ASK THE EXPERT - CISCO 5500 SERIES WIRELESS LAN CONTROLLER

Jul 31st, 2009

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn about the Cisco 5500 Series Wireless LAN Controller and the 6.0 software release with Cisco experts Sujit Ghosh and Sumit Vakil. Sujit is a Technical Marketing Engineer in the Wireless Networking Business Unit of Cisco. He has a CCIE certification and 15 years of experience in the networking industry. Sujit is responsible for developing and marketing enterprise networking solutions using the Cisco Unified Wireless Network. He has focused on the areas of Wireless LAN security and wireless/wired LAN integration. Prior to joining the wireless business unit, Sujit worked as a TAC Engineer at Cisco for 5 years in the Security/VPN team, working extensively with Security, Wireless and VPN products. Sujit actively speaks at the Networkers conference on the subjects of Deploying Secure Wireless LAN, Troubleshooting Wireless LAN, Design and Deployment of 802.11 Wireless LANs with Centralized Controllers, and Guest Access Design and Deployment for Wired and 802.11 Wireless LANs. Sumit is a Product Line Manager in Cisco's Wireless Networking Business Unit. He leads a team of product managers responsible for driving the Wireless Controller business. Sumit sets the long-term strategy and direction for the controller portfolio and develops go-to-market strategies for it. In addition, he leads the business unit's teleworker and green initiatives. Sumit has 14 years of networking experience, including 10 years in wireless. He has expertise in WiFi, security, QoS, routing and remote access.


Remember to use the rating system to let Sujit and Sumit know if you have received an adequate response.


Sujit and Sumit might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 14, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

GRAEME DANIELSON Sun, 08/02/2009 - 21:03

Hello, a timely ATE topic as we are in the process of preparing to migrate to a 5508! At this stage we have just a single WLC and want the best resiliency solution for connecting to two LAN switches. Not that keen on LAG/Etherchannel as it forces all connectivity to a single switch, so multi AP-Manager looks the way to go. I am getting conflicting messages from the 6.0 ConfGd, e.g.

"You must assign an AP-manager interface to each port on the controller."

then

"Only one AP-manager interface is allowed per physical port. A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface."

If you have to assign an AP-Mgr int to each port, the 2nd statement says I can't use it as a WLAN int.


What is the best way to lay out WLC AP-Manager and WLAN intfs across two LAN switches?


Thanks in advance!

sughosh Thu, 08/06/2009 - 09:29

Can you please give me your email ID? I need to send you a small ppt file to explain how to achieve this.


Sujit


sughosh Thu, 08/06/2009 - 09:34

Please give me your email address and I will send you a ppt file to explain the options you have.

voipis4me Mon, 08/03/2009 - 06:17

Good Morning,


I was reading the data sheet on the 5508 WLCs and was curious about this statement:


"Service Port : 10/100/1000 Mbps Ethernet (RJ45) For High Availability for future use"

Is this a future design feature so that the 5508s (high availability) share a common backbone, similar to how HSRP is incorporated?

sughosh Mon, 08/03/2009 - 12:19

Yes, the 5508 has an additional port which will be used in the future for HA, and it will be similar to HSRP.

suvakil Tue, 08/04/2009 - 08:15

While BandSelect is available in 6.0 and can be enabled from the CLI, it is not supported by TAC. Full support for BandSelect will be available in 6.0 MR1 that is scheduled for Q4CY2009.

sughosh Thu, 08/06/2009 - 09:32

Band Select will be available in the 6.0 MR1 code. It is available now in the CLI but not supported by TAC.

sughosh Thu, 08/06/2009 - 09:31

No plans currently to discontinue either of the platforms.

Wilson Samuel Thu, 08/06/2009 - 03:55

Hi,


How does this impact the WCS? Is there any near future release of the new version of WCS?


Regards

Wilson Samuel

sughosh Thu, 08/06/2009 - 09:37

We just released a new version, WCS 6.0, with major enhancements. Did you get a chance to check out the 6.0 release?


Sujit


rebgbnh01 Thu, 08/06/2009 - 07:32

My ASA 5510 has 5 lights (Power, Status, Active, VPN and Flash). When I turn on the ASA, the Power light is off, the Active and Status lights are red and VPN is green. Could you tell me what I can do? Do I need to do something before connecting it? Am I doing something incorrect?


Thank you


2125 port use and performance query


Hello Sujit and Sumit


I have a 2125 deployed in a 2-site scenario.

I noticed very poor performance initially on the remote site as all traffic by default goes back to the controller.

I worked around this using the H-REAP feature. This vastly improved my remote site performance.


Now I realise how the data is tunnelled back via the controller; I wonder how suited the 2125 is for more than 2 or 3 1142N LWAPs?


All traffic needs to traverse a *single* 100Mbps link into the controller; am I right?


What are the 8 ports for on the controller then?

I can use ports 7/8 for PoE on 2 APs.

I can use (say) port 1 for management and linking into the core network.

Does that give me 300Mbps of connectivity into the WLC2125 in total?

What can I do with ports 2-6?

*** Should I have gone for a 5000 series WLC? ***



thanks for your help

dave


2125 port use and performance query


Hello Sujit and Sumit


Regarding my above query on 2125 performance...


I can use ports 7/8 for PoE on 2 APs.

I can use (say) port 1 for management and linking into the core network.

Does that give me 300Mbps MAX of connectivity into the WLC2125 in total?

What can I do with ports 2-6?


If I use power injectors on ports 2-6, does that then allow me to get past the 300Mbps limit, up to 8 * 100 Mbps?

Where is the actual limiting factor on performance on the 21xx?



many thanks

dave


Roaming and Re-authentication


Hi again

I am using WPA/802.1x to authenticate users against the RADIUS/AD server.


I am testing roaming by having 2/3 clients with 2 LWAPs.

Is it a legitimate roaming test to power off the LWAP to which my client is associated (and authenticated through)?

When I do this, the clients do roam OK but there is a re-authentication occurring.


I have clients that do and do not support CCX. They all appear to re-authenticate on losing the initial LWAP association.


Am I missing something please?


thank you

dave

sughosh Sun, 08/09/2009 - 17:39

Hi Dave,


In order to achieve fast secure roaming, you need to use either CCKM or PKC (Proactive Key Caching), which is available on Windows XP with SP2 and above. You need not do any special config on the WLC for PKC support.


Hope this helps.


Sujit

Hi Sujit


I see re-authentication on roaming from APa to APb (I am not powering these off; just standing next to them, placed 30 feet apart).


When either of 2 clients roams (both with Fast Reconnect enabled) my IAS server sees a re-authentication.


I am using 802.1X with CCKM:

WPA+WPA2 Parameters
WPA Policy
WPA Encryption AES TKIP
WPA2 Policy
WPA2 Encryption AES TKIP
Auth Key Mgmt 802.1X+CCKM


thanks for any help and advice


lucky.sibanyoni Wed, 08/12/2009 - 05:58

Hi, I'd like to know how I can prevent this from happening. I get a lot of these messages lately. Is there a way to resolve this? What does this really mean? Is it a major network attack?


IDS 'Res mgmt D' Signature attack detected on AP 'AP1' protocol '802.11b/g' on Controller '10.10.120.5'. The Signature description is 'Reserved management sub-type D', with precedence '10'. The attacker's mac address is '00:1a:f7:75:43:35', channel number is '1', and the number of detections is '5'.

So how will this unit interoperate with existing 4400 series controllers and 1140 LWAPs? Can I use WCS and sync the configs between the 2 still? Also, what is the purpose of the utility port? Distribution lists this device as (3) 10/100/1000 Mbps (RJ45) and 8 SFP slots; they do not specify management on the 3 RJ45 interfaces, so my account manager asked if they can be used as AP Manager and Network interfaces. My quick answer was no, but just in case I am misinformed...
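As an added example (not part of the post above and not Cisco's code), the following Python parses trap text of the form quoted above into fields, rolls detections up per attacker MAC across APs, and decodes the 802.11 Frame Control byte to show what a 'Res mgmt D' signature actually keys on: a management frame (type 0) with sub-type 0xD. That sub-type was reserved in the original 802.11-1999 table the signature name refers to, but in IEEE 802.11-2007 it is the Action frame (used by 802.11h and 802.11k), so the first thing to check is which station owns the flagged MAC and whether it is merely sending Action frames, before treating the detection count as an attack. The sample lines are constructed from the wording of the post; the controller address, AP name and MAC are the ones quoted there, while the second AP, the second signature and the counts are made up.

```python
"""Added example (not Cisco's or the poster's code): parse WLC IDS signature trap text
into fields, roll detections up per attacker MAC, and decode the 802.11 Frame Control
byte to show which frames a 'Res mgmt D' signature keys on.  Sample lines are
constructed from the wording quoted in the post; counts and the second AP are made up."""
import re
from collections import defaultdict

SAMPLE_TRAPS = [
    "IDS 'Res mgmt D' Signature attack detected on AP 'AP1' protocol '802.11b/g' on Controller "
    "'10.10.120.5'. The Signature description is 'Reserved management sub-type D', with precedence "
    "'10'. The attacker's mac address is '00:1a:f7:75:43:35', channel number is '1', and the number "
    "of detections is '5'.",
    "IDS 'Res mgmt D' Signature attack detected on AP 'AP2' protocol '802.11b/g' on Controller "
    "'10.10.120.5'. The Signature description is 'Reserved management sub-type D', with precedence "
    "'10'. The attacker's mac address is '00:1A:F7:75:43:35', channel number is '6', and the number "
    "of detections is '12'.",
    "IDS 'Deauth flood' Signature attack detected on AP 'AP1' protocol '802.11b/g' on Controller "
    "'10.10.120.5'. The Signature description is 'Deauthentication flood', with precedence "
    "'5'. The attacker's mac address is '00:11:22:33:44:55', channel number is '1', and the number "
    "of detections is '40'.",
    "Aug 12 05:58:01 wlc1: unrelated syslog line that must not match",
]

TRAP_RE = re.compile(
    r"IDS '(?P<sig>[^']+)' Signature attack detected on AP '(?P<ap>[^']+)' protocol '(?P<proto>[^']+)' "
    r"on Controller '(?P<wlc>[^']+)'\. The Signature description is '(?P<desc>[^']+)', "
    r"with precedence '(?P<prec>\d+)'\. The attacker's mac address is '(?P<mac>[0-9A-Fa-f:]{17})', "
    r"channel number is '(?P<chan>\d+)', and the number of detections is '(?P<count>\d+)'\."
)


def parse_trap(line):
    """Return the trap's fields as a dict, or None if the line is not an IDS signature trap."""
    m = TRAP_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {"sig": f["sig"], "ap": f["ap"], "proto": f["proto"], "wlc": f["wlc"], "desc": f["desc"],
            "precedence": int(f["prec"]), "mac": f["mac"].lower(),
            "channel": int(f["chan"]), "detections": int(f["count"])}


def summarize(lines):
    """Total detections per (signature, attacker MAC), with the APs and channels that saw it."""
    rollup = defaultdict(lambda: {"detections": 0, "aps": set(), "channels": set()})
    for line in lines:
        t = parse_trap(line)
        if t is None:
            continue
        entry = rollup[(t["sig"], t["mac"])]
        entry["detections"] += t["detections"]
        entry["aps"].add(t["ap"])
        entry["channels"].add(t["channel"])
    return dict(rollup)


# 802.11 Frame Control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype
MGMT, CTRL, DATA = 0, 1, 2
MGMT_SUBTYPES = {                       # management subtypes per IEEE 802.11-2007
    0: "Association Request", 1: "Association Response", 2: "Reassociation Request",
    3: "Reassociation Response", 4: "Probe Request", 5: "Probe Response", 6: "Reserved",
    7: "Reserved", 8: "Beacon", 9: "ATIM", 10: "Disassociation", 11: "Authentication",
    12: "Deauthentication", 13: "Action", 14: "Reserved", 15: "Reserved"}


def decode_frame_control(fc0):
    """(protocol version, type, subtype) from the first Frame Control byte."""
    return fc0 & 0x3, (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF


def is_res_mgmt_d(frame):
    """What the signature keys on: a management frame (type 0) whose subtype is 0xD."""
    _, ftype, subtype = decode_frame_control(frame[0])
    return ftype == MGMT and subtype == 0xD


if __name__ == "__main__":
    for (sig, mac), e in summarize(SAMPLE_TRAPS).items():
        print(f"{sig:<14} {mac}  {e['detections']:>4} detections  APs={sorted(e['aps'])} "
              f"channels={sorted(e['channels'])}")
    for fc0 in (0x80, 0xC0, 0xD0):                      # beacon, deauth, action
        _, t, st = decode_frame_control(fc0)
        print(f"FC 0x{fc0:02X}: type {t} subtype {st} ({MGMT_SUBTYPES[st]}), "
              f"trips Res mgmt D: {is_res_mgmt_d(bytes([fc0, 0x00]))}")
```

Feeding a day's worth of trap or syslog text through `summarize` turns a stream of five-count messages into one row per source MAC, which is what you need to decide whether one station is noisy or many are; the frame-control decoder is there so the signature name is not taken at face value.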

bapatsubodh Fri, 08/14/2009 - 10:46

Hi,

Sujit and Sumit,

I have a doubt about the WPA-802.1x process between the client, the AP and RADIUS.

The client is using an AD username and password for authentication, and the RADIUS server will in turn forward the u-name and p-word to AD for authentication. My doubt is: in the first place, does the client send the u-name and password in clear text to the AP, which in turn forwards them to the RADIUS server? Or does the client send the u-name and p-word encrypted; if yes, how do they encrypt, do they use the Diffie-Hellman algorithm to generate a unique identical key and then use this key to encrypt the u-name and password? Once the user is authenticated, the PMK is generated at the client and also at RADIUS and shared with the AP, and then further communication takes place (4-way key handshake, 2-way handshake). If the client is sending the username and password to the AP in clear text at least once in the start phase, is it not a problem? Please clarify for me, I may be speculating totally out of phase.

Please let me know any link on cisco.com.

Thanks in advance.

Subodh
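Dave's re-authentication on every roam and Subodh's question about what crosses the air during WPA/802.1X come down to the same key hierarchy, so one added example (not Cisco code, not from either poster) serves both. With PEAP or EAP-TLS the username and password travel inside a TLS tunnel to the RADIUS server; the controller never sees them and only receives the resulting PMK (the first 256 bits of the EAP MSK, carried in the RADIUS Access-Accept as MS-MPPE-Recv-Key). The 4-way handshake then proves that both sides hold that PMK without ever transmitting it. On a roam the client can offer a PMKID in its reassociation request: with PKC (Cisco's proactive key caching, elsewhere called opportunistic key caching) it computes one for the new AP's BSSID from the same PMK, the controller recognises it and skips 802.1X; a client that only caches the PMKID of the AP it authenticated through offers nothing the new AP can match and gets a full RADIUS round trip, which the RADIUS server logs as a fresh authentication. The PMK, MAC addresses and nonces are constructed values; the EAPOL-Key framing follows the standard field layout for descriptor version 2 (AES), whose MIC is HMAC-SHA1-128.

```python
"""Added example (not Cisco's or the posters' code): 802.1X/WPA2 key hierarchy after EAP,
PMK caching versus PKC/OKC on roam, and messages 1-2 of the 4-way handshake.
PMK, MAC addresses and nonces are constructed test values."""
import hashlib
import hmac
import os
import struct


def prf(key, label, data, nbits):
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbits + 159) // 160))
    return out[: nbits // 8]


def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); offered in the RSN IE of a
    (re)association request to say "I still hold a PMK usable with this AP"."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max MACs || min/max nonces).
    Symmetric in its inputs, so AP and client get the same KCK, KEK, TK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return ptk[:16], ptk[16:32], ptk[32:48]   # KCK (MIC key), KEK (wraps GTK), TK (CCMP)


# EAPOL-Key frame: EAPOL hdr(4) | desc type(1) | key info(2) | key len(2) | replay(8) |
# nonce(32) | IV(16) | RSC(8) | reserved(8) | MIC(16) | key data len(2) | key data
NONCE_OFF, MIC_OFF = 17, 81


def build_eapol_key(key_info, replay, nonce, key_data=b""):
    body = struct.pack("!BHHQ", 2, key_info, 16, replay) + nonce + bytes(16 + 8 + 8)
    body += bytes(16) + struct.pack("!H", len(key_data)) + key_data   # MIC zeroed for now
    return struct.pack("!BBH", 2, 3, len(body)) + body                # EAPOL v2, type 3 = Key


def eapol_mic(kck, frame):
    """Descriptor version 2 (AES): HMAC-SHA1-128 over the frame with the MIC zeroed.
    (Version 1, used with TKIP, is HMAC-MD5 instead.)"""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_eapol(kck, frame):
    return frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + 16:]


def verify_eapol(kck, frame):
    return hmac.compare_digest(frame[MIC_OFF:MIC_OFF + 16], eapol_mic(kck, frame))


class Controller:
    """Authenticator: one PMK per client after 802.1X, usable on every AP it manages."""
    def __init__(self):
        self.pmk_by_client = {}

    def finish_8021x(self, spa, pmk):
        # Really delivered by RADIUS in the Access-Accept (MS-MPPE-Recv-Key = MSK[0:32]);
        # the password never reaches the controller, let alone the air.
        self.pmk_by_client[spa] = pmk

    def reassoc(self, spa, bssid, offered_pmkids):
        pmk = self.pmk_by_client.get(spa)
        if pmk is not None and pmkid(pmk, bssid, spa) in offered_pmkids:
            return "4-way handshake only"
        return "full 802.1X (RADIUS round trip)"


class Supplicant:
    """okc=True derives a PMKID for any BSSID from the cached PMK (PKC/OKC);
    okc=False only remembers PMKIDs of APs it actually authenticated through."""
    def __init__(self, mac, okc):
        self.mac, self.okc, self.pmk, self.cache = mac, okc, None, {}

    def finish_8021x(self, bssid, pmk):
        self.pmk, self.cache[bssid] = pmk, pmkid(pmk, bssid, self.mac)

    def reassoc_request(self, bssid):
        if self.okc and self.pmk is not None:
            return [pmkid(self.pmk, bssid, self.mac)]
        return [self.cache[bssid]] if bssid in self.cache else []


def four_way_msg1_msg2(pmk, aa, spa):
    """Msg1 AP->STA carries ANonce; msg2 STA->AP carries SNonce plus a MIC under the KCK.
    The AP reads SNonce from msg2, derives the same PTK and checks the MIC, so possession
    of the PMK is proven without the PMK (or any password) crossing the air."""
    anonce, snonce = os.urandom(32), os.urandom(32)                  # msg1 carries anonce
    kck_sta, _, _ = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = sign_eapol(kck_sta, build_eapol_key(0x010A, 1, snonce))  # version 2 | pairwise | MIC
    kck_ap, _, tk = derive_ptk(pmk, aa, spa, anonce, msg2[NONCE_OFF:NONCE_OFF + 32])
    return verify_eapol(kck_ap, msg2), msg2, tk


if __name__ == "__main__":
    PMK = hashlib.sha256(b"constructed: stands in for MSK[0:32]").digest()
    STA, AP_A, AP_B = (bytes.fromhex(h) for h in ("001122334455", "0a1b2c3d4e01", "0a1b2c3d4e02"))
    wlc = Controller()
    wlc.finish_8021x(STA, PMK)
    for okc in (False, True):
        sta = Supplicant(STA, okc)
        sta.finish_8021x(AP_A, PMK)
        print(f"okc={okc}: roam AP_A -> AP_B needs {wlc.reassoc(STA, AP_B, sta.reassoc_request(AP_B))}")
    print("msg2 MIC verifies at AP:", four_way_msg1_msg2(PMK, AP_A, STA)[0])
```

Running it prints a full RADIUS round trip for the client without PKC and a bare 4-way handshake for the one with it, then confirms the AP accepts message 2 from a client holding the same PMK. CCKM reaches the same goal by a different route (a key derived with the WDS/controller and a reassociation-time MIC rather than a PMKID), which is why a client must actually negotiate CCKM in its RSN IE for the "802.1X+CCKM" setting to make a difference.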
