WLAN Design
Network Architecture Design
On large- and medium-sized campus networks, the WLAN typically uses the "native WAC + Fit AP" architecture. Under this architecture, switches that support native WAC functionality serve as WACs to manage APs running in Fit mode, and wireless services on APs are not configured on iMaster NCE-Campus.
On such networks, the WAC (the edge node in the distributed gateway solution) is usually deployed at the same location as the user gateway. VXLAN is therefore recommended across the core and aggregation layers of the fabric network. If VXLAN were instead deployed across the core and access layers, every access switch would function as an edge node and also as a WAC managing the APs connected to it, which dramatically increases the WLAN configuration and maintenance workload. The WLAN planning in the rest of this section assumes VXLAN deployed across the core and aggregation layers.
Control packets between the WAC and APs are forwarded through a CAPWAP tunnel. APs forward service packets of wireless users to the wired side in tunnel forwarding (centralized forwarding) or direct forwarding (local forwarding) mode.
Tunnel Forwarding
In tunnel forwarding mode, an AP encapsulates the service packets of wireless users over a CAPWAP tunnel and sends them to the WAC. The WAC then forwards these packets to other networks. Figure 2-101 shows the traffic forwarding model in the distributed gateway solution where service packets of wireless users are forwarded through a CAPWAP tunnel.
In tunnel forwarding mode, switches on the links between the WAC and APs do not need to allow service VLANs, and interfaces on the switches do not need to be added to such VLANs. This facilitates centralized control and management. However, all service traffic of wireless users needs to be forwarded by the WAC, burdening the WAC. In the distributed gateway solution, if VXLAN is deployed across core and aggregation layers, aggregation switches function as edge nodes and provide the native WAC function. In this case, east-west service traffic of wireless users needs to pass through the aggregation switches, increasing the forwarding burden.
Direct Forwarding
In direct forwarding mode, an AP directly forwards users' service packets to other networks without encapsulating them over a CAPWAP tunnel. Figure 2-102 shows the traffic forwarding model in the distributed gateway solution where service packets of wireless users are forwarded in direct forwarding mode.
In direct forwarding mode, the east-west service traffic of local wireless users can be directly forwarded by the local access switch without passing through the WAC. However, switches on the links between the WAC and APs need to allow service VLANs, and interfaces on the switches need to be added to such VLANs, making it difficult to perform centralized control and management.
Table 2-53 compares the tunnel forwarding mode with the direct forwarding mode. In the virtualization solution for a large or midsize campus network, the tunnel forwarding mode that can provide centralized traffic management and control is recommended, irrespective of which gateway solution is selected. The subsequent WLAN planning following this section is also designed based on the tunnel forwarding mode.
Forwarding Mode | Application Scenario | Advantage | Disadvantage
---|---|---|---
Tunnel forwarding | Wireless user service traffic is processed and forwarded by the WAC in a centralized manner. | All wireless service traffic passes through the WAC, so it can be controlled and managed at a single point. | Service traffic must be forwarded by the WAC, reducing packet forwarding efficiency and burdening the WAC.
Direct forwarding | Service traffic of wireless users is forwarded directly without passing through the WAC, saving AP-WAC link bandwidth. | Service traffic does not need to be forwarded by the WAC, which improves packet forwarding efficiency and reduces the burden on the WAC. | Service traffic cannot be managed and controlled in a centralized manner.
AP Join Process Design
Different from the centralized gateway solution, the distributed gateway solution deploys VXLAN across the core and aggregation layers of the fabric network (as recommended above) and uses policy association between the edge node and its downstream devices. The edge node, functioning as the WAC, can then establish CAPWAP tunnels with the APs and bring them online.
Policy association moves the authentication control point up to the aggregation or core layer: the aggregation or core device (the edge node) associates with access-layer switches through CAPWAP tunnels. Fewer authentication control points need to be configured, while terminal access control is still enforced at the access layer.
Figure 2-103 shows the principle diagram.
- On iMaster NCE-Campus, choose Provision > Virtual Network > Fabric Management. On the Access Management tab page of a created fabric network, set the authentication control point to an edge node, and configure the management VLAN and management IP address for policy association based on the wireless management subnet plan. After the configuration is complete, a VLANIF interface is automatically created on the edge node. Then configure the DHCP address pool function on the VLANIF interface, which is also set as the CAPWAP source interface.
- Select an interface connected to an access switch from the interfaces of the edge node, and set Connected Device Type to Extended access switch.
- Then, the interface connected to the access switch is automatically added to the management VLAN and sends a protocol packet carrying the management VLAN information to the access switch. The interfaces on the access switch are also automatically added to the management VLAN.
- In the interface list of the authentication enforcement point (access switch), select an interface connected to an AP, and set Connected Device Type to Extended AP.
- The interface connected to the AP then uses the management VLAN ID as its default PVID, so untagged packets from the AP are tagged with the management VLAN.
- Finally, the management channel between the edge node and AP is established. After the connected AP is authenticated, a CAPWAP tunnel is set up, and the AP successfully goes online on the edge node.
AP Group Design
An AP group is used to configure and manage APs in batches so that the APs inherit the configurations of the group to which they belong.
You can create an AP group based on the following items:
- Physical location (For example, APs on the same floor can be added to the same AP group. This mode is preferred.)
- Device model
- IP or MAC address
- Serial number (SN)
SSID and Service VLAN Design
SSID Planning
In most cases, service set identifiers (SSIDs) are planned based on user roles or service types. For example, three SSIDs can be planned for three types of wireless services in a large-scale business scenario, as shown in Figure 2-104: Employee is used for wireless office access of employees, Guest is used for Internet access of guests, and Dumb is used for wireless access of dumb terminals such as printers. For an SSID that is not intended for end users, for example the SSID used by printers, you can configure SSID hiding so that the SSID does not appear in users' network lists. Note that SSID hiding is a convenience measure, not an access control: the SSID is still carried in probe and association frames, so a hidden SSID still needs a proper security policy and NAC authentication mode (see WLAN Admission Design below).
Wireless Service VLAN Planning
When an AP receives service data from wireless users and forwards the data to the wired side, a wireless service VLAN needs to be planned to distinguish different wireless service types or user groups on the wired side. On the wireless side, SSIDs also differentiate wireless service types or user groups. Therefore, mappings between VLANs and SSIDs must be considered during WLAN planning. Two mapping relationships are applicable to different scenarios: 1:1 and 1:N, as described in Table 2-54.
SSID:VLAN Mapping | Usage Scenario
---|---
SSID:VLAN = 1:1 | An enterprise needs to provide WLAN coverage for hotspots A and B. To allow users to detect only one SSID and apply the same data forwarding control policy everywhere, plan one SSID and one VLAN, that is, SSID:VLAN = 1:1.
SSID:VLAN = 1:N | An enterprise needs to provide WLAN coverage for hotspots A and B, where users should detect only one SSID but the two hotspots need different data forwarding control policies. Plan one SSID and two VLANs to differentiate the hotspots, that is, SSID:VLAN = 1:2.
On a large and midsize campus network, a large number of STAs exist and require area-specific policies. Typically, the SSID:VLAN = 1:N mapping policy is used.
A single SSID forms one radio broadcast domain regardless of how many VLANs are mapped to it. With SSID:VLAN = 1:N, broadcast traffic from all N VLANs would be sent over the same radio, so you are advised to enable broadcast-to-unicast conversion to avoid creating a large radio broadcast domain.
User Subnet Route Design
Routes for wireless user subnets refer to the routes for communication between wireless user subnets and network service resources (such as DHCP servers), external networks, and wired user subnets in VNs. In the distributed gateway scenario, after receiving wireless user traffic from an AP over a CAPWAP tunnel, the edge node that functions as a WAC decapsulates CAPWAP packets and directly forwards the decapsulated packets to a particular VN, as illustrated in Figure 2-105.
WLAN Admission Design
NAC Authentication Control Point Design
Network Access Control (NAC) solution is applicable to both wired and wireless users. In this solution, common authentication technologies include 802.1X, MAC address, and Portal authentication. Generally, access control is performed for wired users based on access interfaces of switches, and for wireless users based on SSIDs.
In the distributed gateway solution, the edge node functions as the native WAC, so the WLAN authentication control point sits on the edge node. As shown in Figure 2-106, two steps are performed on the authentication control point:
- Configure authentication, authorization, and accounting (AAA) profile resources on the WAC, including the RADIUS server template, Portal server template, and access authentication profiles. You are advised to create these profile resources on iMaster NCE-Campus and deliver them to the WAC during access management configuration for the fabric.
- Associate the configured access authentication profiles with the corresponding SSIDs on the APs. Wireless services on APs are not configured on iMaster NCE-Campus; they can be configured only by logging in to the web system of the WAC.
The roadmap for selecting authentication modes for wireless users is the same as that for wired users. That is, you need to take into account different user roles or terminal types. For details, see "User Authentication Mode Design" in Access Control Design.
Security Policy Design
In addition to the traditional NAC solution, four WLAN security policies are available: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, WLAN Authentication and Privacy Infrastructure (WAPI). Each security policy has a series of security mechanisms, including link authentication used to establish a wireless link, user authentication used when users attempt to connect to a wireless network, and data encryption used during data transmission. Table 2-55 compares these WLAN security policies.
Security Policy | Characteristics
---|---
WEP | The original 802.11 security mechanism. Its RC4-based encryption with static keys and short IVs is vulnerable to known attacks, so WEP is not recommended.
WPA/WPA2 | WPA (TKIP) and WPA2 (CCMP/AES) share the same authentication framework; WPA2 with AES is the stronger of the two and is preferred. Both have an enterprise edition (802.1X) and a personal edition (pre-shared key).
WAPI | WAPI is a WLAN security standard proposed in China and provides higher security than WEP and WPA.
NAC is typically considered in conjunction with security policies to form combined network access control solutions suited to diverse scenarios. Table 2-56 lists WLAN security policies, recommended NAC authentication modes, and application scenarios.
Security Policy | Recommended NAC Authentication Mode | Application Scenario
---|---|---
Open (no security policy configured) | Portal/MAC address authentication | 
WEP | - | 
WPA/WPA2-PSK authentication | - | 
WPA/WPA2-802.1X authentication | 802.1X authentication (only this authentication mode can be selected) | 
WAPI-PSK authentication | - | This security policy provides higher security than WEP and requires no third-party server. Only some STAs support the protocol.
WAPI-certificate authentication | - | This security policy provides high security and requires a third-party server. Only some STAs support the protocol.
Roaming Design
WLAN roaming addresses the following issues:
- Retains users' IP addresses. After roaming, users can still access the initially associated network and continue their services.
- Avoids packet loss or service interruption caused by lengthy re-authentication.
WLAN roaming is classified into the following types based on the STA roaming scope:
- Intra-WAC roaming
- Inter-WAC roaming at Layer 2 or Layer 3
In actual deployment, intra-WAC roaming is recommended; inter-WAC roaming can be avoided through proper AP group management. For services with strict latency requirements, such as automated guided vehicles (AGVs) in warehouses and factories, it is recommended that a separate SSID or VLAN be planned so that they use Layer 2 roaming within the WAC.
In the native WAC scenario, if the number of STAs is greater than or equal to 40,000, a maximum of four native WACs can be deployed in each mobility group; if the number of STAs is less than 40,000, a maximum of 16 native WACs can be deployed in each mobility group.
In addition to the preceding basic roaming functions, Huawei WLAN supports the fast roaming function, including pairwise master key (PMK) fast roaming and 802.11r fast roaming. This function further reduces the handoff delay between APs. Table 2-57 shows the handover delay of STAs in different roaming modes.
802.11r fast roaming supports an enhanced roaming mechanism based on device-pipe synergy when working with Huawei terminals. This mechanism further reduces the roaming handover delay and packet loss rate, so you are advised to enable it when enabling 802.11r fast roaming.
Roaming Mode | Handover Delay (ms) | Suggestion | Description
---|---|---|---
Open or 802.11r roaming | < 50 | If the Protected Management Frame (PMF) function is not required, it is recommended that the 802.11r fast roaming function be enabled. | 
WPA-PSK/WPA2-PSK/802.1X fast roaming (PMK) | < 100 | This function takes effect automatically. | PMK fast roaming requires that STAs also support this function. Currently, almost all STAs support PMK fast roaming.
802.1X non-fast roaming | < 250 | This is a basic function of the system which takes effect automatically. | N/A
RRM Design
On a WLAN, especially on the 2.4 GHz frequency band, out-of-band interference and in-band co-channel/adjacent-channel interference exist. STAs of different brands, types, and models behave differently. For optimal access services, radio resources and user access need to be managed in a coordinated manner. The specific radio resource management (RRM) capabilities include:
- Radio calibration
The radio calibration function dynamically adjusts the channels and power of APs managed by the same WAC so that the APs work at optimal performance. It is recommended that scheduled radio calibration be configured so that APs perform radio calibration in off-peak hours, for example, between 00:00 and 06:00.
- Band steering
Most STAs support both the 2.4 GHz and 5 GHz frequency bands. By default many of them select the 2.4 GHz band, which has fewer channels, is usually crowded and heavily loaded, and suffers high interference, while the 5 GHz band, with more channels and less interference, is underused. The band steering function enables an AP to steer STAs to the 5 GHz radio first, which reduces traffic load and interference on the 2.4 GHz radio and improves user experience. It is recommended that this function be enabled by default.
- Smart roaming
Some outdated and dumb terminals have low roaming aggressiveness. As a result, they stick to the initially connected APs regardless of the long distance from the APs, weak signals, or low rates, and do not roam to neighboring APs with better signals. Such STAs are generally called sticky STAs. Sticky STAs have the following negative impact:
  - The service experience of a sticky STA is poor: it stays associated with the poor-signal AP, so its channel rate decreases significantly.
  - The overall performance of the wireless channel is affected: a sticky STA may encounter frequent packet loss or retransmission caused by poor signal quality and low rates, and therefore occupies the channel for a long time, leaving other STAs without sufficient channel resources.
Smart roaming enables STAs to roam to neighboring APs with better signals in a timely manner, improving user experience:
  - Performance improvement: Smart roaming directs poor-signal STAs to APs with better signals, improving user service experience and overall channel performance.
  - Load balancing: Smart roaming ensures that each STA is associated with the nearest AP, achieving inter-AP load balancing. It is recommended that this capability be enabled.
- STA steering
After a STA connects to an AP, the target AP selection algorithm is used to comprehensively measure the dual-band capability of the STA, AP load, and AP signal quality to steer the STA to the optimal AP. It is recommended that this capability be enabled.
Suggestions on Network Planning Practices
Network planning is an important part of WLAN project implementation. The network planning design consists of the following parts:
- Network coverage design: Determine the requirements and principles for signal coverage.
- Network capacity design: Determine the bandwidth requirements of a single user based on the service model and STA behavior, and then determine the number of APs based on the AP capability.
- AP deployment design: Determine AP installation positions based on the deployment principles.
- AP channel planning: Properly plan channels for APs in neighboring areas to reduce co-channel and adjacent-channel interference.
- AP power supply and cabling design
WLAN Coverage Design
Table 2-58 lists the field strength requirements for coverage areas to ensure good coverage.
Coverage | Field Strength | Typical Scenario
---|---|---
Major coverage area | -40 dBm to -65 dBm | Dorm room, library, classroom, hotel room, lobby, office, and hall
Common coverage area | > -75 dBm | Corridor, kitchen, storeroom, and dressing room
Special coverage area | N/A | Areas that have limitations on or do not allow coverage or installation because of service security or property management
The coverage suggestions in different scenarios are as follows:
- Indoor scenarios: Plan the coverage radius of 15-20 m for each AP.
- Outdoor scenarios: Plan the coverage radius of 50-80 m for each AP.
- Indoor high-density scenarios: Use small-angle directional antennas. During network planning, select AP positions and spacing based on the antenna angle.
Network Capacity Design
On a WLAN, the bandwidth capacity is calculated based on the following formula:
Total network bandwidth = Average bandwidth required by a single user x Number of users
The bandwidth required by a single STA depends on the actual network application of STAs. Table 2-59 lists the typical bandwidth requirements of common network applications.
Application Type | Typical Bandwidth Requirement | Description
---|---|---
Web page browsing | 4 Mbit/s | Consider images and videos on web pages.
Video (1080p) | 5 Mbit/s | Typical value. Bandwidth varies depending on video compression rates and frame rates.
Audio | 64 kbit/s | None
(application type not given in source) | 8 Mbit/s | Consider transfer of large files such as attachments.
File transfer | 10 Mbit/s | None
Desktop sharing | 2.5 Mbit/s | None
Mobile gaming | 100 kbit/s | None
Screen projection | 9 Mbit/s | None
Instant messaging | 5 Mbit/s | Consider the upload of large files such as photos.
Table 2-60 lists the AP specifications.
Per-User Bandwidth (Mbit/s) | Recommended Number of Concurrent STAs in Single-Band Mode (One/Two Spatial Streams) | Recommended Number of Concurrent STAs in Dual-Band Mode (One/Two Spatial Streams)
---|---|---
8 | 5/10 | 9/18
6 | 6/11 | 11/20
4 | 8/12 | 15/22
2 | 12/22 | 22/40
1 | 20/30 | 35/55
Based on the preceding information (bandwidth requirements of a single STA, number of STAs, and specifications of selected APs), you can calculate the number of APs required in a project.
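The calculation described above, carried through in code as an added example (this is not part of the original page or a Huawei tool). It combines the bandwidth formula with Table 2-59 and Table 2-60: a service model gives the share of concurrent users running each application, the weighted average becomes the per-user bandwidth, the requirement is rounded up to the next Table 2-60 row (never down), and the AP count is the concurrent user count divided by that row's STA figure, rounded up. The office service model, the 200 concurrent users and the rounding policy are assumptions; the unnamed 8 Mbit/s row of Table 2-59 is left out because its application type is not given.

```python
"""Added example (not from the original page): WLAN capacity planning using
"Total network bandwidth = Average bandwidth per user x Number of users"
together with Table 2-59 (per-application bandwidth) and Table 2-60
(concurrent STAs per AP). The service model below is a constructed assumption.
"""
import math

# Typical bandwidth per application in Mbit/s (Table 2-59, named rows only).
APP_BANDWIDTH_MBPS = {
    "web_browsing": 4.0,
    "video_1080p": 5.0,
    "audio": 0.064,
    "file_transfer": 10.0,
    "desktop_sharing": 2.5,
    "mobile_gaming": 0.1,
    "screen_projection": 9.0,
    "instant_messaging": 5.0,
}

# Table 2-60 rows: per-user bandwidth (Mbit/s) -> recommended concurrent STAs as
# (single-band 1 stream, single-band 2 streams, dual-band 1 stream, dual-band 2 streams).
AP_SPEC = (
    (8, (5, 10, 9, 18)),
    (6, (6, 11, 11, 20)),
    (4, (8, 12, 15, 22)),
    (2, (12, 22, 22, 40)),
    (1, (20, 30, 35, 55)),
)


def average_user_bandwidth(service_model):
    """service_model: application -> fraction of concurrent users running it.
    Returns the weighted average bandwidth per user in Mbit/s."""
    return sum(APP_BANDWIDTH_MBPS[app] * share for app, share in service_model.items())


def select_ap_row(per_user_mbps):
    """Return the Table 2-60 row to size against: the smallest per-user
    bandwidth that still meets the requirement (round up, never down)."""
    candidates = [row for row in AP_SPEC if row[0] >= per_user_mbps]
    if not candidates:
        raise ValueError(f"{per_user_mbps} Mbit/s per user exceeds the 8 Mbit/s table maximum")
    return min(candidates, key=lambda row: row[0])


def plan_aps(concurrent_users, service_model, dual_band=True, two_streams=True):
    """Number of APs needed for the given concurrent users and service model."""
    avg = average_user_bandwidth(service_model)
    row_bw, counts = select_ap_row(avg)
    index = (2 if dual_band else 0) + (1 if two_streams else 0)
    stas_per_ap = counts[index]
    return {
        "per_user_mbps": avg,
        "total_mbps": avg * concurrent_users,
        "sizing_row_mbps": row_bw,
        "stas_per_ap": stas_per_ap,
        "ap_count": math.ceil(concurrent_users / stas_per_ap),
    }


# Constructed service model for an office floor (assumption, not from the page):
# shares are the fractions of concurrent users running each application.
OFFICE_MODEL = {
    "web_browsing": 0.5,
    "instant_messaging": 0.2,
    "video_1080p": 0.1,
    "audio": 0.1,
}

if __name__ == "__main__":
    plan = plan_aps(200, OFFICE_MODEL)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

With the constructed model the per-user average is about 3.5 Mbit/s, which sizes against the 4 Mbit/s row: 22 concurrent STAs per dual-band two-stream AP, hence 10 APs for 200 concurrent users, or 25 APs if only single-band single-stream capacity is counted. Rounding the requirement up to the next row is the conservative choice; rounding down would overload APs at peak.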
Deployment Design
Deployment design covers both the APs and the access switches on a WLAN.
AP Deployment Guidelines
Comply with the following guidelines when selecting AP deployment positions:
- When installing an AP, minimize the number of obstacles (such as walls and ceilings) that signals must traverse, and try to have signals pass through such obstacles perpendicularly.
- When an AP is close to a column and radio signals are blocked, a large radio shadow is formed behind the column. When deploying the AP, consider the impact of the column on signal coverage to avoid coverage holes or weak coverage.
- Metal objects have a strong reflection effect on wireless signals. Do not place APs or antennas behind metal ceilings.
- Ensure that the front side of an AP faces the target coverage area; the AP deployment direction is adjustable.
- If only one AP is required in a lobby, deploy the AP in the central position. If two APs are required, they can be placed diagonally.
- Add APs to the areas that require special attention to ensure signal coverage.
- Deploy APs far from interference sources.
Place APs far away from electronic devices. Do not deploy microwave ovens, wireless cameras, Wi-Fi phones, or other electronic equipment in the coverage area.
- For areas with roaming requirements, keep a 10% to 15% overlapping between the coverage areas of neighboring APs to ensure smooth STA roaming between APs.
- In common indoor scenarios without high aesthetic requirements, APs can be installed directly. In high-end office areas, APs can be installed inside the non-metal ceiling or have an enclosure installed.
The typical AP deployment solutions in different scenarios are described as follows.
- Common office area scenario:
  - The AP spacing is 10–18 m.
  - When more than three APs are required, deploy them in triangle mode.
- Small-room, high-density scenario (school dormitory or hospital ward):
  - The agile distributed Wi-Fi solution is recommended, in which an RU or settled AP is deployed in each room.
- Outdoor scenario (Figure 2-110):
  - In an open area (with a wide view and few obstacles), deploy APs with omnidirectional antennas for coverage, with a spacing of 50–60 m.
  - In areas with obstacles or long narrow areas, deploy APs with large-angle directional antennas for coverage, with a spacing of 30–40 m.
  - In a road area (left part of Figure 2-110), deploy APs with directional antennas for coverage, with a spacing of 120–150 m.
Access Switch Deployment Guidelines
- It is recommended that the cable run from an access switch to each AP it serves be within 80 m, leaving margin under the 100 m Ethernet limit for patch cords and the spare cable reserved during AP deployment.
- Deploy access switches away from strong electromagnetic interference, and take moisture-proof and dust-proof measures.
- Determine how many APs each access switch can serve based on its number of ports, the PoE budget of its power module, and the power consumption of the APs.
AP Channel Design
Available channels vary according to local countries and regions. Before network planning, determine locally available channels. For channels in different countries, see WLAN Country Codes and Channels Compliance.
The purpose of channel design is to maximize the distance between APs on the same channel and reduce inter-AP interference. The specific design guidelines are as follows:
- 2.4 GHz channel: In countries that support channels 1–13, channels 1, 6, and 11 are recommended when a small number of APs are deployed. If many APs are required in an area, channels 1, 5, 9, and 13 are recommended.
- 5 GHz channel: When an AP uses a single 5 GHz radio, it is recommended that high and low frequency channels of neighboring APs be staggered. When an AP uses dual 5 GHz radios, it is recommended that two 5 GHz radios be planned at low and high frequencies respectively.
- In the case of multiple floors, avoid overlapping with channels of APs on adjacent floors. If channel overlapping cannot be avoided, reduce AP power to minimize the overlapping areas.
Figure 2-111 Typical channel design diagram
The following figure shows an example of 2.4 GHz channel planning for multi-floor coverage.
Figure 2-112 Example of 2.4 GHz channel planning for multi-floor coverage
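A small channel planner that applies the guidelines above, as an added example (not from the original page or any Huawei tool). Each AP in turn takes the channel whose nearest already-assigned co-channel AP is farthest away, which is the "maximize the distance between APs on the same channel" rule as a greedy algorithm; a second function reports the co-channel overlap between stacked APs on adjacent floors that the multi-floor guideline says to avoid. The AP coordinates, the 4 m floor height and the 10 m "stacked" threshold are constructed assumptions; the channel sets are the ones the guidelines name.

```python
"""Added example (not from the original page): greedy 2.4 GHz channel
assignment that maximizes co-channel AP distance and checks adjacent-floor
overlap. AP coordinates, floor height and thresholds are constructed assumptions.
"""
import math

CHANNELS_2G_SPARSE = (1, 6, 11)     # few APs per area
CHANNELS_2G_DENSE = (1, 5, 9, 13)   # many APs, where channel 13 is permitted
FLOOR_HEIGHT_M = 4.0                # assumption: vertical spacing between floors


def distance(a, b):
    """Straight-line distance between APs given as (x_m, y_m, floor_index)."""
    dx, dy = a[0] - b[0], a[1] - b[1]
    dz = (a[2] - b[2]) * FLOOR_HEIGHT_M
    return math.sqrt(dx * dx + dy * dy + dz * dz)


def assign_channels(aps, channels):
    """Greedy assignment: each AP, in order, takes the channel whose nearest
    already-assigned co-channel AP is farthest away (ties go to the first channel)."""
    assigned = []
    for i, pos in enumerate(aps):
        best_channel, best_gap = None, -1.0
        for channel in channels:
            gap = min(
                (distance(pos, aps[j]) for j in range(i) if assigned[j] == channel),
                default=math.inf,
            )
            if gap > best_gap:
                best_channel, best_gap = channel, gap
        assigned.append(best_channel)
    return assigned


def min_cochannel_distance(aps, assigned):
    """Smallest distance between any two APs on the same channel."""
    best = math.inf
    for i in range(len(aps)):
        for j in range(i + 1, len(aps)):
            if assigned[i] == assigned[j]:
                best = min(best, distance(aps[i], aps[j]))
    return best


def adjacent_floor_conflicts(aps, assigned, max_horizontal_m=10.0):
    """Pairs of co-channel APs on adjacent floors that are (nearly) stacked,
    i.e. the multi-floor channel overlap the guidelines say to avoid."""
    conflicts = []
    for i in range(len(aps)):
        for j in range(i + 1, len(aps)):
            if assigned[i] != assigned[j] or abs(aps[i][2] - aps[j][2]) != 1:
                continue
            horizontal = math.hypot(aps[i][0] - aps[j][0], aps[i][1] - aps[j][1])
            if horizontal <= max_horizontal_m:
                conflicts.append((i, j))
    return conflicts


# Constructed layout: two floors, three APs per floor in a row 15 m apart,
# each upper-floor AP directly above a lower-floor AP.
TWO_FLOORS = [(0, 0, 0), (15, 0, 0), (30, 0, 0), (0, 0, 1), (15, 0, 1), (30, 0, 1)]

if __name__ == "__main__":
    plan = assign_channels(TWO_FLOORS, CHANNELS_2G_SPARSE)
    for ap, channel in zip(TWO_FLOORS, plan):
        print(f"AP at {ap}: channel {channel}")
    print("min co-channel distance (m):", round(min_cochannel_distance(TWO_FLOORS, plan), 2))
    print("adjacent-floor conflicts:", adjacent_floor_conflicts(TWO_FLOORS, plan))
```

On the constructed layout the lower floor gets 1/6/11 and the upper floor 11/1/6, so no AP shares a channel with the one directly below it; simply repeating 1/6/11 on every floor would stack three co-channel pairs. The greedy order matters, so for a real building feed APs floor by floor and review the minimum co-channel distance the planner reports before committing the plan.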
AP Power Supply and Cabling Design
Power supply modes:
- Power supply by PoE devices (recommended)
A PoE switch is used for data transmission and power supply of APs, and is the main power supply mode for the APs.
- Local power supply
An independent power supply is used to supply power to APs. In most cases, a local AC power supply can be used to supply power to APs if an uplink switch does not support PoE power supply.
- Power supply by PoE adapters
Outdoor APs that use optical fibers for data transmission still require PoE power, so PoE adapters are used to supply power to them. In outdoor scenarios, PoE adapters must be installed in an equipment container or cabinet to meet the operating temperature, waterproof, and surge protection requirements.
Figure 2-113 AP power supply modes
Cabling design guidelines:
- During AP deployment, reserve around 5 m network cable for adjusting AP installation positions due to interference or poor signal coverage in the future.
- Keep network cables far away from strong electromagnetic interference.
- Confirm with customers about the cabling design in advance to prevent customers from disallowing construction for the property or appearance reason.