White Paper
Intel Information Technology
WLAN Design

Architecture and Design of a Primary Wireless Network
Intel IT created a new wireless LAN (WLAN) architecture and network design
that enables us to use wireless as a primary access method for data, voice, and
video services at a 5,000-user campus. Our goal was to overcome the inherent
challenges presented by wireless and deliver high performance, Quality of Service
(QoS), reliability, security, and manageability.

Danny Nissan and Omer Ben-Shalom, Intel Corporation

September 2006

IT@Intel
White Paper Architecture and Design of a Primary Wireless Network

Executive Summary
Intel IT developed a new wireless LAN (WLAN) network architecture and design
that is enabling us to converge data, voice, and video onto a unified network
infrastructure and use wireless as the primary access method. We have begun
a groundbreaking initiative to implement this approach at a major Intel site with
about 5,000 users.

We needed the new architecture and design to overcome inherent WLAN bandwidth
limitations and the many other technical challenges we faced when creating a
primary wireless network on this scale. Our goals included:

• Delivering high throughput while avoiding problems due to radio frequency
  (RF) interference
• Providing seamless roaming and Quality of Service (QoS) to support voice,
  video, and data services on mobile clients
• Making the network highly reliable, secure, and manageable

We adopted a standards-based approach, adding proprietary specifications
where necessary. We are implementing our architecture and design using the
Cisco Unified Wireless Network*.

We are moving ahead to deploy voice, video, and data services over our primary
WLAN to users throughout the campus. This initiative shows that WLANs can
achieve the performance, reliability, QoS, and manageability needed to deliver
converged services within a large enterprise.



Contents
Executive Summary
Background
The Wireless Challenge
  Evolving Standards
Wireless Architecture
  Radio Frequency Spectrum Management
  Capacity Planning
  Process and Network Prioritization
  Handoff and Roaming
  Reliability and Redundancy
  Management
  Security
Primary Wireless Design
Conclusion
Authors
Acronyms



Background
Wireless is becoming the preferred network access method among our mobile
users. Our existing WLANs are popular and widely deployed, but we maintain them
as separate networks alongside the wired LANs and currently consider them a
secondary means of network access. They provide a “best-effort” service level and
users can always revert to the wired LAN when wireless is not available.

We are developing a new architecture that integrates wired and wireless LAN
infrastructure, and establishes high-performance wireless as the primary access
method (diagrammed at a high level in Figure 1). We are beginning to deliver data,
voice and video wirelessly to mobile users on laptops, handsets, and other devices.

We have begun a major initiative to use primary WLANs based on our new
architecture at a large Intel site that consists of five buildings with about
5,000 users. This project presents many technical challenges because it breaks
new ground, both as a large-scale primary wireless network and in the converged
services it delivers.

Figure 1. Overview of our primary wireless architecture. (Diagram: within the
Intel environment, a primary wireless LAN serves 802.11a Wi-Fi phones, soft
phones and headsets, 802.11a/g laptops, and Wi-Fi/cellular smart phones through
wireless access points (WAPs) and WLAN controllers to the data center, the IP
PBX and IP phones, and the Internet; a cellular tower and a home office or hot
spot connect from outside.)



The project is split into three successive phases for implementation:

• Phase One: Providing data services to a single building, supporting laptop
  clients
• Phase Two: Adding video multicast and proliferating the network across the
  entire campus
• Phase Three: Supporting Voice over Internet Protocol (VoIP) for laptops and
  handheld devices

This paper describes the Phase Three architecture and design of our network
because it represents the complete project and therefore includes the aspects
that occur in earlier phases.

The Wireless Challenge


As enterprise computing evolved, a delicate balance was achieved between system
building blocks, applications, and network bandwidth, as shown in Figure 2 on
the next page. As we move from switched Ethernet wired connections to shared
wireless connections, we disrupt this balance and network bandwidth becomes a
potentially limiting factor.

More specifically, the inherent characteristics of wireless present several
related challenges:

• Wireless is a shared medium. Moving from switched Ethernet to shared WLAN
  reduces available bandwidth. Application throughput varies with the
  ever-changing number of clients sharing the medium and is also affected by
  signal quality and network availability.
• Signals can be received outside the building, so they can potentially be
  detected and analyzed, disrupted, or hijacked.
• Spectrum is an expensive, regulated resource. Only a small portion of the RF
  spectrum, with limited bandwidth, is allocated for WLAN use, and it is shared
  with other unlicensed technologies.

To overcome these challenges, we ultimately need to focus on two technology
areas:

• Close coordination and collaboration between mobile clients and
  infrastructure, including WLAN access points and controllers.
• Rewriting applications to be wireless network aware, so that they react to
  the availability and changing performance of the network. This also requires
  OS support.

This paper describes our WLAN architecture and design, which addresses the
first of these areas: coordination and collaboration between clients and
infrastructure. We expect applications that are wireless network aware to
further improve user experiences and productivity gains, but these applications
may not be widely available for some time.



Evolving Standards
WLAN technology is still maturing and this presents additional challenges.
Though IEEE 802.11 WLAN standards cover key technologies, standards are still
lacking in many other areas. Furthermore, many advanced features required to
support WLAN primary access will not be available in the marketplace for two to
three years.

Therefore, when developing our architecture and design, we looked for existing
products that implemented the maximum number of features using IEEE
specifications, and supplemented those standards with proprietary additions
where necessary.

Figure 2. Wireless disturbs the delicate balance of computing. (Diagram: with
traditional enterprise computing on wired LANs, applications, the operating
system, memory, storage, and the network are in a delicate balance; wireless
LANs disturb the balance by limiting network bandwidth.)



Wireless Architecture
When developing our architecture, we needed to overcome several technical
challenges created by the inherent characteristics of RF. WLANs use unlicensed
spectrum that is potentially shared with other devices. They have limited bandwidth,
so latency-sensitive applications such as voice must be prioritized. Each access
point covers a limited area, and so we need many of them, with fast handoff
between them, to support latency-sensitive applications. Locating clients needing
maintenance can be challenging. And because the RF signal cannot be confined
within a building, we need strong security.

Because we are building a campus-wide wireless network that will be users’
primary access method, our approach also addresses managing a large network
with many access points and achieving a high degree of reliability.

Radio Frequency Spectrum Management
WLAN spectrum may be shared with other technologies, such as mobile phones,
Bluetooth* devices, and even microwave ovens, so there is potential for
interference.

Currently, WLANs use either of two bands: the 2.4-GHz band, used by 802.11b and
802.11g WLANs, and the 5.2-GHz band, used by 802.11a. We chose to use the
5.2-GHz band (802.11a) for primary wireless access, while also using the
2.4-GHz band for other purposes, such as access by legacy mobile devices,
guests, and suppliers.

Non-WLAN technologies use the 5.2-GHz band less than the 2.4-GHz band. Also,
the 5.2-GHz band provides at least eight, and potentially up to 22,
non-overlapping channels, compared with three for the 2.4-GHz band. This
provides several advantages:

• Less interference. Interference from non-WLAN technologies and between
  neighboring WLAN cells is less likely, making throughput easier to maximize.
• Auto-configuration. The infrastructure can automatically select the channel
  and power of access points.

We also looked for products that exploited the additional channels to provide
other features:



• Self-healing. The infrastructure responds to access point failure by
  adjusting the channel and power setting of adjacent cells to compensate.
• Avoiding denial of service (DoS) attacks. The infrastructure can detect a
  DoS attack on a specific channel and dynamically change channels to avoid it.

Capacity Planning
With a large WLAN, capacity planning is critical. Even though the 5.2-GHz band
we selected provides more channels than the alternative, the number of
non-overlapping channels is still small, and each channel provides low overall
throughput compared with wired networks. In addition, there is potential
interference between cells that are using the same channels; called co-channel
interference (CCI), this limits the available bandwidth within a closed RF
environment such as a building.

One key aspect of capacity planning is deciding how many clients we want each
access point to support.

This issue is complex. With WLANs, throughput is greatest near the access
point, and decreases as devices get farther away, as shown in Figure 3. But
placing access points close together to provide the maximum throughput also
increases the potential for CCI.

To provide users with high performance, we planned for 20 users per access
point, maintaining a minimum total connection speed of 36 Mbps in each cell.
This provides the following capabilities:

• Estimated average throughput of more than 5 Mbps for each client, with a
  guaranteed minimum of 1.2 Mbps.
• Each access point will be able to support about seven concurrent voice
  calls. In other words, we are aiming to provide enough capacity to enable a
  third of the users supported by each access point to make simultaneous voice
  calls (a worst-case Erlang ratio of 1:3).

Figure 3. WLAN Transmission Control Protocol (TCP) throughput with distance
from an access point. (Plot: throughput in Mbps, 0 to 30, against distance from
the access point in feet, 0 to 250, for 802.11b, 802.11g/b, 802.11g, and
802.11a.) The values at 40-50 feet from the access point:

                      802.11b   802.11g/b   802.11g   802.11a
  Layer 1 speed       11 Mbps   54 Mbps     54 Mbps   54 Mbps
  TCP throughput       6 Mbps   13 Mbps     20 Mbps   24 Mbps



With such a high access point density, CCI becomes an issue even when we have
eight or more non-overlapping channels. CCI reduces the available throughput in
a cell, because the cell may be considered busy due to transmissions in a
neighboring cell using the same frequency.

To further overcome CCI, the infrastructure and client can dynamically set
their transmit power, receive sensitivity, and clear channel assessment (CCA)
threshold. Clients adjust their RF circuits as instructed by the infrastructure
whenever they join the network or roam between access points, or whenever RF
conditions change. This increases the total usable throughput of the RF
environment.

IEEE is working on the 802.11k and 802.11v specifications to address this
area, but completed standards are not due for at least a year. Because of this,
we decided to use Cisco Compatible Extensions* (CCX), and the high-density
features defined in the Business Class Wireless Suite specifications jointly
developed by Intel and Cisco, to control both access point and client RF
circuits.

Process and Network Prioritization
The limited bandwidth also means we must prioritize latency-sensitive
applications over others, ensuring QoS for those applications.

Some applications, such as Voice over Internet Protocol (VoIP), are highly
sensitive to packet loss, delay, and jitter. To avoid poor voice quality, we
have to guarantee these applications the right priority. This means
prioritizing applications such as soft phones when sharing the resources of
laptop clients, and it also means prioritizing the network traffic generated by
these applications.

Applications that are QoS aware can ask the OS to prioritize packets by marking
them, but today there is no standard mechanism to make sure this marking
follows our policy for prioritizing different types of traffic. Furthermore,
many applications are not QoS aware.

To solve this problem, we developed client-based policy agents to make sure
applications requiring network QoS get their packets marked appropriately,
using tagging based on differentiated services code point (DSCP) and 802.1p,
translated to 802.11e and Wi-Fi* Multimedia (WMM). We also selected a soft
phone application that utilizes the Intel and Cisco Business Class Wireless
Suite voice application programming interface (API) feature, which supports
admission control and simple packet marking.

Handoff and Roaming
To function as our primary access method, our WLAN needs to support all
applications currently carried over the wired network. This includes data,
voice, and video. These applications should be supported, as appropriate, by
each of the various clients that we plan to use. Some of these clients are
highly mobile, which means that we need to support fast handoff as users roam
between cells, so users do not experience disruption.
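The client-side policy agent described under Process and Network Prioritization above, worked through as an added example. This is illustrative code written for this page, not Intel's agent and not the Business Class Wireless Suite API. The process names, port ranges, the DSCP and 802.1p values chosen per application, and the budget of seven concurrent calls per access point (the figure from the capacity plan above) are assumptions; the user-priority-to-access-category table is the one defined by 802.11e/WMM.

```python
"""Client-side QoS policy agent: marks flows from a local policy rather than
trusting what the application asks for, and admits voice calls against a
per-cell budget. Added illustration, not Intel's policy agent; process
names, ports, per-application markings and the call budget are assumptions."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# IEEE 802.11e / WMM mapping of 802.1p user priority (UP) to access category.
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}

# Well-known DSCP code points: EF (RFC 3246), AF41 (RFC 2597), class selectors (RFC 2474).
DSCP_EF, DSCP_AF41, DSCP_CS3, DSCP_CS1, DSCP_BE = 46, 34, 24, 8, 0


@dataclass(frozen=True)
class Flow:
    process: str                          # sending process, as seen by the agent
    proto: str                            # "udp" or "tcp"
    dst_port: int
    requested_dscp: Optional[int] = None  # marking the application asked for, if any


# Ordered policy, first match wins: (process, proto, port range, DSCP, UP).
# The UP is explicit because the generic DSCP>>3 translation would put EF (46)
# at UP 5 = AC_VI; voice must land in AC_VO (UP 6) to reach the voice queue.
POLICY = [
    ("softphone.exe",   "udp", range(16384, 32768), DSCP_EF,   6),  # RTP media
    ("softphone.exe",   "tcp", range(5060, 5062),   DSCP_CS3,  3),  # SIP signalling
    ("videoplayer.exe", "udp", range(1024, 65536),  DSCP_AF41, 4),  # multicast video
    ("backup.exe",      "tcp", range(0, 65536),     DSCP_CS1,  1),  # bulk, scavenger class
]


def dscp_to_up(dscp: int) -> int:
    """Generic translation (the DSCP class-selector bits) used when policy gives no UP."""
    return (dscp >> 3) & 0x7


def classify(flow: Flow) -> Tuple[int, int, str]:
    """Return (DSCP, 802.1p UP, WMM access category) for a flow.
    flow.requested_dscp is deliberately not consulted: an unknown process that
    marks its own traffic EF still gets best effort."""
    for process, proto, ports, dscp, up in POLICY:
        if flow.process == process and flow.proto == proto and flow.dst_port in ports:
            return dscp, up, UP_TO_AC[up]
    return DSCP_BE, dscp_to_up(DSCP_BE), UP_TO_AC[dscp_to_up(DSCP_BE)]


def overridden(flow: Flow) -> bool:
    """True when the application asked for a marking the policy did not grant: worth logging."""
    return flow.requested_dscp is not None and flow.requested_dscp != classify(flow)[0]


class VoiceAdmission:
    """Per-cell call admission: the capacity plan allows about seven concurrent
    calls per access point, so the eighth call is refused instead of degrading all of them."""

    def __init__(self, max_calls: int = 7):
        self.max_calls = max_calls
        self.active: Set[str] = set()

    def admit(self, call_id: str) -> bool:
        if call_id in self.active:
            return True
        if len(self.active) >= self.max_calls:
            return False
        self.active.add(call_id)
        return True

    def release(self, call_id: str) -> None:
        self.active.discard(call_id)


if __name__ == "__main__":
    for f in (Flow("softphone.exe", "udp", 20000),
              Flow("game.exe", "udp", 20000, requested_dscp=DSCP_EF)):
        print(f.process, classify(f), "overridden" if overridden(f) else "")
```

The two points a practitioner should take from it: the marking comes from the agent's own table and the application's request is only audited (overridden), so a process that tags its own packets EF does not get the voice queue; and the admission check refuses the call that would exceed the cell's voice budget rather than letting every call in the cell degrade.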



Roaming requirements vary according to the client:

• Desktops. These stationary clients do not need handoff or roaming support.
• Laptops. In general, laptop users do not roam while using applications, so
  there is little need for roaming support.
• Tablets, personal digital assistants (PDAs), Wi-Fi phones, and other highly
  mobile devices. Users of these clients require application continuity while
  on the move. This imposes a need for fast handoff between access points and
  fast roaming between networks.

Voice applications represent the worst-case handoff requirement, with a target
handoff time of less than 100 ms and a preferred handoff time of about 50 ms.

IEEE is working on 802.11r and other specifications to provide a standard way
to support fast handoff, complementing features of 802.11i, which covers
pre-authentication and Pairwise Master Key (PMK) caching. However, IEEE is not
expected to complete the specification for at least 12 months, so we decided
to use CCX with Cisco Centralized Key Management* (CCKM). When coupled with the
smart access point selection feature of Business Class Wireless Suite, this
provides the required handoff and roaming times.

Reliability and Redundancy
Because our WLAN will provide the primary access method, it must be reliable.
We are using the characteristics of WLANs to create a network architecture with
an overall uptime that is, potentially, even better than wired networks.

With WLANs, each access point supports multiple clients; theoretically, a
single access point failure could create an outage for multiple users. However,
unlike a wired LAN, a WLAN client connection to an access point is virtual. A
client can switch from one access point to another dynamically, so long as the
second access point supports the same service with adequate signal strength.

We can use this capability to create a redundant design with overall uptime
that is higher than a wired network. Consider a floor or building with multiple
access points divided into two interspersed grids, which we call ‘salt’ and
‘pepper’ grids. Each grid is connected to a different LAN access switch. If one
entire grid fails, due, for example, to failure of its access switch, the other
grid will still be able to provide complete RF coverage. As a result, clients
will be able to seamlessly reconnect to the second grid, although potentially
with reduced throughput.

Creating a salt-and-pepper arrangement requires careful configuration of the
connection speeds supported by access points. For example, if the required
bandwidth per access point in normal

use is 36 Mbps, we should configure the access point to support a minimum of
24 Mbps; this will be the bandwidth available to clients if either grid fails.

Management
Providing primary WLAN coverage for an entire campus involves a very large
number of access points, at least an order of magnitude greater than the LAN
switches needed for a wired network of similar scale. Managing all these access
points is a challenge.

WLANs also present unique challenges when it comes to tracking users, and in
controlling network access when clients are found to be malicious, if they
become infected with malware, for example.

There are also challenges in delivering a consistent level of service. Unlike
LANs, which offer comparable service levels at any point on the access layer,
the WLAN environment service level changes from location to location. Moving
even a few feet can change the service level considerably, due to a transition
to a different access point or the differing physical characteristics of the RF
environment.

To be able to install, upgrade, and manage this environment, and provide the
required service levels, we need a completely different set of management tools
and practices. Our preferred approach is lightweight access point architecture.
In this architecture, access points do not handle management directly. Instead,
we offload access point management to dedicated wireless controllers that each
coordinate and manage multiple access points, helping to ensure consistent
service levels across the network. To do this, we also need services that
enable us to centrally manage a large number of controllers, and we need to
implement a management hierarchy that matches the support structure of the
company.

Security
WLANs have unique security requirements because the RF signal cannot be
confined inside a building, making it easier to detect. This means that we need
to pay special attention to strong authentication and encryption. It is also
easier to attack a wireless network, so we need ways to automatically detect
and avoid sources of interference, including malicious DoS attempts. We have
addressed security by implementing a standards-based approach.

Authentication
Our architecture uses the Wi-Fi Protected Access (WPA) 1 and WPA2
specifications, incorporating the 802.1X authentication framework with Remote
Authentication Dial-In User Service (RADIUS) authentication servers. One critical
decision when implementing this framework is which Extensible Authentication
Protocol (EAP) authentication method (EAP type) to select. We performed a risk
assessment and selected the option suited to each installation. Another
important factor is the credential type used during the EAP authentication.
Using the machine credential type provides a LAN-like connection, with no need
for user intervention, while choosing the user credential type requires user
intervention.

The 802.1X process involves mutual authentication between the access point and
RADIUS server, and between the client and RADIUS server; when done, a Pairwise
Master Key (PMK) is installed at the client and access point. The PMK itself is
not used to encrypt data; it is the root from which the per-session encryption
keys are derived.

Encryption
We are using the 802.11i encryption process. The 802.11i “four-way handshake”
derives from the PMK a per-session pairwise key for encrypting unicast messages
(the Transient Master Key, TMK, in this paper’s terms; 802.11i calls it the
Pairwise Transient Key, PTK) and delivers a group key for encrypting multicast
and broadcast messages (the Group Master Key, GMK, in this paper’s terms; the
key 802.11i delivers to clients is the Group Temporal Key, GTK). Because each
side can only produce a valid handshake message if it holds the PMK, this
process also provides the mutual authentication of client and associated access
point.

Denial of Service Detection and Mitigation
Detection and mitigation of DoS attacks are critical considerations when
implementing primary WLANs. DoS threats can be classified into physical layer
and media access control (MAC) layer threats. Physical layer threats include
intentional or unintentional RF interference from various non-Wi-Fi sources.
MAC layer threats include forged management frames that attack clients, access
points, or both.

During the risk assessment process, we consider all threats and rate them based
on the likelihood that they will occur as well as their potential impact, for
instance, whether they will affect a single client or an RF channel. Our
architecture allows for functionality to detect, alert, identify, locate, and
mitigate all threats that are not low-rated. From an architecture perspective,
DoS can be handled by an additional infrastructure overlay or embedded into the
production WLAN infrastructure. We decided to use our production infrastructure
with dedicated access points to detect DoS threats, as well as a separate
location-based server to locate and track multiple threats in real time.

We mitigate RF interference by using an embedded infrastructure feature that
re-maps all RF channels. We mitigate MAC threats through proprietary client
driver changes, though in the future we expect to use the management frame
protection within Cisco CCX Version 5*.
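The key derivation and exchange described under Authentication and Encryption above, worked through in code as an added example. This is illustrative code for this page, not Intel's or Cisco's and not taken from the paper. It assumes a PMK already produced by the 802.1X/EAP exchange (a constructed byte string stands in for it), constructed MAC addresses and nonces, and a reduced EAPOL-Key layout that keeps only the fields the MIC covers; the GTK that message 3 carries, AES-Key-Wrapped under the KEK, is left out.

```python
"""802.11i pairwise key derivation and the four-way handshake, both sides.
Added illustration, not Intel's or Cisco's code. PMK, addresses and nonces
are constructed; the EAPOL-Key body is reduced to the fields the MIC covers
and the KEK-wrapped GTK of message 3 is omitted."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

Ptk = Dict[str, bytes]


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..., concatenated."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Ptk:
    """PTK for CCMP (384 bits) = KCK | KEK | TK. Inputs are ordered min || max so
    both sides compute the same key regardless of which role they play."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Simplified EAPOL-Key body: key_info(2) | replay_counter(8) | nonce(32) | MIC(16) | key_data
MIC_OFF, MIC_END = 42, 58


def eapol_key(key_info: int, replay: int, nonce: bytes, key_data: bytes = b"") -> bytes:
    return key_info.to_bytes(2, "big") + replay.to_bytes(8, "big") + nonce + b"\x00" * 16 + key_data


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2/CCMP (AKM 00-0F-AC:1): HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_END:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFF] + compute_mic(kck, frame) + frame[MIC_END:]


def verify_mic(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(compute_mic(kck, frame), frame[MIC_OFF:MIC_END])


def four_way_handshake(pmk: bytes, aa: bytes, spa: bytes, anonce: Optional[bytes] = None,
                       snonce: Optional[bytes] = None) -> Tuple[Ptk, Ptk, Tuple[bool, bool, bool]]:
    """Run the exchange between authenticator (AP, address aa) and supplicant (STA, spa).
    Returns (STA's PTK, AP's PTK, MIC checks for messages 2, 3 and 4).
    key_info values are the usual WPA2/CCMP ones; only the MIC matters here."""
    anonce = anonce if anonce is not None else os.urandom(32)
    snonce = snonce if snonce is not None else os.urandom(32)
    msg1 = eapol_key(0x008A, 1, anonce)                        # AP -> STA: ANonce; no PTK yet, so no MIC
    sta_ptk = derive_ptk(pmk, aa, spa, msg1[10:42], snonce)    # STA reads ANonce and derives the PTK
    msg2 = sign(sta_ptk["kck"], eapol_key(0x010A, 1, snonce))  # STA -> AP: SNonce, MIC under KCK
    ap_ptk = derive_ptk(pmk, aa, spa, anonce, msg2[10:42])     # AP derives the PTK from the received SNonce
    ok2 = verify_mic(ap_ptk["kck"], msg2)                      # a valid MIC proves the STA holds the PMK
    msg3 = sign(ap_ptk["kck"], eapol_key(0x13CA, 2, anonce))   # AP -> STA: install; GTK would sit in key_data
    ok3 = verify_mic(sta_ptk["kck"], msg3)                     # a valid MIC proves the AP holds the PMK
    msg4 = sign(sta_ptk["kck"], eapol_key(0x030A, 2, b"\x00" * 32))  # STA -> AP: confirmation
    ok4 = verify_mic(ap_ptk["kck"], msg4)
    return sta_ptk, ap_ptk, (ok2, ok3, ok4)


if __name__ == "__main__":
    pmk = os.urandom(32)  # constructed stand-in for the 802.1X/EAP result
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    sta, ap, checks = four_way_handshake(pmk, aa, spa)
    print("same PTK on both sides:", sta == ap, "MIC checks:", checks)
```

The PTK is a function of the PMK, both addresses and both nonces, so every association gets its own KCK/KEK/TK even when the PMK is reused; pre-authentication and PMK caching save the 802.1X round trip on roaming, but the four-way handshake with fresh nonces still runs at each association. A wrong PMK on either side fails at message 2 or 3, which is where the mutual authentication mentioned above actually happens.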

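An added example of detection logic for the MAC-layer threats described above (forged deauthentication and disassociation frames). It is illustrative code written for this page, not Intel's detection and not the Cisco infrastructure feature the paper refers to. The record format, the addresses, the timings, and the thresholds (ten frames in one second, a sequence-number gap of 64) are constructed for the example.

```python
"""Detection of MAC-layer DoS against a WLAN from captured management frames.
Added illustration, not Intel's or Cisco's code. Input is a feed of
management-frame records in a text format constructed for this example
(fields: ts subtype src dst bssid seq reason). Three checks run over it:
  1. flood: `threshold` deauth/disassoc frames against one BSSID inside a
     sliding window of `window_s` seconds;
  2. broadcast deauthentication with one of our BSSIDs as source, which an
     access point has little reason to send and a forging attacker usually does;
  3. sequence-number discontinuity on frames claiming our BSSID: the real
     radio's 12-bit counter advances in small steps, injected frames do not.
Addresses, timings and thresholds are constructed values."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Frame(NamedTuple):
    ts: float
    subtype: str
    src: str
    dst: str
    bssid: str
    seq: int      # 12-bit 802.11 sequence number
    reason: int   # reason code for deauth/disassoc, 0 otherwise


def parse_record(line: str) -> Frame:
    ts, subtype, src, dst, bssid, seq, reason = line.split()
    return Frame(float(ts), subtype.lower(), src.lower(), dst.lower(), bssid.lower(), int(seq), int(reason))


class MacLayerDosDetector:
    def __init__(self, our_bssids: Set[str], window_s: float = 1.0, threshold: int = 10, seq_gap: int = 64):
        self.our_bssids = {b.lower() for b in our_bssids}
        self.window_s, self.threshold, self.seq_gap = window_s, threshold, seq_gap
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)  # bssid -> recent deauth timestamps
        self._last_seq: Dict[str, int] = {}                          # our src -> last trusted seq
        self.flood_alerts: List[str] = []
        self.broadcast_deauths: List[Frame] = []
        self.seq_anomalies: List[Frame] = []

    def observe(self, f: Frame) -> None:
        if f.subtype in ("deauth", "disassoc"):
            self._check_flood(f)
            if f.src in self.our_bssids and f.dst == BROADCAST:
                self.broadcast_deauths.append(f)
        if f.src in self.our_bssids:
            self._check_sequence(f)

    def _check_flood(self, f: Frame) -> None:
        q = self._recent[f.bssid]
        q.append(f.ts)
        while q and f.ts - q[0] > self.window_s:
            q.popleft()
        if len(q) == self.threshold:  # fire once, as the threshold is crossed
            self.flood_alerts.append(f"{f.bssid}: {len(q)} deauth/disassoc within {self.window_s}s "
                                     f"ending t={f.ts} (last reason code {f.reason})")

    def _check_sequence(self, f: Frame) -> None:
        last = self._last_seq.get(f.src)
        if last is None:
            self._last_seq[f.src] = f.seq
            return
        delta = (f.seq - last) % 4096         # the counter wraps at 4096
        if 1 <= delta <= self.seq_gap:
            self._last_seq[f.src] = f.seq     # plausible continuation: trust it
        else:
            self.seq_anomalies.append(f)      # do not advance: keep following the real radio


def analyze(records: List[str], our_bssids: Set[str]) -> Dict[str, list]:
    det = MacLayerDosDetector(our_bssids)
    for line in records:
        det.observe(parse_record(line))
    return {"flood_alerts": det.flood_alerts,
            "broadcast_deauths": det.broadcast_deauths,
            "seq_anomalies": det.seq_anomalies}


AP, STA = "aa:bb:cc:dd:ee:01", "00:16:6f:11:22:33"  # constructed addresses
SAMPLE_RECORDS = [
    f"1.00 beacon {AP} {BROADCAST} {AP} 100 0",
    f"1.10 beacon {AP} {BROADCAST} {AP} 101 0",
    f"1.20 beacon {AP} {BROADCAST} {AP} 102 0",
    f"1.25 deauth {AP} {STA} {AP} 103 3",       # legitimate unicast deauth: the STA is leaving
] + [
    # forged flood: attacker spoofs the AP, broadcasts deauth (reason 7) every 50 ms with its own counter
    f"{5.0 + 0.05 * i:.2f} deauth {AP} {BROADCAST} {AP} {2000 + i} 7" for i in range(12)
] + [
    f"6.00 beacon {AP} {BROADCAST} {AP} 104 0",   # the real radio carries on from 103
]

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_RECORDS, {AP}).items():
        print(name, len(hits))
```

The sequence-number check is the one worth noting: an attacker forging the AP's address cannot follow the AP's counter without seeing every frame it transmits, so a spoofed source stands out even when the flood threshold is not reached. Management frame protection, which the paper expects from CCX Version 5, removes the root cause by authenticating these frames rather than detecting them after the fact.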

Primary Wireless Design


We designed a campus network based on our architecture to provide a high-
availability environment with no single point of failure. It is designed to provide
complete WLAN coverage across the campus, supporting a minimum connection
speed of 36 Mbps in normal operations and 24 Mbps if any single part of the
network fails. The environment is designed to support all client types including
desktops, laptops, PDAs and Wi-Fi phones.
We have also structured our management environment to allow for easy
“out-of-the-box” installation and control of the access points. Management
servers allow us to track and, if necessary, blacklist users, and to detect and
mitigate a wide variety of security offenses.

Figure 4 shows the logical design of the network. It is based on Cisco Unified
Wireless Network, which supports the Cisco CCX extensions and the Business
Class Wireless Suite feature set developed by Intel and Cisco.

Figure 4. Logical network design. (Diagram: RADIUS server, DHCP server,
enterprise network management system, and VPNs reached through outer
firewalls; the WLAN, legacy VLANs, and DMZ; Controller 1 and Controller 2
trunked to the WLAN L3 distribution layer and a legacy switch; LWAPP tunnels
from the access points in the wired LAN environment to the controllers.)


Access points are split into salt-and-pepper grids, as our architecture
describes. Each grid is connected to a different LAN switch, which supplies the
access points with both network connectivity and power over Ethernet (PoE).

Access points are connected to dedicated, building-level management virtual
LANs (VLANs). They receive their addresses dynamically from DHCP servers, and
automatically detect a controller available on this VLAN. An access point will
then create Lightweight Access Point Protocol (LWAPP) control and data tunnels
to the controller; the controller then automatically configures the access
point based on templates. This provides the access point with the correct OS
release, security settings, and other settings and services.

Each access point is assigned a primary controller, a failover controller, and
sometimes also a tertiary controller. This provides another level of
redundancy, allowing the access point to remain active even if its primary
controller becomes unavailable.

The primary wireless service is available on the 802.11a band only, with legacy
services supported on the 2.4-GHz 802.11b and 802.11g band. These include our
legacy WLAN, which uses Wired Equivalent Privacy (WEP) security and therefore
mandates use of a Layer 3 virtual private network (VPN). These services are
still provided for users who need them, and go through onsite Demilitarized
Zone (DMZ) firewalls for added security. The primary wireless network is secured
using full 802.11i encryption. Corporate RADIUS servers that are shared between
LAN and WLAN perform user authentication.

The campus controller distribution is a critical element of our design. Each of
our larger, four-floor buildings uses two controllers to manage the large
number of access points, as shown in Figure 5. Our two smaller buildings have
one controller each and are grouped together into a single logical building.

Figure 5. Campus controller distribution. (Diagram: each 4-story building has
Controller 1 and Controller 2; each 2-story building has a single controller;
the controllers are linked through a proxy mobile IP mechanism.)

With our design, the whole campus becomes a single mobile environment. Clients
can roam freely anywhere on campus with no interruption to applications as they
transition between access points or controllers. Within each building, the two
controllers share a VLAN and clients roaming between access points within the
building remain on the same IP network. When clients move between buildings
they retain their IP address, despite moving into a “foreign” network, through
a proxy mobile IP mechanism.
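The salt-and-pepper grids used in this design, with the 36 Mbps normal and 24 Mbps failover rates from Reliability and Redundancy above, checked as an added planning example. This is illustrative code written for this page, not Intel's planning tool. It assumes access points on a square lattice assigned to the two grids as a checkerboard, one radius within which a client still gets the 36 Mbps normal rate and a larger radius for the 24 Mbps failover rate (throughput falls with distance, as Figure 3 shows), and that a failed access switch takes down its whole grid; the spacing and radii are constructed values, not figures from the paper.

```python
"""Salt-and-pepper access point grid check. Added illustration, not Intel's
planning tool. Assumptions: APs on a square lattice, checkerboard grid
assignment, one coverage radius for the normal (36 Mbps) rate and a larger
one for the failover (24 Mbps) rate, and a switch failure removing a whole
grid. Spacing and radii below are constructed values."""
import math
from typing import Dict, List, Optional, Tuple

Point = Tuple[float, float]


def place_access_points(rows: int, cols: int, spacing: float) -> Dict[Point, str]:
    """Checkerboard assignment: no two adjacent APs share a grid (or an access switch)."""
    return {(r * spacing, c * spacing): "salt" if (r + c) % 2 == 0 else "pepper"
            for r in range(rows) for c in range(cols)}


def sample_points(rows: int, cols: int, spacing: float, step: float) -> List[Point]:
    """Client positions on a fine lattice over the floor area the APs span."""
    xs = [i * step for i in range(int((rows - 1) * spacing / step) + 1)]
    ys = [j * step for j in range(int((cols - 1) * spacing / step) + 1)]
    return [(x, y) for x in xs for y in ys]


def uncovered(points: List[Point], aps: Dict[Point, str], radius: float,
              failed_grid: Optional[str] = None) -> List[Point]:
    """Sample points with no surviving AP within `radius`."""
    alive = [p for p, grid in aps.items() if grid != failed_grid]
    return [q for q in points if not any(math.dist(q, a) <= radius for a in alive)]


def required_radii(spacing: float) -> Tuple[float, float]:
    """Worst-case distances the two rates must reach on a checkerboard:
    normal: the centre of a square of four APs, spacing / sqrt(2);
    failover: the site of a failed AP, whose nearest surviving neighbour is one spacing away."""
    return spacing / math.sqrt(2), spacing


def check_design(rows: int, cols: int, spacing: float, r_normal: float, r_failover: float,
                 step: float = 5.0) -> Dict[str, int]:
    """Count uncovered sample points with both grids up and with either grid down."""
    aps = place_access_points(rows, cols, spacing)
    pts = sample_points(rows, cols, spacing, step)
    return {"normal": len(uncovered(pts, aps, r_normal)),
            "salt_down": len(uncovered(pts, aps, r_failover, "salt")),
            "pepper_down": len(uncovered(pts, aps, r_failover, "pepper"))}


if __name__ == "__main__":
    print("required radii at 60 ft spacing:", required_radii(60.0))
    print("adequate failover radius:", check_design(4, 4, 60.0, r_normal=45.0, r_failover=65.0))
    print("failover radius too short:", check_design(4, 4, 60.0, r_normal=45.0, r_failover=55.0))
```

The rule the check encodes is that the failover rate must reach one full AP spacing, while the normal rate only has to reach the centre of a square of four APs (spacing divided by the square root of two). The second run shows the failure mode: a failover radius just short of the spacing leaves holes exactly at the failed grid's AP sites, which is where the clients that lost their AP are standing.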

Conclusion
Our architecture and design are enabling a groundbreaking implementation of a large-
scale WLAN used as the primary access method across a 5,000-user campus. We
believe this project shows that WLANs can achieve the performance, reliability, QoS,
and manageability needed to deliver converged services within a large enterprise. We
are moving ahead to deploy voice and data services over our primary WLAN to users
throughout the campus.

Authors
Danny Nissan is a wireless LAN engineering product manager with Intel Information Technology.
Omer Ben-Shalom is a wireless LAN engineer with Intel Information Technology.

Acronyms
CCA    clear channel assessment
CCI    co-channel interference
CCKM   Cisco Centralized Key Management
CCX    Cisco Compatible Extensions
DHCP   Dynamic Host Configuration Protocol
DMZ    Demilitarized Zone
DoS    denial of service
DSCP   differentiated services code point
EAP    Extensible Authentication Protocol
GMK    Group Master Key (the group key 802.11i delivers to clients is the Group Temporal Key, GTK)
LWAPP  Lightweight Access Point Protocol
MAC    media access control
PDA    personal digital assistant
PMK    Pairwise Master Key
PoE    power over Ethernet
QoS    Quality of Service
RADIUS Remote Authentication Dial-In User Service
RF     radio frequency
TCP    Transmission Control Protocol
TMK    Transient Master Key (the Pairwise Transient Key, PTK, of 802.11i)
VLAN   virtual LAN
VoIP   Voice over Internet Protocol
VPN    virtual private network
WEP    Wired Equivalent Privacy
WLAN   wireless LAN
WMM    Wi-Fi Multimedia
WPA    Wi-Fi Protected Access

www.intel.com/IT

This paper is for informational purposes only. THIS DOCUMENT IS PROVIDED "AS
IS" WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY,
NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE
ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Intel disclaims all
liability, including liability for infringement of any proprietary rights,
relating to use of information in this specification. No license, express or
implied, by estoppel or otherwise, to any intellectual property rights is
granted herein.

Intel Corporation may have patents or pending patent applications, trademarks,
copyrights, or other intellectual property rights that relate to the presented
subject matter. The furnishing of documents and other materials and information
does not provide any license, express or implied, by estoppel or otherwise, to
any such patents, trademarks, copyrights, or other intellectual property rights.

Intel, the Intel logo, Intel. Leap ahead., and the Intel. Leap ahead. logo are
trademarks or registered trademarks of Intel Corporation or its subsidiaries in
other countries.

* Other names and brands may be claimed as the property of others.

Copyright 2006, Intel Corporation. All rights reserved.

Printed in USA. Please Recycle. 0906/ARM/RDA/PDF Order Number: 314562-001US
