Mobility groups and MAC filtering

Similar Messages

• WiSM redundancy, mobility groups and RF groups

  Hi there
  we would like to implement the following:
  - Support for about 2000 LAP's
  - 1 x Catalyst 6509
  - 1 x Sup 720
  - 7 x WiSM's
  What I'm interesting is are the following points:
  1. I thought that we would build the switch completly redudant, so we have to wlan switches (switch A and B) with 7 WiSM's eatch. So I can garanty a N+N redundancy --> each LAP's has a primary controller on switch A and it's secondary controller on switch B. The LAP's can be splitted on the two switches, but for your understanding there is a 1:1 redundancy. What do you think of this design, is the too much or is this appropriate?
  2. As I know you can build up a mobility group of a maximum of 24 controllers or 12 WiSM's. I would put only these controllers in a mobility group, where Layer 2 roaming can occure.
  3. But what is about the RF groups - there is a maximum of 1000 LAP's, so I can put only 3 WiSM's in one group. But this would not work form me, then I would have 2 WiSM's on switch A and only 1 WiSM on switch B in a RF group (not a 1:1 redundancy). First is it possible to put WiSM-A and WiSM-B into different RF groups, I think so because they are logically splitted, aren't they?
  And what RF group design would be best (just as a reference)? I thought that it would make sense to form a RF group for each of the seven pairs (1 WiSM on switch A and 1 WiSM on switch B) for redundancy? What do you think of that approach?
  4. So I would have 1 mobility group and 7 RF groups. Or do you recommend to form the mobility groups like the RF groups? But what happens with Layer 2 roaming in that case?
  I'm sorry for the long and messy text, but I hope you can see my design questions?
  Thanks a lot in advance.
  Dominic

  It sounds like you already have some good replies. Personally I like N+1 redundancy, but that is a designers choice. One thing I should point out is that the 6500 can only support 5 WiSM cards each. In this case a 4 WiSM x 3 chassis option would give your more spare capacity with only 12 total cards. The lower WiSM cost (12 vs 14) would help offset the cost of the extra chassis. You could also support 2400 APs with 8 WiSM cards even if one switch is down.
  Not too long ago Cisco added the ability to set the priority of APs so your critical ones would join a controller and the less critical ones would go down if a controller failed and there were no redundancy. That is something to keep in mind when designing wireless. You may not need redundancy for all APs and that could affect your design and costs.
  Randy

• AP1242AG WPA and MAC Filtering problem

  Hello,
  Presently I managed some AP1242AG in ofiice area
  I need implement WPA and MAC filtering.
  I found what :
  In IOS 12.2(13)JA branch IOS and before, MAC authentication was supported
  in conjunction with WPA.
  In 12.2(15)JA and above, configuring MAC authentication with WPA does not
  work. MAC Authentication passes everyone through.
  I can't found IOS 12.2(13) in Cisco site.
  Can anybody help me and give link to download 12.2(13)JA ?
  Thanks.

  Also when I acivete MAC filterring
  access-list 700 deny   0024.d7ed.2204   0000.0000.0000
  access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
  dot11 association mac-list 700
  dot11 ssid zero!v
     vlan 390
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
     wpa-psk ascii 7 14531708030A2E1A3108212127015644
  The WPA is working but MAC filtering not reject
  IOS Ver.
  Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.3(11)JA1, RELEASE SOFTWARE (fc2)

• E1200 - Ports not working and mac filtering problem

  If there was a way to give negative stars to this router, I would. As it is, the minimum rating I can give this product is one star, and that's one star too many.
  I was upgrading from the WRT54G, which is an ugly thing to look at, but a reliable workhorse nonetheless. I turned that in to a downstream switch in my comms hub.
  On the E1200, I flashed the latest firmware, used different Cat5 cables, and different laptops before committing to hating this product.
  The first time I reached out to Amazon, the Amazon rep gave me a Cisco number to call. Turns out, that's some shady mortgage refinance hotline. Try it for yourself! 1-800-666-1771.
  Now, the rant -
  1. Two out of four wired LAN ports don't work: What can be the fix for this?! The activity lights on ports 3 and 4 blink and suggest data transfer is taking place, but the wired laptop simply can't acquire an IP address and access the internet. Same result when I connect my Panasonic Blu-Ray player to ports 3 and 4. None of the Viera Cast features load.
  2. MAC filtering unreliable: The wireless routing works somewhat reliably, if and only if, one settles for the most basic security. If I only choose a password and WPA2 protocol, things work fine. If I add another layer of security (in my case, enabling MAC filtering and only PERMITTING gateway to listed MAC IDs), things break down. As soon as I disable MAC filtering, wireless access to authenticated clients is restored.
  3. Cisco customer service: The censored world we live in, compels me to criticize politely. TERRIBLE. Cisco website is unintuitive, and frustrating. There's no easy way to register your purchased product. The Cisco "registration" is intentionally misleading and deceptive. For all intents and purposes, it's just an information gathering tool for Cisco. Don't bother registering there, unless you love the idea of storing your personal information on their servers. Their phone-based customer service is apathetic and uninterested. My rep was so distrusting of my intelligence and motor control, that he simply wouldn't believe that I had selected "PERMIT" and not "PREVENT" as the option under MAC filtering. After he asked me the same question for the fourth time, I raised my voice, and he gave up the idea of checking for the fifth time.
  However, this review is a tale of two companies. I reached out to Amazon again. This time, I got a rockstar in the shape of Leanne C! She was incredibly helpful, and understanding. What's more, she set up my return without any hassle and this Cisco dud is on its way back. I'm a big fan of Leanne's and my confidence in Amazon is restored.
  I'm sure that i received a lemon. I've never had problems with Linksys products. Maybe others' experience is different from mine.

  In your case as port numbers 1 and 2 does not work, what you could have done a loop back test. To perform a loop back test you need to take an ethernet cable, connect one end of that cable to internet port and the other end to the non-working port on the router. If you get the led to glow on both internet and the respective ethernet port that indicates that the port is working fine.
  It could also be a sychronization issue between the above mentioned lan ports and the lan card of your computer. As a part of trouble shooting you can try to reduce the card speed of your lan card. Following are the steps to reduce the speed of your lan card.
  START--> right-click My Network Places and click Properties
  right-click on the device manager and click properties
  Click on the CONFIGURE button
  Select the ADVANCED tab and in the box under the header property select "speed and duplex" and change the value on the right to 10 mbps half duplex. A restart would be recommended after performing these steps.
  In the second half you said that after enabling the mac filter option the internet breaks down. Here, do you mean to say that the computer
  gets disconnected from the wireless network or it stays connected with a valid IP address but without an internet connection.
  Well, it is an unusual issue however you could have reset and reconfigure the router as you got the latest firmware upgraded on it.
  Steps to reset the router:
  Push the reset button on router for 30 seconds, turn off the router wait for 30 seconds and then power it on. Power light should blink when you perform the reset process.

• Mac can't see new printer-told to Disable Airport Extreme Firewall and Mac Filtering...

  I have a new Epson WF-3520 AIO printer. I run Mac on OS X 10.5.7.  The printer appears to be properly set up to run wirelessly but it doesn't show up as a choice to be added to my list of available printers.  My Mac just doesn't see it.  After trying many things Epson's tech support told me to call Apple and find out how to disable the Airport Extreme's firewall as well as Mac Filtering.  I went into the Airport's utility and just got lost in knowing exactly what steps I need to take to do this.  Also, I'm somewhat dubious that this is really what needs to be done in the first place and I'm wondering if he simply wanted to get off the phone....  All advice welcome!  Thanks. Stephanie

  Forget it.... My suspicion was correct.  I was talking to an idiot.  Problem resolved by me.  Unrelated to Airport.
  Forgot to install a piece of software... duh!!!

• WAG54GS CD and MAC Filtering

  Hello,
  1)  Where can I obtain a Install CD for my WAG54GS Router?
  2) I have had the WAG54GS in use for some years now, and more and more computers and devices are to the router.
  Recently my Printer (HP 6500) often tells me that it cannot obtain an IP address  but it does t "see" the SSID Router name.)
  Error roughly translates (German) to
  Your Router uses MAC Filtering. So a Connection the HP Printer may fail.
  I must either deactivate the MAC filer or add the Printer MAC Address to the allowed list.
  I am unsure how to do this.
  Any help on both of these comments.??????
  NT

  OK, thank you.
  I keep losing IP addresses now fron my PC's as well a my printer. Usually a router re-boot helps.
  The thing  I did not like about this WAG54GS  is that there is no power fail re-start.
  Have you any idea why losing the IP address occurs. Note that the SSID is being recogonised and with a healthy
  signal level.
  However
  A am sending on Channel 1 but there is a TP-LINK 504132  Router in my neighbourhood that is on channel 1
    (2,412 GHz) and is sending 802.11n and seems to be tranmitting a much higher speed than me.
  I wonder if this could be causing problems.
  Regards

• EA2700 bridging and mac filtering

  I have a EA4500 as a main router and a EA2700 router connected to it (wire) in bridging mode.
  On the EA4500 I use mac filtering for the wireless connections.
  My problem:
  If a device connects wireless to the EA2700, the EA4500 see this as a LAN connection and thus the MAC filter is bypassed.
  Can this be solved?

  You can try this, bridge the 2700 router and use the following LAN-to-LAN configuration to see if the 4500 sees the device correctly:
  http://www.northshore-it.com/tips/how-tos/cascade_linksys/#LAN_to_LAN
  It's possible that the design and detection behavior of the 4500 with the use of a wired 2ndary AP maybe how it's detecting the client devices since it's connected wirelessly to the 2700 however when it goes thru the 2700 to the 4500, it's over a LAN wired connection and thats what the 4500 is seeing. 

• Guest networking and mac filtering

  I have a dual band airport extreme that I've purposfully kept at an old firmware revision because I have mac filtering enabled and also want to have guest network enabled. Somewhere around version 7.5 a bug was introduced that applied the mac filtering to both the private and guest SSID's. I found a number of posts from back then about it, but can anyone tell me if it has since been corrected in the more recent releases?
  Thanks
  Matt

  Somewhere around version 7.5 a bug was introduced that applied the mac filtering to both the private and guest SSID's. I found a number of posts from back then about it, but can anyone tell me if it has since been corrected in the more recent releases?
  No.  For what it's worth, Apple Support does not call it a "bug". They call it a "feature".

• Groups and ESSBASE Filters

  Can anyone tell me we can import the Data level filters for Groups from ESSBASE?
  If so, do we have any documentation on how to perform this?
  Thank you,

  You can't import them but they will be applied to all selections if you use integrated access control between OBIEE and Essbase (i.e. hand over :USER, :PASSWORD in the connection pool rather than generic conneciton credentials).
  Cheers,
  C.

• Mobile.me AND .mac-account on two machines - sync iphone.

  Hi,
  i have a .mac account for work (where i purchased music i needed for work) and a private mobile.me account, which i use for buying my private music. Whenever i connect the iphone to one on these two machines it gets the account id from that computer.
  The problem now is this. I purchased some apps from the appstore for account A and some apps for account B. So far no problem, i can use all these apps on my iphone. BUT: Occasionally the app store finds some updates for installed apps, which i would like to load. But if the app was bought using account A i cannot update this app, when the iphone thinks it is synced to account B - and vice versa. There is an error message saying, you have to buy the original software first to get the update. Thats what i did, but with the wrong account.
  So my question: Can i use the iphone with two accounts? I payed for the apps, so there is no reason i cannot updtae them, when i´m allowed to use them. Or, the option i would NOT like to go: Can i merge these two accounts?
  Thanks
  Rainer

  Authorize both computers for one iTunes account. You should only be syncing with one iTunes account at a time, by using 2 you risk having everything wiped each time you sync with another computer with a different account. You can setup several mobileme accounts, but you should only use one iTunes account for purchases on the iPhone to avoid problems like this.
  Message was edited by: Randy Fast

• WiFi MBSSID and MAC filtering

  Dear Sirs!
  I use Cisco AiroNet and have multissid WiFI
  What can I filter users by MAC address only on specific SSID?
  Thanks!

  Mac address-table xxxx.xxxx.xxxx static
  vlan ### drop
  In this sring, xxxx.xxxx.xxxx it is allowed MAC?
  and vlan ### drop it is entered in global config?
  Thanks!

• WLC 4402 Web Authentication, Mac Filtering and Layer 2 Seciruty

  Hi All,
  I have configured web authentication and Mac filtering on WLC 4402 for my wireless network and its working fine. I wants to configure layer 2 security for the same Wireless network without pre shared key. Could you please advice how to configure layer 2 security with web authentication withour preshare key.
  Is there any security issue with web authentication and Mac FIltering only? My concern in my wireless network shows open.
  Thanks,
  Kashif

  Hi,
  if you have a ACS, then you can do Web auth Splash page!!! Please refer to the below doc!!
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml
  Lemme know if this answered ur question!!
  Regards
  Surendra

• WLC Flexconnect with AAA and MAC authentication

  hi,
  i am having cisco WLC with 7.4.121 version and i am having remote side access points to be connected to this controller and remote access point will have different vlan on the remote side itself.
  my question is i am having  Radius authentication for the clients who are all connecting from all the access points and MAC filtering also.
  My radius server is placed in the HQ where we have WLC. which method of flexconnect switchign will give be both AAA and MAc filter options to be working.
  one more question,
  is it possible to make each AP seperate MAC filters On the WLC.
  thanks
  cyril

  If you are planning on doing machine authentication i.e authentication of machine with username password by the AAA server at then this is possible using flexconnect local switching enabled provided you have your AAA server accessible via the local VLAN at the remote site.
  In case you are planning on doing mac-filtering using WLC and username/password authentication using AAA server then this cannot be achieved when you enable Flexconnect local switching as you do not get an option to configure the mac-filtering on Flex-connect groups.Hence you would need to use central authentication.
  Actually the best option for you is that you either deploy a local site AAA server and do both the authentications via your radius server or use Central authentication with Flexconnect APs incase this is not feasible.
  Hope this clears you doubts!!!
  Note: Please do not forget to rate and accept as solution incase the post is valid.

• Migrating 2 standalone 5508 to one mobility-group

  hey everyone,
  for some reason our wlan-controllers were build up to be standalone instead of beeing one mobility-group.
  I would like to change this in order to use all features of HA.
  let me describe our scenario:
  two WLCs 5508 running SW ver. 6
  - same subnet
  - both are running in master controller mode
  - different hostnames, ip-addresses, etc
  - all settings for WLANs and AP-groups (exept the APs themselves in these groups) are the same
  - in total at this moment we are running around 100 LAPs configured one half on WLC#1, the other half on WLC#2
  I don't know exactly why, but when that setting was installed, someone already configuredHA for each accesspoint...
  e.g.:
  - AP#1 primary WLC#1, secondary WLC#2
  - AP#2 primary WLC#2, secondary WLC#1
  but without WLC#2 knowing the configuration for AP#1 it makes no sense, correct?
  so my question is: how should I do the migration in the best way?
  is it easy as:
  - disabling master controller mode on WLC#2
  - configuring both WLCs into one mobility group
  --> WLCs are negotiating their configurations for the APs
  and everything is fine after this?
  comments appriciated. ;-)
  rgeards, Manuel

  Master Controller Mode is only listened to if the AP does not have a primary controller set.
  So all you should need to do is change the mobility group name on the Controller tab to match between the two, then go into the mobility group and edit the mac/ip address of the WLC to be in both WLC.  Make sure you use the mac address from the mobility configuration, and you should be good.
  Steve

• Replace WLC Mobility Group Anchor

  We have 2 5508 and 1 4402 WLCs and all belong to the same mobility group. The 4402 does not have any access points and does nothing more than serve as a mobility anchor for our public wireless SSID. We are planning to replace the 4402 with a new 2504 unit which will have the same configuration including IP as the 4402. Is there anything I need to do with the mobility groups when we remove the 4402?
  Thanks for any help.
  Jeff

  you'll need to add the MAC of the 2504 to the mobility group, and remove the entry for the 4402.
  Out of Curiosity...how many concurrent guest users to you have usually?
  Steve