WLAN Deployment Scenarios

Given the growing popularity of wireless technologies, opportunity abounds for IT staff and SMB users to come up with creative WLAN deployment scenarios. Health care, education, retail, manufacturing, and general administrative office environments are only a few of the SMB types for which WLANs are prime candidates.

Consider the following generic scenarios that approach WLAN design based on the size of the WLAN infrastructure and the anticipated number of users and their activities, rather than the size or type of the business itself:

  • A small office or a workgroup deployment

  • An enterprise deployment

  • A telecommuters deployment

A Small Office or Workgroup Deployment

In a small office or a workgroup deployment, one or at most two APs are installed. The coverage area is limited, and the number of clients is relatively small. The deployment could involve a single conference room at a large enterprise, a high-school classroom, a small warehouse housing an SMB's inventory, or a small administrative office where there is considerable mobility among the employees.

The topology criterion is to provide coverage for one of the following:

  • A group of users with notebook computers coming together temporarily in a relatively small area (for a meeting or for instruction)

  • One or more users being able to move freely throughout the entire coverage area:

    - A forklift driver receiving requests for inventory deliveries in a warehouse of a manufacturing facility

    - An employee visiting others in an administrative environment

Conference Room or Classroom Scenario

Let's consider the conference room or classroom scenario. Those present need Internet access for browsing and document downloading. They might need to exchange files and use e-mail during the meeting. High performance is naturally preferable, given the nature of the anticipated traffic. Security is of reasonable but not paramount concern given that the WLAN will be used mostly for Internet and web-based e-mail. Clients are limited to notebook computers. No mobile IP phones or wireless cameras are in use. What is the solution?

An Aironet 1200 series AP that is placed directly in the conference room or the classroom and equipped with the 802.11a radio and an integrated omnidirectional antenna providing data rates of 54 Mbps at up to 60 feet addresses the performance criterion. Depending on the size of the room, consider placing two APs to maximize performance. If you are using 802.11g with two APs, be sure to configure them with nonoverlapping channels. Given the reasonable but not paramount security concerns, connect the APs to the rest of the network outside of the firewall, and don't perform 802.1x mutual authentication.

If the users need to get onto the corporate network, they can do so by using the VPN through the firewall. Use DHCP to maximize convenience for the users, but don't use default SSIDs, which would allow casual bystanders or passersby to easily connect. Turn off power to the APs when the conference room or the classroom is not in use to prevent unauthorized users from forming an association to gain access to the network. Verify the coverage area and lower the AP transmit power settings if the coverage extends too far outside the room. The requirement is to have coverage in the room and not anywhere else.

Warehouse or Mobile Office Scenario

Let's now look at a warehouse or mobile office scenario. In a warehouse, the volume of transmitted information is relatively small, so the design driver here is proper coverage throughout the warehouse, even if it is at lower data rates. 802.11b/g technology might be better suited for this scenario than 802.11a. In general, lower frequencies provide a larger coverage area, but at lower data rates. An RF survey should definitely be conducted to map out the coverage topology. In the classroom/conference room scenario, you might be able to avoid an RF survey, although performing one is a recommended WLAN deployment practice, especially if the WLAN were to expand beyond the single room. In a warehouse, you don't have the option of turning off power to the AP(s) because operations are ongoing 24 × 7. What is the solution? Consider the following:

  • Equipment might be similar to the conference room/classroom scenario, but the design/deployment approach varies.

  • Greater care is needed in mapping out the coverage area via a detailed RF survey.

  • Multiple APs might be needed to ensure that all of the required locations are covered.

  • Security is of paramount concern because the APs connect to the inside network, and the interception or alteration of transmitted information might compromise SMB operations. The strongest mutual authentication available between the client and the AP should be configured (PEAP, for example, if supported on the client), with the encryption relying on the 128-bit WEP key, WPA, or the 802.11i standard.

An Enterprise Deployment

A generic enterprise scenario combines all of the wireless infrastructure components and a wider range of clients than small office or workgroup deployments, as follows:

  • The coverage topology is larger.

  • Dozens of APs might be involved.

  • Wireless links between locations via bridges have been identified as a requirement.

  • Security is to be maximized.

  • A wider range of clients from multiple vendors needs to be supported.

Which SMBs are potential candidates for enterprise deployments? Again, the total size of the business might be far less relevant than the group of users within the business being served by the deployment or the convenience that is offered by not having to rely on a wire-based WAN infrastructure like Frame Relay or leased lines.

A candidate for multi-AP deployment might be a university library that wants to offer both Internet and internal network access for students who combine more traditional forms of research and learning with online access. A candidate for wireless bridge deployment might be a small city government with LOS between the buildings of the various agencies.

The branches of car rental agencies or manufacturing facilities using robotics are candidates for enterprise deployments. Another example where enterprise deployment would be appropriate is hospitals, where doctors or nurses need access to applications and patient data right at the patient's bed, and the data might need to be moved quickly, depending on the patient's needs. Is there a single enterprise solution? No, but there are numerous choices to meet a wide range of enterprise deployment requirements.

University Library Wireless Deployment

Assume that the requirements have been identified through the recommended design process. The need for a larger coverage area at a university library to support different standards within a wide spectrum of clients is met through one or a combination of the following:

  • Multiple dual-mode APs

  • The designation of certain areas of the library to support only a specific standard

The 1200 series APs support 802.11a/b/g in dual or single mode. Use of diversity antennae with the APs minimizes the potential for multipath distortion. Repeater APs can be set up to extend the coverage topology as needed, even if performance might suffer as a result. Multiple VLANs can be configured to facilitate user differentiation through varying authentication mechanisms that afford different access levels to the internal network. Some APs that are configured for specific VLANs might connect to the wired infrastructure in front of the firewall to allow Internet access with minimal security considerations. Those APs connecting to the inside network should use the strongest 802.1x/EAP authentication method available.

Wireless WAN Link Deployment

How about a wireless deployment, without wireless clients, which addresses only the WAN link requirements? Be it a city government linking various buildings, a financial institution that needs a link between two high rises, or a university campus that wants to interconnect a group of departments, Cisco 1400 series bridges or even the earlier 350 series models can extend the wired network topology in scenarios in which the wire-based WAN is either too expensive or is simply impractical to deploy. The wireless WAN topology can, of course, be extended with wireless client workgroups or full-scale wireless coverage for the enterprise.

TIP

In an enterprise scenario in which mobile IP phones need to be supported and the WLAN spans multiple IP subnets, the proxy mobile IP support in the 1200 series APs provides seamless roaming.


Key Design Considerations for Wireless Enterprise Deployments

The following points summarize the key design considerations for wireless enterprise deployments:

  • Identify the coverage areas, number of users, and performance requirements. Remember the tight coupling between performance and topology in wireless deployments. Higher AP density can improve performance, but remember that only three nonoverlapping channels are available for adjacent APs using the 802.11b/g radios.

  • Perform an RF survey for the required coverage areas and decide what WLAN management tools to deploy.

  • Identify the client connection requirements and provide a mix of 802.11a/b/g if necessary to accommodate clients complying with varying standards.

  • Determine if any wireless point-to-point links are required. Choose antennae with the highest gain for longer distances.

  • Identify the required level of security. Wireless security mechanisms boil down to the method of authentication and the type of encryption. Multiple authentication mechanisms allow for client differentiation. Use the strongest encryption available (WEP with 128-bit key, WPA, or 802.11i), depending on availability and need.

Unless the performance and topology requirements for network deployment are simply outside the scope of wireless standards, there is hardly a WLAN deployment scenario that cannot be accommodated with WLAN products from Cisco.
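
The following is an added example, not part of the original text and not Cisco code. It turns the channel, SSID, and inside-network security considerations above into an automated check of an AP inventory. The inventory, field names, finding labels, and default-SSID list are assumptions constructed for illustration, and ranking WEP below WPA and 802.11i is this example's choice.

```python
# Constructed sample inventory; AP names, fields and values are assumptions.
APS = [
    {"name": "conf-1", "band": "g", "channel": 1, "ssid": "tsunami",
     "segment": "outside", "auth": "open", "enc": "none"},
    {"name": "conf-2", "band": "g", "channel": 3, "ssid": "meet-rm",
     "segment": "outside", "auth": "open", "enc": "none"},
    {"name": "wh-1", "band": "g", "channel": 6, "ssid": "whse",
     "segment": "inside", "auth": "open", "enc": "wep128"},
    {"name": "wh-2", "band": "g", "channel": 11, "ssid": "whse",
     "segment": "inside", "auth": "peap", "enc": "wpa"},
]
ADJACENT = [("conf-1", "conf-2"), ("wh-1", "wh-2")]  # cells that touch, per RF survey

DEFAULT_SSIDS = {"tsunami", "linksys", "default", "netgear"}  # illustrative list
EAP_METHODS = {"peap", "eap-tls", "eap-ttls"}
ENC_RANK = {"none": 0, "wep128": 1, "wpa": 2, "802.11i": 3}  # weakest to strongest

def channels_overlap(a, b):
    """Channels are 5 MHz apart but ~22 MHz wide: clear only when 5+ apart."""
    return abs(a - b) < 5

def nonoverlapping_set(max_channel=11):
    """Greedily pick channels that do not overlap any already chosen."""
    chosen = []
    for ch in range(1, max_channel + 1):
        if not any(channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen

def audit(aps, adjacent):
    """Return (subject, finding) pairs for the checks described above."""
    by_name = {ap["name"]: ap for ap in aps}
    findings = []
    for ap in aps:
        if ap["ssid"].lower() in DEFAULT_SSIDS:
            findings.append((ap["name"], "default-ssid"))
        if ap["segment"] == "inside":
            if ap["auth"] not in EAP_METHODS:
                findings.append((ap["name"], "inside-without-eap"))
            # WEP keys can be recovered from captured traffic, so prefer WPA/802.11i.
            if ENC_RANK[ap["enc"]] < ENC_RANK["wpa"]:
                findings.append((ap["name"], "prefer-wpa-or-802.11i"))
    for left, right in adjacent:
        a, b = by_name[left], by_name[right]
        if {a["band"], b["band"]} <= {"b", "g"} and channels_overlap(a["channel"], b["channel"]):
            findings.append((left + "+" + right, "overlapping-channels"))
    return findings

if __name__ == "__main__": print(nonoverlapping_set(), audit(APS, ADJACENT))
```

On the sample inventory, the outside conference-room APs are flagged only for the default SSID and the channel 1/3 overlap, while the inside warehouse AP without EAP is flagged on both authentication and encryption.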

A Telecommuters Deployment

For wireless telecommuters, the most significant design consideration is probably security, because, in all likelihood, the telecommuter is connecting to a corporate network via a public infrastructure while using a wireless client. Consider a telecommuter in a SOHO environment with an AP that is interfaced to a broadband router and a wireless client in the form of a telecommuter's notebook computer. If the telecommuter's notebook is equipped with a personal firewall and an IPSec-capable VPN software client, VPN security extends from the client to the corporate network, and the wireless security options and/or configuration are less relevant, if at all.

On the other hand, if the VPN is implemented via hardware that sits between the AP and the router, or the VPN capability is incorporated into the router, the portion of the overall connection between the client and the AP remains vulnerable to attack, and it ought to be protected via the available means for securing wireless networks. Assuming that the AP supports any or all of the EAP variants for authentication, and that it also supports encryption via WEP, WEP with TKIP, WPA, or 802.11i, use any one of these methods to implement both the authentication and the encryption that are in compliance with the SMB's security policy.

NOTE

IPSec-based VPNs can be deployed over the internal WLAN infrastructure within a large enterprise because WLANs and VPNs are not mutually exclusive. However, using VPNs internally over a WLAN might be cumbersome for the WLAN users.

