The Cloud giveth, the Cloud taketh away

We all love ‘The Cloud’. It’s flexible, fast, always (mostly) available, and takes our business agility to heretofore unknown heights – but what happens when the service you’re using in the cloud goes a different direction than you need or want it to?

Meraki has been touting the Cloud flexibility as *the* single most important reason to move to their infrastructure management platform. This brings with it a whole host of great things like access-anywhere management, rapid feature development, and a whole new paradigm of how to configure your infrastructure equipment. In one move, Cisco has rocketed past the CLI based days of old, past ‘here’s a pretty GUI’ to 100% web driven, ‘don’t worry your pretty little head about it’ dashboards for everything from configuration, monitoring, troubleshooting, and deployment. It works and it works well.

Today marks the closing of Copy – a Cloud based file sync service from Barracuda and it got me thinking. When someone shudders their doors and it’s ‘just files’, you go to another Cloud based service provider – in this case Dropbox or box.com. What happens when/if Meraki goes away? Okay, they’re under the wing of big-brother Cisco now, so the chances of that happening are basically nil, but what if you ratchet that concern back a notch? What if they make a change you don’t like? What about ‘perpetual beta’ features such as the Remote Control that have been in beta since prior to the Cisco acquisition? What happens if you don’t pay your bill? Those of us familiar with Cloud services like Office 365 know that when you stop paying, you stop playing and for software based services (like Copy today) that doesn’t seem to as big as a deal to most people. What happens when that service is your network?

Remote control

Perpetual Beta features

When Meraki adds a new feature to their product, the Cloud enables rapid deployment of those features. This is good. What happens when they remove a feature you use such as WAN Optimization? As you an see here Meraki decided to retire what they perceived to be either a little-used feature or a feature that was too difficult to maintain to keep functioning properly.

WAN Opt

WAN Optimization, gone baby, gone!

What happens when Meraki decides to artificially cap the performance of your router (intentionally or unintentionally) to 50M?

Z1 Cap

Astute reddit users, always on the lookout.

While the WAN Optimization removal is clearly an intentional move and the Z1 cap is clearly unintentional, these both raise very significant questions about allowing someone else to be the ultimate authority for the features that are deployed on hardware you’ve purchased. What is your recourse when this happens? Open a support ticket? Make a wish? Roll back the firmware (hah!)? With no fail-safe mode of operation by design, when you lock yourself into a Cloud based infrastructure product, you are ultimately at the mercy of using features how and where they determine are best suited. Your only recourse is to scrap your gear if they make a decision to go in a direction that you no longer support. What is the environmental impact to this business model? How many Cloud-only products end up in landfills because of expired licenses? How much eWaste is generated because the product has stopped functioning (not through MTBF, but intentionally crippling through code)? You used to have options like Cucumber Tony and OpenWRT, but apparently Meraki has fixed the technical loophole that those folks used to use for the MR-12 and MR-16 Access Points by way of a Trusted Platform Module.

What is your take on Meraki and other Cloud based services that you operate your business with? Cloud based products are great and work as designed – but is loss of features something you consider prior to your investment in a solution? Does your organization rely on perpetually beta features that never seem to make it into production? Has a feature been ‘pulled out from underneath you’? What are you doing with that old AP/switch/firewall that is perfectly good hardware but you let the license lapse on? Inquiring minds want to know – please leave me a comment and let me know how you and your organization handles this kind of quandary!

10 reasons to take another look at 2015 Cisco Mobility

Let’s face it, Cisco is huge. They’re massive, and occasionally they get things wrong. If you’ve strayed away from Cisco in the past year (or longer) because of a specific issue or gap, it’s high time you took another look. The Cisco Mobility offerings today are a far cry from what they were just an easy year back. Here are 10 great reasons to go get reacquainted with the 2015 Cisco Mobility offerings:

1) 5520/8540 WLCs

The introduction of a Converged Access 60G solution highlighted the gaps in the WLC portfolio in the 20/40G of throughput range. Both of these new controllers (one 20G, one 40G capable) are based on the more mature AireOS codebase running 8.1 and later. While this doesn’t mark an EOS/EOL announcement for the 5508 (clocking in at 8G), it does give that 7 year old platform some good alternatives for lifecycle management.

2) Prime Infrastructure 2.2 then 3.0

Ever since WCS was taken over and moulded into the NCS then Prime Infrastructure products, it’s always bore the scars of a legacy mired in Adobe Flash performance issues. Couple that with a dramatic uptick in features and you’ve got a recipe for disaster. The new versions of Prime Infrastructure are actually performing as well as they should be starting at about the 2.2 version and the new UI of Prime Infrastructure 3.0 completely moves away from Flash and demonstrates a significant re-think of the product – including ‘Make a wish!’.

3) 802.11ac wave 2

Let’s not forget the fun stuff – APs and radios. With competitively positioned 802.11ac Wave 2 products, Cisco is staying in the lead of the latest and greatest standards. With impressive throughput numbers, multiple gigabit uplinks, and fancy new features like MU-MIMO, the 1830/1850 APs are clearly paving the way for the next generation of some pretty obviously numbered future platforms. The only question is, what does Cisco have in store for us next?

4) HALO

No, not the game – the new Hyper-Location Module and antenna array. Cisco is delivering on the promise that the industry made to us oh so many years ago about leveraging your WiFi network as a platform for tracking your enterprises assets. Touting down to 1 meter accuracy, this module for your AP3600/AP3700s will take your location fidelity ‘to the next level’.

5) Mobility Express

Those that don’t like having a bare metal controller and don’t see the need for controller based features (such as centralized data plane), we now have a ‘controller on the AP’ option! This allows us to focus on the smaller deployments without the extra cost and complexity (such as it is) for those customers. This isn’t a ‘one size fits all’ approach that we’ve seen in the past, but rather an evolution of a well thought out strategy to bring enterprise features to every market segment.

6) UI improvements

Along with the Mobility Express product, the ‘metal WLCs’ are sporting a new user interface and out of the box setup experience (Day 0 and Day 1 support). If you’ve felt the WLC interface was a bit dated in the past, go take a gander at the plethora of new graphs, charts, and actual usable data about your infrastructure – all without having to goto a larger NMS platform!

7) CMX Evolution

The MSE product is finally getting some legs under the advanced location pieces. This easy to deploy ‘for everyone’ product starts to bring some pretty insightful analytics to any sized deployment – all the way down to a ‘no maps required’ presence analytics and all the way up to a Hyperlocation enabled, social media engagement platform. With both on premises and cloud based offerings available, it really is very easy to start getting very insightful data out of any sized network.

8) CCIE Wireless version 3

The dated CCIE (Cisco Certified Internetwork Expert, Wireless) exam has been updated to include software and hardware platforms from this year. You can now tackle one of the industries most challenging certifications on contemporary labs that are actually relevant to solutions you’re deploying today!

9) UX domain APs

See my previous blog on the topic for a more in-depth look at the UX products, but for those buying and deploying APs spanning multiple countries, this is a pretty good way to reduce a ton of deployment and ordering complexities. By standardizing on a single SKU globally, you can make quick work of some of the logistics nightmares of the past.

10) Cisco ONE licensing

Yes, licensing is boring, complicated, and expensive. Cisco ONE addresses all three of those pain points in one easy go. With a ‘count the AP’ approach to licensing, you can now start to take advantage of all of the above products in an easy to consume, deploy, and license fashion – without breaking the bank. For example, if you wanted to replace your old WLC with a new one, in the past, you would end up repurchasing your AP licenses. In this model, all products start at 0 APs and you pick the size that’s right for you – at any scale. Pick the solutions you want to deploy: ISE, Prime Infrastructure, advanced location analytics, etc – and go! A significant departure from the traditional licensing model in Cisco-land.

I know that a ‘recap overview’ blog sometimes seems too lofty, but there really is a ton to see if you’ve been unplugged from the Cisco world over the past year or so. Take a deep breath and plunge back in at any level and you’ll find something new that wasn’t there before. The Cisco ship sometimes turns slowly and sometimes it’s easy to forget that there is innovation happening all over the mobility space in San Jose.

Disclaimer: I was part of the Wireless Field Day 8 delegation to Cisco where we learned about several of the above topics. For more information on Cisco’s appearance at WFD8, go check out the video!

UX Domain APs

In the wireless world, we’re constrained by regulatory requirements. These are, at their core, different rules by which we must abide by when we’re operating wireless equipment. Each country has their own set of requirements and restrictions – each manifesting itself in some iteration of channel availability or power limitation of some sort. Until now, this meant that each country had to have it’s own regulatory SKU to prevent a wireless professional or other ‘non-professional’ installer from exceeding or violating that countries requirements. Cisco has worked around this particular issue with a universal SKU Access Point. In the past you would order a specific AP for a specific country. The astute Cisco-configurator would identify the country code in an AP model number (A for North America, N for Mexico, I for Egypt, etc.). The gory details of country code mapping changed occasionally which meant that it was almost a full time job for international companies to wrangle which SKU went where.

Note the UX domain model of AP, last in the list.

UX domain model of AP, last in the list.

Enter the ‘UX’ SKU of AP. These APs are designated by the country code ‘UX’ and are universal SKU APs, meaning one SKU can be installed in any country. The way we’re able to do this is by way of software defining which country the AP is operating in. Now, the FCC won’t just allow you to ‘claim’ a country code, so there are some specific restrictions to deploying a ‘world capable’ AP. Today, this means tying the AP to a specific user, then using a non-hacked device to determine GPS coordinates of where the AP is installed to ‘prime’ or ‘unlock’ the AP based on what country it’s physically located in.

This blog will review the two ways to ‘prime’ a UX domain AP and get you up and running in no time at all! The first thing you need is an un-compromised (not jailbroken) device with both online capabilities (an Internet connection) and GPS capabilities. Enter the smartphone. Most of todays smart phones meet this requirement:

Step 1) Head to your devices respective app store and grab the Cisco AirProvision application.

Don't ask me what the Android store looks like!

Cisco AirProvision in the Apple Store

Step 2) Plug in your AP and let it join to your WLC (this assumes you have things like discovery already taken care of). There are no UX specific join requirements so if you have regular Cisco APs joining your WLC, this part should be easy. Note that at this point the AP will be flashing ‘bad colors’ at you despite it’s radios being up and operational.

Unprimed AP

Unprimed AP

Step 3) Enable ‘Universal AP Admin’ on one of your secure (PSK or .1x) SSIDs that has internet access (WLAN tab -> WLAN ID -> Advanced tab -> ‘Universal AP Admin’).

Universal Admin

Universal AP Admin

Step 4) Join the above SSID on your unprimed AP.

Step 5) Launch the app on your smartphone and log into CCO (page 1) then your WLC (page 2).

Step 6) Click Configure!

Click Provision!

Configure!

That’s it! It’s a relatively straightforward way for your AP to know what country it’s at.

Primed AP!

Primed AP!

The good news is that you only ever need to prime a single AP in this fashion. Once it’s primed and comes back online, it will automatically include in its Neighbor Discovery Packets (NDP) UX domain info. Any other unprimed AP in earshot of these discovery packets will hear them and automatically pickup the country code of the already primed AP! Once you have primed a second AP by way of the NDP the priming sticks with the AP and you can then prime others off it in a cascading fashion – you can even re-prime the AP that you previously primed with the app!

NDP Primed AP!

NDP Primed AP!

While this may seem like unnecessary work for those that are single country entities, those that have to operate in multiple country codes may find that simplified ordering is a lifesaver – assuming your installers have a smart phone and a free CCO account. This can also help if your company accidentally ordered several hundred of these and you don’t want to RMA them. Remember that the country code priming sticks with the AP across reboots, regardless of location (unless you re-launch the mobile app to reconcile your installation).

Things to remember:

  • Your smartphone must allow location access (it has to know where you’re at after all).
  • You must join the SSID on your unprimed AP. Joining on a different AP won’t help you any.
  • You have to have 2.4GHz enabled on your WLC and SSID – an unprimed AP operates in 2.4GHz only so you have to be able to see your SSID.
  • You must have the country code you’re provisioning enabled on the WLC (Thanks Andrew!).
  • Your SSID must have internet access to allow CCO to be accessible.
  • NDP priming only works on other NDP primed UX domain APs or app primed UX domain APs – not ‘regulatory domain APs’.
  • Did you screw something up? You can reset the UX domain AP by performing a ‘Clear All Config’ on the AP page in the GUI (along with all of it’s other settings)!
  • When your AP primes, it reboots. This is the same if you use the app or NDP. Don’t be surprised if you app-prime one AP and it cascades a bunch of NDP reboots.
*Oct 26 14:16:35.003: %CLEANAIR-6-STATE: Slot 0 enabled
*Oct 26 14:16:41.783: %CLEANAIR-6-STATE: Slot 1 enabled
*Oct 26 14:17:08.719: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source Writing out the event log to flash:/event.log ...
*Oct 26 14:19:50.339:  **************************** UNIVERSAL AP PRIMING ***********************
*Oct 26 14:19:50.339:  Action completed: regulatory domain values 0x0 0xB are written. Now trigger AP reload
*Oct 26 14:19:50.507: %SYS-5-RELOAD: Reload requested by UAP DIE process. Reload Reason: UNIVERSAL AP PRIMING SUCCESSFUL .
*Oct 26 14:19:50.527: %LWAPP-5-CHANGED: CAPWAP changed state to DOWN
*Oct 26 14:19:50.727: %CLEANAIR-6-STATE: Slot 0 down
*Oct 26 14:19:50.727: %CLEANAIR-6-STATE: Slot 1 down Write of event.log done

You can see above the log from an AP that was previously online. This AP was unprimed when it powered up, came online with radios up and then after several minutes received the NDP prime message and auto-rebooted. Easy, but potentially disruptive!

Does the world need another spectrum analyzer?

The worst tool in your toolbox is the one you don’t use. I found myself pondering that point when the fine folks over at Oscium sent me one of their WiPry-Pro Spectrum Analyzers – purpose built for iOS. While I don’t want to turn this into an Apple vs Android conversation, I personally use an iPhone and when I temper my tools needs with the devices I use (or am reluctant to use), the WiPry makes for a very handy first exposure tool. Now, many Wireless LAN Professionals will argue the merits of triage using a protocol analyzer vs a spectrum analyzer – my take on that piece of the problem is that you should be able to effectively use whatever is at your fingertips. The Oscium solution makes the spectrum analyzer very rapidly available for casual, at a glance, look at your network as well as a good indicator of where you should go next. Out of the box, the device is very intuitive with a lightning connector on one end and an SMB antenna port on the other end. When you attach the included antenna, and download the WiPry app from the app store, you get a good look at where most people head first – Layer 1 visibility into the 2.4GHz spectrum.

Oscium WiPry

With specifications similar to other similar solutions, it get’s the broad visualization done in fairly short order. You can see here an analog video camera with their channel 9 mask on to highlight the interesting slice.

Oscium ch9

One of the great additions that the WiPry brings to iOS is the ability to bring interesting bits into one view – like SSID names. I know of plenty of people that prefer the Android platform for this one ability. Now that we have it in a handy to use format wrapped around tons of Layer 1 data, I’d consider it a pretty compelling reason to stick with iOS.

Oscium SSIDs

In short, the form factor of the card, the usefulness of the data presented, and the Open API component of the app makes this at the top of my list for my next purchase. I’d recommend you go look at one too. While you’re at it, they have a sweet lineup of Oscilloscopes and Logic Analyzers. They’ve brought a whole lineup of analyzer products to iOS and I for one am keen to get much more hands on time with them.

Does the world need another spectrum analyzer? For my iPhone, yes – making it the best tool in my toolbox; the one I use.

The evolution that will start the revolution

You’ve heard it all before, evolutionary technology versus revolutionary technology. Everyone wants their newest technology to be revolutionary – expecting it to be life changing and a wide-sweeping, compelling reason to spend tons of money. This is rarely the case and more often than not marketing fluff to try and get you onto the next big thing. Occasionally we get such an unassuming technology announcement that fits squarely in the ‘no big deal’ from a speeds and feeds perspective that it’s easy to overlook. This is clearly the case with the recent multigigabit announcements from Cisco during Cisco Live, Milan. Multigigabit is a technology that allows your existing cabling to support speeds in excess of 1G, without having to make the jump all the way to significantly more costly 10G. Since we already have technology that address speeds and feeds above what we’re talking about here (how many 10G uplinks have you deployed recently?), it’s easy to overlook the impact this will bring to our daily lives. The ability to move to 2.5G and 5G link speeds without having to make the jump all the way to 10G will allow us to get improved link speeds without having to pay a premium for them. The expected cost increase is estimated to be anywhere from 0% to 15% according to the rumor mill which makes the 250% to 500% speed bump quite attractive!

802.11ac wave 2
The reason I’m taking about it is the fact that this brings with it the promise of addressing the 1G bottleneck that people have been gnashing their teeth over in the wireless space for the past couple of years. While we’ve been able to reasonably deflect the speeds and feeds conversation with 802.11ac wave 1 (speeds approaching 1G wired requirements), there has been no good way to move past that without having a two-cable conversation. The assumption up till now has been that 2x 1G links will be the way forward and many people have been running two copper runs out to their Access Points for the past several years in anticipation of this approach. 802.11ac wave 2 will undoubtedly break the 1G barrier in fairly short order with speeds being promised of (best case) 6,930Mbps PHY rate (about 4,900Mbps on the wire). Multigigabit solutions will allow us to address these concerns without having to invest in 10G links. Better yet, it will allow us to address these concerns without having to consume two 1G ports on our switches. Regardless of the solution you choose (1x 10G or 2x 1G), the cost for deploying a single Multigigabit link supporting up to 5G will be less at scale.

Power
The other unassuming byproduct of this conversation is that Access Points require power to bring up all of those components. It will be nearly impossible to power up a 10G ethernet interface in an AP in the power budgets that we have today. By reducing the link speed requirements to 5G, we can save power at the edge device and still fit in modern negotiation. Multigigabit solutions today will provide PoE, PoE+, and UPoE to ensure that the wave 2 APs that we’re going to be hanging will have ample power for whatever they’re going to bring.

The Revolution
I predict that the incremental cost and intermediary speeds will allow us to start having conversations about the jump to 10G. Multigigabit solutions on Access Points, switch uplinks, and desktop and server nics will be the next big thing. Stackable solutions today promise backwards compatibility so you don’t have to rip and replace – just add a stack member and you’re good to go in that closet/IDF! Regardless of your future proofing plans, enabling faster wireless, or just ensuring that you’re not spending money after (can you believe it?) now legacy 1G infrastructure, make sure you’re having a conversation today about ethernet to bridge the gap to 10G.

For more information about the NBASE-T alliance, go here.
For the Cisco Live, Milan – Tech Field Day Extra event with Peter Jones, go here.

My wireless literally burns me.

WARNING: this post includes uncensored pictures of a potentially provocative area of my body. While not Rated R (or even PG-13) you are hereby warned to avert your eyes if you believe that you may be even mildly offended or worse, intrigued.

When I was younger I had a lighter leak in my pocket. Unbeknownst to me, lighter fluid leaked all over my upper thigh and by the time I realized it, I had a hand-sized chemical burn where my pocket normally rests on my thigh. After some time (and discarding an otherwise perfect pair of pants!) the irritation went away.

Fast forward to several years ago and I noticed a similar ‘irritation’ forming on both of my upper thighs underneath my pockets. Since I’m a fairly light skinned guy – not albino, but still pretty light and pretty susceptible to sunburns in general, I wrote it off as pocket irritation. I couldn’t find any reasonable rhyme or reason to the general pocket-sized redness and irritation that I was experiencing but didn’t pay it much attention. Being, what I consider a professional in my industry, I recently decided to ‘up my wardrobe’. As a reasonably tall fellow I opted for custom pants among other things and the particular pants that I received included a right-hand pocket-in-the-pocket that was a perfect fit for my wallet! (Follow me here) When I started wearing said new pants, I consistently kept my wallet in the small right pocket which had the side effect of keeping my left pocket as a perfect place for my phone! I started getting into the habit of keeping my phone in my left pocket even when I wasn’t dressed for work. Then one day I noticed, the light, even, and spread out irritation that I used to carry on on both of my upper thighs started getting really bad on my left side – immediately under where my phone fit and has completely disappeared on the right!

Now, I’ve been around the wireless industry for a while now and I’ve heard it all the way up to wireless gives me headaches, so I’m not one for conspiracy theories, but the skin irritation that has followed my phone (and cleared up where my phone no longer is!) has given me a good reason to re-consider the potential risks that may be involved in wireless networking. My phone has not gotten hot, so I’m left with assuming that the skin irritation I’m experiencing is being caused by nothing short of energy radiation burns (not radioactive, silly!). Maybe it’s WiFi, maybe it’s cellular, maybe it’s bluetooth? Does it matter?

Now, I’ve not been to a doctor to have my burns officially evaluated (trying to not get a ‘don’t stick your finger in your eye if it hurts opinion) but there is a clear correlation between the location of my phone and the burns and irritations I’m personally experiencing.

IMG_6008 FullSizeRender

Having said all of that, I’m curious what you, the reader thinks. What do you think about my burns that have clearly followed my phone? Are short-range, long term exposure issues real? I for one will be distancing myself from my device until my burns go away, and likely for some time to follow.

Avaya Wireless is all about SDN

After hearing about Avaya’s wireless portfolio recently, I kept coming back around to a common thread that seemed so entrenched in the core of their solution – SDN. Admittedly I’m not a Data Center or Applications kind of guy, but Avaya has an interesting take on positioning their wireless portfolio. Instead of focusing heavily on a unique set of hardware specific features in their Access Points, they focus on a ‘module enabled’ Software Defined Network strategy. Paul Unbehagen, Chief Architect at Avaya accurately describes SDN as meaning something different to everyone.

At its core, regardless of vendor or implementation, SDN is meant to ease network administration and orchestration by way of software (the S in SDN). Avaya enables this by way of software running on their hardware to create Fabric Attach (FA) Elements. These elements use FA Signaling as a way of communicating amongst each other. These modules running throughout your network (on Avaya hardware) automatically discover and become a part of your FA Core through the orchestration suite.

Avaya does this across their entire infrastructure portfolio which includes their core products, edge switching, and Wireless Access Points. These components all orchestrate together to automatically configure and allocate resources in your infrastructure as needed. In one example, they showed an Access Point coming online and auto-registering using Fabric Attach and magically the requisite VLANs for the wireless infrastructure were automatically provisioned on the uplink switch. It’s clear that Avaya has invested significant resources in enabling this FA functionality including going as far as proposing Fabric Attach as a standard to the IEEE but their messaging is clear – when you run an FA enabled network end to end, it ‘just works’.

It was interesting in hearing the Avaya story in their own words including their addressing some of the more interesting corner cases:

  • Running an FA network without FA enabled devices being attached – this is supported using standards based LLDP TLVs but will likely require more effort than having the FA ‘agent’ running natively on your device.
  • Running Avaya wireless on a non-FA infrastructure – this is supported, but Avaya doesn’t bring anything special to that story that someone else doesn’t already do. This is an interesting scenario that could be positioned for transition needs.

In short, Avaya has taken a link-layer protocol, customized it heavily and allowed it to ask for network resources in an orchestrated fashion. It remains to be seen if this meets everyones definition of SDN and is somewhat predicated on the ‘controller bottleneck myth’ that seems so pervasive in the wireless industry. I, for one, am very interested in seeing where this takes us over the next several years. Addressing distributed challenges at scale (such as provisioning resources) is a problem that has been solved in the wireless space for a long time – do it centralized and scale from the inside out. I look forward to seeing how (and if) Avaya can leverage this FA architecture across multiple platforms and vendors to create the foundational panacea that SDN promises.

Drag racing the bus

Picture it. You’re a school district transportation engineer. You’re in charge of purchasing a fleet of new school busses for your district. The big ones. The expensive ones. The ones that will last you for the foreseeable future. So, you call up Bus Vendor A, B, and C and inform them that you’re in the process of selecting a fleet of new school busses. The following week each vendor dutifully delivers their ‘bus of choice’ to be evaluated. You then grab your intern, put him at the midway point of the bus from ‘Vendor A’ and take it for a spin! You see how fast it goes from 0 to 60. You see how it corners. People hear tires screeching from all over the city as you and your one other occupant sling this bad boy around town ‘evaluating’ the bus. You then repeat the same process for ‘Vendor B’ and ‘Vendor C’. You aggregate your data. You correlated your data. You make pie charts about your data. You do ROI calculations on your data. You do comfort analysis on your data. You do handling analysis on your data. You made your ‘educated’ recommendation and purchased a fleet.

Day 1 of school rolls around and the first thing your brand spanking new fleet of school busses does is immediately do the one thing you neglected to test: they loaded up with kids and trudged along at 20 MPH safely around town. You start getting complaints. They don’t stop well. They don’t handle well. They don’t get good gas mileage. They bounce all over the place and your district has to send 2,000 kids to chiropractic care because you didn’t evaluate the bus under the conditions it’s going to be used in. Instead, you took it for a joy ride. You drag raced it. The one bus that went the fastest with a single guy in it, you bought. When you deployed it, it broke because you didn’t test it using real world scenarios.

Please, don’t drag race your evaluation Access Points. Test them like you’re going to operate them. That way you get a realistic view of how they’re going to behave in the real world. Do your self a favor. Stop joy riding your vendors gear and put it in the real world to test it.

This blog inspiration courtesy of @florwj . Go follow him. He’s awesome.

-Sam

The FCC.

Here in the states, we have a regulatory body called the Federal Communications Commission (FCC). As it pertains to the Wi-Fi world, they tell us what channels we can use how obnoxious we can be (strength) in those channels. We have what you would consider to be a ‘blanket rule’ that basically states ‘within a given number of frequencies, you can do anything you want as long as you limit yourself to a maximum power’. A very intentional byproduct of these rules is the relatively low cost of WiFi components. Since we don’t have to submit everything we operate to the FCC for validation, we have no ‘validation costs’ to pass onto our end users. In short, the FCC, as a regulatory body imposes rules and restrictions on our use of wireless frequencies in the name of the greater good. This generally works very well, creating the ecosystem of ‘small cell’ give and take that we live in today. You are given the choice to make your own determination if analog video cameras, microwave ovens, X-Box controllers, etc should take priority or if your Wi-Fi should. Political challenges aside, we’re masters of our own domain.

So what happens when someone does something outside the norm? What happens when someone violates the FCC specifications? What happens when someone fires up 10 watt outdoor analog video feed in 2.4GHz and points it at the broad side of a hospital?

As it turns out, someone recently did just that. I was asked to assist with locating what was being detected as a whole bunch of analog video cameras that hogging up all of Channel 1 in 2.4GHz along the broad side of a hospital. As you could imagine, with a good 100 or so Access Points all excluding channel 1 (due to interference) from their channel plan, this meant that a two channel plan was all that was left (6 and 11). After much sleuthing, we determined that the signal was traveling well in excess of 10 city blocks! In my book, that certainly fit the bill for ‘obnoxious’. With more than a little hesitancy, I went to the FCC web page for complaints and filed one.

We're concerned with Wi-Fi Jammers.

We’re concerned with Wi-Fi Jammers.

Once my complaint went off into oblivion, I’ll be honest with you, I didn’t expect to hear anything from them at all. Instead, a few weeks later, I got a letter in the mail with the usual FCC ‘devices must accept interference’ text that you’d expect from a Federal entity. I was heartened by the fact that I got a response however, and there was a ‘for more information call this number’. They offered, I did. The nice Federal employee took my call, listened to my acknowledgement of the letter, listened to my insistence the letter was insufficient, and listened to my complaint that there was something going on that the FCC clearly needed to get involved in. She thanked me for my time and stated that she would escalate my case. This was the last I personally heard from them.

I was fortunate enough to have some contacts near the building that we suspected was generating the noise. Sure enough, a couple of weeks later, they informed me that a FCC field agent showed up asking questions. Shortly thereafter, the video camera signatures stopped being detected, the channel cleared up, and things got back to normal at my customer.

The point of all of this is that you do have a friend in the FCC. They’re not the most communicative, timely, or ‘feel good’ organization I’ve ever worked with, but if you have no other choice, and you can prove reasonably that there is a strong need for them to get involved with a neighbor that being obnoxious, they will. Start to finish, once I engaged the FCC, it took roughly 2 months to get back to normal. Don’t expect them to be quick. Don’t expect them to believe you. Don’t expect them to understand what you’re saying. Do be patient. Do be persistent. Do be kind. You don’t want to make a Fed angry.

Here are some good times to engage the FCC:

  • You can prove beyond the shadow of a doubt that something beyond your sphere of influence is causing harmful interference to your Wi-Fi network.

Here are some good times to not engage the FCC:

  • Your ER department won’t buy new Microwave ovens
  • Your security team is installing analog video cameras
  • Your customers are bringing gaming consoles onto your property and using them
  • Your co-worker put a 20dBi antenna on a 200mW radio outside (although, this is a good way to get them called on you!)
  • You believe you have external interference, but don’t have a Spectrum Analyzer to prove it

If you need a Spectrum Analyzer, head on over to the MetaGeek folks and check out their Wi-Spy Mini or their Wi-Spy DBx for a good cost effective way to tackle interference issues. If they get too big, rest assured that Big Brother is out there – just a complaint form and a couple phone calls away…

WPA/TKIP only going away in Cisco WLC release 8.0

Cisco is readying the next major release of their WLC code, version 8.0. At the advocation of the WFA, this will bring with it a very significant change in security capabilities that you may find impacting if you’re caught unaware. In an attempt to raise awareness, Cisco has approved an discussion of this change first mentioned here. Cisco, in accordance with the new WFA guidelines, will no longer be allowing an SSID configuration with WPA/TKIP only security. If you are currently using an SSID that has WPA/TKIP only security, your configuration will automatically be updated to enable WPA2/AES connectivity as well as WPA/TKIP. You may want to start validation testing now if you are currently supporting legacy devices on a WPA/TKIP only SSID today. The easiest way to ensure you’re not caught by this change is to enable WPA2/AES along with WPA/TKIP and check to make sure your devices still behave as expected. I have confirmed in the lab that this change will be automatic:

WPA-TKIP only configuration pre-8.0

WPA-TKIP only SSID configuration, Pre-8.0

WPA2-AES added post-update

Same SSID with WPA2/AES enabled post-update.

 

To summarize of the variety of allowed and disallowed potential configuration options you have available and if they’ll be supported in WLC 8.0:

WPA1-TKIP (Disallowed due to eliminating TKIP)
WPA1-AES (Allowed by Extension Policy)
WPA1-TKIP/AES (Disallowed since not used in conjunction with WPA2-AES)
WPA2-TKIP (Disallowed due to eliminating TKIP)
WPA2-AES (Certified and allowed)
WPA2-TKIP/AES (Disallowed due to WPA2-TKIP)
WPA1-TKIP + WPA2-TKIP (Disallowed – no AES support)
WPA1-TKIP + WPA2-AES (Certified and allowed)
WPA1-TKIP + WPA2-TKIP/AES (Disallowed due to WPA2-TKIP)
WPA1-AES + WPA2-TKIP (Disallowed due to WPA2-TKIP)
WPA1-AES + WPA2-AES (Allowed by Extension Policy)
WPA1-AES + WPA2-TKIP/AES (Disallowed due to WPA2-TKIP)
WPA1-TKIP/AES + WPA2-TKIP (Disallowed due to WPA2-TKIP)
WPA1-TKIP/AES + WPA2-AES (Allowed by Extension Policy)
WPA1-TKIP/AES + WPA2-TKIP/AES (Disallowed due to WPA2-TKIP)

Other SSIDs and security configurations are not impacted, including Open SSIDs, any SSID that currently has AES enabled, and WEP SSIDs.

 

UPDATE: Due to user feedback, Cisco and the WFA finally settled on making the above restrictions in the GUI only. If you still have a business need for a WPA/TKIP SSID, you can configure it from the CLI. If you were building an SSID on a Cisco WLC with an ID of 6, you would use the following commands for example:

config wlan create 6 TKIP-ONLY
config wlan security wpa wpa2 disable 6
config wlan security wpa wpa1 enable 6
config wlan security wpa wpa1 ciphers tkip enable 6

Using the show commands you can validate that this configuration took at the CLI:

show wlan 6

Wi-Fi Protected Access (WPA/WPA2)…………. Enabled
WPA (SSN IE)…………………………. Enabled
TKIP Cipher……………………….. Enabled
AES Cipher………………………… Disabled
WPA2 (RSN IE)………………………… Disabled