Good catch @PhilipDAth , I didn't even notice that snippit

it was the request from Higher up so we don't run out of IP in the scope. Concurrently - we have close to 180 users connected to the access points.

180 users will fit into a single /24 - so that really is not a biggy.

 

Are your WiFi users all in a single subnet or multiple subnets at the moment?

Are your users in a single building, or spread out over a campus and many buildings?

2 VLANS

 

1 vlan to IDF 2nd floor subnet

1 vlan to IDF first floor subnet

Can users roam between these two floors without loosing their WiFi connection, or do they loose and then re-connect when moving between floors?

Users are able to roam successfully to other APs between upstairs and downstairs. The only timeout / drop I get is when I am upstairs heading into the stairwell to go downstairs and vice versa but my device immediately connects back to nearest AP.

stair wells are usually 100% brick/concrete. Your not going to have a smooth roam between floors usually. If you did managed to have smooth roaming, you still might have issues because your going from one subnet to another, by issues i mean with real-time applications. If you can make it a /23 or /22 then that would minimize any disconnects due to having to get a new IP on the new subnet etc.

Not sure if that matters though if there is no smooth roaming between floors.

Actually might matter if the floor to floor seperation is weak. so clients on floor 2 might connect to an AP on floor 1 and vice versa. Floor is just a fancy word for wall afterall 😃

I could see if that happens then it would cause real-time stuff to suffer since its differnet subnets

Also the reign in your TX power level, to add to that. Create a min/max (usually something like 11-17 dBm for 5GHz for example, and 8-11 for 2.4GHz etc.) Depends on the layout and how the survey was done. You won't want an AP blasting

---

@Brons2 wrote:

Which is another thing - you have different SSIDs for different floors?  Why?  If I have a meeting on another floor, I have to go join another wireless network?  That seems unnecessary to me.  Roaming to a different Meraki AP in our network is pretty transparent.

 

---

I don't think he has different SSIDs per floor. He's probably just using the Per-AP multiple VLAN tagging, see here: https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/VLAN_Tagging_on_MR_Access_Points)

Previously we were using APs that did not have roaming capabilities. The goal was to have users be able to walk from one area of the building to another for meetings in conference rooms seamlessly without dropping off the network while still holding on to the IP they had.

 

We do not have different SSID names for 1st and 2nd floor. They are all the same name. I am using the Per-AP multiple VLAN tagging. 

 

I changed the channel width from 80 to 40 for the 5GHZ.

 

 

I've never tested it but I'm pretty sure that the Per-AP VLAN Tagging will not allow smooth roaming. Its going from one subnet to another (one vlan to another), which is forcing the clients to grab a new IP etc.

Your best option (what I do) is use a /23 or /22 for the entire 'building' and the SSID drops onto that VLAN which spans everywhere. Assuming your core-to-access layer allows for such a thing

I just tested this successfully - when I walked upstairs and around the building, my IP from downstairs stayed the same. the only thing that changed was the VLAN Number. I connected to each of the 17 access points.


I have a feeling the TX power is causing an issue with one of our devices disconnecting and reconnecting because a few are 200 feet apart from each other. I have the same two viziocasttvs with two different mac addresses trying to connect to 3 APs...

Mon Oct 28, 2019, 09:54:44
viziocasttv
Association
type='Association attempts' num='3959' associated='true' radio='1' vap='1'
Mon Oct 28, 2019, 09:52:54
viziocasttv
Authentication
type='WPA-PSK auth fail' associated='false' radio='1' vap='1'
Mon Oct 28, 2019, 09:52:34
viziocasttv
Association
type='Association attempts' num='3958' associated='true' radio='1' vap='1'
Mon Oct 28, 2019, 09:51:34
viziocasttv
Authentication
type='WPA-PSK auth fail' associated='false' radio='1' vap='1'

---

@SLR wrote:
I just tested this successfully - when I walked upstairs and around the building, my IP from downstairs stayed the same. the only thing that changed was the VLAN Number. I connected to each of the 17 access points.

---

That's thanks to the L3 roaming, with that you keep your original IP address. This is a good article describing L3 roaming more in detail:

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

 

As @PhilipDAth and @NolanHerring already mentioned, L3 roaming is not always the solution. Especially if you have a "smaller" network you'll be better of with one L2 domain. That's when you'll be able to leverage roaming optimizations like OKC and 802.11r.

 

Regarding the Auth failed error. I assume the TVs are using the correct password? I'd try temporarily adding a separate SSID to test the TVs with a really simple password, just to make sure it's not a bug in the TV OS causing it to use a wrong password.

 

Also, what is your minimum bitrate slider set to for that SSID?

Slider set at 11 - 54.

 

Should that be changed? 

Should be fine. But if you do setup that test SSID for the TVs, lowering it on that SSID is one of the things you could try if you can't get them to connect.

Thank you. I will try that.

I pondered "Per-AP multiple VLAN tagging" a bit more over the weekend.

 

It seems to me that, from a network design standpoint, that this feature would only be desirable if you were running the same SSID across multiple physical sites/branches, something to where a large flat network would not be desirable due to latency.

 

Am I missing something?

WEP key?  WEP has been insecure since, oh, 2001.

 

"Depending on the amount of network traffic, and thus the number of packets available for inspection, a successful key recovery could take as little as one minute"

https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy

 

Perhaps you meant WPA.  I hope so. 

 

If not - I'm not surprised Meraki couldn't fix it.  They probably have no interest in fixing it, what with WiFi 6 and WPA3 coming out.  It doesn't make much sense to support deprecated, insecure protocols, in my opinion.