Wireless intrusion prevention: the very name brings to mind security. But many WIPS products can also be used to monitor WLAN performance, providing valuable insight for troubleshooting, service assurance, fine-tuning and usage planning. How can you leverage your WIPS get more from your WLAN?
WLAN performance analysis and tools
There are many occasions to analyze a WLAN's performance, from initial design and debugging newly-installed devices to optimizing coverage and planning expansions. Many tools can prove helpful during this lifecycle, including site survey tools, RF planners, spectrum analyzers and wireless traffic analyzers.
A wireless traffic analyzer is essential for capturing and decoding 802.11 traffic, then reassembling packets into associations and RF device relationships. An analyzer helps you understand what's happening under your WLAN's hood, at a specific location, during a finite period. But there will also be times where you need to step back and see a broader picture of WLAN traffic, gathered over a longer stretch of time. This is where your WIPS can help.
A WIPS monitors an entire WLAN, forwarding traffic summaries, captured by distributed sensors, to a central server. Those summaries are aggregated, correlated and analyzed for security events. The resulting alerts may be displayed, forwarded to another system or logged in a database for future reference. Of course, these summaries can also be used to monitor WLAN performance.
WIPS performance analysis and alert capabilities vary, but here is a sampling of performance alerts that your WIPS may be capable of monitoring:
- AP overloaded by stations
- Channel overloaded by APs or traffic
- Excessive management overhead
- Constant traffic sent/received by client
- Improper or inconsistent AP configuration
- Simultaneous PCF/DCF operation
- AP power save DTIM violation
- 802.11n AP not using protection near 802.11g AP
- 802.11g AP incorrectly offering short time slot
- QoS disabled on 802.11n AP
- 40 MHz channel detected in 2.4 GHz band
- AP offering non-standard data rates
- Excessive retries or CRC errors
- Excessive roaming or re-association
- Excessive low-speed transmission
- Excessive fragmentation
- Hidden station detected
- Radar interference detected
- Channel with high noise level
Some alerts suggest possible configuration errors (e.g., protection), while others indicate potential implementation errors (e.g., DTIM violation, 40 MHz channel use) that can degrade performance. Alerts that pertain to overloading or RF interference may be resolved through WLAN expansion or channel re-assignment. Alerts that are based on thresholds may require tuning, using baseline measurements that reflect what is "normal" for your WLAN (e.g., anticipated number of stations per AP, typical channel utilization). You will want to disable any WIPS alerts that are not relevant for your WLAN (e.g., 2.4 GHz 802.11b/g alerts if you use only 802.11a/n at 5 GHz).
A WIPS sensor in scan mode may spot performance problems, but diagnosis may require a more comprehensive traffic sample. To facilitate this, many WIPS are capable of using a remote sensor to create a traffic capture file. Results can usually be imported into a wireless traffic analyzer for detailed review.
Troubleshooting often requires active tools. For example, AirMagnet Enterprise lets you drill-down from a WIPS console to a remote sensor, where you can associate to a target AP and run network diagnostic tools like ping and traceroute. You can also watch near-real-time channel performance graphs that plot signal strength, noise, CRC errors, retries, utilization, etc, just as though you were running AirMagnet Laptop at the sensor's location.
Investigation from a central location can be a time-saver, but some performance problems still require on-site investigation, using a mobile wireless analyzer. Integration between your WIPS and wireless analyzer can speed investigation by starting from what you've already learned. For example, Aruba Networks RFprotect Mobile can share information with RFprotect Distributed, so that on-site readings taken by Mobile can be fed back into Distributed's database, creating one consolidated "noise map" for a given location.
Ultimately, your goal is not just to spot potential performance problems, but to fix them. In WLANs that support mission critical applications, rapid response to performance problems can play an essential role in network service assurance. To that end, your WIPS may provide recommended actions for a given alert or test result. For example, AirTight Enterprise includes a knowledge-based troubleshooting wizard to help you solve client performance problems.
Information gathered by a WIPS also creates a history database that can be used for health reporting and capacity planning. WIPS performance reports may include top 10 APs with performance alerts, number of active stations plotted over time, spectrum usage and performance summaries, and performance alert trends by type, location, or device.
For example, the top 10 report may call your attention to a troubled AP. Trending performance alerts for that AP may show whether problems are new, intermittent, or increasing. Drilling down into recent and past alerts can also show whether thresholded values like utilization or errors are holding steady. Examining alerts for other APs in the same location may help to differentiate between a single failing device and environmental conditions that affect every AP in the area. On the other hand, comparing alerts for similar APs across multiple sites can suggest performance problems caused by a particular product, firmware version, or configuration option.
A WIPS is designed primarily to monitor and respond to monitored events. When it comes to performance management, a WIPS will not replace your handy wireless traffic analyzer. But a WIPS can complement a mobile analyzer's deep, focused view by offering a broader perspective on performance problems. Those responsible for large enterprise WLANs may prefer to invest in a distributed network traffic analysis platform like WildPackets OmniPeek or Network Instruments Network Observer Expert. Such products enable traffic monitoring for all kinds of networks (including WLANs), with application-level protocol analysis and reporting.
This was first published in July 2009