Cisco on Cisco

Wireless Case Study: How Cisco Upgraded Its Wireless Infrastructure


Next-generation WLAN provides expanded coverage, greater cost savings, improved security, and increased productivity gains.
BACKGROUND

In 2000, Cisco® IT designed and deployed a global WLAN infrastructure that serves all Cisco offices. Originally designed as a secondary network for intermittent data usage, the WLAN proved very popular with Cisco's highly mobile workforce. Within two years, nearly 25 percent of Cisco employees were using the WLAN as their primary network access medium, and many were also using a variety of wireless voice services.

By 2005, it was clear that an upgrade of the WLAN infrastructure was necessary as user adoption continued to increase. What was originally a secondary network was now deemed business-critical by the majority of Cisco employees, with 81 percent of users describing the WLAN as "critical" or "extremely important" for their day-to-day productivity. The original infrastructure was reaching the end of its useful lifetime, and many components were no longer sold or supported. Additionally, Cisco business managers were calling for improvements in service availability and operations; business objectives for the upgraded infrastructure included reduced support costs, enhanced stability and security, and an increased Service Level Agreement. Perhaps most importantly in today's business environment, the existing WLAN could not offer the performance and stability required for high levels of wireless voice and video traffic.

CHALLENGE

The challenge for Cisco IT was to continue providing a global wireless LAN that could serve as a primary access medium and deliver more bandwidth and coverage to more users, while satisfying the company's business requirements. The next-generation WLAN would also need to provide native support for wireless voice and video, with high levels of accessibility, availability, and security to reduce service-impacting incidents. (Table 1)

Table 1. Cisco IT Objectives for the Next-generation WLAN Architecture

Accessibility
  • Increase WLAN coverage, accessibility, and performance for more than 60,000 active users
  • Support WLAN use as a primary access medium for all business applications, on a variety of devices, and with a user experience close to that of the wired network
  • Give visitors managed, secured, authorized, and Cisco-branded access to the Internet
  • Provide outdoor coverage in selected campus areas

Availability
  • Implement a new WLAN network management tool suite that provides visibility into service-impacting incidents
  • Support new features such as fast Layer 2 roaming, Call Admission Control (CAC), and Quality of Service (QoS)
  • Implement a self-configuring, self-healing WLAN infrastructure to increase service availability and reduce total cost of ownership through a lower need for operational support

Security
  • Limit vulnerability to security attacks and loss of intellectual property by detecting rogue access points through radio-based scanning
  • Support 802.11i security standards
  • Support Wi-Fi Protected Access (WPA) and WPA2 security interoperability standards

"Our goal was to deploy an enterprise-class, on-demand wireless network that is suitable as a primary access medium," says Oisín Mac Alasdair, Cisco IT program manager for wireless strategy and architecture. "In the short term, we want to support at least 50 percent of our users adopting wireless as their regular network access method. Over the longer term, that percentage should continue to rise."

SOLUTION

The Cisco Next-Generation WLAN program, which began in May 2006, will evolve Cisco IT's existing indoor wireless network infrastructure into a more available, stable, and secure network. Cisco IT will increase the number of access points - from 3100 to more than 6000 - in more than 300 Cisco locations worldwide and deploy the latest intelligent and fully integrated Cisco wireless products.

Figure 1. The overall architecture for the Cisco WLAN upgrade reaches from the Cisco headquarters campus to small sales offices.


The next-generation WLAN is based on the Cisco Unified Wireless Network solution, which combines centralized Cisco Wireless LAN Controllers with Lightweight Access Point Protocol (LWAPP)-enabled access points, and distributed, autonomous access points based on Cisco IOS Software. (Figure 1)

Campus sites. At main campuses, the new WLAN design uses 100 or more Cisco Aironet® 1130AG Series access points. The Cisco Aironet 1130AG Series is an ideal choice for these large sites, because it offers enterprise-class features such as high-performance 802.11a and 802.11g radios, integrated antennas, and 802.11i security compliance.

Campus buildings are served by two or more Cisco Catalyst® 6500 Series switches with Wireless Services Modules (WiSMs). Authorized user traffic is carried over LWAPP tunnels, while guest traffic is carried in a generic routing encapsulation (GRE) tunnel.

The WLAN is managed with internal systems and the Cisco Wireless Control System (WCS), which provides comprehensive tools for planning, monitoring, and control. (Figure 2) Location servers installed in a Cisco data center enable delivery and management of location-based services for users.

Figure 2. Design for a campus site in the Cisco next-generation WLAN architecture.


Large and midsized field sales offices. Large and midsized field offices will also use a centralized WLAN solution, with up to 98 Cisco Aironet 1130AG Series access points that are controlled by dual Cisco 4400 Series Wireless LAN Controller appliances and managed by the Cisco WCS. (Figure 3) The Cisco 4400 Series controllers manage officewide WLAN functions such as security policies, intrusion prevention, Auto RF, QoS, and mobility.

Small field sales offices. The smallest offices will use up to four Cisco Aironet 1200 Series access points running Cisco IOS Software. No local WLAN controller is required because a dedicated access point provides wireless domain services. These small office WLANs will be managed with the Cisco Wireless LAN Solution Engine (WLSE). (Figure 4)

Wireless clients. In conjunction with the global upgrade of the WLAN architecture, the Cisco Secure Services Client will be supported on all client endpoints. The adoption of a single authentication framework allows Cisco IT to standardize on a single client for all devices, which simplifies support and reduces the company's total cost of ownership for wireless networking. The Cisco Secure Services Client is also compatible with a wide range of wireless adaptors that support the Cisco Compatible Extensions (CCX) program.

Figure 3. The WLAN design for large and midsized field offices is also based on a centralized architecture.


New capabilities. The new WLAN architecture supports enhanced capabilities such as location-based services; improved guest access; enhanced wireless voice services for dual-band phones and other user devices; and outdoor coverage on campus sites. The architecture also strengthens security through an integrated wireless intrusion detection system (IDS), improved detection of rogue access points, Wi-Fi Protected Access 2 (WPA2), and wireless network admission control (NAC).



RESULTS

As of late 2006, the WLAN upgrade was complete for the Cisco headquarters campus in San Jose, California, and deployment was under way in other locations. With nearly 40 percent of Cisco employees working at the headquarters site, the early results achieved at this campus indicate the value to be obtained from the remaining deployments.

With the next-generation WLAN and Cisco Unified Wireless Network solutions, Cisco employees will experience a better wireless network. In addition, Cisco will gain the benefits of cost savings, greater network stability, and continued productivity gains.

User bandwidth increases by 600 percent. One of the program's main benefits is a 600 percent increase in aggregate wireless bandwidth, achieved by nearly doubling the number of access points at each location and using higher-bandwidth protocols. Previously, the Cisco WLAN was based on the 802.11b standard, which provides up to 11 Mbps of bandwidth, with approximately 6 Mbps data throughput in real-world circumstances. In addition, the user-to-access point ratio was 25:1, which yielded approximately 245 kbps bandwidth per user on a fully utilized access point.

Figure 4. In small offices, the WLAN is implemented with a distributed design for autonomous operation and management.


The next-generation WLAN infrastructure supports the 802.11a and 802.11g standards, which provide up to 54 Mbps bandwidth with around 25 Mbps throughput in real-world circumstances. By increasing the number of access points at each location, the user-to-access point ratio will be 15:1 in most circumstances. This configuration yields approximately 2.3 Mbps bandwidth per user on a single radio interface.

The new WLAN will also gain bandwidth by supporting both 2.4 and 5 GHz bands for clients and access points. In comparison, the initial WLAN supported only 2.4 GHz band communications.

Greater availability and reliability. Several factors contribute to higher availability and reliability for the WLAN. The new WLAN architecture is designed for greater resilience, which improves wireless network stability and security. Response time for reported problems is now faster (at a priority 2 service level), because the WLAN is considered important to daily operations. Initial data indicate that the new WLAN delivered a 95 percent reduction in incidents that affect service to users. This result is significantly better than the Cisco IT target of a 75 percent reduction in service-impacting incidents, and has provided an estimated cost avoidance in excess of US$1.4 million per year. In addition, the next-generation WLAN has more flexible administration functions, as well as the ability to self-heal and to detect threats such as unauthorized access points.

Operational optimization. "We expect to achieve a sustained 30 percent reduction in operational expense, far more than our projected savings of 10 percent," says Mac Alasdair. These cost savings, in excess of US$120,000 in personnel costs alone, are obtained primarily by using the Cisco WCS, which enables proactive WLAN support. Additional cost reduction measures include improved mean time to repair (MTTR), fewer support cases opened and escalated, and improved security and manageability of the wireless network.

New security capabilities. The upgrade introduces wireless intrusion detection and prevention capabilities and RF-based detection of rogue access points, while maintaining current systems and protocols for user authorization and authentication. Also introduced is support for Management Frame Protection (MFP) and integration with the Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS).
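The RF-based rogue detection described above comes down to comparing what a scanning radio hears against the inventory of managed access points and the corporate SSIDs, then ranking whatever does not match. The following Python is an added illustration of that triage; it is not Cisco IT's code or the WIDS logic of the Cisco Wireless LAN Controller. The beacon record format, the inventory, the SSIDs, the BSSIDs and the -70 dBm on-premises threshold are all constructed for the example.

```python
"""Rogue-AP triage over beacon reports from a radio scan.

Added example for this case study; it is not Cisco IT's code.  The record
schema, BSSIDs, SSIDs and thresholds below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed inventory of managed access points: BSSID -> (SSID, cipher suite).
AUTHORIZED_APS = {
    "00:1a:2b:00:00:01": ("corp-wlan", "WPA2-AES"),
    "00:1a:2b:00:00:02": ("corp-guest", "OPEN"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}

# Ordering used to decide whether an observed AP is weaker than policy.
CIPHER_RANK = {"OPEN": 0, "WEP": 1, "WPA-TKIP": 2, "WPA2-AES": 3}

# Assumed threshold: a beacon this strong is almost certainly inside the building.
ON_PREMISES_RSSI_DBM = -70


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    verdict: str   # authorized | policy-mismatch | spoofed-bssid | evil-twin | rogue | neighbor
    rssi: int


def classify_beacon(rec, authorized=AUTHORIZED_APS, corp_ssids=CORPORATE_SSIDS):
    """Map one beacon report to a Finding.

    rec is a dict with keys bssid, ssid, cipher and rssi (constructed schema).
    """
    bssid = rec["bssid"].lower()
    ssid, cipher, rssi = rec["ssid"], rec["cipher"], rec["rssi"]
    if bssid in authorized:
        exp_ssid, exp_cipher = authorized[bssid]
        if ssid != exp_ssid:
            # One of our BSSIDs advertising a foreign SSID: someone is cloning the radio.
            verdict = "spoofed-bssid"
        elif CIPHER_RANK[cipher] < CIPHER_RANK[exp_cipher]:
            # Weaker suite than policy on a managed BSSID: either a misconfigured
            # AP or a rogue cloning it.  A beacon alone cannot tell which; investigate.
            verdict = "policy-mismatch"
        else:
            verdict = "authorized"
    elif ssid in corp_ssids:
        # Unmanaged radio using a corporate SSID: honeypot / evil twin, whatever the RSSI.
        verdict = "evil-twin"
    elif rssi >= ON_PREMISES_RSSI_DBM:
        # Strong, unknown, non-corporate SSID: likely an unauthorized AP inside our space.
        verdict = "rogue"
    else:
        # Weak signal, unknown SSID: most likely a neighbouring business.
        verdict = "neighbor"
    return Finding(bssid, ssid, verdict, rssi)


def triage(scan, **kw):
    """Classify every beacon and return (findings, counts by verdict)."""
    findings = [classify_beacon(r, **kw) for r in scan]
    return findings, Counter(f.verdict for f in findings)


# Constructed scan: what one scanning radio might report during a sweep.
SAMPLE_SCAN = [
    {"bssid": "00:1A:2B:00:00:01", "ssid": "corp-wlan", "cipher": "WPA2-AES", "rssi": -48},
    {"bssid": "00:1a:2b:00:00:02", "ssid": "corp-guest", "cipher": "OPEN", "rssi": -55},
    {"bssid": "00:1a:2b:00:00:01", "ssid": "corp-wlan", "cipher": "WPA-TKIP", "rssi": -50},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "corp-wlan", "cipher": "WPA2-AES", "rssi": -82},
    {"bssid": "00:1a:2b:00:00:02", "ssid": "free-wifi", "cipher": "OPEN", "rssi": -60},
    {"bssid": "c0:ff:ee:00:00:07", "ssid": "linksys", "cipher": "WEP", "rssi": -61},
    {"bssid": "c0:ff:ee:00:00:08", "ssid": "cafe-next-door", "cipher": "WPA2-AES", "rssi": -88},
]

if __name__ == "__main__":
    findings, counts = triage(SAMPLE_SCAN)
    for f in findings:
        if f.verdict != "authorized":
            print(f"{f.verdict:15} {f.bssid} ssid={f.ssid!r} rssi={f.rssi} dBm")
    print(dict(counts))
```

Run directly, the script prints every non-authorized finding and a count per verdict. The evil-twin rule deliberately ignores signal strength: a honeypot advertising the corporate SSID is a threat to roaming clients even when it is heard faintly, which is exactly the case an RSSI-only heuristic would misfile as a neighbour.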

New services for users. "The next-generation wireless LAN will enable us to pursue several new technologies in our Cisco IT plan, such as location-based services and RF-based rogue AP detection," says Sergey Shitov, a Cisco IT engineer and the technical track lead for the next-generation WLAN project. "Wireless access will also be available in certain outdoor areas for the first time, allowing employees to continue communications as they move between buildings." Mac Alasdair says, "To support wireless voice and video, you need a much more robust network that can deliver the quality expected by users. Our new wireless LAN natively supports quality features such as fast Layer 2 roaming, call admission control, and QoS that could not be delivered by our previous implementation."

Table 2 shows the differences between Cisco's original WLAN deployment and the next-generation WLAN upgrade.

Table 2. Characteristics of Cisco's Original and Upgraded Wireless Networks
(2005 = Cisco Internal WLAN in 2005; 2007 = Cisco Next-Generation WLAN in 2007)

Infrastructure
  2005: 3100+ access points: 75 percent Cisco Aironet 350 Series models, 25 percent Cisco Aironet 1200 Series models
  2007: 6000+ access points, Cisco Unified Wireless Network solution with LWAPP-based and Cisco IOS Software-based access points

Coverage
  2005: 380+ buildings/sites in 85+ countries; over 50,000 active wireless users; 25 users per access point
  2007: Expanded coverage within buildings as well as outdoor coverage on major campuses; over 60,000 users with a variety of access devices; 15 users per access point

Quality of Service
  2005: Proprietary Enhanced Distributed Coordination Function (EDCF)
  2007: Wi-Fi Multimedia (WMM) and planned migration to the 802.11e standard

User devices
  2005: Approximately 60,000 wireless PC clients and approximately 2000 Cisco 7920 IP Phone wireless handsets; primarily Cisco adaptors, but Cisco Compatible Extensions (CCX) clients are appearing; nearly 3000 PDAs
  2007: CCX-compliant devices such as PCs and PDAs; 802.11a/b/g wireless IP phones

Security
  2005: Cisco Secure Access Control Server for user authentication, authorization, and accounting (AAA); Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST); Cisco Key Integrity Protocol (CKIP); and WPA/Temporal Key Integrity Protocol (WPA/TKIP)
  2007: 802.11i-compliant wireless intrusion detection systems (WIDS); RF-based rogue AP detection; Management Frame Protection (MFP); integration with Cisco CS-MARS; continued support for security solutions including EAP-FAST, WPA/TKIP, and WPA2/Advanced Encryption Standard (WPA2/AES)

Guest access
  2005: Hotspot.cisco.com portal, a global solution that uses Cisco Building Broadband Service Managers (BBSM) for guest networking
  2007: Integration with current solutions for guest networking

Management
  2005: Internal systems and Cisco WLSE

Continued productivity gains. An internal survey conducted by Cisco IT in 2005 found that, on average, Cisco employees gain almost one and one-half hours of productive time every day by using wireless access. This productivity gain is an enormous benefit to the company, yielding a value of more than US$24,000 per user annually.

The new WLAN will sustain the ongoing benefits of productivity, reduced cabling costs, and the ability for employees to share work spaces. Cisco IT expects that improved coverage and increased stability of the WLAN will create time savings of an additional 20 minutes per day for primary WLAN users. For the 12,500 new users who are expected to be served by the WLAN upgrade, these time savings have a value of approximately US$5700 per new user per year, for a total new productivity gain valued at US$71 million annually.

For more survey results, see the Cisco IT case study "Wireless LAN Benefits" at: http://www.cisco.com/web/about/ciscoitatwork/mobility/wireless_lan_benefits.html

LESSONS LEARNED

Cisco customers can benefit from the lessons learned by Cisco IT during the initial WLAN deployment and the next-generation upgrade.

Regulatory issues. Different access points and wireless interface cards are required in certain parts of the world because the 802.11a standard may not be approved in some countries, or not yet approved in its most recent version. Particularly in emerging market countries, regulatory requirements are more complex, and wireless standards are more controlled. As a result of these issues, Cisco has not been able to use the same access point model in every country. This difference has not significantly affected the support requirements or benefits achievable from the new WLAN.

Transition resources. Certain operational and support resources were required during the deployment of the new WLAN solutions. During the architecture and design phases of the project, several network design engineers created and tested the design, and all required documentation using local and remote labs. In addition, several network operations engineers implemented the proposed design at pilot sites for limited-duration tests and Cisco network management personnel created the interface to Cisco IT's internal network management systems. Additional Cisco IT staff created technical documentation and conducted training globally for the implementation and support engineers.

During the implementation phase, several project managers monitored the implementation schedule and activity. The installation of the new wireless equipment was performed by both Cisco employees and outsourcers.

Indoor and outdoor deployments. Cisco IT developed separate deployment plans for indoor and outdoor coverage, reflecting differences in scope, architecture design, and user needs and expectations for service levels. Upgrading indoor coverage was given a higher priority than installing new outdoor access.

NEXT STEPS

The rollout of the new wireless LAN solutions across the company is expected to be finished by mid-2007. After the initial deployment is complete, Cisco IT plans to undertake enhancements such as the following:

  • Deploying the Cisco Secure Services Client software to replace current wireless clients.
  • Increasing security, problem detection, and self-healing capabilities for service-impacting incidents.
  • Delivering wireless voice (Wi-Fi VoIP) with the same quality as wired VoIP on a wide variety of user devices.
  • Supporting Layer 3 roaming services for continuity of coverage among wireless networks.
  • Reporting the presence status of live devices and RFID Wi-Fi tags, as well as interacting with client devices to collect metrics and troubleshoot problems.
  • Enabling the WLAN to deliver streaming video services.