This document provides information on the most frequently asked
questions (FAQ) about Wireless Domain Services (WDS).
What is WDS?
A. WDS is a part of the Cisco Structured Wireless Aware Network (SWAN).
WDS is a collection of Cisco IOS® Software features that enhance WLAN client
mobility, and simplify WLAN deployment and management. WDS is a new feature for
access points (APs) in Cisco IOS Software, and the basis of the Cisco Catalyst
6500 Series Wireless LAN Services Module (WLSM). WDS is a core function that
enables other features, such as:
Before the operation of any other WDS-based features, you must
establish relationships between the APs that participate in WDS and the device
that is configured as the WDS. One of the main purposes of WDS is to cache the
user credentials as soon as the authentication server authenticates the client
for the first time. On subsequent attempts, WDS authenticates the client on the
basis of the cached information.
How do I configure my AP as a WDS?
A. Refer to
Domain Services Configuration for information on how to configure the AP
as a WDS.
On what platforms does Cisco Structured Wireless-Aware Network (SWAN) WDS
A. You can run SWAN WDS on Cisco Aironet APs, Cisco Catalyst switches, or
Cisco routers. Here is the list of platforms that currently support SWAN
Aironet 1230 AG Series APs
Aironet 1240AG Series APs
Aironet 1200 Series APs
Aironet 1130 AG Series APs
Aironet 1100 Series APs
Catalyst 6500 Series Wireless LAN Services Module
Cisco 3800, 3700 series Integrates Services Routers (ISR) and some
models of 2800 and 2600 series ISR that run Cisco IOS version 12.3(11)T or
How does AP-based WDS compare with switch-based
A. When you use AP-based WDS, Cisco SWAN supports:
Layer 2 (L2) fast secure roaming (FSR)
Scalable wireless LAN (WLAN) management
Advanced radio management (RM) capabilities
Enhanced wireless security
When you use switch-based WDS, SWAN supports:
How do I set up WDS with my current wireless LAN (WLAN)
A. In order to set up WDS, you must designate one AP or the Wireless LAN
Services Module (WLSM) as the WDS. The WDS AP must establish a relationship to
an authentication server through authentication with a WDS user name and
password. The authentication server can be either an external Remote
Authentication Dial-In User Service (RADIUS) server or the local RADIUS server
feature in the WDS AP. The WLSM must have a relationship with the
authentication server, even though the WLSM does not need to authenticate to
What is the role of the WDS device in the wireless LAN (WLAN)
A. The WDS device performs these tasks on your WLAN:
Advertises WDS capability and participates in an election of the best
WDS device for your WLAN.
When you configure your WLAN for WDS, you set up one device as the
main WDS candidate and one or more additional devices as backup WDS candidates.
If the main WDS device goes offline, one of the backup WDS devices takes the
place of the main device.
Authenticates all APs in the subnetwork and establishes a secure
communication channel with each of the APs.
Collects radio data from APs in the subnetwork, aggregates the data,
and forwards the data to the Wireless LAN Solution Engine (WLSE) device on your
Registers all client devices in the subnetwork, establishes session
keys for the client devices, and caches the client security credentials.
When a client roams to another AP, the WDS device forwards the
client security credentials to the new AP.
How do the WDS and the infrastructure APs in the WLAN communicate with
A. The WDS and the infrastructure APs communicate over a multicast
protocol called the Wireless LAN Context Control Protocol (WLCCP). These
multicast messages cannot be routed. Therefore, a WDS and the associated
infrastructure APs must be in the same IP subnetwork and on the same LAN
segment. Between the WDS and the Wireless LAN Solution Engine (WLSE), WLCCP
uses Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) on
port 2887. When the WDS and WLSE are on different subnetworks, packet
translation with a protocol like Network Address Translation (NAT) cannot
Can I configure the 1300 AP/Bridge as a WDS
A. You cannot configure the Cisco Aironet 1300 AP/Bridge as a WDS master.
The 1300 AP/Bridge does not support this functionality. The 1300 AP/Bridge can
participate in a WDS network in which some other AP or WLSM acts as the WDS
How many infrastructure APs can a single WDS
A. A single WDS AP can support a maximum of 60 infrastructure APs when
the radio interface is disabled. The number drops to 30 if the AP that acts as
the WDS AP also accepts client associations.
A Wireless LAN Services Module (WLSM)-equipped switch supports up to
What is fast secure roaming (FSR)?
A. FSR is one of the features that WDS offers. FSR is supported by Cisco
Aironet 1200 and 1100 Series APs in conjunction with Cisco client devices or
Cisco-compatible client devices. With FSR, authenticated client devices can
roam securely at Layer 2 (L2) from one AP to another without any perceptible
delay during re-association. FSR supports latency-sensitive applications, such
WDS provides fast, secure handoff services to APs, without the drop of
connections. The services are for applications, such as voice, that require
roaming times that are less than 150 ms.
What is Layer 3 (L3) roaming?
A. With Layer 2 (L2) roaming, the wireless client roams between two APs
that are part of the same subnetwork on the wired side. AP-based WDS provides
this functionality. With AP-based WDS, you must configure the APs to be in the
With L3 roaming, the wireless client roams between two APs that reside
in two different subnetworks. Therefore, the client roams between two different
VLANs on the wired side. This removes the creation of VLANs that span the
entire campus, which the AP-based WDS create. Client devices use multipoint
generic routing encapsulation (mGRE) tunnels in order to roam to APs that
reside on different L3 subnetworks. The roaming clients remain connected to
your network without the need to change IP addresses.
What is the role of the Wireless LAN Solution Engine (WLSE) in a
WDS-enabled wireless LAN (WLAN) network?
A. APs and, optionally, Cisco client devices or Cisco-compatible client
devices take radio frequency (RF) measurements within a single subnetwork.
Cisco SWAN WDS aggregates the measurements and forwards the measurements to
CiscoWorks WLSE for analysis. With these measurements as a basis, CiscoWorks
Detect rogue APs and interference from other devices.
Note: The maximum number of rogues that can be shown in WLSE is 5000. If
the WLSE has reached this rogue limit, the Limit of
Infrastructure/Ad-hoc rogues tracking error message appears. In
such cases, to delete these rogues from WLSE, navigate to IDS >
Manage Rogues, choose the "Select *ALL*" *&
'Delete' option in order to delete the rogues.
If the unknown (rogue) radio count is over 5000 in your environment,
you again hit this number and the same warning message appears. The only way to
overcome this is to either manage those radios or mark those radios as
Provide assisted site surveys
Support WLAN self-healing for optimal channel and power-level
What are the advantages of the use of WDS on a Wireless LAN Services
A. The introduction of switch-based WDS and the WLSM facilitates Layer 3
(L3) fast secure roaming (FSR) and provides a highly scalable solution for L3
mobility in the campus. Switch-based WDS centralizes the functionality of WDS
in the WLSM blade in a central switch and provides these benefits:
Increased WDS scalability—The scalability increases to 300 APs and
6000 users across a campus wireless LAN (WLAN) network.
Simplified design and implementation—No VLANs span the campus
network. With the use of multipoint generic routing encapsulation (mGRE)
architecture, no changes to the current network wired infrastructure are
Manageability for a large WLAN deployment—This solution provides a
single point of ingress for both WLAN control and user data into the wired
network for which to apply security and quality of service (QoS) policies.
L3 mobility between floors and across multiple
The ability to use advanced features on the Cisco Catalyst 6500,
which includes other Catalyst 6500 service modules
Enhanced end-to-end security and QoS by integration with the Catalyst
What is the radio management (RM) feature of
A. A WDS-enabled AP also acts as an aggregator for radio frequency (RF)
statistics from the other APs. The WDS-enabled AP passes along these statistics
to the Wireless LAN Solution Engine (WLSE) in order to highlight rogue APs. The
monitor of RF allows the WLSE to create a map of wireless coverage. The WLSE
also uses current APs in order to carry out site surveys and identify areas
with no coverage. You can import floor plans onto the software to make areas
where you need extra APs easy to spot.
Can Cisco Aironet APs support clients while the APs scan the air/radio
frequency (RF) environment?
A. Yes, Cisco APs are multifunctional. Cisco APs serve clients and also
monitor the air/RF. It is always recommended to have less clients associated to
the AP configured as WDS.
Can WDS perform accounting functions?
A. No. WDS can perform authentication but not accounting. Accounting is
totally independent and you need to have a RADIUS server for this
In order to set up WDS with CCKM what are the cipher suites supported? Is
Extensible Authentication Protocol-Flexible Authentication through Secured
Tunnel (EAP-FAST) compatible with Cisco CKM? What combination do I
A. You need to use a cipher suite in order to use Cisco CKM. These Cipher
suite combinations are supported with CCKM.
encryption mode ciphers wep128
encryption mode ciphers wep40
encryption mode ciphers ckip
encryption mode ciphers ckip-cmic
encryption mode ciphers cmic
encryption mode ciphers tkip
EAP-FAST/Cisco CKM is supported with the Cisco Aironet 350 cards and,
soon, will be supported with the Aironet CB21AG cards. Here is the command to
enable the cipher:
encryption vlan 1 mode ciphers tkip wep128
EAP-FAST does not use the WEP key that you have set. EAP-FAST uses a
Does the authentication key-management cckm
optional command work for both Aironet clients with fast roaming
checked and those without fast roaming checked?
A. If you set Cisco Centralized Key Management (CKM) to optional, the
setting works for both Aironet clients that have fast roaming checked and those
clients that do not have fast roaming checked.
For how long does the WLSM cache user
A. The cache time can depend on the type of client. There is a keep alive
between the AP and the mobile node (MN), which depends on the AP configuration
and the type of client. If it is a Cisco client, the AP detects the absence of
the client quickly and leaves its association list. Once that happens, the
client stays in the MN list of the WDS in a detached state for about 10
If it is a third party client, the keep alive timeout on an AP can be
very long, as long as 30 minutes.
Basically, if the Cisco client is not in the dot11 association table in
any AP for 10 minutes, re-authentication is needed, which means to send it to
the authentication server instead of to the infrastructure AP based on the
cached user. If a non-Cisco client is not in the dot11 association table in any
AP for between 10 and 30 minutes, re-authentication is needed.
Can I set up more than 60 APs in a WDS that uses AP-based
A. Do not use more than 60 APs on one WDS master. You can run into CPU
utilization problems with more than 60 APs. You can have multiple WDS masters,
but they need to be on different subnetworks. An example is the use of:
In this case, the issue is that you cannot fast roam between WDS
How many WDS backup candidates can I have? Can a WDS backup candidate
still function as an AP in the WDS and report the information to the primary
A. There is no limit to the number of WDS backup candidates. Yes, the
backup candidates still function as APs that report to the WDS master. In
addition, only the primary WDS AP establishes WLSE security keys and registers
with the WLSE in order to interact with the WLSE. Only if the primary WDS
fails, the backup WDS takes up the role of an active WDS AP and goes on to
register with the WLSE and establish security keys. As long as the primary WDS
is active, the backup WDS functions as a normal AP that reports to the WDS
If I have three WDS APs and they all fail, does the failure only affect
WDS information, or all APs and clients? In other words, is the WDS a point of
failure for the wireless network?
A. If your WDS masters fail, all APs fail as well. However, if the APs
have all the configurations that are necessary for the AP to function
independently, the APs begin to work without the WDS when the WDS device
On one subnetwork, I have a WDS configured with a priority of 200 and a
WDS with a priority of 100. If the WDS master with a priority of 200 fails,
does the WDS with the priority of 100 become the master on the subnetwork?
A. In this case, the WDS master with the priority of 100 becomes the
master if this WDS is on the same subnetwork. If this WDS is on another
subnetwork, it does not become the master.
Does the show iapp rogue-ap-list command
in a Cisco 1200 AP provide any useful information when a Wireless LAN Solution
Engine (WLSE) is not in place?
A. No, this command only works in conjunction with the WLSE and when you
use the Location Manager in the WLSE.
I have a Cisco AP1200 configured for WDS. The AP hangs and does not
respond on the console or Telnet until I perform a power cycle. However, the AP
does not crash. Why does this happen?
A. This problem occurs due to Cisco bug ID
registered customers only)
. This problem occurs only
on the WDS AP when several wireless clients try to associate or roam. This
issue started in Cisco IOS Software Release 12.3(4)JA, but most problems are
reported in Cisco IOS Software Release 12.3(7)JA. The Wireless LAN Solution
Engine (WLSE) that sends out the Simple Network Management Protocol (SNMP)
query on the MAC spoofing event triggers the issue. The WDS AP records a number
of MAC spoofing events on at least two APs. In order to resolve this problem,
you must upgrade to Cisco IOS Software Release 12.3(8)JA or later.
Can a repeater AP support WDS?
A. Repeater access points do not support WDS. Do not configure a repeater
access point as a WDS candidate, and do not configure a WDS access point to
fall back to repeater mode in case of Ethernet failure.
Can a 350 series AP be configured as WDS access
A. You cannot configure a 350 series access point as a WDS access point.
However, you can configure 350 series access points to use the WDS access