
James Oryszczyn President, TBJ Consulting LLC



  1. Break 1320: Wireless Infrastructure & Networking Best Practices
     James Oryszczyn, President, TBJ Consulting LLC
  2. Who Am I
     - I am President of TBJ Consulting LLC.
     - I have been working on network infrastructure for over 15 years.
  3. Agenda
     - Discuss wireless power settings
     - Discuss 2.4 GHz and wireless interference
     - Discuss Power over Ethernet
     - Discuss 802.11b clients
     - Discuss SSIDs and the recommended maximum
     - Discuss access point placement
     - Discuss switching best practices
  4. Questions
     - Who has wireless deployed?
     - Who is planning or has deployed BYOD?
     - Has your wireless network held up?
     - What are your concerns?
  5. Wireless Best Practice: Full Power Is Not Better
     - Full power is not better. You need to tune power.
     - You are better off with more access points running at lower power.
     - Why? Because of the strength of the radios in client devices. iPads, Kindles and similar devices will hear the access point's strong signal and attempt to talk to it, while their own weaker radios cannot reach back, so you will get poor performance from them.
     - In a high-density deployment, full power will cause issues (except with Meru Networks).
  6. Wireless Best Practice: Get Rid of 802.11b Clients
     - A single 802.11b client will slow all wireless clients on that access point down to its speed.
     - Your 802.11n network will go back to 1998 technology.
     - Most devices do not need 802.11b anymore.
  7. Wireless Best Practice: 2.4 GHz Channel Planning
     - In the 2.4 GHz spectrum, channel planning is huge.
     - You only have 3 channels that do not overlap. Those channels are 1, 3 and 11.
     - You have to do a site survey to see whether other wireless deployments already exist nearby.
     - Power is key here again: if everything is at full power, the access points will interfere with each other.
     - A controller-based solution can help, but it is not perfect by any means.
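As an added example that is not part of the presentation, the script below checks a 2.4 GHz channel plan the way a site survey would: it works from the channel centre frequencies (5 MHz apart, channel 1 at 2412 MHz) and the roughly 22 MHz width of an 802.11b/g channel, and flags neighbouring access points whose channels share spectrum. The AP names, channel assignments and neighbour pairs are constructed survey data, not from the slides; the non-overlapping set it derives is computed from the frequencies, so run it against your own plan rather than trusting a rule of thumb.

```python
# Added example (not from the presentation): flags overlapping 2.4 GHz channel
# assignments between access points that can hear each other. Channel centre
# frequencies are 5 MHz apart (channel 1 = 2412 MHz, channel 14 = 2484 MHz) and
# an 802.11b/g channel is about 22 MHz wide, so two channels only stay clear of
# each other when their centres are at least 22 MHz apart. The AP list and the
# neighbour pairs below are constructed survey data, not from the slides.
CHANNEL_WIDTH_MHZ = 22


def centre_frequency_mhz(channel):
    """Centre frequency of a 2.4 GHz channel; channel 14 is the odd one out."""
    if not 1 <= channel <= 14:
        raise ValueError(f"not a 2.4 GHz channel: {channel}")
    return 2484 if channel == 14 else 2407 + 5 * channel


def channels_overlap(a, b):
    """True when the two channels share any spectrum."""
    return abs(centre_frequency_mhz(a) - centre_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(channels=range(1, 14)):
    """Greedy, lowest-first selection of mutually non-overlapping channels."""
    chosen = []
    for ch in channels:
        if not any(channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def find_overlaps(ap_channels, neighbours):
    """For each pair of APs that hear each other, report co-channel (same channel,
    the radios at least defer to each other) or adjacent-channel (partial overlap,
    the worse case: the radios cannot decode each other and just corrupt frames)."""
    issues = []
    for ap1, ap2 in neighbours:
        ch1, ch2 = ap_channels[ap1], ap_channels[ap2]
        if ch1 == ch2:
            issues.append((ap1, ap2, "co-channel"))
        elif channels_overlap(ch1, ch2):
            issues.append((ap1, ap2, "adjacent-channel"))
    return issues


# Constructed example: four APs and which pairs can hear each other in the survey.
SAMPLE_CHANNELS = {"AP-101": 1, "AP-102": 3, "AP-103": 11, "AP-104": 1}
SAMPLE_NEIGHBOURS = [("AP-101", "AP-102"), ("AP-102", "AP-103"),
                     ("AP-101", "AP-104"), ("AP-103", "AP-104")]

if __name__ == "__main__":
    print("non-overlapping channels:", non_overlapping_set())
    for ap1, ap2, kind in find_overlaps(SAMPLE_CHANNELS, SAMPLE_NEIGHBOURS):
        print(f"{ap1} (ch {SAMPLE_CHANNELS[ap1]}) and {ap2} (ch {SAMPLE_CHANNELS[ap2]}): {kind}")
```

The neighbour list is the important input: two APs on the same channel on opposite ends of a large building are not a problem, so only pairs that actually hear each other in the survey are checked.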
  8. Be Careful of Wireless Interference
     - Microwave ovens: using a microwave oven near your computer, Bluetooth device or Wi-Fi base station may cause interference.
     - Direct Satellite Service (DSS) RF leakage: the coax cable and connectors used with certain types of satellite dishes may cause interference. Check the cable for damage and obtain newer cables if you suspect RF leakage.
     - Certain external electrical sources, such as power lines, electrical railroad tracks and power stations.
     - 2.4 GHz or 5 GHz phones: a cordless telephone that operates in this range may cause interference with wireless devices or networks when in use.
     - Video senders (transmitters/receivers) that operate in the 2.4 GHz or 5 GHz band.
     - Wireless speakers that operate in the 2.4 GHz or 5 GHz band.
  9. Be Careful of Wireless Interference (cont.)
     - Certain external monitors and LCD displays: some displays emit harmonic interference, especially in the 2.4 GHz band between channels 11 and 14. This interference may be at its worst if you have a portable computer with the lid closed and an external monitor connected to it. Try changing your access point to use 5 GHz or a lower 2.4 GHz channel.
     - Any other "wireless" devices that operate in the 2.4 GHz or 5 GHz band (microwaves, cameras, baby monitors, neighbours' wireless devices, and so on).
  10. Be Careful of Wireless Interference: Access Point Placement
     - Placement of access points is also important.
     - Do you have sand in your walls? A school I worked with did, and it drastically affected their wireless coverage. Make sure you understand what your walls are made of.
     - Metal studs in walls can also have an effect.
     - Do not assume anything: trust, but verify.
     - Antennas are also important. External antennas allow you to adjust placement in a way that internal antennas do not.
  11. Power over Ethernet (PoE)
     - You will need power for your access points, so make sure you have PoE switches. (This might seem like a "duh", but it is very important.)
     - A new PoE standard exists, 802.3at (PoE+), which allows up to 30 W of power per port. When purchasing new switches, make sure you get this; some devices do use it.
     - Make sure you have PoE on all ports; some switches only provide PoE on a limited number of ports.
     - Make sure the access points you buy use standards-based PoE; otherwise you are stuck with power injectors, and they can suck.
  12. Client Drivers
     - In the wireless standards, the client decides which access point to connect to, not the access point.
     - Proprietary technology exists to force clients onto certain access points.
     - Client drivers matter. If you are deploying a high-density or controller-based solution, update your client drivers. It will make your life better, and the network will work much better.
     - When you do have problems, updating drivers will be one of the first things someone suggests.
  13. Use WPA or WPA2 with AES
     - WPA with TKIP can limit the number of clients on an access point to 20.
     - Some devices, such as iPads, do not operate very well with TKIP.
     - Stay away from TKIP!
  14. Number of SSIDs
     - Limit the number of wireless SSIDs in use. The recommendation is 4 or fewer.
     - Why? Beacon and probe request/response traffic grows with each SSID, and performance starts to decrease. A single SSID can take up 7-10% of the wireless traffic; with 5 SSIDs, 50% of the traffic can be management traffic.
     - Some vendors have ways around this. If you need more than 4 SSIDs, ask your wireless vendor what they recommend.
     - Also ask yourself: do you really need more than 4?
  15. Role of Multipath with 802.11n and Access Point Placement
     - With legacy Wi-Fi, the best location for an access point was very close to the clients, with an unobstructed line of sight.
     - 802.11n takes advantage of an RF effect called multipath. Multipath occurs when RF signals are reflected, refracted and otherwise bounced around a room.
     - Legacy devices do not work well with multipath, but 802.11n can take advantage of it: it transmits over multiple RF streams, which means you can double throughput.
     - What this really means is that you do not have to place access points in the middle of a room; it might make sense to put one in a corner.
  16. How to Estimate AP Count
     - A common question is: how many clients can I connect to a single AP? The answer? The almighty IT answer for everything: it depends.
     - The answer changes based on the following:
       - AP hardware selection (not all access points are made the same)
       - How many people you want to get connected
       - The mounting locations of the access points
       - Performance metrics (applications, bandwidth, latency)
       - Client capability and the estimated number of devices per AP
  17. How to Estimate AP Count (cont.)
     - How quickly a client can get off the air helps determine how many clients fit on one AP. An 802.11n client can transmit faster than a legacy 802.11a/b/g device.
     - The chart on the slide (not reproduced in this transcript) is a reference for client data rates; actual throughput will be less. For example, a legacy 802.11g client can have a rate of 54 Mbps, but with TCP/IP packet overhead it is more like 20 Mbps.
  18. Example: Number of Clients for a Classroom
     - With all clients running 802.11n, I have seen between 30 and 40 devices connected to 1 access point. Each device will only get about 3 Mbps and could experience delays at times.
     - Some solutions can get more per access point (Meru, Ruckus, Aruba) because of beamforming or because they use only a single channel.
     - You will need to be using at least 802.11n to get this many clients.
  19. Site Survey or Not?
     - With a site survey you can guarantee access point placement and coverage.
     - Most vendors can do a predictive survey. Remember that predictive surveys are not perfect.
     - If you are doing a predictive survey, make sure you budget for extra access points.
     - With a predictive survey, make sure you provide an accurate floor plan. You will also need to have the wall construction details available.
     - If you are going to support voice, make sure you tell that to the person doing the site survey.
  20. Wireless VoIP Best Practices
     - If you can, move phones to their own SSID and VLAN.
     - Use the 5 GHz band for wireless phones; avoid the 2.4 GHz range.
     - If you are supporting wireless phones, you will need -65 dBm or less (what this means is covered on the next slide).
     - Do not put access points at full power; match the access point's power to your wireless phones' power.
     - Design with more access points: you will get fewer devices per access point, which helps with roaming.
     - You will need to enable QoS on the wireless access points.
  21. What does -65 dBm mean?
     - dBm is the power ratio in decibels of the measured power referenced to one milliwatt. It is a measure of how much signal you have. The farther away you get, the lower the number.
     - Wireless phones and iPads work best with -65 dBm or less.
     - This is important when designing wireless networks. You might have coverage, but if it is poor coverage it is no good. Make sure you understand your requirements so you have the best design.
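The dBm arithmetic behind slides 5, 20 and 21, as an added example that is not from the presentation: it converts between dBm and milliwatts, then uses a log-distance path-loss model (an assumption of this example, with a 40 dB reference loss at 1 m for 2.4 GHz and a path-loss exponent of 3.0 for an office with walls) to show why doubling the AP's power buys only a few metres and why a cell is really limited by the weaker client radio. The survey readings are constructed, and the -65 dBm figure is read as a minimum signal the client must see.

```python
# Added example (not from the presentation): dBm arithmetic and a simple
# log-distance path-loss model, used to show why "more power" buys little
# range and why the client's transmit power, not the AP's, sets the cell size.
import math

# Assumed model parameters (not from the slides): 40 dB is the free-space loss
# at 1 m for 2.4 GHz; an exponent of 3.0 approximates an office with walls.
REFERENCE_LOSS_DB = 40.0
PATH_LOSS_EXPONENT = 3.0


def dbm_to_mw(dbm):
    """dBm -> milliwatts: 0 dBm is 1 mW, and every +3 dB roughly doubles the power."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    """milliwatts -> dBm."""
    return 10 * math.log10(mw)


def rssi_at(tx_power_dbm, distance_m, n=PATH_LOSS_EXPONENT, ref=REFERENCE_LOSS_DB):
    """Received signal (dBm) at distance_m under the log-distance model."""
    return tx_power_dbm - ref - 10 * n * math.log10(distance_m)


def range_for(tx_power_dbm, threshold_dbm=-65.0, n=PATH_LOSS_EXPONENT, ref=REFERENCE_LOSS_DB):
    """Distance (m) at which the signal falls to threshold_dbm (inverse of rssi_at)."""
    return 10 ** ((tx_power_dbm - ref - threshold_dbm) / (10 * n))


def usable_cell_radius(ap_power_dbm, client_power_dbm, threshold_dbm=-65.0):
    """A cell only works where BOTH directions clear the threshold, so the radius
    is set by the weaker transmitter, which is normally the client (phone, tablet).
    Turning the AP up past the client's power only enlarges the one-way zone where
    clients hear the AP, associate, and then cannot get their own frames back."""
    return min(range_for(ap_power_dbm, threshold_dbm), range_for(client_power_dbm, threshold_dbm))


def check_coverage(readings, threshold_dbm=-65):
    """Survey points where the measured signal is weaker than the threshold."""
    return [(location, rssi) for location, rssi in readings if rssi < threshold_dbm]


# Constructed survey readings (location, measured RSSI in dBm), not from the slides.
SAMPLE_READINGS = [("Room 101", -58), ("Room 102", -63), ("Hallway", -71), ("Room 104", -66)]

if __name__ == "__main__":
    print(f"-65 dBm is {dbm_to_mw(-65):.3e} mW")
    print(f"AP at 20 dBm reaches -65 dBm at {range_for(20):.1f} m; at 23 dBm (double the power) {range_for(23):.1f} m")
    print(f"a 14 dBm tablet only reaches the AP from {range_for(14):.1f} m, so the usable cell is {usable_cell_radius(23, 14):.1f} m")
    for location, rssi in check_coverage(SAMPLE_READINGS):
        print(f"{location}: {rssi} dBm is below the -65 dBm voice/tablet requirement")
```

Under this model doubling the AP's transmit power (+3 dB) extends the -65 dBm edge by only about 26%, while the client's lower power fixes the real cell edge; that is the arithmetic behind "more access points at lower power".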
  22. Wireless Troubleshooting Tools
     - If you are running Mac OS X 10.7, a wireless tool is built in. It can be launched from /System/Library/CoreServices/Wi-Fi Diagnostics.app. It can monitor performance, capture data and record events, and can be a good tool for troubleshooting.
     - For Windows, Xirrus has a free tool called Wi-Fi Inspector, located at http://www.xirrus.com/Products/Wi-Fi-Inspector.aspx. It can be used to test speed, quality and signal strength.
  23. More Wireless Troubleshooting Tools
     - Wi-Spy from www.metageak.net is a great tool. It can identify Wi-Fi problems and interference.
     - MetaGeek also has links to great tools, Wi-Fi planners and heat map generators, at http://www.metageek.net/docs/wireless-networking-tools/.
     - Fluke has some great tools; the best is AirMagnet Wi-Fi Analyzer. You will pay for it, but it is a great tool.
  24. Basic Wireless Security Best Practices
     - Put your wireless networks on a separate VLAN.
     - Guests should not be placed on a production network; put them on a separate VLAN that maps to a firewall or a public Internet connection.
     - If you have a directory service, authenticate your users against it. Most wireless devices can take advantage of a RADIUS server. On corporate networks, use WPA-Enterprise.
     - With guest access, present a disclaimer and require users to accept it at least once a day.
     - Disable SSID broadcasting for corporate networks.
  25. Wireless Controller-Based SSID Design
     - For security, have public Internet (guest) traffic tunnel back to the controller and out a separate connection on the controller. Do not place it on the production network.
     - For corporate connections, consider bridging the traffic at the local switch to increase speed and the number of devices supported.
     - When using a controller, have two for redundancy and failover if possible, and place them in different locations if possible.
     - Not all controllers are created equal; make sure you size your controller appropriately.
     - Read the best-practices guide for your controller for optimal settings.
  26. Wireless Future Planning: 802.11ac
     - It will be 5 GHz only and will come in 2 phases.
     - Cisco has a slot for an add-in radio. (Speaker's opinion: to do it right, it will need to be an entirely new device. Translation: don't believe this sales tactic.)
     - It will combine channels in the 5 GHz range to deliver up to 1 GB throughput.
     - It will require PoE+ Ethernet to power the access points.
     - The standard is still being ratified. If you purchase today, you will need a firmware update to make it standards-based.
     - You will need to maintain 2 networks: one for 2.4 GHz devices and one for 5 GHz devices.
     - Ask your vendors what their path to 802.11ac will be.
  27. Wireless Useful Resources
     - Ruckus Wireless Design Guide for High Density Wireless (linked from the slide)
     - Cisco Wireless Design Guide for Higher Education (linked from the slide)
     - Cisco Wireless Controller Best Practices (linked from the slide)
     - Aruba Wireless white papers and design guides (linked from the slide)
     - Juniper Wireless design guides and solutions (linked from the slide)
  28. In Closing: Wireless Considerations
     - More power does not mean greater distance.
     - If possible, avoid broadcasting more than 4 SSIDs.
     - Do not use TKIP; it can limit the number of clients per access point.
     - If you are deploying voice, iPads or heavy use of Wi-Fi smartphones, you will need -65 dBm or less.
     - Guest wireless access should never touch your production network.
     - If you have 802.11b devices, remove them or disable 802.11b on your access points.
     - Not all access points are created equal; make sure you understand what your client density will be so you get the correct product.
  29. Switching Best Practices
  30. Spanning Tree
     - Who can tell me what this does and why it is needed?
     - Do all switch manufacturers enable it by default?
     - How does it determine who is the master?
  31. Network Infrastructure Best Practices: Spanning Tree
     - Spanning tree is one of the most misconfigured items on the network.
     - Make sure you set the root bridge to your core.
     - Some switches (HP) come with spanning tree disabled, which can lead to network loops and high switch CPU.
     - In a multi-vendor network, make sure the spanning-tree types match; if they do not, you will cause loops.
     - You should run per-VLAN spanning tree so you can make better use of your uplinks.
     - Enable PortFast on all edge ports; it allows devices to become active quicker.
  32. Spanning Tree Examples: HP

        ! Same MSTP config name on every switch. The name is case sensitive.
        Core-1(config)# spanning-tree config-name "B10"
        ! Same MSTP revision number.
        Core-1(config)# spanning-tree config-revision 1
        ! Same MSTP instance definitions.
        Core-1(config)# spanning-tree instance 1 vlan 10 20 108
        Core-1(config)# spanning-tree instance 2 vlan 30 40
        ! Enables spanning tree.
        Core-1(config)# spanning-tree
        ! Core-switch-specific configuration: Core-1 is root in instance 1.
        Core-1(config)# spanning-tree instance 1 priority 0

     HP Spanning Tree white paper: http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/How_to_improve_and_harden_spanning-tree_configuration_Configuration_note_Dec_08_A4.pdf
  33. Spanning Tree Examples: Cisco

        spanning-tree mode rapid-pvst
        spanning-tree portfast bpdufilter default
        spanning-tree vlan 10,14,18,40,190,212,216,220 priority 24576
        spanning-tree vlan 4,12,16,20,64,210,214,218,1000 priority 28672

     On edge ports, enable spanning-tree portfast. What is PortFast? It allows the port to become active faster than the traditional 60 seconds:

        interface GigabitEthernet 1/0/11
         spanning-tree portfast

     Cisco white paper: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml
  34. Spanning Tree Examples: Juniper

        set protocols vstp vlan 10 bridge-priority 16k
        set protocols vstp vlan 1000 bridge-priority 16k

     Juniper equivalent of PortFast (edge port):

        set protocols stp interface ge-0/0/0.0 edge

     White paper: http://www.juniper.net/us/en/local/pdf/implementation-guides/8010002-en.pdf
  35. Layer 3 Routing
     - If possible, use layer 3 on the uplinks between the core and the closet.
     - Layer 3 limits the need for spanning tree and the exposure to network loops.
     - Layer 3 also ensures fast failover if designed correctly.
     - It will also cut down on broadcast traffic between switches.
     - If you need a layer 2 VLAN on all of your switches, consider a separate uplink that carries only that VLAN.
  36. VLANs
     - Disable VLAN 1! It is the default VLAN, and hackers look for it.
     - Use more than 1 VLAN, for security and to separate traffic and devices.
     - Servers should have their own VLAN; wireless should have its own VLAN.
     - You can have too many VLANs, but if you have more than 250 devices, you need more than 1 VLAN.
  37. VLAN Configuration Guides
     - Juniper VLAN configuration: http://www.juniper.net/techpubs/en_US/junos9.4/topics/task/configuration/bridging-vlans-ex-series-cli.html
     - Cisco VLAN configuration: http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml
     - HP VLAN configuration: http://www.hp.com/rnd/support/config_examples/primary_vlan.pdf
  38. VLAN Security Issues (Why Not to Use VLAN 1)
     - MAC flooding attack
     - 802.1Q and ISL tagging attack
     - Double-encapsulated 802.1Q / nested VLAN attack
     - ARP attacks
     - Private VLAN attack
     - Multicast brute force attack
     - Spanning-tree attack
     - Random frame stress attack
  39. Switch Trunking Best Practices
     - Make sure you use industry standards for VLAN trunks.
     - Make sure you set the native VLAN ID to something other than VLAN 1.
     - Make sure you prune switch trunks down to only the VLANs that are needed.
     - You do not need all VLANs on all switches; remove the VLANs that are not needed.
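An added example that is not from the presentation or from any vendor tool: a small audit script that reads a Cisco IOS-style switch configuration (the syntax shown on slide 33) and reports the spanning-tree, VLAN 1 and trunk-pruning points from slides 31, 33, 36 and 39. The two configurations it runs against are constructed for the example; the weak one is the "before", the hardened one shows the same switch with the findings fixed. IOS defaults are assumed for what the config leaves unsaid: an access port with no `switchport access vlan` sits in VLAN 1, and a trunk with no native or allowed-VLAN line uses native VLAN 1 and carries every VLAN.

```python
# Added example (not from the presentation or any vendor tool): audits a Cisco
# IOS-style switch configuration against the spanning-tree, VLAN 1 and
# trunk-pruning points on slides 31, 33, 36 and 39. Both configurations below
# are constructed for the example.
import re

WEAK_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 priority 24576
!
interface GigabitEthernet1/0/1
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan all
!
interface GigabitEthernet1/0/11
 switchport mode access
!
interface GigabitEthernet1/0/12
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
"""

HARDENED_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 priority 24576
!
vlan 999
 name unused-native
!
interface GigabitEthernet1/0/1
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/11
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
"""


def parse_config(text):
    """Split an IOS-style config into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:      # indented line inside an interface block
                interfaces[current].append(raw.strip())
            continue                      # other blocks (vlan, line, ...) are not audited
        m = re.match(r"interface (\S+)$", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, interfaces


def _arg(cmds, prefix, default):
    """Value after `prefix` in the interface's commands, or the assumed IOS default."""
    for c in cmds:
        if c.startswith(prefix + " "):
            return c[len(prefix) + 1:]
    return default


def audit(text, is_core=False):
    """Return (where, finding) pairs for each best-practice violation found."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    if "spanning-tree mode rapid-pvst" not in global_cmds:
        findings.append(("global", "STP mode is not rapid-pvst; run per-VLAN rapid spanning tree"))
    if is_core and not any(re.match(r"spanning-tree vlan \S+ priority \d+", c) for c in global_cmds):
        findings.append(("global", "no bridge priority set on the core; root will be elected by lowest MAC"))
    for name, cmds in interfaces.items():
        if "switchport mode trunk" in cmds:
            if _arg(cmds, "switchport trunk native vlan", "1") == "1":
                findings.append((name, "trunk native VLAN is 1"))
            if _arg(cmds, "switchport trunk allowed vlan", "all") == "all":
                findings.append((name, "trunk not pruned; all VLANs allowed"))
        elif "switchport mode access" in cmds:
            if _arg(cmds, "switchport access vlan", "1") == "1":
                findings.append((name, "access port is in VLAN 1 (explicit or default)"))
            if "spanning-tree portfast" not in cmds:
                findings.append((name, "edge port without portfast"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg, is_core=True) or 'no findings'}")
```

The parser only understands the handful of commands the audit needs; the point is that every item on the slides can be turned into a check that runs against the saved configuration, so the rules get verified on every switch rather than remembered.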
  40. Backups
     - How often do you back up your switches?
     - Do you use a tool to automate your backups?
     - Do you get an email notifying you of changes?
     - A simple product called CatTools can back up your environment and is low cost: http://www.kiwisyslog.com/kiwi-cattools-overview/. Price is $750 plus maintenance.
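The change-notification half of slide 40, as an added example that is not from the presentation and not CatTools: given the previous and current saved configuration of a switch, it fingerprints a normalised copy of each and produces a unified diff only when something actually changed. The normalisation is the practitioner's caveat: IOS writes a `! Last configuration change at ...` header that differs on every pull, so hashing the raw file would alarm daily. The two snapshots are constructed; the device name and the header patterns are assumptions of the example.

```python
# Added example (not from the presentation, not CatTools): change detection for
# saved switch configurations. It hashes a normalised copy of each snapshot and
# produces a unified diff when the hash moves. Both snapshots are constructed.
import difflib
import hashlib
import re

# Header lines that change on every backup pull; assumed patterns for this example.
VOLATILE = re.compile(r"^! (Last configuration change|No configuration change|Time:)")

BEFORE = """\
hostname closet-1
!
interface GigabitEthernet1/0/5
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
!
ntp server 192.0.2.10
"""

# Constructed "after" snapshot: someone moved the port to VLAN 1 and dropped portfast.
AFTER = """\
hostname closet-1
!
interface GigabitEthernet1/0/5
 switchport access vlan 1
 switchport mode access
!
ntp server 192.0.2.10
"""


def normalise(text):
    """Drop timestamp headers and trailing spaces so the fingerprint only moves
    when the configuration itself does."""
    return "\n".join(line.rstrip() for line in text.splitlines() if not VOLATILE.match(line))


def fingerprint(text):
    """SHA-256 of the normalised configuration; store this with each backup."""
    return hashlib.sha256(normalise(text).encode()).hexdigest()


def changed_lines(old, new):
    """(removed, added) command lines between two snapshots, in file order."""
    a, b = normalise(old).splitlines(), normalise(new).splitlines()
    removed, added = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(a[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(b[j1:j2])
    return removed, added


def change_report(device, old, new):
    """None when nothing changed, otherwise a unified diff ready to put in a notification."""
    if fingerprint(old) == fingerprint(new):
        return None
    diff = difflib.unified_diff(normalise(old).splitlines(), normalise(new).splitlines(),
                                fromfile=f"{device}/previous", tofile=f"{device}/current",
                                lineterm="")
    return "\n".join(diff)


if __name__ == "__main__":
    print(change_report("closet-1", BEFORE, AFTER))
```

Run against the constructed snapshots the report shows the port dropping into VLAN 1 and losing PortFast, exactly the kind of quiet change the slide wants an email about; the same functions work unchanged on files pulled by any backup tool.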
  41. Code Upgrades
     - How often do you upgrade your switches?
     - Do you use the recommended release when installing?
     - Do you have a plan for when and how you upgrade your switches?
     - You should attempt to upgrade yearly, using the recommended release at that time. Cisco and Juniper have links to their recommended releases.
     - Switches are no different from PCs: they need to be patched.
  42. Survey
     - If you provide me your business card, I will provide you an assessment of your current wireless network and see if you are following best practices.
  43. Newsletter and Tech Tips
     - I write a monthly newsletter and send out weekly security tech tips. If you would like to get onto my list, please provide me with a business card.
  44. Questions? Thank you. You can contact me at James@tbjconsulting.com or 262-363-9070.