Cisco Router 860, 880 Series User Manual
17-33 Book Title OL-xxxxx-xx Chapter 17 Administering the Wireless Device

Configuring the Authentication Cache and Profile

The following commands that support this feature are included in Cisco IOS Release 12.3(7):

    cache expiry
    cache authorization profile
    cache authentication profile
    aaa cache profile

Note: See the Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges, Versions 12.4(10b)JA and 12.3(8)JEC for information about these commands.

The following is a configuration example from an access point configured for Admin authentication using TACACS+ with the auth cache enabled. While this example is based on a TACACS server, the access point could be configured for Admin authentication using RADIUS:

    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname ap
    !
    !
    username Cisco password 7 123A0C041104
    username admin privilege 15 password 7 01030717481C091D25
    ip subnet-zero
    !
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
     server 192.168.134.229 auth-port 1645 acct-port 1646
    !
    aaa group server radius rad_mac
     server 192.168.134.229 auth-port 1645 acct-port 1646
    !
    aaa group server radius rad_acct
     server 192.168.134.229 auth-port 1645 acct-port 1646
    !
    aaa group server radius rad_admin
     server 192.168.134.229 auth-port 1645 acct-port 1646
     cache expiry 1
     cache authorization profile admin_cache
     cache authentication profile admin_cache
    !
    aaa group server tacacs+ tac_admin
     server 192.168.133.231
     cache expiry 1
     cache authorization profile admin_cache
     cache authentication profile admin_cache
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login default local cache tac_admin group tac_admin
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local cache tac_admin group tac_admin
    aaa accounting network acct_methods start-stop group rad_acct
    aaa cache profile admin_cache
     all
    !
    aaa session-id common
    !
    !
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     shutdown
     speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 192.168.133.207 255.255.255.0
     no ip route-cache
    !
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    !
    tacacs-server host 192.168.133.231 key 7 105E080A16001D1908
    tacacs-server directed-request
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.134.229 auth-port 1645 acct-port 1646 key 7 111918160405041E00
    radius-server vsa send accounting
    !
    control-plane
    !
    bridge 1 route ip
    !
    !
    !
    line con 0
     transport preferred all
     transport output all
    line vty 0 4
     transport preferred all
     transport input all
     transport output all
    line vty 5 15
     transport preferred all
     transport input all
     transport output all
    !
    end

Configuring the Access Point to Provide DHCP Service

These sections describe how to configure the wireless device to act as a DHCP server:

    Setting up the DHCP Server, page 17-35
    Monitoring and Maintaining the DHCP Server Access Point, page 17-37

Setting up the DHCP Server

By default, access points are configured to receive IP settings from a DHCP server on your network. You can also configure an access point to act as a DHCP server to assign IP settings to devices on both your wired and wireless LANs.

Note: When you configure the access point as a DHCP server, it assigns IP addresses to devices on its subnet. The devices communicate with other devices on the subnet but not beyond it. If data needs to be passed beyond the subnet, you must assign a default router. The IP address of the default router should be on the same subnet as the access point configured as the DHCP server.

For detailed information on DHCP-related commands and options, refer to the DHCP part in the Cisco IOS IP Addressing Services Configuration Guide, Release 12.4. Click this URL to browse to the DHCP part: http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcp_rdmp_ps6350_TSD_Products_Configuration_Guide_Chapter.html
To configure an access point to provide DHCP service and specify a default router, follow these steps beginning in privileged EXEC mode:

Step 1: configure terminal
    Enters global configuration mode.

Step 2: ip dhcp excluded-address low_address [high_address]
    Excludes the wireless device's IP address from the range of addresses the wireless device assigns. Enter the IP address in four groups of characters, such as 10.91.6.158.
    The wireless device assumes that all IP addresses in a DHCP address pool subnet are available for assigning to DHCP clients. You must specify the IP addresses that the DHCP Server should not assign to clients.
    (Optional) To enter a range of excluded addresses, enter the address at the low end of the range followed by the address at the high end of the range.

Step 3: ip dhcp pool pool_name
    Creates a name for the pool of IP addresses that the wireless device assigns in response to DHCP requests, and enters DHCP configuration mode.

Step 4: network subnet_number [mask | prefix-length]
    Assigns the subnet number for the address pool. The wireless device assigns IP addresses within this subnet.
    (Optional) Assigns a subnet mask for the address pool, or specifies the number of bits that comprise the address prefix. The prefix is an alternative way of assigning the network mask. The prefix length must be preceded by a forward slash (/).

Step 5: lease { days [hours] [minutes] | infinite }
    Configures the duration of the lease for IP addresses assigned by the wireless device.
    days: configure the lease duration in number of days
    (optional) hours: configure the lease duration in number of hours
    (optional) minutes: configure the lease duration in number of minutes
    infinite: set the lease duration to infinite

Step 6: default-router address [address2 ... address8]
    Specifies the IP address of the default router for DHCP clients on the subnet. One IP address is required; however, you can specify up to eight addresses in one command line.

Step 7: end
    Returns to privileged EXEC mode.

Step 8: show running-config
    Verifies your entries.

Step 9: copy running-config startup-config
    (Optional) Saves your entries in the configuration file.

Use the no form of these commands to return to default settings.

This example shows how to configure the wireless device as a DHCP server, exclude a range of IP addresses, and assign a default router:

    AP# configure terminal
    AP(config)# ip dhcp excluded-address 172.16.1.1 172.16.1.20
    AP(config)# ip dhcp pool wishbone
    AP(dhcp-config)# network 172.16.1.0 255.255.255.0
    AP(dhcp-config)# lease 10
    AP(dhcp-config)# default-router 172.16.1.1
    AP(dhcp-config)# end
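The procedure above leaves two constraints to the administrator: the default router must be on the pool subnet, and addresses the server must never hand out (the device's own, the gateway's) have to be excluded explicitly. The following Python helper is an added example, not part of the manual or of Cisco IOS; it generates the commands from the steps above for the page's wishbone pool and checks those constraints first. The warning about an unexcluded default router is an assumption added here.

```python
import ipaddress


def excluded_hosts(net, excluded):
    """Expand (low, high) ranges into a set of addresses, rejecting ranges outside the pool."""
    hosts = set()
    for low, high in excluded:
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if lo not in net or hi not in net or lo > hi:
            raise ValueError(f"excluded range {low}-{high} is not a valid range inside {net}")
        hosts.update(ipaddress.ip_address(a) for a in range(int(lo), int(hi) + 1))
    return hosts


def build_dhcp_pool(pool_name, network, excluded, default_routers, lease_days):
    """Return (IOS commands, warnings) for a DHCP pool as configured in Steps 2 to 6.

    Checks the manual's constraints: excluded ranges and every default router lie
    inside the pool subnet, and one to eight default routers are given.
    """
    net = ipaddress.ip_network(network, strict=True)
    reserved = excluded_hosts(net, excluded)
    if not 1 <= len(default_routers) <= 8:
        raise ValueError("one to eight default routers are allowed")
    routers = [ipaddress.ip_address(r) for r in default_routers]
    warnings = []
    for r in routers:
        if r not in net:
            raise ValueError(f"default router {r} is not on the pool subnet {net}")
        if r not in reserved:
            # Assumption added here: a gateway address the pool could also lease
            # to a client is worth flagging before the configuration is applied.
            warnings.append(f"default router {r} is not excluded from the pool")
    commands = [f"ip dhcp excluded-address {lo} {hi}" for lo, hi in excluded]
    commands += [
        f"ip dhcp pool {pool_name}",
        f" network {net.network_address} {net.netmask}",
        f" lease {lease_days}",
        " default-router " + " ".join(str(r) for r in routers),
    ]
    return commands, warnings


def assignable_addresses(network, excluded):
    """Usable host addresses left for clients once the excluded ranges are removed."""
    net = ipaddress.ip_network(network, strict=True)
    return len(set(net.hosts()) - excluded_hosts(net, excluded))
```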
Monitoring and Maintaining the DHCP Server Access Point

These sections describe commands you can use to monitor and maintain the DHCP server access point:

    Show Commands, page 17-37
    Clear Commands, page 17-37
    Debug Command, page 17-38

Show Commands

In privileged EXEC mode, enter the commands in Table 17-4 to display information about the wireless device as DHCP server.

Table 17-4 Show Commands for DHCP Server

show ip dhcp conflict [address]
    Displays a list of all address conflicts recorded by a specific DHCP Server. Enter the wireless device's IP address to show conflicts recorded by the wireless device.

show ip dhcp database [url]
    Displays recent activity on the DHCP database.
    Note: Use this command in privileged EXEC mode.

show ip dhcp server statistics
    Displays count information about server statistics and messages sent and received.

Clear Commands

In privileged EXEC mode, use the commands in Table 17-5 to clear DHCP server variables.

Table 17-5 Clear Commands for DHCP Server

clear ip dhcp binding {address | *}
    Deletes an automatic address binding from the DHCP database. Specifying the address argument clears the automatic binding for a specific (client) IP address. Specifying an asterisk (*) clears all automatic bindings.

clear ip dhcp conflict {address | *}
    Clears an address conflict from the DHCP database. Specifying the address argument clears the conflict for a specific IP address. Specifying an asterisk (*) clears conflicts for all addresses.

clear ip dhcp server statistics
    Resets all DHCP Server counters to 0.
Debug Command

To enable DHCP server debugging, use this command in privileged EXEC mode:

    debug ip dhcp server { events | packets | linkage }

Use the no form of the command to disable debugging for the wireless device DHCP server.

Configuring the Access Point for Secure Shell

This section describes how to configure the Secure Shell (SSH) feature.

Note: For complete syntax and usage information for the commands used in this section, refer to the "Secure Shell Commands" section in the Cisco IOS Security Command Reference for Release 12.4.

Understanding SSH

SSH is a protocol that provides a secure, remote connection to a Layer 2 or Layer 3 device. There are two versions of SSH: SSH version 1 and SSH version 2. This software release supports both SSH versions. If you do not specify the version number, the access point defaults to version 2.

SSH provides more security for remote connections than Telnet by providing strong encryption when a device is authenticated. The SSH feature has an SSH server and an SSH integrated client. The client supports these user authentication methods:

    RADIUS (for more information, see the "Controlling Access Point Access with RADIUS" section on page 17-9)
    Local authentication and authorization (for more information, see the "Configuring the Access Point for Local Authentication and Authorization" section on page 17-31)

For more information about SSH, refer to Part 5, "Other Security Features" in the Cisco IOS Security Configuration Guide for Release 12.4.

Note: The SSH feature in this software release does not support IP Security (IPsec).

Configuring SSH

Before configuring SSH, download the crypto software image from Cisco.com. For more information, refer to the release notes for this release.
For information about configuring SSH and displaying SSH settings, refer to Part 6, “Other Security Features” in the Cisco IOS Security Configuration Guide for Release 12.4, which is available on Cisco.com at the following link: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html
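The running-config shown in the Configuring the Authentication Cache and Profile section combines several settings a reviewer would want to see together: the order of methods in the login method list, the cache expiry on the TACACS+ group, HTTP management with the secure server disabled, and vty lines whose transport input all also admits Telnet, which this section describes as less secure than SSH. The audit below is an added example (not code from the manual or from Cisco IOS) that walks a constructed excerpt of that configuration and reports those points; the excerpt reuses the page's own values.

```python
# Constructed excerpt of the running-config example earlier in this chapter.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ tac_admin
 server 192.168.133.231
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa authentication login default local cache tac_admin group tac_admin
aaa authorization exec default local cache tac_admin group tac_admin
ip http server
ip http authentication aaa
no ip http secure-server
line vty 0 4
 transport input all
"""


def audit_config(text):
    """Return review findings for the AAA and remote-management settings of an IOS config.

    Top-level lines start a block; indented lines belong to the block above them.
    """
    findings = []
    block = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            block = line                      # a new top-level command ends the previous block
        fields = line.split()
        if line.startswith("aaa authentication login default "):
            methods = fields[4:]              # methods are tried in the order listed
            findings.append("login default methods: " + " ".join(methods))
            if methods and methods[0] == "local":
                findings.append("local database is consulted before the AAA server for login")
        elif block.startswith("aaa group server") and line.startswith(" cache expiry "):
            findings.append(f"{block.split()[-1]}: cache expiry {fields[2]}")
        elif block.startswith("line vty") and line == " transport input all":
            findings.append(f"{block}: transport input all (Telnet accepted alongside SSH)")
    top_level = {l.strip() for l in text.splitlines() if not l.startswith(" ")}
    if "ip http server" in top_level and "no ip http secure-server" in top_level:
        findings.append("HTTP management enabled while HTTPS is disabled")
    return findings
```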
Configuring Client ARP Caching

You can configure the wireless device to maintain an ARP cache for associated client devices. Maintaining an ARP cache on the wireless device reduces the traffic load on your wireless LAN. ARP caching is disabled by default.

This section contains this information:

    Understanding Client ARP Caching, page 17-39
    Configuring ARP Caching, page 17-39

Understanding Client ARP Caching

ARP caching on the wireless device reduces the traffic on your wireless LAN by stopping ARP requests for client devices at the wireless device. Instead of forwarding ARP requests to client devices, the wireless device responds to requests on behalf of associated client devices.

When ARP caching is disabled, the wireless device forwards all ARP requests through the radio port to associated clients, and the client to which the ARP request is directed responds. When ARP caching is enabled, the wireless device responds to ARP requests for associated clients and does not forward requests to clients. When the wireless device receives an ARP request for an IP address not in the cache, the wireless device drops the request and does not forward it. In its beacon, the wireless device includes an information element to alert client devices that they can safely ignore broadcast messages to increase battery life.

Optional ARP Caching

When a non-Cisco client device is associated to an access point and is not passing data, the wireless device might not know the client's IP address. If this situation occurs frequently on your wireless LAN, you can enable optional ARP caching. When ARP caching is optional, the wireless device responds on behalf of clients with IP addresses known to the wireless device but forwards out its radio port any ARP requests addressed to unknown clients.
When the wireless device learns the IP addresses for all associated clients, it drops ARP requests not directed to its associated clients.

Configuring ARP Caching

To configure the wireless device to maintain an ARP cache for associated clients, follow these steps beginning in privileged EXEC mode:

Step 1: configure terminal
    Enters global configuration mode.

Step 2: dot11 arp-cache [optional]
    Enables ARP caching on the wireless device.
    (Optional) Use the optional keyword to enable ARP caching only for the client devices whose IP addresses are known to the wireless device.

Step 3: end
    Returns to privileged EXEC mode.

Step 4: show running-config
    Verifies your entries.

Step 5: copy running-config startup-config
    (Optional) Saves your entries in the configuration file.

This example shows how to configure ARP caching on an access point:

    AP# configure terminal
    AP(config)# dot11 arp-cache
    AP(config)# end

Configuring Multiple VLAN and Rate Limiting for Point-to-Multipoint Bridging

This feature modifies the way point-to-multipoint bridging can be configured to operate on multiple VLANs with the ability to control traffic rates on each VLAN.

Note: A rate limiting policy can be applied only to Fast Ethernet ingress ports on non-root bridges.

In a typical scenario, multiple-VLAN support permits users to set up point-to-multipoint bridge links with remote sites, with each remote site on a separate VLAN. This configuration provides the capability for separating and controlling traffic to each site. Rate limiting ensures that no remote site consumes more than a specified amount of the entire link bandwidth. Only uplink traffic can be controlled by using the Fast Ethernet ingress ports of non-root bridges.

Using the class-based policing feature, you can specify the rate limit and apply it to ingress of the Ethernet interface of a non-root bridge. Applying the rate at the ingress of the Ethernet interface ensures that all incoming Ethernet packets conform to the configured rate.
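The three dot11 arp-cache behaviours described in the Client ARP Caching section above (disabled, enabled, and optional) differ only in what the access point does with a request for an address it has not learned, which matters because a client that associates but never sends data is unknown until it does. The model below is an added example, not code from the manual or the device; it reduces the access point to a respond/forward/drop decision over a learned IP-to-MAC cache, with no timers or real frames, which is an assumption made here.

```python
class ArpCachingAP:
    """Model of an access point's ARP handling under the three dot11 arp-cache settings."""

    MODES = ("disabled", "enabled", "optional")

    def __init__(self, mode):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.associated = set()   # MAC addresses of associated clients
        self.cache = {}           # IP address -> MAC, learned from client traffic

    def associate(self, mac):
        self.associated.add(mac)

    def observe_frame(self, mac, ip):
        """The access point learns a client's IP only when that client passes data."""
        if mac in self.associated:
            self.cache[ip] = mac

    def all_clients_known(self):
        return self.associated <= set(self.cache.values())

    def handle_arp_request(self, target_ip):
        """Return what the access point does with an ARP request for target_ip."""
        if self.mode == "disabled":
            return "forward"          # every request goes out the radio port
        if target_ip in self.cache:
            return "respond"          # proxy reply on behalf of the associated client
        if self.mode == "optional" and not self.all_clients_known():
            return "forward"          # some client is still unknown: let it answer itself
        return "drop"                 # address not in the cache is dropped, not forwarded
```

With caching simply enabled, a request for an associated but silent client is dropped, which is the situation the optional keyword exists to handle.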