Deploying a Wireless Network
This page provides answers to some frequently asked questions on deploying a Wireless Network. The questions have been compiled from interested parties outside of Carnegie Mellon University. For more information on Wireless Andrew, please visit the Wireless web page at: http://www.cmu.edu/computing/about/history/wireless
My question involves the construction of our new high school building. Our environment will be one in which we accommodate about 280 high school students all equipped with laptop computers in a single building. Individual classrooms will be about 500 square feet in size and class sizes are up to 20 people. The new building is a 3-floor steel frame structure. Interior walls will be stud and drywall with a layer of sheet metal separating the floors. Currently we use a wired 10Base-T hub or hubs in each classroom. Connectivity to the 100Base-FX/Gigabit Ethernet network backbone is via 1 to 3 switched 10Base-T ports in each classroom. My hope is to be able to provide wireless network access using the new 11Mbps standard so that performance will be equivalent to the wired network we now have in place. Can I expect the same performance?
Please keep in mind that 11Mbps is the raw throughput. The practical throughput is more like 5Mbps (shared). This is not unlike your 10BT hubs, but will still be at a lower speed. That said, the typical user seems to be satisfied with T1 speeds (1.5Mbps).
I am assuming that achieving this will require about one wireless access point per classroom. I understand that the Lucent WaveLAN 11Mbps product uses three distinct frequency channels, and that access points using the same channel should not have overlapping coverage in order to minimize interference.
Is it realistic to expect to be able to engineer the system so that connectivity to each access point will be confined to a single classroom?
Our strategy has not been to limit spaces to single access point coverage. Rather, we try to limit the channel overlap to no more than 3 distinct channels (Channels 1, 6, and 11). These can be viewed as separate collision domains in ethernet terms. If you can limit the overlap to no more than 3 APs (each one on a separate channel) then you should not have a problem. The current versions of WavePoints do not provide for load balancing of users between access points. The end user decides which WavePoint to connect to purely on the basis of strongest perceived signal strength.
I discussed this with Brian Becker, the WaveLAN product manager for the Midwest, and he indicates that this can be done using a variety of antenna designs that Lucent provides with different radiation patterns and perhaps lengthening the feed line to provide signal attenuation. I am concerned that with only three channels rather than four, we are likely to have some adjacent rooms on the same channel. This is analogous to the four-color map theorem. I think that the sheet metal separating the floors will probably help to keep our problem mostly two-dimensional.
Agreed, we have seen the same problems. It is nearly impossible to completely limit the overlap of channels. We have found that the best approach is to predetermine which areas are key in terms of a large number of users (large group instruction areas, libraries, etc.) that could benefit from additional capacity, versus areas that need to have consistent capacity (important offices) versus areas where a best effort coverage is acceptable.
We have found that the best design comes from an interactive process of sample testing, rough layout testing, mapping the layout on paper with color-coded coverage patterns, and retesting until we find the best compromise in terms of coverage and capacity. We do our testing during normal hours so that any potential interferers are identified as part of the testing process (a fully occupied space will test differently than an empty/after hours space).
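A worked version of the channel-planning problem raised in this exchange, added here as an example and not code from CMU or the original correspondence: rooms whose AP coverage overlaps are joined by an edge, the search finds the assignment of channels 1, 6 and 11 with the fewest co-channel overlaps, and a naive paper plan can be audited against it. The two-row floor plan and its overlap rule are assumptions constructed for the example.

```python
"""Channel planning for 802.11b access points.

Only three channels (1, 6, 11) do not overlap, so APs whose coverage
overlaps should sit on different channels, and with three 'colours' some
adjacent cells will inevitably share one.  This searches for the assignment
with the fewest co-channel overlaps and lets a hand-drawn plan be audited.
The floor plan is constructed for the example: one floor of eight
classrooms in two rows of four, where each AP's coverage reaches its
orthogonal and diagonal neighbours (the sheet-metal floors keep it 2-D)."""
from itertools import combinations

CHANNELS = (1, 6, 11)  # the three non-overlapping 2.4 GHz channels


def overlap_graph(rows, cols):
    """Rooms on a grid; an edge joins two rooms whose AP coverage overlaps."""
    rooms = [(r, c) for r in range(rows) for c in range(cols)]
    edges = [(a, b) for a, b in combinations(rooms, 2)
             if abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1]
    return rooms, edges


def co_channel_overlaps(assignment, edges):
    """Edges whose two APs share a channel: one shared collision domain each."""
    return [(a, b) for a, b in edges if assignment[a] == assignment[b]]


def plan_channels(rooms, edges, channels=CHANNELS):
    """Branch-and-bound search for the assignment with the fewest co-channel
    overlaps.  Exact, and fast enough for a building-sized plan."""
    neighbours = {room: set() for room in rooms}
    for a, b in edges:
        neighbours[a].add(b)
        neighbours[b].add(a)
    # place the most constrained (highest-degree) rooms first
    order = sorted(rooms, key=lambda room: -len(neighbours[room]))
    best = {"cost": len(edges) + 1, "plan": None}

    def search(i, plan, cost):
        if cost >= best["cost"]:
            return  # cannot improve on the best plan found so far
        if i == len(order):
            best["cost"], best["plan"] = cost, dict(plan)
            return
        room = order[i]
        for ch in channels:
            # each overlap edge is counted once, when its second AP is placed
            new = sum(1 for n in neighbours[room] if plan.get(n) == ch)
            plan[room] = ch
            search(i + 1, plan, cost + new)
            del plan[room]

    search(0, {}, 0)
    return best["plan"]


def column_plan(rooms, channels=CHANNELS):
    """A naive paper plan: cycle channels by column, ignoring the row above."""
    return {room: channels[room[1] % len(channels)] for room in rooms}


if __name__ == "__main__":
    rooms, edges = overlap_graph(2, 4)
    naive = column_plan(rooms)
    print("naive by-column plan:", len(co_channel_overlaps(naive, edges)), "overlaps")
    plan = plan_channels(rooms, edges)
    print("searched plan:", len(co_channel_overlaps(plan, edges)), "overlaps")
    for r in range(2):
        print("  row", r, [plan[(r, c)] for c in range(4)])
```

On the constructed floor plan every 2x2 block of rooms is a 4-clique, so no three-channel plan is conflict-free; the search shows two co-channel overlaps is the floor, against four for the by-column plan.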
Do you require your users to purchase wireless network cards?
No. We do sell the cards at a slight discount through the University Store Computer Sales, but there is no requirement for any user to buy the cards.
Do you loan wireless cards to students?
We have begun discussions on this subject, perhaps through the library or other areas. We do not yet have a program in place.
How do you secure your wireless network from students sniffing traffic?
We don't. As I mentioned in the session, we prefer to put the burden of encryption on the application and not on the network.
How easily can connections be hijacked?
Not sure what you mean by hijacked. Yes, it is easier for an outsider to get on the wireless network than the wired net, but once there you have virtually the same protections and holes as the wired net.
Can the wireless setup on a personal computer coexist with a 100Mbps switched network setup on the same computer so that one can easily change to high-bandwidth networking in the office or to wireless networking without complicated configuration changes or rebooting?
The answer to this question depends on your individual campus network architecture and the OS of the system you are using. In my case, I typically use the wireless LAN 80-90% of the time, and use my wired connection on the days I have my machine backed up through our central backup system.
Do the higher-end solutions that you have investigated have compatible less-expensive solutions for home use? I'd like to seamlessly use my wireless-connected laptop on campus or at home, again, without having to make any configuration changes.
There are two options that I know of:
1) Zoom makes an IEEE 802.11 DSS card and they sell software and adapters that allow you to use your desktop PC as a wireless access point (wired to wireless bridge). These are each in the $250 range.
2) Apple will soon be releasing a small access point called an Airport base station. This device is in the under $300 range and is IEEE 802.11b compliant. It should work with devices other than the MacOS.
Who makes the network cards and what is the cost of each network card?
We use Lucent Technologies' WaveLAN 2 products; the cost of a card through Computer Sales of the University Store is approximately $260.00.
Is there any plan (and when) to make the cards of higher speeds than 2Mbps?
IEEE 802.11b (the 11Mbps standard) was ratified a few months back. We are in the process of learning about the differences and similarities between 802.11 as Lucent will implement it on their new cards. Most likely the present 2Mbps wireless network will be the "lowest common denominator" for our users and we will overlay 11Mbps cells as needed on campus.
For what types of buildings is this technology most useful: academic buildings, administrative buildings, residence halls... and why/how?
We are installing the technology initially in our academic, research and administrative buildings. This is mainly due to the costs to install the Access Points in these sites (about $1K per AP). We believe the residence hall folks would like wireless as well.
If a variety of different types of buildings (academic, administrative, residence halls) were using this technology, would they use the same user support structure?
There are really no differences in support that we can see for these different areas. Some of the applications may differ, but the installation and network support issues are similar.
Does CMU assign students to different subnets than faculty, or do you create vlans in any other groupings to separate one population from another using IP subnets? If so how do you deal with users in different subnets acquiring their addresses (DHCP) via common wireless access points or getting assigned to different vlans from common access points?
While we do subnet various appropriate networks to our campus backbone (ex: dorm networks, administrative networks, ...) we chose to have all of the campus wireless traffic contained in its own subnet. This is mainly to allow seamless wireless LAN roaming between and within campus buildings.
We are keeping an eye on efforts/standards like Mobile IP and we may eventually be able to have the wireless access points directly attached to an individual building network. We do use DHCP for both the wired and wireless networks.
Lehigh is investigating deploying our first wireless LANs in the next few months. Does CMU have a laptop program in place? Just curious since you made the decision to support wireless everywhere. Right now we are looking at supporting it where folks typically gather. We don't have a lot of laptops on campus right now.
We do not have a formal requirement for students to own laptops. Our Graduate Business School is the only exception to this. Over the past two years, they have required (and facilitated) the purchase of IBM laptops. Other schools are considering similar requirements/recommendations. We have tracked student ownership of computers over the past 4 years. We are approaching 90% of incoming freshmen coming with computers, with an increasing percentage each year with laptops. We anticipate that the Wireless Andrew deployment will increase this percentage of laptop ownership.
Do you use any firewalls/routers to do any packet filtering or other security policy implementation between say your dorm, staff and faculty network? If so, since students, faculty and staff use the same wireless subnet and therefore the same security policy as implemented by the firewall/router, do you make the wireless subnet the lowest common denominator in terms of a security policy? Does this mean faculty or staff give up some access privileges when using wireless versus wired connections? Is there any difficulty with users accepting and getting used to this?
For the most part, we view the network as insecure and advise users accordingly. We use Kerberos for authentication to our AFS file servers and associated services. We recommend that users of the network (wired or wireless) use encrypted versions of FTP and Telnet, and we are moving more of our key web apps to using a kerberized version (kweb). We are hoping that enhancements to wireless LANs (support of RADIUS or Kerberos by the Access Points) will be forthcoming and will add to the security of Wireless Andrew.
That said, our campus backbone has been traditionally a flat, bridged one. Exceptions are routed subnets to the residence halls, and some departments that wanted/supported their own subnets (CS, ECE, ...). Wireless was put on its own subnet initially for support concerns (we weren't sure how this new network type would co-exist with the campus net). We have kept wireless on its own subnet to more easily support roaming around the campus. This will not scale beyond 1000 nodes, so we will need to revisit this; we hope that Mobile IP will be an answer.
We are in the process of moving from our flat backbone network to a more routed subnet approach. We will complete a fair amount of this work this semester.
We are currently installing a wireless network and want to know, in regards to logistics, how you are deploying the cards to the clients?
We sell the cards through Computer Sales of the University Store (University Center lower level). Price is approximately $175 per 11Mbps card.
Question regarding authentication beyond the wireless units (DHCP/Authentication).
State-of-the-art today is DHCP for IP assignments, and running a closed (vs. open) network (network name). Immediate futures include RADIUS authentication, preferred futures include Kerberos.
Could you please provide data on the additional costs for:
- network management and reporting
- repair and troubleshooting
- support for getting connected, tech support
- customer support -- documentation, education...
- planning, deploying upgrades etc.
I'm afraid I can't provide a lot of good data, but here is an attempt to answer some of your questions. So far we see wireless as just another network type from the standpoint of the help center. There was a learning curve for the Help Center staff, but the data on how much of an increase is a bit because we ran a pilot for integrating our Network Help Line and Computing Services Help Center into a single point of contact last semester. So we saw an increase of around 11% in call volume to the Help Center that we believe is related to network support, but how much is related to wireless is not clear.
On the engineering and development side, the management tools are not as mature as for traditional networks with respect to supporting a large-scale deployment. Most tools assist in the management of small-scale deployments (10-20 Access Points) but large scale campus-wide deployments require tools that allow for the easy reconfiguration of multiple APs from a central management station. We expect this will happen, it just hasn't yet. Troubleshooting can also be much more of a pain because we don't have control over the medium (e.g., somebody introduces a device on the same frequency that causes interference).
To give a comparison, we rolled out DSL and wireless as production services last fall. DSL has been a much more significant hit at the help center (with about 450 users to date) than has wireless (now at close to 1000 users). From the standpoint of the network technician and engineering side, we haven't added staff. But the staff we have are much busier than they had been (in fact, without wireless, we might have been looking at reducing by a technician, so that may be a good estimate to use).
As for upgrades (software revisions and 11Mbps radio cards), we again plan to use the existing staff and run this as a project this summer (not unlike any other network upgrade that involves physically touching units). We had to do this last summer to some wired network switches as part of Y2K prep. We are hopeful that by next summer we will have a better way to centrally admin the access points. If/when we upgrade to the next generation 802.11a, this will be a major project akin to the most recent deployment (some semi-dedicated staff).
We've hosted a few people who are interested in the nuts and bolts of wireless deployment.
Can you give me any insight as to the effort to design the placement of the AP location points? (How much time is needed for a team (how many) to do a typical (I know that there is no such thing as typical) building of how many square feet would be ideal.)
We used teams of two data communications technicians. There's a learning curve involved, but once over that we found the average to be 2 weeks/building for design/layout of APs. But as you note, there's huge variation based on building size as well as construction materials, etc. Our smallest building (5K sf) probably took an afternoon; the largest (350K sf, constructed of concrete, marble, etc.) probably took 8 weeks. In order to accelerate the project at the end, we also brought in some contractors from a company called New Horizons (based out of Seattle & Alaska; they sent a team in and helped kick out buildings much faster than our own staff, who still had to maintain some of their ongoing responsibilities despite our attempts to insulate them from other tasks). I can get you contact info for the NH group, if helpful.
What about support? What sort of additional staff is required to support the wireless users? How do you think that number is going to scale as usage increases?
So far we see wireless as just another network type from the standpoint of the help center. On the engineering and development side, the management tools are not as mature as for traditional networks with respect to supporting a large-scale deployment. Most tools assist in the management of small-scale deployments (10-20 Access Points) but large scale campus-wide deployments require tools that allow for the easy reconfiguration of multiple APs from a central management station. We expect this will happen, it just hasn't yet. Troubleshooting can also be much more of a pain because we don't have control over the medium (e.g., somebody introduces a device on the same frequency that causes interference).
To give a comparison, we rolled out DSL and wireless as production services last fall. DSL has been a much more significant hit at the help center (with about 450 users to date) than has wireless (now at close to 1700 users). From the standpoint of the network technician and engineering side, we haven't added staff. But the staff we have are much busier than they had been (in fact, without wireless, we might have been looking at reducing by a technician, so that may be a good estimate to use).
How long a life cycle are you planning for a given technology? E.g., you are now installing the 2.4 GHz technology. When do you think you will have to replace that with the 5 GHz technology or Bluetooth or ...?
I'm guessing not for another 2 years to the 5GHz stuff. Bluetooth may come in during that time, but that will be local (IR) activity, nothing at the enterprise level. Or so I'm expecting.
We have a question about wireless security. We understand that most manufacturers of 802.11b hardware and client software support WEP (Wireless Equivalent Privacy). But there is one aspect the literature does not discuss in much detail: the WEP encryption seems to be designed primarily to, in essence, password-protect and encrypt an entire wireless network, so that no unauthorized third-party wireless stations can "sniff" the traffic between the authorized members. Our question is, does WEP also prevent authorized users from sniffing each others' traffic? That is, does the WEP only protect against rogue third-party eavesdroppers, or does it also make each individual station-to-access-point conversation private?
Our take on this is that WEP closes the network to outside sniffers, but inside it appears like any shared ethernet, so yes, inside sniffing is possible.
The reason we ask is that we are looking to deploy this technology into some dorms. Even if we turn on the WEP encryption in those dorms, all the students using a given access point will obviously have to have the same password or encryption key in order to connect to the wireless network. But if that's the case, can the students eavesdrop on each other's traffic since they all have the same encryption key, or is there another layer of encryption that takes place that establishes some kind of unique encryption for all station-to-access-point pairs? (Thanks again for your offer to lend some assistance. By the way, the CMU web site was among the best sources of wireless information that we were able to find.)
A question to ask yourself: Is your campus all switched networking or is there shared ethernet on your campus? If you have a shared Ethernet environment, you have the same issues as wireless. The key difference is that wireless makes it much easier to sniff traffic.
Everything we've read and heard indicates that we should use the 802.11b, 11Mbps products from a company with significant market share, like Lucent or Cisco. We read loud and clear - from your website - the importance of "careful and exhaustive signal strength measurements" in radio design, and we're working on creating some specs or guidelines that would ensure that a contractor can and will deliver.
Here are the questions based upon where we think we should be going:
Is anything known about backward compatibility from the next generation of wireless to the IEEE 802.11b 11Mbps products e.g., is it likely that the client cards we buy will have to be replaced in order to work with next gen of AP?
The next generation of wireless in the ISM band will be at the 5GHz end of the spectrum (IEEE 802.11a), although there is talk of trying to double the data rate of the present 802.11b 2.4GHz standard from 11Mbps to 22Mbps. This implies a whole new radio for the clients. I can't speak for the vendors, but conceptually you may be able to have a dual-mode radio card that supports both 2.4GHz and 5GHz. Also it is likely that the access points will be redone as well; they will likely support both the old and new radios (either concurrently or as a swap-out upgrade).
How good are the remote management capabilities on the top products e.g., can we get up/down status, traffic stats, # of connections, etc.?
Most of our experience is with the Lucent line. For the most part, they are better than they were, but still lag behind the management capabilities of their wired cousins (we can see wired side up/down status but not on the radio side, for example). I think this is an issue of market maturity; most of the effort has been in designing and deploying the IEEE standard(s) (first 2Mbps, then 11Mbps, and now working on 54Mbps). I believe the above statement is true for most radio products. It is hoped that as wireless moves into the "legitimate network" category, companies will improve the network management side of the equation.
Are some client cards better than others, so much so that we should be recommending particular brands or models? Is there anything else you can think of that we need to watch out for?
IEEE 802.11b is a lowest common denominator as far as interoperability of various radio cards is concerned. Vendors of both the cards and the APs can (and do) make their own proprietary improvements above the standards. It is usually best to select a single vendor for a campus deployment, but realize that interoperability of the standard allows anyone with a compatible card to communicate.
Have you had any dealings with Direct Network Services of Ayer, MA? Any outsourcing (of design and implementation) that we should definitely look at, or definitely avoid?
We have done most of the design work ourselves, the exception was to bring in New Horizons to help finish the project by this summer. For the most part we trained them in our design practices and they appear to have done a good job (they are finishing their installs this week so I'll know for sure soon how well they did). I can't speak to the merits of other consulting/design firms.
I found your name on the CMU web page describing the Wireless Andrew project. We, at the University of Chicago, are currently investigating wireless technology. I wondered if you could tell me how you enforce your ethernet registration of the wireless cards? We have concerns about the use of DHCP in various implementations, wireless and wired, without some form of authentication. We were wondering what you were doing in that regard.
As a rule we have all network users register their MAC address with our central organization and tie this info to the machine/user. We assign IP addresses to the MAC address and use DHCP as a way to deliver the address each time the user boots up. For the most part, the address appears as a static IP address to them, however we reserve the right to re-ip subnets and suggest to users that they should not hard code the IP address to their machines unless absolutely necessary. This is true for both the wired and wireless networks on campus (as well as remote access services like DSL).
The enforcement comes in that while you can associate (connect) to the wireless net without registering your card, you are limited to non-IP use without an IP address for that subnet (now you may be able to spoof or steal an IP address, but this is against the rules and you will be dealt with appropriately if caught).
At present, we have set up the wireless side on its own IP subnet and if there is considerable abuse, we can disconnect the entire wireless side from the campus net while we find the source of the problem. We will be upgrading the wired side of the wireless net this summer by replacing hubs with switches to better enable us to shut down targeted areas of the wireless net if needed.
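The registration-as-enforcement model described in this answer, written out as an added example (not CMU's code): a registered card is leased its reserved address, an unregistered card gets no lease, and an address seen from a MAC other than its registered owner is flagged for follow-up. The subnet, registry entries and ARP snapshot are constructed for the example.

```python
"""MAC registration as the enforcement point for a DHCP-served subnet.

A registered card is leased its reserved address; an unregistered card gets
no lease (it can associate but has no IP on the subnet); any address seen
from a MAC other than its registered owner is flagged for follow-up.  The
registry, subnet and ARP snapshot below are constructed for this example."""
import ipaddress

WIRELESS_SUBNET = ipaddress.ip_network("10.0.0.0/22")  # placeholder subnet

# Constructed registry: MAC -> (registered user, reserved IP address)
REGISTRY = {
    "00:60:1d:1a:2b:3c": ("student-a", "10.0.1.10"),
    "00:60:1d:4d:5e:6f": ("staff-b", "10.0.1.11"),
    "00:02:2d:7a:8b:9c": ("faculty-c", "10.0.1.12"),
}


def normalize_mac(mac):
    """Canonical aa:bb:cc:dd:ee:ff form for the Windows, Cisco and Unix
    spellings users type into a registration form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def dhcp_offer(mac):
    """The address the DHCP server should offer this card, or None for no lease."""
    entry = REGISTRY.get(normalize_mac(mac))
    return entry[1] if entry else None


def audit_arp(arp_lines):
    """Compare 'ip mac' pairs seen by the subnet's router against the registry.
    Returns (finding, ip, mac_seen, registered_owner) tuples."""
    ip_to_mac = {ip: mac for mac, (_, ip) in REGISTRY.items()}
    findings = []
    for line in arp_lines:
        ip, mac = line.split()
        mac = normalize_mac(mac)
        if ipaddress.ip_address(ip) not in WIRELESS_SUBNET:
            continue  # not on the wireless subnet; out of scope here
        expected = ip_to_mac.get(ip)
        if expected is None:
            # an address nobody was assigned: hard-coded or otherwise spoofed
            findings.append(("unassigned-ip", ip, mac, None))
        elif expected != mac:
            # a registered user's address in use by a different card
            findings.append(("mac-mismatch", ip, mac, REGISTRY[expected][0]))
    return findings


# Constructed ARP snapshot from the wireless subnet's router
ARP_SNAPSHOT = [
    "10.0.1.10 00:60:1d:1a:2b:3c",   # student-a, as registered
    "10.0.1.11 00-60-1D-DE-AD-01",   # staff-b's address, unregistered card
    "10.0.1.50 0060.1dbe.ef02",      # nobody was assigned .50
    "10.0.9.1 00:00:0c:aa:bb:cc",    # outside the wireless subnet
]

if __name__ == "__main__":
    print(dhcp_offer("00-60-1D-1A-2B-3C"))   # reserved address
    print(dhcp_offer("00:11:22:33:44:55"))   # None: unregistered, no lease
    for finding in audit_arp(ARP_SNAPSHOT):
        print(*finding)
```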
Thank you for offering to discuss our issues relating to wireless network deployment. I can't find the design guide you refer to on Lucent's web site. Do you have a specific URL?
I checked their website as well. I can't easily find it. I've attached a Word document that is a draft version that is somewhat CMU specific but should be useful. Also, you can check out some archived web-based discussions on our project at: