Introduction
This document explains the recommended configuration of Cambium Networks Access Points (APs) and the external network to facilitate seamless roaming of wireless clients across the APs. Additionally, it recommends network best practices to minimize the processing of broadcast and multicast packets in the network.
External network recommendation
Cambium Access Points (APs) work in distributed architecture mode. It is important to facilitate AP-to-AP communication for seamless roaming of wireless clients. Access Points use the Cambium proprietary XRP protocol to exchange client information with the neighboring APs.
- The intermediate network switches to which APs are connected shall not block XRP messages.
XRP message packet information:
- Source MAC: AP's Ethernet MAC
- Destination MAC: Ethernet broadcast
- Source IP Address: AP's exit interface IP address
- Destination IP Address: 255.255.255.255 (broadcast IP address)
- Protocol: UDP with a random Source Port and a fixed Destination Port
(Wireshark snapshot of an XRP message.)
- APs send XRP messages on the Ethernet port's native VLAN.
- All the APs need to be part of the same native VLAN.
- It is important to ensure APs have an L3 interface for the native VLAN with a valid IP address.
Access Point WLAN profile configuration recommendation
If the WLAN profile is configured with WPA2 and WPA3 security, it is recommended to enable:
- 802.11r fast roaming and
- OKC
Some clients make use of the 802.11k and 802.11v protocols for fast roaming, so these can be enabled as well.
Enable client isolation with the Network Wide option to prevent clients from communicating with other clients on the same L2 network.
Note: From AP firmware version 6.6.0.2 onwards, the AP drops ARP packets when the client isolation feature is enabled. APs running a firmware version lower than 6.6.0.2 can make use of the client-isolation dynamic drop-arp CLI command from the AP group User-Defined Overrides section.
AP group profile configuration recommendations
- To avoid sticky client issues, enable Enhanced Roaming under AP group → RADIO configuration and set the SNR threshold to 15 dBm.
- In large public Wi-Fi and campus deployments, it is very common to see a large number of network discovery protocol packets, such as mDNS, LLMNR, SSDP and other service discovery packets, coming from the wireless clients. It is recommended to disable these packets using “Access Control Policy.”
- If IPv6 is not a requirement, it is recommended to disable IPv6 packets from the wireless clients using “Access Control Policy.”
- It is recommended to use “Air Cleaner Rules”:
  - To prevent unauthorized rogue DHCP servers from the wireless clients.
  - To prevent unwanted DHCP client packets from the wired network side.
  - To drop L2 broadcast packets.
  - To drop IPv4 and IPv6 multicast packets.
  - To drop ARP discovery packets from one SSID to another SSID interface.
- It is recommended to disable mDNS packets in the default Air Cleaner rules.
  Note: Allow mDNS packets to enable the Bonjour discovery service to work.
- Sample AP group policy with the Air Cleaner Rules:
  (cnMaestro screenshot of the Air Cleaner rule with drop mDNS packets; add new rules to drop LLMNR, SSDP, Dropbox, IPv6, etc.)
User-defined rule for blocking IPv6 traffic and allowing the rest of the traffic:
!
filter global-filter
filter precedence 14
enable
layer3-filter deny proto6 any any any any any any //BLOCK IPv6 TRAFFIC
exit
filter precedence 15
enable
layer3-filter permit ip any/any any/any any //ALLOW TRAFFIC
exit
!
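To gauge how much client traffic the discovery-protocol, IPv6, broadcast and multicast recommendations above would affect before enabling them, the following added example (not Cambium code) classifies raw Ethernet frames using the well-known multicast groups and UDP ports of mDNS, LLMNR and SSDP. The function names are hypothetical and the sample frames are constructed.

```python
import struct
from collections import Counter

# (destination group, UDP port) for the discovery protocols the page names.
DISCOVERY = {("224.0.0.251", 5353): "mDNS", ("224.0.0.252", 5355): "LLMNR",
             ("239.255.255.250", 1900): "SSDP"}
BCAST = b"\xff" * 6

def classify(frame: bytes) -> str:
    """Categorise one untagged Ethernet II frame (hypothetical helper)."""
    if len(frame) < 14:
        return "malformed"
    dst_mac, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x86DD:
        return "IPv6"
    if ethertype != 0x0800:                       # ARP and other non-IP frames
        return "L2 broadcast" if dst_mac == BCAST else "other"
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4 or (ip[0] & 0x0F) < 5:
        return "malformed"
    ihl = (ip[0] & 0x0F) * 4
    dst_ip = ".".join(map(str, ip[16:20]))
    first_fragment = (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) == 0
    if ip[9] == 17 and first_fragment and len(ip) >= ihl + 8:  # UDP header present
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        if (dst_ip, dport) in DISCOVERY:
            return DISCOVERY[(dst_ip, dport)]
    if dst_mac == BCAST:
        return "L2 broadcast"
    return "IPv4 multicast" if 224 <= ip[16] <= 239 else "other"

def build_udp(dst_mac: str, dst_ip: str, dport: int) -> bytes:
    """Constructed sample: minimal Ethernet/IPv4/UDP frame, checksums zeroed."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex("020000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 50]), bytes(map(int, dst_ip.split("."))))
    return eth + ip + struct.pack("!HHHH", 49152, dport, 8, 0)

SAMPLES = [  # constructed frames standing in for a client-side capture
    build_udp("01005e0000fb", "224.0.0.251", 5353),      # mDNS
    build_udp("01005e0000fc", "224.0.0.252", 5355),      # LLMNR
    build_udp("01005e7ffffa", "239.255.255.250", 1900),  # SSDP
    build_udp("ffffffffffff", "255.255.255.255", 67),    # DHCP discover
    build_udp("01005e000001", "224.0.0.1", 9999),        # other multicast
    bytes.fromhex("333300000001020000000001" "86dd") + bytes(40),  # IPv6
]

def summarize(frames) -> Counter:
    return Counter(classify(f) for f in frames)
```

Calling summarize(SAMPLES) returns per-category counts; real frames from a capture can be passed in the same way as raw bytes.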