With Flavien Richard
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to overcome the challenges of planning, designing, deploying, and troubleshooting wireless networks with expert Flavien Richard.
High density, high availability, converged access, unified access, radio resource management, and site surveys: What do they have in common? They’re all complex and difficult to understand and implement properly, but there are tips and rules to follow that will make your life easier. Expert Flavien Richard will share best practices and make recommendations for the different phases, technologies, and features around enterprise wireless networks.
Flavien Richard is a technology solutions architect in the Borderless Networks team in France. He is an expert in wireless and mobility topics and serves as an escalation point of contact in the European theater. This gives him visibility over most of the biggest projects in EMEA. He is a technical interface between the Wireless business unit and Cisco customers, partners, and employees to help define and prioritize the new features and products for the mobility market. He is a frequent speaker and session manager at Cisco Live and other Cisco events on mobility. He also was a contributor to the writing of the first Wireless CCIE exams.
Remember to use the rating system to let Flavien know if you have received an adequate response.
Because of the volume expected during this event, Flavien might not be able to answer every question. Remember that you can continue the conversation in the Wireless Community, subcommunity Getting Started with Wireless shortly after the event. This event lasts through October 4, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Excellent Resource and Timely topic
Flavien, thanks for taking on this topic:
This question/comment is to discuss designing networks and performing site surveys, especially those that are used to support smart phones. It has always been, but is more than ever becoming, users' portal to the internet to avoid 3G/4G data charges, with multimedia for video/voice applications including Netflix, Hulu, Skype, and iTunes.
What is your recommendation for such environments? Granted we are moving to the use of 802.11a/n/ac in future devices; should the next design guides reflect that scenario? Take designing to support context awareness and location tracking, since the old guide requires, at least from the client's perspective, a minimum of 3 APs at -75 dBm. Should we be changing that with these so-called weaker devices with 802.11a/n/ac support? I know you can sprinkle in some APs in Monitor mode. But what AP would you consider the best to use as a monitor mode AP given the presence of 802.11ac?
Thanks in advance.
If I understand your question well, you mainly want to know how to design a network with growing numbers of weaker transmitting devices that consume even more bandwidth than laptops, for instance?
First, I would say that you definitely have to use advanced MIMO technologies like MRC (Maximal Ratio Combining) to receive better than usual MLR (Most likely receiver) on 802.11n for those clients. By using MRC, you can virtually gain up to 3 to 4.5 dB in your access point from those weaker devices.
Second, I would say that, as you mentioned, getting most of the clients on 5GHz compared to 2.4 GHz will greatly help, as there are so many more channels and you can bond multiple 20 MHz channels on this frequency, using 802.11n and 802.11ac, even with single spatial stream clients like the smartphones that you are referring to. BandSelect could be of help here.
Third, if you see that there is too much noise on the 2.4GHz coming from co-channel interference from your own APs, you can still disable, per AP, the "admin status" of the Radio, which will allow the AP to only service 5GHz, and therefore not add more potential co-channel interference in a crowded environment.
Last, you can deploy external-antenna Access Points with more directional antennas (patch most of the time, pointing downwards towards the clients), which will allow the AP to focus its reception on the area covered by the antennas' azimuth and elevation planes. By doing this, the AP will essentially get better reception from the clients in its zone of coverage, and virtually filter out those clients that are not where the AP should be listening and talking to them. This will also allow RRM to reuse the same channel more often on the same floor, for instance, and will then allow more APs to be deployed in the same area with less interference overall between access points on the floor.
Regarding the Location tracking part of your question, what you mention is still valid. To do some kind of triangulation, the system has to see the client from at least 3 different access points. There are 2 ways to enhance the accuracy:
- you either get a beacon on multiple channels almost at the same time (this is the principle behind the active WiFi tags), so that APs on different channels can catch the signal and attach it to the same client,
- or you can use Access Points that are looking for multiple channels sequentially, so they can catch beacons coming from the same client on multiple channels (that is the principle behind the Monitor Mode AP).
In the case of 802.11ac, there still is a primary channel when you bond multiple channels together, so the beacons can be heard by non-11ac access points in the neighborhood. Hence, an 802.11n access point in Monitor mode can still be working to listen to 11n and non-11n clients for context awareness. Nevertheless, as 802.11ac is going to have much fewer bonded channels than 11a/n, the 2.4GHz location advantage over 5GHz will be diminishing over time, because an 11ac deployment will use a much smaller number of channels to listen to in order to do location tracking. Therefore, to combine 802.11ac and context awareness, it is a very good idea to use the 3600 with its 802.11ac module already, not as a Monitor mode AP, but as a normal servicing AP with clients, and also do the Location tracking function at the same time.
Hope this answers your questions,
Thanks, Sir. Appreciate the insight. Can you elaborate on Coverage Hole Detection? Is it using RSSI or SNR as the means to adjust AP power?
There are conflicting documents that reference SNR, then RSSI values. Which is right?
Since WLC version 5.0, the CHD (Coverage Hole Detection) algorithm has solely been using Client RSSI values.
Prior to that (3.x, 4.x), it used to be based on a calculation between the local noise and the client RSSI, creating a metric that could be assimilated to an SNR value.
Bottom line is: only RSSI for quite some time now...
-Fast Reconnect / Fast Transition
Is Fast Reconnect generally recommended for customers that use PEAP?
Does it work w/ both L2 & L3 roaming?
Ditto for Fast Transition.
Is there caveat w/ Fast Reconnect that we should watch out for?
Why does this Cisco doc suggest disabling Fast Reconnect as a troubleshooting step?
What is the expected behavior for L2 & L3 roaming in a FlexConnect deployment?
Are both supported, or only L2?
The main issue we see with Fast Reconnect is that it has to be enabled BOTH on the client and on the Radius server (IAS, ACS, etc.) to work properly. If both are the same, there should be no issue, for L2 and L3 roaming, as long as the WLAN/SSID points to the same Radius server in both the originating WLC and the destination WLC.
Please see this TechNet note for more info and the vulnerabilities to check out for: http://technet.microsoft.com/en-us/library/cc757996(v=WS.10).aspx
Regarding Fast Transition (802.11r), please have a look at this description and the "restrictions" section:
Finally, regarding your question on FlexConnect roaming: indeed, and by design, Fast Secure roaming can only happen at layer 2 between Access Points in local switching mode. A Layer 3 roam would mean that the client has to re-DHCP with local switching, which is not possible without a full reauthentication of the client; hence the only way of doing Fast Secure Roaming is within the same subnet in FlexConnect local switching.
PS: In FlexConnect Central switching, as you cannot spread the same FlexConnect group across multiple controllers that would not be sharing the same subnet attached to the SSID, you cannot have L3 roaming happening anyhow, so I restricted your question to FlexConnect local switching.
What are your recommendations for spacing the Access Points in an indoor environment? thanks in advance for your help on this.
If you are planning for regular coverage of 802.11n APs in an office environment (laptops, tablets, phones for data) and use omnidirectional antennas, the rule of thumb is to place the Access Points about 25 meters apart from each other.
If you need to do location tracking, Voice over Wireless LAN coverage, or high-density deployments, we recommend placing Access Points 17 meters apart from each other, in general, with omnidirectional antennas.
Nevertheless, even though RRM is very powerful and should be used 99% of the time, a proper Site Survey of the building has to be conducted prior to the deployment of the Network, in order to determine the best coverage for a given facility, based on materials used for instance.
Flavien, in reference to RRM and using RF Profiles to adjust the TPC thresholds. This question may seem all over the map, but I think you will get the gist of my train of thought.
What is your recommendation on using RF profiles in multifloor buildings, or do you just recommend it per entire building? Have to consider data rates, roaming, etc. I know a proper physical site survey is key and always recommended. However, from past and present experiences, many make use of the WCS/NCS/Prime planning tools and base the AP layout on that model, or on some other professional survey planning tool that recommends the layout.
Granted, not all buildings attenuate RF well, but with the better radios in the 3600s and the next 802.11ac-capable AP from Cisco, I see more clients becoming sticky and gravitating to these radios because of the "better ears", per se.
I do see there is a means to limit the number of clients per AP and do recommend using that feature after dealing with the default of 200. Not sure if that is a realistic number to allow on an AP between the two bands, but again it depends on the application support.
Hence my concern with interfloor RF. Location tracking requires more ears (APs) to listen to the probe requests of clients and report them back to the WLC so that the MSE can make sense of it; then it can be mapped on the floor plans.
Is there such a thing as "too many" APs in Monitor Mode for location tracking? I do understand you can place the APs in local mode and admin-disable the 2.4 GHz radio for less CCI; that is common and you did mention that in a previous response.
Lastly: since location tracking relies on client probes, if clients are not constantly probing or are in sleep mode, can location accuracy suffer significantly?
Thanks in advance.
I think that this document should be a very good read for you if you haven't read it already:
This is the High Density Design Guide.
Most of the people who I am working with wouldn't take the time and effort to define all parameters differently for each floor of a building using AP Groups and RF profiles. What I usually see is the definition of special areas for high density, or with high ceilings with the specific TPC thresholds for this environment, and the standard RRM for the rest of the network.
Nevertheless, if you have the possibility and the willingness to go the extra mile and deploy it that way, this can be done, and you can even create a one-to-one AP to AP Group relationship in most of the WLCs (500 in the 5508, 1000 in the 5760 and WiSM-2, 6000 in the 7500 and 8500) except the 2504.
Regarding the rest of your questions:
- Is there such a thing as "too many" APs in Monitor Mode for location tracking? --> No.
- [...] Can location accuracy suffer significantly? --> Yes, absolutely, and this is why some app writers are forcing, on certain platforms, the device to send probes much more often, in order to improve network location visibility and, therefore, accuracy.
Thanks, Sir, I will reread the guide. This does clarify things. Mastering RRM should be a class all by itself, especially when it comes to deploying for high density or even location.
Sent from Cisco Technical Support iPad App
What is the best practice around the new 3850 switches' wireless management interface? Is it a good idea to have a separate management interface for wireless management, different from the switch management SVI?
The wireless management interface and the switch management can be set independently in the same or in different vlans, as you know. There is no correlation between them. Nevertheless, one needs to take into account that the "wireless management interface" vlan has to be locally served on the switch, as it needs to be the same as the one of the access points directly attached to the 3850 switchports. If you have a deployment with numerous access points and use the same switch management and wireless management vlans in your entire network, you have to consider that each switch and each AP takes an IP address in this spread management vlan, and then it could make sense to separate wireless management interfaces' vlans geographically (one per wiring closet, or one per building), for instance, and not spread them across the network like your management vlan.
PS: it may seem obvious to many, but it may be worth mentioning to some that, like for the wired clients, wireless client access vlans should be set totally different from the AP vlan, especially if you use the same switch and wireless management vlan...
Thanks for the explanation, it helps. If this is the case, I prefer to have a separate wireless management interface from switch management, for better capacity planning (for wired switches & APs) and from a reporting perspective.
At the moment in my campus we are having an L2-Access model (100s of 3750X/G stacks) with vlans spanning across multiple buildings, with aggregation to dual 6506-E (no VSS yet). Therefore we have two separate /23s for SW-Mgt & WAP-Mgt for a given distribution block. We are in the process of moving to the 3850 as the standard access switch model & later on enabling WLC functionality in each of the stacks.
Will this be problematic when moving to the 3850? i.e. having the 3850 wireless management vlan span multiple buildings. Are there any implications for mobility or any other aspects of this CA deployment?
I have been working on a document that is not public yet and that includes a section on IP Addressing. I am copying the entire section here as it should help you understand the pros and cons of Wireless ACCESS vlan deployments.
The options cover a range of cases and highlight the pros and cons of different design choices that involve dealing with same or different IP address pools for wireless and wired traffic, differentiated policy assignment, and ease of implementation.
This option separates wired and wireless VLANs per wiring closet, as shown in the following figure. In this example, there is a pair of VLANs in each closet. This is a simple design that allows the application of separate policies per VLAN to wireless and wired users and eliminates any contention for DHCP between wired and wireless.
However, because wireless clients are moving, it is important to consider how large the subnet must be for that wiring closet to accommodate these non-static clients. For wired connectivity, it is necessary only to count the number of available ports. Wireless usage is much more dynamic, so it is harder to determine the size of the DHCP scope that is required, and thus some of the IP address space as allocated might be wasted simply to accommodate for the maximum possible number of wireless clients that could potentially appear on the network simultaneously.
This approach for IP addressing is applicable mainly to a small or medium sized site or branch, where predicting the maximum size of the wireless subnets needed is easier, based on user and device populations at the small to medium branch involved.
In this option, the VLANs are merged and the same subnet is used for wired and wireless for each wiring closet, but separated for different wiring closets. For example, VLAN 11 is used for wired and wireless on wiring closet one, VLAN 21 for the second and so on. The main advantage of this option is in saving IP subnets, and thus conserving the associated IP address space to the greatest extent possible. There is still the challenge of sizing subnets, and as well there is the possibility in this deployment option of IP address space contention between wired and wireless clients, since wired and wireless users are mapped into common subnets in this deployment option. Wireless clients could consume all of the IP addresses within a given subnet, resulting in insufficient addresses for wired clients (or vice versa). Moreover, it is not possible to apply separate wired and wireless policies using VLAN based policies alone in this deployment option.
This option is a hybrid with separate wired subnets and one wireless subnet spread across multiple wiring closets below a common distribution layer. This deployment option retains the advantage of a separate per-VLAN policy for both wired and wireless users, and avoids IP address space contention between these user communities, as wired and wireless clients are still mapped into separate VLANs. Fewer IP subnets are needed because wireless clients are grouped into a single VLAN (per SSID) below the distribution layer. This deployment option typically requires a VSS deployment at the distribution layer or a single distribution switch with multiple supervisors, to avoid Layer 2 loops and any associated spanning tree blocking / forwarding issues.
Important information on what I said on my previous post about directly connected APs and vlans, with more details:
As an MA, the Catalyst 3850 supports only direct attached APs. For the AP to register, a management wireless VLAN interface (such as VLAN 20) to which the AP is connected is needed. If the AP is in any other VLAN, it cannot register, and an error message is generated on the console. This is because the "wireless management interface Vlan" command, which activates the MA functionality, intercepts the CAPWAP messages and processes only those from the designated wireless management VLAN (into which all of the APs connected to this Catalyst 3850 must be deployed). If the command is not employed on the switch, the Catalyst 3850 functions just as any other Layer 2 or Layer 3 switch (CAPWAP passthrough), and the AP can be connected and registered to any other controller within the larger network.
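As an added example (not from this thread or from any Cisco document), the Catalyst 3850 configuration that ties together the points made above: the wireless management VLAN must be local and hold the directly attached APs, clients go in a separate VLAN, ipbase or ipservices is required for MA/MC, and AP-count licenses only on the MC. It assumes VLAN 20 as the AP/wireless management VLAN, VLAN 30 as a spanned wireless client VLAN, a WLAN named CORP, and constructed addresses and port numbers.

```cisco
! Added example configuration; VLAN ids, names and addresses are assumptions.
!
! lanbase only does CAPWAP pass-through; ipbase or ipservices is needed for MA/MC.
license right-to-use activate ipbase acceptEULA
! AP-count licenses are needed only on the switch/stack acting as MC.
license right-to-use activate apcount 10 slot 1 acceptEULA
!
vlan 20
 name WIRELESS-MGMT-BLD1-L1
vlan 30
 name WIRELESS-CLIENTS
!
! SVI in the wireless management VLAN: CAPWAP from the local APs is
! intercepted here. The APs' default gateway (from a central DHCP scope)
! can still be the distribution SVI, e.g. 192.168.100.254, not this address.
interface Vlan20
 ip address 192.168.100.2 255.255.255.0
 no shutdown
!
! Activates the MA role. Without it the 3850 is a plain L2/L3 switch and
! the APs can join any other controller in the network.
wireless management interface Vlan20
! Make this stack the Mobility Controller as well (reload required).
wireless mobility controller
!
! Directly attached APs must sit in the wireless management VLAN.
interface range GigabitEthernet1/0/1 - 10
 description Cisco AP
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Uplink: VLAN 20 reaches the distribution gateway, VLAN 30 is the one
! spanned below the distribution layer for wireless clients.
interface TenGigabitEthernet1/1/1
 switchport mode trunk
 switchport trunk allowed vlan 20,30
!
! Clients land in VLAN 30, never in the AP VLAN (AAA/security config omitted).
wlan CORP 1 CORP
 client vlan 30
 no shutdown
!
! Verification
show wireless interface summary
show ap summary
show wireless mobility summary
```

An AP placed in any VLAN other than VLAN 20 on this switch will not register and logs an error on the console, which is the quickest check that the management VLAN was applied correctly.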
Thank you very much for such a detailed explanation of each different option. Looking forward to seeing such a valuable document available to us to use as a design guide in this new deployment model.
If I understood correctly, the most preferred option for us is to go with the "Spanned Wireless vlan". There is a prerequisite VSS implementation at the distribution layer to avoid any possible L2 looping issues.
In your case, with the current network that you describe, Option 3 seems to be a good fit, indeed.
I read your response a couple of times and now I have another question on that. I understand that for the wireless users it is better to have the vlan span across buildings to have less IP contention.
Is this applicable to the "wireless management vlan" as well? Let's say we have 5 buildings (each 3 stories & having a switch stack on each level). Assuming fewer than 10 APs on each floor and allocating 10 IPs for wireless management (for AP & SW wireless mgt). We do not want to control AP IPs too much & below is an example scenario:
BLD1-L1 - 192.168.100.1-10
BLD1-L2 - 192.168.100.11-20
BLD1-L3 - 192.168.100.21-30
BLD2-L1 - 192.168.100.31-40
When allocating DHCP for the AP, does this require local DHCP pools in each stack pointing to its own SVI as gateway for the AP mgt DHCP scope? Or could we have a single DHCP scope (somewhere on a central DHCP server) pointing to an SVI defined at the Distribution layer (6506) for these buildings, if we have an SVI on the same vlan as wireless mgt, for example 192.168.100.254?
In other words, if the AP gets a default gateway different from the local 3850 SVI IP (but on the same subnet as the wireless mgt IP of the 3850 stack), will that impact the CAPWAP termination on that switch stack?
We would like to have a central DHCP solution even for AP mgmt & would like to know whether that design rule can be maintained in the given scenario.
Hope this is clear.
You can have a central DHCP scope for Access Points, and not use a local DHCP pool in the stack, to do what you want and describe here. The default gateway parameter returned by the DHCP server won't be specific per stack, as it is the normal default gateway of the subnet. The switch itself on each floor will intercept the CAPWAP join request on the wireless management interface subnet locally, which will let the AP join the converged access stack.
What is the feature set requirement for a 3850 to operate as MC/MA? Does it require "ipbase" or "ipservices"?
If a 3850 comes with "lanbase", can it operate as MC/MA?
Lanbase does not have any Wireless termination support, so, you can only work in passthrough mode indicated above with this license.
Both ipbase and ipservices will allow Wireless support and termination the same way, and allow for MA and MC functionalities. (to activate MC you also need AP licenses on the switch or stack, not on the MA itself).
Thanks for this information. This is a very important piece of information when planning to roll out the 3850 at large scale. If you want to terminate APs locally on the switch stack & have the stack act as a WLC, then you should have at minimum the "ipbase" feature set.
I am not sure that this question belongs to this community or .....
We had implemented Cisco ISE for Guest access.
I have some questions regarding Guest email notification via a Sponsor account (via the Cisco ISE sponsor portal).
Right now we have this kind of structure for Guest email notification:
Welcome to the XYZ Guest Portal.
Your guest account details:
Valid From: Mon Sep 30 10:15:45 CEST 2013
Valid To: Mon Sep 30 18:15:45 CEST 2013
Now I want to add my company logo to this notification (in email as well as in print format).
Can you please guide me on placing my company logo in this notification.
Please explain the two-layer security in wireless mobility, because one of my clients wants the new wireless mobility with two layers of security.
Thanks and Regards
Can you please help me understand your question and be a little more specific on what you want me to let you know?
I want to know about double-layer security, like authentication on the Controller and on the AP separately.
Secondly, he wants to know whether only one SSID can be used across different buildings for continuous communication.
For the first question on double authentication, please have a look at this document, as this is possible on wireless Lan controller versions 7.4 and above:
Regarding setting up the same SSID between buildings for seamless roaming, this is definitely something that we recommend, and that is made possible to easily deploy thanks to our Wireless Lan controllers, both standalone like 5760, 5508, 8510s, or integrated into the switches for converged wired and wireless access like the 3650 and 3850.
Thanks for your early response and the reference given. I read it and it is beneficial for explaining this to the client.