Probe Cycle Count

Enter a value from 1 to 10 for the probe cycle count. The cycle count sets the number of suppression cycles for a new client. The default cycle count is 2.

Scan Cycle Period Threshold

Enter a value from 1 to 1000 milliseconds for the scan cycle period threshold. This setting determines the time threshold during which new probe requests from a client come from a new scanning cycle. The default cycle threshold is 200 milliseconds.

Age Out Suppression

Enter a value from 10 to 200 seconds for the age-out suppression. Age-out suppression sets the expiration time for pruning previously known 802.11b/g clients. The default value is 20 seconds. After this time elapses, clients become new and are subject to probe response suppression.

Age Out Dual Band

Enter a value from 10 to 300 seconds for the age-out dual band. The age-out period sets the expiration time for pruning previously known dual-band clients. The default value is 60 seconds. After this time elapses, clients become new and are subject to probe response suppression.

Acceptable Client RSSI

Enter a value between –20 and –90 dBm for the acceptable client Received Signal Strength Indicator (RSSI). This field sets the minimum RSSI for a client to respond to a probe. The default value is –80 dBm.

Client Window Size

Enter a value from 1 to 20. The page size becomes part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations:

load-balancing page + client associations on AP with lightest load = load-balancing threshold

Max Denial Count

Enter a value from 0 to 10. The denial count sets the maximum number of association denials during load balancing.

Media Stream Name

Enter the name of the media stream.

Multicast Destination Start IP

Enter the start IP address of the media stream to be multicast.

Multicast Destination End IP

Enter the end IP address of the media stream to be multicast. Start IP and End IP can be IPv4 or IPv6 multicast address, starting from controller Version 7.2.x.

Maximum Expected Bandwidth

Enter the maximum bandwidth that a media stream can use.

Average Packet Size

Enter the average packet size that a media stream can use.

RRC Periodical Update

Enter the Resource Reservation Control (RRC) calculations that are updated periodically; if disabled, RRC calculations are done only once when a client joins a media stream.

RRC Priority

Enter the priority of RRC with the highest at 1 and the lowest at 8.

Traffic Profile Violation

Choose the Traffic Profile Violation from the drop-down list. The drop-down list appears if the stream is dropped or put in the best effort queue if the stream violates the QoS video profile.

Policy

Choose the Policy from the drop-down list. The drop-down list appears if the media stream is admitted or denied.

Number Id

Enter a value to identify the preferred number. You can have a maximum of six preferred call numbers. The valid range is from 1 to 6. The default value is 1.

Preferred Number

Enter the preferred call number.

Template Name

Enter the name of the template.

Profile Name

Enter the name of the current profile.

Description

Enter the Description of the template.

Radio Type

Choose the radio type of the access point from the drop-down list.

Minimum Power Level Assignment (-10 to 30 dBm)

Enter a value from -10 to 30dBm for the minimum power level assignment. The default value is -10 dBM.

Maximum Power Level Assignment (-10 to 30 dBm)

Enter a value from -10 to 30dBm for the maximum power level assignment. The default value is 30 dBM.

Power Threshold v1(-80 to -50 dBm)

Enter a value from -80 to -50dBm for the power threshold v1. The default value is -70 dBM.

Power Threshold v2(-80 to -50 dBm)

Enter a value from -80 to -50dBm for the power threshold v2.The default value is -67 dBM.

Data Rates

Select the data rates from the drop-down lists to specify the rates at which data can be transmitted between the access point and the client. These data rates are available:

• 802.11a—6, 9, 12, 18, 24, 36, 48, and 54 Mbps.

• 802.11b/g—1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps.

For each data rate, you must also choose one of these options:

• Mandatory—Clients must support this data rate to associate to an access point on the controller.

• Supported—Any associated clients that support this data rate might communicate with the access point using that rate. However, the clients are not required to be able to use this rate to associate.

• Disabled—The clients specify the data rates used for communication.

Assignment Mode

From the drop-down list, choose one of three modes:

• Automatic—The transmit power is periodically updated for all access points that permit this operation.

• On Demand—Transmit power is updated when you click Assign Now.

• Disabled—No dynamic transmit power assignments occur, and values are set to their global default.

Avoid Foreign AP Interference

Select the enable check box to have RRM consider interference from foreign Cisco access points (those non-Cisco access points outside RF/mobility domain) when assigning channels. Unselect this check box to have RRM ignore this interference. In certain circumstances with significant interference energy (dB) and load (utilization) from foreign access points, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the foreign access points. This adjustment increases capacity and reduces variability for the Cisco WLAN Solution.

Avoid Cisco AP Load

Select the enable check box to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points. Unselect this check box to have RRM ignore this value. In certain circumstances and with denser deployments, there might not be enough channels to properly create perfect channel reuse. In these circumstances, RRM can assign better reuse patterns to those access points that carry more traffic load.

Avoid non 802.11 Noise

Select the enable check box to have access points avoid channels that have interference from nonaccess point sources, such as microwave ovens or Bluetooth devices. Unselect this check box to have RRM ignore this interference. In certain circumstances with significant interference energy (dB) from non-802.11 noise sources, RRM might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources. This adjustment increases capacity and reduces variability for the Cisco WLAN Solution.

Signal Strength Contribution

Always enabled (not configurable). Signal Strength Contribution constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel reuse. The net effect is an increase in Cisco WLAN Solution capacity and a reduction in co-channel and adjacent channel interference.

Event Driven RRM

Select the enable check box to disable spectrum event-driven RRM. By default, Event Driven RRM is enabled. Event Driven RRM is used when a CleanAir-enabled access point detects a significant level of interference.

Sensitivity Threshold

If Event Driven RRM is enabled, this field displays the threshold level at which event-driven RRM is triggered. It can have a value of either Low, Medium, or High. When the interference for the access point rises above the threshold level, RRM initiates a local Dynamic Channel Assignment (DCA) run and changes the channel of the affected access point radio if possible to improve network performance. Low represents a decreased sensitivity to changes in the environment while High represents an increased sensitivity.

Neighbor Packet Frequency

Enter the interval at which you want strength measurements taken for each access point. The default is 300 seconds.

Channel Scan Duration

Enter the interval at which you want noise and interference measurements taken for each access point. The default is 300 seconds.

Load Measurement Interval

Enter the interval at which you want load measurements taken for each access point. The default is 300 seconds.

Coverage Measurement Interval

Enter the interval at which you want coverage measurements taken for each access point. The default is 300 seconds.

TPC Version

Choose TPCv1 or TPCv2 from the drop-down list.

Dynamic Assignment

From the Dynamic Assignment drop-down list, choose one of three modes:

• Automatic—The transmit power is periodically updated for all access points that permit this operation.

• On Demand—Transmit power is updated when you click Assign Now.

• Disabled—No dynamic transmit power assignments occur, and values are set to their global default.

Maximum Power Assignment

Indicates the maximum power assigned. Range: -10 to 30 dB. Default: 30 dB.

Minimum Power Assignment

Indicates the minimum power assigned. Range: -10 to 30 dB. Default: 30 dB.

Dynamic Tx Power Control

Click the check box if you want to enable Dynamic Transmission Power Control.

Transmitted Power Threshold

Enter a transmitted power threshold from -50 to -80.

Control Interval

Shows the transmitted power control interval in seconds (read-only).

Min Failed Clients

Enter the minimum number of failed clients currently associated with the controller.

Coverage Level

Enter the target range of coverage threshold (dB).

Signal Strength

When the Coverage Level field is adjusted, the value of the Signal Strength (dBm) automatically reflects this change. The Signal Strength field provides information regarding what the signal strength is when adjusting the coverage level.

Data RSSI

Enter the Data RSSI (–60 to –90 dBm). This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) for data required for the client to associate to an access point.

Voice RSSI

Enter the Voice RSSI (–60 to –90 dBM). This number indicates the value for the minimum Received Signal Strength Indicator (RSSI) required for voice for the client to associate to an access point.

Max. Clients

Enter the maximum number of clients able to be associated with the controller.

RF Utilization

Enter the percentage of threshold for this radio type.

Interference Threshold

Enter an interference threshold from 0 to 100 percent.

Noise Threshold

Enter a noise threshold from -127 to 0 dBm. When the controller is outside of this threshold, it sends an alarm to Prime Infrastructure.

Coverage Exception Level Per AP

Enter the coverage exception level percentage. When the coverage drops by this percentage from the configured coverage for the minimum number of clients, a coverage hole is generated.

Power Constraint

Select the Power Constraint check box if you want the access point to stop transmission on the current channel.

Channel Announcement

Select the Channel Announcement check box to enable channel announcement. Channel announcement is a method in which the access point announces when it is switching to a new channel and the new channel number.

Report Interferers

Select the Report interferers check box to enable the CleanAir system to report and detect sources of interference, or unselect it to prevent the controller from reporting interferers. The default value is unselected.

Interferers Ignored/Selected for Reporting

Make sure that any sources of interference that need to be detected and reported by the CleanAir system appear in the Interferences to Detect box and any that do not need to be detected appear in the Interferers to Ignore box. Use the > and < buttons to move interference sources between these two boxes. By default, all interference sources are ignored.

Persistent Device Propagation

Select the Persistent Device Propagation check box to enable propagation of information about persistent devices that can be detected by CleanAir. Persistent device propagation enables designating information about interference types and propagating this information to the neighboring access points. Persistent interferers are present at the location and interfere with the WLAN operations even if they are not detectable at all times.

Air Quality Alarm

Select the Air Quality Alarm check box to enable the triggering of air quality alarms, or unselect the box to disable this feature.

Air Quality Alarm Threshold

If you selected the Air Quality Alarm check box, enter a value from 1 to 100 in the Air Quality Alarm Threshold field to specify the threshold at which you want the air quality alarm to be triggered. When the air quality falls below the threshold level, the alarm is triggered. A value of 1 represents the worst air quality, and 100 represents the best. The default value is 1.

Air Quality Unclassified Category Alarm

Select the Air Quality Unclassified Category Alarm check box to enable the alarms to be generated for unclassified interference category. CleanAir can detect and monitor unclassified interferences. Unclassified interference are interference that are detected but do not correspond to any of the known interference types.

Air Quality Unclassified Category Severity Threshold

If you selected the Air Quality Unclassified Category Alarm check box, enter a value from 1 to 99 in the Air Quality Unclassified Category Severity Threshold text box to specify the threshold at which you want the unclassified category alarm to be triggered. The default is 20.

Interferers For Security Alarm

Select the Interferers For Security Alarm check box to trigger interferer alarms when the controller detects specified device types, or unselect it to disable this feature. The default value is unselected.

Interferers Ignored/Selected for Security Alarms

Make sure that any sources of interference that need to trigger interferer alarms appear under Interferers Selected for Security Alarms and any that do not need to trigger interferer alarms appear in the Interferers Ignored for Security Alarms. Use the > and < buttons to move interference sources between these two boxes. By default, all interferer sources for security alarms are ignored.

EDCA Profile

Choose one of the following options from the EDCA Profile drop-down list:

• WMM—Enables the Wi-Fi Multimedia (WMM) default parameters. This is the default value. Choose this option when voice or video services are not deployed on your network.

• Spectralink Voice Priority—Enables Spectralink voice priority parameters. Choose this option if Spectralink phones are deployed on your network to improve the quality of calls.

• Voice Optimized—Enables EDCA voice-optimized profile parameters. Choose this option when voice services other than Spectralink are deployed on your network.

• Voice & Video Optimized—Enables EDCA voice- and video-optimized profile parameters. Choose this option when both voice and video services are deployed on your network.

Low Latency MAC

Enable low latency MAC only if all clients on the network are WMM compliant.

802.11n Network Status Enabled

Select the 802.11n Network Status Enabled check box to enable high throughput.

Selected MCS Indexes

Choose which level of data rate you want supported. Modulation coding schemes (MCS) are similar to 802.11a data rate. The defaults are 20 MHz and short guarded interval. When you select the Supported check box next to a numbered Data Rate, the chosen numbers appear in the Selected MCS Indexes field at the bottom of the column.

Maximum Media Bandwidth (0 to 85%)

Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

Admission Control (ACM)

Select the check box to enable admission control.

Maximum Bandwidth Allowed

Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

Reserved Roaming Bandwidth

Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled.

CAC Method

If Admission Control (ACM) is enabled, specify the CAC method as either load-based or static. Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.

Unicast Video Redirect

Select the Unicast Video Redirect check box to enable all nonmedia stream packets in video queue are redirected to the best effort queue. If disabled, all packets with video marking are kept in video queue.

Client Minimum Phy Rate

Specify the physical data rate required for the client to join a media stream from the Client Minimum Phy Rate drop-down list.

Multicast Direct Enable

Select the Multicast Direct Enable check box to set the Media Direct for any WLAN with Media Direct enabled on a WLAN on this radio.

Maximum Number of Streams per Radio

Specify the maximum number of streams per Radio to be allowed.

Maximum Number of Streams per Client

Specify the maximum number of streams per Client to be allowed.

Best Effort QOS Admission

Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used. If this is disabled and maximum video bandwidth has been used, then any new client request is rejected.

Admission Control (ACM)

Select the check box to enable admission control. For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, call admission control (CAC) is required. CAC on an access point allows it to maintain controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.

CAC Method

If Admission Control (ACM) is enabled, specify the CAC method as either load-based or static. Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.

Maximum Bandwidth Allowed

Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

Reserved Roaming Bandwidth

Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled.

Expedited Bandwidth

Select the check box to enable expedited bandwidth as an extension of CAC for emergency calls. You must have an expedited bandwidth IE that is CCXv5 compliant so that a TSPEC request is given higher priority.

SIP CAC

Select the check box to enable SIP CAC. SIP CAC should be used only for phones that support status code 17 and do not support TSPEC-based admission control.

SIP Codec

Specify the codec name you want to use on this radio. The available options are G.711, G.729, and User Defined.

SIP Call Bandwidth

Specify the bandwidth in kilobits per second that you want to assign per SIP call on the network. This field can be configured only when the SIP Codec selected is User Defined.

SIP Sample Interval

Specify the sample interval in milliseconds that the codec must operate in.

Metric Collection

Select the check box to enable metric collection. Traffic stream metrics are a series of statistics about VoIP over your wireless LAN that inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.

802.11a Network Status

Select the check box to enable 802.11a/n network status.

Client Link

Use this drop-down list to enable Clientlink on all access point 802.11a/n radios that support ClientLink. Otherwise, choose Disable.

Beacon Period

Enter the amount of time between beacons in milliseconds. The valid range is from 20 to 1000 milliseconds.

DTIM Period

Enter the number of beacon intervals that might elapse between transmission of beacon frames containing a traffic indicator message (TIM) element whose delivery count text box is 0. This value is transmitted in the DTIM period field of beacon frames. When client devices receive a beacon that contains a DTIM, they normally wake up to check for pending packets. Longer intervals between DTIMS let clients sleep longer and preserve power. Conversely, shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.

Fragmentation Threshold

Determine the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference.

802.11e Max Bandwidth

Enter the percentage for 802.11e maximum bandwidth.

Mode

Select the check box to enable Cisco Compatible Extension (CCX) Location Measurement. When enabled, this enhances the location accuracy of clients.

Interval

Enter the interval at which CCX Location Measurement signals are broadcast, in seconds. The CCX location measurement interval of the Cisco Compatible Extension can only be changed when measurement mode is enabled.

Data Rate Dropdowns

Select the negotiation type for each data rate. The client and controller negotiate data rates between them. If the data rate is set to Mandatory, the client must support it to use the network. If a data rate is set as Supported by the controller, any associated client that also supports that same rate might communicate with the access point using that rate. However, it is not required that a client uses all the rates marked supported to associate. For each rate, a drop-down list of Mandatory or Supported is available. Each data rate can also be set to Disable to match client settings.

Channel List

From this drop-down list in the Noise/Interference/Rogue Monitoring Channels section, choose either all channels, country channels, or DCA channels based on the level of monitoring you want. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation amongst a set of managed devices connected to the controller.

Mode

Use the Mode drop-down list to choose one of the configurable modes: Default values or Custom values. If you select Default, the roaming parameters are unavailable for editing and have the default values displayed in the text boxes. Select Custom to edit the roaming parameters.

Minimum RSSI

Enter a value for the minimum Received Signal Strength Indicator (RSSI) required for the client to associate to an access point. If the average received signal power of the client dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached. Range: -80 to -90 dBm. Default: -85 dBm.

Roaming Hysteresis

Enter a value to indicate how strong the signal strength of a neighboring access point must be for the client to roam to it. This field is intended to reduce the amount of ping-ponging between access points if the client is physically located on or near the border between two access points. Range: 2 to 4 dB. Default: 2 dB.

Adaptive Scan Threshold

Enter the RSSI value from the associated access point of the client, below which the client must be able to roam to a neighboring access point within the specified transition time. This field also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold. Range: -70 to -77 dB. Default: -72 dB.

Transition Time

Enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam, whenever the RSSI from the associated access point of the client is below the scan threshold. Range: 1 to 10 seconds. Default: 5 seconds.

EDCA Profile

Profiles include Wi-Fi Multimedia (WMM), Spectralink Voice Priority (SVP), Voice Optimized, and Voice & Video Optimized. WMM is the default EDCA profile.

Low Latency MAC

Enable this option only if DSCP marking is correct for media (RTP) and signaling packets.

802.11n Network Status

Select the check box to enable high throughput.

MCS (Data Rate) Settings

Choose which level of data rate you want supported. MCS is modulation coding schemes that are similar to 802.11a data rate. The values 20 MHz and short guarded interval are used as defaults. When you select the Supported check box, the chosen numbers appear in the Selected MCS Indexes page.

General

Maximum Media Bandwidth (0 to 85%)

Specify the percentage maximum of bandwidth allowed. This option is only available when CAC is enabled.

Video

Admission Control (ACM)

Select the check box to enable admission control.

Maximum Bandwidth

Specify the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

Reserved Roaming Bandwidth

Specify the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled.

Unicast Video Redirect

Select the Unicast Video Redirect check box to enable all nonmedia stream packets in the video queue to be redirected to the best effort queue. If disabled, all packets with video marking are kept in video queue.

Client Minimum Phy Rate

Choose the physical data rate required for the client to join a media stream from the Client Minimum Phy Rate drop-down list.

Multicast Direct Enable

Select the Multicast Direct Enable check box to set the Media Direct for any WLAN with Media Direct enabled on a WLAN on this radio.

Maximum Number of Streams per Radio

Specify the maximum number of streams per radio to be allowed.

Maximum Number of Streams per Client

Specify the maximum number of streams per client to be allowed.

Best Effort QOS Admission

Select the Best Effort QOS Admission check box to redirect new client requests to the best effort queue. This happens only if all the video bandwidth has been used. If disabled and maximum video bandwidth has been used, then any new client request is rejected.

Voice

Admission Control (ACM)

Select the check box to enable admission control. For end users to experience acceptable audio quality during a VoIP phone call, packets must be delivered from one endpoint to another with low latency and low packet loss. To maintain QoS under differing network loads, Call Admission Control (CAC) is required. CAC on an access maintains a controlled QoS when the network is experiencing congestion and keep the maximum allowed number of calls to an acceptable quantity.

CAC Method

If Admission Control (ACM) is enabled, specify the CAC method as either load-based or static. Load-based CAC incorporates a measurement scheme that takes into account the bandwidth consumed by all traffic types from itself, from co-channel access points, and by co-located channel interference. Load-based CAC also covers the additional bandwidth consumption resulting from PHY and channel impairment.

Maximum Bandwidth Allowed

Enter the percentage of maximum bandwidth allowed. This option is only available when CAC is enabled.

Reserved Roaming Bandwidth

Enter the percentage of reserved roaming bandwidth. This option is only available when CAC is enabled.

Expedited Bandwidth

Select the check box to enable expedited bandwidth as an extension of CAC for emergency calls. You must have an expedited bandwidth IE that is CCXv5 compliant so that a TSPEC request is given higher priority.

SIP CAC

Select the check box to enable SIP CAC. SIP CAC should be used only for phones that support status code 17 and do not support TSPEC-based admission control.

SIP Codec

Choose the codec name you want to use on this radio from the SIP Codec drop-down list. The available options are G.711, G.729, and User Defined.

SIP Call Bandwidth

Enter the bandwidth in kilobits per second that you want to assign per SIP call on the network. This field can be configured only when the SIP Codec selected is User Defined.

SIP Sample Interval

Enter the sample interval in milliseconds that the codec must operate in.

Max Number of Calls per Radio

Enter the maximum number of calls per radio.

Metric Collection

Select the check box to enable metric collection. Traffic stream metrics are a series of statistics about VoIP over your wireless LAN that inform you of the QoS of the wireless LAN. For the access point to collect measurement values, traffic stream metrics must be enabled. When this is enabled, the controller begins collecting statistical data every 90 seconds for the 802.11b/g interfaces from all associated access points. If you are using VoIP or video, this feature should be enabled.

Policy Name

Enter the name of the security policy in force.

Beam Forming

Choose Enable or Disable from the drop-down list. Beam forming refers to a general signal processing technique used to control the directionality of the reception or transmission of a signal.

Transmitted Power Threshold

Enter the transmitted power threshold. The valid range is from -50 to -80.

Beacon Period

The rate at which the SSID is broadcast by the access point (the amount of time between beacons). The valid range is from 100 to 600 milliseconds.

DTIM Period

The number of beacon intervals that might elapse between transmission of beacon frames containing a traffic indicator message (TIM) element whose delivery count field is 0. This value is transmitted in the DTIM period field of beacon frames. When client devices receive a beacon that contains a DTIM, they normally “wake up” to check for pending packets. Longer intervals between DTIMs let clients sleep longer and preserve power. Conversely, shorter DTIM periods reduce the delay in receiving packets but use more battery power because clients wake up more often.

The DTIM period is not applicable in controller Version 5.0.0.0 and later.

Fragmentation Threshold

Determine the size at which packets are fragmented (sent as several pieces instead of as one block). Use a low setting in areas where communication is poor or where there is a great deal of radio interference. The default value is 2346.

802.11e Max Bandwidth

Percentage for 802.11e max bandwidth. The default value is 100.

Dynamic Assignment

From the Dynamic Assignment drop-down list, choose any one of the following dynamic transmit power assignment modes:

• Automatic—The transmit power is periodically updated for all access points that permit this operation.

• On Demand—Transmit power is updated when you click Assign Now.

• Disabled—No dynamic transmit power assignments occur and values are set to their global default.

The default is Automatic. The power levels and available channels are defined by the country code setting and are regulated on a country by country basis.

Dynamic Tx Power Control

Select this check box to enable DTPC support. If this option is enabled, the transmit power level of the radio is advertised in the beacons and the probe responses.

Assignment Mode

From the Assignment Mode drop-down list, choose any one of the following dynamic channel assignment modes:

• Automatic—The channel assignment is periodically updated for all access points that permit this operation.

• On Demand—Channel assignments are updated when desired.

• Disabled—No dynamic channel assignments occur and values are set to their global default.

The default is Automatic.

Avoid Foreign AP Interference

Enable this Radio Resource Management (RRM) foreign 802.11 interference-monitoring field to have Radio Resource Management consider interference from foreign (non-Cisco access points outside the RF/mobility domain) access points when assigning channels to Cisco access points. Disable this field to have Radio Resource Management ignore this interference.

In certain circumstances with significant interference energy (dB) and load (utilization) from Foreign access points, Radio Resource Management might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in Cisco access points close to the Foreign access points to increase capacity and reduce variability for the Cisco WLAN Solution.

Avoid Cisco AP Load

Enable this Radio Resource Management (RRM) bandwidth-sensing field to have controllers consider the traffic bandwidth used by each access point when assigning channels to access points. Disable this field to have Radio Resource Management ignore this value.

In certain circumstances and with denser deployments, there might not be enough channels to properly create perfect channel reuse. In these circumstances, Radio Resource Management can assign better reuse patterns to those APs that carry more traffic load.

Avoid non 802.11 Noise

Enable this Radio Resource Management (RRM) noise-monitoring field to have access points avoid channels that have interference from non-Access Point sources, such as microwave ovens or Bluetooth devices. Disable this field to have Radio Resource Management ignore this interference.

In certain circumstances with significant interference energy (dB) from non-802.11 noise sources, Radio Resource Management might adjust the channel assignment to avoid these channels (and sometimes adjacent channels) in access points close to the noise sources to increase capacity and reduce variability for the Cisco WLAN Solution.

Signal Strength Contribution

This check box is always enabled (not configurable). Radio Resource Management (RRM) constantly monitors the relative location of all access points within the RF/mobility domain to ensure near-optimal channel reuse. The net effect is an increase in Cisco WLAN Solution capacity and a reduction in co-channel and adjacent channel interference.

Data Rates

The data rates set are negotiated between the client and the controller. If the data rate is set to Mandatory, the client must support it to use the network. If a data rate is set as Supported by the controller, any associated client that also supports that same rate might communicate with the access point using that rate. But it is not required that a client be able to use all the rates marked Supported to associate 6, 9, 12, 18, 24, 36, 48, and 54 Mbps.

For each rate, a drop-down list selection of Mandatory or Supported is available. Each data rate can also be set to Disabled to match client settings.

Channel List

Choose between all channels, country channels, or DCA channels based on the level of monitoring you want. Dynamic Channel Allocation (DCA) automatically selects a reasonably good channel allocation among a set of managed devices connected to the controller.

Mode

Enable or disable the broadcast radio measurement request. When enabled, this parameter enhances the location accuracy of clients.

Interval

Interval in seconds between measurement requests.

The Cisco Compatible Extension location measurement interval can be changed only when measurement mode is enabled.

Mode

Choose Default Values or Custom Values from the drop-down list. If you select Default Values, the roaming parameters are unavailable and the default values are displayed.

Minimum RSSI

Enter a value for the minimum Received Signal Strength Indicator (RSSI) required for the client to associate to an access point. If the client average received signal power dips below this threshold, reliable communication is usually impossible. Therefore, clients must already have found and roamed to another access point with a stronger signal before the minimum RSSI value is reached. Range: -80 to -90 dBm. Default: -85 dBm.

Roaming Hysteresis

Enter a value to indicate how strong the signal strength of a neighboring access point must be in order for the client to roam to it. This field is intended to reduce the amount of ping ponging between access points if the client is physically located on or near the border between two access points. Range: 2 to 4 dB. Default: 2 dB.

Adaptive Scan Threshold

Enter the RSSI value, from a client associated access point, below which the client must be able to roam to a neighboring access point within the specified transition time. This field also provides a power-save method to minimize the time that the client spends in active or passive scanning. For example, the client can scan slowly when the RSSI is above the threshold and scan more rapidly when below the threshold. Range: -70 to -77 dB. Default: -72 dB.

Transition Time

Enter the maximum time allowed for the client to detect a suitable neighboring access point to roam to and to complete the roam whenever the RSSI from the client associated access point is below the scan threshold. Range: 1 to 10 seconds. Default: 5 seconds.

Down Lifetime Interval

This field enables the down lifetime. If you have selected this check box, specify the value in the Down Lifetime Interval text box. This down lifetime interval indicates the maximum time, in seconds, an entry learned from a down interface is kept in the binding table before the entry is deleted or proof is received that the entry is reachable. The range is 0 to 86400 seconds, and the default value is 0.

Reachable Lifetime Interval

This field enables the reachable lifetime. If you have selected this check box, specify the value in the Reachable Lifetime Interval text box. The reachable lifetime interval indicates the maximum time, in seconds, an entry is considered reachable without getting a proof of reachability (direct reachability through tracking, or indirect reachability through Neighbor Discovery protocol [NDP] inspection). After that, the entry is moved to stale.The range is 0 to 86400 seconds, and the default value is 0.

Stale Lifetime Interval

This field enables the stale lifetime. If you have selected this check box, specify the value in the Stale Lifetime Interval text box. The stale lifetime interval indicates the maximum time, in seconds, a stale entry is kept in the binding table before the entry is deleted or proof is received that the entry is reachable. The range is 0 to 86400 seconds, and the default value is 0.

RA Throttle Policy

Enables the RA throttle policy.

Throttle Period

Duration of the throttle period in seconds. The range is 10 to 86400 seconds.

Max Through

<<not present>>

The number of RA that passes through over a period in seconds.

Interval Option

<<not present>>

Indicates the behavior in case of RA with an interval option.

Allow At-least

<<not present>>

Indicates the minimum number of RA not throttled per router.

Allow At-most

<<not present>>

Indicates the maximum number of RA not throttled per router.

Beacon Interval

Enter the BLE transmission interval in hertz (Hz).

Beacon Id

Fixed Beacon Ids. For CUWN devices, the fixed Beacon Id index are from 1 to 5 and for CUWN-IOS and UA devices, the Beacon Id index are from 0 to 4.

UUid

A unique identifier defined by the Beacon administrator.

Tx Power (dBM)

A calibrated indicator of the RSSI of the transmitted measured at a 1m distance.

Beacon Status

Beacon status: Enable or Disable

RFID Tag Data Collection

Select the check box to enable tag collection. Before the mobility services engine can collect asset tag data from controllers, you must enable the detection of active RFID tags using the config rfid status enable command on the controllers.

Calibrating Client

Select the check box to enable calibration for the client. Controllers send regular S36 or S60 requests (depending on the client capability) by way of the access point to calibrating clients. Packets are transmitted on all channels. All access points irrespective of channel (and without a channel change) gather RSSI data from the client at each location. These additional transmissions and channel changes might degrade contemporaneous voice or video traffic. To use all radios (802.11a/b/g/n) available, you must enable multiband in the Advanced tab.

Normal Client

Select the check box to have a noncalibrating client. No S36 requests are transmitted to the client. S36 and S60 are client drivers compatible with specific Cisco Compatible Extensions. S36 is compatible with CCXv2 or later. S60 is compatible with CCXv4 or later. For details, see Cisco Context Aware and Location FAQ.

Tags, Clients and Rogue APs/Clients

Specify how many seconds should elapse before notification of the found tag, client, rogue AP, or rogue client.

For Clients

Enter the number of seconds after which RSSI measurements for clients should be discarded.

For Calibrating Clients

Enter the number of seconds after which RSSI measurements for calibrating clients should be discarded.

For Tags

Enter the number of seconds after which RSSI measurements for tags should be discarded.

For Rogue APs

Enter the number of seconds after which RSSI measurement for rogue access points should be discarded.

RFID Tag Data Timeout

Enter a value in seconds to set the RFID tag data timeout.

Calibrating Client Multiband

Select the check box to send S36 and S60 packets (where applicable) on all channels. Calibrating clients must be enabled on the General tab.

User Name

Enter a template username.

Password

Enter a password for this local management user template.

Confirm Password

Reenter the password.

Access Level

Use the Access Level drop-down list to choose either Read Only or Read Write.

Update Telnet Credentials

Select the Update Telnet Credentials check box to update the user credentials in Prime Infrastructure for Telnet/SSH access.

Session Timeout

Enter the number of minutes a Telnet session is allowed to remain inactive before being logged off. A zero means there is no timeout. The valid range is 0 to 160, and the default is 5.

Maximum Sessions

Enter the number of simultaneous Telnet sessions allowed. The valid range is 0 to 5, and the default is 5. New Telnet sessions can be allowed or disallowed on the DS (network) port. New Telnet sessions are always allowed on the service port.

Allow New Telnet Session

Select Yes to allow new Telnet sessions on the DS port or select No to disallow them. New Telnet sessions can be allowed or disallowed on the DS (network) port. New Telnet sessions are always allowed on the service port. The default is Yes.

Allow New SSH Session

Select Yes to allow Secure Shell Telnet sessions or select No to disallow them. The default is Yes.

Select All Traps

Select this check box to enable all of the traps on this page.

SNMP Authentication

The SNMPv2 entity has received a protocol message that is not properly authenticated. When a user who is configured in SNMP V3 mode tries to access the controller with an incorrect password, the authentication fails and a failure message is displayed. However, no trap logs are generated for the authentication failure.

Link (Port) Up/Down

Select the Link (Port) Up/Down check box to change the state to up or down.

Multiple Users

Select the Multiple Users check box to allow two users to log in with the same login ID.

Spanning Tree

Select the Spanning Tree check box to enable spanning tree traps. See the STP specification for descriptions of individual parameters.

Rogue AP

Select the Rogue AP check box to send a trap with the MAC address whenever a rogue access point is detected or when a rogue access point was detected earlier and no longer exists.

Controller Config Save

Select the Controller Config Save check box to send a notification when the configuration is modified.

802.11 Association

Select the 802.11 Association check box to send a trap when a client is associated to a WLAN. This trap does not guarantee that the client is authenticated.

802.11 Disassociation

Select the 802.11 Disassociation check box to send the disassociate notification when the client sends a disassociation frame.

802.11 Deauthentication

Select the 802.11 Deauthentication check box to send the deauthenticate notification when the client sends a deauthentication frame.

802.11 Failed Authentication

Select the 802.11 Failed Authentication check box to send the authenticate failure notification when the client sends an authentication frame with a status code other than successful.

802.11 Failed Association

Select the 802.11 Failed Association check box to send the associate failure notification when the client sends an association frame with a status code other than successful.

Excluded

Select the Excluded check box to send the associate failure notification when a client is excluded.

AP Register

Select the AP Register check box to send a notification when a access point associates or disassociates with the controller.

AP Interface Up/Down

Select the AP Interface Up/Down check box to send a notification when a access point interface (802.11a/n or 802.11b/g/n) status goes up or down.

Load Profile

Select the Load Profile check box to send a notification when the load profile state changes between PASS and FAIL.

Noise Profile

Select the Noise Profile check box to send a notification when the noise profile state changes between PASS and FAIL.

Interference Profile

Select the Interference Profile check box to send a notification when the interference profile state changes between PASS and FAIL.

Coverage Profile

Select the Coverage Profile check box to send a notification when the coverage profile state changes between PASS and FAIL.

Channel Update

Select the Channel Update check box to send a notification when the dynamic channel algorithm of an access point is updated.

Tx Power Update

Select the Tx Power Update check box to send a notification when the dynamic transmit power algorithm of an access point is updated.

User Auth Failure

Select the User Auth Failure check box to send a trap to inform you that a client RADIUS authentication failure has occurred.

RADIUS Server No Response

Select the RADIUS Server No Response check box to send a trap to indicate that no RADIUS server(s) are responding to authentication requests sent by the RADIUS client.

ESP Authentication Failure

Select the check box to send a IPsec packets with invalid hashes were found in an inbound ESP SA.

ESP Replay Failure

Select the ESP Authentication Failure check box to send a notification when IPsec packets with invalid sequence numbers were found in an inbound ESP SA.

Invalid SPI

Select the Invalid SPI check box to send a notification when a packet with an unknown SPI is detected from the specified peer with the specified SPI using the specified protocol.

IKE Negotiation Failure

Select the check box IKE Negotiation Failure to send a notification when an attempt to negotiate a phase 1 IKE SA fails. The notification counts are also sent as part of the trap, along with the current value of the total negotiation error counters.

IKE Suite Failure

Select the IKE Suite Failure check box to send a notification when a attempt to negotiate a phase 2 SA suite for the specified selector fails. The current total failure counts are passed as well as the notification type counts for the notify involved in the failure.

Invalid Cookie

Select the Invalid Cookie check box to send a notification when ISAKMP packets with invalid cookies are detected from the specified source, intended for the specified destination. The initiator and responder cookies are also sent with the trap.

WEP Decrypt Error

Select the WEP Decrypt Error check box to send a notification when the controller detects a WEP decrypting error.

Signature Attack

Select the Signature Attack check box to enable the 802.11 security trap.

IP Address

Enter the IP address of the server.

Admin Status

Select this check box to enable the administrator status if you want SNMP traps to be sent to the receiver.

Domain Name

The name of the domain.

Maximum Bindings Allowed

Maximum number of binding updates that the controller can send to the MAG. The valid range is from 0 to 40000.

Binding Lifetime

Lifetime of the binding entries in the controller. The valid range is from 10 to 65535 seconds. The default value is 65535. The binding lifetime should be a multiple of 4 seconds.

Binding Refresh Time

Refresh time of the binding entries in the controller. The valid range is from 4 to 65535 seconds. The default value is 300 seconds. The binding refresh time should be a multiple of 4 seconds.

Binding Initial Retry Timeout

Initial timeout between the proxy binding updates (PBUs) when the controller does not receive the proxy binding acknowledgments (PBAs). The valid range is from 100 to 65535 seconds. The default value is 1000 seconds.

Binding Maximum Retry Timeout

Maximum timeout between the proxy binding updates (PBUs) when the controller does not receive the proxy binding acknowledgments (PBAs). The valid range is from 100 to 65535 seconds. The default value is 32000 seconds.

Replay Protection Timestamp

Maximum amount of time difference between the timestamp in the received proxy binding acknowledgment and the current time of the day. The valid range is from 1 to 255 milliseconds. The default value is 7 milliseconds.

Minimum BRI Retransmit Timeout

Minimum amount of time that the controller waits before retransmitting the BRI message. The valid range is from 500 to 65535 seconds.

Maximum BRI Retransmit Timeout

Maximum amount of time that the controller waits before retransmitting the Binding Revocation Indication (BRI) message. The valid range is from 500 to 65535 seconds. The default value is 2000 seconds.

BRI Retries

Maximum number of times that the controller retransmits the BRI message before receiving the Binding Revocation Acknowledgment (BRA) message. The valid range is from 1 to 10. The default value is 1.

LMA Name

Name of the LMA connected to the controller.

LMA IP Address

IP address of the LMA connected to the controller.

PMIP Profile

Enter the profile name, then click Add.

Network Access Identifier

Name of the Network Access Identifier (NAI) associated with the profile.

LMA Name

Name of the LMA with which the profile is to be associated.

Access Point Node

Name of the access point node connected to the controller.

Server Address

Enter the IP address of the server.

Port Number

Port number of the controller to which the access point is connected.

Bind Type

Choose Authenticated or Anonymous. If you choose Authenticated, you must enter a bind username and password as well. A bind is a socket opening that performs a lookup. Anonymous bind requests are rejected.

Server User Base DN

Enter the distinguished name of the subtree in the LDAP server that contains a list of all the users.

Server User Attribute

Enter the attribute that contains the username in the LDAP server.

Server User Type

Enter the ObjectType attribute that identifies the user.

Retransmit Timeout

Enter the number of seconds between retransmissions. The valid range is from 2 to 30 seconds, and the default value is 2 seconds.

Admin Status

Select the Enable check box if you want the LDAP server to have administrative privileges.

Server Address

Enter the server address.

Port Number

Enter the port address.

Shared Secret Format

Choose either ASCII or Hex.

Shared SecretConfirm Shared Secret

Enter and confirm the RADIUS shared secret used by the server you specified.

Admin Status

Select the Enable check box if you want to establish administrative privileges for the server.

Network User

Select if you want to enable the network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.

Retransmit Timeout

Specify the time in seconds after which the RADIUS authentication request times out and a retransmission by the controller occurs. You can specify a value from 2 to 30 seconds.

IPsec Enable

Select the Enable check box to enable IP security.

Server Address

Enter the server address.

Port Number

Enter the port address.

Shared Secret Format

Choose either ASCII or hex.

Shared Secret

Enter the RADIUS shared secret used by your specified server.

Confirm Shared Secret

Reenter the RADIUS shared secret used by your specified server.

Key WRAP

Select the check box if you want to enable key wrap. If this check box is enabled, the authentication request is sent to RADIUS servers that have following key encryption key (KEK) and message authenticator code keys (MACK) configured. When enabled, the following fields appear:

• Shared Secret Format: Enter ASCII or hexadecimal.

• KEK Shared Secret: Enter the KEK shared secret.

• MACK Shared Secret: Enter the MACK shared secret.

Admin Status

Select if you want to enable administration privileges.

Support for RFC 3576

Select if you want to enable support for RFC 3576. RFC 3576 is an extension to the Remote Authentication Dial In User Service (RADIUS) protocol. It allows dynamic changes to a user session and includes support for disconnecting users and changing authorizations applicable to a user session. With these authorizations, support is provided for Disconnect and Change-of-Authorization (CoA) messages. Disconnect messages immediately terminate a user session, whereas CoA messages modify session authorization attributes such as data filters.

Network User

Select if you want to enable network user authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the network user.

Management User

Select if you want to enable management authentication. If this option is enabled, this entry is considered as the RADIUS authenticating server for the management user.

Retransmit Timeout

Specify the time in seconds after which the RADIUS authentication request times out and a retransmission is attempted by the controller. You can specify a value from 2 to 30 seconds.

IPsec

If you click to enable the IP security mechanism, additional IP security fields are added to the page.

IPsec Authentication

Choose which IP security authentication protocol to use. The options are HMAC-SHA1, HMAC-MD5, and None.

Message Authentication Codes (MAC) are used between two parties that share a secret key to validate information transmitted between them. HMAC (Hash MAC) is a mechanism based on cryptographic hash functions and can be used in combination with any iterated cryptographic hash function. HMAC-MD5 and HMAC-SHA1 are two constructs of the HMAC using the MD5 hash function and the SHA1 hash function. HMAC also uses a secret key for calculation and verification of the message authentication values

IPsec Encryption

Select the IP security encryption mechanism to use:

• DES—Data Encryption Standard is a method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.

• Triple DES—Data Encryption Standard that applies three keys in succession.

• AES 128 CBC—Advanced Encryption Standard uses keys with a length of 128, 192, or 256 bits to encrypt blocks with a length of 128, 192, or 256 bits. AES 128 CBC uses a 128-bit data path in Cipher Clock Chaining (CBC) mode.

• None—No IP security encryption mechanism.

IKE Authentication

The Internet Key Exchange (IKE) authentication is not an editable text box. Internet Key Exchange protocol (IKE) is used as a method of distributing the session keys (encryption and authentication), as well as providing a way for the VPN endpoints to agree on how data should be protected. IKE keeps track of connections by assigning a bundle of security associations (SAs) to each connection.

IKE Phase 1

Choose either aggressive or main. This sets the IKE protocol. IKE phase 1 is used to negotiate how IKE is protected. Aggressive mode passes more information in fewer packets, with the benefit of a slightly faster connection, at the cost of transmitting the identities of the security gateways in the clear.

Lifetime

Set the timeout interval (in seconds) when the session expires.

IKE Diffie Hellman Group

Set the IKE Diffie-Hellman group. The options are group 1 (768 bits), group 2 (1024 bits), or group 5 (1536 bits). Diffie-Hellman techniques are used by two devices to generate a symmetric key where you can publicly exchange values and generate the same symmetric key.

Although all three groups provide security from conventional attacks, Group 5 is considered more secure because of its larger key size. However, computations involving Group 1-based or Group 2-based keys might occur slightly faster because of their smaller prime number size.

Server Type

Select one or more server types by selecting their respective check boxes. The following server types are available:

• authentication—Server for user authentication/authorization.

• authorization—Server for user authorization only.

• accounting—Server for RADIUS user accounting.

Server Address

Enter the IP address of the server.

Port Number

Enter the port number of the server. The default is 49.

Shared Secret Format

Choose either ASCII or hex.

Regardless of which format you choose, for security reasons, only ASCII is visible on the WLC (and Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. Set the key format again in the template in the event a discovered template is applied to another device.

Shared Secret

Enter the TACACS+ shared secret used by your specified server.

Confirmed Shared Secret

Reenter the TACACS+ shared secret used by your specified server.

Admin Status

Select if you want the LDAP server to have administrative privileges.

Retransmit Timeout

Enter the time, in seconds, after which the TACACS+ authentication request times out and a retransmission is attempted by the controller.

Time to Live for the PAC

Enter the number of days for the PAC to remain viable. The valid range is 1 to 1000 days, and the default setting is 10 days.

Authority ID

Enter the authority identifier of the local EAP-FAST server in hexadecimal characters. You can enter up to 32 hexadecimal characters, but you must enter an even number of characters.

Authority Info

Enter the authority identifier of the local EAP-FAST server in text format.

Server Key and Confirm Server Key

Enter the key (in hexadecimal characters) used to encrypt and decrypt PACs.

Anonymous Provision

Select to enable anonymous provisioning. This feature allows PACs to be sent automatically to clients that do not have one during PAC provisioning. If you disable this feature, PACs must be manually provisioned.

Local Auth Active Timeout

Enter the amount of time (in seconds) that the controller attempts to authenticate wireless clients using local EAP after any pair of configured RADIUS servers fail. The valid range is 1 to 3600 seconds, and the default setting is 1000 seconds.

Local EAP Identity Request Timeout

1

Local EAP Identity Request Maximum Retries

20

Local EAP Dynamic WEP Key Index

0

Local EAP Request Timeout

20

Local EAP Request Maximum Retries

2

EAPOL-Key Timeout

1000 (in milliseconds)

EAPOL-Key Max Retries

2

Max Login Ignore Identity Response

Choose Enable to limit the number of devices that can be connected to the controller with the same username.

EAP Profile Name

User-defined identification.

Select Profile Methods

Choose the desired authentication type:

• LEAP—This authentication type leverages Cisco Key Integrity Protocol (CKIP) and Multi-Modal Hashing (MMH) message integrity check (MIC) for data protection. A username and password are used to perform mutual authentication with the RADIUS server through the access point.

• EAP-FAST—This authentication type (Flexible Authentication via Secure Tunneling) uses a three-phased tunnel authentication process to provide advanced 802.1X EAP mutual authentication. A username, password, and PAC (protected access credential) are used to perform mutual authentication with the RADIUS server through the access point.

• TLS—This authentication type uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data. It requires a client certificate for authentication.

• PEAP—This authentication type is based on EAP-TLS authentication but uses a password instead of a client certificate for authentication. PEAP uses a dynamic session-based WEP key derived from the client adapter and RADIUS server to encrypt data.

Certificate Issuer

Determine whether Cisco or another vendor issued the certificate for authentication. Only EAP-FAST and TLS require a certificate.

Check Against CA Certificates

Select if you want the incoming certificate from the client to be validated against the certificate authority (CA) certificates on the controller.

Verify Certificate CN Identity

Select if you want the common name (CN) in the incoming certificate to be validated against the common name of the CA certificate.

Check Against Date Validity

Select if you want the controller to verify that the incoming device certificate is still valid and has not expired.

Local Certificate Required

Select if a local certificate is required.

Client Certificate Required

Select if a client certificate is required.

Rule Type

Choose Malicious or Friendly from the drop-down list. A rogue is considered malicious if a detected access point matches the user-defined malicious rules or has been manually moved from the Friendly AP category. A rogue is considered friendly if it is a known, acknowledged, or trusted access point or a detected access point that matches the user-defined Friendly rules.

Match Type

Choose Match All Conditions or Match Any Condition.

Open Authentication

Select the check box to enable open authentication.

Match Managed AP SSID

Select the check box to enable the matching of a managed AP SSID.

Match User Configured SSID

Select the check box to enable the matching of user-configured SSIDs.

Minimum RSSI

Select the check box to enable the Minimum RSSI threshold limit.

Time Duration

Select the check box to enable the Time Duration limit.

Minimum Number Rogue Clients

Select the check box to enable the Minimum Number Rogue Clients limit. Enter the minimum number of rogue clients allowed. The detected access point is classified as malicious if the number of clients associated to the detected access point is greater than or equal to the indicated value.

Rogue Location Discovery Protocol

Determine whether or not the Rogue Location Discovery Protocol (RLDP) is connected to the enterprise wired network. Choose one of the following:

• Disable—Disables RLDP on all access points.

• All APs—Enables RLDP on all access points.

• Monitor Mode APs—Enables RLDP only on access points in monitor mode.

Expiration Timeout for Rogue AP and Rogue Client Entries

Enter the expiration timeout (in seconds) for rogue access point entries.

Rogue Detection Report Interval

Enter the time interval in seconds at which the APs should send the rogue detection report to the controller. A valid range is from 10 to 300 seconds, and the default value is 10 seconds. This feature is applicable to APs that are in monitor mode only.

Rogue Detection Minimum RSSI

Enter the minimum RSSI value that a rogue should have for the APs to detect and for the rogue entry to be created in the controller. A valid range is from -70 to -128 dBm, and the default value is -128 dBm. This feature is applicable to all the AP modes.

There can be many rogues with very weak RSSI values that do not provide any valuable information in the rogue analysis. Therefore, you can use this option to filter the rogues by specifying the minimum RSSI value at which the APs should detect rogues.

Rogue Detection Transient Interval (Enter 0 to Disable)

Enter the time interval at which a rogue has to be consistently scanned for by the AP after the first time the rogue is scanned. By entering the transient interval, you can control the time interval at which the AP should scan for rogues. The APs can filter the rogues based on their transient interval values. The valid range is from 120 to 1800 seconds, and the default value is 0. This feature is applicable to APs that are in monitor mode only

Validate Rogue Clients against AAA

Select to enable the AAA validation of rogue clients.

Detect and Report Adhoc Networks

Select to enable detection and reporting of rogue clients participating in ad hoc networking.

Rogue on Wire

Automatically contains rogues that are detected on the wired network.

Using our SSID

Automatically contains rogues that are advertising your network’s SSID. If you leave this parameter unselected, the controller only generates an alarm when such a rogue is detected.

Valid Client on Rogue AP

Automatically contains a rogue access point to which trusted clients are associated. If you leave this parameter unselected, the controller only generates an alarm when such a rogue is detected.

ACL Type

IPv6 is supported from controller Version 7.2.x.

Encryption KeyConfirm Encryption Key

Enter an encryption key text string of exactly 16 ASCII characters.

IP Address

Enter an IPv4 address format.

NetmaskNotation

Netmask allows you to set the subnet mask in dotted-decimal notation rather than the CIDR notation for the IP address property. A range of IP addresses defined so that only machines with IP addresses within the range are allowed to access an Internet service.

CIDR Notation

Classless InterDomain Routing (CIDR) notation is a protocol that allows the assignment of Class C IP addresses in multiple contiguous blocks. Use this protocol to add a large number of clients that exist in a subnet range by configuring a single client object.

List of IP Addresses/Netmasks

All the IP address groups are listed. One IP address group can have a maximum of 128 IP address and netmask combinations. To define a new IP address group, choose Add. To view or modify an existing IP address group, click the URL of the IP address group. The IP address group page opens.

Use the Move Up and Move Down buttons to rearrange the order of the list items. Use the Delete button to delete any IP address or netmask.

IP Address

Enter an IPv6 address format.

Prefix Length

Prefix for IPv6 addresses, ranging from 0 to 128.

List of IP Addresses/Netmasks

All the IP address groups are listed. One IP address group can have a maximum of 128 IP address and netmask combinations. To define a new IP address group, choose Add. To view or modify an existing IP address group, click the URL of the IP address group. The IP address group page opens.

Use the Move Up and Move Down buttons to rearrange the order of the list items. Use the Delete button to delete any IP address or netmask.

Rule Name

The rule name is provided for the existing rules, or you can now enter a name for a new rule. ACLs are not required to have rules defined. When a packet matches all the fields of a rule, the action for this rule is exercised.

Protocol

Choose a protocol from the drop-down list:

• Any—All protocols

• TCP—Transmission Control Protocol

• UDP—User Datagram Protocol

• ICMP—Internet Control Message Protocol

• ESP—IP Encapsulating Security Payload

• AH—Authentication Header

• GRE—Generic Routing Encapsulation

• IP—Internet Protocol

• Eth Over IP—Ethernet over Internet Protocol

• Other Port OSPF—Open Shortest Path First

• Other—Any other IANA protocol (http://www.iana.org/)

Some protocol choices (such as TCP or UDP) cause additional Source Port and Dest Port GUI elements to appear.

Source Port

Enter the source port. Can be Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other, and Port Range.

Dest Port

Enter the destination port. If TCP or UDP is selected, can be Any, HTTP, HTTPS, Telnet, RADIUS, DHCP Server, DHCP Client, DNS, L2TP, PPTP control, FTP control, SMTP, SNMP, LDAP, Kerberos, NetBIOS NS, NetBIOS DS, NetBIOS SS, MS Dir Server, Other, and Port Range.

DSCP (Differentiated Services Code Point)

Choose Any or Specific from the drop-down list. If Specific is selected, enter the DSCP (0 through 255). DSCP is a packet header code that can be used to define the quality of service across the Internet.

URL

In the URL Name text box, enter the URL address.

Rule Action

Select Allow or Deny from the drop-down list.

DHCP Option 82 Remote Id field format

This field provides additional security when DHCP is used to allocate network addresses. Specifically, it enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. The controller can be configured to add option 82 information to DHCP requests from clients before forwarding the requests to the DHCP server.

DHCP Proxy

Select the DHCP Proxy check box to enable DHCP proxy on a global basis rather than on a WLAN basis.

When DHCP proxy is enabled on the controller, the controller unicasts DHCP requests from the client to the configured servers. At least one DHCP server must be configured on either the interface associated with the WLAN or on the WLAN itself.

DHCP Timeout

(For Controller Version 7.0.114.74 and later) Enter the DHCP timeout, in seconds.

Guest LAN

Select to mark the interface as wired.

Quarantine

Enable/disable to quarantine a VLAN. Select the check box to enable.

Netmask

Enter the netmask address of the interface.

LAG Mode

Select this check box to enable or disable LAG Mode. If LAG mode is selected with this interface, then the settings can be applied only to the LAG-enabled controllers.

Primary Port Number

Enter the port currently used by the interface.

Secondary Port Number

Enter a secondary port to be used by the interface when the primary port is down. When the primary port is reactivated, the Cisco 4400 Series Wireless LAN controller transfers the interfaces back to the primary port.

Primary and secondary port numbers are present only in the Cisco 4400 Series Wireless LAN controllers.

AP Management

Select this check box to enable access point management.

Primary DHCP Server

Enter the IP addresses of the primary DHCP servers.

Secondary DHCP Server

Enter the IP addresses of the secondary DHCP servers.

ACL Name

Choose a name from the list of defined names.

From the Add Format Type drop-down list in the Add Interface Format Type group box, choose either Device Info or File. If you choose device info, you must configure the device-specific fields for each controller. If you choose File, you must configure CSV device-specific fields (Interface Name, VLAN Identifier, Quarantine VLAN Identifier, IP Address, and Gateway) for all the managed controllers specified in the CSV file (see the following table).

209.165.200.224

dyn-1

1

2

209.165.200.228

209.165.200.229

209.165.200.225

interface-1

4

2

209.165.200.230

209.165.200.231

209.165.200.226

interface-2

5

3

209.165.200.232

209.165.200.233

209.165.200.227

dyna-2

2

3

209.165.200.234

209.165.200.235

802.3x Flow Control Mode

Enable or disable flow control mode.

802.3 Bridging

Enable or disable 802.3 bridging. This 802.3 bridging option is not available for Cisco 5500 and Cisco 2106 series controllers.

Web Radius Authentication

Choose the desired Web RADIUS authentication. You can choose to use PAP, CHAP, or MD5-CHAP for authentication between the controller and the client during the user credential exchange.

AP Primary Discovery Timeout

Specify the number of seconds for the AP Primary Discovery Timeout. The default is 120 seconds, and the valid range is 30 to 3600 seconds.

Back-up Primary Controller IP Address

Specify the back-up primary and secondary controller details.

Back-up Primary Controller Name

Back-up Secondary Controller IP Address

Back-up Secondary Controller Name

CAPWAP Transport Mode

Specify Layer 2 or Layer 3 transport mode. When set to Layer 3, the lightweight access point uses IP addresses to communicate with the access points; these IP addresses are collected from a mandatory DHCP server. When set to Layer 2, the lightweight access point uses proprietary code to communicate with the access points.

Controllers through Version 5.2 use LWAPP and the new controller version uses CAPWAP.

Broadcast Forwarding

Choose to enable or disable broadcast forwarding. The default is disabled.

LAG Mode

Choose Enable or Disable from the LAG Mode drop-down list. Link aggregation allows you to reduce the number of IP addresses needed to configure the ports on your controller by grouping all the physical ports and creating a link aggregation group (LAG).

If LAG is enabled on a controller, any dynamic interfaces that you have created are deleted to prevent configuration inconsistencies in the interface database. When you make changes to the LAG configuration, the controller has to be rebooted for the changes to take effect.

Interfaces cannot be created with the Dynamic AP Manager flag set. Also, you cannot create more than one LAG on a controller.

Peer to Peer Blocking Mode

Choose to enable or disable peer-to-peer blocking mode. If you choose Disable, any same-subnet clients communicate through the controller. If you choose Enable, any same-subnet clients communicate through a higher-level router.

Over-the-Air Provisioning AP Mode

From the Over-the-Air AP Provision Mode drop-down list, choose enable or disable.

AP Fallback

From the AP Fallback drop-down list, choose enable or disable. Enabling fallback causes an access point that lost a primary controller connection to automatically return to service when the primary controller returns.

When a controller fails, the backup controller configured for the access point suddenly receives a number of discovery and join requests. This might cause the controller to reach a saturation point and reject some of the access points. By assigning priority to an access point, you have some control over which access points are rejected. In a failover situation when the backup controller is saturated, the higher priority access points can join the backup controller if the lower priority access points are disjoined. Choose enable from the AP Failover Priority drop-down list if you want to allow this capability.

AP Failover Priority

Apple Talk Bridging

Choose to enable or disable AppleTalk bridging.

This AppleTalk bridging option is not available on Cisco 5500 series controllers.

Fast SSID Change

Choose to enable or disable the Fast SSID Change option. If the option is enabled, the client connects instantly to the controller between SSIDs without having much loss of connectivity. Normally, each client is connected to a particular WLAN identified by the SSID. If the client moves out of reach of the connected access point, the client has to reconnect to the controller using a different access point. This normal process consumes some time as the DHCP (Dynamic Host Configuration Protocol) server has to assign an IP address to the client.

Because the primary controller is normally not used in a deployed network, the primary controller setting is automatically disabled upon reboot or operating system code upgrade. You might want to enable the controller as the primary controller from the Primary Controller Mode drop-down list.

Primary Controller Mode

Choose to enable or disable access to the controller management interface from wireless clients. Because of IPsec operation, management via wireless is only available to operators logging in across WPA or Static WEP.

Wireless Management

Wireless management is not available to clients attempting to log in via an IPsec WLAN.

Symmetric Tunneling Mode

Choose to enable or disable symmetric tunneling mode. With symmetric mobility tunneling, the controller provides inter-subnet mobility for clients roaming from one access point to another within a wireless LAN. The client traffic on the wired network is directly routed by the foreign controller. If a router has Reverse Path Forwarding (RPF) enabled (which provides additional checks on incoming packets), the communication is blocked. Symmetric mobility tunneling allows the client traffic to reach the controller designated as the anchor, even with RPF enabled.

All controllers in a mobility group must have the same symmetric tunneling mode.

For symmetric tunneling to take effect, you must reboot.

ACL Counters

Use the ACL Counters drop-down list to enable or disable ACL counters. The values per ACL rule can be viewed for each controller.

Default Mobility Domain Name

Enter the operator-defined RF mobility group name in the Default Mobility Domain Name text box.

Mobility Anchor Group Keep Alive Interval

Specify the delay between tries for clients attempting to join another access point. With this guest tunneling N+1 redundancy feature, the time it takes for a client to join another access point following a controller failure is decreased because a failure is quickly identified, the clients are moved away from the problem controller, and the clients are anchored to another controller.

When you hover your mouse cursor over the field, the valid range of values appear.

Mobility Anchor Group Keep Alive Retries

Specify the number of queries to anchor before the client declares it unreachable.

RF Network Name

Enter the RF network group name from 8 to 19 characters. Radio Resource Management (RRM) neighbor packets are distributed among access points within an RF network group. The Cisco access points only accept RRM neighbor packets sent with this RF network name. The RRM neighbor packets sent with different RF network names are dropped.

User Idle Timeout

Specify the time out for idle clients. The factory default is 300 seconds. When the timeout expires, the client loses authentication, briefly disassociates from the access point, reassociates, and reauthenticates.

Specify the timeout in seconds for the address resolution protocol. The factory default is 300 seconds.

ARP Timeout

Specify the timeout in seconds.

Global TCP Adjust MSS

Select the Global TCP Adjust MSS check box to start checking the TCP packets originating from the client, for the TCP SYN/ TCP ACK packets and MSS value and reset it to the configured value on the upstream and downstream side.

Disable local access

When this check box is selected, the AP will not broadcast local SSIDs or allow access to any of the Ethernet ports.

Out of Box

Select this check box to create out-of-box RF profiles for both the radios along with out-of-box AP group.

Web Auth Proxy Redirect Mode

Choose enable or disable Web Auth Proxy Redirect Mode if a manual proxy configuration is configured on the browser of the client; all web traffic going out from the client is destined for the PROXY IP and PORT configured on the browser.

Web Auth Proxy Redirect Port

Enter the Web Auth Proxy Redirect Port. The default ports are 8080 and 3128. The range is from 0 to 65535.

AP Retransmit Count

Enter the AP Retransmit Count and Intervals. The AP Retransmit Count default value is 5 and the range is from 3 to 8. The AP Retransmit Interval default value is 3. The range is from 2 to 5.

AP Retransmit Interval

Global IPv6 Config

From the Global IPV6 Config drop-down list, choose Enabled or Disabled.

Dot1x System Authentication Control

Choose Dot1x System Authentication Control check box to enable or disable 802.1x

HTTP Profiling Port

Enter the HTTP profiling port number. This allows custom http port configuration.

CDP on controller

Choose enable or disable CDP on the controller. This configuration cannot be applied on WiSM2 controllers.

Global CDP on APs

Choose to enable or disable CDP on the access points.

Refresh-time Interval

Enter the time in seconds at which CDP messages are generated. The default is 60.

Holdtime

Enter the time in seconds before the CDP neighbor entry expires. The default is 180.

CDP Advertisement Version

Enter which version of the CDP protocol to use. The default is v1.

Ethernet Interface Slot

Select the slots of Ethernet interfaces for which you want to enable CDP. CDP for Ethernet Interfaces fields are supported for Controller Version 7.0.110.2 and later.

Radio Interface Slot

Select the slots of Radio interfaces for which you want to enable CDP. CDP for Radio Interfaces fields are supported for Controller Version 7.0.110.2 and later.

Per-User Bandwidth Contracts

Average Data Rate

The average data rate for non-UDP traffic.

Global CDP on APs

The peak data rate for non-UDP traffic.

Average Real-time Rate

The average data rate for UDP traffic.

Burst Real-time Rate

The peak data rate for UDP traffic.

Over-the-Air QoS

Maximum QoS RF Usage per AP

The maximum air bandwidth available to clients. The default is 100%.

QoS Queue Depth

The depth of queue for a class of client. The packets with a greater value are dropped at the access point.

Wired QoS Protocol

Wired QoS Protocol

Choose 802.1P to activate 802.1P priority tags or None to deactivate 802.1P priority flags.

802.1P Tag

Choose 802.1P priority tag for a wired connection from 0 to 7. This tag is used for traffic and CAPWAP packets.

Wired LAN

Select the check box to indicate whether or not this WLAN is a wired LAN.

Use the Type drop-down list to choose the type of the wired LAN.

• Guest LAN—Indicates that this wired LAN is a guest LAN. If you select the Guest LAN option, you need to select an Egress interface that has not already been assigned to any guest LAN.

• Remote LAN—Indicates that this wired LAN is a remote LAN.

Profile Name

Enter a name in the Profile Name text box that identifies the WLAN or the guest LAN. Do not use any spaces in the name entered.

SSID

Enter the name of the WLAN SSID. An SSID is not required for a guest LAN.

WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in the beacons and probes.

Status

Select the Enable check box for the Status field.

Configure Wlan Id

Select the check box to give the WLAN an identifier.

Use the Wlan Id text box to enter the WLAN identifier (an integer).

Security Policies

Modifications you make in the Security tab appear after you save the template.

Radio Policy

Set the WLAN policy to apply to All (802.11a/b/g/n), 802.11a only, 802.11g only, 802.11b/g only, or 802.11a/g only.

Interface/Interface Group

Choose the available names of interfaces created by the Controller > Interfaces module.

Multicast VLAN

Select the Enable check box to enable the multicast VLAN feature.

From the Multicast VLAN Interface drop-down list, choose the appropriate interface name. This list is automatically populated when you enable the multicast VLAN feature.

Broadcast SSID

Select to activate SSID broadcasts for this WLAN.

Layer 2

None

No Layer 2 security selected.

• FT Enable—Select the check box to enable fast transition (FT) between access points.

Over the DS—Select the check box to enable or disable the fast transition over a distributed system (DS).

Reassociation Timeout—Time in seconds after which fast transition reassociation times out. The default is 20 seconds, and the valid range is 1 to 100.

To enable Over the DS or Reassociation Timeout, you should enable fast transition.

802.1X

WEP 802.1X data encryption type:

• 40/64 bit key

• 104 bit key

• 152 bit key

Static WEP

Static WEP encryption fields:

• Key sizes: Not set, 40/64, 104, and 152 bit key sizes.

• Key Index: 1 to 4.

• Encryption Key: Encryption key required.

• Key Format: ASCII or HEX.

• Allowed Shared Key Authentication—Select the check box to enable shared key authentication.

Regardless of the format you choose, for security reasons, only ASCII is visible on the WLC (and the Prime Infrastructure). For this reason, you cannot use a template to replicate the configuration on a second controller during auto provisioning. You should set the key format again in the template in case a discovered template is applied to another device.

Static WEP-802.1X

Use this setting to enable both static WEP and 802.1X policies. If this option is selected, static WEP and 802.1X fields are displayed at the bottom of the page.

Static WEP encryption fields:

• Key sizes: Not set, 40/64, 104, and 152 bit key sizes.

• Key index: 1 to 4.

• Encryption Key: Enter encryption key.

• Key Format: ASCII or HEX.

• Allowed Shared Key Authentication—Select the check box to enable.

• 802.1 Data Encryption: 40/64 bit key, 104 bit key, 152 bit key.

CKIP

Cisco Key Integrity Protocol (CKIP). A Cisco access point advertises support for CKIP in beacon and probe response packets. CKIP can be configured only when Aironet IE is enabled on the WLAN.

When selected, these CKIP fields are displayed.

• Key size: Not set, 40, or 104.

• Key Index: 1 to 4

• Encryption Key: Specify encryption key.

• Key Format: ASCII or HEX.

MMH Mode—Select the check box to enable.

Key Permutation—Select the check box to enable.

MAC Filtering

Select to filter clients by MAC address.

You might want to disable the MAC filter list to allow newly added access points to join the controller. Before enabling the MAC filter list again, you should enter the MAC addresses of the new access points.

Authentication Key Management

Choose the desired type of authentication key management. The choices are 802.1X, CCKM, or PSK.

Layer 3

Layer 3 Security

Choose between None and VPN Pass Through.

Web Policy

You can modify the default static WEP (web authentication) or assign specific web authentication (login, logout, login failure) pages and the server source.

1. To change the static WEP to passthrough, select the Web Policy check box and choose the Passthrough option from the drop-down list. This option allows users to access the network without entering a username or password.

An Email Input check box appears. Select this check box if you want users to be prompted for their email address when attempting to connect to the network.

1. Select the WebAuth on MAC Filter Failure radio button so that when clients fail on MAC filter, they are automatically switched to WebAuth.

1. To specify custom web authentication pages, unselect the Global WebAuth Configuration Enable check box.

When the Web Auth Type drop-down list appears, choose one of the following options to define the web login page for the wireless guest users:

• Default Internal—Displays the default web login page for the controller. This is the default value.

• Customized Web Auth—Displays custom web login, login failure, and logout pages. When the customized option is selected, three separate drop-down lists for login, login failure, and logout page selection appear. You do not need to define a customized page for all three of the options. Choose None from the appropriate drop-down list if you do not want to display a customized page for that option.

• These optional login, login failure, and logout pages are downloaded to the controller as webauth.tar files.

• External—Redirects users to an external server for authentication. If you choose this option, you must also enter the URL of the external server in the URL text box.

  Note	External web auth is not supported for 2106 and 5500 series controllers.

• You can select specific RADIUS or LDAP servers to provide external authentication in the Security > AAA page.

  Note	The RADIUS and LDAP servers must be already configured to have selectable options in the Security > AAA page. You can configure these servers in the RADIUS Authentication Servers page and TACACS+ Authentication Servers page.

  If you selected External as the Web Authentication Type, choose Security > AAA, and choose up to three RADIUS and LDAP servers using the drop-down lists.

  Repeat this process if a second (anchor) controller is being used in the network.

AAA Server

Radius Server Overwrite Interface

Select to send the client authentication request through the dynamic interface that is set on the WLAN. When you enable the Radius Server Overwrite Interface option, the WLC sources all RADIUS traffic for a WLAN using the dynamic interface configured on that WLAN.

Select the Enable check box, then use the drop-down lists in the RADIUS and LDAP servers section to choose authentication and accounting servers. This selects the default RADIUS server for the specified WLAN and overrides the RADIUS server that is configured for the network. If all three RADIUS servers are configured for a particular WLAN, server 1 has the highest priority, and so on.

If no LDAP servers are chosen here, Prime Infrastructure uses the default LDAP server order from the database.

Interim Update

Select to enable interim update for RADIUS Server Accounting. If you have selected this check box, specify the Interim Interval value. The range is 180 to 3600 seconds, and the default value is 0.

Local EAP Authentication

Select the Local EAP Authentication check box if you have an EAP profile already configured that you want to enable. Local EAP is an authentication method that allows users and wireless clients to locally authenticate. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down.

Allow AAA Override

When you enable AAA Override, and a client has conflicting AAA and controller WLAN authentication fields, client authentication is performed by the AAA server. As part of this authentication, the operating system moves clients from the default Cisco WLAN Solution to a VLAN returned by the AAA server and predefined in the controller interface configuration (only when configured for MAC filtering, 802.1X, and/or WPA operation). In all cases, the operating system also uses QoS and ACL provided by the AAA server, as long as they are predefined in the controller interface configuration. (This VLAN switching by AAA override is also referred to as identity networking.)

For instance, if the corporate WLAN primarily uses a management interface assigned to VLAN 2, and if AAA override returns a redirect to VLAN 100, the operating system redirects all client transmissions to VLAN 100, regardless of the physical port to which VLAN 100 is assigned.

When AAA override is disabled, all client authentication defaults to the controller authentication parameter settings, and authentication is only performed by the AAA server if the controller WLANs do not contain any client-specific authentication parameters.

The AAA override values might come from a RADIUS server, for example.

Quality of Service (QoS)

Choose Platinum (voice), Gold (video), Silver (best effort), or Bronze (background). Services such as VoIP should be set to gold while nondiscriminating services such as text messaging can be set to bronze.

Override Per-User Rate Limits

Data rates on a per-user basis

Average Data Rate

Define the average data rate for TCP traffic per user or per SSID by entering the rate in kbps in the Average Data Rate text box. A value of 0 imposes no bandwidth restriction on the profile.

Burst Data Rate

Define the peak data rate for TCP traffic per user or per SSID by entering the rate in kbps in the Burst Data Rate text box. A value of 0 imposes no bandwidth restriction on the profile. The Burst Data Rate should be greater than or equal to the Average Data Rate. Otherwise, the QoS policy may block traffic to and from the wireless client.

Average Real-Time Rate

Define the average real-time rate for UDP traffic per user or per SSID by entering the rate in kbps in the Average Real-Time Rate text box. A value of 0 imposes no bandwidth restriction on the profile.

Burst Real-Time Rate

Define the peak real-time rate for UDP traffic per user or per SSID by entering the rate in kbps in the Burst Real-Time Rate text box. A value of 0 imposes no bandwidth restriction on the profile. The Burst Real-Time Rate should be greater than or equal to the Average Real-Time Rate. Otherwise, the QoS policy may block traffic to and from the wireless client.

Override Per-SSID Rate Limits

Data rates on a per SSID basis

Average Data Rate

Define the average data rate TCP traffic per user or per SSID by entering the rate in kbps in the Average Data Rate text box. A value of 0 imposes no bandwidth restriction on the profile.

Burst Data Rate

Define the peak data rate for TCP traffic per user or per SSID by entering the rate in kbps in the Burst Data Rate text box. A value of 0 imposes no bandwidth restriction on the profile. The Burst Data Rate should be greater than or equal to the Average Data Rate. Otherwise, the QoS policy may block traffic in the WLANs.

Average Real-Time Rate

Define the average real-time rate for UDP traffic per user or per SSID by entering the rate in kbps in the Average Real-Time Rate text box. A value of 0 imposes no bandwidth restriction on the profile.

Burst Real-Time Rate

Define the peak real-time rate for UDP traffic per user or per SSID by entering the rate in kbps in the Burst Real-Time Rate text box. A value of 0 imposes no bandwidth restriction on the profile. The Burst Real-Time Rate should be greater than or equal to the Average Real-Time Rate. Otherwise, the QoS policy may block traffic in the WLANs.

WMM Policy

Choose Disabled, Allowed (so clients can communicate with the WLAN), or Required (to make it mandatory for clients to have WMM enabled for communication).

7920 AP CAC

Select to enable support on Cisco 7920 phones.

If you want WLAN to support older versions of the software on 7920 phones, select the 7920 Client CAC check box to enable it. The Call Admission Control (CAC) limit is set on the access point for newer versions of software.

FlexConnect Local Switching

Select to enable FlexConnect local switching. If you enable FlexConnect local switching, the FlexConnect access point handles client authentication and switches client data packets locally.

FlexConnect local switching is only applicable to the Cisco 1130/1240/1250 series access points. It is not supported with L2TP or PPTP authentications, and it is not applicable to WLAN IDs 9 to 16.

VLAN ID—Enter a valid value between 1 to 4094 for VLAN Id. This field shows up only when you select Guest LAN from the LAN Type drop-down list in the WLAN Configuration > General tab.

FlexConnect Local Auth

Select to enable FlexConnect local authentication.

Local authentication is useful where you care unable to maintain the criteria of a remote office setup of minimum bandwidth of 128 kbps with the roundtrip latency no greater than 100 ms and the maximum transmission unit (MTU) no smaller than 500 bytes. In local switching, the authentication capabilities are present in the access point itself. Thus local authentication reduces the latency requirements of the branch office.

Local authentication is not supported in the following scenarios:

• Guest authentication cannot be performed on a FlexConnect local authentication enabled WLAN.

• RRM information is not available at the controller for the FlexConnect local authentication enabled WLAN.

• Local RADIUS is not supported.

• Once the client has been authenticated, roaming is supported after the WLC and the other FlexConnects in the group are updated with the client information.

Learn Client IP Address

When you enable hybrid-REAP local switching, the Learn Client IP Address check box is enabled by default. However, if the client is configured with Fortress Layer 2 encryption, the controller cannot learn the client IP address, and the controller periodically drops the client. Disable this option so that the controller maintains the client connection without waiting to learn the client IP address. The ability to disable this option is supported only with hybrid-REAP local switching; it is not supported with hybrid-REAP central switching.

Diagnostic Channel

Choose to enable the diagnostic channel feature or leave it disabled. The diagnostic channel feature allows you to troubleshoot problems regarding client communication with a WLAN. When initiated by a client having difficulties, the diagnostic channel provides the most robust communication methods with the fewest obstacles to communication.

Aironet IE

Select to enable support for Aironet information elements (IEs) for this WLAN. If Aironet IE support is enabled, the access point sends an Aironet IE 0x85 (which contains the access point name, load, number of associated clients, and so on) in the beacon and probe responses of this WLAN, and the controller sends Aironet IEs 0x85 and 0x95 (which contains the management IP address of the controller and the IP address of the access point) in the reassociation response if it receives Aironet IE 0x85 in the reassociation request.

IPv6

Select the IPv6 check box. You can configure IPv6 bridging and IPv4 web auth on the same WLAN.

Session Timeout

Select to set the maximum time a client session can continue before requiring reauthorization.

Coverage Hole Detection

Choose to enable or disable coverage hold detection (CHD) on this WLAN. By default, CHD is enabled on all WLANs on the controller. If you disable CHD on a WLAN, a coverage hole alert is still sent to the controller, but no other processing is done to mitigate the coverage hole. This feature is useful for guest WLANs where highly mobile guests are connected to your network for short periods of time.

Override Interface ACL

The Override Interface ACL drop-down list provides a list of defined access control lists (ACLs). Upon choosing an ACL from the list, the WLAN associates the ACL to the WLAN. Selecting an ACL is optional, and the default for this field is None.

Peer to Peer Blocking

You can configure peer-to-peer blocking per WLAN rather than applying the status to all WLANs. From the Peer to Peer Blocking drop-down list, choose one of the following:

• Disable—Peer-to-peer blocking is disabled, and traffic is bridged locally whenever possible.

• Drop—The packet is discarded.

• Forward Up Stream—The packet is forwarded on the upstream VLAN, and the decision is made about what to do with the packet.

If FlexConnect local switching is enabled for the WLAN, which prevents traffic from passing through the controller, this drop-down list is dimmed.

Wi-Fi Direct Clients Policy

Choose one of the following options:

• Disabled—Disables the Wi-Fi Direct Clients Policy for the WLAN and deauthenticates all Wi-Fi Direct capable clients. The default is Disabled.

• Allow—Allows the Wi-Fi Direct clients to associate with an infrastructure WLAN.

• Not-Allow—Disallows the Wi-Fi Direct clients from associating with an infrastructure WLAN.

Client Exclusion

Select the check box if you want to enable automatic client exclusion. If you enable client exclusion, you must also set the timeout value in seconds for disabled client machines. Client machines are excluded by MAC address, and their status can be observed. A timeout setting of 0 indicates that administrative control is required to reenable the client.

Passive Client

Enter the maximum number of clients to be associated in a WLAN in the Maximum Clients text box. The valid range is from 0 to 7000. The default value is 0.

Static IP Tunneling

Enable dynamic anchoring of static IP clients by selecting the Static IP Tunneling check box.

Media Session Snooping

This feature enables access points to detect the establishment, termination, and failure of voice calls and then report them to the controller and Prime Infrastructure. It can be enabled or disabled per WLAN.

When media session snooping is enabled, the access point radios that advertise this WLAN snoop for Session Initiation Protocol (SIP) voice packets. Any packets destined to or originating from port number 5060 are considered for further inspection. The access point tracks whether Wi-Fi Multimedia (WMM) and non-WMM clients are establishing a call, already on an active call, or in the process of ending a call and then notify the controller of any major call events.

KTS based CAC

Select the KTS based CAC check box to enable KTS-based CAC support per WLAN.

WLC supports TSPEC-based CAC and SIP-based CAC. But there are certain phones that work with different protocols for CAC, which are based on the KTS (Key Telephone System). For supporting CAC with KTS-based SIP clients, WLC should understand and process the bandwidth request message from those clients to allocate the required bandwidth on the AP radio, in addition to handling and sending certain other messages, as part of this protocol.

NAC State

Choose SNMP NAC or Radius NAC. SIP errors that are discovered generate traps that appear on the client troubleshooting and alarms screens. The controller can integrate with the NAC appliance in out-of-band mode, where the NAC appliance remains in the data path only until clients have been analyzed and cleaned. Out-of-band mode reduces the traffic load on the NAC appliance and enables centralized NAC processing.

Scan Defer Priority

Off-Channel Scanning Defer is essential to the operation of RRM, which gathers information about alternate channel choices such as noise and interference. Additionally, Off-Channel Scanning Defer is responsible for rogue detection. Devices that need to defer Off-Channel Scanning Defer should use the same WLAN as often as possible. If there are many of these devices (and the possibility exists that Off-Channel Defer scanning could be completely disabled by the use of this feature), you should implement an alternative to local AP Off-Channel Scanning Defer, such as monitor access points, or other access points in the same location that do not have this WLAN assigned.

Assignment of a QoS policy (bronze, silver, gold, and platinum) to a WLAN affects how packets are marked on the downlink connection from the access point regardless of how they were received on the uplink from the client. UP=1,2 is the lowest priority, and UP=0,3 is the next higher priority. The marking results of each QoS policy are as follows:

• Bronze marks all downlink traffic to UP=1.

• Silver marks all downlink traffic to UP=0.

• Gold marks all downlink traffic to UP=4.

• Platinum marks all downlink traffic to UP=6.

Set the Scan Defer Priority by clicking the priority argument, and set the time in milliseconds in the Scan Defer Interval text box. Valid values are 0 to 60000. The default value is 100 milliseconds.

DTIM Period

In 802.11a/n and 802.11b/g/n networks, lightweight access points broadcast a beacon at regular intervals, which coincides with the Delivery Traffic Indication Map (DTIM). After the access point broadcasts the beacon, it transmits any buffered broadcast and multicast frames based on the value set for the DTIM period. This feature allows power-saving clients to wake up at the appropriate time if they are expecting broadcast or multicast data.

Normally, the DTIM value is set to 1 (transmit broadcast and multicast frames after every beacon) or 2 (transmit after every other beacon). For instance, if the beacon period of the 802.11a/n or 802.11b/g/n network is 100 ms and the DTIM value is set to 1, the access point transmits buffered broadcast and multicast frames 10 times per second. If the beacon period is 100 ms and the DTIM value is set to 2, the access point transmits buffered broadcast and multicast frames 5 times per second. Either of these settings might be suitable for applications, including VoIP, that expect frequent broadcast and multicast frames.

However, the DTIM value can be set as high as 255 (transmit broadcast and multicast frames after every 255th beacon) if all 802.11a/n or 802.11b/g/n clients have power save enabled. Because the clients have to listen only when the DTIM period is reached, they can be set to listen for broadcasts and multicasts less frequently, resulting in longer battery life. For instance, if the beacon period is 100 ms and the DTIM value is set to 100, the access point transmits buffered broadcast and multicast frames once every 10 seconds, allowing the power-saving clients to sleep longer before they have to wake up and listen for broadcasts and multicasts, resulting in longer battery life.

Many applications cannot tolerate a long time between broadcast and multicast messages, resulting in poor protocol and application performance. We recommend a low DTIM value for 802.11a/n and 802.11b/g/n networks that support such clients.

Under DTIM Period, enter a value from 1 to 255 in the 802.11a/n and 802.11b/g/n fields. The default value is 1 (transmit broadcast and multicast frames after every beacon).

DHCP Server

Select the check box to override DHCP server,. Another field appears where you can enter the IP address of your DHCP server. For some WLAN configurations, this is required. Three valid configurations are as follows:

• DHCP Required and a valid DHCP server IP address—All WLAN clients obtain an IP address from the DHCP server.

• DHCP is not required and a valid DHCP server address—All WLAN clients obtain an IP address from the DHCP server or use a static IP address.

• DHCP not required and DHCP server IP address 0.0.0.0—All WLAN clients are forced to use a static IP address. All DHCP requests are dropped.

You cannot choose to require a DHCP address assignment and then enter a DHCP server IP address.

MFP Signature Generation

Select to enable signature generation for the 802.11 management frames transmitted by an access point associated with this WLAN. Signature generation makes sure that changes to the transmitted management frames by an intruder are detected and reported.

MFP Client Protection

Choose Enabled, Disabled, or Required for configuration of individual WLANs of a controller. If infrastructure MFP is not enabled, this drop-down list is unavailable.

DTIM Period

Enter a value from 1 to 255 beacon intervals. The controller sends a DTIM packet for this WLAN based on what is entered as an interval.

Local Client Profiling

Select to enable or disable profiling of all the clients that are associated with the WLAN.

PMIP Mobility

Choose the mobility type from the following options:

• None—Configures the WLAN with simple IP.

• Mixed—Configures the WLAN with simple IP and PMIPv6.

• PMIPv6—Configures the WLAN with only PMIPv6.

802.11u Configurations

802.11u General Parameters

802.11u Status

Select to enable 802.11u on the WLAN.

• From the drop-down list, in the HESSID field, enter the Homogenous Extended Service Set Identifier value. The HESSID is a 6-octet MAC address that identifies the homogeneous ESS.

Internet Access

Select to enable this WLAN to provide Internet services.

Network Type

Choose one of the following network types that best describes the 802.11u you want to configure on this WLAN:

• Private Network
• Private Network with Guest Access
• Chargeable Public Network
• Free Public Network
• Emergency Services Only Network
• Personal Device Network
• Test or Experimental
• Wildcard

Network Auth Type

Choose the authentication type that you want to configure for the 802.11u parameters on this network:

• Not configured
• Acceptance of Terms and Conditions
• Online Enrollment
• HTTP/HTTPS Redirection

IPv4 Address Type

Choose the IPv4 address type from the drop-down list.

IPv6 Address Type

Choose the IPv6 address type from the drop-down list.

Others

OUI List

Enter the following details:

• OUI name
• Is Beacon
• OUI Index

Select Add to add the OUI (Organizationally Unique Identifier) entry to this WLAN.

• In the group box,

Domain List

Enter the following details:

• Domain Name—The domain name operating in the 802.11 access network.
• Domain Index—Select the domain index from the drop-down list.

Select Add to add the domain entry to this WLAN.

OUI List

Enter the following details:

• Realm Name—The realm name.
• Realm Index—The realm index.

Select Add to add the domain entry to this WLAN.

Service Advertisements

MSAP

Select to enable service advertisements. If you enabled MSAP in the previous step, you must provide a server index. Enter the server index for this WLAN. The server index field uniquely identifies an MSAP server instance serving a venue that is reachable through the BSSID.

MSAP (Mobility Services Advertisement Protocol) is designed to be used primarily by mobile devices that are configured with a set of policies for establishing network services. These services are available for devices that offer higher-layer services, or network services that are enabled through service providers. Service advertisements use MSAP to provide services to mobile devices prior to association to a Wi-Fi access network. This information is conveyed in a service advertisement. A single-mode or dual-mode mobile device queries the network for service advertisements before association. The device's network discovery and the selection function may use the service advertisements in its decision to join the network.

Server Index

If you enabled MSAP, you must provide a server index. Enter the server index for this WLAN. The server index field uniquely identifies an MSAP server instance serving a venue that is reachable through the BSSID.

HotSpot 2.0

HotSpot2 Enable

Choose to enable HotSpot2.

Domain ID

Enter the Domain ID to be sent in hotspot2.0.

OSEN enable/Open wlan profile

Enter the WLAN profile Name.

WAN Link Status

Select the link status.

WAN Symmetric Link Status

The symmetric link status. For example, you can configure the uplink and downlink to have different speeds or same speeds.

Down Link Speed

The downlink speed. The maximum value is 4,194,304 kbps.

Up Link Speed

The uplink speed. The maximum value is 4,194,304 kbps.

Operator Name List

Specify the following:

• Operator Name—Specify the name of the 802.11 operator.
• Operator Index—Select an operator index. The range is from 1 to 32.
• Language Code—An ISO-14962-1997 encoded string defining the language. This string is a three character language code.

Select Add to add the operator details.

Port Config List

Specify the following:

• IP Protocol—The IP protocol that you want to enable. The following options are ESP, FTP, ICMP, and IKEV2.
• Port No—The port number that is enabled on this WLAN.
• Status—The status of the port.

Operator Sign Up List

In the Online Sign Up List group box, specify the following. Online Sign Up (OSU) is the process by which a mobile device registers with a Service Provider (SP), which enables you to select a plan to obtain network access and is provisioned with the credentials necessary to securely to connect to a network.

• OSU Index—The OSU Index uniquely identifies an instance of OSU server configuration.
• Select a value from the OSU Index drop-down list.
• Language—Language defined for the OSU index. The language code can be a minimum of 2 and maximum of 3 characters.
• SP Name—Enter the Service Provider (SP) name for the OSU index. The range for SP Name is 1 to 255 characters.
• Description—Enter the Service Provider (SP) description for the OSU index. The description can be a maximum of 255 characters.

Online Sign Up Icon Filename

Specify the following:

• OSU Index— You can add only those OSU index that have configured in the Online Sign Up List. The OSU Index uniquely identifies an instance of OSU server configuration. Select a value from the OSU Index drop-down list.
• Icon Name—The icon name is pre populated. You must download icon image from Configuration > Network > Network Devices, then select System > Commands path. Configure the icon configurations before downloading icons to Cisco WLC.
• From the Icon drop-down list, choose the downloaded icon name. You can download the icon from ftp or tftp server to the controller.

Online Sign Up Other Configurations

Specify the following:

• OSU Index—You can add only those OSU index which have been configured in the Online Sign Up List.
• Primary Method—The primary and secondary value should be different. The primary value represents the primary server method or the particular OSU index.
• Secondary Method—The secondary value represents the secondary server method for the particular OSU index.
• Uniform Resource Identifier (URI)—This represents the URI for the particular OSU index.
• Network Access Identifier (NAI) —This represents the NAI for the particular OSU index.

IKE Policies

Priority

Enter the priority value of the IKE proposal. The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common SA. If the remote IPsec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number.

The range is from 1 to 10000. The lower the number, the higher the priority.

Authentication

Choose one of the following options from the Authentication drop-down list:

• PRE_SHARE—Authentication will be performed using pre-shared keys.
• RSA_SIG—Authentication will be performed using digital signatures.

D-H Group

Choose the Diffie-Hellman (D-H) group used for driving a shared secret between two IPsec peers without transmitting it to each other. A large modulus provides higher security but requires more processing time. The two peers must have a matching modulus group. Choose one of the following options from Diffie-Hellman Group drop-down list:

• 1—Diffie-Hellman Group 1 (768-bit modulus).
• 2—Diffie-Hellman Group 2 (1024-bit modulus).
• 5—Diffie-Hellman Group 5 (1536-bit modulus; considered good protection for 128-bit keys).

Encryption

Choose one of the encryption algorithms from the Encryption drop-down list:

• AES-128—Encrypts according to the Advanced Encryption Standard (AES) using 128-bit keys.
• AES-192—Encrypts according to the AES using 192-bit keys.
• AES-256—Encrypts according to the AES using 256-bit keys.
• DES—Encrypts according to the Data Encryption Standard (DES) using 56-bit keys.
• 3DES—Encrypts three times using 56-bit keys. 3DES is more secure than DES but requires more processing for encryption and decryption. However, it is less secure than AES.

Hash

Choose the hash algorithm drop-down list. The hash algorithm creates a message digest that is used to ensure message integrity. The options are:

• SHA (Secure Hash Algorithm)—Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.
• MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses less processing time than SHA.

IKE lifetime

Enter the lifetime of the SA, in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers. As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPsec security associations can be set up more quickly than with shorter lifetimes.

The range is from 60 to 86400. The default value is 86400.

IKE Settings

Enable IKE

Select the Enable IKE check box to globally enable the IKE. (By default, the IKE is enabled.) You do not have to enable IKE for individual interfaces, but it can be enabled globally for all the interfaces in the router.

If you do not want to use the IKE for your IP Security (IPsec) implementation, you can disable the IKE for all your IPsec peers. If you disable the IKE for one peer, you must disable it for all the IPsec peers.

Enable Aggressive Mode

Select the Enable Aggressive Mode check box to enable the Internet Security Association and Key Management Protocol (ISAKMP) aggressive mode. If you disable the aggressive mode, all the aggressive mode requests to the device and all the aggressive mode requests made by the device will be blocked.

IKE Identity

Choose one option from the IKE identity drop-down list.

An ISAKMP identity is set whenever you specify pre-shared keys or RSA signature authentication. As a general rule, you should set all the peers' identities in the same way, either by IP address or by hostname. The options are:

• IP Address—Sets the ISAKMP identity to the IP address of the interface that is used to communicate to the remote peer during the IKE negotiations.
• DISTINGUISHED NAME—Sets the ISAKMP identity to the distinguished name (DN) of the router certificate.
• HOSTNAME—Sets the ISAKMP identity to the hostname concatenated with the domain name (for example, myhost.example.com).

Enable Dead Peer Detection (DPD)

Enable the gateway to send the Dead Peer Detection (DPD) messages to the peer. DPD is a keepalive scheme that allows the router to query the liveliness of its IKE peer.

Keepalive

Specify the number of seconds between the DPD messages in the DPD Keepalive field. The range is from 10 to 3600.

Retry

Specify the number of seconds between retries if the DPD messages fail during DPD Retry. The range is from 2 to 60.

Name

Enter a name for this IPsec profile. When you edit a profile, you cannot edit the name of the IPsec profile.

Description

Add a description for the IPsec profile that you are adding or editing.

Transform Sets

Enter the transform set name. The transform set (see Security > VPN Components > Transform Sets, page 2-87) encrypts the traffic on the tunnel.

IPSec SA Lifetime (secs)

Enter the IPSec SA Lifetime to establish a new SA after the set period of time elapses. Enter the time in seconds. The range is from 120 to 86400.

IP Address/Host Name

Enter the IP address or the hostname of the remote peer.

Subnet Mask

Enter the subnet mask.

Pre-shared Key/Confirm Pre-shared Key

Enter the pre-shared key, and reenter the key to confirm the pre-shared key.

Label

Enter the name for the key pair.

Modulus

Enter the key modulus value. If you want a modulus value from 512 to 1024, enter an integer value that is a multiple of 64. If you want a value higher than 1024, you can enter 1536 or 2048. If you enter a value greater than 512, key generation may take a minute or longer.

The modulus determines the size of the key. The larger the modulus, the more secure the key, but keys with large modulus take longer to generate, and encryption/decryption operations take longer with larger keys.

Type

Select the type of the RSA key to be generated. The options are:

• general-keys
• usages-keys
• encryption
• signature

Enable Exportable

Enable this field to generate RSA as an exportable key.

Name

Enter a name for the transform set.

ESP Encryption

Choose the ESP encryption algorithm used to encrypt the payload.

ESP Integrity

Choose the ESP integrity algorithm used to check the integrity of the payload.

AH Integrity

Choose the AH integrity from the drop-down list. The options are:

• AH with the MD5 (Message Digest 5) (a Hash-based Message Authentication Code [HMAC] variant) authentication algorithm.
• AH with the SHA (Secure Hash Algorithm) (an HMAC variant) authentication algorithm.

Compression

Enable or disable the IP compression with the Lempel-Ziv-Stac (LZS) algorithm.

Mode

Choose the mode from the drop-down list. The options are:

• Transport—Encrypt data only. Transport mode is used when both endpoints support IPsec. Transport mode places the authentication header or encapsulated security payload after the original IP header; thus, only the IP payload is encrypted. This method allows users to apply network services such as quality-of-service (QoS) controls to encrypted packets.
• Tunnel—Encrypt data and IP header. Tunnel mode provides stronger protection than transport mode. Because the entire IP packet is encapsulated within AH or ESP, a new IP header is attached, and the entire datagram can be encrypted. Tunnel mode allows network devices such as a router to act as an IPsec proxy for multiple VPN users; tunnel mode should be used in those configurations.

Name

(Optional) Enter a name for the policy rule.

Source Zone

Select the source zone from the list of interface roles. The source zone specifies the name of the interface from which the traffic is originating.

Destination Zone

Select the destination zone from the list of interface roles. The destination zone specifies the name of the interface to which the traffic is bound.

Source

Enter the source IP address of the inspected data. The valid parameters are:

• Any
• Other—If you select the Other option, you can choose a combination of IP address, Subnets, and Network Objects.

Destination

Enter the destination IP address of the inspected data. The valid parameters are:

• Any
• Other—If you select the Other option, you can choose a combination of IP address, Subnet, and Network Objects.

Service

Select the service of the inspected data from the object selector. The valid parameters are:

• L3/4 Applications
• ACL-Based Application: TCP, UDP, ICMP

Action

Choose an action to perform on the traffic when the rule matches the condition. The rule matches when:

• The traffic Source IP matches the Source Rule condition.
• The traffic Destination IP matches the Destination Rule condition and the traffic Inspected Service matches the Service Rule condition.

The action options are:

• Drop—Traffic that is handled by the drop action is silently dropped. The system does not send a notification to the end host.
• Drop and Log—Traffic that is handled by the drop and log action is dropped and a syslog notification is sent to the end host.
• Inspect—The inspect action offers state-based traffic control, the router maintains the connection or session information for TCP and UDP traffic.
• Pass—This action allows the router to forward the traffic from one zone to another.
• Pass and Log—This action allows the router to forward traffic from one zone to another while creating a syslog notification of the forwarded traffic.