Wired Network Best Practices

Applies To: WatchGuard Cloud-managed Access Points (AP130, AP330, AP332CR, AP430CR, AP432)

This section provides suggestions on how to deploy the wired network infrastructure to support a high-performance wireless deployment for enterprise environments.

Access Point Power Requirements

Lower PoE (802.3af) power can result in reduced performance and range for devices that require PoE+ (802.3at).

  • Some WatchGuard access point models, such as the AP130, only require standard Power over Ethernet (PoE, 802.3af).
  • The AP330, AP332CR, AP430CR, and AP432 models must use full PoE+ (802.3at) power.

For most deployments, we recommend you install switches that support PoE+ (802.3at) or higher (802.3bt) to support current and future deployments. Make sure network switches have the PoE power budget and capacity for all connected access points.

Access Point Network Uplink Capacity

You must correctly design the switching infrastructure to take full advantage of the increased throughput capacity of the latest access point technologies. To make sure that there are no network bottlenecks, you must correctly size the network from the access and distribution switches to the core switch.

  • Newer 802.11 standards can exceed 1 Gbps throughput.
  • Many new 802.11ax access points support 2.5 Gbps or higher network interfaces. We recommend that your uplink switches support at least this throughput for current and future deployment capacity.

Here is a summary of the recommended uplink capacities for 802.11ax wireless networks and higher:

  • Minimum 1 Gbps and recommended 2.5 Gbps or higher to the access/edge switch
  • 10 Gbps or higher from the access switch to the distribution switch and between core switches

Access Point Cabling

While Cat 5e cabling supports up to 1 Gbps data rates, for current and future deployments, we recommend that you deploy at minimum Cat 6a cables to support the greater throughput (> 1 Gbps) of 802.11ax and higher access points.

Cable Category Reference

Cable Category   Max Data Rate   Bandwidth   Max Distance (Meters)   Max Distance (Feet)
Cat 5            100 Mbps        100 MHz     100 Meters              328 Feet
Cat 5e           1 Gbps          100 MHz     50 Meters               164 Feet
Cat 6            10 Gbps         250 MHz     50 Meters               164 Feet
Cat 6a           10 Gbps         500 MHz     100 Meters              328 Feet
Cat 7            10 Gbps         600 MHz     100 Meters              328 Feet

VLAN Design

With Wi-Fi in WatchGuard Cloud, there are no local network controller considerations for network separation. You can configure VLANs at the access switch layer of the network to restrict VLAN networks to specific locations, which reduces the amount of broadcast and multicast traffic in the VLAN and enables seamless roaming in the building.

We also recommend you create separate VLANs for your private SSID and Guest SSID wireless networks to separate guest traffic from your internal private network resources.

You configure VLANs in the SSID wireless settings in WatchGuard Cloud.

If you use Enterprise RADIUS authentication, you can also use Dynamic VLANs to assign a VLAN to clients based on the user information provided by the RADIUS server after successful authentication.

For more information, see Access Points and VLANs.

Screen shot of the SSID settings with a VLAN configured

Network Services

We recommend you review your network service configuration to support a Wi-Fi in WatchGuard Cloud deployment in an enterprise environment.

Make sure the following work correctly in your network:

  • DNS for domain name resolution
  • DHCP for IP address network allocation
  • NAT for network address translation
  • Firewall policies (to enable access point management traffic)
      • The access points use TCP port 443 to connect to WatchGuard Cloud.
      • Access points must also be able to connect to these destinations:
          • *.watchguard.io for product activation and feature key updates
          • *.watchguard.com for WatchGuard Cloud registration and connections
  • Content filtering (for guest and internal wireless users) to control access to content and malicious sites
  • (Optional) RADIUS authentication if you enable WPA2 or WPA3 Enterprise authentication for an SSID
  • (Optional) Traffic shaping and Quality of Service (QoS) to prevent wireless guest networks from affecting performance of your private internal wireless and wired networks.
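
The firewall requirement above can be checked against an egress rule set before access points are deployed. The following is an added example, not WatchGuard code: it models a policy as a first-match rule list with an implicit deny (an assumed, simplified model) and reports which of the required TCP 443 destinations would be blocked. The VLAN ID, the probe hostnames, and both sample policies are constructed for illustration.

```python
from dataclasses import dataclass

# From the page: access points need TCP 443 to these wildcard destinations.
REQUIRED = ["*.watchguard.io", "*.watchguard.com"]
# Constructed probe hostnames, one per wildcard (not real WatchGuard endpoints).
PROBES = [p.replace("*", "probe") for p in REQUIRED]
AP_VLAN = 10  # hypothetical management VLAN ID

@dataclass
class Rule:
    action: str    # "allow" or "deny"
    src_vlan: int  # 0 means any VLAN
    dst: str       # exact FQDN, "*.domain" wildcard, or "*" for any
    port: int      # TCP port, 0 means any

def fqdn_matches(pattern: str, host: str) -> bool:
    """Label-aware match: '*.example.com' covers subdomains, not lookalikes."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot so labels must align
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def decide(rules, vlan, host, port):
    """First matching rule wins; no match is an implicit deny (assumed model)."""
    for r in rules:
        if r.src_vlan in (0, vlan) and r.port in (0, port) and fqdn_matches(r.dst, host):
            return r.action
    return "deny"

def audit(rules, vlan=AP_VLAN, probes=PROBES):
    """Return the required destinations this policy would block on TCP 443."""
    return [h for h in probes if decide(rules, vlan, h, 443) != "allow"]

# Constructed policy with a common mistake: bare domain instead of wildcard.
WEAK_POLICY = [
    Rule("allow", AP_VLAN, "*.watchguard.com", 443),
    Rule("allow", AP_VLAN, "watchguard.io", 443),
    Rule("deny", 0, "*", 0),
]
FIXED_POLICY = [
    Rule("allow", AP_VLAN, "*.watchguard.com", 443),
    Rule("allow", AP_VLAN, "*.watchguard.io", 443),
    Rule("deny", 0, "*", 0),
]

if __name__ == "__main__":
    print("blocked by weak policy: ", audit(WEAK_POLICY))
    print("blocked by fixed policy:", audit(FIXED_POLICY))
```

The dot-anchored suffix comparison in fqdn_matches is what keeps a hostname that merely contains or ends with the domain string from being treated as a match for the wildcard.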