Monday, March 26, 2012

Access Point Image Preload via the WLC CLI

George Stefanick has a great post outlining the ins and outs of how to get your APs to pre-download their software image so you can reboot them at your leisure. His post saved me a lot of legwork digging through the latest configuration guide for the steps necessary to enable this time-saving feature (which was originally a bug!).

Thanks George for parsing this information out of the Cisco documentation and presenting it for us in a manner that is easy to read, understand, and implement on our own wireless networks.

WLC: Predownload The Image To The Access Points From The Controller CLI



WCS to NCS Migration

I did a quick Google search to see if there was a quick rundown on the steps you need to know about to do a WCS to NCS migration, and sure enough, the first Google result was from my pal Samuel Clements. Sam outlines the features of NCS and the gotchas surrounding the NCS installer being a self-contained small, medium or large OVF file. Instead of installing NCS on a Windows or Red Hat server, the VM is imported into an existing VM infrastructure.

If you choose the wrong size (small, medium or large), there isn't a way to change it after the install without re-licensing the server and incurring an upgrade licensing fee in the process.

Sam has done a great job of listing the tasks that are necessary, so the only other thing I'll include here is a link to the Managing an Enterprise WLAN with Wireless Control System slide deck from Cisco Live 2011.

Key Enhancements with NCS:

15,000 Lightweight APs
5,000 Autonomous APs
5,000 Switches

WCS Supports up to:
3,000 Lightweight APs
1,250 Autonomous APs
zero switches


Cisco has also started to create quick learning modules for NCS. They can be found here.

For the sake of brevity (and being able to find them again), I created the bitly link bit.ly/NCSQLM to point to that URL. Previously, I did the same thing for the WCS quick learning modules: bit.ly/WCSQLM. That shortened link has come in handy several times when I'm not able to dig up the long URL from an email I've sent.

Tuesday, March 20, 2012

Hello Las Vegas! Aruba Airheads is about to begin!



I've gotten the scoop on who the panelists are for the Tech Field Day Roundtable discussion on Thursday, and it looks to be an interesting group of people!



The topics we'll be discussing are:

If you have any questions you'd like presented to this group, let me know and I'll be glad to pass them on.

The hashtags to follow are: #arubasummit #airheadsconf and #airheadsAD (tweeting after dark!)

As with any event where Dan Cybulskie is present, the official mascot is the polar bear!

Friday, March 16, 2012

Aruba Airheads Conference Las Vegas 2012

Red Rock Canyon
The desert beckons again, but I won't have room to see Red Rock Canyon this time around! I've got a full schedule of events set up for me in Las Vegas next week for the Aruba Airheads Conference. The group of blogger attendees I'll be traveling with are:

I've never been to an Aruba Airheads Conference before, so I'm sure I'll have lots to report. The agenda for the event starts off with the opening speakers:
Aruba Weather Report - Dominic Orr, President & CEO

Microsoft’s Lync Deployment over Wi-Fi – Victoria Poncini, Microsoft
Enabling Wireless Beyond the Hospital – Nico Arcino, Kaiser
Aruba Technology Update & Demos – Keerti Melkote & Friends

Then we move onto the "hands-on" portion of the event:

Tech Playground: See live demonstrations and speak with the experts on Remote Networking, Virtual Controllers, Mobility Controller, ClearPass, AirWave, Outdoor Mesh.

The technical breakout sessions vary from introductory to technical deep dives:



Expect to hear lots more from me next week as I report back what I see and hear at the event. We will be recording a special "Tech Field Day Roundtable" video discussion as well. Full disclosure: this trip is sponsored by Aruba in conjunction with Foskett Services to bring us bloggers together to get our candid opinions and feedback.

Nice, France by HGruber / Flickr.com
You too can win a trip to the next Airheads Conference in Nice, France. I know, nice, right? The details on how to enter to win are found over at Airheads Social. Entering is pretty easy, and the more chicken people are to enter, the better your odds are of winning! The contest runs from now through Monday, March 26, 2012. Winners will be announced by Friday, March 30, 2012. So hurry up and get your entry in!

Who wouldn't want to go?

Wednesday, March 14, 2012

Aruba Networks at Wireless Field Day 2


Wireless Field Day 2 - Aruba
Aruba was the first presenter for the second day of Wireless Field Day 2. We were welcomed to their Executive Briefing Center by Ozer Dondurmacioglu, Product Marketing Manager for Aruba, then they kicked off their presentation with Keerti Melkote (founder of Aruba Networks, now the Chief Strategy Officer) outlining their approach to BYOD. He defined it as a security model for personal devices, application-aware networking, and simple, self-provisioned access to a wireless LAN.

Keerti thinks there are high security concerns around BYOD even though it is the flavor of the day. Their goal is to reduce wired investments and build WLAN capacity by reducing siloed network management platforms (AAA, NAC, BYOD, guest access).




Their BYOD solution is about optimizing the application layer at the air level through understanding how the application performs on the WLAN and ensuring that the WLAN is optimized to deliver that application. A new concept in BYOD is the notion of a personal WLAN within the context of an enterprise WLAN. This concept is emerging in the higher ed sector. Policy enforcement in BYOD is done with Amigopod, which is an evolution of the RADIUS server. Policy enforcement for mobility means that applications can be classified even when the data is encrypted.


According to Aruba's presentation, Aruba has a firewall inside the access point because when you're sending peer-to-peer traffic over the same WLAN there is no other way to firewall traffic between peers. On a wired network the clients are assumed to be trusted; this is not so on a wireless link. RBAC should be applied to every user, wired or wireless, and the line between VPNs and local access should be blurred.

Another step in BYOD is to know at the application level when you've signed onto the WLAN. Single sign-on is the core of authentication, and until 802.1X was standardized, network access was a free-for-all. You just got an IP address and you were granted access. As you get to an authenticated access architecture, the way you connect gets shared with applications. In the context of multiple applications there is not one common store.

Identify / classify / control / optimize / follow

In an Aruba Instant AP, there is a controller-less Virtual Controller. The number of users supported for a single instance of a virtual controller is up to 512 users today, but you can have multiple virtual controllers in a network as well.

Provision just one AP at a remote site as a virtual controller, and every other AP at the remote site will download its software image from the designated virtual controller.

When Aruba refers to AAA, their reference is to Amigopod, Airwave and Avenda.

The Aruba switch offering allows IT administrators to push policy enforcement into the wiring closet. The idea is that you don't have to do VLANs on your network anymore by using the Aruba switches at the edge and the mobility controller at the core. The larger the mobility domain the deeper within the center of your LAN the controller needs to be.



Carlos Gomez then walked us through Aruba's BYOD demonstration of workflow-based provisioning. Aruba's BYOD solution has 3rd party integration with XML/SOAP APIs for integration with existing applications. Wireless client pre-registration can be done through bulk import or scratch cards. The sponsor approval system can be used to set up new users, or there are other one-time registration options. Carlos cited an Aruba hospital customer in Australia that has tied the guest provisioning process into the patient admission system workflow. As the patient is admitted into the hospital system, a wireless username and password is also generated for the patient to use during their hospital stay.

When guest access is done through Sponsor Approval, a user account is created in a disabled state. The sponsor gets requests for access, and can approve the guest access accounts or not.

Their dissolvable client for BYOD device connectivity/management has a built-in certificate authentication PKI in a box. Separate provisioning of site certificates on a RADIUS server is not necessary. They are also working to have the same sponsor workflow for certificate creation.

The Aruba BYOD solution uses the TLS termination to get the serial number of the device attempting to connect to the WLAN, and they can use that to check the corporate asset database to ensure the device attempting to connect is a known corporate asset.


Licensing: There is no licensing with Aruba Instant APs, and they're taking steps to address the licensing headaches by grouping features and consolidating commonly requested features into bundles.



Pradeep Iyer gave us a deep dive into the hardware specifics of the Virtual Controller based WLANs. The Aruba Instant AP has a 1.6GHz CPU, 256 NVRAM and 16Mb flash memory. The virtual AP and controller UI does not use Flash; the UI is all written in HTML5. It was built to render on iPads, and there are no scrollbars. The throughput to/from the end user device is shown in a live update display. The UI supports 10-12 languages; Arabic and Chinese were used as examples of the most difficult languages to support smoothly in the UI. The default language of the UI is based on the default language of the laptop that's being used to connect to the UI, and the UI time is local time. This allows you to debug at local time rather than the timestamp on the debug. All event messages are maintained in UTC, and the display is adjusted according to the client device using the UI.

Pradeep then gave us information on the latest changes in ARM 2.0. Aruba's implementation of BandSteering is for laptops that are built to connect to the strongest signal. The 2.4GHz band will typically be the strongest signal for client devices due to 2.4GHz signal propagation. BandSteering must identify the 5GHz capabilities of the client device, and fingerprint these possibilities to steer the client to the 5GHz band based on information in probes. Aruba had to change the ARM algorithm when the iPad came into the enterprise. Fair access to the RF is given to all connected clients, and each gets the same amount of spectrum time. Pradeep states "If you control downlink, you get control of uplink at the same time".

Pradeep described the spectrum analysis capabilities of the Aruba AP-13x models: the AP can get raw FFT data to do spectrum analysis, but it is a manual switch over to Spectrum Analyzer mode. The APs are not capturing raw FFT all the time. Like the Meraki, HP and Ruckus APs, the Aruba APs use merchant silicon. The Aruba APs use an Atheros chipset.

Spectrum Analysis in Hybrid mode collects RF data on the configured channel as the AP is serving client data. The detected presence of a wireless preamble indicates the detection of a WiFi packet. Aruba's CCA uses two algorithms, energy detect and carrier sense.

The Aruba virtual controller IP is a static IP that is assigned to the network. When an AP is made a virtual controller, the AP assumes the identity of that IP address. The APs must be on the native VLAN for the upstream switch. The Virtual Controller AP algorithm is an L2 broadcast, and thus the management IP addresses need to be on the same L2 network. This deployment method works for a small store, but can be extended by adding a controller. The APs talk to one another in a proprietary protocol, not CAPWAP. Content filtering is done through a split DNS model. The APs learn the domain name from the DHCP request/return of the domain information. The APs can identify the internal vs. external DNS requests after that information is obtained. The Virtual AP automatically detects the DHCP scopes in use and creates a non-conflicting scope. The Virtual Controller is a DHCP server and all other APs are DHCP proxies. The Virtual Controller also becomes your NAT anchor.

The over-the-air provisioning process starts with the AP booting up and advertising provisioning via an open SSID; the firewall only allows connections to the Virtual Controller. The Virtual Controller is doing the function of the DHCP server. All the APs spoof a domain name and point to the Virtual Controller for further configuration. Any new AP that boots up looks for a mesh network and can use its provisioning PSK to get the configuration from the Virtual Controller.

Aruba also has an extensive collection of videos about their technology on their YouTube channel. Their uploads cover everything from their BYOD solution to videos counting down to the Aruba Airheads event March 21st - 23rd 2012 in Las Vegas.


Aruba was a sponsor of Wireless Field Day 2. As such, they were responsible for covering a portion of my travel and lodging expenses while attending Wireless Field Day 2. They did not ask for, nor were they promised, any kind of consideration in the writing of this review/analysis. The opinions and analysis provided within are my own and any errors or omissions are mine and mine alone. I was provided with an Aruba Instant AP-135 and an Aruba RAP-2WG access point and a one year license to have the AP managed by the Aruba Virtual Controller. I have not had the opportunity yet to connect this AP and do testing with it, but I will be doing so soon.

Meraki at Wireless Field Day 2

Wireless Field Day 2 - Meraki
Meraki presented their wireless solution managed by Cloud Controllers hosted at Meraki's HQ at Wireless Field Day 2.

Meraki APs are a good solution for a distributed enterprise where there are many remote locations without IT staff. The APs "call home" to the Cloud Controller hosted at Meraki. End users can opt in to allowing Meraki to aggregate data usage information on the wireless traffic passing through the Meraki wireless infrastructure. Event reporting is done through monthly automated summaries, but no alerting on real time traffic issues is currently possible. Meraki can do firewall and traffic shaping rules as well as PCP and DSCP tagging on wireless traffic. I thought their data reporting on the wireless traffic was very well done. The user interface was very intuitive, the display of information was very clean, and searches returned data very quickly. This was probably due to the fact that we were local to the database, but I'll be able to test this once I connect up the MR16 AP they sent home with me. The data aggregation reminds me a lot of NetFlow data or MRTG taken up many notches.


All of the data reporting and management features are one product set; there are no additional add-ons that require additional fees or licensing.

The Meraki wireless infrastructure integrates with the Ekahau RFID solution for dedicated RTLS implementations. All Meraki 802.11n APs have the same feature set; there is nothing added or removed by additional licensing or hardware.


Upgrading code on the access points can be scheduled, and there is no master AP image holder at a remote site. Software images are rather small (3-4Mb) and each AP gets its own AP image. The APs keep running while the image is downloading, and rebooting of the AP to apply the new image can be scheduled.


Meraki is working with TelMex to implement HotSpot 2.0 and offload cellular data to wireless networks. Meraki supports Layer 2 roaming, but doesn't currently have many customers that require L3 roaming, and as a result they don't support it just yet. If a condition arises at a customer site, they would be able to provide a Layer 3 roaming solution.

Meraki uses proprietary technology to establish the VPN connectivity between the AP and the Meraki Cloud Controller; it isn't a standard version of OSPF. The VPN connection is done by doing UDP hole punching and running IPsec on top of that to establish the end-to-end management tunnel. The Meraki solution can integrate with standards-based IPsec devices as well. It is not necessary to configure IKE and IPsec policies; the Meraki solution handles all of that configuration with no end user intervention.

Meraki also has an extensive collection of informational videos on their YouTube channel describing their wireless design and cloud management capabilities, should you have questions that are not answered during their Wireless Field Day presentations.

Meraki was a sponsor of Wireless Field Day 2. As such, they were responsible for covering a portion of my travel and lodging expenses while attending Wireless Field Day 2. They did not ask for, nor were they promised, any kind of consideration in the writing of this review/analysis. The opinions and analysis provided within are my own and any errors or omissions are mine and mine alone. I was provided with a Meraki MR16 model access point and a one year license to have the AP managed by the Meraki cloud. I have not had the opportunity yet to connect this AP and do testing with it.

Ekahau at Wireless Field Day 2


Wireless Field Day 2 - Ekahau
Ekahau was the third presenter at Wireless Field Day 2.

Ekahau's site survey software was born out of the RTLS calibration required in order to do site surveys back in 2001-2002. The point of their survey software is to continue monitoring from the client perspective at the client level.

Ekahau Site Survey Pro (includes Planner and Troubleshooting) is an indoor-focused site survey tool, designed in 3D for coverage and capacity. The list of access point models that can be used for site survey simulations is updated monthly. If there is a new access point not in the list, Ekahau will define the RF profile for the access point.



The requirements of the RF coverage can be customized in planning mode. They recommend not using large AutoCAD files and performing visualizations of large AP deployments in planner mode. You may experience application errors if the planner files are too large.

Blue screens do not happen as often in recent software releases since they've resolved quite a few of the previous wireless driver issues. They have full support for 64-bit operating systems, and you save as you go vs. having to save different paths within the application and merging them later.

Alignment points are set from floor to floor to align the floor plans as they change as the building gets higher. The numbering needs to match from floor to floor: #1 needs to be #1 on every floor. Where the floor changes, you would use #4, #5 and #6 for the other smaller floors that matched. You can create a custom floor property by editing a conf file in Survey Pro.

You can use the planning mode to do planning for high density user locations where the users gather. Capacity profiles can be defined for client devices (laptops etc.) to a granular degree. It is possible to break up the predictive number of users per floor in a building of an overall capacity planning model.

Survey Pro works on Macs in Boot Camp (preferred) and Fusion, and native wireless drivers will pass through in a VM on a Mac. Freezing access points makes a virtual MAC address for the AP and fixes its location on the map, and everything is always merged when you collect site survey data.

If you're using the application to do 3D visualizations you need the alignment points. They have plans to use defined walls within AutoCAD. The properties of a given AutoCAD line are a given wall type and dB loss.




You can tweak the pause time between channels for the "wait time on channel" selection, and you can set the host to ping a wireless client/server etc. You don't have to click to collect data; they have a constant data collection method as a background process.

The Ekahau Mobile Survey application is available for Android devices. You can use auto detect of your own network to define rogue APs vs. infrastructure APs. Background monitoring can turn the phone/tablet into a WiFi sensor, and the application retails at $399. The Android OS must be Froyo 2.2 or better. There is no current ability to do AP-on-a-stick site surveys, since you can't freeze the APs and have them separate if they're the same AP (MAC address). Active survey (AP-on-a-stick) may be in version 2. This release could be in a couple of months, or nearer the end of the year.

Ekahau was a sponsor of Wireless Field Day 2. I received copies of their Survey Pro application for Windows and Android, and as a sponsor, they were responsible for covering a portion of my travel and lodging expenses while attending Wireless Field Day 2. They did not ask for, nor were they promised, any kind of consideration in the writing of this review/analysis. The opinions and analysis provided within are my own and any errors or omissions are mine and mine alone.

MetaGeek at Wireless Field Day 2 - Eye P.A.



MetaGeek was a return presenter at Wireless Field Day 2, and presented us with their new application Eye P.A. Eye P.A. is a completely new way of visualizing data captured in a WinPcap file.


Trent Cutler of MetaGeek demonstrates Wi-Spy at WFD2 from Stephen Foskett on Vimeo.

Some of the intuitive visualizations in Eye P.A are:

Flashlight on hover - highlights the data type you've pinpointed with your pointer
Tool tips - helper information on menu choices
Colors used to represent different types of data:
Blues - data
Purples - management
Orange - control and subframe types
Light blue - QoS data
Dark blue - data without QoS

The table data to the right of the circular visualizations shows data on the information that is selected. You can sort by bytes, retry rates, etc. The flashlight feature will also show total amounts of bytes, and the pie is the total amount of time that it took to send the packets. This method of visualizing wireless capture data was accurately described as "The Eye P.A. is legacy hardware's worst nightmare."



Some changes to their Wi-Spy application: They've added a session manager to record the data in the background and handle session transitions better between hardware sessions. You can now view recorded data while you're capturing data, and capture simultaneously on 2.4 and 5GHz with two Wi-Spy devices.

Their device finder patch antenna has no sidelobes; it was designed to aid in finding sources of interference and high RF utilization devices.

If you haven't already checked out MetaGeek's YouTube channel, I highly recommend you do so. They've shared a huge amount of great information on their entire product line, and it is well worth you spending some time to get familiar with their offerings.

As a part of the Wireless Field Day 2 events, Metageek provided me with copies of all of their latest software offerings. I've used Eye P.A. to get a better view into what sort of data is traversing a given wireless infrastructure. I've found it quite helpful in understanding who the top talkers are, and what kind of data they're sending.

MetaGeek was a sponsor of Wireless Field Day 2. As such, they were responsible for covering a portion of my travel and lodging expenses while attending Wireless Field Day 2. They did not ask for, nor were they promised, any kind of consideration in the writing of this review/analysis. The opinions and analysis provided within are my own and any errors or omissions are mine and mine alone.

Thursday, March 8, 2012

The Sony NEX-7 has finally arrived

After months and months of delays due to the horrible flooding in Thailand, Sony has started shipping the NEX-7 orders that were placed through the Sony website. My order arrived via FedEx this morning, a few hours after Stephen Foskett received his NEX-7.

Of course, I haven't read the manual (although I probably should; there are a billion new features I need to learn about), so the first pictures I took were with the stock lens, and everything set to auto, with the exception of the color setting set to Vivid.

I swung by the office to pick up the Cisco 3600 series AP that had been delivered (beta testing new Cisco features), and on the way back I stopped at the 360 boat ramp to take some test photos. It was very overcast, not the best day to be taking photos. Out of all the big differences between the NEX-5 and the NEX-7, I have to say that I love the view finder. The green grass I saw through the viewfinder looked a lot different than the green grass in the final pictures. The grass through the viewfinder was cartoonish electric green, and that's not what was in the photos. I'll have to read up more on what I should expect to see through the digital viewfinder before I use that for composing a shot with ISO/f stops.

The picture files are huge, obviously. They've ranged from 5 - 11Mb per picture, and storing upcoming digital photos is something I'm going to have to start dealing with sooner than I'd imagined.

When I got home, I adjusted the ISO and aperture on the tree in the front yard to see what the image would look like when it was overexposed. The tree images still have a lot of detail (IMO) considering how far I've pushed the exposure with the aperture almost wide open (5.6). Indoors I still had the aperture wide open (4.5) to pick up as much detail as possible from the ambient room light.

Clarity? Well, in the self portrait I took by the 360 bridge, I can tell I have an eyelash in my right eye. Mind you, I couldn't feel it, but the NEX-7 captured it in the photo. The indoor self portrait in the bathroom mirror was less detailed at full resolution, probably because I'd adjusted the exposure a bit by then, and maybe due to the camera trying to focus on the mirror itself, rather than my reflection.



Friday, March 2, 2012

How to get the Cisco MSE virtual machine up and running on an ESXi 5.x server

It took me a bit of time to get the new Cisco MSE VM up and running on my ESXi 5.0 box. I used the vSphere client from an XP64 VM to deploy the OVF template according to the video instructions posted by Cisco on YouTube.


But when the VM import was completed, I couldn't start the VM because the MSE OVA file is configured with 8 vCPUs. The error I received when trying to start up the MSE VM indicated that I needed to run the command esxcfg-advcfg -s 1 /Cpu/AllowWideVsmp at the CLI of the ESXi server.

I had to do some searching to figure out how to get to the CLI of the ESXi box. The solution I found was written up ages ago by Rick Vanover.

I also found out the hard way that you can't have two vSphere clients managing the same ESXi box. If you find yourself facing the error message Call "PropertyCollector.RetrieveContents" for object "ha-property-collector" on "[IP ADDRESS] ESXi failed., that's what's going on there.

Of course, I also forgot what the default username/password combination is for an MSE VM. For the record, the default user ID is root and the default password is password.