Wireless Local Area Networks - Design and Implementation

Today we have 802.11n wireless networks with data rates of up to 150 Mbps, yet we still rarely see wireless implementations as an alternative to wired LANs. Why? Is it because wireless networks are unreliable? Or is it because of the data rates?

Maybe it is because many organisations already have a wired LAN infrastructure in place and are unwilling to invest in wireless LANs. But what if you want to expand your local area network? Would it not be cheaper to expand using wireless LANs? Whichever the case, in this book I try to give an insight into designing and implementing a wireless LAN. This was done as an assignment when I was at university three years ago, so the devices and prices may have changed.

Chapter 1 - Rationale

The company has two buildings, separated by 500 metres of open space. Both have the same architecture: five floors, each building 100 metres wide.

The fourth floor is an open-plan area and the top floor incorporates an atrium. The ground, second and third floors are partitioned into four equal segments, and the second and third floors are reserved for training courses.

Each training room has 20 terminals, making 80 per floor and 160 across the second and third floors. The fourth and fifth floors have 20 guest terminals each, 40 in total, and the ground floor houses 20 terminals for administrative and training staff. In total there are 220 terminals in each building.

In addition to these wired terminals, the fourth and fifth floors require wireless access: for guests, with internet and intranet web access only, and for company employees, who have access to the internal systems.

Conference delegates are offered video-on-demand presentations of the conferences and training sessions over both the wired and wireless networks.

The two buildings are referred to as building A and building B in the rest of this document.

1.1 Assumptions

  • There will be a maximum of 100 guests or conference delegates, who gain access through the 40 terminals on the fourth and fifth floors and through wireless access. It is therefore assumed that there will be no more than 80 wireless guests at any time.
  • Since the number of employees who will use wireless is not given, it is assumed that there will be no more than 80 wireless employees at any time.
  • The server farm is located on the ground floor of each building, and the server segments of the two buildings' LANs are required to be connected.
  • The two new buildings have no wiring limitations, and there are no nearby WLANs bridging other buildings.
  • All servers, including the DHCP servers, are bought and configured by the company IT team.
  • The internet link is leased and managed by the company IT team, with sufficient bandwidth for video-on-demand and internet access.
  • Cable runs are assumed not to exceed the 100 m Ethernet maximum, so repeaters are not needed.

Chapter 2 - Network Design

To serve the 220 terminals and the wireless users in a building, eight switches are used. All of them provide Fast Ethernet (100 Mbps) access ports with additional Gigabit Ethernet (1000 Mbps) uplink ports, giving a 100 Mbps access layer with a 1000 Mbps backbone.

As shown in Figure 2-1, these switches are cascaded where needed and connected to the router RT_DIST.

 

Figure 2-1: Backbone Network

The router RT_DIST routes between the logical LAN segments and the internet link, and is the point where traffic between segments is controlled.

All servers are connected to the switch SW_SVR, which connects to RT_DIST through its 1000 Mbps uplink. Figure 2-2 shows the server farm design. SW_SVR is also connected to the access point WBR, mounted on the roof with a Cisco 13.5 dBi Yagi antenna and configured as a bridge, which joins the server segments of the two buildings.

The servers are allocated IP addresses from 10.0.0.0/8. For easy administration, servers in building A use 10.0.1.1 to 10.0.1.252 and servers in building B use 10.0.2.1 to 10.0.2.252, all with the /8 mask. The WBR bridging access points are allocated 10.0.1.253/8 and 10.0.2.253/8. Note that with a /8 mask the two server farms form one flat broadcast domain that spans the wireless bridge.

 

Figure 2-2: Server Farm

All 20 ground-floor terminals are connected to the switch SW_GND, which is connected to the switch SW_EMP on the fourth floor; SW_EMP connects the wireless access points that serve company employees only. This connectivity is shown in Figure 2-1, and Figure 2-3 shows the ground-floor network design.

A DHCP server connected to SW_GND assigns addresses to employees (including wireless clients) from 192.168.1.0/24 in building A and 192.168.11.0/24 in building B.

The second and third floors share the same design, shown in Figures 2-4 and 2-5. On the second floor the terminals are connected to SW_2ND1 and SW_2ND2, which are linked by 1000 Mbps uplinks. A DHCP server connected to SW_2ND1 assigns addresses to the classroom terminals on both floors from 192.168.2.0/24 in building A and 192.168.12.0/24 in building B.

The third-floor classroom terminals are connected to SW_3RD1 and SW_3RD2, which are linked by 1000 Mbps uplinks. SW_3RD1 is in turn connected to SW_2ND2 by a 1000 Mbps uplink.

 

Figure 2-3: Ground Floor

Figure 2-4: 2nd Floor

Figure 2-5: 3rd Floor

The 40 guest terminals on the fourth and fifth floors are connected to the switch SW_OPEN_48. A DHCP server connected to SW_OPEN_48 assigns addresses to the 40 guest terminals and the wireless guests from 192.168.4.0/24 in building A and 192.168.14.0/24 in building B.

To provide wireless access to both guests and employees, the fourth floor has 3 access points configured for guest access and 3 configured with WEP for employee access, and the fifth floor has 4 guest access points and 4 WEP-protected employee access points.

On the fourth floor all but two access points are ceiling-mounted with Cisco 2.2 dBi ceiling-mount diversity patch antennas; the remaining two are mounted on the west wall with Cisco 8.5 dBi patch antennas.

The fifth-floor access points are wall-mounted, with Cisco 8.5 dBi patch antennas on the east and west walls and Cisco 6 dBi diversity patch antennas on the north and south walls.

Figure 2-6 shows the fourth-floor design and Figure 2-7 the fifth-floor design. Figures 2-8 and 2-9 show the wireless coverage of the fourth and fifth floors respectively.

 

Figure 2-6: 4th Floor

Figure 2-7: 5th Floor

Figure 2-8: 4th Floor - Access Point Coverage

Figure 2-9: 5th Floor - Access Point Coverage

All access points on the fourth and fifth floors are configured to operate as both 802.11a and 802.11g, with the lower data rates blocked (everything below 11 Mbps on 802.11g and the 6 Mbps rate on 802.11a; see the scripts in Chapter 3).

As shown in Figure 2-8, fourth-floor coverage uses the three non-overlapping 2.4 GHz channels. On the fifth floor (Figure 2-9), the north- and south-wall access points share one channel, and the east- and west-wall access points use the other two non-overlapping channels. Since the 2.4 GHz band offers only three non-overlapping channels (1, 6 and 11) and each floor carries both guest and employee access points, the pairs that share a channel must be placed far enough apart not to interfere.

All access points are powered over Ethernet.

 

2.1 Costs

Table 2.1-1 lists the networking equipment, models, quantities and costs for a single building; the price column is the line total for the quantity shown.

Name           Equipment/Part                                        Qty     Price
-----------------------------------------------------------------------------------
RT_DIST        Cisco 3745                                              1    £5,854
SW_SVR         Cisco Catalyst 2950T-24                                 1      £457
SW_GND         Cisco Catalyst 2950T-24                                 1      £457
SW_2NDX        Cisco Catalyst 2960-48TT-L                              2    £1,474
SW_3RDX        Cisco Catalyst 2960-48TT-L                              2    £1,474
SW_OPEN_48     Cisco Catalyst 2960-48TT-L                              1      £737
SW_EMP         Cisco Catalyst 2950T-24                                 1      £457
WBR            Cisco Aironet 1242AG                                    1      £264
Access Points  Cisco Aironet 1242AG                                   14    £3,696
               Cisco 2.2 dBi Ceiling Mount Diversity Patch Antenna     4      £392
               Cisco 8.5 dBi Patch Antenna                             6      £498
               Cisco 6 dBi Diversity Patch Antenna                     4      £300
               Cisco 13.5 dBi Yagi Mast Mount                          1      £125
               Lightning Arrestor                                      1       £74
               24 Way Cat5e Patch Panel (rear cable managed)          16      £672
               45u Universal Open Rack                                 1      £230
               15u 540mm Deep Boss Cabinet                             3      £596
               Cat5e cable (305m box)                                  5      £235
               RJ45 UTP Cat5e 8 Way Plug (100 pack)                    8       £88
               RJ45 Strain Relief Boots (100 pack)                     8       £92
-----------------------------------------------------------------------------------
Total                                                                     £18,172

Table 2.1-1

Chapter 3 - Configuration Scripts

This chapter lists all the configuration scripts for the Cisco equipment.

3.1 Guest access points

Configuration script for the guest access points:

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1200_GUEST
!
enable secret 5 $1$z3QP$sjhCnlQOlQCnpHcwVRSGu0
!
ip subnet-zero
ip name-server 10.1.1.3
!
!
no aaa new-model
!
dot11 ssid Guest
   authentication open
   guest-mode
!
!
!
username Cisco password 7 072C285F4D06
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid Guest
!
speed basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2427
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
ssid Guest
!
speed 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.4.100 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.4.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
contr...
1 route ip
!
!
!
line con 0
transport preferred all
transport output all
line vty 0 4
login local
transport preferred all
transport input all
transport output all
line vty 5 15
login
transport preferred all
transport input all
transport output all
!
end

 

Guest access points are configured with open authentication and no encryption. Both the 802.11a and 802.11g radios are enabled with the SSID 'Guest', and the 802.11g radio's channel is fixed so that neighbouring access points do not interfere. Conference delegates can therefore connect without any hassle, and the DHCP server connected to SW_OPEN_48 provides addressing for the wireless guests.

Two points a reviewer should note. First, 2427 MHz is channel 4, which overlaps both channel 1 and channel 6; the only mutually non-overlapping channels in the 2.4 GHz band are 1, 6 and 11, so the per-access-point channel plan must be checked against Figure 2-8. Second, the management interface BVI1 (192.168.4.100) sits in the guest subnet, the web UI is plaintext HTTP only ('ip http server' with 'no ip http secure-server'), the vty lines accept telnet ('transport input all'), and the only local account is 'username Cisco' with a type 7 password, which is reversible. Any guest can therefore reach the access point's management plane; the credentials must be changed and management restricted to an administrative network before deployment.

The lower data rates are disabled on both radios (6 Mbps on 802.11a, and everything below 11 Mbps on 802.11g), which prevents a distant, low-rate client from associating and becoming a bottleneck for the whole cell.

3.2 Employee access points

Configuration script for the employee access points:

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1200_EMP
!
enable secret 5 $1$Ep//$s41KXpGpr63yh38CTfb9h/
!
ip subnet-zero
ip domain name fwl.com
!
!
no aaa new-model
!
dot11 ssid EMP
   authentication open
   guest-mode
!
!
!
username Cisco password 7 047802150C2E
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 40bit 7 A24CE13E0AEB transmit-key
encryption mode wep mandatory
!
ssid EMP
!
speed basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption key 1 size 40bit 7 33242F7756FC transmit-key
encryption mode wep mandatory
!
ssid EMP
!
speed basic-9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.1.200 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
contr...
1 route ip
!
!
!
line con 0
transport preferred all
transport output all
line vty 0 4
login local
transport preferred all
transport input all
transport output all
line vty 5 15
login
transport preferred all
transport input all
transport output all
!
end

 

The access points serving employees are configured with open authentication and 40-bit static WEP, so wireless clients must be pre-configured with the WEP key. Open authentication with mandatory WEP is the better of the two WEP modes (shared-key authentication exposes a plaintext/ciphertext pair to anyone listening), but static 40-bit WEP itself can be recovered by passive capture and is no real protection for the employee segment; see Chapter 4.

Both the 802.11a and 802.11g radios are enabled with the SSID 'EMP', with the lower data rates disabled as for the guest access points. The 802.11g radio's channel is fixed (2412 MHz, channel 1) so that overlapping channels do not interfere. The DHCP server connected to SW_GND provides addressing. The management plane has the same weaknesses as the guest access points: BVI1 (192.168.1.200) is on the employee subnet with plaintext HTTP, telnet and a type 7 local password.
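The management-plane and radio weaknesses noted for both the guest and the employee access points can be checked mechanically. The following Python script is an added example, not part of the original design and not a Cisco tool: it parses an IOS-style configuration, flags unencrypted and WEP radios, plaintext HTTP and telnet management, and reverses any type 7 password it finds (Cisco's type 7 scheme is a well-known repeating-key XOR, so 'service password-encryption' hides passwords from shoulder-surfing only). The sample configuration embedded in it is excerpted from section 3.1; the audit rules and the block-parsing heuristics are the example's own, and it makes no assumption about how the WEP key fields are encoded.

```python
"""Audit an Aironet/IOS configuration for weak radio and management settings.

Added example for this page, not Cisco code.  The only algorithm taken from
elsewhere is Cisco's type 7 password obfuscation, which is public knowledge.
"""
import re

# Well-known Cisco type 7 XOR key.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Top-level keywords that terminate an interface block in the page's scripts
# (they are not indented, so indentation cannot be used).
_TOP_LEVEL = ("interface ", "ip default-gateway", "ip http", "line ", "end",
              "contr", "access-list", "ip classless")

# Excerpt of the guest access point script from section 3.1, trimmed to the
# lines the audit looks at.
GUEST_AP_CONFIG = """\
hostname 1200_GUEST
no aaa new-model
dot11 ssid Guest
   authentication open
   guest-mode
username Cisco password 7 072C285F4D06
interface Dot11Radio0
no ip address
!
ssid Guest
!
speed basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2427
station-role root
bridge-group 1
!
interface Dot11Radio1
no ip address
!
ssid Guest
!
station-role root
bridge-group 1
!
interface BVI1
ip address 192.168.4.100 255.255.255.0
!
ip default-gateway 192.168.4.254
ip http server
no ip http secure-server
line vty 0 4
login local
transport input all
end
"""


def decode_type7(blob: str):
    """Reverse a Cisco type 7 string: two decimal seed digits, then hex pairs
    XORed with the key starting at that seed.  Returns None for anything not
    in that shape (e.g. the page's WEP key fields, whose encoding this example
    does not assume)."""
    if len(blob) < 4 or len(blob) % 2 or not blob[:2].isdigit():
        return None
    try:
        seed, data = int(blob[:2]), bytes.fromhex(blob[2:])
    except ValueError:
        return None
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii") if plain.isascii() else None


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped lines]} for every interface block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(_TOP_LEVEL):
            current = None
        elif current is not None and line and line != "!":
            blocks[current].append(line)
    return blocks


def audit(config: str) -> list:
    """Return human-readable findings for one device configuration."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Dot11Radio") or "shutdown" in lines:
            continue  # wired ports and disabled radios carry no wireless traffic
        ssids = [l.split()[1] for l in lines if l.startswith("ssid ")]
        modes = [l for l in lines if l.startswith("encryption mode")]
        if not modes:
            findings.append(f"{name}: SSID {ssids} is unencrypted (open, no WEP/WPA)")
        elif any(" wep" in l for l in modes):
            findings.append(f"{name}: SSID {ssids} uses static WEP, which is broken")
    if re.search(r"^ip http server$", config, re.M) and \
            re.search(r"^no ip http secure-server$", config, re.M):
        findings.append("management web UI is plaintext HTTP only")
    if re.search(r"^transport input all$", config, re.M):
        findings.append("vty lines accept telnet (transport input all)")
    if re.search(r"^no service password-encryption$", config, re.M):
        findings.append("passwords are stored in clear text")
    for m in re.finditer(r"^username (\S+) password 7 (\S+)$", config, re.M):
        findings.append(f"user {m.group(1)!r} has a type 7 password, "
                        f"recoverable as {decode_type7(m.group(2))!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(GUEST_AP_CONFIG):
        print("-", finding)
```

Run against the guest script it reports both radios as unencrypted, the plaintext web UI, telnet on the vty lines, and recovers the 'username Cisco' password from its type 7 form; the same decoder applied to the type 7 strings in sections 3.2 to 3.4 shows that every access point ships with the same default account.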

3.3 Root bridge

Configuration script for the root bridge:

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1200_A
!
enable secret 5 $1$XX43$dI2rl7kPQG5eedxakEp0H0
!
ip subnet-zero
ip name-server 10.1.1.3
!
!
no aaa new-model
!
dot11 ssid WBR
   authentication open
   guest-mode
!
!
!
username Cisco password 7 02250D480809
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 40bit 7 7205172F11ED transmit-key
encryption mode wep mandatory
!
ssid WBR
!
speed basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root bridge
antenna receive right
antenna transmit right
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
encryption key 1 size 40bit 7 1FD63DD64C3C transmit-key
encryption mode wep mandatory
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.0.1.253 255.0.0.0
no ip route-cache
!
ip default-gateway 10.0.1.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
contr...
1 route ip
!
!
!
line con 0
transport preferred all
transport output all
line vty 0 4
login local
transport preferred all
transport input all
transport output all
line vty 5 15
login
transport preferred all
transport input all
transport output all
!
end

 

This access point is configured as the root bridge ('station-role root bridge'). Only the 802.11g radio is enabled, with the SSID 'WBR', open authentication and 40-bit WEP; the 802.11a radio is shut down. Since a single Yagi antenna is connected, only the primary (right) antenna connector is enabled for both transmit and receive. Note that all traffic between the two server segments crosses 500 m of open air protected by static WEP only, and that the script sets no association filter tying the root to the MAC address of the bridge in building B.

 

3.4 Non-Root Bridge

Configuration script for the non-root bridge:

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1200_B
!
enable secret 5 $1$VtNA$MUHDhK1NGJrzNyr60ksfK0
!
ip subnet-zero
ip domain name fwl.com
!
!
no aaa new-model
!
dot11 ssid WBR
   authentication open
   guest-mode
   infrastructure-ssid
!
!
!
username Cisco password 7 062506324F41
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 40bit 7 6E7B167840EB transmit-key
encryption mode wep mandatory
!
ssid WBR
!
parent 1 0015.fa2c.aaf0
speed basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role non-root bridge
antenna receive right
antenna transmit right
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
!
encryption key 1 size 40bit 7 9A1D630A7985 transmit-key
encryption mode wep mandatory
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.0.2.253 255.0.0.0
no ip route-cache
!
ip default-gateway 10.0.2.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
contr...
1 route ip
!
!
!
line con 0
transport preferred all
transport output all
line vty 0 4
login local
transport preferred all
transport input all
transport output all
line vty 5 15
login
transport preferred all
transport input all
transport output all
!
end

 

This access point is configured as a non-root bridge ('station-role non-root bridge') with the root bridge's MAC address set as its parent, so it associates only with the root access point in building A and completes the wireless bridge.

To match the root bridge, only the 802.11g radio is enabled, with the SSID 'WBR' and 40-bit WEP; the same WEP key must be configured at both ends. Since a Yagi antenna is used, only the primary antenna connector is used for transmit and receive.

3.5 Router (RT_DIST)

Configuration script for the router RT_DIST:

!
version 12.2
no service password-encryption
!
hostname RT_DIST
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
shutdown
!
interface Serial2/0
no ip address
shutdown
!
interface Serial3/0
no ip address
shutdown
!
interface GigabitEthernet4/0
ip address 10.0.1.254 255.0.0.0
duplex auto
speed auto
!
interface GigabitEthernet5/0
ip address 192.168.1.254 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet6/0
ip address 192.168.2.254 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet7/0
ip address 192.168.4.254 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
!
ip classless
!
access-list 100 permit tcp 192.168.0.0 0.0.255.255 10.0.0.0 0.0.255.255 eq www
!
!
!
line con 0
line vty 0 4
login
!
!
end

 

The router RT_DIST's interfaces are configured with the addresses given in Chapter 2. Access list 100, applied inbound on the guest interface GigabitEthernet7/0, is meant to allow guests web access only, so that they cannot reach internal servers and resources other than the intranet and internet web. As written it does not achieve that: it permits TCP port 80 from 192.168.0.0/16 to 10.0.0.0/16 (the wildcard 0.0.255.255 is a /16, not the /8 the servers are addressed in; the 10.0.1.x and 10.0.2.x servers happen to fall inside it), and the implicit deny at the end of every IOS access list drops everything else, including DNS and internet-bound web traffic, so guests would get intranet web only. Matching the stated intent needs an explicit permit for DNS and for web to the servers, explicit denies for the rest of the internal ranges, and a final permit for internet traffic. Note also that the router has 'no service password-encryption', and that its vty lines have 'login' configured but no password set, so remote login is refused until one is configured.
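Whether access list 100 really gives guests internet and intranet web only can be checked by evaluating it against representative packets. The following Python script is an added example, not part of the original design: it implements the subset of Cisco extended ACL syntax the page uses (permit/deny, protocol, address with wildcard mask, host, any, eq port) together with the implicit deny, runs the page's ACL and a revised one against constructed guest packets, and shows that the original drops DNS and internet-bound web while the revised list does what the text intends. The revised list is this example's proposal and assumes that 10.1.1.3 is the resolver guests use (the guest access point in section 3.1 points at it), that 203.0.113.10 stands in for any internet host, and that the source is tightened to building A's guest subnet since the list is applied on that interface.

```python
"""Evaluate Cisco extended ACLs against sample packets.

Added example for this page; the matcher is a minimal re-implementation of
IOS first-match semantics, not Cisco code.
"""
import ipaddress

PORT_NAMES = {"www": 80, "domain": 53, "https": 443}

# The page's ACL, from section 3.5.
PAGE_ACL = """
access-list 100 permit tcp 192.168.0.0 0.0.255.255 10.0.0.0 0.0.255.255 eq www
"""

# Revised list matching the stated intent (this example's proposal).
# Assumptions: 10.1.1.3 is the resolver guests use; the list is applied
# inbound on building A's guest interface, so only 192.168.4.0/24 may source.
REVISED_ACL = """
access-list 100 permit udp 192.168.4.0 0.0.0.255 host 10.1.1.3 eq domain
access-list 100 permit tcp 192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255 eq www
access-list 100 deny   ip  192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 deny   ip  192.168.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip  192.168.4.0 0.0.0.255 any
"""


def _addr_spec(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((net, mask), rest)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    # Wildcard bits set to 1 are "don't care", so the match mask is its inverse.
    return (net, ~wildcard & 0xFFFFFFFF), tokens[2:]


def parse_acl(text):
    """Return [(action, protocol, src_spec, dst_spec, dst_port)] in list order."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, rest = _addr_spec(t[4:])
        dst, rest = _addr_spec(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, port))
    return entries


def _matches(spec, ip):
    net, mask = spec
    return (ip & mask) == (net & mask)


def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, p, sspec, dspec, port in entries:
        if p not in ("ip", proto):
            continue
        if not (_matches(sspec, s) and _matches(dspec, d)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


# Constructed guest traffic: (description, proto, src, dst, dport).
GUEST_PACKETS = [
    ("intranet web", "tcp", "192.168.4.50", "10.0.1.10", 80),
    ("internet web", "tcp", "192.168.4.50", "203.0.113.10", 80),
    ("DNS lookup", "udp", "192.168.4.50", "10.1.1.3", 53),
    ("SSH to server", "tcp", "192.168.4.50", "10.0.1.10", 22),
    ("employee segment", "tcp", "192.168.4.50", "192.168.1.5", 80),
    ("spoofed source", "tcp", "192.168.1.5", "203.0.113.10", 80),
]


def verdicts(acl_text):
    """Map each sample packet description to permit/deny under the given ACL."""
    acl = parse_acl(acl_text)
    return {desc: evaluate(acl, *pkt) for desc, *pkt in GUEST_PACKETS}


if __name__ == "__main__":
    for label, text in (("page ACL", PAGE_ACL), ("revised ACL", REVISED_ACL)):
        print(label, verdicts(text))
```

Under the page's list only the intranet web packet is permitted; under the revised list DNS, intranet web and internet web pass, while SSH to a server, traffic into the employee segment and a packet with a non-guest source address are all dropped. The order matters: the web permit must precede the blanket deny for 10.0.0.0/8, and the final permit covers only traffic that did not match an internal destination.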

3.6 Switches

The switches need no specific configuration scripts; their default configuration is sufficient. Note that the separation between the guest, employee, classroom and server segments therefore rests on physically separate switches and router interfaces; no VLANs are configured.

Chapter 4 - Critical Evaluation

All guest access is provided through a single switch (SW_OPEN_48), giving the guests a separate logical LAN segment. The design thus isolates guests from company users, which makes it much easier to apply security and control what guests can access.

Wireless access is provided by 14 access points on the fourth and fifth floors, each with 802.11a and 802.11g radios. This gives adequate coverage and maintains performance by not overloading any single access point with too many users.

Lower data rates are disabled on both the 802.11a and 802.11g radios, which prevents a low-rate client from associating and introducing a communication bottleneck.

The server segments of the two buildings are bridged over wireless, which makes it possible to take advantage of distributed computing by locating servers in both buildings.

Providing wireless security with static WEP is not acceptable, since it can be broken easily. Stronger authentication needs a RADIUS server in operation, but due to limited resources the configuration is limited to WEP only.

A Cisco 3745 router performs all packet forwarding at the distribution layer of the LAN, using four Gigabit Ethernet interfaces, and also routes packets for internet connectivity.

Instead of the router, a Gigabit Ethernet switch such as the Cisco Catalyst 4912G could have been used for the distribution layer. A switch would improve performance on a highly congested network, but a router would still be needed for internet access, which means an extra investment. Since this network is for typical usage, a single router for the distribution layer and internet connectivity is acceptable. Another advantage of a router is access to traffic-control features such as access control lists.

The design uses dedicated access points for guest and employee access, 14 in total. Instead of 14, 7 access points could provide both guest and employee access, saving the cost of 7 access points.

If shared access points are used, VLANs should be used to give guests limited access and to keep them apart from employees, and instead of static WEP with open authentication, stronger authentication and encryption (for example EAP with WPA) is desirable. The disadvantage of 7 access points instead of 14 is that each access point carries twice the load.

The design does not restrict what company users may access, as this is not in the specification, but access lists on the router could be used if needed.

The internet link is not configured because no information about the internet connectivity was given, but it can simply be configured on the router RT_DIST.

The design provides adequate bandwidth for video-on-demand, but if the traffic volume is high QoS can be configured to give it priority.

Wireless bridging is provided by Cisco Aironet 1200 access points with 13.5 dBi Yagi antennas. Using access points instead of outdoor bridges saves cost, and since the distance between the buildings is only 500 m the access points give acceptable performance. The bridging access points use the 802.11g radio, and with 13.5 dBi Yagi antennas 54 Mbps data rates should be achievable, giving acceptable connectivity.
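The claim that the 500 m 802.11g bridge with 13.5 dBi Yagis will run at 54 Mbps can be checked with a link budget. The following Python script is an added example, not part of the original design: it computes the free-space path loss and the first Fresnel zone radius from the page's figures (500 m, 2.4 GHz, 13.5 dBi at each end) and a link margin from radio figures the page does not give and which are this example's assumptions (17 dBm transmit power, 1 dB of jumper and lightning-arrestor loss per end, -71 dBm receive sensitivity at 54 Mbps). It also checks the EIRP against the 20 dBm limit that applies to 2.4 GHz in the UK/ETSI domain, since transmit power has to be turned down when a high-gain antenna is fitted.

```python
"""Link budget for the building-to-building 802.11g bridge (sections 3.3 and 3.4).

Added example; the page gives only distance, band and antenna gain, so the
radio figures below are assumptions, not 1242AG data-sheet values.
"""
import math

C = 299_792_458.0               # speed of light, m/s

# From the design.
DISTANCE_M = 500.0
FREQ_HZ = 2.437e9               # 2.4 GHz channel 6 centre, representative of 802.11g
ANTENNA_GAIN_DBI = 13.5         # Cisco 13.5 dBi Yagi at both ends

# Assumed (not on the page).
TX_POWER_DBM = 17.0             # 802.11g transmit power at 54 Mbps
CABLE_LOSS_DB = 1.0             # jumper plus lightning arrestor, per end
RX_SENSITIVITY_54_DBM = -71.0   # receive sensitivity at 54 Mbps
ETSI_EIRP_LIMIT_DBM = 20.0      # 2.4 GHz EIRP limit in the UK/ETSI domain (100 mW)
FADE_MARGIN_DB = 10.0           # rule-of-thumb minimum margin for an outdoor link


def free_space_path_loss_db(distance_m=DISTANCE_M, freq_hz=FREQ_HZ):
    """FSPL = 20 log10(4 pi d f / c): loss between two isotropic antennas."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)


def fresnel_radius_m(distance_m=DISTANCE_M, freq_hz=FREQ_HZ, at_m=None):
    """First Fresnel zone radius at `at_m` along the path (default: midpoint).
    At least 60 % of it should be clear of roofs, parapets and trees."""
    d1 = distance_m / 2 if at_m is None else at_m
    d2 = distance_m - d1
    return math.sqrt((C / freq_hz) * d1 * d2 / distance_m)


def link_budget(tx_power_dbm=TX_POWER_DBM, antenna_gain_dbi=ANTENNA_GAIN_DBI,
                cable_loss_db=CABLE_LOSS_DB, sensitivity_dbm=RX_SENSITIVITY_54_DBM,
                distance_m=DISTANCE_M, freq_hz=FREQ_HZ):
    """Return EIRP, received level and margin against the 54 Mbps sensitivity,
    plus whether the EIRP is legal and the margin meets the fade rule of thumb."""
    eirp = tx_power_dbm - cable_loss_db + antenna_gain_dbi
    rx = (eirp - free_space_path_loss_db(distance_m, freq_hz)
          + antenna_gain_dbi - cable_loss_db)
    margin = rx - sensitivity_dbm
    return {"eirp_dbm": eirp, "rx_dbm": rx, "margin_db": margin,
            "eirp_legal": eirp <= ETSI_EIRP_LIMIT_DBM,
            "margin_ok": margin >= FADE_MARGIN_DB}


def max_legal_tx_power_dbm(antenna_gain_dbi=ANTENNA_GAIN_DBI, cable_loss_db=CABLE_LOSS_DB):
    """Transmit power that keeps EIRP at the regulatory limit with this antenna."""
    return ETSI_EIRP_LIMIT_DBM - antenna_gain_dbi + cable_loss_db


if __name__ == "__main__":
    print(f"FSPL over {DISTANCE_M:.0f} m at {FREQ_HZ / 1e9:.3f} GHz: "
          f"{free_space_path_loss_db():.1f} dB")
    print(f"First Fresnel zone radius at midpoint: {fresnel_radius_m():.2f} m")
    print("With the assumed radio figures:", link_budget())
    legal = max_legal_tx_power_dbm()
    print(f"At the legal {legal:.1f} dBm transmit power:", link_budget(tx_power_dbm=legal))
```

With the assumed figures the path loss is about 94 dB and the margin at 54 Mbps about 19 dB, which supports the page's claim, but the EIRP is then about 29.5 dBm, well above the 2.4 GHz limit. Turning the radio down to the 7.5 dBm that keeps EIRP at 20 dBm leaves a margin of about 9 dB, under the 10 dB rule of thumb, so in practice the link should be expected to fall back below 54 Mbps in rain or fog, or be moved to the 802.11a radio, which the scripts currently shut down and for which different power limits apply. The midpoint Fresnel radius of about 3.9 m is the clearance to keep between the roof-mounted antennas' line of sight and any obstruction.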

All networking devices are mounted in racks and cabinets and cabled through patch panels, giving a neat, manageable and upgradeable design.