Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on different aspects of wireless network design and installation with Fred Niehaus. Fred is a Technical Marketing Engineer for the Wireless Networking Business Unit at Cisco, where he is responsible for developing and marketing enterprise wireless solutions using Cisco Aironet and Airespace wireless LAN products. In addition to his participation in major deployments, Niehaus has served as technical editor for several Cisco Press books including the "Cisco 802.11 Wireless Networking Reference Guide" and "The Business Case for Enterprise-Class Wireless LANs." Prior to joining Cisco with the acquisition of Aironet, Niehaus was a support engineer for Telxon Corporation, supporting some of the very first wireless implementations for major corporate customers. Fred has been in the data communications and networking industry for more than 20 years and holds a Radio Amateur (Ham) License "N8CPI."
Remember to use the rating system to let Fred know if you have received an adequate response.
Fred might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 16, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
I have 2 WiSM blades that I want to set up as redundant or failover for each other. I am using WCS and my 2 WiSM blades are on 2 different 6500 switches. My 6500s are connected via fiber at layer 2. I have a couple of WLANs set up on my primary controller and I am using dynamic interfaces to map the VLAN supporting the WLAN. If my primary controller fails, I understand I use templates on the WCS to apply secondary and tertiary controllers to the connected APs. What happens to my session as a client if my primary controller fails, and I then begin to look for a secondary controller and the secondary controller has a different IP address for VLAN 300? Will a mobility group keep me connected or will my session fail and re-connect after finding the secondary controller? What are best practices for setting up what I want to achieve? Thank you!
If your WLAN setup isn't that complicated (no 802.1x, for example), I'd recommend you look into H-REAP. During a failover with H-REAP, the LWAPs don't lose sessions and it's "business as usual".
I am using HREAP for my field sites, but these controllers are supporting my local campus. Are you suggesting I use HREAP for my local campus?
The mobility group will not keep you connected, as it is not completely seamless; there will be a very short client disconnection during this process.
See the design guide at the following URL: http://www.cisco.ws/en/US/docs/wireless/technology/controller/deployment/guide/dep.html
I want a Switch/Router to transfer data from an ATM (Automated Teller Machine) at one side using GPRS as the medium and have a Router at the other end with VPN connectivity. Could you suggest the Cisco part numbers for the Switch/Router with GPRS Modem and the Router with VPN connectivity? I also want to know what IP address will be used at the Switch/Router (ATM side), i.e. is it a public IP address or a private IP address? And is it possible to use a Cisco 880 Wireless Router at the ATM side in my design?
Could you suggest the Cisco part numbers for the Switch/Router with GPRS Modem and the Router with VPN connectivity?
How many VPN tunnels do you have in mind?
The 880G series router has 3G capability and supports up to 20 VPN tunnels.
Cisco 880G Series 3G Wireless Integrated Services Router
3G Features for Cisco 880 Series Integrated Services Routers
Don't forget to rate useful posts. Thanks.
Sir, how do we get the info about the number of VPN tunnels supported by a router? I can't find it in the documentation provided by Cisco. I still need to contact Cisco regarding some information.
Sir, how do we get the info about the number of VPN tunnels supported by a router?
Just want to let you know that this is not the correct forum topic to discuss this subject matter. But here's the link to the documentation anyway.
Don't forget to rate useful posts. Thanks.
I am searching for wireless connectivity for two office premises which are 50 m (line of sight) apart from each other, which should also support at least 30 Mbps (this is imperative) traffic. Can I use a 1300 series bridge to accomplish my objective? Alternatively, does anyone have a better suggestion other than the 1300 series?
Please let me know.
You sure you can't use fibre optic?
I'd be using a 1250 autonomous AP with directional dish antennae. You can configure point-to-point bridge.
Wireless Bridges Point-to-Point Link Configuration Example
Don't forget to rate useful posts. Thanks.
Thanks for your reply. Actually we selected wireless as an alternative to fiber optic (it's not cheap). Could you please tell me more about the antenna (directional dish) you're using at the moment? Also the gain of the antenna?
I can't access the following link. Can you please attach it for me in PDF or HTML format?
Have a look at the following links:
Cisco Aironet 2.4 GHz and 5 GHz Antennas and Accessories
Cisco Aironet Antennas and Accessories Reference Guide
For the distance mentioned, a yagi antenna would be suitable. AIR-ANT2410Y-R (between one or two) for the 2.4 GHz radio (with diversity turned off) would be suitable.
Hope this helps.
Please don't forget to rate useful posts. Thanks.
Thank you very much. Can you please confirm the following specs are OK to deploy?
Use two Cisco Aironet 1252G (a/b/g/n compatible) APs between the two buildings. This access point is also able to support external antenna connectivity.
But this option is more expensive than previous.
• Wireless technology 802.11a/g/n
• Data transfer rate (max) 300Mbit/s
• Interfaces 1 x antenna - RP-TNC x 3
For the distance mentioned, a yagi antenna would be more suitable.
AIR-ANT2410Y-R for the 2.4 GHz radio (with diversity turned off).
Gain -10 dBi
However, I have a doubt about the antenna connector type (RP-TNC). I think the AP has RP-TNC x 3 interfaces (sockets), but the selected antenna (AIR-ANT2410Y-R) has only one RP-TNC jack. Is that correct? How is it going to be connected to the AP (is there any special type of connecting arrangement available for this)? Please let me know.
Take a look at the MIMO Patch antenna http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2460np.pdf
This is a directional antenna that will allow you to point the antenna at the other Bridge link. The AP-1250 does not support the dish type antenna as the maximum gain for any antenna on the AP-1250 is 10 dBi.
You can use a pair of 1300 or 1400 Series Bridges for this link as each will support up to 54 MB data rate.
Keep in mind the 54 Mb is the radio data rate, with actual throughput being approximately half the radio data rate.
50m is an easy link distance to attain providing there are no obstructions, but actual throughput will not be 54 MB.
Another option might be to use a pair of AP-1250's in Bridge mode as they support faster 802.11n throughput speeds but those are indoor devices so you would need to mount the units inside with the antennas located outside (keeping antenna cables to very short distances) as there is a lot of loss in the cable at 2.4 and 5 GHz.
Using the AP-1250 you can achieve a radio data rate of 150 Mb so half of that (actual throughput) might be closer to what you require.
Hi, I’m not finding any secure method to authenticate wireless users through a web portal in the WLC 5508 with a backend database.
- We have the option of using RADIUS, but in this case the WLC can only use CHAP or PAP, and they are not secure access methods. I could use IPsec for the RADIUS access, but to allow CHAP access I have to enable reversible passwords in Active Directory, which is not a secure method to store passwords. So I cannot use RADIUS.
- I could use LDAP, but the WLC doesn’t support LDAP over SSL, so it transmits passwords in clear text and there is no option to make an IPsec connection between the WLC and the LDAP server. So I cannot use LDAP.
Any help? Is there any secure method to authenticate web users?
Sorry, but for web authentication the WLC only has radius, ldap or local authentication options.
802.1x is layer 2 authentication and web authentication is layer 3. I'm not doing layer 2 authentication for this wlan but I need to authenticate users with Active Directory through captive portal.
If I use RADIUS, web authentication on the WLC only supports PAP or CHAP (I cannot understand why it doesn't support MSCHAPv2). If I use LDAP, it doesn't support LDAP over SSL. I think there is a lack of security for a device like this.
Well Radius is how we do it today.
Given you do not wish to do CHAP or PAP this certainly limits your options.
You are correct when you say that WLC doesn't support LDAP over SSL but we are working to add this as I've seen some chatter where folks are working on this.
I think it's a security hole for this device:
- LDAP without SSL transmits passwords in clear text, so I can't understand how this configuration option in the controller exists. In fact in older versions you could configure LDAP with TLS, so in newer versions there is less security! In this example you can see that: Choose Secure from the Server Mode drop-down box if you want all LDAP transactions to use a secure TLS tunnel http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml#localeap
- And RADIUS with CHAP or PAP with a Windows Active Directory backend database forces passwords to be stored using reversible encryption, which is the same as storing plaintext versions of the passwords, which is not admissible http://technet.microsoft.com/en-us/library/cc784581%28WS.10%29.aspx
So we don't have an option with minimal security requirements.
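The trade-off raised in this sub-thread, as an added example (not part of any poster's reply and not Cisco or Microsoft code): a CHAP verifier has to recompute the digest from the cleartext password, while RADIUS PAP only hides the password under the shared secret. The PBKDF2 store, the passwords and the shared secret below are constructed stand-ins for any one-way password database.

```python
import hashlib, hmac

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def chap_verify(ident: int, stored: bytes, challenge: bytes, response: bytes) -> bool:
    # The verifier recomputes the digest, so `stored` must be the cleartext password.
    return hmac.compare_digest(chap_response(ident, stored, challenge), response)

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 User-Password: c_i = p_i XOR MD5(secret || c_{i-1}), c_0 = Request Authenticator
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Any holder of the RADIUS shared secret can undo the hiding.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def one_way_store(password: bytes, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for whatever one-way hash the directory keeps.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def demo() -> dict:
    # Constructed sample values; fixed so the result is reproducible.
    password, secret = b"constructed-Passw0rd!", b"constructed-radius-secret"
    salt, challenge, req_auth = b"\x11" * 16, b"\x22" * 16, b"\x33" * 16
    stored_hash = one_way_store(password, salt)
    resp = chap_response(7, password, challenge)
    recovered = pap_reveal(pap_hide(password, secret, req_auth), secret, req_auth)
    return {
        "chap_with_cleartext_store": chap_verify(7, password, challenge, resp),
        "chap_with_hash_only_store": chap_verify(7, stored_hash, challenge, resp),
        "pap_with_hash_only_store": hmac.compare_digest(one_way_store(recovered, salt), stored_hash),
        "pap_cleartext_seen_by_secret_holder": recovered == password,
    }
```

CHAP fails against a hash-only store, which is why the directory must keep a reversible copy; PAP works with one-way storage but exposes the cleartext to every party holding the shared secret, hence the need to protect the WLC-to-RADIUS path.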
I have an issue that I hope you can help with. WiSM controller with code 126.96.36.199 with 136 remote Cisco 1242 APs connected. As of late I'm having to reset the APs to restore connectivity. When the remote site rings in I can see clients Associated and Authenticated to the APs but cannot ping the clients from the local router on the same subnet as the APs, but can ping the APs with no loss of connectivity. WCS is on ver 188.8.131.52. I've just recently upgraded WiSM from ver 184.108.40.206 to 220.127.116.11 to 18.104.22.168. It almost seems as if the device is going to sleep or loses connectivity to the controller? This is happening at random sites but constantly resetting the APs cures the issue. Any help or suggestions would be greatly appreciated.
There's a bug in the 6.X code where clients stop responding for a duration of time. Cisco is asking everyone listening/reading to avoid 5.X or 6.X codes. Upgrade to the 7.X and see if you find any improvements.
Please don't forget to rate useful posts. Thanks.
I need your help. I set up an AP-1310 as a Root Bridge at the main site and an AP-1310 as a Non Root Bridge at the remote site; the distance between them is 2 kilometers. I need to know the following:
1- Which is the best power option for both?
2- What is the best way to know the signal strength between both access points (because I don't know where to see the signal strength between the Root Bridge and Non Root Bridge)?
3- How can I align the antenna on both access points for both sites?
Thanks in advance,
The best power option for the 1300 is the standard power injector.
If however you are using mobility applications (say you were mounting the Bridge in a vehicle or on a mountain top using solar panels) then rather than using the standard injector that uses 48 VDC you would want to order the injector with a "T" in the part number, as the T stands for "Transportation Injector" and that injector uses + 12 volts (for car and solar applications).
The best way to know the signal strength (without consoling in) would be to simply look at the LED lights; the blink pattern will tell you.
Another way is to console or browse into the device. For the LED patterns see the hardware installation guide at this URL
To align (for best performance) you should be able to see your other units (clear line of sight). Some folks use binoculars, or they might make a bigger target like a cluster of helium balloons, and initially point the Root Bridge to the non-root site. Once you get the root unit installed, go to the non-Root and align to it (as previously described).
I wonder if there is any easy way to know the signal strength of the 1300 bridge (except by LED light, because the access point is up high on the tower), because I always wonder how much the signal strength is after I successfully connect the 1300 Bridge, and I want to tell the client how much signal strength he has.
I also set up a 4402 (WLC V.6) and added many 1130 LAPs to it. Everything works fine, but suddenly there is a problem with some of the 1130 LAPs: when two or more 1130 LAPs are close to each other, one of them works and broadcasts the SSID, but the others that are close to it do not send the SSID. When I turn off the one that is working, the other works fine and sends the SSID. So at least one of them works fine every time, but not all of them at the same time. When I check in my WLC, I find all of the 1130 LAPs are registered and in HREAP mode.
Thanks in advance,