ASK THE EXPERT - CISCO WIRELESS LAN CONTROLLER

Jan 4th, 2010

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn more about designing and troubleshooting wireless LAN controller deployments with Cisco expert Mark Gress. Mark is an escalation engineer at the Cisco Systems Technical Assistance Center (TAC) in Research Triangle Park, North Carolina, where he has worked since 2005. He has been troubleshooting complex wireless networks since the birth of the Cisco Wireless LAN Controller (WLC) as a TAC engineer, a technical lead for the Enterprise Wireless team, and now as an escalation engineer supporting the complete Cisco line of wireless products. Mark has diagnosed problems in some of the largest Cisco wireless deployments and has provided training for TAC teams around the world. He has also contributed to numerous design guides, application notes, and white papers. He has been professionally involved in the networking industry for more than 10 years. Mark holds a bachelor of science degree in computer information systems and business management from North Carolina Wesleyan College. He holds CCIE certification number 25539.


Remember to use the rating system to let Mark know if you have received an adequate response.


Mark might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through January 15, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

skronawithleitner Mon, 01/04/2010 - 22:00

Hello Mark,


I have a question regarding the Cisco WiSM: is it possible to block rogue IPv6 Router Advertisements (RAs) on the controller? We use IPv6 on a different SSID, but misconfigured clients (Windows Vista with activated Internet Connection Sharing) flood the non-IPv6 SSID with RAs, misleading IPv6-capable clients that they are a gateway.


Is it possible to block those RAs on the controller? I've already tried IPv6 ACLs (not possible) and searched for implementations of RA snooping or RA guard (which is a Cisco draft), but it seems none of these exist yet. What can I do? How do other big networks block these kinds of things?


stefan

magress Tue, 01/05/2010 - 10:59

Hello Stefan,


Unfortunately, at this time the WLC doesn't handle IPv6 traffic any differently from any other traffic. The WLC will simply pass the packet along just like any other packet. There are enhancements coming, however, for this type of support. I would recommend doing any blocking or restricting of traffic at the switch whenever possible. This is typically where your excess network muscle and/or resources lie.


Thanks,


Mark
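Added example (not part of the thread, and not Cisco code): because the controller forwards RAs unchanged, a monitoring host on the affected VLAN can at least identify which clients are sending them, so the right switch ports can be filtered. The Python below parses captured Ethernet frames and flags any Router Advertisement whose sender is not on an allow-list of known routers; all MAC addresses, link-local addresses and prefixes are constructed sample values.

```python
import ipaddress
import struct

ETH_IPV6, ETH_VLAN = 0x86DD, 0x8100
NH_ICMPV6 = 58
EXT_HEADERS = {0, 43, 60}      # hop-by-hop, routing, destination options
ICMP6_RA = 134                 # Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3


def parse_ra(frame):
    """Return details of the RA carried in an Ethernet frame, or None."""
    if len(frame) < 14:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETH_VLAN and len(frame) >= 18:   # single 802.1Q tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != ETH_IPV6 or len(frame) < off + 40:
        return None
    next_hdr, hop_limit = frame[off + 6], frame[off + 7]
    src_ip = ipaddress.IPv6Address(frame[off + 8:off + 24])
    off += 40
    # Walk simple extension headers; fragmented RAs are not reassembled here.
    while next_hdr in EXT_HEADERS:
        if len(frame) < off + 8:
            return None
        next_hdr, ext_len = frame[off], frame[off + 1]
        off += (ext_len + 1) * 8
    if next_hdr != NH_ICMPV6 or len(frame) < off + 16 or frame[off] != ICMP6_RA:
        return None
    lifetime = struct.unpack("!H", frame[off + 6:off + 8])[0]
    prefixes, opt = [], off + 16
    while opt + 2 <= len(frame):       # options are TLVs, length in 8-byte units
        otype, olen = frame[opt], frame[opt + 1] * 8
        if olen == 0 or opt + olen > len(frame):
            break
        if otype == OPT_PREFIX_INFO and olen == 32:
            prefix = ipaddress.IPv6Address(frame[opt + 16:opt + 32])
            prefixes.append(f"{prefix}/{frame[opt + 2]}")
        opt += olen
    return {"src_mac": src_mac, "src_ip": str(src_ip), "hop_limit": hop_limit,
            "router_lifetime": lifetime, "prefixes": prefixes}


def audit(frames, authorised):
    """Return (ra, reasons) for every RA that fails the allow-list or RFC 4861 checks."""
    findings = []
    for frame in frames:
        ra = parse_ra(frame)
        if ra is None:
            continue
        reasons = []
        if (ra["src_mac"], ra["src_ip"]) not in authorised:
            reasons.append("sender is not an authorised router")
        if ra["hop_limit"] != 255:
            reasons.append("hop limit is not 255")
        if not ipaddress.IPv6Address(ra["src_ip"]).is_link_local:
            reasons.append("source is not link-local")
        if reasons:
            findings.append((ra, reasons))
    return findings


def build_ra(src_mac, src_ip, prefix, plen, lifetime=1800, hop_limit=255):
    """Build a constructed sample RA frame (checksum left at zero; not verified above)."""
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", ICMP6_RA, 0, 0, 64, 0, lifetime, 0, 0) + pio
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), NH_ICMPV6, hop_limit)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETH_IPV6) + ip6 + icmp


# Constructed sample data: one legitimate router, one client acting as a router.
AUTHORISED = {("00:1b:54:aa:bb:01", "fe80::1")}
SAMPLE_FRAMES = [
    build_ra("00:1b:54:aa:bb:01", "fe80::1", "2001:db8:10::", 64),
    build_ra("00:1e:4c:12:34:56", "fe80::21e:4cff:fe12:3456", "2001:db8:bad::", 64),
    b"\x00" * 60,                      # not IPv6 at all; ignored
]

if __name__ == "__main__":
    for ra, reasons in audit(SAMPLE_FRAMES, AUTHORISED):
        print(ra["src_mac"], ra["src_ip"], ra["prefixes"], "; ".join(reasons))
```

The source MAC of each finding is what to look up in the switch's MAC address table to locate the port to filter.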

George Stefanick Tue, 01/05/2010 - 11:16

Hi Mark,


I was wondering if there are plans for a comprehensive troubleshooting guide. I have a lot of different guides but nothing that has everything in it. For example, I was on the phone with TAC discussing a power-related question on an access point. I was asked to do


(Cisco Controller) >debug ap command "show controller do 1"


This shows power-specific information. But I have never seen these "debug" options before.


Any feedback ?

magress Tue, 01/05/2010 - 12:27

Hi George,


At this point there is no complete guide. However, the book we just finished writing comes pretty close to certain aspects of your question. For instance, troubleshooting Mesh issues was a headache due to the fact that the majority of debugging commands were either hidden or very cryptic. Lee and I took an initiative to consolidate the list of devshell Mesh commands and work with the developers in actually creating corresponding debug commands. In the end, it resulted in a complete online debugging source for all users which was not present before. This information, each command and the output, was dumped to the book. We also have a complete list of every debugging command and the corresponding output in one of the appendices. So I would strongly recommend that you start with the book as it certainly is a very strong resource for troubleshooting! That was one of the main reasons why we chose to write the book!


Thanks,


Mark

chad_teal Tue, 01/05/2010 - 13:42

Mark,


I'm using one of my 4400 controllers as a DHCP server for our access points and guest wireless.  Is there a way to flush out the allocated addresses on the controller? I've had times where it just gets hosed up.


BTW - I love the book.  To anyone who hasn't bought it yet...you need to.  Thanks!

magress Wed, 01/06/2010 - 09:43

Hi Chad,


Unfortunately, until the lease time expires, there is no way to clear an individual lease.  All leases will be cleared when the controller reboots. You may want to consider shorter lease times so that inactive client leases will expire and return to the pool quicker. The development team does intend to add the ability to clear leases but I am not sure about a date. This is being tracked by CSCsd96350 - Should allow clearing internal-dhcp lease. I hope this helps!


Thanks,


Mark

apopolo Tue, 01/05/2010 - 17:13

Hi Mark,

     Is there a detailed example of how to create a customized Web Authentication Login Page for Guest access? I want the user to confirm a security policy after the login. Only if the user has accepted this policy will they get access to the Internet.  How is the configuration for such a procedure? Is this outlined somewhere?


Thanks,

Anthony

Craig Le-Butt Wed, 01/06/2010 - 07:57

Hi Mark


This is a double question regarding antennas.

We seem to be having problems with RRM, but since we've put the correct antenna information in, things seem to have got better.


We are using 1240AP, with 5170p & 2465pr for wall mounted, and ceiling mounted are 5959 & 5145v-r.


Problem 1


The WCS (5.2.1.148) doesn't have a 5170p in its antenna list for the templates. Is there a way of adding new antenna templates etc.?


Problem 2


Using the 5959 & 5145v-r when adding/editing "Position access points on Floor" it shows the antenna on the left hand side.  Just a bit confused regarding the Elevation: (degrees) part.


Cheers in advance


Craig



PS, what is the name of this book mentioned in above mails?

magress Wed, 01/06/2010 - 10:54

Hi Craig,


For your question number 1, there is no way for a user to manually add in an antenna to the template.  You will notice that the template gets updated with every newer version of WCS. If you are running the newest WCS version and it still isn't there I would recommend opening a case so they can create a bug to make sure it gets added to the next version. As far as your second question, I am not sure what you are asking. Depending on the antenna type - 0 degrees would be flat but this changes for a wall vs ceiling mount. 90 degrees would be straight up or perpendicular from the previous position. Let me know if I am off target as far as the response you were looking for.


Thanks,


Mark

Craig Le-Butt Thu, 01/07/2010 - 08:16

Hi Mark


Thanks for that, I've updated to version WCS 6.0.170, the APs still don't appear in that.  I'll log a call.


Just a quick one, it's doesn't seem to be a bug in the new version of WCS, when you click on View  Rx Neighbours, it gives an error msg "Errpr in fetching Rx Neighnors"


Cheers


Craig

Kayle Miller Wed, 01/06/2010 - 12:47

Craig,


     The book Mark was referring to is called  "Deploying and Troubleshooting Cisco Wireless LAN Controllers" it is available from www.ciscopress.com


http://www.ciscopress.com/bookstore/product.asp?isbn=1587058146



     This book was authored by Mark Gress and Lee Johnson with some insight/help from Javier Contrares (excuse the spelling). It really is a great book and an even better tool. I'm sure Mark can offer more insight if you wish.


     Thanks,


     Kayle

mscherting Wed, 01/06/2010 - 12:44

Mark,


A design/deployment question:


I'm interested in the OfficeExtend solution and am proposing a 5500 controller in an Internet facing DMZ.  The secured WLANs served up by the OE LWAPs would be anchored on inside WiSMs & controllers.  The 5500 would handle no switching, instead handing off all traffic to the inside anchor controllers.  Is this a reasonable design?


When anchoring secured WLANs, on which controller should the security policies be applied; the controller the OE LWAPs are joined to, or the remote controller where the WLAN is anchored, or both?


Thanks.


Mark

magress Thu, 01/07/2010 - 07:43

Hello Mark,


The office extend and guest anchoring are really two different sets of solutions. If you were intending to design an anchoring scenario - I would do so without the office extend solution and/or let that stand as a solution by itself for your remote locations. As far as the security policies, you will configure them on both the controllers. However, the policies will actually take effect on the anchored WLC. This is when the guest traffic actually hits the wire with no encryption. You can actually apply additional policies, policy maps, and/or ACLs at this point if you wish.


Thanks,


Mark

mscherting Thu, 01/07/2010 - 13:01

Mark,

Thanks for the reply.

Actually guest service is not part of this proposal.  I would rather place a 5500 in a DMZ, and not have any dynamic interfaces on internal networks.

I would want the OfficeExtend LWAPs controlled by the 5500, with the WLAN-to-VLAN switching handled by internal (anchor) controllers, basically flipping the guest anchor idea 180 degrees, extending secure wireless to remote locations across the Internet with remote users anchored to the controllers in their departments.

If this won't work, better to find out now before bringing in a 5500.

BTW, I found we do have a copy of your book in-house.  Good stuff.

Thanks,

Mark

magress Fri, 01/08/2010 - 06:39

Hi Mark,


In theory, your suggestion would work. But the idea of the office extend is that it already provides a secure and encrypted VPN tunnel back to the remote location. So you just want to add another layer of security by parking the associated 5500 out in your network DMZ? If that is the case - you would also have to allow any internal resources that they would need - but you could always do that on a layer 3 device connected to the DMZ 5500 and through the firewall. Am I understanding your setup now?


-Mark

mscherting Fri, 01/08/2010 - 09:04

magress wrote:


Hi Mark,


In theory, your suggestion would work. But the idea of the office extend is that it already provides a secure and encrypted VPN tunnel back to the remote location. So you just want to add another layer of security by parking the associated 5500 out in your network DMZ? If that is the case - you would also have to allow any internal resources that they would need - but you could always do that on a layer 3 device connected to the DMZ 5500 and through the firewall. Am I understanding your setup now?


-Mark


Thanks Mark.  I think we're getting to the same page now.  When you say "back to the remote location" I think we mean "from a remote SOHO location back to the Enterprise."


Currently all of our Internet facing services are in a DMZ, thus the preference for hosting a teleworking service there as well.  In some, but not all cases various departments would have controllers switching traffic onto vlans local to that department/campus.  Somewhat analogous to an Internet facing web server in a DMZ with a backend database inside, I'm thinking of having OfficeExtend LWAPs join a 5500 in the DMZ while having the WLANs actually switched by various backend (anchor) controllers inside.  Some of the reasoning behind this is political.


I believe this should also work with a 5500 completely inside, switching some WLANs itself and handing others off to remote controllers.


This is still in the whiteboard stage and isn't to the point of requesting a demo to test the theory.


Thanks for your feedback!

henning.johanne... Wed, 01/06/2010 - 13:24

Hi Mark,


I have a question about WLC 5508 and CAPWAP Join problem.


I'm having an issue with LAP 1310 AP's on a 5508 WLC running the latest 6.0.188 code.   When I try to join the 1310 AP's to the WLC, the AP's do join and download an image, but then continually reset/reload after these errors: (from AP log)


*Jan  1 18:04:21.463: %CAPWAP-5-SENDJOIN: sending Join Request to 10.8.20.132
*Jan  1 18:04:21.463: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
*Jan  1 18:04:21.465: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 10.8.20.132
*Jan  1 18:04:21.465: %CAPWAP-3-ERRORLOG: Invalid AC Message Type 4.
*Jan  1 18:04:21.466: %CAPWAP-3-ERRORLOG: Failed to handle capwap control message from controller
*Jan  1 18:04:21.466: %CAPWAP-3-ERRORLOG: Failed to process unencrypted capwap packet from 10.8.20.132


It's a simple installation with the management interface used as ap-manager in vlan 701. The 1310's are on the same Vlan (701) so routing is not involved. The AP's download the software "c1310-k9w8-mx.124-21a.JA2/c1310-k9w8-mx.124-21a.JA2".


Why is there a problem here?


Regards, Henning

magress Thu, 01/07/2010 - 07:49

Hello Henning,


Are you seeing any AP tracebacks? This could possibly be CSCtc14910. Regardless, we are looking at a potential defect. I would recommend opening a TAC case so we can determine what DDTS you are possibly running into or if it might be a new one involving the 1310s. I didn't see any bugs that jumped out at me regarding only the 1310s and that version of code. But that could be because one doesn't exist at this point.


Thanks,


Mark

henning.johanne... Mon, 01/11/2010 - 02:23

Hi Mark, Thanks for reply:) Yes this was related to the Bug ID: CSCte07565. After downgrading the 5508 to 6.0.182 and rebooting the controller the AP's not starting with MAC 00: were able to join the controller again. Then upgrading to 6.0.188 the problem was back. After using a Cisco L3 switch with routing between Vlans and AP in one vlan and controller in the other, the AP's also could join because the MAC address then was the switch MAC starting with 00 connecting with the controller instead of the AP. So now we're waiting for the 7.0.0 release to come...

Stephen Rodriguez Thu, 01/07/2010 - 10:02

*Jan  1 18:04:21.465: %CAPWAP-3-ERRORLOG: Unencrypted non-discovery CAPWAP Control Message from 10.8.20.132


     this would lead me to believe you might be hitting CSCte01087.  does that AP have a MAC address that starts with something other than 00?

henning.johanne... Mon, 01/11/2010 - 02:29

Hi Steve and thanks for the input. It showed up to be the bug related to Bug ID: CSCte07565. I wrote a comment to Mark on the steps I took to test and resolve the problem.

Anika Brantley Thu, 01/07/2010 - 10:34

Hello Mark,


I'm new to wireless and I currently have a 1252 AP and a 3750G for the WLC.  I have two 1140's I need to add into the wireless network.  I read in another forum that I have to upgrade the WLC to version 5 or because the 1140's will not work on version 4.x.  But I also read the 1252's will not work with any other version.  How do I make them coexist?  Sorry if this doesn't make much sense.


AB

Leo Laohoo Thu, 01/07/2010 - 12:46

Hi Anika,


You can use either the 5.2.X or 6.0.X firmware to allow both 1250 and 1140 to operate (and don't forget to upgrade the bootstrap too).


I recommend you stay away from the 5.X because of its well known nature of being bug-ridden.

JMC Nel Thu, 01/07/2010 - 11:07

Hi Mark


We have a WiSM in the 6509 - the two controllers will serve all locations. We have several locations, each with a head switch, and at each location specific VLANs associated with employees. We would like to use our current VLANs that were set aside for the LAN users to be applied to the wireless clients using DHCP with option 43 and 60. No matter if they are plugged in to the network or access via the wireless, the same access rules should apply to them, except for guest users, which will be handled differently. We have rules in place within the FWSM per VLAN per location. My question: is there a way in the controller that we can distinguish within a VLAN which is wireless and which is network for troubleshooting purposes? We currently have 1 WLAN with 1 interface per location. Should we duplicate this because of the 2 controllers? What is the recommendation to have failover between the controllers?

magress Fri, 01/08/2010 - 06:31

I would look into a feature AP groups vlan and in later versions AP groups vlan and WLAN override being merged. This would allow you to use the same ssid but assign an AP depending on its physical location a particular vlan where it would dump the users. For troubleshooting purposes you could look at the user list and judging by the AP or vlan, you would be able to determine the AP they are associated to or the network location. As I mentioned this feature does change a little bit in newer versions 5.x and 6.x so it will depend on the WLC version you are running. I hope I understood your question correctly. As far as failover, you can approach it in a few different ways - 1) have the same WLC up and operational with the same config - that way if an outage was found it would only be partially degraded until the APs moved over to the remaining WLC or 2) have a second WLC with the same configuration but have all APs utilizing WLC number 1 (assign each AP to the primary WLC and the 2nd WLC as a secondary). The downfall to option 2 is that convergence time for all APs to move to WLC2 would be longer if WLC1 would go down. You can also see failover methods in any of the WLC configuration guides for additional info.


Thanks,


Mark

sreejith_r Fri, 01/08/2010 - 02:01

Hi


I am facing voice jittering issues with 7921 phones especially when roaming around the AP's.


WLC Version : 6.0.188.0


7921 version : 1.3.3


We are having a combination of 1131 AP for indoor and 1242 AP for outdoor. During roaming we are getting alarms in the controller saying that a coverage hole was detected even though sufficient coverage is available. Do you face any similar issues? Is the issue related to the firmware or something else? The jitter will happen for 2 or 3 seconds; after that it will come to the normal state. Please provide your valuable suggestions.

magress Fri, 01/08/2010 - 06:22

Hello,


Voice Jitter can be caused by a few things. Based on your coverage hole alerts, I would first start by validating you have enough AP coverage. You can do this a few ways. One is with the use of the config analyzer tool available on Cisco or by manually going through and validating the neighbor lists. You can start by the areas that are indicating coverage holes. Another good tool is to look at the trap logs and pay attention to the RF adjustments, the messages here will also give you an insight as to what may be possibly happening. Did you perform a site survey (very critical)? As far as the configuration piece - I would verify that you have checked off all the items in the 7921 deployment guide - http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/administration/guide/7921cklt.html .


Once you have the above in place and out of the way and if the issue still exists you will have to pin-point down by area and even do some debugging to determine what may be causing the jitter. Interference or lack of coverage are both big culprits. If you suspect a heavy hitting DDTS then validate by going through the release notes and looking over the unresolved caveats. Usually doing the above paragraph will provide the relief needed.


Thanks,


Mark

alessandro.dona Fri, 01/08/2010 - 02:11

Hi Mark,


I would like to know if it is possible to assign different VLAN-ID based on AAA-client type (wired or wireless).


example:


wired and wireless connection authenticated by ACS (802.1x for wired and WPA/WPA2 for wireless)


if client A connects to the network by using wired connection ACS must assign vlan2.

if client A connects to the network by using wireless connection ACS must assign vlan3.


Thanks in advance.

Regards.

Ale.

magress Fri, 01/08/2010 - 06:27

If you are using the wired guest feature then you can easily break this up by creating two wlans. One wlan will serve your wired guest users and tie it to its own dynamic interface (vlan). Create a second wlan with your wireless users and tie it to another dynamic interface (vlan). You also have the option of passing down ACS vlan attribute based on certain conditions. If you do not want to use the WLC for your wired connections then it would be dependent on the capabilities of the device that you intend to use to handle your wired clients. But as far as a WLC solution - the wired guest vs wireless solution would be the only solution. You can get more information about the wired guest feature in any of the WLC deployment guides.


-Mark

etmarcof Fri, 01/08/2010 - 07:56

Hi Mark,


I have one WLC 5.0.148 with AP's model 1121BG and 1131AG indoor and AP's 1310BG and 1231BG outdoor, both models with one 5 dB omni-directional antenna each.  Recently I have migrated 7920 phones to 7925 phones (firmware 1.3.3) and outdoor I'm having a lot of problems: no audio, lose association to network etc. In the same outdoor area with 7920 phones or with 7921 phones (firmware 1.3.2) I don't have any problems at all.


Do you think this could be a WLC problem? If yes, to what version do you suggest upgrading for optimal performance with 7925 phones?


Or do you think that it is a hardware or firmware problem of the 7925?


PS: I already know the 7925 deployment guide doc and I can't use 802.11a because 80% of my AP's don't support 802.11a.


Best Regards

MC

magress Mon, 01/11/2010 - 11:10

Hello MC,


It is really difficult to say where the issue(s) are without more information in this post. I will say this however, have you performed a site survey for your voice requirements specifically for the 7925s? If no, then I would start there. This is going to be the most important and vital step with any voice install. I would then go through the 7925 deployment guide:


http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf


These two steps alone will make your life a lot easier and you will find that these two steps will probably resolve most if not all of your voice issues.


Thanks,


Mark

rashid_ibraheem Fri, 01/08/2010 - 08:49

Hello Mark

Kindly, I have the following question regarding migration from (router 1760 and switch 3550 and DHCP server) to (router 1841 with normal hub and switch)

My question is how the configuration will become, since it's the first time I deal with this router 1841

your support are highly

Note: the attached file shows the past configuration for the router and the switch

harold.morales Fri, 01/08/2010 - 14:34

Hello Mark,


I am implementing a wireless solution and have already configured the WLC2112. When I connect an AP1240AG it gets an IP, but the AP does not get the configuration of the WLC. As I know in that mode is setup the AP: in autonomous mode or light mode?


Thanks

Leo Laohoo Sat, 01/09/2010 - 14:00

Hi Harold,


Your AP should be running the LWAP (aka "rcv" image) IOS.

saquib.tandel Sun, 01/10/2010 - 06:18

Hello Mark,


I am relatively new to Wireless LAN Controller.

We have 4402 Box with 10 AP model (AIR-LAP1242AG-E-K9 )

I am in trouble with these

1.       How to find the number of antenna installed on AP from WLC

2.       Different options of Guest Authentication ; webpage with username and password

3.       Voice Quality issues with Nortel Phones

I didn’t find any document which explains how many IP Phones and Data connection can one AP handles. Assuming the above AP Model.

I am also looking for different deployment scenario for Hotels and Corporate offices.

Thanks

ST

Leo Laohoo Sun, 01/10/2010 - 13:07

How to find the number of antenna installed on AP from WLC


The only way is to do a physical inspection of the unit.  There is no way to determine remotely how many antennas (or are the correct ones installed).

magress Mon, 01/11/2010 - 10:59

Hello,


I am not sure I understand your question. However, you can get AP info from --> Wireless ---> Select AP or go through the radio interface and select the AP, or by doing a show AP detailed command via the CLI.  Can you please elaborate on your question?


Thanks,


Mark

Leo Laohoo Sun, 01/10/2010 - 13:10

I am also looking for different deployment scenario for Hotels and Corporate offices.



Deployment scenarios will depend entirely on how you want to integrate your WLC to the rest of your network.  Look through the document provided below.  The document will provide you the step-by-step instructions on how to configure your brand-new WLC/LAP and the options you can use for your Guest authentication.


Cisco Wireless LAN Controller Configuration Guide, Release 6.0
http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/Controller60CG.html

juancarlosorellana Sun, 01/10/2010 - 15:49

My question is: is it possible to integrate the Cisco Wireless LAN Controller with the wired network (LAN switches) in the same way as OOB CAS? Is it possible to do?

magress Mon, 01/11/2010 - 11:01

ST,


You have some pretty broad issues. I would recommend opening service requests for issues such as the phones, etc.


Thanks,


Mark

magress Mon, 01/11/2010 - 11:15

Hello Harold,


The AP has to be converted to LWAPP/CAPWAP in order for it to join the WLC. It will get an IP regardless but it needs to talk the same language of the WLC in order for it to obtain the WLC version of code and the configuration.


http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008072d9a1.shtml


If performing the conversion, you will need the following:


Upgrade tool

AP upgrade image file


Thanks,


Mark

klasseolsson Mon, 01/11/2010 - 13:56

Hello!


I have some questions about the tx-power-threshold value. In our environment we have the value -65 and all access points are on power level 1.

And the site surveys were done with that value too. We have tried to change the value to Cisco's recommended one, and the change we get is that the access points change power level to 2 or 3. And that is good for the functions to work correctly, if I understand this right.

But changing this the signal range from the access points? And what are our recommendation for us to have on this value?

We are going to change the environment to 1140 APs and 5508 controllers to move over to 802.11a from 802.11 b/g. And we are thinking of complementing with more access points.

magress Tue, 01/12/2010 - 06:06

Hello,


Great thinking as far as the site survey. Many people neglect this step and end up paying for it 10x's over in the long run. From what you are describing it sounds like you do not have a dense enough deployment and/or incorrectly positioned APs in certain areas or a combination of both. If you have a scenario where you have multiple APs that fail - there is no way for the other APs to power up to compensate for the AP loss since they are already at the highest power level setting. As far as the -65 value - you need to change this value to whatever is recorded in the site survey. That will enable the APs to make the best decisions given actual RF environment variables.


-Mark

mscherting Mon, 01/11/2010 - 15:37

Hello again Mark,


Questions about the following errors:


The AP 'XYZ-LWAP' received a WPA MIC error on protocol '0' from Station '00:12:7b:00:7a:aa'. Counter measures have been activated and traffic has been suspended for 60 seconds.


First question:  What mechanism puts these countermeasures into effect?  Is the radio shut down?  This would of course affect all other clients associated to that AP.  The AP logs show more radio bounces than WCS does critical errors.


Why would these be appearing on a H-REAP wlan configured with L2 security WPA+WPA2 and only WPA2 and AES enabled?  Key management is DOT1X and CCKM.



WCS 6.0.132.0

WiSM 6.0.182.0

1131 H-REAP APs converted to CAPWAP

ACS 4.2


I suspect faulty client NICs (VIA Networking).  How can I prove this vs. an attack?

Any configuration settings I'm missing?


Thanks,


Mark

jmprats Tue, 01/12/2010 - 05:00

Hi, I have a Cisco Works WLAN Solution Engine Express 1030 with 20 AP1231G Access Points. Now I’m planning to deploy Guest Access (Web portal based with a WLC and a separate VLAN for guests) so I think I need to buy one WLC and upgrade my APs to LWAPP. Is this correct?

We are thinking of deploying 802.11n and VoIP over WLAN in the near future and adding more APs. So, which is the best WLC option for me? Do I need WCS in this scenario or can it be an improvement for the future?

Thanks
