
Configuring a Cisco Wireless Services Module and Wireless Control System

Table Of Contents

Configuring a Cisco Wireless Services Module and Wireless Control System

Key Terms

Cisco WiSM Concepts

Configuration Rules

General Rules

Interface Assignment Rules

Configuration Overview

Verifying the Hardware and Software

Topology Example

Configuring Communication Between the Supervisor 720 and Cisco WiSM

Configuring Communication Between the Supervisor 720 and Cisco WiSM Using 12.2.18SXF2 to 12.2.18SXF5

Configuring Communication Between the Supervisor 720 and Cisco WiSM Using 12.2.18SXF6

Configuring the Cisco WiSM-A

Configuring Cisco WiSM-B

Configuring the RADIUS Server for WPA/WPA-2 Authentication

Configuring the Infrastructure for Access Point Placement

Configuring the WCS and Adding the Cisco WiSM

Integrating Cisco WiSM and Firewall Service Module

Firewall Services Module Overview

How the FWSM Works

Firewall and Cisco WiSM Implementation Configuration

Integrating Cisco WiSM and VPN Service Module

VPNSM Overview

How VPNSM Works

VPNSM Configuration with the Cisco WiSM

Configuring the VPN Client


Configuring a Cisco Wireless Services Module and Wireless Control System


This document provides a technical overview of the new Cisco Wireless Services Module (WiSM) and software extensions to the Supervisor 720 and Cisco Wireless Control System (WCS). It is not an extensive tutorial on wireless LAN technology, the theory of operations of the unified wireless network architecture, or a deployment guide. The upgrade process used to convert Cisco Aironet access points from operating autonomously to operating with lightweight access point protocol (LWAPP) is not discussed. You should work closely with your Cisco account representative if you need more detailed deployment information on the Cisco unified wireless network.

The guide includes the following information and procedures for configuring and deploying the Cisco WiSM:

Key Terms

Cisco WiSM Concepts

Configuration Rules

Configuration Overview

Topology Example

Configuring Communication Between the Supervisor 720 and Cisco WiSM

Configuring the Cisco WiSM-A

Configuring Cisco WiSM-B

Configuring the RADIUS Server for WPA/WPA-2 Authentication

Configuring the Infrastructure for Access Point Placement

Configuring the WCS and Adding the Cisco WiSM

Integrating Cisco WiSM and Firewall Service Module

Key Terms

Table 1 defines key terms used throughout this document.

Table 1 Key Terms

Term or Acronym           Definition
------------------------  -------------------------------------------------------------------
Cisco WiSM                Cisco wireless services module.
WLC                       Cisco wireless LAN controller: Cisco devices that centrally manage
                          lightweight access points and wireless LAN data traffic.
WCS                       Cisco wireless control system: management software that manages WLC
                          devices and adds advanced management such as location-based services.
Lightweight Access Point  An access point running software that makes the access point work
                          with the WLCs.
LWAPP                     Lightweight Access Point Protocol: IETF draft protocol used in the
                          Cisco unified wireless network architecture implementations. LWAPP
                          defines both the control and data encapsulation formats used in the
                          Cisco unified wireless network architecture.


Cisco WiSM Concepts

The Cisco WiSM is a member of the Cisco wireless LAN controller family. It works in conjunction with Cisco Aironet lightweight access points, the Cisco WCS, and the Cisco wireless location appliance to deliver a secure and unified wireless solution that supports wireless data, voice, and video applications. The Cisco WiSM consists of two Cisco 4404 controllers; therefore, the IT staff must be aware that two separate controllers exist on a single module. The first controller is considered the WiSM-A card, while the second controller is considered the WiSM-B card. Interfaces and IP addressing have to be considered on both cards independently. WiSM-A manages 150 access points, while WiSM-B manages a separate set of 150 access points. These controllers can be grouped together in a mobility group, forming a cluster.

There are multiple types of interfaces on each controller of the Cisco WiSM: three of them are pre-defined types that must be present and that are configured at setup time:

Management interface (pre-defined and mandatory)

AP-Manager interface (pre-defined and mandatory)

Virtual interface (pre-defined and mandatory)

Service-port interface (pre-defined and mandatory)

Operator-defined interface (user-defined)

The management interface is the default interface for in-band management of the controller and for connectivity to enterprise services such as an AAA server. If the service port is in use, the management interface must be on a different subnet than the service port.

The AP-Manager interface is used as the source IP address for all Layer 3 communications between the controller and the lightweight access points. The AP-Manager must have a unique IP address and should be on the same subnet as the management interface.

The virtual gateway interface is used to support mobility management, DHCP relay, and embedded Layer 3 security, like guest web authentication and VPN termination. The virtual interface must be configured with an unassigned and unused gateway IP address. If multiple controllers are configured in a mobility group, the virtual interface must be the same on all controllers for seamless roaming.

The service-port interface is mapped only to the physical service port. The service port interface must have an IP address on a different subnet from the management and AP-Manager interfaces. A default-gateway cannot be assigned to the service-port interface, but static routes can be defined through the controller command-line interface for remote network access to the service port.


Note On the WiSM, the service port is used to synchronize the supervisor engine and the WiSM.


Each Cisco wireless LAN controller can support up to 512 operator-defined interfaces. Each operator-defined interface controls VLAN and other communications between controllers and all other network devices connected to an individual physical port.

Up to 16 WLANs can be configured per controller. A WLAN designation associates an SSID to an interface and is configured with security, quality of service (QoS), radio policies, and other parameters specific to the WLAN.

Figure 1 illustrates the typical relationship between the ports and the interfaces.

Figure 1 Relationship Between Ports and Interfaces

Another Cisco unified wireless network architecture concept is the mobility group. A mobility group is a cluster of controllers. Wireless devices can roam seamlessly within a mobility group. WLC devices within a mobility group also coordinate dynamic radio management calculations for the access points within the mobility group. For the Cisco WiSM, both WiSM controllers should be part of the same mobility group for seamless roaming among 300 access points. Each Catalyst 6500 chassis supports five Cisco WiSMs (up to 1500 access points). Each Cisco wireless LAN controller cluster supports 12 Cisco WiSMs (up to 3600 access points).


Note The Catalyst 6500 Series Switch chassis can support up to five Cisco WiSMs without any other service module installed. If one or more service modules are installed, the chassis can support up to a maximum of four service modules (WiSMs included).


Configuration Rules

When structured as the logical network diagram shown in Figure 1, the following rules apply to configure the Cisco WiSM.

General Rules

These general rules apply:

Both tagged and untagged VLAN interfaces are supported in any combination.

Layer 3 LWAPP mode is the only supported mode in Cisco WiSM.

A single access point manager interface is needed to support 150 access points per Cisco WiSM.

Interface Assignment Rules

These management interface rules apply:

Make the management interface untagged or tagged.

Put the management interface on the same VLAN/IP subnet as the AP manager interface.

This AP manager interface rule applies:

The AP manager interface must be on the same VLAN/IP subnet as the management interface.

These dynamic interface rules apply:

0, 1, or multiple dynamic interfaces may be configured on a port.

All dynamic interfaces must be on a different VLAN/IP subnet than any other interfaces configured on the port. If the port is untagged, all dynamic interfaces must be on a different IP subnet than any other interfaces configured on the port.
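The interface rules above are easy to get wrong when two controllers on one module are addressed by hand. The following checker encodes them and runs against the WiSM-A plan configured later in this document; it is an added example, not Cisco code, and the IP subnets of the two dynamic interfaces (VLAN 20 and VLAN 30) are constructed because the page does not give them.

```python
import ipaddress

# Interface plan for WiSM-A as configured later in this document, plus two
# dynamic interfaces whose addresses are constructed for this example
# (the page maps VLAN 20 and VLAN 30 but does not give their IP subnets).
WISM_A_PLAN = [
    {"name": "management",    "kind": "management",   "ip": "40.1.3.10",    "mask": "255.255.0.0",   "vlan": 0,    "port": "LAG"},
    {"name": "ap-manager",    "kind": "ap-manager",   "ip": "40.1.3.2",     "mask": "255.255.0.0",   "vlan": 0,    "port": "LAG"},
    {"name": "service-port",  "kind": "service-port", "ip": "192.168.10.3", "mask": "255.255.255.0", "vlan": None, "port": "N/A"},
    {"name": "virtual",       "kind": "virtual",      "ip": "1.1.1.1",      "mask": None,            "vlan": None, "port": "N/A"},
    {"name": "vlan20-open",   "kind": "dynamic",      "ip": "20.1.1.10",    "mask": "255.255.0.0",   "vlan": 20,   "port": "LAG"},
    {"name": "vlan30-secure", "kind": "dynamic",      "ip": "30.1.1.10",    "mask": "255.255.0.0",   "vlan": 30,   "port": "LAG"},
]


def _subnet(iface):
    """IPv4 subnet an interface lives on (strict=False accepts a host address)."""
    return ipaddress.IPv4Network(f"{iface['ip']}/{iface['mask']}", strict=False)


def check_interface_rules(plan):
    """Return a list of rule violations for one controller's interface plan.

    An empty list means the plan satisfies every rule stated on this page.
    """
    by_kind = {}
    for iface in plan:
        by_kind.setdefault(iface["kind"], []).append(iface)

    problems = []
    # The four pre-defined interfaces are mandatory: exactly one of each.
    for kind in ("management", "ap-manager", "virtual", "service-port"):
        if len(by_kind.get(kind, [])) != 1:
            problems.append(f"exactly one {kind} interface is required")
    if problems:
        return problems  # the remaining checks need all four present

    mgmt = by_kind["management"][0]
    apm = by_kind["ap-manager"][0]
    svc = by_kind["service-port"][0]
    virt = by_kind["virtual"][0]

    # AP-Manager: same VLAN/IP subnet as management, but its own address.
    if _subnet(apm) != _subnet(mgmt) or apm["vlan"] != mgmt["vlan"]:
        problems.append("ap-manager must be on the same VLAN/IP subnet as management")
    if apm["ip"] == mgmt["ip"]:
        problems.append("ap-manager must have a unique IP address")

    # Service port: a different subnet from management and AP-Manager.
    if _subnet(svc).overlaps(_subnet(mgmt)) or _subnet(svc).overlaps(_subnet(apm)):
        problems.append("service-port must be on a different subnet than management/ap-manager")

    # Virtual gateway: an unassigned, unused address, so it must not fall
    # inside any subnet the controller actually uses.
    virt_ip = ipaddress.IPv4Address(virt["ip"])
    for iface in plan:
        if iface["kind"] != "virtual" and virt_ip in _subnet(iface):
            problems.append(f"virtual gateway {virt['ip']} lies inside the {iface['name']} subnet")

    # Dynamic interfaces: a different VLAN and a different IP subnet from every
    # other interface on the same port (on an untagged port only the subnet can
    # be compared, so VLAN 0 is never treated as a collision).
    on_port = [i for i in plan if i["port"] != "N/A"]
    for dyn in by_kind.get("dynamic", []):
        for other in on_port:
            if other is dyn or other["port"] != dyn["port"]:
                continue
            if _subnet(dyn).overlaps(_subnet(other)):
                msg = f"dynamic interface {dyn['name']} shares an IP subnet with {other['name']}"
                if msg not in problems:
                    problems.append(msg)
            if dyn["vlan"] and other["vlan"] and dyn["vlan"] == other["vlan"]:
                msg = f"dynamic interface {dyn['name']} shares VLAN {dyn['vlan']} with {other['name']}"
                if msg not in problems:
                    problems.append(msg)
    return problems


if __name__ == "__main__":
    for problem in check_interface_rules(WISM_A_PLAN) or ["plan is clean"]:
        print(problem)
```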

Configuration Overview

The following procedures are required to set up the Cisco WiSM:

Verifying the Hardware and Software

Configuring Communication Between the Supervisor 720 and Cisco WiSM

Configuring the Cisco WiSM-A or Configuring Cisco WiSM-B

Verifying the Hardware and Software

Before configuring the Cisco WiSM, verify that the proper versions of the hardware and software are installed for the following:

Supervisor 720

Cisco WiSM

Cisco Secure ACS

Cisco Wireless Control System

Hardware Components

The Catalyst 6500 or Cisco 7600 chassis in which the Cisco WiSM is installed needs a Supervisor 720 module. The supported slots for the Cisco WiSM are given in Table 2.

Table 2 Supported Slots for the Cisco WiSM

Chassis                    Slots 1-3  Slot 4  Slots 5-6  Slots 7-8  Slot 9  Slots 10-13
-------------------------  ---------  ------  ---------  ---------  ------  -----------
Catalyst 6503              X          -       -          -          -       -
Catalyst 6504              X          X       -          -          -       -
Catalyst 6506              X          X       X          -          -       -
Catalyst 6509 / Cisco 7609 X          X       -          X          X       -
Catalyst 6513 / Cisco 7613 -          -       -          -          X       X


The Cisco WiSM module needs 254.94 Watts for its operation. Ensure that your Catalyst chassis provides the necessary power. All Catalyst 6500 chassis except the Catalyst 6503 require the fan tray 2 module, which in turn requires the 2500-W power supply for proper operation. The 2500-W power supplies use a 20-A circuit with a NEMA plug.

Before proceeding, ensure that the module is detected by the supervisor and that the status LED is green. If the status LED is not green, either the supervisor does not have the correct software release to detect the Cisco WiSM module, or the module has a hardware problem. The output of the show module command below shows that the Cisco WiSM module is installed in slot 3.

Sup720#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  3   10  WiSM WLAN Service Module               WS-SVC-WiSM-1-K9   SAD100604C4
  4   48  48-port 10/100 mb RJ45                 WS-X6148-45AF      SAL08154UT3
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL0913827E

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  3  0016.4625.c838 to 0016.4625.c847   1.2   12.2(14r)S5  12.2(18)SXF2 Ok
  4  0011.206d.7ef0 to 0011.206d.7f1f   1.0   5.4(2)       8.5(0.46)RFW Ok
  5  0013.7f0d.114c to 0013.7f0d.114f   4.3   8.1(3)       12.2(18)SXF2 Ok

Mod  Sub-Module                  Model              Serial       Hw     Status 
---- --------------------------- ------------------ ----------- ------- -------
  3  Centralized Forwarding Card WS-SVC-WISM-1-K9-D SAD100605LG  1.2    Ok
  4  IEEE Voice Daughter Card    WS-F6K-FE48-AF     SAD082007YH  1.1    Ok
  5  Policy Feature Card 3       WS-F6K-PFC3BXL     SAL091597AS  1.6    Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAL09158X9K  2.3    Ok

Mod  Online Diag Status 
---- -------------------
  3  Pass
  4  Pass
  5  Pass

Software Components

The minimum software requirements to support Cisco WiSM module are given in Table 3:

Table 3 Software Components

Component                      Minimum Software Release
-----------------------------  ----------------------------------------------------------------------
Supervisor 720                 12.2(18)SXF2 (or 12.2(18)SXF5 if using Cisco IOS Software Modularity)
Cisco WiSM                     3.2.78.4 (or 4.0.155.5 if using Cisco IOS Software Modularity)
Cisco Secure ACS Server        2.6 or above
Cisco Wireless Control System  3.2.33.0 or above



Note The Cisco WiSM is supported on Cisco 7609 and 7613 Series Routers running only Cisco IOS Release 12.2(18)SXF5 or higher.


Topology Example

Figure 2 illustrates the topology on which the configuration examples in this document are based.

Figure 2 Topology Example

In the configuration example, the Cisco WiSM is installed in slot 3 of the Catalyst 6506 chassis. Two WLANs are configured: one for open authentication (SSID "open") and one for EAP authentication (SSID "secure"). Dynamic interfaces are created for the open SSID and the EAP SSID and are mapped to the appropriate VLAN. For open SSID, VLAN 20 is used; for EAP SSID, VLAN 30 is used. The management and AP-Manager interfaces are configured to use VLAN 40. All network services (AAA, DHCP, and DNS) are configured on VLAN 1. The WCS is also on VLAN 1.

Configuring Communication Between the Supervisor 720 and Cisco WiSM

If you are using a software release between 12.2.18SXF2 and 12.2.18SXF5, eight Gigabit interfaces, Gig3/1 to Gig3/8, are created after the Cisco WiSM controller is detected by the Supervisor. In this case, the Cisco WiSM controller is installed in slot 3. See Configuring Communication Between the Supervisor 720 and Cisco WiSM Using 12.2.18SXF2 to 12.2.18SXF5.

If you are using software release 12.2.18SXF6, you will not be able to configure the Gigabit interfaces. See Configuring Communication Between the Supervisor 720 and Cisco WiSM Using 12.2.18SXF6.

Configuring Communication Between the Supervisor 720 and Cisco WiSM Using 12.2.18SXF2 to 12.2.18SXF5

! -- Create the vlan in the Supervisor 720 to communicate with the management and ap-manager ports of the Cisco WiSM controller.

Sup720(config)# vlan 40
Sup720(config)# description Management VLAN for WiSM

! -- Assign an appropriate IP address and subnet mask for VLAN 40

Sup720(config)# interface Vlan40
Sup720(config-if)# ip address 40.1.1.1 255.255.0.0
Sup720(config-if)# no shutdown
Sup720(config-if)# exit
! -- Create two port-channel interfaces for the two independent controllers in the Cisco WiSM and assign vlan 40 as the native vlan.

Sup720(config)# interface Port-channel 1
Sup720(config-if)# switchport
Sup720(config-if)# switchport trunk encapsulation dot1q
Sup720(config-if)# switchport trunk native vlan 40
Sup720(config-if)# switchport mode trunk
Sup720(config-if)# mls qos trust dscp
Sup720(config-if)# spanning-tree portfast
Sup720(config)# interface Port-channel 2
Sup720(config-if)# switchport
Sup720(config-if)# switchport trunk encapsulation dot1q
Sup720(config-if)# switchport trunk native vlan 40
Sup720(config-if)# switchport mode trunk
Sup720(config-if)# mls qos trust dscp
Sup720(config-if)# spanning-tree portfast

! -- Configure the Gigabit interfaces below as trunk ports with vlan 40 as the native vlan (make sure that the native vlan is not tagged while doing the Cisco WiSM configuration).

Gigabit interfaces 3/1 to 3/4 correspond to the first controller in the Cisco WiSM and should be members of channel group 1.


Sup720(config)# interface range GigabitEthernet3/1-4
Sup720(config-if)# switchport
Sup720(config-if)# switchport trunk encapsulation dot1q
Sup720(config-if)# switchport mode trunk
Sup720(config-if)# switchport trunk native vlan 40
Sup720(config-if)# spanning-tree portfast
Sup720(config-if)# channel-group 1 mode on
Sup720(config-if)# no shutdown
Sup720(config-if)# exit

Similarly, Gigabit interfaces 3/5 to 3/8 correspond to the second controller in the Cisco WiSM and should be members of channel group 2.


Sup720(config)# interface range GigabitEthernet3/5-8
Sup720(config-if)# switchport
Sup720(config-if)# switchport trunk encapsulation dot1q
Sup720(config-if)# switchport mode trunk
Sup720(config-if)# switchport trunk native vlan 40
Sup720(config-if)# spanning-tree portfast
Sup720(config-if)# channel-group 2 mode on
Sup720(config-if)# no shutdown
Sup720(config-if)# exit

! -- Create a vlan in the Supervisor 720. This vlan is local to the chassis and is used for communication between the Cisco WiSM and the Catalyst Supervisor 720 over a Gigabit interface on the Supervisor and the service-port in the Cisco WiSM.

Sup720(config)# vlan 192

! -- Assign an appropriate IP address and subnet mask for VLAN 192

Sup720(config)# interface Vlan 192
Sup720(config-if)# ip address 192.168.10.1 255.255.255.0
Sup720(config-if)# no shutdown
Sup720(config-if)# exit

Create a DHCP scope for the service port of the Cisco WiSM in Supervisor 720 or on a standalone DHCP server. Then associate the above VLAN for the service port.

Sup720(config)# ip dhcp pool wism-service-port
Sup720(dhcp-config)#network 192.168.10.0 255.255.255.0
Sup720(dhcp-config)#default-router 192.168.10.1
! -- Configure the following command to use vlan 192 to communicate with the service-port.
Sup720(config)# wism service-vlan 192

Use the show wism status command to verify that the Cisco WiSM received an IP address from the DHCP server.

Sup720#sh wism status

Service Vlan : 192, Service IP Subnet : 192.168.10.1/255.255.255.0
      WLAN
Slot  Controller  Service IP       Management IP    SW Version  Status
----+-----------+----------------+----------------+-----------+---------------
3     1           192.168.10.3     169.254.1.1      3.2.63.0    Oper-Up
3     2           192.168.10.4     169.254.1.1      3.2.63.0    Oper-Up

Sup720#

Configuring Communication Between the Supervisor 720 and Cisco WiSM Using 12.2.18SXF6


Note The configuration methods used for SXF2-5 are still relevant for SXF6 and later. The new configuration methods are intended to ease the tasks and to reduce mistakes from manual configurations.



Note By making the process automatic, the configurations are not as flexible as configuring the interfaces and port channels manually. Continue to use the manual LAG to make changes in the Gigabit interfaces configuration.



Note Using auto-configuration may limit the ability to make essential network changes and may require you to disable, reconfigure, and re-enable your wireless network.


! -- Create the vlan in the Supervisor 720 to communicate with the management and ap-manager ports of the Cisco WiSM controller.

Sup720(config)# vlan 40
Sup720(config)# description Management VLAN for WiSM

! -- Assign an appropriate IP address and subnet mask for VLAN 40

Sup720(config)# interface Vlan40
Sup720(config-if)# description Management VLAN for WiSM
Sup720(config-if)# ip address 40.1.1.1 255.255.0.0
Sup720(config-if)# no shutdown
Sup720(config-if)# exit

The Supervisor automatically creates two port-channel interfaces for the two independent controllers in the Cisco WiSM as soon as the module is detected. Usually the port-channels have a high number such as 287 and 288 as shown below.

Sup720#sh ip int brief | inc Port
Port-channel1287       unassigned      YES unset  administratively down down
Port-channel1288       unassigned      YES unset  administratively down down

The following commands can be used to configure the port-channel with native and allowed VLANs. In this case, VLAN 40 is added as the native VLAN.


Note Make sure that the native VLAN is not getting tagged while doing the Cisco WiSM configuration.


Sup720(config)# wism module 3 controller 1 ?
  allowed-vlan
  native-vlan
Sup720(config)# wism module 3 controller 1 native-vlan 40
Sup720(config)# wism module 3 controller 2 native-vlan 40

Gigabit interfaces 3/1 to 3/4, corresponding to the first controller in the Cisco WiSM, are automatically assigned to channel group 287, and the necessary commands are added automatically.

interface GigabitEthernet3/1-4
	switchport
	switchport trunk encapsulation dot1q
	switchport trunk native vlan 40
	switchport mode trunk
	switchport nonegotiate
	no ip address
	no snmp trap link-status
	mls qos trust cos
	no cdp enable
	channel-group 287 mode on
end

Similarly, Gigabit interfaces 3/5 to 3/8, corresponding to the second controller in the Cisco WiSM, are members of channel group 288.

interface GigabitEthernet3/5-8
	switchport
	switchport trunk encapsulation dot1q
	switchport trunk native vlan 40
	switchport mode trunk
	switchport nonegotiate
	no ip address
	no snmp trap link-status
	mls qos trust cos
	no cdp enable
	channel-group 288 mode on
end

Additionally, Cisco recommends allowing only VLANs that are configured in the Cisco WiSM through the port-channel and Gigabit interfaces with the following command. Later in the example, VLAN30 is created in the Cisco WiSM and mapped to a secure SSID.

Sup720(config)# wism module 3 controller 1 allowed-vlan 30,40
Sup720(config)# wism module 3 controller 2 allowed-vlan 30,40

! -- Create a vlan in the Supervisor 720. This vlan is local to the chassis and is used for communication between the Cisco WiSM and the Catalyst Supervisor 720 over a Gigabit interface on the Supervisor and the service-port in the Cisco WiSM.

Sup720(config)# vlan 192

! -- Assign an appropriate IP address and subnet mask for VLAN 192

Sup720(config)# interface Vlan 192
Sup720(config-if)# ip address 192.168.10.1 255.255.255.0
Sup720(config-if)# no shutdown
Sup720(config-if)# exit

Create a DHCP scope for the service port of the Cisco WiSM in the Supervisor 720 or on a standalone DHCP server. Then associate the above VLAN for the service port.

Sup720(config)# ip dhcp pool wism-service-port
Sup720(dhcp-config)#network 192.168.10.0 255.255.255.0
Sup720(dhcp-config)#default-router 192.168.10.1

! -- Configure the following command to use vlan 192 to communicate with the service-port.
Sup720(config)# wism service-vlan 192

Use the show wism status command to verify that the Cisco WiSM received an IP address from the DHCP server.

Sup720#show wism status

Service Vlan : 192, Service IP Subnet : 192.168.10.1/255.255.255.0
      WLAN
Slot  Controller  Service IP       Management IP    SW Version   Status
----+-----------+----------------+----------------+------------+--------------
3     1           192.168.10.3     0.0.0.0          4.0.155.5    Service Port Up
3     2           192.168.10.4     0.0.0.0          4.0.155.5

Sup720#show wism mod 3 controller 2 status

WiSM Controller 2 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN                         : 192
Service Port                         : 10
Service Port Mac Address             : 0011.92ff.8742
Service IP Address                   : 192.168.10.4
Management IP Address                : 40.1.3.15
Software Version                     : 4.0.155.5
Port Channel Number                  : 288
Allowed vlan list                    : 30,40
Native VLAN ID                       : 40
WCP Keep Alive Missed                : 0
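The per-controller status output above is what an operator would poll to confirm that each WiSM controller is up, has left the unconfigured state (management IP 0.0.0.0 or 169.254.x.x), and carries only the VLANs the WiSM actually uses. The parser and checks below are an added example, not Cisco code; the sample text is constructed from the field names and values shown on this page.

```python
import ipaddress
import re

# Constructed from the 'show wism mod 3 controller 2 status' output above.
SAMPLE_STATUS = """\
WiSM Controller 2 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN : 192
Service Port : 10
Service Port Mac Address : 0011.92ff.8742
Service IP Address : 192.168.10.4
Management IP Address : 40.1.3.15
Software Version : 4.0.155.5
Port Channel Number : 288
Allowed vlan list : 30,40
Native VLAN ID : 40
WCP Keep Alive Missed : 0
"""


def parse_wism_controller_status(text):
    """Turn the 'field : value' lines into a dict keyed by lower-cased field name.

    Whitespace inside field names is collapsed so tab-padded output parses too.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # banner line such as 'WiSM Controller 2 in Slot 3'
        key, _, value = line.partition(":")
        fields[re.sub(r"\s+", " ", key).strip().lower()] = value.strip()
    return fields


def _vlan_set(text):
    return {int(v) for v in text.split(",") if v.strip()}


def controller_problems(fields, service_vlan, native_vlan, allowed_vlans=None):
    """Return the reasons this controller is not ready; empty when it is.

    service_vlan / native_vlan: the values configured on the Supervisor.
    allowed_vlans: the set of VLANs the WiSM actually uses; when given, the
    trunk's allowed list must match it exactly (no extra VLANs leaking in).
    """
    problems = []
    if fields.get("operational status of the controller") != "Oper-Up":
        problems.append("controller is not Oper-Up")
    # Before the setup script runs, the management address is 0.0.0.0 or a
    # 169.254.x.x link-local address; neither is a usable management IP.
    mgmt = ipaddress.IPv4Address(fields.get("management ip address", "0.0.0.0"))
    if mgmt.is_unspecified or mgmt.is_link_local:
        problems.append(f"management interface not configured ({mgmt})")
    if int(fields.get("wcp keep alive missed", "0") or 0) > 0:
        problems.append("supervisor is missing WCP keep-alives from the controller")
    if fields.get("service vlan") != str(service_vlan):
        problems.append(f"service VLAN is {fields.get('service vlan')}, expected {service_vlan}")
    # Trunk fields are only present when the SXF6 wism commands are used.
    native = fields.get("native vlan id")
    if native is not None and native != str(native_vlan):
        problems.append(f"native VLAN is {native}, expected {native_vlan}")
    allowed = fields.get("allowed vlan list")
    if allowed is not None:
        allowed_set = _vlan_set(allowed)
        if native is not None and int(native) not in allowed_set:
            problems.append("native VLAN is not in the allowed VLAN list")
        if allowed_vlans is not None and allowed_set != set(allowed_vlans):
            problems.append(
                f"allowed VLAN list {sorted(allowed_set)} differs from the WiSM VLANs {sorted(allowed_vlans)}"
            )
    return problems


if __name__ == "__main__":
    status = parse_wism_controller_status(SAMPLE_STATUS)
    for problem in controller_problems(status, 192, 40, {30, 40}) or ["controller ready"]:
        print(problem)
```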

Configuring the Cisco WiSM-A

The initial configuration of the Cisco WiSM controller consists of initiating a session from the supervisor. The Cisco WiSM controller is inserted into the appropriate slot and powered up. After the administrator establishes a session with the Cisco WiSM, the basic configuration is completed with the help of the setup script. With the completion of basic configuration, the administrator can configure the Cisco WiSM controller through the console CLI or through the Cisco WiSM controller web-interface. An administrator needs to configure WiSM-A and WiSM-B separately in the Cisco WiSM module, initially from the CLI and then from the web interface. Refer to Configuring Cisco WiSM-B for steps for configuring the WiSM-B.

The system name, Cisco WiSM controller administrative user credentials, the management, the AP manager, virtual interfaces, the mobility group name, one SSID, a RADIUS server, and other options are configured by the setup script. For the management interface, leave the VLAN untagged because it corresponds to the native VLAN on the switch trunk port. For a Cisco WiSM controller, an untagged VLAN is assigned VLAN number 0, which may not correspond to the VLAN number on the switchport. In our example, the switchport's native VLAN is VLAN number 40; but on the Cisco WiSM controller, the management interface is assigned to VLAN 0. In our example, the default values for the other options are accepted.

The syntax of the session command used to access the Cisco WiSM from the supervisor is as follows:

Sup720# session slot <Module #> processor <Proc #>

In this example, the module is installed in slot 3, and processor number one (that is, WiSM-A) is configured first.

Sup720# sess slot 3 proc 1

The default escape character is Ctrl-^ and then x.

You can also type exit at the remote prompt to end the session.

Trying 192.168.10.3 ... Open

(WiSM-slot3-1) 
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
System Name [Cisco_ff:87:23]: 
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (24 characters max): *****
Service Interface IP Address Configuration [none][DHCP]: dhcp
Management Interface IP Address: 40.1.3.10
Management Interface Netmask: 255.255.0.0
Management Interface Default Router: 40.1.1.1
Management Interface VLAN Identifier (0 = untagged): 
Management Interface DHCP Server IP Address: 10.1.1.12
AP Transport Mode [layer2][LAYER3]: layer3
AP Manager Interface IP Address: 40.1.3.2
AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (10.1.1.12): 
Virtual Gateway IP Address: 1.1.1.1
Mobility/RF Group Name: mobile-1
Network Name (SSID): secure-1
Allow Static IP Addresses [YES][no]: no
Configure a RADIUS Server now? [YES][no]: yes
Enter the RADIUS Server's Address: 10.1.1.12
Enter the RADIUS Server's Port [1812]: 
Enter the RADIUS Server's Secret: cisco
Enter Country Code (enter 'help' for a list of countries) [US]: 
Enable 802.11b Network [YES][no]: YES
Enable 802.11a Network [YES][no]: YES
Enable 802.11g Network [YES][no]: YES
Enable Auto-RF [YES][no]: 
Configuration saved!

The following command verifies the status of all of the above interfaces in the Cisco WiSM.

(WiSM-slot3-1) >show interface summary
Interface Name                   Port   Vlan Id    IP Address       Type     Ap Mgr
_______________                  _____  ________   ___________      ____     ______
ap-manager                       LAG    untagged   40.1.3.2         Static   Yes
management                       LAG    untagged   40.1.3.10        Static   No
service-port                     N/A    N/A        192.168.10.3     Static   No
virtual                          N/A    N/A        1.1.1.1          Static   No

After executing the above configuration on the Cisco WiSM, execute the following commands in the Supervisor 720 to verify the status of the controller.

Sup720#show wism status
Service Vlan : 192, Service IP Subnet : 192.168.10.1/255.255.255.0
      WLAN
Slot  Controller  Service IP       Management IP    SW Version  Status
----+-----------+----------------+----------------+-----------+---------------
3     1           192.168.10.3     40.1.3.10        3.2.63.0    Oper-Up
3     2           192.168.10.4     169.254.1.1      3.2.63.0    Oper-Up

Sup720#show wism mod 3 cont 1 status

WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN                         : 192
Service Port                         : 9
Service Port Mac Address             : 0011.92ff.8722
Service IP Address                   : 192.168.10.3
Management IP Address                : 40.1.3.10
Software Version                     : 3.2.63.0
WCP Keep Alive Missed                : 0

Use the web interface for all configuration of the Cisco WiSM from this point forward. Open the controller web interface by opening a web browser and pointing it to the management interface IP address. Only HTTPS is enabled by default. The URL is https://<management_IP>.


Step 1 Create dynamic interfaces for both VLAN 20 and VLAN 30 through the controller web interface. Navigate to Controller > Interfaces and click the New button (see Figure 3).

Figure 3 Controller > Interfaces

Enter an interface name and VLAN tag. Click Apply. Figure 4 illustrates the configuration of the VLAN 30 interface.

Figure 4 Entering an Interface Name and VLAN Tag

Step 2 Enter the appropriate information in the next form and click Apply (see Figure 5). The primary DHCP server parameter is mandatory.

Figure 5 Controller > Interfaces > Edit

Repeat this process for each dynamic interface.

Navigate to WLANs > WLANs > WLANs interface to configure WLANs. The WLAN configured with the setup script secure-1 should be listed (see Figure 6). The WLAN is by default mapped to the management interface and is moved to the VLAN 30 interface in the example.

Step 3 Choose the Edit link (see Figure 6).

Figure 6 Choosing Edit

Step 4 Change the Interface Name parameter to the appropriate VLAN. Other security parameters, such as the appropriate RADIUS server and encryption settings, must also be configured. After the configuration is complete, click Apply (see Figure 7).

Figure 7 Completing the Configuration

Step 5 Add a WLAN for the open SSID by clicking New and completing the configuration form as appropriate.

Configuring Cisco WiSM-B

Establish a session with Cisco WiSM-B from the supervisor and use the initial script to configure the controller.

Sup720# sess slot 3 proc 2

The default escape character is Ctrl-^ and then x. You can also type exit at the remote prompt to end the session.

Trying 192.168.10.4... Open
(WiSM-slot3-2) 
Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
System Name [Cisco_0f:f5:a3]: 
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (24 characters max): *****
Service Interface IP Address Configuration [none][DHCP]: dhcp
Management Interface IP Address: 40.1.3.15
Management Interface Netmask: 255.255.0.0
Management Interface Default Router: 40.1.1.1
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface Port Num [1 to 4]: 1
Management Interface DHCP Server IP Address: 10.1.1.12
AP Transport Mode [layer2][LAYER3]: layer3
AP Manager Interface IP Address: 40.1.3.16
AP-Manager is on Management subnet, using same values
AP Manager Interface DHCP Server (10.1.1.12): 
Virtual Gateway IP Address: 1.1.1.1
Mobility/RF Group Name: mobile-1
Network Name (SSID): secure-1
Allow Static IP Addresses [YES][no]: no
Configure a RADIUS Server now? [YES][no]: yes
Enter the RADIUS Server's Address: 10.1.1.12
Enter the RADIUS Server's Port [1812]: 
Enter the RADIUS Server's Secret: cisco
Enter Country Code (enter 'help' for a list of countries) [US]: 
Enable 802.11b Network [YES][no]: 
Enable 802.11a Network [YES][no]: 
Enable 802.11g Network [YES][no]: 
Enable Auto-RF [YES][no]: 

Configuration saved!

Resetting system with new configuration...

Sup720#show wism status 

Service Vlan : 192, Service IP Subnet : 192.168.10.1/255.255.255.0
      WLAN
Slot  Controller  Service IP       Management IP    SW Version  Status
----+-----------+----------------+----------------+-----------+---------------
3     1           192.168.10.3     40.1.3.10        3.2.63.0    Oper-Up
3     2           192.168.10.4     40.1.3.15        3.2.63.0    Oper-Up

Configuring the RADIUS Server for WPA/WPA-2 Authentication

The Cisco WiSM must be defined on the RADIUS server as an AAA client, which allows the Cisco WiSM to authenticate client credentials against the server's database. Using the Cisco Secure ACS RADIUS server, choose Network Configuration, define the IP address of the Cisco WiSM management interface and the shared RADIUS key, and specify RADIUS (Cisco Aironet) as the authentication type as shown in Figure 8.

Figure 8 Specifying Authentication Type

Make sure the second controller is also added in the ACS server as a separate NAS.

Create some users in the ACS server for initial testing as shown in Figure 9. To configure the Cisco Secure ACS server so that all authentication requests are forwarded to the domain controller or another external database, refer to the Cisco Secure ACS configuration guide.

Figure 9 Creating Users in ACS

Configuring the Infrastructure for Access Point Placement

To make the access points register with the controller, put the access points in the same network as the management interface of the Cisco WiSM, in this case, VLAN 40. The example below shows how to configure one port in the switch where the access point is connected.

Sup720(config)# interface FastEthernet6/5
Sup720(config-if)# switchport 
Sup720(config-if)# switchport access vlan 40
Sup720(config-if)# exit

Create the necessary scope in the DHCP server so that the access points can obtain an IP address before registering with the Cisco WiSM. Similarly, create a scope in the DHCP server for the clients to obtain an IP address after it is authenticated from the AAA server. Figure 10 shows scopes for VLAN 40 (used by access points) and VLAN 30 (used by wireless clients).

Figure 10 Creating a Scope in DHCP

After the access point gets an IP address from the DHCP server, it tries to discover the Cisco WiSM and register with it. To verify that the access points are registered with the Cisco WiSM, enter the show ap summary command on the Cisco WiSM.

(WiSM-slot3-1) > show ap sum

AP Name         Slots  AP Model  Ethernet MAC       Location          Port
__________      _____  ________  _______________    ______________    ____
AP1-cc:50       2      AP1030    00:0b:85:23:cc:50  default_location  29
ap:01:88:e0     2      AP-1200   00:0b:85:01:88:e0  pod3              29

View the detailed configuration of the access point by entering the show ap config general <AP name> command.

(WiSM-slot3-1) > show ap config general AP1-cc:50 

Cisco AP Identifier.............................. 5
Cisco AP Name.................................... AP1-cc:50
AP Regulatory Domain............................. 80211bg: -A 80211a: -A 
Switch Port Number .............................. 29
MAC Address...................................... 00:0b:85:23:cc:50
IP Address Configuration......................... DHCP
IP Address....................................... 40.1.0.14
IP NetMask....................................... 255.255.0.0
Gateway IP Addr.................................. 40.1.1.1
Cisco AP Location................................ default_location
Cisco AP Group Name.............................. 
Primary Cisco Switch............................. 
Secondary Cisco Switch........................... 
Tertiary Cisco Switch............................ 
Administrative State ............................ ADMIN_DISABLED
Operation State ................................. REGISTERED
Mirroring Mode .................................. Disabled
AP Mode ......................................... Local
Remote AP Debug ................................. Disabled
S/W  Version .................................... 3.2.63.0
Boot  Version ................................... 2.1.78.0
Mini IOS Version ................................ --
Stats Reporting Period .......................... 180
LED State........................................ Enabled
ILP Pre Standard Switch.......................... Disabled
ILP Power Injector............................... Disabled
Number Of Slots.................................. 2 
AP Model......................................... AP1030
AP Serial Number................................. WCN0916004Q
AP Certificate Type.............................. Manufacture Installed

Configuring the WCS and Adding the Cisco WiSM

WCS is the management software used to manage WLC devices and provide advanced management tools like wireless coverage display and location-based services. WCS uses SNMP to manage WLC devices, so the WLC devices need to have SNMP configured correctly.


Step 1 Open the WCS web interface using the URL https://<wcs-ip-address>.

In this example, SNMPv2 is used. Configure SNMPv2 through the Cisco WiSM web interface by navigating to Management > SNMP > Communities. The Cisco WiSM defaults are read-only community public and read-write community private (see Figure 11).

Step 2 Add new communities or modify them as necessary. In the example, the defaults are used; in a production deployment, replace the default community strings, because they are widely known and the read-write community permits configuration changes over SNMP.

Figure 11 Adding or Modifying Communities

Step 3 Add Cisco WiSMs to WCS by navigating to Configure > Controllers on the WCS interface. Choose Add controller from the drop-down box on the right-hand side, then click Go (see Figure 12).

Figure 12 Adding Controllers

Step 4 Enter the IP address of the WiSM-A management interface and configure the appropriate SNMP parameters. Click OK. The WCS should find the Cisco WiSM. If the WCS cannot find the Cisco WiSM, verify IP reachability from the WCS to the WLC and the SNMP community configuration (see Figure 13).

Figure 13 Verifying IP Reachability

Step 5 After the first controller is discovered by the WCS, the remaining controllers in the chassis are detected by WCS with the help of the WCP (see Figure 14).

Figure 14 WCS Detecting Controllers

Step 6 Choose controllers to add to the WCS software (see Figure 15).

Figure 15 Choosing Controllers to Add

Step 7 After the controller is successfully added in the WCS software, click the IP address of the controller to see the controller details (see Figure 16).

Figure 16 Controller Details

Step 8 Import a floor plan and place the access points (see Figure 17). Refer to the WCS configuration guide for details on importing floor plans.

Figure 17 Importing a Floor Plan

Step 9 Choose access points to place on the floor map (see Figure 18).

Figure 18 Placing Access Points onto Floorplan

Step 10 After the access points are available for placement, drag and drop them on the appropriate locations on the floor map.

Step 11 Save the location of the access points in the floor map. You can see the coverage area of the access points in Figure 19.

Figure 19 Access Point Coverage Area

Integrating Cisco WiSM and Firewall Service Module

This section includes the following topics:

Firewall Services Module Overview

How the FWSM Works

Firewall and Cisco WiSM Implementation Configuration

Firewall Services Module Overview

The Firewall Services Module (FWSM) is a high-performance, high-speed firewall that can operate up to 5 Gbps. It resides in a single Catalyst 6500 slot and uses VLANs through the backplane to interface with hosts within its domain.

The FWSM supports a maximum of 250 logical (VLAN) interfaces. The FWSM uses VLAN interfaces as its entry and exit points into the networks it serves. The interface schema used is the same as that in the Cisco PIX firewall. Each interface is assigned a security level from 0 to 100, where the lowest security level is 0, and the highest security level is 100. By default, the FWSM has an inside and an outside VLAN interface.

The inside interface has an assigned security level of 100, and the outside interface has an assigned security level of 0. The other logical interfaces that can be created on the FWSM are arbitrarily assigned a security level deemed appropriate by the administrator. These interfaces are often referred to as demilitarized zone (DMZ) interfaces. The definition of what security level is assigned to a particular interface is based on the security policies of that organization.

How the FWSM Works

The main feature of the FWSM architecture is the Adaptive Security Algorithm (ASA). The ASA algorithm establishes some fundamental rules that dictate how the FWSM operates. These rules include the following:

Data flows from one interface to any other interface only if an ACL permits that flow

No data can pass between interfaces with the same security level

No packets can traverse the firewall without a connection and state

Outbound connections are allowed if the access lists permit

Inbound connections are allowed if access lists permit and have either a dynamic or static translation slot. In order to access the servers in the high security network, a static command is used.

TCP sequence numbers are random for the inside hosts

Simple Mail Transfer Protocol (SMTP) FIXUP and TCP intercept functionality are applied only to servers that are in the high security network

The firewall performs the following three levels of processing (see Figure 20):

PC complex

Slow path

Fast path

Figure 20 Firewall Levels of Processing

PC complex is primarily responsible for any L7 processing and associated management tasks such as the following:

Telnet into the FWSM

SSH into the FWSM

Processing SNMP

OSPF route processing

URL and FTP logging

Generating Syslog messages

TFTP configuration

The slow and fast path processing is performed by network processors located on the FWSM. Slow path processing includes ACL route lookups, TCP intercept, session management, port address translation allocations, and more. Fast path processing facilitates support for multimedia protocols such as H.323, Real-Time Streaming Protocol (RTSP), Session Initiation Protocol (SIP), and so on, performing Network Address Translation (NAT), DNS guard, fragmentation and virtual reassembly, session identification, and more.

During normal packet processing, a packet passes over the Catalyst 6500 backplane into the services baseboard where it is presented to the firewall fast path processing. If the fast path does not handle the particular function, it passes the packet to the slow path process and then to the PC complex if the slow path process does not handle the packet.

Firewall and Cisco WiSM Implementation Configuration

The configuration of the Cisco WiSM described in earlier sections is used as the basis of the FWSM integration example that follows. Figure 21 shows the topology that is created as part of this configuration.

Figure 21 Topology

Configuration of the FWSM begins with a properly installed module. The FWSM can be installed in any of the line card slots in any of the current Catalyst 6500 chassis models. Correct installation of the module results in the following output from a show module command.

Sup720#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  3   10  WiSM WLAN Service Module               WS-SVC-WISM-1-K9   SAD092504J8
  4   48  48-port 10/100 mb RJ45                 WS-X6148-45AF      SAL08154UT3
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAL0913827E
  6    6  Firewall Module                        WS-SVC-FWM-1       SAD090100D9

From the CLI output, you can see that the FWSM is installed in slot 6 and has six ports. The six ports mentioned here are not actually external ports but rather logical connections that the module has to the backplane. In fact, these ports are actually the connections between the baseboard and the daughter card.

Before integrating the FWSM with the Cisco WiSM service module, configure the following prerequisites:

Configure the management interface in the controller.

Configure the AP-manager interfaces in the controller.

Configure both the AP-manager and the management interface as part of the same VLAN network. Create an SVI on the MSFC as the default gateway for this VLAN.

Assign the access points an IP address from a DHCP server. It can be either in the same network or across an L3 network using the ip helper-address CLI command.

The access points associate themselves with the controllers when an IP address has been assigned from the DHCP server. The show ap summary command lists these registered LWAPP devices.

The first configuration action assigns VLANs to the FWSM. These VLANs are essentially the firewall interfaces used by the FWSM to interface with the network. VLANs are configured using the VLAN command in the following example:

Cat6506(config)#vlan 30
Cat6506(config-vlan)#vlan 200

The first VLAN command causes the CLI to enter VLAN configuration mode, which is indicated by the config-vlan extension on the CLI prompt. The use of this command does not preclude the creation of the second VLAN at this configuration level.

After creating the VLANs, you must assign (or bind) them to the FWSM using the firewall vlan-group command.

Cat6506(config)#firewall vlan-group 1 30,200

This command configures a firewall VLAN group for the FWSM to manage. In this example, it assigns VLANs 30 and 200 to the VLAN group and gives the group a number (1). This firewall group must now be attached to the FWSM as follows:

Cat6506(config)#firewall module 6 vlan-group 1

The above command associates the firewall VLAN group you created with the earlier command (identified by firewall group 1) with the FWSM in slot 6.

Up to this point, all commands have been entered on the Catalyst 6500 CLI. Use the FWSM CLI to perform the subsequent configuration of policies on the FWSM. The administrator must establish a session with the FWSM using the following command:

Cat6506# session slot 6 processor 1 
User Access Verification
Password: 
Type help or '?' for a list of available commands.
FWSM> 

The session command indicates the module with which you want to establish a session. The processor number at the end of the command should remain as 1. At this stage, you can set up the security policies on your FWSM.

When inside the firewall, configure the VLANs to be used by the firewall along with their IP addresses. The configuration statements are as follows:

FWSM> enable
Password:
FWSM# conf t
FWSM(config)# nameif vlan30 outside security0
FWSM(config)# nameif vlan200 inside security100

The first time you enter enable mode in the FWSM (identified by the FWSM# prompt), the enable password is not set. You must press Enter to enter enable mode. You should set the enable password to better restrict access to this operational mode.

First, use the nameif command to define the VLAN interfaces. Each VLAN is identified with a name (in the above case, inside and outside) and assigned a security level. Security levels are assigned a value from 0 to 100, where 0 is the least secure and 100 is the most secure. These values are arbitrary and can be set to any value by the administrator. Next, assign the newly created interfaces an IP address as follows:

FWSM(config)#ip address outside 10.1.30.10 255.255.255.0
FWSM(config)#ip address inside 200.1.1.1 255.255.255.0

Some additional commands are optional but useful in the ongoing administration of the FWSM. One of these enables ping replies. By default, the FWSM does not respond to pings on any of its interfaces; if the outside or inside interface of the FWSM needs to be pinged, you must enable this on the FWSM. For example, you can enable ping replies on the inside interface (and optionally the outside interface) as follows:

FWSM(config)#icmp permit any inside 
FWSM(config)#icmp permit any outside

Create policies on the firewall using access control lists. In our example, we want to permit traffic from 200.1.1.0 (inside the firewall) to 10.1.30.0 (where the wireless client resides) in the following manner:

FWSM(config)#access-list 101 extended permit tcp 200.1.1.0 255.255.255.0 10.1.30.0 255.255.255.0

As in Cisco IOS software, there is an implicit "deny all" at the end of this access list. You must then apply the access list inbound on the inside interface, where the 200.1.1.0 traffic enters the firewall, as follows:

FWSM(config)#access-group 101 in interface inside

Traffic flows from the wireless domain back to the inside in the following manner:

FWSM(config)#access-list 102 extended permit tcp 10.1.30.0 255.255.255.0 200.1.1.0 255.255.255.0
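To see how the rules listed under "How the FWSM Works" combine with the interfaces and access lists configured above, here is an added walk-through in Python (example code, not Cisco's and not part of this document): it models interface security levels, the inbound ACL check with its implicit deny, the connection-state table and the translation-slot requirement for inbound connections, and replays the page's addresses through it. The `Fwsm` and `Ace` classes and the `statics` list are assumptions of the example, not FWSM objects.

```python
# Added example (not Cisco code): the FWSM Adaptive Security Algorithm rules above, applied to this
# page's setup. `statics` is an assumed stand-in for the static/dynamic translation slots.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Set, Tuple

@dataclass
class Ace:                 # one access-list entry
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (matches any protocol)
    src: IPv4Network
    dst: IPv4Network

@dataclass
class Fwsm:
    security: Dict[str, int]                                           # interface -> security level
    access_groups: Dict[str, List[Ace]] = field(default_factory=dict)  # ACL bound inbound per interface
    statics: List[IPv4Network] = field(default_factory=list)           # hosts with a translation slot
    conns: Set[Tuple[str, IPv4Address, IPv4Address]] = field(default_factory=set)  # (proto, src, dst)

    def acl_permits(self, iface: str, proto: str, src: IPv4Address, dst: IPv4Address) -> bool:
        for ace in self.access_groups.get(iface, []):              # first matching entry wins
            if ace.proto in (proto, "ip") and src in ace.src and dst in ace.dst:
                return ace.action == "permit"
        return False            # implicit deny at the end of every list, and for an unbound interface

    def packet(self, ingress: str, egress: str, proto: str, src: str, dst: str) -> str:
        """Return "permit" or "deny: <rule>" for one packet arriving on ingress, bound for egress."""
        s, d = IPv4Address(src), IPv4Address(dst)
        if (proto, s, d) in self.conns or (proto, d, s) in self.conns:
            return "permit"                          # part of an existing connection and state
        if self.security[ingress] == self.security[egress]:
            return "deny: same security level"
        if not self.acl_permits(ingress, proto, s, d):
            return "deny: no ACL permit (implicit deny)"
        if self.security[ingress] < self.security[egress] and not any(d in n for n in self.statics):
            return "deny: no static/dynamic translation slot"   # inbound connections need a slot
        self.conns.add((proto, s, d))                # new connection; later packets match state
        return "permit"

def walk_through() -> List[str]:
    """Replay traffic through the FWSM as configured on this page (inside 100, outside 0, ACL 101
    bound inbound on inside; ACL 102 defined but not bound), then bind ACL 102 and add a static."""
    fw = Fwsm(security={"inside": 100, "outside": 0}, access_groups={"inside": [
        Ace("permit", "tcp", IPv4Network("200.1.1.0/24"), IPv4Network("10.1.30.0/24"))]})
    out = [fw.packet("inside", "outside", "tcp", "200.1.1.5", "10.1.30.20"),   # ACL 101 permits
           fw.packet("outside", "inside", "tcp", "10.1.30.20", "200.1.1.5"),   # reply matches state
           fw.packet("inside", "outside", "udp", "200.1.1.5", "10.1.30.20"),   # udp: implicit deny
           fw.packet("outside", "inside", "tcp", "10.1.30.20", "200.1.1.9")]   # new inbound: no ACL
    fw.access_groups["outside"] = [Ace("permit", "tcp", IPv4Network("10.1.30.0/24"), IPv4Network("200.1.1.0/24"))]
    out.append(fw.packet("outside", "inside", "tcp", "10.1.30.20", "200.1.1.9"))  # ACL ok, no slot
    fw.statics.append(IPv4Network("200.1.1.9/32"))                               # constructed static
    out.append(fw.packet("outside", "inside", "tcp", "10.1.30.20", "200.1.1.9"))  # now permitted
    return out
```

The replay shows why binding ACL 102 on its own does not open the inside servers to the wireless subnet: new inbound connections also need a translation slot, while replies to outbound connections pass on state alone.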

Now, create a VRF instance as follows. This is the first step towards configuring the VRF on the tunnel interface.

c6506(config)#ip vrf wism-fwsm
c6506(config-vrf)#rd 1:100
c6506(config-vrf)#route-target export 1:100