Cisco 1100 and 1200 Series APs Using the Wireless LAN Services Module (WLSM) Configuration and Deployment Guide

This document describes the required settings and configuration for Cisco 1100 and 1200 Series access points (APs) using the Wireless LAN Services Module (WLSM) to support wireless IP telephones.

Product Summary

Manufacturer: Cisco, www.cisco.com
Approved APs: AP 1121, 1131, 1231, 1232, 1242, BR 1310
WLSM framework: Catalyst 6503-E Switch, Supervisor Engine 720, WLSM Module
External network components: RADIUS Server *, Cisco 2940 1G Switch
RF technology:
  Radio: 802.11b/g, 2.4-2.484 GHz
  QoS: SpectraLink Voice Priority (SVP)
  Security: WPA-PSK, WPA2-PSK
AP firmware version tested: 12.3.7-JA4
Wireless IP telephone software version tested: SRP Version 2.0 (89.124)

Handset models                  3616/3620/3626    3641/3645
Radio mode                      802.11b           802.11b
Maximum telephone calls per AP  8                 8
Auto-learn function             Yes *             No

Recommended network topology: Switched Ethernet (recommended)

* Denotes products directly used in testing.
* RADIUS Server used in place of a WLSE Module.

Network Topology

The following topology was tested during lab testing. It is important to note that these do not necessarily represent all tested configurations.

Copyright 2007 Avaya, Inc. All rights reserved. 21-601643, Issue 1, May 2007
Known Limitations

1. Wi-Fi Multimedia (WMM) must be disabled in this configuration (the default is on). WMM is a global setting, so WMM cannot be used by any Wi-Fi device on this network.
2. Avaya's push-to-talk (PTT) functionality, available in wireless IP telephones, does not work in this configuration because of limitations in the way multicast traffic is passed through the WLSM.
3. Cisco Fast Secure Roaming (FSR) has limited functionality in this configuration and is therefore not recommended. Avaya recommends WPA-PSK and WPA2-PSK for this configuration.

Notes on Configuration

Initial Setup

The AP must support SpectraLink Voice Priority (SVP). Contact your AP vendor if you need to upgrade the AP software. Go to the Cisco Download site at www.cisco.com and download the latest version of firmware for the access point (AP) and WLSM modules. If you encounter difficulties or have questions regarding the configuration process, please contact Cisco customer service at www.cisco.com.

WLSM Setup

For an introduction and set-up guide for Cisco's Catalyst 6500 Switch, go to the following links:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/wlsmdig.htm
http://www.cisco.com/en/us/products/sw/cscowork/ps3915/products_white_paper09186a00801d8630.shtml

The minimum components required are a Catalyst 6500 chassis, a Supervisor 720 module and a Wireless LAN Services Module (WLSM). Either a Wireless LAN Solution Engine (WLSE) or a RADIUS server is required for AAA authentication. The 6500 chassis has only one Ethernet port connection, which is a gigabit port. An Ethernet module can be added to the 6500 chassis, or an external switch can be used. An external switch must support 802.1Q VLANs and have at least one Gigabit port. Two 20 amp wall circuits are required for powering the unit. Sample configuration files for the Sup 720 and WLSM modules are shown at the end of this document.
AP Setup

The APs have to be configured to work within the WLSM environment. The settings shown in the examples in this document correspond to the settings in the configuration files for the WLSM setup.
Mapping

The table below shows how the different modules map to each other.
Assigning an IP address to a new AP

1. Connect the PC's serial port to the AP via the command line interface (CLI) cable. Run a terminal program set to 9600 baud.
2. At the prompt, type enable.
3. Type the password; the default password is Cisco.
4. Type the command configure terminal.
5. Type the command interface BVI 1.
6. Type ip address <ip address> <net mask>.
7. Type end and then type write mem to save the configuration.

Connecting to the AP

Connect to the AP via Netscape or Internet Explorer by navigating to the URL http://<ip_addr> (where <ip_addr> is the IP address of the AP).

Installing software on the AP

1. Download the appropriate firmware for your model of AP from the Cisco IOS Software Downloads Web site.
2. Connect to the AP via a web browser, preferably IE. Turn off pop-up blocking.
3. Click SYSTEM SOFTWARE.
4. Click Software Upgrade.
5. Click the HTTP UPGRADE tab.
6. Use the Browse button to select the target image.
7. Click the Upgrade button.
8. Allow at least five minutes for the upgrade to complete. The progress of the upgrade can be tracked via the AP's LEDs:
   - Center LED RED: the image is being downloaded.
   - All LEDs ON: the AP is decompressing the image, rebooting, etc.
   - Top LED GREEN, radio and status LEDs blinking: Ethernet connectivity OK, normal operation.
9. The Web browser opens a window indicating the amount of time since the upgrade started. After the upgrade is completed, this window may stay open. Close the window(s) and refresh the Web browser's connection to the AP.

The rest of the configuration can easily be done through the browser interface. Log into the AP via a Web browser using the IP address assigned in the step above.
Configuring Security

Main Security screen

The Security Summary screen below shows the configuration of three VLANs. VLANs are set up to work with different encryption types and SSIDs. Network IDs are assigned to the corresponding tunnel ID on the SUP 720. Note that the configuration shown below depicts three different SSIDs with three different encryption types. For example:

BBK: VLAN 1, WPA-PSK/AES
ADG: VLAN 2, WPA-PSK/TKIP
FSR: VLAN 3, CCKM/TKIP (not used during this testing)
Configuring VLANs

The following screen shows the set-up for creating a VLAN. Note that if your deployment uses only a single encryption type, it is not necessary to configure VLANs. Click Security in the navigation pane and select Encryption Manager to configure a single encryption type. See the Configuring Encryption section below for an example of the Encryption Manager screen.

1. In the navigation pane, click SERVICES.
2. Select VLAN from the sub-menu.
3. Under Current VLAN List, select the proper VLAN from the list box, or create a new one if necessary.
4. Assign a VLAN ID number to the VLAN.
5. Make sure Radio0-802.11G is selected.
6. One VLAN has to be set as the Native VLAN.
7. Click the Apply button.
Configuring Encryption

Set Security: Encryption Manager

1. In the navigation pane, click SECURITY.
2. Select Encryption Manager from the sub-menu.
3. For Set Encryption Mode and Keys for VLAN, select the proper VLAN that corresponds to the SSID.
4. Under Encryption Modes, click the Cipher option.
5. For WPA-PSK, select TKIP from the drop-down list. For WPA2-PSK, select AES CCMP from the drop-down list.
6. Under Encryption Keys, clear all Encryption Key fields.
7. Under Global Properties, click the Disable Rotation option.
8. Click the Apply button.

The following example shows the SECURITY screen with WPA2-PSK settings.
Configuring SSIDs

The following screen shows the set-up for WPA2-PSK and VLAN 1.

1. In the navigation pane, click SECURITY.
2. Select SSID Manager from the sub-menu.
3. Under SSID Properties, select the proper SSID from the list box, or create a new one if necessary. Make sure Radio0-802.11G is selected.
4. Select the proper VLAN and Network ID number. The Network ID number matches the Mobility Network ID of a Tunnel interface on the Sup720.
5. Under Authentication Settings, select the Open Authentication check box and select No Addition from the drop-down list.
6. Use the default settings for Server Priorities.
7. Under Authenticated Key Management:
   a. Select Mandatory from the Key Management drop-down list.
   b. Select the WPA check box.
   c. In the WPA Pre-shared Key field, type the key code used in the phones. Characters are case sensitive.
   d. Select the ASCII option.
8. Click the Apply button.
9. At the bottom of the page, under Guest Mode/Infrastructure SSID Settings, select the Single BSSID option and select the SSID that was used in step 5.
10. Click the Apply button.
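Step 7c requires the AP and the handsets to carry the identical ASCII key because each side turns that passphrase into the 256-bit pairwise master key (PMK) with PBKDF2-HMAC-SHA1, salted with the SSID, as IEEE 802.11i specifies; one differing character, including case, gives a different PMK and the WPA handshake fails. The Python below is an added illustration of that derivation, not code from this guide or from Cisco; the passphrases it exercises are hypothetical, the SSID names BBK and ADG are taken from this document, and the function names are this example's own.

```python
import hashlib


def wpa_psk_to_pmk(passphrase, ssid):
    """Derive the 256-bit PMK from an ASCII WPA/WPA2 passphrase.

    IEEE 802.11i specifies PBKDF2-HMAC-SHA1 with the SSID as salt, 4096
    iterations and a 32-byte output, so the PMK is bound to the SSID: the same
    passphrase on the BBK and ADG SSIDs yields two different keys.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, 32)


def handset_matches_ap(ap_passphrase, handset_passphrase, ssid):
    """True only when both sides derive the same PMK; the comparison is
    character-exact and case-sensitive, which is why step 7c insists on it."""
    return wpa_psk_to_pmk(ap_passphrase, ssid) == wpa_psk_to_pmk(handset_passphrase, ssid)


if __name__ == "__main__":
    # Published IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk_to_pmk("password", "IEEE").hex())
    # Hypothetical passphrase that differs only in case between AP and handset.
    print(handset_matches_ap("VoiceVlan-Key1", "voicevlan-key1", "BBK"))
```

The "password"/"IEEE" pair is the published test vector from IEEE 802.11i Annex H, so the derivation can be checked against a known value. The `wpa-psk ascii 7 ...` lines in the AP configuration file at the end of this document are not this PMK: they hold the passphrase in Cisco's type-7 encoding, which is reversible obfuscation rather than a hash, so a saved AP configuration must be protected as carefully as the key itself.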
Configuring QoS

Quality of service (QoS) policies must be set up so that voice packets are prioritized properly. Two policies are created, one for downstream traffic and one for upstream traffic.
Configuring SRP for downstream traffic

1. In the navigation pane, click SERVICES.
2. Select QoS from the sub-menu.
3. Create the downstream QoS policy:
   a. Under Create/Edit Policy, select the proper Policy Name from the drop-down list, or create a new one if necessary.
   b. Select Voice <10ms Latency (6) from the third drop-down list under Apply Class of Service.
   c. Click the Add button to add this classification to your new QoS policy.
4. Click the Apply button.
Configuring SRP for upstream traffic

1. Create the upstream QoS policy:
   a. Under Create/Edit Policy, select the proper Policy Name from the drop-down list, or create a new one if necessary.
   b. Select Video <100ms Latency (5) from the third drop-down list under Apply Class of Service.
   c. Click the Add button to add this classification to your new QoS policy.
2. Click the Apply button.
Apply policies to interfaces

1. Scroll down to Apply Policies to Interface/VLANs.
2. Apply the new QoS policies to Incoming and Outgoing Radio0-802.11G for the appropriate interfaces for each VLAN by selecting them from the applicable drop-down lists:
   a. Apply the downstream policy to the Incoming traffic for Radio0-802.11G.
   b. Apply the upstream policy to the Outgoing traffic for Radio0-802.11G.
3. No policies are applied to the Fast Ethernet interface.
4. Click the Apply button.
Radio0-802.11G access categories

1. Click the RADIO0-802.11G ACCESS CATEGORIES tab.
2. At Voice (CoS 6-7):
   a. Set the Min Contention Window and Max Contention Window fields to 0.
   b. Set the Fixed Slot Time field to 2.
   c. Set the Transmit Opportunity field to 0.
3. Click the Apply button.
QoS advanced settings

1. Click the Advanced tab.
2. At QoS Element for Wireless Phones, click the Enable option.
3. Under IGMP Snooping, click the Enable option.
4. At Map Ethernet Packets with CoS 5 to CoS 6, click the Yes option.
5. Important: Under WMM, under Enable on Radio Interfaces, make sure the check boxes are cleared.
6. Click the Apply button.
Radio Settings

1. In the navigation pane, click NETWORK INTERFACES.
2. Select Radio0-802.11G from the sub-menu.
3. Click the SETTINGS tab.
4. Set Enable Radio to Enable.
5. For setting up the Data Rates there are two options, Best Range or Best Throughput.
   a. For Best Throughput, select Enable for 1.0, 2.0 and 5.5 Mb/sec, and select Require for 11.0 Mb/sec. To support this data rate set, a signal strength of -60 dBm or stronger is required wherever the handsets are to be used. The screen shot below shows the settings for Best Throughput.
   b. For Best Range, select Require for 1.0 Mb/sec, and select Enable for 2.0, 5.5 and 11.0 Mb/sec. To support this data rate set, a signal strength of -70 dBm or stronger is required wherever the handsets are to be used.
6. Power level and Channel selection will vary according to the environment.
7. At Aironet Extensions, select the Disable option.
8. Set the Data Beacon Rate (DTIM) field to 3.
9. Set the Max. Data Retries and RTS Max. Retries fields to 20.
10. Click the Apply button.
Wireless Services

The AP needs to be configured to access the WDS service on the WLSM module. The IP address is the one assigned to the WLSM module (under the wlan vlan configuration) in its configuration file.

1. In the navigation pane, click WIRELESS SERVICES.
2. Select AP from the sub-menu.
3. At Participate in SWAN Infrastructure, click the Enable option.
4. At WDS Discovery, click the Specified Discovery option and enter the IP address assigned to the WLSM module.
5. Enter the Username assigned to the RADIUS server and WDS.
6. Enter the Password assigned to the RADIUS server and WDS.
7. Click the Apply button.
Assigning a Different IP Address to a Configured AP

1. In the navigation pane, click NETWORK INTERFACES.
2. Select IP Address from the sub-menu.
3. Enter the new IP Address and IP Subnet Mask as required.
4. Enter a Default Gateway IP Address if required.
5. Click the Apply button.
Example Configuration File for SUP720

Building configuration...

Current configuration : 3940 bytes
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 10
hostname Cat6503-E
boot system flash sup-bootflash:s72033-pk9sv-mz.122-18.sxd5.bin
logging snmp-authfail
enable password cisco
no aaa new-model
wlan module 3 allowed-vlan 100
vtp mode transparent
ip subnet-zero
no ip domain-lookup
ip dhcp excluded-address 192.168.115.1
ip dhcp excluded-address 192.168.116.1
ip dhcp excluded-address 192.168.112.1 192.168.112.6
ip dhcp excluded-address 192.168.114.1 192.168.114.2
ip dhcp pool mobilnet1
ip dhcp pool mobilenet1
 network 192.168.114.0 255.255.255.0
 default-router 192.168.114.1
 option 151 ip 192.168.110.5
 option 66 ip 192.168.110.6
ip dhcp pool mobilenet2
 network 192.168.115.0 255.255.255.0
 option 66 ip 192.168.110.6
 option 151 ip 192.168.110.5
 default-router 192.168.115.1
ip dhcp pool mobilenet3
 network 192.168.116.0 255.255.255.0
 option 151 ip 192.168.110.5
 option 66 ip 192.168.110.6
 default-router 192.168.116.1
ip dhcp pool aironet-vlan2
 network 192.168.112.0 255.255.255.0
 default-router 192.168.112.1
ip dhcp snooping
ip multicast-routing
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
mls qos
mls cef error action freeze
power redundancy-mode combined
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
redundancy
 mode sso
 main-cpu
  auto-sync running-config
  auto-sync standard
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
vlan 2-3,100
class-map match-all DSCP
  match any
policy-map upstream
  class DSCP
   trust cos
interface Loopback10
 ip address 192.168.117.2 255.255.255.255
interface Loopback11
 ip address 192.168.117.1 255.255.255.255
interface Loopback12
 ip address 192.168.117.0 255.255.255.255
interface Loopback33
 ip address 33.33.33.33 255.255.255.255
 ip pim sparse-dense-mode
interface Tunnel10
 description WPA-PSK WPA2
 ip address 192.168.114.1 255.255.255.0
 no ip redirects
 ip mtu 1476
 ip dhcp snooping packets
 ip pim sparse-dense-mode
 tunnel source Loopback10
 tunnel mode gre multipoint
 mobility network-id 10
 mobility trust
 mobility broadcast
 service-policy input upstream
interface Tunnel11
 description WPA-LEAP_EAP
 ip address 192.168.115.1 255.255.255.0
 no ip redirects
 ip mtu 1476
 ip dhcp snooping packets
 ip pim sparse-dense-mode
 tunnel source Loopback11
 tunnel mode gre multipoint
 mobility network-id 11
 mobility trust
 mobility broadcast
 service-policy input upstream
interface Tunnel12
 description CCKM-TKIP-FSR
 ip address 192.168.116.1 255.255.255.0
 no ip redirects
 ip mtu 1476
 ip pim dense-mode
 tunnel source Loopback12
 tunnel mode gre multipoint
 mobility network-id 12
 mobility trust
 mobility broadcast
 service-policy input upstream
interface GigabitEthernet1/1
 ip address 192.168.104.1 255.255.255.0
interface GigabitEthernet1/2
 no ip address
 media-type rj45
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 service-policy input upstream
interface Vlan1
 ip address 192.168.110.1 255.255.255.0
 ip pim dense-mode
 ip igmp join-group 224.0.1.116
 ip igmp static-group 224.0.1.116
interface Vlan2
 description AP group 1
 ip address 192.168.112.1 255.255.255.0
 ip pim dense-mode
 ip igmp static-group 224.0.1.116
interface Vlan3
 description AP group 2
 ip address 192.168.113.1 255.255.255.0
 ip pim dense-mode
 ip igmp static-group 224.0.1.116
interface Vlan100
 ip address 192.168.111.1 255.255.255.0
 ip pim dense-mode
 ip igmp static-group 224.0.1.116
ip classless
no ip http server
ip pim rp-address 33.33.33.33
control-plane
line con 0
line vty 0 4
 password cisco
 login
end
Cat6503-E#
Example Configuration File for WLSM

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname wlsm
enable password cisco
username cisco password 0 cisco
spd headroom 512
aaa new-model
aaa authentication login leap-devices group radius
aaa authentication login client-auth group radius
aaa session-id common
ip subnet-zero
ip tftp source-interface Ethernet0/0.100
no ip domain lookup
wlan vlan 100
 ipaddr 192.168.111.2 255.255.255.0
 gateway 192.168.111.1
 admin
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.111.1
ip http server
no ip http secure-server
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
no cdp run
radius-server host 192.168.110.7 auth-port 1645 acct-port 1646
radius-server key spectralink
wlccp authentication-server infrastructure leap-devices
wlccp authentication-server client any client-auth
line con 0
 password cisco
 transport preferred all
 transport output all
line 1 3
 no exec
 transport preferred all
 transport input all
 transport output all
 flowcontrol software
line vty 0 4
 password cisco
 transport preferred all
 transport input all
 transport output all
end
Example Configuration File for 2940 Switch

version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
enable secret 5 $1$nJJr$yba1.cqtPZvuk91xKLuQ01
ip subnet-zero
vtp mode transparent
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
vlan 2-3
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/3
interface FastEthernet0/4
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
 switchport access vlan 3
 switchport mode access
interface FastEthernet0/8
 switchport access vlan 3
 switchport mode access
interface GigabitEthernet0/1
 switchport mode trunk
interface Vlan1
 ip address 192.168.110.2 255.255.255.0
 no ip route-cache
ip default-gateway 192.168.110.1
ip http server
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 login
end
Example Configuration File for 1130 AP

Building configuration...

Current configuration : 5525 bytes
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
enable secret 5 $1$HhzS$AETmoXfrVtIvD6SqHanZi.
ip subnet-zero
aaa new-model
aaa group server radius rad_eap
 server 192.168.110.7 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
 server 192.168.110.7 auth-port 1645 acct-port 1646
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa group server tacacs+ tac_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
 all
aaa session-id common
dot11 ssid ADG
   vlan 2
   authentication open
   authentication key-management wpa
   mobility network-id 11
   wpa-psk ascii 7 03267E28575D72181B5F4E
dot11 ssid BBK
   vlan 1
   authentication open
   authentication key-management wpa
   mobility network-id 10
   wpa-psk ascii 7 0529232C701E1D5D4C5340
dot11 ssid FSR
   vlan 3
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management cckm
   mbssid guest-mode dtim-period 3
   mobility network-id 12
   information-element ssidl
dot11 priority-map avvid
dot11 phone
power inline negotiation prestandard source
username Cisco password 7 0802455D0A16
class-map match-all _class_srp0
 match ip protocol 119
class-map match-all _class_srp-up0
 match ip protocol 119
policy-map SRP
 class _class_srp0
  set cos 6
policy-map SRP-UP
 class _class_srp-up0
  set cos 5
bridge irb
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 3 mode ciphers tkip
 encryption vlan 2 mode ciphers tkip
 ssid ADG
 ssid BBK
 ssid FSR
 no short-slot-time
 traffic-class background cw-min 5 cw-max 10 fixed-slot 7
 traffic-class best-effort cw-min 5 cw-max 10 fixed-slot 3
 traffic-class video cw-min 4 cw-max 5 fixed-slot 3
 traffic-class voice cw-min 0 cw-max 0 fixed-slot 2
 speed 1.0 2.0 5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 power local cck -1
 power local ofdm -1
 power client -1
 packet retries 20
 no preamble-short
 channel 2417
 station-role root
 rts retries 20
 beacon dtim-period 3
 no dot11 qos mode
 dot11 qos class video
  transmit-op 0
 dot11 qos class voice
  transmit-op 0
 no dot11 extension aironet
interface Dot11Radio0.1
 encapsulation dot1q 1 native
 service-policy input SRP
 service-policy output SRP-UP
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface Dot11Radio0.2
 encapsulation dot1q 2
 service-policy input SRP
 service-policy output SRP-UP
 no ip route-cache
 bridge-group 2
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
interface Dot11Radio0.3
 encapsulation dot1q 3
 service-policy input SRP
 service-policy output SRP-UP
 no ip route-cache
 bridge-group 3
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 traffic-class voice cw-min 0 cw-max 0 fixed-slot 2
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 no dot11 qos mode
 dot11 qos class voice
  transmit-op 1504
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
interface FastEthernet0.1
 encapsulation dot1q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
interface FastEthernet0.2
 encapsulation dot1q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
interface FastEthernet0.3
 encapsulation dot1q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
interface BVI1
 ip address 192.168.113.2 255.255.255.0
 no ip route-cache
ip default-gateway 192.168.113.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.110.7 auth-port 1645 acct-port 1646 key 7 131607170818162B272D2638
radius-server vsa send accounting
control-plane
bridge 1 route ip
wlccp ap username spectralink password 7 071C31494D1D0B041B1B0507
wlccp ap wds ip address 192.168.111.2
line con 0
 transport preferred all
 transport output all
line vty 0 4
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 transport preferred all
 transport input all
 transport output all
end
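The Mapping table this guide refers to (SSID to VLAN to mobility network-id to Sup720 tunnel) is not reproduced above, but the same relationships are present in the example configuration files, and so are the settings the procedures in this guide prescribe. The Python below is an added example, not code from this guide, from Avaya or from Cisco: it parses IOS-style running-config text and checks that each SSID uses open authentication with WPA key management and a pre-shared key, that WMM is disabled on the radio (Known Limitation 1), that no static WEP keys remain and only TKIP or AES-CCMP ciphers are set, that SVP traffic (IP protocol 119) is marked CoS 6 downstream and CoS 5 upstream, and that every SSID's mobility network-id resolves to a tunnel on the Sup720. The embedded AP_CONFIG and SUP_CONFIG strings are constructed excerpts condensed from the example files in this document; the function names are this example's own.

```python
# Constructed excerpts condensed from the 1130 AP and SUP720 example configs above.
AP_CONFIG = """\
dot11 ssid BBK
   authentication open
   authentication key-management wpa
   mobility network-id 10
   wpa-psk ascii 7 0529232C701E1D5D4C5340
dot11 ssid ADG
   authentication open
   authentication key-management wpa
   mobility network-id 11
   wpa-psk ascii 7 03267E28575D72181B5F4E
class-map match-all _class_srp0
 match ip protocol 119
class-map match-all _class_srp-up0
 match ip protocol 119
policy-map SRP
 class _class_srp0
  set cos 6
policy-map SRP-UP
 class _class_srp-up0
  set cos 5
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 mode ciphers tkip
 no dot11 qos mode
"""
SUP_CONFIG = """\
interface Tunnel10
 mobility network-id 10
interface Tunnel11
 mobility network-id 11
"""


def sections(config, prefix):
    """Map each unindented line starting with prefix to its indented child lines."""
    out, current = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if not raw.startswith(" "):
            current = raw.strip() if raw.startswith(prefix) else None
            if current is not None:
                out[current] = []
        elif current is not None:
            out[current].append(raw.strip())
    return out


def check_ssids(ap_config):
    """One finding per SSID that deviates from the guide's WPA-PSK/WPA2-PSK settings."""
    findings = []
    for header, body in sections(ap_config, "dot11 ssid ").items():
        ssid = header.split()[-1]
        if "authentication open" not in body:
            findings.append(ssid + ": open authentication not set")
        if not any(ln.startswith("authentication key-management wpa") for ln in body):
            findings.append(ssid + ": key management is not WPA")
        if not any(ln.startswith("wpa-psk ") for ln in body):
            findings.append(ssid + ": no pre-shared key configured")
    return findings


def check_radio(ap_config):
    """WMM must be off (Known Limitation 1), no static WEP keys, ciphers TKIP or AES-CCMP only."""
    body = sections(ap_config, "interface Dot11Radio0").get("interface Dot11Radio0", [])
    findings = []
    if "no dot11 qos mode" not in body:
        findings.append("Dot11Radio0: WMM not disabled ('no dot11 qos mode' missing)")
    for line in body:
        if line.startswith("encryption key "):
            findings.append("Dot11Radio0: static WEP key present: " + line)
        if " mode ciphers " in line and line.split()[-1] not in ("aes-ccm", "tkip"):
            findings.append("Dot11Radio0: unexpected cipher: " + line)
    return findings


def check_qos(ap_config):
    """SVP (IP protocol 119) must be marked CoS 6 downstream (SRP) and CoS 5 upstream (SRP-UP)."""
    svp_classes = {h.split()[-1] for h, b in sections(ap_config, "class-map ").items()
                   if "match ip protocol 119" in b}
    findings = []
    for policy, want in (("SRP", "set cos 6"), ("SRP-UP", "set cos 5")):
        body = sections(ap_config, "policy-map " + policy).get("policy-map " + policy, [])
        if not {ln.split()[1] for ln in body if ln.startswith("class ")} & svp_classes:
            findings.append(policy + ": no class matching SVP (ip protocol 119)")
        if want not in body:
            findings.append(policy + ": expected '" + want + "'")
    return findings


def map_ssids_to_tunnels(ap_config, sup_config):
    """Resolve each SSID's mobility network-id to the Sup720 tunnel carrying it (None if absent)."""
    tunnels = {ln.split()[-1]: h.split()[-1]
               for h, b in sections(sup_config, "interface Tunnel").items()
               for ln in b if ln.startswith("mobility network-id ")}
    result = {}
    for header, body in sections(ap_config, "dot11 ssid ").items():
        ids = [ln.split()[-1] for ln in body if ln.startswith("mobility network-id ")]
        result[header.split()[-1]] = tunnels.get(ids[0]) if ids else None
    return result


if __name__ == "__main__":
    for check in (check_ssids, check_radio, check_qos):
        print(check.__name__, check(AP_CONFIG) or "ok")
    print(map_ssids_to_tunnels(AP_CONFIG, SUP_CONFIG))
```

Run the checks against the `show running-config` output of each AP and of the Sup720 after any change: an empty findings list means the setting matches this guide, and a None in the tunnel map means an SSID carries a mobility network-id that no tunnel interface on the Sup720 serves, which is the mismatch that leaves handsets on that SSID without a DHCP lease or a route.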