Cisco Wireless Controller 5508 Configuration Step by Step - Part 1 (CLI and GUI Access, Upgrade) - NETSEC


Cybersecurity Memo

Tuesday, July 25, 2017


As the industry’s most deployed controller, the Cisco 5500 Series Wireless Controller provides the highest performance, security, and scalability to support business communications today and in the future.
Cisco 5500 Series Wireless Controller
• Support for up to 500 access points and 7000 clients
• 8-Gbps throughput, eight 1 Gigabit Ethernet ports, with Link Aggregation Group (LAG) support
• Standalone, rack-mountable appliance



Benefits include:
• Seamless, high-quality mobile experience: Efficient roaming capabilities help ensure consistent experience on any smart mobile device with voice and video applications.
• Reliability: Cisco 5500 Series Wireless Controllers provide industry-leading IPv6 roaming with secure access.
• Flexibility to pay as you grow: The Cisco 5500 Series offers software license flexibility to add additional access points as business requirements change.
• Versatility: Supports advanced services for any network use case, campus or branch, including Cisco OfficeExtend solutions for secure mobile teleworking and Cisco Enterprise Wireless Mesh solutions, which allow access points to dynamically establish wireless connections in hard-to-connect locations.


1. Booting Terminal Outputs:

Console output from a cold boot of the 5508 running AireOS 7.4.121.0. Two things in this output matter for security: the boot loader offers a boot menu (Press <ESC>) before the image loads, and the login prompt accepts 'Recover-Config' as a user name to wipe the configuration back to factory defaults. Both are available to anyone holding the console cable, so treat the console port as a privileged interface and keep it physically controlled. Note also "Starting FIPS Features: ok : Not enabled": FIPS mode is off by default.


WLCNG Boot Loader Version 1.0.20 (Built on Jan  9 2014 at 19:02:44 by cisco)
Board Revision 1.3 (SN: FCW2016B091, Type: AIR-CT5508-K9) (G)

Verifying boot loader integrity... OK.

OCTEON CN5645-NSP pass 2.1, Core clock: 600 MHz, DDR clock: 330 MHz (660 Mhz data rate)
FPGA Revision 1.7
Env FW Revision 1.8
USB Console Revision 2.2
CPU Cores:  10
DRAM:  1024 MB
Flash: 32 MB
Clearing DRAM........ done
Network: octeth0', octeth1
  ' - Active interface
  E - Environment MAC address override
CF Bus 0 (IDE): OK 
IDE device 0:
 - Model: SGEFD1GHB9P1D221 Firm: FW981 Ser#: STP194512FP
 - Type: Hard Disk
 - Capacity: 977.4 MB = 0.9 GB (2001888 x 512)


Press <ESC> now to access the Boot Menu...

Loading primary image (7.4.121.0)
100% 

34583665 bytes read
Launching...
init started: BusyBox v1.6.0 (2010-05-13 17:50:10 EDT) multi-call binary
starting pid 840, tty '': '/etc/init.d/rcS'
Set PLX switch MPS settings .............!!!!!!!
Detecting Hardware ...
set smp_affinity for irq 48
003f
DP from CGE5.0 ...
starting pid 1086, tty '/dev/ttyS0': '/usr/bin/gettyOrMwar'
Setting up ZVM
Exporting LD_LIBRARY_PATH

Cryptographic library self-test....passed!
XML config selected
Validating XML configuration
octeon_device_init: found 1 DPs
readCPUConfigData: cardid 0x6070001
Cisco is a trademark of Cisco Systems, Inc.
Software Copyright Cisco Systems, Inc. All rights reserved.

Cisco AireOS Version 7.4.121.0
Firmware Version FPGA 1.7, Env 1.8, USB console 2.2
Initializing OS Services: ok
Initializing Serial Services: ok
Initializing Network Services: ok
Initializing Licensing Services: ok

License daemon start initialization.....

License daemon running.....
Starting Statistics Service: ok
Starting ARP Services: ok
Starting Trap Manager: ok
Starting Network Interface Management Services: ok
Starting System Services: ok
Starting FIPS Features: ok : Not enabled
Starting Fastpath Hardware Acceleration: ok
Starting Fastpath Console redirect : ok
Starting Fastpath DP Heartbeat : ok
Fastpath CPU0.00: Starting Fastpath Application. SDK-1.8.0, build 269. Flags-[DUTY CYCLE] : ok
Fastpath CPU0.00: Initializing last packet received queue. Num of cores(10)
Fastpath CPU0.00: Init MBUF size: 1856, Subsequent MBUF size: 2040
Fastpath CPU0.00: Core 0 Initialization and FIPS self-test: ok
Fastpath CPU0.00: Initializing Timer...
Fastpath CPU0.00: Initializing Timer...done.
Fastpath CPU0.00: Initializing Timer...
Fastpath CPU0.00: Initializing NBAR AGING Timer...done.
Fastpath CPU0.01: Core 1 Initialization and FIPS self-test: ok
Fastpath CPU0.02: Core 2 Initialization and FIPS self-test: ok
Fastpath CPU0.03: Core 3 Initialization and FIPS self-test: ok
Fastpath CPU0.03: Received instruction to get link status
Fastpath CPU0.04: Core 4 Initialization and FIPS self-test: ok
Fastpath CPU0.05: Core 5 Initialization and FIPS self-test: ok
Fastpath CPU0.06: Core 6 Initialization and FIPS self-test: ok
Fastpath CPU0.07: Core 7 Initialization and FIPS self-test: ok
Fastpath CPU0.08: Core 8 Initialization and FIPS self-test: ok
Fastpath CPU0.09: Core 9 Initialization and FIPS self-test: ok
Starting Switching Services: ok
Starting QoS Services: ok
Starting Policy Manager: ok
Starting Data Transport Link Layer: ok
Starting Access Control List Services: ok
Starting System Interfaces: ok
Starting Client Troubleshooting Service: ok
Starting Management Frame Protection: ok
Starting Certificate Database: ok
Starting VPN Services: ok
Starting Licensing Services: ok
Starting Redundancy: ok 
Starting LWAPP: ok
Starting CAPWAP: ok
Starting LOCP: ok 
Starting Security Services: ok
Starting Policy Manager: ok
Starting Authentication Engine: ok
Starting Mobility Management: ok
Starting AVC Services: ok
Starting Virtual AP Services: ok
Starting AireWave Director: ok
Starting Network Time Services: ok
Starting Cisco Discovery Protocol: ok
Starting Broadcast Services: ok
Starting Logging Services: ok
Starting DHCP Server: ok
Starting IDS Signature Manager: ok
Starting RFID Tag Tracking: ok
Starting RF Profiles: ok
Starting Power Supply and Fan Status Monitoring Service: ok
Starting Mesh Services:  ok
Starting TSM: ok
Starting CIDS Services: ok
Starting Ethernet-over-IP: ok
Starting DTLS server:  enabled in CAPWAP
Starting CleanAir: ok
Starting WIPS: ok 
Starting SSHPM LSC PROV LIST: ok 
Starting RRC Services: ok
Starting SXP Services: ok
Starting Alarm Services: ok
Starting FMC HS: ok 
Starting IPv6 Services: ok
Starting Config Sync Manager : ok
Starting Hotspot Services: ok
Starting PMIP Services: ok
Starting Portal Server Services: ok
Starting mDNS Services: ok
Starting Management Services: 
   Web Server:    CLI: ok
   Secure Web: ok
   License Agent: ok

(Cisco Controller) 

Enter User Name (or 'Recover-Config' this one-time only to reset configuration to factory defaults)


User:  admin
Password:**********
(Cisco Controller) >




2. Basic CLI Commands:



(Cisco Controller) >show ?
               
802.11a        Display 802.11a configuration.
802.11b        Display 802.11b configuration.
802.11h        Display 802.11h configuration.
aaa            Displays AAA related information
acl            Display system Access Control Lists.
advanced       Display Advanced configuration and statistics.
ap             Display AP Configuration.
arp            Display ARP cache.
assisted-roaming Display Assisted Roaming and 802.11k configuration.
auth-list      Display AP authorization list.
avc            Display AVC Configuration/Statistics.
band-select    Display Aggressive Load Balancing configuration.
boot           Displays the default boot image.
buffers        Display pmalloc buffer utilization.
cac            Show Call-Admission-Control details
call-control   Display Call-control information
cdp            Display CDP information
certificate    Display SSL Certificate Configuration.
client         Displays active clients.
coredump       Displays Core Dump Summary
country        Display the configured countries.

--More-- or (q)uit
cpu            Display current CPU usage information.
cts            Displays CTS Information 
custom-web     Display Web Authentication customization information.
database       Show local database configuration.
debug          Display enabled debugs.
dhcp           Display the dhcp server configuration.
dtls           Display the DTLS server status.
eventlog       Display event log entries.
exclusionlist  Display exclusion-list.
flexconnect    Display controller flexconnect information.
flow           Display flow Configuration.
guest-lan      Display Guest LAN Configuration.
ike            Display active IKE SAs.
interface      Display system interfaces.
invalid-config Display Invalid Config.
inventory      Display vital product data.
ipsec          Display active IPSEC SAs.
ipv6           Display IPv6 information.
lag            Display Link Aggregation Group (LAG) information.
ldap           Displays LDAP information.
license        Displays License related information.
linktest       Shows the configured frame size and number of frames for linktest.
load-balancing Display Aggressive Load Balancing configuration.

--More-- or (q)uit
local-auth     Display Local EAP Authentication information.
location       Display Location based System information
logging        Display logger parameters and buffer contents.
loginsession   Display login session info.
macfilter      Display MAC filtering configuration.
mdns           Displays mDNS information
media-stream   Display Multicast-direct Configuration State
memory         Display system memory usage statistics.
mesh           Show mesh configuration.
mgmtuser       Display local management user accounts.
mobility       Display Mobility Management Configuration.
msglog         Display message log entries.
netuser        Display local network user accounts.
network        Display configuration for inband connectivity.
nmheartbeat    Displays Network Manager Heart Beat Summary
nmsp           Displays data for NMSP protocol between controller and Location Server.
ntp-keys       Display the system time.
pmipv6         Proxy mobility
pmk-cache      Display information about the PMK cache.
port           Display port mode and settings; display port status.
process        Display CPU and memory usage per process.
qos            Display qos information (queue length)
queue-info     Display system Message Queue Information.

--More-- or (q)uit
radius         Displays RADIUS information.
redundancy     Display redundancy information.
remote-lan     Display remote LAN Configuration.
reset          Display scheduled system reset parameters.
rf-profile     Configures RF Profile parameters.
rfid           Shows the RFID tag tracking information
rogue          Displays Rogue AP and Client information.
route          Display configured route
rules          Display active internal firewall rules.
run-config     Display running configuration.
running-config Display running configuration.
serial         Display EIA-232 parameters and serial port inactivity timeout.
service        Display service information.
sessions       Display cli session configuration information.
snmpcommunity  Display SNMP community entries.
snmpengineID   Display SNMP v3 EngineId.
snmptrap       Display SNMP trap port number and trap receiver entries.
snmpv3user     Display SNMP v3 user entries.
snmpversion    Display SNMP v1/v2/v3c status(enabled or disabled).
stats          Display port and switch statistics.
switchconfig   Display parameters that apply to the switch.
sysinfo        Display system information including system up time.
syslog         Displays the state of system syslog.

--More-- or (q)uit
tacacs         Displays TACACS+ information.
tech-support   Display system resource information.
time           Display the system time.
trapflags      Display the value of trap flags that apply to the switch.
traplog        Display trap records.
udi            Display UDI for the controller
wgb            Displays active work-group bridges (WGB).
wlan           Display WLAN Configuration.
wps            Displays WPS Configuration.
               
(Cisco Controller) >?    
               
clear          Clear selected configuration elements.
config         Configure switch options and settings.
debug          Manages system debug options.
eping          Send Ethernet-over-IP echo packets to a specified mobility peer IP address.
help           Help
license        Manage Software License
linktest       Perform a link test to a specified MAC address.
logout         Exit this session. Any unsaved changes are lost.
mping          Send Mobility echo packets to a specified mobility peer IP address.
ping           Send ICMP echo packets to a specified IP address.
reset          Reset options.
save           Save switch configurations.
show           Display switch options and settings.
test           Test trigger commands
transfer       Transfer a file to or from the switch.
               

(Cisco Controller) >


(Cisco Controller) show> inventory 

Burned-in MAC Address............................ 04:62:70:7B:73:E0
Power Supply 1................................... Present, OK
Power Supply 2................................... Absent
Maximum number of APs supported.................. 12
NAME: "Chassis"    , DESCR: "Cisco 5500 Series Wireless LAN Controller"

PID: AIR-CT5508-K9,  VID: V04,  SN: FCW2016B091


On first boot (or after Recover-Config) the WLC 5508 runs a startup wizard that walks you through the basic configuration; the Cisco 5508 Wireless Controller Installation Guide (reference 1) describes each step in more detail.


3. Configure SP (Service Port)



The service port is used exclusively for out-of-band management. It is the only port that is active while the controller is in boot mode, which makes it useful for troubleshooting. The service port does not support 802.1Q tagging, so the switch port on the other side must be configured as an access port. It supports neither a backup port nor a default gateway, so without further configuration it can only be reached from hosts on its own subnet (there is no route back). To reach it from elsewhere, add static routes under Controller -> Network Routes in the GUI, or with 'config route add <network> <netmask> <gateway>' on the CLI.

*** The service port and the management interface must be on different subnets. The service port is also not auto-sensing, so you must use the correct straight-through or crossover Ethernet cable to communicate with it.




(Cisco Controller) >show interface summary 


 Number of Interfaces.......................... 5

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management                       1    untagged 10.9.0.30       Static  Yes    No
redundancy-management            1    untagged 0.0.0.0         Static  No     No
redundancy-port                  -    untagged 0.0.0.0         Static  No     No
service-port                     N/A  N/A      0.0.0.0         DHCP    No     No
virtual                          N/A  N/A      10.4.1.1        Static  No     No

(Cisco Controller) config>interface ?
               
acl            Configures an interface's Access Control List.
address        Configures an interface's address information.
ap-manager     Disables AP Manager features on a dynamic interface.
create         Adds a new dynamic interface.
delete         Deletes a dynamic interface.
dhcp           Configures DHCP options on an interface.
group          Configures an interface group's information
guest-lan      Configure Guest LAN vlan
hostname       Configures the virtual interface's virtual DNS host name.
mdns-profile   Configures mDNS profile for the interface
nasid          Configures NAS-identifier for the interface.
nat-address    Configures an interface's NAT address information.
port           Assign interface to physical port.
quarantine     Configure quarantine vlan
vlan           Configures an interface's VLAN Identifier.
               
(Cisco Controller) config>interface address ?
               
dynamic-interface Enter interface name.
management     Configures the management interface.
redundancy-management Configures redundancy management interface (required for redundancy).
service-port   Configures the out-of-band service Port.
virtual        Configures the virtual gateway interface.
               
(Cisco Controller) config>interface address management 10.9.9.99 ?
               
<netmask>      Enter the interface's netmask.
               
(Cisco Controller) config>interface address management 10.9.9.99 255.255.255.0

Incorrect input! Use 'config interface address management <addr> <netmask> <gateway>'

(Cisco Controller) config>interface address management 10.9.9.99 255.255.255.0 10.9.9.1

Request failed - Active WLAN using interface. Disable WLAN first.
(Cisco Controller) config>exit            
(Cisco Controller) >config wlan disable

Incorrect input! Use 'config wlan [enable/disable] [<WLAN id> | all]'

(Cisco Controller) >config wlan disable all


(Cisco Controller) >config
(Cisco Controller) config>interface address management 10.9.9.99 255.255.255.0 10.9.9.1

(Cisco Controller) config>
(Cisco Controller) config>interface address service-port 10.9.20.30 255.255.255.0
The DHCP protocol for the service port must be disabled before configuring the IP addr

(Cisco Controller) config>interface dhcp service-port disable 


(Cisco Controller) config>interface address service-port 10.9.20.30 255.255.255.0

(Cisco Controller) config>exit
(Cisco Controller) >save config

Are you sure you want to save? (y/n) y


Configuration Saved!

(Cisco Controller) >
(Cisco Controller) >show interface detailed service-port 

Interface Name................................... service-port
MAC Address...................................... 04:62:73:7b:73:e1
IP Address....................................... 10.9.20.30
IP Netmask....................................... 255.255.255.0
DHCP Protocol.................................... Disabled
AP Manager....................................... No
Guest Interface.................................. No

(Cisco Controller) >
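The console session above is a good illustration of how many ways the re-addressing can fail halfway (missing gateway, enabled WLAN, DHCP still on for the service port). Below is an added example, written for this article and not code from the post, from Cisco or from any WLC tool: a small Python pre-flight that checks the rules the session ran into before anything is typed, and then emits the AireOS commands in the order that worked. The addresses are the post's (10.9.9.99/24 via 10.9.9.1, service port 10.9.20.30/24); the admin_net and sp_next_hop fields, the function names and the 'config route add <network> <netmask> <gateway>' line for off-subnet admins are assumptions made for the example.

```python
"""Pre-flight check and ordered CLI plan for re-addressing a WLC 5508's
management interface and service port over the console.

Added example for this article; not code from the post or from Cisco.
Rules encoded, all taken from the console session in the post:
  * 'config interface address management' needs <addr> <netmask> <gateway>
  * an enabled WLAN makes that command fail ('Disable WLAN first')
  * DHCP on the service port must be disabled before a static address is set
  * service port and management interface must be on different subnets
  * the service port has no default gateway, so admins off its subnet need
    a static route ('config route add <network> <netmask> <gateway>')
admin_net, sp_next_hop and the helper names are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WlcPlan:
    mgmt_ip: str
    mgmt_mask: str
    mgmt_gw: str
    sp_ip: str
    sp_mask: str
    admin_net: str                      # CIDR of the workstation(s) that will use the service port (assumed)
    sp_next_hop: Optional[str] = None   # router on the service-port subnet toward admin_net (assumed)

    def mgmt_subnet(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.mgmt_ip}/{self.mgmt_mask}", strict=False)

    def sp_subnet(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.sp_ip}/{self.sp_mask}", strict=False)


def check_plan(p: WlcPlan) -> List[str]:
    """Return the constraint violations; an empty list means the plan is safe to push."""
    errs: List[str] = []
    mgmt_net, sp_net = p.mgmt_subnet(), p.sp_subnet()
    gw = ipaddress.ip_address(p.mgmt_gw)
    admin = ipaddress.ip_network(p.admin_net, strict=False)

    # The management interface requires a gateway, and it has to be another host on-link.
    if gw not in mgmt_net or gw == ipaddress.ip_address(p.mgmt_ip):
        errs.append(f"management gateway {gw} must be a different host inside {mgmt_net}")
    # Service port and management interface must live on different subnets.
    if mgmt_net.overlaps(sp_net):
        errs.append(f"service-port subnet {sp_net} overlaps management subnet {mgmt_net}")
    # No default gateway on the service port: anyone off-subnet needs a static route.
    if not admin.subnet_of(sp_net) and p.sp_next_hop is None:
        errs.append(f"{admin} is off the service-port subnet {sp_net} and no next hop is given for a static route")
    if p.sp_next_hop is not None and ipaddress.ip_address(p.sp_next_hop) not in sp_net:
        errs.append(f"static-route next hop {p.sp_next_hop} is not on the service-port subnet {sp_net}")
    return errs


def command_plan(p: WlcPlan) -> List[str]:
    """AireOS commands in the order the console session shows they must run."""
    errs = check_plan(p)
    if errs:
        raise ValueError("; ".join(errs))
    cmds = [
        "config wlan disable all",   # an enabled WLAN makes the management change fail
        f"config interface address management {p.mgmt_ip} {p.mgmt_mask} {p.mgmt_gw}",
        "config interface dhcp service-port disable",   # the static address is rejected otherwise
        f"config interface address service-port {p.sp_ip} {p.sp_mask}",
    ]
    admin = ipaddress.ip_network(p.admin_net, strict=False)
    if not admin.subnet_of(p.sp_subnet()):
        # Only a static route lets the service port answer hosts beyond its own subnet.
        cmds.append(f"config route add {admin.network_address} {admin.netmask} {p.sp_next_hop}")
    cmds += [
        "config wlan enable all",    # re-enable before saving, or clients stay down after a reboot
        "save config",
    ]
    return cmds


if __name__ == "__main__":
    plan = WlcPlan("10.9.9.99", "255.255.255.0", "10.9.9.1",
                   "10.9.20.30", "255.255.255.0", "10.9.20.0/24")
    print("\n".join(command_plan(plan)))
```

Two design notes. The plan re-enables with 'config wlan enable all' because the post disabled everything with 'disable all'; on a production controller record 'show wlan summary' first and re-enable only the WLANs that were up, so a deliberately disabled SSID does not come back. The post saved its configuration with the WLANs still disabled, which is why the enable step here comes before 'save config'.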



4. Management Interface and RP (Redundancy Port)

The management interface is the default interface for in-band management of the controller and for connectivity to enterprise services such as AAA servers. It also carries the communication between the controller and its access points, and it is the only in-band interface address on the controller that is consistently "pingable". Two practical consequences of the session above: 'config wlan disable all' takes every SSID down, and changing the management address from an in-band SSH or web session drops that session. Do this work from the console or the service port, in a maintenance window, and re-enable the WLANs before you save.





Once the service port is connected to the same subnet as your laptop (or a static route to your subnet exists), you can reach the WLC's web interface by browsing to the service-port address (https://10.9.20.30 in this example).




The RP port is the Redundancy Port. After both WLCs have been configured with Redundancy Management and Peer Redundancy Management IP addresses and the Redundant Units have been configured, SSO can be enabled. Before enabling SSO, make sure the physical connections are up between both controllers (that is, the two WLCs are connected back to back via the Redundancy Port with an Ethernet cable), that the uplink is also connected to the infrastructure switch, and that the gateway is reachable from both WLCs. Enabling SSO reboots the WLCs. While they boot, the WLCs negotiate the HA role over the Redundancy Port according to the configuration. If the WLCs cannot reach each other via the Redundancy Port or via the Redundancy Management Interface, the WLC configured as Secondary may go into Maintenance Mode.

5. Upgrade 5508 Software (AireOS)

Once the WLC has been upgraded it must be rebooted for the change to take effect, and during that time connectivity to the WLC is lost: LAPs (lightweight APs) registered to the WLC lose their association, so service to wireless clients is interrupted. When you upgrade the controller's software, the software on its associated access points is upgraded automatically as well.
While an access point loads software, each of its LEDs blinks in succession. Up to 10 access points can be upgraded from the controller concurrently. Do not power down the controller or any access point during this process; otherwise you might corrupt the software image.

At the time of writing, the latest Cisco-recommended release for the WLC 5508 was 8.0.133.0 (see the Cisco software download page). I was able to get AIR-CT5500-K9-8-0-121-0.aes from Baidu Cloud; the file is about 165 MB. Whatever the source, compare the file's checksum with the one Cisco publishes on the download page before transferring it to the controller; an image from a third-party file share is only as trustworthy as that check.

Note: the latest suggested version on the Cisco download site is 8.0.140.



CCIEROO.COM's post has more detail on upgrading the 5508 to the latest release. All you need is a TFTP server on your network that is reachable from the WLC's management IP address. Keep in mind that TFTP is neither authenticated nor encrypted, so verify the image before you serve it and keep the TFTP server on the management network for the duration of the upgrade.



Downloading the 8.0.121.0 image from the TFTP server to the WLC takes only a couple of minutes, depending on link speed, but the 5508 then took almost 20 minutes to process the new image.

Once the 5508 has finished processing 8.0.121.0, the Primary Image shown on the Config Boot page changes to 8.0.121.0.
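An added example for the upgrade step, written for this article and not code from the post or from Cisco: a Python pre-flight that verifies the downloaded .aes file against the published digest before it goes anywhere near TFTP, derives the version string the controller should report from the file name, prints the standard AireOS 'transfer download' sequence, and checks 'show boot' output to confirm the primary image changed. Assumptions: SHA-512 as the published digest (use whichever digest the Cisco download page lists for the file), the 'show boot' line layout in the constructed sample, and the TFTP server address used in the demo. The image name AIR-CT5500-K9-8-0-121-0.aes and the version strings are the post's.

```python
"""Upgrade pre-flight for the WLC 5508: verify the downloaded .aes image
against the published hash, work out which version it should boot as,
emit the TFTP transfer commands, and confirm from 'show boot' that the
primary image changed.

Added example for this article; not code from the post or from Cisco.
Assumptions: SHA-512 as the published digest, the 'show boot' line layout
sampled below (constructed, not captured), and the TFTP server address in
__main__. The image name and version strings are the post's.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# AIR-CT5500-K9-8-0-121-0.aes -> model AIR-CT5500-K9, version 8.0.121.0
IMAGE_RE = re.compile(r"^(?P<model>AIR-CT\d+-K9)-(?P<ver>\d+-\d+-\d+-\d+)\.aes$")
# Assumed layout of 'show boot' lines; see the constructed sample below.
BOOT_RE = re.compile(r"^(Primary|Backup) Boot Image\.+\s*(\S+)(.*)$")

SAMPLE_SHOW_BOOT = """\
Primary Boot Image............................... 8.0.121.0 (default) (active)
Backup Boot Image................................ 7.4.121.0
"""  # constructed sample of the post-upgrade state, not captured output


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def verify_image_bytes(data: bytes, expected_hex: str) -> bool:
    """Compare the computed digest with the published one in constant time."""
    return hmac.compare_digest(sha512_hex(data), expected_hex.strip().lower())


def verify_image_file(path: str, expected_hex: str, chunk: int = 1 << 20) -> bool:
    """Same check for a 165 MB image on disk, read in chunks."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return hmac.compare_digest(h.hexdigest(), expected_hex.strip().lower())


def image_version(filename: str) -> Optional[str]:
    """Version string the controller will report for this image, or None."""
    m = IMAGE_RE.match(filename)
    return m.group("ver").replace("-", ".") if m else None


def transfer_commands(server_ip: str, filename: str, path: str = "/") -> List[str]:
    """Standard AireOS 'transfer download' sequence for a code image over TFTP."""
    return [
        "transfer download mode tftp",
        "transfer download datatype code",
        f"transfer download serverip {server_ip}",
        f"transfer download path {path}",
        f"transfer download filename {filename}",
        "transfer download start",
    ]


def parse_show_boot(text: str) -> Dict[str, str]:
    """Primary/backup image versions and which slot is active."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = BOOT_RE.match(line.strip())
        if m:
            slot = m.group(1).lower()
            out[slot] = m.group(2)
            if "(active)" in m.group(3):
                out["active"] = slot
    return out


def upgrade_applied(show_boot_text: str, filename: str) -> bool:
    """True once the primary image equals the version encoded in the file name."""
    target = image_version(filename)
    return target is not None and parse_show_boot(show_boot_text).get("primary") == target


if __name__ == "__main__":
    image = "AIR-CT5500-K9-8-0-121-0.aes"
    print("target version:", image_version(image))
    print("\n".join(transfer_commands("10.9.9.10", image)))   # TFTP server address is assumed
    print("upgrade applied:", upgrade_applied(SAMPLE_SHOW_BOOT, image))
```

Run verify_image_file() on the downloaded .aes with the digest copied from Cisco's download page; only if it returns True should the file be placed on the TFTP server. After the controller reboots, paste the real 'show boot' output into upgrade_applied() instead of the constructed sample; if the line layout differs from the assumption in BOOT_RE, adjust the pattern rather than trusting a False result.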


Note: newer releases (8.0.140 and 8.2.150) can be downloaded from the Cisco software download site.


Reference:
1. Cisco 5508 Wireless Controller Installation Guide
2. Cisco 5508 WLC Setup and Initial Configuration
3. Step by Step guide to build a Cisco wireless infrastructure using Cisco WLC 5500, Cisco 1142 AP and Microsoft Radius server
4. Qianyitang (乾颐堂) "Mingjiao Jiaozhu" Converged Network CCNA, Day 1: Converged Network Overview, part 1 (in Chinese)
5. Wireless LAN Controller (WLC) Software Upgrade

