
White Paper

Intel Information Technology WLAN Design

Architecture and Design of a Primary Wireless Network


Intel IT created a new wireless LAN (WLAN) architecture and network design that enables us to use wireless as a primary access method for data, voice, and video services at a 5,000-user campus. Our goal was to overcome the inherent challenges presented by wireless and deliver high performance, Quality of Service (QoS), reliability, security, and manageability.

Danny Nissan and Omer Ben-Shalom, Intel Corporation
September 2006

IT@Intel


Executive Summary
Intel IT developed a new wireless LAN (WLAN) network architecture and design that is enabling us to converge data, voice, and video onto a unified network infrastructure and use wireless as the primary access method. We have begun a groundbreaking initiative to implement this approach at a major Intel site with about 5,000 users.

This initiative shows that WLANs can achieve the performance, reliability, QoS, and manageability needed to deliver converged services within a large enterprise.

We needed the new architecture and design to overcome inherent WLAN bandwidth limitations and the many other technical challenges we faced when creating a primary wireless network on this scale. Our goals included:
- Delivering high throughput while avoiding problems due to radio frequency (RF) interference
- Providing seamless roaming and Quality of Service (QoS) to support voice, video, and data services on mobile clients
- Making the network highly reliable, secure, and manageable

We adopted a standards-based approach, adding proprietary specifications where necessary. We are implementing our architecture and design using the Cisco Unified Wireless Network*. We are moving ahead to deploy voice, video, and data services over our primary WLAN to users throughout the campus.


Contents
Executive Summary
Background 4
The Wireless Challenge 5
Evolving Standards 6
Wireless Architecture 7
Radio Frequency Spectrum Management 7
Capacity Planning 8
Process and Network Prioritization 9
Handoff and Roaming 9
Reliability and Redundancy 10
Management 10
Security 11
Primary Wireless Design
Conclusion 15
Authors 15
Acronyms 15


Background
Wireless is becoming the preferred network access method among our mobile users. Our existing WLANs are popular and widely deployed, but we maintain them as separate networks alongside the wired LANs and currently consider them a secondary means of network access. They provide a best-effort service level and users can always revert to the wired LAN when wireless is not available. We are developing a new architecture that integrates wired and wireless LAN infrastructure, and establishes high-performance wireless as the primary access method (diagrammed at a high level in Figure 1). We are beginning to deliver data, voice and video wirelessly to mobile users on laptops, handsets, and other devices.
We have begun a major initiative to use primary WLANs based on our new architecture at a large Intel site that consists of five buildings with about 5,000 users. This project presents many technical challenges because it breaks new ground, both as a large-scale primary wireless network and in the converged services it delivers.

Figure 1. Overview of our primary wireless architecture. (Diagram of the Intel environment: a primary wireless LAN serving Wi-Fi phones (802.11a), soft phones and headsets, smart phones (Wi-Fi/cellular) and laptops (802.11a/g) through wireless access points (WAPs, 802.11a/g) and WLAN controllers; a data center with PBX, IP PBX and IP phones; a cellular tower; and, via the Internet, a home office or hot spot with its own 802.11a/g WAP.)


The project is split into three successive phases for implementation:
- Phase One: Providing data services to a single building, supporting laptop clients
- Phase Two: Adding video multicast and proliferating the network across the entire campus
- Phase Three: Supporting Voice over Internet Protocol (VoIP) for laptops and handheld devices

This paper describes the Phase Three architecture and design of our network because it represents the complete project and therefore includes the aspects that occur in earlier phases.

The Wireless Challenge


As enterprise computing evolved, a delicate balance was achieved between system building blocks, applications, and network bandwidth, as shown in Figure 2 on the next page. As we move from switched Ethernet wired connections to shared wireless connections, we disrupt this balance and network bandwidth becomes a potentially limiting factor.
More specifically, the inherent characteristics of wireless present several related challenges:
- Wireless is a shared medium. Moving from switched Ethernet to shared WLAN reduces available bandwidth. Application throughput varies with the ever-changing number of clients sharing the medium and is also affected by signal quality and network availability.
- Signals can be received outside the building, so they can potentially be detected and analyzed, disrupted, or hijacked.
- Spectrum is an expensive, regulated resource. Only a small portion of the RF spectrum, with limited bandwidth, is allocated for WLAN use, and it is shared by other non-licensed technologies.

To overcome these challenges, we ultimately need to focus on two technology areas:
- Close coordination and collaboration between mobile clients and infrastructure, including WLAN access points and controllers.
- Rewriting applications to be wireless network aware, so that they react to the availability and changing performance of the network. This also requires OS support.

This paper describes our WLAN architecture and design, which addresses the first of these areas: coordination and collaboration between clients and infrastructure. We expect applications that are wireless network aware to further improve user experiences and productivity gains, but these applications may not be widely available for some time.


Evolving Standards
WLAN technology is still maturing and this presents additional challenges. Though IEEE 802.11 WLAN standards cover key technologies, standards are still lacking in many other areas. Furthermore, many advanced features required to support WLAN primary access will not be available in the marketplace for two to three years. Therefore, when developing our architecture and design, we looked for existing products that implemented the maximum number of features using IEEE specifications, and supplemented those standards with proprietary additions where necessary.

Figure 2. Wireless disturbs the delicate balance of computing. (Two panels, each showing the building blocks Applications, Memory, Operating System, Storage and Network: "Traditional enterprise computing with wired LANs: A delicate balance" and "Wireless LANs disturb the balance, limiting network bandwidth".)


Wireless Architecture
When developing our architecture, we needed to overcome several technical challenges created by the inherent characteristics of RF. WLANs use unlicensed spectrum that is potentially shared with other devices. They have limited bandwidth, so latency-sensitive applications such as voice must be prioritized. Each access point covers a limited area, and so we need many of them, with fast handoff between them, to support latency-sensitive applications. Locating clients needing maintenance can be challenging. And because the RF signal cannot be confined within a building, we need strong security.

Because we are building a campus-wide wireless network that will be users' primary access method, our approach also addresses managing a large network with many access points and achieving a high degree of reliability.

Radio Frequency Spectrum Management
WLAN spectrum may be shared with other technologies, such as mobile phones, Bluetooth* devices, and even microwave ovens, so there is potential for interference. Currently, WLANs use either of two bands: the 2.4-GHz band, used by 802.11b and 802.11g WLANs, and the 5.2-GHz band, used by 802.11a. We chose to use the 5.2-GHz band (802.11a) for primary wireless access, while also using the 2.4-GHz band for other purposes, such as access by legacy mobile devices, guests, and suppliers. Non-WLAN technologies use the 5.2-GHz band less than the 2.4-GHz band. Also, the 5.2-GHz band provides at least eight, and potentially up to 22, non-overlapping channels, compared with three for the 2.4-GHz band. This provides several advantages:
- Less interference. Interference from non-WLAN technologies and between neighboring WLAN cells is less likely, making throughput easier to maximize.
- Auto-configuration. The infrastructure can automatically select the channel and power of access points.

We also looked for products that exploited the additional channels to provide other features:
- Self-healing. The infrastructure responds to access point failure by adjusting the channel and power setting of adjacent cells to compensate.
- Avoiding denial of service (DoS) attacks. The infrastructure can detect a DoS attack on a specific channel and dynamically change channels to avoid it.

Capacity Planning
With a large WLAN, capacity planning is critical. Even though the 5.2-GHz band we selected provides more channels than the alternative, the number of non-overlapping channels is still small, and each channel provides low overall throughput compared with wired networks. In addition, there is potential interference between cells that are using the same channels; called co-channel interference (CCI), this limits the available bandwidth within a closed RF environment such as a building.

One key aspect of capacity planning is deciding how many clients we want each access point to support. This issue is complex. With WLANs, throughput is greatest near the access point, and decreases as devices get farther away, as shown in Figure 3. But placing access points close together to provide the maximum throughput also increases the potential for CCI. To provide users with high performance, we planned for 20 users per access point, maintaining a minimum total connection speed of 36 Mbps in each cell. This provides the following capabilities:
- Estimated average throughput of more than 5 Mbps for each client, with a guaranteed minimum of 1.2 Mbps.
- Each access point will be able to support about seven concurrent voice calls. In other words, we are aiming to provide enough capacity to enable a third of the users supported by each access point to make simultaneous voice calls (a worst-case Erlang ratio of 1:3).

Figure 3. WLAN Transmission Control Protocol (TCP) throughput with distance from an access point. (Plot of throughput in Mbps, 0 to 30, against distance from the access point in feet, 0 to 250, for 802.11a, 802.11g, 802.11g/b and 802.11b. Values at 40-50 feet from the access point, as Layer 1 speed / TCP throughput:)
802.11b: 11 Mbps / 6 Mbps
802.11g/b: 54 Mbps / 13 Mbps
802.11g: 54 Mbps / 20 Mbps
802.11a: 54 Mbps / 24 Mbps


With such a high access point density, CCI becomes an issue even when we have eight or more non-overlapping channels. CCI reduces the available throughput in a cell, because the cell may be considered busy due to transmissions in a neighboring cell using the same frequency. To further overcome CCI, the infrastructure and client can dynamically set their transmit power, receive sensitivity, and clear channel assessment (CCA) threshold. Clients adjust their RF circuits as instructed by the infrastructure whenever they join the network or roam between access points, or whenever RF conditions change. This increases the total usable throughput of the RF environment. IEEE is working on the 802.11k and 802.11v specifications to address this area, but completed standards are not due for at least a year. Because of this, we decided to use Cisco Compatible Extensions* (CCX), and the high-density features defined in the Business Class Wireless Suite specifications jointly developed by Intel and Cisco, to control both access point and client RF circuits.

Process and Network Prioritization
The limited bandwidth also means we must prioritize latency-sensitive applications over others, ensuring QoS for those applications. Some applications, such as Voice over Internet Protocol (VoIP), are highly sensitive to packet loss, delay, and jitter. To avoid poor voice quality, we have to guarantee these applications the right priority. This means prioritizing applications such as soft phones when sharing the resources of laptop clients and it also means prioritizing the network traffic generated by these applications. Applications that are QoS aware can ask the OS to prioritize packets by marking them, but today there is no standard mechanism to make sure this marking follows our policy for prioritizing different types of traffic. Furthermore, many applications are not QoS aware. To solve this problem, we developed client-based policy agents to make sure applications requiring network QoS get their packets marked appropriately, using tagging based on differentiated services code point (DSCP) and 802.1p, translated to 802.11e and Wi-Fi* Multimedia (WMM). We also selected a soft phone application that utilizes the Intel and Cisco Business Class Wireless Suite voice application programming interface (API) feature, which supports admission control and simple packet marking.
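The marking chain described in the Process and Network Prioritization section (a policy-driven DSCP set on the client, translated to an 802.1p user priority and then to a Wi-Fi Multimedia access category) can be made concrete in a few lines. The following Python is an added illustration, not Intel's policy agent or any Cisco code: the application-to-DSCP policy table and the choice to carry EF (DSCP 46) on user priority 6 are assumptions, while the user-priority-to-access-category table is the one WMM defines.

```python
"""Client-side QoS policy agent: application -> DSCP -> 802.1p UP -> WMM access category.

Added illustration modelled on the marking scheme the paper describes; not Intel's
or Cisco's agent. The policy tables below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed policy table: the DSCP each application class is allowed to carry.
# Standard code points: EF = 46, AF41 = 34, CS1 = 8, default (best effort) = 0.
APP_POLICY = {
    "softphone": 46,   # voice: Expedited Forwarding
    "video":     34,   # interactive video: AF41
    "backup":     8,   # bulk transfer: CS1 (scavenger)
}
DEFAULT_DSCP = 0       # QoS-unaware applications get best effort

# 802.1D user priority -> WMM access category, as defined by the WMM specification.
UP_TO_AC = {
    1: "AC_BK", 2: "AC_BK",   # background
    0: "AC_BE", 3: "AC_BE",   # best effort
    4: "AC_VI", 5: "AC_VI",   # video
    6: "AC_VO", 7: "AC_VO",   # voice
}


def dscp_to_up(dscp: int) -> int:
    """DSCP -> 802.1p user priority.

    Assumed policy: EF is placed on UP 6 so voice reaches the WMM voice queue;
    every other code point maps through its class-selector bits (DSCP >> 3).
    """
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    if dscp == 46:
        return 6
    return dscp >> 3


@dataclass(frozen=True)
class Marking:
    app: str
    dscp: int   # value written to the IP header
    up: int     # 802.1p user priority on the wired side
    ac: str     # 802.11e / WMM access category on the air


def mark(app: str, requested_dscp: Optional[int] = None) -> Marking:
    """Decide the marking for a packet emitted by `app`.

    A QoS-aware application may request a DSCP, but the policy table is a ceiling:
    a request above the policy value is clamped down (numeric comparison is a
    simplification that holds for the code points in the table). Applications
    absent from the table receive the default marking, so QoS-unaware software
    still ends up in a deterministic queue.
    """
    ceiling = APP_POLICY.get(app, DEFAULT_DSCP)
    dscp = ceiling if requested_dscp is None else min(requested_dscp, ceiling)
    up = dscp_to_up(dscp)
    return Marking(app, dscp, up, UP_TO_AC[up])


if __name__ == "__main__":
    for app, req in [("softphone", None), ("video", None), ("browser", 46), ("backup", None)]:
        print(mark(app, req))
```

The check in `mark` is the point the section makes: an application may ask for a marking, but the agent enforces the policy ceiling and gives QoS-unaware applications a deterministic default, so placement in the 802.11e queues follows policy rather than whatever the application requested.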

Handoff and Roaming


To function as our primary access method, our WLAN needs to support all applications currently carried over the wired network. This includes data, voice, and video. These applications should be supported, as appropriate, by each of the various clients that we plan to use. Some of these clients are highly mobile, which means that we need to support fast handoff as users roam between cells, so users do not experience disruption.


Roaming requirements vary according to the client:
- Desktops. These stationary clients do not need handoff or roaming support.
- Laptops. In general, laptop users do not roam while using applications, so there is little need for roaming support.
- Tablets, personal digital assistants (PDAs), Wi-Fi phones, and other highly mobile devices. Users of these clients require application continuity while on the move. This imposes a need for fast handoff between access points and fast roaming between networks.

Voice applications represent the worst-case handoff requirement, with a target handoff time of less than 100 ms and a preferred handoff time of about 50 ms. IEEE is working on 802.11r and other specifications to provide a standard way to support fast handoff, complementing features of 802.11i, which covers pre-authentication and primary key caching. However, IEEE is not expected to complete the specification for at least 12 months, so we decided to use CCX with Cisco Centralized Key Management* (CCKM). When coupled with the smart access point selection feature of Business Class Wireless Suite, this provides the required handoff and roaming times.

Reliability and Redundancy


Because our WLAN will provide the primary access method, it must be reliable. We are using the characteristics of WLANs to create a network architecture with an overall uptime that is, potentially, even better than wired networks. With WLANs, each access point supports multiple clients; theoretically, a single access point failure could create an outage for multiple users. However, unlike a wired LAN, a WLAN client connection to an access point is virtual. A client can switch from one access point to another dynamically, so long as the second access point supports the same service with adequate signal strength. We can use this capability to create a redundant design with overall uptime that is higher than a wired network.

Consider a floor or building with multiple access points divided into two interspersed grids, which we call salt and pepper grids. Each grid is connected to a different LAN access switch. If one entire grid fails, due, for example, to failure of its access switch, the other grid will still be able to provide complete RF coverage. As a result, clients will be able to seamlessly reconnect to the second grid, although potentially with reduced throughput.

Creating a salt-and-pepper arrangement requires careful configuration of the connection speeds supported by access points. For example, if the required bandwidth per access point in normal use is 36 Mbps, we should configure the access point to support a minimum of 24 Mbps; this will be the bandwidth available to clients if either grid fails.
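The figures in the Capacity Planning section (20 users per access point, a 36 Mbps cell minimum, one call per three users) and the salt-and-pepper rule above (configure for 24 Mbps so the surviving grid still serves every client) are related by simple arithmetic. The Python below works it through; it is an added example, not Intel's planning tool. The checkerboard layout is an assumed way of building two interspersed grids, and the coverage check that goes with it is ours. The paper's average-throughput figure depends on how many clients are active at once, which the paper does not state, so it is not reproduced here.

```python
"""Capacity and redundancy arithmetic for a primary WLAN cell plan.

Added example using the figures the paper states; the checkerboard grid
assignment and the coverage check are assumptions, not Intel's method.
"""
from dataclasses import dataclass
from math import ceil
from typing import Dict, Tuple

Coord = Tuple[int, int]


@dataclass(frozen=True)
class CellPlan:
    users_per_ap: int
    normal_mbps: float     # minimum cell speed with both grids up
    degraded_mbps: float   # cell speed left when one salt-and-pepper grid has failed
    voice_ratio: int       # worst case: one concurrent call per `voice_ratio` users

    def guaranteed_per_client_mbps(self, grid_failed: bool = False) -> float:
        """Bandwidth floor per client if every client in the cell is active at once."""
        cell = self.degraded_mbps if grid_failed else self.normal_mbps
        return cell / self.users_per_ap

    def concurrent_calls(self) -> int:
        """Calls an access point must carry at the worst-case Erlang ratio."""
        return ceil(self.users_per_ap / self.voice_ratio)

    def min_rate_to_configure(self) -> float:
        """Lowest connection speed the access points must be configured to support:
        the degraded cell speed, otherwise clients cannot fall back to it."""
        return self.degraded_mbps


def access_points_needed(total_users: int, users_per_ap: int) -> int:
    """Access points required to give every user a seat at the planned density."""
    return ceil(total_users / users_per_ap)


def assign_grids(rows: int, cols: int) -> Dict[Coord, str]:
    """Checkerboard assignment of access points to the two interspersed grids
    (assumed layout): each access point's four neighbours sit on the other grid."""
    return {(r, c): "salt" if (r + c) % 2 == 0 else "pepper"
            for r in range(rows) for c in range(cols)}


def coverage_survives(rows: int, cols: int, failed_grid: str) -> bool:
    """True if every access point of the failed grid has at least one adjacent
    access point on the surviving grid, so its area stays covered (at reduced
    throughput) after the failed grid's access switch dies."""
    grids = assign_grids(rows, cols)
    for (r, c), grid in grids.items():
        if grid != failed_grid:
            continue
        neighbours = [(r - 1, c), (r + 1, c), (r, c - 1), (r, c + 1)]
        if not any(grids.get(n) not in (None, failed_grid) for n in neighbours):
            return False
    return True


if __name__ == "__main__":
    plan = CellPlan(users_per_ap=20, normal_mbps=36, degraded_mbps=24, voice_ratio=3)
    print("per-client floor, normal:   %.1f Mbps" % plan.guaranteed_per_client_mbps())
    print("per-client floor, one grid: %.1f Mbps" % plan.guaranteed_per_client_mbps(True))
    print("concurrent calls per AP:   ", plan.concurrent_calls())
    print("APs for 5,000 users:       ", access_points_needed(5000, 20))
    print("coverage survives grid loss:", coverage_survives(4, 6, "salt"))
```

With the paper's inputs the degraded floor comes out at 24 / 20 = 1.2 Mbps, which is exactly the "guaranteed minimum" the Capacity Planning section quotes, and 20 / 3 rounds up to the seven concurrent calls it plans for; the 5,000-user figure then implies 250 access points at this density, a number the paper does not state but which follows from its own figures.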

Management
Providing primary WLAN coverage for an entire campus involves a very large number of access points, at least an order of magnitude greater than the LAN switches needed for a wired network of similar scale. Managing all these access points is a challenge. WLANs also present unique challenges when it comes to tracking users, and in controlling network access when clients are found to be malicious, if they become infected with malware, for example.

There are also challenges in delivering a consistent level of service. Unlike LANs, which offer comparable service levels at any point on the access layer, the WLAN environment service level changes from location to location. Moving even a few feet can change the service level considerably, due to a transition to a different access point or the differing physical characteristics of the RF environment. To be able to install, upgrade, and manage this environment, and provide the required service levels, we need a completely different set of management tools and practices. Our preferred approach is lightweight access point architecture. In this architecture, access points do not handle management directly. Instead, we offload access point management to dedicated wireless controllers that each coordinate and manage multiple access points, helping to ensure consistent service levels across the network. To do this, we also need services that enable us to centrally manage a large number of controllers, and we need to implement a management hierarchy that matches the support structure of the company.

Security
WLANs have unique security requirements because the RF signal cannot be confined inside a building, making it easier to detect. This means that we need to pay special attention to strong authentication and encryption. It is also easier to attack a wireless network, so we need ways to automatically detect and avoid sources of interference, including malicious DoS attempts. We have addressed security by implementing a standards-based approach.

Authentication
Our architecture uses the Wi-Fi Protected Access (WPA) 1 and WPA2 specifications, incorporating the 802.1X authentication framework with Remote Authentication Dial-In User Service (RADIUS) authentication servers. One critical decision when implementing this framework is which Extensible Authentication Protocol (EAP) authentication method (EAP type) to select. We performed a risk assessment and selected the option suited to each installation. Another important factor is the credential type used during the EAP authentication. Using the machine credential type provides a LAN-like connection, with no need for user intervention, while choosing user credentials requires user intervention. The 802.1X process involves mutual authentication between the access point and RADIUS server, and between the client and RADIUS server; when done, a Pairwise Master Key (PMK) is installed at the client and access point for use in data encryption.

Encryption
We are using the 802.11i encryption process. The 802.11i four-way handshake includes the creation of a Transient Master Key (TMK) for encrypting unicast messages, and a Group Master Key (GMK) for encrypting multicast and broadcast messages. This process also includes the mutual authentication of client and associated access point.

Denial of Service Detection and Mitigation
Detection and mitigation of DoS attacks are critical considerations when implementing primary WLANs. DoS threats can be classified into physical layer and media access control (MAC) layer threats. Physical layer threats include intentional or unintentional RF interference from various non-Wi-Fi sources. MAC layer threats include forged management frames that attack clients, access points, or both. During the risk assessment process, we consider all threats and rate them based on the likelihood that they will occur as well as their potential impact, for instance, whether they will affect a single client or an RF channel. Our architecture allows for functionality to detect, alert, identify, locate, and mitigate all threats that are not low-rated. From an architecture perspective, DoS can be handled by an additional infrastructure overlay or embedded into the production WLAN infrastructure. We decided to use our production infrastructure with dedicated access points to detect DoS threats, as well as a separate location-based server to locate and track multiple threats in real time. We mitigate RF interference by using an embedded infrastructure feature that re-maps all RF channels. We mitigate MAC threats through proprietary client driver changes, though in the future we expect to use the management frame protection within Cisco CCX Version 5*.
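For the MAC-layer class of threat the Denial of Service section describes (forged management frames), detection can be as simple as counting deauthentication and disassociation frames per cell in a sliding window, then rating the result by the paper's impact criterion of one client versus a whole RF channel. The Python below is an added example, not Intel's detection system: the frame record layout, the window, the threshold and the sample capture are all constructed, and in practice the input would come from the dedicated monitoring access points the section mentions.

```python
"""Rate-based detection of management-frame floods against a WLAN cell.

Added example over a constructed frame log; not Intel's detection system.
Frame records carry only the fields the detector needs.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"
DISRUPTIVE = {"deauth", "disassoc"}   # management subtypes that tear down associations


@dataclass(frozen=True)
class Frame:
    ts: float       # capture time in seconds (constructed)
    channel: int
    subtype: str    # "probe_req", "assoc", "deauth", "disassoc", ...
    src: str
    dst: str
    bssid: str


@dataclass(frozen=True)
class Alert:
    bssid: str
    channel: int
    count: int
    scope: str      # "channel" when the whole cell is hit, else "client:<mac>"
    first_ts: float
    last_ts: float


def detect_mgmt_floods(frames, window: float = 2.0, threshold: int = 10) -> List[Alert]:
    """Sliding-window count of disruptive management frames per (BSSID, channel).

    Clients do leave cells legitimately, so single frames are normal; an alert is
    raised once per cell the first time more than `threshold` such frames claim the
    cell's BSSID within `window` seconds.
    """
    recent: Dict[tuple, deque] = defaultdict(deque)
    alerted = set()
    alerts: List[Alert] = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in DISRUPTIVE:
            continue
        key = (f.bssid, f.channel)
        q = recent[key]
        q.append(f)
        while f.ts - q[0].ts > window:      # drop frames that fell out of the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            targets = {x.dst for x in q}
            if BROADCAST in targets or len(targets) > 1:
                scope = "channel"           # every client on the cell is affected
            else:
                scope = "client:" + next(iter(targets))
            alerts.append(Alert(f.bssid, f.channel, len(q), scope, q[0].ts, f.ts))
    return alerts


def triage(alert: Alert) -> dict:
    """Rate the alert in the paper's terms: it was observed, so likelihood is high;
    impact is the whole RF channel for a broadcast flood, a single client otherwise."""
    rating = "high" if alert.scope == "channel" else "medium"
    return {"layer": "MAC", "rating": rating,
            "action": "alert; locate the transmitter via the location server; "
                      "clients validate management frames before acting on them"}


def sample_frames() -> List[Frame]:
    """Constructed capture: normal activity on channel 36, then a burst of twelve
    broadcast deauthentication frames that claim the production AP's BSSID."""
    ap, client = "02:00:00:00:aa:01", "02:00:00:00:bb:02"
    frames = [
        Frame(1.0, 36, "probe_req", client, BROADCAST, BROADCAST),
        Frame(1.2, 36, "assoc", client, ap, ap),
        Frame(5.0, 36, "deauth", client, ap, ap),   # one client leaving normally
    ]
    frames += [Frame(10.0 + i * 0.05, 36, "deauth", ap, BROADCAST, ap) for i in range(12)]
    return frames


if __name__ == "__main__":
    for a in detect_mgmt_floods(sample_frames()):
        print(a, triage(a))
```

The single deauthentication at t=5.0 s never trips the detector, while the burst at t=10 s does at its eleventh frame, and because it is addressed to the broadcast address the alert is scoped to the whole channel and rated high; a flood aimed at one station would be scoped to that client and rated lower, which is the distinction the section's risk rating draws.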
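The handshake the Encryption section above refers to can be traced end to end. In IEEE 802.11i terms, the unicast key the paper calls the Transient Master Key is the Pairwise Transient Key (PTK); both sides derive it from the PMK that 802.1X installs, the two nonces and the two MAC addresses, and the MIC on messages 2 and 3 is what gives the mutual authentication the section mentions, because neither side can compute it without the PMK. The Python below is an added simulation, not code from the paper or any vendor: the PRF and MIC constructions follow 802.11i for CCMP, but the EAPOL-Key frame layout is reduced to a tagged byte string, and the PMK, nonces and addresses are constructed test values.

```python
"""Simulation of the 802.11i four-way handshake key derivation and MIC checks.

Added example; not the paper's or a vendor's code. PRF-384 and the EAPOL-Key
MIC follow 802.11i (WPA2/CCMP); the frame layout is simplified.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) concatenated."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA)
    || min(ANonce,SNonce) || max(ANonce,SNonce)); 384 bits for CCMP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)


def split_ptk(ptk: bytes) -> Tuple[bytes, bytes, bytes]:
    """KCK (MIC key), KEK (wraps the group key), TK (CCMP data key): 16 bytes each."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def key_mic(kck: bytes, frame_without_mic: bytes) -> bytes:
    """EAPOL-Key MIC for descriptor version 2 (CCMP): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_without_mic, hashlib.sha1).digest()[:16]


@dataclass
class Station:
    mac: bytes
    pmk: bytes          # installed by the 802.1X/EAP exchange (constructed here)
    ptk: bytes = b""


def four_way_handshake(ap: Station, sta: Station, anonce: bytes, snonce: bytes) -> Dict[str, bool]:
    """Run the exchange and report what each side was able to verify."""
    # Message 1 (AP -> STA): ANonce in the clear; no MIC is possible yet.
    # STA picks SNonce and can now derive its PTK.
    sta.ptk = derive_ptk(sta.pmk, ap.mac, sta.mac, anonce, snonce)
    kck_sta, _, tk_sta = split_ptk(sta.ptk)
    # Message 2 (STA -> AP): SNonce plus MIC under the supplicant's KCK.
    msg2 = b"M2" + snonce
    mic2 = key_mic(kck_sta, msg2)
    # AP now holds both nonces, derives its PTK and checks the MIC: a station
    # without the PMK cannot produce it.
    ap.ptk = derive_ptk(ap.pmk, ap.mac, sta.mac, anonce, snonce)
    kck_ap, _, tk_ap = split_ptk(ap.ptk)
    sta_proved_pmk = hmac.compare_digest(mic2, key_mic(kck_ap, msg2))
    # Message 3 (AP -> STA): ANonce again plus MIC; the group key would travel
    # here, wrapped with the KEK. The station's check is what authenticates the AP.
    msg3 = b"M3" + anonce
    mic3 = key_mic(kck_ap, msg3)
    ap_proved_pmk = hmac.compare_digest(mic3, key_mic(kck_sta, msg3))
    # Message 4 (STA -> AP): MIC-only acknowledgement; both sides install TK.
    mic4 = key_mic(kck_sta, b"M4")
    ap_accepts_m4 = hmac.compare_digest(mic4, key_mic(kck_ap, b"M4"))
    return {"sta_proved_pmk": sta_proved_pmk, "ap_proved_pmk": ap_proved_pmk,
            "ap_accepts_m4": ap_accepts_m4, "same_tk": tk_sta == tk_ap}


if __name__ == "__main__":
    pmk = hashlib.sha256(b"constructed PMK").digest()
    ap = Station(bytes.fromhex("020000aa0001"), pmk)
    sta = Station(bytes.fromhex("020000bb0002"), pmk)
    print(four_way_handshake(ap, sta, hashlib.sha256(b"anonce").digest(),
                             hashlib.sha256(b"snonce").digest()))
```

Run with a matching PMK on both sides every check passes and both derive the same TK; give the access point a different PMK (an access point that never completed 802.1X for this client) and the station's check of message 3 fails, so it never installs keys, which is the mutual authentication the Encryption section relies on.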



Primary Wireless Design


We designed a campus network based on our architecture to provide a high-availability environment with no single point of failure. It is designed to provide complete WLAN coverage across the campus, supporting a minimum connection speed of 36 Mbps in normal operations and 24 Mbps if any single part of the network fails. The environment is designed to support all client types including desktops, laptops, PDAs and Wi-Fi phones.

We have also structured our management environment to allow for easy out-of-the-box installation and control of the access points. Management servers allow us to track and, if necessary, blacklist users, and to detect and mitigate a wide variety of security offenses. Figure 4 shows the logical design of the network. It is based on Cisco Unified Wireless Network, which supports the Cisco CCX extensions and the Business Class Wireless Suite feature set developed by Intel and Cisco.

Figure 4. Logical network design. (Diagram elements: RADIUS server, DHCP server and enterprise network management system on the wired LAN environment; outer firewalls in front of the VPNs; LAN, WLAN DMZ and legacy VLANs; Controller 1 and Controller 2 trunked to the distribution layer; LWAPP tunnels from the access points to the controllers; a WLAN L3 legacy switch.)



Access points are split into salt-and-pepper grids, as our architecture describes. Each grid is connected to a different LAN switch, which supplies the access points with both network connectivity and power over Ethernet (PoE). Access points are connected to dedicated, building-level management virtual LANs (VLANs). They receive their addresses dynamically from DHCP directory servers, and automatically detect a controller available on this VLAN. An access point will then create Lightweight Access Point Protocol (LWAPP) control and data tunnels to the controller; the controller then automatically configures the access point based on templates. This provides the access point with the correct OS release, security settings, and other settings and services. Each access point is assigned a primary controller, a failover controller, and sometimes also a tertiary controller. This provides another level of redundancy, allowing the access point to remain active even if its primary controller becomes unavailable.

The primary wireless service is available on the 802.11a band only, with legacy services supported on the 2.4-GHz 802.11b and 802.11g band. These include our legacy WLAN, which uses Wired Equivalent Privacy (WEP) security and therefore mandates use of a Layer 3 virtual private network (VPN). These services are still provided for users who need them, and go through onsite Demilitarized Zone (DMZ) firewalls for added security. The wireless network is secured using full 802.11i encryption. Corporate RADIUS servers that are shared between LAN and WLAN perform user authentication.

The campus controller distribution is a critical element of our design. Each of our larger, four-floor buildings uses two controllers to manage the large number of access points, as shown in Figure 5. Our two smaller buildings have one controller each and are grouped together into a single logical building. With our design, the whole campus becomes a single mobile environment. Clients can roam freely anywhere on campus with no interruption to applications as they transition between access points or controllers. Within each building, the two controllers share a VLAN and clients roaming between access points within the building remain on the same IP network. When clients move between buildings they retain their IP address, despite moving into a foreign network, through a proxy mobile IP mechanism.

Figure 5. Campus controller distribution. (Diagram: each 4-story building has Controller 1 and Controller 2; each 2-story building has a single controller; the buildings are linked by a proxy mobile IP mechanism.)

Conclusion
Our architecture and design are enabling a groundbreaking implementation of a large-scale WLAN used as the primary access method across a 5,000-user campus. We believe this project shows that WLANs can achieve the performance, reliability, QoS, and manageability needed to deliver converged services within a large enterprise. We are moving ahead to deploy voice and data services over our primary WLAN to users throughout the campus.

Authors
Danny Nissan is a wireless LAN engineering product manager with Intel Information Technology. Omer Ben-Shalom is a wireless LAN engineer with Intel Information Technology.

Acronyms
CCA: clear channel assessment
CCI: co-channel interference
CCKM: Cisco Centralized Key Management
CCX: Cisco Compatible Extensions
DHCP: Dynamic Host Configuration Protocol
DMZ: Demilitarized Zone
DoS: denial of service
DSCP: differentiated services code point
EAP: Extensible Authentication Protocol
GMK: Group Master Key
LWAPP: Lightweight Access Point Protocol
MAC: media access control
PDA: personal digital assistant
PMK: Pairwise Master Key
PoE: power over Ethernet
QoS: Quality of Service
RADIUS: Remote Authentication Dial-In User Service
RF: radio frequency
TCP: Transmission Control Protocol
TMK: Transient Master Key
VLAN: virtual LAN
VoIP: Voice over Internet Protocol
VPN: virtual private network
WEP: Wired Equivalent Privacy
WLAN: wireless LAN
WMM: Wi-Fi Multimedia
WPA: Wi-Fi Protected Access


www.intel.com/IT

This paper is for informational purposes only. THIS DOCUMENT IS PROVIDED "AS IS" WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Intel disclaims all liability, including liability for infringement of any proprietary rights, relating to use of information in this specification. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted herein. Intel Corporation may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the presented subject matter. The furnishing of documents and

other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any such patents, trademarks, copyrights, or other intellectual property rights. Intel, the Intel logo, Intel. Leap ahead., and the Intel. Leap ahead. logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in other countries. * Other names and brands may be claimed as the property of others. Copyright 2006, Intel Corporation. All rights reserved. Please Recycle Order Number: 314562-001US

Printed in USA 0906/ARM/RDA/PDF
