Aug 24th, 2007

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update with Cisco expert Sergey Shitov on the Cisco internal enterprise WLAN deployment. Sergey Shitov is an IT engineer in Cisco's IT department, with his main focus on the design and architecture of the company's enterprise wireless LAN. His major IT projects include deployment of the original Cisco WLAN in 2000-2001 and serving as technical track lead for the Next-Generation Wireless network project in 2005-2007. Prior to joining Cisco.

Remember to use the rating system to let Sergey know if you have received an adequate response.

Sergey might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 7, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

andrew.brazier@... Sun, 08/26/2007 - 01:59

Not strictly a deployment question but...!

What's the status of the autonomous APs and the WLSE? Are they still being developed or are they pretty much due for retirement? In other words should we be moving to using LWAPs and WLCs?

sshitov Mon, 08/27/2007 - 12:15

Although this question does not exactly fit the discussion subject, I know that WLAN products based on the Distributed Architecture are still being developed, although you are likely to see more new features coming in the controller based solution. Using our internally deployed WLAN as an example: we are migrating from the fully featured IOS based APs deployed about 6 years ago to a network with about twice as many LWAPP APs and wireless controllers.

ihutchinson Sun, 08/26/2007 - 18:09

Hi Sergey, I hope this question falls into the forum brief. We are installing a WiSM in a 6509 with Sup720, 3750 access switches and 1242 LWAPPs. A tunnel is created from the LWAPP back to the WiSM (WLC). We are configuring the Platinum/Gold/Silver traffic prioritization for various SSIDs. The wireless traffic will be tunneled from the 1242s through the 3750 and back to the WiSM. Is there any way we can configure the 3750 to respect the priorities on the tunnelled traffic when forwarding on the 1 GB uplink into the 6509?

sshitov Mon, 08/27/2007 - 14:58

In this scenario I would have looked at setting up a port based DSCP trust for the switch ports which APs connect to and using Shaped Round Robin egress queuing on the trunk ports connecting to a C6K. A priority queue can be configured also.

ihutchinson Tue, 08/28/2007 - 15:58

Thanks Sergey, I came to a similar conclusion. Would it be worth looking into each tunnelled packet to determine the priority that the AP has assigned? i.e. Platinum/Gold/Silver/Bronze.

sshitov Wed, 08/29/2007 - 14:22


If you set span/monitor session for AP port (DSCP trusted) in the switch and run packet capture you will see that IP header of the LWAPP packet bound to the controller will have an appropriate DSCP value setting. It will come up based on the User Priority to DSCP mapping depending on what that WLAN/SSID has been configured with. If you have WMM clients and WMM is allowed on that WLAN this all becomes more flexible as the priority setting can be automatically downgraded if a client generates traffic with lower priority than what is set in the controller for that WLAN.
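To make the DSCP check described above concrete, here is an added Python example (not code from the thread, from Cisco, or from any product) that decodes the DSCP field of IPv4 packets as they would appear in a SPAN capture of a DSCP-trusted AP port, identifies LWAPP data and control traffic by UDP port, and flags LWAPP packets marked above the WLAN's QoS profile. The DSCP values assumed for Platinum/Gold/Silver/Bronze are the controller defaults as documented by Cisco, not something the thread states, and the packets in the sample capture are constructed; verify the mapping against your own controller before relying on it.

```python
import socket
import struct

# Default WLC QoS profile to DSCP mapping. Assumption: taken from Cisco WLC
# QoS documentation rather than from this thread; confirm against your controller.
DSCP_TO_PROFILE = {46: "Platinum", 34: "Gold", 0: "Silver", 10: "Bronze"}
# Relative priority of the profiles, used to spot traffic marked above its WLAN's ceiling.
PROFILE_RANK = {"Bronze": 0, "Silver": 1, "Gold": 2, "Platinum": 3}
# UDP ports used between AP and controller for LWAPP data and control.
LWAPP_PORTS = {12222: "LWAPP data", 12223: "LWAPP control"}


def build_ipv4_udp(src, dst, sport, dport, dscp, payload=b""):
    """Construct an IPv4/UDP packet (checksums left zero) to stand in for a capture."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    udp_len = 8 + len(payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                   # version 4, IHL 5 (20 bytes)
        dscp << 2,              # TOS byte: DSCP in the upper six bits, ECN 00
        20 + udp_len,           # total length
        0, 0,                   # identification, flags/fragment offset
        64, 17,                 # TTL, protocol 17 = UDP
        0,                      # header checksum (not computed for this demo)
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    udp_header = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_header + udp_header + payload


def describe_packet(packet):
    """Return DSCP, implied QoS profile and LWAPP role (if any) of a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    dscp = packet[1] >> 2            # drop the two ECN bits
    protocol = packet[9]
    info = {"dscp": dscp, "profile": DSCP_TO_PROFILE.get(dscp), "lwapp": None}
    if protocol == 17 and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        info["lwapp"] = LWAPP_PORTS.get(dport) or LWAPP_PORTS.get(sport)
    return info


def audit_ap_port(packets, wlan_profile):
    """List LWAPP packets marked above the WLAN's QoS profile or with an unmapped DSCP.

    WMM may legitimately downgrade a client's marking, so anything at or below the
    profile is accepted; anything above it or outside the table is reported.
    """
    ceiling = PROFILE_RANK[wlan_profile]
    findings = []
    for index, packet in enumerate(packets):
        info = describe_packet(packet)
        if info["lwapp"] is None:
            continue                 # not AP-to-controller traffic, out of scope
        profile = info["profile"]
        if profile is None or PROFILE_RANK[profile] > ceiling:
            findings.append((index, info["lwapp"], info["dscp"], profile))
    return findings


# Constructed capture from an AP port whose WLAN is configured as Gold.
AP, WLC, CLIENT_SERVER = "10.0.0.5", "10.0.0.1", "10.0.1.9"
SAMPLE_CAPTURE = [
    build_ipv4_udp(AP, WLC, 40000, 12222, 46),        # marked Platinum: above the Gold ceiling
    build_ipv4_udp(AP, WLC, 40000, 12222, 34),        # Gold, as expected
    build_ipv4_udp(AP, WLC, 40001, 12223, 0),         # constructed best-effort control packet, accepted
    build_ipv4_udp(AP, WLC, 40000, 12222, 26),        # DSCP outside the profile table
    build_ipv4_udp(AP, CLIENT_SERVER, 5000, 80, 46),  # not LWAPP, ignored by the audit
]

if __name__ == "__main__":
    for index, role, dscp, profile in audit_ap_port(SAMPLE_CAPTURE, "Gold"):
        print(f"packet {index}: {role} carries DSCP {dscp} ({profile or 'unmapped'})")
```

Run against a real capture by replacing SAMPLE_CAPTURE with the raw IPv4 packets exported from the SPAN session; the audit only looks at the IP header and UDP ports, so it works whether or not the LWAPP payload is encrypted.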


examples20001 Mon, 08/27/2007 - 07:34


One of my APs got disconnected from my network suddenly.

I am not able to ping the IP address of the AP from the core switch.

Then I logged into the AP from the console and checked the config; it seems OK, but I am not sure.

I have attached the config, can you please tell what is the problem?

Thank you.

sshitov Mon, 08/27/2007 - 13:33

IMO the configuration looks good enough for a "ping" test to the AP management IP. I suggest checking the status of interfaces on the AP and on the switch it connects to. If there is a bigger problem, raising a Cisco TAC case will help.

reginald-pugh Tue, 08/28/2007 - 13:03

Hi Sergey,

What would keep causing the Location Appliance to be unreachable? I have a newly installed 2710 that shows up in WCS, but the server keeps disappearing from the database of WCS before I can populate it with the clients and rogues.


sshitov Tue, 08/28/2007 - 14:02


If there is no problem with network connectivity I would suggest checking status of LBS software. Refer to CLI syntax for the commands outlined in Location Appliance Installation and Configuration Guide, Verifying the Location Appliance State. Also I would check if WCS has valid account credentials for the LBS.


jongbeak Tue, 08/28/2007 - 20:48

We operate AP1121G (IOS 12.2(15)XR2).

We have a problem where we can access only some internet web sites (Google OK).

We guess it may be caused by the MTU size. When we changed the MTU size to 1100 on the PC, we could access all web sites. And we tried to configure the MTU size on the AP, but we failed.

We used the "ip mtu" command at the interface prompt.

interface Dot11Radio0

ip mtu 1100


Could you advise us how to configure the MTU, or give some recommendation?

I read that we are able to configure the same SSID on multiple APs at the same place. Why do we need the same SSID? For roaming?

And I read an article about some problems with it. Can I get some advice? We are using the same SSID for our two APs.

One more,

we configure the same DHCP pool IP range ( at the two APs.

What should we configure on the AP for roaming? Especially as we are using the DHCP server function on the AP?


sshitov Wed, 08/29/2007 - 11:28


Try using ip mtu command on the Ethernet interface of AP to see if it gives you the result you would want to achieve.

Deploying the same SSID across multiple APs is typical when you need a wireless network with larger coverage than a single AP can provide. This way you can keep the same SSID in the client's configuration and clients can roam between APs without profile/SSID changes. If both APs map this SSID to the same VLAN on the switch then clients simply perform a Layer 2 roam. If this is a small site with an autonomous AP solution and L2 roaming is what you are after, I would recommend making sure the management interfaces of the APs have L2 connectivity between them too.


jongbeak Wed, 08/29/2007 - 15:40


We tried to configure MTU size 1100 on the Ethernet interface of the AP. But it was not OK. Is there any method that we can use to check that the MTU command runs correctly?

Are there any reports about MTU related bugs or problems?

Anyway, thanks a lot for your advice.

sshitov Thu, 08/30/2007 - 12:01


I checked the mtu interface level command on one of the autonomous APs and it was not supported as a user configurable option for either radio or Fast Ethernet interfaces. Unfortunately, I can provide no recommendation here apart from a suggestion to raise a Cisco TAC case. In our practical experience we kept the mtu on AP interfaces at default values on the production network.


clarkmat Wed, 08/29/2007 - 04:57

Hi Sergey

We have an autonomous IOS Access Point setup here with guest traffic utilising the WLSM. In the future we want to upgrade to the controller based solution with WiSM on the 6500 and maybe 4400 in smaller areas. In your experience would it be better to still utilise the WLSM for guest traffic? We mostly have 1231G access points and I read somewhere that some older ones cannot be upgraded. Is that true?

sshitov Wed, 08/29/2007 - 10:09


There is more than one way to design centralized guest networking. With LWAPP APs and the Unified solution you can use one of the controllers as an anchor to tunnel wireless guest traffic from other controllers to it. Alternatively you can use generic tunnels from a first hop router for clients (after the traffic gets LWAPP decapsulated by a controller) and aggregate these tunnels from multiple sites into some point such as a DMZ. The use of a WLSM is not clear to me in this scenario as GRE tunnels get terminated on a supervisor if you consider using a WLSM as an aggregation device, unless you continue using a dedicated network of autonomous IOS APs for this purpose.

IMO the option with an anchor controller will be easier to deploy.

Cisco IT example: At present we use GRE tunnels for guest traffic, which was a part of the legacy guest networking solution we had at Cisco for several years. GRE tunnels get terminated at one of the DMZ routers. Each request for a guest connection to the Internet gets authenticated over https by either a Cisco Building BroadBand Services Manager (BBSM) or a Cisco NAC Appliance. Guests get provided with an access code in advance as we use a web based portal/application to produce those. Also we support guest connections for both wireless and wired clients from some switch ports.

With regards to the conversion of APs to LWAPP this is what is supported for the model you are asking:

For all IOS-based 1200 series modular access point (1200/1220 Cisco IOS Software Upgrade, 1210 and 1230 AP) platforms, it depends on the radio:

- if 802.11G, MP21G and MP31G are supported

- if 802.11A, RM21A and RM22A are supported

The 1200 series access points can be upgraded with any combination of supported


pugs17211721 Wed, 08/29/2007 - 11:04


I have an interesting situation, hopefully you can help. This is our basic setup. I work for a large company in Ohio. We have two main remote locations, one in Indiana and one in North Carolina. At each location (including Ohio), there are approximately 15-20 timeclocks, and in each location there are 2 gateway servers. The gateway servers communicate directly with the main servers, which are located back in Ohio, over the WAN circuit. The traffic traverses a dedicated leased Point-To-Point circuit back to our Ohio facility. The timeclocks connect through an 802.11B network to our access points. In the facility in Indiana, we have 7 access points, and in the facility in North Carolina we have 6 access points. The time clocks are essentially "dumb terminals", in that once you hit a button, it waits for the gateway server to respond back with what to put on the screen. The gateway server also sends time every 60 seconds to the timeclocks. When you press a button on a timeclock, it checks to see if it has a valid session with the gateway, and if the session is active it goes on to the next step. If the session is not valid, the timeclock will reboot and start an all new network session. So if the session is invalid, the clocks reboot once a button is pressed. The timeclocks are not smart enough to reboot themselves if the session is lost.

There is a WLC 4400 series in our Ohio facility controlling the access points.

Here are the multiple scenarios that we have tested:

#1 - If the access points are running in lightweight mode, connecting to the gateway servers at their local location, and are pointing to a WLC that is sitting in Ohio, the clocks have issues keeping their sessions alive, and reboot at random times throughout the day, once a button is pressed.

#2 - If the access points are running in lightweight mode, connecting to the gateway servers at their local location, and are pointing to a WLC that is sitting on the local LAN, the clocks have issues keeping their sessions alive, and reboot at random times throughout the day, once a button is pressed.

#3 - If the access points are running in lightweight mode, connecting to the gateway at the Ohio location, and are pointing to a WLC that is sitting in Ohio, the clocks have issues keeping their sessions alive, and reboot at random times throughout the day, once a button is pressed.

#4 - The facility in Ohio (which does not have to traverse the WAN link) has no issues with any rebooting. The access points are pointing to the WLC and gateway over the local LAN in Ohio.

#4 - If the time clock in Ohio points to a gateway server in either the North Carolina or Indiana location, with the access points as Lightweight pointing to a WLC on the local Ohio LAN, the clocks have issues keeping their sessions alive, and reboot at random times throughout the day, once a button is pressed.

#5 - If the access points are configured as Autonomous access points, pointing to a local gateway server, there are no issues at all.

So the end result is that any combination of Lightweight Access Points and the WAN link results in timeclock issues. Any combination of Autonomous Access Points and the WAN/LAN links, results in no issues.

Is there a significant difference in the traffic patterns of Lightweight APs versus Autonomous APs?

I know that this is confusing, if you need more details please message me and I can provide more, and any show commands that are needed.

Here is the list of devices that we are using

Timeclocks - Intermec Trakker Antares 2400 series

Access Points - Cisco 1242AG - IOS 12.4(3g)JA

WLC - AIR-WLC4402-50-K9 - S/W Version

reginald-pugh Wed, 08/29/2007 - 11:30

Curious, are these APs enabled using Dynamic TX Power Control, better known as Auto RF?

pugs17211721 Thu, 08/30/2007 - 05:32

Yes, when they are communicating back to the WLC, they are using auto rf.

sshitov Wed, 08/29/2007 - 14:48


If I followed your description correctly I believe you excluded WAN connection in case 2 and still have clock application failing, please confirm.

Have these terminals and the application been tested in a simplified environment (read: LAB) with LWAPP infrastructure to work out WLC>>WLAN and terminal settings prior to deployment?

Is this application based on unicast only?

Also, may I have more data on WAN circuit latency to understand your situation better.

You did not mention if your APs are in H-REAP mode so I assume you are using Local mode.


pugs17211721 Thu, 08/30/2007 - 07:45

Thanks for the quick reply.

To answer your questions,

in example number 2, the gateway server traffic still traverses the WAN circuit. The Main Servers sit in our Ohio facilities, and are unable to be moved.

We did some testing of this infrastructure in a mini lab, but not with the WAN link involved.

The WAN circuit has other traffic traversing it, with no notable latency issues. I will attach a screen capture of the MRTG for this circuit.

Yes these access points are running H-REAP mode.

sshitov Thu, 08/30/2007 - 10:09


With regards to H-REAP deployments LWAPP control will go to the remote WLC via WAN while data can be locally switched.

Please can you confirm that roundtrip latency between a remote site and central location is less than 100 ms?

Has LWAPP control traffic been prioritized over WAN?

The above points should ensure that APs do not flap between connected and standalone modes.

Do you use local switching for data on WLAN which wireless clocks connect to?

The above recommendations do not help with case 2 as you already mentioned that controller and APs were local to each other. I would have looked at replicating WLC/AP setup which you described in 4 at one of the remote sites. If clock application is sensitive to WAN latency and packet loss then prioritizing traffic between gw server and main server will help.


pugs17211721 Fri, 08/31/2007 - 12:05

Here are the response times

From LWAP - Location in North Carolina to Ohio


Tracing route to over a maximum of 30 hops

1 8 ms 4 ms 1 ms

2 102 ms 63 ms 65 ms

3 63 ms 63 ms 66 ms

4 64 ms 63 ms 106 ms

Trace complete.

From Autonomous AP - Location in North Carolina to Ohio


Tracing route to []

over a maximum of 30 hops:

1 1 ms 1 ms 1 ms

2 66 ms 126 ms 65 ms

3 63 ms 140 ms 69 ms

4 63 ms 63 ms 63 ms *.*.com []

LWAPP has not been prioritized over the WAN Link.

We use local switching for the data.

Also I have attached a diagram of our situation. The diagram labeled IN is our Remote Facility in Indiana, and the diagram labeled OH is our main office in Ohio.

Thanks for your help.
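The tracert output above can be checked mechanically against the 100 ms roundtrip bound asked about earlier in this exchange. The following Python script is an added example (not part of the thread and not a Cisco tool): it parses Windows tracert output in the format posted, reports the final hop's mean and worst probe separately (a path can pass on average yet still show spikes above the bound, as the 106 ms probe does), counts timed-out probes, and points at the first hop where latency jumps. The sample is constructed from the first trace in the post, with RFC 5737 documentation addresses standing in for the stripped ones and one timed-out probe inserted at hop 3 to show how loss is reported.

```python
import re
from statistics import mean

# One hop line: hop number, then one or more probes ("8 ms", "<1 ms" or "*"), then the target.
HOP_LINE = re.compile(r"^\s*(\d+)((?:\s+(?:<?\d+\s*ms|\*))+)\s*(.*?)\s*$")
PROBE = re.compile(r"(<?\d+)\s*ms|\*")


def parse_tracert(text):
    """Parse Windows tracert output into a list of (hop, rtts_ms, target).

    A timed-out probe ("*") becomes None; "<1 ms" is recorded as 1.0 (an upper bound).
    """
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # banner, blank and "Trace complete." lines
        rtts = []
        for probe in PROBE.finditer(m.group(2)):
            if probe.group(0) == "*":
                rtts.append(None)
            else:
                rtts.append(float(probe.group(1).lstrip("<")))
        hops.append((int(m.group(1)), rtts, m.group(3)))
    return hops


def summarize_hop(rtts):
    """Loss count, mean and maximum of the answered probes for one hop."""
    answered = [r for r in rtts if r is not None]
    return {
        "lost": len(rtts) - len(answered),
        "mean_ms": round(mean(answered), 1) if answered else None,
        "max_ms": max(answered) if answered else None,
    }


def evaluate_path(text, threshold_ms=100.0, slow_hop_ms=50.0):
    """Judge the final hop against a roundtrip bound and locate where latency jumps.

    slow_hop_ms is a heuristic (assumed here, not from the thread) for spotting the
    first hop that sits on the far side of the WAN circuit.
    """
    hops = parse_tracert(text)
    if not hops:
        raise ValueError("no hop lines found in tracert output")
    hop, rtts, target = hops[-1]
    summary = summarize_hop(rtts)
    summary.update(hop=hop, target=target, rtts=rtts)
    answered = summary["mean_ms"] is not None
    summary["mean_within"] = answered and summary["mean_ms"] <= threshold_ms
    summary["max_within"] = answered and summary["max_ms"] <= threshold_ms
    summary["first_slow_hop"] = next(
        (h for h, r, _ in hops if (summarize_hop(r)["mean_ms"] or 0) > slow_hop_ms),
        None,
    )
    return summary


# Constructed tracert output in the same format as the post, with documentation
# (RFC 5737) addresses standing in for the stripped ones and one timed-out probe.
SAMPLE_TRACERT = """\
Tracing route to 192.0.2.10 over a maximum of 30 hops

  1     8 ms     4 ms     1 ms  192.0.2.1
  2   102 ms    63 ms    65 ms  198.51.100.1
  3    63 ms     *       66 ms  198.51.100.2
  4    64 ms    63 ms   106 ms  192.0.2.10

Trace complete.
"""

if __name__ == "__main__":
    result = evaluate_path(SAMPLE_TRACERT)
    print(f"final hop {result['hop']} ({result['target']}): mean {result['mean_ms']} ms, "
          f"max {result['max_ms']} ms, lost {result['lost']}")
    print(f"mean within 100 ms: {result['mean_within']}, worst probe within 100 ms: {result['max_within']}")
    print(f"latency jumps at hop {result['first_slow_hop']}")
```

Three probes are too few to say much about jitter; collect traces from each remote site at several times of day and compare the final-hop maximum, since a single spike past the bound is what an AP heartbeat or a clock session would actually notice.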

sshitov Fri, 08/31/2007 - 14:00


LWAPP traffic prioritization over the WAN is the suggestion which comes to my mind as you already have the same type of mobile devices working with LWAPP infrastructure over the LAN and the application seems to be capable of running over a link with similar latency (unless the WAN connection from the two remote sites has different levels of utilization, then setting a priority for the application data traffic shall be considered too). Having said that, in the example of the Cisco IT network we use locally based controllers and APs in "Local" rather than "H-REAP" mode so I will not be able to add much more on H-REAP over the WAN stability from our own practical experience.

I would also check if there is any difference on the wireless side which could impact wireless link and connection quality so these sessions are not stable enough at that site. I wonder if you have any other devices there which can give any indication if there is any problem with connectivity and also if you looked at the statistics for the clock devices, in particular checking historical graphs on AP associations, RSSI and SNR trends. You can get these reports from WCS. Also if you use Auto RF you can check how often APs themselves change channels, ideally they should not be doing that often if a network is stable.



I have just got 37 Aironet 1240s for our new wireless network. We have a mix of laptops and PDAs. The PDAs are HP iPAQ RX1950s and HX2750s; these all work fine with the WPA encryption set. My problem is that all our HP HX4150s will not support WPA, only WEP, and so will not connect to the network.

I need these as they are for our electronic registers in the school.

Can I have both types of encryption on the APs, and if so how do I configure the APs to do this?

I am new to the world of wireless so any help would be gratefully received.

sshitov Wed, 09/05/2007 - 08:08


I think you are asking about autonomous APs here. If both ciphers can not be supported on the same SSID I would recommend creating two different SSIDs and mapping them onto either the same or different VLANs depending on your requirements and policies.


jcbonnard Wed, 08/29/2007 - 23:52


I would like to get some information. I am using Aironet Client Utility Version 2.40.03 on a Windows CE device. Is it possible to configure a profile programmatically?

Thanks in advance,

Jean Christophe

PS: Sorry if I didn't put the message in the right post..

sshitov Thu, 08/30/2007 - 13:24


We have ACU deployed on many IT supported production PCs at CISCO but not on Win CE platform. I have no answer if profiles can be scripted in the 2.40.x version.


jcbonnard Fri, 08/31/2007 - 06:32

Thanks for your answer.

Do you have any documentation for this version: Aironet Client Utility 2.40.03

Is there a newer version of Aironet Client Utility for Windows CE 4.2?


Jean Christophe

sshitov Fri, 08/31/2007 - 13:01


The last release I could find references for was 2.60. However I don't see it anywhere available for download. I will post another update if I get more information.


jcbonnard Mon, 09/03/2007 - 03:01


Thanks for your answer.

I found on one windowsce device, that the profile settings are kept in the registry.

My wish is to develop a procedure which will set a profile. The only obstacle I have come across is the profile password. I think it is kept in the UseData registry key. It is a Reg_Binary type; I have read this value and got the byte array from it. I decode it to get the string value and unfortunately it is encrypted. Do you have any solution to help me to set the password in the registry? Thanks in advance

Jean Christophe

sshitov Thu, 09/06/2007 - 14:20


I attempted to find more information on similar ACU programming tasks we had during the Cisco IT internal deployment some years ago. Unfortunately nothing comes up with regards to the Win CE O/S. All references and API instructions were relevant to Win2K and to WinXP. You might want to either post this question into another forum or ask the Cisco TAC.


99xpltd99 Thu, 08/30/2007 - 07:26

On the 1510 AP is there a mac address on the radio side? I know there is a base mac but when I do a survey the base mac and what I'm getting do not match up. I am using a 4402 with an AirMagnet Survey Pro. Any thoughts?

sshitov Fri, 08/31/2007 - 10:19


You are likely seeing the BSSID built on the base radio MAC; you can check if the last octet is what differs.


sbarasiscom Sat, 09/01/2007 - 08:21


I have a WLC with 3 access points, all of them are shown in the WLC and their status is enabled and REG. My problem is the users can associate only with one access point but they can't associate to the others?

**Note :

in GUI - Security - AP Policies - authorized AP - there is only ONE I added the other 2 later but the same results.

Any idea ASAP,


sshitov Tue, 09/04/2007 - 08:23


I would also check status of the Radios to make sure they are enabled and UP.


dbentley Tue, 09/04/2007 - 08:52

That is a great question. I have the same issue. I have to go to each WLC and enable the power source if using an injector.

sshitov Tue, 09/04/2007 - 11:27


If you are referring to Power Over Ethernet Setting, it is not available in WCS configuration. This feature is being considered for implementation in future releases.


dbentley Tue, 09/04/2007 - 09:01

When I use the AP template on my WCS and select WLAN override and select the APs and WLANs to broadcast. I select to reboot and save then apply. This all works fine. The APs reboot and override is on. The problem is I am seeing that the APs go to WLAN override but do not have any WLANs assigned. Does anyone else have this issue?

sshitov Wed, 09/05/2007 - 08:49


WLC configuration GUI - Wireless, Radios, Dot11xxx.

Do you see that this function becomes enabled and WLANs get selected on that page?


shibindong Wed, 09/05/2007 - 08:35

i have 3 questions: I am new to wireless network and just have a few question about WLC and IPS:

1. I saw the WLC 4400 has an IPS function, and a configuration guide on how to configure IPS in the WLC. My question is: does this IPS function also need to download IPS signatures from the Cisco website? If yes, is it free forever, or is there any other product/subscription that needs to be paid for?

2. I also found there is a configuration example about how to integrate the WLC with an IPS system to protect the network. My question is: since the WLC itself has an IPS function, why does it still need to be integrated with IPS?

3. If our network only has IPS without a WLC, can I use IPS to prevent rogue APs, say, some staff bringing their own wireless router into the office to turn on wireless access?

thanks in advance.

sshitov Thu, 09/06/2007 - 09:58


1. By default a WLC comes up with a set of standard signatures which can detect multiple attacks; it can also send clients to the excluded list. You don't have to download those signatures as they are already in the controller, see GUI Security, Wireless Protection Policies, Standard Signatures.

2. Integrating the WLC with external IPS systems shall provide visibility into higher protocol layers as compared with the IPS function integrated in a WLC.

3. I am not convinced on this one. Rogue AP detection can be done either over RF or on the wired network if this is a network connected rogue. If you have no visibility onto the RF domain the RF based detection will not be there. If your network based IPS device has some means of scanning the network, for example, it will be able to detect some AP signatures (if they are known) and report them accordingly. If you use wireless controllers you can detect rogues over the wireless; it also has an option to classify those which are network connected as "Threat", and a rogue AP detector will be required to achieve that. So it can combine information from both wireless and wired sides to make a decision.

I hope this helps.


xianglingzj Wed, 09/05/2007 - 18:33

Sorry, a simple question. What kind of outdoor lightning arrestor should I deploy for a 1300 with integrated antenna? I saw only one lightning arrestor available, AIR-ACC245LA-R, and it is an RP-TNC connector and looks like it does not fit the AIR-BR1310G-x-K9.

sshitov Thu, 09/06/2007 - 14:00


It is not clear to me where you would want to connect a lightning arrestor when this device has an integrated antenna. From my experience lightning arrestors go inline (and grounded) with the antenna cable. If the antenna is integrated there will be no external cable. With regards to the outdoor installation I strongly recommend following all documented instructions and using a professional installer.


danny9797 Fri, 09/07/2007 - 07:06


I'm contemplating between CCIP and CCNP. I'll be working for an ISP so I'm gearing towards CCIP. I only have my CCNA at the moment. I heard CCNP has more "beginner" type courses like MPLS, QOS and BGP. CCNP teaches the basics of the above while CCIP teaches more advanced material on the subject, so CCIP is possibly geared towards someone who already has some experience and knowledge on the subjects.

What are your opinions on the matter? Do you recommend CCNP before CCIP? Is CCIP too difficult for a somewhat beginner in Cisco?


sshitov Fri, 09/07/2007 - 07:37


It sounds like you posted this question to the wrong forum as this one is supposed to be related to WLAN deployments.

If you are asking for my own opinion on these courses I can assure that CCNP courses are a big step forward from CCNA. If you take latest BSCI course for example you will see that there are topics like BGP, IPv6, Multicast, IS-IS which are not covered in CCNA course at all. These are likely to be useful for your job at an ISP.


