Virtual WLC 7.5 - AP Enforced Rate Limiting

Similar Messages

• WLC - Rate-limiting with QoS Roles

  We have a large number of locations that we would like to deploy the 2100 series wireless controllers. Among other things, we would like to provide generic rate-limiting to all users(per-user bandwidth limits). This is a hospitality guest access environment and content filtering is really not a concern. We would, however, like to prevent one or a few users from saturating the circuit at the expense of other users. It looks like the WLCs can handle this with a QoS Profile assigned to the guest wlan and bandwidth-limiting QoS Roles applied to each user. The issue we may run into is web-authentication needs to be disabled. There is another device on these locations that will be providing those services.
  Is it possible to apply a QoS Role by default to all users who associate to a controller without authentication? Also, if anyone has attempted this design model I would greatly appreciate some input on any unexpected or undesirable results you may have noticed.
  I appreciate everyones help.

  Thanks so much for such a quick response. I may be misunderstanding some of the documentation and would really appreciate some clarity. I am understanding a QoS Profile to be applied to one or more WLANs and all user traffic from clients of those WLANs will fall under the qos policy as a group(bandwidth limitations would be applied to all of the user traffic combined). For example, a profile capping downstream bandwidth at 1544kbps would limit all user traffic from all of the clients associated to that ssid at 1544kbps. If we were to assume some degree of fair bandwidth distribution and there are 10 users receiving traffic at a given time, then each user would receive no more than 154.4kbps. Or, are QoS Profiles actual templates that are applied to each user that associates to that ssid? For instance, if we consider a profile capping 1544kbps downstream applied to a WLAN with 10 users associated. Each user would be able to download up to 1544kbps and the full bandwidth usage for that WLAN would be 15440kbps.
  Thanks again for your help.

• Current outbound rate limiting capabilities

  Hello All,
  I have recently reviewed this thread from back in January-March: https://supportforums.cisco.com/thread/2002325?tstart=60 .  I have been facing the same predcament decrsibed be people in this thread.  That being end user machines get compromised and then send out large volumes of spam via legitimate accounts on our servers.  In our cases, the outbound from addresses have all been the actual user address.  The end user environment is ActiveDirectory & Exchange.
  If I cannot rate limit based on a sender address, then I am wondering if the 370D model would allow me to somehow define virtual gateways which would correspond to users found within a specific portion of my Active Directory environment.  For example, if all sales dept. staff were within a single AD OU, could I create a virtual gateway that corresponds to just these people and have that gateway set with different rate limits than another gateway which corresponds to a different group of users?
  Lastly, is it possible with any of the appliance models to define specific outbound rate limits for recipient domains?  For example, messages destined for hotmail.com would have a different rate limit than messages destined for gmail.com.  Would this functionality work with mixed recipient domains in the To: field?
  Thanks,

  Yes, you can define outgoing mail policy or outgoing content filter  based on sender's LDAP group (e.g. CN=West,OU=Sales,....) and then use a  filter action "Deliver from IP interface" to choose to deliver the  emails from selected IP interface.
  You can define delivery rate limit based on destination domain under 'Mail Policies'-'Destination Controls'.
  I recommend to enable antispam scanning for outgoing emails. You can add custom header if the message is a positively-identified spam.  Then you can use an outgoing content filter action to redirect spams to  be delivered from another IP interface or another mail host if outgoing  message contains the custom header. This can allow good and bad emails to be delivered from different IP interfaces.

• Virtual WLC in LAB environment

  Hi!
  I have just installed a Virtual WLC at home for lab purpose. Now i want to connect one accesspoint to my wlc, but for now the WLC says "0 access points supported". 
  Can i somehow still use the evaluation licens and connect a accesspoint to the wlc? 
  /Lajja1234

  Hi Lajja,
  You have to enable the evaluation license in order to allow the AP to join.
  How to do it, please check here:
  http://www.cisco.com/c/en/us/support/docs/wireless/virtual-wireless-controller/113677-virtual-wlan-dg-00.html
  Hope it helps.
  Regards
  Dont forget to rate helpful posts

• Wireless Rate Limiting via Radius

  We have a setup as 1 SSID in air , authentication via LDAP
  One user login as aaa  to VLAN 51
  other user login as bbb to VLAN 52
  I want to setup different rate limiters for those users.As i know thera are 2 methods of rate limiting available in WLC
  a)per User in the same SSID
  b)per SSID for any user
  In this case there is only one WLAN so we cant use b , as i dont want all users to get same bandwidth contract rate limiting method a isnt useful for us.Because i want to seperate employee / guest / admin bandwidth limits.
  How can i overcome of this case ?

  For the first question  ;
  What do you mean with "maybe depends on your equipment" ?
  For the second question ;
  Sorry it has to be "VLAN" assignment , and i have found the solution.
  As i read
  IETF 64 (Tunnel Type)—Set this to VLAN.
  IETF 65 (Tunnel Medium Type)—Set this to 802
  IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
  Three types of attribute has to be returned from ldap server.All three of these has to be returned or just Private group id is enough ?

• URGENT HELP WITH VIRTUAL WLC

  We had a problem with Virtual Machine which Cisco Virtual WLC installed. Virtual Machine files were damaged and the system was not start normally. We have had to reinstall the WLC, but after installation impossible to import current license to new one.
  how can we install this licence again?

  Licenses are tied to the device they're being used on. With a virtual WLC, the license is tied to the unique identifier of the vWLC and when you recreated the vWLC after your VMware problems the new vWLC has a different unique identifier.
  It's a similar situation to what happens when a physical controller is faulty and is swapped out by cisco, the replacement will have a different serial number and you'd have to re-host the license to the new serial number.

• SNMP OID for AssociatedAPs in Virtual WLC 7.4.100.0

  Hello Guys!
  I need you help for something that I need to do to monitor my Wi-FI network.
  I'm using a Virtual WLC (SW Ver 7.4.100.0) where most that 30 APs are associated with, but I would like to monitor each disaciossiation of APs using SNMP. After some search, I have found this OID .1.3.6.1.4.1.14179.2.1.1.1.38 on some forums but it doesn't work, I see random number in my monitoring tool.
  Do you know if there is any another OID to use with this software version or maybe if I have to upgrade to ver7.6 or ver8?
  Thanks in advance,
  Kevin

  I'm assuming you don't own a license for Cisco Prime Infrastructure
  One thing you can do is send SNMP traps to your monitoring software from the WLC (I've never used virtual WLC but my assumption is most options are the same. If your software doesn't support SNMP Traps consider a different monitoring software...
  Go to Management > SNMP > Trap Receivers and set up your receiver
  Then to to Management > SNMP > Trap ControlsHere is where you set what traps are sent via SNMP. If you see the "AP" tab you can set several things.
  If you only want to see if an AP is dropping off the network and the above doesn't work, you could just put dhcp reservations on your APs and have your software ping it. This of course is only if its off network, not if it simply disassociates.

• Virtualized WLC + Prime + MSE solution

  Dear all,
  we are facing some problem to deploy a virtualized localization solution made of WLC, Prime Infrastructure and MSE.
  We constructed, in our lab, on a UCS C220M3 with VMWare 5.1 the following solution:
  Virtual WLC version 7.3.101 (ip address 10.0.1.249)
  Prime Infrastructure 1.2.0.103 (ip address 10.0.1.250)
  Virtual MSE 7.3.101 (ip address 10.0.1.247)
  WLC is working properly, can register APs and is properly integrated with the Prime. For the localization solution we deployed three access points:  
  -one 3502 in flex connect mode
  -two 1142 in monitor mode
  The problem came out  when we started to work with the MSE. MSE has been registered inside Prime and synchronized with maps and controller.
  After that we checked the maps but no information was displayed. So we started facing the problem and we found that the NMSP protocol remained inactive even if the troubleshooting windows didn't report any explicit issue.
  At this stage we started checking the debug messages and in particular, for the NMSP we countinuously received the follwing message:
  *nmspRxServerTask: Nov 17 17:55:09.777: Allocated new NMSP connection 0
  *nmspRxServerTask: Nov 17 17:55:09.778: sslConnectionInit:  SSL_new() conn ssl 0x2aaaae71ab88
  *nmspRxServerTask: Nov 17 17:55:09.778: sslConnectionInit: SSL_do_handshake for conn ssl 0x2aaaae71ab88, conn state: INIT, SSL state: HANDSHAKING
  *nmspRxServerTask: Nov 17 17:55:09.778: -- returns WANT_READ for conn ssl 0x2aaaae71ab88
  *nmspRxServerTask: Nov 17 17:55:09.778: sslConnectionInit() success with Connection state: INIT, SSL state: HANDSHAKING
  *nmspRxServerTask: Nov 17 17:55:09.785: doSSLRecvLoop: Handshake has not completed for conn 0
  *nmspRxServerTask: Nov 17 17:55:09.785: sslConnectionInit: SSL_do_handshake for conn ssl 0x2aaaae71ab88, conn state: INIT, SSL state: HANDSHAKING
  *nmspRxServerTask: Nov 17 17:55:09.785: -- returns WANT_READ for conn ssl 0x2aaaae71ab88
  *nmspRxServerTask: Nov 17 17:55:10.100: doSSLRecvLoop: Handshake has not completed for conn 0
  *nmspRxServerTask: Nov 17 17:55:10.100: sslConnectionInit: SSL_do_handshake for conn ssl 0x2aaaae71ab88, conn state: INIT, SSL state: HANDSHAKING
  *nmspRxServerTask: Nov 17 17:55:10.100: -- handshake failed for conn ssl 0x2aaaae71ab88,error = error:00000000:lib(0):func(0):reason(0)
  *nmspRxServerTask: Nov 17 17:55:10.100:  freeing Nmsp conn ssl 0x2aaaae71ab88, conn id 0
  Also the statistics for the NMSP protocol emphatized an SSL error:
  (Cisco Controller) >show nmsp statistics summary
  NMSP Global Counters
  Client Measure Send Fail......................... 0
  Send RSSI with no entry.......................... 0
  APP msg too big.................................. 0
  Failed Select on Accept Socket................... 0
  Failed SSL write................................. 0
  Partial SSL write................................ 0
  SSL write returned zero.......................... 0
  SSL write attempts to want read.................. 0
  SSL write attempts to want write................. 0
  SSL write got default error...................... 0
  SSL write max data length sent................... 0
  SSL write max attempts to write in loop.......... 0
  SSL read returned zero........................... 0
  SSL read attempts to want read................... 0
  SSL read attempts to want write.................. 0
  SSL read got default error....................... 0
  Failed SSL read - Con Rx buf freed............... 0
  Failed SSL read - Con/SSL freed.................. 0
  Max records read before exiting SSL read......... 0
  --More-- or (q)uit
  Highest Prio Tx Q full........................... 0
  Normal Prio Tx Q full............................ 0
  Highest Prio Tx Q Sent........................... 0
  Normal Prio Tx Q Sent............................ 0
  Highest Prio Tx Q count.......................... 0
  Normal Prio Tx Q count........................... 0
  Messages sent by APPs to Highest Prio TxQ........ 0
  Max Measure Notify Msg........................... 0
  Max Info Notify Msg.............................. 0
  Max Highest Prio Tx Q Size....................... 0
  Max Normal Prio Tx Q Size........................ 0
  Max Rx Size...................................... 1
  Max Info Notify Q Size........................... 0
  Max Client Info Notify Delay..................... 0
  Max Rogue AP Info Notify Delay................... 0
  Max Rogue Client Info Notify Delay............... 0
  Max Client Measure Notify Delay.................. 0
  Max Tag Measure Notify Delay..................... 0
  Max Rogue AP Measure Notify Delay................ 0
  Max Rogue Client Measure Notify Delay............ 0
  Max Client Stats Notify Delay.................... 0
  Max RFID Stats Notify Delay...................... 0
  RFID Measurement Periodic........................ 0
  --More-- or (q)uit
  RFID Measurement Immediate....................... 0
  SSL Handshake failed............................. 1319
  NMSP Rx detected con failure..................... 0
  NMSP Tx detected con failure..................... 0
  NMSP Tx buf size exceeded........................ 0
  NMSP Tx Invalid msg id .......................... 0
  Reconnect Before Conn Timeout.................... 0
  Rogue AP Info Changed DB Full.................... 0
  Rogue AP Meas Changed DB Full.................... 0
  Rogue Client Info Changed DB Full................ 0
  Rogue Client Meas Changed DB Full................ 0
  Looking around the Internet we found a similar case where the issue was solved dealing with the authorization list upon the wireless lan controller but after the suggested check we saw that the MSE is correctly authorized inside the controller: Here's the "show auth-list" on the WLC:
  (Cisco Controller) >show auth-list
  Authorize MIC APs against AAA ................... disabled
  Authorize LSC APs against Auth-List ............. disabled
  APs Allowed to Join
    AP with Manufacturing Installed Certificate.... no
    AP with Self-Signed Certificate................ no
    AP with Locally Significant Certificate........ no
  Mac Addr                  Cert Type    Key Hash
  00:0c:29:68:c8:57         LBS-SSC      6d6703ef9cccfb5a430e04b3ad128f8170fb435c
  that perfectly matches what was on the MSE:
  cmd> show server-auth-info
  invoke command: com.aes.server.cli.CmdGetServerAuthInfo
  AesLog queue high mark: 50000
  AesLog queue low mark: 500
  Server Auth Info
  MAC Address: 00:0c:29:68:c8:57
  Key Hash: 6d6703ef9cccfb5a430e04b3ad128f8170fb435c
  Certificate Type: SSC
  Finally I tried to look around the MSE logs and here what I found tailing the locserver errors:
  ==> /opt/mse/logs/locserver/locserver-error-0-0.log <==
  11/17/12 17:54:13.513 ERROR[locp] [36] Error in ConnectHandler(endPoint) <LocpSessionTarget mode=CLIENT><LocpEndPoint status=HANDSHAKE totalBytesSent=72000 totalBytesReceived=1315800><LocpEndPoint.Key host=10.0.1.249 port=16113/></LocpEndPoint></LocpSessionTarget>
  11/17/12 17:54:13.513 ERROR[com.aes] [36] [ConnectHandler:handle-09] THROW
  javax.net.ssl.SSLHandshakeException: General SSLEngine problem
          at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
          at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:485)
          at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1128)
          at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1100)
          at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:452)
          at com.aes.server.locp.transport.IOChannelSecure.doHandshake(IOChannelSecure.java:230)
          at com.aes.server.locp.transport.LocpTransportService$ConnectHandler.handle(LocpTransportService.java:354)
          at com.aes.server.locp.transport.ChannelEventDispatcherImpl$HandlerTask.run(ChannelEventDispatcherImpl.java:348)
          at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
          at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
          at java.util.concurrent.FutureTask.run(FutureTask.java:138)
          at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
          at java.lang.Thread.run(Thread.java:662)
  Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
          at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
          at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1528)
          at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:243)
          at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
          at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
          at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
          at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
          at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:533)
          at java.security.AccessController.doPrivileged(Native Method)
          at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:952)
          at com.aes.server.locp.transport.IOChannelSecure.doTasks(IOChannelSecure.java:265)
          at com.aes.server.locp.transport.IOChannelSecure.doHandshake(IOChannelSecure.java:193)
          ... 8 more
  Caused by: sun.security.validator.ValidatorException: No trusted certificate found
          at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:346)
          at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:111)
          at sun.security.validator.Validator.validate(Validator.java:218)
          at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
          at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
          at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
          at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
          ... 15 more
  Everything seems to bring to a certificate error but I don't know, from a side if this is the right direction of investigfation and, from the other, where to check for this certificate and how to find a solution.
  May someone  give us some help?
  Thank in advance to all.
  Regards.
  Marco

  Hi Pongsatorn,
  This is caused by a bug with the ID - CSCub42987. And yes, it only applies to the Virtual WLC's.
  Here is the work-around: (need to be performed from the CLI of the MSE as follows)
  1. cmdshell
  2. config unauthenticated-nmsp true
  3. exit
  4. service msed restart
  Ram.

• Rate limiting on Catalyst 2950T switches

  Hi,
  I would like to allow some users full access to internal servers, but only provide them with 2 Mbps access to the Internet. As far as I understand I cannot use the deny statement when defining the access-list for the class-map and therefore I am asking for your help. (The config below work well for rate-limiting all traffic, but I would need full access for traffic matching access-list 111):
  access-list 111 remark [ Traffic not to be rate limited ]
  access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
  access-list 112 remark [ Traffic to be rate limited ]
  access-list 112 permit ip 10.0.0.0 0.255.255.255 any
  class-map match-all Internet-Class
  match access-group 112
  policy-map Internet
  description [ Rate limit Internet access ]
  class Internet-Class
  police 2000000 65536 exceed-action drop
  interface FastEthernet0/1
  service-policy input Internet
  interface FastEthernet0/24
  service-policy input Internet
  Any help would be very appreciated!
  Regards,
  Harald

  Thanks again for the reply!
  My "working" configuration is as follows:
  access-list 111 remark [ Traffic not to be rate limited ]
  access-list 111 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
  access-list 112 remark [ Traffic to be rate limited ]
  access-list 112 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
  class-map match-all Local-Class
  match access-group 111
  class-map match-all Internet-Class
  match access-group 112
  policy-map Internet-Policy
  description [ Rate limit Internet access ]
  class Internet-Class
  police 2000000 65536 exceed-action drop
  class Local-Class
  police 98000000 65536
  interface FastEthernet0/1
  description [ Local LAN facing interface ]
  service-policy input Internet-Policy
  interface FastEthernet0/24
  description [ Internet facing interface ]
  service-policy input Internet-Policy
  However, I would like to change "172.16.0.0 0.0.255.255" in access-list 112 to "any" since it should apply to all Internet traffic. If I try to do that I get the mask error I previously mentioned.
  Regards,
  Harald

• Policy-map based rate-limiting per vlan

  Hi
  I was thinking if someone could help me to come up with solution to a problem. Scenario as follow:
  I have a trunk interface with multiple vlans on:
  interface GigabitEthernet2/0/3
  description TRUNK-to-*********
  switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 415,416,610,1191-1193,1195
  switchport mode trunk
  duplex full
  storm-control broadcast level pps 1k
  storm-control multicast level pps 3k
  storm-control unicast level pps 250k
  storm-control action trap
  spanning-tree portfast trunk
  spanning-tree bpdufilter enable
  I'm trying to rate limit two of the vlans that are present on this trunk interface - vlan 415 and vlan 1192.
  So I'm putting the class-map (to be later applied under the policy-map which is not significant here):
  (config)#class-map match-any 120-mbps-class
  (config-cmap)#match input-interface vlan 415
  (config-cmap)#match input-interface vlan 1192
  Now, when you show the class-map I created, I can see this:
  sh class-map 120-mbps-class
  Class Map match-any 120-mbps-class (id 1)
     Match input-interface  Vlan415
     Match input-interface  FastEthernet0
  For some bizzare reason class-map is matching the Fa0. I have researched this, and this is most probably because you can only match 1 vlan instance under the class-map.
  And here's my problem - I can't police whole interface as the other vlans should not be policed - how can I police those two vlans ?
  Any thoughts ? All help appreciated as always.
  Rob.

  Hi Daniel,
  I have labed it and unfortuantely it does not work as expected. I have put 1x 3750 and 1x 2960 trunk between them, each box had an access port for laptop to create some traffic across. All vlan-based qos has been applied on 3750G.
  3750G config
  Interface g1/0/20
  descriprion trunk
  swicthport trunk encapsulation dot1q
  switchport mode trunk
  switchport trunk allowed vlan 100,120
  Interface g1/0/1
  description access
  switchport mode access
  switchport access vlan 100
  Interface vlan 100
  ip address 192.168.100.254
  service-policy input PARENT-POLICER
  Interface vlan 120
  ip address 10.10.10.1
  Policy-map PARENT-POLICER
  class PERMIT-ANY-CLASS
  trust COS
  service-policy CHILD-POLICER
  class-map match-any PERMIT-ANY-CLASS
  match access-group name POLICY-LIST
  Extended IP access list POLICY-LIST
      10 permit ip any any
  Policy-map CHILD-POLICER
  class INTERFACE-POLICE-CLASS
    police 100000 8000 exceed-action drop
  Class Map match-any INTERFACE-POLICE-CLASS
  Match input-interface  GigabitEthernet1/0/20
  2960 config:
  interface g0/20
  switchport mode trunk
  switchport trunk allowed vlan 100,120
  interface g0/1
  switchport mode access
  switchport access vlan 100
  interface vlan 100
  ip address 192.168.100.253
  interface vlan 120
  ip address 10.10.10.2
  So as you can see vlan 100 is the one it need to be rate limited (I have only rate limited to 100kbps just to see if it's working) and vlan 120 is only on the trunk ports to confirm if the traffic  for this one is not affected.
  Unfortunately when the policing is applied on 3750 vlan 100 (and policing is working fine) then I can see the packet loss while pinging between switches on vlan 120 suggesting that the policy is affecting the other vlan as well. When I take the policy out of the vlan 100 I cannot observe the packet loss on vlan 120 meaning is no longer affected.
  Not sure if I have explained this clear enough so far, if not let me know.
  Do you have any suggestions ?
  Thanks!

• EMAIL RATE LIMITATION error msg

  I sent an email to my sis [whom I email on a regular basis] and 3 days later it came back undelivered with the following message:
  Temporary error returned by SMTP partner.
  smtp;421 RP-001 The mail server IP connecting to Windows Live Hotmail server has exceeded the rate limit allowed.
  Reason for rate limitation is related to IP/domain reputation problems.
  Does this mean I might have a virus that's using my email client to spam other people? What does it mean?

  A valid email address should have the form "[email protected]" with only one "@" character and no spaces.

• Cisco LAP 2602 can not join Virtual WLC

  dear all, 
  i just install Virtual WLC and i remove WLC 2504 , i install & configured it , but LAP can not join. it was work fine with WLC 2504.
  i used the same network topology with the old WLC.
  i receive this error logs.
  *spamApTask4: Feb 04 06:01:30.082: <<<<  Start of CAPWAP Packet  >>>>
  *spamApTask4: Feb 04 06:01:30.082: CAPWAP Control mesg Recd from 10.192.200.93, Port 26711
  *spamApTask4: Feb 04 06:01:30.082:              HLEN 4,   Radio ID 0,    WBID 1
  *spamApTask4: Feb 04 06:01:30.082:              Msg Type   :   CAPWAP_DISCOVERY_REQUEST
  *spamApTask4: Feb 04 06:01:30.082:              Msg Length : 155
  *spamApTask4: Feb 04 06:01:30.082:              Msg SeqNum : 0
  *spamApTask4: Feb 04 06:01:30.082:   
  *spamApTask4: Feb 04 06:01:30.082:       Type : CAPWAP_MSGELE_DISCOVERY_TYPE, Length 1
  *spamApTask4: Feb 04 06:01:30.082:              Discovery Type : CAPWAP_DISCOVERY_TYPE_UNKNOWN
  *spamApTask4: Feb 04 06:01:30.082:   
  *spamApTask4: Feb 04 06:01:30.082:       Type : CAPWAP_MSGELE_WTP_BOARD_DATA, Length 62
  *spamApTask4: Feb 04 06:01:30.083:              Vendor Identifier      : 0x00409600
  *spamApTask4: Feb 04 06:01:30.083:              WTP_SERIAL_NUMBER : AIR-CAP2602E-I-K9
  *spamApTask4: Feb 04 06:01:30.083:   
  *spamApTask4: Feb 04 06:01:30.083:       Type : CAPWAP_MSGELE_WTP_DESCRIPTOR, Length 40
  *spamApTask4: Feb 04 06:01:30.083:              Maximum Radios Supported  : 2
  *spamApTask4: Feb 04 06:01:30.083:              Radios in Use             : 2
  *spamApTask4: Feb 04 06:01:30.083:              Encryption Capabilities   : 0x00 0x01
  *spamApTask4: Feb 04 06:01:30.083:   
  *spamApTask4: Feb 04 06:01:30.083:       Type : CAPWAP_MSGELE_WTP_FRAME_TUNNEL, Length 1
  *spamApTask4: Feb 04 06:01:30.083:              WTP Frame Tunnel Mode : NATIVE_FRAME_TUNNEL_MODE
  *spamApTask4: Feb 04 06:01:30.083:   
  *spamApTask4: Feb 04 06:01:30.083:       Type : CAPWAP_MSGELE_WTP_MAC_TYPE, Length 1
  *spamApTask4: Feb 04 06:01:30.083:              WTP Mac Type  : SPLIT_MAC
  *spamApTask4: Feb 04 06:01:30.083:   
  *spamApTask4: Feb 04 06:01:30.083:       Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 10
  *spamApTask4: Feb 04 06:01:30.083:              Vendor Identifier  : 0x00409600
  *spamApTask4: Feb 04 06:01:30.083: 
          IE            :   UNKNOWN IE 207
  *spamApTask4: Feb 04 06:01:30.083:      IE Length     :   4
  *spamApTask4: Feb 04 06:01:30.083:      Decode routine not available, Printing Hex Dump
  *spamApTask4: Feb 04 06:01:30.083: 00000000: 03 00 00 01                                       ....
  *spamApTask4: Feb 04 06:01:30.083:   
  *spamApTask4: Feb 04 06:01:30.083:       Type : CAPWAP_MSGELE_VENDOR_SPECIFIC_PAYLOAD, Length 12
  *spamApTask4: Feb 04 06:01:30.083:              Vendor Identifier  : 0x00409600
  *spamApTask4: Feb 04 06:01:30.083: 
          IE            :   RAD_NAME_PAYLOAD
  *spamApTask4: Feb 04 06:01:30.083:      IE Length     :   6
  *spamApTask4: Feb 04 06:01:30.083:      Rad  Name     :   
  *spamApTask4: Feb 04 06:01:30.083: CEO_AP
  *spamApTask4: Feb 04 06:01:30.083: <<<<  End of CAPWAP Packet  >>>>
  *spamApTask4: Feb 04 06:01:30.083: dc:a5:f4:8c:ff:30 Discovery Request from 10.192.200.93:26711
  *spamApTask4: Feb 04 06:01:30.083: dc:a5:f4:8c:ff:30 ApModel: AIR-CAP2602E-I-K9
  *spamApTask4: Feb 04 06:01:30.083: dc:a5:f4:8c:ff:30 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 200, joined Aps =0
  *spamApTask4: Feb 04 06:01:30.083: apModel: AIR-CAP2602E-I-K9
  *spamApTask4: Feb 04 06:01:30.083: apType = 26 apModel: AIR-CAP2602E-I-K9
  *spamApTask4: Feb 04 06:01:30.083: apType: Ox1a bundleApImageVer: 8.0.110.0
  *spamApTask4: Feb 04 06:01:30.083: version:8 release:0 maint:110 build:0
  *spamApTask4: Feb 04 06:01:30.083: dc:a5:f4:8c:ff:30 Discovery Response sent to 10.192.200.93 port 26711
  *spamApTask4: Feb 04 06:01:30.083: dc:a5:f4:8c:ff:30 Discovery Response sent to 10.192.200.93:26711
  Please any help.

  dear
  yes  the wlc  2504  is 8.0.110 but because its damaged i replaced it with  new vWLC v 8.0.110.
  also i can not put the LAP in flexconnect until its joint.

• Major bug in SMTP rate-limiting implementation

  I use my home computer to, among other things, host a mailing-list for a fan-club of a contemporary Russian poet. The total list of subscribers is about 40 people and messages are, on average, rare.
  However, when a discussion picks up, the number of e-mails can briefly spike easily exceeding Verizon's "you must be spamming" threshold. Imagine: one person asks a question and two others respond. Both the question and the responses get sent to the list, so that's 3x40=120 e-mails. If the discussion gets any longer, the e-mail account gets suspended for several days for exceeding the quota...
  I understand, why Verizon rate-limits the outgoing e-mail sending and don't object to it in principle. However, the current implementation has a major flaw. When the threshold is exceeded, instead of blocking all subsequent messages with a permanent error (5xx in SMTP-speak), the server ought to issue a temporary failure (4xx in SMTP-speak).
  This would block any spam-bots just as effectively, but allow legitimate messages to be properly queued by the sender's computers for resending. The 5xx code signals a permanent error so instead of being queued, the innocent message is suddenly bounced.
  A friend of mine is an RCN-subscriber and we know, that RCN implements rate-limiting exactly this way: if you are sending "too much", your messages will start being temporarily rejected for a while.
  Solved!
  Go to Solution.

  Anthony, this is not a "disagreement" -- I'm pointing out a bug. The bug manifested itself with the following two problems:
  Although none of the e-mails sent by my computer were spam, I was "identified" as a spammer and my access to SMTP was suspended for days. For no good reason.
  Even if it were possible to appeal such automatic verdict (and I did try to talk to a customer support representative), permanent rejections in the case of a temporary error are wrong -- and in violation of SMTP specifications.
  I did post the same text under the "New Ideas", but I don't think, "new idea" is the good place for this. I'm not suggesting a new service, but demanding a fix to the existing one.

• Migrate AP from WiSM to Virtual WLC

  Hello all,
  We have WiSM installed in Core Switch 6500 having 300+ AP registered on it.
  We want to migrate our AP's to new Virtual WLC. What is the best way to migrate AP to new vWLC with less down time.
  Can we migrate AP's from WiSM to Virtual WLC in bulk ( all in one time)? I read some where in form that AP version 7.3 & above start supporting vWLC. I am not sure if this applies for WisM as well ( i am assuming WiSM & WLC are differnt) ?
  My WiSM is running 7.0.240.0 & vWLC is 7.4. please check the WiSM attachments.
  Also is there any way to take backup from WiSM and restore on vWLC ?
  Regards.

  Hi,
  First of all, in order to reduce downtime, I would recommend that you upload the 7.4 code on the WiSM and predownload it to all the APs. (Wireless -> Global Configuration - AP Image Pre-download).
  Another thing would be to configure the vWLCs as back-up Primary & Secondary Controllers (Wireless -> Global Configuration - High Availabiliy). Doing this your APs will already know about the new WLC when the first will go down and will not have to go through discovery process. (test from AP CLI with show capwap client config)
  For the AP mode "mass-conversion" to flexconnect I don't know a better way than from WLC CLI, using:
  config ap mode flexconnect submode none AP_NAME_1
  config ap mode flexconnect submode none AP_NAME_300
  You could use text file to edit the the command with the AP names and than paste it all at once in the WLC. It would be wise to test it first with a few lines.
  If you did all this, when your old WLC goes down all your APs should associate to the new WLCs.
  Best regards,
  Sebastian

• Moving Licences from WLC2504 to Virtual WLC

  I have a WLC2504 with 35 licences (two 5 packs and one 25 pack)
  The fear is that if this older piece of hardware would die, then so would my 35 licences.
  I recently installed a Virtual WLC with 5 licences.
  What I would really love to able to do, is somehow migrate my 35 licences from 2504 to the Virtual controller.
  Is there a backdoor method to get those licences out of my 2504
  I do not have a Smartnet on any of these devices, so no worries of warranties, etc..
  Comments, suggestions, opinions and flames are all welcome and appreciated
  Bryan Smith
  Fort Wayne, Indiana

  If I am not mistaken, you will not be able to move a license from a Gen 2 WLC (like the 2500) to the Gen 3 box (like the vWLC).