Channels and Maximum Power Settings for Cisco 3700

The Tx Power Level Assignment for each AP shows its current power level assignment on a scale that starts at 1 and ends at 8. Level 1 means the AP is on full power; the higher the number, the less power is transmitted.

That number (1-8) can be converted to dBm or mW to show the AP’s actual power output with the command ‘show ap config 802.11a’. It is here that you might notice that APs which are all on power level 1 are not necessarily transmitting the same dBm or mW.

The reason for this is the UNII band the AP is on. For example, below is an extract of the ‘show ap config 802.11a’ output for three APs. All three APs were configured exactly the same except for Dynamic Channel Assignment (DCA), which put them on three different UNII bands.

UNII-1

Tx Power
Num Of Supported Power Levels …………. 3
Tx Power Level 1 …………………….. 8 dBm
Tx Power Level 2 …………………….. 5 dBm
Tx Power Level 3 …………………….. 2 dBm
Tx Power Configuration ……………….. AUTOMATIC
Current Tx Power Level ……………….. 1
Tx Power Assigned By …………………. DTPC
Phy OFDM parameters
Configuration ……………………….. AUTOMATIC
Current Channel ……………………… 36
Channel Assigned By ………………….. DCA

UNII-2Ext

Tx Power
Num Of Supported Power Levels …………. 5
Tx Power Level 1 …………………….. 16 dBm
Tx Power Level 2 …………………….. 13 dBm
Tx Power Level 3 …………………….. 10 dBm
Tx Power Level 4 …………………….. 7 dBm
Tx Power Level 5 …………………….. 4 dBm
Tx Power Configuration ……………….. AUTOMATIC
Current Tx Power Level ……………….. 1
Tx Power Assigned By …………………. DTPC
Phy OFDM parameters
Configuration ……………………….. AUTOMATIC
Current Channel ……………………… 100
Channel Assigned By ………………….. DCA

UNII-3

Tx Power
Num Of Supported Power Levels …………. 8
Tx Power Level 1 …………………….. 23 dBm
Tx Power Level 2 …………………….. 20 dBm
Tx Power Level 3 …………………….. 17 dBm
Tx Power Level 4 …………………….. 14 dBm
Tx Power Level 5 …………………….. 11 dBm
Tx Power Level 6 …………………….. 8 dBm
Tx Power Level 7 …………………….. 5 dBm
Tx Power Level 8 …………………….. 2 dBm
Tx Power Configuration ……………….. AUTOMATIC
Current Tx Power Level ……………….. 1
Tx Power Assigned By …………………. DTPC
Phy OFDM parameters
Configuration ……………………….. AUTOMATIC
Current Channel ……………………… 149
Channel Assigned By ………………….. DCA

All three APs indicate Power Level 1 on the Wireless LAN Controller, but their actual transmit power is:
AP1 = 8 dBm
AP2 = 16 dBm
AP3 = 23 dBm

With this information available, you might want to disable certain UNII bands where the maximum power output is not enough for the environment the APs are in.
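To make the point concrete, here is an added Python example (not from the original post and not Cisco code) that parses ‘show ap config 802.11a’ extracts like the three above and reports each AP’s real output for its current level, so that "level 1" APs with different dBm stand out in one table. The sample text is constructed from the values on this page, the AP names are placeholders, and the channel-to-UNII-band mapping follows the usual 5 GHz channel plan.

```python
import re

# Constructed sample input: the three "show ap config 802.11a" extracts shown
# in the post, trimmed to their Tx Power and channel lines. The AP names are
# placeholders; the field names and values are the ones on the page.
SAMPLE_OUTPUT = {
    "AP1": """\
Tx Power
Num Of Supported Power Levels ............. 3
Tx Power Level 1 .......................... 8 dBm
Tx Power Level 2 .......................... 5 dBm
Tx Power Level 3 .......................... 2 dBm
Tx Power Configuration .................... AUTOMATIC
Current Tx Power Level .................... 1
Tx Power Assigned By ...................... DTPC
Phy OFDM parameters
Configuration ............................. AUTOMATIC
Current Channel ........................... 36
Channel Assigned By ....................... DCA
""",
    "AP2": """\
Num Of Supported Power Levels ............. 5
Tx Power Level 1 .......................... 16 dBm
Tx Power Level 2 .......................... 13 dBm
Tx Power Level 3 .......................... 10 dBm
Tx Power Level 4 .......................... 7 dBm
Tx Power Level 5 .......................... 4 dBm
Current Tx Power Level .................... 1
Current Channel ........................... 100
""",
    "AP3": """\
Num Of Supported Power Levels ............. 8
Tx Power Level 1 .......................... 23 dBm
Tx Power Level 2 .......................... 20 dBm
Tx Power Level 3 .......................... 17 dBm
Tx Power Level 4 .......................... 14 dBm
Tx Power Level 5 .......................... 11 dBm
Tx Power Level 6 .......................... 8 dBm
Tx Power Level 7 .......................... 5 dBm
Tx Power Level 8 .......................... 2 dBm
Current Tx Power Level .................... 1
Current Channel ........................... 149
""",
}

# Leaders in the WLC output may be ASCII dots or, after copy/paste, the
# ellipsis character; accept both.
LEVEL_RE = re.compile(r"^Tx Power Level (\d+)\s*[.…]*\s*(-?\d+)\s*dBm", re.M)
CURRENT_RE = re.compile(r"^Current Tx Power Level\s*[.…]*\s*(\d+)", re.M)
CHANNEL_RE = re.compile(r"^Current Channel\s*[.…]*\s*(\d+)", re.M)


def unii_band(channel):
    """Map a 5 GHz channel number to its UNII band (standard channel plan)."""
    if 36 <= channel <= 48:
        return "UNII-1"
    if 52 <= channel <= 64:
        return "UNII-2"
    if 100 <= channel <= 144:
        return "UNII-2Ext"
    if 149 <= channel <= 165:
        return "UNII-3"
    return "unknown"


def dbm_to_mw(dbm):
    """dBm is 10*log10(mW), so mW = 10^(dBm/10)."""
    return 10 ** (dbm / 10)


def parse_ap_power(text):
    """Return the level table and the AP's real output for its current level."""
    levels = {int(n): int(p) for n, p in LEVEL_RE.findall(text)}
    current = int(CURRENT_RE.search(text).group(1))
    channel = int(CHANNEL_RE.search(text).group(1))
    dbm = levels[current]
    return {
        "levels": levels,
        "current_level": current,
        "channel": channel,
        "band": unii_band(channel),
        "dbm": dbm,
        "mw": round(dbm_to_mw(dbm), 1),
    }


def summarize(outputs):
    """One row per AP: (name, level, band, dBm, mW)."""
    rows = []
    for name, text in outputs.items():
        r = parse_ap_power(text)
        rows.append((name, r["current_level"], r["band"], r["dbm"], r["mw"]))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_OUTPUT):
        print("%s: level %d on %s -> %d dBm (%.1f mW)" % row)
```

Run it against real output by pasting the whole ‘show ap config 802.11a’ text for each AP into the dictionary; the regexes only look at the Tx Power Level, Current Tx Power Level and Current Channel lines, so the extra fields are ignored.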

Below is the path to get to the Cisco provided spreadsheet indicating what the power setting will be for your regulatory domain using certain antennas, configuration settings and certain UNII-bands.

http://www.cisco.com/c/en/us/support/wireless/aironet-3700i-access-point/model.html

Under Install and Upgrade Guides click on Detailed Channels and Maximum Power Settings for Cisco 3702e and 3702i Series Access Points.

 Have fun.


Cisco Notification Alert

Title

Cisco Wireless LAN Controller Unauthorized Access Vulnerability

Link

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160113-wlc

Description

Devices running Cisco Wireless LAN Controller (WLC) software versions 7.6.120.0 or later, 8.0 or later, or 8.1 or later contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to modify the configuration of the device.

An attacker who can connect to an affected device could exploit this vulnerability. A successful exploit may compromise the device completely. Customers are advised to upgrade to a version of Cisco WLC software that addresses this vulnerability.

There are no workarounds that address this vulnerability.

Cisco has released software updates that address this vulnerability.

Date

13 January 2016

Title

Cisco Identity Services Engine Unauthorized Access Vulnerability

Link

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160113-ise

Description

A vulnerability in the Admin portal of devices running Cisco Identity Services Engine (ISE) software could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device.

An attacker who can connect to the Admin portal of an affected device could potentially exploit this vulnerability. A successful exploit may result in a complete compromise of the affected device. Customers are advised to apply a patch or upgrade to a version of Cisco ISE software that resolves this vulnerability.

Cisco has released software updates that address this vulnerability.

There are no workarounds that address this vulnerability.

Date

13 January 2016


Cisco MSE High-Availability

A while back I ran into a peculiar situation where I had to set up Cisco MSE High-Availability (HA). I’ll explain the peculiar part after addressing the requirements for MSE HA first –

  • MSE Virtual Appliance supports only 1:1 HA.
  • One secondary MSE can support up to two primary MSEs.
  • HA supports Network Connected and Direct Connected.
  • Only MSE Layer-2 redundancy is supported. Both the health monitor IP and virtual IP must be on the same subnet and accessible from the Network Control System (NCS). Layer-3 redundancy is not supported.
  • Health monitor IP and virtual IP must be different.
  • You can use either manual or automatic failover.
  • You can use either manual or automatic failback.
  • Both the primary and secondary MSE should be on the same software version.
  • Every active primary MSE is backed up by another inactive instance. The secondary MSE becomes active only after the failover procedure is initiated.
  • The failover procedure can be manual or automatic.
  • There is one software and database instance for each registered primary MSE.


My problem arose from point 4 above. Only MSE Layer-2 redundancy is supported. Layer-3 redundancy is not supported.

I had two Cisco MSE Virtual Appliances (Primary and Secondary) with no virtual server infrastructure at the local site. Thus, I had to install the primary in DC1 and the secondary in DC2.

The only way this could be done was Overlay Transport Virtualization (OTV). OTV provides an operationally optimized solution for the extension of Layer 2 connectivity across any transport. With the help of our Data Centre engineers we got OTV up-and-running but the heartbeat between primary and secondary did not come up.

Cisco TAC was my next call but after two weeks they were still looking at logs until one day, to my surprise, the heartbeat was up and the MSE HA solution was working.

I then had to match the time when the heartbeat came up to changes on the network and the resolution was …..

Maximum Transmission Unit (MTU). It was initially implemented as the standard 1500 bytes between the two DCs; changing it to jumbo frames solved the issue.

Cisco TAC seemed surprised and it was never a consideration for them but that is how things work sometimes.
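As an added example (my own Python, not from the original post or from Cisco), here is a pre-flight check that codifies the MSE HA requirements listed above, so the Layer-2 and version constraints are caught before a heartbeat ever has to come up. The IP addresses, versions and MTU values are constructed; the MTU check is an assumption drawn from the resolution described above (a stretched Layer-2 path such as OTV must carry the same frame size on both sides), and reachability from the Network Control System cannot be checked offline.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class MseNode:
    name: str
    health_monitor_ip: str
    software_version: str
    path_mtu: int  # MTU (bytes) of the stretched Layer-2 path toward the peer


def check_mse_ha_prereqs(virtual_ip, subnet, primary, secondary):
    """Return a list of findings; an empty list means the pair passes every check."""
    findings = []
    net = ipaddress.ip_network(subnet, strict=False)
    vip = ipaddress.ip_address(virtual_ip)

    # Layer-2 redundancy only: the virtual IP and both health monitor IPs must
    # sit in one subnet, and the health monitor IP must differ from the VIP.
    if vip not in net:
        findings.append(f"virtual IP {vip} is outside {net}")
    for node in (primary, secondary):
        hm = ipaddress.ip_address(node.health_monitor_ip)
        if hm not in net:
            findings.append(f"{node.name}: health monitor IP {hm} is outside {net} "
                            "(Layer-3 redundancy is not supported)")
        if hm == vip:
            findings.append(f"{node.name}: health monitor IP must differ from the virtual IP")
    if primary.health_monitor_ip == secondary.health_monitor_ip:
        findings.append("primary and secondary share a health monitor IP")

    # Both members must run the same software version.
    if primary.software_version != secondary.software_version:
        findings.append(f"software version mismatch: {primary.software_version} vs "
                        f"{secondary.software_version}")

    # Assumption from the post: when the subnet is stretched between data centres,
    # the MTU has to match end to end or the heartbeat may never establish.
    if primary.path_mtu != secondary.path_mtu:
        findings.append(f"MTU mismatch on the stretched segment: {primary.path_mtu} vs "
                        f"{secondary.path_mtu}")
    return findings


# Constructed sample pairs: one that passes and one that trips three checks.
GOOD_PRIMARY = MseNode("mse-dc1", "10.10.10.11", "8.0.110.0", 9000)
GOOD_SECONDARY = MseNode("mse-dc2", "10.10.10.12", "8.0.110.0", 9000)
BAD_SECONDARY = MseNode("mse-dc2", "10.10.20.12", "8.0.120.0", 1500)

if __name__ == "__main__":
    for finding in check_mse_ha_prereqs("10.10.10.10", "10.10.10.0/24",
                                        GOOD_PRIMARY, BAD_SECONDARY):
        print("FAIL:", finding)
```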

For more on Cisco MSE HA check out this link as I also used it as a reference:

http://www.cisco.com/c/en/us/support/docs/wireless/mobility-services-engine/200058-MSE-Software-Release-8-0-High-Availabili.html


Considerations for Location Services

I’ve got a client that needs to become PCI compliant. As part of their PCI compliance they want to be able to detect and locate rogue devices on their network. My biggest obstacle is that the client has several offices throughout Australia and not one office has more than two Access Points per floor.

Below are the WLAN design considerations for Location Services that would make it possible for the client to accurately locate rogue devices.

Minimal Signal Thresholds

For devices to be tracked properly, a minimum of three access points (with four or more preferred for better accuracy and precision) should be detecting and reporting the received signal strength (RSSI) of the device being tracked. It is preferred that this detected signal strength level be -75 dBm or better.

Access Point Placement

Here are the requirements to adhere to:

  • Perimeter placement – In a location-ready design, it is important to ensure that access points are not solely clustered in the interior and toward the centre of floors. Rather, perimeter access points should complement access points located within floor interior areas. In addition, access points should be placed in each of the four corners of the floor, and at any other corners that are encountered along the floor perimeter.
  • Triangulation – As mentioned before, you need a minimum of three Access Points for Location Services, but it is important that these APs are not placed in a straight line. Place them in a triangular pattern that uses the perimeter of the building, as the diagram below indicates.

[Diagram: triangular AP placement around the floor perimeter for Location Services]

  • If possible, mount antennas such that they have an unencumbered 360º view of all areas around them, without being blocked at close range by large objects.
  • The distance between deployed access points can impact location performance, as well as the performance of co-resident voice and data applications. From a location perspective, while location tracking inter-access point spacing requirements tend to be relatively flexible and supportive of the coverage needs of underlying applications, very small or very large inter-access point separation distances are usually best avoided.
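The signal threshold and the triangulation rule above can be turned into a simple readiness check. This is an added Python example, not part of the original post and not AirMagnet or Cisco code: given the RSSI each AP reports for a tracked device and the AP positions on the floor plan, it counts the APs hearing the device at -75 dBm or better, rejects the case where those APs lie in a straight line, and grades the result against the three-AP minimum and four-AP preference. The floor plans and RSSI reports are constructed, including a two-AP floor like the client’s offices.

```python
from itertools import combinations

RSSI_THRESHOLD_DBM = -75   # "-75 dBm or better" from the design guidance above
MIN_APS = 3                # minimum detecting APs
PREFERRED_APS = 4          # four or more preferred


def triangle_area(p1, p2, p3):
    """Area of the triangle spanned by three (x, y) AP positions; 0 means collinear."""
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    return abs((x2 - x1) * (y3 - y1) - (x3 - x1) * (y2 - y1)) / 2


def spans_area(points, min_area=1.0):
    """True if at least one triple of APs is not in a straight line (area in m^2)."""
    return any(triangle_area(*t) > min_area for t in combinations(points, 3))


def location_readiness(rssi_reports, ap_positions):
    """Judge whether a device's RSSI reports are good enough for location tracking.

    rssi_reports: {ap_name: rssi_dbm} for one tracked device.
    ap_positions: {ap_name: (x, y)} in metres on the floor plan.
    """
    heard = sorted(ap for ap, rssi in rssi_reports.items() if rssi >= RSSI_THRESHOLD_DBM)
    result = {"aps_heard": heard, "count": len(heard)}
    if len(heard) < MIN_APS:
        result.update(status="FAIL",
                      reason=f"only {len(heard)} AP(s) at {RSSI_THRESHOLD_DBM} dBm or better")
    elif not spans_area([ap_positions[ap] for ap in heard]):
        result.update(status="FAIL",
                      reason="detecting APs are in a straight line; no triangulation")
    elif len(heard) < PREFERRED_APS:
        result.update(status="PASS", reason="minimum met; four or more APs preferred")
    else:
        result.update(status="PASS", reason="preferred coverage met")
    return result


# Constructed floor plans (metres) and device reports.
CORNER_FLOOR = {"AP-NW": (0, 0), "AP-NE": (40, 0), "AP-SE": (40, 30), "AP-SW": (0, 30)}
CORRIDOR_FLOOR = {"AP-W": (0, 15), "AP-C": (20, 15), "AP-E": (40, 15)}
TWO_AP_FLOOR = {"AP-1": (10, 15), "AP-2": (30, 15)}

DEVICE_ON_CORNER_FLOOR = {"AP-NW": -62, "AP-NE": -70, "AP-SE": -74, "AP-SW": -81}
DEVICE_HEARD_BY_ALL_CORNERS = {"AP-NW": -62, "AP-NE": -70, "AP-SE": -74, "AP-SW": -75}
DEVICE_IN_CORRIDOR = {"AP-W": -65, "AP-C": -60, "AP-E": -68}
DEVICE_ON_TWO_AP_FLOOR = {"AP-1": -58, "AP-2": -66}

if __name__ == "__main__":
    for label, reports, plan in [("corner floor", DEVICE_ON_CORNER_FLOOR, CORNER_FLOOR),
                                 ("corridor", DEVICE_IN_CORRIDOR, CORRIDOR_FLOOR),
                                 ("two-AP floor", DEVICE_ON_TWO_AP_FLOOR, TWO_AP_FLOOR)]:
        r = location_readiness(reports, plan)
        print(f"{label}: {r['status']} ({r['count']} APs) - {r['reason']}")
```

The corridor case is the one the perimeter rule guards against: three APs hear the device well, but with all of them on one line there is no triangle to resolve the position, so the check still fails.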

Determining Location Readiness

I would suggest AirMagnet Survey Pro to do your planning for Location Services and by using AirWise within the software you will be able to verify if signal coverage, multiple AP signal coverage and data rates are sufficient for Location Services. AirWise will provide you a Pass/Fail and % of Good Area regarding signal and data rates.

The end result is that two APs per floor won’t give you Location Services.


POE Power Pack for Site Surveys

If you start browsing, looking for POE Power Packs that can provide power to your access point while doing a site survey there are two products that keep coming up:

Terra Wave MIMO Site Survey Battery Pack and
Pointsource Portable Battery Powered POE injector

TerraWave’s MIMO/802.3af site survey battery pack provides 6-8 hours of extension cord free surveying and is designed to power most leading manufacturers’ 802.11 a/b/g or 802.11n (I’m sure it will do 802.11ac as well as long as it is 802.3af) radio products. Please note that the battery pack supports 802.3af compliant access points and does not support the legacy Cisco power protocol solutions.

Features and Benefits:
– Provides DC power for a full 6-8 hour shift of surveying
– Built-in RJ45 port that supports the 802.3af (Power over Ethernet) standard and supports any 802.3af compliant product
– 56 Volt port for the Cisco 1252 AP
– Built-in charge indicator light
– Feet are made with sturdy plastic for longer life
– Case made from aluminum to minimize weight
– Internal components are rugged to withstand use in the field
– Holes pre-drilled in lid to allow most manufacturers’ AP’s to be mounted directly to the battery pack using the manufacturers’ mounting bracket
– Includes charger and built-in handle

The link does mention that it doesn’t ship internationally, but you can find distributors in some countries (Australia in my case); the price might just double.


Option 2 is Pointsource, a rechargeable, portable, battery-powered POE injector for IP cameras, specifically designed to make installation, site surveys, testing and demonstration work simple and fast.

– Includes a 12 volt power output for auxiliary equipment
– Battery capacity sufficient for typical full day’s installation work (IP cameras not access points)
– POINTSOURCE supports all classes of 802.3af POE device
– Installs in seconds – removes in seconds – reduces time on site

I like the fact that it has a port on the Pointsource device that can give you direct connectivity to your access point on the tripod but this device will not give you a full day of surveying as it is designed for IP cameras rather than access point surveys.

It looks professional, comes with a shoulder strap and is light weight but will not provide the surveying hours provided by the TerraWave. I also like the fact that you can mount the access point bracket onto the battery pack with the TerraWave product, that will make life easy when not using a tripod.


References:

http://www.terra-wave.com/shop/80211n-mimo-site-survey-battery-pack-p-1535.html
http://www.veracityglobal.com/products/ip-camera-installation-tools/pointsource.aspx


Cisco Notification Alert

Title

Field Notice: FN – 63916 – Cisco Aironet 1530, 1550, 1600, 1700, 2600, 2700, 3500, 3600 and 3700 Series – AireOS 8.0.100.0 or Cisco IOS-XE 3.6.0E – AP Unable to Join WLC or AP Stuck in Downloading State – Software Update Required

Description

Some Wireless Access Points (APs) manufactured between August 2014 and October 2014 might have a corrupted SHA-2 certificate.

Date

12 January 2015


N+1 High Availability (HA)

Since release 7.4 for Wireless LAN Controllers (WLC) more and more customers are using this solution to provide wireless redundancy. The HA-SKU secondary WLC within the Cisco Unified Wireless Network (CUWN) framework allows a single WLC to be used as a backup WLC for N primary controllers. The advantages of this would be cost (HA-SKU controller with no need for additional licences) and the secondary controller could be geographically separate from any of the other primary controllers.

[Diagram: N+1 HA topology, one HA-SKU backup WLC for N primary WLCs]

These WLCs are independent of each other and do not share configuration or IP addresses on any of their interfaces. Each WLC needs to be managed separately by Cisco Prime, can run on different hardware and a different software version (it would however make sense to have all WLCs on the same software version) and can be deployed in different data centres across the WAN link.

When an AP fails over to a WLC running a version other than that on the primary, the corresponding image is downloaded to the AP. This adds to the failover time. Again, it is recommended to have your WLCs on the same software version.

When a primary WLC resumes operation, the APs fall back from the backup WLC to the primary WLC automatically if the AP fallback option is enabled. APs with high priority on the primary controller always connect first to the backup controller, even if they have to push out low-priority APs.

On the HA-SKU secondary controller, the 90-day timer starts when APs join the controller, and the user will see a warning message after 90 days. In other words, an HA-SKU controller can be used as a secondary controller for 90 days without a warning message. Starting with release 7.6, if all the access points fall back to the primary controller within or after the 90-day period, the timer is reset and the warning messages stop.

The HA-SKU provides the capability of the maximum number of APs supported on that hardware. For instance, a 5508 HA-SKU controller provides support for 500 APs.

Configuration

From the primary controller, navigate to Access Points > Global Configuration, then configure the backup controller on the primary to point to the secondary controller.

On the secondary controller, navigate to Controller > Redundancy > Global Configuration, then configure the secondary controller to convert it to an HA-SKU secondary controller. Ensure Redundant Unit is changed to Secondary and AP SSO is Disabled.

On all WLCs, under Wireless > All APs > High Availability, your HA-SKU can be configured as secondary or tertiary as needed.

Failover Process

In the N+1 HA redundancy model, one WLC serves as the backup controller for N primary controllers. When any of the primary WLCs fail, the APs connected to that controller fall back to the backup controller. The AP has to restart its CAPWAP state machine and go through a complete discovery phase before it joins the backup controller. The available AP count on the backup controller is reduced by the number of APs that fall back from the primary WLC to the backup WLC.

For example, when the primary controller supporting 90 APs fails, these APs fall back to the backup controller that has a maximum AP support of 500. The backup WLC is left with an available AP count of 500 – 90 = 410 APs.
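Here is an added Python model (my own example, not from the original post or the Cisco deployment guide) of the failover behaviour described above: APs from a failed primary join the backup controller highest priority first, the available AP count drops by the number that joined, and once the backup is full a higher-priority AP can push out a lower-priority one, while a lower-priority AP is simply left without a controller. The 5508 HA-SKU figure of 500 APs and the 90-AP primary are the ones from the text; the priority names, AP names and the small two-AP backup in the second scenario are constructed for illustration.

```python
from dataclasses import dataclass

# AP failover priority: a higher value connects first and may displace lower values.
# The four names are an assumption for this model.
PRIORITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class AccessPoint:
    name: str
    priority: str = "low"

    @property
    def rank(self):
        return PRIORITY[self.priority]


class BackupController:
    """Model of an HA-SKU backup WLC with a fixed AP capacity."""

    def __init__(self, name, max_aps):
        self.name = name
        self.max_aps = max_aps
        self.joined = {}  # AP name -> AccessPoint

    @property
    def available(self):
        return self.max_aps - len(self.joined)

    def admit(self, ap):
        """Join ap. Returns whichever AP ends up without a controller, or None."""
        if self.available > 0:
            self.joined[ap.name] = ap
            return None
        victim = min(self.joined.values(), key=lambda a: a.rank)
        if victim.rank < ap.rank:          # higher priority pushes out the lowest
            del self.joined[victim.name]
            self.joined[ap.name] = ap
            return victim
        return ap                          # no room and nothing lower to displace

    def fallback(self, names):
        """APs returning to their recovered primary leave the backup."""
        for n in names:
            self.joined.pop(n, None)


def failover(backup, failed_primary_aps):
    """APs of a failed primary join the backup, highest priority first.

    Returns (available AP count after failover, names of APs left without a controller).
    """
    left_out = []
    for ap in sorted(failed_primary_aps, key=lambda a: -a.rank):
        stranded = backup.admit(ap)
        if stranded is not None:
            left_out.append(stranded.name)
    return backup.available, left_out


def worked_example():
    """The post's numbers: a 500-AP HA-SKU backing a primary that has 90 APs."""
    backup = BackupController("wlc-ha-sku", 500)
    primary_aps = [AccessPoint(f"ap-{i:03d}") for i in range(90)]
    return failover(backup, primary_aps)[0]     # 500 - 90 = 410


def eviction_scenario():
    """Constructed: a 2-AP backup already full of low-priority APs, then a critical AP arrives."""
    backup = BackupController("wlc-small", 2)
    failover(backup, [AccessPoint("ap-low-1"), AccessPoint("ap-low-2")])
    _, displaced = failover(backup, [AccessPoint("ap-critical", "critical")])
    _, rejected = failover(backup, [AccessPoint("ap-low-3")])
    backup.fallback(["ap-critical"])            # primary recovered, critical AP returns
    return displaced, rejected, backup.available


if __name__ == "__main__":
    print("available after 90-AP failover:", worked_example())
    print("displaced, rejected, available:", eviction_scenario())
```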

Nice and easy!

Reference:

http://www.cisco.com/c/en/us/td/docs/wireless/technology/hi_avail/N1_High_Availability_Deployment_Guide/N1_HA_Overview.html
