Wi-Fi is a Passion


Designing for Branch offices

When designing for a branch office, you need to implement WAN connections, VPNs, and authentication services.

WAN connection
There are three types of WAN connections: a leased line, an internet-based connection, or a wireless bridge. Leased lines carry monthly fees, and the faster the connection needs to be, the higher the cost. A leased line is a dedicated link between the HQ and the branch office, so no local internet access is needed. With an internet-based connection the cost is lower, but you need a VPN for security, since the traffic to the HQ crosses the public internet. With a wireless bridge, the connection between the HQ and the branch office is made over the air. I have written another blog about designing for Mesh and bridge links.

Since you are using the internet, you might not get the throughput you expected. Check whether the uplink and downlink speeds are symmetric. Most of the time branch offices download more than they upload: they send a request for data to the servers located in the HQ, and the server sends the large response back to the branch office.

With a VPN, you need to decide between full tunneling and split tunneling. Split tunneling means that data destined for the internet leaves locally via the branch's own internet connection, while only data for the HQ goes through the tunnel. The disadvantage is that any filters you have between the HQ and the internet need to be in place at every branch office as well, since each branch has a local breakout for internet traffic.

AP selection and configuration
I already have a blog about this in general; however, with branch offices it is a little different. You can have a local wireless LAN controller at the branch office, but you also see solutions like HREAP or similar protocols: client traffic is switched locally while the management/control traffic is tunneled over the WAN link to the HQ. Authentication can be done locally when the controller is not available, and the client data can be tunneled across the WAN link as well if required.

The operating states Cisco defines for such access points:
Central authentication, central switching – Everything is handled centrally. Both the authentication and the client data are tunneled to the controller in the HQ or a datacenter.
Central authentication, local switching – The authentication is done on the central controller, and the data packets are switched locally. Once the client is authenticated, the controller instructs the access point to switch that client's traffic locally.
Local authentication, local switching – This is the standalone mode. Authentication and data packets are handled locally by the access point.
Authentication down, switching down – The controller is unreachable and the data cannot be switched locally: the access point disassociates all the clients and does not send any beacon or probe request frames.
Authentication down, local switching – New clients are rejected, but the currently associated clients are kept alive and their data is switched locally.

In connected mode, the controller does not have the following information from the access point:
- Policy Type
- Access VLAN
- VLAN name
- Supported rates
- Encryption cipher

Authentication Services
With branch offices it is a risk not to implement a local RADIUS and LDAP server. When the WAN link is down and those services are not installed locally, no new authentications can be done.

If you do not install them locally, you can install a RADIUS proxy at the branch office and rely on a remote RADIUS server at the HQ. Another option is a remote RADIUS server reached directly over the WAN link. In both cases the WAN adds latency to every authentication, which interferes with roaming. In that situation a local SSID with a PSK should be used for the voice clients.
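To make the operating states above and this authentication-service trade-off concrete, here is an added example (not from the original post or any vendor tool) that models, for a constructed branch-office SSID design, which state each SSID falls into when the WAN link fails and whether new or existing clients survive. The SSID names, the `auth`/`switching` values and the simplified state mapping are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed model of the HREAP-style states described above; the
# field values and the mapping are illustrative assumptions, not a vendor API.

@dataclass
class Ssid:
    name: str
    auth: str       # "psk", "dot1x-local" (branch RADIUS), "dot1x-central" (HQ RADIUS)
    switching: str  # "central" or "local"

def hreap_state(ssid: Ssid, wan_up: bool) -> dict:
    """Derive the operating state of one SSID at the branch access point.

    Returns the state name plus whether new clients can join and whether
    already-associated clients are kept. While the controller is reachable it
    always performs authentication; when the WAN is down, only SSIDs that need
    nothing from the HQ (PSK or a branch-local RADIUS) keep accepting clients.
    """
    if wan_up:
        if ssid.switching == "central":
            return {"state": "Central authentication, central switching",
                    "new_clients": True, "existing_clients": True}
        return {"state": "Central authentication, local switching",
                "new_clients": True, "existing_clients": True}
    # WAN down: the controller is unreachable.
    if ssid.switching == "central":
        # No path for client data at all: the AP drops every client on this SSID.
        return {"state": "Authentication down, switching down",
                "new_clients": False, "existing_clients": False}
    if ssid.auth == "dot1x-central":
        # Data still flows locally, but nobody new can authenticate via the HQ.
        return {"state": "Authentication down, local switching",
                "new_clients": False, "existing_clients": True}
    # PSK or local RADIUS plus local switching: the AP works standalone.
    return {"state": "Local authentication, local switching",
            "new_clients": True, "existing_clients": True}

def wan_outage_report(ssids: list) -> dict:
    """Map each SSID to its behaviour during a WAN outage."""
    return {s.name: hreap_state(s, wan_up=False) for s in ssids}

# Constructed design: corporate 802.1X SSID authenticated at the HQ, a guest
# SSID switched centrally, and a voice SSID with a local PSK as recommended.
BRANCH = [Ssid("corp", "dot1x-central", "local"),
          Ssid("guest", "psk", "central"),
          Ssid("voice", "psk", "local")]

if __name__ == "__main__":
    for name, r in wan_outage_report(BRANCH).items():
        print(f"{name}: {r['state']} (new={r['new_clients']}, kept={r['existing_clients']})")
```

Running it shows that only the voice SSID keeps accepting new clients during the outage, which is exactly why a locally authenticated SSID is needed for roaming voice devices.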