WLAN Design

I've inherited our current WLAN that consists of two identically configured 1121 APs in separate buildings. Authentication is WPA-TKIP PSK that requires manual configuration of all devices. Guest access is handled through a separate VLAN that has ACLs that restrict traffic from the rest of the network; authentication is WPA-TKIP PSK. The SSID determines what VLAN they connect to.
We also have a point-to-point connection using two 1310 bridges that is secured by WPA-AES CCM+TKIP and MAC authentication.
We recently purchased a Secure ACS Express 5.0 and will be purchasing 3 additional APs.
My question is, what is the best way to clean up our WLAN, increase security and manageability, and preferably provide 0-configuration wireless access to guests and employees? I'm guessing a WLC is going to be required, but since I have very little wireless design experience I want to have this done right.
The vast majority of our wireless clients are laptops using Windows' wireless configuration, but we also have several smart-phones, several iPhones, a few MacBooks, and no Blackberries.
Network users should authenticate with their domain credentials, and guests should not have to authenticate (or cancel out of a prompt).
Thanks for any assistance you can provide.

Upgrading to lightweight controllers is a great way to improve scalability of your network. They provide a single point of configuration for your APs and allow for Radio Resource Management, which dynamically adjusts your radios for optimum performance.
WLCs also allow for web authentication to the network, allowing them to simply agree to a disclosure or requiring that they submit a key provided for access. Normally, one doesn't worry about encrypting guest traffic, and keys (WPA or otherwise) are simply meant to restrict who can join. If you just want people to be able to join without a key for ease of management, then you'll be allowing anyone to connect who can receive a signal. Some people don't care about that, others do; it's a business decision to make.
As for security, consider upgrading to PEAP for ease of management. You do need to deploy a certificate to the machine, but that beats out having to update every single client if the WPA-PSK password needs to be changed for security purposes.
I hope that helps!
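
The guest VLAN in the question depends on ACLs to keep guest traffic away from the rest of the network. As an added example (not part of the original thread), this Python script evaluates an IOS-style extended ACL with first-match semantics and lists the internal flows a guest address is still permitted to reach; the ACL text, subnets, host addresses and probe ports are all constructed assumptions.

```python
import ipaddress

# Constructed sample ACLs for a guest VLAN on 192.168.50.0/24 (not from the thread).
BROKEN_ACL = """
remark catch-all permit sits above the deny, so the deny is never reached
permit udp any any eq 67
permit ip any any
deny ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

FIXED_ACL = """
remark DHCP and one DNS server allowed, internal range denied, then Internet
permit udp any any eq 67
permit udp 192.168.50.0 0.0.0.255 host 10.0.0.53 eq 53
deny ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip any any
"""

# Probe flows tried against every internal host (assumed, adjust to taste).
PROBES = (("tcp", 445), ("tcp", 3389), ("udp", 53), ("icmp", None))

def _addr(tokens):
    """Consume one address spec and return (base, wildcard) as integers."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    wildcard = tokens.pop(0)
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(wildcard))

def parse_acl(text):
    """Parse 'permit|deny proto src dst [eq port]' lines; remarks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _match(spec, ip):
    # Wildcard bits set to 1 are "don't care", as in IOS wildcard masks.
    base, wild = spec
    return (int(ip) | wild) == (base | wild)

def evaluate(rules, proto, src, dst, port=None):
    """Return (action, rule number); first match wins, else implicit deny."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for number, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules, 1):
        if r_proto not in ("ip", proto):
            continue
        if r_port is not None and r_port != port:
            continue
        if _match(r_src, src) and _match(r_dst, dst):
            return action, number
    return "deny", None

def guest_leaks(rules, guest_ip, internal_hosts, exceptions=()):
    """List (proto, host, port, rule) flows to internal hosts that are permitted."""
    leaks = []
    for host in internal_hosts:
        for proto, port in PROBES:
            if (proto, host, port) in exceptions:
                continue  # intentionally allowed service, e.g. guest DNS
            action, number = evaluate(rules, proto, guest_ip, host, port)
            if action == "permit":
                leaks.append((proto, host, port, number))
    return leaks

if __name__ == "__main__":
    allowed = {("udp", "10.0.0.53", 53)}
    for name, text in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        found = guest_leaks(parse_acl(text), "192.168.50.23",
                            ["10.0.0.10", "10.0.0.53"], allowed)
        print(name, found)
```

The probes are a sample, so an empty result shows only that the tested flows are blocked, not that every internal address is.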

Similar Messages

  • WLAN Design Question

    Hi all,
    I'm looking for some advice on WLAN design best practices.
    I'm "overhauling" my company's current wireless infrastructure and I'm a little unsure how to implement the following "scenario":
    I would like to segment the WLAN into 6 separate blocks (same SSID) each with the capacity to support 100 users. I have 7 subnets (1 spare) in the 10.201.x.x /24 range and have configured the wireless controller (5508) in LAG mode for redundancy.
    My preference would be to use a separate VLAN for each address block (which also represents a physical location) but I would also appreciate more experienced suggestions.
    Thanks guys.   

    Interface group is bundling subnets together. If you want a location to be designated for a vlan then AP Groups is what you need. If you require multiple subnets for a location or other locations, then you still need AP Groups but you need to create Interface groups.
    Example
    Site 1
    AP Group Site1
    WLAN 1 vlan 101
    WLAN 2 vlan 102
    Site 2
    AP Group Site2
    WLAN 1 vlan 201
    WLAN 2 vlan 202
    Site 3
    AP Group Site3
    WLAN 1 vlan 301
    WLAN 2 vlan 302,303 <- interface Group

  • WLAN Design w/ LWAPP

    I am working on WLAN design that spans single floor of a building with two data closets, an east and a west side.
    On each side of the building we are going to plug in LWAPP AP's, 1100 series, into our Cat 4500's. In the data center, we are going to use the 4402 WLC to control these APs.
    Requirements:
    1) One set of users will need to access the internal LAN.
    2) Guest users will be granted only Internet access.
    3) We cannot trunk the same VLANs to each of the APs, since we are isolating each switch from the rest of the network in case of an outage.
    I was thinking that we set up a WLAN with two SSIDs (SSID 1 for internal users and SSID 2 for guest users). We then tunnel the users in SSID 2 out to our firewall via an IPSec tunnel. SSID 1 users will be dumped at the WLC and allowed access to internal resources.
    How would you go about accomplishing this?

    All I did was create VLANs for each specific WLAN and trunk them to the WLC. At the WLC, I created WLAN interfaces that were in the same subnet as the VLANs on the switch. I then created a DHCP scope that leased out to each of the WLANs and went from there. Since we are dual homed with the WLC, I have VLAN interfaces that are HSRPed between one another and the DHCP scope default gateway is the HSRP address. (On a side note, I have a guest WLAN but I cannot seem to get their ACL's to work properly in order to prevent access to the LAN.)
    Search for Cisco 440X Series Wireless LAN Controllers on Cisco.com and hit the first link that pulls up...the downloadable file should be dep.pdf
    Check that deployment guide out and let me know if you have questions. Feel free to hit me up at [email protected] and we'll take it offline.
    Stevan

  • WLAN design wireless location appliance

    Hi
    We are planning to implement a wireless network with Cisco LWAP 1240AG AP's with Cisco AIR-ANT4941 antenna.
    I understand that you should have AP's around the inside edge of the building spaced between 8-10 metres depending on the survey and then work inward with omni-directional antennas like the AIR-ANT4941.
    Should the AP's around the edge have directional antennas rather than the 4941?
    Mark

    Hi Mark,
    Channel 1, 6, and 11 are just about as non-overlapping as 1, 7, and 13. There's an insignificant amount of overlap, so it's just as plausible of a solution, even in Europe. I honestly don't know why you wouldn't use the extra channels to eliminate the minor overlap - every bit helps.
    The "channel blanket" or "virtual cell" WLAN design philosophy is rapidly spreading. Cisco maintains that it's a standards violation and I've heard no talk of them purchasing the not-to-be-named company or of them adopting the same design philosophy. I sincerely hope that they do one of the two soon, however, because it's very good design that's difficult for Cisco to compete against.

  • Can WLAN designed using Bluetooth antenna

    Can WLAN be designed using Bluetooth on Bluetooth enabled mobiles (and no Wifi).  As Bluetooth and Wifi access same frequency for communication, is there any chance to use the antenna designed for Bluetooth be used for WLAN. 

    A simple no!

  • Guest wlan design questions

    I need to setup a guest wlan on a single 5508 controller. Currently all of my ap's are in h-reap mode and all in remote buildings connected via a high speed wireless wan.
    The guest network could consist of 500 users in the near future, so I'm wondering what is the best way to configure the guest wlan so I don't have one big broadcast domain across my entire network?

    Ok. I already have my ap's in ap groups (per building) and I have different vlans in each building with the same ssid company wide. I'm doing this via h-reap.
    My question is how do I accomplish the same thing with the guest wlan, but without h-reap. Or do i use h-reap and just setup acl's to block the traffic? But then does web authentication work the same?
    The confusion for me comes in at the controller level with the guest-wlan interface I created having to be attached to a vlan. Is this not needed to do web authentication?
    Thanks,
    Dan.

  • WLAN design for 7920 phone

    If I currently have an 802.11g network that has been optimized to support data devices at 36 Mb/s or higher (i.e., AP cells a little closer to maintain higher speeds) and I now want to add 7920 wireless phone support, do I have to re-do my site survey to optimize the WLAN speed for 11 Mb/s by spacing my APs further apart so that channels using the same frequency do not interfere with each other?
    Thanks

    With 802.11g radio, would want to set 11mbps to the basic rate and only enable 18-54 or whatever higher rates you want enabled.
    Enabling lower rates will extend the cell and vice versa will reduce the cell.
    So probably a good idea to re-check the coverage, noise, signal to noise ratios.

  • Cisco 3650 Converged LAN/WLAN Design: Radius Authentication configuration example needed

    Hello Cisco-Experts,
    one of our customers would like to deploy Cisco3650-switches with integrated WLC-functionality.
    The platform is new to me and I have started to configure some basic settings.
    Unfortunately I cannot find information on how to implement 802.1x Radius authentication.
    Do You know, where I can find detail information or an example how to implement this ?
    Thank You
    Wini

    Hello Rasika,
    thank You very much for link to Your 802.1x authentication configuration
    on similar 3850 platform.
    Very useful stuff.
    Is it possible to setup the Radius -Server function on the switch itself ?
    I'm asking because I would like to test the setup in our office before rollout to customer.
    Kind regards
    Wini

  • WLAN design Questions

    I am using the AP1200 (12.0t1 img) and I have been having issues regarding the root AP and repeater AP's communicating.
    1.) I have made sure the VLAN info is correct on all AP's
    2.) Verified the SSID is correct and selected to SSID 0.
    I think I might have missed something??

    Check your channel assignments.
    Make sure they are on the same channel (repeaters match the AP).
    Good Luck
    Scott

  • Help with larger sized voice wlan.... design considerations.... tips...etc...

    Hi Everyone,
         I'm hoping that you guys and gals can help me with an ongoing problem that we have at one of our sites. We're working on areas of the location due to its size and phone load. We have an area, that I will refer to as building A, that is roughly a square that is 240' x 240'. The inside of the building has some pallets inside for storage (they allow RF to penetrate through them) and also some metal production lines. There is also a mezzanine / elevated area in the middle that the users can walk under. It's not very large, but it would affect a phone if you walked underneath it while making a call. So, now that I have a brief description of the environment, I will tell you the equipment I'm running...
    1 x 4402 50AP Wireless Controller with 6.0.199.3 (MR3) installed.
    We currently have nine AP's installed in this area, with 4 up front so that way they cover the office areas better. Most are 1231G's, but some are 1242's.
    Since we do not have A radios everywhere (budgetary decision) we are running all of these phones on 2.4Ghz (Yikes! I know!)
    The 7920's use LEAP and the 7921's use PEAP MS-CHAP v2 with CCKM enabled on the controller.
    I also have 802.1p wired QoS enabled for the voice QoS profile and it is applied to our voice WLAN.
    We have conference rooms in the front area that will need to support roughly 20-30 maximum mixed 7920 and 7921G phones in a roughly small area. (Yikes! I know!)
    We also have a 2106 with mesh .54M installed, but it is for outdoor AP's and should not be affecting this area.
    So, I guess my questions are....
    Has anyone ever operated the 7920 and 7921G's in mixed mode?
    I'm thinking about separating the 7920s on 2.4 and tell the 7921's to prefer the A band or just use A. This will require A radios / surgery, but we've dealt with different code trains, TAC configs, and even added a few more radios. I think it's time to say we need to redesign this area. It doesn't help that phones keep getting purchased either....
    What rule of thumb would you guys / gals say would be appropriate for this phone count in terms of the number of AP's I should use?
    Since we're dealing with two different phone models, it makes it hard to simply just read the deployment guide. I know these phones can coexist, I just think we're running into over capacity and problems with 802.11B in the mix. In the conf room right now, there are most likely signals from at least two AP's. This doesn't seem like enough bandwidth for just the 2.4 Ghz range when 20 - 30 phones are in there. Not all of them are calling, but the associations / mgmt traffic alone must be horrendous since the phones are 802.11B
    We are going to do a manual survey with a 1242 since that AP will support both phone models. I think we may need to survey twice if we're going to go this route; One survey for the 7920's on 2.4Ghz with a 1242AG and one survey on 5Ghz with a 7921G. I think that will provide the info we need to get the AP's repositioned where they need to be.
    What kind of power levels should I be using in an area like that? We've originally had a survey at 50mW, but since then we turned the power down to pwr lvl 3 in some spots due to the additional AP's. I've seen references of roughly 1 AP per 3000 sq. ft at pwr level 4, but that seems overkill. 
    Can we run mixed power levels on AP's with the phones? Or will that cause one way audio due to the transmit power differences in the cells?
    I'm thinking that we should pick a power level, survey the -67 cell size at the power level, add more AP's so that way they are overlapped 15-20%, and then actually implement the design. I'm pretty good at getting decent channel assignments in place. I know of non-overlapping channels, RRM, etc. I also have an AirMagnet laptop with an Aironet Adapter. It is good for finding noise, interference, etc...
    I understand this is practically a book, but at this point, we've been trying a LOT of different things in order to get this to work properly. I think it's finally time for me to "strongly suggest" that we do the following...
    1. Choose ONE phone model.
    2. Choose ONE AP model.
    3. Make sure to implement the 5Ghz band for all AP's so we have complete coverage.
    4. Choose ONE power level for each band. This will affect the coverage and placement of AP's. I'd imagine that we'd need to survey with A first, and then survey with b/g. Typically we can use the 1242 and get about the same cell size on both bands, but 5Ghz is a higher frequency and may not penetrate as much as 2.4 Ghz..
    5. Come up with a new coverage map based on a manual site survey with the phones mentioned above.
    6. Implement the design.
    7. Use it.
    8. Try not to have a heart attack when the system actually supports that many phones in that area...
    So, please, let me know your thoughts and if you have any suggestions. It would be greatly appreciated. We've been slowly working out the gremlins in the phones there over the past few years. I'm more of a data wireless person myself, but I do have good luck with a low to moderate phone count (usually no more than 7 calls per AP). Once we start doing craziness like trying to get 20-30 802.11B phones to work in the same area on only one or two AP's, then things start to become a challenge, especially when we don't have the 5Ghz cells to help with the bandwidth requirements for voice....
    Thank you for your time,
    Craig 

    There's a pretty recent (last few months) Voice over Wlan design guide published (was published for the 9971 phones - but all great advice) and it recommends just about all the settings required for an off the shelf wireless voice network.
    http://www.ciscosystems.com/en/US/docs/voice_ip_comm/cuipph/9971_9951_8961/7_1_3/english/deployment/guide/9971dply.pdf

  • Wireless Design - Best Practices for Data, Voice, and LBS

    Hi,
    I am currently in the process of designing a WLAN for a new hospital and I am getting some push back from my sales team.  The requirements of the WLAN are data, voice, and location based services (RFID for medical equipment) ... needs to be 2.4 GHz for Guest and some apps/clients but primarily 5 GHz for most of the clients ... lastly needs to be N compatible for future use.
    So, I did a predictive design with 1252's on the perimeter with 2.4 and 5 GHz patch antennas and 1142's in the middle to fill gaps ... I also scoped out 2 5508 for redundancy .... total design with -65 at my edges was 169.  However, this is getting push back because of several cost issues ....
    1. The bundle that Cisco offers for 5 100 AP license 5508 WLC is cheaper than buying 2 250 AP licenses WLC's ... which doesn't make any sense to me because I think 5 devices is over kill
    2. The sales engineer is concerned about the power issues with the 1252's ... customer would rather not use power injectors ... and although they would have 6500's at their core ... they would only have basic switches in their IDF's so I wasn't sure which POE Switches would be able to handle 1252 but cost was an issue there as well
    So, for my understanding when you are doing a WLAN design for LBS it's always best to have APs or antennas on the perimeter for better triangulation ... it makes more sense to me to do that with patch instead of Omni's ... however my sales engineer wants to use all 1142's ... so my question is what are the pro and cons behind using all Omni's or using Patch and Omni's?
    Furthermore, if anyone has any documentation supporting why I would not use all Omni's that would be great because all the articles I have read on LBS just state that placement of APs is critical but don't give any specifics on whether it's a good practice to place them on the perimeter using a specific type of antenna or what.
    Thanks in advance for your help and any ideas about this design!!!

    1.  The 5508 is expensive because it's a lot faster than the 4400 plus there are some features exclusive to the 5508 such as OfficeExtend.  As the old network design adage goes:  Your design can be done correctly, cheap or fast.  Choose two.
    2.  The 1250 requires 19.5w of power to enable FULL MCS rates to both radios.  Only the 3560E, 3750E or the Sup720 is capable of supporting that.  Upgrading the IOS of the 1250 to 12.4(10b)JDA3 will allow the AP to operate both radios at 15.4w BUT at lower MCS rates.  Correct placement of the AP and the correct use of the antennas will also help in the signal distribution.
    3.  Patch antennas are mostly directional.  The 1140 is omni-directional BUT the signal strength is not as powerful as the 1250 at full power.  The AIR-ANT2451NV is an omni-directional patch designed for the 1250.
    Cisco Aironet Antennas and Accessories Reference Guide
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008008883b.html
    Cisco Aironet 2.4 GHz and 5 GHz Antennas and Accessories
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/product_data_sheet09186a008022b11b.html
    Some of the new patch antennas for the 1250
    Cisco Aironet Dual Band MIMO Low Profile Ceiling Mount Antenna (AIR-ANT2451NV-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2451nv.pdf
    Cisco Aironet Very Short 5-GHz Omnidirectional Antenna (AIR-ANT5135SDW-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant5135sdw.pdf
    Cisco Aironet Very Short 2.4-GHz Omnidirectional Antenna (AIR-ANT2422SDW-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2422sdw.pdf
    Cisco Aironet 5-dBi Diversity Omnidirectional Antenna (AIR-ANT2452V-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2452v.pdf
    Cisco Aironet 5-GHz MIMO Wall-Mounted Omnidirectional Antenna (AIR-ANT5140NV-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant5140nv.pdf
    Cisco Aironet 5-GHz MIMO 6-dBi Patch Antenna (AIR-ANT5160NP-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant5160np.pdf
    Cisco Aironet 2.4-GHz MIMO Wall-Mounted Omnidirectional Antenna (AIR-ANT2450NV-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2450nv.pdf
    Cisco Aironet 2.4-GHz MIMO 6-dBi Patch Antenna (AIR-ANT2460NP-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2460np.pdf

  • Voice WLAN - HREAP

    Hi to all,
    I'm implementing a WLC2106 for a small Voice WLAN environment using all the Blueprint settings defined in the CCO documents ("Voice WLAN designing" and "Cisco 7921 Implementation Guide..").
    In these documents the Voice WLAN configuration examples are always set up using the WLAN as Local Authentication and Local Switching without mentioning if the use of H-REAP will also be fine!
    Since on my WLC I also have to set up a Data WLAN which will use H-REAP, I would like to know if H-REAP also works fine when configured on Voice WLANs? Or should I use it only for Data WLANs?
    Tnx for the feedback
    Omar

    Hi to all,
    thanks for your info...I've rechecked again and again the WLC configuration regarding the 11a radio configuration and all is fine...
    The WLC OS and Phone FW are the same as you mentioned above...
    I've done a Site Survey using the 7921G and two other IP phones (another 7921G and a 7925G) and all were experiencing random disconnections from the Wireless LAN...the 7925 had the best behaviour since it had been disconnected only a couple of times...the 7921G not...
    On the Site-Survey we've seen that the 7921G had seen 2 out of 3 APs...sometimes all three, the 7925G had always seen all 3 APs...
    the strange thing is that the 7921G Site-Survey has informed me that Proxy-ARP is not supported...but from WLC Release 5.0 Proxy-ARP is enabled by default and you can't disable it...moreover the disconnections are happening less when there is an active call on the phone..
    I'm starting to think that these random disconnections are related to external interference...
    Omar

  • WLAN Controller and Location appliance graceful shutdown?

    Does anyone know if there is a supported graceful shutdown method/command for the
    4400 series WLAN Controller and 2700 Location Appliances?
    This weekend our server room will be undergoing maintenance and will experience a total power outage for a 4 hour period.  It is our intent to manually bring all equipment down (hopefully in a graceful manner) and then back up once the maintenance is completed.  As a result does anyone know if special precaution is needed to shutdown these 2 appliances, or can we simply bring down these devices hard which is the case with most other Cisco equipment?
    Thanks in advance


  • Wireless AP RF settings

    I need information about setting up an Aironet AP 1240. It seems that the configuration at RF setting does not seem to be at its peak. We use only the protocols 802.11 b\g and the speed is at 54 Mbps. My question is, what configuration should be used to provide the highest possible coverage? I am aware that the various metallic structures that make up the building structure detrimental to the efficient propagation of waves but even directly under the access point I just receive a signal whose signal\noise is -25dbm.
    Thanks.

    54 Mbps is the fastest possible speed in the 802.11g standard. If you want a faster nominal rate you'll have to install an 802.11n access point.
    WLAN design involves tradeoffs between speed and range. If you want the most possible throughput, you have to disable the slower data rates, which means your range will be reduced. If you want the maximum possible range, you have to allow slower connections which means less throughput for everyone.
    If you're having noise problems due to multipath (metal structures), an 802.11n solution will solve a lot of problems. 802.11n uses multipath to improve its performance, unlike b/g/a which degrade in a multipath environment. If that's not an option, then make sure your APs are mounted at least 1 wavelength (2 preferably) away from any metal, and test all channels to see which gives you the best performance.

  • Best Outdoors WAPs for a High School Football Field?

    Ubiquiti is my choice if you don't need any advanced features.  How many APs depends on how big the seating area is and how many people you expect to connect.  I'm also under the assumption the bleachers are metal, so you need to make sure you take that into your WLAN design.

    What access points do you recommend for an outdoors situation? We want to provide Wi-Fi to spectators at a high school football field. The seating area is restricted to a single location. Two to three APs will cover the area.
    The initial purchasing price and on-going costs are of concern. We would prefer not to have  recurring costs when it comes to the access points.
    We have looked at Meraki, Ubiquiti, Aerohive. Which ones would you recommend?
    This topic first appeared in the Spiceworks Community
