Deploying 802.11 Wireless LANs

3Com WHITE PAPER

CONTENTS
Executive Summary ............. 1
Introduction .................. 1
Business Drivers .............. 1
Deployment Considerations ..... 3
Why 3Com? ..................... 12
Deployment Examples ........... 14

Executive Summary

This paper demonstrates how you can successfully deploy Wi-Fi wireless LANs (WLANs) within your company. It illustrates the business drivers and the tangible benefits you can realize. In addition, it examines the issues involved in deploying wireless networks, to help you make the right decisions when planning and purchasing a WLAN solution. Whether you are adding wireless extensions to your existing LAN or installing a wireless network from scratch, this white paper will help you avoid potential pitfalls and address the issues you may face.

Introduction

Not so long ago, wireless networking was a technology accessible only to specific vertical industries. Warehousing, retail, and healthcare were among the first industries where wireless networking brought functional advantages and made economic sense. Today the technology has developed to the point where WLANs are being deployed across all industry sectors, from small businesses to large enterprises. Worldwide business 802.11 WLAN hardware unit shipments are in the middle of tremendous growth, surging from 2.6 million units shipped in 2000 to an estimated 41.7 million in 2006 (source: In-Stat/MDR Group, 2002). It is not difficult to see why. WLAN technology is one of the most effective IT tools there is for establishing a competitive advantage for your company. Adding WLAN elements to your current network will bring dramatic increases in workforce productivity. There will be demonstrable cost savings from more efficient use of resources and infrastructure. Not least of all, the flexibility it adds to your IT infrastructure will help you satisfy the needs of your network users more easily.

Business Drivers

Increased Productivity

WLANs enable workers to be more productive, with access to the Internet, e-mail, and network files wherever they are on the business campus. This is especially useful when working away from the primary office location: ten minutes of idle time between meetings can be used to deal with important e-mails. Many job functions get huge productivity benefits from immediate access to critical information. For example, doctors can retrieve patient information from anywhere within a hospital, and logistics managers can query detailed inventory information from any place in a warehouse.

More Efficient Meetings

Data can be shared between users and accessed on the corporate network more easily from within conference rooms, cafeterias, or corridors. This saves time and helps decision-making in formal meetings, and delivers on-the-spot information to support productive informal meetings anywhere in the building.

New Services

WLAN connectivity enables companies to deliver new services over their networks. For example, instant messaging can be used to communicate and make time-critical business decisions anytime, anywhere. Existing network services can also be used more productively; for instance, IT administrators equipped with laptops can provide desktop support to users from any place in the company.

Ease of New Installations

WLANs dramatically reduce the time and cost of adding PCs and laptops to an established network. For small and medium companies, a complete wireless network can be set up within hours, with minimal disruption to the business.

Out-of-office Connectivity

A laptop or PDA with WLAN capability allows mobile employees to be more productive by working from public "hot spots" at airports, hotels, and coffee bars.

Temporary LAN

Campus-style networked communication can be achieved with minimal time and effort through WLAN connectivity at off-site training sessions, at trade shows, or for mission-critical applications during disaster recovery.

ROI from Increased Productivity

A simple example shows that a WLAN provides significant productivity returns. Take the case of office-based employees using WLAN-enabled laptops. Assume the typical knowledge worker salary is $60,000, equating to $90,000 after benefits and other costs to the employer. An average worker puts in 2,000 hours over 50 weeks, so the hourly cost is $45. If a wireless LAN gives this worker an additional 15 minutes of productivity per week (12.5 hours per year), the total productivity gain is $562.50 per year. Wireless LAN costs for this employee are $150: $100 for the client device (a PC Card in a notebook) and a $50 share of an access point (assuming a conservative 8 users per access point and a $400 total cost for the AP).

Cost Savings

Tangible cost savings will come primarily from three areas.

Reduced Installation Costs

The cost of running cabling varies, but averages $150 per drop. Environments where it is difficult to pull wires may cost as much as $250 per drop, and even more in hard-to-reach areas such as cafeterias, lobbies, or older buildings. For businesses with established networks where the wiring is inadequate, or businesses installing a new LAN from scratch, this alone is more than enough to justify the incremental cost of equipping new desktop PCs with a wireless adapter, or of adding a wireless workgroup bridge to connect desktops. In this way, wireless can present a significantly lower installation cost.

Return on Investment through More Efficient Use of Resources

Small and medium businesses installing a WLAN can share resources such as printers and scanners. They can also save on ongoing telecommunications costs by sharing a single broadband connection for Internet access. ROI increases as the business expands, because the growing number of employees will share resources even more efficiently over the WLAN. For larger campus-based companies, multiple buildings up to 16 km (10 miles) apart can be connected by Wi-Fi links using wireless building-to-building bridges, allowing a single link to replace T1/E1 links costing thousands of dollars per month. (Local regulations outside the United States may limit the authorized radiated power output of building-to-building bridges; the maximum range expected outside the United States is approximately 1.6 km (1 mile).)

Greater Flexibility

It is much easier to add new clients to a network using WLAN connections. Network users can roam throughout the company, and are free to work from various locations or sites without burdening IT administration resources. Equipment such as PCs and printers can be rearranged within the office without a support call. Additionally, customers and other visitors can access the Internet or their own corporate networks with minimal support. As long as certain key issues are addressed when deploying WLAN technology, you can more easily satisfy the needs of your network users while also gaining cost and productivity benefits.

For more information about wireless technologies and 3Com wireless solutions, visit www.3Com.com/wireless

Deployment Considerations

There are more and more laptop computers with embedded Wi-Fi clients, as well as an increasing number of public hot spots. The result is that Wi-Fi enabled products will become more prevalent, even within companies that have no WLAN.
So it is important to reap the rewards offered by WLANs, but at the same time to understand the issues associated with a well-managed deployment.

Standards

Among the most fundamental steps to take when planning a wireless LAN is to learn about the various IEEE 802.11 standards, decide which ones are appropriate for your application requirements, and plan your deployment accordingly. 802.11 systems are generically called "Wi-Fi". The Wi-Fi Alliance is responsible for awarding the Wi-Fi CERTIFIED logo, which ensures 802.11 compatibility and multi-vendor interoperability.

The original 802.11 standard, established in June 1997, defined a 2.4 GHz system with a maximum data rate of 2 Mbps. This technology still exists in legacy wireless LANs but should not be considered for new deployments. Today there are two basic categories of IEEE 802.11 WLAN standards. First are those that specify the fundamental protocols for a complete Wi-Fi system: 802.11a, 802.11b, and 802.11g. Second are extensions that address weaknesses in, or add functionality to, those standards: 802.11d, e, f, h, i, and j. Table 1 shows the three fundamental 802.11 standards at a glance.

Table 1. Three Fundamental 802.11 Standards

                                  802.11b                   802.11a                          802.11g
                                  (more established)                                         (newer standard)
Radio band                        2.4 GHz                   5 GHz                            2.4 GHz
Modulation                        DSSS                      OFDM                             OFDM
Max. link coverage                100 m / 328 ft            50 m / 164 ft                    100 m / 328 ft
Max. data rate                    11 Mbps                   54 Mbps                          54 Mbps
Max. non-overlapping channels     3                         12 (fewer in some regions)       3
Other issues                      Largest installed base    Needs 802.11 extensions          Backward-compatible with
                                                            (e.g., 802.11h) to be used       802.11b; fully ratified
                                                            in some regions (e.g., EMEA)

802.11b should be considered if:
- you do not intend to use high-bandwidth applications.
- you need a wider coverage area.
- price is a primary consideration.

An 802.11b WLAN costs roughly a quarter as much as an 802.11a network covering the same area at the same data rate. The main disadvantage of 802.11b is its lower maximum link rate. And since it occupies the 2.4 GHz band used by other technologies (e.g., Bluetooth and cordless telephones), this rate may be reduced further by interference.

802.11a should be considered if:
- you need to run higher-bandwidth applications such as voice or video.
- you have small, densely packed concentrations of users. The greater number of non-overlapping channels allows access points to be placed closer together without interference.

The main disadvantages of 802.11a are that it is not compatible with the older 802.11b standard and that it costs roughly four times as much to cover the same area.

802.11g should be considered if:
- you need to run higher-bandwidth applications and also need a wide coverage area.
- you need backward compatibility with 802.11b equipment.

The main disadvantage of 802.11g is that maximum data throughput is reduced when 802.11g and 802.11b equipment share the same network. And since it uses the same 2.4 GHz band as 802.11b, it faces the same interference issues.

The following 802.11 extensions apply to all variants of Wi-Fi, except 802.11h and 802.11j, which apply to 802.11a only:

802.11d addresses regulatory considerations in countries that do not yet have rules in place for the operation of 802.11 LANs, ensuring interoperability of WLANs in those countries.

802.11e defines quality of service (QoS) levels for applications such as voice and video. The standard is not yet ratified (expected in the third or fourth quarter of 2003); 802.11 access points should be upgradeable to it via new firmware in the future.

802.11f is the Inter-Access Point Protocol (IAPP). It improves the handover mechanism between access points and switched segments as users roam between them. 802.11f is not yet ratified (expected late in the third quarter of 2003), but products implementing IAPP have started to ship. Until 802.11f is ratified, ensure that your access points are Wi-Fi CERTIFIED to achieve interoperability.

802.11h adds better control over transmission power and radio channel selection to 802.11a. It primarily addresses the requirements of European regulatory bodies; it is expected to be ratified by the end of 2003 and will increase the availability of 802.11a products within EMEA.

802.11i provides enhanced security. It includes the use of the 802.1X authentication protocol, an improved key distribution framework, and stronger encryption via AES (Advanced Encryption Standard). 802.11i is due to be ratified by late 2003.

802.11j adds operation in the 4.9 GHz to 5 GHz band for 802.11a in Japan.

Security

There is a widespread perception that wireless LANs are insecure, but that concern is resolved if the appropriate mechanisms are in place. It is true that, because of the nature of RF transmission and its inherent risks, WLANs require additional security considerations. However, your wireless LAN can be just as secure as the rest of your LAN. As described in the previous section, 802.11i is an extension to the current WEP security standard that will bring greater security to Wi-Fi networks through improved encryption, key distribution, authentication, and a range of other features appropriate to wireless networks. However, it will not be ratified until late 2003. In the meantime, there are some very simple steps that can be taken to make WLANs more secure.

Turn on WEP

WEP (Wired Equivalent Privacy) is the standard 802.11 wireless security protocol. Designed to provide wired-like protection by encrypting wireless data as it is transmitted, WEP provides a baseline level of security that can be effective when used in conjunction with other security mechanisms.
First, WEP should be enabled, with the WEP key changed from the default. Ideally, WEP keys should be generated dynamically when a user logs on, making access to wireless data a moving target for attackers. Session-based and user-based WEP keys offer the best protection and add another layer of deterrence. WEP is one security layer of many and should not be relied on as the sole security measure: the weaknesses in WEP's RC4 key scheduling published in 2001 allow a static key to be recovered from enough captured traffic, so treat WEP as a deterrent rather than as confidentiality in itself.

Keep an Eye on Emerging Standards

Wi-Fi Protected Access (WPA) is a subset of the current 802.11i draft, taking those pieces of the draft that are ready to bring to market today, such as its implementation of 802.1X and TKIP. To improve data encryption, WPA uses the Temporal Key Integrity Protocol (TKIP). TKIP enhances WEP with a per-packet re-keying mechanism, adds a Message Integrity Check (MIC) field to each packet, and uses 802.1X. WEP has almost no user authentication mechanism. Whereas WEP and TKIP encrypt frames on the wireless link (layer 2) only, layer 3 VPNs such as IPsec can be used to encrypt data end-to-end from remote access clients to security gateways at the private network edge.

Use Secure Authentication (preferably 802.1X-based authentication)

802.1X is the new standard for Layer 2 authentication. It defines a generic framework for port-based authentication. Instead of checking a local MAC list (which is easily defeated, since a sniffed address can be cloned), it allows a wireless client to associate with the access point and then authenticate against a RADIUS server on the wired network. The IEEE 802.1X standard carries the client authentication exchange and ensures that only authorized wireless clients are permitted onto the wireless LAN. 802.1X is a framework based on the Extensible Authentication Protocol (EAP), which supports multiple methods, including EAP-MD5, EAP-TLS (Transport Layer Security), PEAP (Protected EAP), and others.
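The 802.1X exchange just described, as an added example that is not part of this paper or of any 3Com product: a Python simulation of one authentication in which the access point (authenticator) relays EAP between the client (supplicant) and a RADIUS server and opens its controlled port only on Access-Accept. EAP-MD5 is used because its arithmetic fits in a few lines (RFC 3748 section 5.4, the CHAP computation MD5(identifier || secret || challenge)); the user database, the names and the dict-based message format are constructed for the example.

```python
"""Simulated 802.1X/EAP exchange: supplicant <-> authenticator (AP) <-> RADIUS.
Added example, not 3Com code. Wire formats are simplified to Python dicts; the
EAP-MD5 response follows RFC 3748 s5.4 / RFC 1994: MD5(id || secret || challenge)."""
import hashlib
import hmac
import os

# Constructed user database, held only by the RADIUS server (not real credentials).
RADIUS_USERS = {"alice": b"alice-pw", "bob": b"bob-pw"}


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class RadiusServer:
    """Authentication server: the only party that knows user credentials."""

    def __init__(self, users):
        self.users = users
        self.sessions = {}  # RADIUS State attribute -> (identity, EAP id, challenge)

    def access_request(self, eap, state=None):
        """Handle an Access-Request carrying one EAP-Response.
        Returns (RADIUS code, EAP message for the AP to relay, State attribute)."""
        if eap["type"] == "Identity":
            identity = eap["data"].decode()
            identifier = (eap["id"] + 1) & 0xFF
            challenge, state = os.urandom(16), os.urandom(8)
            self.sessions[state] = (identity, identifier, challenge)
            # Unknown users are challenged too, so the reply does not reveal which names exist.
            request = {"code": "Request", "id": identifier, "type": "MD5-Challenge", "data": challenge}
            return "Access-Challenge", request, state
        if eap["type"] == "MD5-Challenge" and state in self.sessions:
            identity, identifier, challenge = self.sessions.pop(state)
            expected = eap_md5_response(identifier, self.users.get(identity, b""), challenge)
            if identity in self.users and eap["id"] == identifier and hmac.compare_digest(eap["data"], expected):
                return "Access-Accept", {"code": "Success", "id": identifier}, None
        return "Access-Reject", {"code": "Failure", "id": eap["id"]}, None


class Supplicant:
    """Wireless client: knows only its own credentials, never talks to RADIUS directly."""

    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def handle(self, request):
        if request["type"] == "Identity":
            return {"code": "Response", "id": request["id"], "type": "Identity", "data": self.identity.encode()}
        if request["type"] == "MD5-Challenge":
            value = eap_md5_response(request["id"], self.secret, request["data"])
            return {"code": "Response", "id": request["id"], "type": "MD5-Challenge", "data": value}
        raise ValueError(f"unsupported EAP type {request['type']}")


class Authenticator:
    """Access point: the controlled port starts unauthorized and opens only on
    Access-Accept. It relays EAP and never handles the password."""

    def __init__(self, radius):
        self.radius = radius
        self.port_authorized = False
        self.transcript = []

    def authenticate(self, supplicant):
        self.port_authorized, self.transcript = False, []
        eap, state = {"code": "Request", "id": 1, "type": "Identity", "data": b""}, None
        while True:
            self.transcript.append(("AP->STA", "EAP-Request/" + eap["type"]))
            response = supplicant.handle(eap)
            self.transcript.append(("STA->AP", "EAP-Response/" + response["type"]))
            code, eap, state = self.radius.access_request(response, state)
            self.transcript.append(("RADIUS->AP", code))
            if code == "Access-Accept":
                self.port_authorized = True   # EAP-Success relayed, port opened
                return True
            if code == "Access-Reject":
                return False                  # EAP-Failure relayed, port stays closed
            # Access-Challenge: relay the new EAP-Request and loop


if __name__ == "__main__":
    ap = Authenticator(RadiusServer(RADIUS_USERS))
    print(ap.authenticate(Supplicant("alice", b"alice-pw")), ap.transcript)
    print(ap.authenticate(Supplicant("alice", b"guess")), ap.port_authorized)
```

Two things the simulation makes visible. The access point only ever sees EAP messages and the RADIUS verdict, so the credential store stays on the wired side and the port remains closed until the server says otherwise. And EAP-MD5 yields no keying material, so it cannot deliver the per-session keys the paper recommends, while the challenge/response pair is exposed to offline guessing by anyone sniffing the link; EAP-TLS or PEAP avoids both problems and is what you would deploy.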
To strengthen user authentication, WPA implements 802.1X and EAP. Together, these provide stronger data encryption, key management, and user authentication than WEP.

Employ VPNs

A Virtual Private Network (VPN) is a security enhancement option that provides an excellent higher layer of security and an alternative to 802.1X. In this approach, all wireless clients are treated in the same way as remote-access VPN clients. The VPN provides a secure, end-to-end tunnel over an "untrusted" network, which in this case is the WLAN and, for remote users, the Internet.

Minimize RF Leakage

Steps should be taken in the configuration of your WLAN to minimize the risk of potential eavesdroppers outside company buildings gaining access to your WLAN. The simplest method is to ensure that appropriate antennas are used and RF signals are directed at the intended area of coverage. Signals should not be boosted needlessly. Besides the inexpensive option of scaling down the output power, the additional and more expensive step of shielding external walls prevents radio traffic from leaking outside your building, and is another excellent way to help secure your network.

Check for Unauthorized Access Points

Many Wi-Fi products are now easy to install. In an enterprise network there is a real possibility that rogue access points will be connected to the network by well-intentioned users without the knowledge of the IT organization. Without correct configuration or management, these pose a serious security risk. Regular physical inspections should be made and, preferably, network management tools should be used to routinely scan for rogue access points.

Management

Effective use of network management is essential in larger enterprise networks but is good practice in businesses of all sizes. This is especially true for WLANs, which have the particular management needs described in this section.
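The routine rogue access point scan recommended under "Check for Unauthorized Access Points" above, as an added example (not part of this paper or of any 3Com management tool): scan observations are compared against an authorized inventory and classified, with the dangerous case being a radio you do not own advertising your SSID. The inventory, the SSIDs, the scan results and the 02:00:00 vendor prefix are constructed for the example; in practice the observations come from a management console, the access points' own neighbour scans, or a laptop survey.

```python
"""Rogue access point check against an authorized inventory.
Added example, not a 3Com tool; all inventory and scan data below is constructed."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class BSS:
    """One beacon as heard by a sensor (an AP or a survey laptop)."""
    bssid: str      # radio MAC address of the AP
    ssid: str
    channel: int
    security: str   # "open", "wep", "wpa" or "wpa-enterprise"
    seen_by: str    # sensor that heard it


# Constructed inventory: authorized BSSID -> (SSID, channel). 02:00:00 is a locally
# administered placeholder prefix standing in for the vendor OUI your company buys.
AUTHORIZED = {
    "02:00:00:aa:00:01": ("corp", 1),
    "02:00:00:aa:00:02": ("corp", 6),
    "02:00:00:aa:00:03": ("corp", 11),
}
CORPORATE_OUIS = {"02:00:00"}
CORPORATE_SSIDS = {"corp"}


def classify(bss, authorized=AUTHORIZED, ssids=CORPORATE_SSIDS, ouis=CORPORATE_OUIS):
    """Return (severity, reason) for one observed BSS."""
    known = authorized.get(bss.bssid)
    if known is not None:
        ssid, channel = known
        if bss.ssid != ssid:
            return "high", f"authorized radio advertising unexpected SSID {bss.ssid!r}"
        if bss.channel != channel:
            return "medium", f"on channel {bss.channel}, inventory says {channel} (misconfiguration)"
        if bss.security in ("open", "wep"):
            return "medium", f"running {bss.security}; policy in this example requires 802.1X/WPA"
        return "ok", "matches inventory"
    if bss.ssid in ssids:
        # Our SSID from a radio we do not own: an evil twin or a rogue copying the SSID.
        return "critical", f"unknown BSSID advertising corporate SSID {bss.ssid!r}"
    if bss.bssid[:8].lower() in ouis:
        return "high", f"unmanaged AP with corporate vendor OUI, SSID {bss.ssid!r}"
    return "low", f"unknown AP, SSID {bss.ssid!r}; verify it is not plugged into our wired LAN"


def scan_report(observations, **kwargs):
    """Merge observations from all sensors by BSSID and return the findings
    (everything not 'ok'), most severe first."""
    by_bssid = {}
    for bss in observations:
        entry = by_bssid.setdefault(bss.bssid, {"bss": bss, "sensors": set()})
        entry["sensors"].add(bss.seen_by)
    findings = []
    for bssid, entry in by_bssid.items():
        severity, reason = classify(entry["bss"], **kwargs)
        if severity != "ok":
            findings.append({"bssid": bssid, "ssid": entry["bss"].ssid, "severity": severity,
                             "reason": reason, "sensors": sorted(entry["sensors"])})
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["bssid"]))


# Constructed scan results from two sensors.
OBSERVATIONS = [
    BSS("02:00:00:aa:00:01", "corp", 1, "wpa-enterprise", "ap1"),
    BSS("02:00:00:aa:00:02", "corp", 6, "wep", "ap1"),
    BSS("02:00:00:aa:00:03", "corp", 11, "wpa-enterprise", "ap2"),
    BSS("0a:1b:2c:dd:ee:ff", "corp", 6, "open", "ap2"),        # evil twin
    BSS("02:00:00:bb:cc:dd", "default", 6, "open", "ap1"),     # user-installed AP
    BSS("44:55:66:77:88:99", "cafe-guest", 11, "wpa", "ap1"),  # neighbour?
    BSS("44:55:66:77:88:99", "cafe-guest", 11, "wpa", "ap2"),
]

if __name__ == "__main__":
    for f in scan_report(OBSERVATIONS):
        print(f"{f['severity']:8} {f['bssid']} {f['ssid']!r}: {f['reason']} (seen by {', '.join(f['sensors'])})")
```

An unknown BSSID with an unfamiliar SSID is only "low" because the radio may belong to the business next door; what makes it a rogue is a cable into your switch, which is why the paper pairs over-the-air scanning with physical inspection. Correlating the BSSID against switch MAC tables is the usual way to close that gap.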
With business drivers set to fuel tremendous growth in Wi-Fi, it is important that the right tools and mechanisms are adopted from the start to ensure a well-managed approach to deployment. DEPLOYING 802.11 WIRELESS LANS 5 Traffic Analysis Although monitoring and analysis of network traffic is important in wired networks, a wireless LAN is a much more fluid environment. Users are free to move throughout the network and capacity demands shift. For example, there may be company meetings or training sessions where an exceptionally high number of users are accessing the network from a single location. Monitoring tools can be used to indicate which access points are being used the most (or least) and highlight the need for moves or additions. In the presence of interference, a performance drop may be reported by users, or indeed observed through traffic analysis. In these cases, benchmarking of throughput and the effects of adjusting optional configuration settings in MIB (e.g., CTS/RTS described in the following section) provides a method of dealing with such problems. Discovery and Configuration discover, manage, and upgrade access points across the network. If they are not already using another SNMPbased central management tool, organizations that require this functionality should look to their WLAN vendor to provide it. Embedded Web Server that works with any Web browser that supports HTML and Java Script is an added plus for easy configuration and management. Support for SNMPv3-compliant management is critical for secure management of access points. A centralized approach also allows for increased levels of functionality and bandwidth management. IT departments can organize the WLAN by domains, granting privileges and access rights to different user groups as they see fit. 
For larger networks, this function can be automated and centralized such that when a wireless user is authenticated via 802.1X and RADIUS, the enterprise access point automatically assigns the user to the appropriate VLAN. Security breaches can be automatically detected with access points flagging security breaches or configuration errors to the management console. Also, unauthorized access points can be tracked down and removed or properly configured. Eventually, the goal for larger enterprises should be to incorporate management of their wireless LANs within their overall network management system, such as HP OpenView. Some vendors are already making this possible. Smaller businesses not wanting to employ centralized management should consider deploying Wi-Fi equipment web-based management capabilities. This will give them the ability to perform upgrades, reconfiguration, and simple performance monitoring over the network via a standard web browser. Performance For larger wireless networks, administrators need to have tools that allow them to discover various wireless devices within the network segment, configure parameters, run diagnostics, monitor performance, view device properties, and select a device for individual configuration. It is recommended that you protect each network infrastructure access point by setting up a username and password to control access to the configuration settings. To ease administrative burden for larger networks, capabilities such as “save and load facility” are useful because they allow you to configure one device and propagate the same configuration to similar devices on the network. 
Migration to a Centralized Management Scheme As the number of wireless users begins to grow, and Wi-Fi is used for high-speed and mission-critical applications, it becomes increasingly important for management of the WLAN to be centralized, providing network administrators the ability to There are several key reasons why 802.11 technology is now being embraced by such a wide user base: 6 DEPLOYING 802.11 WIRELESS LANS performance has reached levels similar to wired Ethernet. 2. The silicon technology today allows to implement more sophisticated algorithm schemes for equalizers to be embedded in the wireless chipset. 3. Large production volumes help drive down the cost of underlying silicon. However, it is important to consider the factors affecting performance and how this can be appropriately handled to suit your needs. Choose the Appropriate Wi-Fi Type 1. Wireless needed. 802.11b should then be used to provide blanket coverage for the entire facility. Access points that provide configurable dual modes (for example, 802.11a and 802.11b) of operation are ultimately the best solution, because you can mix and match radio bands to meet different coverage and bandwidth needs within the same area. Such configurations are now readily available. IP Address Management The choice of 802.11 variant is a fundamental decision. The advantages and disadvantages of 11b, 11a, and 11g are outlined in the earlier section “Standards,” but there are some additional considerations affecting performance. As with conventional Ethernet technologies, quoted “data rates” of 11 Mbps (11b) and 54 Mbps (11a and 11g) are theoretical maximum signaling rates and exclude protocol overheads. Estimates of realistic maximum data throughput are: - 5 Mbps to 6 Mbps for 11b - 27 Mbps to 30 Mbps for 11a and 11g It should be noted that this is the total shared throughput available to a single user communicating through a single access point operating using a particular frequency channel. 
This throughput subsequently decreases as more users connect to the access point. Each Wi-Fi variant defines a multiple number of non-overlapping radio channels. If there is another access point within range using a different non-overlapping channel, it provides additional throughput capacity for these users. 802.11a provides twelve non-overlapping radio channels. However, the 802.11b and 802.11g standards define three non-overlapping channels. A good implementation today is to use 802.11a access points in areas occupied by densely packed users such as “hot desk” areas or meeting rooms where a higher throughput may be To ease integration into the existing network environment, the access point may act as a DHCP server to the clients that are wirelessly associated with it. Alternatively, the DHCP server of the access point should have the ability to defer to any other DHCP servers that exist on the network, so that it can only become active if the access point does not detect another DHCP server. Properly Set Channels You must ensure that the channel selected is compatible with the channel ranges supported by the wireless clients that will be associating with the access point. To ease administrative burden, look for an access point that can automatically scan the spectrum of all available regulatory channels, and select the one with least interference. The best channel available is the channel where no other wireless devices are causing interference on the radio frequency (RF). Clever architectures to suit the range and density requirements can be constructed using the non-overlapping channels of 802.11a and 802.11b. For instance, “cellular architectures” can be deployed by mixing the three nonoverlapping channels (channels 1, 6, and 11) of the 802.11b standard, while minimizing the risk of inter-access point interference. Provide Adequate Coverage The maximum data rate is only available within a limited distance from an access point. 
Typically this is 100ft/30m for 802.11b and 802.11g and 30ft/10m for 802.11a. If a client moves farther away, data speed is DEPLOYING 802.11 WIRELESS LANS 7 reduced. For example, an 802.11b client’s performance will diminish from 5.5 Mbps to 2 Mbps and finally to 1 Mbps as a user moves away from an access point. It is therefore important that access points are not placed too far apart. Attenuation due to obstacles such as interior walls can reduce coverage, as well. This is more of a problem for 802.11a, which is inherently less able to penetrate such obstacles. For larger sites, or for buildings with solid interior walls, an RF site survey is a valuable tool in coverage planning. Site Survey Configure Optional Settings CTS/RTS is an optional 802.11 protocol setting that can help improve performance in cases when clients are hidden from each other (e.g., due to physical obstacles). In these cases, excessive collisions and re-transmissions can waste bandwidth and reduce throughput. CTS/RTS resolves this by introducing a hand-shaking mechanism between client and access point. The CTS/RTS uses a threshold that can be adjusted until throughput is maximized. This type of tool is invaluable in deciding the best place to position a new access point. The tool provides statistics on the transmission performance of the access point in each proposed location, making it easy to compare and choose the best location. Minimize RF Interference Effects This is another issue that primarily affects 802.11b and 802.11g. These standards use the 2.4 GHz band that is also used by other technologies such as Bluetooth and cordless phones. Although Bluetooth and Wi-Fi are complementary technologies, and they both operate in the 2.4 GHz band, each has different technical and usage characteristics. Bluetooth uses a quick Frequency Hopping (1600 hops per second) and Spread Spectrum (FHSS) technology. 
Most implementations support a range of up to 10 meters (30 feet) at a data throughput of 0.721 Mbps. 802.11b is a Direct Sequence Spread Spectrum (DSSS) technology, and offers speeds of 1, 2, 5.5, and 11 Mpbs, covering a range of about 100 meters indoors. As Wi-Fi and Bluetooth activity grows in public areas and enterprises, interference issues may need to be alleviated. Possible solutions to the problem include separating the two devices by more than 3.5 meters. Then as Bluetooth units hop over the full ISM band, they will overlap with the 802.11b signal for about 25 percent of the hop frequencies while the 75 percent that do not overlap will not be a problem. Fragmentation is another optional 802.11 protocol setting that helps improve performance in cases where interference is reducing throughput by causing bit errors and re-transmissions. Frames are broken into smaller fragments before transmission to reduce the chances of errors. Again, this can be implemented within individual client devices by adjusting the threshold to provide the best throughput. 802.11a Turbo Mode is another feature of some current products. If both the access point and client support turbo mode, which is vendor specific, it boosts maximum data rate to 108 Mbps. Quality of Service QoS is defined as the control of four network categories: bandwidth, latency, jitter, and traffic loss. Bandwidth is defined as the total network capacity. Networks must provide sufficient bandwidth for each application’s throughput requirements. Latency is the total time it takes for a frame to travel from a sender to a receiver. Latency is crucial for receivers with QoS requirements. Packets arriving too early require buffering or worse may be dropped. Packets arriving too late are not useful and must be discarded. Jitter is the variation in the latency among a group of packets between two nodes. 
Jitter requires a receiver to perform complex buffering operations, so that packets are presented to higher levels with a uniform latency. Traffic loss refers to the packets that never arrive at the receiver. 8 DEPLOYING 802.11 WIRELESS LANS The introduction of wireless channels to the overall networking fabric introduces variability to these main QoS performance parameters. In addition, roaming and other capabilities create problems that do not exist in wired networks. Therefore, individual companies and IEEE 802.11 TGe are striving to endow wireless LANs with mechanisms for effectively managing QoS parameters as well as wireless characteristics. There are several factors that make QoS a requirement in 802.11. One is the wireless transmission of home entertainment via a Wi-Fi WLAN. Another is the trend in the corporate environment to converge voice and data on a single wired communications infrastructure. If this were extended to the WLAN environment, company networks could carry wireless voice communications—creating possibilities for a range of new applications and delivering significant cost savings. As described earlier, a new extension (802.11e) will define quality of service (QoS) levels for applications such as voice and video. However this will not be ratified until third or fourth quarter of 2003. Therefore it is essential that current products from reputable vendors should be firmware upgradeable to provide this functionality in the future. While there are some proprietary QoS schemes on the market today, it is important to remember that an effective solution needs end-to-end implementation. Proprietary chipsets may not be compatible with mainstream Wi-Fi products when a standardized solution is available. Mobility Location-Dependent Configuration A mobile employee using their Wi-Fi enabled laptop will need the capability to connect to a number of different network types and configurations. 
Different sites within the company will usually be consistent, but when connecting at home or from public wireless hotspots there could be the need to reconfigure various client settings. This can be difficult and inconvenient for users, and as a result it is worth considering some form of profile management solution. Inter-Access Point Roaming As a user roams within the wireless LAN there needs to be a system of seamless movement among access points. Until recently, this was achieved by proprietary mechanisms from particular vendors. However, industry progress is evident based on recommended implementation of IEEE Std.802.11f/D2.2, December 2001 draft on Inter-Access Point Protocol (IAPP). The goal of IAPP is to facilitate seamless roaming in between access points from different vendors as long as the access points are part of a Distribution System (DS) implementing IAPP. IAPP handles the registration of APs within a network and exchange of information when a user is roaming among coverage areas supported by different vendor’s access points. It will help with fast hand-off from AP to AP. The 802.11f standard specifying IAPP is soon to be ratified and products are now shipping compatible with it. Roaming and Security Roaming is a critical component of the mobility equation. Wireless clients must be able to roam among all access points within the same subnet on the user’s LAN segment, as well as across subnets, without discernable interruption of data communications and security controls. If a user is using 802.1X for authentication and dynamic key management then IAPP roaming is required in order for the user to roam from one AP to the other without the need to re-authenticate. An alternative for sites that are not 802.1X enabled is to maintain a consistent username and password database locally within each access point to which a client could potentially roam. This would enable the client to roam without having to re-enter credentials. 
Extended Roaming

While Layer 2 roaming refers to the users’ capability to roam from one AP to another without crossing router boundaries (i.e., within the same IP subnet), Layer 3 roaming refers to the users’ ability to roam across router boundaries as they move about the enterprise campus. One implementation of Layer 3 roaming is achieved through the renewal of the client’s Dynamic Host Configuration Protocol (DHCP) lease for its IP address. This can be undertaken either manually or automatically. A manual DHCP implementation does require user intervention, where the users perform a manual “release/renew” using the Windows WINIPCFG utility. For enterprise environments where native DHCP services are not available, the embedded DHCP server within a local host can take the role of automatically assigning a valid IP address as the client roams across router boundaries. In the future, this implementation would become easier as IPv6 becomes widely deployed, and as all devices needed in the implementation support IPv6.

RF Issues

Before a WLAN is deployed, a wireless site survey will show the level of interference from other 2.4 GHz devices such as cordless phones and other WLANs. It will also identify the required location of each access point and the antennas necessary to provide adequate cell coverage and bandwidth capacity and to avoid co-channel interference between access points. For a larger enterprise, a wireless site survey from a professional wireless LAN consultant will usually provide the most satisfactory solution. However, for a smaller company this may not be necessary, especially when only one or two access points are needed. In any case it is helpful to understand the basic RF (radio frequency) issues when planning a WLAN deployment.

Antennas

Access points are usually supplied with omnidirectional dipole antennas. These provide 360-degree cell coverage around the axis of the antenna and will be suitable for most deployments. It should be noted that office spaces contain obstacles to radio transmissions, in particular metal objects such as partition frames and wall studs. These can reflect RF signals and cause a phenomenon known as multipath distortion. To help overcome this, access points that use a diversity antenna system (two identical antennas a small distance apart) should be used wherever possible, since they will provide enhanced coverage of the same geographic area. There may be instances where the antenna supplied with the access point is not suitable. For example, the best position for the antenna might be on a ceiling or a wall where positioning an access point would be difficult. In these cases an add-on ceiling- or wall-mounted aerial can usually be used, connected to the access point by an appropriate cable.

Also, there are cases when an omnidirectional antenna might be inappropriate. Where there are restrictions in locating the access point, or within an awkwardly shaped office space, it might unnecessarily radiate signals outside exterior walls, presenting a possible security risk. Also, in 802.11b and .11g networks, too-wide coverage might interfere with adjacent cells on the same channel. In these cases a “sector-panel” (or “patch”) aerial can be used to directionally focus cell coverage. These antennas are usually housed in flat boxes and mounted flush onto walls. They will produce hemispherical coverage, spreading away from the mount point at a width of between 30 and 180 degrees (depending on the particular antenna). Antennas do not boost signal power but concentrate the power in a certain direction, which gives a more focused coverage pattern by trading off the width (or angle) of the cell. A yagi antenna provides a more directional beam for long corridors and tunnels, and a parabolic aerial can be used for long-distance, highly directional connections between buildings.
Building-to-Building Bridges

A building-to-building bridge can be used to link buildings with 802.11b. Such bridges will usually require an aerial placed outdoors on an external wall or roof. The choice of aerial depends upon the nature of the connections required. For example, a campus requiring wireless connection between several buildings in close proximity may use an omnidirectional or sector-panel antenna; but a longer point-to-point connection between two buildings may need a more directional yagi or parabolic antenna. In order to avoid signal degradation over long-distance wireless links, there should be an obstacle-free zone wider than the point-to-point line of sight. The Fresnel (pronounced “frenel”) zone is an elliptical area immediately surrounding the visual path into which the RF signal will spread. The Fresnel zone can be calculated from the length of the signal path and the frequency of the signal, and it must be taken into account when designing a wireless link. Country-specific regulations will also restrict the length and type of building-to-building links, so they should be consulted before designing wireless inter-building links.

Coverage Planning

An essential goal in WLAN deployment is to ensure all areas are adequately covered. The coverage of each wireless cell depends on the location of the access point and the antenna used. Office spaces often have internal walls and obstacles and are rarely circular. A careful plan is necessary to maximize coverage and performance with the fewest possible access points and the least susceptibility to co-channel interference. Due to variability in the composition and thickness of building materials, the only guaranteed way of determining the cell coverage area of an access point is by on-site measurement. However, there are some general guidelines that will help with planning:

1. In an open plan office such as those with cubicles, there should be little attenuation of the radio signal. An 802.11b or 802.11g access point with an omnidirectional antenna will provide a cell with a radius of around 328ft/100m (100ft/30m of this at maximum data rate). An 802.11a access point will cover an area with an approximate radius of 164ft/50m (30ft/10m at the maximum data rate).

2. 2.4 GHz (802.11b and 11g) WLAN signals will generally penetrate internal walls, although there may be some signal attenuation, especially if the walls are made from cinderblock. It is worth noting that internal walls often have part-metal construction, and this can increase signal attenuation, too.

3. 5 GHz (802.11a) signals do not penetrate interior walls well, and this should be taken into account when planning.

4. In a multi-floor building, there may be some signal leakage between floors. For example, an access point mounted midway between the floor and ceiling on the second floor may radiate signals through to adjacent floors, depending on the gain and coverage of the antenna. This can be especially relevant for the floor above a ceiling-mounted antenna.

5. Penetration through brick or stone walls by Wi-Fi of either band is possible but unreliable, so any plan should not be based on the assumption of signals penetrating walls.

6. Metal walls or floors will not be penetrated by Wi-Fi signals and need to be planned around. This also applies to elevator shafts, which will present an obstacle to WLAN signals.

Why 3Com?

So far this paper has outlined the business benefits driving the need for wireless networking, and has examined the issues you will need to consider during deployment. This section highlights just some of 3Com’s wireless solution features that will help successfully address these issues.
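The Fresnel zone calculation mentioned under Building-to-Building Bridges above, worked through as an added example (not code from the paper or from 3Com): it derives the first Fresnel zone radius from path length and frequency and checks constructed obstacles under a link against it. The 60% clearance rule, the link geometry and the obstacle heights are assumptions made for the example.

```python
"""Fresnel-zone clearance check for a point-to-point 802.11 bridge link.

Added example, not code from the 3Com paper. It implements the standard
formula for the radius of the n-th Fresnel zone at a point along the path,
    r_n = sqrt(n * wavelength * d1 * d2 / (d1 + d2)),
where d1 and d2 are the distances (m) from that point to the two antennas.
The "keep at least 60% of the first Fresnel zone clear" rule used for the
pass/fail decision is the usual link-planning guideline and is an assumption
here; the paper only says the zone must be taken into account.
"""
import math

SPEED_OF_LIGHT_M_S = 299_792_458.0


def fresnel_radius_m(d1_m: float, d2_m: float, freq_hz: float, n: int = 1) -> float:
    """Radius in metres of the n-th Fresnel zone at a point d1_m from one antenna and d2_m from the other."""
    if d1_m <= 0.0 or d2_m <= 0.0:
        return 0.0  # at either antenna the zone collapses to a point
    wavelength_m = SPEED_OF_LIGHT_M_S / freq_hz
    return math.sqrt(n * wavelength_m * d1_m * d2_m / (d1_m + d2_m))


def midpath_fresnel_radius_m(path_m: float, freq_hz: float) -> float:
    """Widest point of the first Fresnel zone, halfway along the path."""
    return fresnel_radius_m(path_m / 2.0, path_m / 2.0, freq_hz)


def check_link(path_m, freq_hz, antenna_a_m, antenna_b_m, obstacles, clearance_fraction=0.6):
    """Check a link against the tallest obstacles under it.

    obstacles: iterable of (distance_from_antenna_a_m, obstacle_top_height_m).
    Antenna and obstacle heights share one reference (e.g. ground level).
    Returns one dict per obstacle; 'clear' is True only when the obstacle stays
    below the required fraction of the first Fresnel zone, not merely below
    the straight line of sight.
    """
    results = []
    for dist_m, top_m in obstacles:
        # Height of the straight line of sight at this point (linear interpolation).
        los_m = antenna_a_m + (antenna_b_m - antenna_a_m) * dist_m / path_m
        r1_m = fresnel_radius_m(dist_m, path_m - dist_m, freq_hz)
        required_m = clearance_fraction * r1_m
        margin_m = los_m - top_m
        results.append({
            "distance_m": dist_m,
            "los_height_m": los_m,
            "first_zone_radius_m": r1_m,
            "required_clearance_m": required_m,
            "margin_m": margin_m,
            "visually_clear": margin_m > 0.0,
            "clear": margin_m >= required_m,
        })
    return results


if __name__ == "__main__":
    # Constructed scenario: a 1 km 802.11b link (2.4 GHz band) between roof
    # antennas at 15 m and 12 m, with a tree line and a low building under the path.
    PATH_M = 1000.0
    FREQ_HZ = 2.4e9
    print(f"Mid-path first Fresnel radius at 2.4 GHz: {midpath_fresnel_radius_m(PATH_M, FREQ_HZ):.2f} m")
    print(f"Same link in the 5 GHz (802.11a) band:   {midpath_fresnel_radius_m(PATH_M, 5.25e9):.2f} m")
    for r in check_link(PATH_M, FREQ_HZ, 15.0, 12.0, [(400.0, 8.0), (700.0, 11.0)]):
        if r["clear"]:
            status = "OK"
        elif r["visually_clear"]:
            status = "line of sight clear, but Fresnel zone obstructed"
        else:
            status = "BLOCKED"
        print(f"{r['distance_m']:6.0f} m: margin {r['margin_m']:.2f} m, "
              f"need {r['required_clearance_m']:.2f} m -> {status}")
```

The second constructed obstacle shows the case the paper warns about: the visual path is clear, yet the link still fails the clearance rule because the obstacle intrudes into the first Fresnel zone.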
Security

As described earlier, the key to effective WLAN security is to utilize a combination of appropriate security mechanisms. 3Com today delivers industry-leading wired and wireless security options, so that you can deploy the solution most appropriate to the level of security required for your network.

Standards-based Encryption

3Com products support 40-bit (sometimes called 64-bit) and 128-bit WEP. By turning on WEP and managing keys effectively, a baseline level of security can be achieved that discourages casual wireless eavesdroppers.

Dynamic Security Link

3Com provides an enhanced method of encryption and key management that addresses the main weakness within WEP, namely a manual static key. Instead, a unique 128-bit key is dynamically assigned to each user, and this is changed for every new session. Additionally, a local username and password database maintained inside each access point enables a more secure user-based authentication mechanism.

Secure Authentication Options

802.1X port-based authentication is supported for different EAP types, including EAP-MD5, EAP-TLS, EAP-TTLS, and PEAP. 3Com supports 802.1X for non-XP clients including Windows NT and Windows 2000 systems. MAC address authentication is also supported, either locally within the access point or via a RADIUS authentication server.

XJACK® connector

The XJACK connector on 3Com client devices provides a simple but highly effective method of securing data on laptops by turning off the radio when it is not required.

Management

3Com offers a number of different options to manage WLAN devices.

SNMP Support

WLAN products can be integrated into an enterprise-class network management system such as HP OpenView.

3Com Network Supervisor

This is a powerful yet easy-to-use PC-based management tool that offers many of the benefits of centralized management identified in an earlier section. It is included in the price of the product.

Web-based Management

Individual devices can be securely monitored, configured and upgraded using a standard web browser.

Save and Load Cloning

3Com access points can be added to an existing network with maximum ease by cloning configuration settings from another access point.

Performance

Autonomous Load Balancing

This feature is unique to 3Com’s client devices and helps maximize the traffic capacity of the wireless network without user intervention. 3Com’s WLAN clients are smart enough to automatically associate with the access point providing the highest available throughput, not just the closest one. This is especially effective at improving performance for high-bandwidth users located in more densely packed areas of the network served by multiple access points.

Clear Channel Select

3Com’s access points can be set to scan the available radio channels and automatically use the least loaded one. Performance-reducing co-channel interference is minimized. This simplifies placement planning and channel selection of access points, especially for 802.11b technology, which inherently has only three non-overlapping channels.

Dual-band Radio Products

The ideal solution of maximum geographical coverage with highest performance at minimum cost could be achieved through blanket deployment of 802.11b with pockets of 802.11a or 802.11g. Even if the higher performance is not needed today, it should be the network planner’s goal to allow for smooth future migration. 3Com’s access points now ship with dual-slot modular 802.11a/802.11b support (802.11g available from June 2003).

802.11a Turbo Mode

For maximum throughput, 3Com’s 802.11a access points and client devices support “turbo mode,” which boosts performance from 54 Mbps to 108 Mbps.

Inter-Access Point Protocol (IAPP)

802.11f describes the handover process for mobile users using IAPP that allows them to roam between different vendors’ access points. Although this standard will not be ratified until later in 2003, 3Com’s new access points have begun to ship supporting IAPP. On earlier models, the Auto Network Connect function allowed users to roam between 3Com access points; future firmware upgrades will allow IAPP support on these products.

Mobility

Client Profile Management

3Com’s client devices can be configured with profiles specifying appropriate configuration settings for multiple locations. As the user moves between head office, branch office, home or public hotspots, the client device will automatically detect the location and activate the correct profile. The device will also launch a VPN session if determined by the particular profile.

Deployment Examples

This section shows two scenarios of how WLANs have been effectively deployed.

Figure 1 shows a WLAN deployment in a large multi-sited company manufacturing volume IT products. One of the regional sales offices is a newly acquired site and has 10 office-based staff and a “hot desk” area for regional sales executives normally on the road. A WLAN was newly installed from scratch to serve all client devices including desktops. It was the ideal place to begin the corporate 802.11 rollout. One 3Com Access Point 8200 was installed to initially provide 802.11b connectivity, giving all employees access to the Internet and the corporate network and e-mail system. An 802.11a module was added to the Access Point 8200 to serve the hot desk area with higher throughput for downloading of large presentations, product details, and e-mails from the corporate network.

At the head office campus, some legacy 1 Mbps 802.11 had been used in the distribution warehouse to help with basic stock control. This was upgraded to 802.11b using the 3Com Access Point 8200, providing higher bandwidth and greater coverage. This has facilitated the use of an up-to-date inventory management system with connectivity for warehouse personnel using hand-held devices, and senior managers using laptops. A 3Com 11 Mbps Building-to-Building Bridge provides the warehouse with a high-speed connection into the corporate network. A smooth future transition to 802.11a or 802.11g in the warehouse is made possible by the Access Point 8200’s modular capability. The main office headquarters already had an established wired network.

FIGURE 1. WLAN Deployment in a Large Multi-sited Company (diagram not reproduced: Head Office Campus and New Regional Sales Office of a volume IT product manufacturer, showing areas of 802.11b coverage and of combined 802.11b and 802.11a coverage)
However, the use of the 3Com Wireless LAN Access Point 8200, which can be upgraded to dual-mode with 11a/11b/11g radios, throughout the campus provides the benefits of increased productivity and greater flexibility described earlier in this white paper, especially for the high proportion of mobile employees. The 3Com 11a/b/g wireless LAN PC Cards with XJACK antennas provide maximum flexibility with support for all three IEEE 802.11 standards – 11a, 11b and 11g – and enhanced security including 128-bit AES and WEP encryption and WPA support to help keep data private. This card helps provide a complete enterprise wireless offering when combined with the 8200, 8500, or 8700 access points.

In the main conference room, a 3Com Wireless LAN Access Point 8500 provides localized 802.11a connectivity. Fast access to up-to-date sales information, reports and inventory information means senior management meetings are more informed and decision-making is more collaborative. A new training room for sales executives served by high-bandwidth 802.11a means sessions can be more interactive and new information such as product specifications and sales presentations can be delivered to them on the spot. This room also serves as a new customer briefing center. It has screened walls and is connected to the rest of the network via a 3Com SuperStack® 3 Firewall. The 3Com Wireless LAN Access Point 8500 provides dual-band Wi-Fi coverage for maximum compatibility with customers’ laptops. A 3Com Wireless LAN Workgroup Bridge wirelessly links to the office headquarters’ 3Com Access Point 8200 and provides additional wireless connectivity for up to four Ethernet-enabled devices, including an NBX phone, a desktop PC and laptop without an available PCI or PC card slot, and a network printer. There are plans for deployment of several new network services. For example, wireless instant messaging will bring real-time sharing of information, communication and decision-making across all company sites.
Figure 2 shows a WLAN deployment in a small private finance company. There are thirty employees at a single location, with several remote employees telecommuting from home offices most of the time. The WLAN was a new network installation, and it was more economical to provide connectivity to office desktop PCs and laptops using a wireless connection. A single 3Com OfficeConnect® 11g Wireless Access Point provides up to 100 meters (328 feet) of coverage for up to 128 users, at the maximum data rate of 54 Mbps. Among the first products in the industry to ship fully compliant with the newly ratified IEEE 802.11g standard, the 3Com solution offers reliable wireless networking at speeds up to 54 Mbps. The 3Com OfficeConnect Wireless 11g Access Point supports 802.11b as well as 802.11g notebooks, PCs, and other wireless client devices. Advanced 256-bit WPA (Wi-Fi Protected Access) encryption provides maximum security to the wireless LAN, while 40/64- and 128-bit WEP (Wireless Encryption Protocol) shared-key encryption helps protect data and retains privacy of wireless transmissions with legacy wireless clients that do not support WPA. Support for VPN tunnel initiation and termination, an industry-standard Stateful Packet Inspection (SPI) firewall, NAT protection, built-in LAN ports, and broadband access is delivered through the OfficeConnect Cable/DSL Secure Gateway, located at the small-office network perimeter.

FIGURE 2. WLAN Deployment in a Small Private Finance Company (diagram not reproduced: single-site main office with 802.11b/g coverage, and a telecommuter’s home office reached over a VPN tunnel via ISP-provided broadband modems)

For telecommuters, mixed wired and wireless environments, and simultaneous users on a single cable or DSL Internet connection, a small office and home office wireless LAN provided by the 3Com OfficeConnect Wireless 11g Cable/DSL Gateway provides a broadband connection (via the ISP-supplied modem) to the main office from a laptop or a desktop PC anywhere in the small office and home office. A high-speed routing engine and a 54 Mbps wireless connection for users with 802.11g-equipped PCs and laptops, combined with an integrated 10/100 four-port switch and backward compatibility with 802.11b wireless LAN equipment, make it an ideal solution for telecommuter wireless broadband Internet sharing. VPN pass-through permits secure connections to remote offices, including a Stateful Packet Inspection firewall, hacker pattern detection, and URL filtering.

For more information about wireless technologies and 3Com wireless solutions, visit www.3Com.com/wireless

3Com Corporation, Corporate Headquarters, 5500 Great America Parkway, P.O. Box 58145, Santa Clara, CA 95052-8145. To learn more about 3Com solutions, visit www.3com.com. 3Com Corporation is publicly traded on Nasdaq under the symbol COMS.
The information contained in this document represents the current view of 3Com Corporation on the issues discussed as of the date of publication. Because 3Com must respond to changing market conditions, this paper should not be interpreted to be a commitment on the part of 3Com, and 3Com cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only; 3Com makes no warranties, express or implied, in this document. Copyright © 2003 3Com Corporation. All rights reserved. 3Com, the 3Com logo, OfficeConnect, SuperStack, and XJACK are registered trademarks of 3Com Corporation. Possible made practical is a trademark of 3Com Corporation. All other company and product names may be trademarks of their respective companies. While every effort is made to ensure the information given is accurate, 3Com does not accept liability for any errors or mistakes which may arise. Specifications and other information in this document may be subject to change without notice. 503126-001 07/03