Date Archives

May 2011

Cisco OfficeExtend AP600

Cisco recently announced their OfficeExtend AP600 which is expected to hit FCS in June ’11. I’ve been fortunate to receive one of these for testing and experimenting with and here are some of the things that I’ve learned about the AP so far. This is not mean to be an all encompassing post regarding OfficeExtend solutions, if you have yet to setup OfficeExtend on your WLAN network please refer to my other post “Cisco OfficeExtend – Always Connected” for the ins and outs. So without further stalling lets get into the gotchas associated with these APs.

Initial Configuration

The OEAP600 differs from the previous in how you set it up, but the difference is a positive move! The OEAP600 is a functioning NAT router for your network. This AP can be used as a DHCP server for the personal side network. The OEAP600 ships with a default 10.0.0.0/24 network and is set as 10.0.0.1. To log into the AP the default credentials are admin/admin. Once logged in you can make changes to the DHCP server, personal SSID, and other settings. Check out some of the AP screens below:

 

Primary Controller Setup

With the 1131’s and 1142’s when you wanted to use them as OfficeExtend APs it was a somewhat tedious process of bringing them online, converting to HREAP, setting the checkbox for OfficeExtend, changing the primary to a public address, and testing on an external network. With the OEAP600 you now simply login to the web based GUI and enter in the public address for the WLC as shown below. The OEAP600 does not come with a serial console which takes away one of the troubleshooting tools used when debugging a failed WLC join. Cisco has replaced the serial console cable with a web based event log viewer that can be used to watch the join process.


 

 

 

 

 

WLAN Setup

There are some important caveats to take note of when setting up the SSIDs on the OEAP600. The first caveat that I ran into was that when the AP is placed in the default-group the WLAN index needs to be less than 8. Also the OEAP600 will only broadcast 2 corporate SSIDs, this is determined by either the lowest index values or by AP Group settings. Originally I was told that only WLANs with an index of 1 or 2 would be enabled on the OEAP600 so it’s nice to hear that there is a way (AP Groups) enable other indexes without recreating all of your SSIDs. Most all of my installs typically look like the following as to pre-stage the install for OfficeExtend: WLAN index 1 is the internal secure network, WLAN index 2 is voice, WLAN index 10 is the guest network. By setting up the WLANs in this way I can be assured that the correct networks will be enabled on the OEAP600.

Another caveat that I found was when I testing my voice network. OEAP600’s cannot use CCKM on their WLANs, as you may know CCKM is preferred for voice networks due to its fast roaming abilities. So remember when setting up your voice network to only have it support 802.1x, your internal anchor WLAN can support CCKM seen as this setting does not need to match in order for the Mobility Tunnel to come up. It’s also important to note that the OEAP600 does not support inter-band roaming on the 792x wireless IP Phones. You will be required to support a single frequency (most likely 5GHz) in an employees home office environment or be aware that there will be dropped audio packets when switching from 2.4Ghz to 5Ghz or vice-versa.

RemoteLAN Setup

Seen as the OEAP600 has wired Ethernet ports on it we now have the ability to bring one of those ports, port 4, back to the corporate network. While this creates more functionality it does introduce a large security risk. The setup is similar to a WLAN in that you would typically have the RemoteLAN setup on your DMZ WLC and then have that anchor to an internal DMZ that then drops the traffic onto an internal VLAN. Typical usage for this port is going to be either wired side IP Phones or a printer. The port has no concept of a voice VLAN so the interface should be set accordingly on your internal WLC. The port will support up to 4 connected devices via MAC address checks. If a 5th device connects it will not be allowed to connect until a previously connected device is idle for greater than 60 seconds. See below for the configuration screens.

 

 

 

 

 

 

What is the large security risk that this RemoteLAN port introduces? An open wireless AP could be connected to the port and will allow traffic onto your corporate network. To mitigate this you could do one of two steps: MAC filter or 802.1x port based security. If you remember from the previous images you may have noticed that there was an AAA tab under Security. When configuring a WLAN we would use this to set the RADIUS servers to be used for 802.1x authentication. The same holds true for the OEAP600 however in order to enable 802.1x security we have to go to the CLI to do so, these commands are not in the GUI yet. Once you run these CLI commands to enable 802.1x security make sure you NEVER apply changes via the GUI again to the RemoteLAN. If you do so you will disable 802.1x security.

 

 

 

 

 

 

Final Thoughts

Hopefully you are still reading this and didn’t get too bored! Having been able to use the OEAP600 for the past few days and going through quite a few different scenarios (RemoteLAN open, RemoteLAN 802.1x, wired IP Phone, printer, etc) I believe that I have ran into most issues that one would hit when doing an install. The OEAP600 is going to be a good device for a typical teleworker but I don’t think it is going to hit the mark for a power user. My 7925 wireless IP Phone modulates often on the OEAP600 while it doesn’t ever on my 1142 in OfficeExtend mod. I haven’t ran any range checks with Ekahau yet to determine the overall range, but I do feel that it is smaller than using an 1131 or 1142 AP. The ease of setup for the primary controller helps out a lot to make this a quicker setup. I’m still not sure on which route I want to take to handle the RemoteLAN setup, most likely I would prefer to do a simple MAC auth but with how easy it is to spoof MACs these days that won’t work well. I was unable to get my IP Phone up with EAP-FAST, EAP-TLS, or EAP-MD5, but my laptop was able to do EAP-PEAP and EAP-FAST without any problems over the RemoteLAN.

I’m intrigued as to the future features of this AP line. Given that it has a USB port I can see a lot of potential with that, think USB storage drives, printers, or maybe even a 3G/4G back-haul for popup sales/support offices. I would like to see PoE available via port 4 as well for an IP Phone, I can’t stand cables (hence why I’m a Wireless Engineer) nor can I stand wall warts so this would be a huge plus for me. I would also like to see the ability to support multiple OfficeExtend APs in a single home, we have a few customers that have inquired about 10000sqft executive homes that would require multiple APs for coverage.

I hope you enjoyed my look into the OEAP600 and look forward to your comments!