Configuring Microsoft NPS for Aerohive 802.1X Authentication

This post is a starting point for anyone who wants to use 802.1X authentication with Aerohive APs and Microsoft NPS. I will provide configuration screen shots for both of Aerohive’s management platforms and for NPS running on Microsoft Windows 2008 Server. It is not intended to be an exhaustive guide, but should be a decent starting point. Every implementation will be different in some respect, and some of these steps may not be the exact manner in which you configure Microsoft NPS. The steps for Aerohive may also be different depending on what you are trying to accomplish. I’ll make sure to note my particular scenario when appropriate.

Versions Used:

HiveManager Classic/HM6/HMOL – 6.8r7a

HiveManager NG – 11.19.99.0 (March 2017)

Microsoft Windows 2008 Server

Assumptions:

  1. Basic understanding of navigation within the HiveManager Classic and/or NG interface.
  2. No RADIUS objects or user profiles for 802.1X authentication have been configured within HiveManager Classic or NG. If you have already configured some of them, just skip the steps that cover the creation of those objects.
  3. Microsoft NPS is installed and a server certificate for the NPS machine has been issued and installed.

Scenario

Company XYZ wants to authenticate Active Directory users on a single 802.1X enabled SSID. They want to be able to treat corporate users and contractors with different security policies, QoS, time of day restrictions, etc. This will involve placing the two different types of users in separate user profiles to control access and end user experience. If a corporate user connects, that user will be placed into VLAN 202 after membership in the corporate users group in Active Directory has been verified. If a contractor user connects, that user will be placed into VLAN 203 after membership in the contractor user group in Active Directory has been verified.

Note: To skip down to the HiveManger NG configuration section, click here.

HiveManager Classic Configuration

  1. From within the Network Policy Guided Configuration, the first step is to add an 802.1X SSID. If you have not already created one, click on “Choose” and then click on “New”:

2. Another screen will open up to configure this new SSID. Name it whatever you want and select which bands it will be broadcast on. Next, ensure the “WPA/WPA2 802.1X (Enterprise)” button is selected and then click on “Save”.

3. You will be returned to the main configuration screen for the network policy and it will look something like this:

4. Now that the SSID is shown, you will need to select the RADIUS server to use. This will be the “AAA Client Settings” object that is found under the Configuration/Advanced Configuration/Authentication section within HiveManager. Since no RADIUS server is defined, you need to click on the “<RADIUS Settings>” segment and choose “New”.

5. Type in the name of this RADIUS object and give it a description if you want. You will need to create an IP address or domain name object and assign it to the “IP Address/Domain Name” field. I tend to favor using IP addresses over host names, but do whatever you prefer. You will also need to enter a shared secret that will need to match what is configured on the NPS side.

6. Click on “Apply” and it should look like this:

7. Click “Save” and it will return you the main configuration screen for the network policy. It probably looks like this:

8. Since we want to place corporate users in VLAN 202 and contractor users in VLAN 203, we need to add some user profiles for each of those VLANs and ensure the RADIUS attributes configured in NPS match the correct user profile. We’ll need to select a default user profile, and then select the user profiles for our corporate and contractor users. The default profile isn’t going to be used, but I created a restricted profile that has no access and goes into a dummy VLAN. Click on “Add/Remove” under the “User Profile” section. Next, choose your default user profile and then select the “Authentication” tab on the left and select the user profiles you want to assign authenticated users into. If those profiles do not exist, you can create them by clicking on the “New” button. I like to match the attribute value to the VLAN in user profiles. If you don’t do this, just make sure you use the attribute value in the NPS configuration and not the VLAN id. There is a way to use the actual VLAN id instead of the attribute value, but it involves using a different RADIUS attribute. In NG, this issue does not exist from a configuration perspective. Once the profiles have been selected, click on “Save” and you should see something like this:

9. Basic 802.1X setup is now complete for HiveManager Classic. Push the configuration changes to the appropriate APs. Next, we will need to configure Microsoft NPS. Click here to move to that section.

HiveManager NG Configuration

NG has an option that HiveManager Classic does not. You can step through the entire process of configuring an external RADIUS server by using the “Guided Configuration” method. On the far right side of every screen within the NG interface, there is a button that looks like this:

When you click on it, another screen appears with a list of all the guided configuration tasks available, and one of them is to create an external RADIUS server.

Here is how you do it without the guided configuration:

  1. Within the “Network Policy” configuration, after you have named the policy and selected whether it will be wireless, wired, or both, click “Next”. At the “Wireless Settings” tab, click the “Add” button and choose “All other SSIDs (standard)”.

2. Select “Enterprise” for authentication type after naming the SSID.

3. Next, you will need to define the RADIUS server, but before that, you will need to define a RADIUS server group. Click on the plus sign next to “Default RADIUS Server Group”. Name the group and then select “Add” and “External RADIUS Server”.

4. Give the RADIUS server a name and description(optional) and then click the plus sign next to the “IP Address/Host Name” field.

5. Give the object a name and type in the IP address of the RADIUS server. Click “Save”.

6. With the RADIUS server IP defined, the last thing you need to do is type in the shared secret that will match what we will configure shortly in NPS. Once that is entered, click “Save”.

7. Now that the RADIUS server is configured, you should see a screen similar to this one:

8. Click on “Save” and it should take you back to the main SSID configuration screen.

9. Scroll down the screen a bit and you will see the “User Access Settings” section, which is where you will add various user profiles that will get applied based on RADIUS attributes that are returned. You will need to check the box that says: “Apply a different user profile to various clients and user groups.” This will allow you to put a user into the correct profile based on what is returned by the RADIUS server.

10. I already had a user profile with no real access defined, so I chose that as the default. I still need to create a user profile for the corporate and contractor users, and that is done by simply clicking the “Add” button and setting a profile name and VLAN. If the VLAN each user profile will be assigned to does not exist, you will need to create the VLAN object by clicking on the plus sign next to the “Connect to VLAN” field. Here are the profiles for the corporate user and the contractor user. There are plenty of things you can set within the user profile, but those specific items will not be covered in this post.

11. Once those profiles have been created, the screen should display something like this:

12. The next step is to add assignment rules so that the RADIUS attributes are used to put the user into the appropriate user profile. Click the plus sign under “Assignment Rules” for the first user profile(CorporateUsers in my case), and then click the plus sign on the following screen that will look like this:

13. Select “RADIUS Attribute” and then put the VLAN number in the “Attribute Values” section.

14. Click “OK” and then do the same for any other user profiles you want to match up with the RADIUS response. It should look similar to this when you are done:

15. Click “Save”. Basic 802.1X setup is now complete for HiveManager NG. Push the configuration changes to the appropriate APs by stepping through the other screens in the network policy or via the Monitor tab. Next, we will need to configure Microsoft NPS. Click here to move to that section.

Microsoft NPS Configuration

  1. Open up the NPS console and expand the “RADIUS Clients and Servers” folder.

2. Right click on “RADIUS Clients” and select “New”. The following window should appear:

3. Fill in the fields as shown below with a “Friendly name” and the IP address(es) of the AP(s) that will be functioning as the authenticator for wireless clients. You can use an entire range as shown below, or you can use individual IP addresses and create multiple “RADIUS Client” objects. Make sure the shared secret matches what was configured in HiveManager. Once that is done, click on “OK”.

4. Now it should look something like this:

5. Next, expand the “Policies” section on the far left side, right click on “Connection Request Policies” and select “New”. We don’t need to get too specific in this section. We just want to ensure that our 802.1X authentication requests get processed locally.

6. Name the policy whatever you want and click “Next”.

7. The next screen is where you will need to specify a condition. Click “Add”.

8. When the next screen appears, you have several options to choose from. I just selected “NAS Port Type”, but you can choose whatever method you want. More complex environments might go a different route than this. Select the method you want to use and click “Add”.

9. For the method I chose(NAS Port Type), I just selected “Wireless – IEEE 802.11”. Make your choice and click “OK”.

 

10. You should see your condition in the “Specify Conditions” screen. Click “Next”.

11. Click “Next” at this screen. Just accept the defaults.

12. Click “Next” at this screen as well. The defaults are fine. We’ll handle the EAP type in the next section dealing with network policy. However, note that you can override the network policy settings and choose a different EAP type if you were fairly granular in terms of how you setup this connection request policy.

13. Click “Next” at this screen as well. The defaults are fine, but again, you can use this to get far more granular in how you respond to authentication requests.

14. At this final screen, just click “Finish”.

Now you should see your Connection Request Policy that was just created.

The last portion of the NPS configuration is the creation of the network policy. For this example, I will be creating two of them. One for the corporate users and one for the contractor users. Your environment may be completely different. For example, in educational organizations, I normally see this broken up into students and staff/faculty.

15. Select the “Network Policies” folder on the far left side of the screen. You should see a screen similar to this:

16. Right click on the “Network Policies” folder and select “New”. When the new window opens up, give the policy a name and click “Next”. Remember that you will be making multiple policies, so the name should reflect the group of users it will apply to, unless you are just using one user profile on the Aerohive side.

17. The next screen is going to be the “Specify Conditions” screen. This is where we will define which Active Directory group a user needs to be a member of for this policy to apply. Click the “Add” button.

18. In the “Select condition” window, choose “User Groups” and click “Add”.

19. When the “User Groups” window appears, click “Add Groups”.

20. Type in the name of the group you need to authenticate the given group. In my example, I typed in “corporate” and hit the “Check Names” button. It automatically chose the “CorporateUsers” group I had created on a previous occasion. Once the proper group is displayed, click “OK”.

21. It will take you back to the “User Groups” window, but the correct group should be shown. Click “OK”.

22. Now you should be looking at the “Specify Conditions” portion of the “New Network Policy” configuration with your Active Directory group shown. Click “Next”.

23. When the “Specify Access Permission” window appears, you can take the default “Access granted” and click “Next”. Note that you can permit or deny access, so with a wide range of Active Directory groups, you could allow a larger group of users with one network policy, but deny a smaller subset using a different group and network policy and placing the deny entry above the permit entry.

Here is where it might get a little confusing if you are unfamiliar with EAP types. If you don’t know much about EAP, here is a starting point. Basically, with NPS, you are going to configure PEAP using MSCHAP v2 or use the EAP-TLS method which involves client side certificates. This example is going to use the easier PEAP with MSCHAP v2 method. Other than generating client side certificates, there is not much difference in configuring NPS to work with EAP-TLS from the method I will illustrate below.

The following window should appear:

24. Click the “Add” button and select “Microsoft: Protected EAP (PEAP)” as the EAP type to use. Click “OK”. The screen should look like this:

25. Select “Microsoft: Protected EAP (PEAP)” in the “EAP Types” window and click on “Edit”. Ensure that the only entry in the “Eap Types” window is “Secured password (EAP-MSCHAP v2). You may have to click the “Add” button and select it. You may also have to select other entries and click “Remove” to get down to the single option. You should also see the certificate with your NPS server name selected in the “Certificate issued” field at the top of the window. If there is not one, you will need to generate one and start the “Network Policy” configuration over from the start. Click on “OK”.

26. When the “Configure Authentication Methods” window appears, uncheck everything in the “Less secure authentication methods:” section at the bottom of the window and then click “Next”.

27. At the next screen titled “Configure Constraints”, you can keep the defaults and click on “Next”. If you want to get more granular with how the client sessions are treated, there are some options here to do that.

28. The “Configure Settings” window will appear next. This is where we are going to finally define which user profile to put the corporate(in this example) users into. Two attributes should already be present for “Framed-Protocol” and “Service-Type”. You can delete both of these attributes by selecting them and clicking on “Remove”. They won’t be needed.

29. Now we are going to add the three attributes needed. Ensure “Standard” is selected under “RADIUS Attributes” and click the “Add” button. Select “802.1x” for the “Access type” and select “Tunnel-Medium-Type” under the “Attributes” section and click “Add”.

30. When the “Attribute Information” window appears, click “Add”.

31. Select “Others” and then select “IP (IP version 4)” and click on “OK”.

32. Click “OK” when the following “Attribute Information” screen appears:

33. You should see the “Add Standard RADIUS Attribute screen now. Select “802.1x” for the “Access type” if it is not already selected and select “Tunnel-Pvt-Group-ID” under the “Attributes” section and click “Add”.

34. Click “Add” when the following window appears:

35. Since this policy is for the corporate users, we are going to enter “202” for the attribute value as a string. Type in the value and click on “OK”.

36. Now your screen should display the “RADIUS Standard” attribute with a value of “202”. Click “OK”.

37. You should see the “Add Standard RADIUS Attribute screen once again. Select “802.1x” for the “Access type” if it is not already selected and select “Tunnel-Type” under the “Attributes” section and click “Add”. When the following screen appears, click “Add”:

38. Select “Generic Route Encapsulation” under the “Commonly used for Dial-Up or VPN” section and click “OK”.

39. When the following screen appears, click “OK”:

40. You should be looking at the “Configure Settings” screen with the three RADIUS attributes you configured. Click “Next”.

41. At the “Completing New Network Policy” screen, click “Finish”. You should now be taken back to the “Network Policies” screen in the main NPS window. The “Corporate Users” policy is at the bottom of the list. We want to move it to the top, so right click on the “Corporate Users” policy and select “Move Up”. Repeat until it is in the first position.

42. Next, we need to create our policy for the contractor users, but we will use a shortcut to save time. Right click on the “Corporate Users” policy and select “Duplicate Policy”.

43. When the “Copy of Corporate Users” policy appears, right click on it and select “Properties”.

44. Change the name of the policy to whatever you want it to say. For this example, I will change it to “Contractor Users”. Then, click on the “Conditions” tab at the top.

45. Select the “User Groups” condition and click on “Edit”.

46. Change the user group to whatever it should be. In this example, the group is changed to “ContractorUsers”. Once the proper group is displayed, click on the “Settings” tab.

47. On the “Settings” tab, select the “Tunnel-Pvt-Group-ID” in the “Attributes” section and click on “Edit”.

48. Edit the attribute by selecting it and clicking on “Edit”. Change it to whatever value is needed. In this example, it is changing from a value of “202” to “203”. Click on “OK” when the updated value is displayed.

49. Once that is done, you should be returned to the “Settings” screen. If everything looks right, click on “OK”.

50. You will be returned to the “Network Policies” screen in the main NPS window. Reorder the cloned policy and put it in the second position. It should look like this:

 

That’s all there is to it. You should be able to connect to the SSID and authenticate with Active Directory credentials. If you get a request to trust the certificate after typing in your username and password, don’t be too alarmed. Unless your certificate was issued by a certificate authority that your device trusts, that is going to happen. However, once you trust the certificate, that warning will go away. For example, here is what is displayed on my iPhone after successfully authenticating with a username and password for the first time:

One final note with regards to troubleshooting. If you run into authentication issues, make sure to look at what is being reported in the NPS log. You can find it under the “Custom Views/Server Roles” within Event Viewer.

If you see any sort of access denied message, it is most likely an NPS configuration issue. If you don’t see any entry after authenticating(good or bad), it is probably an Aerohive configuration issue. Additionally, if you do see access granted issues, but the client still will not connect, make sure to check for MAC filtering or other firewall policies on the Aerohive side. They tend to show up as  “incorrect username or password” errors on the device, even though that was not the problem. Ask me how I know. 🙂

Conclusion

Hopefully this will help with configuration of Aerohive APs and NPS. I need to reiterate that I am not an expert when it comes to Microsoft NPS. If you run into problems, feel free to leave a comment or ping me on Twitter(@matthewnorwood). I’ll try to help out if at all possible.

Posted in aerohive, security, wireless | Tagged , , | Leave a comment

Aerohive’s Private Pre-Shared Key Technology

ppsk-aerohiveA fairly common question I get asked when talking to people about Aerohive Networks is “what makes us different?” In other words, why should they choose Aerohive to replace their existing wireless vendor? It is a fair question. After all, plenty of vendors sell APs that can serve the most basic wireless needs. All of the vendors I compete with do a lot of the same things when it comes to general wireless.

One of the things I like to talk to potential customers about is Aerohive’s Private Pre-Shared Key(PPSK) technology. For some organizations, PPSK is not something they are interested in. Maybe they already have a pretty solid 802.1X implementation and don’t have a need for WPA2 Personal(pre-shared key) security on their wireless network. That’s perfectly fine in my book. I have other things I can always talk about with regard to an Aerohive solution. For quite a few organizations though, they see the advantage of PPSK over standard pre-shared key implementations and jump right in to using it. I wanted to briefly discuss what PPSK is and how it can be utilized with an Aerohive solution. No configuration screenshots or long demonstration videos. Just a basic overview.

Some Potential Issues With Standard PSK(WPA2 Personal)

1. The key is the same for all devices connecting to the SSID/WLAN. This means that if the key is compromised, anyone can connect to the wireless network. There are some additional things one could employ like MAC filtering(which isn’t very hard to defeat), but the one thing you will have a hard time doing is preventing someone from eavesdropping on a session, capturing the 4 way handshake, and then decrypting the traffic for that session. See the following:

psk-noppsk

2. If you fire someone, or have to change the key for any other reason, you have to change the key on all the devices that connect to that SSID/WLAN.

3. Identity is hard to determine since every device is using the same key. You could keep a running list of MAC addresses and use that to determine who a given device belongs to, but that creates an administrative burden and MAC spoofing is relatively easy to do.

Why Not Use 802.1X?

Without getting too far down into the weeds, 802.1X(WPA2 Enterprise) is more secure than pre-shared key(WPA2 Personal). The issue of key compromise is taken care of through the use of dynamic encryption keys for almost every EAP type that would be used in the authentication process and these keys are unknown to the user of the wireless client authenticating with 802.1X. Additionally, identity is going to be very easy to determine when devices authenticate with 802.1X.

The logical thought would be that every device should authenticate with 802.1X and not use the WPA2 Personal method. However, this doesn’t always occur for a number of reasons.

1. 802.1X is not the easiest thing to implement. If you are a seasoned wireless or security professional, you might disagree with that, but the IT world is not always overflowing with people that know how to setup authentication back ends using RADIUS, certificates, directory services, etc.

2. Not all devices support 802.1X. While it is getting harder to find laptops, tablets, and smart phones that don’t support 802.1X, there are literally millions(probably billions by now) of devices that don’t have 802.1X capabilities. The Internet of Things comes to mind. I have quite a few of these “dumb” devices in my home that only support WPA2 Personal and “no authentication” for their connection method.

PPSK To The Rescue!

Aerohive’s Private Pre-Shared Key technology bridges the gap between the standard PSK implementation and 802.1X.

1. You still use pre-shared keys to access the network, but under a single SSID/WLAN, you can have a bunch of different keys. Each device, or group of devices can have their own unique key. Whether you need ten keys, a thousand keys, or more; they can all exist under a single SSID/WLAN. See the following:

psk-ppsk
2. If someone gets fired or their key gets compromised, you can simply invalidate that key and not have to change the key on all devices using the same SSID/WLAN since they are using a different key. Of course, when it comes to key compromise, you would have to know that it was compromised. There are some additional things you can do on the Aerohive side to limit the damage of a key that is compromised without you knowing about it, but I will tackle that in another post.

3. Identity is tied to the key being used, so you WILL know who is connecting to the network based on the uniqueness of their key in the same way that certificates and usernames and passwords are used to determine identity with 802.1X. It just requires less complexity than an 802.1X setup.

Closing Thoughts

Like I said from the start of this post, PPSK is not something that every organization uses. For those with solid 802.1X implementations, they generally prefer to use that over PPSK. Other organizations have actually moved off of 802.1X and rolled out PPSK across their entire network. If nothing else, PPSK is another tool that Aerohive provides as something to differentiate themselves from other wireless vendors. The standard advice we give organizations is that with Aerohive, you can have your 802.1X SSID, your open guest network(if you so desire), and a catch-all PPSK SSID for anything that would connect with a pre-shared key.

In full disclosure, Ruckus Wireless has similar technology they call Dynamic PSK. I don’t have any deep insight into how Ruckus Wireless’ DPSK solution compares to Aerohive. I can only tell you how Aerohive functions, and in my next post, I am going to talk about what you can do once you determine that device identity from PPSK, or even 802.1X for that matter. In short, based on identity, you can assign different firewall policies, QoS settings, and other things, but I will leave that for the next post. While I do tend to talk about PPSK a lot in pre-sales discussions, it really just sets the stage for what can be done after the authentication happens. That’s where it really gets interesting!

Posted in aerohive, security, wireless | Tagged , , | 2 Comments

Does Aerohive Scale?

AerohiveLogo

Note: If you are a TL/DR type of person, let me give you the short answer to the title of the post: Yes! 🙂

For everyone else, I will try my hardest to keep this as short as possible. I will include as many pictures and CLI screens as I think are needed to help answer the scalability question, and no more. While I entertained the idea of making two separate posts regarding scalability, I felt it best to keep it to a single post since AP(Access Point) to AP communication and layer 3 roaming are best explained together. My wife and friends will tell you that I can be long-winded. I apologize in advance.

Let me just start by saying that I work for Aerohive Networks. I have been an employee of Aerohive for about 3 months. In that time, I have learned a tremendous amount about the overall Aerohive solution and architecture. Prior to working for Aerohive, I worked for a reseller that sold for Cisco(to include Meraki), Aruba, and Aerohive. I wasn’t unaware of Aerohive, but let’s be honest for a minute. Aerohive doesn’t have a lot of information out there around how their various protocols work. This isn’t unique to Aerohive, as plenty of vendors withhold deep technical information. It isn’t necessarily done on purpose. It just takes a lot of time and effort to get that information out there in a digestible format for customers and partners. The smaller the company, the harder that is to do. Lastly, there are plenty of people within IT that don’t really care how it works, just as long as it works.

My goal with this post is simple. I will attempt to expound on Aerohive’s scalability. This topic comes up in pre-sales discussions from time to time. I have not been an Aerohive employee long enough to have it come up more than a handful of times. I can tell you that in my former position at a reseller for multiple wireless vendors(Aerohive, Aruba, Cisco, Meraki), this topic DID come up with customers and internally among the folks within the reseller that I worked for. I suspect that in the months and years to come with me working in a pre-sales capacity at Aerohive, it will come up even more.

I’ll try to address the two biggest scalability issues. They are:

  1. AP to AP communications, to include associated client information
  2. Layer 3 roaming

Before I dive into that, a bit of initial work is needed for those unfamiliar with Aerohive and the concept of Cooperative Control. Through a set of proprietary protocols, APs talk to each other and exchange a variety of information about their current environment or settings, to include client information. For a basic overview of Cooperative Control and the protocols used within it, you can read this whitepaper on Aerohive’s website.

Got it? Good. Let’s tackle the first scalability “issue”.

AP to AP Communications

Imagine you have a building with multiple floors and about a thousand APs. You know that there are other wireless vendors with controller based systems that can support this amount of APs. You wonder how Aerohive would do the same thing with no central controller managing the RF environment and the associated clients. How can 1,000 APs manage to keep up with each other? Certainly, the controller that can handle 1,000 APs has sufficient processing power and memory to perform this task. No AP on the market would have similar processing power in a single AP. So how does Aerohive do it?

A few quick points:

  1. It is very likely that these 1,000 APs are not on the same local subnet from a management IP perspective. Maybe you divided up the APs in 2, 3 or 4 subnets for management purposes with the intent of keeping the BUM(broadcast, unknown unicast, and multicast) traffic down to a reasonable level.
  2. All 1,000 APs are not going to be within hearing distance(from an RF perspective) of each other. This is an important point to remember, so hang on to that one in the back of your mind.

The basis of AP to AP communications revolves around the Aerohive Mobility Routing Protocol, or AMRP. To take the definition from the whitepaper I linked to above:

AMRP (Aerohive Mobility Routing Protocol) – Provides HiveAPs with the ability to perform automatic neighbor discovery, MAC-layer best-path forwarding through a wireless mesh, dynamic and stateful rerouting of traffic in the event of a failure, and predictive identity information and key distribution to neighboring HiveAPs. This provides clients with fast/secure roaming capabilities between HiveAPs while maintaining their authentication state, encryption keys, firewall sessions, and QoS enforcement settings.

 Since I don’t have 1,000 APs and associated PoE switches to build out my hypothetical multi-floor building, I am going to shrink it down to 2 switches and 7 APs. 5 of the APs will be on one switch and all APs on that switch will share the same management subnet and client VLANs. The other 2 APs will be on another switch and will use the same VLAN number for wireless client access, but that VLAN will have a different IP subnet than the switch with the 5 APs on it as well as a different AP management VLAN and IP subnet. The switches will also be separated with a layer 3 boundary. My lab environment looks like this:

AerohiveLabSetup  The switches and APs will boot up and start talking to each other. I’ll deal with automatic channel and transmit power selection in another post. AMRP will ensure that all APs are talking to each other. Since I am dealing with 7 APs in relatively close proximity to each other, they will all hear each other at pretty good signal strength. I’ll drill down more into that RF range aspect shortly.

Let me connect to one of the 5 APs on switch 1. I can do this from either HiveManager, or by simply using SSH to connect to the AP locally. Alternatively, I could also use the local console port on the AP to grab this information. I am going to take a look at the neighboring APs from an AMRP perspective.

Show AMRP Neighbor

As you can see, this AP can see 4 neighboring APs. It doesn’t show the other 2 that reside on switch 2. The reason for this is due to the fact that those APs are on a different subnet from a management perspective. Even if it can hear the other APs over the air, they still don’t show up in the AMRP neighbor list. We’ll get to that when we cover layer 3 roaming.

If I connect a client to the SSID(GoFast2) these APs are all advertising, I can now see that client in the “show amrp client” CLI output. It appears on all APs within the same local subnet. In the first image, I am connected to an AP on the same local subnet, but not the one the client is directly associated to. Show AMRP Client - Foreign AP

In this second image, I am connected to the AP the client is directly associated to. You can see the output is different as it shows the interface the client is connected to and not the IP address of the AP like in the previous CLI output.

Show AMRP Client - Local AP

Just to clear up any misunderstanding, AMRP is NOT building tunnels between each AP for communications purposes. It is handled in a secure way, but it is not done via a tunnel. All connected client information will be shared among the APs on the same local management subnet via AMRP. That brings me to an important issue regarding scalability.

In order to increase scalability, Aerohive gives you the ability to ONLY share client information between APs that are within RF range of each other. By default, all APs on the same management subnet will share client information with each other. While this is perfectly fine in many environments, if there are a large number of APs on a given management subnet, you probably want to change that default setting and only have client session information sent to APs that the client can actually roam to. Keep in mind that restricting it to APs within RF range will also include any APs that a layer 3 roam could happen on. In Hive Manager NG, this is done in the following location:

Configure/Common Objects/Hives

AMRP Updates - RF Range 1

Select the Hive containing the APs you want to change. At the bottom of the screen in the Client Roaming section, just uncheck the box labeled “Update hive members in the same subnet and VLAN.” Update the configuration on your APs and you will now remove client session sharing between APs not in radio range of each other.

AMRP Updates - RF Range 2

 

So now, instead of this:

AMRP-All APs

 

You have this:

AMRP-RF Range APs

 

As a client roams from one AP to another, the AP it roams to will now share that client session with all of its APs within RF range. The AP that the client roamed off of will stop sharing that client info with APs that are in RF range of it since it no longer maintains the client session. The cycle repeats itself as the client roams to yet another AP. Using this method, the APs do not have to know about all client sessions on all APs within the same local management subnet. That allows Aerohive to scale out from a layer 2(and layer 3) roaming perspective.

Layer 3 Roaming

Layer 3 roaming is handled by another Aerohive protocol entitled Dynamic Network Extension Protocol, or DNXP. To take the definition from the whitepaper I linked to above:

DNXP (Dynamic Network Extension Protocol) – Dynamically creates tunnels on an as needed basis between HiveAPs in different subnets, giving clients the ability to seamlessly roam between subnets while preserving their IP address settings, authentication state, encryption keys, firewall sessions, and QoS enforcement settings.

 How it works is pretty interesting. To explain it, I will have to go back and talk about AMRP. On a given AP management subnet, AMRP takes after OSPF to a certain extent. If you are familiar with how OSPF works on a shared Ethernet segment, you know that there is this concept of a designated router or DR. Additionally, there is a backup designated router, or BDR. The DR and BDR exist to reduce the amount of OSPF traffic flowing between OSPF neighbors. The DR is responsible for sending updates to all the other routers to inform them of the network topology. If it fails, the BDR takes over. Using that same concept, Aerohive APs on a shared Ethernet segment(i.e. layer 2) elect a designated AP, or DA for short. They also elect a backup designated AP, or BDA. This can be seen by running the “show amrp” command on a given AP. Take a look at the following CLI output:

Show AMRP

You can see here that the DA for the shared segment these APs are on is 172.16.100.2. The DA serves several different functions, but one of things it keeps track of is the load level on all the APs within a given segment. When it comes to layer 3 roaming, this DA has a pretty important job. It decides which AP on its given Ethernet segment will spin up the tunnel required for layer 3 roaming. Instead of just spinning up tunnels from the AP the client left during the course of its layer 3 roam, it will seek out the least loaded AP on the given Ethernet segment and have that AP setup the tunnel to the AP the client roamed to. This chosen AP establishes the DNXP tunnel to the AP that the client roamed to on a different subnet and ensures that the network knows that this now roamed client is reachable through this chosen AP.

To see which APs are running as the DA or BDA, but without all the AMRP info from the previous command, you can use the “show amrp interface eth0” command, assuming your connection to the network from the AP is using eth0. It may be using a different interface.

Show AMRP Interface Eth0

I used the above AP, because it was not the DA or BDA. I wanted to show an AP that was in the “Attached” state. The APs that are not the DA or BDA will have a state of “Attached” in the same way that OSPF would show a “DROTHER” on a router that was not the DR or BDR.

An additional thing to note with regard to layer 3 roaming, is that you can restrict which clients can perform a layer 3 roam. This is controlled within the user profile, and in a given SSID, I can have multiple profiles based on a number of different classification methods. Whether you want to allow or deny layer 3 roaming, Aerohive gives you the choice and at a fairly granular level.

To turn on layer 3 roaming for a particular user profile in Hive Manager NG, you simply modify the user profile.

Configure/Common Objects/User Profiles

NG L3 Roam 1

Turn on layer 3 roaming via the Traffic Tunneling tab and if needed, adjust the idle timeout/traffic threshold values. Save the user profile and update the applicable APs.

NG L3 Roam 2

Layer 3 Roaming Test

Although AMRP only shows neighbors on the same Ethernet segment, DNXP is aware of other APs that are nearby, but use a different subnet for the AP’s management IP. You can see these APs with the “show amrp dnxp neighbor” command as shown below:

Show AMRP DNXP Neighbor - Switch 1

Notice that 4 of the APs are in an L2 state. These are the APs on the same Ethernet segment(switch 1) for the management IP. The other 2 APs are in the L3 state. The AP knows that clients could roam to these layer 3 neighbors. In order for this to work, the APs need to be a member of the same “hive”, which is a fancy name for a shared administrative domain. Think of it like an autonomous system number that you would see in routing protocols like BGP. These APs within the same hive share a common secret key, which allows them to communicate securely with each other and trade client state and other AP configuration information. If I look at an AP that resides on switch 2(separated from switch 1 via layer 3), the opposite information appears, with 1 AP in an L2 state, and 5 APs in an L3 state.

Show AMRP DNXP Neighbor - Switch 2

I still have my client connected from the previous example discussing AMRP. It is connected to the AP 390 on switch 1. The 2 APs on switch 2 are separated by a layer 3 boundary from the other 5 APs, so is it aware of the client connected to the AP 390 device? Yes. Since all APs are within RF range of each other, client information is passed between them all. However, in the case of clients separated by a layer 3 boundary, DNXP comes into play. You can see these client sessions in another subnet by looking at the DNXP cache.

Show AMRP DNXP Cache

Note that although this client has not performed a layer 3 roam, the CLI output tells you where the tunnel is going to originate from across the layer 3 boundary when it does roam. This is because the designated AP(DA) has already determined which AP is the least loaded on the subnet that the client will roam from and has assigned that least loaded AP with tunneling duties if the client needs to make a layer 3 roam.

I have moved the client closer to one of the APs on switch 2 so that it roams. I had to actually move the AP out of my office and into the hallway and moved the client into the next room so that the RSSI value on the AP it is currently connected to would be low enough for it to actually roam. As you can see in the CLI output below, the client has roamed over to the AP that resides on switch 2.

Show Station - AP250 - Switch 2

Now, I should be able to see a tunnel spun up between this AP 250 on switch 2 and the AP that the DA connected to switch 1 chose(172.16.100.6).

Here it is from the perspective of the AP the client roamed to on switch 2:

Show AMRP Tunnel - AP250 Switch 2

Here it is from the perspective of the AP(172.16.100.6) on switch 1 that was responsible for building the tunnel to connect the two subnets:

Show AMRP Tunnel - AP330 - Switch 1

Other APs on switch 1 are also aware of this tunnel:

Show AMRP Tunnel - AP390 switch 1

Let’s go one step further and add another client. I associate a client to an AP on the switch 1 side. For the purposes of maintaining some brevity, I won’t show all the CLI around that client before it roams. I moved the client into the same room as the first client and it associates to the AP 250 on switch 2. We can now take a look at how the layer 3 roam was constructed for this second client.

Show AMRP Client - L3 roam on AP250-Switch2

We can see above that both clients are attached to this AP via a layer 3 roam. This can be verified additionally with a “show amrp tunnel” command.

Show AMRP Tunnel - Both clients on AP250

If we take a look at an AP on the network(switch 1) that these clients roamed from, we see that these APs are aware of the clients and how to reach them via the AP that setup the tunnel to the other side.

Here is that view from one of the APs on switch 1:

Show AMRP Client - AP1130 switch 1 - 2clients

And the view from another AP on switch 1:

Show AMRP Client - AP130 switch 1 - 2 clients

There is one thing in particular I want you to notice. Both clients have executed a layer 3 roam and have tunnels spun up bridging these two separate subnets. However, notice that the tunnel end point on the switch 1 side is different for each client. That is because the DA told one AP to setup a tunnel for layer 3 roaming purposes for the first client, but told a different AP to setup a layer 3 roaming tunnel for the other client. Remember that the DA is aware of each AP’s load on a given subnet it is responsible for. It is spreading the load(no pun intended) among the various APs to keep from overloading any single AP. If there were a lot of clients on my home lab network and several of them performed a layer 3 roam at once, you might see tunnels originating from even more APs. It is this distribution of tunnel origination that allows layer 3 roaming to scale and not overload one particular AP.

Closing Thoughts

If you made it this far, congratulations. I told you this was going to be a long post. If nothing else, I hope I have shed a little more light on how Aerohive can scale when it comes to APs cooperating with each other and with regard to layer 3 roaming. As I mentioned earlier in the post, I did not cover automatic channel and transmit power selection. That is covered by a different protocol(ACSP) that works in conjunction with AMRP, and I hope to write another post soon showing how that works.

As with any solution, there are limits. Whether a controller based wireless network, or a cooperative control environment like Aerohive’s, at some point you can break it. It would be impossible for me to acquire the number of clients and access points to do this on my own. Not to mention the fact that I would need a decent sized building to spread out the APs enough to where they aren’t able to hear each other. I hope I was able to at least demonstrate the scalability, albeit on a smaller scale.

Let me know your thoughts or if you have any additional questions in the comments section below.

Posted in aerohive, wireless | 2 Comments

From Multi-Vendor To Single-Vendor

AerohiveLogoCareers take a funny turn a lot of times. Opportunities come up that you weren’t expecting and the timing is never as perfect as you want it to be. At least, that is how it has always been with me. I’ve learned though, that sometimes the best thing for you is to charge full speed ahead through the door, roll the dice, and take your chances. That is where I find myself right now. Having accepted an offer from Aerohive Networks to serve in a pre-sales engineering role in my local area, I am leaving behind a job and a company that I have enjoyed tremendously. Yes, there were times when I had to be talked off the ledge and keep on going. I think that comes with most jobs though. Overall, it has been a very rewarding almost 5 years working for a value added reseller(VAR) and I will miss it greatly.

In the span of a few months, I had to decide to give up the following:

1. Multi-vendor implementations and support.
2. Studying for the CCIE Wireless lab exam with 1 failed lab attempt already under my belt.
3. Involvement with other vendors courtesy of social media(blogging, Twitter, etc). – My involvement with Tech Field Day, HP, and other vendors has brought me into a whole different level of vendor interaction that I didn’t know existed.
4. Extensive travel across the greater US, which isn’t always fun, but I enjoy different locales and different networks to work on. I also haven’t paid for a hotel room or flight for my family in years.
5. Working with people and clients I have known for years.

For all that I gave up, I gained some things.

1. Being able to get really deep in a limited set of products from a single vendor.
2. Travel much closer to home and for shorter durations.
3. Potentially being able to get a better look at how products are brought to market.
4. Potentially being able to understand a vendor’s technology at a much deeper level than I ever could on the partner or end customer side(e.g. The secret sauce around RRM).
5. Potentially having more time for blogging, which I have neglected greatly over the past few years.
6. No more nights and weekends working on customer projects. – This may not totally go away, but it will decrease tremendously.
7. I have always wanted to work for a vendor to complete my overall picture of the IT industry.
8. The chance to compete against larger competitors. – It takes a lot of work to unseat incumbent vendors, or win deals against much larger competitors. Not every deal will be won, but when you can win in an ethical manner, it is a good feeling.
9. Better compensation. – None of us work for free, and I don’t want to be working until I am in my 70’s. Of course, if I can’t sell anything, I might be working until I am in my 70’s.

Which list is better? I came to the conclusion that what I was gaining would outweigh what I was giving up.

The Heart of the Matter
One thing that comes up when talking to peers is being able to go into the single vendor mode mindset after being multi-vendor for so many years. Can it be done? The short answer is yes.

I have worked with a number of networking vendors over the years. However, if I were to break down percentages and allocate them to each vendor, Cisco would have the largest share of the pie. Probably upwards of 75%. I have implemented solutions from Cisco, Meraki, HP, Brocade, Aerohive, Aruba, Meru, Sonicwall, Riverbed, Barracuda Networks, Dell, and a number of other smaller vendors. I have worked with, but not implemented, solutions from F5, Extrahop, Solarwinds, Juniper, and a few others. I wouldn’t claim to have high proficiency in any of them, except Cisco, and “high proficiency” is a rather subjective term. Put me in front of a Cisco Catalyst switch, give me a set of configuration requirements, and I can go to work right away. Put me in front of another vendor’s switch, and I have to stop and think about what needs to be done. I’ll fumble through the CLI, but eventually get it done. Does that make me multivendor proficient?

In all reality, to be proficient in more than one vendor requires consistent exposure and experience with each vendor’s products. I can tell you that even within Cisco, there are products I am very familiar with, and other products that I am not as familiar with. There are just too many products and too many caveats to function at a very low level on more than a handful of products from Cisco. That is the problem with multi-vendor work. Even if it is consistent, there are so many things to learn about each one. This was a lesson I learned when studying for the Cisco CCIE Wireless exam. I spent months on switches, wireless controllers, APs, Prime, ISE, and the MSE, and I still don’t feel like I am anywhere near an expert with those platforms. I am definitely a lot stronger with those products today than I was a year or two ago, but I still have much to learn.

Perhaps the biggest benefit to being multi-vendor focused is the awareness of each vendor’s product set. I don’t necessarily have to know how to configure each nerd knob. I just have to know what the capabilities are. In short, vendor analysis is as big a part of being multi-vendor as is doing the actual configuration and troubleshooting work. Does working for a vendor like Aerohive mean I cannot spend time learning about how wireless is done at any of their competitors? On the contrary, I think it requires that. If you are going to sell against the competition, you better know what you are selling against. If you rely on vendor competitive documents, you will get bit eventually. Those documents are rarely up to date, and I have seen them from numerous vendors working in the VAR space.

In short, I think you can be multi-vendor while working for a single vendor, but from the standpoint of understanding the competition. I know where my paycheck is coming from, so as long as I can do things in an ethical manner, I have no problems only presenting products from the company I represent. I already do that to a certain extent on the VAR side. It isn’t a foreign concept to me.

On another note, if my new job and CWNP studies allow, I plan on doing a lot more blogging. However, don’t be surprised if a fair amount of those posts are “how to’s” on Aerohive. I am VERY excited about being able to get as deep as I can in their products, since I do very little Aerohive work these days. I plan on sharing what I can when I can in the hopes that it will help someone out there. For an IT community that has given me so much, it is the least I can do to return the favor.

Posted in aerohive, career, wireless | 1 Comment

In Pursuit of the CCIE

Just a short post to let you know this blog is not dead. I have not written anything in several months. While I have several posts that are partially complete, I have not been able to finish them…..yet.

For the past several months, I have been busy studying for the CCIE Wireless lab exam. Prior to that, I was sort of working towards the CCIE Route/Switch written and lab exam. I wasn’t fully committed, so my studying was sporadic at best. My heart just wasn’t in forcing myself to learn more about IPv6, multicast, MPLS, and some of the other blueprint items.

Somewhere along the line it changed. Maybe it was having another co-worker who was serious in his pursuit of the CCIE Wireless. Maybe it was that my job working for a reseller had me doing more and more Cisco wireless work. Maybe I just liked the fact that wireless was hard. I’m not really sure. I just know that at some point, a switch flipped inside my head and I just decided to go all in on my studies. Honestly, I should have done this years ago, but the timing just didn’t seem right.

I’ve been studying most nights every week for a few months. I don’t sleep a whole lot these days. A lot of times, I fall asleep in my chair up in my office and don’t wake up until my wife comes up to check on me. On those nights when I do make it to my bed, I think about the lab blueprint until my brain finally shuts down and I drift off to dream. I have dreams about odd things like wireless authentication. My thoughts are always on the lab. Whether I am in a meeting with a client, sitting in church, or just driving down the road, it consumes me.

I’m constantly fighting off the voices in the back of my mind telling me to stop and go back to life as it was before the study urges took over. I have a wife and two kids. I have a job that demands a decent level of performance mentally. I travel a fair amount for work. I work odd hours. I am fairly active in my local church. I also make a decent living, so passing the lab doesn’t mean a massive pay raise for me. There are so many reasons I shouldn’t do this, and they almost overshadow the reasons that I should.

On the positive side, I am convinced there are doors that will not open career-wise, without the CCIE. Will I make more money after passing the lab? Probably. Will I have more recruiters and HR folks pinging me on LinkedIn? Yes. Will I have interesting career choices cross my path? Probably. I’m not planning on doing anything different work-wise after I pass, but as any of you who have CCIE digits knows, you have more options.

Those are all well and good, but if there is one reason I want to pass the lab, it is related to a quote attributed to John F. Kennedy from a speech he gave in 1962 regarding the USA’s attempts to land on the moon:

“We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard.”

That’s it in a nutshell. I need to know if I can push myself to finish something that on the surface, seems impossible. When I was 15 years old, I ran a mile(1600 meters) in 4 minutes and 56 seconds on a dirt track in Hawaii. I had been trying to break 5 minutes for a while at that point. I remember that race vividly. I had a great running coach that trained me well. I put in a lot of miles on hills and roads leading up to that point, and I only mentioned the locale(Hawaii) to give you an idea of what kind of “hills” I was referring to. It was the end of our track season and I was in peak shape. Had it been a rubber track, I could have probably run it in 5 or 6 seconds faster. It doesn’t matter though. I broke 5 minutes. For some, that is not a big deal. For a kid who had asthma at a younger age, that was huge. It will always be one of my favorite moments in my life, taking a back seat to only the birth of my children and the marriage to my wife.

I am always telling my kids that they can be anything they want to be as long as they are willing to work hard for it. I can tell them all day long. It’s better if I show them through example. I’ll find out in 18 days when I sit the lab for the first time. I may go back several more times before I pass it, but I am prepared to do that.

Nobody ever talks to me about my sub-5 minute mile I ran. In fact, my father was the only one in my family who witnessed it. When, and it is a “when”, I pass the CCIE Wireless lab, most of the people in my day to day life, outside of work, will not even know what that is. I am perfectly fine with that. I’m not doing this for accolades or pats on the back. I’m doing this for me, and also to secure a potentially greater ability to provide for my family.

When it is over, I will take a break from studying. I’ll stop reading technical books for a few months, and not think about this stuff too much outside of my work hours. I have several hundred books I have put off reading for several years. I also have 60 years of National Geographic magazines that a friend gave me that are sitting in my office closet begging to be read. After a few months and a few dozen books and magazines, I will get back on the study “horse” and push towards the Aruba ACMX.

While I would have loved to create a bunch of blog posts documenting the technical aspects of my studies, I made the decision to devote that time to studying. Anyone who has written even one technical post knows how much time those things take. I am very grateful for people like Rasika who took the time to document all of their studies. If you are studying for the CCIE Wireless as well, you are probably already familiar with his excellent site. Much of that content applies to the version 3 lab blueprint.

Just wanted to put something up here to let you know I have not abandoned this site. I’m still around. I’m just busy studying.

Posted in career, ccie, learning, wireless | 4 Comments

Aruba and HP – The Remaining Pieces

Aruba-HP-LogoI wrote previously about the Aruba and HP ecosystems. You can find that post here. I also wrote about Aruba’s culture here, and although I had planned on writing about HP’s culture as I understand it, I don’t know that I need to spend too much time on that. When you look at the difference in the two ecosystems from a wireless perspective(HP is a big company with a broad portfolio), HP is a completely different animal and that HAS to affect their company culture.

Well, what really remains to talk about? I think two things. Execution and product disposition.

Execution

Ask anyone who follows the industry about HP, and you will get a variety of thoughts. However, one of them that always seems to surface is in regards to their ability to execute. There is a history of missteps regarding HP in the executive arena over the past several years. Since Meg Whitman has taken over as CEO, I think we have seen a bit more stability in that regard. When thinking about Aruba and HP combining forces for wireless, I am reminded of a comment that Andrew vonNagy made during a Tech Field Day roundtable at the 2015 Las Vegas Atmosphere conference regarding Meg’s handling of the PayPal acquisition when she was heading up eBay. He mentions that she let PayPal run as a separate entity. Perhaps that will be the same with Aruba, and since the Aruba leadership will be running the campus networking section of HP. it is likely that would be true.

There is one other factor to consider. HP will be splitting into two companies on November 1st of this year. HP Enterprise will be headed up by Meg Whitman, and will handle servers, storage, networking, professional services, and software. HP Inc will handle the personal systems(desktops, laptops, tablets) and printing division. The conventional wisdom coming out of HP is that this will allow greater focus on products catering to specific customers. By having separate marketing, research, development, and sales teams, the two HP companies will be able to bring solutions to the marketplace in a much more focused manner. Time will tell if that is the case. The optimist in me sees this as a good thing. Maybe I am simply recalling Cisco’s attempts to play in the SMB/consumer spaces and mostly backing out of that space. I’ll admit that I don’t see the bigger picture as I am not a finance/business person, so there’s a chance that this could be a horrible disaster, and there are no shortage of articles and commentary with that viewpoint.

In short, HP’s ability to execute well with the future of Aruba’s products is yet to be determined. I suspect it will be mid-2016 before we really start to see if the new HP Enterprise company is a stronger and more nimble enterprise competitor than the legacy HP company. What I am certain of is that you cannot be good at everything. You have to pick and choose certain things and do the best you can. As my friend Devin Akin has pointed out to me, if you try and be good at everything, you will be good at nothing. Even though HP Enterprise will still be broad from a technology perspective, it will definitely have fewer things to worry about than the HP of today.

Product Disposition

When I was at HP Discover in Las Vegas last month, I was able to talk with the individual heading up the product disposition between Aruba and HP. I was told that August 18th is the official date within HP that a decision will be made around which products are staying and which products are going. It was still very early on in the evaluation process, so nothing definitive had been decided, and even if it had, that would not have been shared with me. I had some thoughts during the conference, and mostly, I think the same today as I did in early June. Here is what *I* think will happen:

HP Wireless AP’s and Controllers – These are gone. With the Aruba acquisition, there is no need to keep the HP wireless line. For wireless cloud based management, HP was already rebranding Aruba AP’s, so that should tell you something. I don’t see how the HP and Aruba product lines for AP’s and controllers could co-exist. Development was happening much faster on the Aruba side, so I don’t see why the HP product set would stay around.

Aruba Switches – I am still on the fence about these. I think they will stick around for a little bit longer, but only long enough for HP to incorporate some of their functionality into the ProCurve line that HP already sells. I don’t see why HP would keep them once AirWave and ClearPass are able to manage HP ProCurve switches in the same manner they manage Aruba switches today.

Aruba ClearPass – Although there is some overlap with HP’s IMC in terms of functionality, ClearPass is wholly focused on providing/restricting access. IMC is a much more modular system and has the ability to do a bunch of other things. I am not a user of IMC. I have never installed the product into a production environment, so my understanding of it is purely academic. However, I have used ClearPass and know that it is a very powerful product, especially when coupled with Aruba’s wireless solutions. I don’t see HP getting rid of it anytime soon.

Aruba AirWave – I am still uncertain about this product. As others pointed out to me, it was mentioned several times in keynotes during HP Discover 2015, and they would not have done that if they were going to kill it off in favor of HP’s IMC. I think there is pretty big overlap between it and HP’s IMC product, but I am sure there are things that Airwave does today that would take time to implement in IMC. It may end up being a management play for smaller customers, or it may simply co-exist with IMC.

Aruba Meridian – I don’t see this product going away. I don’t believe HP has anything similar to this in production.

Closing Thoughts

There are still many more months to go before we get to see what the results of the Aruba-HP deal will bring. August 18th will be here soon, and that will help Aruba partners and customers figure out what their future purchases should consist of. The bigger question will be answered in 2016, after HP has split into two separate companies.

Everything I have written is pure speculation. I don’t know all the things that HP and Aruba know. I don’t run companies for a living. I only see things from the field engineering level. I could be right, and I could be wrong. Unfortunately, I think we have another 6 months or so before we get a good feel for where this ship is headed. I am hoping it all works out for the best. Those of you that use or support Aruba products are probably watching this merger just as closely as I am. I hope it works out for the best for all parties. If it doesn’t, the industry will go on, but it will be worse off if a solid competitor in the wireless space fades off into obscurity.

Posted in aruba, hp, wireless | 1 Comment

Aruba and HP – The Ecosystem Is King

Aruba-HP-LogoNote: This is part of a multi-post series I am writing that compares Aruba to HP and how the integration of Aruba Networks into HP might play out. You can read my intro post here.

I am a HUGE fan of vendor ecosystems. A HUGE fan. I have written about them before. The last post I wrote on them can be found here. I really do think they are the key to driving a vendor’s success. One could argue that the large vendors have it easy. They have the resources to build those ecosystems. They can spend money that the smaller vendors cannot and can essentially buy loyalty from customers and partners. Of course, at some point, those large vendors were small ones. They did something different to propel them to the large vendor status. Their competition fell by the wayside and either drifted off into obsolescence, or just outright died.

Sorry. There is no TL/DR for this post. Buckle up. It’s a long one.

So let’s get a lay of the land when it comes to ecosystems between HP and Aruba. Let me clear about one thing. This is specific to wireless. This has nothing to do with the many things HP is doing around SDN and other areas of networking.

Let’s focus on the following topics:

Books
Certification Programs
Conferences
Design Guides
External Technical Websites
Forums
Marketing
Resellers
Social Media

The end goal of all of these things is to produce large numbers of networking professionals who are knowledgable and comfortable with the HP wireless portfolio. It carries over into other areas of networking as well. Get people fired up about one section of your product portfolio and it should translate into an uptick in sales for the other products. If they trust you in one area, there is a good chance they will trust you in another area.

HP’s Wireless Ecosystem

Books

The one area that HP has an advantage over Aruba is that of books. Although their books tend to be certification focused, they have at least begun efforts in the past few years to get technical content out there. I suspect that over time they will be able to produce more books that are technically focused outside of the certification process.

Certification Programs

The certification program with regards to HP’s wireless solutions has been up and running for some time now. If you look at the list of available certifications here, you won’t find much in the way of wireless. They do offer the Accredited Systems Engineer(ASE) certification for wireless. They also offer the Master ASE certification for wireless. Neither of these are certifications that I am very familiar with. I have no idea what the numbers are of certified professionals regarding these programs. I could not find any published numbers around either of these programs. If someone can provide those numbers, I would love to see them. Suffice to say, there is not any sort of lab-based exam regarding HP wireless that I am aware of.

Conferences

HP Discover has been going on for several years now, and occurs in multiple parts of the globe. When I attended the Las Vegas conference in 2011, I tried to attend as many networking sessions as I could. Several of them were wireless focused. However, these sessions tended to be very high level and didn’t have a whole lot of technical content. I do recall one session in 2011 that covered their wireless security solutions that had some technical content.

As for the 2015 conference in Las Vegas that I attended last week, I recall just one session that seemed to be HP wireless specific. I skipped it after learning it would not be Aruba-focused, so I am not entirely sure how much technical depth was in that session. The other sessions I attended that were wireless focused were Aruba-centric. Those sessions were relatively high level and seemed to be more of an introduction to the Aruba wireless line. I attribute that to the very short time Aruba had to prepare for the conference.

I should also point out that except for the keynotes, I didn’t see any video recording of the sessions in either the 2011 show or the 2015 show. When I went to look for past sessions, I found nothing of any significant value. As for videos, the lack of recordings of breakout sessions meant that there was nothing to watch, other than an occasional interview with HP Networking executives. A search for HP Wireless videos on YouTube, simply gave me a bunch of videos with people fixing printer problems.

As for their show floor at HP Discover, they always had their wireless gear on display, except for the 2015 show. If you wanted any sort of technical depth on HP wireless, you had to talk to the people on the show floor.

Having attended the Las Vegas Interop show a few times, I have seen HP with a large booth each year I visited. The wireless group from HP tended to be at all of those shows as well. They had all of their products on display, and if you wanted to chat with someone from the wireless unit, they were available, much like at the HP Discover show I attended in 2011.

Design Guides

I found one. It is from 2010 and can be seen here. I could not find anymore. That isn’t to say that they don’t exist. I even checked the partner site, since I work for an HP partner. If you deal with servers and storage, there is a decent amount of content on the partner site. However, for networking, I found nothing of substance.

External Technical Websites

This would be the place where I tell you about non-HP websites/blogs that write about HP wireless topics. I couldn’t find any. Of course, I don’t speak and read every language across the globe, so if a site didn’t show up in an English Google search, I missed it.

Forums

As for the forums, there are some posts on HP’s support site, but they tend to be relatively sparse. It doesn’t appear to be a very active segment of the HP support forums site.

Marketing

HP has a decent marketing machine. It appears to be directed at management though. I assume they have a pretty decent sized budget, but I am guessing a lot of that effort gets focused on the personal systems, or the server and storage side of the house. I don’t see much in the way of HP wireless, if any. It isn’t for lack of looking on my part. I get tons of e-mails from various vendors. I even allow LinkedIn to send me e-mails when people post to groups. I see an occasional e-mail about HP Networking, but never really about the wireless line.

Resellers

I don’t know how big the partner network is for HP in the realm of networking. I suspect it is the same deal as a lot of other vendor partners. Partners tend to sell big for one or two brands in the networking space and maintain a partner relationship for other vendors they don’t sell as much for. They are essentially partners in name only. Think of it as an insurance policy. If you don’t want my primary vendor(usually Cisco), I can offer you this other vendor(e.g. Juniper, Brocade, HP, etc).

Within the US, there are some big national resellers who will sell HP wireless gear, and probably some more regionally focused partners who do the same. I am familiar with all of the big players in my home market of Nashville, and I am unaware of any of them who move any HP wireless gear in substantial numbers. It may also be regionally focused. I know of one particular reseller with a presence in Nashville who does very little HP business in Tennessee, but sells a LOT of it in Florida. I fully admit I may have a limited view into the HP partner ecosystem, so I may be way off in my assessment of HP wireless sales.

Social Media

HP has a pretty large social media presence, just not in the HP wireless realm. Let me give you a quick test. Go to Twitter’s website. Search for “HP wireless”. Look at the results. Now, search for “Cisco wireless”. Look at the results. See the difference?

I realize there is more to social media than Twitter. I checked Facebook. Nothing to note. I am sure you can find something on LinkedIn, but I am guessing it is more along the lines of finding HP employees to connect with.

Aruba’s Wireless Ecosystem

Books

Sorry Aruba. You have no books to speak of. Considering you do have design guides and a fair amount of training courses, it isn’t all bad I suppose.

Certification Programs

Although not as popular as Cisco wireless certifications, Aruba does have a very healthy certification program. From the basic high-level certification like the Aruba Certified Solutions Professional(ACSP) to the Aruba Certified Mobility Expert(ACMX) and Aruba Certified Design Expert(ACDX) certifications, there is something for everyone. People with the ACMX or ACDX certifications are required to pass a lab exam and are given a number unique to them when they pass. This is not something that is trivial to setup. It takes a lot more work to setup a proctored lab exam than it does to put together 100 or so questions for a written exam.

I am sitting in an Aruba Mobility Bootcamp course this week. It is the third Aruba course I have taken in the past year or so. The courses have materials that are all branded the same, which indicates a unity in course planning and management. It is a well oiled machine. Instructor knowledge varies, but is pretty good in my limited experience. When I took the ClearPass Advanced Labs course last year, it was taught by an ACMX. You can see the full certification layout here.

Conferences

Aruba has its Atmosphere conference every year in multiple cities around the globe. The Las Vegas show is probably the biggest one. The conference is fairly heavy on the technical side. There are multiple tracks, but the Airheads track is for the technical end user.

A large number of these sessions are video recorded, and you can watch the videos on YouTube. Click here for a playlist of the 2015 Las Vegas show session videos. Additionally, as an Aruba Partner, I have access to the presentations that were restricted to Aruba partners. A lot of them were video recorded. The ones that were not recorded have the slide deck available for download.

Although I have never been to an Aruba conference, I expect all of their technology was on display at each event. I have no doubt there were plenty of Aruba experts on hand to talk about any facet of the technology. If you watch some of the breakout session videos, you will see a good amount of technical depth around their solutions.

I fully expect to see the full line of Aruba products on display at upcoming HP Discover conferences. What I will be curious about is if they have the same in depth technical breakout sessions that Atmosphere is known for.

Design Guides

I like what Aruba is doing in the way of design guides. Although just HAVING them is a good thing, they go a step further and make them publicly available to anyone without having to register on their website(You use a fake e-mail address for those sites, right?). You can see the design guides here(http://community.arubanetworks.com/t5/tkb/v2/page/blog-id/Aruba-VRDs/page/1?_ga=1.137053936.1587483989.1417455721). There are about 25 of them available as of this post.

External Technical Websites

There are several Wi-Fi professionals out there that write technical articles about Aruba Networks. I’ll mention three of them, but I can assure you there are more. I specifically mention these three because they have real-world implementation experience with Aruba. Many of us who blog about all sorts of stuff may only have lab experience or an academic understanding when it comes to certain vendors.

Chris Lyttle maintains the Wi-Fi Kiwi site, where he writes about all things wireless. He has done a fair amount of Aruba implementations, and he writes frequently about them.

Eddie Forero maintains the Wi-Fi Republic site, where he also writes about all things wireless. He has a fair amount of Aruba work under his belt as well.

Charlie Clemmer works for Aruba….errrr HP, but maintains his own personal site where he writes about……you guessed it…..Aruba Networks.

Forums

The Airheads community is a vibrant one. You can take a peek by clicking here. Lots of engineers participate in asking and answering questions. In addition to the forum posts that are primarily Q&A based, there are frequent blog posts by Aruba employees as well as by outside wireless folks. You can see the latest blog posts here. I read a lot of these posts and I can tell you that they range from high-level to very deep from a technical perspective.

In addition to just having the Airheads community, Aruba Networks saw fit to appoint Sean Rynearson as chief Airhead, to ride herd over that unruly mob of Wi-Fi geeks. When he isn’t posting his scheduled tweet about joining Airheads(I kid. I kid.), Sean posts some pretty interesting links to technical content. It is nice to be able to reach out to a known human whenever issues or general questions arise!

Marketing

Aruba does a pretty good job of marketing. They understand who they are marketing to and have a good mix of technical and high-level information. Although I am not a fan of webinars in general, Aruba has a fair amount of them available for partners and customers. As far as other marketing content, I seem to get a pretty steady stream of it via e-mail and via their YouTube page. I don’t necessarily like all of the videos, but there is a decent mix of things that would apply to managers and those that apply to more technical people.

One thing I do like in the way of marketing is their website. It is pretty straightforward and easy to navigate. On the parter side of the website, I have access to a fair amount of information. I would especially like to note the Arubapedia site that partners have access to. It is a tremendous amount of information related to all things Aruba from a technical perspective.

Resellers

There are plenty of Aruba partners out there. When it comes to supporting partners, Aruba gets it. I have access to almost anything I need from a hardware and software perspective. The Aruba account teams I work with in Tennessee are always willing to help out in order to make us more effective as a partner. Whether it is training classes, or just help when we run into issues with implementations, they have always been willing to assist. I know that as the organization grows and more partners are onboarded, it will be more difficult for Aruba to give all of them the same service that my company receives today. However, I have access to a local Aruba partner rep, so if we are overloading the account teams, that person is able to step in and help out in any way they can.

Social Media

When compared with the presence of HP Wireless in social media, Aruba has them vastly outnumbered. Consider that Aruba has representation on Twitter from the CTO down to the engineers. Marketing is on it as well. If you need to reach out to someone within Aruba, there is a good chance that you can find them via social media. Go to Twitter and search for Aruba Networks. You’ll find an active corporate Twitter account along with a large number of Aruba employees. You’ll also find them on LinkedIn.

Closing Thoughts

When it comes to ecosystem, Aruba has HP Wireless beat hands down. When I think about what Aruba is to become, being part of HP, it looks promising. I say that knowing that Dominic Orr and Keerti Melkote will lead the HP Networking campus division. They fully understand the value of the Aruba ecosystem. I can only imagine that they will keep it intact. I have to take Dominic Orr at his word when he mentioned during the Atmosphere 2015 keynote in Las Vegas, that nothing will change.

HP certainly has the resources to build a great ecosystem. With the boost to their networking division that Aruba Networks gives them, I expect that ecosystem to grow much larger than it is today. Once HP splits into two companies, more focus can be directed towards winning the business of corporate customers, and adding more resources to their existing and future partners.

Posted in aruba, hp, vendors | 1 Comment

Let’s Revisit The Aruba Networks Acquisition

Aruba-HP-LogoBack in February, I wrote a piece entitled “HP Buying Aruba?”. In that post, I provided some context around why I thought HP buying Aruba could end up being a bad idea. I also mentioned in that post that I hoped HP did right by Aruba’s customer base and didn’t put the corporate handcuffs on them.

After several months and many conversations with HP, Aruba, and my peers, I have a different take. I am not 100% ready to back off from my concerns though. The acquisition has closed. The deal is done. However, it is too early in the process to be certain of much of anything regarding the future state of Aruba, its products, and its ability to execute as they have in the past. Let’s just say I am about 75% headed in the opposite direction of my initial concerns.

This past week, I was fortunate enough to attend HP Discover in Las Vegas. HP paid for my travel and expenses for HP Discover. For that, I thank them and I can definitively tell you that I was not pressured into writing anything as a result of this trip. As luck would have it, Aruba had a decent presence at the conference. Since the acquisition of Aruba by HP just closed a few weeks ago, there was a lot that could not be done from a legal standpoint until the deal closed. When I initially registered for HP Discover, I didn’t see much of anything in the way of sessions regarding Aruba Networks on the agenda. Thankfully, that changed in short order and I was able to sit in on numerous sessions related to Aruba Networks and their products/strategy in the past few days.

Most of the sessions were very basic in nature. I attribute that to a very short amount of time that was given to Aruba to prepare, since they couldn’t really cooperate with HP until the deal was closed. Additionally, the assumption was probably made that most wireless people at HP Discover would not be existing Aruba customers. I’d say that was probably a fair assessment. The geek in me would have loved to see sessions similar to what were given at Aruba’s Atmosphere conference, but that would have taken a lot more time to prepare for, and Aruba just didn’t have that kind of time. Nevertheless, it was a valiant effort on the part of Aruba, and I think they did the best they could with the limited time they had to prepare.

Well, if I didn’t learn much in the sessions, except for the Meridian one, was I able to get any additional information at the conference? In short, yes. I had quite a few conversations with a few folks at Aruba and HP, as well as some discussions with other fellow bloggers who were there with me. Although nothing was 100% in terms of future state, I think I got a good feel for where I THINK they are headed with the combined companies.

I’d like to take some time and really expound on a few key areas like ecosystem, company culture, execution, and final Aruba/HP product disposition. However, I also think it is worthwhile to try and get a feel for who Aruba is as a company. If you are familiar with them already, then this post probably isn’t for you. Wait until my follow up posts on the key areas I just mentioned. They should be coming out this week, unless the Aruba training class I am in gets the better of me and I am mentally exhausted after each day.

If you aren’t familiar with Aruba and their company culture, here are a few video clips that may help you understand them:

The following excerpt is from the keynote address that Dominic Orr gave at Aruba’s Atmosphere 2015 conference in Las Vegas. You can watch the whole thing if you want, but I think the interesting part comes at the end when Dominic explains the HP acquisition. If you don’t want to watch it, here is a TL/DR version where I paraphrase Dominic’s comments.

1. The Airheads community is Aruba’s biggest asset.
2. All partners are an incredible asset to the company.
3. Our loyalty and dedication to you will not change. Customer first. Customer last. That aspect of Aruba’s culture will not change. That culture is an appreciation of how customers stuck their neck out and took a chance on Aruba. Aruba will not forget that.
4. Aruba will go out to battle with you. That competitive culture and commitment to being the leader in the mobile access layer will not change.

Watch video up to about 1:30.

Another video out of the same Atmosphere conference was a Tech Field Day roundtable discussion. There are some interesting points made by members of the panel, but I think the real value of this discussion starts with the audience questions. Two main things to note in this portion of the video that begins at 17min45sec into it. First, Ben Carnevale makes a VERY good point regarding company culture, and Ryan Adzima adds relevant commentary around it. Second, Eddie Forero adds on to Ben’s comment with the statement that although he trusts Dominic Orr, he wants HP to NOT make him a liar.

Closing Thoughts

Once you understand how different Aruba Networks is from HP in terms of culture, you understand why there was so much initial hesitation around this acquisition. I’m a lot more optimistic after spending last week at HP Discover, but there are still plenty of unknowns. A lot can happen in the next year. I’ll look into my crystal ball in follow up posts and see if I can make sense of how this Aruba acquisition can be a good thing. There’s also the potential for it to be a bad thing, but I think there are some good things in motion that should prevent that.

Posted in aruba, hp, vendors, wireless | 2 Comments

HP Buying Aruba?

hplogoTwo things happened today. First, Twitter blew up at some point with rumors of HP in talks to buy Aruba. Second, my shares of Aruba stock shot up about 20%. I was disappointed with the first and pleased with the second. Of course, they were directly related.

 
In Case You Weren’t Aware…..
 
HP has had some issues over the past several years. Not so much issues with their technology, which has always been good, but more so with execution. The latest attempt to right the ship has been to split the company into two distinct entities. Trim the fat off of the corporate monster so to speak. Or, maybe a better way to put it is that HP wants to become less of an “all things to all customers” type of company, and more of a “some things to some customers” type of company. Some customers will be served by one of the two HP companies, and some customers will be served by the other, or both. This allows more focus in certain areas, and focus is never a bad thing.
 
Why Does It Matter If HP Buys Aruba?
 
Although this is all speculation, allow me to continue down this road of “speculation”. I realize that neither HP nor Aruba have confirmed any of this. This is probably someone telling someone else something they weren’t supposed to tell. That person tells someone else, and next thing you know, it ends up as an article on a finance site. We all tweet about it and fuel the frenzy, along with the investors who look at balance sheets and run up the stock price of Aruba. By the time it is all over, people will form opinions based on a mix of facts and rumors and one side will have you believe the CEO’s of both companies drown kittens in their spare time. Or, those in favor will have you believe that God almighty came down from heaven and helped to broker this deal. Hopefully, we all end up somewhere in the middle.
 
To answer the question of why it matters, I have to look at it from differing points of view. The first is that of a shrewd business person. The second is that of a technical person who likes the world of technology, and especially Wi-Fi. These are MY views and mine alone. As always, I could completely misrepresent each position and could be completely wrong. I could also be right. Time will tell, and the Internet never forgets, thanks to archives. 🙂
 
Business View
 
Money. That’s it. Spare me the idealism and desire to do good for the world one widget at a time. Profit-based companies exist to return value to their shareholders, be they public or private. Jobs and philanthropy are a secondary benefit. If you are public, there are a lot of people in expensive suits poring over your books and demanding answers to why you came in at 1 cent below expectations for the quarter. Business is war, make no mistake. Pretty it up with other terms, but the goal is always market domination because that returns the most bang for the buck. Why start a profit-based business if you don’t think you have what it takes to succeed? Nobody wants to work into their 80’s just to pay the rent. We all want to retire and enjoy the fruits of our labor in our twilight years.
 
If, and this is still an “if”, Aruba sells to HP, it is for money. Aruba’s shareholders, and I am one of them, get paid. HP gets a good company with good technology, and thus, they get paid as well. The Aruba portfolio and client list will strengthen HP in the wireless arena. They are already selling Aruba wireless gear today, so it isn’t like Aruba is completely foreign to HP. Of course, so is Dell. Aruba also has semi-partnerships with Brocade and Juniper. As my friend Tom points out:
 


 
From a business perspective, this means that HP can compete a LOT more with Cisco, who teeters around the 50% market share in regards to wireless. If HP can buy Aruba at a decent price, I would say the business folks would be okay with that. Don’t ask me what a decent price is, but my guess is somewhere north of 2 billion USD.
 
Technology View
 
Aruba has good wireless technology. Ignore the silly marketing videos from Aruba and Cisco where they are smashing and drowning access points, and consider that if Aruba’s technology didn’t work, they wouldn’t be the number two player in the enterprise market. There isn’t enough lipstick in the world to put on a pig to give it that kind of market share.
 
If the technology is good, and HP buys Aruba, what is the problem? I submit to you that it is going to be a problem of execution on HP’s side. Take a look at what they are doing in wireless. Does anything stand out? How many HP wireless customers do you know of? I know they are out there. That much is true. What I can tell you is that in the 3 and a half years I have been with my current employer, I have come across one HP wireless install. It was for a school system in the area I live in(Nashville,TN). Just one. I realize that I have not been to every company in the world. I have not seen the networks running thousands of HP wireless access points. I have seen plenty of Aruba and Cisco wireless installs. I’ve come across Aerohive, Ruckus, Ubiquiti, Meraki(pre-Cisco), Extreme, and even SonicWall. In the wild, I have found AirTight, Meru, and Brocade(Motorola), but never HP.
 
Perhaps I am looking in the wrong places though. Your mileage may vary. Perhaps all you see is HP wireless installs. I HAVE seen, and worked on, plenty of HP ProCurve switches. There’s lots of those around. I just haven’t seen much HP wireless out there.
 
Back to the present day HP wireless though. Can you think of anything that sets HP apart in the wireless field? Can you describe them the same way you would Ruckus, Aerohive, or even Meru as it relates to technology that sets them apart?
 
In my mind, their wireless marketing is non-existent. You never see them out there. You never hear about them. Wireless companies with much smaller market share and marketing dollars are out there spreading their message constantly. Whether it is in social media or at technical events, they are out there. Perhaps I am in a bubble though. I fully accept the fact that I may be in a social media bubble as it relates to technology, and all of my peers that I interact with are focused on just a handful of vendors, or in some cases, just one. That is a possibility.
 
Let’s assume I am not in a bubble though. Let’s just assume that my reasoning is sound. When I think of wireless companies, I don’t rank HP in the top 5. That is not a dig on their technology. Not at all. To me, it is a matter of focus. I had the same problem with F5 dipping into the firewall space, and Riverbed dipping into the load balancer space(Sold to Brocade, by the way.). Brand recognition is important. What a company is known for is important, and changing people’s perceptions of that takes time and a whole lot of marketing.
 
When I think about HP buying Aruba, I see nothing but a slow death for Aruba’s product set within the HP machine. I fully expect them to get sucked up into a much larger corporation and get beat down with more corporate bureaucracy. I hope I am wrong though. I don’t think I am the only one who expected Meraki to get sucked up into Cisco and slowly killed off from a corporate culture standpoint. I have been surprised at how long Cisco has let them run as is, but with the Meraki founders leaving Cisco recently, maybe it wasn’t as it seemed.
 
Closing Thoughts
 
If Aruba sells to HP, I hope that they continue to flourish. I hope that they are allowed to keep doing what they do today in terms of customer and partner engagement. I can tell you that Aruba is a good company to partner with from a technical perspective. The local Aruba team my company is engaged with are good folks. There is never a problem with providing whatever hardware we need to be successful. Training has been forthcoming as well. Aruba also has a really visible online and marketing presence.
 
I also hope that HP is serious about succeeding in the wireless arena. I hope that they use the goodwill that Aruba has and make their presence felt in the market. Maybe in a few years, HP will be a name that I hear people mention when considering wireless vendors.
 
I say all of this with consideration of the fact that the overwhelming majority of wireless work I do these days are with Cisco implementations. I’m typing this post in a hotel after finishing another Cisco wireless survey. I like Cisco wireless. It’s a good product. It works. The management piece is a whole different animal. 🙂 I also like Aruba. Maybe a better way to put it is that I like competition. It makes all vendors better. If one vendor dominates a space too much, I think the wireless market as a whole suffers. While I hope that I am wrong with Aruba going off to die in HP, I can’t help but think that Cisco is all too happy to see this acquisition happen, if the rumors are true. Based on the previous years of HP missteps, I can see why this could be a good thing for Cisco.
 
I would love to hear your thoughts. Am I missing anything? Completely wrong?
 

Posted in aruba, hp, wireless | 3 Comments

Cisco Wireless Transmit Power Control

Power substation outside a VERY large data center in Atlanta,GA.

I’m going to start out by telling you something you probably already know. Every vendor has their own way of doing things. Sometimes it makes perfect sense, and other times you end up scratching your head wondering why that particular vendor implemented this feature or product. Since I have been spending a lot more time on wireless these days, I came across an issue that forced me to reconsider how transmit power control(TPC) actually works in a Cisco wireless deployment. I thought I would impart some of this information to you, dear reader, in the hopes that it may help you. If you spend a lot of time inside Cisco wireless LAN controllers, this may not be anything new to you.

The Need For TPC

If you have been around wireless long enough, you have probably dealt with wireless installs where all of the access points(AP) were functioning autonomously. While this isn’t a big deal in smaller environments, consider how much design work goes into a network with autonomous access points that number into the hundreds. It isn’t as simple as just deciding on channels and spinning all the access points up. You also have to consider the power levels of the respective access points. Failure to do so can result in the image below where the AP is clearly heard by the client device, but the AP cannot hear the client since it is transmitting at a higher power level than the client can match.

AP-TransmitPowerProblem

 

Now consider the use of a wireless LAN controller to manage all of those APs. In addition to things like dynamic channel assignment, you can also have it adjust the transmit power levels of the APs. This can come in handy when you have an AP fail and need the other APs to increase their transmit power to fill the gap that exists since that failed AP is no longer servicing clients. I should point out that proper design of a wireless network with respect to the client transmit power capabilities should NEVER be overlooked. You ALWAYS want to be aware of what power levels your clients can transmit at. It helps to reduce the problem in the image above.

There’s also the problem that can arise when too many APs can hear each other. It isn’t just about the clients. Wireless systems which adhere to the IEEE 802.11 standard are a half duplex medium. Only one device can talk at a time on a given channel. Either a client or the AP will talk, but not both at once. If an AP can hear another AP on the same channel at a usable signal, the airtime must be shared between those APs. Depending on the number of SSID’s in use, this can dramatically reduce the amount of airtime available for an AP to service a client. You can see some actual numbers with regard to SSIDs and APs in this blog post by Andrew von Nagy.

As you can see from two quick examples, there is a need to control the power level in which an AP will transmit. On controller based wireless networks(and even on the newer controller-less solutions), this is done automatically. I wouldn’t advise you turn that off unless you really know what you are doing and you have the time to plan it all out beforehand.

The Cisco Approach

On wireless LAN controllers, TPC is a function of Radio Resource Management(RRM). The specifics can be found here. I’ll spare you the read and give you the high points.

  • The TPC algorithm is only concerned with reducing power levels. Increases in power levels are covered by Coverage Hole Detection and Correction algorithm.
  • TPC runs in 10 minute intervals.
  • A minimum of 4 APs are required for TPC to work.

It is the last point that I want to focus on, because the first two are pretty self explanatory. The reasoning behind the 4 AP minimum for TPC is as follows:

“For TPC to work ( or to even have a need for TPC ) 4 APS must be in proximity of each other.  Why? Because on 2.4 GHz you only have three channels that do not overlap… Once you have a fourth AP you need to potentially adjust power down to avoid co channel interference.   With 3 APS full power will not cause this issue.”

Those are not my words. They came from someone within Cisco that is focused on wireless. Since that person didn’t know I would publish that, I will not name said person. The explanation though, makes sense.

***Update – It appears that the Cisco documentation regarding TPC is a bit murky. Jeff Rensink pointed out in the comments below that TPC will also increase power levels. Although CHD will increase based on client information, I didn’t use any clients in my testing, as Jeff rightly assumed. The power increases I saw once I started removing AP’s from the WLC could not have been attributed to CHD adjustments. Read his comment below as he makes some very valid points. The NDP reference and accompanying link in his comment is fairly interesting.

Let’s see it in action to validate what Cisco’s documentation says.

TPC Testing

I happen to have a Cisco WLC 2504 handy with 4 APs. I set it up in my home office and only maintained about 10 feet separation from the APs. Ideally, I would test it with the APs a lot farther apart, but I did put some barriers around the APs to give some extra attenuation to the signal. I also only did testing on the 5GHz band. I disabled all of the 2.4GHz radios because I don’t need to give any of my neighbors a reason to hate me. Blasting 5GHz is less disruptive to their home wireless networks than 2.4GHz is due to the signals traveling farther/less attenuation of 2.4GHz vs 5GHz signals/antenna aperture. 🙂

Here you can see the available settings for TPC in the WLC GUI. This particular controller is running 7.6 code, so your version may vary.

TPC SettingsSome notes on options:

    • You can either set TPC to run automatically, on demand, or at a fixed power rate on all APs. TPC is band specific, so if you want different settings for 2.4GHz and 5GHz respectively, you can have that.
    • Maximum and minimum settings for transmit power are available. The defaults are 30dBm for maximum power and -10dBm for minimum power.
    • The power threshold is the minimum level at which you need to hear the third AP for the TPC algorithm to run. The default is -70dBm. You can set it higher or lower depending on your needs. High density environments might require a level stronger than -70dBm, with -50dBm being the strongest level supported. If you don’t necessarily need to run things like voice, you might be able to get away with a weaker threshold, but you cannot go beyond -80dBm.

A Quick Sidebar on Maximum Transmit Power in 5GHz

I set up the WLC with 3 APs active on 5GHz only. You can see that the power levels on the 3 APs are set to 1 in the image further down, which is maximum power according to Cisco. While it seems odd that max power would be a 1 and not some higher number, consider the fact that there are multiple maximum transmit power levels depending on which UNII band you are using in 5GHz. As a general reference, 20dBm would be 100mW and 14dBm would be 25mW. You could get 200mW(23dBm) of power using a UNII-3 channel vs UNII-1, which is maxed out 32mW(15dBm). That is a HUGE difference.

      • UNII-1 power levels for channels 36-48:
        • 1 – 15dBm
        • 2 – 12dBm
        • 3 – 9dBm
        • 4 – 6dBm
        • 5 – 3dBm
      • UNII-2 power levels for channels 52-64(I didn’t test UNII-2 Extended, but I suspect it is the same:
        • 1 – 17dBm
        • 2 – 14dBm
        • 3 – 11dBm
        • 4 – 8dBm
        • 5 – 5dBm
        • 6 – 2dBm
      • UNII-3 power levels for channels 149-161:
        • 1 – 23dBm
        • 2 – 20dBm
        • 3 – 17dBm
        • 4 – 14dBm
        • 5 – 11dBm
        • 6 – 8dBm
        • 7 – 5dBm

To see the supported power levels in terms of dBm on 5GHz, you can run the following command on the CLI of the WLC:

show ap config 802.11a <ap name>

The output will look something like this after you go through a handful of screens showing other stuff:

AP Power Settings

 

 

***Update – Brian Long wrote a blog post on this very thing! You can read it here.

Back To The Testing…

You can see in the image below that with 3 APs active, they are all running at power level 1, which is the default when the radios come online.

3AP-MaxTXPower

So let’s see what happens when I add the fourth AP. If our understanding of TPC is correct, we should see the power levels come down since the APs are so close to each other and will have a signal strength of well above -70dBm between each other.

4AP-MaxTXPowerThe fourth AP now shows up, but the power levels are still maxed out at 1. The AP’s are also using channels on all 3 UNII bands, so there is a huge disparity in output power right now. After a few minutes, the following shows up in the WLC:

4AP-PowerRedux-1Now we can see TPC working. It has reduced all 4 APs to a power level of 2. Once the TPC algorithm kicks in, it will run every 10 minutes until it reaches a level where the fourth AP is just within the power threshold of -70dBm. Let’s see if it keeps reducing power.

4AP-PowerRedux-2Now we are at a power level of 3. Ten more minutes pass and I see the following:

4AP-PowerRedux-3Two of the APs have been reduced to a power level of 4. Ten more minutes passed and power levels reduced even further. At that point, I powered off one of the APs to see if the power levels would go back to 1 since there was no longer a fourth AP. I didn’t get a screen shot in time to see all 4 APs at an even lower power level, but when I did grab a screen shot of the 3 remaining APs, one of them had been dropped to a power level of 5. I believe this happened prior to my unplugging the fourth AP.

Note – Power level decreases happen in single increments only, every time the TPC algorithm runs(every 10 minutes). To put it another way, it downgrades by 3dB max each cycle. Sam Clements pointed out to me via Twitter that when power levels increase, it can happen much more rapidly since the Coverage Hole Detection(CHD) and Correction algorithm is responsible for power increases.

4AP-PowerRedux-4I waited for at least 30 minutes to see if the power levels would return to 1 for the remaining 3 APs, but they didn’t move at all. They stayed just like the above image.

If you want to see this work on the CLI in real time, you can issue the following command:

debug airewave-director power enable

After I had waited for over half an hour, I decided to power off one more AP. When I brought it back online, I saw all 3 of the APs slowly go back to a power level of 1. Here’s the first change I saw in the 3 remaining APs:

3AP-AlmostMaxPowerAnd then shortly afterward, I saw them back at max power.

3AP-MaxPowerAgain

 

It’s All In The Details

For wireless surveys, my company uses the Ekahau Site Survey product. It is a really neat survey tool and we use it for on site assessments as well as predictive surveys. When you define the requirements of the project, you can choose from a bunch of different vendor specific scenarios, or general wireless scenarios. I can apply those requirements to a predictive survey, or an on site survey where I am trying to determine if the existing coverage/capacity is good enough for the business needs.

Here’s a screen shot of the default requirements for the “Cisco Voice” scenario found in version 7.6.4 of Ekahau’s Site Survey program:

EkahauRequirementsPay careful attention to the “Number of Access Points” field. By default, it shows 2 APs with a minimum signal strength of -75dBm. If I am building a predictive survey for Cisco voice, I would need to have all of my coverage areas to see 2 APs at a signal of -75dBm or better. That’s perfectly fine, but I also have to consider the APs and how they determine, you guessed it, transmit power. If I change the value in the “Number of Access Points” field to 3 APs at -70dBm or better, I can build my predictive survey around inter-AP communication as well. In that scenario, I am not looking to cover the entire floor or building to that standard. I just need to make sure that all of my APs can see 3 or more APs at -70dBm or better. Of course, if I am not using Cisco wireless to support a Cisco voice implementation, I need to figure out how that other wireless vendor determines transmit power. Just something to consider when interpreting the results of an actual or predictive survey. It isn’t entirely about the clients and their relationship to the AP. AP to AP communication matters as well!

Closing Thoughts

Understanding how the TPC function works is pretty important when designing Cisco wireless networks. Failure to consider what all is involved in regards to transmit power on your APs could(not WILL, but COULD) lead to problems in the wireless network’s operation. However, if you want to manually set transmit power, that’s an option as well. Opinions differ on running RRM. I’m not sure there is a right or wrong answer. It depends. 🙂 I will say that I almost never see Cisco wireless implementations where RRM is not being used.

I don’t want to end this post without mentioning that some networks may be perfectly fine running APs at max power, especially on the 5GHz side. Your coverage may be enough to where there is minimal channel overlap(easily achievable in 5GHz with 20MHz channels and the use of all 3 UNII bands), and each AP can hear one or two neighboring APs at a decent level due to good cell overlap. You just might not have enough APs to trigger the TPC algorithm to run. That doesn’t mean “you are doing it wrong”. If it works for the business and all your users are fine, who am I to tell you that you need to “fix” it.

Hopefully this was beneficial to you if you needed a clearer understanding of how Cisco’s TPC function works. If you already have a good understanding of TPC and managed to read this far, feel free to shame humiliate correct me in the comments.

Posted in cisco, wireless | 11 Comments