The T-Mobile HotSpot@Home UMA Service on a University or Enterprise WLAN

Aruba White Paper

Table of Contents

  Enterprise FMC and the T-Mobile HotSpot@Home service .................................. 3
    Students, faculty and staff save on their personal cellular bills ................... 3
    University employees and faculty trim the university’s budget ....................... 4
    Improved coverage ................................................................... 4
    Improved, low-cost data services .................................................... 5
    HotSpot@Home is for some users, but not all ......................................... 5
  Technical considerations when deploying HotSpot@Home in enterprise ................... 6
  Authentication requirements .......................................................... 7
    ‘Inside the firewall’ access ........................................................ 7
    ‘Guest’ access ...................................................................... 8
  Advertising a suitable SSID .......................................................... 8
    Pre-configured SSIDs ................................................................ 8
    User-configured SSIDs ............................................................... 9
  Implementing firewall rules .......................................................... 9
  End-to-end quality of service (QoS) ................................................. 11
    Over the air QoS ................................................................... 11
    Wired LAN QoS ...................................................................... 11
    Internet QoS ....................................................................... 12
    QoS in the T-Mobile core network and beyond ........................................ 12
    Upstream WLAN requirements ......................................................... 12
    Downstream WLAN requirements ....................................................... 13
  Bandwidth requirements and Call Admissions Control .................................. 13
    Call admissions control ............................................................ 13
    Delay and jitter considerations .................................................... 14
  Emergency call handling ............................................................. 15
  Enabling voice service on an existing Aruba wireless LAN ............................ 15
  Sample configuration for use in Aruba WLAN networks ................................. 16
  Conclusion .......................................................................... 16
  About Aruba Networks, Inc. .......................................................... 17
Aruba Networks, Inc.                                                                                2

Enterprise FMC and the T-Mobile HotSpot@Home service
    In recent years the features of dual-mode devices (cellular voice and data clients with additional Wi-Fi radios) have
    grown increasingly sophisticated. The burgeoning capabilities of these devices have attracted the attention of IT
    staff at enterprises and universities with campus environments because of potential synergies with already installed
    wireless LANs. More specifically, the potential exists for a user to carry a single device that leverages Wi-Fi
    coverage where cellular reception is poor, thereby lowering telecom expenses and improving the user browsing
    experience because of Wi-Fi’s higher data rates.

    Analysts such as ABI Research see a bright future for dual-mode Wi-Fi/cellular technology (see right). As volumes
    increase and the cost of adding Wi-Fi to a cellphone falls, increasing numbers of handset manufacturers are
    supporting Wi-Fi on a wide range of devices.

    The T-Mobile HotSpot@Home service supports a range of dual-mode client devices that implement the Unlicensed
    Mobile Access (UMA) protocol, an ITU/3GPP standard. UMA is a form of fixed-mobile convergence (FMC) in
    which the phone has a single number for both cellular and Wi-Fi networks, and automatically hands over to
    Wi-Fi when it detects good reception from a suitable access point, returning to cellular when the device loses a
    usable Wi-Fi signal. UMA is one of many forms of FMC, and due to lack of integration with the PBX, is most
    suitable for organizations that do not rely on PBX-based 4- or 5-digit numbering plans. A companion paper,
    Fixed-Mobile Convergence with UMA for Enterprises, discusses different FMC architectures and their suitability
    for different organizations.

    No other national cellular operator in the U.S. offers a comparable service, putting T-Mobile in a unique position to
    benefit students, schools and enterprises alike.

    In this guide we discuss features required by a network engineer in order to develop reliable support for the
    HotSpot@Home service using an Aruba wireless LAN. Key technical considerations discussed include:

      •   Authentication requirements;
      •   Advertising a suitable SSID;
      •   Implementing firewall rules;
      •   End-to-end quality of service;
      •   Bandwidth requirements and call admissions control;
      •   Emergency call handling.

    Before diving into the technical details, let’s examine why enterprises, and universities in particular, would find this
    service of interest.

    Students, faculty and staff save on their personal cellular bills
    Students were traditionally significant customers of universities’ telecoms groups because everyone needed
    fixed lines to their dorm rooms and long-distance plans. Today students favor cellphones over fixed lines, and
    Skype or other free VoIP services over traditional long distance services. This change represents a loss of
    significant revenue for universities’ telecoms groups.

    A service such as HotSpot@Home offers a cost-reduction path from which students, faculty, and staff who pay
    their own cellular bills will benefit. Users that purchase a suitable phone and subscribe to the HotSpot@Home
    service for $10/month can make free local and national calls over Wi-Fi (including home access points and
    T-Mobile hotspots). Since these calls do not accrue towards monthly air-time minutes, this plan can yield
    considerable savings for garrulous users.


    While the increase in voice traffic over a university’s WLAN does not directly benefit the school, it may be
    possible for the university to negotiate incentives with the carrier.

    Figure 1. A selection of HotSpot@Home handsets

      BlackBerry 8820:    802.11a/b/g, WPA2-enterprise, WMM QoS, WMM power save
      BlackBerry Curve:   802.11b/g,   WPA2-enterprise, WMM QoS, WMM power save
      Samsung t409:       802.11b/g,   WPA2-personal,   WMM QoS, WMM power save
      Samsung Katalyst:   802.11b/g,   WPA2-personal,   WMM QoS, WMM power save

    University employees and faculty trim the university’s budget
    The section above targeted students, but all members of the university community who work on-campus but
    pay their own cellular bills would benefit in the same way. As noted, the benefits to the user are direct, while the
    university’s are indirect.

    Conversely, any user whose cellular bill is paid or reimbursed by the university represents an immediate
    opportunity for cost savings by the telecom department. By converting that user from a standard cellphone
    contract to HotSpot@Home, the university can ensure that calls made and received on-campus, at a T-Mobile
    hotspot or at home near a HotSpot@Home-configured Wi-Fi access point are free, and do not count in the
    monthly usage contract.

    International roaming represents a particularly promising opportunity for savings. If a faculty member travels
    internationally to another university served by a HotSpot@Home-enabled WLAN, all calls made and received
    while on Wi-Fi will be free, instead of incurring international roaming charges. The calls are delivered over
    Wi-Fi and VoIP via the Internet to the T-Mobile UMA gateway.

    Improved coverage
    Beyond cost savings, an additional benefit of the HotSpot@Home service is that a university can add voice
    coverage in areas where cellular signals are weak, a common issue on large campuses. Previously this
    problem was addressed by installing additional cellular base stations, a very expensive proposition. With
    HotSpot@Home, coverage holes can be filled by the university’s telecom/datacom group as part of the
    normal WLAN build-out.


    Note that it is possible to use HotSpot@Home with a standard T-Mobile SIM card installed in a HotSpot@Home
    handset, without subscribing to the extra $10/month HotSpot@Home ‘talk forever’ service. In this case minutes
    used are deducted from the subscriber’s plan in the usual way, but there is no supplementary monthly
    charge. This may be attractive where the desired benefit of the Wi-Fi service is improved coverage rather than
    cost savings.

    Improved, low-cost data services
    For those users who access university data services, HotSpot@Home phones can be configured to connect
    directly over Wi-Fi to the university LAN. This means that data services can be delivered over the WLAN instead
    of the cellular network, yielding higher speeds, lower latency and an opportunity to save on data plan expenses.

    HotSpot@Home is for some users, but not all
    The UMA FMC technology used by HotSpot@Home demonstrates characteristics that are ideal for some, but
    not all, users. These include:

      • Single (cellular) number and public dial plan. HotSpot@Home has a very straightforward architecture in which
        all calls are controlled by the T-Mobile core network, regardless of whether they pass over Wi-Fi or the cellular
        network. This means HotSpot@Home phones only use public (10-digit) numbers, and do not integrate with
        PBXs using 4- or 5-digit numbering plans. For instance, other FMC clients may allow the user to dial ‘6543’
        to reach another employee’s desk phone directly, whereas on HotSpot@Home the caller would have to dial
        ‘408-345-6543’ for this destination. However, this is no different from normal cellphone usage, and for these
        users one benefit of HotSpot@Home is that no retraining or change in user behavior is required;
      • No PBX integration or PBX/UC services. HotSpot@Home can be considered an overlay communications
        network, an extension of the cellular network that does not touch the PBX. This means PBX features are not
        available on HotSpot@Home phones, whereas most PBX-attached FMC architectures support enterprise-
        based Unified Communications services. The features available on HotSpot@Home phones, whether on Wi-Fi
        or cellular connections, are the familiar features available on cellphones. HotSpot@Home emphasizes simplicity
        over sophistication, and in so doing avoids the extra complexity associated with PBX integration;
      • Telco dependency and control. This is an age-old tradeoff similar to the Centrex vs. PBX debate. Some
        universities may prefer to maintain control over their own communications infrastructure, as they find they can
        control costs, switch or mix telcos and introduce features more flexibly when they own and manage the PBX.
        A sizable minority, however, will find that the simplicity and lack of on-premise equipment allows them to save
        considerable capital and operating expenses while still offering good service to their users. Many organizations
        will adopt a mixed FMC environment where some users are served by HotSpot@Home, while others are a better
        match for alternative FMC architectures.

    In summary, HotSpot@Home service is good for users who already use cellphones on the job because it is
    simple, reduces costs, and requires no learning or changes in user behavior. Organizations in which all calls are
    delivered via the PBX, especially those using advanced features such as Unified Communications, will not be
    good candidates for HotSpot@Home service, although certain users may benefit even in this environment. In
    those cases HotSpot@Home can be adopted on a user-by-user basis, as there is no extra hardware to purchase
    or install.


Technical considerations when deploying HotSpot@Home in enterprise
    The following sections consider how to protect the enterprise network, and what functionality is required to
    deliver a satisfying user experience. The diagram below shows that HotSpot@Home handsets operate as
    standard cellular devices while outside Wi-Fi coverage. When a suitable WLAN is detected the handset
    automatically authenticates, tunnels all its signaling and media traffic over IP, and reaches the cellular core
    network over the Internet.

    Figure 2. HotSpot@Home network architecture and roaming
    (Diagram: a handset on cellular service performs a cellular–Wi-Fi handover to a Wi-Fi access point, roams with
    AP–AP handover while on Wi-Fi service, and performs a Wi-Fi–cellular handover when leaving coverage. Wi-Fi
    traffic passes from the access point over the LAN to the Mobility Controller, through the corporate firewall and the
    Internet to the T-Mobile Security Gateway & UNC, and on to the cellular core (HLR, AuC, MSC, etc.).)


Authentication requirements
    HotSpot@Home handsets use UMA-specified protocols including IKE, IPSec and EAP-SIM to authenticate with
    the T-Mobile core network and obtain T-Mobile’s ‘dial-tone’. However, the campus WLAN manager may require
    devices to first authenticate with the enterprise network before proceeding to T-Mobile. All HotSpot@Home
    handsets are capable of this two-stage authentication; however, some only support WPA2 with pre-shared
    keys (PSK), while others (such as the BlackBerry 8820) can perform full WPA2-enterprise (WPA2/802.1X)
    authentication for WLAN access. The relevant architectures are discussed in more detail in the companion
    paper Fixed-Mobile Convergence with UMA for Enterprises.

    Figure 3. Inside the firewall access for a HotSpot@Home handset
    (Diagram: handset on the Corporate SSID, Wi-Fi access point, Mobility Controller performing RADIUS
    authentication, LAN, Firewall & NAT, Internet, T-Mobile gateway. Full authentication is followed by full LAN
    access.)

    ‘Inside the firewall’ access
    If users require access to data services on the corporate LAN, or if the network manager wishes to restrict
    access to only authorized devices using the most stringent authentication, the best course of action is to
    configure handsets for WPA2/802.1x. In this scenario, HotSpot@Home handsets will be subject to the same
    security regime as other Wi-Fi devices such as notebook PCs. Authentication is based on a RADIUS server,
    with pre-configured credentials.

    The primary benefits of this form of authentication are:

      • Most stringent security and access control: only specifically authorized users will be able to connect to the
        enterprise WLAN;
      • Uniform implementation: an existing SSID may be suitable, as the HotSpot@Home devices will use the same
        standard protocols as other devices such as notebook PCs, e.g., PEAP-MSCHAPv2 or other EAP types.

    Handsets gain access directly to the corporate LAN and can use corporate data services without ‘hairpinning’
    traffic back via the Internet or the T-Mobile UMA gateway. This avoids the need for VPN client usage when on
    Wi-Fi, and improves performance with higher data rates and lower latency. ‘Inside the firewall’ access may be
    understood as two-stage authentication: first to the enterprise network, and then to T-Mobile.

    The drawback of this approach is that every user, and possibly every device depending on the authentication
    used, must be configured individually. For PEAP-MSCHAPv2 this requires that the network certificate be
    loaded on the phone, and userid and password configured, just as for a WLAN-connected notebook PC.


    ‘Guest’ access

    Figure 4. Outside the firewall (‘guest’) access for a HotSpot@Home handset
    (Diagram: a ‘Guest’ SSID and a Corporate SSID on the Wi-Fi access points, Mobility Controller, LAN, Firewall &
    NAT, Internet, T-Mobile Gateway. The guest path has no authentication and no access to the LAN.)

    An alternate ‘guest’ access scenario connects users to the WLAN with relatively few obstacles, but their traffic
    will pass directly to the Internet, and hence to the T-Mobile UMA gateway. Within this class of access, there are
    a number of alternatives:

      • Open guest access: an SSID is provided (see next section) with no authentication requirement. This is easy to
        implement, but will allow any member of the public to connect to the Wi-Fi access point. Some organizations
        may require more stringent restrictions on access to or via their WLAN than an open SSID provides;
      • Open guest access backed by firewall restrictions: an open SSID as discussed above can be backed up by
        a firewall to ensure that the only traffic allowed via that SSID is bona fide HotSpot@Home traffic. This can be
        accomplished either using the integrated firewall provided in Aruba’s multi-service mobility controller, or by
        configuring other enterprise firewalls. See below for the required firewall rules;
      • Protected guest access with a Captive Portal: A Captive Portal is an intercepting Web page on which the user
        must enter a credential (or at the least acknowledge the conditions for access). The more sophisticated UMA
        handsets can be pre-configured to accomplish Captive Portal access, while simpler phones at present need
        some user intervention during every access attempt, which might prove impractical. Aruba’s multi-service
        mobility controllers offer the Captive Portal functionality, or external servers may be used.

Advertising a suitable SSID
    HotSpot@Home phones will only connect to configured SSIDs, so the options are generally to advertise one of
    the pre-configured SSIDs which all HotSpot@Home phones seek, or to configure the phone with a new SSID,
    either locally or by pushing a configuration profile from the BlackBerry Enterprise Server.

    Pre-configured SSIDs
    All T-Mobile HotSpot@Home devices are pre-configured with two SSIDs, using profiles that cannot be deleted
    or edited by the user:

      • HotSpot profile. This seeks an SSID ‘tmobile’, and is aimed at T-Mobile public hotspots
      • @Home profile. This seeks an SSID ‘@Home_****’, where **** can be any ASCII string


    Either of these SSIDs can be implemented, though the second is probably more appropriate as it will attract
    only HotSpot@Home clients and not hotspot data service users. For instance, Pembroke College might set up
    an SSID named ‘@Home_Pembroke’. If this approach is followed, all HotSpot@Home devices will attempt to
    connect to this SSID without any re-configuration being necessary.

    User-configured SSIDs
    If the WLAN manager does not wish to advertise one of the pre-configured SSIDs, any other may be chosen.
    Indeed, an existing SSID for secure or guest access is suitable so long as the authentication capabilities are
    appropriate. All new T-Mobile BlackBerries are capable of full WPA2-enterprise security, but not all phones sold
    with the service are so advanced; some only support pre-shared keys.

    If this scheme is chosen, HotSpot@Home users will be informed which SSID they should use, and given
    instructions to configure their clients. Alternately, a profile may be constructed at the enterprise’s or university’s
    BlackBerry Enterprise Server, and pushed to internal (not visiting) HotSpot@Home devices.

Implementing firewall rules
    Since the HotSpot@Home service is driven from the T-Mobile core network, handsets must be able to access a
    T-Mobile UMA gateway in order to draw ‘dial-tone’. This means the handset must be able to authenticate, and
    ultimately set up an IPSec tunnel via the enterprise LAN and the Internet.

    After the handset has successfully associated with the enterprise Wi-Fi network, it follows a well-defined
    sequence of protocols to establish this IPSec tunnel. Aruba’s integrated stateful firewall may be configured
    to tightly restrict any traffic originating from devices on the ‘HotSpot@Home’ SSID, ensuring it is indeed
    HotSpot@Home traffic. Alternately, the corporate firewall(s) at Internet portals may be configured with
    similar rules.

    The sequence of protocols used is explained below. Note that some of the information, such as the list of IP
    addresses, while provided in good faith, is not guaranteed by T-Mobile and may change in the future. It is
    accurate to the best of our knowledge as of this writing. Note that the handset saves information to its SIM card
    periodically, and as a consequence may not exhibit repeatable behavior as it moves to different locations. The
    protocol information includes the following:

    Figure 5. Discovery and registration sequence for a HotSpot@Home handset
    (Diagram: handset, Wi-Fi access point, Mobility Controller, LAN, Firewall & NAT, Internet, then the T-Mobile
    Provisioning Security Gateway, Provisioning UNC, Serving Security Gateway and Serving UNC. Steps shown:
    1 DNS lookup for Provisioning Security Gateway & UNC; 2 IKEv2 exchange & IPSec tunnel with Provisioning
    Security Gateway, which returns the FQDN of the Serving Security Gateway; 3 DNS lookup for Serving Security
    Gateway; 4 Connect to Serving Security Gateway and establish IPSec tunnel.)


     • Authentication and association to the WLAN, then DHCP;
     • Discovery of the Provisioning Security Gateway (psgw). In some cases, such as an initial connection from a new
       location, the handset may need to use DNS to find the Provisioning Security Gateway and the Provisioning UNC. If
       this is required, DNS lookups for psgw.t-mobilesgws.com will be observed;
     • If the handset has already made a successful UMA connection, it will usually go straight to the previously used IP
       address stored on the SIM card. It then uses IKEv2 on UDP port 500 for an initial ISAKMP exchange, followed by
       UDP 4500; in the example below the Provisioning Security Gateway’s IP address is 208.54.3.1. At the end of this
       phase, the handset is redirected to a particular Serving Security Gateway (several Serving Security Gateways
       exist), identified by an FQDN;
     • The handset then uses DNS to find the address of the Serving Security Gateway, with an FQDN such as
       n37.w122.t-mobilesgws.com. This resolves to the IP address of the Security Gateway used for the service. Thus far,
       these IP addresses have been logged: 208.54.3.1, 208.54.4.1, 208.54.6.1, 208.54.7.1, 208.54.8.1, 208.54.83.1,
       208.54.84.1, 208.54.85.1, 208.54.86.1, 208.54.87.1, 208.54.88.1, 208.54.90.1;
     • IKEv2 authentication completes with the Serving Security Gateway using UDP port 500;
     • Subsequent traffic is carried inside the IPSec tunnel to the Security Gateway using UDP port 4500. The handset
       connects through the tunnel to the Serving UNC, but this traffic is encrypted and not visible to the observer.

    The following is a packet capture of an 8820 starting up and connecting to the Security Gateway. Note that
    following a certain stage, information is encrypted and not visible to an on-premise network analyzer.

    Figure 6. Packet capture of a BlackBerry 8820 starting up and connecting to the Security Gateway
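The rule set described above, worked through as an added example that is not part of the paper or of Aruba's own configuration: a Python model of the stateful policy for a dedicated HotSpot@Home SSID, applied to constructed flow records that follow the registration sequence together with traffic the SSID should not carry. The campus resolver address and all flow records are constructed for the example; the gateway addresses are the ones logged above.

```python
"""Model of the firewall policy for a dedicated HotSpot@Home SSID.

A handset on that SSID may only obtain a DHCP lease, resolve names via the
campus resolver, and run IKEv2 (UDP 500) and IPsec NAT-T (UDP 4500) to a
T-Mobile Security Gateway.  Everything else is denied, which keeps the SSID
from turning into a general-purpose hotspot or an exit for arbitrary tunnels.

Assumptions: the resolver address and the flow records are constructed for
this example; the gateway addresses are those observed in the paper and are
not guaranteed by T-Mobile, so the set must be reviewed over time.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Security Gateway addresses logged in the paper (subject to change).
TMOBILE_SGW = {ip_address(a) for a in (
    "208.54.3.1", "208.54.4.1", "208.54.6.1", "208.54.7.1",
    "208.54.8.1", "208.54.83.1", "208.54.84.1", "208.54.85.1",
    "208.54.86.1", "208.54.87.1", "208.54.88.1", "208.54.90.1",
)}

# Campus DNS resolver handed out by DHCP (constructed address).
CAMPUS_DNS = ip_address("10.10.0.53")

IKE_PORT, NAT_T_PORT, DNS_PORT = 500, 4500, 53
DHCP_CLIENT_PORT, DHCP_SERVER_PORT = 68, 67


@dataclass(frozen=True)
class Flow:
    """One flow originated by a handset on the HotSpot@Home SSID."""
    src: str
    dst: str
    proto: str      # "udp", "tcp" or "icmp"
    sport: int = 0
    dport: int = 0


def decide(flow: Flow) -> tuple[str, str]:
    """Return (verdict, matching rule) for a single handset-originated flow.

    Rules are evaluated top to bottom like an ordered ACL; the denies carry
    a reason so that a log reader can tell misbehaviour from misconfiguration.
    """
    if flow.proto != "udp":
        return "deny", "non-udp-not-needed-for-uma"
    dst = ip_address(flow.dst)
    if flow.sport == DHCP_CLIENT_PORT and flow.dport == DHCP_SERVER_PORT:
        return "permit", "dhcp"
    if flow.dport == DNS_PORT and dst == CAMPUS_DNS:
        return "permit", "dns-to-campus-resolver"
    if flow.dport == DNS_PORT:
        return "deny", "dns-to-foreign-resolver"
    if flow.dport in (IKE_PORT, NAT_T_PORT) and dst in TMOBILE_SGW:
        return "permit", "ikev2-ipsec-to-tmobile-sgw"
    if flow.dport in (IKE_PORT, NAT_T_PORT):
        return "deny", "ike-to-unknown-peer"
    return "deny", "default-deny"


def audit(flows):
    """Apply the policy to a batch of flows; returns (flow, verdict, rule)."""
    return [(f, *decide(f)) for f in flows]


# Constructed flows mirroring the registration sequence in the text, followed
# by traffic that the HotSpot@Home SSID must not carry.
SAMPLE_FLOWS = [
    Flow("0.0.0.0", "255.255.255.255", "udp", 68, 67),      # DHCP discover
    Flow("10.10.5.21", "10.10.0.53", "udp", 40001, 53),     # psgw.t-mobilesgws.com lookup
    Flow("10.10.5.21", "208.54.3.1", "udp", 500, 500),      # IKEv2 to Provisioning SGW
    Flow("10.10.5.21", "208.54.3.1", "udp", 4500, 4500),    # IPsec NAT-T to Provisioning SGW
    Flow("10.10.5.21", "10.10.0.53", "udp", 40002, 53),     # n37.w122.t-mobilesgws.com lookup
    Flow("10.10.5.21", "208.54.83.1", "udp", 500, 500),     # IKEv2 to Serving SGW
    Flow("10.10.5.21", "208.54.83.1", "udp", 4500, 4500),   # tunnel carrying UNC traffic
    Flow("10.10.5.21", "8.8.8.8", "udp", 40003, 53),        # bypassing the campus resolver
    Flow("10.10.5.21", "203.0.113.7", "udp", 500, 500),     # IKE to a non-T-Mobile peer
    Flow("10.10.5.21", "198.51.100.9", "tcp", 40004, 443),  # web browsing on the voice SSID
]

if __name__ == "__main__":
    for flow, verdict, rule in audit(SAMPLE_FLOWS):
        print(f"{verdict:6} {rule:28} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

The first seven flows are the legitimate registration sequence and are permitted; the last three are denied with a reason suitable for the controller's firewall log.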


End-to-end quality of service (QoS)
    Voice services require good quality of service: low delay and jitter, and low rates of packet errors and drops.
    Quality of service is a network requirement, end-to-end: overall quality suffers if any link of the call introduces
    impairment. The end-to-end chain for the HotSpot@Home service starts at the handset and covers the
    following bi-directional links:

      •   Over the air, handset to Wi-Fi access point;
      •   Over the LAN, access point to Internet connection across the enterprise network;
      •   Internet path to the T-Mobile UMA gateway;
      •   Within the T-Mobile core network;
      •   From the T-Mobile network to the destination.

    We will discuss each in turn.

    Over the air QoS
    The over the air link from the handset to the Wi-Fi access point is likely to be the most challenging in the overall
    voice connection. Wi-Fi quality is dependent on factors such as signal strength and interference, both of which
    can be controlled by good Wi-Fi network design practices. Aruba’s enterprise WLANs are typically deployed
    with access points spaced relatively closely (50-70 foot spacing) to provide continuous coverage with good
    signal-to-noise characteristics and automatic coverage in the event of an access point failure. The network
    access points also perform double duty as RF monitors to detect and mitigate interference. This allows
    handsets to move around the network without losing the Wi-Fi signal. Aruba’s design tools and guidelines
    assist in implementing good network designs.

    Once the RF environment has been addressed, it is important that voice traffic transmitted over-the-air is given
    priority. If one client has voice traffic to transmit, and another data traffic, the former must be able to transmit
    when required to avoid degrading voice quality due to jitter or dropped frames.

    QoS over Wi-Fi is achieved by implementing the Wi-Fi Alliance Wi-Fi Multimedia (WMM) certification. WMM
    uses four priority levels that map to the 8 levels defined in the 802.1d standard. Priority is set per-packet
    rather than per-flow, and so is similar to diff-serv rather than int-serv. The correct priority for upstream
    (towards the access point) traffic is WMM ‘voice,’ the highest level. Handsets must queue all voice frames
    as ‘voice,’ and usually signalling frames are similarly tagged. Downstream traffic (transmitted by the
    access point over the air) must also be queued and transmitted at ‘voice’ priority from the access point.
    Downstream prioritization is the responsibility of the WLAN, rather than the handset, and is implemented in all
    state-of-the-art enterprise WLANs.

    Wired LAN QoS
    Good QoS for wired LANs is required of all VoIP systems, and if the enterprise is already using an IP PBX or
    other VoIP system, HotSpot@Home traffic will be well-served. As above, packets are given priority according to
    the tags on their headers. At L2 this will be 802.1p, while at L3 an IP TOS (DSCP) tag is necessary.
    Performance should be good provided that the wired LAN gives priority to traffic tagged (according to 802.1d)
    at level 6 (voice) or 7 (network control). All modern LAN switches and routers are capable of QoS and should be
    configured appropriately.


    Internet QoS
    Once HotSpot@Home traffic leaves the enterprise or university LAN, it must traverse the Internet to the
    T-Mobile HotSpot@Home gateway. The public Internet is not generally priority-aware; however, given
    sufficient bandwidth on the access link, VoIP over the Internet can be successfully accomplished, and is now
    well-accepted and in everyday use. Once a link has been tested and proven, performance is likely to remain
    good. This is especially true of organizations with high-speed Internet access links, as congestion most often
    occurs on lower bandwidth connections.

    QoS in the T-Mobile core network and beyond
    The T-Mobile core network is, of course, properly engineered for VoIP traffic. Once the connection leaves this
    network, it can take many paths in the same way that a call from a cellphone traverses many networks to reach
    its destination.

    [Figure 7 (diagram): Handset -> Wi-Fi access point -> LAN -> Wi-Fi mobility controller -> Corporate firewall & NAT
    -> Internet -> T-Mobile]

      • 1. Handset transmits voice frames @ WMM priority 3 (VOI).
      • 2. AP transfers voice priority to outer envelope of GRE/IPSec tunnel to controller (firewall rule can
           over-write original tag).
      • 3. LAN must be QoS-aware for L2/L3 QoS tags.
      • 4. Mobility controller maintains priority as it unpacks the voice packet.
      • 5. QoS awareness should be supported as far as possible, especially on low-bandwidth access links.

                                   Figure 7. Upstream QoS chain for Aruba networks carrying HotSpot@Home traffic

    Upstream WLAN requirements
    In the upstream direction, all HotSpot@Home handsets transmit frames with WMM ‘voice’ priority, even though
    the frames are encapsulated in an IPSec tunnel. This ensures preferential access to the air for best QoS.

    Once frames reach the Aruba WLAN access point, the 802.11 headers are stripped away but the priority tag is
    maintained (using a mapping defined in WMM) and checked against a ‘user priority’ field in the 802.11 header
    that defines the original 802.1d priority level. A matching priority tag is then attached to the outer header of the
    L2 or L3 tunnel carrying the frame to the Aruba multi-service mobility controller. The mapping is configured in
    Aruba software, but unless over-ridden by a firewall rule, the access point will map according to the following
    rule: WMM level 3 (‘voice’) = DSCP code 46 = 802.1d (802.1p) priority 6. Provided the LAN recognizes and
    correctly handles these tags, VoIP priority will be maintained between the Aruba access point and controller. A
    similar mapping is used when the frame has been decrypted in the controller and directed to the enterprise
    core LAN.


    Downstream WLAN requirements

    [Figure 8 (diagram): T-Mobile -> Internet -> Corporate firewall & NAT -> Wi-Fi mobility controller -> LAN
    -> Wi-Fi access point -> Handset]

      • 1. It must be assumed that packets received from the Internet are not priority-tagged.
      • 2. Firewall rules in mobility controller identify UMA traffic, tag packets with ‘voice’ priority on outside of
           GRE/IPSec tunnel to AP.
      • 3. LAN must be QoS-aware for L2/L3 QoS tags.
      • 4. AP transfers voice priority to WMM ‘voice’ priority, queues and transmits with priority.
      • 5. Handset receives frame.

                                Figure 8. Downstream QoS chain for Aruba Networks carrying HotSpot@Home traffic

    In the downstream direction, it is likely that packets will lose their QoS tags as they traverse the Internet.
    Therefore it is important that packets are re-tagged as soon as possible after entry to the enterprise network.
    This can be accomplished by a firewall using a rule that recognizes IPSec protocol from one of the source
    addresses identified above. Even if such a firewall is not available, the Aruba multi-service mobility controller
    can be configured to recognize HotSpot@Home traffic and assign it ‘voice’ priority as above.
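    The two mappings just described, the upstream WMM-to-DSCP/802.1p mapping and the downstream re-tagging of
    untagged IPSec packets from the T-Mobile gateways, can be expressed as a small policy. The block below is an
    added example (not Aruba code) that implements both: the voice mapping is the rule quoted in the text (WMM
    access category 3 ‘voice’ = DSCP 46 = 802.1d/802.1p priority 6), the 802.1d user-priority to WMM access-category
    table is the standard WMM one, and the best-effort defaults for non-voice classes and the sample packets are
    constructed assumptions.

```python
"""QoS marking policy for HotSpot@Home traffic, upstream and downstream.
Added example, not Aruba code; sample packets are constructed."""

# 802.1d user priority (0-7) -> WMM access category index: 0=BE, 1=BK, 2=VI, 3=VO.
UP_TO_WMM_AC = {0: 0, 1: 1, 2: 1, 3: 0, 4: 2, 5: 2, 6: 3, 7: 3}
WMM_AC_NAME = {0: "best-effort", 1: "background", 2: "video", 3: "voice"}
VOICE_UP, VOICE_DSCP, VOICE_AC = 6, 46, 3   # rule quoted in the text

# Security gateway addresses listed in the white paper.
KNOWN_GATEWAYS = {
    "208.54.3.1", "208.54.4.1", "208.54.6.1", "208.54.7.1", "208.54.8.1",
    "208.54.83.1", "208.54.84.1", "208.54.85.1", "208.54.86.1",
    "208.54.87.1", "208.54.88.1", "208.54.90.1",
}


def wmm_ac_for_up(user_priority):
    """Access category a handset frame lands in for a given 802.1d user priority."""
    return UP_TO_WMM_AC[user_priority]


def upstream_tunnel_tags(wmm_ac):
    """Tags the AP writes on the outer GRE/IPSec header towards the controller.
    Only the voice mapping comes from the text; other classes are assumed
    to be left at best-effort (0) in this example."""
    if wmm_ac == VOICE_AC:
        return {"dscp": VOICE_DSCP, "dot1p": VOICE_UP}
    return {"dscp": 0, "dot1p": 0}


def is_uma_traffic(src_ip, proto, sport, dport):
    """Firewall-rule test from the text: IPSec (ESP, or IKE/NAT-T on UDP 500/4500)
    arriving from one of the listed T-Mobile gateways."""
    if src_ip not in KNOWN_GATEWAYS:
        return False
    if proto == "esp":
        return True
    return proto == "udp" and (sport in (500, 4500) or dport in (500, 4500))


def retag_downstream(pkt):
    """Treat every packet from the Internet as untagged, then re-mark UMA
    traffic as voice so the LAN, controller and AP queue it ahead of data."""
    if is_uma_traffic(pkt["src"], pkt["proto"], pkt["sport"], pkt["dport"]):
        return {"dscp": VOICE_DSCP, "dot1p": VOICE_UP, "wmm_ac": UP_TO_WMM_AC[VOICE_UP]}
    return {"dscp": 0, "dot1p": 0, "wmm_ac": UP_TO_WMM_AC[0]}


# Constructed downstream packets as they arrive from the Internet.
SAMPLE_PACKETS = [
    {"src": "208.54.87.1", "proto": "udp", "sport": 4500, "dport": 4500},  # NAT-T from gateway
    {"src": "208.54.3.1", "proto": "udp", "sport": 500, "dport": 500},     # IKE from gateway
    {"src": "203.0.113.9", "proto": "udp", "sport": 4500, "dport": 4500},  # not a listed gateway
    {"src": "208.54.87.1", "proto": "tcp", "sport": 443, "dport": 51000},  # gateway, but not IPSec
]


def mark_all(packets):
    """WMM access category each packet will be queued in at the AP."""
    return [retag_downstream(p)["wmm_ac"] for p in packets]


if __name__ == "__main__":
    for pkt, ac in zip(SAMPLE_PACKETS, mark_all(SAMPLE_PACKETS)):
        print(pkt["src"], pkt["proto"], "->", WMM_AC_NAME[ac])
```

    Only the first two constructed packets are re-marked as voice: traffic from an unlisted address and non-IPSec
    traffic from a listed gateway both stay best-effort, which is the behaviour a narrowly scoped firewall rule should
    produce.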

Bandwidth requirements and Call Admissions Control
    Although HotSpot@Home traffic is VoIP with the additional overhead of an IPSec tunnel, the bandwidth
    overhead is relatively low because the codec used is the GSM AMR (selected rates from 4.75 – 12.2 kbps)
    rather than the more common G.711 PCM (64 kbps). Over the air, HotSpot@Home voice frames are 222 B long.
    They will be somewhat shorter on Ethernet due to the smaller header.

    Voice frames are sent every 20 milliseconds (50 frames/sec) yielding a rate of 88.8 kbps in each direction of the
    call. Thus, a single HotSpot@Home call takes close to 180 kbps over the air. On Ethernet, 140 kbps per call is
    more typical, due to the shorter headers.

    The GSM-AMR codec uses silence suppression, so if the caller is not speaking it sends only keepalive frames
    that consume just 52-54 bytes every 40 or 50 milliseconds. But for the purposes of LAN dimensioning, the
    engineer should assume constant speech, the ‘worst case’ setting.

    When HotSpot@Home traffic shares LAN links with enterprise traffic, QoS tagging ensures it receives
    preferential treatment when competing with data frames for limited link bandwidth. Assuming the networking
    devices are correctly configured, voice traffic will maintain priority. That is, data frames will be delayed and
    dropped before voice frames if the combined voice and data traffic load exceeds the link capacity.

    Call admissions control
    As discussed above, voice in the presence of data will always gain priority in a QoS-enabled network, both over
    the air and over the wire. However, network engineers should consider the maximum expected voice loading,
    both per-AP and per-link on the wired LAN, to ensure that voice traffic in total will not overload any given link.


    The calculations above indicate that each over-the-air HotSpot@Home voice connection will consume
    180 kbps. This is less than for most Wi-Fi handsets using the G.711 codec, which has a raw rate of 64 kbps,
    and after overhead requires about 240 kbps per connection. There are many considerations when estimating
    maximum call limits, but for this traffic each access point (assuming it is working at 802.11a or 802.11g rates)
    can support 20 to 25 calls. Therefore the network designer should ensure that there is little likelihood of
    exceeding 20 simultaneous active calls (as opposed to handsets in the region of the AP) because there is
    currently no accurate call admissions control (CAC) mechanism for UMA traffic.

    Note that the estimate of 20+ calls per access point is an extremely high figure for a wireless LAN deployment
    scenario: it is challenging to gather 60-80 people in a single access point’s area, in order to generate 20+ active
    calls. Adding access points to load-balance in areas with very high voice traffic is the best way to mitigate
    access point loading, so crowded halls are usually served by several access points. Aruba’s load-balancing
    algorithm moves handsets and other clients to adjacent access points with available capacity as traffic rises.

    It may also be helpful to set a bandwidth contract for each access point for IPSec traffic in Aruba software. This
    mechanism allows the network engineer to guarantee a minimum or maximum bandwidth for the total traffic in
    a certain category, in this case traffic using the IPSec protocol. As long as the traffic is within its limit, it will be
    given as much bandwidth as it needs; if it exceeds its contract it will be buffered and throttled to that rate.
    Thus bandwidth contracts can be used either to place a per-access point ceiling on HotSpot@Home traffic, or
    to place a ceiling on all other traffic, so guaranteeing a minimum bandwidth for HotSpot@Home.
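    The bandwidth, call-limit and bandwidth-contract figures in the preceding paragraphs can be turned into a small
    dimensioning calculator. The block below is an added example (not from the white paper) built on the numbers
    the text gives: 222-byte frames every 20 ms over the air, about 140 kbps per call on Ethernet, AMR keepalives
    of 52-54 bytes every 40-50 ms, and a recommended ceiling of 20 active calls per AP because no accurate CAC
    exists for UMA traffic. The link sizes and AP counts used as inputs are constructed.

```python
"""Worst-case (constant speech) dimensioning of HotSpot@Home voice load.
Added example using the figures quoted in the text; inputs are constructed."""

FRAME_INTERVAL_S = 0.020           # one voice frame every 20 ms (50 frames/s)
AIR_FRAME_BYTES = 222              # over-the-air frame length from the text
ETHERNET_PER_CALL_KBPS = 140.0     # typical bidirectional per-call rate on the wire
MAX_ACTIVE_CALLS_PER_AP = 20       # recommended ceiling: no accurate CAC for UMA


def one_way_kbps(frame_bytes, interval_s=FRAME_INTERVAL_S):
    """Rate of one direction of a call: bytes per frame x 8 bits / frame interval."""
    return frame_bytes * 8 / interval_s / 1000.0


def per_call_air_kbps(frame_bytes=AIR_FRAME_BYTES):
    """Both directions of one call over the air (the text rounds this to 180 kbps)."""
    return 2 * one_way_kbps(frame_bytes)


def keepalive_kbps(bytes_per_frame=54, interval_s=0.040):
    """Upper end of the silence-suppression keepalive load, both directions."""
    return 2 * one_way_kbps(bytes_per_frame, interval_s)


def ap_within_limit(active_calls, limit=MAX_ACTIVE_CALLS_PER_AP):
    """False for an AP whose expected simultaneous active calls exceed the ceiling."""
    return active_calls <= limit


def wired_voice_load_kbps(ap_count, calls_per_ap, per_call=ETHERNET_PER_CALL_KBPS):
    """Constant-speech voice load on a LAN link that feeds ap_count access points."""
    return ap_count * calls_per_ap * per_call


def link_headroom_kbps(link_kbps, ap_count, calls_per_ap, per_call=ETHERNET_PER_CALL_KBPS):
    """Bandwidth left for data once the worst-case voice load is reserved;
    a negative result means voice alone would exceed the link."""
    return link_kbps - wired_voice_load_kbps(ap_count, calls_per_ap, per_call)


def ipsec_contract_kbps(max_calls, per_call=ETHERNET_PER_CALL_KBPS):
    """Ceiling for a per-AP bandwidth contract on IPSec traffic that admits max_calls."""
    return max_calls * per_call


if __name__ == "__main__":
    print(f"one direction over the air: {one_way_kbps(AIR_FRAME_BYTES):.1f} kbps")
    print(f"per call over the air:      {per_call_air_kbps():.1f} kbps")
    print(f"keepalive only:             {keepalive_kbps():.1f} kbps")
    # Constructed scenario: 10 APs at the ceiling behind a 100 Mbps uplink.
    print(f"headroom on 100 Mbps link:  {link_headroom_kbps(100_000, 10, 20):.0f} kbps")
    print(f"IPSec contract for 20 calls: {ipsec_contract_kbps(20):.0f} kbps")
```

    The calculator reproduces the text’s 88.8 kbps per direction and shows that, at the recommended ceiling, ten
    access points leave most of a 100 Mbps link free for data, while a 20 Mbps link would be overcommitted by voice
    alone.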

    Delay and jitter considerations
    The delay and jitter of the UMA chain over Wi-Fi and the Internet is generally comparable to that of the cellular
    network. The Wi-Fi link itself introduces negligible delay in VoIP terms, where one-way, end-to-end delay
    should be kept within 200-250 msec for best quality.

    Delay is comprised of the cumulative total of all links in the call listed above. The most significant contributions
    will be in the order of 20 msec for packetization and 50 msec for the dejitter buffer, for a minimum end-to-end
    latency in the order of 70 msec, to which the delays through all switches and routers in the path, and the
    propagation delay of links, primarily the Internet link, should be added. It should be safe to assume a worst
    case of around 100-150 msec between the handset and the T-Mobile core network.

    Jitter is accounted for in the jitter buffer, effectively becoming extra latency on the connection. In practice,
    figures of

Emergency call handling
    Although it’s not clear whether FCC mandates apply to Wi-Fi-connected handsets, operators are working to
    implement E911 functionality equivalent to the cellular network. The two most important aspects of emergency
    calling are to direct the call to the correct (usually nearest) Public Safety Answering Point (PSAP), and to
    provide that PSAP, if it is E911-enabled, with the location of the caller. Since UMA technology allows calls to be
    made from any Internet-connected access point, the network uses a number of factors to determine the caller’s
    identity and location, and to populate the information required. If the handset is within cellular coverage, a GSM
    emergency call may be made in the usual way. In cases in which the handset is on Wi-Fi but out of reach of the
    cellular network, a variety of input data is used, including:

      •   The last known GSM cell site detected by the handset;
      •   The registered address of the purchaser of UMA service, provided at point-of-sale;
      •   The MAC address of the associated AP (particularly useful for T-Mobile hotspots);
      •   The IP address assigned to the handset.

    These input data, and the algorithms used to derive a corresponding location, are not yet standardized, but
    together they provide a framework for correct emergency call handling that is more advanced and effective
    than for PBX-connected Wi-Fi handsets. Customers will want to consult their T-Mobile representative for a
    comprehensive and up-to-date explanation of state-of-the-art E911 services over HotSpot@Home.

Enabling voice service on an existing Aruba wireless LAN
    Most enterprises installing Wi-Fi networks today do so with the expectation that they will be able to support
    voice services, either immediately or in the future. Aruba’s product line has incorporated voice over Wi-Fi
    features for the entire history of the company, and our experience is that when customers come to add voice
    to an existing Wi-Fi network, even one that was installed some years previously, there is seldom a need to
    re-engineer the network. The main considerations are:

      • Consider upgrading to the latest software when deploying voice on a previously data-only network, to take
        advantage of current features.
      • Purchase the Voice Services Module, a software license enabling a number of useful voice-related features.
      • Review the network’s coverage, as voice users may require a Wi-Fi signal in previously unserved locations such
        as stairwells, lobbies and outdoor areas. However, in already-covered areas it is seldom necessary to reduce AP
        spacing, as most Aruba networks are already designed for high-capacity, pervasive coverage.
      • Consider whether to add a new SSID to the network. While voice and data traffic can coexist on a single
        SSID, battery-saving features can be more aggressively implemented on an SSID targeted at handheld,
        battery-powered clients.
      • Review the 2.4 GHz and 5 GHz channel plans. The 5 GHz band is preferred for voice because there are fewer
        interfering devices such as microwave ovens, cordless phones and Bluetooth transmitters. However, as most
        handsets are only capable of 2.4 GHz operation, it may be necessary to use that band for voice, in which case
        grooming some or all data-only devices to the 5 GHz band may be the best policy for optimum bandwidth use.

    Complete recommendations for voice services over Aruba wireless LANs are available in the ‘Voice design and
    implementation guide’.


Sample configuration for use in Aruba WLAN networks
    Sample rules used to restrict access and set QoS for an Aruba Multi-Service Mobility Controller are shown
    below. The netdestination list permits traffic only to the identified T-Mobile network. The access-list sets all IKE
    and NAT-T traffic to high priority for the uplink and downlink, regardless of its tagging when it reaches the
    controller or access point. The ‘disable-scanning’ command prevents the access point from going off-channel to
    monitor other RF channels when HotSpot@Home traffic is present, as would be configured for other types of
    voice traffic. In Aruba’s architecture, the user role allows any user this type of access, separate from
    authentication and not linked to a specific SSID or VLAN. For instance, an open guest SSID could have this
    restriction behind it, allowing HotSpot@Home traffic to bypass the captive portal.

    ! T-Mobile security gateway addresses observed for the service (host entries take no mask)
    netdestination tmobile-uma-svc
      host 208.54.3.1
      host 208.54.4.1
      host 208.54.6.1
      host 208.54.7.1
      host 208.54.8.1
      host 208.54.83.1
      host 208.54.84.1
      host 208.54.85.1
      host 208.54.86.1
      host 208.54.87.1
      host 208.54.88.1
      host 208.54.90.1
    !
    ! Permit only ESP, IKE (UDP 500) and NAT-T (UDP 4500) to those gateways, queue as voice,
    ! and keep the AP on-channel while this traffic is present
    ip access-list session tmobile-uma
      user alias tmobile-uma-svc svc-esp permit disable-scanning queue high
      user alias tmobile-uma-svc svc-ike permit disable-scanning queue high
      user alias tmobile-uma-svc svc-natt permit disable-scanning queue high
    !
    ! Apply the ACL first in the pre-authentication (logon) role so the traffic bypasses the captive portal
    user-role logon
      session-acl tmobile-uma position 1
    !

    All packets destined for the HotSpot@Home handset will have appropriate ‘voice’ priority tags, and should be
    given good QoS in the same way as the uplink. The Aruba controller will use these tags outside the tunnel
    header for all such traffic transmitted to an access point, and the access point, in turn, will use WMM ‘voice’
    priority to queue and transmit frames over the air to the handset.

Conclusion
    UMA is a very successful technology, and more than one million handsets were activated worldwide in 2007 by
    just a handful of GSM carriers including T-Mobile’s HotSpot@Home service in the U.S. Considerably more UMA
    handsets are in use than any other form of FMC.

    The initial target market for UMA was residential customers leveraging their home access points and public
    hotspots for Wi-Fi coverage. However, a significant number of enterprise and university telecoms users can
    benefit from this service by obtaining better coverage, data performance, reduced expenses, and/or
    favorable tariffs.


      There are many paths to enterprise FMC, and HotSpot@Home is one approach among many. In its favor it is
      simple to adopt, requires no new user behavior, and offers a very clean single-number solution. A substantial
      percentage of organizations and users would benefit from deploying HotSpot@Home over an Aruba wireless
      LAN, and this guide was intended to inform network administrators about the advantages of such a
      deployment. These benefits can accrue whether one is implementing a single-access point based residential
      service or enabling an enterprise WLAN.

About Aruba Networks, Inc.
      Aruba Networks is a leading provider of next-generation network access solutions for the mobile enterprise. The
      company’s Mobile Virtual Enterprise (MOVE) architecture unifies wired and wireless network infrastructures into one
      seamless access solution for corporate headquarters, mobile business professionals, remote workers and guests.
      This unified approach to access networks enables IT organizations and users to securely address the Bring Your
      Own Device (BYOD) phenomenon, dramatically improving productivity and lowering capital and operational costs.

      Listed on the NASDAQ and Russell 2000® Index, Aruba is based in Sunnyvale, California, and has operations
      throughout the Americas, Europe, Middle East, Africa and Asia Pacific regions. To learn more, visit Aruba at
      http://www.arubanetworks.com. For real-time news updates follow Aruba on Twitter and Facebook, and for the
      latest technical discussions on mobility and Aruba products visit Airheads Social at http://community.
      arubanetworks.com.

                                               www.arubanetworks.com

                                               1344 Crossman Avenue. Sunnyvale, CA 94089
                                               1-866-55-ARUBA | Tel. +1 408.227.4500 | Fax. +1 408.227.4550 | info@arubanetworks.com

© 2013 Aruba Networks, Inc. Aruba Networks’ trademarks include AirWave®, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility
Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, and Green Island®. All rights reserved. All other trademarks are the property of their respective
owners. WP_TMobileHotSpot_011513