Disabling the LED Indicator on a Cisco Lightweight AP

This is just another one of those ad-hoc posts for a piece of information I get tired of looking up. I often get the question: "can I disable the LED indicator on a Cisco Lightweight Access Point?". At this point, I always have to jump for my CLI reference guide and can never remember the right word to search for. So, here is the command I need (for next time...): config ap led-state  {enable |  disable} {cisco_ap  |  all}  It can only be done from the CLI as far as I am aware. It can be useful from time to time if you have someone in a dark room who is annoyed by the lamp, or even more useful, if you are trying to track a particular AP that perhaps you aren't too sure of the location of ("go and look for the AP with no lamp on"). I just hope I remember that I blogged about this next time I need this command...

Issue: Having to log back in on Apple devices on a Cisco wireless guest network

I'm documenting this for my own reference as much as anything, to avoid having to look this information up (yet again). (This description assumes that the use-case is for a guest network, but will apply to any layer-3 authenticated wireless network) It is a common occurrence on Cisco wireless networks (using a WLC of some type) to have complaints from guest users that they have to keep logging back in to the guest network after their device has gone in to sleep mode. They are often put in to sleep when they are enveloped in some type of holder or covering system that has a built-in magnet to make them sleep when they are not in use (this is very typical on iPad holders/covers). The reason for the annoying issue of having to log back in to the guest network is that the WLC has a user idle timeout setting which expires (by default) after 5 minutes. So, when a device is put in to sleep mode, the WLC will not hear from it for a while and then after  5 minutes will terminate its s

One User, Many Devices

I've been read lots recently about BYOD and how many users in an organisation may well have 2, 3, 4 or more devices that they wish to use on a WiFi network. The will often have a laptop, possibly a tablet and almost certainly some type of smartphone. The characteristics of these different types of device vary enormously, depending on the device capabilities and their RF characteristics. I thought it might be interesting to just fire up 4 random devices I have in my home and compare the signal levels I could see from the same SSID on my home ADSL router. Each device had some type of software installed that could (allegedly) report the signal level that the AP is observed at from the client device point of view. I know this isn't a particularly definitive approach, as the software used probably has varying levels of accuracy, so I wouldn't treat these results as being too accurate. But, they may give an indication of different device performance. The devices I tested

Decoding Cisco CAPWAP With Wireshark

Here's an interesting little gotcha I wasted a few hours on recently... I have been looking at QOS on a Cisco WLC and was looking at DSCP markings in CAPWAP packets between a Cisco WLC and access point. I did this by spanning the switch port that the AP is connected to and then using a copy of Wireshark on another switch port to capture the traffic so that I could have a look through it. However, when I looked at the CAPWAP frames, Wireshark was reporting most of the CAPWAP packets as being "Association Requests" and that they were "[Malformed Packets]". After testing this in quite a number of versions of Wireshark (assuming a Wireshark decode bug), I finally gave up and reported a bug to the guys at Wireshark. They were incredibly quick to respond and diagnosed the issue very quickly! It turns out that Cisco have not implemented the final draft of CAPWAP (according the guys at Wireshark), and that there is an option in Wireshark for Cisco CAPWAP support

Fast SSID Change - Out Of The Shadows

There are many configuration settings on a piece of networking kit that are just 'there'. They sit there year after year just minding their own business being a quiet little chunk of configuration sitting in their default state not doing anyone any particular harm. Then, occaisionally, you come across some obscure case that causes you to actually pay attention to what exactly that particular setting is 'bringing to the party'. One particular instance I came across recently is the 'Fast SSID Change' setting on a Cisco WLC. From memory, it's been sat there for quite a while on many of the controllers I've installed, sitting dutifully in its default state of 'Disabled'. I've never really paid it much attention as it doesn't (on the face of it) seem to cause anyone any particular problems. However, I recently ran in to a situation where a customer had some Apple iPads that he wanted to connect to an SSID that was mapped to an internal

Cisco NCS 1.0/1.1 - Internet Explorer Chrome Plugin Gotcha

If you're like me, then when it's time to use or install a new release of software, you quickly scan through the release notes trying to make sense of the reams and reams of 'new features', 'caveats', 'bugs fixed' etc. without falling to sleep and smashing your nose on the desk in front of you. (Why can't technical writers give those things a plot, a love interest and a gripping ending..?) The main purpose of this exercise is often to pick up the 'headlines' so that you can fairly comfortably install or implement the new software, armed with a reasonable amount of knowledge to allow you to not fall down any particularly large holes during the process. One area I'm particularly guilty of 'glossing over' in this release-note-scanning activity is the section that describes the versions of browser support that are provided for web-GUI based products (e.g. network management software). Sure, I give the browser support section a

Creating Per-site Guest VLANs on a Guest WLC (Cisco Guest Solution)

Overview Before the advent of WLC code version, it was difficult to scale a Cisco guest wireless solution (in terms of IP address space) due to the fact that all foreign controllers (i.e. non-guest controllers) could only map to a single layer 3 interface on the guest (anchor) controller. This often meant that a very large subnet had to be allocated to guest users to allow for multiple sites which shared a guest controller. The guest controller is usually located on a firewall DMZ interface (perhaps in a data center). The only way around this was to have multiple guest SSIDs (e.g. one per building), with a separate VLAN for each SSID. This is not a very popular option with customers as there is no consistency of SSIDs between sites/buildings. Another drawback of the single guest-VLAN restriction is that all guest traffic originates from a single subnet range. From an administrative point of view, it is often desirable for guest traffic from different buildings or sites