For SFTP, the default value is Click Upload to upload the CA certificate from the controller. A message appears indicating the status of the upload. Log on to the controller CLI. Specify the type of the file to be uploaded by entering this command:.
Specify the transfer mode used to upload the file by entering this command:. Specify the directory path of the file by entering this command:. Specify the name of the file to be uploaded by entering this command:. View the updated settings by entering the transfer upload start command. Answer y when prompted to confirm the current settings and start the upload process.
Reboot the controller by entering the reset system command. Controllers and access points have a Certificate Authority CA certificate that is used to sign and validate device certificates. The controller is shipped with a Cisco-installed CA certificate. However, if you want to use your own vendor-specific CA certificate, it must be downloaded to the controller. Copy the CA certificate to the default directory on your server.
Click Download to download the CA certificate to the controller. In the File Path field, enter the directory path of the certificate.
In the File Name field, enter the name of the certificate. If prompted to save your changes, click Save. This section describes how to generate a Certificate Signing Request CSR to get a third-party certificate and how to download a chained certificate to the controller. You can generate a CSR using either of the following methods:. After you issue the command, you are prompted to enter information such as country name, state, city, and so on.
After you submit the CSR to a third party CA, the third party CA digitally signs the certificate and sends back the signed certificate chain through e-mail. In case of chained certificates, you receive the entire chain of certificates from the CA. If you only have one intermediate certificate similar to the example above, you will receive the following three certificates from the CA:. Once you have all the three certificates, copy and paste into another file the contents of each.
Combine the All-certs. In Release 8. If you generate the CSR and do not install the resulting certificate, the controller will be inaccessible over HTTPS upon the next reboot because the controller looks for the newly generated CSR key after the reboot. You must copy and paste the CSR printed on the terminal to a file on your computer. The generated key stays in the controller until the next CSR is generated the previously generated CSR is overwritten.
If you have to change the controller hardware later on RMA , it is not possible to reinstall the same certificate; instead, you must generate the certificate newly on the new controller.
Copy the device certificate final. In the Certificate Password text box, enter the password to protect the certificate. Click Apply. Click OK in order to confirm your decision to reboot the controller.
Move the final. Change the download settings by entering the following commands:. Enter the password for the. Start the certificate and key download by entering the this command:. Skip to content Skip to search Skip to footer.
Book Contents Book Contents. Find Matches in This Book. PDF - Complete Book Updated: November 18, Chapter: Managing Certificates. The VLAN trunking characteristics of the port are not configurable. The service port is controlled by the service-port interface and is reserved for out-of-band management of the controller and system recovery and maintenance in the event of a network failure.
It is also the only port that is active when the controller is in boot mode. The service port is not capable of carrying Use of the service port is optional. An interface is a logical entity on the controller. These five types of interfaces are available on the controller. Four of these are static and are configured at setup time:.
Each interface is mapped to at least one primary port, and some interfaces management and dynamic can be mapped to an optional secondary or backup port. If the primary port for an interface fails, the interface automatically moves to the backup port.
In addition, multiple interfaces can be mapped to a single controller port. Otherwise, the management interface cannot fail over to the port that the AP-manager is on.
Note Cisco Series Controllers do not support fragmented pings on any interface. The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. It is also used for communications between the controller and access points. For CAPWAP, the controller requires one management interface to control all inter-controller communications and one AP-manager interface to control all controller-to-access point communications, regardless of the number of ports.
Figure Interfaces Page. This page shows the current controller interface settings. Step 2 Click management link. Step 3 Set the management interface parameters:. Doing so causes the data traffic of any client that is assigned to this VLAN to pass through the controller. NAT allows a device, such as a router, to act as an agent between the Internet public and a local network private.
Note The NAT parameters are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address. The NAT parameters do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address. The workaround is to either ensure that the management interface has a globally valid IP address or ensure that external NAT IP address is valid internally for the local APs.
We recommend using tagged VLANs for the management interface. If desired, you can disable the management interface as an AP-manager interface and create another dynamic interface as an AP manager. Step 4 Click Save Configuration to save your changes. Step 5 If you made any changes to the management or virtual interface, reboot the controller so that your changes take effect.
Step 1 Enter the show interface detailed management command to view the current management interface settings. Step 2 Enter the config wlan disable wlan-number command to disable each WLAN that uses the management interface for distribution system communication.
Step 3 Enter these commands to define the management interface:. For Cisco Series Controllers, the management interface acts like an AP-manager interface by default. Step 4 Enter these commands if you want to be able to deploy your Cisco Series Controller behind a router or other gateway device that is using one-to-one mapping network address translation NAT :. Note These commands are supported for use only with one-to-one-mapping NAT, where each private client has a direct and fixed mapping to a global address.
These commands do not support one-to-many NAT, which uses source port mapping to enable a group of clients to be represented by a single IP address. Step 5 Enter the save config command to save your changes. Step 6 Enter the show interface detailed management command to verify that your changes have been saved. Step 7 If you made any changes to the management interface, enter the reset system command to reboot the controller in order for the changes to take effect.
A controller has one or more AP-manager interfaces, which are used for all Layer 3 communications between the controller and lightweight access points after the access points have joined the controller.
However, we recommend that both interfaces be on the same subnet for optimum access point association. Step 1 Enter the show interface summary command to view the current interfaces. Note If the system is operating in Layer 2 mode, the AP-manager interface is not listed. Step 2 Enter the show interface detailed ap-manager command to view the current AP-manager interface settings.
Step 3 Enter the config wlan disable wlan-number command to disable each WLAN that uses the AP-manager interface for distribution system communication. Step 4 Enter these commands to define the AP-manager interface:. Step 6 Enter the show interface detailed ap-manager command to verify that your changes have been saved.
It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3 web authorization is enabled.
Specifically, a virtual interface plays these two primary roles:. Step 2 Click Virtual. Note To ensure connectivity and web authentication, the DNS server should always point to the virtual interface. Step 1 Enter the show interface detailed virtual command to view the current virtual interface settings. Step 2 Enter the config wlan disable wlan-number command to disable each WLAN that uses the virtual interface for distribution system communication.
Step 3 Enter these commands to define the virtual interface:. Note For ip-address , enter any fictitious, unassigned, and unused gateway IP address.
Step 4 Enter the reset system command. The controller reboots. Step 5 Enter the show interface detailed virtual command to verify that your changes have been saved.
A service-port interface controls communications through and is statically mapped by the system to the service port. The service port can obtain an IP address using DHCP, or it can be assigned a static IP address, but a default gateway cannot be assigned to the service-port interface.
Static routes can be defined through the controller for remote network access to the service port. Step 3 Enter the Service-Port Interface parameters:. Note The service-port interface uses the factory-set service-port MAC address of the controller. Step 1 Enter the show interface detailed service-port command to view the current service-port interface settings. Step 2 Enter these commands to define the service-port interface:. Step 3 The service port is used for out-of-band management of the controller.
If the management workstation is in a remote subnet, you may need to add a route on the controller in order to manage the controller from that remote workstation. To do so, enter this command:. Step 4 Enter the save config command to save your changes.
Step 5 Enter the show interface detailed service-port command to verify that your changes have been saved. A controller can support up to dynamic interfaces VLANs. You can assign dynamic interfaces to distribution system ports, WLANs, the Layer 2 management interface, and the Layer 3 AP-manager interface, and you can map the dynamic interface to a backup port. You can configure zero, one, or multiple dynamic interfaces on a distribution system port. However, all dynamic interfaces must be on a different VLAN or IP subnet from all other interfaces configured on the port.
If the port is untagged, all dynamic interfaces must be on a different IP subnet from any other interface configured on the port. Step 4 Click Apply to commit your changes. The XML validation may succeed but the configuration download infrastructure will immediately reject the configuration with no validation errors.
An invalid configuration can be verified by using the show invalid-config command. The show invalid-config command reports the configuration that is rejected by the controller either as part of download process or by XML validation infrastructure. The transfer cannot be performed over one of the wireless clients of the Cisco WLC.
If you try to use a wireless client of the Cisco WLC, you are prompted with a system message saying that the server is not reachable. The default value for the port parameter is Information similar to the following appears:. If the upload fails, repeat this procedure and try again. The key that you enter here should match the one entered during the upload process. If you are using a TFTP server, the default values of 10 retries and 6 seconds for the Maximum Retries and Timeout text boxes should work correctly without any adjustment.
However, you can change these values. The controller does not support incremental configuration downloads. The configuration file contains all mandatory commands all interface address commands, mgmtuser with read-write permission commands, and interface port or LAG enable or disable commands required to successfully complete the download.
Only the commands present in the configuration file are applied to the controller, and any configuration in the controller prior to the download is removed. The default values of 10 retries and a 6-second timeout should work correctly without any adjustment.
To do so, enter the maximum number of times that the TFTP server attempts to download the software for the retries parameter and the amount of time in seconds that the TFTP server attempts to download the software for the timeout parameter. If the download fails, repeat this procedure and try again. The text file cannot be larger than characters and cannot have more than 16 lines of text. The login banner supports only printable characters. If you are downloading through the service port, the TFTP or FTP server must be on the same subnet as the service port because the service port is not routable, or you must create static routes on the controller.
If you are downloading through the distribution system network port, the TFTP or FTP server can be on the same or a different subnet because the distribution system port is routable.
Clearing the controller configuration does not remove the login banner. The controller can have only one login banner file. If you download another login banner file to the controller, the first login banner file is overwritten.
To clear the login banner from the controller using the controller CLI, enter the clear login-banner command. If you are uploading through the service port, the TFTP or FTP server must be on the same subnet as the service port because the service port is not routable, or you must create static routes on the controller.
If you are uploading through the distribution system network port, the TFTP or FTP server can be on the same or a different subnet because the distribution system port is routable. Skip to content Skip to search Skip to footer. Book Contents Book Contents. Find Matches in This Book.
PDF - Complete Book Updated: April 29, Chapter: Managing Configuration. Start your Internet browser. Enter the controller IP address in the browser address line and press Enter. An Enter Network Password dialog box appears. Enter your username in the User Name text box. The default username is admin. This section explains several common errors, along with typical causes and corrective actions you can take to complete the WLC software upgrade:.
Skip to content Skip to search Skip to footer. Available Languages. Download Options. Updated: October 21, Contents Introduction. Prerequisites Requirements In addition to basic networking knowledge and familiarity with the basic configuration and installation of Cisco Wireless LAN Controllers, ensure that you read the Guidelines and Recomendations present in the release notes.
You can reduce the network downtime using the following options: You can predownload the AP image. Components Used The information in this document is based on these software and hardware versions: An FTP server with the upgrade files stored.
A Cisco WLC that runs 8. Follow these steps: Upload your controller configuration files to a server to back up the configuration files. The software releases are labeled as described here to help you determine which release to download. Click a controller software release number: Early Deployment ED —These software releases provide new features and new hardware platform support as well as bug fixes.
Maintenance Deployment MD —These software releases provide bug fixes and ongoing software maintenance. Deferred DF —These software releases have been deferred. We recommend that you migrate to an upgraded release. Click Download. Save the file to your hard drive. Optional Disable the controller Note: For busy networks, controllers on high utilization, and small controller platforms, we recommend that you disable the From the File Type drop-down list, choose Code.
If you choose HTTP you will be prompted for the location of the file. Proceed to step 13 if you choose HTTP. If you are using a TFTP server, the default value of 10 retries for the Maximum Retries field, and 6 seconds for the Timeout field should work correctly without any adjustment. However, you can change these values, if required. To do so, enter the maximum number of times the TFTP server attempts to download the software in the Maximum Retries field and the amount of time in seconds for which the TFTP server attempts to download the software, in the Timeout field.
In the File Path field, enter the directory path of the software. The default value is Click Download to download the software to the controller. A message indicating the status of the download is displayed.
After the download is complete, click Reboot. If you are prompted to save your changes, click Save and Reboot. Click OK to confirm your decision to reboot the controller. If you have disabled the
0コメント