
Wireless Infrastructure & Networking Best Practices
Who Am I
• I am President of TBJ Consulting LLC
• I have been working on Network Infrastructure for over 15 years

Agenda
• Discuss wireless power settings
• Discuss 2.4 GHz and wireless interference
• Discuss Power over Ethernet
• Discuss 802.11b clients
• Discuss SSIDs and the recommended maximum
• Discuss access point placement
• Discuss switching best practices

Questions
• Who has wireless deployed?
• Who is planning or has deployed BYOD?
• Has your wireless network held up?
• What are your concerns?

Wireless Best Practice
Full Power Is Not Better
Full power is not better; you need to tune power.
You are better off with more access points running at less power.
Why? Because of the strength of the radios in client devices.
You will get poor performance with iPads, Kindles, etc. They will hear the wireless signal and attempt to talk to it, but their lower-power radios cannot reach back to the access point.
With high density, full power will cause issues (except Meru Networks).

Wireless Best Practice
Get Rid of 802.11b Clients
Get rid of 802.11b clients. A single one will slow all wireless clients on that access point down to 802.11b speeds.
Your 802.11n network will go back to 1998 technology.
Most devices do not need this anymore.

Wireless Best Practice
In the 2.4 GHz Spectrum, Channel Planning Is Huge
• You only have 3 channels that do not overlap. Those channels are 1, 3 and 11.
• You have to do a site survey to see whether other wireless deployments already exist.
• Power is again key here: if everything is at full power, the access points will interfere with each other.
• A controller-based solution can help, but it is not perfect by any means.

Be Careful of Wireless Interference
• Microwave ovens: using your microwave oven near your computer, Bluetooth device, or Wi-Fi base station may cause interference.
• Direct Satellite Service (DSS) RF leakage: the coax cable and connectors used with certain types of satellite dishes may cause interference. Check the cable for damage and obtain newer cables if you suspect RF leakage.
• Certain external electrical sources such as power lines, electrical railroad tracks, and power stations.
• 2.4 GHz or 5 GHz phones: a cordless telephone that operates in this range may cause interference with wireless devices or networks when used.
• Video senders (transmitters/receivers) that operate in the 2.4 GHz or 5 GHz band.
• Wireless speakers that operate in the 2.4 GHz or 5 GHz band.

Be Careful of Wireless Interference, Cont.
• Certain external monitors and LCD displays: certain displays may emit harmonic interference, especially in the 2.4 GHz band between channels 11 and 14. This interference may be at its worst if you have a portable computer with the lid closed and an external monitor connected to it. Try changing your access point to use 5 GHz or a lower 2.4 GHz channel.
• Any other "wireless" devices that operate in the 2.4 GHz or 5 GHz bands (microwaves, cameras, baby monitors, neighbors' wireless devices, and so on).

Be Careful of Wireless Interference: Access Point Placement
Placement of access points is also important.
Do you have sand in your walls? A school I worked with did, and it drastically affected their wireless coverage. Make sure you understand what your walls are made of.
Metal studs in walls can also have an effect.
Do not assume anything: trust but verify.
Antennas are also important. External antennas allow you to adjust placement in a way that internal antennas do not.

Power over Ethernet (PoE)
You will need power for your access points, so make sure you have PoE switches. (This might seem like a "duh", but it is very important.)
A newer PoE standard exists, 802.3at (PoE+), which allows for power up to 30 W. When purchasing new switches, make sure you have this; some devices do use it.
Make sure you have PoE on all ports; some switches only provide PoE on a limited number of ports.
Make sure you are using access points that use standards-based PoE; otherwise you are stuck with power injectors, and they can suck.

Client Drivers
• In the wireless standards, clients determine which access point to connect to, not the access points.
• Proprietary technology exists to steer clients to certain access points.
• Client drivers matter. If you are deploying a high-density or controller-based solution, update your client drivers. It will make your life better and the network will work much better.
• When you do have problems, this will be one of the first items someone will suggest you update.

Use WPA or WPA2 with AES
• WPA with TKIP can limit the number of clients on an access point to 20.
• Some devices such as iPads do not operate very well with TKIP.
• Stay away from TKIP! (TKIP is also a deprecated cipher, so avoiding it is a security matter as well as a capacity one; WPA2 with AES/CCMP is the one to use.)

Number of SSIDs
• Limit the number of wireless SSIDs in use.
• The recommendation is to use 4 or fewer.
• Why? Beacon and probe request/response traffic grows with every SSID you add, and it will start to decrease performance. A single SSID can take up to 7-10% of the wireless traffic.
• If you have 5 SSIDs, 50% of the traffic can be taken up by management traffic.
• Some vendors have ways around this. If you need more than 4 SSIDs, ask your wireless vendor what they recommend.
• Also ask yourself: do you need more than 4?
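To see why the management overhead scales with the SSID count, here is an added airtime model (my example, not from the deck): every SSID costs one beacon per beacon interval plus one probe response per probe request heard, and each frame is sent at the basic rate. The beacon size, probe-request rate and basic rates are assumed typical figures, not measurements.

```python
def frame_airtime_us(frame_bytes, data_rate_mbps, preamble_us):
    """Airtime of one management frame: PHY preamble plus payload bits / rate."""
    return preamble_us + frame_bytes * 8 / data_rate_mbps


def management_overhead_pct(num_ssids, beacon_bytes=300, basic_rate_mbps=1.0,
                            preamble_us=192, beacon_interval_ms=102.4,
                            probe_requests_per_sec=0):
    """Percentage of one radio's airtime spent on beacons (one per SSID every
    beacon interval) and probe responses (one per SSID per probe request).
    Defaults model 2.4 GHz with the 1 Mbps basic rate and long preamble;
    beacon size and probe rate are assumed, typical values, not measurements."""
    airtime_us = frame_airtime_us(beacon_bytes, basic_rate_mbps, preamble_us)
    beacons_per_sec = 1000 / beacon_interval_ms
    frames_per_sec = num_ssids * (beacons_per_sec + probe_requests_per_sec)
    return frames_per_sec * airtime_us / 1_000_000 * 100


def compare_ssid_counts(max_ssids=8, probe_requests_per_sec=20):
    """Overhead for 1..max_ssids SSIDs on a busy 2.4 GHz radio (1 Mbps basic
    rate) versus a 5 GHz radio (6 Mbps basic rate, 20 us OFDM preamble)."""
    rows = []
    for n in range(1, max_ssids + 1):
        pct_24 = management_overhead_pct(n, probe_requests_per_sec=probe_requests_per_sec)
        pct_5 = management_overhead_pct(n, basic_rate_mbps=6.0, preamble_us=20,
                                        probe_requests_per_sec=probe_requests_per_sec)
        rows.append((n, round(pct_24, 1), round(pct_5, 1)))
    return rows


if __name__ == "__main__":
    print("SSIDs  2.4GHz%  5GHz%")
    for n, pct24, pct5 in compare_ssid_counts():
        print(f"{n:5d}  {pct24:7.1f}  {pct5:5.1f}")
```

With 20 probe requests per second, one SSID on 2.4 GHz already costs about 7.7% of airtime and five cost roughly 39%, while the same five SSIDs on 5 GHz cost about 6%.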


Role of Multipath with 802.11n and Access Point Placement
• With legacy Wi-Fi, the best location for access points was very close to the clients with an unobstructed line of sight.
• 802.11n takes advantage of an RF effect called multipath. Multipath occurs when RF signals are reflected, refracted and otherwise bounced around a room. Legacy devices do not work well with this; 802.11n can take advantage of it. It uses multiple spatial streams to transmit, which means you can double throughput.
• What this really means is that you do not have to place access points in the middle of a room; it might make sense to put one in a corner.

How to Estimate AP Count
• A common question is: how many clients can I connect to a single AP? The answer? The almighty IT answer for everything: it depends.
The answer can change based on the following:
• AP hardware selection (not all access points are made the same)
• How many people you want to get connected
• The mounting locations of the access points
• Performance metrics (applications, bandwidth, latency)
• Client capability and the estimated number of devices per AP

How to Estimate AP Count, Cont.
How quickly a client can get off the air helps determine how many clients an AP can serve. An 802.11n client can transmit faster than a legacy 802.11a/b/g device.

The chart below is a reference on client speeds; actual throughput will be less. For example, a legacy 802.11g client can have a rate of 54 Mbps, but with the overhead of the TCP/IP packet it is more like 20 Mbps.

Client Capability                 Channel Width   Spatial Streams   Minimum PHY Rate   Maximum PHY Rate
Legacy 802.11b                    20 MHz          1                 1 Mbps             11 Mbps
Legacy 802.11g                    20 MHz          1                 1 Mbps             54 Mbps
Legacy 802.11a                    20 MHz          1                 1 Mbps             54 Mbps
802.11n 1-stream client (1x1:1)   20 MHz          1                 6.5 Mbps           72.2 Mbps
802.11n 1-stream client (1x1:1)   40 MHz          1                 13.5 Mbps          150 Mbps
802.11n 2-stream client (1x1:1)   40 MHz          2                 13 Mbps            300 Mbps

Example Number of Clients for a Classroom
• I have seen, with all clients running 802.11n, the ability to have between 30 and 40 devices connected to one access point. Each device will only get about 3 Mbps and could experience delays at times.
• Some solutions can get more per access point (Meru, Ruckus, Aruba, because of beamforming or using only a single channel).
• You will need to be using at least 802.11n to get this many clients.

Site Survey or Not?
• By doing a site survey you can guarantee access point placement and coverage.
• Most vendors can do a predictive survey.
• Remember, predictive surveys are not perfect.
• If you are doing a predictive survey, make sure you budget for extra access points.
• With a predictive survey, make sure you give an accurate floor plan.
• You will also need to have wall construction details available.
• If you are going to support voice, make sure you tell that to the person doing the site survey.

Wireless VoIP Best Practices
• If you can, move phones to their own SSID and VLAN.
• Use the 5 GHz band for wireless phones; avoid the 2.4 GHz range.
• If you are supporting wireless phones, you will need a signal of -65 dBm or better (we will get to what this means on the next slide).
• Do not put access points at full power; match your wireless phones' power to the power of the access point.
• Design with more access points; you will get fewer devices per access point, which helps with roaming.
• You will need to enable QoS on the wireless access points.

What Does -65 dBm Mean?
• dBm is the power ratio in decibels of the measured power referenced to one milliwatt.
• It is a measure of how much signal you have. The farther away you get, the lower the number.
• Wireless phones and iPads work best with -65 dBm or better (closer to 0). This is important when designing wireless networks. You might have coverage, but if it is poor coverage it is no good.
• Make sure you understand your requirements so you have the best design.
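As an added illustration (not code from the deck), the following Python ties the dBm scale to the two design points above: the -65 dBm check over survey samples, and the "more power is not more distance" argument. It uses free-space path loss, so real walls will shorten every distance; the 12 dBm client radio and the 2437 MHz (channel 6) frequency are assumptions.

```python
import math


def dbm_to_mw(dbm):
    """dBm is power relative to 1 mW on a log scale: 0 dBm = 1 mW, +3 dB doubles it."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    return 10 * math.log10(mw)


def free_space_loss_db(distance_m, freq_mhz):
    """Free-space path loss in dB; walls (sand, metal studs) add loss on top of this."""
    return 20 * math.log10(distance_m / 1000) + 20 * math.log10(freq_mhz) + 32.44


def rssi_dbm(tx_dbm, distance_m, freq_mhz):
    """Received level for a free-space link, antenna gains assumed to be 0 dBi."""
    return tx_dbm - free_space_loss_db(distance_m, freq_mhz)


def range_for_rssi_m(tx_dbm, target_dbm, freq_mhz):
    """Distance (m) at which the received level falls to target_dbm in free space."""
    loss_db = tx_dbm - target_dbm
    return 1000 * 10 ** ((loss_db - 32.44 - 20 * math.log10(freq_mhz)) / 20)


def coverage_report(samples, threshold_dbm=-65.0):
    """samples: (location, measured dBm) pairs from a survey. Returns the locations
    below the voice/iPad threshold and the percentage of points that meet it."""
    failing = [loc for loc, level in samples if level < threshold_dbm]
    pct_ok = 100.0 * (len(samples) - len(failing)) / len(samples)
    return failing, pct_ok


if __name__ == "__main__":
    # Constructed survey points for one floor, not real measurements.
    survey = [("Room 101", -58), ("Room 102", -66), ("Hallway", -72), ("Lab", -64)]
    print(coverage_report(survey))  # (['Room 102', 'Hallway'], 50.0)
    # Why full AP power does not fix coverage: an AP at 20 dBm is heard at -65 dBm
    # out to ~174 m in free space, but an assumed 12 dBm tablet radio only reaches
    # the AP at that level from ~69 m, so far clients hear it and cannot answer.
    print(round(range_for_rssi_m(20, -65, 2437)), round(range_for_rssi_m(12, -65, 2437)))
    # Doubling AP power (+3 dB) stretches the free-space range by only ~41%.
    print(round(range_for_rssi_m(23, -65, 2437) / range_for_rssi_m(20, -65, 2437), 2))
```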
Wireless Troubleshooting Tools
• If you are running Mac OS X 10.7, a wireless tool is built in. It can be launched from /System/Library/CoreServices/Wi-Fi Diagnostics.app
• It can monitor performance, capture data and record events.
• It can be a good tool for troubleshooting.
• For Windows, Xirrus has a free tool called Wi-Fi Inspector. It is located at http://www.xirrus.com/Products/Wi-Fi-Inspector.aspx
• It can be used to test speed, quality and signal strength.

More Wireless Troubleshooting Tools

• Wi-Spy from www.metageek.net is a great tool. It can identify Wi-Fi problems and interference.
• MetaGeek also has links to great tools, Wi-Fi planners and heat map generators, located at http://www.metageek.net/docs/wireless-networking-tools/
• Fluke has some great tools; the best is AirMagnet Wi-Fi Analyzer. You will pay, but it is a great tool.

Basic Wireless Security Best Practices
• Put your wireless networks on a separate VLAN.
• Guests should not be placed on a production network; put them on a separate VLAN that maps to a firewall or public Internet connection.
• If you have a directory service, authenticate your users against it. Most wireless devices can take advantage of a RADIUS server.
• On corporate networks, use WPA-Enterprise.
• With guest access, present a disclaimer and require users to accept it at least once a day.
• Disable SSID broadcasting for corporate networks. (Hiding the SSID is a convenience, not a security control; rely on WPA-Enterprise for that.)

Wireless Controller-Based SSID Design
• Have the public Internet SSID tunnel back to the controller and out a separate connection on the controller, for security reasons. Do not place it on the production network.
• For corporate connections, consider bridging the traffic at the local switch to increase speed and the number of devices.
• When utilizing a controller, if possible have two for redundancy and failover, and place them in different locations if possible.
• Not all controllers are created equal; make sure you size your controller appropriately.
• Read the best practices guide for your controller for optimal settings.

Wireless Future Planning: 802.11ac
• It will be 5 GHz only and will come in 2 phases.
• Cisco has a slot for an add-in radio. (Speaker's opinion: to do it right, it will need to be an entirely new device. Translation: don't believe this sales tactic.)
• It will combine channels in the 5 GHz range to deliver up to 1 Gbps throughput.
• It will require PoE+ Ethernet to power access points.
• The standard is still being ratified. If you purchase today, you will need a firmware update to make it standards-based.
• You will need to maintain 2 networks: one for 2.4 GHz devices and one for 5 GHz devices.
• Ask your vendors what their path to 802.11ac will be.

Wireless Useful Resources
• Ruckus Wireless Design Guide for High Density Wireless is located here
• Cisco Wireless Design Guide for Higher Education is located here
• Cisco Wireless Controller Best Practices is located here
• Aruba Wireless Whitepapers and Design Guides are located here
• Juniper Wireless Design Guides and solutions are located here

In Closing: Wireless Considerations
• More power does not mean greater distance.
• If possible, avoid broadcasting more than 4 SSIDs.
• Do not use TKIP; it can limit the number of clients per access point.
• If you are deploying voice, iPads or heavy use of Wi-Fi smartphones, you will need -65 dBm or better.
• Guest wireless access should never touch your production network.
• If you have 802.11b devices, remove them or disable 802.11b on your access points.
• Not all access points are created equal; make sure you understand what your client density will be to get the correct product.

Switching Best Practices
Spanning Tree
• Who can tell me what this does and why it is needed?
• Do all switch manufacturers enable it by default?
• How does it determine who is the master (the root bridge)?

Network Infrastructure Best Practices
Spanning Tree
• One of the most misconfigured items on the network.
• You need to make sure you set the root bridge to your core.
• Some switches (HP) come with spanning tree disabled.
• Misconfiguration can lead to network loops and also high switch CPU.
• If multi-vendor, make sure the spanning-tree types match; if not, you will cause loops.
• You should run per-VLAN spanning tree; you can make better use of your uplinks.
• Enable PortFast on all edge ports; it will allow devices to become active quicker.

Spanning Tree Examples
HP
  ! Same MSTP config name on every switch. The name is case sensitive.
  Core-1(config)# spanning-tree config-name "B10"
  ! Same MSTP revision number.
  Core-1(config)# spanning-tree config-revision 1
  ! Same MSTP instance definitions.
  Core-1(config)# spanning-tree instance 1 vlan 10 20 108
  Core-1(config)# spanning-tree instance 2 vlan 30 40
  ! Enable spanning tree.
  Core-1(config)# spanning-tree
  ! Core-switch specific configuration:
  ! Core-1 is root in instance 1.
  Core-1(config)# spanning-tree instance 1 priority 0

HP Spanning Tree White Paper
• http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/How_to_improve_and_harden_spanning-tree_configuration_Configuration_note_Dec_08_A4.pdf

Spanning Tree Examples
Cisco
  spanning-tree mode rapid-pvst
  spanning-tree portfast bpdufilter default
  spanning-tree vlan 10,14,18,40,190,212,216,220 priority 24576
  spanning-tree vlan 4,12,16,20,64,210,214,218,1000 priority 28672

Consider BPDU guard rather than BPDU filter on edge ports: with BPDU guard, an edge port that receives a BPDU is shut down instead of silently ignoring it, which protects you against an accidental loop through an unmanaged switch plugged into an edge port.

On edge ports, enable spanning-tree PortFast.

What is PortFast? It allows the port to become active faster than the traditional 60 seconds.
  interface GigabitEthernet 1/0/11
   spanning-tree portfast

Cisco White Paper
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml

Spanning Tree Examples
Juniper
  set protocols vstp vlan 10 bridge-priority 16k
  set protocols vstp vlan 1000 bridge-priority 16k

Juniper PortFast equivalent (edge port)
  set protocols stp interface ge-0/0/0.0 edge

White paper found here
http://www.juniper.net/us/en/local/pdf/implementation-guides/8010002-en.pdf

Layer 3 Routing
• If possible, use layer 3 on uplinks between the core and the closet.
• Layer 3 limits the need for spanning tree and the risk of network loops.
• Layer 3 also ensures fast failover if designed correctly.
• It will also cut down on broadcast traffic between switches.
• If you need a layer 2 VLAN on all of your switches, consider a separate uplink that carries that VLAN only.

VLANs
• Disable VLAN 1! It is the default VLAN and hackers look for it.
• Use more than 1 VLAN for security and to separate traffic and devices.
• Servers should have their own VLAN; wireless should have its own VLAN.
• You can have too many VLANs.
• If you have more than 250 devices, you need more than 1 VLAN.

VLAN Configuration Guides
Juniper VLAN Configuration
http://www.juniper.net/techpubs/en_US/junos9.4/topics/task/configuration/bridging-vlans-ex-series-cli.html

Cisco VLAN Configuration
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml

HP VLAN Configuration
http://www.hp.com/rnd/support/config_examples/primary_vlan.pdf

VLAN Security Issues
(Why not to use VLAN1)
• MAC Flooding Attack
• 802.1Q and ISL Tagging Attack
• Double-Encapsulated 802.1Q/Nested VLAN Attack
• ARP Attacks
• Private VLAN Attack
• Multicast Brute Force Attack
• Spanning-Tree Attack
• Random Frame Stress Attack
Switch Trunking Best Practices
• Make sure you use industry standards (802.1Q) for VLAN trunks.
• Make sure you set the native VLAN ID to something other than VLAN 1.
• Make sure you prune switch trunks to only the needed VLANs.
• You do not need all VLANs on all switches; remove the VLANs that are not needed.
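The trunking and VLAN 1 rules above are easy to check mechanically against a saved running-config. Here is an added Python audit (my example, not a tool from the deck) for Cisco IOS syntax; the sample config is constructed, and the rule "PortFast without BPDU guard" follows the spanning-tree advice earlier in the deck.

```python
# Constructed sample Cisco IOS running-config (not from any real switch).
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 priority 24576
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
!
interface GigabitEthernet1/0/2
 switchport mode trunk
!
interface GigabitEthernet1/0/11
 switchport mode access
 spanning-tree portfast
"""

def parse_interfaces(config):
    """Group the indented lines under each 'interface ...' stanza."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return blocks

def last_arg(lines, prefix, default):
    """Last word of the first line starting with prefix, else default."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)

def audit_config(config):
    """Return (interface, problem) pairs for the trunking rules on the slide."""
    findings = []
    if "spanning-tree mode " not in config:
        findings.append(("global", "no spanning-tree mode configured"))
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            if last_arg(lines, "switchport trunk native vlan", "1") == "1":
                findings.append((name, "trunk native VLAN is the default VLAN 1"))
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((name, "trunk not pruned; it carries every VLAN"))
        elif "switchport mode access" in lines:
            if last_arg(lines, "switchport access vlan", "1") == "1":
                findings.append((name, "access port left in VLAN 1"))
            if "spanning-tree portfast" in lines and "spanning-tree bpduguard enable" not in lines:
                findings.append((name, "PortFast without BPDU guard"))
    return findings

if __name__ == "__main__":
    for iface, problem in audit_config(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
```

On the sample, GigabitEthernet1/0/1 passes, while the second trunk and the access port each produce two findings.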
Backups
• How often do you back up your switches?
• Do you use a tool to automate your backups?
• Do you have an email notifying you of changes?
• A simple product called Kiwi CatTools can back up your environment and is low cost: http://www.kiwisyslog.com/kiwi-cattools-overview/
• Price is $750 plus maintenance.

Code Upgrades
• How often do you upgrade your switches?
• Do you use the recommended release when installing?
• Do you have a plan for when and how you upgrade your switches?
You should attempt to upgrade yearly.
You should use the recommended release at that time; Cisco and Juniper have links to the recommended releases.
Switches are no different than PCs: they need to be patched.

Survey
If you provide me your business card, I will provide you an assessment of your current wireless network and see if you are following best practices.

Newsletter and Tech Tips
I write a monthly newsletter and send out weekly security tech tips. If you would like to get onto my list, please provide me with a business card.
