NAC/Wireless Design

Hi!
Looking for some input on some design options for NAC with a wireless deployment since OOB and IB are now both options.
In a campus environment of up to 300 wireless users, in-band seems good so that we can have one SSID, but restrict a user login to a role and apply restrictions on the appliance, but I'm concerned about the common issue of the appliance becoming a bottleneck.
My other thought too would be to have multiple SSIDs (VLANs) and have multiple appliances handle certain VLANs, but this is pricey.
In wireless OOB, it appears you can only have one "access" VLAN to map users to (I guess b/c that is all the WLC supports?), so that does not work for us as we need to have employees and guests (among others) separated.
Please correct me on any misunderstandings.
All insight appreciated. Thanks for the input!

Your understanding is correct.
For 300 wireless users, you may want to go inband and do enforcement at the NAC server level.
For OOB, you need to make different SSIDs for different roles,
e.g. Guest, Employees and Contractor.
You can look at the configuration example too for OOB Wireless NAC 4.5 here:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml

Similar Messages

  • Question regarding Wireless design

    Hi,
    I am planning for a wireless design for a new site and would like to understand the following
    1. Should I go with the Access Point (AP) that support 2.4 GHz or 5 GHz or both
    2. What is the average coverage area in meters or feet for both the frequencies
    3. If the overall area is 2000 Sq. feet with few walls in between, how many access points will be required approximately
    4. What is the leading practice on the number of users per AP
    5. What are the circumstances when a Wireless controller needs to be deployed. Is it purely based upon the number of APs to manage?
    6. Should there be a separate DHCP scope for each AP? If not, how do APs communicate with each other if there is no controller deployed?
    Your time for answering these will be highly appreciated. Thank you.

    Hi Manoj,
    Here are my responses to your query.
    1. Should I go with the Access Point (AP) that support 2.4 GHz or 5 GHz or both
    BOTH
    2. What is the average coverage area in meters or feet for both the frequencies
    These days coverage is not the primary criteria, it's capacity. Roughly you need to put an AP for each 20-25 devices for normal data usage.
    3. If the overall area is 2000 Sq. feet with few walls in between, how many access points will be required approximately
    Based on the number of devices expected in each area you can determine that. If you do a survey do it in 5GHz which is lower cell size.
    4. What is the leading practice on the number of users per AP
    If it is typical data usage (email, browsing, etc.) then 20-25 users per AP. If you require Video/voice then this number comes down to around 10.
    5. What are the circumstances when a Wireless controller needs to be deployed. Is it purely based upon the number of APs to manage?
    Always go for a Controller managed solution. It is very hard to control RF environment if you manage them individually (like autonomous AP).
    6. Should there be a separate DHCP scope for each AP? If not, how do APs communicate with each other if there is no controller deployed?
    No, you can have single DHCP scope for AP. As long as AP & WLC have layer 3 reachability it will communicate with each other using CAPWAP protocol.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Cisco Wireless NAC Appliance - Design Practices ??

    Hi,
    I have a new Cisco Wireless NAC appliance, the purpose of which is to manage the Guest users access to network. I have been searching for some best practices related to the design of this appliance but haven't found one.
    Can anybody help me in sharing his design experience or any document which would be guiding in deciding over the design / placement of this NAC device in network.
    Thank You.

    Hi,
    there is nothing such as "Wireless NAC appliance".
    The question is "do you have the NAC Guest Server" or the "NAC appliance Server and NAC appliance Manager (CAS/CAM)"?
    Because those are just not the same at all.
    Then on the wireless side, do you have autonomous APs or a WLC ?
    Sorry to ask, but there's just so many possibilities you could be asking that we need to clarify.
    My bet is that you are either looking for this :
    http://www.cisco.com/en/US/partner/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    or for this :
    http://www.cisco.com/en/US/partner/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html#wp1092277
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Question about Wireless Design and Controller

    Hi Everyone,
    Although I am not new to Cisco, I have somewhat limited experience with Wireless in general.  I was hoping to get your help with the following:
    We currently have a total of 8 1130AG, 4 on each floor.  They were configured a few years ago, and now we are looking to update the design a bit.  Each AP has its own SSID, and just provide internet access.  Looking at the configuration, I noticed that they are not configured to use proper channels, just random channels (9, 10, 11, instead of 1, 6, 11, etc.).  I noticed that when I roam between one AP to another, I lose about 4-8 pings before I re-establish connectivity again.
    Here are my questions:
    1.  Do I need a controller in order to use just one SSID for the whole setup instead of the 8 separate ones we currently have?
    2.  Will the controller help in providing seamless transition when a client roams between APs?
    3.  Is it normal to lose connectivity roaming around?
    4.  Can I reconfigure the current setup to use just one SSID and provide better transition between AP without the use of a controller?
    5.  Which controller would you recommend?
    We don't have a need for anything fancy, I am aware that I can enable multiple SSID, VLAN's, etc.  Just trying to keep it as simple as possible, yet reliable.
    Your input is appreciated.
    Thanks

    1.  With 8 AP's only, a WLC would be nice-to-have but not necessary. You can configure WLSE and it will do some limited functions.
    2.  This depends on the signal strengths, wireless coverage and configuration.  If you enable WLSE, for instance, and you have no wireless black spots, then roaming should be no issues.
    3.  See #2.
    4.  You can configure multiple SSID (up to 16 are broadcasted) but if one AP doesn't have the SSID you use for roaming, the association will drop when the client tries to join that particular AP.  It's like mobile phone towers.  If your carrier is not in the area, you sure won't be able to use your mobile phone in that area.
    5.  For 8 1130 APs, I'd recommend the smallest of the lot:  2106 with either 6, 12 or 25 AP licenses.  I'd recommend you the 25 AP licenses.  If your finances allow you something bigger, then consider either the 4402 (25 AP licenses) or the 5508.
    Cisco 2100 Series Wireless LAN Controllers
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/product_data_sheet0900aecd805aaab9.html
    Cisco 4400 Series Wireless LAN Controllers
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps6307/product_data_sheet0900aecd802570b0_ps6366_Products_Data_Sheet.html
    Cisco 5500 Series Wireless Controllers Data Sheet
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps10315/data_sheet_c78-521631.html

  • Wireless design guide/help

    Hi guys........just have a few questions about designing WLC 5508
    The scenario is that currently one of the client has a firewall Tiering T1 internet facing and T2 internal which has multiple DMZ connected.
    T2 firewall has a DMZ switch connected which has a router which connects to MPLS cloud to different site across the country. (around 10 sites) all static routing.
    Now the client is thinking to deploy wireless at all 10 sites using H-REAP. The issue is that client has only one WLC and they are not willing to buy other as I was thinking to deploy two WLC one for corporate and one for guest users. (one in internal network and one in DMZ)
    Now my question is as follows.
    1- Keeping in mind that there is only one WLC where should I physically put it?
    2- How guest users will work ? How the authentication will be done?
    3-There are 8 SFP ports in WLC how physical topology will look like?
    4-How many VLANs I have to make for wireless users will that be 10? (1 at each site) ?
    my last question is that how these ports work on WLC are they just like switch e.g. one port can be assigned to different vlan....just confused about interfaces and vlans on WLC (interfaces concept)
    Thanks guys and hope to get a response ASAP.

    1- Keeping in mind that there is only one WLC where should i physically put it?
    Well since you will also be supporting Corporate and I'm guessing that is where the WLC sits, it should be in the inside network.  You would just need to allow udp 5246 & 5247
    2- How guest users will work ? How the authentication will be done?
    Guest users can use webauth in which the credentials will be stored on the WLC.
    3-There are 8 SFP ports in WLC how physical topology will look like?
    This is the tricky part.  You can either lag or not lag.  You can't split up the lag (etherchannel).  So you can either use all 8 if you wish and create an etherchannel and then acl the guest traffic out the internet or you can put the guest on a layer 2 vlan in which you would connect that out to the dmz.  Or you can use one port for the management and also have a backup port, one for your internal wireless and also have a backup port and the same for guest.  So it would look like this:
    Management primary port 1 backup port 2
    SSID primary port 3 backup port 4
    Guest primary port 5 guest port 6
    OR
    Management & SSID's primary port 1 backup port 2
    Guest primary port 3 guest port 4
    4-How many Vlans i have to make for wireless users will that be 10? (1 at each site) ?
    If you use local switching which I would think you would, the vlans for the SSID at the remote site will be created locally at each remote site.  If you want to centrally switch, means all traffic will come back to the WLC, then you will need at least one.  Now you can use a large subnet or have a subnet for each site, it's up to you.  You would use AP Groups for that.
    my last question is that how these ports work on WLC are they just like switch e.g one port can be assigned to different vlan....just confuse about interfaces and vlans on WLC (interface concept)
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Wireless design help

    Hi guys........just have a few questions about designing WLC 5508
    The scenario is that currently one of the client has a firewall Tiering T1 internet facing and T2 internal which has multiple DMZ connected.
    T2 firewall has a DMZ switch connected which has a router which connects to MPLS cloud to different site across the country. (around 10 sites) all static routing.
    Now the client is thinking to deploy wireless at all 10 sites using H-REAP. The issue is that client has only one WLC and they are not willing to buy other as I was thinking to deploy two WLC one for corporate and one for guest users. (one in internal network and one in DMZ)
    Now my question is as follows.
    1- Keeping in mind that there is only one WLC where should I physically put it?
    2- How guest users will work ? How the authentication will be done?
    3-There are 8 SFP ports in WLC how physical topology will look like?
    4-How many VLANs I have to make for wireless users will that be 10? (1 at each site) ?
    my last question is that how these ports work on WLC are they just like switch e.g. one port can be assigned to different vlan....just confused about interfaces and vlans on WLC (interfaces concept)
    Thanks guys and hope to get a response ASAP.

    OSITAN N Many thanks  please comment

      Internet
        FW 1
          !                                  <--------------------- Traffic coming this way
        FW2 -------- DMZ -------- SW -------- Router -------- IP MPLS --------
          !  ------Trusted-----                                               !
          !                            ------ Branch Router ------->         RT
     !    !    !                                                             SW
    DSN   AD   DHCP                                                           !
                                                                             AP
                                                                            USER

    1 Where WLC Place so that Guest traffic don't go to Trusted area?
    2. It's gonna be H-REAP so DHCP would be local for branch
    3. Voice user QoS? priority how ? example
    4 Guest Firewall rules to use only internet ?

  • Wireless Design - Best Practices for Data, Voice, and LBS

    Hi,
    I am currently in the process of designing a WLAN for a new hospital and I am getting some push back from my sales team.  The requirements of the WLAN are data, voice, and location based services (RFID for medical equipment) ... needs to be 2.4 GHz for Guest and some apps/clients but primarily 5 GHz for most of the clients ... lastly needs to be N compatible for future use.
    So, I did a predictive design with 1252's on the perimeter with 2.4 and 5 GHz patch antennas and 1142's in the middle to fill gaps ... I also scoped out 2 5508 for redundancy .... total design with -65 at my edges was 169.  However, this is getting push back because of several cost issues ....
    1. The bundle that Cisco offers for 5 100 AP license 5508 WLC is cheaper than buying 2 250 AP licenses WLC's ... which doesn't make any sense to me because I think 5 devices is overkill
    2. The sales engineer is concerned about the power issues with the 1252's ... customer would rather not use power injectors ... and although they would have 6500's at their core ... they would only have basic switches in their IDF's so I wasn't sure which POE Switches would be able to handle 1252 but cost was an issue there as well
    So, for my understanding when you are doing a WLAN design for LBS it's always best to have APs or antennas on the perimeter for better triangulation ... it makes more sense to me to do that with patch instead of Omni's ... however my sales engineer wants to use all 1142's ... so my question is what are the pro and cons behind using all Omni's or using Patch and Omni's?
    Furthermore, if anyone has any documentation supporting why I would not use all Omni's that would be great because all the articles I have read on LBS just state that placement of APs is critical but don't give any specifics on whether it's a good practice to place them on the perimeter using a specific type of antenna or what.
    Thanks in advance for your help and any ideas about this design!!!

    1.  The 5508 is expensive because it's a lot faster than the 4400 plus there are some features exclusive to the 5508 such as OfficeExtend.  As the old network design adage goes:  Your design can be done correctly, cheap or fast.  Choose two.
    2.  The 1250 requires 19.5w of power to enable FULL MCS rates to both radios.  Only the 3560E, 3750E or the Sup720 is capable of supporting that.  Upgrading the IOS of the 1250 to 12.4(10b)JDA3 will allow the AP to operate both radios at 15.4w BUT at lower MCS rates.  Correct placement of the AP and the correct use of the antennas will also help in the signal distribution.
    3.  Patch antennas are mostly directional.  The 1140 is omni-directional BUT the signal strength is not as powerful as the 1250 at full power.  The AIR-ANT2451NV is an omni-directional patch designed for the 1250.
    Cisco Aironet Antennas and Accessories Reference Guide
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008008883b.html
    Cisco Aironet 2.4 GHz and 5 GHz Antennas and Accessories
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008022b11b.html
    Some of the new patch antennas for the 1250
    Cisco Aironet Dual Band MIMO Low Profile Ceiling Mount Antenna (AIR-ANT2451NV-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2451nv.pdf
    Cisco Aironet Very Short 5-GHz Omnidirectional Antenna (AIR-ANT5135SDW-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant5135sdw.pdf
    Cisco Aironet Very Short 2.4-GHz Omnidirectional Antenna (AIR-ANT2422SDW-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2422sdw.pdf
    Cisco Aironet 5-dBi Diversity Omnidirectional Antenna (AIR-ANT2452V-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2452v.pdf
    Cisco Aironet 5-GHz MIMO Wall-Mounted Omnidirectional Antenna (AIR-ANT5140NV-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant5140nv.pdf
    Cisco Aironet 5-GHz MIMO 6-dBi Patch Antenna (AIR-ANT5160NP-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant5160np.pdf
    Cisco Aironet 2.4-GHz MIMO Wall-Mounted Omnidirectional Antenna (AIR-ANT2450NV-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2450nv.pdf
    Cisco Aironet 2.4-GHz MIMO 6-dBi Patch Antenna (AIR-ANT2460NP-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2460np.pdf

  • ISE and NAC wireless guest networks

    I have a wireless network that is NAC controlled and use lobby ambassador for guest wireless. What is the best way to migrate to ISE for guest? Are there problems running NAC and ISE on the same controller?

    Hello,
    For your query regarding ISE and NAC, following are my findings, which might help you in order to solve your query.
    For your first question:
    ISE is a free software upgrade for customers who have NAC appliance or NAC profiler. This is for both for the base and advance licenses.
    ISE is a 50% software discount for customers who have  NAC guest server. The 50% discount is a migration part for the base license only. The advance features license will not be impacted by this discount.
    For your second question:
    There should be no issues running NAC and ISE on the same controller until and unless you are using two SSIDs.

  • ISE wireless design

    Hi all,
    Designing on an ISE wireless case, I would like to seek ideas about:
    1. My design goal is to differentiate: domain users are only capable of connecting to Employee_AP, while guests connect to Guest_AP. What rule's condition should I use?
    2. What is the best practice for BYOD policies to permit each employee to use only 2 units of personal devices? Say one notebook and one handheld device. Any way I can enforce this rule on ISE?
    Million thanks
    Noel

    If you are already authenticating your wireless users and anchoring them to a DMZ you can do the same with wired users as long as you have a foreign controller layer 2 adjacent to the wired guests.  
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/99470-config-wiredguest-00.html
    You would just need to set the VLAN on the port for the guest users, or if you want you can use ISE wired AuthZ policy to place the guest users into the correct VLAN, or FlexAuth using guest VLANs.  

  • Wireless Design Question

    I am a CCNA supporting a few offices that have VPN connections through local ISP to a central site. I have one site that is remote and unable to get a broadband connection. It is approx. 1.5 miles from a site that has a broadband connection. I would like to set up a wireless connection. Because of the topology I think I would need a bridge between the sites most likely on a tower. I am thinking that I would need a bridge at the remote site, a bridge in the middle and a bridge at the wired office. Am I on the right track? Can this be done and what sort of antennae would I need? Please email me at [email protected] Thank you

    I don't see a point in putting a bridge in the middle. Hardware/Technology is available to cover 1.5 miles.
    However, if you can manage a bridge in the middle and your hardware specs support the design, go for it.
    Thanks.

  • NAC Appliance design question

    I have a customer with a central site and two branch office. Routing is configured on the WAN to connect all three locations. All servers and internet access are on the central site.
    Customer wants to install NAC appliance. Do I need a NAC appliance at each location? Or do I just install it at the central location and use that NAC appliance for access control to the two remote sites as well.
    Also how does NAC appliance apply access control to users coming into the network via Citrix or Cisco VPN Clients?
    Thanks

    NAC Appliance (CAM & CAS = Clean Access Manager/Server) can be used in a Layer 3 Out Of Band design. This will provide you with centralized control.
    It works by placing all unauthenticated switch ports into an unauthentication VLAN. When a switch port goes up/up, the NAC CAS follows a set of rules you have established on the CAM to make decisions about the computer and user. It then will place that switch port into a VLAN 'dynamically' as dictated by the rules. Your switches must support these features (IOS level) and only Cisco products work with the CAM/CAS (well some others might, but it's a short list). When the port goes down/down the CAS senses this and returns the port to the unauthenticated VLAN.
    For instance, if a user is a vendor, only requiring Internet access, you will have a VLAN for this purpose on all your switches and routed/trunked to your Internet Point of Presence. The CAS will see the switch port he/she jacks into come up/up. It will query the user and the computer and based upon the rules in the CAM, dynamically assign the wire port to the VLAN from the go-no-where unauthenticated VLAN.
    If it were a company user, you could set it to check Anti-virus, levels of service packs, etc. before they were allowed on the network. It could also be set up to allow the person access to only the 'Finance' VLAN (for example) based upon their role in the company. It can do this remotely.
    If you were to remediate VPN users, you could not do this in a dynamic, Out of Band fashion. You would need a second CAS (but not CAM) to operate In Band. This would then allow users in one Interface, traverse the CAS on out another interface on the appropriate VLAN. This is because it's impossible to apply multiple rules to a single port shared by multiple users. You would need a means to make decision on what VLAN the users accesses at the concentrator and move them off dynamically at the virtual interface. It's not supported.
    Remember, NAC is performed at the switch port level. Citrix users would be regarded as local users. You could perform certain rule checking to allow them only onto your Citrix VLAN.
    There is a Cisco Chalk Talk series on the NAC, use the URL below. It will teach you as much as you can absorb on the NAC appliances, how to use them and recommend their purchase to your clients.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html
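
The out-of-band behaviour described in the answer above, modelled as an added Python example (not part of the original post and not Cisco's code). VLAN ids, role names, port names and the posture rule are assumptions made up for the illustration.

```python
"""Toy model of the out-of-band (OOB) port handling described above.

Constructed for illustration: VLAN ids, role names and the posture rule are
assumptions, not values or APIs from Cisco NAC Appliance.
"""
from dataclasses import dataclass, field
from typing import List, Optional

UNAUTH_VLAN = 999                            # assumed "go-nowhere" VLAN
ROLE_VLANS = {"vendor": 50, "finance": 60}   # assumed role -> access VLAN
POSTURE_ROLES = {"finance"}                  # assumed: roles that need an AV check


@dataclass
class Endpoint:
    user: str
    role: str
    antivirus_ok: bool = True


@dataclass
class SwitchPort:
    name: str
    vlan: int = UNAUTH_VLAN
    endpoints: List[Endpoint] = field(default_factory=list)


def decide_vlan(ep: Endpoint) -> int:
    """Rule set (the CAM's job in the post): map one endpoint to one VLAN."""
    if ep.role not in ROLE_VLANS:
        return UNAUTH_VLAN
    if ep.role in POSTURE_ROLES and not ep.antivirus_ok:
        return UNAUTH_VLAN
    return ROLE_VLANS[ep.role]


def link_up(port: SwitchPort, endpoints: List[Endpoint]) -> Optional[int]:
    """Port comes up: start in the unauthenticated VLAN, then apply the rules.

    Returns the VLAN assigned, or None when the endpoints behind the port need
    different VLANs. An access port carries one VLAN, so OOB cannot satisfy
    that case (the shared VPN-concentrator port in the post); the port stays
    unauthenticated and that traffic needs in-band enforcement instead.
    """
    port.vlan = UNAUTH_VLAN
    port.endpoints = list(endpoints)
    wanted = {decide_vlan(ep) for ep in endpoints}
    if len(wanted) != 1:
        return None
    port.vlan = wanted.pop()
    return port.vlan


def link_down(port: SwitchPort) -> int:
    """Port goes down: return it to the unauthenticated VLAN."""
    port.vlan = UNAUTH_VLAN
    port.endpoints = []
    return port.vlan


def demo() -> dict:
    """Run the cases from the post on constructed ports and users."""
    results = {}
    p1 = SwitchPort("Gi1/0/1")
    results["vendor"] = link_up(p1, [Endpoint("visitor", "vendor")])
    results["after_unplug"] = link_down(p1)
    p2 = SwitchPort("Gi1/0/2")
    results["finance_no_av"] = link_up(
        p2, [Endpoint("alice", "finance", antivirus_ok=False)])
    p3 = SwitchPort("Gi1/0/3")
    results["finance_ok"] = link_up(p3, [Endpoint("bob", "finance")])
    shared = SwitchPort("Gi1/0/24")          # several users behind one port
    results["shared"] = link_up(
        shared, [Endpoint("carol", "finance"), Endpoint("dave", "vendor")])
    results["shared_port_vlan"] = shared.vlan
    return results


if __name__ == "__main__":
    for case, vlan in demo().items():
        print(case, vlan)
```
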

  • Secure Wireless Design Guide 1.0

    Has there been any update to this document?  This document is dated July 11, 2007.
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns386/c649/ccmigration_09186a0080871da5.pdf
    Does anyone have a link to other reference material for designing Wireless Security; integrating WLCs with other Cisco security appliances and software?
    Thank you for your help.

    You can check the Wireless and Network Security Integration Solution Design Guide on the link below:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/sw2dg.html
            "niLz"
    Nilo Noguera Jr.
    | Specialist, Virtual Engineering - Partner Helpline Organization
    together we are the human network

  • Wireless design - Cisco 5508

    Just recently bought a couple of 5508's, one for lab and one for production.
    So I am at early stage design here.
    I have a few questions
    I would like to create one vlan, that is trunked across all 8 floors of company, distribution switches and associated AP's per floor.
         Once a client tries to connect I would like them to be able to use their domain credentials (LDAP) to authenticate against the wireless
         infrastructure. Once they authenticate, they are granted access to the wireless vlan which has connectivity back to the network.
         From a design perspective is this the best way to go about doing this ? I see that there is a section for LDAP authentication, if they
         are already logged into the domain and then undock their laptop and connect over wireless will they have to retype in the username and password ?
         Seamless would be nice
    From a guest (in house consultant) perspective, how do I design for just allowing them wireless access but only to the internet and not have access to rest of internal network. Is there a way to differentiate via vlan assignment if they are a guest or an authenticated user ?
    Pretty new to this 5508, but so far it looks great. Any advice / help would be appreciated.
    Cheers
    Dave

    Let's try to do it point by point.
    If you are to accept guests, you are better with a separate SSID with no authentication. That separate SSID will be on a separate vlan so you just have to configure ACLs on your network to prevent internal network access.
    With regards to authentication, LDAP is a user database. You still need an authentication server. WLC can act as one but it's not as good as a real aaa/radius server.
    So the best is to have WLC using a radius server (Microsoft NPS/IAS or Cisco ACS or whatever) that will do PEAP authentication and will use Active Directory as the database (The radius server is using AD as database, not WLC).
    This allows you to dynamically assign vlans and funny stuff that radius server allows.
    To have it "seamless" you can pre-configure the client supplicants to do PEAP and automatically use Windows login credentials, so they won't be prompted if all goes well.
    For specific questions, I think all is covered in the WLC config guide but this should be a good set of pointers for you to know where to look.
    Hope this clarifies.
    Nicolas
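
One way to check a guest-VLAN ACL of the kind suggested in the answer above before deploying it, as an added Python example (not from the original post or from Cisco). The rule format, the first-match evaluator and every address are constructed assumptions; it contrasts a rule order that leaks internal access with a corrected one.

```python
"""First-match ACL check for a guest VLAN (constructed example).

Assumptions: the ACL is applied inbound on the guest VLAN's routed interface,
so every packet's source is a guest client and only the destination is matched.
All addresses below are made up for the example.
"""
import ipaddress

DNS_SERVER = "10.1.1.53"   # constructed internal resolver that guests may query
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def rule(action, dst, proto="ip", port=None):
    """Build one ACL entry; proto "ip" matches any protocol."""
    return {"action": action, "dst": ipaddress.ip_network(dst),
            "proto": proto, "port": port}


def evaluate(acl, dst, proto, port):
    """Return the action of the first matching rule; implicit deny at the end."""
    addr = ipaddress.ip_address(dst)
    for r in acl:
        if addr not in r["dst"]:
            continue
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        return r["action"]
    return "deny"


# Weak ordering: the broad permit comes first, so the deny lines never match.
WEAK_ACL = [rule("permit", "0.0.0.0/0")] + [rule("deny", n) for n in RFC1918]

# Corrected ordering: narrow permit for DNS, deny internal space, then internet.
FIXED_ACL = (
    [rule("permit", DNS_SERVER + "/32", "udp", 53)]
    + [rule("deny", n) for n in RFC1918]
    + [rule("permit", "0.0.0.0/0")]
)

# Constructed probes: (destination, protocol, port, expected action).
PROBES = [
    (DNS_SERVER, "udp", 53, "permit"),       # name resolution must work
    (DNS_SERVER, "tcp", 445, "deny"),        # same host, other service
    ("10.20.30.40", "tcp", 443, "deny"),     # internal web application
    ("172.16.5.5", "tcp", 22, "deny"),       # internal management
    ("192.168.1.10", "tcp", 3389, "deny"),   # internal desktop
    ("203.0.113.10", "tcp", 443, "permit"),  # internet (documentation range)
]


def audit(acl):
    """Return the probes whose result differs from the expected action."""
    failures = []
    for dst, proto, port, expected in PROBES:
        got = evaluate(acl, dst, proto, port)
        if got != expected:
            failures.append((dst, proto, port, expected, got))
    return failures


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        print(name, "violations:", audit(acl))
```
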

  • Wireless Design - WLC Configuration

    Soon to be working on a design for a Wireless installation across one of our buildings. The wireless survey has been completed, and we'll be installing 175 APs, across the 3 floors of the building.
    With regards to the back-end WLC setup, I have a few queries around the WLC configuration. We're looking at implementing the 4400 series of devices, and due to us having nearly 200 APs, we'll need at least 2 x 4404 or 4 x 4402 - I'm assuming it's simpler to have fewer devices to make management simpler.
    Also, looking at the Cisco reference material, they recommend that a 4404 can support up to 100 APs, with regards configuring the ports on the box, would I need to configure LAG across the WLC ports in order for it to accommodate all of the Access Points. If we were to go with a scenario of using 2 x 4404 devices, would we be in a position whereby if we lost a Controller, we'd lose all of the Access Points associated with that Controller? In order for us to have full resiliency, we'd need an additional 4404 controller for the APs to failover on too?
    From a licensing perspective, we'll be purchasing a licence to cover 200 APs.
    TIA

    Do you think that the phone carrier change the Android OS kernel and removed the proxy setting option before they sell it to consumers? If it's so why would they do such thing?
    As far as I'm aware, no.  Phone carriers don't care about wi-fi proxy.  They won't make any money if they do and they equally won't make money if they don't.  This "proxy" issue came straight from the developers of the Android OS themselves.  It's been highlighted since day one of the Android release.  This is why some browsers have incorporated proxy settings to their application because the Android OS developers are not interested to fix this shortfall.
    RE: iPhone and iPad users if you use Windows proxy server and integrated Windows authentication is enabled the credential should not be prompted for user if it's already entered in their devices.
    Unfortunately, I don't have the details with me right now but I'll try to see if I still have this information when I go back to work.

  • High Density Meraki Wireless - "Design Guide".

    Hi All
    I'm looking for a discussion / thoughts of how to implement a Meraki Wireless network for many clients on a single location.
    I have read Meraki's Whitepaper on : "Successful WiFi Deployment for Large Events", and it has a lot of good points.
    https://meraki.cisco.com/lib/pdf/meraki_whitepaper_large_events.pdf
    (even though I would not set a bandwidth limit today at 100Kbit/sec - the paper is from 2011 a lot has happened since then). 
    But my top concern is broadcast and multicast traffic, because this traffic is sent at low datarates.
    Is there a way to disable broadcast and multicast on Meraki Wireless solution, like on a Cisco "Classic" Wireless LAN Controller solution ? (Proxy ARP and so on.)
    I am not that concerned about the physical layer (AP placement, Antennas, Channels and Transmit power).
    How would you design a Meraki Wireless network for many clients (1,2 maybe 3K connected clients in peak hours) ?
    What I am thinking:
    I'm thinking about setting the Meraki APs up in NAT mode, to avoid being flooded with Broadcast and Multicast traffic from that many clients, like in a "normal" bridged mode solution from the wired / wireless network.
    But is this the best solution ?
    How does Meraki's Layer 3 (with and without MX appliance) work when factoring in broadcast and multicast ?
    I can't seem to find any design / configuration guides explaining this.
    Anyone care to share their thoughts ?

    Nicolas is right on with his assessment; but there are a couple other potential pit-falls with this scenario. I did a venue that was about half the size I'd say and one of the biggest issues I encountered was that there were so many client devices trying to transmit that the spectrum was flooded with beacons, and association requests and the like. Now I am not saying that it's not possible to cover this area, but it is certainly more difficult if you're only utilizing the 2.4 GHz band since there are only 3 channels you can choose to use.
    For what it's worth in my installation I used directional patch antennas (as narrow as I could find) and mounted them on the ceiling (about 60' high) and estimated their anticipated coverage at a very very low transmit power (1mw to  3 mw I believe). To estimate the coverage I took the beam width of the antenna (42 degrees vertical, 80 degrees horizontal) and then figure out at 60' how wide would that area be that gave me a rough idea of the basic coverage area and from that I could determine how many clients that AP would see, and from there I could at least set one up and test the actual coverage and also estimate the number of AP and possibly placement so you can review the channelization and such. If too many clients could potentially be in the coverage zone you may need to use a different antenna or change positions, etc. Does that make sense?
    This is no definitive template for this, many people would do this many different ways.
    Hope this helps you out.
