This article expands on a Wireless Application Guidelines article providing an overview of EtherNet/IP operation in a wireless environment. It focuses on the networking and inter-networking configurations recommended to give the best chance of success.
1 VLAN and SSID Segmentation
Recommendations for a single VLAN / SSID topology are:
- The same VLAN should be used for all switch ports that connect APs with a common SSID (in other words, the same wireless application). This ensures Layer 2 roaming (within the same IP subnet) between the APs. Layer 3 roaming (between IP subnets) is not supported in the autonomous architecture.
- A dedicated VLAN for each wireless application is recommended, according to best practices for the Cell/Area zone VLAN segmentation.
Recommendations for a topology with multiple VLANs / SSIDs are:
- One SSID per AP radio and per channel is normally used for IACS applications. Multiple SSIDs on the same channel provide logical segmentation but still have to share the same amount of bandwidth.
- A separate radio channel in the 2.4 GHz band is preferred for operator and maintenance personnel access on a separate VLAN / SSID.
- A native VLAN should be used for the traffic to the AP management interface. This may be different from the native VLAN used for trunking between switches.
- WGBs should not be configured to use VLANs since they do not support VLAN tagging on the radio interfaces. WGB management traffic will be placed in the same VLAN in the wired infrastructure as the data traffic.
2 Wireless QoS
Traffic classification based on the DSCP field is recommended for more granular QoS policy.
Wireless QoS policy should follow the ODVA guidelines for the Layer 3 QoS field (DSCP) and the relative priority of the various types of IACS network traffic.
Wireless QoS parameters for radio interfaces should be configured as follows.
3 Wireless Security
WPA2 security with AES encryption is the only mechanism recommended for IACS wireless applications. AES encryption is implemented in hardware and does not significantly affect application performance.
MAC address authentication is not a secure method by itself since MAC addresses can be spoofed. It should only be used with other methods such as pre-shared key or 802.1X authentication.
WPA2-PSK is the most common method of authentication in WGB-based topologies.
EAP-FAST is the recommended 802.1X-based protocol for IACS wireless networks due to reduced complexity and support for local authentication.
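The segmentation and security recommendations above can be checked mechanically before deployment. The following is an added example, not part of the original article: a small audit over a constructed inventory, in which the device names, SSID, VLAN IDs and field names are all hypothetical.

```python
from collections import defaultdict

# Constructed inventory; device names, SSIDs and VLAN IDs are hypothetical.
INVENTORY = [
    {"name": "ap1", "role": "root", "radios": [{"channel": 36, "ssids": [
        {"ssid": "cell1", "vlan": 10, "wpa": "wpa2", "cipher": "aes", "auth": {"psk"}}]}]},
    {"name": "ap2", "role": "root", "radios": [{"channel": 40, "ssids": [
        {"ssid": "cell1", "vlan": 20, "wpa": "wpa2", "cipher": "aes", "auth": {"mac"}}]}]},
    {"name": "wgb1", "role": "wgb", "radios": [{"channel": 36, "ssids": [
        {"ssid": "cell1", "vlan": 10, "wpa": "wpa", "cipher": "tkip", "auth": {"psk"}}]}]},
]

def audit(devices):
    """Return (subject, finding) pairs for settings that break the recommendations."""
    findings = []
    vlans_by_ssid = defaultdict(set)  # SSID -> wired VLANs used by root APs
    for dev in devices:
        for radio in dev["radios"]:
            if len(radio["ssids"]) > 1:
                findings.append((dev["name"],
                                 f"channel {radio['channel']} carries several SSIDs sharing its bandwidth"))
            for s in radio["ssids"]:
                subject = f"{dev['name']}/{s['ssid']}"
                if dev["role"] == "wgb":
                    # WGBs do not support VLAN tagging on the radio interface.
                    if s.get("vlan") is not None:
                        findings.append((subject, "WGB configured with a VLAN"))
                else:
                    vlans_by_ssid[s["ssid"]].add(s.get("vlan"))
                if (s["wpa"], s["cipher"]) != ("wpa2", "aes"):
                    findings.append((subject, "not WPA2 with AES"))
                # MAC authentication needs PSK or 802.1X alongside it.
                if "mac" in s["auth"] and not s["auth"] & {"psk", "802.1x"}:
                    findings.append((subject, "MAC authentication used alone"))
    # A common SSID must map to one VLAN on every AP for Layer 2 roaming.
    for ssid, vlans in sorted(vlans_by_ssid.items()):
        if len(vlans) > 1:
            findings.append((ssid, f"APs on VLANs {sorted(vlans, key=str)}: no Layer 2 roaming between them"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(INVENTORY):
        print(f"{subject}: {finding}")
```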