Small Business Wireless LAN
By David M. Piscitello, President, Core
Wireless LANs can reduce a small business's network-related
expenses in many ways, such as:
- Eliminating the cost of wired Ethernet connections during or after
- Expediting the changes you'll make to your Ethernet topology as your
organization grows and office space changes.
- Saving you from leaving most of your Ethernet cabling investment if
These kinds of considerations have made WLANs enormously appealing. Two
constraints you should consider, however, are capacity and coverage. A
single, properly located 802.11 b/g access point can serve about 20
employees over an unobstructed span of 100 to 200 feet indoors, with the
convenience of being "always connected, anywhere." Walls, doors, and other
obstructions reduce a single Access Point's (AP's) reach, and throughput
declines with distance.
So what do you do when your office outgrows your one and only access
point? You add more. The rest of this article explains when and how.
When do I add a second Access Point?
Capacity and coverage commonly dictate when organizations add access
points. An industry rule of thumb is that a 54 Mbps AP will yield (at
best) about 25-27 Mbps. Combine this with a second rule of thumb: allow 1
Mbps per user for normal Internet activities, and increase the per-user
allocation for users who run bandwidth-hungry applications.
While this is a reasonable starting point, consider other factors as
well. Consider the impact of signal strength. Obstructions and station
distance from your AP affect the data rate at which stations operate.
Stations at some locations in your facility may still only achieve 1 Mbps,
even when your AP's maximum data rate is 54 Mbps. Actual application
throughput will be (at best) about half of the station's current data
rate, further declining as multiple stations contend for each AP's shared
When you need to meet the needs of additional office space and
employees, or need to increase capacity for existing employees, it's time
to add an AP.
Where do I add a second Access Point?
Consider taking a new site
survey to determine the best locations for your multiple-AP
deployment. Each access point will provide its own radius of transmission,
often called a cell. To allow seamless roaming across your AP
cells, allow slight overlap between cells. WLAN stations will
automatically associate with the AP that offers the best combination of
signal strength and quality.
Position your APs so that cells reach all your stations, plus all areas
where users may roam. You might need to relocate your original AP. In
fact, the optimal AP placement might be someplace where power and
wired Ethernet connections from your APs to your "wiring closet" are not
available! In such situations, before you invest in new wiring of any
kind, consider using Power over Ethernet (POE)
or Ethernet over Powerline (HomePlug
Try to contain your APs' radio signals within the physical envelope of
your offices. This minimizes the threat of eavesdropping on your network,
and prevents your network from interfering with nearby networks. Provide
sufficient overlap for clients to roam, but not so much that clients will
struggle to choose the stronger of two signals, or they'll flip-flop
between the APs and perform poorly.
Setting up the airlink
Now that your physical devices are in place, let's move up to the link
layer. To create a WLAN environment where clients can associate with the
access point offering the highest signal quality and users can
maintain IP connectivity as they roam, set each AP to operate on a unique,
non-overlapping channel within the 2.4 GHz ISM spectrum. For
example, you might set your Firebox Edge Wireless to operate at channel 1,
and a second AP to operate at channel 11.
Achieve airlink connectivity before you try to tune performance. Leave
WLAN parameters such as fragmentation length, Request to Send (RTS)
threshold, Delivery Traffic Indication Message (DTIM) intervals, and transmission
power at their defaults until your network functions properly. My
experience is that you should not suppress network name (SSID) broadcast
in beacon frames. Suppressing SSID beaconing is a weak security measure at
best, and will simply cause your stations to probe for APs with the
desired SSID. WLAN parameters sent in beacon and probe response frames --
802.11b compatibility mode and available link speeds, for example -- help
stations determine if they are able to associate as they discover new APs.
Obviously, though, you should change the SSIDs from their factory
defaults, since hackers share lists of known authentication credentials.
Configure APs and client workstations in your network to use the same
SSID, authentication, and encryption parameters. You may want to begin
with an open system (no encryption) until you are confident your network
operates as you intended. Ideally, use Wi-Fi Protected Access version 2
(WPA2) with the Advanced Encryption Standard (AES) for link protection. If
WPA2 is not available, use WPA version 1 with the Temporal Key Integrity
Protocol (TKIP). If WEP is the only encryption alternative available to
all adapters and APs in your WLAN, use WEP, but seriously consider
enabling encrypted MUVPN connections for wireless clients from your
Firebox X Edge Wireless.
When AES or TKIP is used, each client workstation must use an
encryption key that is known to your AP. In larger enterprises,
per-station keys can be delivered using 802.1X. Small business needs can
be met by having all stations and the AP use the same pre-shared key
(PSK). Make it at least 20 characters long and not easily guessed. In
Windows XP environments, stations can be individually configured, or you
can use the Wireless Network Setup Wizard available with Service Pack 2 to
create a configuration installer program on a removable (USB) device. Run
the program from the USB device to install the same wireless configuration
(including PSK) on every wireless station you permit to access your
internal network, thus reducing the likelihood of misconfiguration.
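
The airlink guidance above (shared SSID and protection settings, non-default SSID, SSID broadcast left on, WPA2-AES preferred, a PSK of at least 20 characters, non-overlapping channels) can be checked mechanically before rollout. This is an added example, not part of the original article or any WatchGuard tool; the AP class, the audit function and all sample values are hypothetical.

```python
from dataclasses import dataclass

# Channels are 5 MHz apart and a b/g signal is ~22 MHz wide: keep APs 5 channels apart (1, 6, 11).
MIN_CHANNEL_GAP = 5
PREFERENCE = ["WPA2-AES", "WPA-TKIP", "WEP", "OPEN"]  # the article's order
MIN_PSK_LEN = 20  # the article's minimum pre-shared key length


@dataclass
class AP:
    name: str
    ssid: str
    channel: int
    protection: str  # one of PREFERENCE
    psk: str = ""
    broadcast_ssid: bool = True


def audit(aps, factory_ssids):
    """Return findings for a multi-AP airlink plan; empty means it passes."""
    findings = []
    if len({(a.ssid, a.protection, a.psk) for a in aps}) > 1:
        findings.append("APs differ in SSID, protection or PSK")
    for a in aps:
        if a.ssid.lower() in factory_ssids:
            findings.append(f"{a.name}: SSID is a factory default")
        if not a.broadcast_ssid:
            findings.append(f"{a.name}: SSID broadcast suppressed")
        rank = PREFERENCE.index(a.protection)
        if rank > 0:
            findings.append(f"{a.name}: {a.protection} in use, prefer {PREFERENCE[0]}")
        if rank < 2 and len(a.psk) < MIN_PSK_LEN:
            findings.append(f"{a.name}: PSK under {MIN_PSK_LEN} characters")
    # Compare every pair of APs for overlapping channels.
    for i, a in enumerate(aps):
        for b in aps[i + 1:]:
            if abs(a.channel - b.channel) < MIN_CHANNEL_GAP:
                findings.append(f"{a.name}/{b.name}: channels {a.channel} and {b.channel} overlap")
    return findings


# Constructed sample plans; SSIDs, key and factory-default list are made up.
FACTORY = {"linksys", "netgear", "default"}
KEY = "constructed-sample-psk-0123456789"
GOOD = [AP("edge", "acme-office", 1, "WPA2-AES", KEY),
        AP("ap2", "acme-office", 11, "WPA2-AES", KEY)]
BAD = [AP("edge", "linksys", 1, "WEP"),
       AP("ap2", "linksys", 3, "WEP", broadcast_ssid=False)]
if __name__ == "__main__":
    print("\n".join(audit(BAD, FACTORY)))
```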
Setting up seamless inter-AP roaming
Now let's consider IP configuration issues. When a wireless station
"goes mobile," it temporarily drops its airlink connection as it
disassociates from one AP and associates with another. At the IP level,
DHCP-enabled stations will renew IP information (IP address, subnet mask,
default gateway...), but in many cases, stations will re-acquire the same
IP address. That means application sessions might persist through this
sequence of events. (Note: you can enhance the probability of IP
persistence by using the DHCP Reservations option.) If a client roams from
one IP subnet to another, however, the IP address must change, and
application sessions will always be disrupted. The situation is worse for
clients with static IP address assignments: if they associate with an AP
in a different subnet, the fixed address they have is incompatible with
the new IP subnet, so they lose IP connectivity altogether.
Avoid network-layer roaming (and consequent disruption) by
bridging rather than routing between APs. To create a
bridged network that spans several APs and Ethernet LANs, you must
"uplink" your APs to a common Ethernet hub or switch. For example, if you
are using a Firebox X Edge Wireless, connect all 802.11 b/g access points
to the Edge's Ethernet hublet. From the Firebox X Edge Wireless
Configuration, set the Network assignment to Bridge to Trusted
Network. All devices connected to the Edge hublet ports, including any
stations that associate with your second "standalone" AP, will be part of
a bridged LAN that includes stations associated with the Edge's internal
Be certain that whatever system hosts DHCP services for your network is
accessible from all APs in your bridged network. You may choose to run a
DHCP service on your Firebox X, or on a Windows 2003 server protected by
your firewall. Choose the service that provides the DHCP options that best
satisfy your policy needs. Many DHCP standard options are available from
Firebox X series firewalls (e.g., restrict access by MAC address, DHCP
Reservations). It is possible to:
- Use more than one DHCP server
- Relay DHCP service through a Firebox X Edge to a Windows server
- Use different address pools from the same IP subnet.
But such advanced deployment considerations require careful planning
and are not typically required in small business networks.
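
The bridging and DHCP requirements above reduce to a few checks on the IP plan: every AP places clients in one subnet, DHCP pools stay inside it, and statically addressed stations belong to it. This is an added example, not from the original article; the function name, the plan layout and all addresses are hypothetical. The pool-overlap and static-inside-pool checks go beyond what the article states and guard against duplicate leases when more than one DHCP server is used.

```python
import ipaddress


def check_bridged_plan(subnet, ap_subnets, pools, static_clients):
    """Return findings for a bridged multi-AP IP plan; empty means it passes."""
    net = ipaddress.ip_network(subnet)
    findings = []
    # Every AP must place clients in the same subnet; otherwise moving to that
    # AP is network-layer roaming and application sessions are disrupted.
    for ap, served in ap_subnets.items():
        if ipaddress.ip_network(served) != net:
            findings.append(f"{ap}: serves {served}, not {subnet}")
    # Pools, possibly on different DHCP servers, must lie inside the subnet
    # and must not overlap, or two servers can lease the same address.
    ranges = []
    for server, (first, last) in pools.items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo not in net or hi not in net:
            findings.append(f"{server}: pool {first}-{last} leaves {subnet}")
        for other, olo, ohi in ranges:
            if lo <= ohi and olo <= hi:
                findings.append(f"{server}/{other}: DHCP pools overlap")
        ranges.append((server, lo, hi))
    # A static station outside the subnet loses IP connectivity; one inside a
    # pool risks a duplicate address.
    for host, addr in static_clients.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            findings.append(f"{host}: static {addr} is outside {subnet}")
        elif any(lo <= ip <= hi for _, lo, hi in ranges):
            findings.append(f"{host}: static {addr} falls inside a DHCP pool")
    return findings


# Constructed sample plans (addresses and names are illustrative).
GOOD_PLAN = ("192.168.10.0/24",
             {"edge": "192.168.10.0/24", "ap2": "192.168.10.0/24"},
             {"edge-dhcp": ("192.168.10.50", "192.168.10.99"),
              "win-dhcp": ("192.168.10.100", "192.168.10.149")},
             {"printer": "192.168.10.10"})
BAD_PLAN = ("192.168.10.0/24",
            {"edge": "192.168.10.0/24", "ap2": "192.168.20.0/24"},
            {"edge-dhcp": ("192.168.10.50", "192.168.10.120"),
             "win-dhcp": ("192.168.10.100", "192.168.10.149")},
            {"fileserver": "192.168.20.5"})

if __name__ == "__main__":
    for finding in check_bridged_plan(*BAD_PLAN):
        print(finding)
```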
To tap the potential of wireless, many small businesses will
(eventually) require multiple APs to fulfill performance and coverage
needs. Deploying a multi-AP WLAN may require more planning than a
single-AP WLAN, but taking a systematic approach can help your company
achieve optimal results with minimal effort. If you really want to ensure
adequate radio coverage, minimal interference, and glitch-free roaming
between all APs in your office, make sure that your WLAN design addresses
physical, link layer, and network layer requirements. Work from the bottom
up, and you'll do fine.
Lisa Phifer's excellent article explaining how an 802.11 station
associates with an AP: "Moving
Freely between WLAN Access Points" (requires free Tech Target
Bernard Aboba's Unofficial 802.11 Security Web
Copyright © 2005, WatchGuard Technologies, Inc. All rights
reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks
or registered trademarks of WatchGuard Technologies, Inc. in the United
States and other countries.