Technology Considerations


The selection of a suitable WLAN technology was an easy one. As the world's leader in the manufacture of enterprise-class WLAN equipment, Cisco did not have difficulty in choosing the products to deploy. Cisco did, however, need to define, deploy, and provision a robust end-to-end solution.

Architecture Principles

When considering the architecture of your WLAN, your assessment must encompass many points. This section examines some of the factors that affected the enterprise WLAN deployment at Cisco Systems, as follows:

  • Topology

  • 802.11 wireless networking standards

  • Client-to-AP ratio

  • Signal strength

  • Roaming

  • Radio cell architecture

  • Global naming standards

  • Cisco Aironet access points

  • Cisco Secure Access Control Server (ACS)

Topology

Early in the planning stage, the Cisco IT WLAN Architecture team decided that the WLAN would be a secondary network complementing the existing wired network (that is, a separate "overlay" network). Each large building would use a single Layer 3 domain within each building to help ensure session integrity for wireless devices moving within or between floors. Effectively, each building had a unique wireless subnet, where both the access points and the wireless devices shared IP addresses from a common Class C address pool. However, in line with prudent IP address management, smaller buildings with fewer than 20 or 30 users shared a common VLAN for both wired and wireless devices.

Additionally, at the time of deployment, the Cisco Aironet product line was based solely on a distributed, autonomous access point (or so-called "Intelligent AP") model. Each access point was a unique, managed host with full intelligence and configurability. As such, the current global WLAN is a distributed model with over 3000 intelligent IOS access points in production. Figure 9-1 shows a basic topological diagram of the initial enterprise WLAN. The access points are connected directly to standard Layer 2 switches, and network management is provided by the Wireless LAN Solution Engine (WLSE) and the internally developed Enterprise Management (EMAN) toolset.

Figure 9-1. Basic Topology of the Cisco Enterprise WLAN


In 2000, the architecture standard called for Cisco Aironet 350 Series access points to be connected to the nearest access-layer switch, as shown in Figure 9-2. A separate cable provides console access to each access point to mitigate a loss of network connectivity, a practice that Cisco IT has standardized for all network devices. The console network is used for out-of-band (OOB) network management, configuration, and troubleshooting. Figure 9-2 shows how each access point is connected to the production data network and via a separate cable to the console network.

Figure 9-2. Access Points Connected to Production Data Network and Console Network


Because of ongoing developments in WLAN technologies, Cisco decided to redesign its enterprise wireless network in 2005. This project, known internally as the NexGen WLAN, will feature a combination of autonomous (IOS-based) access points and new centrally managed (LWAPP-based) access points, controlled and managed by WLAN controllers. Further information on the Cisco IT strategy can be found in the section "What the Future Holds" later in this chapter.

Note

Lightweight Access Point Protocol (LWAPP) is a protocol used to allow WLAN controllers to configure, manage, and control access points in the Cisco Centralized WLAN Solution. LWAPP introduces a split MAC, which allows real-time frame exchange and certain real-time portions of MAC management to be accomplished within the access point, while WLAN controllers handle authentication, security management, and mobility.

More detailed information on LWAPP and the Cisco Centralized WLAN Solution can be found at http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns337/networking_solutions_white_paper0900aecd802c18ee.shtml or by going to Cisco.com and searching for "Understanding the Lightweight Access Point Protocol (LWAPP)."


802.11 Wireless Networking Standards

At the time that the architecture team was designing the global WLAN, the only ratified standard was 802.11b, providing raw data rates of up to 11 Mbps in the 2.4-GHz frequency range. Therefore, this standard was adopted for the global enterprise wireless network.

Based upon internal Cisco IT policies and procedures, new products and standards must first undergo prudent and comprehensive testing and certification before they are used in the production environment. Shortly after ratification, the 802.11g standard was internally certified for use within Cisco by the architecture team. Today, therefore, Cisco is deploying 802.11g Cisco Aironet access points and client devices in its WLANs. 802.11g was selected over 802.11a because it also works in the 2.4-GHz frequency band and therefore offers seamless backward compatibility with the existing 802.11b network. Apart from limited lab and showcase sites, the 802.11a standard was not deployed in a widespread manner, but it will form part of the NexGen WLAN that is currently being designed by the architecture team; see the "What the Future Holds" section for more details.

Although 802.11g supports data rates of up to 54 Mbps in the 2.4-GHz band, these higher speeds are only available to 802.11g clients. Furthermore, 802.11g access points "step down" their speed when older 802.11b clients are associated to ensure backward compatibility. As such, it is not uncommon to find many 802.11g access points working at a maximum of 11 Mbps (effectively in 802.11b, or "legacy" mode). Such circumstances will decrease as the number of older 802.11b clients diminishes in line with the introduction of new laptops and replacement of the older devices.

Client-to-AP Ratio

After careful traffic analysis, Cisco IT built its architecture on the assumption that a user-to-AP ratio of 25:1 would provide acceptable performance. At that time (early 2000), it was deemed unlikely that all 25 users would be accessing the WLAN at the same time and even more unlikely that they would all be simultaneously sending or receiving large amounts of data. Because the WLAN was an overlay network, those users who needed to use bandwidth-intensive applications such as network backups or video streaming were encouraged to use the wired network and not depend on the wireless network for these functions.

However, Cisco IT has found that adoption has been extremely high. Within 12 months of deployment, Cisco IT commissioned an internal "Voice of the Client" survey, which showed that 92 percent of staff were using the WLAN on a weekly basis; furthermore, 27 percent of users were relying upon the WLAN as their "primary or only network access medium." Even with the limitation of the 802.11b data rate of 11 Mbps (or actual throughput of 6 Mbps), day-to-day performance has not been adversely affected and is deemed perfectly acceptable for the vast majority of user activity. Comments from users have been overwhelmingly positive.

Some Cisco buildings use wireless connectivity almost exclusively. This includes network backups, software downloads, video unicast, and Cisco IP Communicator (a software-based IP phone), in addition to standard web browsing, e-mail, and calendars. Rich Gore, Cisco IT project manager, says, "With quality of service now supported over wireless, I've been taking all my phone calls over the wireless network using Cisco IP Communicator, and it's been working perfectly."

Note

Users always have the option of manually connecting their laptops to the wired network if they so wish, but this practice is by no means standard for most users.


Moving forward, a lower user-to-AP ratio (approximately 12:1) has been recommended as reliance upon the WLAN increases and adoption has proven to be widespread. This topic is covered in more detail in the "What the Future Holds" section later in this chapter.

Signal Strength

Cisco Aironet access points can broadcast up to 100mW (depending on the regulatory domain). When such high transmission power is used, it is possible for the WLAN coverage to extend beyond the originally desired areas, potentially reaching out into parking lots and public areas. After conducting tests, the architecture team established standards that call for using the minimum power to reach all areas within buildings, but never exceeding 20mW. That is, the "less is best" approach is taken. Access points are ideally configured to use 1mW, 2mW, 5mW, and so on, but never more than 20mW.

In some instances, directional antennas have been used to more narrowly focus the signal, reducing the power required to achieve full coverage. Where necessary, rather than increasing transmit power to exceed 20mW, additional access points are installed to cover "dead" spots.

Roaming

To more accurately control roaming, the WLAN client software (in this case, the Cisco Aironet Client Utility [ACU]) was configured to roam only under certain circumstances, that is, when the current signal strength has dropped below a specified threshold or number of retries. This configuration reduces the tendency to reassociate to a new access point and helps avoid flip-flopping.

Each time the user switches from one access point to another, connectivity is momentarily lost, necessitating reauthentication. Numerous reauthentication requests can increase load on the authentication server, which can adversely affect service. This situation can be particularly notable in wireless voice applications, with clearly discernable "stutter" as the client reassociates and authenticates.

Radio Cell Architecture

If cells overlap too much, continual switching ("flip-flopping") is possible. Cisco adopted an overlap of about 15 percent (roughly 10 feet in most buildings) to minimize this possibility.

As we mentioned in Chapter 5, the 802.11 standard allows for devices to connect at various data rates depending on the RF environment. To minimize this effect, the architecture team locked the data rate at 11 Mbps. Thus, the user's wireless connection will never "step down" but rather will associate to a different access point when it is far enough away from the original access point. This solution controls the roaming and avoids flip-flopping between access points, which in turn greatly assists in troubleshooting and predicting client behavior.

The policy for 802.11g cells is to permit data speeds as high as possible, but never less than 802.11b (11 Mbps). This results in the ability of newer 802.11g clients to associate with the latest model 802.11g access points at higher than 11-Mbps speeds in some circumstances. However, association rates at lower than 11 Mbps are never permitted.

Global Naming Standards

Cisco uses a clear, concise, and consistent naming standard for all access points. This standard aids greatly in troubleshooting and also provides users and network engineers with useful information about their current access point.

The naming standard is as follows:

<site name>-AP<floor><AP letter>.cisco.com

For example, for the third access point on the second floor of a New York office, the access point name could be NYC-AP2c.cisco.com.

Cisco IT has found that a consistent naming standard allows for easier management.
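As an added illustration (not code from the book or from Cisco IT), the following Python audit checks an access point inventory against the standards described in this chapter: the naming convention above, the 20 mW transmit-power ceiling, the 11 Mbps minimum association rate, and the original 25:1 client-to-AP design ratio. The CSV inventory format and every sample value in it are constructed for the example.

```python
import csv
import io
import re
from dataclasses import dataclass

# Naming standard from the chapter: <site name>-AP<floor><AP letter>.cisco.com
AP_NAME_RE = re.compile(
    r"^(?P<site>[A-Za-z0-9]+)-AP(?P<floor>\d+)(?P<letter>[a-z])\.cisco\.com$"
)

# Policy values stated in the chapter
MAX_TX_POWER_MW = 20       # transmit power is never to exceed 20 mW
MIN_RATE_MBPS = 11.0       # association below 802.11b's 11 Mbps is never permitted
MAX_CLIENTS_PER_AP = 25    # the original 25:1 client-to-AP design ratio


@dataclass
class ApRecord:
    hostname: str
    tx_power_mw: int
    min_rate_mbps: float
    clients: int


def parse_ap_name(hostname):
    """Return site, floor and AP letter, or None if the name breaks the standard."""
    m = AP_NAME_RE.match(hostname)
    if m is None:
        return None
    return {"site": m["site"], "floor": int(m["floor"]), "letter": m["letter"]}


def load_inventory(text):
    """Parse a constructed CSV export (hostname,tx_power_mw,min_rate_mbps,clients)."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        ApRecord(r["hostname"], int(r["tx_power_mw"]),
                 float(r["min_rate_mbps"]), int(r["clients"]))
        for r in rows
    ]


def audit(records):
    """Return (hostname, finding) pairs for every deviation from the policy."""
    findings = []
    for r in records:
        if parse_ap_name(r.hostname) is None:
            findings.append((r.hostname, "name not in <site>-AP<floor><letter>.cisco.com form"))
        if r.tx_power_mw > MAX_TX_POWER_MW:
            findings.append((r.hostname, f"tx power {r.tx_power_mw} mW exceeds {MAX_TX_POWER_MW} mW"))
        if r.min_rate_mbps < MIN_RATE_MBPS:
            findings.append((r.hostname, f"min rate {r.min_rate_mbps} Mbps below {MIN_RATE_MBPS} Mbps"))
        if r.clients > MAX_CLIENTS_PER_AP:
            findings.append((r.hostname, f"{r.clients} clients exceeds {MAX_CLIENTS_PER_AP}:1 ratio"))
    return findings


# Constructed sample inventory; the values are illustrative, not real Cisco data.
SAMPLE_INVENTORY = """\
hostname,tx_power_mw,min_rate_mbps,clients
NYC-AP2c.cisco.com,5,11,18
NYC-AP2d.cisco.com,50,11,9
SJC-AP3a.cisco.com,20,5.5,31
ap-lobby.cisco.com,2,11,4
"""

if __name__ == "__main__":
    for host, finding in audit(load_inventory(SAMPLE_INVENTORY)):
        print(f"{host}: {finding}")
```

Run against the sample, the audit reports one AP over the power ceiling, one AP both below the minimum rate and over the client ratio, and one hostname that does not follow the naming standard.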

Cisco Aironet Access Points

When originally deployed, the Cisco Aironet 350 Series Access Point was selected as the standard access point. The Cisco Aironet 350 Series was the most advanced, fully featured wireless access point available. It supported the 802.11b protocol standard (the most advanced at that time), which provides data rates of up to 11 Mbps. The Cisco Aironet 350 Series also supported inline Power over Ethernet (PoE), which greatly simplifies installation and reduces costs by eliminating the need for separate, dedicated power cabling to the main supply.

PoE allows the access point to draw power through its Ethernet cable, from the switch to which it is connected. In some circumstances, where certain sites did not have switches that supported PoE, Cisco IT used standalone "power injectors." These devices sit inline between the network switch and the access point and "inject" DC power into the cable. This allowed Cisco IT to continue using PoE at all locations, even where they had older switches that did not provide PoE or that did not have sufficient power capacity to power all the access points required. Figure 9-3 shows how a power injector sits in between the access point and the switch.

Figure 9-3. Using Power Injectors to Provide PoE When It Is Not Available from the Switch


Today, Cisco IT is expanding and enhancing its initial Cisco Aironet 350 Series deployments by installing Cisco Aironet 1000, 1100, and 1200 Series access points. These access points support new 802.11 standards and additional feature enhancements and options for modular and flexible WLAN deployments, including the centralized, controller-based architecture or the distributed autonomous access point architecture. At the time of writing, approximately 25 percent of the access points were the 1200 series. This percentage will rise to 100 percent with the NexGen WLAN.

Cisco Secure Access Control Server (ACS)

The Cisco Secure ACS is used as the standard AAA server for the global WLAN and for other recently introduced services such as 802.1X-based port authentication for wired Ethernet ports in public areas and Network Access Control (NAC), part of the Cisco Self-Defending Network security strategy. Pairs of Cisco Secure ACSs were deployed at strategic locations worldwide.

The value of using a globally distributed AAA architecture instead of a single AAA server was highlighted by the WLAN deployment. Because of the greater load that a WLAN creates for AAA, due to authentications and reauthentications (as the client device roams from AP to AP), it was important to ensure that all users did not have to rely upon a single, centralized server. This would have introduced unacceptable delays for users in geographically remote areas. As such, at 13 different locations around the world, Cisco placed two ACS servers, in a load-balanced configuration, that served as AAA servers for that local geographical region.

The ACS servers are fully integrated with the Cisco Active Directory domain structure, enabling a single sign-on (SSO) capability. Effectively, AD user credentials are used not only for access to their laptops and wired network but also to provide transparent authentication to the wireless network. SSO has greatly reduced the client impact for users and has helped ensure a common, user-friendly experience across platforms and transport media. Users need only remember their normal ID and password for access to their laptop, the wired network, and the wireless network, and they only have to enter their credentials once each session regardless of the transport medium they are using.

Network Management

To date, more than 3100 Cisco Aironet access points have been deployed worldwide, supporting more than 50,000 users. This includes over 37,000 full-time Cisco employees, as well as over 10,000 temporary, contractor, and vendor staff. A WLAN as widely used as this requires a robust management capability. Because a dedicated wireless management system was not available in 2000, the Cisco wireless network was managed through EMAN, an internally developed web-based enterprise-management framework. Today, Cisco IT also uses the CiscoWorks WLSE, a Cisco appliance for managing WLAN deployments.

Client Management

Client management is a challenging area, and Cisco has implemented robust business processes to address it. Before 2004, all client devices were based upon Cisco-manufactured client adaptors, radios, and devices. However, the Cisco Client Extensions (CCX) is a technology licensing scheme that allows third-party manufacturers to produce equipment that supports Cisco value-added capabilities. With CCX, many third-party client devices and platforms have been introduced within the production environment.

To address the resulting diversity of client hardware, Cisco made the decision to adopt third-party wireless software for all platforms. This adoption ensures that a common software application is used for all operating systems (Windows 2000, Windows XP, Linux, MacOS, and so on), regardless of the particular adaptor used in the relevant laptop (Cisco adaptors, Intel Centrino laptops, Macintosh PowerBooks, and so on).

The third-party supplicant also provides a consistent management toolset to allow for centralized profile management and configuration.

A centralized client management solution is also used to facilitate software distribution and updates.

Service dashboards, which are internal intranet websites, also provide service information, user communication, software, and self-service configuration utilities for all users. All Cisco staff can use dashboards for instructions on how to manually configure or update their systems. Because dashboards are based on standard HTML pages, they are platform agnostic and suitable for all platforms and clients that support HTTP.

Service and Support

Network devices, systems, and applications on the Cisco global network are managed according to levels of impact to the business. Service or support levels fall into four categories:

  • Priority 1 (P1): Immediate and severe business impact including revenue loss (actual, not postponed); inability to make or ship product; inability to develop code or product; inability to meet contractual, legal, or government-imposed processing deadlines; impact to external Cisco customers, partners, or supplier processes with negative implications for relations, market perception, or revenue; or engineering groups unable to work on a critical customer build or fix other critical account issues.

  • Priority 2 (P2): Adverse business impact including the inability of an organization (or organizations) within Cisco to perform daily operations such that it is essentially idle; or direct and critical impact to executives within the company, or to development, test, disaster-recovery, or staging environment for a P1 service or system.

  • Priority 3 (P3): Low business impact including the inability of multiple users to perform their daily tasks such that they are essentially idle; or impact to a single user under an approved, documented Service Level Agreement (SLA) requirement, or to a development, test, disaster-recovery, or staging environment for a P2 service or system.

  • Priority 4 (P4): Minor or no business impact to Cisco such as a question or new service request, or a problem that keeps one employee from performing part of a job function.

Within this support-level structure, Cisco Secure ACSs are managed as a P1 device because they are critical not only for WLAN access, but also for NAC, an element of the Cisco Self-Defending Network security strategy. The wireless network was originally managed as a P4 because it was considered a secondary network to the wired network. However, because of widespread adoption and usage within Cisco, support for the WLAN has become equivalent to P2. Cisco envisions that the NexGen WLAN, based upon more advanced and intelligent wireless networking technologies, will be formally supported on a P2 basis.

Cisco Support Team

Cisco has a four-tier support model, as follows:

  • Tier 1: Frontline Global Technical Resource Center (GTRC). This is equivalent to a standard internal helpdesk. Agents are familiar with the most common problems and work from prepared scripts and troubleshooting guides. Each GTRC hub has a nominated wireless LAN expert who is more familiar with the solution than his colleagues.

    Cases that are handled at this level are usually client configuration issues or the initial reports of service outages. Problems that cannot be solved by the GTRC are escalated to Tier 2 support.

  • Tier 2: Cisco IT WLAN network operations team. These Cisco IT engineers are responsible for ongoing network and infrastructure support. The WLAN subteam is made up of engineers who usually have several years of experience supporting the solution and, in many cases, were directly involved in the original deployment and design. The IT WLAN network operations team has access to the access points, switches, routers, AAA servers, and WLAN controllers that make up the solution. This team also includes virtual members from the Cisco dedicated security organization and hosting teams (responsible for the AAA and Active Directory servers).

    Cases that are handled at this level are usually AP or controller configuration issues, service outage problems, requests for enhanced coverage, and so on. Problems that the IT WLAN network operations team cannot solve are escalated to Tier 3 support.

  • Tier 3: Cisco IT WLAN architecture team. The IT WLAN architecture team is made up of several senior design engineers and solutions architects. Members of this team designed the original solution and have continued their work on evolutionary change and development over the past five years. This team holds the most technical, business, security, and program management experience on the Cisco solution.

    Cases that are handled at this level are usually fundamental design or architecture issues, requests for new services or capabilities, and new product or solution implementation. If a problem cannot be handled at this level, it is usually a result of a product bug and is escalated to Tier 4 support. This is a rare occurrence because most issues that are escalated this high relate to solution development rather than bug fixes.

  • Tier 4: Technical Assistance Center (TAC) and Wireless Networking Business Unit (WNBU). The TAC is the top level of support within Cisco and for Cisco customers. Cisco IT can also escalate directly to the WNBU within Cisco. Only officially noted bugs are escalated to this level.

A team of three and a half full-time equivalent (FTE) staff makes up the Tier 2 IT WLAN network operations staff. Note that this effort is spread over several people in several countries but that the combined total is equivalent to 3.5 FTE.

A team of two and a half FTE makes up the Tier 3 IT WLAN architecture team. This includes the global program manager responsible for enterprise wireless strategy and architecture.

Cost of Support

Cisco prices each GTRC support call at US$25 per call. This results in an annualized cost of frontline Tier 1 support of US$318,900.

Cisco budgets US$120,000 per annum as the fully loaded cost of an FTE. This cost includes salary, assets, workplace costs, business costs, and so on, and is not indicative of salary alone. This results in an annualized cost of second-line Tier 2 support of US$420,000.

Because of the nature of the Cisco business and the maintenance of a Tier 3 architecture team, Cisco does not include these costs in the day-to-day annualized support costs. Cisco believes the maintenance of a dedicated architecture team is not indicative of a typical enterprise because not all corporations are based in the networking industry.

This results in a total annualized cost of support as reflected in Table 9-1.

Table 9-1. Cost of Support

Level of Support                               Cost
Frontline support                              $318,900
Second-/third-line support                     $420,000
Total annual support costs                     $738,900
Annual support cost per user (50,000 users)    $14.77





The Business Case for Enterprise-Class Wireless LANs
ISBN: 1587201259
Year: 2004
Pages: 163
