Cisco 3200 Series Wireless MIC Software Configuration Guide June 2005 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
Cisco 3200 Series Wireless MIC Software Configuration Guide OL-7734-02
Preface

Audience
This guide is for the networking professional who installs and manages Cisco 3200 Series Mobile Access Routers. To use this guide, you should have experience working with the Cisco IOS and be familiar with the concepts and terminology of wireless local area networks.

Purpose
This guide provides the information you need to install and configure your bridge. This guide provides procedures for using the IOS commands that have been created or changed for use with the WMIC.
Organization
Chapter 5, “Configuring SSIDs,” describes how to configure and manage multiple service set identifiers (SSIDs). You can configure up to 16 SSIDs and assign different configuration settings to each SSID.
Chapter 6, “Configuring Spanning Tree Protocol,” describes how to configure Spanning Tree Protocol (STP). STP prevents data loops in your network.
Conventions
This publication uses these conventions to convey instructions and information:
Command descriptions use these conventions:
• Commands and keywords are in boldface text.
• Arguments for which you supply values are in italic.
• Square brackets ([ ]) mean optional elements.
• Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.
Warning This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, find out about the hazards involved with electrical circuitry and the standard practices for preventing accidents. (Translations of the warnings that appear in this publication are in the appendix "Translated Safety Warnings.")
Warning This warning symbol indicates danger.
Related Documentation
You can access these documents on the Documentation page on Cisco Connection Online (CCO) at www.cisco.com. The following documentation is available at http://www.cisco.com/en/US/products/hw/routers/ps272/tsd_products_support_series_home.html:
• Release Notes for the Cisco 3200 Series Mobile Access Routers—Provides information on accessing documentation and technical assistance for the Cisco 3200 Series Mobile Access Router.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com
You can access the Cisco website at this URL: http://www.cisco.com
You can access international Cisco websites at this URL: http://www.cisco.com/public/countries_languages.
Feature Navigator—Locates the Cisco IOS Software release based on the features you want to run on your network.
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Obtain information on compatibility between hardware products and software releases at the following public URL:
http://tools.cisco.com/Support/Fusion/FusionHome.
Cisco 3200 Documentation CD
The Cisco 3200 Series Router Documentation CD contains the technical publications for the Cisco 3200 Series Mobile Access Router. Viewing the documentation requires Acrobat Reader 4.0 or higher. After the CD is inserted in the CD-ROM drive and recognized by your PC, do the following:
Step 1 Access the root directory of the CD drive.
Step 2 Double-click the StartHere.htm file.
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour-a-day, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance. If you do not hold a valid Cisco service contract, please contact your reseller.
Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
CHAPTER 1
Overview

The Cisco Wireless Mobile Interface Card (WMIC) provides wireless connectivity for the Cisco 3200 Series Mobile Access Router. WMICs operate in the 2.4-GHz or 4.9-GHz bands and conform to the 802.11 standards.
Understanding the Cisco Mobile Wireless Network
This section provides basic wireless network configuration descriptions and an example of a metro mobile network. The 2.4-GHz WMIC has a fixed channel spacing and bandwidth of 20 MHz. The 4.9-GHz WMIC can be configured for different channel spacings or bandwidths of 5 MHz, 10 MHz, or 20 MHz. These channels are designed to be non-overlapping and non-interfering.
Figure 1-2 Point-to-Point Bridge Configuration

Point-to-Multipoint Bridging
In a point-to-multipoint configuration, two or more non-root bridges associate to a root bridge. Up to 17 non-root bridges can associate to a root bridge, but the non-root bridges must share the available bandwidth. Figure 1-3 shows bridges in a point-to-multipoint configuration.
Redundant Bridging
You can set up two pairs of bridges to add redundancy or load balancing to the bridge link. The bridges must use non-adjacent, non-overlapping radio channels to prevent interference, and they must use Spanning Tree Protocol (STP) to prevent loops. (STP is disabled by default. See Chapter 6, “Configuring Spanning Tree Protocol,” for instructions on configuring STP.) Figure 1-4 shows two pairs of redundant bridges.
Features
• Enhanced security—Enable three advanced security features to protect against sophisticated attacks on your wireless network's WEP keys: Message Integrity Check (MIC) and WEP key hashing. Enhanced security for WPA/TKIP is also available.
• Enhanced authentication services—Set up non-root bridges or workgroup bridges to authenticate to the network like other wireless client devices.
Table 1-1 Differences Between the 2.4-GHz WMIC and the 4.9-GHz WMIC
Feature 4.
Table 1-1 Differences Between the 2.4-GHz WMIC and the 4.9-GHz WMIC
Feature | 2.4-GHz WMIC | 4.9-GHz WMIC
Scanning Enhancements for Faster Roaming | All Scanning Enhancements for Faster Roaming are available. | All Scanning Enhancements for Faster Roaming are available except “Use First Better Access Point.
CHAPTER 2
Configuring the WMIC for the First Time

This chapter describes how to configure basic settings on a Wireless Mobile Interface Card (WMIC) for the first time. You can configure all the settings described in this chapter using the CLI, but it might be simplest to browse to the web-browser interface to complete the initial configuration and use the CLI to enter additional settings for a more detailed configuration.
Before You Start
Before you install the WMIC, make sure you are using a computer connected to the same network as the WMIC, and obtain the following information from your network administrator:
• A system name for the WMIC
• The case-sensitive wireless service set identifier (SSID) that your WMICs use
• If not connected to a DHCP server, a unique IP address for your WMIC (such as 172.17.255.
Connecting to the WMIC

Using a Telnet Session to Access the Exec
Follow these steps to access the WMIC CLI by using a Telnet session. The WMIC must have been previously configured to accept a Telnet session. These steps are for a PC running Microsoft Windows with a Telnet terminal application. Check the PC operating instructions for detailed instructions for your operating system.
Step 1 Select Start > Programs > Accessories > Telnet.
Obtaining and Assigning an IP Address
To browse to the WMIC Express Setup page, you must assign the WMIC IP address using one of the following methods:
• Use command when you connect to the WMIC locally. For detailed instructions, see the “Connecting to the WMIC” section of this document.
• Use a DHCP server (if available) to automatically assign an IP address.
Assigning Basic Settings By Using the Web Browser
After you determine or assign the WMIC IP address, browse to the Express Setup page and perform an initial configuration:
Step 1 Open your Internet browser. The web-browser interface is fully compatible with these browsers: Microsoft Internet Explorer versions 5.0, 5.01, 5.5 and 6.0; and Netscape Navigator versions 4.79 and 7.0.
Figure 2-2 Express Setup Page
Step 6 Enter the configuration settings you obtained from your system administrator. The configurable settings include:
• System Name— The system name, while not an essential setting, helps identify the WMIC on your network. The system name appears in the titles of the management system pages.
• SNMP Community—If your network is using SNMP, enter the SNMP Community name provided by your network administrator and select the attributes of the SNMP data (also provided by your network administrator).
• Role in Radio Network—Click on the button that describes the role of the device on your network.
  – Root—Configures the device as a root bridge. In this mode, you establish a link with a non-root bridge.
Default Settings on the Express Setup Page
Table 2-1 lists the default settings for the settings on the Express Setup page.
Table 2-1 Default Settings on the Express Setup Page
Setting | Default
System Name | bridge
Configuration Server Protocol | DHCP
IP Address | Assigned by DHCP by default; if DHCP is disabled, the default setting is 10.0.0.
Protecting Your Wireless LAN

Configuring Basic Security Settings
After you assign basic settings to your access point, you must configure security settings to prevent unauthorized access to your network. Because it is a radio device, the access point can communicate beyond the physical boundaries of your worksite.
Understanding Express Security Settings
When the WMIC configuration is at factory defaults, the first SSID that you create using the Express security page overwrites the default SSID, install, which has no security settings. The SSIDs that you create appear in the SSID table at the bottom of the page. You can create up to 16 SSIDs on the access point.
Table 2-2 Security Types on Express Security Setup Page (continued)
Security Type | Description | Security Features Enabled
EAP Authentication | This option enables 802.1x authentication (such as LEAP, PEAP, EAP-TLS, EAP-GTC, EAP-SIM, and others) and requires you to enter the IP address and shared secret for an authentication server on your network (server authentication port 1645). Because 802.
Using the Express Security Page
Follow these steps to create an SSID using the Express Security page:
Step 1 Type the SSID in the SSID entry field. The SSID can contain up to 32 alphanumeric characters.
  a. The Broadcast SSID in Beacon setting is active only when the WMIC is in the Root AP mode. When you broadcast the SSID, devices that do not specify an SSID can associate to the WMIC when it is a root access point.
 concatenation
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 4000
 station-role root
 infrastructure-client
 bridge-group 1
!
interface Dot11Radio0.
 speed auto
 bridge-group 1
!
interface FastEthernet0.
interface FastEthernet0.
 no ip route-cache
 bridge-group 40
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
!
interface FastEthernet0.40
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 40
!
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.
Using the IP Setup Utility
Step 7 Download and save the file to a temporary directory on your hard drive and then exit the Internet browser.
Step 8 Double-click IPSUvxxxxxx.exe in the temporary directory to expand the file.
Step 9 Double-click Setup.exe and follow the steps provided by the installation wizard to install IPSU. The IPSU icon appears on your computer desktop.
Using IPSU to Set the IP Address and SSID
To change the IP address of the WMIC, use IPSU. You can also set the SSID.
Note IPSU can change the IP address and SSID only from the default settings. After the IP address and SSID have been changed, IPSU cannot be used to change them again.
Note The computer you use to assign an IP address to the WMIC must have an IP address in the same subnet as the WMIC.
Step 6 Click Set Parameters to change the WMIC’s IP address and SSID settings.
Step 7 Click Exit to exit IPSU.
CHAPTER 3
Administering the WMIC

This chapter describes how to administer your WMIC.
Configuring a System Name and Prompt
You configure the system name on the WMIC to identify it. A greater-than symbol (>) is appended. The prompt is updated whenever the system name changes, unless you manually configure the prompt by using the prompt global configuration command.
Managing DNS

Default DNS Configuration
Table 3-1 shows the default DNS configuration.
Table 3-1 Default DNS Configuration
Feature | Default Setting
DNS enable state | Disabled.
DNS default domain name | None configured.
DNS servers | No name server addresses are configured.

Setting Up DNS
Beginning in privileged EXEC mode, follow these steps to set up your WMIC to use the DNS:
Step | Command | Purpose
Step 1 | configure terminal | Enter global configuration mode.
domain name is the value set by the ip domain-name global configuration command. If there is a period (.) in the host name, the IOS software looks up the IP address without appending any default domain name to the host name.
To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command.
Creating a Banner
Step | Command | Purpose
Step 3 | end | Return to privileged EXEC mode.
Step 4 | show running-config | Verify your entries.
Step 5 | copy running-config startup-config | (Optional) Save your entries in the configuration file.
To delete the MOTD banner, use the no banner motd global configuration command.
This example shows how to configure a login banner for the WMIC using the dollar sign ($) symbol as the beginning and ending delimiter:
bridge(config)# banner login $
Access for authorized users only. Please enter your username and password.
$
Managing the System Time and Date
running NTP automatically chooses as its time source the device with the lowest stratum number with which it communicates through NTP. This strategy effectively builds a self-organizing tree of NTP speakers. NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not synchronized.
Figure 3-1 Typical NTP Network Configuration
[Figure: a Catalyst 6500 series switch (NTP master), local workgroup servers, and Catalyst 3550 switches. Callouts: "These switches are configured in NTP server mode (server association) with the Catalyst 6500 series switch." "This switch is configured as an NTP peer to the upstream and downstream Catalyst 3550 switches."]
Configuring NTP
WMICs do not have a hardware-supported clock, and they cannot function as an NTP master clock to which peers synchronize themselves when an external NTP source is not available. These bridges also have no hardware support for a calendar. As a result, the ntp update-calendar and the ntp master global configuration commands are not available.

Default NTP Configuration
Table 3-2 shows the default NTP configuration.
Step | Command | Purpose
Step 4 | ntp trusted-key key-number | Specify one or more key numbers (defined in Step 3) that a peer NTP device must provide in its NTP packets for this WMIC to synchronize to it. By default, no trusted keys are defined. For key-number, specify the key defined in Step 3. This command provides protection against accidentally synchronizing the WMIC to a device that is not trusted.
Configuring NTP Associations
An NTP association can be a peer association (this WMIC can either synchronize to the other device or allow the other device to synchronize to it), or it can be a server association (meaning that only this WMIC synchronizes to the other device, and not the other way around).
Configuring NTP Broadcast Service
The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP addresses of all devices with which it should form associations. Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. However, in a LAN environment, NTP can be configured to use IP broadcast messages instead.
Beginning in privileged EXEC mode, follow these steps to configure the WMIC to receive NTP broadcast packets from connected peers:
Step | Command | Purpose
Step 1 | configure terminal | Enter global configuration mode.
Step 2 | interface interface-id | Enter interface configuration mode, and specify the interface to receive NTP broadcast packets.
Step 3 | ntp broadcast client | Enable the interface to receive NTP broadcast packets.
Configuring NTP Access Restrictions
You can control NTP access by using access lists.

Creating an Access Group and Assigning a Basic IP Access List
Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:
Step | Command | Purpose
Step 1 | configure terminal | Enter global configuration mode.
3. serve-only—Allows only time requests from a device whose address passes the access list criteria.
4. query-only—Allows only NTP control queries from a device whose address passes the access list criteria.
If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices.
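The first-match rule above, modeled as an added Python example that is not part of the Cisco guide. The peer and serve access types are not shown in this excerpt, so their meaning here follows standard Cisco IOS NTP behavior; the access-list numbers and addresses are constructed for illustration.

```python
import ipaddress

ALL_CAPS = frozenset({"time", "control", "sync"})

# Access types in the order they are scanned; the first match is granted.
# "time" = answer time requests, "control" = answer NTP control queries,
# "sync" = let this device synchronize to the remote device.
# peer and serve are assumptions based on standard IOS behavior.
ACCESS_TYPES = [
    ("peer", ALL_CAPS),
    ("serve", frozenset({"time", "control"})),
    ("serve-only", frozenset({"time"})),
    ("query-only", frozenset({"control"})),
]

# Constructed standard access lists: (action, address, wildcard mask).
ACLS = {
    10: [("permit", "192.0.2.10", "0.0.0.0")],
    20: [("deny", "192.0.2.99", "0.0.0.0"),
         ("permit", "192.0.2.0", "0.0.0.255")],
}

# Constructed equivalent of:
#   ntp access-group peer 10
#   ntp access-group serve-only 20
NTP_ACCESS_GROUPS = {"peer": 10, "serve-only": 20}


def acl_permits(acl, src):
    """Evaluate a standard IP access list top-down with an implicit deny."""
    src_int = int(ipaddress.IPv4Address(src))
    for action, addr, wildcard in acl:
        # Wildcard bits set to 1 are "don't care" bits.
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if (src_int & care) == (int(ipaddress.IPv4Address(addr)) & care):
            return action == "permit"
    return False


def granted_access(access_groups, acls, src):
    """Return (access type, capabilities) granted to an NTP source address."""
    if not access_groups:
        # No access groups configured: every access type is open to everyone.
        return "all", ALL_CAPS
    for name, caps in ACCESS_TYPES:
        acl_no = access_groups.get(name)
        if acl_no is not None and acl_permits(acls[acl_no], src):
            return name, caps
    return None, frozenset()


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.77", "192.0.2.99", "198.51.100.1"):
        name, caps = granted_access(NTP_ACCESS_GROUPS, ACLS, src)
        print(f"{src:<14} -> {name}: {sorted(caps)}")
```

Note that 192.0.2.10 passes both access lists but receives peer access because that type is scanned first, and that an empty access-group table leaves the NTP service open to every source.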
Configuring the Source IP Address for NTP Packets
When the WMIC sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source global configuration command when you want to use a particular source IP address for all NTP packets. The address is taken from the specified interface.
Configuring Time and Date Manually
If no other source of time is available, you can manually configure the time and date after the system is restarted. The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the WMIC can synchronize, you do not need to manually set the system clock.
Configuring the Time Zone
Beginning in privileged EXEC mode, follow these steps to manually configure the time zone:
Step | Command | Purpose
Step 1 | configure terminal | Enter global configuration mode.
Step 2 | clock timezone zone hours-offset [minutes-offset] | Set the time zone. The device keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.
Configuring Summer Time (Daylight Saving Time)
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year:
Step | Command | Purpose
Step 1 | configure terminal | Enter global configuration mode.
Step 2 | clock summer-time zone recurring | Configure summer time to start and end on the specified days every year.
Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events):
Step | Command | Purpose
Step 1 | configure terminal | Enter global configuration mode.
Step 2 | clock summer-time zone date [month date year hh:mm month date year hh:mm | Configure summer time to start on the first date and end on the second date.
Protecting Access to Privileged EXEC Commands
This section describes how to control access to the configuration file and privileged EXEC commands.

Default Password and Privilege Level Configuration
Table 3-3 shows the default password and privilege level configuration.
Table 3-3 Default Password and Privilege Levels
Feature | Default Setting
Username and password | Default username is Cisco and the default password is Cisco.
Step | Command | Purpose
Step 4 | show running-config | Verify your entries.
Step 5 | copy running-config startup-config | (Optional) Save your entries in the configuration file.
The enable password is not encrypted and can be read in the WMIC configuration file.
This example shows how to change the enable password to l1u2c3k4y5.
Beginning in privileged EXEC mode, follow these steps to configure encryption for enable and enable secret passwords:
Step | Command | Purpose
Step 1 | configure terminal | Enter global configuration mode.
Step 2 | enable password [level level] {password | encryption-type encrypted-password} | Define a new password or change an existing password for access to privileged EXEC mode.
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2:
bridge(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Configuring Username and Password Pairs
You can configure username and password pairs, which are locally stored on the WMIC. These pairs are assigned to lines or interfaces and authenticate each user before that user can access the WMIC.
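The storage difference described in this section (an enable password readable in the configuration file, an enable secret stored as a type 5 hash) can be checked offline against a saved configuration. The Python script below is an added example, not part of the Cisco guide. Its sample configuration is constructed from the passwords this chapter uses plus a made-up user ops with a placeholder type 7 string; treating type 7 as reversible encoding and level 15 as the default enable level reflects general Cisco IOS behavior rather than text on this page.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    line: int      # 1-based line number in the configuration text
    subject: str   # which credential the finding is about
    issue: str     # "plaintext", "default-password" or "reversible"


# Constructed sample, assembled from values used in this chapter.
# The user "ops" and its type 7 string are placeholders.
SAMPLE_CONFIG = """\
hostname bridge
enable password l1u2c3k4y5
enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
enable password level 14 SecretPswd14
username Cisco password Cisco
username ops password 7 00000000000000
"""

# enable {password | secret} [level N] [encryption-type] value
ENABLE_RE = re.compile(
    r"^enable (password|secret)(?: level (\d+))?(?: (\d))? (\S+)$")
# username NAME [privilege N] password [encryption-type] value
USER_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? password(?: (\d))? (\S+)$")

DEFAULT_PASSWORD = "Cisco"  # factory default listed in Table 3-3


def storage_issue(keyword, enc_type, value):
    """Classify how a credential is stored; None means no finding."""
    if keyword == "secret":
        return None  # kept as a one-way hash (type 5 in this chapter)
    if enc_type in (None, "0"):
        # Readable by anyone who can view or copy the configuration file.
        return "default-password" if value == DEFAULT_PASSWORD else "plaintext"
    if enc_type == "7":
        return "reversible"  # assumption: type 7 is an encoding, not a hash
    return None


def audit_credentials(config_text):
    """Return a Finding for every weakly stored credential in the text."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        match = ENABLE_RE.match(line)
        if match:
            keyword, level, enc_type, value = match.groups()
            subject = f"enable level {level or 15}"
        else:
            match = USER_RE.match(line)
            if not match:
                continue
            user, _privilege, enc_type, value = match.groups()
            keyword, subject = "password", f"username {user}"
        issue = storage_issue(keyword, enc_type, value)
        if issue:
            findings.append(Finding(number, subject, issue))
    return findings


if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_CONFIG):
        print(f"line {finding.line}: {finding.subject}: {finding.issue}")
```

Each finding maps to a remediation this chapter already describes: replace enable password entries with enable secret at the same level, and change the factory default username and password before the WMIC is reachable over the network.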
Configuring Multiple Privilege Levels
By default, the IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:
bridge(config)# privilege exec level 14 configure
bridge(config)# enable password level 14 SecretPswd14

Logging Into and Exiting a Privilege Level
Beginning in privileged EXEC mode, follow these steps to log in to a specified privilege level and to exit to a specified privilege level:
Comm
Protecting the Wireless LAN

Express Security Types
Table 3-4 describes the four security types that you can assign to an SSID.
Table 3-4 Security Types
Security Type | Description | Security Features Enabled
No Security | This is the least secure option. Use this option only for SSIDs used in a public space and assign it to a VLAN that restricts access to your network. | None.
Static WEP Key | This option is more secure than no security.
 ssid no_security-ssid
    vlan 10
    authentication open
    guest-mode
 !
 concatenation
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 4000
 station-role root
 infrastructure-client
 bridge-group 1
!
interface Dot11Radio0.
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.1.1.2 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.
 no ip route-cache
 bridge-group 20
 bridge-group 20 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
!
interface FastEthernet0.
!
interface FastEthernet0.30
 mtu 1500
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 no bridge-group 30 source-learning
 bridge-group 30 spanning-disabled
!

WPA Security Example

This example shows part of the configuration that creates an SSID called wpa_ssid, excludes the SSID from the beacon, and assigns the SSID to VLAN 40:

aaa new-model
!
aaa group server radius rad_eap
 server 10.91.104.
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 40
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
!
interface FastEthernet0.40
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 40
!
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.
• Networks already using RADIUS. You can add a Cisco bridge containing a RADIUS client to the network.
• Networks that require resource accounting. You can use RADIUS accounting independently of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, showing the amount of resources (such as time, packets, bytes, and so forth) used during the session.
server. Using information from its user database, the RADIUS server creates its own response and compares that to the response from the non-root bridge. When the RADIUS server authenticates the non-root bridge, the process repeats in reverse, and the non-root bridge authenticates the RADIUS server.
Note: For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS Security Command Reference for Release 12.2.
Step    Command
        Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  aaa new-model
        Enable AAA.
Step 3  radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
        Specify the IP address or host name of the remote RADIUS server host.
        • (Optional) For auth-port port-number, specify the UDP destination port for authentication requests.
This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:

bridge(config)# radius-server host host1

Configuring RADIUS Login Authentication

To configure AAA authentication, define a named list of authentication methods and apply that list to various interfaces.
Step    Command
        Purpose
Step 3  aaa authentication login {default | list-name} method1 [method2...]
        Create a login authentication method list.
        • To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all interfaces.
Defining AAA Server Groups

Configure the bridge to use AAA server groups to group existing server hosts for authentication. Select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Step    Command
        Purpose
Step 4  aaa group server radius group-name
        Define the AAA server-group with a group name. This command puts the bridge in a server group configuration mode.
Step 5  server ip-address
        Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:

Step    Command
        Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  aaa authorization network radius
        Configure the bridge for user RADIUS authorization for all network-related service requests.
Configuring Settings for All RADIUS Servers

Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the bridge and all RADIUS servers:

Step    Command
        Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  radius-server key string
        Specify the shared secret text string used between the bridge and all RADIUS servers.
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate AV pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and the asterisk (*) for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:

Step    Command
        Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  radius-server host {hostname | ip-address} non-standard
        Specify the IP address or host name of the remote RADIUS server host and identify that it is using a vendor-proprietary implementation of RADIUS.
Understanding TACACS+

TACACS+ is a security application that provides centralized validation of users attempting to gain access to your bridge. Unlike RADIUS, TACACS+ does not authenticate non-root bridges associated to the root bridge. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation.
TACACS+ allows a conversation to be held between the daemon and the administrator until the daemon receives enough information to authenticate the administrator. The daemon prompts for a username and password combination, but can include other items, such as the user’s mother’s maiden name.

2. The WMIC eventually receives one of these responses from the TACACS+ daemon:
   – ACCEPT—The administrator is authenticated and service can begin.
or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.
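The fall-through rule described above, modelled as an added example (not code from the Cisco guide): the next method in a login method list is consulted only when the previous one gives no answer, and a denial from any method ends the attempt. The reply names, backend functions and account data are constructed for illustration, and the parser assumes a server method may be written either bare (tacacs+) or as group tacacs+.

```python
"""Model of how a login authentication method list is walked (added example)."""
from enum import Enum


class Reply(Enum):
    ACCEPT = "accept"  # the method answered and admitted the user
    REJECT = "reject"  # the method answered and denied the user
    ERROR = "error"    # the method gave no usable answer (server down, timeout)


def parse_method_list(line):
    """Parse 'aaa authentication login {default | list-name} method1 [method2...]'.

    Assumption: a server method may appear as 'tacacs+' or as 'group tacacs+'.
    Returns (list_name, [method, ...]) in the order the methods are tried.
    """
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError(f"not a login method list: {line!r}")
    name, rest = tokens[3], tokens[4:]
    methods = []
    i = 0
    while i < len(rest):
        if rest[i] == "group":
            if i + 1 == len(rest):
                raise ValueError("'group' needs a server group name")
            methods.append(rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return name, methods


def authenticate(methods, backends, user, password):
    """Walk the method list; return (admitted, trace of (method, reply))."""
    trace = []
    for method in methods:
        reply = backends[method](user, password)
        trace.append((method, reply))
        if reply is Reply.ACCEPT:
            return True, trace
        if reply is Reply.REJECT:
            # A denial is final: later methods are never consulted.
            return False, trace
        # Reply.ERROR: no answer from this method, fall through to the next.
    return False, trace  # every method was exhausted without an ACCEPT


def user_db(accounts):
    """Backend that always answers: ACCEPT on a match, REJECT otherwise."""
    def check(user, password):
        return Reply.ACCEPT if accounts.get(user) == password else Reply.REJECT
    return check


def unreachable(_user, _password):
    """Backend standing in for a security server that does not respond."""
    return Reply.ERROR


# Constructed sample data (hypothetical accounts, not from the guide).
LIST_LINE = "aaa authentication login default group tacacs+ local"
TACACS_USERS = {"netops": "T4c-pass"}
LOCAL_USERS = {"breakglass": "L0cal-pass"}


def run_scenarios():
    """Run four logins against a responsive and an unresponsive server."""
    _, methods = parse_method_list(LIST_LINE)
    up = {"tacacs+": user_db(TACACS_USERS), "local": user_db(LOCAL_USERS)}
    down = {"tacacs+": unreachable, "local": user_db(LOCAL_USERS)}
    return {
        "server_up_valid": authenticate(methods, up, "netops", "T4c-pass"),
        "server_up_local_only_user": authenticate(methods, up, "breakglass", "L0cal-pass"),
        "server_down_local_user": authenticate(methods, down, "breakglass", "L0cal-pass"),
        "server_down_unknown_user": authenticate(methods, down, "netops", "T4c-pass"),
    }


if __name__ == "__main__":
    for name, (admitted, trace) in run_scenarios().items():
        steps = " -> ".join(f"{m}:{r.value}" for m, r in trace)
        print(f"{name:28} admitted={admitted}  {steps}")
```

The local account is usable only while the server gives no answer, so the local username database gates all access during a server outage and deserves the same password standard as the server accounts.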
Configuring TACACS+ Login Authentication

To configure AAA authentication, you define a named list of authentication methods and then apply that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific interface before any of the defined authentication methods are performed.
Step    Command
        Purpose
Step 5  login authentication {default | list-name}
        Apply the authentication list to a line or set of lines.
        • If you specify default, use the default list created with the aaa authentication login command.
        • For list-name, specify the list created with the aaa authentication login command.
Step 6  end
        Return to privileged EXEC mode.
Step 7  show running-config
        Verify your entries.
Step    Command
        Purpose
Step 4  end
        Return to privileged EXEC mode.
Step 5  show running-config
        Verify your entries.
Step 6  copy running-config startup-config
        (Optional) Save your entries in the configuration file.

To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
Configuring the WMIC for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the WMIC to implement AAA in local mode. The WMIC then handles authentication and authorization. No accounting is available in this configuration.
Configuring the WMIC for Secure Shell

This section describes how to configure the Secure Shell (SSH) feature.

Note: For complete syntax and usage information for the commands used in this section, refer to the “Secure Shell Commands” section in the Cisco IOS Security Command Reference for Release 12.2.

Understanding SSH

SSH is a protocol that provides a secure, remote connection to a Layer 2 or a Layer 3 device.
Configuring SSH

Before configuring SSH, download the crypto software image from Cisco.com. For information about configuring SSH and displaying SSH settings, refer to the “Configuring Secure Shell” section in the Cisco IOS Security Configuration Guide for Release 12.2.

Managing Aironet Extensions

The WMIC uses Cisco Aironet 802.
If you try to change the Aironet extensions without setting the radio to the proper role, an error message displays:

wmic1(config-if)#
wmic1(config-if)#no dot11 extension aironet
Aironet Extension is always enabled in Bridge or WGB mode.
CHAPTER 4
Configuring Radio Settings

This chapter describes how to configure radio settings for your WMIC. This chapter includes these sections:
• Disabling and Enabling the Radio Interface
• Configuring the Role in Radio Network
• Configuring Radio Data Rates
• Configuring Radio Transmit Power
• Configuring Radio Channel Settings
• Enabling and Disabling World Mode (2.4-GHz Only)
• Disabling and Enabling Short Radio Preambles (2.
Disabling and Enabling the Radio Interface

The WMIC radio is enabled by default. Beginning in privileged EXEC mode, follow these steps to disable the WMIC radio:

Step    Command
        Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface dot11radio 0
        Enter interface configuration mode for the radio interface.
Step 3  shutdown
        Disable the radio port.
Step 4  end
        Return to privileged EXEC mode.
Configuring the WMIC as an Access Point

The WMIC can be configured as a root access point. In this role, it accepts associations from wireless clients. Follow these steps to configure the WMIC as an access point:

Step    Command
        Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface dot11radio 0
        Enter interface configuration mode for the radio interface.
Configuring the WMIC as a Bridge

The WMIC can be configured as a bridge. This is the only role that supports the distance command. There are three install modes: automatic, root, and non-root: Automatic activates the bridge install and alignment mode, and specifies that the unit automatically determines the network role.
You can also configure the WMIC to set the data rates automatically to optimize either range or throughput. When you enter range for the data rate setting, the WMIC sets the 6-Mbps rate to basic and the other rates to enabled if you are configuring a 2.4-GHz WMIC or a 4.9-GHz WMIC. If you are configuring a 4.9-GHz WMIC set to 5-MHz spacing, the WMIC sets the 1.5-Mbps rate to basic and the other rates to enabled. If you are configuring a 4.
Use the no form of the speed command to disable data rates. When you use the no form of the command, all data rates are disabled except the rates you name in the command. This example shows how to disable data rate 6.0:

bridge# configure terminal
bridge(config)# interface dot11radio 0
bridge(config-if)# no speed basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.
Note: Aironet extensions must be enabled to limit the power level on associated client devices. Aironet extensions are enabled by default.

Configuring Radio Channel Settings

The default channel setting for the radio is least congested; at startup, the WMIC scans for and selects the least-congested channel.
Step    Command
        Purpose
Step 3  channel frequency | least-congested
        Set the default channel for the WMIC radio. To search for the least-congested channel on startup, enter least-congested. These are the available frequencies (in MHz) for the 2.
Table 4-1 Radio Frequency Data Rates

4.5    BPSK     19   -93   4
6      QPSK     19   -92   6
9      QPSK     19   -91   6
12     16-QAM   19   -87   11
18     16-QAM   18   -84   11
24     64-QAM   16   -78   20
27     64-QAM   15   -75   20

1.5    BPSK     19   -97   4
2.25   BPSK     19   -96   4
3      QPSK     19   -95   6
4.5    QPSK     19   -94   6
6      16-QAM   19   -90   11
9      16-QAM   18   -87   11
12     64-QAM   16   -81   20
13.
Defaults

Table 4-2 Channels, Center Frequencies, and Channel Widths

Channel   Center Frequency   Channel Width
1         4940.5             not supported
2         4941.5             not supported
3         4942.5             5-MHz
4         4943.5             not supported
5         4944.5             not supported
6         4947.5             5-MHz
7         4952.5             5-MHz or 10-MHz
8         4957.5             5-MHz
9         4962.5             5-MHz or 10-MHz
10        4967.5             5-MHz
11        4972.5             5-MHz or 10-MHz
12        4977.5             5-MHz
13        4982.5             5-MHz or 10-MHz
14        4985.
Enabling and Disabling World Mode (2.4-GHz Only)

You can configure the WMIC to support 802.11d world mode or Cisco legacy world mode. When you enable world mode, the WMIC adds channel carrier set information to its beacon. Client devices with world mode enabled receive the carrier set information and adjust their settings automatically.
You cannot configure short or long radio preambles on the 5-GHz radio. Beginning in privileged EXEC mode, follow these steps to disable short radio preambles:

Step    Command
        Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface dot11radio 0
        Enter interface configuration mode for the radio interface.
Step 3  no preamble-short
        Disable short preambles and enable long preambles.
Note: The Antenna Gain (dB) setting is disabled on the WMIC.

Configuring the Ethernet Encapsulation Transformation Method

When the WMIC receives data packets that are not 802.3 packets, the WMIC must format the packets to 802.3 using an encapsulation transformation method. These are the two transformation methods:
• 802.1H—This method provides optimum performance for Cisco wireless products.
Step    Command
        Purpose
Step 3  concatenation bytes
        (Optional) Bytes specifies a maximum size for concatenation packets in bytes. Enter a value from 1600 to 4000.
Step 4  end
        Return to privileged EXEC mode.
Step 5  copy running-config startup-config
        (Optional) Save your entries in the configuration file.
a radio link to the access point, the access point must reduce the delivery reliability of multicast packets to workgroup bridges. With reduced reliability, the access point cannot confirm whether multicast packets reach the intended workgroup bridge, so workgroup bridges at the edge of the access point's coverage area might lose IP connectivity.
PSPF is disabled by default. Beginning in privileged EXEC mode, follow these steps to enable PSPF:

Step    Command
        Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface dot11radio 0
        Enter interface configuration mode for the radio interface.
Step 3  bridge-group group port-protected
        Enable PSPF.
Step 4  end
        Return to privileged EXEC mode.
Configuring the Beacon Period

The beacon period is the amount of time between beacons in kilomicroseconds. One Kusec equals 1,024 microseconds. The default beacon period is 100. Beginning in privileged EXEC mode, follow these steps to configure the beacon period:

Step    Command
        Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface dot11radio 0
        Enter interface configuration mode for the radio interface.
Configuring the Maximum Data Retries

The maximum data retries setting determines the number of attempts the WMIC makes to send a packet before giving up and dropping the packet. The default setting is 32. Beginning in privileged EXEC mode, follow these steps to configure the maximum data retries:

Step    Command
        Purpose
Step 1  configure terminal
        Enter global configuration mode.
Setting the Root Parent Timeout Value

Use the parent timeout command to define the amount of time that a non-root bridge or workgroup bridge tries to associate with a parent access point. The command defines how long the bridge or workgroup bridge attempts to associate with a parent in the parent list. If an association is not made within the timeout value, another acceptable parent is used.
Performing a Carrier Busy Test

You can perform a carrier busy test to check the radio activity on the channels. During the carrier busy test, the WMIC drops all associations with wireless networking devices for around 4 seconds while it conducts the carrier test and then displays the test results.
CHAPTER 5
Configuring SSIDs

This chapter describes how to configure a service set identifier (SSID) on the WMIC.
Understanding SSIDs

The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple bridges on a network or sub-network can use the same SSID. SSIDs are case sensitive and can contain up to 32 alphanumeric characters. Do not include spaces in your SSID. The WMIC supports multiple SSIDs.
Creating an SSID

Beginning in privileged EXEC mode, follow these steps to create an SSID:

Step    Command
        Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface dot11radio 0
        Enter interface configuration mode for the radio interface.
Step 3  ssid ssid-string
        Create an SSID and enter SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.
CHAPTER 6
Configuring Spanning Tree Protocol

This chapter describes how to configure Spanning Tree Protocol (STP) on your WMIC. This chapter contains these sections:
• Understanding Spanning Tree Protocol
• Configuring STP Features
• Displaying Spanning-Tree Status

Note: For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Command Reference for Access Points and Bridges for this release.
Understanding Spanning Tree Protocol

This section describes how spanning-tree features work.
The bridge maintains a separate spanning-tree instance for each active VLAN configured on it. A bridge ID, consisting of the bridge priority and the MAC address, is associated with each instance. For each VLAN, the bridge with the lowest bridge ID becomes the spanning-tree root for that VLAN.

Bridge Interoperability

Cisco bridges are interoperable when STP is enabled and no VLANs are configured.
If a bridge receives a configuration BPDU that contains inferior information to that currently stored for that port, it discards the BPDU. If the bridge is a designated bridge for the LAN from which the inferior BPDU was received, it sends that LAN a BPDU containing the up-to-date information stored for that port. In this way, inferior information is discarded, and superior information is propagated on the network.
Spanning-Tree Timers

Table 6-1 describes the timers that affect the entire spanning-tree performance.

Table 6-1 Spanning-Tree Timers

Variable              Description
Hello timer           Determines how often the bridge broadcasts hello messages to other bridges.
Forward-delay timer   Determines how long each of the listening and learning states last before the interface begins forwarding.
Spanning-Tree Interface States

Propagation delays can occur when protocol information passes through a wireless LAN. As a result, topology changes can take place at different times and at different places in the network. When an interface transitions directly from nonparticipation in the spanning-tree topology to the forwarding state, it can create temporary data loops.
When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process occurs:
1. The interface is in the listening state while spanning tree waits for protocol information to transition the interface to the blocking state.
2. While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer.
3.
Learning State

An interface in the learning state prepares to participate in frame forwarding. The interface enters the learning state from the listening state. An interface in the learning state performs as follows:
• Discards frames received on the port
• Learns addresses
• Receives BPDUs

Forwarding State

An interface in the forwarding state forwards frames.
Configuring STP Features

You complete three major steps to configure STP on the WMIC:
1. If necessary, assign interfaces and sub-interfaces to bridge groups
2. Enable STP for each bridge group
3.
Step    Command
        Purpose
Step 3  bridge-group number
        Assign the interface to a bridge group. You can number your bridge groups from 1 to 255.
Step 4  no bridge-group number spanning-disabled
        Counteract the command that automatically disables STP for a bridge group. STP is enabled on the interface when you enter the bridge n protocol ieee command.
Step 5  exit
        Return to global configuration mode.
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
!
interface BVI1
 ip address 1.4.64.23 255.255.0.0
 no ip route-cache
!
ip default-gateway 1.4.0.
bridge 1 protocol ieee
bridge 1 route ip
bridge 1 priority 10000
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end

Root Bridge with VLANs

This example shows the configuration of a root bridge with VLANs configured with STP enabled:

hostname master-bridge-hq
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid vlan1
    vlan 1
    infrastruct
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
!
interface BVI1
 ip address 1.4.64.23 255.255.0.0
 no ip route-cache
!
ip default-gateway 1.4.0.
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 no cdp enable
 bridge-group 3
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.
Displaying Spanning-Tree Status

To display the spanning-tree status, use one or more of the privileged EXEC commands in Table 6-3:

Table 6-3 Commands for Displaying Spanning-Tree Status

Command                            Purpose
show spanning-tree                 Displays information on your network’s spanning tree.
show spanning-tree blocked-ports   Displays a list of blocked ports on this device.
CHAPTER 7
Configuring WEP and WEP Features

This chapter describes how to configure Wired Equivalent Privacy (WEP), Message Integrity Check (MIC), and Temporal Key Integrity Protocol (TKIP).
Understanding WEP

Just as anyone within range of a radio station can tune to the station's frequency and listen to the signal, any wireless networking device within range of a bridge can receive the bridge's radio transmissions. Because WEP is the first line of defense against intruders, Cisco recommends that you use full encryption on your wireless network.
Configuring Cipher Suites and WEP

These sections describe how to configure cipher suites, WEP and additional WEP features such as MIC and TKIP:
• Creating WEP Keys
• Enabling Cipher Suites and WEP

WEP, TKIP, and MIC are disabled by default.
WEP Key Restrictions

Table 7-1 lists WEP key restrictions based on your security configuration.
Enabling Cipher Suites and WEP

Beginning in privileged EXEC mode, follow these steps to enable a cipher suite:

Step    Command
        Purpose
Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface dot11radio 0
        Enter interface configuration mode for the radio interface.
Matching Cipher Suites with WPA

If you configure your bridges to use WPA or CCKM authenticated key management, you must select a cipher suite compatible with the authenticated key management type. Table 7-3 lists the cipher suites that are compatible with WPA and CCKM.
CHAPTER 8
Configuring Authentication Types

This chapter describes how to configure authentication types on the WMIC.
Understanding Authentication Types

This section describes the authentication types that you can configure on the WMIC. The authentication types are tied to the SSID that you configure on the WMIC. Before wireless devices can communicate, they must authenticate to each other using open or shared-key authentication.
Both the unencrypted challenge and the encrypted challenge can be monitored, however, which leaves the root bridge open to attack from an intruder who calculates the WEP key by comparing the unencrypted and encrypted text strings. Figure 8-2 shows the authentication sequence between a device trying to authenticate and a bridge using shared key authentication.
[Figure 8-3: Sequence for EAP Authentication. Diagram of the message exchange between the non-root bridge, the root bridge, and the authentication server.]
Using CCKM for Authenticated Bridges

Using Cisco Centralized Key Management (CCKM), authenticated non-root bridges can roam from one root bridge to another without any perceptible delay during reassociation. An access point or switch on your network provides Wireless Domain Services (WDS) and creates a cache of security credentials for CCKM-enabled bridges on the subnet.
Default Authentication Settings

The default SSID on the WMIC is autoinstall. Table 8-1 shows the default authentication settings for the default SSID:

Table 8-1 Default Authentication Configuration

Feature           Default Setting
SSID              autoinstall
Guest Mode SSID   autoinstall (The WMIC broadcasts this SSID in its beacon and allows bridges with no SSID to associate.
Step    Command
        Purpose
Step 6  authentication network-eap list-name
        (Optional) Set the authentication type for the SSID to use LEAP for authentication and key distribution. Cisco bridges only support LEAP, while other wireless clients may support other EAP methods such as EAP, PEAP, or TLS.
Step 7  authentication key-management {[wpa] [cckm]} [optional]
        (Optional) Set the authentication type for the SSID to WPA, CCKM, or both.
The configuration on non-root bridges associated to this bridge would also contain these commands:

bridge(config)# interface dot11radio 0
bridge(config-if)# ssid bridgeman
bridge(config-ssid)# authentication client username bridge7 password catch22
bridge(config-ssid)# authentication open eap adam

This example sets the authentication type for the SSID bridget to network EAP with a static WEP key.
Configuring Additional WPA Settings

Use two optional settings to configure a pre-shared key on the bridge and adjust the frequency of group key updates.

Setting a Pre-Shared Key

To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must configure a pre-shared key on the bridge. You can enter the pre-shared key as ASCII or hexadecimal characters.
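How the two key forms relate, as an added example (not from the Cisco guide): under the standard WPA passphrase mapping, an ASCII pre-shared key of 8 to 63 characters is expanded with the SSID into the 256-bit key that a 64-digit hexadecimal entry supplies directly. That the WMIC follows this standard mapping, the hex keyword, and the helper names are assumptions; the sample values are the SSID batman and key batmobile65 from this guide's own wpa-psk example.

```python
"""WPA pre-shared key handling for 'wpa-psk {ascii | hex} key' lines (added example)."""
import hashlib
import string

PMK_LEN = 32          # WPA pairwise master key: 256 bits
PBKDF2_ROUNDS = 4096  # iteration count fixed by the WPA passphrase mapping


def parse_wpa_psk(line):
    """Return (kind, key) from a 'wpa-psk {ascii | hex} key' command line."""
    tokens = line.strip().split(None, 2)
    if len(tokens) != 3 or tokens[0] != "wpa-psk" or tokens[1] not in ("ascii", "hex"):
        raise ValueError(f"not a wpa-psk line: {line!r}")
    return tokens[1], tokens[2]


def pmk_from_psk(kind, key, ssid):
    """Validate a pre-shared key and return the 32-byte key it stands for.

    hex:   exactly 64 hexadecimal digits, used as the key itself.
    ascii: 8 to 63 printable ASCII characters, expanded with
           PBKDF2-HMAC-SHA1 using the SSID as salt.
    """
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if kind == "hex":
        if len(key) != 64 or any(c not in string.hexdigits for c in key):
            raise ValueError("hexadecimal key must be exactly 64 hex digits")
        return bytes.fromhex(key)
    if kind == "ascii":
        if not 8 <= len(key) <= 63:
            raise ValueError("ASCII key must be 8 to 63 characters")
        if any(not 32 <= ord(c) <= 126 for c in key):
            raise ValueError("ASCII key must use printable ASCII only")
        return hashlib.pbkdf2_hmac(
            "sha1", key.encode("ascii"), ssid_bytes, PBKDF2_ROUNDS, PMK_LEN
        )
    raise ValueError(f"unknown key type: {kind!r}")


def bridges_agree(root, non_root):
    """Each argument is (ssid, wpa-psk line); True if both derive the same key."""
    keys = [pmk_from_psk(*parse_wpa_psk(line), ssid) for ssid, line in (root, non_root)]
    return keys[0] == keys[1]


if __name__ == "__main__":
    # Values taken from the guide's example: SSID batman, key batmobile65.
    pmk = pmk_from_psk("ascii", "batmobile65", "batman")
    print("derived key length:", len(pmk), "bytes")
    # The expanded key entered as hex on the peer matches the ASCII form.
    print("ascii vs hex form agree:",
          bridges_agree(("batman", "wpa-psk ascii batmobile65"),
                        ("batman", "wpa-psk hex " + pmk.hex())))
    # The SSID is the salt, so the same passphrase under another SSID differs.
    print("same passphrase, other SSID agree:",
          bridges_agree(("batman", "wpa-psk ascii batmobile65"),
                        ("robin", "wpa-psk ascii batmobile65")))
```

Because the SSID salts the expansion, renaming an SSID changes the derived key even when the ASCII passphrase stays the same, while a hexadecimal key is used as entered.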
bridge(config-if)# ssid batman
bridge(config-ssid)# wpa-psk ascii batmobile65
bridge(config-ssid)# end

Configuring Authentication Holdoffs, Timeouts, and Intervals

Beginning in privileged EXEC mode, follow these steps to configure holdoff times, reauthentication periods, and authentication timeouts for non-root bridges authenticating through your root bridge:

Command and Purpose

Step 1  configure terminal
        Enter global configurati
Chapter 8 Configuring Authentication Types Matching Authentication Types on Root and Non-Root Bridges

Beginning in Privileged Exec mode, follow these instructions to set up the non-root bridge as a LEAP client:

Command and Purpose

Step 1  configure terminal
        Enter global configuration mode.
Step 2  interface dot11radio 0
        Enter interface configuration mode for the radio interface.
Step 3  ssid ssid-string
        Create an SSID and enter SSID configuration mode for the new SSID.
Table 8-2 Client and Bridge Security Settings (continued)

Security Feature: CCKM key management
  Non-Root Bridge Setting: Set up and enable WEP and enable CCKM authentication
  Root Bridge Setting: Set up and enable WEP and enable CCKM authentication, configure the root bridge to interact with your WDS device, and add the root bridge to your authentication server as a client device

Security Feature: WPA key management
  S
Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio Management

This chapter describes how to configure access points for wireless domain services (WDS), fast, secure roaming of client devices, and radio management.
Understanding WDS

The following sections describe WDS, although the WMIC cannot be configured as a WDS server, even when it is configured as an access point. However, when configured as an access point, the WMIC can use a WDS server and can act as a WDS authenticator (client).
Understanding Fast Secure Roaming

Access points in many wireless LANs serve mobile client devices that roam from access point to access point throughout the installation. Some applications running on client devices require fast reassociation when they roam to a different access point. Voice applications, for example, require seamless roaming to prevent delays and gaps in conversation.
Chapter 9 Configuring WDS, Fast Secure Roaming, and Radio Management Understanding Radio Management

Figure 9-2 Client Reassociation Using CCKM and a WDS Access Point
[Figure labels: wired LAN, access point, WDS device (router/switch/AP), authentication server, roaming client device; messages shown: reassociation request, pre-registration request, pre-registration reply, reassociation response]

The WDS access point maintains a cache of credentials for CCKM-capable client devices on your wireless LAN.
Configuring WDS and Fast Secure Roaming

This section describes how to configure WDS and fast, secure roaming on your wireless LAN.
Also, to configure an access point to use a WDS access point, the access point must be configured for an encryption cipher and authentication methods. For example:

encryption mode ciphers ckip-cmic
!
ssid kin_leap
 authentication network-eap eap_methods
 authentication key-management cckm

Refer to the “Configuring Authentication Types” chapter for more information.
Figure 9-4 Add AAA Client Page

Step 3  In the AAA Client Hostname field, enter the name of the WDS access point.
Step 4  In the AAA Client IP Address field, enter the IP address of the WDS access point.
Step 5  In the Key field, enter exactly the same password that is configured on the WDS access point.
Step 6  From the Authenticate Using drop-down menu, select RADIUS.
Step 7  Click Submit.
Figure 9-5 User Setup Page

Step 10  Enter the name of the access point in the User field.
Step 11  Click Add/Edit.
Step 12  Scroll down to the User Setup box. Figure 9-6 shows the User Setup box.
Step 13  Select CiscoSecure Database from the Password Authentication drop-down menu.
Step 14  In the Password and Confirm Password fields, enter exactly the same password that you entered on the access point on the Wireless Services AP page.
Step 15  Click Submit.
Step 16  Repeat Step 10 through Step 15 for each access point that uses the WDS access point.
where is

CLI Commands to Enable the Root Device

The following CLI commands are required to enable the root device to communicate with the Central WDS server. The no form disables the WDS server. This configuration also allows the root device to authenticate with a per-subnet WDS server if the Central WDS server fails.
dot11 interface speed Command

The dot11 interface speed command supports only 4.9-GHz data rates. The configured spacing has precedence over the default spacing. For example, if 5-MHz spacing is configured, only data rates corresponding to 5-MHz spacing can be specified in the speed command.
Table 9-1 Default Rates, Best Range Rates and Best Throughput Rates

Rates for Best Range: basic-1.5, 2.25, 3.0, 4.5, 6.0, 9.0, 12.0, 13.5
Rates for Best Range: basic-3.0, 4.5, 6.0, 9.0, 12.0, 18.0, 24.0, 27.0
Rates for Best Throughput: basic-1.5, basic-2.25, basic-3.0, basic-4.5, basic-6.0, basic-9.0, basic-12.0, basic-13.5
Rates for Best Throughput: basic-3.0, basic-4.5, basic-6.0, basic-9.
Using Debug Messages

In privileged exec mode, use these debug commands to control the display of debug messages for devices interacting with the WDS access point:

Command: debug wlccp ap { mn | mobility | rm | state | wds-discovery }
Description: Use this command to turn on display of debug messages related to client devices (mn), the WDS discovery process, and access point authentication to the WD
Chapter 10 Configuring VLANs

This chapter describes how to configure your WMIC to operate with the VLANs set up on your wired LAN.
Understanding VLANs

A VLAN is a switched network that is logically segmented by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or the fact that they might be intermingled with other teams.
Figure 10-1 Bridges Connecting LAN Segments Using VLANs
[Figure labels: VLAN 1, VLAN 2, VLAN 3, Catalyst VLAN switches, PCs, non-root bridge]
Chapter 10 Configuring VLANs Configuring VLANs

Incorporating Wireless Bridges into VLANs

The basic wireless components of a VLAN consist of two or more bridges communicating using wireless technology. The WMIC is physically connected through a trunk port to the network VLAN switch on which the VLAN is configured. The physical connection to the VLAN switch is through the WMIC’s Ethernet port.
Command and Purpose

Step 4  bridge-group number
        Assign the subinterface to a bridge group. You can number your bridge groups from 1 to 255.
        Note: When you enter the bridge-group command, the WMIC enables the subinterface to be ready to participate in STP when you enter the bridge n protocol ieee command. See Chapter 6, “Configuring Spanning Tree Protocol,” for complete instructions on enabling STP on the WMIC.
Command and Purpose

Step 14  encryption [vlan vlan-id] mode wep {optional [key-hash] | mandatory [mic] [key-hash]}
         (Optional) Enable WEP and WEP features on the native VLAN.
         • (Optional) Select the VLAN for which you want to enable WEP and WEP features.
         • Set the WEP level and enable TKIP and MIC. If you enter optional, another bridge can associate to the WMIC with or without WEP enabled.
Viewing VLANs Configured on the WMIC

In privileged EXEC mode, use the show vlan command to view the VLANs that the WMIC supports. This is sample output from a show vlan command:

Virtual LAN ID: 1 (IEEE 802.
Chapter 11 Configuring QoS in a Wireless Environment

This chapter describes how to configure quality of service (QoS) on your WMIC. With this feature, you can provide preferential treatment to certain traffic at the expense of others. Without QoS, the WMIC offers best-effort service to each packet, regardless of the packet contents or size. It sends the packets without any assurance of reliability, delay bounds, or throughput.
Understanding QoS for Wireless LANs

Typically, networks operate on a best-effort delivery basis, which means that all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped.
Chapter 11 Configuring QoS in a Wireless Environment Configuring QoS

QoS on the wireless LAN focuses on downstream prioritization from the WMIC. These are the effects of QoS on network traffic:

• The radio downstream flow is traffic transmitted out the WMIC radio to another bridge. This traffic is the main focus for QoS on a wireless LAN.
• The radio upstream flow is traffic received on the WMIC radio from another bridge. QoS for wireless LAN does not affect this traffic.
Configuration Guidelines

Before configuring QoS on your WMIC, you should be aware of this information:

• The most important guideline in QoS deployment is to be familiar with the traffic on your wireless LAN. If you know the applications used by wireless client devices, the applications’ sensitivity to delay, and the amount of traffic associated with the applications, you can configure QoS to improve performance.
Figure 11-1 QoS Policies Page

Step 3  With selected in the Create/Edit Policy field, type a name for the QoS policy in the Policy Name entry field. The name can contain up to 25 alphanumeric characters. Do not include spaces in the policy name.
• Background (1)
• Spare (2)
• Excellent (3)
• Control Lead (4)
• Video <100ms Latency (5)
• Voice <10ms Latency (6)
• Network Control (7)

Step 6  Click the Add button beside the Class of Service menu for IP Precedence. The classification appears in the Classifications field. To delete a classification, select it and click the Delete button beside the Classifications field.
Step 10  If you need to assign a priority to filtered packets, use the Filter drop-down menu to select a Filter to include in the policy. (If no filters are defined on the WMIC, a link to the Apply Filters page appears instead of the Filter drop-down menu.) For example, you could assign a high priority to a MAC address filter that includes the MAC addresses of IP phones.
Table 11-1 Default QoS Radio Traffic Class Definitions

Class of Service      Min Contention Window  Max Contention Window  Fixed Slot Time
Background (CoS 1-2)  5                      10                     6
Best Effort (CoS 0)   5                      10                     2
Video (CoS 3-5)       5                      10                     2
Voice (CoS 6-7)       3                      4                      1

Figure 11-2 shows the Radio 802.11G Access Categories page.

Figure 11-2 Radio 802.
Chapter 11 Configuring QoS in a Wireless Environment QoS Configuration Examples

Table 11-2 CW-min and CW-max Settings for Point-to-Point and Point-to-Multipoint Bridge Links

Link Type                                                 CW-min  CW-max
Point-to-Point Links                                      3       10
Point-to-Multipoint Links with up to 5 Non-Root Bridges   4       10
Point-to-Multipoint Links with up to 10 Non-Root Bridges  5       10
Point-to-Multipoint Links with up to 17 Non-Root Bridges  6       10

Beginning in privileged EXEC mode, follow these steps to adjust the CW-min and CW-max s
Figure 11-3 QoS Policies Page for Voice Example

Giving Priority to Video Traffic

This section demonstrates how you could apply a QoS policy to a network dedicated to video traffic. In this example, the network administrator creates a policy named video_policy that applies video class of service to video traffic. The user applies the video_policy to the incoming and outgoing radio ports and to the outgoing Ethernet port.
Figure 11-4 QoS Policies Page for Video Example

QoS Example Configuration for VLAN

The example in this section queues all traffic from VLAN100 to the voice queue.

interface fastEthernet 0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface fastEthernet 0.100
 encapsulation dot1Q 100
 bridge-group 100
interface fastEthernet 0.
interface dot11Radio 0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface dot11Radio 0.100
 encapsulation dot1Q 100
 bridge-group 100
interface dot11Radio 0.
Chapter 12 Configuring Filters

This chapter describes how to configure and manage MAC address, IP, and Ethertype filters on the WMIC using the web-browser interface.
Understanding Filters

Protocol filters (IP protocol, IP port, and Ethertype) prevent or allow the use of specific protocols through the WMIC’s Ethernet and radio ports. You can set up individual protocol filters or sets of filters. You can filter protocols for wireless client devices, users on the wired LAN, or both.
Chapter 12 Configuring Filters Configuring Filters Using the Web-Browser Interface

Configuring and Enabling MAC Address Filters

MAC address filters allow or disallow the forwarding of unicast and multicast packets either sent from or addressed to specific MAC addresses. You can create a filter that passes traffic to all MAC addresses except those you specify, or you can create a filter that blocks traffic to all MAC addresses except those you specify.
Creating a MAC Address Filter

Follow these steps to create a MAC address filter:

Step 1  Follow the link path to the MAC Address Filters page.
Step 2  If you are creating a new MAC address filter, make sure (the default) is selected in the Create/Edit Filter Index menu. To edit a filter, select the filter number from the Create/Edit Filter Index menu.
Step 12  Select the filter number from one of the MAC drop-down menus. You can apply the filter to either or both the Ethernet and radio ports, and to either or both incoming and outgoing packets.
Step 13  Click Apply. The filter is enabled on the selected ports.
Follow this link path to reach the IP Filters page:

1. Click Services in the page navigation bar.
2. In the Services page list, click Filters.
3. On the Apply Filters page, click the IP Filters tab at the top of the page.

Creating an IP Filter

Follow these steps to create an IP filter:

Step 1  Follow the link path to the IP Filters page.
Step 13  Select Forward or Block from the Action menu.
Step 14  Click Add. The protocol appears in the Filters Classes field. To remove the protocol from the Filters Classes list, select it and click Delete Class. Repeat Step 12 to Step 14 to add protocols to the filter.
Step 15  When the filter is complete, click Apply. The filter is saved on the WMIC, but it is not enabled until you apply it on the Apply Filters page.
Figure 12-5 Ethertype Filters Page

Follow this link path to reach the Ethertype Filters page:

1. Click Services in the page navigation bar.
2. In the Services page list, click Filters.
3. On the Apply Filters page, click the Ethertype Filters tab at the top of the page.

Creating an Ethertype Filter

Follow these steps to create an Ethertype filter:

Step 1  Follow the link path to the Ethertype Filters page.
Step 9   Click Apply. The filter is saved on the WMIC, but it is not enabled until you apply it on the Apply Filters page.
Step 10  Click the Apply Filters tab to return to the Apply Filters page. Figure 12-6 shows the Apply Filters page.

Figure 12-6 Apply Filters Page

Step 11  Select the filter number from one of the Ethertype drop-down menus.
Chapter 13 Configuring CDP

This chapter describes how to configure Cisco Discovery Protocol (CDP) on your WMIC.
Understanding CDP

Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices. Information in CDP packets is used in network management software such as CiscoWorks2000. CDP is enabled on the WMIC’s Ethernet and radio ports by default.
Chapter 13 Configuring CDP Configuring CDP

Configuring the CDP Characteristics

You can configure the CDP holdtime (the number of seconds before the WMIC discards CDP packets) and the CDP timer (the number of seconds between the CDP packets that the WMIC sends).

Beginning in Privileged Exec mode, follow these steps to configure the CDP holdtime and CDP timer:

Command and Purpose

Step 1  configure terminal
        Enter global configuration mode.
Beginning in privileged EXEC mode, follow these steps to enable CDP:

Command and Purpose

Step 1  configure terminal
        Enter global configuration mode.
Step 2  cdp run
        Enable CDP after disabling it.
Step 3  end
        Return to privileged EXEC mode.

This example shows how to enable CDP.
Monitoring and Maintaining CDP

To monitor and maintain CDP on your device, perform one or more of these tasks, beginning in privileged EXEC mode.

Command             Description
clear cdp counters  Reset the traffic counters to zero.
clear cdp table     Delete the CDP table of information about neighbors.
show cdp            Display global information, such as frequency of transmissions and the holdtime for packets being sent.
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=0000000
0FFFFFFFF010221FF00000000000000024B293A00FF0000
VTP Management Domain: ''
Duplex: full
-------------------------
Device ID: idf2-1-lab-l3.cisco.com
Entry address(es):
  IP address: 10.1.1.
GigabitEthernet0/8 is up, line protocol is down
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds

bridge# show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID  Local Interface  Holdtme  Capability  Platform    Port ID
Perdido2   Gig 0/6          125      R S I       WS-C3550-1  Gig0/6
Perdido2   Gig 0/5          125      R S I       WS-C3550-1  Gig 0/5

bridge# show cdp traffic
CDP counters : Tot
Chapter 14 Configuring SNMP

This chapter describes how to configure the Simple Network Management Protocol (SNMP) on your WMIC.
Understanding SNMP

SNMP is an application-layer protocol that provides a message format for communication between SNMP managers and agents. The SNMP manager can be part of a network management system (NMS) such as CiscoWorks. The agent and management information base (MIB) reside on the WMIC. To configure SNMP on the WMIC, you define the relationship between the manager and the agent.
You must configure the SNMP agent to use the version of SNMP supported by the management station. An agent can communicate with multiple managers; therefore, you can configure the software to support communications with one management station using the SNMPv1 protocol and another using the SNMPv2 protocol.

SNMP Manager Functions

The SNMP manager uses information in the MIB to perform the operations described in Table 14-1.
SNMP Community Strings

SNMP community strings authenticate access to MIB objects and function as embedded passwords. In order for the NMS to access the WMIC, the community string definitions on the NMS must match at least one of the three community string definitions on the WMIC.
Configuring SNMP

This section describes how to configure SNMP on your WMIC.
Note: In the current IOS MIB agent implementation, the default community string is for the Internet MIB object sub-tree. Because IEEE802dot11 is under another branch of the MIB object tree, you must enable either a separate community string and view on the IEEE802dot11 MIB or a common view and community string on the ISO object in the MIB object tree. ISO is the common parent node of IEEE (IEEE802dot11) and Internet.
Command and Purpose

Step 3  access-list access-list-number {deny | permit} source [source-wildcard]
        (Optional) If you specified an IP standard access list number in Step 2, then create the list, repeating the command as many times as necessary.
        • For access-list-number, enter the access list number specified in Step 2.
        • The deny keyword denies access if the conditions are matched. The permit keyword permits access if the conditions are matched.
Table 14-3 Notification Types

Notification Type  Description
authenticate-fail  Enable traps for authentication failures.
config             Enable traps for SNMP configuration changes.
deauthenticate     Enable traps for client device deauthentications.
disassociate       Enable traps for client device disassociations.
dot11-qos          Enable traps for QoS changes.
entity             Enable traps for SNMP entity changes.
Beginning in privileged EXEC mode, follow these steps to configure the WMIC to send traps to a host:

Command and Purpose

Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server host host-addr {traps | informs} {version {1 | 2c}} community-string notification-type
        Specify the recipient of the trap message.
        • For host-addr, specify the name or address of the host (the targeted recipient).
Setting the Agent Contact and Location Information

Beginning in privileged EXEC mode, follow these steps to set the system contact and location of the SNMP agent so that these descriptions can be accessed through the configuration file:

Command and Purpose

Step 1  configure terminal
        Enter global configuration mode.
Step 2  snmp-server contact text
        Set the system contact string. For example:
        snmp-server contact Dial System Operator at beeper 21555.
Chapter 14 Configuring SNMP Displaying SNMP Status

This example shows how to permit any SNMP manager to access all objects with read-only permission using the community string public. The WMIC also sends config traps to the hosts 192.180.1.111 and 192.180.1.33 using SNMPv1 and to the host 192.180.1.27 using SNMPv2C. The community string public is sent with the traps.
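Because a community string works as an embedded password and is sent with every trap, a configuration like the one described above is worth reviewing before deployment. The following is an added example, not Cisco code, that audits snmp-server and access-list lines for a well-known community string, a missing source access list, read-write access, and a trap string that doubles as a polling string. Both sample configurations are constructed for the example, and the EXAMPLE-... strings and access list number 4 are placeholders.

```python
import re

WELL_KNOWN = {"public", "private"}   # widely known default-style strings


def parse_snmp(config: str) -> dict:
    """Collect community, trap-host and standard access-list lines."""
    parsed = {"communities": [], "hosts": [], "acls": {}}
    for raw in config.splitlines():
        tok = re.sub(r"^\S+#\s*", "", raw.strip()).split()   # drop a CLI prompt
        if tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
            entry = {"string": tok[2], "mode": "ro", "acl": None}  # read-only by default
            opts = tok[3:]
            for i, opt in enumerate(opts):
                if opt in ("ro", "rw"):
                    entry["mode"] = opt
                elif opt.isdigit() and (i == 0 or opts[i - 1] != "view"):
                    entry["acl"] = opt
            parsed["communities"].append(entry)
        elif tok[:2] == ["snmp-server", "host"] and len(tok) >= 4:
            i = 3
            if tok[i] in ("traps", "informs"):
                i += 1
            version = "1"                                   # used when none is given
            if i + 1 < len(tok) and tok[i] == "version":
                version, i = tok[i + 1], i + 2
            if i < len(tok):
                parsed["hosts"].append(
                    {"addr": tok[2], "version": version, "community": tok[i]})
        elif tok[:1] == ["access-list"] and len(tok) >= 4:
            parsed["acls"].setdefault(tok[1], []).append(tuple(tok[2:5]))
    return parsed


def audit_snmp(config: str) -> list:
    """Return (finding, subject) pairs for the SNMP lines in a configuration."""
    parsed = parse_snmp(config)
    findings = []
    polling = {c["string"] for c in parsed["communities"]}
    for c in parsed["communities"]:
        if c["string"].lower() in WELL_KNOWN:
            findings.append(("well-known-community", c["string"]))
        if c["mode"] == "rw":
            findings.append(("read-write-community", c["string"]))
        rules = parsed["acls"].get(c["acl"])
        if c["acl"] is None:
            findings.append(("no-source-acl", c["string"]))   # any manager may poll
        elif rules is None:
            findings.append(("acl-not-defined", c["acl"]))
        elif any(r[0] == "permit" and
                 (r[1] == "any" or r[1:] == ("0.0.0.0", "255.255.255.255"))
                 for r in rules):
            findings.append(("acl-permits-any", c["acl"]))
    for h in parsed["hosts"]:
        # SNMPv1/v2c traps carry the string in clear text to the trap host.
        if h["community"] in polling:
            findings.append(("trap-string-is-polling-community", h["addr"]))
    return findings


# Constructed from the description above: read-only "public" for any manager,
# config traps to three hosts.
PAGE_STYLE_CONFIG = """\
bridge(config)# snmp-server community public
bridge(config)# snmp-server enable traps config
bridge(config)# snmp-server host 192.180.1.27 version 2c public
bridge(config)# snmp-server host 192.180.1.111 version 1 public
bridge(config)# snmp-server host 192.180.1.33 public
"""

# Constructed tightened variant; strings and ACL number are placeholders.
RESTRICTED_CONFIG = """\
access-list 4 permit 192.180.1.27
snmp-server community EXAMPLE-poll-string ro 4
snmp-server enable traps config
snmp-server host 192.180.1.27 version 2c EXAMPLE-trap-string config
"""

if __name__ == "__main__":
    for finding in audit_snmp(PAGE_STYLE_CONFIG):
        print(finding)
```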
Chapter 15 Managing Firmware and Configurations

This chapter describes how to manipulate the Flash file system, how to copy configuration files, and how to archive (upload and download) software images.
Working with the Flash File System

The Flash file system on your WMIC provides several commands to help you manage software image and configuration files. The Flash file system is a single Flash device on which you can store files. This Flash device is called flash:.
Table 15-1 show file systems Field Descriptions (continued)

Field: Type
Value: Type of file system.
  flash—The file system is for a Flash memory device.
  network—The file system is for a network device.
  nvram—The file system is for a nonvolatile RAM (NVRAM) device.
  opaque—The file system is a locally generated pseudo file system (for example, the system) or a download interface, such as brimux.
To display information about files on a file system, use one of the privileged EXEC commands in Table 15-2:

Table 15-2 Commands for Displaying Information About Files

Command                              Description
dir [/all] [filesystem:][filename]   Display a list of files on a file system.
show file systems                    Display more information about each of the files on a file system.
Use the /recursive keyword to delete the named directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.
Use the /recursive keyword for deleting a directory and all subdirectories and the files contained in it. Use the /force keyword to suppress the prompting that confirms a deletion of each file in the directory. You are prompted only once at the beginning of this deletion process.
Displaying the Contents of a tar File

To display the contents of a tar file on the screen, use this privileged EXEC command:

archive tar /table source-url

For source-url, specify the source URL alias for the local or network file system.
Chapter 15 Managing Firmware and Configurations Working with Configuration Files

The tar-filename.tar is the tar file from which to extract files. For flash:/file-url, specify the location on the local Flash file system into which the tar file is extracted. You can also specify an optional list of files or directories within the tar file for extraction. If none are specified, all files and directories are extracted.
This section includes this information:

• Guidelines for Creating and Using Configuration Files
• Configuration File Types and Location
• Creating a Configuration File by Using a Text Editor
• Copying Configuration Files by Using TFTP
• Copying Configuration Files by Using FTP
• Copying Configuration Files by Using RCP
• Clearing Configuration
Creating a Configuration File by Using a Text Editor

When creating a configuration file, you must list commands logically so that the system can respond appropriately. This is one method of creating a configuration file:

Step 1  Copy an existing configuration from a WMIC to a server.
• Ensure that the configuration file to be downloaded is in the correct directory on the TFTP server (usually /tftpboot on a UNIX workstation).
• For download operations, ensure that the permissions on the file are set correctly. The permission on the file should be world-read.
• Before uploading the configuration file, you might need to create an empty file on the TFTP server.
Use one of these privileged EXEC commands:

• copy system:running-config tftp:[[[//location]/directory]/filename]
• copy nvram:startup-config tftp:[[[//location]/directory]/filename]

The file is uploaded to the TFTP server.

This example shows how to upload a configuration file from a WMIC to a TFTP server:

bridge# copy system:running-config tftp://172.16.2.155/tokyo-config
Write file tokyo-confg on host 172.16.2.
Preparing to Download or Upload a Configuration File by Using FTP

Before you begin downloading or uploading a configuration file by using FTP, perform these tasks:

• Ensure that the WMIC has a route to the FTP server. The WMIC and the FTP server must be in the same subnetwork if you do not have a router to route traffic between subnets. Check connectivity to the FTP server by using the ping command.
Connected to 172.16.101.101
Loading 1112 byte file host1-confg:![OK]
bridge#
%SYS-5-CONFIG: Configured from host1-config by ftp from 172.16.101.101

This example shows how to specify a remote username of netadmin1. The software copies the configuration file host2-confg from the netadmin1 directory on the remote server with an IP address of 172.16.101.101 to the WMIC startup configuration.
Building configuration...[OK]
Connected to 172.16.101.101
bridge#

This example shows how to store a startup configuration file on a server by using FTP to copy the file:

bridge# configure terminal
bridge(config)# ip ftp username netadmin2
bridge(config)# ip ftp password mypass
bridge(config)# end
bridge# copy nvram:startup-config ftp:
Remote host[]? 172.16.101.
Preparing to Download or Upload a Configuration File by Using RCP

Before you begin downloading or uploading a configuration file by using RCP, perform these tasks:

• Ensure that the workstation acting as the RCP server supports the remote shell (rsh).
• Ensure that the WMIC has a route to the RCP server. The WMIC and the server must be in the same subnetwork if you do not have a router to route traffic between subnets.
Step 5
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 6
  Command: copy rcp:[[[//[username@]location]/directory]/filename] system:running-config
  Purpose: Using RCP, copy the configuration file from a network server to the running configuration or to the startup configuration file.
Step 5
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 6
  Command: copy system:running-config rcp:[[[//[username@]location]/directory]/filename]
  Purpose: Using RCP, copy the configuration file from a WMIC running or startup configuration file to a network server.
Working with Software Images

This section describes how to archive (download and upload) software image files, which contain the system software, IOS code, radio firmware, and the web management HTML files. You download a WMIC image file from a TFTP, FTP, or RCP server to upgrade the WMIC software. You upload a WMIC image file to a TFTP, FTP, or RCP server for backup purposes.
The info.ver file is always at the end of the tar file and contains the same information as the info file. Because it is the last file in the tar file, its existence means that all files in the image have been downloaded.

Note The tar file sometimes ends with an extension other than .tar.

Copying Image Files by Using TFTP

You can download a WMIC image from a TFTP server or upload the image from the WMIC to a TFTP server.
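The info.ver rule stated earlier in this section (it is the last member of the tar file and repeats the info file) can be checked on the file server before an image is offered to a WMIC. The following Python check is an added example, not code from this guide or from Cisco; the function names are hypothetical, the sample archive is constructed, and matching members by base name is an assumption.

```python
import io
import tarfile
from typing import List


def check_image_tar(data: bytes) -> List[str]:
    """Return a list of problems; an empty list means the archive looks complete."""
    problems: List[str] = []
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
            files = [m for m in tar.getmembers() if m.isfile()]
            if not files:
                return ["archive contains no files"]
            # Assumption: members are matched by base name, whatever their directory.
            by_base = {m.name.rsplit("/", 1)[-1]: m for m in files}
            last = files[-1].name
            if last.rsplit("/", 1)[-1] != "info.ver":
                problems.append(
                    f"last member is {last!r}, not info.ver: archive incomplete")
            info, ver = by_base.get("info"), by_base.get("info.ver")
            if info is None:
                problems.append("no info member")
            if info is not None and ver is not None:
                if tar.extractfile(info).read() != tar.extractfile(ver).read():
                    problems.append("info.ver does not match info")
    except tarfile.TarError as exc:
        # Raised for non-tar input and for archives cut off inside a member.
        problems.append(f"unreadable tar archive: {exc}")
    return problems


def build_sample(info_ver: bytes = b"version: constructed-1\n") -> bytes:
    """Constructed stand-in for an image tar (not a real WMIC image)."""
    entries = [
        ("info", b"version: constructed-1\n"),
        ("example-image/example-image.bin", b"\x00" * 2048),
        ("example-image/html/index.htm", b"<html></html>"),
        ("info.ver", info_ver),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in entries:
            ti = tarfile.TarInfo(name)
            ti.size = len(body)
            tar.addfile(ti, io.BytesIO(body))
    return buf.getvalue()


def truncate_before(data: bytes, member: str) -> bytes:
    """Cut the archive where `member` starts, as an interrupted transfer would."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return data[: tar.getmember(member).offset]


if __name__ == "__main__":
    full = build_sample()
    print("complete :", check_image_tar(full))
    print("cut short:", check_image_tar(truncate_before(full, "info.ver")))
    print("mismatch :", check_image_tar(build_sample(b"version: other\n")))
```

This check detects truncation and inconsistency only; it does not authenticate the image.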
• During upload operations, if you are overwriting an existing file (including an empty file, if you had to create one) on the server, ensure that the permissions on the file are set correctly. Permissions on the file should be world-write.

Downloading an Image File by Using TFTP

You can download a new image file and replace the current image or keep the current image.
The download algorithm verifies that the image is appropriate for the WMIC model and that enough DRAM is present, or it aborts the process and reports an error. If you specify the /overwrite option, the download algorithm removes the existing image on the Flash device whether or not it is the same as the new one, downloads the new image, and then reloads the software.
Copying Image Files by Using FTP

You can download a WMIC image from an FTP server or upload the image from the WMIC to an FTP server. You download a WMIC image file from a server to upgrade the WMIC software. You can overwrite the current image with the new one or keep the current image after a download. You upload a WMIC image file to a server for backup purposes.
• If you are accessing the WMIC through a Telnet session and you do not have a valid username, make sure that the current FTP username is the one that you want to use for the FTP download. You can enter the show users privileged EXEC command to view the valid username. If you do not want to use this username, create a new FTP username by using the ip ftp username username global configuration command.
Step 7
  Command: archive download-sw /overwrite /reload ftp:[[//username[:password]@location]/directory]/image-name.tar
  Purpose: Download the image file from the FTP server to the WMIC, and overwrite the current image.
  • The /overwrite option overwrites the software image in Flash with the downloaded image.
Step 8
If you specify the /leave-old-sw option, the existing files are not removed. If there is not enough space to install the new image and keep the running image, the download process stops, and an error message is displayed.

The algorithm installs the downloaded image onto the system board Flash device (flash:).
Step 6
  Command: end
  Purpose: Return to privileged EXEC mode.
Step 7
  Command: archive upload-sw ftp:[[//[username[:password]@]location]/directory]/image-name.tar
  Purpose: Upload the currently running WMIC image to the FTP server.
  • For //username:password, specify the username and password. These must be associated with an account on the FTP server.
RCP requires a client to send a remote username on each RCP request to a server. When you copy an image from the WMIC to a server by using RCP, the Cisco IOS software sends the first valid username in this list:
• The username specified in the archive download-sw or archive upload-sw privileged EXEC command if a username is specified.
Downloading an Image File by Using RCP

You can download a new image file and replace or keep the current image.

Caution For the download and upload algorithms to operate properly, do not rename image directories.

Beginning in privileged EXEC mode, follow Steps 1 through 6 to download a new image from an RCP server and overwrite the existing image. To keep the current image, skip Step 6.
Step 7
  Command: archive download-sw /leave-old-sw /reload rcp:[[[//[username@]location]/directory]/image-name.tar]
  Purpose: Download the image file from the RCP server to the WMIC, and keep the current image.
  Note
  • The /leave-old-sw option keeps the old software version after a download.
  • The /reload option reloads the system after downloading the image unless the configuration has been changed and not saved.
Uploading an Image File by Using RCP

You can upload an image from the WMIC to an RCP server. You can later download this image to the same WMIC or to another WMIC of the same type.

Caution For the download and upload algorithms to operate properly, do not rename image directories.
Reloading the Image Using the Web Browser Interface

You can also use the Web browser interface to reload the WMIC image file. The Web browser interface supports loading the image file using HTTP or TFTP interfaces.

Note Your WMIC configuration is not changed when using the browser to reload the image file.
Step 9 Click the Upgrade button.

For additional information, click the Help icon on the Software Upgrade screen.
Cisco 3200 Series Wireless MIC Software Configuration Guide, OL-7734-02
CHAPTER 16
Configuring System Message Logging

This chapter describes how to configure system message logging on your WMIC.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.
Understanding System Message Logging

By default, devices send the output from system messages and debug privileged EXEC commands to a logging process. The logging process controls the distribution of logging messages to various destinations, such as the logging buffer, terminal lines, or a UNIX syslog server, depending on your configuration. The process also sends messages to the console.
Table 16-1 describes the elements of syslog messages.

Table 16-1 System Log Message Elements

Element: seq no:
Description: Stamps log messages with a sequence number only if the service sequence-numbers global configuration command is configured. For more information, see the “Enabling and Disabling Sequence Numbers in Log Messages” section on page 16-6.

Date and time of the message or event.
82e8 Associated KEY_MGMT[NONE]
*Mar 1 23:48:16.986: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0002.8a29.82e8 Reason: Previous authentication no longer valid

Default System Message Logging Configuration

Table 16-2 shows the default system message logging configuration.
The logging synchronous global configuration command also affects the display of messages to the console. When this command is enabled, messages appear only after you press Return. For more information, see the “Enabling and Disabling Timestamps on Log Messages” section on page 16-6.

To re-enable message logging after it has been disabled, use the logging on global configuration command.
Enabling and Disabling Timestamps on Log Messages

By default, log messages are not timestamped.

Beginning in privileged EXEC mode, follow these steps to enable timestamping of log messages:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: service timestamps log uptime
  Purpose: Enable log timestamps.
This example shows part of a logging display with sequence numbers enabled:

000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)

Defining the Message Severity Level

You can limit messages displayed to the selected device by specifying the severity level of the message. The severity levels are described in Table 16-3.
Table 16-3 describes the level keywords. It also lists the corresponding UNIX syslog definitions from the most severe level to the least severe level.
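On the syslog server, the message elements and severity levels described in this chapter can be parsed and filtered mechanically. The following Python parser is an added example, not code from this guide or from Cisco; the function names are hypothetical, the level keyword order is the standard IOS one, and the sample lines combine messages shown in this guide with constructed ones (the LINK line, and the sequence numbers 17, 20 and 24).

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Level keywords by numeric severity, 0 (most severe) to 7 (least severe).
LEVELS = ("emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging")

LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"      # present with service sequence-numbers
    r"(?:(?P<ts>[^%]+?):\s+)?"     # present with service timestamps log
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class IosMessage(NamedTuple):
    seq: Optional[int]
    timestamp: Optional[str]
    clock_unsynced: bool   # IOS marks such timestamps with a leading '*' or '.'
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse(line: str) -> Optional[IosMessage]:
    """Parse one system message; return None when the line does not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = m.group("ts")
    return IosMessage(
        seq=int(m.group("seq")) if m.group("seq") else None,
        timestamp=ts.lstrip("*.") if ts else None,
        clock_unsynced=bool(ts) and ts[0] in "*.",
        facility=m.group("facility"),
        severity=int(m.group("sev")),
        mnemonic=m.group("mnemonic"),
        text=m.group("text"),
    )


def at_level(msgs: Iterable[IosMessage], keyword: str) -> List[IosMessage]:
    """Keep what `logging trap <keyword>` forwards: that level and more severe."""
    limit = LEVELS.index(keyword)
    return [m for m in msgs if m.severity <= limit]


def seq_gaps(msgs: Iterable[IosMessage]) -> List[Tuple[int, int]]:
    """Ranges of sequence numbers that never arrived (lost or filtered)."""
    seqs = sorted(m.seq for m in msgs if m.seq is not None)
    return [(a + 1, b - 1) for a, b in zip(seqs, seqs[1:]) if b - a > 1]


def config_changes(msgs: Iterable[IosMessage]) -> List[Tuple[Optional[int], Optional[str]]]:
    """(sequence number, source address) for each SYS CONFIG* message."""
    out = []
    for m in msgs:
        if m.facility == "SYS" and m.mnemonic.startswith("CONFIG"):
            ips = IP_RE.findall(m.text)
            out.append((m.seq, ips[-1] if ips else None))
    return out


# Sample input: partly from this guide, partly constructed (see lead-in).
SAMPLE = [
    "000017: *Mar 1 23:48:16.986: %DOT11-6-DISASSOC: Interface Dot11Radio0, "
    "Deauthenticating Station 0002.8a29.82e8 Reason: Previous authentication no longer valid",
    "000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)",
    "000020: %SYS-5-CONFIG: Configured from host1-config by ftp from 172.16.101.101",
    "000024: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down",
    "SW_AUTO_UPGRADE-FATAL: Attempt to upgrade software failed",  # does not fit
]

if __name__ == "__main__":
    parsed = [m for m in map(parse, SAMPLE) if m is not None]
    print("errors and worse:", [m.mnemonic for m in at_level(parsed, "errors")])
    print("sequence gaps   :", seq_gaps(parsed))
    print("config changes  :", config_changes(parsed))
```

Lines that return None, such as the last sample line, should be kept and reviewed separately rather than dropped.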
Beginning in privileged EXEC mode, follow these steps to change the level and history table size defaults:

Step 1
  Command: configure terminal
  Purpose: Enter global configuration mode.
Step 2
  Command: logging history level
  Purpose: Change the default level of syslog messages stored in the history file and sent to the SNMP server. See Table 16-3 on page 16-8 for a list of level keywords.
Configuring UNIX Syslog Servers

The next sections describe how to configure the 4.3 BSD UNIX server syslog daemon and define the UNIX system logging facility.

Logging Messages to a UNIX Syslog Daemon

Before you can send system log messages to a UNIX syslog server, you must configure the syslog daemon on a UNIX server.
Step 3
  Command: logging trap level
  Purpose: Limit messages logged to the syslog servers. By default, syslog servers receive informational messages and lower. See Table 16-3 on page 16-8 for level keywords.
Step 4
  Command: logging facility facility-type
  Purpose: Configure the syslog facility. See Table 16-4 on page 16-11 for facility-type keywords. The default is local7.
Step 5
  Command: end
  Purpose: Return to privileged EXEC mode.
Displaying the Logging Configuration

To display the current logging configuration and the contents of the log buffer, use the show logging privileged EXEC command. For information about the fields in this display, refer to the Cisco IOS Configuration Fundamentals Command Reference for Release 12.2.

To display the logging history file, use the show logging history privileged EXEC command.
CHAPTER 17
Wireless Device Troubleshooting

This chapter provides troubleshooting procedures for basic problems with the wireless device. For the most up-to-date, detailed troubleshooting information, refer to the Cisco TAC website at the following URL (select Top Issues and then select Wireless Technologies): http://www.cisco.
Checking the LED Indicators

If your wireless device is not communicating, check the LED indicators to quickly assess the device status. The indicator signals on the wireless device have the following meanings (for additional details refer to Table 17-1):
• The Ethernet indicator signals traffic on the wired LAN.
Table 17-1 Indicator Signals (continued)

Message type: Operation Errors
  Ethernet indicator: –, Status indicator: Green, Radio indicator: Blinking amber. Meaning: Maximum retries or buffer full occurred on the radio.
  Ethernet indicator: Blinking amber, Status indicator: –, Radio indicator: –. Meaning: Transmit/receive Ethernet errors.
  Ethernet indicator: –, Status indicator: Blinking amber, Radio indicator: –. Meaning: General warning.
Message type: Configuration Reset
  Ethernet indicator: –, Status indicator: Amber, Radio indicator: –. Meaning: Resetting the configuration options to factory defaults.
Note The wireless device MAC address that appears on the Status page in the Aironet Client Utility (ACU) is the MAC address for the wireless device radio.

Resetting to the Default Configuration

If you forget the password that allows you to configure the wireless device, you may need to completely reset the configuration.
Using the CLI

Follow the steps below to delete the current configuration and return all wireless device settings to the factory defaults using the CLI.

Step 1 Open the CLI using a Telnet session or a connection to the wireless device console port.
Step 2 Reboot the wireless device by removing power from and reapplying power to the router.
Step 8 When IOS software is loaded, you can use the del privileged EXEC command to delete the config.old file from Flash.

ap# del flash:config.old
Delete filename [config.old]
Delete flash:config.old [confirm]
ap#

Reloading the Image

If the wireless device has a firmware failure, you must reload the image file using the Web browser interface.
Step 7 Click Upload.

For additional information, click the Help icon on the Software Upgrade screen.

Browser TFTP Interface

The TFTP interface allows you to use a TFTP server on a network device to load the wireless device image file. Follow the instructions below to use a TFTP server:

Step 1 Open your Internet browser. You must use Microsoft Internet Explorer (version 5.x or later) or Netscape Navigator (version 4.x).
Step 3 Let the wireless device boot until it begins to inflate the image. When you see these lines on the CLI, press Esc:

Loading "flash:/c350-k9w7-mx.v122_13_ja.20031010/c350-k9w7-mx.v122_13_ja.20031010" ...
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_last_flat.gif (318 bytes)
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_button_nth.gif (1177 bytes)
extracting c350-k9w7-mx.122-13.JA1/html/level1/images/apps_leftnav_dkgreen.gif (869 bytes)
-- MORE --

Note If you do not press the spacebar to continue, the process eventually times out and the wireless device stops inflating the image.

Step 8
Reloading the Bootloader Image

Follow this procedure to download the boot loader image to the device:

Step 1 Place the bootloader image in the proper directory on a TFTP server.
Step 2 Connect to the console.
Step 3 Enter the enable command to enter privileged mode.
APPENDIX A
Connecting to the Cisco 3200 Series Router and Using the Command-Line Interface

This chapter describes how to connect to the router and use the IOS command-line interface (CLI) that you can use to configure the WMIC.
Before You Start

Before you install the WMIC, make sure you are using a computer connected to the same network as the WMIC, and obtain the following information from your network administrator:
• A system name for the WMIC
• The case-sensitive wireless service set identifier (SSID) that your WMICs use
• If not connected to a DHCP server, a unique IP address for your WMIC (such as 172.17.255.
Assigning an IP Address

Assign the WMIC IP address by using one of the following methods:
• Use the ip address interface command to assign an IP address to the interface.
• Use a DHCP server (if available) to automatically assign an IP address.

The WMIC links to the network using a Bridge Group Virtual Interface (BVI) that it creates automatically.
IOS Command Modes

The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.

When you start a session on the WMIC, you begin in user mode, often called user EXEC mode.
Getting Help

You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command, as shown in Table A-2.

Table A-2 Help Summary

Command: help
Purpose: Obtains a brief description of the help system in any command mode.
Using no and default Forms of Commands

Most configuration commands also have a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface.
Changing the Command History Buffer Size

By default, the WMIC records ten command lines in its history buffer. Beginning in privileged EXEC mode, enter this command to change the number of command lines that the WMIC records during the current terminal session:

bridge# terminal history [size number-of-lines]

The range is from 0 to 256.
Using Editing Features

This section describes the editing features that can help you manipulate the command line.
Table A-5 Editing Commands Through Keystrokes (continued)

Capability: Delete entries if you make a mistake or change your mind.
  Keystroke: Delete or Backspace. Purpose: Erase the character to the left of the cursor.
  Keystroke: Ctrl-D. Purpose: Delete the character at the cursor.
Capability: Capitalize or lowercase words or capitalize a set of letters.
In this example, the access-list global configuration command entry extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left.
APPENDIX B
Channels and Antenna Settings

This appendix lists the IEEE 802.11g (2.4-GHz) channels, maximum power levels, and antenna gains supported by the world’s regulatory domains. The following topics are covered in this appendix:
• Channels
• Maximum Power Levels and Antenna Gains

See the “Configuring Radio Transmit Power” section in the “Configuring Radio Settings” chapter for instructions about how to change the radio output power.
Channels

This section describes the channels for 802.11b/g (2.4-GHz) and the 4.9-GHz bands.

IEEE 802.11g (2.4-GHz Band)

The channel identifiers, channel center frequencies, and regulatory domains of each IEEE 802.11g 22-MHz-wide channel are shown in Table B-1.

Table B-1 Note Channels for IEEE 802.
4.9-GHz Band

The channel identifiers, channel center frequencies, and channel width are shown in Table B-2.

Table B-2 Channels, Center Frequencies, and Channel Widths

Channel   Center Frequency   Channel Width
1         4940.5             not supported
2         4941.5             not supported
3         4942.5             5-MHz
4         4943.5             not supported
5         4944.5             not supported
6         4947.5             5-MHz
7         4952.5             5-MHz, 10-MHz, or 20-MHz
8         4957.5             5-MHz
9         4962.5             5-MHz or 10-MHz
10        4967.
Maximum Power Levels and Antenna Gains

IEEE 802.11g (2.4-GHz Band)

An improper combination of power level and antenna gain can result in equivalent isotropic radiated power (EIRP) above the amount allowed per regulatory domain. Table B-3 indicates the maximum power levels and antenna gains allowed for each IEEE 802.11g regulatory domain.
APPENDIX C
Protocol Filters

The tables in this appendix list some of the protocols that you can filter on the WMIC. The tables include:
• Table C-1, Ethertype Protocols
• Table C-2, IP Protocols
• Table C-3, IP Port Protocols

In each table, the Protocol column lists the protocol name, the Additional Identifier column lists other names for the same protocol, and the ISO Designator column lists the numeric designator for each protocol.
Table C-1 Ethertype Protocols

Protocol   Additional Identifier   ISO Designator
ARP — 0x0806
RARP — 0x8035
IP — 0x0800
Berkeley Trailer Negotiation — 0x1000
LAN Test — 0x0708
X.25 Level3 X.25 0x0805
Banyan — 0x0BAD
CDP — 0x2000
DEC XNS XNS 0x6000
DEC MOP Dump/Load — 0x6001
DEC MOP MOP 0x6002
DEC LAT LAT 0x6004
Ethertalk — 0x809B
Appletalk ARP Appletalk AARP 0x80F3
IPX 802.2 — 0x00E0
IPX 802.
Table C-2 IP Protocols

Protocol   Additional Identifier   ISO Designator
dummy — 0
Internet Control Message Protocol ICMP 1
Internet Group Management Protocol IGMP 2
Transmission Control Protocol TCP 6
Exterior Gateway Protocol EGP 8
PUP — 12
CHAOS — 16
User Datagram Protocol UDP 17
XNS-IDP IDP 22
ISO-TP4 TP4 29
ISO-CNLP CNLP 80
Banyan VINES VINES 83
Encapsulation Header encap_hdr 98
Spectralink Voice Protocol SVP Spectralink 119
raw —
Table C-3 IP Port Protocols

Protocol   Additional Identifier   ISO Designator
TCP port service multiplexer tcpmux 1
echo — 7
discard (9) — 9
systat (11) — 11
daytime (13) — 13
netstat (15) — 15
Quote of the Day qotd quote 17
Message Send Protocol msp 18
ttytst source chargen 19
FTP Data ftp-data 20
FTP Control (21) ftp 21
Secure Shell (22) ssh 22
Telnet — 23
Simple Mail Transport Protocol SMTP mail 25
time timserver 37
Resource Locat
Table C-3 IP Port Protocols (continued)

Protocol   Additional Identifier   ISO Designator
TSAP iso-tsap 102
CSO Name Server cso-ns csnet-ns 105
Remote Telnet rtelnet 107
Postoffice v2 POP2 POP v2 109
Postoffice v3 POP3 POP v3 110
Sun RPC sunrpc 111
tap ident authentication auth 113
sftp — 115
uucp-path — 117
Network News Transfer Protocol Network News readnews nntp 119
USENET News Transfer Protocol Network News readnews nntp 119
Network Time Pro
Table C-3 IP Port Protocols (continued)

Protocol   Additional Identifier   ISO Designator
SNMP Unix Multiplexer smux 199
AppleTalk Routing at-rtmp 201
AppleTalk name binding at-nbp 202
AppleTalk echo at-echo 204
AppleTalk Zone Information at-zis 206
NISO Z39.
APPENDIX D
Supported MIBs

This appendix lists the Simple Network Management Protocol (SNMP) Management Information Bases (MIBs) that the WMIC supports. The Cisco IOS SNMP agent supports both SNMPv1 and SNMPv2.
• CISCO-SYSLOG-EVENT-EXT-MIB
• CISCO-TC
• CISCO-TBRIDGE-DEV-IF-MIB
• CISCO-WLAN-VLAN-MIB
• ENTITY-MIB
• IANAifType-MIB
• IEEE802dot11-MIB
• IF-MIB
• INET-ADDRESS-MIB
• OLD-CISCO-SYS-MIB
• OLD-CISCO-SYSTEM-MIB
• OLD-CISCO-TS-MIB
• P-BRIDGE-MIB
• Q-BRIDGE-MIB
• RFC1213-MIB
• RFC1398-MIB
• SNMPv2-MIB
• SNMPv2-SMI
• SNMPv2-TC

Using FTP to Access the MIB Files

Follow these steps to obtain each MIB file by using F
APPENDIX E
Error and Event Messages

This appendix lists the CLI error and event messages. Table E-1 lists the errors and events and provides an explanation and recommended action for each message.

Table E-1 Error and Event Messages

Software Auto Upgrade Messages

Message: SW_AUTO_UPGRADE-FATAL: Attempt to upgrade software failed, software on Flash may be deleted. Please copy software into Flash.
Explanation: Auto upgrade of the software failed.
Table E-1 Error and Event Messages (continued)

Message: DOT11-3-RADIO_IF_LO: Interface [interface] Radio cannot lock IF freq
Explanation: The unit cannot lock the intermediate frequency.
Recommended Action: None.

Message: DOT11-3-RADIO_RF_LO: Interface [interface] Radio cannot lock RF freq
Explanation: The unit cannot lock the radio frequency.
Recommended Action: None.

DOT11-3-RF_LOOPBACK_FAILURE: Radio loopback test failed at startup time. None.
Table E-1 Error and Event Messages (continued)

Message: DOT11-4-NO_SSID: No SSIDs configured, radio not started
Explanation: All SSIDs were deleted from the configuration. At least one must be configured for the radio to run.
Recommended Action: Configure at least one SSID on the device.

Message: DOT11-4-FLASHING_RADIO: Flashing the radio firmware ([chars])
Explanation: The radio has been stopped to load new firmware.
Recommended Action: None.
Table E-1 Error and Event Messages (continued)

Message: WGB_CLIENT_VLAN: Workgroup Bridge Ethernet client VLAN not configured.
Explanation: A VLAN configuration is missing for client devices connected to a workgroup bridge.
Recommended Action: Use the workgroup-bridge client-vlan command to assign a VLAN to Ethernet client devices connected to the workgroup bridge.

Message: UNDER_VOLTAGE: Under voltage condition detected.
GLOSSARY

802.11
The IEEE standard that specifies carrier sense media access control and physical layer specifications for 1- and 2-megabit-per-second (Mbps) wireless LANs operating in the 2.4-GHz band.

802.11a
The IEEE standard that specifies carrier sense media access control and physical layer specifications for wireless LANs operating in the 5-GHz frequency band.

802.11b
The IEEE standard that specifies carrier sense media access control and physical layer specifications for 5.
B

backoff time
The random length of time that a station waits before sending a packet on the LAN. Backoff time is a multiple of slot time, so a decrease in slot time ultimately decreases the backoff time, which increases throughput.

beacon
A wireless LAN packet that signals the availability and presence of the wireless device.

BID
Bridge identifier used in spanning-tree calculations. The BID contains the bridge MAC address and its spanning-tree priority value.
Cisco Centralized Key Management (CCKM)
CCKM is the basis of Cisco Fast reassociation and reauthentication solution, which utilizes a central node, an AP, as the key distributor to enable protected communications between the AP and the Wireless Stations. Station using CCKM use proprietary supports SSN Group Key update.

CKIP
Cisco Temporal Key Integrity Protocol

client
A radio device that uses the services of an access point to communicate wirelessly with other devices on a local area network.
EAPOL Key Encryption Key (KEK)
Key that encrypts key material in EAPOL-key packet

EAPOL-Key MIC Key (KCK)
Key used to integrity check an EAPOL-Key Message.

Ethernet
The most widely used wired local area network. Ethernet uses carrier sense multiple access (CSMA) to allow computers to share a network and operates at 10, 100, or 1000 Mbps, depending on the physical layer used.

F

file server
A repository for files so that a local area network can share files, mail, and programs.
M

MAC
Media Access Control address. A unique 48-bit number used in Ethernet data packets to identify an Ethernet device such as an access point or your client adapter.

Message Integrity Code (MIC)
A cryptographic checksum, designed to make it computationally infeasible for an adversary to alter data. This is usually called a Message Authentication Code, or MAC, in the literature, but the acronym MAC is already reserved for another meaning in this standard.
Q

quadruple phase shift keying
A modulation technique used by IEEE 802.11b-compliant wireless LANs for transmission at 2 Mbps.

R

range
A linear measure of the distance that a transmitter can send a signal.

receiver sensitivity
A measurement of the weakest signal a receiver can receive and still correctly translate it into data.

RF
Radio frequency. A generic term for radio-based technology.
T

Temporal Encryption Key
Key used to encrypt data packets.

Temporal Key
Combination of temporal encryption key and temporal MIC key.

Temporal MIC Key
Key used to integrity check data packets

TID
Traffic Identifier (802.1Q user priority value)

TKIP
Temporal Key Integrity Protocol

transmit power
The power level of radio transmission.

U

UNII
Unlicensed National Information Infrastructure—regulations for UNII devices operating in the 5.15- to 5.35-GHz and 5.725- to 5.
WNM
Wireless Network Manager.

workstation
A computing device with an installed client adapter.

WPA
Wi-Fi Protected Access (WPA) is a security solution from the Wireless Ethernet Compatibility Alliance (WECA). WPA, mostly synonymous to Simple Security Network (SSN), relies on the interim version of IEEE Standard 802.11i. WPA supports WEP and TKIP encryption algorithms as well as 802.1X and EAP for simple integration with existing authentication systems.
Index Beta Draft -- Cisco Conf idential using TFTP 14-22 user EXEC mode A-4 username-based authentication 2-24 V VLAN SSID 2-26, 2-27 W WDS 8-1 web site Cisco Software Center WEP 6-1 described 6-2 key example keys 24, 16-9 6-4 16-3 troubleshooting with EAP 16-3 7-3 Wi-Fi Protected Access See WPA Wi-Fi Protected Access (WPA) 2-27 Wired Equivalent Privacy See WEP Wireless Domain Services (WDS) wireless domain services (WDS) 7-5 8-5 world-mode 802.