Considerations for Location Services

I’ve got a client that needs to become PCI compliant. As part of their PCI compliance they want to be able to detect and locate rogue devices on their network. My biggest obstacle is that the client has several offices throughout Australia and not one office has more than two Access Points per floor.

Below are the WLAN design considerations for Location Services which would make it possible for the client to accurately locate rogue devices.

Minimal Signal Thresholds

For devices to be tracked properly, a minimum of three access points (with four or more preferred for better accuracy and precision) should be detecting and reporting the received signal strength (RSSI) of the device being tracked. It is preferred that this detected signal strength level be -75 dBm or better.

Access Point Placement

Here are the requirements to adhere to:

  • Perimeter placement – In a location-ready design, it is important to ensure that access points are not solely clustered in the interior and toward the centre of floors. Rather, perimeter access points should complement access points located within floor interior areas. In addition, access points should be placed in each of the four corners of the floor, and at any other corners that are encountered along the floor perimeter.
  • Triangulation – As mentioned before, you need a minimum of three Access Points for Location Services, but it is important that these APs are not placed in a straight line but rather in a triangular layout, using the perimeter of the building as the diagram below indicates.


  • If possible, mount antennas such that they have an unencumbered 360º view of all areas around them, without being blocked at close range by large objects.
  • The distance between deployed access points can impact location performance, as well as the performance of co-resident voice and data applications. From a location perspective, while location tracking inter-access point spacing requirements tend to be relatively flexible and supportive of the coverage needs of underlying applications, very small or very large inter-access point separation distances are usually best avoided.
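As an added example (not part of the original post), here is a small Python check that applies the rules above to one device's RSSI observations: it counts the APs hearing the device at -75 dBm or better, requires at least three (warning below four), and rejects a set of hearing APs that lie on a straight line, using the APs' floor-plan coordinates. The floor layouts, AP names and RSSI values are constructed for illustration.

```python
from dataclasses import dataclass

RSSI_THRESHOLD_DBM = -75   # "-75 dBm or better" from the text
MIN_APS = 3                # minimum detecting APs for location tracking
PREFERRED_APS = 4          # four or more preferred for accuracy


@dataclass(frozen=True)
class Observation:
    """One AP's report of the tracked device (AP position in metres, constructed)."""
    ap: str
    x: float
    y: float
    rssi_dbm: int


def _collinear(points, tol=1e-6):
    """True when every point lies on the line through the first two.

    Twice the signed triangle area is zero for points on one line, which is
    exactly the AP placement the text says to avoid.
    """
    if len(points) < 3:
        return True
    (x0, y0), (x1, y1) = points[0], points[1]
    for x, y in points[2:]:
        area2 = (x1 - x0) * (y - y0) - (y1 - y0) * (x - x0)
        if abs(area2) > tol:
            return False
    return True


def location_readiness(observations, threshold=RSSI_THRESHOLD_DBM):
    """Return a dict with a ready flag, the usable APs, hard failures and warnings."""
    usable = [o for o in observations if o.rssi_dbm >= threshold]
    failures, warnings = [], []

    if len(usable) < MIN_APS:
        failures.append(
            f"only {len(usable)} AP(s) hear the device at {threshold} dBm or "
            f"better; {MIN_APS} are required"
        )
    elif len(usable) < PREFERRED_APS:
        warnings.append(f"{len(usable)} usable APs; {PREFERRED_APS} or more preferred")

    if len(usable) >= MIN_APS and _collinear([(o.x, o.y) for o in usable]):
        failures.append("usable APs lie in a straight line; triangulation is not possible")

    return {
        "ready": not failures,
        "usable_aps": [o.ap for o in usable],
        "failures": failures,
        "warnings": warnings,
    }


# Constructed floor layouts on a 30 m x 20 m floor.
TWO_AP_FLOOR = [
    Observation("ap-west", 5, 10, -55),
    Observation("ap-east", 25, 10, -62),
]
COLLINEAR_FLOOR = [
    Observation("ap-1", 0, 10, -60),
    Observation("ap-2", 15, 10, -65),
    Observation("ap-3", 30, 10, -70),
]
FOUR_CORNER_FLOOR = [
    Observation("ap-sw", 0, 0, -60),
    Observation("ap-se", 30, 0, -68),
    Observation("ap-nw", 0, 20, -80),   # below threshold: too weak to count
    Observation("ap-ne", 30, 20, -74),
]

if __name__ == "__main__":
    for name, floor in [("two APs", TWO_AP_FLOOR), ("collinear", COLLINEAR_FLOOR),
                        ("four corners", FOUR_CORNER_FLOOR)]:
        print(name, location_readiness(floor))
```

The two-AP floor fails on count alone, which is the client's situation; the four-corner floor passes only because three of the corner APs still hear the device above the threshold, and the weak north-west corner turns a comfortable four-AP fix into a three-AP warning.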

Determining Location Readiness

I would suggest AirMagnet Survey Pro to do your planning for Location Services, and by using AirWise within the software you will be able to verify whether signal coverage, multiple-AP signal coverage and data rates are sufficient for Location Services. AirWise will give you a Pass/Fail result and the percentage of Good Area for signal and data rates.

The end result is that two APs per floor won’t give you Location Services.


POE Power Pack for Site Surveys

If you start browsing, looking for POE Power Packs that can provide power to your access point while doing a site survey there are two products that keep coming up:

  • TerraWave MIMO Site Survey Battery Pack
  • Pointsource Portable Battery Powered POE injector

TerraWave’s MIMO/802.3af site survey battery pack provides 6-8 hours of extension cord free surveying and is designed to power most leading manufacturers’ 802.11 a/b/g or 802.11n (I’m sure it will do 802.11ac as well as long as it is 802.3af) radio products. Please note that the battery pack supports 802.3af compliant access points and does not support the legacy Cisco power protocol solutions.

Features and Benefits:
– Provides DC power for a full 6-8 hour shift of surveying
– Built-in RJ45 port that supports the 802.3af (Power over Ethernet) standard and supports any 802.3af compliant product
– 56 Volt port for the Cisco 1252 AP
– Built-in charge indicator light
– Feet are made with sturdy plastic for longer life
– Case made from aluminum to minimize weight
– Internal components are rugged to withstand use in the field
– Holes pre-drilled in lid to allow most manufacturers’ APs to be mounted directly to the battery pack using the manufacturers’ mounting bracket
– Includes charger and built-in handle

It does mention on the link that it doesn’t ship internationally, but you can find distributors in some countries (Australia in my case); the price might just double.


Option 2 is Pointsource, a rechargeable, portable battery-powered POE injector for IP cameras specifically designed to make installation, site surveys, testing and demonstration work simple and fast.

– Includes a 12 volt power output for auxiliary equipment
– Battery capacity sufficient for typical full day’s installation work (IP cameras not access points)
– POINTSOURCE supports all classes of 802.3af POE device
– Installs in seconds – removes in seconds – reduces time on site

I like the fact that the Pointsource device has a port that can give you direct connectivity to your access point on the tripod, but this device will not give you a full day of surveying as it is designed for IP cameras rather than access point surveys.

It looks professional, comes with a shoulder strap and is lightweight, but will not provide the surveying hours provided by the TerraWave. I also like the fact that you can mount the access point bracket onto the battery pack with the TerraWave product, which will make life easy when not using a tripod.




Cisco Notification Alert


Field Notice: FN – 63916 – Cisco Aironet 1530, 1550, 1600, 1700, 2600, 2700, 3500, 3600 and 3700 Series – AireOS or Cisco IOS-XE 3.6.0E – AP Unable to Join WLC or AP Stuck in Downloading State – Software Update Required


Some Wireless Access Points (APs) manufactured between August 2014 and October 2014 might have a corrupted SHA-2 certificate.


12 January 2015


N+1 High Availability (HA)

Since release 7.4 for Wireless LAN Controllers (WLC) more and more customers are using this solution to provide wireless redundancy. The HA-SKU secondary WLC within the Cisco Unified Wireless Network (CUWN) framework allows a single WLC to be used as a backup WLC for N primary controllers. The advantages of this would be cost (HA-SKU controller with no need for additional licences) and the secondary controller could be geographically separate from any of the other primary controllers.

N+1 HA

These WLCs are independent of each other and do not share configuration or IP addresses on any of their interfaces. Each WLC needs to be managed separately by Cisco Prime, can run on different hardware and a different software version (it would however make sense to have all WLCs on the same software version) and can be deployed in different data centres across the WAN link.

When an AP fails over to a WLC running a version other than that on the primary, the corresponding image is downloaded to the AP. This adds to the failover time. Again, it is recommended to have your WLCs on the same software version.

When a primary WLC resumes operation, the APs fall back from the backup WLC to the primary WLC automatically if the AP fallback option is enabled. APs with high priority on the primary controller always connect first to the backup controller, even if they have to push out low priority APs.

On the HA-SKU secondary controller the 90-day timer starts when the APs join the controller, and the user sees a warning message after 90 days. In other words, an HA-SKU controller can be used as a secondary controller for 90 days without a warning message. Starting with release 7.6, if all the access points fall back to the primary controller within or after the 90-day period, the timer is reset and the warning messages stop.

The HA-SKU provides the capability of the maximum number of APs supported on that hardware. For instance, a 5508 HA-SKU controller provides support for 500 APs.


From the primary controller, navigate to Access Points > Global Configuration, then configure the backup controller on the primary to point to the secondary controller.

On the secondary controller, navigate to Controller > Redundancy > Global Configuration, then configure the secondary controller to convert it to an HA-SKU secondary controller. Ensure Redundant Unit is changed to Secondary and AP SSO is Disabled.

On all WLCs, under Wireless > All APs > High Availability, your HA-SKU can be configured as secondary or tertiary as needed.

Failover Process

In the N+1 HA redundancy model, one WLC serves as the backup controller for N primary controllers. When any of the primary WLCs fail, the APs connected to that controller fall back to the backup controller. The AP has to restart its CAPWAP state machine and go through a complete discovery phase before it joins the backup controller. The available AP count on the backup controller is reduced by the number of APs that fall back from the primary WLC to the backup WLC.

For example, when the primary controller supporting 90 APs fails, these APs fall back to the backup controller that has a maximum AP support of 500. The backup WLC is left with an available AP count of 500 – 90 = 410 APs.
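The AP-count bookkeeping and the priority-based push-out described above can be modelled in a few lines. The following Python is an added example (not from the original post or from Cisco): the backup starts with the full AP capacity of its hardware, each failover reduces the available count, APs returning to a recovered primary free it up again, and when the backup is full a higher-priority AP displaces the lowest-priority AP already joined. The numeric priority scale (1 = low to 4 = critical) and the AP names are assumptions for the example.

```python
from dataclasses import dataclass, field

# Assumed priority scale for this example: 1 = low ... 4 = critical.
LOW, MEDIUM, HIGH, CRITICAL = 1, 2, 3, 4


@dataclass(frozen=True)
class AccessPoint:
    name: str
    priority: int = LOW   # failover priority configured on the primary WLC


@dataclass
class BackupController:
    """HA-SKU backup WLC: full hardware AP capacity, shared by N primaries."""
    max_aps: int
    joined: dict = field(default_factory=dict)    # AP name -> AccessPoint
    left_out: list = field(default_factory=list)  # APs that could not stay joined

    @property
    def available(self):
        return self.max_aps - len(self.joined)

    def failover(self, aps):
        """A primary has failed: its APs try to join, highest priority first.

        When the backup is full, a higher-priority AP pushes out the
        lowest-priority AP already joined (the behaviour described above).
        Returns the remaining available AP count.
        """
        for ap in sorted(aps, key=lambda a: a.priority, reverse=True):
            if self.available > 0:
                self.joined[ap.name] = ap
                continue
            victim = min(self.joined.values(), key=lambda a: a.priority)
            if victim.priority < ap.priority:
                del self.joined[victim.name]
                self.left_out.append(victim.name)
                self.joined[ap.name] = ap
            else:
                self.left_out.append(ap.name)
        return self.available

    def fallback(self, aps):
        """The primary is back and AP fallback is enabled: its APs leave."""
        for ap in aps:
            self.joined.pop(ap.name, None)
        return self.available


def worked_example():
    """The text's example: a 90-AP primary fails over to a 500-AP backup."""
    backup = BackupController(max_aps=500)          # 5508 HA-SKU capacity
    primary = [AccessPoint(f"branch-ap-{i}") for i in range(90)]
    after_failover = backup.failover(primary)       # 500 - 90 = 410
    after_fallback = backup.fallback(primary)       # back to 500
    return after_failover, after_fallback


def oversubscribed_example():
    """Two primaries fail at once and the backup is too small for both."""
    backup = BackupController(max_aps=3)
    backup.failover([AccessPoint("low-1"), AccessPoint("low-2"), AccessPoint("low-3")])
    backup.failover([AccessPoint("crit-1", CRITICAL), AccessPoint("crit-2", CRITICAL)])
    return sorted(backup.joined), sorted(backup.left_out)


if __name__ == "__main__":
    print(worked_example())           # (410, 500)
    print(oversubscribed_example())   # (['crit-1', 'crit-2', 'low-3'], ['low-1', 'low-2'])
```

The second scenario is the one to size for: a single backup serving N primaries only has capacity for the primaries that fail at the same time, so the AP priorities on each primary decide which branches stay up when two fail together.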

Nice and easy!



When to FlexConnect

This week I’m having talks with a client regarding wireless at his remote sites. As they currently have autonomous access points on all these sites, they are looking to change to controller-based access points and are starting to ask questions like ‘Do I need a WLC on each site?’, ‘How many APs can I have on a remote site connecting back to a central WLC?’ and ‘What happens when the WAN link goes down?’. Hopefully the answers can be found in this post.


FlexConnect is a wireless solution for branch office and remote office deployments. From a central Wireless LAN Controller (WLC), hopefully in your Data Centre with a redundant WLC not too far away, you can configure, control and manage access points in a branch or remote office. No need for a WLC in each office.

Switching Modes 

There are two switching modes supported by FlexConnect AP’s:

Local Switched: Locally switched WLANs (the SSID you are connected to) map their wireless user traffic to a VLAN via 802.1Q trunking to a local switch adjacent to the access point. A branch user who is associated to a locally switched WLAN has their traffic forwarded by the on-site router. Traffic destined off-site (to the central site) is forwarded as standard IP packets by the branch router. All AP control/management-related traffic is sent to the centralized Wireless LAN Controller (WLC) via CAPWAP. The diagram below from the Enterprise Mobility 7.3 Design Guide shows that the locally switched VLAN terminates at the switch, and traffic can move from there to the branch servers or over the WAN as a standard IP packet rather than through a CAPWAP tunnel.

Central Switched: Central switched WLANs tunnel both the wireless user traffic and all control traffic via CAPWAP to the centralized WLC, where the user traffic is mapped to a dynamic interface/VLAN on the WLC. This is the normal CAPWAP mode of operation. The traffic of a branch user who is associated to a central switched WLAN is tunnelled directly to the centralized WLC. If that user needs to communicate with computing resources within the branch (where that client is associated), their data is forwarded as standard IP packets back across the WAN link to the branch location. Depending on the WAN link bandwidth, this might not be desirable behaviour.

Thus, if the branch client is connected to an SSID that needs local services (such as print services and internet breakout) as well as centralized services (such as e-mail and AD), I would suggest local switching. I would only use central switching when the only service the WLAN provides is central, such as secure guest services.

Design Considerations 

For me the main consideration is the WAN-link and here are some of the main considerations to take into account:

  • It is highly recommended that the minimum bandwidth restriction remains 12.8 kbps per AP.
  • The round trip latency should not be greater than 300 ms for data deployments and 100 ms for data + voice deployments.
  • The maximum transmission unit (MTU) must be at least 500 bytes.

Deployment Type   WAN Bandwidth (Min)   WAN RTT Latency (Max)   APs per Branch (Max)   Clients per Branch (Max)
Data              64 kbps               300 ms                  5                      25
Data + Voice      128 kbps              100 ms                  5                      25
Monitor           64 kbps               2 sec                   5                      N/A
Data              640 kbps              300 ms                  50                     1000
Data + Voice      1.44 Mbps             100 ms                  50                     1000
Monitor           640 kbps              2 sec                   50                     N/A
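To turn the limits above into a repeatable pre-deployment check, here is an added Python example (not from the original post or from Cisco's design guide) that picks the matching table row for a branch and reports every figure that falls outside it, including the 12.8 kbps per AP, RTT and 500-byte MTU rules from the bullet list. The branch figures passed in are constructed.

```python
# Table rows from the text: (deployment, max APs) -> (min kbps, max RTT ms, max clients)
WAN_LIMITS = {
    ("data", 5):        (64,   300,  25),
    ("data+voice", 5):  (128,  100,  25),
    ("monitor", 5):     (64,   2000, None),
    ("data", 50):       (640,  300,  1000),
    ("data+voice", 50): (1440, 100,  1000),
    ("monitor", 50):    (640,  2000, None),
}
MIN_KBPS_PER_AP = 12.8   # per-AP bandwidth floor from the text
MIN_MTU_BYTES = 500      # WAN MTU floor from the text
BRANCH_SIZES = (5, 50)   # the two branch sizes the table covers


def select_row(deployment, aps):
    """Pick the smallest table row whose AP limit covers this branch."""
    if not any(key[0] == deployment for key in WAN_LIMITS):
        raise ValueError(f"unknown deployment type {deployment!r}")
    for size in BRANCH_SIZES:
        if aps <= size:
            return size, WAN_LIMITS[(deployment, size)]
    raise ValueError(f"{aps} APs exceeds the {BRANCH_SIZES[-1]} APs per branch maximum")


def validate_branch_wan(deployment, aps, clients, bandwidth_kbps, rtt_ms, mtu_bytes):
    """Return a list of violations; an empty list means the WAN link passes."""
    size, (min_kbps, max_rtt_ms, max_clients) = select_row(deployment, aps)
    issues = []
    if bandwidth_kbps < min_kbps:
        issues.append(f"bandwidth {bandwidth_kbps} kbps below {min_kbps} kbps "
                      f"minimum for a {size}-AP {deployment} branch")
    if aps and bandwidth_kbps / aps < MIN_KBPS_PER_AP:
        issues.append(f"bandwidth per AP {bandwidth_kbps / aps:.1f} kbps below "
                      f"{MIN_KBPS_PER_AP} kbps")
    if rtt_ms > max_rtt_ms:
        issues.append(f"RTT {rtt_ms} ms above {max_rtt_ms} ms maximum for {deployment}")
    if max_clients is not None and clients > max_clients:
        issues.append(f"{clients} clients above {max_clients} maximum for a {size}-AP branch")
    if mtu_bytes < MIN_MTU_BYTES:
        issues.append(f"MTU {mtu_bytes} bytes below {MIN_MTU_BYTES} byte minimum")
    return issues


if __name__ == "__main__":
    # Constructed branch: 4 APs, 20 clients, data + voice over a 256 kbps link
    # with 80 ms RTT and a 1500-byte MTU.
    print(validate_branch_wan("data+voice", 4, 20, 256, 80, 1500))
```

Note that a link can clear the table's minimum bandwidth and still fail the per-AP rule, and that the RTT ceiling drops from 300 ms to 100 ms the moment voice is added, which is usually the figure that decides whether a far-flung branch can run voice over FlexConnect at all.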

Other considerations you might want to look at are roaming capabilities and QoS, but from experience with both Cisco and Spectralink wireless phone solutions I had no problems getting them working over a FlexConnect local switching solution.

Operation Modes

There are two modes of operation for the FlexConnect AP.

  • Connected mode: The WLC is reachable. In this mode the FlexConnect AP has CAPWAP connectivity with its WLC.
  • Standalone mode: The WLC is unreachable. The FlexConnect AP has lost or failed to establish CAPWAP connectivity with its WLC. A WAN-link outage between a branch and its central site is an example of such a mode of operation.

FlexConnect States

A FlexConnect WLAN, depending on its configuration and network connectivity, is classified as being in one of the following defined states.

  • Authentication-Central/Switch-Central: This state represents a WLAN that uses a centralized authentication method such as 802.1X, VPN, or web. User traffic is sent to the WLC via CAPWAP (Central switching). This state is supported only when FlexConnect is in connected mode.
  • Authentication Down/Switching Down: Central switched WLANs no longer beacon or respond to probe requests when the FlexConnect AP is in standalone mode. Existing clients are disassociated.
  • Authentication-Central/Switch-Local: This state represents a WLAN that uses centralized authentication, but user traffic is switched locally. This state is supported only when the FlexConnect AP is in connected mode.
  • Authentication-Down/Switch-Local: A WLAN that requires central authentication rejects new users. Existing authenticated users continue to be switched locally until session time-out if configured. The WLAN continues to beacon and respond to probes until there are no more existing users associated to the WLAN. This state occurs as a result of the AP going into standalone mode.
  • Authentication-local/switch-local: This state represents a WLAN that uses open, static WEP, shared, or WPA2 PSK security methods. User traffic is switched locally. These are the only security methods supported locally if a FlexConnect goes into standalone mode. The WLAN continues to beacon and respond to probes. Existing users remain connected and new user associations are accepted. If the AP is in connected mode, authentication information for these security types is forwarded to the WLC.

I hope this summary will help in your decisions regarding FlexConnect.

Reference and other FlexConnect information:


Cisco Wireless EoS and EoL announcement – Dec 2014

Here are the end-of-sale and end-of-life announcements regarding Cisco Wireless for the last month.

Note: Use the links to view the table info mentioned in the post.

End-of-Sale and End-of-Life Announcement for the Cisco Aironet 600 Series OfficeExtend -E and -I Regulatory Domain

Cisco announces the end-of-sale and end-of-life dates for the Cisco Aironet 600 Series OfficeExtend -E and -I Regulatory Domain. The last day to order the affected product(s) is December 19, 2014. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of customers’ service contract.

End-of-Sale and End-of-Life Announcement for the Cisco 3355 Mobility Services Engine

Cisco announces the end-of-sale and end-of-life dates for the Cisco 3355 Mobility Services Engine. The last day to order the affected product(s) is June 15, 2015. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of customers’ service contract.


Translating mW, dBm, MHz and channels

Every so often I have to configure the Radio Transmit Power on an Access Point (AP), and it just happens that the wireless client transmit power is provided in milliwatts (mW) but I need to configure the AP’s transmit power to match that of the wireless client, which needs to be done in decibel-milliwatts (dBm). So let’s translate between the two.

The Radio Transmit Power setting determines the power level of the radio transmission. The default power setting is the highest transmit power allowed in your regulatory domain. Government regulations define the highest allowable power level for radio devices. This setting must conform to established standards for the country in which you use the device. The power settings may be in mW or in dBm depending on the particular radio that is being configured.


  • Watt (W): a unit of power equal to 1 joule per second; the power dissipated by a current of 1 ampere flowing across a resistance of 1 ohm.
  • Milliwatt (mW): a unit of power equal to one thousandth of a watt.
  • Decibel-milliwatt (dBm): an electrical power unit in decibels (dB), referenced to 1 milliwatt (mW).

Translation between mW and dBm:

 mW  dBm
1 -1
2 2
3 5
4 6
5 7
6 8
8 9
10 10
12 11
15 12
20 13
25 14
30 15
40 16
50 17
60 18
80 19
100 20
125 21
150 22
200 23
250 24

Then there is the configuration of channels for your autonomous access point, which, instead of asking for the channel number, actually asks for the corresponding frequency in your regulatory domain.

Each 2.4-GHz channel is 22 MHz wide. The bandwidth for channels 1, 6, and 11 does not overlap, so you can set up multiple access points in the same vicinity without causing interference. Both 802.11b and 802.11g 2.4-GHz radios use the same channels and frequencies.

The 5-GHz radio operates from 5180 to 5825 MHz. Each channel covers 20 MHz, and the bandwidth for the channels overlaps slightly. For best performance, use channels that are not adjacent (44 and 46, for example) for radios that are close to each other.
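Rather than reading the tables below by hand, the conversions can be computed. The following Python is an added example (not from the original post): dBm is referenced to 1 mW, so 1 mW is 0 dBm and each doubling of power adds roughly 3 dB; 2.4 GHz channels 1 to 13 sit 5 MHz apart from 2412 MHz with channel 14 at 2484 MHz; and 5 GHz channel numbers map to 5000 MHz plus five times the channel number. The channel formulas cover every number on the 5 MHz grid, including ones the tables below do not list, so check your regulatory domain before using a number that is not in the tables. The 22 MHz overlap check uses the channel width stated above.

```python
import math

DBM_REFERENCE_MW = 1.0   # dBm is referenced to 1 mW, so 1 mW = 0 dBm
CHANNEL_WIDTH_24GHZ_MHZ = 22


def mw_to_dbm(mw):
    """Power in mW -> dBm, i.e. 10 * log10(P / 1 mW)."""
    if mw <= 0:
        raise ValueError("power must be positive")
    return 10 * math.log10(mw / DBM_REFERENCE_MW)


def dbm_to_mw(dbm):
    """Power in dBm -> mW (inverse of mw_to_dbm)."""
    return DBM_REFERENCE_MW * 10 ** (dbm / 10)


def ap_power_setting_for_client(client_mw):
    """Nearest whole-dBm AP transmit power matching a client's mW rating."""
    return round(mw_to_dbm(client_mw))


def channel_to_mhz(channel):
    """Center frequency for 2.4 GHz (1-14) and 5 GHz (34-165) channel numbers."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel      # 2412, 2417, ... 2472
    if channel == 14:
        return 2484                    # the one irregular 2.4 GHz channel
    if 34 <= channel <= 165:
        return 5000 + 5 * channel      # 5170 ... 5825
    raise ValueError(f"unknown channel {channel}")


def mhz_to_channel(mhz):
    """Inverse of channel_to_mhz; rejects frequencies off the 5 MHz grid."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472 and (mhz - 2407) % 5 == 0:
        return (mhz - 2407) // 5
    if 5170 <= mhz <= 5825 and (mhz - 5000) % 5 == 0:
        return (mhz - 5000) // 5
    raise ValueError(f"{mhz} MHz is not a channel center frequency")


def channels_overlap_24ghz(a, b):
    """True if two 2.4 GHz channels, each 22 MHz wide, overlap in spectrum."""
    return abs(channel_to_mhz(a) - channel_to_mhz(b)) < CHANNEL_WIDTH_24GHZ_MHZ


if __name__ == "__main__":
    # A constructed client rated at 30 mW needs a 15 dBm AP setting.
    print(ap_power_setting_for_client(30))
    print(channel_to_mhz(6), mhz_to_channel(5745))
    print(channels_overlap_24ghz(1, 6), channels_overlap_24ghz(1, 5))
```

Only 1, 6 and 11 are mutually non-overlapping under the 22 MHz rule because they are 25 MHz apart; neighbouring channels such as 1 and 5 are only 20 MHz apart and overlap.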

Translation between channel and MHz for 802.11b/g:

Channel Identifier Center Frequency (MHz)
1 2412
2 2417
3 2422
4 2427
5 2432
6 2437
7 2442
8 2447
9 2452
10 2457
11 2462
12 2467
13 2472
14 2484

Translation between channel and MHz for 802.11a:

Channel ID Center Frequency (MHz)
5150 to 5250 MHz
34 5170
36 5180
38 5190
40 5200
42 5210
44 5220
46 5230
48 5240
5250 to 5350 MHz
52 5260
56 5280
60 5300
64 5320
5470 to 5725 MHz
100 5500
104 5520
108 5540
112 5560
116 5580
120 5600
124 5620
128 5640
132 5660
136 5680
140 5700
5725 to 5850 MHz
149 5745
153 5765
157 5785
161 5805
165 5825

