White Paper

Intel Information Technology

Architecture and Design of a
WLAN Design
Primary Wireless Network
Intel IT created a new wireless LAN (WLAN) architecture and network design
that enables us to use wireless as a primary access method for data, voice, and
video services at a 5,000-user campus. Our goal was to overcome the inherent
challenges presented by wireless and deliver high performance, Quality of Service
(QoS), reliability, security, and manageability.

Danny Nissan and Omer Ben-Shalom, Intel Corporation

September 2006

IT@Intel
White Paper Architecture and Design of a Primary Wireless Network

Executive Summary
Intel IT developed a new wireless LAN (WLAN) network architecture and design
that is enabling us to converge data, voice, and video onto a unified network
infrastructure and use wireless as the primary access method. We have begun
a groundbreaking initiative to implement this approach at a major Intel site with
about 5,000 users.

This initiative shows We needed the new architecture and design to overcome inherent WLAN
that WLANs can achieve bandwidth limitations and the many other technical challenges we faced
the performance, when creating a primary wireless network on this scale. Our goals included:
reliability, QoS, and • Delivering high throughput while avoiding problems due to radio frequency
manageability needed (RF) interference
to deliver converged • Providing seamless roaming and Quality of Service (QoS) to support voice,
services within a large video, and data services on mobile clients
enterprise.
• Making the network highly reliable, secure, and manageable

We adopted a standards-based approach, adding proprietary specifications

where necessary. We are implementing our architecture and design using the
Cisco Unified Wireless Network*.

We are moving ahead to deploy voice, video, and data services over our primary
WLAN to users throughout the campus. This initiative shows that WLANs can
achieve the performance, reliability, QoS, and manageability needed to deliver
converged services within a large enterprise.


 Architecture and Design of a Primary Wireless Network White Paper

Contents
Executive Summary.................................................................................................................................................. 2

Background.................................................................................................................................................................... 4

The Wireless Challenge.......................................................................................................................................... 5

Evolving Standards................................................................................................................................................. 6

Wireless Architecture.. ............................................................................................................................................ 7

Radio Frequency Spectrum Management.................................................................................................. 7
Capacity Planning.................................................................................................................................................... 8
Process and Network Prioritization............................................................................................................... 9
Handoff and Roaming........................................................................................................................................... 9
Reliability and Redundancy.. ........................................................................................................................... 10
Management............................................................................................................................................................ 10
Security...................................................................................................................................................................... 11

Primary Wireless Design.................................................................................................................................... 13

Conclusion.................................................................................................................................................................... 15

Authors.......................................................................................................................................................................... 15

Acronyms.. .................................................................................................................................................................... 15


White Paper Architecture and Design of a Primary Wireless Network

Background
Wireless is becoming the preferred network access method among our mobile
users. Our existing WLANs are popular and widely deployed, but we maintain them
as separate networks alongside the wired LANs and currently consider them a
secondary means of network access. They provide a “best-effort” service level and
users can always revert to the wired LAN when wireless is not available.

We are developing a new architecture that integrates wired and wireless LAN
infrastructure, and establishes high-performance wireless as the primary access
method (diagrammed at a high level in Figure 1). We are beginning to deliver data,
voice and video wirelessly to mobile users on laptops, handsets, and other devices.

We have begun a major initiative to use primary technical challenges because it breaks new
WLANs based on our new architecture at a large ground, both as a large-scale primary wireless
Intel site that consists of five buildings with network and in the converged services it delivers.
about 5,000 users. This project presents many

Intel Environment
Primary Wireless LAN

WiFi Phones Soft Phones

802.11a and Headsets

Smart Phones
WiFi/Cellular
Laptops
802.11a/g

WAPs
Cellular Tower 802.11a/g

WLAN Controllers
Smart Phones Laptop
WiFi/Cellular

PBX

Data
Internet
Center
Wireless Access Point (WAP)
802.11a/g IP PBX IP Phones

Home Office or Hot Spot

Figure 1. Overview of our primary wireless architecture


 Architecture and Design of a Primary Wireless Network White Paper

The project is split into three successive phases • Phase Three: Supporting Voice over
for implementation: Internet Protocol (VoIP) for laptops and
handheld devices
• Phase One: Providing data services to a single
building, supporting laptop clients This paper describes the Phase Three architecture
and design of our network because it represents
• Phase Two: Adding video multicast
the complete project and therefore includes the
and proliferating the network across
aspects that occur in earlier phases.
the entire campus

The Wireless Challenge

As enterprise computing evolved, a delicate balance was achieved between system
building blocks, applications, and network bandwidth, as shown in Figure 2 on
the next page. As we move from switched Ethernet wired connections to shared
wireless connections, we disrupt this balance and network bandwidth becomes a
potentially limiting factor.

More specifically, the inherent characteristics of To overcome these challenges, we ultimately

wireless present several related challenges: need to focus on two technology areas:

• Wireless is a shared medium. Moving from • Close coordination and collaboration between
switched Ethernet to shared WLAN reduces mobile clients and infrastructure, including
available bandwidth. Application throughput WLAN access points and controllers.
varies with the ever-changing number
• Rewriting applications to be wireless network
of clients sharing the medium and is also
aware, so that they react to the availability
affected by signal quality and network
and changing performance of the network.
availability.
This also requires OS support.
• Signals can be received outside the building,
This paper describes our WLAN architecture and
so they can potentially be detected and
design, which addresses the first of these areas:
analyzed, disrupted, or hijacked.
coordination and collaboration between clients
• Spectrum is an expensive, regulated resource. and infrastructure. We expect applications that
Only a small portion of the RF spectrum, with are wireless network aware to further improve
limited bandwidth, is allocated for WLAN user experiences and productivity gains, but
use, and it is shared by other non-licensed these applications may not be widely available
technologies. for some time.


White Paper Architecture and Design of a Primary Wireless Network

Evolving Standards
Applications WLAN technology is still maturing and this presents additional
challenges. Though IEEE 802.11 WLAN standards cover key
technologies, standards are still lacking in many other areas.
Furthermore, many advanced features required to support WLAN
Operating primary access will not be available in the marketplace for two to
Memory Storage
System
three years.

Therefore, when developing our architecture and design, we looked

for existing products that implemented the maximum number
Network of features using IEEE specifications, and supplemented those
standards with proprietary additions where necessary.
Traditional enterprise computing with wired LANs:
A delicate balance

Applications

Operating
Memory Storage
System

Network

Wireless LANs disturb the balance,

limiting network bandwidth

Figure 2. Wireless disturbs the delicate balance of

computing.


 Architecture and Design of a Primary Wireless Network White Paper

Wireless Architecture
When developing our architecture, we needed to overcome several technical
challenges created by the inherent characteristics of RF. WLANs use unlicensed
spectrum that is potentially shared with other devices. They have limited bandwidth,
so latency-sensitive applications such as voice must be prioritized. Each access
point covers a limited area, and so we need many of them, with fast handoff
between them, to support latency-sensitive applications. Locating clients needing
maintenance can be challenging. And because the RF signal cannot be confined
within a building, we need strong security.

Because we are building a campus-wide wireless GHz band for other purposes, such as access by
network that will be users’ primary access legacy mobile devices, guests, and suppliers.
method, our approach also addresses managing
Non-WLAN technologies use the 5.2-GHz band
a large network with many access points and
less than the 2.4-GHz band. Also, the 5.2-GHz
achieving a high degree of reliability.
band provides at least eight, and potentially up
to 22, non-overlapping channels, compared with
Radio Frequency Spectrum three for the 2.4-GHz band. This provides several
Management advantages:
WLAN spectrum may be shared with other
• Less interference. Interference from non-
technologies, such as mobile phones, Bluetooth*
WLAN technologies and between neighboring
devices, and even microwave ovens, so there is
WLAN cells is less likely, making throughput
potential for interference.
easier to maximize.
Currently, WLANs use either of two bands: the
• Auto-configuration. The infrastructure can
2.4-GHz band, used by 802.11b and 802.11g
automatically select the channel and power of
WLANs, and the 5.2-GHz band, used by 802.11a.
access points.
We chose to use the 5.2-GHz band (802.11a) for
We also looked for products that exploited the
primary wireless access, while also using the 2.4-
additional channels to provide other features:


 White Paper Architecture and Design of a Primary Wireless Network

• Self-healing. The infrastructure responds to access point failure

30 by adjusting the channel and power setting of adjacent cells to
802.11a
802.11g compensate.
802.11g/b
25 802.11b
• Avoiding denial of service (DoS) attacks. The infrastructure
can detect a DoS attack on a specific channel and dynamically
20
change channels to avoid it.
Throughput (Mbps)

15
Capacity Planning
10 With a large WLAN, capacity planning is critical. Even though
the 5.2-GHz band we selected provides more channels than the
5 alternative, the number of non-overlapping channels is still small,
and each channel provides low overall throughput compared
1 with wired networks. In addition, there is potential interference
0 25 50 75 100 125 150 175 200 225 250 between cells that are using the same channels; called co-channel
Distance from Access Point (Feet) interference (CCI), this limits the available bandwidth within a
closed RF environment such as a building.
802.11b 802.11g/b 802.11g 802.11a
One key aspect of capacity planning is deciding how many clients
Layer 1 speed
we want each access point to support.
40-50 feet from 11 Mbps 54 Mbps 54 Mbps 54 Mbps
access point
This issue is complex. With WLANs, throughput is greatest near the
TCP throughput access point, and decreases as devices get farther away, as shown
40-50 feet from 6 Mbps 13 Mbps 20 Mbps 24 Mbps in Figure 3. But placing access points close together to provide the
access point
maximum throughput also increases the potential for CCI

Figure 3. WLAN Transmission Control Protocol (TCP) To provide users with high performance, we planned for 20 users
throughput with distance from an access point. per access point, maintaining a minimum total connection speed of
36 Mbps in each cell. This provides the following capabilities:

• Estimated average throughput of more than 5 Mbps for each

client, with a guaranteed minimum of 1.2 Mbps.

• Each access point will be able to support about seven

concurrent voice calls. In other words, we are aiming to provide
enough capacity to enable a third of the users supported by
each access point to make simultaneous voice calls (a worst-
case Erlang ratio of 1:3).


 Architecture and Design of a Primary Wireless Network White Paper

With such a high access point density, CCI right priority. This means prioritizing applications
becomes an issue even when we have eight or such as soft phones when sharing the resources
more non-overlapping channels. CCI reduces the of laptop clients and it also means prioritizing
available throughput in a cell, because the cell the network traffic generated by these
may be considered busy due to transmissions in applications.
a neighboring cell using the same frequency.
Applications that are QoS aware can ask the OS
To further overcome CCI, the infrastructure and to prioritize packets by marking them, but today
client can dynamically set their transmit power, there is no standard mechanism to make sure
receive sensitivity, and clear channel assessment this marking follows our policy for prioritizing
(CCA) threshold. Clients adjust their RF circuits different types of traffic. Furthermore, many
as instructed by the infrastructure whenever applications are not QoS aware.
they join the network or roam between access
To solve this problem, we developed client-
points, or whenever RF conditions change. This
based policy agents to make sure applications
increases the total usable throughput of the RF
requiring network QoS get their packets
environment.
marked appropriately, using tagging based
IEEE is working on the 802.11K and 802.11V on differentiated services code point (DSCP)
specifications to address this area, but and 802.1p, translated to 802.11e and Wi-Fi*
completed standards are not due for at least a Multimedia (WMM). We also selected a soft
year. Because of this, we decided to use Cisco phone application that utilizes the Intel and Cisco
Compatible Extensions* (CCX), and the high- Business Class Wireless Suite voice application
density features defined in the Business Class programming interface (API) feature, which
Wireless Suite specifications jointly developed by supports admission control and simple packet
Intel and Cisco, to control both access point and marking.
client RF circuits.
Handoff and Roaming
Process and Network To function as our primary access method, our
Prioritization WLAN needs to support all applications currently
The limited bandwidth also means we must carried over the wired network. This includes data,
prioritize latency-sensitive applications over voice, and video. These applications should be
others, ensuring QoS for those applications. supported, as appropriate, by each of the various
clients that we plan to use. Some of these clients
Some applications, such as Voice over Internet
are highly mobile, which means that we need to
Protocol (VoIP), are highly sensitive to packet
support fast handoff as users roam between cells,
loss, delay, and jitter. To avoid poor voice quality,
so users do not experience disruption.
we have to guarantee these applications the


White Paper Architecture and Design of a Primary Wireless Network

Roaming requirements vary according to the client: Reliability and Redundancy

• Desktops. These stationary clients do not Because our WLAN will provide the primary
need handoff or roaming support. access method, it must be reliable. We are
using the characteristics of WLANs to create a
• Laptops. In general, laptop users do not roam
network architecture with an overall uptime that
while using applications, so there is little need
is, potentially, even better than wired networks.
for roaming support.
With WLANs, each access point supports multiple
• Tablets, personal digital assistants (PDAs),
clients; theoretically, a single access point failure
Wi-Fi phones, and other highly mobile
could create an outage for multiple users. However,
devices. Users of these clients require
unlike a wired LAN, a WLAN client connection to
application continuity while on the move.
an access point is virtual. A client can switch from
This imposes a need for fast handoff
one access point to another dynamically, so long as
between access points and fast roaming
the second access point supports the same service
between networks.
with adequate signal strength.
Voice applications represent the worst-case
We can use this capability to create a redundant
handoff requirement, with a target handoff
design with overall uptime that is higher than
time of less than 100 Ms and a preferred
a wired network. Consider a floor or building
handoff time of about 50 Ms.
with multiple access points divided into two
IEEE is working on 802.11r and other interspersed grids, which we call ‘salt’ and
specifications to provide a standard way to ‘pepper’ grids. Each grid is connected to a
support fast handoff, complementing features different LAN access switch. If one entire grid
of 802.11i, which covers pre-authentication fails—due, for example, to failure of its access
and primary key caching. However, IEEE is not switch—the other grid will still be able to provide
expected to complete the specification for at complete RF coverage. As a result, clients will be
least 12 months, so we decided to use CCX with able to seamlessly reconnect to the second grid,
Cisco Centralized Key Management* (CCKM). although potentially with reduced throughput.
When coupled with the smart access point
Creating a salt-and-pepper arrangement requires
selection feature of Business Class Wireless
careful configuration of the connection speeds
Suite, this provides the required handoff and
supported by access points. For example, if the
roaming times.
required bandwidth per access point in normal

10
 Architecture and Design of a Primary Wireless Network White Paper

use is 36 Mbps, we should configure the access preferred approach is lightweight access point
point to support a minimum of 24 Mbps; this will architecture. In this architecture, access points
be the bandwidth available to clients if either do not handle management directly. Instead, we
grid fails. offload access point management to dedicated
wireless controllers that each coordinate and
Management manage multiple access points, helping to ensure
consistent service levels across the network. To
Providing primary WLAN coverage for an entire
do this, we also need services that enable us to
campus involves a very large number of access
centrally manage a large number of controllers,
points—at least an order of magnitude greater
and we need to implement a management
than the LAN switches needed for a wired
hierarchy that matches the support structure of
network of similar scale. Managing all these
the company.
access points is a challenge.

WLANs also present unique challenges when Security

it comes to tracking users, and in controlling
WLANs have unique security requirements
network access when clients are found to be
because the RF signal cannot be confined inside
malicious—if they become infected with malware,
a building, making it easier to detect. This means
for example.
that we need to pay special attention to strong
There are also challenges in delivering a authentication and encryption. It is also easier
consistent level of service. Unlike LANs, which to attack a wireless network, so we need ways
offer comparable service levels at any point to automatically detect and avoid sources of
on the access layer, the WLAN environment interference, including malicious DoS attempts.
service level changes from location to location. We have addressed security by implementing a
Moving even a few feet can change the service standards-based approach.
level considerably, due to a transition to a
different access point or the differing physical Authentication
characteristics of the RF environment. Our architecture uses the Wi-Fi Protected Access
To be able to install, upgrade, and manage (WPA) 1 and WPA2 specifications, incorporating
this environment, and provide the required the 802.1X authentication framework with
service levels, we need a completely different Remote Authentication Dial-In User Service
set of management tools and practices. Our (RADIUS) authentication servers. One critical

11
White Paper Architecture and Design of a Primary Wireless Network

decision when implementing this framework is primary WLANs. DoS threats can be classified
which Extensible Authentication Protocol (EAP) into physical layer and media access control
authentication method (EAP type) to select. (MAC) layer threats. Physical layer threats include
we performed risk assessment and selected intentional or unintentional RF interference from
the option suited to each installation. Another various non Wi-Fi sources. MAC layer threats
important factor is the credential type used include forged management frames that attack
during the EAP authentication. Using the machine clients, access points, or both.
credential type provides LAN-like connection, with
During the risk assessment process, we consider
no need for user intervention, while choosing user
all threats and rate them based on the likelihood
credential requires user intervention.
that they will occur as well as their potential
The 802.1X process involves mutual impact—for instance, whether they will affect
authentication between the access point and a single client or RF channel. Our architecture
RADIUS server, and between the client and allows for functionality to detect, alert, identify,
RADIUS server; when done, a Pairwise Master locate, and mitigate all threats that are not low-
Key (PMK) is installed at the client and access rated. From an architecture perspective, DoS
point for use in data encryption can be handled by an additional infrastructure
overlay or embedded into the production WLAN
Encryption infrastructure. We decided to use our production
infrastructure with dedicated access points
We are using the 802.11i encryption process.
to detect DOS threats, as well as a separate
The 802.11i “four-way handshake” includes
location-based server to locate and track
the creation of a Transient Master Key (TMK)
multiple threats in real time.
for encrypting unicast messages, and a Group
Master Key (GMK) for encrypting multicast We mitigate RF interference by using an
and broadcast messages. This process also embedded infrastructure feature that re-maps all
includes the mutual authentication of client and RF channels. We mitigate MAC threats through
associated access point. proprietary client driver changes, though in the
future we expect to use the management frame
Denial of Service Detection protection within Cisco CCX Version 5*
and Mitigation
Detection and mitigation of DoS attacks are
critical considerations when implementing

12
 Architecture and Design of a Primary Wireless Network White Paper

Primary Wireless Design

We designed a campus network based on our architecture to provide a high-
availability environment with no single point of failure. It is designed to provide
complete WLAN coverage across the campus, supporting a minimum connection
speed of 36 Mbps in normal operations and 24 Mbps if any single part of the
network fails. The environment is designed to support all client types including
desktops, laptops, PDAs and Wi-Fi phones.
We have also structured our management Figure 4 shows the logical design of the
environment to allow for easy “out-of-the-box” network. It is based on Cisco Unified Wireless
installation and control of the access points. Network, which supports the Cisco CCX
Management servers allow us to track and, if extensions and the Business Class Wireless
necessary, blacklist users, and to detect and Suite feature set developed by Intel and Cisco.
mitigate a wide variety of security offenses.

Radius DHCP
Enterprise network
Server Server VPNs
management system

Outer Outer
Firewall Firewall

LAN
WLAN
DMZ
Legacy VLANs

Trunk Trunk
Controller 1 Controller 2 WLAN L3
Distribution
Legacy Switch
Layer
LWAPP Tunnel LWAPP Tunnel

Wired LAN Environment

Figure 4. Logical network design.

13
White Paper Architecture and Design of a Primary Wireless Network

Access points are split into salt-and-pepper also a tertiary controller. This provides another
grids, as our architecture describes. Each grid level of redundancy, allowing the access point
is connected to a different LAN switch, which to remain active even if its primary controller
supplies the access points with both network becomes unavailable.
connectivity and power over Ethernet (PoE).
The primary wireless service is available on
Access points are connected to dedicated, the 802.11a band only, with legacy services
building-level management virtual LANs (VLANs). supported on the 2.4-MHz 802.11b and
They receive their addresses dynamically from 802.11g band. These include our legacy WLAN,
DHCP directory servers, and automatically detect which uses Wired Equivalent Privacy (WEP)
a controller available on this VLAN. An access security and therefore mandates use of a
point will then create Lightweight Access Point Layer 3 virtual private network (VPN). These
Protocol (LWAPP) control and data tunnels to services are still provided for users who need
the controller; the controller then automatically them, and go through onsite Demilitarized
configures the access point based on templates. Zone (DMZ) firewalls for added security. The
This provides the access point with the correct wireless network is secured using full 802.11i
OS release, security settings, and other settings encryption. Corporate RADIUS servers that are
and services. shared between LAN and WLAN perform user
authentication.The campus controller distribution
Each access point is assigned a primary
is a critical element of our design. Each of our
controller, a failover controller, and sometimes
larger, four-floor buildings uses two controllers

Controller
Controller
Controller

Controller 1

2-story building

Controller 2

Proxy Mobile 4-story building

Controller
IP Mechanism

Controller 1
2-story building

Controller 1 Controller 2

4-story building
Controller 2

4-story building

Figure 5. Campus controller distribution.

14
 Architecture and Design of a Primary Wireless Network White Paper

to manage the large number of access points, as to applications as they transition between
shown in Figure 5 on the previous page. Our two access points or controllers. Within each building,
smaller buildings have one controller each and are the two controllers share a VLAN and clients
grouped together into a single logical building. roaming between access points within the
building remain on the same IP network. When
With our design, the whole campus becomes
clients move between buildings they retain
a single mobile environment. Clients can roam
their IP address, despite moving into a “foreign”
freely anywhere on campus with no interruption
network, through a proxy mobile IP mechanism.

Conclusion
Our architecture and design are enabling a groundbreaking implementation of a large-
scale WLAN used as the primary access method across a 5,000-user campus. We
believe this project shows that WLANs can achieve the performance, reliability, QoS,
and manageability needed to deliver converged services within a large enterprise. We
are moving ahead to deploy voice and data services over our primary WLAN to users
throughout the campus.

Authors
Danny Nissan is a wireless LAN engineering product manager with Intel Information Technology.
Omer Ben-Shalom is a wireless LAN engineer with Intel Information Technology.

Acronyms
CCA clear channel assessment PoE power over Ethernet
CCI co-channel interference QoS Quality of Service
CCKM Cisco Centralized Key Management RF radio frequency
CCX Cisco Compatible Extensions RADIUS Remote Authentication Dial-In User Service
DHCP Dynamic Host Configuration Protocol TCP Transmission Control Protocol
DMZ Demilitarized Zone TMK Transient Master Key
DoS denial of service VLAN virtual LAN
DSCP differentiated services code point VoIP Voice over Internet Protocol
EAP Extensible Authentication Protocol VPN virtual private network
GMK Group Master Key WEP Wired Equivalent Privacy
LWAPP Lightweight Access Point Protocol WLAN wireless LAN
MAC media access control WMM Wi-Fi Multimedia
PDA personal digital assistant WPA Wi-Fi Protected Access
PMK Pairwise Master Key

15
www.intel.com/IT

This paper is for informational purposes only. THIS DOCUMENT IS other materials and information does not provide any license, express
PROVIDED "AS IS" WITH NO WARRANTIES WHATSOEVER, INCLUDING or implied, by estoppel or otherwise, to any such patents, trademarks,
ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, copyrights, or other intellectual property rights.
FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY
Intel, the Intel logo, Intel. Leap ahead., and the Intel. Leap ahead. logo
OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR
are trademarks or registered trademarks of Intel Corporation or its
SAMPLE. Intel disclaims all liability, including liability for infringement
subsidiaries in other countries.
of any proprietary rights, relating to use of information in this
specification. No license, express or implied, by estoppel or otherwise, * Other names and brands may be claimed as the property of others.
to any intellectual property rights is granted herein.
Copyright 2006, Intel Corporation. All rights reserved.
Intel Corporation may have patents or pending patent applications,
trademarks, copyrights, or other intellectual property rights that relate Printed in USA Please Recycle
to the presented subject matter. The furnishing of documents and 0906/ARM/RDA/PDF Order Number: 314562-001US