What’s new in WLC 7.6.110 – 8.0.100

A while back I wrote an article that covered the changes from WLC 7.1 – 7.6.100. Let’s catch up to 8.0, shall we?

7.6.110

  • Bugfix release.
  • Fix for issues with WMM with Broadcom clients (no 802.11n for you)
  • Fix for an issue with the AP3700 and replay counters which apparently causes major performance problems on 5GHz.

7.6.120

  • Adds support for 2700 series and 700W series APs.
  • Adds “Cisco WLAN Express Setup” for 2500 series controllers. The notes say: “It includes easy to use GUI Configuration Wizard, an intuitive monitoring dashboard and several Cisco Wireless LAN best practices enabled by default.” Sounds nifty. I need to get a 2504 for my lab… If you are upgrading a 2500 to this release, there’s a decent chunk of steps involved to enable this feature. More info about the feature and the steps here: Cisco WLAN Express Setup for Cisco 2500 Series Wireless Controller.
  • Of course, lots of bugfixes.
  • Several crashes fixed.
  • Obligatory security fixes.
  • False DFS positives fixed.
  • If you really want to see if your favorite bug is fixed, check here: 7.6.120 Resolved Caveats

7.6.130

  • Bugfix release with an even longer list of resolved caveats (7.6.130 Resolved Caveats).
  • More crash fixes and obligatory security fixes. The ones that jumped out at me are below.
  • 99% CPU usage fix.
  • Apple auth problems fixed.
  • Fix for CAPWAP disassociation due to DTLS errors
  • Vocera broadcast failure fix
  • RAID volumes get proper status codes
  • vWLC Service Port issue with distributed vSwitch fixed
  • Annoying MFP anomaly messages fixed (but I’m still seeing them)

Now the really interesting stuff. Major releases are always fun, at least once the first round or two of bug fixes come in. Let’s see what’s shiny, shall we?

[Note: I've since found this Cisco Wireless Release 8.0 document, which has a nice summary of the features.]

8.0.100

  • Cisco Aironet AP and Scale Features
    • Keep-alives now sent over both control and data CAPWAP tunnels.
    • New Flex+Bridge mode enables FlexConnect functionality across mesh APs. This means if the wired link goes down, your AP can fail over to mesh backhaul. (Not supported on 1130 and 1240. No surprise.)
    • Mesh fast convergence. Automatically sets faster convergence timers. Convergence time per hop down to 20s.
    • AP700W gets VLAN tagging
    • FlexConnect APs can be a PPPoE client. Was in 7.3/7.4, but not 7.5/7.6. Now it’s back. And it’s angry…
    • Dynamic Channel Assignment (DCA) on RF Profiles. Enables multi-country support using AP groups and simplifies mixed channel environments (40MHz/80MHz mix). Sounds like this could be useful for those of us with a mixed .11n and .11ac environment, which will probably be just about everybody soon… See Configuring RF Profiles for more information. (Not supported for mesh/bridge APs.)
    • Rx-SOP: Receiver Start of Packet threshold. #shiny Particularly helpful in high density environments. This helps reduce CCI by controlling what frames the AP will decode. The No Strings Attached Show has a nice whitepaper about it. Config information is here: Configuring Receiver Start of Packet Detection Threshold.
    • Optimized Roaming. Ooh, more #shiny! This helps with sticky clients by disassociating them based on RSSI and data rate. This will also help prevent clients from associating as they pass by. Config info: Configuring Optimized Roaming.
    • Side note: Good article covering Rx-SOP, Optimized Roaming, and RSSI low at Revolution Wi-Fi: Optimized Roaming, RSSI Low Check, RX-SOP, Oh My!
    • AP1700 support added
    • CleanAir Express for AP1600 and AP1700
    • OEAP gets basic firewall support, split tunneling, VoIP QoS
    • Increased scale of vWLC (now up to 6000 clients)
    • 2500 WLC now supports wired guests
  • Native IPv6 (if you need the exhaustive list see Native IPv6 Support)
    • Finally!
    • SLAAC for the service port
    • Full support for all the services and ways of accessing the WLC that you would expect out of v6 support.
    • DHCPv6 option 52 for controller discovery
    • CAPWAP preferred mode – you can choose v4 or v6 as preferred. v4 is preferred by default
    • List of things not supported, which will take away your initial joy:
      • FlexConnect-local switched, mesh/outdoor, teleworker/OEAP, converged access
      • Services: mDNS, AVC, and TrustSec
      • Bridge mode APs with 64MB of RAM: 600 OEAP, ISR 800/802, 1130, 1240, 1250, 1310, 1410, 1520
      • Internal DHCPv6 server, DHCPv6 proxy, auto-configuration, dynamic interfaces, RA interfaces, OSCP and CA server URL, VLAN pooling
      • NTPv4 (typo?), MLDv2, IPSec v3 and IKEv2, RLDP and CIDS, PMIPv6, mDNS IPv6 clients, and New Mobility
      • IPv6 is not supported for HA Redundancy Interface configuration
      • Auto-RRM, Dynamic Anchoring, DNS RADIUS/TACACS+, core dump
  • Security and RADIUS enhancements
    • SPs can configure new VSAs and tell the WLC how to handle them.
    • WLC can be configured to use the realm value to determine the RADIUS server for a client.
    • WebAuth now works for HTTPS.
    • 802.1X and EAP WLANs now support sending the WLAN ID to the RADIUS server.
    • SHA256 certificate support
  • Ease of Management Features
    • SSID and WLAN profiles can be renamed (Yay! Now you can cleanup the mess!)
    • “ping” can be sourced from a dynamic interface.
    • “show ap summary” now shows the AP’s IP address. Also can search for APs based on IP in the GUI.
    • Bunch of new show system commands. They provide more info about how WLC is running.
    • show run-config startup-commands – Finally, something you can copy and paste into a controller!
    • You can globally enable/disable SSH/telnet for all APs on a controller.
    • Choice of color themes for the GUI (default and red). Helps distinguish between controllers.
    • You can now flash the LEDs on an AP to identify it. About time…
    • “show client detail” now shows AP and WLAN
    • “show ap join stats” corrects output for renamed APs
    • “debug client” now shows the AP connected and RSSI.
    • You can now update the OUI list without upgrading the controller. But it requires a reboot…
    • 802.11v. My understanding is it’s supposed to leverage 802.11k info to control client associations. Not sure if any clients actually support this.
    • 802.11r mixed mode. Yes, bold. No need for a separate SSID for 802.11r and non-11r clients. This is very shiny. And useful.
  • High Availability Enhancements
    • 802.11ac is now supported in HA. I hadn’t realized it wasn’t supported before.
    • Handful of enhancements to HA, including faster sync and more configurability.
    • Internal DHCP now works with client SSO. The database is synced between the active and standby controllers.
  • Better policy control for mDNS
  • AVC
    • NBAR 2 protocol pack updated to 11. Heh.
    • Per app, per client rate limiting. Nice.
    • QoS marking can choose the direction instead of only bidirectional. I wonder what the use case for that is.
  • Q-in-Q support. Outer tag for AP group. Inner tag assigned by AAA.
  • VideoStream now supported for FlexConnect locally switched mode.
  • WPA/TKIP now only configurable from the CLI.

Closing Notes

WLC 8.0 is supported on PI 2.1.1. A number of the new features aren’t supported, though I expect those will be available in PI 2.2. ISE 1.2 is supported. Obviously, MSE 8.0 is supported with it. It’s not clear if an MSE 8.0 upgrade is required, but it is at least implied.

I suspect this will be the last release to support the 1130 and 1240 series.

8.0.100 has a LONG list of resolved caveats (many of which are also resolved in the 7.x code base) and a decent list of open ones. If you are considering 8.0, I recommend going over those carefully: WLC 8.0 Caveats. Personally, I will likely wait for 8.0.110 before going into production with it.

FIN

Pseudo-Random Bits of IT Humor

I have a collection of IT humor that I’ve accumulated over the years. I thought I’d share some of the shorter ones with you. I hope you enjoy them!

From the choice-of-metaphors dept:

“Installing [Exchange 2000] is just about as hard as firing a rocket
launcher into your data center. Just point and click.”
— Chuck Yerkes

From the tip-of-the-iceberg dept:

The purpose of IT is to seamlessly and transparently provide the other
9/10’s of the iceberg for people who need to work with chunks of floating
ice. This would explain why sysadmins are so often equipped with only poles
and kayaks and told to go out and keep the shipping lanes clear.

“Twin turbo diesel pushers of several hundred horsepower each? Why do
you need that? That’s just a little chunk of ice! Now stop web surfing
and go out there and push it out of the way in your kayak. By the
way, since the ice is getting smaller, we’ve cut the pole budget for
this month. Yours is shorter now, but you should be able to get by.”
— Strata Rose Chalup

From the overheard-on-IRC dept:

Is it just me, or does it seem appropriate for Novell to
give out pens with puzzles in them at a trade show?
Only if the pen doesn’t actually work until you solve the
puzzle.

From the things-never-change dept:

“On two occasions, I have been asked [by members of Parliament], ‘Pray,
Mr. Babbage, if you put into the machine wrong figures, will the right
answers come out?’ I am not able to rightly apprehend the kind of confusion
of ideas that could provoke such a question.”
— Charles Babbage

From the funnier-with-context dept:

I went all Charles Babbage on him.

From the packet-pushers dept:

“VTP is an incarnation of the Devil. He came down on the Earth and put
VTP so that engineers could make mistakes and kill their networks.”
— Greg Ferro

From the #yourrouterjokes dept:

From the business-is-good dept:

Honestly, security experts don’t pick on Microsoft because we have some
fundamental dislike for the company. Indeed, Microsoft’s poor products are
one of the reasons we’re in business.
— Bruce Schneier

From the must-be-this-old-to-get dept:

Yup. Dog was crawling around under the desk and pulled on some of the
cableK@J ^T ^$9a NO TERRIER

From the afterburner-style-anti-spam dept:

*** AB is now known as |
< |> Greetings.
< |>
< |> You will doubtless be pleased to know that the account of the
spammer you’re reporting has been been ground into fine metal
shavings, distributed amongst some 27 or so small glass vials, and
launched independently into the heart of the sun.
< |> We apologize for the inconvenience of this spam, and hope that the
rest of your day remains spam-free.
*** | is now known as AB

From the RFC-FTW dept:

“Contrary to Microsoft, Cisco engineers actually read the RFCs and implement them.”
— Ivan Pepelnjak on Microsoft NLB

This Is Not The Flash You Are Looking For

A while back, I was trying to install an IOS-XE update on an ASR1001 and ran into something weird.

asr1001#request platform software package expand file ?
 bootflash: RP-relative file path
 flash: RP-relative file path

OK, sounds good, right? Nothing obviously weird, until you discover that only bootflash: actually works… Let me show why this is really confusing.

asr1001#request platform software package expand file flash:?
flash:.installer
flash:.prst_sync
flash:.rollback_timer
flash:archive
flash:asr1000-rommon.153-1r.S.pkg
flash:asr1001-universalk9.03.09.00.S.153-2.S.bin
flash:asr1001-universalk9.03.11.00.S.154-1.S-std.bin
flash:core
flash:lost+found
flash:pp-adv-asr1k-153-1.S-14-4.0.0.pack
flash:pp-adv-asr1k-154-1.S-17-8.0.0.pack
flash:tracelogs
flash:vman_fdb

asr1001#request platform software package expand file bootflash:?
bootflash:.installer
bootflash:.prst_sync
bootflash:.rollback_timer
bootflash:archive
bootflash:asr1000-rommon.153-1r.S.pkg
bootflash:asr1001-universalk9.03.09.00.S.153-2.S.bin
bootflash:asr1001-universalk9.03.11.00.S.154-1.S-std.bin
bootflash:core
bootflash:lost+found
bootflash:pp-adv-asr1k-153-1.S-14-4.0.0.pack
bootflash:pp-adv-asr1k-154-1.S-17-8.0.0.pack
bootflash:tracelogs
bootflash:vman_fdb

It looks like either one should work, doesn’t it? Let’s see what happens if you choose incorrectly.

asr1001#request platform software package expand file \
     flash:asr1001-universalk9.03.11.00.S.154-1.S-std.bin to flash:test
/usr/binos/conf/provfunc.sh: line 1991: cd: flash: No such file or directory
Verifying parameters
  FAILED: Specified package file flash:asr1001-universalk9.03.11.00.S.154-1.S-std.bin does not exist

This can lead to a bunch of wasted time replacing images, verifying checksums, and scratching your head. Then you finally try bootflash…

asr1001#request platform software package expand \
     file bootflash:asr1001-universalk9.03.11.00.S.154-1.S-std.bin to bootflash:test
Verifying parameters
Validating package type
Copying package files
SUCCESS: Finished expanding all-in-one software package.

Yep. Pretty annoying. Check out the directory listings. (I’m doing the directory listings in this odd way so they fit my WordPress theme better, just in case you were wondering.)

asr1001#dir bootflash:test/?
bootflash:test/asr1001-espbase.03.11.00.S.154-1.S-std.pkg
bootflash:test/asr1001-packages-universalk9.03.11.00.S.154-1.S-std.conf
bootflash:test/asr1001-rpaccess.03.11.00.S.154-1.S-std.pkg
bootflash:test/asr1001-rpbase.03.11.00.S.154-1.S-std.pkg
bootflash:test/asr1001-rpcontrol.03.11.00.S.154-1.S-std.pkg
bootflash:test/asr1001-rpios-universalk9.03.11.00.S.154-1.S-std.pkg
bootflash:test/asr1001-sipbase.03.11.00.S.154-1.S-std.pkg
bootflash:test/asr1001-sipspa.03.11.00.S.154-1.S-std.pkg
bootflash:test/packages.conf

asr1001#dir flash:test/?
flash:test/asr1001-espbase.03.11.00.S.154-1.S-std.pkg
flash:test/asr1001-packages-universalk9.03.11.00.S.154-1.S-std.conf
flash:test/asr1001-rpaccess.03.11.00.S.154-1.S-std.pkg
flash:test/asr1001-rpbase.03.11.00.S.154-1.S-std.pkg
flash:test/asr1001-rpcontrol.03.11.00.S.154-1.S-std.pkg
flash:test/asr1001-rpios-universalk9.03.11.00.S.154-1.S-std.pkg
flash:test/asr1001-sipbase.03.11.00.S.154-1.S-std.pkg
flash:test/asr1001-sipspa.03.11.00.S.154-1.S-std.pkg
flash:test/packages.conf

So, just remember to use bootflash and you’ll save yourself some headache and confusion!

FIN

SolarWinds Thwack Community

August has come and gone, and with it my Thwack Ambassador status. You might be wondering what that means. Perhaps you thought @amyengineer with her sparkly bat was the ambassador of thwack. This is not the thwack you are looking for. This thwack is the SolarWinds Thwack Community. SolarWinds, as you likely already know, is a software company that provides a variety of network and system management/monitoring tools. Their tools are good, easy to use, and reasonably priced. Their marketing is amusing and occasionally inspired (see The Joy of Whiteboarding with Rob Boss). The Thwack Community is an open forum for discussion of network management topics. Forums exist for the SolarWinds tools as well as general discussion. A Thwack Ambassador is given the job of spurring conversation in their assigned topic areas in order to encourage participation in the forums. This is done through weekly blog posts on Thwack, and my assigned area was network management. I’ve included the intro to each week below, but if you want to read more, you’ll have to follow the link to the thwack website. :)

The Discussions

For week one I asked, “What is a well managed network?”

What is network management and what constitutes a well managed network? Is it monitoring devices and links to ensure they are “up?” Is it backing up your device configurations? Is it tracking bandwidth utilization? Network management is all this and more. We often seem to confuse network monitoring with network management, but monitoring is really just the start.

This post generated the most discussion and it was interesting to see the variety of views expressed from different perspectives. One user even created a nice outline of what we decided made up a well managed network.

On week two we discussed “Thinking in terms of availability.”

Network monitoring tracks the state of the network and is primarily looking for faults. At the most basic level, we want to know if devices and interfaces are “up.” This is a simple binary reachability test. Your device is either reachable or not, it’s either “up” or “down.” However, just because a device is reachable does not mean there are no faults in the network. If a circuit is dropping packets, performance may be impacted and can make the circuit unusable even though it is “up.” Time to stop thinking in terms of reachability and start thinking in terms of availability.

The comments to this post were mostly people nodding in agreement, though one reader brought up the idea of acceptability, as well.

During week three I reminded everyone that “Useful alerts help you be proactive.”

You may need to have an alert sent if an interface goes down in the data center, but you almost certainly don’t want an alert if an interface goes down for a user’s desktop. You don’t need (or want) an alert for every event in the network. If you receive alerts for everything, it becomes difficult to find the ones that really matter in the noise. Unnecessary alerts train people to ignore all alerts, since those that represent real issues are (hopefully) few. Remember the story of the boy who cried wolf? Keep your alerts useful.

This post had a nice little discussion talking about ways to make the alerts useful, like including severity in the subject of the alert.

Finally, in week four I asked, “What’s on your network?”

There is a credit card commercial that asks, “What’s in your wallet?” I’m going to ask, “What’s in your network?” Sure, you might be able to tell me what’s in your network right now, but can you still tell me about a device when it’s down? Its model and serial number? The modules or line cards installed? Which interfaces are in use and how much bandwidth they use?

This question focused more on documentation, which received the obligatory head nodding and a little snark. There was also a side thread that brought up the lack of communications between teams (silos).

Closing Thought

I hope you found these discussions of interest, and that maybe they got you thinking a little more or a little differently about something. I can’t help but think of a rant posted by @etherealmind titled, “You Are Not A Precious Snowflake. IT Infrastructure Is The Same Everywhere.”

Vendors keep telling me that every business is different and customers have different needs. We all buy the same products from the same companies, use the same deployment methodologies and best practices, have the same problems and deliver the same results to the business. You aren’t a precious snowflake.

I was looking at the discussions and thinking that we are all talking about the same sets of problems and appreciating the same sets of solutions, yet I’m sure the organizations we all work for are wildly different. I’m sure you’ve noticed this when talking with other IT professionals, too. In reality, our infrastructures are not all that dissimilar. I think that’s actually a good thing, but it is something to ponder…

FIN

#vBrownBag Book Contest (not) Still Going!

The contest is still going until June 30, 2014 over! There hasn’t been a huge number of entries, so your odds are very good. Get your entries in!

Contest Details

I have copies of both the CCNA Routing and Switching 200-120 Official Cert Guide Library and Networking for VMware Administrators to give away. These are courtesy of Cisco Press and VMware Press, so a big thanks goes to them!

Here’s how you can win one:
Send out a tweet with your CCNA R&S question, including the hashtag #vBrownBag and @scottm32768. If your question is too long for Twitter, you can post it as a comment here, then link to it on Twitter. The best questions by the end of the month (June 30 2014 23:59) will win. Myself and others related to the #vBrownBag podcast will make this decision. In the event we cannot reach a decision, we will use the contents of a hermetically sealed envelope kept in a #2 mayonnaise jar on Funk and Wagnall’s back porch. Or maybe just choose winners at random.

FIN

#vBrownBag CCNA R&S Questions & Free Books

Last week was part 1 of the #vBrownBag CCNA Routing & Switching session. For part 2 this week, we will cover topics that commonly confuse people. To that end, if you have questions of your own or have a suggested topic, we would love to hear them so we can cover the topics you want. As long as they are at least somewhat related to CCNA R&S studies…

Free Books!

I have copies of both the CCNA Routing and Switching 200-120 Official Cert Guide Library and Networking for VMware Administrators to give away. These are courtesy of Cisco Press and VMware Press, so a big thanks goes to them!

Here’s how you can win one:
Send out a tweet with your CCNA R&S question, including the hashtag #vBrownBag and @scottm32768. If your question is too long for Twitter, you can post it as a comment here, then link to it on Twitter. The best questions by the end of the month (June 30 2014 23:59) will win. Myself and others related to the #vBrownBag podcast will make this decision. In the event we cannot reach a decision, we will use the contents of a hermetically sealed envelope kept in a #2 mayonnaise jar on Funk and Wagnall’s back porch. Or maybe just choose winners at random.

I will compile these questions and answer them. If you get them to me before the podcast recording, I will try to answer during the podcast.

FIN

#vBrownBag Cisco Certification Series

ProfessionalVMware.com

The #vBrownBag folks over at ProfessionalVMware.com are currently running a Cisco Certification Track. They started last month and have had several episodes covering related topics ranging from the Cisco Learning Network to setting up a virtual lab. Last week they had their first session talking about a specific certification, the CCENT.

The next two weeks for the US episodes (June 4 and June 10) will be Edward Henry (@NetworkN3rd) and myself talking about CCNA R&S prep. That will be followed by the infamous Tom Hollingsworth (@networkingnerd) leaving the #SDNicorn long enough to talk CCNA DC prep. Last on the schedule is Lawrence Kohan (@LawrenceKohan) with a three part series covering prep for the CCNP R&S exams.

It looks like a good lineup, so I hope you can join in live to ask questions on Wednesdays at 7:30 PM Central for the next couple of months!

FIN