Wireless Network Design
This chapter will cover various aspects involved in wireless networks design, including a presentation of the different wireless technologies, Cisco wireless solutions, and wireless LAN design concepts, including the following topics:
- Wireless LAN Technologies
- Cisco Unified Wireless Solution
- Wireless LAN Design Considerations
We cover wireless networking in great detail in our CWNA certification course.
Wireless LAN Technologies
Wireless technologies are rapidly advancing in enterprise networks, and Cisco is a major player in this area because of their own internal developments and series of strategic acquisitions.
Network designers should understand basic wireless LAN concepts to prepare for possible network upgrades, even if the network is not initially designed to integrate wireless technologies.
Wireless networks can include a wide variety of technologies, including the following:
- Mobile wireless that allows data to be sent via mobile phones:
  - GSM – low data rates (9600 bps)
  - GPRS – up to 128 kbps
  - 3G/UMTS – several Mbps
- Wireless Local Area Network (WLAN) technologies – the focus of CCDA specialists
- Bridge wireless (point-to-point)
Bridge wireless involves a simple design of setting up two antennas on two different buildings and pointing them at each other to bridge two LANs. This technology can usually scale up to 50 Mbps.
Wireless LAN Overview
WLAN technologies replace Layer 1 physical wiring and the Layer 2 transport technologies with wireless equivalents. One advantage of this replacement is that upper-layer protocols, such as IP, TCP, and UDP, are usually not affected. The most commonly encountered wireless issues are signal interference and obstruction, which are not common in wired environments.
Wireless networks have many similarities to legacy Ethernet solutions, such as Layer 2 addressing that uses MAC addresses and shared media: wireless LAN access points (APs) act as hub devices that use the same radio frequencies (RF) to transmit and receive packets, which results in half-duplex communication and allows collisions to occur.
Note: Wireless LAN technologies are based on a set of standards called IEEE 802.11, which define computer communication in the 2.4, 3.6, and 5 GHz frequency bands.
802.11 Protocol Family
The original 802.11 standard was defined in 1997 by the IEEE and it uses the following two types of RF technologies operating in the 2.4 GHz range:
- Frequency Hopping Spread Spectrum (FHSS), which operates only at 1 or 2 Mbps
- Direct Sequence Spread Spectrum (DSSS), which also operates only at 1 or 2 Mbps
Modern enterprise environments usually use the 802.11a, 802.11b, 802.11g, and 802.11n standards. The 802.11b standard was defined in 1999 and its major features include the following:
- It can use DSSS in the 2.4 GHz range.
- It uses Barker 11 and Complementary Code Keying (CCK) encoding.
- It uses Differential Binary Phase-Shift Keying (DBPSK) and Differential Quadrature Phase-Shift Keying (DQPSK) modulation types.
- It supports data rates of 1, 2, 5.5, and 11 Mbps (the 5.5 and 11 Mbps rates use CCK and DQPSK).
- It offers three non-overlapping channels: 1, 6, and 11.
The 802.11g standard was defined in 2001, is backward compatible, and can be used in the same environment with 802.11b. The downside in this scenario is that interoperability demands the use of the lower-level 802.11b. The main features offered by 802.11g include the following:
- It uses the DSSS RF technology and operates in the 2.4 GHz spectrum for low rates (1, 2, 5.5, and 11 Mbps).
- It uses the Orthogonal Frequency Division Multiplexing (OFDM) modulation technology for high data rates (6, 9, 12, 18, 24, 36, 48, and 54 Mbps).
- It offers three non-overlapping channels: 1, 6, and 11.
The 802.11a standard was defined in 1999, and it is not as widely deployed as 802.11b and 802.11g. It has the following characteristics:
- It operates in the 5 GHz range; therefore, it is incompatible with 802.11, 802.11b, and 802.11g. This allows it to avoid interference with devices that use those protocols, as well as microwaves, Bluetooth devices, and cordless phones.
- It supports 12 to 23 non-overlapping channels (as opposed to the three non-overlapping channels supported by 802.11b and 802.11g) because it uses OFDM, where sub-channels can overlap.
- It uses several modulation types: BPSK, QPSK, 16-QAM, or 64-QAM.
- It supports a wide range of data rates: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps.
802.11n is an amendment that improves upon the previous 802.11 standards by adding multiple-input-multiple-output (MIMO) antennas, with a significant increase in the maximum data rate, from 54 Mbps to 600 Mbps. 802.11n operates on both the 2.4 GHz band and the less-used 5 GHz band. The IEEE approved the amendment and it was published in October 2009. MIMO comes in three types: pre-coding, spatial multiplexing, and diversity coding.
Note: The data rate offered is influenced by the number of hosts served by the specific access point and by the distance between the host and the access point (i.e., high distances reduce the signal and the data rate).
Collision Avoidance
Wireless LAN technologies do not allow for collision detection, unlike in Ethernet environments. Stations cannot hear jam signals because they cannot listen and send at the same time (i.e., they have half-duplex functionality).
In order to suppress the negative effects of half-duplex transmission, WLANs rely on the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) mechanism. Stations in the wireless LAN attempt to avoid collisions before they happen by using a Distributed Coordination Function (DCF) that utilizes random backoff timers.
DCF requires a station wishing to transmit to listen for the channel status for a predefined interval. If the channel is busy during that interval, the station defers its transmission. In a network where a number of stations contend for the wireless medium, if multiple stations sense the channel is busy and defer their access, they will simultaneously find that the channel is released and then they will try to seize the channel. As a result, collisions may occur. In order to avoid such collisions, DCF also specifies random backoff, which forces a station to defer its access to the channel for an extra period.
The AP is responsible for acknowledging client data and responds to successful transmissions by sending ACK packets.
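The DCF behaviour described above (sense the medium, defer while it is busy, count down a random backoff, double the window after a collision), as an added slot-level simulation that is not part of this chapter. CW_MIN and CW_MAX are the 802.11b contention-window limits; FRAME_SLOTS and DIFS_SLOTS are constructed round numbers rather than exact PHY timings.

```python
"""Slot-level model of 802.11 DCF: carrier sense, DIFS wait, random backoff.

Added example, not from the chapter. FRAME_SLOTS and DIFS_SLOTS are
constructed values chosen for readable output; CW_MIN/CW_MAX are the
802.11b contention-window limits.
"""
import random
from dataclasses import dataclass, field

CW_MIN = 31        # 802.11b initial contention window, in slots
CW_MAX = 1023      # upper bound reached after repeated collisions
FRAME_SLOTS = 10   # constructed: slots the medium stays busy for frame + ACK
DIFS_SLOTS = 2     # constructed: idle interval a station must observe first


@dataclass
class Station:
    name: str
    frames_left: int
    cw: int = CW_MIN
    backoff: int = 0

    def draw_backoff(self, rng: random.Random) -> None:
        """Pick a fresh random backoff uniformly from [0, cw]."""
        self.backoff = rng.randint(0, self.cw)


@dataclass
class Stats:
    slots: int = 0
    successes: int = 0
    collisions: int = 0
    max_cw_seen: int = CW_MIN
    events: list = field(default_factory=list)   # (slot, kind, who)


def simulate(n_stations: int, frames_per_station: int, seed: int = 0,
             max_slots: int = 500_000) -> Stats:
    """Run DCF until every station has delivered all of its frames."""
    rng = random.Random(seed)
    stations = [Station(f"sta{i}", frames_per_station) for i in range(n_stations)]
    for s in stations:
        s.draw_backoff(rng)
    stats = Stats()
    busy_until = 0  # first slot index at which the medium is idle again

    while any(s.frames_left > 0 for s in stations):
        slot = stats.slots
        stats.slots += 1
        if slot >= max_slots:
            raise RuntimeError("simulation did not converge")
        if slot < busy_until:
            # Carrier sense says busy (frame/ACK in flight or DIFS not yet
            # elapsed): every station defers and its backoff counter is frozen.
            continue

        # Idle slot: each waiting station counts down; those reaching zero send.
        ready = []
        for s in stations:
            if s.frames_left == 0:
                continue
            if s.backoff > 0:
                s.backoff -= 1
            if s.backoff == 0:
                ready.append(s)
        if not ready:
            continue

        # Whoever transmits occupies the medium; the following DIFS is busy time too.
        busy_until = slot + 1 + FRAME_SLOTS + DIFS_SLOTS
        if len(ready) == 1:
            s = ready[0]                  # the AP receives the frame and ACKs it
            s.frames_left -= 1
            s.cw = CW_MIN                 # a success resets the contention window
            stats.successes += 1
            stats.events.append((slot, "ack", s.name))
            if s.frames_left:
                s.draw_backoff(rng)
        else:
            # Two or more counters hit zero in the same slot: no ACK comes back,
            # so each sender doubles its window and draws a new backoff.
            stats.collisions += 1
            stats.events.append((slot, "collision", [s.name for s in ready]))
            for s in ready:
                s.cw = min(2 * s.cw + 1, CW_MAX)
                stats.max_cw_seen = max(stats.max_cw_seen, s.cw)
                s.draw_backoff(rng)
    return stats


if __name__ == "__main__":
    for n in (1, 4, 16):
        st = simulate(n, 5, seed=42)
        print(f"{n:2d} stations: {st.successes} frames, {st.collisions} collisions, "
              f"{st.slots} slots, largest CW {st.max_cw_seen}")
```

Raising the station count shows the cost the chapter describes: more contenders mean more collisions and larger windows, so the slots spent per delivered frame climb.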
WLAN SSIDs
Wireless network designers must fully understand the concept of Service Set Identifiers (SSIDs). An SSID is an identifier for a logical wireless LAN and is similar in some ways to the concept of Ethernet VLANs, which define who can talk to each other in a LAN based on the broadcast domain. With WLANs, everyone is in the same collision and broadcast domain, so stations can receive everyone’s traffic. This is why SSIDs are used to split WLANs logically. Two devices that are in different SSIDs will ignore each other’s traffic, but this does not affect the collision domain.
One major misconception about wireless networking is that SSID logical structures are similar to collision domains. This is not true: every device is in the same collision and broadcast domain as the other devices within its signal range. SSIDs simply cause stations to ignore frames received from other SSIDs.
When considering the SSID concept, the infrastructure can be built in one of two modes (ad hoc or infrastructure) across the following three service set types, based on who participates in the WLAN:
- Independent Basic Service Set (IBSS)
- Basic Service Set (BSS)
- Extended Service Set (ESS)
IBSS is not used very much in modern networks, as it uses ad-hoc mode, in which wireless stations communicate directly with each other without any APs. An example of an ad-hoc network would be two workstations establishing a direct wireless connection without an intermediary AP (the equivalent of directly connecting two workstations with an Ethernet patch cord). The BSS approach, also called wireless infrastructure mode, is much more common. This involves APs that act as traffic hubs, as described earlier.
ESS (which also operates in infrastructure mode) involves multiple APs that are servicing the same SSID. This allows individuals to cover a larger distance with their wireless devices in a transparent and seamless manner. In addition, the users can move from AP to AP, keeping the same SSID identifiers.
Wireless Association
Devices go through a wireless negotiation process, called association, with an AP in order to participate in a WiFi network in infrastructure mode, as illustrated in Figure 10.1 below:
Figure 10.1 – Wireless Association Process
In order to accomplish this association, the client device sends a probe request to find an AP. An AP that receives the probe request sends a probe response, and the client then initiates the association, indicating whether it accepts or rejects the AP. If the association is successful, the AP records the client’s MAC address. The wireless association process is very similar to a DHCP handshake.
WLAN Topologies
Once the association is complete, the AP’s main job is to bridge traffic, either wired-to-wireless or wireless-to-wireless. Wireless LANs, similar to Non-Broadcast Multi-Access (NBMA) technologies, can be implemented and configured under many different topologies. In wireless LAN environments, APs can perform the following roles:
- Bridges
- Repeaters
- Mesh topologies
Wireless bridges function in the following ways (illustrated in Figure 10.2 below):
- They accept traffic from traditional LANs and forward it to wireless clients. This process involves translation between wired and wireless networks, also called multipoint bridging.
- They can work in point-to-point mode in order to connect two buildings (LANs).
- They can work in point-to-multipoint mode in order to connect multiple buildings.
Figure 10.2 – WLAN Bridge Topology
Note: When using wireless bridge functionality in a point-to-point mode, the two buildings/areas must have line-of-sight connectivity.
APs can function as repeaters, accepting a weak RF signal, strengthening (amplifying) it, and then resending it. This operation is used to extend the range of wireless networks, as illustrated in Figure 10.3 below:
Figure 10.3 – WLAN Repeaters Topology
The mesh AP topology is the most sophisticated and widely used wireless topology. When used in this type of topology, the AP can function as a repeater or as a bridge, as needed, based on RF conditions. This technology allows network designers to use wireless technologies to cover large geographical areas and it ensures features such as the following (illustrated in Figure 10.4 below):
- Fault tolerance
- Load distribution
- Transparent roaming
Figure 10.4 – WLAN Mesh Access Point Topology
Note: In addition to their use in the enterprise sector, wireless mesh technologies are also used in the public sector to ensure Wi-Fi access in certain urban areas.
Wireless VLAN Support
Modern enterprise APs support multiple SSIDs per AP, which can be mapped to VLANs and then trunked back to the LAN via 802.1Q. The SSID-to-VLAN mapping can occur automatically based on the security settings. This does not separate the broadcast or collision domain, it only creates different logical segments.
For example, you can have an SSID called “guest” that has no security and another SSID called “private” that uses WPA2 security. When users connect to the “guest” SSID, they will be mapped to a guest VLAN automatically and when they connect to the “private” SSID, they will be mapped to another (secured) VLAN automatically. In this way, users authenticated as guests receive access only to specific resources, and corporate employees can receive access to other (more sensitive) resources. This concept is illustrated in Figure 10.5 below:
Figure 10.5 – WLAN VLAN Topology
Note: The Cisco wireless solutions portfolio includes Aironet APs (designed for enterprise usage) and Linksys APs (designed for small office/home office usage).
WLAN Security Design
Security is one of the essential aspects of a WLAN that a network designer should consider. The original 802.11 standard was not built with strong security features in mind. The first WLAN security mechanism was Wired Equivalent Privacy (WEP), which emerged with the 802.11b standard. WEP is a flawed security mechanism that is vulnerable to several types of attacks because it is built on the RC4 stream cipher.
Wi-Fi Protected Access (WPA) became available in 2003 and was intended as an intermediate measure in anticipation of the availability of the more secure and complex WPA2. The recommended WLAN security protocol is WPA2, based on the 802.11i architecture. WPA2 can be integrated with the 802.1X architecture that can work on top of either an 802.3 (wired) or an 802.11 (wireless) environment. This allows individual users and devices to authenticate using the Extensible Authentication Protocol (EAP) and an authentication server (i.e., RADIUS or TACACS+). The authentication server can be an open standard solution or the Cisco Access Control Server (ACS). WPA2 and 802.11i also involve the Robust Security Network (RSN) concept that is used to keep track of the associations to the APs.
For confidentiality, integrity, and origin authentication, you should go beyond the Data Encryption Standard (DES) algorithm and employ the Advanced Encryption Standard (AES) for strong encryption at the enterprise level (128 bit, 256 bit, or beyond).
Another security design issue you must deal with is unauthorized access. In wireless networks, there are no physical boundaries, so attackers can get access from outside the physical security perimeter. Attackers can introduce rogue APs or soft APs on laptops or handheld devices that can breach security policies. Since wireless signals are not easily controlled or contained, this could create security issues for the network designer.
MAC address security can be used to allow only certain devices to associate with the APs, but this cannot prevent MAC address spoofing techniques. Another solution would involve MAC address filtering, but this is not very scalable when dealing with a large number of wireless clients. The most efficient solution to this problem is using 802.1X port-based authentication. This is an authentication standard for both wired and wireless LANs, as illustrated in Figure 10.6 below:
Figure 10.6 – 802.1X Functionality
802.1X works by authenticating the user before allowing access to the network and involves the following three components:
- Supplicant (client)
- Authenticator (AP or switch)
- Authentication server (Cisco ACS)
The client workstation can run client software known as a supplicant, which can be either a Windows client or a Cisco client software supplicant. The client software requests access to different services and it uses EAP to communicate with the AP (or LAN switch), which is the authenticator. The authenticator will then verify the client information against an authentication server such as RADIUS.
The following five EAP types are covered here:
- Transport Layer Security (EAP-TLS)
- Protected Extensible Authentication Protocol (PEAP)
- EAP Tunneled Transport Layer Security (EAP-TTLS)
- Lightweight EAP (LEAP)
- Flexible Authentication via Secure Tunneling (EAP-FAST)
EAP-TLS is a commonly used EAP method in wireless solutions that requires a certificate to be installed on both the supplicant and authentication server. The key pairs must first be generated and then signed by a local or a remote Certificate Authority (CA) server. The key communication process used by EAP-TLS is similar to SSL encryption, in that the user’s certificate is sent through an encrypted tunnel. EAP-TLS is one of the most secure authentication methods, but it is also very expensive and difficult to implement.
PEAP requires only a server-side certificate that will be used to create the encrypted tunnel. The authentication process takes place inside that tunnel. PEAP was jointly developed by Cisco, Microsoft, and RSA, so it is heavily used in Microsoft Windows environments. PEAP uses the Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2) or Generic Token Card (GTC) to authenticate the user inside the encrypted tunnel.
EAP-TTLS is much like PEAP, as it uses a TLS tunnel to protect the less secure authentication mechanisms. This might include protocols such as Password Authentication Protocol (PAP), CHAP, MS-CHAPv2, or EAP Message Digest 5 (MD5). EAP-TTLS is not widely used in enterprise networks, but it can be found in legacy environments that contain older authentication systems (e.g., Windows NT).
LEAP was created by Cisco as a proprietary solution for their equipment and systems. It is still supported by a variety of operating systems, such as Windows and Linux, but it is no longer considered secure because a series of vulnerabilities that affect it were identified.
EAP-FAST is also a Cisco-developed EAP type that aimed to address the weaknesses in LEAP. When using EAP-FAST, server certificates are optional, so it offers a lower-cost implementation than full-blown PEAP or EAP-TTLS. EAP-FAST uses a Protected Access Credential (PAC) to establish the TLS tunnel that protects the credential exchange. The PAC is a strong shared secret key that is unique for every client.
Note: The most commonly used EAP solutions for small business networks are PEAP and EAP-FAST and for large enterprise solutions, it is EAP-TLS.
Another important security aspect in WLAN networks involves controlling WLAN access to servers. Just as you would place DNS servers that are accessible from the Internet in a DMZ segment, you should apply the same strategy to RADIUS/TACACS+ and DHCP servers used in the WLAN solution. These servers should be placed into their own VLAN that has a strictly controlled network access policy. These servers should also be protected against DoS attacks by using IPS solutions.
Cisco Unified Wireless Solution
The Cisco unified wireless network concept includes the following elements:
- Wireless clients: This component includes laptops, workstations, PDAs, IP phones, smartphones, tablets, and manufacturing devices that have embedded wireless technology.
- Access points: This component provides access to the wireless network and it should be placed strategically in the correct locations to get the best performance and minimal interference.
- Network management: Network management is accomplished through the network wireless control system. This is the central management tool that allows the design, control, and monitoring of wireless networks.
- Network unification: The wireless LAN system should be able to support wireless applications by offering unified security policies, QoS, IPS, and RF management. Cisco Wireless LAN Controllers (WLCs) offer this unified integration functionality to all of its major switching platforms and routing platforms.
- Network services: Wireless network services are also referred to as mobility services and include guest access, voice services, location services, and threat detection and mitigation.
One of the advantages of using the Cisco unified wireless solution is that as a centralized control architecture, it offers reduced TCO, improved visibility, dynamic RF management, enhanced WLAN security, enterprise mobility, and improved productivity and collaboration.
Standalone versus Lightweight Access Points
Standalone APs are also known as autonomous APs. They are easy to install but they can be difficult to manage in large deployments. They are not as desirable as the lightweight APs from Cisco because they must be managed individually. In addition, different parameters must be configured manually on each device; this includes the SSID, VLAN information, and security features.
The Cisco Unified Wireless Network (CUWN) introduced the concept of lightweight APs (LWAPs) and wireless LAN controllers (WLCs). These two types of wireless devices divide the responsibilities and the functionalities that an autonomous AP would perform on its own. This technology adds scalability by separating the WLAN data plane from the control plane into a split-MAC design, as illustrated in Figure 10.7 below.
LWAPs focus only on the actual RF transmissions and the necessary real-time control operations, such as beaconing, probing, or buffering. At the same time, WLCs manage all non real-time tasks, such as the following:
- SSID management
- VLAN management
- Access point association management
- Authentication
- Wireless QoS
Figure 10.7 – WLAN Split-MAC Operation
Modern LWAPs have plug-and-play capabilities and require WLCs for operation. They can be connected directly to the network without the need for additional configuration. The management logic and the way it functions are dictated by the WLC configuration. This makes the implementation process much easier than would be the case if autonomous APs were used.
LWAP to WLC Communication
When using LWAPs, all RF traffic they receive must first go to the WLC device that manages the specific AP. This changes the way in which traditional WLAN communications work, even for hosts associated to the same AP.
The RF communication between LWAPs and WLCs is handled (tunneled) using the Lightweight Access Point Protocol (LWAPP). The LWAPP tunnel can operate in either Layer 2 or Layer 3 mode. In Layer 2 mode, the AP and the WLC share the same VLAN and subnet: the LWAP receives 802.11 frames and encapsulates them inside Ethernet frames toward the WLC. In Layer 3 mode, the LWAP receives 802.11 frames and encapsulates them inside UDP toward the WLC. This implies that the WLC can be anywhere, as long as it is reachable by the AP.
The LWAP Protocol
The LWAP protocol (LWAPP) allows intelligence to be moved away from the AP and shared with WLCs. WLCs handle the wireless policies, the control messaging setup, authentication, and wireless operations. WLCs can also be considered the bridge between wireless networks and wired networks. WLC devices can manage multiple APs, providing configuration information as well as firmware updates as needed.
LWAPP is an IETF draft standard for wireless LAN control messaging between APs and the WLCs. It can operate at both Layer 2 and Layer 3, but the Layer 3 LWAPP is far more popular.
Note: The APs and the WLCs exchange control messages over the wired backbone network.
The LWAP Layer 2 (MAC) functions include the following:
- 802.11 beacons and probe responses
- Packet control
- Packet acknowledgement and transmission
- Frame queuing and packet prioritization
- 802.11i MAC layer data encryption and decryption
The WLC Layer 2 functions include the following:
- 802.11 MAC management
- 802.11e resource reservation
- 802.11e authentication and key management
Layer 3 LWAPP tunnels are used between APs and WLCs to transmit control messages, using UDP port 12223 for control and UDP port 12222 for data messages. Cisco LWAPs can operate in the following six modes:
- Local mode
- REAP (Remote Edge Access Point) mode
- Monitor mode
- Rogue detector (RD) mode
- Sniffer mode
- Bridge mode
Local mode is the default mode of operation of LWAPP. Every 180 seconds, the AP spends 60 ms on channels on which it does not operate. During the 60 ms time period, the AP performs noise and interference measurements and scans for intrusion detection events.
The REAP mode allows the LWAP to reside across a LAN link and still be able to communicate with the WLC and provide the functionality of a regular LWAP. REAP mode is not supported on all LWAP models.
Monitor mode is a special feature that allows LWAP-enabled APs to exclude themselves from dealing with data traffic between clients and the infrastructure. Instead, they act as dedicated sensors for location-based services, rogue AP detection, and intrusion detection systems. APs in monitor mode cannot serve clients because they continuously cycle through all available channels, listening on each channel for approximately 60 ms.
In RD mode, the LWAP monitors for rogue APs. The goal of the rogue detector AP is to see all the VLANs in the network, because rogue APs can be connected to any of them. The switch sends the rogue AP client MAC address lists to the RD AP, which forwards them to the WLC to compare against the MAC addresses of legitimate clients. If MAC addresses match, the controller knows that the rogue AP serving those clients is on the wired network.
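The correlation the rogue detector performs, as an added example that is not Cisco code: client MACs seen associating to rogue APs over the air are matched against MACs observed on the wired VLANs, and a hit means the rogue is bridged into the LAN. The rogue list, the wired-side line format, and the corporate SSID check are constructed for this demo and do not reproduce any real WLC or switch message format.

```python
"""Rogue-AP-on-wire correlation modelled on the WLC rogue detector (RD) logic.

Added example, not Cisco code. ROGUE_APS, WIRED_OBSERVATIONS and the
"vlan= mac= port=" line format are constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# Constructed: rogue BSSIDs reported over the air, with the client MACs seen
# associating to each of them.
ROGUE_APS = {
    "02:11:22:33:44:01": {"ssid": "FreeWiFi", "clients": ["d4:3b:04:aa:00:01", "d4:3b:04:aa:00:02"]},
    "02:11:22:33:44:02": {"ssid": "private", "clients": ["a8:6d:aa:bb:00:10"]},
    "02:11:22:33:44:03": {"ssid": "guest", "clients": ["f0:9f:c2:00:00:07"]},
    "02:11:22:33:44:04": {"ssid": "coffee-shop", "clients": []},
}

# Constructed: wired-side station sightings relayed by the RD AP, which sits
# on a trunk carrying every user VLAN.
WIRED_OBSERVATIONS = """\
vlan=10 mac=D4:3B:04:AA:00:01 port=Gi1/0/7
vlan=10 mac=00:50:56:12:34:56 port=Gi1/0/8
vlan=30 mac=a8-6d-aa-bb-00-10 port=Gi1/0/21
vlan=30 mac=a8:6d:aa:bb:00:11 port=Gi1/0/21
"""

LINE_RE = re.compile(r"vlan=(?P<vlan>\d+)\s+mac=(?P<mac>[0-9A-Fa-f:\-]{17})\s+port=(?P<port>\S+)")


def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form so 'AA-BB' and 'aa:bb' compare equal."""
    return mac.lower().replace("-", ":")


def parse_wired(text: str) -> dict:
    """Map each wired MAC to the (vlan, port) pairs it was seen on; skip junk lines."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        seen.setdefault(norm_mac(m["mac"]), []).append((int(m["vlan"]), m["port"]))
    return seen


@dataclass
class Verdict:
    bssid: str
    ssid: str
    on_wire: bool = False
    impersonates: bool = False                     # advertises a corporate SSID
    evidence: list = field(default_factory=list)   # (client mac, vlan, port)


def classify_rogues(rogues: dict, wired_text: str, corporate_ssids: set) -> dict:
    """A rogue whose wireless client also shows up on a wired VLAN is on our
    network (it is bridging into the LAN). Others are off-wire unless they
    advertise one of our SSIDs, which is flagged as an added refinement."""
    wired = parse_wired(wired_text)
    verdicts = {}
    for bssid, info in rogues.items():
        v = Verdict(bssid, info["ssid"], impersonates=info["ssid"] in corporate_ssids)
        for client in info["clients"]:
            mac = norm_mac(client)
            for vlan, port in wired.get(mac, []):
                v.evidence.append((mac, vlan, port))   # where to look on the switch
        v.on_wire = bool(v.evidence)
        verdicts[bssid] = v
    return verdicts


def priority(v: Verdict) -> str:
    """Triage order: wired rogues first, then SSID impersonators, then neighbours."""
    if v.on_wire:
        return "critical"
    if v.impersonates:
        return "high"
    return "low"


if __name__ == "__main__":
    for bssid, v in classify_rogues(ROGUE_APS, WIRED_OBSERVATIONS, {"private", "guest"}).items():
        print(f"{bssid} ssid={v.ssid:<12} {priority(v):<8} on_wire={v.on_wire} {v.evidence}")
```

The VLAN and switch port carried in the evidence are what an operator needs to locate and disconnect a wired rogue; a high-priority off-wire rogue advertising a corporate SSID is a client-side risk rather than a LAN breach.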
Sniffer mode allows the LWAP to capture and forward all the packets on a particular channel to a remote machine that is running packet capturing and analysis software. These packets include timestamps, packet size, and signal strength information.
The bridge mode typically operates on outdoor APs that function in a mesh topology. This cost-effective high-bandwidth wireless bridging connectivity mechanism includes point-to-point or point-to-multipoint bridging.
Wireless LAN Controllers
WLCs have the following three components:
- Wireless LAN
- Interfaces
- Ports
The wireless LAN is the SSID network name. Every wireless LAN is assigned to an interface in the WLC, and each wireless LAN is configured with policies for RF, QoS, and other wireless LAN attributes.
The WLC interfaces are logical connections that map to a VLAN on the wired network. Every interface is configured with a unique IP address, a default gateway, physical ports, VLAN tagging, and a DHCP server. WLCs support the following five interface types:
- The management interface, used for in-band management, connectivity to an AAA server, and Layer 2 discovery and association
- An optional service port interface for out-of-band management that is statically configured
- The AP manager interface, used for Layer 3 discovery and association (the static WLC IP address will be configured on this interface)
- Dynamic interfaces (these are the VLANs designated for wireless LAN clients data)
- Virtual interfaces, used for Layer 3 security authentication, DHCP relay support, and management of mobility features
The port is a physical connection to the neighboring switch or router; by default, each port is an 802.1Q trunk port. WLCs might have multiple ports that go into a single port-channel interface (link aggregation can be applied to these ports). Some WLCs also have a service port that is used for out-of-band management.
Note: Different WLC platforms can support up to several hundred APs.
Roaming and Mobility
One of the main features of a WLAN solution is the users’ ability to access network resources from different areas, including zones where it is difficult to install cables. Another reason for using WLANs would be organizational policies that allow guest access only wirelessly. Sometimes a wireless LAN solution is built as a transition network until the complete wired network is implemented.
Considering the scenarios mentioned above, end-users will most likely move from one location to another. The solution to this issue is offered by the roaming and mobility features that enable users to access the network from different locations.
Roaming occurs when wireless clients change their association from one LWAP to another without losing connectivity. Designers should scale the wireless network carefully to allow for the client roaming process. Wireless roaming can be divided into the following two categories (illustrated in Figure 10.8 below):
- Intra-controller roaming
- Inter-controller roaming (Layer 2 or Layer 3)
Figure 10.8 – WLAN Mobility
Intra-controller roaming occurs when a client moves its association from one AP to another access point controlled by the same WLC. At that moment, the WLC will update the client database with the new association and it will not change the client’s IP address.
Inter-controller roaming can operate in either Layer 2 or Layer 3. In Layer 2 inter-controller roaming, users move from AP to AP and from WLC to WLC, but they remain in the same subnet. Layer 3 inter-controller roaming is more difficult to implement because users can move from AP to AP, from WLC to WLC, and from subnet to subnet. In this scenario, the WLCs must be configured with mobility groups to communicate and exchange information about the roaming user’s status.
A very important advantage of Layer 3 inter-controller roaming is that users can maintain their original IP address. The two wireless LAN controllers are connected through an IP connection. In this situation, the traffic is bridged to a different IP subnet. When the client associates to the new AP, the new WLC exchanges mobility information with the old WLC. The original client database is not moved to the new WLC. Instead, the old WLC will mark the client in its database entry (anchor entry) and this entry is copied to the new WLC database that will mark this entry as a foreign entry. The wireless client keeps its original IP address and it is re-authenticated as soon as a new security session is established.
Wireless LAN controllers are assigned to mobility groups in order to exchange mobility messages and tunnel data over the IP connection dynamically. Mobility groups use the following ports to exchange data:
- LWAPP control: UDP 12223
- LWAPP data: UDP 12222
- WLC exchange of unencrypted messages: UDP 16666
- WLC exchange of encrypted messages: UDP 16667
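The client-database handling described for intra-controller and inter-controller roaming, as an added model that is not Cisco code: an intra-controller roam only updates the AP field, a Layer 2 inter-controller roam moves the entry, and a Layer 3 inter-controller roam leaves an anchor entry on the old WLC and a foreign copy on the new one so the client keeps its IP address. The entry fields, the one-subnet-per-WLC assumption, and the reauth flag are illustrative choices, not real WLC data structures.

```python
"""Model of WLC client-database handling for intra- and inter-controller roaming.

Added example, not Cisco code. ClientEntry fields, the single client subnet
per WLC and the reauth_pending flag are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class ClientEntry:
    mac: str
    ip: str
    ap: str
    role: str = "local"             # "local", "anchor" or "foreign"
    peer: Optional[str] = None      # the other WLC involved in a Layer 3 roam
    reauth_pending: bool = False    # new security session still to be established


class WLC:
    def __init__(self, name: str, mobility_group: str, subnet: str) -> None:
        self.name = name
        self.mobility_group = mobility_group
        self.subnet = ip_network(subnet)   # assumption: one client subnet per WLC
        self.aps = set()
        self.clients = {}

    def add_ap(self, ap: str) -> None:
        self.aps.add(ap)

    def associate(self, mac: str, ap: str, ip: str) -> ClientEntry:
        """Initial association: the client holds an address in this WLC's subnet."""
        if ap not in self.aps:
            raise ValueError(f"{ap} is not managed by {self.name}")
        if ip_address(ip) not in self.subnet:
            raise ValueError(f"{ip} is not in {self.subnet}")
        entry = ClientEntry(mac, ip, ap)
        self.clients[mac] = entry
        return entry

    def intra_roam(self, mac: str, new_ap: str) -> ClientEntry:
        """Both APs hang off this WLC: update the AP field, keep the IP address."""
        if new_ap not in self.aps:
            raise ValueError(f"{new_ap} is not managed by {self.name}")
        entry = self.clients[mac]
        entry.ap = new_ap
        return entry


def inter_roam(old: WLC, new: WLC, mac: str, new_ap: str) -> ClientEntry:
    """Client moves to an AP on another WLC in the same mobility group.
    Same subnet: a Layer 2 roam, the entry simply moves. Different subnet: a
    Layer 3 roam, the old WLC keeps an anchor entry and the new WLC holds a
    foreign copy, so the client keeps its original IP address."""
    if old.mobility_group != new.mobility_group:
        raise ValueError("WLCs must share a mobility group to exchange client state")
    if new_ap not in new.aps:
        raise ValueError(f"{new_ap} is not managed by {new.name}")
    entry = old.clients[mac]
    if old.subnet == new.subnet:
        # Layer 2 inter-controller roam: ownership transfers outright.
        del old.clients[mac]
        moved = ClientEntry(mac, entry.ip, new_ap, role="local")
        new.clients[mac] = moved
        return moved
    # Layer 3 inter-controller roam: database entry is not moved, it is marked and copied.
    entry.role = "anchor"
    entry.peer = new.name
    foreign = ClientEntry(mac, entry.ip, new_ap, role="foreign", peer=old.name,
                          reauth_pending=True)
    new.clients[mac] = foreign
    return foreign


def home_wlc(wlc: WLC, mac: str) -> str:
    """Name of the WLC that owns the client's subnet: the anchor for a foreign entry."""
    entry = wlc.clients[mac]
    return entry.peer if entry.role == "foreign" else wlc.name


if __name__ == "__main__":
    a = WLC("wlc-a", "campus", "10.1.0.0/24"); a.add_ap("ap1"); a.add_ap("ap2")
    b = WLC("wlc-b", "campus", "10.2.0.0/24"); b.add_ap("ap3")
    a.associate("00:11:22:33:44:55", "ap1", "10.1.0.50")
    print(a.intra_roam("00:11:22:33:44:55", "ap2"))
    print(inter_roam(a, b, "00:11:22:33:44:55", "ap3"), "anchored at", home_wlc(b, "00:11:22:33:44:55"))
```

A further roam from a WLC that already holds a foreign entry is left out of the model; it only covers the single anchor/foreign pair the text describes.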
Wireless LAN Design Considerations
Some key issues must be considered when designing a wireless LAN environment. First, the controller redundancy design should be analyzed carefully. WLCs can be configured for dynamic redundancy or deterministic redundancy. With deterministic redundancy, the AP is configured with a primary controller, a secondary controller, and a tertiary controller. This requires much planning but it offers good predictability and faster failover times. Dynamic controller redundancy uses LWAPP to load balance APs across WLCs.
Another issue that must be analyzed in the design process involves radio channel management and radio groups. For example, the 802.11b and 802.11g standards offer three non-overlapping channels (1, 6, and 11), so you can use Cisco Radio Resource Management (RRM) to manage AP RF channels and power configurations. WLCs use the RRM algorithm for automatic configuration and optimization. Radio groups (RG) are clusters of WLCs that coordinate their RRM calculations. When a WLC is placed in a radio group, the RRM calculation will scale up from a single WLC to multiple floors, buildings, or even a campus.
The RF site survey should be accomplished in the WLAN design phase by certified wireless professionals. The RF site survey contains the following five steps:
- Define the customer requirements.
- Identify coverage areas and user density.
- Determine the preliminary locations and requirements of the APs (including necessary antenna types and wired connections).
- Accomplish the actual survey and identify elements that might interfere with the WLAN signal and components.
- Document the process (including AP location, data, and signal rates).
From a network design standpoint, you might also be in a situation of having to configure and plan an outdoor wireless mesh configuration. This includes the following components:
- The wireless control system
- Wireless LAN controllers
- External AP bridge (rooftop AP)
- Outdoor mesh APs
An important design consideration for outdoor wireless mesh scenarios is the 2 to 3 ms of latency added per hop, so fewer than 4 hops is recommended to ensure a good level of performance. Another recommendation is having no more than 20 mesh AP nodes per external AP bridge for best performance.
The most important wireless campus design considerations include the following:
- The number of APs: Sufficient APs should be included to ensure RF coverage for all the wireless clients in all enterprise areas. Cisco recommends 20 data devices per AP.
- The placement of APs: APs should be placed in central locations of different enterprise areas in order to ensure proper user connectivity.
- Power options for APs: APs can be powered by traditional methods or by using PoE capabilities.
- The number of WLCs: The number of WLCs depends on the chosen redundancy model (based on the client requirements) and on the number of APs. The recommended redundancy model is deterministic redundancy.
- The placement of WLCs: WLCs should be placed in secured wiring closets, server rooms, or data centers. WLCs can be placed in a central location or they can be distributed throughout the campus Distribution Layer. Inter-controller roaming should be minimized.
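The AP-count guideline (20 data devices per AP) and the deterministic redundancy model (primary, secondary and tertiary controller per AP) can be combined into a simple capacity planner. The following Python script is an added example, not a Cisco tool: it sizes the APs for a set of constructed areas, rotates the primary/secondary/tertiary assignment across the controllers so load is spread while every failover target stays predictable, and then checks whether any single controller failure would push a surviving WLC past its AP capacity. The area names, device counts, controller names and the per-controller AP capacities are constructed values; the 20-devices-per-AP figure is the one the text gives.

```python
# Added example: size APs and plan deterministic WLC redundancy, then check
# that the design survives any single controller failure.
import math

DEVICES_PER_AP = 20  # text: Cisco recommends 20 data devices per AP

# Constructed per-area device counts for a campus.
AREAS = {
    "Building A floor 1": 95,
    "Building A floor 2": 60,
    "Building B": 130,
    "Library": 12,
}

# Constructed controllers and an assumed AP capacity for each (kept small so
# the failure check below has something to report).
WLCS = {"WLC-1": 10, "WLC-2": 10, "WLC-3": 10}


def aps_per_area(areas, devices_per_ap=DEVICES_PER_AP):
    """Minimum APs per area for the device density guideline (at least one)."""
    return {area: max(1, math.ceil(devices / devices_per_ap)) for area, devices in areas.items()}


def ap_names(area_counts):
    """Deterministic AP names, e.g. 'Library AP1', in area order."""
    return [f"{area} AP{index + 1}" for area, count in area_counts.items() for index in range(count)]


def deterministic_plan(aps, wlc_names):
    """Give each AP a (primary, secondary, tertiary) tuple by rotating the
    controller list, so consecutive APs start on different controllers."""
    if len(wlc_names) < 3:
        raise ValueError("deterministic redundancy needs at least three controllers")
    return {ap: tuple(wlc_names[(i + k) % len(wlc_names)] for k in range(3))
            for i, ap in enumerate(aps)}


def serving_controller(plan, ap, alive):
    """The WLC an AP joins: first of primary/secondary/tertiary that is up."""
    for wlc in plan[ap]:
        if wlc in alive:
            return wlc
    return None


def controller_load(plan, alive):
    """Number of APs joined to each surviving controller."""
    load = {wlc: 0 for wlc in alive}
    for ap in plan:
        wlc = serving_controller(plan, ap, alive)
        if wlc is not None:
            load[wlc] += 1
    return load


def single_failure_findings(plan, wlcs):
    """Simulate each controller failing on its own and report overloads."""
    findings = []
    for down in wlcs:
        alive = set(wlcs) - {down}
        for wlc, count in sorted(controller_load(plan, alive).items()):
            if count > wlcs[wlc]:
                findings.append(f"if {down} fails, {wlc} would carry {count} APs (capacity {wlcs[wlc]})")
    return findings


def build_plan(areas=AREAS, wlcs=WLCS):
    return deterministic_plan(ap_names(aps_per_area(areas)), list(wlcs))


if __name__ == "__main__":
    plan = build_plan()
    print("APs per area:", aps_per_area(AREAS))
    print("steady-state load:", controller_load(plan, set(WLCS)))
    for finding in single_failure_findings(plan, WLCS):
        print("FINDING:", finding)
```

With the constructed numbers the campus needs 16 APs; in steady state the three controllers carry 6, 5 and 5 APs, and the simulation shows that losing WLC-1 or WLC-3 would leave a neighbor with 11 APs against an assumed capacity of 10, so either larger controllers or a fourth WLC would be needed before this design met the deterministic redundancy goal.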
Summary
Wireless networks are experiencing widespread growth because of their availability, flexibility, and service offerings. Wireless local-area networks (WLANs) offer network access via radio waves. Wireless clients (such as a PC or PDA) access a wireless access point (AP), using half-duplex communication. The wireless AP allows a wireless client to reach the rest of the network.
Traditional WLANs use an AP in autonomous mode, where the AP is configured with a service set identifier (SSID), radio frequency (RF) channel, and RF power settings. However, having an autonomous AP tasked with all these responsibilities can limit scalability.
The major components of the Cisco Unified Wireless Network (CUWN) architecture are as follows:
- Wireless clients
- Access points
- Network management
- Network unification
- Network services
Aside from autonomous mode, CUWN can alternatively operate in split-MAC mode. With split-MAC operation, an AP is considered a lightweight access point (LWAP), which cannot function without a wireless LAN controller (WLC).
Specifically, a wireless LAN client sending traffic to the wired LAN sends a packet to a LWAP, which encapsulates the packet using the Lightweight Access Point Protocol (LWAPP). The encapsulated traffic is sent over an LWAPP tunnel to a WLC. LWAPP data traffic uses a destination port of 12222; LWAPP control traffic uses a destination port of 12223.
The LWAP performs functions such as beaconing, packet transmission, and frame queuing; the WLC assumes roles such as authentication, key management, and resource reservation.
The operation of the wireless AP discussed thus far is referred to as local mode. However, several other AP modes exist, as follows:
- REAP (Remote Edge Access Point) mode
- Monitor mode
- Rogue detector (RD) mode
- Sniffer mode
- Bridge mode
After a wireless client, such as a PC, associates with its AP, the AP allows the client to communicate only with the authentication server until the client successfully logs in and is authenticated.
The WLC uses the Extensible Authentication Protocol (EAP) to communicate with the authentication server. Cisco Secure Access Control Server (ACS) could act as the authentication server, for example. Supported EAP types include the following:
- EAP-Transport Layer Security (EAP-TLS)
- EAP-Protected EAP (EAP-PEAP)
- EAP Tunneled Transport Layer Security (EAP-TTLS)
- Cisco Lightweight Extensible Authentication Protocol (LEAP)
- Cisco EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)
Wireless LAN controllers consist of the following components:
- Ports
- Interfaces
- WLANs
Wireless networks offer users mobility, where users can physically move throughout a campus. As the users move, their wireless clients update their AP association to the most appropriate AP, based on location.
With Layer 2 roaming, the WLCs with which the APs associate are in the same subnet. However, with Layer 3 roaming, the APs associate with WLCs on different subnets.
When a wireless client associates with a new AP, the new AP’s WLC exchanges Mobility messages with the old AP’s WLC. The client entry is not moved from the client database of the old WLC to the new WLC. Instead, the old WLC marks the client with an anchor entry and the database entry is copied to the new WLC client database where it is marked as a foreign entry.
Cisco offers an array of WLCs that support either dynamic or deterministic redundancy. Different controllers support a different number of APs.
When designing a wireless network, one of the first steps in the design process is to conduct an RF site survey. A site survey provides the network designer with a better understanding of an environment’s RF characteristics (e.g., coverage areas and RF interference). Based on the results of the RF site survey, the network designer can position the wireless infrastructure devices strategically.
Conducting an RF site survey involves the following five procedures:
- Define the customer requirements.
- Identify coverage areas and user density.
- Determine the preliminary locations and requirements of the APs (including necessary antenna types and wired connections).
- Perform the actual survey and identify elements that might interfere with the WLAN signal and components.
- Document the process (including AP location, data, and signal rates).
Many wireless networks also need to support connectivity for guests, without permitting guests full access to network resources. One approach to guest access is to isolate guest traffic on a separate VLAN.
Wireless network design might also need to address outdoor wireless connectivity (e.g., wirelessly interconnecting buildings). Traditionally, buildings were wirelessly interconnected using point-to-point bridging or point-to-multipoint bridging. CUWN, which is the basis of the wireless mesh network, is composed of the following elements:
- The wireless control system
- Wireless LAN controllers
- External AP bridge (rooftop AP)
- Outdoor mesh APs
When designing a wireless network for an enterprise campus, a designer should determine the following:
- The number of APs
- The placement of APs
- Power options for the APs
- The number of WLCs
- The placement of WLCs