Michael McNamara
https://blog.michaelfmcnamara.com
technology, networking, virtualization and IP telephony
Sat, 30 Oct 2021 18:23:06 +0000

802.11 Wireless LANs vs. broadcast traffic
https://blog.michaelfmcnamara.com/2013/09/802-11-wireless-lans-vs-broadcast-traffic/
Sun, 15 Sep 2013 14:10:32 +0000

Like many engineers and network managers I’m finding more and more clients are connecting via our 802.11a/b/g wireless network than ever before. While some of the wireless clients are corporate devices which connect to the corporate network, a large number of wireless devices are connecting to the public guest network which connects to the public Internet. At our largest facility we have some 1,500 corporate devices connecting via wireless. However, we can have upwards of 2,000 public devices connecting to our public guest network at any one time. All those smartphones, tablets and computers put out an immense amount of broadcast and multicast traffic which can adversely impact a wireless network.

I originally calculated that the broadcast and multicast traffic was accounting for between 40Kbps and 60Kbps of traffic on our wireless network. However, looking at the traffic graphs right after the change I was shocked at the delta. I performed the change just before noon and you can see a delta of Mbps not Kbps. I would estimate that the changes are saving us 5Mbps of traffic to/from our wireless network.

Wireless Broadcast Traffic

That’s a lot of needless background noise that ultimately leads to airtime issues which eventually results in retransmissions, delayed packets, jitter and packet loss which can severely impact application performance.

Over the past few weeks I’ve been working to deploy some filters on our Motorola RFS 7000 Wireless LAN Switches (v4.4.2), so I thought I would share them as a best practice for any medium to large scale wireless deployment. If you only have 10 APs then you probably don’t need to worry about filtering the broadcast and multicast traffic. If you have 500 APs then you definitely need to be paying attention to all the needless noise being generated on your wireless network. In the example below I also took the opportunity to block IPv6 frames, since we’re still utilizing only IPv4 on our wireless networks.

enable
config t

firewall enable

no firewall stateful-packet-inspection l2

mac access-list extended ARP-ALLOW-ACL
deny any any type ipv6 rule-precedence 10
permit any any type arp rule-precedence 20
permit any any type ip rule-precedence 30

ip access-list extended WLAN-FILTER-BCMC-ACL
permit udp any any range 67 68 rule-precedence 10
deny udp any range 137 138 any range 137 138 rule-precedence 20
deny udp any eq 17500 any eq 17500 rule-precedence 40
deny ip any host 255.255.255.255 rule-precedence 50
deny ip any 224.0.0.0/4 rule-precedence 60
permit ip any any rule-precedence 70

wlan-acl <wlan idx> WLAN-FILTER-BCMC-ACL in
wlan-acl <wlan idx> ARP-ALLOW-ACL in
wlan-acl <wlan idx> WLAN-FILTER-BCMC-ACL out
wlan-acl <wlan idx> ARP-ALLOW-ACL out

You’ll notice that the firewall needs to be enabled, and you need to verify that Layer 2 stateful packet inspection is disabled.
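To see what the two ACLs above actually do to client traffic, here is an added example (not from the post or from Motorola) that models the rules as a precedence-ordered table and runs constructed sample frames through them. The processing order it assumes (MAC ACL first, then the IP ACL for IP frames only, implicit deny when nothing matches) is an assumption, not something the post states; the point it demonstrates is that the DHCP permit must sit at a lower precedence than the 255.255.255.255 deny, or clients can never get an address.

```python
import ipaddress

def ports(lo, hi=None):
    """Inclusive port range, mirroring the ACL's 'eq' and 'range' keywords."""
    return range(lo, (hi if hi is not None else lo) + 1)

# WLAN-FILTER-BCMC-ACL from the post as (precedence, action, match conditions).
IP_ACL = [
    (10, "permit", {"proto": "udp", "dport": ports(67, 68)}),                              # DHCP
    (20, "deny",   {"proto": "udp", "sport": ports(137, 138), "dport": ports(137, 138)}),  # NetBIOS
    (40, "deny",   {"proto": "udp", "sport": ports(17500), "dport": ports(17500)}),        # Dropbox LAN sync
    (50, "deny",   {"dst": ipaddress.ip_network("255.255.255.255/32")}),                   # limited broadcast
    (60, "deny",   {"dst": ipaddress.ip_network("224.0.0.0/4")}),                          # all multicast
    (70, "permit", {}),                                                                    # everything else
]
# ARP-ALLOW-ACL from the post.
MAC_ACL = [
    (10, "deny",   {"ethertype": "ipv6"}),
    (20, "permit", {"ethertype": "arp"}),
    (30, "permit", {"ethertype": "ip"}),
]

def _matches(frame, cond):
    """True when every condition in the rule holds for the frame."""
    for key, want in cond.items():
        have = frame.get(key)
        if isinstance(want, ipaddress.IPv4Network):
            if have is None or ipaddress.ip_address(have) not in want:
                return False
        elif have is None or (have not in want if isinstance(want, range) else have != want):
            return False
    return True

def evaluate(acl, frame):
    """Try rules in rule-precedence order; return (precedence, action) of the first match."""
    for prec, action, cond in sorted(acl, key=lambda r: r[0]):
        if _matches(frame, cond):
            return prec, action
    return None, "deny"  # no explicit match: assumed implicit deny

def filter_frame(frame):
    """Assumed processing order: MAC ACL first, then the IP ACL for IP frames only."""
    prec, action = evaluate(MAC_ACL, frame)
    if action == "deny" or frame["ethertype"] != "ip":
        return "ARP-ALLOW-ACL", prec, action
    prec, action = evaluate(IP_ACL, frame)
    return "WLAN-FILTER-BCMC-ACL", prec, action

# Constructed sample frames, not captured traffic.
SAMPLES = {
    "dhcp_discover":   {"ethertype": "ip", "proto": "udp", "sport": 68, "dport": 67, "dst": "255.255.255.255"},
    "netbios_query":   {"ethertype": "ip", "proto": "udp", "sport": 137, "dport": 137, "dst": "10.1.255.255"},
    "dropbox_lansync": {"ethertype": "ip", "proto": "udp", "sport": 17500, "dport": 17500, "dst": "255.255.255.255"},
    "mdns":            {"ethertype": "ip", "proto": "udp", "sport": 5353, "dport": 5353, "dst": "224.0.0.251"},
    "http_unicast":    {"ethertype": "ip", "proto": "tcp", "sport": 51000, "dport": 80, "dst": "10.1.1.100"},
    "arp_request":     {"ethertype": "arp"},
    "ipv6_ra":         {"ethertype": "ipv6"},
}
```

Calling `filter_frame(SAMPLES["dhcp_discover"])` returns the permit at precedence 10, while re-running `evaluate` with that rule moved to precedence 55 shows the same frame hitting the broadcast deny at 50.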

If you are utilizing VRRP you may need to enable ARP trust on the interfaces receiving the VRRP packets; if you don’t, you may see errors such as the following:

sw-wireless.store.acme.org*#Sep 12 11:27:00 2013: %DATAPLANE-4-ARPPOISON: ARP CACHE POISONING: Conflicting ethernet header and inner arp header :Ethernet Src Mac: 00-21-62-E3-XX-XX, Ethernet Dst Mac: 00-15-70-82-XX-XX, ARP Src Mac: 00-00-5E-00-01-C8, ARP Dst Mac: 00-15-70-82-XX-XX, ARP Src IP: 10.1.255.1, ARP Target IP: 10.1.255.19

sw-wireless.store.acme.org*#Sep 12 11:27:25 2013: %DATAPLANE-4-ARPPOISON: ARP CACHE POISONING: Conflicting ethernet header and inner arp header :Ethernet Src Mac: 00-21-62-E3-XX-XX, Ethernet Dst Mac: 00-15-70-82-XX-XX, ARP Src Mac: 00-00-5E-00-01-C8, ARP Dst Mac: 00-15-70-82-XX-XX, ARP Src IP: 10.1.255.1, ARP Target IP: 10.1.255.19

sw-wireless.store.acme.org*#Sep 12 11:27:48 2013: %DATAPLANE-4-ARPPOISON: ARP CACHE POISONING: Conflicting ethernet header and inner arp header :Ethernet Src Mac: 00-21-62-E3-XX-XX, Ethernet Dst Mac: 00-15-70-82-XX-XX, ARP Src Mac: 00-00-5E-00-01-C8, ARP Dst Mac: 00-15-70-82-XX-XX, ARP Src IP: 10.1.255.1, ARP Target IP: 10.1.255.19

Just enable ARP trust on the interface connected to the routers/switches running VRRP:

enable
config t

interface ge1
ip arp trust
exit
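As an added example (not from the post or from Motorola), here is a small triage script for these %DATAPLANE-4-ARPPOISON lines. It parses the fields the switch prints and separates the expected VRRP case (RFC 3768 virtual MAC 00-00-5E-00-01-&lt;VRID&gt;, so the C8 in the post’s log means VRID 200 for 10.1.255.1) from an alarm where the gateway address is claimed by some other hardware address, which is worth a look before you simply trust the port. The set of VRRP gateway addresses is an assumption you would fill in from your own network, and the second log line is constructed.

```python
import re

# Field layout of the %DATAPLANE-4-ARPPOISON line as printed in the post.
# Octets the author redacted as XX are accepted so the quoted lines parse.
ARPPOISON_RE = re.compile(
    r"%DATAPLANE-4-ARPPOISON: .*?"
    r"Ethernet Src Mac: (?P<eth_src>[0-9A-Fa-fX-]{17}), "
    r"Ethernet Dst Mac: (?P<eth_dst>[0-9A-Fa-fX-]{17}), "
    r"ARP Src Mac: (?P<arp_src>[0-9A-Fa-fX-]{17}), "
    r"ARP Dst Mac: (?P<arp_dst>[0-9A-Fa-fX-]{17}), "
    r"ARP Src IP: (?P<arp_sip>[\d.]+), ARP Target IP: (?P<arp_tip>[\d.]+)"
)
# RFC 3768: VRRP for IPv4 answers from the virtual MAC 00-00-5E-00-01-<VRID>
# while the Ethernet source is the physical NIC; that mismatch trips the alarm.
VRRP_VMAC_PREFIX = "00-00-5E-00-01-"

def parse_arppoison(line):
    """Return the alarm's fields (MACs upper-cased) or None for any other line."""
    m = ARPPOISON_RE.search(line)
    if not m:
        return None
    return {k: v.upper() if k.endswith(("src", "dst")) else v for k, v in m.groupdict().items()}

def classify(fields, vrrp_gateways):
    """("vrrp", vrid) for the expected mismatch from a gateway IP we operate,
    otherwise ("investigate", None)."""
    arp_src = fields["arp_src"]
    if arp_src.startswith(VRRP_VMAC_PREFIX) and fields["arp_sip"] in vrrp_gateways:
        return "vrrp", int(arp_src[-2:], 16)
    return "investigate", None

def triage(lines, vrrp_gateways):
    """Walk a log excerpt and return (arp_sip, arp_src, label, vrid) per alarm."""
    out = []
    for line in lines:
        fields = parse_arppoison(line)
        if fields:
            label, vrid = classify(fields, vrrp_gateways)
            out.append((fields["arp_sip"], fields["arp_src"], label, vrid))
    return out

SAMPLE_LOG = [
    # Line as shown in the post (MAC octets redacted as XX by the author).
    "sw-wireless.store.acme.org*#Sep 12 11:27:00 2013: %DATAPLANE-4-ARPPOISON: ARP CACHE POISONING: Conflicting ethernet header and inner arp header :Ethernet Src Mac: 00-21-62-E3-XX-XX, Ethernet Dst Mac: 00-15-70-82-XX-XX, ARP Src Mac: 00-00-5E-00-01-C8, ARP Dst Mac: 00-15-70-82-XX-XX, ARP Src IP: 10.1.255.1, ARP Target IP: 10.1.255.19",
    # Constructed line: the gateway IP claimed from a MAC that is not a VRRP virtual MAC.
    "sw-wireless.store.acme.org*#Sep 12 11:30:02 2013: %DATAPLANE-4-ARPPOISON: ARP CACHE POISONING: Conflicting ethernet header and inner arp header :Ethernet Src Mac: 00-21-62-E3-XX-XX, Ethernet Dst Mac: 00-15-70-82-XX-XX, ARP Src Mac: 00-11-22-33-44-55, ARP Dst Mac: 00-15-70-82-XX-XX, ARP Src IP: 10.1.255.1, ARP Target IP: 10.1.255.19",
    # Constructed line with no alarm, to be skipped.
    "sw-wireless.store.acme.org*#Sep 12 11:31:00 2013: (unrelated log line, constructed)",
]
```

`triage(SAMPLE_LOG, {"10.1.255.1"})` labels the first alarm as VRRP VRID 200 and the second as one to investigate.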

Cheers!

It’s the network’s fault #3
https://blog.michaelfmcnamara.com/2012/05/its-the-networks-fault-3/
Mon, 21 May 2012 03:18:39 +0000

I’m still alive and well, just been super busy over the past few months. I’m just about to start deploying our second data center utilizing Cisco Nexus 7010, 5010, and 2248s. This time around we’ll be utilizing a Ciena 5200 DWDM platform (formerly Nortel) managed by AboveNet to provide 4 10Gbps wavelengths between our primary and secondary data center. We’ll use 2 for our SAN and 2 for our MAN over which we’ll probably utilize vPC. On top of that huge project we’re physically relocating our offices (former Data Center) so I also need to plan all that work as well.

Ethernet Routing Switch 8600 Software Release v7.1.3.2

Avaya has released software v7.1.3.2 for the Ethernet Routing Switch 8600/8800.

  • Every 5 seconds, on a timer, the CPU sends the clock time to all the line cards. A timer was created each time a card came online, so when there are multiple IO cards, multiple messages were sent every 5 seconds to all cards. Eventually a lockup resulted, and when it was detected by the CPU, the chassis was reset. (wi00996291)

Please refer to the release notes for all the details.

Motorola RFS7000 WiNG v5.2.21 Software Release

You may also want to review software releases 5.2.3 and 5.2.4 before deciding to check out software release 5.2.21, which was intended to resolve several MESH issues with the AP7131.

RFS Controllers with WiNG v5.2.21 can adopt and provision the following 802.11n and legacy Access Points:

Dependent Access Points:

  • AP621
  • AP650
  • Legacy: AP300

Adaptive/ Independent Access Points:

  • AP6511
  • AP6521
  • AP6532
  • AP7131 (Including the D-mode SKUs)
  • AP7161

You should check over the release notes for all the details.

Cheers!

Motorola Wireless LAN Switch – New Software Releases
https://blog.michaelfmcnamara.com/2012/02/motorola-wireless-lan-switch-new-software-releases/
Wed, 01 Feb 2012 22:16:17 +0000

Motorola has released a software update to their WiNG 4.x and 3.x software platforms for both the RFS7000 and WS5100 Wireless LAN Switches.

  • RFS7000 v4.4.0.0-034R
  • WS5100 v3.3.4.0-002R

I would recommend you review the release notes for v4.4.0.0-034R and v3.3.4.0-002R for all the details.

There were a few points that caught my attention.

  • Polycom Certification for AP-650 & AP-7131N. We have successfully completed internal Motorola testing against the Polycom test plan for SVP certification. Expecting to have formal certification in the near future.
  • The AP650 can take up to 2 minutes to download new firmware the first time it is associated to a switch.
  • Documentation updated – AP650 requests a different DNS alias than AP300.

I searched through the reference guide and found the following regarding the DNS name:

The default DNS name requested by an AP300 is “Symbol-CAPWAP-Address”. Similarly, the default DNS name requested by an AP650 is “WISPE_ADDRESS”. However, since the default name is configurable, it can be set as a factory default to whatever value is needed.

I just recently deployed an RFS7000 installation with approximately 80 AP650s and I can attest that it definitely takes them 2 minutes (I thought it was more like 3-4 minutes) to get going. It appeared to me as though they had to go through an initial upgrade, since they rebooted twice before coming online. I’m waiting for the Polycom VIEW certification for this site since we plan on deploying around 120 Avaya 6140 wireless handsets, although we’ll probably deploy them with WMM as opposed to SVP.

Cheers!

Motorola WS5100 and RFS7000 Software Update
https://blog.michaelfmcnamara.com/2009/02/motorola-ws5100-and-rfs7000-software-update/
Sat, 21 Feb 2009 14:00:27 +0000

Motorola has released software v3.3.1 for the WS5100 and v1.3.1 for the RFS7000 Wireless LAN Switches. You can find the release notes for the 3.3.1 (WS5100) software release here. And you can find the release notes for the 1.3.1 (RFS7000) software release here. We’ve been running v1.3 on the RFS7000 for the past few months now with only a few small problems. We hope to start testing the Smart RF feature set that was released in the 1.3 Wi-NG software base very soon. We’re also eager to start testing the AP7131 802.11n Access Port in a few specific locations.

Here’s a quick excerpt from Motorola on v1.3.1 for the RFS7000:

RFS7000 v1.3.1 has the following feature focus: Voice, Security and Resiliency

Voice: Enhancements provide comprehensive WMM Admission control, enabling not only superior voice quality but also optimizations with respect to network usage for voice.

Security: Enhances the built-in IDS capabilities for Ad-Hoc Network Detection and .11n Rogue detection. Provides built-in IPS capabilities via Rogue AP containment for the wireless network.

Resiliency: SMART RF Management that enables the WLAN to automatically and intelligently adapt to changes in the RF environment to eliminate unforeseen gaps in coverage. This technology provides dynamic network optimization to ensure user quality of experience at all times by automatic adjustments to channel and power (on detection of RF interference or loss of RF coverage/neighbor recovery).

All the above enable the wireless enterprise by making it easy to deploy, securely and with built-in resiliency and support for voice.

For the Adaptive AP:

  • Adaptive AP7131 802.11 a/b/g/n Support (v3.1.1)
  • Rogue AP detection
  • Mesh statistics
  • WLAN statistics
  • Configurable IPS Sensor on the AP5131 (D SKU) in Adaptive mode (ADP-5131 v2.2.1 image)

With the AP300:

  • Dynamic Load balancing of AP300s after a primary reverts in a cluster
  • Email Notification for critical alarms
  • LDAP enhancements
  • Cluster GUI for WLANs and APs visualization
  • Securing Layer 3 AP and Wireless Switch protocol – Secure WiSPe
  • MU Naming

System Enhancements:

  • IPv6 Client Support

Cheers!

Motorola WS5100 and RFS7000 and Wi-NG v1.3
https://blog.michaelfmcnamara.com/2009/01/motorola-ws5100-and-rfs7000-and-wi-ng-v13/
Wed, 07 Jan 2009 02:00:34 +0000

Motorola has released software v3.3 for the WS5100 and v1.3 for the RFS7000 Wireless LAN Switches. This is the v1.3 release of their Wi-NG software for Motorola’s Enterprise-class RF & Wireless Switches.

You can find the release notes for the 3.3 (WS5100) software release here. And you can find the release notes for the 1.3 (RFS7000) software release here.

I hope to provide some feedback in the coming weeks.

Cheers!

Motorola RFS 7000 Wireless LAN Switch
https://blog.michaelfmcnamara.com/2008/10/motorola-rfs-7000-wireless-lan-switch/
Wed, 22 Oct 2008 00:00:35 +0000

We just recently started replacing our legacy Motorola (formerly Symbol) WS5000/WS5100 Wireless LAN Switches with the Motorola RFS 7000 Wireless LAN Switch. I know quite a few organizations have jumped from Motorola over the past few years to Cisco, Aruba, Trapeze and Meru. While Motorola isn’t the easiest company to work with (who is these days), they really understand wireless and they have come through on a number of occasions involving highly technical problems. In short, the product works and works well for our needs and fits in our budget. While Motorola may lack some of the bells and whistles of the other vendors mentioned above, its stability is something we’ve come to enjoy.

The RFS7000 provides 4 10/100/1000 Cu/SFP Ethernet interfaces and can manage up to 256 802.11a/b/g Access Ports. We’ve long struggled managing some of our largest wireless environments where we needed 18 WS5000 switches (each WS5000 would only manage up to 48 802.11a/b/g Access Ports). The old WS5000 also required a one-to-one cold standby for redundancy and high availability. The RFS7000 supports clustering and N+1 redundancy, so we’re going to be using a lot less power and rack space, not to mention all the configuration and cabling.

You can find the technical specifications for the RFS7000 here. And you can find the entire Motorola Wireless LAN portfolio here.

Let me provide a small example configuration. You’ll need to connect to the console interface (19200,8,N,1) and configure the Gigabit Ethernet interfaces. The default username is “admin” while the default password is “superuser”.

RFS7000 release 1.2.0.0-040R
Login as 'cli' to access CLI.
sw-wireless.acme.org login: cli

User Access Verification

Username: admin
Password:
Welcome to CLI
RFS7000>enable
RFS7000#config term
Enter configuration commands, one per line.  End with CNTL/Z.

We’ll be using the interface ‘ge1’ as the Layer 2 (AP VLAN) interface and ‘ge2’ will be our Layer 3 interface. We’ll trunk ge2 and leave ge1 as access. We’ll also use VLANs 29-32 in order to bridge our WLANs to our Nortel Ethernet Routing Switch 8600 core. VLAN 23 will be our Layer 2 AP VLAN where the Access Ports will be connected.

RFS7000(config)#interface ge1
RFS7000(config-if)# switchport access vlan 23
RFS7000(config-if)# exit
RFS7000(config)# interface ge2
RFS7000(config-if)# switchport mode trunk
RFS7000(config-if)# switchport trunk native vlan 200
RFS7000(config-if)# switchport trunk native tagged
RFS7000(config-if)# switchport trunk allowed vlan none
RFS7000(config-if)# switchport trunk allowed vlan add 29-32,200

We’ll shut down VLAN 1 just to be careful; we don’t want any loops.

RFS7000(config)# interface vlan1 no ip address
RFS7000(config)# interface vlan1
RFS7000(config-if)# shutdown

I use VLAN 200 as my management VLAN and place all my network electronics in that VLAN.

RFS7000(config)# interface vlan200
RFS7000(config-if)# management
RFS7000(config-if)# interface vlan200 ip address 10.1.1.40/24
RFS7000(config-if)# exit
RFS7000(config)# ip route 0.0.0.0/0 10.1.1.1

At this point the Motorola RFS7000 should be online and reachable via the network. Let’s configure a single WLAN/ESSID called “PHILLIES” for WPA-TKIP with 802.1x EAP-PEAP authentication to a Microsoft Internet Authentication Server (IAS) so our Windows XP laptop can automatically pass our Windows Active Directory credentials for authentication.

RFS7000(config)#wireless
RFS7000(config-wireless)# manual-wlan-mapping enable
RFS7000(config-wireless)# wlan 1 enable
RFS7000(config-wireless)# wlan 1 description 80211a
RFS7000(config-wireless)# wlan 1 ssid PHILLIES
RFS7000(config-wireless)# wlan 1 vlan 30
RFS7000(config-wireless)# wlan 1 encryption-type tkip
RFS7000(config-wireless)# wlan 1 authentication-type eap
RFS7000(config-wireless)# wlan 1 radius server primary 10.1.1.100
RFS7000(config-wireless)# wlan 1 radius server primary radius-key 0 RaDiUsKeY
RFS7000(config-wireless)# wlan 1 radius server secondary 10.5.1.100
RFS7000(config-wireless)# wlan 1 radius server secondary radius-key 0 RaDiUsKeY
RFS7000(config-wireless)# wlan 1 radius authentication-protocol chap
RFS7000(config-wireless)# exit
RFS7000(config)#

I’m authenticating users against the RADIUS servers at 10.1.1.100 and 10.5.1.100 with the radius key of “RaDiUsKeY” using CHAP as the protocol. Those servers are actually Windows 2003 Domain Controllers running the Internet Authentication Service (IAS).

Since I’m manually mapping the WLANs I need to make sure I map the WLAN to the default 802.11a radio configuration with the following command. I’ll also set the AP to indoor, the channel selection to ACS and the power to 20mW.

RFS7000(config)#wireless
RFS7000(config-wireless)# radio default-11a bss 1 1
RFS7000(config-wireless)# radio default-11a channel-power indoor acs 20

You’ll obviously need to have the RADIUS servers set up, and you’ll also need Microsoft’s Certificate Server in your Active Directory. The clients will use the trusted root certificate to authenticate the login request from the RADIUS server.

I don’t think there are many people that haven’t figured out how to do this (it’s really easy) so I’m not going to really go into the topic. If you have questions please feel free to post a comment and I’ll do my best to respond.

That’s a little taste of the RFS7000, hopefully you’ll find the information useful.

Cheers!

Motorola WS5100 & RFS7000 Dump prompt
https://blog.michaelfmcnamara.com/2008/08/motorola-ws5100-rfs7000-dump/
Thu, 14 Aug 2008 22:00:57 +0000

I recently spent some time trying to figure out why there was an “*” (asterisk) in the CLI prompt on a Motorola RFS7000 that I had in our test lab. Jim (Motorola) explained that the Motorola WS5100 (v3.x) and the RFS7000 (v1.x) will place a “*” (asterisk) at the end of the hostname in the CLI prompt if there is a core dump file or crash log that hasn’t been cleared from memory. You can clear the dump files along with all service logs using the command “service clear all”. Once I issued this command the “*” (asterisk) disappeared from the CLI prompt and all was well again.

RFS7000*>
RFS7000*>enable
RFS7000*#service clear ?
all          Remove all core, dump and panic files
aplogs       Remove all local ap log files (does not clear them off the AP)
clitree      Remove clitree.html (created by the save-cli command)
cores        Remove all core files
dumps        Remove all dump files
panics       Remove all kernel panic files
securitymgr  Securitymgr parameters
RFS7000*#service clear all
RFS7000#

Cheers!
