Is there a limit to the number of wireless clients per subnet/SSID/VLAN

  • Question
  • Updated 5 years ago
  • Answered
Hello Aerohive community,

I have had a technician from another company come and help us with an upgrade of our switch network and they noticed our Aerohive APs. They suggested that there is a limitation to how many wireless clients can be on a single subnet before broadcasts slow network performance. He was very concerned that we were using more than a class C network for wireless clients.

Does Aerohive have a limitation on wireless subnets like Aruba, Xirrus and other wireless access point providers? Or does Aerohive have a mechanism to overcome this limitation?

We are using 192.168.x.x/19 subnet for wireless clients.
Michael Drummond

Posted 5 years ago

Crowdie, Champ
In the appropriate radio profile you can limit the number of stations (clients) that can associate to a single radio:

As with all subnets, the larger you make it the more overhead occurs - this is not just a wireless issue. How much broadcast traffic do you see heading from wireless clients to the switching infrastructure? Remember that "airside only" 802.11 frames, such as beacons, are not converted into 802.3 Ethernet frames and bridged onto the switching infrastructure.
Michael Drummond
Hello Crowdie,

We have not yet looked at wireless overheads and thought someone on this forum would be able to explain if there is a limitation. We have not experienced any network lag from a wireless perspective. (Currently around 700 college-owned wireless devices using the one subnet; it is a /22, not /19 as stated above.) We are trying to future-proof the network for when we allow students to bring their own devices next year (expecting around 2,000 devices).

I understand that I can limit stations per radio. But I have 60 APs that can all associate clients to the same subnet. What happens when clients can detect other APs, or when a system on the cabled network broadcasts to find where the wireless client is?

Does that mean it is best practice/your recommendation to only allow 100 stations per subnet? Or is this the mechanism that reduces the overheads?
Crowdie, Champ
Ethernet networks are very, very different to wireless networks and, hence, they work very differently. Therefore, you have to look at this problem in two parts:

1. Will the wireless network handle 2,000 associated clients? This is about radio channel use, access point density, QoS, load balancing, etc.

2. Will the Ethernet network handle 2,000 wireless devices? This is about IP addressing, switching infrastructure capacity, QoS, server loads, etc.

You can't look at one part without the other.

If the wireless network can handle the 2,000 concurrent devices then you need to start looking at the Ethernet network. I have spoken to some of our Ethernet engineers and they have advised that, assuming the subnet is going to be populated heavily, the biggest subnet you should use for your requirement is a /23.

As you are an educational facility can you break your users up into a logical group (maybe different group membership in AD or a different Private PSK local user group) and assign a unique /24 or /23 subnet to each logical group?
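The sizing rule in this reply (no wireless VLAN wider than a /23, one subnet per logical user group) is easy to get wrong by hand once there are several groups and a growth allowance. The following Python script is an added example, not code from the thread or from Aerohive: it carves per-group subnets out of the 192.168.x.x/19 parent block from the question and rejects any group that would need a block wider than /23. The group names and head-counts are constructed for illustration, and the 25% growth headroom and the three reserved addresses per subnet (network, broadcast, gateway) are assumptions of the example.

```python
"""Per-group wireless VLAN planner (added example, not from the thread).

Models the sizing rule the replies converge on: keep each wireless VLAN at
/23 or narrower and give each logical user group its own subnet, carved
out of the existing parent block. Group names and head-counts below are
constructed for illustration; the /19 parent follows the original question.
"""
import ipaddress
import math

WIDEST_ALLOWED_PREFIX = 23   # /23 (510 usable hosts) is the widest VLAN advised in the thread
RESERVED_ADDRESSES = 3       # network, broadcast and default gateway (assumption)


def usable_hosts(prefix):
    """Usable addresses in a /prefix block once network and broadcast are removed."""
    return 2 ** (32 - prefix) - 2


def prefix_for(clients, headroom=1.25):
    """Narrowest prefix whose usable hosts cover ``clients`` plus ``headroom`` growth.

    Examples: 200 clients -> /24, 400 -> /23, 700 -> /22.
    """
    needed = math.ceil(clients * headroom) + RESERVED_ADDRESSES
    host_bits = max(2, math.ceil(math.log2(needed)))
    return 32 - host_bits


def needs_split(clients, headroom=1.25, widest=WIDEST_ALLOWED_PREFIX):
    """True when a single subnet for this group would be wider than ``widest``."""
    return prefix_for(clients, headroom) < widest


def plan_vlans(parent, groups, headroom=1.25, widest=WIDEST_ALLOWED_PREFIX):
    """Allocate one subnet per group, largest group first, from ``parent``.

    Returns {group: "a.b.c.d/p"}. Raises ValueError if a group needs a
    subnet wider than ``widest`` (split that group, as the thread suggests
    for BYOD) or if the parent block runs out of space.
    """
    parent_net = ipaddress.ip_network(parent)
    allocated = []
    plan = {}
    # Largest groups first so the power-of-two blocks pack without gaps.
    for name, clients in sorted(groups.items(), key=lambda kv: (-kv[1], kv[0])):
        prefix = prefix_for(clients, headroom)
        if prefix < widest:
            raise ValueError(
                f"{name}: {clients} clients need a /{prefix} "
                f"({usable_hosts(prefix)} hosts); split it to stay within /{widest}")
        # First-fit over the aligned /prefix blocks of the parent.
        for candidate in parent_net.subnets(new_prefix=prefix):
            if not any(candidate.overlaps(used) for used in allocated):
                allocated.append(candidate)
                plan[name] = str(candidate)
                break
        else:
            raise ValueError(f"{parent} exhausted while placing {name}")
    return plan


# Constructed groups in the spirit of the thread's split: college-owned vs
# BYOD, with student BYOD further divided by year group.
GROUPS = {
    "staff-laptops": 200,
    "student-laptops": 400,
    "staff-byod": 150,
    "student-byod-y11": 350,
    "student-byod-y12": 350,
}

if __name__ == "__main__":
    for group, subnet in plan_vlans("192.168.0.0/19", GROUPS).items():
        prefix = int(subnet.split("/")[1])
        print(f"{group:18} {subnet:18} {usable_hosts(prefix)} usable hosts")
    try:
        plan_vlans("192.168.0.0/19", {"all-student-byod": 700})
    except ValueError as err:
        print("rejected:", err)
```

Run as-is, the script places the three 350-400 user groups in /23 blocks and the two smaller groups in /24 blocks, using a /21 of the /19; the single 700-user BYOD group is rejected because it would need a /22, which is exactly the case where the reply suggests splitting by group membership. Keeping each broadcast domain this size also keeps the set of clients that see each other's ARP and discovery traffic correspondingly small.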
Aaron Scott
I've read that Cisco recommends that subnets shouldn't be larger than /23, but I remember reading that Aruba did some testing and recommended a maximum of /22.
Michael Drummond
Our plan was to define between college-owned staff laptops, college-owned student laptops, staff-owned BYOD (iPads, iPhones, etc.) and student-owned BYOD (laptops, iPads, iPhones, etc.), which should bring us down to around 300-700 per subnet. So it sounds like the /24 or /23 should be OK.

When splitting into the logical groups I have assigned different VLANs from 1 SSID, based on RADIUS user groups from AD. Is there any limitation of how many VLANs should be steered from 1 SSID?

I would think that adding more SSIDs to the same AP would be more CPU load and more radio interference on the AP than having a single SSID and steering multiple VLANs.

Should I add more VLANs or more SSIDs? Or a combination of both?

But that brings another question. The AP RADIUS service says to only allow around 20-25 APs to be able to authenticate through an AP RADIUS server.
Would I need 1 or 2 more RADIUS APs?

Do I add RADIUS servers as backup RADIUS or should I configure a second primary RADIUS and use the logical groups to authenticate to separate RADIUS servers?
Crowdie, Champ
> is there any limitation of how many VLANs should be steered from 1 SSID?

In theory only the number of VLANs supported by the edge switches and access points.

> I would think that adding more SSIDs to the same AP would be more CPU load
> and more radio interference on the AP than having a single SSID and steering
> multiple VLANs

As a good rule of thumb don't exceed five SSIDs on a single access point.

> Should I add more VLANs or more SSIDs? Or a combination of both?

As long as the authentication type is the same and the SSID name is relevant I tend to add more VLANs before I add more SSIDs.

That said, my preferred option is to add additional user profiles, which sit between the SSIDs and the VLANs, and this enables you to manipulate the wireless traffic before it hits the switching infrastructure.

> The AP RADIUS service says to only allow around 20-25 APs to be able to
> authenticate through an AP RADIUS server. Would I need 1 or 2 more
> RADIUS APs?

I have a number of sites with around 50-60 access points and I have three access points configured as RADIUS servers.

> Do I add RADIUS servers as backup RADIUS or should I configure a second
> primary RADIUS and use the logical groups to authenticate to separate
> RADIUS servers?

You could break a site into say four physical areas and configure a single access point in each of the four areas to act as a RADIUS server. The other access points in an area would have a RADIUS Proxy setting that points to the access point acting as a RADIUS server in their area and maybe one of the other access points acting as a RADIUS server as a backup.
Michael Drummond
We were told that we should not have more than 200 devices per subnet because the overheads made it impossible to get a good wireless experience.
Nick Lowe, Official Rep
That's far too simplistic a statement to mean anything, and it's simply not true therefore without qualification and metrics.

I think your answer to this company should be: demonstrate it for my environment and use case. I suspect you'll get nothing of the sort.

You appear to be looking for a problem that you probably don't have at all.
Crowdie, Champ
I was once told:

"The biggest threat to a wireless network is a network engineer"

When I first started in IT you could be a "jack of all trades" and know how to build a network, configure servers, configure clients, etc., but those days are gone. There is just too much to know in these fields to be an expert in all of them. If you add in wireless, which is possibly one of the fastest moving technologies at the moment, there is absolutely no chance that you can be an expert in all these fields.

I have had to read some of the comments you have got from your network engineers several times, as they imply that there is always a default effect on the wireless network of changes in the Ethernet network and that this is just always so. A large amount of the wireless network is not affected at all by the Ethernet network. I suspect that your network engineers had not deployed a seriously complicated enterprise wireless network or they wouldn't have made the comments.

Andrew Von Nagy did some excellent presentations on high density wireless design and if you have a look at these you will get a good idea of the world that wireless engineers live in:

Part 1 - Forecasting AP Capacity - https://www.youtube.com/watch?feature=...

Part 2 - RF Planning - https://www.youtube.com/watch?feature=...

Part 3 - WLAN Configuration Best Practices - https://www.youtube.com/watch?feature=...

> We were told that we should not have more than 200 devices per subnet
> because the overheads made it impossible to get a good wireless experience.

Again we need to look at this in two parts:

1. Ethernet Network

A subnet suitable for 200 devices is a class C network, which is commonly used, so I can't see this being an issue.

How much capacity does the Ethernet network have? If it is a small SOHO network then adding 200 wireless devices may be more than it can handle so it may need to be upgraded.

2. Wireless Network

How many of the 200 wireless clients are going to be in which areas? Will they all be in the same room or are they spread out over a campus of several square kilometres?

What device types will be connecting to the wireless network and where? Are they low powered scanners that only need a few Mbps to operate their Telnet client, iOS/Android devices capable of approximately 31 Mbps or are they three spatial stream laptops capable of 450 Mbps?

Which applications will the wireless devices be running? Telnet, Skype, GIS mapping or 1080p video streaming?

There are so many questions to ask when designing a wireless network that a comment that "200 devices per subnet because the overheads made it impossible to get a good wireless experience" is almost impossible to justify without some investigation.
Michael Drummond
I was reading up about wireless overheads and this article was saying packet sniffers may not show the full information about wireless overheads.

Can I use HiveManager to monitor the current overheads of our live environment?

Is there a program you could suggest that we can use?
Crowdie, Champ
If you download the latest version of Wireshark (the most commonly used packet "sniffer") you can capture wireless traffic, but you will notice that it only captures traffic to and from you. It doesn't capture traffic not involving you, or wireless control and management frames, so you must have a specialist 802.11 packet sniffer. Personally I use the AirMagnet WiFi Analyzer tool for packet capturing but a number of people prefer MetaGeek's products.

One very cool application MetaGeek produce is Eye P.A. (http://www.metageek.net/products/eye-pa/) that has a trial version and I would recommend it. For a quick video on the Eye P.A. product have a look at https://www.youtube.com/watch?feature=....

Another option is to use Aerohive's integrated Remote Sniffing functionality:

In order to enable remote capture capability within a HiveAP, follow these steps:

1. SSH to the HiveAP (via an SSH client or via the HM/HMOL integrated SSH client) and log in.
2. Enter the command exec capture remote-sniffer to enable remote sniffing.
3. Additionally, you may enter the following optional commands:

i. exec capture remote-sniffer user username password (if you require un/pw authentication)
ii. exec capture remote-sniffer host-allowed X.X.X.X (if you require that only a specific IP host perform sniffing)
iii. exec capture remote-sniffer local-port port-number (if you require a different port number for sniffing)
iv. exec capture remote-sniffer promiscuous (if you require that the HiveAP capture all traffic that it can hear instead of only the traffic destined to/through the HiveAP itself)

4. When you have completed your sniffing, you should enter the command no exec capture remote-sniffer to disable remote sniffing.

Within HiveManager 6.0 and later you can get some excellent graphs at Dashboard -> Troubleshooting. You can get channel utilization, device errors and retry rates.
Michael Drummond
When I look at the Dashboard, I see retries and errors. These do appear to be very high to me. Is this the overheads that could be minimised by a smaller subnet?

Crowdie, Champ
What data rates have you enabled for the SSIDs broadcast in the 2.4 GHz spectrum? Have you disabled the 1, 2, 5.5 and 11 Mbps data rates?

Subnets are a layer three construct so don't exist on the client's side of the access point (which is a layer two device).

Try to imagine that Ethernet networks speak French and Wireless networks speak Dutch. An access point receives traffic from a wireless device in Dutch, converts it to French and then sends it on to the Ethernet network. The response from the Ethernet network, in French, is translated to Dutch and then sent on to the wireless client.

Therefore an Ethernet subnet cannot affect retry rates on a 802.11 wireless network as the 802.11 wireless network doesn't understand what a subnet is.
Aaron Scott
It may also be worth checking your channel plan and power settings to make sure that these errors are not being caused by CCI or ACI.
Crowdie, Champ
What Aaron means is that you should:

1. Ensure that all your 2.4 GHz radios are on channel 1, 6 or 11 (otherwise you get adjacent channel interference)

2. Ensure that no adjacent access points have 2.4 GHz radios on the same channel (otherwise you get co-channel interference)

3. Check that your 2.4 GHz radios are not so loud that each radio is "shouting over the top" of the other 2.4 GHz radios.
Michael Drummond
I have spent quite a while checking this information.

I have found that the 2.4 GHz radios are set to auto channel, set to rescan every 10 minutes, and can only select 1, 6 or 11. Transmit power is set to 5 under each AP, the max transmit power is set to 10 and Radio Range is set to 300m in the radio profile. This was set up by our Aerohive representative many months ago (12 or more, before I started here) after many hours of spectrum analysis. There are however still adjacent APs on the same channel. Am I better off manually setting the channel? I have seen in my many years of running my own business and helping home users that just because you cannot find an SSID on that channel, the channel may not be clear, and the wireless experience for the user will not be as good when you set it manually. I've seen auto channel work better in most circumstances (depending on how well the channel scan works).

Is the "Deny 802.11b clients" where you disable the 1, 2, 5.5 and 11 Mbps data rates? Or is there another place to disable this? The radio profile mode is set to 11ng.

I assume that lowering the radio transmit power will reduce the shouting over each other. Do you have a typical range in metres in open space for how far the transmit power reaches? I'm assuming that if you have the radio range set at 10000 and transmit power at 1 that it probably won't reach the far limits of the range. If the transmit power was set at 20 and the range set to 300 I would expect a lot of shouting over each other. But we have transmit power set at 5 and the range at 300m (the lowest). Would you suggest dropping the transmit power further?
Crowdie, Champ
> Transmit power is set to 5 under each AP, the max transmit power is set to 10

Are your access points very close to each other, as 5 dBm is a very low transmit power (assuming you are not using a high gain external antenna)?

> There are however still adjacent APs on the same channel. Am I better off
> manually setting the channel?

If your 2.4 GHz channel design is poor then the Aerohive system will be forced to configure adjacent access points on the same channel.

Sometimes I manually configure the 2.4 GHz channels on one or two access points in an area and leave the other access points on automatic channel selection.

> Is the "Deny 802.11b clients" where you disable the 1, 2, 5.5 and 11 Mbps data
> rates?

Yes. It is under "Client Selection" in the radio profile.

> Would you suggest dropping the transmit power further?

I would reconfigure the 2.4 GHz channels before dropping the 2.4 GHz transmit power.

I would also ignore the radio range as it is not what it seems. It is used with long range outdoor access points to increase the ACK timeout period, which can be an issue with long range point to point networks.
Craig Paul Mckeown
It seems that this topic may be getting a little confused. Let me try and offer a little clarity. I work with Mike D who started this topic, and the scenario played out as follows.

We were conducting a large switching network upgrade, replacing all our switching infrastructure new for old, using ProCurve switches. The senior engineer who was doing the upgrade wanted to change our subnet mask. When I was challenging him on how the proposed changes would allow enough addresses for our WiFi VLAN, he was surprised to find that we would ever exceed more than 200 clients in any VLAN.

He was more surprised that it was the WiFi VLAN. He made the statement that best practice is to keep WiFi subnets, or VLANs, below 200. In fact when you have 100 clients in a VLAN, you experience 30% overhead in broadcast traffic. 150 clients and you have 50% overhead. Over 200, you would suffer even more.

He then showed me network documentation for a previous school's network implementation, where, to overcome this, they break each year group up into a separate VLAN, keeping numbers at around 100 per VLAN. They use VLAN steering and an NPS to accomplish this.

So the question is simply: is that true? Should we pursue that? We regularly experience 450+ clients connecting to WiFi in the one subnet, and this will only grow significantly. We don't need to chase a problem that doesn't exist.

Best practice on max clients per WiFi VLAN.... Thoughts, people?
Crowdie, Champ
So the question is not really a wireless one, as VLANs are governed by the laws of the 802.3 (Ethernet) standard rather than the 802.11 standard.

I have spoken to a Cisco Routing and Switching CCIE and he advised that the maximum VLAN size is dependent on the traffic expected in the VLAN. If you are expecting broadcasts and multicasts then you drop the VLAN size. If the clients ignore multicasts not for them then you can increase the VLAN size.

If you are not sure what type of traffic you will see in the VLANs then I would recommend more smaller VLANs, which is probably what the senior network engineer was recommending.
Michael Drummond
I have found another point that appears to me to change which rates are allowed.

The options are Basic, Optional or N/A. If I select N/A does that disable these rates at this point?
Michael Drummond
To disable these low rates do I set the above options to N/A?
Aaron Scott
Yes. Just remember that you still need a "basic" rate.
Michael Drummond
Sorry, I'm not sure I understand your answer. You said yes, I should set to N/A, but then you say I need to keep a basic rate.
Are the current settings acceptable, or which ones should I change and to what value?
Are you suggesting that I need to keep one of these low rates as "Basic" and set all other low rates to N/A?
When I say low rates I am referring to the left column of the 2.4 GHz spectrum.
Aaron Scott
Normally I would turn off 1, 2, 5.5 and 11 at a minimum (set to N/A).

Depending on how dense your APs are you can turn off other rates too. In an AP-per-classroom style environment, you could set the minimum "Basic" rate to be at least 12 Mbps, set everything below that to N/A and everything above to Optional.

You should try this on a test SSID and test with likely client devices to make sure that there are no issues with the higher data rates running as the basic rate. (Generally there isn't for laptops, tablets and smartphones; there can be for other types of devices, e.g. handheld scanners, older VoIP handsets, etc.)

Cheers,
A
Crowdie, Champ
For the people who don't know:

N/A - No data is transmitted at this data rate.
Basic - Unicast, Broadcast (including beacons) and Multicast traffic can be transmitted at this rate.
Supported - Only unicast traffic can be transmitted at this rate.

Some additional information:

1. Beacons, which advertise your WLANs and assist wireless clients during the roaming process are traditionally broadcast on the lowest basic data rate. Aerohive, and a number of other vendors, have options to transmit beacon frames on basic data rates higher than the lowest basic data rate.

2. When you transmit data at a lower data rate and keep the transmit power the same, all things being equal, the transmission should travel further.

3. You must have at least one basic data rate, otherwise no broadcast and multicast traffic can traverse the wireless network.

4. The 802.11b data rates (1, 2, 5.5 and 11 Mbps) have a different modulation type (think of it as a "language") to the 802.11g data rates (6, 9, 12, 18, 24, 36, 48 and 54 Mbps). The 802.11b modulation is older and slower and 802.11b wireless clients cause a performance reduction across the wireless network. For this reason it is recommended that you disable the 802.11b data rates, unless you have 802.11b clients that must be supported.

So careful consideration should be taken when deciding how to configure the data rates. If you make the lowest basic data rate too low the wireless clients will be reluctant to roam from one access point to another.
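The N/A, Basic and Supported semantics above, together with Aaron's dense-classroom suggestion of a 12 Mbps lowest Basic rate, can be checked mechanically before a profile is pushed to the radios. The script below is an added example, not Aerohive or HiveManager code: it represents a 2.4 GHz data-rate table as a dictionary, reports which rates each traffic type may use, identifies the beacon rate as the lowest Basic rate (the traditional behaviour described in point 1, not the higher-beacon-rate option), and flags a profile with no Basic rate or with 802.11b rates still enabled. It accepts "Optional" as the UI spelling of "Supported". The two profiles at the bottom are constructed for illustration.

```python
"""2.4 GHz data-rate profile checker (added example, not Aerohive code).

Encodes the semantics from the reply above:
  N/A       - nothing is sent at that rate
  Basic     - unicast, broadcast (beacons included) and multicast may use it
  Supported - unicast only (shown as "Optional" in the HiveManager UI)
plus two rules that follow: at least one Basic rate must remain, and the
802.11b rates (1, 2, 5.5, 11 Mbps) should be N/A unless 802.11b clients exist.
"""

RATES_11B = (1, 2, 5.5, 11)                    # DSSS/CCK modulation (802.11b)
RATES_11G = (6, 9, 12, 18, 24, 36, 48, 54)     # OFDM modulation (802.11g)
ALL_RATES = RATES_11B + RATES_11G
SUPPORTED_ALIASES = {"supported", "optional"}  # same meaning, two spellings
KNOWN_SETTINGS = {"n/a", "basic"} | SUPPORTED_ALIASES


def _norm(setting):
    return setting.strip().lower()


def basic_rates(profile):
    """Rates flagged Basic, ascending (Mbps)."""
    return sorted(r for r, s in profile.items() if _norm(s) == "basic")


def allowed_for(profile, traffic):
    """Rates a frame of the given kind may be sent at.

    Unicast may use Basic and Supported rates; broadcast, multicast and
    beacon frames are restricted to Basic rates.
    """
    if traffic == "unicast":
        ok = {"basic"} | SUPPORTED_ALIASES
    elif traffic in ("broadcast", "multicast", "beacon"):
        ok = {"basic"}
    else:
        raise ValueError(f"unknown traffic kind {traffic!r}")
    return sorted(r for r, s in profile.items() if _norm(s) in ok)


def beacon_rate(profile):
    """Lowest Basic rate, where beacons go by default; None if no Basic rate."""
    basics = basic_rates(profile)
    return basics[0] if basics else None


def validate(profile, dense_min_basic=12):
    """Return (severity, message) findings for a 2.4 GHz rate profile."""
    findings = []
    unknown_rates = sorted(set(profile) - set(ALL_RATES))
    if unknown_rates:
        findings.append(("error", f"unknown rates: {unknown_rates}"))
    bad = sorted({s for s in profile.values() if _norm(s) not in KNOWN_SETTINGS})
    if bad:
        findings.append(("error", f"unknown settings: {bad}"))
    if not basic_rates(profile):
        findings.append(("error", "no Basic rate: broadcast and multicast cannot be sent"))
    b_enabled = [r for r in RATES_11B if _norm(profile.get(r, "n/a")) != "n/a"]
    if b_enabled:
        findings.append(("warning", f"802.11b rates enabled: {b_enabled}; "
                                    "disable unless 802.11b clients must be supported"))
    lowest = beacon_rate(profile)
    if lowest is not None and lowest < dense_min_basic:
        findings.append(("info", f"lowest Basic rate is {lowest} Mbps; a dense "
                                 f"AP-per-classroom design can raise it to {dense_min_basic}"))
    return findings


# Constructed: a permissive profile with every rate on and the 802.11b rates Basic.
PERMISSIVE = {**{r: "Basic" for r in RATES_11B}, **{r: "Optional" for r in RATES_11G}}

# Constructed: the dense-classroom layout suggested in the thread:
# everything below 12 Mbps N/A, 12 Mbps Basic, everything above Optional.
DENSE = {r: "N/A" for r in ALL_RATES if r < 12}
DENSE[12] = "Basic"
DENSE.update({r: "Optional" for r in RATES_11G if r > 12})

if __name__ == "__main__":
    for label, profile in (("permissive", PERMISSIVE), ("dense", DENSE)):
        print(f"{label}: beacons at {beacon_rate(profile)} Mbps, "
              f"broadcast on {allowed_for(profile, 'broadcast')}, "
              f"unicast on {allowed_for(profile, 'unicast')}")
        for severity, message in validate(profile) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Running the script shows the permissive profile beaconing at 1 Mbps with all four 802.11b rates flagged, while the dense profile passes cleanly with beacons and broadcast traffic pinned to 12 Mbps. As the thread notes, the dense profile should still be trialled on a test SSID with the real client mix before it is applied to production radios.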