WLAN Design
Network Architecture Design
On a large or midsize campus network, the WLAN typically adopts the "WAC + Fit AP" architecture. Under this architecture, APs work in Fit mode and are centrally managed by the WAC. As shown in Figure 2-34, in the centralized gateway solution, you are advised to use the border node that comes with the native WAC functionality. Given campus network reconstruction scenarios where an existing standalone WAC needs to be used, you are advised to connect the WAC to a border node in off-path mode.
Control packets between the WAC and APs are forwarded through a CAPWAP tunnel. APs forward service packets of wireless users to the wired side in tunnel forwarding (centralized forwarding) or direct forwarding (local forwarding) mode.
Tunnel Forwarding
In tunnel forwarding mode, an AP encapsulates the service packets of wireless users over a CAPWAP tunnel and sends them to the WAC. The WAC then forwards these packets to other networks. Figure 2-35 shows the traffic forwarding model in the centralized gateway solution where service packets of wireless users are forwarded through a CAPWAP tunnel.
In tunnel forwarding mode, switches on the links between the WAC and APs do not need to allow service VLANs, and interfaces on the switches do not need to be added to such VLANs. This facilitates centralized control and management. However, the disadvantage is that the service traffic of all wireless users is centrally forwarded by the WAC, which imposes a heavy workload on the WAC.
Direct Forwarding
In direct forwarding mode, an AP directly forwards users' service packets to other networks without encapsulating them over a CAPWAP tunnel. Figure 2-36 demonstrates the wireless user service traffic model in direct forwarding mode in the centralized gateway solution.
In direct forwarding mode, the east-west service traffic of local wireless users can be directly forwarded by the local access switch without passing through the WAC. However, switches on the links between the WAC and APs need to allow service VLANs, and interfaces on the switches need to be added to such VLANs, making it difficult to perform centralized control and management.
Table 2-17 compares the tunnel forwarding mode with the direct forwarding mode. In the virtualization solution for a large or midsize campus network, the tunnel forwarding mode that can provide centralized traffic management and control is recommended, irrespective of which gateway solution is selected. The subsequent WLAN planning following this section is also designed based on the tunnel forwarding mode.
| Forwarding Mode | Application Scenario | Advantage | Disadvantage |
|---|---|---|---|
| Tunnel forwarding | Wireless user service traffic is processed and forwarded by the WAC in a centralized manner. | The WAC forwards service traffic in a centralized manner, ensuring high security and facilitating centralized traffic management and control. | Service traffic must be forwarded by the WAC, reducing packet forwarding efficiency and burdening the WAC. |
| Direct forwarding | Service traffic of wireless users is directly forwarded without passing through the WAC, saving AP-WAC link bandwidth. | Service traffic does not need to be forwarded by the WAC, which improves packet forwarding efficiency and reduces the burden on the WAC. | Service traffic cannot be managed and controlled in a centralized manner. |
AP Join Process Design
In the "WAC + Fit AP" architecture, APs join the WAC as follows. First, configure the WAC as the DHCP server so that each AP can automatically obtain a management IP address through DHCP and establish a management channel with the WAC. Then associate the APs with the WAC and configure the CAPWAP source interface. When an AP attempts to access the network, the WAC verifies the MAC address or ESN of the AP. If the AP is authorized, the WAC establishes a CAPWAP tunnel with it, and the AP joins the WAC.
Management IP Address Planning for APs
In the "WAC + Fit AP" architecture, to improve deployment efficiency, APs usually use the DHCP mode for obtaining an IP address. After a DHCP server is configured, APs act as DHCP clients to request a management IP address from the DHCP server. In the centralized gateway solution, the border node functions as the DHCP server of the wired and wireless management subnets to automatically assign management IP addresses to access and aggregation switches as well as APs. The first-time AP join process and management VLAN switching are planned together with switches. For details, see Deployment Design.
Planning for AP Association with the WAC
APs are associated with the WAC so that only authorized APs can go online: if the information about an AP that connects to the network does not match the information recorded on the WAC it is associated with, the AP is not allowed to come online. In the centralized gateway scenario of the virtualization solution for large- and medium-sized campus networks, you need to associate APs with the WAC on iMaster NCE-Campus.
- First, enter the ESNs of APs when adding devices to a campus site. There are a large number of APs on a large or midsize campus network. Therefore, you are advised to use the network plan import function to add the ESNs of APs to a site when importing physical link data using a template.
- After the ESNs of APs are recorded, you can view the APs that can be associated with the WAC on the Manage Fit AP tab of the Network Configuration page on iMaster NCE-Campus. In the WAC list, select the row where the core switch resides, and click Add in the lower right corner to add APs for management by the core switch.
CAPWAP Source Interface Planning
In the virtualization solution for a large or midsize campus network that uses the "WAC + Fit AP" architecture, APs' wireless services are centrally configured through the web system or CLI of the WAC, including the configuration of the CAPWAP source interface used to establish a CAPWAP tunnel between the WAC and AP.
AP Group Design
An AP group is used to configure and manage APs in batches so that the APs inherit the configurations of the group to which they belong.
You can create an AP group based on the following items:
- Physical location (For example, APs on the same floor can be added to the same AP group. This mode is preferred.)
- Device model
- IP or MAC address
- Serial number (SN)
SSID and Service VLAN Design
SSID Planning
In most cases, service set identifiers (SSIDs) are planned based on user roles or service types. For example, three SSIDs can be planned for three types of wireless services in a large-scale business scenario, as shown in Figure 2-37. Employee is used for wireless office access of employees. Guest is used for Internet access of guests. Dumb is used for wireless access of dumb terminals such as printers. For an SSID that is not intended for end users, for example, the SSID used for access of printers, you can configure SSID hiding to prevent the SSID from being detected by end users.
Wireless Service VLAN Planning
When an AP receives service data from wireless users and forwards the data to the wired side, a wireless service VLAN needs to be planned to distinguish different wireless service types or user groups on the wired side. On the wireless side, SSIDs also differentiate wireless service types or user groups. Therefore, mappings between VLANs and SSIDs must be considered during WLAN planning. Two mapping relationships are applicable to different scenarios: 1:1 and 1:N, as described in Table 2-18.
| SSID:VLAN Mapping | Usage Scenario |
|---|---|
| SSID:VLAN = 1:1 | An enterprise needs to provide WLAN coverage for hotspots A and B. To allow users to detect only one SSID and use the same data forwarding control policy, plan only one SSID and one VLAN, that is, SSID:VLAN = 1:1. |
| SSID:VLAN = 1:N | An enterprise needs to provide WLAN coverage for hotspots A and B. To allow users to detect only one SSID but use different data forwarding control policies for the two hotspots, plan one SSID and two VLANs to differentiate the hotspots, that is, SSID:VLAN = 1:2. |
On a large or midsize campus network, a large number of STAs exist and require area-specific policies. Typically, the SSID:VLAN = 1:N mapping policy is used.
The range of a radio broadcast domain is determined by an SSID. Therefore, in the SSID:VLAN = 1:N case, you are advised to enable broadcast-to-unicast conversion to avoid the generation of a large radio broadcast domain.
User Subnet Route Design
Routes for wireless user subnets refer to the routes for communication between wireless user subnets and network service resources (such as DHCP servers), external networks, and wired user subnets in VNs. This section uses the native WAC as an example to describe two roadmaps for planning routes for wireless user subnets in the centralized gateway solution. The planning roadmaps are similar in the scenario where a standalone WAC is connected to a border node in off-path mode. The difference is that you need to configure routes on the standalone WAC to divert wireless service traffic to the border node.
Wireless user subnets do not connect to VNs and use static routes for communication
In this mode, you need to run commands on the core switch (native WAC) to manually configure the required static routes for wireless user subnets. In addition, you need to query the VPN instances on iMaster NCE-Campus that are delivered when configuring the network service resources of a fabric as well as creating VNs, as shown in Figure 2-38.
Wireless user subnets connect to VNs, and unified wired and wireless access management is implemented
In this mode, you need to create a wireless service subnet on the core switch that functions as the WAC through iMaster NCE-Campus, log in to the CLI of the core switch, and bind the VLANIF interface of the wireless service subnet to a VN instance (Alternatively, you can associate the given service VLAN to a BD and then bind the BD to a VN instance). If the service packets of wireless users are forwarded to the WAC through the CAPWAP tunnel, the WAC decapsulates the CAPWAP packets and then forwards the decapsulated packets based on the configured subnet, as shown in Figure 2-39.
WLAN Admission Design
NAC Authentication Control Point Design
The Network Access Control (NAC) solution applies to both wired and wireless users. In this solution, common authentication technologies include 802.1X, MAC address, and Portal authentication. Generally, access control is performed for wired users based on the access interfaces of switches, and for wireless users based on SSIDs. The roadmap for selecting authentication modes for wireless users is the same as that for wired users: you need to take different user roles or terminal types into account. For details, see "User Authentication Mode Design" in Access Control Design.
On a WLAN using the "WAC + Fit AP" architecture, the WAC serves as the wireless authentication control point. In the centralized gateway solution, the deployment process of the wireless authentication control point varies according to the WAC type.
- Standalone WAC (connected to a border node in off-path mode)
In the centralized gateway solution, if a standalone WAC is connected to a border node in off-path mode, you need to log in to the WAC's web system to centrally perform settings on the wireless authentication control point, as demonstrated in Figure 2-40. The following describes the configuration process:
- Configure authentication, authorization, and accounting (AAA) profile resources on the WAC, including the RADIUS server template, Portal server template, and access authentication profiles.
- Associate the configured access authentication profiles with the corresponding SSIDs on APs.
- Native WAC (integrated with a border node)
If the border node serves as the native WAC in the centralized gateway solution, you can log in to the WAC's web system to configure authentication templates. Alternatively, you can configure these templates on iMaster NCE-Campus and deliver them to the native WAC on the Site Configuration tab page, as shown in Figure 2-41. The following describes the configuration process:
- Create template resources and deliver them to the WAC on the Site Configuration tab page of iMaster NCE-Campus.
- Associate the configured access authentication profiles with the corresponding SSIDs on APs. You can only log in to the web system of the WAC to configure wireless services on APs.
Figure 2-41 Configuration on the wireless authentication control point (native WAC integrated with a border node)
In the centralized gateway solution, access authentication is configured on the Site Configuration tab page. If the native WAC is used, you can deliver authentication templates to the WAC during the configuration. If the built-in authentication server of iMaster NCE-Campus is used for wireless access authentication, access authentication must be configured to enable iMaster NCE-Campus to record the mapping between authentication control points, SSIDs, and authentication templates.
Security Policy Design
In addition to the traditional NAC solution, four WLAN security policies are available: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, and WLAN Authentication and Privacy Infrastructure (WAPI). Each security policy has a series of security mechanisms, including link authentication used to establish a wireless link, user authentication used when users attempt to connect to a wireless network, and data encryption used during data transmission. Table 2-19 compares these WLAN security policies.
| Security Policy | Characteristics |
|---|---|
| WEP | The original 802.11 security mechanism, WEP, is vulnerable to security threats due to the limitations of its encryption algorithm. Therefore, WEP is not recommended. |
| WPA/WPA2 | WPA and WPA2 provide almost the same security. WPA/WPA2 has two editions: enterprise edition and personal edition. |
| WAPI | WAPI is a WLAN security standard proposed in China and provides higher security than WEP and WPA. |
NAC is typically considered in conjunction with security policies to form combined network access control solutions suited to diverse scenarios. Table 2-20 lists WLAN security policies, recommended NAC authentication modes, and application scenarios.
| Security Policy | Recommended NAC Authentication Mode | Application Scenario |
|---|---|---|
| Open (no security policy configured) | Portal/MAC address authentication | |
| WEP | - | |
| WPA/WPA2-PSK authentication | - | |
| WPA/WPA2-802.1X authentication | 802.1X authentication (only this authentication mode can be selected) | |
| WAPI-PSK authentication | - | This security policy provides higher security than WEP and requires no third-party server. Only some STAs support the protocol. |
| WAPI-certificate authentication | - | This security policy provides high security and requires a third-party server. Only some STAs support the protocol. |
Roaming Design
WLAN roaming addresses the following issues:
- Retains users' IP addresses. After roaming, users can still access the initially associated network and continue their services.
- Avoids packet loss or service interruption caused by lengthy re-authentication.
WLAN roaming is classified into the following types based on the STA roaming scope:
- Intra-WAC roaming
- Inter-WAC roaming at Layer 2 or Layer 3
In actual deployment, intra-WAC roaming is recommended; inter-WAC roaming can be avoided through proper AP group management. For latency-sensitive services, such as automated guided vehicles (AGVs) in warehouses and factories, it is recommended that a separate SSID or VLAN be planned to implement Layer 2 roaming within the WAC.
In the native WAC scenario, if the number of STAs is greater than or equal to 40,000, a maximum of four native WACs can be deployed in each mobility group; if the number of STAs is less than 40,000, a maximum of 16 native WACs can be deployed in each mobility group.
In addition to the preceding basic roaming functions, Huawei WLAN supports the fast roaming function, including pairwise master key (PMK) fast roaming and 802.11r fast roaming. This function further reduces the handoff delay between APs. Table 2-21 shows the handover delay of STAs in different roaming modes.
802.11r fast roaming supports an enhanced roaming mechanism based on device-pipe synergy when working with Huawei terminals. This mechanism helps further reduce the roaming handover delay and packet loss rate. Therefore, you are advised to enable the mechanism when enabling 802.11r fast roaming.
| Roaming Mode | Handover Delay (ms) | Suggestion | Description |
|---|---|---|---|
| Open or 802.11r roaming | < 50 ms | If the Protected Management Frame (PMF) function is not required, it is recommended that the 802.11r fast roaming function be enabled. | |
| WPA-PSK/WPA2-PSK/802.1X fast roaming (PMK) | < 100 ms | This function takes effect automatically. | PMK fast roaming requires that STAs also support this function. Currently, almost all STAs support PMK fast roaming. |
| 802.1X non-fast roaming | < 250 ms | This is a basic function of the system which takes effect automatically. | N/A |
RRM Design
On a WLAN, especially on the 2.4 GHz frequency band, out-of-band interference and in-band co-channel/adjacent-channel interference exist. STAs of different brands, types, and models behave differently. For optimal access services, radio resources and user access need to be managed in a coordinated manner. The specific radio resource management (RRM) capabilities include:
- Radio calibration
The radio calibration function can dynamically adjust the channels and power of APs managed by the same WAC to ensure that the APs deliver optimal performance. It is recommended that scheduled radio calibration be configured so that APs perform radio calibration in off-peak hours, for example, between 00:00 and 06:00.
- Band steering
Most STAs support both the 2.4 GHz and 5 GHz frequency bands. By default, most STAs select the 2.4 GHz band, which has fewer channels available, is usually crowded and heavily loaded, and suffers high interference, while the 5 GHz band, with more channels and lower interference, remains underutilized. The band steering function enables an AP to steer STAs to the 5 GHz radio first, which reduces traffic load and interference on the 2.4 GHz radio and improves user experience. It is recommended that this function be enabled by default.
- Smart roaming
Some outdated and dumb terminals have low roaming aggressiveness. As a result, they stick to the initially connected APs regardless of the long distance from the APs, weak signals, or low rates. The STAs do not roam to neighboring APs with better signals. Such STAs are generally called sticky STAs. The negative impact of sticky STAs is described as follows:
  - The service experience of a sticky STA is poor, and the STA is always associated with the poor-signal AP. As a result, the channel rate decreases significantly.
  - The overall performance of wireless channels is affected. A sticky STA may encounter frequent packet loss or retransmission caused by poor signal quality and low rates, and therefore occupies the channel for a long time. As a result, other STAs cannot obtain sufficient channel resources.
Smart roaming enables STAs to roam to neighboring APs with better signals in a timely manner, improving user experience.
  - Performance improvement: Smart roaming can direct poor-signal STAs to APs with better signals, improving user service experience and overall channel performance.
  - Load balancing: Smart roaming ensures that each STA is associated with the nearest AP, achieving inter-AP load balancing. It is recommended that this capability be enabled.
- STA steering
After a STA connects to an AP, the target AP selection algorithm is used to comprehensively measure the dual-band capability of the STA, AP load, and AP signal quality to steer the STA to the optimal AP. It is recommended that this capability be enabled.
Suggestions on Network Planning Practices
Network planning is an important part of WLAN project implementation. The network planning design consists of the following parts:
- Network coverage design: Determine the requirements and principles for signal coverage.
- Network capacity design: Determine the bandwidth requirements of a single user based on the service model and STA behavior, and then determine the number of APs based on the AP capability.
- AP deployment design: Determine AP installation positions based on the deployment principles.
- AP channel planning: Properly plan channels for APs in neighboring areas to reduce co-channel and adjacent-channel interference.
- AP power supply and cabling design
WLAN Coverage Design
Table 2-22 lists the field strength requirements for coverage areas to ensure good coverage.
| Coverage | Field Strength | Typical Scenario |
|---|---|---|
| Major coverage area | -40 dBm to -65 dBm | Dorm room, library, classroom, hotel room, lobby, office, and hall |
| Common coverage area | > -75 dBm | Corridor, kitchen, storeroom, and dressing room |
| Special coverage area | N/A | Areas that have limitations on or do not allow coverage or installation because of service security or property management |
The coverage suggestions in different scenarios are as follows:
- Indoor scenarios: Plan the coverage radius of 15-20 m for each AP.
- Outdoor scenarios: Plan the coverage radius of 50-80 m for each AP.
- Indoor high-density scenarios: Use small-angle directional antennas. During network planning, select AP positions and spacing based on the antenna angle.
Network Capacity Design
On a WLAN, the bandwidth capacity is calculated based on the following formula:
Total network bandwidth = Average bandwidth required by a single user × Number of users
The bandwidth required by a single STA depends on the actual network application of STAs. Table 2-23 lists the typical bandwidth requirements of common network applications.
| Application Type | Typical Bandwidth Requirement | Description |
|---|---|---|
| Web page browsing | 4 Mbit/s | Consider images and videos on web pages. |
| Video (1080p) | 5 Mbit/s | Typical value. Bandwidth varies depending on video compression rates and frame rates. |
| Audio | 64 kbit/s | None |
| | 8 Mbit/s | Consider transfer of large files such as attachments. |
| File transfer | 10 Mbit/s | None |
| Desktop sharing | 2.5 Mbit/s | None |
| Mobile gaming | 100 kbit/s | None |
| Screen projection | 9 Mbit/s | None |
| Instant messaging | 5 Mbit/s | Consider the upload of large files such as photos. |
Table 2-24 lists the AP specifications.
| Per-User Bandwidth (Mbit/s) | Recommended Number of Concurrent STAs in Single-Band Mode (One/Two Spatial Streams) | Recommended Number of Concurrent STAs in Dual-Band Mode (One/Two Spatial Streams) |
|---|---|---|
| 8 | 5/10 | 9/18 |
| 6 | 6/11 | 11/20 |
| 4 | 8/12 | 15/22 |
| 2 | 12/22 | 22/40 |
| 1 | 20/30 | 35/55 |
Based on the preceding information (bandwidth requirements of a single STA, number of STAs, and specifications of selected APs), you can calculate the number of APs required in a project.
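A worked capacity calculation, added here as an example and not taken from the design guide. It encodes Table 2-23 and Table 2-24 as given above and carries the page's formula through to the number of APs; the service mix, user count and concurrency factor are constructed assumptions.

```python
import math

# Table 2-23 on the page: typical bandwidth per application, in Mbit/s.
APP_BANDWIDTH_MBPS = {
    "web": 4.0,
    "video_1080p": 5.0,
    "audio": 0.064,
    "file_transfer": 10.0,
    "desktop_sharing": 2.5,
    "mobile_gaming": 0.1,
    "screen_projection": 9.0,
    "instant_messaging": 5.0,
}

# Table 2-24 on the page, one tuple per row:
# (per-user Mbit/s, single-band 1SS, single-band 2SS, dual-band 1SS, dual-band 2SS)
AP_SPEC = [
    (8, 5, 10, 9, 18),
    (6, 6, 11, 11, 20),
    (4, 8, 12, 15, 22),
    (2, 12, 22, 22, 40),
    (1, 20, 30, 35, 55),
]


def per_user_bandwidth(service_mix):
    """Average bandwidth of one user in Mbit/s.

    service_mix maps an application type to the share of users running it;
    the shares must sum to 1. This is the 'average bandwidth required by a
    single user' term of the page's formula.
    """
    if abs(sum(service_mix.values()) - 1.0) > 1e-9:
        raise ValueError("service mix shares must sum to 1")
    return sum(APP_BANDWIDTH_MBPS[app] * share for app, share in service_mix.items())


def total_bandwidth(service_mix, num_users):
    """Total network bandwidth = average per-user bandwidth x number of users."""
    return per_user_bandwidth(service_mix) * num_users


def concurrent_stas_per_ap(required_mbps, dual_band=True, spatial_streams=2):
    """Recommended concurrent STAs per AP from Table 2-24.

    Picks the row with the smallest per-user bandwidth that still meets the
    requirement, then reads the column for the radio mode and stream count.
    """
    if spatial_streams not in (1, 2):
        raise ValueError("Table 2-24 covers one or two spatial streams only")
    column = (3 if dual_band else 1) + (spatial_streams - 1)
    candidates = [row for row in AP_SPEC if row[0] >= required_mbps]
    if not candidates:
        raise ValueError("per-user bandwidth above the 8 Mbit/s table maximum")
    return min(candidates, key=lambda row: row[0])[column]


def aps_required(service_mix, num_users, dual_band=True, spatial_streams=2,
                 concurrency=1.0):
    """Number of APs needed for the given service mix and user count.

    concurrency is the fraction of users online at the same time (an
    assumption; the page sizes by concurrent STAs).
    """
    per_ap = concurrent_stas_per_ap(per_user_bandwidth(service_mix),
                                    dual_band, spatial_streams)
    concurrent_users = math.ceil(num_users * concurrency)
    return math.ceil(concurrent_users / per_ap)


# Constructed sample input: an office floor with 500 users, half browsing the
# web, 30% watching 1080p video and 20% on instant messaging.
SAMPLE_MIX = {"web": 0.5, "video_1080p": 0.3, "instant_messaging": 0.2}
SAMPLE_USERS = 500

if __name__ == "__main__":
    print("per-user Mbit/s:", per_user_bandwidth(SAMPLE_MIX))
    print("total Mbit/s:", total_bandwidth(SAMPLE_MIX, SAMPLE_USERS))
    print("APs (dual-band, 2SS):", aps_required(SAMPLE_MIX, SAMPLE_USERS))
```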
Deployment Design
Deployment design on a WLAN covers both APs and access switches.
AP Deployment Guidelines
Comply with the following guidelines when selecting AP deployment positions:
- When installing an AP, try to reduce the number of obstacles that signals traverse.
- Ensure that signals pass through the least possible number of obstacles such as walls and ceilings.
- Try to make the signals vertically pass through obstacles such as walls and ceilings.
- When an AP is close to a column and radio signals are blocked, a large radio shadow is formed behind the column. When deploying the AP, consider the impact of the column on signal coverage to avoid coverage holes or weak coverage.
- Metal objects have a strong reflection effect on wireless signals. Do not place APs or antennas behind metal ceilings.
- Ensure that the front side of an AP faces the target coverage area.
- If only one AP is required in a lobby, deploy the AP in the central position. If two APs are required, they can be placed diagonally.
- The AP deployment direction is adjustable. Ensure that the front side of an AP faces the target coverage area for good coverage.
- Add APs to the areas that require special attention to ensure signal coverage.
- Deploy APs far from interference sources. Place APs far away from electronic devices. Do not deploy microwave ovens, wireless cameras, Wi-Fi phones, or other electronic equipment in the coverage area.
- For areas with roaming requirements, keep a 10% to 15% overlapping between the coverage areas of neighboring APs to ensure smooth STA roaming between APs.
- In common indoor scenarios without high aesthetic requirements, APs can be installed directly. In high-end office areas, APs can be installed inside the non-metal ceiling or have an enclosure installed.
The typical AP deployment solutions in different scenarios are described as follows.
Common office area scenario:
- The AP spacing is 10–18 m.
- When more than three APs are required, deploy them in triangle mode.
School dormitory or hospital ward scenario (small room area and high density):
- The agile distributed Wi-Fi solution is recommended, in which an RU or settled AP is deployed in each room.
Figure 2-45 Outdoor scenario
- In an open area (with a wide view and few obstacles), deploy APs with omnidirectional antennas for coverage, with a spacing of 50–60 m.
- In areas with obstacles or long narrow areas, deploy APs with large-angle directional antennas for coverage, with a spacing of 30–40 m.
- In the road area, as shown in the left figure above, deploy APs with directional antennas for coverage, with a spacing of 120–150 m.
Access Switch Deployment Guidelines
- It is recommended that the cabling distance between an access switch and the APs it serves be within 80 m.
- Deploy access switches away from strong electromagnetic interference, and take moisture-proof and dust-proof measures.
- Determine the total number of APs based on the number of switch ports, PoE power supply capability of the power module, and AP power consumption.
AP Channel Design
Available channels vary according to local countries and regions. Before network planning, determine locally available channels. For channels in different countries, see WLAN Country Codes and Channels Compliance.
The purpose of channel design is to maximize the distance between APs on the same channel and reduce inter-AP interference. The specific design guidelines are as follows:
- 2.4 GHz channel: In countries that support channels 1–13, channels 1, 6, and 11 are recommended when a small number of APs are deployed. If many APs are required in an area, channels 1, 5, 9, and 13 are recommended.
- 5 GHz channel: When an AP uses a single 5 GHz radio, it is recommended that high and low frequency channels of neighboring APs be staggered. When an AP uses dual 5 GHz radios, it is recommended that two 5 GHz radios be planned at low and high frequencies respectively.
- In the case of multiple floors, avoid overlapping with the channels of APs on adjacent floors. If channel overlapping cannot be avoided, reduce AP power to minimize the overlapping areas.
Figure 2-46 Typical channel design diagram
The following figure shows an example of 2.4 GHz channel planning for multi-floor coverage.
Figure 2-47 Example of 2.4 GHz channel planning for multi-floor coverage
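A greedy 2.4 GHz channel planner, added as an example and not part of the design guide. It applies the channel-design rule above (maximize the distance between co-channel APs, including APs on adjacent floors) to the 1/6/11 channel set, and reports the cross-floor co-channel pairs that would need reduced AP power. The AP grid, the 15 m spacing taken from the 10–18 m office range, the floor height and the conflict threshold are constructed assumptions.

```python
import math

# Channel sets recommended on the page for countries supporting channels 1-13.
CHANNELS_FEW_APS = (1, 6, 11)
CHANNELS_MANY_APS = (1, 5, 9, 13)

FLOOR_HEIGHT_M = 4.0  # assumed floor-to-floor height used for cross-floor distance


def distance(a, b):
    """3-D distance in metres between APs given as (x, y, floor)."""
    dz = (a[2] - b[2]) * FLOOR_HEIGHT_M
    return math.sqrt((a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2 + dz ** 2)


def plan_channels(aps, channels):
    """Greedy channel assignment.

    aps maps an AP name to (x, y, floor). APs are handled in insertion order;
    each takes the channel whose nearest already-assigned co-channel AP is
    farthest away, so co-channel APs are pushed apart across floors as well
    as within a floor. Ties go to the lower channel.
    """
    plan = {}
    for name, pos in aps.items():
        best_channel, best_gap = None, -1.0
        for channel in channels:
            same = [distance(pos, aps[other]) for other, c in plan.items() if c == channel]
            gap = min(same) if same else math.inf
            if gap > best_gap:
                best_channel, best_gap = channel, gap
        plan[name] = best_channel
    return plan


def min_cochannel_distance(aps, plan):
    """Smallest distance between any two APs sharing a channel."""
    names = list(aps)
    closest = math.inf
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if plan[a] == plan[b]:
                closest = min(closest, distance(aps[a], aps[b]))
    return closest


def adjacent_floor_conflicts(aps, plan, max_distance_m):
    """Co-channel AP pairs on adjacent floors closer than max_distance_m.

    These are the overlaps the page says to avoid, or to mitigate by reducing
    AP power when they cannot be avoided.
    """
    names = list(aps)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if (plan[a] == plan[b] and abs(aps[a][2] - aps[b][2]) == 1
                    and distance(aps[a], aps[b]) < max_distance_m):
                conflicts.append((a, b))
    return conflicts


# Constructed sample: a 2 x 3 grid on floor 1 and a row of 3 APs directly
# above it on floor 2, with 15 m spacing.
SAMPLE_APS = {
    "F1-A": (0, 0, 1), "F1-B": (15, 0, 1), "F1-C": (30, 0, 1),
    "F1-D": (0, 15, 1), "F1-E": (15, 15, 1), "F1-F": (30, 15, 1),
    "F2-A": (0, 0, 2), "F2-B": (15, 0, 2), "F2-C": (30, 0, 2),
}

if __name__ == "__main__":
    plan = plan_channels(SAMPLE_APS, CHANNELS_FEW_APS)
    for name, channel in plan.items():
        print(name, "-> channel", channel)
    print("min co-channel distance: %.1f m" % min_cochannel_distance(SAMPLE_APS, plan))
    print("adjacent-floor conflicts:", adjacent_floor_conflicts(SAMPLE_APS, plan, 10.0))
```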
AP Power Supply and Cabling Design
Power supply modes:
- Power supply by PoE devices (recommended)
A PoE switch is used for data transmission and power supply of APs, and is the main power supply mode for the APs.
- Local power supply
An independent power supply is used to supply power to APs. In most cases, a local AC power supply can be used to supply power to APs if an uplink switch does not support PoE power supply.
- Power supply by PoE adapters
Outdoor APs use optical fibers for data transmission and support only PoE power supply. In this case, PoE adapters are used to supply power to APs. In outdoor scenarios, PoE adapters must be installed in an equipment container or cabinet to meet the operating temperature, waterproof, and surge protection requirements.
Figure 2-48 AP power supply modes
Cabling design guidelines:
- During AP deployment, reserve around 5 m network cable for adjusting AP installation positions due to interference or poor signal coverage in the future.
- Keep network cables far away from strong electromagnetic interference.
- Confirm the cabling design with customers in advance so that construction is not disallowed later for property management or appearance reasons.