Cisco WLAN design best practices


Robbie Harrell
12.14.2006

With most WLAN designs, security is the first capability folks worry about. Fortunately, WLAN technology contains robust security features with viable authentication and encryption mechanisms. A security solution can be designed in a variety of ways, however. This tip provides some best practices for designing effective security architectures.

We will cover specific design aspects of the Cisco Unified WLAN solution utilizing controller-based architectures. These best practices were developed over the course of multiple design initiatives with the Cisco solution, primarily from lessons learned while deploying it. Most of the information relates to the Cisco solution itself, but some of the lessons learned and best practices relate to the process behind deploying the designs.

User considerations
In most organizations, the user community dictates the security architecture. It is not a one-size-fits-all approach. The recommended approach is to identify the user communities that will utilize the WLAN system and design the security accordingly.

As a foundation, the following user communities are a good place to start:

  • Employees/visiting employees -- require access to corporate applications and need those applications to be secure
  • Contractors -- on site temporarily, but for an extended period of time; require access to some corporate applications (other than just Internet)
  • Guests -- need access to Internet only
  • Voice -- users who have VoWiFi-capable phones

In most cases, security architecture designs for these user groups differ. For example, the following is a proposed security design for the above:

  • Employees/visiting employees – 802.1X PEAP with single sign-on via RADIUS and Active Directory
  • Contractors – 802.1X EAP-FAST
  • Guests – daily username and password
  • Voice – 802.1X EAP-FAST

Controller architecture
The decision between centralized and distributed controller architecture is another key aspect in designing Cisco's solution. Multiple factors should be considered in determining which is right for you. The Cisco solution utilizes LWAP technology for the Unified solution. In this technology, the APs build a secure tunnel back to the controller via an LWAP tunnel. The technology uses IP to do this, so the concept of Layer 2 segmentation is no longer a consideration. In fact, the Ethernet connection from the AP to the Layer 2 switch cannot be a trunked interface. The LWAP tunneling capability allows for the controller to sit across a WAN connection, thereby providing the ability to centralize the controllers. This is very compelling in large distributed environments and is the model used in many VoIP solution designs.

It is important, however, to understand that in a centralized architecture, all the APs connect to the controller. Any routing off the WLAN is done by the router connected to the controller, which can create issues in centralized deployments. For example, if a user connected to an AP wants to print a document or retrieve a file from a local printer or server, the traffic from the AP is sent all the way back to the controller, then routed back across the WAN to the server or printer. This creates WAN backhauls for traffic between local client/server and printer resources. As you can imagine, this is not desirable.

RF design
A great feature of the Unified WLAN solution is the support for mobility and VoIP, but this feature requires very robust RF coverage, capacity and throughput, as well as failover coverage by the APs. Experience has shown that very tight cell areas and additional APs are required to supply the performance, scalability and availability needed for mission-critical transport (if the solution is just for Internet access, RF design can change significantly).

The recommended practice is to pilot the RF design and use both a standard site survey and the Cisco assisted site survey to develop a process for your unique environment. Test failover and mobility extensively to determine optimal cell size and throughput requirements.

Site demographics
Site demographics play a large role in determining AP placement and AP numbers. You can have sites with the exact same dimensions and building materials but totally different AP placements, based on the number of users and applications utilized in each site. Four standard site types are:

  1. Data only
  2. Data and Voice
  3. Manufacturing
  4. Internet only

(The assumption is that mobility is offered in 1, 2, and 3.)

These design considerations and best practices provide a foundation for deploying a robust WLAN solution with Cisco's gear. The key is to pilot and test these things yourself, and it is highly recommended that the pilot be designed for voice mobility. If the design can support voice mobility, it can cover 99% of the other applications a WLAN can support.

About the author:
Robbie Harrell (CCIE#3873) is the National Practice Lead for Advanced Infrastructure Solutions for SBC Communications. He has more than 10 years of experience providing strategic, business and technical consulting services. Robbie lives in Atlanta and is a graduate of Clemson University. His background includes positions as a principal architect at International Network Services, Lucent, Frontway and Callisma.
