Hello Vladislav, <o:p></o:p>
Regarding 802.3af PoE. <o:p></o:p>
Yes, according to the specifications this the only restriction. With 3x3:3 MIMO you can achieve a maximum data rate of 450Mbps however only if you are using 40MHz channels. With 2x2:2 MIMO and 40MHz channels the max data rate is 300Mbps.<o:p></o:p>
It is an industry accepted best practice to not use 40MHz in 2.4GHz band in enterprise environment because there are only 3x non-overlapping 20MHz channels and bonding any 2 of them causes co-channel interference (CCI). In home environments 40MHz channels in 2.4GHz are mostly used although CCI can also be an issue and will also affect the throughput. <o:p></o:p>
When using 20MHz channels and 3 spatial streams (3x3:3) the maximum data rate is 216Mbps and when using 20MHz and 2 spatial streams (2x2:2) it is 144Mbps. Again, this are data rates, and the real throughput is only about 50 to max 70 percent of the data rate. So if you want/need to use 20MHz channels there will be a throughput cap. With 40MHz channels the data rate may be acceptable but the throughput may be affected by CCI.<o:p></o:p>
I think it will depend on the capabilities of your client population; do you have a lot of 2.4GHz only clients. How many spatial streams do they support. The majority of the client devices have a 2x2:2 radios. Only high-end enterprise class laptops may have 3x3:3 but they will also for sure also support 5GHz.<o:p></o:p>
<o:p> </o:p>
Would the throughput increase if you setup an external RADIUS server? <o:p></o:p>
Assuming that you are using WPA2-Personal (called Preshared Key here) now and Access Control is disabled so that the APs are bridging the traffic directly to the switch, there will be no increase of the throughput when using 802.1x and RADIUS server instead. There will be certainly a huge increase of the security level and that's why this mode is called WPA2-Enterprise. The forwarding path will remain the same. <o:p></o:p>
With 802.1x and RADIUS server, the encryption keys (PMKs) are generated dynamically at the client and RADIUS as a byproduct of the 801.1x EAP authentication. For every user and every new authentication new dynamic keys are generated. With WPA2-Preshared Key on the contrary, the controller and all the clients must be preconfigured with the same static preshared key. This introduces the risk that the preshared key can be compromised. Of course dynamic pairwise transient keys are also created for every new association but they are based on the static PMK. That's why with WPA2-Preshared key, captured wireless traffic can be decrypted if the intruder knows the static preshared key and can capture the 4 way handshake. This is not possible or much more difficult with 802.1x/RADIUS. But as I said, this will not affect the throughput in any way. The encryption by itself is the same it is WPA2 AES.<o:p></o:p>
Is there any other way to set up dynamic key and not have neither RADIUS nor AD running for simplicity's sake?<o:p></o:p>
As explained above the EAP protocol requires the interaction with an EAP capable RADIUS server and as a by-product of this interaction (apart from authentication) dynamic encryption keys are created. If I remember correctly the controller has also an internal user database which can also be used for EAP. However I am not sure if it can work without "Use Controller for Access Control". "Use controller for Authentication" has to be enabled for sure. Maybe you can test if you are curious and have time.<o:p></o:p>
But I don't see any benefits for the throughput by enabling "Fast wireless roaming/WPA2 opportunistic key caching". This option is only useful when using 802.1x/RADIUS and not intended for PSK. The time that it takes for a wireless client to connect is different with WPA2 PSK and WPA2 Enterprise. With WPA2-PSK there is a limited number of frames which are exchanged only between AP and client, and it takes less than 50ms. With WPA2 Enterprise, the client starts an EAPOL multiple frame exchange with the AP, then the AP (or the controller) starts a RADIUS interaction with a RADIUS server. These exchanges can take about 700ms to more than 1 second (depending on latency to the RADIUS server). If a client has to do the full EAP/RADIUS exchange with every AP it roams to, this will severely affect the roaming because there is no traffic for about 1 second and time sensitive application will be affected. The goal of WPA2 opportunistic key caching is to avoid the full RADIUS authentication with every AP while roaming. The client must perform only a single full authentication, then the controller will distribute the key created at the first authentication to all APs and subsequent roams to other APs will require only a short handshake instead of the full authentication. <o:p></o:p>
WPA2-PSK has by default connection and roaming times which are similar to the roaming times with WPA2 opportunistic key caching. So I don't see any increase in throughput or even in roaming by using WPA2 with 802.1x/RADIUS instead of WPA2 Preshared Key. The only increase would be in security but of course it also adds complexity.<o:p></o:p>
I'm still not entirely sure my setup is currently a local breakout or distributed?<o:p></o:p>
Based on your description the traffic should be distributed now. All traffic of wireless clients is decrypted and translated to 802.3 Ethernet frames by the AP. The AP then forwards the Ethernet frames directly to the switch where it is switched or routed. <o:p></o:p>
Maybe you can connect a client to a certain AP, note the wireless MAC of the client and check with show mac-address <wireless-mac> in the switch CLI on which port exactly the MAC was learned. If it is the port where the AP is connected, this confirms that we have distributed forwarding. In centralized forwarding (use controller for AC) the MAC should appear on the MSM720 internet port.<o:p></o:p>
You could even configure a port-mirroring and mirror all the traffic of the AP port to another switch port. If you connect a laptop with Wireshark to the other port, you would be able to see if the packets of the client are captured there. You should be able to see DHCP, ARP, DNS etc.<o:p></o:p>
With "use controller for Access Control" basically the AP is tunneling all wireless frames to the controller. The controller is doing decryption, translation to Ethernet and routing or switching.<o:p></o:p>
Original Message:
Sent: Feb 09, 2023 06:29 PM
From: tachev
Subject: MSM720 + 3500yl + HP560s performance issues
Hi Emil,
so some great news - finally got the time to dig through settings again and managed to disable access control globally (after first disabling it on all VSCs manually) and post-sync the throughput via speedtest jumped to a solid 300-350-380Mbps down, 100 up (my uplink is capped at 1G down/100Mbit up, so the ISP is clipping my wings there). It does occasionally spike to 400-430Mbps down, though I'm assuming this is hitting some CDN or cache partially and then fetching resources from the original server or something. Either way, I couldn't be happier. Especially since the link speeds are capped at 780-866Mbps, so basically 50% of the max throughput.
I've got a couple more questions that probably won't be a clearcut yes/no's so I hope you'd be able to give me your "best guess" based on your experience:
- As we discussed the POE switch is just 802.3af and caps out at 13W per device. I could replace it for a smaller 802.3at one to unblock that extra watt or two out of the built-in injector, but the question is would this help in any way in reality? Like, if I read the specs of the 560's correctly the only downside of using the af-standard is that the 2.4GHz radio works at 2x2:2 MIMO instead of it's full 3x3:3, but the 2.4GHz radio is capped at 802.11n, which I guess means max 450Mbps link speed, so realistically I don't think I'll ever get any higher practical throughput. Is there any point in looking for like a 2910 or something similar, besides potentially cutting some on the electricity bill (the 3500yl idles at like 350watts when POE is enabled...)
- I'm surprized how much the throughput increased by dropping the access control entirely from the MSM720.
I'm wondering if I were to set up a RADIUS server (which probably means I'd need to set up a full-time running AD domain with an NPS and all that shebang supporting the RADIUS) but if I did, would there be any reason the throughput could increase any further? I might try it out in the future regardless so I play again with the tech from back in the day of my MCSEs, but nonetheless knowing it might have some real benefit could motivate me to do so sooner rather than later.
- To the previous point I noticed there is an option for fast wireless roaming, which, however, requires me to set the key on the VSCs to be dynamic, which means I guess RADIUS or AD+NPS. Is there any other way to set up dynamic key and not have neither RADIUS nor AD running for simplicity's sake?
- All things said and done, I'm still not entirely sure my setup is currently a local breakout or distirbuted - does it suffice to just not use the controller for access control? If I understand correctly using the controller for AC forces traffic to be routed through the controller, which in turn capped the throughput? Or am I missing something else?
Thanks again for all your help!
Cheers,
Vlad