“Reverse” Anchoring?


There are many instances where we want guest traffic to not touch our enterprise networks.  From a security standpoint, having guest traffic quarantined off into a non-routed VLAN, and terminating the traffic into a DMZ provides a secure method for handling all of this untrusted traffic.

What if we could pick up guest traffic (no matter where it is) and tunnel it to a single place like our DMZ?  You can – this is exactly what the Anchor WLC does for us.

By having the Anchor WLC live out in the DMZ, we are able to build an EoIP tunnel between our Foreign WLC and the Anchor WLC. This serves as a mechanism to securely transport traffic from the AP, all the way to the DMZ – all while never gaining visibility into the rest of the network.



In Cisco world, there are 2 main types of tunnels.  The first one is CAPWAP, which is the tunneling mechanism used between APs and WLCs for Control and (sometimes) Data traffic to ride in. The second one is Ethernet Over IP (EoIP), which the WLCs use to communicate with each other. This is the logical underpinning that allows WLCs to share information such as client and AP data, and overall just enables the WLCs to be “aware” of each other.  We build these EoIP tunnels between WLCs to enable seamless roaming of clients between WLCs, and even to enable L3 roaming between WLCs.

Another great feature of the EoIP tunnels is that they allow us to take an SSID that is configured on our local (it’s actually called “Foreign” – but whatever) WLC, and terminate it on another WLC. This provides great flexibility in choosing which IP network we actually want to terminate the SSID to – especially in the case of guest networks.

The way we form these WLC relationships is with something called a “Mobility Group”. A Mobility Group is a bunch of WLCs that are “aware” of each other and share information such as AP & Client statistics, and also allow us to terminate SSIDs onto a separate WLC.

Within the Mobility Group, messages are shared amongst the group members to enable features like seamless roaming, AP load balancing, Anchoring SSIDs, and fail-over support for APs. Every AP is aware of every WLC in the Mobility group and can failover to a neighboring WLC in the event of an outage (assuming the AP has L3 access to the remaining WLCs in the Mobility Group).


Every time a client associates to an AP or performs a roam, the WLC sends a unicast message to each of the other Mobility Group members about this event. As you can imagine, this can get EXTREMELY chatty when working with large scale deployments.  You can enable Multicast Messaging in these types of deployments, where the WLC will send a message to the Multicast group, thus everyone in that Multicast Group will hear the message. This is the preferred method for large scale deployments as it reduces chatter and overall load on the WLCs.

Now that we’ve had an overview of what a Mobility Group is, where it’s used and why – let’s start approaching it from the other direction.

“Standard” Anchoring

In Enterprise environments, we typically see a single Anchor WLC that lives out in the DMZ somewhere.  All of the Foreign WLCs will anchor their guest SSIDs to this WLC and life goes on as usual.

[Figure: Regular Anchor]

For starters, each WLC has its own “internal” Mobility Group that is defined in the configuration. When we form Mobility Group members, we point the OTHER WLCs at THIS Mobility Group.  This is why the Anchor is aimed at the Mobility Group “Anchor” and the converse is true of the foreign WLCs.

What you will notice here is that each of the Foreign WLCs only has the “Anchor” WLC in its  Mobility Group member list.  This means that WLCs: A, B, and C, all form an EoIP tunnel to only the Anchor WLC.  Even though all 4 WLCs are in the same Mobility Group, Mobility Messages ARE NOT shared between the 3 Foreign WLCs.

This typically works fine and life will go on. There however is only one problem with this design.

It doesn’t scale well.

As of the date of this blog, Cisco has both the Catalyst and AireOS Controllers on the market. The downside is that regardless of which platform you use, you are limited to the following;

  • A WLC may only have 24 Members PER Mobility Group defined in its Member List
  • A WLC may only have 72 entries in its Member List

The below picture is a sample of this very limitation.


You will notice in the list that we max out at 24 members of the “standard” Mobility Group before the WLC starts barking at us, and we have to move to a new Mobility Group name.

The issue here, is that all the Foreign WLCs are anchoring against the Anchor WLC, so what happens at WLC #25? Where does this WLC anchor?

The short answer is: we simply create another Mobility Group (i.e. group name “standard1” in above picture) and start pairing Foreign WLCs to the Anchor in a new group.

This is a perfectly valid config and will work just fine.  After all, not many networks have dozens of WLCs that they are Anchoring guest traffic back to a single place…right?

For those of us that are lucky enough to walk into these types of accounts, it provides a true head-scratching moment mostly around the following:

  • What if I have 60 sites I need to Anchor to 1 or 2 WLCs? They can’t all live in the same Mobility Group after all.
  • How do I maintain a common config across all my Anchors?
  • How do I address the Mobility Group naming issue while staying on a standard?

“Reverse” Anchoring

This is where “Reverse” Anchoring can help mitigate these headaches.  The only thing we are REALLY changing is that there is no longer a shared mobility group that we will Anchor against.  This solves a few of my nagging OCD points:

  • Using Unique, Foreign-Specific Mobility Groups, we will never approach the 24 Members per 1 Mobility Group Limit
  • It maintains congruence of configs if you are utilizing multiple Anchors for Redundancy.
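
To make the two limits concrete, here is an added example (not from the original post or from Cisco) that checks an Anchor's planned member list against the 24-per-group and 72-entry limits for a shared group, the "standard1" overflow approach, and unique Foreign-specific groups. The site names and the `-mg` group naming are hypothetical, and only the entries passed in are counted.

```python
from collections import Counter

# Limits quoted in this post for one WLC's mobility member list.
MAX_MEMBERS_PER_GROUP = 24
MAX_LIST_ENTRIES = 72


def check_member_list(entries):
    """Return limit violations for one WLC's mobility member list.

    entries: list of (wlc_name, mobility_group_name) tuples. Assumption: only
    the entries passed in are counted; the post does not say whether the
    local WLC's own entry counts toward either limit.
    """
    problems = []
    if len(entries) > MAX_LIST_ENTRIES:
        problems.append(
            f"{len(entries)} entries exceed the {MAX_LIST_ENTRIES}-entry list limit"
        )
    per_group = Counter(group for _, group in entries)
    for group, count in sorted(per_group.items()):
        if count > MAX_MEMBERS_PER_GROUP:
            problems.append(
                f"group '{group}' has {count} members, limit is {MAX_MEMBERS_PER_GROUP}"
            )
    return problems


def shared_group_plan(foreign_wlcs, group="standard"):
    """Anchor-side list where every Foreign WLC is entered under one group."""
    return [(name, group) for name in foreign_wlcs]


def overflow_group_plan(foreign_wlcs, base="standard"):
    """'Standard' anchoring with standard, standard1, standard2 ... overflow."""
    plan = []
    for index, name in enumerate(foreign_wlcs):
        bucket = index // MAX_MEMBERS_PER_GROUP
        plan.append((name, base if bucket == 0 else f"{base}{bucket}"))
    return plan


def reverse_plan(foreign_wlcs):
    """'Reverse' anchoring: each Foreign WLC is entered under its own group.

    The '<name>-mg' group naming is hypothetical.
    """
    return [(name, f"{name}-mg") for name in foreign_wlcs]


def group_names(plan):
    """Distinct mobility group names that appear in a plan."""
    return sorted({group for _, group in plan})


def make_sites(count):
    """Constructed sample inventory: site01-wlc, site02-wlc, ..."""
    return [f"site{n:02d}-wlc" for n in range(1, count + 1)]


if __name__ == "__main__":
    sites = make_sites(60)
    for label, plan in (
        ("shared group", shared_group_plan(sites)),
        ("overflow groups", overflow_group_plan(sites)),
        ("reverse (unique groups)", reverse_plan(sites)),
    ):
        issues = check_member_list(plan)
        print(f"{label}: {len(group_names(plan))} group name(s),",
              "; ".join(issues) if issues else "within limits")
```

With 60 sites both the overflow and the reverse plans pass; the 72-entry list limit still applies to either one.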


While we are at it, let’s take a look at what our options really are for “Anchor Redundancy”.

  1. Anchor WLCs can be deployed as an SSO pair to give you box level redundancy
  2. Additional Anchor WLCs can be deployed as a standalone WLC for failover & client load balancing

[Figure: Reverse Anchoring - Redundant]

For my money’s worth, I don’t see any real value in having an SSO pair on your Anchor WLCs. For the exact same amount of hardware and licensing, you can stand up a secondary Anchor.  By having 2 discrete anchors, you have the ability to scale up your guest counts, and still are able to achieve fail-over redundancy.  By setting your Anchor priority values the same on your Foreign WLC, the clients will round-robin between the two WLCs.  This not only gives you greater scale in the number of clients you can anchor, but it also provides non-stateful fail-over should one of the Anchors go down.

This was written on 3/25/2020 while quarantining at home during the COVID-19 Pandemic.  I finally had some time to sit down during my quarantine and put all of this on paper, as it’s been bouncing around my brain a lot lately.  I hope everyone is staying safe and healthy, cheers!

C9800-CL on Windows


After the release of the new Catalyst 9800 Controller, I have been wanting to really get my hands on one to have for my home lab.  My biggest hurdle is that I am in a Windows only environment and don’t have VMware at my disposal.

I built a pretty beefy gaming PC last year that I use a lot for work, and I have been tinkering with getting the C9800-CL VM running in my environment for a while now.   It wasn’t until this morning that I FINALLY got it working.

The components that I used to finally get this working are;

  • Installed the Oracle VirtualBox Freeware
  • C9800-CL .ISO File
  • Windows 10 PC with an Ethernet Interface

Step 1:  Downloading the WLC Image

For my setup, you will need to obtain the .ISO image of the new C9800 WLC.


This will require that you have a valid CCO account with the appropriate permissions for access to the files.


Step 2:  Create the VM inside of VirtualBox

The VM will need 8GB of Virtual Hard Disk (VDI) space that is Dynamically Allocated, 1 CPU dedicated, and 4096 MB of RAM.

[Figure: 1 - vm setup]


Once you have provisioned the VM, you need to open the Optical Drive settings and select your C9800-CL .ISO image file.





The next part is the MOST important and after many variations – I have settled on the below network settings as they enable the VM to function properly.

Under the VM settings, ensure that your Adapter 1 is the adapter you use to connect to your network (mine is Eth 0).  You will need to ensure that it is set to your bridged adapter, and the advanced type MUST be virtio-net.


Step 3:  Launch the VM

Start the VM and it will launch the .ISO file. Aside from the very start when it says “press any key” – you won’t need to touch the keyboard.  This is a great time to go grab a cup of coffee.


Step 4: Initial Configuration

Setting up the WLC via CLI is much easier than via the GUI, and it also allows you to get around some of the odd traps that the Day-0 provisioning GUI will force on you. François Vergès wrote an awesome blog around how he performed this.  I have shamelessly copied his last section into this section of the blog.


Start by terminating the auto install so that it drops you down into the WLC CLI


From here you will need to configure the following;

  1. Configure the Enable Password
  2. Create an Admin Account
  3. Configure the Network Interface g1
  4. Configure the default route
  5. Configure the Country Code (this is required to avoid the Day-0 Provisioning)
  6. Configure which interface will be used for management (g1 for our case)
  7. Generate the Certificate that will be used to establish DTLS connections with the APs

Use the below commands in order to configure these items



  • The IP addresses used here are specific to my setup. Ensure you use relevant IPs to your network.
  • The passwords have not been disclosed, please replace “secret_password” and “user password” by the passwords you want to use
  • Configure these items in the order outlined in this blog
  • The last command doesn’t configure anything, it’s just used to validate that the trustpoint has been generated properly 
  • Since we are disabling the 802.11a and 802.11b radios to configure the country code, you will have to re-enable them later if you want your APs to be operational


From this point, you should be able to ping your WLC VM, as well as browse to it and login to the GUI with the credentials that you selected.   Good luck and Happy New Year to everyone!



CCIE Written Passed! Now the REAL work Begins…

I haven’t updated this blog in about a year now and I apologize for that.  With it being near the end of 2019 I thought it would be a good idea to look back at this year’s notable events.

  1. Traveled to India for work. Took a week off and traveled all over the place – India is quite the experience
  2. I started a new position at a VAR in April, and absolutely love my job
  3. Attempted my CCIE Written in June, November, and passed in December

I finally passed my CCIE-W Written on my 3rd attempt.  It is a rather difficult exam of 100 questions that truly assess your understanding of the CUWN portfolio and asks some seriously corner case questions.  That being said – I learned a TON through my studies.

My 1st attempt at the end of May I missed by a decent margin. There were a lot of questions I was unfamiliar with and overall, the exam exposed my lack of knowledge in some of the key areas (here’s looking at you, Emerging Technologies) on the exam. From there, I took a study break and got help from a study buddy that is in the Network Dojo with me so that we could help each other train.

This turned out to be PIVOTAL in my success. There are many times when looking at a question that an alternative view point can really help you broaden your grasp, and make you see things in a much better light.  After training with my partner for 6 weeks or so, I went in for my 2nd Written attempt, and failed.  The upshot was that I cut my failure deficit in half which showed me that at least my methodology was correct as I was already seeing improvements in my scoring.

After some extra studying, and reading through countless Deployment/Design Guides, I passed on my 3rd attempt. My score improved on my 3rd attempt by about the same margin as my 2nd attempt, so again – at least we know the methodology works.


Cisco is undergoing its largest change to the Cisco Certification track since its inception.  Everyone in the current program has until 2/24/2020 to obtain Certifications before the new program kicks off. There is a whole host of changes you can read about here, but here are the general highlights.

  • There is now only 1 CCNA for ALL tracks
  • There are now 5 core concentration areas with respective exams, and a whole new DevNet track
    • These Concentration Exams replace the CCIE Written
    • There are specialist badges that when coupled with the new CORE exam, will earn you a CCNP in that specific flavor.
  • There are no more pre-reqs for any Certification level
  • CCIE has no more “suspended” status – they are simply active for 3 years
  • CCIE Recertification requires 120 CE credits that you can obtain in a multitude of ways.  Jeff Rensink has a great video talking through the new re-certification process (which I am a huge fan of).

I think overall that the new re-certification options are a fantastic step in the right direction. If you attend Cisco Live! and take sessions, grab an exam voucher, and renew your CCNP level certs every 3 years – you can maintain your CCIE that way.   Although I will receive credit for my CCIE written in the form of the ENCOR exam, I do plan on retaking the exam itself when it comes time to recertify.  The good news is that the Route/Switch community shares the same CORE exam as Wireless folks – so I expect there to be TONS of great study resources and programs out there that we can tap into. Gone are the days of waiting for the first CCIE study guide to get published – only to be valid for 14 months.

The Lab

Because CertPocalypse is changing everything, I will have to wait for the new version of the Lab to be released.  There are no more CCIE-W lab dates available outside of Tokyo before the February cutoff. Once the new v1.0 lab comes out, I will return to the Network Dojo to begin labbing all the things and giving up free time to pursue my ultimate goal, bringing home CCIE numbers.

Until then, I think I’ll enjoy this short study break..

And so the journey begins..


About two months ago, my employer accepted me into the CCIE program that we have setup. I am lucky that I work for a firm that heavily invests into its consultants, and had the wherewithal to establish such a great program for folks serious enough to start down this lengthy, tough road.

Traditionally most of the folks at my VAR going after their CCIE were heading down the Route Switch, Data Center, or Collaboration tracks. The resources available to these tracks are quite rich with loads of training material (INE, Global Knowledge, and lots others) and training programs to support their learning efforts.

Of course with my being a wireless geek, I started to look into the CCIE-W course as this was something I really feel I could sink my teeth into…or so I thought!


For over the past decade I have been always learning something, whether it was finishing out my BSEE, certifications around product and tools, or other industry related certifications.  After finishing up my larger goals, I started looking for my next challenge, and that’s when the CCIE started looking really appealing to me.

The CCIE-W underwent a version change from 3.0 to 3.1 around November 2017. The main change here was they finally got rid of the horrid Converged Access portion of the Lab, as Cisco itself gave up on that product line. The good news is that this made the “new” CCIE v3.1 much more palatable to candidates, as we didn’t have to spend time and money diving into a technology that we would never really see in the wild.

I’ve spent the better part of the last 7 years working for VARs. I took an 18-month break to try different things such as working for Startups, Healthcare, and Global Enterprises – just trying to feel out what was best for me. I ended up coming back to the VAR space as I truly enjoy the work. I love being the trusted adviser to a multitude of customers, in different spaces, all over the globe. The variety of the projects I get to work on, the people I get to work with, and the constant push towards professional development was something that I really enjoyed. A perk of this is the working-from-home aspect that I really do enjoy, as I get to travel enough to break up the monotony of sitting in the house all the time.


Finding a reputable (and more importantly, company approved) training partner was the next step for me, and this is where the tough part really came into play. While other tracks have tons of resources out there to train and learn from, the wireless track is one of the smaller tracks in this aspect.  Finding gobs of people who are also studying down the same track as you are can really make the difference. Being able to join study groups, compare notes, and bounce ideas off of one another has truly been helpful for me in my past studying endeavors. The caveat here is that when you select a certain track, you are limiting yourself to a community of others who are studying down that track as well.

There has been a long running trainer that has been coaching and training the next generation of CCIE-Ws for a while now. Jeff Rensink was the CCIE-W trainer back when IPExpert was around. IPExpert was a great training firm and they went through some internal issues that ended up causing them to shut their doors.

Jeff took this as an opportunity to open up his very own training firm focused exclusively around the CCIE-W, The Network Dojo (www.networkdojo.com). After reviewing the training materials, the community around it, and reviews of former students, this definitely looked like the community I wanted to be a part of. The kicker for me was that someone as experienced as Jeff was the one that created all the content, the videos, the quizzers, the mock labs, the rack rentals – all of it, it came from THE CCIE-W Training master.


Anyone that has ventured down the CCIE path will tell you, it’s all about the journey. When someone dedicates 12-18 months of their life to running down a cert, it is far more than a cram session and taking a test. This for me was why having the support community of other folks, in the trenches studying right alongside you, was so important to me – and it’s what the Dojo offered.  I’m lucky enough to have been tinkering with Cisco WLAN gear for about 8 years now, so a lot of the content isn’t new to me, but there is a ton of content that is brand new to me.

  • Autonomous AP & WGB configurations – I’m having to learn how to configure these things from basically scratch as I don’t have much experience with these configurations
  • ISE & CMX – ISE typically always fell to the security folks to implement. ISE itself is a monster, I view it as a box with 142240 dials and 2x as many knobs, yielding unlimited configuration iterations. The part I like is that as a WLAN guy, we are continually seeing NAC being sold and integrated into environments. ISE isn’t going away and having the knowledge set to configure Certs, all the different EAP methods, and the rule writing around a security minded WLAN – is pivotal.
  • WLC – I thought I had a really good handle on WLCs until I actually started training through the Dojo. There are so many funky little options that I didn’t even know existed – but make complete sense to me now

I have a small home lab of a 2504 WLC, pair of 3560s, a pair of 1242 APs, a 3502, and a 3702. For pretty much everything except the ISE/CMX portion of training, having this meager little lab has been truly helpful for my (re)learning feature sets and commands. I have 300 hours of rack rentals at the Dojo I can use to fill in the gaps, but for a bare-bones lab, this has served me well.

What’s Next?

I’ve spent the past 2.5 months running through a “foundations” course that (re)familiarizes a lot of the equipment, commands, and general weirdness to front of mind. Building out my tiny home lab, and getting into a solid study schedule is one of the more tough items, as life has a tendency to get in the way.  Not having any kids, and being free of other typical life “distractions” means that I have 0 reason to not stick to a regimented study schedule, outside of pure laziness. This blog alone will serve as a reminder to get off my ass, stay the course, and see it through to the end.

I am currently in the “Study for Written” phase of the program. This consists of lots of videos, quizzers, practice troubleshooting and debugging issues. As it stands right now, I expect myself to be prepared and ready to attempt the written exam around March 2018. From there, it’s deep-dive time into the labs, troubleshooting, and mock lab tests to prepare for the beast that is the CCIE Lab.


Cisco is releasing an actual (first time ever) CCIE Lab Study guide this month. The community is very excited as actual reading materials outside of the massive Design Guides are extremely rare. In the past, anyone going after their CCIE-W had to pretty much wing it on their own, studying as best they can from the blueprints and design guides. This is why I am such a fan of proven training resources such as the Dojo. The Dojo has different packages for different budgets, from written-refresher programs, all the way through a full-blown platinum bundle that will take you through ALL of the blueprint, content, and training labs to prepare you for success.

Here is the new CCIE v3.x study guide, it will be released in ebook form on 11/22 and runs for $119.99 right now on pre-order. If you use the code “Programming37“, you’ll save an additional 37% off.  I pre-ordered the book yesterday and with that coupon, spent $94.

As we roll into the Holiday season, I want to wish everyone a happy and safe season, and start thinking about what your NEXT professional development goals will be for 2018. I am in ACMA training this week and I will update y’all as soon as THAT adventure is over!

This Wi-Fi Stand(s) Out

Last fall, the Wireless Practice at my VAR was kind enough to purchase me a Wi-Fi Stand & Telescoping pole from the Wi-Fi Stand store.  I had been wanting to get one of these bad boys as a ‘Wi-Fi Bracket 2’ had been released and had a rotating mount atop of it. IT moves!


For a while now, Wi-Fi Stand has been the “go to” for WLAN professionals wanting an easy to pack, lightweight, easy solution for holding APs during AP-On-A-Stick (APoaS) surveys. Finally, Drew Lentz & co. came to address that sore spot for so many of us with this wonderful little bracket.


We purchased the Wi-Fi Bracket 2 as well as the Tripod from the online store to ensure compatibility right out of the box. The order arrived in a few days and I was very pleasantly surprised with the size, and durability of all the parts involved. Both the bracket itself, and the mounting clip exhibit a very sturdy feel to them.



And the best part about this setup is that the WiFi Bracket2, as well as the tripod, can both be purchased for <$100. The tripod collapses down to 36″ and extends up to 8ft – it even comes in this handy carrying case as well.


When you get the whole rig put together, it truly offers an amazingly sturdy, versatile, easy-to-travel-with option for APoaS surveys – all while at a great price point. (Pictured below with a Cisco AP mounted)



For those of us that have been WLAN professionals for a while, we can certainly appreciate an elegant approach to this exact space. Some of the monstrosities that we have seen in the wild truly needed to be addressed, and that’s exactly what Wi-Fi Stand does.

[Figure: AP pole]


Now all the wizardry aside, I think my favorite part of the Wi-Fi Bracket2 is the rotating mount – and it’s because I am kind of a lazy guy.  The beautiful part is that once you size the mount to clip onto the clip, you can lock it down and you will never have to change it again. An added bonus to this feature is that, at least for Cisco ceiling mounts, the bracket can’t slide off from within the Wi-Fi Stand.


The best part about this rotating mount is that if you want to remove your already-locked-down-AP-mount, simply roll the bracket over and it slides off.

[Figure: slide off]

The cool part of this feature I enjoy is that I can pre-size all of my mounting clips, and I can screw them down and not have to worry about them falling apart or losing screws. I love this feature as it makes just one less thing to lose for me on the road.

The only drawback that I can see is that the rotating mount on the bracket lacks the required friction to hold the AP in a vertical orientation – similar to how an AP would hang on a wall.  Maybe in future builds WiFi Stand can incorporate some sort of locking mechanism, or sell it as an add-on?

In any event, I couldn’t be happier with my new APoaS setup, and am truly grateful to my old friend and coworker for addressing such a common WLAN need.


Get yours today at: https://www.wifistand.com/


Thanks WiFi Stand!


SHAtastic “Features”

Over the past two weeks, I have been working on a deployment that “seemed” pretty straightforward.

  • Client has 250 APs in autonomous mode to be converted to Flex Connect
    • The motivation here is due to the APs being deployed across the globe
    • This sounds like a perfect use case for a vWLC
    • APs are a mix of 1142, 1242, & 2702

Sounds pretty cut & dry right? All we have to do is find a code rev that supports all the different AP models, and we should be good to go…

The saga started by deploying the .ova into the environment – easy peasy.

The APs from this decade (2702) joined right up, no problem at all. The REAL fun started when we tried to join the old 1242s to the vWLC. At this point, I was seeing an error from my test AP that read something like this;

“*Nov 11 18:07:36.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: x.x.x.x peer_port: 5246
*Nov 11 18:07:36.033: Failed to get CF_CERT_ISSUER_NAME_DECODEDPeer certificate verification failed 000B
*Nov 11 18:07:36.038: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Nov 11 18:07:36.038: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:447 Certificate verified failed!
*Nov 11 18:07:36.038: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to x.x.x.x:5246
*Nov 11 18:07:36.039: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to x.x.x.x:5246
*Nov 11 18:07:36.040: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 3 combination.”


I couldn’t for the LIFE of me figure this one out. So after 2 hours on the phone with TAC we found out an awesome bug feature. It turns out that for whatever reason, the old APs didn’t like the MIC certificate that came native with the vWLC. The workaround is that we have to deploy an older ( vWLC model, and then we can upgrade from there. It has something to do with vWLC having a MIC certificate that the old APs actually can play nicely with.

Fine. I’ll just get TAC to publish this older vWLC to me (as I can’t download it on CCO because it’s redacted) and we’ll deploy it in the environment – seems straightforward enough.

So we successfully deployed the vWLC, and now the old 1242 is fussin’ at me with the following;

The AP logger will show messages similar to the following:

*Oct 29 18:01:56.107: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.
The certificate (SN: 7E3446C40000000CBD95) has expired. Validity period starts on 14:38:08 UTC Oct
26 2021 Peer certificate verification failed 001A

*Oct 29 18:01:56.107: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496
Certificate verified failed!
*Oct 29 18:01:56.107: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to
*Oct 29 18:01:56.107: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to

On the WLC side, you will only see a message like this:

*osapiBsnTimer: Oct 29 11:05:04.571: #DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2962 Failed to complete DTLS handshake with peer


Weeeeee! So now I get to reengage TAC and ask them what all this nonsense is about. It turns out that if you deploy a vWLC, it will start the MIC cert validity period to something like 8 hours AFTER the vWLC comes online. (Bug ID: CSCuq19142). This means that the NTP time on the vWLC, is before the MIC certificate becomes valid. This means that APs won’t be able to join..


So the workaround? For the first day or so the vWLC is online, you outright lie to the vWLC about what the time is.  I just changed the “year” field to 2019 – nothing like living in the future! *Note* I had to delete any NTP server configured on the WLC before the manual time change took effect.


From here, the AP joined up just fine and behaved normally. I was also able to upgrade to without issue, because I started with a “correct” vWLC version. After 24 hours, I was able to sync the vWLC back to NTP as the MIC validity “start” time was sometime late last night.
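
The triage behind that diagnosis, as an added example (not from the original post or from Cisco): the AP's PKI message is labelled "expired", but the field worth reading is the validity start, compared against the controller clock the post identifies as the problem. The log text is the sample quoted above; the two clock values and the cause labels are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# AP-side messages copied from the post, wrapped as they appear there.
AP_LOG_VALIDITY = """\
*Oct 29 18:01:56.107: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed.
The certificate (SN: 7E3446C40000000CBD95) has expired. Validity period starts on 14:38:08 UTC Oct
26 2021 Peer certificate verification failed 001A
*Oct 29 18:01:56.107: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to
"""
AP_LOG_ISSUER = """\
*Nov 11 18:07:36.033: Failed to get CF_CERT_ISSUER_NAME_DECODEDPeer certificate verification failed 000B
*Nov 11 18:07:36.038: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Nov 11 18:07:36.038: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to x.x.x.x:5246
"""

# Constructed controller clocks. The AP timestamps carry no year, so the
# clock to compare against has to be supplied by the operator.
CLOCK_BEFORE_START = datetime(2021, 10, 26, 6, 38, 8, tzinfo=timezone.utc)
CLOCK_AFTER_START = datetime(2021, 10, 27, 14, 38, 8, tzinfo=timezone.utc)

PKI_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_EXPIRED:.*?\(SN:\s*(?P<sn>[0-9A-Fa-f]+)\).*?"
    r"Validity period starts on "
    r"(?P<start>\d{2}:\d{2}:\d{2} UTC \w{3} \d{1,2} \d{4})"
)


def triage_join_failure(log_text, controller_clock):
    """Classify an AP join failure from its console log.

    Returns a dict with a constructed 'cause' label, the certificate serial
    and validity start when present, and how many seconds remain until the
    certificate becomes valid relative to controller_clock.
    """
    text = " ".join(log_text.split())  # undo console line wrapping
    result = {
        "cause": "unknown",
        "bad_cert_alert": "Bad certificate Alert" in text,
        "serial": None,
        "valid_from": None,
        "wait_seconds": 0,
    }
    match = PKI_RE.search(text)
    if match:
        start = datetime.strptime(
            match.group("start"), "%H:%M:%S UTC %b %d %Y"
        ).replace(tzinfo=timezone.utc)
        result["serial"] = match.group("sn").upper()
        result["valid_from"] = start
        if controller_clock < start:
            # Despite the "expired" wording, the clock is ahead of nothing:
            # the certificate simply is not valid yet.
            result["cause"] = "cert_not_yet_valid"
            result["wait_seconds"] = int((start - controller_clock).total_seconds())
        else:
            # Start date is already in the past; look elsewhere (e.g. expiry).
            result["cause"] = "validity_start_passed"
    elif "CF_CERT_ISSUER_NAME_DECODED" in text:
        # The first failure in the post: the AP could not decode the issuer.
        result["cause"] = "issuer_name_not_decoded"
    return result


if __name__ == "__main__":
    for name, log, clock in (
        ("validity, early clock", AP_LOG_VALIDITY, CLOCK_BEFORE_START),
        ("validity, later clock", AP_LOG_VALIDITY, CLOCK_AFTER_START),
        ("issuer decode", AP_LOG_ISSUER, CLOCK_BEFORE_START),
    ):
        print(name, triage_join_failure(log, clock))
```

The `wait_seconds` value is the point at which the controller can go back to NTP without reintroducing the join failure.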

Lots of us will ask “why do these folks have APs from last decade” and the answer is real simple – money.  Why would a company go out and replace a ton of equipment, that isn’t broken? If one dies, they can just replace it with a new one – all we have to do is ensure the vWLC can support both old AND new equipment. I’ve run into the same exact issue with one of the world’s largest airlines as well – why fix something that ain’t broke?



Now that we have everything up and running, I certainly learned a lot from all of this. Most of it doesn’t make a whole lot of sense as to why they happen (i.e., the SHA cert start date being set to some arbitrary value), but at the end of the day – as long as it’s all working – nobody really cares how you got there.

There are many ways to get to 5. Is 4+1 better than 2+3? And more importantly – the client/business owners don’t really care.




How far, is far enough?

Over the Christmas break, I wanted to compensate a few of my Proxim WiFi adapters so that I knew exactly how different they were when measuring RSSI. There are countless write-ups detailing how and why we need to compensate our adapters, and the methodology behind doing so. The one thing that kept jumping out at me was how far do I have to be from the AP, in order to reliably compensate WiFi adapters? I read some articles that have said we need to be X distance, and other articles claim Y distance..so which is it? I live in an apartment and as such I don’t have a clear long 30′ hall to measure against. Can I reliably compensate adapters at say, 10′, but more specifically what is the actual distance required to be in the far field?

For starters, why do we need to be a certain distance from the AP to begin with? If an AP is mounted to a 10′ ceiling, is sitting directly under it too close to reliably compensate my adapters?

The answer lies in the math.

In order to properly be at the correct distance, we need to ensure that our receivers are located in what is called the Far Field. The Far Field is where we can predictably and accurately model the RF behavior with tools like CST, and it’s where the RF has “calmed down and normalized” – this is the zone that clients will live in.

Overall, the Far Field is the region that is far enough away from the antenna, that the behavior can reliably be modeled and calculated. This is the “normal operation zone” for antennas.

Let’s explore the idea of far field so that we may be able to know whether or not we are truly in this “normal operating zone”.

In the world of antennas, there are lots of different types. From Patch Antennas, to Horns, Monopole, Dipole, the list goes on and on. For the scope of this post, I will concentrate around the traditional Half-Wave Dipole Antenna, its far field characteristics, & how to calculate the far field.

What exactly is a Dipole Antenna? This type of antenna configuration has 2 poles (ends) where AC current conducts through each pole 180° out of phase. A Half-Wave dipole is the most common type of Dipole utilized due to the physical space savings when compared to a Monopole.  The characteristic radiation pattern yields the main power lobe orthogonal to the radiating element.

[Figure: Dipole Radiation Pattern]


Having the understanding of the basic radiation pattern, we can now look at the governing math behind a Hertzian Dipole.  The Hertzian dipole is a theoretical dipole antenna that consists of an infinitesimally small current source acting in free-space. Although a true Hertzian dipole cannot physically exist, very short dipole antennas can make for a reasonable approximation. The length of this antenna is significantly smaller than the wavelength:

small lambda

A surprising result is that even though the Hertzian dipole is minute, its effective aperture is comparable to antennas many times its size. This allows us to make calculations around characteristics such as the Far Field Conditions.

Field Regions


In order for us to know when we are actually in the far field, we have to actually find out where the far field is located.  We need to define the following;

  1. Wavelength λ @ 5.8GHz;
  2. Speed of Light; c = 3E8 m/s
  3. Frequency f = 5.8GHz


Plugging in these variables into the above equation, we find that λ = .0516m, or 5.16cm. Half of this length is the dipole antenna length (as we are utilizing a half-wave dipole antenna) therefore, D~ 2.58cm

Far Field eqns

Being that we’re using a half-wave dipole, D = λ/2 = 2.58cm. For most cases, a half-wave dipole is going to have an antenna length between .33λ and 2.5λ. This means that we are finally in the far field region at 2.5λ. For a 5.8GHz signal, 2.5λ = 12.9 cm. Thus, when we are right about 6in away from the AP, we are barely in the far field and will start to have predictable behavior as we move further away.

So what does all this really mean? Welp, you will see lots of heuristics out there that talk about how far you need to be in order to properly compensate WiFi adapters. Based on the mathematics involved, any distance greater than the 2.5λ value for a half-wave dipole should be fine for our receivers. Personally, I like using the 2-3m range. It’s relatively easy to eye-ball, and my survey tripod just happens to extend up to 10′ – so this is my “minimum distance” that I use when compensating my adapters. It also just happens to be about the height of APs mounted to a drop ceiling in an office environment.

Happy Surveying!