WiFi - Offirmo-team/wiki GitHub Wiki
A bunch of optimisations to the WiFi:
Set 'Enable Session Timeout' to 28800 seconds (8 hours). This prevents needless disconnections.
Disable Aironet IE - causes problems with OS X devices.
Disable Client Exclusion - basically locks people off the network if they fail authentication a few times, which can happen with crappy supplicants roaming very quickly through lifts and floors etc.
Set User Idle Timeout to 28800 (from current 300 seconds) - This feature is killing sessions for clients that don't send packets for 5 minutes. Because we aren't a university or cafe, we don't really need to worry about memory being used up by quiet clients and can raise this value. The user experience is that if they go out of range, sleep, go for coffee, or just don't have much network activity for a moment, they need to go through a full re-auth and association.
Load Balancing - either turn off, or use very loose values:
Client Window Size: 20 - we raise this because we don't want load balancing to actually kick in until there are at least 20 clients on an AP.
Maximum Denial Count: 1 - we lower this because sending more than 1 denial can cause roaming delays for end-users.
Band Select - either turn off or use very loose values:
Probe Cycle Count: 1 - lower to 1 so that we don't keep trying to force clients onto 5 GHz if they request 2.4 GHz twice in a probe cycle.
Optimised Roaming: LEAVE DISABLED - This feature prevents client association when RSSI is low and actively kills associations when RSSI is low. We leave it disabled because we want clients to choose when and how to roam. Enabling optimised roaming can cause black holing. Reference: Cisco Wireless Controller Configuration Guide, Release 8.0 - WLAN Security [Cisco Wireless LAN Controller Software].
Tick UNII-2 Channels - You should now see the following channels in the list: 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 132, 136, 140, 149, 153, 157, 161, 165. Congrats! You've now doubled the number of channels the APs can use to escape interference and optimize speed.
Disable packseq-jump-delba to prevent client traffic from being black holed when clients don't send 802.11 ACK frames.
Decrease power neighbor threshold to -76 dBm from default -70 to get the APs to all lower their power output (Wireless > 802.11a > RRM > TPC > Power Threshold (-80 to -50 dBm)), based on the quote below and cisco-2100-series-wireless-lan-controllers:
In the Power Threshold text box, enter the cutoff signal level used by RRM when determining whether to reduce an access point's power. The default value for this parameter is -70 dBm but can be changed when access points are transmitting at higher (or lower) than desired power levels.
The range for this parameter is -80 to -50 dBm. Increasing this value (between -65 and -50 dBm) causes the access points to operate at higher transmit power rates. Decreasing the value has the opposite effect.
In applications with a dense population of access points, it may be useful to decrease the threshold to -80 or -75 dBm to reduce the number of BSSIDs (access points) and beacons seen by the wireless clients. Some wireless clients might have difficulty processing a large number of BSSIDs or a high beacon rate and might exhibit problematic behavior with the default threshold.
Set Maximum Power Level Assignment (-10 to 30 dBm) to 17 dBm or lower. This prevents clients all being attracted to a single powerful AP.
Decrease the coverage hole detection threshold for Data RSSI and Voice RSSI to -90 dBm from default -80. This prevents APs from raising their power level too often.
Lower the EAP timeouts, based on Cisco recommendations (EAP Timers on Wireless LAN Controllers): http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.html
config advanced eap identity-request-timeout 5 (from 30)
config advanced eap request-timeout 5 (from 30)
Disable Event Driven RRM on both Bands (ED-RRM) - Causes Apple clients to experience drop-outs, as the Cisco algorithm is too quick to change channels in a big city.
Disable 802.11k and 802.11v BSS Transition Support - Causes the AP to broadcast the 802.11h Power Constraint IE with a persistent value of 3 dBm (even if the 802.11h value is set to 0), which can push Apple clients to 0 dB transmit power (due to faulty Apple implementation of Power Constraint).
Configured: config network ip-mac-binding disable
Disabling this prevents the WiFi from dropping frames from clients if they don't have an IP-MAC address combination that matches the existing binding the WLC knows about. The rationale here is that perhaps, when the client is coming out of sleep, it is using some sort of auto-configured link-local address, or the WLC logic isn't amazing and it's dropping inverse-ARP and ARP frames out of sleep.
Disabled "Learn Client IP Address" on the WLAN.
Testing revealed this setting doesn't cause traffic to be dropped initially, but after some time a client without a learned IP will have their traffic dropped, and then will be booted off the WiFi. This state should never occur in production, but to rule out the possibility that clients coming out of sleep self-assign themselves addresses (Apple implements a unique DHCP behaviour when exiting sleep), and don't allow the WLC to learn it via DHCP, I have disabled this feature. The downside is worse reporting, since the WLC will now show 0.0.0.0 for the client IP initially. However, after some time the IP is learned anyway and included in accounting messages.
The way Cisco should describe this feature is: "If you don't see a DHCP exchange when the client connects, kick them off".
config dhcp proxy disable
I read more into Apple's implementation of DNAv4 (rapid DHCP) in RFC 4436: Detecting Network Attachment in IPv4 (DNAv4), Mac OS X Mavericks: DNS-Server required for default route, and Understand how AireOS WLCs Handle DHCP Protocol. It seems that it records the DHCP server address for later use; however, the WLC intercepts DHCP (even in flexconnect? I'm not sure anymore) and replaces the DHCP server address with its virtual IP of 1.1.1.1, which will be unreachable to a client coming out of sleep.
So the rationale here is that we 1. disable a feature and 2. maybe expose the real DHCP server IP addresses to the client so it can use them properly for DNAv4.
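
To check on the wire whether clients are being handed the virtual IP, the following added example (not part of the original wiki) parses option 54 (Server Identifier) out of a DHCP reply and reports whether it equals 1.1.1.1. The packets are constructed samples; the 192.0.2.x addresses, the MAC and all function names are assumptions made for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of DHCP options
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
WLC_VIRTUAL_IP = ipaddress.IPv4Address("1.1.1.1")  # virtual IP named on this page

def build_reply(yiaddr, server_id, msg_type=5):
    """Constructed sample: minimal BOOTREPLY (DHCPACK) with options 53 and 54."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234ABCD, 0, 0,
                        bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4),
                        bytes(4), bytes.fromhex("020000000001"), bytes(64), bytes(128))
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
    opts += ipaddress.IPv4Address(server_id).packed + bytes([OPT_END])
    return fixed + MAGIC_COOKIE + opts

def parse_options(payload):
    """Return {option_code: value_bytes} from the UDP body of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: too short or no magic cookie")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:                 # single-byte padding, no length field
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def server_identifier(payload):
    """IPv4 address from option 54, or None when the reply does not carry one."""
    raw = parse_options(payload).get(OPT_SERVER_ID)
    if raw is not None and len(raw) != 4:
        raise ValueError("option 54 must be exactly 4 bytes")
    return ipaddress.IPv4Address(raw) if raw else None

def proxied_by_wlc(payload, virtual_ip=WLC_VIRTUAL_IP):
    """True when the reply names the WLC virtual IP as the DHCP server."""
    return server_identifier(payload) == virtual_ip

if __name__ == "__main__":
    for label, sid in (("proxy on", "1.1.1.1"), ("proxy off", "192.0.2.53")):
        pkt = build_reply("192.0.2.120", sid)
        print(label, server_identifier(pkt), proxied_by_wlc(pkt))
```

Feed `proxied_by_wlc` the UDP payload of a DHCP ACK captured on a client before and after `config dhcp proxy disable` to confirm which server address the client actually records.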