Enterprise Mesh Troubleshooting

Viewing Mesh Topology

The WebUI provides a Mesh Topology view to quickly assess the current mesh deployment. To access it, navigate to Configuration > Wireless > Mesh > [select mesh] > Mesh Topology.

Within the Mesh Topology tab, click the displayed mesh nodes to expand the tree and view connections between the various nodes.

Enterprise Mesh Troubleshooting

Problem-Solution Chart

Enterprise Mesh Troubleshooting

Configuring VLAN in MESH

Mesh APs now supports VLAN trunking.

Before you enable VLAN trunking on a mesh network, follow the recommendations listed below:

• Secondary redundancy network is not support and hence use mesh rediscovery to achieve redundancy.
• The gateway AP in a VLAN mesh should use ESS and port profile in tunnel mode if the profiles contain VLAN tags.

Enabling VLAN Trunk

Using CLI

controller(15)# configure terminal controller(15)(config)# port‐profile vlantrunk controller(15)(config‐port‐profile)# enable controller(15)(config‐port‐profile)# vlantrunk enable controller(15)(config‐port‐profile)# multicast‐enable controller(15)(config‐port‐profile)# end controller(15)(config)# mesh vlantest controller(15)(config‐mesh)# admin‐mode enable controller(15)(config‐mesh)# psk key 12345678 controller(15)(config‐mesh)# meshvlantrunk enable controller(15)(config‐mesh)# end

Configuring VLAN in MESH

controller(15)# controller(15)# sh mesh‐profile

Name              Description       Admin Mode     PlugNPlay Status VLAN Trunking St vlantrunk                           enable         disable          enable           testvlan                            enable         disable          enable           vlantest                            enable         disable          enable          

        Mesh Configuration(3) controller(15)# configure terminal controller(15)(config)# mesh‐profile vlantest controller(15)(config‐mesh)# mesh‐ap 65 controller(15)(config‐mesh‐mesh‐ap)# end controller(15)# controller(15)# sh port‐profile

Profile Name                     Enable/Disable VlanTrunk      Dataplane Mode VLAN Name   Security Profile Allow Multicast IPv6 Bridging  

default                          enable         enable         bridged                                     on              off            

vlantrunk                        enable         enable         bridged                                     off             off            

        Port Table(2)

Installing and Configuring an Enterprise Mesh System

Determine Antenna Placement

An Enterprise Mesh uses APs (as repeaters) to extend the range of wireless coverage. An AP in a Enterprise Mesh configuration is directed to look for a signal from a Parent AP. As such, antenna placement and reception is important for the optimum performance of the system.

If there are obstacles in the radio path, the quality and strength of the radio signal are degraded. Calculating the maximum clearance from objects on a path is important and should affect the decision on antenna placement and height. It is especially critical for long-distance links, where the radio signal could easily be lost.

When planning the radio path for a wireless hop, consider these factors:

• Be cautious of trees or other foliage that may be near the path between nodes, or ones that may grow to obstruct the path.
• Be sure there is enough clearance from buildings and that no building construction may eventually block the path.
• Check the topology of the land between the antennas using topographical maps, aerial photos, or even satellite image data (software packages are available that may include this information for your area).
• Avoid a path that may incur temporary blockage due to the movement of cars, trains, or aircraft.

Installing the Fortinet Enterprise Mesh

Enterprise Mesh APs are configured in five phases.

These steps assume that the deployment is not being configured via the PlugNPlay functionality. See “Adding Mesh APs Via PlugNPlay” on page 440 for additional details.

• Phase 1: Connect Controller and APs with an Ethernet Switch
• Phase 2: Create a Mesh Profile
• Phase 3: Add APs to the Mesh
• Phase 4: Configure the APs for Mesh Operation
• Phase 5: Remove the Cables and Deploy the APs

Phase 1: Connect Controller and APs with an Ethernet Switch

In a standard initial mesh setup, the user can configure all mesh APs desired at once via wired connection through a local switch. (This configuration is intended to happen prior to remote deployment.) For an alternative mechanism that allows APs to be deployed remotely prior to them being configured locally, refer to Adding Mesh APs Via PlugNPlay.

1. Connect all APs directly to a controller through a switch or hub.
2. Power on the controller.
3. Connect the APs to a power source using either separate power supplies or Power over Ethernet (PoE) connections.
4. If the controller does not have an assigned IP address, configure with the following; otherwise, skip to step 5:
   • Connect a computer to the controller using a serial cable.
   • Using a PC terminal program with the settings 115200 baud, 8 bit, no parity, access the controller and log in with the default admin/admin username/password.
   • Use the setup command to assign the controller an IP address. Reboot the controller and log in again as admin.
5. Log into the controller’s CLI under the admin account (if not already logged in).
6. For the APs that will be in the Enterprise mesh, verify they are connected to the controller (enabled and online) and ensure that their runtime version is the same version of FortiWLC (SD) as the controller’s:
   • Check the FortiWLC (SD) version with the command show controller
   • Verify the APs with the command show ap

Phase 2: Create a Mesh Profile

A single controller can manage multiple separate meshes as desired. Follow these steps to create a mesh profile.

1. From the WebUI (accessed by opening an Internet browser and navigating to your controller’s IP address), navigate to Configuration > Wireless > Mesh. The Mesh Configuration screen appears. (The screen will be empty unless a mesh profile is already present.)
2. Click Add.
3. On the Mesh Configuration – Add screen, provide the following details:
   • Name: Enter a name for the mesh profile.
   • Description: Enter a brief description for the profile (e.g., its location).
   • Pre-shared Key: Enter an encryption key for mesh communications. This key will be shared automatically between APs that have been added to the mesh profile; the user will not be required to input it manually later on. This key must be between 8 and 63 characters.
   • Admin Mode: Setting this field to Enable activates the mesh profile. If the profile needs to be disabled for any reason, set this field to Disable.
   • PlugNPlay Status: This option allows APs to be added to the mesh by eliminating the need to have them wired connected during mesh configuration. See Adding Mesh APs Via PlugNPlay for details.
4. Click OK when all fields have been configured. The new mesh profile is listed in the mesh table.

Phase 3: Add APs to the Mesh

Now that the mesh has been created, you can add your APs to it. Follow the instructions below.

The mesh APs must exist in the controller’s AP table (i.e., they must be added manually or have been connected to the controller as performed in previous steps) before they can be added to the mesh.

1. From the Configuration > Wireless > Mesh screen, check the box alongside the mesh profile to be modified and click Settings. A summary of the configured mesh settings will be displayed.

Figure 74: Modifying the Mesh

2. Click the Mesh AP Table tab provided. Since no APs have been added yet, the table will be blank.
3. Click Add.
4. In the resulting page, use the AP ID drop-down to specify the desired AP.
5. Click OK to add the AP. It will be displayed in the Mesh AP table.

Repeat these steps for all desired APs. Once all APs have been added, they can be configured to utilize mesh operation.

Phase 4: Configure the APs for Mesh Operation

Despite the fact that the APs have been added to a mesh profile, they still must be configured to utilize mesh operation. Follow the steps below.

1. From the WebUI, navigate to Configuration > Devices > APs.
2. Check the box alongside one of the mesh APs and click the pencil icon.
3. Click the Wireless Interface tab to display the available wireless interfaces on the AP.
4. Check the box alongside one of the interfaces and click Settings. Either interface can be selected, but dual interface mesh is not currently supported.
5. From the Wireless Interface tab, click the drop-down box for Mesh Service Admin Status and select Enable.

Figure 75: Enabling Mesh Service

6. Click OK to save the configuration change.

Repeat these steps for all APs that are part of the mesh. Verify that they are all displayed in the Mesh-AP member table, as shown in Figure 76. Figure 76: Mesh AP Member Table

Phase 5: Remove the Cables and Deploy the APs

Phase 5 consists of removing the cables, deploying the APs in their final locations, and turning them on. They will then be picked up by the controller as wireless APs.

To deploy the APs, follow these steps:

1. Ensure that each AP has a power source; if you are using PoE, you need to provide a power adapter for mesh nodes before they can be activated.
2. Unplug the APs and physically install them in the desired locations.
3. Power up the APs in order (i.e., power up the gateway AP first, then any mesh nodes connecting directly to the gateway, etc.). Make sure each AP is online before powering up the next one.
4. From the controller’s CLI, use the copy running-config startup-config command to save your configuration.
5. Create ESSIDs for clients and connect clients. Try pinging, browsing, etc. with the clients.

Once deployed, the APs will automatically determine the appropriate parent configurations to provide backhaul access. Provided the APs are in range with each other as per design, they should appear online automatically with no further settings. Your installation is complete.

Adding Mesh APs Via PlugNPlay

As mentioned in “Phase 2: Create a Mesh Profile” on page 437, the PlugNPlay option allows mesh nodes to be connected to an existing mesh, without requiring them to be wired directly to the controller. This function is disabled by default.

With PlugNPlay enabled on an existing mesh, deploying a mesh-capable AP to its intended location allows the AP to automatically seek out a mesh within range and add itself to the controller. In effect, this means that a user can set up a mesh profile with only one AP configured for mesh service (by following the instructions earlier in this chapter) and then install additional mesh-capable APs to their intended locations. Once the new APs are powered up, they will link with the previously-configured mesh AP and add themselves to the controller’s AP database.

This does not mean that the new AP automatically assumes mesh operation. PlugNPlay operation allows it to add itself to the database directly, but it must still be added to the Mesh AP table on the controller and configured for mesh operation. PlugNPlay simply allows the AP to sync with the controller without requiring a physical connection.

Follow the steps below to install a new mesh AP using the PlugNPlay mechanism. Note that this scenario assumes that a mesh profile has already been created and has at least one active mesh AP added to it and configured via the steps detailed in “Phase 2: Create a Mesh Profile” on page 437 and “Phase 3: Add APs to the Mesh” on page 438 above.

1. Unbox the new mesh-capable AP and install it within range of the existing mesh node.
2. Connect its power source and allow it to come online. Note that since it will connect to the controller automatically, it may require some time to download new firmware and configurations.
3. Use a computer to access the controller’s WebUI.
4. From the web browser, navigate to Configuration > Wireless > Mesh.
5. Check the box next to your existing mesh and click Settings.
6. Click the Mesh AP Table tab.
7. Click Add and select the newly-added AP from the drop-down list. Since it has just been connected, it is likely the most recent (or highest) AP ID number in the list.
8. Click OK to add the new AP to the table.

Now that the AP is part of the mesh, you can enable mesh service on it by performing the following steps.

1. Navigate to Configuration > Devices > APs.
2. Check the box alongside the new mesh AP and click Settings.

3. Click the Wireless Interface tab to display the available wireless interfaces on the AP.
4. Check the box alongside one of the interfaces and click Settings. Either interface can be selected, but dual interface mesh is not currently supported.
5. From the Wireless Interface Configuration – Update screen, click the drop-down box for Mesh Service Admin Status and select Enable as shown in Figure 75
6. Click OK to save the configuration change.

These steps can be repeated for as many new mesh nodes need to be configured. Once all the desired nodes have been added, it is recommended that PlugNPlay be disabled on the mesh until additional nodes are needed.

Mesh Network

Enterprise Mesh is an optional wireless alternative for the Ethernet links connecting APs to controllers. Deploy the Enterprise Mesh system to replace a switched wired backbone with a completely wireless 802.11 backbone, while providing similar levels of throughput, QoS, and service fidelity.

The following are Enterprise Mesh features:

• Hierarchical bandwidth architecture
• Dynamic allocation and balancing of the RF spectrum
• Full duplex capability
• Extend virtual cell, QoS, and RF coordination over backbone
• Wireless DS-to-DS (WDS) encapsulation of the Enterprise Mesh traffic
• Dataplane Encryption (affects performance because encryption/decryption is in software)

Mesh deployments are not intended for use in:

• Metropolitan or municipal Wi-Fi networks
• High throughput, density, or quality video/audio applications

Mesh Restrictions

The following restrictions apply to the design and implementation of Fortinet mesh networks.

• Enterprise Mesh APs require L3 connectivity to the controller.
• Monitoring of backhaul links via SAM is not supported.
• A radio that is not actively used for mesh cannot be used for SAM purposes.
• Bridged mode is not supported for wireless clients in Enterprise Mesh—only tunneled mode is supported.
• Gateway and mesh APs support a maximum of 4 backhaul links.
• From the gateway (i.e., an AP physically connected to the network), a maximum of 3 hops is supported with no more than 16 APs per cloud.
• A maximum of 500 stations can be active on a mesh cloud at any given time.
• Minimum channel separation guidelines are to use non-overlapping channels.

431

• Mesh operation on DFS channels is not recommended.
• Aggregation of multiple uplink connections is not supported.
• A single AP cannot be assigned to multiple mesh clouds.
• A maximum of 64 mesh profiles can be created on a controller. Each mesh profile can contain a maximum 16 APs.
• Since OAP832 has only radio 1 in 5GHz, mesh can be established only on that radio.

Enterprise Mesh Design

Enterprise Mesh is typically composed of hub-and-spoke configurations (as shown in Figure 72), chain configurations (as shown in Figure 73), or a variation of these.

In a dense network, hub-and-spoke (all APs point to the gateway) is the best topology, although collisions can occur.

• For optimal performance, avoid collisions between adjacent small clouds by creating each cloud on a separate channel. A cloud is defined as a set of APs communicating along a backhaul topology path to/from a gateway AP.

Figure 72: Enterprise Mesh Network – Hub and Spoke Design

Figure 73: Three Hop Enterprise Mesh – Chain Design

Gateway APs

A gateway AP is located at the wired edge of the Enterprise Mesh network, and provides the link between wired and wireless service. The gateway AP is the only AP that has a wired connection to the network.

Mesh APs

Mesh APs refer to all APs that are not acting as gateway APs. They can provide intermediate service between other mesh APs or used as the endpoint in a mesh chain (as shown in Figure 73).Mesh APs can have wired connection to the network.

The unused Ethernet port on a Mesh AP can be configured and used in the same manner as a wired port on an Ethernet switch. As such, users can connect a hub/switch with other wired devices to it in order to access the corporate network. In order to use the port, a Port Profile must be configured for it. Refer to Configuring Port Profiles for details.

Leaf APs

An AP that is connected to the controller via a wireless back haul connection but cannot provide wireless back haul service to other nodes.

Wired Clients

Unused Ethernet port (interface 1) of an AP400, AP332, AP122, AP832, AP832, AP822 and FAP-U421EV, and FAP-U423EV configured as a Mesh AP can be used to connect up to 512 wired clients.

Equipment Requirements

Any controller model can be used for a mesh deployment. The following AP models currently support mesh operation:

• AP1000 series
• AP332e/i
• AP832, AP800
• AP433
• FAP-U421EV
• FAP-U423EV

Mesh Discovery

The following are the various discovery scenarios in a mesh network:

Scenario 1: Regular Discovery

In a regular discovery process, a mesh AP uses the process as mentioned in the “CAPWAP and Legacy Reference” on page 335 .

Scenario 2: L2/L3 discovery failure.

In L2/L3 discovery failure, the AP switches to mesh discovery. In this mode, the AP searches (on 5G for AP122, 822, FAP-U4xx, OAP832 and for other supported APs, on 5G and then followed by 2.4G) for a mesh beacon (a hidden ESS-Id). When it finds this hidden ESS-Id, it creates an association. After the association is complete, the AP starts the DHCP process to get an IP address from the controller. However, this AP (mesh AP) must be in the same mesh cloud in order to establish a connection.

NOTE: Backhaul links are always encrypted.

Refer to the online help for more information on creating mesh cloud

Scenario 3: AP is Unable to find a suitable backhaul service

If the AP is unable to find a suitable backhaul service or if key exchange fails, the AP scans to wireless medium for recovery service.

When a recovery service is found, the AP completes key exchange and 4-way handshake to discover the controller. After the discovery is complete, the configuration is downloaded. However, this AP does not provide any WLAN services.

To enable WLAN services, this AP must be added to a mesh cloud.

NOTE: A mesh AP can be part of only one cloud at a time.

Failover / Re-discovery

In a mesh cloud, if a mesh AP or a leaf AP loses contact with its parent, the AP switches to discovery mode. The discovery process begins with scenario 1-regular AP discovery process..

Parent Selection Mechanism

In a mesh cloud, an AP selects its best parent AP using a match to the following parameters and values.

• snr-weight: 3
• child-weight: 1
• hop-weight: 10

The above are default values and they can be customized to your RF environment using the following AP-CLI commands: mesh {parent_selection | psel}

Set/Get weights for parent selection parameters

To set:

mesh parent_selection [snr|child|hop] <integer>

To get:

mesh parent_selection

To reset:

mesh parent_selection reset

DSCP Marking for Management Packets

You can apply Differentiated Services Code Point (DSCP) values to management and application traffic (see Application Visibility Enhancements section). DSCP value is a selectable field that can be used to assign various levels of precedence to network traffic.

By default, traffic packets contained an EF value and with the introduction of this feature you can change the priority bit from EF to an appropriate DSCP value that meets your requirements.

Management traffic between the following can be assigned DSCP values:

DSCP Marking for Management Packets

• AP to Controller
• Controller to AP
• Controller to Network Manager

Enable DSCP Value

To configure DSCP from WebUI, go to Configuration > Policies > QoS  Settings > Marking Management Packets (tab).

Select the DSCP values for each traffic and click the SAVE button.

DSCP Marking for Management Packets

Load Balancing for APs in Virtual Cell

You can configure load balancing to effectively distribute wireless clients to alternate access points. The load balancing is performed by the controller based on two factors; Current Load of the AP and RSSI value of the client.

• Current load of an AP – Current load represents the number of clients assigned to an AP. Load Balancing for APs in Virtual Cell
• RSSI value of the Client – The RSSI value of the client is received by the controller.

When a new client joins the network, the controller will connect the client to an AP that is running below its maximum load threshold and providing the best RSSI value.

To enable load balancing, configure the Load Threshold for the access point. Go to Configuration > Wireless > Load Balance.

1. Load Balancing vCell: Select On to activate this functionality.
2. Load Threshold: Specify the load threshold. This value denotes the number (in percentage) of clients that can connect to an AP. Example, if the optimum capacity of an AP is 80 clients, and the threshold is set to 90%, then a maximum of 72 clients are allowed to connect.
3. RSSI Threshold- Configurable via CLI (load‐balance‐vcell rssi‐threshold <rssivalue>). Specify the RSSI value of the best and an alternate AP. Load balance is activated for a value below the configured RSSI value. The default value is -65dbm and the configurable range is -75dbm to -45dbm. The following table provides the recommended RSSI threshold for various modes and channel bandwidth:

Load Balancing for APs in Virtual Cell

nPlus1 Support: The load balance feature allows the clients to connect to the best available access point during roaming in an nplus1 set up.

The following table illustrates various load balancing scenarios between two APs (AP1 and AP2) and the expected result when a client tries to join the network. :

• L1 represents the load on AP1; L2 represents the load on AP2. The value ‘1’ represents AP1 has reached its load threshold.
• R1 represents RSSI value on AP1, and R2 represents RSSI value of AP2, The value ‘1’ represents an RSSI value that is higher than the configured value.