Wireless controllers – the discussion continues

There is already a lot said and written about wireless controllers and their architectures. During my recent holiday my thoughts were wandering about this subject. In the beginning we had stand-alone access points, each configured as a unique entity. Choosing the correct channel and power level could be a challenge in dense environments, so everybody was happy when the centralized wireless controllers arrived.

The centralized wireless controllers were the solution for managing channel and power allocation with their built-in ARM (adaptive radio management) functionality. But the centralized management of the entire wireless environment was also a great improvement for the management burden on IT personnel. Key players like Cisco Systems and Aruba Networks adopted this architecture and developed some outstanding wireless controllers. Over time more and more features were added to the controllers, like spectrum analysis, wireless intrusion prevention systems, L3 roaming and advanced reporting. For some features you have to buy a separate license or use dedicated software or hardware, but nonetheless you get an easy-to-manage and flexible wireless design.

Some people started to question this architecture and found some disadvantages, mainly around availability and scalability. The access points are all managed by a centralized wireless controller, but what happens if the controller goes down? How much time does it take to fail over to a backup wireless controller? What license construction do I need when I want to implement a redundant wireless controller architecture? Why do I need to tunnel all traffic from the access points to the wireless controller before the data of wireless clients reaches the wired infrastructure? Isn't this a disadvantage for latency, delay and jitter? What is the impact on the controller of tunneling all traffic, and how can I scale the controller for the future? These are all valid questions, and some vendors decided to develop another wireless architecture.

Maybe the most well-known is AeroHive with their controller-less wireless architecture. The wireless controller functionality is integrated in the access points, but the management is still centralized. Every access point operates as an autonomous entity, but all access points communicate with each other to form a hive (in AeroHive terminology). All configuration and monitoring is done through a centralized management platform. The impact of access points losing their connection with the management platform is minimal: the access points stay online and operational for wireless purposes. This means that the wireless environment doesn't depend on one or more wireless controllers.

But is this the most ideal situation? Not in my opinion. A few weeks ago a customer couldn't access the manager for a couple of days. No problem, because the wireless infrastructure kept working like a charm. However, the customer wasn't able to do any kind of management and monitoring. He couldn't see what was happening on his wireless LAN and he couldn't add additional guest users to the AP user database. The question at that moment was: "Do we keep using the wireless infrastructure without any kind of monitoring and management, with all the associated risks, or do we physically shut down the wireless network by disabling PoE on the switch ports?"

There are some more "disadvantages" of a controller-less architecture. VLAN extension (to a remote location) is difficult. It can be accomplished by configuring GRE tunneling between the remote APs and the HQ APs: the remote AP is the source of the GRE tunnel and the HQ AP is the destination, and through the tunnel you can extend the corporate VLAN to the remote location. Another topic is RADIUS authentication. In a controller-less architecture every AP acts as a RADIUS client, and that has an impact on your RADIUS server: every AP needs its own client entry and shared secret on the server, and a Windows Server Standard edition NPS, for example, has a limit of 50 RADIUS clients. Beyond that you have to use the Enterprise or Datacenter edition. You can also configure RADIUS proxying in the wireless environment, so that all RADIUS requests from the APs are forwarded to a couple of designated APs that act as RADIUS proxies; only those proxies then need to be known to the RADIUS server. You should also keep in mind that all traffic is placed directly on the wired network at the access point. If you are using different VLANs, don't forget to tag those VLANs on the uplink connections to the access points; otherwise the switch drops the tagged frames and clients on those VLANs get no connectivity.

I was talking about disadvantages. These topics aren't real disadvantages, but rather design issues. The point I am trying to make is that even a controller-less architecture sometimes works like a controller-based wireless architecture: building GRE tunnels from remote locations to central APs, or using APs as RADIUS proxies, behaves, in my opinion, like a controller-based environment.
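To make the RADIUS part of the design above concrete, here is a small planner, written for this page as an added example (it is not code from the original post or from any wireless vendor). It takes an AP inventory, designates a few proxy APs per site as the only RADIUS clients the NPS server has to know, points every other AP at the proxies of its own site, and generates a distinct shared secret per client. The inventory is constructed, the 50-client limit is the one mentioned above, and `proxies_per_site` is an assumed design parameter (two per site gives each site a redundant proxy pair).

```python
"""RADIUS client planning for a controller-less WLAN.

Added example, not code from the original post or from any vendor.
Every AP that sends requests to NPS directly is one RADIUS client, and the
post notes that a Windows Server Standard edition NPS accepts at most 50.
This planner designates a few proxy APs per site as the only NPS clients,
points every other AP at the proxies of its own site, and generates a
distinct shared secret per NPS client.
"""
import secrets
from collections import defaultdict

NPS_STANDARD_CLIENT_LIMIT = 50  # RADIUS client limit mentioned in the post

# Constructed inventory of (ap_name, site, ip): 3 sites x 30 APs = 90 APs.
SAMPLE_APS = [
    (f"ap-{site}-{i:02d}", site, f"10.{n}.0.{i}")
    for n, site in enumerate(["hq", "branch1", "branch2"], start=1)
    for i in range(1, 31)
]


def group_by_site(aps):
    """Return {site: [(name, ip), ...]}, preserving inventory order."""
    by_site = defaultdict(list)
    for name, site, ip in aps:
        by_site[site].append((name, ip))
    return by_site


def plan_radius(aps, proxies_per_site=2, limit=NPS_STANDARD_CLIENT_LIMIT):
    """Return (nps_clients, forwarding).

    nps_clients: {proxy_ap: {"ip": ..., "secret": ...}} - the only client
                 entries that need to exist on the NPS server.
    forwarding:  {ap: [proxy_ap, ...]} - where every other AP sends RADIUS.
    Raises ValueError when the plan would still exceed the client limit.
    proxies_per_site is an assumed design parameter (two gives redundancy).
    """
    nps_clients, forwarding = {}, {}
    for site, members in group_by_site(aps).items():
        proxies = members[:proxies_per_site]
        for name, ip in proxies:
            # One secret per RADIUS client: a leaked proxy secret then only
            # lets an attacker impersonate that single client.
            nps_clients[name] = {"ip": ip, "secret": secrets.token_urlsafe(24)}
        proxy_names = [name for name, _ in proxies]
        for name, _ in members[proxies_per_site:]:
            forwarding[name] = proxy_names
    if len(nps_clients) > limit:
        raise ValueError(
            f"{len(nps_clients)} RADIUS clients exceed the limit of {limit}; "
            "reduce proxies_per_site or use an edition without the limit"
        )
    return nps_clients, forwarding


def direct_clients_needed(aps):
    """RADIUS clients NPS must hold when every AP talks to it directly."""
    return len(aps)


if __name__ == "__main__":
    print("without proxies:", direct_clients_needed(SAMPLE_APS), "RADIUS clients")
    clients, fwd = plan_radius(SAMPLE_APS)
    print("with proxies:", len(clients), "RADIUS clients")
    for ap, proxies in list(fwd.items())[:3]:
        print(f"  {ap} -> {proxies}")
```

With the constructed inventory, 90 direct clients shrink to 6 proxy clients, which fits the Standard edition limit; asking for 20 proxies per site pushes the count to 60 and the planner refuses. The same structure is what makes the design "feel" controller-based: the proxies become a small set of central points the rest of the APs depend on for authentication.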

So the discussion between a controller-based architecture, a controller-less architecture with a separate manager, and a controller-less architecture with a virtual controller will continue, and every vendor will say that its solution is the best. I am very curious about your thoughts on the different wireless architectures.

Please keep in mind that this article is based on my experience and opinion. Also note that I am NOT saying that the solutions of the different vendors aren't good choices for building your wireless network. I am using, and will keep using, the solutions from the vendors mentioned in this article. Every solution has its advantages and disadvantages. Just look at the requirements for your wireless network and choose the most suitable solution.

Cisco WLC – Upgrade FUS image

Today I upgraded the FUS (Field Upgrade Software) image on a Cisco WLC 5500 series controller, because I also upgraded the WLC software to . The FUS upgrade is straightforward and comparable to a regular software update. The only difference is that you need console access to perform the upgrade, because the controller reboots several times and asks for confirmation on the console. The FUS image upgrades the following components:

  • Field Recovery Image is upgraded to runtime image version
  • Bootloader is upgraded to 1.0.16
  • Offline Field Diagnostics is upgraded to 0.9.28
  • FPGA Revision version is upgraded to 1.7
  • Environment Controller (MCU) Image version is upgraded to 1.8
  • USB Console Revision version is upgraded to 2.2

During the upgrade process you have to confirm each step to proceed with the upgrade, as shown below:

Checking for Field recovery image upgrade

Field Recovery Image upgrade …

        Upgrade Field Recovery Image from version to

        Are you sure you want to proceed (y/N) ? y
        * Please make sure POWER SUPPLY is always ON during this period. *
        ******************************************************************

Erasing Flash (estimated 49 seconds) …

Writing to flash (estimated 716 seconds) …

This prompt appears several times and the controller reboots several times during the upgrade. The complete FUS image upgrade took about 20 minutes. Do not interrupt power while the flash is being erased or written; that is what the banner warns about.
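After the last reboot it is worth checking that the components listed above actually ended up at the FUS versions. The following Python script is an added example for this page, not something from the original post or from Cisco: it parses the text of `show sysinfo` from the controller and compares the firmware component versions with the ones the FUS image installs. The line format (`Bootloader Version....... 1.0.16`, `Firmware Version....... FPGA 1.7, Env 1.8, USB console 2.2`) is assumed from a 5508 controller and the sample output is constructed; the field recovery image version is release-specific and the offline field diagnostics version is assumed to be visible only in the boot log, so neither is checked here.

```python
"""Post-FUS-upgrade check for a Cisco 5500 series WLC.

Added example, not from the original post. Parses the text of
`show sysinfo` (line format assumed from a 5508 controller) and compares
the firmware component versions against the ones the FUS image installs.
"""
import re

# Versions the FUS image described in the post installs. The field recovery
# image follows the runtime release and is therefore not checked here.
EXPECTED = {
    "Bootloader": "1.0.16",
    "FPGA": "1.7",
    "Env": "1.8",          # environment controller (MCU)
    "USB console": "2.2",
}

# Constructed sample of the relevant `show sysinfo` lines; real output has
# many more lines, which the parser simply ignores.
SAMPLE_SYSINFO = """\
Product Name..................................... Cisco Controller
Bootloader Version............................... 1.0.16
Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
Build Type....................................... DATA + WPS
"""

# "Key........ value" lines: the key ends where the run of dots begins.
_LINE = re.compile(r"^(?P<key>[A-Za-z ]+?)\.{2,}\s*(?P<value>.+?)\s*$")


def parse_sysinfo(text):
    """Return {field: value} for every dotted 'Key..... value' line."""
    fields = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value")
    return fields


def component_versions(fields):
    """Extract the FUS-managed component versions from parsed sysinfo."""
    versions = {}
    if "Bootloader Version" in fields:
        versions["Bootloader"] = fields["Bootloader Version"]
    # "Firmware Version" packs several components into one line:
    # "FPGA 1.7, Env 1.8, USB console 2.2" -> split on commas, version last.
    for part in fields.get("Firmware Version", "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, ver = part.rpartition(" ")
        versions[name] = ver
    return versions


def check_fus(text, expected=EXPECTED):
    """Return {component: (expected, actual, ok)}; a missing component is not ok."""
    actual = component_versions(parse_sysinfo(text))
    return {
        name: (want, actual.get(name), actual.get(name) == want)
        for name, want in expected.items()
    }


def fus_ok(text, expected=EXPECTED):
    """True only when every expected component reports the FUS version."""
    return all(ok for _, _, ok in check_fus(text, expected).values())


if __name__ == "__main__":
    for name, (want, got, ok) in check_fus(SAMPLE_SYSINFO).items():
        print(f"{'OK ' if ok else 'BAD'} {name}: expected {want}, found {got}")
```

Paste the real `show sysinfo` output into `check_fus` in place of the sample; a component that still reports the old version, or that is missing from the output altogether, is flagged, which is what you want to see before putting the controller back into production.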

Internet in Argentina

I don't know if people from Argentina read my blog, but if they do I would like to thank them for the wireless coverage throughout the country. I have been traveling through Argentina for some time and have slept in multiple hotels and hostels. Every single hotel and hostel offers some kind of internet connection. Mostly I have the option to use my iPhone and my iBook without extra fees.

Many (public) places broadcast a wireless network, even in places where you wouldn't expect one, like a bakery. Or take the little town of El Chaltén: it doesn't have an ATM and you cannot use your credit card, but there is a wireless internet connection via a satellite uplink. Some wireless networks are open and some have a captive portal to log in. However, most wireless networks are protected with a WPA(2) key. I only need to ask for the key and they write it down for me straight away.

Security is something the Argentineans are less familiar with. I guess it's a hobby, but every time I join a wireless network I try to access the router / default gateway. When trying to access the router, in most cases you get some kind of login page or basic authentication popup. These pages mostly tell me what kind of router is used. A quick search on the internet for default passwords already gave me access to three routers. Not so clever to use default passwords!!!

Internet speeds are also decent. You cannot compare them to the speeds in the Netherlands, but I made some SIP phone calls without any problems. Internet access makes the holiday a lot easier, because I have to book multiple hostels and hotels along the way, and I can upload my pictures from the camera to the iBook and from there to my NAS at home.

You Argentineans are doing a great job. I hope your friends in Chile are like you, because that is the next stop in a couple of days.