Archive | AP RSS for this section

Downgrading LWAPP to Autonomous with WLC

In a previous article I was telling about restoring the LWAPP to autonomous, but it’s also possible if you got access to the WLC.

(Cisco Controller) >config ap tftp-downgrade c1250-k9w7-tar.124-21a.JA1.tar L1252-1
And you won’t see anything at the WLC, but you can see at the AP :

examining image…
Loading c1250-k9w7-tar.124-21a.JA1.tar from (via GigabitEthernet0): !
extracting info (287 bytes)
Image info:
Version Suffix: k9w7-.124-21a.JA1
Image Name: c1250-k9w7-mx.124-21a.JA1
Version Directory: c1250-k9w7-mx.124-21a.JA1
Ios Image Size: 5693952
Total Image Size: 6431232
Image Feature: WIRELESS LAN
Image Family: C1250
Wireless Switch Management Version:
Extracting files…

WGB settings

Jerome got a nice blog about WGB :

To summarize :

Root ap :

dot11 ssid hereIam

int do1
station-role root
infrastructure-client (Reliable multicast)

dot11 ssid hereIam
infrastructure-ssid (Works without)

int do 1
statioin-role workgroup
infrastructure-client (Reliable multicast)


How to see if an AP is at which state of HREAP ?
That’s possible from the CLI of the LWAPP AP.

You can do :

L1240-4#sh lwapp reap status
AP Mode: REAP, Connected
Radar detected on:

L1240-4#sh lw reap status
AP Mode: REAP, Standalone
Radar detected on:

To see the “config” of the LWAPP AP :
show derived-config

When the AP is in standalone mode you can do :
L1240-4#sh lw reap association
Address : 0021.a00e.6426 Name : SEP0021A00E6426
IP Address : Interface : Dot11Radio 1
Device : CP-7921 Software Version : NONE
CCX Version : 4 Client MFP : Off

When the AP is switching between modes you’ll see :

%LWAPP-5-CHANGED: LWAPP changed state to JOIN
%WIDS-6-DISABLED: IDS Signature is removed and disabled.

Radius accounting is not working when the AP is at HREAP Mode.


When I was testing at an autonomous AP, I had the following :

*Mar 1 01:27:49.972: %DOT11-6-ASSOC: Interface Dot11Radio0, Station SEP0021A00E6426 0021.a00e.6426 Associated KEY_MGMT[WPAv2-CP]


*Mar 1 01:22:17.515: %DOT11-6-ASSOC: Interface Dot11Radio0, Station SEP0021A00E6426 0021.a00e.6426 Associated KEY_MGMT[WPAv2]

WPAv2-CP = Cached PMK

Autonomous : Power local ofdm / cck

It’s possible to have different powerlevels for different kind of data rates.
That’s because there is a command power local at the Autonomous AP.

BR1(config-if)#power local ?
cck Set local power for CCK rates
ofdm Set local power for OFDM rates

cck = 802.11b
ofdm = 802.11g for datarates 6,12,18,24,36,48,54
Datarates 5.5 and 11 uses cck.
Datarates 1 and 2 uses DBPSK/DQPSK+DSS.

MAC Access list on Autonomous AP.

Sometimes you want to have an AP working as a bridge and you don’t want every other AP connected to this bridge. Only a specific one.

This is possible with a MAC-Access list.

On the Root bridge you configure an access list :
access-list 700 permit 0021.d790.fba0 0000.0000.0000
Accesslist 700 – 799 are for MAC.
The mac is the mac of the non-root bridge who are gonna have access to the root bridge.
To discover the MAC, you’ll do a
AP5#sh contr d0
interface Dot11Radio0
Radio AIR-AP1242GR, Base Address 0021.d790.fba0

To be very, very sure, you can first authenticate the non-root to the root bridge and then at the root bridge :
BR1#sh dot11 ass all
Address : 0021.d790.fba0 Name : AP5

The 0000.0000.0000 is the wildmask of the access-list. In this case the whole MAC should be exactly the same.

Okay… We got an access list.. Now we need to configure the dot11 association to use the access-list :
BR1(config)#dot11 association mac-list 700

And that is it.
If it’s the correct mac, the non-root will still be able to connect to the root.
You can change the mac of the access-list and see if the non-root will make a connection or not…

If the MAC is not the same as the non-root you’ll see :
*Mar 1 00:11:34.842: %DOT11-4-CANT_ASSOC: Interface Dot11Radio0, cannot associate: No Response
at the root bridge.

Here’s a nice link at the Cisco Site :
Access Point ACL Filter Configuration Example

Beacon Period and DTIM

You can customize the beacon period and DTIM on a WLC and AP.

For an autonomous AP you can use :
AP5(config-if)#beacon period ?
20-4000 Kusec (or msec)
AP5(config-if)#beacon dtim-period ?
1-100 dtim count

It said at the documentation of the WLC 4.2 that the beacon period should be between 100ms and 600ms, but when you configure it the values can be :

The DTIM count should be between 1 and 255.
At the WCS you can put the same values like the WLC’s. There is no difference.