They will hear the wireless signal and attempt to talk to it.
With high density, full power will cause issues (except Meru Networks).
Wireless Best Practice
• Power again is key here. If you have everything at full power, the access points will cause interference with each other.
• A controller-based solution can help, but it is not perfect by any means.
Be Careful of Wireless Interference
• Microwave ovens: Using your microwave oven near your computer, Bluetooth
device, or Wi-Fi base station may cause interference.
• Direct Satellite Service (DSS) RF leakage: The coax cable and connectors used with certain types of satellite dishes may cause interference. Check the cable for damage and obtain newer cables if you suspect RF leakage.
• Certain external electrical sources such as power lines, electrical railroad tracks,
and power stations.
• 2.4 GHz or 5 GHz phones: A cordless telephone that operates in this range may
cause interference with wireless devices or networks when used.
• Certain external monitors and LCD displays: Certain displays may emit harmonic interference, especially in the 2.4 GHz band between channels 11 and 14. This interference may be at its worst if you have a portable computer with the lid closed and an external monitor connected to it. Try changing your access point to use 5 GHz or a lower 2.4 GHz channel.
• Any other "wireless" devices that operate in the 2.4 GHz or 5 GHz bands (microwaves, cameras, baby monitors, neighbors' wireless devices, and so on).
Placement of access points is also important.
Do you have sand in your walls? A school I worked with did, and it drastically affected their wireless coverage. Make sure you understand what your walls are made of.
Antennas are also important. External antennas let you adjust antenna placement, which internal antennas do not.
Power over Ethernet or PoE
You will need power for your access points, so make sure you have PoE switches (this might seem like a "duh", but it is very important).
A newer PoE standard exists, called 802.3at or PoE+. It allows for power up to 30 W; when purchasing new switches, make sure you have this. Some devices do use it.
Make sure you have PoE on all ports; some switches only provide PoE on a limited number of ports.
Make sure you are using access points that use standards-based PoE, otherwise you are stuck with power injectors, and they can suck...
Client Drivers
• In the wireless standards, clients determine which access point to connect to, not the access points.
• Client drivers matter. If you are deploying a high-density or controller-based solution, update your client drivers. It will make your life better and it will work much better.
• When you do have problems, this will be one of the first items someone will suggest you update.
Use WPA or WPA2 with AES
• WPA with TKIP can limit the number of clients on an access point to 20.
• Some devices such as iPads do not operate very well with TKIP.
• Why? Beacon and Probe Request/Response traffic increases with the number of SSIDs, and it will start to decrease performance. A single SSID can take up to 7-10% of the wireless traffic.
• If you have 5 SSIDs, 50% of the traffic can be taken up by management traffic.
• Some vendors have ways around this. If you need more than 4 SSIDs, ask your wireless vendor what they recommend.
• What this really means is that you do not have to place access points in the middle of a room; it might make sense to put one in a corner.
How to Estimate AP Count
• A common question is: how many clients can I connect to a single AP? The answer? The almighty IT answer for everything... It depends.
• AP hardware selection (not all access points are made the same).
The chart listed below is a reference on client speeds; actual throughput will be less. For example, a legacy 802.11g client can have a rate of 54 Mbps, but with the overhead of the TCP/IP packet it is more like 20 Mbps.
Client Capability                Channel Width  Spatial Streams  Minimum PHY Rate  Maximum PHY Rate
Legacy 802.11b                   20 MHz         1                1 Mbps            11 Mbps
Legacy 802.11g                   20 MHz         1                1 Mbps            54 Mbps
Legacy 802.11a                   20 MHz         1                1 Mbps            54 Mbps
802.11n 1-stream client (1x1:1)  20 MHz         1                6.5 Mbps          72.2 Mbps
802.11n 1-stream client (1x1:1)  40 MHz         1                13.5 Mbps         150 Mbps
802.11n 2-stream client (1x1:1)  40 MHz         2                13 Mbps           300 Mbps
Example: Number of Clients for a Classroom
• I have seen, with all clients running 802.11n, the ability to have between 30 and 40 devices connected to 1 access point. Each device will only get about 3 Mbps and could experience delays at times.
• Some solutions can get more per access point (Meru, Ruckus, Aruba, because of beamforming or using only a single channel).
• If you are doing a predictive survey, make sure you budget for extra access points.
• With a predictive survey, make sure you give an accurate floor plan.
• If you are going to support voice, make sure you tell that to the person doing the site survey.
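As an added worked example (not part of the presentation), the calculator below turns the PHY table and the two rules of thumb on these slides into Python: the 54 Mbps to roughly 20 Mbps overhead ratio, and the 7-10% of airtime each SSID costs in management traffic. Applying the 802.11g overhead ratio to every client type is an assumption, as is using the pessimistic 10% per SSID; the table values are the slide's. With 802.11n clients at 3 Mbps each it lands at 33 clients per AP, inside the 30-40 range the classroom example gives.

```python
import math

# Maximum PHY rate per client type, in Mbps, taken from the slide's table.
PHY_MAX_MBPS = {
    "802.11b": 11,
    "802.11g": 54,
    "802.11a": 54,
    "802.11n-1x1-20MHz": 72.2,
    "802.11n-1x1-40MHz": 150,
    "802.11n-2stream-40MHz": 300,
}

# Assumption: the slide's "54 Mbps rate, ~20 Mbps usable" example for 802.11g
# is used as the PHY-to-usable ratio for every client type.
USABLE_FRACTION = 20 / 54

# Slide figure: each SSID costs about 7-10% of airtime in beacon/probe traffic;
# the pessimistic end (10%) is assumed here.
MGMT_OVERHEAD_PER_SSID = 0.10


def usable_throughput_mbps(client_type, ssid_count=1):
    """Usable throughput (Mbps) of one AP radio for the given client type
    after TCP/IP overhead and per-SSID management traffic."""
    phy_max = PHY_MAX_MBPS[client_type]
    mgmt_share = min(ssid_count * MGMT_OVERHEAD_PER_SSID, 0.9)  # cap at 90%
    return phy_max * USABLE_FRACTION * (1.0 - mgmt_share)


def clients_per_ap(client_type, per_client_mbps, ssid_count=1):
    """How many clients one AP can carry if each is to get per_client_mbps."""
    if per_client_mbps <= 0:
        raise ValueError("per-client bandwidth must be positive")
    return int(usable_throughput_mbps(client_type, ssid_count) // per_client_mbps)


def estimate_ap_count(total_clients, client_type, per_client_mbps, ssid_count=1):
    """Minimum number of APs for total_clients at the requested per-client rate.
    Coverage (walls, antennas, -65 dBm for voice) can still raise this number."""
    per_ap = clients_per_ap(client_type, per_client_mbps, ssid_count)
    if per_ap < 1:
        raise ValueError("requested per-client rate exceeds what one AP can give")
    return math.ceil(total_clients / per_ap)


if __name__ == "__main__":
    # Reproduces the classroom slide: 802.11n clients at ~3 Mbps each.
    for ssids in (1, 5):
        n = clients_per_ap("802.11n-2stream-40MHz", 3.0, ssids)
        print(f"{ssids} SSID(s): about {n} 802.11n clients per AP at 3 Mbps each")
    print("APs for 120 such clients with 1 SSID:",
          estimate_ap_count(120, "802.11n-2stream-40MHz", 3.0))
```

Running it with 5 SSIDs instead of 1 drops the same AP to 18 clients, which is the slide's point about management traffic in numbers.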
Wireless VoIP Best Practices
• If you can, move phones to their own SSID and VLAN.
• Use the 5 GHz band for wireless phones; avoid the 2.4 GHz range.
• If you are supporting wireless phones, the signal will need to be -65 dBm or less (will get to what this means in the next slide).
• Do not put access points at full power; match the power of the access point to your wireless phone's power.
• Design with more access points; you will get fewer devices per access point and it helps with roaming.
• dBm is a measure of how much signal you have. The farther away you get, the lower the number.
• Wireless phones and iPads work best with -65 dBm or less. This is important when designing wireless networks. You might have coverage, but if it is poor coverage it is no good.
• Make sure you understand your requirements so you have the best design.
Wireless Troubleshooting Tools
• If you are running Mac OS X 10.7, a wireless tool is built in. It can be launched from /System/Library/CoreServices/Wi-Fi Diagnostics.app
• Wi-Spy from www.metageek.net is a great tool. It can identify Wi-Fi problems and interference.
• MetaGeek also has links to great tools, Wi-Fi planners, and heat map generators. They are located here: http://www.metageek.net/docs/wireless-networking-tools/
• Fluke has some great tools; the best tool is AirMagnet Wi-Fi Analyzer. You will pay, but it is a great tool.
Basic Wireless Security Best Practices
• If you have a directory service, authenticate your users with the directory service. Most wireless devices can take advantage of a RADIUS server.
• With guest access, place a disclaimer and require someone to accept it at least once a day.
• Disable SSID broadcasting for corporate networks.
Wireless Controller-Based SSID Design
• Have public Internet traffic tunnel back to the controller and out a separate connection on the controller for security reasons. Do not place it on the production network.
• For corporate connections, consider bridging the traffic at the local switch to increase speed and the number of devices.
• When utilizing a controller, if possible have two for redundancy and failover, and place them in different locations if possible.
• Not all controllers are created equal; make sure you size your controller appropriately.
• Read the best practices guide for your controller for optimal settings.
Wireless Future Planning: 802.11ac
• It will be 5 GHz only and will come in 2 phases.
• Cisco has a slot for an add-in radio. (Speaker's opinion: to do it right, it will need to be an entirely new device. Translation: don't believe this sales tactic.)
• The standard is still being ratified. If you purchase today, you will need a firmware update to make it standards-based.
• You will need to maintain 2 networks, one for 2.4 GHz devices and one for 5 GHz devices.
• Do not use TKIP; it can limit the number of clients per access point.
• If you are deploying voice, iPads, or heavy use of Wi-Fi smartphones, you will need to have -65 dBm or less.
• If you have 802.11b devices, remove them or disable 802.11b on your access points.
• Not all access points are created equal; make sure you understand what your client density will be to get the correct product.
Switching Best Practices!!!!!!
Spanning Tree
• Who can tell me what this does and why it is needed?
• You need to make sure you set the root bridge to your core.
• If multi-vendor, make sure the spanning-tree types match; if not, you will cause loops.
• You should run per-VLAN spanning tree; you can make better use of your uplinks.
• Enable PortFast on all edge ports; it will allow devices to become active quicker.
Spanning Tree Examples
HP
! Same MSTP config name. Name is case sensitive.
Core-1(config)# spanning-tree config-name "B10"
! Same MSTP revision number.
Core-1(config)# spanning-tree config-revision 1
! Same MSTP instances definition
Core-1(config)# spanning-tree instance 1 vlan 10 20 108
Core-1(config)# spanning-tree instance 2 vlan 30 40
! Enables spanning tree
Core-1(config)# spanning-tree
! Core-switch specific configuration:
! Core-1 is root in instance 1
Core-1(config)# spanning-tree instance 1 priority 0
• Layer 3 limits the need for spanning tree and reduces network loops.
• If you need a layer 2 VLAN on all of your switches, consider a separate uplink that carries that VLAN only.
VLANs!!!!!!
• Disable VLAN 1!!!!!! It is the default VLAN and hackers look for it.
• Use more than 1 VLAN for security and to separate traffic and devices.
• Servers should have their own VLAN; wireless should have its own VLAN.
• If you have more than 250 devices, you need more than 1 VLAN.
VLAN Configuration Guides
Juniper VLAN Configuration
http://www.juniper.net/techpubs/en_US/junos9.4/topics/task/configuration/bridging-vlans-ex-series-cli.html
HP VLAN Configuration
http://www.hp.com/rnd/support/config_examples/primary_vlan.pdf
VLAN Security Issues
(Why not to use VLAN 1)
• MAC Flooding Attack
• 802.1Q and ISL Tagging Attack
• Double-Encapsulated 802.1Q/Nested VLAN Attack
• ARP Attacks
• Private VLAN Attack
• Multicast Brute Force Attack
• Spanning-Tree Attack
• Random Frame Stress Attack
Switch Trunking Best Practices
• Make sure you use industry standards for VLAN trunks.
• Make sure you set the native VLAN ID to something other than VLAN 1.
• Make sure you prune switch trunks to only the needed VLANs.
• You do not need all VLANs on all switches; remove the VLANs that are not needed.
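The checks on the spanning tree, VLAN and trunking slides (native VLAN moved off VLAN 1, trunks pruned to the VLANs actually needed, no access ports left in VLAN 1, PortFast on edge ports) can be run against a saved switch configuration rather than eyeballed. The script below is an added example and not part of the presentation or any vendor's tooling: it parses a constructed, Cisco IOS-style configuration (the slides themselves show HP syntax) and applies the IOS defaults that a trunk with no native-vlan line uses VLAN 1 and a trunk with no allowed-vlan line carries every VLAN.

```python
import re

# Constructed sample configuration in Cisco IOS style (not from the slides).
SAMPLE_CONFIG = """\
hostname edge-1
!
interface GigabitEthernet1/0/1
 description uplink to core-1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description uplink to core-2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/10
 description user port
 switchport mode access
!
interface GigabitEthernet1/0/11
 description user port
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [indented config lines]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" separators and global commands end the block
    return interfaces


def _first_int(lines, pattern, default):
    """First integer captured by pattern in lines, or the platform default."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return int(m.group(1))
    return default


def audit_interfaces(interfaces):
    """Apply the slides' checks; return a list of (interface, finding)."""
    findings = []
    for name, lines in interfaces.items():
        if "switchport mode trunk" in lines:
            # IOS default: native VLAN 1 unless configured otherwise.
            native = _first_int(lines, r"switchport trunk native vlan (\d+)", 1)
            if native == 1:
                findings.append((name, "trunk native VLAN is 1; set it to an otherwise unused VLAN"))
            # IOS default: all VLANs allowed unless an allowed-vlan list is set.
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((name, "trunk carries every VLAN; prune it to the VLANs this switch needs"))
        elif "switchport mode access" in lines:
            # IOS default: access VLAN 1 unless configured otherwise.
            access = _first_int(lines, r"switchport access vlan (\d+)", 1)
            if access == 1:
                findings.append((name, "access port sits in VLAN 1; move it to a user VLAN"))
            if "spanning-tree portfast" not in lines:
                findings.append((name, "edge port without PortFast; hosts wait out the STP timers"))
    return findings


def audit_config(config_text):
    """Convenience wrapper: parse and audit in one call."""
    return audit_interfaces(parse_interfaces(config_text))


if __name__ == "__main__":
    for iface, finding in audit_config(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

On the sample, the two ports that rely on defaults (GigabitEthernet1/0/1 and 1/0/10) produce all four findings; the two that were configured the way the slides recommend produce none. Pointing the same script at a directory of nightly backups turns the slide's advice into a recurring check.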
Backups
• How often do you back up your switches?
• Do you use a tool to automate your backups?
• Do you have an email notifying you of changes?
• A simple tool like the product called Kiwi CatTools can back up your environment and is low cost: http://www.kiwisyslog.com/kiwi-cattools-overview/
• Price is $750 plus maintenance.
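As an added example (not a feature of CatTools and not from the presentation), the script below does in plain Python what the three questions on this slide ask for: it stores a configuration snapshot, skips the write when nothing changed (compared by SHA-256), keeps every distinct version, and produces a unified diff plus a subject line for the change-notification email. The two configurations are constructed IOS-style samples in which someone has put a trunk's native VLAN back to 1 and removed its allowed-VLAN list, exactly the kind of change the previous slides say to watch for; handing the message to a mailer is left out.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

# Constructed IOS-style snapshots (sample data, not from the slides).
CONFIG_V1 = """\
hostname edge-1
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
"""
# Native VLAN moved back to 1 and the trunk opened to every VLAN.
CONFIG_V2 = """\
hostname edge-1
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 1
!
"""


def fingerprint(text):
    """SHA-256 of the configuration text; cheap way to detect 'no change'."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def backup_config(backup_dir, device, config_text):
    """Store config_text under backup_dir if it differs from the last copy.

    Returns (changed, diff_text). An unchanged config writes nothing."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    latest = backup_dir / f"{device}.latest.cfg"
    old_text = latest.read_text() if latest.exists() else ""
    if latest.exists() and fingerprint(old_text) == fingerprint(config_text):
        return False, ""
    diff_text = "".join(difflib.unified_diff(
        old_text.splitlines(keepends=True),
        config_text.splitlines(keepends=True),
        fromfile=f"{device} (previous)", tofile=f"{device} (current)"))
    # Keep every distinct version (named by hash prefix) plus a "latest" copy.
    (backup_dir / f"{device}.{fingerprint(config_text)[:12]}.cfg").write_text(config_text)
    latest.write_text(config_text)
    return True, diff_text


def change_notice(device, diff_text):
    """Subject and body for the change email; sending is left to the mailer."""
    lines = diff_text.splitlines()
    added = sum(1 for l in lines if l.startswith("+") and not l.startswith("+++"))
    removed = sum(1 for l in lines if l.startswith("-") and not l.startswith("---"))
    subject = f"[config change] {device}: +{added}/-{removed} lines"
    return subject, diff_text


def run_demo(backup_dir=None):
    """Three backup runs: first copy, no change, then a real change."""
    backup_dir = backup_dir or tempfile.mkdtemp(prefix="cfgbak-")
    first, _ = backup_config(backup_dir, "edge-1", CONFIG_V1)
    second, _ = backup_config(backup_dir, "edge-1", CONFIG_V1)
    third, diff_text = backup_config(backup_dir, "edge-1", CONFIG_V2)
    subject, body = change_notice("edge-1", diff_text)
    return {"first": first, "second": second, "third": third,
            "subject": subject, "diff": body}


if __name__ == "__main__":
    result = run_demo()
    print(result["subject"])
    print(result["diff"])
```

The second run is silent because the hash matches; the third reports one added and two removed lines, and the diff body shows the native VLAN line changing to 1 and the allowed-VLAN line disappearing, which is what an on-call engineer wants in the email rather than just "config changed".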
Code Upgrades
• How often do you upgrade your switches?
• Do you use the recommended release when installing?
• Do you have a plan for when/how you upgrade your switches?
I write a monthly newsletter and send out weekly security tech tips. If you would like to get onto my list, please provide me with a business card.