Category Archives: Wireless

Cisco OfficeExtend (OEAP) Firewall Rules

I remember I had some dramas getting the OfficeExtend APs initially set up, so here are the firewall rules you need to get the Cisco OfficeExtend access points (OEAP) working. The setup assumes you have a DMZ controller which will have mobility anchors into the internal or “Inside” controller.

Internet -> “DMZ” WLC:
UDP 5246/5247 (CAPWAP control and data from the OEAP; this is the only thing the Internet needs to reach on the controller)

DMZ Controller <-> Inside Controller:
UDP 16666/16667 bidirectional between the “DMZ” WLC and the “Inside” WLC (mobility control messaging)
IP protocol 97 (EtherIP) bidirectional between the “DMZ” WLC and the “Inside” WLC (mobility tunnel data)

DMZ Controller -> RADIUS Server (on the inside network):
UDP 1812/1813 (authentication and accounting)

Inside Network -> DMZ Controller:
TCP 80/443 (for HTTP/HTTPS management access)
TCP 22 (for SSH access)

If you have a Wireless Control System (WCS) or Cisco NCS Prime server, WCS/NCS -> DMZ Controller:
UDP 69 (for TFTP)
UDP 161 (for SNMP)
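The rule list above is a least-privilege matrix: everything in it must be open, and in particular nothing but CAPWAP should be reachable on the DMZ controller from the Internet. As an added example (not code from the original post), here is a small Python audit that encodes that matrix and checks a candidate firewall policy against it, reporting required flows that are blocked and management ports that a sloppy rule has exposed to the outside. The zone names, the Rule format and the two sample rule sets are assumptions constructed for illustration; map them onto your own firewall's objects.

```python
"""Audit a firewall policy against the OfficeExtend flow matrix above.

Added example, not code from the original post. Zone names (internet,
dmz_wlc, inside_wlc, inside, radius, ncs), the Rule format and the two
sample rule sets are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str                 # source zone
    dst: str                 # destination zone
    proto: str               # "udp", "tcp" or "ip97" (EtherIP, no ports)
    port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    src: str                 # zone or "any"
    dst: str
    proto: str               # protocol or "any"
    port: Optional[int]      # None = any port
    action: str              # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.src in (f.src, "any") and self.dst in (f.dst, "any")
                and self.proto in (f.proto, "any")
                and self.port in (f.port, None))


def _both_ways(a, b, proto, port=None):
    return {Flow(a, b, proto, port), Flow(b, a, proto, port)}


# Everything the post says must be open, and nothing else.
REQUIRED = frozenset(
    {Flow("internet", "dmz_wlc", "udp", 5246),            # CAPWAP control from the OEAP
     Flow("internet", "dmz_wlc", "udp", 5247)}            # CAPWAP data
    | _both_ways("dmz_wlc", "inside_wlc", "udp", 16666)   # mobility control
    | _both_ways("dmz_wlc", "inside_wlc", "udp", 16667)   # secure mobility
    | _both_ways("dmz_wlc", "inside_wlc", "ip97")         # EtherIP mobility tunnel
    | {Flow("dmz_wlc", "radius", "udp", 1812), Flow("dmz_wlc", "radius", "udp", 1813)}
    | {Flow("inside", "dmz_wlc", "tcp", p) for p in (22, 80, 443)}   # management
    | {Flow("ncs", "dmz_wlc", "udp", 69), Flow("ncs", "dmz_wlc", "udp", 161)}
)

# Management services on the DMZ WLC that must stay unreachable from the
# Internet: the only thing the outside needs is CAPWAP.
FORBIDDEN = frozenset(
    {Flow("internet", "dmz_wlc", "tcp", p) for p in (22, 80, 443)}
    | {Flow("internet", "dmz_wlc", "udp", p) for p in (69, 161)}
)


def decide(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit deny at the end."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "deny"


def audit(rules: List[Rule]) -> Tuple[List[Flow], List[Flow]]:
    """Return (required flows that are blocked, forbidden flows that are open)."""
    key = lambda f: (f.src, f.dst, f.proto, f.port or 0)
    missing = sorted((f for f in REQUIRED if decide(rules, f) != "allow"), key=key)
    exposed = sorted((f for f in FORBIDDEN if decide(rules, f) == "allow"), key=key)
    return missing, exposed


# A plausible first attempt (constructed): one rule is far too broad, and the
# EtherIP tunnel and inside->DMZ HTTP were forgotten.
SLOPPY_RULES = [
    Rule("internet", "dmz_wlc", "udp", None, "allow"),   # "any UDP" instead of 5246/5247
    Rule("dmz_wlc", "inside_wlc", "udp", 16666, "allow"),
    Rule("inside_wlc", "dmz_wlc", "udp", 16666, "allow"),
    Rule("dmz_wlc", "inside_wlc", "udp", 16667, "allow"),
    Rule("inside_wlc", "dmz_wlc", "udp", 16667, "allow"),
    Rule("dmz_wlc", "radius", "udp", 1812, "allow"),
    Rule("dmz_wlc", "radius", "udp", 1813, "allow"),
    Rule("inside", "dmz_wlc", "tcp", 443, "allow"),
    Rule("inside", "dmz_wlc", "tcp", 22, "allow"),
    Rule("ncs", "dmz_wlc", "udp", 69, "allow"),
    Rule("ncs", "dmz_wlc", "udp", 161, "allow"),
    Rule("any", "any", "any", None, "deny"),
]

# The least-privilege version: exactly one allow per required flow, then deny.
TIGHT_RULES = [Rule(f.src, f.dst, f.proto, f.port, "allow") for f in REQUIRED] \
    + [Rule("any", "any", "any", None, "deny")]

if __name__ == "__main__":
    for name, rules in (("sloppy", SLOPPY_RULES), ("tight", TIGHT_RULES)):
        missing, exposed = audit(rules)
        print(f"{name}: {len(missing)} required flow(s) blocked, "
              f"{len(exposed)} management port(s) exposed to the Internet")
```

Run it and the sloppy policy reports three blocked flows (both directions of IP protocol 97 and inside->DMZ TCP 80) and two exposures (TFTP and SNMP on the DMZ WLC open to the Internet because of the "any UDP" rule); the tight policy reports none.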

I spent some time a year or so back getting it going and it has been a good solution for extending the corporate wireless LANs to wherever they are required. Obviously security should be a concern, so at minimum secure the WLANs with WPA2 Enterprise (802.1X with certificates, RADIUS and AD authentication); these APs sit on untrusted networks, so a PSK WLAN is not appropriate here.

In my case the 602 model AP can provide 2 WLANs as well as a “Remote LAN” connection, which I use to plug in a Cisco IP phone for those that want a hard phone alongside the AP. Be careful with the Remote LAN port: it is essentially a wired port tunnelled straight onto your inside network (which is why the phone works), so anything plugged into it at the remote site gets that same access. Treat it as you would a live switch port inside the building, and leave it disabled on APs that do not need it.

Google Blake Krone’s 602 AP review for more detail on the OEAP setup. He helped me out a lot and I could not have done it without his assistance….thanks Blake!

Office Extend Setup

OfficeExtend setup – clear as mud now? :)

Upgrading Cisco 4400 Wireless Controllers

Make sure you read the release notes for the target software: WLAN behaviour and default settings can change between releases. Also compare the MD5 of the downloaded image against the checksum published on cisco.com before staging it on the TFTP server; TFTP itself offers no authentication or integrity protection, so the check has to happen before the transfer.

I found it is better to SSH into the controller and upgrade it from the CLI. This gives you a running output of what is going on at each stage.

debug transfer trace enable
transfer download datatype code
transfer download mode tftp
transfer download serverip 10.1.1.10
transfer download path /
transfer download filename AIR-WLC4400-K9-6-0-196-0.aes 
transfer download start

After a successful download of the new image you should see something like:

TFTP File transfer is successful.
Reboot the switch for update to complete.

Sat Jun 19 15:47:00 2010: Still waiting!  Status = 2
Sat Jun 19 15:47:03 2010: Still waiting!
Sat Jun 19 15:47:04 2010: finished umounting

(Cisco Controller) >

Issue a ‘reset system’ and say yes to saving the config before rebooting; the new image is not running until the controller has restarted. Remember to repeat the procedure for the bootloader/ER file should the release notes say to do so. It takes about 2 minutes for the WLC to reboot. Any access points registered to the WLC before the reboot will fail over to another controller (if they have one configured as a backup) and rejoin afterwards, so expect a short client outage either way.

Check the release notes of the main image regarding the bootloader. The procedure is the same, but the file on the Cisco web site is listed as the ‘BOOT’ (bootloader/emergency recovery) image and its filename carries an ‘-ER’ suffix. The example below was for version 5.2, which is why ‘show sysinfo’ afterwards reports an Emergency Image Version of 5.2.157.0 alongside the 6.0.196.0 main image.

debug transfer trace enable
transfer download datatype code
transfer download mode tftp
transfer download serverip 10.1.1.10
transfer download path /
transfer download filename AIR-WLC4400-K9-5-2-157-0-ER.aes 
transfer download start

After the reboot, ‘show sysinfo’ confirms which versions are actually running:

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 6.0.196.0
RTOS Version..................................... 6.0.196.0
Bootloader Version............................... 4.1.171.0
Emergency Image Version.......................... 5.2.157.0
Build Type....................................... DATA + WPS
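As an added example (not code from the original post or from Cisco), here is a small Python helper for the two checks that bracket the upgrade above: on the TFTP server, compare the staged .aes image with the MD5 published on cisco.com before issuing ‘transfer download start’, and after the reboot parse ‘show sysinfo’ and confirm the Product, RTOS and Emergency Image versions are the ones the release notes say should be running. The sysinfo sample is the output quoted above; the expected-version table is an assumption based on the two images loaded in this post, and the MD5 values used in the test are standard test vectors, not the checksum of any real Cisco image.

```python
"""Pre- and post-upgrade checks for a WLC image swap.

Added example, not code from the original post or from Cisco.
SAMPLE_SYSINFO is the 'show sysinfo' output quoted in the post;
EXPECTED_AFTER_UPGRADE is an assumption matching the two images loaded there.
"""
import hashlib
import re

# 'Label.......... value' lines: label, run of dots, value.
_SYSINFO_LINE = re.compile(r"^\s*([A-Za-z' ]+?)\.{2,}\s*(.*?)\s*$")


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory blob; cisco.com publishes MD5 next to each image."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a staged image (they are tens of MB) rather than reading it whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_is_trusted(data: bytes, published_md5: str) -> bool:
    """True only if the staged image matches the published checksum exactly.
    TFTP has no integrity protection, so this belongs on the TFTP server
    before the controller is told to 'transfer download start'."""
    return md5_hex(data) == published_md5.strip().lower()


def parse_sysinfo(text: str) -> dict:
    """Turn 'show sysinfo' output into {label: value}."""
    info = {}
    for line in text.splitlines():
        m = _SYSINFO_LINE.match(line)
        if m:
            info[m.group(1).strip()] = m.group(2)
    return info


def version_mismatches(sysinfo: dict, expected: dict) -> dict:
    """Fields whose post-reboot value differs from what should be running.
    An empty dict means the upgrade took; otherwise you get {field: actual}."""
    return {k: sysinfo.get(k) for k, want in expected.items()
            if sysinfo.get(k) != want}


# 'show sysinfo' output as quoted in the post above.
SAMPLE_SYSINFO = """\
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 6.0.196.0
RTOS Version..................................... 6.0.196.0
Bootloader Version............................... 4.1.171.0
Emergency Image Version.......................... 5.2.157.0
Build Type....................................... DATA + WPS
"""

# Assumed targets after loading the 6.0.196.0 code image and the 5.2.157.0 ER image.
EXPECTED_AFTER_UPGRADE = {
    "Product Version": "6.0.196.0",
    "RTOS Version": "6.0.196.0",
    "Emergency Image Version": "5.2.157.0",
}

if __name__ == "__main__":
    info = parse_sysinfo(SAMPLE_SYSINFO)
    bad = version_mismatches(info, EXPECTED_AFTER_UPGRADE)
    print("upgrade verified" if not bad else f"version mismatch: {bad}")
```

In practice you would call md5_of_file() on the image in the TFTP root with the checksum copied from the download page, refuse to proceed on a mismatch, and paste the real ‘show sysinfo’ output into parse_sysinfo() after the reset to make sure the controller did not silently boot the old image.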