"AP Priming with Option 43" VS just using Option 43...

Answered Question
Jun 26th, 2012

On page 197 of the CCNA Wireless: Official Exam Certification Guide, it lists four methods of associating a LAP with a WLC.

Method 1: Subnet Broadcast

Method 2: OTAP

Method 3: AP Priming

Method 4: DHCP with Option 43.

In this official Cisco document about priming a LAP ( http://www.cisco.com/en/US/docs/wireless/access_point/1240/installation/guide/124h_f.pdf ) it seems to state that DHCP Option 43 and the broadcasting method are all part of LAP priming. If these 2 methods are considered AP priming, why does the Cisco book consider them individual methods along with LAP priming?
I am asking this because yesterday I attempted to deploy a LAP with DHCP option 43 enabled on the router on a different subnet, with no success. I had to bring the LAP back to the WLC's subnet to allow the Layer 2 broadcast until the WLC found it. I'm trying to figure out if DHCP with option 43 can be used on a different subnet with a LAP that has never contacted the WLC. If so, I don't know why it didn't work. I was consoled into the AP and it kept trying to resolve a Cisco.Controller name; it seemed like Option 43 had no effect.

Thanks in advance for any help in understanding this!

Stephen Rodriguez Tue, 06/26/2012 - 14:01

Yes, option 43 will work for a brand new out of the box AP.  'Priming' means to configure the AP before putting it out in the network.  So the same methods you would use to prime you will use if you don't do it.

Can you post the DHCP scope?

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered

markmattix Wed, 06/27/2012 - 08:16

Stephen, why would someone still want to use DHCP option 43 instead of just a subnet broadcast if the WLC is on the same subnet?

Stephen Rodriguez Wed, 06/27/2012 - 08:26

Option 43 is for if the WLC is on a different subnet from the AP.  But when you get down to it, using subnet broadcast, or an ip helper with broadcast forwarding isn't really scalable.

Per the best practices you're only supposed to have 60-100 AP per subnet.  Will more work, yes, but if you are relying on broadcast traffic versus unicast traffic, you are going to be hammering that subnet on any AP reboot, or when you add in more AP as well.

HTH,
Steve


markmattix Wed, 06/27/2012 - 08:37

OK, that makes sense. I'm wondering though, isn't priming supposed to involve the AP and WLC on the same subnet? If DHCP option 43 is only used on a different subnet how can that be considered priming when priming involves being on the same subnet?

Also you state, " 'Priming' means to configure the AP before putting it out in the network." Regardless of how you prime the AP it's still technically on your network before it's configured by the WLC because it'd be connected to a switch on the same subnet, wouldn't it?

Correct Answer
Stephen Rodriguez Wed, 06/27/2012 - 08:46

Priming doesn't mean same subnet, unless you want it to.  I may have a VLAN configured on the switch that only exists in my office/cube.  I'd use this VLAN to connect the AP, get it joined to the WLC, set the name, location etc.  But that may be routed to the WLC vs the same subnet.

When I'm talking about priming, it's usually more for an AP that is going to a remote site, or for a MESH AP.  Anything that is going in the LAN that is local to the WLC, not so much.  Though IMHO, it makes sense to connect the AP on a VLAN that is locked down to only DHCP and CAPWAP to the WLC, configure all of it, then have my installer hang the AP in its location.

HTH,
Steve


markmattix Wed, 06/27/2012 - 09:29

I think I'm understanding this now... So if you're in your office, which is on its own VLAN, and wanted to prepare a LAP for HREAP on a remote site, you could first prime the AP in your office by associating to the WLC by using DHCP?

I was only considering the Network Administrator being on the same physical subnet (or VLAN) as the WLC; I didn't consider that they may also be in a location that would need to be routed to the WLC. So this DHCP option 43 method of priming would just be a time saver instead of trying to do this at the AP's new remote location? So in best practice I guess you should always preconfigure (prime) the LAP and not hope that it will connect and work at the new remote location. I mean I wasn't just hoping it would work, I expected it to work with DHCP option 43 configured, and still don't know why it didn't. I saw your response below saying that the certificates may in fact be out of sync due to the time and date mismatch. Do you think this would cause a Layer 3 connection not to work and make the AP want to translate a domain name? I didn't see any error messages in the CLI about a certificate.

Thanks for your help, I learned something new today! BTW, I finally figured out what HTH means. At first I thought it was some sort of Cisco clan abbreviation that I wasn't part of, then I Googled it, LOL...

Stephen Rodriguez Wed, 06/27/2012 - 09:40

"I think I'm understanding this now... So if you're in your office which is on its own VLAN and wanted to prepare a LAP for HREAP on a remote site, you could first prime the AP in your office by associating to the WLC by using DHCP?"

Correct.  So long as the AP has an IP address that can reach the WLC, it should join.  No need for it to be done at layer 2.

Option 43 just tells the AP the address of the WLC(s), so that it knows where to send a discovery request to.

As for the resolving of the DNS....an AP will go through all the mechanisms to learn the WLC address.  DHCP, DNS, L2 broadcast, L3 broadcast.  Once it has gone through all of this, it will attempt to join one of the WLC.

If you had a certificate issue, debug capwap errors enable, would show you a message saying that the certificate was out of date.

HTH,
Steve


Scott Fella Tue, 06/26/2012 - 14:02

If you are doing DHCP from the router, you need to make sure you convert the IP address to hex.  The easiest way is to place the AP in the same subnet as the WLC and then, after the AP joins, you can put it in any VLAN you wish.

Leo Laohoo Tue, 06/26/2012 - 15:36

It depends on the organization but I wouldn't call "priming" as a method.

Priming, as Scott and Steve have described, is connecting a controller-based access point to a WLC.

Personally, I find this useful in two ways:

1.  It will tell the WAP who is the nearest WLC; and

2.  During this process the WAP will download the correct firmware from the WLC.  This will also hasten the deployment of the WAP in a site, whereby it doesn't need to download the firmware once installed in its fixed position.

You have to note that all of my controllers (except the WiSM-2) are running a uniform firmware.  Also note that I didn't mention that my WAP subnet for priming is in the same subnet as my "landing" WLC.  (By the way, my "landing" WLC is the controller where all the WAPs go to if they don't have specifications as to which controllers to go.)  This is because we have enabled DNS and Options 43.

saravlak Tue, 06/26/2012 - 17:00

Are you sure the APs were getting a DHCP IP? Did you release/renew the AP's IP if option 43 was configured after the AP got an IP?

Option 43 is a Layer 3 mechanism to discover the WLC. As a temporary workaround you can use ip-helper forwarding of UDP 5246, 5247, 12222 & 12223.

Amjad Abdullah Tue, 06/26/2012 - 23:23

You can do it with DNS if easier. Add a name entry for your WLC IP in the DNS server that the AP knows via DHCP.

The name could be either CISCO-LWAPP-CONTROLLER or CISCO-CAPWAP-CONTROLLER.

There is possibly something wrong with your DHCP configuration with option 43. Either the AP did not receive an IP, did not receive option 43 correctly, or did not receive the option at all.

You can show us your configuration for DHCP scope to check it.

BTW, OTAP is an obsolete method. It is also a security risk, so it is not recommended. I think it is no longer available with new code versions. There was an option to enable/disable OTAP in older versions which is no longer available in newer versions.

HTH

Amjad

markmattix Wed, 06/27/2012 - 06:11

Originally, the router was configured like this:

ip dhcp excluded-address 192.168.0.0 192.168.2.255
ip dhcp excluded-address 192.168.4.0 192.168.255.255
!
ip dhcp pool LabPool
 network 192.168.0.0 255.255.0.0
 default-router 192.168.1.1
 option 43 hex f108c0a80301c0a80302
 lease 3

With this configuration the AP obtained an IP and I could ping the WLC on a different subnet from within the CLI of the AP. Although, the AP could still not associate with the WLC. This is the output of the error it was giving on the CLI...

Mar  1 00:35:25.439: %CAPWAP-3-ERRORLOG: Invalid event 29 & state 4 combination.
*Mar  1 00:35:25.439: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message.
*Mar  1 00:35:25.439: %CAPWAP-3-ERRORLOG: Failed to handle timer message.
*Mar  1 00:35:25.439: %CAPWAP-3-ERRORLOG: Failed to process timer message.
*Mar  1 00:35:25.439: %CAPWAP-3-ERRORLOG: Discovery interval timer expiry handler failed.
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar  1 00:35:25.451: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
*Mar  1 00:35:26.455: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
Translating "CISCO-LWAPP-CONTROLLER"...domain server (255.255.255.255)
*Mar  1 00:35:35.455: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER

I can't understand why it was trying to resolve CISCO-CAPWAP-CONTROLLER when it obtained an IP and could ping the WLC. After the error I decided to reconfigure the DHCP Option 43 to this:

ip dhcp excluded-address 192.168.0.0 192.168.2.255
ip dhcp excluded-address 192.168.4.0 192.168.255.255
!
ip dhcp pool LabPool
 network 192.168.0.0 255.255.0.0
 default-router 192.168.1.1
 option 43 ascii "10.1.1.10,10.1.1.15"
 lease 3

This new configuration basically had the same effect: the AP got an IP and could ping the WLC but still could not associate with it, and the "Could Not resolve CISCO-CAPWAP-CONTROLLER" error persisted.

BTW, the actual IPs are different here than on my private LAN; I changed them for security purposes.
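The hex form of option 43 that Scott mentions is a small TLV (sub-option type 0xF1, a length byte equal to 4 times the number of controllers, then each WLC address as 4 raw bytes), and a wrong type or length byte is enough for the AP to ignore the option and fall through to DNS and broadcast discovery, as in the log above. As an added example, not code from this thread or from Cisco, here is a Python encoder/decoder for that layout run against the thread's own value f108c0a80301c0a80302; the function names are my own.

```python
"""Encode and decode the Cisco vendor-specific DHCP option 43 payload
used for CAPWAP/LWAPP controller discovery (sub-option 241 / 0xF1)."""
import ipaddress

WLC_SUBOPTION_TYPE = 0xF1  # Cisco "controller address list" sub-option 241


def encode_option43(controllers):
    """Return the hex string for the IOS 'option 43 hex ...' form."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    # The length byte counts only the address bytes, not type/length itself.
    return bytes([WLC_SUBOPTION_TYPE, len(payload)]).hex() + payload.hex()


def decode_option43(hexstring):
    """Parse an option 43 hex string back into a list of controller IPs.

    Raises ValueError when the sub-option type is not 0xF1 or the length
    byte does not match the address bytes, which is the kind of encoding
    slip that leaves an AP looping through DNS and broadcast discovery.
    """
    data = bytes.fromhex(hexstring.replace(".", "").replace(" ", ""))
    if len(data) < 2 or data[0] != WLC_SUBOPTION_TYPE:
        raise ValueError("option 43 does not start with sub-option 0xF1")
    length, body = data[1], data[2:]
    if length != len(body) or length % 4 != 0:
        raise ValueError("length byte %d does not match %d address bytes"
                         % (length, len(body)))
    return [str(ipaddress.IPv4Address(body[i:i + 4]))
            for i in range(0, length, 4)]


if __name__ == "__main__":
    # The hex value typed on the router in the post above.
    print(decode_option43("f108c0a80301c0a80302"))    # ['192.168.3.1', '192.168.3.2']
    # The two addresses from the ascii attempt, in the hex form instead.
    print(encode_option43(["10.1.1.10", "10.1.1.15"]))  # f1080a01010a0a01010f
```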

Scott Fella Wed, 06/27/2012 - 06:26

I ran into the same issue before... IOS DHCP option 43 didn't work for me. Option 43 on a Microsoft DHCP server I had no issues with. Either use DNS or broadcast forwarding if you don't want the AP to be primed on the same subnet as the WLC.

Sent from Cisco Technical Support iPhone App

markmattix Wed, 06/27/2012 - 06:36

That's interesting Scott, do you know if anyone has ever done a packet capture for DHCP with option 43 configured on a Cisco IOS and also a capture of DHCP with option 43 on a Microsoft server?

Also, do you think the wrong date and time could be affecting anything?

Stephen Rodriguez Wed, 06/27/2012 - 08:27

Yes, the configured time can be an issue.  The WLC is using X.509 certificates for the APs to join, so if the time is incorrect, you may come up with a certificate that is out of date.

HTH,
Steve


Scott Fella Wed, 06/27/2012 - 15:46

I didn't bother.. It was easier to just do udp port forwarding and configure an ip helper... I hate wasting time:)

Sent from Cisco Technical Support iPhone App

markmattix Wed, 06/27/2012 - 09:56

Now I have a new question... If you primed the AP and it knows the IP to contact the WLC, why would you still need DHCP option 43 set up in its new remote location? Once it knows the IP it shouldn't need the information again to contact it, right?

Would the only reason for setting up DHCP option 43 (after priming) be in case the AP lost its configuration and would be able to find the WLC again? If so, I personally would rather be using a DNS translation because DHCP isn't needed in my remote networks. Will all APs and LAPs try to translate "CISCO-LWAPP-CONTROLLER" out of the box with no configuration? If so, could someone provide an example of the commands used in a router's CLI to translate the name "CISCO-LWAPP-CONTROLLER" to an IP address?

I've never configured DNS, could I use the commands...

ip domain lookup

ip domain name name

Stephen Rodriguez Wed, 06/27/2012 - 10:02

You wouldn't need the Option 43, as the AP will try to join the last WLC that it was attached to.

HTH,
Steve


Posted June 26, 2012 at 1:58 PM