Table Of Contents
Designing Device Configurations
About Configuration Templates
Deploying a Branch
Creating Configuration Templates
Default Configuration Templates
Creating CLI Configuration Templates
Prerequisites for Creating CLI Templates
Database Variables in CLI Templates
Creating CLI Configuration Templates from Copied Code
Importing CLI Configuration Templates From Cisco Prime LMS
Creating Feature and Technology Templates
Creating ACL Templates
Creating Wireless Controller Templates
Creating System Templates
Creating a General Template
Creating an SNMP Community Controller Template
Creating an NTP Server Template
Creating a QoS Template
Creating a User Roles Controller Template
Creating an AP Username Password Controller Template
Creating an AP 802.1X Supplicant Credentials Template
Creating a Global CDP Configuration Template
Creating a DHCP Template
Creating an Interface Group Template
Creating a Traffic Stream Metrics QoS Template
Creating a Dynamic Interface Template
Creating WLAN Templates
Creating a WLAN Template
Creating Mobile Concierge (802.11u) Groups
Creating a WLAN AP Groups Template
Creating FlexConnect Templates
Creating a FlexConnect AP Groups Template
Creating FlexConnect Users
Creating Security Templates
Creating a General Security Controller Template
Creating a RADIUS Authentication Template
Creating a RADIUS Accounting Template
Creating a RADIUS Fallback Template
Creating an LDAP Server Template
Creating a TACACS+ Server Template
Creating a Local EAP General Template
Creating a Local EAP Profile Template
Creating an EAP-FAST Template
Creating a Network User Priority Template
Creating Wireless Protection Policies Templates
Creating a Rogue Policies Template
Creating a Rogue AP Rules Template
Creating a Rogue AP Rule Groups Template
Creating a Friendly Access Point Template
Creating an Ignored Rogue AP Template
Creating a File Encryption Template
Creating a Security Password Policy Template
Creating a User Login Policies Template
Creating a Manually Disabled Client Template
Creating an Access Control List Template
Creating a CPU Access Control List (ACL) Template
Creating a FlexConnect Access Control List Template
Creating an ACL IP Groups Template
Creating an ACL Protocol Groups Template
Creating an External Web Auth Server Template
Creating Radio Templates (802.11)
Creating a Load Balancing Template
Creating a Band Selection Template
Creating a Preferred Call Template
Creating a Media Stream for Controller Template (802.11)
Creating an RF Profiles Template
Creating Radio Templates (802.11a/n)
Creating an 802.11a/n Parameters Template
Creating a CleanAir Controller Template (802.11a/n)
Creating a Media Parameters Controller Template (802.11a/n)
Creating an EDCA Parameters Template (802.11a/n)
Creating a Roaming Parameters Template (802.11a/n)
Creating an 802.11h Template
Creating a High Throughput Template (802.11a/n)
Creating 802.11a/n RRM Templates
Creating Radio Templates (802.11b/g/n)
Creating an 802.11b/g/n Parameters Template
Creating a Media Parameters Controller Template (802.11b/g/n)
Creating an EDCA Parameters Controller Template (802.11b/g/n)
Creating a Roaming Parameters Controller Template (802.11b/g/n)
Creating a High Throughput (802.11n) Controller Template (802.11b/g/n)
Creating a CleanAir Controller Template (802.11 b/g/n)
Creating 802.11b/g/n RRM Templates
Creating Mesh Templates
Creating a Mesh Setting Template
Creating Management Templates
Creating a Trap Receiver Template
Creating a Trap Control Template
Creating a Telnet SSH Template
Creating a Legacy Syslog Template
Creating a Multiple Syslog Template
Creating a Local Management User Template
Creating a User Authentication Priority Template
Creating a CLI Template
Creating a Location Configuration Template
Creating IPv6 Templates
Creating a Neighbor Binding Timers Template
Creating a RA Throttle Policy Template
Creating an RA Guard Template
Creating Proxy Mobile IPv6 Templates
Creating a PMIP Global Configurations Template
Creating an LMA Configurations Template
Creating a PMIP Profiles Template
Publishing and Deploying Controller Templates
Creating Security Configuration Templates
Creating a DMVPN Template
Creating a GET VPN Group Member Template
Creating a GET VPN Key Server Template
Creating ScanSafe Templates
Configuring Switch Location Configuration Templates
Creating AP Configuration Templates
Creating Lightweight Access Point Templates
Creating Autonomous Access Point Templates
Creating an Autonomous Access Point Template
Applying an AP Configuration Template to an Autonomous Access Point
Creating Autonomous Access Point Migration Templates
Configuring Autonomous AP Migration Templates
Viewing the Migration Analysis Summary
Copying a Migration Template
Deleting Migration Templates
Viewing the Current Status of Cisco IOS Access Points
Designing Controller Config Groups
Adding New Config Group
Configuring Config Groups
Applying or Scheduling Config Groups
Auditing Config Groups
Rebooting Config Groups
Reporting Config Groups
Downloading Software
Downloading IDS Signatures
Downloading Customized WebAuth
Configuring wIPS Profiles
Adding a Profile
Editing a wIPS Profile
Deleting a wIPS Profile
Applying a wIPS Profile
Configuring Features on a Device
Application Visibility
Configuring AV
Editing AV Policy
Changing AV Advanced Options
Overview of NAT
Types of NAT
How to Configure NAT for IP Address Conservation
IP Pools
Creating, Editing, and Deleting IP Pools
NAT44
Creating, Editing, and Deleting NAT44 Rule
Managing Interfaces
Configuring Interfaces
Managing NAT MAX Translation
Setting NAT MAX Translation
Dynamic Multipoint VPN
Configuring DMVPN
Creating DMVPN Tunnel
Configuring Hub and Spoke Topology
Configuring Fully Mesh Topology
Cluster Configuration
Edit DMVPN
Delete DMVPN
GETVPN
Group Member
Key Server
Configuring GETVPN
Creating GETVPN Group Member
Creating GETVPN Key Server
Editing GET VPN Group Member or Key Server
Deleting GETVPN Group Member or Key Server
VPN Components
IKE Policies
IKE Settings
IPsec Profile
Pre-shared Keys
RSA Keys
Transform Sets
Overview of Zones
Security Zones
Managing Applications
Managing Services
Managing Policy Rules
Changing the Firewall Rule Order
Creating Security Zone
Configuring Default-Zone
Managing Default Parameters
Managing Interfaces
Routing
Static Routing
RIP Routing
EIGRP Routing
OSPF Routing
Creating Composite Templates
Testing and Troubleshooting Configuration Templates
Designing Device Configurations
You use templates to define device parameters and settings, which you can later deploy to a specified number of devices based on device type. Templates enhance productivity when you are implementing new services or a new site. Altering configurations across a large number of devices can be tedious and time-consuming, and templates save you time by applying the necessary configurations and by ensuring consistency across devices. You can also create and deploy configuration for the selected device.
Table 4-1 describes the process for creating and deploying templates.
Table 4-1 Process for Using Configuration Templates
Task | Additional Information
1. Create a template. | Under the Design menu, choose which type of template to create.
2. Publish the template. | After you have created the template, click Publish to publish the template and make it available to be deployed.
3. Deploy the template. | Under the Deploy menu, choose which template to deploy. See Deploying Templates for more information.
4. Verify the status of the template deployment. | Choose Administration > Jobs Dashboard to verify the status of the template deployment.
This chapter contains the following sections:
• About Configuration Templates
• Creating Configuration Templates
• Creating Wireless Controller Templates
• Creating Security Configuration Templates
• Configuring Features on a Device
• Creating Composite Templates
• Testing and Troubleshooting Configuration Templates
About Configuration Templates
You use configuration templates to design the set of device configurations you need to set up all the devices in a branch. When you have a site, office, or branch that uses a similar set of devices and configurations, you can use configuration templates to build a generic configuration that you can apply to one or more devices in the branch. You can also use configuration templates when you have a new branch and want to quickly and accurately set up common configurations on the devices in the branch.
Related Topic
• Creating Configuration Templates
Deploying a Branch
Deploying a branch means creating the minimum configurations for the branch router. Prime Infrastructure allows you to create a set of required features that include:
• Feature templates for the Ethernet interface
• CLI template for additional features you require
All of the templates you create can then be added to a single composite template, which aggregates all the individual feature templates you need for the branch router. You can then use this composite template when you perform branch deployment operations and to replicate the configurations at other branches.
When you have a set of similar devices across a branch, you can deploy a composite template that includes "golden" configurations to simplify deployment and ensure consistency across your device configurations. You can also use the composite template to compare against an existing device configuration to determine if there are mismatches.
Related Topics
• Creating Configuration Templates
• Creating Composite Templates
Creating Configuration Templates
Prime Infrastructure provides the following types of configuration templates:
• Default templates—Cisco-supplied templates that are ready for use the moment you install Prime Infrastructure. See Default Configuration Templates.
• CLI templates—User-defined templates that are created based on your own parameters. CLI templates allow you to choose the elements in the configurations. Prime Infrastructure provides variables that you replace with actual values and logic statements. You can also import templates from Cisco Prime LAN Management System. See Creating CLI Configuration Templates.
• Feature and technology templates—Configurations that are specific to a feature or technology in a device's configuration. See Creating Feature and Technology Templates.
• Composite templates—Two or more feature or CLI templates grouped together into one template. You specify the order in which the templates contained in the composite template are deployed to devices. See Creating Composite Templates.
Note
All templates must be published before they can be deployed to devices.
You use templates to define device parameters and settings, which you can later deploy to a specified number of devices based on device type. Altering configurations across a large number of devices can be tedious and time-consuming, and templates save you time by applying the necessary configurations and ensuring consistency across devices.
Default Configuration Templates
Prime Infrastructure ships with default configuration templates that you can find under Design > Configuration Templates > My Templates > OOTB. These templates are described in Table 4-2.
Table 4-2 Prime Infrastructure-Provided Configuration Templates
Use This Configuration Template... | To Do This...
Medianet - PerfMon | Configure performance monitoring for Medianet.
PA with WAAS | Configure Cisco Performance Agent and Wide Area Application Services (WAAS).
PA without WAAS | Configure Cisco Performance Agent without WAAS.
Collecting Traffic Statistics | Collect network traffic statistics.
Authentication Priority | Configure the level of priority you want to assign to each authentication server.
EtherChannel | Configure an EtherChannel.
Local Management Users | Configure local users, their privilege level, and password.
Logging | Configure logging, trap level, severity level, buffer size, etc.
NTP | Configure an NTP peer/server on a device.
RADIUS-AUTH | Configure a RADIUS authentication server.
RADIUS Acct. Servers | Configure a RADIUS accounting server.
SNMP | Configure SNMP V1/V2.
TACACS Server | Configure a TACACS server.
Trap Receiver | Configure a trap receiver.
STP | Configure Spanning Tree Protocol (STP).
VLAN | Configure a VLAN.
Creating CLI Configuration Templates
Before creating a CLI template, make sure you have satisfied the prerequisites as described in Database Variables in CLI Templates.
Step 1
Choose Design > Configuration Templates.
Step 2
Expand the CLI Template folder, then click CLI.
Step 3
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 4
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 5
In the Template Detail section, click Manage Variables.
This allows you to specify a variable for which you will define a value when you deploy the template.
Step 6
Click Add Row and enter the parameters for a new variable, then click Save.
Step 7
Enter the CLI information.
Note
In the CLI field, you must enter code using Apache VTL.
Step 8
(Optional) To change the variables, click Form View (a read-only view), then click Manage Variables and make your changes.
Step 9
Click Save As New Template.
Related Topics
• Prerequisites for Creating CLI Templates
• Database Variables in CLI Templates
• Creating CLI Configuration Templates from Copied Code
• Importing CLI Configuration Templates From Cisco Prime LMS
Prerequisites for Creating CLI Templates
Creating CLI templates is an advanced function that should be done by expert users. Before you create a CLI template, you should:
• Have expert knowledge and understanding of the CLI and be able to write the CLI in Apache VTL. For more information about Apache Velocity Template Language, see http://velocity.apache.org/engine/devel/vtl-reference-guide.html.
• Understand to what devices the CLI you create can be applied.
• Understand the data types supported by Prime Infrastructure.
• Understand and be able to manually label configurations in the template.
Database Variables in CLI Templates
When a device is discovered and added to Prime Infrastructure, you can use the database values that were gathered during the inventory collection to create CLI templates. For example, if you want to create and deploy a CLI template to shut down all interfaces in a branch, you can create a CLI template that contains the following commands:
#foreach ($interfaceName in $interfaceNameList)
interface $interfaceName \n
shutdown
#end
where $interfaceNameList is the database variable type whose value will be retrieved from the database. $interfaceNameList has a default value of Inventory::EthernetProtocolEndpoint.IntfName.
To populate interfaceNameList with the value from the database, you must create a properties file to capture the query string as described below and save it in the /opt/CSCOlumos/conf/ifm/template/InventoryTagsInTemplate folder.
Sample Property File
Filename: interface.properties
# for interface name tag->Name
EthernetProtocolEndpoint.IntfName=select u.name from EthernetProtocolEndpoint u where u.owningEntityId =
# say for other attributes of EthernetProtocolEndpoint Model, should we define tags
# any good generic way of accepting tags -attr+its mapped query ?
After you create the CLI template and the property file and deploy the CLI template, the following CLI is configured on the devices. This output assumes the device has two interfaces (GigabitEthernet0/0 and GigabitEthernet0/1):
interface GigabitEthernet0/0
shutdown
interface GigabitEthernet0/1
shutdown
Note
interfaceNameList is a Prime Infrastructure default database variable.
Verify that the Enterprise JavaBeans Query Language (EJB QL) specified in the properties file returns a list of strings; or, if a single element is specified, the EJB QL should return a list containing one element.
The following are the database variables present in the CLITemplateDbVariablesQuery.properties file:
• IntfName
• UpIntfName
• DownIntfName
• AllIntf
• DeviceName
• ProductSeries
• SysObjectID
• IPAddress
• SoftwareVersion
• SerialNumber
• ModelNumber
• ImageName
• ImageFileName
• ImageVersion
• VlanID
• VlanName
• ProductType
Related Topics
• Creating CLI Configuration Templates
• Prerequisites for Creating CLI Templates
• Creating CLI Configuration Templates from Copied Code
• Importing CLI Configuration Templates From Cisco Prime LMS
Creating CLI Configuration Templates from Copied Code
One quick way to create CLI configuration templates is to copy code from a command line configuration session, CLI script, or other stored set of configuration commands. Prime Infrastructure lets you turn all the CLI parameters in the copied CLI into template variables.
To create a CLI template variable from copied code:
Step 1
Choose Design > Configuration Templates.
Step 2
Expand the CLI Template directory, and then click CLI.
Step 3
In the CLI template, paste the copied code into the CLI Content field.
Step 4
Select the text that is to be the variable name.
Step 5
Click Manage Variable.
The Manage Variable dialog box appears with the new variable name added to the list of variables.
Step 6
Enter the values of the following parameters:
• Name.
• Type—Data type of the variable. Default is String.
• Description (Optional)—Description of the variable.
• Display Label—Display name of the variable in the template.
• Display Label—If the variable is mandatory in the template, check this check box.
Step 7
To set the range, validation, and default value of the variable, click the arrow next to the radio button:
• Default Value.
• Range—If the variable is an integer, enter the range in the From and To fields.
• Validation Expression—If the variable is a string, enter a valid regular expression to validate the user input. For example, if the string should start with "hostname," enter ^[\S]+$ as the validation expression.
Step 8
Click Save.
Step 9
Click Add.
To view the new variable, click Form View.
To edit an existing variable created from copied code:
Step 1
Click Manage Variable.
Step 2
Click the radio button to select a variable, and then click Edit.
Step 3
Continue from Step 6 of the procedure for creating a variable from copied code.
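The following Python is an added example, not Prime Infrastructure code, tying together the two mechanisms described above and in Database Variables in CLI Templates: checking deploy-time values against the Manage Variables settings (type, mandatory flag, integer range, validation expression) before anything is rendered, and expanding the `$reference` / `#foreach ... #end` subset of VTL that the interface-shutdown template uses. The hostname/VLAN template, its variable definitions and the two-interface inventory list are constructed for the example; the validation expression is the one quoted in the text.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class VariableSpec:
    """One entry of the Manage Variables dialog (constructed model of the fields in the text)."""
    name: str
    var_type: str = "String"          # "String" or "Integer"
    mandatory: bool = False
    default: Optional[str] = None
    range_from: Optional[int] = None  # Integer variables only
    range_to: Optional[int] = None
    validation: Optional[str] = None  # regular expression, String variables only


def check_variables(specs, values):
    """Apply the per-variable checks to deploy-time values; an empty list means all passed."""
    errors = []
    for spec in specs:
        value = values.get(spec.name, spec.default)
        if value is None or value == "":
            if spec.mandatory:
                errors.append(f"{spec.name}: value is mandatory")
            continue
        if spec.var_type == "Integer":
            if re.fullmatch(r"-?\d+", value) is None:
                errors.append(f"{spec.name}: {value!r} is not an integer")
                continue
            n, low, high = int(value), spec.range_from, spec.range_to
            if (low is not None and n < low) or (high is not None and n > high):
                errors.append(f"{spec.name}: {n} is outside the range {low}..{high}")
        elif spec.validation is not None:
            # fullmatch, not search: with search "$" also matches before a trailing newline,
            # so "rtr\n" would pass ^[\S]+$ and render as an extra CLI line.
            if re.fullmatch(spec.validation, value) is None:
                errors.append(f"{spec.name}: {value!r} fails {spec.validation}")
    return errors


FOREACH_RE = re.compile(r"#foreach\s*\(\s*\$(\w+)\s+in\s+\$(\w+)\s*\)")


def _substitute(line, ctx):
    # Replace $name with its value; unknown references stay as written, as Velocity does.
    return re.sub(r"\$(\w+)", lambda m: str(ctx.get(m.group(1), m.group(0))), line)


def render_cli(template, ctx):
    """Expand $references and one level of #foreach ... #end (no nesting, no other directives)."""
    lines = template.strip("\n").split("\n")
    out, i = [], 0
    while i < len(lines):
        m = FOREACH_RE.match(lines[i].strip())
        if m is None:
            out.append(_substitute(lines[i], ctx))
            i += 1
            continue
        item, list_name = m.groups()
        body, i = [], i + 1
        while i < len(lines) and lines[i].strip() != "#end":
            body.append(lines[i])
            i += 1
        if i == len(lines):
            raise ValueError("#foreach without matching #end")
        for value in ctx[list_name]:
            out.extend(_substitute(b, {**ctx, item: value}) for b in body)
        i += 1  # skip the #end line
    return "\n".join(out)


def deploy_preview(template, specs, values, db_context):
    """Validate user-supplied variables, then render the CLI that would be pushed to the device."""
    errors = check_variables(specs, values)
    if errors:
        raise ValueError("; ".join(errors))
    ctx = dict(db_context)
    for spec in specs:
        ctx[spec.name] = values.get(spec.name, spec.default)
    return render_cli(template, ctx)


# Constructed sample: the interface-shutdown template from the text and the list that the
# EJB QL for Inventory::EthernetProtocolEndpoint.IntfName would return for a two-port router.
INTERFACE_SHUTDOWN_TEMPLATE = """#foreach ($interfaceName in $interfaceNameList)
interface $interfaceName
shutdown
#end"""
SAMPLE_DB_CONTEXT = {"interfaceNameList": ["GigabitEthernet0/0", "GigabitEthernet0/1"]}

# Constructed sample: user-defined variables as created from copied code. The hostname uses the
# validation expression quoted in the text (a single token, no whitespace); mgmtVlan is an Integer.
HOSTNAME_VLAN_TEMPLATE = "hostname $hostname\nvlan $mgmtVlan"
HOSTNAME_VLAN_SPECS = [
    VariableSpec("hostname", mandatory=True, validation=r"^[\S]+$"),
    VariableSpec("mgmtVlan", var_type="Integer", default="100", range_from=1, range_to=4094),
]

if __name__ == "__main__":
    print(deploy_preview(INTERFACE_SHUTDOWN_TEMPLATE, [], {}, SAMPLE_DB_CONTEXT))
    for bad in ({"hostname": "branch rtr"}, {"hostname": "rtr\n"}, {"hostname": "rtr", "mgmtVlan": "4095"}):
        print("rejected:", check_variables(HOSTNAME_VLAN_SPECS, bad))
```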
Related Topics
• Creating CLI Configuration Templates
• Prerequisites for Creating CLI Templates
• Database Variables in CLI Templates
• Importing CLI Configuration Templates From Cisco Prime LMS
Importing CLI Configuration Templates From Cisco Prime LMS
In addition to creating new configuration templates, you can import configurations from Cisco Prime LAN Management Solution (LMS). If you have "golden" templates in Cisco Prime LMS, you can import those configurations into Prime Infrastructure and save them as configuration templates that you can deploy to the devices in your network.
Before you import a configuration, you must first export and save the configuration from Cisco Prime LMS.
Step 1
Choose Design > Configuration Templates.
Step 2
Expand the CLI Template folder, then choose the CLI template.
Step 3
Click the Import icon at the top right of the CLI template page.
Step 4
Browse to the configuration .xml file that you previously exported from Cisco Prime LMS, then click OK.
Step 5
Navigate to the My Templates folder and choose the configuration you imported.
Step 6
To view the contents of the configuration, click the CLI Content tab.
To view the parameters defined in the configuration, click the Form View tab. These values are read-only.
To change any of the variables defined in the configuration, click Manage Variables.
Step 7
Click the Publish icon to publish the template so it can be deployed.
Step 8
Click the Go to Deployment icon and go to the Deploy > Configuration Tasks page.
Step 9
Click Deploy on the template you published.
Step 10
Specify the deployment options as explained in Specifying Template Deployment Options.
Step 11
Click OK.
Related Topics
• Creating CLI Configuration Templates
• Prerequisites for Creating CLI Templates
• Database Variables in CLI Templates
• Creating CLI Configuration Templates from Copied Code
Creating Feature and Technology Templates
Feature and technology templates are templates that are based on device configuration. Feature and technology templates focus on specific features or technologies in a device's configuration. When you add a device to Prime Infrastructure, Prime Infrastructure gathers the device configuration for the model you added.
Note
Prime Infrastructure does not support every configurable option for all device types. If Prime Infrastructure does not have a feature and technology template for the specific feature or parameter you want to configure, create a CLI template as described in Creating CLI Configuration Templates.
You create feature and technology templates to simplify the deployment of configuration changes. For example, you can create an SNMP feature and technology template and then quickly deploy it to the devices you specify. You can also add one or more feature and technology templates to a composite template. If you do, when you update the SNMP template, the composite template in which the SNMP template is contained automatically has your latest changes.
Step 1
Choose Design > Configuration Templates.
Step 2
Expand the Features and Technologies folder, choose an appropriate subfolder, then choose a template type to create.
Step 3
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 4
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Note
If you are creating a feature template that applies only to a particular device type, the Device Type field lists only the applicable device type, and you cannot change the selection.
Step 5
In the Template Detail section, enter the CLI information.
Step 6
Click Save As New Template.
Creating ACL Templates
To create and deploy a template to configure access lists:
Step 1
Choose Design > Configuration Templates.
Step 2
Expand the Features and Technologies folder, expand the Security subfolder, then click ACL.
Step 3
Enter the basic template information.
Step 4
In the Template Detail section, click Add Row, then complete the fields described in Table 4-3.
Table 4-3 ACL Template Details
Field | Description
Name/Number | Name or number of the ACL.
Applied To | Enter the interface of the router on which to apply the ACL. It is recommended that you apply the ACL on the interface closest to the source of the traffic.
Type | Choose Standard or Extended. Standard IP ACLs control traffic based on the source IP address. Extended IP ACLs identify traffic based on source IP address, source port, destination IP address, and destination port.
Description | Description of the ACL.
Step 5
Click Save As New Template.
Step 6
Navigate to the My Templates folder and choose the template you just saved.
Step 7
Click the Publish icon to publish the template so it can be deployed.
Step 8
Click the Go to Deployment icon and go to the Deploy > Configuration Tasks page.
Step 9
Click Deploy on the template you published.
Step 10
Specify the deployment options as explained in Specifying Template Deployment Options.
Step 11
Click OK.
Creating Wireless Controller Templates
Getting the wireless LAN up and running quickly and cost-effectively to meet your needs is streamlined with the broad array of Cisco Prime Infrastructure integrated configuration templates. These easy-to-use templates and deployment tools help you provision and configure the wireless LAN to deliver exactly the services that your business requires. You use controller templates to define controller parameters and settings, which you can later deploy to a specified number of wireless LAN controllers. The controller templates enhance productivity when you are implementing new services or a new site. Altering configurations across a large number of controllers can be tedious and time-consuming, and templates save you time by applying the necessary configurations and by ensuring consistency across controllers.
See Table 4-1 for information about the process for creating and deploying templates.
This section contains the following topics:
• Creating System Templates
• Creating WLAN Templates
• Creating FlexConnect Templates
• Creating Security Templates
• Creating Wireless Protection Policies Templates
• Creating Radio Templates (802.11)
• Creating Radio Templates (802.11a/n)
• Creating Radio Templates (802.11b/g/n)
• Creating Mesh Templates
• Creating Management Templates
• Creating a CLI Template
• Creating a Location Configuration Template
• Creating IPv6 Templates
• Creating Proxy Mobile IPv6 Templates
• Publishing and Deploying Controller Templates
Creating System Templates
This section contains the following topics:
• Creating a General Template
• Creating an SNMP Community Controller Template
• Creating an NTP Server Template
• Creating a QoS Template
• Creating a User Roles Controller Template
• Creating an AP Username Password Controller Template
• Creating a Global CDP Configuration Template
• Creating an AP 802.1X Supplicant Credentials Template
• Creating a DHCP Template
• Creating an Interface Group Template
• Creating a Traffic Stream Metrics QoS Template
• Creating a Dynamic Interface Template
Creating a General Template
To create a general template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > System > General.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Note
Specifying a device type helps prevent a mismatch: you cannot create a configuration and apply it to the wrong type of device.
Step 4
In the Template Detail section, complete the fields as described in Table 31-1.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an SNMP Community Controller Template
Create or modify a template for configuring SNMP communities on controllers. Communities can have read-only or read-write privileges using SNMP v1, v2, or v3.
To create a template with SNMP community information for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > System > SNMP Community.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, enter the SNMP Community information.
Note
If the Access Mode option is configured as Read Only, Prime Infrastructure has only read access to the controller after this template is applied.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an NTP Server Template
NTP is used to synchronize computer clocks on the Internet.
To create an NTP template or make modifications to an existing NTP template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > System > SNMP Community.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Enter the NTP server IP address.
Step 5
Click Save as New Template. After you save the template, see the "Creating System Templates" section for information about publishing and deploying controller templates.
Creating a QoS Template
To create the quality of service (QoS) profiles:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > System > Qos Profiles.
Step 2
Click in the Name column for the profile you want to edit. The Edit QoS Profile Template page appears.
Step 3
Set the following values in the Per-User Bandwidth Contracts group box. All have a default of 0 or Off.
• Average Data Rate—The average data rate for non-UDP traffic.
• Burst Data Rate—The peak data rate for non-UDP traffic.
• Average Real-time Rate—The average data rate for UDP traffic.
• Burst Real-time Rate—The peak data rate for UDP traffic.
Step 4
Set the following values in the Over-the-Air QoS group box.
• Maximum QoS RF Usage per AP—The maximum air bandwidth available to clients. The default is 100%.
• QoS Queue Depth—The depth of queue for a class of client. The packets with a greater value are dropped at the access point.
Note
The Air QoS configurations are applicable for controller Version 7.0 and earlier.
Step 5
Set the following values in the Wired QoS Protocol group box.
• Wired QoS Protocol—Choose 802.1P to activate 802.1P priority tags or None to deactivate 802.1P priority flags.
• 802.1P Tag—Choose the 802.1P priority tag for a wired connection, from 0 to 7. This tag is used for traffic and CAPWAP packets.
Step 6
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a User Roles Controller Template
This section describes how to create or modify a template for configuring user roles. User roles determine how much bandwidth the network can use. Four QoS levels (Platinum, Bronze, Gold, and Silver) are available for the bandwidth distribution to Guest Users. Guest Users are associated with predefined roles (Contractor, Customer, Partner, Vendor, Visitor, Other) with respective bandwidth configured by the Admin. These roles can be applied when adding a new Guest User.
To create a template with User Roles information for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > System > User Roles.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Configure the following fields:
• Role Name
• Average Data Rate—The average data rate for non-UDP (User Datagram Protocol) traffic.
• Burst Data Rate—The peak data rate for non-UDP traffic.
• Average Real-time Rate—The average data rate for UDP traffic.
• Burst Real-time Rate—The peak data rate for UDP traffic.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an AP Username Password Controller Template
Create or modify a template for setting an access point username and password. All access points inherit the password as they join the controller and these credentials are used to log into the access point via the console or Telnet/SSH.
The AP Username Password page enables you to set a global password that all access points inherit as they join a controller. When you are adding an access point, you can also choose to accept this global username and password or override it on a per-access point basis.
Also, in controller software Release 5.0, after an access point joins the controller, the access point enables console port security and you are prompted for your username and password whenever you log into the access point console port. When you log in, you are in non-privileged mode and you must enter the enable password to use the privileged mode.
To create a template with AP Username Password information for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > System > AP Username Password.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, enter the AP username and password information.
Note
For Cisco IOS access points, you must also enter and confirm an enable password.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an AP 802.1X Supplicant Credentials Template
You can configure 802.1X authentication between lightweight access points and the switch. The access point acts as an 802.1X supplicant and is authenticated by the switch using EAP-FAST with anonymous PAC provisioning. You can set global authentication settings that all access points inherit as they join the controller. All access points that are currently joined to the controller and any that join in the future are included.
To create or modify an existing AP 802.1X Supplicant Credentials template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > System > AP 802.1X Supplicant Credentials.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Select the Enable check box to enable global supplicant credentials.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Global CDP Configuration Template
Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco network equipment. Each device sends identifying messages to a multicast address, and each device monitors the messages sent by other devices.
CDP is enabled on the Ethernet and radio ports of the bridge by default.
To create a Global CDP Configuration template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > System > Global CDP Configuration.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-2.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Note
The Global Interface CDP configuration is applied only to the APs for which the CDP is enabled at AP level.
Creating a DHCP Template
To create a DHCP template or make modifications to an existing DHCP template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > System > DHCP.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
You can enable or disable DHCP proxy on a global basis rather than on a WLAN basis.
Note
When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from the client to the configured servers. At least one DHCP server must be configured on either the interface associated with the WLAN or on the WLAN itself. DHCP proxy is enabled by default.
Step 5
Enter the DHCP Timeout in seconds, after which the DHCP request times out. The default setting is 5. Allowed values range from 5 to 120 seconds.
Note
DHCP Timeout is applicable for Controller Version 7.0.114.74 and later.
Step 6
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an Interface Group Template
The Interface Group template page allows you to select a list of interfaces and form them into a group.
To create an interface group template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > System > Interface Groups.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Specify the following details:
•
Name—Interface Group name.
•
Description (optional)—A more detailed description of the interface group.
•
Quarantine—Indicates the type of interfaces that can be added to the interface group. If this option is enabled, you can add only interfaces that have a quarantine VLAN ID set. If this option is disabled, you can add only interfaces that do not have a quarantine VLAN ID set.
Step 5
Select the controllers and interfaces that you want to add to the group.
Step 6
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Traffic Stream Metrics QoS Template
Traffic stream metrics are a series of statistics about VoIP over your wireless LAN that inform you of the QoS of the wireless LAN. These statistics are different from the end-to-end statistics provided by VoIP systems. End-to-end statistics provide information on packet loss and latency covering all the links comprising the call path. Traffic stream metrics, however, are statistics for only the WLAN segment of the call. Because of this, system administrators can quickly determine whether audio problems are being caused by the WLAN or by other network elements participating in a call. By observing which access points have impaired QoS, system administrators can quickly determine the physical area where the problem is occurring. This is important when lack of radio coverage or excessive interference is the root problem.
Four QoS values (packet latency, packet jitter, packet loss, and roaming time), which can affect the audio quality of voice calls, are monitored. All the wireless LAN components participate in this process. Access points and clients measure the metrics, access points collect the measurements and then send them to the controller. The access points update the controller with traffic stream metric information every 90 seconds, and 10 minutes of data is stored at one time. The Prime Infrastructure queries the controller for the metrics and displays them in the Traffic Stream Metrics QoS Status. These metrics are compared to threshold values to determine their status level and if any of the statistics are displaying a status level of fair (yellow) or degraded (red), the administrator investigates the QoS of the wireless LAN.
For the access points to collect measurement values, traffic stream metrics must be enabled on the controller.
To create a Traffic Stream Metrics QoS template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > System > Traffic Stream Metrics QoS.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
The Traffic Stream Metrics QoS Controller Configuration page shows several QoS values. An administrator can monitor voice and video quality of the following:
•
Upstream delay
•
Upstream packet loss rate
•
Roaming time
•
Downstream packet loss rate
•
Downstream delay
Packet Loss Rate (PLR) affects the intelligibility of voice. Packet delay can affect both the intelligibility and conversational quality of the connection. Excessive roaming time produces undesired gaps in audio.
There are three levels of measurement:
•
Normal: Normal QoS (green)
•
Fair: Fair QoS (yellow)
•
Degraded: Degraded QoS (red)
System administrators should employ some judgement when setting the green, yellow, and red alarm levels. Some factors to consider are:
•
Environmental factors including interference and radio coverage which can affect PLR.
•
End-user expectations and system administrator requirements for audio quality on mobile devices (lower audio quality can permit greater PLR).
•
Different codec types used by the phones have different tolerance for packet loss.
•
Not all calls are mobile-to-mobile; therefore, some have less stringent PLR requirements for the wireless LAN.
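The status logic described in this section (each metric compared to a fair and a degraded threshold, the worst level deciding whether an access point needs investigation, 90-second reports and a 10-minute retention window) can be written down as a small monitor. The following is an added example, not Prime Infrastructure or controller code: the threshold values, the AP names and the metric reports are constructed for illustration, and the metric field names are assumptions standing in for the five values shown on the Traffic Stream Metrics QoS page.

```python
"""Traffic stream metric (TSM) thresholding: an added example, not Cisco code.

Thresholds, AP names and reports below are constructed. The two timing
constants come from the text: APs report every 90 seconds and 10 minutes of
data is kept at a time.
"""
from collections import defaultdict

REPORT_INTERVAL_S = 90   # APs update the controller every 90 s (from the text)
RETENTION_S = 600        # 10 minutes of data stored at one time (from the text)

# (fair, degraded) thresholds per metric. For all five metrics a larger value
# is worse. These numbers are constructed for the example, not Cisco defaults.
THRESHOLDS = {
    "upstream_delay_ms": (150, 300),
    "upstream_plr_pct": (1.0, 3.0),
    "roaming_time_ms": (100, 200),
    "downstream_plr_pct": (1.0, 3.0),
    "downstream_delay_ms": (150, 300),
}
LEVELS = ("normal", "fair", "degraded")  # green, yellow, red


def classify(metric, value, thresholds=THRESHOLDS):
    """Map one measurement to normal / fair / degraded."""
    fair, degraded = thresholds[metric]
    if value >= degraded:
        return "degraded"
    if value >= fair:
        return "fair"
    return "normal"


def worst(levels):
    """The most severe of a non-empty collection of levels."""
    return max(levels, key=LEVELS.index)


class TsmStore:
    """Keeps the last RETENTION_S seconds of TSM reports per access point."""

    def __init__(self, retention_s=RETENTION_S):
        self.retention_s = retention_s
        self.samples = defaultdict(list)  # ap name -> [(timestamp_s, metrics)]

    def add(self, ap, ts, metrics):
        buf = self.samples[ap]
        buf.append((ts, dict(metrics)))
        # Drop reports that have aged out of the retention window.
        self.samples[ap] = [(t, m) for t, m in buf if ts - t < self.retention_s]

    def status(self, ap):
        """Per-metric status of the latest report, its overall level, and the
        worst level seen anywhere in the retained window."""
        buf = self.samples[ap]
        if not buf:
            return None
        latest = buf[-1][1]
        current = {m: classify(m, v) for m, v in latest.items()}
        window_worst = worst(classify(m, v) for _, ms in buf for m, v in ms.items())
        return {"current": current, "overall": worst(current.values()),
                "window_worst": window_worst}

    def impaired_aps(self):
        """APs whose retained window shows any fair or degraded statistic; these
        are the ones an administrator would investigate."""
        return sorted(ap for ap in self.samples
                      if self.status(ap)["window_worst"] != "normal")


def build_sample_store():
    """Constructed reports: ap-floor2 is healthy; ap-lobby had a loss spike
    and then a slow roam."""
    store = TsmStore()
    good = {"upstream_delay_ms": 40, "upstream_plr_pct": 0.2, "roaming_time_ms": 50,
            "downstream_plr_pct": 0.1, "downstream_delay_ms": 35}
    for i in range(8):  # eight reports 90 s apart span 630 s, more than the window
        store.add("ap-floor2", i * REPORT_INTERVAL_S, good)
    store.add("ap-lobby", 0, good)
    store.add("ap-lobby", 90, dict(good, upstream_plr_pct=4.0))   # loss spike: degraded
    store.add("ap-lobby", 180, dict(good, roaming_time_ms=120))   # slow roam: fair
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for ap in sorted(s.samples):
        print(ap, s.status(ap))
    print("investigate:", s.impaired_aps())
```

Keeping the worst level over the whole window, not just the latest report, is deliberate: a packet-loss spike that lasted one 90-second interval would otherwise be invisible by the time anyone looked at the page.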
Creating a Dynamic Interface Template
To create a dynamic interface template or make modifications to an existing interface configuration:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > System > Dynamic Interface.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-3.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating WLAN Templates
This section contains the following topics:
•
Creating a WLAN Template
•
Creating a WLAN AP Groups Template
Creating a WLAN Template
WLAN templates allow you to define various WLAN profiles for application to different controllers.
You can configure multiple WLANs with the same SSID. This feature enables you to assign different Layer 2 security policies within the same wireless LAN.
These restrictions apply when configuring multiple WLANs with the same SSID:
•
WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in the beacons and probes. These are the available Layer 2 security policies:
–
None (open WLAN)
–
Static WEP or 802.1
–
CKIP
–
WPA/WPA2
•
Broadcast SSID must be enabled on the WLANs that share an SSID so that the access points can generate probe responses for these WLANs.
•
FlexConnect access points do not support multiple SSIDs.
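The three restrictions above are easy to violate when several WLAN templates are built independently and then deployed to the same controller. The following pre-deployment check is an added example, not Prime Infrastructure code: the WLAN records and the FlexConnect AP assignment are constructed sample data, and the field names (name, ssid, l2_security, broadcast_ssid) are assumptions standing in for the template fields. It also takes the page's "Static WEP or 802.1" policy bullet as Static WEP and 802.1X, which is an assumption.

```python
"""Pre-deployment check for WLAN templates that share an SSID.

Added example, not Prime Infrastructure code. The WLAN records and the
FlexConnect assignment below are constructed; field names are assumptions.
"""
from collections import defaultdict

# Layer 2 security policies listed in the restrictions above. The page's
# "Static WEP or 802.1" bullet is taken here as Static WEP and 802.1X (assumption).
L2_POLICIES = {"None", "Static WEP", "802.1X", "CKIP", "WPA/WPA2"}

# Constructed sample WLAN templates: three WLANs share the SSID "corpnet".
SAMPLE_WLANS = [
    {"name": "corp-open", "ssid": "corpnet", "l2_security": "None", "broadcast_ssid": True},
    {"name": "corp-wpa2", "ssid": "corpnet", "l2_security": "WPA/WPA2", "broadcast_ssid": True},
    # Same SSID and same Layer 2 policy as corp-wpa2, and SSID broadcast is off:
    {"name": "corp-wpa2-b", "ssid": "corpnet", "l2_security": "WPA/WPA2", "broadcast_ssid": False},
    # Alone on its SSID, so the shared-SSID restrictions do not apply to it.
    {"name": "guest", "ssid": "guestnet", "l2_security": "None", "broadcast_ssid": False},
]


def validate_shared_ssids(wlans, flexconnect_assignments=None):
    """Return a list of (object_name, problem) tuples; an empty list means the
    templates satisfy the shared-SSID restrictions.

    flexconnect_assignments maps a FlexConnect AP name to the WLAN names it
    carries (constructed structure, not a Prime Infrastructure object)."""
    problems = []
    by_ssid = defaultdict(list)
    by_name = {}
    for w in wlans:
        by_ssid[w["ssid"]].append(w)
        by_name[w["name"]] = w
        if w["l2_security"] not in L2_POLICIES:
            problems.append((w["name"], f"unknown Layer 2 security policy {w['l2_security']!r}"))

    shared_ssids = {s for s, group in by_ssid.items() if len(group) > 1}
    for ssid in shared_ssids:
        policy_owner = {}  # Layer 2 policy -> first WLAN using it on this SSID
        for w in by_ssid[ssid]:
            policy = w["l2_security"]
            if policy in policy_owner:
                # Clients select a WLAN from beacons/probes by its Layer 2 policy,
                # so two WLANs with the same SSID and policy are indistinguishable.
                problems.append((w["name"],
                                 f"SSID {ssid!r} already uses {policy!r} on WLAN {policy_owner[policy]!r}"))
            else:
                policy_owner[policy] = w["name"]
            if not w.get("broadcast_ssid", False):
                problems.append((w["name"],
                                 f"Broadcast SSID must be enabled on every WLAN sharing SSID {ssid!r}"))

    # FlexConnect access points do not support multiple WLANs with the same SSID.
    for ap, wlan_names in (flexconnect_assignments or {}).items():
        ssids = [by_name[n]["ssid"] for n in wlan_names if n in by_name]
        for ssid in shared_ssids:
            if ssids.count(ssid) > 1:
                problems.append((ap, f"FlexConnect AP carries more than one WLAN with SSID {ssid!r}"))
    return problems


if __name__ == "__main__":
    findings = validate_shared_ssids(SAMPLE_WLANS, {"flex-ap-1": ["corp-open", "corp-wpa2"]})
    for name, problem in findings:
        print(f"{name}: {problem}")
```

Run against the constructed templates, the check flags corp-wpa2-b twice (duplicate policy on a shared SSID, and SSID broadcast disabled) and flags flex-ap-1 for carrying two "corpnet" WLANs; the lone guest WLAN is left alone because the restrictions only apply to WLANs that share an SSID.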
To create a WLAN template or make modifications to an existing WLAN template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Template Detail section:
•
Select the General tab and complete the fields as described in Table 31-5.
•
Select the Security tab and complete the fields as described in Table 31-6.
•
Select the QoS tab and complete the field as described in Table 31-7.
•
Select the Advanced tab and complete the fields as described in Table 31-8.
•
Select the Hot Spot tab and complete the field as described in Table 31-9.
Step 4
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating Mobile Concierge (802.11u) Groups
Mobile Concierge is a solution that enables 802.1X-capable clients to interwork with external networks. The Mobile Concierge feature provides service availability information to clients and can help them associate with available networks.
The services offered by the network can be broadly classified into two protocols:
•
802.11u MSAP
•
802.11u HotSpot 2.0
The following guidelines and limitations apply to Mobile Concierge:
•
Mobile Concierge is not supported on FlexConnect Access Points.
•
802.11u configuration upload is not supported. If you perform a configuration upgrade and upload a configuration on the controller, the HotSpot configuration on the WLANs is lost.
To create Mobile Concierge (802.11u) Groups:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > WLANs > WLAN Configuration.
Step 2
Click the Hot Spot tab. See Table 31-9.
Step 3
Click Save As New Template.
Creating a WLAN AP Groups Template
Site-specific VLANs or AP groups limit the broadcast domains to a minimum by segmenting a WLAN into different broadcast domains. Benefits include more effective management of load balancing and bandwidth allocation.
To create WLAN AP Groups:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > WLANs > AP Group VLANs.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
This page displays a summary of the AP groups configured on your network. In this page, you can add, remove, edit, or view details of an AP group. Click in the Edit column to edit its access point(s). Select the check box in the WLAN Profile Name column, and click Remove to delete WLAN profiles.
Note
The Description text box accepts a maximum of 256 characters.
Adding Access Point Groups
You can create or modify a template for dividing the WLAN profiles into AP groups.
To create a new access point group:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > WLANs > AP Group VLANs.
Step 2
If you want to add a WLAN profile, click the WLAN Profiles tab and configure the following fields:
a.
Click Add.
Note
To display all available WLAN profile names, delete the current WLAN profile name from the text box. When the current WLAN profile name is deleted from the text box, all available WLAN profiles appear in the drop-down list.
Note
Each access point is limited to 16 WLAN profiles. Each access point broadcasts all WLAN profiles unless the WLAN override feature is enabled. The WLAN override feature allows you to disable any of the 16 WLAN profiles per access point.
Note
The WLAN override feature applies only to older controllers that do not support the 512 WLAN feature (can support up to 512 WLAN profiles).
b.
Type a WLAN profile name or choose one from the WLAN Profile Name drop-down list.
c.
Enter an interface/interface group or choose one from the Interface/Interface Group drop-down list.
Note
To display all available interfaces, delete the current interface from the Interface text box. When the current interface is deleted from the Interface text box, all available interfaces appear in the drop-down list.
d.
Select the NAC Override check box, if applicable. The NAC override feature is disabled by default.
e.
When access points and WLAN profiles are added, click Save.
Step 3
If you want to add a RF profile, click the RF Profiles tab, and configure the following fields:
•
802.11a—Drop-down list from which you can choose an RF profile for APs with 802.11a radios.
•
802.11b—Drop-down list from which you can choose an RF profile for APs with 802.11b radios.
•
When RF profiles are added, click Save.
Creating FlexConnect Templates
This section contains the following topics:
•
Creating a FlexConnect AP Groups Template
•
Creating FlexConnect Users
Creating a FlexConnect AP Groups Template
FlexConnect enables you to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. There is no deployment restriction on the number of FlexConnect access points per location, but you can organize and group the access points per floor and limit them to 25 or so per building, because it is likely the branch offices share the same configuration.
To set up a FlexConnect AP group:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > FlexConnect > FlexConnect AP Groups.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-10.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating FlexConnect Users
Note
You can create FlexConnect users only after you save the FlexConnect AP Group.
Note
A maximum of 100 FlexConnect users are supported in controller version 5.2.x.x and later. Controller version 5.2.0.0 and earlier supports only 20 FlexConnect users.
To create a FlexConnect user:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > FlexConnect > FlexConnect AP Groups.
Step 2
Click the FlexConnect Configuration tab to enable local authentication for a FlexConnect group.
Step 3
Select the FlexConnect Local Authentication check box to enable local authentication for this FlexConnect group.
Step 4
Click the Users configured in the group link. The FlexConnect Users page appears.
Step 5
If you want to add a new user, choose Add User from the Select a command drop-down list, and click Go. The Add User page appears.
Step 6
In the User Name text box, enter the FlexConnect username.
Step 7
In the Password text box, enter the password.
Step 8
Reenter the password in the Confirm Password text box.
Step 9
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating Security Templates
This section contains the following topics:
•
Creating a General Security Controller Template
•
Creating a Security Password Policy Template
•
Creating a RADIUS Authentication Template
•
Creating a RADIUS Accounting Template
•
Creating a RADIUS Fallback Template
•
Creating an LDAP Server Template
•
Creating a TACACS+ Server Template
•
Creating a Local EAP General Template
•
Creating a Local EAP Profile Template
•
Creating an EAP-FAST Template
•
Creating a Network User Priority Template
•
Creating a User Login Policies Template
•
Creating an Access Control List Template
•
Creating a Manually Disabled Client Template
Creating a General Security Controller Template
To create a new template with general security information for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > AAA > General.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Add or modify the following fields:
•
Template Name
Note
Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
•
Maximum Local Database Entries (on next reboot)—Enter the maximum number of allowed database entries. This amount becomes effective on the next reboot.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a RADIUS Authentication Template
This page allows you to add a RADIUS authentication template or make modifications to an existing template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.
To create a RADIUS Authentication template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > AAA > RADIUS Auth Servers.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-11.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a RADIUS Accounting Template
This page allows you to add a RADIUS accounting template or make modifications to an existing RADIUS accounting template.
To create a RADIUS Accounting template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > RADIUS Auth Servers.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Use the Shared Secret Format drop-down list to choose either ASCII or hexadecimal.
Note
Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.
Step 5
Enter the RADIUS shared secret used by your specified server.
Step 6
Retype the shared secret.
Step 7
Click if you want to establish administrative privileges for the server.
Step 8
Click if you want to enable the network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.
Step 9
Specify the time in seconds after which the RADIUS authentication request times out and a retransmission by the controller occurs. You can specify a value between 2 and 30 seconds.
Step 10
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a RADIUS Fallback Template
This page allows you to add a RADIUS fallback template or make modifications to an existing RADIUS fallback template.
To configure a RADIUS Fallback template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > RADIUS Auth Servers.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
From the RADIUS Fallback Mode drop-down list, choose Off, Passive, or Active.
•
Off—Disables fallback.
•
Passive—You must enter a time interval.
•
Active—You must enter a username and time interval.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an LDAP Server Template
This section explains how to configure a Lightweight Directory Access Protocol (LDAP) server as a backend database, similar to a RADIUS or local user database. An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user. For example, local EAP might use an LDAP server as its backend database to retrieve user credentials.
To create an LDAP server template or make modifications to an existing LDAP server template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > AAA > LDAP Servers.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-12.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a TACACS+ Server Template
This page allows you to add a TACACS+ server or make modifications to an existing TACACS+ server template. After these server templates are configured, controller users who log into the controller through the CLI or GUI are authenticated.
To create a TACACS+ Server template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > AAA > TACACS+ Servers.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-13.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Local EAP General Template
This page allows you to specify a timeout value for local EAP. You can then add or make changes to an existing local EAP general template.
Note
If any RADIUS servers are configured on the controller, the controller tries to authenticate the wireless clients using the RADIUS servers first. Local EAP is attempted only if no RADIUS servers are found, either because the RADIUS servers timed out or no RADIUS servers were configured. If four RADIUS servers are configured, the controller attempts to authenticate the client with the first RADIUS server, then the second RADIUS server, and then local EAP. If the client attempts to then reauthenticate manually, the controller tries the third RADIUS server, then the fourth RADIUS server, and then local EAP.
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Local EAP > General - Local EAP.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-14.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Local EAP Profile Template
This page allows you to add a local EAP profile template or make modifications to an existing template. Local EAP is an authentication method that allows users and wireless clients to be authenticated locally. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, thereby removing dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users.
Note
The LDAP backend database supports only these local EAP methods: EAP-TLS and EAP-FAST with certificates. LEAP and EAP-FAST with PACs are not supported for use with the LDAP backend database.
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Local EAP > Local EAP Profiles.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-15.
Step 5
Click Save As New Template.
Step 6
To enable local EAP:
a.
Choose WLAN > WLAN Configuration from the left sidebar menu.
b.
Click the profile name of the desired WLAN.
c.
Choose the Security > AAA Servers tab to access the AAA Servers page.
d.
Select the Local EAP Authentication check box to enable local EAP for this WLAN.
Step 7
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an EAP-FAST Template
This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1X EAP mutual authentication. A username, password, and PAC are used to perform mutual authentication with the RADIUS server through the access point. This page allows you to add an EAP-FAST template or make modifications to an existing EAP-FAST template.
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Local EAP > EAP-FAST Parameters.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-16.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Network User Priority Template
You can specify the order that LDAP and local databases use to retrieve user credential information. This page allows you to add or make modifications to an existing network user credential retrieval priority template.
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Local EAP > Network Users Priority.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Use the left and right pointing arrows to include or exclude network user credentials in the right page.
Step 5
Use the up and down buttons to determine the order credentials are tried.
Step 6
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating Wireless Protection Policies Templates
This section contains the following topics:
•
Creating a Rogue Policies Template
•
Creating a Rogue AP Rules Template
•
Creating a Rogue AP Rule Groups Template
•
Creating a Friendly Access Point Template
Creating a Rogue Policies Template
This page enables you to configure the rogue policy (for access points and clients) applied to the controller.
To create or modify an existing template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Wireless Protection Policies > Rogue Policies.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-17.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Rogue AP Rules Template
Rogue access point rules allow you to define rules to automatically classify rogue access points. Prime Infrastructure applies the rogue access point classification rules to the controllers. These rules can limit the appearance of a rogue on maps based on RSSI level (weaker rogue access points are ignored) and time limit (a rogue access point is not flagged unless it is seen for the indicated period of time).
Note
Rogue access point rules also help reduce false alarms.
Note
Rogue classes include the following types:
Malicious Rogue—A detected access point that matches the user-defined malicious rules or has been manually moved from the Friendly AP category.
Friendly Rogue—Known, acknowledged, or trusted access point or a detected access point that matches user-defined friendly rules.
Unclassified Rogue—A detected access point that does not match the malicious or friendly rules.
To create a new classification rule template for rogue access points:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Wireless Protection Policies > Rogue AP Rules.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the General group box, configure the following fields:
•
Rule Name—Enter a name for the rule in the text box.
•
Rule Type—Choose Malicious or Friendly from the drop-down list. A rogue is considered malicious if a detected access point matches the user-defined malicious rules or has been manually moved from the Friendly AP category. A rogue is considered friendly if it is a known, acknowledged, or trusted access point or a detected access point that matches the user-defined Friendly rules.
•
Match Type—Choose Match All Conditions or Match Any Condition from the drop-down list.
Step 5
In the Malicious Rogue Classification Rule group box of the page, configure the following fields.
•
Open Authentication—Select the check box to enable open authentication.
•
Match Managed AP SSID—Select the check box to enable the matching of a Managed AP SSID.
Note
Managed SSIDs are the SSIDs configured for the WLAN and known to the system.
•
Match User Configured SSID—Select the check box to enable the matching of User Configured SSIDs.
Note
User Configured SSIDs are the SSIDs that are manually added. Enter the User Configured SSIDs (one per line) in the Match User Configured SSID text box.
•
Minimum RSSI—Select the check box to enable the Minimum RSSI threshold limit.
Note
Enter the minimum RSSI threshold level (dB) in the text box. The detected access point is classified as malicious if it is detected above the indicated RSSI threshold.
•
Time Duration—Select the check box to enable the Time Duration limit.
Note
Enter the time duration limit (in seconds) in the text box. The detected access point is classified as malicious if it is viewed for a longer period of time than the indicated time limit.
•
Minimum Number Rogue Clients—Select the check box to enable the Minimum Number Rogue Clients limit. Enter the minimum number of rogue clients allowed. The detected access point is classified as malicious if the number of clients associated to the detected access point is greater than or equal to the indicated value.
Step 6
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Rogue AP Rule Groups Template
A rogue access point rule group template allows you to combine more than one rogue access point rule into a group and apply that group to controllers.
To view current rogue access point rule group templates or create a new rule group:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Wireless Protection Policies > Rogue AP Rule Groups.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Enter a name for the rule group in the General group box of the page.
Step 5
To add a Rogue AP rule, click to highlight the rule in the left column. Click Add to move the rule to the right column.
Note
Rogue access point rules can be added from the Rogue Access Point Rules section. See the "Creating a Rogue AP Rules Template" section for more information.
Step 6
To remove a rogue access point rule, click to highlight the rule in the right column. Click Remove to move the rule to the left column.
Step 7
Use the Move Up/Move Down buttons to specify the order in which the rules apply. Highlight the desired rule and click Move Up or Move Down to move it higher or lower in the current list.
Step 8
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
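As an added example, not code from this guide or from Prime Infrastructure, the following Python models the classification conditions of the Rogue AP Rules template above and the ordered evaluation of a Rogue AP Rule Group; the observation field names, the managed SSID list, the rules and the sample rogues are constructed, and a rule with no enabled condition is assumed never to match.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed: SSIDs configured on the WLANs, i.e. the Managed AP SSIDs known to the system.
MANAGED_SSIDS = {"corp-wifi", "corp-guest"}


@dataclass
class RogueObservation:
    """One rogue access point as reported by a controller (constructed field names)."""
    mac: str
    ssid: str
    open_auth: bool        # rogue advertises open authentication
    rssi_dbm: int          # strongest RSSI at which a managed AP detected it
    seen_seconds: int      # how long the rogue has been seen
    client_count: int      # clients associated to the rogue


@dataclass
class RogueRule:
    """One Rogue AP Rules template: General settings plus the classification conditions.

    A condition is enabled by giving it a value; None (or False) means its check box is clear.
    """
    name: str
    rule_type: str                                  # "Malicious" or "Friendly"
    match_all: bool = True                          # Match All Conditions / Match Any Condition
    open_authentication: bool = False
    match_managed_ap_ssid: bool = False
    user_configured_ssids: Optional[List[str]] = None
    minimum_rssi: Optional[int] = None              # dB, as the template labels it
    time_duration: Optional[int] = None             # seconds
    minimum_rogue_clients: Optional[int] = None

    def conditions(self) -> List[Callable[[RogueObservation], bool]]:
        """Return the enabled conditions as predicates, worded as the template describes them."""
        conds: List[Callable[[RogueObservation], bool]] = []
        if self.open_authentication:
            conds.append(lambda r: r.open_auth)
        if self.match_managed_ap_ssid:
            conds.append(lambda r: r.ssid in MANAGED_SSIDS)
        if self.user_configured_ssids is not None:
            ssids = set(self.user_configured_ssids)
            conds.append(lambda r: r.ssid in ssids)
        if self.minimum_rssi is not None:
            conds.append(lambda r: r.rssi_dbm > self.minimum_rssi)          # detected above threshold
        if self.time_duration is not None:
            conds.append(lambda r: r.seen_seconds > self.time_duration)     # seen longer than limit
        if self.minimum_rogue_clients is not None:
            conds.append(lambda r: r.client_count >= self.minimum_rogue_clients)
        return conds

    def matches(self, rogue: RogueObservation) -> bool:
        conds = self.conditions()
        if not conds:
            return False     # assumption: a rule with no enabled condition classifies nothing
        results = [cond(rogue) for cond in conds]
        return all(results) if self.match_all else any(results)


def classify(rogue: RogueObservation, rule_group: List[RogueRule]) -> str:
    """Apply the rules in rule-group order; the first matching rule decides, else Unclassified."""
    for rule in rule_group:
        if rule.matches(rogue):
            return rule.rule_type
    return "Unclassified"


# Constructed rule group: a Friendly rule for a partner's APs seen at usable signal strength,
# followed by a Malicious rule for SSID spoofing or rogues that attract several clients.
SAMPLE_RULE_GROUP = [
    RogueRule("partner-aps", "Friendly", match_all=True,
              user_configured_ssids=["partner-net"], minimum_rssi=-80),
    RogueRule("spoof-or-busy", "Malicious", match_all=False,
              match_managed_ap_ssid=True, minimum_rogue_clients=3),
]

# Constructed rogue reports (locally administered MAC addresses).
SAMPLE_ROGUES = [
    RogueObservation("02:00:00:00:00:01", "corp-wifi", True, -50, 600, 0),
    RogueObservation("02:00:00:00:00:02", "partner-net", False, -70, 120, 2),
    RogueObservation("02:00:00:00:00:03", "partner-net", False, -90, 120, 1),
    RogueObservation("02:00:00:00:00:04", "cafe-free", True, -60, 30, 5),
]


def classify_report(rogues: List[RogueObservation],
                    rule_group: List[RogueRule] = SAMPLE_RULE_GROUP) -> Dict[str, str]:
    """Classify every reported rogue, keyed by MAC address."""
    return {r.mac: classify(r, rule_group) for r in rogues}


if __name__ == "__main__":
    for mac, verdict in classify_report(SAMPLE_ROGUES).items():
        print(mac, verdict)
```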
Creating a Friendly Access Point Template
This template allows you to import friendly internal access points. Importing these friendly access points prevents non-lightweight access points from being falsely identified as rogues.
Note
Friendly Internal access points were previously referred to as Known APs.
Note
The Friendly AP page identifies the MAC address of an access point, status, any comments, and whether or not the alarm is suppressed for this access point.
To view or edit the current list of friendly access points:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Wireless Protection Policies > Friendly AP.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Friendly access points can be added by either importing the access point or manually entering the access point information:
•
To import an access point using the Import feature do the following:
–
Select the Import from File check box.
–
Enter the file path or click Browse to navigate to the correct file.
Note
Use a line break to separate MAC addresses. For example, enter the MAC addresses as follows:
00:00:11:22:33:44
00:00:11:22:33:45
00:00:11:22:33:46
•
To manually add an access point, do the following:
–
Unselect the Import from File check box.
–
Enter the MAC address for the access point.
–
Choose Internal access point from the Status drop-down list.
–
Enter a comment regarding this access point, if necessary.
–
Select the Suppress Alarms check box to suppress all alarms for this access point.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an Ignored Rogue AP Template
The Ignored Rogue AP Template page allows you to create or modify a template for importing ignored access points. Access points in the Ignored AP list are not identified as rogues.
Note
An Ignored Rogue AP template is not applied to any controller. When a controller reports a rogue AP to Prime Infrastructure, the Rogue AP/Adhoc alarm is suppressed if the rogue MAC address is in the Ignored Rogue AP template, and the MAC address is added to the Rogue AP Ignore-List on the controller.
To create or edit the Ignored Rogue access points:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Wireless Protection Policies > Ignored Rogue AP.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
The Ignored Rogue access points can be added by either importing the access point or manually entering the access point information:
•
To import an ignored rogue access point using the Import feature:
–
Select the Import from File check box.
–
Enter the file path or use the Browse button to navigate to the correct file. The import file must be a CSV file with MAC address (one MAC Address per line).
Note
For example, enter the MAC addresses as follows:
00:00:11:22:33:44
00:00:11:22:33:45
00:00:11:22:33:46
•
To manually add an ignored rogue access point:
–
Unselect the Import from File check box.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a File Encryption Template
This page enables you to add a file encryption template or make modifications to an existing file encryption template.
To create a File Encryption template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > File Encryption.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Check if you want to enable file encryption.
Step 5
Enter an encryption key text string of exactly 16 ASCII characters.
Step 6
Retype the encryption key.
Step 7
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Security Password Policy Template
This page enables you to determine your security password policy.
To create or make modifications to an existing password policy template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Password Policy.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Enter the template name.
Step 5
You can enable or disable the following settings:
•
Password must contain characters from at least 3 different classes such as uppercase letters, lowercase letters, digits, and special characters.
•
No character can be repeated more than 3 times consecutively.
•
Password cannot be the default words like cisco, admin.
Note
Password cannot be "cisco", "ocsic", "admin", "nimda" or any variant obtained by changing the capitalization of letters, or by substituting "1", "|" or "!" for "i", or substituting "0" for "o", or substituting "$" for "s".
•
Password cannot contain username or reverse of username.
Step 6
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
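As an added example, not code from this guide or from Prime Infrastructure, the following Python implements the four settings of the Security Password Policy template as independent checks that can each be enabled or disabled; the check names and the policy dictionary are constructed, and the default-word rule is read as the text states it (the password, after undoing the listed substitutions and capitalization, may not be one of the four words).

```python
import re
import string
from typing import Dict, List, Optional

# Default words the policy rejects; "ocsic" and "nimda" are the reversals listed in the Note.
DEFAULT_WORDS = ("cisco", "ocsic", "admin", "nimda")

# Substitutions listed in the Note, mapped back to the letter they stand for.
SUBSTITUTIONS = str.maketrans({"1": "i", "|": "i", "!": "i", "0": "o", "$": "s"})


def has_three_character_classes(password: str) -> bool:
    """Characters from at least 3 of: uppercase, lowercase, digits, special characters."""
    classes = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes) >= 3


def has_no_long_repeat(password: str) -> bool:
    """No character repeated more than 3 times consecutively (4 in a row fails)."""
    return re.search(r"(.)\1{3,}", password) is None


def is_not_default_word(password: str) -> bool:
    """Reject cisco/ocsic/admin/nimda and their capitalization or substitution variants."""
    normalised = password.lower().translate(SUBSTITUTIONS)
    return normalised not in DEFAULT_WORDS


def does_not_contain_username(password: str, username: str) -> bool:
    """Reject passwords containing the username or its reverse (case-insensitively)."""
    if not username:
        return True
    pw, user = password.lower(), username.lower()
    return user not in pw and user[::-1] not in pw


def check_password(password: str, username: str,
                   policy: Optional[Dict[str, bool]] = None) -> List[str]:
    """Return the names of the enabled checks the password fails (empty list = accepted).

    policy maps a check name to True/False, like the template's enable/disable settings;
    a check missing from the dictionary is treated as enabled. (Constructed names.)
    """
    policy = policy or {}
    checks = {
        "three_classes": lambda: has_three_character_classes(password),
        "no_repeat": lambda: has_no_long_repeat(password),
        "not_default": lambda: is_not_default_word(password),
        "no_username": lambda: does_not_contain_username(password, username),
    }
    return [name for name, check in checks.items() if policy.get(name, True) and not check()]


if __name__ == "__main__":
    # "C1$c0" normalises to "cisco", so it is rejected as a default-word variant.
    print(check_password("C1$c0", "bob"))
```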
Creating a User Login Policies Template
This page allows you to add a user login template or make modifications to an existing user login policies template. On this template you set the maximum number of concurrent logins that each single user can have.
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > User Login Policies.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
You can adjust the maximum number of concurrent logins each single user can have.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Manually Disabled Client Template
This page allows you to add a manually disabled client template or make modifications to an existing disabled client template.
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Manually Disabled Clients.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Enter the MAC address of the client you want to disable.
Step 5
Enter a description of the client you are setting to disabled.
Step 6
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Note
You cannot use a MAC address in the broadcast range.
Creating an Access Control List Template
You can create or modify an ACL template for configuring the type of traffic that is allowed, by protocol, direction, and the source or destination of the traffic.
An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you want to restrict a wireless client from pinging the management interface of the controller). ACLs can be applied to data traffic to and from wireless clients or to all traffic destined for the controller Central Processing Unit (CPU) and can now support reusable grouped IP addresses and reusable protocols. After ACLs are configured in the template, they can be applied to the management interface, the AP-manager interface, or any of the dynamic interfaces for client data traffic; to the Network Processing Unit (NPU) interface for traffic to the controller CPU; or to a WAN.
This release of Prime Infrastructure provides support for IPv6 ACLs.
To create or modify an existing ACL template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Access Control Lists.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In this page, specify the following fields:
•
Access Control List Name—User-defined name of the template.
•
ACL Type—Choose either IPv4 or IPv6.
Note
IPv6 ACL is supported from controller Version 7.2.x.
Step 5
To create reusable grouped IP addresses and protocols, choose Access Control > IP Groups from the left sidebar menu.
Step 6
All the IP address groups are listed. One IP address group can have a maximum of 128 IP address and netmask combinations. To define a new IP address group, choose Add IP Group from the Select a command drop-down list, and click Go. To view or modify an existing IP address group, click the URL of the IP address group. The IP address group page opens.
Note
An any group, matching the IP address any, is predefined.
Step 7
In the ACL IP Groups details page you can edit the current IP group fields.
•
IP Group Name
•
IP Address
•
Netmask OR CIDR Notation—Enter the Netmask or CIDR Notation and then click Add. The list of IP addresses or Netmasks appears in the List of IP Address/Netmasks text box.
CIDR notation allows you to add a large number of clients that exist in a subnet range by configuring a single client object.
Netmask allows you to set the subnet mask in dotted-decimal notation rather than the CIDR notation for the IP address property.
–
Netmask—A range of IP addresses defined so that only machines with IP addresses within the range are allowed to access an Internet service.
–
CIDR—Classless InterDomain Routing. A protocol which allows the assignment of Class C IP addresses in multiple contiguous blocks.
•
BroadCast/Network
•
List of IP Addresses/Netmasks—Use the Move Up and Move Down buttons to rearrange the order of the list items. Use the Delete button to delete any IP address or Netmask.
Step 8
To define an additional protocol that is not a standard predefined one, choose Access Control > Protocol Groups from the left sidebar menu. The protocol groups with their source and destination port and DSCP are displayed.
Step 9
To create a new protocol group, choose Add Protocol Group from the Select a command drop-down list, and click Go. To view or modify an existing protocol group, click the URL of the group. The Protocol Groups page appears.
Step 10
The rule name is provided for the existing rules, or you can now enter a name for a new rule. ACLs are not required to have rules defined. When a packet matches all the parameters of a rule, the action for this rule is exercised.
Step 11
Choose a protocol from the drop-down list:
•
Any—All protocols
•
TCP—Transmission Control Protocol
•
UDP—User Datagram Protocol
•
ICMP—Internet Control Message Protocol
•
ESP—IP Encapsulating Security Payload
•
AH—Authentication Header
•
GRE—Generic Routing Encapsulation
•
IP—Internet Protocol
•
Eth Over IP—Ethernet over Internet Protocol
•
Other Port OSPF—Open Shortest Path First
•
Other—Any other IANA protocol (http://www.iana.org/)
Step 12
Some protocol choices (such as TCP or UDP) cause additional Source Port and Dest Port GUI elements to appear.
•
Source Port—Specify the source of the packets to which this ACL applies. The choices are Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other, and Port Range.
•
Dest Port—Specify the destination of the packets to which this ACL applies. The choices are Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other, and Port Range.
Step 13
From the DSCP (Differentiated Services Code Point) drop-down list, choose any or specific. If you choose specific, enter the DSCP (range of 0 to 255).
Note
DSCP is a packet header code that can be used to define the quality of service across the Internet.
Step 14
Click Save.
Step 15
You can now create new mappings from the defined IP address groups and protocol groups. To define a new mapping, choose the ACL template to which you want to map the new groups. All ACL mappings appear on the top of the page, and all ACL rules appear on the bottom.
Step 16
To define a new mapping, choose Add Rule Mappings from the Select a command drop-down list. The Add Rule Mapping page appears.
Step 17
Configure the following fields:
•
Source IP Group—Predefined groups for IPv4 and IPv6.
•
Destination IP Group—Predefined groups for IPv4 and IPv6.
•
Protocol Group—Protocol group to use for the ACL.
•
Direction—Any, Inbound (from client) or Outbound (to client).
•
Action—Deny or Permit. The default filter is to deny all access unless a rule explicitly permits it.
Step 18
Click Add. The new mappings populate the bottom table.
Step 19
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Step 20
You can now automatically generate rules from the rule mappings you created. Choose the mappings for which you want to generate rules, and click Generate. This automatically creates the rules. These rules are generated with contiguous sequence. That is, if rules 1 through 4 are already defined and you add rule 29, it is added as rule 5.
Existing ACL templates are duplicated into a new ACL template. This duplication clones all the ACL rules and mappings defined in the source ACL template.
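As an added example, not code from this guide or from Prime Infrastructure, the following Python evaluates an ACL assembled the way the template describes: IP groups built from netmask or CIDR entries (plus the predefined any group), protocol groups with optional port ranges and DSCP, and ordered rule mappings with direction and action that default to deny. The group names, addresses and packets are constructed; the sample ACL implements the page's own scenario of stopping wireless clients from pinging the management interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Fields of a packet that an ACL rule mapping inspects (constructed)."""
    src: str
    dst: str
    protocol: str               # "ICMP", "TCP", "UDP", ...
    src_port: int = 0
    dst_port: int = 0
    dscp: int = 0
    direction: str = "Inbound"  # "Inbound" (from client) or "Outbound" (to client)


def ip_group(*entries: str) -> List[ipaddress._BaseNetwork]:
    """Build an IP group from "addr/prefix" (CIDR) or "addr/netmask" entries.

    ipaddress accepts both notations; the UI caps a group at 128 combinations.
    """
    if len(entries) > 128:
        raise ValueError("an IP address group holds at most 128 address/netmask combinations")
    return [ipaddress.ip_network(e, strict=False) for e in entries]


# The predefined "any" group, covering both IPv4 and IPv6 ACL types.
ANY_GROUP = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def in_group(addr: str, group) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in group)


@dataclass
class ProtocolGroup:
    """A protocol plus optional source/destination port ranges and DSCP."""
    protocol: str                               # "Any", "TCP", "UDP", "ICMP", ...
    src_port: Optional[Tuple[int, int]] = None  # None = Any, else inclusive range
    dst_port: Optional[Tuple[int, int]] = None
    dscp: Optional[int] = None                  # None = any

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "Any" and pkt.protocol != self.protocol:
            return False
        for rng, value in ((self.src_port, pkt.src_port), (self.dst_port, pkt.dst_port)):
            if rng is not None and not rng[0] <= value <= rng[1]:
                return False
        return self.dscp is None or self.dscp == pkt.dscp


@dataclass
class RuleMapping:
    """Source group, destination group, protocol group, direction and action."""
    src_group: list
    dst_group: list
    proto_group: ProtocolGroup
    direction: str = "Any"      # "Any", "Inbound" or "Outbound"
    action: str = "Deny"        # "Deny" or "Permit"

    def matches(self, pkt: Packet) -> bool:
        return (in_group(pkt.src, self.src_group)
                and in_group(pkt.dst, self.dst_group)
                and self.proto_group.matches(pkt)
                and self.direction in ("Any", pkt.direction))


def evaluate(acl: List[RuleMapping], pkt: Packet) -> str:
    """Rules apply in sequence; the first match decides. Default: deny unless permitted."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "Deny"


# Constructed sample: wireless clients may not ping the management interface but may still
# reach DNS and HTTPS anywhere. Addresses are private, documentation-style values.
CLIENTS = ip_group("10.20.0.0/255.255.0.0")      # netmask notation
MGMT = ip_group("10.1.1.10/32")                  # CIDR notation
SAMPLE_ACL = [
    RuleMapping(CLIENTS, MGMT, ProtocolGroup("ICMP"), "Inbound", "Deny"),
    RuleMapping(CLIENTS, ANY_GROUP, ProtocolGroup("UDP", dst_port=(53, 53)), "Inbound", "Permit"),
    RuleMapping(CLIENTS, ANY_GROUP, ProtocolGroup("TCP", dst_port=(443, 443)), "Inbound", "Permit"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, Packet("10.20.5.7", "10.1.1.10", "ICMP")))
```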
Creating a CPU Access Control List (ACL) Template
Note
CPU ACL configuration with IPv6 is not supported in this release because all IP addresses of controllers on interfaces use IPv4 except the virtual interface.
The existing ACLs established in the "Creating a FlexConnect Access Control List Template" section are used to set traffic controls between the Central Processing Unit (CPU) and Network Processing Unit (NPU).
To create or modify an existing CPU ACL template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > CPU Access Control List.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
If you select the check box to enable CPU ACL, two more fields appear. When CPU ACL is enabled and applied on the controller, Prime Infrastructure displays the details of the CPU ACL against that controller.
Step 5
From the ACL Name drop-down list, choose a name from the list of defined names.
Step 6
From the CPU ACL Mode drop-down list, choose which data traffic direction this CPU ACL list controls. The choices are the wired side of the data traffic, the wireless side of the data traffic, or both wired and wireless.
Step 7
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a FlexConnect Access Control List Template
To create and apply an Access Control List template to a Controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > FlexConnect ACLs.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Enter a name for the new FlexConnect ACL in the FlexConnect ACL Name text box.
Step 5
Click Save.
A FlexConnect ACL template is created. You can now create new mappings from the defined IP address groups and protocol groups. To define a new mapping, choose the ACL template to which you want to map the new groups. All FlexConnect ACL mappings appear at the top of the page, and all FlexConnect ACL rules appear at the bottom.
Step 6
From the Select a command drop-down list, choose Add Rule Mappings, and click Go.
Step 7
The FlexConnect ACL IP Protocol Map page appears.
Step 8
Configure the following fields:
•
Source IP Group—Predefined groups for IPv4 and IPv6.
•
Destination IP Group—Predefined groups for IPv4 and IPv6.
•
Protocol Group—Protocol group to use for the ACL.
•
Action—Deny or Permit. The default filter is to deny all access unless a rule explicitly permits it.
Step 9
Click Add. The new mappings populate the bottom table.
Step 10
Click Save.
Step 11
You can now automatically generate rules from the rule mappings you created. Choose the mappings for which you want to generate rules, and click Generate. This automatically creates the rules. These rules are generated with contiguous sequence. That is, if rules 1 through 4 are already defined and you add rule 29, it is added as rule 5.
Existing FlexConnect ACL templates are duplicated into a new FlexConnect ACL template. This duplication clones all the FlexConnect ACL rules and mappings defined in the source FlexConnect ACL template.
Step 12
From the Select a command drop-down list in the FlexConnect ACL page, choose Apply Templates.
The Apply to Controllers page appears.
Step 13
Select the Save Config to Flash after apply check box to save the configuration to Flash after applying the FlexConnect ACL to the controller.
Step 14
Select the Reboot Controller after apply check box to reboot the controller once the FlexConnect ACL is applied. This check box is available only when you select the Save Config to Flash after apply check box.
Step 15
Select one or more controllers and click OK to apply the FlexConnect ACL template.
The FlexConnect ACL that you created appears in Configure > Controller Template Launch Pad > <IP Address> > Security > Access Control > FlexConnect ACLs.
Creating an ACL IP Groups Template
To create reusable grouped IP addresses:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > IP Groups.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
To define a new IP address group, choose Add IP Group or Add IPv6 Group from the Select a command drop-down list, and click Go.
Step 5
Add or modify the fields described in Controller > Security > IP Groups.
Step 6
For IPv4 networks only: Under Broadcast Network, use the Move Up and Move Down buttons to rearrange the order of the list items. Use the Delete button to delete an IP address or Netmask.
Step 7
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an ACL Protocol Groups Template
To define an additional protocol that is not a standard predefined one:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > Protocol Groups.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Add or modify the fields described in Controller > Security > Protocol Groups.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an External Web Auth Server Template
To create or modify an External Web Auth Server template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > External Web Auth Server.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Creating Radio Templates (802.11)
This section contains the following topics:
•
Creating a Load Balancing Template
•
Creating a Band Selection Template
•
Creating a Media Parameters Controller Template (802.11a/n)
Creating a Load Balancing Template
To create load balancing templates:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > 802.11 > Load Balancing.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Enter a value between 1 and 20 for the client window size. The window size becomes part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations:
load-balancing window + client associations on AP with lightest load = load-balancing threshold
In the group of access points accessible to a client device, each access point has a different number of client associations. The access point with the lowest number of clients has the lightest load. The client window size plus the number of clients on the access point with the lightest load forms the threshold. Access points with more client associations than this threshold are considered busy, and clients can associate only to access points with client counts lower than the threshold.
Step 5
Enter a value between 0 and 10 for the max denial count. The denial count sets the maximum number of association denials during load balancing.
Step 6
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Band Selection Template
To create band selection templates:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > 802.11 > Band Select.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Add or modify the fields described in Controller > Security > 802.11 > Band Select.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Preferred Call Template
This page enables you to create or modify a template for configuring Preferred Call.
To create or modify preferred call templates:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > 802.11 > Preferred Call.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Add or modify the following Preferred Call parameters:
•
Template Name
Note
Template Name is the unique key used to identify the template. A template name is mandatory to distinguish between two templates that have identical key attributes.
•
Number Id—Enter a value to identify the preferred number. You can have a maximum of six preferred call numbers. The valid range is from 1 to 6. The default value is 1.
•
Preferred Number—Enter the preferred call number.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Media Stream for Controller Template (802.11)
To create the media stream for a controller template for an 802.11 Radio:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > 802.11 > Media Stream.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Complete the fields provided in the Template Details section. See Table 31-21.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an RF Profiles Template
The RF Profiles page enables you to create or modify RF profiles that get associated to AP Groups.
To create an RF Profile for a controller template for an 802.11 Radio:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Security > 802.11 > RF Profiles.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Complete the fields provided in the Template Details section. See Table 31-22.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating Radio Templates (802.11a/n)
This section contains the following topics:
•
Creating an 802.11a/n Parameters Template
•
Creating a Media Parameters Controller Template (802.11a/n)
•
Creating an EDCA Parameters Template (802.11a/n)
•
Creating a Roaming Parameters Template (802.11a/n)
•
Creating an 802.11h Template
•
Creating a High Throughput Template (802.11a/n)
•
Creating a CleanAir Controller Template (802.11a/n)
Creating an 802.11a/n Parameters Template
To create or modify an 802.11a/n radio template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > Parameters.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Complete the fields provided in the Template Details section. See Table 31-23.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a CleanAir Controller Template (802.11a/n)
Create or modify a template for configuring CleanAir parameters for the 802.11a/n radio. You can configure the template to enable or disable CleanAir, reporting and alarms for the controllers. You can also configure the type of interfering devices to include for reporting and alarms.
To create a new template with 802.11a/n CleanAir information for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > CleanAir.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Select the CleanAir check box to enable CleanAir functionality on the 802.11a/n network (or unselect it to prevent the controller from detecting spectrum interference). If CleanAir is enabled, the Reporting Configuration and Alarm Configuration group boxes appear.
Step 5
Complete the fields provided in the Template Detail section. See Table 31-24.
Step 6
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Media Parameters Controller Template (802.11a/n)
This page enables you to create or modify a template for configuring 802.11a/n voice fields such as call admission control and traffic stream metrics.
To create a new template with 802.11a/n voice fields information (such as Call Admission Control and traffic stream metrics) for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > Media Parameters.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section:
•
Select the Voice tab and complete the fields as described in Table 31-25.
•
Select the Video tab and complete the fields as described in Table 31-26.
•
Select the General tab and complete the field as described in Table 31-27.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an EDCA Parameters Template (802.11a/n)
Enhanced distributed channel access (EDCA) parameters are designed to provide preferential wireless channel access for voice, video, and other quality of service (QoS) traffic.
To create 802.11a/n EDCA parameters through a controller template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > EDCA Parameters.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, choose one of the following options from the EDCA Profile drop-down list:
•
WMM—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value. Choose this option when voice or video services are not deployed on your network.
•
Spectralink Voice Priority—Enables Spectralink voice priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.
•
Voice Optimized—Enables EDCA voice-optimized profile parameters. Choose this option when voice services other than Spectralink are deployed on your network.
•
Voice & Video Optimized—Enables EDCA voice- and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network.
Note
Video services must be deployed with admission control (ACM). Video services without ACM are not supported.
Note
You must shut down the radio interface before configuring EDCA Parameters.
Step 5
Select the Low Latency MAC check box to enable this feature.
Note
Enable low latency MAC only if all clients on the network are WMM compliant.
Creating a Roaming Parameters Template (802.11a/n)
To create or modify an existing roaming parameter template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > Roaming Parameters.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-28.
Note
The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with highest expected client speed and Roaming Hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an 802.11h Template
802.11h informs client devices about channel changes and can limit the transmit power of the client device. Create or modify a template for configuring 802.11h parameters (such as power constraint and channel announcement) and applying these settings to multiple controllers.
To create or modify an 802.11h template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > 802.11h.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as follows:
•
Select the Power Constraint check box if you want the access point to stop transmission on the current channel.
•
Select the Channel Announcement check box to enable channel announcement. Channel announcement is a method in which the access point announces when it is switching to a new channel and the new channel number.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a High Throughput Template (802.11a/n)
To create or modify an 802.11a/n high throughput template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > High Throughput (802.11n).
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as follows:
•
Select the 802.11n Network Status Enabled check box to enable high throughput.
•
In the MCS (Data Rate) Settings column, choose which level of data rate you want supported. Modulation coding schemes (MCS) are similar to 802.11a data rates. The defaults are 20 MHz and short guard interval. When you select the Supported check box next to a numbered Data Rate, the chosen numbers appear in the Selected MCS Indexes field at the bottom of the column.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating 802.11a/n RRM Templates
This section contains the following topics:
•
Creating an RRM Threshold Template (802.11a/n)
•
Creating an RRM Interval Template (802.11a/n)
•
Creating an RRM Dynamic Channel Allocation Template (802.11a/n)
•
Creating an RRM Transmit Power Control Template (802.11a/n)
Creating an RRM Threshold Template (802.11a/n)
To create or modify an 802.11a/n or 802.11b/g/n RRM threshold template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > dot11a-RRM > Thresholds.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-29.
Note
You must disable the 802.11a/n network before applying these RRM threshold fields.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an RRM Interval Template (802.11a/n)
To create or modify an 802.11a/n RRM interval template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > dot11a-RRM > Intervals.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as follows:
•
Neighbor Packet Frequency—Enter the interval at which you want strength measurements taken for each access point. The default is 300 seconds.
•
Channel Scan Duration—Enter the interval at which you want noise and interference measurements taken for each access point. The default is 300 seconds.
•
Load Measurement Interval—Enter the interval at which you want load measurements taken for each access point. The default is 300 seconds.
•
Coverage Measurement Interval—Enter the interval at which you want coverage measurements taken for each access point. The default is 300 seconds.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an RRM Dynamic Channel Allocation Template (802.11a/n)
The Radio Resource Management (RRM) Dynamic Channel Assignment (DCA) page allows you to choose the DCA channels as well as the channel width for this controller.
RRM DCA supports 802.11n 40-MHz channel width in the 5-GHz band. The higher bandwidth allows radios to achieve higher instantaneous data rates.
Note
Choosing a larger bandwidth reduces the non-overlapping channels which could potentially reduce the overall network throughput for certain deployments.
To create an 802.11a/n RRM DCA template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > dot11a-RRM > DCA.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-30.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an RRM Transmit Power Control Template (802.11a/n)
The controller dynamically controls access point transmit power based on real-time wireless LAN conditions. Normally, power can be kept low to gain extra capacity and reduce interference. The controller attempts to balance the transmit power of the access points according to how the access points are seen by their third strongest neighbor.
The transmit power control (TPC) algorithm both increases and decreases the power of an access point in response to changes in the RF environment. In most instances, TPC seeks to lower the power of an access point to reduce interference, but in the case of a sudden change in the RF coverage—for example, if an access point fails or becomes disabled—TPC can also increase power on surrounding access points. This feature is different from Coverage Hole Detection. Coverage hole detection is primarily concerned with clients, while TPC is tasked with providing enough RF power to achieve desired coverage levels while avoiding channel interference between access points.
To create an 802.11a/n RRM TPC template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 80211a or n > dot11a-RRM > TPC.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as follows:
•
Template Name—Enter the template name in the text box.
•
TPC Version—Choose TPCv1 or TPCv2.
Note
The TPCv2 option is applicable only for those controllers running Version 7.2.x or later.
•
Dynamic Assignment—From the Dynamic Assignment drop-down list, choose one of three modes:
–
Automatic—The transmit power is periodically updated for all access points that permit this operation.
–
On Demand—Transmit power is updated when you click Assign Now.
–
Disabled—No dynamic transmit power assignments occur, and values are set to their global default.
•
Maximum Power Assignment—Indicates the maximum power assigned.
–
Range: -10 to 30 dB
–
Default: 30 dB
•
Minimum Power Assignment—Indicates the minimum power assigned.
–
Range: -10 to 30 dB
–
Default: 30 dB
•
Dynamic Tx Power Control—Select the check box if you want to enable Dynamic Tx Power Control.
•
Transmitted Power Threshold—Enter a transmitted power threshold between -50 and -80.
•
Control Interval—In seconds (read-only).
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
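One way to sanity-check a TPC template against the field constraints listed above before it is published, as an added Python example that is not Prime Infrastructure's own code; the dict keys, function names and the two sample templates are assumptions:

```python
"""Validate an RRM Transmit Power Control (TPC) template against the
constraints documented in the procedure above: power assignment range
-10 to 30 dB, transmitted power threshold -50 to -80, TPCv2 only on
controllers running 7.2.x or later. Added example; dict layout assumed."""

from __future__ import annotations

import re

POWER_MIN_DB, POWER_MAX_DB = -10, 30        # Maximum/Minimum Power Assignment range
THRESHOLD_HIGH, THRESHOLD_LOW = -50, -80    # Transmitted Power Threshold range
DYNAMIC_MODES = {"Automatic", "On Demand", "Disabled"}
TPCV2_MIN_VERSION = (7, 2)                  # TPCv2 requires Version 7.2.x or later


def parse_version(text: str) -> tuple[int, ...]:
    """Turn an OS Version string such as '7.2.103.0' into a comparable tuple.
    Raises ValueError for anything that is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"malformed OS Version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def validate_tpc_template(tpl: dict) -> list[str]:
    """Return the list of problems found; an empty list means the template
    satisfies every documented constraint and is safe to publish."""
    errors: list[str] = []
    if not str(tpl.get("name", "")).strip():
        errors.append("Template Name is required")

    version = None
    try:
        version = parse_version(str(tpl.get("os_version", "")))
    except ValueError as exc:
        errors.append(str(exc))

    tpc = tpl.get("tpc_version")
    if tpc not in ("TPCv1", "TPCv2"):
        errors.append("TPC Version must be TPCv1 or TPCv2")
    elif tpc == "TPCv2" and version is not None and version[:2] < TPCV2_MIN_VERSION:
        errors.append("TPCv2 requires a controller running Version 7.2.x or later")

    if tpl.get("dynamic_assignment") not in DYNAMIC_MODES:
        errors.append("Dynamic Assignment must be Automatic, On Demand or Disabled")

    max_power = tpl.get("max_power_db")
    min_power = tpl.get("min_power_db")
    for label, value in (("Maximum", max_power), ("Minimum", min_power)):
        if not isinstance(value, int) or not POWER_MIN_DB <= value <= POWER_MAX_DB:
            errors.append(f"{label} Power Assignment must be an integer between -10 and 30 dB")
    if isinstance(max_power, int) and isinstance(min_power, int) and min_power > max_power:
        errors.append("Minimum Power Assignment exceeds Maximum Power Assignment")

    threshold = tpl.get("tx_power_threshold")
    if not isinstance(threshold, int) or not THRESHOLD_LOW <= threshold <= THRESHOLD_HIGH:
        errors.append("Transmitted Power Threshold must be between -50 and -80")

    if not isinstance(tpl.get("dynamic_tx_power_control"), bool):
        errors.append("Dynamic Tx Power Control must be enabled (True) or disabled (False)")
    return errors


# Constructed sample templates (not real deployments).
GOOD_TEMPLATE = {
    "name": "tpc-5ghz-campus",
    "os_version": "7.2.103.0",
    "tpc_version": "TPCv2",
    "dynamic_assignment": "Automatic",
    "max_power_db": 30,
    "min_power_db": -10,
    "tx_power_threshold": -70,
    "dynamic_tx_power_control": True,
}

BAD_TEMPLATE = {
    "name": "",                      # missing name
    "os_version": "7.0.116.0",       # too old for TPCv2
    "tpc_version": "TPCv2",
    "dynamic_assignment": "Automatic",
    "max_power_db": 10,
    "min_power_db": 20,              # minimum above maximum
    "tx_power_threshold": -40,       # outside -50 to -80
    "dynamic_tx_power_control": True,
}

if __name__ == "__main__":
    for label, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, validate_tpc_template(tpl) or "OK")
```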
Creating Radio Templates (802.11b/g/n)
This section contains the following topics:
•
Creating an 802.11b/g/n Parameters Template
•
Creating a Media Parameters Controller Template (802.11b/g/n)
•
Creating an EDCA Parameters Controller Template (802.11b/g/n)
•
Creating a Roaming Parameters Controller Template (802.11b/g/n)
•
Creating a High Throughput (802.11n) Controller Template (802.11b/g/n)
•
Creating a CleanAir Controller Template (802.11 b/g/n)
•
Creating 802.11b/g/n RRM Templates
Creating an 802.11b/g/n Parameters Template
Create or modify a template for configuring 802.11b/g/n parameters (such as power and channel status, data rates, channel list, and CCX location measurement) and applying these settings to one or more controllers.
To create a new template with 802.11b/g/n parameters information for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11b or g or n > Parameters.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-31.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Media Parameters Controller Template (802.11b/g/n)
Create or modify a template for configuring 802.11b/g/n voice parameters such as Call Admission Control and traffic stream metrics.
To create a new template with 802.11b/g/n voice parameters information (such as Call Admission Control and traffic stream metrics) for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11b or g or n > Media Parameters.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section:
•
Select the Voice tab and complete the fields as described in Table 31-32.
•
Select the Video tab and complete the fields as described in Table 31-33.
•
Select the General tab and complete the field as described in Table 31-34.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an EDCA Parameters Controller Template (802.11b/g/n)
Create or modify a template for configuring 802.11b/g/n EDCA parameters. EDCA parameters designate pre-configured profiles at the MAC layer for voice and video.
To create a new template with 802.11b/g/n EDCA parameters information for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11b or g or n > EDCA Parameters.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as follows:
•
EDCA Profile—Profiles include Wi-Fi Multimedia (WMM), Spectralink Voice Priority (SVP), Voice Optimized, and Voice & Video Optimized. WMM is the default EDCA profile.
Note
You must shut down the radio interface before configuring EDCA Parameters.
•
Streaming MAC—Only enable streaming MAC if all clients on the network are WMM compliant.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Roaming Parameters Controller Template (802.11b/g/n)
Create or modify a template for configuring roaming parameters for 802.11b/g/n radios.
To create a new template with 802.11b/g/n Roaming parameters information for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11b or g or n > Roaming Parameters.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-35.
Note
The Scan Threshold and Transition Time parameters guarantee a minimum level of client roaming performance. Together with the highest expected client speed and roaming hysteresis, these parameters make it possible to design a wireless LAN network that supports roaming simply by ensuring a certain minimum overlap distance between access points.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a High Throughput (802.11n) Controller Template (802.11b/g/n)
Create or modify a template for configuring high-throughput parameters such as MCS (data rate) settings and indexes and for applying these 802.11n settings to multiple controllers.
To create a new template with High Throughput (802.11n) information for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11b or g or n > High Throughput(802.11n).
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as follows:
•
802.11n Network Status—Select the check box to enable high throughput.
•
MCS (Data Rate) Settings—Choose which level of data rate you want supported. Modulation coding schemes (MCS) are similar to 802.11a data rates. The values 20 MHz and short guard interval are used as defaults. When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes field.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a CleanAir Controller Template (802.11 b/g/n)
Create or modify a template for configuring CleanAir parameters for the 802.11 b/g/n radio. You can configure the template to enable or disable CleanAir, reporting and alarms for the controllers. You can also configure the type of interfering devices to include for reporting and alarms.
To create a new template with 802.11b/g/n CleanAir information for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > 802.11b or g or n > CleanAir.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-36.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating 802.11b/g/n RRM Templates
This section contains the following topics:
•
Creating an RRM Thresholds Controller Template (802.11b/g/n)
•
Creating an RRM Intervals Controller Template (802.11b/g/n)
•
Creating an RRM Dynamic Channel Allocation Template (802.11b/g/n)
•
Creating an RRM Transmit Power Control Template (802.11b/g/n)
Creating an RRM Thresholds Controller Template (802.11b/g/n)
Create or modify a template for setting various RRM thresholds such as load, interference, noise, and coverage.
To create a new template with 802.11b/g/n RRM thresholds information for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > dot11b-RRM > Thresholds.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-37.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an RRM Intervals Controller Template (802.11b/g/n)
Create or modify a template for configuring RRM intervals for 802.11b/g/n radios.
To create a new template with 802.11b/g/n RRM intervals information for a controller:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > dot11b-RRM > Intervals.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as follows:
•
Neighbor Packet Frequency—Enter the interval at which you want strength measurements taken for each access point. The default is 300 seconds.
•
Noise Measurement Interval—Enter the interval at which you want noise and interference measurements taken for each access point. The default is 180 seconds.
•
Load Measurement Interval—Enter the interval at which you want load measurements taken for each access point. The default is 300 seconds.
•
Channel Scan Duration—Enter the interval at which you want coverage measurements taken for each access point. The default is 300 seconds.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an RRM Transmit Power Control Template (802.11b/g/n)
The controller dynamically controls access point transmit power based on real-time wireless LAN conditions. Normally, power can be kept low to gain extra capacity and reduce interference. The controller attempts to balance the transmit power of an access point according to how the access points are seen by their third strongest neighbor.
The transmit power control (TPC) algorithm both increases and decreases the power of an access point in response to changes in the RF environment. In most instances, TPC seeks to lower the power of an access point to reduce interference, but in the case of a sudden change in the RF coverage—for example, if an access point fails or becomes disabled—TPC can also increase power on surrounding access points. This feature is different from Coverage Hole Detection. Coverage hole detection is primarily concerned with clients, while TPC is tasked with providing enough RF power to achieve desired coverage levels while avoiding channel interference between access points.
To create an 802.11b/g/n RRM TPC template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > dot11b-RRM > TPC.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-38.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an RRM Dynamic Channel Allocation Template (802.11b/g/n)
The Radio Resource Management (RRM) Dynamic Channel Assignment (DCA) page allows you to choose the DCA channels as well as the channel width for this controller.
RRM DCA supports 802.11n 40-MHz channel width in the 5-GHz band. The higher bandwidth allows radios to achieve higher instantaneous data rates.
Note
Choosing a larger bandwidth reduces the non-overlapping channels, which could potentially reduce the overall network throughput for certain deployments.
To create an 802.11b/g/n RRM DCA template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > dot11b-RRM > DCA.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-39.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating Mesh Templates
Creating a Mesh Setting Template
You can configure an access point to establish a connection with the controller.
To create or modify a mesh template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Mesh > Mesh Settings.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
The Root AP to Mesh AP Range is 12,000 feet by default. Enter the optimum distance (in feet) that should exist between the root access point and the mesh access point. This global field applies to all access points when they join the controller and all existing access points in the network.
Step 5
The Client Access on Backhaul Link check box is not selected by default. When this option is enabled, mesh access points can associate with 802.11a/n wireless clients over the 802.11a/n backhaul. This client association is in addition to the existing communication on the 802.11a/n backhaul between the root and mesh access points.
Note
This feature applies only to access points with two radios.
Step 6
The Mesh DCA Channels check box is not selected by default. Select this option to enable backhaul channel deselection on the Controller using the DCA channel list configured in the Controller. Any change to the channels in the Controller DCA list is pushed to the associated access points. This feature applies only to the 1524SB mesh access points. For more information on this feature, see the Controller Configuration Guide.
Step 7
Select the Background Scanning check box to enable background scanning or unselect it to disable the feature. The default value is disabled. Background scanning allows Cisco Aironet 1510 Access Points to actively and continuously monitor neighboring channels for more optimal paths and parents.
Step 8
From the Security Mode drop-down list, choose EAP (Extensible Authentication Protocol) or PSK (Pre-Shared Key).
Step 9
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating Management Templates
This section contains the following topics:
•
Creating a Trap Receiver Template
•
Creating a Trap Control Template
•
Creating a Telnet SSH Template
•
Creating a Legacy Syslog Template
•
Creating a Multiple Syslog Template
•
Creating a Local Management User Template
•
Creating a User Authentication Priority Template
Creating a Trap Receiver Template
If you have monitoring devices on your network that receive SNMP traps, you might want to add a trap receiver template.
To create or modify a trap receiver template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Trap Receiver.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Enter the IP address of the server in the text box.
Step 5
Select the Admin Status check box to enable the administrator status if you want SNMP traps to be sent to the receiver.
Step 6
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Trap Control Template
To create or modify a trap control template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Trap Control.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-40.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Telnet SSH Template
To create or modify a Telnet SSH configuration template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Telnet SSH.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-41.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Legacy Syslog Template
To create or modify a legacy syslog configuration template:
Note
Legacy Syslog applies to controllers Version 5.0.6.0 and earlier.
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Legacy Syslog.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Select the Syslog check box to enable syslogs. When you do, a Syslog Host IP Address text box appears.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Multiple Syslog Template
To create or modify a multiple syslog configuration template:
Note
You can enter up to three syslog server templates.
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Multiple Syslog.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Enter a template name and a syslog server IP address in the text boxes.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a Local Management User Template
To create or modify a local management user template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Local Management User.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
Enter a template username.
Step 5
Enter a password for this local management user template.
Step 6
Reenter the password.
Step 7
Use the Access Level drop-down list to choose either Read Only or Read Write.
Step 8
Select the Update Telnet Credentials check box to update the user credentials in Prime Infrastructure for Telnet/SSH access.
Note
If the template is applied successfully and the Update Telnet Credentials option is enabled, the applied management user credentials become the Telnet/SSH credentials that Prime Infrastructure uses for that controller.
Step 9
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a User Authentication Priority Template
Management user authentication priority templates control the order in which authentication servers are used to authenticate the management users of a controller.
To create a user authentication priority template or make modifications to an existing template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Management > Authentication Priority.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
The local server is tried first. Choose either RADIUS or TACACS+ from the drop-down list to try if local authentication fails.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a CLI Template
You can create templates containing a set of CLI commands and apply them to one or more controllers from Prime Infrastructure. These templates are meant for provisioning features in multiple controllers for which there is no SNMP support or custom Prime Infrastructure user interface. The template contents are simply an array of command strings. No support for substitution variables, conditionals, and the like exists.
The CLI sessions to the device are established based on user preferences. The default protocol is SSH.
To create or modify a CLI template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > CLI > General.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
If you are adding a new template, provide a name that you are giving to this string of commands in the text box. If you are making modifications to an existing template, the Template Name text box cannot be modified.
Step 5
In the Commands page, enter the series of CLI commands.
Step 6
Select the Refresh Config after Apply check box to perform a refresh config on the controller after the CLI template is applied successfully.
Step 7
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Note
If the Controller Telnet credentials check fails or the Controller CLI template fails with invalid username and password even though the correct username and password are configured on the controller, check whether the controller has exceeded the number of CLI connections it can accept. If the connections have exceeded the maximum limit, then either increase the maximum allowed CLI sessions or terminate any pre-existing CLI sessions on the controller, and then retry the operation.
Creating a Location Configuration Template
To create or modify a location setting template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > Location > Location Configuration.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section:
•
Select the General tab and complete the fields as described in Table 31-42.
•
Select the Advanced tab and complete the fields as described in Table 31-43.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating IPv6 Templates
This section contains the following topics:
•
Creating a Neighbor Binding Timers Template
•
Creating a RA Throttle Policy Template
•
Creating an RA Guard Template
Creating a Neighbor Binding Timers Template
You can create or modify a template for configuring IPv6 Router Neighbor Binding Timers such as Down Lifetime, Reachable Lifetime, State Lifetime, and corresponding intervals.
To create a Neighbor Binding Timers template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > IPv6 > Neighbor Binding Timers.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
If you want to enable the down lifetime, select the Enable check box. If you have selected this check box, specify the value in the Down Lifetime Interval text box. This indicates the maximum time, in seconds, an entry learned from a down interface is kept in the binding table before the entry is deleted or proof is received that the entry is reachable. The range is 0 to 86,400 seconds, and the default value is 0.
Step 5
If you want to enable the reachable lifetime, select the Enable check box. If you have selected this check box, specify the value in the Reachable Lifetime Interval text box. This indicates the maximum time, in seconds, an entry is considered reachable without getting a proof of reachability (direct reachability through tracking, or indirect reachability through Neighbor Discovery protocol [NDP] inspection). After that, the entry is moved to stale. The range is 0 to 86,400 seconds, and the default value is 0.
Step 6
If you want to enable the stale lifetime, select the Enable check box. If you have selected this check box, specify the value in the Stale Lifetime Interval text box. This indicates the maximum time, in seconds, a stale entry is kept in the binding table before the entry is deleted or proof is received that the entry is reachable. The range is 0 to 86,400 seconds, and the default value is 0.
Step 7
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
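The three lifetimes above define how an IPv6 neighbor binding-table entry ages (reachable, then stale, then deleted, with a separate clock for entries on a down interface). The Python model below is an added example, not code from this guide or from the controller software; it assumes that a lifetime whose Enable box is cleared (None) never expires its state on time alone, treats a value of 0 literally, and uses constructed client addresses.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_LIFETIME = 86400  # upper bound of each lifetime field on the template (seconds)


@dataclass
class NeighborBindingTimers:
    """Template values; None models a lifetime whose Enable check box is cleared."""
    reachable_lifetime: Optional[int] = None
    stale_lifetime: Optional[int] = None
    down_lifetime: Optional[int] = None

    def __post_init__(self) -> None:
        for name in ("reachable_lifetime", "stale_lifetime", "down_lifetime"):
            value = getattr(self, name)
            if value is not None and not 0 <= value <= MAX_LIFETIME:
                raise ValueError(f"{name} must be 0..{MAX_LIFETIME} s, got {value}")

    def limit_for(self, state: str) -> Optional[int]:
        return {"REACHABLE": self.reachable_lifetime,
                "STALE": self.stale_lifetime,
                "DOWN": self.down_lifetime}[state]


@dataclass
class BindingEntry:
    ipv6: str
    mac: str
    state: str        # REACHABLE | STALE | DOWN
    state_since: int  # second at which the current state was entered


class BindingTable:
    """Neighbor binding table aged by the three template lifetimes (model)."""

    def __init__(self, timers: NeighborBindingTimers) -> None:
        self.timers = timers
        self.entries: Dict[str, BindingEntry] = {}

    def learn(self, now: int, ipv6: str, mac: str) -> None:
        # A freshly learned binding starts out reachable.
        self.entries[ipv6] = BindingEntry(ipv6, mac, "REACHABLE", now)

    def proof_of_reachability(self, now: int, ipv6: str) -> bool:
        # Proof (tracking or NDP inspection) returns any state to REACHABLE.
        entry = self.entries.get(ipv6)
        if entry is None:
            return False
        entry.state, entry.state_since = "REACHABLE", now
        return True

    def interface_down(self, now: int, ipv6: str) -> None:
        # The entry is kept for the down lifetime unless proof arrives first.
        entry = self.entries.get(ipv6)
        if entry is not None and entry.state != "DOWN":
            entry.state, entry.state_since = "DOWN", now

    def age(self, now: int) -> List[Tuple[str, str, str, int]]:
        """Expire states as of `now`; returns (ipv6, old, new, at) transitions."""
        transitions: List[Tuple[str, str, str, int]] = []
        for ipv6, entry in list(self.entries.items()):
            while True:
                limit = self.timers.limit_for(entry.state)
                if limit is None or now - entry.state_since < limit:
                    break
                expiry = entry.state_since + limit  # exact second the lifetime ran out
                if entry.state == "REACHABLE":
                    transitions.append((ipv6, "REACHABLE", "STALE", expiry))
                    entry.state, entry.state_since = "STALE", expiry
                else:  # STALE or DOWN entries are removed when their lifetime ends
                    transitions.append((ipv6, entry.state, "DELETED", expiry))
                    del self.entries[ipv6]
                    break
        return transitions

    def states(self) -> Dict[str, str]:
        return {ipv6: e.state for ipv6, e in self.entries.items()}


def run_scenario() -> Tuple[Dict[str, str], List[Tuple[str, str, str, int]]]:
    """Constructed scenario: three clients, lifetimes 30/60/120 s, aged at t=100."""
    table = BindingTable(NeighborBindingTimers(30, 60, 120))
    table.learn(0, "2001:db8::a", "00:11:22:33:44:0a")  # silent after joining
    table.learn(0, "2001:db8::b", "00:11:22:33:44:0b")  # seen again at t=25
    table.learn(0, "2001:db8::c", "00:11:22:33:44:0c")  # its link goes down at t=10
    table.interface_down(10, "2001:db8::c")
    table.proof_of_reachability(25, "2001:db8::b")
    transitions = table.age(100)
    return table.states(), transitions


if __name__ == "__main__":
    for line in run_scenario()[1]:
        print(line)
```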
Creating a RA Throttle Policy Template
The RA Throttle Policy allows you to limit the number of multicast Router Advertisements (RAs) circulating on the wireless network. You can create or modify a template for configuring IPv6 Router Advertisement parameters such as RA Throttle Policy, Throttle Period, and other options.
To create a RA Throttle Policy template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > IPv6 > RA Throttle Policy.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
If you want to enable the RA Throttle Policy, select the Enable check box. If you have selected this check box, configure the following parameters:
•
Throttle Period—Duration of the throttle period in seconds. The range is 10 to 86,400 seconds.
•
Max Through—The number of RAs allowed to pass through during one throttle period.
•
Interval Option—Indicates the behavior for an RA that carries an interval option.
•
Allow At-least—Indicates the minimum number of RAs per router that are not throttled.
•
Allow At-most—Indicates the maximum number of RAs per router that are not throttled.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an RA Guard Template
RA Guard is a Unified Wireless solution used to drop Router Advertisements (RAs) sent by wireless clients. It is configured globally, and by default it is enabled. You can create or modify a template for configuring IPv6 Router Advertisement parameters.
To create an RA Guard template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > IPv6 > RA Guard.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
If you want to enable the Router Advertisement Guard, select the Enable check box.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
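The Python model below is an added example, not code from this guide or from Cisco, that applies the RA Guard setting and then the RA Throttle Policy parameters from the two sections above to a constructed sequence of RAs. It assumes that RAs within a router's Allow At-least minimum are always forwarded, that Allow At-most caps each router and Max Through caps the period, that only multicast RAs are throttled, and that Interval Option is reduced to two behaviors, passthrough or ignore.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_NODES_MULTICAST = "ff02::1"  # the throttle applies to multicast RAs only


@dataclass
class RAThrottlePolicy:
    throttle_period: int                  # seconds; template range 10..86400
    max_through: int                      # RAs let through per period, all routers
    allow_at_least: int                   # per-router RAs that are never throttled
    allow_at_most: int                    # per-router cap on RAs not throttled
    interval_option: str = "passthrough"  # model simplification: passthrough | ignore

    def __post_init__(self) -> None:
        if not 10 <= self.throttle_period <= 86400:
            raise ValueError("throttle_period must be 10..86400 s")
        if self.allow_at_least > self.allow_at_most:
            raise ValueError("allow_at_least cannot exceed allow_at_most")
        if self.interval_option not in ("passthrough", "ignore"):
            raise ValueError("interval_option must be passthrough or ignore")


@dataclass
class RouterAdvertisement:
    t: int                # arrival second
    src: str              # sending node (router name or client name, constructed)
    from_client: bool     # True when the frame was sent by a wireless client
    dst: str = ALL_NODES_MULTICAST
    interval_option: bool = False


class RAThrottle:
    """Per-period RA counters, reset at each Throttle Period boundary."""

    def __init__(self, policy: RAThrottlePolicy) -> None:
        self.policy = policy
        self.period_start: Optional[int] = None
        self.total = 0
        self.per_router: Dict[str, int] = {}

    def _roll_period(self, t: int) -> None:
        if self.period_start is None:
            self.period_start = t
        elapsed = t - self.period_start
        if elapsed >= self.policy.throttle_period:
            self.period_start += (elapsed // self.policy.throttle_period) * self.policy.throttle_period
            self.total, self.per_router = 0, {}

    def decide(self, ra: RouterAdvertisement) -> Tuple[str, str]:
        """Return (action, reason) for one RA under this throttle policy."""
        policy = self.policy
        self._roll_period(ra.t)
        if ra.dst != ALL_NODES_MULTICAST:
            return "forward", "unicast RA is not subject to throttling"
        if ra.interval_option and policy.interval_option == "passthrough":
            return "forward", "interval option passthrough"
        count = self.per_router.get(ra.src, 0)
        if count < policy.allow_at_least:
            reason = "within per-router allow-at-least"
        elif count >= policy.allow_at_most:
            return "drop", "router reached allow-at-most"
        elif self.total >= policy.max_through:
            return "drop", "period reached max-through"
        else:
            reason = "within period max-through"
        self.per_router[ra.src] = count + 1
        self.total += 1
        return "forward", reason


def process(ras: List[RouterAdvertisement], policy: RAThrottlePolicy,
            ra_guard: bool = True) -> List[Tuple[int, str, str, str]]:
    """RA Guard runs first (drops client-sourced RAs), then the throttle."""
    throttle = RAThrottle(policy)
    decisions = []
    for ra in ras:
        if ra_guard and ra.from_client:
            decisions.append((ra.t, ra.src, "drop", "RA Guard: RA sourced by a wireless client"))
            continue
        action, reason = throttle.decide(ra)
        decisions.append((ra.t, ra.src, action, reason))
    return decisions


# Constructed traffic: 10 s period, Max Through 4, At-least 1, At-most 2 per router.
SAMPLE_POLICY = RAThrottlePolicy(10, 4, 1, 2)
SAMPLE_RAS = [
    RouterAdvertisement(0, "rtr-1", False),
    RouterAdvertisement(1, "rtr-1", False),
    RouterAdvertisement(2, "rtr-1", False),                      # over At-most
    RouterAdvertisement(3, "rtr-2", False),
    RouterAdvertisement(4, "client-7", True),                    # RA from a wireless client
    RouterAdvertisement(5, "rtr-3", False),
    RouterAdvertisement(6, "rtr-2", False),                      # period Max Through reached
    RouterAdvertisement(7, "rtr-2", False, interval_option=True),
    RouterAdvertisement(8, "rtr-4", False, dst="2001:db8::10"),  # unicast RA
    RouterAdvertisement(10, "rtr-2", False),                     # next throttle period
]

if __name__ == "__main__":
    for decision in process(SAMPLE_RAS, SAMPLE_POLICY):
        print(decision)
```

Running `process` a second time with `ra_guard=False` shows the client-sourced RA being forwarded on its At-least allowance, which is the exposure RA Guard closes.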
Creating Proxy Mobile IPv6 Templates
Proxy Mobile IPv6 is a network-based mobility management protocol that supports a mobile node by acting as the proxy for the mobile node in any IP mobility-related signaling. The mobility entities in the network track the movements of the mobile node and initiate the mobility signaling and set up the required routing state.
The main functional entities are the Local Mobility Anchor (LMA) and Mobile Access Gateway (MAG). The LMA maintains the reachability state of the mobile node and is the topological anchor point for the IP address of the mobile node. The MAG performs the mobility management on behalf of a mobile node. The MAG resides on the access link where the mobile node is anchored. The controller implements the MAG functionality.
Creating a PMIP Global Configurations Template
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > PMIP > Global Config.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-44.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating an LMA Configurations Template
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > PMIP > LMA.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the following fields:
•
LMA Name—Name of the LMA connected to the controller.
•
LMA IP Address—IP address of the LMA connected to the controller.
Step 5
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Creating a PMIP Profiles Template
Step 1
Choose Design > Configuration Templates > Features and Technologies > Controller > PMIP > PMIP Profile.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, create a PMIP profile as follows:
a.
In PMIP Profile, enter the profile name.
b.
Click Add and then complete the following fields:
–
Network Access Identifier—Name of the Network Access Identifier (NAI) associated with the profile.
–
LMA Name—Name of the LMA with which the profile is to be associated.
–
Access Point Node—Name of the access point node connected to the controller.
Step 5
Repeat Step 4 for each additional PMIP Profile needed.
Step 6
Click Save as New Template. After you save the template, see the "Publishing and Deploying Controller Templates" section for information about publishing and deploying controller templates.
Publishing and Deploying Controller Templates
After configuring a controller template, follow these steps:
Step 1
Navigate to the My Templates folder and choose the template you just saved.
Step 2
Click the Publish icon to publish the template so it can be deployed.
Step 3
Click the Go to Deployment icon and go to the Deploy > Configuration Tasks page.
Step 4
Click Deploy on the template you published.
Step 5
Specify the deployment options as explained in the "Specifying Template Deployment Options" section.
Step 6
Click OK.
Note
When you deploy the WLAN Configuration templates, the controllers configured with Interface/Interface Group, selected RADIUS servers, LDAP servers, ACL name with rules, and Ingress interface appear in the Template Deployment - Prepare and Schedule page.
Creating Security Configuration Templates
The following sections explain how to create and deploy security configuration templates:
•
Creating a DMVPN Template
•
Creating a GET VPN Group Member Template
•
Creating a GET VPN Key Server Template
•
Creating ScanSafe Templates
Creating a DMVPN Template
To create a Dynamic Multipoint VPN template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Security > DMVPN.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-45.
Step 5
Click Save as New Template. After you save the template, see the "Deploying the DMVPN Template" section for information about publishing and deploying DMVPN templates.
Creating a GET VPN Group Member Template
To create a GETVPN group member template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Security > GETVPN-GroupMember.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as described in Table 31-46.
Step 5
Click Save as New Template. After you save the template, see the "Deploying GETVPN Templates" section for information about publishing and deploying GETVPN Group Member templates.
Creating a GET VPN Key Server Template
To create a GETVPN Key Server template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Security > GETVPN-KeyServer.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as explained in Table 31-47.
Step 5
Click Save as New Template. After you save the template, see the "Deploying GETVPN Templates" section for information about publishing and deploying GETVPN Server templates.
Creating ScanSafe Templates
ScanSafe Web Security is a cloud-based SaaS (Security as a Service) that allows you to scan the content of HTTP and HTTPS traffic. When ScanSafe Web Security is integrated with a router, selected HTTP and HTTPS traffic is redirected to the ScanSafe cloud for content scanning and malware detection.
When Cisco ISR Web Security with Cisco ScanSafe is enabled and the ISR is configured to redirect web traffic to ScanSafe, the ISR transparently redirects HTTP and HTTPS traffic to the ScanSafe proxy servers based on the IP address and port. You can configure the ISR to relay web traffic directly to the originally requested web server without being scanned by ScanSafe.
Whitelisting Traffic
You can configure the ISR so that some approved web traffic is not redirected to ScanSafe for scanning. When you bypass ScanSafe scanning, the ISR retrieves the content directly from the originally requested web server without contacting ScanSafe. When it receives the response from the web server, it sends the data to the client. This is called "whitelisting" traffic.
See http://www.cisco.com/en/US/docs/security/web_security/ISR_SS/ISR_ScanSafe_SolutionGuide.pdf for more information on ScanSafe.
To create a ScanSafe template, specify the following:
•
ScanSafe server and interface information
•
User information
•
Whitelist information
To create a ScanSafe template:
Step 1
Choose Design > Configuration Templates > Features and Technologies > Security > ScanSafe.
Step 2
In the Template Basic section, enter a name and a description in the appropriate fields.
Step 3
In the Validation Criteria section, choose a Device Type from the list and enter the OS Version.
Step 4
In the Template Detail section, complete the fields as explained in Table 31-48.
Step 5
Click Save as New Template. After you save the template, see the "Deploying ScanSafe Template" section for information about publishing and deploying ScanSafe templates.
Configuring Switch Location Configuration Templates
You can configure the location template for a switch using the Switch Location Configuration template.
To configure a location template for a switch:
Step 1
Choose Design > Wireless Configuration > Switch Location Configuration.
Step 2
From the Select a command drop-down list, choose Add Template.
Step 3
Click Go. The New Template page appears.
Step 4
Complete the fields as described in Table 31-75.
Creating AP Configuration Templates
Select the template name to view or edit parameters for current access point templates.
This section contains the following topics:
•
Creating Lightweight Access Point Templates
•
Creating Autonomous Access Point Templates
Creating Lightweight Access Point Templates
To create a Lightweight Access Point template:
Step 1
Choose Design > Wireless Configuration > Lightweight AP Configuration Templates.
Step 2
From the Select a command drop-down list, choose Add Template.
Step 3
Click Go.
Step 4
Enter a template name in the text box.
Step 5
Enter a template description in the text box.
Step 6
Click Save. If you are updating an already existing template, click the applicable template in the Template Name column. The Lightweight AP Template Detail page appears.
Step 7
Select each of the following tabs and complete the fields as described in Lightweight AP Configuration Templates:
•
Lightweight AP Configuration Templates > AP Parameters
•
Lightweight AP Configuration Templates > Mesh
•
Lightweight AP Configuration Templates > 802.11a/n
•
Lightweight AP Configuration Templates > 802.11a SubBand
•
Lightweight AP Configuration Templates > 802.11b/g/n
•
Lightweight AP Configuration Templates > CDP
•
Lightweight AP Configuration Templates > FlexConnect
•
Lightweight AP Configuration Templates > Select APs
•
Lightweight AP Configuration Templates > Report
Creating Autonomous Access Point Templates
The Autonomous AP Configuration Templates page allows you to configure CLI templates for autonomous access points.
This section contains the following topics:
•
Creating an Autonomous Access Point Template
•
Applying an AP Configuration Template to an Autonomous Access Point
•
Configuring Autonomous AP Migration Templates
Creating an Autonomous Access Point Template
To create a new Autonomous Access Point template:
Step 1
Choose Design > Wireless Configuration > Autonomous AP Configuration Templates.
Step 2
From the Select a command drop-down list, choose Add Template.
Step 3
Click Go. If you are updating an already existing template, click the applicable template in the Template Name column.
Step 4
Enter a Template Name.
Step 5
Enter the applicable CLI commands.
Note
Do not include any show commands in the CLI commands text box. The show commands are not supported.
Step 6
Click Save.
Applying an AP Configuration Template to an Autonomous Access Point
To apply an AP Configuration template to an autonomous access point:
Step 1
Choose Design > Wireless Configuration > Autonomous AP Configuration Templates.
Step 2
Click the template name link to select a template and apply it to an autonomous access point. The Autonomous AP Configuration Template page appears.
Step 3
Click Apply to Autonomous Access Points. The Apply to Autonomous Access Points page appears.
Step 4
Select the desired autonomous access point.
Step 5
Click OK.
Note
Select the Ignore errors on Apply template to Controllers check box to ignore errors and apply all commands in the template to the Autonomous AP. If this check box is not selected, an error encountered while applying a command in the template to an Autonomous AP prevents the remaining commands from being applied.
Viewing Template Results
To view the results when you apply an Autonomous AP Configuration template to an access point:
Step 1
Choose Design > Wireless Configuration > Autonomous AP Configuration Templates.
Step 2
Click the template name link to select a template and apply it to an autonomous access point. The Autonomous AP Configuration template page appears.
Step 3
Click Apply to Autonomous Access Points. The Apply to Autonomous Access Points page appears.
Step 4
Select the desired autonomous access point.
Step 5
Click OK. The Template Results page appears.
Creating Autonomous Access Point Migration Templates
To make a transition from an Autonomous solution to a Unified architecture, autonomous access points must be converted to lightweight access points. The migration utility is available in the Autonomous AP Migration Templates page (Design > Wireless Configuration > Autonomous AP Migration Template) where existing templates are listed.
The Autonomous AP Migration Templates list page displays the following information:
•
Name.
•
Description.
•
AP Count.
•
Schedule Run.
•
Status—Indicates one of the following task statuses:
–
Not initiated—The template is yet to start the migration and starts at the scheduled time.
–
Disabled—The template is disabled and does not run at the scheduled time. This is the default state for a template when it is created without selecting any autonomous access points.
–
Expired—The template did not run at the scheduled time (this might be due to the Prime Infrastructure server being down).
–
Enabled—The template is yet to start the migration and starts at the scheduled time.
–
In progress—The template is currently converting the selected autonomous access points to CAPWAP.
–
Success—The template has completed the migration of autonomous access point to CAPWAP successfully.
–
Failure—The template failed to migrate all the selected autonomous access points to CAPWAP. You can check the detailed status of the failures by using the View Migration Status page.
–
Partial Success—The template failed to migrate a subset of the selected autonomous access points to CAPWAP. You can check the detailed status of the failures by using the View Migration Status page.
Note
In any of these states, you can edit the template by clicking the Name link.
Note
Once an access point is converted to lightweight, the previous status or configuration of the access point is not retained.
Related Topics
•
Configuring Autonomous AP Migration Templates
•
Viewing the Migration Analysis Summary
•
Copying a Migration Template
•
Deleting Migration Templates
•
Viewing the Current Status of Cisco IOS Access Points
Configuring Autonomous AP Migration Templates
To create a migration template:
Step 1
Choose Design > Wireless Configuration > Autonomous AP Migration Templates.
Step 2
From the Select a command drop-down list, choose Add Template.
Step 3
Click Go. If you are updating an already existing template, click the applicable template in the Template Name column.
Step 4
Configure the necessary parameters as described in Autonomous AP Migration Templates.
Step 5
Click Save.
Related Topics
•
Creating Autonomous Access Point Migration Templates
•
Viewing the Migration Analysis Summary
•
Copying a Migration Template
•
Deleting Migration Templates
•
Viewing the Current Status of Cisco IOS Access Points
Viewing the Migration Analysis Summary
To view the Migration Analysis Summary:
Note
You can also view the migration analysis summary by choosing Operate > Wireless > Migration Analysis.
Step 1
Choose Design > Wireless Configuration > Autonomous AP Migration Templates.
Step 2
Choose View Migration Analysis Summary from the Select a command drop-down list, and click Go. The Migration Analysis Summary page appears.
The autonomous access points are eligible for migration only if all the criteria have a pass status. A red X designates ineligibility, and a green check mark designates eligibility. These columns represent the following:
•
Privilege 15 Criteria—The Telnet credential provided as part of the autonomous access point discovery must be privilege 15.
•
Software Version Criteria—Conversion is supported only in Cisco IOS Release 12.3(7)JA excluding 12.3(11)JA, 12.3(11)JA1, 12.3(11)JA2, and 12.3(11)JA3.
•
Role Criteria—A wired connection between the access point and controller is required to send the association request; therefore, the following autonomous access point roles are required:
–
root
–
root access point
–
root fallback repeater
–
root fallback shutdown
–
root access point only
•
Radio Criteria—In dual-radio access points, the conversion can happen even if only one radio is of the supported type.
Related Topics
•
Creating Autonomous Access Point Migration Templates
•
Configuring Autonomous AP Migration Templates
•
Copying a Migration Template
•
Deleting Migration Templates
•
Viewing the Current Status of Cisco IOS Access Points
Copying a Migration Template
To copy a migration template:
Step 1
Choose Design > Wireless Configuration > Autonomous AP Migration Templates.
Step 2
Select the check box of the template you want to copy, and then choose Copy Template from the Select a command drop-down list.
Step 3
Click Go.
Step 4
Enter the name for the new template to which you want to copy the current template.
Related Topics
•
Creating Autonomous Access Point Migration Templates
•
Configuring Autonomous AP Migration Templates
•
Viewing the Migration Analysis Summary
•
Deleting Migration Templates
•
Viewing the Current Status of Cisco IOS Access Points
Deleting Migration Templates
To delete migration templates:
Step 1
Choose Design > Wireless Configuration > Autonomous AP Migration Templates.
Step 2
Select the check boxes of the templates you want to delete, and then choose Delete Templates from the Select a command drop-down list.
Step 3
Click Go.
Step 4
Click OK to confirm the deletion or Cancel to close this page without deleting the template.
Related Topics
•
Creating Autonomous Access Point Migration Templates
•
Configuring Autonomous AP Migration Templates
•
Viewing the Migration Analysis Summary
•
Copying a Migration Template
•
Viewing the Current Status of Cisco IOS Access Points
Viewing the Current Status of Cisco IOS Access Points
Step 1
Choose Design > Wireless Configuration > Autonomous AP Migration Templates.
Step 2
Select View Current Status from the Select a command drop-down list.
Step 3
Click Go.
The following information is displayed:
•
IP Address—IP address of the access point.
•
Status—Current status of the migration.
•
Progress—Summary of the migration progress.
Related Topics
•
Creating Autonomous Access Point Migration Templates
•
Configuring Autonomous AP Migration Templates
•
Viewing the Migration Analysis Summary
•
Copying a Migration Template
•
Deleting Migration Templates
Designing Controller Config Groups
By creating a config group, you can group controllers that should have the same mobility group name and similar configuration. You can assign templates to the group and push templates to all the controllers in a group. You can add, delete, or remove config groups, and download software, IDS signatures, or a customized web authentication page to controllers in the selected config groups. You can also save the current configuration to nonvolatile (flash) memory to controllers in selected config groups.
Note
A controller cannot be a member of more than one mobility group. Adding a controller to one mobility group removes that controller from any other mobility group to which it is already a member.
This section contains the following topics:
•
Adding New Config Group
•
Configuring Config Groups
•
Applying or Scheduling Config Groups
•
Auditing Config Groups
•
Rebooting Config Groups
•
Reporting Config Groups
•
Downloading Software
Adding New Config Group
Step 1
Choose Design > Wireless Configuration > Controller Config Groups.
Step 2
From the Select a command drop-down list, choose Add Config Group, and click Go. The Add New Group page appears.
Step 3
Enter the new config group name. It must be unique across all groups. If Enable Background Audit is selected, the network and controller audits occur for this config group. If Enable Enforcement is selected, the templates are automatically applied during the audit if any discrepancies are found.
Note
If the Enable Background Audit option is chosen, the network and controller audit is performed on this config group.
Step 4
Other templates created in Prime Infrastructure can be assigned to a config group. The same WLAN template can be assigned to more than one config group. Choose from the following:
•
Select and add later: Click to add a template at a later time.
•
Copy templates from a controller: Click to copy templates from another controller. Choose a controller from a list of current controllers to copy its applied template to the new config group. Only the templates are copied.
Note
The order of the templates is important when dealing with radio templates. For example, if the template list includes radio templates that require the radio network to be disabled prior to applying the radio parameters, the template to disable the radio network must be added to the template first.
Step 5
Click Save.
Configuring Config Groups
Step 1
Choose Design > Wireless Configuration > Controller Config Groups.
Step 2
Click a group name in the Group Name column. The Config Group page appears.
Step 3
Click the General tab. The following options for the config group appear:
•
Group Name: Name of the config group
–
Enable Background Audit—If selected, all the templates that are part of this group are audited against the controller during network and controller audits.
–
Enable Enforcement—If selected, the templates are automatically applied during the audit if any discrepancies are found.
Note
The audit and enforcement of the config group template happens when the selected audit mode is Template based audit.
–
Enable Mobility Group—If selected, the mobility group name is pushed to all controllers in the group.
•
Mobility Group Name: Mobility Group Name that is pushed to all controllers in the group. The Mobility Group Name can also be modified here.
Note
A controller can be part of multiple config groups.
•
Last Modified On: Date and time config group was last modified.
•
Last Applied On: Date and time last changes were applied.
Step 4
You must click the Apply/Schedule tab to distribute the specified mobility group name to the group controllers and to create mobility group members on each of the group controllers.
Step 5
Click Save.
Applying or Scheduling Config Groups
The scheduling function allows you to schedule a start day and time for provisioning.
To apply the mobility groups, mobility members, and templates to all the controllers in a config group:
Step 1
Choose Design > Wireless Configuration > Controller Config Groups.
Step 2
Click a group name in the Group Name column.
Step 3
Click the Apply/Schedule tab to access this page.
Step 4
Click Apply to start the provisioning of mobility groups, mobility members, and templates to all the controllers in the config group. After you apply, you can leave this page or log out of Prime Infrastructure. The process continues, and you can return later to this page to view a report.
Note
Do not perform any other config group functions during the apply provisioning.
A report is generated and appears in the Recent Apply Report page. It shows which mobility group, mobility member, or template were successfully applied to each of the controllers.
Note
If you want to print the report as shown on the page, you must choose landscape page orientation.
Step 5
Enter a starting date in the text box or use the calendar icon to choose a start date.
Step 6
Choose the starting time using the hours and minutes drop-down lists.
Step 7
Click Schedule to start the provisioning at the scheduled time.
Auditing Config Groups
The Config Groups Audit page allows you to verify whether the configuration of each controller complies with the group templates and mobility group. During the audit, you can leave this page or log out of Prime Infrastructure. The process continues, and you can return to this page later to view a report.
Note
Do not perform any other config group functions during the audit verification.
To perform a config group audit:
Step 1
Choose Design > Wireless Configuration > Controller Config Groups.
Step 2
Click a group name in the Group Name column.
Step 3
Click the Audit tab to access this page.
Step 4
Click to highlight a controller from the Controllers tab, choose >> (Add), and Save Selection.
Step 5
Click to highlight a template from the Templates tab, choose >> (Add), and Save Selection.
Step 6
Click Audit to begin the auditing process.
A report is generated and the current configuration on each controller is compared with that in the config group templates. The report displays the audit status, the number of templates in sync, and the number of templates out of sync.
Note
This audit does not enforce Prime Infrastructure configuration to the device. It only identifies the discrepancies.
Step 7
Click Details to view the Controller Audit Report details.
Step 8
Double-click a line item to open the Attribute Differences page. This page displays the attribute, its value in Prime Infrastructure, and its value in the controller.
Note
Click Retain Prime Infrastructure Value to push all attributes in the Attribute Differences page to the device.
Step 9
Click Close to return to the Controller Audit Report page.
Rebooting Config Groups
Step 1
Choose Design > Wireless Configuration > Controller Config Groups.
Step 2
Click a group name in the Group Name column.
Step 3
Click the Reboot tab.
Step 4
Select the Cascade Reboot check box if you want to reboot one controller at a time, waiting for that controller to come up before rebooting the next controller.
Step 5
Click Reboot to reboot all controllers in the config group at the same time. During the reboot, you can leave this page or log out of Prime Infrastructure. The process continues, and you can return later to this page to view a report.
The Recent Reboot Report page shows when each controller was rebooted and what the controller status is after the reboot. If Prime Infrastructure is unable to reboot the controller, a failure is shown.
Note
If you want to print the report as shown on the page, you must choose landscape page orientation.
Reporting Config Groups
To display all recently applied reports under a specified group name:
Step 1
Choose Design > Wireless Configuration > Controller Config Groups.
Step 2
Click a group name in the Group Name column.
Step 3
Click the Report tab. The Recent Apply Report page displays all recently applied reports including the apply status, the date and time the apply was initiated, and the number of templates. The following information is provided for each individual IP address:
•
Apply Status—Indicates success, partial success, failure, or not initiated.
•
Successful Templates—Indicates the number of successful templates associated with the applicable IP address.
•
Failures—Indicates the number of failures with the provisioning of mobility group, mobility members, and templates to the applicable controller.
•
Details—Click Details to view the individual failures and associated error messages.
Step 4
If you want to view the scheduled task reports, click the click here link at the bottom of the page. You are then redirected to the Configure > Scheduled Configuration Tasks > Config Group menu where you can view reports of the scheduled config groups.
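The following Python model is added here as an illustration and is not part of Prime Infrastructure. It shows what the template-based audit in Auditing Config Groups and the Recent Apply Report in Reporting Config Groups compute: per-controller attribute differences (attribute, value in Prime Infrastructure, value on the controller), the in-sync and out-of-sync template counts, and, only when Enable Enforcement is set, a push of the Prime Infrastructure values with the resulting success, partial success, failure, or not initiated status. Template names, attribute names, and controller addresses are constructed for the example; the push function stands in for the controller write.

```python
"""Model of a template-based config group audit, enforcement run and apply report.

Added example, not Prime Infrastructure code. Templates and controller
configurations are constructed dictionaries of attribute -> value; template
names, attribute names and addresses are made up for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


@dataclass
class ConfigGroup:
    name: str
    templates: Dict[str, Attrs]     # template name -> attributes Prime Infrastructure expects
    controllers: Dict[str, Attrs]   # controller IP -> attributes read from the device
    enable_enforcement: bool = False


def attribute_differences(template: Attrs, device: Attrs) -> List[Tuple[str, object, object]]:
    """(attribute, value in Prime Infrastructure, value on the controller) for every mismatch."""
    return [(attr, expected, device.get(attr))
            for attr, expected in template.items()
            if device.get(attr) != expected]


def audit(group: ConfigGroup) -> Dict[str, dict]:
    """Compare each controller with every template in the group; never pushes anything."""
    report = {}
    for ip, device in group.controllers.items():
        diffs = {name: attribute_differences(tmpl, device)
                 for name, tmpl in group.templates.items()}
        in_sync = sum(1 for d in diffs.values() if not d)
        report[ip] = {
            "in_sync": in_sync,
            "out_of_sync": len(diffs) - in_sync,
            "differences": {name: d for name, d in diffs.items() if d},
        }
    return report


def apply_status(successful: int, failed: int) -> str:
    """Per-controller status as shown in the Recent Apply Report."""
    if successful + failed == 0:
        return "not initiated"
    if failed == 0:
        return "success"
    if successful == 0:
        return "failure"
    return "partial success"


PushFn = Callable[[str, str, object], bool]   # (controller IP, attribute, value) -> pushed?


def audit_and_enforce(group: ConfigGroup, push: PushFn = lambda ip, attr, value: True):
    """Run the audit; with Enable Enforcement set, push the Prime Infrastructure value
    for every out-of-sync attribute (what Retain Prime Infrastructure Value does by hand)
    and build the apply report. A template counts as failed if any of its pushes fails."""
    audit_report = audit(group)
    apply_report = {}
    if not group.enable_enforcement:
        return audit_report, apply_report
    for ip, entry in audit_report.items():
        successful = failed = 0
        for diffs in entry["differences"].values():
            results = [push(ip, attr, expected) for attr, expected, _ in diffs]
            if all(results):
                successful += 1
            else:
                failed += 1
        apply_report[ip] = {
            "successful_templates": successful,
            "failures": failed,
            "apply_status": apply_status(successful, failed),
        }
    return audit_report, apply_report


# Constructed sample data: two controllers, three templates.
TEMPLATES = {
    "ntp-server": {"ntp_server_1": "192.0.2.10", "ntp_server_2": "192.0.2.11"},
    "snmp-community": {"community": "pi-ro", "access": "read-only"},
    "mobility-group": {"mobility_group_name": "CAMPUS"},
}
CONTROLLERS = {
    "10.0.0.1": {"ntp_server_1": "192.0.2.10", "ntp_server_2": "192.0.2.11",
                 "community": "pi-ro", "access": "read-only", "mobility_group_name": "CAMPUS"},
    "10.0.0.2": {"ntp_server_1": "192.0.2.10", "ntp_server_2": "192.0.2.99",
                 "community": "public", "access": "read-write", "mobility_group_name": "CAMPUS"},
}

if __name__ == "__main__":
    group = ConfigGroup("campus", TEMPLATES, CONTROLLERS, enable_enforcement=True)
    # Simulated controller that refuses to change the SNMP access mode.
    audit_report, apply_report = audit_and_enforce(group, push=lambda ip, attr, v: attr != "access")
    for ip in CONTROLLERS:
        print(ip, audit_report[ip]["in_sync"], "in sync,",
              audit_report[ip]["out_of_sync"], "out of sync,", apply_report[ip]["apply_status"])
```

With Enable Enforcement cleared, the apply report stays empty: the audit identifies discrepancies but changes nothing on the device, which is the behavior the note in the audit procedure describes.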
Downloading Software
To download software to all controllers in the selected groups after you have a config group established:
Step 1
Choose Design > Wireless Configuration > Controller Config Groups.
Step 2
Select the check box to choose one or more config groups names on the Config Groups page.
Step 3
Choose Download Software from the Select a command drop-down list, and click Go.
Step 4
The Download Software to Controller page appears. The IP address of the controller to receive the bundle and the current status are displayed. Choose local machine from the File is Located On field.
Step 5
Enter the maximum number of times the controller should attempt to download the signature file in the Maximum Retries field.
Step 6
Enter the maximum amount of time in seconds before the controller times out while attempting to download the signature file in the Timeout field.
Step 7
The signature files are uploaded to the c:\tftp directory. Specify the local filename in that directory or click Browse to navigate to it. The controller uses this local filename as a base name and then adds _custom.sgi as a suffix.
If the transfer times out for some reason, you can simply choose the TFTP server option in the File Is Located On field, and the server filename is populated for you and retried.
Step 8
Click OK.
Downloading IDS Signatures
Step 1
Choose Design > Wireless Configuration > Controller Config Groups.
Step 2
Select the check box to choose one or more config groups on the Config Groups page.
Step 3
Choose Download IDS Signatures from the Select a command drop-down list, and click Go.
Step 4
The Download IDS Signatures to Controller page appears. The IP address of the controller to receive the bundle and the current status are displayed. Choose local machine from the File is Located On field.
Step 5
Enter the maximum number of times the controller should attempt to download the signature file in the Maximum Retries field.
Step 6
Enter the maximum amount of time in seconds before the controller times out while attempting to download the signature file in the Timeout field.
Step 7
The signature files are uploaded to the c:\tftp directory. Specify the local filename in that directory or click Browse to navigate to it. The controller uses this local filename as a base name and then adds _custom.sgi as a suffix.
If the transfer times out for some reason, you can simply choose the TFTP server option in the File Is Located On field, and the server filename is populated for you and retried.
Step 8
Click OK.
Downloading Customized WebAuth
Step 1
Choose Design > Wireless Configuration > Controller Config Groups.
Step 2
Select the check box to choose one or more config groups on the Config Groups page.
Step 3
Choose Download Customized WebAuth from the Select a command drop-down list, and click Go.
Step 4
The Download Customized Web Auth Bundle to Controller page appears. The IP address of the controller to receive the bundle and the current status are displayed.
Step 5
Choose local machine from the File is Located On field.
Configuring wIPS Profiles
Prime Infrastructure provides several pre-defined profiles from which to choose. These profiles (based on customer types, building types, industry types, and so on) allow you to quickly activate the additional wireless threat protection available through Cisco Adaptive wIPS. You can use a profile "as is" or customize it to better meet your needs.
Pre-defined profiles include the following:
•
Education
•
EnterpriseBest
•
EnterpriseRogue
•
Financial
•
HealthCare
•
HotSpotOpen
•
Hotspot8021x
•
Military
•
Retail
•
Tradeshow
•
Warehouse
To access the wIPS Profile page, choose Design > Wireless Configuration > wIPS Profiles.
The wIPS Profiles > Profile List page allows you to view, edit, apply, or delete current wIPS profiles and to add new profiles.
The Profile List provides the following information for each profile:
•
Profile Name—Indicates the user-defined name for the current profile. Click the profile name to view or edit profile details.
Note
When you hover your mouse cursor over the profile name, the Profile ID and version appear.
•
MSE(s) Applied To—Indicates the number of mobility services engines (MSEs) to which this profile is applied. Click the MSE number to view profile assignment details.
•
Controller(s) Applied To—Indicates the number of controllers to which this profile is applied. Click the controller number to view profile assignment details.
This section contains the following topics:
•
Adding a Profile
•
Deleting a wIPS Profile
•
Applying a wIPS Profile
The profile editor allows you to create new or modify current profiles. See the "Editing a wIPS Profile" section for more information.
Adding a Profile
A new wIPS profile can be created using the default or a pre-configured profile.
To add a wIPS profile:
Step 1
Select Design > Wireless Configuration > wIPS Profiles. The wIPS Profiles page appears.
Step 2
From the Select a command drop-down list, choose Add Profile.
Step 3
Click Go.
Step 4
Type a profile name in the Profile Name text box of the Profile Parameters page.
Step 5
Select the applicable pre-defined profile, or choose Default from the drop-down list.
Step 6
Select one of the following:
•
Save—Saves the profile to the Prime Infrastructure database with no changes and no mobility services engine or controller assignments. The profile appears in the profile list.
•
Save and Edit—Saves the profile and allows you to edit the profile.
Related Topics
•
Configuring wIPS Profiles
•
Editing a wIPS Profile
•
Deleting a wIPS Profile
•
Applying a wIPS Profile
Editing a wIPS Profile
The profile editor allows you to configure profile details including the following:
•
SSID groups—Add, edit, or delete SSID groups.
•
Policy inclusion—Determine which policies are included in the profile.
•
Policy level settings—Configure settings for each policy such as threshold, severity, notification type, and ACL/SSID groups.
•
MSE/controller applications—Select the mobility services engine(s) or controller(s) to which you want to apply the profile.
To create profile details:
Step 1
Access the profile editor. This can be done in two ways:
•
When creating a new profile, click Save and Edit in the Profile Parameters page.
•
Click the profile name from the Profile List page.
Step 2
From the SSID Groups page, you can edit and delete current groups or add a new group.
Step 3
When SSID groups have been added or edited as needed, select one of the following:
•
Save—Saves the changes made to the SSID groups.
•
Cancel—Returns to the profile list with no changes made.
•
Next—Proceeds to the Profile Configuration page.
Step 4
From the Profile Configuration page, you can determine which policies are included in the current profile. The check boxes in the policy tree (located in the left Select Policy pane) indicate which policies are enabled or disabled in the current profile. You can enable or disable an entire branch or an individual policy as needed by selecting the check box for the applicable branch or policy.
Note
By default, all policies are selected.
Step 5
In the Profile Configuration page, click an individual policy to display the policy description and to view or modify current policy rule settings.
The following options are available for each policy:
•
Add—Click Add to access the Policy Rule Configuration page to create a new rule for this policy.
•
Edit—Select the check box of the applicable rule, and click Edit to access the Policy Rule Configuration page to edit the settings for this rule.
•
Delete—Select the check box of the rule you want to delete, and click Delete. Click OK to confirm the deletion.
Note
There must be at least one policy rule in place. You cannot delete a policy rule if it is the only one in the list.
•
Move Up—Select the check box of the rule you want to move up in the list. Click Move Up.
•
Move Down—Select the check box of the rule you want to move down in the list. Click Move Down.
The following settings can be configured at the policy level:
•
Threshold (not applicable to all policies)—Indicates the threshold or upper limit associated with the selected policy. When the threshold is reached for a policy, an alarm is triggered.
Note
Because every policy must contain at least one threshold, default thresholds are defined for each based on standard wireless network issues.
Note
Threshold options vary based on the selected policy.
Note
Alarms from Cisco Adaptive wIPS DoS and security penetration attacks are classified as security alarms. A summary of these attacks is located in the Security Summary page. Choose Monitor > Security to access this page. The wIPS attacks are located in the Threats and Attacks section.
•
Severity—Indicates the level of severity of the selected policy. Parameters include critical, major, info, and warning. The value of this field might vary depending on the wireless network.
•
Notification—Indicates the type of notification associated with the threshold.
•
ACL/SSID Group—Indicates the ACL or SSID group(s) to which this threshold is applied.
Note
Only selected groups trigger the policy.
Step 6
When the profile configuration is complete, select one of the following:
•
Save—Saves the changes made to the current profile.
•
Cancel—Returns to the profile list with no changes made.
•
Back—Returns to the SSID Groups page.
•
Next—Proceeds to the MSE/Controller(s) page.
Step 7
In the Apply Profile page, select the check box(es) of the mobility services engine and controller(s) to which you want to apply the current profile.
Step 8
When the applicable mobility services engine(s) and controller(s) are selected, choose one of the following:
•
Apply—Applies the current profile to the selected mobility services engine/controller(s).
•
Cancel—Returns to the profile list with no changes made.
Note
A created profile can also be applied directly from the profile list. From the Profile List page, select the check box of the profile you want to apply and click Apply Profile from the Select a command drop-down list. Click Go to access the Apply Profile page.
Related Topics
•
Configuring wIPS Profiles
•
Adding a Profile
•
Deleting a wIPS Profile
•
Applying a wIPS Profile
Deleting a wIPS Profile
To delete a wIPS profile:
Step 1
Choose Design > Wireless Configuration > wIPS Profiles. The wIPS Profiles page appears.
Step 2
Select the check box of the wIPS profiles you want to delete.
Step 3
From the Select a command drop-down list, choose Delete Profile.
Step 4
Click Go.
Step 5
Click OK to confirm the deletion.
Note
If the profile is already applied to a controller, it cannot be deleted.
Related Topics
•
Configuring wIPS Profiles
•
Adding a Profile
•
Editing a wIPS Profile
•
Applying a wIPS Profile
Applying a wIPS Profile
To apply a wIPS profile:
Step 1
Choose Design > Wireless Configuration > wIPS Profiles. The wIPS Profiles page appears.
Step 2
Select the check box of the wIPS profiles you want to apply.
Step 3
From the Select a command drop-down list, choose Apply Profile.
Step 4
Click Go.
Step 5
Select the mobility services engines and controllers to which the profile is applied.
Note
If the new assignment is different from the current assignment, you are prompted to save the profile with a different name.
Step 6
When the applicable mobility services engines and controllers are selected, click Apply.
Related Topics
•
Configuring wIPS Profiles
•
Adding a Profile
•
Editing a wIPS Profile
•
Deleting a wIPS Profile
Configuring Features on a Device
You can create or change the feature configuration for the selected device. The following topics provide more information:
•
Application Visibility
•
Overview of NAT
•
Dynamic Multipoint VPN
•
GETVPN
•
VPN Components
•
Overview of Zones
•
Routing
Application Visibility
The Application Visibility (AV) feature helps you monitor the traffic sent toward the Internet. To configure AV, you need to perform the following:
•
Create / Update AV Configuration
•
Assign AV policies on interfaces
•
Change AV Advanced options
Note
The Application Visibility feature is supported on ASR devices running Cisco IOS XE Release 3.5 or later. It is not supported on ISR devices. Manually entered CLI changes that start with "EMS_" are not supported and may cause unexpected behavior.
Configuring AV
The Application Visibility Configuration feature creates the Flexible NetFlow (FNF) elements on the device that export the NetFlow messages for Transaction Records and Usage Records. To configure AV, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Choose the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Application Visibility folder, and then choose the Configuration. The AV Configuration page appears.
Step 5
From the AV Configuration page, set the Primary CM IP Address and port, Secondary CM IP Address and port, VPN Routing and Forwarding (VRF), and Source IP address and Export protocol.
Note
For Source IP address, specify the IP address of the interface that is used as the source address of the FNF messages sent to the CM.
Note
The Export Protocol option is supported from IOS XE Release 3.7 or later. On IOS XE 3.7 or later, IPFIX is the default value; on older versions, NetFlow v9 (netflow-v9) is the default.
Step 6
Set the advanced AV parameters. For more information on the Advanced AV parameters, see Changing AV Advanced Options.
Step 7
Click Save / Apply to save the changes in the server.
Editing AV Policy
To edit the existing AV policy, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Choose the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Application Visibility folder, and then choose the Interfaces.
Step 5
In the Interface page, select one or more interfaces and click Edit.
Step 6
To monitor the bandwidth usage and the traffic at transactions level, select the usage/transaction records in the input reports or output reports section.
Note
Application Visibility configuration supports all the interfaces that are supported on the ASR device.
Step 7
Select IPv4, IPv6, or IPv4+IPv6 from the drop-down list.
a.
Usage Records (UR)—Usage Records are records of the different type of applications that run on a specific interface. The operator can use the Usage Records to monitor the bandwidth usage of different applications. The Usage Records can show the application usage over a specific time period, the peak and average usages, and usage for a specific application type. Usage Records perform periodic aggregation of the category information for the interface. (For example, export information for peer-to-peer traffic or email usage).
b.
Transaction Records (TR)—A transaction is a set of logical exchanges between endpoints. There is normally one transaction within a flow. The Transaction Record monitors the traffic at transaction levels. These records provide a detailed analysis of the traffic flows. Transaction Records are bound to the input and output directions of the network side interfaces. These Transaction Records allow the system to capture each unidirectional flow once.
Step 8
Click OK to deploy the changes to the device.
Changing AV Advanced Options
To change the Application Visibility Advanced options, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Application Visibility folder, and then click Configuration.
Step 5
In the AV Configuration page, set the new values for the AV configuration.
Step 6
Specify the Differentiated Services Code Point (DSCP) value to set the DSCP marking of the exported packets.
Step 7
Specify the Time-to-Live (TTL) value to set the exporter TTL or hop limit.
Step 8
Click the title area to view the FNF Advanced Options, FNF Record Advanced Options, and NBAR Advanced Options.
Step 9
To customize the value, check the specific attribute check box and set the new value. To use the system default value, uncheck the check box of the specific attribute.
Step 10
In the FNF Advanced Options, set the timeout value in seconds.
Step 11
In the FNF Record Advanced Options, set the maximum number of flow entries in the flow cache and specify the active and inactive flow timeouts in seconds. Check the Disable Unresolved Traffic Reporting check box to disable the total usage records.
Step 12
In the IPv4/IPv6 NetFlow Sampled Transaction Records section, set the maximum flow entries in the flow cache and define the sampling rate.
Step 13
In the NBAR Advanced Options section, define the maximum allowed sessions in multiples of 50000.
Step 14
Click Save / Deploy to save the changes in the device.
Step 15
Click Reset to Default to reset the parameter values to their default values.
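The following Python example is added here to make the preceding AV settings concrete; it is not Prime Infrastructure code and does not reproduce the CLI that Prime Infrastructure itself generates. It renders the Flexible NetFlow exporter and monitor that the settings in Configuring AV and Changing AV Advanced Options correspond to (collector address and port, VRF, source interface, export protocol chosen by the IOS XE version rule stated above, DSCP, TTL, cache size and timeouts) and the per-interface input/output attachment from Editing AV Policy. Object names (AV_EXPORTER_1, AV_EXPORTER_2, AV_MONITOR, AV_RECORD), collector addresses, ports, and interface names are assumptions, and the flow record referenced by the monitor is assumed to be defined elsewhere.

```python
"""Render the Flexible NetFlow (FNF) exporter, monitor and interface attachment
that the Application Visibility settings correspond to.

Added example, not Prime Infrastructure code. The export-protocol rule is the
one stated in the note above (IPFIX by default from IOS XE 3.7, NetFlow v9
before). Object names, collector addresses, ports and interfaces are made up;
the flow record AV_RECORD is assumed to be defined elsewhere.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


def default_export_protocol(ios_xe_version: str) -> str:
    """'ipfix' for IOS XE 3.7 and later, 'netflow-v9' for older releases."""
    major, minor = (int(part) for part in ios_xe_version.split(".")[:2])
    return "ipfix" if (major, minor) >= (3, 7) else "netflow-v9"


@dataclass
class AvSettings:
    primary_cm: str
    primary_port: int
    secondary_cm: Optional[str] = None
    secondary_port: Optional[int] = None
    vrf: Optional[str] = None
    source_interface: str = "GigabitEthernet0/0/0"   # interface whose address sources the export
    export_protocol: Optional[str] = None            # None: choose by IOS XE version
    dscp: Optional[int] = None                       # exporter DSCP (advanced option)
    ttl: Optional[int] = None                        # exporter TTL / hop limit (advanced option)


def flow_exporter(name: str, destination: str, port: int,
                  s: AvSettings, ios_xe_version: str) -> List[str]:
    """One 'flow exporter' block; an exporter has one destination, so the secondary CM gets its own."""
    proto = s.export_protocol or default_export_protocol(ios_xe_version)
    if proto not in ("ipfix", "netflow-v9"):
        raise ValueError(f"unsupported export protocol {proto!r}")
    if not 1 <= port <= 65535:
        raise ValueError("UDP port out of range")
    vrf = f" vrf {s.vrf}" if s.vrf else ""
    lines = [
        f"flow exporter {name}",
        f" destination {ipaddress.IPv4Address(destination)}{vrf}",
        f" source {s.source_interface}",
        f" transport udp {port}",
        f" export-protocol {proto}",
    ]
    if s.dscp is not None:
        if not 0 <= s.dscp <= 63:
            raise ValueError("DSCP must be 0-63")
        lines.append(f" dscp {s.dscp}")
    if s.ttl is not None:
        if not 1 <= s.ttl <= 255:
            raise ValueError("TTL must be 1-255")
        lines.append(f" ttl {s.ttl}")
    return lines


def flow_monitor(name: str, exporters: List[str], record: str,
                 cache_entries: int, active_timeout: int, inactive_timeout: int) -> List[str]:
    """'flow monitor' block carrying the FNF Record Advanced Options (cache size, timeouts)."""
    lines = [f"flow monitor {name}"]
    lines += [f" exporter {e}" for e in exporters]
    lines += [
        f" cache entries {cache_entries}",
        f" cache timeout active {active_timeout}",
        f" cache timeout inactive {inactive_timeout}",
        f" record {record}",
    ]
    return lines


def attach_monitor(interface: str, monitor: str, input_reports: bool, output_reports: bool) -> List[str]:
    """Interfaces page: input/output report selections become per-direction monitor attachments."""
    lines = [f"interface {interface}"]
    if input_reports:
        lines.append(f" ip flow monitor {monitor} input")
    if output_reports:
        lines.append(f" ip flow monitor {monitor} output")
    return lines


def render_av_config(s: AvSettings, ios_xe_version: str, record: str = "AV_RECORD",
                     cache_entries: int = 200000, active_timeout: int = 60,
                     inactive_timeout: int = 15) -> List[str]:
    """Exporter(s) for the primary and optional secondary CM plus the monitor that uses them."""
    targets = [("AV_EXPORTER_1", s.primary_cm, s.primary_port)]
    if s.secondary_cm:
        if s.secondary_port is None:
            raise ValueError("secondary CM needs a port")
        targets.append(("AV_EXPORTER_2", s.secondary_cm, s.secondary_port))
    config: List[str] = []
    for name, dest, port in targets:
        config += flow_exporter(name, dest, port, s, ios_xe_version)
    config += flow_monitor("AV_MONITOR", [t[0] for t in targets], record,
                           cache_entries, active_timeout, inactive_timeout)
    return config


if __name__ == "__main__":
    settings = AvSettings("192.0.2.50", 9991, secondary_cm="192.0.2.51", secondary_port=9991,
                          vrf="MGMT", dscp=16, ttl=64)
    print("\n".join(render_av_config(settings, "3.7.1")))
    print("\n".join(attach_monitor("GigabitEthernet0/0/1", "AV_MONITOR", True, True)))
```

Leaving export_protocol unset reproduces the documented default: the same settings rendered for a 3.5 release emit netflow-v9, and for 3.7 or later emit ipfix.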
Overview of NAT
Network Address Translation (NAT) is the process by which a network device, usually a router or firewall, presents a public address on behalf of a computer (or group of computers) inside a private network. NAT helps limit the number of public IP addresses used by an organization or company, for both economic and security purposes.
The NAT feature allows organizations to resolve the problem of IP address depletion when they have existing networks and need to access the Internet. The NAT allows the IP network of an organization to use different IP address space for the outside network. Thus, NAT allows an organization that does not have globally routable addresses to connect to the Internet by translating those addresses into globally routable address space. The NAT also allows a more graceful renumbering strategy for organizations that are changing service providers or voluntarily renumbering into Classless Inter Domain Routing (CIDR) blocks. The NAT is described in RFC 1631.
A router configured with the NAT will have at least one interface to the inside network and one to the outside network. In a typical environment, the NAT is configured at the exit router between a sub domain and a backbone. When a packet leaves the domain, the NAT translates the locally significant source address into a globally unique address. When a packet enters the domain, the NAT translates the globally unique destination address into a local address. If more than one exit point exists, each NAT must have the same translation table. If the NAT cannot allocate an address because it has run out of addresses, it drops the packet and sends an Internet Control Message Protocol (ICMP) host unreachable packet.
For more information on NAT, see http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/iadnat-addr-consv.html.
Types of NAT
NAT operates on a router, generally one connecting only two networks, and translates your private (inside local) addresses within the internal network into public (inside global) addresses before any packets are forwarded to another network. This lets you configure NAT so that it advertises only a single address for your entire network to the outside world. Doing this hides the internal addressing from the outside and gives you some additional security; note that it hides addresses, not exposed services, and is not a substitute for a filtering policy on the outside interface.
NAT types include:
•
Static Address Translation (SAT) —Allows one-to-one mapping between local and global addresses.
•
Dynamic Address Translation—Maps unregistered IP addresses to registered IP addresses from a pool of registered IP addresses.
•
Overloading—A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many to one) using different ports. This method is also known as Port Address Translation (PAT). By using PAT (NAT Overload), thousands of users can be connected to the Internet using only one real global IP address.
How to Configure NAT for IP Address Conservation
To configure NAT, perform the following steps:
1.
Create the NAT pool (required for Dynamic NAT)
2.
Configure the ACL
3.
Create the NAT44 rules
4.
Assign rules on the interfaces
5.
Set up the NAT maximum translation (Optional)
Note
The NAT feature is supported on the ASR platform running Cisco IOS XE Release 3.5 or later, and on the ISR platform running Cisco IOS Release 12.4(24)T or later. Manually entered CLI changes that start with "EMS_" are not supported and may cause unexpected behavior.
IP Pools
The IP Pool is a device object that represents IP ranges to be used on the Dynamic NAT. The NAT IP Pools feature allows you to create a new pool that can be used in the Dynamic NAT, change the existing pool, and delete the pool from the device.
Creating, Editing, and Deleting IP Pools
To create, edit, and delete the IP Pools, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, expand the NAT subfolder, and then click IP Pools. The NAT Pools page appears.
Step 5
Click the Add IP Pool > IP+Prefix or IP Range + Prefix button, and enter the Name, IP Address/Range, Prefix Length, and Description. You cannot change the name of the pool after creating the pool.
Note
A valid IPv4 address consists of 4 octets separated by a period (.).
Step 6
Click OK to save the configurations.
Step 7
Click the Apply button to deploy the pool to the server database.
Step 8
To edit an existing IP pool on the NAT IP Pools page, do one of the following:
a.
Click the row of the IP pool and edit the parameters in place.
b.
Select the IP pool and click the Edit button. The selected IP pool opens for editing. You can edit all the parameters except the pool name.
Step 9
Click Save / Apply to save the changes in the server.
Step 10
To delete the existing IP Pools, select the IP Pool, and then click the Delete button.
Step 11
Click OK on the warning message to delete the IP Pool. The selected IP Pool will be deleted.
NAT44
The NAT44 feature allows the user to create, delete, and change the NAT44 rules.
Creating, Editing, and Deleting NAT44 Rule
This section describes how to create the NAT44 rules.
There are three types of NAT rules:
•
Static
•
Dynamic
•
Dynamic PAT
To create the NAT44 rule, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, expand the NAT subfolder, and then click NAT44.
Step 5
From the NAT 44 Rule page, click the down arrow icon on the Add NAT Rule button.
•
Click Static to create Static Rule. For elements on this page, see Table 4-4.
•
Click Dynamic to create Dynamic NAT Rule. For elements on this page, see Table 4-5.
•
Click Dynamic PAT to create Dynamic PAT Rule. For elements on this page, see Table 4-6.
Table 4-4 lists the elements on the Static Rule page.
Table 4-4 Static Rule Page
•
Direction: Displays the direction. This release supports only the Inbound to Outbound direction.
•
VRF: Displays the VRF in which the NAT translation takes place.
•
Source A: Enter a valid IPv4 address. A valid IPv4 address consists of 4 octets separated by a period (.).
–
If Source A is defined, Source B must also be defined.
–
If Source A is defined, Destination A defaults to Any.
•
Destination A: Enter a valid IPv4 address.
–
If Destination A is defined, Destination B must also be defined.
–
If Destination A is defined, Source A defaults to Any.
•
Translation: Displays the static translation type.
•
Source B: Enter a valid IPv4 address, or select an interface from the list of interfaces.
–
If Source B is defined, Source A must also be defined.
–
If Source B is defined, Destination B defaults to Any.
•
Destination B: Enter a valid IPv4 address.
–
If Destination B is defined, Destination A must also be defined.
–
If Destination B is defined, Source A and Source B default to Any.
•
Options: Displays the advanced options for the Static type. Configure the following:
–
To ignore embedded IP addresses (no-payload), check the Ignore Embedded IP address check box.
–
To enable port translation, check the Enable Port Translation check box, and then define the protocol (TCP or UDP), the Original Port, and the Port Translation.
Table 4-5 lists the elements on the Dynamic NAT page.
Table 4-5 Dynamic NAT Page
•
Direction: Displays the direction. This release supports only the Inbound to Outbound direction.
•
VRF: Displays the VRF in which the NAT translation takes place.
•
Source A: Select the ACL name from the list.
–
If Source A is defined, Source B must also be defined.
–
If Source A is defined, Destination A defaults to Any.
•
Destination A: Select the ACL name from the list.
–
If Destination A is defined, Destination B must also be defined.
–
If Destination A is defined, Source A defaults to Any.
•
Translation: Displays the Dynamic NAT translation type.
•
Source B: Choose the NAT pool from the drop-down list, or select an interface from the list of interfaces.
–
If Source B is defined, Source A must also be defined.
–
If Source B is defined, Destination B defaults to Any.
•
Destination B: Choose the NAT pool from the drop-down list.
–
If Destination B is defined, Destination A must also be defined.
–
If Destination B is defined, Source A and Source B default to Any.
•
Options: Displays the advanced options for the Dynamic type.
–
To ignore embedded IP addresses (no-payload), check the Ignore Embedded IP address check box.
–
To enable port translation, check the Enable Port Translation check box, and then define the protocol (TCP or UDP), the Original Port, and the Port Translation.
Note
These options are supported only on ISR devices.
Table 4-6 lists the elements on the Dynamic PAT page.
Table 4-6 Dynamic PAT Page
Direction: Displays the directions. This release supports the Inbound to Outbound direction.
VRF: Displays the VRF on which the NAT translation process happens.
Source A: Select the ACL name from the list.
Destination A: Not defined.
Translation: Displays the Dynamic PAT translation type.
Source B: Select the IP Pool Name from the list. You can also select an interface from the list of interfaces.
Destination B: Not defined.
Options: Displays the advanced options for the Dynamic PAT. Set the Ignore embedded IP Addresses (no-Payload) option. The options are: Yes or No.
Note This option is supported only on the ISR devices.
Step 6
Click:
• Save to save and deploy the changes to the device.
• Cancel to exit without saving.
Step 7
To edit an existing NAT44 rule in the NAT44 page, do one of the following:
• Click the row of the selected NAT44 rule, and edit the parameters.
• Select the NAT44 rule, and click the Edit button. The selected NAT44 rule opens for editing. You can edit all the parameters except the pool Name.
Step 8
You can change the Source and Destination according to the creation rules. You can also change the Options selection according to the creation rules.
Step 9
Click Save/Apply to save the changes in the server.
Step 10
To delete the existing NAT44 rules, select the rules, and then click the Delete button.
Step 11
Click OK on the warning message to delete the rules. The selected NAT44 rules will be deleted.
Managing Interfaces
A virtual interface is a logical interface configured with generic configuration information for a specific purpose or for configuration common to specific users, plus router-dependent information.
Configuring Interfaces
To assign the interfaces to a specific association, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, expand the NAT subfolder, and then click Interfaces.
In the Interface page, select the interface you want to change and select the association from the drop-down list. The options are: Inside, Outside, and None.
Step 5
Click:
• Save/Apply to save the changes in the server.
• Cancel to exit without saving.
Managing NAT MAX Translation
The Rate Limiting NAT Translation feature provides the ability to limit the maximum number of concurrent NAT operations on a router. In addition, the NAT MAX feature gives users additional control to use the NAT addresses. The Rate Limiting NAT Translation feature can be used to limit the effects of viruses, worms, and denial-of-service attacks.
The NAT Maximum Translations feature allows you to reset the global translation attribute values.
Setting NAT MAX Translation
To set the MAX Translation, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, expand the NAT subfolder, and then click Max. Translation.
Step 5
Reset the parameter values. Configure the maximum number of NAT entries that are allowed for all the parameters. A typical range for a NAT rate limit is from 100 to 300 entries.
Step 6
Click:
• Save/Apply to save the changes in the server.
• Cancel to exit without saving.
Dynamic Multipoint VPN
The DMVPN feature allows users to scale large and small IP Security (IPsec) VPNs by combining generic routing encapsulation (GRE) tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP).
A typical VPN connection is a point-to-point IPSec tunnel connecting two routers. DMVPN enables you to create a network with a central hub that connects other remote routers, referred to as spokes using a GRE over IPSec tunnel. IPSec traffic is routed through the hub to the spokes in the network.
See Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs) for more information about DMVPN (requires a CCO login ID).
Configuring DMVPN
Cisco Network Control System allows you to configure your router as a DMVPN hub or DMVPN spoke. You can configure the router in the following ways:
• Hub: Configuring Hub and Spoke Topology
• Spoke: Configuring Fully Mesh Topology
Creating DMVPN Tunnel
You should configure the following parameters to create the DMVPN tunnel:
• Device role and topology type
• Multipoint GRE interface information
• NHRP and tunnel parameters
• Next Hop Server (NHS) (Optional)
To create the DMVPN tunnel, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then click DMVPN. Click the Add button to create the DMVPN.
Step 5
In the Device Role and Topology Type section, select the topology and the device role. The options are: Spoke, Hub, and Dynamic Connection between Spokes.
Step 6
In the Multipoint GRE Interface Information section, select the WAN interface that connects to the Internet from the drop-down list.
Step 7
Enter the IP address of the Tunnel Interface, and Subnet Mask.
Step 8
In the NHRP and Tunnel Parameters section, complete the fields in this section.
Note
The Network ID is a unique 32-bit network identifier for a Non Broadcast Multiaccess (NBMA) network. The tunnel key is used to enable a key ID for a particular tunnel interface. The MTU is the size of IP packets that are sent on a particular interface.
Note
The default MTU value for Ethernet and serial interfaces is 1500. The default value varies depending upon the media type. The Tunnel throughput delay is used to set the delay value for a particular interface.
Step 9
In the Encryption policy field, click the anchored plus button (+) to add the Transform Set Profile.
Step 10
In the Transform Set Profile dialog box, enter the Name and choose the acceptable combination of security protocols and algorithms from the drop-down list to configure the transform set.
Step 11
Check the IP Compression check box to enable IP compression for the transform set.
Step 12
Choose the mode for the transform set. The options are: Tunnel mode or Transport mode.
Step 13
In the NHS Server Information section, enter the IP addresses of the hub's physical interface and tunnel interface, and the Fallback Time. If the device supports clusters, add the next hop server information, such as Cluster ID, Max Connection, Hub IP address, and Priority.
Note
The NHS server information is required only for spoke configuration. If you check the Use Cluster for NHS check box, add the information, such as Cluster ID, Max Connection, and Next Hop Server. The template with the NHS cluster configuration is applied only to devices running Cisco IOS Software version 15.1(2)T or later.
Step 14
In the Routing Information section, choose the routing protocol. The options are: EIGRP, RIPv2, and Other.
Note
The routing information is required only for hub configuration.
Step 15
Choose the existing EIGRP number from the drop-down list or enter an EIGRP number. Use the Other option to configure the other protocols.
Step 16
Click Save to save the single NHS server entry details and the priority of the server, save the entire group of servers, and save the NHS cluster information. When you save the NHS cluster information, the NHS server is populated in the non-editable field.
Step 17
Click OK to save the configuration to the device.
Step 18
Click Cancel to cancel all the changes you have made without sending them to the router.
Configuring Hub and Spoke Topology
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then click DMVPN. Click the Add button to create the DMVPN tunnel.
Step 5
In the Device Type and Topology section, choose Hub and Spoke as the topology, and select either Hub or Spoke as a device role.
Step 6
Select the WAN interface from the drop-down list, and then configure the Multipoint GRE IP Address and the subnet mask for the tunnel interface.
Step 7
Configure the NHRP and the Tunnel Interface parameters, such as the IP address, NHRP parameters and map, MTU value, Source of the Tunnel, Tunnel Mode, and Tunnel Key.
Step 8
Create the transform-set for protecting the data flow between the devices. You can specify up to four transforms: One Authentication Header (AH), one Encapsulating Security Payload (ESP) encryption, one ESP authentication, and one compression. These transforms define the IPSec security protocols and the algorithms.
Step 9
Configure the routing protocol to be used.
Step 10
Click Save to save the configuration to the device.
Step 11
Click Cancel to close the Create DMVPN Tunnel page without applying the changes to the device.
Configuring Fully Mesh Topology
The dynamic spoke-to-spoke option allows you to configure the DMVPN fully meshed topology. In this topology, you can configure the router as a spoke, capable of establishing a direct IPSec tunnel to other spokes in the network.
To configure the fully meshed topology, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then click DMVPN. Click the Add button to create the DMVPN tunnel with fully meshed topology.
Step 5
From the Create DMVPN Tunnel configuration page, select the Full Mesh radio button to configure the network type as full mesh topology.
Step 6
Repeat Step 6 through Step 8 from the Configuring Hub and Spoke Topology section.
Step 7
For the fully meshed spoke topology, in the NHS Server Information section, add the next hop server information, such as the IP address of the hub's physical interface and the IP address of the hub's tunnel interface.
Step 8
Click Save to save the configuration to the device.
Step 9
Click Cancel to close the Create DMVPN Tunnel page without applying the changes to the device.
Cluster Configuration
To configure the cluster, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then click DMVPN. Click the Add button to create the DMVPN tunnel.
Step 5
From the Create DMVPN Tunnel configuration page, select the Spoke radio button to configure the device role as a spoke.
Step 6
Repeat Step 6 through Step 8 from the Configuring Hub and Spoke Topology section.
Note
The device must be running Cisco IOS version 15.1(2)T or later.
Step 7
Click the Add Row button to configure the cluster related information, and add the Cluster-ID and Maximum Connection values.
Step 8
Click the Expand Row button (next to the radio button) and click the Add Row button to add the NHS server information.
Step 9
Enter the NHS server, the GRE Tunnel IP addresses, and the Priority of this NHS server. Click the Save button to save the NHS server entry configuration.
Step 10
Click the Save button to save the NHS server group information.
Step 11
Click the Save button again to save the NHS group information with the cluster configuration. This will automatically populate the NHS server IP address in the table.
Edit DMVPN
To edit the existing DMVPN tunnel, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then click DMVPN. The available tunnel is displayed.
Step 5
Select the tunnel, and click the Edit button. The Edit DMVPN Tunnel page opens.
Step 6
From the Edit DMVPN Tunnel page, you can edit the DMVPN parameters.
Step 7
Click OK to send the edited DMVPN tunnel configuration to the device.
Step 8
Click Cancel to close the Edit DMVPN Tunnel page without applying the configuration to the device.
Delete DMVPN
To delete the existing DMVPN tunnel, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list to delete the DMVPN tunnel. If the device is not added, click the Add button to add the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then click DMVPN. The available tunnel is displayed.
Step 5
Select the tunnel, and click the Delete button.
Step 6
Click Yes on the warning message to delete the selected tunnel.
Step 7
Click No on the warning message if you do not want to delete the selected tunnel.
Step 8
Click Cancel to cancel all the changes you have made without sending them to the router.
GETVPN
A Group Encrypted Transport VPN (GETVPN) deployment has primarily three components: Key Server (KS), Group Member (GM), and the Group Domain of Interpretation (GDOI) protocol. GMs encrypt and decrypt the traffic, and the KS distributes the encryption key to all the group members. The KS decides on one single data encryption key for a given lifetime. Because all GMs use the same key, any GM can decrypt the traffic encrypted by any other GM. The GDOI protocol is used between the GM and KS for group key and group Security Association (SA) management. At least one KS is required for a GETVPN deployment.
Unlike traditional IPSec encryption solutions, GETVPN uses the concept of group SA. All members in the GETVPN group can communicate with each other using a common encryption policy and a shared SA. Therefore, there is no need to negotiate IPSec between GMs on a peer-to-peer basis; thereby reducing the resource load on the GM routers.
Group Member
The GM registers with the KS to get the IPSec SA that is necessary to encrypt data traffic within the group. The GM provides the group identification number to the KS to get the respective policy and keys for this group. These keys are refreshed periodically by the KS, before the current IPSec SAs expire, so that there is no traffic loss.
Key Server
The KS is responsible for maintaining security policies, authenticating the GMs and providing the session key for encrypting traffic. KS authenticates the individual GMs at the time of registration. Only after successful registration can the GMs participate in group SA.
A GM can register at any time and receive the most current policy and keys. When a GM registers with the KS, the KS verifies the group identification number of the GM. If this identification number is valid, and the GM has provided valid Internet Key Exchange (IKE) credentials, the KS sends the SA policy and the Keys to the group member.
There are two types of keys that the GM will receive from the KS: the Key Encryption Key (KEK) and the Traffic Encryption Key (TEK). The TEK becomes part of the IPSec SA with which the group members within the same group encrypt the data. KEK is used to secure rekey messages between the KS and the GMs.
The KS sends out rekey messages either because of an impending IPSec SA expiration or because the security policy has changed on the KS. Keys can be distributed during rekey using either multicast or unicast transport. The multicast method is more scalable because keys need not be transmitted to each group member individually. Unlike unicast, in the multicast rekey method the KS receives no acknowledgement from a GM that the rekey was received. In the unicast rekey method, the KS deletes a GM from its database if three consecutive rekeys are not acknowledged by that GM.
GDOI protocol is used for Group key and group SA management. GDOI uses Internet Security Association Key Management Protocol (ISAKMP) for authenticating the GMs and KSs. All the standard ISAKMP authentication schemes like RSA Signature (certificates) and Pre-shared key can be used for GETVPN.
For more information on GETVPN, see http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/deployment_guide_c07_554713.html.
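The unicast and multicast rekey behaviour described above, as an added example that is not part of the Cisco guide: a small Python model of a key server's rekey bookkeeping, showing why a GM that stops acknowledging unicast rekeys drops out after three misses while a multicast KS never learns who received a rekey. The GM names, the three-GM scenario and the KeyServer/GroupMember classes are constructed for illustration.

```python
"""Model of GETVPN key-server rekey tracking (added example, not Cisco code).

Unicast rekey: every GM acknowledges, and a GM that misses three consecutive
rekeys is deleted from the KS database. Multicast rekey: the KS receives no
acknowledgements, so it cannot evict a silent GM. Names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_MISSED_REKEYS = 3   # rule stated in the GETVPN overview for unicast rekey


@dataclass
class GroupMember:
    gm_id: str
    missed_rekeys: int = 0   # consecutive unacknowledged unicast rekeys


@dataclass
class KeyServer:
    distribution: str        # "unicast" or "multicast"
    members: dict[str, GroupMember] = field(default_factory=dict)
    removed: list[str] = field(default_factory=list)

    def register(self, gm_id: str) -> None:
        """A GM may register at any time; registration resets its counter."""
        self.members[gm_id] = GroupMember(gm_id)

    def rekey(self, acked_by: set[str]) -> list[str]:
        """Send one rekey and return the GMs evicted by this round.

        acked_by is the set of GMs whose acknowledgement arrived. In multicast
        mode no acknowledgements exist, so the argument is ignored and no GM
        is ever removed for silence.
        """
        if self.distribution == "multicast":
            return []
        evicted: list[str] = []
        for gm in list(self.members.values()):
            if gm.gm_id in acked_by:
                gm.missed_rekeys = 0            # the count is consecutive
            else:
                gm.missed_rekeys += 1
                if gm.missed_rekeys >= MAX_MISSED_REKEYS:
                    del self.members[gm.gm_id]
                    evicted.append(gm.gm_id)
        self.removed.extend(evicted)
        return evicted


def run_unicast_scenario() -> KeyServer:
    """Constructed scenario: gm-b answers intermittently, gm-c goes silent."""
    ks = KeyServer("unicast")
    for gm in ("gm-a", "gm-b", "gm-c"):
        ks.register(gm)
    ks.rekey({"gm-a", "gm-b"})   # gm-c misses 1
    ks.rekey({"gm-a"})           # gm-b misses 1, gm-c misses 2
    ks.rekey({"gm-a", "gm-b"})   # gm-b resets to 0, gm-c misses 3 -> removed
    ks.rekey({"gm-a"})           # gm-b misses 1 again; only gm-c is gone
    return ks


if __name__ == "__main__":
    ks = run_unicast_scenario()
    print("removed:", ks.removed)
    print("remaining:", {g: m.missed_rekeys for g, m in ks.members.items()})
```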
Configuring GETVPN
The Cisco Network Control System allows you to configure the GETVPN. To configure the GETVPN, you should configure the following:
• Group member
• Key server
Creating GETVPN Group Member
Use the Add GroupMember configuration page to configure the GETVPN group member.
To create the GETVPN group member, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then click GETVPN-GroupMember. Click the Add button to create the GETVPN group member.
Step 5
In the Add GroupMember dialog box, select the General tab, and enter the Group Name and Group Identity. Choose the Registration Interface from the drop-down list.
Step 6
Enter the Primary Key Server and Secondary Key Server IP addresses. Click the Add Row or Delete button to add or delete the secondary key server IP addresses.
Note
The primary key server is responsible for creating and distributing group policies to all group members and periodically synchronizes with the secondary key servers. The server with the highest priority is elected as a primary key server.
Step 7
Click on the row or field to edit the secondary key server IP address.
Step 8
Click:
• Save to save the configuration.
• Cancel to exit without saving your changes.
Step 9
In the Add Group Member dialog box, select the Advanced tab, and choose the Local Exception ACL and Fail Close ACL from the drop-down list.
Note
If the Fail Close feature is configured, all the traffic passing through the group member will be dropped until the group member is registered successfully. Once the group member registers successfully and SAs are downloaded, this feature turns off by itself.
Step 10
Select the Migration tab, and check the Enable Passive SA check box to enable passive SA. Use this option to turn on the Passive SA mode on this group member.
Step 11
Click:
• OK to add the group member in the table. To display the commands, click CLI preview. After the scheduled deployment is completed, the configuration is applied on the device.
• Cancel to cancel all the changes you have made without sending them to the router.
• Close to close the page.
Creating GETVPN Key Server
Use the Add KeyServer configuration page to configure the GETVPN key server.
To create the GETVPN key server, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then click GETVPN-KeyServer. Click the Add button to create the GETVPN key server.
Step 5
In the Add Key Server dialog box, select the General tab, and enter the Group Name, Group Identity, WAN IP address, and Priority of this key server.
Step 6
Enter the Co-operative Key Servers IP address. Click the Add Row or Delete button to add or delete the Co-operative key server IP address. Click on the row or field, and edit the IP address.
Step 7
In the Add KeyServer dialog box, select the Rekey tab, and choose the Distribution method from the drop-down list.
Note
The distribution method is used to send the rekey information from key server to group members. When you choose the distribution method as multicast, specify the multicast address to which the rekey needs to be transmitted.
Step 8
In the Add KeyServer dialog box, select the GETVPN Traffic tab, and enter the Traffic to be encrypted, Encryption Policy, and Anti Replay.
Note
The access list defines the traffic to be encrypted. Only the traffic that matches the "permit" lines will be encrypted. Be sure not to encrypt traffic that should always be permitted even if the crypto sessions are not up.
Step 9
Click:
• OK to add the key server in the table. To display the commands, click CLI preview. After the scheduled deployment is completed, the configuration is applied on the device.
• Cancel to cancel all the changes you have made without sending them to the router.
Step 10
Click Close to close the page.
Editing GETVPN Group Member or Key Server
To edit the existing GETVPN group member or the GETVPN key server, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then click GETVPN-GroupMember or GETVPN-KeyServer. The GETVPN-GroupMember or GETVPN-KeyServer summary page opens.
Step 5
From the GETVPN summary page, select the group name and click Edit. The Edit GETVPN-GroupMember or GETVPN-KeyServer page appears.
Step 6
From the Edit GETVPN-GroupMember or GETVPN-KeyServer page, you can edit the GETVPN parameters.
Step 7
Click:
• OK to save the configurations.
• Cancel to cancel all the changes you have made without sending them to the router.
Step 8
Click Close to close the page.
Deleting GETVPN Group Member or Key Server
To delete the existing GETVPN group member or the GETVPN key server, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then click GETVPN-GroupMember or GETVPN-KeyServer. The GETVPN-GroupMember or GETVPN-KeyServer summary page opens.
Step 5
From the GETVPN summary page, select the group name and click Delete.
Step 6
Click:
• OK to save the configurations.
• Cancel to cancel all the changes you have made without sending them to the router.
Step 7
Click Close to close the page.
VPN Components
The VPN components primarily include the following:
• IKE Policies
• IKE Settings
• IPsec Profile
• Pre-shared Keys
• RSA Keys
• Transform Sets
IKE Policies
The Internet Key Exchange (IKE) is a standard method for arranging secure and authenticated communications. The IKE establishes session keys (and associated cryptographic and networking configuration) between two hosts across the network. The IKE policies will protect the identities of peers during authentication.
The IKE negotiations must be protected; therefore, each IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states the security parameters that will be used to protect subsequent IKE negotiations. After the two peers agree on a policy, the security parameters of the policy are identified by a security association established at each peer. These security associations are applied to all the subsequent IKE traffic during the negotiation.
When the IKE negotiation begins, IKE looks for an IKE policy that is the same on both the peers. The peer that initiates the negotiation will send all its policies to the remote peer, and the remote peer will try to find a match. The remote peer looks for a match by comparing its own highest priority policy against the other peer's received policies. The remote peer checks each of its policies in the order of its priority (highest first) until a match is found. A match is made when both the policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman (D-H) parameter values, and when the remote peer's policy specifies a lifetime less than or equal to the lifetime in the policy being compared. If the lifetimes are not identical, the shorter lifetime is used from the remote peer's policy.
Creating, Editing, and Deleting IKE Policies
The IKE Policies feature allows you to create, edit, and delete the IKE policies.
To create, edit, or delete the IKE policies, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select a device or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then choose VPN Components > IKE Policies.
Step 5
Click the Add Row button to create the IKE policies.
Step 6
In the IKE Policies page, enter the Priority, Authentication, D-H Group, Encryption, Hash, and Lifetime.
Step 7
To edit the IKE policy parameters, click the field and edit the parameter of that IKE policy.
Step 8
To delete the IKE policies, select the IKE policies from the list, and click the Delete button.
Table 4-7 lists the elements on the IKE Policies page.
Table 4-7 IKE Policies Page
Priority: Enter the priority value of the IKE proposal. The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common security association (SA). If the remote IPsec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number.
The range is from 1 to 10000. The lower the number, the higher the priority.
Authentication: Choose Pre-shared keys or RSA Signatures from the drop-down list.
• Pre-SHARE—Authentication will be performed using pre-shared keys.
• RSA_SIG—Authentication will be performed using digital signatures.
Encryption: Choose the encryption algorithm from the drop-down list.
• AES-128—Encrypts according to the Advanced Encryption Standard using 128-bit keys.
• AES-192—Encrypts according to the Advanced Encryption Standard using 192-bit keys.
• AES-256—Encrypts according to the Advanced Encryption Standard using 256-bit keys.
• DES—Encrypts according to the Data Encryption Standard using 56-bit keys.
• 3DES—Encrypts three times using 56-bit keys. 3DES is more secure than DES, but requires more processing for encryption and decryption. It is less secure than AES. A 3DES license is required to use this option.
Diffie-Hellman Group: Choose the D-H group algorithm from the drop-down list.
The Diffie-Hellman group is used for deriving a shared secret between the two IPsec peers without transmitting it to each other. A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Options are:
• 1—Diffie-Hellman Group 1 (768-bit modulus).
• 2—Diffie-Hellman Group 2 (1024-bit modulus).
• 5—Diffie-Hellman Group 5 (1536-bit modulus, considered good protection for 128-bit keys).
Hash: Choose the hash algorithm used in the IKE proposal from the drop-down list. The hash algorithm creates a message digest, which is used to ensure message integrity. The options are:
• SHA (Secure Hash Algorithm)—Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.
• MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses less processing time than SHA.
Lifetime: The lifetime of the security association (SA), in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes.
The range is from 60 to 86400 seconds. The default value is 86400.
Step 9
Click:
• Save to save the configuration.
• Cancel to exit without saving your changes.
• Save again to generate the CLI commands.
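The policy-matching rule described in the IKE Policies introduction, together with the value ranges and algorithm notes from Table 4-7, as an added example that is not part of the Cisco guide or the NCS product: a Python model of the responder's priority-ordered search, a range check on Priority and Lifetime, and an audit that flags the settings the table itself describes as weaker. The IkePolicy class, the sample policy lists and the PRE-SHARE/RSA_SIG spellings are constructed for illustration.

```python
"""IKE policy negotiation and audit, as described in the IKE Policies section.

Added example, not Cisco code. Ranges come from Table 4-7; the sample
policies below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

PRIORITY_RANGE = (1, 10000)   # Table 4-7: lower number = higher priority
LIFETIME_RANGE = (60, 86400)  # Table 4-7: seconds, default 86400

# Settings Table 4-7 describes as weaker: DES (56-bit keys), 3DES (less secure
# than AES), MD5 (less brute-force resistant than SHA), small D-H moduli.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASH = {"MD5"}
WEAK_DH_GROUPS = {1, 2}       # 768- and 1024-bit moduli; group 5 is 1536-bit


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    authentication: str   # "PRE-SHARE" or "RSA_SIG"
    encryption: str       # "AES-128", "AES-192", "AES-256", "DES", "3DES"
    hash_alg: str         # "SHA" or "MD5"
    dh_group: int         # 1, 2 or 5
    lifetime: int         # seconds


def validate(policy: IkePolicy) -> list[str]:
    """Return the range/value problems of one policy (empty list = valid)."""
    problems: list[str] = []
    lo, hi = PRIORITY_RANGE
    if not lo <= policy.priority <= hi:
        problems.append(f"priority {policy.priority} outside {lo}-{hi}")
    lo, hi = LIFETIME_RANGE
    if not lo <= policy.lifetime <= hi:
        problems.append(f"lifetime {policy.lifetime} outside {lo}-{hi} seconds")
    if policy.authentication not in {"PRE-SHARE", "RSA_SIG"}:
        problems.append(f"unknown authentication {policy.authentication}")
    if policy.dh_group not in {1, 2, 5}:
        problems.append(f"unknown D-H group {policy.dh_group}")
    return problems


def audit(policy: IkePolicy) -> list[str]:
    """Flag the settings Table 4-7 calls less secure (findings, not errors)."""
    findings: list[str] = []
    if policy.encryption in WEAK_ENCRYPTION:
        findings.append(f"{policy.encryption} is less secure than AES")
    if policy.hash_alg in WEAK_HASH:
        findings.append("MD5 is less resistant to brute force than SHA")
    if policy.dh_group in WEAK_DH_GROUPS:
        findings.append(f"D-H group {policy.dh_group} modulus is below 1536 bits")
    return findings


def negotiate(initiator: list[IkePolicy],
              responder: list[IkePolicy]) -> Optional[IkePolicy]:
    """Select the common policy the way the IKE Policies section describes.

    The initiator offers all of its policies. The responder walks its own
    policies from highest priority (lowest number) down and stops at the
    first whose encryption, hash, authentication and D-H group equal an
    offered policy and whose lifetime is <= the offered lifetime. When the
    lifetimes differ, the shorter (responder's) lifetime is used.
    """
    for own in sorted(responder, key=lambda p: p.priority):
        for offered in initiator:
            same = (own.encryption == offered.encryption
                    and own.hash_alg == offered.hash_alg
                    and own.authentication == offered.authentication
                    and own.dh_group == offered.dh_group)
            if same and own.lifetime <= offered.lifetime:
                return IkePolicy(own.priority, own.authentication,
                                 own.encryption, own.hash_alg, own.dh_group,
                                 min(own.lifetime, offered.lifetime))
    return None   # no common policy: the IKE negotiation fails


# Constructed sample policies (not taken from the guide).
SPOKE = [
    IkePolicy(10, "PRE-SHARE", "AES-256", "SHA", 5, 86400),
    IkePolicy(20, "PRE-SHARE", "3DES", "MD5", 2, 86400),
]
HUB = [
    IkePolicy(5, "RSA_SIG", "AES-256", "SHA", 5, 86400),    # auth differs
    IkePolicy(10, "PRE-SHARE", "AES-256", "SHA", 5, 3600),  # match, shorter
    IkePolicy(30, "PRE-SHARE", "3DES", "MD5", 2, 86400),
]

if __name__ == "__main__":
    print("spoke -> hub:", negotiate(SPOKE, HUB))
    print("hub -> spoke:", negotiate(HUB, SPOKE))
    for p in SPOKE + HUB:
        print(p.priority, validate(p), audit(p))
```

Note that the responder's lifetime rule makes the outcome depend on who initiates: the hub accepts the spoke's offer at its priority-10 policy with a 3600-second lifetime, but the spoke answering the hub falls through to the weaker 3DES/MD5 pair.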
IKE Settings
The IKE Settings feature allows you to globally enable the IKE for your peer router.
Creating IKE Settings
To enable the IKE policies and set the aggressive mode for the IKE, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select a device or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then choose VPN Components > IKE Settings.
Step 5
Check the Enable IKE and Enable Aggressive Mode check boxes to enable the IKE policies and the aggressive mode.
Step 6
Choose the IKE Identity from the drop-down list.
Step 7
Enter the Dead Peer Detection Keepalive and Dead Peer Detection Retry time in seconds.
Table 4-8 lists the elements on the IKE Settings page.
Table 4-8 IKE Settings Page
Enable IKE: Check the Enable IKE check box to globally enable IKE. By default, IKE is enabled. You do not enable IKE for individual interfaces; it is enabled globally for all the interfaces on the router.
If you do not want to use IKE for your IP Security (IPSec) implementation, you can disable IKE for all your IPSec peers. If you disable IKE for one peer, you must disable it for all the IPSec peers.
Enable Aggressive Mode: Check the Enable Aggressive Mode check box to enable the Internet Security Association and Key Management Protocol (ISAKMP) aggressive mode. If you disable the aggressive mode, all aggressive mode requests to the device and all aggressive mode requests made by the device are blocked.
IKE Identity: Choose the ISAKMP identity from the drop-down list. The options are: IP Address, Distinguished Name, and Host Name. An ISAKMP identity is set whenever you specify pre-shared keys or RSA signature authentication. As a general rule, you should set all peers' identities in the same way, either by IP address or by host name.
• IP Address—Sets the ISAKMP identity to the IP address of the interface that is used to communicate to the remote peer during the IKE negotiations.
• Distinguished Name—Sets the ISAKMP identity to the distinguished name (DN) of the router certificate.
• Host Name—Sets the ISAKMP identity to the host name concatenated with the domain name (for example, myhost.example.com).
Dead Peer Detection Keepalive: Enable the gateway to send DPD messages to the peer. DPD is a keepalive scheme that allows the router to query the liveness of its Internet Key Exchange (IKE) peer.
Specify the number of seconds between DPD messages in the DPD Keepalive field. The range is from 10 to 3600 seconds.
Dead Peer Detection Retry: Specify, in the DPD Retry field, the number of seconds between retries if the DPD messages fail. The range is from 2 to 60 seconds.
Step 8
Click:
• Save to save the configuration.
• Refresh to refresh the page.
IPsec Profile
The IPsec profiles, also called ISAKMP profiles, enable you to define a set of IKE parameters that you can associate with one or more IPSec tunnels. An IPsec profile applies parameters to an incoming IPSec connection identified uniquely through its match identity criteria. These criteria are based on the IKE identity presented by incoming IKE connections and include IP address, Fully Qualified Domain Name (FQDN), and group (the Virtual Private Network (VPN) remote client grouping).
Creating, Editing, and Deleting IPsec Profile
The IPsec Profile feature allows you to create, edit, and delete IPsec profiles.
To create, edit, or delete the IPsec Profile, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select a device or click Add to add a new device, and then configure the device. The device details appear on the lower part of the screen.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then choose VPN Components > IPsec Profile.
Step 5
Click the Add Row button to create the IPsec profile.
Step 6
In the IPsec Profile page, enter the information such as Name, Description, and Transform Set, and the IPsec SA Lifetime.
Note
When you edit a profile, you cannot change the name of the IPsec profile. A transform set represents a particular combination of security protocols and algorithms. During the IPsec security association negotiation, the peers agree to use a particular transform set to protect a particular data flow. A transform describes a particular security protocol with its corresponding algorithms.
Step 7
Enter the IPsec SA lifetime in seconds. When this period elapses, the SA expires and a new one is negotiated.
Step 8
To edit the IPsec profile parameters, click on the Field and edit the parameter of that IPsec profile.
Step 9
To delete the IPsec profile, select the IPsec Profile from the list, and click the Delete button.
Step 10
Click:
•
Save to save the configuration.
•
Cancel to exit without saving your changes.
•
Save again to generate the CLI commands.
Pre-shared Keys
The Pre-shared Keys feature lets you configure a secret key shared between two peers; IKE uses the key during the authentication phase. Use a long, randomly generated key and a separate key for each peer: a key shared with a wildcard peer address lets any peer that learns it authenticate.
Creating, Editing, and Deleting Pre-shared Keys
To create, edit, or delete the pre-shared keys, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select a device or click Add to add a new device, and then configure the device. The device details appear on the lower part of the screen.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then choose VPN Components > Pre-Shared Keys.
Step 5
Click the Add Row button to create the pre-shared key.
Step 6
In the Pre-Shared Keys page, enter the IP Address, Host Name, Subnet Mask, and Pre-Shared Keys.
Step 7
To edit the pre-shared key parameters, click on the Field and edit the parameter of that pre-shared key.
Step 8
To delete the pre-shared key, select the pre-shared key from the list, and click the Delete button.
Step 9
Click:
•
Save to save the configuration.
•
Cancel to exit without saving your changes.
•
Save again to save the configuration and generate the CLI commands.
RSA Keys
An RSA key pair consists of a public key and a private key. When setting up your Public Key Infrastructure (PKI), you must include the public key in the certificate enrollment request. After the certificate is granted, the public key is included in the certificate so that the peers can use it to encrypt the data that is sent to the router. The private key is kept on the router and is used both to decrypt the data sent by the peers and to digitally sign transactions when negotiating with the peers.
The RSA key pairs contain a key modulus value. The modulus determines the size of the RSA key. The larger the modulus, the more secure the RSA key. However, keys with large modulus values take longer to generate, and encryption and decryption operations take longer with larger keys.
Creating, Importing, Exporting, and Deleting RSA Keys
To create, export, import, or delete the RSA keys, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select a device or click Add to add a new device, and then configure the device. The device details appear on the lower part of the screen.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then choose VPN Components > RSAKeys.
Step 5
Click the Add Row button to create the RSA Keys.
Step 6
The Add RSA Keys dialog box appears.
Step 7
In the Add RSA Keys dialog box, enter the Label, Modulus, and Type.
Note
For a modulus value between 512 and 1024, enter an integer that is a multiple of 64. For a value above 1024, enter 1536 or 2048. Key generation for a modulus above 512 may take a minute or longer. The modulus determines the size of the key: the larger the modulus, the more secure the key, but a larger key takes longer to generate and makes encryption and decryption slower. Moduli of 1024 bits or less are no longer considered adequate; use 2048 unless a peer cannot support it.
Step 8
Check the Make the Key exportable check box to generate the RSA key pair as an exportable key. An exportable private key can be copied off the device, so leave this unchecked unless you need to move the key to another device.
Step 9
Click:
•
OK to save the configuration.
•
Cancel to exit without saving your changes.
Step 10
To import the RSA key, click the Import button. The Import RSA Key dialog box appears.
Step 11
In the Import RSA Key dialog box, enter the label of the RSA key, Key type, and password to decrypt the key. If the key type is general-keys, signature or encryption, copy and paste the public and private key data that was saved.
Step 12
To import a usage key, enter the public and private key data of both the signature and encryption keys.
Step 13
Click:
•
Import to import the RSA key.
•
Close to exit without saving your changes.
Step 14
To export the RSA key, select the RSA key from the list and click the Export button. The Export RSA Key Pair dialog box appears.
Step 15
In the Export RSA Key Pair dialog box, enter the password to encrypt the RSA key and choose the encryption algorithm from the drop-down list.
Step 16
Click:
•
OK to display the exported keys.
•
Cancel to exit without saving your changes.
Step 17
To delete the RSA key, select the RSA key from the list, and click the Delete button.
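The modulus rule in the note above can be checked mechanically. The following added Python example (not Prime Infrastructure code) applies it, rates the key by its approximate symmetric-equivalent strength, refuses keys below a configurable minimum, and renders the IOS key-generation command. The key label, the 2048-bit default minimum and the strength table are this example's own.

```python
"""Check an RSA key request against the modulus rule on the RSA Keys page and
render the IOS command for it.  Added example, not Prime Infrastructure code;
the 2048-bit minimum and the strength table are this example's policy."""
from typing import List, Optional

KEY_TYPES = {"general-keys", "usage-keys", "signature", "encryption"}


def modulus_accepted_by_page(modulus: int) -> bool:
    """Rule from the note: 512-1024 in multiples of 64, otherwise 1536 or 2048.
    (IOS itself accepts a wider range; this mirrors what the page allows.)"""
    return (512 <= modulus <= 1024 and modulus % 64 == 0) or modulus in (1536, 2048)


def security_strength_bits(modulus: int) -> Optional[int]:
    """Approximate symmetric-equivalent strength (NIST SP 800-57 Part 1 table)."""
    if modulus >= 3072:
        return 128
    if modulus >= 2048:
        return 112
    if modulus >= 1024:
        return 80
    return None      # below 1024 bits: no rated strength, treat as broken


def rsa_key_cli(label: str, modulus: int, key_type: str = "general-keys",
                exportable: bool = False, minimum_modulus: int = 2048) -> List[str]:
    """Return the key-generation command, or raise ValueError."""
    if key_type not in KEY_TYPES:
        raise ValueError(f"unknown key type {key_type!r}")
    if not modulus_accepted_by_page(modulus):
        raise ValueError(f"modulus {modulus} is not an accepted value")
    if modulus < minimum_modulus:
        strength = security_strength_bits(modulus)
        raise ValueError(f"modulus {modulus} is below the {minimum_modulus}-bit minimum "
                         f"(about {strength if strength else 'under 80'} bits of strength)")
    cmd = f"crypto key generate rsa {key_type} label {label}"
    if exportable:
        # An exportable private key can later be copied off the device with
        # 'crypto key export'; only request it when the key must move.
        cmd += " exportable"
    return [cmd + f" modulus {modulus}"]


if __name__ == "__main__":
    print(rsa_key_cli("VPN-KEY", 2048)[0])
```

Lowering minimum_modulus is the only way to get a 1024-bit key out of this, which keeps the weak choice an explicit decision rather than a default.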
Transform Sets
A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IPsec-protected traffic. During the IPsec security association negotiation, the peers agree to use a particular transform set to protect a particular data flow.
Creating, Editing, and Deleting Transform Sets
To create, edit, or delete the transform sets, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select a device or click Add to add a new device, then configure the device. The device details appear on the lower part of the screen.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Security folder, and then choose VPN Components > Transform Sets.
Step 5
Click the Add Row button to create the transform sets.
Step 6
In the Transform Sets page, enter the Name and select the acceptable combination of security protocols and algorithm to configure the transform set.
Note
The ESP encryption algorithm is used to encrypt the payload and the integrity algorithm is used to check the integrity of the payload.
Step 7
Specify the mode for a transform set. The options are: Tunnel mode or Transport mode.
•
Transport—Encrypts the payload only. Transport mode is used when both endpoints support IPsec. It places the Authentication Header (AH) or Encapsulating Security Payload (ESP) header after the original IP header, so only the IP payload is protected and the original header stays visible on the wire. This lets intermediate devices apply network services such as quality-of-service (QoS) controls to the encrypted packets.
•
Tunnel—Encrypt data and IP header. Tunnel mode provides stronger protection than transport mode. Because the entire IP packet is encapsulated within AH or ESP, a new IP header is attached, and the entire datagram can be encrypted. Tunnel mode allows network devices such as a router to act as an IPsec proxy for multiple VPN users; tunnel mode should be used in those configurations.
Step 8
To edit the Transform sets parameters, click on the Field and edit the parameter of that transform sets.
Step 9
To delete the transform set, select the transform set from the list, and click the Delete button.
Step 10
Click:
•
Save to save the configuration.
•
Cancel to exit without saving your changes.
•
Save again to save the configuration changes.
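To see how a transform set and the IPsec profile that references it fit together, and what a weak choice looks like beside an acceptable one, here is an added Python example (not Prime Infrastructure or IOS code) covering both the IPsec Profile and the Transform Sets sections. The transform names and commands are standard Cisco IOS; the list of transforms it refuses as weak, the SA lifetime range it assumes and all the names are this example's choices.

```python
"""Build an IPsec transform set and the IPsec profile that references it,
refusing algorithms a current deployment should not use.  Added example, not
Prime Infrastructure or IOS code.  Transform names and command syntax are
standard Cisco IOS; the 'weak' set is this example's own policy."""
from typing import List, Optional

ESP_ENCRYPTION = {"esp-des", "esp-3des", "esp-aes", "esp-aes 192", "esp-aes 256",
                  "esp-gcm", "esp-gcm 256"}
ESP_INTEGRITY = {"esp-md5-hmac", "esp-sha-hmac", "esp-sha256-hmac",
                 "esp-sha384-hmac", "esp-sha512-hmac"}
AEAD = {"esp-gcm", "esp-gcm 256"}                              # integrity is built in
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}  # deprecated choices
MODES = {"tunnel", "transport"}


def transform_set(name: str, encryption: str, integrity: Optional[str],
                  mode: str = "tunnel", allow_weak: bool = False) -> List[str]:
    """Return the CLI for one transform set, or raise ValueError."""
    if encryption not in ESP_ENCRYPTION:
        raise ValueError(f"unknown ESP encryption transform {encryption!r}")
    if encryption in AEAD:
        if integrity is not None:
            raise ValueError("GCM transforms carry their own integrity check; omit the HMAC")
    elif integrity not in ESP_INTEGRITY:
        raise ValueError("a non-AEAD cipher needs an ESP integrity transform")
    if mode not in MODES:
        raise ValueError(f"mode must be one of {sorted(MODES)}")
    chosen = {encryption, integrity} & WEAK
    if chosen and not allow_weak:
        raise ValueError(f"weak transform(s) {sorted(chosen)}; use AES-256 with SHA-256 or GCM")
    transforms = encryption if integrity is None else f"{encryption} {integrity}"
    # Tunnel mode wraps the whole original packet in a new IP header; transport
    # mode keeps the original header visible and protects only the payload.
    return [f"crypto ipsec transform-set {name} {transforms}", f" mode {mode}"]


def ipsec_profile(name: str, transform_set_name: str, lifetime_seconds: int) -> List[str]:
    """CLI for an IPsec profile.  120-2592000 s is the range this example assumes IOS accepts."""
    if not 120 <= lifetime_seconds <= 2592000:
        raise ValueError("SA lifetime out of range")
    return [f"crypto ipsec profile {name}",
            f" set transform-set {transform_set_name}",
            f" set security-association lifetime seconds {lifetime_seconds}"]


if __name__ == "__main__":
    for line in transform_set("TS-STRONG", "esp-aes 256", "esp-sha256-hmac") \
            + ipsec_profile("P1", "TS-STRONG", 3600):
        print(line)
```

The weak set is rejected by default; passing allow_weak=True produces the same "esp-3des esp-md5-hmac" set the page would happily accept, which is the point of putting the two side by side.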
Overview of Zones
The Zone Based Firewall (ZBFW) feature allows users to easily manage Cisco IOS unidirectional firewall policy between groups of interfaces known as zones.
A zone is a group of interfaces that have similar functions or features. For example, on a router, Gigabit Ethernet interface 0/0/0 and Gigabit Ethernet interface 0/0/1 may be connected to the local LAN. These two interfaces are similar because they represent the internal network, so they can be grouped into a zone for firewall configurations.
By default, traffic between interfaces in the same zone is not subject to any policy; it passes freely. Firewall policy is applied to traffic between zones.
Security Zones
A security zone is a group of interfaces to which a policy can be applied. Grouping interfaces into zones involves the following two procedures:
•
Creating a zone so that the interfaces can be attached to it.
•
Configuring an interface as a member of a given zone.
By default, the traffic flows among the interfaces that are members of the same zone. When an interface is a member of a security zone, all traffic to and from that interface (except traffic going to the router or initiated by the router) is dropped. To permit the traffic to and from a zone-member interface, you must make that zone part of a zone pair, and then apply a policy to that zone pair. If the policy permits the traffic (through inspect or pass actions), traffic can flow through the interface.
Figure 4-1 Security Zone Diagram
•
Interfaces E0 and E1 are members of the security zone Z1.
•
Interface E2 is a member of the security zone Z2.
•
Interface E3 is not a member of any security zone.
In this scenario, the following situations exist:
•
Traffic flows freely between the interfaces E0 and E1 because they are members of the same security zone (Z1).
•
If no policies are configured, traffic does not flow between interfaces that are not in the same zone (for example, E0 and E2, E1 and E2, E3 and E1, and E3 and E2).
•
Traffic can flow between E0 or E1 and E2 interfaces only when an explicit policy is configured to permit the traffic between the zone Z1 and zone Z2.
•
Traffic can never flow between E3 and E0, E1, or E2, because E3 is not part of any security zone (on ASR platforms, enabling the default zone places such interfaces in a zone of their own, after which a zone pair and policy can permit the traffic).
The following topics provide more information:
•
Managing Applications
•
Managing Default Parameters
•
Managing Interfaces
•
Managing Policy Rules
•
Creating Security Zone
•
Managing Services
Managing Applications
This feature allows you to assign or un-assign the Transmission Control Protocol (TCP) / User Datagram Protocol (UDP) ports to an application.
Note
When you click the Save or Delete button, the changes are deployed on the device immediately. You cannot review the requested operation, and you cannot remove the operation request from the pending changes queue. Objects whose CLI names start with "EMS_" are reserved; changing them is not supported and may cause unexpected behavior.
Editing Port Application Mapping
To assign or un-assign the TCP/UDP ports to an application, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Common Building Block subfolder, and then click Port Applications Mapping. The Port Application Mapping page appears.
Note
The page lists the application names retrieved from the device.
Step 5
To assign or unassign TCP/UDP ports to an application, click the application and update its TCP/UDP ports value. The port values are then assigned to that application.
a.
Assign port(s) by defining one or more ports separated by comma (For example: 1234, 2222 and so on).
b.
Assign port(s) by defining the port range (For example: 1111-1118). You can also assign a group of ports or port range.
c.
Unassign port(s) by deleting the existing port values.
Step 6
Click Save to save the configurations.
Managing Services
This feature allows you to create, update or delete the service element.
Creating Services
To create the services, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Common Building Block subfolder, and then click Services. The Service page appears.
Step 5
In the Service page, click the Add Service button to create a new service.
Step 6
In the Service page, enter the Service Name. You cannot change the name after creating the service. Also, you cannot create a service without an application.
Step 7
To assign Applications, click the down arrow icon. The Applications Object Selector dialog box appears.
a.
In the Applications dialog box, check the Applications check box to select the applications from the list (can be multiple selection).
b.
Click OK to accept the changes or Cancel to cancel the changes.
Step 8
Click Save to apply your changes to the device.
Editing Service
To edit the existing service, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Common Building Block subfolder, and then click Services.
Step 5
In the Service page:
a.
Click the Service parameters row and edit the parameters, or
b.
Select the service, and click the Edit button. The selected Service entity opens for editing. You can add new applications or remove an already selected application.
c.
To remove an application from the selected list, rest your cursor on the application name, and click the X icon.
Step 6
Click Save to save the configuration.
Deleting the Service
To delete the existing service, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Common Building Block subfolder, and then click Services.
Step 5
From the Service page, select the service, and then click the Delete button.
Step 6
Click OK on the warning message to delete the service. The selected service is deleted.
Managing Policy Rules
The policy rule section allows you to create a new firewall policy rule, change an existing policy rule, delete a policy rule, and change the policy rule order. When you create a firewall policy rule, you choose its position in the policy table; rules are evaluated in order, so the position determines which rule matches first.
Creating Policy Rules
To create the policy rules, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Security subfolder, and then click Policy Rules. The Firewall Rules page appears.
Step 5
From the Firewall Rules page, click the Add Rule button and complete the fields. The source zone and the destination zone must be different.
Step 6
To move the rules, click on the down arrow icon on the Add Rule button. You can place the selected rule at the top of the list or bottom of the list or move the selected rule after or before a rule in the table.
Note
The name field is optional. If you do not provide a name for the firewall rule, the system generates one. Do not use the formats rule_<number> or EMS_rule_<number> (for example, rule_1) for firewall rule names; these formats are reserved by the system.
Step 7
To add the source and the destination IP address, click the add icon. The Source/Destination IP address dialog box appears.
a.
From the Source/Destination IP address dialog box, check the Any check box to set the value to any.
b.
Enter the source/destination IP addresses.
c.
Click the Add button to add the new IP address and the subnet.
d.
Click Delete to delete the existing value.
e.
Click OK to save the configurations.
f.
Click Cancel to cancel all the changes you have made without sending them to the router.
Step 8
Set the Service values. To add or remove the Application, click the down arrow icon. The Firewall Service dialog box appears.
a.
In the Firewall Service dialog box, check the Application check box to select the application to inspect.
b.
To select an ACL Based Application, select either the TCP or UDP or ICMP application.
c.
To select an interface,
d.
Use the navigation arrow buttons to navigate forward and backward.
e.
Click OK to save the configurations.
Step 9
Select the appropriate action. The options are: Drop, Drop and Log, Inspect, Pass, and Pass and Log.
Step 10
If you select the action to inspect, click the Configure button in the Advance options column. The Advanced Parameters Configuration dialog box appears.
Step 11
In the Advanced Parameters Configuration dialog box, do the following:
a.
To customize the device default value, check the Parameter box and set the new value.
b.
To apply the device default value, uncheck the Parameter box.
c.
To view the firewall rule default parameters, see "Managing Default Parameters" section.
d.
When you rest your cursor on the Advanced Options icon, the configured parameters will be displayed in the quick view window.
Table 4-9 lists the elements on the policy rule page.
Table 4-9 Policy Rule Page
Element
|
Description
|
Name
|
(Optional) Enter a name for the policy rule.
|
Source Zone
|
Enter the name of the source zone. The source zone specifies the name of the zone from which the traffic is originating.
|
Destination Zone
|
Enter the name of the destination zone. The destination zone is the zone to which the traffic is bound.
|
Source
|
Enter the source IP address of the inspected data. The valid parameters are:
• Any
• IP Address
• Subnet
|
Destination
|
Enter the destination IP address of the inspected data. The valid parameters are:
• Any
• IP Address
• Subnet
|
Service
|
The service of the inspected data. The valid parameters are:
• L3/4 Applications, see "Managing Applications" section
• Services, see "Creating Services" section
• ACL Based application: TCP, UDP, ICMP
|
Action
|
Choose the action to perform on the traffic when the rule condition matches. A rule matches only when all of the following are true:
• The traffic source IP matches the Source condition of the rule.
• The traffic destination IP matches the Destination condition of the rule.
• The inspected service of the traffic matches the Service condition of the rule.
The action options are:
• Drop
• Drop and Log
• Inspect
• Pass
• Pass and Log
|
Advance Options
|
Specify the configuration parameters to set the Firewall Rule Parameter-Map behavior when the Action option is set to Inspect.
|
Step 12
Click Save to apply the rule to the device.
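Putting the Security Zones overview, the Port Application Mapping syntax and the Policy Rules table together, the following added Python example (not Prime Infrastructure or IOS code) models the forwarding decision: same-zone traffic passes, a zoned and an unzoned interface never exchange traffic, traffic between two zones is checked against the rules in order, and anything left over hits the fixed class-default and is dropped. The interfaces, zones, addresses and rules are constructed to mirror Figure 4-1; the default-zone switch models the ASR-only option described later in this section. Traffic to or from the router itself is outside the model.

```python
"""Forwarding decisions of a zone-based firewall, as the Security Zones
overview and the Policy Rules table describe them.  Added example, not
Prime Infrastructure or IOS code.  The port syntax is the one the Port
Application Mapping page accepts; the interfaces, zones and rules below
are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def parse_ports(spec: str) -> Set[int]:
    """Accept '1234, 2222' and ranges such as '1111-1118', combined freely."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port specification {item!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    action: str                                     # Drop, Drop and Log, Inspect, Pass, Pass and Log
    source: str = "any"                             # any, an address, or a subnet
    destination: str = "any"
    service: Optional[Tuple[str, Set[int]]] = None  # (protocol, ports); None matches any service
    name: str = ""


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


class ZoneFirewall:
    def __init__(self, default_zone: bool = False):
        self.members: Dict[str, str] = {}   # interface -> zone
        self.rules: List[Rule] = []         # evaluated top to bottom
        self.default_zone = default_zone    # the ASR-only option on the page

    def assign(self, interface: str, zone: str) -> None:
        self.members[interface] = zone

    def add_rule(self, rule: Rule) -> None:
        if rule.src_zone == rule.dst_zone:
            raise ValueError("source and destination zone must be different")
        self.rules.append(rule)

    def zone_of(self, interface: str) -> Optional[str]:
        zone = self.members.get(interface)
        if zone is None and self.default_zone:
            return "default"                # unzoned interfaces land in the default zone
        return zone

    def decide(self, in_if: str, out_if: str, src: str, dst: str,
               proto: str, port: int) -> Tuple[str, Optional[str]]:
        """Return (action, rule name) for transit traffic between two interfaces."""
        zin, zout = self.zone_of(in_if), self.zone_of(out_if)
        if zin is None and zout is None:
            return ("Pass", None)   # neither interface zoned: IOS behaviour, not stated on the page
        if zin is None or zout is None:
            return ("Drop", None)   # a zoned and an unzoned interface never exchange traffic
        if zin == zout:
            return ("Pass", None)   # intra-zone traffic is not policed
        for rule in self.rules:     # first match wins
            if (rule.src_zone, rule.dst_zone) != (zin, zout):
                continue
            if not (_addr_matches(rule.source, src) and _addr_matches(rule.destination, dst)):
                continue
            if rule.service is not None:
                sproto, sports = rule.service
                if sproto != proto or port not in sports:
                    continue
            return (rule.action, rule.name)
        return ("Drop", "class-default")    # the fixed class-default at the bottom of the list


def figure_4_1_example() -> ZoneFirewall:
    """Constructed topology mirroring the figure: E0/E1 in Z1, E2 in Z2, E3 unzoned."""
    fw = ZoneFirewall()
    for iface, zone in (("E0", "Z1"), ("E1", "Z1"), ("E2", "Z2")):
        fw.assign(iface, zone)
    fw.add_rule(Rule("Z1", "Z2", "Inspect", source="10.1.0.0/24",
                     service=("tcp", parse_ports("80, 443")), name="web-out"))
    fw.add_rule(Rule("Z1", "Z2", "Drop and Log", name="deny-rest"))
    return fw


if __name__ == "__main__":
    fw = figure_4_1_example()
    print(fw.decide("E0", "E2", "10.1.0.5", "203.0.113.10", "tcp", 443))
    print(fw.decide("E2", "E0", "203.0.113.10", "10.1.0.5", "tcp", 443))
```

Note that the Z2 to Z1 direction has no rule at all, so return traffic reaches class-default and is dropped; in a real deployment the Inspect action on the Z1 to Z2 rule is what lets the replies back in, since inspection opens the return path for sessions it has seen, and a Pass rule would not.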
Monitoring Policy Rules
To monitor Policy Rules, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Security subfolder, and then click Policy Rules. The Firewall Rules page appears.
Step 5
In the Firewall Rules page, click Hit Counters and use the options to analyze the sessions and packets of the selected rules.
Step 6
Click the Show all option to view the packets and sessions counters. The packets and sessions counters are displayed in two separate columns. The packet counters are used to analyze the pass/drop rules and sessions counters are used for the inspect rules.
Note
When you select the Show all option, the system will display a warning message stating that it may take more time to complete this operation.
Step 7
To see when the rules were last updated, hover the mouse over the column names or click the Last Update Time option in the Hit Counters. You can refresh the hit counters for a specific rule or for all the selected rules; this option is enabled when you select the "Show for selected rules" option.
Step 8
Use the pre-defined filters options to display the rules at the top or bottom based on the packets/sessions counts.
Step 9
Click the Reset All Counters to discard all the rules counters. The application will display a warning message before resetting the rules counters.
Editing Policy Rule
To edit the existing Policy Rule, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Security subfolder, and then click Policy Rules.
Step 5
In the Firewall Rules page, choose one of the following options:
•
Click on the Rules parameters row and edit the parameters.
•
Check the check box to select the rule, and then click the Edit button. The selected Rule opens for edit. You cannot edit the name of the policy rule.
Step 6
Click Save to apply the changes in the device.
Deleting the Policy Rule
To delete the existing Policy Rule, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Security subfolder, and then click Policy Rules.
Step 5
In the Firewall Rules page, check the check box to select the rules, and then click the Delete button.
Step 6
Click OK on the warning message to delete the policy rule. The selected policy rule is deleted from the device.
Changing the Firewall Rule Order
The class-default rules always appear at the bottom of the list and their location is fixed. The regular rules cannot be moved beneath the class-default rules.
To change the Policy Rule order, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Security subfolder, and then click Policy Rules.
Step 5
In the Firewall Rules page, to move the rule to a specific row, drag and drop the rule to the new location.
Creating Security Zone
To create the security zone, follow these steps,
Note
The Zone Based Firewall feature is supported on the ASR platform running Cisco IOS XE 3.5 or later, and on the ISR platform running Cisco IOS Release 12.4(24)T or later.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Security subfolder, and then click Zones.
Step 5
Click the Add Zone button to create the security zone.
Step 6
In the security zone page, enter the Zone Name.
Step 7
Select the VRF of the zone.
a.
The VRF you select determines which interfaces can be assigned to the security zone.
b.
If you select the default VRF option, the security zone can be assigned only to interfaces that do not belong to any other VRF.
Step 8
To assign the interfaces to the security zone, click the down arrow icon. The Interface Object Selector dialog box appears.
a.
In the Interface selector dialog box, check the Interface check box to select the interface from the list (can be multiple selection).
b.
Click OK to save the configuration.
c.
Click Cancel to cancel all the changes you have made without sending them to the router.
Step 9
In the Advance options column, click the Configure button. The Advanced Parameters Configuration dialog box appears.
Step 10
In the Advanced Parameters Configuration dialog box, do the following:
a.
Check the Alert check box and click the On radio button to set the alert.
b.
Check the Maximum Detection check box to set the maximum detection.
c.
Check the TCP SYN-Flood Rate per Destination check box to set the TCP flood rate.
d.
Check the Basic Threat Detection Parameters check box and click the On radio button to configure the FW drop threat detection rate, FW inspect threat detection rate, and FW SYN attack threat detection rate.
Step 11
Click:
•
OK to save configuration.
•
Cancel to exit without saving.
Step 12
To edit the existing security zone parameters, select the zone, and click the Configure button on the Advance options column. The Advanced Parameters Configuration dialog box appears.
Step 13
In the Advanced Parameters Configuration dialog box, edit the values and click Save to save the changes. When you rest your cursor on the Advanced Options icon, the configured parameters will be displayed in the quick view window.
Note
By default, the Advanced configurations parameters are disabled.
Step 14
Enter the description for the zone.
Step 15
Click:
•
Save to save the changes.
•
Cancel to exit without saving.
Editing Security Zone
To edit the existing security zone, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Security subfolder, and then click Zones.
Step 5
In the Security Zone page, choose one of the following options:
a.
Click the Zone parameters row and edit the parameters, or
b.
Select the zone, and click the Edit button. The selected Zone entity opens for editing.
Step 6
Click the add icon to assign an interface to the zone or to unassign an existing interface from the zone. You can also change the description of the zone.
Step 7
Click Save to save the configuration.
Deleting the Security Zone
To delete the existing security zone, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Security subfolder, and then click Zones.
Step 5
In the Security Zone page, select the security zone, and then click the Delete button.
Step 6
Click OK on the warning message to delete the security zone. The selected zone is deleted.
Configuring Default-Zone
To configure the default zone, follow these steps.
Note
The Default-Zone feature is supported only on ASR platform.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Security subfolder, and then click Zones.
Step 5
In the Security Zone page, click the Default Zone button to enable or disable the default security zone on the device. When enabled, the default zone contains every interface that is not assigned to any other zone.
Step 6
Click OK to save the configuration.
Managing Default Parameters
To change the Default Parameters Map, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Security subfolder, and then click Default Parameters Map.
Step 5
From the Default Parameters Map page, change the parameters map value.
Note
You can change the default parameters only on ISR devices.
Step 6
Click Save to save the configuration.
Managing Interfaces
A virtual interface is a logical interface that carries generic configuration information, either for a specific purpose or as configuration common to a specific set of users. The zone membership for such an interface is obtained from a RADIUS server, and the dynamically created interface is then made a member of that zone.
Configuring Interfaces
To assign the interfaces to the zone and un-assign the interface from a specific zone, follow these steps.
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Zone Based Firewall folder, expand the Security subfolder, and then click Interfaces.
Step 5
In the Interface page, select the interface you want to change and click the down arrow icon. The Zone dialog box appears.
Step 6
In the Zone dialog box, select the new security zone for the interface. If the selected interface is already assigned to a zone, you will get a warning message.
Step 7
Click Yes on the warning message if you want to change the assignment of that interface.
Step 8
To un-assign the interface from the specific zone, select the interface and delete the zone information.
Step 9
Click:
•
Save to save and apply your changes.
•
Cancel to exit without saving.
Routing
A routing protocol specifies how routers communicate with each other, how they select the path between two nodes of a network over which to carry data, and how they share network information with each other.
Prime Infrastructure supports the following routing protocols:
•
"Static Routing" section
•
"RIP Routing" section
•
"EIGRP Routing" section
•
"OSPF Routing" section
Static Routing
Static routing is the simplest form of routing, where the network administrator manually enters the routes into the routing table of the router. The route does not change until the network administrator changes it. Static routing is normally used when there are very few devices to be configured and the administrator is very sure that the routes do not change. The main drawback of static routing is that a change in the network topology or a failure in the external network cannot be handled as the routes that are configured manually must be updated to fix any lost connectivity.
To create a static route, do the following:
Step 1
Choose Operate > Device Work Center.
Step 2
Select the device from the list or click Add Device to create a new device, then configure the device.
Step 3
After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4
Expand the Routing folder, and then click Static. The Static Routing page appears with options to configure IPv4 and IPv6 static routes.
Step 5
To configure an IPv4 static route, do the following:
a.
From the IPv4 Static Routes page, click Add Row, and then complete the fields.
For Permanent Route, choose:
•
True to specify that the route stays in the routing table even if the next-hop interface shuts down or the next-hop IP address becomes unreachable.
•
False to specify that the route is removed from the routing table when the next-hop interface shuts down or the next-hop IP address becomes unreachable.
b.
Click Save.
c.
Click Save to save the configuration.
Step 6
To configure an IPv6 static route, do the following:
a.
From the IPv6 Static Routes page, click Add Row, and then complete the fields.
Note
Effective from 1.2 release, only Unicast is supported for IPv6 static routes.
b.
Click Save.
c.
Click Save to save the configuration.
RIP Routing
Routing Information Protocol (RIP) is a distance-vector routing protocol that uses the hop count as its routing metric. To prevent routing loops, RIP limits the number of hops allowed in a path from the source to a destination to a maximum of 15; this hop limit also limits the size of the networks that RIP can support. RIP sends its routing table every 30 seconds.
The most popular variants of RIP are RIP version 1 (described in RFC 1058) and RIP version 2 (described in RFC 2453). RIP uses the split horizon, route poisoning, and holddown mechanisms to prevent incorrect routing information from being propagated.
To create a RIP route, do the following:
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add Device to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Routing folder, and then click RIP. The RIP Routing page appears with options to configure IPv4 and IPv6 RIP routes.
Step 5 To configure an IPv4 RIP route, do the following:
a. From the IPv4 RIP Routes page, select the RIP version.
b. Click Add Row, and then complete the fields.
c. Click Save.
d. Click Passive Interface to select the passive interface you want to add.
e. Click Save to save the configuration.
Step 6 To configure an IPv6 RIP route, do the following:
a. From the IPv6 RIP Routes page, click Add Row, and then complete the fields.
b. Click Save.
c. Choose Add/Remove Interfaces to add or remove an interface from your routing domain (AS number).
d. Click Save to save the configuration.
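The hop-count limit and the split horizon and route poisoning mechanisms described at the start of this section, as an added example (this is not Cisco Prime Infrastructure code and not a RIP implementation): a small Python distance-vector simulation over a constructed chain topology, showing that a destination 16 hops away is unreachable and that a failed link is poisoned rather than counted to infinity. The router names, topologies and helper functions are all constructed for the illustration.

```python
# Added example (not Cisco Prime Infrastructure code): a distance-vector simulation
# of the RIP behaviour described above. All topologies below are constructed.
INFINITY = 16  # RIP advertises 16 hops to mean "unreachable"

def advertise(table, neighbour):
    """Split horizon with poisoned reverse: routes learned from `neighbour` go back as 16."""
    return {d: (INFINITY if via == neighbour else h) for d, (h, via) in table.items()}

def learn(table, sender, vec):
    """Bellman-Ford step: cost = advertised hops + 1, capped at INFINITY."""
    changed = False
    for dest, hops in vec.items():
        new = min(hops + 1, INFINITY)
        cur_hops, cur_via = table.get(dest, (INFINITY, None))
        # Follow the current next hop unconditionally (so poisoning propagates);
        # from any other neighbour accept only a strictly better route.
        if (cur_via == sender and new != cur_hops) or new < cur_hops:
            table[dest] = (new, sender)
            changed = True
    return changed

def converge(links, tables=None):
    """Exchange full tables (RIP does so every 30 s) until nothing changes."""
    if tables is None:  # links: adjacency {router: {neighbour, ...}}
        tables = {r: {r: (0, None)} for r in links}  # dest -> (hops, next hop)
    changed = True
    while changed:
        changed = False
        for sender in links:
            for receiver in links[sender]:
                changed |= learn(tables[receiver], sender, advertise(tables[sender], receiver))
    return tables

def link_down(links, tables, a, b):
    """Fail link a-b: each end poisons the routes that used it, then reconverge."""
    links[a].discard(b); links[b].discard(a)
    for here, there in ((a, b), (b, a)):
        for dest, (_, via) in list(tables[here].items()):
            if via == there:
                tables[here][dest] = (INFINITY, there)
    return converge(links, tables)

def hops_to(tables, src, dst):
    """Hop count from src to dst, or INFINITY if unreachable."""
    return tables[src].get(dst, (INFINITY, None))[0]

def chain(n):
    """Constructed topology: routers r0 - r1 - ... - r(n-1) in a line."""
    links = {f"r{i}": set() for i in range(n)}
    for i in range(n - 1):
        links[f"r{i}"].add(f"r{i+1}"); links[f"r{i+1}"].add(f"r{i}")
    return links
```

On chain(17), r0 reaches r15 in 15 hops but never installs a route to r16; after link_down on chain(6) between r2 and r3, the far side is reported as INFINITY on both sides instead of slowly counting up.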
EIGRP Routing
EIGRP is an enhancement of the Interior Gateway Routing Protocol (IGRP). In EIGRP, when an entry in the routing table of any router changes, that router notifies its neighbors only of the change rather than sending the entire routing table. Every router in the network periodically sends a "hello" packet so that all routers on the network know the state of their neighbors. If a "hello" packet is not received from a router for a certain period of time, that router is assumed to be inoperative.
EIGRP uses the Diffusing Update Algorithm (DUAL) to determine the most efficient route to a destination and provides a mechanism for fast convergence. Routers using EIGRP and IGRP can interoperate because the routing metric used with one protocol can be easily translated into the routing metric of the other protocol.
To create an EIGRP route, do the following:
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add Device to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Routing folder, and then click EIGRP. The EIGRP Routing page appears with options to configure IPv4 and IPv6 EIGRP routes.
Step 5 To configure an IPv4 EIGRP route, do the following:
a. From the IPv4 EIGRP Routes page, click Add Row, and then complete the fields.
b. Click Save.
c. Click Add Interface to select the passive interface you want to associate with the Autonomous System (AS) number you created.
d. Click Save to save the configuration.
Step 6 To configure an IPv6 EIGRP route, do the following:
a. From the IPv6 EIGRP Routes page, click Add Row, and then complete the fields.
b. Click Save.
c. Choose Add/Remove Interfaces to add or remove an interface associated with the AS number you created.
d. Click Save to save the configuration.
OSPF Routing
Open Shortest Path First (OSPF) is a standards-based routing protocol that uses the Shortest Path First (SPF) algorithm to determine the best route to its destination. OSPF sends Link State Advertisements (LSAs) to all other routers within the same area. OSPF only sends routing updates for the changes, and does not send the entire routing table.
To create an OSPF route, do the following:
Step 1 Choose Operate > Device Work Center.
Step 2 Select the device from the list or click Add Device to create a new device, then configure the device.
Step 3 After selecting the device, click Configuration. The Feature Configuration panel appears.
Step 4 Expand the Routing folder, and then click OSPF. The OSPF Processes page appears with options to configure IPv4 and IPv6 OSPF processes.
Step 5 To configure an IPv4 OSPF process, do the following:
a. From the IPv4 OSPF Processes page, click Add Row, and then complete the fields.
b. Click Save.
c. Click Passive Interfaces to select the passive interface you want to associate with the process you created.
d. Click Advanced. The Advanced OSPF IPv4 Configuration dialog box appears.
e. Click Networks > Add Row, and then complete the fields.
f. Click Route Summarization > Add Row, and then complete the fields.
g. Click OK.
h. Click Save to save the configuration.
Step 6 To configure an IPv6 OSPF process, do the following:
a. From the IPv6 OSPF Processes page, click Configure.
b. Click Add Row, and then complete the fields.
c. Click Save.
d. Click Advanced. The Route Summarization dialog box appears.
e. Click Add Row, and then complete the fields.
f. Click OK.
g. Click Enable, and then complete the fields.
h. Click Save to save the configuration.
Creating Composite Templates
You create a composite template if you have a collection of existing feature or CLI templates that you want to apply collectively to devices. You specify the order in which the templates contained in the composite template are applied to devices. The composite templates are for CLI templates only, not wireless devices. The equivalent tasks for wireless devices are handled by controller config groups. For more information about controller config groups, see the "Designing Controller Config Groups" section.
If you have multiple similar devices replicated across a branch, you can create and deploy a "master" composite template to all the devices in the branch. This master composite template can also be used later when you create new branches.
Step 1 Choose Design > Templates > Configuration, then click Composite Template.
Step 2 Enter parameters for the composite template.
Step 3 From the Validation Criteria drop-down list, choose the devices to which all of the templates contained in the composite template apply. For example, if in your composite template you have a template that applies to Cisco 7200 Series routers and another that applies to all routers, choose the Cisco 7200 Series routers in the Device Type drop-down menu.
Note
If a device type is grayed out, the template cannot be applied on that device type.
Step 4 Under Template Details, choose the templates to include in the composite template.
Step 5 Using the arrows, put the templates in the composite into the order in which they should be deployed to the devices. For example, to create an ACL and associate it with an interface, put the ACL template first, followed by the interface template.
Step 6 Click Save as New Template.
Step 7 Navigate to the My Templates folder and choose the template you just saved.
Step 8 Click Publish to publish the template so it can be deployed.
Step 9 Click Deploy on the template you published.
Step 10 Specify the deployment options as explained in Creating Wireless Controller Templates.
Step 11 Click OK.
Step 12 Choose Administration > Jobs Dashboard to verify the status of a template deployment.
Testing and Troubleshooting Configuration Templates
The most common reasons that a template might not be deployed are:
• One or more devices are unreachable—Verify that the device credentials are correct; ping the device to verify that it is reachable. (See Getting Device Details Using the 360° View for more information.)
• A device CLI returned an error because the CLI was incorrect—Verify that the CLI commands contained in the template are correct by running the commands on a test device.
After you create a new template, you should deploy it to one device only to verify that it works as designed. After you test that your configuration template is working on a single device, you can deploy it to multiple devices as necessary.