Newbie questions

Hello All,

I am new to wireless and my company is about to pilot an internal iPad app. I am a network specialist in an IT department of a business that requires high security. I have received recommendations to look at Cisco access point routers due to their security features.

Are there any guides to give me a high level understanding about wireless access, including terminology, differences between technologies and deployment strategies?

The recommendation was for the Aironet 3502e. The iPads in our pilot project will be used in a public area of our business. At this point we are not ready to offer WiFi access in the public area. That may change. The iPads will connect to at least one server on our production network. If the pilot goes well we will be deploying this to several of our remote offices. Is the 3502e the best option for this project? Is there another Cisco device that may be better suited for our project?

If this should be posted elsewhere, please let me know and I will repost.

I appreciate any assistance you can provide.


Sent from Cisco Technical Support iPad App

Leo Laohoo Thu, 08/11/2011 - 15:28
The recommendation was for the Aironet 3502e. 

There are three models of the 3500:

1.  3500i has an internal antenna;

2.  3500e has no internal antenna and you need to purchase optional external antenna; and

3.  3500p also has no internal antenna but is designed for stadium deployment.

One thing you should know about the 3500 AP is that this model requires a Wireless LAN Controller (WLC).   I would recommend WLC5508 and would NOT recommend the smaller 2504.

Leo Laohoo Thu, 08/11/2011 - 16:04

So the 3500's require a WLC.  Does the WLC do what the name implies?  If I have 20 remote offices that use a 3500 for an AP, plugged them into our LAN/WAN, I could configure and control access from one console in the main office?  Is it worth it for 20 offices?

The Wireless LAN Controller (WLC) basically controls your AP.  All your configuration is generally done ONCE:  At the WLC making your APs akin to an oversized antenna.

Now what you have is not new:  One HQ site where the WLC will sit and a number of smaller sites where there are no WLC but the APs will be installed.  There's a feature called H-REAP which answers your question.

H-Reap Design and Deployment Guide

H-REAP Modes of Operation Configuration Example

Hybrid Remote Edge Access Point (H-REAP) Basic Troubleshooting

Now there are two kinds of controller that will support this solution.  They are the WLC5508 and the Flex 7500.  The main difference between the two is that the Flex 7500 will do nothing but H-REAP while the WLC can do both.

People tend to use both in a combo:  The WLC controls APs around the physical location of the APs and the 7500 controls all the remote-end APs.

dennischolmes Fri, 08/12/2011 - 04:15

One more major issue to remember around iPads. If they connect to your production network you will be fine. If however, you use web authentication and redirect you will need to install a certificate on the solution or disable https on the controller due to the iPad's inability to accept the controller provided certificate. If you disable https on the controller remember to install strong password support for the user accounts on the controller as the management login page is protected by https and would now be open to the public to beat on.

Thank you all for your patience. Just to be clear the Aironet 3500 series requires a WLC? They will not work as a standalone AP? I'm not sure my company wants to get wireless to the point of using a WLC. We were just thinking about deploying a few wireless routers in our remote offices and call it a day. Our type of business has not embraced wireless due to the sensitive information we must protect. None of our IT staff thoroughly trust wireless and we do not have the expertise on staff to administer a managed wireless network. However, if we decide to roll this out to some of our remote offices AND we could justify the use of a WLC, we would train our staff in wireless technology. Is it worth the cost and effort to invest in a managed wireless network?

If you use proper security you can make your wireless LAN very secure. Hospitals and financial institutions commonly use wireless networks to transport sensitive information. You can make your wireless network compliant with any standard like FIPS, SOX, PCI etc. if you implement it properly. If I were you I would not use the 3502 AP unless you want the built in spectrum analyzer feature. You could use the AIR-AP1262N-x-K9 where (x) is the country code. The AIR-AP1262N-x-K9 is a standalone AP which does not require a controller. The down side is you have to manage each one separately. If your deployment grows you can upgrade the AIR-AP1262N-x-K9 to become controller based and not lose your investment.

Leo Laohoo Fri, 08/12/2011 - 17:35
We were just thinking about deploying a few wireless routers in our remote offices and call it a day.

I'm not a big fan of routers with wireless because of the physical location of the router.  If your router, for example, is inside a metal box then you might as well not deploy wireless because the metal box will prevent wireless coverage.   Another example is if the location of your router is in a remote corner of the office and the wireless client is on another corner of the site, thus giving people a bad experience with their wireless.  Deploying an AP is better because it can be fixed and moved according to your requirement.  A router, however, has to be near or around your patch panel and/or MDF.

Our type of business has not embraced wireless due to the sensitive information we must protect. None of our IT staff thoroughly trust wireless

Nowadays security in wireless is a must.  WPA or WPA2 are used to ensure security.

Is it worth the cost and effort to invest in a managed wireless network?

Forgive me for being frank and "crass" but I have no intention to offend you or anyone reading this.  You are very brave for dipping your toes into wireless when you have acknowledged the fact that you and your organization have little or no experience in wireless.

A few years ago, I worked in a government organization and the power-that-be issued an edict that they will not accept or allow wireless because of security implications.  Now note that this edict was issued well after WPA2 was certified as very secure.  The organizations issued this memo because the decision-makers were ignorant of the technology.  That was the good news.  The bad news?  When staff who knew about the technology tried to provide positive inputs, management shut down the lines of communications and branded the same staff members as "ignoramus".  So what did the staff do?  They brought in their own "chop suey" wireless and they set up their own wireless network (connected to the production network, of course, and with proper WPA/PSK).

My point is this:  It's good that you are starting to learn about wireless because one day the need will arise and since you have done all the investigations, you might be able to manage your wireless network better.

Thank you all for your patience. Just to be clear the Aironet 3500 series requires a WLC?

If you want wireless APs that do not require a WLC then there are a number of candidates:

  • Internal antennas:  1040, 1140
  • External antennas:  1250, 1260

Take note that the above-mentioned APs support 802.11n.  If you want an AP that will support 802.11a/b & g then you can still get your hands on the 1130.

I want to thank you all for your input.  Thank you leolaohoo and evarmer for your input on the Aironets and wireless LAN's, and Dennis for your comment about the iPad; I'll keep it in mind as we move forward.  As far as the access points, we will be using the 1260's.  I like the idea of deploying one or two in a standalone mode and then as we grow invest in a WLC and then convert the 1260's into a controller based device. Leolaohoo, I was not offended in any way.  I appreciate your frankness and I understand the point you're making.  We will be hiring a vendor that employs several CCIE's to help us not only deploy the 1260's, but also plan for a WLC.  In the mean time I will be attending training classes, if not to become a CCIE at least to know the basics and how to maintain what we have, and also know when to consult a true CCIE. Thanks again, Dan

Leo Laohoo Fri, 08/19/2011 - 19:00
As far as the access points, we will be using the 1260's.

Do remember that the 1260 requires optional external antennas.  The 1260 will support antennas with a maximum gain of -6 dBi.

Am I correct in the assumption that I can place the antennas in different areas of the building, that do not overlap, to offer access in those areas?

On a related topic: My company is in the process of building a new corporate headquarters. We are also looking at local vendors to consult and build a new network. Currently we employ a mixture of Cisco and HP. As it relates to the wireless controllers; Is it beneficial to build a total Cisco network?

As in many corporate environments the process to get things done is often lengthy. Everybody and their brother wants to be involved with every little aspect of the project, dragging it on longer than necessary. Please bear with me as I learn about wireless before I actually attend Cisco classes and we finally install a wireless solution.

Sent from Cisco Technical Support iPad App

dennischolmes Sun, 08/21/2011 - 07:34

So from a purely RF coverage standpoint yes you could do that with the antennae. Is it the correct and best practices method of doing that? NO. Why? RF is a wave pattern carrier of data traffic. When the waves bounce off of multiple surfaces they tend to reflect and turn inward. Another example of this is a bathtub of water that is completely still. You drop a marble in at the far end and desire to get a perfect waveform at the other. As the waves spread out from the drop point they bounce off the walls and by the time they get to the other end the perfect wave is now only chop. The same happens with RF and when this happens multiple copies of the same wave hit the receiver at slightly different times. This is called multipath distortion or multipath interference. Second generation access points combated this with SiSo diversity technologies where the receiving access point would choose which of its two antennae to accept the signal from and then assuming the best path to them was also the best path back, send the return signal out of the chosen antenna that received the signal. The problem with mobility is that we are mobile and often the signal did not return adequately resulting in packet retries. Packet retries occur when the signal does not arrive properly at the intended receiver and the transmitting AP never gets the packet received message back from its intended target. OFDM modulation was the 3rd generation improvement still using SiSO to make diversity even stronger but still did not provide robust enough protection to allow for high speed data rates on RF. In comes 802.11n. 802.11n allows for multiples of antennae to receive individual signals then phase shift them so that the signals can be combined to make a single, stronger, and more reliable reception of signal. This is called maximal ratio combining diversity or MRC. As much as a 40% SNR improvement.
Then by phase shifting the return signal you can focus the return signal to the original sending device like a mag light. This is called beamforming. Since the signal is going back via multiple paths you can split the signal according to the number of transmitting antennae thus allowing for a quicker transmission of the data because you now have multiple paths back to achieve this. This is called spatial multiplexing. 802.11n also allows you to channel bond or add two adjacent channels together to in fact double the size of the pipe you are sending the data on. All of these technologies for 802.11n are the key components of MiMO technology or multiple in multiple out. We won't get into packet aggregation today as that could easily be another two pages of typing but just think of the old jumbo frame for Ethernet and you'll get the idea.

5th and 6th generation access points are now being developed around even more antennae and new standards. 4x4 or four antenna per radio solutions are now nearing fielding to the market and promise even better throughput rates of up to 6gb of throughput based on the being developed 802.11ac standard. These new standards reside around competing technologies such as Multiuser MiMO and DiDO or distributed input distributed output. The coming years promise even more innovation as RF scientists learn even more efficient ways of utilizing our existing spectrum.

So, back to the original question, spread the antennae around? No. Why? We need MRC diversity and MiMO to complete the task reliably. How? By placing the antennae apart in a linear path along a distance determined by multiples of the length of the wavelength. You can achieve this with individual antennae for each antenna connector on the AP and do the math calculations yourself OR just buy MiMO-enabled antennae that have proper placement of the antenna elements already placed for you.

Leo Laohoo Sun, 08/21/2011 - 14:37
Currently we employ a mixture of Cisco and HP.  As it relates to the wireless controllers; Is it beneficial to build a total Cisco network?

With your wireless, you have no other choice but to go with Cisco WLC if you are using Cisco APs.  However, unless you are using 3500 then you don't need a WLC.  WLC is good because this manages your APs better than monitoring them individually (which is a pain).  If you have a non-Cisco wired network then make sure that you properly test your setup.  Make sure the switches can understand 802.1Q and VLANs.

