
Ask the Expert: Cisco Wireless LAN Controllers (WLCs)

Jun 11th, 2013

With Cisco Expert Nicolas Darchis

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to troubleshoot, configure and deploy any Cisco Wireless LAN controller with Cisco subject matter expert Nicolas Darchis.

Nicolas Darchis is a wireless and authentication, authorization, and accounting expert for the Technical Assistance Center at Cisco Europe. He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server since 2007. He also focuses on filing technical and documentation bugs. Nicolas Darchis holds a bachelor's degree in computer networking from the Haute Ecole Rennequin Sualem and a master's degree in computer science from the University of Liege. He also holds CCIE Wireless certification number 25344.

Remember to use the rating system to let Nicolas know if you have received an adequate response.

Nicolas might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless sub-community, Getting Started with Wireless discussion forum shortly after the event.

This event lasts through Friday June 28, 2013. Visit the community often to view responses to your questions of other community members.

huangedmc Sun, 06/16/2013 - 12:24

hi Nicolas,

Can Flex7500 WLC's support central-switched WLAN's, or are they restricted to local-switched WLAN's only?

We have a bunch of WiSM1 & WiSM2 blades in our datacenter, and 6 WLAN's on FlexConnect/HREAP WAP's in each of the remote campuses.

Two of the WLAN's are central-switched, and support our guest wireless solution, while the other four are local-switched, and support local traffic.

We'd like to replace the WiSM1's w/ Flex 7500.

Will we be able to support our existing WLAN's on 7500, or will we need to get WiSM2, or 8500 to do it?


Also, the CAPWAP AP's operate in local-mode by default, when they're out of a box.

Will they join the Flex 7500 in local-mode?

Assuming they can join the 7500, what happens if we don't change them to FlexConnect mode? Will traffic still be forwarded?

I suppose this is related to the first question above.

It looks like the Flex7500 is much cheaper than WiSM2 & 8500, but we'd like to know exactly what caveats are there, so that we don't run in to surprises.

I've consulted data sheets, and "Flex 7500 Wireless Branch Controller Deployment Guide" on, but am still not clear on what the caveats are.

If you could please clarify I'd really appreciate it.



Nicolas Darchis Mon, 06/17/2013 - 00:14

Hi Kevin,

the 7500 can support local mode APs yes and can also support centrally switched WLANs. However it has a limited throughput. It does not dedicate the 10Gbps of its ethernet port to centrally switched traffic.

The idea is that the 7500 should be loaded with much more APs than a Wism WLC but on the other hand, they have to be Flex with locally switched WLANs.

It does tolerate a bit of centrally switched traffic but its architecture is not optimized for it.



Nicolas Darchis Mon, 06/17/2013 - 00:22

Recorrecting my words after a verification. The 7500 WLC will autoconvert local mode APs to HREAP, so it does not support local mode APs per se. The centrally switched WLAN max throughput is 250Mbps.

huangedmc Mon, 06/17/2013 - 05:40


Thank you for the prompt response & clarification.

Is there a hard limit on how many central-switched WLAN's I can have on the Flex 7500?

We're ok w/ limited throughput, as the central-switched SSID's are used by guests, at least for now.

Could you please point me to a URL, where it references the 250Mbps max throughput?

Not doubting what you're saying, just wanted to know where to look up the info.

If it's not available on a public page, could you at least let me know the name of the file, or the internal link, so that I can have our account team retrieve it?

Also, is the 250Mbps cap per central-switched WLAN, or the aggregate per Flex 7500?



Nicolas Darchis Mon, 06/17/2013 - 12:04

Hi Kevin,

I'll be totally honest. I found this only in the "New Product Introduction" training for TAC. By the way, checking deeper, 250Mbps of max throughput for centrally switched was for 7.0 release. As of 7.2, it was increased to 1Gbps.

I strongly agree that this should be mentioned in the data sheet, so I will contact the marketing team to have this added. I haven't found another place where it is mentioned.

This throughput is for all centrally switched WLANs combined, no matter how many you have.

klkilloren Mon, 06/17/2013 - 09:27


I have a RV802 router, recently when I try to connect to my wifi it reads " not in range". I have tried unplugging the router and plugging it back in, but it is still reading the same thing. Can you please help me in troubleshooting this issue. (note: the router is within 10 ft of me)

Nicolas Darchis Mon, 06/17/2013 - 12:06

Hi Katie, unfortunately "linksys routers" does not fit into the subject of this event which is "Cisco Wireless LAN controllers".

However, I would advise checking if you configured an SSID to be enabled and to be broadcast (if not broadcast, it will be harder to see it). Try to configure no security on it, at least for testing.

I am not sure if that router model requires external antennas. If so, you need to make sure they are plugged in and screwed in correctly.

jokern Mon, 06/24/2013 - 09:59

Hi Katie, the RV082 is a Cisco router. The older ones might be branded Linksys. However it does not have a WiFi AP built in. Cisco's entry level routers including WiFi would have a "W" in the name, like RV220W or RV120W.

Best Jo

Product Manager, Enterprise Networking Group

jino_jacob Mon, 06/17/2013 - 13:12

Hi Nicholas,

This question is regarding the Clean Air functionality.

We have a mixed environment with Clean Air and Non Clean Air APs that share the same coverage area.

On some controllers we have both types of APs but are part of different coverage areas.

I have read it is not advisable to enable Clean Air with Event Driven RRM in a mixed environment, but with the enhancements to Clean Air, AP Groups and RF profiles as part of the WLC firmware release 7.2, is it now possible to enable Clean Air with EDRRM functionality in the above described scenario?



lapyan_sun Mon, 06/17/2013 - 22:48

Hi Nicholas,

I'm new to Cisco Wifi infrastructure and don't have much experience.

Recently we have deployed 1 x 2504 WLC with 14 x 3600 APs, all the access points are configured as Flexconnect mode.

Generally, the Wifi is running well, but we had a few client machines that keep on getting 14Mbps not 144 Mbps. As soon as they disconnect from the Wifi and reconnect, it works fine. They are running Win7 Enterprise x64 and using Win Wifi not IntelProSet.

Can you please point me in the right direction to fix the problem?



Nicolas Darchis Tue, 06/18/2013 - 00:25

Hi Lap,

it could virtually be anything. But I would tend to think that it's your client that is misbehaving and not roaming properly.

What I suggest you do is when the problem is occurring, go with another laptop to the WLC configuration web page.

Go to Monitor->clients and find the mac address of the problematic client. Click on it to display the details.

Check the signal strength (RSSI) it is displaying. If it is a number below (i.e. further from zero) -70, then indeed, the client is associated to a far away AP and thus having a bad data rate. (You can also check if the AP name mentioned is physically close by or not.)

Roaming is decided by the client and typically the intel proset is a much better software than the windows native supplicant.

Nicolas Darchis Tue, 06/18/2013 - 00:02

Hi Jino,

yes you can enable it. Indeed the RRM algorithm was improved to evaluate potential changes and prevent any cascading effects.

Of course the result will not be as good as if all APs were cleanair (so you might have cases where the APs do not adapt when they should theoretically have), but overall, it shouldn't be any major problem.

Bilal Nawaz Tue, 06/18/2013 - 06:13

Hello Nicolas, I have 4 WLC 5508's with many AP's associated to them. One WLC represents one building (4 of them within walking distance), although they are in the same data center at the moment. (on 7.4.100)

I also have 3 ACS servers (5.4) that are configured. I have set up a Corporate Wireless SSID for staff to connect to.... The authentication WPA2 AES + 802.1x where the Laptop's get authenticated by ACS and then the user themselves get authenticated.

The problem I am experiencing is when users go to another building with their laptops, they are not able to authenticate to the SSID, they have to do a full reboot of the laptop to connect cleanly again.

I suspect that one WLC is doing authentication to one ACS, and the other WLC is authenticating to the other ACS.

The result is, when user leaves the building and associates with the SSID, result is the laptop is only authenticating the user, and not the laptop itself because it has already authenticated the laptop. When auth happens with the other ACS it is expecting the auth of the laptop but only gets the user auth.

Is there any way where I can strictly configure priority on authentication servers and make the roaming experience better?

Thank you

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

saquib.tandel Tue, 06/18/2013 - 08:10


How to migrate the configuration from WLC 4400 series to WLC 5500 series box

Nicolas Darchis Tue, 06/18/2013 - 08:48


it's not really a problem if you are using NCS/WCS as you can simply repush all templates.

Otherwise, the best method out of my experience is the "show run-config commands" or backup the 4404 config via tftp (it's mostly commands). Paste all commands on the new WLC. You will have to repush the certificate and a few other basic details though.

Bilal Nawaz Wed, 06/19/2013 - 00:46

Hello Nicolas, thanks for the response...

I have ACS with default configurations - does this configuration look like what we should have configured.

Also I found this link here.......

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Nicolas Darchis Wed, 06/19/2013 - 01:47

the link I gave you clearly stated black on white :

MAR Cache Distribution Groups

ACS 5.4 has the option to group ACS nodes in MAR cache distribution groups. This option is used to control the impact of MAR cache distribution operations on ACS performance and memory usage.

A text label is assigned to each ACS node, which is called the MAR cache distribution group value. ACS nodes are grouped based on the MAR cache distribution group value. You can perform MAR cache distribution operations only between the ACS nodes that are assigned to the same MAR cache distribution group.

If the group value of an ACS node is empty, then it is considered as not assigned to any MAR cache distribution group. Such ACS nodes do not participate in any MAR cache distribution operations.

So you need to configure the same MAR cache group, otherwise magic does not happen.

The link you found is for ACS 4 which didn't have a MAR cache.

Bilal Nawaz Wed, 06/19/2013 - 01:53

Hi Nicolas, I realised that when I read again shortly after I posted, thanks. I'll give it a go.

I do want to understand why the WLC's opt to go with another ACS which has the lowest priority, rather than the other two though - unless they just don't respond quick enough to the request.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Nicolas Darchis Wed, 06/19/2013 - 02:16

I cannot make remote guesses but a WLC has by default a passive failover behavior. I.e. if for some reason the radius server number 1 does not respond to one authentication request, WLC will start using the 2nd server. If 2nd server works fine it will keep using that one until the next problem ...

In Security->Radius->general you can configure failover behavior to be more active where it will go back to using the primary ACS if it's back alive.

It doesn't mean that primary ACS was down at some point, it may have consciously not replied to a WLC auth request for many reasons (in ACS, you can configure when to drop or to reject failed auth scenarios).

Bilal Nawaz Wed, 06/19/2013 - 02:21

Thanks Nicolas, appreciate your time and help.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

jino_jacob Tue, 06/18/2013 - 09:32

Nicolas Darchis wrote:

Hi Jino,

yes you can enable it. Indeed the RRM algorithm was improved to evaluate potential changes and prevent any cascading effects.

Of course the result will not be as good as if all APs were cleanair (so you might have cases where the APs do not adapt when they should theoretically have), but overall, it shouldn't be any major problem.

Hi Nicholas,

Many thanks for answering the question.

I would like to know if there are any configuration guidelines/best practise for configuring Clean Air in a mixed environment. Say on a controller I have APs from two different coverage areas/sites. One site has only clean air APs and the other has Non Clean Air APs. Should they be separated into different AP groups/RF profiles or is it ok to have them on the same AP Group?

Many Thanks


Nicolas Darchis Tue, 06/18/2013 - 09:38

There isn't such a guide to my knowledge because it's pretty much straightforward. There is no need in playing with RF groups. Indeed, if you have one WLC with let's say 100 access points, but spread over 10 buildings far from each other, then the WLC will create 10 RF groups. Although the WLC is configured with only 1 RF group name, it only combines together APs that can hear each other. Therefore APs in different buildings will end up in different RF groups in reality.

The RF group name works as a kind of pre-shared key. Meaning, if put close to each other, APs will be able to form adjacency and form an RF group. But if 2 WLCs have different RF group name, even if APs are close to each other, they will treat each other as rogues and will not discuss RF between them.

I hope it clarifies.

Nicolas Darchis Tue, 06/18/2013 - 22:44

Hi Brett,

Quoting the center part of your query :

Is the allocation of per floor IP subnets considered best practice? I'm under the understanding that if a wireless client moves from Level 2 to Level 3 for example, an IP address change occurs when the client associates to the Level 3 AP so this would cause a brief drop to the client connection?..OR should the client retain its original IP?

Is there an automated or configurable feature on the WLC that allows for the client to retain its original IP that it had on Level 2.

WLC is all about smooth roaming and keeping connectivity. Therefore if you roam to another floor, you will retain your original ip address.

Same goes if you have APs spread across 2 WLCs and your 2nd WLC has interfaces in totally different subnets. The WLC will tunnel traffic back to your original WLC so that you can keep using your original ip address. Same goes when you have "AP groups", i.e. group of APs on the same WLC with different client subnet. The first AP to which you connect determines your subnet/ip address. You can then roam to wherever you want and you will retain your ip address.

If you stay offline for longer than the "client user idle timeout (5 mins by default)" then your client entry is deleted and when you reassociate again, you get a new ip address.

Tuning this behavior would mean reducing idle timeout so that if you take more than 30 seconds for example to come back into coverage area, you get a new ip (or 30 seconds of sleep mode on the laptop).

But I don't see any reason on earth why one would not want to retain the original ip address. Should you really want to have different ip per floor, you would need different SSIDs on each floor or the same SSID , as simple as that.

Regarding the "best practice" side of things, there are multiple scenarios :

-You want to segregate users : the ideal is actually radius authentication and the radius server assigning a different vlan depending on the username.

-You simply want "load balancing" of the subnets and ip address : you may be better off using "interface groups" to an SSID. i.e. different subnets are given in a round robin manner.

-Per floor segregation is perfectly fine. But it achieves a poor load balancing (what if there are way more users on one floor than on another ?) and it does not achieve real separation (i.e. if you change floors, you keep your original ip).

brettcodey Tue, 06/18/2013 - 23:16

Hello Nicolas,

Thank you so much for your prompt reply.

The problem is that my clients are getting a new IP address when they associate with an AP on another floor - i.e. they don't keep their original IP and I don't know why, as you have stated in your initial reply:

"WLC is all about smooth roaming and keeping connectivity. Therefore if you roam to another floor, you will retain your original ip address."

What configuration change on the floor switches that the APs connect to or on the WLC will prevent this from happening so that the client keeps the same IP address?



Nicolas Darchis Tue, 06/18/2013 - 23:52

Something has to be wrong somewhere.

The client traffic is tunneled from the AP to the WLC, so the floor switch configuration does not matter at all, client traffic is released in the core where WLC is plugged.

I would need to see a "debug client " showing a client switching floor and getting a new ip as well as a "show run-config" of your WLC to understand what could possibly be wrong.

But I suggest opening a discussion on the forum rather than putting so much info in this general thread.



Craiglebutt_2 Thu, 06/20/2013 - 03:46

Hi, I've been having the same issue. I found that when we added some mobility anchors to external agencies, this somehow affected our own local mobility group. On the WLAN, on the right hand side, check the mobility anchor for your LAN; there shouldn't be anything in there. We found all different settings. I was told that this was a bug.

hope this helps

Amjad Abdullah Wed, 06/19/2013 - 01:04

Hi Nicolas,

How are you? Hope everything is OK.

I just have a question about allowing the WLC to change the CWmin, CWmax, TXOP...etc. values.

This is currently achieved by a template-based configuration where those values are changed based on the EDCA profile that you use from the EDCA Parameters configuration. But we don't know what values are being chosen for the variables (CWmin, CWmin...etc.), nor are we able to choose custom values for those.

Is there any plan to make those values configurable in the future? Maybe by allowing users to create their own custom EDCA profiles. And at least let the users see what values are chosen for those variables when they choose a pre-defined EDCA profile.

Thank you.


Rating useful replies is more useful than saying "Thank you"

Nicolas Darchis Wed, 06/19/2013 - 05:06

That's a tough and interesting question. I need to dig this further as I don't have this information handy.

Nicolas Darchis Fri, 06/21/2013 - 00:42

Hi Amjad,

I found the answer simply by configuring the setting and sniffing the beacons since it displays the actual settings.

There are no plans to have this configurable as far as I could find out because not many people have a business need for that feature I'm afraid.

WMM timers :

Spectralink :

Voice optimized :

Voice and video optimized :

Custom voice :

Amjad Abdullah Mon, 06/24/2013 - 02:59

Thank you Nicolas,

Yes one can see the values by a wireless packet capture. But I just wondered if making those values at least available (or better, configurable) for users (or the probability of adding the feature to allow users to add their own EDCA profiles).

Thank you anyway for your information.



Rating useful replies is more useful than saying "Thank you"

patrick.kofler Wed, 06/19/2013 - 03:01

Hi Nicholas,

I got two topics for you, where I hope you can help me further.

1.) When configuring advanced timeout values there are two timers, for which I could not find a detailed explanation on what exactly they do.

config advanced ap-primed-join-timeout - Configuration of the AP PRIMED Discovery Timeout

config advanced timers pkt-fwd-watchdog - This is used for preventing a deadlock in fastpath.

Also there is another command config advanced 802.11b/a logging with its subcommands (e.g. channel, foreign, noise etc.) set to off per default. I once tried to enable them but I could not see a difference in the message log of the WLC, which led me to believe that the logs must go somewhere else.

If it is possible can you please elaborate on those commands?

2.) The heartbeat timer for APs is using a predefined count and interval for sending those packets. This can be seen via show ap retransmit all where a (default) stands next to the values. The fast-heartbeat timer however uses a different count of packets, but the same interval as the normal heartbeat.

When I change the count timer the (default) flag disappears, a logical consequence. Now when I observe the timers the heartbeat-timer is working as expected, but the fast-heartbeat timer is now also using the same count as the normal timer.

When trying to revert this change and go back to the default values and taking a look at them the (default) flag does NOT reappear and when I look at the debug of the timers again the fast-heartbeat timer is not using its default values anymore, which should be lower than the normal heartbeat timer.

You can take a look at a debug I made some time ago here:

Do you know if there is a way to restore the default values in such a way that the fast-heartbeat timer uses its true default timers again?



Nicolas Darchis Wed, 06/19/2013 - 05:30


AP Primed timeout is actually "documented" with CSCsw68997. It means the AP should not "freak out" (i.e. reboot) on config changes. It avoids the AP rebooting constantly if you do vlan mapping changes for example.

Also when joining a WLC it will take this time before digesting the new vlan config. It is helpful to buffer and not have the AP change its hreap vlan setting all the time.

The other is related to fastpath, i.e. what replaces the NPU, i.e. the way the WLC forwards traffic since the last generation of WLCs that are CPU-based. I'm not sure why this is even a documented command as it is "don't touch this unless you have a very good reason to !". It changes an internal forwarding timer and the consequences are too complex to be a usable item.

2) That's a very precise query. I will try to look into it but I'm not aware of anything in that regard.

omerpal1190 Wed, 06/19/2013 - 06:33

hi nicolas,

I am trying to connect a Cisco Aironet 1142 (which has been converted into a Lightweight AP already) to the WLC in a Cisco Catalyst 3850. But I am getting the following error when I console into the LWAPP.

Not in Bound state.

*Mar  1 05:26:18.948: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.

*Mar  1 05:26:23.963: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.

*Mar  1 05:26:24.078: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address, mask, hostname APc464.13c2.dc7a

Translating "CISCO-CAPWAP-CONTROLLER"...domain server ( [OK]

*Mar  1 05:26:29.949: %CAPWAP-5-DHCP_OPTION_43: Controller address obtained through DHCP

*Mar  1 05:26:29.950: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.


Cisco Catalyst 3850

ip dhcp pool test
 option 60 ascii Cisco AP c1140
 option 43 hex f104.c0a8.0101

interface vlan 1
 ip address

wlan test 1 test
 client association limit 5
 client vlan 1
 ip dhcp opt82
 ip dhcp opt82 format add-ssid
 ip dhcp required
 ip dhcp server
 ip multicast vlan 1
 media-stream multicast-direct
 no shutdown
ap dot11 24ghz rrm channel dca 1
ap dot11 24ghz rrm channel dca 6
ap dot11 24ghz rrm channel dca 11
ap dot11 5ghz rrm channel dca 36
ap dot11 5ghz rrm channel dca 40
ap dot11 5ghz rrm channel dca 44
ap dot11 5ghz rrm channel dca 48
ap dot11 5ghz rrm channel dca 52
ap dot11 5ghz rrm channel dca 56
ap dot11 5ghz rrm channel dca 60
ap dot11 5ghz rrm channel dca 64
ap dot11 5ghz rrm channel dca 149
ap dot11 5ghz rrm channel dca 153
ap dot11 5ghz rrm channel dca 157
ap dot11 5ghz rrm channel dca 161
ap group default-group
ap group test
 wlan test
  vlan 1


Nicolas Darchis Thu, 06/20/2013 - 02:25


I'm not sure if this is your whole switch/wlc config or not ?

After the wizard, the 3850 config should look like this :

hostname w-5760-3
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY^Q
enable password cisco
line vty 0 15
 password cisco
ntp server maxpoll 4 minpoll 4
ip http authentication local
ip http secure-server
wsma agent exec profile httplistener
wsma agent exec profile httpslistener
wsma agent config profile httplistener
wsma agent config profile httpslistener
wsma agent filesys profile httplistener
wsma agent filesys profile httpslistener
wsma agent notify profile httplistener
wsma agent notify profile httpslistener
wsma profile listener httplistener
 transport http
wsma profile listener httpslistener
 transport https
no snmp-server

no ip routing

interface Vlan1
 no shutdown
 ip address

interface GigabitEthernet0/0
 no ip address

interface TenGigabitEthernet1/0/1

interface TenGigabitEthernet1/0/2

interface TenGigabitEthernet1/0/3

interface TenGigabitEthernet1/0/4

interface TenGigabitEthernet1/0/5

interface TenGigabitEthernet1/0/6

wireless management interface Vlan1



Then to support APs joining, you would need to add :

Important Note:

Ensure that your switch has the right boot command under global configuration, depending on how you installed the software on the switch. If it has been extracted on the flash, then the following boot command is required:

w-5760-3(config)#boot system flash:packages.conf

1. Configure the TenGig interface that is connecting to the backbone network and on which you will have CAPWAP traffic coming in/out. In this document the interface used is TenGigabitEthernet1/0/1. We are allowing on it Vlan1 for management and Vlan100 for client WLAN data.

interface TenGigabitEthernet1/0/1
switchport trunk allowed vlan 1,100
switchport mode trunk
ip dhcp relay information trusted
ip dhcp snooping trust

2. Configure default route out:

ip route

3. Prepare the WLC for WEB GUI Access:

The GUI can be accessed via https:///wireless.

The username password is the privilege 15 username/password defined on the first configuration line below.

username admin privilege 15 password 0 admin
ip http server
ip http authentication local
ip http secure-server

wsma agent exec
profile webui_service
profile httplistener
profile httpslistener
wsma agent config
profile webui_service
profile httplistener
profile httpslistener
wsma agent filesys
profile webui_service
profile httplistener
profile httpslistener
wsma agent notify
profile webui_service
profile httplistener
profile httpslistener
wsma profile listener webui_service
wsma profile listener httplistener
transport http
wsma profile listener httpslistener
transport https

4. Ensure wireless management interface is correctly configured

wireless management interface Vlan1

w-5760-3#sh run int vlan 1
Building configuration...

Current configuration : 62 bytes
interface Vlan1
ip address

w-5760-3#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
Vlan1            YES NVRAM  up                    up
Vlan100             YES TFTP   up                    up
GigabitEthernet0/0     unassigned      YES unset  down                  down
Te1/0/1                unassigned      YES unset  up                    up
Te1/0/2                unassigned      YES unset  down                  down
Te1/0/3                unassigned      YES unset  down                  down
Te1/0/4                unassigned      YES unset  down                  down
Te1/0/5                unassigned      YES unset  down                  down
Te1/0/6                unassigned      YES unset  down                  down
Capwap2                unassigned      YES unset  up                    up

5. Ensure you have enabled license with the right ap count

Note: The 5760 does not have activated license levels, the image is already ipservices

Note: 5760 acting as MC can support up to 1000 APs

w-5760-3#license right-to-use activate apcount slot 1 acceptEULA

6. Ensure you have configured the correct country code on your WLC in compliance with the regulatory domain of the country the AP(s) will be servicing in and in compliance with the regulatory domain of the AP(s)

w-5760-1#show wireless country configured

Configured Country.............................: US  - United States
Configured Country Codes
    US  - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

w-5760-1(config)#ap dot11 24ghz shutdown

w-5760-1(config)#ap dot11 5ghz shutdown

w-5760-1(config)#ap country BE
Changing  country code could reset channel and RRM grouping configuration. If  running in RRM One-Time mode, reassign channels after this command.  Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
w-5760-1(config)#no ap dot11 24ghz shut
w-5760-1(config)#no ap dot11 5ghz shut
Building configuration...
Compressed configuration from 3564 bytes to 2064 bytes[OK]

w-5760-1#show wireless country configured

Configured Country.............................: BE  - Belgium
Configured Country Codes
    BE  - Belgium : 802.11a Indoor,Outdoor/ 802.11b / 802.11g

7. Ensure that your AP(s), on whatever VLAN they are, will be able to learn the IP address of the WLC in this example via DHCP option 43, DNS, or any other discovery mechanism in CAPWAP.

8. Ensure that your AP(s) have joined:

w-5760-3#show ap summary
Number of APs: 1

Global AP User Name: Not configured

Global AP Dot1x User Name: Not configured

AP Name                           AP Model  Ethernet MAC    Radio MAC       State


APa493.4cf3.232a                  1042N     a493.4cf3.232a  10bd.186d.9a40  Registered

9. Useful debugs for troubleshooting AP join issues:

3850a#debug capwap ap events

capwap/ap/events debugging is on

3850a#debug capwap ap error

capwap/ap/error debugging is on
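
The `option 43 hex f104.c0a8.0101` line in the DHCP pool above and the option 43 discovery in step 7 use a type-length-value layout for Cisco lightweight APs: sub-option type 0xf1, a length of 4 bytes per controller, then the controller IPv4 addresses. The following is an added example, not part of the original posts; the function names, the second controller address and the approved-controller list are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

# Sub-option type that Cisco lightweight APs look for inside DHCP option 43.
CISCO_WLC_SUBOPTION = 0xF1


def _hex_to_bytes(value: str) -> bytes:
    """Accept IOS dotted hex (f104.c0a8.0101) as well as plain or colon-separated hex."""
    cleaned = value.replace(".", "").replace(":", "").replace(" ", "")
    try:
        return bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not valid hex: {value!r}") from exc


def decode_option43(value: str) -> List[str]:
    """Return the controller addresses carried in an option 43 hex string."""
    raw = _hex_to_bytes(value)
    if len(raw) < 2:
        raise ValueError("option 43 value is too short to hold type and length")
    sub_type, length, payload = raw[0], raw[1], raw[2:]
    if sub_type != CISCO_WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}, expected 0xf1")
    if length == 0 or length % 4:
        raise ValueError(f"length {length} is not a positive multiple of 4")
    if length != len(payload):
        raise ValueError(f"length byte says {length}, payload has {len(payload)} bytes")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


def encode_option43(controllers: Iterable[str]) -> str:
    """Build the dotted hex string for 'option 43 hex ...' from controller IPs."""
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if not payload:
        raise ValueError("at least one controller address is required")
    if len(payload) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    hexstr = (bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload).hex()
    # IOS prints and accepts the value in groups of four hex digits.
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def unapproved_controllers(value: str, approved: Iterable[str]) -> List[str]:
    """List addresses handed out by option 43 that are not on the approved list."""
    allowed = {str(ipaddress.IPv4Address(ip)) for ip in approved}
    return [ip for ip in decode_option43(value) if ip not in allowed]


if __name__ == "__main__":
    pool_value = "f104.c0a8.0101"  # value from the DHCP pool posted above
    print(decode_option43(pool_value))
    # Constructed two-controller example.
    print(encode_option43(["192.168.1.1", "192.168.1.2"]))
    # Constructed approved list: only the first controller is expected.
    print(unapproved_controllers("f108.c0a8.0101.c0a8.0102", ["192.168.1.1"]))
```
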

patrick.kofler Fri, 06/21/2013 - 02:41

Hi Nicholas,

Thanks for the clarification. So this timer is actually used for Flexconnect APs only? I will try to test it, as it is off per default (timer set to 0)

Do you also have by chance more information about config advanced 802.11b/a logging?

Regarding point 2 hopefully you find something.



Nicolas Darchis Sat, 06/22/2013 - 01:11

It seems to enable RF event logging for that band. For example Channel updates, coverage profile, noise profile, txpower updates ...

Manannalage ras... Thu, 06/20/2013 - 21:57

Hi Nicolas

Would you be able to explain how "off-channel Scanning" works. I would like to clarify the following points specifically

1. Does it work only for the upstream packets coming from wireless clients with WMM UP values ?

2. Could downstream traffic (from AP to Client) trigger off-channel scanning ? In other words, if the AP has packets to send to clients with configured UP values, does off-channel scan trigger?

3. If I want to configure this feature for Best Effort traffic should I select both UP values 0 & 3  or  only 0 ?

I saw your response to this post & went through the config guide explanation, it still confuses me.


Nicolas Darchis Fri, 06/21/2013 - 00:46

1. Yes

2. No (it is the same question as number 1 in reverse right ?)

The idea is that if the AP has to send QoS frames to the client, it can send it when it is not off-channel (since it's the AP controlling when it goes off channel) so there is no impact and no need to defer in that direction. Only when clients are transmitting QoS frames, we need to make sure the AP is on the channel listening to it.

But typically if there is QoS, the client is replying to downstream at some point. Pure one way QoS is awkward.

3. Only 0 should be sufficient. I have never seen a laptop sending best effort traffic tagged with 3.

If you configure the feature for best effort, it's basically the same thing as disabling off channel scanning completely. It's good for your operations (more AP on channel time) but you will be blind 100% to rogues and APs won't be capable of evaluating if other channels are maybe better suited from RRM perspective.

Manannalage ras... Fri, 06/21/2013 - 02:15

Hi Nicolas,

Thanks for the clarification.. it makes more sense the way you describe it.

I took Best Effort (Silver profile traffic) as an example & the documents say it can be either UP=0 or UP=3.



Nicolas Darchis Fri, 06/21/2013 - 02:18

That is absolutely correct. But laptops by default send best effort traffic and leave the UP field empty (=0). So yes 3 also means best effort, but no drivers on earth bother to write "3" when leaving 0 does the same effect.

robertssean Fri, 06/21/2013 - 02:26


Question regarding USB ports 0 & 1

Can these ports be used? If so how are they enabled? I have a USB drive in port 0 but no green light on, is there something I am missing? My wlc 5508 is running ver



Manannalage ras... Fri, 06/21/2013 - 02:30

Hi Nicolas,

When configuring DHCP option-82, we normally enable it for dynamic interfaces where users are connected (to get an idea about the point of attachment of a user).

In Auto-Anchor configuration for guest users do we need to enable this on the management interface (where the guest WLAN is mapped to the management interface on foreign controllers) of foreign WLCs ? Or do we only need to configure it on the Anchor Controller dynamic interface where guest users get an IP ?


Nicolas Darchis Fri, 06/21/2013 - 04:12

Option 82 is not yet supported in anchor scenario. The problem is that it's the anchor doing DHCP and it's the foreign having the ap mac address information.

It is not entirely impossible as you could imagine the foreign WLC "telling" via mobility protocol the anchor about the current AP mac address, but it is not happening at this stage. I heard several customers request it but did not hear it coming as a new feature soon.

Manannalage ras... Fri, 06/21/2013 - 02:45


Which version of the WLC code (for 5508, 3850 & 5760) will support 802.11ac  for 3600 AP with .11ac module ?


Nicolas Darchis Fri, 06/21/2013 - 02:49

7.5 on 5508 and similar

the 3850/5760 run a different kind of code and do not support 11ac at this time. I don't have the information on the availability there. I would guess in the coming release though.

patrick.kofler Fri, 06/21/2013 - 02:48

Hi Nicholas,

I'll post this question separately as it does not relate to the previous inquiry.

There are two boot modes for the NGWCs 5760/3850 - Bundle and Install.

When I read the documentation it seems the bundle mode does not yield any advantages over the install mode, in fact it has some limitations to it like AP Image predownloading not supported.

This leaves me the question why this mode actually exists?

Can you please elaborate a bit more on the bundle mode?




