Difference between revisions of "Manual:CAPsMAN tips"

From MikroTik Wiki
Jump to: navigation, search
(Initial commit)
 
(Initial commit)
Line 32: Line 32:
  
 
===VLAN interfaces and bridge===
 
===VLAN interfaces and bridge===
When dealing with VLAN interfaces and bridge interfaces be careful not to configure invalid Layer 2 configuration. One of the common mistakes is putting VLAN interfaces as bridge ports. VLAN interfaces should not be added to bridges as bridge ports. However, you can make VLAN interfaces on a bridge interface.
+
When dealing with VLAN interfaces and bridge interfaces be careful not to configure invalid Layer 2 configuration. One of the common mistakes is putting VLAN interfaces as bridge ports. VLAN interfaces should not be added to bridges as bridge ports. However, you can make VLAN interfaces on a bridge interface. Also, keep your configuration as simple as possible, it will be more stable and easier to debug.
  
 
'''Wrong:'''
 
'''Wrong:'''
Line 49: Line 49:
 
Please go through other [[ Manual:Layer2_misconfiguration | common Layer 2 misconfiguration issues ]].
 
Please go through other [[ Manual:Layer2_misconfiguration | common Layer 2 misconfiguration issues ]].
  
# Todo:
+
===Multiple SSIDs===
  
* Access list with the signal strength limit
+
In CAPsMAN networks, it is common to use multiple SSIDs (slave/virtual APs) for different users, like "OFFICE", "GUEST", "MANAGEMENT", "WAREHOUSE" etc. Although, maximum theoretical count for slave access points on one master interface is 32, creating many slave interfaces can decrease the overall performance of access point. It is due to that each slave access point must act as a separate access point and has to send its own control frames like beacons and others. So available air time with each slave access point decreases. One option to separate access point users in different networks is to use WPA2-EAP and help of RADIUS and different VLANs.
* Lower tx-power
 
* Bridge mac-address
 
* VLAN interfaces in the bridge
 
* CAPsMAN static interfaces cannot be changed with configuration changes
 
* Multiple virtual interfaces
 

Revision as of 12:13, 28 June 2019

Limit clients with low signal strength in the access list

Clients with low signal strength can bring wireless performance down for all clients. If you have good coverage of access points to prevent clients with low signal strengths from connecting you use the access list.

Access list rules are evaluated in list order from the top until a suitable rule is met. For the client to be dropped by access list when it leaves the access point's zone, the client must be accepted by access list rule with signal strength. First, add a rule that accepts clients with good signal strength, then add a rule that rejects other clients.

/caps-man access-list
add action=accept signal-range=-70..120
add action=reject

Decrease TX power

In order to motivate clients to connect to the closest controlled access point (CAP), it is advised to decrease TX power. This will encourage wireless clients (phones, laptops, etc.) to connect to the closest CAP with the strongest signal. This can result in better wireless performance. It is possible to change TX power for Channel configuration, Configuration profile or for CAP Interface.

/caps-man channel set 0 tx-power=10
/caps-man configuration set 0 channel.tx-power=10
/caps-man interface set 0 channel.tx-power=10

Bridge set MAC address

Sometimes a problem arises if bridge which is used for CAPsMAN interfaces has automatic MAC address. It is always advised to set MAC address of bridge to static one. It will help to prevent loops and issues with CAPsMAN and CAP connection. Please check that your bridge interfaces have manually set MAC addresses. You can set MAC address of bridge the same as one of Ethernet interfaces that are added to this bridge as a port. Note that changing MAC address can break your setup, therefore, think through before you do it.

/interface bridge set 0 auto-mac=no admin-mac=XX:XX:XX:XX:XX:XX

VLAN interfaces and bridge

When dealing with VLAN interfaces and bridge interfaces be careful not to configure invalid Layer 2 configuration. One of the common mistakes is putting VLAN interfaces as bridge ports. VLAN interfaces should not be added to bridges as bridge ports. However, you can make VLAN interfaces on a bridge interface. Also, keep your configuration as simple as possible, it will be more stable and easier to debug.

Wrong:

/interface vlan add interface=ether1 vlan-id=10 name=CAPsMAN_vlan_10
/interface bridge add name=CAPsMAN_bridge auto-mac=no admin-mac=64:D1:54:BD:88:08
/interface bridge port add interface=CAPsMAN_vlan_10 bridge=CAPsMAN_bridge

Right:

/interface bridge add name=CAPsMAN_bridge auto-mac=no admin-mac=64:D1:54:BD:88:08
/interface bridge port add interface=ether1 bridge=CAPsMAN_bridge
/interface vlan add interface=CAPsMAN_bridge vlan-id=10 name=CAPsMAN_vlan_10

Please go through other common Layer 2 misconfiguration issues .

Multiple SSIDs

In CAPsMAN networks, it is common to use multiple SSIDs (slave/virtual APs) for different users, like "OFFICE", "GUEST", "MANAGEMENT", "WAREHOUSE" etc. Although, maximum theoretical count for slave access points on one master interface is 32, creating many slave interfaces can decrease the overall performance of access point. It is due to that each slave access point must act as a separate access point and has to send its own control frames like beacons and others. So available air time with each slave access point decreases. One option to separate access point users in different networks is to use WPA2-EAP and help of RADIUS and different VLANs.