James Oryszczyn President, TBJ Consulting LLC Break 1320 Wireless Infrastructure & Networking Best Practices

Upload: hugh-benson

Post on 25-Dec-2015


James Oryszczyn, President, TBJ Consulting LLC

Break 1320 Wireless Infrastructure & Networking Best Practices

Who Am I

• I am President of TBJ Consulting LLC

• I have been working on Network Infrastructure for over 15 years

Agenda

• Discuss Wireless Power Setting

• Discuss 2.4 GHZ and Wireless Interference

• Discuss Power Over Ethernet

• Discuss 802.11 B clients

• Discuss SSIDs and the recommended maximum

• Discuss Access Point Placement

• Discuss Switching Best Practices

Questions

• Who has Wireless Deployed

• Who is Planning or has deployed BYOD

• Has your Wireless Network Held up?

• What are your Concerns?

Wireless Best Practice: Full Power Is Not Better

Full power is not better……… You need to tune power

You are better off with more access points at less power

Why????? The strength of the radios in client devices

You will get poor performance with iPads, Kindles, etc.

They will hear the wireless signal and attempt to talk to it.

With high density, full power will cause issues (except Meru Networks)

Wireless Best Practice

Get rid of 802.11b clients….They will slow all wireless clients down to their speed……

Your 802.11n network will go back to 1998 technology…..

Most devices do not need this anymore………

Wireless Best Practice: In the 2.4 GHz Spectrum, Channel Planning is Huge

• You only have 3 channels that are not overlapping. Those channels are 1, 3 and 11.

• You have to do a site survey to see if other currently deployed wireless exists.

• Power again is key here; if you have everything at full power, they will cause interference

• A controller-based solution can help, but it is not perfect by any means
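The following is an added example, not part of the presentation, showing how to check a site survey for 2.4 GHz channel overlap between your own access points and the neighbouring networks you hear. The assumptions are mine: the usual 802.11b/g channel layout (centre frequencies 5 MHz apart starting at 2412 MHz for channel 1, 2484 MHz for channel 14, 22 MHz-wide channels) and a -80 dBm threshold for a neighbour worth worrying about; the survey rows, BSSIDs and AP names are constructed. It goes a little beyond the slide by deriving the non-overlapping channel set from the centre frequencies instead of taking it as given.

```python
"""Added example (not from the slides): flag 2.4 GHz channel overlap between your own
access points and neighbouring networks found during a site survey."""

# Assumptions (mine, not the presentation's): 802.11b/g channels are 22 MHz wide,
# centred 5 MHz apart starting at 2412 MHz for channel 1; channel 14 sits at 2484 MHz.
CHANNEL_WIDTH_MHZ = 22
NEIGHBOUR_CONCERN_DBM = -80   # assumed: neighbours weaker than this are ignored


def center_freq_mhz(channel):
    """Centre frequency of a 2.4 GHz channel number."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channels_overlap(a, b):
    """True when the two channels' 22 MHz footprints overlap."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(channels=range(1, 12)):
    """Greedy pick of mutually non-overlapping channels, lowest number first."""
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


# Constructed survey rows: (ssid, bssid, channel, rssi_dbm) as a scanner would report them.
SURVEY = [
    ("Neighbor-Guest", "00:11:22:33:44:01", 1, -62),
    ("Coffee-Shop", "00:11:22:33:44:02", 3, -75),
    ("Far-Away", "00:11:22:33:44:03", 6, -88),
    ("Printer-Direct", "00:11:22:33:44:04", 11, -70),
]

# Constructed channel plan for our own access points: (ap_name, channel).
MY_APS = [("AP-Library", 1), ("AP-Gym", 6), ("AP-Office", 11)]


def interference_report(my_aps, survey, threshold_dbm=NEIGHBOUR_CONCERN_DBM):
    """Return (ap_name, neighbour_ssid, kind) for every neighbour strong enough to matter
    that shares our channel ('co-channel') or overlaps it ('adjacent-overlap')."""
    findings = []
    for ap_name, ch in my_aps:
        for ssid, _bssid, nch, rssi in survey:
            if rssi < threshold_dbm:
                continue   # too weak to matter at this threshold
            if nch == ch:
                findings.append((ap_name, ssid, "co-channel"))
            elif channels_overlap(ch, nch):
                findings.append((ap_name, ssid, "adjacent-overlap"))
    return findings


if __name__ == "__main__":
    print("non-overlapping 2.4 GHz channels:", non_overlapping_set())
    for ap_name, ssid, kind in interference_report(MY_APS, SURVEY):
        print(f"{ap_name}: {kind} with {ssid}")
```

Lowering the threshold pulls the weak "Far-Away" network into the report, which is the knob to turn when a survey is done at the cell edge rather than next to the AP.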

Be Careful of Wireless Interference

• Microwave ovens: Using your microwave oven near your computer, Bluetooth device, or Wi-Fi base station may cause interference.

• Direct Satellite Service (DSS) RF leakage: The coax cable and connectors used with certain types of satellite dishes may cause interference. Check the cable for damage and obtain newer cables if you suspect RF leakage

• Certain external electrical sources such as power lines, electrical railroad tracks, and power stations.

• 2.4 GHz or 5 GHz phones: A cordless telephone that operates in this range may cause interference with wireless devices or networks when used.

• Video senders (transmitters/receivers) that operate in the 2.4 GHz or 5 GHz bandwidth.

• Wireless speakers that operate in the 2.4 GHz or 5 GHz band.

Be Careful of Wireless Interference Cont.…

• Certain external monitors and LCD displays: Certain displays may emit harmonic interference, especially in the 2.4 GHz band between channels 11 and 14. This interference may be at its worst if you have a portable computer with the lid closed and an external monitor connected to it. Try changing your access point to use 5 GHz or a lower 2.4 GHz channel.

• Any other "wireless" devices that operate in the 2.4 GHz or 5 GHz bandwidth (microwaves, cameras, baby monitors, neighbors' wireless devices, and so on).

Be Careful of Wireless Interference

Placement of Access Points is also important.

Do you have sand in your walls? A school I worked with did, and it drastically affected their wireless coverage. Make sure you understand what your walls are made of.

Metal studs in walls can also have an effect

Do not assume anything; trust but verify

Antennas are also important. External antennas allow you to adjust placement vs. internal antennas

Power over Ethernet or POE

You will need power for your access points; make sure you have POE switches (this might seem like duh, but it is very important)

A new POE standard exists called 802.3at (POE+); it allows for power up to 30 W. When purchasing new switches, make sure you have this. Some devices do use this.

Make sure you have POE on all ports; some switches only provide POE on limited ports.

Make sure you are using access points that use standards-based POE, otherwise you are stuck with power injectors and they can suck…..

Client Drivers

• In the wireless standards, clients determine which access point to connect to, not the access points

• Proprietary technology exists to force clients to certain access points

• Client drivers matter. If you are deploying a high density or controller-based solution, update your client drivers. It will make your life better and it will work much better.

• When you do have problems, this will be one of the first items someone will suggest you update.

Use WPA or WPA2 AES

• WPA with TKIP can limit the number of clients on an access point to 20

• Some devices such as iPads do not operate very well with TKIP

• Stay away from TKIP!!!!!!!!

Number of SSIDs

• Limit the number of wireless SSIDs that are in use

• Recommendation is to use 4 or less

• Why? Beacon and probe request/response traffic increases with the number of SSIDs, and performance will start to decrease. A single SSID can take up to 7-10% of the wireless traffic.

• If you have 5 SSIDs, 50% of the traffic can be taken up with management traffic.

• Some vendors have ways around this. If you need more than 4 SSIDs, ask your wireless vendor what they recommend.

• Also ask yourself, do you need more than 4???

Role of Multipath with 802.11n and Access Point Placement

• With legacy WiFi the best location for access points was very close and with an unobstructed visual line of sight

• 802.11n takes advantage of an RF effect called multipathing. Multipathing occurs when RF signals are reflected, refracted and otherwise bounced around a room. Legacy devices do not work well with this. 802.11n can take advantage of it: it uses multiple RF streams to transmit, which means you can double throughput.

• What this really means is you do not have to place access points in the middle of a room; it might make sense to put one in a corner.

How to Estimate AP Count

• A common question is how many clients can I connect to a single AP? The answer? The almighty IT answer for everything … It Depends….

The answer can change based on the following ….

• AP Hardware selection (Not all access points are made the same)

• How many people you want to get connected

• The mounting locations of the Access Points

• Performance metrics (applications, bandwidth, latency)

• Client capability and the estimated number of devices per AP

How to Estimate AP Count, Cont…

How quickly a client can get off the air will help determine how many clients per AP. An 802.11n client can transmit faster than a legacy 802.11a/b/g device.

The chart listed below is a reference on client speeds; actual throughput will be less. For example, a legacy 802.11g client can have a rate of 54 Mbps, but with the overhead of the TCP/IP packet it is more like 20 Mbps.

| Client Capability | Channel Width | Spatial Streams | Minimum PHY Rate | Maximum PHY Rate |
| --- | --- | --- | --- | --- |
| Legacy 802.11b | 20 MHz | 1 | 1 Mbps | 11 Mbps |
| Legacy 802.11g | 20 MHz | 1 | 1 Mbps | 54 Mbps |
| Legacy 802.11a | 20 MHz | 1 | 1 Mbps | 54 Mbps |
| 802.11n 1 stream client (1x1:1) | 20 MHz | 1 | 6.5 Mbps | 72.2 Mbps |
| 802.11n 1 stream client (1x1:1) | 40 MHz | 1 | 13.5 Mbps | 150 Mbps |
| 802.11n 2 stream client (1x1:1) | 40 MHz | 2 | 13 Mbps | 300 Mbps |

Example Number of Clients for a Classroom…

• I have seen, with all clients running 802.11n, the ability to have between 30 – 40 devices connected to 1 access point. Each device will only get about 3 Mbps and could experience delays at times.

• Some solutions can get more per access point (Meru, Ruckus, Aruba, because of beamforming or using only a single channel).

• You will need to be using at least 802.11n to get this many clients
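As an added example (my code, not from the presentation), here is a small airtime-based estimator that turns the chart's maximum PHY rates into a clients-per-AP figure. The assumptions are mine: about 37% of the PHY rate is usable (this reproduces the slide's 54 Mbps to roughly 20 Mbps figure), every client is given the same target throughput, and each client's share of the channel's airtime is target divided by its usable rate, so a slow client that stays "on the air" longer costs more of the cell. The chart's last row is keyed as a 2x2 client here, following its Spatial Streams column. The model extends the slide's single classroom case to any mix of client types.

```python
"""Added example (not from the slides): estimate clients per access point from the
PHY rates in the chart, using a simple airtime-share model."""
from fractions import Fraction
from math import floor

# Maximum PHY rates (Mbps) taken from the slide's chart.
PHY_MAX_MBPS = {
    "802.11b": Fraction(11),
    "802.11g": Fraction(54),
    "802.11a": Fraction(54),
    "802.11n 1x1 20MHz": Fraction(722, 10),
    "802.11n 1x1 40MHz": Fraction(150),
    "802.11n 2x2 40MHz": Fraction(300),
}

# Assumed (mine): the usable fraction of the PHY rate after protocol overhead.
# 37% reproduces the slide's "54 Mbps is more like 20 Mbps" figure.
USABLE_FRACTION = Fraction(37, 100)


def usable_mbps(client_type):
    """Throughput a client of this type can actually move when it owns the channel."""
    return PHY_MAX_MBPS[client_type] * USABLE_FRACTION


def airtime_share(client_type, target_mbps):
    """Fraction of the channel's airtime one client needs to sustain target_mbps."""
    return Fraction(target_mbps) / usable_mbps(client_type)


def clients_per_ap(client_mix, target_mbps):
    """How many clients fit on one AP (one channel) if each is to get target_mbps.

    client_mix maps client type -> fraction of the population (fractions sum to 1).
    Slower clients stay on the air longer, so they use up the cell faster."""
    mean_share = sum(Fraction(w) * airtime_share(t, target_mbps)
                     for t, w in client_mix.items())
    return floor(1 / mean_share)


def achievable_mbps_per_client(client_mix, n_clients):
    """Inverse view: the largest equal per-client throughput n_clients can all be given.

    From n * target * mean(1 / usable_rate) <= 1, target <= 1 / (n * mean(1 / usable_rate))."""
    mean_inverse_rate = sum(Fraction(w) / usable_mbps(t) for t, w in client_mix.items())
    return 1 / (mean_inverse_rate * n_clients)


if __name__ == "__main__":
    all_n = {"802.11n 2x2 40MHz": 1}
    mixed = {"802.11n 2x2 40MHz": 0.5, "802.11g": 0.5}
    print("802.11n 2x2 clients at 3 Mbps each:", clients_per_ap(all_n, 3))        # 37
    print("802.11g clients at 3 Mbps each:", clients_per_ap({"802.11g": 1}, 3))  # 6
    print("half n / half g at 3 Mbps each:", clients_per_ap(mixed, 3))           # 11
    print("30 802.11n clients each get about",
          float(achievable_mbps_per_client(all_n, 30)), "Mbps")                  # 3.7
```

The all-802.11n case lands at 37 clients for 3 Mbps each, inside the 30-40 range the slide reports from experience; adding a 50% share of 802.11g clients cuts the same cell to 11, which is the airtime effect the slide describes as "how quickly a client can get off the air".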

Site Survey or Not????

• By doing a site survey you can guarantee access point placement and coverage

• Most vendors can do a predictive survey

• Remember, predictive surveys are not perfect

• If you are doing a predictive survey, make sure you budget for extra access points

• With a predictive survey, make sure you give an accurate floor plan

• You will also need to have wall construction details available

• If you are going to support voice, make sure you tell that to the person doing the site survey

Wireless VOIP Best Practices????

• If you can, move phones to their own SSID and VLAN

• Use the 5 GHz band to place wireless phones in; avoid the 2.4 GHz range

• If you are supporting wireless phones, you will need to be at -65 dBm or less (we will get to what this means in the next slide)

• Do not put access points at full power; match your wireless phone's power to the power of the access point.

• Design with more access points; you will get fewer devices per access point and it will help with roaming

• You will need to enable QOS on the wireless access point

What does -65 dBm mean????

• dBm is the power ratio in decibels of the measured power referenced to one milliwatt.

• It is a measure of how much signal you have. The farther away you get, the lower the number

• Wireless phones and iPads work best with -65 dBm or less. This is important when designing wireless networks. You might have coverage, but if it is poor coverage it is no good.

• Make sure you understand your requirements so you have the best design.
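To put numbers on the dBm slide and on the earlier advice to match phone power to access point power, here is an added example (my code, not the presentation's). It converts between dBm and milliwatts with the definition above, checks survey readings against the -65 dBm target, and works through why the weaker radio sets the cell edge. The AP transmit power (20 dBm), phone transmit power (14 dBm), the 85 dB path loss and the survey readings are all constructed assumptions; antenna gains are ignored.

```python
"""Added example (not from the slides): dBm arithmetic and a coverage check against the
-65 dBm design target for voice and iPads."""
import math

VOICE_TARGET_DBM = -65   # the slide's design target; "or less" means at least this strong


def dbm_to_mw(dbm):
    """dBm -> milliwatts: P_mW = 10 ** (dBm / 10)."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    """milliwatts -> dBm: dBm = 10 * log10(P_mW)."""
    return 10 * math.log10(mw)


def meets_target(rssi_dbm, target_dbm=VOICE_TARGET_DBM):
    """A reading meets the target when it is numerically >= the target (less negative)."""
    return rssi_dbm >= target_dbm


def received_dbm(tx_dbm, path_loss_db):
    """Signal at the receiver after path_loss_db of attenuation (antenna gains ignored)."""
    return tx_dbm - path_loss_db


def max_path_loss_db(tx_dbm, target_dbm=VOICE_TARGET_DBM):
    """Largest path loss that still delivers target_dbm from a radio sending tx_dbm."""
    return tx_dbm - target_dbm


def coverage_summary(readings, target_dbm=VOICE_TARGET_DBM):
    """readings: {location: rssi_dbm} from a survey. Returns (fraction_ok, failing_locations)."""
    failing = sorted(loc for loc, rssi in readings.items()
                     if not meets_target(rssi, target_dbm))
    return (len(readings) - len(failing)) / len(readings), failing


# Constructed survey readings (not real data).
SURVEY_READINGS = {"Room 101": -58, "Room 102": -64, "Hallway": -67, "Gym": -72}

# Assumed radio powers (mine): a typical AP at 20 dBm, a handheld phone at 14 dBm.
AP_TX_DBM, PHONE_TX_DBM = 20, 14

if __name__ == "__main__":
    print(f"-65 dBm is {dbm_to_mw(-65):.3e} mW")
    loss = 85   # constructed path loss at the edge of a cell, in dB
    print("phone hears AP at", received_dbm(AP_TX_DBM, loss), "dBm")     # -65, looks fine
    print("AP hears phone at", received_dbm(PHONE_TX_DBM, loss), "dBm")  # -71, too weak
    print("design the cell edge for the weaker radio: max path loss",
          max_path_loss_db(PHONE_TX_DBM), "dB")
    print(coverage_summary(SURVEY_READINGS))
```

The asymmetry is the point of the "full power is not better" advice: at 85 dB of loss the phone still sees the AP at -65 dBm, but the AP only hears the phone at -71 dBm, so the usable cell edge is where the phone's 14 dBm has lost 79 dB, not where the AP's 20 dBm has. Every 3 dB is a factor of two in power, so -62 dBm is roughly twice the signal of -65 dBm.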

Wireless Troubleshooting Tools????

• If you are running Mac OS X 10.7, a wireless tool is built in. It can be launched from /System/Library/CoreServices/Wi-Fi Diagnostics.app

• It can monitor performance, capture data and Record events

• Can be a good tool for troubleshooting

For Windows, Xirrus has a free tool called Wi-Fi Inspector

• The Wi-Fi Inspector tool is located here: http://www.xirrus.com/Products/Wi-Fi-Inspector.aspx

• Can be used to test speed, quality and signal strength.

More Wireless Troubleshooting Tools????

• Wi-Spy from www.metageek.net is a great tool. It can identify WiFi problems and interference

• Metageek also has links to great tools, WiFi planners and heat map generators. They are located here: http://www.metageek.net/docs/wireless-networking-tools/

• Fluke has some great tools; the best tool is AirMagnet Wi-Fi Analyzer. You will pay, but it is a great tool.

Basic Wireless Security Best Practices????

• Put your wireless networks on a separate VLAN

• Guests should not be placed on a production network; put them on a separate VLAN that maps to a firewall or public Internet connection.

• If you have a directory service, authenticate your users with the Directory service. Most Wireless devices can take advantage of a Radius server.

• On Corporate networks, use WPA-Enterprise.

• With Guest access, place a disclaimer and require someone to accept it at least once a day.

• Disable SSID broadcasting for corporate networks

Wireless Controller Based SSID Design????

• Have Public Internet tunnel back to the controller and out a separate connection on the controller for security concerns. Do not place on production network.

• For Corporate connections, consider bridging the traffic at the local switch to increase speed and the number of devices.

• When utilizing a controller, if possible have two for redundancy and failover and place them in different locations if possible.

• Not all controllers are created equal, make sure you size your controller appropriately

• Read the Best Practices guide for your controller for optimal settings.

Wireless Future Planning 802.11 ac????

• It will be 5 GHZ only and will come in 2 phases

• Cisco has a slot for an add-in radio. (Speaker's opinion: to do it right, it will need to be an entirely new device. Translation: don't believe this sales tactic)

• It will combine channels in the 5 GHz range to deliver up to 1 GB throughput

• Will require POE+ Ethernet to power access points.

• Standard still being ratified. If you purchase today, you will need a firmware update to make it standards-based

• Will need to maintain 2 networks, one for 2.4 GHz devices and one for the 5 GHz devices

• Ask your Vendors what the path to 802.11 AC will be

Wireless Useful Resources!!!!!!

• Ruckus Wireless Design Guide for High Density Wireless is located here

• Cisco Wireless Design Guide for Higher Education is located here

• Cisco Wireless Controller Best Practices is located here

• Aruba Wireless Whitepapers and Design Guides are located here

• Juniper Wireless Design Guides and solutions are located here

In Closing: Wireless Considerations!!!!!!

• More power does not mean greater distance

• If possible, avoid broadcasting more than 4 SSID’s

• Do not use TKIP, it can limit the number of clients per Access Points

• If you are deploying VOICE, IPADS or a heavy use of WIFI Smart Phones, you will need to have -65 dBm or less.

• Guest Wireless Access should never touch your Production Network.

• If you have 802.11 b devices, remove them or disable 802.11 b on your Access Points

• Not all access points are created equal; make sure you understand what your client density will be to get the correct product.

Switching Best Practices!!!!!!

Spanning Tree

• Who can tell me what this does and why it is needed?

• Do all switch manufacturers enable it by default?

• How does it determine who is the master?

Network Infrastructure Best Practices!!!!!! Spanning Tree

• The most misconfigured item on the network

• Need to make sure you set the root bridge to your core

• Some switches (HP) come with spanning tree disabled

• Can lead to network loops and also high switch CPU

• If multi-vendor, make sure spanning-tree types match; if not, you will cause loops

• Should run Per-VLAN spanning tree; you can make better use of your uplinks

• Enable PortFast on all edge ports; it will allow devices to become active quicker

Spanning Tree Examples: HP

    ! Same MSTP Config name. Name is case sensitive.
    Core-1(config)# spanning-tree config-name "B10"
    ! Same MSTP Revision number.
    Core-1(config)# spanning-tree config-revision 1
    ! Same MSTP Instances definition
    Core-1(config)# spanning-tree instance 1 vlan 10 20 108
    Core-1(config)# spanning-tree instance 2 vlan 30 40
    ! Enables Spanning Tree
    Core-1(config)# spanning-tree
    ! Core-switch specific configuration:
    ! Core-1 is Root in Instance 1
    Core-1(config)# spanning-tree instance 1 priority 0

HP Spanning Tree White Paper

• http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/How_to_improve_and_harden_spanning-tree_configuration_Configuration_note_Dec_08_A4.pdf

Spanning Tree Examples: Cisco

    spanning-tree mode rapid-pvst
    spanning-tree portfast bpdufilter default
    spanning-tree vlan 10,14,18,40,190,212,216,220 priority 24576
    spanning-tree vlan 4,12,16,20,64,210,214,218,1000 priority 28672

On edge ports enable spanning-tree portfast. What is PortFast? It allows the port to become active faster than the traditional 60 seconds

    interface GigabitEthernet 1/0/11
     spanning-tree portfast

Cisco White Paper

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml

Spanning Tree Examples: Juniper

    set protocols vstp vlan 10 bridge-priority 16k
    set protocols vstp vlan 1000 bridge-priority 16k

Juniper PortFast

    set protocols stp interface ge-0/0/0.0 edge

White paper found here

http://www.juniper.net/us/en/local/pdf/implementation-guides/8010002-en.pdf

Layer 3 Routing

• If possible, use layer 3 on uplinks between the core and the closet.

• Layer 3 limits the need for spanning tree and avoids network loops

• Layer 3 also ensures fast failover if designed correctly.

• Will also cut down on broadcast traffic between switches.

• If you need a layer 2 VLAN on all of your switches, consider a separate uplink that carries that VLAN only.

VLANS!!!!!!

• Disable VLAN 1!!!!!! It is the default VLAN and hackers look for it.

• Use more than 1 VLAN for security and to separate traffic and devices

• Servers should have their own VLAN; wireless should have its own VLAN

• You can have too many VLANs….

• If you have more than 250 devices, you need more than 1 VLAN

VLAN Configuration Guides

Juniper VLAN Configuration
http://www.juniper.net/techpubs/en_US/junos9.4/topics/task/configuration/bridging-vlans-ex-series-cli.html

Cisco VLAN Configuration
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml

HP VLAN Configuration
http://www.hp.com/rnd/support/config_examples/primary_vlan.pdf

VLAN Security Issues (Why not to use VLAN 1)

• MAC Flooding Attack

• 802.1Q and ISL Tagging Attack

• Double-Encapsulated 802.1Q/Nested VLAN Attack

• ARP Attacks

• Private VLAN Attack

• Multicast Brute Force Attack

• Spanning-Tree Attack

• Random Frame Stress Attack

Switch Trunking Best Practices

• Make sure you use industry standards for VLAN trunks

• Make sure you set the native VLAN ID to something other than VLAN 1

• Make sure you prune switch trunks to only the needed VLANs

• You do not need all VLANs on all switches; remove the VLANs that are not needed.
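To make the spanning tree, VLAN 1 and trunk-pruning points above checkable, here is an added example (my code, not the presentation's and not a vendor tool) that audits an IOS-style configuration text for the items the slides call out: rapid-pvst or MST mode, an explicit bridge priority so the root is pinned to the core, trunks with a native VLAN other than 1 and a pruned allowed list, and access ports that are moved out of VLAN 1 and run PortFast. It also checks for BPDU Guard on PortFast ports, the usual companion to PortFast on edge ports (the Cisco example earlier uses bpdufilter, which silently discards BPDUs rather than err-disabling the port). The sample configuration is constructed; the command syntax follows Cisco IOS.

```python
"""Added example (not from the slides): audit an IOS-style switch configuration for the
spanning tree, VLAN 1 and trunk best practices discussed in the presentation."""
import re

# Constructed sample running-config (not from any real switch). Gi1/0/1 and Gi1/0/11 are
# configured the recommended way; Gi1/0/2 and Gi1/0/12 are left with the defaults.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20,30 priority 24576
!
vlan 10
 name Servers
vlan 20
 name Wireless
!
interface GigabitEthernet1/0/1
 description Uplink to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/2
 description Uplink to closet-2
 switchport mode trunk
!
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/12
 switchport mode access
 spanning-tree portfast
"""


def parse_interfaces(config_text):
    """Return {interface_name: [stripped stanza lines]} for each 'interface' block."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None   # '!' or any other top-level line ends the stanza
    return interfaces


def _first_int(lines, prefix):
    """Integer argument of the first stanza line starting with prefix, or None."""
    for line in lines:
        if line.startswith(prefix):
            return int(line[len(prefix):].strip())
    return None


def audit_config(config_text):
    """Return a list of (scope, finding) tuples; an empty list means nothing to fix."""
    findings = []
    mode = re.search(r"^spanning-tree mode (\S+)", config_text, re.M)
    if not mode or mode.group(1) not in ("rapid-pvst", "mst"):
        findings.append(("global", "spanning-tree mode is not rapid-pvst or mst"))
    if not re.search(r"^spanning-tree vlan \S+ priority \d+", config_text, re.M):
        findings.append(("global", "no explicit bridge priority, root bridge not pinned"))
    guard_default = re.search(r"^spanning-tree portfast bpduguard default",
                              config_text, re.M) is not None
    for name, lines in parse_interfaces(config_text).items():
        if "switchport mode trunk" in lines:
            if _first_int(lines, "switchport trunk native vlan ") in (None, 1):
                findings.append((name, "trunk native VLAN is 1"))
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                findings.append((name, "trunk not pruned, all VLANs allowed"))
        if "switchport mode access" in lines:
            if _first_int(lines, "switchport access vlan ") in (None, 1):
                findings.append((name, "access port left in VLAN 1"))
            if "spanning-tree portfast" not in lines:
                findings.append((name, "edge port without portfast"))
            elif not guard_default and "spanning-tree bpduguard enable" not in lines:
                findings.append((name, "portfast port without bpduguard"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_config(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run against a config pulled from the backup tool mentioned later in the deck, this gives a repeatable check that nobody re-added VLAN 1 or an unpruned trunk between audits; the global checks pass on the sample because the core has rapid-pvst and a low priority, while Gi1/0/2 and Gi1/0/12 each produce two findings.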

Backups

• How often do you backup your switches?

• Do you use a tool to automate your backups?

• Do you have an email notifying you of changes?

• A simple tool like a product called CATTOOLS can backup your environment and is low cost. http://www.kiwisyslog.com/kiwi-cattools-overview/

• Price is $750 plus maintenance.

Code Upgrades

• How often do you upgrade your switches?

• Do you use the recommended release when installing?

• Do you have a plan for when/how you upgrade your switches?

You should attempt to upgrade yearly

You should use the recommended release at that time

Cisco and Juniper have links to the recommended releases

They are no different than PCs; they need to be patched

Survey!!!!!!

If you provide me your business card I will provide you an assessment of your current wireless network and see if you are following best practices

Newsletter and Tech Tips

I write a monthly newsletter and send out weekly security tech tips. If you would like to get onto my list, please provide me with a business card.

Questions?????

Thank You…………

You can contact me at

[email protected]

262-363-9070