or types and can use more than one at the same time. These sections explain each authentication type:•Open Authentication to the WMIC, page 8-2•Shared Key Authentication to the Bridge, page 8-2•EAP Authentication to the Network, page 8-3Open Authentication to the WMICOpen authentication allows any wireless device to authenticate and then attempt to communicate with another wireless device. Using open authentication, a non-root bridge can authenticate to a root bridge. A bridge that is not using WEP does not attempt to authenticate with a bridge that is using WEP. Open authentication does not rely on a RADIUS server on your network. Figure 8-1 shows the authentication sequence between a non-root bridge trying to authenticate and a root bridge using open authentication. In this example, the device’s WEP key does not match the bridge’s key, so it can authenticate but it cannot pass data.Figure 8-1 Sequence for Open AuthenticationShared Key Authentication to the BridgeCisco provides shared key authentication to comply with the IEEE 802.11b and IEEE 802.11g standards. However, because of shared key’s security flaws, we recommend that you use another method of authentication, such as EAP, in environments where security is an issue.During shared key authentication, the root bridge sends an unencrypted challenge text string to other bridges attempting to communicate with the root bridge. The bridge requesting authentication encrypts the challenge text and sends it back to the root bridge. If the challenge text is encrypted correctly, the root bridge allows the requesting device to authenticate. 88902Switch onLAN 11. Authentication requestSwitch onLAN 2Non-Root BridgewithWEP key = 321Root BridgewithWEP key = 1232. Authentication response
8-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 8 Configuring Authentication TypesUnderstanding Authentication TypesBoth the unencrypted challenge and the encrypted challenge can be monitored, however, which leaves the root bridge open to attack from an intruder who calculates the WEP key by comparing the unencrypted and encrypted text strings.Figure 8-2 shows the authentication sequence between a device trying to authenticate and an bridge using shared key authentication. In this example the device’s WEP key matches the bridge’s key, so it can authenticate and communicate.Figure 8-2 Sequence for Shared Key AuthenticationEAP Authentication to the NetworkThis authentication type provides the highest level of security for your wireless network. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the root bridge helps another bridge and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key. The RADIUS server sends the WEP key to the root bridge, which uses it for all unicast data signals that it sends to or receives from the non-root bridge. The root bridge also encrypts its broadcast WEP key (entered in the bridge’s WEP key slot 1) with the non-root bridge’s unicast key and sends it to the non-root bridge. When you enable EAP on your bridges, authentication to the network occurs in the sequence shown in Figure 8-3:88903Switch onLAN 11. Authentication requestSwitch onLAN 2Non-Root BridgewithWEP key = 123Root BridgewithWEP key = 1232. Unencrypted challenge3. Encrypted challenge response4. Authentication response
8-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 8 Configuring Authentication TypesUnderstanding Authentication TypesFigure 8-3 Sequence for EAP AuthenticationIn Steps 1 through 9 in Figure 8-3, a non-root bridge and a RADIUS server on the wired LAN use 802.1x and EAP to perform a mutual authentication through the root bridge. The RADIUS server sends an authentication challenge to the non-root bridge. The non-root bridge uses a one-way encryption of the user-supplied password to generate a response to the challenge and sends that response to the RADIUS server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the non-root bridge. When the RADIUS server authenticates the non-root bridge, the process repeats in reverse, and the non-root bridge authenticates the RADIUS server.When mutual authentication is complete, the RADIUS server and the non-root bridge determine a WEP key that is unique to the non-root bridge and provides the non-root bridge with the appropriate level of network access, thereby approximating the level of security in a wired switched segment to an individual desktop. The non-root bridge loads this key and prepares to use it for the logon session. During the logon session, the RADIUS server encrypts and sends the WEP key, called a session key, over the wired LAN to the root bridge. The root bridge encrypts its broadcast key with the session key and sends the encrypted broadcast key to the non-root bridge, which uses the session key to decrypt it. The non-root bridge and the root bridge activate WEP and use the session and broadcast WEP keys for all communications during the remainder of the session.There is more than one type of EAP authentication, but the bridge behaves the same way for each type. It relays authentication messages from the wireless client device to the RADIUS server and from the RADIUS server to the wireless client device. See the “Assigning Authentication Types to an SSID” section on page 8-6 for instructions on setting up EAP on the WMIC.Note If you use EAP authentication, you can select open or shared key authentication, but you do not have to. EAP authentication controls authentication both to your bridge and to your network.88901Switch onLAN 11. Authentication requestAuthenticationserverNon-RootBridgeRoot Bridge2. Identity request3. Username(Relay to non-root bridge)5. Authentication response(Relay to non-root bridge)7. Authentication challenge(Relay to non-root bridge)9. Authentication success(Relay to server)4. Authentication challenge(Relay to server)6. Authentication success(Relay to server)8. Authentication response(Relay to server)
8-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 8 Configuring Authentication TypesConfiguring Authentication TypesUsing CCKM for Authenticated BridgesUsing Cisco Centralized Key Management (CCKM), authenticated non-root bridges can roam from one root bridge to another without any perceptible delay during reassociation. An access point or switch on your network provides Wireless Domain Services (WDS) and creates a cache of security credentials for CCKM-enabled bridges on the subnet. The WDS device’s cache of credentials dramatically reduces the time required for reassociation when a CCKM-enabled non-root bridge roams to a new root bridge.When a non-root bridge roams, the WDS device forwards the bridge’s security credentials to the new root bridge, and the reassociation process is reduced to a two-packet exchange between the roaming bridge and the new root bridge. Roaming bridges reassociate so quickly that there is no perceptible delay in voice or other time-sensitive applications. See the “Assigning Authentication Types to an SSID” section on page 8-6 for instructions on enabling CCKM on your bridge.Using WPA Key ManagementWi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. It is derived from the IEEE 802.11i standard. WPA leverages TKIP (Temporal Key Integrity Protocol) for data protection and 802.1X for authenticated key management.WPA key management supports two mutually exclusive management types: WPA and WPA-Pre-shared key (WPA-PSK). Using WPA key management, non-root bridges and the authentication server authenticate to each other using an EAP authentication method, and the non-root bridge and server generate a pairwise master key (PMK). Using WPA, the server generates the PMK dynamically and passes it to the root bridge. Using WPA-PSK, however, you configure a pre-shared key on both the non-root bridge and the root bridge, and that pre-shared key is used as the PMK.Note Unicast and multicast cipher suites advertised in the WPA information element (and negotiated during 802.11 association) might potentially mismatch with the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new VLAN ID which uses a different cipher suite from the previously negotiated cipher suite, there is no way for the root bridge and the non-root bridge to switch back to the new cipher suite. Currently, the WPA and CCKM protocols do not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the non-root bridge is disassociated from the wireless LAN. See the “Assigning Authentication Types to an SSID” section on page 8-6 for instructions on configuring WPA key management on your bridge. Configuring Authentication TypesThis section describes how to configure authentication types. You attach configuration types to the WMIC’s SSID. See Chapter 5, “Configuring SSIDs,” for details on setting up the WMIC SSID. This section contains these topics:•Default Authentication Settings, page 8-6•Assigning Authentication Types to an SSID, page 8-6•Configuring Authentication Holdoffs, Timeouts, and Intervals, page 8-10
8-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 8 Configuring Authentication TypesConfiguring Authentication TypesDefault Authentication SettingsThe default SSID on the WMIC is autoinstall.Table 8-1 shows the default authentication settings for the default SSID:Assigning Authentication Types to an SSIDBeginning in privileged EXEC mode, follow these steps to configure authentication types for SSIDs:Table 8-1 Default Authentication ConfigurationFeature Default SettingSSID autoinstallGuest Mode SSID autoinstall (The WMIC broadcasts this SSID in its beacon and allows bridges with no SSID to associate.)Authentication types assigned to tsunami openCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 ssid ssid-string Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.Note Do not include spaces in SSIDs.Step 4 authentication open [eap list-name](Optional) Set the authentication type to open for this SSID. Open authentication allows any bridge to authenticate and then attempt to communicate with the WMIC. •(Optional) Set the SSID’s authentication type to open with EAP authentication. The WMIC forces all other bridges to perform EAP authentication before they are allowed to join the network. For list-name, specify the authentication method list. Note A bridge configured for EAP authentication forces all bridges that associate to perform EAP authentication. Bridges that do not use EAP cannot communicate with the bridge.Step 5 authentication shared[eap list-name](Optional) Set the authentication type for the SSID to shared key.Note Because of shared key's security flaws, Cisco recommends that you avoid using it.•(Optional) Set the SSID’s authentication type to shared key with EAP authentication. For list-name, specify the authentication method list.
8-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 8 Configuring Authentication TypesConfiguring Authentication TypesUse the no form of the SSID commands to disable the SSID or to disable SSID features.This example sets the authentication type for the SSID bridgeman to open with EAP authentication. Bridges using the SSID bridgeman attempt EAP authentication using a server named adam.bridge# configure terminalbridge(config)# configure interface dot11radio 0bridge(config-if)# ssid bridgemanbridge(config-ssid)# authentication open eap adambridge(config-ssid)# endStep 6 authentication network-eaplist-name(Optional) Set the authentication type for the SSID to use LEAP for authentication and key distribution. Cisco bridges only support LEAP, while other wireless clients may support other EAP methods such as EAP, PEAP, or TLS.Step 7 authentication key-management{[wpa][cckm]} [optional](Optional) Set the authentication type for the SSID to WPA, CCKM, or both. If you use the optional keyword, non-root bridges not configured for WPA or CCKM can use this SSID. If you do not use the optional keyword, only WPA or CCKM bridges are allowed to use the SSID.To enable CCKM for an SSID, you must also enable Network-EAP authentication. To enable WPA for an SSID, you must also enable Open authentication or Network-EAP or both.Note Only 802.11b and 802.11g radios support WPA and CCKM simultaneously.Note Before you can enable CCKM or WPA, you must set the encryption mode for the SSID’s VLAN to one of the cipher suite options. To enable both CCKM and WPA, you must set the encryption mode to a cipher suite that includes TKIP. See the “Enabling Cipher Suites and WEP” section on page 7-5 for instructions on configuring the VLAN encryption mode.Note If you enable WPA for an SSID without a pre-shared key, the key management type is WPA. If you enable WPA with a pre-shared key, the key management type is WPA-PSK. See the “Configuring Additional WPA Settings” section on page 8-9 for instructions on configuring a pre-shared key.Note To support CCKM, your root bridge must interact with the WDS device on your network. See the “Configuring the Root Bridge to Interact with the WDS Device” section on page 8-8 for instructions on configuring your root bridge to interact with your WDS device.Step 8 end Return to privileged EXEC mode.Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
8-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 8 Configuring Authentication TypesConfiguring Authentication TypesThe configuration on non-root bridges associated to this bridge would also contain these commands:bridge(config)# configure interface dot11radio 0bridge(config-if)# ssid bridgemanbridge(config-ssid)# authentication client username bridge7 password catch22bridge(config-ssid)# authentication open eap adamThis example sets the authentication type for the SSID bridget to network EAP with a static WEP key. EAP-enabled bridges using the SSID bridget attempt EAP authentication using a server named eve,and bridges using static WEP rely on the static WEP key.bridge#configure terminalbridge#aaa new-modelbridge#aaa group server radius rad_eapbridge#server 13.1.1.99 auth-port 1645 acct-port 1646bridge#aaa authentication login eap_methods group rad_eapbridge#aaa session-id commonbridge(config)#interface dot11radio 0bridge(config-if)#encryption key 1 size 128bit 7 082CC74122FD8DA7E84856427E9D transmit-keybridge(config-if)#encryption mode wep mandatorybridge(config-if)# ssid bridgetbridge(config-ssid)# authentication network-eap eap_methodsbridge(config-ssid)# authentication network-eap evebridge(config-ssid)# infrastructure-ssidbridge(config-ssid)# radius-server host 13.1.1.99 auth-port 1645 acct-port 1646 key 7 141B1309bridge(config-ssid)# radius-server authorization permit missing Service-Typebridge(config-ssid)# endThe configuration on non-root bridges associated to this bridge would also contain these commands:bridge(config)# configure interface dot11radio 0bridge(config)# encryption key 1 size 128bit 7 06061D688B87F1A0C978330C1A84 transmit-keybridge(config)# encryption mode wep mandatorybridge(config-if)# ssid bridgetbridge(config-if)# authentication network-eap eap_methodsbridge(config-if)# authentication client username thomasd password 7 010012165E18155Dbridge(config-if)# infrastructure-ssidConfiguring the Root Bridge to Interact with the WDS DeviceTo support non-root bridges using CCKM, your root bridge must interact with the WDS device on your network, and your authentication server must be configured with a username and password for the root bridge. For detailed instructions on configuring WDS and CCKM on your wireless LAN, see Chapter 11 in the Cisco IOS Software Configuration Guide for Cisco Access Points.On your root bridge, enter this command in global configuration mode:bridge(config)# wlccp ap username username password passwordYou must configure the same username and password pair when you set up the root bridge as a client on your authentication server.
8-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 8 Configuring Authentication TypesConfiguring Authentication TypesConfiguring Additional WPA SettingsUse two optional settings to configure a pre-shared key on the bridge and adjust the frequency of group key updates.Setting a Pre-Shared KeyTo support WPA on a wireless LAN where 802.1x-based authentication is not available, you must configure a pre-shared key on the bridge. You can enter the pre-shared key as ASCII or hexadecimal characters. If you enter the key as ASCII characters, you enter between 8 and 63 characters, and the bridge expands the key using the process described in the Password-based Cryptography Standard(RFC2898). If you enter the key as hexadecimal characters, you must enter 64 hexadecimal characters.Configuring Group Key UpdatesIn the last step in the WPA process, the root bridge distributes a group key to the authenticated non-root bridge. You can use these optional settings to configure the root bridge to change and distribute the group key based on association and disassociation of non-root bridges:•Membership termination—the root bridge generates and distributes a new group key when any authenticated non-root bridge disassociates from the root bridge. This feature keeps the group key private for associated bridges.•Capability change—the root bridge generates and distributes a dynamic group key when the last non-key management (static WEP) non-root bridge disassociates, and it distributes the statically configured WEP key when the first non-key management (static WEP) non-root bridge authenticates. In WPA migration mode, this feature significantly improves the security of key-management capable clients when there are no static-WEP bridges associated to the root bridge.Beginning in privileged EXEC mode, follow these steps to configure a WPA pre-shared key and group key update options:This example shows how to configure a pre-shared key for non-root bridges using WPA and static WEP, with group key update options:bridge# configure terminalbridge(config)# configure interface dot11radio 0Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 ssid ssid-string Enter SSID configuration mode for the SSID. Step 4 wpa-psk { hex | ascii } [ 0 | 7 ] encryption-keyEnter a pre-shared key for bridges using WPA that also use static WEP keys.Enter the key using either hexadecimal or ASCII characters. If you use hexadecimal, you must enter 64 hexadecimal characters to complete the 256-bit key. If you use ASCII, you must enter a minimum of 8 letters, numbers, or symbols, and the bridge expands the key for you. You can enter a maximum of 63 ASCII characters.Step 5 end Return to privileged EXEC mode.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
8-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 8 Configuring Authentication TypesConfiguring Authentication Typesbridge(config-if)# ssid batmanbridge(config-ssid)# wpa-psk ascii batmobile65bridge(config-ssid)# endConfiguring Authentication Holdoffs, Timeouts, and IntervalsBeginning in privileged EXEC mode, follow these steps to configure holdoff times, reauthentication periods, and authentication timeouts for non-root bridges authenticating through your root bridge:Use the no form of these commands to reset the values to default settings. Setting Up a Non-Root Bridge as a LEAP ClientYou can set up a non-root bridge to authenticate to your network like other wireless client devices. After you provide a network username and password for the non-root bridge, it authenticates to your network using LEAP, Cisco's wireless authentication method, and receives and uses dynamic WEP keys. Setting up a non-root bridge as a LEAP client requires three major steps:1. Create an authentication username and password for the non-root bridge on your authentication server.2. Configure LEAP authentication on the root bridge to which the non-root bridge associates. 3. Configure the non-root bridge to act as a LEAP client. Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 dot11 holdoff-time seconds Enter the number of seconds a root bridge must wait before it disassociates and idle client. Enter a value from 1 to 65555 seconds.Step 3 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 4 dot1x client-timeout seconds Enter the number of seconds the bridge should wait for a reply from a non-root bridge attempting to authenticate before the authentication fails. Enter a value from 1 to 65555 seconds.Step 5 dot1x reauth-period seconds [server]Enter the interval in seconds that the WMIC waits before forcing an authenticated non-root bridge to reauthenticate.•(Optional) Enter the server keyword to configure the bridge to use the reauthentication period specified by the authentication server. If you use this option, configure your authentication server with RADIUS attribute 27, Session-Timeout. This attribute sets the maximum number of seconds of service to be provided to the non-root bridge before termination of the session or prompt. The server sends this attribute to the root bridge when a non-root bridge performs EAP authentication.Step 6 end Return to privileged EXEC mode.Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
8-11Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 8 Configuring Authentication TypesMatching Authentication Types on Root and Non-Root BridgesBeginning in Privileged Exec mode, follow these instructions to set up the non-root bridge as a LEAP client:This example sets a LEAP username and password for the SSID bridgeman:bridge# configure terminalbridge(config)# configure interface dot11radio 0bridge(config-if)# ssid bridgemanbridge(config-ssid)# authentication client username bugsy password run4yerlifebridge(config-ssid)# endMatching Authentication Types on Root and Non-Root BridgesTo use the authentication types described in this section, the root bridge authentication settings must match the settings on the non-root bridges that associate to the root bridge. Table 8-2 lists the settings required for each authentication type on the root and non-root bridges.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface.Step 3 ssid ssid-string Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case-sensitive.Step 4 authentication client username username password passwordConfigure the username and password that the non-root bridge uses when it performs LEAP authentication. This username and password must match the username and password that you set up for the non-root bridge on the authentication server.Step 5 end Return to privileged EXEC mode.Step 6 copy running-config startup-config(Optional) Save your entries in the configuration file.Table 8-2 Client and Bridge Security SettingsSecurity Feature Non-Root Bridge Setting Root Bridge SettingStatic WEP with open authenticationSet up and enable WEP Set up and enable WEP and enable Open AuthenticationStatic WEP with shared key authenticationSet up and enable WEP and enable Shared Key AuthenticationSet up and enable WEP and enable Shared Key AuthenticationLEAP authentication Configure a LEAP username and passwordSet up and enable WEP and enable network-EAP authentication
8-12Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 8 Configuring Authentication TypesMatching Authentication Types on Root and Non-Root BridgesLEAP Example ConfigurationsWorkgroup Bridgeaaa new-model!aaa group server radius rad_eap server 172.16.8.151 auth-port 1645 acct-port 1646!aaa authentication login eap_methods group rad_eap!interface Dot11Radio0 no ip address no ip route-cache ! encryption key 1 size 128bit 0 123456789012334567890123456 transmit-key encryption mode wep mandatory ! ssid silicon_beach_hotspot authentication network-eap eap_methods authentication client username officer1 password 0 beach123Access Pointaaa new-model!aaa group server radius rad_eap server 172.16.8.151 auth-port 1645 acct-port 1646!aaa authentication login eap_methods group rad_eap!interface Dot11Radio0 no ip address no ip route-cache !encryption key 1 size 128bit 7 A56C276D6B9560D2F4267B256926 transmit-key encryption mode wep mandatory ! ssid silicon_beach_wep authentication network-eap eap_methods CCKM key management Set up and enable WEP and enable CCKM authenticationSet up and enable WEP and enable CCKM authentication, configure the root bridge to interact with your WDS device, and add the root bridge to your authentication server as a client deviceWPA key management Set up and enable WEP and enable WPA authenticationSet up and enable WEP and enable WPA authentication Table 8-2 Client and Bridge Security Settings (continued)Security Feature Non-Root Bridge Setting Root Bridge Setting
CHAPTER9-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-029Configuring WDS, Fast Secure Roaming, and Radio ManagementThis chapter describes how to configure access points for wireless domain services (WDS), fast, secure roaming of client devices, and radio management. This chapter contains these sections:•Understanding WDS, page 9-2•Understanding Fast Secure Roaming, page 9-3•Understanding Radio Management, page 9-4•Configuring WDS and Fast Secure Roaming, page 9-5•Using Debug Messages, page 9-13
9-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementUnderstanding WDSUnderstanding WDSThe following sections describe WDS even though the WMIC cannot be configured as a WDS server even when it is configured as an access point. However, when configured as an access point, the WMIC can use a WDS server and can act as a WDS authenticator (client).When you configure an access point to provide WDS, other access points (such as your WMIC if it is configured as an access point) on your wireless LAN use the WDS access point to provide fast, secure roaming for client devices and to participate in radio management. Fast, secure roaming provides rapid reauthentication when a client device roams from one access point to another, preventing delays in voice and other time-sensitive applications. Access points participating in radio management forward information about the radio environment (such as possible rogue access points and client associations and disassociations) to the WDS access point. The WDS access point aggregates the information and forwards it to a wireless LAN solution engine (WLSE) device on your network. Role of the WDS Access PointThe WDS access point performs several tasks on your wireless LAN:•Advertises its WDS capability and participates in electing the best WDS access point for your wireless LAN. When you configure your wireless LAN for WDS, you set up one access point as the main WDS access point candidate and one or more additional access points as backup WDS access point candidates. •Authenticates all access points in the subnet and establishes a secure communication channel with each of them.•Collects radio data from access points in the subnet, aggregates the data, and forwards it to the WLSE device on your network.•Registers all client devices in the subnet, establishes session keys for them, and caches their security credentials. When a client roams to another access point, the WDS access point forwards the client’s security credentials to the new access point.Role of Access Points Using the WDS Access PointThe access points on your wireless LAN interact with the WDS access point in these activities:•Discover and track the current WDS access point and relay WDS advertisements to the wireless LAN.•Authenticate with the WDS access point and establish a secure communication channel to the WDS access point.•Register associated client devices with the WDS access point.•Report radio data to the WDS access point.
9-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementUnderstanding Fast Secure RoamingUnderstanding Fast Secure RoamingAccess points in many wireless LANs serve mobile client devices that roam from access point to access point throughout the installation. Some applications running on client devices require fast reassociation when they roam to a different access point. Voice applications, for example, require seamless roaming to prevent delays and gaps in conversation.During normal operation, LEAP-enabled client devices mutually authenticate with a new access point by performing a complete LEAP authentication, including communication with the main RADIUS server, as in Figure 9-1.Figure 9-1 Client Authentication Using a RADIUS ServerWhen you configure your wireless LAN for fast, secure roaming, however, LEAP-enabled client devices roam from one access point to another without involving the main server. Using Cisco Centralized Key Management (CCKM), an access point configured to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the client so quickly that there is no perceptible delay in voice or other time-sensitive applications. Figure 9-2 shows client authentication using CCKM.Access pointor bridgeWired LANClientdevice Server1. Authentication request2. Identity request3. Username(relay to client)(relay to server)4. Authentication challenge5. Authentication response(relay to client)(relay to server)6. Authentication success7. Authentication challenge(relay to client)(relay to server)8. Authentication response9. Successful authentication (relay to server)65583
9-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementUnderstanding Radio ManagementFigure 9-2 Client Reassociation Using CCKM and a WDS Access PointThe WDS access point maintains a cache of credentials for CCKM-capable client devices on your wireless LAN. When a CCKM-capable client roams from one access point to another, the client sends a reassociation request to the new access point, and the new access point relays the request to the WDS access point. The WDS access point forwards the client’s credentials to the new access point, and the new access point sends the reassociation response to the client. Only two packets pass between the client and the new access point, greatly shortening the reassociation time. The client also uses the reassociation response to generate the unicast key. Understanding Radio ManagementAccess points participating in radio management scan the radio environment and send reports to the WDS access point on such radio information as potential rogue access points, associated clients, client signal strengths, and the radio signals from other access points. The WDS access point forwards the aggregated radio data to the WLSE device on your network. Access points participating in radio management also assist with the self-healing wireless LAN, automatically adjusting settings to provide coverage in case a nearby access point fails. Refer to the “” section on page 9-13 for instructions on configuring radio management.88964Reassociation requestReassociation responsePre-registration requestPre-registration replyRoaming clientdeviceAccess point WDS Device - Router/Switch/AP Authentication serverWired LAN
9-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementConfiguring WDS and Fast Secure RoamingConfiguring WDS and Fast Secure RoamingThis section describes how to configure WDS and fast, secure roaming on your wireless LAN. This section contains these sections:•Guidelines for WDS, page 9-5•Requirements for WDS and Fast Secure Roaming, page 9-5•Configuring the WMIC to use the WDS Access Point, page 9-5•Configuring the WMIC to use the WDS Access Point, page 9-5•Configuring the Authentication Server to Support Fast Secure Roaming, page 9-6•CLI Commands to Enable the WDS Server, page 9-9•Using Debug Messages, page 9-13Guidelines for WDSYou should be aware of these WDS guidelines:•You cannot configure your WMIC as a WDS access point. However, when you configure your WMIC as an access point, you can also configure it to use the WDS access point.•Repeater access points do not support WDS. Requirements for WDS and Fast Secure RoamingThe wireless LAN on which your WMIC resides must meet these requirements:•Central wireless domain services (WDS) server serving a zone (see the Configuring WDS, Fast Secure Roaming, and Radio Management chapter for more information)•Root devices configured to communicate with Central WDS server for the zone•Root devices on subnet / zone boundaries configured to allow unauthenticated traffic only to home agent•MoIP in foreign agent modeConfiguring the WMIC to use the WDS Access PointYour WMIC must be configured as an access point before you can configure it to use WDS. Configure the WMIC to authenticate through the WDS access point and participate in CCKM.AP# configure terminalAP(config)# wlccp ap username APWestWing password 7 wes7win8AP(config)# endIn this example, the WMIC is enabled to interact with the WDS access point, and it authenticates to your authentication server using APWestWing as its username and wes7win8 as its password. You must configure the same username and password pair when you set up the access point as a client on your authentication server.
9-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementConfiguring WDS and Fast Secure RoamingAlso, to configure an access point to use a WDS access point, the access point must be configured for an encryption cipher and authentication methods. For example:encryption mode ciphers ckip-cmic ! ssid kin_leap authentication network-eap eap_methods authentication key-management cckmRefer to the “Configuring Authentication Types” chapter for more information.Configuring the Authentication Server to Support Fast Secure RoamingThe WDS access point and all access points participating in CCKM must authenticate to your authentication server. On your server, you must configure usernames and passwords for the access points and a username and password for the WDS access point. Follow these steps to configure the access points on your server:Step 1 Log into Cisco Secure ACS and click Network Configuration to browse to the Network Configuration page. You must use the Network Configuration page to create an entry for the WDS access point. Figure 9-3 shows the Network Configuration page.Figure 9-3 Network Configuration PageStep 2 Click Add Entry under the AAA Clients table. The Add AAA Client page appears. Figure 9-4 shows the Add AAA Client page.
9-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementConfiguring WDS and Fast Secure RoamingFigure 9-4 Add AAA Client PageStep 3 In the AAA Client Hostname field, enter the name of the WDS access point.Step 4 In the AAA Client IP Address field, enter the IP address of the WDS access point.Step 5 In the Key field, enter exactly the same password that is configured on the WDS access point.Step 6 From the Authenticate Using drop-down menu, select RADIUS.Step 7 Click Submit.Step 8 Repeat Step 2 through Step 7 for each WDS access point candidate.Step 9 Click User Setup to browse to the User Setup page. You must use the User Setup page to create entries for the access points that use the WDS access point. Figure 9-5 shows the User Setup page.
9-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementConfiguring WDS and Fast Secure RoamingFigure 9-5 User Setup PageStep 10 Enter the name of the access point in the User field.Step 11 Click Add/Edit.Step 12 Scroll down to the User Setup box. Figure 9-6 shows the User Setup box.Figure 9-6 ACS User Setup Box
9-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementConfiguring WDS and Fast Secure RoamingStep 13 Select CiscoSecure Database from the Password Authentication drop-down menu.Step 14 In the Password and Confirm Password fields, enter exactly the same password that you entered on the access point on the Wireless Services AP page.Step 15 Click Submit.Step 16 Repeat Step 10 through Step 15 for each access point that uses the WDS access point.Step 17 Browse to the System Configuration page, click Service Control, and restart ACS to apply your entries. Figure 9-7 shows the System Configuration page.Figure 9-7 ACS System Configuration PageCLI Commands to Enable the WDS ServerThe following CLI commands are required to enable the WDS server. The no form of the commands disables the WDS server. The same configuration applies for Central WDS server and per subnet WDS server.[no] wlccp wds priority <1-255> interface BVI1[no] wlccp authentication-server infrastructure <method_infra>where <method_infra> is <authentication server list name>[no] wlccp authentication-server client [any | eap | leap | mac] <method_client>where <method_ client > is <authentication server list name>[no] aaa group server radius infra[no] server <IP address of RADIUS server> auth-port <Port number> acct-port <Port number>[no] aaa group server radius client[no] server <IP address of RADIUS server> auth-port <Port number> acct-port <Port number> [no] aaa authentication login <method_infra> group infrawhere <method_infra> is <named authentication list>[no] aaa authentication login <method_client> group client
9-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementConfiguring WDS and Fast Secure Roamingwhere <method_ client > is <named authentication list>CLI Commands to Enable the Root DeviceThe following CLI commands are required to enable the root device to communicate with the Central WDS server. The no form disables the WDS server. This configuration also allows the Root device to authenticate with per subnet WDS server if the Central WDS server fails.[no] wlccp ap wds ip address <IP address of the WDS>[no] wlccp ap username <WLCCP user name> password 0 <The UNENCRYPTED (cleartext) LEAP password>[no] interface Dot11Radio0[no] encryption mode ciphers [aes-ccm | tkip | wep128 | wep40][no] ssid <radio Service Set ID>[no] authentication network-eap <eap_methods>where <eap_methods> is <leap list name> [no] authentication key-management cckm[no] aaa group server radius rad_eap[no] server <IP address of RADIUS server> auth-port <Port number> acct-port <Port number>[no] aaa authentication login <eap_methods> group rad_eapwhere <eap_methods> is <named authentication list>The authentication network-eap <eap_methods> command allows traffic to and from the client while it is being authenticated by the root device. This command should be entered on all the root devices located in zone boundaries and on all the clients.authentication network-eap <eap_methods> <non-blocking>where <non-blocking> allows a client to send or receive traffic while the root device is authenticating the client.To enable blocking of client traffic during authentication, enter the command without the non-blockingkeyword.authentication network-eap <eap_methods>Refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ibm_r1/ib1_a1g.pdf for details on configuring access control lists on an access point to allow clients to send traffic to a home agent only.Refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/iprmb_r/ip4bookg.pdf for details on Mobile IP configuration commands.Refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/gtfamoip.htmfor details on the foreign agent local routing feature and its configuration details.
9-11Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementConfiguring WDS and Fast Secure Roamingdot11 interface speed CommandThe dot11 interface speed command supports only 4.9-GHz data rates. The configured spacing has precedence over the default spacing. For example, if 5-MHz spacing is configured, only data rates corresponding to 5-MHz spacing can be specified in the speed command. If an incorrect data rate is specified for the currently configured spacing, an error message displays, “Incorrect data rate for currently configured spacing.”[no] interface Dot11Radio0[no] speed <data rate>where data rate can be one of the following:Data Rate Description Spacing1.5 Allow 1.5 Mbps 5-MHz2.25 Allow 2.25 Mbps 5-MHz 3.0 Allow 3.0 Mbps 5-MHz and 10-MHz 4.5 Allow 4.5 Mbps 5-MHz and 10-MHz 6.0 Allow 6.0 Mbps 5-MHz and 10-MHz 9.0 Allow 9.0 Mbps 5-MHz and 10-MHz 12.0 Allow 12.0 Mbps 5-MHz and 10-MHz 13.5 Allow 13.5 Mbps 5-MHz18.0 Allow 18.0 Mbps 10-MHz24.0 Allow 24.0 Mbps 10-MHz27.0 Allow 27.0 Mbps 10-MHzbasic-1.5 Require 1.5 Mbps 5-MHzbasic-2.25 Require 2.25 Mbps 5-MHzbasic-3.0 Require 3 Mbps 5-MHz and 10-MHz basic-4.5 Require 4.5 Mbps 5-MHz and 10-MHz basic-6.0 Require 6 Mbps 5-MHz and 10-MHz basic-9.0 Require 9 Mbps 5-MHz and 10-MHz basic-12.0 Require 12 Mbps 5-MHz and 10-MHz basic-13.5 Require 13.5 Mbps 5-MHz basic-18.0 Require 18 Mbps 10-MHz basic-24.0 Require 24 Mbps 10-MHz basic-27.0 Require 27 Mbps 10-MHz default Set default rates Table 9-1 shows the default rates.range Set rates for best range Table 9-1 shows the best range.throughput Set rates for best throughput Table 9-1 shows the best throughput rates.Table 9-1 Default Rates, Best Range Rates and Best Throughput Rates5-MHz Spacing 10-MHz SpacingDefault Rates: basic-1.5, 2.25, basic-3.0, 4.5, basic-6.0, 9.0, 12.0, 13.5Default Rates: basic-3.0, 4.5, basic-6.0, 9.0, basic-12.0, 18.0, 24.0, 27.0
9-12Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementConfiguring WDS and Fast Secure RoamingViewing WDS InformationOn the web-browser interface, browse to the Wireless Services Summary page to view a summary of WDS status.On the CLI in privileged exec mode, use these commands to view information about the current WDS access point and other access points participating in CCKM:Rates for Best Range: basic-1.5, 2.25, 3.0, 4.5, 6.0, 9.0, 12.0, 13.5 Rates for Best Range: basic-3.0, 4.5, 6.0 9.0 12.0 18.0 24.0 27.0 Rates for Best Throughput: basic-1.5, basic-2.25, basic-3.0, basic-4.5, basic-6.0, basic-9.0, basic- 12.0, basic-13.5Rates for Best Throughput: basic-3.0, basic-4.5, basic-6.0, basic-9.0, basic-12.0, basic-18.0, basic-24.0, basic-27.0Table 9-1 Default Rates, Best Range Rates and Best Throughput RatesCommand Descriptionshow wlccp ap Use this command on access points participating in CCKM to display the WDS access point’s MAC address, the WDS access point’s IP address, the access point’s state (authenticating, authenticated, or registered), the IP address of the infrastructure authenticator, and the IP address of the client device (MN) authenticator.show wlccp wds { ap | mn }[detail ] [ mac-addr mac-address ]On the WDS access point only, use this command to display cached information about access points and client devices.•ap—Use this option to display access points participating in CCKM. The command displays each access point’s MAC address, IP address, state (authenticating, authenticated, or registered), and lifetime (seconds remaining before the access point must reauthenticate). Use the mac-addr option to display information about a specific access point.•mn—Use this option to display cached information about client devices, also called mobile nodes. The command displays each client’s MAC address, IP address, the access point to which the client is associated (cur-AP), and state (authenticating, authenticated, or registered). Use the detailoption to display the client’s lifetime (seconds remaining before the client must reauthenticate), SSID, and VLAN ID. Use the mac-addr option to display information about a specific client device.If you only enter show wlccp wds, the command displays the access point’s IP address, MAC address, priority, and interface state (administratively standalone, active, backup, or candidate). If the state is backup, the command also displays the current WDS access point’s IP address, MAC address, and priority.
9-13Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementConfiguring WDS and Fast Secure RoamingUsing Debug MessagesIn privileged exec mode, use these debug commands to control the display of debug messages for devices interacting with the WDS access point:Command Descriptiondebug wlccp ap{ mn | mobility | rm | state |wds-discovery }Use this command to turn on display of debug messages related to client devices (mn), the WDS discovery process, and access point authentication to the WDS access point (state).debug wlccp leap-client Use this command to turn on display of debugging messages related to LEAP-enabled client devices.debug wlccp packet Use this command to turn on display of packets to and from the WDS access point.debug wlccp wds [state | statistics ]Use this command and the state option to turn on display of WDS debug and state messages. Use the statistics option to turn on display of failure statistics.
9-14Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio ManagementConfiguring WDS and Fast Secure Roaming
CHAPTER10-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-0210Configuring VLANsThis chapter describes how to configure your WMIC to operate with the VLANs set up on your wired LAN. These sections describe how to configure your WMIC to support VLANs:•Understanding VLANs, page 10-2•Configuring VLANs, page 10-4
10-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 10 Configuring VLANsUnderstanding VLANsUnderstanding VLANsA VLAN is a switched network that is logically segmented, by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they might be intermingled with other teams. You use VLANs to reconfigure the network through software rather than physically unplugging and moving devices or wires.A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN consists of a number of end systems, either hosts or network equipment (such as bridges and routers), connected by a single bridging domain. The bridging domain is supported on various pieces of network equipment such as LAN switches that operate bridging protocols between them with a separate group for each VLAN.VLANs provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address scalability, security, and network management. You should consider several key issues when designing and building switched LAN networks:•LAN segmentation•Security•Broadcast control•Performance•Network management•Communication between VLANsYou extend VLANs into a wireless LAN by adding IEEE 802.11Q tag awareness to the WMIC. VLAN 802.1Q trunking is supported between root and non-root bridges through the bridges’ primary SSID.Figure 10-1 shows two bridges sending 802.11Q-tagged packets between two LAN segments that use logical VLAN segmentation.
10-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 10 Configuring VLANsUnderstanding VLANsFigure 10-1 Bridges Connecting LAN Segments Using VLANsRelated DocumentsThese documents provide more detailed information pertaining to VLAN design and configuration:•Cisco IOS Switching Services Configuration Guide. Click this link to browse to this document:http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fswtch_c/index.htm•Cisco Internetwork Design Guide. Click this link to browse to this document:http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/index.htm•Cisco Internetworking Technology Handbook. Click this link to browse to this document:http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/index.htm•Cisco Internetworking Troubleshooting Guide. Click this link to browse to this document:http://www.cisco.com/univercd/cc/td/doc/cisintwk/itg_v1/index.htm88904PCCatalystVLAN SwitchCatalystVLAN SwitchCatalystVLAN SwitchNon-Root Bridge802.11Q-tagged packets sentacross wireless bridge linkRoot BridgePC PCPC PC PCPCVLAN 1 VLAN 2 VLAN 3PC PCPCCatalystVLAN SwitchCatalystVLAN SwitchCatalystVLAN SwitchPC PCPC PC PCPCVLAN 1 VLAN 2 VLAN 3PC PC
10-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 10 Configuring VLANsConfiguring VLANsIncorporating Wireless Bridges into VLANsThe basic wireless components of a VLAN consist of two or more bridges communicating using wireless technology. The WMIC is physically connected through a trunk port to the network VLAN switch on which the VLAN is configured. The physical connection to the VLAN switch is through the WMIC’s Ethernet port.In fundamental terms, the key to configuring a WMIC to connect to a specific VLAN is by configuring its SSID to recognize that VLAN. Since VLANs are identified by a VLAN ID, it follows that if the SSID on a WMIC is configured to recognize a specific VLAN ID, a connection to the VLAN is established. The WMIC supports 16 SSIDs. You can assign only one SSID to the native VLAN.Configuring VLANsThese sections describe how to configure VLANs on your WMIC:•Configuring a VLAN, page 10-4•Viewing VLANs Configured on the WMIC, page 10-7Configuring a VLANConfiguring your WMIC to support VLANs is a five-step process:1. Create subinterfaces on the radio and Ethernet interfaces.2. Enable 802.1q encapsulation on the subinterfaces and assign one subinterface as the native VLAN.3. Assign a bridge group to each VLAN.4. (Optional) Enable WEP on the native VLAN.5. Assign the WMIC’s SSID to the native VLAN.This section describes how to assign an SSID to a VLAN and how to enable a VLAN on the WMIC radio and Ethernet ports. For detailed instructions on assigning authentication types to SSIDs, see Chapter 8, “Configuring Authentication Types.”Beginning in privileged EXEC mode, follow these steps to assign an SSID to a VLAN and enable the VLAN on the WMIC radio and Ethernet ports:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio0.x Create a radio subinterface and enter interface configuration mode for the subinterface.Step 3 encapsulation dot1q vlan-id[native]Enable a VLAN on the subinterface. (Optional) Designate the VLAN as the native VLAN. On many networks, the native VLAN is VLAN 1.
10-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 10 Configuring VLANsConfiguring VLANsStep 4 bridge-group number Assign the subinterface to a bridge group. You can number your bridge groups from 1 to 255.Note When you enter the bridge-group command, the WMIC enables the subinterface to be ready to participate in STP when you enter the bridge nprotocol ieee command. See Chapter 6, “Configuring Spanning Tree Protocol,” for complete instructions on enabling STP on the WMIC.Step 5 exit Return to global configuration mode.Step 6 interface fastEthernet0.x Create an Ethernet subinterface and enter interface configuration mode for the subinterface.Step 7 encapsulation dot1q vlan-id[native]Enable a VLAN on the subinterface. (Optional) Designate the VLAN as the native VLAN. On many networks, the native VLAN is VLAN 1.Step 8 bridge-group number Assign the subinterface to a bridge group. You can number your bridge groups from 1 to 255.Step 9 exit Return to global configuration mode.Step 10 interface dot11radio 0 Enter interface configuration mode for the radio interface.Step 11 ssid ssid-string Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive. You can create up to 16 SSIDs on the bridge; however, only one SSID can be assigned to the native VLAN.Note You use the ssid command’s authentication options to configure an authentication type for each SSID. See Chapter 8, “Configuring Authentication Types,” for instructions on configuring authentication types.Step 12 vlan vlan-id Assign the SSID to the native VLAN.Step 13 infrastructure-ssid Designate the SSID as the infrastructure SSID. It is used to instruct a non-root bridge or workgroup bridge radio to associate with this SSID.Command Purpose
10-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 10 Configuring VLANsConfiguring VLANsThis example shows how to:•Enable the VLAN on the radio and Ethernet ports as the native VLAN•Name an SSID•Assign the SSID to a VLANbridge# configure terminalbridge(config)# interface dot11radio0.1bridge(config-subif)# encapsulation dot1q 1 nativebridge(config-subif)# bridge group 1bridge(config-subif)# exitbridge(config)# interface fastEthernet0.1bridge(config-subif)# encapsulation dot1q 1 nativebridge(config-subif)# bridge group 1bridge(config-subif)# exitbridge(config)# interface dot11radio0bridge(config-if)# ssid batmanbridge(config-ssid)# vlan 1bridge(config-ssid)# infrastructure-ssidbridge(config-ssid)# endStep 14 encryption[vlan vlan-id]mode wep {optional [key-hash] | mandatory [mic] [key-hash]}(Optional) Enable WEP and WEP features on the native VLAN.•(Optional) Select the VLAN for which you want to enable WEP and WEP features.•Set the WEP level and enable TKIP and MIC. If you enter optional, another bridge can associate to the WMIC with or without WEP enabled. You can enable TKIP with WEP set to optional but you cannot enable MIC. If you enter mandatory, other bridges must have WEP enabled to associate to the WMIC. You can enable both TKIP and MIC with WEP set to mandatory.Note You can enable encryption for each VLAN, but the WMIC uses only the encryption on the native VLAN. For example, if the native VLAN encryption is set to 128-bit static WEP, that is the only encryption method used for traffic between the root and non-root bridge.Step 15 exit Return to interface configuration mode for the radio interface.Step 16 end Return to privileged EXEC mode.Step 17 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
10-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 10 Configuring VLANsConfiguring VLANsViewing VLANs Configured on the WMICIn privileged EXEC mode, use the show vlan command to view the VLANs that the WMIC supports. This is sample output from a show vlan command:Virtual LAN ID: 1 (IEEE 802.1Q Encapsulation) vLAN Trunk Interfaces: Dot11Radio0FastEthernet0Virtual-Dot11Radio0 This is configured as native Vlan for the following interface(s) :Dot11Radio0FastEthernet0Virtual-Dot11Radio0 Protocols Configured: Address: Received: Transmitted: Bridging Bridge Group 1 201688 0 Bridging Bridge Group 1 201688 0 Bridging Bridge Group 1 201688 0Virtual LAN ID: 2 (IEEE 802.1Q Encapsulation) vLAN Trunk Interfaces: Dot11Radio0.2FastEthernet0.2Virtual-Dot11Radio0.2 Protocols Configured: Address: Received: Transmitted:
10-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 10 Configuring VLANsConfiguring VLANs
CHAPTER11-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-0211Configuring QoS in a Wireless EnvironmentThis chapter describes how to configure quality of service (QoS) on your WMIC. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the WMIC offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.This chapter consists of these sections:•Understanding QoS for Wireless LANs, page 11-2•Configuring QoS, page 11-3•QoS Configuration Examples, page 11-9
11-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentUnderstanding QoS for Wireless LANsUnderstanding QoS for Wireless LANsTypically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.When you configure QoS on the WMIC, you can select specific network traffic, prioritize it, and use congestion-management and congestion-avoidance techniques to provide preferential treatment. Implementing QoS in your wireless LAN makes network performance more predictable and bandwidth utilization more effective.When you configure QoS, you create QoS policies and apply the policies to the VLAN configured on your WMIC. If you do not use VLANs on your network, you can apply your QoS policies to the WMIC’s Ethernet and radio ports.Note Configuring the limited WMIC QoS features typically are not enough to manage the traffic when traffic can congest the limited 20 Mbps bandwidth of the WMIC. We highly recommended that you apply traffic shaping and other MQC based QoS features.QoS for Wireless LANs Versus QoS on Wired LANsThe QoS implementation for wireless LANs differs from QoS implementations on other Cisco devices. With QoS enabled, bridges perform the following:•They do not classify packets; they prioritize packets based on DSCP value, client type (such as a wireless phone), or the priority value in the 802.1q or 802.1p tag.•They do not match packets using ACL; they use only MQC class-map for matching clauses.•They do not construct internal DSCP values; they only support mapping by assigning IP DSCP, Precedence, or Protocol values to Layer 2 COS values.•They carry out EDCF like queuing on the radio egress port only.•They do only FIFO queueing on the Ethernet egress port.•They support only 802.1Q/P tagged packets. Bridges do not support ISL.•They support only MQC policy-map set cos action.To contrast the wireless LAN QoS implementation with the QoS implementation on other Cisco network devices, see the Cisco IOS Quality of Service Solutions Configuration Guide at this URL:http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/index.htmImpact of QoS on a Wireless LANWireless LAN QoS features are a subset of the proposed 802.11e draft. QoS on wireless LANs provides prioritization of traffic from the WMIC over the WLAN based on traffic classification.Just as in other media, you might not notice the effects of QoS on a lightly loaded wireless LAN. The benefits of QoS become more obvious as the load on the wireless LAN increases, keeping the latency, jitter, and loss for selected traffic types within an acceptable range.
11-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentConfiguring QoSQoS on the wireless LAN focuses on downstream prioritization from the WMIC. These are the effects of QoS on network traffic:•The radio downstream flow is traffic transmitted out the WMIC radio to another bridge. This traffic is the main focus for QoS on a wireless LAN.•The radio upstream flow is traffic received on the WMIC radio from another bridge. QoS for wireless LAN does not affect this traffic.•The Ethernet downstream flow is traffic sent from a switch or a router to the Ethernet port on the WMIC. If QoS is enabled on the switch or router, the switch or router might prioritize and rate-limit traffic to the WMIC.•The Ethernet upstream flow is traffic sent from the WMIC Ethernet port to a switch or router on the wired LAN. The WMIC does not prioritize traffic that it sends to the wired LAN based on traffic classification.Precedence of QoS SettingsWhen you enable QoS, the WMIC queues packets based on the Layer 2 class of service value for each packet. The WMIC applies QoS policies in this order:1. Packets already classified—When the WMIC receives packets from a QoS-enabled switch or router that has already classified the packets with non-zero 802.1Q/P user_priority values, the WMIC uses that classification and does not apply other QoS policy rules to the packets. An existing classification takes precedence over all other policies on the WMIC.Note The WMIC always acts on tagged 802.1P packets that it receives over the radio interface, even if a QoS policy has not been configured.2. Policies you create on the WMIC—QoS Policies that you create and apply to VLANs or to the WMIC interfaces are second in precedence after previously classified packets.3. Default classification for all packets on VLAN—If you set a default classification for all packets on a VLAN, that policy is third in the precedence list.Configuring QoSQoS is disabled by default. This section describes how to configure QoS on your WMIC. It contains this configuration information:•Configuration Guidelines, page 11-4•Configuring QoS Using the Web-Browser Interface, page 11-4•Adjusting Radio Access Category Definitions, page 11-7
11-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentConfiguring QoSConfiguration GuidelinesBefore configuring QoS on your WMIC, you should be aware of this information:•The most important guideline in QoS deployment is to be familiar with the traffic on your wireless LAN. If you know the applications used by wireless client devices, the applications’ sensitivity to delay, and the amount of traffic associated with the applications, you can configure QoS to improve performance.•QoS does not create additional bandwidth for your wireless LAN; it helps control the allocation of bandwidth. If you have plenty of bandwidth on your wireless LAN, you might not need to configure QoS.Configuring QoS Using the Web-Browser InterfaceThis section describes configuring QoS using the web-browser interface. Follow these steps to configure QoS:Step 1 If you use VLANs on your wireless LAN, make sure the necessary VLAN is configured on your WMIC before configuring QoS.Step 2 Click Services in the task menu on the left side of any page in the web-browser interface. When the list of Services expands, click QoS. The QoS Policies page appears. Figure 11-1 shows the QoS Policies page.
11-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentConfiguring QoSFigure 11-1 QoS Policies PageStep 3 With <NEW> selected in the Create/Edit Policy field, type a name for the QoS policy in the Policy Name entry field. The name can contain up to 25 alphanumeric characters. Do not include spaces in the policy name.Step 4 If the packets that you need to prioritize contain IP precedence information in the IP header TOS field, select an IP precedence classification from the IP Precedence drop-down menu. Menu selections include:•Routine (0)•Priority (1)•Immediate (2)•Flash (3)•Flash Override (4)•Critic/CCP (5)•Internet Control (6)•Network Control (7)Step 5 Use the Apply Class of Service drop-down menu to select the class of service that the WMIC will apply to packets of the type that you selected from the IP Precedence menu. The WMIC matches your IP Precedence selection with your class of service selection. Settings in the Apply Class of Service menu include:•Best Effort (0)
11-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentConfiguring QoS•Background (1)•Spare (2)•Excellent (3)•Control Lead (4)•Video <100ms Latency (5)•Voice <10ms Latency (6)•Network Control (7)Step 6 Click the Add button beside the Class of Service menu for IP Precedence. The classification appears in the Classifications field. To delete a classification, select it and click the Delete button beside the Classifications field.Step 7 If the packets that you need to prioritize contain IP DSCP precedence information in the IP header TOS field, select an IP DSCP classification from the IP DSCP drop-down menu. Menu selections include:•Best Effort•Assured Forwarding — Class 1 Low•Assured Forwarding — Class 1 Medium•Assured Forwarding — Class 1 High•Assured Forwarding — Class 2 Low•Assured Forwarding — Class 2 Medium•Assured Forwarding — Class 2 High•Assured Forwarding — Class 3 Low•Assured Forwarding — Class 3 Medium•Assured Forwarding — Class 3 High•Assured Forwarding — Class 4 Low•Assured Forwarding — Class 4 Medium•Assured Forwarding — Class 4 High•Class Selector 1•Class Selector 2•Class Selector 3•Class Selector 4•Class Selector 5•Class Selector 6•Class Selector 7•Expedited ForwardingStep 8 Use the Apply Class of Service drop-down menu to select the class of service that the WMIC will apply to packets of the type that you selected from the IP DSCP menu. The WMIC matches your IP DSCP selection with your class of service selection.Step 9 Click the Add button beside the Class of Service menu for IP DSCP. The classification appears in the Classifications field.
11-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentConfiguring QoSStep 10 If you need to assign a priority to filtered packets, use the Filter drop-down menu to select a Filter to include in the policy. (If no filters are defined on the WMIC, a link to the Apply Filters page appears instead of the Filter drop-down menu.) For example, you could assign a high priority to a MAC address filter that includes the MAC addresses of IP phones.Note The access list you use in QoS does not affect the WMIC’s packet forwarding decisions.Step 11 Use the Apply Class of Service drop-down menu to select the class of service that the WMIC will apply to packets that match the filter that you selected from the Filter menu. The WMIC matches your filter selection with your class of service selection.Step 12 Click the Add button beside the Class of Service menu for Filter. The classification appears in the Classifications field.Step 13 If you want to set a default classification for all packets on a VLAN, use the Apply Class of Service drop-down menu to select the class of service that the WMIC will apply to all packets on a VLAN. The WMIC matches all packets with your class of service selection.Step 14 Click the Add button beside the Class of Service menu for Default classification for packets on the VLAN. The classification appears in the Classifications field. Step 15 When you finish adding classifications to the policy, click the Apply button under the Apply Class of Service drop-down menus. To cancel the policy and reset all fields to defaults, click the Cancel button under the Apply Class of Service drop-down menus. To delete the entire policy, click the Delete button under the Apply Class of Service drop-down menus. Step 16 Use the Apply Policies to Interface/VLANs drop-down menus to apply policies to the Ethernet and radio ports. If VLANs are configured on the WMIC, drop-down menus for each VLAN’s virtual ports appear in this section. If VLANs are not configured on the WMIC, drop-down menus for each interface appear.Step 17 Click the Apply button at the bottom of the page to apply the policies to the ports.Adjusting Radio Access Category DefinitionsThe WMIC uses the radio access category definitions to calculate backoff times for each packet. As a rule, high-priority packets have short backoff times.The default values in the Min and Max Contention Window fields and in the Slot Time fields are based on settings recommended in IEEE Draft Standard 802.11e. For detailed information on these values, consult that standard.We strongly recommend that you use the default settings on the Radio Traffic Access Categories page, or that you use the settings described in section x. Changing these values can lead to unexpected blockages of traffic on your wireless LAN, and the blockages might be difficult to diagnose. If you change these values and find that you need to reset them to defaults, use the default settings listed in Table 11-1.The values listed in Table 11-1 are to the power of 2. The WMIC computes Contention Window values with this equation:CW = 2 ** X minus 1where X is the value from Table 11-1.
11-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentConfiguring QoSFigure 11-2 shows the Radio 802.11G Access Categories page.Figure 11-2 Radio 802.11G Access Categories PageCW-min and CW-max Settings for Point-to-Point and Point-to-Multipoint Bridge LinksFor best performance on your WMIC links, adjust the CW-min and CW-max contention window settings according to the values listed in Table 11-2. The default settings, CW-min 3 and CW-max 10, are best for point-to-point links. However, for point-to-multipoint links, you should adjust the settings depending on the number of non-root bridges that associate to the root bridge.Note If packet concatenation is enabled, you need to adjust the CW-min and CW-max settings only for traffic class 0. Concatenation is disabled by default.Table 11-1 Default QoS Radio Traffic Class DefinitionsClass of Service Min Contention Window Max Contention Window Fixed Slot TimeBackground (CoS 1-2) 5 10 6Best Effort (CoS 0) 5 10 2Video (CoS 3-5) 5 10 2Voice (CoS 6-7) 3 4 1
11-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentQoS Configuration ExamplesBeginning in privileged EXEC mode, follow these steps to adjust the CW-min and CW-max settings:Use the no form of the command to reset the setting to defaults.QoS Configuration ExamplesThese sections describe two common uses for QoS:•Giving Priority to Voice Traffic, page 11-9•Giving Priority to Video Traffic, page 11-10Giving Priority to Voice TrafficThis section demonstrates how you can apply a QoS policy to your wireless network.In this example, the network administrator creates a policy named voice_policy that applies voice class of service to traffic from packets having Priority precedence in IP Precedence field. The user applies the voice_policy to the incoming and outgoing radio ports and to the outgoing Ethernet port. Figure 11-3shows the administrator’s QoS Policies page. Table 11-2 CW-min and CW-max Settings for Point-to-Point and Point-to-Multipoint Bridge LinksSetting Point-to-Point LinksPoint-to-Multipoint Links with up to 5 Non-Root BridgesPoint-to-Multipoint Links with up to 10 Non-Root BridgesPoint-to-Multipoint Links with up to 17 Non-Root BridgesCW-min3456CW-max 10 10 10 10Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface dot11radio 0 Enter interface configuration mode for the radio interface. Step 3 traffic-class class{cw-min number }{cw-max number }{fixed-slot number }Assign CW-min, CW-max, and fixed-slot settings to a traffic class. Use the values in Table 11-2 to enter settings that provide the best performance for your network configuration.Note If packet concatenation is enabled, you need to adjust the CW-min and CW-max settings only for traffic class 0. Concatenation is enabled by default. Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
11-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentQoS Configuration ExamplesFigure 11-3 QoS Policies Page for Voice ExampleGiving Priority to Video TrafficThis section demonstrates how you could apply a QoS policy to a network dedicated to video traffic.In this example, the network administrator creates a policy named video_policy that applies video class of service to video traffic. The user applies the video_policy to the incoming and outgoing radio ports and to the outgoing Ethernet port. Figure 11-4 shows the administrator’s QoS Policies page.
11-11Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentQoS Configuration ExamplesFigure 11-4 QoS Policies Page for Video ExampleQoS Example Configuration for VLANThe example in this section queues all traffic from VLAN100 to the voice queue.interface fastEthernet 0.1 encapsulation dot1Q 1 native bridge-group 1interface fastEthernet 0.100 encapsulation dot1Q 100 bridge-group 100interface fastEthernet 0.101 encapsulation dot1Q 101 bridge-group 101
11-12Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentQoS Configuration Examplesinterface dot11Radio 0.1 encapsulation dot1Q 1 native bridge-group 1interface dot11Radio 0.100 encapsulation dot1Q 100 bridge-group 100interface dot11Radio 0.101 encapsulation dot1Q 101 bridge-group 101interface dot11Radio 0 ssid qosWMIC-1 vlan 1 authentication open ssid qosWMIC-100 vlan 100 authentication open ssid qosWMIC-101 vlan 101 authentication openclass-map match-all alldata match anypolicy-map v100traffic class alldata set cos 6interface dot11Radio 0.100 service-policy output v100trafficQoS Example of IP DSCP and IP PrecedenceThe example in this section queues traffic data with the IP Precedence value 2 to Queue 0, IP DSCP value 12 to Queue 1, IP Precedence value 5 to Queue 2, and IP DSCP value 46 to queue 3.class-map match-all dscp12 match ip dscp af12class-map match-all dscp46 match ip dscp efclass-map match-all prec2 match ip precedence immediateclass-map match-all prec5 match ip precedence criticalpolicy-map L3Mapclass prec2 set cos 2 class dscp12 set cos 0class prec5 set cos 5class dscp46 set cos 6interface dot11Radio 0 service-policy output L3Map
11-13Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentQoS Configuration Examples
11-14Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 11 Configuring QoS in a Wireless EnvironmentQoS Configuration Examples
CHAPTER12-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-0212Configuring FiltersThis chapter describes how to configure and manage MAC address, IP, and Ethertype filters on the WMIC using the web-browser interface. This chapter contains these sections:•Understanding Filters, page 12-2•Configuring Filters Using the CLI, page 12-2•Configuring Filters Using the Web-Browser Interface, page 12-2
12-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 12 Configuring FiltersUnderstanding FiltersUnderstanding FiltersProtocol filters (IP protocol, IP port, and Ethertype) prevent or allow the use of specific protocols through the WMIC’s Ethernet and radio ports. You can set up individual protocol filters or sets of filters. You can filter protocols for wireless client devices, users on the wired LAN, or both. For example, an SNMP filter on the WMIC’s radio port prevents SNMP access through the radio but does not block SNMP access from the wired LAN.IP address and MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific IP or MAC addresses. You can create a filter that passes traffic to all addresses except those you specify, or you can create a filter that blocks traffic to all addresses except those you specify.You can configure filters using the web-browser interface or by entering commands in the CLI. Tip You can include filters in the WMIC’s QoS policies. Refer to Chapter 11, “Configuring QoS in a Wireless Environment,” for detailed instructions on setting up QoS policies.Configuring Filters Using the CLITo configure filters using IOS commands, you use access control lists (ACLs) and bridge groups. You can find explanations of these concepts and instructions for implementing them in these documents:•Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.2. Click this link to browse to the “Configuring Transparent Bridging” chapter: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fibm_c/bcfpart1/bcftb.htm•Catalyst 4908G-L3 Cisco IOS Release 12.0(10)W5(18e) Software Feature and Configuration Guide.Click this link to browse to the “Command Reference” chapter: http://www.cisco.com/univercd/cc/td/doc/product/l3sw/4908g_l3/ios_12/10w518e/config/cmd_ref.htmConfiguring Filters Using the Web-Browser InterfaceThis section describes how to configure and enable filters using the web-browser interface. You complete two steps to configure and enable a filter:1. Name and configure the filter using the filter setup pages.2. Enable the filter using the Apply Filters page.These sections describe setting up and enabling three filter types:•Configuring and Enabling MAC Address Filters, page 12-3•Configuring and Enabling IP Filters, page 12-5•Configuring and Enabling Ethertype Filters, page 12-7
12-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 12 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceConfiguring and Enabling MAC Address FiltersMAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify. You can apply the filters you create to either or both the Ethernet and radio ports and to either or both incoming and outgoing packets.Note MAC address filters are powerful, and you can lock yourself out of the WMIC if you make a mistake setting up the filters. If you accidentally lock yourself out of your WMIC, use the CLI to disable the filters, or reset the WMIC to factory defaults.Use the MAC Address Filters page to create MAC address filters for the WMIC. Figure 12-1 shows the MAC Address Filters page.Figure 12-1 MAC Address Filters PageFollow this link path to reach the Address Filters page:1. Click Services in the page navigation bar.2. In the Services page list, click Filters.3. On the Apply Filters page, click the MAC Address Filters tab at the top of the page.
12-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 12 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceCreating a MAC Address FilterFollow these steps to create a MAC address filter:Step 1 Follow the link path to the MAC Address Filters page.Step 2 If you are creating a new MAC address filter, make sure <NEW> (the default) is selected in the Create/Edit Filter Index menu. To edit a filter, select the filter number from the Create/Edit Filter Index menu.Step 3 In the Filter Index field, name the filter with a number from 700 to 799. The number you assign creates an access control list (ACL) for the filter. Step 4 Enter a MAC address in the Add MAC Address field. Enter the address with periods separating the three groups of four characters (0040.9612.3456, for example).Step 5 Use the Mask entry field to indicate how many bits, from left to right, the filter checks against the MAC address. For example, to require an exact match with the MAC address (to check all bits) enter FFFF.FFFF.FFFF. To check only the first 4 bytes, enter FFFF.FFFF.0000.Step 6 Select Forward or Block from the Action menu. Step 7 Click Add. The MAC address appears in the Filters Classes field. To remove the MAC address from the Filters Classes list, select it and click Delete Class.Step 8 Repeat Step 4 through Step 7 to add addresses to the filter.Step 9 Select Forward All or Block All from the Default Action menu. The filter’s default action must be the opposite of the action for at least one of the addresses in the filter. For example, if you enter several addresses and you select Block as the action for all of them, you must choose Forward All as the filter’s default action.Step 10 Click Apply. The filter is saved on the WMIC, but it is not enabled until you apply it on the Apply Filters page.Step 11 Click the Apply Filters tab to return to the Apply Filters page. Figure 12-2 shows the Apply Filters page.Figure 12-2 Apply Filters Page
12-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 12 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceStep 12 Select the filter number from one of the MAC drop-down menus. You can apply the filter to either or both the Ethernet and radio ports, and to either or both incoming and outgoing packets.Step 13 Click Apply. The filter is enabled on the selected ports.Configuring and Enabling IP FiltersIP filters (IP address, IP protocol, and IP port) prevent or allow the use of specific protocols through the WMIC’s Ethernet and radio ports, and IP address filters allow or prevent the forwarding of unicast and multicast packets either sent from or addressed to specific IP addresses. You can create a filter that passes traffic to all addresses except those you specify, or you can create a filter that blocks traffic to all addresses except those you specify. You can create filters that contain elements of one, two, or all three IP filtering methods. You can apply the filters you create to either or both the Ethernet and radio ports and to either or both incoming and outgoing packets.Use the IP Filters page to create IP filters for the WMIC. Figure 12-3 shows the IP Filters page.Figure 12-3 IP Filters Page
12-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 12 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceFollow this link path to reach the IP Filters page:1. Click Services in the page navigation bar.2. In the Services page list, click Filters.3. On the Apply Filters page, click the IP Filters tab at the top of the page.Creating an IP FilterFollow these steps to create an IP filter:Step 1 Follow the link path to the IP Filters page.Step 2 If you are creating a new filter, make sure <NEW> (the default) is selected in the Create/Edit Filter Index menu. To edit an existing filter, select the filter name from the Create/Edit Filter Index menu.Step 3 Enter a descriptive name for the new filter in the Filter Name field.Step 4 Select Forward all or Block all as the filter’s default action from the Default Action menu. The filter’s default action must be the opposite of the action for at least one of the addresses in the filter. For example, if you create a filter containing an IP address, an IP protocol, and an IP port and you select Block as the action for all of them, you must choose Forward All as the filter’s default action.Step 5 To filter an IP address, enter an address in the IP Address field.Note If you plan to block traffic to all IP addresses except those you specify as allowed, put the address of your own PC in the list of allowed addresses to avoid losing connectivity to the WMIC.Step 6 Type the mask for the IP address in the Mask field. Enter the mask with periods separating the groups of characters (112.334.556.778, for example). If you enter 255.255.255.255 as the mask, the WMIC accepts any IP address. If you enter 0.0.0.0, the WMIC looks for an exact match with the IP address you entered in the IP Address field. The mask you enter in this field behaves the same way that a mask behaves when you enter it in the CLI.Step 7 Select Forward or Block from the Action menu. Step 8 Click Add. The address appears in the Filters Classes field. To remove the address from the Filters Classes list, select it and click Delete Class. Repeat Step 5 through Step 8 to add addresses to the filter.If you do not need to add IP protocol or IP port elements to the filter, skip to Step 15 to save the filter on the WMIC. Step 9 To filter an IP protocol, select one of the common protocols from the IP Protocol drop-down menu, or select the Custom radio button and enter the number of an existing ACL in the Custom field. Enter an ACL number from 0 to 255. See Appendix C, “Protocol Filters,” for a list of IP protocols and their numeric designators.Step 10 Select Forward or Block from the Action menu. Step 11 Click Add. The protocol appears in the Filters Classes field. To remove the protocol from the Filters Classes list, select it and click Delete Class. Repeat Step 9 to Step 11 to add protocols to the filter.If you do not need to add IP port elements to the filter, skip to Step 15 to save the filter on the WMIC. Step 12 To filter a TCP or UDP port protocol, select one of the common port protocols from the TCP Port or UDP Port drop-down menus, or select the Custom radio button and enter the number of an existing protocol in one of the Custom fields. Enter a protocol number from 0 to 65535. See Appendix C, “Protocol Filters,” for a list of IP port protocols and their numeric designators.
12-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 12 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceStep 13 Select Forward or Block from the Action menu. Step 14 Click Add. The protocol appears in the Filters Classes field. To remove the protocol from the Filters Classes list, select it and click Delete Class. Repeat Step 12 to Step 14 to add protocols to the filter.Step 15 When the filter is complete, click Apply. The filter is saved on the WMIC, but it is not enabled until you apply it on the Apply Filters page.Step 16 Click the Apply Filters tab to return to the Apply Filters page. Figure 12-4 shows the Apply Filters page.Figure 12-4 Apply Filters PageStep 17 Select the filter name from one of the IP drop-down menus. You can apply the filter to either or both the Ethernet and radio ports, and to either or both incoming and outgoing packets.Step 18 Click Apply. The filter is enabled on the selected ports.Configuring and Enabling Ethertype FiltersEthertype filters prevent or allow the use of specific protocols through the WMIC’s Ethernet and radio ports. You can apply the filters you create to either or both the Ethernet and radio ports and to either or both incoming and outgoing packets.Use the Ethertype Filters page to create Ethertype filters. Figure 12-5 shows the Ethertype Filters page.
12-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 12 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceFigure 12-5 Ethertype Filters PageFollow this link path to reach the Ethertype Filters page:1. Click Services in the page navigation bar.2. In the Services page list, click Filters.3. On the Apply Filters page, click the Ethertype Filters tab at the top of the page.Creating an Ethertype FilterFollow these steps to create an Ethertype filter:Step 1 Follow the link path to the Ethertype Filters page.Step 2 If you are creating a new filter, make sure <NEW> (the default) is selected in the Create/Edit Filter Index menu. To edit an existing filter, select the filter number from the Create/Edit Filter Index menu.Step 3 In the Filter Index field, name the filter with a number from 200 to 299. The number you assign creates an access control list (ACL) for the filter. Step 4 Enter an Ethertype number in the Add Ethertype field. See Appendix C, “Protocol Filters,” for a list of protocols and their numeric designators.Step 5 Enter the mask for the Ethertype in the Mask field. Step 6 Select Forward or Block from the Action menu. Step 7 Click Add. The Ethertype appears in the Filters Classes field. To remove the Ethertype from the Filters Classes list, select it and click Delete Class. Repeat Step 4 through Step 7 to add Ethertypes to the filter.Step 8 Select Forward All or Block All from the Default Action menu. The filter’s default action must be the opposite of the action for at least one of the Ethertypes in the filter. For example, if you enter several Ethertypes and you select Block as the action for all of them, you must choose Forward All as the filter’s default action.
12-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 12 Configuring FiltersConfiguring Filters Using the Web-Browser InterfaceStep 9 Click Apply. The filter is saved on the WMIC, but it is not enabled until you apply it on the Apply Filters page.Step 10 Click the Apply Filters tab to return to the Apply Filters page. Figure 12-6 shows the Apply Filters page.Figure 12-6 Apply Filters PageStep 11 Select the filter number from one of the Ethertype drop-down menus. You can apply the filter to either or both the Ethernet and radio ports, and to either or both incoming and outgoing packets.Step 12 Click Apply. The filter is enabled on the selected ports.
12-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 12 Configuring FiltersConfiguring Filters Using the Web-Browser Interface
CHAPTER13-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-0213Configuring CDPThis chapter describes how to configure Cisco Discovery Protocol (CDP) on your WMIC.This chapter contains these sections:•Understanding CDP, page 13-2•Configuring CDP, page 13-2•Monitoring and Maintaining CDP, page 13-5
13-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 13 Configuring CDPUnderstanding CDPUnderstanding CDPCisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. Information in CDP packets is used in network management software such as CiscoWorks2000.CDP is enabled on the WMIC’s Ethernet and radio ports by default. Note For best performance on your wireless LAN, disable CDP on all radio interfaces and on sub-interfaces if VLANs are enabled on the WMIC.Configuring CDPThis section contains CDP configuration information and procedures:•Default CDP Configuration, page 13-2•Configuring the CDP Characteristics, page 13-3•Disabling and Enabling CDP, page 13-3•Disabling and Enabling CDP on an Interface, page 13-4Default CDP ConfigurationTable 13-1 lists the default CDP settings.Table 13-1 Default CDP ConfigurationFeature Default SettingCDP global state EnabledCDP interface state EnabledCDP holdtime (packet holdtime in seconds) 180CDP timer (packets sent every x seconds) 60
13-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 13 Configuring CDPConfiguring CDPConfiguring the CDP CharacteristicsYou can configure the CDP holdtime (the number of seconds before the WMIC discards CDP packets) and the CDP timer (the number of seconds between each CDP packets the WMIC sends).Beginning in Privileged Exec mode, follow these steps to configure the CDP holdtime and CDP timer:Use the no form of the CDP commands to return to the default settings.This example shows how to configure and verify CDP characteristics:bridge# configure terminalbridge(config)# cdp holdtime 120bridge(config)# cdp timer 50bridge(config)# endbridge# show cdpGlobal CDP information:Sending a holdtime value of 120 seconds Sending CDP packets every 50 secondsFor additional CDP show commands, see the “Monitoring and Maintaining CDP” section on page 13-5.Disabling and Enabling CDPCDP is enabled by default. Beginning in Privileged Exec mode, follow these steps to disable the CDP device discovery capability:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 cdp holdtime seconds (Optional) Specify the amount of time a receiving device should hold the information sent by your device before discarding it.The range is from 10 to 255 seconds; the default is 180 seconds.Step 3 cdp timer seconds (Optional) Set the transmission frequency of CDP updates in seconds. The range is from 5 to 254; the default is 60 seconds.Step 4 end Return to Privileged Exec mode.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 no cdp run Disable CDP.Step 3 end Return to Privileged Exec mode.
13-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 13 Configuring CDPConfiguring CDPBeginning in privileged EXEC mode, follow these steps to enable CDP:This example shows how to enable CDP.bridge# configure terminalbridge(config)# cdp runbridge(config)# endDisabling and Enabling CDP on an InterfaceCDP is enabled by default on all supported interfaces to send and receive CDP information.Beginning in privileged EXEC mode, follow these steps to disable CDP on an interface:Beginning in privileged EXEC mode, follow these steps to enable CDP on an interface:This example shows how to enable CDP on an interface:bridge# configure terminalbridge(config)# interface xbridge(config-if)# cdp enablebridge(config-if)# endCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 cdp run Enable CDP after disabling it.Step 3 end Return to privileged EXEC mode.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface interface-id Enter interface configuration mode, and enter the interface on which you are disabling CDP.Step 3 no cdp enable Disable CDP on an interface.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface interface-id Enter interface configuration mode, and enter the interface on which you are enabling CDP.Step 3 cdp enable Enable CDP on an interface after disabling it.Step 4 end Return to privileged EXEC mode.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
13-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 13 Configuring CDPMonitoring and Maintaining CDPMonitoring and Maintaining CDPTo monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.Below are six examples of output from the CDP show privileged EXEC commands:bridge# show cdpGlobal CDP information: Sending CDP packets every 50 seconds Sending a holdtime value of 120 secondsbridge# show cdp entry *-------------------------Device ID: bridgeEntry address(es): IP address: 10.1.1.66Platform: cisco WS-C3550-12T, Capabilities: Switch IGMPInterface: GigabitEthernet0/2, Port ID (outgoing port): GigabitEthernet0/2Holdtime : 129 secVersion :Cisco Internetwork Operating System SoftwareIOS (tm) C3550 Software (C3550-I5Q3L2-M), Experimental Version 12.1(20010612:021316) [jang-flamingo 120]Copyright (c) 1986-2001 by cisco Systems, Inc.Compiled Fri 06-Jul-01 18:18 by jangadvertisement version: 2Command Descriptionclear cdp counters Reset the traffic counters to zero.clear cdp table Delete the CDP table of information about neighbors.show cdp Display global information, such as frequency of transmissions and the holdtime for packets being sent.show cdp entry entry-name [protocol |version]Display information about a specific neighbor. You can enter an asterisk (*) to display all CDP neighbors, or you can enter the name of the neighbor about which you want information.You can also limit the display to information about the protocols enabled on the specified neighbor or information about the version of software running on the device.show cdp interface [type number] Display information about interfaces where CDP is enabled.You can limit the display to the type of interface or the number of the interface about which you want information (for example, entering gigabitethernet 0/1 displays information only about Gigabit Ethernet port 1).show cdp neighbors [type number][detail]Display information about neighbors, including device type, interface type and number, holdtime settings, capabilities, platform, and port ID. You can limit the display to neighbors on a specific type or number of interface or expand the display to provide more detailed information.show cdp traffic Display CDP counters, including the number of packets sent and received and checksum errors.
13-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 13 Configuring CDPMonitoring and Maintaining CDPProtocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010221FF00000000000000024B293A00FF0000VTP Management Domain: ''Duplex: full-------------------------Device ID: idf2-1-lab-l3.cisco.comEntry address(es): IP address: 10.1.1.10Platform: cisco WS-C3524-XL, Capabilities: Trans-Bridge SwitchInterface: GigabitEthernet0/1, Port ID (outgoing port): FastEthernet0/10Holdtime : 141 secVersion :Cisco Internetwork Operating System SoftwareIOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.1)XP, MAINTENANCE INTERIM SOFTWARECopyright (c) 1986-1999 by cisco Systems, Inc.Compiled Fri 10-Dec-99 11:16 by cchangadvertisement version: 2Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=25, value=00000000FFFFFFFF010101FF000000000000000142EFA400FFVTP Management Domain: '' bridge# show cdp entry * protocolProtocol information for talSwitch14 : IP address: 172.20.135.194Protocol information for tstswitch2 : IP address: 172.20.135.204 IP address: 172.20.135.202Protocol information for tstswitch2 : IP address: 172.20.135.204 IP address: 172.20.135.202 bridge# show cdp interfaceGigabitEthernet0/1 is up, line protocol is up Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/2 is up, line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/3 is administratively down, line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/4 is up, line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/5 is up, line protocol is up Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/6 is up, line protocol is up Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 secondsGigabitEthernet0/7 is up, line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 seconds
13-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 13 Configuring CDPMonitoring and Maintaining CDPGigabitEthernet0/8 is up, line protocol is down Encapsulation ARPA Sending CDP packets every 60 seconds Holdtime is 180 seconds bridge# show cdp neighborCapability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - RepeaterDevice IDLocal InterfaceHoldtmeCapabilityPlatformPort IDPerdido2Gig 0/6125R S IWS-C3550-1Gig0/6Perdido2Gig 0/5125R S IWS-C3550-1Gig 0/5 bridge# show cdp trafficCDP counters : Total packets output: 50882, Input: 52510 Hdr syntax: 0, Chksum error: 0, Encaps failed: 0 No memory: 0, Invalid packet: 0, Fragmented: 0 CDP version 1 advertisements output: 0, Input: 0 CDP version 2 advertisements output: 50882, Input: 52510
13-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 13 Configuring CDPMonitoring and Maintaining CDP
CHAPTER14-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-0214Configuring SNMPThis chapter describes how to configure the Simple Network Management Protocol (SNMP) on your WMIC.This chapter consists of these sections:•Understanding SNMP, page 14-2•Configuring SNMP, page 14-5•Displaying SNMP Status, page 14-11
14-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 14 Configuring SNMPUnderstanding SNMPUnderstanding SNMPSNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. The SNMP manager can be part of a network management system (NMS) such as CiscoWorks. The agent and management information base (MIB) reside on the WMIC. To configure SNMP on the WMIC, you define the relationship between the manager and the agent.The SNMP agent contains MIB variables whose values the SNMP manager can request or change. A manager can get a value from an agent or store a value into the agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to a manager’s requests to get or set data.An agent can send unsolicited traps to the manager. Traps are messages alerting the SNMP manager to a condition on the network. Traps can mean improper user authentication, restarts, link status (up or down), MAC address tracking, closing of a TCP connection, loss of connection to a neighbor, or other significant events.This section includes these concepts:•SNMP Versions, page 14-2•SNMP Manager Functions, page 14-3•SNMP Agent Functions, page 14-3•SNMP Community Strings, page 14-4•Using SNMP to Access MIB Variables, page 14-4SNMP VersionsThis software release supports these SNMP versions:•SNMPv1—The Simple Network Management Protocol, a full Internet standard, defined in RFC 1157.•SNMPv2C, which has these features:–SNMPv2—Version 2 of the Simple Network Management Protocol, a draft Internet standard, defined in RFCs 1902 through 1907.–SNMPv2C—The Community-based Administrative Framework for SNMPv2, an experimental Internet protocol defined in RFC 1901.SNMPv2C replaces the Party-based Administrative and Security Framework of SNMPv2Classic with the Community-based Administrative Framework of SNMPv2C while retaining the bulk retrieval and improved error handling of SNMPv2Classic.Both SNMPv1 and SNMPv2C use a community-based form of security. The community of managers able to access the agent’s MIB is defined by an IP address access control list and password. SNMPv2C includes a bulk retrieval mechanism and more detailed error message reporting to management stations. The bulk retrieval mechanism retrieves tables and large quantities of information, minimizing the number of round-trips required. The SNMPv2C improved error-handling includes expanded error codes that distinguish different kinds of error conditions; these conditions are reported through a single error code in SNMPv1. Error return codes now report the error type.
14-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 14 Configuring SNMPUnderstanding SNMPYou must configure the SNMP agent to use the version of SNMP supported by the management station. An agent can communicate with multiple managers; therefore, you can configure the software to support communications with one management station using the SNMPv1 protocol and another using the SNMPv2 protocol. SNMP Manager FunctionsThe SNMP manager uses information in the MIB to perform the operations described in Table 14-1.SNMP Agent FunctionsThe SNMP agent responds to SNMP manager requests as follows: •Get a MIB variable—The SNMP agent begins this function in response to a request from the NMS. The agent retrieves the value of the requested MIB variable and responds to the NMS with that value.•Set a MIB variable—The SNMP agent begins this function in response to a message from the NMS. The SNMP agent changes the value of the MIB variable to the value requested by the NMS.The SNMP agent also sends unsolicited trap messages to notify an NMS that a significant event has occurred on the agent. Examples of trap conditions include, but are not limited to, when a port or module goes up or down, when spanning-tree topology changes occur, and when authentication failures occur.Table 14-1 SNMP OperationsOperation Descriptionget-request Retrieves a value from a specific variable.get-next-request Retrieves a value from a variable within a table.11. With this operation, an SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.get-bulk-request22. The get-bulk command works only with SNMPv2.Retrieves large blocks of data that would otherwise require the transmission of many small blocks of data, such as multiple rows in a table.get-response Replies to a get-request, get-next-request, and set-request sent by an NMS.set-request Stores a value in a specific variable.trap An unsolicited message sent by an SNMP agent to an SNMP manager when some event has occurred.
14-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 14 Configuring SNMPUnderstanding SNMPSNMP Community StringsSNMP community strings authenticate access to MIB objects and function as embedded passwords. In order for the NMS to access the WMIC, the community string definitions on the NMS must match at least one of the three community string definitions on the WMIC.A community string can have one of these attributes:•Read-only—Gives read access to authorized management stations to all objects in the MIB except the community strings, but does not allow write access•Read-write—Gives read and write access to authorized management stations to all objects in the MIB, but does not allow access to the community stringsUsing SNMP to Access MIB Variables An example of an NMS is the CiscoWorks network management software. CiscoWorks 2000 software uses the MIB variables to set device variables and to poll devices on the network for specific information. The results of a poll can be displayed as a graph and analyzed to troubleshoot internetworking problems, increase network performance, verify the configuration of devices, monitor traffic loads, and more.As shown in Figure 14-1, the SNMP agent gathers data from the MIB. The agent can send traps (notification of certain events) to the SNMP manager, which receives and processes the traps. Traps are messages alerting the SNMP manager to a condition on the network such as improper user authentication, restarts, link status (up or down), MAC address tracking, and so forth. The SNMP agent also responds to MIB-related queries sent by the SNMP manager in get-request,get-next-request, and set-request format. Figure 14-1 SNMP NetworkFor information on supported MIBs and how to access them, see Appendix D, “Supported MIBs.”get-request, get-next-request,get-bulk, set-requestNetwork deviceget-response, traps 81949SNMP managerNMSMIBSNMP agent
14-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 14 Configuring SNMPConfiguring SNMPConfiguring SNMPThis section describes how to configure SNMP on your WMIC. It contains this configuration information:•Default SNMP Configuration, page 14-5•Enabling the SNMP Agent, page 14-5•Configuring Community Strings, page 14-5•Configuring Trap Managers and Enabling Traps, page 14-7•Setting the Agent Contact and Location Information, page 14-10•Using the snmp-server view Command, page 14-10•SNMP Examples, page 14-10Default SNMP ConfigurationTable 14-2 shows the default SNMP configuration.Enabling the SNMP AgentNo specific IOS command exists to enable SNMP. The first snmp-server global configuration command that you enter enables SNMPv1 and SNMPv2.You can also enable SNMP on the SNMP Properties page on the web-browser interface. When you enable SNMP on the web-browser interface, the access point automatically creates a community string called public with read-only access to the IEEE802dot11 MIB.Configuring Community StringsYou use the SNMP community string to define the relationship between the SNMP manager and the agent. The community string acts like a password to permit access to the agent on the WMIC. Optionally, you can specify one or more of these characteristics associated with the string:•An access list of IP addresses of the SNMP managers that are permitted to use the community string to gain access to the agent•A MIB view, which defines the subset of all MIB objects accessible to the given community •Read and write or read-only permission for the MIB objects accessible to the communityTable 14-2 Default SNMP ConfigurationFeature Default SettingSNMP agent DisabledSNMP community strings None configuredSNMP trap receiver None configuredSNMP traps None enabled
14-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 14 Configuring SNMPConfiguring SNMPNote In the current IOS MIB agent implementation, the default community string is for the Internet MIB object sub-tree. Because IEEE802dot11 is under another branch of the MIB object tree, you must enable either a separate community string and view on the IEEE802dot11 MIB or a common view and community string on the ISO object in the MIB object tree. ISO is the common parent node of IEEE (IEEE802dot11) and Internet. This MIB agent behavior is different from the MIB agent behavior on access points not running IOS software. Beginning in privileged EXEC mode, follow these steps to configure a community string on the WMIC:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 snmp-server community string[access-list-number ][view mib-view ][ro |rw]Configure the community string.•For string, specify a string that acts like a password and permits access to the SNMP protocol. You can configure one or more community strings of any length.•(Optional) For access-list-number, enter an IP standard access list numbered from 1 to 99 and 1300 to 1999.•(Optional) For view mib-view, specify a MIB view to which this community has access, such as ieee802dot11. See the “Using the snmp-server view Command” section on page 14-10 for instructions on using the snmp-server viewcommand to access Standard IEEE 802.11 MIB objects through IEEE view.•(Optional) Specify either read-only (ro) if you want authorized management stations to retrieve MIB objects, or specify read/write (rw) if you want authorized management stations to retrieve and modify MIB objects. By default, the community string permits read-only access to all objects.Note To access the IEEE802dot11 MIB, you must enable either a separate community string and view on the IEEE802dot11 MIB or a common view and community string on the ISO object in the MIB object tree.
14-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 14 Configuring SNMPConfiguring SNMPTo disable access for an SNMP community, set the community string for that community to the null string (do not enter a value for the community string). To remove a specific community string, use the no snmp-server community string global configuration command. This example shows how to assign the strings open and ieee to SNMP, to allow read-write access for both, and to specify that open is the community string for queries on non-IEEE802dot11-MIB objects and ieee is the community string for queries on IEEE802dot11-mib objects:bridge(config)# snmp-server view dot11view ieee802dot11 includedbridge(config)# snmp-server community open rwbridge(config)# snmp-server community ieee view ieee802dot11 rwConfiguring Trap Managers and Enabling TrapsA trap manager is a management station that receives and processes traps. Traps are system alerts that the device generates when certain events occur. By default, no trap manager is defined, and no traps are issued. Bridges running this IOS release can have an unlimited number of trap managers. Community strings can be any length.Table 14-3 describes the supported traps (notification types). You can enable any or all of these traps and configure a trap manager to receive them.Step 3 access-list access-list-number{deny |permit}source [source-wildcard](Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.•For access-list-number, enter the access list number specified in Step 2.•The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.•For source, enter the IP address of the SNMP managers that are permitted to use the community string to gain access to the agent.•(Optional) For source-wildcard, enter the wildcard bits in dotted decimal notation to be applied to the source. Place ones in the bit positions that you want to ignore.Recall that the access list is always terminated by an implicit deny statement for everything.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Command Purpose
14-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 14 Configuring SNMPConfiguring SNMPSome notification types cannot be controlled with the snmp-server enable global configuration command, such as tty and udp-port. These notification types are always enabled. You can use the snmp-server host global configuration command to a specific host to receive the notification types listed in Table 14-3.Table 14-3 Notification TypesNotification Type Descriptionauthenticate-fail Enable traps for authentication failures.config Enable traps for SNMP configuration changes.deauthenticate Enable traps for client device deauthentications.disassociate Enable traps for client device disassociations.dot11-qos Enable traps for QoS changes.entity Enable traps for SNMP entity changes.envmon temperature Enable traps for monitoring radio temperature. This trap is sent out when the WMIC radio temperature approaches the limits of its operating range.snmp Enable traps for SNMP events.syslog Enable syslog traps.wlan-wep Enable WEP traps.
14-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 14 Configuring SNMPConfiguring SNMPBeginning in privileged EXEC mode, follow these steps to configure the WMIC to send traps to a host:To remove the specified host from receiving traps, use the no snmp-server host host global configuration command. To disable a specific trap type, use the no snmp-server enable trapsnotification-types global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 snmp-server host host-addr {traps | informs} {version {1|2c}} community-string notification-typeSpecify the recipient of the trap message.•For host-addr, specify the name or address of the host (the targeted recipient).•Specify traps (the default) to send SNMP traps to the host. Specify informs to send SNMP informs to the host.•Specify the SNMP version to support. Version 1, the default, is not available with informs.Note Though visible in the command-line help string, the version 3 keyword (SNMPv3) is not supported.•For community-string, specify the string to send with the notification operation. Though you can set this string using the snmp-server host command, we recommend that you define this string by using the snmp-server communitycommand before using the snmp-server hostcommand. •For notification-type, use the keywords listed in Table 14-3 on page 14-8.Step 3 snmp-server enable traps notification-types Enable the WMIC to send specific traps. For a list of traps, see Table 14-3 on page 14-8.To enable multiple types of traps, you must issue a separate snmp-server enable traps command for each trap type.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
14-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 14 Configuring SNMPConfiguring SNMPSetting the Agent Contact and Location InformationBeginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:Using the snmp-server view CommandIn global configuration mode, use the snmp-server view command to access Standard IEEE 802.11 MIB objects through IEEE view and the dot11 read-write community string. This example shows how to enable IEEE view and dot11 read-write community string:bridge(config)# snmp-server view ieee ieee802dot11 includedbridge(config)# snmp-server community dot11 view ieee RWSNMP ExamplesThis example shows how to enable SNMPv1 and SNMPv2C. The configuration permits any SNMP manager to access all objects with read-only permissions using the community string public. This configuration does not cause the WMIC to send any traps.bridge(config)# snmp-server community publicThis example shows how to assign the strings open and ieee to SNMP, to allow read-write access for both, and to specify that open is the community string for queries on non-IEEE802dot11-MIB objects and ieee is the community string for queries on IEEE802dot11-mib objects:bridge(config)# snmp-server view dot11view ieee802dot11 includedbridge(config)# snmp-server community open rwbridge(config)# snmp-server community ieee view ieee802dot11 rwCommand PurposeStep 1 configure terminal Enter global configuration mode.Step 2 snmp-server contact text Set the system contact string.For example:snmp-server contact Dial System Operator at beeper 21555.Step 3 snmp-server location text Set the system location string.For example:snmp-server location Building 3/Room 222Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.
14-11Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 14 Configuring SNMPDisplaying SNMP StatusThis example shows how to permit any SNMP manager to access all objects with read-only permission using the community string public. The WMIC also sends config traps to the hosts 192.180.1.111 and 192.180.1.33 using SNMPv1 and to the host 192.180.1.27 using SNMPv2C. The community string public is sent with the traps.bridge(config)# snmp-server community publicbridge(config)# snmp-server enable traps configbridge(config)# snmp-server host 192.180.1.27 version 2c publicbridge(config)# snmp-server host 192.180.1.111 version 1 publicbridge(config)# snmp-server host 192.180.1.33 publicThis example shows how to allow read-only access for all objects to members of access list 4 that use the comaccess community string. No other SNMP managers have access to any objects. SNMP Authentication Failure traps are sent by SNMPv2C to the host cisco.com using the community string public.bridge(config)# snmp-server community comaccess ro 4bridge(config)# snmp-server enable traps snmp authenticationbridge(config)# snmp-server host cisco.com version 2c publicThis example shows how to send Entity MIB traps to the host cisco.com. The community string is restricted. The first line enables the WMIC to send Entity MIB traps in addition to any traps previously enabled. The second line specifies the destination of these traps and overwrites any previous snmp-server host commands for the host cisco.com.bridge(config)# snmp-server enable traps entitybridge(config)# snmp-server host cisco.com restricted entityThis example shows how to enable the WMIC to send all traps to the host myhost.cisco.com using the community string public:bridge(config)# snmp-server enable trapsbridge(config)# snmp-server host myhost.cisco.com publicDisplaying SNMP StatusTo display SNMP input and output statistics, including the number of illegal community string entries, errors, and requested variables, use the show snmp privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
14-12Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 14 Configuring SNMPDisplaying SNMP Status
CHAPTER15-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-0215Managing Firmware and ConfigurationsThis chapter describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images. This chapter consists of these sections:•Working with the Flash File System, page 15-2•Working with Configuration Files, page 15-8•Working with Software Images, page 15-19
15-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with the Flash File SystemWorking with the Flash File SystemThe Flash file system on your WMIC provides several commands to help you manage software image and configuration files.The Flash file system is a single Flash device on which you can store files. This Flash device is calledflash:.This section contains this information:•Displaying Available File Systems, page 15-2•Setting the Default File System, page 15-3•Displaying Information About Files on a File System, page 15-3•Changing Directories and Displaying the Working Directory, page 15-4•Creating and Removing Directories, page 15-4•Copying Files, page 15-5•Deleting Files, page 15-5•Creating, Displaying, and Extracting tar Files, page 15-6•Displaying the Contents of a File, page 15-8Displaying Available File SystemsTo display the available file systems on your WMIC, use the show file systems privileged EXEC command as shown in this example:bridge# show file systemsFile Systems: Size(b) Free(b) Type Flags Prefixes* 16128000 11118592 flash rw flash: 16128000 11118592 unknown rw zflash: 32768 26363 nvram rw nvram: - - network rw tftp: - - opaque rw null: - - opaque rw system: - - opaque ro xmodem: - - opaque ro ymodem: - - network rw rcp: - - network rw ftp:Table 15-1 lists field descriptions for the show file systems command.Table 15-1 show file systems Field DescriptionsField ValueSize(b) Amount of memory in the file system in bytes.Free(b) Amount of free memory in the file system in bytes.
15-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with the Flash File SystemSetting the Default File SystemYou can specify the file system or directory that the system uses as the default file system by using the cd filesystem: privileged EXEC command. You can set the default file system to omit the filesystem:argument from related commands. For example, for all privileged EXEC commands that have the optional filesystem: argument, the system uses the file system specified by the cd command.By default, the default file system is flash:.You can display the current default file system as specified by the cd command by using the pwdprivileged EXEC command.Displaying Information About Files on a File SystemYou can view a list of the contents of a file system before manipulating its contents. For example, before copying a new configuration file to Flash memory, you might want to verify that the file system does not already contain a configuration file with the same name. Similarly, before copying a Flash configuration file to another location, you might want to verify its filename for use in another command.Type Type of file system.flash—The file system is for a Flash memory device.network—The file system is for a network device.nvram—The file system is for a nonvolatile RAM (NVRAM) device.opaque—The file system is a locally generated pseudo file system (for example, the system) or a download interface, such as brimux.unknown—The file system is an unknown type.Flags Permission for file system. ro—read-only.rw—read/write.wo—write-only.Prefixes Alias for file system.flash:—Flash file system.ftp:—File Transfer Protocol network server. Used to transfer files to or from the network device.nvram:—Non-volatile RAM memory (NVRAM).null:—Null destination for copies. You can copy a remote file to null to determine its size.rcp:—Remote Copy Protocol (RCP) network server.system:—Contains the system memory, including the running configuration.tftp:—Trivial File Transfer Protocol (TFTP) network server.zflash:—Read-only file decompression file system, which mirrors the contents of the Flash file system.Table 15-1 show file systems Field Descriptions (continued)Field Value
15-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with the Flash File SystemTo display information about files on a file system, use one of the privileged EXEC commands in Table 15-2:Changing Directories and Displaying the Working DirectoryBeginning in privileged EXEC mode, follow these steps to change directories and display the working directory.Creating and Removing DirectoriesBeginning in privileged EXEC mode, follow these steps to create and remove a directory:To delete a directory with all its files and subdirectories, use the delete /force /recursive filesystem:/file-url privileged EXEC command. Table 15-2 Commands for Displaying Information About FilesCommand Descriptiondir [/all] [filesystem:][filename] Display a list of files on a file system.show file systems Display more information about each of the files on a file system.show file information file-url Display information about a specific file.show file descriptors Display a list of open file descriptors. File descriptors are the internal representations of open files. You can use this command to see if another user has a file open.Command PurposeStep 1 dir filesystem:Display the directories on the specified file system.For filesystem:, use flash: for the system board Flash device.Step 2 cd new_configs Change to the directory of interest.The command example shows how to change to the directory named new_configs.Step 3 pwd Display the working directory.Command PurposeStep 1 dir filesystem:Display the directories on the specified file system.For filesystem:, use flash: for the system board Flash device.Step 2 mkdir old_configs Create a new directory.The command example shows how to create the directory named old_configs.Directory names are case sensitive. Directory names are limited to 45 characters between the slashes (/); the name cannot contain control characters, spaces, deletes, slashes, quotes, semicolons, or colons.Step 3 dir filesystem:Verify your entry.
15-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with the Flash File SystemUse the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process. Use the /force and /recursive keywords for deleting old software images that were installed by using the archive download-sw command but are no longer needed.For filesystem, use flash: for the system board Flash device. For file-url, enter the name of the directory to be deleted. All the files in the directory and the directory are removed.Caution When files and directories are deleted, their contents cannot be recovered.Copying FilesTo copy a file from a source to a destination, use the copy [/erase]source-url destination-url privileged EXEC command. For the source and destination URLs, you can use running-config and startup-configkeyword shortcuts. For example, the copy running-config startup-config command saves the currently running configuration file to the NVRAM section of Flash memory to be used as the configuration during system initialization.Network file system URLs include ftp:,rcp:, and tftp: and have the following syntax:•File Transfer Protocol (FTP)—ftp:[[//username [:password]@location]/directory]/filename•Remote Copy Protocol (RCP)—rcp:[[//username@location]/directory]/filename•Trivial File Transfer Protocol (TFTP)—tftp:[[//location]/directory]/filenameLocal writable file systems include flash:.Some invalid combinations of source and destination exist. Specifically, you cannot copy these combinations:•From a running configuration to a running configuration•From a startup configuration to a startup configuration•From a device to the same device (for example, the copy flash: flash: command is invalid)For specific examples of using the copy command with configuration files, see the “Working with Configuration Files” section on page 15-8.To copy software images either by downloading a new version or uploading the existing one, use the archive download-sw or the archive upload-sw privileged EXEC command. For more information, see the “Working with Software Images” section on page 15-19.Deleting FilesWhen you no longer need a file on a Flash memory device, you can permanently delete it. To delete a file or directory from a specified Flash device, use the delete [/force] [/recursive] [filesystem:]/file-urlprivileged EXEC command. Caution When files are deleted, their contents cannot be recovered.
15-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with the Flash File SystemUse the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process. Use the /force and /recursivekeywords for deleting old software images that were installed by using the archive download-swcommand but are no longer needed.If you omit the filesystem: option, the WMIC uses the default device specified by the cd command. For file-url, you specify the path (directory) and the name of the file to be deleted.This example shows how to delete the file myconfig from the default Flash memory device:bridge# delete myconfigCreating, Displaying, and Extracting tar FilesYou can create a tar file and write files into it, list the files in a tar file, and extract the files from a tar file as described in the next sections.Creating a tar FileTo create a tar file and write files into it, use this privileged EXEC command:archive tar /create destination-url flash:/file-urlFor destination-url, specify the destination URL alias for the local or network file system and the name of the tar file to create. These options are supported:•For the local Flash file system, the syntax isflash:/file-url•For the File Transfer Protocol (FTP), the syntax is ftp:[[//username[:password]@location]/directory]/tar-filename.tar•For the Remote Copy Protocol (RCP), the syntax is rcp:[[//username@location]/directory]/tar-filename.tar•For the Trivial File Transfer Protocol (TFTP), the syntax is tftp:[[//location]/directory]/tar-filename.tarThe tar-filename.tar is the tar file to be created.For flash:/file-url, specify the location on the local Flash file system from which the new tar file is created. You can also specify an optional list of files or directories within the source directory to write to the new tar file. If none are specified, all files and directories at this level are written to the newly created tar file.This example shows how to create a tar file. This command writes the contents of the new-configsdirectory on the local Flash device to a file named saved.tar on the TFTP server at 172.20.10.30:bridge# archive tar /create tftp://172.20.10.30/saved.tar flash:/new-configs
15-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with the Flash File SystemDisplaying the Contents of a tar FileTo display the contents of a tar file on the screen, use this privileged EXEC command:archive tar /table source-urlFor source-url, specify the source URL alias for the local or network file system. These options are supported:•For the local Flash file system, the syntax isflash:•For the File Transfer Protocol (FTP), the syntax is ftp:[[//username[:password]@location]/directory]/tar-filename.tar•For the Remote Copy Protocol (RCP), the syntax is rcp:[[//username@location]/directory]/tar-filename.tar•For the Trivial File Transfer Protocol (TFTP), the syntax is tftp:[[//location]/directory]/tar-filename.tarThe tar-filename.tar is the tar file to display.You can also limit the display of the files by specifying an optional list of files or directories after the tar file; then only these files are displayed. If none are specified, all files and directories are displayed.This example shows how to display the contents of the c1200-k9w7-mx.122-8.JA.tar file that is in Flash memory:bridge# archive tar /table flash:c1200-k9w7-mx.122-8.JA.tarinfo (219 bytes)c1400-k9w7-mx.122-11.JA/ (directory)c1400-k9w7-mx.122-11.JA/html/ (directory)c1400-k9w7-mx.122-11.JA/html/foo.html (0 bytes)c1400-k9w7-mx.122-11.JA/c1200-k9w7-mx.122-8.JA.bin (610856 bytes)c1400-k9w7-mx.122-11.JA/info (219 bytes)info.ver (219 bytes)This example shows how to display only the c1200-k9w7-mx.122-8.JA/html directory and its contents:bridge# archive tar /table flash:c1200-k9w7-mx.122-8.JA/htmlc1400-k9w7-mx.122-11.JA/html/ (directory)c1400-k9w7-mx.122-11.JA/html/foo.html (0 bytes)Extracting a tar FileTo extract a tar file into a directory on the Flash file system, use this privileged EXEC command:archive tar /xtract source-url flash:/file-urlFor source-url, specify the source URL alias for the local or network file system. These options are supported:•For the local Flash file system, the syntax isflash:•For the File Transfer Protocol (FTP), the syntax is ftp:[[//username[:password]@location]/directory]/tar-filename.tar•For the Remote Copy Protocol (RCP), the syntax is rcp:[[//username@location]/directory]/tar-filename.tar•For the Trivial File Transfer Protocol (TFTP), the syntax is tftp:[[//location]/directory]/tar-filename.tar
15-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Configuration FilesThe tar-filename.tar is the tar file from which to extract files.For flash:/file-url, specify the location on the local Flash file system into which the tar file is extracted. You can also specify an optional list of files or directories within the tar file for extraction. If none are specified, all files and directories are extracted.This example shows how to extract the contents of a tar file located on the TFTP server at 172.20.10.30. This command extracts just the new-configs directory into the root directory on the local Flash file system. The remaining files in the saved.tar file are ignored.bridge# archive tar /xtract tftp://172.20.10.30/saved.tar flash:/new-configsDisplaying the Contents of a FileTo display the contents of any readable file, including a file on a remote file system, use the more [/ascii|/binary | /ebcdic]file-url privileged EXEC command: This example shows how to display the contents of a configuration file on a TFTP server:bridge# more tftp://serverA/hampton/savedconfig!! Saved configuration on server!version 11.3service timestamps log datetime localtimeservice linenumberservice udp-small-serversservice pt-vty-logging!<output truncated>Working with Configuration FilesThis section describes how to create, load, and maintain configuration files. Configuration files contain commands entered to customize the function of the Cisco IOS software. To better benefit from these instructions, your WMIC contains a minimal default running configuration for interacting with the system software. You ca n c opy (download) configuration files from a TFTP, FTP, or RCP server to the running configuration of the WMIC for various reasons:•To restore a backed-up configuration file.•To use the configuration file for another bridge. For example, you might add another bridge to your network and want it to have a configuration similar to the original bridge. By copying the file to the new bridge, you can change the relevant parts rather than recreating the whole file.•To load the same configuration commands on all the access points in your network so that all the access points have similar configurations.You can copy (upload) configuration files from the WMIC to a file server by using TFTP, FTP, or RCP. You might perform this task to back up a current configuration file to a server before changing its contents so that you can later restore the original configuration file from the server. The protocol you use depends on which type of server you are using. The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP. These improvements are possible because FTP and RCP are built on and use the Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which is connection oriented.
15-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Configuration FilesThis section includes this information:•Guidelines for Creating and Using Configuration Files, page 15-9•Configuration File Types and Location, page 15-9•Creating a Configuration File by Using a Text Editor, page 15-10•Copying Configuration Files by Using TFTP, page 15-10•Copying Configuration Files by Using FTP, page 15-12•Copying Configuration Files by Using RCP, page 15-15•Clearing Configuration Information, page 15-18Guidelines for Creating and Using Configuration FilesCreating configuration files can aid in your WMIC configuration. Configuration files can contain some or all of the commands needed to configure one or more access points. For example, you might want to download the same configuration file to several access points that have the same hardware configuration.Use these guidelines when creating a configuration file:•If no passwords have been set on the WMIC, you must set them on each bridge by entering the enable secret secret-password global configuration command. Enter a blank line for this command. The password is saved in the configuration file as clear text.•If passwords already exist, you cannot enter the enable secret secret-password global configuration command in the file because the password verification will fail. If you enter a password in the configuration file, the WMIC mistakenly attempts to execute the passwords as commands as it executes the file.•The copy {ftp: | rcp: | tftp:}system:running-config privileged EXEC command loads the configuration files on the WMIC as if you were entering the commands at the command line. The WMIC does not erase the existing running configuration before adding the commands. If a command in the copied configuration file replaces a command in the existing configuration file, the existing command is erased. For example, if the copied configuration file contains a different IP address in a particular command than the existing configuration, the IP address in the copied configuration is used. However, some commands in the existing configuration might not be replaced or negated. In this case, the resulting configuration file is a mixture of the existing configuration file and the copied configuration file, with the copied configuration file having precedence. To restore a configuration file to an exact copy of a file stored on a server, copy the configuration file directly to the startup configuration (by using the copy {ftp: | rcp: | tftp:}nvram:startup-config privileged EXEC command), and reload the WMIC.Configuration File Types and LocationStartup configuration files are used during system startup to configure the software. Running configuration files contain the current configuration of the software. The two configuration files can be different. For example, you might want to change the configuration for a short time period rather than permanently. In this case, you would change the running configuration but not save the configuration by using the copy running-config startup-config privileged EXEC command.The running configuration is saved in DRAM; the startup configuration is stored in the NVRAM section of Flash memory.
15-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Configuration FilesCreating a Configuration File by Using a Text EditorWhen creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:Step 1 Copy an existing configuration from a WMIC to a server.For more information, see the “Downloading the Configuration File by Using TFTP” section on page 15-11, the “Downloading a Configuration File by Using FTP” section on page 15-13, or the “Downloading a Configuration File by Using RCP” section on page 15-16.Step 2 Open the configuration file in a text editor such as vi or emacs on UNIX or Notepad on a PC.Step 3 Extract the portion of the configuration file with the desired commands, and save it in a new file.Step 4 Copy the configuration file to the appropriate server location. For example, copy the file to the TFTP directory on the workstation (usually /tftpboot on a UNIX workstation).Step 5 Make sure the permissions on the file are set to world-read.Copying Configuration Files by Using TFTPYou can configure the WMIC by using configuration files you create, download from another device, or download from a TFTP server. You can copy (upload) configuration files to a TFTP server for storage.This section includes this information:•Preparing to Download or Upload a Configuration File by Using TFTP, page 15-10•Downloading the Configuration File by Using TFTP, page 15-11•Uploading the Configuration File by Using TFTP, page 15-11Preparing to Download or Upload a Configuration File by Using TFTPBefore you begin downloading or uploading a configuration file by using TFTP, perform these tasks:•Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line:tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpbootMake sure that the /etc/services file contains this line:tftp 69/udpNote You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastbootcommand (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For more information on the TFTP daemon, refer to the documentation for your workstation.•Ensure that the WMIC has a route to the TFTP server. The WMIC and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the TFTP server by using the ping command.
15-11Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Configuration Files•Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).•For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.•Before uploading the configuration file, you might need to create an empty file on the TFTP server. To create an empty file, enter the touch filename command, where filename is the name of the file you will use when uploading it to the server.•During upload operations, if you are overwriting an existing file (including an empty file, if you had to create one) on the server, ensure that the permissions on the file are set correctly. Permissions on the file should be world-write.Downloading the Configuration File by Using TFTPTo configure the WMIC by using a configuration file downloaded from a TFTP server, follow these steps:Step 1 Copy the configuration file to the appropriate TFTP directory on the workstation.Step 2 Verify that the TFTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using TFTP” section on page 15-10.Step 3 Log into the WMIC through a Telnet session.Step 4 Download the configuration file from the TFTP server to configure the WMIC. Specify the IP address or host name of the TFTP server and the name of the file to download.Use one of these privileged EXEC commands:•copy tftp:[[[//location]/directory]/filename]system:running-config•copy tftp:[[[//location]/directory]/filename]nvram:startup-configThe configuration file downloads, and the commands are executed as the file is parsed line-by-line.This example shows how to configure the software from the file tokyo-confg at IP address 172.16.2.155:bridge# copy tftp://172.16.2.155/tokyo-confg system:running-configConfigure using tokyo-confg from 172.16.2.155? [confirm] yBooting tokyo-confg from 172.16.2.155:!!! [OK - 874/16000 bytes]Uploading the Configuration File by Using TFTPTo upload a configuration file from a WMIC to a TFTP server for storage, follow these steps:Step 1 Verify that the TFTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using TFTP” section on page 15-10.Step 2 Log into the WMIC through a Telnet session.Step 3 Upload the WMIC configuration to the TFTP server. Specify the IP address or host name of the TFTP server and the destination filename.
15-12Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Configuration FilesUse one of these privileged EXEC commands:•copy system:running-config tftp:[[[//location]/directory]/filename]•copy nvram:startup-config tftp:[[[//location]/directory]/filename]The file is uploaded to the TFTP server.This example shows how to upload a configuration file from an WMIC to a TFTP server:bridge# copy system:running-config tftp://172.16.2.155/tokyo-configWrite file tokyo-confg on host 172.16.2.155? [confirm] y#Writing tokyo-confg!!! [OK]Copying Configuration Files by Using FTPYou can copy configuration files to or from an FTP server.The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy a configuration file from the WMIC to a server by using FTP, the Cisco IOS software sends the first valid username in this list:•The username specified in the copy command if a username is specified.•The username set by the ip ftp username username global configuration command if the command is configured.•Anonymous.The WMIC sends the first valid password in this list:•The password specified in the copy command if a password is specified.•The password set by the ip ftp password password global configuration command if the command is configured.•The WMIC forms a password named username@apname.domain. The variable username is the username associated with the current session, apname is the configured host name, and domain is the domain of the WMIC.The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept your FTP write request.Use the ip ftp username and ip ftp password commands to specify a username and password for all copies. Include the username in the copy command if you want to specify only a username for that copy operation.If the server has a directory structure, the configuration file is written to or copied from the directory associated with the username on the server. For example, if the configuration file resides in the home directory of a user on the server, specify that user's name as the remote username. For more information, refer to the documentation for your FTP server.This section includes this information:•Preparing to Download or Upload a Configuration File by Using FTP, page 15-13•Downloading a Configuration File by Using FTP, page 15-13•Uploading a Configuration File by Using FTP, page 15-14
15-13Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Configuration FilesPreparing to Download or Upload a Configuration File by Using FTPBefore you begin downloading or uploading a configuration file by using FTP, perform these tasks:•Ensure that the WMIC has a route to the FTP server. The WMIC and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.•If you are accessing the WMIC through a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new FTP username by using the ip ftp username username global configuration command during all copy operations. The new username is stored in NVRAM. If you are accessing the WMIC through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username. Include the username in the copy command if you want to specify a username for only that copy operation. •When you upload a configuration file to the FTP server, it must be properly configured to accept the write request from the user on the WMIC.For more information, refer to the documentation for your FTP server.Downloading a Configuration File by Using FTPBeginning in privileged EXEC mode, follow these steps to download a configuration file by using FTP:This example shows how to copy a configuration file named host1-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 and to load and run those commands on the WMIC:bridge# copy ftp://netadmin1:mypass@172.16.101.101/host1-confg system:running-configConfigure using host1-confg from 172.16.101.101? [confirm]Command PurposeStep 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using FTP” section on page 15-13.Step 2 Log into the WMIC through a Telnet session.Step 3 configure terminal Enter global configuration mode on the WMIC.This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). Step 4 ip ftp username username (Optional) Change the default remote username.Step 5 ip ftp password password (Optional) Change the default password.Step 6 end Return to privileged EXEC mode. Step 7 copyftp:[[[//[username[:password]@]location]/directory]/filename]system:running-configorcopyftp:[[[//[username[:password]@]location]/directory]/filename]nvram:startup-configUsing FTP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
15-14Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Configuration FilesConnected to 172.16.101.101Loading 1112 byte file host1-confg:![OK]bridge#%SYS-5-CONFIG: Configured from host1-config by ftp from 172.16.101.101This example shows how to specify a remote username of netadmin1. The software copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the WMIC startup configuration.bridge# configure terminalbridge(config)# ip ftp username netadmin1bridge(config)# ip ftp password mypassbridge(config)# endbridge# copy ftp: nvram:startup-configAddress of remote host [255.255.255.255]? 172.16.101.101Name of configuration file[rtr2-confg]? host2-confgConfigure using host2-confg from 172.16.101.101?[confirm]Connected to 172.16.101.101Loading 1112 byte file host2-confg:![OK][OK]bridge#%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by ftp from 172.16.101.101Uploading a Configuration File by Using FTPBeginning in privileged EXEC mode, follow these steps to upload a configuration file by using FTP:This example shows how to copy the running configuration file named ap2-confg to the netadmin1directory on the remote host with an IP address of 172.16.101.101: bridge# copy system:running-config ftp://netadmin1:mypass@172.16.101.101/ap2-confgWrite file ap2-confg on host 172.16.101.101?[confirm]Command PurposeStep 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using FTP” section on page 15-13.Step 2 Log into the WMIC through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). Step 4 ip ftp username username (Optional) Change the default remote username.Step 5 ip ftp password password (Optional) Change the default password.Step 6 end Return to privileged EXEC mode. Step 7 copy system:running-config ftp:[[[//[username[:password]@]location]/directory]/filename]orcopy nvram:startup-config ftp:[[[//[username[:password]@]location]/directory]/filename]Using FTP, store the WMIC running or startup configuration file to the specified location.
15-15Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Configuration FilesBuilding configuration...[OK]Connected to 172.16.101.101bridge#This example shows how to store a startup configuration file on a server by using FTP to copy the file:bridge# configure terminalbridge(config)# ip ftp username netadmin2bridge(config)# ip ftp password mypassbridge(config)# endbridge# copy nvram:startup-config ftp:Remote host[]? 172.16.101.101Name of configuration file to write [ap2-confg]?Write file ap2-confg on host 172.16.101.101?[confirm]![OK]Copying Configuration Files by Using RCPThe Remote Copy Protocol (RCP) provides another method of downloading, uploading, and copying configuration files between remote hosts and the WMIC. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented. To use RCP to copy files, the server from or to which you will be copying files must support RCP. The RCP copy commands rely on the rsh server (or daemon) on the remote system. To copy files by using RCP, you do not need to create a server for file distribution as you do with TFTP. You only need to have access to a server that supports the remote shell (rsh). (Most UNIX systems support rsh.) Because you are copying a file from one place to another, you must have read permission on the source file and write permission on the destination file. If the destination file does not exist, RCP creates it for you.The RCP requires a client to send a remote username with each RCP request to a server. When you copy a configuration file from the WMIC to a server, the Cisco IOS software sends the first valid username in this list:•The username specified in the copy command if a username is specified.•The username set by the ip rcmd remote-username username global configuration command if the command is configured.•The remote username associated with the current TTY (terminal) process. For example, if the user is connected to the router through Telnet and was authenticated through the username command, the WMIC software sends the Telnet username as the remote username. •The WMIC host name.For a successful RCP copy request, you must define an account on the network server for the remote username. If the server has a directory structure, the configuration file is written to or copied from the directory associated with the remote username on the server. For example, if the configuration file is in the home directory of a user on the server, specify that user's name as the remote username. This section includes this information:•Preparing to Download or Upload a Configuration File by Using RCP, page 15-16•Downloading a Configuration File by Using RCP, page 15-16•Uploading a Configuration File by Using RCP, page 15-17
15-16Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Configuration FilesPreparing to Download or Upload a Configuration File by Using RCPBefore you begin downloading or uploading a configuration file by using RCP, perform these tasks:•Ensure that the workstation acting as the RCP server supports the remote shell (rsh).•Ensure that the WMIC has a route to the RCP server. The WMIC and the server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the RCP server by using the ping command.•If you are accessing the WMIC through a Telnet session and you do not have a valid username, make sure that the current RCP username is the one that you want to use for the RCP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new RCP username by using the ip rcmd remote-username usernameglobal configuration command to be used during all copy operations. The new username is stored in NVRAM. If you are accessing the WMIC through a Telnet session and you have a valid username, this username is used, and you do not need to set the RCP username. Include the username in the copy command if you want to specify a username for only that copy operation. •When you upload a file to the RCP server, it must be properly configured to accept the RCP write request from the user on the WMIC. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server. For example, suppose that the WMIC contains these configuration lines:hostname ap1ip rcmd remote-username User0If the WMIC IP address translates to ap1.company.com, the .rhosts file for User0 on the RCP server should contain this line:ap1.company.com ap1For more information, refer to the documentation for your RCP server.Downloading a Configuration File by Using RCPBeginning in privileged EXEC mode, follow these steps to download a configuration file by using RCP:Command PurposeStep 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using RCP” section on page 15-16.Step 2 Log into the WMIC through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username (see Steps 4 and 5). Step 4 ip rcmd remote-username username (Optional) Specify the remote username.
15-17Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Configuration FilesThis example shows how to copy a configuration file named host1-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 and load and run those commands on the WMIC:bridge# copy rcp://netadmin1@172.16.101.101/host1-confg system:running-configConfigure using host1-confg from 172.16.101.101? [confirm]Connected to 172.16.101.101Loading 1112 byte file host1-confg:![OK]bridge#%SYS-5-CONFIG: Configured from host1-config by rcp from 172.16.101.101This example shows how to specify a remote username of netadmin1. Then it copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the startup configuration:bridge# configure terminalbridge(config)# ip rcmd remote-username netadmin1bridge(config)# endbridge# copy rcp: nvram:startup-configAddress of remote host [255.255.255.255]? 172.16.101.101Name of configuration file[rtr2-confg]? host2-confgConfigure using host2-confg from 172.16.101.101?[confirm]Connected to 172.16.101.101Loading 1112 byte file host2-confg:![OK][OK]bridge#%SYS-5-CONFIG_NV:Non-volatile store configured from host2-config by rcp from 172.16.101.101Uploading a Configuration File by Using RCPBeginning in privileged EXEC mode, follow these steps to upload a configuration file by using RCP:Step 5 end Return to privileged EXEC mode. Step 6 copyrcp:[[[//[username@]location]/directory]/filename]system:running-configorcopyrcp:[[[//[username@]location]/directory]/filename]nvram:startup-configUsing RCP, copy the configuration file from a network server to the running configuration or to the startup configuration file. Command PurposeCommand PurposeStep 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using RCP” section on page 15-16.Step 2 Log into the WMIC through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username (see Steps 4 and 5). Step 4 ip rcmd remote-username username (Optional) Specify the remote username.
15-18Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Configuration FilesThis example shows how to copy the running configuration file named ap2-confg to the netadmin1directory on the remote host with an IP address of 172.16.101.101: bridge# copy system:running-config rcp://netadmin1@172.16.101.101/ap2-confgWrite file br-confg on host 172.16.101.101?[confirm]Building configuration...[OK]Connected to 172.16.101.101bridge#This example shows how to store a startup configuration file on a server:bridge# configure terminalbridge(config)# ip rcmd remote-username netadmin2bridge(config)# endbridge# copy nvram:startup-config rcp:Remote host[]? 172.16.101.101Name of configuration file to write [ap2-confg]?Write file ap2-confg on host 172.16.101.101?[confirm]![OK]Clearing Configuration InformationThis section describes how to clear configuration information. Deleting a Stored Configuration FileCaution You cannot restore a file after it has been deleted. To delete a saved configuration from Flash memory, use the delete flash:filename privileged EXEC command. Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the WMIC prompts for confirmation on destructive file operations. For more information about the file prompt command, refer to the Cisco IOS Command Reference for Release 12.1.Step 5 end Return to privileged EXEC mode. Step 6 copy system:running-config rcp:[[[//[username@]location]/directory]/filename]orcopy nvram:startup-config rcp:[[[//[username@]location]/directory]/filename]Using RCP, copy the configuration file from an WMIC running or startup configuration file to a network server.Command Purpose
15-19Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesWorking with Software ImagesThis section describes how to archive (download and upload) software image files, which contain the system software, IOS code, radio firmware, and the web management HTML files.You download an WMIC image file from a TFTP, FTP, or RCP server to upgrade the WMIC software. You upload an WMIC image file to a TFTP, FTP, or RCP server for backup purposes. You can use this uploaded image for future downloads to the same WMIC or another of the same type.The protocol you use depends on which type of server you are using. The FTP and RCP transport mechanisms provide faster performance and more reliable delivery of data than TFTP. These improvements are possible because FTP and RCP are built on and use the Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which is connection-oriented.This section includes this information:•Image Location on the WMIC, page 15-19•tar File Format of Images on a Server or Cisco.com, page 15-19•Copying Image Files by Using TFTP, page 15-20•Copying Image Files by Using FTP, page 15-23•Copying Image Files by Using RCP, page 15-27•Reloading the Image Using the Web Browser Interface, page 15-32Note For a list of software images and supported upgrade paths, refer to the release notes for your WMIC.Image Location on the WMICThe IOS image is stored in a directory that shows the version number. A subdirectory contains the HTML files needed for web management. The image is stored on the system board Flash memory (flash:). You can use the show version privileged EXEC command to see the software version that is currently running on your WMIC. In the display, check the line that begins with System image file is... It shows the directory name in Flash memory where the image is stored.You can also use the dir filesystem: privileged EXEC command to see the directory names of other software images you might have stored in Flash memory.tar File Format of Images on a Server or Cisco.comSoftware images located on a server or downloaded from Cisco.com are provided in a tar file format, which contains these files:•info file (The info file is always at the beginning of the tar file and contains information about the files within it.)•IOS image•Web management files needed by the HTTP server on the WMIC•radio firmware 6500.img file•info.ver file
15-20Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesThe info.ver file is always at the end of the tar file and contains the same information as the info file. Because it is the last file in the tar file, its existence means that all files in the image have been downloaded.Note The tar file sometimes ends with an extension other than .tar.Copying Image Files by Using TFTPYou can download an WMIC image from a TFTP server or upload the image from the WMIC to a TFTP server.You download an WMIC image file from a server to upgrade the WMIC software. You can overwrite the current image with the new one.You upload an WMIC image file to a server for backup purposes; this uploaded image can be used for future downloads to the same or another device of the same type.This section includes this information:•Preparing to Download or Upload an Image File by Using TFTP, page 15-20•Downloading an Image File by Using TFTP, page 15-21•Uploading an Image File by Using TFTP, page 15-22Preparing to Download or Upload an Image File by Using TFTPBefore you begin downloading or uploading an image file by using TFTP, perform these tasks:•Ensure that the workstation acting as the TFTP server is properly configured. On a Sun workstation, make sure that the /etc/inetd.conf file contains this line:tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd -p -s /tftpbootMake sure that the /etc/services file contains this line:tftp 69/udpNote You must restart the inetd daemon after modifying the /etc/inetd.conf and /etc/services files. To restart the daemon, either stop the inetd process and restart it, or enter a fastbootcommand (on the SunOS 4.x) or a reboot command (on Solaris 2.x or SunOS 5.x). For more information on the TFTP daemon, refer to the documentation for your workstation.•Ensure that the WMIC has a route to the TFTP server. The WMIC and the TFTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the TFTP server by using the ping command.•Ensure that the image to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).•For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.•Before uploading the image file, you might need to create an empty file on the TFTP server. To create an empty file, enter the touch filename command, where filename is the name of the file you will use when uploading the image to the server.
15-21Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software Images•During upload operations, if you are overwriting an existing file (including an empty file, if you had to create one) on the server, ensure that the permissions on the file are set correctly. Permissions on the file should be world-write.Downloading an Image File by Using TFTPYou can download a new image file and replace the current image or keep the current image. Caution For the download and upload algorithms to operate properly, do not rename image directories.Beginning in privileged EXEC mode, follow Steps 1 through 3 to download a new image from a TFTP server and overwrite the existing image. Note To avoid an unsuccessful download, use the archive download-sw /safe command, which downloads the image first and does not delete the current running version until the download succeeds.Command PurposeStep 1 . Copy the image to the appropriate TFTP directory on the workstation. Make sure the TFTP server is properly configured; see the “Preparing to Download or Upload an Image File by Using TFTP” section on page 15-20Step 2 Log into the WMIC through a Telnet session.Step 3 archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-nameDownload the image file from the TFTP server to the WMIC, and overwrite the current image.•The /overwrite option overwrites the software image in Flash with the downloaded image.•The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.•For location, specify the IP address of the TFTP server.•For directory/image-name, specify the directory (optional) and the image to download. Directory and image names are case sensitive.Step 4 archive download-sw /leave-old-sw /reload tftp:[[//location]/directory]/image-nameDownload the image file from the TFTP server to the WMIC, and keep the current image.•The /leave-old-sw option keeps the old software version after a download.•The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.•For location, specify the IP address of the TFTP server.•For directory/image-name, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
15-22Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesThe download algorithm verifies that the image is appropriate for the WMIC model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the Flash device whether or not it is the same as the new one, downloads the new image, and then reloads the software.Note If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.If you specify the /leave-old-sw, the existing files are not removed. If there is not enough space to install the new image and keep the current running image, the download process stops, and an error message is displayed.The algorithm installs the downloaded image on the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the system boot path variable is updated to point to the newly installed image.If you kept the old image during the download process (you specified the /leave-old-sw keyword), you can remove it by entering the delete /force /recursive filesystem:/file-url privileged EXEC command. For filesystem, use flash: for the system board Flash device. For file-url, enter the directory name of the old image. All the files in the directory and the directory are removed.Uploading an Image File by Using TFTPYou can upload an image from the WMIC to a TFTP server. You can later download this image to the WMIC or to another WMIC of the same type.Caution For the download and upload algorithms to operate properly, do not rename image directories.Beginning in privileged EXEC mode, follow these steps to upload an image to a TFTP server:The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format. Command PurposeStep 1 Make sure the TFTP server is properly configured; see the “Preparing to Download or Upload an Image File by Using TFTP” section on page 15-20.Step 1 Log into the WMIC through a Telnet session.Step 2 archive upload-swtftp:[[//location]/directory]/image-name.tarUpload the currently running WMIC image to the TFTP server. •For location, specify the IP address of the TFTP server.•For directory/image-name.tar, specify the directory (optional) and the name of the software image to be uploaded. Directory and image names are case sensitive. The image-name.tar is the name of the software image to be stored on the server.
15-23Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesCopying Image Files by Using FTPYou can download a WMIC image from an FTP server or upload the image from the WMIC to an FTP server.You download a WMIC image file from a server to upgrade the WMIC software. You can overwrite the current image with the new one or keep the current image after a download.You upload an WMIC image file to a server for backup purposes. You can use this uploaded image for future downloads to the WMIC or another device of the same type.This section includes this information:•Preparing to Download or Upload an Image File by Using FTP, page 15-23•Downloading an Image File by Using FTP, page 15-24•Uploading an Image File by Using FTP, page 15-26Preparing to Download or Upload an Image File by Using FTPYou can copy images files to or from an FTP server.The FTP protocol requires a client to send a remote username and password on each FTP request to a server. When you copy an image file from the WMIC to a server by using FTP, the Cisco IOS software sends the first valid username in this list:•The username specified in the archive download-sw or archive upload-sw privileged EXEC command if a username is specified.•The username set by the ip ftp username username global configuration command if the command is configured.•Anonymous.The WMIC sends the first valid password in this list:•The password specified in the archive download-sw or archive upload-sw privileged EXEC command if a password is specified.•The password set by the ip ftp password password global configuration command if the command is configured.•The WMIC forms a password named username@apname.domain. The variable username is the username associated with the current session, apname is the configured host name, and domain is the domain of the WMIC.The username and password must be associated with an account on the FTP server. If you are writing to the server, the FTP server must be properly configured to accept the FTP write request from you.Use the ip ftp username and ip ftp password commands to specify a username and password for all copies. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation. If the server has a directory structure, the image file is written to or copied from the directory associated with the username on the server. For example, if the image file resides in the home directory of a user on the server, specify that user's name as the remote username. Before you begin downloading or uploading an image file by using FTP, perform these tasks:•Ensure that the WMIC has a route to the FTP server. The WMIC and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Verify connectivity to the FTP server by using the ping command.
15-24Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software Images•If you are accessing the WMIC through a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new FTP username by using the ip ftp username username global configuration command. This new name will be used during all archive operations. The new username is stored in NVRAM. If you are accessing the WMIC through a Telnet session and you have a valid username, this username is used, and you do not need to set the FTP username. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username for that operation only. •When you upload an image file to the FTP server, it must be properly configured to accept the write request from the user on the WMIC.For more information, refer to the documentation for your FTP server.Downloading an Image File by Using FTPYou can download a new image file and overwrite the current image or keep the current image. Caution For the download and upload algorithms to operate properly, do not rename image directories.Beginning in privileged EXEC mode, follow Steps 1 through 7 to download a new image from an FTP server and overwrite the existing image. To keep the current image, skip Step 7.Command PurposeStep 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload an Image File by Using FTP” section on page 15-23.Step 2 Log into the WMIC through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). Step 4 ip ftp username username (Optional) Change the default remote username.Step 5 ip ftp password password (Optional) Change the default password.Step 6 end Return to privileged EXEC mode.
15-25Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesNote To avoid an unsuccessful download, use the archive download-sw /safe command, which downloads the image first and does not delete the current running version until the download succeeds.The download algorithm verifies that the image is appropriate for the WMIC model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the Flash device, whether or not it is the same as the new one, downloads the new image, and then reloads the software.Note If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.Step 7 archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tarDownload the image file from the FTP server to the WMIC, and overwrite the current image.•The /overwrite option overwrites the software image in Flash with the downloaded image.•The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.•For //username[:password], specify the username and password; these must be associated with an account on the FTP server. For more information, see the “Preparing to Download or Upload an Image File by Using FTP” section on page 15-23.•For @location, specify the IP address of the FTP server.•For directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.Step 8 archive download-sw /leave-old-sw /reload ftp:[[//username[:password]@location]/directory]/image-name.tarDownload the image file from the FTP server to the WMIC, and keep the current image.•The /leave-old-sw option keeps the old software version after a download.•The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.•For //username[:password], specify the username and password. These must be associated with an account on the FTP server. For more information, see the “Preparing to Download or Upload an Image File by Using FTP” section on page 15-23.•For @location, specify the IP address of the FTP server.•For directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.Command Purpose
15-26Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesIf you specify the /leave-old-sw, the existing files are not removed. If there is not enough space to install the new image and keep the running image, the download process stops, and an error message is displayed.The algorithm installs the downloaded image onto the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT path-list is updated to point to the newly installed image. Use the privileged EXEC mode show boot command to display boot attributes, and use the global configuration boot command to change the boot attributes.If you kept the old image during the download process (you specified the /leave-old-sw keyword), you can remove it by entering the delete /force /recursive filesystem:/file-url privileged EXEC command. For filesystem, use flash: for the system board Flash device. For file-url, enter the directory name of the old software image. All the files in the directory and the directory are removed.Uploading an Image File by Using FTPYou can upload an image from the WMIC to an FTP server. You can later download this image to the same WMIC or to another WMIC of the same type.Caution For the download and upload algorithms to operate properly, do not rename image directories.The upload feature is available only if the HTML pages associated with the Cluster Management Suite (CMS) have been installed with the existing image.Beginning in privileged EXEC mode, follow these steps to upload an image to an FTP server:Command PurposeStep 1 Verify that the FTP server is properly configured by referring to the “Preparing to Download or Upload a Configuration File by Using FTP” section on page 15-13.Step 2 Log into the WMIC through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username or password (see Steps 4, 5, and 6). Step 4 ip ftp username username (Optional) Change the default remote username.Step 5 ip ftp password password (Optional) Change the default password.
15-27Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesThe archive upload-sw command builds an image file on the server by uploading these files in order: info, the IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format. Copying Image Files by Using RCPYou can download a WMIC image from an RCP server or upload the image from the WMIC to an RCP server.You download a WMIC image file from a server to upgrade the WMIC software. You can overwrite the current image with the new one or keep the current image after a download.You upload a WMIC image file to a server for backup purposes. You can use this uploaded image for future downloads to the same WMIC or another device of the same type.This section includes this information:•Preparing to Download or Upload an Image File by Using RCP, page 15-27•Downloading an Image File by Using RCP, page 15-29•Uploading an Image File by Using RCP, page 15-31Preparing to Download or Upload an Image File by Using RCPRCP provides another method of downloading and uploading image files between remote hosts and the WMIC. Unlike TFTP, which uses User Datagram Protocol (UDP), a connectionless protocol, RCP uses TCP, which is connection-oriented. To use RCP to copy files, the server from or to which you will be copying files must support RCP. The RCP copy commands rely on the rsh server (or daemon) on the remote system. To copy files by using RCP, you do not need to create a server for file distribution as you do with TFTP. You only need to have access to a server that supports the remote shell (rsh). (Most UNIX systems support rsh.) Because you are copying a file from one place to another, you must have read permission on the source file and write permission on the destination file. If the destination file does not exist, RCP creates it for you.Step 6 end Return to privileged EXEC mode. Step 7 archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tarUpload the currently running WMIC image to the FTP server. •For //username:password, specify the username and password. These must be associated with an account on the FTP server. For more information, see the “Preparing to Download or Upload an Image File by Using FTP” section on page 15-23.•For @location, specify the IP address of the FTP server.•For /directory/image-name.tar, specify the directory (optional) and the name of the software image to be uploaded. Directory and image names are case sensitive. The image-name.tar is the name of the software image to be stored on the server.Command Purpose
15-28Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesRCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the WMIC to a server by using RCP, the Cisco IOS software sends the first valid username in this list:•The username specified in the archive download-sw or archive upload-sw privileged EXEC command if a username is specified.•The username set by the ip rcmd remote-username username global configuration command if the command is entered.•The remote username associated with the current TTY (terminal) process. For example, if the user is connected to the router through Telnet and was authenticated through the username command, the WMIC software sends the Telnet username as the remote username. •The WMIC host name.For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. If the server has a directory structure, the image file is written to or copied from the directory associated with the remote username on the server. For example, if the image file resides in the home directory of a user on the server, specify that user’s name as the remote username. Before you begin downloading or uploading an image file by using RCP, do these tasks:•Ensure that the workstation acting as the RCP server supports the remote shell (rsh).•Ensure that the WMIC has a route to the RCP server. The WMIC and the server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the RCP server by using the ping command.•If you are accessing the WMIC through a Telnet session and you do not have a valid username, make sure that the current RCP username is the one that you want to use for the RCP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new RCP username by using the ip rcmd remote-username usernameglobal configuration command to be used during all archive operations. The new username is stored in NVRAM. If you are accessing the WMIC through a Telnet session and you have a valid username, this username is used, and there is no need to set the RCP username. Include the username in the archive download-sw or archive upload-sw privileged EXEC command if you want to specify a username only for that operation. •When you upload an image to the RCP to the server, it must be properly configured to accept the RCP write request from the user on the WMIC. For UNIX systems, you must add an entry to the .rhosts file for the remote user on the RCP server. For example, suppose the WMIC contains these configuration lines:hostname ap1ip rcmd remote-username User0If the WMIC IP address translates to ap1.company.com, the .rhosts file for User0 on the RCP server should contain this line:ap1.company.com ap1For more information, refer to the documentation for your RCP server.
15-29Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesDownloading an Image File by Using RCPYou can download a new image file and replace or keep the current image. Caution For the download and upload algorithms to operate properly, do not rename image directories.Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image. To keep the current image, skip Step 6.Command PurposeStep 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload an Image File by Using RCP” section on page 15-27.Step 2 Log into the WMIC through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username (see Steps 4 and 5). Step 4 ip rcmd remote-username username (Optional) Specify the remote username.Step 5 end Return to privileged EXEC mode. Step 6 archive download-sw /overwrite /reload rcp:[[[//[username@]location]/directory]/image-name.tar]Download the image file from the RCP server to the WMIC, and overwrite the current image.•The /overwrite option overwrites the software image in Flash with the downloaded image.•The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.•For //username, specify the username. For the RCP copy request to execute successfully, an account must be defined on the network server for the remote username. For more information, see the “Preparing to Download or Upload an Image File by Using RCP” section on page 15-27.•For @location, specify the IP address of the RCP server.•For /directory/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.
15-30Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesNote To avoid an unsuccessful download, use the archive download-sw /safe command, which downloads the image first and does not delete the current running version until the download succeeds.The download algorithm verifies that the image is appropriate for the WMIC model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the Flash device whether or not it is the same as the new one, downloads the new image, and then reloads the software.Note If the Flash device has sufficient space to hold two images and you want to overwrite one of these images with the same version, you must specify the /overwrite option.If you specify the /leave-old-sw, the existing files are not removed. If there is not enough room to install the new image an keep the running image, the download process stops, and an error message is displayed.The algorithm installs the downloaded image onto the system board Flash device (flash:). The image is placed into a new directory named with the software version string, and the BOOT environment variable is updated to point to the newly installed image.If you kept the old software during the download process (you specified the /leave-old-sw keyword), you can remove it by entering the delete /force /recursive filesystem:/file-url privileged EXEC command. For filesystem, use flash: for the system board Flash device. For file-url, enter the directory name of the old software image. All the files in the directory and the directory are removed.Step 7 archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.tar]Download the image file from the RCP server to the WMIC, and keep the current image.•The /leave-old-sw option keeps the old software version after a download.•The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.•For //username, specify the username. For the RCP copy request to execute, an account must be defined on the network server for the remote username. For more information, see the “Preparing to Download or Upload an Image File by Using RCP” section on page 15-27.•For @location, specify the IP address of the RCP server.•For /directory]/image-name.tar, specify the directory (optional) and the image to download. Directory and image names are case sensitive.Command Purpose
15-31Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesUploading an Image File by Using RCPYou can upload an image from the WMIC to an RCP server. You can later download this image to the same WMIC or to another WMIC of the same type.Caution For the download and upload algorithms to operate properly, do not rename image directories.The upload feature is available only if the HTML pages associated with the Cluster Management Suite (CMS) have been installed with the existing image.Beginning in privileged EXEC mode, follow these steps to upload an image to an RCP server:The archive upload-sw privileged EXEC command builds an image file on the server by uploading these files in order: info, the IOS image, the HTML files, and info.ver. After these files are uploaded, the upload algorithm creates the tar file format. Command PurposeStep 1 Verify that the RCP server is properly configured by referring to the “Preparing to Download or Upload an Image File by Using RCP” section on page 15-27.Step 2 Log into the WMIC through a Telnet session.Step 3 configure terminal Enter global configuration mode.This step is required only if you override the default remote username (see Steps 4 and 5). Step 4 ip rcmd remote-username username (Optional) Specify the remote username.Step 5 end Return to privileged EXEC mode. Step 6 archive upload-sw rcp:[[[//[username@]location]/directory]/image-name.tar]Upload the currently running WMIC image to the RCP server. •For //username, specify the username; for the RCP copy request to execute, an account must be defined on the network server for the remote username. For more information, see the “Preparing to Download or Upload an Image File by Using RCP” section on page 15-27.•For @location, specify the IP address of the RCP server.•For /directory]/image-name.tar, specify the directory (optional) and the name of the software image to be uploaded. Directory and image names are case sensitive.•The image-name.tar is the name of software image to be stored on the server.
15-32Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesReloading the Image Using the Web Browser InterfaceYou can also use the Web browser interface to reload the WMIC image file. The Web browser interface supports loading the image file using HTTP or TFTP interfaces. Note Your WMIC configuration is not changed when using the browser to reload the image file.Browser HTTP InterfaceThe HTTP interface allows you to browse to the WMIC image file on your PC and download the image to the WMIC. Follow the instructions below to use the HTTP interface:Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).Step 2 Enter the WMIC’s IP address in the browser address line and press Enter. An Enter Network Password screen appears.Step 3 Enter your username in the User Name field.Step 4 Enter the password in the Password field and press Enter. The Summary Status page appears.Step 5 Click the System Software tab and then click Software Upgrade. The HTTP Upgrade screen appears.Step 6 Click the Browse button to locate the image file on your PC.Step 7 Click the Upgrade button.For additional information, click the Help icon on the Software Upgrade screen. Browser TFTP InterfaceThe TFTP interface allows you to use a TFTP server on a network device to load the image file. Follow the instructions below to use a TFTP server:Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).Step 2 Enter the WMIC’s IP address in the browser address line and press Enter. An Enter Network Password screen appears.Step 3 Enter your username in the User Name field.Step 4 Enter the password in the Password field and press Enter. The Summary Status page appears.Step 5 Click the System Software tab and then click Software Upgrade. The HTTP Upgrade screen appears.Step 6 Click the TFTP Upgrade tab.Step 7 Enter the IP address for the TFTP server in the TFTP Server field.Step 8 Enter the file name for the image file in the Upload New System Image Tar File field. If the file is located in a subdirectory of the TFTP server root directory, include the relative path of the TFTP server root directory with the filename. If the file is located in the TFTP root directory, enter only the filename.
15-33Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software ImagesStep 9 Click the Upgrade button.For additional information click the Help icon on the Software Upgrade screen.
15-34Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 15 Managing Firmware and ConfigurationsWorking with Software Images
CHAPTER16-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-0216Configuring System Message LoggingThis chapter describes how to configure system message logging on your WMIC.Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.This chapter consists of these sections:•Understanding System Message Logging, page 16-2•Configuring System Message Logging, page 16-2•Displaying the Logging Configuration, page 16-12
16-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 16 Configuring System Message LoggingUnderstanding System Message LoggingUnderstanding System Message LoggingBy default, devices send the output from system messages and debug privileged EXEC commands to a logging process. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, or a UNIX syslog server, depending on your configuration. The process also sends messages to the console. Note The syslog format is compatible with 4.3 BSD UNIX.When the logging process is disabled, messages are sent only to the console. The messages are sent as they are generated, so message and debug output are interspersed with prompts or output from other commands. Messages are displayed on the console after the process that generated them has finished.You can set the severity level of the messages to control the type of messages displayed on the console and each of the destinations. You can timestamp log messages or set the syslog source address to enhance real-time debugging and management.You can access logged system messages by using the command-line interface (CLI) or by saving them to a properly configured syslog server. The device saves syslog messages in an internal buffer. You can remotely monitor system messages by accessing the WMIC through Telnet or by viewing the logs on a syslog server.Configuring System Message LoggingThis section describes how to configure system message logging. It contains this configuration information:•System Log Message Format, page 16-2•Default System Message Logging Configuration, page 16-4•Disabling and Enabling Message Logging, page 16-4•Setting the Message Display Destination Device, page 16-5•Enabling and Disabling Timestamps on Log Messages, page 16-6•Enabling and Disabling Sequence Numbers in Log Messages, page 16-6•Defining the Message Severity Level, page 16-7•Limiting Syslog Messages Sent to the History Table and to SNMP, page 16-8•Setting a Logging Rate Limit, page 16-9•Configuring UNIX Syslog Servers, page 16-10System Log Message FormatSystem log messages can contain up to 80 characters and a percent sign (%), which follows the optional sequence number or timestamp information, if configured. Messages are displayed in this format:seq no:timestamp: %facility-severity-MNEMONIC:descriptionThe part of the message preceding the percent sign depends on the setting of the service sequence-numbers,service timestamps log datetime,service timestamps log datetime [localtime][msec] [show-timezone], or service timestamps log uptime global configuration command.
16-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 16 Configuring System Message LoggingConfiguring System Message LoggingTable 16-1 describes the elements of syslog messages.This example shows a partial system message:Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled) Console logging: level debugging, 74 messages logged, xml disabled Monitor logging: level debugging, 0 messages logged, xml disabled Buffer logging: level debugging, 76 messages logged, xml disabled Logging Exception size (4096 bytes) Count and timestamp logging messages: disabled Trap logging: level informational, 78 message lines loggedLog Buffer (4096 bytes):CHANGED: Interface Dot11Radio0, changed state to reset*Mar 1 17:02:19.618: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up*Mar 1 17:14:21.520: %SYS-5-CONFIG_I: Configured from console by Cisco on vty0(10.0.0.42)*Mar 1 17:36:33.519: %SYS-5-CONFIG_I: Configured from console by Cisco on vty0(10.0.0.42)*Mar 1 17:56:48.596: %SYS-5-CONFIG_I: Configured from console by Cisco on vty0(10.0.0.42)*Mar 1 18:12:01.670: %SYS-5-CONFIG_I: Configured from console by Cisco on vty0(10.0.0.42)*Mar 1 19:35:39.710: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset*Mar 1 19:35:39.718: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up*Mar 1 20:52:06.007: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down*Mar 1 20:52:06.022: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset*Mar 1 20:52:06.035: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up*Mar 1 23:47:38.851: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0002.8a29.Table 16-1 System Log Message ElementsElement Descriptionseq no: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 16-6.timestamp formats:mm/dd hh:mm:ssorhh:mm:ss (short uptime)ord h (long uptime)Date and time of the message or event. This information appears only if the service timestamps log [datetime | log] global configuration command is configured.For more information, see the “Enabling and Disabling Timestamps on Log Messages” section on page 16-6.facility The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.severity Single-digit code from 0 to 7 that is the severity of the message. For a description of the severity levels, see Table 16-3 on page 16-8.MNEMONIC Text string that uniquely describes the message.description Text string containing detailed information about the event being reported.
16-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 16 Configuring System Message LoggingConfiguring System Message Logging82e8 Associated KEY_MGMT[NONE]*Mar 1 23:48:16.986: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0002.8a29.82e8 Reason: Previous authentication no longer validDefault System Message Logging ConfigurationTable 16-2 shows the default system message logging configuration.Disabling and Enabling Message LoggingMessage logging is enabled by default. It must be enabled to send messages to any destination other than the console. When enabled, log messages are sent to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.Beginning in privileged EXEC mode, follow these steps to disable message logging:Disabling the logging process can slow down the WMIC because a process must wait until the messages are written to the console before continuing. When the logging process is disabled, messages are displayed on the console as soon as they are produced, often appearing in the middle of command output.Table 16-2 Default System Message Logging ConfigurationFeature Default SettingSystem message logging to the console EnabledConsole severity Debugging (and numerically lower levels; see Table 16-3 on page 16-8)Logging buffer size 4096 bytesLogging history size 1 messageTimestamps DisabledSynchronous logging DisabledLogging server DisabledSyslog server IP address None configuredServer facility Local7 (see Table 16-4 on page 16-11)Server severity Informational (and numerically lower levels; see Table 16-3 on page 16-8)Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 no logging on Disable message logging.Step 3 end Return to privileged EXEC mode.Step 4 show running-configorshow loggingVerify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
16-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 16 Configuring System Message LoggingConfiguring System Message LoggingThe logging synchronous global configuration command also affects the display of messages to the console. When this command is enabled, messages appear only after you press Return. For more information, see the “Enabling and Disabling Timestamps on Log Messages” section on page 16-6.To re-enable message logging after it has been disabled, use the logging on global configuration command.Setting the Message Display Destination DeviceIf message logging is enabled, you can send messages to specific locations in addition to the console. Beginning in privileged EXEC mode, use one or more of the following commands to specify the locations that receive messages:The logging buffered global configuration command copies logging messages to an internal buffer. The buffer is circular, so newer messages overwrite older messages after the buffer is full. To display the messages that are logged in the buffer, use the show logging privileged EXEC command. The first message displayed is the oldest message in the buffer. To clear the contents of the buffer, use the clear logging privileged EXEC command.To disable logging to the console, use the no logging console global configuration command. To disable logging to a file, use the no logging file [severity-level-number | type] global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 logging buffered [size] [level] Log messages to an internal buffer. The default buffer size is 4096. The range is 4096 to 2147483647 bytes. Levels include emergencies 0, alerts 1, critical 2, errors 3, warnings 4, notifications 5, informational 6, and debugging 7.Note Do not make the buffer size too large because the WMIC could run out of memory for other tasks. Use the show memory privileged EXEC command to view the free processor memory on the WMIC; however, this value is the maximum available, and you should not set the buffer size to this amount.Step 3 logging host Log messages to a UNIX syslog server host.For host, specify the name or IP address of the host to be used as the syslog server.To build a list of syslog servers that receive logging messages, enter this command more than once.For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 16-10.Step 4 end Return to privileged EXEC mode.Step 5 terminal monitor Log messages to a non-console terminal during the current session.Terminal parameter-setting commands are set locally and do not remain in effect after the session has ended. You must perform this step for each session to see the debugging messages.Step 6 show running-config Verify your entries.Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
16-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 16 Configuring System Message LoggingConfiguring System Message LoggingEnabling and Disabling Timestamps on Log MessagesBy default, log messages are not timestamped. Beginning in privileged EXEC mode, follow these steps to enable timestamping of log messages:To disable timestamps for both debug and log messages, use the no service timestamps global configuration command.This example shows part of a logging display with the service timestamps log datetime global configuration command enabled:*Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)This example shows part of a logging display with the service timestamps log uptime global configuration command enabled:00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to upEnabling and Disabling Sequence Numbers in Log MessagesBecause there is a chance that more than one log message can have the same timestamp, you can display messages with sequence numbers so that you can unambiguously refer to a single message. By default, sequence numbers in log messages are not displayed. Beginning in privileged EXEC mode, follow these steps to enable sequence numbers in log messages:To disable sequence numbers, use the no service sequence-numbers global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 service timestamps log uptimeorservice timestamps log datetime [msec] [localtime][show-timezone]Enable log timestamps.The first command enables timestamps on log messages, showing the time since the system was rebooted.The second command enables timestamps on log messages. Depending on the options selected, the timestamp can include the date, time in milliseconds relative to the local time zone, and the time zone name.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 service sequence-numbers Enable sequence numbers.Step 3 end Return to privileged EXEC mode.Step 4 show running-config Verify your entries.Step 5 copy running-config startup-config (Optional) Save your entries in the configuration file.
16-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 16 Configuring System Message LoggingConfiguring System Message LoggingThis example shows part of a logging display with sequence numbers enabled:000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)Defining the Message Severity LevelYou can limit messages displayed to the selected device by specifying the severity level of the message, which are described in Table 16-3.Beginning in privileged EXEC mode, follow these steps to define the message severity level:Note Specifying a level causes messages at that level and numerically lower levels to be displayed at the destination.To disable logging to the console, use the no logging console global configuration command. To disable logging to a terminal other than the console, use the no logging monitor global configuration command. To disable logging to syslog servers, use the no logging trap global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 logging console level Limit messages logged to the console.By default, the console receives debugging messages and numerically lower levels (see Table 16-3 on page 16-8).Step 3 logging monitor level Limit messages logged to the terminal lines.By default, the terminal receives debugging messages and numerically lower levels (see Table 16-3 on page 16-8).Step 4 logging trap level Limit messages logged to the syslog servers.By default, syslog servers receive informational messages and numerically lower levels (see Table 16-3 on page 16-8).For complete syslog server configuration steps, see the “Configuring UNIX Syslog Servers” section on page 16-10.Step 5 end Return to privileged EXEC mode.Step 6 show running-configorshow loggingVerify your entries.Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.
16-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 16 Configuring System Message LoggingConfiguring System Message LoggingTable 16-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.The software generates four other categories of messages:•Error messages about software or hardware malfunctions, displayed at levels warnings through emergencies. These types of messages mean that the functionality of the WMIC is affected. •Output from the debug commands, displayed at the debugging level. Debug commands are typically used only by the Technical Assistance Center (TAC).•Interface up or down transitions and system restart messages, displayed at the notifications level. This message is only for information; WMIC functionality is not affected.•Reload requests and low-process stack messages, displayed at the informational level. This message is only for information; WMIC functionality is not affected.Limiting Syslog Messages Sent to the History Table and to SNMPIf you have enabled syslog message traps to be sent to an SNMP network management station by using the snmp-server enable trap global configuration command, you can change the level of messages sent and stored in the WMIChistory table. You can also change the number of messages that are stored in the history table.Messages are stored in the history table because SNMP traps are not guaranteed to reach their destination. By default, one message of the level warning and numerically lower levels (see Table 16-3 on page 16-8) are stored in the history table even if syslog traps are not enabled.Table 16-3 Message Logging Level KeywordsLevel Keyword Level Description Syslog Definitionemergencies 0 System unstable LOG_EMERGalerts 1 Immediate action needed LOG_ALERTcritical 2 Critical conditions LOG_CRITerrors 3 Error conditions LOG_ERRwarnings 4 Warning conditions LOG_WARNINGnotifications 5 Normal but significant condition LOG_NOTICEinformational 6 Informational messages only LOG_INFOdebugging 7 Debugging messages LOG_DEBUG
16-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 16 Configuring System Message LoggingConfiguring System Message LoggingBeginning in privileged EXEC mode, follow these steps to change the level and history table size defaults:When the history table is full (it contains the maximum number of message entries specified with the logging history size global configuration command), the oldest message entry is deleted from the table to allow the new message entry to be stored.To return the logging of syslog messages to the default level, use the no logging history global configuration command. To return the number of messages in the history table to the default value, use the no logging history size global configuration command.Setting a Logging Rate LimitYou can enable a limit on the number of messages that the device logs per second. You can enable the limit for all messages or for messages sent to the console, and you can specify that messages of a specific severity are exempt from the limit.Beginning in privileged EXEC mode, follow these steps to enable a logging rate limit:To disable the rate limit, use the no logging rate-limit global configuration command.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 logging history level11. Table 16-3 lists the level keywords and severity level. For SNMP usage, the severity level values increase by 1. For example, emergenciesequal 1, not 0, and critical equals 3, not 2.Change the default level of syslog messages stored in the history file and sent to the SNMP server.See Table 16-3 on page 16-8 for a list of level keywords.By default, warnings,errors,critical,alerts, and emergencies messages are sent.Step 3 logging history size number Specify the number of syslog messages that can be stored in the history table.The default is to store one message. The range is 1 to 500 messages.Step 4 end Return to privileged EXEC mode.Step 5 show running-config Verify your entries.Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 logging rate-limit seconds[all | console][except severity]Enable a logging rate limit in seconds.•(Optional) Apply the limit to all logging or only to messages logged to the console.•(Optional) Exempt a specific severity from the limit.Step 3 end Return to privileged EXEC mode.Step 4 copy running-config startup-config (Optional) Save your entries in the configuration file.
16-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 16 Configuring System Message LoggingConfiguring System Message LoggingConfiguring UNIX Syslog ServersThe next sections describe how to configure the 4.3 BSD UNIX server syslog daemon and define the UNIX system logging facility.Logging Messages to a UNIX Syslog DaemonBefore you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server. Log in as root, and perform these steps:Note Some recent versions of UNIX syslog daemons no longer accept by default syslog packets from the network. If this is the case with your system, use the UNIX man syslogd command to determine what options must be added to or removed from the syslog command line to enable logging of remote syslog messages.Step 1 Add a line such as the following to the file /etc/syslog.conf:local7.debug /usr/adm/logs/cisco.logThe local7 keyword specifies the logging facility to be used; see Table 16-4 on page 16-11 for information on the facilities. The debug keyword specifies the syslog level; see Table 16-3 on page 16-8for information on the severity levels. The syslog daemon sends messages at this level or at a more severe level to the file specified in the next field. The file must already exist, and the syslog daemon must have permission to write to it.Step 2 Create the log file by entering these commands at the UNIX shell prompt:$touch /usr/adm/log/cisco.log$chmod 666 /usr/adm/log/cisco.logStep 3 Make sure the syslog daemon reads the new changes by entering this command:$kill -HUP `cat /etc/syslog.pid`For more information, see the man syslog.conf and man syslogd commands on your UNIX system.Configuring the UNIX System Logging FacilityWhen sending system log messages to an external device, you can cause the WMIC to identify its messages as originating from any of the UNIX syslog facilities.Beginning in privileged EXEC mode, follow these steps to configure UNIX system facility message logging:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 logging host Log messages to a UNIX syslog server host by entering its IP address.To build a list of syslog servers that receive logging messages, enter this command more than once.
16-11Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 16 Configuring System Message LoggingConfiguring System Message LoggingTo remove a syslog server, use the no logging host global configuration command, and specify the syslog server IP address. To disable logging to syslog servers, enter the no logging trap global configuration command.Table 16-4 lists the 4.3 BSD UNIX system facilities supported by the Cisco IOS software. For more information about these facilities, consult the operator’s manual for your UNIX operating system.Step 3 logging trap level Limit messages logged to the syslog servers.Be default, syslog servers receive informational messages and lower. See Table 16-3 on page 16-8 for level keywords.Step 4 logging facility facility-type Configure the syslog facility. See Table 16-4 on page 16-11 for facility-type keywords.The default is local7.Step 5 end Return to privileged EXEC mode.Step 6 show running-config Verify your entries.Step 7 copy running-config startup-config (Optional) Save your entries in the configuration file.Command PurposeTable 16-4 Logging Facility-Type KeywordsFacility Type Keyword Descriptionauth Authorization systemcron Cron facilitydaemon System daemonkern Kernellocal0-7 Locally defined messageslpr Line printer systemmail Mail systemnews USENET newssys9 System usesys10 System usesys11 System usesys12 System usesys13 System usesys14 System usesyslog System loguser User processuucp UNIX-to-UNIX copy system
16-12Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 16 Configuring System Message LoggingDisplaying the Logging ConfigurationDisplaying the Logging ConfigurationTo display the current logging configuration and the contents of the log buffer, use the show loggingprivileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.To display the logging history file, use the show logging history privileged EXEC command.
CHAPTER17-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-0217Wireless Device TroubleshootingThis chapter provides troubleshooting procedures for basic problems with the wireless device. For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at the following URL (select Top Issues and then select Wireless Technologies):http://www.cisco.com/tac Sections in this chapter include:•Checking the LED Indicators, page 17-2•Checking Basic Settings, page 17-3•Resetting to the Default Configuration, page 17-4•Reloading the Image, page 17-6
17-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 17 Wireless Device TroubleshootingChecking the LED IndicatorsChecking the LED IndicatorsIf your wireless device is not communicating, check theLED indicatorsto quickly assess the device status.The indicator signals on the wireless device have the following meanings (for additional details refer to Table 17-1):•The Ethernet indicator signals traffic on the wired LAN. This indicator is normally green when an Ethernet cable is connected, and blinks green when a packet is received or transmitted over the Ethernet infrastructure. The indicator is off when the Ethernet cable is not connected. •The status indicator signals operational status. Steady green indicates that the wireless device is associated with at least one wireless client. Blinking green indicates that the wireless device is operating normally but is not associated with any wireless devices.•The radio indicator blinks green to indicate radio traffic activity. The light is normally off, but it blinks whenever a packet is received or transmitted over the wireless device radio.Table 17-1 Indicator SignalsMessagetypeEthernetindicatorStatusindicatorRadioindicatorMeaningBoot loader statusGreen – Green DRAM memory test.– Amber Red Board initialization test.– Blinking greenBlinking greenFlash memory test.Amber Green – Ethernet initialization test.Green Green Green Starting Cisco IOS software.Association status– Green – At least one wireless client device is associated with the unit.– Blinking green– No client devices are associated; check the wireless device SSID and WEP settings.Operating status–GreenBlinking greenTransmitting/receiving radio packets.Green – – Ethernet link is operational.Blinking green– – Transmitting/receiving Ethernet packets.Boot Loader ErrorsRed – Red DRAM memory test failure.– Red Red File system failure.Red Red – Ethernet failure during image recovery.Amber Green Amber Boot environment error.Red Green Red No Cisco IOS image file.Amber Amber Amber Boot failure.
17-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 17 Wireless Device TroubleshootingChecking Basic SettingsChecking Basic SettingsMismatched basic settings are the most common causes of lost connectivity with wireless clients. If the wireless device does not communicate with client devices, check the areas described in this section.SSIDWireless clients attempting to associate with the wireless device must use the same SSID as the wireless device. If a client device SSID does not match the SSID of an wireless device in radio range, the client device will not associate. The wireless device default SSID is tsunami.WEP KeysThe WEP key you use to transmit data must be set up exactly the same on the wireless device and any wireless devices with which it associates. For example, if you set WEP Key 3 on your client adapter to 0987654321 and select it as the transmit key, you must set WEP Key 3 on the wireless device to exactly the same value. The wireless device does not need to use Key 3 as its transmit key, however.Security SettingsWireless clients attempting to authenticate with the wireless device must support the same security options configured in the wireless device, such as EAP or LEAP, MAC address authentication, Message Integrity Check (MIC), WEP key hashing, and 802.1X protocol versions.If a wireless client is unable to authenticate with the wireless device, contact the system administrator for proper security settings in the client adapter and for the client adapter driver and firmware versions that are compatible with the wireless device settings.Operation Errors–GreenBlinking amberMaximum retries or buffer full occurred on the radio.Blinking amber– – Transmit/receive Ethernet errors. – Blinking amber– General warning.Configuration Reset– Amber – Resetting the configuration options to factory defaults.Failures Red Red Red Firmware failure; try disconnecting and reconnecting unit power.Blinking red – – Hardware failure. The wireless device must be replaced.Firmware Upgrade– Red – Loading new firmware image.Table 17-1 Indicator Signals (continued)MessagetypeEthernetindicatorStatusindicatorRadioindicatorMeaning
17-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 17 Wireless Device TroubleshootingResetting to the Default ConfigurationNote The wireless device MAC address that appears on the Status page in the Aironet Client Utility (ACU) is the MAC address for the wireless device radio. Resetting to the Default ConfigurationIf you forget the password that allows you to configure the wireless device, you may need to completely reset the configuration.Note The following steps reset all configuration settings to factory defaults, including passwords, WEP keys, the IP address, and the SSID. The default username and password are both Cisco, which is case-sensitive.Using the Web Browser InterfaceFollow these steps to delete the current configuration and return all wireless device settings to the factory defaults using the web browser interface:Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).Step 2 Enter the wireless device IP address in the browser address line and press Enter. An Enter Network Password screen appears.Step 3 Enter your username in the User Name field.Step 4 Enter the wireless device password in the Password field and press Enter. The Summary Status page appears.Step 5 Click System Software and the System Software screen appears.Step 6 Click System Configuration and the System Configuration screen appears.Step 7 Click the Reset to Defaults button.Note If the wireless device is configured with a static IP address, the IP address does not change.Step 8 After the wireless device reboots, you must reconfigure the wireless device by using the Web-browser interface or the CLI. The default username and password are Cisco, which is case-sensitive.
17-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 17 Wireless Device TroubleshootingResetting to the Default ConfigurationUsing the CLIFollow the steps below to delete the current configuration and return all wireless device settings to the factory defaults using the CLI.Step 1 Open the CLI using a Telnet session or a connection to the wireless device console port.Step 2 Reboot the wireless device by removing power from and reapplying power to the router.Step 3 Let the wireless device boot until the command prompt appears and the wireless device begins to inflate the image. When you see these lines on the CLI, press Esc:Loading "flash:/c350-k9w7-mx.v122_13_ja.20031010/c350-k9w7-mx.v122_13_ja.20031010"...###############################################################################################################################################################################################################################################################Step 4 At the ap: prompt, enter the flash_init command to initialize the Flash.ap: flash_initInitializing Flash...flashfs[0]: 142 files, 6 directoriesflashfs[0]: 0 orphaned files, 0 orphaned directoriesflashfs[0]: Total bytes: 7612416flashfs[0]: Bytes used: 3407360flashfs[0]: Bytes available: 4205056flashfs[0]: flashfs fsck took 0 seconds....done initializing Flash.Step 5 Use the dir flash: command to display the contents of Flash and find the config.txt configuration file.ap: dir flash:Directory of flash:/3 .rwx 223 <date> env_vars4 .rwx 2190 <date> config.txt5 .rwx 27 <date> private.config150 drwx 320 <date> c350.k9w7.mx.122.13.JA4207616 bytes available (3404800 bytes used)Step 6 Use the rename command to change the name of the config.txt file to config.old.ap: rename flash:config.txt flash:config.oldStep 7 Use the reset command to reboot the wireless device.ap: resetAre you sure you want to reset the system (y/n)?ySystem resetting..Xmodem file system is available.flashfs[0]: 142 files, 6 directoriesflashfs[0]: 0 orphaned files, 0 orphaned directoriesflashfs[0]: Total bytes: 7612416flashfs[0]: Bytes used: 3407360flashfs[0]: Bytes available: 4205056flashfs[0]: flashfs fsck took 0 seconds.Reading cookie from flash parameter block...done.Base ethernet MAC Address: 00:40:96:41:e4:dfLoading "flash:/c350.k9w7.mx.122.13.JA/c350.k9w7.mx.122.13.JA"...######## . . .Note The wireless device is configured with factory default values, including the IP address (set to receive an IP address using DHCP) and the default username and password (Cisco).
17-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 17 Wireless Device TroubleshootingReloading the ImageStep 8 When IOS software is loaded, you can use the del privileged EXEC command to delete the config.old file from Flash. ap# del flash:config.oldDelete filename [config.old]Delete flash:config.old [confirm]ap#Reloading the ImageIf the wireless device has a firmware failure, you must reload the image file using the Web browser interface. You can use the browser interface if the wireless device firmware is still fully operational and you want to upgrade the firmware image.If the wireless device experiences a firmware failure or a corrupt firmware image, indicated by three red LED indicators, you must reload the image from a connected TFTP server.Note This process resets all configuration settings to factory defaults, including passwords, WEP keys, the wireless device IP address, and SSIDs. Using the Web Browser InterfaceYou can also use the Web browser interface to reload the wireless device image file. The Web broswer interface supports loading the image file using HTTP or TFTP interfaces. Note Your wireless device configuration does not change when you use the browser to reload the image file.Browser HTTP InterfaceThe HTTP interface enables you to browse to the wireless device image file on your PC and download the image to the wireless device. Follow the instructions below to use the HTTP interface:Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).Step 2 Enter the wireless device IP address in the browser address line and press Enter. An Enter Network Password screen appears.Step 3 Enter your username in the User Name field.Step 4 Enter the wireless device password in the Password field and press Enter. The Summary Status page appears.Step 5 Click the System Software tab and then click Software Upgrade. The HTTP Upgrade screen appears.Step 6 Click Browse to find the image file on your PC.
17-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 17 Wireless Device TroubleshootingReloading the ImageStep 7 Click Upload.For additional information, click the Help icon on the Software Upgrade screen. Browser TFTP InterfaceThe TFTP interface allows you to use a TFTP server on a network device to load the wireless device image file. Follow the instructions below to use a TFTP server:Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).Step 2 Enter the wireless device IP address in the browser address line and press Enter. An Enter Network Password screen appears.Step 3 Enter your username in the User Name field.Step 4 Enter the wireless device password in the Password field and press Enter. The Summary Status page appears.Step 5 Click the System Software tab and then click Software Upgrade. The HTTP Upgrade screen appears.Step 6 Click the TFTP Upgrade tab.Step 7 Enter the IP address for the TFTP server in the TFTP Server field.Step 8 Enter the file name for the image file in the Upload New System Image Tar File field. If the file is located in a subdirectory of the TFTP server root directory, include the relative path of the TFTP server root directory with the filename. If the file is located in the TFTP root directory, enter only the filename.Step 9 Click Upload.For additional information click the Help icon on the Software Upgrade screen. Using the CLIFollow the steps below to reload the wireless device image using the CLI. When the wireless device begins to boot, interrupt the boot process and use boot loader commands to load an image from a TFTP server to replace the image in the wireless device.Note Your wireless device configuration is not changed when using the CLI to reload the image file.Step 1 Open the CLI using a Telnet session or a connection to the wireless device console port.Step 2 Reboot the wireless device by removing power and reapplying power.
17-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 17 Wireless Device TroubleshootingReloading the ImageStep 3 Let the wireless device boot until it begins to inflate the image. When you see these lines on the CLI, press Esc:Loading "flash:/c350-k9w7-mx.v122_13_ja.20031010/c350-k9w7-mx.v122_13_ja.20031010"...###############################################################################################################################################################################################################################################################Step 4 When the ap: command prompt appears, enter the set command to assign an IP address, subnet mask, and default gateway to the wireless device. Note You must use upper-case characters when you enter the IP-ADDR,NETMASK, and DEFAULT_ROUTER options with the set command.Your entries might look like this example:ap: set IP_ADDR 192.168.133.160ap: set NETMASK 255.255.255.0ap: set DEFAULT_ROUTER 192.168.133.1Step 5 Enter the tftp_init command to prepare the wireless device for TFTP.ap: tftp_initStep 6 Enter the tar command to load and inflate the new image from your TFTP server. The command must include this information:•the -xtract option, which inflates the image when it is loaded•the IP address of your TFTP server•the directory on the TFTP server that contains the image•the name of the image•the destination for the image (the wireless device Flash)Your entry might look like this example:ap: tar -xtract tftp://192.168.130.222/images/c350-k9w7-tar.122-13.JA1 flash:Step 7 When the display becomes full, the CLI pauses and displays --MORE--. Press the spacebar to continue.extracting info (229 bytes)c350-k9w7-mx.122-13.JA1/ (directory) 0 (bytes)c350-k9w7-mx.122-13.JA1/html/ (directory) 0 (bytes)c350-k9w7-mx.122-13.JA1/html/level1/ (directory) 0 (bytes)extracting c350-k9w7-mx.122-13.JA1/html/level1/appsui.js (558 bytes)extracting c350-k9w7-mx.122-13.JA1/html/level1/back.htm (205 bytes)extracting c350-k9w7-mx.122-13.JA1/html/level1/cookies.js (5027 bytes).extracting c350-k9w7-mx.122-13.JA1/html/level1/forms.js (15704 bytes)...extracting c350-k9w7-mx.122-13.JA1/html/level1/sitewide.js (14621 bytes)...extracting c350-k9w7-mx.122-13.JA1/html/level1/config.js (2554 bytes)extracting c350-k9w7-mx.122-13.JA1/html/level1/stylesheet.css (3215 bytes)c350-k9w7-mx.122-13.JA1/html/level1/images/ (directory) 0 (bytes)extracting c350-k9w7-mx.122-13.JA1/html/level1/images/ap_title_appname.gif (1422 bytes)extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_1st.gif (1171 bytes)extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_cbottom.gif (318 bytes)extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_current.gif (348 bytes)extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_last.gif (386 bytes)extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_last_filler.gif (327 bytes)
17-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 17 Wireless Device TroubleshootingReloading the Imageextracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_last_flat.gif (318 bytes)extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_nth.gif (1177 bytes)extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_leftnav_dkgreen.gif (869 bytes) -- MORE --Note If you do not press the spacebar to continue, the process eventually times out and the wireless device stops inflating the image.Step 8 Enter the set BOOT command to designate the new image as the image that the wireless device uses when it reboots. The wireless device creates a directory for the image that has the same name as the image, and you must include the directory in the command. Your entry might look like this example:ap: set BOOT flash:/c350-k9w7-mx.122-13.JA1/c350-k9w7-mx.122-13.JA1Step 9 Enter the set command to check your bootloader entries.ap: setBOOT=flash:/c350-k9w7-mx.122-13.JA1/c350-k9w7-mx.122-13.JA1DEFAULT_ROUTER=192.168.133.1IP_ADDR=192.168.133.160NETMASK=255.255.255.0Step 10 Enter the boot command to reboot the wireless device. When the wireless device reboots, it loads the new image.ap: bootObtaining the Image FileYou can obtain the wireless device image file from the Cisco.com software center by following these steps:Step 1 Use your Internet browser to access the Cisco Software Center at the following URL:http://www.cisco.com/public/sw-center/sw-wireless.shtmlStep 2 Find the wireless device firmware and utilities section and click on the link for the wireless device.Step 3 Double-click the latest firmware image file for wireless devices.Step 4 Download the image file to a directory on your PC hard drive. Obtaining TFTP Server SoftwareYou can download TFTP server software from several websites. Cisco recommends the shareware TFTP utility available at this URL:http://tftpd32.jounin.netFollow the instructions on the website for installing and using the utility.
17-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Chapter 17 Wireless Device TroubleshootingReloading the Bootloader ImageReloading the Bootloader ImageFollow this procedure to download the boot loader image to the device:Step 1 Place the bootloader image in the proper directory on a TFTP server.Step 2 Connect to the console. Step 3 Enter the enable command to enter privileged mode.Step 4 Download the new boot loader image from the TFTP server to the boot sector by using the copy tftp://ip address/path/imagename bs: command, where ip address is the address of the TFTP server and path is the path to the directory where the boot loader image is located.Caution The boot sector Flash file system is addressed as bs:. The WMIC will not boot up and will not recover if a non-bootloader image is downloaded to the boot sector of the Flash file system. Step 5 When the boot loader download is complete, enter the reset command at the console prompt to reset the device.Step 6 When the boot loader upgrade is complete, enter the boot command at the console prompt to reboot the device.Step 7 Enter the version commmand to verify that it boots using the upgraded boot loader.Example Command Outputbridge: copy tftp://223.255.254.253/tftpboot/jrehage/loader_c3202_bs.img bs:................................................................File "tftp://223.255.254.253/tftpboot/jrehage/loader_c3202_bs.img" successfully copied to "bs:"bridge:resetAre you sure you want to reset the system (y/n)?ySystem resetting... Xmodem file system is available.flashfs[0]:136 files, 6 directoriesflashfs[0]:0 orphaned files, 0 orphaned directoriesflashfs[0]:Total bytes:15998976flashfs[0]:Bytes used:7458304flashfs[0]:Bytes available:8540672flashfs[0]:flashfs fsck took 30 seconds.Base ethernet MAC Address:00:ff:ff:f0:01:4fInitializing ethernet port 0...Reset ethernet port 0...Reset done!ethernet link up, 100 mbps, full-duplexEthernet port 0 initialized:link is up
A-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02APPENDIXAConnecting to the Cisco 3200 Series Router and Using the Command-Line InterfaceThis chapter describes how to connect to the router and use the IOS command-line interface (CLI) that you can use to configure the WMIC. It contains these sections:•Before You Start•IOS Command Modes, page A-4•Getting Help, page A-5•Abbreviating Commands, page A-5•Using no and default Forms of Commands, page A-6•Understanding CLI Messages, page A-6•Using Command History, page A-6•Using Editing Features, page A-8•Searching and Filtering the Output of show and more Commands, page A-10
A-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix A Connecting to the Cisco 3200 Series Router and Using the Command-Line Interface Before You StartBefore You StartBefore you install the WMIC, make sure you are using a computer connected to the same network as the WMIC, and obtain the following information from your network administrator:•A system name for the WMIC•The case-sensitive wireless service set identifier (SSID) that your WMICs use•If not connected to a DHCP server, a unique IP address for your WMIC (such as 172.17.255.115)•If the WMIC is not on the same subnet as your PC, a default gateway address and subnet mask•A Simple Network Management Protocol (SNMP) community name and the SNMP file attribute (if SNMP is in use)Resetting the WMIC to the Default SettingsYou can use the CLI to reset the WMIC to a factory default configuration.Note The following steps reset all configuration settings to factory defaults, including passwords, WEP keys, the IP address, and the SSID. From the privileged EXEC mode, you can reset the WMIC configuration to factory default values using the CLI by following these steps: Step 1 Enter erase nvram: to erase all NVRAM files including the startup configuration.Step 2 Enter Y when the following CLI message displays: Erasing the nvram filesystem will remove all configuration files! Continue? [confirm].Step 3 Enter reload when the following CLI message displays: Erase of nvram: complete. This command reloads the operating system.Step 4 Enter Y when the following CLI message displays: Proceed with reload? [confirm].Caution Do not interrupt the boot process to avoid damaging the configuration file. You can see the following CLI message when the load process has finished: Line protocal on Interface Dot11Radio0, changed state to up.Step 5 After the WMIC reboots, you can reconfigure the WMIC by using the Web-browser interface or the CLI.To obtain the WMIC’s new IP address, you can use the show interface bvi1 CLI command.
A-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix A Connecting to the Cisco 3200 Series Router and Using the Command-Line Interface Before You StartAssigning an IP AddressTo assign the WMIC IP address by using one of the following methods:•Use the ip address interface command to assign an IP address to the interface.•Use a DHCP server (if available) to automatically assign an IP address. The WMIC links to the network using a Bridge Group Virtual Interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the WMIC Ethernet and radio ports, the network uses the BVI.Note The WMIC supports only one BVI on each WMIC. Configuring more than one BVI might cause errors in the WMIC ARP table.When you assign an IP address to the WMIC using the CLI, you must assign the address to the BVI. Beginning in privileged EXEC mode, follow these steps to assign an IP address to the BVI:Command PurposeStep 1 configure terminal Enter global configuration mode.Step 2 interface bvi1 Enter interface configuration mode for the BVI.Step 3 ip address addressmaskAssign an IP address and address mask to the BVI. Note If you are connected to the WMIC using a Telnet session, you lose your connection to the WMIC when you assign a new IP address to the BVI. To continue configuring the WMIC using Telnet, use the new IP address to open another Telnet session to the WMIC.
A-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix A Connecting to the Cisco 3200 Series Router and Using the Command-Line Interface IOS Command ModesIOS Command ModesThe Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.When you start a session on the WMIC, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time commands, such as show commands, which show the current configuration status, and clear commands, which clear counters or interfaces. The user EXEC commands are not saved when the WMIC reboots.To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. From this mode, you must enter privileged EXEC mode before you can enter the global configuration mode. Using the configuration modes (global, interface, and line), you can make changes to the running configuration. If you save the configuration, these commands are stored and used when the WMIC reboots. To access the various configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and line configuration mode.Table A-1 describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode. The examples in the table use the host name BR.Table A-1 Command Mode SummaryMode Access Method Prompt Exit Method About This ModeUser EXEC Begin a session with your WMIC.bridge> Enter logout or quit. Use this mode to:•Change terminal settings•Perform basic tests•Display system informationPrivileged EXEC While in user EXEC mode, enter the enable command.bridge# Enter disable to exit. Use this mode to verify commands. Use a password to protect access to this mode.Global configurationWhile in privileged EXEC mode, enter the configurecommand.bridge(config)# To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z.Use this mode to configure parameters that apply to the entire device.Interface configurationWhile in global configuration mode, enter the interfacecommand (with a specific interface).bridge(config-if)# To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.Use this mode to configure parameters for the Ethernet and radio interfaces. The 2.4-GHz radio is radio 0.
A-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix A Connecting to the Cisco 3200 Series Router and Using the Command-Line Interface Getting HelpGetting HelpYou can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table A-2.Abbreviating CommandsYou have to enter only enough characters for the WMIC to recognize the command as unique. This example shows how to enter the show configuration privileged EXEC command:bridge# show confTable A-2 Help SummaryCommand Purposehelp Obtains a brief description of the help system in any command mode.abbreviated-command-entry?Obtains a list of commands that begin with a particular character string.For example:bridge# di?dir disable disconnect abbreviated-command-entry<Tab > Completes a partial command name. For example:bridge# sh conf<tab>bridge# show configuration?Lists all commands available for a particular command mode. For example: bridge> ?command ? Lists the associated keywords for a command. For example:bridge> show ?command keyword ?Lists the associated arguments for a keyword.For example:bridge(config)# cdp holdtime ? <10-255> Length of time (in sec) that receiver must keep this packet
A-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix A Connecting to the Cisco 3200 Series Router and Using the Command-Line Interface Using no and default Forms of CommandsUsing no and default Forms of CommandsMost configuration commands also have a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default. Configuration commands can also have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.Understanding CLI MessagesTable A-3 lists some error messages that you might encounter while using the CLI to configure your WMIC.Using Command HistoryThe IOS provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize the command history feature to suit your needs as described in these sections:•Changing the Command History Buffer Size, page A-7•Recalling Commands, page A-7•Disabling the Command History Feature, page A-7Table A-3 Common CLI Error MessagesError Message Meaning How to Get Help% Ambiguous command: "show con"You did not enter enough characters for your WMIC to recognize the command.Re-enter the command followed by a question mark (?)with a space between the command and the question mark.The possible keywords that you can enter with the command are displayed.% Incomplete command. You did not enter all the keywords or values required by this command.Re-enter the command followed by a question mark (?)with a space between the command and the question mark.The possible keywords that you can enter with the command are displayed.% Invalid input detected at ‘^’ marker.You entered the command incorrectly. The caret (^) marks the point of the error.Enter a question mark (?) to display all the commands that are available in this command mode.The possible keywords that you can enter with the command are displayed.
A-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix A Connecting to the Cisco 3200 Series Router and Using the Command-Line Interface Using Command HistoryChanging the Command History Buffer SizeBy default, the WMIC records ten command lines in its history buffer. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the WMIC records during the current terminal session: bridge# terminal history [size number-of-lines]The range is from 0 to 256.Beginning in line configuration mode, enter this command to configure the number of command lines the WMIC records for all sessions on a particular line:bridge(config-line)# history [size number-of-lines]The range is from 0 to 256.Recalling CommandsTo recall commands from the history buffer, perform one of the actions listed in Table A-4:Disabling the Command History FeatureThe command history feature is automatically enabled. To disable the feature during the current terminal session, enter the terminal no history privileged EXEC command. To disable command history for the line, enter the no history line configuration command.Table A-4 Recalling CommandsAction11. The arrow keys function only on ANSI-compatible terminals such as VT100s.ResultPress Ctrl-P or the up arrow key. Recall commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.Press Ctrl-N or the down arrow key. Return to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands. show history While in privileged EXEC mode, list the last several commands that you just entered. The number of commands that are displayed is determined by the setting of the terminal history global configuration command and history line configuration command.
A-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix A Connecting to the Cisco 3200 Series Router and Using the Command-Line Interface Using Editing FeaturesUsing Editing FeaturesThis section describes the editing features that can help you manipulate the command line. It contains these sections:•Enabling and Disabling Editing Features, page A-8•Editing Commands Through Keystrokes, page A-8•Editing Command Lines that Wrap, page A-9Enabling and Disabling Editing FeaturesAlthough enhanced editing mode is automatically enabled, you can disable it.To re-enable the enhanced editing mode for the current terminal session, enter this command in privileged EXEC mode: bridge# terminal editingTo reconfigure a specific line to have enhanced editing mode, enter this command in line configuration mode: bridge(config-line)# editingTo globally disable enhanced editing mode, enter this command in line configuration mode: bridge(config-line)# no editingEditing Commands Through KeystrokesTable A-5 shows the keystrokes that you need to edit command lines.Table A-5 Editing Commands Through KeystrokesCapability Keystroke1PurposeMove around the command line to make changes or corrections.Ctrl-B or the left arrow keyMove the cursor back one character. Ctrl-F or the right arrow keyMove the cursor forward one character. Ctrl-A Move the cursor to the beginning of the command line.Ctrl-E Move the cursor to the end of the command line.Esc B Move the cursor back one word.Esc F Move the cursor forward one word.Ctrl-T Transpose the character to the left of the cursor with the character located at the cursor.Recall commands from the buffer and paste them in the command line. The WMIC provides a buffer with the last ten items that you deleted.Ctrl-Y Recall the most recent entry in the buffer.Esc Y Recall the next buffer entry.The buffer contains only the last 10 items that you have deleted or cut. If you press Esc Y more than ten times, you cycle to the first buffer entry.
A-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix A Connecting to the Cisco 3200 Series Router and Using the Command-Line Interface Using Editing FeaturesEditing Command Lines that WrapYou can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command. To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You can also press Ctrl-A to immediately move to the beginning of the line.Note The arrow keys function only on ANSI-compatible terminals such as VT100s.Delete entries if you make a mistake or change your mind.Delete or Backspace Erase the character to the left of the cursor.Ctrl-D Delete the character at the cursor.Ctrl-K Delete all characters from the cursor to the end of the command line.Ctrl-U or Ctrl-X Delete all characters from the cursor to the beginning of the command line.Ctrl-W Delete the word to the left of the cursor.Esc D Delete from the cursor to the end of the word.Capitalize or lowercase words or capitalize a set of letters.Esc C Capitalize at the cursor.Esc L Change the word at the cursor to lowercase.Esc U Capitalize letters from the cursor to the end of the word.Designate a particular keystroke as an executable command, perhaps as a shortcut.Ctrl-V or Esc QScroll down a line or screen on displays that are longer than the terminal screen can display.Note The More prompt appears for output that has more lines than can be displayed on the terminal screen, including show command output. You can use the Return and Space bar keystrokes whenever you see the Moreprompt. Return Scroll down one line.Space Scroll down one screen.Redisplay the current command line if the WMIC suddenly sends a message to your screen.Ctrl-L or Ctrl-R Redisplay the current command line.1. The arrow keys function only on ANSI-compatible terminals such as VT100s.Table A-5 Editing Commands Through Keystrokes (continued)Capability Keystroke1Purpose
A-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix A Connecting to the Cisco 3200 Series Router and Using the Command-Line Interface Searching and Filtering the Output of show and more CommandsIn this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left. bridge(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1bridge(config)# $ 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.25bridge(config)# $t tcp 131.108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eqbridge(config)# $108.2.5 255.255.255.0 131.108.1.20 255.255.255.0 eq 45After you complete the entry, press Ctrl-A to check the complete syntax before pressing the Return key to execute the command. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right:bridge(config)# access-list 101 permit tcp 131.108.2.5 255.255.255.0 131.108.1$The software assumes you have a terminal screen that is 80 columns wide. If you have a width other than that, use the terminal width privileged EXEC command to set the width of your terminal.Use line wrapping with the command history feature to recall and modify previous complex command entries. For information about recalling previous command entries, see the “Editing Commands Through Keystrokes” section on page A-8.Searching and Filtering the Output of show and more CommandsYou can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see.To use this functionality, enter a show or more command followed by the pipe character (|), one of the keywords begin,include, or exclude, and an expression that you want to search for or filter out:command | {begin | include | exclude}regular-expressionExpressions are case sensitive. For example, if you enter | exclude output, the lines that contain outputare not displayed, but the lines that contain Output are displayed.This example shows how to include in the output display only lines where the expression protocolappears:bridge# show interfaces | include protocolVlan1 is up, line protocol is upVlan10 is up, line protocol is downGigabitEthernet0/1 is up, line protocol is downGigabitEthernet0/2 is up, line protocol is up
B-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02APPENDIXBChannels and Antenna SettingsThis appendix lists the IEEE 802.11g (2.4-GHz) channels, maximum power levels, and antenna gains supported by the world’s regulatory domains. The following topics are covered in this appendix:•Channels, page B-2•Maximum Power Levels and Antenna Gains, page B-4See the “Configuring Radio Transmit Power” in the “Configuring Radio Settings” chapter for instructions about how to change the radio output power.
B-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix B Channels and Antenna Settings ChannelsChannelsThis section describes the channels for 802.11b/g (2.4-GHz) and the 4.9-GHz bands. IEEE 802.11g (2.4-GHz Band)The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11g 22-MHz-wide channel are shown in Table B-1.Note Mexico is included in the Americas (–A) regulatory domain; however, channels 1 through 8 are for indoor use only while channels 9 through 11 can be used indoors and outdoors. Users are responsible for ensuring that the channel set configuration is in compliance with the regulatory standards of Mexico.Table B-1 Channels for IEEE 802.11gChannel IdentifierCenterFrequency(MHz)Regulatory DomainsAmericas (–A) EMEA (–E) Israel (–I) Japan (–J)CCK OFDM CCK OFDM CCK OFDM CCK OFDM12412XXXX––XX22417XXXX––XX32422XXXX––XX42427XXXX––XX52432XXXXXXXX62437XXXXXXXX72442XXXXXXXX82447XXXXXXXX92452XXXX––XX10 2457 X X X X – – X X11 2462 X X X X – – X X12 2467 – – X X – – X X13 2472 – – X X – – X X14 2484 – – – – – – X –
B-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix B Channels and Antenna Settings Channels4.9-GHz BandThe channel identifiers, channel center frequencies, and channel width are shown in Table B-2.Table B-2 Channels, Center Frequencies, and Channel WidthsChannel Center Frequency Channel Width1 4940.5 not supported2 4941.5 not supported3 4942.5 5-MHz4 4943.5 not supported5 4944.5 not supported6 4947.5 5-MHz7 4952.5 5-MHz, 10-MHz, or 20-MHz8 4957.5 5-MHz9 4962.5 5-MHz or 10-MHz10 4967.5 5-MHz11 4972.5 5-MHz, 10-MHz, or 20-MHz12 4977.5 5-MHz13 4982.5 5-MHz or 10-MHz14 4985.5 not supported15 4986.5 5-MHz16 4987.5 not supported17 4988.5 not supported18 4989.5 not supported
B-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix B Channels and Antenna Settings Maximum Power Levels and Antenna GainsMaximum Power Levels and Antenna Gains IEEE 802.11g (2.4-GHz Band)An improper combination of power level and antenna gain can result in equivalent isotropic radiated power (EIRP) above the amount allowed per regulatory domain. Table B-3 indicates the maximum power levels and antenna gains allowed for each IEEE 802.11g regulatory domain.Note To meet regulatory restrictions, the external antenna BR1300 configuration and the external antenna must be professionally installed. The network administration or other IT professional responsible for installing and configuring the unit is a suitable professional installer. Following installation, access to the unit should be password protected by the network administrator to maintain regulatory compliance.Table B-3 Maximum Power Levels Per Antenna Gain for IEEE 802.11gRegulatory DomainAntenna Gain (dBi)Maximum Power Level (mW)CCK OFDM Americas (–A)(4 W EIRP maximum)2.2 100 306100 306.5 100 3010 100 3013.5 100 3015 50 2021 20 10EMEA (–E) and Israel(-I)(100 mW EIRP maximum)2.2 50 30630 106.5 20 1010 10 513.5 5 515 5 121 1 —Japan (-J)(10 mW/MHz EIRP maximum)2.2 5 5 65 5 6.5 5 5 10 5 5 13.5 5 5 15 5 5 21 5 5
C-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02APPENDIXCProtocol FiltersThe tables in this appendix list some of the protocols that you can filter on the WMIC. The tables include:•Table E-1, Ethertype Protocols•Table E-2, IP Protocols•Table E-3, IP Port ProtocolsIn each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.
C-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix C Protocol FiltersTable C-1 Ethertype ProtocolsProtocol Additional Identifier ISO DesignatorARP — 0x0806RARP — 0x8035IP — 0x0800Berkeley Trailer Negotiation — 0x1000LAN Test — 0x0708X.25 Level3 X.25 0x0805Banyan — 0x0BADCDP — 0x2000DEC XNS XNS 0x6000DEC MOP Dump/Load — 0x6001DEC MOP MOP 0x6002DEC LAT LAT 0x6004Ethertalk — 0x809BAppletalk ARP AppletalkAARP0x80F3IPX 802.2 — 0x00E0IPX 802.3 — 0x00FFNovell IPX (old) — 0x8137Novell IPX (new) IPX 0x8138EAPOL (old) — 0x8180EAPOL (new) — 0x888ETelxon TXP TXP 0x8729Aironet DDP DDP 0x872DEnet Config Test — 0x9000NetBUI — 0xF0F0
C-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix C Protocol FiltersTable C-2 IP ProtocolsProtocol Additional Identifier ISO Designatordummy — 0Internet Control Message Protocol ICMP 1Internet Group Management Protocol IGMP 2Transmission Control Protocol TCP 6Exterior Gateway Protocol EGP 8PUP — 12CHAOS — 16User Datagram Protocol UDP 17XNS-IDP IDP 22ISO-TP4 TP4 29ISO-CNLP CNLP 80Banyan VINES VINES 83Encapsulation Header encap_hdr 98Spectralink Voice Protocol SVPSpectralink119raw — 255
C-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix C Protocol FiltersTable C-3 IP Port ProtocolsProtocol Additional Identifier ISO DesignatorTCP port service multiplexer tcpmux 1echo — 7discard (9) — 9systat (11) — 11daytime (13) — 13netstat (15) — 15Quote of the Day qotdquote 17Message Send Protocol msp 18ttytst source chargen 19FTP Data ftp-data 20FTP Control (21) ftp 21Secure Shell (22) ssh 22Telnet — 23Simple Mail Transport Protocol SMTPmail25time timserver 37Resource Location Protocol RLP 39IEN 116 Name Server name 42whois nicname 4343Domain Name Server DNS domain53MTP — 57BOOTP Server — 67BOOTP Client — 68TFTP — 69gopher — 70rje netrjs 77finger — 79Hypertext Transport Protocol HTTPwww80ttylink link 87Kerberos v5 Kerberoskrb588supdup — 95hostname hostnames 101
C-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix C Protocol FiltersTSAP iso-tsap 102CSO Name Server cso-nscsnet-ns105Remote Telnet rtelnet 107Postoffice v2 POP2POP v2109Postoffice v3 POP3POP v3110Sun RPC sunrpc 111tap ident authentication auth 113sftp — 115uucp-path — 117Network News Transfer ProtocolNetwork Newsreadnewsnntp119USENET News Transfer ProtocolNetwork Newsreadnewsnntp119Network Time Protocol ntp 123NETBIOS Name Service netbios-ns 137NETBIOS Datagram Service netbios-dgm 138NETBIOS Session Service netbios-ssn 139Interim Mail Access Protocol v2 Interim Mail Access ProtocolIMAP2143Simple Network Management ProtocolSNMP 161SNMP Traps snmp-trap 162ISO CMIP Management Over IP CMIP Management Over IPcmip-manCMOT163ISO CMIP Agent Over IP cmip-agent 164X Display Manager Control Protocolxdmcp 177NeXTStep Window Server NeXTStep 178Border Gateway Protocol BGP 179Prospero — 191Internet Relay Chap IRC 194Table C-3 IP Port Protocols (continued)Protocol Additional Identifier ISO Designator
C-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix C Protocol FiltersSNMP Unix Multiplexer smux 199AppleTalk Routing at-rtmp 201AppleTalk name binding at-nbp 202AppleTalk echo at-echo 204AppleTalk Zone Information at-zis 206NISO Z39.50 database z3950 210IPX — 213Interactive Mail Access Protocol v3imap3 220Unix Listserv ulistserv 372syslog — 514Unix spooler spooler 515talk — 517ntalk — 518route RIP 520timeserver timed 525newdate tempo 526courier RPC 530conference chat 531netnews — 532netwall wall 533UUCP Daemon UUCPuucpd540Kerberos rlogin klogin 543Kerberos rsh kshell 544rfs_server remotefs 556Kerberos kadmin kerberos-adm 749network dictionary webster 765SUP server supfilesrv 871swat for SAMBA swat 901SUP debugging supfiledbg 1127ingreslock — 1524Prospero non-priveleged prospero-np 1525RADIUS — 1812Concurrent Versions System CVS 2401Cisco IAPP — 2887Radio Free Ethernet RFE 5002Table C-3 IP Port Protocols (continued)Protocol Additional Identifier ISO Designator
D-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02APPENDIXDSupported MIBsThis appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the WMIC supports. The Cisco IOS SNMP agent supports both SNMPv1 and SNMPv2. This appendix contains these sections:•MIB List, page D-1•Using FTP to Access the MIB Files, page D-2MIB List•BRIDGE-MIB•CISCO-AAA-SERVER-MIB•CISCO-CDP-MIB•CISCO-CLASS-BASED-QOS-MIB•CISCO-CONFIG-COPY-MIB•CISCO-CONFIG-MAN-MIB•CISCO-DOT11-ASSOCIATION-MIB•CISCO-DOT11-IF-MIB•CISCO-ENTITY-VENDORTYPE-OID-MIB•CISCO-ENV-MON-MIB•CISCO-FLASH-MIB•CISCO-IETF-DOT11-QOS-MIB•CISCO-IETF-DOT11-QOS-EXT-MIB•CISCO-IMAGE-MIB•CISCO-IP-PROTOCOL-FILTER-MIB•CISCO-MEMORY-POOL-MIB•CISCO-PROCESS-MIB•CISCO-PRODUCTS-MIB•CISCO-SMI•CISCO-SYSLOG-MIB
D-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix D Supported MIBs Using FTP to Access the MIB Files•CISCO-SYSLOG-EVENT-EXT-MIB•CISCO-TC•CISCO-TBRIDGE-DEV-IF-MIB•CISCO-WLAN-VLAN-MIB•ENTITY-MIB•IANAifType-MIB•IEEE802dot11-MIB•IF-MIB•INET-ADDRESS-MIB•OLD-CISCO-SYS-MIB•OLD-CISCO-SYSTEM-MIB•OLD-CISCO-TS-MIB•P-BRIDGE-MIB•Q-BRIDGE-MIB•RFC1213-MIB•RFC1398-MIB•SNMPv2-MIB•SNMPv2-SMI•SNMPv2-TCUsing FTP to Access the MIB FilesFollow these steps to obtain each MIB file by using FTP:Step 1 Use FTP to access the server ftp.cisco.com.Step 2 Log in with the username anonymous.Step 3 Enter your e-mail username when prompted for the password.Step 4 At the ftp> prompt, change directories to /pub/mibs/v1 or /pub/mibs/v2.Step 5 Use the get MIB_filename command to obtain a copy of the MIB file.Note You can also access information about MIBs on the Cisco web site:http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
E-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02APPENDIXEError and Event MessagesThis appendix lists the CLI error and event messages. Table E-1 lists the errors and events and provides an explanation and recommended action for each message.Table E-1 Error and Event MessagesMessage Explanation Recommended ActionSoftware Auto Upgrade MessagesSW_AUTO_UPGRADE-FATAL: Attempt to upgrade software failed, software on Flash may be deleted. Please copy software into Flash. Auto upgrade of the software failed. The software on the Flash memory might have been deleted. Copy software into the Flash memory. Copy software before rebooting the unit. SW_AUTO_UPGRADE-7-FAILURE: dhcp_client_start_stop failed Auto upgrade of the software failed due to error in starting/stopping DHCP client process.Copy the error message exactly as it appears and report it to your technical support representative. SW_AUTO_UPGRADE-7-FAILURE: Failed to obtain ip addr from dhcp server Auto upgrade of the software failed. Copy the error message exactly as it appears and report it to your technical support representative.SW_AUTO_UPGRADE-7-FAILURE: boot_file_pathent creation failed Auto upgrade of the software failed due to error in creation of pathent (internal data structure).Copy the error message exactly as it appears and report it to your technical support representative.Association Management MessagesDOT11-2-RADIO_HW_RESET: Radio subsystem is under going hardware reset to recover from problemRadio must be reset due to problem. None.DOT11-3-BADSTATE: [mac-address] [chars] [chars] -> [chars]802.11 Association and management uses a table-driven state machine to keep track and transition an Association through various states. A state transition occurs when an Association receives one of many possible events. When this error occurs, it means that an Association received an event that it did not expect while in this state.The system can continue but may lose the Association that generates this error. Copy the message exactly as it appears and report it to your technical service representative.DOT11-3-RADIO_OVER_TEMPERATURE: Interface [interface] Radio over temperatureThe WMIC detected that the unit has exceeded the radio operating temperature.Investigate and take steps to cool the unit.
E-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix E Error and Event MessagesDOT11-3-RADIO_IF_LO: Interface [interface] Radio cannot lock IF freqThe unit cannot lock the intermediate frequency.None.DOT11-3-RADIO_RF_LO: Interface [interface] Radio cannot lock RF freqThe unit cannot lock the radio frequency. None.DOT11-3-RF_LOOPBACK_FAILURE: Interface [interface] Radio failed to pass RF loopback testRadio loopback test failed at startup time. None.DOT11-3-TX_PWR_OUT_OF_RANGE: Interface [interface] Radio Tx power control out of rangeThe unit has detected that the radio transmit power cannot be locked within the operating range.None.DOT11-4-MAXERTRIES: Packet to client [mac] reached max retries, remove the clientA packet sent to the client has not been successfully delivered many times, and the max retries limit has been reached. The client is deleted from the association table.None.DOT11-6-ASSOC: Interface [interface], Station [char] [mac] AssociatedA station associated to a bridge. None.DOT11-6-ADD: Interface [interface], Station [mac] Associated to Parent [mac]A station associated to a bridge. None.DOT11-6-DISASSOC: Interface [interface], Deauthenticating Station [mac] [char]A station disassociated from a bridge. None.DOT11-6-ROAMED: Station [mac-address] Roamed to [mac-address]A station has roamed to a new bridge. None.Unzip MessagesSOAP-4-UNZIP_OVERFLOW: Failed to unzip Flash:/c1200-k9w7-mx.122-3.6.JA1/html/level15/ap_xxx.htm.gz, exceeds maximum uncompressed html sizeThe HTTP server cannot retrieve a compressed file in response to an HTTP GET request because the size of the file is too large for the buffers used in the uncompression process.Make sure file is a valid HTML page. If so, you'll have to copy an uncompressed version of the file into Flash to retrieve it through HTTP.802.11 Subsystem MessagesDOT11-6-FREQ_INUSE: Radio frequency [int] is in useWhen scanning for an unused frequency, the unit recognized another radio using the displayed frequency.None.DOT11-6-FREQ_USED: Radio frequency [int] selectedAfter scanning for an unused frequency, the unit selected the displayed frequency.None.DOT11-4-VERSION_MISMATCH: Require radio version [hex].[int], found version [hex].[int]When starting the radio, the wrong firmware version was found. The radio will be loaded with the required version.None.DOT11-2-VERSION_INVALID: Unable to find required radio version [hex].[int]When trying to re-flash the radio firmware, the device recognized that the radio firmware packaged with the IOS firmware had the incorrect version. None.Table E-1 Error and Event Messages (continued)Message Explanation Recommended Action
E-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix E Error and Event MessagesDOT11-4-NO_SSID: No SSIDs configured, radio not startedAll SSIDs were deleted from the configuration. At least one must be configured for the radio to run.Configure at least one SSID on the device.DOT11-4-FLASHING_RADIO: Flashing the radio firmware ([chars])The radio has been stopped to load new firmware.None.DOT11-2-NO_FIRMWARE: No radio firmware file ([chars]) was foundWhen trying to Flash new firmware into the radio, the file for the radio was not found in the Flash file system.The wrong image has been loaded into the unit. Locate the correct image based on the type of radio used.DOT11-2-BAD_FIRMWARE: Radio firmware file ([chars]) is invalidWhen trying to Flash new firmware into the radio, the file was found to be invalid.Put the correct firmware image file in the place where the unit is looking.DOT11-4-FLASH_RADIO_DONE: Flashing the radio firmware completedThe radio firmware Flash is complete, and the radio will be restarted with the new firmware.None.DOT11-4-LINK_DOWN: Radio parent lost: [chars]The connection to the parent bridge was lost for the displayed reason. The unit will try to find a new parent bridge.None.DOT11-4-CANT_ASSOC: Cannot associate: [chars]The unit could not establish a connection to a parent bridge for the displayed reason.Check the configuration of both the parent bridge and this unit to make sure the basic settings (SSID, WEP, and others) match.Inter-Bridge Protocol MessagesDOT11-6-ROAMED: Station [mac-address] Roamed to [mac-address]A station has roamed to a new bridge. None.DOT11-6-STANDBY_ACTIVE: Standby to Active, Reason = [chars] ([int])The device is transitioning from standby mode to active mode.None.DOT11-6-ROGUE_AP: Rogue AP [mac-address] reported. Reason: [chars]A station has reported a potential rogue bridge for the stated reason.None.SCHED-3-UNEXPECTEDMESSAGE: Unknown message [hex] received (ptr arg [hex], num arg [hex]).A process can register to be notified when various events occur in the router. This message indicates that a process received a message from another process that it does not know how to handle.Copy the error message exactly as it appears, and report it to your technical support representative.SCHED-3-UNEXPECTEDEVENT: Process received unknown event (maj [hex], min [hex]).A process can register to be notified when various events occur in the router. This message indicates that a process received an event that it did not know how to handle.Copy the error message exactly as it appears, and report it to your technical support representative.Miscellaneous MessagesTable E-1 Error and Event Messages (continued)Message Explanation Recommended Action
E-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Appendix E Error and Event MessagesWGB_CLIENT_VLAN: Workgroup Bridge Ethernet client VLAN not configured.A VLAN configuration is missing for client devices connected to a workgroup bridge.Use the workgroup-bridge client-vlan command to assign a VLAN to Ethernet client devices connected to the workgroup bridge.UNDER_VOLTAGE: Under voltage condition detected.The hardware under voltage detection logic has reported a low voltage condition.Check the power supply and associated power connections.Table E-1 Error and Event Messages (continued)Message Explanation Recommended Action
GL-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02GLOSSARY802.11 The IEEE standard that specifies carrier sense media access control and physical layer specifications for 1- and 2-megabit-per-second (Mbps) wireless LANs operating in the 2.4-GHz band.802.11a The IEEE standard that specifies carrier sense media access control and physical layer specifications for wireless LANs operating in the 5-GHz frequency band.802.11b The IEEE standard that specifies carrier sense media access control and physical layer specifications for 5.5- and 11-Mbps wireless LANs operating in the 2.4-GHz frequency band.802.11g The IEEE standard that specifies carrier sense media access control and physical layer specifications for wireless LANs operating in the 2.4-GHz frequency band.Aaccess point A wireless LAN data transceiver that uses radio waves to connect a wired network with wireless stations.AC_BE Access Category Best EffortAC_BK Access Category BackgroundAC_VI Access Category VideoAC_VO Access Category VoiceAESCounter-Mode/CBC-MAC protocol (AES CCMP)A protocol based on AES using the CCM mode of operation. The CCM mode combines Counter (CTR) mode privacy and Cipher Block Chaining Message Authentication Code (CBC-MAC) authenticationad hoc network A wireless network composed of stations without access points.antenna gain The gain of an antenna is a measure of the antenna’s ability to direct or focus radio energy over a region of space. High-gain antennas have a more focused radiation pattern in a specific direction.associated A station is configured properly to enable it to wirelessly communicate with an access point.authentication suite A suggested set of authentication methods
GlossaryGL-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Bbackoff time The random length of time that a station waits before sending a packet on the LAN. Backoff time is a multiple of slot time, so a decrease in slot time ultimately decreases the backoff time, which increases throughput.beacon A wireless LAN packet that signals the availability and presence of the wireless device. BID Bridge identifier used in spanning-tree calculations. The BID contains the bridge MAC address and its spanning-tree priority value. If all bridges in the spanning tree are assigned the same priority, the bridge with the lowest MAC address becomes the spanning-tree root.BOOTP Boot Protocol. A protocol used for the static assignment of IP addresses to devices on the network.BPDU Bridge protocol data unit. When STP is enabled, bridges send and receive spanning-tree frames, called BPDUs, at regular intervals and use the frames to maintain a loop-free network.BPSK A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 1 Mbps.broadcast packet A single data message (packet) sent to all addresses on the same subnet.CCCK Complementary code keying. A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 5.5 and 11 Mbps.CCKM Cisco Centralized Key Management. Using CCKM, authenticated client devices can roam from one access point to another without any perceptible delay during reassociation. An access point on your network acts as a subnet context manager (SCM) and creates a cache of security credentials for CCKM-enabled client devices on the subnet. The SCM’s cache of credentials dramatically reduces the time required for reassociation when a CCKM-enabled client device roams to a new access point.cell The area of radio range or coverage in which the wireless devices can communicate with the base station. The size of the cell depends upon the speed of the transmission, the type of antenna used, and the physical environment, as well as other factors.client A radio device that uses the services of an Access Point to communicate wirelessly with other devices on a local area network.Cipher Suite A set of one or more cryptographic algorithms designed to protect data traffic. A cipher suite may provide data privacy, data authenticity or integrity, and/or replay protection
GlossaryGL-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Cisco Centralized Key Management (CCKM)CCKM is the basis of Cisco Fast reassociation and reauthentication solution, which utilizes a central node, an AP, as the key distributor to enable protected communications between the AP and the Wireless Stations. Station using CCKM use proprietary supports SSN Group Key update.CKIP Cisco Temporal Key Integrity Protocolclient A radio device that uses the services of an access point to communicate wirelessly with other devices on a local area network.CMIC Cisco Message Integrity CheckCSMA Carrier sense multiple access. A wireless LAN media access method specified by the IEEE 802.11 specification.Ddata rates The range of data transmission rates supported by a device. Data rates are measured in megabits per second (Mbps).dBi A ratio of decibels to an isotropic antenna that is commonly used to measure antenna gain. The greater the dBi value, the higher the gain, and the more acute the angle of coverage.DHCP Dynamic host configuration protocol. A protocol available with many operating systems that automatically issues IP addresses within a specified range to devices on the network. The device retains the assigned address for a specific administrator-defined period.dipole A type of low-gain (2.2-dBi) antenna consisting of two (often internal) elements.domain name The text name that refers to a grouping of networks or network resources based on organization-type or geography; for example: name.com—commercial; name.edu—educational; name.gov—government; ISPname.net—network provider (such as an ISP); name.ar—Argentina; name.au—Australia; and so on.DNS Domain Name System server. A server that translates text names into IP addresses. The server maintains a database of host alphanumeric names and their corresponding IP addresses.DSSS Direct sequence spread spectrum. A type of spread spectrum radio transmission that spreads its signal continuously over a wide frequency band.EEAP Extensible Authentication Protocol. An optional IEEE 802.1x security feature ideal for organizations with a large user base and access to an EAP-enabled Remote Authentication Dial-In User Service (RADIUS) server.EAPOL-Key Key Combination of EAPOL-Key Encryption key and EAPOL-Key MIC Key.
GlossaryGL-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02EAPOL Key Encryption Key (KEK)Key that encrypts key material in EAPOL-key packetEAPOL-Key MIC Key (KCK)Key used to integrity check an EAPOL-Key Message.Ethernet The most widely used wired local area network. Ethernet uses carrier sense multiple access (CSMA) to allow computers to share a network and operates at 10, 100, or 1000 Mbps, depending on the physical layer used.Ffile server A repository for files so that a local area network can share files, mail, and programs.firmware Software that is programmed on a memory chip.Ggateway A device that connects two otherwise incompatible networks.GHz Gigahertz. One billion cycles per second. A unit of measure for frequency.IIEEE Institute of Electrical and Electronic Engineers. A professional society serving electrical engineers through its publications, conferences, and standards development activities. The body responsible for the Ethernet 802.3 and wireless LAN 802.11 specifications.infrastructure The wired Ethernet network.IP address The Internet Protocol (IP) address of a station.IP subnet mask The number used to identify the IP subnetwork, indicating whether the IP address can be recognized on the LAN or if it must be reached through a gateway. This number is expressed in a form similar to an IP address; for example: 255.255.255.0.isotropic An antenna that radiates its signal in a spherical pattern.
GlossaryGL-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02MMAC Media Access Control address. A unique 48-bit number used in Ethernet data packets to identify an Ethernet device such as an access point or your client adapter.Message Integrity Code (MIC)A cryptographic checksum, designed to make it computationally infeasible for an adversary to alter data. This is usually called a Message Authentication Code, or MAC, in the literature, but the acronym MAC is already reserved for another meaning in this standard.modulation Any of several techniques for combining user information with a transmitter’s carrier signal.multipath The echoes created as a radio signal bounces off of physical objects.multicast packet A single data message (packet) sent to multiple addresses.Oomni-directional This typically refers to a primarily circular antenna radiation pattern.Orthogonal Frequency Division Multiplex (OFDM)A modulation technique used by IEEE 802.11a-compliant wireless LANs for transmission at 6, 9, 12, 18, 24, 36, 48, and 54 Mbps.Ppacket A basic message unit for communication across a network. A packet usually includes routing information, data, and sometimes error detection information.pairwise Two entities that is associated with each other; an access point and one associated station, or a pair of stations in an IBSS network, used to describe the key hierarchies for keys that are shared only between the two entities in a pairwise.Pairwise Master Key (PMK)The key that is generated on a per-session basis and is used as one of the inputs into the PRF to derive the Pairwise Transient Keys (PTK). For EAP-TLS authentication, the Pairwise Master Key is the key from the RADIUS MS-MPPE-Recv-Key attribute. For Pre-Shared Key authentication, the Pairwise Master Key is the Pre-Shared Key.PMKID PMK identificationPairwise Transient Key (PTK)A value that is derived from the PRF using the SNonce and ANonce, and is split up into as many as five keys (Temporal Encryption Key, two Temporal MIC Keys, EAPOL-Key Encryption Key, EAPOL-Key MIC Key) for use by the rest of the system.Pre-Shared Key (PSK)A key that is distributed to the units in the system by manual means. Legacy WEP systems without authentication used Pre-Shared Keys as the WEP keys. The Robust Security Network (RSN) specification allows a system to use a Pre-Shared Key if there is no other authentication method available, but using a Pre-Shared Key is not as secure.
GlossaryGL-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Qquadruple phase shift keyingA modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 2 Mbps.Rrange A linear measure of the distance that a transmitter can send a signal.receiver sensitivity A measurement of the weakest signal a receiver can receive and still correctly translate it into data.RF Radio frequency. A generic term for radio-based technology.roaming A feature of some access points that allows users to move through a facility while maintaining an unbroken connection to the LAN.RSN Robust Security NetworkRSNIE RSN Information ElementRP-TNC A connector type unique to Cisco radios and antennas. Part 15.203 of the FCC rules covering spread spectrum devices limits the types of antennas that may be used with transmission equipment. In compliance with this rule, Cisco, like all other wireless LAN providers, equips its radios and antennas with a unique connector to prevent attachment of non-approved antennas to radios.Sslot time The amount of time a device waits after a collision before retransmitting a packet. Short slot times decrease the backoff time, which increases throughput.spread spectrum A radio transmission technology that spreads the user information over a much wider bandwidth than otherwise required in order to gain benefits such as improved interference tolerance and unlicensed operation.SSID Service Set Identifier (also referred to as Radio Network Name). A unique identifier used to identify a radio network and which stations must use to be able to communicate with each other or to an access point. The SSID can be any alphanumeric entry up to a maximum of 32 characters.SSN Simple Security NetworkSSN-PSK Authenticated Key Management using pre-shared Key over 802.1X. SSN is enabled and there exists a per-configured pre-shared key. In this mode, the station use 802.1X for key management.
GlossaryGL-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02TTemporal Encryption KeyKey used to encrypt data packets.Temporal Key Combination of temporal encryption key and temporal MIC key.Temporal MIC Key Key used to integrity check data packetsTID Traffic Identifier (802.1Q user priority value)TKIP Temporal Key Integrity Protocoltransmit power The power level of radio transmission.UUNII Unlicensed National Information Infrastructure—regulations for UNII devices operating in the 5.15- to 5.35-GHz and 5.725- to 5.825-GHz frequency bands.UNII-1 Regulations for UNII devices operating in the 5.15- to 5.25-GHz frequency band.UNII-2 Regulations for UNII devices operating in the 5.25- to 5.35-GHz frequency band.UNII-3 Regulations for UNII devices operating in the 5.725- to 5.825-GHz frequency band.unicast packet A single data message (packet) sent to a specific IP address.WWDS Wireless Domain Services. An access point providing WDS on your wireless LAN maintains a cache of credentials for CCKM-capable client devices on your wireless LAN. When a CCKM-capable client roams from one access point to another, the WDS access point forwards the client’s credentials to the new access point with the multicast key. Only two packets pass between the client and the new access point, greatly shortening the reassociation time. WEP Wired Equivalent Privacy. An optional security mechanism defined within the 802.11 standard designed to make the link integrity of wireless devices equal to that of a cable.WLSE Wireless LAN Solutions Engine. The WLSE is a specialized appliance for managing Cisco wireless LAN infrastructures. It centrally identifies and configures access points in customer-defined groups and reports on throughput and client associations. WLSE centralized management capabilities are further enhanced with an integrated template-based configuration tool for added configuration ease and improved productivity.
GlossaryGL-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02WNM Wireless Network Manager.workstation A computing device with an installed client adapter.WPA Wi-Fi Protected Access (WPA) is a security solution from the Wireless Ethernet Compatibility Alliance (WECA). WPA, mostly synonymous to Simple Security Network (SSN), relies on the interim version of IEEE Standard 802.11i. WPA supports WEP and TKIP encryption algorithms as well as 802.1X and EAP for simple integration with existing authentication systems. WPA key management uses a combination of encryption methods to protect communication between client devices and the access point.
Beta Draft -- Cisco ConfidentialIN-1Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02INDEXSymbols<$nopage)Message Integrity Check<I_Italic MIC 16-3Numerics802.1x authentication 2-27AAAAserver group 2-39aaa authorization command 2-41aaa new-model command 2-38abbreviating commands A-5access point security settings, matching client devices 7-11accountingwith RADIUS 2-41with TACACS+ 2-45, 2-50Advanced Encryption Standard (AES) 1-5Aironet 802.11 extensions 2-53Aironet Client Utility (ACU) 16-4antenna gains B-4attributes, RADIUSvendor-proprietary 2-43vendor-specific 2-42authenticationEAP server 2-33, 7-3local mode with AAA 2-51NTP associations 2-9RADIUSkey 2-35login 2-37TACACS+defined 2-45key 2-47login 2-46, 2-48authentication network-eap command 8-10authentication typesNetwork-EAP 7-3open 7-2authoritative time source, described 2-6authorizationwith RADIUS 2-40with TACACS+ 2-45, 2-49Bbannersconfiguringlogin 2-5message-of-the-day login 2-4default configuration 2-4when displayed 2-4basic settingschecking 16-3beacon period command 3-17blocking communication between clients 3-15bootloader 16-10BR350 interoperability 5-3bridge-group command 3-16bridge interoperability 5-3
Beta Draft -- Cisco ConfidentialIndexIN-2Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02Ccarrier busy test 3-20CCKM 7-5CDPdisabling for routing device 12-4enabling and disabling 12-4monitoring 12-5Centralized Key Management (CCKM) 6-2channel data rates 3-8Cisco Centralized Key ManagementSee CCKMCisco Centralized Key Management (CCKM) 1-5Cisco TAC 16-1CiscoWorks 2000 13-4CKIP 1-5CKIP (Cisco Key Integrity Protocol) 6-2CLIabbreviating commands A-5command modes A-4editing featuresenabling and disabling A-8keystroke editing A-8wrapped lines A-9error messages A-6filtering command output A-10getting help A-5historychanging the buffer size A-7described A-6disabling A-7recalling commands A-7no and default forms of commands A-6client communication, blocking 3-15clockSee system clockCMIC 1-5, 6-2CMIC (Cisco Message Integrity Check)See CMICcomandsencryption mode cipher 6-2command-line interfaceSee CLIcommand modes A-4commandsaaa authorization 2-41aaa new-model 2-38abbreviating A-5authentication network-eap 8-10beacon period 3-17bridge-group 3-16concatenation 3-14del 16-6distance 3-4dot11 interface speed 8-11fragment-threshold 3-18infrastructure-client 3-15login authentication 2-38no and default A-6packet retries 3-18parent 3-19rts 3-17rts retries 3-17set 16-9set BOOT 16-9setting privilege levels 2-25show dot11 carrier busy 3-20spacing 3-9tftp_init 16-8community stringsconfiguring 13-5overview 13-4concatenation 3-17, 3-18concatenation command 3-14configuration filescreating using a text editor 14-10deleting a stored configuration 14-18downloading
Beta Draft -- Cisco ConfidentialIndexIN-3Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02preparing 14-10, 14-13, 14-16reasons for 14-8using FTP 14-13using RCP 14-16using TFTP 14-11guidelines for creating and using 14-9invalid combinations when copying 14-5system contact and location information 13-10types and location 14-9uploadingpreparing 14-10, 14-13, 14-16reasons for 14-8using FTP 14-14using RCP 14-17using TFTP 14-11connections, secure remote 2-52cryptographic message integrity 6-2crypto software image 2-52Ddata rates 3-8daylight saving time 2-19defaultconfiguration, resetting 16-4default commands A-6default configurationbanners 2-4DNS 2-3NTP 2-9password and privilege level 2-21SNMP 13-5system message logging 15-4TACACS+ 2-46del command 16-6directorieschanging 14-4creating and removing 14-4displaying the working 14-4distance command 3-4distance setting 3-14DNSdefault configuration 2-3displaying the configuration 2-4overview 2-2setting up 2-3domain namesDNS 2-2Domain Name SystemSee DNSdot11 interface speed command 8-11downloadingconfiguration filespreparing 14-10, 14-13, 14-16reasons for 14-8using FTP 14-13using RCP 14-16using TFTP 14-11image filesdeleting old image 14-22preparing 14-20, 14-23, 14-27reasons for 14-19using FTP 14-24using RCP 14-29using TFTP 14-21EEAP authenticationoverview 7-3editing featuresenabling and disabling A-8keystrokes used A-8wrapped lines A-9EIRP, maximum B-4 to ??enable password 2-22enable secret password 2-22encrypted software image 2-52
Beta Draft -- Cisco ConfidentialIndexIN-4Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02encryption for passwords 2-22encryption mode cipher command 6-2error messagesduring command entry A-6setting the display destination device 15-5severity levels 15-7system message format 15-2Ethernet indicator 16-2Express Security page 17Extensible Authentication Protocol (EAP) 6-2extensions, Aironet 2-53Ffast secure roaming 8-1filescopying 14-5deleting 14-5displaying the contents of 14-8tarcreating 14-6displaying the contents of 14-7extracting 14-7image file format 14-19file systemdisplaying available file systems 14-2displaying file information 14-3local file system names 14-2network file system names 14-5setting the default 14-3filteringshow and more command output A-10Flash device 14-2forward-delay time 5-7fragmentation threshold 3-18fragment-threshold command 3-18frequencies B-2FTPaccessing MIB files D-2configuration filesdownloading 14-13overview 14-12preparing the server 14-13uploading 14-14image filesdeleting old image 14-26downloading 14-24preparing the server 14-23uploading 14-26Gget-bulk-request operation 13-3get-next-request operation 13-3, 13-4get-request operation 13-3, 13-4get-response operation 13-3global configuration mode A-4group key updates 7-9Hhelp, for the command line A-5historychanging the buffer size A-7described A-6disabling A-7recalling commands A-7history table, level and number of syslog messages 15-8Iimage, operating system 16-6indicators 16-2infrastructure-client command 3-15install mode 3-4inter-client communication, blocking 3-15interface configuration mode A-4
Beta Draft -- Cisco ConfidentialIndexIN-5Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02IP address, finding and setting 25IPSU 24ISO designators for protocols C-1KKCK GL-4KEK GL-4key features 1-4LLEAPexample 7-12setting on client and access point 7-11LED indicatorsEthernet 16-2radio traffic 16-2status 16-2Load balancing 2-53login authenticationwith RADIUS 2-37with TACACS+ 2-46, 2-48login authentication command 2-38login banners 2-4log messagesSee system message loggingMMAC address 25IPSU 26troubleshooting 16-4management optionsCLI A-1memoryFlash 14-2PC system requirements xxiiMessage Authentication Code GL-5Message Integrity CheckSee MICMessage Integrity Check See MICMessage Integrity Code (MIC), definition GL-5messagesto users through banners 2-4method list 2-34MIBsaccessing files with FTP D-2location of files D-2overview 13-2SNMP interaction with 13-4MIC 2-53, 6-1, 16-3mobile station command 3-2monitoring, CDP 12-5NNetwork-EAP 7-3Network Time ProtocolSee NTPno commands A-6NTPassociationsauthenticating 2-9defined 2-7enabling broadcast messages 2-12peer 2-11server 2-11default configuration 2-9displaying the configuration 2-16overview 2-6restricting accesscreating an access group 2-14disabling NTP services per interface 2-15source IP address, configuring 2-16stratum 2-6synchronizing devices 2-11
Beta Draft -- Cisco ConfidentialIndexIN-6Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02timeservices 2-7synchronizing 2-6OOFDM 1-5Ppacket retries command 3-18pairwise GL-5Pairwise Master Key (PMK) GL-5parent command 3-19password reset 16-4passwordsdefault configuration 2-21encrypting 2-22settingenable 2-21enable secret 2-22with usernames 2-24per-VLAN Spanning Tree (PVST) 5-2ports, protected 3-16power level, maximum B-4preferential treatment of trafficSee QoSpre-shared key 7-9privileged EXEC mode A-4privilege levelsexiting 2-26logging into 2-26overview 2-20, 2-25setting a command with 2-25Public Secure Packet Forwarding 3-15QQoSconfiguration guidelines 10-4overview 10-2quality of serviceSee QoSRradiodistance setting 3-14indicator 16-2radio frequency data rates 3-8radio management 8-1RADIUSattributesvendor-proprietary 2-43vendor-specific 2-42configuringaccounting 2-41authentication 2-37authorization 2-40communication, global 2-35, 2-42communication, per-server 2-35multiple UDP ports 2-35default configuration 2-34defining AAA server groups 2-39displaying the configuration 2-44identifying the server 2-35limiting the services to the user 2-40method list 2-34operation of 2-33overview 2-32suggested network environments 2-32tracking services accessed by user 2-41rate limit, logging 15-9RCPconfiguration files
Beta Draft -- Cisco ConfidentialIndexIN-7Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02downloading 14-16overview 14-15preparing the server 14-16uploading 14-17image filesdeleting old image 14-30downloading 14-29preparing the server 14-27uploading 14-31regulatory domains B-2reloading access point image 16-6Remote Authentication Dial-In User ServiceSee RADIUSRemote Copy ProtocolSee RCPrequest to send (RTS) 3-17restricting accessNTP services 2-14passwords and privilege levels 2-20TACACS+ 2-44RFC1157, SNMPv1 13-21305, NTP 2-61901, SNMPv2C 13-21902 to 1907, SNMPv2 13-2roaming, fast secure roaming using CCKM 8-1rts command 3-17rts retries command 3-17Ssecure remote connections 2-52Secure ShellSee SSHsecurityprotocol 2-34synchronizing 7-11troubleshooting 16-3security settings, Express Security page 17self-healing wireless LAN 8-4sequence numbers in log messages 15-6server groupAAA 2-39session key 7-4set BOOT command 16-9set command 16-9set-request operation 13-4severity levels, defining in system messages 15-7show cdp traffic command 12-5show dot11 carrier busy command 3-20Simple Network Management ProtocolSee SNMPSNMPaccessing MIB variables with 13-4agentdescribed 13-3disabling 13-5community stringsconfiguring 13-5overview 13-4configuration examples 13-10default configuration 13-5limiting system log messages to NMS 15-8manager functions 13-3MIBs, location of D-2overview 13-2, 13-4snmp-server view 13-10status, displaying 13-11system contact and location 13-10trap manager, configuring 13-9trapsdescribed 13-3enabling 13-7overview 13-2, 13-4types of 13-7versions supported 13-2software imagesdelete from Flash 16-6
Beta Draft -- Cisco ConfidentialIndexIN-8Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02location in Flash 14-19tar file format, described 14-19spacing command 3-9Spanning Tree ProtocolSee STPSSH 11configuring 2-53crypto software image 2-52described 2-52displaying settings 2-53SSH Communications Security, Ltd. 11SSIDdefault (tsunami) 16-3multiple SSIDs 3-1troubleshooting 16-3VLAN 2-27without VLANs 2-26static WEP 2-26with open authentication, setting on client and access point 7-11with shared key authentication, setting on client and access point 7-11statisticsCDP 12-5SNMP input and output 13-11status indicators 16-2STPBPDU message exchange 5-3designated port, defined 5-4designated switch, defined 5-4displaying status 5-15inferior BPDU 5-4interface statesblocking 5-7disabled 5-8forwarding 5-7, 5-8learning 5-8listening 5-7overview 5-6overview 5-2redundant bridging 1-4root port, defined 5-4superior BPDU 5-3timers, described 5-5stratum, NTP 2-6summer time 2-19switchport protected command 3-16syslogSee system message loggingsystem clockconfiguringdaylight saving time 2-19manually 2-17summer time 2-19time zones 2-18displaying the time and date 2-17overview 2-6See also NTPsystem message loggingdefault configuration 15-4defining error message severity levels 15-7disabling 15-4displaying the configuration 15-12enabling 15-4facility keywords, described 15-11level keywords, described 15-8limiting messages 15-8message format 15-2overview 15-2rate limit 15-9sequence numbers, enabling and disabling 15-6setting the display destination device 15-5timestamps, enabling and disabling 15-6UNIX syslog serversconfiguring the daemon 15-10configuring the logging facility 15-10facilities supported 15-11system name
Beta Draft -- Cisco ConfidentialIndexIN-9Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02manual configuration 2-2system requirements xxiiTTAC 16-1TACACS+accounting, defined 2-45authentication, defined 2-45authorization, defined 2-45configuringaccounting 2-50authentication key 2-47authorization 2-49login authentication 2-46, 2-48default configuration 2-46displaying the configuration 2-50identifying the server 2-47limiting the services to the user 2-49operation of 2-45overview 2-45tracking services accessed by user 2-50tar filescreating 14-6displaying the contents of 14-7extracting 14-7image file format 14-19Telnet 11Temporal Key Integrity Protocol 6-1Terminal Access Controller Access Control System PlusSee TACACS+TFTP 16-8configuration filesdownloading 14-11preparing the server 14-10uploading 14-11image filesdeleting 14-22downloading 14-21preparing the server 14-20uploading 14-22tftp_init command 16-8timeSee NTP and system clocktimestamps in log messages 15-6time zones 2-18TKIP 2-53, 6-1TKIP (Temporal Key Integrity Protocol) 6-2trapsconfiguring managers 13-7defined 13-3enabling 13-7notification types 13-7overview 13-2, 13-4troubleshooting 16-1with CiscoWorks 13-4with system message logging 15-2UUNIX syslog serversdaemon configuration 15-10facilities supported 15-11message logging configuration 15-10upgrading software imagesSee downloadinguploadingconfiguration filespreparing 14-10, 14-13, 14-16reasons for 14-8using FTP 14-14using RCP 14-17using TFTP 14-11image filespreparing 14-20, 14-23, 14-27reasons for 14-19using FTP 14-26using RCP 14-31
Beta Draft -- Cisco ConfidentialIndexIN-10Cisco 3200 Series Wireless MIC Software Configuration GuideOL-7734-02using TFTP 14-22user EXEC mode A-4username-based authentication 2-24VVLANSSID 2-26, 2-27WWDS 8-1web siteCisco Software Center 24, 16-9WEP 6-1described 6-2key example 6-4keys 16-3troubleshooting 16-3with EAP 7-3Wi-Fi Protected AccessSee WPAWi-Fi Protected Access (WPA) 2-27Wired Equivalent PrivacySee WEPWireless Domain Services (WDS) 7-5wireless domain services (WDS) 8-5world-mode802.11d standard 3-11Cisco legacy 3-11WPA 2-26, 7-5cipher suite 6-2description 7-5WPA2 1-5

Navigation menu