This time a very short blogpost, but sometimes a photo says more than words… Just to get an idea how all the current access-points types look next to each other.
Left to right:
1. 3702I
2. 2702I
3. 2602I
4. 3502I
Category Archives: Wireless
Default QoS (CoS) 802.1p values on a WLC and the IEEE/IETF standards
Right now I’m preparing for the 642-742 IUWVN (implementing Cisco Unified Wireless Voice Networks) exam. In all the learning material, you will find that the authors say that Cisco is using a confusing way of configure the QoS markings for bridging wireless traffic to the wired side. The issue is that when you configure the QoS profiles, the default 802.1p (CoS) values that will be shown are wrong if you follow the IEEE/IETF standards. The explanation from Cisco for this is that when you configure the QoS profiles, you work with the WMM user priority value and not the “real” 802.1p value. Very confusing if you ask me π .
However. Since software 8.0 the previous described behavior got changed to match with the IEEE/IETF standards (see bug CSCui22330 for more information). So if you do an upgrade the values you supposed to use are wrong and you need to correct them to the “real” 802.1p values.
Cisco’s WLC AirOS 8.0 has been released!
Earlier today Cisco released a new software train for the AirOS based wireless lan controllers (WLC’s); the 8.0 train. For me the highlights for this software train are:
- Increased scale to support up to 6000 clients on Cisco Virtual Wireless LAN Controller
- Native IPv6 support
- CleanAir Express on AP1600 (I will dedicate a blogpost on this subject in the near future)
- Change the AP mode from local to flex-connect without a reboot, yay!
- Configuring flashing AP LEDs from the GUI (Can be handy to identify that one access-point without a label or to annoy that person who has complains about the fact the the AP’s are not pretty enough to hang on the ceiling.. π )
- High Density deployment features:
- Optimized Roaming
- RSSI Low Check
- RX-SOP
Oh and I don’t know who requested this particular feature, but you can from now on also use set a red Web Color Theme ..
I have to say that my experience with the now released version (8.0.100) on a 5508 WLC is that the code feels and acts a little buggy; not a release that you want to run in a production environment. My advice is to wait for a maintenance release, but it is always fun to test the new features in the lab π .
CCIE Wireless… we have a liftoff!
It started in my early years as a kid. I was curious about how stuff actually worked, especially radio technology had my interest. Two years ago I passed my CCNA Wireless certification and since than I did a few deployments with a lot learning on the job.
The problem with working for a relatively small Cisco partner is that you don’t have a real specialty; you need to know a lot about a lot. It is not that I do not like that. I love to do consulting, create designs and actually implement that firewall or Nexus solution. I do have my CCNP R/S and CCDP, but I always loved the wireless technology.
And now the moment is here. I scheduled all of the four CCNP Wireless exams four the next few months, every month a exam starting with the site survey one next Wednesday. The CCNP should give me a foundation for the CCIE. My plan is that I at least try the CCIE Wireless lab once before I turn 25 in September 2015. They say it is the hardest CCIE exam, I guess I will find out!
My plan is to read as much as possible on the Cisco Supportforums and blogs and by actually doing wireless projects. If I find something interesting I will write a blogpost about it. So, let’s start with my home lab:
The controllers
1x 5508
1x 2504
1x vWLC (not on the blueprint, but the technology is cool)
Access-points
1x 3702I (with the WSSI module)
1x 2602I
1x 2602E (with some external antennas)
1x 3500I
1x 1242AG
Switches
1x 3650CG-12P
1x 3560-8PC
Phones
2x 7925G
For running WCS / Prime, MSE and ACS I have a VMware server collocated in a datacenter connected with a VPN on a ASA firewall.
It is not enough for CCIE, but it will be for CCNP and it is a nice start.. π
External antenna and power levels in a Cisco wireless environment
Lets start this post with some theory about wireless and regulations for wireless networks. Here in Europe we have the ETSI who decides which frequencies you are allowed to use for wireless communications and with how much power you may send signals into the air.
For the 2.4Ghz frequencies (802.11b/g/n) this is 20dBm maximum EIRP which is the same as 100mW. For the 5Ghz frequencies (802.11a/n/ac) it depends on the actual channel you are using (for the UNII-1 and UNII-2 frequencies the maximum EIRP 23dBm, for UNII-2 extended this is 30dBm). The EIRP value is calculated as follows: transmitter power (dBm) – cable loss (dB) + amplifier (dB) + antenna gain (dBi).
Lets say you have a Cisco WLC, a Cisco 2602E-E access-point and you are going to use external antennas. How does that work and what do you need to configure so your deployment is legal?
For the Cisco 2602E-E access-point, the WLC calculates default a minimal 2dBi gain for 802.11b and 4dBi gain for 802.11a. This gives for 802.11b the following power levels:
(Cisco Controller) >show ap config 802.11b APb838.61b1.85a3
Tx Power
Num Of Supported Power Levels ............. 5
Tx Power Level 1 .......................... 18 dBm
Tx Power Level 2 .......................... 15 dBm
Tx Power Level 3 .......................... 12 dBm
Tx Power Level 4 .......................... 9 dBm
Tx Power Level 5 .......................... 6 dBm
Tx Power Configuration .................... AUTOMATIC
Current Tx Power Level .................... 1
Tx Power Assigned By ...................... TPC MAX Default
Lets say we are going to use a dual-band directional AIR-ANT2566P4W-R antenna. This antenna has 6dBi gain for both 2.4Ghz and 5Ghz, which is much higher than the default values and would give a too high EIRP value (18 dBm + 6 dBi = 24dBm). In this case we need to tell the WLC what the gain of this antenna is, so that it can lower the access-point power which ensures that the EIRP in no case is going to be too high.
On the GUI you can find this configuration under the tab “Wireless -> Access Points -> Radios -> 802.11a/n/ac / 802.11b/g/n -> click on configure for the correct radio -> Antenna Parameters -> Antenna Gain”. Please look below for a CLI example.
(Cisco Controller) >config 802.11a disable AP01
(Cisco Controller) >config 802.11b disable AP01
(Cisco Controller) >config 802.11a antenna extAntGain 12 AP01
(Cisco Controller) >config 802.11b antenna extAntGain 12 AP01
(Cisco Controller) >config 802.11a enable AP01
(Cisco Controller) >config 802.11b enable AP01
The value you are going to enter needs to be twice the size of the actual antenna gain! If you are running some extra cables between the antenna and the access-point, you can lower the gain value to compensate for that loss.
So now we configured the antenna gain, we can validate the the WLC did actually adjust the power levels:
(Cisco Controller) > show ap config 802.11b AP01
Tx Power
Num Of Supported Power Levels ............. 4
Tx Power Level 1 .......................... 13 dBm
Tx Power Level 2 .......................... 10 dBm
Tx Power Level 3 .......................... 7 dBm
Tx Power Level 4 .......................... 4 dBm
Tx Power Configuration .................... AUTOMATIC
Current Tx Power Level .................... 1
Tx Power Assigned By ...................... TPC MAX Default
The access-point power is (maximum) 13 dBm now + 6 dBi antenna gain gives a EIRP value of 19 dBi π
Cisco Prime Infrastructure import certificates made easy
Working with certificates time to time can be a little difficult, implementations differ and there are more than one certificate “formats”. This is also the case when it comes to importing a “pfx” archive to Cisco Prime Infrastructure (1.x or 2.x). If you search the web you will find a lot topics, but you will have to mix those together to get the job really done.
In this scenario you have a wildcard certificate and the private key combined together in a pfx archive (cert.pfx). You will need a openssl installation, the CA bundle (Root certificate and intermediates certificates, “CA-CERTS.CER”) which you can download from the certificate authorities website and these six steps:
1. Export the pfx archive to a standalone certificate and private key
openssl pkcs12 -in cert.pfx -nocerts -out key.pem
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
2. Decrypt the private key
openssl rsa -in key.pem -out key2.pem
3. Convert certificate from pem to der format
openssl x509 -outform der -in cert.pem -out cert.der
4. Download the “CA-CERTS.CER”, “key2.pem” and “cert.der” files with FTP from the Prime CLI
5. Import the CA certs in Prime:
PRIME/admin# ncs key importcacert CA-CERTS CA-CERTS.cer repository defaultRepo
INFO: no staging url defined, using local space. rval:2
truststore used is /opt/CSCOlumos/conf/truststore
The NCS server is running
Changes will take affect on the next server restart
Importing certificate to trust store
6. Import certificate and private key
PRIME/admin# ncs key importkey key2.pem cert.der repository defaultRepo
INFO: no staging url defined, using local space. rval:2
INFO: no staging url defined, using local space. rval:2
truststore used is /opt/CSCOlumos/conf/truststore
The NCS server is running
Changes will take affect on the next server restart
Importing RSA key and matching certificate
7. Restart the NCS application, and drink a cup of coffee.. π
PRIME/admin# ncs stop
PRIME/admin# ncs start
Migrate Cisco standalone AP’s to a controller based solution
Earlier this week I had to migrate a lot of standalone AP to a brand new WLC. Like all the real IT guys and gals I hate it to do manual tasks more than 2 times in a row. So this is what I did to make this hell of a job suck a little less…
This customer had all standalone access-points in the management tool called “Kiwi CatTools” to pull a back-up of the running-configuration every night… nice π
0. Run a task to gather the base MAC address of all the access-points, you gonna need those later to figure out which access-point is which when all connect to the controller.
1. Upload the .tar file with to the TFTP directory in the “CatTools” directory in program files.
2. Create a new task to push the following lines of configuration to all the access-points:
copy tftp://x.x.x.x/load.tar flash:/
This step is gonna take a while depending of how many AP’s and the bandwidth between the AP’s and the controller. Also, in my case it was almost a DDOS attack on the server because of the many incoming connections. However the CatTools tftp deamon didn’t look really bothered.. π
3. Install the software on the AP’s with a new task:
archive download-sw flash:/load.tar
This step is gonna take a while, at least 5 minutes.
4. Here comes the tricky part. If you want the access-points to join the controller based on a DHCP option, you have to make sure that all the static IPv4 information is flushed. This information is not removed with a simple “write erase” so watch out! I created a new task:
reload in 1
y
conf t
interface bvi xx
ip address dhcp
5. After the reload kicks in the access-point will use option 43 or one of the other options for discover the WLC and tries to join it.
Notes
– Make sure that you have the option “answer yes to questions” enabled in all of the tasks in CatTools.
– Repeat step 1 to 3 for all the different types access-points you have in your environment
– Pick the new access-points software carefully and close to the release on the WLC.
I love automation… π
Cisco Aironet 1600/2600/3600 AP back on track from rommon
There where Cisco lacks in writing documentation on this subject at this point, I figured out that it could be handy to write the (small) steps down on how to get a 1600/2600/3600 AP in rommon back on track (autonomous or controller based).
So here you have it… π
ap: set IP_ADDR 192.168.1.2
ap: ether_init
ap: tftp_init
ap: tar -xtract tftp://192.168.1.1/ap3g2-k9w7-tar.152-2.JA.tar flash:
ap: set BOOT flash:/ap3g2-k9w7-mx.152-2.JA/ap3g2-k9w7-mx.152-2.JA
ap: boot