Which WLC port is used for out-of-band management system recovery and initial boot functions and always connects to a switch port in access mode?

Cisco lightweight access points use the IETF standard Control and Provisioning of Wireless Access Points Protocol (CAPWAP) to communicate with the wireless controller and other lightweight access points on the network

Control and Provisioning of Wireless Access Points Protocol (CAPWAP): The Internet Engineering Task Force (IETF) standard Control and Provisioning of Wireless Access Points Protocol (CAPWAP) is the underlying protocol used in the Cisco Centralized WLAN Architecture (functional architecture of the Cisco Unified Wireless Network solution). CAPWAP provides the configuration and management of APs and WLANs in addition to encapsulation and forwarding of WLAN client traffic between an AP and a WLAN controller (WLC). CAPWAP is based on the Lightweight Access Point Protocol (LWAPP) but adds additional security with Datagram Transport Layer Security (DTLS). CAPWAP uses the User Datagram Protocol (UDP) and can operate either over Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6). CAPWAP encapsulates the data between LAP and WLC within new IP packets. The tunneled data is then switched or routed over a campus network.

CAPWAP control messages: CAPWAP carries the exchanges that are used to configure the AP and manage its operation. The control messages are authenticated and encrypted, so the AP is securely controlled only by the appropriate WLC, and are then transported over the control tunnel. Only the CAPWAP control tunnel is secured by default. Client data passes over the CAPWAP data tunnel, but that tunnel is only optionally encrypted. DHCP requests are client data and so are not encrypted by default. Finally, 802.11 beacons are sent over the air by the LAP, so they are neither encrypted nor transported by CAPWAP.

Because the network is built with a WLC and LAPs, CAPWAP tunnels are required. One CAPWAP tunnel connects each LAP to the WLC, for a total of 32 tunnels. CAPWAP encapsulates wireless traffic inside an additional IP header, so the tunnel packets are routable across a Layer 3 network. That means the LAPs and the WLC can reside on any IP subnets as long as those subnets are reachable from each other; there is no requirement for the LAPs and the WLC to lie on the same Layer 2 VLAN or Layer 3 IP subnet. A lightweight AP in local mode needs only an access link with a single VLAN; everything else is carried over the CAPWAP tunnel to the WLC.
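The two paragraphs above make a point a defender can check on the wire: the control tunnel (UDP 5246) is DTLS-protected after discovery, while the data tunnel (UDP 5247) is encrypted only if that option is enabled. The following Python is an added example, not code from the page or from Cisco, that decodes the CAPWAP preamble and fixed header as defined in RFC 5415 and flags datagrams whose protection does not match that design. The sample datagrams are constructed for the example (the UDP port numbers, preamble types and message-type values come from RFC 5415; the packet bytes are not from a real capture).

```python
"""Classify CAPWAP datagrams by tunnel and check whether they are DTLS-protected.

Header layout follows RFC 5415 (CAPWAP): byte 0 is the preamble (version in the
high nibble, type in the low nibble; type 0 = plain CAPWAP header, type 1 = CAPWAP
DTLS header). UDP port 5246 carries the control tunnel, 5247 the data tunnel.
All datagrams below are constructed for this example, not captured from a WLC.
"""
import struct
from typing import List, Optional, Tuple

CAPWAP_CONTROL_PORT = 5246
CAPWAP_DATA_PORT = 5247

# Control message types that RFC 5415 sends before a DTLS session exists,
# so they legitimately appear unencrypted on the control port.
DISCOVERY_REQUEST = 1
DISCOVERY_RESPONSE = 2


def parse_capwap(payload: bytes) -> dict:
    """Decode the CAPWAP preamble and, for a plain header, the fixed 8-byte header."""
    if len(payload) < 4:
        raise ValueError("datagram too short for a CAPWAP preamble")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        raise ValueError(f"unsupported CAPWAP version {version}")
    if ptype == 1:
        # DTLS preamble is 4 bytes (preamble + 3 reserved); the DTLS record follows.
        return {"encapsulation": "dtls", "dtls_record": payload[4:]}
    if ptype != 0:
        raise ValueError(f"unknown CAPWAP preamble type {ptype}")
    if len(payload) < 8:
        raise ValueError("datagram too short for a CAPWAP header")
    # Bytes 1-3: HLEN(5) RID(5) WBID(5) T F L W M K (1 bit each) Flags(3).
    bits = int.from_bytes(payload[1:4], "big")
    hdr = {
        "encapsulation": "plain",
        "hlen": (bits >> 19) * 4,              # HLEN is counted in 4-byte words
        "rid": (bits >> 14) & 0x1F,
        "wbid": (bits >> 9) & 0x1F,            # 1 = IEEE 802.11
        "native_frame": bool((bits >> 8) & 1),  # T bit: payload is a native 802.11 frame
        "fragment": bool((bits >> 7) & 1),      # F bit
    }
    hdr["fragment_id"], frag = struct.unpack("!HH", payload[4:8])
    hdr["fragment_offset"] = frag >> 3          # 13-bit offset, 3 reserved bits
    hdr["body"] = payload[hdr["hlen"]:]
    return hdr


def control_message_type(body: bytes) -> int:
    """Message Type is the first 32-bit field of the control header (RFC 5415 4.5.1)."""
    if len(body) < 8:
        raise ValueError("control header truncated")
    return struct.unpack("!I", body[:4])[0]


def audit_datagram(dst_port: int, payload: bytes) -> Optional[str]:
    """Return a finding for a datagram that is less protected than the CAPWAP
    design expects, or None when it looks as it should."""
    hdr = parse_capwap(payload)
    if hdr["encapsulation"] == "dtls":
        return None
    if dst_port == CAPWAP_DATA_PORT:
        return "plaintext CAPWAP data tunnel: client traffic is not DTLS-protected"
    if dst_port == CAPWAP_CONTROL_PORT:
        mtype = control_message_type(hdr["body"])
        if mtype in (DISCOVERY_REQUEST, DISCOVERY_RESPONSE):
            return None  # discovery runs before DTLS is established
        return f"unencrypted CAPWAP control message (type {mtype}) on control port"
    return None


def build_plain_header(wbid: int = 1, native: bool = True, hlen_words: int = 2) -> bytes:
    """Build an unfragmented 8-byte plain CAPWAP header (constructed test data)."""
    bits = (hlen_words << 19) | (wbid << 9) | (int(native) << 8)
    return bytes([0x00]) + bits.to_bytes(3, "big") + struct.pack("!HH", 0, 0)


# Constructed sample datagrams: (UDP destination port, UDP payload).
SAMPLES: List[Tuple[int, bytes]] = [
    # DTLS-protected control message: DTLS preamble, then a DTLS 1.2 application-data record.
    (CAPWAP_CONTROL_PORT, b"\x01\x00\x00\x00" + b"\x17\xfe\xfd" + b"\x00" * 13),
    # Discovery Request in the clear, which the protocol allows before DTLS is up.
    (CAPWAP_CONTROL_PORT, build_plain_header(native=False)
                          + struct.pack("!IBHB", DISCOVERY_REQUEST, 0, 0, 0)),
    # Configuration Status Request (type 5) in the clear: should not happen after join.
    (CAPWAP_CONTROL_PORT, build_plain_header(native=False) + struct.pack("!IBHB", 5, 1, 0, 0)),
    # Plain data tunnel carrying an 802.11 data frame: the optional data DTLS is off.
    (CAPWAP_DATA_PORT, build_plain_header() + b"\x08\x02" + b"\x00" * 22),
]


def audit(samples: List[Tuple[int, bytes]]) -> List[Tuple[int, str]]:
    """Run audit_datagram over a list of datagrams; returns (index, finding) pairs."""
    findings = []
    for i, (port, payload) in enumerate(samples):
        finding = audit_datagram(port, payload)
        if finding:
            findings.append((i, finding))
    return findings


if __name__ == "__main__":
    for index, finding in audit(SAMPLES):
        print(f"datagram {index}: {finding}")
```

In a real deployment the same logic would be fed from a capture taken on the switch port facing the WLC or the AP; a finding on the data tunnel simply tells you the optional data-channel DTLS described above is not in use, which is the default on the page's description, while a plaintext control message after discovery is worth investigating.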

Wireless Controller ports: Wireless controller ports are the physical connections from the controller to the switched network infrastructure. The following are the most important physical ports on a controller.

Service Port (SP): Used for initial boot functions, system recovery and out-of-band management. To configure the controller through the GUI, connect your computer to the service port.

Redundancy Port (RP): This port is used to connect another controller for redundant operations.

Distribution Ports: These ports carry all access point and management traffic. A distribution port connects to a switch port in trunk mode. 4400 series controllers have four distribution ports and 5500 series controllers have eight distribution ports.

Console port: Used for out-of-band management, system recovery and initial boot functions.

Link Aggregation Group (LAG): Controllers use a link aggregation group (LAG) to bundle ports together. It is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller's distribution system ports into a single 802.3ad port channel, thereby reducing the number of IP addresses needed to configure the ports on the controller. A LAG multiplies the bandwidth, increases port flexibility, and provides link redundancy between two devices. Link Aggregation Control Protocol (LACP) is part of the IEEE specification (802.3az) and controls the bundling of several physical ports into a single logical channel (LAG).

WLC Interfaces: Cisco wireless controllers provide the necessary connectivity through internal logical interfaces, which must be configured with an IP address, subnet mask, default gateway, and a Dynamic Host Configuration Protocol (DHCP) server. Each interface is then assigned to a physical port and a VLAN ID.

Perle Systems White Paper

Remote IT Infrastructure Management

What is Out-of-Band Management (OOBM)?

While In-Band Management is the ability to administer a network via the LAN, Out-of-Band Management is a solution that provides a secure dedicated alternate access method into an IT network infrastructure to administer connected devices and IT assets without using the corporate LAN.

The primary benefit of an out-of-band management interface is its availability when the network is down, a device is turned off, in sleep mode, hibernating, or otherwise inaccessible. OOBM can be used to remotely reboot devices that have crashed and manage powered-down devices. The core idea is to preserve 24/7 uptime of your network by ensuring you always have access to critical IT assets like routers, switches, firewalls, servers, power, storage, and telecom appliances that operate the organizations' backbone communication framework.

When a Network Administrator needs to monitor, manage, troubleshoot, or reboot critical IT assets, they will generally access the devices directly over an Ethernet network. However, when 24/7 uptime is expected, this single point of access is not enough. When IT assets are in off-site locations or controlled server rooms, or the network administrator is in a different location, they need a secure way to remotely access the USB, RS232/422/485, or Ethernet console management port of every device on the network.

In today's world, organizations find it impossible to work without access to their network computers and enterprise-wide systems. The ability to monitor and manage these networks and keep them up and running is pivotal to their business. The responsibility to ensure that organizations have faultless access to their systems is placed on Network Administrators. They must ensure that servers supplying mission-critical applications are functioning and that the entire network connecting the data to a multitude of users remains functional. When networks crash, so do productivity and profits. And, the longer a network is down, the greater the impact on the enterprise.

Is Out-of-Band Management a software or hardware solution?

Software management tools can be used for performance monitoring and some remote troubleshooting, but they only work when the network is up. During system or network outages, a Console Server is a single hardware solution that provides secure OOBM to monitor IT assets and devices from multiple vendors. The Console Server gives administrators access to multiple USB, RS232, or Ethernet console management ports from anywhere, at any time, and from any platform, as if they were locally connected through a direct connection. It can be used to reconfigure, reboot, and reimage devices remotely across the internet or WANs. Disruption and downtime are minimized by providing better visibility of the physical environment and the physical status of equipment. This ensures business continuity through improved uptime and efficiencies.

What alternate access methods do Console Servers provide?

A Console Server will generally provide one, or more, of the following access methods.

  1. Redundant copper and fiber Ethernet network access. Any dual combination of 10/100/1000Base-T Copper Ports and 100/1000Base-X SFP Fiber Ports can be used to meet unique network access requirements. This design provides users with a flexible, cost-effective solution to transmit data from mission-critical equipment over Copper or Fiber-based Ethernet networks.
  2. Built-in high-speed LTE with HSPA+, UMTS, EDGE, and GPRS/GSM fallback networks to protect against wired LAN failure. It can also be used to transmit serial data or establish a direct serial to serial peer connection, over cellular networks. This is ideal when devices are located where hardwired Ethernet connections are not available but cellular networks, with their affordable data packages, are accessible.
  3. Built-in WiFi network access over dual-band radio antennas for optimal wireless performance, signal reliability, and range.
  4. Integrated V.92 modem connection for a secure and reliable out-of-band connection over the POTS network.

For optimal uptime, it is best to choose a Console Server with multiple access methods, fail-over to OOBM, and fail-back to the primary network.

How secure is using a Console Server for Out-of-Band Management?

While device management through the out-of-band management connection can be done via a network connection, it is physically separate from the "in-band" network connection that the system is serving. Unauthorized users do not have access to the out-of-band network channel because there is no connection to it from the regular network channel, making it very secure. It is best practice to choose a Console Server that offers high-level security features for secure access to critical network devices. Considerations include:

  • Strong authentication schemes such as RADIUS, TACACS+, LDAP, Kerberos, NIS, and RSA to comply with existing network security policies
  • Built-in usernames and passwords and support for encryption protocols such as SSH, SSL/TLS, IPSec VPN, SNMPv3, Telnet, and HTTPS for secure management sessions
  • Packet filtering to ensure the Console Server can be kept secure from unauthorized access
  • Support for SLIP and PPP for remote user dial-in

What about the cost?

Using a Console Server for out-of-band management leads to cost reduction. Numerous studies can be found that show the average annual downtime cost to an organization can be more than $1 million. Depending on the size of your organization, downtime costs can range anywhere from $10,000 to $5M per hour.

Console Servers maximize system administrators' productivity. A single interface provides them with simultaneous connectivity to multiple appliances and system consoles from any location. Most Console Servers offer Port Buffers of varying sizes to ensure data from the attached devices is not lost. Without Port Buffers, any data sent from a device, while an administrator is not attached, is lost. With Port Buffers this data is captured and can be viewed later to aid in problem diagnosis. Cost savings come from:

  1. The ability to continually support sales and payment transactions.
  2. Saving administrators' valuable time and costs.
  3. Minimizing expensive training.
  4. Reduced HR and travel costs.

Why Choose a Perle Console Server for Out-of-Band Management?

  • Up to 50 Console Management Ports that support RS232 RJ45, Ethernet RJ45, and USB 3.0 interfaces
  • Dual 10/100/1000 Ethernet connection for always-on redundant copper and SFP 1G/2.5G fiber network access with automatic failover when a primary link goes down
  • Optionally integrated LTE Cellular (with failback support), WiFi, or V.92 modem for multiple alternate access methods when the network is down
  • Perle's cloud-based Centralized Management Solution puts all your network and IT infrastructure into a single application and provides secure reliable access and visibility during normal operations and critical network failures. Scalable to suit any business requirement, Cloud Centralized Management reduces human error and guarantees repeatability.
  • Support for all AAA security services used in corporate networks, including TACACS+, RADIUS, LDAP, Kerberos, NIS, and RSA. And, to further protect IDs and passwords from someone 'snooping' on the network, SSH/SSL/TLS, IPSec VPN, SNMPv3, Telnet, and HTTPS secure management sessions are supported.
  • Straight cabling to Cisco switches, routers and firewalls saves time and money during installation.
  • Perle Console Servers are made from certified components with high MTBF rates that can withstand the harshest environments. An open-source platform and enterprise-grade security ensure you have the best value in one box. Also, we provide the best-in-class Lifetime Warranty.
  • Full IPv4/IPv6 routing capabilities with support for RIP, OSPF, and BGP protocols

What do users like about Perle IOLAN Console Servers?

"It is so easy to mix and match the USB 3.0 and RS232 RJ45 interface modules to have the right ports I need to manage all of my equipment."

"Finally, a Console Server that allows me to use straight-through patch cables to Cisco equipment! No more adapters, dongles, or special cables cluttering up my racks."

"Perle's built-in Clustering Software gives me everything I need for centralized management with no annual license fee and no additional hardware."

"No matter where I install a Perle IOLAN, I know it will have the right AAA security and encryption protocols to meet the corporate compliance policies."

"I love the Front-Panel Display and Keyboard. With a quick IP address set-up, the unit is up and running. It is also a convenient way to monitor and trouble-shoot the RS232, USB, Ethernet and dual power supply activity."

"Perle's IOLAN SCG is the perfect solution for support staff that need always-on remote OOB access to their core network devices. The appliance is easy to manage, its modular design makes it very flexible and its tough security measures allow access to be strictly controlled." Dave Mitchell of Binary Testing.
