Solved: Ask the Expert: Deploying and Troubleshooting Wireless Networks - Page 4

Monica Lluis · ‎02-19-2016

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and any ask questions about how to configure and troubleshoot a wireless network with Cisco expert Alexander De Menezes.

Ask questions from Monday February 22 to Friday March 4, 2016

Wireless networks have became pervasive in today's world. Cisco offers very strong wireless porfolio that helps business to connect to the Internet anywhere anytime.

This session will focus on answering question regarding how to deploy a wireless network and also, the common pitfalls and issues that might happen in an installed wireless network.

Alexander De Menezes is a Technical Support engineer in the Cisco Technical Assistance Center in Cisco Brussels. He is expert on any wireless products, including Wireless LAN controllers and Access Points. He also has in-depth knowledge of AAA and IBNS technologies. Alexander joined Cisco in 2007. He holds a Master in Sciences in Advanced Electronic Engineering from the University of Warwick, UK.

Alexander might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Getting Started with Wireless Community

Find other https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

I hope you and your love ones are safe and healthy
Monica Lluis
Community Manager Lead

Alexander De Menezes · ‎02-29-2016

Hi

I just tested this out, it was working fine for me.

-What is the version on your 5760?

I think the issue is probably something wrong on your remote side ,What is the version of wireshark in your setup?

On wireshark, for decoding the traffic, do you us >Analyze>decode Transport "UDP source (5555) port as "PEEKREMOTE"?

In some earlier versions of wireshark, its named as "AIROPEEK".

Do you see the 802.11 traffic after using above decode option?

-Alex

wyfy-2015 · ‎03-03-2016

Hi,

Here is the command i tried since on wlc 5760- (CT5760-IPSERVICESK9-M), Version 03.06.03E RELEASE SOFTWARE) .I cant find a gui equivalent command for that .

" ap name test-ap sniff dot11b 6 192.168.100.100 "

before going to decode part , i must see some traffic from the sniffer with source port 5555 .

Correct me if i am wrong

Thanks

AZIZ BOUHMADI · ‎02-25-2016

Hi Alexander,

I have 2 questions over Short Guard Interval.

-When SGI is enabled on 2,4 and 5 GHz, is it also applied to legacy client connected only with G or A, without N or AC?

-If I disabled SGI, it will only decrease the performance for N & AC client without any side effect?

?

Thanks

Aziz

AZIZ BOUHMADI · ‎02-29-2016

Hi Alex,

Can you take a look at my questions?

Thanks

Aziz

AZIZ BOUHMADI · ‎03-02-2016

Hi alex,

I have another question.

One of the best practice for deploying an enterprise wireless network, is to have a max of 4 SSID's. We have 6 different SSID's. If I use the same SSID name with different security level (open, WPA2-PSK and WPA2-802.1X) , I can reduce the number of SSID to 4. Does this solution respect the best practice ?

What is the problem to have more than 4 SSID's ?

Thanks

Aziz

Alexander De Menezes · ‎02-29-2016

Hi Aziz,

SGI applies to N/AC.However i don't see much benefit of enabling SGI on 2.4Ghz .if you have a lot of legacy clients in the deployment,test with leaving it as any, some legacy clients don't work fine with SGI.

config 802.11{a | b} 11nsupport guard_interval {any | long}

any	Enables either a short or a long guard interval.

So with any settings, its for wireless client to decide, if wireless client supports short guard interval it will use it.

Could you also clarify:

-what is your AP model?

-Is this for indoor environment where you may have lot of multipath issues with metal objects around like in a warehouse ,as in that case you will not want to enable SGI.

-Are you separating your legacy clients onto a different WLAN/SSID?

-If using only 802.11n/ac clients, then you can test and enable SGI, but you will want to avoid enabling SGI in environment with legacy clients which don't support it.

-Alex

AZIZ BOUHMADI · ‎02-29-2016

Hi Alex,

The SGI config is "any" by default, no? It's a global config, not a config per SSID right?

-We have AIR-CAP2702I-E-K9

-for indoor with a lot of multipath (metal wall, ceiling and floor)

-no, same SSID for legacy and recent client

-all kind of client

So, if I understand well, I should disable it with "config 802.11{a | b} 11nsupport guard_interval long" ?

Aziz

Alexander De Menezes · ‎02-29-2016

Hi Aziz,

Yes, by default its any, so upto wireless client to decide if using short or long.

There was no config for only short guard interval as it can cause problems for some clients which don't support it.

For indoor with lot of multi path,its best practice to use long guard interval, as there will be higher possibility of interference from reflections with having it as short.So:

config 802.11{a | b} 11nsupport guard_interval long

Also its better to opt for long if using some legacy clients which don't support it, this point is more from testing out guard interval config in your setup, so for example if you don't see issues with "any" and the client types you use, then you can leave it at "any".But i did have some cases in the past with really old clients where we then needed to use "long".

Hope that helps to clarify?

-Alex

AZIZ BOUHMADI · ‎02-29-2016

Hi Alex,

So, with the default config (any), on the same SSID and same access-point, the legacy clients (G or A) will send and receive data with long interval while recent clients (N or AC) will send and receive data with short interval. Right?

But, it's advised to disable SGI if there is a lot of multipath reflection OR really old client (we have both conditions) Right?

Tx

Regards,

Aziz

Alexander De Menezes · ‎03-01-2016

Hi Aziz,

Yes, your summary is correct!

Hope that helped.

-Alex

AZIZ BOUHMADI · ‎03-01-2016

Hi Alex,

Thanks for the feedback, it really helps.

Regards,

Aziz

robserafin · ‎02-25-2016

Hi Alex,

Every few days I get a few hundred alarms in Prime from many different AP's; like this example
IDS 'Auth flood' Signature attack detected on AP
IDS 'Deauth flood' Signature attack detected on AP
IDS 'Disassoc flood' Signature attack detected on AP

I use default settings for the signatures and use MFP for AP Authentication, I would really like to know what causes this if you have any idea. Perhaps something I'm missing... I can delete the alarms and its quiet for a while but that doesnt get to the root of the issue.

Regards
Rob

Alexander De Menezes · ‎02-26-2016

Hi Rob,

Those attacks are normally caused by an attacker/hacker who attempts to flood Aps with auth , deauth frames.
Here's some detailed info on what those alerts are for:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0111111.html#topic_B9683352392247E0A2FD3F1DAF160966

Some points to consider for problem source:

-The issue may be caused by an attacker/hacker.

-The issue may be caused unintenionally by buggy wireless clients, so you will want to update the latest wireless driver/versions on all your wireless clients.

-The issue may also be if you have a dense AP environment (for example using 2.4Ghz with low date rates enabled which causes high channel utilization problems and wireless connectivity problems).So more like a false alert from wireless clients which are buggy or attempting to associate to incorrect WLAN profile with incorrect security config parameters.

-There may be a third party access point in vicinity which is causing problems.

-You will want to check on your WLC version, as some old WLC versions had bugs with own APs being detected as rogues and causing problems:
Cisco suggested releases are marked on Cisco.com>software downloads page.For release note info:
http://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-release-notes-list.html

To isolate the problem:

If you do have wireless clients reporting disconnection or connectivity issues, then to investigate that further:
On all those alarms , you will see the attackers mac address.You can do a lookup for the MAC vendor to verify for type of device causing the alarms.
-check if the alerts are being seen all across floor area or specific floor area (to pinpoint the attacker location).
-check if alerts are being seen throughout the day or specific time period of day.

If you dont see wireless clients disconnecting or complaining in your network, then its good- as latest wireless devices will normally not be affected by those attacks:

So if you want to ignore the huge amount of alarms, then you can have options like
1)On Prime:
You can lower the severity of the alarm as described in:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-0/user/guide/pi_ug/alarms.html#pgfId-1054680

2)The other alternative is also you can disable the signature alert on the WLC itself.
Example:
From WLC GUI>Security tab>Wireless Protection Policies>Standard Signatures>Open Precedence ID (5) Auth Flood
You can uncheck /untick the box for “State”

If you have adaptive wIPS solution with Cisco MSE/PI integrated with WLC/cleanair APs, you can detect/track/locate the attacker:
http://www.cisco.com/c/en/us/td/docs/wireless/technology/wips/deployment/guide/WiPS_deployment_guide.html#pgfId-43454

If not having adaptive wIPS solution, you will then need to use a wireless sniffer trace which is taken on same channel and location while AP is detecting the attack.
For example,from comparing the RSSI seen from the specific MAC in the wireless sniffer trace, you can then try to isolate in which area is the attacker/hacker/problematic device physically at.

https://supportforums.cisco.com/document/75236/collecting-wireless-sniffer-trace-using-cisco-lightweight-ap-sniffer-mode

https://supportforums.cisco.com/document/75331/80211-wireless-sniffing-packet-capture

Useful link:
BRKEWN-3000 - Advanced - Analyzing and fixing WiFi issues - Cisco WLC tools and packet capture analysis techniques(2015 Milan)
https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=81865&tclass=popup

Hope that helps to isolate the problem.

-Alex

khinminn1181 · ‎02-25-2016

Hi Alex,

what devices can i use to control wireless network in the place of WCS,WLC and MSE as similar their function in Packet Tracer Simulation Tool?

ps,plz reply me as soon as you have seen this post here coz i have to do implement and do proposal within a few weeks!

-No No

Alexander De Menezes · ‎02-26-2016

Hi No

If you are looking for simulation tools like for IOS, we don't have that in wireless.

But you can download virtual MSE/WLC/Prime and use demo/trial licenses for x days,you still will need physical AP hardware:
http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-lan-management-solution/product_announcements.html

For example for MSE:
http://www.cisco.com/c/en/us/td/docs/wireless/mse/8-0/MSE_Virtual_Appliance/guide/Cisco_MSE_VA_Config_Guide/Licensing_the_Virtual_appliance.html

https://software.cisco.com/download/release.html?mdfid=284294864&flowid=31242&softwareid=282487503&release=7.2.103.0&relind=AVAILABLE&rellifecycle=ED&reltype=latest

The virtual controller software is posted as a .ovf package in the Cisco software center.
Customers can download the .ovf package and install it similarly to any other virtual application.
Software comes with a free 60-day evaluation license. After the VM is started, the evaluation license can be activated, and later a purchased license can be automatically installed and activated.
http://www.cisco.com/c/en/us/support/docs/wireless/virtual-wireless-controller/113677-virtual-wlan-dg-00.html

Also you can use a CCO account and get demo/trial licenses from (select "Get Other Licenses">Demo and Evaluation):
https://tools.cisco.com/SWIFT/LicensingUI/Quickstart#

-Alex