Controllerless Networks


Best Practice IAP deployment

  • 1.  Best Practice IAP deployment

    Posted Dec 10, 2013 01:07 PM

    Hello, I'll write up some best practices for IAP deployments, which I have read.

     

    1. Keep wired and wireless clients on separate VLANs. Do not mix wired clients and wireless clients in the same VLANs.
    2. Enable Broadcast Filter if you are able to; one of the biggest issues on a wireless network is broadcast traffic.
    3. Enable Broadcast Filter ARP
    4. Enable Dynamic Multicast Optimization
    5. Enable AirGroup (for environments where there are many iOS devices)
    6. Enable: Drop bad ARP, Fix malformed DHCP and ARP poison check
    7. Protect the wired port of the IAP using firewall rules to prevent someone from assigning DHCP IPs to clients by connecting a rogue DHCP server to the wired port.
    8. Set any ACLs to classify Lync/FaceTime or any other high-priority traffic and disable scanning for the same.
    9. Try not to use the UNII-1 band
    10. If you can, pick an IAP-135 to take advantage of the higher CPU capability
    11. Use a dedicated IAP management VLAN for the VC
    12. Alter the user limit in the SSID to 64
    13. Set the local probe request threshold to 20 dBm
    14. Enable fair access
    15. Use VLAN pooling

     

    Just added SethFiermonti's best practices to the list!

     

    If you have more best practices for IAP, please post them!

     

    Cheers

    Carlos

     

     


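Point 7 above is about keeping a rogue DHCP server on the IAP's wired port from handing out addresses. Firewall rules on the port are the prevention; a cheap complementary check is to watch for DHCP replies coming from any server that is not on your allow-list. The snippet below is an added example, not code from the original post or from Aruba: it parses a constructed, tcpdump -n style capture summary (the 192.168.5.9 replies are a made-up unauthorised server) and reports every DHCP server that answered but is not in the assumed allow-list `AUTHORISED_DHCP_SERVERS`.

```python
import re
from collections import Counter

# Constructed sample capture in tcpdump -n style (not real traffic). The
# replies from 192.168.5.9 simulate a rogue DHCP server plugged into the
# wired side; 10.20.0.1 is the assumed legitimate server.
SAMPLE_CAPTURE = """\
12:00:01.100 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 3c:07:54:aa:bb:cc, length 300
12:00:01.104 IP 10.20.0.1.67 > 10.20.0.77.68: BOOTP/DHCP, Reply, length 300
12:00:01.105 IP 192.168.5.9.67 > 10.20.0.77.68: BOOTP/DHCP, Reply, length 300
12:00:01.110 IP 10.20.0.1.67 > 10.20.0.77.68: BOOTP/DHCP, Reply, length 300
12:00:02.300 IP 192.168.5.9.67 > 10.20.0.81.68: BOOTP/DHCP, Reply, length 300
"""

# Assumed allow-list of DHCP servers for this example network.
AUTHORISED_DHCP_SERVERS = {"10.20.0.1"}

# A DHCP server reply (OFFER/ACK) travels from UDP port 67 on the server to
# port 68 on the client; capture the server's IP address.
REPLY_RE = re.compile(r"IP (\d{1,3}(?:\.\d{1,3}){3})\.67 > \S+\.68: BOOTP/DHCP, Reply")


def dhcp_reply_sources(capture: str) -> Counter:
    """Count DHCP server replies per source IP address seen in the capture text."""
    counts: Counter = Counter()
    for line in capture.splitlines():
        match = REPLY_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def rogue_dhcp_servers(capture: str, authorised: set) -> dict:
    """Return {server_ip: reply_count} for servers that answered DHCP but are not authorised."""
    return {ip: n for ip, n in dhcp_reply_sources(capture).items() if ip not in authorised}


if __name__ == "__main__":
    for ip, n in rogue_dhcp_servers(SAMPLE_CAPTURE, AUTHORISED_DHCP_SERVERS).items():
        print(f"unauthorised DHCP server {ip} sent {n} replies")
```

Run it against a real capture taken on the switch port behind the IAP (a span/mirror port or `tcpdump -n port 67 or port 68` on a monitoring host) and any server listed is either a misconfigured device or exactly the rogue DHCP case the firewall rule is meant to block.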

  • 2.  RE: Best Practice IAP deployment

    Posted Dec 10, 2013 05:48 PM

    Good start



  • 3.  RE: Best Practice IAP deployment

    EMPLOYEE
    Posted Dec 11, 2013 10:06 AM

    You can also:

     

    - Use a dedicated IAP management VLAN for the VC

    - Alter the user limit in the SSID to 64

    - Set the local probe request threshold to 20 dBm

    - Enable fair access

    - Use VLAN pooling



  • 4.  RE: Best Practice IAP deployment

    Posted Dec 12, 2013 11:02 AM

    I'm currently in the process of setting up an Instant deployment. What's the reasoning behind not having wired and wireless clients on the same VLAN... because that's exactly what I was planning on doing. We have each department separated into separate VLANs and are planning to give laptops the ability to unplug and go wireless while staying on the same VLAN.

     

    Thoughts?

     

    Alex



  • 5.  RE: Best Practice IAP deployment

    EMPLOYEE
    Posted Dec 12, 2013 11:04 AM

    If your network is small, then there isn't any issue. I am more concerned about the AP management and having that segmented off on a management VLAN.



  • 6.  RE: Best Practice IAP deployment

    Posted Dec 12, 2013 11:07 AM

    I guess "small" is all about perspective. We are around 400 employees and usually have between 300-600 connected devices, though many of those are cell phones that do very little. The planned Instant deployment is 55 APs. We have the management on its own VLAN and the rest of the company separated into 6 other VLANs. Is the concern coming from having enough IPs or something else?

     

    Alex



  • 7.  RE: Best Practice IAP deployment
    Best Answer

    Posted Dec 12, 2013 11:14 AM
    In Wi-Fi it's always good practice to have wired clients and wireless clients on different VLANs. And the reason for that is that broadcasts heavily load the wireless. This is because of how it works... The wireless network is a shared medium and it's half duplex.
    Remember that just one client can communicate with the AP at once. When a broadcast occurs, no one can send information at that time....

    You can always enable Broadcast Filter, but as good practice I would have it in different VLANs... unless there is no other way.

    Cheers
    Carlos


  • 8.  RE: Best Practice IAP deployment

    Posted Dec 12, 2013 11:29 AM

    I'm a little confused here. I understand the half-duplex nature of Wi-Fi, but are you saying that while a client is communicating to an AP on, say, VLAN 100, no other client, wired or wireless, can communicate on that VLAN? That doesn't sound correct to me...

     

    Alex



  • 9.  RE: Best Practice IAP deployment

    Posted Dec 12, 2013 11:42 AM

    WiFi is half-duplex. As such, if a broadcast frame from the wired side, for example, comes into an AP, the AP must transmit that frame into the air. As WiFi is half-duplex, while it is transmitting that broadcast frame no wireless clients can transmit data to the AP. So, if you have a large, flat, L2 network with tons of broadcast traffic, WiFi becomes inefficient. Enabling broadcast limiting can help as the AP will drop broadcast rather than sending it out. This may, or may not, affect applications you are running -- depends on the app.

     

    This only applies to the wireless side of the AP -- not the wired side.



  • 10.  RE: Best Practice IAP deployment

    Posted Dec 12, 2013 11:46 AM

    Okay, you are misunderstanding what I'm saying...

    Wi-Fi is a shared medium; this means that just one client can access that medium at once...

     

    Example (forget the wired part here; let's just take a look at the wireless)

    Let's say you have 5 clients connected to the wireless, and one AP

     

    Client 1 will transmit the data to the AP; while it is transmitting, no one else can access the AP, just client 1

    When client 1 is done, then client 2 will start transmitting to the AP, and so on.

     

    The conclusion here is that just 1 client can communicate with the AP at once... this means that the 5 clients are not transmitting at the same time to the AP; this does not happen.

     

     

    Now let's see wired and wireless

    Let's say you have a wired computer, and it sends a broadcast!

    This broadcast reaches the AP

    The AP starts sending this broadcast to each client

    It first sends it to client 1, then sends it to client 2, then sends it to client 3, and so on.

    While this happens, no one on the wireless side can transmit! This really affects the wireless network... Broadcast is the enemy of the wireless network.

     

    Broadcast Filter can help, but it's better having it in different VLANs

     

    Do you understand me?

    I know my English is not good :P but I try my best :)

     

    Cheers

    Carlos

     


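The two explanations above (posts 9 and 10) both come down to airtime: while the AP is putting a broadcast on the air, nobody else in the cell can send. Broadcasts are also sent at the lowest enabled basic rate, which is why the same frame costs far more airtime than a unicast to a fast client. The following is an added example, not code from the original thread or from Aruba: a deliberately simplified airtime model with assumed constants (36 bytes of MAC/LLC/FCS overhead per frame, a 192 µs long DSSS preamble for 802.11b rates and 20 µs for OFDM rates; ACKs, contention, retries and inter-frame spaces are ignored, so real airtime is higher). It shows the fraction of a second eaten by a given broadcast rate, how much that drops when the low basic rates are disabled (post 23's last point), and what it costs instead to deliver the same payload once per client as unicast, which is the idea behind converting multicast to unicast.

```python
"""Simplified airtime model for broadcast traffic in a half-duplex Wi-Fi cell.

Constructed illustration with assumed constants; not Aruba code.
"""

MAC_OVERHEAD_BYTES = 36            # assumed: 24 MAC header + 8 LLC/SNAP + 4 FCS
DSSS_RATES_MBPS = (1.0, 2.0, 5.5, 11.0)


def preamble_us(rate_mbps: float) -> float:
    """PHY preamble/header time: assumed 192 us long DSSS preamble for 802.11b
    rates, 20 us OFDM preamble for everything else."""
    return 192.0 if rate_mbps in DSSS_RATES_MBPS else 20.0


def frame_airtime_us(payload_bytes: int, rate_mbps: float) -> float:
    """Microseconds the medium is busy while one frame is on the air at the given rate."""
    bits = (payload_bytes + MAC_OVERHEAD_BYTES) * 8
    return preamble_us(rate_mbps) + bits / rate_mbps


def broadcast_airtime_fraction(frames_per_sec: float, payload_bytes: int,
                               basic_rate_mbps: float) -> float:
    """Fraction of every second during which no client can transmit because the AP
    is sending broadcasts at the lowest basic rate."""
    return frames_per_sec * frame_airtime_us(payload_bytes, basic_rate_mbps) / 1_000_000


def unicast_to_all_airtime_us(n_clients: int, payload_bytes: int,
                              client_rate_mbps: float) -> float:
    """Airtime to deliver the same payload once per client at that client's rate
    (multicast-to-unicast conversion); note it grows linearly with client count."""
    return n_clients * frame_airtime_us(payload_bytes, client_rate_mbps)


if __name__ == "__main__":
    # 50 broadcasts/s of 1500-byte frames: typical of a large flat L2 segment (assumed figure).
    for basic_rate in (1.0, 6.0, 24.0):
        frac = broadcast_airtime_fraction(50, 1500, basic_rate)
        print(f"basic rate {basic_rate:>4} Mbps: broadcasts consume {frac:.1%} of airtime")
    # Same 1500-byte payload unicast to 20 clients at 54 Mbps vs one broadcast at 1 Mbps.
    print(f"unicast to 20 clients @54 Mbps: {unicast_to_all_airtime_us(20, 1500, 54.0):.0f} us")
    print(f"one broadcast @1 Mbps:          {frame_airtime_us(1500, 1.0):.0f} us")
```

With the assumed numbers, 50 broadcasts per second at a 1 Mbps basic rate block the cell for over 60% of the time, while the same storm at a 24 Mbps basic rate costs under 3%; that is the quantitative reason behind both "keep wireless clients off the broadcast-heavy wired VLAN" and "disable lower data rates when there are no legacy clients". The unicast comparison also shows the trade-off of multicast-to-unicast conversion: cheaper than a 1 Mbps broadcast for a moderate number of clients, but its cost scales with the client count.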

  • 11.  RE: Best Practice IAP deployment

    Posted Dec 12, 2013 10:01 PM

    NightShade,

     

    that makes a lot more sense. This seems like more of a problem with larger subnets. I can't really see how a /24 subnet under normal use could produce enough broadcast traffic to even be noticeable. I can imagine that for large deployments and large subnets broadcast traffic could get really out of hand. I just wanted to make sure there wasn't something inherently different about an Instant group that makes mixed clients a big no.

     

    Alex



  • 12.  RE: Best Practice IAP deployment

    Posted Dec 12, 2013 10:05 PM

    It's just that I try to follow the best practices always... the network can be 5 users to 100,000 users, I don't care :P I'll configure it the best way I can.

    For example, a few months ago I installed 4 Instant APs for a small company, and yes, I followed all the best practices when deploying it.

     

    Cheers

    Carlos



  • 13.  RE: Best Practice IAP deployment

    Posted Jan 03, 2014 01:45 PM

    How come we don't see anything about:

     - IDS: what you have selected and the action to take // Me, I have that on High with Wireless Containment - Deauth.

     - Enable background spectrum monitoring

    That's all I got for now.



  • 14.  RE: Best Practice IAP deployment

    Posted Jan 07, 2014 03:48 PM

    What's the opinion on the Termination setting under security? Here is what the help gives:

     
    "Termination
    Enabling this feature can reduce network traffic to the external RADIUS server by terminating the authorization protocol on the AP.

    By default, with this feature disabled, for 802.1X authorization the client conducts an EAP exchange with the RADIUS server, and the AP acts as a relay for this exchange. When this feature is enabled, the AP itself acts as the authentication server. The AP terminates the outer layers of the EAP protocol, only relaying the innermost layer to the external RADIUS server.

    NOTE: AP termination is required when using LDAP for authentication, because LDAP doesn’t support EAP."
     
    In what situations is this useful? What problems can it cause?
     
     


  • 15.  RE: Best Practice IAP deployment

    Posted Jan 07, 2014 04:19 PM
    It is useful when the RADIUS server may not be able to handle the load of performing full EAP translation with each client, which can be at least 5-6 message exchanges. Doing termination reduces the authentication messages from each client to only 1 exchange.


  • 16.  RE: Best Practice IAP deployment

    Posted Jan 17, 2014 10:59 PM

    Yan, do you recommend always having termination on when it's possible?

    Or do you just recommend it in some specific scenarios? If so, which scenarios?

     

    Cheers

    Carlos



  • 17.  RE: Best Practice IAP deployment

    EMPLOYEE
    Posted Jan 28, 2014 03:25 AM

    Nightshade1,

     

    If it is easier for the RADIUS server to have a certificate, leave termination off. If the administrator is comfortable provisioning a server certificate for the IAP, the administrator can do that. There is no right or wrong answer.

     



  • 18.  RE: Best Practice IAP deployment

    Posted Mar 03, 2014 01:42 PM

    As for best practice IDS, my personal one would be: don't use it unless you really need it for some reason. Turning it on by default will probably cause issues at some point.



  • 19.  RE: Best Practice IAP deployment

    Posted Mar 03, 2014 02:54 PM

    BTW: point 9, do you mean U-NII Low / U-NII-1: 5.15-5.25 GHz?



  • 20.  RE: Best Practice IAP deployment

    Posted Mar 03, 2014 03:13 PM

    Yep

    I took this from an Instant AP deployment best practice document which was given to me by one of the SEs of Aruba Networks, and of course I asked permission before posting it in here.

     

    Now that you mention this point, I never asked him why we should avoid UNII band 1.

     

    Cheers

    Carlos



  • 21.  RE: Best Practice IAP deployment

    Posted Jan 17, 2015 10:06 AM

    In my experience fair access works best for high density environments but in low density environments where throughput is a concern, shouldn't preferred access be used?

     

    Additionally, what are everyone's thoughts on using background spectrum monitoring in the IAP-135/225s? Has anyone seen a performance hit from this?

     

    Would the benefit of ARM having spectrum data outweigh any hits on throughput?

     

    Thanks!



  • 22.  RE: Best Practice IAP deployment

    Posted Jan 19, 2015 04:24 PM
    I personally have not seen a performance hit on 135s and 225s when spectrum is enabled.


  • 23.  RE: Best Practice IAP deployment

    Posted Sep 14, 2017 03:44 PM

    Hi Carlos,

     

    Although this is an old post, I wanted to do my bit. I think other best practice points would be:

     

    • Don't leave min and max transmit power set to default; tweak them according to your deployment, especially in dense AP deployments.
    • Design your network for the 5 GHz band instead of 2.4 GHz, making 5 GHz transmit power 6 dB greater than 2.4 GHz transmit power. This has to do with the above point.
    • If there are no legacy clients in your network, disable lower data rates.


  • 24.  RE: Best Practice IAP deployment

    Posted Jan 07, 2014 03:51 PM

    That's true, we don't have anything on IDS/IPS recommendations...

     

    Any Aruba engineer can help us with those? :)

     

    Cheers

    Carlos