AP's, pfSense, VLANs, 802.11ax, no cloud ..

[Alpha 007]

I currently have a rather complex network with a pfSense router, multiple switches (including PoE+), 4xCisco WAP581 APs, 6 VLANs and everything wired with CAT7 cables. We are 7 people that uses the network heavily. In addition we have about 100 devices on the network. The Cisco APs have never been great with weird crashes and now one of them is dying (needs power cycling every 2 days). I am tired of them and they need to go. We have thick walls that greatly attenuates 5GHz signals and thus more APs than most other homes.

Thus I am looking for replacement APs:

- Just APs (no router)
- Must allow multiple VLANs (at least 6)
- Wired infrastructure
- PoE powered
- Must support some form of fast handover when roaming
- 802.11ax
- Locally managed (no cloud stuff)
- Not designed in china

Any advice in 2022?

 

[thiggins]

Search for posts by @Trip. His advice is always spot on.

 

[L&LD]

Advanced search results | SmallNetBuilder Forums (snbforums.com)

 

[coxhaus]

How are your cisco WAP581 being powered? More than likely it is a POE+ power problem. I had this kind problem with my Cisco WAP371 APs when I first set them up. They were not stable and ran slow because of lack of power.

 

[Alpha 007]

How are your cisco WAP581 being powered? More than likely it is a POE+ power problem. I had this kind problem with my Cisco WAP371 APs when I first set them up. They were not stable and ran slow because of lack of power.

I use a Cisco SG350-10MP PoE switch that is capable of delivering 124W. The WAP581's are specified at 18W peak power. It looks like peak power usage is 18-22W depending on which access point I am looking at (it is odd that the APs with the longest cables use the least power but perhaps Tx power is adaptive). Thus there should be enough of power (especially since they are never used heavily at the same time). I have checked out the SG350 and power consumption is never very high (80W peak), the statistics never show any problems and there is nothing in the logs on the switch about power issues. I have also disabled some of the APs to check that power is not a issue - that does not solve the problems. One of the WAP581 also sometimes switches to channel 4 or 15 on the 5GHz band ... weird as there is neither a channel 4 nor 15 in the 5GHz band.

I can see in the community posting that there are other that have problems with the WAP581 in a home network setup. It was hinted a year ago that Cisco allowed select people to test a new firmware version that is to fix a problem that sounds similar to mine. However no new firmware has been released for a long time. At this point I have reached the point where I have invested too much time in getting it to work. I just want to move on to something that works (don't we all?)

Right now I am thinking about getting a bunch of Unify access points but the Wifi 6 models are sold out in Europe. I hear good things about the Unify AP's.

 

[coxhaus]

Looking at the POE+ on my SG350-10MP it looks like I only have enough power for 2 WAP581. My SG350-10P switch shows I have 62 watts available total and I am using 52 watts with 2 WAP581 APs. So less than 80 watts seems low to me for power for 4 APs. You might try changing to CAT6 or "a" and not use CAT7 as there is no standard and there are a lot of crap CAT7 cables coming out of China.

Sorry I have a SG350-P now. My old switch was a SG300-10 MPP.

PS
The last firmware was April of last year. All your Cisco APs need to be for the same region or they won't work right. Where are you located? Can you take a picture of the bottom of your units for me?

 

[degrub]

I use a Cisco SG350-10MP PoE switch that is capable of delivering 124W. The WAP581's are specified at 18W peak power. It looks like peak power usage is 18-22W depending on which access point I am looking at (it is odd that the APs with the longest cables use the least power but perhaps Tx power is adaptive). Thus there should be enough of power (especially since they are never used heavily at the same time). I have checked out the SG350 and power consumption is never very high (80W peak), the statistics never show any problems and there is nothing in the logs on the switch about power issues. I have also disabled some of the APs to check that power is not a issue - that does not solve the problems. One of the WAP581 also sometimes switches to channel 4 or 15 on the 5GHz band ... weird as there is neither a channel 4 nor 15 in the 5GHz band.

I can see in the community posting that there are other that have problems with the WAP581 in a home network setup. It was hinted a year ago that Cisco allowed select people to test a new firmware version that is to fix a problem that sounds similar to mine. However no new firmware has been released for a long time. At this point I have reached the point where I have invested too much time in getting it to work. I just want to move on to something that works (don't we all?)

Right now I am thinking about getting a bunch of Unify access points but the Wifi 6 models are sold out in Europe. I hear good things about the Unify AP's.

if you have a SG350-10MP or -10P and using 18-22 W per AP ( 4x18=72 W), then it looks like insufficient power according to the spec sheet -

Cisco Sx350 Series Fully Managed Switches Product Specifications

This article aims to show the product and hardware specifications of the Sx350 Series Fully Managed Switches.

www.cisco.com

Did you mean SG355-10P ?

 

[coxhaus]

Cisco network gear works if you are within spec or they will fix it.

PS
I am running 1.0.4.4 firmware on my Cisco WAP581 as I just looked. I don't see it out there now. I see 1.0.3.1.

 

[Alpha 007]

Weird. Here the spec on the SG350-10MP says 124W:

Cisco SG350-10 10-Port Gigabit Managed Switch - Cisco 350 Series Managed Switches Data Sheet

Cisco 350 Series Managed Switches Data Sheet

www.cisco.com

And later:

Here is the switch:

And the POE event counters which indicates no overload events:

All of the APs are european versions running 1.0.4.4 in a "single point setup". To run a "single point setup" all have to be same version and region (I am located in Denmark). Here are the labels on the WAP581s:

(continued as a post can only contain 5 images)

 

[Alpha 007]

WAP581s continued:

Two of the APs have sequential serial numbers.

I have a 180W HP PoE switch that I am not using because of fan-noise. I will try that. As for switching from Cat 7 to 6a that will be a very large task. I am fairly confident when it comes to my cables as they allow me to run full speed 10GBase-T. I have tested it up to 60m. Obviously it is not the same as being able to transfer power but they are from a reputable german company.

 

[coxhaus]

Your WAP581 APs look to be all European so they should work in Europe.

Just because CAT7 will work for data does not mean it will work for POE+ power. I would not go the CAT7 route.

What does your Cisco SG350-10MP GUI on the switch say under POE? It should list the max POE+ power and what is used and what is remaining.

What I don't know is why firmware 1.0.4.4 was pulled. It seems to work fine for me.

 

[Alpha 007]

What does your Cisco SG350-10MP GUI on the switch say under POE? It should list the max POE+ power and what is used and what is remaining.

Here is the consumption for the past 24h:

Here are the devices:

(GE7 is an old WAP121 dealing with some special devices)

And here are the sums:

I assume that consumed power is actually total reserved power and not what is being used right now. Because it stays at 107W all the time even though the power usage on each port may change. As you can see here is says 128W ... a bit more than in the spec.

I have now moved one of the APs to a different PoE switch. That drops consumed power to 81W and leaves 47W available.

What I don't know is why firmware 1.0.4.4 was pulled. It seems to work fine for me.

The 1.0.4.4 is still there. It is just not listed as the latest release. But you can find it under "All releases" and given that it solved a number of security issues it is weird that it is (still) not listed as "latest release".

 

[coxhaus]

(GE7 is an old WAP121 dealing with some special devices)


I have now moved one of the APs to a different PoE switch. That drops consumed power to 81W and leaves 47W available.

These are the 2 things that bother me now. I would try removing the WAP121 AP. It can be causing issues with the WAP581 APs. I have heard of this. Can't you just add another SSID and VLAN to support what the WAP121 is doing. Maybe VLAN it off? So, no trunk usage. It needs to not be able to respond to any WAP581 communication. Cisco WAP581 APs only work with like Cisco WAP581 APs.

Is that other switch a Cisco POE+ switch? Power usage should not drop.

If none of this then we are back to testing CAT7 cables with POE+. The longer the cable runs the better the cable needs to be.

Firmware 1.0.4.4 just was released a couple of months ago.

 

[Alpha 007]

I would try removing the WAP121 AP. It can be causing issues with the WAP581 APs. I have heard of this. Can't you just add another SSID and VLAN to support what the WAP121 is doing. Maybe VLAN it off? So, no trunk usage. It needs to not be able to respond to any WAP581 communication. Cisco WAP581 APs only work with like Cisco WAP581 APs.

Getting rid of it right now is not an option. I bought it because the crappy wifi in the temperature control system in my apartment would not connect to the WAP581 when I enabled setting X ... where X is a setting in the AP that I have forgotten (obviously I should have written it down). It didn't matter that I was not enabling it for a different SSID than the temperature controller was using. So I bought a cheap AP - the WAP121. However I will replace it sometime in the future as Cisco has stopped providing software updates to it.

I will move the management interface on the WAP121 to a different network. It will take a bit of time though.

Is that other switch a Cisco POE+ switch? Power usage should not drop.

The power dropped on the SG350 when I moved one (now two) APs to another PoE+ switch. I had an unused HP 1920S switch (JL384A - 185W PoE+). I hate it due to the fan noise and because of the crappy user interface (used to like the HP OfficeConnect switches, now no longer). So now I have two APs on the SG350 and two APs on the 1920S.

If none of this then we are back to testing CAT7 cables with POE+. The longer the cable runs the better the cable needs to be.

Now two APs are on CAT6. Replacing the rest will be very expensive. I have about 1km CAT7 in the walls (for all kinds of devices) ... :-(

 

[coxhaus]

Getting rid of it right now is not an option. I bought it because the crappy wifi in the temperature control system in my apartment would not connect to the WAP581 when I enabled setting X ... where X is a setting in the AP that I have forgotten (obviously I should have written it down). It didn't matter that I was not enabling it for a different SSID than the temperature controller was using. So I bought a cheap AP - the WAP121. However I will replace it sometime in the future as Cisco has stopped providing software updates to it.

... :-(

What do you mean by not connecting? So, it pulls a DHCP IP address but if you set a setting then it won't pull an IP address? Where does your DHCP run from? And yes, what setting?

So let me know if you still have the exact same problems now that you moved 2 APs. I hate running those loud wiring closet switches also. Let's see if we see a difference. You know there is a higher spec POE power than at and it is bt.

Silly question but none of your CAT7 runs are longer than 100 meters, right?

 

[Alpha 007]

What do you mean by not connecting? So, it pulls a DHCP IP address but if you set a setting then it won't pull an IP address? Where does your DHCP run from? And yes, what setting?

No it wouldn't even get an IP address. There would be nothing in the log on that WAP581.It was one of the wireless network settings like WMF, Band Steer, PMF, etc. But which one I don't remember. Everything worked but this single device. I found some info in a forum on it and other people had a similar problem. It was very weird that a setting on one SSID could affect the others. But which one ... I don't remember. I worked with for a week and then I gave up. I just got a cheap AP, created a separate SSID and put the device on that. It communicates very little so not a big issue.

I use pfSense for routing, VPN, DHCP, etc. on a home build box. Works very well but need to upgrade it to be able to run 10Gbe (right now I have a multihomed NAS server to ensure users can access it at 10Gbe) but it is a complex setup.

You know there is a higher spec POE power than at and it is bt.

Yes, but the WAP581 only supports 802.03.af and 802.03.at. I am in no rush to get yet another POE switch.

Silly question but none of your CAT7 runs are longer than 100 meters, right?

No. But I have 47 network outlets - most of them dual ... that is how I ended up with about 1km in the walls. About half of them are in use. The longest cable run is about 40m. To test that it works on longer cable runs I just looped it back through another plug.

So let me know if you still have the exact same problems now that you moved 2 APs.

Will do. Thank you for you help.

 

[Trip]

@Alpha 007 - I've been eyeing this thread since the mention from @thiggins. Since it appears you're still troubleshooting the current setup, I won't interject suggestions for other gear yet, but should you fail to get anywhere with the Cisco WAP's, feel free to @ mention me and I'll jump back in.

 

[coxhaus]

No it wouldn't even get an IP address. There would be nothing in the log on that WAP581.It was one of the wireless network settings like WMF, Band Steer, PMF, etc. But which one I don't remember. Everything worked but this single device. I found some info in a forum on it and other people had a similar problem. It was very weird that a setting on one SSID could affect the others. But which one ... I don't remember. I worked with for a week and then I gave up. I just got a cheap AP, created a separate SSID and put the device on that. It communicates very little so not a big issue.

I use pfSense for routing, VPN, DHCP, etc. on a home build box. Works very well but need to upgrade it to be able to run 10Gbe (right now I have a multihomed NAS server to ensure users can access it at 10Gbe) but it is a complex setup.



Yes, but the WAP581 only supports 802.03.af and 802.03.at. I am in no rush to get yet another POE switch.



No. But I have 47 network outlets - most of them dual ... that is how I ended up with about 1km in the walls. About half of them are in use. The longest cable run is about 40m. To test that it works on longer cable runs I just looped it back through another plug.



Will do. Thank you for you help.

How about hard coding an IP address in the thermostat and see if it works with the WAP581?
I don't care for band steering so I have it off.
I assume you are running single point setup with your WAP581? You set 1 up and join the rest.

 

[Alpha 007]

How about hard coding an IP address in the thermostat and see if it works with the WAP581?

It does not even allow that. It accepts an SSID and then either no security, WEP or WPA and a password. No manual IP address. It does not accept any incoming requests - all it does is to connect to some cloud service for interaction with mobile devices. The only good thing about that is that the attack surface for any hacker on the device is very small. BTW here in northern Europe cooling down houses is not really an issue - nature takes care of that. Thus heating is done through old fashioned radiators with hot water in each room. The device collects temperatures from sensors in each room and controls valves for each radiator to ensure that each room gets whatever temperature selected for that room. Playing around this stuff in the middle of winter is a no go (even though the device does work without internet connection).

At the time when I was troubleshooting it I put wireshark on the communication from the AP using port mirroring. Nothing was sent.

I assume you are running single point setup with your WAP581? You set 1 up and join the rest.

Yes. That works very well except that it is pretty random if devices associated with other APs in the group show up on the clients page in the UI. Not a big issue though.

So far all AP's are working fine.