Wireless networks can be designed in a variety of ways. The number and type of components in the network, the way the components are physically and logically connected, and the method by which the components are controlled together make up the wireless architecture. As you design your wireless network and RFP, the density of APs and the best controller architecture for your environment are important decisions.

What you will learn:

  • How to design for high density Wi-Fi
  • Importance of a site survey and proper design
  • How to choose the right controller architecture for your environment

High Density Wi-Fi Design

The number of APs that you need depends on whether you want to design for coverage or for user density and technology usage. In the past, many districts designed their networks and placed APs to fully blanket the buildings with Wi-Fi, but just barely. A single AP would cover multiple classrooms, sometimes up to four or five. Today, with the number of devices and the demand for bandwidth skyrocketing, designs are changing so that the network can accommodate students having up to three devices. To meet today’s demands, APs need to be installed more densely than in the past so that each AP doesn’t get overloaded with too many user devices. The exception to this rule is multi-radio APs, like Xirrus’s arrays. If an AP has more than one radio per band and smart antenna technology to direct and extend the signal, fewer APs are needed.

Many districts have experienced coverage issues when they moved from single band 2.4 GHz APs to dual band APs. Because of its higher frequency, the 5 GHz band has a smaller cell size and does not penetrate walls as well as the 2.4 GHz band. If you are designing for coverage only, you will need slightly more APs if you are moving from a single band to a dual band model. However, if you are designing for density, the cell sizes are by design going to be significantly smaller than in a coverage model, so the difference between 2.4 GHz penetration and 5 GHz penetration is no longer a major factor in determining how many APs you need. Instead, your client location, type, and density are what determine the number of APs required.

Key Decision: How Many APs Do You Need to Support 1:1?

If your district currently has 1:1 learning or is planning to move to a 1:1 environment within the next 3-5 years, the question on your mind is probably "What type of wireless system do I need to support 1:1?" Luckily, most wireless solutions, if installed with the correct density, can support a 1:1 environment.


There is a lot of debate about the correct number of APs per classroom. Many 1:1 districts have installed fewer than one AP per classroom in a sawtooth pattern and have achieved perfectly acceptable performance. Other districts swear that one AP per classroom is needed to handle their constantly growing bandwidth demands. Ultimately, it all comes down to a good site survey. Without the site survey, which takes all of the variables into consideration (building construction, number of user devices, type of user traffic, interference levels, 802.11n vs 802.11ac, and more), it is difficult to make a blanket statement about how many APs every district in the country needs.

Many districts have found that, with a tight budget, they have had to start with fewer APs to provide coverage instead of density (one AP per every two or three classrooms), and begin to increase density each year as they are able to purchase more APs. This approach is fine as long as the vendor is aware of it when performing the site survey, so that they can suggest an appropriate plan for adding APs each year.


EducationSuperHighway has recommendations (see chart below) about the number of APs per classroom that a typical district may need for high-density Wi-Fi. These recommendations are meant to be used as planning and budgeting guidelines. They are not intended to replace a good site survey and should not be used as a specification in your RFP; otherwise, you may end up buying more than you need. Your RFP should require that the vendor perform a site survey and base the design on their results.

Controller-Based Architecture

A controller-based architecture is a wireless design in which every AP is managed by some type of controller.

  • The controller can have many forms: it can be a standalone hardware appliance, it can integrate into another platform, such as a multi-service switch or router, it can be software installed on a server, or it can be a cloud-based service.
  • The APs operate with limited configuration residing on the APs themselves; instead, the configuration resides on the controller and any changes to the configuration are pushed out to each individual AP. These limited configuration APs are known as lightweight or "dumb" APs.
  • There are two types of traffic between the controller and the APs: the control plane (management and configuration traffic) and the data plane (user data traffic). These two types of traffic are treated differently and can take different routes to reach their destination, depending on the controller configuration.
  • Often there is a secure tunnel between each AP and the controller such that traffic is tunneled directly from AP to controller before being placed onto the appropriate Virtual Local Area Network (VLAN). Manufacturers apply different strategies when it comes to this tunnel. Some tunnel both the control plane and the data plane to the controller, where security and bandwidth policies are applied to the traffic before it is placed onto the general network.
  • Other configurations tunnel only the control plane and allow the data plane to be placed onto the appropriate VLAN at the AP instead of at the controller. Depending on the layout of your network, you will want to consider whether or not you want your data plane traffic tunneled to the controller.
  • If your district relies heavily on hosted content or content caching, this can dramatically change traffic patterns. You should consider where the bulk of your traffic is coming from when deciding on a controller architecture.
  • There are three ways to design a controller-based network, dictating where the controller is located in the network. The controller can be located centrally in the network, distributed at each school, or virtual/cloud based. Your first decision is whether your environment is best suited for a physical controller or not.

Key Decision: Should You Choose a Physical or Cloud-based Controller Solution?

Modern wireless networks all implement the concept of centralized control of the APs. The centralized control can be done via a physical controller or a cloud-based controller (for now, let’s say that controller-less and virtual controller systems fall in this category). Physical controller architectures have been around for years and have been proven to be very stable and secure. Cloud-based architectures are newer but have become very popular over the last few years among school districts because of their simplicity. Either is a good option for districts of any size.


Physical controller architectures benefit from having somewhat more local control over the user traffic. The controller can process every packet of data, so some administrators consider this design to be more secure and better at providing visibility into the traffic. Also, the physical controller is situated within your district’s network, so you are not relinquishing control of uptime or usage data to the manufacturer hosting the controller.

Cloud-based solutions rely on the manufacturer who is hosting the controller to maintain a high level of uptime. While this was initially a concern for customers, the uptimes have been extraordinary so this argument has become less important over time. The main benefit of cloud-based solutions is their simplicity to install, configure, and maintain. They also tend to have more straightforward purchasing and licensing models.


If you have an existing physical controller infrastructure that you like, or if you have controllers that are not yet at their end of life, you may want to take advantage of your existing investment and continue with a physical controller architecture. Or, if you like the added control and security of a physical controller, you should consider a physical controller architecture.

If you are not really sure where to start or are looking for a quick and easy solution while still having a straightforward management experience, a cloud-based architecture may be the best approach for you. However, due to high ongoing licensing costs, these solutions may not be an option for districts on an extremely tight budget.

Ideally, you should talk to your vendor to discuss which architectures, and their associated price tags, might be best for you.

Depending on what you decide, you will still need to make some deeper architecture decisions. Continue to either "Which physical controller based architecture is right for you?" or "Should you consider a controller-less or cloud based controller architecture?"

Key Decision: Which Physical Controller Based Architecture is Right for You?
Centralized Controller

In this architecture, the controller(s) reside at the district office (or any central location) and all of the remote school APs are controlled across the wide area network (WAN). If a district has multiple small schools, a central district office, and a reliable high-speed WAN with low latency, a centralized controller model may be a cost effective design.

Distributed Controller

In this architecture, controllers reside at each school (or at large schools) rather than centrally at the district office. If a district has large schools or an unreliable WAN, this is a smart choice.

Recently, "converged access" has become more prevalent. This means that the switch acts as a local controller for directly attached APs.

Centralized Controller
  • This architecture should only be implemented if the district has a very reliable and high-speed WAN with low latency.
  • In this situation, you must think carefully about whether you want your data plane traffic tunneled to the controller and whether traffic may have to cross the WAN unnecessarily because of the data plane tunnel. For example, consider the situation where a teacher is trying to download a large file that resides on a server at their school. With data plane tunneling enabled, the download request will look like it is coming from the central controller (the end of the tunnel) so the large file will traverse the WAN twice when it didn’t need to cross the WAN at all.
  • If you have a lot of locally hosted content or a caching server at the school, much of your wireless traffic will remain local at the school so you should consider split tunneling. This means that you would configure the controller to tunnel only the control plane and not the data plane, such that user traffic is not forced to cross the WAN unnecessarily. If your hosted content or caching server is located centrally, this data will traverse the WAN no matter the controller configuration.
  • Central or single controllers are easier to manage and less expensive than several distributed controllers, but the performance implications may not make this design suitable for many districts.

Distributed Controller
  • Distributed controller architectures may be a little more expensive because of the additional hardware costs, but if a WAN circuit is not reliable or if there is high latency across the WAN, local controllers may be the best option to avoid disconnecting the APs from their controller frequently.
  • In the case of multiple distributed controllers (four or more), management of the different controllers can become time consuming, so you should consider installing a central management console to manage the controllers. It is important to be aware that this third level management console is typically not eligible for an E-rate subsidy.
  • Converged access designs may be a good option if you are looking to upgrade your wireless and switch infrastructure at the same time. Since the controller is built into the switch, the cost of the switch increases, but typically not by as much as the cost of a standalone controller.

Consider your traffic flows, stability and capacity of WAN, content caching, budget, management capability, and high priority features before choosing a controller architecture.

Every district has very different WAN infrastructure, requirements, and budget so your choice of architectures should take these into consideration. If you have a highly reliable and low latency WAN, you can consider a centralized controller solution because it is easier to manage and less expensive. If you do not have a reliable WAN, you should consider a distributed controller but be aware that this will increase the cost of the network.

Ultimately, it is important to understand that every school district is different. We recommend that you seek input from your vendor before making a decision.

High Throughput Controller Interfaces

If you have a controller-based architecture with a data plane tunnel from each AP to the controller, the controller will need to have multiple high capacity interfaces to avoid becoming the bottleneck in the wireless network. The traffic from several APs being tunneled to the controller can quickly add up to multiple gigabits of data, so several Gigabit Ethernet (GbE) ports or 10 GbE ports may be necessary.

Split Tunnel

Split tunneling is a concept in which tunneled traffic flows are split depending on their destination. In the case of a wireless controller architecture, this means that some traffic will traverse the tunnel from the AP to the controller (typically the control plane), while other traffic will stay local and be placed onto the appropriate VLAN at the AP (typically the data plane). This feature is most useful when the controller is installed centrally, but much of the user traffic will stay local, thus avoiding the case where traffic traverses the WAN twice unnecessarily.

Key Decision: Should You Choose a Controller-less or Cloud-based Architecture?
Standalone AP architecture

Autonomous APs (frequently known as heavy or fat APs) maintain their own individual configuration and do not receive configuration changes from a controller.

Controller-less architecture

In this architecture, sometimes called the distributed controller architecture, coordinated control functionality (equivalent to what a controller provides) is split up among all of the APs. This may sound similar to the standalone architecture, but controller-less systems are much more sophisticated: the APs work together to create a dynamic network, much like in a controller environment. Though the controller functionality is a part of the AP, these solutions typically use management software to manage and monitor the APs and clients.

There are a limited number of controller-less systems on the market, but the ones that exist are very good and should not be ignored simply because they do not use a controller. Examples of controller-less systems are:

  1. Aerohive: HiveOS
  2. Xirrus: ArrayOS

Cloud based or virtual controller

A cloud controller is a controller that is hosted by the manufacturer. Your configuration and AP management are all done by logging into your district’s management interface using a web browser.

A virtual controller is controller software that can be installed on any system, either locally or cloud based. This controller does not necessarily have to be available 24/7 to manage the network.

Cloud based controllers are becoming more popular, so many manufacturers are starting to release their own cloud product lines. It may take some time for these new products to stabilize, so be sure to check for customer references if you are considering one of the newer products.

Standalone AP architecture
  • Standalone APs are considered an antiquated technology because they do not talk to each other so they are not able to coordinate system wide changes. For example, the APs cannot compensate for each other in the case of a channel overlap, AP failure, or client roam.
  • This design can be more cost effective because the expensive controller does not need to be purchased, but be aware of the time and complexity of configuring each AP individually. Each time the IT team wants to make a change to the wireless network, they must log into each AP to make the change.

Controller-less architecture
  • These solutions are attractive because they are easy to install and manage.
  • The APs maintain a local configuration, but the APs are in constant communication with each other and with the management platform, so they are able to quickly make adjustments when there is a change in the network, for example when a client is roaming from one AP to another.
  • The APs are typically monitored and configured by a central management system, but the APs maintain 100% functionality if they lose connection to the management system.
  • This design can appear to be cost effective because the expensive controller does not need to be purchased. However, there is usually a per AP license, which - over the course of 3-5 years - can be as expensive as a controller.
  • This is a good option for districts of any shape or size.

Cloud-based or virtual controller
  • Cloud-based solutions are attractive because they are easy to deploy and manage.
  • Most cloud-based solutions have easy to use monitoring and reporting features, which makes maintaining the network simple.
  • If the cloud/virtual controller fails or is unreachable, normal user traffic will continue to flow. In some solutions, certain features no longer function without connectivity to the controller (for example, Guest Captive Portal), so be sure to ask your vendor which features stop functioning in the event of a problem with the cloud controller.
  • Though these solutions do not require the purchase of controller hardware, most of them do require a per AP license, which - over the course of 3-5 years - can be as expensive as a controller appliance.
  • This is a good option for districts of any shape or size.

Standalone AP architectures are outdated and do not provide nearly the same features, functionality, or performance as other types of architectures. No matter how small the wireless installation, it is worth the extra money for the advanced management features that come with either a controller-less architecture or a cloud-based controller.

The differences between the controller-less and cloud-based controller systems are all "under the hood," so users and administrators will generally not be able to tell the difference between the two. Both of these designs are good options for districts of any size. They are straightforward to design, install, manage, and monitor. It is important to be aware that both may require a per AP license, so be sure to ask about this when exploring these options.

Manufacturer Terminology: Cloud/Virtual Controllers

  • Aerohive: Hive OS (Controller-less)
  • Aruba (HP): Aruba (HP) Central
  • Cisco: Virtual Controller
  • Extreme: Virtual Wireless Appliance
  • HP: Cloud Managed Networking
  • Cisco Meraki: Cloud Controller
  • Meru (Fortinet): Virtual Mobility Controller
  • Zebra (Motorola): WLAN Cloud Services
  • Ruckus (Brocade): Virtual SmartCell Gateway (Carrier/Managed Service Provider grade)
  • Ubiquiti: Unifi Controller
  • Xirrus: ArrayOS (Controller-less)
