FortiWLC

FortiWLC is Fortinet's wireless controller platform.


Best Practices

The following section presents the best practice configuration applicable to general deployments of FortiWLC. Best practices aren't necessarily applicable to all deployment cases, but aim to represent the majority. As always, consult with skilled FortiWLC experts for recommendations appropriate for your specific deployment.


Initial Setup

AP Discovery: L2 vs L3

Operation in L3 mode is recommended for general deployments. The default for the controller is L2 operation. Review the options available for L3 discovery before deploying: there are DNS, DHCP (option 138) and init script methods to achieve this. L3 operation is required for AP packet capture and spectrum analysis to function correctly.

The following is a sample init script that can be configured to automatically provision all joining APs for preferred L3 operation with a hardcoded controller IP:

ip config l2l3 l3preferred
ip config controller name 192.168.129.5
ip config save

This script can be configured under Maintenance/File Management/File Management/AP Init Script.

The script is then configured as the default init script under Configuration/Device/Controller. It is activated when the APs reboot, and two reboots are needed for it to take effect: the first reboot only loads the script after discovery and does not yet force discovery to L3.


ESS Configuration

Data Rates

While the default ESS data rates are generally adequate, environments with higher AP density and closely meshed clients can benefit from disabling lower rates assuming they are not needed in support of legacy clients. The following screenshots show recommended rates:

Virtual Cell

Virtual cell is a technology which controls client roaming at the controller level, in a similar manner to how mobile technologies like LTE operate. It accomplishes this by using a single channel for a given ESS and the same BSSID for all access points. It is an ideal technology to ensure fast, totally transparent roaming of clients and helps with devices that exhibit AP stickiness and do not roam aggressively enough. Common environments benefiting from this are warehouses, telephony, industrial sites and anywhere device mobility is constant. While it inherently does not accommodate high-density, high-throughput environments, it still provides substantial advantages where those criteria are not as important. It is commonly combined with a native cell (conventional) ESS to service distinct types of devices in the same environment.

Adequate Signal Threshold

By default, Virtual Cell will consider roaming clients with a signal strength of -45 and lower, which is too aggressive for most environments. It is recommended that this be adjusted based on how dense each environment is and what is assessed as an acceptable signal level. As general guidance, this parameter should be adjusted to -55 for most environments. The parameter can be changed under Configuration/Devices/Controller.


How to Properly Deploy WLC VM image in ESXi

From the Wireless Technical Newsletter February 2019

Basic ESXi Best Practices for WLC VM

To deploy the WLC VM image properly, follow the deployment guide on docs exactly. The following important steps are sometimes overlooked, specifically with ESXi. Please make sure that:

  • your vSwitch is linked with the physical NIC and should NOT have Security parameters changed for the WLC VM.
  • a Port Group is created with ALL Security parameters as “Accept” (Promiscuous mode, MAC address changes and Forged transmits).
  • the FGT or FortiSwitch Ethernet port facing the ESXi interface has its native vlan in the management vlan of the FWLC, and allows for all vlans used by WLC to be trunked to the vSwitch.
  • VLAN ID 4095 is created on the Port Group, to allow the Port Group to become a Trunk Port for the multiple VLANs of WLC, with the native administrative VLAN for WLC management untagged.
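
The checklist above can be audited from exported ESXi settings. The following is an added example, not part of the newsletter or of any Fortinet or VMware tooling. It assumes the "Key: value" layout printed by "esxcli network vswitch standard portgroup policy security get" (where true corresponds to Accept) together with the VLAN ID from "esxcli network vswitch standard portgroup list"; the port group names and sample text are constructed. It also flags promiscuous mode on any other port group, an added check that keeps the relaxed settings scoped to the WLC port group.

```python
REQUIRED = ("Allow Promiscuous", "Allow MAC Address Change", "Allow Forged Transmits")
TRUNK_VLAN = 4095  # VLAN ID the checklist sets on the WLC port group

# Constructed sample: {port group name: (VLAN ID, security policy text)}.
# Layout is assumed from esxcli's "Key: value" output; names are made up.
SAMPLE = {
    "WLC-Trunk": (4095, "Allow Promiscuous: true\n"
                        "Allow MAC Address Change: true\n"
                        "Allow Forged Transmits: true\n"),
    "VM Network": (0, "Allow Promiscuous: false\n"
                      "Allow MAC Address Change: true\n"
                      "Allow Forged Transmits: true\n"),
}


def parse_policy(text):
    """Turn 'Key: value' lines into {key: bool}; other lines are ignored."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            policy[key.strip()] = value.strip().lower() == "true"
    return policy


def audit(portgroups, wlc_pg):
    """Return findings; an empty list means the layout matches the checklist."""
    if wlc_pg not in portgroups:
        return [f"port group {wlc_pg!r} not found"]
    findings = []
    for name, (vlan, text) in sorted(portgroups.items()):
        policy = parse_policy(text)
        if name == wlc_pg:
            # All three security settings must be Accept on the WLC port group.
            findings += [f"{name}: {k} is not Accept"
                         for k in REQUIRED if not policy.get(k)]
            if vlan != TRUNK_VLAN:
                findings.append(f"{name}: VLAN ID is {vlan}, expected {TRUNK_VLAN}")
        elif policy.get("Allow Promiscuous"):
            # Added check: promiscuous mode should stay on the WLC port group only.
            findings.append(f"{name}: promiscuous mode enabled outside the WLC port group")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE, "WLC-Trunk") or "port groups match the checklist")
```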

Best Practices for Dual Bonding Configurations on WLC VM

If you plan to have multiple Network adapters and do dual-bonding configurations, Ethernet0 and Ethernet1 should both be in bond0 and go to vSwitch X and physical NIC 1; Eth3/eth4 should be in bond1 and go to vSwitch Y and physical NIC 2. Trying to bond interfaces differently will result in very unstable behavior.


How to properly configure Port Aggregation / LACP on FortiAP-U managed by WLC

From the Wireless Technical Newsletter February 2019

This process must be followed step by step to succeed. You first need to make sure that the combined Patch for 8.4-3 released in February 2019 is installed. This consolidated AP patch also includes an important Tx stuck fix.

Step 1:

  • Make sure both switch ports have LACP disabled
  • Connect the AP LAN 2 port
  • Ensure the AP comes fully Enabled/Online on WLC
  • Only then connect LAN 1 – it will appear in Disabled state
  • On the GUI, go to ‘Configuration→Devices→APs’, select the AP→Ethernet interface, then click interface 1 and enable LACP.

You should see the output below, where LAN2 is the uplink and LAN1 is the LACP port:

WLC(15)# sh interfaces Ethernet ap 801
Type ID  Name   IfIndex MTU  MAC Address       Admin State Op State Last Change         Uplink Type LACP
ap   801 AP-801 2       1500 00:0c:e6:35:5e:40 Up          Enabled  28/02/2019 16:15:45 Uplink      disable
ap   801 AP-801 1       1500 00:0c:e6:35:5e:1e Up          Disabled 28/02/2019 16:16:46 Uplink-lacp enable

Step 2:

  • Unplug both cables from the AP or switch
  • Connect the AP LAN 1 port first
  • Ensure the AP comes fully Enabled/Online on WLC
  • Only then connect LAN 2 – it will appear in Disabled state
  • On the GUI, go to ‘Configuration→Devices→APs’, select the AP→Ethernet interface, then click interface 2 and enable LACP.

You should see the output below, where LAN1 is the uplink and LAN2 is the LACP port:

WLC(15)# sh interfaces Ethernet ap 801
Type ID  Name   IfIndex MTU  MAC Address       Admin State Op State Last Change         Uplink Type LACP
ap   801 AP-801 2       1500 00:0c:e6:35:5e:1e Up          Disabled 28/02/2019 16:21:07 Uplink-lacp enable
ap   801 AP-801 1       1500 00:0c:e6:35:5e:40 Up          Enabled  28/02/2019 16:19:22 Uplink      enable

Step 3:

  • Remove both LAN1 and LAN2 and reconnect both cables back to the switch, and wait for the AP to come back online.

Step 4:

  • Now configure LACP active on the switch.
  • Verify that both ports of the AP are operationally Up by connecting to the AP through WLC or console:
ap 801> config show ethernet
Ethernet 0 MAC parameters
----------------------------------------
MAC address = 00:0c:e6:35:5e:40
Default destination = 00:bb:00:bb:00:bb
MTU = 1500
Speed = 1 Gbps
Duplexity = Full Duplex
Operational State = Up
Uplink = 0
Bonding = ENABLE
AP MAC Assignment = ETH0
Ethernet 1 MAC parameters
----------------------------------------
MAC address = 00:0c:e6:35:5e:40
Default destination = 00:bb:00:bb:00:bb
MTU = 1500
Speed = 1 Gbps
Duplexity = Full Duplex
Operational State = Up
Uplink = 2
Bonding = ENABLE
AP MAC Assignment = ETH0
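
The Step 4 verification can be scripted against captured console output. The following is an added example, not part of the newsletter or of Fortinet tooling: it parses the "config show ethernet" layout shown above and reports any port that is not operationally Up or does not have bonding enabled. The sample text is a trimmed, constructed copy of that output, and the function names are illustrative.

```python
import re

# Constructed sample: trimmed copy of the "config show ethernet" output above.
SAMPLE = """\
Ethernet 0 MAC parameters
----------------------------------------
MAC address = 00:0c:e6:35:5e:40
Speed = 1 Gbps
Operational State = Up
Uplink = 0
Bonding = ENABLE
Ethernet 1 MAC parameters
----------------------------------------
MAC address = 00:0c:e6:35:5e:40
Speed = 1 Gbps
Operational State = Up
Uplink = 2
Bonding = ENABLE
"""


def parse_ethernet(text):
    """Return {port_index: {field: value}} from 'config show ethernet' output."""
    ports, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Ethernet (\d+) MAC parameters", line.strip())
        if header:
            current = ports.setdefault(int(header.group(1)), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return ports


def lacp_problems(text, expected_ports=2):
    """List reasons the AP bond is not healthy; an empty list means it passed."""
    ports = parse_ethernet(text)
    problems = []
    if len(ports) != expected_ports:
        problems.append(f"expected {expected_ports} ports, found {len(ports)}")
    for idx, fields in sorted(ports.items()):
        state = fields.get("Operational State")
        if state != "Up":
            problems.append(f"Ethernet {idx}: Operational State is {state}")
        if fields.get("Bonding") != "ENABLE":
            problems.append(f"Ethernet {idx}: Bonding is {fields.get('Bonding')}")
    return problems


if __name__ == "__main__":
    print(lacp_problems(SAMPLE) or "both ports Up with bonding enabled")
```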