Question
Let me know the difference between Flex and local mode?
Answer
Local mode is the default mode of an access point. In this mode, the AP sends all traffic to the controller using the CAPWAP protocol. This is also called central switching. In an enterprise network, local mode is recommended. In FlexConnect (H-REAP) mode, the AP switches data traffic locally and only control traffic is sent to the controller. This is called local switching. Branch offices where a controller is not available locally can use Flex mode.

Question
What is an anchor controller and how does it work?
Answer
The anchor controller is for guest traffic. In this scenario there will be two controllers, named the foreign and the anchor controller. A mobility tunnel will be created between the foreign and the anchor to forward all the guest traffic to the anchor. Once a user is connected to the guest SSID, all his traffic will be sent through the EoIP tunnel to the anchor/guest controller. He gets an IP address from DHCP, as this is L3 web authentication. Then he will be redirected to the web authentication page to provide his user name and password.

Question
Is there any availability of wireless PoE switches?
Answer
Yes. Recently Cisco has come up with the Cisco 3850 switches, which have an integrated WLC, and the CAPWAP tunnels of all access points can be terminated on this switch.

Question
Can you please explain the anchor controller and how it works?
Answer
Under Mobility Management, you will have to create a tunnel by providing the MAC address, IP address and group name (mobility name) of a controller. Then it should be called under the guest SSID to forward all traffic to the anchor controller.

Question
What is the use of monitor mode?
Answer
Monitor mode is for scanning the RF medium for any attacks and rogue access points. Monitor mode APs will dedicatedly scan all channels for any intrusion and report to the MSE (Mobility Services Engine). Users can't connect to these APs.
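As an added example of the kind of decision a monitor-mode AP or wIPS engine makes with the beacons it hears (this is example code written for this page, not code from the original Q&A or from Cisco): the script below compares a scan against an authorised-AP inventory and separates evil twins (someone else's BSSID advertising our SSID) from misconfigured authorised APs and harmless neighbours. The inventory, BSSIDs, SSIDs and RSSI values are constructed for the example, and the -65 dBm "on-site" threshold is an assumption, not a Cisco default.

```python
"""Rogue / evil-twin triage over a scan: the decision a monitor-mode AP or
wIPS engine makes with the beacons it hears. Inventory and scan results are
constructed sample data for this example; the -65 dBm "on-site" threshold is
an assumption, not a Cisco default."""

# Constructed authorised inventory: BSSID -> (SSID, channel)
AUTHORISED = {
    "02:c0:de:00:00:01": ("corp", 36),
    "02:c0:de:00:00:02": ("corp", 44),
    "02:c0:de:00:00:03": ("guest", 1),
}

# Constructed observations from a scanning radio: (bssid, ssid, channel, rssi_dbm)
SCAN = [
    ("02:c0:de:00:00:01", "corp", 36, -51),
    ("02:c0:de:00:00:02", "corp", 40, -60),    # authorised AP, not on its assigned channel
    ("06:11:22:33:44:55", "corp", 6, -38),     # unknown BSSID using our SSID, strong signal
    ("02:c0:de:00:00:03", "guest", 1, -70),
    ("0a:99:88:77:66:55", "CoffeeShop", 11, -80),
    ("0a:99:88:77:66:56", "corp", 11, -88),    # unknown BSSID using our SSID, weak signal
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def classify(bssid, ssid, channel, rssi, inventory=AUTHORISED, strong_dbm=-65):
    """Return (verdict, severity) for one observed BSS.

    Order matters: an authorised BSSID is judged against what it should be
    doing; only an unknown BSSID can be an evil twin."""
    bssid = bssid.lower()
    protected_ssids = {s for s, _ in inventory.values()}
    if bssid in inventory:
        expected_ssid, expected_channel = inventory[bssid]
        if ssid != expected_ssid:
            return ("authorised-bssid-wrong-ssid", "high")
        if channel != expected_channel:
            return ("authorised-bssid-wrong-channel", "medium")
        return ("authorised", "info")
    if ssid in protected_ssids:
        # Someone else's radio is advertising our WLAN name. A strong signal means
        # it is physically on-site (or aimed at us), which is what to locate first.
        return ("evil-twin", "critical" if rssi >= strong_dbm else "high")
    return ("unknown-neighbour", "low")


def triage(scan, inventory=AUTHORISED):
    """Classify every observation; return findings worst first, strongest first."""
    findings = []
    for bssid, ssid, channel, rssi in scan:
        verdict, severity = classify(bssid, ssid, channel, rssi, inventory)
        findings.append({"bssid": bssid.lower(), "ssid": ssid, "channel": channel,
                         "rssi": rssi, "verdict": verdict, "severity": severity})
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], -f["rssi"]))


if __name__ == "__main__":
    for f in triage(SCAN):
        print(f"{f['severity']:<8} {f['verdict']:<32} {f['bssid']} "
              f"ssid={f['ssid']!r} ch={f['channel']} rssi={f['rssi']}")
```

The authorised inventory is what a real wIPS gets from the controller's AP list; the SSID match is the check that matters, because an AP on an unknown BSSID with a neighbouring SSID is usually just another tenant, while an unknown BSSID carrying the corporate SSID is an impersonation attempt whether or not it is strong enough to attract clients yet.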

Question
What is AVC?
Answer
AVC is Application Visibility and Control, which can be enabled on the WLC to have visibility into the applications the clients are using.

Question
If our laptop is connected to the AP and there is no internet connectivity, or sometimes it shows limited connectivity, where is the problem?
Answer
You will need to check whether the user got an IP address first. Also, if NAP (Network Access Protection) is enabled on your network, check whether your laptop is compliant with the policy.

Question
Is there any virtual lab available to set up a lab and practice?
Answer
You can use Cisco Packet Tracer for basic standalone AP configuration. You can also download and install the virtual WLC from Cisco and use the 60-day evaluation license for your practice.

Question
What is the impact of configuring a single SSID to simultaneously support both TKIP and AES encryption?
Answer
You can do that; you won't get an error when you configure it like this on the WLC. But the client supplicant should support it ultimately, right? You cannot configure both TKIP and AES in your laptop supplicant profile at a time. For your information, AES is more secure than TKIP.

Question
What kind of security policies can we configure on a Cisco AP?
Answer
L2 security: WPA, WPA2, 802.1X and WEP keys (WPA2 is the recommended security policy). L3 security: web authentication (for guest authentication).

Question
Most of the time we face this issue: users get disconnected and then reconnect to the AP. Is there any specific best practice to overcome this kind of issue?
Answer
Yes. This could be due to RF interference. When the client sees a better signal than the currently connected one, the laptop will jump and connect to the other AP that provides the best signal. With the help of a proper site survey this issue can be mitigated.

Question
Where does the anchor/guest controller need to be connected in the network?
Answer
The anchor will be in the DMZ zone so that all your client traffic is isolated to the DMZ.

Question
Can you please explain what SSID broadcast means?
Answer
An SSID that is broadcast will be visible to whoever turns on the Wi-Fi adapter on their laptop. They can just try to connect to it. As per best practice, we must disable the broadcast of the SSID and create a manual SSID profile on the laptop. For example, our staywifi SSID: it is not broadcast, and a manual profile is created on each laptop.

Question
What are the basic criteria to conduct an effective site survey? Many times, switching between one AP and another causes a lot of problems like disconnection, low data transfer rate, etc.
Answer
Site survey itself is a big concept and needs a lot of understanding. To be precise, when an organisation plans to go for a wireless solution, the basic thing they need to do is a site survey. Various tools (Aironet, AirMagnet, etc.) are available for doing a survey. When switching from one AP to another AP (also called roaming), proper overlap coverage should be provided to avoid disconnection and reconnection. If all are the same AP model (which supports 802.11a/b/g/n/ac, for example) then the low data rate issue will not occur. These will be taken care of during the survey.

Question
Is it mandatory to connect the anchor controller in the DMZ, or is there any other way to tunnel the guest traffic to the foreign controller so that it does not touch corporate traffic?
Answer
You can also create a separate VLAN for guests and allow only internet access. But using an anchor controller is the Cisco-recommended way of doing it and provides more control over guest user traffic.

Question
For upgrading the LWAPP AP, we now see two types of images on the Cisco site: one is the recovery software and the other is the LWAPP AP image. Which one should I use?
Answer
You should use the recovery image (the image with k9w8) for lightweight access points.

Question
Can we have AP SSO and client SSO on the WLC 2500 controller? I was facing this issue at a customer site. I am running version 7.6.
Answer
AP SSO is possible on all versions before 7.4. Later on, client SSO is possible from version 7.5. 7.6 must support client SSO. If it is not working, we should check whether the hardware model 2500 supports that feature. I will give you more details after this chat.

Question
Explain to me about hidden networks?
Answer
A hidden network is nothing but making the SSID not broadcast itself, so that only those on whose laptop that SSID is manually configured can connect to it. Others can't see it or connect to it.

Question
Can we have different groups of mobility anchors on the same controller, and also can we load balance the mobility anchor traffic?
Answer
Yes, you can create many mobility anchors on the controller depending on the mode. Load balancing is possible by creating different SSIDs and calling different anchors.

Question
What is the main difference between the CAPWAP and LWAPP protocols?
Answer
The main difference is that CAPWAP supports DTLS, which encrypts communication traffic between the AP and the WLC.

Question
If two APs' channel widths are different, what happens?
Answer
If the channel width is 40 MHz on one AP and the other AP is 20 MHz, the client can connect to the 20 MHz AP with a momentary disconnection.

Question
How can we achieve certificate-based authentication for Wi-Fi users?
Answer
Using the EAP-TLS protocol, certificate-based authentication is possible. It is the most trusted wireless security.

Question
What's the difference between the WLC 5508 and the 3850 WLCs? What is converged access?
Answer
We get wire speed when the switch itself takes care of all traffic switching instead of sending it to the controller. The 3850 is a controller-based switch where access points can terminate their CAPWAP connections and switch traffic at wire speed. The WLC 5508 is an appliance that can be installed on your network, and all traffic just goes to that controller.

Question
Is it possible to find out hidden networks? Do hidden networks provide optimal security for my WLAN?
Answer
It is not a very secure mechanism. And yes, it is possible to find out which SSID is hidden using sniffers.
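The answer above (hidden SSIDs are recoverable with a sniffer) and the earlier answer on one SSID supporting both TKIP and AES can both be checked directly from the 802.11 management frames. The following is an added example written for this page, not code from the original Q&A or from Cisco: it builds constructed beacon and probe-response frames in Python and parses the SSID and RSN elements out of them. The BSSID, the SSIDs and the frame contents are made up for the example; the WLAN whose RSN element lists both TKIP and CCMP stands in for the mixed TKIP+AES WLC configuration discussed earlier, and the "hidden" beacon carries a zero-length SSID element, which is one of the two forms (zero-length or NUL-padded) a hidden WLAN sends.

```python
"""Parse constructed 802.11 beacon and probe-response frames the way a sniffer
would, to show (1) a "hidden" SSID is only blanked in beacons and appears in the
probe response, and (2) the RSN element advertises every cipher the WLAN accepts,
so a mixed TKIP+AES WLAN is visible to anyone in range.

Every frame here is constructed sample data, not a capture; the BSSID and SSIDs
are made up for the example."""
import struct

MGMT_HDR_LEN = 24        # frame control(2) duration(2) addr1..addr3(18) seq ctl(2)
FIXED_PARAMS_LEN = 12    # timestamp(8) beacon interval(2) capability(2)
IE_SSID, IE_RSN = 0, 48
RSN_OUI = b"\x00\x0f\xac"
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 8: "SAE"}
SUBTYPES = {0x80: "beacon", 0x50: "probe-response"}   # type/subtype bits of frame control
CIPHER_STRENGTH = ["WEP-40", "WEP-104", "TKIP", "CCMP-128", "GCMP-128"]  # weakest first


def parse_ies(body):
    """Yield (element_id, payload) for each information element in body."""
    off = 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        yield eid, body[off + 2: off + 2 + length]
        off += 2 + length


def _suite(raw, names):
    """Decode one 4-byte suite selector (OUI + type)."""
    if raw[:3] != RSN_OUI:
        return "vendor-specific"
    return names.get(raw[3], f"unknown-{raw[3]}")


def parse_rsn(payload):
    """Decode the RSN element: version, group cipher, pairwise ciphers, AKM suites."""
    version = struct.unpack_from("<H", payload, 0)[0]
    group = _suite(payload[2:6], CIPHER_NAMES)
    n_pair = struct.unpack_from("<H", payload, 6)[0]
    off = 8
    pairwise = [_suite(payload[off + 4 * i:off + 4 * i + 4], CIPHER_NAMES) for i in range(n_pair)]
    off += 4 * n_pair
    n_akm = struct.unpack_from("<H", payload, off)[0]
    off += 2
    akm = [_suite(payload[off + 4 * i:off + 4 * i + 4], AKM_NAMES) for i in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def parse_mgmt_frame(frame):
    """Return type, BSSID, SSID (or hidden flag) and RSN info from a beacon/probe response."""
    kind = SUBTYPES.get(frame[0] & 0xFC, f"subtype-{frame[0] >> 4}")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])        # addr3 = BSSID
    info = {"type": kind, "bssid": bssid, "ssid": None, "hidden": False, "rsn": None}
    for eid, payload in parse_ies(frame[MGMT_HDR_LEN + FIXED_PARAMS_LEN:]):
        if eid == IE_SSID:
            # A hidden WLAN sends a zero-length SSID element, or one padded with NULs
            if len(payload) == 0 or payload.count(0) == len(payload):
                info["hidden"] = True
            else:
                info["ssid"] = payload.decode("utf-8", "replace")
        elif eid == IE_RSN:
            info["rsn"] = parse_rsn(payload)
    return info


def weakest_pairwise(rsn):
    """The weakest pairwise cipher the WLAN will accept: what a TKIP-only client negotiates."""
    return min(rsn["pairwise"],
               key=lambda c: CIPHER_STRENGTH.index(c) if c in CIPHER_STRENGTH else len(CIPHER_STRENGTH))


# --- builders used only to construct the sample frames -------------------------
def build_rsn_ie(pairwise, akm, group=4):
    suites = lambda ids: b"".join(RSN_OUI + bytes([i]) for i in ids)
    return (struct.pack("<H", 1) + RSN_OUI + bytes([group])
            + struct.pack("<H", len(pairwise)) + suites(pairwise)
            + struct.pack("<H", len(akm)) + suites(akm)
            + struct.pack("<H", 0))                       # RSN capabilities


def build_frame(fc0, bssid, ies):
    header = bytes([fc0, 0]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)           # timestamp, interval, ESS+privacy
    return header + fixed + b"".join(bytes([eid, len(p)]) + p for eid, p in ies)


AP_BSSID = bytes.fromhex("02c0de0a0b0c")                  # constructed, locally administered
# "Hidden" WLAN: beacon carries a blank SSID element; the WLAN accepts both TKIP and AES (CCMP)
HIDDEN_BEACON = build_frame(0x80, AP_BSSID, [(IE_SSID, b""), (IE_RSN, build_rsn_ie([2, 4], [1]))])
# The same AP answering a directed probe request: the SSID is sent in the clear
PROBE_RESPONSE = build_frame(0x50, AP_BSSID, [(IE_SSID, b"staywifi"), (IE_RSN, build_rsn_ie([2, 4], [1]))])
# A broadcast WPA2 WLAN that only accepts AES (CCMP) with 802.1X
CORP_BEACON = build_frame(0x80, AP_BSSID, [(IE_SSID, b"corp"), (IE_RSN, build_rsn_ie([4], [1]))])

if __name__ == "__main__":
    for frame in (HIDDEN_BEACON, PROBE_RESPONSE, CORP_BEACON):
        info = parse_mgmt_frame(frame)
        print(info["type"], info["bssid"], "hidden" if info["hidden"] else info["ssid"],
              info["rsn"]["pairwise"], "weakest:", weakest_pairwise(info["rsn"]))
```

Two things fall out of running this. The hidden beacon parses with no SSID but the probe response from the same BSSID names it, and a passive sniffer sees every probe response the AP sends to its legitimate clients, so hiding the SSID costs nothing to an attacker. And the RSN element is broadcast, so a WLAN configured for both TKIP and AES announces to every listener that TKIP is acceptable; the cipher the WLAN is really protected by is the weakest one it accepts, which is why the earlier advice to prefer AES should be read as "AES only".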

Question
In my company we have around 200 users who are connected in a wired environment. How many APs do you suggest for this network to enable mobility access for all the users?
Answer
Again, a site survey needs to be done to finalize the AP count for those users.

Question
What are all the authentication mechanisms currently supported by Cisco access points (APs)?
Answer
Very good question, Vignesh. L2 security: WPA, WPA2, 802.1X and WEP keys (WPA2 is the recommended security policy). L3 security: web authentication (for guest authentication).

Question
I have an access point about 50 feet away from my client. The signal is very weak and there is significant interference in the path (paper storage). What should I do to obtain proper coverage?
Answer
You can try to increase the power of your AP. Try to remove the interference source.