Wired Network Best Practices
AP Power Requirements
Not all WatchGuard APs have the same power requirements. Some models, such as the AP125 or AP225W, are fully functional with standard Power over Ethernet (PoE, 802.3af). For most deployments, we recommend you install switches that support PoE+ (802.3at), even if you currently do not have plans to deploy an AP that requires PoE+. The use of PoE+ switches enables you to support Wave 2 APs.
Model | Description | Recommended Use | Power | Notes |
---|---|---|---|---|
AP120 (Legacy model) | Dual radio, 802.11ac Wave 1, 2x2, Indoor | Low density / throughput areas | PoE | Fully functional with PoE |
AP320 (Legacy model) | Dual radio, 802.11ac Wave 1, 3x3, Indoor | Medium to high density / throughput areas | PoE | Fully functional with PoE |
AP322 (Legacy model) | Dual radio, 802.11ac Wave 1, 3x3, Outdoor | Outdoors | PoE+ | Requires PoE+ |
AP125 | Dual radio, 802.11ac Wave 2, 2x2, Indoor | Low density / throughput areas | PoE | Fully functional with PoE |
AP225W | Tri-radio, 802.11ac Wave 2, 2x2, Indoor, Wall plate | Low / medium density / throughput areas | PoE | Fully functional with PoE |
AP325 | Tri-radio, 802.11ac Wave 2, 2x2, Indoor | Low / medium density / throughput areas | PoE+ | Requires PoE+ |
AP327X | Dual radio, 802.11ac Wave 2, 2x2, Outdoor | Outdoors | PoE+ | Requires PoE+ |
AP420 | Tri-radio, 802.11ac Wave 2, 4x4, Indoor | High density / throughput areas | PoE+ | Requires PoE+ |
AP325 and AP420 models must use full PoE+ power or be connected to a power adapter for the third WIPS scanning radio to be fully effective. Lower PoE power results in reduced performance and effectiveness of WIPS scanning and intrusion prevention functions.
In addition, make sure that LLDP-capable switches provide appropriate PoE+ power for APs:
- Enable LLDP on the switch
- Disable static allocation of the maximum power of 30 W (if previously configured)
For more information, see WatchGuard APs and PoE+ power with switches and LLDP.
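The power rules above can be checked against a switch-port inventory. The following is an added example, not WatchGuard code: the record fields (`allocated_w`, `lldp`, `static_30w`, `adapter`), the finding codes, and the sample ports are constructed for illustration, and the 15.4 W threshold is the 802.3af per-port limit.

```python
# Added example: audit switch ports against the AP power table on this page.
POE_W = 15.4  # 802.3af (PoE) per-port limit in watts; 802.3at (PoE+) is 30 W

# Power requirement per AP model, taken from the table above.
REQUIRED = {
    "AP120": "PoE", "AP320": "PoE", "AP125": "PoE", "AP225W": "PoE",
    "AP322": "PoE+", "AP325": "PoE+", "AP327X": "PoE+", "AP420": "PoE+",
}
# Models whose third (WIPS scanning) radio needs full PoE+ or a power adapter.
WIPS_RADIO = {"AP325", "AP420"}

# Constructed sample inventory (hypothetical fields, not a real switch export).
SAMPLE_PORTS = [
    {"port": "sw1/1", "model": "AP125", "allocated_w": 15.4,
     "lldp": False, "static_30w": False, "adapter": False},
    {"port": "sw1/2", "model": "AP420", "allocated_w": 15.4,
     "lldp": False, "static_30w": False, "adapter": False},
    {"port": "sw1/3", "model": "AP325", "allocated_w": 30.0,
     "lldp": True, "static_30w": True, "adapter": False},
    {"port": "sw1/4", "model": "AP420", "allocated_w": 0.0,
     "lldp": False, "static_30w": False, "adapter": True},
    {"port": "sw1/5", "model": "AP322", "allocated_w": 25.5,
     "lldp": True, "static_30w": False, "adapter": False},
]

def audit_port(p):
    """Return the list of finding codes for one port record."""
    need = REQUIRED.get(p["model"])
    if need is None:
        return ["UNKNOWN_MODEL"]
    if need == "PoE" or p["adapter"]:
        return []  # standard PoE suffices, or the AP has its own power adapter
    findings = []
    if p["allocated_w"] <= POE_W:        # port delivers only standard PoE
        findings.append("UNDERPOWERED")
        if p["model"] in WIPS_RADIO:     # scanning radio not fully effective
            findings.append("WIPS_DEGRADED")
    if not p["lldp"]:                    # LLDP must be enabled on the switch
        findings.append("LLDP_DISABLED")
    if p["static_30w"]:                  # static 30 W allocation should be off
        findings.append("STATIC_30W")
    return findings

def audit(ports):
    """Map port name -> findings, listing only ports that have findings."""
    report = {}
    for p in ports:
        findings = audit_port(p)
        if findings:
            report[p["port"]] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit(SAMPLE_PORTS).items():
        print(port, ", ".join(findings))
```

A `WIPS_DEGRADED` finding marks the ports to fix first, because those APs are running with reduced intrusion prevention coverage.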
AP Uplink Capacity
In lab tests, the dual band throughput of 802.11ac Wave 1 APs has exceeded 1 Gbps. The maximum theoretical data rate in the 5 GHz band is 1.3 Gbps (802.11ac 3x3). In the 2.4 GHz band (802.11n 3x3) it is 450 Mbps.
In production, throughput rarely exceeds the 1 Gbps barrier. With Wave 2 APs, such as the AP420, which supports 4 spatial streams with a combined maximum data rate of 2.3 Gbps (1.7 Gbps for 5 GHz and 600 Mbps for 2.4 GHz), it is likely that throughput in a production environment can exceed the 1 Gbps barrier in some use cases.
Link Aggregation
WatchGuard recommends that you enable link aggregation in a device template so that you can connect two Ethernet cables between each supported AP and a compatible switch that has link aggregation enabled. The AP can then load balance upstream traffic across an aggregated 2 Gbps connection. Both links should use Cat6 Ethernet cabling.
AP Cabling
At a minimum, 802.11ac APs require Cat5e cables.
For fully 802.11ac Wave 2 deployments, we recommend that you deploy Cat6a cables because Wave 2 APs have Ethernet ports that support rates greater than 1 Gbps.
Cable Category Reference

Cable Category | Max Data Rate | Bandwidth | Max Distance (Meters) | Max Distance (Feet) |
---|---|---|---|---|
Cat 5 | 100 Mbps | 100 MHz | 100 Meters | 328 Feet |
Cat 5e | 1 Gbps | 100 MHz | 50 Meters | 164 Feet |
Cat 6 | 10 Gbps | 250 MHz | 50 Meters | 164 Feet |
Cat 6a | 10 Gbps | 500 MHz | 100 Meters | 328 Feet |
Cat 7 | 10 Gbps | 600 MHz | 100 Meters | 328 Feet |
Access Network Uplink
You must correctly design the switching infrastructure to take full advantage of the increased throughput capacity of 802.11ac APs. To make sure that there are no network bottlenecks, you must correctly size the network from the access and distribution switches to the core switch.
Here is a summary of the recommended uplink capacities for 802.11ac wireless networks:
- 1 Gbps for Wave 1 APs to the access/edge switch
- Consider 2 x 1 Gbps for Wave 2 APs to the access/edge switch
- 10 Gbps from the access switch to the distribution switch
- Consider dual-homed/redundant 10 Gbps uplink between the access and distribution switches
- Multi-homed/redundant 10 Gbps between core switches
VLAN Design
With WatchGuard Wi-Fi Cloud, it is not necessary to tunnel traffic through VLANs to a wireless controller located in the core of the network. This enables you to configure VLANs at the access switch layer of the network.
In this example, each building has a unique VLAN configured for SSID-1. You can restrict a VLAN to a single building to reduce the amount of broadcast and multicast traffic in the VLAN, and enable seamless roaming in the building.
Jumbo Frames
With the enhanced frame aggregation capabilities in the 802.11ac standard, the switching network must support jumbo frames to benefit from frame aggregation. If Jumbo Frame support is not enabled end-to-end in your network, fragmentation can occur in the network path, which can adversely affect performance.
Summary of Wired Network Recommendations
This table provides a summary of the recommendations for your wired network.
Feature | Minimum | Recommended | Notes |
---|---|---|---|
AP Power | PoE | PoE+ | AP322, AP325, AP327X, and AP420 devices require PoE+. LLDP enabled on switches to ensure PoE+ connectivity |
AP Uplink Capacity | 1 Gbps | Consider 2 x 1 Gbps for link aggregation | |
Ethernet Cabling | Cat5e | Cat6a | |
Access Network Uplink Capacity | 10 Gbps | 2 x 10 Gbps | Multi-homed / Fault Tolerant |
VLAN Design | Wireless network VLANs on access switches | Route at the distribution layer | |
Jumbo Frames | A-MPDU and A-MSDU frame aggregation enabled on APs | Enable support for Jumbo Frames throughout the entire switching infrastructure | |
QoS | Make sure all switches, from access switches to core switches, honor QoS tags | Deploy switches and routers that support Application Visibility and Control (AVC) | |