I don’t have any hard statistics to back this up, but I’m willing to fake bet that at least 90% of Mist’s customer deployments use local breakout (LBO) or local bridging as the method of offloading Wi-Fi client traffic onto the wired network. If this is your first time seeing the term LBO, it’s essentially bridging traffic directly onto the switch port that the AP is connected to. It requires a L2 network where your client VLANs are available on the switch(es) that your AP(s) are connected to.
When working with networking vendors in this day and age, AI and ML are terms that are thrown around as features that add value to your team by proactively monitoring and alerting you of interesting or problematic things that may unknowingly exist in your environment. At face value, that sounds great! You don’t have to constantly check your network for issues because the system will bubble them up for you. And in an environment with close to 310,000 APs across multiple orgs and sites, it’s pretty much table stakes. The good news is that I’ve seen this work, as long as you’re checking those alerts because today, these systems will most likely alert, but not automatically remediate any of its findings. The remediation process still requires human intervention in most cases. However, what happens if the vendor’s AI/ML solution isn’t trained to find something in your environment that it should or something that you might be interested in looking at? That’s where knowing how to code and also work with APIs really comes in handy these days. I’m going to walk you through two different scenarios where writing my own code to leverage one of our WLAN vendor’s APIs led to insightful discoveries in our environment to help find a few needles in a massive haystack. One of the scenarios even led to the vendor implementing their own proactive checks into the platform which has sparked an auto RMA process for us.
Continue readingIn my current role, we sometimes receive complaints about the Wi-Fi being slow or not working properly. When we ask what the issue is, we’re often sent responses referring to speed test results only that are supposed to serve as the definitive proof that something’s wrong with the Wi-Fi. What our user base often doesn’t understand is that there are many variables when it comes to speed tests in general, but when running these speed tests while connected to Wi-Fi, even more variables exist. Let me try to explain.
Whether it be wired or Wi-Fi, there are theoretical and real-world throughput maximums in networking that are affected by a number of things. For example, even when you have a 1 Gbps wired connection, chances are you’ll never get full 1 Gbps line-rate speeds in a raw throughput test due to at minimum, the overhead needed to put bits onto the wire, not to mention whether the latency and TCP Window Size (if using TCP) can support the line-rate speed. Latency and the TCP Window Size are two things I’ll come back to in more detail later.
Continue readingMy employer is currently building a new home office (HO) campus. In every building except two infrastructure support buildings, we are installing Mist AP45s which are 6E capable. The two support buildings received AP43s which don’t support 6E, but are Wi-Fi 6 (802.11ax) capable and still very capable APs.
Why is that important? Well, as most if not all of you out there know by now, WPA3 is mandatory in 6 GHz. We haven’t deployed the AP45s in many places yet, so the new HO campus is an opportunity to really get our hands dirty with not just 6 GHz, but also WPA3-Enterprise on our corp WLAN and OWE on our guest WLAN to see how some of our client base would respond and operate. But Keith, didn’t you just say the support buildings had AP43s which don’t support 6 GHz operation? I did, but as I mentioned in the opening paragraph, they are 802.11ax capable and 802.11ax does support WPA3 which isn’t something we had broadly enabled yet in our environments up to this point!
Continue readingI’ll be heading to WLPC for the first time since 2020 and I’m finally starting to get a little excited. Nate York, who first got me hooked on the WLPC run club unfortunately won’t be there, but I’m going to try and continue the spirit of it on his behalf. Below, you’ll find my plans for maintaining my fitness while in Phoenix. The offer is open to anyone and everyone and I’ll be using the hashtag of #WLPCFit on Twitter for communication and reminders. I hope to see a good amount of participation!
Continue readingI’ve always been someone who has advocated for buying your own tools to test and troubleshoot things. This applied when I was working primarily as a network engineer focused on route/switch, datacenter, and security technologies and it still applies today, now that I’m primarily focused on wireless. In my experience, some companies and/or management are better than others with regards to buying tools for their employees so you cannot always rely on them for help. Investing in yourself and your learning is critical in my opinion so don’t let that deter you. It’s also nice to be able to take those tools with you if you decide to move on to “greener pastures” one day. Unfortunately, not all tools are what I consider to be affordable for the average person, especially if they are somewhat frugal like myself. Just do the best you can, when you can.
Continue readingThis morning, I tweeted the message below without much context:
With the 280 character limit of Twitter (hard to believe it used to be 140), sometimes it’s difficult to fully express an idea or the context behind it and instead of trying to create a messy, multi-threaded tweet, I just left it there as food for thought. But here on my blog, I can elaborate further on why this situation stood out to me and how it applies to you, the reader, who’s most likely in an IT related role.
Continue readingThis is not meant to be a bash post or anything like that, but more of a “public service announcement” for anyone who might have to deal with this scenario in the future and cannot find a ton of info online; I know I couldn’t.
I was on a work-related call today regarding a project to bring in a vendor that was going to leverage the 5 GHz Wi-Fi channels that we typically leave out of our channel plans for their own autonomous Wi-Fi network to provide connectivity for their client devices. Those unused channels are in the UNII-2e (or UNII-2C for the initiated) band, specifically 112-132. That’s not a small amount of spectrum that we give up, but we do it as part of our partnership with vendors who need the spectrum in order to provide their own networks for their solutions. I know what you’re thinking… We picked those specific channels because traditionally they’ve been known to have more problems than others with DFS events, but I can neither confirm nor deny that! Those channels were selected before my time here so I’ll claim plausible deniability on that one :). Anyway, nothing new for us there and back to the story…
It was noted on the call that Meraki does not allow channels 116-132 to be used and my antennas (wireless pun) immediately went up. “Hold up, flag on the play! That CAN’T be right. Are you sure?” is what I was thinking to myself. Admittedly, while I have worked on some Meraki tasks and troubleshot a few things since starting here, I have not completely delved into the world of Meraki to say much, if anything, definitively about their solution. So I kept my mouth shut and scrambled to log into our Meraki dashboard, trying to confirm what was said by someone who wasn’t even on our team; surely they had to be mistaken. And then I saw it…
I’ve been doing less and less Python development since moving to a new company back in June. At my previous employer, I worked on Python command-line scripts and a custom-built web app fairly often that assisted with daily, monotonous tasks as well as troubleshooting. I really enjoyed the process of learning more about Python and developing tools that helped not just myself, but also my team.
Continue reading
So you’ve got that fancy new AP from VendorX with all the speeds and feeds, including multi-gigabit capability. Are you taking advantage of the increased speeds? How do you keep track of all your APs and the speeds they are linked up at? I found this interesting tidbit about LLDP when I was doing some investigation on an infrastructure insight that RUCKUS Analytics provides…
The 5.850-5.925 GHz frequency band of spectrum, otherwise known as U-NII-4 was approved for unlicensed use on May 3, 2021, effective July 2, 2021. Well, kind of. Let me explain…
Continue readingI was recently asked to do a predictive design for a warehouse. Sounds innocent enough, except the floor plan was a picture of the floor plan made in an Excel spreadsheet. Up until this point, I had never dealt with something like this, but it immediately reminded me of this exchange on Twitter between Eduard Petrov and Vasco Costa a day or two before receiving it:
Continue readingClient fingerprinting, in my opinion, is one of those features that many people don’t think about until they either need it, want it, or it’s broken. It’s not as sexy as other Wi-Fi security related topics such as 802.1X or micro segmentation and it’s certainly not going to prevent a client from operating correctly on the network if it’s not available (or can it?). However, it does help provide insight into your Wi-Fi client base which can be valuable in terms of knowing what device or devices are popular and making sure your Wi-Fi supports them well. Additionally, it is possible to tie access controls to clients by their device type which can affect what they are able to do on the network. With that said, it’s probably worth knowing how client devices are identified from their manufacturer down to the OS version and more importantly, the methods your Wi-Fi vendor uses to identify them. In this post, I’m going to discuss how client fingerprinting is done in general, how RUCKUS does it, and how one method of fingerprinting that we use today is changing due to security concerns.
No, I’m not quitting my career as an IT professional to start a R&B group, but hopefully the title of my blog post captured your attention enough to get you here. Now let me explain.
Earlier this year, RUCKUS released SmartZone (SZ) 6.0. There were many new features and improvements like a completely redesigned web UI for example, but another minor feature made the cut as well: AP Hostname Advertisement
