This section addresses configuration guidelines for the SWAN central switching deployment mode, which is discussed in detail in Chapter 9. In central switching mode, both control and user traffic are aggregated by a central switch equipped with a Wireless LAN Services Module (WLSM), so this mode provides a single point of ingress for WLAN user and control traffic into the wired network.
The WLAN security methods discussed in the section "WLAN Security Methods: Configuration Guidelines and Examples" also apply to the central switching deployment mode. The major change in the central switching deployment mode is that each SSID/VLAN is mapped to an mGRE tunnel terminating on the central switch. WDS services such as fast secure roaming, discussed in the section "SWAN Nonswitching Deployment: Configuration Guidelines and Examples," also apply to the central switching deployment mode.
Refer to Figure 9-2 for a sample SWAN central switching deployment. Example 12-29 illustrates the configuration required for an AP that is part of a central switching deployment (using a Catalyst 6500 equipped with the WLSM as the central switch). Note that three VLANs are configured: two user VLANs (VLAN 2 and VLAN 3) and the native/management VLAN (VLAN 10). Note also that no RADIUS server is specified on the AP, because all authentication messages are relayed to the RADIUS infrastructure via the WDS server (here, the WLSM).
!
interface Dot11Radio0
 ! Configure encryption parameters for user VLANs 2 and 3
 encryption vlan 2 mode ciphers tkip
 encryption vlan 3 mode wep mandatory mic key-hash
 !
 ! Map SSID "Enterprise22" to network-id 22 (locally mapped to VLAN 2)
 ssid Enterprise22
    vlan 2
    authentication open eap eap-methods
    mobility network-id 22
 ! Map SSID "Enterprise33" to network-id 33 (locally mapped to VLAN 3)
 ssid Enterprise33
    vlan 3
    authentication open eap eap-methods
    authentication network-eap eap-methods
    authentication key-management cckm
    mobility network-id 33
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
! VLAN 10 is the native (untagged) management VLAN, so it is bridged to BVI1
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
!
interface FastEthernet0
 no ip address
 . . .
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.10.10.15 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.1
. . .
!
! Configure SNMP parameters to enable management by WLSE
snmp-server community snmpro RO
snmp-server community snmprw RW
snmp-server enable traps tty
bridge 1 route ip
!
! Specify WLCCP infrastructure authentication credentials
wlccp ap username cisco1 password 7 13061E010803
! Specify central switch WDS IP address
wlccp ap wds ip address 10.99.99.10
! Enable mGRE tunneling to the central switch
wlccp ap mobility
!
The supervisor configuration that enables central switching deployment mode on the Catalyst 6500 switch is provided in Example 12-30. As shown in the example, each mGRE tunnel interface is mapped to a network ID on the supervisor, and a loopback interface is defined as the source of each mGRE tunnel interface. The loopback and mGRE tunnel interface addresses must be routable from the APs. The AP uses the loopback address as the destination IP address of its mGRE tunnel, whereas the mGRE tunnel interface address is the default gateway for the WLAN clients. Note that a tunnel is in "untrusted" mode by default; for an untrusted tunnel, DHCP snooping must be enabled on the tunnel interface (and globally on the switch), as shown in the example. Along with the trusted/untrusted setting and DHCP snooping, several existing security features of the Catalyst 6500 platform equipped with the Supervisor 720 module apply to the mGRE interfaces defined on the supervisor. These include L2-L4 access control lists (ACLs), router ACLs (RACLs), VLAN ACLs (VACLs), TCP Intercept (a feature used to prevent TCP SYN flooding attacks), and Route Processor (RP) rate limiters (a feature used to mitigate denial-of-service [DoS] attacks such as ICMP ping flooding). Finally, you must define the VLAN over which the supervisor communicates with the WLAN services module.
!
hostname sup720
!
. . .
!
! Define the VLAN on which WLAN communication to the supervisor is enabled
wlan module 3 allowed-vlan 99
! Enable ip dhcp snooping globally on the switch
! Note that dhcp snooping is required for the "untrusted" tunnels
ip dhcp snooping
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
. . .
!
vlan 99
 name to-WLSM
!
. . .
! Define Loopback22 as the source for Tunnel22
interface Loopback22
 description tunnel_source for network-ID_22
 ip address 10.10.100.22 255.255.255.0
! Define Loopback33 as the source for Tunnel33
interface Loopback33
 description tunnel source for network-ID 33
 ip address 10.10.101.33 255.255.255.0
!
! Define mGRE Tunnel22 mapping to network-ID 22
interface Tunnel22
 description to Enterprise22 SSID
 ip address 10.22.22.1 255.255.255.0
 ip helper-address 10.20.20.4
 no ip redirects
 ip dhcp snooping packets
 tunnel source Loopback22
 tunnel mode gre multipoint
 mobility network-id 22
!
! Define mGRE Tunnel33 mapping to network-ID 33
interface Tunnel33
 description to_Enterprise33 SSID
 ip address 10.33.33.1 255.255.255.0
 ip helper-address 10.20.20.4
 no ip redirects
 ip dhcp snooping packets
 tunnel source Loopback33
 tunnel mode gre multipoint
 mobility network-id 33
!
. . .
! Define interface for VLAN 99 on the Supervisor
interface Vlan99
 description to_WLSM
 ip address 10.99.99.1 255.255.255.0
. . .
! Configure routing to advertise the 10.0.0.0/8 subnets
router eigrp 100
 network 10.0.0.0
 no auto-summary
!
Example 12-31 illustrates the configuration required on the WLAN services module of the Catalyst 6500 switch. As illustrated in the example, a VLAN for communication with the supervisor must be defined (and must match the VLAN allowed to the module on the supervisor). Along with this, you must specify the RADIUS server parameters used for WLCCP infrastructure authentication and for EAP/802.1X client authentication. Finally, you must specify the SNMP community strings used to communicate with the WLSE.
aaa new-model
!
aaa authentication login wlccp-infra group radius
aaa session-id common
. . .
!
wlan vlan 99
 ipaddr 10.99.99.10 255.255.255.0
 gateway 10.99.99.1
 admin
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.99.99.1
. . .
! Configure SNMP parameters to be managed by WLSE
snmp-server community snmprw RW
snmp-server community snmpro RO
snmp-server enable traps tty
! Define radius server parameters
radius-server host 10.1.1.11 auth-port 1812 acct-port 1813
radius-server key cisco123cisco
radius-server authorization permit missing Service-Type
!
! Enable infrastructure and client EAP/802.1x authentication
wlccp authentication-server infrastructure wlccp-infra
wlccp authentication-server client any wlccp-infra
! Define WLSE information
wlccp wnm ip address 10.1.1.100
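The three configurations in Examples 12-29 through 12-31 only work together when several values line up across devices: the network-id under each SSID must have a matching mGRE tunnel on the supervisor, each tunnel must be sourced from a loopback that exists, untrusted tunnels must carry DHCP snooping, the WDS address on the AP must be the WLSM's address on the wlan VLAN, and the supervisor must allow that VLAN to the module's slot. The following script is an added example (not from the book and not Cisco software) that audits those relationships. The sample AP, supervisor and WLSM snippets it contains are constructed for illustration and modelled on the examples above; the parser, the audit() function and its finding strings are assumptions of this example, not a Cisco tool.

```python
"""Cross-device consistency checks for a SWAN central-switching configuration.

Added example (not from the book, not Cisco software). A small indentation-
based parser reads AP, supervisor and WLSM snippets; audit() then checks the
relationships this section depends on.
"""
import re

# Constructed sample snippets modelled on Examples 12-29 to 12-31, trimmed to
# the commands the checks read. Addresses and names are illustrative.
AP_OK = """\
interface Dot11Radio0
 ssid Enterprise22
    mobility network-id 22
 ssid Enterprise33
    mobility network-id 33
wlccp ap wds ip address 10.99.99.10
"""
SUP_OK = """\
wlan module 3 allowed-vlan 99
ip dhcp snooping
interface Loopback22
interface Loopback33
interface Tunnel22
 ip dhcp snooping packets
 tunnel source Loopback22
 tunnel mode gre multipoint
 mobility network-id 22
interface Tunnel33
 ip dhcp snooping packets
 tunnel source Loopback33
 tunnel mode gre multipoint
 mobility network-id 33
"""
WLSM_OK = """\
wlan vlan 99
 ipaddr 10.99.99.10 255.255.255.0
 gateway 10.99.99.1
 admin
"""
# Deliberately broken variants: an SSID mapped to a network-id that has no
# tunnel, and a tunnel left untrusted (the default) with no DHCP snooping.
AP_BAD = AP_OK.replace("mobility network-id 33", "mobility network-id 44")
SUP_BAD = SUP_OK.replace(" ip dhcp snooping packets\n tunnel source Loopback33",
                         " tunnel source Loopback33")

BLOCK_START = re.compile(r"^(interface \S+|ssid \S+|wlan vlan \d+)$")

def parse(text):
    """Group commands under the nearest interface/ssid/wlan-vlan header;
    unindented non-header lines go under the 'global' key."""
    blocks, ctx = {"global": []}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if BLOCK_START.match(line):
            ctx = line
            blocks.setdefault(ctx, [])
        elif not raw.startswith(" "):
            ctx = "global"
            blocks["global"].append(line)
        else:
            blocks[ctx].append(line)
    return blocks

def find(cmds, pattern):
    """First regex match of pattern against a block's commands, else None."""
    return next((m for m in map(lambda c: re.match(pattern, c), cmds) if m), None)

def audit(ap_text, sup_text, wlsm_text):
    """Return a list of findings; an empty list means the three configs agree."""
    ap, sup, wlsm = parse(ap_text), parse(sup_text), parse(wlsm_text)
    findings = []
    tunnels = {h: c for h, c in sup.items() if h.startswith("interface Tunnel")}
    tunnel_ids = {m.group(1) for m in (find(c, r"mobility network-id (\d+)")
                                       for c in tunnels.values()) if m}
    # 1. Every SSID network-id on the AP needs a supervisor tunnel with that id.
    for hdr, cmds in ap.items():
        if hdr.startswith("ssid "):
            m = find(cmds, r"mobility network-id (\d+)")
            if m is None:
                findings.append(f"{hdr}: no mobility network-id, so it is not tunnelled")
            elif m.group(1) not in tunnel_ids:
                findings.append(f"{hdr}: network-id {m.group(1)} has no mGRE tunnel on the supervisor")
    # 2. Each tunnel: multipoint GRE, sourced from a defined loopback, and
    #    (untrusted by default) covered by DHCP snooping on it and globally.
    dhcp_global = "ip dhcp snooping" in sup["global"]
    for hdr, cmds in tunnels.items():
        if "tunnel mode gre multipoint" not in cmds:
            findings.append(f"{hdr}: not in multipoint GRE mode")
        src = find(cmds, r"tunnel source (\S+)")
        if src is None or f"interface {src.group(1)}" not in sup:
            findings.append(f"{hdr}: tunnel source missing or undefined")
        if not dhcp_global or "ip dhcp snooping packets" not in cmds:
            findings.append(f"{hdr}: untrusted tunnel without DHCP snooping")
    # 3. The AP's WDS address must be the WLSM's wlan VLAN address, and the
    #    supervisor must allow that VLAN to the WLSM slot.
    wds = find(ap["global"], r"wlccp ap wds ip address (\S+)")
    vlan_hdr = next((h for h in wlsm if h.startswith("wlan vlan ")), None)
    wlsm_ip = find(wlsm.get(vlan_hdr, []), r"ipaddr (\S+)")
    if not (wds and wlsm_ip and wds.group(1) == wlsm_ip.group(1)):
        findings.append("AP WDS address does not match the WLSM wlan VLAN address")
    allowed = find(sup["global"], r"wlan module \d+ allowed-vlan (\d+)")
    if not (vlan_hdr and allowed and allowed.group(1) == vlan_hdr.split()[2]):
        findings.append("supervisor allowed-vlan and WLSM wlan vlan differ")
    return findings
```

Run audit() on the output of show running-config from the three devices; parse() skips comment lines and only needs the interface, ssid and wlan vlan headers it reads. With the good sample set it returns an empty list; with the broken set it reports the orphaned network-id 44 and the unsnooped Tunnel33, which is the case the text warns about for untrusted tunnels.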