Controllerless Networks

Hi everyone,

We are a technology company who have about 120 people but 200 wireless devices in our head office (as some people have three wirless devices - a laptop, phone and tablet). We originally had a Meraki wireless setup but had very poor performance when more than about 15-20 devices were connected to an access point which included things like frequent drops, inability to reconnect and general poor thorouput. I have since ripped that out and have purchased four IAP-225 access points hoping that it would better handle our density. I can expand that to maybe 6 if necessary but that will involve some work in getting an electrician out to run more ceiling runs of Ethernet etc.

 

The access points are set up so that at any spot in the long/narrow building you can see 2-3 of them even with the power set as 12 min 18 max - maybe ~30-40 feet apart on average and I have attached the config. We are about 1/4 Mac laptops, 1/4 Windows laptops and 1/2 phones/tables which are 75/25 iOS to Android. We do run MS Lync but have wired Lync phones which handle most of the voip role of that.

 

Since we put in this setup about a week ago we have seen many issues where the clients drop into a status with an exclamation point and say Limited Connectivity until they manually disconnect and reconnect or they need to turn their wifi off and back on on an iPad to get connectivity back. We have tried various things including disabling OKC, disabling 80 and then even 40 Mhz on the 5Ghz band, turning on/off ClientMatch etc. I just noticed that there was a firmware update though - I had been clicking the button under Maintenance and it said there wasn't but I signed in and got 6.4.0.2-4.1.0.0_44004 yesterday which I've just deployed. I am hoping that helps.

 

After the firmware update I turned ClientMatch back on because given the long/narrow building I've been seeing that when people leave their desks to go to meeting rooms  they hang on to the access points and suffer poor performance etc.

 

I guess I am just trying to get a sense of how best to configure these points to get the best results for our ~200 wireless clients. Any advice would be appreciated as I went out on a limb ripping out the Meraki setup (which I had gone out on a limb choosing over controller-less Cisco a year and a half ago) by insisting that an Aruba setup would fix our issues with dropping and poor performance given our high density. For what it's worth most of our offices are only 20-30 people and the Meraki has been fine there - it is just in our device-heavy dense head office it was really crashing and burning.

I thought my config was attached but that doesn't seem to be working. Here it is:

 

version 6.4.0.0-4.1.0
virtual-controller-country AU
virtual-controller-key a4f13610012ea71ab3645937acefd7ae5cc058f16d5c6ee171
name Sydney-Wireless
virtual-controller-ip 172.20.23.249
virtual-controller-vlan 1 255.255.248.0 172.20.19.254
terminal-access
ntp-server 172.20.20.140
clock timezone Sydney 10 00
rf-band all

allow-new-aps
allowed-ap 18:64:72:c8:d8:e2
allowed-ap 18:64:72:c8:d8:06
allowed-ap 18:64:72:c8:d8:ae
allowed-ap 18:64:72:c8:d9:2c

 

arm
wide-bands none
min-tx-power 12
max-tx-power 18
band-steering-mode disable
air-time-fairness-mode preferred-access
client-aware
scanning
client-match
client-match nb-matching 20
client-match calc-threshold 1
client-match calc-interval 10

rf dot11g-radio-profile
spectrum-monitor

rf dot11a-radio-profile
spectrum-monitor

syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless

 

 

user Guest 29194ba5b29293dafe3735b8221510ff0ae09aff3a8080db portal

mgmt-user info 9c445c4072d147cc18ad712fb58e7245e6b0fc054471a157

wlan access-rule default_wired_port_profile
index 0
rule any any match any any any permit

wlan access-rule wired-instant
index 1
rule masterip 0.0.0.0 match tcp 80 80 permit
rule masterip 0.0.0.0 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit

wlan access-rule Infomedia
index 2
rule any any match any any any permit

wlan access-rule InfomediaR
index 3
rule any any match any any any permit

wlan ssid-profile Infomedia
enable
index 0
type employee
essid Infomedia
opmode wpa2-aes
max-authentication-failures 0
auth-server vm-ifm-dc01
rf-band all
captive-portal disable
dtim-period 1
inactivity-timeout 1000
broadcast-filter arp
dynamic-multicast-optimization
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 128
okc-disable

wlan ssid-profile InfomediaR
enable
index 1
type employee
essid InfomediaR
opmode wpa2-aes
max-authentication-failures 0
auth-server vm-ifm-dc01
rf-band all
captive-portal disable
dtim-period 1
inactivity-timeout 1000
broadcast-filter arp
dynamic-multicast-optimization
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 128
okc-disable
dot11r
dot11k

auth-survivability cache-time-out 24

 

wlan auth-server vm-ifm-dc01
ip 172.20.20.140
port 1812
acctport 1813
timeout 30
retry-count 5
key 6a7366de1e6cd0a30deefca3423732c9cd00cbbfa4e6e553

wlan captive-portal
background-color 13421772
banner-color 16750848
banner-text "Welcome to Guest Network"
terms-of-use "This network is not secure, and use is at your own risk"
use-policy "Please read terms and conditions before using Guest Network"
authenticated

wlan external-captive-portal
server localhost
port 80
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https

blacklist-time 3600
auth-failure-blacklist-time 3600

ids classification

ids
wireless-containment none

wired-port-profile wired-instant
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wired-instant
speed auto
duplex auto
no poe
type guest
captive-portal disable
no dot1x

wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan all
native-vlan 1
shutdown
access-rule-name default_wired_port_profile
speed auto
duplex full
no poe
type employee
captive-portal disable
no dot1x

enet0-port-profile default_wired_port_profile

uplink
preemption
enforce none
failover-internet-pkt-lost-cnt 10
failover-internet-pkt-send-freq 30
failover-vpn-timeout 180

airgroup
disable

airgroupservice airplay
disable
description AirPlay

airgroupservice airprint
disable
description AirPrint

Try turning on "Broadcast Filter ALL" on both of your SSIDs.  If your wired and wireless clients are sharing the same layer-2 VLAN, that would deal with alot of broadcasts that are leaking from the wired network onto the wireless and causing contention.

 

Start with that.

 

Thanks to you both - I made the two changes you advised. Between those and the new firmware fingers crossed for Monday :)

alwaysanon,

 

The local probe threshold setting should only be changed if you have problems with roaming.  You should leave that set to zero.  Only change one thing at a time...

Our first day with the new firmware and that broadcast setting looked pretty good. I heard very little complaining and it seemed to hold up well to ~125 wireless clients which ClientMatch balanced pretty evenly across the 4 APs.

 

This was a bit of a slower day so I'll let you know when we have a day with more devices but so far I am impressed.

alwaysanon,

 

Did you get a chance to take a look at the Utilization during peak times?  Please take a look at the link here for some statistics that you can take a look at in an IAP: http://www.arubanetworks.com/techdocs/Instant_40_WebHelp/InstantWebHelp.htm#UG_files/Instant_user_interface/Monitoring.htm

 

I would look at setting the local probe request threshold to 25 and perhaps 30 if there's no improvement after that.