Thursday, March 27, 2014

Cisco ASA 5500 Caractéristiques

Les appliances de sécurité adaptables de Pare-feu Cisco ASA5500 associent sécurité de pointe et services VPN dans une architecture de services innovante et évolutive. Ces appliances assurent une protection proactive contre les menaces en bloquant les attaques avant qu'elles n'aient le temps de se répandre sur le réseau. Elles contrôlent également l'activité réseau et le trafic des applications tout en offrant une connectivité VPN extrêmement flexible.
Cisco ASA 5505 k9
Cisco ASA 5500 Caractéristiques
Sécurité personnalisée selon les besoins d'accès et les stratégies d'entreprise spécifiques
Grande flexibilité pour l'ajout de fonctionnalités ou la mise à niveau d'un périphérique vers un autre
Sécurité avancée grâce aux technologies les plus récentes en matière de sécurité de contenu, de cryptage, d'authentification, d'autorisation et de prévention des intrusions
Grande simplicité grâce à une installation, une gestion et un contrôle aisés de chaque périphérique
Fonctionnalités réseau avancées grâce à des réseaux VPN offrant aux travailleurs mobiles et distants un accès hautement sécurisé aux ressources de l'entreprise ; ou grâce à la possibilité d'établir des connexions VPN entre partenaires, bureaux ou employés en fonction de leur rôle
Technologies à fonctionnalités étendues et hautes performances en termes de pare-feu, de prévention des intrusions, de sécurité de contenu et de VPN SSL/IPsec, assurant une sécurité robuste des applications, un contrôle d'accès basé sur les applications et les utilisateurs, une réduction des risques d'infection par virus ou vers, une protection contre les logiciels malveillants, un filtrage du contenu et une connectivité étendue entre utilisateurs et sites distants
Technologie de pare-feu permettant au flux des activités légitimes de l'entreprise de circuler, tout en bloquant l'accès des visiteurs indésirables et en empêchant tout accès non autorisé aux applications et aux informations
Technologie de protection contre les virus et les logiciels espions permettant de protéger les ressources réseau internes des attaques virales et de réduire les coûts liés au nettoyage des contaminations dues aux logiciels espions, virus et autres logiciels malveillants
Blocage efficace du courrier indésirable grâce à un très faible taux de faux positifs qui permet de retrouver une efficacité optimale en termes de messagerie et d'améliorer la productivité des employés
Capacités VPN pour un accès à distance et de site à site aux services et systèmes réseau internes

ASDM (Cisco Adaptive Security Device Manager) pour une configuration et une surveillance complètes de tous les services via une application unique grâce à une interface Web de gestion à la fois puissante et simple d'utilisation
Posted by at No comments:
Labels: , , , , , , ,

Wednesday, March 26, 2014

Fonctions de routeur Cisco 2900

Développés pour les petites et moyennes entreprises dont l'activité repose sur les nouvelles technologies et qui recherchent des solutions de connectivité fiables, hautement sécurisées et hautes performances, les Cisco routeur 2900 à services intégrés offrent une expérience client exceptionnelle qui révolutionne l'espace de travail grâce à leur ensemble complet de services intégrés, leur prise en charge multimédia et leur excellence opérationnelle.
Cisco 2900,3900 Tableau comparatif des fonctionnalités
De plus, une nouvelle image universelle logicielle Cisco IOS et un nouveau module Services Ready Engine vous permettent de découpler le déploiement de matériels et de logiciels, fournissant ainsi une base technologique stable qui peut s'adapter rapidement à l'évolution des exigences réseau. La réflexion du marché de Cisco 2900 série , nous sommes clairement que les modèles de Cisco 2900 Série sont requis par les clients de Cisco, tels que Cisco 2951/K9, Cisco 2911/K9, Cisco 2921/K9, Cisco 2901/K9.
Cisco 2901 k9
Caractéristiques
Architecture modulaire avec plusieurs logements de modules offrant de nombreuses options de connectivité et de services pour des niveaux accrus d'intégration de services avec données, sécurité, communication sans fil et mobilité
Accélération matérielle IPsec/VPN SSL intégrée offrant une évolutivité et des performances accrues avec sécurité de la liaison WAN et services VPN
Logements de modules de service permettant de doubler les capacités d'alimentation par rapport aux logements de modules réseau, et offrant la souplesse requise pour des modules de taille et de performances supérieures
Carte d'interface WAN haut débit optimisée (EHWIC) avec prise en charge des cartes d'interface voix et WAN
Logement ISM (Internal Services Module) pour une grande souplesse d'intégration de modules de services intelligents ne requérant aucun port d'interface.
Image logicielle Cisco IOS universelle contenant tous les ensembles de technologies et permettant aux TPE-PME le déploiement rapide de fonctionnalités avancées sans téléchargement d'une nouvelle image logicielle
Progiciel de technologies Cisco IOS Software Security offrant un large éventail de fonctionnalités de sécurité courantes, telles que l'inspection et le contrôle avancés des applications, la protection contre les menaces ainsi que des architectures de cryptage permettant une plus grande évolutivité et une meilleure gestion des réseaux VPN
Un nouveau port de console mini USB type B innovant prend en charge la connectivité de gestion lorsque les ports série traditionnels ne sont pas disponibles
Logements de modules de DSP voix par paquets de haute densité (PVDM3) Cisco sur carte mère, offrant une prise en charge d'une densité accrue pour la voix et la vidéo multimédia
Alimentation en ligne intégrée en option (PoE compatible 802.3af) pour les modules de commutation intégrés
Bloc d'alimentation redondant externe en option permettant de réduire les périodes d'indisponibilité du réseau et de le protéger des pannes d'alimentation
Posted by at No comments:
Labels: , , , , , , , ,

Tuesday, November 12, 2013

How to Configure Cisco 3850 Switches?

In this converged access product platform, you should have some familiarity with the new Cisco 3850 switch, especially the answer for “how to configure a Cisco 3850 switch for basic wireless connectivity?” Now, let’s share the 5 key points of using 3850 as WLC firstly.
1. Attach your access points directly to your 3850 switches (every wiring closet you should have this in order to all building AP to be connect to this new environment)
2. Wireless management vlan & AP management vlan should be identical. (If you configure vlan 20 as wireless management in 3850 switch all your APs connected to this switch should be on access vlan 20.)
3. Enable Mobility Controller (MC) functionality to terminate CAP/WAP (or register AP). By default, when you enable wireless management, switch will act as Mobility Agent (MA) & not able to terminate CAP/WAP.
4. “ipbase” or “ipservices” feature set to be there for CAP/WAP termination.”lanbase” cannot be used.
5. Given 3850 switch stack can support maximum 50 APs.
Catalyst 3850 switch (the picture is from Cisco.com)
In the following example, we will have two 3850 switches stacked together. (We will have latest software code- IOS-XE 3.2.3SE on this switch. Then let’s get down to business:
New image to flash of Cisco 3850 switch:

3850-1#copy tftp://192.168.20.51/firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin flash:
Destination filename [cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin]?
Accessing tftp://192.168.20.51/firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin...
Loading firmware/cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin from 192.168.20.51 (via Vlan999):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!
[OK - 223743040 bytes]

 There are two modes called "INSTALL" & "BUNDLE" available in these new switches. If you want to boot in "INSTALL" mode you have to copy the image onto flash first. In "BUNDLE" mode, you can keep the image on TFTP & boot if required. But in BUNDLE mode switch require more memory to do this function, meanwhile, the preferred method is doing it via "INSTALL" mode.
You can use "software install file <file_location>“command to install new software onto your switch. At the end it will prompt to reload the switch as shown below:

3850-1#software install file flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
Preparing install operation...
[1]: Copying software from active switch 1 to switch 2
[1]: Finished copying software to switch 2
[1 2]: Starting install operation
[1 2]: Expanding bundle flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
[1 2]: Copying package files
[1 2]: Package files copied
[1 2]: Finished expanding bundle flash:cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
[1 2]: Verifying and copying expanded package files to flash:
[1 2]: Verified and copied expanded package files to flash:
[1 2]: Starting compatibility checks
[1 2]: Finished compatibility checks
[1 2]: Starting application pre-installation processing
[1 2]: Finished application pre-installation processing
[1]: Old files list:
 Removed cat3k_caa-base.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-infra.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 Removed cat3k_caa-platform.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-wcm.SPA.10.0.111.0.pkg
[2]: Old files list:
 Removed cat3k_caa-base.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-infra.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 Removed cat3k_caa-platform.SPA.03.02.02.SE.pkg
 Removed cat3k_caa-wcm.SPA.10.0.111.0.pkg
[1]: New files list:
 Added cat3k_caa-base.SPA.03.02.03.SE.pkg
 Added cat3k_caa-drivers.SPA.03.02.03.SE.pkg
 Added cat3k_caa-infra.SPA.03.02.03.SE.pkg
 Added cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
 Added cat3k_caa-platform.SPA.03.02.03.SE.pkg
 Added cat3k_caa-wcm.SPA.10.0.120.0.pkg
[2]: New files list:
 Added cat3k_caa-base.SPA.03.02.03.SE.pkg
 Added cat3k_caa-drivers.SPA.03.02.03.SE.pkg
 Added cat3k_caa-infra.SPA.03.02.03.SE.pkg
 Added cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
 Added cat3k_caa-platform.SPA.03.02.03.SE.pkg
 Added cat3k_caa-wcm.SPA.10.0.120.0.pkg
[1 2]: Creating pending provisioning file
[1 2]: Finished installing software. New software will load on reboot.
[1 2]: Committing provisioning file
[1 2]: Do you want to proceed with reload? [yes/no]: yes
[2]: Reloading
[1]: Pausing before reload

Now look at your flash directory, there could be multiple versions of the .conf files & .pkg files depending on the number of images came with your switch and the frequency you upgraded the switch. You can clean this directory using “software clean” command which will result deleting all unwanted file from your directory. In this way you will only keep 3.2.3SE related files on your flash.

3850-1#dir
Directory of flash:/
85193 -rw- 2097152 Sep 28 2013 14:28:26 +10:00 nvram_config
85187 -rw- 74410468 Jan 1 1970 11:01:11 +11:00 cat3k_caa-base.SPA.03.02.00SE.pkg
85188 -rw- 2773680 Jan 1 1970 11:01:12 +11:00 cat3k_caa-drivers.SPA.03.02.00.SE.pkg
85189 -rw- 32478044 Jan 1 1970 11:01:12 +11:00 cat3k_caa-infra.SPA.03.02.00SE.pkg
85190 -rw- 30393116 Jan 1 1970 11:01:12 +11:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg
85191 -rw- 18313952 Jan 1 1970 11:01:12 +11:00 cat3k_caa-platform.SPA.03.02.00.SE.pkg
85192 -rw- 63402700 Jan 1 1970 11:01:12 +11:00 cat3k_caa-wcm.SPA.10.0.100.0.pkg
85199 -rw- 1224 Sep 28 2013 14:19:19 +10:00 packages.conf
85196 -rw- 8916 Sep 26 2013 15:59:58 +10:00 vlan.dat
85195 -rw- 114 Jun 6 2013 08:31:45 +10:00 express_setup.debug
85194 -rw- 1224 Sep 25 2013 02:20:20 +10:00 packages.conf.00-
 7750 -rw- 74369252 Sep 25 2013 02:20:16 +10:00 cat3k_caa-base.SPA.03.02.02.SE.pkg
 7751 -rw- 5808828 Sep 25 2013 02:20:16 +10:00 cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 7752 -rw- 32488292 Sep 25 2013 02:20:16 +10:00 cat3k_caa-infra.SPA.03.02.02.SE.pkg
 7753 -rw- 30403764 Sep 25 2013 02:20:16 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 7754 -rw- 16079584 Sep 25 2013 02:20:16 +10:00 cat3k_caa-platform.SPA.03.02.02.SE.pkg
 7755 -rw- 64580300 Sep 25 2013 02:20:17 +10:00 cat3k_caa-wcm.SPA.10.0.111.0.pkg
85186 -rw- 223743040 Sep 28 2013 13:30:24 +10:00 cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
85198 -rw- 1218 Jan 1 1970 11:01:22 +11:00 packages.conf.01-
30979 -rw- 74369716 Sep 28 2013 14:19:15 +10:00 cat3k_caa-base.SPA.03.02.03.SE.pkg
30980 -rw- 5808828 Sep 28 2013 14:19:15 +10:00 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
30981 -rw- 32496484 Sep 28 2013 14:19:15 +10:00 cat3k_caa-infra.SPA.03.02.03.SE.pkg
30982 -rw- 30418104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
30983 -rw- 16059104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-platform.SPA.03.02.03.SE.pkg
30984 -rw- 64586444 Sep 28 2013 14:19:15 +10:00 cat3k_caa-wcm.SPA.10.0.120.0.pkg
1621966848 bytes total (723390464 bytes free)

3850-1#software clean
Preparing clean operation...
[1 2]: Cleaning up unnecessary package files
[1 2]: No path specified, will use booted path flash:packages.conf
[1 2]: Cleaning flash:
[1]: Preparing packages list to delete ...
 cat3k_caa-base.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-infra.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
 File is in use, will not delete.
 cat3k_caa-platform.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-wcm.SPA.10.0.120.0.pkg
 File is in use, will not delete.
 packages.conf
 File is in use, will not delete.
[2]: Preparing packages list to delete ...
 cat3k_caa-base.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-infra.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
 File is in use, will not delete.
 cat3k_caa-platform.SPA.03.02.03.SE.pkg
 File is in use, will not delete.
 cat3k_caa-wcm.SPA.10.0.120.0.pkg
 File is in use, will not delete.
 packages.conf
 File is in use, will not delete.
[1]: Files that will be deleted:
 cat3k_caa-base.SPA.03.02.00SE.pkg
 cat3k_caa-base.SPA.03.02.02.SE.pkg
 cat3k_caa-drivers.SPA.03.02.00.SE.pkg
 cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 cat3k_caa-infra.SPA.03.02.00SE.pkg
 cat3k_caa-infra.SPA.03.02.02.SE.pkg
 cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg
 cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 cat3k_caa-platform.SPA.03.02.00.SE.pkg
 cat3k_caa-platform.SPA.03.02.02.SE.pkg
 cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
 cat3k_caa-wcm.SPA.10.0.100.0.pkg
 cat3k_caa-wcm.SPA.10.0.111.0.pkg
 packages.conf.00-
 packages.conf.01-
[2]: Files that will be deleted:
 cat3k_caa-base.SPA.03.02.00SE.pkg
 cat3k_caa-base.SPA.03.02.02.SE.pkg
 cat3k_caa-drivers.SPA.03.02.00.SE.pkg
 cat3k_caa-drivers.SPA.03.02.02.SE.pkg
 cat3k_caa-infra.SPA.03.02.00SE.pkg
 cat3k_caa-infra.SPA.03.02.02.SE.pkg
 cat3k_caa-iosd-universalk9.SPA.150-1.EX.pkg
 cat3k_caa-iosd-universalk9.SPA.150-1.EX2.pkg
 cat3k_caa-platform.SPA.03.02.00.SE.pkg
 cat3k_caa-platform.SPA.03.02.02.SE.pkg
 cat3k_caa-universalk9.SPA.03.02.03.SE.150-1.EX3.bin
 cat3k_caa-wcm.SPA.10.0.100.0.pkg
 cat3k_caa-wcm.SPA.10.0.111.0.pkg
 packages.conf.00-
 packages.conf.01-
[1 2]: Do you want to proceed with the deletion? [yes/no]: yes
[1 2]: Clean up completed

3850-1#dir
Directory of flash:/
85193 -rw- 2097152 Sep 28 2013 14:28:26 +10:00 nvram_config
85199 -rw- 1224 Sep 28 2013 14:19:19 +10:00 packages.conf
85196 -rw- 8916 Sep 26 2013 15:59:58 +10:00 vlan.dat
85195 -rw- 114 Jun 6 2013 08:31:45 +10:00 express_setup.debug
30979 -rw- 74369716 Sep 28 2013 14:19:15 +10:00 cat3k_caa-base.SPA.03.02.03.SE.pkg
30980 -rw- 5808828 Sep 28 2013 14:19:15 +10:00 cat3k_caa-drivers.SPA.03.02.03.SE.pkg
30981 -rw- 32496484 Sep 28 2013 14:19:15 +10:00 cat3k_caa-infra.SPA.03.02.03.SE.pkg
30982 -rw- 30418104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-iosd-universalk9.SPA.150-1.EX3.pkg
30983 -rw- 16059104 Sep 28 2013 14:19:15 +10:00 cat3k_caa-platform.SPA.03.02.03.SE.pkg
30984 -rw- 64586444 Sep 28 2013 14:19:15 +10:00 cat3k_caa-wcm.SPA.10.0.120.0.pkg
1621966848 bytes total (1393401856 bytes free)

In this step, you can verify switch is having upgraded image in each member of the switch stack.
3850-1#sh ver | be SW

Switch Ports Model              SW Version        SW Image              Mode  
------ ----- -----              ----------        ----------            ----  
     1 56    WS-C3850-48P       03.02.03.SE       cat3k_caa-universalk9 INSTALL
     2 56    WS-C3850-48P       03.02.03.SE       cat3k_caa-universalk9 INSTALL

You can verify boot configuration of your switch using "show boot" CLI command. As you can see "packages.conf" file is the boot loading file used in the booting process. If this file not exists or corrupted, the switch will go onto ROMMON mode."

3850-1#sh boot
---------------------------
Switch 1
---------------------------
Current Boot Variables:
BOOT variable = flash:packages.conf;

Boot Variables on next reload:
BOOT variable = flash:packages.conf;
Manual Boot = no
Enable Break = no

You can access wireless controller GUI using https://<switch-ipaddress>/wireless URL.
Cisco 3850 switch configuration example

It is different when compare to CUWN controllers (5508,2504, etc). Let's see how we can configure the wireless controller config on this switch. First of all you need to ensure you have the correct license to start with.

3850-1#show license right-to-use?
 default Displays the default license information.
 detail Displays details of all the licenses in the stack.
 eula Displays the EULA text.
 mismatch Displays mismatch license information.
 slot Specify switch number
 summary Displays consolidated stack wide license information.
 usage Displays the usage details of all licenses.
 | Output modifiers
 <cr>

3850-1#show license right-to-use summary
License Name Type Count Period left
-----------------------------------------------
 lanbase permanent N/A Lifetime
 apcount base 0 Lifetime
 apcount adder 0 Lifetime
 --------------------------------------------
 License Level In Use: ipbase
 License Level on Reboot: ipbase
 Evaluation AP-Count: Disabled
 Total AP Count Licenses: 0
 AP Count Licenses In-use: 0
 AP Count Licenses Remaining: 0

In Converged Access architecture, 3850 can act as Mobility Agent (MA) or Mobility Controller (MC). By default it is a MA. Normally AP license should be on a MC where CAP/WAP tunnels from AP get terminated. In this case we have only 3850 switch for everything (MC & MA) so you have to install AP license onto this switch. Remember that maximum 50 APs can be supported by a 3850 switch stack. In our case we will configure 25 licenses each for the first two members of stack & all APs to be terminated in these two switches (max 25 in each member).

3850-1#license right-to-use?
 activate activate particular license level
 deactivate deactivate particular license level

3850-1#license right-to-use activate?
 apcount configure the AP-count licenses on the switch
 ipbase activate ipbase license on the switch
 ipservices activate Ipservices license on the switch
 lanbase activate lanbase license on the switch

3850-1#license right-to-use activate apcount?
 <1-50> configure the number of adder licenses
 evaluation activate evaluation license

3850-1#license right-to-use activate apcount 50?
 slot Specify switch number

3850-1#license right-to-use activate apcount 50 slot?
 <1-9> Specify switch number

3850-1#license right-to-use activate apcount 50 slot 1?
 acceptEULA automatically accept the EULA for the given license
 <cr>

3850-1#license right-to-use activate apcount 50 slot 1 acceptEULA
3850-1#license right-to-use activate apcount 50 slot 2 acceptEULA
% switch-2:stack-mgr:ACTIVATION FAIL : Total AP Count Licenses exceed maximum limit
!
3850-1#license right-to-use deactivate apcount 25 slot 1
3850-1#license right-to-use activate apcount 25 slot 2 acceptEULA

You have to enable the MC functionality of 3850 by using the "wireless mobility controller" CLI command as shown below.
3850-1(config)#wireless mobility ?
 controller Configures mobility controller settings
 dscp Configures the Mobility inter controller DSCP value
 group Configures the Mobility group parameters
 load-balance Configure mobility load-balance status
 multicast Configures the Multicast Mode for mobility messages
 oracle Configures mobility oracle settings

3850-1(config)#wireless mobility controller ?
 ip no description
 peer-group Configures mobility peer groups
 <cr>
3850-1(config)#wireless mobility controller

Now we are one step away to register our AP. To register AP you should nominate an interface as wireless management interface. You have to remember that all your AP should be configured with same vlan access port where you configured for wireless management, otherwise AP won’t join. In our case we will use vlan21 as wireless management interface & configure switch port connected to AP in vlan 21.

interface Vlan21
 ip address 192.168.21.1 255.255.255.0
!
wireless management interface Vlan21
!
interface GigabitEthernet1/0/1
switchport access vlan 21
switchport mode access
spanning-tree portfast

Now if you type "show ap summary" you would see your AP get registered to your 3850 WLC.

3850-1#show ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name                           AP Model  Ethernet MAC    Radio MAC       State        
----------------------------------------------------------------------------------------
bc16.6516.790e                    3602I     bc16.6516.790e  f41f.c298.c2a0  Registered

You can change any AP specific configuration by using "ap name <AP-NAME> x" CLI commands. Following are the all options available. we will change the name as example.

5508-1#ap name bc16.6516.790e?
  ap-groupname      Set groupname
  bhrate            Bridge Backhaul Tx Rate
  bridgegroupname   Set bridgegroupname
  bridging          Enable Ethernet-to-Ethernet bridging
  capwap            AP Capwap parameters
  command           Remote execute a command on Cisco AP
  console-redirect  Enable redirecting remote debug output of Cisco AP to
                    console
  core-dump         Enable memory core dump on Cisco AP
  country           Configure the country of operation
  crash-file        Manage crash data and radio core files for Cisco AP
  dot11             Configures 802.11 parameters
  dot1x-user        Enable the 802.1X credential for the current AP
  ethernet          Configure Ethernet Port of the AP
  image             Configure image
  led               Enable LED-state for Cisco AP
  link-encryption   Enable link encryption state on Cisco AP
  link-latency      Enable Link Latency on Cisco AP
  location          Configure AP location
  mfp               Enable Management Frame Protection
  mgmtuser          Configures user name, password and secret for AP management
  mode              Select AP mode of operation
  monitor-mode      Monitor-mode channel optimization
  name              Configure AP name
  no                Negate a command or set its defaults
  power             Configure Cisco Power over Ethernet (PoE) feature for AP
  reset             Reset AP
  reset-button      Disable or enable reset button on AP
  shutdown          Disable AP
  slot              Set slot number
  sniff             Enable sniffing on dot11a/b radio
  ssh               Enable SSH
  static-ip         Set Cisco AP static IP address configuration
  stats-timer       Set the frequency at which statistics are sent from AP
  syslog            Set the system logging settings for Cisco AP
  tcp-adjust-mss    TCP MSS configuration for an AP
  telnet            Enable telnet for Cisco AP
  tftp-downgrade    Initiate AP image downgrade from a TFTP server

5508-1#ap name bc16.6516.790e name L3600-1

5508-1#show ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured

AP Name                           AP Model  Ethernet MAC    Radio MAC       State        
----------------------------------------------------------------------------------------
L3600-1                           3602I     bc16.6516.790e  f41f.c298.c2a0  Registered

You can use "show ap name <AP_NAME> x" CLI commands to view specific AP configurations.
name L3600-1 ?                   
  auto-rf          Auto-RF information for a Cisco AP
  bhmode           Show Cisco Bridge Backhaul Mode
  bhrate           Show Cisco Bridge Backhaul Rate
  cac              Display Call Admission Control details
  capwap           AP Capwap parameters
  ccx              Shows ccx related information
  cdp              Shows Cisco AP cdp information
  channel          Shows the channel information of an Cisco AP
  config           Shows the configuration of an Cisco AP
  core-dump        Shows the AP memory core dump setting for an Cisco AP
  data-plane       Show data plane status
  dot11            Show 802.11 parameters
  ethernet         Shows ethernet information
  eventlog         Downloads and displays the event log of a Cisco AP
  image            Shows the images present on a Cisco AP
  inventory        Displays the inventory of a Cisco AP
  link-encryption  Show link encryption status
  service-policy   Show service policy information
  tcp-adjust-mss   Show tcp-adjust-mss  for an AP
  wlan             Show BSSIDs for each AP

5508-1#show ap name L3600-1 config general
Cisco AP Name                                   : L3600-1
Cisco AP Identifier                             : 3
Country Code                                    : AU  - Australia
Regulatory Domain Allowed by Country            : 802.11bg:-A     802.11a:-N
AP Country Code                                 : AU  - Australia
AP Regulatory Domain                            : Unconfigured
Switch Port Number                              : Gi1/0/1
MAC Address                                     : bc16.6516.790e
IP Address Configuration                        : DHCP
IP Address                                      : 192.168.21.53
IP Netmask                                      : 255.255.255.0
Gateway IP Address                              : 192.168.21.254
CAPWAP Path MTU                                 : 1500
Telnet State                                    : Disabled
SSH State                                       : Disabled
Cisco AP Location                               : default location
Cisco AP Group Name                             : default-group
Administrative State                            : Enabled
Operation State                                 : Registered
AP Mode                                         : Local
AP Submode                                      : Not Configured
Remote AP Debug                                 : Disabled
Logging Trap Severity Level                     : informational
Software Version                                : 10.0.101.0
Boot Version                                    : 15.2.2.4
Stats Reporting Period                          : 180
LED State                                       : Enabled
PoE Pre-Standard Switch                         : Disabled
PoE Power Injector MAC Address                  : Disabled
Power Type/Mode                                 : Power Injector/Normal Mode
Number of Slots                                 : 2
AP Model                                        : 3602I
AP Image                                        : C3600-K9W8-M
IOS Version                                     : 15.2(2)JN$
Reset Button                                    : Enabled
AP Serial Number                                : FGL1721X3K5
AP Certificate Type                             : Manufacture Installed
Management Frame Protection Validation          : Disabled
AP User Mode                                    : Automatic
AP User Name                                    : Not Configured
AP 802.1X User Mode                             : Not Configured
AP 802.1X User Name                             : Not Configured
Cisco AP System Logging Host                    : 255.255.255.255
AP Up Time                                      : 3 days 20 hours 14 minutes 26 seconds
AP CAPWAP Up Time                               : 3 days 20 hours 12 minutes 57 seconds
Join Date and Time                              : 09/24/2013 19:01:11

If you want to configure global settings for all APs then you have to go for the configuration mode & then use "ap x " CLI command as shown below. We will change Country code as example. You can add upto 20 country codes if you have AP in multiple countries.

3850-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
3850-1(config)#ap ?
  auth-list         Configure Access Point authorization list
  bridging          Enable/Disable Ethernet-to-Ethernet bridging on all Cisco APs
  capwap            ap capwap parameters
  cdp               Enable/Disable CDP for all Cisco APs
  core-dump         Enable/Disable memory core dump on all Cisco APs
  country           Configure the country of operation
  dot11             Configures 802.11 parameters
  dot1x             Configure the 802.1X credential for all APs
  ethernet          Configure Ethernet Port on all Cisco APs
  group             Manage AP Groups VLAN feature
  led               Enable/Disable LED-state for all Cisco APs
  link-encryption   Enable link encryption state on all Cisco AP's
  link-latency      Enable Link Latency on all Cisco AP's
  mgmtuser          Configure the user for AP management
  power             Configure Cisco Power over Ethernet (PoE) feature for all AP's
  reporting-period  Configure AP rogue/error reporting period
  reset-button      Enable/Disable reset button for all Cisco APs
  static-ip         Set Cisco AP static IP address configuration
  syslog            Configure the system logging settings for Cisco AP
  tcp-adjust-mss    Enable/Disable TCP MSS configuration for all Cisco APs
  tftp-downgrade    Initiate AP image downgrade from a TFTP server for all Cisco APs

3850-1(config)#ap country ?
  WORD  Enter the country code (e.g. US,MX,IN) upto a maximum of 20 countries

3850-1(config)#ap country AU
Changing country code could reset channel and RRM grouping configuration. If running in RRM One-Time mode, reassign channels after this command. Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
3850-1(config)#

Next we will configure a WLAN.

5508-1(config)#wlan ?
  WORD      Enter Profile Name up to 32 alphanumeric characters
  shutdown  Enable/disable all WLANs

5508-1(config)#wlan MRN-CCIEW ?
  <1-64>  Create WLAN Identifier
  <cr>

5508-1(config)#wlan MRN-CCIEW 1 ?
  WORD  Enter SSID (Network Name) up to 32 alphanumeric characters
  <cr>

5508-1(config)#wlan MRN-CCIEW 1 MRN-CCIEW
5508-1(config-wlan)#no shutdown

You can verify WLAN configuration in your “show running-config all” output.
5508-1#show running-config all | section wlan
wlan MRN-CCIEW 1 MRN-CCIEW
 accounting-list
 channel-scan defer-time 100
 client association limit 0
 client vlan default
 dtim dot11 24ghz 1
 dtim dot11 5ghz 1
 exclusionlist timeout 60
 ip access-group web none
 ip access-group none
 ip dhcp server 0.0.0.0
 ipv6 traffic-filter web none
 ipv6 traffic-filter none
 mac-filtering
 radio all
 security dot1x authentication-list
 security dot1x encryption 104
 security static-wep-key authentication open
 security tkip hold-down 60
 security web-auth authentication-list
 security web-auth parameter-map
 service-policy client input unknown
 service-policy client output unknown
 service-policy input unknown
 service-policy output unknown
 session-timeout 1800
 no shutdown

You can configure any WLAN specific configs as shown below. You have to shutdown the WLAN before make any changes.
5508-1(config)#wlan MRN-CCIEW 1 MRN-CCIEW
5508-1(config-wlan)#?
  aaa-override         AAA policy override
  accounting-list      Set the accounting list for IEEE 802.1x
  band-select          Allow|Disallow Band Select on a WLAN.
  broadcast-ssid       Set broadcast SSID on a WLAN
  call-snoop           Call Snooping support
  ccx                  Configure Cisco Client Extension options
  channel-scan         Configures off channel scanning deferral parameters
  chd                  Set CHD per WLAN
  client               WLAN configuration for clients
  datalink             WLAN Datalink commands
  default              Set a command to its defaults
  diag-channel         Set Diagnostics Channel Capability on a WLAN
  dtim                 Set the DTIM period for the WLAN
  exclusionlist        Set exclusion-listing on WLAN
  exit                 Exit sub-mode
  ip                   WLAN IP configuration commands
  ipv6                 IPv6 WLAN subcommands
  load-balance         Allow|Disallow Load Balance on a WLAN.
  local-auth           Set the EAP Profile on a WLAN
  mac-filtering        Set MAC filtering support on WLAN
  media-stream         Configures media stream
  mfp                  Configures Management Frame Protection
  mobility             Configure mobility
  nac                  Configures Radius NAC support(Identity Service Engine).
  no                   Negate a command or set its defaults
  passive-client       Configures passive client feature
  peer-blocking        Configure peer-to-peer blocking on a WLAN
  radio                Configures the Radio Policy
  roamed-voice-client  Configure Roaming Attrbutes for Voice Clients
  security             Configures the security policy for a WLAN
  service-policy       Configure WLAN QOS Service Policy
  session-timeout      Configures client timeout
  shutdown             Disable WLAN
  sip-cac              Configure Wlan Sip-Cac attributes
  static-ip            Configures static IP client tunneling support on a WLAN.
  uapsd                Configure WMM UAPSD attributes for Wlan
  wgb                  Configures WGB support on the WLAN
  wmm                  Configures WMM (WME)

5508-1(config-wlan)#client vlan 51
% switch-1:wcm:Request failed - WLAN in the enabled state.

5508-1(config-wlan)#shut
5508-1(config-wlan)#client vlan 51

5508-1(config-wlan)#radio ?
  all      Enable all available radios
  dot11a   Enable 802.11a radio only
  dot11ag  Enable 802.11 a and g radios
  dot11bg  Enable 802.11b and g radios
  dot11g   Enable 802.11g radio only

5508-1(config-wlan)#radio dot11a

5508-1(config-wlan)#wmm ?
  allowed  Allows WMM on the WLAN
  require  Requires WMM enabled clients on the WLAN

5508-1(config-wlan)#wmm require

5508-1(config-wlan)#ip ?
  access-group  Specify WLAN ACL
  dhcp          Configure DHCP parameters for WLAN
  flow          Flexible Netflow commands
  multicast     Configure multicast
  verify        verify

5508-1(config-wlan)#ip dhcp ?
  opt82     Set DHCP option 82 for wireless clients on this WLAN
  required  Specify whether DHCP address assignment is required
  server    Configures the WLAN's IPv4 DHCP Server

5508-1(config-wlan)#ip dhcp server 192.168.51.1

5508-1(config-wlan)#no shut

You can verify WLAN settings “show wlan id <WLAN_ID>” CLI command as shown below.

5508-1#show wlan id 1
WLAN Profile Name     : MRN-CCIEW
================================================
Identifier                                     : 1
Network Name (SSID)                            : MRN-CCIEW
Status                                         : Enabled
Broadcast SSID                                 : Enabled
Maximum number of Associated Clients           : 0
AAA Policy Override                            : Disabled
Network Admission Control
  NAC-State                                    : Disabled
Number of Active Clients                       : 0
Exclusionlist Timeout                          : 60
Session Timeout                                : 1800 seconds
CHD per WLAN                                   : Enabled
Webauth DHCP exclusion                         : Disabled
Interface                                      : 51
Interface Status                               : Unconfigured
Multicast Interface                            : Unconfigured
WLAN IPv4 ACL                                  : unconfigured
WLAN IPv6 ACL                                  : unconfigured
DHCP Server                                    : 192.168.51.1
DHCP Address Assignment Required               : Disabled
DHCP Option 82                                 : Disabled
DHCP Option 82 Format                          : ap-mac
DHCP Option 82 Ascii Mode                      : Disabled
DHCP Option 82 Rid Mode                        : Disabled
QoS Service Policy - Input
  Policy Name                                  : unknown
  Policy State                                 : None
QoS Service Policy - Output
  Policy Name                                  : unknown
  Policy State                                 : None
QoS Client Service Policy
  Input  Policy Name                           : unknown
  Output Policy Name                           : unknown
WMM                                            : Required
Channel Scan Defer Priority:
  Priority (default)                           : 4
  Priority (default)                           : 5
  Priority (default)                           : 6
Scan Defer Time (msecs)                        : 100
Media Stream Multicast-direct                  : Disabled
CCX - AironetIe Support                        : Enabled
CCX - Gratuitous ProbeResponse (GPR)           : Disabled
CCX - Diagnostics Channel Capability           : Disabled
Dot11-Phone Mode (7920)                        : Invalid
Wired Protocol                                 : None
Peer-to-Peer Blocking Action                   : Disabled
Radio Policy                                   : 802.11a only
DTIM period for 802.11a radio                  : 1
DTIM period for 802.11b radio                  : 1
Local EAP Authentication                       : Disabled
Mac Filter Authorization list name             : Disabled
Accounting list name                           : Disabled
802.1x authentication list name                : Disabled
Security
    802.11 Authentication                      : Open System
    Static WEP Keys                            : Disabled
    802.1X                                     : Disabled
    Wi-Fi Protected Access (WPA/WPA2)          : Enabled
        WPA (SSN IE)                           : Disabled
        WPA2 (RSN IE)                          : Enabled
            TKIP Cipher                        : Disabled
            AES Cipher                         : Enabled
        Auth Key Management
            802.1x                             : Enabled
            PSK                                : Disabled
            CCKM                               : Disabled
    CKIP                                       : Disabled
    IP Security                                : Disabled
    IP Security Passthru                       : Disabled
    L2TP                                       : Disabled
    Web Based Authentication                   : Disabled
    Conditional Web Redirect                   : Disabled
    Splash-Page Web Redirect                   : Disabled
    Auto Anchor                                : Disabled
    Sticky Anchoring                           : Enabled
    Cranite Passthru                           : Disabled
    Fortress Passthru                          : Disabled
    PPTP                                       : Disabled
    Infrastructure MFP protection              : Enabled
    Client MFP                                 : Optional
    Webauth On-mac-filter Failure              : Disabled
    Webauth Authentication List Name           : Disabled
    Webauth Parameter Map                      : Disabled
    Tkip MIC Countermeasure Hold-down Timer    : 60
Call Snooping                                  : Disabled
Passive Client                                 : Disabled
Non Cisco WGB                                  : Disabled
Band Select                                    : Disabled
Load Balancing                                 : Disabled
IP Source Guard                                : Disabled

By default WLAN is configured with WPA2/AES. So if you want to check basic client connectivity you can disable it. Then you should be able to connect your wireless client to this new SSID.

In a separate post we will see how to configure different security methods for a given SSID.
The material is referred from:

Getting Started with 3850
Posted by at 1 comment:
Labels: , , , , , , ,
Subscribe to: Posts (Atom)