BSS: Basic Service Set (one Access Point and the clients associated with it)
ESS: Extended Service Set (more than one Access Point sharing the same SSID, so clients can roam between them)
BSA: Basic Service Area (the coverage area of one Access Point)
SSID: Service Set Identifier
Distribution System: the wired path from the wireless network to everything else, i.e. internal servers of the company or internet access for guests.
Path Loss: Even without any obstacle, the signal becomes weaker with distance (free-space path loss).
Scattering: Signal degraded by small particles and rough surfaces in its path, e.g. dust, rain and humid air.
Reflection: Signal changes its path after bouncing off an obstacle.
Multipath: The signal takes more than one path (after reflections off obstacles) and the copies reach the receiver at slightly different times.
Fade: If two multipath copies arrive 180 degrees out of phase they cancel each other and the signal degrades strongly; copies arriving in phase (0 degrees) add up instead.
Antenna Gain (dBi): how much the antenna focuses (directs) the signal compared to an isotropic radiator.
Effective Isotropic Radiated Power (EIRP) = Tx power (dBm) + Antenna Gain (dBi) - Cable loss (dB). If the gain is given relative to a dipole (dBd), convert first: dBi = dBd + 2.14.
Regulators certify Access Point + antenna combinations, so use an antenna the AP vendor lists for that AP to keep EIRP within the legal limit.
If the Access Point generates less/more power than required, an amplifier/attenuator is placed between the Access Point and the antenna.
802.11  --> 2.4 GHz   --> FHSS/DSSS   --> 2 Mbps
802.11b --> 2.4 GHz   --> DSSS        --> 11 Mbps --> Old & Rare
802.11a --> 5 GHz     --> OFDM        --> 54 Mbps --> Old & Rare
802.11g --> 2.4 GHz   --> DSSS/OFDM   --> 54 Mbps --> Backward compatible with 802.11b
802.11n --> 2.4/5 GHz --> OFDM (MIMO) --> up to 600 Mbps (300 Mbps with two spatial streams and 40 MHz channels)
Even though an 802.11g Access Point can support 802.11b clients, doing so significantly deteriorates performance: the AP keeps using OFDM for its 802.11g clients, but it must enable the protection mechanism (RTS/CTS or CTS-to-self sent with DSSS, which 802.11b clients understand) before each OFDM transmission, and throughput drops for everyone on that AP.
Suppose Access Point "AP1" has one client that uses 802.11b. AP1 advertises "use protection" in its beacons; AP2, which hears AP1's beacons, enables protection as well and advertises it in turn to AP3 & AP4. You will notice that this one 802.11b client degrades the performance of all APs, i.e. AP1, AP2, AP3 & AP4.
CAPWAP: Control And Provisioning of Wireless Access Points
The Wireless LAN Controller (WLC) performs client authentication. It uses the CAPWAP protocol to carry both data-plane and control-plane traffic to and from the Access Points.
APs encapsulate client frames in CAPWAP and send them to the WLC.
MSE (Mobility Services Engine) uses wireless IPS (wIPS) to detect, and contain, unauthorized access points popping up on the network.
LIGHTWEIGHT ACCESS POINT can be connected to a Wireless Controller, but it must have an IP address, a default gateway and a way to learn the IP address of the controller.
HYBRID REMOTE EDGE ACCESS POINT (H-REAP): Let's say the WLC is in the head office, which has a slow WAN connection to the branch office where the APs are.
So we want the AP to be capable of switching local traffic in the branch office itself, instead of tunneling it to the WLC.
AUTONOMOUS ACCESS POINT must be connected to a trunk port of the switch (it bridges each SSID to its own VLAN).
DEPLOY THE WLC
The connection from the WLC to the switch will be a trunk; while configuring the controller it will ask for the management IP and the VLAN associated with it.
Virtual Gateway IP Address: All controllers within the same mobility group use the same virtual gateway IP address so that clients can move from one LAN controller to another.
Access Points are given "option 43" by the DHCP server so that they can build a CAPWAP connection to the WLC. Here the APs receive the IP address of the WLC through "option 43".
Note: DHCP Option 43 is sent from server to client and contains vendor-specific information that the DHCP server has been configured to offer to the client. The information is sent to the client only if the server has a Vendor Class Identifier (VCI) in its table that matches the VCI (option 60) in the client's DHCPREQUEST.
AP's Hooking up with the WLC
Discovery Options
Broadcast (CAPWAP discovery request on the local subnet)
Flash (IP address of the last WLC the AP joined, stored locally; the AP will try to connect to it first)
DHCP (option 43 carrying the WLC IP address)
DNS (create a DNS entry "CISCO-CAPWAP-CONTROLLER.<local domain>" resolving to the WLC IP address)
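The discovery options above mean the AP acts on whatever option 43 it is handed, so it is worth being able to build and check the option by hand. The following Python is an added example, not part of these notes and not a Cisco tool: it encodes the Cisco-format option 43 (one sub-option of type 0xF1 whose length is 4 times the number of controllers and whose value is the packed controller IPs), decodes and validates one, and renders the matching IOS DHCP pool lines. The pool name, subnet, gateway, VCI string "Cisco AP c3500" and controller addresses are assumed values for illustration.

```python
"""Added example (not part of the original notes): encode, decode and
validate the Cisco-format DHCP option 43 used for CAPWAP controller discovery.

Layout assumed (Cisco AP convention): one TLV sub-option of type 0xF1 whose
length is 4 * number_of_controllers and whose value is the controllers'
management IPs packed big-endian. Pool name, subnet, VCI and addresses below
are illustrative values, not taken from a real deployment.
"""
import ipaddress

WLC_SUBOPTION = 0xF1  # Cisco "controller IP list" sub-option (241)


def encode_option43(controllers):
    """Return the raw option 43 bytes for the given WLC management IPs."""
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not packed:
        raise ValueError("at least one controller address is required")
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte TLV length")
    return bytes([WLC_SUBOPTION, len(packed)]) + packed


def decode_option43(data):
    """Walk the option 43 TLVs and return the controller IPs in sub-option 0xF1.

    A truncated TLV or a 0xF1 length that is not a multiple of 4 (the usual
    result of a typo in the hex string) raises ValueError instead of yielding
    a half-parsed address that the AP would then try to join.
    """
    controllers, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header at offset %d" % i)
        stype, slen = data[i], data[i + 1]
        value = data[i + 2 : i + 2 + slen]
        if len(value) != slen:
            raise ValueError("truncated sub-option 0x%02X value" % stype)
        if stype == WLC_SUBOPTION:
            if slen == 0 or slen % 4:
                raise ValueError("sub-option 0xF1 length %d is not a multiple of 4" % slen)
            controllers += [str(ipaddress.IPv4Address(value[j : j + 4]))
                            for j in range(0, slen, 4)]
        i += 2 + slen
    return controllers


def ios_dhcp_pool(name, network, gateway, vci, controllers):
    """Render the IOS DHCP pool that hands option 43 only to APs sending this VCI."""
    net = ipaddress.IPv4Network(network)
    return "\n".join([
        "ip dhcp pool %s" % name,
        " network %s %s" % (net.network_address, net.netmask),
        " default-router %s" % gateway,
        ' option 60 ascii "%s"' % vci,
        " option 43 hex %s" % encode_option43(controllers).hex(),
    ])


if __name__ == "__main__":
    wlcs = ["192.168.10.5", "192.168.10.20"]  # assumed WLC management IPs
    print(ios_dhcp_pool("AP-POOL", "192.168.20.0/24", "192.168.20.1",
                        "Cisco AP c3500", wlcs))
    print(decode_option43(encode_option43(wlcs)))  # round trip
```

Because any DHCP server on the AP VLAN can hand out its own option 43, pair this with DHCP snooping on the access switches; the certificate check during the AP join is what stops an AP from actually joining a controller it cannot validate.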
APs will connect to the Primary/Secondary/Tertiary controller in sequence, i.e. if the AP doesn't get a heartbeat response from the WLC it goes for a few more retries and then the AP will use the secondary and likewise the tertiary controller.
If none of the above is reachable then it will try the Master Controller.
Controllers can be made "Master Controller":
Controller --> Advanced --> Master Controller Mode
If no controller is marked as "Master" then the least loaded controller (the one with the most free AP capacity) will be used.
When connecting, the WLC sends its X.509 certificate to the AP and the AP sends its certificate to the WLC; each side validates the other's certificate before the DTLS session is established, so an AP will not join a controller whose certificate it cannot validate.
APs use UDP port 5246 for control information (code/config/heartbeat) & UDP port 5247 for client data.
Note: By default the control traffic between AP and WLC is encrypted (DTLS) but the user data is not. Data DTLS can be enabled per AP or globally; without it, client traffic between AP and WLC crosses the wired path in the clear, because the AP has already removed the client's 802.11 encryption before CAPWAP-encapsulating the frame.
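To check which of the two planes is actually protected on a given link, it is enough to look at the first bytes of the UDP payload. The following Python is an added example, not part of these notes and not a Cisco tool: it parses the CAPWAP preamble and fixed header as laid out in RFC 5415 (preamble byte = version << 4 | type; type 0 is a plain CAPWAP header, type 1 is a 4-byte CAPWAP DTLS header followed by a DTLS record) and flags flows on UDP 5246/5247 that are not DTLS-protected. The two packets and the IP addresses in it are constructed for the example, not captured from a real network.

```python
"""Added example (not part of the original notes): look at the first bytes of
UDP/5246 and UDP/5247 payloads and report whether each CAPWAP flow is
DTLS-protected or in the clear.

Layout assumed from RFC 5415: the preamble byte is (version << 4) | type;
type 0 is a plain CAPWAP header (HLEN/RID/WBID/flags in the next 3 bytes,
fragment ID/offset in the following 4), type 1 is a 4-byte CAPWAP DTLS header
followed by a DTLS record. The packets below are constructed, not captured.
"""

CAPWAP_CONTROL_PORT = 5246
CAPWAP_DATA_PORT = 5247
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}


def parse_capwap_header(payload):
    """Return a dict describing the CAPWAP transport and header fields."""
    if len(payload) < 8:
        raise ValueError("CAPWAP header needs at least 8 bytes")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        raise ValueError("unsupported CAPWAP version %d" % version)
    if ptype == 1:
        # 4-byte CAPWAP DTLS header, then a DTLS record (type, version, epoch, seq, len)
        record = payload[4:]
        if len(record) < 13:
            raise ValueError("DTLS record header truncated")
        dtls_ver = int.from_bytes(record[1:3], "big")
        return {"transport": "dtls",
                "dtls_content_type": record[0],
                "dtls_version": DTLS_VERSIONS.get(dtls_ver, "0x%04x" % dtls_ver)}
    if ptype != 0:
        raise ValueError("unknown preamble type %d" % ptype)
    bits = int.from_bytes(payload[1:4], "big")  # HLEN(5) RID(5) WBID(5) T F L W M K(6) flags(3)
    hlen_bytes = (bits >> 19) * 4
    if hlen_bytes < 8 or hlen_bytes > len(payload):
        raise ValueError("HLEN %d bytes is inconsistent with payload length" % hlen_bytes)
    frag = int.from_bytes(payload[4:8], "big")
    return {"transport": "clear",
            "hlen_bytes": hlen_bytes,
            "rid": (bits >> 14) & 0x1F,
            "wbid": (bits >> 9) & 0x1F,              # 1 = IEEE 802.11
            "native_frame": bool((bits >> 8) & 1),   # T bit: payload is a native 802.11 frame
            "fragment": bool((bits >> 7) & 1),       # F bit
            "frag_id": frag >> 16,
            "frag_offset": (frag >> 3) & 0x1FFF}


def audit_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, udp_payload).
    Returns findings for AP<->WLC traffic that is not DTLS-protected."""
    findings = []
    for src, dst, dport, payload in flows:
        if dport not in (CAPWAP_CONTROL_PORT, CAPWAP_DATA_PORT):
            continue
        info = parse_capwap_header(payload)
        if info["transport"] == "clear":
            plane = "control" if dport == CAPWAP_CONTROL_PORT else "client data"
            findings.append("%s -> %s udp/%d: CAPWAP %s plane in the clear "
                            "(WBID %d, native 802.11 frame=%s)"
                            % (src, dst, dport, plane, info["wbid"], info["native_frame"]))
    return findings


# Constructed packets: a DTLS-wrapped control message (DTLS 1.2 application data,
# 10 bytes of dummy ciphertext) and a clear data frame (HLEN=2, RID=1, WBID=1, T=1)
# carrying a stub 802.11 data-frame header.
DTLS_CONTROL = bytes.fromhex("01000000" + "17fefd000100000000002a000a") + b"\x00" * 10
CLEAR_DATA = bytes.fromhex("0010430000000000") + b"\x08\x02" + b"\x00" * 22
SAMPLE_FLOWS = [
    ("10.10.20.11", "10.10.10.5", CAPWAP_CONTROL_PORT, DTLS_CONTROL),
    ("10.10.20.11", "10.10.10.5", CAPWAP_DATA_PORT, CLEAR_DATA),
]

if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS):
        print(line)
```

Run it over payloads pulled from a capture taken on the AP access port or the WLC trunk; a control plane that shows up as "clear" means DTLS on 5246 is off or a downgrade is in progress, which deserves an immediate look, while a clear data plane is the default and is a decision about how much you trust the wired path between AP and WLC.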
Access Point Modes
Local (data + monitoring of the other channels in between) --> default mode
Monitor (monitoring only, the radios do not serve clients) --> can be used as a wIPS sensor
Sniffer --> captures and forwards all the packets on a particular channel to a remote machine that runs packet analyzer software
Rogue Detector (wired side only, radios off) --> the AP sits on a trunk port and compares the MAC addresses it sees on the wire with the rogue APs/clients reported over the air, so it can tell which rogues are actually plugged into your wired network
Bridge (mesh AP network)
SE-Connect: SE-Connect mode allows you to connect to the LAP using Cisco Spectrum Expert and gather vital information about the RF spectrum surrounding the LAP
OEAP: A Cisco OfficeExtend access point (Cisco OEAP) provides secure communications from a Cisco WLC to a Cisco AP at a remote location (e.g. a teleworker's home).
H-REAP is a wireless solution for branch office and remote office deployments. H-REAP enables customers to configure and control access points (APs) in a branch or remote office from the corporate office through a WAN link without deploying a controller in each office.
H-REAPs can switch client data traffic locally and perform client authentication locally when the connection to the controller is lost. When connected to the controller, H-REAPs can also tunnel traffic back to the controller. In connected mode, the hybrid REAP AP can also perform local authentication.
The H-REAP-capable LAP operates in these two different modes:
Connected mode:
An H-REAP is said to be in connected mode when its CAPWAP control plane link to the WLC is up and operational. This means that the WAN link between the LAP and WLC is not down.
Standalone mode:
An H-REAP is said to be in standalone mode when its WAN link to the WLC is down. For example, when this H-REAP no longer has connectivity to the WLC connected across the WAN link.
Note: A Lightweight Access Point in local mode only needs an access port on the switch. The WLC, an autonomous AP, and an H-REAP/FlexConnect AP that switches several VLANs locally connect to a trunk port.
Default password of the AP is "Cisco" (where a username is asked for, it is "Cisco" as well); change it before the AP goes into production.
How to reset the AP?
Hold the MODE button, apply power and keep holding it for about 20 seconds, until the status LED near the MODE button turns red. Now release the MODE button; the AP broadcasts TFTP requests for its image with a source IP of 10.0.0.1/8, so the TFTP server must be reachable in that subnet.
Please enable the radio to make it work for 802.11a:
Network Interfaces --> Radio 802.11A --> Settings --> Enable
Roaming
A mobility Group (Domain)
Layer 2 & Layer 3
Symmetric vs Asymmetric
Anchors and "Mobility Anchors"
Static IP Tunneling
WLCs in a mobility group must agree on:
1) CAPWAP as transport (LWAPP on older software)
2) The mobility group name
3) The virtual IP address
4) Compatible software versions (the hardware may differ)
Under Controller --> Default Mobility Domain Name
Both WLCs have the WLAN SSID of "WLAN-30" configured and associated with VLAN 30
Controller --> Mobility Management --> Mobility Groups --> Member IP Address 172.16.10.5 --> Member MAC Address --> 00:0C:29:32:79:fa
Group Name (need not be same b/w controllers but good to keep same) --> Mobility-Group1 --> Hash --> None
The CLI tool for verifying the control (management) path is "mping" & for the data path it is "eping".
Layer 2 Roaming
Layer 2 roaming is symmetric: the client stays in the same subnet, so the path for the client's traffic to the server (both sending & receiving) passes through the same router interface.
L3 Roaming
Now let's say the client has roamed from AP2 (on WLC-2, whose client interface is in 172.16.30.0/24) to AP3. The client's IP address won't change (172.16.30.55), because AP3 CAPWAP-encapsulates the client's frames and sends them to its own controller, WLC-3, whose client interface is in another subnet (let's say 172.16.40.0/24).
Note: Here the client has been configured to take its IP address by DHCP.
Now WLC-3 removes the CAPWAP header and sends the traffic to the router with the client's original IP address (172.16.30.55) as the source.
Because the traffic received by the server carries the client's original IP address (172.16.30.55), the server's response is routed to the 172.16.30.0/24 subnet, i.e. to WLC-2 (the anchor controller) and not to WLC-3 (the foreign controller). Hence the path for the client's traffic to the server (sending & receiving) passes through different router interfaces, so this form of L3 roaming is asymmetric.
To resolve the issue, a mobility (EoIP) tunnel between WLC-2 & WLC-3 is built, which is possible because they are in the same mobility group: WLC-2 forwards the client's return traffic through the tunnel to WLC-3. With symmetric mobility tunneling (enabled on current releases, as the "show mobility summary" output further down shows) WLC-3 also sends the client's outbound traffic through the tunnel to WLC-2, so both directions leave through the anchor's interface and stateful devices such as firewalls see one consistent path.
STATIC IP TUNNELING
Suppose a client connected to AP2 has the static IP address 172.16.30.55 (in subnet 172.16.30.0/24). When it associates with AP3, WLC-3 sees an IP address that belongs to none of its own interfaces and asks the other WLCs in its mobility group "Do any of you support the 172.16.30.0/24 subnet?"
Now WLC-2 responds, and WLC-3 creates a mobility tunnel to it and sends all packets from the client through that tunnel.
To enable Static IP Tunneling (on both controllers):
WLANs --> Edit "Our-Profile" --> Advanced --> Static IP Tunneling
Mobility Anchors
Suppose we have a "Guest" network across the whole enterprise and we don't want the local controllers to put guest traffic onto their own internal networks.
So we configure WLC-2 & WLC-3 to tunnel all traffic for the "Guest" WLAN to WLC-1 (typically placed in the DMZ).
This WLC-1 is then called the "Mobility Anchor" for the Guest network.
Troubleshooting
(WLC1) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... mrn-cciew
Multicast Mode .................................. Enabled
Mobility Domain ID for 802.11r................... 0x4ccd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address        IP Address     Group Name  Multicast IP     Status
00:0b:85:40:a1:c0  10.10.112.10   mrn-cciew   239.239.239.239  Control and Data Path Down
00:0b:85:43:d8:60  10.10.111.10   mrn-cciew   239.239.239.239  Up
00:1b:d5:cf:e6:00  10.10.120.140  mrn-ccie
Two ping tests are available:
Mobility ping over UDP: This test runs over mobility UDP port 16666. It tests whether mobility control packets can reach the peer over the management interface.
Mobility ping over EoIP: This test runs over EoIP (IP protocol 97). It tests the mobility data path over the management interface.
"mping <mobility_peer_IP>" & "eping <mobility_peer_IP>" are the CLI commands you need to run.
(WLC1) >mping 10.10.120.140
Send count=3, Receive count=3 from 10.10.120.140
(WLC1) >eping 10.10.120.140
Send count=3, Receive count=3 from 10.10.120.140
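Rather than eyeballing the status column every time, the output above can be parsed and checked. The following Python is an added example, not part of these notes and not WLC software: it reads the text of "show mobility summary" (the sample is the output shown above, retyped as constructed input), lists each member's status, and reports peers whose control or data path is down, whose group name differs from the local default mobility domain, or whose status field is missing, with the mping/eping commands to run next. The regular expression and the "Key.... value" header layout are assumptions about the output format.

```python
"""Added example (not part of the original notes): parse 'show mobility summary'
and report mobility peers that need attention.

Assumptions: header lines use dotted leaders ("Key...... value"); each member
line is "MAC IP GroupName [MulticastIP] [Status]". The sample text is the
output shown in the notes above, retyped here as constructed input.
"""
import re

MEMBER_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<group>\S+)"
    r"(?:\s+(?P<mcast>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s+(?P<status>.+?))?\s*$",
    re.IGNORECASE,
)

SAMPLE_SHOW_MOBILITY = """\
(WLC1) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... mrn-cciew
Multicast Mode .................................. Enabled
Mobility Domain ID for 802.11r................... 0x4ccd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address        IP Address     Group Name  Multicast IP     Status
00:0b:85:40:a1:c0  10.10.112.10   mrn-cciew   239.239.239.239  Control and Data Path Down
00:0b:85:43:d8:60  10.10.111.10   mrn-cciew   239.239.239.239  Up
00:1b:d5:cf:e6:00  10.10.120.140  mrn-ccie
"""


def parse_mobility_summary(text):
    """Return (summary dict, list of member dicts)."""
    summary, members = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = MEMBER_RE.match(line)
        if m:
            member = m.groupdict()
            member["status"] = member["status"] or "unknown"  # truncated or blank status column
            members.append(member)
        elif "...." in line:
            key, _, value = line.partition("....")
            summary[key.strip()] = value.strip(". ")
    return summary, members


def mobility_findings(summary, members):
    """Flag peers that would break roaming or anchoring to/from this controller."""
    findings = []
    local_group = summary.get("Default Mobility Domain")
    for mbr in members:
        if mbr["status"] != "Up":
            findings.append("%s (%s): status '%s'; check the control path with 'mping %s' "
                            "and the data path with 'eping %s'"
                            % (mbr["ip"], mbr["mac"], mbr["status"], mbr["ip"], mbr["ip"]))
        if local_group and mbr["group"] != local_group:
            findings.append("%s: group name '%s' differs from local domain '%s' "
                            "(fine only if the peer is intentionally in another group)"
                            % (mbr["ip"], mbr["group"], local_group))
    configured = summary.get("Mobility Group Members Configured", "")
    if configured.isdigit() and int(configured) != len(members):
        findings.append("configured member count %s but %d members listed"
                        % (configured, len(members)))
    return findings


if __name__ == "__main__":
    summ, mbrs = parse_mobility_summary(SAMPLE_SHOW_MOBILITY)
    for finding in mobility_findings(summ, mbrs):
        print(finding)
```

Feed it the output collected from each controller in the group; a peer that is "Up" from one side but down from the other usually points at a firewall or NAT device between the controllers dropping UDP 16666 or EoIP.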
------------------------------------------------------------------------------------------------------------------
What is the master controller mode on WLC?
When a master controller is enabled, all newly added access points with no primary, secondary, or tertiary controllers assigned associate with the master controller on the same subnet. This allows the operator to verify the access point configuration and assign primary, secondary, and tertiary controllers to the access point using the All APs > Details page.
The master controller is normally used only when adding new access points to the Cisco Wireless LAN solution. When no more access points are being added to the network, Cisco recommends that you disable the master controller.
How does DHCP work with the WLC?
The WLC is designed to act as a DHCP relay agent towards the external DHCP server and as the DHCP server towards the client. This is the sequence of events that occurs:
Generally, a WLAN is tied to an interface on which a DHCP server address is configured.
When the WLC receives a DHCP request from a client on a WLAN, it relays the request to the DHCP server using its management IP address as the relay address.
The WLC presents its virtual IP address as the DHCP server to the client. This address must be non-routable; it was usually configured as 1.1.1.1, but that address is now publicly routed on the internet, so use an address from the reserved 192.0.2.0/24 range (e.g. 192.0.2.1), which is what Cisco currently recommends.
How do I change power & channels for a LAP?
Once a LAP registers to a WLC, all the configuration for the LAP is done on the WLC. There is a built-in feature in the WLC called RRM (Radio Resource Management), wherein the WLC internally runs an algorithm and automatically adjusts the channel and power settings according to the deployment of the LAPs. RRM is turned on by default on the WLC. You need not change the channel and power settings for a LAP, but you can override RRM and statically assign power and channel settings to a LAP.
What happens to the wireless network when I perform a software upgrade? Do all the access points (APs) registered to a WLC go down until they are upgraded, or are they upgraded one at a time so that the wireless network can remain up?
Once the WLC is upgraded, it must be rebooted for the changes to take effect. Within this time, connectivity to the WLC is lost. LAPs registered to a WLC lose their association to the WLC, so service to the wireless clients is interrupted. When you upgrade the controller’s software, the software on the controller’s associated access points is also automatically upgraded.
Up to 10 access points can be concurrently upgraded from the controller. Do not power down the controller or any access point during this process; otherwise, you might corrupt the software image.
With the “ Management via Wireless” feature enabled on WLCs in a mobility group, I can only access one WLC from that mobility group, but not all. Why?
This is an expected behavior. When enabled, the Management via Wireless feature allows a wireless client to reach or manage only the WLC to which its associated access point is registered. The client cannot manage other WLCs, even though these WLCs are in same mobility groups. This is implemented for security, and recently was tightened down to just the one WLC in order to limit exposure.
Are there any basic requirements to maintain when I use the mobility anchor feature in order to configure wireless LAN controllers (WLCs) for guest access?
These are the 2 basic requirements that need to be maintained when you use a mobility anchor in order to configure WLCs for guest access:
The mobility anchor of the local WLC must point to the anchor WLC, and the mobility anchor of the anchor WLC must point only to itself.
Note: You can configure redundant anchor WLCs. The local WLC uses them in the order in which they are configured.
Make sure you configure the same security policy for the service set identifier (SSID) on both the local and anchor WLCs. For example, if the SSID is "guest" and you turn on web authentication on the local WLC, make sure the same SSID and security policy is also configured on the anchor WLC.
If the WLCs in the same mobility group are separated by Network Address Translation (NAT) boundaries, can they communicate mobility messages with each other?
BEFORE VERSION 4.2
In controller software releases earlier than 4.2, mobility between controllers in the same Mobility Group does not work if one of the controllers is behind a network address translation (NAT) device.
Reason
Mobility message payloads carry IP address information about the source controller. This IP address is validated with the source IP address of the IP header. This behavior poses a problem when a NAT device is introduced in the network because it changes the source IP address in the IP header.
AFTER VERSION 4.2
In controller software release 4.2 and later, the Mobility Group lookup is changed to use the MAC address of the source controller. Because the source IP address is changed due to the mapping in the NAT device, the Mobility Group database is searched before a reply is sent to get the IP address of the controller that makes the request. This is done with the MAC address of the controller that makes the request.
Can we place the lightweight access point (LAP) under Network Address Translation (NAT)? Does LWAPP from access point (AP) to WLC work through NAT boundaries?
Yes, you can place the LAP under NAT. On the AP side, you can have any type of NAT configured, but, on the WLC side, you can have only 1:1 (static NAT) configured. PAT cannot be configured on the WLC side because LAPs cannot respond to WLCs if the ports are translated to ports other than 12222 or 12223, which are meant for data and control messages.
Can I place the Lightweight Access Point (LAP) under Network Address Translation (NAT)? Does CAPWAP from access point (AP) to WLC work through NAT boundaries?
Yes, you can place the LAP under NAT. On the AP side, you can have any type of NAT configured. But on the WLC side, you can have only 1:1 (Static NAT) configured.
PAT cannot be configured on the WLC side because LAPs cannot respond to WLCs if the ports are translated to ports other than 5246 or 5247, which are meant for control and data messages.
Select the Enable NAT Address check box and enter the external NAT IP address if you want to be able to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one−to−one mapping network address translation (NAT).
Can I upgrade the WLC from one major version to another directly?
You can upgrade or downgrade the WLC software only between two releases. In order to upgrade or downgrade beyond two releases, you must first install an intermediate release.
We have finished our initial deployment of LAPs. When our clients move from one end of the building to the other, they stay associated with the AP to which they were closest. The clients do not appear to be handed off to the next-closest AP until the signal strength from the initial AP is completely depleted. Why?
Coverage area of an AP is entirely controlled by the WLC. The WLC talks between its APs and manages their signal strength on the basis of how each AP senses other APs. However the client movement from one AP to other is entirely controlled by the client. The radio within the client determines when the client wants to move from one AP to the other.
No setting on the WLC, AP, or the rest of your network can influence client’s decision to roam to a different AP.
How do I prevent loops on the WLC?
You can enable STP on the WLC to prevent loops. From the WLC GUI click Controller, then navigate to the Advanced submenu located on the left side of the application.
Click the Spanning Tree option, and choose Enable for Spanning Tree Algorithm located on the right side of the application.
By default, STP is disabled on the WLC.
Is there any way to recover my password for WLC?
BEFORE VERSION 5.1
There is no password recovery option.
AFTER VERSION 5.1
If you forget your password in WLC version 5.1 and later, you can use the CLI from the controller’s serial console in order to configure a new user name and password. Complete these steps in order to configure a new user name and password. After the controller boots up, enter Restore−Password at the user prompt.
Note: For security reasons, the text that you enter does not appear on the controller console.
At the Enter User Name prompt, enter a new user name.
At the Enter Password prompt, enter a new password.
At the Re−enter Password prompt, re−enter the new password.
The controller validates and stores your entries in the database.
When the User prompt reappears, enter your new username.
When the Password prompt appears, enter your new password.
The controller logs you in with your new username and password.
I have set up a guest Wireless LAN and the WLC is physically separated from my internal LAN. I decided to use the internal DHCP feature of this WLC but my wireless clients do not get IP addresses from the WLC.
How do the wireless guest users get IP addresses from the WLC when they are connected on a physically separate network?
Check if the DHCP scope is enabled on the WLC. In order to check this, click the Controller Menu and click Internal DHCP server from the left−hand side.
Generally, the DHCP server is specified on the interface, which maps to the WLAN.
Make sure that the management interface address of the WLC is specified as the DHCP server on the interface that maps to the guest user WLAN. Alternatively, you can enable the DHCP Server override option on the WLANs > Edit page and specify the management interface address of the WLC in the DHCP server IP Addr field.
I have a 4400 Series WLC & LAPs registered to the WLC. I have configured WLANs for the clients to connect on the WLC. The problem is that the WLC does not broadcast SSIDs that I configured for the WLANs. Why?
The Admin Status and the Broadcast SSID parameters are disabled by default. Complete these steps in order to enable Admin Status and Broadcast SSID:
Go to the WLC GUI and choose Controller > WLANs. The WLANs page appears.
This page lists the WLANs that are configured. Select the WLAN for which you want to enable broadcasting of the SSID and click Edit.
In the WLAN > Edit page, check Admin Status in order to enable the WLAN. Also, check Broadcast SSID in order to ensure that the SSID is broadcast in the beacon frames sent by the AP.
Wireless LAN Clients associated with the lightweight access points are not able to get IP addresses from the DHCP server. How do I proceed ?
The DHCP server for a client is usually specified on the interface that maps to the WLAN to which the client is associated. Check that the interface is configured appropriately.
My 1131 lightweight access point (LAP) does not register with my 4402 wireless LAN controller (WLC). What can be the possible reason for this?
One common reason is that the Lightweight Access Point Protocol (LWAPP) Transport Mode is configured on the WLC. A 4402 WLC can operate in both Layer 2 and Layer 3 LWAPP mode. Whereas, an 1131 LAP can only operate in Layer 3 mode. Layer 2 mode is not supported on the 1131 LAP.
So, if the WLC is configured with the LWAPP Transport Mode of Layer 2, then your LAP does not join the WLC. In order to overcome this problem, change the LWAPP Transport Mode of the WLC from Layer 2 to Layer 3. In order to change the LWAPP Transport Mode using the GUI, go to the WLC page and locate the second selection in the main field which is LWAPP Transport Mode. Change this to Layer 3 and reboot the WLC. Now, your LAP is able to register with the WLC.
We have a couple of Access Control Servers (ACS) that authenticate the wireless clients associated to wireless LAN controllers (WLCs). One ACS acts as a primary authenticating server and the other as a failover server. If the primary server fails, the WLC falls back to secondary for authenticating the wireless clients. Once the primary server comes back up, the WLC does not fallback to the primary server. Why?
This is an expected behavior. These steps occur when a client is authenticated through the WLC in multiple ACS deployments:
Upon boot up, the WLC determines the active ACS. When this active ACS does not respond to the RADIUS request from the WLC, the WLC searches and makes a failover to the secondary ACS.
Even when the primary ACS comes back up, the WLC does not fall back to it until the ACS to which the WLC is currently authenticating fails.
In such cases, reboot the WLC in order for the WLC to identify the primary ACS again and fallback to it. This fallback does not occur immediately after reboot. It might take some time.