IT@Intel
Executive Summary
Intel IT developed a new wireless LAN (WLAN) network architecture and design that is enabling us to converge data, voice, and video onto a unified network infrastructure and use wireless as the primary access method. We have begun a groundbreaking initiative to implement this approach at a major Intel site with about 5,000 users.
This initiative shows that WLANs can achieve the performance, reliability, QoS, and manageability needed to deliver converged services within a large enterprise.
We needed the new architecture and design to overcome inherent WLAN bandwidth limitations and the many other technical challenges we faced when creating a primary wireless network on this scale. Our goals included:
Delivering high throughput while avoiding problems due to radio frequency (RF) interference
Providing seamless roaming and Quality of Service (QoS) to support voice,
We adopted a standards-based approach, adding proprietary specifications where necessary. We are implementing our architecture and design using the Cisco Unified Wireless Network*. We are moving ahead to deploy voice, video, and data services over our primary WLAN to users throughout the campus.
Contents
Executive Summary
Background
The Wireless Challenge
Evolving Standards
Wireless Architecture
Radio Frequency Spectrum Management
Capacity Planning
Process and Network Prioritization
Handoff and Roaming
Reliability and Redundancy
Management
Security
Primary Wireless Design
Conclusion
Authors
Acronyms
Background
Wireless is becoming the preferred network access method among our mobile users. Our existing WLANs are popular and widely deployed, but we maintain them as separate networks alongside the wired LANs and currently consider them a secondary means of network access. They provide a best-effort service level and users can always revert to the wired LAN when wireless is not available. We are developing a new architecture that integrates wired and wireless LAN infrastructure, and establishes high-performance wireless as the primary access method (diagrammed at a high level in Figure 1). We are beginning to deliver data, voice and video wirelessly to mobile users on laptops, handsets, and other devices.
We have begun a major initiative to use primary WLANs based on our new architecture at a large Intel site that consists of five buildings with about 5,000 users. This project presents many technical challenges because it breaks new ground, both as a large-scale primary wireless network and in the converged services it delivers.
Figure 1. Primary wireless LAN in the Intel environment (diagram labels: WLAN controllers, 802.11a Wi-Fi phones, soft phones and headsets, laptops, cellular tower).
The project is split into three successive phases for implementation:
Phase One: Providing data services to a single building, supporting laptop clients
Phase Two: Adding video multicast and proliferating the network across the entire campus
Phase Three: Supporting Voice over Internet Protocol (VoIP) for laptops and handheld devices
This paper describes the Phase Three architecture and design of our network because it represents the complete project and therefore includes the aspects that occur in earlier phases.
Evolving Standards
WLAN technology is still maturing, and this presents additional challenges. Though IEEE 802.11 WLAN standards cover key technologies, standards are still lacking in many other areas. Furthermore, many advanced features required to support WLAN primary access will not be available in the marketplace for two to three years. Therefore, when developing our architecture and design, we looked for existing products that implemented the maximum number of features using IEEE specifications, and supplemented those standards with proprietary additions where necessary.
Wireless Architecture
When developing our architecture, we needed to overcome several technical challenges created by the inherent characteristics of RF. WLANs use unlicensed spectrum that is potentially shared with other devices. They have limited bandwidth, so latency-sensitive applications such as voice must be prioritized. Each access point covers a limited area, so we need many of them, with fast handoff between them, to support latency-sensitive applications. Locating clients that need maintenance can be challenging. And because the RF signal cannot be confined within a building, we need strong security.
Because we are building a campus-wide wireless network that will be users' primary access method, our approach also addresses managing a large network with many access points and achieving a high degree of reliability.
Radio Frequency Spectrum Management
… GHz band for other purposes, such as access by legacy mobile devices, guests, and suppliers. Non-WLAN technologies use the 5.2-GHz band less than the 2.4-GHz band. Also, the 5.2-GHz band provides at least eight, and potentially up to 22, non-overlapping channels, compared with three for the 2.4-GHz band. This provides several advantages:
Less interference. Interference from non-WLAN technologies and between neighboring WLAN cells is less likely, making throughput easier to maximize.
Auto-configuration. The infrastructure can automatically select the channel and power of access points.
We also looked for products that exploited the additional channels to provide other features:
… by adjusting the channel and power setting of adjacent cells to compensate.
Avoiding denial of service (DoS) attacks. The infrastructure can detect a DoS attack on a specific channel and dynamically change channels to avoid it. This addresses physical-layer interference; forged management frames, which a channel change does not escape, are covered under Security below.
Capacity Planning
With a large WLAN, capacity planning is critical. Even though the 5.2-GHz band we selected provides more channels than the alternative, the number of non-overlapping channels is still small, and each channel provides low overall throughput compared with wired networks. In addition, there is potential interference between cells that are using the same channels; called co-channel interference (CCI), this limits the available bandwidth within a closed RF environment such as a building.
One key aspect of capacity planning is deciding how many clients we want each access point to support. This issue is complex. With WLANs, throughput is greatest near the access point and decreases as devices get farther away, as shown in Figure 3. But placing access points close together to provide the maximum throughput also increases the potential for CCI. To provide users with high performance, we planned for 20 users per access point, maintaining a minimum total connection speed of 36 Mbps in each cell. This provides the following capabilities:
Estimated average throughput of more than 5 Mbps for each client, with a guaranteed minimum of 1.2 Mbps.
Each access point will be able to support about seven concurrent voice calls. In other words, we are aiming to provide enough capacity to enable a third of the users supported by each access point to make simultaneous voice calls (a worst-case Erlang ratio of 1:3).
Figure 3. WLAN Transmission Control Protocol (TCP) throughput with distance from an access point (plot of TCP throughput in Mbps, 0 to 25, against distance in feet, 0 to 250). Values read from the figure at 40-50 feet from the access point:
Standard    Layer 1 speed   TCP throughput
802.11b     11 Mbps         6 Mbps
802.11g/b   54 Mbps         13 Mbps
802.11g     54 Mbps         20 Mbps
802.11a     54 Mbps         24 Mbps
With such a high access point density, CCI becomes an issue even with eight or more non-overlapping channels. CCI reduces the available throughput in a cell, because the cell may be considered busy due to transmissions in a neighboring cell using the same frequency. To further overcome CCI, the infrastructure and client can dynamically set their transmit power, receive sensitivity, and clear channel assessment (CCA) threshold. Clients adjust their RF circuits as instructed by the infrastructure whenever they join the network or roam between access points, or whenever RF conditions change. This increases the total usable throughput of the RF environment. IEEE is working on the 802.11k and 802.11v specifications to address this area, but completed standards are not due for at least a year. Because of this, we decided to use Cisco Compatible Extensions* (CCX), and the high-density features defined in the Business Class Wireless Suite specifications jointly developed by Intel and Cisco, to control both access point and client RF circuits.
Process and Network Prioritization
… right priority. This means prioritizing applications such as soft phones when sharing the resources of laptop clients, and it also means prioritizing the network traffic generated by these applications. Applications that are QoS aware can ask the OS to prioritize packets by marking them, but today there is no standard mechanism to make sure this marking follows our policy for prioritizing different types of traffic. Furthermore, many applications are not QoS aware. To solve this problem, we developed client-based policy agents to make sure applications requiring network QoS get their packets marked appropriately, using tagging based on differentiated services code point (DSCP) and 802.1p, translated to 802.11e and Wi-Fi* Multimedia (WMM). We also selected a soft phone application that utilizes the Intel and Cisco Business Class Wireless Suite voice application programming interface (API) feature, which supports admission control and simple packet marking.
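The policy agent described above has to make two decisions for every packet: what DSCP the packet should carry under our policy, regardless of what the application asked for, and which 802.11e user priority (UP) and WMM access category that DSCP becomes on the air. The following is an added example, not the paper's agent or any product's code; the flow-classification rules, the process names and the DSCP-to-UP table are assumptions of the example, while the UP-to-access-category mapping is the one fixed by 802.11e. The point it demonstrates is that an application's own marking is never trusted: an unapproved program that marks its traffic EF is re-marked to best effort, so it cannot claim the voice queue. A small per-cell admission counter stands in for the admission control the soft phone API provides, using the paper's figure of about seven calls per access point.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# DiffServ code points this policy uses (RFC 2474, RFC 2597, RFC 3246).
DSCP_BE, DSCP_CS1, DSCP_AF21, DSCP_AF31, DSCP_AF41, DSCP_EF = 0, 8, 18, 26, 34, 46

# Assumed DSCP -> 802.11e user priority (UP) table for this example; the UP is also
# the 802.1p value carried to the controller. Real deployments tune this table.
DSCP_TO_UP = {DSCP_EF: 6, DSCP_AF41: 5, DSCP_AF31: 4, DSCP_AF21: 3,
              DSCP_BE: 0, DSCP_CS1: 1}

# UP -> WMM access category, as fixed by IEEE 802.11e (not an assumption).
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}


@dataclass(frozen=True)
class Packet:
    app: str           # process that emitted the packet, as seen by the host agent
    proto: str         # "udp" or "tcp"
    dst_port: int
    multicast: bool
    dscp: int          # DSCP the application asked for; 0 if it is not QoS aware


@dataclass(frozen=True)
class Rule:
    app: Optional[str]         # None matches any application
    proto: Optional[str]
    ports: Optional[range]     # destination port range, None for any
    multicast: Optional[bool]
    dscp: int


# Hypothetical policy: only the approved soft phone gets the voice and
# signalling classes; video multicast gets AF41; a backup tool is scavenger.
POLICY = [
    Rule("softphone.exe", "udp", range(16384, 32768), False, DSCP_EF),
    Rule("softphone.exe", "tcp", range(5060, 5062), False, DSCP_AF31),
    Rule(None, "udp", None, True, DSCP_AF41),
    Rule("backup.exe", "tcp", None, False, DSCP_CS1),
]


def classify(pkt: Packet) -> int:
    """First matching rule wins; unmatched traffic is best effort."""
    for r in POLICY:
        if ((r.app is None or r.app == pkt.app)
                and (r.proto is None or r.proto == pkt.proto)
                and (r.ports is None or pkt.dst_port in r.ports)
                and (r.multicast is None or r.multicast == pkt.multicast)):
            return r.dscp
    return DSCP_BE


def mark(pkt: Packet) -> Tuple[Packet, int, str]:
    """Re-mark the packet under policy and map it to 802.11e UP and WMM AC.

    The application's own DSCP is never copied through: policy decides, so an
    unapproved program that marks itself EF cannot claim the voice queue.
    """
    dscp = classify(pkt)
    up = DSCP_TO_UP.get(dscp, 0)
    return replace(pkt, dscp=dscp), up, UP_TO_AC[up]


class VoiceAdmission:
    """Per-cell call admission control; the paper plans about seven calls per access point."""

    def __init__(self, max_calls: int = 7) -> None:
        self.max_calls = max_calls
        self.active = set()

    def admit(self, call_id: str) -> bool:
        if call_id in self.active:
            return True
        if len(self.active) >= self.max_calls:
            return False          # caller is told to try another cell or wait
        self.active.add(call_id)
        return True

    def release(self, call_id: str) -> None:
        self.active.discard(call_id)


if __name__ == "__main__":
    for pkt in (Packet("softphone.exe", "udp", 20000, False, 0),
                Packet("game.exe", "udp", 20000, False, DSCP_EF)):
        marked, up, ac = mark(pkt)
        print(pkt.app, "asked for DSCP", pkt.dscp, "-> DSCP", marked.dscp, "UP", up, ac)
```

The agent enforces policy at the host because the access point can only honour the DSCP or 802.1p value it receives; if the client stack copies the application's marking unchanged, any program on the laptop can put itself ahead of the soft phone.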
Handoff and Roaming
Roaming requirements vary according to the client:
Desktops. These stationary clients do not need handoff or roaming support.
Laptops. In general, laptop users do not roam while using applications, so there is little need for roaming support.
Tablets, personal digital assistants (PDAs), Wi-Fi phones, and other highly mobile devices. Users of these clients require application continuity while on the move. This imposes a need for fast handoff between access points and fast roaming between networks.
Voice applications represent the worst-case handoff requirement, with a target handoff time of less than 100 ms and a preferred handoff time of about 50 ms. IEEE is working on 802.11r and other specifications to provide a standard way to support fast handoff, complementing features of 802.11i, which covers pre-authentication and PMK caching. However, IEEE is not expected to complete the specification for at least 12 months, so we decided to use CCX with Cisco Centralized Key Management* (CCKM). When coupled with the smart access point selection feature of Business Class Wireless Suite, this provides the required handoff and roaming times.
Reliability and Redundancy
… use is 36 Mbps, we should configure the access point to support a minimum of 24 Mbps; this will be the bandwidth available to clients if either grid fails.
Management
Providing primary WLAN coverage for an entire campus involves a very large number of access points, at least an order of magnitude more than the LAN switches needed for a wired network of similar scale. Managing all these access points is a challenge. WLANs also present unique challenges when it comes to tracking users, and in controlling network access when clients are found to be malicious, for example if they become infected with malware. There are also challenges in delivering a consistent level of service. Unlike wired LANs, which offer comparable service levels at any point on the access layer, the WLAN service level changes from location to location. Moving even a few feet can change the service level considerably, due to a transition to a different access point or the differing physical characteristics of the RF environment. To be able to install, upgrade, and manage this environment, and provide the required service levels, we need a completely different set of management tools and practices. Our preferred approach is a lightweight access point architecture. In this architecture, access points do not handle management directly. Instead, we offload access point management to dedicated wireless controllers that each coordinate and manage multiple access points, helping to ensure consistent service levels across the network. To do this, we also need services that enable us to centrally manage a large number of controllers, and we need to implement a management hierarchy that matches the support structure of the company.
Security
WLANs have unique security requirements because the RF signal cannot be confined inside a building, which makes the network easier to detect and reach from outside. This means that we need to pay special attention to strong authentication and encryption. It is also easier to attack a wireless network, so we need ways to automatically detect and avoid sources of interference, including malicious DoS attempts. We have addressed security by implementing a standards-based approach.
Authentication
Our architecture uses the Wi-Fi Protected Access (WPA) and WPA2 specifications, incorporating the 802.1X authentication framework with Remote Authentication Dial-In User Service (RADIUS) authentication servers. One critical decision when implementing this framework is which Extensible Authentication Protocol (EAP) authentication method (EAP type) to select. We performed a risk assessment and selected the option suited to each installation. Whichever EAP type is chosen, the client must validate the RADIUS server's identity (for the certificate-based and tunneled EAP types, its server certificate) before presenting credentials; otherwise a rogue access point with its own RADIUS server can harvest them. Another important factor is the credential type used during EAP authentication. Using machine credentials provides a LAN-like connection with no need for user intervention, while choosing user credentials requires user intervention. The 802.1X process involves mutual authentication between the access point and RADIUS server (based on the RADIUS shared secret), and between the client and RADIUS server (inside the EAP method); when it completes, the client and the RADIUS server hold the same Pairwise Master Key (PMK), which the RADIUS server delivers to the access point and which seeds the 802.11i key handshake that derives the keys actually used for data encryption.
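The RADIUS leg of this exchange, as an added example that is not part of the original paper: between the access point (or controller) and the RADIUS server, EAP rides inside RADIUS packets, and the mutual authentication on that leg rests entirely on the shared secret configured on both ends. The code below builds an Access-Request carrying an EAP-Message together with the Message-Authenticator attribute that RFC 3579 requires on EAP-carrying packets (an HMAC-MD5 keyed with the secret), builds the Access-Accept with its Response Authenticator from RFC 2865, and shows both checks rejecting a packet altered in transit or produced with a guessed secret. The secret, addresses, identifier and EAP payload are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterator, Optional, Tuple

# RADIUS packet codes and attribute types (RFC 2865, RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80

HEADER = struct.Struct("!BBH16s")   # code, identifier, length, authenticator


def _attr(attr_type: int, value: bytes) -> bytes:
    """One attribute: type, length including these two octets, value."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return bytes((attr_type, len(value) + 2)) + value


def _packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, identifier, HEADER.size + len(attrs), authenticator) + attrs


def _attributes(packet: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, type, value) for each attribute, rejecting bad lengths."""
    _, _, length, _ = HEADER.unpack_from(packet)
    if length != len(packet) or length < HEADER.size:
        raise ValueError("RADIUS length field does not match packet size")
    off = HEADER.size
    while off < length:
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("malformed attribute")
        yield off, attr_type, packet[off + 2:off + attr_len]
        off += attr_len


def _message_authenticator(secret: bytes, packet: bytes, ma_offset: int,
                           request_authenticator: Optional[bytes]) -> bytes:
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed
    (RFC 3579 section 3.2); replies are keyed over the request's authenticator."""
    buf = bytearray(packet)
    buf[ma_offset + 2:ma_offset + 18] = bytes(16)
    if request_authenticator is not None:
        buf[4:20] = request_authenticator
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def build_access_request(secret: bytes, identifier: int, username: str, eap: bytes,
                         nas_ip: bytes, request_authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request carrying EAP-Message; Message-Authenticator is mandatory here."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_NAS_IP_ADDRESS, nas_ip)
             + _attr(ATTR_EAP_MESSAGE, eap) + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = _packet(ACCESS_REQUEST, identifier, request_authenticator, attrs)
    return packet[:-16] + _message_authenticator(secret, packet, len(packet) - 18, None)


def verify_message_authenticator(secret: bytes, packet: bytes,
                                 request_authenticator: Optional[bytes] = None) -> bool:
    """The RADIUS server's check on a request (or the NAS's check on a reply)."""
    try:
        found = [(o, v) for o, t, v in _attributes(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except (ValueError, struct.error):
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False            # absent, duplicated or truncated: reject
    off, value = found[0]
    return hmac.compare_digest(_message_authenticator(secret, packet, off, request_authenticator), value)


def build_access_accept(secret: bytes, request: bytes, attrs: bytes) -> bytes:
    """Reply with Message-Authenticator plus the Response Authenticator (RFC 2865 section 3)."""
    _, identifier, _, request_authenticator = HEADER.unpack_from(request)
    attrs = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = _packet(ACCESS_ACCEPT, identifier, request_authenticator, attrs)
    packet = packet[:-16] + _message_authenticator(secret, packet, len(packet) - 18, request_authenticator)
    response_auth = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[:4] + response_auth + packet[20:]


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """The access point's proof that the reply came from a holder of the shared secret."""
    _, req_id, _, request_authenticator = HEADER.unpack_from(request)
    _, resp_id, _, response_auth = HEADER.unpack_from(response)
    if resp_id != req_id:
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return (hmac.compare_digest(expected, response_auth)
            and verify_message_authenticator(secret, response, request_authenticator))


def demo() -> Dict[str, bool]:
    """Constructed exchange with a hypothetical secret and addresses (not real data)."""
    secret = b"example-shared-secret"
    eap_identity = bytes([2, 1, 0, 10, 1]) + b"alice"      # EAP-Response/Identity "alice"
    request = build_access_request(secret, 7, "alice", eap_identity, bytes([10, 0, 0, 5]))
    tampered = bytearray(request)
    tampered[22] ^= 0x01                                    # flip a bit inside User-Name
    eap_success = _attr(ATTR_EAP_MESSAGE, bytes([3, 1, 0, 4]))
    accept = build_access_accept(secret, request, eap_success)
    forged = build_access_accept(b"guessed-secret", request, eap_success)
    return {
        "request_ok": verify_message_authenticator(secret, request),
        "tampered_ok": verify_message_authenticator(secret, bytes(tampered)),
        "wrong_secret_ok": verify_message_authenticator(b"guessed-secret", request),
        "accept_ok": verify_response(secret, request, accept),
        "forged_accept_ok": verify_response(secret, request, forged),
    }
```

Two practical consequences follow. The secret is the only thing protecting this leg, so it should be long, unique per controller, and the RADIUS server should be configured to require the Message-Authenticator attribute rather than only check it when present, since a forged Access-Request without one would otherwise pass the length checks. And neither check encrypts anything: confidentiality of the credentials comes from the EAP method itself (its TLS tunnel), which is why the choice of EAP type matters.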
Denial of Service
… primary WLANs. DoS threats can be classified into physical layer and media access control (MAC) layer threats. Physical layer threats include intentional or unintentional RF interference from various non-Wi-Fi sources. MAC layer threats include forged management frames that attack clients, access points, or both. During the risk assessment process, we consider all threats and rate them based on the likelihood that they will occur as well as their potential impact, for instance whether they will affect a single client or an entire RF channel. Our architecture allows for functionality to detect, alert, identify, locate, and mitigate all threats that are not low-rated. From an architecture perspective, DoS can be handled by an additional infrastructure overlay or embedded into the production WLAN infrastructure. We decided to use our production infrastructure with dedicated access points to detect DoS threats, as well as a separate location-based server to locate and track multiple threats in real time. We mitigate RF interference by using an embedded infrastructure feature that re-maps all RF channels. We mitigate MAC threats through proprietary client driver changes, though in the future we expect to use the management frame protection within Cisco CCX Version 5*.
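Forged management frames are a MAC-layer DoS because, without management frame protection (the proprietary CCX feature mentioned above, or the IEEE 802.11w amendment that later standardized it), deauthentication and disassociation frames carry no integrity check, so a client accepts them from anyone who can spoof the access point's address. The following is an added example, not the paper's detection logic or any product's: it runs a detector over a constructed trace of management frames as a dedicated monitoring access point would capture them, and flags a deauthentication flood aimed at one client, a broadcast deauthentication, and frames whose 802.11 sequence number does not follow the access point's own frames (the usual sign of a spoofed transmitter address). The frame record format, the thresholds, and the rule that our own infrastructure never sends broadcast deauthentications are assumptions of the example; each alert carries the BSSID, target and channel so the location server can be pointed at it.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
SEQ_MODULUS = 4096  # 12-bit 802.11 sequence number


@dataclass(frozen=True)
class MgmtFrame:
    ts: float      # capture time in seconds
    subtype: str   # "beacon", "deauth", "disassoc", ...
    src: str       # transmitter address
    dst: str       # receiver address
    bssid: str
    channel: int
    seq: int       # 802.11 sequence number
    reason: int = 0


@dataclass(frozen=True)
class Alert:
    kind: str
    bssid: str
    target: str
    channel: int
    ts: float
    detail: str


class MgmtFrameMonitor:
    """Flags MAC-layer DoS against a BSS from frames captured by a monitoring AP.

    Three checks, all assumptions of this example: a broadcast deauth/disassoc
    (our infrastructure never sends one), a deauth/disassoc whose sequence number
    does not follow the transmitter's last genuine frame (spoofed address), and
    more than `flood_threshold` frames at one target within `window_s` seconds.
    """

    def __init__(self, window_s: float = 1.0, flood_threshold: int = 10,
                 seq_tolerance: int = 8) -> None:
        self.window_s = window_s
        self.flood_threshold = flood_threshold
        self.seq_tolerance = seq_tolerance
        self._last_seq: Dict[str, int] = {}
        self._windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._alerted: Set[Tuple[str, str, str]] = set()

    def _in_sequence(self, last: int, cur: int) -> bool:
        delta = (cur - last) % SEQ_MODULUS
        return delta <= self.seq_tolerance   # 0 covers a retransmission

    def _once(self, alerts: List[Alert], kind: str, f: MgmtFrame, detail: str) -> None:
        key = (kind, f.bssid, f.dst)         # one alert per kind, BSS and target
        if key not in self._alerted:
            self._alerted.add(key)
            alerts.append(Alert(kind, f.bssid, f.dst, f.channel, f.ts, detail))

    def feed(self, f: MgmtFrame) -> List[Alert]:
        alerts: List[Alert] = []
        if f.subtype not in ("deauth", "disassoc"):
            # Any other frame from this transmitter advances its sequence counter;
            # deauths never do, so an attacker cannot walk the counter forward.
            self._last_seq[f.src] = f.seq
            return alerts
        if f.dst == BROADCAST:
            self._once(alerts, "broadcast_deauth", f, f"reason={f.reason}")
        last = self._last_seq.get(f.src)
        if last is not None and not self._in_sequence(last, f.seq):
            self._once(alerts, "sequence_anomaly", f, f"seq {f.seq} after {last} from {f.src}")
        window = self._windows[(f.bssid, f.dst)]
        window.append(f.ts)
        while window and window[0] < f.ts - self.window_s:
            window.popleft()
        if len(window) >= self.flood_threshold:
            self._once(alerts, "deauth_flood", f, f"{len(window)} frames in {self.window_s}s")
        return alerts


def run_monitor(frames: Iterable[MgmtFrame], **kwargs) -> List[Alert]:
    monitor = MgmtFrameMonitor(**kwargs)
    alerts: List[Alert] = []
    for f in sorted(frames, key=lambda x: x.ts):
        alerts.extend(monitor.feed(f))
    return alerts


def sample_trace() -> List[MgmtFrame]:
    """Constructed trace: one AP beaconing, one legitimate deauth, then an attack."""
    ap, client = "00:11:22:33:44:01", "aa:bb:cc:dd:ee:01"
    frames = [MgmtFrame(0.1 * i, "beacon", ap, BROADCAST, ap, 36, 100 + i) for i in range(30)]
    # Genuine deauth from the AP: its sequence number follows the beacons.
    frames.append(MgmtFrame(0.55, "deauth", ap, client, ap, 36, 106, reason=2))
    # Spoofed flood: attacker uses the AP's address but its own sequence counter.
    frames += [MgmtFrame(1.0 + 0.02 * i, "deauth", ap, client, ap, 36, 3000 + i, reason=7)
               for i in range(15)]
    # Broadcast deauth kicking every client off the BSS.
    frames.append(MgmtFrame(2.0, "deauth", ap, BROADCAST, ap, 36, 4000, reason=3))
    return frames


if __name__ == "__main__":
    for alert in run_monitor(sample_trace()):
        print(alert)
```

Detection is the realistic goal here: none of these checks stops the frames from reaching the client, which is why the paper pairs detection with locating the source and, longer term, with management frame protection so that a forged deauthentication fails its integrity check instead.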
Encryption
We are using the 802.11i encryption process. Its four-way handshake derives from the PMK a Pairwise Transient Key (PTK), whose temporal key encrypts unicast traffic, and delivers to the client a Group Temporal Key (GTK), derived by the access point from its Group Master Key (GMK), for encrypting multicast and broadcast traffic. The handshake also proves to each side that the other holds the same PMK, which binds the 802.1X authentication to the association with this particular access point.
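The derivation step described above, as an added example that is not part of the original paper: the PTK is the PRF-384 expansion of the PMK over both MAC addresses and both nonces, split into the KCK that authenticates the handshake messages, the KEK that wraps the group key, and the TK that encrypts unicast data. The code implements that expansion and the EAPOL-Key MIC check for CCMP (key descriptor version 2) as specified in IEEE 802.11i, using constructed addresses, nonces and RSN information element; the PMK is taken from the WPA-Personal passphrase derivation with the standard's published test vector only so that the result can be checked, whereas in an 802.1X deployment like the one described the PMK comes from the EAP master session key instead.

```python
import hashlib
import hmac
from typing import Dict, Tuple

MIC_OFFSET = 81     # EAPOL header (4) + descriptor fields up to the Key MIC (77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-Personal PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits (IEEE 802.11i Annex H).
    Used here only so the result can be checked against the published test vector;
    an 802.1X network takes the PMK from the EAP master session key instead."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) concatenated."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbits + 159) // 160))
    return out[:nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP, 384 bits = KCK(16) || KEK(16) || TK(16).

    Addresses and nonces enter in min/max order, so the access point and the
    client reach the same key regardless of the order they pass them in."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)


def split_ptk(ptk: bytes) -> Tuple[bytes, bytes, bytes]:
    return ptk[:16], ptk[16:32], ptk[32:48]     # KCK, KEK, TK


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2 (AES-CCMP): HMAC-SHA1 over the frame with
    the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_eapol_key_mic(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(eapol_key_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def build_msg2(kck: bytes, snonce: bytes, replay_counter: int, key_data: bytes) -> bytes:
    """Handshake message 2 (client -> access point): SNonce, MIC set, RSN IE in the clear."""
    key_info = 0x0002 | 0x0008 | 0x0100     # descriptor version 2, pairwise, MIC present
    body = (bytes([2])                       # descriptor type: RSN
            + key_info.to_bytes(2, "big") + (0).to_bytes(2, "big")   # key length is 0 in msg 2
            + replay_counter.to_bytes(8, "big") + snonce
            + bytes(16) + bytes(8) + bytes(8)                         # key IV, RSC, ID
            + bytes(16)                                                # MIC placeholder
            + len(key_data).to_bytes(2, "big") + key_data)
    frame = bytes([1, 3]) + len(body).to_bytes(2, "big") + body       # EAPOL v1, type Key
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def demo() -> Dict[str, bool]:
    """Constructed addresses, nonces and RSN IE; the PMK is the standard's test vector."""
    pmk = pmk_from_passphrase("password", "IEEE")
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, snonce)
    ptk_sta = derive_ptk(pmk, spa, aa, snonce, anonce)   # other argument order, same key
    kck, _kek, _tk = split_ptk(ptk_sta)
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # constructed
    msg2 = build_msg2(kck, snonce, replay_counter=1, key_data=rsn_ie)
    tampered = msg2[:-4] + bytes([msg2[-4] ^ 0x01]) + msg2[-3:]      # alter the RSN IE
    wrong_kck = split_ptk(derive_ptk(bytes(32), aa, spa, anonce, snonce))[0]
    return {
        "ptk_matches": ptk_ap == ptk_sta,
        "mic_valid": verify_eapol_key_mic(kck, msg2),
        "tampered_valid": verify_eapol_key_mic(kck, tampered),
        "wrong_pmk_valid": verify_eapol_key_mic(wrong_kck, msg2),
    }


if __name__ == "__main__":
    print(demo())
```

The MIC on message 2 is what lets the access point confirm the client holds the PMK before installing any key, and the tampered case shows why the RSN IE is carried under that MIC: a downgrade of the negotiated cipher suite in transit fails the check. Note that none of these keys protects management frames, which is the gap the Denial of Service section above is dealing with.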
Primary Wireless Design
Design diagram labels: RADIUS server, DHCP server, LAN, WLAN, DMZ, legacy VLANs, Controller 1, Controller 2, trunks, distribution layer, LWAPP tunnels, WLAN L3 legacy switch.
Access points are split into salt-and-pepper grids, as our architecture describes. Each grid is connected to a different LAN switch, which supplies the access points with both network connectivity and power over Ethernet (PoE). Access points are connected to dedicated, building-level management virtual LANs (VLANs). They receive their addresses dynamically from DHCP servers, and automatically detect a controller available on this VLAN. An access point will then create Lightweight Access Point Protocol (LWAPP) control and data tunnels to the controller; the controller then automatically configures the access point based on templates. This provides the access point with the correct OS release, security settings, and other settings and services. Each access point is assigned a primary controller, a failover controller, and sometimes
also a tertiary controller. This provides another level of redundancy, allowing the access point to remain active even if its primary controller becomes unavailable. The primary wireless service is available on the 802.11a band only, with legacy services supported on the 2.4-GHz 802.11b and 802.11g band. These include our legacy WLAN, which uses Wired Equivalent Privacy (WEP) security and therefore mandates use of a Layer 3 virtual private network (VPN). These services are still provided for users who need them, and go through onsite Demilitarized Zone (DMZ) firewalls for added security. The primary wireless network is secured using full 802.11i encryption. Corporate RADIUS servers that are shared between LAN and WLAN perform user authentication.
The campus controller distribution is a critical element of our design. Each of our larger, four-floor buildings uses two controllers to manage the large number of access points, as shown in Figure 5. Our two smaller buildings have one controller each and are grouped together into a single logical building. With our design, the whole campus becomes a single mobile environment. Clients can roam freely anywhere on campus with no interruption to applications as they transition between access points or controllers. Within each building, the two controllers share a VLAN, and clients roaming between access points within the building remain on the same IP network. When clients move between buildings they retain their IP address, despite moving into a foreign network, through a proxy mobile IP mechanism.
Figure 5. Campus controller distribution (diagram labels: four-story building with Controller 1 and Controller 2; two-story buildings with one controller each; proxy mobile IP mechanism between buildings).
Conclusion
Our architecture and design are enabling a groundbreaking implementation of a large-scale WLAN used as the primary access method across a 5,000-user campus. We believe this project shows that WLANs can achieve the performance, reliability, QoS, and manageability needed to deliver converged services within a large enterprise. We are moving ahead to deploy voice and data services over our primary WLAN to users throughout the campus.
Authors
Danny Nissan is a wireless LAN engineering product manager with Intel Information Technology. Omer Ben-Shalom is a wireless LAN engineer with Intel Information Technology.
Acronyms
CCA clear channel assessment
CCI co-channel interference
CCKM Cisco Centralized Key Management
CCX Cisco Compatible Extensions
DHCP Dynamic Host Configuration Protocol
DMZ Demilitarized Zone
DoS denial of service
DSCP differentiated services code point
EAP Extensible Authentication Protocol
GMK Group Master Key
GTK Group Temporal Key
LWAPP Lightweight Access Point Protocol
MAC media access control
PDA personal digital assistant
PMK Pairwise Master Key
PoE power over Ethernet
PTK Pairwise Transient Key
QoS Quality of Service
RADIUS Remote Authentication Dial-In User Service
RF radio frequency
TCP Transmission Control Protocol
VLAN virtual LAN
VoIP Voice over Internet Protocol
VPN virtual private network
WEP Wired Equivalent Privacy
WLAN wireless LAN
WMM Wi-Fi Multimedia
WPA Wi-Fi Protected Access
www.intel.com/IT
This paper is for informational purposes only. THIS DOCUMENT IS PROVIDED "AS IS" WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Intel disclaims all liability, including liability for infringement of any proprietary rights, relating to use of information in this specification. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted herein. Intel Corporation may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the presented subject matter. The furnishing of documents and
other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any such patents, trademarks, copyrights, or other intellectual property rights. Intel, the Intel logo, Intel. Leap ahead., and the Intel. Leap ahead. logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in other countries. * Other names and brands may be claimed as the property of others. Copyright 2006, Intel Corporation. All rights reserved. Please Recycle Order Number: 314562-001US