
A simple ROBO/SOHO WLAN network design

The problem

The company's offices are in a single location that houses 20 users on two floors. The company does not have a consistent WLAN network policy, and only two access points are installed. The APs are low-cost, SOHO-grade units that support the IEEE 802.11b and IEEE 802.11g wireless standards. They are made by two different vendors, which results in more network management than necessary. The first one is located at the reception and the second one in the meeting room. They're connected directly to the local area network, so there's no real control over wireless traffic access. The users connect to the APs using a pre-shared key with WPA-PSK encryption. Recently, a new UTM firewall that also has wireless AP controller functionality (CAPWAP) was installed, but the current APs are not CAPWAP compatible.

The company would like to be able to use the WLAN network throughout its entire rented space and to have better control over the WLAN. The new WLAN network should have a single function: to provide an easy way to connect to the Internet. The WLAN should not have any access to the LAN network. The meeting room should have a ticketing system that makes WLAN access expire at the end of the business day.


The solution

The wireless survey revealed that 6 APs are needed to cover the required floors. As the installed UTM firewall also has wireless AP controller functionality (CAPWAP), we propose the use of enterprise-grade thin APs that use CAPWAP tunnels to connect to the already installed UTM firewall through the LAN. The APs support the IEEE 802.11g and IEEE 802.11n-2009 WLAN standards, which will give the wireless users more bandwidth.

The APs will be locally connected to the LAN network, but will have their own VLAN. The CAPWAP tunnelling will limit network access, so that the wireless network traffic will only have access to the Internet. Users will use WPA2-AES encryption for wireless access. The pre-shared key for internal users should be changed every year or more often, if needed.

The conference room and the reception area will use a separate SSID for WLAN access (the encryption will be the same type as for the local users). Its pre-shared key will be changed daily. A guest user will receive the daily pre-shared key on request at the reception.
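
The daily guest key described above can be modelled as follows. This is an added example, not part of the original design or of any vendor's tooling. The SSID name, the 17:00 end of business day, the 20-character length and the function names are assumptions, and pushing the new key to the AP controller is vendor-specific and left out.

```python
import hashlib
import secrets
from datetime import date, datetime, time

# Assumed values, not taken from the original page.
GUEST_SSID = "Guest-WLAN"
BUSINESS_DAY_END = time(17, 0)
# Alphabet without look-alike characters (0/O, 1/l/I) so the key can be read aloud.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"


def new_guest_passphrase(length=20):
    """Return a random passphrase; WPA2-PSK allows 8 to 63 printable ASCII characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_psk(passphrase, ssid):
    """WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def issue_ticket(day, ssid=GUEST_SSID):
    """Build the record the reception hands out for one business day."""
    passphrase = new_guest_passphrase()
    return {
        "ssid": ssid,
        "passphrase": passphrase,
        "psk_hex": derive_psk(passphrase, ssid).hex(),
        "expires": datetime.combine(day, BUSINESS_DAY_END),
    }


def ticket_valid(ticket, now):
    """A ticket stops being valid at the end of the business day it was issued for."""
    return now < ticket["expires"]


if __name__ == "__main__":
    ticket = issue_ticket(date.today())
    print(f"SSID: {ticket['ssid']}")
    print(f"Key:  {ticket['passphrase']}")
    print(f"Valid until: {ticket['expires']:%Y-%m-%d %H:%M}")
```

Because the SSID is the salt in the derivation, the same passphrase yields a different key on the guest SSID than on the internal one.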

All the installed equipment is fully IPv6 ready.

The advantages

The redesigned WLAN network will enable the use of the Internet throughout the company, but the wireless users won't have access to the LAN's resources. Temporary wireless access for guest users will also be possible. Because thin APs are now used, the wireless AP controller provides a single point of management, which will result in less work for the network administrator.

The new network will be more secure and it will offer instant wireless Internet access.