wIPS AIR-OS 5508 and Catalyst 9800

Leo TI
Level 1

Hello, I have a question. I have an AIR-OS 5508 (joined to a Prime and MSE) with APs in monitor mode for wIPS, without WLANs, and a 9800 with WLANs and APs for customer service. My question is whether I can do wIPS monitoring of the WLANs that work on the 9800, like monitoring a neighboring WLAN I guess; there is no integration between the controllers.

Accepted Solution

aWIPS covers a broad range of attacks and features; what is your ultimate goal in deploying aWIPS? Is it only rogue AP detection and containment? If yes, then 9800 and Prime are more than sufficient. I wouldn't recommend having monitor mode APs in one controller and client-serving APs in another controller. Even if you get RRM to share the TPC, channel and neighbor information between controllers, there is a possibility you will see a lot of false positives.
From a design perspective, if you knew aWIPS was a requirement, you must have bought DNA Center. To get aWIPS alerts you can integrate the 9800 in non-fabric mode. Just to let you know, starting from 17.6.1 aWIPS alarms can be sent as syslog messages to a remote server.


7 Replies

Arshad Safrulla
VIP Alumni

This is a very interesting topic. My first question would be: why not integrate the 9800 also with Prime and MSE?

Also, if you don't plan it properly, all the APs registered in the 9800 WLC will be reported as rogue APs in the 5508.

The 9800 is not compatible with the MSE; for the 9800 series, wIPS can only be done at DNA Center. So they asked me for the 9800 to manage the WLAN for clients and the 5508 to monitor the WLAN with wIPS.

Arshad Safrulla
VIP Alumni

Yes, you are correct. Some time back I remember upgrading some of the MSE appliances we manage to CMX; Cisco provided most of the licenses FOC for us.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/release-notes/rn-17-3-9800.html#:~:text=Compatibility%20Matrix%20document.-,Compatibility%20Matrix,-The%20following%20table

Just check whether you can upgrade your MSE to CMX 10.X, where the 9800 is supported. This will be your option 1.
Option 2: prepare for RRM optimization. You can configure the 5508 to share RRM information with the 9800, but there are some prerequisites.

1. The RF group name has to be the same in both controllers.

2. Upgrade the 5508 to IRCM code.

3. Build a mobility tunnel between the 5508 and the 9800 (optional).

4. Policy tags, RF tags and RF profiles have to match the corresponding AP group name in the 5508. Do not use default tags, and make sure all the elements in the 9800 RF profile match the 5508 RF profile.

5. Make sure that the new 9800 is the RF group leader. (This is selected automatically depending on the WLC capability and size.)

This way you can avoid the APs registered in the 9800 being reported as rogue APs by the 5508.
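As an added illustration of steps 1, 3 and 5 above (this is not configuration from the poster or from Cisco's documentation), here is what matching the RF group name and building the optional mobility peering would look like on each controller. The names CAMPUS-RF and CAMPUS-MOB, the 10.0.0.x addresses and the bracketed MAC placeholders are assumed values; the command syntax is written from memory of AireOS 8.x and IOS-XE 17.x and should be compared with the IRCM deployment guide linked later in this thread.

```cisco
! --- AireOS 5508 on 8.5 IRCM code, assumed management IP 10.0.0.10 ---
! Step 1: the RF group name must match the 9800 (assumed name CAMPUS-RF)
config network rf-network-name CAMPUS-RF

! Step 3 (optional): mobility peering with the 9800
config mobility group domain CAMPUS-MOB
! <9800-MOBILITY-MAC> is a placeholder for the 9800's mobility MAC address
config mobility group member add <9800-MOBILITY-MAC> 10.0.0.20 CAMPUS-MOB

! Step 5: check which controller was elected RF group leader per band
show advanced 802.11a group
show advanced 802.11b group

! --- Catalyst 9800 on IOS-XE 17.x, assumed wireless management IP 10.0.0.20 ---
! Step 1: same RF group name as the 5508
wireless rf-network CAMPUS-RF

! Step 3 (optional): mobility peering with the 5508
wireless mobility group name CAMPUS-MOB
! <5508-MAC> is a placeholder for the 5508's mobility MAC address
wireless mobility group member mac-address <5508-MAC> ip 10.0.0.10 group CAMPUS-MOB

! Step 5: confirm RF group membership and leader from the 9800 side,
! and that the mobility tunnel to the 5508 is up
show ap dot11 5ghz group
show ap dot11 24ghz group
show wireless mobility summary
```

Step 4 (policy tags, RF tags and RF profiles mirroring the 5508 AP group and RF profile) is deliberately not shown, because those names depend entirely on what already exists on the 5508. The leader check in step 5 is the one to repeat after both sides are configured: if the 5508 remains leader for either band, the 9800's APs will still be treated as unknown neighbors by the monitor-mode APs and show up as rogues.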
I already tried the solution of installing CMX; unfortunately CMX does not have wIPS, which is what the client wants.
And anchor functionality is not compatible between the 5508 model and the 9800; only the 5520 is compatible with the 9800 (or I misread the documentation).

The 5508 supports IRCM:

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc11

https://software.cisco.com/download/home/282600534/type/280926587/release/8.5IRCM

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_c9800_wireless_controller-aireos_ircm_dg.html
But CMX does not have wIPS. Or can I implement the MSE with the 5508 and communicate with the 9800 via IRCM?
