
Ask the Expert: Still Facing Challenges of Designing, Deploying, and Troubleshooting Wireless Networks?

Sep 19th, 2013

Configuring and Troubleshooting Border Gateway Protocol (BGP) With Flavien Richard

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to overcome the challenges of planning, designing, deploying, and troubleshooting wireless networks with expert Flavien Richard.

High density, high availability, converged access, unified access, radio resource management, and site surveys: What do they have in common? They’re all complex and difficult to understand and implement properly, but there are tips and rules to follow that will make your life easier. Expert Flavien Richard will share best practices and make recommendations for the different phases, technologies, and features around enterprise wireless networks.

Flavien Richard is a technology solutions architect in the Borderless Networks team in France. He is an expert in wireless and mobility topics and serves as an escalation point of contact in the European theater. This gives him visibility over most of the biggest projects in EMEA. He is a technical interface between the Wireless business unit and Cisco customers, partners, and employees to help define and prioritize the new features and products for the mobility market. He is a frequent speaker and session manager at Cisco Live and other Cisco events on mobility. He also was a contributor to the writing of the first Wireless CCIE exams.

Remember to use the rating system to let Flavien know if you have received an adequate response.

Because of the volume expected during this event, Flavien might not be able to answer every question. Remember that you can continue the conversation in the Wireless Community, subcommunity Getting Started with Wireless shortly after the event. This event lasts through October 4, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

regpugh Tue, 09/24/2013 - 12:53

Excellent Resource and Timely topic

Flavien, thanks for taking on this topic:

This question/comment is to discuss designing networks and performing site surveys, especially those that are used to support smartphones. It has always been, but more than ever is becoming, the users' portal to the internet to avoid 3G/4G data charges, with multimedia for video/voice applications including Netflix, Hulu, Skype, iTunes.

What is your recommendation for such environments? Granted, we are moving to the use of 802.11a/n/ac in future devices. Should the next design guides reflect that scenario? Take on designing to support context awareness, location tracking since old guide requires at least from the client's perspective a minimum of 3 APs at -75dBm. Should we be changing that with these so-called weaker devices with 802.11an/ac support? I know you can sprinkle in some APs in Monitor mode. But what AP would you consider the best to use as a monitor mode AP given the presence of 802.11ac?

Thanks in advance.

frichard Thu, 09/26/2013 - 11:39

Hi Reginald,

If I understand your question well, you mainly want to know how to design a network with growing numbers of weaker transmitting devices that consume even more bandwidth than laptops, for instance?

First, I would say that you definitely have to use advanced MIMO technologies like MRC (Maximal Ratio Combining) to receive better than usual MLR (Most likely receiver) on 802.11n for those clients. By using MRC, you can virtually gain up to 3 to 4.5 dB of gain in your access point from those weaker devices.

Second, I would say that, as you mentioned, getting most of the clients on 5GHz compared to 2.4 GHz will greatly help, as there are so many more channels and you can bond multiple 20 MHz channels on this frequency, using 802.11n and 802.11ac, even with single spatial stream clients like the smartphones that you are referring to. BandSelect could be of help here.

Third, if you see that there is too much noise on the 2.4GHz coming from co-channel interference from your own APs, you can still disable, per AP, the "admin status" of the Radio, which will allow the AP to only service 5GHz, and therefore not add more potential co-channel interference in a crowded environment.

Last, you can deploy external antennas Access Points, with more directional antennas (patch most of the time - pointing downwards towards the clients), which will allow the AP to focus the reception on the area of antennas' Azimuth and Elevation planes. By doing this, the AP will essentially get better reception from the clients in its zone of coverage, and virtually filter out those clients that are not where the AP should be listening and talking to them. This will also allow RRM to reuse the same channel more often on the same floor, for instance, and will then allow more APs to be deployed in the same area with less interference overall between access points on the floor.

Regarding the Location tracking part of your question, what you mention is still valid. To do some kind of triangulation, the system has to see the client from at least 3 different access points. There are 2 ways to enhance the accuracy:

- you either get a beacon on multiple channels almost at the same time (this is the principle behind the active WiFi tags), so that APs on different channels can catch the signal and attach it to the same client,

- or you can use Access Points that are looking for multiple channels sequentially, so they can catch beacons coming from the same client on multiple channels (that is the principle behind the Monitor Mode AP).

In the case of 802.11ac, there still is a primary channel when you bond multiple channels together, so the beacons can be heard from non-11ac access points in the neighborhood. Hence, an 802.11n access point in Monitor mode can still be working to listen to 11n and non-11n clients for context awareness. Nevertheless, as 802.11ac is going to have much fewer bonded channels than 11a/n, the 2.4GHz location advantage over 5GHz will be diminishing over time because an 11ac deployment will use a much smaller number of channels to listen to in order to do location tracking. Therefore, to combine 802.11ac and context awareness, it is a very good idea to use the 3600 with its 802.11ac module already, not as a Monitor mode AP, but as a normal servicing AP with clients and also do the Location tracking function at the same time.

Hope this answers your questions,

Best Regards,


huangedmc Wed, 09/25/2013 - 11:24

hi Flavien,

-Fast Reconnect / Fast Transition

Is Fast Reconnect generally recommended for customers that use PEAP?

Does it work w/ both L2 & L3 roaming?

Ditto for Fast Transition.

Is there a caveat w/ Fast Reconnect that we should watch out for?

Why does this Cisco doc suggest to disable Fast Reconnect as a troubleshooting step?


-FlexConnect/H-REAP Roaming

What is the expected behavior for L2 & L3 roaming in a FlexConnect deployment?

Are both supported, or only L2?



frichard Thu, 09/26/2013 - 12:17

Hi Kevin,

The main issue we see with Fast Reconnect is that it has to be BOTH on the client and on the Radius server (IAS, ACS, etc.) to work properly. If both are the same, there should be no issue, for L2 and L3 roaming, as long as the WLAN/SSID points out to the same Radius server in both the originating WLC and the destination WLC.

Please see this TechNet note for more info and the vulnerabilities to check out for:

Regarding Fast Transition (802.11r), please have a look at this description and the "restrictions" section:

Eventually, regarding your question on FlexConnect roaming, indeed, and by design, the Fast Secure roaming can only happen at layer 2 between Access Points in local switching mode. A Layer 3 roam would mean that the client has to re-DHCP with local switching, which is not possible without a full reauthentication of the client, hence the only way of doing Fast Secure Roaming within the same subnet in FlexConnect local switching.



PS: In FlexConnect Central switching, as you cannot spread the same FlexConnect group in multiple controllers who would not be sharing the same subnet attached to the SSID, you cannot have a L3 roaming happening anyhow, so I restricted your question to FlexConnect local switching.

regpugh Thu, 09/26/2013 - 13:34

Thanks Sir. Appreciate the insight. Can you elaborate on the Coverage Hole Detection? Is it using RSSI or SNR as the means to adjust AP power?

There are conflicting documents that reference SNR, then RSSI values. Which is right?


frichard Thu, 09/26/2013 - 14:35

Since WLC version 5.0, the CHD (Coverage Hole Detection) algorithm has solely been using Client RSSI values.

Prior to that (3.x, 4.x), it used to be based on a calculation between the local noise and the client RSSI, creating a metric that could be assimilated to an SNR value.

Bottom line is: only RSSI for quite some time now...


egordon310 Thu, 09/26/2013 - 15:56

Hi Flavien,

What are your recommendations for spacing the Access Points in an indoor environment? thanks in advance for your help on this.


frichard Fri, 09/27/2013 - 03:36

Hi Evan,

If you are planning for regular coverage of 802.11n APs in an office environment (laptops, tablets, phones for data) and use omnidirectional antennas, the rule of thumb is to place the Access Points about 25 meters apart from each other.

If you need to do location tracking, Voice over Wireless LAN coverage, or high-density deployments, we are recommending to place Access Points 17 meters apart from each other, in general, with omnidirectional antennas.

Nevertheless, even though RRM is very powerful and should be used 99% of the time, a proper Site Survey of the building has to be conducted prior to the deployment of the Network, in order to determine the best coverage for a given facility, based on materials used for instance.

Regards. Flavien.

regpugh Fri, 09/27/2013 - 04:37

Flavien, in reference to RRM and making use of RF Profiles adjusting the TPC thresholds: this question may seem all over the map, but I think you will get the gist of my train of thought.

What is your recommendation of using RF profiles in multifloor buildings, or do you just recommend it per entire building? Have to consider data rates, roaming, etc. I know a proper physical site survey is key and always recommended. However, from past and present experiences many make use of the WCS/NCS/Prime planning tools and base the AP layout on that model or through some other professional survey planning tool that recommends the layout.

Granted, not all buildings attenuate RF well, but with the better radios in the 3600s and the next 802.11ac capable AP from Cisco, I see more clients becoming sticky and gravitating to these radios because of the "better ears" per se.

I do see there is a means to limit the number of clients per AP and do recommend using that feature after dealing with the default of 200. Not sure if that is a realistic number to allow on an AP between the two bands, but again it depends on the application support.

Hence my concern with interfloor RF. Location tracking requires more ears (APs) to listen to the probe request of clients and report that back to the WLC so that the MSE can make sense of it then it can be mapped on the floor plans.

Is there such a thing as "too many" APs in Monitor Mode for location tracking? I do understand you can place the APs in local mode and "admin disable" the 2.4 GHz radio for less CCI - that is common and you did mention that in a previous response.

Lastly:  Since location tracking relies on client probes...if clients are not constantly probing /in sleep mode. Location accuracy can suffer significantly ?

Thanks in advance.

frichard Sun, 09/29/2013 - 16:43


I think that this document should be a very good read for you if you haven't read it already:

This is the High Density Design Guide.

Most of the people who I am working with wouldn't take the time and effort to define all parameters differently for each floor of a building using AP Groups and RF profiles. What I usually see is the definition of special areas for high density, or with high ceilings with the specific TPC thresholds for this environment, and the standard RRM for the rest of the network.

Nevertheless, if you have the possibility and the willingness to go the extra mile and deploy it that way, this can be done, and you can even create a one-to-one AP to AP Group relationship in most of the WLCs (500 in the 5508, 1000 in the 5760 and WiSM-2, 6000 in the 7500 and 8500) except the 2504.

Regarding the rest of your questions:

- Is there such thing as "too many" APs in Monitor Mode for location tracking? --> No.

- [...] Location accuracy can suffer significantly ? --> Yes, absolutely, and this is why some Apps writers are forcing, on certain platforms, the device to send probes much more often, in order to improve network location visibility, and, therefore, accuracy.



regpugh Mon, 09/30/2013 - 02:39

Thanks Sir, will reread the guide. This does clarify things. Mastering RRM should be a class all by itself: especially when it comes to deploying for high density or even location.


Manannalage ras... Sun, 09/29/2013 - 15:29

Hi Flavien,

What is the best practice around new 3850 switches wireless management interface? Is it a good idea to have separate mgt interface for wireless management different to switch management SVI?


frichard Sun, 09/29/2013 - 16:13

Hi Rasika,

The wireless management interface and the switch management can be set independently in the same or in different vlans, as you know. There is no correlation between them. Nevertheless, one needs to take into account that the "wireless management interface" vlan has to be locally served on the switch as it needs to be the same as the directly attached access points to the 3850 switchports. If you have a deployment with numerous access points and use the same switch management and wireless management vlans in your entire network, you have to consider that each switch and each AP take an IP address in this spread management vlan, and then, it could make sense to separate wireless management interfaces' vlans geographically (one per wiring closet, or one per building), for instance, and not spread across the network like your management vlan.



PS: it may seem obvious to many, but it may be worth mentioning to some that, like for the wired clients, wireless client access vlans should be set totally different from the AP vlan, especially if you use the same switch and wireless management vlan...

Manannalage ras... Sun, 09/29/2013 - 18:53

Hi Flavien,

Thanks for the explanation & it helps. If this is the case I prefer to have separate wireless mgt interface to sw mgt in order to better capacity planning (for wired sw & APs) & reporting perspective.

At the moment in my campus we are having L2-Access model (100s of 3750x/G stacks) with vlan span across multiple buildings with aggregation to dual 6506-E (no VSS yet). Therefore having two separate /23 for SW-Mgt & WAP-Mgt for a given distribution block. We are in the process of moving to 3850 as standard access switch model & later on enable WLC functionality in each of the stacks.

Will this be problematic when moving to 3850? i.e. having 3850 wireless management vlan span on to multiple buildings. Are there any implications to mobility or any other aspects of this CA deployment?



frichard Mon, 09/30/2013 - 10:49

Hi Rasika,

I have been working on a document that is not public yet and that includes a section on IP Addressing. I am copying the entire section here as it should help you understand the pros and cons of Wireless ACCESS vlan deployments.


The options cover a range of cases and highlight the pros and cons of different design choices that involve dealing with same or different IP address pools for wireless and wired traffic, differentiated policy assignment, and ease of implementation.

Option 1. Separate Wired and Wireless VLANs Per Wiring Closet

This option separates wired and wireless VLANs per wiring closet, as shown in the following figure. In this example, there is a pair of VLANs in each closet. This is a simple design that allows the application of separate policies per VLAN to wireless and wired users and eliminates any contention for DHCP between wired and wireless.

However, because wireless clients are moving, it is important to consider how large the subnet must be for that wiring closet to accommodate these non-static clients. For wired connectivity, it is necessary only to count the number of available ports. Wireless usage is much more dynamic, so it is harder to determine the size of the DHCP scope that is required, and thus some of the IP address space as allocated might be wasted simply to accommodate for the maximum possible number of wireless clients that could potentially appear on the network simultaneously.

This approach for IP addressing is applicable mainly to a small or medium sized site or branch, where predicting the maximum size of the wireless subnets needed is easier, based on user and device populations at the small to medium branch involved.

Option 2. Merged Wired and Wireless VLANs Per Wiring Closet

In this option, the VLANs are merged and the same subnet is used for wired and wireless for each wiring closet, but separated for different wiring closets. For example, VLAN 11 is used for wired and wireless on wiring closet one, VLAN 21 for the second and so on. The main advantage of this option is in saving IP subnets, and thus conserving the associated IP address space to the greatest extent possible. There is still the challenge of sizing subnets, and as well there is the possibility in this deployment option of IP address space contention between wired and wireless clients, since wired and wireless users are mapped into common subnets in this deployment option. Wireless clients could consume all of the IP addresses within a given subnet, resulting in insufficient addresses for wired clients (or vice versa). Moreover, it is not possible to apply separate wired and wireless policies using VLAN based policies alone in this deployment option.

Option 3. Wired VLANs Per Wiring Closet and Spanned Wireless VLANs

This option is a hybrid with separate wired subnets and one wireless subnet spread across multiple wiring closets below a common distribution layer. This deployment option retains the advantage of a separate per-VLAN policy for both wired and wireless users, and avoids IP address space contention between these user communities, as wired and wireless clients are still mapped into separate VLANs. Fewer IP subnets are needed because wireless clients are grouped into a single VLAN (per SSID) below the distribution layer.  This deployment option typically requires a VSS deployment at the distribution layer or a single distribution switch with multiple supervisors, to avoid Layer 2 loops and any associated spanning tree blocking / forwarding issues.

Important information on what I said on my previous post about directly connected APs and vlans, with more details:

As an MA, the Catalyst 3850 supports only direct attached APs. For the AP to register, a management wireless VLAN interface (such as VLAN 20) to which the AP is connected is needed. If the AP is in any other VLAN, it cannot register, and an error message is generated on the console. This is because the wireless management interface Vlan command, which activates the MA functionality, intercepts the CAPWAP messages and processes only those from the designated wireless management VLAN (into which all of the APs connected to this Catalyst 3850 must be deployed). If the command is not employed on the switch, the Catalyst 3850 functions just as any other Layer 2 or Layer 3 switch (CAPWAP passthrough), and the AP can be connected and registered to any other controller within the larger network.
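A configuration check for the two VLAN rules stated in this reply and in the earlier PS (AP ports must sit in the wireless management VLAN; wireless client VLANs must differ from it), as an added example that is not part of the original thread or any Cisco tooling. The config excerpt is constructed, recognizing AP-facing ports by an `AP-` description prefix is an assumption, and `client vlan` is compared only when given as a numeric ID.

```python
import re

# Constructed sample of a Catalyst 3850 running-config excerpt (not from the thread).
SAMPLE_CONFIG = """\
wireless management interface Vlan20
!
wlan CORP 1 CORP
 client vlan 100
 no shutdown
wlan LAB 2 LAB
 client vlan 20
 no shutdown
!
interface GigabitEthernet1/0/1
 description AP-floor1-east
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/2
 description AP-floor1-west
 switchport access vlan 30
 switchport mode access
!
interface GigabitEthernet1/0/3
 description user-port
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/4
 description AP-floor1-lobby
 switchport mode access
"""


def parse_blocks(text):
    """Group the config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def audit(text, ap_pattern=r"^AP-"):
    """Return (object, problem) findings for the VLAN rules described above.

    ap_pattern is a hypothetical site naming convention for AP-facing ports.
    """
    blocks = parse_blocks(text)

    mgmt_vlan = None
    for head, _ in blocks:
        m = re.fullmatch(r"wireless management interface Vlan(\d+)", head, re.I)
        if m:
            mgmt_vlan = int(m.group(1))
    if mgmt_vlan is None:
        # Without the command the switch only passes CAPWAP through.
        return [("global", "no wireless management interface configured "
                           "(CAPWAP passthrough, APs will not terminate here)")]

    findings = []
    for head, body in blocks:
        if head.startswith("interface "):
            desc = next((l[len("description "):] for l in body
                         if l.startswith("description ")), "")
            if not re.search(ap_pattern, desc):
                continue
            vlan = 1  # an access port with no explicit VLAN stays in VLAN 1
            for l in body:
                m = re.fullmatch(r"switchport access vlan (\d+)", l)
                if m:
                    vlan = int(m.group(1))
            if vlan != mgmt_vlan:
                findings.append((head.split()[1],
                                 f"AP port in VLAN {vlan}, wireless management "
                                 f"is VLAN {mgmt_vlan}: AP cannot register"))
        elif head.startswith("wlan "):
            for l in body:
                m = re.fullmatch(r"client vlan (\d+)", l)
                if m and int(m.group(1)) == mgmt_vlan:
                    findings.append((head.split()[1],
                                     f"client VLAN equals AP/management "
                                     f"VLAN {mgmt_vlan}"))
    return findings


if __name__ == "__main__":
    for obj, problem in audit(SAMPLE_CONFIG):
        print(f"{obj}: {problem}")
```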



Manannalage ras... Mon, 09/30/2013 - 12:38

Hi Flavien,

Thank you very much for such a detailed explanation of each different option. Looking forward to seeing such a valuable document available to us to use as a design guide in this new deployment model.

If I understood correctly most preferred option  for us is to go with "Spanned Wireless vlan". There is a pre-requisite VSS implementation at distribution layer to avoid any possible l2-looping issues.

Thanks again


frichard Mon, 09/30/2013 - 13:19


In your case, with the current network that you describe, Option 3 seems to be a good fit, indeed.

Best regards,


Manannalage ras... Tue, 10/01/2013 - 05:29

Hi Flavien,

I read your response a couple of times and now I have another question on that. I understand for the wireless users better to have span vlan across building to have less IP contention.

Is this applicable to "wireless management vlan" as well? Let's say we have 5 buildings (each 3 stories & having switch stack in each level). Assuming less than 10 APs in each floor and allocating 10 IPs for wireless management (for AP & SW wireless mgt). We do not want to control AP IPs too much & below is for an example scenario,

BLD1-L1 -

BLD1-L2 -

BLD1-L3 -

BLD2-L1 -







When allocating DHCP for the AP, does this require local DHCP pools in each stack pointing to its own SVI as gateway for the AP mgt dhcp scope? Or could we have single DHCP scope (somewhere in central DHCP server) pointing to SVI defined at Distribution layer (6506) for these buildings if we have SVI on the same vlan as wireless mgt. For example

In other words, if AP gets a default gateway different to local 3850 SVI IP (but on the same subnet as wireless mgt IP of 3850 stack) will that impact the CAPWAP termination of that switch stack?

We would like to have central DHCP solution even for AP mgmt & would like to know that design rule can be maintained in the given scenario

Hope this is clear


frichard Tue, 10/01/2013 - 10:49

Hi Rasika,

You can have a central DHCP scope for Access Points, and not use a local DHCP pool in the stack to do what you want and describe here. The default gateway parameter returned by the DHCP server won't be specific per stack, as it is the normal default gateway of the subnet. The switch itself on each floor will intercept the CAPWAP join request on the wireless management interface subnet locally, which will let it join the converged access stack.


Manannalage ras... Mon, 09/30/2013 - 13:21

Hi Flavien,

What is the feature set requirement for a 3850 to operate as MC/MA? Does it require "ipbase" or "ipservices"?

If 3850 comes with "lanbase" can it operate as MC/MA?



frichard Mon, 09/30/2013 - 13:31

Lanbase does not have any Wireless termination support, so, you can only work in passthrough mode indicated above with this license.

Both ipbase and ipservices will allow Wireless support and termination the same way, and allow for MA and MC functionalities (to activate MC you also need AP licenses on the switch or stack, not on the MA itself).



Manannalage ras... Mon, 09/30/2013 - 13:36

Hi Flavien,

Thanks for this information, This is a very important piece of information when planning to roll-out 3850 in large scale. If you want to terminate APs locally on the switch stack & stack to act as a WLC, then you should have minimum "ipbase" feature set.



Sandeep Choudhary Tue, 10/01/2013 - 05:46

Hi Flavien,

I am not sure that this question belongs to this community or .....

We had implemented the Cisco ISE for Guest access.

I have some questions regarding (via Cisco ISE sponsor portal) Guest email notification via Sponsor account.

Right now we have this kind of structure for Guest email notification:

Welcome to the XYZ Guest Portal.

Your guest account details:

Username: aefgh
Password: 4Z7Pk
Valid From: Mon Sep 30 10:15:45 CEST 2013
Valid To: Mon Sep 30 18:15:45 CEST 2013


Now I want to add my company logo in this notification (Email as well as in print format).

Can you please guide me to place my company logo in this notification?


snarayan62 Tue, 10/01/2013 - 09:02



Please explain the two layer security in wireless mobility  because one of my client wants the new wireless mobility with two layers security

Thanks and Regards


frichard Tue, 10/01/2013 - 22:23


Can you please help me understand your question and be a little more specific on what you want me to let you know?



snarayan62 Tue, 10/01/2013 - 22:39

Hi Flavien

I want to know regarding double layer security like authentication on Controller and AP differently.

Secondly he wants to know that can only one SSID be used for different building for continuous communication



frichard Wed, 10/02/2013 - 00:15


For the first question on double authentication, please have a look at this document, as this is possible on wireless Lan controller versions 7.4 and above:

Regarding setting up the same SSID between buildings for seamless roaming, this is definitely something that we recommend, and that is made possible to easily deploy thanks to our Wireless Lan controllers, both standalone like 5760, 5508, 8510s, or integrated into the switches for converged wired and wireless access like the 3650 and 3850.



snarayan62 Wed, 10/02/2013 - 02:25

Hi Richard

Thanks for your early response and give reference I read it and it is beneficial to explain the client in this regards



fziliott Tue, 10/01/2013 - 12:42

Hi Sandeep,

As of today there is no option to modify the notification template used to email/print/sms the guest account details.

This feature is being looked at for future releases.

Hope this answers your question,


renoufi Tue, 10/01/2013 - 17:45

Bonjour Flavien!

I recently discovered that the Cisco 1552 outdoor APs don't fully support wIPS when used as an LWAPP. I was wondering why an outdoor access point which has military style physical protection and would presumably be more open to electronic attack, would be lacking in some IPS functionality that is standard for indoor APs?

frichard Wed, 10/02/2013 - 01:58

Hi Renoufi,

The 1552 is an industrial grade, outdoor rated access point. It has primarily been designed for Outdoor Mesh environments, and has been optimized with a wireless network self-building optimization in mind.

It is fully compatible and supports the integrated controller WIDS features (the signatures in the controller that you can also customize), but, as you mentioned, it is not designed to be used with the Advanced wIPS, using the MSE.

Would you be willing to use the 1552 as a Local mode AP with wIPS (no Mesh but serving clients and reporting to MSE for forensics for instance), or as a Monitor Mode AP dedicated to wIPS?



tsparks143 Wed, 10/02/2013 - 08:40

Hi Flavien,

I am currently supporting a service provider network with client exclusions configured for clients that attempt to use an IP assigned to another device. I have over 700 client exclusions presently but the worrying thing is most of them have this message 'client xx.xx.xx.xx.xx.xx ( which was associated to interface 802.11b/g/n on APxx is excluded. The reason is code 3(attempted to use IP address assigned to another device)'. The IP address that was attempted to be used is Please can you explain why this is likely to happen.

Also at what stage do we say a client is associated to a Cisco AP? is it after a dhcp offer has been made?


huangedmc Wed, 10/02/2013 - 23:10

hi Flavien,

Is it correct to say the 3850's are targeted for those who only need small WLC's (MC feature) at each campus?

What benefits would we gain w/ the 3850's MC, or MA wireless features, when we already have centralized deployment w/ NCS, WiSM2 & 8510's, and FlexConnect AP's dumping traffic to be switched/routed locally?

It may be a great option for some other folks, but for my deployment, using the 3850's for wireless actually adds additional management overhead, w/ little or no


I read somewhere that the AP's need to be "locally attached" to the 3850's.

Can they be L2 hop's away, attached to 2960's, which uplink to 3850's, or do the AP's need to physically connect to the 3850's?


Now that the 3650 & 3850's provide MC wireless feature for 25 & 50 AP's, is there any reason why anyone would want to purchase a 5508 w/ 25 or 50-AP license?

Are there wireless features that are only available on a pure WLC platform (5508 & 5700), and not on 3650/3850's?


Is the wireless functionality handled by a soft-module, which is handled & managed separately from the L2/L3 IOS switching & routing, or is everything mixed together?

In other words, when you do "show run" on 3850, does it include all the wireless MC/MA config as well like on a 871 router, or do you have to "session" to a separate virtual device, like a 881 router?

thanks in advance,


frichard Thu, 10/03/2013 - 01:47

Hi Kevin,

These are a lot of questions in just one post. Let me try to capture them all, but, before I begin, I would recommend you to have a close look into this document:

Cisco Catalyst 3850 Switch Deployment Guide

For your first question, this is a definite NO. The Converged Access deployment mode is an option for branch offices as well as for large campuses. As you will be seeing here (the entire paragraph is very useful to understand the different deployment scenarios),

the Cisco Catalyst 3850 Switch can serve as an integrated wireless LAN controller for up to 50 directly attached Cisco access points and 2000 clients per stack. The Cisco Catalyst 3850 Switches can also form the basis of a deployment that supports up to 250 Cisco access points and 16,000 clients. AND, if you have more than 250 APs and/or 16000 clients, it can serve as Mobility Agent and you can still have 5508, WiSM-2 or 5760s as Mobility Controllers, and reach up to enormous numbers like 72000 Access Points and over 1 million wireless devices supported with this architecture.

The comparison between FlexConnect APs in the Campus and the Converged Access model is a great one, but, due to the size of the FlexConnect Groups, and the unavailability of L3 roaming for locally switched wlans, you cannot deploy a campus with this design. As a result, a deployment like that one with Converged Access will add much less additional management overhead than the FlexConnect local switching one. Eventually, when you are refreshing the Switching infrastructure, the configuration of the equipments for Wired and Wireless will be much more streamlined than a deployment of the switching infrastructure independently from the Wireless infrastructure.

Using the 3650 or 3850s offer many benefits in a campus deployment, including the Visibility of both the wired and wireless traffics, often from the same users who either plug in their laptops or use the same devices wirelessly. It also provides a relief of the datacenter links by optimizing the datapath, for wired and wireless Multicast for instance, or also to the Internet, not having to go back all the way to the datacenter encapsulated and leave it again to reach the Internet Gateway, which doesn't reside in the same network block most of the time.

Quite a few other benefits can be mentioned, like the more advanced, hierarchical QoS that can be applied properly at the closest point of access into the network, both wired and wireless, as well as the same downloadable ACLs for the users who connect sometimes wirelessly, and sometimes through the Ethernet port. All of these benefits may or may not appeal to you and/or apply to your environment, but Cisco is offering you the choice of architecture, and, more importantly, lets you migrate from one to the other easily as any 1600, 2600, 3600 access point bought today can be in Autonomous IOS, FlexConnect, Monitor mode, Local CUWN or Converged Access mode! And you can buy the 3650/3850 switches today, and deploy wireless whenever you will be ready or whenever you will benefit from Converged Access if you are currently not fully convinced, with just a software activation (and Wireless AP licenses somewhere in the network).


The APs have to be "locally attached" to the 3650 or the 3850. There is no support for a "L2 hop away" function as you describe it.


Customers who do not upgrade their switching infrastructure to the 3650 or 3850 at the access will need the 5508 w/ 25 or 50 AP licenses, so this still applies, and, once again, this is an architectural choice, as I have seen customers with 100s of APs and very very few clients/traffic, and customers with too few APs and a lot of clients with very high volumes of traffic. The first type would probably still prefer to have the CUWN centralized deployment, whereas the second type would have the real choice and is actually moving over to 3850s as we speak.

Some wireless features, like the ones for Service Provider WiFi deployments, are different between 5508/WiSM-2 and 5760/3650/3850. Generally, the 3.3.0SE IOS features (available in October 2013) can be considered on par with 7.4 AireOS wireless features.


Everything is integrated into the same IOS config, for Wired and Wireless features, as there is one UADP ASIC that handles wireless and wired termination and switching with 20 Gbps performance. In a 48-port switch, you can terminate and switch 40 Gbps of wireless traffic, and in a stack of up to 9 switches, you will be able to terminate and switch up to 480 Gbps of traffic (the capacity of StackWise).



huangedmc Wed, 10/02/2013 - 23:24

Additional questions:

1. Do 3850 & 3650's support Apple Bonjour Gateway as part of their MC feature?

2. 3850 datasheet says it supports up to 2000 clients.

Is this a hard limit, or soft recommendation?

What happens when the 2001st client tries to join? Rejected?

We ran into client count limitation w/ our older WiSM1's, before we migrated to WiSM2's, because there are so many mobile devices around, especially when our remote campuses share same building/space w/ other tenants.

If each 3850 can only recognize up to 2000 endpoints, even if they're just probing, then we'll probably stick w/ centralized WiSM2's.

frichard Thu, 10/03/2013 - 08:34

Hi again Kevin,

1. As part of the IOS XE software version 3.3.0SE, available this month, Apple Bonjour Gateway is supported under the name "Services Discovery Gateway" which goes much farther than just Bonjour as it handles all types of configurable mDNS services.

2. The 3850 supports up to 2000 wireless clients as an MC (Mobility Controller). But each stack can be configured with MC, and still have a single Mobility group between the MCs to have full Fast Secure L2/L3 roaming between them, and reach 250 APs and up to 16 000 wireless clients in the system (with each stack of 1 to 9 switches having a 2000 active clients limit). That being said, for the 2001st ACTIVE client (so, no timeout of any of the other 2000 clients happened), its "request association" will be ignored.

Best Regards,


patrick.kofler Fri, 10/04/2013 - 07:08

Hi Flavien,

I am currently trying to configure the legacy mobility infrastructure mode also known as centralized mode on the 5760 controller. According to the deployment guide this is supported for this platform.

On the AireOS based WLC I configured:

  • MAC Address of 5760 WLC
  • IP Address of 5760 WLC
  • Mobility Group Name

On the 5760 WLC I configured:

  • IP address of Mgmt Interface of the AireOS based WLC
  • Mobility Group Name

It does not give me the option to configure the MAC address.

Yet both WLCs show that control and data path are down.

Is there anything additional which needs to be configured?



frichard Fri, 10/04/2013 - 07:29

Hi Patrick,

Please make sure that you are using WLC versions 7.3 or 7.5, not any other code type on AireOS (not 7.2 or 7.4 for instance).





Posted September 19, 2013 at 12:14 PM
