And so the journey begins..


About two months ago, my employer accepted me into the CCIE program that we have set up. I am lucky that I work for a firm that heavily invests in its consultants, and had the wherewithal to establish such a great program for folks serious enough to start down this lengthy, tough road.

Traditionally most of the folks at my VAR going after their CCIE were heading down the Route Switch, Data Center, or Collaboration tracks. The resources available to these tracks are quite rich, with loads of training material (INE, Global Knowledge, and lots of others) and training programs to support their learning efforts.

Of course with my being a wireless geek, I started to look into the CCIE-W course as this was something I really feel I could sink my teeth into…or so I thought!

 Why?

For over the past decade I have always been learning something, whether it was finishing out my BSEE, certifications around product and tools, or other industry related certifications. After finishing up my larger goals, I started looking for my next challenge, and that’s when the CCIE started looking really appealing to me.

The CCIE-W underwent a version change from 3.0 to 3.1 around November 2017. The main change here was they finally got rid of the horrid Converged Access portion of the Lab, as Cisco itself gave up on that product line. The good news is that this made the “new” CCIE v3.1 much more palatable to candidates, as we didn’t have to spend time and money diving into a technology that we would never really see in the wild.

I’ve spent the better part of the last 7 years working for VARs. I took an 18-month break to try different things such as working for Startups, Healthcare, and Global Enterprises – just trying to feel out what was best for me. I ended up coming back to the VAR space as I truly enjoy the work. I love being the trusted adviser to a multitude of customers, in different spaces, all over the globe. The variety of the projects I get to work on, the people I get to work with, and the constant push towards professional development was something that I really enjoyed. A perk of this is the working-from-home aspect that I really do enjoy, as I get to travel enough to break up the monotony of sitting in the house all the time.

Where?

Finding a reputable (and more importantly, company approved) training partner was the next step for me, and this is where the tough part really came into play. While other tracks have tons of resources out there to train and learn from, the wireless track is one of the smaller tracks in this aspect. Finding gobs of people who are also studying down the same track as you are can really make the difference. Being able to join study groups, compare notes, and bounce ideas off of one another has truly been helpful for me in my past studying endeavors. The caveat here is that when you select a certain track, you are limiting yourself to a community of others who are studying down that track as well.

There has been a long running trainer that has been coaching and training the next generation of CCIE-Ws for a while now. Jeff Rensink was the CCIE-W trainer back when IPExpert was around. IPExpert was a great training firm and they went through some internal issues that ended up causing them to shut their doors.

Jeff took this as an opportunity to open up his very own training firm focused exclusively around the CCIE-W, The Network Dojo (www.networkdojo.com). After reviewing the training materials, the community around it, and reviews of formal students, this definitely looked like the community I wanted to be a part of. The kicker for me was that someone as experienced as Jeff was the one that created all the content, the videos, the quizzers, the mock labs, the rack rentals – all of it, it came from THE CCIE-W Training master.

How?

Anyone that has ventured down the CCIE path will tell you, it’s all about the journey. When someone dedicates 12-18 months of their life to running down a cert, it is far more than a cram session and taking a test. This for me was why having the support community of other folks, in the trenches studying right alongside you, was so important to me – and it’s what the Dojo offered. I’m lucky enough to have been tinkering with Cisco WLAN gear for about 8 years now, so a lot of the content isn’t new to me, but there is a ton of content that is brand new to me.

  • Autonomous AP & WGB configurations – I’m having to learn how to configure these things from basically scratch as I don’t have much experience with these configurations
  • ISE & CMX – ISE typically always fell to the security folks to implement. ISE itself is a monster, I view it as a box with 142240 dials and 2x as many knobs, yielding unlimited configuration iterations. The part I like is that as a WLAN guy, we are continually seeing NAC being sold and integrated into environments. ISE isn’t going away and having the knowledge set to configure Certs, all the different EAP methods, and the rule writing around a security minded WLAN – is pivotal.
  • WLC – I thought I had a really good handle on WLCs until I actually started training through the Dojo. There are so many funky little options that I didn’t even know existed – but make complete sense to me now

I have a small home lab of a 2504 WLC, pair of 3560s, a pair of 1242 APs, a 3502, and a 3702. For pretty much everything except the ISE/CMX portion of training, having this meager little lab has been truly helpful for my (re)learning feature sets and commands. I have 300 hours of rack rentals at the Dojo I can use to fill in the gaps, but for a bare-bones lab, this has served me well.

What’s Next?

I’ve spent the past 2.5 months running through a “foundations” course that (re)familiarizes a lot of the equipment, commands, and general weirdness to front of mind. Building out my tiny home lab, and getting into a solid study schedule is one of the more tough items, as life has a tendency to get in the way.  Not having any kids, and being free of other typical life “distractions” means that I have 0 reason to not stick to a regimented study schedule, outside of pure laziness. This blog alone will serve as a reminder to get off my ass, stay the course, and see it through to the end.

I am currently in the “Study for Written” phase of the program. This consists of lots of videos, quizzers, practice troubleshooting and debugging issues. As it stands right now, I expect myself to be prepared and ready to attempt the written exam around March 2018. From there, it’s deep-dive time into the labs, troubleshooting, and mock lab tests to prepare for the beast that is the CCIE Lab.

Resources?

Cisco is releasing an actual (first time ever) CCIE Lab Study guide this month. The community is very excited, as actual reading materials outside of the massive Design Guides are extremely rare. In the past, anyone going after their CCIE-W had to pretty much wing it on their own, studying as best they can from the blueprints and design guides. This is why I am such a fan of proven training resources such as the Dojo. The Dojo has different packages for different budgets, from written-refresher programs all the way through a full-blown platinum bundle that will take you through ALL of the blueprint, content, and training labs to prepare you for success.

Here is the new CCIE v3.x study guide, it will be released in ebook form on 11/22 and runs for $119.99 right now on pre-order. If you use the code “Programming37“, you’ll save an additional 37% off.  I pre-ordered the book yesterday and with that coupon, spent $94.

As we roll into the Holiday season, I want to wish everyone a happy and safe season, and start thinking about what your NEXT professional development goals will be for 2018. I am in ACMA training this week and I will update y’all as soon as THAT adventure is over!

This Wi-Fi Stand(s) Out

Last fall, the Wireless Practice at my VAR was kind enough to purchase me a Wi-Fi Stand & Telescoping pole from the Wi-Fi Stand store. I had been wanting to get one of these bad boys as a ‘Wi-Fi Bracket 2’ had been released and had a rotating mount atop of it. It moves!

 

For a while now, Wi-Fi Stand has been the “go to” for WLAN professionals wanting an easy to pack, lightweight, easy solution for holding APs during AP-On-A-Stick (APoaS) surveys. Finally, Drew Lentz & co. came to address that sore spot for so many of us with this wonderful little bracket.

 

We purchased the Wi-Fi Bracket 2 as well as the Tripod from the online store to ensure compatibility right out of the box. The order arrived in a few days and I was very pleasantly surprised with the size and durability of all the parts involved. Both the bracket itself and the mounting clip exhibit a very sturdy feel to them.

 

And the best part about this setup is that the WiFi Bracket2, as well as the tripod, can both be purchased for <$100. The tripod collapses down to 36″ and extends up to 8ft – it even comes in this handy carrying case as well.

 

When you get the whole rig put together, it truly offers an amazingly sturdy, versatile, easy-to-travel-with option for APoaS surveys – all while at a great price point. (Pictured below with a Cisco AP mounted)


 

For those of us that have been WLAN professionals for a while, we can certainly appreciate an elegant approach to this exact space. Some of the monstrosities that we have seen in the wild truly needed to be addressed, and that’s exactly what Wi-Fi Stand does.


 

Now all the wizardry aside, I think my favorite part of the Wi-Fi Bracket2 is the rotating mount – and it’s because I am kind of a lazy guy. The beautiful part is that once you size the mount to clip onto the clip, you can lock it down and you will never have to change it again. An added bonus to this feature is that, at least for Cisco ceiling mounts, the bracket can’t slide off from within the Wi-Fi Stand.

 

The best part about this rotating mount is that if you want to remove your already-locked-down-AP-mount, simply roll the bracket over and it slides off.


The cool part of this feature I enjoy is that I can pre-size all of my mounting clips, and I can screw them down and not have to worry about them falling apart or losing screws. I love this feature as it makes just one less thing to lose for me on the road.

The only drawback that I can see is that the rotating mount on the bracket lacks the required friction to hold the AP in a vertical orientation – similar to how an AP would hang on a wall.  Maybe in future builds WiFi Stand can incorporate some sort of locking mechanism, or sell it as an add-on?

In any event, I couldn’t be happier with my new APoaS setup, and am truly grateful to my old friend and coworker for addressing such a common WLAN need.

 

Get yours today at: https://www.wifistand.com/

 

Thanks WiFi Stand!

 

SHAtastic “Features”

Over the past two weeks, I have been working on a deployment that “seemed” pretty straight forward.

  • Client has 250 APs in autonomous mode to be converted to Flex Connect
    • The motivation here is due to the APs being deployed across the globe
    • This sounds like a perfect use case for a vWLC
    • APs are a mix of 1142, 1242, & 2702

Sounds pretty cut & dry right? All we have to do is find a code rev that supports all the different AP models, and we should be good to go…

The saga started by deploying the 8.0.152.0 .ova into the environment – easy peasy.

The APs from this decade (2702) joined right up, no problem at all. The REAL fun started when we tried to join the old 1242s to the vWLC. At this point, I was seeing an error from my test AP that read something like this;

“*Nov 11 18:07:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246
*Nov 11 18:07:36.033: Failed to get CF_CERT_ISSUER_NAME_DECODEDPeer certificate verification failed 000B
*Nov 11 18:07:36.038: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Nov 11 18:07:36.038: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*Nov 11 18:07:36.038: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to x.x.x.x:5246
*Nov 11 18:07:36.039: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246
*Nov 11 18:07:36.040: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.”

I couldn’t for the LIFE of me figure this one out. So after 2 hours on the phone with TAC we found out an awesome bug feature. It turns out that for whatever reason, the old APs didn’t like the MIC certificate that came native with the 8.0.152.0 vWLC. The workaround is that we have to deploy an older (8.0.121.0) vWLC model, and then we can upgrade from there. It has something to do with 8.0.121.0 vWLC having a MIC certificate that the old APs actually can play nicely with.

Fine. I’ll just get TAC to publish this older vWLC to me (as I can’t download it on CCO because it’s redacted) and we’ll deploy it in the environment – seems straightforward enough.

So we successfully deployed the 8.0.121.0 vWLC, and now the old 1242 is fussin’ at me with the following;

The AP logger will show messages similar to the following:

*Oct 29 18:01:56.107: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.
The certificate (SN: 7E3446C40000000CBD95) has expired. Validity period starts on 14:38:08 UTC Oct
26 2021 Peer certificate verification failed 001A

*Oct 29 18:01:56.107: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496
Certificate verified failed!
*Oct 29 18:01:56.107: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.10:5246
*Oct 29 18:01:56.107: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.10.10:5246

On the WLC side, you will only see a message like this:

*osapiBsnTimer: Oct 29 11:05:04.571: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer 192.168.202.8

 

Weeeeee! So now I get to reengage TAC and ask them what all this nonsense is about. It turns out that if you deploy a vWLC, it will start the MIC cert validity period to something like 8 hours AFTER the vWLC comes online (Bug ID: CSCuq19142). This means that the NTP time on the vWLC is before the MIC certificate becomes valid. This means that APs won’t be able to join.

So the workaround? For the first day or so the vWLC is online, you outright lie to the vWLC about what the time is. I just changed the “year” field to 2019 – nothing like living in the future! *Note* I had to delete any NTP server configured on the WLC before the manual time change took effect.

 

From here, the AP joined up just fine and behaved normally. I was also able to upgrade to 8.0.151.0 without issue, because I started with a “correct” vWLC version. After 24 hours, I was able to sync the vWLC back to NTP as the MIC validity “start” time was sometime late last night.
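As an added example (not from the original post and not Cisco tooling), the Python below triages AP console output for the two certificate failures described above and, for the validity-window case, reports how long the controller clock still has to run before the MIC becomes valid. The function names, the `kind` labels and the controller clock passed in are assumptions; the sample lines are copied from the logs quoted in this post.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a subset of the AP console lines quoted in this post,
# including the PKI message wrapped across three lines.
SAMPLE_LOG = """\
*Nov 11 18:07:36.033: Failed to get CF_CERT_ISSUER_NAME_DECODEDPeer certificate verification failed 000B
*Nov 11 18:07:36.038: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to x.x.x.x:5246
*Oct 29 18:01:56.107: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.
The certificate (SN: 7E3446C40000000CBD95) has expired. Validity period starts on 14:38:08 UTC Oct
26 2021 Peer certificate verification failed 001A
*Oct 29 18:01:56.107: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.10:5246
"""

PKI_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN: (?P<sn>[0-9A-F]+)\).*?"
    r"Validity period starts on (?P<start>\d\d:\d\d:\d\d UTC \w{3} \d{1,2} \d{4})"
)

def unwrap(text):
    """Rejoin wrapped messages: every new log record starts with '*'."""
    records = []
    for line in text.splitlines():
        if line.startswith("*") or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text, controller_clock):
    """Classify certificate-related join failures in AP console output.

    controller_clock is the time the WLC currently believes it is
    (timezone-aware UTC). It is supplied by the operator because the
    AP log timestamps carry no year.
    """
    findings = []
    for rec in unwrap(text):
        if "CF_CERT_ISSUER_NAME_DECODED" in rec:
            # First failure in the post: the AP cannot process the controller's MIC.
            findings.append({"kind": "issuer-decode-failure"})
            continue
        m = PKI_RE.search(rec)
        if m:
            # Second failure: the message says "expired", but the validity
            # start it prints may still be ahead of the controller clock.
            start = datetime.strptime(
                m["start"], "%H:%M:%S UTC %b %d %Y"
            ).replace(tzinfo=timezone.utc)
            wait = (start - controller_clock).total_seconds()
            findings.append({
                "kind": "not-yet-valid" if wait > 0 else "validity-started",
                "serial": m["sn"],
                "valid_from": start,
                "hours_until_valid": max(wait, 0) / 3600,
            })
    return findings
```

Once `hours_until_valid` reaches 0 for the current real time, the controller can be pointed back at NTP.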

Lots of us will ask “why do these folks have APs from last decade” and the answer is real simple – money. Why would a company go out and replace a ton of equipment that isn’t broken? If one dies, they can just replace it with a new one – all we have to do is ensure the vWLC can support both old AND new equipment. I’ve run into the same exact issue with one of the world’s largest airlines as well – why fix something that ain’t broke?

 

Now that we have everything up and running, I certainly learned a lot from all of this. Most of it doesn’t make a whole lot of sense as to why they happen (i.e., the SHA cert start date being set to some arbitrary value), but at the end of the day – as long as it’s all working – nobody really cares how you got there.

There are many ways to get to 5. Is 4+1 better than 2+3? And more importantly – the client/business owners don’t really care.

 

 

 

How far, is far enough?

Over the Christmas break, I wanted to compensate a few of my Proxim WiFi adapters so that I knew exactly how different they were when measuring RSSI. There are countless write-ups detailing how and why we need to compensate our adapters, and the methodology behind doing so. The one thing that kept jumping out at me was how far do I have to be from the AP in order to reliably compensate WiFi adapters? I read some articles that have said we need to be X distance, and other articles claim Y distance... so which is it? I live in an apartment and as such I don’t have a clear long 30′ hall to measure against. Can I reliably compensate adapters at say, 10′, but more specifically what is the actual distance required to be in the far field?

For starters, why do we need to be a certain distance from the AP to begin with? If an AP is mounted to a 10′ ceiling, is sitting directly under it too close to reliably compensate my adapters?

The answer lies in the math.

In order to properly be at the correct distance, we need to ensure that our receivers are located in what is called the Far Field. The Far Field is where we can predictably and accurately model the RF behavior with tools like CST, and its where the RF has “calmed down and normalized” – this is the zone that clients will live in.

Overall, the Far Field is the region that is far enough away from the antenna, that the behavior can reliably be modeled and calculated. This is the “normal operation zone” for antennas.

Let’s explore the idea of far field so that we may be able to know whether or not we are truly in this “normal operating zone”.

In the world of antennas, there are lots of different types. From Patch Antennas, to Horns, Monopole, Dipole, the list goes on and on. For the scope of this post, I will concentrate around the traditional Half-Wave Dipole Antenna, its far field characteristics, & how to calculate the far field.

What exactly is a Dipole Antenna? This type of antenna configuration has 2 poles (ends) where AC current conducts through each pole 180° out of phase. A Half-Wave dipole is the most common type of Dipole utilized due to the physical space savings when compared to a Monopole. The characteristic radiation pattern yields the main power lobe orthogonal to the radiating element.

 

Having the understanding of the basic radiation pattern, we can now look at the governing math behind a Hertzian Dipole. The Hertzian dipole is a theoretical dipole antenna that consists of an infinitesimally small current source acting in free-space. Although a true Hertzian dipole cannot physically exist, very short dipole antennas can make for a reasonable approximation. The length of this antenna is significantly smaller than the wavelength:

small lambda

A surprising result is that even though the Hertzian dipole is minute, its effective aperture is comparable to antennas many times its size. This allows us to make calculations around characteristics such as the Far Field Conditions.

Field Regions

 

In order for us to know when we are actually in the far field, we have to actually find out where the far field is located.  We need to define the following;

  1. Wavelength λ @ 5.8GHz;
  2. Speed of Light; c = 3E8 m/s
  3. Frequency f = 5.8GHz

lambda

Plugging these variables into the above equation, we find that λ = .0516m, or 5.16cm. Half of this length is the dipole antenna length (as we are utilizing a half-wave dipole antenna), therefore D ≈ 2.58cm.

Far Field eqns

Being that we’re using a half-wave dipole, D = λ/2 = 2.58cm. For most cases, a half-wave dipole is going to have an antenna length between .33λ and 2.5λ. This means that we are finally in the far field region at 2.5λ. For a 5.8GHz signal, 2.5λ = 12.9 cm. Thus, when we are right about 6in away from the AP, we are barely in the far field and will start to have predictable behavior as we move further away.

So what does all this really mean? Welp, you will see lots of heuristics out there that talk about how far you need to be in order to properly compensate WiFi adapters. Based on the mathematics involved, any distance greater than the 2.5λ value for a half-wave dipole should be fine for our receivers. Personally, I like using the 2-3m range. It’s relatively easy to eyeball, and my survey tripod just happens to extend up to 10′ – so this is my “minimum distance” that I use when compensating my adapters. It also just happens to be about the height of APs mounted to a drop ceiling in an office environment.

Happy Surveying!