Ask The Experts: Wi-Fi Tips About Aerohive Deployments
Have questions about Wi-Fi? We've got answers. Over the past few months, we've been collecting Wi-Fi tips from experts, and have thrown them together in a series of easy-to-read posts. Some tips are Aerohive-specific, some are about general Wi-Fi, and we've broken them into three posts: Aerohive deployments, pre-deployment (general), and post-deployment (general).
All tips are intended to help you out. "Wi-Fi Tips" is a project in motion, so if you have anything to add, tweet @Aerohive and let us know!
AP Firewall Tip
If you have a firewall policy with a mix of rules for network and application services, put all the network-service rules first if possible. Filtering by network service is faster because it consumes fewer CPU resources, so if a packet matches a rule with a network service, the firewall permits or denies it and does not need to filter by application service.
Role-Based Access Control
With role-based access control in HiveManager NG, users can be assigned different levels of network access. There are administrator roles for operators, monitors, and guest managers, and each role provides access with a different set of permissions.
AVC On Older APs
AP110, AP120, and AP170 devices running HiveOS 6.x software support IP firewall policy rules with application services. Which services a device supports is based on the version of the application signature file uploaded to it.
AP CPU Power
With most firewall vendors, rules with higher hit counts are typically promoted higher in the policy so that common packet patterns are matched sooner, reducing CPU cycles. Aerohive APs currently have no such feature, though.
Aerohive IP firewalls are stateful: an AP applies the firewall policy only to a packet that does not already belong to an existing IP session, and then creates a session for it. It forwards subsequent packets in that session directly, which also reduces CPU cycles. You can also manually position rules that apply to more common traffic types higher in a policy (when possible) so that the firewall does not have to check rules for less common types before finding a match.
Recommended Number of Firewall Rules
Ideally, you want to keep firewall rules to as few as possible, because the more packet filtering there is, the greater the impact on throughput. However, APs still function well even when applying the maximum of 64 rules per policy. (Note that positioning rules for common traffic types higher in a policy helps accelerate packet processing and thereby improves throughput.)
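How the stateful, first-match evaluation described above interacts with rule ordering, as an added example (not Aerohive code): the model caches each session's decision so later packets skip the rule walk, charges an assumed relative cost of 4 to an application-service comparison versus 1 for a network-service one, and includes a check that a reordering is adopted only when it decides every sample packet the same way. Rule names, services and packets are constructed for the example.

```python
import copy
from collections import namedtuple
from dataclasses import dataclass
MAX_RULES_PER_POLICY = 64  # per-policy limit quoted in the tips
APP_CHECK_COST = 4         # assumed relative cost of one DPI comparison vs one port compare
Packet = namedtuple("Packet", "src dst proto sport dport app")  # 5-tuple + app from inspection

@dataclass
class Rule:
    name: str
    action: str      # "permit" or "deny"
    kind: str        # "network" (proto/port compare, cheap) or "application" (DPI, costly)
    proto: str = ""
    dport: int = 0
    app: str = ""
    hits: int = 0    # how often this rule was the first match; high counts deserve promotion

class StatefulFirewall:
    def __init__(self, rules, default_action="deny"):
        if len(rules) > MAX_RULES_PER_POLICY:
            raise ValueError("policy exceeds the 64-rule limit")
        self.rules, self.default_action = list(rules), default_action
        self.sessions, self.cpu_cost = {}, 0  # 5-tuple -> first-packet action; rule-check cost

    def _matches(self, rule, pkt):
        if rule.kind == "network":          # port compare: cheap
            self.cpu_cost += 1
            return rule.proto == pkt.proto and rule.dport == pkt.dport
        self.cpu_cost += APP_CHECK_COST     # application match needs payload inspection
        return rule.app == pkt.app

    def process(self, pkt):
        key = pkt[:5]
        if key in self.sessions:  # existing session: forward without walking the rules again
            return self.sessions[key]
        action = self.default_action
        for rule in self.rules:   # first match wins, so position matters
            if self._matches(rule, pkt):
                rule.hits += 1
                action = rule.action
                break
        self.sessions[key] = action
        return action

def network_first(rules):  # network-service rules first, each group keeping its own order
    return [r for r in rules if r.kind == "network"] + [r for r in rules if r.kind != "network"]

def same_decisions(rules_a, rules_b, packets):  # reorder only "if possible": verify on traffic
    fw_a, fw_b = StatefulFirewall(copy.deepcopy(rules_a)), StatefulFirewall(copy.deepcopy(rules_b))
    return all(fw_a.process(p) == fw_b.process(p) for p in packets)
```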
Bonjour Gateway Tips
Bonjour gateway allows you to put all your infrastructure devices in one VLAN/subnet and make advertised Bonjour services like AirPrint and AirPlay available to users in other VLANs/subnets.
To limit the number of BDDs (Bonjour Gateway Designated Devices) with which a BDD shares Bonjour service advertisements, create multiple management VLANs and set the maximum number of wireless hops to 1.
For this tip to work, the APs must be in separate management VLANs, because hive members in the same management VLAN elect a single BDD: if they are all in the same management VLAN, there will be just one BDD for the entire hive. On the other hand, if each hive member is in a separate management VLAN, each one will be a BDD.
Another option is to have several management VLANs in your hive and manually set an AP on the outer edge of each one to be the BDD. If that BDD is out of radio range of any neighboring BDDs in other management VLANs, and the maximum wireless hop length is set to 1, it will be unable to share services with them. As a result, a BDD will share Bonjour services only with the APs in its own management VLAN.
The Max Wireless Hop setting is in the Bonjour Gateway filter rules (Configuration > Advanced Configuration > Common Objects > Bonjour Gateway Settings > bonjour_gateway_profile_name).
Why would one use this? Restricting the BDDs with which a Bonjour Gateway shares services shortens the list of services that users see. For example, if a high school has a lot of Apple TVs, the list of Apple TVs that users see when mirroring their iPads can become very long, when all they really need to see are the Apple TVs in their immediate area.
Band Steering Tip
Most client devices do not have a preferred-band selection capability, and steering them to 5 GHz can improve client and overall system performance. Use band steering to 'urge' devices onto the 5 GHz band. This reduces traffic in the lower-performing 2.4 GHz space and solves some problems where devices drop their connection. To set this, open your 2.4 GHz radio profile form and visit the 'optimizing management traffic settings' section.
Full Configuration Push
Delta configuration upload should be the default, as it does not require a reboot. Some major configuration changes benefit from a full configuration upload. Keep in mind that a full upload requires a reboot and should be done outside business hours.