CCC Event WiFi Guidelines (draft)
by c3noc, 2015-08-26
===

IN GENERAL

Important factors in our WiFi deployments are:

* "Overlay" mode, a.k.a. tunneling from AP to controller. We run numerous VLANs on the WiFi infrastructure; we don't want to stretch all those VLANs to each access point.
* If possible, we'd like to use central handling of 802.11 crypto to offload the APs.
* Proper broadcast filtering. We use large IP subnets on the WiFi infrastructure (up to 16K users, an IPv4 /18). We want users to be able to keep their IP addresses as they roam through the venue. Filtering unnecessary broadcast/multicast is key: broadcast/multicast frames are sent at the lowest 802.11 data rates and consume a lot of airtime.
* The solution should implement ARP proxy (IPv4) and NDP proxy (IPv6). We run with public IPv4/IPv6 space on the WiFi infrastructure, so there will be constant traffic towards unclaimed addresses; unnecessary ARP/NDP requests should not reach the WiFi user.
* 802.1X support with dynamic VLAN assignment via RADIUS, including IPv6 SLAAC support. Deploying an SSID for each VLAN doesn't scale with numerous VLANs on the WiFi infrastructure. We use RADIUS to drop users into different VLANs, for example NOC users, VOC users, NAT64 users, etc. The solution should support IPv6 SLAAC with dynamic VLAN assignment.
* Dual-radio access points with:
** 3x3 MIMO for high-density areas, 2x2 MIMO for low-density areas.
** Either 802.11n or 802.11ac support.
** Channel 13 support for 2.4GHz in EU/Germany.
** DFS support in 5GHz (we are deploying with 19 20MHz channels) for optimal capacity.
** PoE/PoE+ (802.3af/at) support.
* Security features to suppress rogue DHCP servers and rogue IPv6 SLAAC router advertisements.
* IPS/IDS features to detect rogue APs and potentially mitigate them.

DESIGN

* Design for capacity first, coverage area second. This means mounting APs in a way that they provide good coverage to a specific area but not to other areas. Use the characteristics of the building to achieve this.
* Design for 60-70% of the clients to be in the 5GHz band. The number of 5GHz-capable clients will continue to increase with the introduction of 802.11ac.
* Plan for a maximum of 50-75 clients on the same channel ("collision domain"); this means you need enough radios/channels to support the number of clients in a single room.
* Use 20MHz channels in *both* 2.4GHz and 5GHz. Channel bonding (a.k.a. 40/80/160MHz channels) in 5GHz does not make sense in dense areas, as it decreases the number of clients you can support.
* For EU deployments: use a 4-channel plan in 2.4GHz: 1/5/9/13. Combine DFS and non-DFS channels in 5GHz (19 20MHz channels available). Monitor radar events and disable specific channels if needed.
* When deploying 5 or more APs in the same room/area, disable any 2.4GHz radios that would otherwise end up on the same channels.
* Use automatic channel and power assignment, but with this rule: "trust, but verify". Automatic assignment does not always work; certain high-density areas will need static assignment.
* Limit the number of SSIDs. Having too many SSIDs consumes a lot of airtime. Use 802.1X with dynamic VLAN assignment to enable multiple VLANs on the same SSID. At a typical CCC event, we will have on the same band an open (unencrypted) SSID, an (encrypted) 802.1X SSID and various community SSIDs (such as Freifunk).
* Use separate SSIDs for 2.4GHz and 5GHz; this eliminates the chance of a client taking the "wrong decision" of connecting to 2.4GHz despite being 5GHz-capable. Technologies like "band steering" do not always work, whereas this method does.
* Disable the low 802.11 rates for 802.11a/g and disable 802.11b entirely. This means that management/control/beacon frames are broadcast at higher rates, minimising their airtime usage. We use a minimum of 24Mbit/s for 802.11g (2.4GHz) and 18Mbit/s for 802.11a (5GHz).
* Use large IP subnets in the VLANs for WiFi end users, but make sure the router supports the number of clients in terms of ARP and IPv6 ND entries. Calculate enough overhead for the subnet size: we use an IPv4 /18 (16K addresses) to support ~10K WiFi end users. Remember that many visitors will bring three or four WiFi-capable devices that may at some point all be active.

SOFTWARE

* FreeRADIUS for 802.1X.
* Graphite for graphing; see http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Aruba-stats-to-Graphite/td-p/222329 to get Aruba metrics into Graphite.
* Aruba AirWave (for saving historic data of the WiFi infra and mapping the locations of the APs).

REFERENCES

Excellent documentation by Aruba: "Very High Density 802.11ac Networks Validated Reference Design": http://community.arubanetworks.com/t5/Validated-Reference-Design/Very-High-Density-802-11ac-Networks-Validated-Reference-Design/ta-p/230891
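The 802.1X dynamic VLAN assignment described in the IN GENERAL and DESIGN sections works by the RADIUS server (FreeRADIUS in this setup) returning three RFC 3580 tunnel attributes in the Access-Accept, which the controller maps to a VLAN. The following is an added example, not code from c3noc or FreeRADIUS: it encodes and decodes those attributes so a defender can check what a server actually hands out, including the tagged-attribute rule from RFC 2868 and the case where the attributes do not describe an 802 VLAN. The attribute numbers and enum values are standard RADIUS; the sample packet bytes and the VLAN 100 "NOC" placement are constructed for illustration.

```python
"""
Added example (not part of the c3noc guidelines or of FreeRADIUS): encode
and decode the RFC 3580 tunnel attributes that carry a dynamic VLAN
assignment in a RADIUS Access-Accept.  Sample bytes are constructed here.
"""

# RFC 2868 / RFC 3580 attribute types and values used for VLAN assignment
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802


def parse_attributes(payload: bytes):
    """Walk the RADIUS attribute list: 1-byte type, 1-byte length
    (including the 2-byte header), then the value."""
    attrs = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def _split_tag(value: bytes):
    """RFC 2868 tagged attributes: a first byte <= 0x1F is a tag that
    groups the three attributes into one tunnel; anything larger is
    already part of the value (tag 0, untagged)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def _tagged_int(value: bytes):
    tag, body = _split_tag(value)
    if len(body) != 3:
        raise ValueError("tagged integer must be 3 bytes after the tag")
    return tag, int.from_bytes(body, "big")


def assigned_vlan(payload: bytes):
    """VLAN id the Access-Accept assigns, or None when the tunnel
    attributes are missing, carry different tags, or do not describe an
    802 VLAN (in which case a controller should leave the user on the
    SSID's default VLAN rather than guess)."""
    per_tag = {}
    for atype, value in parse_attributes(payload):
        if atype == ATTR_TUNNEL_TYPE:
            tag, v = _tagged_int(value)
            per_tag.setdefault(tag, {})["type"] = v
        elif atype == ATTR_TUNNEL_MEDIUM_TYPE:
            tag, v = _tagged_int(value)
            per_tag.setdefault(tag, {})["medium"] = v
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            tag, body = _split_tag(value)
            per_tag.setdefault(tag, {})["group"] = body.decode("ascii", "replace")
    for fields in per_tag.values():
        if (fields.get("type") == TUNNEL_TYPE_VLAN
                and fields.get("medium") == TUNNEL_MEDIUM_IEEE_802
                and "group" in fields):
            # Only accept a numeric VLAN id; VLAN names need a vendor-specific lookup
            group = fields["group"]
            return int(group) if group.isdigit() else None
    return None


def build_vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Encode the three attributes a server sends.  Tag 0 means untagged;
    the FreeRADIUS 'Tunnel-Type:1 = VLAN' syntax would set tag 1."""
    def attr(atype, value):
        return bytes([atype, len(value) + 2]) + value
    prefix = bytes([tag]) if tag else b""
    return (attr(ATTR_TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, prefix + str(vlan_id).encode("ascii")))


# Constructed sample: a NOC user being placed into VLAN 100 (tag 1)
SAMPLE_ACCEPT = build_vlan_attributes(100, tag=1)

if __name__ == "__main__":
    print("assigned VLAN:", assigned_vlan(SAMPLE_ACCEPT))
```

Feeding a captured Access-Accept's attribute bytes to `assigned_vlan` is a quick way to confirm that a user ends up in the VLAN the RADIUS policy intends, and that the controller is not silently falling back to the default VLAN because a tag or medium type is wrong.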
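The DESIGN rules of thumb (50-75 clients per channel, 60-70% of clients on 5GHz, a 4-channel 2.4GHz plan, 19 20MHz channels in 5GHz, disabling surplus 2.4GHz radios once a room has 5 or more APs, and sizing a subnet with headroom) combine into a small planner. The code below is an added example, not a tool from c3noc: it applies those numbers to a room's expected client count and to a peak active-device count. The room sizes and the 50-clients-per-channel and 65% choices are constructed assumptions within the guideline ranges.

```python
"""
Added example (not from the c3noc guidelines): capacity planner applying
the DESIGN rules of thumb.  Inputs below are constructed sample values.
"""
import math

CHANNELS_2G = 4            # EU 2.4GHz plan: 1/5/9/13
CHANNELS_5G = 19           # DFS + non-DFS 20MHz channels
CLIENTS_PER_CHANNEL = 50   # lower end of the 50-75 guideline: plan conservatively


def radios_for_room(clients: int, five_ghz_percent: int = 65):
    """Radios needed per band for one room.  One radio is one channel, i.e.
    one collision domain, so each band needs ceil(clients / 50) radios."""
    clients_5g = -(-clients * five_ghz_percent // 100)   # ceiling division
    clients_2g = clients - clients_5g
    radios_5g = -(-clients_5g // CLIENTS_PER_CHANNEL)
    radios_2g = -(-clients_2g // CLIENTS_PER_CHANNEL)
    aps = max(radios_5g, radios_2g)   # dual-radio APs, count driven by the busier band
    # With 5+ APs in a room, keep only the 2.4GHz radios actually needed and
    # never more than the 4 available channels; disable the rest so that no
    # two radios in the room share a 2.4GHz channel.
    active_2g = min(radios_2g, CHANNELS_2G) if aps >= 5 else aps
    return {
        "aps": aps,
        "radios_5g": radios_5g,
        "radios_2g": radios_2g,
        "disable_2g_radios": aps - active_2g,
        # More 5GHz radios than channels means the room needs RF separation
        # (walls, directional mounting), not just more APs.
        "exceeds_5g_channels": radios_5g > CHANNELS_5G,
    }


def subnet_prefix(peak_active_devices: int, headroom: float = 0.5) -> int:
    """Smallest IPv4 prefix length whose address count covers the expected
    peak of simultaneously active devices plus proportional headroom.
    Count devices, not visitors: the guidelines note three or four devices
    per visitor may be active at once."""
    needed = math.ceil(peak_active_devices * (1 + headroom))
    return 32 - math.ceil(math.log2(needed))


if __name__ == "__main__":
    print(radios_for_room(400))         # a constructed 400-client hall
    print("/%d" % subnet_prefix(10000))  # ~10K active devices with 50% headroom
```

For the 400-client hall the planner asks for 6 dual-radio APs and disables 3 of their 2.4GHz radios; for ~10K active devices plus 50% headroom it arrives at the /18 the guidelines use, and the same call with three devices per visitor shows why the ARP/ND table size of the router has to be checked before the subnet is simply enlarged.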