Early one morning, I came into the office, filled my coffee cup and started looking through the network issues that happened while I slept. Interesting…an issue with wireless connectivity for users across our campus. Clients were experiencing high latency connecting to corporate resources, phone calls were failing on softphones, and browsers were timing out trying to connect to the Internet. What caught my eye that morning—and is the reason I’m writing this article—was an email from one of the service desk technicians.
“We’re troubleshooting this wireless issue, but I can’t seem to find 10.131.64.45 or 10.131.65.200 anywhere in the building. Can you tell me where these subnets are located?”
These were the two hosts initially reporting the problem and the service desk focused on them. That is fine to help isolate problem domains but not knowing where subnets were assigned wasn’t good. Not only did that mean our documentation was lacking, but it also meant there were some presuppositions that needed to be clarified regarding IP address allocation within the wireless architecture.
Architecture Overview
Your address plan should be created in conjunction with your wireless design. Wireless APs within your four-building campus, managed by controllers in your off-campus data center, will have address allocation considerably different from a global environment with controllers in each office. Additionally, forcing all wireless traffic through a tagged VLAN on your centrally located controllers rather than dumping traffic local to the end-user LAN changes the plan and troubleshooting methods.
As I work through an address plan for wireless, I approach it in IP address-to-User ratios based on SSID function and region. Sound odd? Follow me on this.
- Corporate-user SSID: Most corporate users have a laptop, company-issued cell phone and maybe a tablet. Expect that each of those devices will connect to the wireless network simultaneously each consuming an IP address. If there are 400 employees in the campus connecting to that SSID, you’ll need at least a 4:1 ratio for coverage. In this example, that’s 1,600 addresses so you should reserve a /21.
- Vendor SSID: For your vendor guests giving presentations, you can expect each user will have a laptop and a mobile phone (2:1 ratio). How frequently these guests show up to your office is something for you to investigate but plan for an average of one-hour meetings. Add an additional 30 minutes to that time, shorten the DHCP lease to avoid address exhaustion and you can avoid DHCP exhaustion. If you carved out a /24 you would likely have enough addresses. It would be hard to imagine a region hosting 255 simultaneous devices.
- Guest SSID: Guest access gets a little tricky. For the corporate environment I plan a similar ratio as I do vendor access. For the service industry—bars, restaurants and retail—I’ll consider only mobile devices, and maybe add a “point” for the occasional dude that is “working from home.” The nice thing about the service industry is you know the absolute maximum amount of bodies you must support. Look above the doorway and you’ll see the fire marshals required, “maximum occupancy” sign. If it’s 100 people, use a 1.5:1 ratio. That means a /24 would work for your operation.
The CIDR mask may change depending on how wireless traffic is offloaded to the local area network. When I mentioned the off-site controllers handling all the campus access points, you would likely need a complete /21 for 400 users with four devices. The situation changes if you offload that traffic locally to the building, though the address block may stay the same.
In that case, you may only need a /24 per building to service those DHCP needs and you take that from your supernet. It’s important to know the function, estimated device count and where wireless is offloaded on a per SSID basis when considering your address allocations.
Carving Out Space
When I start planning an address scheme in a brown field environment, I like to start with the existing IP address usage. Let’s use the medium-sized campus example. There is an off-site data center, but Wi-Fi traffic is offloaded to the wire closest to the client. Let’s further assume that there are five branch offices connected via a wide area network.
In the figure, I show IP address blocks in use for this example. For Wi-Fi, I would open a new block within the RFC 1918 space for wireless clients. Remember to keep your subnets within the natural CIDR boundaries so that your route lookups and summarization is optimal.
Within the campus you could expect 100 users per building and at a 4:1 ratio, that’s 400 IP addresses per building for your corporate wireless SSID. I would reserve a /23 for each building. Your WAN connected offices are a little smaller and a /24 would meet their needs, even at the device ratio we’re considering. With a remote data center, you wouldn’t expect a lot of wireless devices at one time. Planning a /25 with 126-usable addresses, or a /26 with 62-useable addresses would be enough for engineers needing to work in the data center.
I suggest utilizing address space outside the “normal” corporate wired network blocks. In the figure I showed usage within 10.0.0.0/8. If this were my network, I’d assign wireless to 192.168.0.0/16 or 172.16.0.0/12. When I log into a router to check routes, seeing the 172’s or 192’s in the route table immediately informs me these are wireless networks. It’s just one of those “hints” that help me with troubleshooting and I’ll take all the hints I can get at 3am!
This exercise obviously applies to IPv4. If you want to get ambitious, reserve and assign IPv6 address space for your Wi-Fi clients…then you only think about subnets rather than host IPs. But that’s another discussion.
Parting Thoughts
Some of these ratios won’t apply to your organization. I wouldn’t expect them to. What I’m trying to do in this article is give some ideas about proper planning. In my experience, improper planning causes large issues but is one that is most easily avoided.
I have worked in organizations that owned large swaths of non-RFC 1918 subnets which they used internally. You wouldn’t need to re-IP your data center for an unforeseen IP conflict. But I never wanted to burn that space for wireless. Using RFC 1918 blocks for wireless seemed like a good idea because it was easy to adjust in the event of an overlap and you conserved valuable IPv4 addresses. Your situation may vary, but the idea is still the same.
The troubleshooting problem at the beginning of this article related to a) offloading all wireless traffic in the data center rather than on the local LAN, b) junior staff assuming all subnets were /24’s, and c) poorly documented global address assignments. Your address plan needs to be thought out, documented, and flexible. Especially in the IPv4 space. If you’re adjusting your Wi-Fi infrastructure, have all the heat maps, all the BOMs, but leave address planning to chance and you’re hurting yourself and the guys who help fix problems.
Read My Other Blogs
Cutting the Cable: Where Do You Start?
Wireless Design: Turn up the Heat(map)
Voice over Wi-Fi Doesn't Have to Be Trouble
Understanding Wi-Fi Authentication
