Interoperability Report - Ascom i62 – IOS XE, AP
1140/1250/1260/1600/2600/2700/3500/3600/3700. 1 2016-05-19
INTEROPERABILITY REPORT
Ascom i62
Cisco 3650/3850/5760
AP1140/1250/1260/1600/1700/2600/2700/3500/3600/3700
Cisco IOS XE version 03.07.03
Ascom i62 and OEM derivatives version 5.5.0
Ascom, Gothenburg
May 2016
TABLE OF CONTENT:

INTRODUCTION
  About Ascom
  About Cisco
SITE INFORMATION
SUMMARY AND TEST RESULTS
  Known issues
  Compatibility information
  General conclusion
APPENDIX A: TEST CONFIGURATIONS
  Cisco Catalyst 3850 version 03.07.03
  Security settings (PSK)
  802.1X authentication (PEAP-MSCHAPv2, EAP-FAST or EAP-TLS)
  WLAN Settings (QoS, DTIM, Session Timeout)
  Radio Settings
  Ascom i62
  Innovaphone IP6000 (IP PBX)
APPENDIX B: DETAILED TEST RECORDS
INTRODUCTION

This document describes the steps and guidelines necessary to optimally configure the Cisco IOS XE platform with Ascom i62 VoWiFi handsets.

The guide should be used in conjunction with both Cisco's and Ascom's configuration guide(s).

About Ascom
Ascom Wireless Solutions (www.ascom.com/ws) is a leading
provider of on-site wireless communications for key segments such
as hospitals, manufacturing industries, retail and hotels. More
than 75,000 systems are installed at major companies all over the
world. The company offers a broad range of voice and professional
messaging solutions, creating value for customers by supporting and
optimizing their Mission-Critical processes. The solutions are
based on VoWiFi, IP-DECT, DECT, Nurse Call and paging technologies,
smartly integrated into existing enterprise systems. The company
has subsidiaries in 10 countries and 1,200 employees worldwide.
Founded in the 1950s and based in Göteborg, Sweden, Ascom Wireless
Solutions is part of the Ascom Group, listed on the Swiss Stock
Exchange.

About Cisco

Cisco (NASDAQ: CSCO) is the worldwide leader in IT that helps companies seize the opportunities of tomorrow by proving that amazing things can happen when you connect the previously unconnected. For ongoing news, please go to http://thenetwork.cisco.com.

SITE INFORMATION

Test Site:
Ascom US
598 Airport Blvd, Suite 300
Morrisville, NC, US-27560
USA

Participants:
Karl-Magnus Olsson, Ascom HQ, Gothenburg, Sweden

TEST TOPOLOGY

SUMMARY AND TEST RESULTS

Please refer to Appendix B for detailed results.

WLAN Controller Features

High Level Functionality | Result
Association, Open with No Encryption | OK
Association, WPA2-PSK, AES Encryption | OK
Association, PEAP-MSCHAPv2 Auth., AES Encryption | OK
Association with EAP-FAST authentication | OK
Association, EAP-TLS | OK
Association, Multiple ESSIDs | OK
Beacon Interval and DTIM Period | OK
PMKSA Caching | OK*
WPA2-opportunistic/proactive Key Caching | OK*
WMM Prioritization | OK
Active Mode (load test) | OK
802.11 Power-save mode | OK
802.11e U-APSD | OK
802.11e U-APSD (load test) | OK

*) Enabled by default

Roaming

High Level Functionality | Result
Roaming, Open with No Encryption | OK (typical roaming time 25ms) *
Roaming, WPA2-PSK, AES Encryption | OK (typical roaming time 56ms) *
Roaming, PEAP-MSCHAPv2 Auth, AES Encryption | OK (typical roaming time 65ms) */**
Roaming, EAP-FAST, CCKM | OK (typical roaming time 38ms) *

*) Average roaming times are measured using 802.11a/n. Refer to Appendix B for detailed test results.
**) Measured times are with opportunistic/proactive Key Caching enabled (default enabled).

Known issues

- Important. It is essential to follow the “General guidelines when deploying Ascom i62 handsets in 802.11a/n/ac environments” on page 16 and not exceed 8 enabled channels in the system. Not doing so might cause the Ascom i62 to randomly lose connection to the network for a few seconds (“no network” including audible signal).

For additional information regarding known issues, please contact [email protected] or [email protected]

Compatibility information

Supported access points with Cisco IOS XE 03.07.03:
AP1140, AP1250, AP1260, AP1600, AP1700, AP2600, AP2700, AP3500, AP3600, AP3700

Supported controller platforms with Cisco IOS XE 03.07.03:
Cisco Catalyst integrated switch 3650 and 3850
Cisco Wireless LAN Controller 5760

General conclusion

Overall, the outcome of the interoperability verification, including association, authentication and roaming, produced very good results.

APPENDIX A: TEST CONFIGURATIONS

Cisco Catalyst 3850 version 03.07.03

In the following chapter you will find screenshots and explanations of basic settings in order to get a Cisco IOS XE based WLAN system to operate with an Ascom i62.

System overview.

Security settings (PSK)

Example of how to configure the system for PSK (WPA2-AES)

Security profile WPA2-PSK, AES encryption
- Select PSK and enter a key (here in ASCII format)

3850(config-wlan)#security wpa wpa2
3850(config-wlan)#security wpa wpa2 ciphers aes
3850(config-wlan)#security wpa akm psk set-key ascii 0 SecretKey

802.1X authentication (PEAP-MSCHAPv2, EAP-FAST or EAP-TLS)

Example of how to configure the system for .1X authentication

Configuration of authentication using an external RADIUS server, 802.1X (Step 1). In this example WPA2-AES/CCMP is used.

Note. To use CCKM, replace 802.1X with CCKM in the drop down list. The “security mode” in the i62 has to be set to “Advanced” and CCKM has to be selected as “Authentication Key Management” instead of the default 802.1X.

Example of authentication configuration using an external RADIUS server (Step 2). Select the server group to use. The server is configured under tab Security/RADIUS. See configuration of server in next step.

Configuration of authentication using an external RADIUS server (Step 3). The IP address and the secret must correspond to the IP and the credential used by the RADIUS server. All tests involving dot1X security used Cisco ACS version 5.5.

Create a RADIUS server group. Make sure your RADIUS server from step 3 is selected as an Assigned Server.

Create RADIUS server (Intop_ACS)
3850(config)#radius server Intop_ACS
3850(config-radius-server)#address ipv4 192.168.0.31 auth-port 1812 acct-port 1813
3850(config-radius-server)#key YourKey

Create RADIUS server Group (Intop) and assign your RADIUS server (Intop_ACS)
3850(config)#aaa group server radius Intop
3850(config-sg-radius)#server name Intop_ACS

Enable dot1X
3850(config)#dot1x system-auth-control

Configure WLAN
3850(config-wlan)#security wpa wpa2 ciphers aes
3850(config-wlan)#security dot1x authentication-list Intop
3850(config-wlan)#security wpa akm dot1x

To use CCKM, replace 802.1X with CCKM in the drop down list (step 1). The “security mode” in the i62 has to be set to “Advanced” and CCKM has to be selected as “Authentication Key Management” instead of the default 802.1X.
3850(config-wlan)#security wpa akm CCKM

WLAN Settings (QoS, DTIM, Session Timeout)

Disable Coverage Hole Detection. Disable Session Timeout. Enable Aironet IE.

Configure DTIM 5. A DTIM value of 5 is recommended in order to allow maximum battery conservation without impacting the quality. Using a lower DTIM value is possible but will reduce the standby time slightly.
3850(config-wlan)#dtim dot11 24ghz 5
3850(config-wlan)#dtim dot11 5ghz 5

Make sure session timeout and Coverage Hole Detection are disabled
3850(config-wlan)#no session-timeout
3850(config-wlan)#no chd

Recommended WMM and QoS settings
3850(config-wlan)#wmm require
3850(config-wlan)#service-policy input platinum-up
3850(config-wlan)#service-policy output platinum
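
Added example (not part of the Ascom report or of any Cisco tool): a Python check that reads the `wlan` stanzas of a saved running configuration and lists where each one deviates from the WLAN settings recommended in this section. The sample stanza names and key are constructed; treating a stanza without a `session-timeout` line as compliant, and reading the `0` after `ascii` as a clear-text key, are assumptions of the example.

```python
import re

# Per-WLAN lines recommended in "WLAN Settings (QoS, DTIM, Session Timeout)".
REQUIRED_LINES = (
    "no chd",
    "dtim dot11 24ghz 5",
    "dtim dot11 5ghz 5",
    "wmm require",
    "service-policy input platinum-up",
    "service-policy output platinum",
)

WLAN_HEADER = re.compile(r"^wlan (\S+) (\d+) (\S+)\s*$")
SESSION_TIMEOUT = re.compile(r"^session-timeout (\d+)$")
PSK_LINE = re.compile(r"^security wpa akm psk set-key (ascii|hex) (\d) \S+$")

# Constructed sample, laid out like the wlan stanzas of a running config.
SAMPLE_CONFIG = """\
wlan Voice-PSK 1 Voice-PSK
 no chd
 dtim dot11 24ghz 5
 dtim dot11 5ghz 5
 no security wpa akm dot1x
 security wpa akm psk set-key ascii 0 ExampleKey
 service-policy input platinum-up
 service-policy output platinum
 wmm require
 no shutdown
wlan Voice-Dot1x 2 Voice-Dot1x
 dtim dot11 24ghz 5
 dtim dot11 5ghz 5
 security dot1x authentication-list Intop
 service-policy input platinum-up
 service-policy output platinum
 session-timeout 60000
 wmm require
 no shutdown
ap country US
"""


def parse_wlans(config_text):
    """Return {profile_name: [sub-commands]} for every wlan stanza."""
    wlans, current = {}, None
    for raw in config_text.splitlines():
        header = WLAN_HEADER.match(raw)
        if header:
            current = wlans.setdefault(header.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())  # indented line belongs to the stanza
        else:
            current = None  # any other top-level line ends the stanza
    return wlans


def audit_wlan(commands):
    """Compare one stanza's sub-commands with the recommended settings."""
    findings = [f"missing: {line}" for line in REQUIRED_LINES if line not in commands]
    for cmd in commands:
        timeout = SESSION_TIMEOUT.match(cmd)
        if timeout and int(timeout.group(1)) != 0:
            findings.append(f"session-timeout set to {timeout.group(1)}")
        psk = PSK_LINE.match(cmd)
        if psk and psk.group(2) == "0":
            # Assumption: type 0 means the key is kept in clear text.
            findings.append("PSK stored in clear text (set-key type 0)")
    if "no security wpa" in commands:
        findings.append("open WLAN: WPA disabled")
    return findings


def audit_config(config_text):
    """Audit every wlan stanza; an empty list means no deviation found."""
    return {name: audit_wlan(cmds) for name, cmds in parse_wlans(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or "OK")
```
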

Radio Settings

Ascom recommended settings for 802.11b/g/n are to only use channels 1, 6 and 11. For 802.11a/n/ac use channels according to the infrastructure manufacturer and country regulations. Note that channel and power level were set manually for test purposes.
3850#ap name dot11 { 24ghz | 5ghz }
3850#ap name dot11 { 24ghz | 5ghz } txpower { auto | }

General guidelines when deploying Ascom i62 handsets in 802.11a/n/ac environments:
1. Enabling more than 8 channels will degrade roaming performance. Ascom recommends against going above this limit.
2. Using 40 MHz channels (or “channel-bonding”) will reduce the number of non-DFS* channels to two in ETSI regions (Europe). In FCC regions (North America), 40MHz is a more viable option because of the availability of additional non-DFS channels. The handset can co-exist with 40MHz stations in the same ESS.
3. Ascom does support and can coexist in 80MHz channel bonding environments. The recommendation is, however, to avoid 80MHz channel bonding as it severely reduces the number of available non-overlapping channels.
4. Make sure that all non-DFS channels are taken before resorting to DFS channels. The handset can cope in mixed non-DFS and DFS environments; however, due to “unpredictability” introduced by radar detection protocols, voice quality may become distorted and roaming delayed. Hence Ascom recommends, if possible, avoiding the use of DFS channels in VoWiFi deployments.

The default data rate set will work just fine; however, Ascom recommends disabling the lowest speeds and having 12Mbps as the lowest supported speed. To further optimize performance it is recommended to disallow 802.11b clients from associating by setting the 12Mbps rate to mandatory in the 802.11g/n configuration.
3850(config)#ap dot11 24ghz rate RATE_1M disable
3850(config)#ap dot11 24ghz rate RATE_2M disable
3850(config)#ap dot11 24ghz rate RATE_5_5M disable
3850(config)#ap dot11 24ghz rate RATE_6M disable
3850(config)#ap dot11 24ghz rate RATE_9M disable
3850(config)#ap dot11 24ghz rate RATE_11M disable
3850(config)#ap dot11 24ghz rate RATE_12M mandatory

Ascom does support usage of both 40MHz and “11ac Mode” including 80MHz channels.

Ascom recommends “EDCA Profile”: Voice Optimized
3850(config)#ap dot11 24ghz edca-parameters optimized-voice
3850(config)#ap dot11 5ghz edca-parameters optimized-voice

Note. Using EDCA Profile “WMM” is possible, but “Voice Optimized” is preferred when voice clients are present in the system.

Cisco Configuration file

See attached file (Running config.log) for complete Cisco WLC configuration.

Ascom i62

Network settings for WPA2-PSK

Note. Make sure that the enabled channels in the i62 handset match the channel plan used in the system.
Note. FCC is no longer allowing 802.11d to determine regulatory domain. Devices deployed in USA must set Regulatory domain to “USA”.

Network settings for .1X authentication (PEAP-MSCHAPv2)

Note. Make sure that the enabled channels in the i62 handset match the channel plan used in the system.
Note. FCC is no longer allowing 802.11d to determine regulatory domain. Devices deployed in USA must set Regulatory domain to “USA”.

Network settings for EAP-FAST utilizing CCKM as key management.

Note. Make sure that the enabled channels in the i62 handset match the channel plan used in the system.
Note. FCC is no longer allowing 802.11d to determine regulatory domain. Devices deployed in USA must set Regulatory domain to “USA”.

802.1X authentication requires a CA certificate to be uploaded to the phone by “right clicking” -> Edit certificates. EAP-TLS requires both a CA certificate and a client certificate; otherwise only a CA certificate is needed. Server certificate validation can be overridden in version 4.1.12 and above per handset setting.

Innovaphone IP6000 (IP PBX)

The Innovaphone IP6000 was configured with a static IP address of 192.168.0.50. Signaling is less relevant here since testing homes in on interoperability in relation to the WLAN infrastructure and not features of the IP PBX. During the tests the IP6000 also was used as DHCP server.

IP6000 configuration: See attached file (complete-IP6000-08-03-a6.txt) for IP6000 configuration.

APPENDIX B: DETAILED TEST RECORDS

VoWIFI
Pass | 22
Fail | 0
Comments | 0
Untested | 1
Total | 23

See attached document (WLANinteroperabilityTestReport_X.xls) for detailed test results.

Please refer to the test specification for WLAN systems on Ascom’s interoperability web page for explicit information regarding each test case. See URL (requires login):
https://www.ascom-ws.com/AscomPartnerWeb/en/startpage/Sales-tools/Interoperability

Document History

Rev | Date | Author | Description
P1 | 2016-02-08 | SEKMO | IOS XE v 03.07.03 first draft
R1 | 2016-05-18 | SEKMO | Revision R1

WLAN TR

WLAN Interoperability Test Report

Test object - Handset:
Ascom i62 5.5.0

Test object - WLAN system:
Cisco 3850 version 03.07.03
AP 1700, 3600, 3500 and 3700

WLAN configuration:
Beacon Interval: 100ms
DTIM Interval: 5
802.11d Regulatory Domain: World
WMM Enabled (Auto/WMM)
No Auto-tune
Single Voice VLAN

Verdict values: PASS, FAIL, NOT TESTED, See Comment

Test Case | Description | AP3700 2.4GHz | AP3700 5.0GHz | AP1700 2.4GHz | AP1700 5.0GHz | AP3600 2.4GHz | AP3600 5.0GHz | AP3500 2.4GHz | AP3500 5.0GHz | Comment

TEST AREA ASSOCIATION / AUTHENTICATION
#101 | Association with open authentication, no encryption | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS |
#107 | Association with WPA2-PSK authentication, AES-CCMP encryption | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS |
#110 | Association with PEAP-MSCHAPv2 auth, AES-CCMP encryption | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | Cisco ACS RADIUS server; RootCA loaded to device; Handset authenticates twice
#111 | Association with EAP-FAST authentication | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | Cisco ACS RADIUS server;
#116 | Association with EAP-TLS authentication | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | Cisco ACS RADIUS server; RootCA and clients certificate loaded to device; Handset authenticates twice

TEST AREA POWER-SAVE AND QOS
#150 | 802.11 Power-save mode | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS |
#151 | Beacon period and DTIM interval | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | DTIM 1, 3, 5, Beacon Period 100tu
#152 | 802.11e U-APSD | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS |
#202 | WMM prioritization | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | iperf used to generate background load.

TEST AREA "PERFORMANCE"
#308 | Power-save mode U-APSD – WPA2-PSK | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | 14hs ok on one single radio. Note that 12 was not the limit.
#310 | CAC - TSPEC | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS |

TEST AREA ROAMING AND HANDOVER TIMES
#401 | Handover with open authentication and no encryption | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | AVG roaming time 11an: 25ms, bgn: 33ms (No significant difference seen in roaming times between different AP models)
#404 | Handover with WPA2-PSK auth and AES-CCMP encryption | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | AVG roaming time 11an: 56ms, bgn: 57ms (No significant difference seen in roaming times between different AP models)
#408 | Handover with PEAP-MSCHAPv2 authentication and AES-CCMP encryption | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | AVG roaming time 11an: 65ms, bgn: 56ms (No significant difference seen in roaming times between different AP models)
#409 | Handover with EAP-FAST authentication with CCKM | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | AVG roaming time 11an: 38ms, bgn: 43ms (No significant difference seen in roaming times between different AP models)
#411 | Handover using PMKSA and opportunistic/proactive key caching | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS |

TEST AREA BATTERY LIFETIME
#501 | Battery lifetime in idle | PASS | PASS | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | 80-90 hours. DTIM 5. Non-DFS channels only
#504 | Battery lifetime in call with power save mode U-APSD | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | 12-14h

TEST AREA STABILITY
#602 | Duration of call – U-APSD mode | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | 24h

TEST AREA 802.11n
#801 | Frame aggregation A-MSDU | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED | NOT TESTED |
#802 | Frame aggregation A-MPDU | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS | Uplink and downlink. Except UP 5 and 6 per Cisco default setting
#804 | 40MHz channels | NOT TESTED | PASS | NOT TESTED | PASS | NOT TESTED | PASS | NOT TESTED | PASS | only 20MHz channel width tested on 2.4GHz band
#805 | 802.11n rates | PASS | PASS | PASS | PASS | PASS | PASS | PASS | PASS |

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.02.09 10:53:07 =~=~=~=~=~=~=~=~=~=~=~=
Building configuration...

Current configuration : 13017 bytes
!
! Last configuration change at 16:20:54 UTC Mon Feb 8 2016 by admin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname KMO-3850
!
boot-start-marker
boot system switch all flash:packages.conf
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging console emergencies
enable secret 4 /LiUDKl222VXr5BVzYJsZZoMVnMDY807K69ZWa76z6M
!
username admin2 privilege 15 secret 5 $1$5vhz$LiMKqACk4HcURHldKNVJA1
username admin privilege 15 password 0 changeme
user-name testuser
 creation-time 1411674251
 privilege 15
 password 0 testpw
 type network-user description testuser
aaa new-model
!
aaa user profile testuser
!
aaa group server radius Intop
 server name Intop
!
aaa group server radius Intop_ACS
 server name Intop_ACS
 server name Intop
!
aaa authentication dot1x default local
aaa authentication dot1x Intop group Intop_ACS
aaa authentication dot1x authen_list local
aaa authorization network default group radius
aaa authorization credential-download author_list local
aaa accounting update periodic 15
aaa local authentication authen_list authorization author_list
!
!
!
!
!
aaa server radius dynamic-author
 client 192.168.0.93 server-key secret
 client 192.168.0.31 server-key secret
 auth-type any
!
aaa session-id common
clock timezone UTC -5 0
clock summer-time UTC recurring
switch 1 provision ws-c3850-24p
eap profile localeap
 description localeap
 method fast profile localeap
 method peap
!
eap method fast profile localeap
 description localeap
 no client-cert-required
 no local-cert-required
 local-key 0 test
!
!
!
!
!
!
!
ip dhcp snooping vlan 1
ip dhcp snooping wireless bootp-broadcast enable
ip dhcp snooping
!
!
qos queue-softmax-multiplier 100
access-session mac-move deny
central-management-version 13882345980218572806
!
flow monitor wireless-avc-basic
 record wireless avc basic
!
!
crypto pki trustpoint TP-self-signed-2002586361
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2002586361
 revocation-check none
 rsakeypair TP-self-signed-2002586361
!
!
crypto pki certificate chain TP-self-signed-2002586361
 certificate self-signed 01
  quit
dot1x system-auth-control
diagnostic bootup level minimal
service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
 linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
spanning-tree mode pvst
spanning-tree extend system-id
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
!
!
!
class-map match-any AutoQos-4.0-RT1-Class
 match dscp ef
 match dscp cs6
class-map match-any AutoQos-4.0-RT2-Class
 match dscp cs4
 match dscp cs3
 match dscp af41
class-map match-any AutoQos-4.0-wlan-Voip-Signal-Class
 match dscp cs3
 match access-group name AutoQos-4.0-wlan-Acl-Signaling
class-map match-any AutoQos-4.0-wlan-Voip-Data-Class
 match dscp ef
class-map match-any AutoQos-4.0-wlan-Multimedia-Conf-Class
 match access-group name AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
class-map match-any AutoQos-4.0-wlan-Bulk-Data-Class
 match access-group name AutoQos-4.0-wlan-Acl-Bulk-Data
class-map match-any AutoQos-4.0-wlan-Scavanger-Class
 match access-group name AutoQos-4.0-wlan-Acl-Scavanger
class-map match-any AutoQos-4.0-wlan-Transaction-Class
 match access-group name AutoQos-4.0-wlan-Acl-Transactional-Data
class-map match-any non-client-nrt-class
!
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
policy-map AutoQos-4.0-wlan-ET-Client-Input-Policy
 class AutoQos-4.0-wlan-Voip-Data-Class
  set dscp ef
 class AutoQos-4.0-wlan-Voip-Signal-Class
  set dscp cs3
 class AutoQos-4.0-wlan-Multimedia-Conf-Class
  set dscp af41
 class AutoQos-4.0-wlan-Transaction-Class
  set dscp af21
 class AutoQos-4.0-wlan-Bulk-Data-Class
  set dscp af11
 class AutoQos-4.0-wlan-Scavanger-Class
  set dscp cs1
 class class-default
  set dscp default
policy-map AutoQos-4.0-wlan-GT-SSID-Output-Policy
 class class-default
  shape average percent 100
  queue-buffers ratio 0
  set dscp default
policy-map AutoQos-4.0-wlan-GT-SSID-Input-Policy
 class class-default
  set dscp default
policy-map AutoQos-4.0-wlan-ET-SSID-Child-Policy
 class AutoQos-4.0-RT1-Class
  police cir percent 10
  priority level 1
 class AutoQos-4.0-RT2-Class
  police cir percent 20
  priority level 2
 class class-default
policy-map AutoQos-4.0-wlan-ET-SSID-Output-Policy
 class class-default
  shape average percent 100
  queue-buffers ratio 0
  service-policy AutoQos-4.0-wlan-ET-SSID-Child-Policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 negotiation auto
!
interface GigabitEthernet1/0/1
 description port1
 switchport mode access
 switchport voice vlan 1
 spanning-tree portfast
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 1
 spanning-tree portfast
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport voice vlan 1
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
 switchport mode access
 switchport voice vlan 1
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
 switchport trunk allowed vlan 1
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 switchport access vlan 7
 switchport mode access
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface TenGigabitEthernet1/1/3
!
interface TenGigabitEthernet1/1/4
!
interface Vlan1
 description vlan1
 ip dhcp relay information trusted
 ip address 192.168.0.30 255.255.255.0
 ip helper-address 192.168.0.10
 ip helper-address 192.168.0.11
!
ip default-gateway 192.168.0.50
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip access-list extended AutoQos-4.0-wlan-Acl-Bulk-Data
 permit tcp any any eq 22
 permit tcp any any eq 465
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq 995
 permit tcp any any eq 1914
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq smtp
 permit tcp any any eq pop3
ip access-list extended AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
 permit udp any any range 16384 32767
 permit tcp any any range 50000 59999
ip access-list extended AutoQos-4.0-wlan-Acl-Scavanger
 permit tcp any any range 2300 2400
 permit udp any any range 2300 2400
 permit tcp any any range 6881 6999
 permit tcp any any range 28800 29100
 permit tcp any any eq 1214
 permit udp any any eq 1214
 permit tcp any any eq 3689
 permit udp any any eq 3689
 permit tcp any any eq 11999
ip access-list extended AutoQos-4.0-wlan-Acl-Signaling
 permit tcp any any range 2000 2002
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
ip access-list extended AutoQos-4.0-wlan-Acl-Transactional-Data
 permit tcp any any eq 443
 permit tcp any any eq 1521
 permit udp any any eq 1521
 permit tcp any any eq 1526
 permit udp any any eq 1526
 permit tcp any any eq 1575
 permit udp any any eq 1575
 permit tcp any any eq 1630
 permit udp any any eq 1630
 permit tcp any any eq 1527
 permit tcp any any eq 6200
 permit tcp any any eq 3389
 permit tcp any any eq 5985
 permit tcp any any eq 8080
!
!
!
!
radius server Intop
 address ipv4 192.168.0.2 auth-port 1812 acct-port 1646
 key secret
!
radius server Intop_ACS
 address ipv4 192.168.0.31 auth-port 1812 acct-port 1813
 key secret
!
!
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password changeme
 length 0
line vty 5 15
 password changeme
!
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
wireless mobility controller
wireless management interface Vlan1
wlan CiscoIntop2 1 CiscoIntop2
 no chd
 dtim dot11 24ghz 5
 dtim dot11 5ghz 5
 no exclusionlist
 ip flow monitor wireless-avc-basic input
 ip flow monitor wireless-avc-basic output
 no security wpa akm dot1x
 security wpa akm psk set-key ascii 0 comptest
 security dot1x authentication-list Intop
 service-policy input platinum-up
 service-policy output platinum
 wmm require
 no shutdown
wlan CiscoIntop2-dot1x 2 CiscoIntop2-dot1x
 dtim dot11 24ghz 5
 dtim dot11 5ghz 5
 no exclusionlist
 security dot1x authentication-list Intop
 service-policy input platinum-up
 service-policy output platinum
 session-timeout 60000
 wmm require
 no shutdown
wlan CiscoIntop2-eapfastcckm 3 CiscoIntop2-eapfastcckm
 dtim dot11 24ghz 5
 dtim dot11 5ghz 5
 no exclusionlist
 security wpa akm cckm
 no security wpa akm dot1x
 security dot1x authentication-list Intop
 service-policy input platinum-up
 service-policy output platinum
 session-timeout 60000
 wmm require
 no shutdown
wlan CiscoIntop2OPEN 4 CiscoIntop2OPEN
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 service-policy input platinum-up
 service-policy output platinum
 session-timeout 1800
 wmm require
 no shutdown
ap country US,SE
no ap dot11 24ghz cac voice load-based
ap dot11 24ghz rate RATE_1M disable
ap dot11 24ghz rate RATE_2M disable
ap dot11 24ghz rate RATE_5_5M disable
ap dot11 24ghz rate RATE_6M disable
ap dot11 24ghz rate RATE_9M disable
ap dot11 24ghz rate RATE_11M disable
ap dot11 24ghz rate RATE_12M mandatory
ap dot11 24ghz rate RATE_18M supported
ap dot11 24ghz rate RATE_24M supported
ap dot11 24ghz rate RATE_36M supported
ap dot11 24ghz rate RATE_48M supported
ap dot11 24ghz rate RATE_54M supported
ap dot11 5ghz cac multimedia max-bandwidth 8
ap dot11 5ghz media-stream video-redirect
ap dot11 5ghz cac voice max-bandwidth 13
no ap dot11 5ghz cac voice load-based
ap dot11 5ghz rate RATE_6M disable
ap dot11 5ghz rate RATE_9M disable
ap dot11 5ghz rate RATE_12M mandatory
ap dot11 5ghz rate RATE_18M supported
ap dot11 5ghz rate RATE_24M mandatory
ap dot11 5ghz rate RATE_36M supported
ap dot11 5ghz rate RATE_48M supported
ap dot11 5ghz rate RATE_54M supported
ap group default-group
end

KMO-3850#