Cisco Designated VIP George Stefanick is a wireless architect employed by Houston Methodist Hospital System. George manages a large and complex wireless network that includes more than 2500 access points and upward of 11,000 concurrent Wi-Fi clients. George has been in wireless communications since 1997 and holds various vendor and vendor-neutral certifications. He focuses on high-density indoor deployments in the healthcare vertical, drawing on his hands-on experience in site survey, RFID, and voice design. As a consultant, George has worked with Fortune 500 companies, using his real-world hands-on experience to meet the needs and challenges of today's enterprise environments. George is a Cisco Support Community VIP 2012, 2013, and 2014 and Aruba MVP 2014.
Q: Any medical equipment supporting 802.11b?
A: Try to avoid 802.11b devices if you can. The reason is they have much slower modulation. We need to accommodate that and it will slow the network. We can also check the white paper on the same subject, named "The Ripple Effect". If we try to connect our 802.11b client, we need backward compatibility with 802.11g, which sometimes causes a network outage. From the medical devices point of view, it is tested, but try to avoid 802.11b wherever you can.
Q: A NAV attack looks like a great DDoS for wireless. Does the Management Frame Protection feature protect Wi-Fi from this?
A: Indeed. But like most DoS, you can only detect it and block the offender. MFP is only a signature to validate that a given management frame really comes from the station mentioned in the source MAC field. It does not prevent misbehavior by a client. So basically, your best action is to have a good WIDS/WIPS system and to exclude the client that would start a big NAV attack. The best DDoS is anyway to jam the RF channel, which is impossible to prevent.
Q: Is there 00-0F-AC vendor specific OUI? Or is it in the standard?
A: 00-0F-AC is booked by the IEEE, so normally there should not be any device using that range out there.
Q: Is this attack the same as a man-in-the-middle attack?
A: If you refer to the Pineapple answering probe request about people home/office network, yes. The idea is to pretend to be the person's favorite network and then be a man in the middle.
Q: If my device has saved home and work networks and I go to an airport, does it send directed probe requests first and then a null probe to find the wireless network at the airport?
A: Yes, it's like that on most clients. This behavior depends on the supplicant.
Q: Is the multicast/broadcast group CCMP shared key handed out by the AP? If so, by what mechanism?
A: It is actually handed out by the access point. The client joins the access point through the association phase. The key is already on the access point; during the association process it goes into the RSN information or WPA information, and then the key is pushed to the client, and at that time the client installs it. However, it is configurable: on an autonomous access point you can rotate those keys by time or by transmission count, i.e. send a million frames and then change it, and in the new code we will see the GTK key option, from which we can change how often we want to rotate the key.
Q: What does the entire packet capture look like and how much digging through individual packets do you need to do to get to this information? In other words, for these few slides, how many packets did you need to dig through?
A: It depends on what kind of issue we need to troubleshoot. If you have knowledge of what a perfect network looks like and understand how association request and response packets, authentication request and response packets, and sniffers work, it will be helpful in troubleshooting. But we need to perform the basic troubleshooting first, like checking the Prime and client configuration. Check the debugs, check the GUI logs, and if we are still not able to detect the issue, then it is advisable to take sniffer captures. Usually with a few frames we can observe a pattern, and if the pattern doesn't look normal, then focus on what is abnormal.
Q: Does roaming between APs require a re-authentication at the EAP layer each time?
A: There are mechanisms to recalculate the keys during roaming. If all the keys match the actual EAP authentication is skipped. There are different protocols to achieve this, WPA2 does it but you can also enable CCKM for example.
Q: Can you advise any material to read for learning to read 802.11 captures better?
A: The CWAP book from the certificate with the same name is very nice. It's vendor neutral and focused only on the protocol. I was very happy with the last edition of that book.
Q: When you roam between subnets from AP to AP, are you then technically using up two IPs, one from each subnet, since you keep your original IP assigned? When you implement high-availability roaming, is that something that is considered?
A: That is a confusing question to answer. If the wireless is properly configured, the client always keeps the same IP. It does not matter if the new AP is in a new subnet, it will tunnel traffic back to the original controller.
Q: Do we have a resource somewhere for fine-tuning the controller config, all in one place?
A: There's not a straight answer to this question. It depends on what you're looking for exactly. The configuration guide is always the best place to start.
Q: Would it be possible to re-explain the NAV mechanism?
A: In very short, when transmitting a frame, the sender has to say for how long he will keep the medium busy (calculation between frame length and transmission speed). During that time, everyone knows they should stay silent.
Q: So in reference to my last question on inter-controller roaming, the supplicant obviously keeps the original assigned IP. It does not encapsulate the packet in an IP borrowed from the newly connected subnet as well?
A: No. The supplicant has no idea it actually roamed to another subnet. The new AP encapsulates the data in CAPWAP and sends it to its own controller. That controller actually tunnels traffic back to the original controller. But for the client, it's as if its packets were magically teleported to the original WLC it was connected to, with its own unique IP.
Q: As we deploy 2.4 GHz AP radios closer for throughput, could you explain the best tools to determine CCA issues? We are using Cisco 3600s.
A: 2.4 GHz is a legacy protocol. Make sure all your designs are 5 GHz; deploy SSIDs or wireless networks that only support 5 GHz. Don't do 2.4 and 5 GHz and give clients the option to choose which frequency to go to. It is a lot more beneficial as an operation to the whole: more channels to select from, less interference, less port channel contention. If you have 2.4 GHz and you start to add density, you will have a lot of chatter going on.
Q: What was that white paper name, the ripple effect?
Q: If we are using WebAuth for a guest net, does that mean the data payload is unencrypted?
A: Normally, yes. You could always configure WPA as L2 authentication and webauth as L3, but this is not common. Typically, guest networks (with webauth) are unencrypted.
Q: From which packet analysis tool are the slides provided?
A: OmniPeek deep packet inspection.
Q: What do you think about Wireshark for sniffer?
A: It is a good and popular tool and it is free. It can be used with Windows or Linux. It has many features and is easy to use.
Q: Which tools are the screenshots displayed in the slides coming from?
A: Deep packet inspection with OmniPeek and wall packets. AirMagnet for survey, Wi-Fi analyzer from a design perspective.
Q: What tool showed the whole connection flow with bars and macs and such?
A: This is OmniPeek, but there are other means to capture frames; for example, we can use Wireshark with Linux or load BackTrack.
Q: The screenshot shown previously, is that from ISE or Prime?
A: The screenshots shared are from the Cisco wireless LAN controller and the OmniPeek tool.
Q: How are you finding 802.11ac AP deployment different from 802.11n?
A: It is my opinion; from a deployment point of view, 802.11ac is a direct replacement of the 802.11n AP as far as cell coverage is concerned. Also, the higher transmission rate allows us to send more bits; look back at the constellations we talked about, and that's why we see higher transmission powers. But we are still trying to design for lower-power clients, i.e. if the client is using 25 milliwatts, we need to design for 25 milliwatts. However, if the client is close to the access point, then it can pick up power and change the modulation and amplitude so it can send more bits. So for me the deployment is one for one. The biggest challenge with 802.11ac deployment is how to sniff the frames. We need a special adapter, or we need to use an AP at this point in time beyond some spaces. We can't carry an AP in our bag everywhere we need to sniff packets, and this is the challenge we have for the time being.
Q: What different test cases should we run for a pre-production deployment of 802.11ac?
A: We need to understand what the need for 802.11ac is. Most of the chip manufacturers will produce 802.11ac going forward. So whether we need it or not, we will get it, because most of the APs are coming with it, and most of us want to keep our network up to date with the latest devices. In my opinion the site survey hasn't changed a lot even with 802.11ac. In extremely high-density environments 802.11ac will be helpful. You will be getting more stations and more air time to transmit. So in cafeterias and conference rooms, I would do a study before 802.11ac with traffic characteristics and again after the 802.11ac deployment. More and more 802.11ac devices are coming now, e.g. Android phones, new Lenovos, 7260s, etc. So soon we will see all those clients transmitting data quicker.
Q: About how many clients can be accommodated on 802.11ac APs simultaneously using media-rich applications?
A: Everything is common with what we have been doing with 802.11a or n, but the only value that comes to my mind for 802.11ac is that we can trigger the frames faster than we have ever done before, which allows the medium to be free for other devices. So we can have up to 30 phone conversations over a single access point; once we go to 32 or 33, it starts to break. The quality goes down, with a lot of jitter. So these are phone calls on this access point going to other phone calls going on on this same access point, with 7925 phones. So it is very impressive from a phone perspective.
Q: Is 802.11ac phase 2 going to change everything again - should we wait to upgrade?
A: Current hardware will not be capable of doing phase 2. So waiting for upgrade depends on the speed you want to obtain and the urgency of you getting it. Phase 2 is the same protocol, simply with more data rates, more channels, more features.
Current 11ac phase 1 clients/APs will continue to work great in parallel (just like 11n was not allergic to 11g APs/clients).
An 8x8 MIMO AP for phase 2 will most likely be expensive too. 8 dual-band radios will not come cheap.
Q: Wireless attacks on 802.11ac. If I have an N wireless network and someone tries to attack my network from an AC radio, can MSE still detect and mitigate against it? I'm assuming it can, since 802.11ac is basically a bunch of 20 MHz channels?
A: If the AP is only capable of doing 802.11n it would detect interference on the channel, but it wouldn't be able to demodulate the signal.
Q: Do you recommend enabling MFP to protect management frame data and does it cause many incompatibility issues?
A: Yes. The only drawback might be false-positive alerts in case of a bug. But it does not cause incompatibility issues with clients.
Q: This is off topic except that I am from a hospital vertical and struggle with numerous devices. Do you have a procedure or recommended process for device testing? I found your intro really resonated with me and some of my trials and tribulations in Michigan.
A: We need to first partner with security, facilities and biomed management to control the faucet, and once that is done, educate those people; try not to be a roadblock and make them understand why you need to test the device and why it may fail, and why you need the packet capture. They may not understand all the technical words, but try to explain it to them in bits and pieces. Also work with vendors and do testing: whether the association, authentication and roaming from one access point to another access point is working. Check interference; use a jammer to disconnect the device and see if it reconnects automatically or not; if it doesn't, then we know that before we deploy it. So we know that there is interference, and a certain level of interference, which needs to be taken care of before deployment. We have a 40-item checklist with a questionnaire covering all sorts of questions, like what the behavior or result of a certain test was, and we use that internal list and it keeps on growing as we see new devices coming into the network.
Q: What have been your biggest BYOD challenges? If you have intel issues you have to troubleshoot, how do you approach having to troubleshoot android and apple?
A: We use ISE with our own designs, configurations, deployments and troubleshooting, including ISE. We adopted ISE and BYOD very early. The challenges are many when we have Apple devices. They don't necessarily behave right; let me share one example with you. So if you have an SSID you have been using for years and you want to support FT 802.11r roaming, then we just check the box for it; what we found is that we lost some legacy devices, they dropped off, and in that case, to facilitate Apple roaming, we needed to create a new SSID on 5 GHz. So all our business machines moved to the new SSID on 5 GHz with FT enabled, and we test our business machines before we deploy them to make sure they support FT, but again it is a very challenging environment.
Q: What are your experiences with RX-SOP? Can you share some info about real-life use? I'm using it in HDX environments, but I want to hear other opinions about this.
A: In case we have used 1300 or 1400 bridges, we can change the RX-SOP. Now it is important, because for years we have used signal in the form of how loud the cell is. So if you are sending at 100 milliwatts, you will have a cell of a certain size. If you transmit at 50 milliwatts, the cell size will be smaller, but that doesn't necessarily limit what we are hearing. So if we look at the receive sensitivity specs, and Cisco publishes these, you can see how well your access point hears, and access points hear relatively very well. So on a CB radio, if you are on channel 1, it is listening to all the frames that are at or above that receive sensitivity level. Now if I move the receive sensitivity level from negative 85 to negative 80, I am no longer hearing those transmissions, which I may not necessarily want to hear. So we need to use RX-SOP very carefully. If you tune it down, you will see RX-SOP go down, and if you don't have the design, the client will be at the cell edge. The client might be at negative 80 and transmitting; the AP is going to drop it once it hears it, responding that it is not supposed to listen to these packets, and drop them. We need to have a very strong understanding of RX-SOP before we deploy it. Before we tweak the knobs, make sure the design supports it.
Q: Multiple APs on a switch has the potential to overwhelm the switch so does the wireless client back off using upper layer protocols?
A: Yes. It's similar to having Gigabit ports at the access layer and one 10-Gig uplink for possibly 48 1-Gig ports. There is no difference with wireless; it will be the upper protocol buffering the bottleneck.
Q: I saw in my wireless driver settings that CTS-to-self is used by default. How will my client decide when to use RTS/CTS or CTS-to-self?
A: This is an egocentric behavior of the driver. This means that all data sent by that laptop will be very protected and respected by others (since there is a clear CTS booking the medium for the whole length).
But overall, if everyone does that, it does not speed up the overall throughput. A "free-for-all" fight is the best way to have everyone having equal chances. Typically, drivers start doing CTS-to-self when they detect high interference. It really depends on the driver implementation.
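The NAV arithmetic behind the two answers above (the Duration field a sender sets, and what a CTS-to-self books compared with an RTS/CTS exchange), as an added example that is not from the webcast or any Cisco product. It uses 802.11a OFDM timing (SIFS 16 us, 20 us PLCP preamble plus SIGNAL, 4 us symbols), ignores 802.11n/ac aggregation, and ends with a simplified plausibility check of the kind a WIDS could apply to the Duration values it observes; that check is an assumption of this example, not any vendor's rule.

```python
import math

# 802.11a OFDM PHY constants (5 GHz values; 2.4 GHz 802.11g adds a 6 us extension)
SIFS_US = 16
PLCP_US = 20            # 16 us preamble + 4 us SIGNAL field
SYMBOL_US = 4
ACK_BYTES = CTS_BYTES = 14
NAV_MAX_US = 32767      # Duration/ID values above this are not NAV reservations

# Data bits carried per OFDM symbol at each 802.11a/g rate (Mbit/s)
N_DBPS = {6: 24, 9: 36, 12: 48, 18: 72, 24: 96, 36: 144, 48: 192, 54: 216}


def ofdm_txtime_us(length_bytes: int, rate_mbps: int) -> int:
    """Air time of one MPDU: PLCP header plus enough 4 us symbols for
    SERVICE (16 bits) + payload + TAIL (6 bits), rounded up."""
    n_sym = math.ceil((16 + 6 + 8 * length_bytes) / N_DBPS[rate_mbps])
    return PLCP_US + SYMBOL_US * n_sym

def data_duration_us(ack_rate_mbps: int) -> int:
    """Duration field of a data frame: it only books what follows the frame,
    one SIFS plus the ACK the receiver will send."""
    return SIFS_US + ofdm_txtime_us(ACK_BYTES, ack_rate_mbps)

def rts_duration_us(data_bytes: int, data_rate_mbps: int, ctrl_rate_mbps: int) -> int:
    """RTS books CTS + data + ACK plus the three SIFS gaps between them."""
    return (3 * SIFS_US
            + ofdm_txtime_us(CTS_BYTES, ctrl_rate_mbps)
            + ofdm_txtime_us(data_bytes, data_rate_mbps)
            + ofdm_txtime_us(ACK_BYTES, ctrl_rate_mbps))

def cts_duration_us(rts_duration: int, ctrl_rate_mbps: int) -> int:
    """A CTS repeats the RTS booking minus its own SIFS and air time."""
    return rts_duration - SIFS_US - ofdm_txtime_us(CTS_BYTES, ctrl_rate_mbps)

def cts_to_self_duration_us(data_bytes: int, data_rate_mbps: int, ack_rate_mbps: int) -> int:
    """CTS-to-self (the driver setting asked about above) books the pending
    data frame, its ACK and the two SIFS gaps, with no RTS first."""
    return (2 * SIFS_US
            + ofdm_txtime_us(data_bytes, data_rate_mbps)
            + ofdm_txtime_us(ACK_BYTES, ack_rate_mbps))

def nav_is_plausible(observed_duration_us: int, max_mpdu_bytes: int = 2346) -> bool:
    """Simplified WIDS-style sanity check (an assumption, not any product's rule):
    no legacy OFDM exchange should book more than an RTS for the largest
    non-aggregated MPDU at 6 Mbit/s with control frames also at 6 Mbit/s."""
    bound = min(rts_duration_us(max_mpdu_bytes, 6, 6), NAV_MAX_US)
    return 0 <= observed_duration_us <= bound


if __name__ == "__main__":
    # Constructed sample: 1534-byte MPDU at 54 Mbit/s, control frames at 24 Mbit/s
    rts = rts_duration_us(1534, 54, 24)
    print("data frame air time  :", ofdm_txtime_us(1534, 54), "us")
    print("data Duration field  :", data_duration_us(24), "us")
    print("RTS / CTS Duration   :", rts, "/", cts_duration_us(rts, 24), "us")
    print("CTS-to-self Duration :", cts_to_self_duration_us(1534, 54, 24), "us")
    print("Duration 32767 plausible for a legacy exchange?", nav_is_plausible(32767))
```

A station that sets Duration far above anything the frame it sends could justify is the signature a WIDS looks for; the bound here is deliberately loose, since aggregated 802.11n/ac exchanges legitimately book more than a single legacy MPDU.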
Quality of Service (QoS)
Q: Regarding all the QoS, must QoS also be implemented on the wired side?
A: We have QoS on wireless and wired. In wireless, when the device marks the packet with QoS, a smaller contention window is used, which gives that frame a higher probability of travelling over the air compared to a device which doesn't have QoS. Once those packets reach the wired network, like the controller, we can use AVC to mark the packets or put in policy maps. Ideally we should have QoS throughout, upstream and downstream. Packet captures are critical to that, because we actually see whether the client is marking the packets and taking advantage of the smaller contention windows.
Q: QoS Data Null frames confuse me. What is the purpose of those?
A: For QoS data frames, it simply means that the client is negotiating and supporting QoS. So if QoS is implemented and the clients are attached to it, the frames will be marked as QoS data frames. If the client is not capable, then it will send simple data frames without QoS headers.
Q: In the situation without QoS in Jabber applications over the air, will I only have traffic prioritization after the controller with 802.1p? And AVC can help us only with DSCP for many protocols, not with 802.1p, correct?
A: Pretty much correct, yes. If you only have the DSCP tag set, it will only have an effect once the WLC decapsulates the CAPWAP packet coming from the AP that includes the original wireless frame. At that moment in time, if the infra trusts DSCP, QoS will be followed.
The critical section is really the wireless (as Qos frames have much better priority on other frames and will avoid retries and interference more easily) and that does not deliver it at all. Same thing for AVC or SIP snooping. It does not help over the air.
Q: Are the data frames sent by applications like Skype from Windows marked with QoS on wireless?
A: Unfortunately no. Those applications mark DSCP EF, but this has no effect until the packet hits the wired side. Sending QoS over the air requires the application to send commands directly to the wireless driver, and most don't do that.
Q: With AVC configured at the WLC, will I need to trust DSCP and no longer CoS at the switch?
A: No, DSCP/CoS trust has nothing to do with AVC. The QoS profile (platinum) and the 802.1p configuration take care of that. AVC is there to detect a type of traffic and add a tag that was not present, for example.
Q: The applications like Jabber working in the smartphones apply QoS over the air in the wireless frames?
A: Definitely no. I was checking a wireless sniffer trace of Jabber on an iPhone the other day and it doesn't do over-the-air QoS.
Q: Is it possible for George to please share the checklist he just mentioned?
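The check the QoS answers above keep coming back to, whether a client actually marks its frames over the air rather than only setting DSCP inside the IP packet, comes down to reading the QoS Control field of captured data frames. This added example (not from the webcast or any product) decodes that field and the QoS Data / QoS Null subtypes from raw 802.11 MAC headers; the sample frames and MAC addresses are constructed for the demonstration.

```python
import struct

# TID/UP value (low 3 bits of QoS Control) -> 802.11e access category
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}


def parse_data_frame(frame: bytes) -> dict:
    """Decode the MAC header of one 802.11 data frame (no radiotap, no FCS).
    Returns the QoS/Null subtype flags, transmitter address, Duration and,
    for QoS Data / QoS Null subtypes, the user priority and access category."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    subtype = (fc >> 4) & 0xF
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    info = {
        "qos": bool(subtype & 0x8),   # subtypes 8-15 carry a QoS Control field
        "null": bool(subtype & 0x4),  # Null / QoS Null: header only, no payload
        "duration_us": struct.unpack_from("<H", frame, 2)[0],
        "ta": ":".join(f"{b:02x}" for b in frame[10:16]),  # Address 2 = transmitter
    }
    if info["qos"]:
        # QoS Control follows the 24-byte header (30 when Address 4 is present)
        offset = 30 if (to_ds and from_ds) else 24
        up = struct.unpack_from("<H", frame, offset)[0] & 0x7
        info["up"], info["ac"] = up, UP_TO_AC[up]
    return info

def ups_per_transmitter(frames) -> dict:
    """Map each transmitter to the set of UPs it used. A client whose set
    never leaves {0} is not marking anything over the air, whatever DSCP
    its applications set inside the IP packet."""
    seen = {}
    for f in frames:
        d = parse_data_frame(f)
        seen.setdefault(d["ta"], set()).add(d.get("up", 0))
    return seen

def build_frame(subtype: int, ta: bytes, up: int = 0) -> bytes:
    """Constructed ToDS data frame (Duration 44 us) for the sample below."""
    bssid, da = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
    fc = (2 << 2) | (subtype << 4) | (1 << 8)  # type Data, subtype, ToDS=1
    hdr = struct.pack("<HH", fc, 44) + bssid + ta + da + struct.pack("<H", 0x10)
    if subtype & 0x8:
        hdr += struct.pack("<H", up)              # QoS Control: TID = UP
    return hdr


# Constructed sample capture: a phone that marks voice and a laptop that does not
PHONE, LAPTOP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = [build_frame(8, PHONE, up=6),    # QoS Data, UP 6 (voice)
          build_frame(12, PHONE, up=6),   # QoS Null (keep-alive, no payload)
          build_frame(0, LAPTOP)]         # plain Data: no QoS Control at all

if __name__ == "__main__":
    for ta, ups in ups_per_transmitter(SAMPLE).items():
        print(ta, "uses UPs", sorted(ups))
```

Run the same decoder over frames exported from a real capture (after stripping the radiotap header) to see which clients are actually using the smaller contention windows and which are sending plain data frames.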
A: It will be posted on Cisco support community.
Q: Are there any bad experiences regarding the virtual wireless controller in a production environment? We are planning a guest network with one vWLC and ISE.
A: I only use virtual controller in lab environment and never got a chance to use it in production.
Q: So 3700 series won't support phase 2?
A: No, it won't. New hardware will be needed to support the new data rates.