You are on page 1of 8

IT@Intel White Paper

Intel Information Technology


Business Solutions
April 2010

Managing a Global Wireless LAN

Executive Overview
The combination of central Intel IT developed a new management and support structure for wireless
IT engineering expertise, a LANs (WLANs). We consolidated first-level support and centralized the WLAN

set of global guidelines, and a engineer workgroup as well as device management. We manage the WLAN as

centralized management platform an integrated service that enables centralized control of the WLAN, using global

allows us to deliver a highly tools for centralized monitoring, reporting, and configuration. This approach
provides all stakeholders with a common view of the components of the WLAN
available service with minimal
service and the network.
support staff.
Our centralized WLAN management system inventories and wireless adoption trends,
offers several benefits to IT. to IT and other Intel groups, supporting
informed business decisions.
• Increases efficiency. Previously, local
WLAN configuration changes required • Enables us to be supplier-independent.
five minutes per access point; the central The system’s simple user interface allows
WLAN management system reduces non-specialists to monitor and diagnose
this to just five minutes per building. simple WLAN problems without learning
Replicated across 150 sites, we can supplier- and equipment-specific commands.
greatly improve efficiency. We can add new equipment and OS versions
with minimal retraining of personnel.
Mike Mauch • Uses global configuration templates.
IT Manager, Intel IT Common templates apply to the entire Our WLAN management system is the first
global network, which enables us to wholly centralized managed service within Intel
Gary Veum efficiently make configuration changes, IT. The combination of central IT engineering
Network Specialist, Intel IT verify configurations, and monitor for expertise, a set of global guidelines, and a
unauthorized configuration changes. centralized management platform allows
us to deliver a highly available service with
Mario Vallejo • Enables reporting. Provides useful
minimal support staff.
WLAN Service Owner, Intel IT information, such as WLAN device
IT@Intel White Paper Managing a Global Wireless LAN

Contents BACKGROUND WLANs also pose some human-factor


management issues. First, Intel IT has a
Executive Overview............................. 1 Over the past decade, Intel has
relatively small number of people with WLAN
increasingly adopted Wi-Fi* technology
expertise; however, this small group must
Background. ........................................... 2 to support a highly mobile global
manage globally deployed devices. Also,
workforce, and employees have
Solution................................................... 2 we have traditionally monitored WLANs by
become reliant on it for office network
Implementing a Central WLAN region, with each site managing its own
connectivity. From an initial installation
Management System........................ 2 WLAN—which can lead to non-standard
of 250 access points (APs) in 2001,
Managing a Global Network............ 4 configurations and an unreliable user
the Intel network now includes
experience. Finally, our traditional approach
Providing Reports and Statistics. ... 7 wireless LANs (WLANs) at 150 sites in
to configuration and maintenance, which
Results................................................. 8 63 countries. While some sites have
involves updating or configuring each device
as few as two APs, one of our main
Conclusion. ............................................. 8 individually, is labor-intensive and prone to
campuses has 480 APs that provide
user errors.
Acronyms................................................ 8 continuous coverage over 2.6 million
square feet. We needed a new approach to WLAN
management that enabled us to efficiently
Intel’s WLAN currently supports about 80,000 deal with the technical challenges while
employees worldwide, with more than 32,000 making the best use of our WLAN
individual clients connecting simultaneously engineering resources.
every day. Employees appreciate how easy
and convenient it is to connect to the Intel
network through the WLAN. SOLUTION
Although WLANs are an excellent productivity Intel IT has implemented a distributed
tool, they present several unique technical wireless infrastructure that uses
management challenges compared to LANs: multiple designs and suppliers.
• Intel IT must support multiple WLAN To support this infrastructure, we
generations, architectures, and suppliers. developed a new philosophy focused on
managing the WLAN as a service, not as
• As WLAN clients move, they must be able to
a collection of disparate components.
seamlessly connect on different floors and
Our WLAN management system is
in different buildings and Intel locations.
the first wholly centralized managed
• WLAN connectivity is dependent on service within our organization.
user authentication with our Remote
Authentication Dial-In User Service Because WLAN expertise is a highly
(RADIUS) system and corporate directory specialized skill, building a central monitoring
services, which adds a layer of complexity. and management structure makes the best
IT@INTEL • Disturbances in radio signal propagation
use of our WLAN resources while also cutting
IT@Intel is a resource that enables IT support costs. Our WLAN engineers can
cannot be easily seen or measured, but
professionals, managers, and executives quickly view deployed WLAN devices and
to engage with peers in the Intel IT instantly affect users. Calls to the Service
specific details on individual users worldwide.
organization—and with thousands of Desk are often the first indication that a
other industry IT leaders—so you can problem exists.
gain insights into the tools, methods,
Implementing a Central WLAN
• We cannot track WLAN clients by the port
strategies, and best practices that are Management System
to which they connect, as their connection
proving most successful in addressing Our central WLAN management system uses
points change as they roam. Therefore, the
today’s tough IT challenges. Visit us a main console and management server
traditional method of LAN management—
today at www.intel.com/IT or contact clusters to monitor and control our global
managing ports—is not sufficient for WLANs.
your local Intel representative if you’d WLAN, as shown in Figure 1.
like to learn more.

2 www.intel.com/IT
Managing a Global Wireless LAN IT@Intel White Paper

Central access to the WLAN management INDEPENDENT OF SUPPLIERS, EQUIPMENT Because our central WLAN management
Web interface allows valuable WLAN MODELS, AND ARCHITECTURES system is supplier-independent, if we determine
expertise to be applied across the entire Our central WLAN management system that a new supplier’s WLAN equipment offers
network. Because the WLAN depends on can accommodate multiple connectivity advantages, we can add that new equipment
many technologies and components, it is standards, suppliers, generations of with minimal retraining of those responsible
critical to give support engineers an end-to- equipment, and architectures, as shown for monitoring or troubleshooting the WLAN.
end view of all functionality. in Figure 2. The management view of the network remains
unchanged for the support engineers.

Master Console

Administrator
Connects to master console
or any individual server

Server 1 Server 2 Server 3 Server 4 Server 5 Server 6 Server 7

Americas Europe Asia


Access Points (APs) and APs and APs and
Wireless LAN (WLAN) Controllers WLAN Controllers WLAN Controllers

Figure 1. All network functions are routed through management server clusters to the central wireless LAN (WLAN) console.

Wireless LAN (WLAN) Network


Management Servers
High-level Management Interface
• Service Owner and WLAN Engineering View
• Network Operations View
• Service Desk View

Site A Site B
Autonomous Access Points
WLAN Controller
(no controller)

802.11g 802.11a 802.11n

Access Access Access Access Access Access


Point Point Point Point Point Point
Supplier A Supplier B Supplier C Supplier D Supplier E Supplier F

Figure 2. Our system supports multiple suppliers, architectures, and connectivity standards. All network activity is routed to a single set of management servers.

www.intel.com/IT 3
IT@Intel White Paper Managing a Global Wireless LAN

DEVICE CONNECTION The central WLAN management system troubleshoot issues. Previously, identifying a
Each WLAN device on the network is organizes geographic sites into folders. user’s WLAN controller and AP could take 15
connected to the network manager using It is possible to set permissions so that minutes or more when the support engineers
Simple Network Management Protocol some regional network engineers can make had to connect to WLAN devices directly, but
(SNMP), Telnet, and/or Secure Shell (SSH), changes to only certain sites, although they with the central WLAN management system
and sends status updates through SNMP can see all sites. it takes just a minute or two.
trap alerts. We use SNMP to retrieve most If the Service Desk’s first-level support Support engineers can also use the WLAN
software and configuration information, team cannot resolve a problem they feel management tools to isolate issues for more
although some information requires using SSH resides in the WLAN infrastructure, the team accurate escalation. For example, a problem
and a command-line interface (CLI). Software escalates a trouble ticket to the network with authentication may involve the client,
upgrades and configuration changes use the operations group—a team of individuals a configuration issue, RADIUS, or even the
same combination of CLI and SNMP. who are the point people for day-to-day WAN. Support engineers can now diagnose
WLAN installations, management, and the problem’s subsystem and subsequently
SERVER REQUIREMENTS troubleshooting. If network operations needs escalate the problem to the correct specialist
WLAN management software is processor- assistance, they in turn escalate to the support group.
and RAM-intensive, so we refreshed our service owner, who is also responsible for
The system also helps first- and second-level
management servers to use Intel® Xeon® training, planning, and new deployments. The
support engineers close the greatest number
processor X5570. Taking advantage of this WLAN engineering team is the final step
of tickets possible, rather than escalate. Tool
processor’s built-in intelligent performance within Intel IT; however both the service
usage data indicates that support engineers,
and power management features enables us owner and WLAN engineering can open
as well as the service owner and WLAN
to regulate power consumption and minimize tickets with WLAN suppliers if necessary.
engineering team involved in escalations, now
the number of servers needed to run the
On average, from the almost 200 trouble depend on the WLAN central management
management software.
tickets that the Service Desk opens annually, to view user connection details and historical
only 3 to 5 percent are escalated to the service associations when dealing with a new
Managing a Global Network owner and WLAN engineering. Out of this 3 to problem—a trend that does not occur for all
The WLAN is Intel IT’s only centrally
5 percent, we further escalate about 5 percent Intel IT management consoles.
managed global network service. Other
of tickets to suppliers for additional support.
services have local management systems We plan to enhance the interface to the
or none at all. Additionally, the WLAN is trouble ticket system by providing a quick
SERVICE DESK method to cut and paste information for use
the only service that provides an instant
From the global scope and comprehensive in trouble tickets.
inventory, with all components, switches, and
network view that the central WLAN
APs enumerated on one screen and easily
management system provides, Service Desk Solving connectivity issues
available for detailed reports.
engineers can determine whether their current The most common WLAN-related Service
Role-based administration of the central ticket is an isolated instance or part of a Desk calls at Intel are related to connectivity
WLAN manager allows for multiple views wider pattern. issues. The central WLAN management
of the WLAN:
Additionally, the system’s global search system is especially helpful in diagnosing
• Global Service Desk engineers engine and graphical data representation help WLAN connectivity problems, as it provides
• Regional network engineers, who engineers identify a user’s location, media a view of all supporting systems. Figure 3
provide installation, day-to-day support, access control (MAC) address, client machine shows an example of a diagnostic screen
and alert consolidation information, current AP and roaming history, after a user reported poor performance. The
and other relevant information. The ability root cause was initially unclear, and neither
• High-level users, including the WLAN
to capture this information quickly, with a the client software nor the WLAN controllers
management group, WLAN engineering,
minimum of user interaction, has improved were able to provide any data pointers to help
and the service owner
the ability of Service Desk engineers to with troubleshooting.

4 www.intel.com/IT
Managing a Global Wireless LAN IT@Intel White Paper

However, the WLAN central management a local support engineer, who must find the Host Configuration Protocol (DHCP), and
system showed the client AP association rogue AP. The accurate location on a floor our Domain Name System (DNS), it is often
history and the low signal levels at which plan of each rogue AP helps the local person, difficult to determine the root cause of
the user was connecting. The support who may not be an IT engineer and therefore problems. In many cases, a single problem
engineer was then able to recommend that may not readily recognize Wi-Fi devices, find causes multiple alerts that obscure the
the radio frequency (RF) power levels of the the offending APs. original outage, and false alerts are also a
existing APs needed to be increased and problem. The central WLAN management
that 802.11a radios needed to be added Managing alerts screen consolidates related alerts so they can
to the existing APs due to the excessive Because the WLAN is dependent on so be double-checked for accuracy.
interference in the 2.4 GHz band from APs many subsystems, such as RADIUS, Dynamic
in surrounding buildings.

Managing rogue access points Diagnostics for 00:21:5C:85:BD:0B


Rogue APs—users turning on unauthorized
Possible Issues
APs within an Intel building or plugging
into an Ethernet wall jack—are also a Issue Ideal Actual
Low signal quality: >=20 27
significant problem.
Excessive roaming in last two hours: <=10 roams 0
High user bandwidth: <=50% of radio capacity 318 kbps (0.13%)
Most enterprise WLAN equipment can be set
Unauthenticated user: Authenticated EAP
up to detect rogue APs, but several issues High user load on AP/radio: <=15 14
make removing these information security High AP/radio bandwidth: <=75% of radio capacity 1670 kbps (0.67%)
threats time-consuming. First, many false 802.11b users associated to 802.11bg radio: None 1
802.11bg or 802.11a users associated to 802.11n radio: None 1
alerts are generated in cases where smaller
High FCS error rate: <=100 0
Intel offices are adjacent to other buildings
in which tenants run their own WLANs. Diagnostic Summary
Also, several Intel development and quality-
Current Last Hour Last 2 Hours Last 4 Hours
assurance groups use Wi-Fi in the course of
User Bandwidth 318 kbps (0.13%) 318 kbps (0.13%) 318 kbps (0.13%) 318 kbps (0.13%)
their daily work but outside Intel IT’s control. Radio Bandwidth 1670 kbps (0.67%) 1722 kbps (0.69%) 2533 kbps (1.02%) 3314 kbps (1.34%)
AP Bandwidth 1672 kbps (0.34%) 1724 kbps (0.35%) 2535 kbps (0.51%) 3315 kbps (0.67%)
Our solution is to apply a set of tests to
Radio User Count 6 7 7 8
determine whether the unknown AP is AP User Count 14 14 14 14
indeed connected to an Intel LAN and to Signal Quality 27 36 38 51

filter out authorized equipment. To assist


in this process, we use an Intel intranet Current User Counts

site that allows lab Wi-Fi users to register User Count on AP User Count on Radio
a cohabitation agreement, allowing them 802.11g 6 0
to use certain RF channels and service set 802.11n (5 GHz) 5 5
802.11a 1 1
identifiers (SSIDs). Local support engineers
802.11b 1 0
validate cohabitation agreements, which are Total 13 6
valid for 12 months, and the appropriate
information is electronically exported to the AP Information
central WLAN management system. Name: AL1
Uptime: 10 days 21 hrs 20 mins
Once the rogue AP list has been limited
Location: -
to suspicious devices, the central WLAN Type: Model X
management system applies simple filtering Controller IP Address: XX.X.X.XXX

rules, such as signal strength levels, and


identifies the source of transmissions on a Figure 3. The wireless LAN (WLAN) management system diagostics screen enables Service Desk
building floor plan, which is then e-mailed to engineers to quickly pinpoint the cause of connectivity problems.

www.intel.com/IT 5
IT@Intel White Paper Managing a Global Wireless LAN

Alerts are escalated from the central WLAN configuration control and global inventory
Trigger
management system to the Service Desk management as well.
Type: AP User Count
central event console—the point at which
Severity: Normal
Normal LAN, WAN, RADIUS, DHCP, WLAN, and other Limiting the number of standard designs
Duration: Warning
Minor
alerts are consolidated and parsed. Our WLAN design was developed by the
e.g. ‘15 minutes’,
‘45 seconds’, ‘1 hr 15 mins’ Major WLAN engineering group and is based on
Critical WLAN alerts are crucial to enabling the WLAN
four evolving WLAN generations. Limiting
Conditions support engineers to respond to WLAN
the number of standard designs allows
Available Conditions: User Count issues before they affect users. For example,
the engineering team to thoroughly test
if too many users are connected to one AP,
Add New Trigger Condition and understand each design prior to site
performance can degrade rapidly. To avoid
installations. Troubleshooting is easier, too,
this scenario, the central WLAN management
Option Condition Value because we have instituted a global set of
system can send out an alert if more than
User Count >= 25
configuration parameters.
25 users connect to an AP, as shown in
Figure 4. The network team can then Table 1 summarizes our current WLAN
Trigger Restrictions
evaluate AP coverage in that area and add design. Although we are transitioning to the
Folder: Top
an additional AP if needed. This proactive 802.11n standard, we manage the current
Include Subfolders: Yes No
approach minimizes support calls and three designs simultaneously because it
Group: - All Groups
increases user confidence in the WLAN. would be cost prohibitive to upgrade all
Alert Notifications sites whenever a new design is introduced.
Another important type of alert relates
Additional Notification Email Our central WLAN management system
Options: NMS to information and network security. Our
enables us to efficiently and successfully
Select All - Unselect All
central WLAN management system collects
manage several designs because it provides
WLAN user information that is then stored
NMS Trap Destinations: XX.XX.X.X a consolidated view of the entire WLAN,
in our configuration management database.
Select All - Unselect All including all equipment and software.
If suspicious activity is detected on the
Sender Address: network, operations can monitor the time
Centralizing revision control
Enter multiple email addresses of the form and origin of connection. If the suspicious
user@domain separated by spaces, commas, Managing three designs at the same time
or semicolons.
activity is related to a specific file, the user’s
can cause difficulties, because each design
historical record shows the amount of data
Recipient Email Addresses: is subject to its own operational bugs,
downloaded, which can then be tied to the
upgrade requirements, and hardware revisions.
size of the suspicious file.
Centralizing revision control allows at-a-glance
Logged Alert Visibility: verification of the many different components
STANDARD SITE DESIGN AND
underlying each configuration model, whether
Suppress Until Acknowledged: CHANGE MANAGEMENT
we are installing a new WLAN site or making
A global management system is a
revisions to an existing site.
requirement not just for our global WLAN
support organization, but for revision and
Figure 4. Specific situations trigger the
wireless LAN (WLAN) management system Table 1. Standard Intel IT Wireless LAN (WLAN) Designs
to generate automatic alerts, supporting
proactive problem management. Generation Variations
2 • Supplier A’s autonomous access point (AP) model using 802.11g with 802.1x, with no WLAN controller

3 • Supplier A’s AP model using 802.11a/g with WLAN controller


• Supplier B’s AP model using 802.11a/g with WLAN controller

4 • Supplier A’s AP model using 802.11a/g/n with WLAN controller

6 www.intel.com/IT
Managing a Global Wireless LAN IT@Intel White Paper

36
Peak Demand
30 Off-Peak Demand
Users in Thousands

24

18

12

0
January March May July September November January

Figure 5. Usage reports can highlight where the wireless LAN (WLAN) is congested. For illustrative purposes only.

• New WLAN sites. The final step in Centralized WLAN management has also Engineers who spend more time trouble-
commissioning a new WLAN site is to enabled us to implement standard templates shooting WLAN issues take the WLAN
add the devices to the central WLAN for operational configuration. Rather than supplier’s, installer’s, or maintainer’s courses,
management system. Registration with setting parameters locally at the AP, the as appropriate. They also receive a four-hour,
and verification by the central WLAN template resides on the central WLAN instructor-led course on the central WLAN
management system allows the WLAN management server and all changes are management system.
service owner to check the configuration programmed and enforced network-wide.
Both training courses specifically address two
against the standardized configuration and The system’s auto-repair application runs
issues that can be problematic:
design. The system flags discrepancies overnight, checking that site configurations
for correction. Registration is the critical have not been changed locally. This • Timestamps. To provide global support,
difference between autonomous and central synchronizes sites with the templates and all timestamps must be consistent. The
control, and forces compliance checks that discourages local reconfiguration; changes system sets all timestamps to Greenwich
might otherwise be circumvented. not made through the central management Mean Time (GMT), which can be confusing
system are automatically reversed. to local support teams at first.
• Existing WLAN sites. We manage
software revisions centrally, using • Mindset. Engineers need to become
the network manager’s subsystem to TRAINING SUPPORT ENGINEERS accustomed to using a remote network
schedule and update each site and deliver We offer in-house training to support manager to obtain information from a
reports showing snapshots of all sites engineers and also encourage them to take local WLAN controller
and current revisions. This has allowed training courses from suppliers.
revision management to become a routine, Providing Reports and
We developed a two-hour, self-paced, Web-
controlled process rather than a highly based course for people who use the WLAN
Statistics
cumbersome engineer-intensive and management system infrequently and don’t The central WLAN management system
error-prone exercise. need comprehensive information. This course collects and summarizes WLAN usage
is targeted for management station views statistics, allowing support engineers
Prior to implementing the central WLAN
of the network rather than the intricacies of to easily prepare reports on bandwidth
management system, even a minor
each WLAN controller or AP type. The course utilization, simultaneous users, and usage
configuration update could take five minutes
uses an intuitive user interface and a simple trends. One trend is shown in Figure 5.
per AP. But our central WLAN configuration
reduced this to only five minutes per building. conceptual management model independent WLAN statistics are also useful to other
Replicated over 150 sites, this represents a of the underlying hardware generation. groups at Intel:
considerable potential for savings.

www.intel.com/IT 7
• Several teams have asked for wireless • Improved network security with easy
adoption trends, turning to Intel IT for access to user connection data. ACRONYMS
indicative statistics. • Ability to quickly troubleshoot WLAN issues, AP access point
• Site inventory reports are used frequently, regardless of where they occur geographically. CLI command-line interface
providing the number of APs or controllers • Ability to proactively resolve WLAN issues DHCP Dynamic Host Configuration
of a particular type or model. before they affect WLAN users. Protocol
• When planning upgrade cycles, the service • Ability to obtain a holistic view of overall DNS Domain Name System
owner can determine how many sites are WLAN health. GMT Greenwich Mean Time
running each WLAN model, allowing each
MAC media access control
site to make informed financial decisions
and use their resources effectively. RADIUS Remote Authentication Dial-In

• Inventory reports provide a list of CONCLUSION User Service


RF radio frequency
equipment in service, helping to identify From just a few access points in 2001,
equipment that has been replaced and can SNMP Simple Network Management
Intel’s WLAN has grown to support
Protocol
be removed from the appropriate supplier about 80,000 mobile employees at
maintenance contract. 150 sites worldwide. We manage SSH Secure Shell
the WLAN as an integrated service SSID Service Set Identifier
Results characterized by a set of global tools, WLAN wireless LAN
Our central WLAN management system has centralized monitoring and reporting,
the potential to significantly reduce the time and centralized control of the WLAN,
and effort we spend on WLAN configuration which provides all stakeholders with
updates—from five minutes per AP previously a common view of the components of
to five minutes per building now. We can the WLAN service and the network
realize substantial savings by replicating this
efficiency across 150 sites. To support this service model, we rigorously
centralized management of all WLAN
Other benefits of the central WLAN
installations and adopted enforceable global
management system include:
templates for configuration models. The
• Supplier independence—we can add new system’s simple user interface allows non-
equipment with minimal retraining specialists to monitor and diagnose simple
of engineers. WLAN problems without learning supplier-
• Ability to push equipment configuration and equipment-specific commands.
changes globally. The combination of central IT engineering
• Ability to track WLAN assets by serial expertise, a set of global guidelines, and a
numbers and locations, which helps centralized management platform allows
maintain accurate inventory data. us to deliver a highly available service with
minimal support staff.

This paper is for informational purposes only. THIS DOCUMENT IS Intel, the Intel logo, and Xeon are trademarks of Intel Corporation in the
PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER, INCLUDING U.S. and other countries.
ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS
* Other names and brands may be claimed as the property of others.
FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE
ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Intel Copyright © 2010 Intel Corporation. All rights reserved.
disclaims all liability, including liability for infringement of any proprietary
rights, relating to use of information in this specification. No license, express Printed in USA Please Recycle
or implied, by estoppel or otherwise, to any intellectual property rights is 0410/JLG/KC/PDF 322971-001US
granted herein.

You might also like