Retail Wireless Networks Validated Reference Design
Solution Guide
Copyright
© 2008 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility Management System®, Bluescanner, For Wireless That
Works®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect, The All Wireless Workplace Is Now Open For
Business, Green Island, and The Mobile Edge Company® are trademarks of Aruba Networks, Inc. All rights reserved. All other
trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU
General Public License (“GPL”), GNU Lesser General Public License (“LGPL”), or other Open Source Licenses. The Open Source code
used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors' VPN
client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba
Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those
vendors.
Warranty
This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the
ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS.
Altering this device (such as painting it) voids the warranty.
www.arubanetworks.com
1344 Crossman Avenue
Sunnyvale, California 94089
Phone: 408.227.4500
Fax 408.227.4550
Retail Wireless Networks Validated Reference Design | Solution Guide December 2008
Contents
Chapter 1 Introduction 9
About Aruba Networks 9
Aruba Reference Architectures 9
Reference Documents 10
Wireless Retail Applications 10
Technical Challenges for Retailers 11
Security and PCI Compliance 11
Reliability 11
Interference from Non-802.11 Devices 12
Business Challenges for Retailers 12
Improving Operations 12
The Store of the Future 12
The Shift to 802.11n 12
Value Proposition for Retailers 13
Contacting Aruba Networks 14
Introduction
This Retail Wireless Networks Validated Reference Design (VRD) will enable you to plan a successful
Aruba deployment for common retail facility types including large footprint stores, small footprint
stores, warehouses, distribution centers (DCs), and fulfillment centers (FCs). You will also learn how to
plan for and successfully provide wireless coverage in common types of hardened areas including cold
storage and outdoor yards.
Reliability
Retailers must make sure that their WLANs deliver consistent coverage throughout their facilities,
operate without dropping sessions, and run with virtually no down time. Wireless networks should
operate as a service with defined objectives for availability and performance.
Reliability encompasses both the RF domain and the network infrastructure domain. Good RF design
results in predictable communication between wireless devices and the WLAN infrastructure. Careful
network engineering is also required to deploy wireless controllers and thin access points (APs) that
work together as a system over existing IP networks. Controller clustering, AP redundancy systems,
and load balancing are integral to modern wireless architectures.
Improving Operations
The retail industry runs on smaller gross profit margins than many other industries, and managers are
on a never-ending quest to decrease costs. WLANs offer a means to reduce network deployment costs
and operating expenses. The Aruba centralized WLAN architecture automates management of both
local and remote store networks, reducing the burden on IT organizations. The Aruba WLAN also
provides a single multipurpose platform that supports business-critical data, voice, and video
applications, and interoperates with legacy core networking and security infrastructure to substantially
reduce future capital expenses.
The retail industry was one of the first to adopt and deploy enterprise WLAN technology on a wide
scale. Early generations of WLANs used autonomous or “fat” access points (APs) with Frequency-
Hopping Spread Spectrum (FHSS) or Direct Sequence Spread Spectrum (DSSS) radios. Later
generations used 802.11b technology, and more recent generations were based on 802.11a/b/g. Retailers
operate a diverse mix of clients on these networks, including Voice over Wi-Fi (VoFi) and radio
frequency identification (RFID). In many ways, the retail industry pioneered the use of WLANs and is
doing so again today with the rollout of 802.11n technology.
Today, retailers need both robust connectivity and stringent security against network breaches that can
put sensitive business and payment card data at risk. Retailers also need to support and manage
hundreds or thousands of remote sites. The advent of state-of-the-art centralized WLAN controller-
based architectures and thin APs addresses these requirements and helps retailers achieve greater cost
efficiencies and improved in-store customer experiences.
Figure (Retail_110): The Wireless LAN Lifecycle, a cycle of four phases: Define, Design, Deploy, and Operate.
Each new evolution of the WLAN lifecycle begins by defining the objectives, requirements, and
constraints facing the retailer. The Define phase also includes pre-deployment site surveys.
The requirements definition process addresses the broad WLAN project-level, infrastructure-level, and
application-level drivers and dependencies. Common examples (explored in depth in Chapter 3,
“Defining WLAN Requirements for Retailers” ) include:
Mobile client applications and use cases
Client device types
Store facility types, locations, and RF coverage zones
Hardened environment types and locations
User authentication modes and device types
Summary of voice and QoS design choices
Quantification of key design or scale parameters
Financial, technical, and scheduling design constraints.
Pre-deployment site surveys provide vital engineering data during the RF design portion of the Design
phase. The site survey process has changed significantly over the years to accommodate centralized
WLAN controller-based architectures that use densely deployed, centrally managed “thin” APs.
Chapter 4, “RF Site Surveys” provides guidance on how to use targeted site surveys to assess whether
pre-existing RF plans and cabling plants can successfully be reused with thin APs.
Voice, Video, and QoS Design. Merchants have used voice and video for years, despite the serious
quality and performance issues. Now, Aruba centralized WLAN technology can address retailer
needs with significant improvements in call quality and reliability. Some voice features require
architecture planning, as described in Chapter 8, “QoS Design for Voice and Data Devices” .
Retailers face deployment challenges when they are required to migrate technology and refresh
software. Hundreds or thousands of locations must be installed, typically in narrow nighttime time
windows, by technicians with limited IT skills, and at the lowest possible cost. Project management and
logistics excellence are required.
Aruba controllers and APs offer system administrators a set of provisioning features specifically
designed to enable retailers to successfully undertake rollouts with tens of thousands of APs. These
features allow Aruba to offer three different deployment methodology options for retailers. The choice
of methodology is driven by the number of locations, geography, and availability of VPN access to each
site. See Chapter 9, “Deployment Methodologies” to determine the best methodology for your
organization. Site-specific deployment and certification procedures are covered in that chapter.
To reduce the workload of network administrators who must manage far-flung equipment and respond
promptly to alerts and notifications, the Aruba controller-based architecture provides automated
dynamic RF management of channel and power settings, blacklisting of rogue devices, and network-
awareness of individual user sessions and roaming states.
Rapid resolution of WLAN user issues is a basic function of any retail support desk. Support personnel
must obtain actionable information about the health of specific client device connections in order to
resolve problems. Long-term trending is necessary for accurate capacity planning.
Automation is a key requirement for merchants because their IT organizations must support large
numbers of distribution centers (DCs), fulfillment centers (FCs), and stores with very limited
personnel. New PCI, SOX, and related compliance requirements impose reporting burdens that further
tax retailers’ human resources. The AirWave Wireless Management Suite offers powerful centralized
reporting, management, and forensic tools that enable retailers to support tens of thousands of AP
locations. See Chapter 10, “Operations and Management” for a discussion of AirWave Wireless
Management Suite capabilities.
Chapter 3
Defining WLAN Requirements for Retailers
This chapter presents the structured four-step process used by retail organizations to define the
fundamental requirements that drive the design of an Aruba WLAN solution. The information
gathered in this process helps you prepare to design the technology infrastructure to support
your desired applications, throughput needs, encryption modes, user authentication types and
reporting levels.
The PCI monitoring option entails installing the AirWave Wireless Management Suite (AWMS) in the
headquarters (HQ) or data center, so that all remote locations and stores can be monitored in
compliance with PCI requirements. Designed to assist you in inventorying, monitoring, and managing
multi-vendor wireless networks, AWMS represents the most cost-effective approach to addressing
applications in which legacy wireless networks are already in place. No hardware or software is
required at any remote location.
The PCI monitoring option enables merchants to outfit existing networks with wireless monitoring
capabilities without replacing or re-architecting existing equipment.
The Wireless Intrusion Detection System (WIDS) option requires dedicated air monitoring sensors to be
installed in all remote locations. The sensor scans all the wireless channels and forwards captured
traffic to an Aruba Multi-Service Mobility Controller in the headquarters or data center for analysis. The
controller compares wired and wireless traffic, identifies and locates any rogue devices or attacks
originating from outside the building, and automatically blocks the rogue devices and attacks. The
number of sensors required varies with the size of each facility. Chapter 6, “RF Design” explains how to
compute the required number of sensors.
As with the Category 1 solution, AirWave with WIDS enables merchants to add wireless
security capabilities to existing networks without replacing or re-architecting those existing wired and
wireless networks.
The wireless LAN with WIDS and role-based access control option integrates intrusion detection
functionality with the advantages of a centralized wireless LAN, built-in stateful firewall, and AirWave
monitoring. Aruba controllers in the data center and remote locations are managed centrally through
the AirWave Management Platform, which aggregates all wireless network information and provides
PCI compliance reports.
The integrated Aruba WLAN provides all of the security controls necessary to meet wireless-specific
PCI requirements, offers controls for some wired LAN requirements, and includes controls that go
beyond PCI requirements to help prevent breaches. Competing solutions require three to four times the
amount of hardware and software to provide comparable functionality.
Aruba access points (APs) are multiple-function devices. They provide secure wireless LAN coverage
for data, voice, and video applications. In addition, they can function as a wireless IPS sensor, a
wireless mesh node, and a remote access VPN client. Aruba APs, installed in each remote location or
store, send all traffic to a centralized controller in the HQ or data center via an encrypted tunnel.
Air monitoring sensors can be deployed in either dedicated or hybrid mode. Dedicated air monitors
provide the highest level of security by continuously monitoring and responding to threats. Hybrid-
mode APs perform monitoring on a part-time basis in between serving client requests. Chapter 6, “RF
Design” provides detailed guidance on choosing between these modes.
The central controller aggregates all traffic, which is then inspected via role-based stateful firewall
segmentation to confirm compliance with security policies, encryption/decryption requirements, and
wireless intrusion detection and prevention services. Firewall segmentation can isolate and protect
vulnerable legacy WEP or WPA-PSK devices.
The Category 3 solution should appeal to merchants who need to replace existing legacy wireless LANs
in order to comply with security, management, and application requirements. The bulk of this Validated
Reference Design (VRD) details the design and deployment of a Category 3 solution for retail
customers.
PCI requirement 4.1.1: No WEP
Step 2 - Inventory Wireless Applications and Devices
For retailers choosing the Category 3 solution, this section describes common retail wireless
applications that run on an Aruba secure WLAN. Completing an inventory of present and future
applications and the devices on which those applications run is the second step in the planning process.
The inventory assists you in properly forecasting device populations, bandwidth needs, and other key
design drivers.
Retailers choosing Category 1 or Category 2 solutions may proceed to Step 3 - Quantify Facility
Coverage Requirements on page 25.
Inventory Management
Inventory control at stores and warehouses, a basic retail function, often relies on mobile wireless
devices. You can use different inventory applications at different locations within the same facility.
Receiving dock terminals. In the shipping and receiving area, you can use wireless scanners and
terminals linked to back-end systems to receive merchandise pallets into inventory.
Floor terminals. Store associates using wireless-enabled handheld computers can easily and
quickly perform inventory management tasks. For example, you can use barcode scanners during
restocking periods to track how much product is on the floor and how much was moved to the floor
from the storeroom. With the addition of wireless printers, price updates can also be performed on
the spot.
Customer Service Kiosks
Customer service is a critical priority for every retailer. Some retailers use the following wireless-
enabled technologies to improve the customer experience.
Price verification kiosks. These have become very popular with retailers and tech-savvy
customers to conveniently look up prices. Wireless kiosks can be moved as needed.
Self-help kiosks. You can place these around a store, giving customers touch-screen access to
store directories, inventory information for nearby stores in a chain, current sales, and product
information. Some retailers have augmented these self-help kiosks with a “get help” button to page
an associate to the customer’s location.
Wireless Video
Retailers have long-term investments in video surveillance equipment and cabling infrastructure. New
in-store video marketing programs and new security technologies are driving some retailers to redesign
their video plants. The challenge is how to deliver more in-store video without having to install more
cable.
Video surveillance. Wireless IP video surveillance solutions allow retailers to monitor people and
assets in real-time, while enabling easy addition of camera locations.
In-store video programming. Wireless LANs link LCD television monitors to a central server for
in-store video programming. This technology allows the placement of screens conveniently
throughout the store for customer viewing.
Application Inventory Worksheet
Complete a worksheet that captures all current and future wireless application use. You can use the
example application summary listed below as a tool to facilitate meetings between IT, store managers,
warehouse managers, and executive management.
For each application identified, note the facilities in which it is used and on which device types. Be sure
to capture anticipated future devices as well as current devices. Estimate the average number of users
in each facility type today, as well as several years into the future. Finally, assign every application a
minimum 802.11 performance criterion, either a minimum data rate or a minimum signal-to-noise ratio
(SNR). This information will be used to complete the Physical/Logical Design in Chapter 5, “Physical
and Logical Network Design” and the RF Design in Chapter 6, “RF Design” .
Table 1 Application Inventory Worksheet (column headings; complete one row per application)
Application Description | Device Type(s) Used (from Table 2) | Facility Type(s) Deployed (from Table 3) | Users per Facility (Average): Current | Users per Facility (Average): Future | Minimum 802.11 Performance Requirement: Data Rate | Minimum 802.11 Performance Requirement: SNR
Step 3 - Quantify Facility Coverage Requirements
To generate the equipment bill of materials for any of the three PCI compliance categories, you need to
know the number, size, and type of facilities that will be covered. Be sure to include areas requiring
special treatment, such as freezers or outdoor yards during this step. Later, you will use this
information to estimate the amount of equipment required for each of the three PCI Compliance
Categories:
Category 1: Number of legacy APs to be monitored
Category 2: Number of Air Monitors and Controllers
Category 3: Number of APs, Air Monitors, and Controllers
This information is used to construct the logical and physical architecture in Chapter 5, “Physical and
Logical Network Design” and the RF Design in Chapter 6, “RF Design” . The equipment requirements
for the various PCI categories can also be combined with facility counts in order to estimate the labor
required to deploy the solution.
Construct a worksheet similar to the sample table below to capture the answers to these questions.
Table 3 Facility Inventory Worksheet (sample rows)
Facility Type | Facility Qty | Addresses / Store IDs | Average Square Footage | Max Ceiling Height | Digital Floor Plan Available | Country/Regulatory Domain | WAN Backhaul Speed | WAN Link Latency | Local Controller
Distribution Centers
Size Band 1 | 104 | See Excel listing | 7,500 sq ft | 15 ft | 80% | USA | 128 Kbps | 50 ms | 1
Size Band 2 | 43 | | 15,000 sq ft | 15 ft | 60% | USA | 128 Kbps | 50 ms | 1
Use the worksheet format shown in Table 4 with a row for every hardened area in each facility type.
Use multiple rows if several hardened areas exist in the same facility.
Table 4 Hardened Environment Inventory (sample rows)
Facility Type | Hardened Area Type(s) Per Location | Hardened Area Count(s) Per Location | Average Square Footage | Thermal Limits (Min or Max) | AP Model | 2.4 GHz Antenna Model & Mount | 5 GHz AP Antenna Model & Mount | Backhaul Method
Distribution Centers
Size Band 3 | Cooler | 1 | 3,000 sq ft | +32ºF | AP65 | Bleed OK | Bleed OK | PoE
Size Band 4 | Cooler | 2 | 5,000 sq ft | +32ºF | AP65 | Bleed OK | Bleed OK | PoE
Size Band 4 | Garden Store | 1 | 5,000 sq ft | +110ºF | AP85 | ANT-80D | ANT-86D | PoE
Size Band 4 | Cooler | 1 | 4,000 sq ft | +32ºF | AP65 | Bleed OK | Bleed OK | PoE
User Authentication Modes and Device Types
This step defines the different authentication modes and device types required by the retailer facility. In
merchant environments, managers often have individualized login credentials, while team members
may not. Some mobile device models may not support every modern encryption type. These factors
drive the design of the AAA infrastructure integration.
Authentication levels and SSIDs are chosen so that wireless users and devices such as scanners and
voice handsets can gain the appropriate level of secure access to the network. Normally, we see some
or all of the following SSIDs in a retail setting:
A high-security SSID (WPA2/802.1x) for store managers with individual login IDs and for devices such
as POS terminals and newer inventory devices.
A preshared key SSID (WPA/WPA2-PSK) for store employees who may not have individual accounts.
A voice SSID (WPA/WPA2 with PSK) to support voice handsets, optimized for QoS and battery
conservation.
A guest SSID (captive portal authentication with no encryption) for vendors or customers to access
the Internet. This SSID has explicit firewall access control lists (ACLs) applied to prevent guests from
reaching networks they are not authorized to use, and has bandwidth contracts to limit airtime usage.
The following example shows the user authentication and device type requirements for a generic
retailer to help you determine your particular SSID requirements. Merchants frequently employ
different SSID designs in warehouses and in stores. Aruba recommends completing worksheets
separately for each facility type.
Table 5 Authentication Mode Matrix (sample row; mark the modes each device type requires)
Device Type | High-Security (WPA2/802.1x) | Preshared Key Security (WPA/WPA2 with PSK) | Voice (WPA/WPA2 with PSK) | Legacy Security (WEP with PSK) | Captive Portal (no PSK)
Inventory Device (Legacy) | — | — | — | — | —
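As an added example that is not part of the Aruba guide, the following Python script checks an SSID inventory of the kind described above against the rules this section and the PCI note state: no WEP, POS terminals only on the WPA2/802.1x SSID, and guest SSIDs carrying explicit firewall ACLs and a bandwidth contract. The SSID names, the SSIDProfile fields, and the sample inventory are constructed for illustration and are not from the page or from Aruba.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SSIDProfile:
    """One row of a retailer's SSID inventory (field names are this example's own)."""
    name: str
    purpose: str              # "high-security", "psk", "voice", "guest" or "legacy"
    encryption: str           # "WPA2", "WPA/WPA2", "WEP" or "none"
    auth: str                 # "802.1X", "PSK" or "captive-portal"
    firewall_acl: bool = False        # explicit firewall ACLs applied to the SSID's role
    bandwidth_contract: bool = False  # airtime/bandwidth contract applied
    device_types: tuple = ()          # device types carried (from the Table 5 worksheet)


def check_ssid(p: SSIDProfile) -> list:
    """Return a list of findings for one SSID; an empty list means no issue found."""
    findings = []
    if p.encryption == "WEP":
        findings.append("WEP is not permitted (PCI requirement 4.1.1); migrate the devices "
                        "or isolate them with role-based firewall segmentation")
    if p.encryption == "none" and p.auth != "captive-portal":
        findings.append("open SSID without captive portal authentication")
    if p.purpose == "guest":
        if not p.firewall_acl:
            findings.append("guest SSID has no explicit firewall ACLs")
        if not p.bandwidth_contract:
            findings.append("guest SSID has no bandwidth contract")
    carries_pos = any("POS" in d for d in p.device_types)
    is_high_security = p.encryption == "WPA2" and p.auth == "802.1X"
    if carries_pos and not is_high_security:
        findings.append("POS terminals belong on the high-security WPA2/802.1x SSID")
    if p.purpose == "high-security" and not is_high_security:
        findings.append("high-security SSID must use WPA2 with 802.1x")
    return findings


def audit(profiles) -> dict:
    """Map each SSID name to its list of findings."""
    return {p.name: check_ssid(p) for p in profiles}


# Constructed sample inventory: the four SSID types from the text, a legacy WEP SSID,
# a guest SSID missing its controls, and a POS terminal placed on the wrong SSID.
SAMPLE_SSIDS = [
    SSIDProfile("STORE-MGMT", "high-security", "WPA2", "802.1X",
                device_types=("POS terminal", "manager laptop")),
    SSIDProfile("STORE-STAFF", "psk", "WPA/WPA2", "PSK", device_types=("handheld scanner",)),
    SSIDProfile("STORE-VOICE", "voice", "WPA/WPA2", "PSK", device_types=("voice handset",)),
    SSIDProfile("STORE-GUEST", "guest", "none", "captive-portal",
                firewall_acl=True, bandwidth_contract=True),
    SSIDProfile("LEGACY-INV", "legacy", "WEP", "PSK",
                device_types=("inventory device (legacy)",)),
    SSIDProfile("VENDOR-WIFI", "guest", "none", "captive-portal"),
    SSIDProfile("POS-OLD", "psk", "WPA/WPA2", "PSK", device_types=("POS terminal",)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SSIDS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run against the sample inventory, the four SSIDs from the text pass, the legacy WEP SSID is flagged under 4.1.1, the vendor guest SSID is flagged twice for its missing controls, and the POS terminal on the preshared-key SSID is flagged for belonging on the high-security SSID. Filling the worksheet in Table 5 gives exactly the device-type-to-SSID data this check consumes.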
Summary of Voice and QoS Design Choices
Optimizing handset configuration is vital to providing a high level of service to users in each store or
warehouse. In an Aruba WLAN, the controller can be set up for specific device QoS levels. Use the
worksheet below to record this information for use in your deployment.
Table 6 QoS Setting Inventory (sample worksheet)
QoS Configuration | Handset Capability (see Table 2) | Controller Configuration | Handset Configuration
Band Selection | 802.11b only | Enable band steering to maximize bandwidth by shifting other data devices to 5 GHz. Set basic rates to 1 and 2 Mbps. Set supported rates to 1, 2, 5.5 and 11 Mbps. | Default (no action)
Separate SSIDs | Preferred | Enable separate SSID for device | Default (no action)
Design Parameters | DTIM = 10 | Set DTIM = 10 | 
VLAN Settings | No special requirements | Use /24 subnets to restrict broadcast domain | Default (no action)
Battery Life | UAPSD not supported; WMM not supported | Default (no action) | Default (no action)
Capacity Planning | 802.11b only | Limit devices per AP to maximum of 12 | Default (no action)
Mapping Inventory Worksheets to the Design Process
Each of the worksheets presented in the requirements definition phase records information used in one
or more of the design chapters later in this VRD. Most of these design steps cannot be completed
without having this data available to the wireless designer.
Figure (Retail_143): Mapping of inventory worksheets to the design chapters. The diagram starts at “Choose PCI Compliance Category” and shows the following elements:
PCI Compliance Categories: Category #1 PCI Monitoring; Category #2 Wireless IDS Overlay; Category #3 Secure WLAN + Wireless IDS + PCI Monitoring.
Inventory worksheets: Table 1 Application Inventory; Table 2 Client Device Inventory; Table 3 Facility Inventory; Table 4 Hardened Environment Inventory; Table 5 Authentication Mode Matrix; Table 6 QoS Setting Inventory.
Design and deployment chapters: Chapter 4 RF Site Surveys; Chapter 5 Logical & Physical Infrastructure Design; Chapter 6 RF Design; Chapter 7 WLAN Authentication & Security Design; Chapter 8 Voice & QoS Design; Chapter 9 Deployment Processes & Project Plan; Chapter 10 Operations & Management.
The basic flow of this guide is shown in the diagram. The selection of a PCI Compliance Category drives
which inventory worksheets need to be completed. Each worksheet links to specific aspects of the
WLAN design, such as Logical and Physical Network Design, or RF Design. Once the WLAN design is
complete, the program management team that is responsible for the deployment can assemble the
processes and plans needed for successful rollout.
Chapter 4
RF Site Surveys
With the retailer’s business and technical requirements identified, we can proceed to the RF Site
Survey part of the Design Phase. This step presents two key challenges for a retailer. First, the
traditional site survey methodology changes considerably when moving to a thin access point
(AP) architecture. Second, retailers operate facilities that require specialized RF design, but have
very limited operating and capital budgets to finance technology migrations. Labor and lift costs
create a powerful financial incentive to try to reuse AP locations and cabling from the previous
generation of equipment. Sometimes this reuse is appropriate, but often it is not.
This chapter addresses both of these challenges. We begin by providing a clear understanding of how
the site survey process changes with a controller-based WLAN architecture and the minimum site
survey data that is needed for the Design Phase. Then we explain the technical and business tradeoffs
involved in reusing pre-existing cable plants, and provide clear guidance on how to apply this
knowledge to your organization. In Chapter 6, “RF Design” , we will use the information gathered by
site surveys to complete a full RF design.
Figure (Retail_112): Example 2.4 GHz channel reuse plan using the non-overlapping channels 1, 6, and 11.
RF coverage in the actual world differs significantly from theoretical RF coverage, due to
environmental conditions like obstructions and interference.
The purpose of a site survey is to provide a factual understanding of the RF propagation environment in
a given facility to enable professional engineers to select optimal locations for the wireless APs. During
the survey, factors such as which applications will be supported by the wireless network are also taken
into consideration.
Figure: Coverage Design with 1 Mbps Cell Edge compared with Capacity Design with 54 Mbps Cell Edge (both plans drawn with channels 1, 6, and 11; the capacity design uses many more, smaller cells).
Today, much has changed. Retailers depend on voice handsets for low-cost communication inside their
stores and distribution centers. They want to deliver wireless video streams to in-store displays and to
backhaul IP-based security video to storage servers. The number of data-only devices has increased to
support the array of applications listed in Chapter 3, “Defining WLAN Requirements for Retailers” .
DOS-based terminal applications are giving way to both thin clients and thick clients running on full-
featured Windows operating systems. These devices need a wireless network that can support large
numbers of devices at much higher data rates than required in the past for simple scanner and data
applications.
Controller-based WLAN systems, such as those offered by Aruba Networks, were designed to automate
the management of large numbers of APs. By moving the intelligence into the controller, the APs
become “thin” and are not required to be anything more than secure, network-attached radios. This
reduces their cost and makes dense deployment possible. Whereas a coverage model might use one AP
to serve 25,000-50,000 square feet and provide at best a 1 Mbps data rate, modern 802.11a/b/g/n thin APs
typically serve smaller areas (2,500-10,000 square feet) and provide up to 300 Mbps data rates in each
cell.
This model is known as a “capacity” or “dense” WLAN architecture model.
Figure 6 Cell Radius Varies with Data Rate and Transmission Frequency
Values recovered from the figure (minimum SNR at the cell edge for each data rate):
802.11b/g (2.4 GHz): 1 Mbps = SNR 4; 2 Mbps = SNR 6; 5.5 Mbps = SNR 8; 18 Mbps = SNR 10; 24 Mbps = SNR 12; 36 Mbps = SNR 16; 48 Mbps = SNR 20; 54 Mbps = SNR 21
802.11a (5 GHz): 6 Mbps = SNR 4; 9 Mbps = SNR 6; 12 Mbps = SNR 8; 18 Mbps = SNR 10; 24 Mbps = SNR 12; 36 Mbps = SNR 16; 48 Mbps = SNR 20; 54 Mbps = SNR 21
When more than one frequency band will be used, such as both 5 GHz and 2.4 GHz, retailers should
make sure that each facility is RF planned for a 5 GHz AP density. In general, this means that each non-
overlapping AP serves no more than 10,000 square feet. Cell overlap of 25-50% is strongly recommended
to enhance roaming and RF redundancy, and is discussed in Chapter 6, “RF Design” . If the existing APs
were designed with 5 GHz in mind, the existing AP locations may be suitable. This practice is not
common, however. Attempting to deploy 802.11a/n at 5 GHz using an AP density for 2.4 GHz will not be
successful.
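As an added example that is not part of the Aruba guide, the following Python code applies the 5 GHz density rule above (no more than 10,000 square feet per non-overlapping AP, with 25-50% cell overlap) to the Table 3 sample rows to produce a first-pass Category 3 AP and controller count for Step 3, and compares it with the AP count a legacy 2.4 GHz coverage-model plan (one AP per 25,000-50,000 square feet, from earlier in this chapter) would have left in place. The area-based overlap arithmetic, the FacilityBand field names, and the 25,000 square feet legacy density are this example's own assumptions; the Chapter 6 RF design method is not on this page and is not reproduced here.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class FacilityBand:
    """One row of the Table 3 facility inventory (field names are this example's own)."""
    name: str
    quantity: int            # Facility Qty
    avg_sq_ft: int           # Average Square Footage
    local_controllers: int   # Local Controller column


# Design rule from the text: at 5 GHz, each non-overlapping AP serves at most 10,000 sq ft.
MAX_SQ_FT_PER_AP_5GHZ = 10_000
# Assumed legacy 2.4 GHz coverage-model density (low end of the 25,000-50,000 sq ft range).
LEGACY_SQ_FT_PER_AP_2_4GHZ = 25_000


def aps_for_area(sq_ft: int, sq_ft_per_ap: int, overlap: float = 0.25) -> int:
    """Area-based AP estimate (an approximation, not the Chapter 6 method): with a
    fractional cell overlap, each AP adds only (1 - overlap) of its cell as new area."""
    if not 0.0 <= overlap < 1.0:
        raise ValueError("overlap must be in [0, 1)")
    effective_sq_ft = sq_ft_per_ap * (1.0 - overlap)
    return max(1, math.ceil(sq_ft / effective_sq_ft))


def estimate_category3(bands, overlap: float = 0.25) -> dict:
    """Per-band AP and controller totals plus a verdict on reusing legacy AP locations."""
    out = {}
    for b in bands:
        required = aps_for_area(b.avg_sq_ft, MAX_SQ_FT_PER_AP_5GHZ, overlap)
        legacy = aps_for_area(b.avg_sq_ft, LEGACY_SQ_FT_PER_AP_2_4GHZ, overlap=0.0)
        out[b.name] = {
            "aps_per_site": required,
            "total_aps": required * b.quantity,
            "total_controllers": b.local_controllers * b.quantity,
            "legacy_aps_per_site": legacy,
            # Fewer legacy AP locations than the 5 GHz design needs means the old
            # locations cannot simply be reused; a site survey is still needed either way.
            "legacy_locations_sufficient": legacy >= required,
        }
    return out


# Sample rows taken from the Table 3 worksheet on the page.
TABLE3_SAMPLE = [
    FacilityBand("Size Band 1", quantity=104, avg_sq_ft=7_500, local_controllers=1),
    FacilityBand("Size Band 2", quantity=43, avg_sq_ft=15_000, local_controllers=1),
]

if __name__ == "__main__":
    for overlap in (0.25, 0.50):
        print(f"cell overlap {overlap:.0%}")
        for name, r in estimate_category3(TABLE3_SAMPLE, overlap).items():
            print(f"  {name}: {r}")
```

At 25% overlap the 7,500 square foot Size Band 1 sites need one AP each (104 APs and 104 local controllers across the band) and the 15,000 square foot Size Band 2 sites need two (86 APs, 43 controllers); at 50% overlap the counts rise to two and three per site. Under the assumed legacy density every site had a single AP, so only the smaller sites at the lower overlap target have enough existing locations, which is the point the text makes: a 2.4 GHz AP density will not carry an 802.11a/n design.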
In addition, higher frequencies have more difficulty penetrating walls, shelving, freezers, containers,
and other typical obstructions in a retail setting. Denser product types reduce signal strength more than
less dense products. For example, a pallet of milk or butter will obstruct more signal than a pallet of
light bulbs. Therefore, in certain facility types it is still a best practice to perform traditional “active” RF
testing to measure how far signals travel at the desired frequencies.
Site Survey Varieties
“Site survey” is an umbrella term that means different things to different people. Consulting firms and
wireless integrators that provide engineering services generally offer four different types of RF site
surveys. This section addresses the following questions:
What kinds of surveys are there?
Which survey is right for me?
What process do I follow to perform a site survey?
Virtual Survey
Description: Uses customer-supplied building drawings in JPG, PDF, or DWG format to place APs.
Deliverables: Marked-up JPG file indicating AP locations and controller location codes. Site bill of materials. Summary narrative analysis.
Passive Survey
Description: Involves passive data collection of the ambient RF environment to validate coverage or identify interference.
Deliverables: Heat maps of the existing 2.4 GHz and 5 GHz RF environment. Marked-up JPG file showing AP locations.
Active Survey
Description: Involves active testing of real APs throughout a facility (indoor or outdoor) to determine the actual AP coverage footprint and throughput levels.
Deliverables: Heat maps of test APs with actual measured coverage. Marked-up JPG file showing AP locations. Detailed data analysis.
Spectrum Clearing Survey
Description: Same as Active Survey, but also includes a spectrum analysis (using a portable or handheld spectrum analyzer) at each active test location to locate and measure interference sources.
Deliverables: Same as Active Survey, but including 2.4 GHz and 5 GHz noise and interference sources, locations, and duty cycles.
Which Survey is Right for Me?
Aruba recommends that retailers use the following decision tree to determine what site survey types
are required for their facilities, and whether existing cable plant and AP locations are suitable for the
performance requirements of the new Aruba network.
(Decision tree figure. The first question is "Is 5 GHz band required during useful life of network?"; the
Yes/No branches lead to the survey types required and end either in a remediation plan or in the Retail
RF Design Best Practices.)
What Process Do I Follow to Perform a Site Survey?
Each of the four types of site surveys has its own process and equipment requirements. A general
overview of each type follows.
Figure 8 Indoor Virtual Surveys with Aruba RF Plan and AirWave VisualRF
For outdoor deployments, you can use the Aruba Outdoor RF Coverage Planner, available through your
Aruba systems engineer, to model antenna coverage in 3D space using integration with Google Earth.
This planner supports the entire line of Aruba APs and antennas.
Figure 10 Passive Survey with Ekahau Site Survey Professional Version 4.4
To perform a passive survey:
1. Obtain the current electronic floor plan of the facility.
2. Using the site survey software application, walk through the coverage area and sample the RF path
every few feet.
3. Analyze the data to produce heat maps of the existing coverage and to look for sources of external
interference.
4. Ensure that coverage exceeds the minimum targeted needs for the facility.
5. Have an experienced WLAN engineer assess the passive survey data to validate the choice of AP
locations.
Site survey software makes hundreds of RF measurements throughout each active test, which are then
visualized by superimposing their values in color over the relevant facility map. The images below are
sample heat maps at 2.4 GHz and 5 GHz generated with AirMagnet during a post-installation survey in
the grocery store depicted in Figure 8 on page 37. In this case, five APs were set up in the locations
shown in Figure 8. Because voice communications are being used, the customer requirement is for 48
Mbps cell edge data rate (equivalent to a signal-to-noise ratio [SNR] of 20 dBm or -65 dBm minimum
signal strength in the 2.4 GHz and 5 GHz bands). Using a -65 dBm display filter, areas falling below this
threshold will appear gray and areas that exceed it are in color. Because almost the entire floor is in
color at 2.4 GHz, the survey shows that coverage meets the requirement in that band.
However, in the 5 GHz band, a gray area appears in the middle of the store, indicating that higher AP
density is required. This is due in part to Free Space Path Loss (FSPL) which increases with frequency,
so radio signals in the 5 GHz band travel approximately half as far as 2.4 GHz signals, at the same power
level. In addition, this part of the grocery store contains freezers, which significantly attenuate the
signal. This is an excellent example of how the AP density that is appropriate for 2.4 GHz is
inappropriate for 5 GHz.
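The two effects described above, the -65 dBm display filter applied to survey samples and the frequency dependence of Free Space Path Loss, can both be checked numerically. The following Python is an added example, not part of the guide or of any survey tool it names; the survey points are constructed values, the transmit power of 17 dBm is an assumption, and the channel centre frequencies 2412 MHz and 5180 MHz stand in for "2.4 GHz" and "5 GHz". It applies the Friis free-space formula, shows that the 5 GHz free-space range is roughly half the 2.4 GHz range for the same loss budget, and classifies the sample points into covered (colour) and gap (grey) areas exactly as the heat map filter does.

```python
import math

# Constructed sample of post-installation survey points:
# (location label, RSSI at 2.4 GHz in dBm, RSSI at 5 GHz in dBm).
# Illustrative values only, not data from the survey in the guide.
SURVEY_SAMPLES = [
    ("entrance",      -52, -61),
    ("produce",       -57, -64),
    ("center aisle",  -60, -68),
    ("freezer aisle", -63, -75),
    ("checkout",      -54, -62),
    ("bakery",        -59, -65),
]
BAND_INDEX = {"2.4 GHz": 1, "5 GHz": 2}       # column of each band in SURVEY_SAMPLES
CELL_EDGE_MIN_RSSI_DBM = -65                    # display filter threshold used in the guide


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free Space Path Loss in dB (Friis) for a distance in metres and a frequency in MHz."""
    if distance_m <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def free_space_range_m(tx_power_dbm: float, freq_mhz: float,
                       min_rssi_dbm: float = CELL_EDGE_MIN_RSSI_DBM) -> float:
    """Largest distance at which free-space loss alone keeps the signal at or above min_rssi.

    Free space only: walls, racking and freezers add loss on top of this, so the real
    indoor cell edge is closer than this figure.
    """
    allowed_loss_db = tx_power_dbm - min_rssi_dbm
    return 10 ** ((allowed_loss_db + 27.55 - 20 * math.log10(freq_mhz)) / 20)


def range_ratio(freq_a_mhz: float, freq_b_mhz: float) -> float:
    """Free-space range at freq_a divided by range at freq_b for the same loss budget.

    From the FSPL formula range scales as 1/f, so the ratio is simply f_b / f_a.
    """
    return freq_b_mhz / freq_a_mhz


def classify_samples(samples, band: str, threshold_dbm: float = CELL_EDGE_MIN_RSSI_DBM):
    """Split survey points into those meeting the cell-edge threshold (shown in colour)
    and those below it (shown grey)."""
    idx = BAND_INDEX[band]
    covered = [s[0] for s in samples if s[idx] >= threshold_dbm]
    gaps = [s[0] for s in samples if s[idx] < threshold_dbm]
    return covered, gaps


def coverage_fraction(samples, band: str, threshold_dbm: float = CELL_EDGE_MIN_RSSI_DBM) -> float:
    """Share of sample points that meet the threshold in the given band."""
    covered, _ = classify_samples(samples, band, threshold_dbm)
    return len(covered) / len(samples)


if __name__ == "__main__":
    tx_dbm = 17  # assumed AP transmit power, not a value from the guide
    for band, f in (("2.4 GHz", 2412), ("5 GHz", 5180)):
        print("%s: FSPL at 30 m %.1f dB, free-space range to -65 dBm %.0f m"
              % (band, fspl_db(30, f), free_space_range_m(tx_dbm, f)))
        covered, gaps = classify_samples(SURVEY_SAMPLES, band)
        print("  covered:", covered, " gaps:", gaps)
    print("5 GHz / 2.4 GHz range ratio: %.2f" % range_ratio(5180, 2412))
```

The constructed samples reproduce the situation in the text: every point passes at 2.4 GHz, while the centre and freezer aisles fall below -65 dBm at 5 GHz, which is where extra AP density would be needed.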
Spectrum Clearing Survey Methodology
By its very nature, the unlicensed 2.4 GHz and 5 GHz spectrum is shared by a multitude of devices
creating interference for one another. This can result in poor 802.11 network performance. Common
examples of such devices include APs in neighboring stores or warehouses, cordless phones, analog
and digital video cameras, Bluetooth devices, and microwave ovens in break areas. When designing a
wireless network, it is important to understand the overall RF environment typical of the facility type
where the network will be deployed in order to mitigate any interference problems. Spectrum clearing
refers to the use of a portable spectrum analyzer to discover and pinpoint interference sources prior to
network deployment.
4. If interferers are found, pinpoint them using the following steps:
a. Attach a directional RF antenna to the spectrum analyzer.
b. Slowly rotate the antenna until you see an interfering source of RF energy in the 2.5 or 5 GHz
band.
c. Attempt to determine the RF channel number of the interference and whether or not it impacts
your proposed network coverage.
d. If it does impact your coverage, move the antenna closer to or farther away from the source of
the signal.
e. Using this signal, identify the offending device and determine its exact location.
f. Decide what to do about the interferer (remove it or shield it, for example).
The next figure shows results from a spectrum analyzer showing the presence of DECT cordless
phones in the 2.4 GHz band.
The following figure demonstrates interference from paired Bluetooth devices. Each of the peaks in the
real time display corresponds to a Bluetooth channel, while the frequency hopping nature of the
technology is apparent in the swept spectrogram view.
The next figure shows the significant interference effect of a microwave oven in the area.
Active surveys typically cost more due to the highly skilled labor and cost of the specialized diagnostic
equipment. However, these surveys only need to be done when standard wireless LAN diagnostic steps
have failed to resolve a recurring connectivity issue.
Chapter 5 Physical and Logical Network Design
Aruba user-centric enterprise wireless networks are designed to support large numbers of users
at large numbers of sites with mission-critical applications. To enable IT network architects to
successfully plan deployments, Aruba has developed a WLAN Validated Reference Design that
leverages the experience of several thousand customer deployments, peer review by Aruba
engineers, and extensive laboratory performance testing. This reference design leverages and
extends the familiar wired core/distribution/access model in order to deploy an Aruba WLAN
as an overlay.
A complete Aruba wireless VRD typically consists of four major design elements:
Logical and physical network design
RF design
Authentication and security design
Quality of Service (QoS) design
In this chapter, we discuss the first design element, logical and physical network design. This element
encompasses the number and location of Aruba controllers, the layer 2 and layer 3 design for how
access point (AP) tunnels traverse the network, the layer 2 and layer 3 design for the VLANs that are
offered to various secure user roles, redundancy, and regulatory compliance for international networks.
The logical and physical network design has a significant impact on the choice of deployment
methodology, staging and installation processes, and site validation methods. Aruba recommends the
general architecture shown in this chapter as a best practice for retailers. It presents the optimal
combination of cost savings, performance, and reliability.
Physical Architecture
The diagram on the next page shows the physical architecture reference design that is recommended by
Aruba and spans all major merchant environments:
Warehouse/distribution center
Large footprint store (controller present in store)
Small footprint store (Remote AP via wired WAN link)
Small footprint store (Remote AP via 3G wireless WAN link)
Each type of branch office communicates to a corporate data center, as shown in Figure 16. The small
stores without local controllers home to the DMZ.
(Figure 16: physical architecture reference design. The data center holds the active and standby master
controllers, a DMZ with Remote AP controllers, the File, POS, PBX and RADIUS servers, the AirWave Wireless
Management Suite and the firewall; each site has a local active controller, APs and an air monitor.)
AMs are used, a ratio of one AM for every four APs deployed is recommended. AMs handle many of
the IDS-related duties for the network, and will assist in drawing accurate heat maps displaying
graphical RF data. Aruba considers dedicated AMs to be a security best practice because they
provide full time surveillance of the air.
AirWave Wireless Management Suite. The AirWave console provides a single user interface that
enables administrators, help desk staff, security analysts, and other IT staff to have full visibility into
and control over the wireless network and users. For more information, see Chapter 10, “Operations
and Management”.
Data Center
Because data centers are mission critical and support facilities that run three shifts, Aruba recommends
deploying two master controllers that provide full 1+1 redundancy. Aruba recommends a master
controller pair in an active-standby configuration in the data center. In the retail VRD, the master
controllers do not terminate APs except under failover scenarios or unless remote APs are used for
small footprint stores. These controllers are sized to provide N:1 redundancy for a selected number of
store APs that are likely to need continuous service during scheduled maintenance windows of store
controllers. The AirWave appliances are also located in the data center.
Warehouse/Distribution Center
In a warehouse or distribution center, Aruba recommends using two mobility controllers in a 1+1
redundancy configuration to assure full local redundancy. The controllers may be configured as either
masters or locals depending on whether the retailer’s IT staff wishes to permit discrete configuration at
the facility level.
Each AP and AM receives power from and can reach either controller through existing Power over
Ethernet (PoE) switches. In the event of a controller failure, the APs and AMs will failover
automatically to the surviving controller.
Required Equipment
To adapt the general physical design shown in Figure 16 for your organization, you must make a series
of hardware selections. Aruba recommends that you work up from the AP level to the local controller
and then to the master controller. Follow this decision tree as you work through the process.
(Decision tree figure: start from the total AP counts and local controller counts served by each master;
select the master controller model equal to 150% of the total APs and locals served by each data center;
select the AirWave server appliance equal to 150% of all APs and controllers.)
Access Points
Warehouses & DCs
Warehouses and distribution centers almost always have ceilings of 30 feet or higher. In Chapter 6, “RF
Design” we strongly recommend the use of external downtilt or “squint” omnidirectional antennas in
these environments. This VRD assumes the use of dual-band APs with external antenna connectors for
this reason.
AP-70 - Aruba 70 Wireless Access Point (802.11a/b/g)
AP-124 - Aruba 124 Wireless Access Point (802.11a/n + b/g/n)
AP-124abg – Aruba 124 (802.11n capable; software restricted to 802.11a/b/g)
Aruba strongly recommends full antenna diversity in warehouse & distribution center environments.
Use the Aruba Antenna Line Matrix available from our web site to select the appropriate antenna model
for each AP that will be installed.
Local Controllers
To build the Aruba VRD as shown in Figure 16 on page 46, an appropriately sized local controller is
required for warehouses and large footprint stores. Local controllers terminate AP tunnels and serve as
an enforcement point for security policies. If 1+1 redundancy is selected, two identically configured
local controllers are required at each location.
Controller Sizing
This Retail Wireless Networks VRD assumes the use of one of Aruba’s family of 1U controller
appliances for warehouse and store deployments. These models fit easily into congested equipment
closets and have low power draws. Choose the model from the table below that will accommodate
150% of the entire AP population at each facility type. As we will discuss later in this chapter, in full 1+1
redundancy deployments, each controller must be capable of assuming the entire load of APs in the
facility.
For customers that do not currently have PoE available, three of the models in the table include 802.3af
PoE support. They are the MC-804 (4 ports), MC-800 (8 ports), and MC-2400 (24 PoE ports).
For large Remote AP deployments, the VRD assumes the use of either the SC-256-C2 or M3-series
controller blade in an A6000-series chassis with redundant 400W power supplies. Two identically
configured chassis are installed in the DMZ in a 1+1 redundancy model. Up to 4 M3 blades can be
installed in a single chassis to serve even larger numbers of stores.
Max number of users per controller: 100 256 255 768 512 1,024 2,048
A quantity of the appropriate SFP and/or XFP modules may also be required; Aruba offers a complete
line of modules on its price list.
Master Controllers
Master controllers offload network management, wireless IDS (WIDS), and RF decision making from
the local controllers. This VRD assumes either the SC-256-C2 or M3-series controller blade in its 6000-
series chassis with redundant 400W power supplies.
Controller Sizing
The proper size of a master controller is determined by both the number of local controllers it manages
as well as the number of APs managed by all of the downstream locals. Even though AP tunnels do not
terminate on the Master, each AP transmits WIDS and RF telemetry directly to the Master. Aruba has
thoroughly tested all of its controller models in a master role supporting various AP and local controller
loads.
M3 Blade 700
MMC-3600 500
MMC-3400 400
MMC-3200 250
Table 11 Maximum Number of APs and Users per Master Controller Model
The local controller and AP limits from these tables can be combined in a matrix. Use the table below to
select the appropriate controller model for your deployment. Use the same model for both the active
master and the standby master.
(Matrix table header: Store Count, where Local Controller Count = Store Count.)
Very large deployments that require multiple M3 blades should be divided into clusters of locals, each
with its own Master. Use one M3 blade configured as the active master for each cluster, with a second
M3 blade configured as a Standby Master. Up to four active masters or standby masters can be installed
in a single A6000 chassis. Aruba does not recommend collocating active and standby masters in the
same chassis.
International Regulatory Compliance
Country code restrictions for Aruba chassis-based controllers are enforced at the chassis level, rather
than the blade level. The available chassis SKUs are as follows (the blade remains the same):
6000-400-US — Aruba 6000 Base System, SPoE Power, US Restricted Regulatory Domain
6000-400-IL — Aruba 6000 Base System, SPoE Power, Israel Restricted Regulatory Domain
6000-400 — Aruba 6000 Base System, SPoE Power, Unrestricted Regulatory Domain
AirWave Appliance
AirWave offers two different hardware appliance models. They are sized based on the number of APs
and controllers being managed. For large deployments, you purchase and deploy multiple AirWave
appliances, and the software will automatically cluster the controllers together and distribute the
processing workload appropriately. The SKUs are:
AWMS-HW-ENT, AirWave Server Appliance for managing up to 2,500 devices
AWMS-HW-PRO, AirWave Server Appliance for managing up to 1,000 devices
Required Licenses
Aruba offers a family of software licenses that run on its purpose-built, high-performance controllers.
Both the master and local controllers must have the same types of licenses installed on them; however,
the size of the licenses varies depending on the role played by the controller. Depending on the license,
either AP count or user count may be used as a licensing metric. To ensure sufficient extra capacity at
all times, Aruba recommends purchasing licenses equal to 150% of the applicable metric.
All controllers in a Master/Local cluster must run the same version of software.
NOTE
Small Footprint Stores (Remote AP)
Small footprint stores with fewer than 4 APs do not require a local controller. Instead, the AP tunnels
cross an untrusted WAN and terminate on large local controllers located in the retailer’s DMZ. In the
VRD, we assume two locals are deployed in an active/active redundancy configuration similar to the
warehouse design. Both local controllers must have Remote AP licenses to provide IPSec encryption
and split-tunnel features.
Each DMZ local controller requires the following licenses, assuming 512 Aruba Remote APs being
managed, with an M3-series controller acting as a backup to a second M3 blade:
LIC-512-RAP Remote Access Point License (512 Remote APs)
LIC-WIP-512 Wireless Intrusion Protection Module License (512 AP Support)
LIC-PEF-1024 Policy Enforcement Firewall Module License (1024 Users)
The DMZ local controllers do not require AP licenses if they are only terminating Remote APs. The ratio
of PEF users to Remote APs is 2:1 and is determined by the number of devices accessing the network
through each Remote AP.
A single MMC-6000 chassis in the DMZ can support four M3-series blades for a total of 2,048
Remote APs.
NOTE
Each Remote AP terminating on a DMZ local counts as one (1) Remote AP License, while each SSID on
each radio plus each wired port in use counts as one (1) tunnel against the total Concurrent Tunnel
capacity of the local controller. Concurrent Tunnel capacity is indicated on the datasheet for each
Aruba controller.
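The sizing rules spread over this chapter (150% headroom for controllers and licenses, each 1+1 local carrying the whole facility, the master sized on APs plus locals, and the DMZ Remote AP licenses with their 2:1 PEF-user ratio and 512 Remote APs per M3 blade) are easy to apply inconsistently by hand. The following Python is an added example, not an Aruba tool or quoting tool; it assumes that the single figure per model reproduced in Table 11 is the AP limit in the master role, and the license key names it returns are labels chosen here, not orderable SKUs.

```python
import math

# Figures from Table 11 of this chapter (M3 Blade 700, MMC-3600 500, MMC-3400 400,
# MMC-3200 250). The reproduced table shows one number per model; it is assumed
# here to be the maximum AP count in the master role.
TABLE_11_MASTER_AP_CAPACITY = {
    "MMC-3200": 250,
    "MMC-3400": 400,
    "MMC-3600": 500,
    "M3 Blade": 700,
}

HEADROOM = 1.5            # the guide's 150% sizing rule
RAPS_PER_M3_BLADE = 512   # 4 blades per chassis = 2,048 Remote APs (from the guide)
BLADES_PER_CHASSIS = 4
PEF_USERS_PER_RAP = 2     # PEF users : Remote APs = 2:1 (from the guide)


def with_headroom(count: int, headroom: float = HEADROOM) -> int:
    """Round a raw device count up to the sizing target (150% by default)."""
    return math.ceil(count * headroom)


def local_controller_capacity(facility_aps: int, redundancy: str) -> dict:
    """Per-unit AP capacity the local controller(s) at one facility must provide.

    '1+1' (warehouse/DC): two locals, each able to carry the whole facility.
    'N:1' (large store): one local, backed by the data center master on failure.
    """
    units = {"1+1": 2, "N:1": 1}[redundancy]
    return {"units": units, "aps_per_unit": with_headroom(facility_aps)}


def master_controller_capacity(total_aps: int, total_locals: int) -> int:
    """Master sizing target: 150% of all APs and locals served by the data center."""
    return with_headroom(total_aps + total_locals)


def select_model(required_aps: int, catalog: dict = TABLE_11_MASTER_AP_CAPACITY):
    """Smallest catalog model whose capacity meets the requirement, or None."""
    candidates = [(cap, name) for name, cap in catalog.items() if cap >= required_aps]
    return min(candidates)[1] if candidates else None


def dmz_remote_ap_plan(rap_count: int, headroom: float = 1.0) -> dict:
    """Licenses and M3 hardware for the DMZ locals that terminate Remote APs.

    DMZ locals need no AP licenses; they need RAP, WIP and PEF licenses. The guide's
    512-RAP example uses exactly 512/512/1024, so headroom defaults to 1.0; pass 1.5
    to apply the general 150% license recommendation instead.
    """
    raps = with_headroom(rap_count, headroom)
    blades = math.ceil(raps / RAPS_PER_M3_BLADE)
    return {
        "remote_ap_licenses": raps,
        "wip_licenses": raps,
        "pef_user_licenses": raps * PEF_USERS_PER_RAP,
        "ap_licenses": 0,
        "m3_blades_per_chassis": blades,
        "chassis": 2,                                   # identical pair, 1+1
        "fits_single_chassis": blades <= BLADES_PER_CHASSIS,
    }


if __name__ == "__main__":
    print("warehouse, 60 APs, 1+1:", local_controller_capacity(60, "1+1"))
    need = master_controller_capacity(total_aps=300, total_locals=20)
    print("master needs", need, "->", select_model(need))
    print("DMZ for 512 Remote APs:", dmz_remote_ap_plan(512))
```

Running it reproduces the chapter's own Remote AP example (512 RAP, 512 WIP and 1024 PEF-user licenses on one M3 blade per chassis) and flags when a Remote AP population would exceed what four blades in one chassis can terminate.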
AirWave Appliance
The AirWave Wireless Management Suite is licensed using the same sizing criteria as the hardware
appliance:
AWMS-ENT, AirWave Wireless Management Suite Software for a single server with no limit on
processor cores. Recommended for managing up to 2500 devices such as controllers, wireless
access points, switches, and so on.
AWMS-PRO, AirWave Wireless Management Suite Software for a single server with up to four
processor cores. Recommended for managing up to 1000 devices such as controllers, wireless
access points, or switches.
Both SKUs include the full selection of AirWave modules, including the AirWave Management Platform
(AMP), Visualization and mapping software module (Visual RF), and RAPIDS (Rogue detection
software).
Controller Compliance
When ordering an Aruba controller, customers specify a geographic region: United States, Israel, or
Rest of World (ROW).
Aruba controllers sold in the United States or Israel are physically restricted from managing APs in
other regulatory domains; administrators cannot assign another regulatory domain to the APs that
terminate at these controllers. However, a ROW controller can properly manage APs from any
unrestricted country and enforce the correct regulatory radio rules.
For example, a US-based controller may not terminate or manage APs based in Canada or Mexico, nor
can it failover using VRRP to a non-US controller. But a ROW controller may failover to an identically
configured ROW controller for redundancy purposes.
Figure 18 United States controllers cannot manage Remote APs in other countries
(Figure 18 diagram: a USA controller and a Rest-Of-World controller managing APs in multiple regional
domains: UK_AP_group, FRG_AP_group, France_AP_group, Spain_AP_group.)
A single Aruba ROW controller can manage APs in France, Germany, Italy, and Spain as long as the APs
in each country are properly assigned to separate AP Groups. Each AP Group must be assigned an RF
Management Profile with the correct country code corresponding to the physical location of the APs.
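The regulatory rules just described (a US or Israel controller manages only its own country, a ROW controller manages any unrestricted country, VRRP partners must be identically restricted, and every AP group carries the country code of where its APs physically sit) are the kind of thing worth checking before a configuration is pushed. The following Python is an added configuration check, not an ArubaOS feature; it assumes that "unrestricted country" excludes the US and Israel, and the AP group names and AP names in the constructed example are hypothetical.

```python
# Controller regions as ordered from Aruba: United States, Israel, or Rest of World.
RESTRICTED = {"US": "US", "IL": "IL"}   # restricted region -> the only country it may manage
ROW = "ROW"


def controller_may_manage(controller_region: str, ap_country: str) -> bool:
    """US/IL controllers manage only their own country; a ROW controller manages any
    country that is not itself a restricted domain (assumption: US and IL excluded)."""
    if controller_region in RESTRICTED:
        return ap_country == RESTRICTED[controller_region]
    if controller_region == ROW:
        return ap_country not in RESTRICTED.values()
    raise ValueError(f"unknown controller region {controller_region!r}")


def may_failover(region_a: str, region_b: str) -> bool:
    """VRRP partners must be identically restricted: US-US, IL-IL or ROW-ROW only."""
    return region_a == region_b


def validate_ap_groups(controller_region: str, ap_groups: dict) -> list:
    """Check each AP group's RF Management Profile country code against the controller
    region and against the physical location recorded for every AP in the group.

    ap_groups maps group name -> {"country": code, "aps": {ap_name: physical_country}}.
    Returns a list of findings; an empty list means the configuration is consistent.
    """
    findings = []
    for group, cfg in ap_groups.items():
        code = cfg["country"]
        if not controller_may_manage(controller_region, code):
            findings.append(f"{group}: country {code} not permitted on a {controller_region} controller")
        for ap, location in cfg["aps"].items():
            if location != code:
                findings.append(f"{group}/{ap}: AP located in {location} but group profile says {code}")
    return findings


# Constructed example configuration (hypothetical names, not a real deployment).
ROW_GROUPS = {
    "France_AP_group": {"country": "FR", "aps": {"fr-ap-1": "FR", "fr-ap-2": "FR"}},
    "Spain_AP_group":  {"country": "ES", "aps": {"es-ap-1": "ES", "es-ap-2": "FR"}},  # misplaced AP
    "UK_AP_group":     {"country": "GB", "aps": {"uk-ap-1": "GB"}},
}

if __name__ == "__main__":
    for finding in validate_ap_groups(ROW, ROW_GROUPS):
        print("FINDING:", finding)
    print("US controller may manage CA APs:", controller_may_manage("US", "CA"))
    print("US/ROW pair may fail over:", may_failover("US", ROW))
```

On the constructed input the check reports the one AP that sits in France but was placed in the Spanish AP group; the same function run with a US controller region would reject every non-US group outright.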
(Figure: a Rest-Of-World controller managing APs in multiple regional domains: UK_AP_group,
FRG_AP_group, Italy_AP_group, France_AP_group, Spain_AP_group.)
Aruba WLAN Logical Architecture for Retail
This section describes the validated reference logical architecture for a distributed Aruba wireless LAN
for merchants with hundreds or thousands of sites. As with the physical architecture, each type of
facility communicates to a corporate data center. However, due to the significant differences in the
designs for warehouses, large footprint stores, and small footprint stores, we will consider the logical
designs for each separately.
Warehouse/Distribution Center Logical Design
The following diagram shows the logical architecture for a warehouse or distribution center for normal
operation.
(Figure: warehouse or distribution center logical design. Management plane in the data center: AirWave
Wireless Management Suite, active and standby master, File, POS, PBX and RADIUS servers. Control tunnels
to the aggregation layer, where two active local controllers sit in the distribution center or warehouse;
data tunnels from the APs in the network access layer; air monitor.)
The diagram shows several APs in the network access layer connected by GRE tunnels to redundant
Active local controllers in the aggregation layer. The dedicated air monitor continuously scans all of the
legal channels within its regulatory domain and coordinates channel and power settings on all APs
through the mobility controller.
The controllers in the aggregation layer communicate control messages through tunnels to an active/
standby master controller pair in the management plane. 802.1x authentication, logging, DHCP/DNS
service, and management console operation are also provided in the data center. Redundancy design
for warehouses is discussed later in this section.
Large Footprint Store Logical Design
The following diagram shows the logical architecture for a large footprint store for normal operation
and in an outage condition.
(Figure: large footprint store logical design, shown for normal operation and for a controller outage.
Management plane in the data center with active and standby master; ARM and WIP telemetry from the
network access layer to the master; control traffic from the store's local controllers in the aggregation
layer; data tunnels from the APs in the network access layer.)
During normal operation, the AP tunnels terminate on the Active local controller in the store, while
AMs transmit RF and WIDS telemetry data directly to the active master in the data center. The active
local controller securely exchanges control information with the active master controller in the data
center as necessary.
The N:1 redundancy model is most cost-effective for large stores. If the store local controller fails, the
APs are configured to automatically build new tunnels directly to the active master in the data center,
as shown at the right side of the network access layer in the diagram. After the store local controller
comes back online, the APs can revert to it automatically using VRRP pre-emption. In this case,
tunneling operation resumes as shown at the left side of the network access layer.
Small Footprint Store Logical Design
The following diagram shows the logical architecture for a small footprint store for normal operation
and in an outage condition. This is a remote AP configuration, because the APs at the remote location
do not connect to an onsite controller. Remote AP solutions involve configuring a standard thin AP to
provide a customer-defined level of service to the user by tunneling securely back to the DMZ in the
data center over a WAN. The WAN can be either a private network such as a frame relay or Multi
Protocol Label Switching (MPLS) network, a public network such as a commercial broadband Internet
service, or public “third generation” (3G) wireless broadband service.
(Figure: small footprint store (Remote AP) logical design, shown for normal operation and for a WAN link
failure. The aggregation layer with two active local controllers sits in the data center DMZ; data tunnels
come from the APs in the store's network access layer; during the WAN failure the AP is shown retrying.)
As shown in the diagram, the aggregation layer is now located at the DMZ instead of at the store
location. This is because in a small footprint store there are no controllers at the store locations, so the
APs in the network access layer tunnel directly to the active local controller in the DMZ.
If the WAN connection is lost, the AP/AMs constantly attempt to rebuild the connection without
interrupting local WLAN connectivity.
(Figure: data center with AirWave Wireless Management Suite, active and standby master, and File, Web,
PBX and RADIUS servers.)
The master is also responsible for processing wireless intrusion detection system events and presenting
the event and the corresponding wireless vulnerability and exploit (WVE) identifier. The master is also
responsible for handling location services correlation algorithms that compute the position of clients as
well as rogue APs using signal strength measurements from APs in the network.
Unless Remote APs are in use, APs should never terminate on the master controller during normal
operation; they should only terminate on local controllers.
NOTE
If the master becomes unreachable, the network will continue to operate as expected, but without the
ability to perform operations such as configuration, heat map analysis, or location services, until
connection to the master controller is restored.
While the master controller is needed to perform configuration and reporting, it is not a single point
of failure in the network.
NOTE
Remote AP Deployment Considerations
(Figure: Remote AP (no firewall). Remote location with Guest, Corporate and Voice SSIDs; IPSec tunnel
over the Internet to the corporate HQ firewall/NAT-T, behind which Internet traffic, websites, corporate
and voice services are reached.)
Split Tunnel. When the AP is configured to perform split tunneling, the AP performs decryption of
wireless traffic and bridges traffic locally when it is bound for a non-corporate address, and re-
encrypts the session using IPSec from the remote AP to the controller. The Internet connection is
protected with the same stateful firewall available on the mobility controllers to protect the user
from inbound traffic.
(Figure: Remote AP (with firewall), split tunnel. Remote location with Guest, Corporate and Voice SSIDs;
Internet traffic is bridged locally through the AP firewall, while corporate and voice traffic uses the
IPSec tunnel over the Internet to the corporate HQ firewall/NAT-T.)
Direct Bridge. All WLAN traffic is locally bridged at the AP to allow access to local devices on the
LAN, such as printers and local servers. This functionality allows continued service to users at
branch offices in the absence of connectivity to the data center.
(Figure: Remote AP (Bridge Mode). Remote location with Corporate SSID (PSK) and Voice SSID (PSK) bridged
locally; Internet connection to the corporate HQ firewall/NAT-T.)
Remote AP Operating Modes
Each SSID on a remote AP has both a forwarding mode and an operating mode. The operating mode
governs AP availability when the controller is not reachable, with a corresponding impact on the
authentication types supported. For tunnel and split-tunnel mode, the standard operating mode applies.
For bridge mode, the network engineer has a selection of three different operating modes from which
to choose. These are summarized in the following table.
Classic Aruba thin AP operation
  ESSID Availability: Up only when controller is reachable
  Authentication Modes Supported: 802.1x supported
  SSID Configuration: Obtained from controller
Provides SSID continuity during temporary controller outages
  ESSID Availability: Must reach controller to come up; stays up if connectivity is temporarily
  disrupted.
  Authentication Modes Supported: 802.1x supported
  SSID Configuration: Obtained from controller
Provides a backup SSID for local access only when controller is unreachable
  ESSID Availability: Up only when controller cannot be reached
  Authentication Modes Supported: PSK ESSID only
  SSID Configuration: Stored in AP flash memory
Provides an SSID that is always available for local access
  ESSID Availability: Always up when the AP is up, regardless of controller accessibility.
  Authentication Modes Supported: PSK ESSID only
  SSID Configuration: Stored in AP flash memory
AP/AM Data and Control Tunnels
Aruba APs and AMs maintain a variety of data and control tunnels with their active local controller. It is
important for network engineers to understand the various types of tunnels and where they terminate
inside an Aruba architecture.
AP Tunnels
Figure 24 shows a Remote AP configuration with a mix of SSIDs and Forwarding modes that various
client devices use to connect. Data from these devices is tunneled through to the local controller in the
DMZ using GRE data tunnels. The AM function uses Proprietary Access Protocol Interface (PAPI)
control channels for ARM and Wireless Intrusion Detection System (WIDS) air monitoring
communication to the master controller. A separate PAPI control channel connects to the local where
the SSID tunnels terminate.
(Figure 24: Remote AP data and control tunnels. Management layer: the master controller receives Adaptive
Radio Management traffic and WIP Detection & Containment traffic. Aggregation layer: the local controller
terminates the IPSec tunnel (UDP 4500) that carries the GRE data tunnels and the PAPI control channel.
Network access layer: SSIDs in Tunnel Mode, Split Tunnel Mode and Bridge Mode.)
The number of tunnels that the AP constructs depends on the forwarding mode on each SSID.
Tunnel mode: One GRE tunnel per SSID per radio
Split-Tunnel mode: All Split-Tunnel SSIDs are multiplexed onto a single GRE tunnel after the
decrypt/encrypt process
Bridge mode: No GRE tunnel. PAPI control channel only.
Split-Tunnel and Bridge mode are only available for Remote APs. All campus-connected APs with
onsite local controllers use Tunnel mode.
NOTE
Each GRE tunnel and each PAPI control channel has a separate heartbeat mechanism used to assess
the health of the AP connection. The control overhead is approximately 1 Kbps per tunnel/channel. Be
sure to factor this in when planning for Remote AP deployments over slow speed or high-latency links.
AM Tunnels
APs are typically deployed in a “hybrid” configuration where they perform AM services in addition to
serving clients. For increased security, dedicated air monitors are recommended as a best practice.
Remote AP deployments with only one Remote AP at each location must use hybrid mode.
In either case, the air monitor process running on the AP constructs two PAPI control tunnels directly
back to the Active master controller. One control tunnel is used for telemetry used by the Aruba ARM
system to select the clearest radio channel for each AP. The second PAPI tunnel transmits information
used by the Aruba WIDS to guard against wireless threats.
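The tunnel counting rules above (one GRE tunnel per tunnel-mode SSID per radio, one shared GRE tunnel for all split-tunnel SSIDs, none for bridge mode, one PAPI channel to the local, two AM PAPI tunnels to the master, roughly 1 Kbps of heartbeat traffic per tunnel or channel) together with the earlier note that each SSID on each radio plus each wired port in use consumes one unit of the local's concurrent tunnel capacity, determine the per-AP cost of a Remote AP design. The following Python is an added example, not part of the guide; the SSID list is constructed, and the function names are choices made here.

```python
# Forwarding modes the guide names for Remote AP SSIDs.
TUNNEL, SPLIT_TUNNEL, BRIDGE = "tunnel", "split-tunnel", "bridge"
HEARTBEAT_KBPS_PER_CHANNEL = 1.0   # approximate control overhead per tunnel/channel (guide)
AM_PAPI_TUNNELS_TO_MASTER = 2      # ARM telemetry + WIDS, built by the air monitor process


def tunnel_budget(ssids, radios: int = 2, wired_ports_in_use: int = 0) -> dict:
    """Count tunnels, control channels and heartbeat overhead for one Remote AP.

    ssids: list of (name, forwarding_mode) pairs. Campus APs with an on-site local use
    tunnel mode only; split-tunnel and bridge are Remote AP options.
    """
    modes = {mode for _, mode in ssids}
    unknown = modes - {TUNNEL, SPLIT_TUNNEL, BRIDGE}
    if unknown:
        raise ValueError(f"unknown forwarding mode(s): {sorted(unknown)}")

    tunnel_ssids = sum(1 for _, mode in ssids if mode == TUNNEL)
    split_ssids = sum(1 for _, mode in ssids if mode == SPLIT_TUNNEL)

    gre_tunnels = tunnel_ssids * radios          # one GRE tunnel per SSID per radio
    gre_tunnels += 1 if split_ssids else 0       # all split-tunnel SSIDs share one GRE tunnel
    papi_to_local = 1                            # control channel to the terminating local
    papi_to_master = AM_PAPI_TUNNELS_TO_MASTER   # same for hybrid and dedicated AMs
    heartbeat_channels = gre_tunnels + papi_to_local + papi_to_master

    # Concurrent-tunnel capacity on the local is consumed per SSID per radio plus per
    # wired port in use (per the Remote AP licensing note), whatever the forwarding mode.
    concurrent_tunnel_slots = len(ssids) * radios + wired_ports_in_use

    return {
        "gre_data_tunnels": gre_tunnels,
        "papi_control_channels": papi_to_local + papi_to_master,
        "heartbeat_overhead_kbps": heartbeat_channels * HEARTBEAT_KBPS_PER_CHANNEL,
        "concurrent_tunnel_slots": concurrent_tunnel_slots,
    }


def fleet_overhead_kbps(per_ap_budget: dict, ap_count: int) -> float:
    """Aggregate heartbeat load from ap_count identical Remote APs, e.g. on a WAN link
    or at the DMZ local."""
    return per_ap_budget["heartbeat_overhead_kbps"] * ap_count


# Constructed Remote AP profile: two tunnelled SSIDs, one split-tunnel guest SSID,
# one bridged SSID for local printers, on a dual-radio AP.
EXAMPLE_SSIDS = [
    ("corporate", TUNNEL),
    ("voice", TUNNEL),
    ("guest", SPLIT_TUNNEL),
    ("local-devices", BRIDGE),
]

if __name__ == "__main__":
    budget = tunnel_budget(EXAMPLE_SSIDS, radios=2, wired_ports_in_use=1)
    print(budget)
    print("512 such APs:", fleet_overhead_kbps(budget, 512), "kbps of heartbeats")
```

On a slow branch link the heartbeat figure is the number to compare with the guaranteed uplink bandwidth, since loss of heartbeats is what makes the local declare the AP down.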
Redundancy
(Figure: active and standby master controllers with periodic database synchronization, a GRE tunnel,
VRRP keepalives and PAPI keepalives between them.)
The two controllers will synchronize databases and RF planning diagrams, and will run a VRRP
instance between them accessed by a Virtual IP (VIP) address. This is the address given to APs
attempting to discover a mobility controller, and is the address used for network administration.
One mobility controller is always the active master controller, and the other one is always the standby
master controller. Users managing the system always log into the active master. Enabling
preemption is not recommended in this setup. This configuration is known as "active-standby"
redundancy.
In the Aruba VRD, the recommended network attachment method is to have each controller configured
in a full mesh with redundant links to separate data center distribution switches.
NOTE: A standby master cannot be used to terminate GRE tunnels from APs. If an active master fails, the standby assumes its current load.

[Figure: Local controller redundancy in normal operation. Two local controllers exchange keepalives; the APs and the air monitor are split between them]
Using this model, two local controllers terminate APs on two separate VRRP virtual IP (VIP) addresses.
Each mobility controller is the active local controller for one VIP address and the standby local
controller for the other VIP address. The controllers each terminate 50% of their AP load. The APs are
configured in two different AP groups, each with a different VIP as the LMS IP address.
When one active local controller becomes unreachable, as shown in the next figure, APs connected to
the unreachable controller failover to the standby local controller loading that controller to 100%
capacity.
[Figure: Local controller failover. With one local controller unreachable, the surviving local controller terminates all APs and the air monitor]
Therefore, each controller must have sufficient processing power and licenses to accommodate all of
the APs served by the entire cluster. In this model, you enable preemption to force the APs to fail back
to the original primary controller when it comes back online.
VLAN Design
After you deploy the hardware, several design decisions are required before you can complete a
working retail environment production network. This includes VLAN and IP network design, as well as
the loopback IP address selection and spanning tree usage. Many of the decisions will logically follow
from where the network architect chooses to place the AP and controller in relation to one another for
the retail environment.
When performing VLAN planning it helps to remember that VLANs are used in two logically different
places on an Aruba controller at the aggregation layer. The first is the AP access side of the controller,
where APs will terminate their GRE tunnels. These VLANs carry encrypted traffic back and forth
between APs and the controllers. The second is the user access side, where user VLANs will exist and
where traffic will flow to and from the user. During authentication, a process called ‘role derivation’
assigns the proper VLAN to each user and forwards traffic to the wired network if allowed.
The user and access VLANs can also be visualized separately. As shown in Figure 28, the AP uses VLAN
100 for access. This represents the physical connection of the AP to the network.
[Figure 28: AP access VLAN 100 between the AP and the local mobility controller]
In Figure 29, the client device is placed into VLAN 200 by the controller following completion of the role
derivation process.
[Figure 29: client user VLAN 200 assigned by the local mobility controller]
The user VLAN design will have implications for user connectivity and mobility across the network. To
make sure that users do not overwhelm a single subnet, multiple VLANs can be configured to form a
VLAN Pool in the mobility controller, into which users are dynamically load balanced. "User mobility"
is the ability of the user to roam between APs while remaining connected, without breaking user
sessions through IP address changes.
Do Not Make Aruba the Default Router
The mobility controller is a layer 3 switch that does not run routing protocols and should not be the
default router for the VLANs on the network. The existing routers should remain the default gateways,
with the mobility controller as a layer 2 switched solution extending from the distribution layer.
Chapter 6
RF Design
Properly designed Radio Frequency (RF) coverage is one of the most critical success factors in a
wireless deployment. Many merchants report inconsistent performance of their thick access
point (AP) based wireless systems, despite considerable investments in manual site surveys and
powerful antennas. While it is very true that retail facilities present special RF challenges,
excellent performance can be achieved by combining proper RF design with thin APs that are
managed by wireless controllers as an integrated system.
This chapter brings together scientific knowledge and practical deployment experience to enable retail
customers to design a high performance WLAN for any type of facility. Having designed and installed
numerous WLANs for retail organizations, Aruba Networks has significant experience with RF
coverage strategies. In this chapter, we explain why traditional RF designs sometimes underperform in
relation to expectations, and we present a novel design strategy that yields consistently better results.
RF Challenges in Retail
Designing and deploying a WLAN in retail stores, warehouses, and distribution centers requires the
wireless designer to address the following types of challenges:
Cost of conducting manual site surveys for every one of a retailer’s locations is often prohibitive
Desire to reuse network cabling to control cost, limiting radio density and locations
Real-time character-based applications that are intolerant of network delays
Older client devices with a wide range of operating systems, radios, and antennas
Long, narrow aisles obstructed by people and moving equipment
High racking and shelving that obstructs line-of-sight (LOS) between adjacent aisles
Tall ceilings that reduce effectiveness of standard antennas at ground level
Constantly changing product mix that alters ambient RF properties
Dense concentrations of products such as lumber or liquids that absorb RF
Heavy dependence on hands-free voice communication
Moving vehicles with permanently attached data terminals
Presence of “legacy” frequency-hopping radios in the 802.11 frequency band
Unusual sources of electromagnetic interference
Hardened areas that require coverage inside, such as freezers
Outdoor coverage requirements of trailer yards and remote buildings
To overcome these challenges, wireless integrators have developed a common “toolkit” of RF design
tactics over the years. These tactics include:
Installing additional APs in persistent trouble spots
Employing antenna diversity
Using external antennas on mobile clients
Mounting high-gain antennas indoors on walls to cover long aisles
Mounting high-gain antennas outdoors on rooftops to cover yard areas
Covering the same area with both horizontally and vertically polarized antennas
Client Density
Every AP can support a limited number of clients simultaneously. The limit varies based on the type of
associated clients and the characteristics of their data flows. In general, an AP can support fewer voice
clients than data clients due to the precise timing requirements imposed by voice protocols. The limit
varies from moment to moment based on the actual mix of clients currently transmitting.
Legacy APs did not support any type of admission control mechanism, that is, the ability to
actually control the number of clients that associate to a given AP. As a result, overall performance for
all clients would suffer as more devices associated to the same AP and attempted to utilize the same
channel. If the legacy AP also had a hard limit, clients beyond that limit would be denied service.
The lack of admission control on legacy APs was not usually seen as a problem for two reasons:
Wireless device populations were relatively limited and so the total client capacity ceiling of the APs
was rarely exceeded.
Autonomous APs are not capable of shifting load to neighboring APs so there was no point to having
such a feature.
As a result, wireless designers rarely considered client density in legacy AP deployments. Some
retailers did encounter problems with AP oversubscription in specific areas. The only available solution
with Legacy APs is to place another AP in the general area on another channel. However, this solution
often increased overall co-channel interference by upsetting the carefully planned static channel plan.
[Figure: static 2.4 GHz channel plan on channels 1, 6 and 11 after an extra AP is added to relieve oversubscription]
Legacy AP Design Summary
Legacy APs have employed RF designs that were generally static to provide service to limited numbers
of clients. The number of APs was driven by the choice of a coverage or capacity strategy. RF plans
were developed from the bottom up, one AP at a time, often using an active survey process. Finally,
such designs had limited ability to respond to adverse events such as oversubscription, failure, or
blockage of individual APs. Retailers have long wished that RF design had less art and more science to
it. Until recently, this was the best achievable result.
Thin AP Architectures
The wireless industry has responded to these needs by developing intelligent controller-based WLAN
systems and thin APs that work together as a system to manage performance and respond to RF
problems in real time. Thin APs are essentially just network-attached radios that are managed by an
appliance in a secure environment with high-speed wired network connectivity. This is the same
strategy used by cellular telephone operators to provide reliable voice and data services over wide
areas. In Chapter 5, “Physical and Logical Network Design” , we considered the design of applicable
physical and logical thin AP architectures that are used by retailers.
[Figure: the three planning planes of a coverage zone: bandwidth plane, client plane, redundancy plane]
A coverage zone can be an entire facility, or a single facility may be subdivided into multiple zones to
accommodate different requirements in each one. The Gartner Group refers to these zones as
microenvironments (1). For example, a room full of charging cradles for mobile scanners in a distribution
center may require a higher client peak objective than the rest of the DC.
To accommodate these variations, the Aruba RF planning methodology for thin AP systems begins by
dividing facilities into separate zones based on bandwidth, client, and redundancy density differences.
1. WLAN Microenvironments Address Different Application Needs in Enterprises, Gartner Group, October 2008
[Figure 34: dense dual-band AP125 deployment. 2.4 GHz (802.11b/g) cells on channels 1, 6 and 11 with a 54 Mbps cell edge; 5 GHz (802.11a/n) cells on channels 36, 40, 44, 149 and 165 with a 300 Mbps cell edge]
Figure 34 shows a hypothetical dense dual-band radio 802.11a/g/n AP125 deployment with overlapping
high data-rate cells (e.g., 54 Mbps edge rate in 2.4 GHz and 300 Mbps edge rate in 5 GHz). To create
roughly equal physical cell sizes for the two radios, the WLAN controller reduces the transmit power of
the 2.4 GHz radio by 6 dB (roughly a 75% reduction). This compensates for the higher free space path loss in the 5
GHz band.
In an Aruba WLAN, all of the APs that service each coverage zone work together as a system to
maximize the performance of the client devices. Aruba Adaptive Radio Management (ARM) 2.0
technology automatically load balances clients between nearby APs. ARM 2.0 is capable of “band
steering”, which forces 5 GHz-capable clients to the higher frequency band with its greater number of
channels and lower interference levels.
For planning purposes, wireless designers generally assume that the targeted minimum data rate is
distributed uniformly throughout each cell. For real-world cell sizes and edge data rates to match a
virtual RF survey, the noise floor must be low enough to allow sufficient SNR to overcome the co-
channel interference present from other APs on the same channel nearby.
NOTE: 5 GHz values should always be used for area computations because of the reduced signal range. This makes sure that the RF design will work well in either band and will future-proof the RF Plan against cabling costs for future 802.11n deployments.
Table 13 Cell Radius and Area for Top 5 Data Rates at 20 dBm Output Power

Data rate   Min SNR (dB)   Radius 2.4 GHz   Radius 5 GHz   Area 2.4 GHz      Area 5 GHz
54 Mbps     21             149 ft.          63 ft.         69,478 sq. ft.    12,400 sq. ft.
48 Mbps     20             163 ft.          69 ft.         83,531 sq. ft.    14,909 sq. ft.
36 Mbps     16             236 ft.          100 ft.        174,520 sq. ft.   31,148 sq. ft.
24 Mbps     12             341 ft.          144 ft.        364,625 sq. ft.   65,078 sq. ft.
18 Mbps     9              449 ft.          190 ft.        633,645 sq. ft.   113,093 sq. ft.
                  802.11a/b/g   802.11n
AP (Cell) Count   9             9
Radios Per AP     2             2

The table shows the projected bandwidth and throughput available per area and per user, assuming that
each AP covers 3600 square feet and there are 200 total users.
Table 15 Typical minimum required SNR for proper detection of 802.11 rates
(The rate row is reconstructed from the standard 802.11b and 802.11a/g rate sets; the last five SNR values match the SNR column of Table 13.)

                     802.11b (DSSS)        802.11a/g (OFDM)
Rate (Mbps)          1    2    5.5  11     6    9    12   18   24   36   48   54
SNR (dB)             4    6    8    10     4    5    7    9    12   16   20   21
Signal Level (dBm)   -81  -79  -77  -75    -81  -80  -78  -76  -73  -69  -65  -64
Using this table, we can easily convert minimum SNR criteria into bandwidth. This lets the wireless
designer work with a single unit of measure. Aruba recommends converting
each device whose manufacturer stipulates minimum performance criteria in terms of RSSI or SNR,
[Figure 35: transmit power mismatch between a client transmitting at 12 dBm and an AP transmitting at 20 dBm]
When considering the floor-to-ceiling shelving commonly used indoors at retail facilities, or the large
outdoor yard environments that often surround them, it is tempting to think in terms of maximizing
power. But high-power APs will not achieve the desired result unless the transmit power at the antenna
port is relatively equalized, as shown in Figure 36.
[Figure 36: AP output reduced to 12 dBm to equalize with the 12 dBm client]
Table 16 5.8 GHz Cell Radius and Area for Various Data Rates and Output Power Values (a)
(Columns are in ascending output power; only the rightmost, 20 dBm, can be identified, since it matches Table 13.)

Data rate   Cell radius                     Cell area
54 Mbps     36 ft.    48 ft.    63 ft.      4,106 sq. ft.    7,136 sq. ft.    12,400 sq. ft.
36 Mbps     57 ft.    76 ft.    100 ft.     10,314 sq. ft.   17,924 sq. ft.   31,148 sq. ft.
24 Mbps     83 ft.    109 ft.   144 ft.     21,549 sq. ft.   37,448 sq. ft.   65,078 sq. ft.
18 Mbps     109 ft.   144 ft.   190 ft.     37,448 sq. ft.   65,078 sq. ft.   113,093 sq. ft.
a. Assumes 3 dBi passive gain on each radio, 6 dB design margin, and a path loss exponent equal to 2.5.
Wireless engineers who are used to active surveys can quickly confirm these values by modifying their
survey process. Active site surveys can easily be adjusted to account for client/AP power mismatches.
The important thing is to survey using the transmit power of the least capable client device rather than
the full available power of the AP, which may be significantly higher. The wireless engineer can choose
one of these two methods:
1. Reduce transmit power (TX) on the AP to match the expected maximum client transmit power
2. Monitor the RSSI of the client as reported on the controller during the survey, instead of looking
solely at the received AP RSSI at the client device (a type of “reverse survey”)
RF Redundancy Plane
The RF redundancy goal for a coverage zone is typically expressed as an overlap percentage. It is
measured as the percentage of the cell edge radius that is common between one or more APs. Cells
with 0% overlap will fail to meet the minimum data rate target in the event of an AP failure. Cells with
100% overlap will maintain the minimum target data rate even if an AP fails. The cell radius used to
compute the overlap corresponds to the distance from the AP to the edge of minimum target data rate.
[Figure: cell overlap expressed as the fraction of the cell radius r shared between adjacent cells]
Coverage hole detection and mitigation is a key feature of controller-based WLAN systems. Today, this
primarily involves adjusting AP power levels to compensate for AP failures. In the future, with the
ratification of the 802.11k standard that enables APs and clients to exchange information on RF
[Figure: a client associated to AP 1 (Channel A) hands over to AP 2 (Channel B) and then to AP 3 (Channel A)]
For this reason, Aruba recommends a minimum cell overlap of 25% for all coverage zones even if no RF
redundancy is required.
Retail deployments always benefit from increased overlap for another reason: Due to the potential for
new obstructions to appear in a changing environment, (such as forklifts, new stacks of goods, or
changes in the density of goods stored) it is always recommended that a client be able to reach at least
2 APs from any location in the coverage area. This deployment is beneficial because if the path from
one AP is obstructed for some reason, the client will not lose coverage because it can associate to
another AP.
[Figure: AP count procedure per zone. Coverage path: estimate the area of the zone, match AP to client power, and look up the cell area for the target data rate. Capacity path: estimate the client population in the zone and look up the maximum clients per channel. Multiply the larger of the two resulting AP counts by the desired overlap factor to obtain the AP count per zone]
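The link budget behind Table 16 and the Figure 35/36 power mismatch, and the AP-count procedure in the flowchart above, can both be worked through in a few lines. The following Python is an added example, not Aruba's RF Plan code, and its numbers will not reproduce the guide's tables exactly because RF Plan uses its own propagation model. Stated assumptions: the log-distance path loss model with the exponent (2.5), per-radio antenna gain (3 dBi) and design margin (6 dB) from the footnote to Table 16; a -85 dBm noise floor, which is what Table 15 implies since every signal level there is exactly SNR minus 85; free-space loss at a 1 m reference distance; and a 25% overlap read as a x1.25 factor. The zone size and client counts at the bottom are constructed.

```python
"""Added worked example: link-budget cell sizing and AP count per zone."""
import math

NOISE_FLOOR_DBM = -85.0                       # implied by Table 15 (signal = SNR - 85)
MIN_SNR_DB = {54: 21, 48: 20, 36: 16, 24: 12, 18: 9}   # 5 GHz OFDM rows of Table 13/15
FT_PER_M = 3.28084


def required_signal_dbm(rate_mbps):
    """Receiver target for a rate, e.g. 54 Mbps -> -64 dBm (Table 15)."""
    return NOISE_FLOOR_DBM + MIN_SNR_DB[rate_mbps]


def path_loss_1m_db(freq_mhz):
    """Free-space loss at the 1 m reference distance: 20*log10(f_MHz) - 27.55."""
    return 20 * math.log10(freq_mhz) - 27.55


def cell_radius_m(tx_dbm, rate_mbps, freq_mhz, ap_gain_dbi=3.0,
                  client_gain_dbi=3.0, margin_db=6.0, exponent=2.5):
    """Distance at which the received signal falls to the rate's target.

    Link budget: tx + gains - margin - PL(d) >= required, with the
    log-distance model PL(d) = PL(1 m) + 10 * n * log10(d).
    """
    allowed_loss = (tx_dbm + ap_gain_dbi + client_gain_dbi - margin_db
                    - required_signal_dbm(rate_mbps))
    excess = allowed_loss - path_loss_1m_db(freq_mhz)
    return 10 ** (excess / (10 * exponent))


def survey_tx_dbm(ap_tx_dbm, weakest_client_tx_dbm):
    """Power to plan and survey with: the weaker side of the link sets the edge."""
    return min(ap_tx_dbm, weakest_client_tx_dbm)


def power_offset_for_equal_cells_db(low_freq_mhz, high_freq_mhz):
    """How far to turn the lower band down so both bands have equal radii.

    Under this model only the 1 m reference loss depends on frequency, so
    the offset is 20*log10(f_high/f_low): about 7.5 dB for 2.4 vs 5.8 GHz,
    in line with the guide's 'roughly 6 dB'.
    """
    return 20 * math.log10(high_freq_mhz / low_freq_mhz)


def cell_area_sqft(radius_m):
    return math.pi * (radius_m * FT_PER_M) ** 2


def ap_count_for_zone(zone_area_sqft, cell_area, clients,
                      max_clients_per_channel, overlap=0.25):
    """Flowchart: larger of the coverage-driven and capacity-driven counts,
    multiplied by the overlap factor (25% overlap -> x1.25, our reading)."""
    by_coverage = zone_area_sqft / cell_area
    by_capacity = clients / max_clients_per_channel
    return math.ceil(max(by_coverage, by_capacity) * (1 + overlap))


if __name__ == "__main__":
    ap_tx, client_tx = 20, 12                 # dBm; the Figure 35/36 mismatch
    for tx in (ap_tx, survey_tx_dbm(ap_tx, client_tx)):
        r = cell_radius_m(tx, 54, 5800)
        print(f"{tx} dBm @ 5.8 GHz, 54 Mbps: r = {r * FT_PER_M:.0f} ft, "
              f"area = {cell_area_sqft(r):,.0f} sq ft")
    print(f"2.4 GHz power offset for equal cells: "
          f"{power_offset_for_equal_cells_db(2437, 5800):.1f} dB")
    # Constructed zone: 100,000 sq ft sales floor, 200 clients, 20 per channel,
    # planned at the client's 12 dBm for an 18 Mbps edge.
    r = cell_radius_m(survey_tx_dbm(ap_tx, client_tx), 18, 5800)
    print("APs needed:", ap_count_for_zone(100_000, cell_area_sqft(r), 200, 20))
```

The point the code makes numerically is the one the text makes in words: with a 2.5 exponent, surveying at the AP's 20 dBm instead of the client's 12 dBm overstates the usable radius by a factor of 10^(8/25), about 2.1, and the area by about 4.4. An RF plan built on the AP's power therefore under-counts APs by roughly that factor for the uplink the handhelds actually depend on.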
Benefits of 802.11n
802.11n includes a number of complex technological advances which are explored in detail in the Aruba
whitepaper, Designed for Speed: Network Infrastructure in an 802.11n World. These advances can be
summarized as follows:
Increased capacity. 802.11n enables increased data rates, improving the usable data throughput of
a cell from perhaps 15-20 Mbps with 802.11a/g to 100-200 Mbps. Given that this capacity will be
spread over a number of simultaneous users, performance should match or exceed that of a wired
100 Mbps Ethernet connection.
Improved range. 802.11n supports increased range through multiple-input, multiple-output
(MIMO) techniques which involve using multiple antennas (or ‘antenna chains’) on the AP and the
client.
More uniform ‘reliable’ coverage. Coverage in Wi-Fi networks is notoriously spotty due to
multipath interference and LOS obstructions. A user may have a good signal at some point, but
moving the client device a short distance, stepping in front of it, or even opening a door across the
room can significantly affect the signal strength. The MIMO technology in 802.11n is extremely
effective in reducing the effects of multipath nulls and obstructed RF paths.
Security Benefits
802.11n classification and containment: 802.11a/b/g APs cannot detect or contain 802.11n AP traffic.
For this reason, retailers are strongly encouraged to deploy dedicated AMs that are 802.11n
compatible, even if the APs are 802.11a/b/g only.
Faster rogue AP classification and containment: Enhanced security monitoring enables faster
response to these security breaches by performing the following functions:
Classification. Rogue classification is the ability to determine whether a rogue AP is connected
to the wired network, and, if so, where it is connected. The longer the AP or AM can spend on a
channel sampling data, the more accurate the classification algorithm will be and the more
accurate and timely the results will be. Scanning APs that are servicing clients can also classify
rogue APs, but they are much slower because they must dedicate time to the clients.
NOTE: RF Plan adds 100% to the overlap factor discussed under RF Redundancy earlier in this chapter.
Creating an AM Model
If dedicated AMs will be used, the AM Modeling page allows you to enter the information necessary to
determine the number and placement of AMs in your buildings. You may also explicitly specify the
number of AMs you wish to deploy. Two radio buttons on the page allow you to choose the model by
which the number of AMs is determined.
Use the Coverage model to configure the AMs in your WLAN based on desired WLAN coverage. RF
Plan calculates the number of AMs required based on the information you provide.
Use the Custom model to manually specify the number of AMs you wish to deploy.
Aruba recommends that retailers use the Coverage model and select the lowest 5 GHz Monitor Rate.
Side Coverage
[Figure: side coverage from APs A and B with a 60° 3 dB beamwidth. Signal directed above the ceiling line is wasted, and the floor area nearest each AP is served by the other AP]
Overhead Coverage
Overhead coverage refers to the use of “squint” or “downtilt” omnidirectional antennas that face
downwards but are electrically designed to provide a full 360 degrees of coverage with standard vertical
polarization, as shown in Figure 43. All of the antenna gain is focused in the direction of the clients
underneath. This advantage is offset by the additional cost of an AP that supports external antennas, as
well as the cost of the antennas themselves.
[Figure 43: overhead coverage from downtilt omnidirectional antennas with a 120° beamwidth]
Viewed from the azimuth, or overhead, both antennas provide full 360 degree coverage in a circular
shape. However, the downtilt omni will have a smaller, tighter pattern, whereas the side coverage AP
will spread its signal further out.
[Figure: antenna elevation patterns from 0 dB to -20 dB plotted against mounting heights of 4, 8, 14 and 18 ft]
[Figure: downtilt antenna geometry with 30°, 60° and 90° angles marked. Slant range = mounting height / sin(30°): 35 ft gives 70 ft, 25 ft gives 50 ft, 15 ft gives 30 ft. Ground distances shown: 26 ft, 43 ft and 60 ft]
In summary, for steep down angles and mounting heights over about 20 feet in warehouse or container
facilities, the low-gain squint omnidirectional antenna is ideal:
Low-gain limits range to a predictable area around each AP and reduces AP-to-AP interference
Low-gain reduces client density per AP by employing more, smaller cells
Antenna pattern provides users at ground level with a higher signal than APs see to each other
Adaptive radio management functionality is improved for auto-calibration of the RF network and
automation of ongoing operations.
A more detailed look at the RF properties of standard omni antennas and squint/downtilt omni
antennas may be found in Appendix A, “RF Concepts and Terminology”.
The 3D view shows the difference in vertical coverage clearly. The use of the high-gain antenna results
in substantially less vertical coverage, which is a problem especially close-in to the antenna as the
signal does not yet reach the floor. When viewed from the overhead, or azimuth, perspective, we can
see that very little of the main lobe of the high-gain antenna reaches the ground. The darker areas do
not contact the ground, with the coverage hole of the higher-gain antenna extending nearly 25% of the
way down the aisle.
[Figure: 2.4 GHz attenuation through freezer walls, 20 dB]
Figure 48 Elliptical Cell Effect of RSSI Falloff Due to Dry Goods Attenuation
[Figure 48: attenuation creates an elliptical cell shape around each AP location; RF model of staggered elliptical cells with rapid signal falloff between aisles]
In a high-shelving environment, the normal circular AP cell shape essentially becomes elliptical. This
effect can be seen using Aruba 3D antenna modeling tools. In the following example, APs have been
placed at alternating sides of every other aisle, one-third of the way down. The cell edge isocontour is
computed using a loss value of 20 dB for each aisle and an SNR target of 15 dB.
Variability of Goods
Inventories change on a daily basis, and store layouts or merchandising plans may vary on a weekly,
monthly, or seasonal basis. The attenuation between an AP and the same client in the same spot may
change as a result. For this reason, Aruba strongly recommends that retail customers plan for a
minimum data rate of 18 Mbps at the cell edge (i.e., SNR >= 9 dB per Table 15). This leaves headroom for variability in the loss
(absorption) characteristics of the goods stored.
In addition, uncertainty in RF models increases with each obstruction between an AP and a client.
Every row of goods causes a discontinuity in a wireless signal that varies with the construction of the
shelving and the goods currently stored on it. Each discontinuity increases the risk in the RF design, as
illustrated in Figure 49:
[Figure 49: per-aisle RF losses of 10 dB, 30 dB, 20 dB and 15 dB, stacked in a different order at the north and south ends of the aisles; the signal is lost after fewer aisles at the south end]
Both the north and south ends of the above aisles have an average RF loss per aisle of 18.75 dB.
However, differences in the order of the stacking of the goods causes more rapid loss at the south ends
of the aisles, resulting in an unusable signal after aisle #2. By contrast, the north end of the row does not
lose coverage until aisle #4. Therefore, using average loss values to make general coverage predictions
is inherently risky when planning RF coverage in retail facilities. Each stack of goods is more
appropriately viewed as a discontinuity that adds uncertainty and risk during the planning process for
any coverage “across” the direction of the aisles. Thus, the more coverage “across” aisles is relied upon,
the more risky the design will be for coverage reliability if the goods stored vary in density from day to
day.
This design strategy provides overlapping coverage through goods on the shelving from adjacent row
APs. Adjustments can be made when shelving is not floor to ceiling and clear LOS is available to more
than 1 row over.
[Figure: DO / DO NOT comparison of interior AP placement along an aisle]
DO place interior APs 10-15 feet down from the endcap, or one-third of the way down the aisle,
whichever is less. This placement provides smoother RSSI gradients in the center of the store and
avoids areas of weaker signal at the end of a long aisle.
Figure 54 Use the Natural Pattern of the Store and Minimize Aisle Crossings
[Figure 54: DO / DO NOT comparison of coverage along aisles versus diagonally across rows]
DO NOT base coverage strategy on diagonal coverage across rows. Instead, follow the natural aisle
pattern of the store, using a mix of corner and interior APs to create uniform RSSI to handheld
clients. Signal attenuation on diagonals is higher.
[Figure: DO / DO NOT comparison of AP placement relative to shelving]
DO NOT put an AP above a shelf to straddle two aisles. Place APs in the center of aisles wherever
possible to create a clear LOS to clients.
Retail Deployment Scenario Examples
Armed with the appropriate AP densities and an understanding of antenna placement strategies, it is
time to apply them to common retail environments.
[Figure: sample grocery store RF plan with eight APs:
AP #1 with LOS to the receiving office and stockroom
AP #2 covers the stockroom near the freezer doors
AP #3 gives LOS into the bakery, plus down the aisle ends
AP #4 in the frozen aisle (also with LOS to the deli)
Interior APs (#5, #6, #7) 15' in from the endcaps on alternating ends, anchored from the frozen aisle AP
Last AP (#8) in the corner opposite AP #3
Avoid the Wi-Fi hotspot on Ch. 6]
Successfully planning a retail store requires finding the right balance among numerous variables. To
simplify the process, always start with the Critical Coverage areas. Once these are handled, the strategy
for the rest of the store quickly becomes obvious.
Small Footprint Store (Low Shelving)
A small retail store or a convenience store will often have the following characteristics:
Low ceilings
Relatively small sales floor area, with good LOS throughout the store
Small stockroom in the back
May or may not have a separate receiving area
Coverage in a small store will be achieved with a low number of APs, usually with integrated antennas.
Typically these APs can be placed anywhere near the center of the sales floor and coverage will be
adequate. Here are placement rules for stores requiring up to two APs:
AP #1. Place near the center of the stockroom. It should have clear LOS to the receiving area if there is a separate entrance.
AP #2. Place in the center of the store. It should have the maximum clear LOS possible down the aisles of the store.
For stores large enough to require up to 4 APs:
AP #3. Place one-third of the way along the diagonal between the upper right and lower left corners of the store.
AP #4. Place two-thirds of the way along the same diagonal (the original text reads "between AP #3 and AP #4", which is self-referential; the symmetric placement on the same line is assumed here).
In all cases, the APs on the sales floor should have the maximum clear LOS possible down store aisles.
Figure 56 shows a sample RF plan for a small footprint store.
[Figure 56: sample RF plan for a small footprint store]
Warehouse (High Shelving)
This example highlights a typical dry goods storage warehouse. The design choices would be equally
valid in any facility with high ceilings that also has shelving or racking that extends nearly all the way
up. The sample facility is 400x1400 feet, and contains 33 APs. The AP model has external antenna ports,
and an Aruba downtilt omni is mounted next to each AP.
Chapter 7
Authentication and Security
Table 19 PCI Compliance Requirements

Goal                                       Requirements
Build and Maintain a Secure Network        Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
                                           Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Regularly Monitor and Test Networks        Requirement 10: Track and monitor all access to network resources and cardholder data.
                                           Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy    Requirement 12: Maintain a policy that addresses information security.
You can download the complete PCI DSS v1.2 standard from this web URL:
https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
What Are the Differences between PCI DSS v1.1 and v1.2?
PCI DSS v1.2 includes clarifying modifications to several requirements that more precisely explain the
controls that need to be implemented. Wireless LAN security is one of the topics that was modified. The
following excerpt summarizes the updated wireless LAN security objective:
“If wireless technology is used to store, process, or transmit cardholder data (for example,
point-of-sale transactions, “line-busting”), or if a wireless local area network (LAN) is
connected to or part of the cardholder data environment (for example, not clearly separated by
a firewall), the PCI DSS requirements and testing procedures for wireless environments apply
and must be performed as well…”
PCI DSS v1.2 compliance necessitates using firewalls, encryption, authentication, and wireless LAN
intrusion detection (IDS) for all wireless LANs. Some of these safeguards are also required even if the
wireless LAN is not used to transmit cardholder data. The wireless LAN requirements that were
modified as a part of PCI DSS v1.2 include explicit firewall wireless LAN configuration, elimination of
WEP, and the use of wireless IDS:
1. Firewall wireless LAN. Requirement 1.2.3 states that a perimeter firewall must be used between
any wireless LANs and networks that transmit cardholder data. The term “firewall” is defined to
include “stateful inspection” or “dynamic packet filtering.”
2. WEP is forbidden. Requirement 4.1.1 prohibits WEP security starting March 31, 2009 for all new
wireless LANs, and starting June 30, 2010 for all existing wireless LANs. This requirement applies to
all wireless LANs transmitting or otherwise associated with cardholder data.
3. Wireless IDS is mandatory. Requirement 11.1 states that all stores, warehouses, and offices that
have credit and debit card processing systems must be analyzed or scanned for unauthorized
wireless devices. Wireless IDS systems are now an approved alternative to quarterly handheld
wireless analyses.
We will look at these requirements in detail later in this chapter. A summary of all differences between
PCI DSS v1.1 and v1.2 is available at
https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf.
PCI Requirements for Wireless LANs: Quick Reference
PCI requirements specific to wireless LANs have been sorted into three levels of implementation in the
following illustration. These requirements correspond to the three PCI Compliance Categories
introduced in Chapter 3, “Defining WLAN Requirements for Retailers” . Each category has a different
risk profile and a distinct level of mandatory security controls. The PCI DSS v1.2 requirements that
apply to merchants in each of the three categories are shown in Figure 59.
[Figure 59: PCI DSS v1.2 requirements that apply to merchants in each of the three compliance categories, including 9.1.3: Physical Security]
In Chapter 3, “Defining WLAN Requirements for Retailers” , Aruba-based solutions to fully meet each of
the three compliance categories were introduced:
Category 1 – Centralized wireless IDS monitoring with AirWave
Category 2 – Distributed wireless IDS using Aruba Air Monitors and Controllers
Category 3 – Secure WLAN with wireless IDS and role-based access control
Organizations that choose PCI compliance category 3 will deploy a secure Aruba thin AP solution at
selected facilities. The solution must comply with requirement 7.2 regarding role-based access control,
and requirement 1.2.3 having to do with wireless perimeter firewalls.
public kiosk, or an employee on a shared-use terminal. Aruba logically separates all traffic and permits
access only to the level specifically granted by the administrator based on business needs.
Aruba wireless LANs also integrate with existing user databases to look up and enforce access
privileges on managed devices. For unmanaged devices, the Aruba wireless LAN pushes a captive
portal Web page to identify the user and restrict access for specified users, locations and time. We will
look at this in some detail in SSIDs, VLANs, and Role Derivation for Secure WLANs on page 112.
For administrative and IT access to wireless LAN equipment, AirWave Wireless Management Suite
(AWMS) offers flexible, role-based administrative access so the level of access available to each IT
administrator correlates to job function, (e.g., read-write privileges for network engineers or read-only
privileges for the help desk).
Wireless Intrusion Detection System Operation and Design
This section discusses the operation of the Aruba wireless intrusion detection system (WIDS) and how
it meets the requirements for a PCI-compliant WIDS configuration for retail environments.
To correctly classify and contain rogue APs, each Aruba AP and AM must also see specific traffic on the
wire. Special VLANs should not be used to aggregate Aruba APs and AMs: when placed on isolated “AP
VLANs”, the WIDS system cannot correlate wired and wireless traffic. In addition to scanning the air,
APs and AMs scan the wire, recording MAC addresses and looking for routers and gateways. Gateways
are used for classification; they are the default gateways used by the APs, and their MAC addresses are
propagated by the Aruba controller to all of the APs in the RF vicinity. Routers are detected by
inspecting the time-to-live (TTL) of received traffic: if the TTL is 31, 63, 127, or 254, the sender is most
likely a router. Routers are possible wireless gateways (layer 3 APs) and must be manually inspected by
the user to determine whether they are valid devices.
Each AP and AM maintains a list of all other APs, stations, gateways, and wired MAC addresses it can
see. Each AP and AM also maintains a list of associations (which stations are associated to which APs).
The amount of information stored is capped and this information is aged out when the specific device is
inactive for a configurable period of time. This allows the AP to conserve its memory and eventually
stop any containment activities.
AP Type                Description
Valid AP               An AP that has bootstrapped with a local or master controller or has been
                       manually marked as valid. Valid stations have passed encrypted traffic with a
                       valid AP.
Interfering AP         An AP that is not valid but has not been classified as a rogue. All non-valid
                       stations are always classified as interfering.
Suspect Unsecured AP   An AP that could be a rogue, but the certainty is not 100%.
Rogue AP               An interfering AP that transmits frames from valid wired MAC addresses (if an
                       L2 AP), or transmits beacons that are adjacent to wired MAC addresses (if an
                       L3 AP).
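The classification rules above (TTL router heuristic, the wired-MAC and adjacent-BSSID tests, station validity, and aging) written out as a small classifier. This is an added example, not Aruba code; the wired MAC list, BSSIDs and the "suspect" heuristic are constructed for illustration.

```python
"""Rogue-AP classification modelled on the WIDS rules described above.
Added example, not Aruba code; all observations below are constructed."""
from dataclasses import dataclass, field

# A router decrements the TTL, so common initial values (32, 64, 128, 255)
# arrive one lower when the sender is a router (the rule stated above).
ROUTER_TTLS = frozenset({31, 63, 127, 254})


def is_likely_router(ttl: int) -> bool:
    """True when the TTL of received traffic suggests the sender is a router."""
    return ttl in ROUTER_TTLS


@dataclass
class ObservedAP:
    bssid: str
    valid: bool = False          # bootstrapped with a controller or marked valid
    encrypted: bool = True       # beacons advertise WPA/WPA2 (constructed attribute)
    tx_src_macs: set = field(default_factory=set)  # source MACs in frames it transmits
    last_seen: float = 0.0       # seconds; used for aging out inactive entries


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def _adjacent(a: str, b: str) -> bool:
    """The L3-AP case: a BSSID sitting right next to a MAC seen on the wire."""
    return abs(_mac_int(a) - _mac_int(b)) == 1


def _same_oui(a: str, b: str) -> bool:
    return a.lower()[:8] == b.lower()[:8]


def classify_ap(ap: ObservedAP, wired_macs: set) -> str:
    """Apply the AP-type table: Valid, Rogue (L2 or L3), Suspect Unsecured, Interfering."""
    if ap.valid:
        return "Valid AP"
    # L2 rogue: transmits frames from MAC addresses we have seen on the wire.
    if ap.tx_src_macs & wired_macs:
        return "Rogue AP"
    # L3 rogue: beacons from a BSSID adjacent to a wired MAC address.
    if any(_adjacent(ap.bssid, m) for m in wired_macs):
        return "Rogue AP"
    # Assumed heuristic for the "not 100% certain" class: an open AP whose BSSID
    # shares a vendor OUI with a wired MAC but is not adjacent to it.
    if not ap.encrypted and any(_same_oui(ap.bssid, m) for m in wired_macs):
        return "Suspect Unsecured AP"
    return "Interfering AP"


def classify_station(passed_encrypted_traffic_with_valid_ap: bool) -> str:
    """Valid stations have passed encrypted traffic with a valid AP; all others are interfering."""
    return "Valid" if passed_encrypted_traffic_with_valid_ap else "Interfering"


def age_out(aps: list, now: float, max_idle: float) -> list:
    """Drop entries idle longer than max_idle, so memory is conserved and
    containment of a rogue that has disappeared eventually stops."""
    return [ap for ap in aps if now - ap.last_seen <= max_idle]


# Constructed observations (not captured from a real network).
WIRED_MACS = {"00:1a:1e:00:00:10", "00:0c:29:aa:bb:cc"}  # MACs an AM recorded on the wire
SAMPLE_APS = [
    ObservedAP("00:0b:86:c0:ff:01", valid=True, last_seen=100),
    ObservedAP("00:11:22:33:44:55", tx_src_macs={"00:0c:29:aa:bb:cc"}, last_seen=100),
    ObservedAP("00:1a:1e:00:00:11", last_seen=100),
    ObservedAP("00:1a:1e:00:99:99", encrypted=False, last_seen=40),
    ObservedAP("00:50:56:12:34:56", last_seen=100),
]


def classify_all(aps=SAMPLE_APS, wired_macs=WIRED_MACS) -> dict:
    """Classify every observed AP against the wired MAC list."""
    return {ap.bssid: classify_ap(ap, wired_macs) for ap in aps}


if __name__ == "__main__":
    for bssid, kind in classify_all().items():
        print(f"{bssid}  {kind}")
```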
Containment of Rogue APs
There are two ways to contain rogue APs. One is in the air using deauths (a deauth is an 802.11 control
frame that instructs a wireless device to terminate its session). The second is on the wire using ARP
poisoning. Using both increases the odds that the rogue AP will in fact be successfully contained. They
can be enabled separately if desired.
Wireless Containment
Most containment is done through the air. When an AP is classified as a rogue, Aruba APs and AMs that
can hear the AP will send wireless deauths to the AP and any associated stations. Specifically, the
Aruba AP or AM will send a deauth to the AP on behalf of each station, and a deauth to each station on
behalf of the rogue AP. The deauth frames are sent in response to data frames and a subset of the
management frames that are seen between the AP and the client.
APs and AMs contain rogues differently because they scan differently. If the rogue-AP-aware Adaptive
Radio Management option is disabled, an AP will only contain a rogue when it scans the channel that
the rogue is on. If the ARM option is enabled, the AP will switch to the channel that the rogue is on and
contain it by continually sending deauths. The ARM option assignment must be enabled. Also, if a rogue
AP is already on the channel the AP is on, the AP will not switch to another channel where another
rogue might reside.
Wireless containment only works when the rogue AP is servicing a channel within the Aruba AP’s
regulatory domain. It is illegal to send wireless frames on channels outside the regulatory domain.
Wired containment must be used to contain rogues outside the regulatory domain.
Wired Containment
For wired containment, attempts are made to contain the station associated to the rogue AP. Each IP
address (AP or station) is contained by ARP poisoning every second. Specifically, an ARP request is
sent for the AP’s default gateway from the IP address being contained, and an ARP response is also
sent on behalf of the default gateway. All relevant MAC addresses are locally administered so that the
traffic will be dropped. This exchange attempts to fool both the device being contained and the default
gateway. This is also known as a man-in-the-middle (MITM) attack against the rogue AP.
SSIDs, VLANs, and Role Derivation for Secure WLANs
Each Aruba Access Point has the ability to appear to wireless users as multiple physical APs. Each of
these virtual APs has its own Basic Service Set Identifier (BSSID) that identifies the AP and the
network name, or Service Set Identifier (SSID).
SSIDs
SSIDs appear as the name of the network displayed in the Available Wireless Networks screen on a
wireless client. While many APs in the same network will share the same SSID, each will have a unique
BSSID. This feature is often used to let users know which SSID they should attempt to associate to, and
to provide different levels of security to each of the SSIDs, such as WPA, WPA2, and Captive Portal.
Clients typically make roaming decisions based on the received signal strength of the BSSIDs they can
hear.
[Figure 60: the four retail SSIDs: High Security SSID, Preshared Key SSID, Voice/Video SSID, and Guest SSID]
Figure 60 shows the most common SSID design for retail organizations, which includes four different
SSIDs in the store environment. Warehouses and distribution centers typically use all but the Guest
SSID:
High Security SSID. A strong authentication and encryption combination (WPA2/802.1x) is used
for newer store data terminals (in this case, WPA2 – Enterprise). The network administrator might
choose a name such as “Retailer Employee” for this SSID.
Preshared Key Security SSID. This design is used for older store data terminals not capable of
modern authentication and encryption levels. This SSID is temporary until the retailer can
complete its next refresh to phase out these devices. In this case, the mobility controller uses an
SSID such as “Retailer-Legacy” and uses the strongest authentication and encryption suite
supported by the devices; in this case, WPA-PSK (pre-shared key).
Voice/Video SSID. This design is used for wireless phones and in-store television monitors. In this
case, the mobility controller uses an SSID such as “Retailer Voice.” Wireless phones and video
monitors connect on a separate, dedicated SSID and are given high priority through Quality of
Service (QoS) and differentiated services code point (DSCP), and use WPA/WPA2 with PSK.
Guest SSID. This SSID is used to provide guest access to the network for customers or vendors. This
SSID will not run any encryption and will require guests to authenticate using the Captive Portal
capability that is built into the Aruba Mobility Controller. The guest users can authenticate against a
centralized authentication server or the built-in local database on the mobility controller.
The strongest available level of security for a given class of devices should always be used. Use Table 2
on page 24 to select the appropriate authentication and encryption level for each SSID. Always update
the firmware or operating system to the most current version. You can use the Aruba interoperability
matrix as a handy reference to determine device capabilities (see Appendix B, “Client Device
Interoperability Matrix”).
VLANs
Network flow, security, and performance policies are applied to all traffic from users who have
successfully authenticated into any of the four SSIDs. You define policies by means of a role derivation
process utilizing the configuration profiles in the AP group assigned to that AP. You place the high-
security and legacy users on a VLAN with access to internal network resources; you can further refine
this setup with sophisticated firewall rules applied on a per-packet basis. For example, a dual-mode Wi-
Fi voice device is placed on a voice-only VLAN and only permitted to contact a SIP server and transmit
RTP traffic. Any attempt by the device to do something else would automatically ‘blacklist’ that device
from the network. Finally, guest users are placed onto a guest-only VLAN with access only to the
default gateway leading to the Internet. No other store or company network access is allowed.
Role Derivation
Aruba uses the term role derivation to describe the process of determining which role is to be assigned
to a user. The system can take into account the user’s credentials, location, time of day, and
authentication type when deciding which role to assign. This system can be as detailed or as general as
the administrator prefers. The role derivation process determines the following:
What class of service is provided to user traffic
Which firewall ACLs are applied to the user’s traffic
Which VLAN the user is placed into
For detailed information on configuring Roles and Policies, see Volume 4 of the Aruba OS User Guide.
state from the active user database. If the user was not active previously, the mobility controller will
proceed to authenticate the user via the authentication mode for the SSID. With 802.1x, it is coupled
with back-end authentication mechanisms such as Remote Authentication Dial-In User Service
(RADIUS), Active Directory, or Lightweight Directory Access Protocol (LDAP).
The mobility controller can perform user authentication in multiple ways to suit the varying needs of an
enterprise and the Authentication, Authorization, and Accounting (AAA) infrastructure currently in use.
The typical authentication methods employed on Aruba networks can be summarized as:
WPA2 or WPA with PSK
802.1x based user authentication with a backend server
802.1x PEAP termination on the controller
Captive portal based user authentication
A combination of authentication methods such as 802.1x followed by captive portal, or WEP
authentication followed by VPN.
Use Table 5 on page 28 to finalize the SSID and Authentication mode combinations for each of your
facility types. Although the Aruba mobility controller contains a scalable local database for users and
guests, it is a best practice to use the existing authentication infrastructure, which is typically
engineered for redundancy and high performance. Aruba supports integration with external RADIUS,
Active Directory, and LDAP servers.
Complying with the WEP Phase-Out Requirement
In the PCI DSS v1.2 standard, use of WEP must either be phased out or segmented by a compliant
firewall solution.
Requirement 4.1.1: Make sure wireless networks transmitting cardholder data or connected to the
cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement
strong encryption for authentication and transmission. For new wireless implementations, it is
prohibited to implement WEP after March 31, 2009. For current wireless implementations, it is
prohibited to use WEP after June 30, 2010.
This requirement specifies the use of strong encryption for wireless transmission, whether or not credit
and debit card data are transmitted, and strict timelines on the elimination of the compromised security
mechanism, WEP. Prior to PCI DSS v1.2, this requirement applied only if the wireless networks were
transmitting credit card data.
There are two approaches to complying with Requirement 4.1.1.
1. Eliminate the WEP security by reconfiguring existing wireless networks to use 802.11i-specified
security such as WPA or WPA2. Given hardware and software restrictions of legacy devices in use,
this approach may require a replacement of certain wireless devices such as barcode scanners and
embedded wireless devices.
2. Segment the wireless network and devices to quarantine WEP-based devices from the cardholder
environment using PCI-defined segmentation techniques. Doing so shifts WEP-only devices out-of-
scope of PCI compliance. This approach can shield merchants from the cost and complexity of
replacing legacy systems already in place.
Aruba specifically recommends against the use of WEP because of security concerns. To this end, an
Aruba wireless LAN simultaneously supports all of the following encryption and authentication
protocols:
WPA. 802.1x authentication with Temporal Key Integrity Protocol (TKIP) encryption
WPA2. 802.1x authentication with Advanced Encryption Standard (AES) in Counter Mode with
CBC-MAC (CCM) encryption
IPsec. Triple Data Encryption Standard (3DES) or AES-CBC encryption
Point-to-Point Tunneling Protocol (PPTP). VPN technology using Microsoft Point-to-Point Encryption
(MPPE)
xSec. 802.1x authentication with AES-CBC-256 encryption designed for federal and sensitive
commercial applications.
Legacy barcode scanners present a specific challenge with respect to WEP, and in many cases legacy
scanners do not support alternate encryption and authentication protocols. Aruba’s integrated ICSA-
certified, role-based firewall can segment these WEP devices and thereby move them outside the scope
of PCI compliance. The role-based firewall also enables Aruba to prevent unauthorized access to the
cardholder environment, blacklisting any unauthorized devices that attempt to penetrate the Aruba
wireless LAN.
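The Requirement 4.1.1 deadlines and the two compliance approaches above, together with the "strongest available suite per device class" rule from the SSID section, as a small assessment script. This is an added example, not Aruba code; the device inventory and the suite ranking are constructed (xSec is placed first only because the page lists it as the strongest Aruba option).

```python
"""Assessment helpers for PCI DSS v1.2 Requirement 4.1.1 (WEP phase-out) and
for choosing the strongest suite each device class supports.
Added example, not Aruba code; the inventory below is constructed."""
from datetime import date

# Deadlines quoted from Requirement 4.1.1 above.
WEP_BAN_NEW = date(2009, 3, 31)       # no WEP in implementations started after this date
WEP_BAN_EXISTING = date(2010, 6, 30)  # no WEP in any implementation after this date

# Strongest first, following the protocol list above (constructed ordering).
SUITE_RANK = ("xSec", "WPA2-Enterprise", "WPA2-PSK", "WPA-Enterprise",
              "WPA-PSK", "WEP", "Open")


def strongest_suite(supported) -> str:
    """Pick the strongest suite a device class supports."""
    for suite in SUITE_RANK:
        if suite in supported:
            return suite
    return "Open"


def wep_permitted(deployed: date, today: date) -> bool:
    """May a WLAN deployed on `deployed` still run WEP on `today`?"""
    if deployed > WEP_BAN_NEW:          # a new implementation
        return False
    return today <= WEP_BAN_EXISTING    # an existing implementation


def assess_wlan(suite: str, deployed: str, today: str, segmented: bool) -> str:
    """Status of one WLAN under 4.1.1.  Dates are ISO strings.  `segmented`
    means a PCI-defined firewall boundary keeps the WLAN out of the cardholder
    environment (approach 2 above).  Returns one of: compliant, out-of-scope,
    compliant-until-deadline, noncompliant."""
    if suite != "WEP":
        return "compliant"              # 802.11i-based security (approach 1)
    if segmented:
        return "out-of-scope"
    if wep_permitted(date.fromisoformat(deployed), date.fromisoformat(today)):
        return "compliant-until-deadline"
    return "noncompliant"


# Constructed inventory: device class -> suites its firmware supports.
DEVICES = {
    "new store terminals": {"WPA2-Enterprise", "WPA2-PSK", "WPA-PSK", "WEP"},
    "older store terminals": {"WPA-PSK", "WEP"},
    "wireless phones": {"WPA2-PSK", "WPA-PSK"},
    "legacy barcode scanners": {"WEP"},
}


def plan_ssids(devices=DEVICES) -> dict:
    """For each device class: the suite to use, and whether the class is WEP-only
    and therefore must be segmented from the cardholder environment."""
    plan = {}
    for cls, supported in devices.items():
        suite = strongest_suite(supported)
        plan[cls] = {"suite": suite, "needs_segmentation": suite == "WEP"}
    return plan


if __name__ == "__main__":
    for cls, p in plan_ssids().items():
        print(f"{cls:26} {p['suite']:16} segment={p['needs_segmentation']}")
    print(assess_wlan("WEP", "2008-06-01", "2010-07-01", segmented=True))
```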
Authenticating with 802.1x
802.1x is the most secure method of wireless security; however, it requires client devices that are
capable of supporting 802.1x, and a back-end authentication infrastructure with unique login
credentials for each user. This may be a challenge in many present retail environments. Unique logins
are often assigned only to store managers, and team member turnover may make the use of PSK more
economical for certain applications.
802.1x was developed to secure wired ports by placing the port in a ‘blocking’ state until authentication
completes using Extensible Authentication Protocol (EAP). EAP is a framework that allows many
different authentication types to take place within the EAP system; Protected EAP (PEAP) is most
commonly used in wireless. In this mode, a Transport Layer Security (TLS) tunnel is created and user
credentials are passed to the authentication server within the tunnel. When the authentication is
complete, the client and the mobility controller both have copies of the keys used to protect the user
session.
[Figure: 802.11 Association (Associate / Associate response), 802.1x Authentication (EAP response, EAP exchange), and 4-way Handshake (Key1 through Key4) between Station and AP]
Using RADIUS and a WPA2-protected connection as an example, authentication occurs using 802.1x.
The mobility controller forwards the request to the RADIUS server, which performs the actual
authentication and sends a response to the mobility controller. Once authentication completes
successfully, encryption keys are passed to the mobility controller from the RADIUS server, along with
the user’s access policies. The mobility controller then completes the role derivation process and adds
the new user, along with all the relevant state information, into the active user database and completes
the authentication process. A security context is created, and for encrypted links, key exchange occurs
where all traffic is now encrypted.
[Figure: AP, WLAN switch, L2/L3 switch and corporate backbone, numbered steps 1 to 5; step 5: WLAN switch decrypts data, processes packets, applies services and forwards packets based on .11 MAC]
If the user already exists in the active user database and attempts to associate to a new AP, the mobility
controller will understand that an active user has moved and will restore the user’s connectivity state
and initiate mobility processing.
For distribution center, warehouse, and large footprint store deployments, a compatible AAA server
must exist in order to utilize 802.1x authentication. If a centralized AAA infrastructure exists that is
queried across the retailer WAN, it can easily be used for wireless authentication. This is the more
reliable solution with the least administrative cost for the retailer. On the other hand, if the AAA server
is located in the store or warehouse, each local controller must be configured with appropriate IP
address information during the staging process. Verification of 802.1x authentication to the production
AAA server is recommended either during staging or on the night of the installation.
For Remote AP deployments in small footprint stores, Aruba recommends using a centralized AAA
server for 802.1x SSIDs. You can co-locate this server at the retail data center where the DMZ with the
local controllers is installed.
ArubaOS uniquely supports AAA FastConnect, which allows the encrypted portions of the 802.1x
authentication exchanges to terminate on the mobility controller. Here the Aruba hardware encryption
engine dramatically increases authentication scalability and performance. Supported for
PEAP-MSCHAPv2, PEAP-GTC, and EAP-TLS, AAA FastConnect removes the requirement for external
authentication servers to be 802.1x-capable and increases authentication server scalability by
permitting several hundred authentication requests per second to be processed.
Authenticating with Captive Portal
For temporary store visitors, including customers and vendors, Aruba supports a Web-based captive
portal that provides secure browser-based authentication. Captive portal authentication is encrypted
using Secure Sockets Layer (SSL), and can support both registered users with a login and password or
guest users who supply only an email address.
The user connects to the SSID, which requires no authentication, and is placed in a state that requires a
login. When the user opens a web browser, a captive portal screen appears, asking them to enter either
the credentials chosen by the retailer for access, such as an email address, or to simply accept a set of
service terms.
At the store and distribution center level, users will most likely be placed in a single user subnet that
has access to internal resources at that location only.
[Figure: guest access controlled by time of day; no access after hours]
Configure additional policies to limit the use of the network for guests. The first policy is a time-of-day
restriction. The user should be limited to accessing the network during normal store hours. Accounts
should be set to expire automatically, typically at the end of each business day.
[Figure: mobility controller rate-limiting guest data]
A rate limit can be put on each guest user to keep the user from using up the limited wireless
bandwidth. Employee users should always have first priority to the wireless medium for conducting
company business. Remember to leave enough bandwidth to keep the system usable by guests. Aruba
recommends a minimum of 10% bandwidth. Guests can always burst when the medium is idle.
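The role derivation described earlier (SSID and authentication type deciding VLAN, class of service and firewall ACLs, with the voice device blacklisted if it sends anything but SIP/RTP) and the guest restrictions above (store hours, end-of-day expiry, rate limit) as one small policy engine. This is an added example, not ArubaOS code; the role names, VLAN numbers, port ranges and sample packets are constructed.

```python
"""Role derivation plus per-role enforcement, modelled on the text above.
Added example, not ArubaOS code; roles, ACLs and packets are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

RTP_PORTS = (16384, 32767)   # constructed RTP range used by the store's SIP phones

@dataclass(frozen=True)
class Role:
    name: str
    vlan: int                      # which VLAN the user is placed into
    qos_class: str                 # what class of service the user's traffic gets
    acl: tuple                     # (proto, (lo, hi) or None, action); first match wins
    store_hours: tuple = (0, 24)   # [open, close) local hour during which access is allowed
    rate_limit_kbps: Optional[int] = None

ROLES = {
    "Employees": Role("Employees", 200, "best-effort", (("any", None, "permit"),)),
    # Voice-only VLAN: SIP signalling and RTP media only; anything else blacklists the device.
    "Voice": Role("Voice", 300, "voice",
                  (("udp", (5060, 5060), "permit"), ("udp", RTP_PORTS, "permit"),
                   ("any", None, "blacklist"))),
    # Guest VLAN: Internet-bound web and DNS only, store hours, a small slice of bandwidth.
    "Guest": Role("Guest", 900, "background",
                  (("udp", (53, 53), "permit"), ("tcp", (80, 80), "permit"),
                   ("tcp", (443, 443), "permit"), ("any", None, "deny")),
                  store_hours=(9, 21), rate_limit_kbps=1024),
}

# Derivation inputs named in the text: the SSID and the authentication type.
DERIVATION = {
    ("Retailer Employee", "802.1x"): "Employees",
    ("Retailer Voice", "WPA2-PSK"): "Voice",
    ("Retailer Guest", "captive-portal"): "Guest",
}

def derive_role(ssid: str, auth_type: str) -> Role:
    """Map (SSID, auth type) to a role; unknown combinations get the guest role."""
    return ROLES[DERIVATION.get((ssid, auth_type), "Guest")]

@dataclass
class Session:
    role: Role
    expires: Optional[datetime] = None   # guest accounts expire at close of business
    blacklisted: bool = False

def new_session(role: Role, now: datetime) -> Session:
    """Create the user's session; guests get an expiry at the store's closing hour."""
    expires = None
    if role.name == "Guest":
        expires = now.replace(hour=role.store_hours[1], minute=0, second=0, microsecond=0)
    return Session(role, expires)

def _matches(entry, proto: str, dport: int) -> bool:
    eproto, ports, _ = entry
    if eproto != "any" and eproto != proto:
        return False
    return ports is None or ports[0] <= dport <= ports[1]

def enforce(sess: Session, proto: str, dport: int, now: datetime) -> str:
    """Return the firewall action (permit / deny / blacklist) for one packet."""
    if sess.blacklisted:
        return "deny"
    role = sess.role
    if sess.expires is not None and now >= sess.expires:
        return "deny"                                   # account expired
    if not (role.store_hours[0] <= now.hour < role.store_hours[1]):
        return "deny"                                   # outside store hours
    for entry in role.acl:
        if _matches(entry, proto, dport):
            action = entry[2]
            if action == "blacklist":
                sess.blacklisted = True                 # device is blacklisted from the network
            return action
    return "deny"

def at(hour: int) -> datetime:
    """Constructed timestamp on a fixed day, for the demo and tests."""
    return datetime(2008, 12, 1, hour, 0)

def demo() -> dict:
    """Walk a phone and a guest through a few packets; returns the verdicts."""
    phone = new_session(derive_role("Retailer Voice", "WPA2-PSK"), at(10))
    guest = new_session(derive_role("Retailer Guest", "captive-portal"), at(10))
    return {
        "phone_sip": enforce(phone, "udp", 5060, at(10)),
        "phone_rtp": enforce(phone, "udp", 20000, at(10)),
        "phone_web": enforce(phone, "tcp", 80, at(10)),      # not SIP/RTP: blacklisted
        "phone_sip_after": enforce(phone, "udp", 5060, at(10)),
        "guest_web": enforce(guest, "tcp", 443, at(12)),
        "guest_ssh": enforce(guest, "tcp", 22, at(12)),
        "guest_late": enforce(guest, "tcp", 443, at(22)),    # after hours and expired
    }
```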
With appropriate levels of encryption and authentication for different users, the system is completely
secured. The unique combination of these security mechanisms and Aruba Role-Based Access Control
(RBAC) gives an Aruba WLAN far more control and granularity of user traffic than simply demanding a
particular type of authentication and encryption. Aruba uniquely meets the requirements of PCI
compliance while allowing for a smooth and seamless transition from legacy devices and applications
to those that support the strongest encryption and authentication provided by WPA2 and 802.11i.
What Is A Profile?
A profile is defined as a logical container consisting of a number of related configuration settings. There
are nearly 30 different types of profiles available. To bring up a basic working SSID with limited
security on an AP, only a SSID Profile is required. More complex configurations require more profiles to
be defined, such as for high security SSIDs using 802.1x authentication. In this case, a AAA Profile is
also required as shown in Figure 66.
[Figure 66: example SSID Profile properties (left) and AAA Profile properties (right)]
Every profile must be assigned a unique name; names cannot contain any white space characters. The
example SSID Profile on the left contains related values whose purpose is to define a specific 802.11
SSID that will be available for a specific group of users, in this case employees who typically
authenticate against an organization’s AAA infrastructure. The example AAA profile on the right defines
the configuration of the RADIUS or LDAP server. As we have discussed, in a retail deployment it is
common to have separate SSID profiles for PSK devices, voice devices, and guests. Guests typically
may authenticate through a captive portal, which would require other profiles be defined to configure
its operation. SSID profiles and AAA profiles can then be combined as desired to use different
authentication servers for different groups of users.
Profiles are realized on the mobility controller through the GUI or the CLI. In the web GUI, each type of
profile has its own page, with all relevant parameters that are accessed through the Profiles tab on the
Configuration page. Figure 67 shows the GUI for the SSID Profile example above, along with a CLI
excerpt from the startup-config file for the same profile:
NOTE: Profile names, AP names, and AP Group names must not contain any spaces or other white space
characters.
Aggregating Profiles into a Complete Configuration
Profiles are combined in a building-block fashion to produce the desired functionality. In addition, most
profiles are portable and reusable, allowing the administrator to reduce configuration complexity while
simultaneously permitting almost any combination of profiles.
A basic example is the virtual AP profile which includes both virtual AP settings and other profiles in a
hierarchical fashion. A virtual AP profile contains the VLAN number, a valid SSID profile, and possibly
an AAA profile. Figure 68 shows how a common AP group for a retailer can be visualized.
Figure 68 Typical AP Group for Retail Store SSIDs with Nested VAP Profiles
[Figure 68: AP Group “Retail_Store_Group” with its nested virtual AP profiles]
You can configure and apply multiple instances of virtual AP profiles to an AP group or to an individual
AP using the Configuration tab on the Controller GUI as shown in Figure 69.
Consult the ArubaOS 3.3.1 User Guide Volume 4, “Configuring Wireless Encryption and
Authentication” for detailed information about configuring profiles.
Example 802.1x Profile Configuration for Retail
This is an example deployment which will set up a new SSID, “High Security.” It will run WPA2 and
authenticate against a RADIUS server and a backup server. Authenticated users will be placed in the
user role “Employees” on VLAN 200.
The procedure to build profiles is divided into three parts: basic setup, creation of security profiles, and
creation of WLAN profiles, and is performed in this order.
Basic Setup
Create the VLAN and Employee user role and its related policies.
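The three parts of the procedure (basic setup, security profiles, WLAN profiles) written out as an ArubaOS-style CLI excerpt. This is an added illustration, not the guide's own configuration: the command syntax is from memory of ArubaOS 3.x and should be checked against the ArubaOS User Guide Volume 4 cited above, and the RADIUS addresses, shared secrets and profile names are placeholders (the profile names contain no white space, as the NOTE above requires).

```text
vlan 200
user-role Employees
  session-acl allowall

aaa authentication-server radius "RADIUS-Primary"
  host 10.0.0.10
  key <shared-secret>
aaa authentication-server radius "RADIUS-Backup"
  host 10.0.0.11
  key <shared-secret>
aaa server-group "Retail-RADIUS"
  auth-server "RADIUS-Primary"
  auth-server "RADIUS-Backup"
aaa authentication dot1x "HighSec-dot1x"
aaa profile "HighSec-AAA"
  authentication-dot1x "HighSec-dot1x"
  dot1x-default-role "Employees"
  dot1x-server-group "Retail-RADIUS"

wlan ssid-profile "HighSec-SSID"
  essid "High Security"
  opmode wpa2-aes
wlan virtual-ap "HighSec-VAP"
  ssid-profile "HighSec-SSID"
  aaa-profile "HighSec-AAA"
  vlan 200
ap-group "Retail_Store_Group"
  virtual-ap "HighSec-VAP"
```

The first block is the basic setup, the second the security profiles, and the third the WLAN profiles, in the order the text prescribes; the server group lists the primary server before the backup so the controller falls back in that order.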
Best Practices for Wireless LAN Profiles
Profiles can be divided into one of two basic types: Wireless LAN definition and Wireless security
definition.
As part of the building block approach to profile creation, we recommend that you create the minimum
number of profiles required with the maximum amount of profile reuse. This approach can be
generalized as follows:
SSID Configuration
When planning SSIDs for a WLAN:
1. Use the minimum SSIDs possible to keep radio beacons and RF contention and management to a
minimum.
2. Use the Aruba firewall and user roles to keep different groups of users separated from each other or
from network resources.
3. Do not mix different types of wireless security on the same SSID. For example: 802.1x and WPA
security on the same SSID.
4. Do not change the basic rates or default 802.11 advanced settings for any reason.
5. If you want to eliminate some of the slower transmit rates supported by an SSID, allow at least two
speeds. Do not remove all but the highest rate.
Virtual APs
Do not enable strict compliance unless you have legacy wireless equipment.
Chapter 8 QoS Design for Voice and Data Devices
Toll quality in-store voice over 802.11 wireless networks is a critical application for many
retailers. The Aruba WLAN controller contains significant voice-specific quality of service (QoS)
features that provide dramatic increases in call security, quality, and reliability when compared
to previous generations of technology.
This chapter will show you how to make key voice and QoS design decisions including:
When to use a separate service set identifier (SSID) for voice
What is the encryption and authentication mechanism that should be enabled
Should voice have a dedicated VLAN
How can battery life be improved
What RF settings should be used
Tagging and QoS features
Call capacity planning.
These topics will be covered in this chapter. Several of the tables that were collected in Chapter 3,
“Defining WLAN Requirements for Retailers” as part of the Define phase contain information needed to
complete a QoS design.
802.11b capable devices only
If the majority of the handsets deployed are only capable of 802.11b, make sure that:
Limit all other non-voice devices on the 802.11b band. Most data devices are 802.11a/b/g
capable. By broadcasting the data SSIDs on the 802.11a band alone, the data devices can be
limited to the 5 GHz band, freeing the 2.4 GHz 802.11b channels.
There may be some data devices on the 802.11b/g band that are not 802.11a capable. Limit their
bandwidth and number of client associations to control congestion.
802.11b/g capable devices
Most voice capable devices in the industry today are 802.11b and 802.11g capable. Using only
802.11g devices in the 2.4 GHz band improves the performance of the band by 20% or more
compared to using a mix of both 802.11b and 802.11g devices in the band.
Use 802.11g if the handsets support both 802.11b and 802.11g. If the handset allows you to
disable 802.11b and operate using only 802.11g, then this option is recommended because it will
allow more handsets to be supported simultaneously.
Limit 802.11b/g traffic in the 2.4 GHz band. Limit the number of 802.11b/g-only clients in the 2.4
GHz band.
Move all end points that support 802.11a/b/g to 802.11a
If the handset supports only 802.11b, set the basic rates to 1 and 2, and set the supported rates on
the access points (APs) to 1, 2, 5.5, and 11. Lower basic rates increase reliability in certain cases
where the client may have issues receiving acknowledgements at higher rates in a dense
environment, or if the client is at the cell border.
Separate SSIDs For Voice Clients
The decision here is whether or not to use a dedicated SSID for the voice devices. This choice should be
based more on the device’s RF capabilities than on security (see Appendix B, “Client Device
Interoperability Matrix” for a quick reference for these capabilities). The dedicated firewall integrated
into the Aruba controller allows the administrator to isolate the SSID used for connectivity from the
security and QoS policies, which are based on the user profile and traffic type.
A dedicated SSID should be used for the voice devices if and only if the following apply:
The device operates with Delivery Traffic Indication Message (DTIM) settings of 3 or greater. The
battery save settings (Power Save and DTIM settings) on the handset can be optimized to larger
DTIM values to improve battery life without adversely affecting the handset operations. Changes in
these values do affect data device performance.
The encryption and authentication levels supported by the handsets do not match the encryption
and authentication mechanisms enforced on the data clients.
The encryption and authentication methods supported by the handsets match the security enforced
on the data devices, but these settings adversely affect handset roaming due to the handset driver
behavior or processing power.
The voice solution selected demands a dedicated VLAN as it does not support L3 connectivity back
to the call servers.
If none of these criteria match, it should be possible to use the same SSIDs and the same encryption and
authentication methods that the data devices use. Different levels of QoS can be enforced based on the
traffic type without requiring a separate SSID.
WPA-PSK and WPA2-PSK – Supported by all the handsets in the industry today. WPA-PSK and
WPA2-PSK have reliable roam times and shorter key exchange times.
WPA2-AES with OKC – The most optimal authentication/encryption type because it offers low
roam times and strong security.
WPA-TKIP Enterprise – These types can also be used, provided that the roam times are low
for these encryption and authentication methods.
NOTE: When using WPA or WPA2, set the wpa-key-period timer to 100 ms.
As far as authentication is concerned, if dynamic encryption is mandated, then 802.1x or 802.11i is the
preferred choice. The preferred Extensible Authentication Protocol (EAP) type should be chosen
according to the vendor’s recommendations or according to certification lab recommendations.
Virtual AP Design
VLAN Settings
Some voice deployments require that both the handsets and the servers reside in the same broadcast
domain, because the handsets rely on broadcast or multicast traffic to register with and find the
server, or for other voice-server based features. Keeping the two together also limits the traffic in
that VLAN to voice traffic and keeps the broadcast domain contained. If the number of devices in a single
broadcast domain is greater than 200, the handsets may experience call quality issues. This is not likely
to be an issue in most retail stores. However, large distribution centers could have hundreds of active
voice users at one time.
If the voice client supports layer 3 communications between the server and the handset and the number
of devices exceeds 200, it is recommended to use VLAN pooling to load balance all the devices
associated with the SSID across a number of dedicated voice VLANs. Alternatively, the voice devices
can also co-exist with the data devices in the data VLAN provided that the devices and the VLANs are
secured.
Max-Retries
A general best practice for voice deployments is to set the retries on the controller and handset to 2.
Because VoIP is delay sensitive, after the packet is delayed, retrying in order to successfully transmit a
packet may just add to the latency in the network.
NOTE: In noisy wireless environments, try increasing this value slightly to improve reliability.
Some handsets also use probe requests to identify available APs and these probe requests may be
broadcast probe requests. When using these handsets, be sure to enable Infrastructure Response to the
broadcast probe requests for the voice SSID. Otherwise, disable the broadcast probe requests for the
voice SSID. Another good practice is to not hide the beacons for the voice SSID.
[Figure: Downstream traffic and upstream traffic]
Wireless QoS Recommendations
If the client supports WMM, then enable WMM on the Aruba system and the handset. Verify that the
client tags the voice (and data traffic) appropriately.
WMM queues map to different DSCP and ToS tags. Unless otherwise recommended by the handset
manufacturer, use the default WMM mappings.
Make sure that the traffic prioritization is such that voice receives the highest priority, followed by
video. Data should receive the lowest priority. The priority levels for each of the applications are set
according to the delay, retry, jitter, and loss tolerance of the application.
Make sure that the protocols for voice data traffic (for example, RTP) and control traffic (for
example, SIP) are prioritized. Control traffic is used for call setup and the voice data traffic needs to
be prioritized to provide good call quality.
In the absence of WMM support on the handset, make sure that voice uses the high-priority queue
and all the other applications use the low-priority queue.
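The recommendations above boil down to a check that can be scripted: take the DSCP values a handset and a data client actually mark, run them through the DSCP-to-WMM mapping, and confirm that voice lands in the voice queue, video below it, and data at the bottom. The following is an added example, not Aruba code; the DSCP-to-user-priority rule it uses (upper three bits of the DSCP) is a common default and is an assumption here, so read the controller's actual mapping rather than relying on this one. The user-priority-to-access-category table is the standard 802.11e/WMM one. The sample flows are constructed.

```python
"""Check whether a handset's DSCP marks land voice, call control, video and data in the
intended WMM access categories.  Added example, not Aruba code: the DSCP -> user priority
rule below is the common 'upper three DSCP bits' default and is an assumption; read the
controller's actual mapping rather than relying on this one."""
from dataclasses import dataclass
from typing import List, Tuple

# IEEE 802.11e / WMM: 802.1D user priority (0-7) -> access category
UP_TO_AC = {1: "AC_BK", 2: "AC_BK", 0: "AC_BE", 3: "AC_BE",
            4: "AC_VI", 5: "AC_VI", 6: "AC_VO", 7: "AC_VO"}
AC_RANK = {"AC_BK": 0, "AC_BE": 1, "AC_VI": 2, "AC_VO": 3}

# Acceptable AC rank per traffic kind, following the page's ordering: voice highest,
# video next, data lowest; call control (SIP) must at least sit above data.
ACCEPTABLE_RANK = {"voice": (3, 3), "control": (2, 3), "video": (2, 2), "data": (0, 1)}


def dscp_to_up(dscp: int) -> int:
    """Assumed default mapping: UP = upper three bits of the 6-bit DSCP."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp >> 3


def wmm_ac(dscp: int) -> str:
    return UP_TO_AC[dscp_to_up(dscp)]


@dataclass
class Flow:
    name: str
    kind: str   # "voice", "control", "video" or "data"
    dscp: int


def check_tagging(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (flow name, access category) for every flow that lands in the wrong queue."""
    wrong = []
    for f in flows:
        ac = wmm_ac(f.dscp)
        lo, hi = ACCEPTABLE_RANK[f.kind]
        if not lo <= AC_RANK[ac] <= hi:
            wrong.append((f.name, ac))
    return wrong


def legacy_queue(kind: str) -> str:
    """Two-queue fallback for handsets without WMM: voice high, everything else low."""
    return "high" if kind == "voice" else "low"


# Constructed sample of what a handset and a data client might mark.
SAMPLE_FLOWS = [
    Flow("rtp-ef", "voice", 46),       # EF: upper bits 101 -> UP 5 -> AC_VI, not AC_VO
    Flow("rtp-cs6", "voice", 48),      # CS6: UP 6 -> AC_VO
    Flow("sip-cs3", "control", 24),    # CS3: UP 3 -> AC_BE, below video
    Flow("video-af41", "video", 34),   # AF41: UP 4 -> AC_VI
    Flow("http-be", "data", 0),        # best effort
]

if __name__ == "__main__":
    for name, ac in check_tagging(SAMPLE_FLOWS):
        print(f"{name}: lands in {ac}; re-mark the client or adjust the DSCP-to-WMM map")
```

Note what the constructed sample exposes: RTP marked EF (DSCP 46) ends up in the video access category under the upper-three-bits rule, and SIP marked CS3 falls into best effort. That is exactly why the text says to verify the client's tags instead of assuming that "voice" marking means the voice queue.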
Capacity Planning
The 802.11 wireless networking protocols are half-duplex by nature and use a contention based
algorithm. As a result, there is a limit to the optimal number of voice clients per AP, depending on the
overhead of the VoIP protocol headers, packet sizes, and the encryption used.
[Figure 71: AP call capacity, showing the High Capacity Threshold and Handoff Reservation areas]
Figure 71 illustrates the potential call capacity of an AP. The top horizontal line in the figure represents
the total gross call capacity of the AP and the bottom horizontal line represents a call capacity of zero.
The gross call capacity of the AP is diminished by the following areas shown in the figure:
Data reservation (top of figure). This amount of the gross call capacity is reserved for data
applications. Subtracting out the Data Reservation leaves the total voice call capacity (labeled Total
Call Capacity in the figure).
High capacity threshold and handoff reservation. These two shared areas on the diagram
further diminish the call capacity. The High Capacity Threshold area is the amount of capacity
reserved for peak calling activity so that calls are not dropped during high call demand periods. The
Handoff Reservation area is the amount of capacity kept on standby for roaming users who are
coming from one AP to another AP.
The net resulting average call capacity of the AP is labeled Call Capacity in the figure.
The recommended maximum per-AP call capacities for clients using G.711 and SIP are listed in
Table 22.
802.11b – 12 calls
Call capacity with codecs such as G.729 yields up to a 20% improvement over the call capacities just
listed. G.711 is widely supported and is the recommended choice for VoFi because it marginally
improves voice quality.
Enabling call admission control (CAC) on an AP helps make sure that the AP is not overwhelmed by
simultaneous calls beyond a specified capacity. Aruba CAC is aware of the call status of the client (the
on-hook/on-call status), which allows the algorithm to make intelligent call balancing and capacity
control decisions with minimal impact to the call quality.
Aruba strongly recommends enabling CAC for production voice deployments. The maximum number of
calls supported per AP is a configurable parameter and should be set depending on the other traffic
bandwidth requirements on the AP on the same band as the voice clients. CAC is implemented on a per-
AP, per-radio basis. Set the handoff reservations and the high capacity threshold value to 20%.
These call-based CAC settings are recommended for a single-controller environment only. CAC also
supports TSpec based bandwidth reservation for voice clients, allowing voice clients that don’t support
TSpec to coexist with the clients that do. TSpec based CAC can be enabled in a single-controller
environment in addition to the call based CAC for handsets that support TSpec.
In a multi-controller environment, CAC can be enforced on clients that roam from one controller to
another if and only if the clients support TSpec signaling and TSpec signaling is enabled. The
recommended setting in a multi-controller environment is to enable both call based CAC for intra-
controller CAC enforcement, and TSpec based CAC for both intra- and inter-controller CAC
enforcement. The TSpec based CAC enforcement for an inter-controller environment is available as of
ArubaOS version 3.2.
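The capacity budget of Figure 71, the 20% settings recommended for CAC, the G.729 codec gain and the 200-devices-per-broadcast-domain rule from the VLAN Settings section can all be worked through numerically. The block below is an added example and not Aruba's CAC implementation: it models the reservations as the text describes them, and its admission rule (a roaming call may draw on the handoff reservation, a new local call may not) is an illustrative model, not a statement of how the controller decides. The gross capacity and data reservation values are constructed so that the resulting total call capacity equals the 12-call figure the page lists for 802.11b with G.711 and SIP.

```python
"""Per-radio voice capacity budget and a simple admission check.
Added example: it models the reservations described for Figure 71 and the 20% CAC settings
the text recommends; it is not Aruba's CAC implementation, and the gross capacity and
data reservation values used in the demo are constructed."""
from dataclasses import dataclass

CODEC_GAIN_PCT = {"G.711": 0, "G.729": 20}   # page: G.729-class codecs give up to 20% more calls
DEVICES_PER_SUBNET = 200                      # page: rule-of-thumb ceiling before VLAN pooling


@dataclass
class CapacityBudget:
    gross_calls: int          # gross call capacity of the radio (top line of Figure 71)
    data_reserve_pct: int     # share of gross capacity reserved for data applications
    high_cap_pct: int = 20    # High Capacity Threshold, recommended 20%
    handoff_pct: int = 20     # Handoff Reservation, recommended 20%

    def total_call_capacity(self) -> int:
        """Gross capacity minus the data reservation ('Total Call Capacity' in the figure)."""
        return self.gross_calls * (100 - self.data_reserve_pct) // 100

    def high_capacity_threshold(self) -> int:
        return self.total_call_capacity() * self.high_cap_pct // 100

    def handoff_reservation(self) -> int:
        return self.total_call_capacity() * self.handoff_pct // 100

    def call_capacity(self) -> int:
        """Net average call capacity after both reservations ('Call Capacity' in the figure)."""
        return (self.total_call_capacity()
                - self.high_capacity_threshold()
                - self.handoff_reservation())


def codec_adjusted(calls: int, codec: str) -> int:
    """Scale a G.711 call count by the codec gain the page quotes."""
    return calls * (100 + CODEC_GAIN_PCT[codec]) // 100


def voice_vlans_needed(devices: int, per_vlan: int = DEVICES_PER_SUBNET) -> int:
    """Number of pooled voice VLANs needed to keep each broadcast domain at or under the limit."""
    return -(-devices // per_vlan)


@dataclass
class RadioCAC:
    """Illustrative per-radio admission control (a model, not Aruba's algorithm):
    a new local call may only use the net call capacity; a call roaming in from
    another AP may additionally draw on the handoff reservation."""
    budget: CapacityBudget
    active: int = 0

    def admit(self, roaming: bool = False) -> bool:
        limit = self.budget.call_capacity()
        if roaming:
            limit += self.budget.handoff_reservation()
        if self.active >= limit:
            return False
        self.active += 1
        return True

    def release(self) -> None:
        self.active = max(0, self.active - 1)


if __name__ == "__main__":
    # Constructed values: 20 gross calls with 40% reserved for data gives the
    # 12-call total the page lists for 802.11b with G.711/SIP.
    b = CapacityBudget(gross_calls=20, data_reserve_pct=40)
    print("total call capacity:", b.total_call_capacity(), "net call capacity:", b.call_capacity())
    print("with G.729:", codec_adjusted(b.total_call_capacity(), "G.729"))
    print("voice VLANs for 450 handsets:", voice_vlans_needed(450))
    cac = RadioCAC(b)
    local = sum(cac.admit() for _ in range(b.total_call_capacity()))
    print("local calls admitted:", local, "roaming call admitted:", cac.admit(roaming=True))
```

With the constructed numbers the radio advertises 12 calls but admits only 8 new local calls, keeping 2 for peak demand and 2 for handsets roaming in; integer percentages are used so the arithmetic is exact rather than subject to floating-point rounding.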
A layer 2 mobility event is when the client moves from one AP to another and retains its VLAN (layer 2)
association. This mobility event could be across APs connected to the same controller or across
multiple controllers. In case of a multi-controller deployment, layer 2 mobility requires the controllers
to be layer 2 connected for the voice VLAN. Using layer 2 mobility in a multi-controller scenario is
recommended only if the voice protocol in use does not require session awareness, such as the
Spectralink SVP Protocol.
NOTE: When layer 2 mobility is used, layer 3 mobility should be disabled for the SSID/virtual AP group.
[Figure: Layer 2 Mobility Event (Internet, Data Center, Closets, Network Access; VoiceNet1 carried across VLAN 1, VLAN 2, VLAN 3 and VLAN 4)]
In a layer 2 mobility design, the network is designed such that the client maintains its IP address as it
roams across controllers and is always assigned an address from the same IP subnet irrespective of the
controller or AP it associates to. A general rule of thumb is to limit the number of devices per subnet to
200. However, this number can vary depending on the voice protocol used and the amount of broadcast
or multicast traffic generated by the protocol.
Voice clients should be assigned an IP address using SSID-based VLAN assignment or role-based
VLAN assignment along with OUI- or MAC-based role assignment.
Enable layer 2 mobility on the Aruba Controller (this is the default setting).
In case of a multi-controller design:
Permit all traffic from and to the handsets and the call servers.
Enable layer 2 mobility on all controllers (default setting).
Make sure that the controllers are L2 connected.
Make sure that the voice VLAN and subnet is active on all the controllers and the handsets are
assigned the Voice VLAN when connecting to the APs on each of the controllers.
Layer 3 (IP) Mobility
Layer 3 mobility is the best choice when the voice servers and the voice user equipment can
communicate with each other over a layer 3 network and the voice protocol used is a dynamic port-
based protocol. Layer 3 mobility can also be used if the voice devices are spread over multiple subnets
and roam between the subnets, and there are two or more layer 3 connected controllers.
Examples of layer 3 mobility protocols include SIP, NoE, and SCCP.
A layer 3 mobility event occurs when a device moves from one AP to another and its IP context
changes. In the case of layer 3 mobility, the new subnet assigned to the client will be different from its
subnet prior to the move. Normally, a change in IP address requires the handset to re-register with the
call server. If a call is active, a layer 3 mobility event could result in the call dropping. Aruba supports IP
Mobility, a feature that allows the client to retain its previous IP address as it moves across different IP
contexts without affecting the call status. This is achieved by tunneling all the client traffic from the
new foreign subnet to the home subnet from which it can then be routed normally.
[Figure: VoiceNet1 to VoiceNet2 traffic pattern post roam. The redirection of traffic from the foreign agent to the home agent helps preserve the L3 context of the client.]
Chapter 9
Deployment Methodologies
This section describes the available WLAN deployment methodologies, processes, and project
management requirements to successfully roll out an Aruba secure wireless solution for
retailers.
Step 1 – Install Test Store
Retailer IT organizations typically maintain a test store that contains an exact copy of the network
infrastructure, application servers, and client devices that are deployed in one of their stores. The test
store is likely to be in a controlled IT environment, but depending on the size of the retailer, it could be
an actual store location that is either simulated or open to customers. Sometimes the retailer operates
multiple test stores, for instance if it has acquired multiple brands over the years and each one has its
own IT footprint.
Aruba recommends that merchants begin the deployment process by setting up an Aruba infrastructure
in the test store in order to design and test the system configuration and client interoperability that will
eventually be installed in the field. This confirms that controller and access point configurations are
working and that the proper software images are running on the client devices to achieve optimum
performance. The customer can learn to configure the AirWave Wireless Management Suite, and the
chosen redundancy model (such as 1+1 or N:1) can be validated. Due to the prevalence of VSAT and
private WANs with 64Kbps links from remote store locations to the DC, Aruba strongly recommends
that failover and image upgrades be validated using the same type of backhaul that exists in the actual
retail stores or DCs. The time spent in the test store verifying equipment, configuration, and
connectivity is a good investment to avoid wasted time and expense in the field during the deployment
cycle.
In order to bring up the Aruba components at the data center, integration is required with infrastructure
elements, including core routers, distribution switches, firewalls, authentication servers, DHCP and
DNS servers, and syslog servers. For voice deployments, integration with the appropriate call manager
system and/or private branch exchange (PBX) is also required. The specific configuration changes on
each of these elements are generally developed as part of building the test store.
Plan to achieve the following critical objectives during this phase:
1. Perfect the physical and logical network design
2. Perfect the RF design
3. Finalize the “golden” controller configuration
4. Finalize configuration changes needed in site routers or switches
5. Identify the optimal client device settings
Performance of the master/local design over the wide-area network should be evaluated in the pilot.
This is also an excellent opportunity to test controller and AP failover.
Operating pilot stores greatly reduces the project risks during the Full Deployment phase. Once full
deployment commences, the cost of making changes to controller or client device configurations at
completed stores becomes very high.
Recommended Deployment Methodologies
Merchants can adopt any of three principal deployment methodologies as best practices for Aruba
rollouts. The choice of methodology is driven by store geography, VPN access to the stores, and the size
of the rollout. The available methodologies are:
[Figure: Deployment methodologies. APs and controllers ship to the Integrator Operations Center (IOC); APs are provisioned in AirWave]
Preprovisioning refers to the process of provisioning the APs before they arrive at a store. Provisioning
refers to the process of programming the APs to find their controller, and of assigning their physical
location on the store floor plan in order to show real-time heat maps in the controller. This is normally
done at a retailer or system integrator staging center. Postprovisioning refers to the process of
provisioning APs remotely after they are installed in a store. This is performed through VPN access
from the retailer network operations center (NOC) to the controller located at each store.
Local Deployment
A local deployment is appropriate for smaller merchants in which all stores and warehouses are within
250 miles of each other and the IT staff is directly responsible for turn-up of each site. In this situation,
it is most cost-effective to configure the controllers onsite at each local retail store. The pace of the
rollout schedule is typically gated by the size of the retailer’s IT department.
From a process perspective, local deployment is similar to the postprovisioned model described below.
The controllers are typically preconfigured in an IT lab before being driven to each site. A structured
cabling vendor with experience installing APs and antennas typically mounts each AP and pulls any
required cable runs. The retailer IT team then provisions the APs directly into the controller while they
are onsite.
Multi-City Deployment with Preprovisioned APs
The preprovisioned AP methodology is used as a best practice for medium sized merchants in a
deployment model where controllers and APs are installed in multiple cities that are not in close
proximity. In addition, APs must be preprovisioned in the following three cases regardless of the size of
the deployment:
When there is no possibility of VPN access to the in-store network from a central NOC.
When stores do not use local onsite controllers; instead, remote APs are implemented. In this case,
the APs are located at the store and the controller is located at the data center.
When the customer requires that APs be statically configured (this is discouraged but required in
some customer layer 3 network designs).
The APs would normally be shipped to a retailer or integrator staging center to be preprovisioned, after
which they are shipped to the actual store location. In this case, there needs to be VPN access from the
staging center to the data center to bring each newly staged controller up in AirWave. VPN access is
also required for Remote APs to establish communication and encryption keys with the controllers that
will be managing the Remote APs.
Each AP has a unique MAC address. When APs are preprovisioned, each one is pre-assigned to a
specific location in the store.
NOTE: With preprovisioning, when the install team actually places the APs in the store, it is vital that they be
placed in accordance with the floor plan map that has already been developed.
Each local controller uses the MAC address of the APs to make adjustments to important AP
parameters. If an AP is placed in the wrong location, proper management is not possible and the
management console will not display accurate information. Therefore, to avoid mistakes,
preprovisioning is generally recommended for customers with a moderate number of locations (less
than 200 stores), with traveling installation teams that can be counted on to install each and every
preprovisioned AP in the right place each and every time.
At the IOC/NOC, a network engineer logs into the store controller across the VPN and completes the
provisioning process using the information from the install crew. The Operations Center releases the
install crew to leave the site once all APs are provisioned and verified.
Preprovisioning Methodology
This section describes the general steps to follow if using the Preprovision model with the controllers
and APs that are shipped from Aruba to the staging center. These procedures are provided to help
customers and their systems integrators prepare for a successful Aruba deployment. The procedures
should be customized for the unique needs of each customer.
In this model, the controllers are provisioned first, followed by the APs. The controllers and APs are
then shipped to the store location. If Remote APs are being implemented, they communicate with the
master controllers that are preinstalled at the retailer data center. Then, at the store location, the APs
are mounted in their pre-assigned locations according to their MAC address. In this situation, there is
no need for a NOC to have access to the APs or controllers after they are installed in the store because
all of the work was done in the staging center. Assuming all the APs are mounted in the intended
locations, the system will operate just as it did during staging.
NOTE: Retain all original packing materials and note the packing details. Use the original packing materials
and method for repacking to prevent any product damage when reshipping to the final destination.
Staging the APs
Once the controllers have been staged, follow this general procedure:
1. Unpack all APs for a given location.
2. Check all the APs to make sure they power up.
3. Connect all the APs to a PoE switch.
4. Use the store controller in the staging center to provision the APs.
NOTE: If you are implementing remote APs, the staging center needs VPN connectivity to the master
controller in the data center. A controller at the staging center is not required.
NOTE: The installers will most likely be working during a graveyard shift and likely have limited experience
installing APs.
7. Repack and ship all the controllers and APs to the store location. Make sure the MAC addresses and
location IDs are marked on each box or AP.
Store Installation
Follow this general procedure to install the equipment in the store:
1. Unpack the controllers and APs.
2. Install the APs, making sure that each AP is installed according to its location and MAC address as
noted on the floor plan.
3. Install the controllers (if implementing remote APs, no store controllers are installed).
4. Complete the Site Validation procedure.
Postprovisioning Methodology
This section describes the general steps to follow to Postprovision controllers and APs. These
procedures are provided to help customers and their systems integrators prepare for a successful
Aruba deployment. They should be customized for the unique needs of each customer.
In this scenario, the controllers are shipped from Aruba to the staging center and the APs are shipped
directly to the store. The controllers are provisioned and shipped to the store. During the installation at
the store, any AP can be mounted in any location, and their locations and MAC addresses are carefully
noted on the floor plan. This is generally done by pasting the MAC address sticker from each AP into a
prepared table, and noting the AP code on the floor plan. Both the table and the floor plan are then
faxed or emailed to the IOC/NOC, which then provisions them using a VPN connection directly to the
store.
Staging the Controllers
Follow the same preprovisioning procedure process for controllers as described in Staging the
Controllers on page 142.
Store Installation
1. Unpack the controllers and APs.
2. Install the APs as desired, making sure that the MAC address and location of each AP is carefully
noted on the floor plan.
3. Install the controllers.
Controller Validation
In the case where controllers are located at the store (remote APs are not implemented), you can do the
following to verify proper operation:
Log in to the controller GUI and verify that all APs are up and the controller is showing normal
operation.
Review the controller logs for boot-phase or other error messages.
Verify with the customer NOC that the controllers are visible on the AirWave management console.
Repeat the verification for any backup controller.
Manually test VRRP failover for any backup controller.
Cabling and AP Validation
Perform the following cabling tasks when new wiring is required to complete the installation:
Require the installer to scope each pulled run and print the test results.
Require the installer to TDR any installed antenna or RF cable and print the test results.
Perform a visual inspection of all APs and external antennas to make sure that cables are dressed in,
the AP status lights are correct, and all antennas are extended and oriented properly.
If outdoor antennas are installed, complete a visual inspection to make sure that lightning arrestors
are properly inserted and grounded, and that all connectors have been weather sealed.
RF Validation
Use the following verification methods to make sure that RF signals meet the criteria specified by the
design team:
Use RF Live on the controller console to review a heat map for the facility to check that channel and
power settings are within expected tolerances.
Complete a passive RF survey with AirMagnet, Ekahau, RFProtect Mobile, or other site survey tool
to generate the “heat map” of store coverage.
If there is no budget for a tool such as AirMagnet or Ekahau, you can perform a less comprehensive
validation by using Netstumbler during a walkabout to check for received signal strength indication
(RSSI) values. This method does not produce a heat map.
For stores that do not pass certification testing, use APs from the reserve/spare pool to close coverage
holes. In this case, you should perform a site survey to measure the location and area of holes.
Post-Deployment PCI Reassessment
The remediation phase of the PCI compliance process often requires the implementation of a new
process or technology. Aruba WLAN deployments are usually conducted as part of this phase.
Upon the completion of an Aruba deployment, the cardholder data environment is considered “post-
remediation” and is reassessed against the PCI DSS. A PCI-defined report of compliance (ROC)
document is created and submitted to the pertinent bank or credit card brand, together with
documentation listed below. Level 1 merchants must use the PCI-approved QSA for the ROC.
Merchants at other levels may instead use a self-answered questionnaire.
Vulnerability scan(s) must be completed by a PCI-Approved Scanning Vendor (ASV), and evidence of
passing scan(s) must be submitted with the ROC.
A PCI-specified Attestation of Compliance document must be completed and submitted with the
ROC.
Any other required supporting documentation must be submitted.
Each merchant must repeat the PCI compliance process annually as well as conduct quarterly network
security scans using automated tools. Any compensating controls must be reviewed and validated
annually.
Chapter 10
Operations and Management
Retail organizations are actively building some of the largest wireless networks in the world,
often fielding 30,000 or more wireless access points (APs). Managing those large scale Wi-Fi
networks involves challenges a traditional campus-based enterprise does not encounter, even
though the Wi-Fi hardware is exactly the same. The network is larger and more distributed,
operating environments are more varied, onsite support resources are limited or nonexistent,
and network security is critical.
The Aruba AirWave Wireless Management Suite (AWMS) provides the level of control IT needs to
successfully manage a large, distributed WLAN with many APs and controllers, and to meet the newest
PCI data security standard without additional hardware investment.
AirWave is specifically designed with features that meet the specific needs of merchants:
Manageability – Supports centralized configuration and control of the Wi-Fi infrastructure
regardless of vendor or architecture.
Security – Detects devices and enforces security policies across all Wi-Fi devices automatically.
Visibility – Allows viewing of real-time information on every user and device as well as historical
trend reports for planning and diagnostics.
Flexibility – Fits the Wi-Fi management solution to the existing network architecture.
PCI Compliance – Meets PCI v1.1 data security standard, consisting of nine WLAN specific
requirements.
With the AWMS, retailers can effectively control the largest wireless LANs in the world, in thousands of
remote locations.
Remote Management
In the retail environment, especially where each store is relatively small, local IT support does not exist,
and onsite staff may not be able to diagnose or resolve network issues on their own. Efficient remote
support has to come through a centralized NOC or operating costs will mount with each local service
call.
Using the AWMS, remote IT staff gain the same type of information IT personnel would get as if they
were standing in the store. Through a combination of RF monitoring using authorized APs and wired
network scans, AWMS shows IT exactly who is connected to the network, what signal they are
receiving, how much bandwidth they are using and how the network is performing locally.
AWMS provides a flexible grouping mechanism that enables logical segmentation of devices based on
location, security, or even device type. Flexible grouping coupled with robust searching capabilities
allows IT to quickly locate and drill into detailed data for a single device, a group of devices, an
individual user, a group of users, a floor plan, or a building. Using the AirWave VisualRF module, IT sees
where each user or Wi-Fi tag is located and can assess the RF environment for likely sources of
interference. With this data, IT can diagnose problems quickly to determine whether the issue is related
to the client AP, controller, or wired network.
Figure 76 shows an example of a user diagnostic page within AWMS that combines all upstream data
and indicates potential bottlenecks or problems highlighted in red.
This diagnostic enables help desk personnel to quickly diagnose a problem or create an incident for a
Level II support engineer. Help Desk personnel can correlate and capture this page or any page in
AWMS to the incident. This capability makes sure that the Level II engineer can view the user’s
experience as it was when the incident was created.
Planning and Location Services
Merchants with hundreds or thousands of stores need the ability to view real-time RF information at
each location to ensure optimization and efficiently diagnose problems. Location services, a key feature,
assist retailers in reducing costs and increasing productivity. Efficient stocking and inventory control
benefit from the ability to quickly locate handheld guns and printers. Wi-Fi tag tracking helps reduce
shrinkage by tracking high ticket items from dock to showcase.
An easy-to-use planning and provisioning tool, VisualRF reduces the time required for importing floor
plans and provisioning APs. VisualRF provides a simple, intuitive, interface to guide even an RF novice
through the process.
For a typical retailer, a sample planning and provisioning procedure takes less than 15 minutes per
store using VisualRF:
Import floor plan CAD file (DWG formats are converted automatically with dimensions and layers).
Associate floor plan with floor number and building.
Remove non-vital layers (cubes, writing, …).
Crop white space.
Draw external walls.
Auto provision APs by drawing provisioning region.
If using the Preprovisioning deployment methodology for store rollouts that is described in this chapter,
the actual APs could be configured directly in AirWave at the retailer’s staging center. If using the
Postprovisioning methodology, first install the stores, then return to the AirWave floor plan for each
store and match the previously planned APs to actual APs.
This work produces an easy-to-use 3-D navigation capability as shown in Figure 78. This navigation
capability enables all IT personnel quick access to location and diagnostic services within VisualRF
without having to know the physical or logical network topology. AirWave uses the hierarchy of the
network, campus, and building to organize floor plans. A campus is a collection of buildings; there is no
requirement that they be physically near one another. Therefore, retailers often map their store
Districts into the campus concept within AirWave, with each district loaded as a separate campus.
Districts and stores can be named with their identifying numbers as well as the city or geographic
region they cover.
VisualRF also provides auto import capability from MMS, AOS (Aruba controllers), RFPlan, and WCS. If
you have already loaded your floor plans and placed your APs, you will not have to repeat the process
when you install AWMS.
From the building view you can select the floor of interest and obtain diagnostic and location
information, as shown in Figure 79.
From this view you can also focus on a client or AP, view Wi-Fi tag locations, view rogue devices, view
roaming history, view heat maps, view data rates, view channel overlap, perform remote site surveys,
adjust antenna properties, and view neighboring APs.
PCI Reporting
Retail IT must guarantee the security of the network and corporate data. In order to comply with PCI
standards and Visa’s Cardholder Information Security Plan (CISP) requirements, security policies must
be properly defined and enforced. Non-compliance can result in substantial financial penalties and
sanctions, including the prohibition to process Visa transactions.
The AirWave Management Platform helps retail organizations meet strict PCI/CISP standards that
protect cardholder data with the following wireless network provisions.
PCI/CISP 11.1: Detect and locate rogue APs
The AirWave RAPIDS™ module uses both RF and wired network-scanning techniques to discover
any unauthorized wireless APs connected to the retailer's network or broadcasting in the airspace.
RAPIDS wireline network scans are a reliable way to check for rogue devices in store locations that
do not have wireless APs or RF sensors.
From the Rogue Detail page, shown in Figure 80, a user can quickly ascertain the radio
interfaces, LAN interfaces, manufacturer, signal, SSID, IP, operating systems, switch, port, all
devices that heard the rogue, and the physical location.
You can also configure the AirWave software to scan your network using factory default credentials to
make sure that no devices still answer to them.
PCI 2.2/CISP: Establish and maintain clear configuration policies
AWMS provides a central location where wireless configuration policies are defined and enforced.
AWMS continually audits all Wi-Fi devices to detect any policy violations and automatically restores
the correct settings. An automated daily report lists all detected violations.
AWMS provides an audit log of every change to every device including date, time, user of record
making the change, and the actual settings that were changed.
AWMS provides the ability to mandate and push a minimum firmware version for each manufacturer
and model. If a device is out of compliance, AWMS alerts and automatically brings it back into
compliance.
PCI 4.1.1/CISP: Use WPA whenever possible; if WEP is used, rotate shared keys quarterly and when
personnel changes occur
AWMS allows IT to specify that WPA must be used on all Wi-Fi APs and to indicate which
authentication servers will control access on that segment of the network. If WEP is used, AWMS
makes it easy to update keys on all APs as needed.
PCI 1.1.2/CISP: Maintain accurate network inventories
AWMS provides alerts when any new device is discovered on the network as well as a daily new
device report listing every new device discovered during the previous 24 hours.
AWMS provides alerts for down devices. This provides immediate notification if an AP is physically
removed from the network or the premises.
The AirWave device inventory report, shown in Figure 81, provides a complete list of every
component of your wireless infrastructure, including brand, model, version, IP address, MAC
address, SSID, notes on physical location, and more.
VisualRF software shows the physical location of each device on a floor plan or longitude and
latitude for outdoor devices.
Role-Based Management
In a typical retail organization, dozens or even hundreds of IT employees need access to information
about the wireless LAN. A management solution designed only for network engineers cannot meet the
diverse needs of all IT staff members.
Help desk staff typically field calls from retail-store employees reporting network problems. The
help desk needs to locate the remote user quickly (preferably by username), determine which store
the user is in, view real-time performance and usage data, and access historical information for
diagnostic purposes. One help desk group may be responsible for all stores, or the responsibility may
be assigned to multiple, smaller help desks. This team usually has no administrative privileges for
changing network settings or security policies.
AWMS has help-desk-specific screens that provide a snapshot of incidents, allowing staff to quickly
drill down and diagnose an end-user-reported issue. 3-D navigation works very well if the help desk
knows the location. Otherwise, the search mechanism finds all instances of a user on the network.
Network engineers need to manage device configurations on their segment of the network.
Individual network engineers responsible for a geographic region or a specific set of stores should
not have administrative access to other network segments.
Corporate network administrators need to define network and security policies across the entire
network, as well as see detailed trend reports and exception reports.
Network planners need detailed trend reporting, by store and other logical groupings, in order to
plan wireless network expansion to assure performance and security.
Installers (often contractors) need detailed installation reports and forms to fill in site-specific
information, but typically should not be able to configure or monitor Wi-Fi devices on an ongoing
basis.
IT security and audit teams must be alerted when device configurations violate policies or when
rogue devices are discovered, and need to view audit trails and log files as needed.
AWMS allows the IT organization to tailor permissions and views to match the responsibilities of these
various IT users:
Password-protected user permissions can be set to ‘view-only’ levels for users who only need to
monitor data, while ‘read-write’ administrative access is granted to network engineers. Users can be
given permission to view data across the entire WLAN infrastructure or be restricted to those groups
or devices for which they are responsible.
AWMS reports are automatically delivered to specified email distribution lists to make sure staff
members receive job-appropriate information. The audit group can receive configuration-
compliance reports and rogue-device reports, without administrative access to the system. Network
planners can receive usage reports and trend data without accessing the AWMS system.
VisualRF provides special bill-of-materials reports for installers without giving them access to any
configuration data, ensuring the security of the network and data.
Scalability
For a merchant with hundreds or thousands of store locations, installing two or three APs per store
means the IT organization must manage a WLAN with thousands of APs. When corporate headquarters,
distribution facilities, and local offices are included, it is not unusual for a retailer to have 30,000 or
more APs (and tens of thousands of wireless devices) on its network.
Most management solutions are designed for smaller wireless networks, with limits on the number of
APs or controllers that can be managed. This forces IT to manage their wireless LAN as multiple
separate stand-alone networks. To operate a large, mission-critical wireless network, retail IT needs
enterprise-grade features such as many-to-one automated failover, TACACS integration, and more.
AWMS is designed for maximum scalability and can routinely manage networks with 30,000-plus
wireless APs. The AirWave Management Platform (AMP) is a software-only solution that allows the
user to select a hardware platform that meets their needs rather than using a one-size-fits-all appliance
with limited scalability.
AWMS also employs a distributed architecture that allows IT to install the software on multiple servers,
and to manage and monitor the software from a unified, web-based Master Console. These servers can
be co-located in a single NOC or distributed in multiple locations, as appropriate. As a result, AWMS has
nearly unlimited scalability: more servers can be added as the WLAN grows without sacrificing
centralized control and manageability.
Trend Reporting
When a merchant decides to add another wireless AP to a standard store configuration, the decision
impacts not one store but thousands; the cost is not a few hundred dollars, but several hundred
thousand dollars. With so many remote locations, retailers tend to standardize their network
environments to keep operational costs low. As a result, the successful retail IT organization needs to
know not just real-time information on network utilization and performance in each store, but detailed
trending data on individual users and devices:
Which APs are most heavily loaded, the APs on the shop floor or those on the shipping docks?
How variable are usage patterns? Are there peak usage times at certain points in the day or year, or
is usage fairly steady?
Which users are causing the network traffic to increase? Was there a significant utilization increase
in the 10 stores where you are testing wireless VoIP?
Are there seasonal patterns to network usage? Was there a spike in usage during the holiday season
last year that would indicate that IT should plan for a comparable spike this year?
Only with reliable historical trending data added to real-time information can IT make informed,
intelligent decisions about when, where, and how to grow their wireless networks.
The AMP provides both the real-time and historical information that retailers need. AWMS retains
historical user and performance data for a year or more, enabling the IT staff to run detailed trending
reports for specific groups of stores or globally across the entire network. AWMS also uses a flexible
folder UI design that allows IT to examine retail shop-floor APs separately from back-office APs to get
more granular trend and performance data.
Diverse WAN Environments
On a campus network, a reliable broadband connection is nearly always available, so bandwidth and
latency are not significant concerns. In a highly distributed retail environment, some stores may use a
T1 connection and others may have a DSL connection—or even an intermittent satellite connection.
Even if the primary connection is a broadband line, the emergency backup link typically is not.
Retailers need management solutions that can adapt to the available bandwidth rather than forcing IT
to re-architect their entire network infrastructure simply to support wireless.
AWMS provides maximum flexibility to support nearly any network environment, whether stand-alone
or lightweight APs are deployed. Using Group-based parameters, IT can configure AWMS to poll
network locations with a broadband connection frequently to provide near real-time monitoring data. In
other locations, where bandwidth is more of a concern, the polling interval can be longer to minimize
network traffic.
Similarly, the AWMS triggers and alert thresholds can be configured to reflect network design and
support high-latency networks. On a high-latency network, for example, AWMS can be configured to
wait longer for a response to a polling query. Instead of treating all network locations the same, AWMS
provides IT maximum flexibility, fine-tuning management settings for each type of location.
Appendix A RF Concepts and Terminology
Frequency
For wireless LANs, an antenna is tuned for either 2.4 GHz (802.11b) or 5 GHz (802.11a). An antenna will
only work efficiently if the frequencies of the antenna and radio match. Some antennas are “dual band”
which means that they are rated for transmission in both the 2.4 GHz and 5 GHz frequency ranges. In a
mixed 802.11a/b/g deployment, the use of dual band antennas can simplify installation as there is a
reduced chance for error due to connection of the wrong antenna to the wrong radio. Dual band
antennas also allow for the ability to re-provision single radio APs to service 802.11a versus 802.11bg
clients from the Aruba Controller without having to physically connect a different antenna.
Antenna Gain and Pattern
The gain of an antenna is specified in dBi, which is the directional gain of the antenna compared to an
isotropic antenna. An isotropic antenna is an ideal (theoretical) antenna that spreads energy in all
directions (in a sphere) with equal power.
Antenna gain is often confused with power because the gain of an antenna can increase the transmitted
or received signal levels. However, it is important to note that gain is usually stated only as a maximum
value, and this value increases signal levels only in a particular direction. This is because antenna
gain is achieved only by compressing the radiated power into a tighter region of 3D space; antennas
(by themselves) do not create increased power. Antenna gain is more correctly described as a focusing
of radiated power rather than an amplification of it. This means that any antenna with gain > 1 dBi will
provide higher signal levels than the isotropic radiator in some directions, but will actually reduce
signal levels in other directions. As the maximum gain increases, the region of 3D space in which the
signal level is reduced grows. In other words, higher-gain antennas focus the power into a tighter and
tighter region of space, which can result in much worse coverage if clients are not in the region of
higher gain.
Free-Space RF Propagation
The RF signals emitted by an antenna go through significant attenuation, even in free space (i.e., no
obstructions between the transmitter and the receiver), before they reach the intended recipient. The
free-space propagation loss in dB is given by the formula:
Noise
The noise at the radio receiver consists of the thermal noise and the noise figure of the receiver. The
thermal noise at room temperature is a known quantity, -174 dBm/Hz. Because 802.11 operates on 20
MHz channels, the thermal noise floor at room temperature is -174 dBm + 73 dB = -101 dBm. The
typical noise figure of an 802.11 receiver varies from 4 dB to 10 dB. The noise figure of the receiver
depends on the type and quality of the components used in the design (e.g., amplifiers). Based on these
numbers, the typical minimum noise floor of an 802.11 device is in the range of -97 dBm to -91 dBm. The
IEEE 802.11a standard specifies that the noise figure due to components, design and implementation be
kept at or below 15 dB, thereby requiring a maximum noise floor of -86 dBm.
Introduction of additional thermal noise or components with higher noise figures would alter the noise
floor of the receiver. In addition, the noise floor may also be affected by certain types of interference
sources, though not all interference types result in an increased noise floor. Since the noise floor of a
receiver may be affected by a variety of factors and may change with the operating environment, an
802.11 wireless device typically recalibrates the noise floor at periodic intervals (e.g., every 30 or 60
seconds). This is especially useful for client devices, where the noise floor may vary depending on the
noise introduced by components used in the computer or client device. Since a client may be mobile,
the external sources of noise from the environment may also change over time. It is also a good
practice to periodically recalibrate the fixed wireless devices (e.g., Access Points), as the noise floor
may change over time due to external or thermal factors.
Table 23 Typical minimum required SNR for proper detection of 802.11 rates
Rate (Mbps)   802.11b: 1   2   5.5  11    802.11a/g: 6   9   12  18  24  36  48  54
SNR (dB)               4   6   8    10               4   5   7   9   12  16  20  21
Receive Sensitivity
The receive sensitivity of a receiver is the minimum power required at the receiver for reliable
detection. In other words, the Rx sensitivity indicates the weakest signal the receiver can reliably
decode. Similar to the SNR, the Rx sensitivity depends on the modulation and the bit rate. The design of
the radio also plays a role in the Rx sensitivity, as some radios may have better (lower) Rx sensitivity
than others for the same bit rate. The typical Rx sensitivity values for 802.11 vary from -91 (±3) dBm at
1 Mbps to -67 (±4) dBm at 54 Mbps. The lower the Rx sensitivity, the better the radio is. It should be
noted that the Rx sensitivity alone is not a good indication of the weakest signal that can be reliably
decoded. If the SNR is not sufficient due to higher noise floor, the system may be limited by the noise
floor rather than the Rx sensitivity.
Link Budget Analysis
Because each bit rate requires a specific minimum receiver sensitivity for a given radio, any wireless
network (simply referred to as link for the purpose of this discussion) design must estimate the
available link budget in dB to make sure that the link budget is at least 0 dB for the highest bit rate
desired. It is also a good practice to leave some reasonable margin (e.g., 10 dB) in the link budget to
accommodate any variations in signal strength caused by interferers or reflectors and to increase the
reliability of the link. Use the link budget analysis to estimate the range or capacity or to select an
antenna.
The first step in the calculation of the link budget is to calculate the received power at the receiver.
The received power is given as:
The equivalent isotropic radiated power (EIRP) in dBm is given as:
The path loss can be calculated using the appropriate path loss formula, as discussed earlier, and may
include attenuations caused by other objects in the path, if known. The Receiver Gain is given as:
Receiver Gain = Receive Antenna Gain (dBi) - Cable/Connector/Switch Loss (dB) at Receiver
When the received power (or signal strength) is known, the link budget can be calculated by
subtracting the receive sensitivity of the receiver from the received power:
The noise floor at the receiver can be subtracted from the received power to calculate the SNR. If the
noise is lower than the Rx sensitivity, the link will be limited by the Rx sensitivity. Otherwise, the link
will be limited by the noise floor.
For example, with 30 dBm EIRP (e.g., 23 dBm transmit power, 10 dBi antenna gain, and 3 dB cable/
connector loss) in 2.4 GHz, the signal attenuates to -50 dBm at 100 meters in free space. For a receiver
with receive gain of 0 dB (e.g., 2 dBi Receiver antenna and 2 dB cable/connector loss), the received
power is -50 dBm. If the receive sensitivity is -91 dBm for 1 Mbps, then the link margin is 41 dB.
However, if the noise floor is -85 dBm, then the SNR is 35 dB. In either case, the signal is more than
enough to decode 1 Mbps. However, as the distance increases the noise floor will be the limiting factor
in this specific example.
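The noise-floor arithmetic from the Noise section and the link budget example above can be reproduced with the following Python. It is an added example, not code from this guide or from AirWave. It uses the standard free-space (Friis) path-loss expression, since the guide's own propagation formula did not survive extraction, applies the limiting-factor rule stated above (sensitivity limits if the noise floor is below it, otherwise the noise floor does), and extends the example to larger distances to show the noise floor taking over. Function names and the distances beyond 100 meters are the example's own.

```python
import math

C_M_PER_S = 299_792_458.0           # speed of light
THERMAL_NOISE_DBM_PER_HZ = -174.0   # room-temperature thermal noise density quoted in the Noise section
CHANNEL_BANDWIDTH_HZ = 20e6         # 802.11 channel width used in the Noise section


def noise_floor_dbm(noise_figure_db, bandwidth_hz=CHANNEL_BANDWIDTH_HZ):
    """Receiver noise floor: thermal density integrated over the channel bandwidth,
    plus the receiver's own noise figure."""
    return THERMAL_NOISE_DBM_PER_HZ + 10 * math.log10(bandwidth_hz) + noise_figure_db


def free_space_path_loss_db(distance_m, frequency_hz):
    """Free-space (Friis) path loss in dB. This is the standard textbook expression,
    used because the guide's own formula did not survive extraction."""
    return (20 * math.log10(distance_m)
            + 20 * math.log10(frequency_hz)
            + 20 * math.log10(4 * math.pi / C_M_PER_S))


def eirp_dbm(tx_power_dbm, tx_antenna_gain_dbi, tx_cable_loss_db):
    """EIRP = transmit power + transmit antenna gain - cable/connector loss at the transmitter."""
    return tx_power_dbm + tx_antenna_gain_dbi - tx_cable_loss_db


def receiver_gain_db(rx_antenna_gain_dbi, rx_cable_loss_db):
    """Receiver Gain = Receive Antenna Gain (dBi) - Cable/Connector/Switch Loss (dB)."""
    return rx_antenna_gain_dbi - rx_cable_loss_db


def link_budget(eirp, path_loss_db, rx_gain_db, rx_sensitivity_dbm, noise_floor, required_snr_db):
    """Received power, link margin against sensitivity, SNR against the noise floor, and
    which of the two limits the link: if the noise floor is below the sensitivity the
    sensitivity limits, otherwise the noise floor does."""
    received = eirp - path_loss_db + rx_gain_db
    margin = received - rx_sensitivity_dbm
    snr = received - noise_floor
    limited_by = "rx sensitivity" if noise_floor < rx_sensitivity_dbm else "noise floor"
    return {
        "received_dbm": received,
        "link_margin_db": margin,
        "snr_db": snr,
        "limited_by": limited_by,
        # a rate is usable only if both the sensitivity and the SNR requirement are met
        "rate_usable": margin >= 0 and snr >= required_snr_db,
    }


def guide_example(distance_m=100.0):
    """The worked example above: 23 dBm, 10 dBi, 3 dB loss -> 30 dBm EIRP at 2.4 GHz; 0 dB
    receiver gain (2 dBi antenna, 2 dB loss); -91 dBm sensitivity at 1 Mbps, which needs 4 dB
    SNR per the tables; -85 dBm noise floor."""
    eirp = eirp_dbm(23, 10, 3)
    loss = free_space_path_loss_db(distance_m, 2.4e9)
    return link_budget(eirp, loss, receiver_gain_db(2, 2), -91, -85, 4)


if __name__ == "__main__":
    for nf in (0, 4, 10, 15):
        print(f"noise figure {nf:2d} dB -> noise floor {noise_floor_dbm(nf):.0f} dBm")
    # distances beyond 100 m are the example's own, to show the noise floor becoming the limit
    for d in (100, 1000, 3000, 5000):
        r = guide_example(d)
        print(f"{d:5d} m: rx {r['received_dbm']:.1f} dBm, margin {r['link_margin_db']:.1f} dB, "
              f"SNR {r['snr_db']:.1f} dB, limited by {r['limited_by']}, "
              f"1 Mbps usable: {r['rate_usable']}")
```

At 100 meters the block reproduces the -50 dBm received power, 41 dB margin and 35 dB SNR quoted above. At 5 km in free space the margin against the -91 dBm sensitivity is still positive, but the SNR against the -85 dBm noise floor drops below the 4 dB that 1 Mbps needs, which is the "noise floor becomes the limiting factor" point made in the text.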
The choice of an antenna and transmit power are dictated by the specific requirements of the wireless
system. For example, in order to create symmetric links (i.e., each end of the wireless link can talk to
the other end with same bit rate at the same reliability), the transmit power at both ends should be kept
the same, assuming the RX sensitivity and noise floor are identical at both ends. The range of the
system for such symmetric networks should be increased by selecting the appropriate antennas on both
ends, rather than increasing the transmit power at one end (which increases the range in only one
direction). It is also important to calculate the link budget in both directions separately to make sure
that the bidirectional system requirements are met, given the system parameters in each direction.
Target Data Rates, Client Bandwidth, and Required SNR
As we have seen, the range and coverage of each AP will depend on a number of RF considerations:
1. The lesser of AP or Client device power
2. The sum of the AP and Client antenna gains
3. The pattern of the AP antenna and client antennas
4. The receive sensitivity of the AP and Client radios
5. The target data rate and associated 802.11 required SNR
6. Consideration of Absorption and losses
In order to simplify the planning process, the above is typically reduced by making the following
assumptions:
1. The client power will be lower than the AP power; typically, 12 dBm maximum is recommended to
be used for planning purposes. Even in cases when the client power is known or advertised to be
higher, it is not recommended to assume higher power unless verified by performance testing. There
are many different ways to measure power, and maximum power is also dependent on the
modulation and data pattern. The 12 dBm maximum is typical of many portable 802.11 client devices
based on measurements.
2. The client antenna gain will be low (2 dBi). Many client devices will claim a higher gain antenna, but
the pattern information is much less often provided for client devices. In many cases, higher gain on
a client device can actually decrease the reliability of the signals because the use of higher gain
omnidirectional or directional antennas means that gain is reduced in directions away from the
maximum. Because in general the direction from the AP to the client is not known, the use of a
lower gain antenna on the client will provide approximately uniform performance regardless of the
client location relative to the AP. When a higher gain antenna is used on the client, and it cannot be
guaranteed that the AP will be in the direction of the increased gain, the gain must be de-rated. Thus,
2 dBi is a good assumption for client antenna performance of any client antenna in the range of 2-5
dBi, unless there is a fixed and known directional relationship between the clients and the APs. For
clients that will have a fixed direction to the AP, a higher gain antenna can be useful to improve
performance, range and connection reliability.
3. The receive sensitivity is approximately equal (client and AP) and range will be determined by SNR
using an assumed maximum noise floor of -90 to -85 dBm.
After using the above assumptions, we can now focus on target data rate and SNR in order to determine
per-AP coverage. Table 24 provides the required SNR by data rate. Using an assumed noise floor of -85
dBm, the table shows the required receive signal levels to achieve various data rates.
Table 24 Typical rates, SNR, and Signal Levels for Typical -85 dBm Noise Floor Planning
Rate (Mbps)          802.11b: 1    2    5.5  11    802.11a/g: 6    9    12   18   24   36   48   54
SNR (dB)                      4    6    8    10               4    5    7    9    12   16   20   21
Signal Level (dBm)            -81  -79  -77  -75              -81  -80  -78  -76  -73  -69  -65  -64
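Putting the three planning assumptions together with Table 24, the following Python (an added example, not Aruba's code) budgets a cell in both directions, as the link budget section advises, and reports the free-space range per data rate. The client side uses the 12 dBm and 2 dBi assumptions stated above and the noise floor of -85 dBm behind Table 24; the AP power and antenna gain (20 dBm, 3 dBi), zero cable loss, reciprocal antenna gains and the 10 dB planning margin are assumptions of the example, and the free-space loss is the standard Friis expression because the guide's own formula did not survive extraction. Only the rates for which the guide lists SNR values are tabulated.

```python
import math

C_M_PER_S = 299_792_458.0
FREQ_HZ = 2.4e9
NOISE_FLOOR_DBM = -85.0        # planning noise floor behind Table 24
PLANNING_MARGIN_DB = 10.0      # the "reasonable margin" suggested in the link budget discussion

# Required SNR (dB) by data rate (Mbps), for the rates the guide tabulates.
REQUIRED_SNR_DB = {1: 4, 5.5: 8, 11: 10, 6: 4, 18: 9, 36: 16, 54: 21}

# Client-side planning assumptions stated in the text: 12 dBm and a 2 dBi antenna.
CLIENT_TX_DBM, CLIENT_ANT_DBI = 12.0, 2.0
# AP-side values are constructed sample inputs for this example, not figures from the guide.
AP_TX_DBM, AP_ANT_DBI = 20.0, 3.0


def required_signal_dbm(required_snr_db, noise_floor_dbm=NOISE_FLOOR_DBM, margin_db=0.0):
    """Minimum receive level for a rate: noise floor + required SNR (+ optional planning margin).
    With margin 0 this reproduces the Signal Level row of Table 24."""
    return noise_floor_dbm + required_snr_db + margin_db


def free_space_range_m(allowed_path_loss_db, frequency_hz=FREQ_HZ):
    """Invert the free-space (Friis) loss: the largest distance whose loss fits the allowance."""
    k = 20 * math.log10(frequency_hz) + 20 * math.log10(4 * math.pi / C_M_PER_S)
    return 10 ** ((allowed_path_loss_db - k) / 20)


def one_way_range_m(tx_dbm, tx_ant_dbi, rx_ant_dbi, rate_mbps, margin_db=PLANNING_MARGIN_DB):
    """Free-space range in one direction. Cable losses are taken as zero and antenna gain as
    reciprocal (same gain transmitting and receiving); both are simplifying assumptions."""
    threshold = required_signal_dbm(REQUIRED_SNR_DB[rate_mbps], margin_db=margin_db)
    allowed_loss = (tx_dbm + tx_ant_dbi) + rx_ant_dbi - threshold
    return free_space_range_m(allowed_loss)


def cell_radius_m(rate_mbps, margin_db=PLANNING_MARGIN_DB):
    """Budget both directions separately; the cell is bounded by the weaker direction, which
    with these inputs is always the uplink (the "lesser of AP or client power" assumption)."""
    downlink = one_way_range_m(AP_TX_DBM, AP_ANT_DBI, CLIENT_ANT_DBI, rate_mbps, margin_db)
    uplink = one_way_range_m(CLIENT_TX_DBM, CLIENT_ANT_DBI, AP_ANT_DBI, rate_mbps, margin_db)
    return {"downlink_m": downlink, "uplink_m": uplink, "radius_m": min(downlink, uplink)}


if __name__ == "__main__":
    print(f"{'rate':>5} {'SNR':>4} {'signal':>7} {'down m':>7} {'up m':>7} {'radius':>7}")
    for rate, snr in REQUIRED_SNR_DB.items():
        r = cell_radius_m(rate)
        print(f"{rate:>5} {snr:>4} {required_signal_dbm(snr):>7.0f} "
              f"{r['downlink_m']:>7.1f} {r['uplink_m']:>7.1f} {r['radius_m']:>7.1f}")
```

The output makes the asymmetry explicit: the AP can be heard much farther than it can hear the 12 dBm client, so planning a cell on the downlink alone would overstate the usable radius. Real stores add wall and fixture attenuation on top of free-space loss, so these figures are an upper bound, not a site survey.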
Unfortunately, 802.11a/b/g standards are stated in terms of the physical layer data rates and do not
represent actual expected throughput. The following charts (Figure 86 and Figure 87) provide a
correlation between expected actual throughput as a function of SNR and packet size:
Figure 86: Throughput (Mbit/s) versus RSSI at AP (dB) for packet sizes of 64, 512 and 1500 bytes.
Figure 87: Throughput (Mbit/s) versus RSSI at AP (dB) for 802.11b and 802.11g at packet sizes of 64, 512 and 1500 bytes (legend entries 64b, 512b, 1500b, 64G, 512G, 1500G).
Determining how much bandwidth each user will need depends on the applications. The bandwidth
calculations will define the user experience as well as the number of APs required. A good rule of
thumb for an 802.11a network is to allow for 2 Mbps downstream and upstream (4 Mbps total) per user,
which delivers about the same user experience as being on a wired LAN. For an 802.11b network, a rule
of thumb is to allow for 500 Kbps each way (1 Mbps total), which delivers a user experience similar to a
broadband DSL connection.
Rate (Mbps)         1    5.5  11   6    18   36   54
SNR (dB)            4    8    10   4    9    16   21
Signal Level (dBm)  -81  -77  -75  -81  -76  -69  -64
Comparing Dipole and Downtilt Antennas
The pattern plots of an antenna provide more complete information about its pattern-focusing effects.
In general, there are two antenna types that both provide gain over the isotropic radiator:
omnidirectional antennas and directional (also called sector) antennas. A special case of the
omnidirectional antenna is called the down-tilt omnidirectional (or squint), and is described here
because of its importance for many retail applications.
Figure 88 shows the horizontal and vertical patterns of three omnidirectional antennas. Note that
omnidirectional refers to the pattern in the horizontal (azimuth) plane, which is equal in all
directions. However, among these three omnidirectional antennas the stated maximum gain varies,
ranging from a low-gain (3 dBi) down-tilt omnidirectional to a high-gain (10 dBi) omnidirectional.
The figure shows that for omnidirectional antennas, gain is achieved by focusing the vertical pattern of
the antenna. The higher the gain, the more tightly focused the coverage in the vertical direction.
Figure 88 (panels: Vertical, Horizontal)
In typical indoor office deployments with only a few feet separation vertically from the clients to the
APs, high-gain omnidirectional antennas were often recommended since the horizontal range is
increased and the clients are primarily in the horizontal direction.
However, in many retail environments, the available mounting locations for APs and antennas may be
separated significantly in the vertical direction from the client locations. For example, if the antennas
are ceiling mounted the APs and antennas may be all in the same horizontal plane (at the ceiling height)
but separated by 30 to 40 feet from the clients in the vertical direction. In this case, the down-tilt
omnidirectional antenna is recommended because it achieves two goals:
1. The direction of maximum gain is at 45 degrees downward from the antenna location (directed
toward the clients).
2. The signal level directed at other antennas/APs is lowered, which helps to reduce AP to AP
interference.
The example below shows the details of how antenna pattern and gain are inter-related. In this
example, it is shown how a 3 dBi antenna (the downtilt or “squint” omnidirectional) can provide a
stronger signal to the clients than the 10 dBi high-gain omnidirectional antenna. The high-gain antenna
is commonly called a “stick omni” because it is tall and thin.
Case Study
This case study addresses the question: When does a 3 dBi antenna provide a stronger signal than a 10
dBi antenna?
A common oversight in RF planning is to select antennas based on stated gain without consideration of
the antenna pattern. This example illustrates how gain and pattern should be considered together for
the case of ceiling mounted antennas in a warehouse. The conclusion is not trivial: the low-gain
omnidirectional (3 dBi) actually provides a 20 dB stronger signal in both directions to the clients than
the high-gain 10 dBi omnidirectional antenna. At the same time AP-AP interference is reduced
significantly.
The squint is technically a directional antenna, because it faces down. However, the antenna is
electrically designed to provide standard vertical polarization, and in the horizontal plane it operates as
a full 360 degree omnidirectional. The antenna has a very low gain (3 to 5 dBi depending on frequency).
This creates a tight, well-formed "cell" with the bulk of the signal focused down towards clients. This
can be visualized as follows.
The horizontal range of the squint antenna is much less than that of the high-gain antenna due to the
lower gain. Note that the plots above are for two APs operating on the same channel, 54 Mbps coverage,
and a reduced power setting (10 dBm). Figure 90 shows the vertical coverage of the same two antennas,
which are mounted at a 40 foot height.
The elevation view shows the vertical pattern of both antennas when mounted at the same height. A
more detailed analysis of the 2D pattern plots can show the performance difference in another way.
Figure 91 shows the pattern plot for the high-gain antenna.
Figure 91 (pattern plot of the high-gain antenna; annotations: "Highest gain is directed at next AP instead of clients!" and "10 dBi - 20 dBi = -10 dBi at 80°")
This figure shows that the gain in the direction of other APs at the same mounting height is 10 dBi.
However, the gain in the direction of clients (defined as -20° to -80° down angle) ranges from 0 dBi to
-10 dBi.
For the low-gain squint omnidirectional antenna, the nominal gain is lower, but the direction of
maximum gain is 45° downward in the vertical plane and the vertical beamwidth is wider.
The same pattern analysis as above for the high-gain antenna shows that the signal directed at clients
ranges from -2 dBi (at -80°) to +3 dBi (at -45° down angle). Thus, the signal in the direction of the clients
(-20° to -80° down angle) is the same at -20° and up to 13 dB stronger elsewhere in this range than the
high-gain omnidirectional antenna.
Pattern plot of the squint omnidirectional antenna (annotations: "Direction of maximum gain at -45° to ceiling, max gain = +3 dBi" and "3 dBi - 5 dBi = -2 dBi at -80°: Max gain is directed to clients!")
The squint omnidirectional antenna overcomes all of the limitations of high-gain directional antennas
for high-elevation installations. It provides more uniform coverage throughout the target area and
reduces multipath distortion. However, achieving these benefits requires a denser deployment, due to
the tighter pattern of the cells and the more uniform signal strength. The required density and cell
overlap are determined by two factors: the minimum data rate required by the client devices, and the
amount of RF high availability desired by the customer.
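To make the geometry of the case study concrete, the following Python (an added example, not from the guide) places both antennas at the 40 foot mounting height and computes the signal reaching a floor-level client as a function of horizontal distance. The elevation patterns are small lookup tables whose -20°, -45° and -80° points match the values quoted above (equal at -20°, +3 dBi against about -10 dBi at -45°, -2 dBi against -10 dBi at -80°, 10 dBi on the horizon for the stick omni); the remaining table points, the linear interpolation, the 10 dBm transmit power and the free-space loss model are assumptions of the example.

```python
import math

C_M_PER_S = 299_792_458.0
FREQ_HZ = 2.4e9
MOUNT_HEIGHT_M = 40 * 0.3048    # the 40 foot ceiling mount of the case study
TX_POWER_DBM = 10.0             # the reduced power setting quoted for the coverage plots

# Elevation-plane gain (dBi) indexed by down angle in degrees below the horizontal.
# The 0 (stick), 20, 45 and 80 degree points reproduce what the case study quotes; the
# 0 degree squint value and the 90 degree entries are constructed only to close the curves.
STICK_OMNI_10DBI = {0: 10.0, 20: 0.0, 45: -10.0, 80: -10.0, 90: -10.0}
SQUINT_3DBI = {0: -3.0, 20: 0.0, 45: 3.0, 80: -2.0, 90: -4.0}


def gain_at(pattern, down_angle_deg):
    """Piecewise-linear interpolation of a tabulated elevation pattern (an assumption;
    real pattern plots are measured curves)."""
    angle = max(0.0, min(90.0, float(down_angle_deg)))
    angles = sorted(pattern)
    for lo, hi in zip(angles, angles[1:]):
        if lo <= angle <= hi:
            frac = (angle - lo) / (hi - lo)
            return pattern[lo] + frac * (pattern[hi] - pattern[lo])
    return pattern[angles[-1]]


def squint_advantage_db(down_angle_deg):
    """How much stronger the 3 dBi squint is than the 10 dBi stick in a given direction.
    Negative means the stick radiates more that way, e.g. toward neighbouring APs on the horizon."""
    return gain_at(SQUINT_3DBI, down_angle_deg) - gain_at(STICK_OMNI_10DBI, down_angle_deg)


def down_angle_deg(height_m, horizontal_m):
    """Angle below the horizontal from the antenna to a point on the floor."""
    return math.degrees(math.atan2(height_m, horizontal_m))


def free_space_path_loss_db(distance_m, frequency_hz=FREQ_HZ):
    """Standard free-space (Friis) loss; the guide's own formula did not survive extraction."""
    return (20 * math.log10(distance_m) + 20 * math.log10(frequency_hz)
            + 20 * math.log10(4 * math.pi / C_M_PER_S))


def floor_signal_dbm(pattern, horizontal_m, height_m=MOUNT_HEIGHT_M, tx_power_dbm=TX_POWER_DBM):
    """Signal at a floor-level client: power plus gain toward the client minus slant-range loss.
    Client antenna gain and cable losses are omitted; they are the same for both antennas."""
    slant_m = math.hypot(height_m, horizontal_m)
    angle = down_angle_deg(height_m, horizontal_m)
    return tx_power_dbm + gain_at(pattern, angle) - free_space_path_loss_db(slant_m)


if __name__ == "__main__":
    print(f"{'x (m)':>6} {'angle':>6} {'stick dBm':>10} {'squint dBm':>11} {'squint adv':>10}")
    for x in (2, 5, 10, 12.2, 20, 40, 80):
        stick = floor_signal_dbm(STICK_OMNI_10DBI, x)
        squint = floor_signal_dbm(SQUINT_3DBI, x)
        print(f"{x:>6} {down_angle_deg(MOUNT_HEIGHT_M, x):>6.1f} {stick:>10.1f} "
              f"{squint:>11.1f} {squint - stick:>10.1f}")
```

Directly beneath and out to roughly the mounting height, where the down angle is steep, the squint delivers up to 13 dB more to the floor while radiating 13 dB less along the ceiling toward the next AP; far out, where the angle flattens below 20°, the stick's horizon gain wins back the horizontal range the text attributes to it. That crossover is why the case study pairs the squint with a denser deployment.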
With respect, professional wireless designers generally think in terms of 2D pattern plots, and often do
not fully consider or have the tools to model 3D behavior. In this section we attempt to help explain and
visualize issues that specifically affect these deployment scenarios.
Figure (panels: Plan View, Elevation View)
Note how narrow the vertical beamwidth of the high-gain antenna is and that the main lobe does not
touch the ground. And while the wider vertical beamwidth of the lower-gain antenna does touch the
ground, it is only the bottom portion of the main lobe, meaning that most of the signal is wasted
overhead. Both antennas could benefit from mechanical downtilt.
[Figure: Elevation View, 12 dBi (ANT-82) and 7 dBi (ANT-83) antennas.]
The first surprise is that one can see that the narrow vertical beamwidth antenna on the left sacrifices
close-in coverage in order to achieve greater range. This is the “null” area underneath the antenna before
the pattern hits the ground. Mechanical downtilt cannot fully compensate for this. This is not an issue on
the right, where more of the main lobe of the wide vertical beamwidth antenna now hits the ground.
In Figure 95, we increase the mechanical downtilt to 15 degrees. One can see that at 10 degrees, the
wide vertical beamwidth antenna on the right was already optimized for the target area. Increasing to 15
degrees just starts reducing coverage. For the narrow vertical beamwidth antenna on the left, 15
degrees still leaves a large gap near the antenna and the range (distance) advantage is no longer
present. Note that the main lobe of the high-gain antenna now completely bisects the ground before the
end of the coverage zone.
[Figure: Plan View.]
Further increasing the downtilt to 30 degrees (as shown in Figure 96) for the narrow vertical beamwidth
antenna, in an attempt to get better coverage close to the AP, results in a distorted and narrow coverage
pattern (only the lighter shaded area in the figure is at ground level).
The second surprise is that at relatively modest mounting heights (e.g., 40-50 feet and common in this
facility type) and small mechanical downtilts (10-15 degrees) the narrow vertical beamwidth antenna
ends up painting only a small stripe on the ground. This is the opposite of what the wireless designer
intended, which was to provide uniform coverage throughout the coverage area.
[Figure (Retail_139): null zone of a narrow vertical beamwidth antenna; distances marked 447 m and 1,500 m.]
This diagram is typical of a 12-14 dBi antenna with an 8 degree vertical beamwidth, assumed to be
mounted at 30 meters with no downtilt.
Contrast this with a wide vertical beamwidth directional antenna, in this case a 5 dBi, 60 degree sector,
which has a null zone of just 50 meters or so from the same mounting height (see Figure 98). Increasing
the gain by a little more than 2X thus results in a 9X increase in the size of the null zone.
[Figure 98 (Retail_140): wide vertical beamwidth antenna, ground level; distances marked 53 m and 600 m.]
Assuming that the wireless designer is determined to use the narrow vertical beamwidth antenna, there
are two methods available to reduce the size of the null area:
1. Use mechanical downtilt. However, as we have seen, relatively small amounts of downtilt (just 15
degrees) produce the striping effect and effectively reduce the overall coverage area.
2. Reduce the mounting height. This is the only effective way to maximize the coverage area of a
narrow vertical beamwidth antenna while minimizing the null. For this reason, Aruba recommends
that high-gain directionals used for client coverage (as opposed to point-to-point links) should never
be mounted higher than about 30 feet with a maximum of about 5 degrees of mechanical downtilt.
Unfortunately, reducing the mounting height of a narrow vertical beamwidth directional also renders
the main lobe more vulnerable to LOS obstructions.
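As an added worked example (not from the Aruba guide), the following Python models the null zone and ground footprint described in this section using simple flat-ground geometry: the main lobe is taken to be bounded by its -3 dB edges, a vertical beamwidth of vbw_deg is centred on the horizon before any mechanical downtilt, and side lobes, ground reflections and obstructions are ignored. The mounting heights, beamwidths and tilt angles in the scenarios are the ones quoted above; the function names and the choice of 5.8 GHz-agnostic geometry are this example's own. The model reproduces the section's figures only approximately (it gives roughly 430 m rather than 447 m for the 8 degree antenna at 30 m), but it shows the striping effect at 15 degrees of tilt and why the wide vertical beamwidth antenna is unaffected by the same tilt.

```python
import math


def null_zone_m(height_m, vbw_deg, downtilt_deg=0.0):
    """Ground distance from the mast to the near edge of the main lobe.

    The near edge is where the lower -3 dB edge of the lobe, pointing
    downtilt_deg + vbw_deg/2 below the horizon, meets flat ground.
    Returns math.inf when that edge never reaches the ground.
    """
    lower_edge_deg = downtilt_deg + vbw_deg / 2.0
    if lower_edge_deg <= 0.0:
        return math.inf
    return height_m / math.tan(math.radians(lower_edge_deg))


def ground_footprint_m(height_m, vbw_deg, downtilt_deg=0.0):
    """(near, far) ground distances bounded by the main lobe's -3 dB edges.

    far is math.inf while the upper edge still points at or above the
    horizon; once downtilt exceeds half the beamwidth the upper edge also
    hits the ground and the lobe paints only a stripe between near and far.
    """
    near = null_zone_m(height_m, vbw_deg, downtilt_deg)
    upper_edge_deg = downtilt_deg - vbw_deg / 2.0
    if upper_edge_deg <= 0.0:
        return near, math.inf
    return near, height_m / math.tan(math.radians(upper_edge_deg))


FEET_TO_M = 0.3048

# Scenarios taken from the section text: the 12-14 dBi / 8 degree antenna
# versus the 5 dBi / 60 degree sector, at the heights and tilts discussed.
SCENARIOS = [
    # (label, height in m, vertical beamwidth in deg, downtilt in deg)
    ("8 deg beam, 30 m, no tilt", 30.0, 8.0, 0.0),
    ("60 deg beam, 30 m, no tilt", 30.0, 60.0, 0.0),
    ("8 deg beam, 50 ft, 15 deg tilt", 50 * FEET_TO_M, 8.0, 15.0),
    ("60 deg beam, 50 ft, 15 deg tilt", 50 * FEET_TO_M, 60.0, 15.0),
    ("8 deg beam, 30 ft, 5 deg tilt", 30 * FEET_TO_M, 8.0, 5.0),  # Aruba's recommended limits
]


def footprint_report():
    """Return {label: (near_m, far_m)} for every scenario."""
    return {label: ground_footprint_m(h, bw, tilt) for label, h, bw, tilt in SCENARIOS}


if __name__ == "__main__":
    for label, (near, far) in footprint_report().items():
        far_txt = "the horizon" if math.isinf(far) else f"{far:7.1f} m"
        print(f"{label:34s} null zone {near:7.1f} m, main lobe reaches {far_txt}")
```

Running the block prints one line per scenario. The 8 degree antenna at 50 ft and 15 degrees of tilt covers only a stripe from about 44 m to 78 m, while the 60 degree sector at the same height and tilt starts 15 m from the mast and still reaches the horizon, which is the "second surprise" described above in numbers.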
Conclusions
Here is a short summary of the key points from this section:
High-gain antennas are primarily intended for long-distance, point-to-point connections, not close-in
client coverage.
Vertical beamwidth is more important than horizontal beamwidth in determining the experience of
clients.
Mechanical downtilt is not a good solution to compensate for narrow vertical beamwidth, and it has
the effect of reducing the size of the main antenna lobe that reaches the ground.
High mounting heights are not compatible with narrow vertical beamwidth antennas due to the size
of the null zone between the antenna and 3 dB points.
Low mounting heights are easily obstructed by container stacks and mobile equipment.
More power creates more reflections, increasing the overall amount of RF distortion.
An effective alternative overhead strategy uses low-gain “squint” omnis in intermodal facilities.
Summary of Differences
It is a basic fact of physics that lower frequency radio energy travels farther through cables, through the
air, and through and around ground clutter like trees, hills, and buildings. Here are some examples of
propagation loss in three commonly used unlicensed frequency bands. Because these are expressed in
terms of loss, they are independent of the initial Equivalent Isotropically Radiated Power (EIRP) from a
transmitter/antenna combination.
Free Space Loss. The loss due to radio energy passing through air with a clear Fresnel zone.[1]
Generally, a 900 MHz signal travels through air with much less loss than does a higher frequency
signal.
Cable Loss. The loss expected due to radio energy passing through RF cables.[2]
Wall and Glass Loss. The loss expected due to radio energy being absorbed or reflected while
passing through the walls and windows of a building. The amount of absorption or reflection varies
depending on the construction materials and thickness of the material. Generally, more energy is
absorbed at the higher frequencies.
In addition to differences in propagation losses, 900 MHz enjoys certain constructive advantages that
are not present at higher frequencies, or that may even be destructive to RF energy there because of
the shorter wavelengths. These include:
Gains from Reflection. In the real world, radio energy does not follow just one path from the
transmitter to the receiver. In a cluttered NLOS environment (e.g., lots of buildings surrounding the
receiving modem), the received signal is really the sum of many signals that have reflected off
surrounding buildings, the ground, trees etc. With higher frequencies, more of the signal gets
absorbed during a reflection. With lower frequency 900 MHz signals, more energy will ultimately
reach the receiving antenna, benefiting from the reflections.
[1] See http://www.timesmicrowave.com/calculators/index.htm
[2] Use the common formula: Free Space Loss = 20 log10(Frequency in MHz) + 20 log10(Distance in km) + 32.4
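As an added example (not part of the Aruba guide), the Python below evaluates the free-space loss formula quoted in footnote 2 across the bands discussed in this section and converts the dB penalty of the higher bands into an equivalent-range figure. The guide names only 900 MHz explicitly; taking 2.4 GHz and 5.8 GHz as the other two unlicensed bands is this example's assumption, as are the function names. Cable loss and wall/glass loss depend on the specific cable and construction materials and are not modelled here.

```python
import math


def free_space_loss_db(freq_mhz, dist_km):
    """Free-space path loss in dB, using the formula quoted in the footnote:
    20 log10(f in MHz) + 20 log10(d in km) + 32.4."""
    if freq_mhz <= 0 or dist_km <= 0:
        raise ValueError("frequency and distance must be positive")
    return 20.0 * math.log10(freq_mhz) + 20.0 * math.log10(dist_km) + 32.4


def band_comparison(dist_km, bands_mhz=(900, 2400, 5800)):
    """Loss at dist_km in each band, and the extra loss relative to the first
    (lowest) band. Band centre frequencies are an assumption of this example."""
    reference = free_space_loss_db(bands_mhz[0], dist_km)
    result = {}
    for f in bands_mhz:
        loss = free_space_loss_db(f, dist_km)
        result[f] = {"loss_db": loss, "penalty_db": loss - reference}
    return result


def equal_loss_range_km(freq_mhz, ref_freq_mhz, ref_dist_km):
    """Distance at freq_mhz that has the same free-space loss as ref_dist_km
    at ref_freq_mhz. Because both frequency and distance enter the formula as
    20 log10 terms, equal loss means f * d is constant, so range scales with
    ref_freq / freq; this is the free-space part of the 900 MHz range advantage."""
    return ref_dist_km * ref_freq_mhz / freq_mhz


if __name__ == "__main__":
    for f, v in band_comparison(1.0).items():
        print(f"{f:5d} MHz at 1 km: {v['loss_db']:6.1f} dB "
              f"(+{v['penalty_db']:4.1f} dB versus 900 MHz)")
    for f in (2400, 5800):
        print(f"{f} MHz reaches {equal_loss_range_km(f, 900, 1.0):.3f} km "
              f"for the same loss as 900 MHz at 1 km")
```

At 1 km the formula gives about 91.5 dB at 900 MHz, roughly 8.5 dB more at 2.4 GHz and about 16.2 dB more at 5.8 GHz; equivalently, for the same link budget 2.4 GHz reaches only 0.375 of the 900 MHz free-space distance. These figures are free-space only, so the reflection and absorption effects described in the text come on top of them.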
Appendix B
Client Device Interoperability Matrix
Mobile applications in the extended retail industry (retail stores, warehouses, and factory floors) are
unique in that they are not run on traditional Windows-based laptop-type devices. On the contrary,
mobile applications run on a wide variety of application-specific devices (ASDs) that differ in form,
input and output capabilities, operating systems, security capabilities, radio types, and more. Fifteen
years and three generations of mobile device technology have further added to the mix of mobile
devices that must be supported on the mobility infrastructure.
To validate Aruba's device-agnostic architecture, the Aruba solution is tested with a broad set of
application-specific devices for interoperability, security, and mobility performance metrics. The
following sections outline the devices tested, the security modes supported, and the mobility performance
metrics measured.
This Interoperability Matrix is updated periodically. The most recent version may be found at:
http://www.arubanetworks.com/support/interoperability.php
Tested Devices
Table 27 lists all of the mobile devices tested with the Aruba mobility infrastructure. The list includes
relevant details such as vendor, model, operating system and software version for each device.
Table 27 List of Devices Tested on Aruba Infrastructure (Continued)
Vendor Device Type Static WEP WEP + .1x WPA-PSK WPA + .1x WPA2-PSK WPA2 +.1x
Symbol PPT8800 x x x x x
Symbol PPT8100 x x x x x
Symbol MK2000 x x x x x
Symbol WT4090 w/PEAP w/PEAP x x
Table 28 Security Mode Matrix (Continued)
Vendor Device Type Static WEP WEP + .1x WPA-PSK WPA + .1x WPA2-PSK WPA2 +.1x
Symbol PDT6800 x x x x x
Intermec T2425 x x x x x
Vocollect Talkman T5 x x x x
Zebra RW220 x x x x
Vendor | Device Type | Fast Roaming | PSP Support | Standby Roaming | Load Balancing | Battery Boost
Symbol MC3000
Symbol MC50
Symbol MC70
Symbol MC9000
Table 29 Mobility Performance Matrix (Continued)
Vendor | Device Type | Fast Roaming | PSP Support | Standby Roaming | Load Balancing | Battery Boost
Symbol PPT8800
Symbol PPT8100
Symbol VC5090
Symbol MK2000
Symbol WT4090
Symbol PDT6800
Intermec CN2
Intermec CN3
Intermec CK31
Intermec CK60
Intermec T2425
Intermec T2455
Intermec CV60
Teklogix 7530
Teklogix 7535
Vocollect Talkman T5
Zebra QL220
Appendix C
Worksheets
Device Description | Facility Type(s) (from Table 2) | Application Type(s) Used (from Table 3) | # Deployed: Current | # Deployed: Future | Users per Facility (Average) | Minimum 802.11 Performance Requirement: Data Rate | Minimum 802.11 Performance Requirement: SNR
Table 32 Facility Inventory Worksheet
Facility Type | Qty | Facility Addresses / Store IDs | Average Square Footage | Max Ceiling Height | Digital Floor Plan Available | Country/Regulatory Domain | WAN Backhaul Type/Speed | WAN Link Latency | Local Controller
Distribution Centers
Size Band 1
Size Band 2
Size Band 3
Size Band 4
Size Band 5
Size Band 6
Size Band 1
Size Band 2
Size Band 3
Size Band 4
Size Band 5
Size Band 6
Size Band 1
Size Band 2
Size Band 3
Size Band 4
Size Band 5
Size Band 6
Table 33 Hardened Environment Inventory Worksheet
Facility Type | Hardened Area Type(s) Per Location | Hardened Area Count(s) Per Location | Average Square Footage | AP Model | Thermal Limits (Min or Max) | 2.4GHz Antenna Model & Mount | 5 GHz Antenna Model & Mount | AP Backhaul Method
Distribution Centers
Size Band 1
Size Band 2
Size Band 3
Size Band 4
Size Band 5
Size Band 6
Size Band 1
Size Band 2
Size Band 3
Size Band 4
Size Band 5
Size Band 6
Size Band 1
Size Band 2
Size Band 3
Size Band 4
Size Band 5
Size Band 6
Table 34 User Device Types and Authentication Modes Matrix
User Device Types | High-Security (WPA2/802.1x) | Preshared Key Security (WPA/WPA2 with PSK) | Legacy Security (WEP with PSK) | Captive Portal (no PSK) | Voice (WPA/WPA2 with PSK)
Manager Device
POS Terminal
Inventory Device (New)
Inventory Device (Legacy)
Guest Device
Voice Handset
Device #7
Device #8
Device #9
Device #10
Device #11
Device #12
Table 35 QoS Settings Inventory
QoS Configuration | Handset Capability (see Table 2) | Controller Configuration | Handset Configuration
Band Selection
Adaptive Radio Management
Separate SSIDs
Authentication
Design Parameters
VLAN Settings
Battery Life
RF Management
Capacity Planning