
1. Meraki access points support LLDP. LLDP is also part of the Colliers standard for integrated offices. When deploying a Corporate wireless solution, verify that LLDP is running on all Access Switches, the Core Switch(es) and the CE Router.

2. The ports the Access Points are connected to must be configured as trunk ports. Only the WIFI and GUEST vlans should be allowed unless Colliers-Voice will be enabled, in which case only the WIFI, GUEST and VOICE vlans will be allowed. The Access Points are not switches, so enable spanning-tree, and add the appropriate QoS tagging if Colliers-Voice is enabled. Finally, the port description must be updated to indicate it is a wireless port. It is Colliers standard practice to always indicate the use of a switchport via its description. Note: the native vlan should always be the WIFI vlan. An example configuration can be found below, where the DATA vlan is 25, the WIFI vlan is 325 and the GUEST vlan is 666 and is VRF isolated:
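The following is an added Cisco IOS example written for this page, not the document's own configuration. It applies items 1 and 2: LLDP enabled globally and an AP-facing trunk port in the standard form (WIFI and GUEST only) beside the Colliers-Voice form (VOICE added, QoS trust applied). The VLAN numbers 25, 325 and 666 come from the text; the VOICE vlan 125, the interface names and the Catalyst-style QoS command are assumptions.

```cisco
! Added example, not the document's configuration. VLANs 325/666 are from the
! text; VOICE vlan 125, interface names and platform commands are assumptions.
!
! Item 1: LLDP must run on every access switch, the core switch(es) and the CE router.
lldp run
!
! Standard AP port: trunk, native vlan = WIFI, only WIFI and GUEST allowed.
! Spanning-tree stays enabled; "portfast trunk" skips the listening/learning delay
! because an AP cannot form a loop, and bpduguard errdisables the port if a real
! switch is ever plugged in instead of an AP.
interface GigabitEthernet1/0/10
 description WIRELESS-AP
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 325
 switchport trunk allowed vlan 325,666
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
! Same port when Colliers-Voice is enabled: VOICE vlan added and the AP's DSCP
! markings trusted ("mls qos trust dscp" is the 3560/3750 form and needs a global
! "mls qos"; other platforms use "auto qos" or an MQC policy).
interface GigabitEthernet1/0/11
 description WIRELESS-AP (Colliers-Voice)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 325
 switchport trunk allowed vlan 125,325,666
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
 mls qos trust dscp
!
! Verification: the AP should be listed as an LLDP neighbour and the trunk should
! carry exactly the allowed vlans.
! show lldp neighbors
! show interfaces GigabitEthernet1/0/10 trunk
```

On platforms that only support 802.1Q (for example 2960-series) the `switchport trunk encapsulation dot1q` line is rejected and can simply be omitted.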

3. DHCP for the WIFI vlan should always live on the local office DHCP server. This allows for AD-integrated DNS, similar to the DATA subnets. In locations without a local DHCP server, the core switch may fill that role for WIFI. In either case, the IP exclusions are the same as the standard VOICE exclusions.
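An added example (not the document's own configuration) of the two DHCP arrangements described in item 3: the WIFI SVI relaying to the local office DHCP server, and the core switch serving the scope itself where no local server exists. The subnet 10.166.10.0/24, the DHCP and DNS server addresses, the excluded range and the domain name are constructed placeholders; the real excluded range is the standard VOICE exclusion range, which this page does not list.

```cisco
! Added example, not the document's configuration. All addresses are constructed.
!
! Case A: local office DHCP server present (preferred, gives AD-integrated DNS).
! The SVI only relays; no pool is defined on the switch.
interface Vlan325
 description WIFI
 ip address 10.166.10.1 255.255.255.0
 ip helper-address 10.166.1.20
!
! Case B: no local DHCP server, so the core switch serves the WIFI scope.
! The excluded range mirrors the standard VOICE exclusions (placeholder range here).
ip dhcp excluded-address 10.166.10.1 10.166.10.30
!
ip dhcp pool WIFI-VLAN325
 network 10.166.10.0 255.255.255.0
 default-router 10.166.10.1
 dns-server 10.166.1.10 10.166.1.11
 domain-name office.example
 lease 0 8
!
! Checks
! show ip dhcp pool WIFI-VLAN325
! show ip dhcp binding
! show ip dhcp conflict
```

Only one of the two cases applies per site; in case B the `ip helper-address` line is left off the SVI.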

4. Routing information is shared between the core switch and the router using a standard interior routing protocol, NOT by setting a default route on the router and a static route on the L3 switch. The routing information shared includes the wireless subnets, but NOT guest. The standard for LAN routing is OSPF. Legacy sites run EIGRP. To prevent the guest subnet from being redistributed, redistribute connected should NEVER be used on the router. redistribute-connected should, however, be used on the L3 switch. Static routes should only be set on the L3 switch and should be redistributed to the router via redistribute-static. Static routes should not be set on the router. Below is the Ontario CE Router's interior routing (note the loopback being explicitly defined):

And the Ontario L3 Switch:
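The following is an added OSPF example written for this page; it is not the Ontario configuration and should not be read as such. It lays the CE router and L3 switch side by side to show the split item 4 requires: the router advertises its loopback and link explicitly with no redistribute connected and no statics, while the switch carries the SVIs via redistribute connected and its statics via redistribute static. The guest SVI sits in its own VRF (item 2 says GUEST is VRF isolated), which is why redistribute connected on the switch does not leak it. Process ID 1, area 0, the loopbacks, link addresses, the VRF name and the sample static route are constructed placeholders.

```cisco
! Added example, not the Ontario configuration. All addresses are constructed.
!
! ================= CE router =================
interface Loopback0
 ip address 10.165.255.1 255.255.255.255
!
interface GigabitEthernet0/1
 description LINK-TO-L3-SWITCH
 ip address 10.165.0.1 255.255.255.252
!
router ospf 1
 router-id 10.165.255.1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 ! loopback explicitly defined rather than picked up by redistribute connected
 network 10.165.255.1 0.0.0.0 area 0
 network 10.165.0.0 0.0.0.3 area 0
 ! deliberately absent on the router:
 !   redistribute connected   (would carry the guest vlan into OSPF and on to BGP)
 !   ip route ...             (statics live on the L3 switch only)
!
! ================= L3 (core) switch =================
vrf definition GUEST
 address-family ipv4
 exit-address-family
!
interface Loopback0
 ip address 10.165.255.2 255.255.255.255
!
interface GigabitEthernet1/0/1
 description LINK-TO-CE-ROUTER
 no switchport
 ip address 10.165.0.2 255.255.255.252
!
interface Vlan325
 description WIFI
 ip address 10.166.10.1 255.255.255.0
!
! Guest SVI is in the GUEST VRF, so it is not "connected" in the global table
interface Vlan666
 description GUEST
 vrf forwarding GUEST
 ip address 192.168.66.1 255.255.255.0
!
! Statics are set here only and reach the router through redistribute static
ip route 10.200.0.0 255.255.0.0 10.166.10.254
!
router ospf 1
 router-id 10.165.255.2
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 network 10.165.255.2 0.0.0.0 area 0
 network 10.165.0.0 0.0.0.3 area 0
 redistribute connected subnets
 redistribute static subnets
!
! Check from the router: wireless subnet present, guest subnet absent
! show ip route ospf
! show ip ospf neighbor
```

For a legacy EIGRP site the same split applies under `router eigrp`, with `redistribute connected` and `redistribute static` on the switch only.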


5. Only the 10.166.xx.0/xx and 10.165.xx.0/xx subnets are allowed to authenticate to the RADIUS
server (Corp-ca-nps01), thus only those subnets should be used for WIFI. While an exception may
be necessary, written prior approval from Erik Jacobsen, Ken McNena, Wayne Bayley or Dave
Davies must be secured.

The NPS server is configured as below. Note that there are some non-standard subnets; any non-standard subnet MUST be approved in writing by Erik Jacobsen, Ken McNena, Wayne Bayley or Dave Davies PRIOR to adding it to the NPS server. Subnets should NEVER be removed from the NPS server without written approval from Erik Jacobsen or Ken McNena:

6. For offices with MPLS, local routes are redistributed to the WAN via BGP. Local subnets are redistributed using the redistribute ospf or redistribute eigrp command in the BGP configuration on the CE router. To prevent unwanted subnets from being redistributed, a route-map is used to explicitly allow only the data/voice/wireless subnets. This route-map, named either OSPF-TO-BGP or EIGRP-TO-BGP, should be edited to include the wireless subnet(s). The Ontario router's BGP configuration is below (note that the loopback and L3 subnets are explicitly defined, so redistribute-connected isn't needed):

The Ontario EIGRP-TO-BGP route-map is below:
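An added example written for this page, not the Ontario configuration: the CE router's BGP section with an EIGRP-TO-BGP route-map of the kind item 6 describes, matching a prefix-list so that only the data/voice/wireless subnets are redistributed and the guest subnet falls to the implicit deny. The AS numbers 65000 and 65001, the EIGRP AS 100, the provider neighbour address, the prefix-list name and the three prefixes are constructed placeholders.

```cisco
! Added example, not the Ontario configuration. AS numbers, neighbour address
! and prefixes are constructed placeholders.
!
! Explicit allow-list: DATA, VOICE and WIFI subnets. Anything the IGP learns
! that is not listed (the guest subnet included) hits the implicit deny.
ip prefix-list LAN-TO-WAN seq 10 permit 10.166.25.0/24
ip prefix-list LAN-TO-WAN seq 20 permit 10.166.125.0/24
ip prefix-list LAN-TO-WAN seq 30 permit 10.166.10.0/24
! add one "seq" line per additional wireless subnet when a site is deployed
!
route-map EIGRP-TO-BGP permit 10
 match ip address prefix-list LAN-TO-WAN
! no "permit" clause without a match: that would allow everything
!
router bgp 65000
 bgp log-neighbor-changes
 ! loopback and router<->switch link advertised explicitly, so no redistribute connected
 network 10.165.255.1 mask 255.255.255.255
 network 10.165.0.0 mask 255.255.255.252
 redistribute eigrp 100 route-map EIGRP-TO-BGP
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 description MPLS-PE
!
! Checks: confirm exactly the intended prefixes leave for the WAN
! show ip bgp neighbors 192.0.2.1 advertised-routes
! show route-map EIGRP-TO-BGP
! show ip prefix-list LAN-TO-WAN
```

An OSPF site uses `redistribute ospf 1 route-map OSPF-TO-BGP` in place of the EIGRP line, with the same prefix-list; the `advertised-routes` output is the quickest way to confirm after an edit that the guest subnet is still absent.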
