| Author: | Herbert Haas |
|---|---|
| Address: | herbert AT perihel DOT at http://www.perihel.at/dcom |
| Revision: | 0.5 |
| Date: | 2007-10-29 |
| Copyright: | Copyright (c) 2007 Herbert Haas. |
Abstract
This document summarizes important facts about modern Wireless LANs. It is not a WLAN tutorial. The reader should already be familiar with WLAN fundamentals (see e. g. my WLAN lecture notes). Besides general WLAN theory, practical issues are exemplified on the basis of Cisco WLAN products. If you find any mistakes please send me an E-Mail, thanks! Many thanks to Frank Vergeer for many corrections and input.
New standards (CCX Version 4 supports them partly)
When the access point/bridge receives data packets that are not 802.11 packets (for example Ethernet II packets), the access point or bridge must convert these packets to 802.11 using one of the following encapsulation methods:
802.1H: This method provides 'optimum performance' for Cisco Aironet wireless products.
- LLC: AA AA 03 (a SNAP header follows)
- SNAP: 00 00 08 ("Ethernet Tunnel") + EtherType
This is the default setting.
RFC1042: This setting ensures interoperability with non-Cisco Aironet wireless equipment. It is used by other manufacturers of wireless equipment.
- LLC: AA AA 03
- SNAP: 00 00 00 ("RFC-1042 OUI") + EtherType
As you can see, the difference is minimal (only the SNAP OUI differs). Usually there is no need to change this setting.
All LEDs blink on/off together: WLC found, code upgrade in progress
Alarm red flashing (Power off, radio off): Duplicate IP address
Alarm red on: LAP boots.
Power green on, alarm off: WLC found, code OK, normal status.
Blinking green:
- on REAP: loss of connectivity to WLC
- other APs: Site Survey mode
When using DFS:
- During Channel Move Time, the band LED will blink at fast rate (2-3 times per sec) => Radar detected.
- During the Channel Availability Check, the band LED will blink at a slow rate (1-2 times per second) indicating that the LAP is quietly scanning the channel for radar.
All 1000 series APs only support IGMPv1.
A current CCX feature overview table can be found here
Today's (2007) radio parameter recommendations have changed in order to support modern services such as Voice over WLAN and Location Based Services (LBS).
Coverage hole goal: 0-10% (typically 2%-5%) is acceptable! A reasonable coverage hole criterion for launch is 2-10%
1000 series: not higher than 16 feet, not more than 100 feet apart.
Other APs not higher than 40 feet.
Voice:
- Check that signal to noise ratio (SNR) levels are 25 dB or higher for acceptable voice quality.
- Roaming: RSSI >35
- packet loss < 1%
RSSI is best indicator - measured in dBm
- > -55 dBm is exceptionally good
- < -85 dBm is poor
Recommended parameters:
| Application | Rate | Min RX (dBm) | Min SNR (dB) | Recomm. RX (dBm) | Recomm. SNR (dB) |
|---|---|---|---|---|---|
| 2.4 GHz Data | 54 Mbit/s | -71 | 25 | -61 | 35 |
| 2.4 GHz Data | 11 Mbit/s | -82 | 10 | -72 | 20 |
| 2.4 GHz Voice | 54 Mbit/s | -71 | 25 | -56 | 40 |
| 2.4 GHz Voice | 11 Mbit/s | -82 | 10 | -67 | 25 |
| 5 GHz Data | 54 Mbit/s | -68 | 20 | -58 | 30 |
Typical cell border: -67 dBm
Recommended overlap (2007): 20%
Co-channel separation: 19 dB at least
Voice: at least 11 Mbit/s and min SNR= 25 dBm
The range for a Cisco Aironet 1400 Series Wireless Bridge in a point-to-point link is 8.5 miles at a data rate of 54 Mbps, versus 1.5 miles at 54 Mbps for the Cisco Aironet 1300 Series (typical range with integrated antennas).
If there is more than 1 km between the sites, you need to set the distance parameter on the root bridge to allow for sufficient time for the bridges to acknowledge the frames received. If this parameter is not set on a bridge link over 1 km, the bridges show duplicate frames.
Only the Cisco Aironet 1300 Series can be managed by WLC and WCS. When migrated to LWAPP the 1300 can currently only be used as an AP and NOT as a bridge. 1300 Series have a digital thermometer built-in.
In autoinstall mode, the default distance setting is 99 km. When you change the radio role to operational mode, the value goes back to 0 km.
Typical Connectivity Issues: Data rate mismatch
Default CCA: -62
CW-min 3 and CW-max 10 are best for point-to-point links.
Multipoint Links CWmin/CWmax:
- up to 5 NRB: 4/10
- up to 10 NRB: 5/10
- up to 17 NRB: 6/10
If packet concatenation is enabled, you need to adjust the CW-min and CW-max settings only for traffic class 0. Concatenation is enabled by default.
In order to utilize packet concatenation, it must be enabled on both the root bridge and the non-root bridge.
1400: The default value for packet concatenation is 3500 bytes.
RTS Threshold is 4000 for the root (i.e. disabled) and 1 for non-roots (i.e. enabled)
Fragmentation threshold is 4000 (i.e. disabled)
There is no RSSI voltage port on a BR1310.
Aironet 1300 supports only a single SSID. This SSID should be assigned to the native VLAN. This SSID is used for association of the Non-Root Bridge to the Root Bridge. Additional VLANs can also be assigned to this SSID and are then communicated via 802.1Q.
Configuring your access point/bridge to support VLANs is a five-step process:
- Create subinterfaces on the radio and Ethernet interfaces.
- Enable 802.1Q encapsulation on the subinterfaces and assign one subinterface to the native VLAN.
- Assign a bridge group to each VLAN.
- (Optional) Enable WEP on the native VLAN.
- Assign the bridge's SSID to the native VLAN.
The configuration would look like this:
```
bridge(config)# interface dot11radio0.1
bridge(config-subif)# encapsulation dot1q 1 native
bridge(config-subif)# bridge group 1
bridge(config-subif)# exit
bridge(config)# interface fastEthernet0.1
bridge(config-subif)# encapsulation dot1q 1 native
bridge(config-subif)# bridge group 1
bridge(config-subif)# exit
bridge(config)# interface dot11radio0
bridge(config-if)# ssid batman
bridge(config-ssid)# vlan 1
bridge(config-ssid)# infrastructure-ssid
bridge(config-ssid)# end
```
Non-root bridges automatically use RTS/CTS because multiple non-root bridges typically do not see each other (their directional antennas point only to the root bridge).
Configuration Steps:
- Set AP to non-root role.
- Set Infrastructure Devices to associate only to this SSID.
- Set Infrastructure SSID
When a WLC (4404 or WiSM) LAG port is connected to a Catalyst 6500 channel group (or Cat 3750G) then note the following rules:
Without LAG, each WLC port only supports 48 LAPs. With LAG enabled, the total LAP capacity is available to all interfaces: if, for example, three interfaces of a 4404 fail, the remaining one can still handle up to 100 LAPs. With LAG only one functional physical port is needed to maintain connectivity!
LAG requires the EtherChannel to be configured in "on" mode on both the WLC and the switch. No negotiation protocol is supported on the WLC.
Therefore it does not matter whether the switch is configured for Link Aggregation Control Protocol (LACP) or the Cisco Port Aggregation Protocol (PAgP): neither LACP nor PAgP is supported on the controllers.
On the switch a load-balancing method must be chosen that terminates all IP datagram fragments on a single WLC port pair. On the 4404 there is one Network Processing Unit (NPU) for fragment reassembly for ports 1+2 and another NPU for ports 3+4. (On the 4402 there is only a single NPU for ports 1+2 so there is no problem with load balancing.)
- The recommended load-balancing method for Catalyst switches is port-channel load-balance src-dest-ip.
All WLC ports must belong to the same LAG group! Only one LAG group is supported, therefore the WLC can only be attached to one switch (otherwise disable LAG mode). However it is recommended to terminate the links on different modules on a modular switch. Terminating on two different modules within a single Catalyst 6500 switch provides redundancy and ensures that connectivity between the switch and the controller is maintained when one module fails.
HSRP is NOT supported!
Any change to the LAG configuration requires a controller reboot.
When enabling LAG:
- Mgmt and AP-Mgr interfaces move to the LAG port
- All dynamic AP-Mgr interfaces are deleted
- VLAN interfaces are moved to LAG port
- WLANs are disabled and mapped to the Mgmt interface - you need to reassign them to the VLANs!
- You can only create interfaces on the LAG logical port 29.
All packets are transmitted over the physical port on which they were received.
When disabling LAG:
- Mgmt and AP-Mgr interfaces as well as VLAN interfaces move to port 1
- You should define secondary ports for all interfaces (for backup)
- You must assign AP-Mgr interfaces to each port
Packets can be forwarded over any port, no matter on which port they originally came in.
LAG is enabled per default and cannot be disabled on the WiSM and on the integrated WLC inside the Catalyst 3750G.
PAgP switchover takes at least 30 seconds, which is too slow to maintain certain traffic (for example, TCP) when switching from one port to the other. There is no workaround for this limitation.
LAG configuration on the switch:
```
interface GigabitEthernet1/0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 30 mode on
 !!! specifying a channel group number forces LAG without PAgP or LACP
!
interface GigabitEthernet1/0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 30 mode on
 !!! specifying a channel group number forces LAG without PAgP or LACP
```
A WCS converted from a WLSE can handle up to 100 Controllers and 1500 APs.
Auto-Manage Templates can be used for the criteria Device Type and Subnet.
CDP version 2 is supported on 2X00 and 440X series (not in integrated WLCs such as WiSM, WLCM etc)
Virtual Interface used by layer 3 security, DHCP relay, and Mobility Managers
up to 17 Radius Servers per WLAN.
RFID timeout on WLC should be 8-10 times the tag beacon rate.
Max 512 VLANs
ESM - 1 for 4402, 2 for 4404, 1 Gbit and 1000 clients per ESM.
A WLC can control up to 16 WLANs per 10X0 series AP and 8 WLANs per 1130/1200/1230 and 1240 series AP.
Radius server index -> priority
Up to 3 rogues can be contained concurrently by a single AP, and one rogue can be contained by a maximum of 4 APs.
All multicast packets are sent at the lowest QoS level.
AP Power level settings:
- 1= Max
- 2= 50%
- 3= 25%
- 4= 6.25% to 12.5%
- 5= 0.195% to 6.25%
The WLC keeps up to 5 controller crash files.
An Access List (ACL) can be applied either on a VLAN interface or on a specific WLAN:
config wlan acl [<Wlan id>] [<ACL name> | none]
The same is true with MAC filters.
Maximum 256 message logs are stored locally (FIFO). Use external syslog server!
Note: The WLC only uses the user timeout and session timeout settings to terminate client sessions if aggressive load balancing is disabled.
Destination ports:
- Data: 12222
- Control: 12223
Observed (FYI):
- From SP=12221 (AP) to DP=12222 (WLC-Data)
- From SP=12223 (WLC-Control) to DP=52799
Inter-controller messages
- 16666 to 16666 and 16667 to 16667 (mobility traffic)
- WLCs must not be separated by NAT because the WLC's IP address is also carried inside the (encrypted) packets and compared with the header source address. See Controller Hunt Algorithm for further details.
LWAPP discovery response contains:
- controller name
- controller type
- current number of APs (load)
- AP capacity
- AP Manager ip address
- Master Controller status
L2 LWAPP uses Ethertype 0xbbbb
Using DHCP option 43 a DHCP server can announce the IP addresses of WLCs to LAPs. The native LWAPP-APs expect option 43 to be a simple ASCII string while converted APs need a hexadecimal TLV.
It is possible to mix both AP types because every LAP appends DHCP option 60 (the Vendor Class Identifier, VCI) to its DHCP request. A typical DHCP configuration on a Cisco router would therefore look like this:
```
ip dhcp pool POOL-1000er
 network 10.1.1.0 /24
 default-router 10.1.1.254
 ...
 option 60 ascii "Airespace.AP1200"           ! identifies 1000 series
 option 43 ascii "192.168.10.9,172.26.12.89"
!
ip dhcp pool POOL-1200er
 network 10.2.2.0 /24
 default-router 10.2.2.254
 ...
 option 60 ascii "Cisco AP c1200"
 option 43 hex f108ac1a0c59c0a80a09
```
Note that there must be a dedicated DHCP pool for each AP type. The first pool identifies all 1000 series LAPs and assigns 192.168.10.9 as the primary WLC IP address and 172.26.12.89 as the secondary WLC address. The second pool matches all 1200 series LAPs (such as the 1231 but not the 1240!) and assigns a strange TLV which consists of:
- Type = f1 (must always be this value!)
- Length = 08 which announces 8 bytes of value following (2 IP addresses)
- Value = ac1a0c59 and c0a80a09 which corresponds to the IP addresses 172.26.12.89 and 192.168.10.9 respectively
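The TLV above can be built and checked mechanically. The following is an added example (not from these notes or from Cisco); it encodes and decodes the option 43 sub-option for converted LAPs and the plain ASCII form for native LAPs, using the two controller addresses from the pool configuration above.

```python
# Added example (not from the original notes): build and parse the DHCP option 43
# TLV that converted (IOS-based) LAPs expect, using the addresses from the notes.
import ipaddress

OPTION43_TYPE = 0xF1  # fixed sub-option type for LWAPP controller addresses


def encode_option43(controllers):
    """Return the raw option 43 bytes: type f1, length, then 4 bytes per WLC address."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    value = b"".join(a.packed for a in addrs)
    if len(value) > 255:
        raise ValueError("too many controller addresses for a one-byte length")
    return bytes([OPTION43_TYPE, len(value)]) + value


def encode_option43_hex(controllers):
    """Hex string as typed after 'option 43 hex' in a Cisco IOS DHCP pool."""
    return encode_option43(controllers).hex()


def encode_option43_ascii(controllers):
    """Comma-separated ASCII form expected by native (1000 series) LAPs."""
    return ",".join(str(ipaddress.IPv4Address(c)) for c in controllers)


def decode_option43(blob):
    """Parse the TLV back into dotted-quad strings; reject malformed input."""
    if isinstance(blob, str):
        blob = bytes.fromhex(blob)
    if len(blob) < 2 or blob[0] != OPTION43_TYPE:
        raise ValueError("not an LWAPP option 43 TLV (type must be f1)")
    length, value = blob[1], blob[2:]
    if length != len(value):
        raise ValueError(f"length byte says {length}, got {len(value)} value bytes")
    if length == 0 or length % 4 != 0:
        raise ValueError("value must be a non-empty multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    wlcs = ["172.26.12.89", "192.168.10.9"]
    print(encode_option43_hex(wlcs))          # f108ac1a0c59c0a80a09
    print(decode_option43("f108ac1a0c59c0a80a09"))
    print(encode_option43_ascii(reversed(wlcs)))
```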
The VCI strings for all current Cisco APs are listed in the table below. Please note the odd VCI numbering and the dot in some fields. (The strings are really correct, I verified them twice ;-))
| Access Point | Vendor Class Identifier |
|---|---|
| 1000 | Airespace.AP1200 |
| 1100 | Cisco AP c1100 |
| 1130 | Cisco AP c1130 |
| 1200 | Cisco AP c1200 |
| 1240 | Cisco AP c1240 |
| 1300 | Cisco AP c1300 |
| 1500 | Cisco AP.LAP1510 |
The WLC acts as a DHCP relay device through the virtual interface. The virtual IP is used downstream to the client and the Management-IP is used upstream to the DHCP server!
Debugging: debug dhcp packet enable
Before WLC software version 4.0 the internal DHCP server could only assign IP addresses to clients and not to LAPs. (Now it is possible but the LAPs should be directly connected to the WLC. Also, you cannot share a DHCP scope between two or more WLCs.)
When a LAP boots up it performs three steps:
1. Get an IP address (DHCP).
2. Create a list of reachable WLCs. Reachability is verified via the LWAPP discovery request/response mechanism. In order to find candidate WLC IP addresses, the LAP does the following:
   - The LAP sends an L3-LWAPP discovery message to 255.255.255.255 (if L2-LWAPP is configured then only an L2 broadcast is used)
   - The LAP checks whether IP addresses of any previously joined WLCs are stored in its flash
   - The LAP asks other LAPs over its radio interface using the Over the Air Provisioning (OTAP) protocol
   - The LAP checks whether a DHCP server sent WLC addresses via DHCP option 43
   - The LAP tries a DNS name resolution for the name CISCO-LWAPP-CONTROLLER@local-domain
3. Select one WLC based on a priority scheme:
   - Prefer WLCs that are already stored in the flash (the primary is tried first, the tertiary last).
   - Prefer the WLC with the Master Controller flag set. This flag is included in the header of a discovery response.
   - Prefer the least loaded WLC. Every WLC announces the number of already connected LAPs via the discovery response.
Note that the Master Controller Mode is disabled after reboot or SW upgrade.
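The selection step can be written down as a small decision function. This is an added example, not code from the notes or from Cisco; the field names of the discovery response, the rule that a WLC whose load already equals its capacity is skipped, and the sample responses are assumptions made for the example.

```python
# Added example (not from the original notes): choose a WLC from LWAPP discovery
# responses with the priority order described above (stored names first, then the
# Master Controller flag, then the least loaded WLC). Field names are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscoveryResponse:
    name: str             # controller name
    ap_load: int          # current number of joined LAPs
    ap_capacity: int      # total LAP capacity
    master: bool = False  # Master Controller flag from the response header


def select_wlc(responses, stored_names=()):
    """Return the chosen controller name, or None if every WLC is full.

    stored_names are the primary, secondary and tertiary WLC names kept in flash,
    in that order; the primary is tried first, the tertiary last.
    """
    # Assumption: a WLC that has no free AP capacity is never a candidate.
    candidates = [r for r in responses if r.ap_load < r.ap_capacity]
    if not candidates:
        return None
    by_name = {r.name: r for r in candidates}
    # 1. A configured primary/secondary/tertiary WLC that answered and has room.
    for name in stored_names:
        if name in by_name:
            return name
    # 2. Otherwise a WLC announcing the Master Controller flag ...
    masters = [r for r in candidates if r.master]
    pool = masters or candidates
    # 3. ... and among the remaining candidates the least loaded one.
    return min(pool, key=lambda r: (r.ap_load, r.name)).name


# Constructed responses for illustration; names and numbers are not from the notes.
SAMPLE_RESPONSES = [
    DiscoveryResponse("wlc-a", ap_load=48, ap_capacity=48),              # full
    DiscoveryResponse("wlc-b", ap_load=30, ap_capacity=100, master=True),
    DiscoveryResponse("wlc-c", ap_load=5, ap_capacity=100),
]

if __name__ == "__main__":
    print(select_wlc(SAMPLE_RESPONSES, stored_names=("wlc-a", "wlc-c")))  # wlc-c
    print(select_wlc(SAMPLE_RESPONSES))                                   # wlc-b
    print(select_wlc(SAMPLE_RESPONSES[:1]))                               # None
```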
On the WLC's AP pages enter the names of the primary, secondary, and tertiary WLC. Do NOT enter their IP addresses! Use the same names as can be seen on the monitor general page.
When a LAP associates to the primary WLC, this WLC will automatically send the IP addresses of the secondary and tertiary WLCs to the LAP.
After a LAP joins a WLC, the LAP learns the IP addresses of other WLCs in that mobility group from its joined WLC.
Subsequently, the AP sends LWAPP primary discovery requests to each of the WLCs in the mobility group.
The WLCs respond with a primary discovery response to the LAP. This message includes information about the WLC type, the total capacity, and current AP load.
As long as the WLC has the AP Fallback parameter enabled, the AP can decide to change over to a less-loaded WLC.
Place WLCs in the same Mobility Group, then the LAP failover is "seamless" (typically 30-80 seconds switchover delay to the other WLC).
What happens when you power down the primary WLC:
- Each associated LAP waits for the heartbeat timeout (30 seconds)
- Then each LAP sends 7 heartbeats (one per second) to the WLC
- Then each LAP searches another WLC using the default process
Optionally the heartbeat can be reduced down to 1 second
Note: max WAN RTT is 100 ms, the minimum datarate is 128 kbit/s.
Between the access point and the controller, a minimum of a 500 byte MTU is supported.
The 1030 REAP can only reside on a single subnet because it cannot perform IEEE 802.1Q VLAN tagging. However, wireless traffic can still be segmented into different SSIDs but on the wired side all traffic is placed into the same VLAN.
When the WLC is not reachable only WLAN 1 is supported by the REAP. You should use a non-AAA based security policy for WLAN 1 such as WPA-PSK.
The H-REAP mode is supported by the lightweight 1130AG and 1240AG access points. The H-REAP may send data traffic back to the WLC but can also perform local switching.
The main differences to the legacy REAP mode are that H-REAP supports:
Configuration:
- On the WLC you must configure both centrally switched and locally switched WLANs.
- For the locally switched WLAN choose WPA-PSK and, under the WLAN/Advanced tab, check the H-REAP Local Switching check box.
- On the Wireless/Details page select the H-REAP role.
- On the same page (right) a H-REAP Configuration section appears: Check VLAN Support and enter the number of the native VLAN. All other VLANs will be configured automatically and correspond to the VLAN interface settings of the WLC.
- Below, click VLAN Mappings and enter the VLAN number from which the clients will get an IP address when doing local switching.
The Group Leader is dynamically elected and cannot be chosen by an administrator. The RF group leader analyzes the real-time radio data collected by the group and calculates a master power and channel plan with -65 dBm on the cell borders.
Auto-RF uses fixed and some configurable parameters. The following parameters can be configured:
| Parameter | Default Value | Description |
|---|---|---|
| Interference | 10% | Specifies the maximum percentage of interference every LAP may detect. |
| Clients | 12 | Specifies the maximum number of clients that may be associated on every LAP. Range: 1-75 |
| Noise | -70 dBm | Specifies the maximum noise power level on every LAP. Range: −127 to 0 dBm |
| Coverage | 12 dB @ 2.4 GHz, 16 dB @ 5 GHz | Specifies the lowest allowable SNR on every LAP. If the measured SNR drops below this coverage parameter then a coverage hole exists and the transmit power of the surrounding LAPs will be increased. Range: 3 to 50 dB |
| Utilization | 80% | Specifies the percentage of time a LAP may consume for transmissions. |
| Coverage Exception | 25% | Specifies the percentage of clients per LAP that experience a SNR below the coverage level but cannot roam to another LAP. |
| Data Rate | 1000 Kbit/s | Specifies the lowest allowable data rate a LAP can use for sending or receiving data. Range: 1 to 1000 Kbit/s |
| Client Min Exception Level | 3 | Specifies the maximum number of clients on a LAP that may experience a lower SNR as specified by the Coverage parameter. That is, the Client Min Exception Level indicates the number of clients necessary to trigger a Coverage Alarm if the Coverage Exception is also violated at the same time. A coverage alarm causes an SNMP trap. Range: 1 to 75 |
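The interplay of the Coverage, Coverage Exception and Client Min Exception Level parameters is easiest to see in code. The following is an added example, not code from the notes or from Cisco: it checks one LAP's measurement report against the default thresholds from the table above. The report layout, the assumption that both coverage comparisons are inclusive, and the sample reports are constructed for this example.

```python
# Added example (not from the original notes): check one LAP's measurement report
# against the configurable Auto-RF thresholds from the table above. Threshold names,
# the report layout and the sample reports are assumptions made for this example.

AUTO_RF_DEFAULTS = {
    "interference_pct": 10,                         # max interference a LAP may detect
    "clients": 12,                                  # max associated clients per LAP
    "noise_dbm": -70,                               # max noise power level
    "utilization_pct": 80,                          # max share of time spent transmitting
    "coverage_snr_db": {"2.4GHz": 12, "5GHz": 16},  # lowest allowable client SNR
    "coverage_exception_pct": 25,                   # % of clients below coverage SNR
    "client_min_exception": 3,                      # clients below SNR needed for an alarm
}


def coverage_hole(band, client_snr_db, params):
    """Coverage alarm when both the client count and the percentage limits are reached.

    Assumption: both comparisons are inclusive ('at or above' the configured level).
    """
    threshold = params["coverage_snr_db"][band]
    below = sum(1 for snr in client_snr_db if snr < threshold)
    pct = 100.0 * below / len(client_snr_db) if client_snr_db else 0.0
    return below >= params["client_min_exception"] and pct >= params["coverage_exception_pct"]


def check_lap(report, params=AUTO_RF_DEFAULTS):
    """Return the names of the thresholds a LAP report violates, in table order."""
    violations = []
    if report["interference_pct"] > params["interference_pct"]:
        violations.append("interference")
    if len(report["client_snr_db"]) > params["clients"]:
        violations.append("clients")
    if report["noise_dbm"] > params["noise_dbm"]:
        violations.append("noise")
    if coverage_hole(report["band"], report["client_snr_db"], params):
        violations.append("coverage")
    if report["utilization_pct"] > params["utilization_pct"]:
        violations.append("utilization")
    return violations


# Constructed sample reports (one per LAP), not real measurements.
SAMPLE_REPORTS = {
    # healthy 5 GHz cell: quiet, lightly loaded, all clients well above 16 dB
    "lap-1": {"band": "5GHz", "noise_dbm": -90, "interference_pct": 2,
              "utilization_pct": 30, "client_snr_db": [28, 31, 24, 40]},
    # 2.4 GHz cell with 3 of 8 clients (37.5 %) below 12 dB -> coverage hole
    "lap-2": {"band": "2.4GHz", "noise_dbm": -85, "interference_pct": 4,
              "utilization_pct": 55, "client_snr_db": [9, 11, 10, 20, 22, 25, 30, 18]},
    # noisy, busy 2.4 GHz cell: only one weak client, so no coverage alarm
    "lap-3": {"band": "2.4GHz", "noise_dbm": -65, "interference_pct": 12,
              "utilization_pct": 90, "client_snr_db": [20, 25, 8]},
}

if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        print(name, check_lap(report) or "ok")
```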
Additionally, an administrator can configure a (country-specific) channel list, as well as some monitor intervals. The table below shows the default monitor values:
| Measurement | Interval |
|---|---|
| Noise | 180 s |
| Traffic Load | 60 s |
| Receive Signal Power | 60 s |
| Coverage (SNR) | 180 s |
Note that Noise=180 s means that every AP must perform a noise scan of all channels within 180 seconds and then send a report to the WLC (when the LAP is in local mode).
The following parameters are set by the manufacturer or created dynamically and cannot be changed:
Output of the show debug mobility enable shows:
Hint: Look for receipt of final message in tunnel sequence "Received Anchor Export Ack".
Output of the show debug mobility enable shows:
An EoIP tunnel is created for every roaming client!
This feature allows client traffic to be confined to a specific subnet regardless of the clients' physical location. For example the whole guest WLAN traffic can be tunneled to an Anchor WLC placed in a DMZ of a firewall. Obviously the firewall must permit LWAPP traffic.
Note:
A subset of the WLCs of the mobility group can be configured as anchors for a WLAN. Configure the same set of WLCs on all WLCs of the mobility group! Each WLC sends a controller status message every 15 seconds. After three missing status messages that WLC is considered inactive.
As soon as the first client for an auto-anchored WLAN associates to the initial contact WLC, this WLC sends an announcement message to all other WLCs in the mobility group. If this announcement remains unanswered the WLC chooses any (usually the first) Anchor WLC in the list of configured Anchor WLCs and establishes an EoIP tunnel to that anchor.
Note: Each SSID requires a tunnel from the WLC to an Anchor WLC.
The anchor WLCs may send a handoff message as announcement response to equally distribute the EoIP tunnels (usually on a round robin basis.)
Client traffic always travels a symmetric path.
Every WLC creates one EoIP tunnel for all associated clients (for that remotely anchored WLAN).
The mobility anchor of the local controller must point to the anchor controller, and the mobility anchor of the anchor controller must point to itself.
Each anchor controller supports up to 40 EoIP tunnels from various WLCs.
A 2000 series WLC cannot be configured as anchor.
Auto-anchored WLANs do not support IPsec and L2TP Layer 3 security policies. Web Authentication is supported and performed by the Anchor WLC.
The maximum number of local users in the local database:
- Absolute maximum: 2048
- Default-maximum: 512 [Security>General]
The configured database size is shared by local management users (including lobby ambassadors), net users (including guest users), MAC filter entries, and disabled clients.
| Traffic Type | Cisco AVVID IP DSCP | Cisco AVVID 802.1p UP | IEEE 802.11e UP |
|---|---|---|---|
| Network Control | 56 | 7 | 7 |
| Reserved | 48 | 6 | -- |
| Voice | 46 (EF) | 5 | 6 |
| Video | 34 (AF41) | 4 | 5 |
| Voice Control | 26 (AF31) | 3 | 4 |
| Background Gold | 18 (AF21) | 2 | 2 |
| Background Silver | 10 (AF11) | 1 | 1 |
| Best effort | 0 (BE) | 0 | 0,3 |
WCS version 4 runs on Windows 2003 and Red Hat Enterprise Linux ES 4.0 and AS 4.0 servers.
WLC version should not be greater than WCS version.
Login: root/public new: root/Public1! (since version 4.1)
All monitor data available for 7 days (e.g. for trending analysis)
Don't block port 169 otherwise WCS can't receive any traps
Calibration 150 data points are required, 50 locations
When clearing alarm, underlying event is not cleared
HTTP and HTTPS ports can be changed during installation
Search criteria to search WLCs: name, networks, IP address
Audit trail should be purged manually
Installation log will be put on the desktop of the server
Backup Automatically - Can force WLCs to perform periodic (1:00 am daily) configuration backups via TFTP to a specified TFTP server. The period can be changed.
Note: The TFTP server cannot run on the same computer as the WCS, because the WCS and the TFTP server use the same communication port.
Config Groups - Group WLCs that should have same mobility group name and similar configuration. Assign templates to that group and push them to all WLCs in the group.
Polling value should equal to or greater than RFID tag beacon interval. Cisco recommends that the RFID timeout value on your WLC should be 8-10 times the tag beacon rate. If the RFID beacon is 10s, the timeout should be between 80-100 seconds:
(WLC) >config rfid timeout 80
LAPs must be in normal, monitor or H-REAP mode.
Clients and LAPs must support CCXv2 or higher (the 1030 does not!). At configured intervals the LAPs send broadcast radio measurement requests for every SSID. CCXv2 clients reply with probe requests on all channels specified in the measurement request. In version 4.0 this was a broadcast message and the LAP calculated RF parameters which were sent to the Location Appliance. Since version 4.1 the clients send unicast probe requests and report RF parameters from their own perspective.
WLC software release 4.1 also improves the ability of the Location Appliance to accurately interpret the location of a device through a new CCXv4 feature called location-based services. The controller issues a path-loss request to a particular CCXv4 client. If the client chooses to respond, it sends a path-loss measurement report to the controller. These reports contain the channel and transmit power of the client.
On WLC enable CCX Location Measurement under Wireless > 802.11 a|b/g > Network. Optionally change the interval (default: 60 sec).
LAPs should be spaced 17-20 meters (50-70 feet) apart.
Devices must be detected at signals greater than -75 dBm for the WLCs to forward information to the Location Appliance.
Active RFID tags do not associate to LAPs and therefore are not affected by any WLAN or WLC settings. RFID tags send L2 multicast packets which are automatically forwarded by the LAP if the WLC is configured for RFID Tag Data Collection:
(Cisco Controller) >config rfid status enable
The WCS and Location Server poll the SNMP table of the WLC in order to view tag information.
Two types of LAPs:
- Mesh APs (MAPs, default!)
- Root APs (RAPs, has wired LWAPP connection to WLC)
Before deployment of MAPs, check:
- AP role (1500 default since code 4.0: MAP)
- Primary WLC name
- Bridge group name
- IP address (optional)
MAPs use 5 GHz and 18 Mbit/s backhaul channel to RAPs
Each MAP can have configured multiple RAPs for backup
A MAP can also have a wired connection when in wireless bridging role (e. g. AP 1510)
Scan mode is used by MAPs at startup or when they lose connectivity to the WLC
MAPs prefer other MAPs with same Bridge Group Name (BGN).
The BGN has the same function as an SSID: it prevents two networks on the same channel from communicating with each other and helps MAPs find the correct WLC.
Note:
- Maximum 10 characters!
- Default BGN=NULL - will connect to ANY neighbor node!
- If the WLC cannot be found using the configured BGN, the MAP changes the BGN to DEFAULT. All APs with code version greater than 4.0 will accept other nodes with that name.
Hunt algorithm:
- Passively scan all neighbor nodes regardless of their BGN
- Try to connect to nodes with own BGN
- Try to connect using BGN=DEFAULT (Note: MAP remains in maintenance mode, i. e. accessible via WLC! No clients or children!)
- reboot
If connected via BGN=DEFAULT, restart hunt algorithm every 30 minutes.
Per default max power level is used.
AWPP discovers paths and determines AP-relationships (parent or child)
Typical node distance: 1000 feet, up to 35 feet above ground.
One RAP supports up to 32 MAPs. Recommendation: < 20 MAPs.
When co-locating RAPs and MAPs keep safety minimum distance: 10 dBm 'damage level' for 5 GHz, 15 dBm for 2.4 GHz.
To prevent unauthorized LAPs from joining the network:
- Use MAC address filters
- Configure a shared key
Maximum MAP distance from RAP: 4 hops.
Antenna options for the 1500 AP
- 2.4 GHz: Omni 5.5 dBi or 8 dBi
- 5 GHz: Omni 7 dBi, Patch 14 dBi or 17 dBi
On autonomous APs use IOS 12.3(8)JA or higher.
Using CAC an AP can announce the available bandwidth to the client.
Cisco 7920 WLAN phones with older software expect that the CAC Limit is set to Client. That is, the client actively asks the AP.
To support newer software versions the AP CAC Limit must be enabled, that is the CAC Limit is announced by the LAP. This is good for mesh networks because also the backhaul bandwidth is announced.
Wireless>802.11a>Voice: enable Admission Control (ACM) and configure Max RF Bandwidth (40-85%, default: 75%) and Reserved Roaming Bandwidth (0-25%, default: 6%). Optionally enable Metrics Collection (Traffic Stream Metric, usually only for troubleshooting - significant overhead!)
When access point-controlled CAC is enabled, the AP sends out a Cisco proprietary CAC IE and does not send out the standard QBSS IE.
With CAC, QoS will be maintained in a network overload scenario by ensuring that the number of active voice calls does not exceed the configured limits on the AP. With this feature, the client device will be capable of integrating layer 2 TSPEC admission control with layer 3 CCM admission control (RSVP). This facilitates providing a fast busy indication to the calling or called parties during times of network congestion.
Note: The 1000 series of AP announces inaccurate AP-CAC information. Always use the Client-CAC option with these LAPs.
These voice-specific WLAN client Information Reporting Information Elements (IRIEs) include:
These data can be collected and analyzed to allow optimization.
QoS enabled BSS (QBSS) is disabled by default. Enable QBSS with WMM (no 7920!) or QBSS in "7920 support mode"
Configure the voice WLAN for WMM and the Platinum level. Disable that WLAN temporarily for following configuration.
Under Wireless > 802.11a|bg > Voice
- Click Admission Control (ACM) for BW-based CAC and Load-based AC.
- Optionally change allocated BW for voice clients (default: 75%)
- Optionally change reserved roaming bandwidth (default: 6%)
7920 does NOT support WMM: You cannot enable both WMM mode and client-controlled CAC mode on the same WLAN.
A common AP configuration error concerns ARP caching. The phones expect this option to be enabled on the AP, but it is disabled by default on the AP. For optimal performance, Cisco recommends enabling ARP caching on the AP, especially when using Wi-Fi devices capable of power management.
Enable Address Resolution Protocol (ARP): One-way audio can occur if ARP caching is not configured on the access point.
Radius: -67 dBm, 20 percent overlap. Separation of same channel cells should be 19 dBm (7920 RSSI=20).
The 7921 (5GHz) requires RSSI>35 at cell edges which is equivalent to -67 dBm
This is the maximum percentage of air bandwidth given to a user class. For example, if the guest QoS profile has the maximum bandwidth limitation for bronze set to 10%, then even if only a single bronze user is using the AP, it can never receive more than 10% of the total available bandwidth.
Note: Only the 1000 series supports the maximum RF usage setting.
Comparison of dBm and RSSI Values for Unified Wireless IP Phone 7920
| RSSI | 5 | 10 | 15 | 20 | 25 | 30 | 35 | 40 | 45 | 50 | 55 | 60 | 65 | 70 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| dBm | -98 | -97 | -89 | -83 | -79 | -75 | -67 | -61 | -57 | -49 | -44 | -41 | -38 | -34 |
Even relatively recent (German) studies show that more than 50% of all WLAN networks rely on WEP encryption, while approximately 17% are protected by WPA or WPA2. Roughly 22% are not protected at all.
It is important to explain to decision makers that WEP encryption is not 'good enough'. WEP can be cracked within minutes (or even less) and the needed cracker tools can be operated by anybody. That is, using WEP is in practice only slightly better than having no security measures at all!
WEPplus = WEP with avoidance of weak IVs
WPA2 supports FIPS 140-2 compliant security, basically AES in counter mode. (An early draft included AES-OCB instead but it was dropped due to patent issues.) A 48 bit IV protects against replay attacks.
Authentication and integrity are maintained using an 8 byte CBC-MAC with a 48 bit nonce. Besides the data, the source and destination MAC addresses in the header are also protected by the CBC-MAC. (These fields are called Additional Authentication Data (AAD).)
The CBC-MAC, the nonce, and additional 2 byte IEEE 802.11 overhead make the CCMP packet 16 octets larger than an unencrypted IEEE 802.11 packet.
The AP advertises cipher suites both in beacons and probe responses.
PKC allows a client to store PMKs and reuse them when later associating to the same AP or LAP. In order to support PKC the client calculates and sends PMKIDs, i. e. a hash of the PMK, a string, the station MAC and the AP MAC. This 'PMK SA Identifier' is sent in an association request. The PMKID uniquely identifies the PMK on the WLC and therefore the 802.1x authentication can be bypassed. The client can send more than one key name in the association request. If the access point or WLC sends a success in the association response, then the client and access point proceed directly to the 4-way handshake.
Note:
While PKC reduces the reauthentication time on APs or WLCs where the client has been authenticated once, preauthentication reduces roaming delays because it allows clients to authenticate to other APs or WLCs without association. Note that the preauthentication process is realized through the current AP or WLC to which the client is currently associated! Using preauthentication the client can establish PMKs with all APs or WLCs. The PTK handshake is only performed when the client actively associates to a new AP or WLC. In this case the association request again carries a PMK SA Identifier as explained in the PKC section above.
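The PMKID-based fast reauthentication described in the PKC and preauthentication paragraphs above, as an added example (not code from the original document or from Cisco). The PMKID formula is the one from IEEE 802.11i (HMAC-SHA1-128 over "PMK Name" || AP MAC || station MAC); the PMK values and MAC addresses are constructed, and the cache/association logic is a simplified model of what a station and WLC do.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

def mac(addr: str) -> bytes:
    return bytes.fromhex(addr.replace(":", ""))

def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """IEEE 802.11i PMK SA identifier: HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA),
    AA = AP MAC address, SPA = station MAC address."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

class PmkCache:
    """PMKs indexed by PMKID: a station keeps one entry per AP it (pre)authenticated to,
    the WLC one per client/AP pair."""
    def __init__(self) -> None:
        self._entries: Dict[bytes, bytes] = {}

    def add(self, pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
        kid = pmkid(pmk, ap_mac, sta_mac)
        self._entries[kid] = pmk
        return kid

    def key_names(self) -> List[bytes]:
        """All PMKIDs, as listed by the client in its association request."""
        return list(self._entries)

    def lookup(self, kid: bytes) -> Optional[bytes]:
        return self._entries.get(kid)

def handle_association(wlc: PmkCache, ap_mac: bytes, sta_mac: bytes, offered: List[bytes]) -> str:
    """WLC side: an offered PMKID naming a cached PMK that is bound to exactly this AP/station
    pair lets the client skip 802.1X and go directly to the 4-way handshake."""
    for kid in offered:
        pmk = wlc.lookup(kid)
        if pmk is not None and hmac.compare_digest(pmkid(pmk, ap_mac, sta_mac), kid):
            return "4-way handshake"
    return "full 802.1X authentication"

def demo() -> Dict[str, str]:
    # Constructed PMKs and MACs; real PMKs result from the EAP exchange (for AP2 via preauthentication).
    sta, ap1, ap2, ap3 = (mac(a) for a in ("02:00:00:00:00:01", "02:00:00:00:00:a1",
                                            "02:00:00:00:00:a2", "02:00:00:00:00:a3"))
    station, wlc = PmkCache(), PmkCache()
    for label, ap in ((b"eap-session-ap1", ap1), (b"eap-session-ap2", ap2)):
        pmk = hashlib.sha256(label).digest()
        station.add(pmk, ap, sta)
        wlc.add(pmk, ap, sta)
    names = station.key_names()
    return {"roam to AP2": handle_association(wlc, ap2, sta, names),   # PMK cached: fast
            "roam to AP3": handle_association(wlc, ap3, sta, names)}   # no PMK for AP3: full 802.1X
```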
WPA2 compliant products are always backwards compatible with WPA. If all devices run AES-CCMP then 802.11i is used. If some run TKIP then WPA2 devices are needed which run a mixture of 802.11i and WPA.
Aironet APs support a 'Migration Mode' to support both legacy WEP-only clients and new WPA clients. This mode can be enabled by selecting a cipher suite (>encryption manager) which supports both methods such as
- TKIP+WEP128
- TKIP+WEP40
Besides WPA clients, static and dynamic WEP clients (802.1x) are supported.
Additionally configure
- Appropriate static WEP keys in slot 2 or 3
- Key management 'WPA optional'
MFP Version 1 is called Infrastructure MFP: APs validate management packets emitted by other APs. Only infrastructure devices use MFP version 1; clients simply cannot interpret the new MFP IE and ignore it. A MIC IE is inserted at the end of each management frame. Other APs validate such frames or generate an IDS event.
IE contains:
- Timestamp (therefore use NTP on all WLCs - the time window is 2 seconds only!)
- Sequence number
- MIC
Two configuration options:
- Protection: Add MIC
- Validation: Check MIC and generate alert
MFP Version 2 is called Client MFP and is supported since WLC version 4.1. It requires CCXv5 compatible clients and WPA2 for key management. Management frames are encrypted like data frames via TKIP or AES.
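The Infrastructure MFP validation step (timestamp, sequence number, MIC, and the 2 second window that makes NTP mandatory), as an added example that is not part of the original document or of Cisco's implementation. The IE layout and the use of a truncated HMAC-SHA256 as the MIC are hypothetical stand-ins, since the page does not specify them; key, AP address and frame body are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

WINDOW_S = 2  # validation window from the page: two seconds, hence NTP on all WLCs

def build_mic_ie(key: bytes, frame_body: bytes, timestamp: int, seq: int) -> bytes:
    """Protection side. Hypothetical IE layout (not given on the page):
    4-byte timestamp | 4-byte sequence number | 8-byte MIC, the MIC being HMAC-SHA256
    truncated to 8 bytes under a key shared by the infrastructure devices."""
    hdr = struct.pack("!II", timestamp, seq)
    return hdr + hmac.new(key, frame_body + hdr, hashlib.sha256).digest()[:8]

class MfpValidator:
    """Validation side: the checks a neighbouring AP runs before raising an IDS event."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq: Dict[bytes, int] = {}  # highest sequence number seen per source AP

    def validate(self, src_ap: bytes, frame_body: bytes, ie: bytes, now: int) -> Tuple[bool, str]:
        if len(ie) != 16:
            return False, "MIC IE missing or malformed"
        timestamp, seq = struct.unpack("!II", ie[:8])
        expected = hmac.new(self.key, frame_body + ie[:8], hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, ie[8:]):
            return False, "MIC mismatch: frame forged or altered"
        if abs(now - timestamp) > WINDOW_S:
            return False, "timestamp outside the 2 s window: replay, or clocks not NTP-synced"
        if seq <= self.last_seq.get(src_ap, -1):
            return False, "sequence number did not increase: replay"
        self.last_seq[src_ap] = seq
        return True, "ok"

def demo() -> List[bool]:
    # Constructed key, AP address and frame body.
    key, ap, beacon = b"constructed infrastructure key", bytes.fromhex("020000000001"), b"constructed beacon body"
    v = MfpValidator(key)
    ie = build_mic_ie(key, beacon, timestamp=1_000_000, seq=7)
    return [
        v.validate(ap, beacon, ie, now=1_000_001)[0],            # fresh frame: accepted
        v.validate(ap, beacon, ie, now=1_000_001)[0],            # same frame again: replay
        v.validate(ap, b"altered body", ie, now=1_000_001)[0],   # body changed: MIC mismatch
        v.validate(ap, beacon, build_mic_ie(key, beacon, 1_000_000, 8), now=1_000_005)[0],  # 5 s skew
    ]
```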
Either via RLDP and/or using Rogue Detection APs which
When either the IP address of the WLAN Controller is incorrect on the AAA server or the shared secret on the controller differs from the one on the AAA server, the error “Unknown Network Access Server” is shown in the ACS log file.
The RADIUS user attributes used for the VLAN ID assignment are:
- IETF 64 (Tunnel Type) - Set this to VLAN.
- IETF 65 (Tunnel Medium Type) - Set this to 802.
- IETF 81 (Tunnel Private Group ID) - Set this to the VLAN ID.
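The three RADIUS attributes listed above, encoded as a server would send them and checked as a controller must before applying the VLAN; this is an added example, not code from the original document or from Cisco ACS/WLC. Attribute numbers are from the page; the tag byte, the 3-byte integer values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = 802) and the ASCII VLAN ID string follow RFC 2868/RFC 3580.

```python
import struct
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13    # "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6    # "802" (all IEEE 802 media)

def attr(attr_type: int, payload: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1) Value; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload

def vlan_assignment(vlan_id: int, tag: int = 1) -> bytes:
    """Access-Accept fragment that puts the user into vlan_id. Tunnel attributes carry a
    1-byte tag (RFC 2868); Tunnel-Type and Tunnel-Medium-Type are 3-byte integers,
    Tunnel-Private-Group-ID is a string holding the VLAN ID in ASCII."""
    t = bytes([tag])
    return (attr(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))

def parse_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed RADIUS attribute")
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out

def assigned_vlan(blob: bytes) -> Optional[int]:
    """Controller side: apply a VLAN only if all three attributes are present, consistently
    tagged and set exactly as required; otherwise the client stays on the WLAN's default VLAN."""
    attrs: Dict[int, bytes] = dict(parse_attrs(blob))  # assumes each attribute appears once
    if not all(k in attrs for k in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    tt, tm, pg = attrs[TUNNEL_TYPE], attrs[TUNNEL_MEDIUM_TYPE], attrs[TUNNEL_PRIVATE_GROUP_ID]
    if len(tt) != 4 or len(tm) != 4 or not pg:
        return None
    if int.from_bytes(tt[1:], "big") != TUNNEL_TYPE_VLAN:
        return None   # e.g. a server profile that forgot "Tunnel Type = VLAN"
    if int.from_bytes(tm[1:], "big") != TUNNEL_MEDIUM_802:
        return None   # e.g. medium left at IPv4 instead of 802
    # RFC 2868: a first byte above 0x1F is not a tag but part of the string itself.
    tag, group = (pg[0], pg[1:]) if pg[0] <= 0x1F else (0, pg)
    if not (tt[0] == tm[0] == tag):
        return None
    return int(group) if group.isdigit() else None
```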
ACS 4.0 supports from 10,000 to 300,000 internal users per server
When PSPF is enabled on the controller, 'protected port' should be enabled on the switch to prevent clients from seeing each other's data.
WLC 4.0 allows the integration of an LWAPP-based WLAN system with the Cisco IDS/IPS product line running software 5.0 or later. The goal is to allow the Cisco IDS/IPS system to instruct the WLCs to block certain clients from access to wireless networks when an attack is detected anywhere from Layer 3 through Layer 7 that involves the client in consideration.
A shun request from an IDS Sensor is distributed throughout the entire mobility group of the controller that retrieves the request from the IDS Sensor.
LEDs:
At the IP layer, there is a 1-byte Type of Service (ToS) field in the header. The most significant (rightmost) six (RFC 791) or seven (RFC 1349) bits of this field can be used for QoS marks, as specified in RFC 1349.
Since RFC 2474 (1998) the ToS field has been redefined and renamed to DiffServ Code Point (DSCP) or DS Field. As specified in RFC 2474 only six bits are used. The three most significant bits again carry the 0-7 IP precedence value, also known as class selector. However, there is a new definition of these values, as listed in the table below.
| Level | Meaning |
|---|---|
| 7 | unchanged (link layer and routing protocol keep alive) |
| 6 | unchanged (used for IP routing protocols) |
| 5 | Expedited Forwarding (EF) |
| 4 | AF Class 4 |
| 3 | AF Class 3 |
| 2 | AF Class 2 |
| 1 | AF Class 1 |
| 0 | Best effort |
The following code points are common and recommended:
Best Effort (BE) should be the default PHB and uses DSCP 000 000.
Assured Forwarding (AF) as defined in RFC 2597 guarantees a certain bandwidth to a traffic class. If the traffic exceeds the committed bandwidth, the drop probability is raised according to the specified drop precedence. There are 12 different AF 'behaviour' code points, consisting of four classes (AF1x to AF4x) and three drop probabilities for each class (low/med/hi).
| Drop | Class 1 | Class 2 | Class 3 | Class 4 |
|---|---|---|---|---|
| Low | AF11 10/001010 | AF21 18/010010 | AF31 26/011010 | AF41 34/100010 |
| Medium | AF12 12/001100 | AF22 20/010100 | AF32 28/011100 | AF42 36/100100 |
| High | AF13 14/001110 | AF23 22/010110 | AF33 30/011110 | AF43 38/100110 |
Expedited Forwarding (EF) is defined in RFC 3246. DSCP 46 (binary: 101 110) is recommended for the EF PHB and means low delay, low loss and low jitter.
Note: The Cisco AVVID marking defines DSCP 46 to be voice EF (while DSCP 56 is reserved for network control, e. g. LWAPP control packets).
[TO BE DONE]