Aruba Instant & Cloud Wi-Fi

MVP
Posts: 2,932
Registered: ‎10-25-2011

Best Practice IAP deployment

[ Edited ]

Hello, I'll write up some best practices for IAP deployments, which I have read.

 

  1. Keep wired and wireless (clients) on separate VLANs. Do not mix wired clients and wireless clients in the same VLANs.
  2. Enable Broadcast filter if you are able to; one of the biggest issues on the wireless network is the broadcast.
  3. Enable Broadcast Filter ARP
  4. Enable Dynamic Multicast Optimization
  5. Enable AirGroup (for environments where there are many iOS devices)
  6. Enable: Drop bad ARP, Fix malformed DHCP and ARP poison check
  7. Protect wired port of IAP using firewall rules to prevent someone from assigning DHCP IPs to clients by connecting a rogue DHCP server into the wired port.
  8. Set any ACLs to classify Lync/Facetime or any other high priority traffic and disable scanning for the same.
  9. Try not to use the UNII-I band
  10. If you can, pick an IAP-135 to take advantage of the higher CPU capability
  11. Use a dedicated IAP mgmt VLAN for the VC
  12. Alter the user limit in the SSID to 64
  13. Set the local probe request threshold to 20dBm
  14. Enable fair access
  15. Use VLAN pooling

 

Just added SethFiermonti's best practices to the list!

If you have more best practices for IAP, please post them!

 

Cheers

Carlos

 

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
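
Item 7 in the list above concerns a rogue DHCP server on the wired side. As an added example (not part of the original posts and not Aruba code), this Python code parses a DHCP payload and flags server replies whose server identifier is not on an allow-list; the addresses, the allow-list and the `build_sample` helper are assumptions constructed for illustration.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"                       # DHCP magic cookie after the 236-byte BOOTP header
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def parse_dhcp(payload: bytes) -> dict:
    """Parse a DHCP UDP payload into op, yiaddr and an {option code: bytes} map."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options[code] = data
        i += 2 + length
    return {"op": payload[0], "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
            "options": options}

def rogue_dhcp_reply(payload: bytes, allowed_servers: set):
    """Return details of a server reply from an unlisted server, else None."""
    msg = parse_dhcp(payload)
    mtype = (msg["options"].get(53) or b"\x00")[0]
    if msg["op"] != 2 or mtype not in SERVER_TYPES:  # op 2 = BOOTREPLY
        return None
    sid = msg["options"].get(54, b"")                # option 54 = server identifier
    server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unknown"
    if server in allowed_servers:
        return None
    return {"type": SERVER_TYPES[mtype], "server": server, "offered": msg["yiaddr"]}

def build_sample(op: int, mtype: int, server: str, yiaddr: str) -> bytes:
    """Constructed test message (not a capture): minimal header plus options 53 and 54."""
    header = (bytes([op, 1, 6, 0]) + b"\x00" * 12
              + ipaddress.IPv4Address(yiaddr).packed + b"\x00" * 216)
    return (header + MAGIC + bytes([53, 1, mtype, 54, 4])
            + ipaddress.IPv4Address(server).packed + b"\xff")

if __name__ == "__main__":
    allowed = {"10.10.0.5"}                          # assumed legitimate DHCP server
    print(rogue_dhcp_reply(build_sample(2, 2, "192.168.1.1", "192.168.1.50"), allowed))
    print(rogue_dhcp_reply(build_sample(2, 2, "10.10.0.5", "10.10.20.7"), allowed))
```

A reply that carries no server identifier is reported with server `unknown` rather than silently passed.
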
MVP
Posts: 706
Registered: ‎12-01-2010

Re: Best Practice IAP deployment

Good start

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Best Practice IAP deployment

You can also:

 

- Use a dedicated IAP mgmt VLAN for the VC

- Alter the user limit in the SSID to 64

- Set the local probe request threshold to 20dBm

- Enable fair access

- Use VLAN pooling

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 34
Registered: ‎12-12-2013

Re: Best Practice IAP deployment

I'm currently in the process of setting up an Instant deployment. What's the reasoning behind not having wired and wireless clients on the same VLAN... because that's exactly what I was planning on doing. We have each dept separated into separate VLANs and are planning to give the ability for laptops to unplug and go wireless while staying on the same VLAN.

 

Thoughts?

 

Alex

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Best Practice IAP deployment

If your network is small, then there isn't any issue.  I am more concerned about the AP mgmt and having that segmented off on a mgmt VLAN.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 34
Registered: ‎12-12-2013

Re: Best Practice IAP deployment

I guess "small" is all about the perspective. We are around 400 employees and usually have between 300-600 connected devices, though many of those are cell phones that do very little. The planned Instant deployment is 55 APs. We have the mgmt on its own VLAN and the rest of the company separated into 6 other VLANs. Is the concern coming from having enough IPs or something else?

 

Alex

MVP
Posts: 2,932
Registered: ‎10-25-2011

Re: Best Practice IAP deployment

In WiFi it's always a good practice to have wired clients and wireless clients on different VLANs. And the reason for that is that the broadcast heavily affects the wireless. This is because of how it works... The wireless network is a shared medium and it's half duplex.
Remember that just one client can communicate with the AP at once. When a broadcast occurs, no one can send information at that time....

You can always enable broadcast filter, but as good practice I would have it in different VLANs... unless there is no other way.

Cheers
Carlos
----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Occasional Contributor II
Posts: 34
Registered: ‎12-12-2013

Re: Best Practice IAP deployment

I'm a little confused here. I understand the half-duplex nature of WiFi, but are you saying that while a client is communicating to an AP on say VLAN 100 that no other client, wired or wireless, can communicate on that VLAN? That doesn't sound correct to me...

 

Alex

Moderator
Posts: 681
Registered: ‎04-16-2009

Re: Best Practice IAP deployment

[ Edited ]

WiFi is half-duplex. As such, if a broadcast frame from the wired side, for example, comes into an AP, the AP must transmit that frame into the air. As WiFi is half-duplex, while it is transmitting that broadcast frame no wireless clients can transmit data to the AP. So, if you have a large, flat, L2 network with tons of broadcast traffic, WiFi becomes inefficient. Enabling broadcast limiting can help as the AP will drop broadcast rather than sending it out. This may, or may not, affect applications you are running -- depends on the app.

 

This only applies to the wireless side of the AP -- not the wired side.

MVP
Posts: 2,932
Registered: ‎10-25-2011

Re: Best Practice IAP deployment

Okay, you are misunderstanding what I'm saying...

WiFi is a shared medium; this means that just one client can access that medium at once...

Example (forget that you have a wired part here, let's just take a look at the wireless):

Let's say you have 5 clients connected to the wireless, and one AP.

Client 1 will transmit the data to the AP; while he is transmitting it, no one else can access the AP, just client 1.

When client 1 is done, then client 2 will start transmitting to the AP, and so on.

The conclusion here is that just 1 client can communicate with the AP at once... this means that the 5 clients are not transmitting at the same time to the AP; this does not happen.

 

 

Now let's see wired and wireless.

Let's say you have a wired computer, and it sends a broadcast!

This broadcast reaches the AP.

The AP starts sending this broadcast to each client.

He first sends it to client 1, then sends it to client 2, then sends it to client 3, and so on.

While this happens, no one on the wireless side can transmit! This really affects the wireless network... Broadcast is the enemy of the wireless network.

Broadcast filter can help, but it's better having it in different VLANs.

Do you understand me?

I know my English is not good :P but I try my best :)

 

Cheers

Carlos

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp