SonicPoint Deployment Best Practices

This section provides SonicWALL recommendations and best practices regarding the design, installation, deployment, and configuration issues for SonicWALL’s SonicPoint wireless access points. The information covered allows site administrators to properly deploy SonicPoints in environments of any size. This section also covers related external issues that are required for successful operation and deployment.

IMPORTANT: Dell SonicWALL cannot provide any direct technical support for any of the third-party Ethernet switches referenced in this section. The material is also subject to change without Dell SonicWALL’s knowledge when the switch manufacturer releases new models or firmware that might invalidate the information contained herein.

Further information about SonicPoint best practices can be found in the SonicPoint Deployment Best Practices Guide at https://support.software.dell.com/.

Topics:

•	Prerequisites

•	Tested Switches

•	Wiring Considerations

•	Site Survey and Planning

•

Channels

•

PoE

•	Spanning-Tree

•	VTP and GVRP

•	Port-Aggregation

•	Broadcast Throttling/Broadcast Storm

•	Speed and Duplex

•	Troubleshooting Older SonicPoints

•	Virtual Access Point (VAP) Issues

Prerequisites

The following are required for a successful SonicPoint deployment:

•	SonicOS requires public Internet access for the UTM appliance to download and update the SonicPoint firmware images. If the device does not have public Internet access, you will need to obtain and download the SonicPoint firmware manually.

•	One or more Dell SonicWALL SonicPoint wireless access points.

•	If you are using a PoE switch to power the SonicPoint, it must be one of the following:

•	An 802.3at compliant Ethernet switch for SonicPoint AC/N2

•	An 802.3af compliant Ethernet switch for other SonicPoint models

•	Vendor-specific switch programming notes can be found towards the end of this section for HP, Cisco, Dell, and D-Link. If not, you will need to use the power adapter that ships with the SonicPoint or SonicWALL’s PoE Injector. See the SonicWALL Power over Ethernet (PoE) Injector User’s Guide.

•	It is strongly recommended you obtain a support contract for your Dell SonicWALL network security appliance as well as the PoE switch. The contract allows you to update to new versions if issues are found on the switch side, on the firewall side, or when new features are released.

•	Be sure do conduct a full site survey before installation (see Site Survey and Planning ).

•	Check wiring and cable infrastructure to verify that end-to-end runs between SonicPoints and the Ethernet switches are CAT5, CAT5e, or CAT6.

•	Check building codes for install points, and work with the building’s facilities staff, as some desired install points may violate regulations.

Tested Switches

•	Most Cisco switches work well; however, SonicWALL does not recommend deploying SonicPoints using the Cisco Express switch line.

•	SonicWALL does not recommend deploying SonicPoints using Netgear PoE switches.

•	If you are using D-Link PoE switches, you will need to shut off all their proprietary broadcast control and storm control mechanisms, as they will interfere with the provisioning and acquisition mechanisms in the SonicPoint (see PoE regarding this).

•	Dell – make sure to configure STP for fast start on SonicPoint ports.

•	Extreme – make sure to configure STP for fast start on SonicPoint ports.

•	Foundry – make sure to configure STP for fast start on SonicPoint ports.

•	HP ProCurve – make sure to configure STP for fast start on SonicPoint ports.

Wiring Considerations

•	Make sure wiring is CAT5, CAT5e, or CAT6 end to end.

•	Due to signaling limitations in 802.3af, and 802.3at for SonicPoint AC appliances, Ethernet cable runs should not extend over 100 meters between the PoE switch and the SonicPoint.

•	You will need to account for PoE power loss as the cable run becomes longer; this can be up to 16 percent. For longer cable runs, the port will require more power to be supplied.

Site Survey and Planning

•

Conduct a full site walk of all areas where SonicPoints will be deployed with a wireless spectrum scanner. Note any existing access points (APs) and the channels they are broadcasting on. SonicWALL currently recommends using Fluke or AirMagnet products to conduct full site surveys. You may also wish to try out NetStumbler/MiniStumbler, which while free does a decent job of surveying, providing it works with your wireless card.

•

Blueprints of floor plans are helpful; here you can mark the position of APs and the range of the wireless cell. Make multiple copies of these as the site-survey results may cause the original design not to be the best and a new start will be needed. Also, you see where walls, halls, and elevators are located, which can influence the signal. Areas in which users are—and are not—located can be seen. During the site-survey, keep an eye open for electrical equipment that may cause interference (microwaves, CAT Scan equipment, etc.) In area’s were a lot of electrical equipment is placed, also take a look at the cabling being used. In areas with a lot of electrical equipment, also take a look at the cabling being used.

•	Survey three dimensionally, as wireless signals cross over to different floors.

•	Determine where you can locate APs based on power and cabling. Remember that you should not place APs close to metal or concrete walls, and you should put them as close to the ceiling as possible.

•	Use the wireless scanning tool to check signal strengths and noise. Signal-to-noise ratio should at least be 10 dB (minimum requirements for 11 Mbps), however, 20 dB is preferred. Both factors influence the quality of the service.

•	Relocate the APs and re-test, depending of the results of your survey.

•	Save settings, logs and note the location of the APs for future reference.

•

When using older SonicPoint models, if you find that certain areas, or all areas, are saturated with existing overlapping 802.11b/g channels, you may wish to deploy SonicPoints using the 802.11a radio. This provides a much larger array of channels to broadcast on, although the range of 802.11a is limited, and the SonicPoint does not allow for the addition of external antennas.

•

When planning, make sure you note the distance of cable runs from where the SonicPoint will be mounted; this must be no more than 100 feet. If you are not using PoE switches, you will also need to consider a power adapter or PoE injector for the SonicPoint. Make sure you are not creating an electrical fire hazard.

•	Be wary of broadcasting your wireless signal into areas that you do not control; check for areas where people might be able to leach signal and tune the SonicPoints accordingly.

•	For light use, you can plan for 15-20 users for each SonicPoint. For business use, you should plan for 5-10 users for each SonicPoint.

•	Plan accordingly for roaming users—this will require tuning the power on each SonicPoint so that the signal overlap is minimal. Multiple SonicPoints broadcasting the same SSID in areas with significant overlap can cause ongoing client connectivity issues.

•	Use the scheduling feature in SonicOS to shut off SonicPoints when not in use—it’s recommended that you do not operate your SonicPoints during non-business-hours (off nights and weekends).

Channels

The default setting of SonicPoints is auto-channel. When this is set, at boot-up the SonicPoint will do a scan to check if there are other wireless devices transmitting. Then, it will try to find an unused channel to use for transmission. Especially in larger deployments, this process can cause trouble. In large deployments, it is recommended to assign fixed channels to each SonicPoint. A diagram of the SonicPoints and their MAC Addresses helps to avoid overlaps. It is recommended is to mark the location of the SonicPoints and MAC Addresses on a floor-plan.

Wireless Card Tuning

If you are experiencing connectivity issues with laptops, check to see if the laptop has an Intel embedded wireless adapter. The following Intel chip sets are publicly known and acknowledged by Intel to have disconnect issues with third-party wireless access points:

•	Intel PRO/Wireless 2100 Network Connection

•	Intel PRO/Wireless 2100A Network Connection

•	Intel PRO/Wireless 2200BG Network Connection

•	Intel PRO/Wireless 2915ABG Network Connection

•	Intel PRO/Wireless 3945ABG Network Connection

These wireless cards are provided to OEM laptop manufacturers and are often rebranded under the manufacturers name—for example, both Dell and IBM use the above wireless cards, but the drivers are branded under their own name.

To identify the adapter, go to Intel’s support site and do a search for Intel Network Connection ID Tool. Install and run this tool on any laptop experiencing frequent wireless disconnect issues. The tool will identify which Intel adapter is installed inside the laptop.

After you have identified the Intel wireless adapter, go to Intel’s support site and download the newest software package for that adapter—it is recommended that you download and install the full Intel PRO/Set package and allow it to manage the wireless card, instead of Windows or any OEM-provided wireless network card management program previously used. SonicWALL recommends that you use version 10.5.2.0 or newer of the full Intel PRO/Set Wireless software driver/manager.

Be sure to use the Intel wireless management utility and to disable Microsoft’s Wireless Zero Config management service—the Intel utility should control the card, not the OS.

In the Advanced section, disable the power management by clearing the checkbox next to Use default value, then move the slider under it to Highest. This instructs the wireless card to operate at full strength and not go into sleep mode. When you are done, click on the OK button to save and activate the change. Reboot the laptop.

In the Advanced section, adjust the roaming aggressiveness by clearing the checkbox next to Use default value, then move the slider under it to Lowest. This instructs the wireless card to stay stuck to the AP it’s associated with as long as possible, and only roam if the signal is significantly degraded. This is extremely helpful in environments with large numbers of access points broadcasting the same SSID. When you are done, click on the OK button to save and activate the change. Reboot the laptop.

If you continue to have issues, you may also try adjusting the Preamble Mode on the wireless card. By default the Intel wireless cards above are set to auto. All SonicWALL wireless products by default are set to use a Long preamble, although this can be adjusted in the Management GUI. To adjust the Intel wireless card’s preamble setting, go to the Advanced section and clear the checkbox next to Use default value, then select Long Tx Preamble from the drop-down menu below it. When you are done, click on the OK button to save and activate the change. Reboot the laptop.

PoE

Long cable runs cause loss of power; 100-meter runs between SonicPoint and PoE switch may incur up to 16 percent power/signal degradation; because of this, the PoE switch needs to supply more power to the port to keep the SonicPoint operational.

SonicPoint ACe/ACi/N2

Full 802.3at compliance is required on any switch supplying PoE to SonicPoint ACe/ACi/N2. Do not operate SonicPoints on non-compliant switches as Dell SonicWALL does not support it.

Turn off pre-802.3at-spec detection as it may cause connectivity issues.

SonicPoint ACs (Type 1) can be set to Class 0, 1, 2, or 3 PD. SonicPoint ACs (Type 2) are set to Class 4 PD. The minimum and maximum power output values are as follows:

•	Type 1, Class 0 PD uses 0.5 W minimum to 15.4 W maximum

•	Type 1, Class 1 PD uses 0.5 W minimum to 4.0 W maximum

•	Type 1, Class 2 PD uses 4.0 W minimum to 7.0 W maximum

•	Type 1, Class 3 PD uses 7.0 W minimum to 15.4 W maximum

•	Type 2, Class 4 PD uses 15.4 W minimum to 30 W maximum

 

IMPORTANT: A mismatch in Class will cause confusion in the handshake and reboot the SonicPoint.

Ensure each SonicPoint AC/SonicPoint N2 is guaranteed to get 25 watts.

Be particularly careful to ensure all PoE switches can provide a minimum of 25 watts of power to each of its PoE ports. For example, a port that supports a SonicPoint ACs or SonicPoint N2 needs 25 watts of power. If a switch cannot guarantee each port 25 watts to each port, an external redundant power supply must be added. You need to work closely with the manufacturer of the PoE switch to ensure that enough power is supplied to the switch to power all of your PoE devices.

Legacy and SonicPoint N/Ni/Ne/NDR

Legacy SonicPoints and SonicPoint N/Ni/Ne/NDR are set to Class 0 PD, which uses 0.44W minimum up to 12.95W maximum power.

Full 802.3af compliance is required on any switch supplying PoE to legacy SonicPoints and SonicPoint N/Ni/Ne/NDR. Do not operate SonicPoints on non-compliant switches as Dell SonicWALL does not support it.

Turn off pre-802.3af-spec detection as it may cause connectivity issues.

Ensure each port can get 10 watts guaranteed, and set the PoE priority to critical or high.

Spanning-Tree

When an Ethernet port becomes electrically active, most switches by default will activate the spanning-tree protocol on the port to determine if there are loops in the network topology. During this detection period of 50-60 seconds, the port does not pass any traffic—this feature is well-known to cause problems with SonicPoints.

If you do not need spanning-tree, disable it globally on the switch, or disable it on each port connected to a SonicPoint device. If this is not possible, check with the switch manufacturer to determine if they allow for fast spanning-tree detection, which is a method that runs spanning-tree in a shortened time so as to not cause connectivity issues. Refer to Sample Dell switch configuration (per interface) for programming samples on how to do this.

VTP and GVRP

Turn these trunking protocols off on ports connected directly to SonicPoints as they have been known to cause issues with SonicPoints, especially the high-end Cisco Catalyst series switches.

Port-Aggregation

•	Many switches have port aggregation turned on by default, which causes a lot of issues. Port aggregation should be deactivated on ports connected directly to SonicPoints.

•	PAGP/Fast EtherChannel/EtherChannel should be turned off on the ports going to SonicPoints.

•	LACP should be turned off on the ports going to SonicPoints.

Broadcast Throttling/Broadcast Storm

This feature is an issue on some switches, especially D-Link. Disable on per port basis if possible, if not, disable globally.

Speed and Duplex

•	At present, auto-negotiation of speed and duplex is the only option for SonicPoints.

•	Locking speed and duplex on the switch and rebooting the SonicPoint may help with connectivity issues.

•	Check the port for errors, as this is the best way to determine if there is a duplex issue (the port will also experience degraded throughput).

Virtual Access Point (VAP) Issues

Only VLAN-supported SonicWALL platforms can offer VAP features for existing releases. Each SSID should be associated with the unique VLAN ID to segment traffic in different broadcast domains. SDP/SSPP protocol packets must be untagged before reaching SonicWALL WLAN interface or SonicPoint.

The switch between the Dell SonicWALL network security appliance and the SonicPoint must be configured properly to allow both untagged SDP/SSPP traffic and tagged traffic with VLAN ID for each VAP SSID.

If at all possible assign each VAP to its own VLAN/Security Zone—this will provide maximum security and, although not explicitly required for PCI compliance, puts you solidly in the "green" zone.

NOTE: If you use VLANs, do not use the parent interface and do not use the default VLAN.

Troubleshooting

•

When creating a Wireless zone and interface, make sure to configure the interface for the number of SonicPoints you wish to support—new interfaces are set to No SonicPoints by default. If you do not do this, the UTM appliance will not create the necessary DHCP scope and will not acquire any SonicPoints added to the interface.

•	If you added SonicPoints and only a certain number were detected and acquired, check interface settings as noted above, as it might be set for too few SonicPoints.

•

If throughput seems sluggish, check to see how many SonicPoints you have on an interface — in large deployments it’s advisable to spread them across more than one. Try to limit the interfaces to a 4-to-1 oversubscription ratio. For example, if you have a 100Mbps, you can safely attach up to 20 SonicPoints to it and expect reasonable performance.

•	The throughput speed on SonicPoints can vary and is limited by the specifications found in the IEEE 802.11 standards: 802.11a/b/g/n/ac.

•	Make sure your security zone (the default WLAN, or your own custom wireless zone) has the right settings—they might be blocking traffic for various reasons.

•	If the SonicPoints are not being acquired, check the DHCP scopes; they might be off or missing entirely.

•	Stuck in provisioning mode? Unplug, clear the profile configuration, reboot, and plug back in.

•	For a SonicPoint to be discovered and provisioned, the Dell SonicWALL network security appliance must be connected to the Internet.

•	On older model SonicPoints, it is NOT advisable to use the same SSID for the 802.11bg and the 802.11a radios, as clients with tri-band cards might experience disconnect issues—name them separately.

•	If a SonicPoint cannot find a Dell SonicWALL network security appliance, you might have issues as all of the SonicPoints revert to the same default IP address of 192.168.1.20/24.

•

When troubleshooting wireless issues, logging, Syslog, and SNMP are your friends—SonicWALL’s Global Management System (GMS) package can centralize all of these for all of your SonicWALL devices, regardless of location. A free alternative is Kiwi’s Syslog Server that can accept Syslog streams and SNMP traps from all SonicWALL UTM appliances. The most current version can be found here: http://www.kiwisyslog.com/

•	Check the network cabling: Is shielded or unshielded TP cable being used?

Troubleshooting Older SonicPoints

If you have an older SonicPoint and it’s consistently port flapping, doesn’t power up at all, is stuck reboot cycling, or reports in the GUI as stuck in provisioning, check to see if you are running a current version of the firmware and the Dell SonicWALL network appliance has public internet access. You may need a newer SonicPoint.

Resetting the SonicPoint

The SonicPoint has a reset switch inside a small hole in the back of the unit, next to the console port. You can reset the SonicPoint at any time by pressing the reset switch with a straightened paperclip, a tooth pick, or other small, straight object.

The reset button resets the configuration of the mode the SonicPoint is operating in to the factory defaults. It does not reset the configuration for the other mode. Depending on the mode the SonicPoint is operating in, and the amount of time you press the reset button, the SonicPoint behaves in one of the following ways:

•	Press the reset button for at least three seconds, and less than eight seconds with the SonicPoint operating in Managed Mode to reset the Managed Mode configuration to factory defaults and reboot the SonicPoint.

•	Press the reset button for more than eight seconds with the SonicPoint operating in Managed Mode to reset the Managed Mode configuration to factory defaults and reboot the SonicPoint in SafeMode.

Switch Programming Tips

Topics:

•	Sample HP ProCurve switch commands (per-interface)

•	Sample Dell switch configuration (per interface)

•	Sample D-Link switch configuration

Sample HP ProCurve switch commands (per-interface)

•	name ‘link to SonicPoint X’

•

no lacp

•

no cdp

•	power critical

•	no power-pre-std-detect (note: global command)

•	speed-duplex 100-half (note: only if you are seeing FCS errors)

•	spanning-tree xx admin-edge-port (note: replace xx with port number)

•	mdix-mode mdix

Sample Dell switch configuration (per interface)

•	spanning-tree portfast

•	no back-pressure

•	no channel-group

•	duplex half (note: only if you are seeing FCS errors)

•

speed 100

•	no flowcontrol

•	no gvrp enable

•	no lldp enable

•

mdix on

•

mdix auto

•	no port storm-control broadcast enable

Sample D-Link switch configuration

The D-Link PoE switches do not have a CLI, so you will need to use their web GUI.

NOTE: If you are using multicast in your environment, check with D-Link for the recommended firmware version.

Disable spanning-tree, broadcast storm control, LLDP and the Safeguard Engine on the switch before adding SonicPoints to the switch, as all may impact their successful provisioning, configuration, and functionality.