
Cisco AVVID Wireless LAN Design

Solutions Reference Network Design

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: 956608

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public
domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness
Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your
Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified
Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation,
Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo,
Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO
are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0303R)

Cisco AVVID Wireless LAN Design


Copyright 2003 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface  xi
    Target Audience  xii
    Obtaining Documentation  xii
        World Wide Web  xii
        Documentation CD-ROM  xii
        Ordering Documentation  xii
        Documentation Feedback  xiii
    Obtaining Technical Assistance  xiii
        Cisco.com  xiii
        Technical Assistance Center  xiii
            Cisco TAC Web Site  xiv
            Cisco TAC Escalation Center  xiv

CHAPTER 1  WLAN Solution Overview  1-1
    WLAN Solution Benefits  1-1
    Enterprise WLAN Design Overview  1-2
        Enterprise WLAN Design Characteristics  1-3
        WLAN Architecture Considerations  1-5
            Comparing Wired and WLANs  1-5
            WLAN Modes of Operation  1-7
    Links and References  1-8
        General References  1-8
        Security References  1-8
        IP Multicast References  1-9

CHAPTER 2  WLAN Radio Frequency (RF) Design Considerations  2-1
    RF Basics  2-1
        Regulations  2-2
        Fine Tuning  2-5
        Channel Selection  2-5
    IEEE 802.11 Standards  2-9
    RF Spectrum Implementation  2-11
        Direct Sequence Spread Spectrum  2-11
            IEEE 802.11b Direct Sequence Channels  2-11
        IEEE 802.11a OFDM Physical Layer  2-12
            IEEE 802.11a Channels  2-12
    Planning for RF Deployment  2-13
        RF Deployment Best Practices  2-13
        WLAN Data Rates Required  2-13
        Client Density and Throughput Requirements  2-16
        WLAN Coverage Required  2-17
        Security Policy  2-17
        RF Environment  2-18

CHAPTER 3  WLAN Technology and Product Selection  3-1
    WLAN Technology Selection Considerations  3-1
        Competing WLAN Standards  3-1
        WLAN Capacity Considerations  3-2
        Data Rate Considerations  3-3
        Throughput Considerations  3-4
        Performance Considerations  3-5
        Range Considerations  3-7
        Signal Propagation  3-8
        Antenna Considerations  3-8
        Technology Selection Summary  3-9
    Cisco WLAN RF Product Selection Considerations  3-11
        Access Points  3-11
        Client Adapters  3-12
            802.11a Cardbus Client Card  3-12
            Enhanced Client Network Management Features with Extended Client Support  3-12
        Workgroup Bridges  3-13
        Wireless Bridges  3-14

CHAPTER 4  WLAN Security Considerations  4-1
    Security Deployment Models  4-1
        WLAN LAN Extension 802.1x/EAP  4-2
            Security Transparency  4-2
            Application Transparency  4-3
            Performance Transparency  4-3
            User Transparency  4-3
        WLAN LAN Extension IPSec  4-3
            Security Transparency  4-4
            Application Transparency  4-4
            Performance Transparency  4-4
            User Transparency  4-5
        WLAN Static WEP Keys  4-5
            Security Transparency  4-6
            Application Transparency  4-6
            Performance Transparency  4-6
            User Transparency  4-6
    Cisco WLAN Security Options and Recommendations  4-7
        Understanding Overall Network Security  4-7
        Flexible WLAN Security using VLANs  4-7
        Headquarters/Campus WLAN Deployment  4-8
        Branch Office WLAN Deployment  4-12
        Additional Security Considerations  4-13
        EAP Considerations for High Availability ACS Architecture  4-14

CHAPTER 5  Wireless LAN VLANs  5-1
    VLAN Background  5-1
    Wireless VLAN Introduction  5-3
        Wireless VLAN Deployment Overview  5-3
    Wireless VLANs: Detailed Feature Description  5-6
        Configuration Parameters per VLAN  5-6
        Broadcast Domain Segmentation  5-7
        Native (Default) VLAN Configuration  5-7
        Primary (Guest) and Secondary SSIDs  5-8
        RADIUS-based VLAN Access Control  5-8
    Guidelines for Deploying Wireless VLANs  5-10
        Criteria for Wireless VLAN Deployment  5-10
        Wireless VLAN Deployment Example  5-11
        Summary of Rules for Wireless VLAN Deployment  5-13
        Best-Practices for the Wired Infrastructure  5-13

CHAPTER 6  WLAN Quality of Service (QoS)  6-1
    QoS Overview  6-1
    Wireless QoS Considerations  6-2
        Wireless QoS Deployment Schemes  6-2
        QoS Parameters  6-3
            Latency  6-3
            Jitter  6-3
            Loss  6-3
        Downstream and Upstream QoS  6-3
        QoS and Network Performance  6-4
        802.11 DCF  6-4
            Interframe Spaces (SIFS, PIFS, and DIFS)  6-4
                SIFS  6-5
                PIFS  6-5
                DIFS  6-5
            Random Backoff (Contention Window)  6-5
            CWmin, CWmax, and Retries  6-6
        IEEE 802.11e  6-7
            802.11e EDCF-based QoS Implementation  6-7
            QoS Advertisements by WLAN Infrastructure  6-11
        Deploying EDCF on Cisco IOS-based APs  6-13
            Appliance-based Prioritization  6-13
            CoS-based Prioritization  6-13
            Class-Map Based Prioritization  6-14
            VLAN-based Prioritization  6-15
            Combining QoS Setting Requirements  6-15
        Additional QoS Features  6-16
    Guidelines for Deploying Wireless QoS  6-17
        IP SoftPhone and Other PC and PDA Based VoIP Solutions  6-17
        Symbol Handsets  6-17
        SpectraLink Handsets  6-18
        Leveraging Existing Network QoS Settings  6-18

CHAPTER 7  WLAN Roaming  7-1
    Roaming Solution Overview  7-2
        General Design Characteristics  7-3
        Layer-2 Design  7-3
        Caveats  7-3
    Layer-2 Roaming Primer  7-4
        Layer-2 Roaming Technical Overview  7-4
        Roaming Events  7-5
            Max Data Retry Count Exceeded  7-5
            Missed Too Many Beacons  7-6
            Data Rate Shift  7-6
            Periodic Client Interval (If Configured)  7-7
            Initial Client Startup  7-7
        Roam Process  7-7
    Layer-2 Roaming Considerations  7-8
    Layer-2 Design Recommendations  7-9
        Cisco AVVID Design  7-9
        Sizing the Layer-2 Domain  7-10
        Roaming Implementation Recommendations  7-10

CHAPTER 8  IP Multicast in a Wireless LAN  8-1
    Multicast WLAN Deployment Recommendations  8-1
    IP Multicast WLAN Configuration  8-2
        Controlling IP Multicast in a WLAN with APs  8-2
        Controlling IP Multicast in a P2P WLAN using Bridges  8-3
        Other Considerations  8-4
        Summary  8-5

CHAPTER 9  WLAN Rogue AP Detection and Mitigation  9-1
    Rogue AP Summary and Scope of Problem  9-2
        The Rogue AP Threat  9-4
        Media Attention to WLAN Security Weaknesses  9-4
        Truth About WLAN Security  9-5
    Preventing and Detecting Rogue APs  9-6
        Preventing Rogue APs  9-7
            Corporate WLAN Policy  9-7
            Physical Security  9-7
            Supported Wireless Infrastructure  9-7
            IEEE 802.1x Port-based Security to Prevent APs  9-7
            Using Catalyst Switch Filters to Limit MAC Addresses per Port  9-10
        Detecting Rogue APs  9-11
            Detecting Rogue APs Wirelessly  9-12
            Other Wireless Analyzers  9-13
            Detecting Rogue AP from the Wired Network  9-15
            Detecting Rogue APs Physically  9-19

CHAPTER 10  WLAN Guest Network Access  10-1
    Benefits of Guest Network Access  10-3
        Increased Security  10-3
        Increased Productivity  10-3
        Benefits of WLAN Guest Network Access  10-3
        Deployment Considerations and Caveats  10-4
    Guest WLAN Recommendations  10-5
        Recommended 802.11 Configuration for WLAN Guest Network  10-5
        VLANs and WLAN Implementation  10-6
    Configuring Guest WLANs  10-7
        Network Topology  10-7
        AP and Switch Configuration  10-8
        WLAN Guest VLAN Filtering  10-9
        Terminology Notes  10-9
        AP 1200 Configuration  10-11
            Configuring VLANs  10-11
            Configuring SSIDs  10-12
        AP 1100 Configuration  10-14

CHAPTER 11  Cisco AVVID Enterprise WLAN Case Study  11-1
    Enterprise WLAN Profile  11-2
        Customer Requirements  11-3
        WLAN Considerations  11-3
            WLAN Performance and Coverage  11-3
            RF Environment  11-3
            Security  11-4
            Rogue AP Mitigation  11-4
            Management  11-4
            Roaming  11-4
            QoS  11-4
            Multicast  11-4
        Equipment Selection  11-5
            Radio Selection  11-5
            AP Selection  11-5
            Estimating the Number of APs  11-5
        Security Selection  11-7
            Number of ACS Servers  11-8
            ACS Server Placement  11-9
            Branch Roaming  11-10
        Rogue AP  11-11
        Management  11-11
        Layer-2 and Layer-3 Roaming  11-12
        WLAN QoS Considerations  11-14
        IP Multicast  11-14
    WLAN Case Study Configuration  11-15
        AP Configuration  11-15
        Example Configuration: Config 1  11-16
        Access Switch Configuration  11-16
        Distribution Router Configuration  11-16

Preface
This design guide presents recommendations intended to facilitate Enterprise Wireless Local Area
Network (WLAN) solution deployment. The emphasis in this document is on integrating WLAN
technology into environments featuring key Enterprise networking elements. Specific chapters address
the following topics:

- Chapter 1, WLAN Solution Overview: Summarizes the benefits and characteristics of the Cisco
  secure Enterprise WLAN solution.

- Chapter 2, WLAN Radio Frequency (RF) Design Considerations: Focuses on radio frequency
  (RF) considerations in WLAN environments.

- Chapter 3, WLAN Technology and Product Selection: Focuses on technology and product
  assessment and selection in WLAN environments.

- Chapter 4, WLAN Security Considerations: Provides details regarding deployment of the Cisco
  secure Enterprise WLAN solution.

- Chapter 5, Wireless LAN VLANs: Focuses on the implementation of virtual local area networks
  (VLANs) in the context of WLAN environments.

- Chapter 6, WLAN Quality of Service (QoS): Addresses Quality of Service (QoS) considerations
  in the context of WLAN implementations.

- Chapter 7, WLAN Roaming: Addresses the WLAN design considerations when assessing Layer 2
  roaming of wireless LAN clients.

- Chapter 8, IP Multicast in a Wireless LAN: Describes the configurations needed to control IP
  Multicast traffic over a WLAN.

- Chapter 9, WLAN Rogue AP Detection and Mitigation: Outlines the threat posed by rogue
  access points (APs) in the Enterprise network and some strategies for preventing and detecting them.

- Chapter 10, WLAN Guest Network Access: Presents the advantages, risks, and proposed
  configuration for WLAN Guest Network Access.

- Chapter 11, Cisco AVVID Enterprise WLAN Case Study: Details an example network in the
  context of the key topics presented in this document.

Where applicable, relevant configuration fragments are included.


A Cisco SAFE white paper addressing secure WLAN deployment in the enterprise is available at:

http://www.cisco.com/go/safe

The SAFE white paper covers more detail on the security-specific aspects of design, whereas this design
guide is focused on the overall WLAN solution. Although there are differences between the SAFE white
paper designs and the designs presented here, those differences are not generally considered substantive
and the designs are compatible.


Target Audience
This publication provides solution guidelines for large-scale enterprises implementing WLAN networks
with Cisco WLAN devices. The intended audiences for this design guide include network architects,
network managers, and others concerned with the implementation of secure WLAN solutions, including:

Cisco sales and support engineers

Cisco partners

Cisco customers

Obtaining Documentation
The following sections explain how to obtain documentation from Cisco Systems.

World Wide Web


You can access the most current Cisco documentation on the World Wide Web at the following URL:
http://www.cisco.com
Translated documentation is available at the following URL:
http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM
package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may
be more current than printed documentation. The CD-ROM package is available as a single unit or
through an annual subscription.

Ordering Documentation
Cisco documentation is available in the following ways:

Registered Cisco Direct Customers can order Cisco product documentation from the Networking
Products MarketPlace:
http://www.cisco.com/cgi-bin/order/order_root.pl

Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription
Store:
http://www.cisco.com/go/subscription

Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North
America, by calling 800 553-NETS (6387).


Documentation Feedback
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments
electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you
complete the form, print it out and fax it to Cisco at 408 527-0730.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or
write to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance


Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can
obtain documentation, troubleshooting tips, and sample configurations from online tools by using the
Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to
the technical support resources on the Cisco TAC Web Site.

Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open
access to Cisco information, networking solutions, services, programs, and resources at any time, from
anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a
broad range of features and services to help you to

Streamline business processes and improve productivity

Resolve technical issues with online support

Download and test software packages

Order Cisco learning materials and merchandise

Register for online skill assessment, training, and certification programs

You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com,
go to the following URL:
http://www.cisco.com

Technical Assistance Center


The Cisco TAC is available to all customers who need technical assistance with a Cisco product,
technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC
Web Site and the Cisco TAC Escalation Center.
Inquiries to Cisco TAC are categorized according to the urgency of the issue:


- Priority level 4 (P4): You need information or assistance concerning Cisco product capabilities,
  product installation, or basic product configuration.

- Priority level 3 (P3): Your network performance is degraded. Network functionality is noticeably
  impaired, but most business operations continue.

- Priority level 2 (P2): Your production network is severely degraded, affecting significant aspects
  of business operations. No workaround is available.

- Priority level 1 (P1): Your production network is down, and a critical impact to business operations
  will occur if service is not restored quickly. No workaround is available.

Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of
service contracts, when applicable.

Cisco TAC Web Site


The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The
site provides around-the-clock access to online tools, knowledge bases, and software. To access the
Cisco TAC Web Site, go to the following URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco services contract have complete access to
the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a
Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or
password, go to the following URL to register:
http://www.cisco.com/register/
If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com
registered user, you can open a case online by using the TAC Case Open tool at the following URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC
Web Site.

Cisco TAC Escalation Center


The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority
level 2; these classifications are assigned when severe network degradation significantly impacts
business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC
engineer will automatically open a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following
URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support
services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network
Supported Accounts (NSA). In addition, please have available your service agreement number and your
product serial number.


CHAPTER 1

WLAN Solution Overview


This chapter summarizes the benefits and characteristics of the Cisco Secure Enterprise Wireless Local
Area Network (WLAN) solution in the following sections:

WLAN Solution Benefits, page 1-1

Enterprise WLAN Design Overview, page 1-2

Links and References, page 1-8

WLAN Solution Benefits


Before addressing the Cisco secure Enterprise WLAN features presented in this publication, the
following review of potential WLAN benefits provides a context for WLAN implementation:

- Mobility within building or campus: Facilitates implementation of applications that require an
  always-on network and that tend to involve movement within a campus environment.

- Convenience: Simplifies networking of large, wide open people areas.

- Flexibility: Allows work to be done at the most appropriate or convenient place rather than where
  a cable drop terminates.

- Easier to set up temporary spaces: Promotes quick network setup of meeting rooms, war rooms, or
  brainstorming rooms tailored to variations in the number of participants.

- Lower cabling costs: Reduces the requirement for contingency cable plant installation because the
  WLAN can be employed to fill the gaps.

- Easier adds, moves, and changes, and lower support and maintenance costs: Temporary networks
  become much easier to set up, easing migration issues and costly last-minute fixes.

- Improved efficiency: Studies show WLAN users are connected to the network for 1.75 hours longer
  per day compared with hard-wired users.

- Productivity gains: Promotes easier access to network connectivity, resulting in better utilization
  of business productivity tools.

- Easier to collaborate: Facilitates access to collaboration tools from any location, such as meeting
  rooms; files can be shared on the spot and requests for information handled immediately.

- Improved company image and increased competitive advantage: Elevates a company's perceived
  connectedness and responsiveness.

- More efficient use of office space: Allows greater flexibility in coping with excess numbers caused
  by large team meetings.


- Reduced errors: Data can be entered directly into systems as it is being collected, rather than being
  transcribed later when network access is available.

- Improved efficiency, performance, and security for enterprise partners and guests: Promoted with
  the provision of guest access networks.

- Improved overall security: Promoted through the provision of a controlled and secured WLAN
  network, reducing the likelihood of rogue WLAN deployments.

- Improved business resilience: Increased mobility of the workforce allows rapid redeployment to
  other locations with WLANs as needed.

Enterprise WLAN Design Overview


A WLAN is generally deployed in an enterprise campus or branch office for the reasons stated in the
WLAN Solution Benefits section on page 1-1. WLANs have emerged as one of the most effective methods
of connecting to an Enterprise network. A WLAN is in essence an access technology intended for LAN
implementations. Figure 1-1 illustrates where the WLAN products fit in the enterprise (at the edge of the
network). The design recommendations presented in this publication propose a secure overlay WLAN
network, not the replacement of wired infrastructure with wireless infrastructure.
Two supporting sections follow the overview illustration in Figure 1-1:

Enterprise WLAN Design Characteristics, page 1-3

WLAN Architecture Considerations, page 1-5


Figure 1-1 WLAN in the Enterprise

[Figure: the WLAN Access layer sits at the network edge alongside the wired Access layer, feeding the
Distribution and Core/Backbone layers; building-block additions, the server farm, WAN, Internet, and
PSTN all attach through the Distribution layer.]

Enterprise WLAN Design Characteristics


The Enterprise WLAN design solution capabilities presented in this document adopt the following
assumptions and characteristics:

- WLAN Virtual LANs (VLANs) allow the coexistence of multiple security models on the same
  WLAN. This allows security models to be combined based on client requirements and/or user
  policies.

- The solution security model you choose depends on the security requirements of the enterprise. This
  publication focuses on the two most secure solutions, 802.1x/Extensible Authentication Protocol
  (EAP) and IPSec VPNs, but does discuss the use of Wired Equivalent Privacy (WEP) and WEP plus
  Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) where applicable.

- The recommended security model is 802.1x/EAP with WEP plus TKIP and MIC, because it creates
  the optimum network architecture and addresses all known WLAN security threats. Examples of EAP
  types suitable for use in WLANs are EAP-Cisco (formerly Lightweight EAP or LEAP),


  EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP Tunneled TLS
  (EAP-TTLS). If further 802.1x/EAP types are developed to meet business needs, the existing
  architectures will accommodate them. The 802.1x/EAP type used is transparent to the AP, and only
  has implications for the client software and the Remote Authentication Dial-In User Service
  (RADIUS) server.

- IPSec VPNs are recommended as an alternative to 802.1x/EAP if the customer security requirements
  mandate Triple Data Encryption Standard (3DES).

- For situations in which EAP or IPSec VPNs are not possible, a combination of static WEP and
  access filtering is discussed, although this alternative is not a recommended security mode for
  general deployment. TKIP and MIC should be implemented wherever possible, including static WEP
  deployments.

- The design recommendations presented in this publication show a single security model (EAP,
  IPSec, or static WEP) at a time. These models can be combined within one enterprise implementation
  using WLAN VLANs; they are shown separately for clarity.

- The WLAN implementation does not change existing campus architectures and recommendations.

- WLANs should be assigned to a dedicated subnet (not one shared with wired LAN users).

- A separate management VLAN should be configured for the management of WLAN APs. As a
  design best practice, this VLAN should not have a WLAN appearance (meaning it does not have an
  associated SSID and it cannot be directly accessed from the WLAN). Security policies should
  determine where the AP managers logically and physically reside on the network.

- The wired LAN is not replaced by the WLAN. The WLAN is used to enhance the current network's
  flexibility and accessibility by providing an extension to the existing network.

- The design assumes 15-to-25 users per AP. This number varies from customer to customer depending
  on usage profiles and user density.

- Seamless roaming is limited to the same Layer-2 network, unless Proxy Mobile IP or Mobile IP is
  used.

- WLAN QoS tools are used as required.

- IP Multicast for the WLAN is bounded to ensure that multicast does not consume excessive
  bandwidth, and IP multicast applications are tested for their suitability for a WLAN network.


WLAN Architecture Considerations


This section focuses on the following WLAN architectural implementation topics:

Comparing Wired and WLANs, page 1-5

WLAN Modes of Operation, page 1-7

Comparing Wired and WLANs


Just as a network designer needs an understanding of how switches and routers switch traffic to design
a wired network, a network designer needs an understanding of how access points (APs), wireless
bridges, and workgroup bridges handle traffic in order to design a WLAN.
These WLAN devices exhibit network behavior similar to an Ethernet switch combined with a shared
Ethernet hub. Ethernet frames passing through an AP, wireless bridge, or workgroup bridge to or from
the wireless network undergo changes at the Data Link Control (DLC) layer, much as frames can when
passing through a translation bridge: 802.11, 802.2 DLC, and Subnetwork Access Protocol (SNAP)
header information replaces the Ethernet header information. Where 802.3 framing is used instead of
Ethernet, the 802.11 header replaces the 802.3 header. Refer to Table 1-1. Although IP is shown as the
Layer-3 protocol, this could just as easily be any protocol able to operate over Ethernet, such as IPX,
AppleTalk, or NetBEUI. However, IP is still required to remotely manage APs, wireless bridges, and
workgroup bridges.
Table 1-1 Wired and WLAN DLC Relationships

Layer             Wireless            Wired (802.3)       Wired Ethernet
----------------  ------------------  ------------------  --------------------
Layer-3 Network   IP                  IP                  IP
Layer 2 DLC       SNAP (0800 = IP)    SNAP (0800 = IP)    Ethernet (0800 = IP)
                  IEEE 802.2 LLC      IEEE 802.2 LLC
                  IEEE 802.11 MAC     IEEE 802.3 MAC
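The header translation in Table 1-1, shown as working code. This is an added example, not code from the design guide or from any Cisco product: it rewrites a constructed Ethernet II frame carrying IP into an 802.11 data frame with an 802.2 LLC/SNAP header (the FromDS/ToDS address ordering and the RFC 1042 SNAP encoding are standard 802.11 facts; the MAC addresses and payload are constructed sample values), then reverses the translation and reports the per-frame header overhead the WLAN adds.

```python
import struct

# Constructed sample addresses (locally administered, not from the guide).
CLIENT_MAC = bytes.fromhex("020000000001")   # wireless client
AP_BSSID   = bytes.fromhex("020000000002")   # AP radio MAC (BSSID)
SERVER_MAC = bytes.fromhex("020000000003")   # host on the wired LAN
ETHERTYPE_IP = 0x0800

# 802.11 frame control: byte 0 = type data (0b10 in bits 2-3), subtype 0;
# byte 1 carries the ToDS/FromDS flags that select the address layout.
FC_DATA = 0x08
FLAG_TO_DS = 0x01      # client -> AP
FLAG_FROM_DS = 0x02    # AP -> client

# RFC 1042 LLC/SNAP: DSAP 0xAA, SSAP 0xAA, control 0x03 (UI), OUI 00-00-00.
SNAP_PREFIX = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00])

ETH_HDR_LEN = 14           # DA + SA + EtherType
DOT11_HDR_LEN = 24         # FC + Duration + Addr1..3 + Seq Ctrl (3-address form)
SNAP_LEN = 8               # LLC (3) + OUI (3) + EtherType (2)
HEADER_OVERHEAD_BYTES = DOT11_HDR_LEN + SNAP_LEN - ETH_HDR_LEN   # 18 extra bytes


def ethernet_frame(dst, src, ethertype, payload):
    """Ethernet II (DIX) frame: DA, SA, EtherType (big-endian), payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def llc_snap_header(ethertype):
    """802.2 LLC + SNAP header that carries the original EtherType."""
    return SNAP_PREFIX + struct.pack("!H", ethertype)


def ethernet_to_80211(frame, bssid, to_client=True, seq=0):
    """Translate an Ethernet II frame into an 802.11 data frame.

    to_client=True models the AP forwarding a wired frame to a station
    (FromDS: Addr1=RA=DA, Addr2=TA=BSSID, Addr3=SA); to_client=False models
    a station sending towards the wired LAN (ToDS: Addr1=BSSID, Addr2=SA,
    Addr3=DA). 802.11 multi-byte fields are little-endian.
    """
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if to_client:
        flags, addrs = FLAG_FROM_DS, dst + bssid + src
    else:
        flags, addrs = FLAG_TO_DS, bssid + src + dst
    duration = struct.pack("<H", 0)                 # NAV left at 0 here
    seq_ctrl = struct.pack("<H", (seq & 0xFFF) << 4)  # fragment number 0
    header = bytes([FC_DATA, flags]) + duration + addrs + seq_ctrl
    return header + llc_snap_header(ethertype) + payload


def wlan_to_ethernet(wframe):
    """Reverse translation: recover DA/SA from the 802.11 address fields and
    the EtherType from SNAP, then rebuild the Ethernet II frame."""
    flags = wframe[1]
    addr1, addr2, addr3 = wframe[4:10], wframe[10:16], wframe[16:22]
    if flags & FLAG_FROM_DS:
        dst, src = addr1, addr3
    elif flags & FLAG_TO_DS:
        dst, src = addr3, addr2
    else:                      # ad-hoc / IBSS: Addr1=DA, Addr2=SA
        dst, src = addr1, addr2
    snap = wframe[DOT11_HDR_LEN:DOT11_HDR_LEN + SNAP_LEN]
    if snap[:6] != SNAP_PREFIX:
        raise ValueError("not an RFC 1042 LLC/SNAP encapsulated frame")
    ethertype = struct.unpack("!H", snap[6:8])[0]
    return ethernet_frame(dst, src, ethertype, wframe[DOT11_HDR_LEN + SNAP_LEN:])


if __name__ == "__main__":
    # Constructed payload standing in for an IPv4 packet.
    eth = ethernet_frame(CLIENT_MAC, SERVER_MAC, ETHERTYPE_IP, b"\x45" + b"\x00" * 19)
    wlan = ethernet_to_80211(eth, AP_BSSID, to_client=True)
    print("ethernet:", eth.hex())
    print("802.11  :", wlan.hex())
    print("extra header bytes per frame:", HEADER_OVERHEAD_BYTES)
```

The 18 extra bytes per frame are one part of the 802.11 overhead the chapter refers to when it says aggregate WLAN throughput is lower than the data rate; the preamble, interframe spaces, and acknowledgements add more.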


Within any one wireless channel, the wireless interface is a shared medium, operating much like an
Ethernet hub. Within any Basic Service Set (BSS), only one station can transmit at any one time. All
wireless stations are also half-duplex: the same frequency channel is used for transmit and receive. The
access mechanism is Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), whereas
Ethernet uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Each station in a
CSMA network listens before transmitting over the air; because collision detection (CD) is difficult in a
radio-based environment, a collision avoidance (CA) mechanism is used instead.
At a detailed level there are significant differences between 802.11 and Ethernet, but from a network
designer's standpoint the important idea to remember is the shared medium. Because of the overhead in
the 802.11 protocol, and because some traffic flows may not occur at the highest data rate, the actual
aggregate throughput of a WLAN is less than the nominal data rate.

Unicast Traffic
The WLAN hardware always tries to send data at the highest rate possible. There are many data rates
that can be selected. For instance, four rates are possible for an 802.11b radio: 1, 2, 5.5, and 11 Mbps.
802.11a radios support 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. On the AP, the Data Rates section of the
AP Radio Hardware setup page lists the options for each data rate. Refer to Figure 1-2 on page 1-6.


Where Yes is selected, only unicast traffic is sent at that data rate.
Figure 1-2

AP Radio Hardware Setup Page

Multicast and Broadcast Traffic


Broadcast and multicast traffic are treated similarly within a WLAN. Broadcast and multicast traffic
are sent at the data rate of the recipient with the lowest data rate. For example, consider an AP
configured with all data rates as Basic (the default) that has 802.11b clients associated at 11 Mbps and at
5.5 Mbps. In this scenario, multicast and broadcast traffic is sent at 5.5 Mbps to ensure that the frames
are received by all associated clients.
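The rate-selection behaviour described for unicast (Figure 1-2) and for broadcast/multicast, as an added example that is not part of the design guide or of any AP firmware. It models the per-rate Basic/Yes/No choice on the AP radio page, the chapter's rule that broadcast and multicast go at the slowest associated client's rate, and a simplified airtime figure showing why one slow client matters. The names and the constraint that a broadcast/multicast frame must use a Basic rate are assumptions made here for illustration.

```python
# Data rates (Mbps) listed in the chapter for the two radio types.
RATES_80211B = (1.0, 2.0, 5.5, 11.0)
RATES_80211A = (6.0, 9.0, 12.0, 18.0, 24.0, 36.0, 48.0, 54.0)

# Per-rate AP settings, mirroring the three choices on the AP radio page:
# Basic = required of every client and usable for broadcast/multicast,
# Yes   = enabled for unicast only, No = disabled.
BASIC, YES, NO = "Basic", "Yes", "No"


def all_basic(rates):
    """AP default from the chapter: every rate marked Basic."""
    return {r: BASIC for r in rates}


def basic_rates(table):
    return sorted(r for r, s in table.items() if s == BASIC)


def enabled_rates(table):
    return sorted(r for r, s in table.items() if s in (BASIC, YES))


def can_associate(table, client_supported):
    """Assumption made here: a client must support every Basic rate to associate."""
    return all(r in client_supported for r in basic_rates(table))


def unicast_rate(table, client_supported):
    """Unicast uses the highest enabled rate the AP and client have in common
    (the 'send at the highest rate possible' rule); None if there is none."""
    common = [r for r in enabled_rates(table) if r in client_supported]
    return max(common) if common else None


def multicast_rate(table, associated_client_rates):
    """Broadcast/multicast rate for an AP with the given associated clients.

    Chapter rule: send at the rate of the slowest associated client.
    Added assumption: the frame must use a Basic rate, so the highest Basic
    rate not above the slowest client is chosen; with every rate Basic (the
    default) this reduces exactly to the chapter's rule.
    """
    if not associated_client_rates:
        return None
    slowest = min(associated_client_rates)
    candidates = [r for r in basic_rates(table) if r <= slowest]
    return max(candidates) if candidates else min(basic_rates(table))


def airtime_us(frame_bytes, rate_mbps):
    """Simplified payload airtime in microseconds: bits / rate. Ignores the
    PLCP preamble, interframe spaces and ACKs, which add a fixed per-frame cost."""
    return frame_bytes * 8 / rate_mbps


def broadcast_airtime_us(table, associated_client_rates, frame_bytes=1500):
    """Airtime one broadcast/multicast frame costs every station in the cell."""
    rate = multicast_rate(table, associated_client_rates)
    return None if rate is None else airtime_us(frame_bytes, rate)


if __name__ == "__main__":
    default = all_basic(RATES_80211B)
    # The chapter's example: clients at 11 and 5.5 Mbps -> multicast at 5.5 Mbps.
    print("multicast rate:", multicast_rate(default, [11.0, 5.5]))
    print("1500-byte broadcast airtime (us):",
          round(broadcast_airtime_us(default, [11.0, 5.5]), 1))
    # Disabling the low rates keeps slow clients out of the cell entirely.
    strict = {1.0: NO, 2.0: NO, 5.5: BASIC, 11.0: BASIC}
    print("1/2 Mbps-only client can associate:", can_associate(strict, (1.0, 2.0)))
```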


WLAN Modes of Operation


IEEE 802.11 WLANs typically operate in one of two modes:

Infrastructure Mode, page 1-7

Ad-hoc Mode, page 1-7

Infrastructure Mode
In infrastructure mode, clients communicate through an AP. The AP is the point at which wireless clients
can access the network. Figure 1-3 illustrates a typical WLAN arrangement. The AP provides
connectivity to other clients associated with that AP or to the wired LAN.
The basic service area (BSA) is the area of RF coverage provided by an AP, also referred to as a
microcell. To extend the BSA, or simply to add wireless devices and extend the range of an existing
wired system, an AP can be added.
The AP attaches to the Ethernet backbone and communicates with all the wireless devices in the cell
area. The AP is the master for the cell and controls traffic flow to and from the network. The remote
devices do not communicate directly with each other; they communicate through the AP.
If a single cell does not provide enough coverage, any number of cells can be added to extend the range.
This is known as an extended service area (ESA).
It is recommended that the ESA cells include 10-to-15 percent overlap to allow remote users to roam
without losing RF connections.
Bordering cells should be set to different, non-overlapping channels for best performance.
Figure 1-3   Typical WLAN
(Diagram: two access points, one on channel 1 and one on channel 6, whose wireless cells overlap by
10-15 percent; both connect through a switch and a router to the LAN/WAN. Wireless laptops, a handheld,
a tablet and a desktop are the clients, and a laptop is shown roaming between the two cells.)

Ad-hoc Mode
Ad-hoc mode is used to establish a peer-to-peer network between two or more clients. This mode is
selected through the System Type section of the System Parameters page on the Aironet Client Utility
(ACU).

Links and References


The following documents provide supplemental information to the design and implementation material
presented in this SRND. These references fall into several categories:

General References, page 1-8

Security References, page 1-8

IP Multicast References, page 1-9

General References
Cisco Network Solutions and Provisioned Services page:
http://www.cisco.com/en/US/netsol/index.html

Note

Access to specific information varies based on user entitlement at the Cisco Systems web site.

Security References
The Unofficial 802.11 Security Web Page:
http://www.drizzle.com/~aboba/IEEE/
Assessing Wireless Security with AiroPeek and AiroPeek NX:
http://www.wildpackets.com/elements/whitepapers/AiroPeek_Security.pdf
Netstumbler security links:
http://www.netstumbler.com/links.php?op=MostPopular
OUI list:
http://standards.ieee.org/regauth/oui/oui.txt
SANS (System Administration, Networking and Security) Institute, Wireless page:
http://rr.sans.org/wireless/wireless_list.php
Securing wireless networks (enter as guest):
http://securingwireless.intranets.com/default.asp?link=
List of wireless security tools:
http://www.networkintrusion.co.uk/wireless.htm
When Dreamcasts Attack:
http://online.securityfocus.com/news/558

IP Multicast References
CCO IP Multicast Overview:
http://www.cisco.com/go/ipmulticast

Chapter 2   WLAN Radio Frequency (RF) Design Considerations

This chapter focuses on radio frequency (RF) considerations in WLAN environments. The following
sections are presented:

RF Basics, page 2-1

IEEE 802.11 Standards, page 2-9

RF Spectrum Implementation, page 2-11

Planning for RF Deployment, page 2-13

RF Basics
This section provides a summary of regulations and considerations specific to RF implementation. The
following sections are presented:

Regulations, page 2-2

Fine Tuning, page 2-5

Channel Selection, page 2-5

Regulations
Devices that operate in unlicensed bands do not require any formal licensing process, but operation in
these bands still obligates the user to follow regulations. The governing bodies in different parts of the
world regulate these bands. WLAN devices must comply with the specifications of the relevant
regulatory domain. The regulatory agencies set the emission requirements for WLANs to minimize the
amount of interference a radio can generate or receive from another in the same proximity. The
regulatory requirements do not affect the interoperability of IEEE 802.11b and 802.11a compliant
products. It is the responsibility of the vendor to get the product certified by the corresponding
regulatory body.
Table 2-1 summarizes the current regulatory domains for Wi-Fi products.
Table 2-1   Regulatory Domains

Regulatory Domain                                  Geographic Area
Americas or FCC (United States Federal             North, South and Central America, Australia and
Communication Commission)                          New Zealand, various parts of Asia and Oceania
Europe or ETSI (European Telecommunications        Europe (both EU and non-EU countries), Middle
Standards Institute)                               East, Africa, various parts of Asia and Oceania
Japan (MKK)                                        Japan
China                                              People's Republic of China (Mainland China)
Israel                                             Israel
Singapore (1)                                      Singapore
Taiwan (2)                                         Republic of China (Taiwan)

1. The regulations of Singapore and Taiwan for wireless LANs are particular to these countries only for operation in the 5 GHz
band. Singapore and Taiwan are therefore only regulatory domains for 5 GHz operation; for operation in 2.4 GHz, they fall
into the ETSI and FCC domains, respectively.
2. See above.

Note

The main regulatory domains are the FCC, ETSI, and MKK domains. As of this writing there is no 5 GHz
regulatory domain for China, and 5 GHz regulations vary widely from country to country.

Caution

Check the Cisco web site for compliance information and also check with your local regulatory authority on
what is permitted within your country. The information provided in Table 2-2, Table 2-3, and Table 2-4
on the following pages should be used as a general guideline. For up-to-date information on regional
requirements, check http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html#4.

Table 2-2   Operating Frequency Range for 802.11b

Lower Limit   Upper Limit   Regulatory Range (1)     Geography
2.402 GHz     2.480 GHz     2.400 to 2.4835 GHz      North America
2.402 GHz     2.480 GHz     2.400 to 2.4835 GHz      Europe (2)
2.473 GHz     2.495 GHz     2.471 to 2.497 GHz       Japan
2.447 GHz     2.473 GHz     2.445 to 2.475 GHz       Spain
2.448 GHz     2.482 GHz     2.4465 to 2.4835 GHz     France

1. The frequency ranges in this table are subject to the geographic-specific regulatory authorities.
2. Excluding Spain and France.

Table 2-3   FCC Frequency Bands and Channel Numbers for 802.11a

Regulatory Domain   Frequency Band                           Channel Number   Center Frequency
USA                 U-NII lower band (5.15 to 5.25 GHz)      36               5.180 GHz
                                                             40               5.200 GHz
                                                             44               5.220 GHz
                                                             48               5.240 GHz
USA                 U-NII middle band (5.25-to-5.35 GHz)     52               5.260 GHz
                                                             56               5.280 GHz
                                                             60               5.300 GHz
                                                             64               5.320 GHz
USA                 U-NII middle band (5.725-to-5.825 GHz)   149              5.745 GHz
                                                             153              5.765 GHz
                                                             157              5.785 GHz
                                                             161              5.805 GHz

Table 2-4   Additional Frequency Bands and Channel Numbers for Other Regulatory Domains

Regulatory Domain      Frequency Band      Channel Number   Center Frequency (GHz)
Japan                  U-NII lower band    34               5.170
                                           38               5.190
                                           42               5.210
                                           46               5.230
Singapore              U-NII lower band    36               5.180
                                           40               5.200
                                           44               5.220
                                           48               5.240
Taiwan                                     52               5.260
                                           56               5.280
                                           60               5.300
                                           64               5.320
EMEA 1, Australia,     Same as USA         Same as USA      Same as USA
New Zealand
EMEA 2 (1)             U-NII lower band    36               5.180
                                           40               5.200
                                           44               5.220

1. Some EMEA countries, and limited to 20 mW.

Each of the bands presented in Table 2-3 is intended for a different use. The UNII-3 band is intended for
long-range point-to-point and point-to-multipoint wireless bridging and may only be used outdoors. The
UNII-3 band and its usage are beyond the scope of this book. Refer to the following URL to find
the appropriate WLAN product for your regulatory domain:
http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html

Fine Tuning
A number of factors can affect WLAN coverage:

Selected data rate

Power level

Antenna choice (dipole, omni-directional, wall mount)

For a given data rate, the WLAN designer can alter the power level and/or use a different antenna to
change the coverage area and/or coverage shape.

Channel Selection
Channel selection depends on the frequencies that are permitted for a particular region. For example, the
North American and ETSI 2.4 GHz channel sets permit allocation of three non-overlapping channels (1,
6, and 11), while the 5 GHz channel set permits eight channels.
The channels should be allocated to the coverage cells as follows:

Overlapping cells should use non-overlapping channels.

Where the same channel must be used in multiple cells, those cells should have minimal overlap with each
other. See Figure 2-1.

Figure 2-1   Channels Allocated to APs
(Diagram: four adjacent cells with AP1 on channel 1, AP2 on channel 6, AP3 on channel 11 and AP4
reusing channel 1.)

A site survey should be conducted using the same frequency plan as intended for the actual deployment.
This gives a more exact estimate of how a particular channel at a particular location will react to
interference and multipath.
Channel selection also helps in planning for co-channel and adjacent-channel interference, and
provides information about where you can reuse a frequency.
In multi-story buildings, check the cell overlap between floors according to these guidelines. Some
re-surveying and relocating of APs might be required in some cases. Multi-story structures (such as
office towers, hospitals and university classroom buildings) introduce a third dimension to coverage
planning. The 2.4 GHz waveform of 802.11b and, when available, 802.11g can pass through floors and
ceilings as well as walls. The 5 GHz waveform of 802.11a can also pass through floors and ceilings as
well as walls, but does so to a lesser degree because of its higher frequency. With 2.4 GHz Wi-Fi LANs in
particular, you must avoid overlapping cells not only on the same floor but also on adjacent floors. With
only three channels, this can be achieved only through careful three-dimensional planning.

An AP can be configured to automatically search for the best channel on power up. This is configured
using the AP Radio Hardware menu, as shown in Figure 2-2.
Retest the site using the selected channels and check for any interference.

Figure 2-2   AP Automatic Channel Search

Note

It is possible to implement a dual-band deployment scheme as illustrated in Figure 2-3. However, this
requires careful planning and implementation with the Cisco Aironet AP 1200. Refer to the Data Rate
Considerations section on page 3-3 for related information about dual-band channel deployment
considerations.
Figure 2-3   Dual Band Deployment Diagram
(Diagram: a honeycomb of cells in which each cell carries one 802.11b channel from 1, 6 and 11 together
with an 802.11a channel index, labelled as pairs such as 1 & 6, 3 & 11, 5 & 6, 7 & 6 and 8 & 1, so that
neighbouring cells differ on both bands.)

IEEE 802.11 Standards


IEEE 802.11 is the Working Group within the IEEE (Institute of Electrical and Electronics Engineers)
responsible for wireless LAN standards. IEEE 802.11 became a standard in July 1997 and defined two
RF technologies operating in the 2.4 GHz band:

Direct Sequence Spread Spectrum (DSSS): 1 Mbps and 2 Mbps

Frequency Hopping Spread Spectrum (FHSS): 1 Mbps and 2 Mbps

Within the 802.11 Working Group are a number of Task Groups responsible for elements of the 802.11
WLAN standard.
IEEE 802.11b refers to Task Group b within the 802.11 Working Group. IEEE 802.11b became an IEEE
standard in September 1999, introducing the higher data rates of 5.5 Mbps and 11 Mbps into the
standard using DSSS and operating in the 2.4 GHz band. 802.11b defines a high-performance radio and true
vendor interoperability. Table 2-5 summarizes some of the task group initiatives.
Table 2-5   IEEE 802.11 Task Group Activities

Task Group   Project                                                          Status (March 2003)
MAC          Develop one common MAC for WLANs in conjunction with a
             physical layer entity (PHY)
PHY          Develop three WLAN PHYs: Infrared, 2.4 GHz FHSS, 2.4 GHz DSSS     Standard
             Develop PHY for 5 GHz UNII band                                   Standard
             Develop higher rate PHY in 2.4 GHz band                           Standard
             Cover bridge operation with 802.11 MACs (spanning tree)           Standard (802.1d)
             Define physical layer requirements for 802.11 operation in        Standard
             other regulatory domains (countries)
             Enhance 802.11 MAC for QoS                                        Ongoing
             Develop recommended practices for Inter Access Point Protocol     Ongoing
             (IAPP) for multi-vendor use
             Develop higher speed PHY extension to 802.11b (54 Mbps)           Ongoing
             Enhance 802.11 MAC and 802.11a PHY: Dynamic Frequency             Ongoing
             Selection, Transmit Power Control
             Enhance 802.11 MAC security and authentication mechanisms         Ongoing
             Enhance the 802.11 standard and amendments to add channel         Ongoing
             selection for 4.9 GHz and 5 GHz in Japan
             Define Radio Resource Measurement enhancements to provide         Ongoing
             interfaces to higher layers for radio and network measurements

The IEEE ratified the 802.11a standard in 1999, but the first 802.11a-compliant products did not begin
appearing on the market until December 2001. The 802.11a standard delivers a maximum data rate of
54 Mbps and eight non-overlapping frequency channels, resulting in increased network capacity,
improved scalability, and the ability to create microcellular deployments without interference from
adjacent cells.
Operating in the unlicensed portion of the 5 GHz radio band, 802.11a is also immune to interference
from devices that operate in the 2.4 GHz band, such as microwave ovens, cordless phones, and Bluetooth
(a short-range, low-speed, point-to-point, personal-area-network wireless standard). The 802.11a
standard is not compatible with existing 802.11b-compliant wireless devices. 2.4 GHz and 5 GHz
equipment can operate in the same physical environment without interference.
IEEE 802.11g is a high-performance standard in development and should be finalized by mid-year 2003.
802.11g will deliver the same 54 Mbps maximum data rate as 802.11a, but will operate in the same 2.4
GHz band as 802.11b.
Selecting between these technologies is not a one-for-one tradeoff. They are complementary
technologies and will coexist in future enterprise environments. Implementers must be able to make an
educated choice between deploying 2.4 GHz-only networks, 5 GHz-only networks, or a combination of
both. Organizations with existing 802.11b networks cannot simply deploy a new 802.11a network on 5
GHz APs and expect to have similar coverage at the 802.11a 54 Mbps data rate as they had at the 11 Mbps
data rate of their 802.11b APs. The technical characteristics of the two bands simply do not allow for
this kind of coverage interchangeability.

RF Spectrum Implementation
In the United States, three bands are defined as unlicensed and known as the ISM bands (Industrial,
Scientific, and Medical). The ISM bands are as follows:

900 MHz (902-to-928 MHz)

2.4 GHz (2.4-to-2.4835 GHz): IEEE 802.11

5 GHz (5.15-to-5.35 and 5.725-to-5.825 GHz): IEEE 802.11a. This band is also known as the UNII
band.

The Cisco Aironet 340 and 350 Series APs use RF spectrum in the 2.4 GHz unlicensed ISM band.
Each range has different characteristics. The lower frequencies exhibit better range, but with limited
bandwidth and hence lower data rates. The higher frequencies have less range and are subject to greater
attenuation from solid objects.

Direct Sequence Spread Spectrum


The Direct Sequence Spread Spectrum approach involves encoding redundant information into the RF
signal. Every data bit is expanded to a string of chips called a chipping sequence or Barker sequence.
The chipping rate mandated by IEEE 802.11 is 11 chips, using Binary Phase-Shift Keying (BPSK) or
Quadrature Phase-Shift Keying (QPSK), at the 1 and 2 Mbps rates, and 8 chips (CCK) at the 5.5 and
11 Mbps rates. So, at 11 Mbps, 8 bits are transmitted for every one bit of data. The chipping
sequence is transmitted in parallel across the spread spectrum frequency range.

IEEE 802.11b Direct Sequence Channels


Fourteen channels are defined in the IEEE 802.11b Direct Sequence (DS) channel set. Each DS channel
transmitted is 22 MHz wide, but the channel separation is only 5 MHz. This leads to channel overlap
such that signals from neighboring channels can interfere with each other. In a 14-channel DS system
(11 usable in the US), only three non-overlapping (and hence non-interfering) channels, 25 MHz apart,
are possible (such as channels 1, 6, and 11).
This channel spacing governs the use and allocation of channels in a multi-AP environment such as an
office or campus. APs are usually deployed in cellular fashion within an enterprise, with adjacent APs
allocated non-overlapping channels. Alternatively, APs can be co-located using channels 1, 6, and
11 to deliver 33 Mbps of bandwidth to a single area (but only 11 Mbps to a single client). The channel
allocation scheme is illustrated in Figure 2-4.
Figure 2-4   IEEE 802.11b DSSS Channel Allocations
(Diagram: channels 1 through 14, each 22 MHz wide and spaced 5 MHz apart, laid out between 2.402 GHz
and 2.483 GHz.)
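The 22 MHz channel width and 5 MHz spacing described above, applied in code. This is an added example, not code from the design guide: it computes which DS channels overlap, finds the largest groups of mutually non-overlapping channels for a regulatory domain's channel set, and checks a cell channel plan like the one in Figure 2-1. The channel center frequencies (2412 MHz for channel 1, 5 MHz steps, 2484 MHz for channel 14) and the four-cell layout are assumptions made here.

```python
"""802.11b DSSS channel-overlap check and cell channel-plan validation.

Added example, not code from the Cisco design guide. It applies the figures
the guide gives for the 2.4 GHz Direct Sequence channel set (each channel
22 MHz wide, channels spaced 5 MHz apart, non-overlapping channels 25 MHz
apart, such as 1, 6 and 11) to find the largest groups of mutually
non-overlapping channels and to check a cell plan like Figure 2-1.
"""
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22    # width of one transmitted DS channel (from the guide)
CHANNEL_SPACING_MHZ = 5   # spacing between consecutive channel numbers


def center_frequency_mhz(channel):
    """Center frequency of an 802.11b DS channel in MHz.

    Channel 1 is centered at 2412 MHz and channels 2-13 follow at 5 MHz steps;
    channel 14 (Japan only) is centered at 2484 MHz. These standard channel
    centers are assumed here; the guide's figure only shows the band edges.
    """
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2412 + CHANNEL_SPACING_MHZ * (channel - 1)
    raise ValueError(f"channel {channel} is not an 802.11b DS channel")


def channels_overlap(a, b):
    """True when the two 22 MHz channels share spectrum.

    Two channels are clear of each other only when their centers are at least
    a full channel width apart, which with 5 MHz spacing means five channel
    numbers (25 MHz): exactly the 1/6/11 rule the guide describes.
    """
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def largest_non_overlapping_sets(usable_channels):
    """Every largest group of mutually non-overlapping channels.

    Brute force over subsets is fine here: at most 14 channels gives 16384
    subsets. Returns a list of tuples, largest size only.
    """
    usable = sorted(usable_channels)
    for size in range(len(usable), 0, -1):
        found = [combo for combo in combinations(usable, size)
                 if all(not channels_overlap(x, y) for x, y in combinations(combo, 2))]
        if found:
            return found
    return []


def validate_channel_plan(plan, overlapping_cells):
    """Report RF-overlapping cells whose channels interfere.

    plan: {cell_name: channel}
    overlapping_cells: (cell_a, cell_b) pairs whose coverage areas overlap,
    as found in the site survey.
    Returns a list of (cell_a, cell_b, channel_a, channel_b) conflicts; an
    empty list means the plan follows the guide's rule that overlapping
    cells use non-overlapping channels.
    """
    conflicts = []
    for a, b in overlapping_cells:
        if channels_overlap(plan[a], plan[b]):
            conflicts.append((a, b, plan[a], plan[b]))
    return conflicts


# Constructed cell layout modelled on Figure 2-1: four APs in a row, each cell
# overlapping only its neighbours, so AP1 and AP4 can both reuse channel 1.
FIGURE_2_1_PLAN = {"AP1": 1, "AP2": 6, "AP3": 11, "AP4": 1}
FIGURE_2_1_OVERLAPS = [("AP1", "AP2"), ("AP2", "AP3"), ("AP3", "AP4")]

if __name__ == "__main__":
    print("US channel set, largest clear groups:",
          largest_non_overlapping_sets(range(1, 12)))
    print("Figure 2-1 plan conflicts:",
          validate_channel_plan(FIGURE_2_1_PLAN, FIGURE_2_1_OVERLAPS))
    # Moving AP4 to channel 9 puts it only 10 MHz from AP3 on channel 11.
    print("AP4 moved to channel 9:",
          validate_channel_plan(dict(FIGURE_2_1_PLAN, AP4=9), FIGURE_2_1_OVERLAPS))
```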

IEEE 802.11a OFDM Physical Layer


IEEE 802.11a defines requirements for a PHY operating in the 5.0 GHz U-NII band at data rates
ranging from 6 Mbps to 54 Mbps. It uses Orthogonal Frequency Division Multiplexing (OFDM), which
is a multi-carrier system (as opposed to single-carrier systems). OFDM allows sub-channels to overlap,
providing high spectral efficiency. The modulation technique used in OFDM is more efficient than
spread spectrum techniques.

IEEE 802.11a Channels


Figure 2-5 shows the center frequency of the channels. The frequency of the channel is 10 MHz either
side of the dotted line. There is 5 MHz of separation between channels.
Figure 2-5   802.11a Channel Set
(Diagram: in the lower band, channel centers at 5180, 5200, 5220, 5240, 5260, 5280, 5300 and 5320 MHz
lie between the lower band edge at 5150 MHz and the upper band edge at 5350 MHz, 30 MHz inside each
edge; in the upper band, channel centers at 5745, 5765, 5785 and 5805 MHz lie between the band edges at
5725 MHz and 5825 MHz, 20 MHz inside each edge.)

For the US 802.11a channel set, the 5 GHz unlicensed band covers 300 MHz of spectrum and supports
12 non-overlapping channels. The 5 GHz band is actually a conglomerate of three bands in the
USA: 5.150-to-5.250 GHz (UNII 1), 5.250-to-5.350 GHz (UNII 2), and 5.725-to-5.875 GHz (UNII 3).

Planning for RF Deployment


Many of the RF design considerations are interdependent and/or implementation dependent. As a result
there is no one-size-fits-all template for the majority of requirements and environments.
The RF design depends on the following considerations; each is addressed briefly in the individual
sections that follow:

RF Deployment Best Practices, page 2-13

WLAN Data Rates Required, page 2-13

Client Density and Throughput Requirements, page 2-16

WLAN Coverage Required, page 2-17

Security Policy, page 2-17

RF Environment, page 2-18

RF Deployment Best Practices


Some considerations can be addressed with general best-practice guidelines. The following can be applied
to most situations:

Number of users versus throughput for a given AP: the general recommended number of users per
AP is 15 to 25.

Distance between APs can cause throughput variations for clients based on their distance from the
AP: the recommendation is to limit the AP data rate to the higher data rates of 11 Mbps and 5.5
Mbps.

Number of APs depends on coverage and throughput requirements, which might vary: for example,
Cisco's internal information systems (IS) group currently uses six APs per 38,000 square feet of
floor space.

Note

Because environments vary so much, it is highly recommended that a site survey be performed to
determine the number of APs required and their optimal placement.

WLAN Data Rates Required


Data rates affect cell size. Lower data rates (such as 1 Mbps) can extend farther from the AP than can
higher data rates (such as 11 Mbps). This is illustrated in Figure 2-6 (not to scale). Therefore, the data
rate (and power level) affects cell coverage and consequently the number of APs required, as illustrated
in Figure 2-7 on page 2-15.
Different data rates are achieved by sending a more redundant signal on the wireless link, allowing data
to be more easily recovered from noise. The number of symbols sent out for a packet at the 1 Mbps data
rate is greater than the number of symbols used for the same packet at 11 Mbps. This means that sending
data at the lower bit rates takes more time than sending the equivalent data at a higher bit rate.

Figure 2-6   Data Rate Compared with Coverage
(Diagram: concentric coverage circles for 11 Mbps, 5.5 Mbps, 2 Mbps and 1 Mbps, the 1 Mbps circle
being the largest; not to scale.)

The diameter of the coverage circles shown in Figure 2-6 depends upon factors such as power and
antenna gain. For example, indoors (1), using the standard antennas on the NIC card and APs, the diameter
of the 1 Mbps circle is approximately 700 ft (210 m), and the diameter of the 11 Mbps circle is about
200 ft (60 m). Increasing the gain of the antenna can increase the distance and change the shape of the
radiation pattern to something more directional.

1. Typically the outdoor range is greater because there are fewer obstacles and less interference.

Figure 2-7   Coverage Comparison and AP Density for Different Data Rates
(Diagram: the same floor area surveyed at 2 Mbps and at 5.5 Mbps; the 5.5 Mbps survey needs more,
smaller cells.)

The required data rate has a direct impact upon the number of APs needed in the design. The example
in Figure 2-7 illustrates this point. While six APs with a data rate of 2 Mbps might adequately service
an area, it might take twice as many APs to support a data rate of 5 Mbps, and more again to support data
rates of 11 Mbps.
The data rate chosen depends on the type of application to be supported. In a WLAN LAN extension
environment, the higher data rates of 11 Mbps and 5.5 Mbps are recommended; this gives maximum
throughput and should minimize performance-related support issues. In a WLAN vertical application
environment, the data rates selected are determined by the application requirements; some clients might
not support the higher data rates and might require the use of lower data rates.
It might seem logical to choose the default configuration of APs and clients, thereby allowing all data
rates. However, there are three key reasons for limiting the data rate to the highest rate at which full
coverage is obtained:

Broadcast and multicast frames are sent at the slowest data rate (to ensure that all clients can see them);
this reduces the throughput of the WLAN because traffic must wait until those frames are processed at the
slower rate.

Clients that are farther away, and therefore accessing the network at a lower data rate, decrease the
overall throughput by causing delays while the lower bit rates are being serviced.

If an 11 Mbps service is specified and provisioned with APs that support all data rates, clients at lower
rates can still associate with APs configured in this way, which can create a coverage area greater than
planned, thereby increasing the security exposure and potentially interfering with other WLANs.

Client Density and Throughput Requirements


APs are similar to shared hubs and have an aggregate throughput much lower than the data rate. With
this in mind, you must have a rough estimate of the maximum suggested number of active associations
(active clients). This can be adjusted up or down according to the particular application.
Each cell provides an aggregate amount of throughput that is shared by all the client devices that are
within that cell and associated to a given AP. This effectively defines a cell as a collision domain. After
deciding on the minimum data rate, be sure to consider how much throughput should, on average, be
provided to each user of the wireless LAN.
Take the example of barcode scanners. 25 Kbps is more than enough bandwidth for such an application.
Using an 802.11b AP at the 11 Mbps data rate results in an aggregate throughput of 5-to-6 Mbps. This
results in a maximum of 200 users (1) that can be supported satisfactorily. For a 1 Mbps system, 20
users can utilize the same AP for similar bandwidth results.
You can increase the per-user throughput by decreasing the number of users contending for the aggregate
throughput provided by a single AP. This can be done by decreasing the size of the coverage cell or by
adding a second AP on a non-overlapping channel in the same cell area. To reduce the cell size, the AP
power or antenna gain can be reduced, resulting in fewer clients in that cell area. This means you will
need more APs for the same overall area, increasing the cost of deployment. An example of this is shown
in Figure 2-8. Some APs do not provide settings to control transmit power, and many have
limited or no options.

1. This number would not be achieved in practice because of the 802.11 management overhead and collisions associated with such a large number of clients.
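The capacity arithmetic in this section (200 users at 25 Kbps on an 11 Mbps AP, 20 on a 1 Mbps AP, and the Figure 2-8 split of 180 users per floor) and the coverage-exposure argument under WLAN Data Rates Required, turned into a small planning helper. This is an added example, not code from the design guide; the aggregate throughput values of 5000 and 500 Kbps, the treatment of cells as circles, and the constructed floor inputs are assumptions made here.

```python
"""Per-AP capacity and rate-limited coverage footprint for 802.11b planning.

Added example, not code from the Cisco design guide. It turns the guide's
planning figures into functions: an 11 Mbps 802.11b AP serves about 200
users needing 25 kbps each (5-6 Mbps shared), a 1 Mbps AP about 20, and the
indoor cell diameter with standard antennas is about 700 ft at 1 Mbps and
200 ft at 11 Mbps. The exact aggregate values (5000 and 500 kbps) and the
treatment of cells as circles are assumptions made here.
"""
import math

# Aggregate throughput per AP in kbps implied by the guide's worked example:
# 200 users x 25 kbps at 11 Mbps and 20 users x 25 kbps at 1 Mbps (assumed).
AGGREGATE_KBPS = {11.0: 5000, 1.0: 500}

# Indoor cell diameter in feet quoted by the guide for the standard antennas.
CELL_DIAMETER_FT = {1.0: 700, 11.0: 200}

# General recommendation in the guide: 15 to 25 users per AP.
RECOMMENDED_USERS_PER_AP = (15, 25)


def users_per_ap(data_rate_mbps, per_user_kbps):
    """Users one AP can serve at data_rate_mbps if each needs per_user_kbps."""
    return AGGREGATE_KBPS[data_rate_mbps] // per_user_kbps


def aps_for_users(total_users, max_users_per_ap):
    """APs needed so that no AP carries more than max_users_per_ap (Figure 2-8)."""
    return math.ceil(total_users / max_users_per_ap)


def footprint_sqft(lowest_enabled_rate_mbps):
    """Area in square feet reachable at the lowest data rate the AP allows.

    This is the guide's security argument for disabling the lower rates: a
    distant client can still associate at 1 Mbps, so the real cell, and with
    it the exposure, is far larger than the one surveyed at 11 Mbps.
    """
    radius_ft = CELL_DIAMETER_FT[lowest_enabled_rate_mbps] / 2
    return math.pi * radius_ft ** 2


def exposure_ratio(lowest_enabled_rate_mbps, planned_rate_mbps):
    """How many times larger the reachable area is than the planned cell."""
    return footprint_sqft(lowest_enabled_rate_mbps) / footprint_sqft(planned_rate_mbps)


def plan_floor(total_users, per_user_kbps, data_rate_mbps,
               lowest_enabled_rate_mbps, max_users_per_ap=RECOMMENDED_USERS_PER_AP[1]):
    """Combine the capacity and exposure checks for one floor into a report."""
    by_throughput = users_per_ap(data_rate_mbps, per_user_kbps)
    # The application's bandwidth need (such as 25 kbps barcode scanners) sets
    # an upper bound; the designer's users-per-AP target caps it further.
    per_ap = min(by_throughput, max_users_per_ap)
    return {
        "users_per_ap": per_ap,
        "aps_needed": aps_for_users(total_users, per_ap),
        "exposure_ratio": round(exposure_ratio(lowest_enabled_rate_mbps, data_rate_mbps), 2),
        "lowest_rate_matches_plan": lowest_enabled_rate_mbps == data_rate_mbps,
    }


if __name__ == "__main__":
    # Figure 2-8 (constructed inputs): 180 users per floor at 11 Mbps, with
    # 60 users per AP (30 mW cells) versus 10 users per AP (5 mW cells).
    print(plan_floor(180, 25, 11.0, 11.0, max_users_per_ap=60))
    # Same floor with 1 Mbps left enabled: 18 APs, and each cell can be
    # reached from an area about 12 times the one surveyed at 11 Mbps.
    print(plan_floor(180, 25, 11.0, 1.0, max_users_per_ap=10))
```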

Figure 2-8   Changing the Output Power to Increase Client Performance
(Diagram: one floor with 180 users served two ways, both at the 11 Mbps data rate and both reusing
channels 1, 6 and 11 across the cells: 3 access points at 30 mW transmitter power with 60 users per AP,
or 18 access points at 5 mW transmitter power with 10 users per AP.)

Note

Client power should be adjusted to match the AP power settings. Maintaining a high setting on the client
does not result in higher performance and it can cause interference in nearby cells.

WLAN Coverage Required


Different enterprises have different coverage requirements. Some need a WLAN to cover specific
common areas; others need WLANs to cover each floor of a building, to cover the entire building
including stairwells and elevators, or to cover the entire campus including car parks and roads.
Apart from impacting the number of APs required, the coverage requirements can introduce other issues,
such as specialized antennas, outdoor enclosures and lightning protection.

Security Policy
RF design can be used to minimize the RF radiation in coverage areas or directions not required. For
example, if WLAN coverage is required only in the buildings, then the amount of RF coverage outside
the building can be minimized by AP placement and directional antennas.

RF Environment
The performance of the WLAN and its equipment depends upon its RF environment. The following are
some examples of adverse environmental variables:

2.4 GHz cordless phones

Walls fabricated from wire mesh and stucco

Filing cabinets and metal equipment racks

Transformers

Heavy duty electric motors

Fire walls and fire doors

Concrete

Refrigerators

Sulphur plasma lighting (Fusion 2.4 GHz lighting systems)

Air conditioning duct-work

Other radio equipment

Microwave ovens

Other WLAN equipment

A site survey should be performed to ensure that the required data rates are supported in all the required
areas, despite the environmental variables mentioned above.
The site survey should consider the three-dimensional space occupied by the WLAN. For example, a
multi-story building WLAN with a different subnet per floor might require a different RF configuration
than the same building with a single WLAN subnet for the whole building. In the multiple-subnet case, a client
attempting to roam to a different AP on the same floor might instead acquire an AP from an adjacent floor.
Switching APs in a multi-subnet environment changes the roaming activity from a seamless Layer 2
roam to a Layer 3 roam, which in turn disrupts sessions and might require user intervention.

Chapter 3   WLAN Technology and Product Selection

This chapter focuses on technology and product assessment and selection in WLAN environments.
The following sections are presented:

WLAN Technology Selection Considerations, page 3-1

Cisco WLAN RF Product Selection Considerations, page 3-11

WLAN Technology Selection Considerations


Selecting a wireless technology can be tricky. For example, wireless devices can adhere to different
standards and might not be compatible with one another or with next-generation devices.
You must understand your environment's requirements (and plans for future enhancements) when
choosing a wireless technology. The sections in this chapter that address technology selection
considerations are as follows:

Competing WLAN Standards, page 3-1

WLAN Capacity Considerations, page 3-2

Data Rate Considerations, page 3-3

Throughput Considerations, page 3-4

Performance Considerations, page 3-5

Range Considerations, page 3-7

Technology Selection Summary, page 3-9

Competing WLAN Standards


Two standards dominate the WLAN marketplace:

IEEE 802.11b: 802.11b has been the industry standard for several years. Operating in the
unlicensed portion of the 2.4 GHz radio frequency spectrum, it delivers a maximum data rate of 11
Mbps and boasts numerous strengths. 802.11b enjoys broad user acceptance and vendor support.
Many vendors manufacture compatible devices, and this compatibility is assured through the Wi-Fi
certification program. 802.11b technology has been deployed by thousands of enterprise
organizations that typically find its speed and performance acceptable for their current applications.

IEEE 802.11a802.11a operates in the uncluttered 5 GHz radio frequency spectrum. With a
maximum data rate of 54 Mbps, this standard offers a fivefold performance increase over the
802.11b standard. Therefore, it provides greater bandwidth for particularly demanding applications

As mentioned in the IEEE 802.11 Standards section on page 2-9, 802.11g is another related
standard, one intended for networks with high performance requirements. The 802.11g standard has
been in draft form since November 2001 and is likely to be finalized in 2003. 802.11g will deliver the
same 54 Mbps maximum data rate as 802.11a, yet it offers an additional and compelling
advantage: backward compatibility with 802.11b equipment. This means that 802.11b client cards will
work with 802.11g APs, and 802.11g client cards will work with 802.11b APs. Because 802.11g and
802.11b operate in the same 2.4 GHz unlicensed band, migrating to 802.11g will be an affordable choice
for organizations with existing 802.11b wireless infrastructures. It should be noted that 802.11b products
cannot be software upgraded to 802.11g, because 802.11g radios will use a different chipset than 802.11b
in order to deliver the higher data rate. However, much like Ethernet and Fast Ethernet, 802.11g products
can be combined with 802.11b products in the same network. Because 802.11g operates in the same
unlicensed band as 802.11b, it shares the same three channels, which can limit wireless capacity and
scalability.
So, which standard should an organization select? Each has its strengths. The greatest strength of the
802.11b standard is its widespread acceptance and broad product availability, although bandwidth is
limited. In comparison, the 802.11a standard has the capability to drive the high-bandwidth applications
that will characterize the future WLAN. 802.11a also supports more channels (non-overlapping
channels), making the RF deployment more flexible.
Fortunately, organizations do not need to choose between technologies when considering a WLAN
infrastructure. The Cisco Aironet 1200 Series gives wireless implementers the option of deploying both.
This wireless AP delivers:

Flexibility: The Cisco Aironet 1200 Series is dual-band, meaning that it can concurrently support
WLANs based on both the 5 GHz 802.11a and 2.4 GHz 802.11b standards.

Scalability and Investment Protection: The Cisco Aironet 1200 Series ensures that an
organization's wireless network remains backward and forward compatible, with the capability to
grow both in terms of users and deployed applications.

Ease-of-Use and Manageability: The Cisco Aironet 1200 Series is field upgradable. Organizations
can choose to deploy 2.4 GHz technology, 5 GHz technology, or a mixture of the two. The product
also integrates seamlessly with the robust Cisco security and management infrastructure.

The Cisco Aironet 1200 Series delivers a seamless migration path for WLANs. It allows organizations
to upgrade today to robust wireless technology, while ensuring that their investments remain usable and
valuable far into the future.

WLAN Capacity Considerations


The 802.11a standard provides a substantial potential capacity improvement for a WLAN compared with
802.11b-based WLAN implementations. The 5 GHz band provides more than three times as much
spectrum as the 2.4 GHz band. One key advantage of 802.11a deployment is greater flexibility for channel
re-use, and another is capacity. With a greater number of channels to select from, it is easier to deploy
an enterprise WLAN. Interference in the network is reduced by avoiding two adjacent APs using the same
frequency and by increasing the distance between APs with the same frequencies (reducing co-channel
interference). This is important in that the traffic from devices in overlapping cells set to the same
channel results in mutual interference, thereby impeding performance.


The 2.4 GHz band used by 802.11b and 802.11g offers just three channels, a shortcoming
that complicates deployments. With eight channels, 802.11a systems have an aggregate data rate of up
to 432 Mbps (54 Mbps multiplied by eight channels) in a given area. In contrast, 802.11b devices have
a maximum capacity of 33 Mbps (11 Mbps multiplied by three channels) per given area. Therefore,
organizations with large WLANs may decide to opt for an 802.11a deployment, which provides far
greater performance on a per-cell basis.
Given the difference in operating frequencies, 802.11b and 802.11a can coexist within the same
environment, allowing users to move from one to the other by switching clients, or by using a dual-band
client (which combines both radios into a single client). This approach becomes more flexible by using
dual-band Cisco APs. An enterprise must conduct comprehensive site surveys for each technology to
guarantee adequate network coverage. Each frequency has different signal strength, interference, and
reflection characteristics, and each implementation must be optimized for different requirements.

Data Rate Considerations


Note

For additional related information, please refer to the WLAN Data Rates Required section on
page 2-13.
Data rates affect cell size. Lower data rates (such as 1 Mbps) can extend further from the AP than can
higher data rates (such as 54 Mbps). This is illustrated in Figure 3-1. Hence the data rate (and power
level) affects cell coverage, and consequently the number of APs required.
In general, there are pools of coverage at each data rate. What is considered an acceptable data rate
ultimately depends upon how much bandwidth is required for the application you want to run at
a particular location. Be sure to survey users for the minimum data rate required.

Note

The Cisco Aironet Site Survey Utility surveys at a given data rate and does not rate shift.
APs offer clients multiple data rates for the wireless link. For 802.11b, the range is from 1-to-11 Mbps
in four increments (1, 2, 5.5 and 11 Mbps), while for 802.11a the range is 6-to-54 Mbps in seven
increments (6, 9, 12, 18, 24, 36, 48 and 54 Mbps). Because data rates affect range, selecting data rates
during the design stage is extremely important.
The client cards automatically switch to the fastest possible rate of the AP; how this is done varies from
vendor to vendor. Because each data rate has a unique cell of coverage (the higher the data rate, the
smaller the cell), the minimum data rate must be determined at the design stage. Cell sizes at given data
rates can be thought of as nested concentric circles. See Figure 3-1. Selecting only the highest data
rate requires a greater number of APs to cover a given area; therefore care must be taken to develop a
compromise between required aggregate data rate and overall system cost.
With the dual-band Cisco AP 1200, careful design can yield an aggregate data rate of 64 Mbps (54
Mbps plus 11 Mbps) per AP, with room to grow to 108 Mbps when 802.11g is available.


Figure 3-1 802.11a Data Rates (5 GHz, 40 mW): 170' @ 6 Mbps, 150' @ 9 Mbps, 140' @ 12 Mbps,
130' @ 18 Mbps, 120' @ 24 Mbps, 100' @ 36 Mbps, 80' @ 48 Mbps, 60' @ 54 Mbps

Throughput Considerations
Note

For related information, please refer to the Client Density and Throughput Requirements section on
page 2-16.
Data rate is often confused with the aggregate data throughput. The latter takes into
account the overhead associated with protocol frame structure, collisions, and implementation
processing delays associated with frames processed by clients and APs. Protocol overhead includes
parameters such as RTS, CTS and ACK frames, beacon periods, back-off periods and propagation delays.
As a result, 10 Mbps Ethernet can be faster than 11 Mbps Wi-Fi. The overhead associated with the 802.11b standard
exceeds the overhead for 802.3 Ethernet, resulting in better throughput for 10 Mbps Ethernet than 11
Mbps Wi-Fi.
An important purchasing consideration for any networking technology is the amount of bandwidth, data
rate, or throughput it provides to each network user, and how well that throughput can support the
applications running on the network.
For clarity, data rate means the amount of data that can be sent from one node on the wireless
network to another within a given timeframe. The difference between data rate and
throughput is the number of raw bits that travel from one node to another, in comparison to the bits
representing the message content. This difference is determined by a number of factors, including the
latency inherent in the PHY components of the radio, the overhead and acknowledgement information
that accompany every transmission, and pauses between transmissions. A comparison table of the
wireless networks at hand and several wired benchmarks is shown in Table 3-1.


Table 3-1 Throughput at Maximum Data Rates

Technology       Data Rate   Average Throughput
802.11b          11 Mbps     5-to-7 Mbps
802.11a          54 Mbps     22-to-31 Mbps
802.11g (OFDM)   54 Mbps     TBD

802.11b offers an 11 Mbps data rate, which translates into approximately 5-to-7 Mbps of actual message
throughput (per AP). This amount is shared among all network users accessing it at the same time, and
is managed through a Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) technique
modeled on its Ethernet wired equivalent. As most network traffic is bursty, and only a few users are on
the network simultaneously, Wi-Fi network users generally experience very good connectivity speeds.
Using OFDM and 64-state Quadrature Amplitude Modulation (64-QAM), 802.11a and 802.11g will provide similar data
rate levels. However, because 802.11g must be backward compatible with 802.11b, 802.11g incurs more
overhead associated with the header information of 802.11b. As a result, 802.11g might not achieve full
parity with the throughput possible with 802.11a.
With 802.11a, there is a maximum data rate of 54 Mbps which can support high-bandwidth applications
such as CAD-CAM, streaming video, and converged voice/video/data. 802.11a and 802.11b nodes also
share the bandwidth efficiently using CSMA/CA techniques. In 802.11b roughly 15-to-25 users can be
supported per AP (at 11 Mbps). With 802.11a, more users can be supported per AP (at 54 Mbps) as more
bandwidth is available. The smaller cell size makes an increase in users unlikely. The normal impact
would be an increase in bandwidth available per user.
802.11b can be used by implementers who have a large installed base of APs, are transaction intensive,
have many roaming users to other 802.11b APs, or are cost sensitive.
802.11a can also be used by implementers requiring the higher throughput for the applications listed
above, have a small installed base of 802.11b (as 802.11b and 802.11a are not compatible), or are
concerned about interference. Interference issues are discussed in detail in the next section.
Quality of Service (QoS) enhancements to the 802.11 MAC under development within 802.11e will
enhance the ability of 802.11b, 802.11a, and 802.11g to deliver new types of time-critical data, in
addition to their traditional data packets (QoS capabilities are typically associated with IP-based
telephony/voice implementations). The IEEE 802.11e Task Group recommendations will become
commonly available to both the 2.4 GHz and 5 GHz solutions simultaneously, and most subsequently
released 802.11 networks will then be able to support them. The higher bandwidth 802.11g and 802.11a
standards will support QoS more effectively than 802.11b, mainly because of higher bandwidth, but also
because more unlicensed spectrum will be available to 5 GHz radios. This allows 5 GHz networks to
allocate a certain number of networks to voice only, and others to data.

Performance Considerations
While unlicensed spectrum is very attractive (as there is no licensing fee to use it), implementers must
factor in the potential performance degradation associated with ambient interference. 802.11a operates
in unlicensed bands in exactly the same way as 802.11b and earlier 900 MHz systems operate in
unlicensed bands. That is, there are no restrictions on the types of devices that operate in these bands
provided that they all conform to a common set of rules. The 900 MHz portion of the spectrum was
initially used by WLANs and then, far more commonly, by cordless telephones. Although these devices


all complied with applicable regulations, they acted upon each other as interferers, mutually degrading
performance and usability. The WLAN industry essentially abandoned the 900 MHz band and migrated
to the 2.4 GHz band. Initially, the WLAN industry had this band to itself (with the exception of
microwave oven RF emissions). Eventually, however, the band became more crowded with an increasing
number of products, including Bluetooth devices and 2.4 GHz cordless telephones. The very attractiveness of
the 2.4 GHz band to manufacturers (license-free operation on an international scale and the resulting
worldwide marketability of 2.4 GHz devices) leads to a central problem for the 2.4 GHz
band: overcrowding.
This in turn leads to a principal advantage of 802.11a: because it operates in the pristine 5 GHz band,
it is (as of now) immune to interference from other devices. 802.11a products themselves are relatively
few in number. Bluetooth operates in the 2.4 GHz band, and very few 5 GHz cordless telephones
are available in the market. The point is that today the 5 GHz band is relatively clean, but there are no
restrictions on this band that do not apply equally to 900 MHz and 2.4 GHz. Over time, the 5 GHz band
might become equally crowded with interference-causing devices.
As the 2.4 GHz band is unlicensed, it is available for anyone to use, within limits of maximum Effective
Isotropic Radiated Power (EIRP). WLAN interference can come from a number of sources. The main
sources are as follows:

Microwave Ovens: The magnetron in household and commercial microwave ovens operates over
tens of megahertz in the 2.4-to-2.483 GHz band. While microwave ovens operate at about
700-to-1000 W, the maximum allowed radiated power (EIRP) for WLAN devices is between 0.1 and
4 W. WLAN equipment such as APs should not be located near microwave ovens.

Co-channel Interference: Interference can come from radios in adjacent cells on the same frequency.
Effective site surveying and WLAN cell planning should minimize the effect of this interference. As
WLANs become more prevalent, interference from sources outside enterprise control may become
more of an issue, such as in multiple tenancy situations (shopping centers, apartment blocks, and the
like). Proper cell planning of the channel frequency and careful layout of the APs can minimize the
interference.

Bluetooth: Bluetooth is a Wireless Personal Area Network technology sharing the same 2.4 GHz
spectrum as 802.11b. Bluetooth uses FHSS and is a shorter range and lower bandwidth technology
than 802.11b. FHSS systems use frequently changing, narrow bands over all channels. It is
important to manage the concurrent operation of 802.11b WLANs and Bluetooth within the
enterprise. Task Group 2 of the IEEE 802.15 Working Group is looking at the coexistence issues of
IEEE 802.11b WLANs and Bluetooth. Multiple companies have researched the issue and concluded
that if the two technologies are separated by two meters or more, there is no significant interference.

2.4 GHz Cordless Telephones: Some of the newer household and office cordless telephones
operate in the 2.4 GHz range (DSSS and FHSS). Depending on the conditions and the manufacturer,
degradation to the WLAN can vary from unnoticeable to a total loss of association between the
client and the AP. Interference from the WLAN can also impact the voice quality. Users are
encouraged to use 900 MHz cordless phones in instances where they must coexist with WLANs. If
this is not possible, separate the AP from the phone base station as far as possible and perform some
rudimentary degradation tests. Note that DSSS cordless phones are more likely to cause degradation
than FHSS types.

Shared Internet Access: Wireless local loop (WLL) and systems like Metricom-Ricochet (again
coming back into the market) and T-Mobile also use the same band, so they can be a source of
interference. Interference can also come from other systems such as neighboring DSSS and FHSS
WLAN networks.
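Cell planning against co-channel interference, as an added example that is not code from this guide: a greedy channel assignment that keeps same-channel APs as far apart as possible, and a check that flags any same-channel pair closer than a chosen reuse distance. The 802.11 channel numbers are standard numbering rather than values from the guide, and the sample floor plan and the 300 ft reuse distance are constructed assumptions.

```python
import math

# Channel sets that do not overlap one another: three in the 2.4 GHz band
# used by 802.11b/g and eight in the 5 GHz UNII-1/UNII-2 bands used by
# 802.11a (the counts come from the text; the channel numbers are standard
# 802.11 numbering, not values taken from this guide).
NON_OVERLAPPING = {
    "802.11b": (1, 6, 11),
    "802.11a": (36, 40, 44, 48, 52, 56, 60, 64),
}


def assign_channels(positions, standard):
    """Greedy channel plan for a list of (name, x_ft, y_ft) AP positions.

    Each AP takes the channel whose nearest existing user is farthest away,
    which maximises the separation between cells that share a frequency.
    Returns a list of (name, x_ft, y_ft, channel).
    """
    planned = []
    for name, x, y in positions:
        def separation(ch):
            same = [math.hypot(x - px, y - py)
                    for _, px, py, pc in planned if pc == ch]
            return min(same, default=math.inf)   # unused channel: infinite
        best = max(NON_OVERLAPPING[standard], key=separation)
        planned.append((name, x, y, best))
    return planned


def co_channel_conflicts(aps, standard, min_reuse_ft):
    """Return the same-channel AP pairs that sit closer than min_reuse_ft.

    aps is a list of (name, x_ft, y_ft, channel). Same-channel cells that
    are too close hear each other and share the medium (mutual
    interference), so a finished plan should return an empty list. A
    channel outside the non-overlapping set is a planning error and raises.
    """
    allowed = NON_OVERLAPPING[standard]
    for name, _, _, ch in aps:
        if ch not in allowed:
            raise ValueError(f"{name}: channel {ch} is not a non-overlapping "
                             f"{standard} channel")
    conflicts = []
    for i, (n1, x1, y1, c1) in enumerate(aps):
        for n2, x2, y2, c2 in aps[i + 1:]:
            if c1 != c2:
                continue
            dist = math.hypot(x2 - x1, y2 - y1)
            if dist < min_reuse_ft:
                conflicts.append((n1, n2, round(dist)))
    return conflicts


# Constructed sample (not from the guide): four 802.11b APs on a 200 ft grid.
# With only three channels, the fourth AP is forced to reuse a channel.
SAMPLE_POSITIONS = [("AP1", 0, 0), ("AP2", 200, 0),
                    ("AP3", 0, 200), ("AP4", 200, 200)]

if __name__ == "__main__":
    plan = assign_channels(SAMPLE_POSITIONS, "802.11b")
    for ap in plan:
        print(ap)
    # AP4 ends up on channel 1, about 283 ft from AP1 (the diagonal).
    print("conflicts at 300 ft reuse:", co_channel_conflicts(plan, "802.11b", 300))
```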


Range Considerations
Table 3-2 provides a comparison of the relative data rates and ranges associated with 802.11a and
802.11b WLANs. These are typical maximum ranges, but range varies (normally downward) depending
upon the environment. As more obstructions are encountered (such as a metallic building structure)
range is reduced.
Table 3-2 Comparison of Bit-Rate and Range for 802.11a and 802.11b

Bit Rate (in Mbps)   Range for 802.11b (in feet)   Range for 802.11a (in feet)
1                    350                           -
2                    250                           -
5.5                  180                           -
6                    -                             170
9                    -                             150
11                   140                           -
12                   -                             140
18                   -                             130
24                   -                             120
36                   -                             100
48                   -                             80
54                   -                             60

Figure 3-2 on page 3-8 illustrates the coverage area of an 802.11b AP at a maximum bit rate of 11 Mbps,
overlaid with 802.11a APs at a maximum bit rate of 54 Mbps. This comparison shows the impact of the
different ranges of 802.11b and 802.11a. Ten 802.11a APs are required to cover a similar area as the one
802.11b AP.
Coverage range alone is not the whole story here. A comparison of the capacity of the 802.11a coverage
and the 802.11b coverage shows the 802.11b capacity at 11 Mbps, while the capacity of the 802.11a solution
is 540 Mbps (ten APs at 54 Mbps). This difference represents a potential gain of approximately 49 times.
In summary, more 802.11a APs are required to support a given area in comparison to 802.11b APs, but
the capacity of the 802.11a network is significantly greater.
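The trade-off described in the Data Rate Considerations and Range Considerations sections (the minimum data rate sets the cell size, the cell size sets the AP count, and the AP count sets the nominal capacity) worked through as an added example, not code from this guide. It uses the ranges from Table 3-2 and the channel counts from the text; the square-cell tiling model, the 300 ft by 200 ft floor and the nominal-capacity figure are assumptions.

```python
import math

# Typical maximum indoor ranges (feet) per data rate (Mbps), from Table 3-2.
RANGE_FT = {
    "802.11b": {1: 350, 2: 250, 5.5: 180, 11: 140},
    "802.11a": {6: 170, 9: 150, 12: 140, 18: 130, 24: 120,
                36: 100, 48: 80, 54: 60},
}

# Non-overlapping channels available to each standard, from the text.
CHANNELS = {"802.11b": 3, "802.11a": 8}


def rate_at_distance(standard, distance_ft):
    """Highest data rate a client can hold at distance_ft from the AP.

    The per-rate ranges form nested concentric cells, so the answer is the
    fastest rate whose range still reaches the client. Returns 0 when the
    client is outside even the lowest-rate cell (no association at all).
    """
    reachable = [rate for rate, rng in RANGE_FT[standard].items()
                 if distance_ft <= rng]
    return max(reachable, default=0)


def cell_side_ft(standard, min_rate):
    """Side of the square cell that guarantees min_rate everywhere inside it.

    Assumption (not from the guide): each AP is credited only with the square
    inscribed in its min_rate circle, so the corners of that square lie
    exactly at the min_rate range and adjacent squares tile the floor.
    """
    radius = RANGE_FT[standard][min_rate]
    return radius * math.sqrt(2)


def ap_count(standard, min_rate, width_ft, depth_ft):
    """APs needed to cover a width_ft x depth_ft floor at min_rate or better."""
    side = cell_side_ft(standard, min_rate)
    return math.ceil(width_ft / side) * math.ceil(depth_ft / side)


def plan(standard, min_rate, width_ft, depth_ft):
    """Summarise AP count, nominal capacity and channel reuse for one design."""
    if min_rate not in RANGE_FT[standard]:
        raise ValueError(f"{min_rate} Mbps is not a {standard} data rate")
    aps = ap_count(standard, min_rate, width_ft, depth_ft)
    top_rate = max(RANGE_FT[standard])
    return {
        "standard": standard,
        "min_rate_mbps": min_rate,
        "aps": aps,
        # Nominal aggregate: each AP serves its top rate to clients near it
        # (the same arithmetic as the 540 Mbps figure in the text).
        "nominal_capacity_mbps": aps * top_rate,
        # Worst-case number of APs forced onto one channel; anything above 1
        # means co-channel separation must be managed in the cell layout.
        "aps_per_channel": math.ceil(aps / CHANNELS[standard]),
    }


if __name__ == "__main__":
    # Constructed floor: 300 ft by 200 ft.
    for std, rate in (("802.11b", 11), ("802.11a", 54), ("802.11a", 6)):
        print(plan(std, rate, width_ft=300, depth_ft=200))
    # A client 65 ft from an 802.11a AP sits outside the 54 Mbps cell
    # but inside the 48 Mbps one.
    print(rate_at_distance("802.11a", 65))
```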


Figure 3-2 Difference in Coverage between 802.11a and 802.11b: one 802.11b cell (280' @ 11 Mbps)
overlaid with 802.11a cells (120' @ 54 Mbps)

Signal Propagation
A 5 GHz wave is about half the length of a 2.4 GHz wave. These shorter waves tend to pass through
water rather than be captured by it. The human body is over 95 percent water. So, in areas with a high density
of people, such as a stock trading floor, devices like 802.11a WLANs that operate at 5 GHz may have
an advantage in terms of signal propagation and resulting range over devices like 802.11b WLANs that
operate at 2.4 GHz. The relatively shorter 5 GHz wave that provides the advantage outlined above also
leads to a principal disadvantage of 802.11a relative to 802.11b. In particular, 5 GHz waves are more
vulnerable to absorption by building materials, such as drywall and concrete.

Antenna Considerations
Antenna options vary greatly for 5 GHz and 2.4 GHz devices. Currently, regulations mandate that
antennas must be integral to some 5 GHz transmitting devices. Therefore, vendors can only sell 802.11a
devices with antennas that are attached to, and not removable from, the device itself. On the other
hand, organizations can select from a wide variety of antenna options for 2.4 GHz devices. These
antennas may be attached to the transmitting device or can exist separately, attached via a cable. This
antenna placement can seriously impact system installation and range. For instance, with a 2.4 GHz
network, organizations have the option to securely locate APs out of sight and cable out to a remote
antenna. They also have the ability to house the device in a protective enclosure, which can prolong its
life. The antenna restrictions imposed upon 5 GHz devices remove these options. Therefore, installation
might be more complicated, overall range might be reduced, and implementation costs might be higher.


Most of the vendors are making products that can operate in UNII-1 and UNII-2 bands either separately
or simultaneously. When operating simultaneously, FCC regulations for fixed UNII-1 antennas apply to
such products.
Assuming equivalent environments, and holding transmitter power, antenna gain, and data rates constant, 2.4
GHz offers roughly double the range of 5 GHz. This is explained by the physics of radio wave
propagation, which dictates that, all other things being equal, a higher frequency signal will have a
reduced range compared to a lower frequency signal.

Technology Selection Summary


In general, 2.4 GHz 802.11b technology has an advantage over 802.11a, primarily because
802.11b-compliant devices deliver a greater range than 802.11a technology (see Table 3-3, Table 3-4, and
Figure 3-3). There are several reasons for this difference:

The 2.4 GHz wave is about double the length of the 5 GHz wave.

5 GHz waves are more vulnerable to absorption by building materials, such as drywall and concrete.

Regulations restrict the transmit power and antenna possibilities in the 5 GHz range.

With reduced range, companies may have to deploy a greater number of 802.11a-compliant APs to
cover a designated area, which can lead to higher hardware costs.

Combined, these factors favor 802.11b devices.


Implementers are allowed five times less power in the 5 GHz band (compared with 2.4 GHz
implementations) and face more stringent Es/No requirements in 802.11a due to the higher data rate. The
receiver sensitivity falls to -68 dBm at a 54 Mbps data rate, compared to -85 dBm at an 11 Mbps data
rate. There is simply more attenuation in the air in the 5 GHz spectrum. However, if you use standard
Rubber Duck antennas (2.2 dBi) with 802.11b products as compared to the 6 dBi attached antennas for
802.11a (and use similar data rates in 802.11a and 802.11b, such as 12 Mbps for 5 GHz and 11 Mbps for
2.4 GHz), range and throughput are similar. One contributing factor here is that the gain of the 802.11b
client card is almost 0 dB, while the gain of the 802.11a CardBus card is 5 dBi. Also, on the AP side, the 6 dBi
antenna is used in the 5 GHz spectrum, compared to the 2.2 dBi antenna at 2.4 GHz. Above all, OFDM
modulation copes with multipath more effectively.
Table 3-3 Typical Values of Ranges for 802.11b with Rubber Duck Antenna

Data Rate (Mbps)   Indoor Range (Feet)   Outdoor Range (Feet)
1                  350                   2000
11                 150                   800

Table 3-4 Typical Values of Ranges for 802.11a with Omni Antenna

Data Rate (Mbps)   Indoor Range (Feet)   Outdoor Range (Feet)
6.0                170                   1000
18.0               130                   600
54.0               60                    100


Figure 3-3 Range Comparisons for 802.11a and 802.11b with Cisco AP

5 GHz / 40 mW (802.11a): 170' @ 6 Mbps, 150' @ 9 Mbps, 140' @ 12 Mbps, 130' @ 18 Mbps,
120' @ 24 Mbps, 100' @ 36 Mbps, 80' @ 48 Mbps, 60' @ 54 Mbps
2.4 GHz / 100 mW (802.11b): 350' @ 1 Mbps, 250' @ 2 Mbps, 180' @ 5.5 Mbps, 140' @ 11 Mbps

802.11g will use the same band as 802.11b, so the same 802.11b regulations apply. The draft is still under
development and there is no product available. 802.11g will not have better range than 802.11b, due
to higher Es/No requirements (associated with its inherently higher available data rates).
Organizations must weigh each factor when selecting a wireless technology. In some cases, sheer
performance and capacity favor the 802.11a standard implementation. In other cases, vendor support,
range and implementation advantages lead to a selection of 802.11b technology. The decision depends
on the organization's type of activity, mission, and plans for the future, while weighing cost and
function requirements.
These competing wireless standards leave many companies wondering which wireless technology to
embrace. The Cisco Aironet 1200 Series eliminates this concern. The dual-band design supports both
established and emerging wireless standards, letting companies implement WLANs without
compromise. With the Cisco Aironet 1200 Series, organizations are assured that they will have the right
technology both for today and far into the future.


Cisco WLAN RF Product Selection Considerations


The Cisco Aironet WLAN suite consists of a number of products designed for a variety of WLAN
applications. This section presents summaries of the following Cisco WLAN product types:

Access Points, page 3-11

Client Adapters, page 3-12

Workgroup Bridges, page 3-13

Wireless Bridges, page 3-14

Note

The Cisco Aironet WLAN portfolio is constantly changing. Please refer to the Cisco Product Catalog
for up-to-date information. The different products can be seen on the Wireless Network Business Unit web site:

http://www.cisco.com/en/US/products/hw/wireless/index.htmll

Access Points
An access point (AP) is typically the center point in a wireless network and the connection point between
a wired and wireless network. Multiple APs can be placed throughout an area to provide freedom of
movement to users equipped with WLAN client adapters.
Cisco Aironet Series APs offer state-of-the-art features that are convenient in different deployment
scenarios. Key features are:

100 mW 802.11b radio with configurable transmit power (1, 5, 20, 30, 50, and 100 mW).

40 mW 802.11a radio with configurable transmit power (40, 30, 20, 20, 10, 5 mW).

Auto-selecting or configurable data rates.

Support for inline power over Ethernet and standard power (a power injector module is supplied as
standard for cases where inline power is not available). Cisco APs currently use the Cisco power
discovery method (802.3af is not yet a standard). Cisco intends to support both modes.

Cisco 802.11a APs offer a unique 5 GHz articulating antenna incorporating high-gain,
omni-directional diversity antennas and hemispherical patch antennas to deliver two distinct
coverage patterns depending on the antenna position.

802.11b diversity antenna options include either non-removable 2.2 dBi diversity dipoles (internal
antennas) or remote antenna connections via two RP-TNC connectors.

Diversity antennas for both the 2.4 GHz and 5 GHz radios ensure optimum performance in
high-multipath environments such as offices, warehouses, and other indoor installations.

Auto-sensing 10/100BaseT Ethernet connection.

IEEE 802.1x based security architecture.

Auto-roaming between APs within a single network (subnet or VLAN).

World Mode: Enables clients to transparently roam to other countries with different channel
frequencies and transmit power regulations.


Because the medium is wireless, the security features in the Cisco Aironet Series APs provide support for
the latest 802.1x security standards. In addition, the inherent upgradability of the Cisco Aironet Series
AP facilitates adopting new wireless security standards as they become available (by upgrading the
firmware or radios).

Note

Please see the associated data sheets at http://www.cisco.com for specific product information.

Client Adapters
Client adapters connect a variety of devices to a WLAN. Based on Direct Sequence Spread Spectrum
(DSSS) technology and operating in the 2.4 GHz band, the Cisco Aironet 350 Series client adapters
comply with the IEEE 802.11b standard, ensuring interoperability with all other compliant WLAN
products. For 2.4 GHz 802.11b cards, two form factors are supported:

PCMCIA for Notebook PCs and PDAs: This is a standard PCMCIA product with an attached end cap
antenna.

PCI for Desktop PCs: The PCI card has the standard Cisco Aironet RP-TNC connector and can be
used with all of the Cisco Aironet external antennas.

802.11a Cardbus Client Card


The Cisco Aironet 5 GHz 54 Mbps WLAN client adapter is an IEEE 802.11a-compliant CardBus adapter
that operates in the UNII-1 and UNII-2 bands. The client adapter complements the Cisco Aironet 1200
Series 802.11a AP, providing a solution that combines performance and mobility with the security and
manageability that enterprises require. The integrated 5 dBi gain patch antenna optimizes range.

Note

The 802.11a CardBus card has greater antenna gain (5 dBi) as compared to the 0 dBi gain of 802.11b cards.

Enhanced Client Network Management Features with Extended Client Support


All Cisco wireless client adapters include the Cisco Aironet Client Utility (ACU), a tool with a graphical
user interface for configuring, monitoring, and managing an adapter. The ACU includes site survey tools
that produce detailed graphical information, including signal strength, to assist in the correct placement
of APs. The ACU provides improved, quantifiable data, including signal-to-noise ratio measured in
decibels (dB), and signal level and noise level measured in decibels referenced to one milliwatt (dBm). Using the ACU,
a user can create a profile of settings for each environment, such as the office or home, making it simple
for telecommuters and business travelers to reconfigure the adapter when moving from one environment
to another. A user can configure channel selection, service set identifier (SSID), WEP key, and
authentication method for each of these locations.
A broad suite of device drivers provides support for all popular operating systems, including Windows
98, Windows 2000, Windows ME, Windows CE, Mac OS 9.x, Mac OS X, and Linux.


Workgroup Bridges
Workgroup bridges provide wired network connectivity to workgroups through a wireless network
connection to a central site. The Cisco Aironet 350 Series Workgroup Bridge supports up to eight
downstream devices, such as PCs, printers and notebook computers, through an Ethernet hub or
switch connected to its Ethernet port. This is a MAC address limitation, so the workgroup can be
extended beyond eight devices by placing a router between the workgroup bridge and the hub.
The workgroup bridge can peer wirelessly with either an AP or a wireless bridge. The workgroup bridge
to wireless bridge configuration is applicable to outdoor point-to-point campus connections. The
workgroup bridge to AP configuration is applicable to shorter range, multi-access solutions where the
AP may peer with other workgroup bridges and client adapters.
The various applications of workgroup bridges are illustrated in Figure 3-4 and Figure 3-5.
Figure 3-4 Mobile Ethernet Enabled User (Ethernet-enabled laptop connected through a workgroup
bridge to a wireless access point, switch, wired network backbone and the Internet)


Figure 3-5 Remote Workgroup (PCs, laptops, a printer, a server and a point-of-sale register on a hub
behind a workgroup bridge, connected through a wireless access point and switch to the wired network
backbone)

Wireless Bridges
Wireless bridges (or simply bridges) are used to wirelessly connect two networks (usually in different
buildings). Refer to Figure 3-6. With appropriate selection of antennas and a clear line of sight, range can
extend up to 25 miles at 11 Mbps. It should be noted that only bridges have this extended range
capability. The extended range is achieved by operating outside the IEEE 802.11 timing specifications.
The link from an AP (conforming to 802.11b) to any client is limited to a one-mile range, irrespective of transmit
power, cable, and antenna combinations.
Cisco Aironet Bridges support a superset of AP functionality and can operate in either bridge or AP
mode depending upon the requirement.


Figure 3-6 Typical Bridge Application Connecting Buildings Across a Campus or Metro Area

Note

APs cannot be used to bridge two wired networks.


Chapter 4

WLAN Security Considerations


As network administrators begin to deploy WLANs, they are faced with the challenge of trying to secure
these environments while providing maximum flexibility for their users. This chapter provides details
regarding deployment of the Cisco Secure Enterprise WLAN solution. It is divided into the following
separate sections:

Security Deployment Models, page 4-1

Cisco WLAN Security Options and Recommendations, page 4-7

Security Deployment Models


The security model selected for a given WLAN implementation has a substantial impact on the overall
WLAN design. Three enterprise-oriented WLAN Extension security models are presented in this design
guide:

• WLAN LAN Extension 802.1x/EAP, page 4-2
• WLAN LAN Extension IPSec, page 4-3
• WLAN Static WEP Keys, page 4-5

The goal of a WLAN LAN Extension network is for the WLAN access network to transparently provide
the same applications and services as the wired access network. Each WLAN Extension discussion that
follows addresses the following types of transparency:

• Security Transparency: Do the selected security capabilities seamlessly provide WLAN network
security equivalent to wired networks?
• Application Transparency: Are the supported WLAN network applications identical to
applications on a wired network?
• Performance Transparency: Does the WLAN deliver application performance that matches wired
network performance?
• User Transparency: Are users of the WLAN forced to perform network-specific operations to use
the WLAN?


WLAN LAN Extension 802.1x/EAP


This discussion presents WLAN Extension 802.1x/EAP deployment in terms of the following key topics:

• Security Transparency, page 4-2
• Application Transparency, page 4-3
• Performance Transparency, page 4-3
• User Transparency, page 4-3

Security Transparency
An 802.1x/EAP implementation of WLAN LAN Extension operates at the link layer (Layer 2) to provide
authentication, authorization, accounting, and encryption. Figure 4-1 shows a schematic of the
802.1x/EAP WLAN.
The security level provided is beyond that provided on most wired networks, providing link layer
encryption and Authentication, Authorization, and Accounting (AAA) access control. This is provided
as follows:

• Authentication occurs between the client and the authentication server. Several different EAP types
(EAP-Cisco, EAP-TLS, EAP-TTLS, PEAP) are supported, allowing the Enterprise to choose the
authentication type that best suits its needs.
• Encryption is at the link layer between the WLAN client and the AP. The current encryption
mechanisms available are Wired Equivalent Privacy (WEP) and WEP plus TKIP and MIC. Future
mechanisms include Wi-Fi Protected Access (WPA) and Advanced Encryption Standard (AES). The
encryption keys are automatically derived during the authentication process.
• Authorization is controlled by the VLAN membership in combination with the access controls
applied at the access router terminating the VLAN.
• Accounting is provided by the RADIUS accounting communicated by the APs to the RADIUS
server.

Figure 4-1 WLAN LAN Extension 802.1x/EAP
[Figure: WLAN client to AP over 802.1x/EAP: authentication, accounting, encryption; enterprise network: authorization.]


Application Transparency
As illustrated in Figure 4-1, the WLAN connects at the access layer. Once the WLAN client traffic leaves
the AP, it is the same as wired traffic, subject to the same access control, queuing, and routing. This
achieves the WLAN LAN extension goal of supporting the same applications as the wired network. Any
inability to run applications from the wired network over the WLAN network would be the result of
policies or the fundamental limitations of the WLAN, not of the 802.1x/EAP architecture.

Performance Transparency
A WLAN has a lower bit rate and lower throughput than most Enterprise wired LANs. Therefore,
providing equivalent performance for all applications over the WLAN can be a challenge. The strategy
to minimize differences in application performance between the wired and wireless network is to utilize
the QoS tools available on the WLAN and the APs. Those applications identified as being sensitive to
network throughput and delay can be classified and scheduled as required. Load balancing and
admission control tools on the WLAN can optimize the usage of the available WLAN resources.

User Transparency
The different EAP types in 802.1x/EAP allow enterprises to choose an authentication mechanism that
best matches security requirements. This allows the integration of the 802.1x/EAP into existing user
behavior. Many organizations enforce stronger authentication mechanisms on WLAN networks
(compared to wired networks), due to reduced physical security in the WLAN. Authentication on the
wired network is expected to catch up with WLAN networks, with organizations using 802.1x/EAP
mechanisms to enhance wired network security.

WLAN LAN Extension IPSec


The use of IPSec VPN tunnels is an alternative to an 802.1x/EAP implementation. Network designers might
choose this implementation over an 802.1x/EAP solution for security policy reasons. IPSec is a
well-established standard that is endorsed by a number of security organizations, and it is a regulatory
requirement in some situations.
The primary advantage of an IPSec-based VPN solution is the encryption mechanism. IPSec includes
support of Triple Data Encryption Standard (3DES) and AES encryptions, whereas 802.1x/EAP
currently relies upon WEP or proprietary WEP plus TKIP and MIC.
A WLAN LAN Extension IPSec solution is considered more difficult to implement than an 802.1x/EAP
solution. The network topology up to the VPN concentrator is considered untrusted and an appropriate
security policy must be created, configured, and maintained at all points that touch this untrusted
network.
The remainder of this discussion presents WLAN Extension IPSec deployment in terms of the following
topics:

• Security Transparency, page 4-4
• Application Transparency, page 4-4
• Performance Transparency, page 4-4
• User Transparency, page 4-5


Security Transparency
WLAN LAN Extension via IPSec provides AAA-equivalent features to 802.1x/EAP solutions. Refer to
Figure 4-2. Key elements are as follows:

• Authentication occurs between the client and the VPN concentrator. Multiple authentication types
are supported within the IPSec framework.
• Encryption is at the network layer using 3DES or AES, and is negotiated between the client and the
VPN concentrator.

In addition to the inherent WLAN LAN Extension IPSec security features associated with this
implementation, VPN capabilities provide additional AAA-related security capabilities:

• Authorization is controlled by the VPN concentrator and is determined at the time of authentication.
Policy is provided by the authentication server.
• Accounting is provided by RADIUS accounting software on both the VPN concentrator and the
authentication server.

Figure 4-2 WLAN LAN Extension IPSec
[Figure: WLAN client to enterprise network over an IPSec tunnel: authentication, encryption, accounting, authorization.]

Application Transparency
As can be seen in Figure 4-2, WLAN traffic is transported over an IPSec tunnel to the VPN concentrator.
This can affect application transparency:

• Protocol Limitations: Only the IP protocol is supported; the network is not multi-protocol.
• Address Translation: The IPSec client performs a form of address translation between its local IP
address and that allocated by the VPN concentrator. This can impact the operation of some
applications.
• No Multicast: The connection to the VPN concentrator is point-to-point; multicast applications are
not supported.

Performance Transparency
Providing equivalent performance for all applications over the WLAN can be a challenge, because a
WLAN has a lower bit rate and a lower throughput than most Enterprise wired LANs. The use of IPSec
VPN tunnels introduces some additional considerations:

• MTU size: The MTU size of packets must be adjusted to incorporate IPSec overhead.
• Processing Overhead: Clients incur processing overhead from IPSec VPN. However, this should
not be noticeable on most target platforms.
• Traffic Classification and QoS Considerations: Type of Service (ToS) and
differentiated-services-code-point (DSCP) values are projected from client packets into the IPSec
packets. As a result, QoS preference can be acted upon, but no classification of traffic is possible
while the traffic is IPSec encrypted.
• Traffic Scheduling: All queuing at the VPN concentrator is handled on a first-in-first-out basis.
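The MTU adjustment in the first consideration above, worked through as an added example (not code from the design guide): it computes the ESP tunnel-mode overhead for the 3DES and AES ciphers the IPSec model relies on, and the largest client packet that still fits a 1500-byte Ethernet MTU without fragmentation. Header, IV, padding and ICV sizes are the standard ESP values (NAT-T adds the UDP header of RFC 3948); the function and constant names are constructed for this example.

```python
"""ESP tunnel-mode overhead and inner-MTU calculator (added example, not from the design guide).

Models the "MTU size" consideration for the WLAN LAN Extension IPSec model:
every client packet grows by an outer IP header, the ESP header, the cipher IV,
padding to the cipher block size, the ESP trailer and the integrity check value
(plus a UDP header when NAT traversal is in use). Sizes are the standard ESP
values for 3DES/AES-CBC with HMAC-MD5-96/SHA1-96; all names are constructed here.
"""
from dataclasses import dataclass

IPV4_HEADER = 20     # outer header added in tunnel mode
UDP_HEADER = 8       # only with NAT-T (ESP in UDP/4500, RFC 3948)
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# cipher -> (block size the padding must reach, IV length in bytes)
CIPHERS = {
    "3des-cbc": (8, 8),
    "aes-128-cbc": (16, 16),
    "aes-256-cbc": (16, 16),
}
# integrity algorithm -> truncated ICV length in bytes
INTEGRITY = {"hmac-md5-96": 12, "hmac-sha1-96": 12}


@dataclass(frozen=True)
class EspSizing:
    inner_len: int   # plaintext IP packet handed to IPSec by the client stack
    padding: int     # ESP padding bytes added to reach a block multiple
    outer_len: int   # encapsulated packet as it leaves the client


def esp_tunnel_size(inner_len: int, cipher: str = "3des-cbc",
                    integrity: str = "hmac-sha1-96", nat_t: bool = False) -> EspSizing:
    """Size of the ESP tunnel-mode packet carrying an inner packet of inner_len bytes."""
    block, iv_len = CIPHERS[cipher]
    icv_len = INTEGRITY[integrity]
    # The encrypted region (payload + padding + trailer) must be a multiple of the block size
    padding = (-(inner_len + ESP_TRAILER)) % block
    outer_len = (IPV4_HEADER + (UDP_HEADER if nat_t else 0) + ESP_HEADER + iv_len
                 + inner_len + padding + ESP_TRAILER + icv_len)
    return EspSizing(inner_len, padding, outer_len)


def max_inner_mtu(link_mtu: int = 1500, cipher: str = "3des-cbc",
                  integrity: str = "hmac-sha1-96", nat_t: bool = False) -> int:
    """Largest inner packet whose encapsulated form still fits link_mtu without fragmentation."""
    # Padding makes outer_len jump in block-size steps, so walk down instead of solving a formula
    for inner_len in range(link_mtu, 0, -1):
        if esp_tunnel_size(inner_len, cipher, integrity, nat_t).outer_len <= link_mtu:
            return inner_len
    raise ValueError("link MTU leaves no room for a payload")


if __name__ == "__main__":
    # A 1500-byte client packet over 3DES/SHA1 becomes 1552 bytes on the wire (52 bytes of
    # overhead), so the client MTU must drop to 1446 to avoid fragmentation on a 1500-byte link.
    print(esp_tunnel_size(1500))
    print(max_inner_mtu(), max_inner_mtu(cipher="aes-128-cbc", nat_t=True))
```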

User Transparency
The Cisco IPSec VPN client has a number of features that aid user transparency, thereby providing
equivalent services to those available with 802.1x/EAP solutions:

• Auto Initiation: The VPN client can be configured to automatically launch for particular address
ranges. In an enterprise, this would be configured to launch within the Enterprise WLAN address
ranges.
• OS Integration: The VPN client can capture username and password information at login and use
these as part of the VPN client login. This is similar to the process used in EAP-Cisco. As an
alternative, the VPN client can use stored certificates associated with a specific user, similar to
EAP-TLS. These features coupled with Auto Initiation should provide a high level of user
transparency.

WLAN Static WEP Keys


Static WEP key implementation (see Figure 4-3) is not recommended for general purpose WLAN LAN
Extension networks because of known weaknesses in the WEP encryption algorithms, and because of
the difficulty in configuring and maintaining static keys. Certain client devices are only capable of
supporting static keys. These clients should be put on a separate WLAN VLAN and have their
authorization limited to addresses and protocols specific to the application supported by the Static WEP
client. If possible, WEP plus TKIP and MIC should be used in preference to WEP, because WEP plus
TKIP and MIC provides increased security features.
The remainder of this discussion presents WLAN Static WEP key deployment in terms of the following
topics:

• Security Transparency, page 4-6
• Application Transparency, page 4-6
• Performance Transparency, page 4-6
• User Transparency, page 4-6

Figure 4-3 WLAN Static WEP
[Figure: WLAN client to enterprise network with static WEP: encryption; enterprise network: authorization.]

Security Transparency
Security issues related to static WEP key implementations:

• Weak Authentication: Any hardware device with a matching configuration and WEP key may join
the network. The static WEP key authenticates a group of devices, never individual users.
• Encryption Limitation: Encryption is at the link layer between the WLAN client and the AP. The
current encryption mechanisms available are WEP and WEP plus TKIP and MIC. If possible, WEP
plus TKIP and MIC should be used.
• Authorization Limitation: Authorization is controlled by the VLAN membership associated with
the static WEP key.
• Accounting: Not available.

Application Transparency
As illustrated in Figure 4-3, the WLAN connects at the access layer. Once the WLAN client traffic leaves
the AP, it is the same as wired network traffic, subject to the same access control, queuing, and routing.
WLAN Static WEP solutions should be limited to the specialized applications that the Static WEP client
supports. The network would appear transparent to this application, but access for all other applications
should be blocked.

Performance Transparency
To minimize differences in application performance between the wired and wireless network, utilize the
QoS tools available on the WLAN and the APs. Those applications identified as being sensitive to
network throughput and delay can be classified and scheduled as required. Load balancing and
admission control tools on the WLAN can optimize the usage of the available WLAN resources.

User Transparency
Static WEP requires no authentication and should be transparent to the supported applications and users.
The static WEP key only becomes an issue for the user if the user is required to change it.

Cisco WLAN Security Options and Recommendations


This section provides a high-level overview of Cisco's various WLAN security options and presents
recommendations for secure deployments in Enterprise networks. This overview of WLAN security
options consists of the following sections:

• Understanding Overall Network Security, page 4-7
• Flexible WLAN Security using VLANs, page 4-7
• Headquarters/Campus WLAN Deployment, page 4-8
• Branch Office WLAN Deployment, page 4-12
• Additional Security Considerations, page 4-13

Understanding Overall Network Security


The key to understanding WLAN security is to understand the overall picture of the network to be
secured. This discussion focuses on Enterprise security by addressing the following topics:

• "Flexible WLAN Security using VLANs" section on page 4-7
• "Headquarters/Campus WLAN Deployment" section on page 4-8
• "Branch Office WLAN Deployment" section on page 4-12

A WLAN can be looked at as another access technology in the overall network architecture. It integrates
into the overall end-to-end Cisco AVVID architecture. In addition, Cisco's WLAN architecture
integrates into Cisco's overall 802.1x/EAP Identity-Based Networking architecture.
Cisco's WLAN security provides the following benefits:

• Flexible model allowing dynamic or static WEP key-management.
• 802.1x user authentication for networking devices. This model is also used for wired connectivity.
• Enhancements beyond the basic security model defined in 802.11. This includes user-based
authentication, mutual-authentication, dynamic WEP-key rotation, and TKIP and MIC to prevent
WEP key spoofing and hacking.

These features combine to provide Cisco with the most flexible WLAN security offering in the industry,
allowing implementers to choose the architecture that best matches specific security requirements and
deployed equipment.

Flexible WLAN Security using VLANs


Just as Cisco's AVVID architecture provides enhanced QoS for VoIP using dedicated VLANs for voice
and data, VLAN support on the APs and Catalyst Switches allows multiple WLAN security domains to
be created. This allows multiple types of WLAN security to be mixed and matched on the same Cisco
AVVID network infrastructure. Refer to Figure 4-4.

Figure 4-4 Using VLANs to Create Multiple WLAN Security Domains
[Figure: one AP serving several wireless VLANs against Cisco Secure ACS 3.1: VLAN 10 PEAP_Authentication for Developer, VLAN 30 EAP-Cisco_Authentication for Human resources, and Teleworker and Guest or contractor users on VLAN 21 (WEP_Authentication) and VLAN 99 (Open_Authentication).]

In addition to VLANs having the flexibility to create multiple WLAN security domains for flexible
deployments, they also allow flexible migrations from older WLAN security to updated standards or
products. This is not only possible because of VLANs, but also because Cisco APs and Cisco Secure
ACS support simultaneous WLAN security such as EAP-Cisco, EAP-TLS, PEAP and EAP-Subscriber
Identity Module (EAP-SIM). In addition, Cisco Aironet 802.11 NICs support multiple types of WLAN
security, including EAP-Cisco and PEAP.

Headquarters/Campus WLAN Deployment


The 802.11 standard specifies 40-bit WEP as the security mechanism for WLAN networks.
Unfortunately, many independent security reports have proven that, by itself, WEP's security can be
compromised. Because of this, several steps must be taken to allow a WLAN network to be securely
deployed.
The limitations of WEP include the following:

• WEP does not define a mechanism for dynamic key-management. This means that the WEP keys
must be manually configured on each device and, if a device is lost or stolen, all devices must be
revisited to update the WEP key.
• WEP does not provide a mechanism for user-based authentication, only device-based. This
means that the network authentication is based on the physical device, which could be stolen or lost.


• WEP does not define a mechanism to dynamically rotate the WEP keys. This means that if a WEP
key is hacked or stolen, it can be used by a hacker to falsely authenticate with the network.
• WEP does not prevent man-in-the-middle or bit-flipping attacks. This means that a hacker could
intercept data between two users and manipulate the content of that data.
• It has been demonstrated that a key can be derived by passively capturing and processing a sufficient
number of WEP-encrypted packets.

To overcome these limitations, Cisco implemented WLAN security based on 802.1x and EAP
Authentication. 802.1x provides a Layer 2 authentication mechanism and carries the user authentication
that is passed with EAP. Refer to Figure 4-5.
Figure 4-5 WLAN Security based on 802.1x and EAP Authentication
[Figure: a WLAN client over 802.11 and a wired client over Ethernet both carry EAP inside 802.1x to the AP or switch, which relays the EAP_Authentication to Cisco Secure ACS 3.1 over RADIUS.]

While Cisco's APs and Cisco Secure ACS support multiple EAP authentication types[1], EAP-Cisco,
EAP-TLS and PEAP are currently supported end-to-end when using Cisco Aironet or partner NICs.
EAP-Cisco provides extensions to EAP to provide user-based authentication, mutual authentication and
integration with Windows user-databases. EAP-Cisco is supported on all Cisco WLAN products, and is
also licensed to several partners including Apple and Symbol.
PEAP and EAP-TLS are IETF drafts that have been proposed by Cisco, Microsoft and RSA (refer to
http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-05.txt). PEAP provides a
multi-vendor authentication mechanism that provides a superset of functionality beyond EAP-Cisco. It
works with multiple vendors' equipment, as well as multiple types of user-databases including
Microsoft, LDAP, OTP, RADIUS and NDS. EAP-TLS uses certificate-based authentication (refer to
http://www.ietf.org/rfc/rfc2486.txt?number=2486). EAP-TLS is a multi-vendor authentication
mechanism that provides authentication based on user and server certificates, and effectively integrates
into an existing networking scheme employing a Public-Key Infrastructure (PKI).

Note

Not all OSs currently support 802.1x and EAP supplicants (clients). Support is currently available in
Windows XP and will be available via Service Packs on other Windows OSs. With this in mind, Cisco
recommends using EAP-Cisco or PEAP as the security mechanism for headquarters/campus WLAN
deployments.
Beyond overcoming the limitations of WEP, network administrators must also be concerned with three
issues in WLAN deployments in the campus:

• Providing integration with the rest of the wired network.
• Preventing rogue APs from being deployed in their network.
• Providing guest access to non-company users (such as contractors and vendors).

[1] EAP-SIM is also supported, but would not normally be used in Enterprise environments.

These issues are addressed by using 802.1x authentication. 802.1x provides link-layer authentication of
network devices, which is verified against a RADIUS server (Cisco Secure ACS).
Figure 4-6 presents a generalized illustration of an ACS-based environment.
802.1x is available on Cisco Catalyst Switches. It allows ports on the Catalyst Switches to determine
whether connected devices (such as PCs and IP phones) should gain access to the network based on their
user credentials. 802.1x is also used between WLAN clients and Aironet APs to pass user-authentication
information for EAP-Cisco. This use of 802.1x, EAP and RADIUS provides the integrated link-layer
authentication that is the foundation for Identity-Based Networking and Secure WLAN deployments.
Figure 4-6 Cisco's 802.1x/EAP Architecture for Wired and Wireless Networks
[Figure: campus switches and APs throughout the network authenticate wired and wireless clients against Cisco ACS servers.]

In addition to user authentication, 802.1x can be used as a mechanism to prevent rogue APs from being
added to the network. Currently, Cisco Aironet APs do not support an 802.1x supplicant (802.1x
client), but the expectation is that they would be deployed at a ratio of one AP per 20 to 25 users. This
means that the number of wired devices supporting 802.1x would be considerably greater than the number
of APs deployed. With this in mind, 802.1x can be enabled on all Catalyst Switch ports except for those
connected to Cisco Aironet APs. This forces any rogue AP to authenticate via 802.1x, which it cannot do,
so the Catalyst Switch port blocks its access to the network. Refer to Figure 4-7.
Figure 4-7 Preventing Rogue APs using 802.1x on Cisco Catalyst Switches
[Figure: 802.1x is disabled only on the authorized AP switch ports and pushed to the WLAN edge; the authorized AP connects normally, while a rogue AP is locked out after failed authentication.]

Finally, by combining the VLAN functionality and 802.1x authentication on the Cisco Catalyst Switches
and Aironet APs, guest access can be provided to non-authorized users and devices. Some Catalyst
Switches support only allow and deny, while others support allow, deny, guest, and VLAN selection
based on the 802.1x authentication. The ability to change the VLAN of the switch port gives network
administrators the ability to designate certain VLANs for guest access (refer to Figure 4-8). This guest
access can then be further filtered or firewalled to allow only Internet or other restricted network access
to the specific users. Refer to Chapter 10, "WLAN Guest Network Access," for more information about
Guest Access WLANs.
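The VLAN selection described above, together with the RADIUS-based authorization and accounting of the 802.1x/EAP model earlier in this chapter, as an added example (not code from the design guide or from Cisco Secure ACS): it builds the RADIUS Access-Accept that an authentication server returns after a successful 802.1x/EAP exchange, carrying the RFC 2868 tunnel attributes a switch or AP reads to place the port or client in a VLAN, and verifies the reply the way the authenticator does with the shared secret (RFC 2865). Function names, the user name, the shared secret and the request authenticator are constructed for this example.

```python
"""RADIUS Access-Accept carrying a VLAN assignment (added example, not from the design guide).

After a successful 802.1x/EAP exchange the authentication server answers the
switch or AP (the authenticator) with an Access-Accept. RFC 2868 tunnel
attributes in that reply tell the authenticator which VLAN the port or client
belongs to; the reply is bound to the request and to the shared secret by the
RFC 2865 Response Authenticator. All names and sample values are constructed.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_TUNNEL_TYPE = 64                 # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
HEADER_LEN = 20                       # code, id, length, 16-byte authenticator


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV: type (1 byte), length including the 2-byte header, value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE 802, Tunnel-Private-Group-ID=<vlan>.

    Tagged attributes start with a 1-byte tag (0 = untagged); the integer
    values occupy the remaining 3 bytes (RFC 2868, section 3).
    """
    tag_byte = struct.pack("!B", tag)
    return (encode_attribute(ATTR_TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + encode_attribute(ATTR_TUNNEL_MEDIUM_TYPE,
                               tag_byte + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + encode_attribute(ATTR_TUNNEL_PRIVATE_GROUP_ID,
                               tag_byte + str(vlan_id).encode("ascii")))


def build_access_accept(identifier: int, request_authenticator: bytes, secret: bytes,
                        user_name: str, vlan_id: int) -> bytes:
    """Access-Accept as the authentication server sends it (RFC 2865, section 3)."""
    attrs = encode_attribute(ATTR_USER_NAME, user_name.encode("utf-8")) + vlan_attributes(vlan_id)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_access_accept(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Authenticator-side check: the reply must match the outstanding request and the secret."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def assigned_vlan(packet: bytes):
    """VLAN id from an already verified Access-Accept, or None if no usable triple is present."""
    attrs, pos, found = packet[HEADER_LEN:], 0, {}
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute")
        found[attr_type] = attrs[pos + 2:pos + length]
        pos += length
    tunnel_type = found.get(ATTR_TUNNEL_TYPE)
    medium = found.get(ATTR_TUNNEL_MEDIUM_TYPE)
    group = found.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if not (tunnel_type and medium and group):
        return None
    if (int.from_bytes(tunnel_type[1:], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(medium[1:], "big") != TUNNEL_MEDIUM_IEEE_802):
        return None
    # A leading byte of 0x1F or below is a tag, not part of the VLAN string (RFC 2868, 3.6)
    if group[0] <= 0x1F:
        group = group[1:]
    return int(group) if group.isdigit() else None


if __name__ == "__main__":
    req_auth = bytes(range(16))            # constructed; a real request uses a random value
    secret = b"example-shared-secret"      # constructed placeholder
    reply = build_access_accept(42, req_auth, secret, "jdoe", 30)
    print(verify_access_accept(reply, req_auth, secret), assigned_vlan(reply))
```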

Figure 4-8 Providing Guest Access using VLANs and 802.1x on Cisco Catalyst Switches and APs
[Figure: Cisco Secure ACS 3.1 places users in VLANs according to the 802.1x result: Engineering_VLAN (VLAN 10) for Developer, HR_VLAN (VLAN 30) for Human resources, and Contractor_VLAN (VLAN 21) for Guest or contractor.]

Branch Office WLAN Deployment


Branch office WLAN deployments (see Figure 4-9) are an extension of the headquarters campus WLAN
deployment. The WLAN security requirements for branch office implementations should match those of
the headquarters campus:

• Dynamic WEP-key management and authentication via 802.1x and EAP-Cisco/PEAP
• 802.1x for rogue AP detection
• 802.1x and VLANs for guest access

Figure 4-9 Branch Office WLAN Deployments
[Figure: headquarters (IP Telephony/services) connected across a V3PN-SP core backbone and a T1 link to a branch office with its own WLAN and IP phones.]

The one additional consideration for the branch office implementation is determining whether the Cisco
ACS servers should be deployed only at the central site or at remote sites. This determination should be
made according to the WAN bandwidth (possibly affecting authentication response times), size of
deployment (possibly affecting the scalability of branch offices and branch users with respect to a central
ACS), and the administrative capabilities at the branch office.

Additional Security Considerations


This document has highlighted two concepts:

• VLANs allow multiple types of WLAN security to be deployed over a Cisco AVVID infrastructure.
• 802.1x, EAP-Cisco/PEAP and WEP plus TKIP and MIC combine to provide a secure environment
for WLAN deployment with the foundation for moving to updated standards as they become
available.

In addition to the recommendations for the headquarters campus and branch deployments discussed
here, several other Cisco technologies can be used to enhance WLAN security. These include IPSec
VPNs, firewalls, and intrusion detection systems (IDS). Refer to Figure 4-10.

Figure 4-10 Enhancing WLAN Security with IPSec VPNs, Firewalls and IDS
[Figure: Cisco Secure ACS 3.1; WLAN clients on VLAN 99 (Open_Authentication) or on a WEP_Authentication VLAN of the corporate network reach the secured corporate network through an IPSec VPN tunnel terminated on a VPN 3000 concentrator (VLAN 12).]

The Cisco SAFE architecture defines how VPNs, firewalls and IDS should be deployed for both wired
and wireless networks. Refer to:
http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html
IPSec VPNs offer an enhancement for administrators whose WLAN environment cannot provide enough
native security on its own (for example, one using open authentication or static WEP). This might involve
PC users launching the CiscoSecure VPN Client, or having all traffic from a VLAN placed into an
IPSec VPN which is then routed outside of the corporate firewall or to a specific internal server
application.

EAP Considerations for High Availability ACS Architecture


ACS redundancy and reliability are meant to address two issues:

• The ACS server should not represent a single point of failure.
• A network failure should not impact a user's ability to log on.

The first issue is a good reason to replicate the ACS database to a secondary server, allowing for failover
and maintenance. This redundancy configuration should be implemented in almost all cases.
The second issue covers the case in which it is critical to use the local WLAN even in the event of a network
failure preventing access to a remote ACS server. Whether this second use of replication is implemented
depends on the application architecture of the enterprise. For example, if the applications that the users
want to reach are also remote, little is gained by being able to use the WLAN.


The ACS Architecture


The ACS strategy must consider how the entire enterprise will be structured, rather than just the campus.
A key consideration is the location of AAA databases. It is essential that, assuming a database that is
distributed across the enterprise, the ACS strategy reflect an approach in which the elements of the ACS
architecture are carefully analyzed, designed, and implemented for authentication systems associated
with file services throughout the enterprise. This assessment should be the starting point for the ACS
deployment strategy. In an ideal situation, the existing infrastructure can provide the usernames,
passwords, and profiles to the ACS servers. The implementation of an ACS architecture-based
infrastructure is currently limited to systems that store the password using MS-CHAP, such as Microsoft
servers.
The main point to be aware of in this strategy is that the ACS model is a replication model, not a
synchronization model. This model might conflict with the administration processes currently in place,
as updates must be made on the root server, and administrators on this server have global rights.

Example Architecture
Figure 4-11 shows an example of what an ACS architecture might look like. Campus A holds the
authoritative ACS database server. This server is replicated to the other Enterprise ACS servers. APs
communicate with the two local ACS servers.
Campus B, because of its size and distance from Campus A, has opted for another two ACS servers
(thus providing its own backup). Campus C, being smaller and closer to Campus A, has opted to have
only one server, and relies on Campus A for backup. The branch offices use the ACS servers that are the
shortest network distance from them.

Figure 4-11 Example Enterprise ACS Architecture
[Figure: ACS servers at Campus A, two ACS servers at Campus B, one ACS server at Campus C, and branch offices; replication links between the ACS servers and AP-ACS communication from the APs.]

CHAPTER 5

Wireless LAN VLANs


This chapter focuses on the implementation of virtual local area networks (VLANs) in the context of
WLAN environments. The following sections summarize key WLAN VLAN considerations:

• VLAN Background, page 5-1
• Wireless VLAN Introduction, page 5-3
• Wireless VLANs: Detailed Feature Description, page 5-6
• Guidelines for Deploying Wireless VLANs, page 5-10

VLAN Background
VLANs define broadcast domains in a Layer-2 network. Legacy networks use routers to define broadcast
domain boundaries. Layer-2 switches create broadcast domains based on the configuration of the switch.
Switches are multi-port bridges that allow the creation of multiple broadcast domains. Each broadcast
domain is a distinct virtual bridge within a switch.
VLANs have the same attributes as physical LANs, with the additional capability to group end stations
as if they were on the same physical LAN segment regardless of the end stations' geographical location.
Figure 5-1 shows an example of three wired VLANs in logically defined networks.

Figure 5-1 Example Deployment of Wired VLANs
[Figure: Engineering, HR and Marketing VLANs span Switch 1 (Floor 1), Switch 2 (Floor 2) and Switch 3 (Floor 3), interconnected by 802.1Q trunks and routed by a router.]

Single or multiple virtual bridges can be defined within a switch. Each virtual bridge created in the
switch defines a new broadcast domain (VLAN). Switch interfaces assigned to VLANs manually are
referred to as interface-based or static membership-based VLANs. This type of VLAN is often
associated with IP subnetworks. For example, when all of the end stations in a particular IP subnet
belong to the same VLAN, traffic cannot pass directly to another VLAN (between broadcast domains)
within the switch or between two switches. Traffic between VLANs must be routed.
To interconnect two different VLANs, routers are used. These routers execute inter-VLAN routing or
routing of traffic between VLANs. Broadcast traffic is then terminated and isolated by these Layer-3
devices (a router or Layer-3 Switch will not route broadcast traffic from one VLAN to another).
The two most common VLAN trunking protocols used on Cisco switches and routers are Inter-Switch
Link (ISL) and IEEE 802.1Q. ISL (Cisco-proprietary protocol) and 802.1Q (IEEE standard) are
encapsulation standards used to interconnect multiple switches and routers via trunking. For more
information on these VLAN trunking protocols, please refer to the following URL:
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:Trunking

Wireless VLAN Introduction


The concept of Layer-2 wired VLANs is extended to the WLAN with wireless VLANs. As with wired
LANs, wireless VLANs define broadcast domains and segregate broadcast/multicast traffic between
VLANs. When VLANs are not used, an IT administrator must install additional WLAN infrastructure
to segment traffic between user groups or device groups. For example, to segment traffic between
employee and guest VLANs, an IT administrator must install two APs at each location throughout an
Enterprise WLAN network (as shown in Figure 5-2). However, with the use of wireless VLANs, one AP
at each location can be used to provide access to both groups.
Figure 5-2 User Segmentation without Wireless VLANs
[Figure: without wireless VLANs each location needs two APs: AP_1A and AP_2A with SSID=Employee on VLAN 15, and AP_1B and AP_2B with SSID=Guest on VLAN 20, all connected to the enterprise network.]

With VxWorks firmware release 12.00T or Cisco IOS firmware release 12.2.4-JA, an 802.1Q trunk can
be terminated on an AP (AP 1200, AP 1100, AP 350, and AP 340) or on a bridge (BR 350), allowing
access up to 16 wired VLANs. A unique Service Set Identifier (SSID) defines a wireless VLAN on the
AP and the bridge. Each SSID is mapped to a VLAN-id on the wired side (default SSID-to-VLAN-id
mapping).
Additionally, with WLANs, a per-VLAN security policy can be defined on the AP and on the bridge by
the IT administrator. Refer to the Configuration Parameters per VLAN section on page 5-6 for
additional information regarding per-VLAN security configuration.

Wireless VLAN Deployment Overview


Wireless VLAN deployments are different for indoor and outdoor environments. For indoor deployments
(see Figure 5-3), the AP is generally configured to map several wired VLANs to the WLAN. For outdoor
environments (please refer to Figure 5-4 on page 5-5), 802.1Q trunks are deployed between bridges;
each bridge terminates and extends the 802.1Q trunk and participates in the 802.1d-based spanning-tree
protocol (STP) process.

Note

For related information regarding spanning-tree design and implementation considerations, please refer
to the Cisco AVVID Network Infrastructure: Implementing 802.1w and 802.1s in Campus Networks
SRND.

Figure 5-3  Indoor Wireless VLANs Deployment
(Figure not reproduced: AP_1 and AP_2 each connect to the Enterprise network over an 802.1Q trunk whose native VLAN is 10, the management VLAN (VLAN-id 10); both APs advertise the SSIDs Full-Time, Part-Time, Maintenance and Guest, and a RADIUS server sits on the wired network.)

In the indoor WLAN deployment scenario shown in Figure 5-3, four wireless VLANs are provisioned
across the campus to provide WLAN access to full-time employees (segmented into Engineering,
Marketing, and Human Resources user groups) and guests. Also, as shown in Table 5-1, each wireless
VLAN is configured with an appropriate security policy and mapped to a wired VLAN. An IT
administrator enforces the appropriate security policies within the wired network for these four different
user groups.
Table 5-1  Configuration for Wireless VLANs in Figure 5-3

SSID          VLAN-id   Security Policy
Engineering   14        802.1x with Dynamic WEP + TKIP
Marketing     24        802.1x with Dynamic WEP + TKIP
HR            34        802.1x with Dynamic WEP + TKIP
Guest         44        Open/no WEP

An outdoor WLAN deployment scenario is shown in Figure 5-4. In this example, wireless trunking is
used to connect the root bridge to the non-root bridges. The root and non-root bridges terminate the
802.1Q trunk and participate in the spanning-tree protocol (STP) process of bridging networks together.

Note

For related information regarding spanning-tree design and implementation considerations, please refer
to the Cisco AVVID Network Infrastructure: Implementing 802.1w and 802.1s in Campus Networks
SRND.

Figure 5-4  Outdoor Wireless VLANs Deployment
(Figure not reproduced: Bridge_1 (Root) terminates an 802.1Q trunk from Switch_1, and the non-root Bridge_2 and Bridge_3 terminate 802.1Q trunks towards Switch_2 and the remote LANs; VLANs 11, 12 and 14 are carried across the wireless trunk, which uses SSID=VLAN_14.)

Wireless VLANs: Detailed Feature Description


This section details the VLAN features available with VxWorks firmware release 12.00T and Cisco IOS
firmware release 12.2.4-JA. With these releases, an 802.1Q trunk can be enabled between the AP/bridge
and the wired infrastructure allowing up to 16 wired VLANs to be extended to the WLAN. The
discussion is split into the following sections:

Configuration Parameters per VLAN, page 5-6

Broadcast Domain Segmentation, page 5-7

Native (Default) VLAN Configuration, page 5-7

Primary (Guest) and Secondary SSIDs, page 5-8

RADIUS-based VLAN Access Control, page 5-8

Configuration Parameters per VLAN


As discussed in the Wireless VLAN Introduction section on page 5-3, a per-VLAN security policy can
be defined on the AP to allow the IT administrator to define appropriate restrictions per VLAN. The
following parameters are configurable on the SSID (wireless VLAN):

SSID Name: configures a unique name per wireless VLAN.

Default VLAN ID: default VLAN-ID mapping on the wired side.

Authentication Types: Open, Shared, and Network-EAP types.

Media Access Control (MAC) Authentication: under Open, Shared, and Network-EAP.

EAP Authentication: under Open and Shared authentication types.

Maximum Number of Associations: ability to limit the maximum number of WLAN clients per SSID.

The following parameters are configurable on the wired VLAN-side:

Encryption Key: this is the key used for broadcast/multicast traffic segmentation per VLAN. It is
also used for static WEP clients (for both unicast and multicast traffic). The IT administrator must
define a unique encryption key per VLAN. This is discussed in more detail in the Broadcast Domain
Segmentation section on page 5-7.

Enhanced Message Integrity Check (MIC) Verification for WEP: enables MIC per VLAN.

Temporal Key Integrity Protocol (TKIP): enables per-packet key hashing per VLAN.

WEP (Broadcast) Key Rotation Interval: enables broadcast WEP key rotation per VLAN. This is
only supported for wireless VLANs with 802.1x protocols enabled (such as EAP-Cisco, EAP-TLS,
PEAP, EAP-SIM, and the like).

Default Policy Group: applies a policy group (set of Layer-2, Layer-3, and Layer-4 filters) per VLAN. Each
filter (within a policy group) is configurable to allow or deny certain types of traffic.

Default Priority: applies a default CoS priority per VLAN.

With an encryption key configured, the VLAN supports standardized WEP. However, Cisco
TKIP/MIC/Broadcast Key rotation features are optionally configurable as noted above. Table 5-2 lists
the SSID and VLAN-ID configuration parameters.

Table 5-2  SSID and VLAN-ID Configuration Parameters

Parameter            Description
SSID Parameter       Authentication Types
                     Maximum number of Associations
VLAN-ID Parameter    Encryption key (Broadcast Key)
                     TKIP/MIC
                     WEP (Broadcast) Key rotation Interval
                     Policy Group
                     Default Priority (CoS mapping)

Broadcast Domain Segmentation


All Layer-2 broadcast and multicast messages are propagated over the air. Thus, each WLAN client
receives broadcast/multicast traffic belonging to different VLANs. This is different from wired VLAN
broadcast/multicast traffic. A wired client receives Layer-2 broadcast/multicast traffic only for its own
VLAN. Thus, a unique encryption (broadcast/multicast) key per VLAN is used to segment the Layer-2
broadcast domains on the WLAN. This unique encryption key must be configured during initial VLAN
setup. If Broadcast Key rotation is enabled, this encryption key is generated dynamically and delivered
to WLAN clients in 802.1x messages.
The requirement to segment broadcast domains on the wireless side restricts the use of unencrypted VLANs
per WLAN Extended Service Set (ESS). A maximum of one VLAN can be unencrypted per WLAN ESS.
Also, a WLAN client on an encrypted VLAN should discard unencrypted Layer-2
broadcast/multicast traffic.

Native (Default) VLAN Configuration


The AP's (or the bridge's) native VLAN (default VLAN) must be set to the native VLAN of the wired
trunk. This allows the AP or bridge to receive and communicate using the Inter-Access Point Protocol
(IAPP) with other APs or bridges in the same WLAN ESS. It is a requirement that all APs and bridges
in an ESS use the same native VLAN-ID. All Telnet and Hypertext Transfer Protocol (HTTP)
management traffic, as well as the RADIUS traffic, is routed to the AP via the native VLAN. Cisco
recommends that IT managers restrict user access to the native/default VLAN of the APs and bridges
with the use of Layer-3 access control lists (ACLs) and policies on the wired infrastructure side.
The IT administrator may or may not wish to map the native VLAN of the AP/bridge to an SSID (the
WLAN ESS). Scenarios where the native VLAN should be mapped to an SSID include:

An associated workgroup bridge is treated as an infrastructure device

Connection of a root bridge to a non-root bridge

In the above scenarios, Cisco recommends configuring an Infrastructure SSID per AP or bridge.
Figure 5-5 illustrates the combined deployment of infrastructure devices (such as workgroup bridges,
non-root bridges, and repeaters) along with non-infrastructure devices (such as WLAN clients) in an
Enterprise WLAN. The native VLAN of the AP is mapped to the Infrastructure SSID. WEP encryption
along with TKIP (at least per-packet key hashing) should be enabled for the Infrastructure SSID.
Configuration of a secondary SSID as the Infrastructure SSID is also recommended. The concepts of
primary and secondary SSIDs are explained in the next section.

Figure 5-5  Combined Deployment of Infrastructure and Non-Infrastructure Devices
(Figure not reproduced: a Root AP, a root bridge, a non-root bridge at a branch office and a WGB/repeater are all joined by 802.1Q trunks with native VLAN=10; the Infrastructure SSID is mapped to VLAN-id 10, while the Employee and Guest SSIDs serve WLAN clients; the management VLAN, the Enterprise network and the RADIUS server are on the wired side.)

Primary (Guest) and Secondary SSIDs


When enabling multiple wireless VLANs on the AP or bridge, multiple SSIDs are created with
each SSID mapping to a default VLAN-ID on the wired side. However, as per the 802.11 specifications,
only one SSID can be broadcast in the beacons. The IT administrator defines a primary (Guest) SSID
that is broadcast in the 802.11 beacon management frames. All other SSIDs are secondary SSIDs and
are not broadcast in the 802.11 beacon management frames.
If a client or infrastructure device (such as a workgroup bridge) sends a probe request with a
secondary SSID, the AP or bridge responds with a probe response carrying that secondary SSID.
An IT administrator can also map the primary SSID to the VLAN-ID on the wired infrastructure in
different ways. For example, in an Enterprise rollout scenario, the primary SSID might be mapped to the
unencrypted VLAN on the wired side to provide Guest VLAN access.

RADIUS-based VLAN Access Control


As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator
might wish to impose backend-based (such as RADIUS) VLAN access control using 802.1x or MAC
address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1x
and similar encryption mechanisms for WLAN user access, then a user can hop from one VLAN to
another by simply changing the SSID and successfully authenticating to the AP (using 802.1x). This is
not desirable if the WLAN user is meant to be confined to a particular VLAN.
There are two different ways to implement RADIUS-based VLAN access control features:

RADIUS-based SSID Access Control: upon successful 802.1x or MAC address authentication, the
RADIUS server passes back the allowed SSID-list for the WLAN user to the AP or bridge. If the
user used an SSID on the allowed SSID-list, then the user is allowed to associate to the WLAN.
Otherwise, the user is disassociated from the AP or bridge.

RADIUS-based VLAN Assignment: upon successful 802.1x or MAC address authentication, the
RADIUS server assigns the user to a pre-determined VLAN-ID on the wired side. The SSID used
for WLAN access does not matter because the user is always assigned to this pre-determined
VLAN-ID.

Figure 5-6 illustrates both RADIUS-based VLAN access control methods. Both Engineering and
Marketing VLANs are configured to allow only 802.1x authentication (such as EAP-Cisco, EAP-TLS
or PEAP). As shown in Figure 5-6, when John uses the Engineering SSID to gain access to the WLAN,
the RADIUS server maps John to VLAN-ID 24. This might or might not be the default VLAN-ID
mapping for the Engineering SSID. Using this method, a user is mapped to a fixed wired VLAN
throughout an Enterprise network.
Figure 5-6 also illustrates an example of RADIUS-based SSID access control. David uses the Marketing
SSID to gain access to the WLAN. However, the permitted SSID-list sent back by the RADIUS server
indicates that David is only allowed access to the Engineering SSID. Upon receipt of this information,
the AP disassociates David from the WLAN network. Using this method, a user is given access to only
one or more pre-determined SSIDs throughout an Enterprise network.
Figure 5-6  RADIUS-based VLAN Access Control
(Figure not reproduced: an AP/bridge advertising the SSIDs Engineering, Marketing and Guest is connected over an 802.1Q trunk to the Enterprise network, with the RADIUS server on the management VLAN. John's EAP-Request (user-id: John) is answered with EAP-Success (user-id: John, VLAN-id=24); David's EAP-Request (user-id: David) is answered with EAP-Success (user-id: David, SSID=Engineering).)

RADIUS user attributes used for VLAN-ID assignment are:

IETF 64 (Tunnel Type): set this to VLAN

IETF 65 (Tunnel Medium Type): set this to 802

IETF 81 (Tunnel Private Group ID): set this to the VLAN-ID

RADIUS user attribute used for SSID access control is:

Cisco IOS/PIX RADIUS Attribute, 009\001 cisco-av-pair

Example: configure the above attribute to allow a user to access the WLAN using the Engineering and
Marketing SSIDs only:
ssid=Engineering
ssid=Marketing
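The following Python program is an added example, not Cisco's code: it models how an AP applies the two controls after a successful authentication, reading the IETF 64/65/81 tunnel attributes for VLAN assignment and the cisco-av-pair ssid= entries for SSID access control from constructed Access-Accept contents for the John and David cases of Figure 5-6. The dictionary form of the reply, the default SSID-to-VLAN mapping (taken from Table 5-1) and the function names are assumptions; the numeric codes 13 (Tunnel-Type VLAN) and 6 (Tunnel-Medium-Type IEEE-802) are the RFC 2868/RFC 3580 values and are not stated on this page.

```python
"""AP-side handling of the RADIUS attributes described above (added example,
not Cisco code). Replies are modelled as dicts of attribute name -> value;
that representation and the helper names are assumptions."""

# Default SSID-to-VLAN-ID mapping configured on the AP (values from Table 5-1).
DEFAULT_VLAN_FOR_SSID = {
    "Engineering": 14,
    "Marketing": 24,
    "HR": 34,
    "Guest": 44,
}

# Tunnel attribute codes (RFC 2868 / RFC 3580; assumed, not on this page).
TUNNEL_TYPE_VLAN = 13      # IETF 64, Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6      # IETF 65, Tunnel-Medium-Type = IEEE-802


def allowed_ssids(reply):
    """Return the permitted SSID list from 'ssid=<name>' av-pairs, or None
    when the reply carries no SSID restriction at all."""
    ssids = [pair.split("=", 1)[1] for pair in reply.get("cisco-av-pair", [])
             if pair.startswith("ssid=")]
    return ssids or None


def assigned_vlan(reply):
    """Return the VLAN-ID carried in IETF 64/65/81, or None if the triple is
    absent or malformed (wrong type/medium, non-numeric or out-of-range id)."""
    if reply.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if reply.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_802:
        return None
    group = str(reply.get("Tunnel-Private-Group-Id", ""))
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)


def decide(ssid_used, reply):
    """Apply both controls after a successful 802.1x/MAC authentication.

    Returns ("disassociate", None) when the SSID is unknown or outside the
    permitted list; otherwise ("associate", vlan), where vlan is the
    RADIUS-assigned VLAN-ID or, failing that, the SSID's default mapping."""
    if ssid_used not in DEFAULT_VLAN_FOR_SSID:
        return ("disassociate", None)
    permitted = allowed_ssids(reply)
    if permitted is not None and ssid_used not in permitted:
        return ("disassociate", None)
    vlan = assigned_vlan(reply)
    if vlan is None:
        vlan = DEFAULT_VLAN_FOR_SSID[ssid_used]
    return ("associate", vlan)


# Constructed Access-Accept contents for the two users of Figure 5-6.
REPLIES = {
    "john": {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
             "Tunnel-Private-Group-Id": "24"},
    "david": {"cisco-av-pair": ["ssid=Engineering"]},
}

if __name__ == "__main__":
    print("John on Engineering:", decide("Engineering", REPLIES["john"]))
    print("David on Marketing:", decide("Marketing", REPLIES["david"]))
```

With these replies John is placed in VLAN 24 whatever SSID he used, and David is disassociated when he joins with the Marketing SSID but admitted (on the default VLAN 14) with the Engineering SSID. A reply with neither attribute set falls back to the SSID's default VLAN, which is the behaviour the text describes when no backend control is configured.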

Guidelines for Deploying Wireless VLANs


In order to properly deploy wireless VLANs, IT administrators should evaluate the need for deploying
wireless VLANs in their own environment. Existing wired VLAN deployment rules and policies should
also be reviewed. Existing wired VLAN policies can be used as the basis for wireless VLAN deployment
policies.
This section is split into three discussions:

Criteria for Wireless VLAN Deployment, page 5-10: details selection criteria for wireless VLAN
deployment.

Wireless VLAN Deployment Example, page 5-11: provides a deployment example and summarizes
the rules for WLAN VLAN deployment.

Summary of Rules for Wireless VLAN Deployment, page 5-13: provides best practices to use on
the wired infrastructure when deploying wireless VLANs.

Criteria for Wireless VLAN Deployment


While the full criteria for each wireless VLAN deployment are likely to be unique, some standard criteria
exist for most rollouts. These include:

Common applications used by all WLAN users. The IT administrator should define:
    Wired network resources (such as servers) commonly accessed by WLAN users
    Quality of Service (QoS) level needed by each application (such as default class of service
    (CoS) or Voice CoS)

Common devices used to access the WLAN. The IT administrator should define:
    Security mechanisms (static WEP, MAC authentication, EAP authentication such as
    EAP-Cisco, EAP-TLS, or PEAP, VPN, and the like) supported by each device type
    Wired network resources (such as servers) commonly accessed by WLAN device groups
    QoS level needed by each device group (such as default CoS or Voice CoS)

Revise the existing wired VLAN deployment design guidelines:
    Existing policies for VLAN access (determine whether specific policies are implemented for
    different user groups)
    Localized wired VLANs with Layer-3 core or flat Layer-2 switched network

After the wireless VLAN deployment criteria are defined, the deployment strategy must be determined.
Two standard deployment strategies are:

Segmentation by User Groups: segmentation of the WLAN user community and enforcement of
specific security policies per user group. For example, three wired and wireless VLANs in an
enterprise environment might be created for full-time employee, part-time employee, and guest
access.

Segmentation by Device Types: segmentation of the WLAN to allow different devices with
different security levels to access the WLAN. For example, it is not recommended to have handheld
devices that support only 40/128-bit static WEP co-exist with other WLAN client devices using
802.1x with dynamic WEP in the same VLAN. In this scenario, devices with different levels of
security are grouped and isolated into separate VLANs.

Implementation criteria such as those listed below are then defined:

Use of policy group (set of filters) to map wired policies to the wireless side.

Use of 802.1x to control user access to VLANs using either RADIUS-based VLAN assignment or
RADIUS-based SSID access control.

Use of separate VLANs to implement different CoS.

Wireless VLAN Deployment Example


A wireless VLAN deployment example is outlined below. The IT administrator of company XYZ
determines the need for WLANs in his network. Utilizing the guidelines as described in Criteria for
Wireless VLAN Deployment section on page 5-10, his findings are as follows:

Three different user groups are commonly present across Company XYZ: full-time employees;
contract employees; and, guests.

Full-time and contract employees use company supplied PCs to access the wireless network. These
PCs are capable of supporting 802.1x authentication methods for accessing the WLAN.

Full-time employees need full access to the wired network resources. The IT department has
implemented application level privileges for each user via Microsoft Windows NT or Active
Directory (AD) mechanisms.

Part-time employees are not allowed access to certain wired resources (such as human resource
servers and data storage servers). Furthermore, the IT department has implemented application level
privileges for part-time employees (using Microsoft Windows NT or AD mechanisms).

Guest users need access to the Internet to launch a VPN tunnel back to their company headquarters.

Maintenance personnel (electrical, facilities, and others) use specialized handheld devices that
support static 40- or 128-bit encryption to access trouble ticket information via an application server
VLAN.

Existing wired VLAN deployment:
    Wired VLANs are localized per building (use of unique VLAN-IDs per building).
    Layer-3 policies are implemented on all VLANs to prevent users from accessing critical
    applications (such as network management servers).


In the above case, the IT administrator can deploy wireless VLANs by creating four wireless VLANs as
follows:
Step 1

For the Full-Time and Part-Time VLANs, implement 802.1x with dynamic WEP along with TKIP
functionality for WLAN access. Tie the user login on the RADIUS server to the Microsoft back-end user
database to enable single sign-on for WLAN users.
Implement RADIUS-based SSID access control for both Full-Time and Part-Time employees accessing the
WLAN. This is recommended to prevent part-time employees from VLAN hopping (trying to access the
WLAN using the Full-Time VLAN).

Note

In this deployment scenario, VLANs are localized per building with user group mapping to
wired VLAN-IDs different for each building. In order to enable users to access the WLAN from
anywhere on campus, SSID access control is recommended rather than fixed VLAN-ID
assignments.

Step 2

Create a Guest VLAN. Implement Open/No WEP access with a Broadcast SSID by using the primary
SSID for the Guest VLAN. Enforce policies on the wired network side to force all Guest VLAN access
to an Internet gateway and deny access into the corporate network.

Step 3

Create a Maintenance VLAN. Implement Open/with WEP plus MAC authentication for this VLAN.
Enforce policies on the wired infrastructure to only allow access to the maintenance server on the
application servers VLAN.

Figure 5-7 illustrates this sample WLAN deployment scenario. Table 5-3 lists the configuration details
for Figure 5-7 VLANs.
Figure 5-7  Wireless VLAN Deployment Example
(Figure not reproduced: AP_1 and AP_2 connect to the Enterprise network over 802.1Q trunks with native VLAN=10 (the management VLAN) and advertise the SSIDs Engineering, Marketing, HR and Guest; a RADIUS server sits on the wired network.)

Table 5-3  Configuration for VLANs in Figure 5-7

SSID          VLAN-id   Security Policy                          RADIUS-based VLAN Access Control
Full-Time     16        802.1x with Dynamic WEP + TKIP/MIC       Yes
Part-Time     26        802.1x with Dynamic WEP + TKIP/MIC       Yes
Maintenance   36        Open/with WEP + MAC authentication       No
Guest         46        Open/no WEP                              No

Summary of Rules for Wireless VLAN Deployment


This section summarizes the VLAN rules and guidelines discussed in this document. Key rules to
follow when deploying wireless VLANs:

802.1Q VLAN trunking (hybrid mode only) supported between the switch and the AP or bridge.

A maximum of 16 VLANs per ESS are supported with each wireless VLAN represented with a
unique SSID name.

IT administrator must configure a unique encryption key per VLAN.

A maximum of one unencrypted VLAN per ESS is supported.

A maximum of one primary/guest SSID per ESS is supported.

TKIP, MIC, and Broadcast key rotation can be enabled per VLAN.

Open, Shared-Key, MAC, network-EAP (EAP-Cisco), and EAP authentication types are supported
per SSID.

Shared-Key Authentication is supported only on the SSID mapped to the native VLAN (this is most
likely to be the Infrastructure SSID).

One unique policy group (set of Layer-2, Layer-3, and Layer-4 filters) is allowed per VLAN.

Each SSID is mapped to a default wired VLAN where the ability to override this default SSID to
VLAN-ID mapping is provided via RADIUS-based VLAN access control mechanisms.
RADIUS-based VLAN-ID assignment per user is supported.
RADIUS-based SSID access control per user is supported.

The ability to assign a CoS mapping per VLAN with eight different levels of priorities is supported.

The ability to control number of clients per SSID is supported.

All APs and bridges in the same ESS must use the same native VLAN-ID to facilitate IAPP
communication between APs and bridges.

All WLAN security policies should be mapped to the wired LAN security policies on the switches
and routers.
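As an added example (not Cisco's code), the following Python checker encodes the rules above and runs them against a constructed plan based on Table 5-3 plus an Infrastructure SSID on the native VLAN. The plan layout, the field names and the wording of the findings are assumptions made for illustration; the checker covers the 16-VLAN limit, unique VLAN-IDs and encryption keys, the one-unencrypted-VLAN and one-primary-SSID limits, a common native VLAN-ID across all APs and bridges, and Shared-Key authentication restricted to the SSID on the native VLAN.

```python
"""Validator for a proposed wireless VLAN plan against the summary rules
(added example, not Cisco code). The plan structure is an assumption."""

MAX_VLANS_PER_ESS = 16

# Constructed plan: SSID -> per-VLAN settings (from Table 5-3, plus an
# Infrastructure SSID on the native VLAN) and the native VLAN-ID configured
# on each AP/bridge in the ESS. Keys are placeholders, not real key material.
PLAN = {
    "ssids": {
        "Full-Time":   {"vlan": 16, "key": "k-16", "auth": "eap",    "primary": False},
        "Part-Time":   {"vlan": 26, "key": "k-26", "auth": "eap",    "primary": False},
        "Maintenance": {"vlan": 36, "key": "k-36", "auth": "mac",    "primary": False},
        "Guest":       {"vlan": 46, "key": None,   "auth": "open",   "primary": True},
        "Infra":       {"vlan": 10, "key": "k-10", "auth": "shared", "primary": False},
    },
    "native_vlan_per_ap": {"AP_1": 10, "AP_2": 10, "Bridge_1": 10},
}


def check_plan(plan):
    """Return a list of rule violations; an empty list means the plan passes."""
    problems = []
    ssids = plan["ssids"]
    natives = set(plan["native_vlan_per_ap"].values())

    # At most 16 VLANs per ESS, each with a unique SSID (dict keys are unique).
    if len(ssids) > MAX_VLANS_PER_ESS:
        problems.append(f"{len(ssids)} VLANs exceeds the limit of {MAX_VLANS_PER_ESS}")

    # Each wireless VLAN needs a unique VLAN-ID and a unique encryption key.
    vlans = [s["vlan"] for s in ssids.values()]
    if len(vlans) != len(set(vlans)):
        problems.append("duplicate VLAN-ID across SSIDs")
    keys = [s["key"] for s in ssids.values() if s["key"] is not None]
    if len(keys) != len(set(keys)):
        problems.append("encryption key reused across VLANs")

    # At most one unencrypted VLAN and exactly one primary (guest) SSID per ESS.
    unencrypted = [n for n, s in ssids.items() if s["key"] is None]
    if len(unencrypted) > 1:
        problems.append(f"more than one unencrypted VLAN: {unencrypted}")
    primaries = [n for n, s in ssids.items() if s["primary"]]
    if len(primaries) != 1:
        problems.append(f"expected exactly one primary SSID, found {primaries}")

    # All APs and bridges in the ESS must share one native VLAN-ID (IAPP).
    if len(natives) != 1:
        problems.append(f"native VLAN-ID differs across APs/bridges: {sorted(natives)}")

    # Shared-Key authentication only on the SSID mapped to the native VLAN.
    for name, s in ssids.items():
        if s["auth"] == "shared" and s["vlan"] not in natives:
            problems.append(f"shared-key authentication on {name} (VLAN {s['vlan']}) is not on the native VLAN")
    return problems


if __name__ == "__main__":
    for p in check_plan(PLAN) or ["plan passes all rules"]:
        print(p)
```

Running it on the constructed plan reports no violations; adding a second open SSID marked primary, or giving one AP a different native VLAN, produces one finding per broken rule, which is the kind of pre-deployment check that keeps the wired-side ACL design and the wireless side consistent.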

Best-Practices for the Wired Infrastructure


The following best practices are recommended for the wired infrastructure when 802.1Q trunking is
extended to the APs and bridges:

Limit broadcast/multicast traffic to the AP and bridge by enabling VLAN filtering and Internet
Group Management Protocol (IGMP) snooping on the switch ports. On the 802.1Q trunks to the AP
and bridge, filter to allow only active VLANs in the ESS. Enabling IGMP snooping prevents the
switch from flooding all switch ports with Layer-3 multicast traffic.

Map wireless security policies to the wired infrastructure with Access Control Lists (ACLs) and
other mechanisms

The AP does not support the VLAN Trunking Protocol (VTP) or the GARP VLAN Registration
Protocol (GVRP) for dynamic management of VLANs because the AP acts as a stub node. The IT
administrator must use the wired infrastructure to maintain and manage the wired VLANs.

Enforce security policies via Layer-3 ACLs on the Guest and Management VLANs (recommended).
    The IT administrator might implement ACLs on the wired infrastructure to force all Guest
    VLAN traffic to the Internet Gateway.

    The IT administrator should restrict user access to the native/default VLAN of the APs and
    bridges with the use of Layer-3 ACLs and policies on the wired infrastructure.
    Example: traffic to APs and bridges via the native/default VLAN is only allowed to and from
    the management VLAN where all the management servers reside, including the RADIUS
    server.
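The following Python audit is an added example, not Cisco's code: it parses a constructed Cisco IOS running-config excerpt for the AP-facing trunk ports and reports where the best practices above are not met (allowed-VLAN list missing or wider than the ESS VLANs, native VLAN not the expected management VLAN, IGMP snooping explicitly disabled). The sample configuration, the expected VLAN set and the function names are assumptions; only the plain "switchport trunk allowed vlan <list>" form is recognised, not the add/remove/except variants.

```python
"""Audit of AP-facing 802.1Q trunk ports against the wired-side best practices
(added example, not Cisco code). The sample config below is constructed."""

import re

# Constructed running-config excerpt for two AP-facing trunk ports; Fa0/1
# follows the best practices, Fa0/2 deliberately does not.
SAMPLE_CONFIG = """\
ip igmp snooping
!
interface FastEthernet0/1
 description AP_1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,16,26,36,46
 switchport mode trunk
!
interface FastEthernet0/2
 description AP_2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} per interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return blocks


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,16-18,26' into a set of VLAN-IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_trunks(config, ess_vlans, native):
    """Return {interface or 'global': [findings]} for the trunk ports.

    ess_vlans: set of VLAN-IDs that belong to the ESS (the only VLANs the
    trunk should carry); native: the expected native/management VLAN-ID."""
    findings = {}
    # IGMP snooping is on by default on Catalyst switches, so only an explicit
    # 'no ip igmp snooping' is treated as a finding.
    if "no ip igmp snooping" in config.splitlines():
        findings["global"] = ["IGMP snooping is explicitly disabled"]
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        issues = []
        allowed = next((l for l in lines
                        if l.startswith("switchport trunk allowed vlan ")), None)
        if allowed is None:
            issues.append("trunk carries all VLANs; restrict to the ESS VLANs")
        else:
            extra = expand_vlan_list(allowed.split()[-1]) - set(ess_vlans)
            if extra:
                issues.append(f"trunk carries VLANs outside the ESS: {sorted(extra)}")
        nat = next((l for l in lines
                    if l.startswith("switchport trunk native vlan ")), None)
        if nat is None or int(nat.split()[-1]) != native:
            issues.append(f"native VLAN is not {native}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_trunks(SAMPLE_CONFIG, {10, 16, 26, 36, 46}, 10).items():
        print(port, issues)
```

On the constructed excerpt FastEthernet0/1 passes, while FastEthernet0/2 is flagged for carrying every VLAN (no allowed-VLAN pruning) and for a native VLAN of 1 instead of the management VLAN 10, exactly the two conditions the text asks the administrator to prevent on the trunks towards APs and bridges.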

Note

For more details refer to the WLAN VLAN deployment guide:

http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html

Chapter 6  WLAN Quality of Service (QoS)


This chapter addresses Quality of Service (QoS) concerns in the context of WLAN implementations. It
is separated into the following primary sections:

QoS Overview, page 6-1

Wireless QoS Considerations, page 6-2

802.11 DCF, page 6-4

IEEE 802.11e, page 6-7

Deploying EDCF on Cisco IOS-based APs, page 6-13

Guidelines for Deploying Wireless QoS, page 6-17

QoS Overview
Quality of Service (QoS) refers to the capability of a network to provide better service to selected
network traffic over various network technologies. QoS technologies provide the building blocks for
business multimedia and voice applications used in campus, WAN, and service provider networks. QoS
allows network managers to establish service level agreements (SLAs) with network users.
QoS enables network resources to be shared more efficiently and expedites the handling of
mission-critical applications. QoS manages time-sensitive multimedia and voice application traffic to
ensure that this traffic receives higher priority, greater bandwidth and less delay than best effort data
traffic. With QoS, bandwidth can be managed more efficiently across LANs and WANs.
QoS provides enhanced and predictable network service by:

Supporting dedicated bandwidth for critical users and applications

Controlling jitter and latency (required by real-time traffic)

Managing and minimizing network congestion

Shaping network traffic to smooth the traffic flow

Setting network traffic priorities

Wireless QoS Considerations


This section addresses the following topics:

Wireless QoS Deployment Schemes, page 6-2

QoS Parameters, page 6-3

Downstream and Upstream QoS, page 6-3

QoS and Network Performance, page 6-4

Wireless QoS Deployment Schemes


In the past, WLANs were mainly used to transport low-bandwidth, data-application traffic. Today, with
the expansion of WLANs into vertical (such as retail, finance, and education) and Enterprise
environments, WLANs are used to transport high-bandwidth, data applications in conjunction with
time-sensitive, multi-media applications. This requirement led to the necessity for wireless QoS.
Several vendors support proprietary wireless QoS schemes for voice applications. To speed up the rate
of QoS adoption and to support multi-vendor time-sensitive applications, a unified approach to wireless
QoS is necessary. The IEEE 802.11e working group within the IEEE 802.11 standards committee is
working on a wireless QoS standard that is expected to be finalized in 2003. Cisco Aironet products
support QoS based on the IEEE 802.11e Draft standard specifications as of November 2002. Cisco IOS
release 12.2(4)JA for the Cisco Aironet 1100 Series and Cisco Aironet VxWorks release 12.00T for
Cisco Aironet 1200, 350, and 340 Series products support IEEE 802.11e Enhanced Distributed
Coordination Function (EDCF)-based wireless QoS.
An example deployment of wireless QoS based on Cisco IOS and VxWorks features is shown in
Figure 6-1.
Figure 6-1  Wireless QoS Deployment Example
(Figure not reproduced: an AP1100 and an AP1200, both running EDCF-based QoS, connect to the Enterprise Network, which also hosts Cisco CallManager and a streaming video source; a VoIP phone associates to the AP. The AP provides EDCF-based mechanisms for downstream wireless QoS, based upon handset registration, CoS, or DSCP.)

QoS Parameters
QoS is defined as the measure of performance for a transmission system that reflects its transmission
quality and service availability. Service availability is a crucial foundational element of QoS. Before
QoS can be successfully implemented, the network infrastructure must be highly available. The network
transmission quality is determined by the following factors:

Latency, page 6-3

Jitter, page 6-3

Loss, page 6-3

Latency
Latency (or delay) is the amount of time it takes a packet to reach the receiving endpoint after being
transmitted from the sending endpoint. This time period is termed the end-to-end delay and can be
broken into two areas: fixed network delay and variable network delay.
Fixed network delay includes encoding/decoding time (for voice and video), as well as the finite amount
of time required for the electrical/optical pulses to traverse the media en route to their destination.
Variable network delay generally refers to network conditions, such as congestion, that may affect the
overall time required for transit.

Jitter
Jitter (or delay-variance) is the difference in the end-to-end latency between packets. For example, if one
packet required 100 msec to traverse the network from the source-endpoint to the destination-endpoint
and the following packet required 125 msec to make the same trip, then the jitter is calculated as 25 msec.

Loss
Loss (or packet loss) compares the number of packets faithfully transmitted and received with the total
number that were transmitted. Loss is expressed as the percentage of packets that were dropped.
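As an added example (not Cisco's code), the following Python functions compute the three measures over a constructed one-way packet trace; the trace format (sequence number, send and receive times in milliseconds, None for a dropped packet) is an assumption. The second packet reproduces the 100 msec/125 msec case above and yields 25 msec of jitter, and the dropped third packet shows how loss is reported as a percentage.

```python
"""Latency, jitter and loss over a constructed packet trace (added example,
not Cisco code). Trace tuples are (seq, sent_ms, received_ms or None)."""

# Constructed one-way trace of five packets; packet 3 never arrived.
TRACE = [
    (1, 0.0, 100.0),
    (2, 20.0, 145.0),   # 125 ms delay: 25 ms jitter relative to packet 1
    (3, 40.0, None),    # dropped
    (4, 60.0, 170.0),
    (5, 80.0, 190.0),
]


def latencies(trace):
    """End-to-end delay (ms) of each delivered packet, in sequence order."""
    return [rx - tx for _, tx, rx in sorted(trace) if rx is not None]


def jitter(trace):
    """Per-packet jitter (ms): absolute difference in latency between each
    delivered packet and the delivered packet before it, as defined above."""
    lat = latencies(trace)
    return [abs(later - earlier) for earlier, later in zip(lat, lat[1:])]


def loss_percent(trace):
    """Percentage of transmitted packets that were not received."""
    if not trace:
        return 0.0
    dropped = sum(1 for _, _, rx in trace if rx is None)
    return 100.0 * dropped / len(trace)


def summarize(trace):
    """Worst-case view of the three measures, as a QoS monitor would report."""
    lat = latencies(trace)
    jit = jitter(trace)
    return {
        "max_latency_ms": max(lat) if lat else 0.0,
        "max_jitter_ms": max(jit) if jit else 0.0,
        "loss_percent": loss_percent(trace),
    }


if __name__ == "__main__":
    print(summarize(TRACE))
```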

Downstream and Upstream QoS


Figure 6-2 illustrates the definition of QoS radio upstream and downstream.
Figure 6-2  Upstream and Downstream QoS
(Figure not reproduced: between the WLAN clients, the AP and the network, the four directions are labelled Radio Downstream, Radio Upstream, Ethernet Downstream and Ethernet Upstream.)

The notation in Figure 6-2 refers to the following:

Radio Downstream QoS refers to the traffic leaving the AP and traveling to the WLAN clients.
Radio Downstream QoS is the primary focus of this deployment guide.

Radio Upstream QoS refers to traffic leaving the WLAN clients and traveling to the AP. No vendor
support is currently available for radio upstream QoS features for WLAN clients. This support is
specified in the 802.11e draft, but has not yet been implemented.

Ethernet Downstream refers to traffic leaving the switch/router traveling to the AP. QoS may be
applied at this point to prioritize and rate limit traffic to the AP. Configuration of Ethernet
downstream QoS is not discussed in this design guide.

Ethernet Upstream refers to traffic leaving the AP traveling to the switch. The AP classifies traffic
from the AP to the upstream network according to the traffic classification.

QoS and Network Performance


The application of QoS features may not be easily detected on a lightly loaded network. Indeed, if
latency, jitter and loss are noticeable when the media is lightly loaded, it is an indication of a system
fault or that an application's latency, jitter and loss requirements are not a good match for the network.
QoS features start to impact application performance as the load on the network increases. QoS works
to keep latency, jitter and loss for selected traffic types within acceptable bounds.
Because prioritization is provided only downstream from the AP, upstream client traffic is treated as best effort. A
client must compete with other clients for (upstream) transmission as well as competing with best effort
(downstream) transmission from the AP. Under certain load conditions, a client can experience upstream
congestion and the performance of QoS-sensitive applications may be unacceptable despite the QoS
features on the AP.

802.11 DCF
Data frames in 802.11 are sent using the Distributed Coordination Function (DCF). The DCF is
composed of two main components:

Interframe Spaces (SIFS, PIFS, and DIFS), page 6-4

Random Backoff (Contention Window), page 6-5

DCF is used in 802.11 networks to manage access to the RF medium. A baseline understanding of DCF
is necessary in order to deploy 802.11e based EDCF. Please read the IEEE 802.11 specification for more
information on DCF.

Interframe Spaces (SIFS, PIFS, and DIFS)


Interframe Spaces (Figure 6-3) allow 802.11 to control which traffic gets first access to the channel once
carrier sense declares the channel to be free.

Figure 6-3

Interframe Spaces (IFS)1

Figure 6-3 shows the timeline after a busy medium: the SIFS expires first, then the PIFS, then the DIFS, after which the contention window begins. A station defers access while the medium is busy, selects a slot and decrements its backoff as long as the medium is idle, and sends the next frame when its backoff expires.

802.11 currently defines three interframe spaces (values for 802.11b, which has a 20 μs slot time):

Short Interframe Space (SIFS): 10 μs

PCF Interframe Space (PIFS): SIFS + 1 x slot time = 30 μs

DCF Interframe Space (DIFS): SIFS + 2 x slot time = 50 μs

SIFS
Important frames such as acknowledgments wait the SIFS before transmitting. There is no random
backoff when using the SIFS, as frames using the SIFS are sent in instances where multiple stations
would not be trying to send at the same time. The SIFS provides a short and deterministic delay
for frames that must go through as soon as possible. The SIFS is not available to data frames contending
for the medium; only 802.11 management and control frames, and the continuation of an exchange that is
already in progress, use SIFS.

PIFS
An optional portion of the 802.11 standard, the Point Coordination Function (PCF), defines a priority
mechanism for traffic that uses PIFS. There is no random backoff mechanism associated with PIFS, as it
relies upon polling by the AP to control which station is transmitting. The option is not widely adopted2
due to the associated overhead and lack of flexibility in its application.

DIFS
Data frames wait the DIFS before beginning the random backoff procedure that is part of the Distributed
Coordination Function (DCF). This longer wait ensures that traffic using the SIFS or PIFS timing always
gets an opportunity to send before any traffic using the DIFS attempts to send.

Random Backoff (Contention Window)


When a data frame using DCF (Figure 6-4) is ready to be sent, it goes through the following steps:

1. Generate a random backoff number between 0 and the minimum Contention Window (CWmin).

2. Wait until the channel is free for a DIFS interval.

3. If the channel is still free, decrement the random backoff number for every slot time (20 μs) the channel remains free.

4. If the channel becomes busy (another station's backoff reached 0 first), decrementing stops and steps 2 through 4 are repeated with the remaining backoff value.

5. If the channel remains free until the random backoff number reaches 0, the frame may be sent.

1. Figures quoted are for 802.11b, not 802.11a.

2. No known vendor claims to support the Point Coordination Function (PCF).

Figure 6-4

Distributed Coordination Function (DCF) Example

Figure 6-4 is a timeline for Stations A through E: each frame is followed by a DIFS, stations with pending frames defer while the medium is busy, and the backoff time remaining when a station defers is carried over into the next contention.

Figure 6-4 shows a simplified example of how the DCF process works. In this simplified DCF process,
no acknowledgements are shown and no fragmentation occurs.
The DCF steps illustrated in Figure 6-4 work as follows:

1. Station A successfully sends a frame, and three other stations also wish to send frames but must defer to Station A's traffic.

2. When Station A completes transmission, all the stations must still defer for the DIFS. Once the DIFS is complete, stations wishing to send a frame can begin decrementing their backoff counter, once every slot time, and may send their frame when it reaches zero.

3. Station B's backoff counter reaches zero before those of Stations C and D, and therefore Station B begins transmitting its frame.

4. Once Stations C and D detect that Station B is transmitting, they must stop decrementing their backoff counters and again defer until the frame is transmitted and a DIFS has passed.

5. While Station B is transmitting its frame, Station E gets a frame to transmit, but as Station B is sending a frame it must defer in the same manner as Stations C and D.

6. Once Station B completes transmission and the DIFS has passed, stations with frames to send begin decrementing their backoff counters again. In this case, Station D's backoff counter reaches zero first and it begins transmission of its frame.

7. The process continues as traffic arrives on different stations.

CWmin, CWmax, and Retries


DCF uses a Contention Window (CW) to control the size of the random backoff. The contention window
is defined by two parameters:

aCWmin

aCWmax


The random number used in the random backoff is initially a number between 0 and aCWmin. If the
initial random backoff expires without the frame being sent successfully, the station or AP increments the
retry counter and doubles the random backoff window size. This doubling continues until the window
size equals aCWmax. The retries continue until the maximum retry count or the frame's lifetime (Time To
Live, TTL) is reached. This process of doubling the backoff window is often referred to as binary
exponential backoff, and is illustrated in Figure 6-5.
Figure 6-5

Growth in Random Backoff Range with Retries

Figure 6-5 plots the backoff range against retries: it grows from aCWmin = 31 to 63, 127, 255 and 511 on successive retries, reaches aCWmax = 1023, and stays at 1023 for any further retries.

IEEE 802.11e
This section discusses two 802.11e implementations:

802.11e EDCF-based QoS Implementation, page 6-7

QoS Advertisements by WLAN Infrastructure, page 6-11

802.11e EDCF-based QoS Implementation


The current IEEE 802.11e draft contains EDCF. This is the feature supported in the current AP code
release. The EDCF is an enhancement of the DCF described above. The enhancement is the adjustment
of the variable CWmin and CWmax random backoff values based upon traffic classification. Figure 6-6
shows the different settings for the CWmin and CWmax of each traffic class as illustrated by the Cisco
Aironet software. These figures are based on those proposed in the 802.11e draft.


Do not alter these settings for production networks without significant tests specific to the applications
in question. For example, a CWmax value less than the CWmin of another class might cause
starvation of the other traffic class, as the worst-case random backoff of the preferred class would be
better than the best-case random backoff of the less favored class. It should also be noted that the traffic
has been queued based on its traffic classification by the AP before the CWmin and CWmax values are
applied at the radio. Refer to Figure 6-6.
Figure 6-6

Default CWmin and CWmax Values of Different Traffic Categories

Figure 6-7 shows the principle behind different CWmin values per traffic classification. All traffic waits
the same DIFS, but the CWmin value used to generate the random backoff number depends upon the
traffic classification. High priority traffic has a small CWmin value, giving a short random backoff,
whereas best effort traffic has a large CWmin value that on average gives a large random backoff number.


Figure 6-7

EDCF Random Backoff and Traffic Classification

Figure 6-7 shows, after a busy medium and the common DIFS, the contention window divided by traffic class: the voice random backoff range is bounded by the small CWmin[6] and CWmin[7], whereas the best effort random backoff range extends to the much larger CWmin[0]. A station defers access while the medium is busy, decrements its backoff as long as the medium is idle, and sends its next frame when the backoff expires.

Figure 6-8 shows an example of how the different CWmin values impact traffic priority.
Figure 6-8

Example of Impact of Traffic Classification

Figure 6-8 is a timeline for Station X, Voice 1, Voice 2, Voice 3, Best Effort 1 and Best Effort 2: each frame is followed by a DIFS, stations with pending frames defer while the medium is busy, and the backoff time remaining is carried over into the next contention. The frames are sent in the order Station X, Voice 1, Voice 2, Best Effort 2, Voice 3.

The process illustrated in Figure 6-8 follows this sequence:

1. While Station X is transmitting its frame, three other stations determine that they must send a frame. Each station defers, as a frame is already being transmitted, and each station generates a random backoff.

2. As stations Voice 1 and Voice 2 have a traffic classification of voice, they use an initial CWmin of 3 and therefore have short random backoff values. Best Effort 1 and Best Effort 2 generate longer random backoff times, as their CWmin value is 31.

3. Voice 1 has the shortest random backoff time and therefore starts transmitting first. When Voice 1 starts transmitting, all other stations defer. While Voice 1 is transmitting, station Voice 3 finds that it needs to send a frame and generates a random backoff number, but defers due to Voice 1's transmission.

4. Once Voice 1 finishes transmitting, all stations wait the DIFS and then begin decrementing their random backoff counters again.

5. Voice 2 completes decrementing its random backoff counter first and begins transmission. All other stations defer.

6. Once Voice 2 has finished transmitting, all stations wait the DIFS and then begin decrementing their random backoff counters again.

7. Best Effort 2 completes decrementing its random backoff counter first and begins transmission. All other stations defer. This happens even though there is a voice station waiting to transmit. It shows that best effort traffic is not starved by voice traffic: the random backoff decrementing process eventually brings the best effort backoff down to values similar to those of high priority traffic, and the random process might, on occasion, generate a small random backoff number for best effort traffic.

8. Once Best Effort 2 finishes transmitting, all stations wait the DIFS and then begin decrementing their random backoff counters again.

9. Voice 3 completes decrementing its random backoff counter first and begins transmission. All other stations defer.

10. The process continues as other traffic enters the system.

The overall impact of the different CWmin and CWmax values is difficult to show well in the timing
diagrams used thus far, as their impact is more statistical in nature. It is simpler to compare two
examples, and show the impact of these different values in the average times that should be generated
by the random backoff counters.
If we compare interactive voice and interactive video, these traffic categories have CWmin values of 3
and 15, and CWmax values of 31 and 63 respectively. This gives the averages for the random backoff
counters shown in Table 6-1 (values are in slot times; the average minimum is CWmin/2 and the average
maximum is CWmax/2).
Table 6-1

Random Backoff Averages

Traffic Category     CWmin   CWmax   Average Minimum   Average Maximum
Interactive Voice       3      31        1.5              15.5
Interactive Video      15      63        7.5              31.5
Best Effort            31     255       15.5             127.5

These averages show that an interactive voice frame would have an average random backoff time of only
30 μs, whereas the average random backoff time for an interactive video frame would be 150 μs. If
interactive voice and interactive video stations began trying to transmit at the same time, the interactive
voice frame would normally be transmitted first, and with a very small delay.
The average maximum gives an indication of how quickly and how large the random backoff counter
would grow in the event of retransmissions: the smaller the average maximum, the more aggressively that
traffic class contends for the medium. No matter how many times it has retried, Interactive Voice's random
backoff delay should not, on average, exceed the minimum delay of best effort traffic. This means that the
average worst-case backoff delay for interactive voice traffic (15.5 slots) is the same as the average
best-case delay for best effort traffic (15.5 slots).
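The following Python model is an added example, not code from this design guide or from Cisco. It reproduces the averages of Table 6-1 from CWmin and CWmax, the binary exponential growth of Figure 6-5, and the contention sequence of Figures 6-4 and 6-8: stations count down after a common DIFS, the first to reach zero transmits, and the losers carry their remaining backoff into the next round. The 20 μs slot time, the saturated-cell assumption (every station always has a frame), and the treatment of two counters expiring together as a collision are assumptions of the example, as are all names in it.

```python
"""Toy model of 802.11 DCF/EDCF contention with the per-class CWmin/CWmax
values of Table 6-1. Added example, not Cisco or IEEE code. Assumptions
beyond the design guide: an 802.11b slot of 20 us, a saturated cell, and
that equal expiry of two backoff counters is a collision."""
import random

SLOT_US = 20

# (CWmin, CWmax, AIFS in slots) per traffic class. CWmin/CWmax follow Table 6-1;
# an AIFS of 2 slots is the legacy DIFS (the AP's "Fixed Slot Time" setting).
CLASSES = {
    "voice": (3, 31, 2),
    "video": (15, 63, 2),
    "best_effort": (31, 255, 2),
}


def average_backoff(cw):
    """Mean of a uniform draw from 0..cw, in slots (Table 6-1 average columns)."""
    return cw / 2


def backoff_time_us(slots):
    return slots * SLOT_US


def cw_after_retries(cwmin, cwmax, retries):
    """Binary exponential backoff: CW becomes 2*CW+1 per retry, capped at CWmax."""
    cw = cwmin
    for _ in range(retries):
        cw = min(2 * cw + 1, cwmax)
    return cw


class Station:
    def __init__(self, name, klass):
        self.name, self.klass = name, klass
        self.cwmin, self.cwmax, self.aifs = CLASSES[klass]
        self.cw, self.retries, self.sent = self.cwmin, 0, 0
        self.backoff = -1  # -1: no counter drawn yet; otherwise the frozen counter

    def wait_slots(self):
        return self.aifs + self.backoff


def contend(stations, rng):
    """One contention: every station waits its AIFS, then counts down; the first
    to reach zero transmits. Losers keep their remaining count for the next
    round (Figure 6-4, "backoff time remaining"). Returns the winner or None."""
    for s in stations:
        if s.backoff < 0:
            s.backoff = rng.randint(0, s.cw)
    first = min(s.wait_slots() for s in stations)
    winners = [s for s in stations if s.wait_slots() == first]
    for s in stations:
        if s not in winners:
            s.backoff -= max(0, first - s.aifs)  # slots counted down before freezing
    if len(winners) == 1:
        w = winners[0]
        w.sent += 1
        w.cw, w.retries, w.backoff = w.cwmin, 0, -1
        return w.name
    for s in winners:  # collision: each collider doubles its CW and redraws
        s.retries += 1
        s.cw = cw_after_retries(s.cwmin, s.cwmax, s.retries)
        s.backoff = -1
    return None


def simulate(rounds=2000, seed=1):
    """Two voice and two best-effort stations always holding a frame; returns
    frames sent per class. Voice should dominate without starving best effort."""
    rng = random.Random(seed)
    stations = [Station("V1", "voice"), Station("V2", "voice"),
                Station("B1", "best_effort"), Station("B2", "best_effort")]
    for _ in range(rounds):
        contend(stations, rng)
    totals = {k: 0 for k in CLASSES}
    for s in stations:
        totals[s.klass] += s.sent
    return totals
```

Running simulate() for a few thousand rounds shows the behaviour described in step 7 above: the two voice stations send the large majority of frames, but the best effort stations are not starved, because a frozen best effort counter keeps shrinking across busy periods until it eventually expires first.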


Note

In this EDCF implementation, all WLAN clients are treated equally for upstream transmission (from the
WLAN clients to the AP) unless a client (such as a SpectraLink Voice over IP device) implements a
proprietary mechanism of obtaining the channel faster compared to the others.

QoS Advertisements by WLAN Infrastructure


The WLAN infrastructure devices (such as APs) advertise QoS parameters. WLAN clients with QoS
requirements use these advertised QoS parameters to determine the best AP with which to associate.
Cisco Aironet software release 12.00T for VxWorks APs and bridges and Cisco IOS release 12.2(4)JA
for Cisco 1100 Series APs support two mechanisms to advertise QoS parameters:

Symbol Technologies, Inc. Extensions (Symbol NetVision handsets only)

QoS Basic Service Set (QBSS) element, based on IEEE 802.11e draft version 3.3

Figure 6-9 shows the QBSS Information Element (IE) advertised by a Cisco AP. The channel utilization
field indicates the portion of available bandwidth currently used to transport data within the WLAN. The
frame loss rate field indicates the portion of transmitted frames that require retransmission or are
discarded as undeliverable.
Figure 6-9

QBSS Information Element (IE) Implementation: IEEE 802.11e Draft version 3.3

Element ID (11) | Length (6) | Station Count (2 octets) | Channel Utilization (1 octet) | Frame loss rate (1 octet)
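As an added example (not Cisco code and not taken from the 802.11e draft), the following Python parses the QBSS IE with the layout of Figure 6-9 out of the information-element portion of a beacon or probe response, refusing to read past a truncated element, and then applies the client-side choice described above by preferring the AP with the lowest advertised channel utilization. The sample IE blobs are constructed, not captured; the little-endian encoding of the station count, the reading of the two 1-octet fields as fractions of 255, and the tie-break on station count are assumptions of the example.

```python
"""Parse the QBSS Load IE as laid out in Figure 6-9 (Element ID 11, Length,
Station Count 2 octets, Channel Utilization 1 octet, Frame Loss Rate 1 octet)
and pick an AP from the advertised values. Added example, not Cisco code.
Assumption: the station count is little-endian, as 802.11 fields are."""
import struct

QBSS_ELEMENT_ID = 11


def parse_ies(body):
    """Split an IE blob into (element_id, payload) pairs, rejecting a
    truncated element instead of reading past the end of the buffer."""
    ies, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated IE header at offset %d" % i)
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            raise ValueError("IE %d claims %d bytes, only %d left"
                             % (eid, length, len(body) - i - 2))
        ies.append((eid, bytes(body[i + 2:i + 2 + length])))
        i += 2 + length
    return ies


def parse_qbss(payload):
    """Decode the first four octets of the QBSS IE payload (the figure shows a
    length of 6; any trailing octets are ignored)."""
    if len(payload) < 4:
        raise ValueError("QBSS IE too short: %d bytes" % len(payload))
    count, util, loss = struct.unpack("<HBB", payload[:4])
    return {"station_count": count,
            "channel_utilization": util / 255,   # assumption: fraction of 255
            "frame_loss_rate": loss / 255}


def qbss_from_ies(body):
    """Return the parsed QBSS IE from an IE blob, or None if the AP sends none."""
    for eid, payload in parse_ies(body):
        if eid == QBSS_ELEMENT_ID:
            return parse_qbss(payload)
    return None


def pick_ap(candidates):
    """Client-side choice: lowest channel utilization wins, then fewest
    stations (tie-break is an assumption). APs without a QBSS IE are skipped."""
    scored = [(c["qbss"]["channel_utilization"], c["qbss"]["station_count"], c["name"])
              for c in candidates if c["qbss"] is not None]
    return min(scored)[2] if scored else None


# Constructed IE blobs (not captured traffic): an SSID IE (ID 0, "corp")
# followed, for two of the three APs, by a QBSS IE with a 6-octet length.
SSID_IE = bytes([0, 4]) + b"corp"
AP_A_IES = SSID_IE + bytes([11, 6, 0x0C, 0x00, 0x80, 0x05, 0x00, 0x00])  # 12 STAs, util 128/255
AP_B_IES = SSID_IE + bytes([11, 6, 0x03, 0x00, 0x20, 0x00, 0x00, 0x00])  # 3 STAs, util 32/255
AP_C_IES = SSID_IE                                                       # no QBSS IE
TRUNCATED_IES = SSID_IE + bytes([11, 6, 0x03])                           # length lies

CANDIDATES = [{"name": "AP-A", "qbss": qbss_from_ies(AP_A_IES)},
              {"name": "AP-B", "qbss": qbss_from_ies(AP_B_IES)},
              {"name": "AP-C", "qbss": qbss_from_ies(AP_C_IES)}]

if __name__ == "__main__":
    print(pick_ap(CANDIDATES))
```

The truncation checks matter because the IE blob comes over the air from whoever is beaconing; a client that trusts the advertised length is one malformed frame away from an out-of-bounds read.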

Figure 6-10 and Figure 6-11 illustrate the mechanism for enabling QoS advertisements on VxWorks APs
and bridges and Cisco IOS-based APs.


Figure 6-10 Enabling QoS Advertisements on a VxWorks AP

Figure 6-11 Enabling QoS Advertisements on a Cisco IOS AP

Deploying EDCF on Cisco IOS-based APs


This section discusses the mechanisms available on the Cisco Aironet 1100 Series AP for applying traffic
classification to particular traffic. The Cisco IOS-based Aironet 1100 Series AP has significant QoS
operational differences as compared to the VxWorks-based Cisco Aironet 1200, 350 and 340 Series.
However, because it is Cisco IOS based, the Aironet 1100 Series AP is consistent with current Cisco IOS
implementations. Users familiar with configuring Cisco switch and router QoS settings should find the
commands and configuration familiar.

Note

For information about deployment and configuration using VxWorks-based APs, please refer to the WLAN
QoS Deployment Guide at the location:
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080144498.html
This section presents EDCF implementation considerations for Cisco IOS-based APs in the following
specific sections:

Appliance-based Prioritization, page 6-13

CoS-based Prioritization, page 6-13

Class-Map Based Prioritization, page 6-14

VLAN-based Prioritization, page 6-15

Combining QoS Setting Requirements, page 6-15

Additional QoS Features, page 6-16

Appliance-based Prioritization
The Cisco IOS-based AP can prioritize traffic based upon a WLAN clients request for a particular traffic
classification because of its appliance type. Currently, Cisco APs support only VoIP appliances. These
VoIP appliances use proprietary registration messages to identify themselves. The best example of this
process is the negotiation that occurs between the AP and a Symbol VoIP WLAN handset. A protocol
defined by Symbol allows the handset to be identified, and provide down stream traffic to these handsets
with an interactive voice classification.
The VxWorks-based AP allows a per-station classification of traffic which allows these handsets to
identify themselves and automatically classify traffic.
The Cisco IOS AP supports the registration of the handsets to the AP through the global command line
interface (CLI) command:
dot11 phone

CoS-based Prioritization
Traffic that arrives at the AP over an Ethernet trunk (if already classified by its CoS settings within IEEE
802.1D) will have that classification mapped to EDCF and applied unless the Per Appliance
classification applies a subsequent classification.


Class-Map Based Prioritization


Traffic flows are identified by IP Type of Service (TOS), DSCP, or protocol settings with class-map
based prioritization. An identified down stream traffic flow is given a specific CoS applied over the radio
interface. This process is consistent with current Cisco IOS implementations.
Figure 6-12 illustrates an example setting of a class-map based QoS policy via the 1100 Series AP web
interface. The policy name is example. Example creates classification rules based upon IP precedence,
DSCP values, and an IP protocol. These classification rules are then applied on the radio interface.

Note

The IP Protocol 119 setting provides ongoing support on the AP for SpectraLink IEEE 802.11 handsets.
Figure 6-12 Class-Map based QoS Policy Example

After applying the class-map based QoS policy, the changes are reflected in the AP CLI.
class-map match-all _class_example2
match ip protocol 119
class-map match-all _class_example0
match ip precedence 2
class-map match-all _class_example1
match ip dscp 46

policy-map example
class _class_example0
set cos 5
class _class_example1
set cos 5
class _class_example2
set cos 0

class class-default
set cos 0

interface Dot11Radio0.825

service-policy output example

VLAN-based Prioritization
Figure 6-13 illustrates the default priority (CoS) set using a class-map definition on a Cisco IOS-based
AP. This class-map is applied to an interface or a VLAN and the specified priority is applied to all traffic,
unless the priority is overridden by one of the mechanisms described above (Per Station, 802.1p/802.1D
CoS, or Class-Map based IP TOS/DSCP/Protocol).
Figure 6-13 Default CoS Setting Using a Class-Map on a Cisco IOS AP

Combining QoS Setting Requirements


The EDCF settings shown in Figure 6-15 on page 6-16 are applied by the radio, and are determined by
the classification applied at the radio.
Network engineers must be aware of where the traffic classification is applied in order to plan and design
the QoS settings appropriately. The first classification that occurs is the one that is selected and used.
The precedence process sequence is as follows:

1. If a station identifies itself as requiring a particular CoS, this is used (Per-Appliance QoS; an example is a Symbol VoIP device).

2. Otherwise, if the frame arrives at the AP with a CoS setting via IEEE 802.1p/802.1D, that CoS is used.

3. Otherwise, if a class-map based classification (IP TOS, IP DSCP, IP Protocol, or default CoS) is defined per VLAN or interface, the CoS defined by the class-map based QoS policy is assigned to the matching traffic flow (example: SpectraLink VoIP device).

4. If none of the above mechanisms apply, the default CoS setting for the VLAN is used for all traffic.

Figure 6-14 illustrates the QoS classification precedence described in the above list.
Figure 6-14 QoS Classification Precedence on Cisco IOS-Based APs

Figure 6-14 shows the decision flow applied to each frame at ingress: Per-appliance QoS? If yes, map to CoS. If no, is a CoS value (802.1p) marked? If yes, map to CoS. If no, is a class-map defined for the interface or VLAN? If yes, map to CoS. If no, apply the default CoS (CoS = 0). In every case the frame is then sent to the transmit queue.
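The four-step precedence above, as an added Python example that is not Cisco code: classify() returns the CoS a downstream frame receives and which mechanism set it, using the match values and CoS results of the policy-map "example" shown under Class-Map Based Prioritization. The dictionary representation of a frame, the rule structure and the sample frames are constructed for the example, and the VLAN default CoS used when no policy is present is an assumption.

```python
"""Classification precedence of the Cisco IOS AP (per-appliance, then 802.1p,
then class-map policy, then VLAN default) in executable form. Added example,
not Cisco code; the frame dictionaries and rule tuples are assumptions."""

# policy-map "example" from the design guide as (match_field, value, cos) rules,
# in the order the AP lists its classes; class-default sets CoS 0.
POLICY_EXAMPLE = {
    "rules": [
        ("ip_precedence", 2, 5),   # class _class_example0: match ip precedence 2, set cos 5
        ("ip_dscp", 46, 5),        # class _class_example1: match ip dscp 46, set cos 5
        ("ip_protocol", 119, 0),   # class _class_example2: match ip protocol 119, set cos 0
    ],
    "default_cos": 0,              # class class-default: set cos 0
}

VLAN_DEFAULT_COS = 0  # assumption: the VLAN's default CoS when no policy is attached


def ip_precedence(dscp):
    """IP precedence is the top three bits of the 6-bit DSCP field."""
    return dscp >> 3


def classify(frame, policy=POLICY_EXAMPLE, vlan_default_cos=VLAN_DEFAULT_COS):
    """Return (cos, mechanism) for a downstream frame. The first mechanism
    that applies wins; later ones never re-mark the frame."""
    # 1. Per-appliance: a handset that registered itself (e.g. a Symbol VoIP device).
    if frame.get("appliance_cos") is not None:
        return frame["appliance_cos"], "per-appliance"
    # 2. 802.1p/802.1D CoS carried on the Ethernet trunk.
    if frame.get("dot1p_cos") is not None:
        return frame["dot1p_cos"], "802.1p"
    # 3. Class-map policy attached to the VLAN or interface.
    if policy is not None:
        dscp, proto = frame.get("dscp"), frame.get("ip_protocol")
        for field, value, cos in policy["rules"]:
            if field == "ip_precedence" and dscp is not None and ip_precedence(dscp) == value:
                return cos, "class-map ip_precedence"
            if field == "ip_dscp" and dscp == value:
                return cos, "class-map ip_dscp"
            if field == "ip_protocol" and proto == value:
                return cos, "class-map ip_protocol"
        return policy["default_cos"], "class-default"
    # 4. Nothing above applied: the VLAN's default CoS.
    return vlan_default_cos, "vlan-default"


# Constructed sample frames (not captured traffic).
SAMPLES = {
    "symbol_handset": {"appliance_cos": 5, "dot1p_cos": 0, "dscp": 0},  # appliance beats trunk CoS
    "trunk_marked": {"dot1p_cos": 3, "dscp": 46},                       # 802.1p beats DSCP 46
    "ef_voice": {"dscp": 46},                                           # EF matched by the DSCP rule
    "cs2": {"dscp": 16},                                                # precedence 2 rule
    "spectralink_svp": {"ip_protocol": 119, "dscp": 0},                 # SVP, as in the guide's policy
    "web": {"dscp": 0, "ip_protocol": 6},                               # falls to class-default
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify(frame))
```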

Additional QoS Features


The Cisco 1100 Series AP allows the setting of the different CWmin and CWmax values depending on
the traffic classification, as shown in Figure 6-15.
Figure 6-15 Class to CWmin and CWmax settings

In addition to the CWmin and CWmax values shown in Figure 6-15, a Fixed Slot Time setting is
available. The Fixed Slot Time corresponds to the Arbitration Inter Frame Space (AIFS) in the IEEE
802.11e Draft, a per-class replacement for the fixed DIFS. The standard DIFS equals two slot times. Traffic
classifications with a fixed slot time greater than two must wait the additional slot times before they
begin decrementing their random backoff counters, giving further precedence to traffic with a low
CWmin and the standard two-slot timing.

Guidelines for Deploying Wireless QoS


The same rules for deploying QoS in a wired network apply to deploying QoS in a wireless network.
The first and most important guideline in QoS deployment is: know your traffic. Know your protocols,
your applications' sensitivity to delay, and your traffic bandwidth. QoS does not create additional bandwidth;
it simply gives more control over where the bandwidth is allocated.
Voice traffic is probably the QoS application that is most familiar. The following are examples of how
QoS for voice is applied to different applications. When using the traffic classification schemes in
the AP, remember that once a frame's classification has been changed from the default, the application of
any further mechanism does not alter the classification again.
This discussion of wireless QoS deployment considerations is split into the following four sections:

IP SoftPhone and Other PC and PDA Based VoIP Solutions, page 6-17

Symbol Handsets, page 6-17

SpectraLink Handsets, page 6-18

Leveraging Existing Network QoS Settings, page 6-18

IP SoftPhone and Other PC and PDA Based VoIP Solutions


With IP SoftPhone and other PC-based and PDA-based VoIP solutions, the AP might not connect to the
wired Ethernet via IEEE 802.1q. VLANs might not be configured. In this case, the frames from the wired
network do not contain CoS information for the AP.
If the wired network is using IP Type of Service (ToS) or IP DSCP to mark traffic, these marks can be
recognized by the AP through the AP's DSCP-to-CoS mapping feature using class-map based
prioritization (Cisco IOS) as shown in Figure 6-12 on page 6-14.
If VLANs are used, the AP can use the CoS settings within IEEE 802.1p, and the DSCP-to-CoS mapping
is done by the upstream device. If the CoS settings of IEEE 802.1p are not utilized, the AP uses the DSCP
settings. If the switch infrastructure does not mark frames/packets with IEEE 802.1p CoS or IP
TOS/DSCP, then the VLAN default CoS on the AP is used to apply a specific wireless CoS.

Symbol Handsets
If Symbol handsets are used in the WLAN, the Symbol Extensions should be enabled.

SpectraLink Handsets
The SpectraLink Voice Protocol (SVP) is prioritized in the same manner as in the pre-WLAN QoS AP
configuration because the AP has a default filter to classify all SpectraLink voice traffic with voice
priority.
The difference between the current AP prioritization scheme and the previously released AP
prioritization method is that the prior version was limited to prioritizing within the queuing internal to
the AP. With the QoS enhancements, traffic can now be prioritized over the radio interface.
Figure 6-16 illustrates the SVP architecture for the 12.00T VxWorks and 12.2(4)JA Cisco IOS QoS features.
Figure 6-16 SpectraLink VoIP Deployment

Figure 6-16 shows NetLink wireless telephones associated to an AP1100 and an AP1200, each running EDCF-based QoS and providing EDCF-based mechanisms for downstream wireless QoS. The enterprise network connects the APs to the NetLink SVP server, Cisco CallManager and a wired VoIP phone.

Leveraging Existing Network QoS Settings


Support for IEEE 802.1p and DSCP allows the AP to leverage the existing QoS classification and
prioritization in the wired network. For more information on the design and configuration of QoS for a
Cisco AVVID Network, refer to: Cisco AVVID Network Infrastructure Enterprise Quality of Service
Design on CCO web site at http://www.cisco.com.

Chapter 7

WLAN Roaming
This chapter addresses the WLAN design considerations when assessing Layer-2 roaming of WLAN
clients. The process of a WLAN client station roaming from one AP to another AP is discussed in some
detail. Although this chapter focuses on roaming at Layer-2 (same IP subnet), the implications of
campus-wide roaming at Layer-2 and Layer-3 are also considered.
The following primary sections are presented in this chapter:

Roaming Solution Overview, page 7-2

Layer-2 Roaming Primer, page 7-4

Layer-2 Design Recommendations, page 7-9

Roaming Solution Overview


Networks are normally partitioned into discrete Layer-2 domains corresponding to IP subnets. The
difference between Layer-2 and Layer-3 roaming is shown in Figure 7-1. Layer-2 roaming occurs when
a WLAN client moves between Wireless APs that are part of the same IP subnet.
Figure 7-1

Layer-2 and Layer-3 Roaming Compared

Figure 7-1 shows two IP subnets, Subnet A and Subnet B, joined at Layer 3: a client moving between APs within one subnet performs an L2 roam, whereas moving between the subnets is an L3 roam (mobile IP).

Layer-3 roaming will be covered in a separate design guide, which will be added to the set of design
guides available from http://www.cisco.com.
WLANs can provide the ability to connect to the network from any location within the enterprise. The
desire to move from one location to another while maintaining an application session is a natural
extension of this extended network reach.
The trend towards wireless laptop computers and personal digital assistants (PDA) will further accelerate
the desire for seamless network access while moving between locations.
The benefits of WLANs in general are documented in the Chapter 1, WLAN Solution Overview. Some
of the WLAN benefits specific to mobility are:

Innovative Application Deployment: facilitates implementation of new and innovative applications that require always-on network connectivity (such as actionable alerts, messaging, and workflow applications).

Improved Efficiency and Productivity: continuous connectivity allows work to be performed at any time without interruption.

Increased Accuracy: enabling data to be captured or updated immediately from any location increases data accuracy.

General Design Characteristics


Cisco AVVID provides a comprehensive campus network architecture. In most cases, WLANs will be
applied incrementally as an overlay to the existing Cisco AVVID architecture.
Where possible, the existing Cisco AVVID three-layer architecture should be maintained. WLANs
should be deployed as an additional, dedicated, wireless subnet per wiring closet. Additional campus
WLAN design guidance is provided at http://www.cisco.com.

Layer-2 Design
Mobile IP capability is required to provide seamless roaming across Layer-3 subnet boundaries. Layer-3
roaming will be covered in a separate design guide, but note that every Layer-3 roam is preceded by a
Layer-2 (link-layer) roam.

Caveats
Deploying WLANs as recommended in this document might result in multiple Layer-2 subnets on the
same floor of a building. Some form of mobile IP will be required to roam seamlessly between the
Layer-2 subnets this design recommends.

Layer-2 Roaming Primer


This section introduces you to the underlying issues and considerations when addressing Layer-2
roaming in WLANs. The following discussion is divided into four sections:

Layer-2 Roaming Technical Overview, page 7-4

Roaming Events, page 7-5

Roam Process, page 7-7

Layer-2 Roaming Considerations, page 7-8

Layer-2 Roaming Technical Overview


A Layer-2 roam occurs when a WLAN station moves from one AP to another AP. If the new AP is on a
different IP subnet, Layer-3 roaming occurs after the Layer-2 roam is completed. Figure 7-2 illustrates
the sequence of events associated with a Layer-2 roam.
Figure 7-2

Sequence of Events for Layer-2 Roam

Figure 7-2 shows Access Point A and Access Point B connected by the wired LAN (intra-subnet roaming), with numbered arrows 1 through 4 for the client moving from AP A to AP B and the Inter Access Point Protocol (IAPP) messages described below.

The arrows in Figure 7-2 indicate the following events:


1.

A Client moves from AP A coverage area into AP B coverage area (both APs in same subnet).
As the client moves out of AP A range a Roaming Event will be triggered (such as Max Retries).

2.

The client then scans all 802.11 channels for alternative APs. In this case, the client discovers AP
B and re-authenticates and re-associates to it.

3.

AP B sends a null MAC multicast using the source address of the client. This updates the Content
Addressable Memory (CAM) tables in upstream switches and directs further LAN traffic for the
client to AP B, and not AP A.

4.

AP B sends a MAC multicast using its own source address telling the old AP that AP B now
has the client associated to it. AP A receives this multicast and removes the client MAC address
from its association table.

The main focus in this chapter is on events 1 and 2 in Figure 7-2. Events 3 and 4 are post-roam actions
taken as part of Cisco's proprietary Inter Access Point Protocol (IAPP).
It is important to note that roaming is always a client station decision. The client station is responsible
for detecting, evaluating, and roaming to an alternative AP.

Event 1 in Figure 7-2 will be discussed in more detail in the Roaming Events section on page 7-5 of
this document. Roaming Events describes the events that cause a client to initiate the roam process.
Event 2 in Figure 7-2 is covered in the Roam Process section on page 7-7. The process of discovering
evaluating and roaming to an alternative AP is discussed in that section.

Roaming Events
This section details the events that cause a client to roam. The roam process itself is described in the
Roam Process section on page 7-7. Roaming is always initiated by the client and is caused by one of
the following events (each is covered in a separate section):

Max Data Retry Count Exceeded, page 7-5

Missed Too Many Beacons, page 7-6

Data Rate Shift, page 7-6

Periodic Client Interval (If Configured), page 7-7

Initial Client Startup, page 7-7

Max Data Retry Count Exceeded


When a client station retries a packet more than the Max Data Retry Count, the station initiates a roam.
The max retry count defaults to 16, and is configured in the Aironet Client Utility (ACU) under the RF
Network tab for the currently active profile. A sample screen is shown in Figure 7-3.
Figure 7-3

Setting Max Data Retries in the ACU

Missed Too Many Beacons


All clients associated to an AP should receive a periodic beacon. By default, APs send a beacon every
100 msec. The beacon period setting on an AP is shown in Figure 7-4.
Figure 7-4

Max Data Retries, Beacon Period and Data Rate Settings

Clients learn the AP's beacon interval from an element in the beacon. If a client misses eight consecutive
beacons, a roaming event is deemed to have occurred and the roam process detailed in the Roam
Process section on page 7-7 is initiated.
By continuously monitoring for received beacons, even an otherwise idle client is able to detect a loss
of wireless link quality and is able to initiate a roam.

Data Rate Shift

Packets are normally transmitted at the AP's default rate. The default rate is the highest rate set to basic
or yes on the AP. The configuration of data rate on an AP is shown in Figure 7-4.
A rate-shift occurs when a frame is retransmitted three times and RTS/CTS is used to send the last two
retransmissions.
Every time a packet must be retransmitted at a lower rate, a count is increased by 3. For each packet
successfully transmitted at the default rate, the count is decreased by 1 until it is 0. If the count reaches
12, one of the following occurs:


• If the client has not attempted to roam in the last 30 seconds, then the roam process as described in
  the Roam Process section on page 7-7 occurs.
• If the client has already attempted to roam in the last 30 seconds, the data rate for that client is set
  to the next lower rate.

A client transmitting at less than the default rate increases the data rate back to the next-higher rate after
a short time interval if transmissions are successful.
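The counting rules above are easiest to check by modelling them. The following Python model is an added example written for this guide, not Cisco client firmware: it applies the +3/-1 counting, the threshold of 12 and the 30-second rule from the text, and assumes (the guide does not say) that the count restarts once the client has acted on it. The rate table and the fading-link scenario are constructed for the example.

```python
"""Model of the Aironet client's data-rate-shift roaming trigger.

Added example written for this guide; it is not Cisco client firmware code.
Rules taken from the Data Rate Shift section: +3 per packet retransmitted at a
lower rate, -1 (floor 0) per packet delivered at the default rate, and at 12 the
client roams unless it already roamed within the last 30 seconds, in which case
it steps down one data rate instead.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ROAM_THRESHOLD = 12                  # count at which the client must act
ROAM_HOLDOFF_S = 30.0                # a trigger within this window of a roam becomes a rate shift
RATES_MBPS = (11.0, 5.5, 2.0, 1.0)   # 802.11b rates, highest (default) first; constructed table


@dataclass
class RateShiftTracker:
    rate: float = RATES_MBPS[0]             # current transmit rate
    count: int = 0                          # the retransmission count from the section
    last_roam_at: Optional[float] = None    # time of the last roam attempt, seconds
    log: List[str] = field(default_factory=list)

    def packet_sent_at_default_rate(self) -> int:
        """A packet delivered at the default rate decrements the count, never below 0."""
        self.count = max(0, self.count - 1)
        return self.count

    def packet_retransmitted_at_lower_rate(self, now: float) -> str:
        """A packet retransmitted at a lower rate adds 3 to the count.
        Returns the action taken: 'none', 'roam' or 'rate_shift'."""
        self.count += 3
        if self.count < ROAM_THRESHOLD:
            return "none"
        # Assumption (not stated in the guide): the count restarts once the client acts on it.
        self.count = 0
        if self.last_roam_at is None or now - self.last_roam_at > ROAM_HOLDOFF_S:
            self.last_roam_at = now
            self.log.append(f"t={now:.0f}s roam: count reached {ROAM_THRESHOLD}")
            return "roam"
        # Already roamed within the last 30 s: drop to the next lower rate instead.
        idx = RATES_MBPS.index(self.rate)
        if idx + 1 < len(RATES_MBPS):
            self.rate = RATES_MBPS[idx + 1]
        self.log.append(f"t={now:.0f}s rate shift to {self.rate} Mbps")
        return "rate_shift"

    def successful_interval_elapsed(self) -> float:
        """After a short interval of successful transmissions the client steps back up one rate."""
        idx = RATES_MBPS.index(self.rate)
        if idx > 0:
            self.rate = RATES_MBPS[idx - 1]
        return self.rate


def simulate_fading_link() -> RateShiftTracker:
    """Constructed scenario: the link degrades at t=0 and the client roams; the link is still
    poor ten seconds later, so the second trigger becomes a rate shift; then the link recovers."""
    t = RateShiftTracker()
    first = [t.packet_retransmitted_at_lower_rate(now=float(i)) for i in range(4)]
    second = [t.packet_retransmitted_at_lower_rate(now=10.0 + i) for i in range(4)]
    t.log.append(f"trigger actions: {first[-1]}, {second[-1]}")
    # Link recovers: a short interval of successful transmissions restores the higher rate.
    t.successful_interval_elapsed()
    return t


if __name__ == "__main__":
    for line in simulate_fading_link().log:
        print(line)
```

Running the module prints the actions taken in the constructed scenario; the same tracker can be driven from a sequence of retransmission events taken from a client driver trace to see when the roam and rate-shift thresholds would have fired.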

Periodic Client Interval (If Configured)

The latest version of ACU, client driver, and firmware allow the client to periodically scan for a better
AP when its signal strength gets low. This capability is configured in the ACU for the selected profile
under the RF Network tab as shown in Figure 7-5. The periodic scan is a roaming event that causes the
roam process described in the Roam Process section on page 7-7 to occur.

Figure 7-5 ACU Configuration: Periodic Scan for a Better AP

Initial Client Startup

When a client starts up it goes through the roam process described in the Roam Process section on
page 7-7, to scan for (and associate with) the most appropriate AP.

Roam Process

The Roaming Events section on page 7-5 described the events that can occur to cause a client to decide
that it needs to roam. This section addresses actions taken by a client station when it roams.


When a roaming event occurs the client station scans each 802.11 channel (the client scans all 802.11
channels valid in the country in which the client is operating). On each channel, the client station sends a
probe and waits for a probe-response or beacon from APs on that channel. The probe responses and
beacons received from other APs are discarded unless the conditions listed in Table 7-1 are met.
Table 7-1 AP Conditions Required to be Considered as a Roam Target

| Client Station with Aironet Extensions Enabled (1) | Client Station without Aironet Extensions |
|---|---|
| AP's signal strength is greater than 20 percent; and, if it is 20+ percent weaker than the current AP, its absolute signal strength must be at least 50 percent | Unknown; implementation dependent |
| If the AP is in repeater mode and is more radio hops from the backbone than the current AP, its signal strength must be more than 20 percent greater than the current AP | Not applicable; radio hop information is a Cisco proprietary element in beacons |
| The new AP must not have more than a 10 percent worse transmitter load than the current AP | Not applicable; AP transmitter load information is a Cisco proprietary element in beacons |

1. Probe-responses/beacons must satisfy all conditions.

If the conditions in Table 7-1 are satisfied, then a client roams to a new AP that best meets one of the
conditions specified in Table 7-2.
Table 7-2 Choosing from Eligible Roam Targets

| Client Station with Aironet Extensions Enabled (AP must satisfy any condition) | Client Station without Aironet Extensions (AP must satisfy all conditions) |
|---|---|
| Signal strength is more than 20 percent stronger | Unknown; implementation dependent |
| Fewer hops to the backbone | Not applicable; backbone hops information is a Cisco proprietary element in beacons |
| 4 (or more) fewer clients associated to it | Not applicable; AP client association load information is a Cisco proprietary element in beacons |
| 20+ percent less transmitter load (1) | Not applicable; AP transmitter load information is a Cisco proprietary element in beacons |

1. Transmitter load is an indication of whether an AP radio is busy sending frames.
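Tables 7-1 and 7-2 together describe a filter-then-rank decision: discard every AP that fails any Table 7-1 condition, then prefer an AP that meets at least one Table 7-2 condition. The Python below is an added example, not Cisco client code, that encodes both tables for a client with Aironet extensions enabled. The ApInfo structure, the constructed scan results and the tie-break rule (most satisfied Table 7-2 conditions, then signal strength) are assumptions made for the example; the guide only says the client picks the AP that "best meets" the conditions.

```python
"""Roam target selection for a client with Aironet extensions, following
Table 7-1 (eligibility: every condition must hold) and Table 7-2 (preference:
any one condition makes an AP a candidate). Added example, not Cisco client code.
Signal strength and transmitter load are percentages, as in the tables.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ApInfo:
    """What a client learns about an AP from a probe response or beacon.
    hops, clients and tx_load come from the Cisco proprietary beacon element."""
    name: str
    signal: int        # percent
    repeater: bool     # AP is in repeater mode
    hops: int          # radio hops to the backbone (0 = AP on the wired backbone)
    clients: int       # clients associated to the AP
    tx_load: int       # percent of time the radio is busy sending frames


def is_eligible(current: ApInfo, cand: ApInfo) -> bool:
    """Table 7-1: an AP is discarded unless every condition holds."""
    if not cand.signal > 20:
        return False
    # 20+ percent weaker than the current AP: absolute strength must be at least 50 percent
    if current.signal - cand.signal >= 20 and cand.signal < 50:
        return False
    # Repeater farther from the backbone: must be more than 20 percent stronger than current
    if cand.repeater and cand.hops > current.hops and not cand.signal - current.signal > 20:
        return False
    # Transmitter load must not be more than 10 percent worse than the current AP
    if cand.tx_load - current.tx_load > 10:
        return False
    return True


def preference_reasons(current: ApInfo, cand: ApInfo) -> List[str]:
    """Table 7-2: each satisfied condition is a reason to prefer cand over the current AP."""
    reasons = []
    if cand.signal - current.signal > 20:
        reasons.append("signal more than 20 percent stronger")
    if cand.hops < current.hops:
        reasons.append("fewer hops to the backbone")
    if current.clients - cand.clients >= 4:
        reasons.append("4 or more fewer clients")
    if current.tx_load - cand.tx_load >= 20:
        reasons.append("20+ percent less transmitter load")
    return reasons


def choose_roam_target(current: ApInfo, scan_results: List[ApInfo]) -> Optional[ApInfo]:
    """Discard ineligible APs, then pick the one that best meets Table 7-2.
    Assumption: 'best' is the AP satisfying the most Table 7-2 conditions, ties broken
    by signal strength; the guide does not define the ordering."""
    best, best_key = None, None
    for ap in scan_results:
        if not is_eligible(current, ap):
            continue
        reasons = preference_reasons(current, ap)
        if not reasons:
            continue
        key = (len(reasons), ap.signal)
        if best_key is None or key > best_key:
            best, best_key = ap, key
    return best


# Constructed scan results for a client currently associated to AP-current.
CURRENT = ApInfo("AP-current", signal=40, repeater=False, hops=0, clients=10, tx_load=30)
SCAN = [
    ApInfo("AP-weak",     signal=15, repeater=False, hops=0, clients=1, tx_load=5),   # signal <= 20
    ApInfo("AP-busy",     signal=70, repeater=False, hops=0, clients=2, tx_load=50),  # load 20 worse
    ApInfo("AP-repeater", signal=55, repeater=True,  hops=1, clients=2, tx_load=20),  # extra hop, only +15
    ApInfo("AP-quiet",    signal=45, repeater=False, hops=0, clients=9, tx_load=5),   # 25 less tx load
    ApInfo("AP-good",     signal=65, repeater=False, hops=0, clients=4, tx_load=25),  # stronger, fewer clients
]

if __name__ == "__main__":
    target = choose_roam_target(CURRENT, SCAN)
    print(target.name, preference_reasons(CURRENT, target))
```

The first three constructed APs each fail exactly one Table 7-1 condition, which is the useful thing to trace when a client keeps ignoring an AP that looks strong on a site survey: transmitter load and repeater hop count, not just signal, can rule an AP out.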

Layer-2 Roaming Considerations


A Layer-2 roam is a disruptive event for a WLAN client. WLAN radios are designed to transmit and
receive on only one of the 802.11 channels at a time. Because the wireless station is only receiving on
one of the eleven 802.11 channels, it is not generally aware of other APs on alternative channels.


Note

There are 11 channels available in the US. There are 13 channels defined by the 802.11 specification.
Their usage varies from country to country.
To find out if a better AP is available, the client must cease transmitting and receiving on the current
channel and move sequentially through each of the possible alternative channels.
The following actions need to occur on each of the channels scanned:

1. Radio hardware needs to move to and settle on the new channel.
2. Client needs to listen to the new channel long enough to avoid a collision as per the CSMA/CA
   media access implemented in 802.11.
3. Client transmits a probe frame.
4. Client receives a probe-response or a beacon frame.

Layer-2 Design Recommendations


This section provides design guidance for architecting and deploying a network as it applies to Layer-2
roaming considerations. Additional WLAN design guidance is provided at http://www.cisco.com.
Layer-2 design recommendations are addressed in the following sections:

• Cisco AVVID Design, page 7-9
• Sizing the Layer-2 Domain, page 7-10
• Roaming Implementation Recommendations, page 7-10

Cisco AVVID Design


Cisco provides comprehensive campus network architecture guidance. WLANs should be an
incremental addition to the existing Cisco AVVID network infrastructure. Please refer to campus design
content provided at http://www.cisco.com.
The existing Cisco AVVID three-layer architecture should be maintained, and WLANs should be
deployed as an additional, dedicated, wireless subnet per wiring closet. Figure 7-6 shows a typical Cisco
AVVID architecture to which a WLAN subnet was added to each access layer switch.
Figure 7-6 Adding WLAN to Cisco AVVID Architecture

(Diagram: two access-layer switches connected to a Layer 3 distribution pair running HSRP. The first
switch carries VLAN 20 Data (10.1.20.0), VLAN 21 WLAN (10.1.21.0) and VLAN 120 Voice (10.1.120.0);
the second carries VLAN 40 Data (10.1.40.0), VLAN 41 WLAN (10.1.41.0) and VLAN 140 Voice
(10.1.140.0). One distribution switch is HSRP active for VLANs 20, 41 and 140, the other for VLANs 40,
21 and 120.)


Sizing the Layer-2 Domain

In Figure 7-6, each access-layer switch represents a separate wiring closet. To each switch a dedicated
VLAN for WLAN APs is added. APs are connected to a dedicated VLAN in order to keep the broadcast
domain as small as possible; WLANs are a shared half-duplex media and broadcasts have a bigger
impact on APs than on most devices connected to switch ports.
Some organizations may decide to extend the Layer-2 network to provide Layer-2 mobility across a
greater section of the enterprise. For these organizations, Cisco's advanced spanning tree features such
as Rapid Spanning Tree Protocol (RSTP) will prove useful.

Note

For related information regarding spanning-tree design and implementation considerations please refer
to the Cisco AVVID Network Infrastructure: Implementing 802.1w and 802.1s in Campus Networks
SRND.

Roaming Implementation Recommendations

Cisco's IAPP provides seamless mobility within a single subnet only.
In the absence of Mobile IP, when a WLAN client moves to an AP on a different subnet, the IP address
must be renewed; Windows 2000/XP does this automatically. Renewing the IP address causes
application sessions using that IP address to break.
Some applications, such as email and web-based applications, may recover and continue to operate
normally when their IP addresses change (either automatically by Windows 2000/XP, or manually if
using a different operating system).
Other applications such as telnet, FTP, and any other connection-based application fail and must be
manually restarted.
Mobile IP is the solution to these application problems, as it will maintain a constant IP address for host
applications across Layer-3 subnet boundaries. Mobile IP deployment will be the subject of a
forthcoming Cisco Enterprise Solutions Engineering design guide.


Chapter 8

IP Multicast in a Wireless LAN

This chapter describes the configurations needed to control IP Multicast traffic over a WLAN and
includes the following sections:

• Multicast WLAN Deployment Recommendations, page 8-1
• IP Multicast WLAN Configuration, page 8-2
• Other Considerations, page 8-4
• Summary, page 8-5

Tip

For information about IP multicast theory, deployment, and configuration, please see the Cisco AVVID
Network Infrastructure IP Multicast Design SRND.

Note

This chapter uses MoH and IP/TV in the examples. It does not, however, provide configurations and
designs for MoH and IP/TV. Also, other types of IP multicast implementations, such as IP multicast for
financial deployments, are not covered.

Multicast WLAN Deployment Recommendations


By default, IP multicast traffic is permitted to stream across a WLAN. However, because WLANs use
shared bandwidth, certain measures should be taken to prevent saturation of the available bandwidth. If
IP multicast traffic is not required on the wireless network, it is recommended that a boundary be
configured to block the multicast traffic. The best place to control IP Multicast traffic is on the routers
and switches that connect to the APs and bridges. If a Layer-3 device is not available for use in deploying
the configurations described in this chapter, then see the Cisco AVVID Network Infrastructure Wireless
LAN Design SRND for recommendations for using AP and bridge MAC and IP filters to block traffic.

Note

Filters on the AP and bridge do not provide the flexibility needed for true multicast control.
If IP Multicast is to be deployed and streamed across the wireless network, then the following
recommendations should be implemented:

• Prevent unwanted multicast traffic from being sent out on the air interface.
• Place the WLAN in its own subnet.


• Control which multicast groups are allowed by implementing multicast boundaries on the egress
  Layer 3 interface connecting to the VLAN or interface to the AP or bridge.
• To gain the highest AP/bridge performance for multicast traffic and data traffic, configure the APs
  and bridges to run at the highest possible fixed data rate. This removes the requirement for multicast
  to clock out at a slower rate, which can impact the range of the AP/bridge and must be taken into
  account in the site survey.
• If multicast reliability is a problem (seen as dropped packets), ignore the preceding recommendation
  and use a slower data rate (base rate) for multicast. This gives the multicast a better signal-to-noise
  ratio and can reduce the number of dropped packets.
• Test the multicast application for suitability in the WLAN environment. Determine the application
  and user performance effects when packet loss is higher than that seen on wired networks.

IP Multicast WLAN Configuration


The ip multicast boundary command configures an administratively scoped boundary on an interface
for multicast group addresses found in the range defined by an access list. No multicast packets are
allowed to flow across the boundary from either direction, except those packets explicitly allowed by the
access list.

Controlling IP Multicast in a WLAN with APs


Figure 8-1 shows the topology for a WLAN using an AP. The IP multicast source is the IP/TV server
(10.5.10.22). There are two multicast streams being sourced from the IP/TV server.

239.255.0.1 is a high-rate (1.4 Mbps) video stream.

239.192.248.1 is a low-rate (100 Kbps) video stream.

The low-rate stream is allowed and the high-rate stream is disallowed on the WLAN link. A multicast
boundary is used to control multicast forwarding and IGMP packets.
Figure 8-1 Testbed for Wireless LAN using an Access Point

(Diagram: the IP/TV server 10.5.10.22 in the campus network is the source for the 239.255.0.1 high-rate
stream and the 239.192.248.1 low-rate stream. The L3-Switch has VLAN 200 (10.1.200.x) at .1, the
Cisco 350 AccessPoint is at .100, and the PC with a 350 PC Card is at .101.)

In this configuration:


• L3-SWITCH connects to the campus network and the Cisco Aironet 350 Access Point
  (10.1.200.100).
• The VLAN 200 interface on L3-SWITCH has the IP address of 10.1.200.1 and is the interface that
  provides the boundary for IP multicast.
• The laptop computer (10.1.200.101) has a Cisco Aironet 350 PC Card and is running the IP/TV
  Viewer software.

Below is the configuration for L3-SWITCH.

interface Vlan200
 description WLAN VLAN
 ip address 10.1.200.1 255.255.255.0
 ip pim sparse-mode
 ip multicast boundary IPMC-WLAN
!
ip access-list standard IPMC-WLAN
 permit 239.192.248.1

• ip pim sparse-mode enables PIM on the interface.
• ip multicast boundary IPMC-WLAN refers to the named ACL IPMC-WLAN and controls
  multicast forwarding AND IGMP packets.
• permit 239.192.248.1 permits the low-rate stream (239.192.248.1).

Controlling IP Multicast in a P2P WLAN using Bridges


The same boundary that was deployed in the AP scenario is used with the bridge scenario. Figure 8-2
shows the topology for a WLAN using a bridge for a Point-to-Point (P2P) connection. The IP/TV server
(10.5.10.22) is sourcing the same groups as in the previous example:

239.255.0.1 is a high-rate (1.4 Mbps) video stream.

239.192.248.1 is a low-rate (100 Kbps) video stream.

The low-rate stream is allowed and the high-rate stream is disallowed on the P2P wireless link. To
control what multicast traffic passes over the P2P link, only the ip multicast boundary configuration
on ROUTER is needed. Because the multicast boundary prevents hosts from joining unwanted groups,
the network never knows to forward unwanted traffic over the P2P link.
Figure 8-2 Testbed for Point-to-Point Wireless Network using Bridges

(Diagram: the IP/TV server 10.5.10.22 in the campus network is the source for the 239.255.0.1 high-rate
stream and the 239.192.248.1 low-rate stream. The L3-Switch has VLAN 100 (10.1.100.x) at .1;
350-Bridge-L is at .100 and 350-Bridge-R at .101. The Router is at 10.1.100.2 on the bridge side and
10.1.101.1 on the remote LAN (10.1.101.x), behind which L2-Switch-PWR connects a PC with a 350 PC
Card at .2.)

In this configuration:


• L3-SWITCH (VLAN 100, 10.1.100.1) connects to the campus network and the P2P wireless
  network.
• The P2P wireless link is made possible by two Cisco Aironet 350 Bridges, 350-Bridge-L
  (10.1.100.100) and 350-Bridge-R (10.1.100.101).
• ROUTER (10.1.100.2) connects to the P2P wireless network and the remote site network
  (10.1.101.1) via L2-SWITCH-PWR.
• The laptop computer (10.1.101.2) is running the IP/TV Viewer software.

If the remote side of the P2P link has a Layer 2 switch and no Layer 3 switch or router, then a boundary
can be placed on the VLAN 100 interface of L3-SWITCH. Also, in a Point-to-Multipoint (P2MP)
deployment, a mix of both may be needed. Both configurations are shown here for reference.
Following is the configuration for L3-SWITCH.

interface Vlan100
 description VLAN for P2P Bridge
 ip address 10.1.100.1 255.255.255.0
 ip pim sparse-mode
 ip multicast boundary IPMC-BRIDGE
!
ip access-list standard IPMC-BRIDGE
 permit 239.192.248.1

• ip pim sparse-mode enables PIM on the interface.
• ip multicast boundary IPMC-BRIDGE refers to the named ACL IPMC-BRIDGE.
• permit 239.192.248.1 permits the low-rate stream (239.192.248.1).

To prevent unwanted IGMP messaging and multicast traffic from traversing the P2P wireless link on the
receiver side (remote LAN - 10.1.101.x), an ip multicast boundary is configured on the Fast Ethernet
0/1 interface of ROUTER.
Following is the configuration for ROUTER.

interface FastEthernet0/1
 description Local LAN in Remote Site
 ip address 10.1.101.1 255.255.255.0
 ip pim sparse-mode
 ip multicast boundary IPMC-BRIDGE
!
ip access-list standard IPMC-BRIDGE
 permit 239.192.248.1

• ip pim sparse-mode enables PIM on the interface.
• ip multicast boundary IPMC-BRIDGE refers to the named ACL IPMC-BRIDGE.
• permit 239.192.248.1 permits the low-rate stream (239.192.248.1).
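The AP configuration for L3-SWITCH and the bridge configurations for L3-SWITCH and ROUTER all depend on the same thing: a standard ACL, referenced by ip multicast boundary, that permits only the low-rate group. The Python audit below is an added example rather than Cisco software. It parses an IOS-style configuration, evaluates each multicast group against the ACL a boundary references using standard-ACL first-match semantics with the implicit deny at the end, and flags interfaces that have no boundary at all or whose boundary names an ACL that is never defined. The SAMPLE_CONFIG text is constructed after the L3-SWITCH and ROUTER examples in this chapter; interface Vlan300 and the ACL name IPMC-TYPO exist only to exercise the two failure cases.

```python
"""Audit of 'ip multicast boundary' configuration.

Added example for this chapter, not Cisco software. Parses interface blocks and
standard ACLs from an IOS-style config and reports, per interface, whether each
multicast group is permitted, denied, or not bounded at all. Only standard-ACL
first-match semantics with the implicit deny are modelled.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Ace = Tuple[str, ipaddress.IPv4Network]   # ("permit" | "deny", matched network)

# Constructed after the L3-SWITCH example; Vlan300 and IPMC-TYPO are deliberate faults.
SAMPLE_CONFIG = """\
interface Vlan200
 description WLAN VLAN
 ip address 10.1.200.1 255.255.255.0
 ip pim sparse-mode
 ip multicast boundary IPMC-WLAN
!
interface Vlan300
 description Wired user VLAN, no multicast boundary
 ip address 10.1.30.1 255.255.255.0
 ip pim sparse-mode
!
interface FastEthernet0/1
 description Boundary that references an ACL nobody defined
 ip multicast boundary IPMC-TYPO
!
ip access-list standard IPMC-WLAN
 permit 239.192.248.1
 deny   239.255.0.0 0.0.255.255
"""


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks set 1 bits for 'don't care'; only contiguous masks are accepted."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parses: permit|deny  host A.B.C.D | A.B.C.D [wildcard] | any"""
    tokens = line.split()
    action = tokens[0]
    if tokens[1] == "any":
        return action, ipaddress.ip_network("0.0.0.0/0")
    if tokens[1] == "host":
        return action, ipaddress.ip_network(f"{tokens[2]}/32")
    wildcard = tokens[2] if len(tokens) > 2 else "0.0.0.0"
    return action, _wildcard_to_network(tokens[1], wildcard)


def parse_config(text: str):
    """Returns (interface -> boundary ACL name or None, ACL name -> entries)."""
    interfaces: Dict[str, Optional[str]] = {}
    acls: Dict[str, List[Ace]] = {}
    current_if = current_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                       # IOS section separator ends the current block
            current_if = current_acl = None
            continue
        if line.startswith("interface "):
            current_if, current_acl = line.split(None, 1)[1], None
            interfaces.setdefault(current_if, None)
        elif line.startswith("ip access-list standard "):
            current_acl, current_if = line.split()[3], None
            acls.setdefault(current_acl, [])
        elif current_if and line.startswith("ip multicast boundary "):
            interfaces[current_if] = line.split()[3]
        elif current_acl and line.split()[0] in ("permit", "deny"):
            acls[current_acl].append(parse_ace(line))
    return interfaces, acls


def acl_permits(acl: List[Ace], group: str) -> bool:
    """First matching entry wins; an unmatched group hits IOS's implicit deny."""
    g = ipaddress.IPv4Address(group)
    for action, net in acl:
        if g in net:
            return action == "permit"
    return False


def audit_boundaries(config_text: str, groups: List[str]) -> Dict[str, Dict[str, str]]:
    """Per interface, classify each group as permit / deny / no-boundary / acl-undefined."""
    interfaces, acls = parse_config(config_text)
    report = {}
    for ifname, acl_name in interfaces.items():
        if acl_name is None:
            verdict = {g: "no-boundary" for g in groups}
        elif acl_name not in acls:
            verdict = {g: "acl-undefined" for g in groups}
        else:
            verdict = {g: "permit" if acl_permits(acls[acl_name], g) else "deny" for g in groups}
        report[ifname] = verdict
    return report


STREAMS = ["239.192.248.1", "239.255.0.1"]   # the low-rate and high-rate IP/TV groups above

if __name__ == "__main__":
    for ifname, verdict in audit_boundaries(SAMPLE_CONFIG, STREAMS).items():
        print(ifname, verdict)
```

Because the boundary blocks IGMP joins as well as forwarding, a "deny" verdict for the high-rate group on the WLAN VLAN means the wireless segment never asks for that stream; the "acl-undefined" case is the one worth checking on real gear before trusting the output, since the audit only reports that the reference is dangling and makes no claim about how IOS treats it.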

Other Considerations
The following additional considerations apply to deploying IP multicast in a WLAN environment:

• The WLAN LAN extension via EAP and WLAN static WEP solutions can support multicast traffic
  on the WLAN; the WLAN LAN extension via IPSec solution cannot.
• The WLAN has an 11 Mbps available bit rate that must be shared by all clients of an AP. If the AP
  is configured to operate at multiple bit-rates, multicasts and broadcasts are sent at the lowest rate to
  ensure that all clients receive them. This reduces the available throughput of the network because
  traffic must queue behind traffic that is being clocked out at a slower rate.


• Cisco Group Management Protocol (CGMP) and/or Internet Group Management Protocol (IGMP)
  should be used to limit the multicast traffic on each AP to the traffic required by associated clients.
  If a client roams with these features configured on an upstream switch, the multicast stream might
  not be delivered to the new AP. To address this, the Cisco AP can be configured to generate a general
  IGMP query when a client associates or disassociates. This allows the upstream switch to learn
  which multicast groups are required on that AP.
• Multicast and broadcast from the AP are sent without requiring link-layer acknowledgement. Every
  unicast packet is acknowledged and retransmitted if unacknowledged. The purpose of the
  acknowledgement is to overcome the inherent unreliable nature of wireless links. Broadcasts and
  multicasts are unacknowledged due to the difficulty in managing and scaling the acknowledgements.
  This means that a network that is seen as operating well for unicast applications can experience
  degraded performance in multicast applications.
• Enterprise customers who are using WLAN in laptops would normally use Constant Awake Mode
  (CAM) as the Power-Save Mode. If delay-sensitive multicast traffic is being sent over the WLAN,
  customers should ensure that only the CAM configuration is used on their WLAN clients. Based on
  the 802.11 standard, if the client is in power-save mode, then the AP will buffer broadcast and
  multicast traffic until the next beacon period that contains a delivery traffic information map (DTIM)
  transmission. The default period is 200ms. Enterprises that use WLAN on small handheld devices
  will most likely need to use the WLAN power-save features (Max or Fast) and should not attempt
  to run delay-sensitive multicast traffic over the same WLAN.

Summary

In summary, when using IP multicast in the WLAN, follow these recommendations.

• Place the WLAN AP or bridge on a separate VLAN or Layer 3 interface so multicast boundaries can
  be implemented.
• Use the ip multicast boundary command to prevent IGMP joins and multicast forwarding on
  denied multicast groups.
• In a WLAN using an AP, the boundary should be placed on the VLAN or Layer 3 interface connecting
  to the AP.
• In a WLAN using bridges, the boundary is placed on the VLAN or Layer 3 interface connecting to
  the remote receiver side. If no Layer 3 capable device is used at the remote site, the boundary is
  placed on the VLAN or Layer 3 interface connecting to the bridge at the main site. Also, a
  combination of a boundary at the receiver side and bridge connection at the main site may be needed
  in a P2MP deployment.
• Set the highest possible fixed data rate on the APs and bridges to ensure the best possible
  performance for multicast and data traffic.
• If dropped packets occur and impact the performance of the application, the fixed data rate on the
  APs and bridges may need to be reduced to ensure a better signal-to-noise ratio, which can reduce
  dropped packets.


Chapter 9

WLAN Rogue AP Detection and Mitigation

This appendix outlines the threat posed by rogue APs in the Enterprise Network and some strategies for
preventing and detecting them. It is preferable to prevent rogue APs rather than detect them once created.
The following methods summarize the keys to prevention:

• Provide enterprise employees with a secure WLAN infrastructure supported by an enterprise IT
  department. This removes the motivation for rogue AP installation.
• Implement 802.1x on enterprise edge switches to provide complete rogue AP prevention.

Methods for detecting rogue APs in the enterprise include wireless methods such as using the free
Boingo WLAN hotspot locator client to detect WLANs and the use of sophisticated analysis tools on the
Ethernet backbone. None of the available tools for detecting rogue APs guarantees the detection of all
rogue APs, and a combination of tools should be used to raise the probability of detection.
The following sections are presented:

• Rogue AP Summary and Scope of Problem, page 9-2
• Preventing and Detecting Rogue APs, page 9-6


Rogue AP Summary and Scope of Problem

Rogue APs are APs that have been installed on an Enterprise Network without the authorization of the
enterprise IT department. Figure 9-1 illustrates the generalized rogue AP threat in the context of an
enterprise environment. Refer to Table 9-1 for threat details.

Figure 9-1 Preventing Rogue APs

(Diagram: a Layer 3 core with Subnet A and Subnet B; the figure itself is not reproduced here.)

This appendix does not consider a misconfigured production AP to be a rogue AP. Cisco's Wireless LAN
Solution Engine (WLSE) is capable of checking the configuration on production APs. The Aptools
program mentioned in the Using MAC Addresses to Detect Rogue AP section on page 9-16 is also capable
of checking the security configuration on discovered APs. This appendix divides people installing rogue
APs into one of the categories described in Table 9-1.


Table 9-1 Typical Rogue AP Threats

Rogue AP Threat: Malicious Hacker (James Bond)

Threat Description: Someone who, having penetrated physical security once, installs an AP in order to
access the Enterprise Network from outside the physical perimeter in the future.
Very difficult to detect because the intruder can customize the wireless AP to disguise it from tools
designed to detect it.
Rogue AP prevention techniques such as physical security and 802.1x port-based security are most
effective against this class of threat.
This class of user is more likely to install a specialized network device than an AP. An AP requires a
hacker to be within range of the AP in order to use it. This is both inconvenient and dangerous for a
hacker, who is more likely to install a specialized device that establishes a tunnel outbound from the
enterprise to another device somewhere on the Internet. The hacker might then use the pre-established
tunnel to access the Enterprise Network from anywhere on the Internet (see When Dreamcasts Attack in
the Security References section on page 1-8).

Rogue AP Threat: Frustrated Insider (James from Accounting)

Threat Description: Someone who installs an unauthorized AP in order to provide wireless coverage
where none is officially available. For example, enabling wireless networking in a meeting room,
cafeteria, outdoor space, or other common area.
The wide availability of low-cost APs makes this installation type very easy.
The threat posed by this class of installer is that the person installing the AP is often ignorant of
security features that are necessary to prevent outsiders from accessing the Enterprise Network, and
the consumer grade AP commonly used in this installation does not have the features to provide an
enterprise level of security.

This appendix discusses a variety of ways in which an enterprise can prevent and detect rogue AP
installations. The focus here is on the Frustrated Insider class of user as they are considered to be the
most common source of rogue AP installations and are the easiest to detect. Some of the techniques
mentioned may detect the malicious hacker class of user, but as mentioned previously, it is best to
concentrate on preventing this class of user through physical security and 802.1x. Rogue AP detection
is broken into wireless, wired, and physical observation methods. A combination of these methods is
necessary to be most effective.


The Rogue AP Threat

Media attention has focused on the dangers posed by the tools and techniques available for detecting and
gaining access to WLAN networks.
Most rogue APs are not installed securely and can be used by outsiders to gain access to an Enterprise
Network. Some of the shortcomings of most rogue AP installations are:

• They often use well-known manufacturer default settings that provide little or no security
• They do not have WEP (encryption) enabled
• If WEP is enabled, the Cisco enhancements such as TKIP and MIC are not available or enabled
• If VPN protection is the company security policy for WLANs, rogue APs may be placed on the
  internal network instead of on the WLAN DMZ

The end result of these security shortcomings is that outsiders have a method to connect to the Enterprise
Network without the need to first bypass physical security mechanisms such as locked doors, security
guards, and vigilant employees.
Outsiders may wish to gain WLAN access for the following purposes:

• To gain free access to the Internet (via the Enterprise Network's connection)
• To gain access to the Enterprise Network, possibly to launch attacks on other enterprise resources
  such as servers containing confidential information or running mission-critical applications.
• To observe confidential Enterprise WLAN traffic.

Media Attention to WLAN Security Weaknesses

A Google (http://www.google.com/) search on the term wardriving produces thousands of links
describing the practice of using inexpensive off-the-shelf WLAN equipment to discover and map
WLAN networks. Wardrivers can use a GPS to record the location of all WLAN networks found, and
can upload this information to websites that track and make available the location and basic security
settings for all WLAN networks discovered.
If a Frustrated Insider installs a poorly secured WLAN AP, it can be easily detected, mapped, and listed
online by a wardriver.
In general, media attention has focused on the tools summarized in Table 9-2, both of which can be
downloaded from the Internet free of charge.

Table 9-2 Wireless Detection Tools

| Tool | Description |
|---|---|
| Netstumbler | http://www.netstumbler.com/ Free Windows and WinCE software that scans for wireless APs. Provides information about SSID, WEP enabled, 802.11 channel, signal strength, location (if used with GPS) and more. |
| Airsnort | Free WLAN tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. WEP plus TKIP and MIC strengthens WEP, preventing key recovery. |


With Netstumbler, an outsider can discover the existence of an insecure wireless LAN, and can then
access the WLAN to gain access to the Enterprise Network or to observe confidential WLAN traffic.
If Netstumbler shows that WEP is being used to encrypt WLAN traffic, Airsnort can be used to determine
the WEP key.
If Netstumbler shows that the WLAN has been installed with no WEP enabled, then network access can
be gained just by configuring the client to match the detected network.
Figure 9-2 illustrates a screen capture taken from a Pocket PC during a commute to work. Netstumbler
identified 68 access-points. The first column of the display indicates whether or not WEP is enabled for
each AP discovered. Other information such as 802.11 channel, Signal-to-Noise Ratio (SNR), and (if a
GPS is connected) longitude and latitude can also be displayed.
Figure 9-2

Netstumbler on PPC (MiniStumbler)

The Netstumbler capture shown in Figure 9-2 was taken from within a moving car with no specialized
equipment such as an external antenna necessary.
Another phenomenon receiving media attention is warchalking, where chalk symbols are placed on
buildings signifying the presence and characteristics of wireless LAN networks. For more information
on warchalking perform a Google search on warchalk, or go to the following website:
http://www.blackbeltjones.com/warchalking/index2.html

Truth About WLAN Security


WLAN can be deployed securely using standards-based EAP mechanisms such as EAP-Cisco,
EAP-TLS, EAP-TTLS, or by using VPNs to segregate the WLAN from the rest of the Enterprise
Network.
The threat posed by rogue APs can be mitigated. This appendix provides recommendations aimed at
minimizing the risk rogue APs represent to Enterprise Networks. The emphasis of this discussion
focuses on the following topics:

• Prevention


  - Corporate Policy
  - Physical security
  - Supported WLAN infrastructure
  - 802.1x port based security on edge switches

• Detection
  - Using wireless analyzers/sniffers
  - Using scripted tools on the wired infrastructure
  - By physically observing WLAN AP placement and usage

Preventing and Detecting Rogue APs


Figure 9-3 summarizes the primary options in preventing and detecting rogue APs. Suggestions for
specific actions are detailed in the following sections:

• Preventing Rogue APs, page 9-7
• Detecting Rogue APs Wirelessly, page 9-12

Figure 9-3 Rogue AP Prevention and Detection

(Diagram: a Layer 3 core with Subnet A and Subnet B. Prevention measures shown: secure/supported
WLAN infrastructure provided; 802.1x on switches; WLAN policy and physical security. Detection
measures shown: regular scripted audits; active wireless audit; physical observation.)


Preventing Rogue APs

The first priority for Enterprise IT security departments should be to prevent rogue APs. The following
sections present prevention suggestions:

• Corporate WLAN Policy, page 9-7
• Physical Security, page 9-7
• Supported Wireless Infrastructure, page 9-7
• IEEE 802.1x Port-based Security to Prevent APs, page 9-7
• Using Catalyst Switch Filters to Limit MAC Addresses per Port, page 9-10

Corporate WLAN Policy

An enterprise policy concerning WLAN installations is an essential first step in preventing rogue APs.
The WLAN policy should include a list of IT staff authorized to install WLAN APs and details of
mandatory security policies to be followed when WLANs are installed.

Physical Security
Physical security also plays a part in rogue AP prevention. Physical security standards should be in place
to prevent an intruder from gaining unauthorized access to the enterprise premises or to detect the
intruder if physical access is gained.

Supported Wireless Infrastructure


Given that almost all rogue APs are installed by the Frustrated Insider class of user, the best way to
prevent such rogue installs is to remove the motivation for them. Installing a managed, supported, and
secure WLAN network throughout the enterprise removes the motivation for employees to install rogue
APs.
A WLAN network provides proven productivity gains as well as removing the motivation for almost all
rogue AP installations.

IEEE 802.1x Port-based Security to Prevent APs


Cisco switches support an IEEE standard called 802.1x which provides port-based security. With 802.1x
enabled on switches and APs at the edge of the network, no device can be connected unless the device
is able to 802.1x authenticate to a RADIUS server behind the switch.


Figure 9-4 Preventing Rogue APs with 802.1x Port-based Security (802.1x is pushed to the WLAN edge and disabled only on the authorized AP switch ports; the figure contrasts a rogue access point with an authorized access point)

How IEEE 802.1x Port Based Security Works


The IEEE 802.1x standard allows the implementation of port-based network access control to a network
device. The mechanism relies on the 802.1x link-layer protocol to transport EAP messages to the
authenticator device. In this case a Cisco Catalyst switch is used, which in turn relays the received EAP
information to a CiscoSecure Access Control Server using the RADIUS protocol.
The Network Access Control and Policy Enforcement solution from Cisco provides the network with the
following services and abilities:

User and/or device authentication.

Granting or denying network access at an individual port level, based on configured authorization
policy.

Enforcing additional applicable policies, such as resource access and quality of service, on any
access granted.

These abilities are introduced when a Cisco end-to-end solution is implemented with the following
features and technologies:

Cisco Catalyst 4000 or 6000 family switches

Cisco Catalyst 2950 or 3550 switches

CiscoSecure Access Control Server (ACS) for Windows v3.1

An 802.1x compliant client operating system, such as Microsoft Windows XP, Windows 2000, or
Windows 98 (see below for details)

Optionally, for strong authentication, an X.509 Public Key Infrastructure (PKI) certificate
architecture

By configuring 802.1x compliant client software with a PKI certificate, or username and password, the
Cisco Catalyst family switches running 802.1x features authenticate the requesting user or system in
conjunction with a back-end CiscoSecure ACS server. Figure 9-5 illustrates these concepts.


Figure 9-5 802.1x Operation (steps shown: 1 Login Request; 2 Login Info; the switch checks with the policy DB via the ACS server; 4 "This is John Doe!"; 5 "Login good! Allow access"; 6 Switch enables port. The user John Doe is allowed access.)

User or device credentials and reference information are processed by the CiscoSecure ACS server.
CiscoSecure ACS is able to reference user or device policy profile information either internally, using
the integrated user database, or from external database sources such as Microsoft Active Directory,
LDAP, Novell NDS, or Oracle databases. This allows for the integration of the solution into existing user
management structures and schemes, thereby simplifying overall management.
Table 9-3 summarizes the 802.1x authentication types supported and available on Cisco switches and APs.

Table 9-3 Supported/Available 802.1x Authentication Types (Cisco Switches and APs)

Wireless ports: EAP-Cisco; Protected EAP; EAP-TLS

Wired ports: Protected EAP; EAP-TLS; EAP-MD5 (not suitable for wireless due to lack of
mutual authentication support)

802.1x Client Support


The 802.1x client device requires a stack that supports 802.1x. This client code is called an 802.1x
supplicant. The following are current 802.1x supplicants:

Microsoft Windows XP Professional (Integrated)

Microsoft Windows 2000 and 2000 Server, NT4.0, ME, 98 and 98SE (Microsoft add-on)
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;313664

Linux (Open Source add-on)

Sun Solaris (Open Source add-on)

EAP-Cisco client (wireless only)

Funk client http://www.funk.com/

MeetingHouse Client http://www.mtghouse.com/products/client/index.shtml


Although the above client stacks allow enterprises to enable 802.1x on most PCs, there are likely to be
some network-attached devices that lack 802.1x support. Non-802.1x-capable devices include:

IP phones

Printers (Note: HP has support in wireless Jet-Direct printers and is considering support for wired printers)

WLAN APs

Enabling 802.1x Support on the Switch


By default, 802.1x is disabled on CatOS switches. In order to enable it, the following command must be
issued.
set dot1x system-auth-control enable
This enables the 802.1x authentication control feature globally.
Catalyst switches allow the configuration of various per port options with regards to 802.1x behavior.
Amongst those options are the ability to enable/disable port authentication, enable/disable periodic
re-authentication, or enable/disable 802.1x multiple host mode. The following is an example
configuration command line segment illustrating these features:
# Port Level 802.1x configuration
# Setting port-control to auto requires 802.1x login for that port.
set port dot1x 3/2 port-control auto
# Setting the port-control state to force-authorized disables login requirements.
set port dot1x 3/1,3/3-48 port-control force-authorized
# Multiple host allowance per port can be enabled with the following command.
# By default only one host is allowed per port.
set port dot1x 3/2 multiple-host enable
set port dot1x 3/1,3/3-48 multiple-host disable
# Periodic re-authentication may be enabled for added security.
# By default re-authentication is disabled.
set port dot1x 3/2 re-authentication enable
set port dot1x 3/1,3/3-48 re-authentication disable

Using Catalyst Switch Filters to Limit MAC Addresses per Port


The set port security command allows an administrator to restrict the number of MAC addresses that
can be associated with a switch port, and the action to take if more than that number of MACs are seen
(shutdown or deny additional).

Note

This command is not necessary if 802.1x is used to provide port-based security as 802.1x limits the
number of MAC addresses per-port by default.
With this command, it is possible to limit the number of MAC addresses to one (for user PC) or two (for
user IP phone and PC). With this command enabled, it might be possible to connect a rogue AP to the
network (instead of a phone or a PC), but it would not be possible to use the AP.


Configuring Catalyst Switch Filters to Limit MAC Addresses per Port


If you enter the set port security enable command but do not specify a MAC address, the first MAC
address seen on the port becomes the secure MAC address.
If you enter the set port security enable maximum num_of_mac command, you can specify the number
of MAC addresses to secure on a port.

Limitations of Using Catalyst Switch Filters to Limit MAC Addresses per Port
In an IP phone environment, two MAC addresses are needed per port: one for the phone and
one for the user PC. If a rogue AP were plugged into an unused port on such a network, one wireless client
could associate to it without being blocked by the port filter.
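The per-port MAC limiting described above, modelled as an added Python illustration (this is not Cisco code and does not parse CatOS output): a port holds a maximum number of secure MAC addresses and applies a violation action of shutdown or deny-additional (called restrict here) when one more address appears. The scenario assumes that the rogue AP's own management traffic takes the first secure slot; that assumption, the port numbers and all MAC addresses are constructed.

```python
"""Model of per-port MAC address limiting (set port security) and its
effect on a rogue AP.  Added illustration; not Cisco code.  Port numbers
and MAC addresses are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One switch port with a maximum number of secure MAC addresses."""
    name: str
    maximum: int                 # 1 for a PC-only port, 2 for IP phone + PC
    action: str = "shutdown"     # "shutdown" or "restrict" (deny additional MACs)
    secure_macs: list = field(default_factory=list)
    shut_down: bool = False

    def frame_from(self, mac: str) -> str:
        """Return 'forward', 'drop' or 'shutdown' for a frame sourced by mac."""
        mac = mac.lower()
        if self.shut_down:
            return "drop"
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # the first MACs seen on the port become its secure addresses
            self.secure_macs.append(mac)
            return "forward"
        # violation: one more MAC than the port allows
        if self.action == "shutdown":
            self.shut_down = True
            return "shutdown"
        return "drop"


def rogue_ap_scenario(maximum: int, action: str = "restrict") -> dict:
    """Simulate a rogue AP on a port limited to `maximum` MAC addresses.

    Constructed assumption: the AP's own management traffic takes the first
    secure slot, then two wireless clients behind it try to reach the wire."""
    port = SecurePort("3/7", maximum, action)
    ap_mac = "0040.96aa.bbcc"        # Aironet OUI from Table 9-7, constructed host part
    clients = ["0002.b311.2233", "0002.b344.5566"]   # constructed client MACs
    results = {"ap": port.frame_from(ap_mac)}
    for i, mac in enumerate(clients, 1):
        results[f"client{i}"] = port.frame_from(mac)
    results["wireless_clients_forwarded"] = sum(
        1 for k, v in results.items() if k.startswith("client") and v == "forward")
    return results


if __name__ == "__main__":
    for limit in (1, 2):
        print(f"maximum={limit}: {rogue_ap_scenario(limit)}")
```

With a maximum of one address the AP's own traffic consumes the slot and no wireless client gets through; with the two-address phone-plus-PC setting one wireless client is forwarded, which is the limitation the section describes.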

Detecting Rogue APs


In addition to the rogue AP prevention mechanisms mentioned in the Preventing Rogue APs section on
page 9-7, a combination of the following rogue AP detection methods should also be used by the IT
security administrator:

Detecting Rogue APs Wirelessly, page 9-12

Other Wireless Analyzers, page 9-13

Detecting Rogue AP from the Wired Network, page 9-15

Detecting Rogue APs Physically, page 9-19

Figure 9-6 summarizes these detection options.


Figure 9-6 Detecting Rogue APs (detection methods shown: regular scripted audits from the wired network across Layer 3 Subnet A and Subnet B; active wireless audit; physical observation)


Detecting Rogue APs Wirelessly


Detecting rogue APs wirelessly is the process of using WLAN hardware and software to detect rogue
APs. Table 9-4 summarizes the advantages and disadvantages of wireless detection of rogue APs.

Table 9-4 Advantages and Disadvantages of Wireless Detection of Rogue APs

Wireless Detection Advantages:

Often picks up APs that the other rogue AP detection methods miss.

Very effective at detecting APs installed by the Frustrated Insider class of installer (default
security options/broadcast SSID).

Wireless Detection Caveats:

You must be within range of an AP to be able to detect it. Requires labor-intensive walking around
with an analyzer.

Many tools do not see APs that do not broadcast their SSID.

Cannot easily survey remote sites.

WLAN AP signals are often difficult to pick up due to building materials blocking 802.11 signals.

Using Boingo for AP Detection


Boingo is a free client utility that can be downloaded from http://www.boingo.com/. The Boingo client
is intended to sniff for WLAN hotspots and provides an easy way for users to connect to hotspots that
are part of the Boingo network.
The Boingo client detects most WLAN networks and displays their presence, even if they are not part of
the Boingo network. This makes Boingo an ideal tool for very lightweight rogue AP detection.
Boingo needs to be able to see the WLAN SSID in order to be able to display it. Boingo can detect the
SSID in one of two ways:

The WLAN is broadcasting its SSID: The Frustrated Insider class of user is responsible for the vast
majority of rogue AP installs, and this type of user is unlikely to have the sophistication or intent to
turn broadcast SSID off.

The WLAN is not broadcasting its SSID: For Boingo to be able to detect a non-broadcast SSID, the
WLAN must be active enough for the Boingo client to observe a probe-request/probe-response
sequence. The WLAN SSID is always visible in this sequence of frames. This sequence of frames
does not happen very often and is unlikely to be detected during a one-time audit of an area with a
lightly loaded rogue AP.

Installing Boingo
The Boingo download is about 10 Mbytes. The install is quick and simple and does not normally require
the PC to be rebooted.
Once installed, Boingo starts automatically when Windows is started. Boingo has some impact on
normal WLAN operation because it briefly stops transmitting WLAN frames in order to scan all 802.11
channels for WLAN networks. After installation, users might wish to prevent Boingo from auto-starting
with Windows by removing it from the Start>Programs>Startup folder. Boingo can then be started
manually, as required.


Using Boingo
When Boingo is running, it is visible as a white letter B icon on the task bar. Double-clicking this icon
launches the Boingo application, where all visible 802.11 WLAN networks are displayed. A sample
Boingo screen is shown in Figure 9-7.
Figure 9-7

Sample Boingo Screen

Other Wireless Analyzers


There are many other WLAN analyzers available, which are to various degrees capable of detecting
rogue APs. Table 9-5 outlines several wireless analyzers.

Table 9-5 Summary of Wireless Analyzers

Wireless Analyzer: Web Location, Description and Comments

Airmagnet
www.airmagnet.com
A full-featured WLAN site-survey tool running on a Compaq iPaq. A commercial product.

Netstumbler
www.netstumbler.org/
Free software that can be downloaded from the Internet. Detects WLAN APs and displays
information about them. Very popular and well known.

Sniffer
www.sniffer.com
Professional wireless analyzer. It can be used to help look for rogue APs by defining filters to
look for beacons but exclude authorized SSIDs, and by defining filters to look for the MAC OUIs
of known AP vendors.

Wildpackets
www.wildpackets.com/products/airopeek
Professional wireless analyzer. It can be used to help look for rogue APs by defining filters to
look for beacons but exclude authorized SSIDs, and by defining filters to look for the MAC OUIs
of known AP vendors.

Observer
www.networkinstruments.com/
It can be used to help look for rogue APs by defining filters to look for beacons but exclude
authorized SSIDs, and by defining filters to look for the MAC OUIs of known AP vendors.

Finisar Surveyor
www.gofinisar.com/products/protocol/wireless/surveyor_w.html
It can be used to help look for rogue APs by defining filters to look for beacons but exclude
authorized SSIDs, and by defining filters to look for the MAC OUIs of known AP vendors.

Wellenreiter
www.remote-exploit.org/
Similar to Netstumbler. Detects WLAN APs and displays information about them. Less popular or
well known than Netstumbler.

Kismet
www.kismetwireless.net/
Open source wireless sniffer. It can be used to help look for rogue APs by defining filters to look
for beacons but exclude authorized SSIDs.

dachb0den
www.dachb0den.com/projects/bsd-airtools.html
Seems to be a combination of Netstumbler and Airsnort functionality. Not very well known.

Hornet
www.bvsystems.com/Products/WLAN/Hornet/hornet.htm
Dedicated hardware that looks for a list of AP MAC addresses configured and downloaded from
a PC.

IBM Distributed Wireless Security Auditor
www.research.ibm.com/gsal/dwsa/
Prototype only; not for sale. Uses client software on enterprise NICs to detect and report on all
detected APs and their security system. A back-end system compares the list of detected APs with
a list of authorized APs and alerts on unknown APs.

IBM TP General: IBM Access Connections for Windows 2000/XP
www.pc.ibm.com/qtechinfo/MIGR-4ZLNJB.html
Access Connections is a connectivity assistant program for your ThinkPad computer. It enables
you to quickly switch the network settings and Internet settings by selecting a location profile.
You can define the network settings and Internet settings in the Location Profile for
modem/wired LAN/Wireless LAN network devices and then restore that profile whenever you
need it. By switching the location profile, you can connect to the network instantly without
reconfiguring your settings when you move from office to home or on the road.

Once a WLAN analyzer has detected a suspected rogue AP, a directional antenna on the analyzer is a very
useful aid in locating the AP.
A host of WLAN tools is maintained on the NetworkIntrusion link pointed to in the Links and
References section on page 1-8.
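The beacon filter that the analyzers in Table 9-5 apply, together with the non-broadcast SSID caveat from the Boingo section, as an added Python illustration (this is not code from any of the listed products): captured frames are reduced to (type, BSSID, SSID) records, SSIDs are checked against an allowlist of authorized SSIDs, and an AP whose beacons carry an empty SSID stays unresolved until a probe response reveals the name. The allowlist, the BSSIDs (constructed host parts under OUIs taken from Table 9-7) and the frame records are all constructed.

```python
"""Beacon/probe-response filtering for rogue AP detection.  Added
illustration, not code from any product in Table 9-5.  The frame records,
BSSIDs and the authorized SSID list are constructed."""
from collections import defaultdict

AUTHORIZED_SSIDS = {"corp-wlan", "corp-voice"}   # constructed allowlist

# Constructed captures as (frame type, BSSID, SSID field).  An empty SSID in
# a beacon means the AP is not broadcasting its SSID; the SSID is still
# carried in the probe response the AP sends to a probing client.
FRAMES = [
    ("beacon", "0040.9611.1111", "corp-wlan"),
    ("beacon", "0003.2f22.2222", "linksys"),        # default SSID, broadcast
    ("beacon", "0050.da33.3333", ""),               # hidden SSID, never resolved
    ("beacon", "0002.2d44.4444", ""),               # hidden SSID ...
    ("probe_response", "0002.2d44.4444", "home"),   # ... revealed by a probe response
    ("beacon", "0040.9655.5555", "corp-voice"),
]


def classify_bssids(frames, authorized=AUTHORIZED_SSIDS):
    """Return {bssid: 'authorized' | 'rogue' | 'hidden_unresolved'}.

    'rogue' means the AP's SSID is known and is not on the allowlist.  An AP
    that only ever sent beacons with an empty SSID cannot be classified from
    this capture alone: that is the one-time audit caveat from the text."""
    ssid_by_bssid = defaultdict(str)
    for ftype, bssid, ssid in frames:
        if ftype not in ("beacon", "probe_response"):
            continue
        if ssid:                      # a non-empty SSID from either frame type resolves the AP
            ssid_by_bssid[bssid] = ssid
        else:
            ssid_by_bssid.setdefault(bssid, "")
    verdict = {}
    for bssid, ssid in ssid_by_bssid.items():
        if not ssid:
            verdict[bssid] = "hidden_unresolved"
        elif ssid in authorized:
            verdict[bssid] = "authorized"
        else:
            verdict[bssid] = "rogue"
    return verdict


def rogue_report(frames=FRAMES):
    """Summarize the verdicts as the lists an auditor would act on."""
    verdict = classify_bssids(frames)
    return {
        "rogue": sorted(b for b, v in verdict.items() if v == "rogue"),
        "needs_followup": sorted(b for b, v in verdict.items() if v == "hidden_unresolved"),
        "authorized": sorted(b for b, v in verdict.items() if v == "authorized"),
    }


if __name__ == "__main__":
    for key, bssids in rogue_report().items():
        print(f"{key}: {', '.join(bssids) or '-'}")
```

The needs_followup list is the point of the exercise: a hidden-SSID AP that was not active while the analyzer was listening shows up only as an unclassified BSSID, so a repeat visit or a longer capture is needed before it can be cleared or reported.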

Detecting Rogue AP from the Wired Network


A combination of the following rogue AP detection methods should be used by IT security
administrators:

Using MAC Addresses to Detect Rogue AP, page 9-16

Using Operating System Fingerprinting to Detect Rogue APs, page 9-17

Using SNMP to Detect Rogue APs, page 9-18

Using Cisco Emergency Responder to Locate AP-based on MAC Address, page 9-18

Using Intrusion Detection to Detect Rogue APs, page 9-18

A large number of software tools are available to aid in detecting rogue APs from a wired management
station on the Ethernet portion of the network.
Table 9-6 summarizes the advantages and disadvantages of wired detection of rogue APs.

Table 9-6 Advantages and Disadvantages of Wired Rogue AP Detection

Advantages:

Easier to monitor networks on a more real-time basis.

Automated; less manpower intensive.

Easier to survey remote sites.

Disadvantages:

Can miss some rogue APs.

Most of the software is immature and/or not specifically written to detect rogue APs.

May create false positives on intrusion detection systems and personal firewalls.


Using MAC Addresses to Detect Rogue AP


Some tools rely on detecting rogue APs by looking for known MAC addresses, or by cataloging all
authorized MAC addresses in the network and looking for new ones.
The latter approach has the advantage of alerting IT administrators when an unauthorized non-AP device
(such as an unauthorized laptop) is connected to the network, but it also leads to more
false positives.
Known AP MAC Addresses

Table 9-7 provides a partial list of MAC OUIs used by AP vendors. This table was obtained from the
aptools site at aptools.sourceforge.net.
Table 9-7 Partial Listing of MAC OUIs

Manufacturer: MAC Address Range

3Com: 0001.03 | 0004.76 | 0050.da | 0800.02
Addtron: 0040.33 | 0090.d1
Advanced Multimedia Internet: 0050.18
Apple: 0030.65
Aironet: 0040.96
Atmel: 0004.25
Bay Networks: 0020.d8
BreezeNet: 0010.e7
Cabletron (Enterasys): 0001.f4 | 00e0.63
Camtec: 0000.ff
Compaq: 0050.8b
D-Link: 0005.5d | 0040.05 | 0090.4b
Delta Networks: 0030.ab
Intel: 0002.b3
Linksys: 0003.2f | 0004.5a
Lucent: 0002.2d | 0060.1d | 0202.2d
Nokia: 00e0.03
Samsung: 0000.f0 | 0002.78
Senao Intl: 0002.6f
SMC: 00e0.29 | 0090.d1
SOHOware: 0080.c6
Sony: 0800.46
Symbol: 00a0.f8 | 00a0.0f
Z-Com: 0060.b3
Zoom: 0040.36


Known MAC Addresses Monitoring Tools

Table 9-8 presents a summary of monitoring tools for APs based on known MAC addresses.

Table 9-8 Summary of Monitoring Tools for APs Based on Known MAC Addresses

Monitoring Tool: Web Location, Description and Comments

APTools
aptools.sourceforge.net
aptools.sourceforge.net/wireless.ppt
Can discover APs based on MAC address, then determine whether the device is an AP (not a
wireless NIC) via HTTP. Can also check security settings (WEP) and SNMP settings via HTML.

arpwatch
www-nrg.ee.lbl.gov
Arpwatch is a tool that monitors Ethernet activity and keeps a database of Ethernet/IP address
pairings. It also reports certain changes via email.
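Both wired-side approaches from this section in one added Python illustration (not code from APTools or arpwatch): entries of a switch MAC address table are first checked against a catalog of authorized MAC addresses, and anything not in the catalog is then matched against a subset of the AP vendor OUIs in Table 9-7 to rank the finding. The MAC table format is a simplified (vlan, mac, port) list rather than real switch output, and the table contents, the catalog and the host parts of the addresses are constructed.

```python
"""Wired-side rogue AP detection from a switch MAC address table: catalog
comparison plus OUI matching against Table 9-7.  Added illustration, not
code from APTools or arpwatch.  MAC table and catalog are constructed."""

# Subset of Table 9-7, in Cisco dotted notation (first 24 bits).
AP_VENDOR_OUIS = {
    "0001.03": "3Com", "0004.76": "3Com", "0050.da": "3Com", "0800.02": "3Com",
    "0040.96": "Aironet", "0002.b3": "Intel", "0003.2f": "Linksys", "0004.5a": "Linksys",
    "0002.2d": "Lucent", "0060.1d": "Lucent", "00a0.f8": "Symbol", "00e0.29": "SMC",
}

# Constructed MAC table as (vlan, mac, port) tuples; a simplified format,
# not CatOS output.
MAC_TABLE = [
    ("10", "0002.b3aa.0001", "3/1"),    # Intel NIC in an authorized laptop
    ("10", "0040.9600.1234", "3/5"),    # authorized AP (in the catalog)
    ("10", "0003.2f11.2222", "3/9"),    # Linksys OUI, not cataloged
    ("10", "00d0.5900.abcd", "3/12"),   # OUI not in the vendor list, not cataloged
    ("20", "0002.b3bb.0002", "3/14"),   # Intel NIC, not cataloged
]

AUTHORIZED_MACS = {"0002.b3aa.0001", "0040.9600.1234"}   # constructed catalog


def normalize(mac: str) -> str:
    """Canonical lowercase xxxx.xxxx.xxxx form from dotted, colon or hyphen input."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def oui_of(mac: str) -> str:
    """First 24 bits in the 'xxxx.xx' form used by Table 9-7."""
    return normalize(mac)[:7]


def scan_mac_table(table=MAC_TABLE, catalog=AUTHORIZED_MACS, vendors=AP_VENDOR_OUIS):
    """Return one finding per MAC address that is not in the catalog.

    severity 'ap_vendor': OUI belongs to a vendor in the AP list
    severity 'new_mac':   OUI not in the AP list (unauthorized device of some kind)
    Cataloged addresses are never reported, so authorized APs stay quiet."""
    findings = []
    known = {normalize(m) for m in catalog}
    for vlan, mac, port in table:
        mac = normalize(mac)
        if mac in known:
            continue
        vendor = vendors.get(oui_of(mac))
        findings.append({
            "vlan": vlan, "port": port, "mac": mac, "vendor": vendor,
            "severity": "ap_vendor" if vendor else "new_mac",
        })
    return findings


if __name__ == "__main__":
    for f in scan_mac_table():
        print(f"{f['severity']:10} vlan {f['vlan']} port {f['port']} {f['mac']} {f['vendor'] or ''}")
```

The uncataloged Intel NIC on port 3/14 is reported as ap_vendor because Intel's OUI appears in Table 9-7 even though Intel also makes ordinary NICs; that is the false-positive trade-off the text describes, and a port-level follow-up (or the HTTP check APTools performs) is still needed before treating the finding as a rogue AP.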

Using Operating System Fingerprinting to Detect Rogue APs


Operating system (OS) fingerprinting tools are typically used by hackers to learn more about a host
behind an IP address. This knowledge is usually desired so that the hacker is better able to launch attacks
at any known or identified weak spots for that host OS.
OS fingerprinting works by observing particular characteristics of individual OSs such as the way they
respond to TCP packets with obscure TCP flags and options enabled.
OS fingerprinting tools are capable of correctly identifying some APs, but have not been tested for this
publication. Table 9-9 lists known OS fingerprinting tools.


Table 9-9 Summary of Known OS Fingerprinting Tools

OS Fingerprinting Tool: Web Location, Description and Comments

NMAP
www.insecure.org/nmap/index.html
www.insecure.org/nmap/nmap-fingerprinting-article.html
Very well known, popular and respected tool. Unproven as a rogue AP detection tool, but may be
useful in conjunction with other rogue AP detection techniques. Generates alerts in intrusion
detection and personal firewall systems.

xprobe
www.sys-security.com/html/projects/X.html
Xprobe 1 combines various remote active operating system fingerprinting methods using the ICMP
protocol, which were discovered during the ICMP Usage in Scanning research project, into a simple,
fast, efficient and powerful way to detect the underlying OS of a targeted host. Xprobe2 is an active
operating system fingerprinting tool with a different approach to operating system fingerprinting;
it relies on fuzzy signature matching, probabilistic guesses, multiple simultaneous matches, and a
signature database. Unproven as a rogue AP detection tool, but may be useful in conjunction with
other rogue AP detection techniques. Generates alerts in intrusion detection and personal firewall
systems.

Using SNMP to Detect Rogue APs


SNMP is not thought to be a very effective way to detect rogue APs. Most rogue APs probably would
not have SNMP enabled. Even if they did, SNMP community strings would probably be unknown.
If an SNMP tool is required for rogue AP detection, CiscoWorks for Windows would be a suitable tool.
Refer to the following URL for more information:
http://www.cisco.com/en/US/products/sw/cscowork/ps2406/index.html

Using Cisco Emergency Responder to Locate AP-based on MAC Address


Cisco Emergency Responder provides a system for tracking and maintaining the exact location of every
Ethernet switch port termination.
The location information available from the Cisco Emergency Responder can be useful in quickly
locating and apprehending people connecting unauthorized equipment such as rogue APs into an
Enterprise Network.
More information on the Cisco Emergency Responder is available at the following URL:
http://www.cisco.com/en/US/products/sw/voicesw/ps842/index.html

Using Intrusion Detection to Detect Rogue APs


Cisco has an extensive line of network intrusion detection equipment. At this time, Cisco does not have
intrusion detection equipment capable of detecting the presence of rogue APs.
Intrusion detection equipment is still necessary to detect any suspicious activity that might result from
unauthorized use of a rogue AP.


More information on Cisco Intrusion Detection is available at the following URL:
http://www.cisco.com/en/US/products/sw/secursw/ps2113/index.html

Detecting Rogue APs Physically


IT security personnel can also detect unauthorized WLAN activity by physically observing the work
environment. IT security personnel should be alert for the following:

Unauthorized WLAN APs in visible locations.

Employees using WLAN access in locations where WLAN access should not be available.

Warchalk symbols denoting WLAN availability. See http://www.warchalking.org/ for more
information.


Chapter 10

WLAN Guest Network Access


This chapter presents the advantages, risks, and proposed configuration for a WLAN Guest Network
access and addresses the following key topics:

Reasons for providing Guest Network access

WLAN as one of the best mechanisms for providing Guest Network access

Caveats to consider in a WLAN Guest Network implementation

Example configurations for Cisco AP350s and AP1100s

The need for guest access has evolved as the needs of guests have evolved. Once it was sufficient to
provide guests a chair and a phone; now, in the age of laptops, networked applications, and digital phone
lines, the guest is disconnected while visiting your enterprise.
Guest Networks are network connections provided by an enterprise to allow their guests to gain access to
the Internet, and to the guests' own enterprise, without compromising the security of the host enterprise.
Figure 10-1 illustrates the Guest Access Network concept. Guests are within the Enterprise Network,
but are only able to access the Internet; enterprise employees have full access to the enterprise
applications and the Internet.
This chapter addresses Guest Access WLANs in the following sections:

Benefits of Guest Network Access, page 10-3

Deployment Considerations and Caveats, page 10-4

Guest WLAN Recommendations, page 10-5

Configuring Guest WLANs, page 10-7


Figure 10-1 Guest Access Network (the enterprise AP uses WLAN VLANs to provide both enterprise and guest WLANs; the fixed network provides a wired guest network back to the Internet; guests inside the Enterprise Network reach only the Internet, while employees reach the enterprise applications and the Internet)


Benefits of Guest Network Access


At first blush the lack of network access for guests may not seem to be an issue, but we need to remember
that the guest is there because we want them there. The guest may be a business partner, a technician, or
salesperson that has been brought to the enterprise to perform a task, and without Guest Network access
their performance is degraded. As businesses become more networked, with outsourcing of non-core
activities, this degradation increases if the network access is not provided.
The primary benefits of Guest Network access are presented in the following discussions:

Increased Security, page 10-3

Increased Productivity, page 10-3

Benefits of WLAN Guest Network Access, page 10-3

Increased Security
It may appear counter-intuitive that Guest Network access increases security, but the reality is that Guest
Network access occurs in Enterprise Networks now, but in an uncontrolled manner. These guests are not
hackers; they are simply highly motivated people trying to get their job done. The main concern with
these guests is that they are a potential source of viruses, worms, and Trojans. The PC with which they
connect to the Enterprise Network might not have the security systems that exist on the local enterprise
PCs.
Guest Network access provides guests of this type with a way to connect to an Enterprise Network in
order to be more productive, while limiting the risk to the host organization. Why risk violating policy
and risk the relationship with the host when there is a credible solution?

Increased Productivity
The guest of an enterprise is there for a reason: the enterprise wants them to perform a task.
The more efficiently this task is performed, the better it is for both enterprises. If a service technician is
visiting the enterprise, it is in the enterprise's interest for that service/repair to happen within the
minimum amount of time and with the least amount of disruption.
If a salesperson is visiting the enterprise, it is in the enterprise's interest that the presentation be accurate
and up-to-date. By having immediate access to information, the salesperson is able to position products
appropriately and answer as many questions as possible while at the enterprise. This immediate
responsiveness could potentially lead to orders being placed while on-site.

Benefits of WLAN Guest Network Access


WLAN technology can provide Guest Network access because of the following characteristics:

Provides wide coverage, including areas such as lobby and waiting rooms that may not traditionally
have cabling

Removes the need to have a dedicated location for guest access

Allows partners to access their network resources while in meeting rooms, offices, giving them the
productivity benefits that WLAN gives the enterprise employees.


Deployment Considerations and Caveats


The greater range of WLANs that is an advantage in deploying Guest Networks also introduces issues:

User Authentication: People who are not guests may access the Guest Network through their
physical proximity to the WLAN Guest Network. This is not an issue in a wired network, as the
guest has to be brought past the physical security. This means that the WLAN Guest Network
requires user authentication, authorization and accounting above that required for the wired
network.

Authentication Options: There are currently two models for authenticating guests:

The use of a web interface such as Cisco Building Broadband Service Manager (BBSM) or
Cisco IOS Authentication Proxy.

The use of a specialized client such as 802.1x/EAP clients or IPSec clients.

Web Authentication: Web interface authentication relies on the ubiquity of HTML browsers. Prior
to using the Guest Network, users must launch their HTML browser and try to access a web site.
The user's HTML browser is forced to an authentication page, and the user must enter their
authentication details before access is granted. HTML browser authentication does not generate
dynamic per-session encryption keys and, in order to make the WLAN easy to use and easy to
support, no static encryption is used on the WLAN link. This means that authenticated users are
only distinguishable from unauthenticated users through their IP addresses and MAC addresses (if
on the same Layer-2 network). As the IP address and MAC address are sent in clear text, they are
open to exploitation through IP address and MAC address spoofing.

The BBSM is specifically designed for guest access applications and, apart from providing a
sophisticated HTML-controlled user interface, it provides MAC-level authentication if the client is
on the same Layer-2 network as the BBSM, and uses switch and AP management interfaces to
control where and when a client can use the network.

Cisco IOS Authentication Proxy: Included in the Cisco IOS firewall feature set; provides a simple
HTML interface; and controls access based upon a client's IP address.

Specialized Clients: Ideally guests should use 802.1x/EAP to authenticate to the Enterprise
Network and generate a dynamic encryption key for their wireless session. This would be the
preferred solution as it provides authentication, authorization and privacy. Given that different
enterprises are at different stages in their 802.1x/EAP maturity, guests cannot (yet) be expected to
have compatible 802.1x/EAP clients on their PCs.

IPSec VPN Clients: Another client that offers strong authentication, authorization and privacy and
could potentially be used as a Guest Network access client. The major barrier in this case would be
the installation of an appropriate client on guest machines, and the interaction of two IPSec VPN
clients: one client providing guest access and the other client providing secured access across the
Internet to the guest's home network.

Time of Day Control: Just as physical security can control who has access to the wired network, it
can also control who is present at a particular time of day. As a WLAN cannot rely upon physical
security to control users, it cannot stop users from accessing the network outside of permitted hours.
This means that the WLAN Guest Network must provide time-of-day control over when the service
is made available.

Additional Security: Given the weaknesses described above, the WLAN Guest Network could not be
considered as secure as the wired network and might require additional policies, processes,
configuration, and equipment to ensure that an attack on the Enterprise Network through the WLAN
Guest Network is not successful.


Wired Network: The WLAN Guest Network is simply a WLAN VLAN configuration; the wired
network contains the key components that control the Guest Network. Guests get authenticated
access to the Internet, while ensuring that guests are not able to access the host enterprise's systems.
There are three primary configurations in the wired network:

- VLAN controlled access, where the wired Guest VLAN is extended all the way to the
authentication device and the Internet.

- ACL controlled access, where guest traffic shares the same Layer-3 network as enterprise traffic
to get to the Internet, but is prevented from accessing the Enterprise Network through the use of
ACLs.

- Routing table separation, where Guest Network traffic uses separate routing tables on
the Enterprise Network to prevent access to the Enterprise Network.

The choice of which wired-network configuration is best depends on the existing Enterprise
Network. The configuration of the wired Enterprise Network to provide Guest Network access and
the transport of Guest Network traffic is discussed in Chapter 5, Wireless LAN VLANs.

Other Considerations from the Wired Network: Even though the WLAN Guest Network is primarily a
WLAN extension of a wired Guest Network, the lack of control of physical access and the possible
spoofing of legitimate users to gain access heighten the security risk associated with Guest Networks.
Therefore additional tools, such as Intrusion Detection Systems (IDS), should be considered to
detect suspicious behavior.

Guest WLAN Recommendations


The following actions are key Guest WLAN setup recommendations:

1. Create a Guest WLAN VLAN with no encryption, open authentication, and a broadcast SSID.

2. Choose a Wired Guest Network model that best fits your Enterprise Network.

3. Choose an HTML authentication service that best fits your needs and topology.

4. Add application filters, time of day controls and IDS as required.

Key Guest WLAN recommendation considerations follow:

- Recommended 802.11 Configuration for WLAN Guest Network, page 10-5

- VLANs and WLAN Implementation, page 10-6

Recommended 802.11 Configuration for WLAN Guest Network


The biggest challenge in WLAN Guest Network access is to support the widest number of possible
guests without having to provide IT support for the guests. It is recommended that WLAN Guest
Network access use:

- A Broadcast SSID: Some WLAN clients only operate with a broadcast SSID.

- Open Authentication: The default configuration.

- No Encryption: The entry and format of the WEP key varies from client to client, users can easily
enter the WEP key incorrectly, and the WEP key would quickly become compromised as it is being
distributed in an uncontrolled manner.

This allows the Guest Access WLAN to adopt the minimum configuration while serving the widest range
of WLAN clients. It also matches the configuration most used in WLAN hotspots today.


Figure 10-2 shows the Aironet Client Utility (ACU) configuration that would be used to gain access to
the Guest Network. The key features of this setup are as follows:

- The SSID is configured to match the SSID that is broadcast by the enterprise WLAN Guest
Network; a blank entry would also suffice if the AP is configured as recommended in this document.

- Network Security Type is none; this is Open Authentication.

- No WEP is selected.

Figure 10-2 ACU Configuration

VLANs and WLAN Implementation


It is assumed that enterprise employees as well as guests are using the WLAN. This means that a WLAN
VLAN must be configured on the APs to allow efficient use of the WLAN infrastructure, and wired
VLANs are used on the wired network access layer to separate Guest Network traffic from enterprise
employee network traffic.

Configuring Guest WLANs


This section presents the following discussions addressing Guest WLAN configuration:

- Network Topology, page 10-7

- AP and Switch Configuration, page 10-8

- AP 1200 Configuration, page 10-11

- AP 1100 Configuration, page 10-14

Network Topology
Figure 10-1 on page 10-2 shows a general schematic illustrating how Guest Network traffic is tunneled
across the Enterprise Network. This tunnel can be achieved via multiple technologies depending on the
Enterprise Network architecture and requirements.
Figure 10-3 shows a schematic of three different tunnel possibilities:

- VLAN Separation: The Guest VLAN is extended all the way to the DMZ.

- ACL Separation: The Guest VLAN is terminated at an access router; ACLs are used to ensure that
Guest Network traffic is unable to reach enterprise addresses.

- Routing Table Separation: The Guest VLAN terminates at the access router and separate routing
tables ensure that Guest Network traffic can go nowhere but the DMZ.

In each of the tunneling possibilities Guest Network users are authenticated by a BBSM before gaining
access to the DMZ. Authentication of users of the Guest Network is needed to prevent the Guest Network
being used for non-authorized purposes. The BBSM is an example of a Cisco product designed for this
purpose, but other tools such as the Cisco IOS and PIX authentication proxy may be used, and their location
in the network might be closer to the access network, such that users are authenticated at the access
router.


Figure 10-3 General Guest Network Topology (figure: three ways of tunneling guest traffic from the WLAN across the Enterprise Network to the DMZ; in every case guest traffic is authenticated before it reaches the DMZ)

- VLAN separation: the Guest VLAN is kept separate from the enterprise VLANs end to end.

- ACL separation: route maps apply a different policy to guest addresses, and ACLs block guest access to enterprise addresses.

- Routing table separation: MPLS or VRF is used to route guest traffic separately from enterprise traffic.

AP and Switch Configuration


For the purpose of this example, these configurations deal with the configuration of a Guest Network
access WLAN VLAN on an AP that also supports three other WLAN VLANs, named PEAP, IPSec and
LEAP (with the VLAN name LEAP here used to represent an EAP-Cisco implementation), that map to
VLANs on the Ethernet interface of the AP.
The configuration of PEAP, IPSec, and LEAP is not discussed in this application note; for
information on WLAN AP and client configuration refer to:
http://www.cisco.com/en/US/products/hw/wireless/ps458/prod_instructions_guides.html
Figure 10-4 shows a schematic of the example configuration used in this chapter, which has four WLAN
VLANs and five VLANs on the AP. The difference in the number of VLANs is due to the addition of a
wired-only VLAN for the administration of the AP.


Figure 10-4 Multiple VLANs including a Guest Network VLAN (figure: four WLAN VLANs (Guest, PEAP, IPSec, LEAP) mapped to five VLANs on the AP's Ethernet interface (Guest, PEAP, IPSec, LEAP, Admin))

The configuration fragment below shows an example configuration for the switch connecting the AP to
the Enterprise Network. Points to note include:

- The Admin VLAN is VLAN 825, which is the native VLAN.

- The VLANs allowed for the AP connection are limited to the mandatory VLANs (1, 1002-1005) and
the VLANs used on the AP (10, 20, 30, 40 and 85).

interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 40
switchport trunk allowed vlan 1,10,20,30,40,825,1002-1005
switchport mode trunk

As VLANs are supported on two different platforms with different user interfaces and structure, the
configuration examples are broken into two sections: the VxWorks-based AP 1200 (supported on the AP
340 as well); and the Cisco IOS-based AP 1100.

WLAN Guest VLAN Filtering


When applying network access control filters, a general rule is that these filters should be placed as close
as possible to the users whose access is being controlled.
In the case of WLAN guest networking, the closest point at which access control filters can be placed is
the WLAN VLAN on the AP.
Although the filtering that can be applied is limited by the need to support the applications accessible by
guests, there are simple filters that can be applied:

- Protocol Filters: Guests would be expected to use specific protocols, such as ARP and IP; all other
protocols on the WLAN guest VLAN can be blocked.

- Source Address: The users on the WLAN guest VLAN will have IP addresses assigned through
DHCP; as a result, network administrators can apply address filters on the AP (Cisco IOS APs only)
to permit access by specific network addresses while blocking others.

Terminology Notes
The introduction of VLANs to the APs introduces a number of new definitions such as:

- Default VLAN: This is the VLAN associated by default with an SSID; the name allows for the
RADIUS server to provide a different VLAN number based on the group membership of a user.

- Primary SSID: The AP is only capable of sending one set of information in its beacons; the
information that is sent in the beacons is that of the VLAN associated with the Primary SSID.

- Guest SSID: The AP can only have a single VLAN that accepts unencrypted traffic. The SSID
associated with this VLAN is called the Guest SSID.


- Infrastructure SSID: Infrastructure such as repeaters and workgroup bridges can be associated with
the AP on one particular VLAN. The SSID associated with this VLAN is called the Infrastructure
SSID.

- Native VLAN: 802.1q allows for one of the VLANs in the trunk to be native, thereby not requiring
802.1q encapsulation and making it possible to remain connected with the AP when trunking is
enabled on the switch before it is on the AP, or vice versa. The VLAN that is given this capability
is called the Native VLAN.
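As an added check (example code written for this chapter, not Cisco's own tooling), the following Python lints an AP VLAN/SSID plan against the rules set out above: exactly one unencrypted (guest) VLAN, the primary broadcast SSID on that VLAN with open authentication, no infrastructure SSID on it, a wired-only native/admin VLAN, and every AP VLAN permitted on the switch trunk. The data model, the VLAN-id mapping assumed for the PEAP, IPSec and LEAP VLANs, and the helper names are assumptions; the trunk list is the switch fragment quoted above.

```python
from dataclasses import dataclass

def parse_allowed_vlans(spec):
    """Expand an IOS 'switchport trunk allowed vlan' list such as
    '1,10,20,30,40,825,1002-1005' into the set of VLAN ids it permits."""
    allowed = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

@dataclass
class Vlan:                      # hypothetical model, not a Cisco API
    vid: int
    name: str
    wep: bool                    # a WEP key is set, so the radio side is encrypted
    wired_only: bool = False     # admin VLAN: carries the AP's IP interface, no SSID

@dataclass
class Ssid:
    name: str
    vlan: int
    auth: str                    # "open", "leap", "peap", ...
    primary: bool = False        # advertised in beacons (the AP 1200 "Primary SSID")
    infrastructure: bool = False # used by repeaters and workgroup bridges

def check_guest_wlan(vlans, ssids, native_vlan, trunk_allowed):
    """Return the list of rule violations; an empty list means the AP/switch
    pairing follows the guest-WLAN rules described in this chapter."""
    problems = []
    by_id = {v.vid: v for v in vlans}
    # Rule 1: the AP may have exactly one VLAN that accepts unencrypted traffic.
    unencrypted = [v for v in vlans if not v.wep and not v.wired_only]
    if len(unencrypted) != 1:
        problems.append(f"expected one unencrypted (guest) VLAN, found {len(unencrypted)}")
    guest_vid = unencrypted[0].vid if len(unencrypted) == 1 else None
    # Rule 2: the native VLAN exists on the AP and is the wired-only admin VLAN.
    if native_vlan not in by_id:
        problems.append(f"native VLAN {native_vlan} is not defined on the AP")
    elif not by_id[native_vlan].wired_only:
        problems.append(f"native VLAN {native_vlan} should be the wired-only admin VLAN")
    # Rule 3: every AP VLAN must be permitted on the switch trunk.
    for v in vlans:
        if v.vid not in trunk_allowed:
            problems.append(f"VLAN {v.vid} ({v.name}) is not allowed on the switch trunk")
    # Rule 4: exactly one primary (broadcast) SSID, and it must be the guest SSID.
    primaries = [s for s in ssids if s.primary]
    if len(primaries) != 1:
        problems.append(f"expected exactly one primary SSID, found {len(primaries)}")
    for s in ssids:
        if s.vlan not in by_id:
            problems.append(f"SSID {s.name!r} maps to undefined VLAN {s.vlan}")
            continue
        if s.vlan == native_vlan:
            problems.append(f"SSID {s.name!r} is bound to the admin/native VLAN {s.vlan}")
        if s.vlan == guest_vid:
            if s.auth != "open":
                problems.append(f"guest SSID {s.name!r} must use open authentication")
            if s.infrastructure:         # Rule 5: no infrastructure stations on the guest VLAN
                problems.append(f"infrastructure SSID {s.name!r} must not use the guest VLAN")
        elif s.primary:
            problems.append(f"primary SSID {s.name!r} should be the guest SSID, not VLAN {s.vlan}")
    return problems

# Constructed sample: the switch trunk fragment quoted in this chapter, with an
# assumed VLAN-id mapping on the AP (guest 10, PEAP 20, IPSec 30, LEAP 825, admin 40).
TRUNK_ALLOWED = parse_allowed_vlans("1,10,20,30,40,825,1002-1005")
NATIVE_VLAN = 40
VLANS = [
    Vlan(10, "Guest", wep=False),
    Vlan(20, "PEAP", wep=True),
    Vlan(30, "IPSec", wep=True),      # WEP kept only for radio-side VLAN separation
    Vlan(825, "LEAP", wep=True),
    Vlan(40, "Admin", wep=False, wired_only=True),
]
SSIDS = [
    Ssid("guest", 10, "open", primary=True),
    Ssid("peap", 20, "peap"),
    Ssid("ipsec", 30, "open"),
    Ssid("leap", 825, "leap", infrastructure=True),
]

def good_config():
    return check_guest_wlan(VLANS, SSIDS, NATIVE_VLAN, TRUNK_ALLOWED)

def bad_config():
    """Same AP, but the infrastructure SSID has been moved onto the guest VLAN and
    VLAN 825 dropped from the trunk: both mistakes are reported."""
    ssids = [Ssid("leap", 10, "open", infrastructure=True) if s.name == "leap" else s
             for s in SSIDS]
    return check_guest_wlan(VLANS, ssids, NATIVE_VLAN, TRUNK_ALLOWED - {825})

if __name__ == "__main__":
    print("good:", good_config())
    print("bad:", bad_config())
```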


AP 1200 Configuration
The key AP 1200 configuration processes are presented in the following sections:

- Configuring VLANs, page 10-11

- Configuring SSIDs, page 10-12

Configuring VLANs
The first step in configuring the AP is the creation of the VLANs. To ensure continuous communication
with the AP, care should be taken to have a Native VLAN configured before 802.1Q tagging is enabled.
Figure 10-5 shows the VLAN Setup screen; this allows individual VLANs to be created or removed, and
the Native VLAN and Unencrypted VLAN (Guest VLAN) to be set. In this example:

- VLANs are enabled by selecting 802.1Q tagging.

- The Native VLAN (VLAN 40) is the VLAN that will have the AP's IP interface.

- VLAN 10 is the unencrypted VLAN used by guests.

Figure 10-5 Creating VLANs and Assigning the Native and Guest VLANs

When the Add New button is used to create a new VLAN, the screen automatically changes to the VLAN security
screen shown in Figure 10-6. This allows the VLAN WEP configuration to be entered. In the example
shown in Figure 10-6 the Guest VLAN is being configured and there is no WEP data entered; all of the
other settings in this case have been left at their defaults.


Figure 10-6 Guest Access VLAN with Null Encryption

Configuring SSIDs
Once the VLANs have been created and configured with the appropriate WEP settings, the Service Set
Identifiers (SSIDs) can be entered and associated with the appropriate VLAN.
Figure 10-7 shows the AP Radio Service Sets screen. Four SSIDs have been entered and SSID 3 (LEAP)
has been nominated as the Infrastructure SSID. From Figure 10-7 it can be seen that SSID 1 is the
Primary SSID.
The Primary SSID is configured on the AP 1200 through the standard SSID configuration mechanism
(through the SSID configuration fields in the Express Setup screen or the AP Radio Identification
screen). The default Primary SSID, for example, is tsunami (the name guest was simply entered as an
example).

Note

The Primary SSID is the one advertised in beacons. Since a broadcast SSID is recommended for guest
use, this is the SSID that should be made primary. To ensure successful configuration this should be the
first SSID configured, because ownership of the Primary SSID cannot be transferred to another
SSID.
Figure 10-7 shows the SSID used for Infrastructure Stations. The Guest VLAN should not be used for
Infrastructure Stations, and therefore another VLAN must be chosen (VLAN 3 in this case), and
Infrastructure Stations on other VLANs disallowed.


Figure 10-7 Service Set Configuration

When an SSID is added or edited, the screen shown in Figure 10-8 appears. This allows the
authentication mechanism for the SSID and the VLAN associated to that SSID to be set. The example
shown in Figure 10-8 is the Primary SSID configuration. The important settings are:

- The SSID: In this case guest is used, but the SSID can be anything the enterprise thinks is
appropriate.

- Open Authentication is selected.


Figure 10-8 Setting the SSID Values

AP 1100 Configuration
The configuration of the AP 1100 follows a similar sequence to that of the AP 1200. Figure 10-9 shows
the creation of the different VLAN numbers for the selection of the default VLAN. To create a VLAN:

- Enter the VLAN number in the VLAN ID: text box.

- Press the Add button.

If an SSID already exists for this VLAN, an association between the two can be built by selecting that
SSID from the SSID: drop-down box before pressing Add.


Figure 10-9 Entering VLANs and Setting the Default VLAN

Once the VLANs have been created, the user must go to the WEP Key Manager and configure the
appropriate WEP settings for each VLAN.
Figure 10-10 shows the settings for the VLAN that will become the Guest Network VLAN.
Figure 10-11 shows the WEP configuration for the VLAN that will become the IPSec VLAN.

Note

Even though the IPSec VLAN does not need WEP encryption for privacy, it must be configured with
WEP to provide VLAN separation at the radio interface.
Figure 10-10 Guest Access VLAN with No Encryption


Figure 10-11 IPSec VLAN with Mandatory Encryption

Once the VLANs have been created and had their WEP properties configured, SSIDs can be created,
authentication methods set, and the SSIDs paired with the appropriate VLANs.
Figure 10-12 shows the configuration of the guest SSID with open authentication and its pairing with
VLAN 10. In the lower portion of Figure 10-12, the Guest Mode SSID and Infrastructure SSID are set.
The Guest Mode SSID determines whether the SSID will be broadcast in AP beacons, and therefore the
example SSID guest is selected.


Figure 10-12 Setting per SSID Authentication and Global SSID Properties

Figure 10-13 shows a summary page on the AP 1100 that shows a view of the different SSID and VLAN
number pairings, along with their authentication mechanisms.
Figure 10-13 SSID VLAN Summary Page


Chapter 11

Cisco AVVID Enterprise WLAN Case Study


The following Enterprise WLAN case study details an example network in the context of the following
discussions:

- Enterprise WLAN Profile, page 11-2

- Equipment Selection, page 11-5

- Security Selection, page 11-7

- Rogue AP, page 11-11

- Management, page 11-11

- Layer-2 and Layer-3 Roaming, page 11-12

- WLAN QoS Considerations, page 11-14

- IP Multicast, page 11-14

- WLAN Case Study Configuration, page 11-15

Enterprise WLAN Profile


The organization used to illustrate an example Enterprise WLAN in this case study is a global enterprise
of approximately 30 000 employees. The company has four campuses in the Americas, three in Europe,
and one in the Asia Pacific region.
In addition to the campuses there are 15 major offices (multiple floors in the one building), and 140
branch offices (single or partial floor). Table 11-1 shows the distribution of offices and employee
population.

Table 11-1 Distribution of Offices and Employees

Region | Campus (employees) | Major Office (offices x employees) | Branch Office < 20 people (offices, employees) | Grand Total
Americas | 12000, 3000, 500, 500 (Total 16000) | 2 x 110, 5 x 80 (Total 620) | 70 (Total 1400) | 18020
Europe, Middle East, and Africa | 1200, 1000, 500 (Total 2700) | 3 x 80 (Total 240) | 50 (Total 1000) | 3940
Asia Pacific | 2000, 1500 (Total 3500) | 4 x 200, 1 x 160 (Total 960) | 20 (Total 400) | 4860

The campuses and major offices have local network servers and some degree of local technical support;
branch offices are supported remotely. Almost all offices have resilient network connections.
The network is IP only, and is Quality of Service (QoS) enabled.
The current application authentication mechanism within the network is usernames and passwords, the network
operating system is Microsoft Active Directory, local access is currently controlled by physical security, and
remote access is through IPSec virtual private networks (VPNs) authenticated with one-time passwords
(OTP).
The wired network is the primary network; the WLAN is to be an overlay network in most cases. Where
the WLAN is used in manufacturing and warehouse areas it is the primary network.

Customer Requirements
The organization requires the WLAN for employee laptop computers and requires it to provide the same
application support as its wired LAN; this includes QoS and multicast support.
In addition to laptop support the organization requires:

- Support for Windows XP and Windows 2000 laptops (the majority of users) throughout the
enterprise.

- Support for Linux laptops throughout the enterprise.

- The organization plans to have 802.11 integrated into future laptop computer purchases.

- Integration with the Microsoft Active Directory infrastructure.

- Support for wireless barcode scanners at selected locations (manufacturing and warehouse).

- Support for WLAN guest access at selected locations.

- Rogue AP mitigation.

WLAN Considerations
This case study presents an example environment that addresses a variety of WLAN-specific
considerations. These are summarized in the following sections:

- WLAN Performance and Coverage, page 11-3

- RF Environment, page 11-3

- Security, page 11-4

- Rogue AP Mitigation, page 11-4

- Management, page 11-4

- Roaming, page 11-4

- QoS, page 11-4

- Multicast, page 11-4

WLAN Performance and Coverage


The organization expects reasonably high use of the WLAN as the majority of its employees are involved
in projects and work in cross functional teams. Employees might spend approximately 25 percent of their
day using the WLAN.

RF Environment
The majority of this organization's buildings are office space, but there are sections which would be
considered light industrial. The office buildings are not thought to have any extraordinary sources of RF
interference, but the light industrial areas may.
The organization is concerned about radio frequency (RF) interference from the WLANs of other
enterprises, particularly when the office is in a multi-tenant building.

Security
The organization wishes to maintain its privacy and preserve the integrity of its network, but it has no
regulatory requirement to use a specific encryption or authentication mechanism.
Ease of use is a major consideration, and integration with existing authentication mechanisms is a
requirement.

Rogue AP Mitigation
The organization found unauthorized WLAN installations within its enterprise and this is one of the
motivations for pursuing a formal WLAN installation. The organization wishes to investigate other
means of rogue AP mitigation.

Management
The organization has an existing Simple Network Management Protocol (SNMP) management system.
The WLAN management must integrate into this system, but must have tools to minimize the
management overhead of additional network devices introduced by the WLAN.

Roaming
The majority of the WLAN users are nomadic roamers. Clients will not be running Mobile IP, and there
is not a requirement to maintain sessions when roaming between floors or buildings.

QoS
The organization enabled QoS within its network and requires the WLAN to honor these QoS settings.

Multicast
A limited multicast deployment is planned.

Equipment Selection
Note

For related information, please refer to Chapter 3, WLAN Technology and Product Selection.
WLAN product selection considerations include:

- Radio Selection, page 11-5

- AP Selection, page 11-5

Radio Selection
The two current radio types available in 802.11 are 802.11a (5 GHz), and 802.11b (2.5 GHz). 802.11b
is recommended due to its wider availability and RF licensing. 802.11a will be considered in areas
subject to high levels of interference in the 802.11b frequency bands or where the density of users and
their throughput requirements exceed what can be provided by 802.11b.
The 802.11b equipment must be upgradable to 802.11g.

AP Selection
Cisco has three AP variations available:

- AP 1200: Dual mode supporting 802.11a and 802.11b, RP-TNC antenna connections; field
upgradable to 802.11g.

- AP 1100: 802.11b, field upgradable to 802.11g, Cisco IOS operating system, and fixed antenna.

- AP 350: 802.11b, available with either fixed antenna or RP-TNC antenna connections.

As the organization wants upgradability to 802.11g, the AP 350 is excluded from the AP choices.
The Cisco AP 1200 is recommended for the campus and larger offices, allowing for greater flexibility in
antenna selection that might be necessary for RF deployments in multi-story and multi-tenant buildings.
These are the locations most likely to require 802.11a in the future.
The Cisco AP 1100 is recommended for branch offices as a lower cost alternative. The branch offices
are expected to have lower throughput requirements and are less likely to require the additional channels
or different frequency bands of 802.11a.

Estimating the Number of APs


The ultimate number of APs used in the implementation depends upon the site survey results, and the
distribution of users within the enterprise.
A working number of the APs required can be determined by using an average of 15 employees per AP
in the campus and large offices (this takes into account the potentially higher usage, additional coverage
areas, and the breaking up of bulk users on a per floor basis), and one AP per branch office. The results
are shown in Table 11-2.

Table 11-2 Estimate of Number of APs by Region and by Office Type

Region | Campus (APs) | Major Office (APs) | Branch Office < 20 People (APs) | APs Total
Americas | 12000 (800), 3000 (200), 500 (34), 500 (34); subtotal 1068 | 2 x 110 (16), 5 x 80 (30); subtotal 46 | 70 (70) | 1184
Europe, Middle East, and Africa (EMEA) | 1200 (80), 1000 (67), 500 (34); subtotal 181 | 3 x 80 (18); subtotal 18 | 50 (50) | 249
Asia Pacific | 2000 (134), 1500 (100); subtotal 234 | 4 x 200 (56), 1 x 160 (11); subtotal 67 | 20 (20) | 321
AP Subtotal (all regions) | 1483 | 131 | 140 | 1754 (AP Total)

This gives an estimate of 1614 x AP 1200s and 140 AP 1100s.

Security Selection
Note

For related information, please refer to Chapter 4, WLAN Security Considerations.


The organization's QoS and multicast requirements suggest that the WLAN LAN Extension (IPSec) is
not a good choice for this WLAN, and that the organization would be better served by an 802.1x/EAP
solution. This decision is made easier by having no security restrictions that specify encryption
mechanisms that are currently available only in IPSec.
It is recommended that the organization also implement the TKIP and MIC extensions to WEP that
address all currently known attacks on WEP. This restricts the organization to Cisco Compatible
eXtensions (CCX) network interface cards (NICs), until industry standard versions of TKIP and MIC are
available through the Wireless Ethernet Compatibility Alliance (WECA) Wi-Fi Protected Access (WPA)
standard.
Whether the organization selects Cisco NICs, or those provided by a CCX vendor, it should standardize
upon only one or two NICs to minimize the testing of client drivers and firmware.
The organization has a choice of EAP/802.1x solutions:

- EAP-Cisco

- EAP/TLS

- EAP/TTLS

- PEAP

All of these options offer some degree of integration with Microsoft's directory and authentication
infrastructure, and the organization plans to use the Access Control Server (ACS) external database
group membership mapping to control which members of the Active Directory are given WLAN access.
EAP-Cisco is recommended because it supports Windows, supports 802.1x/EAP for other PC operating
systems (lacking 802.1x/EAP), and supports 802.1x/EAP for handheld devices. The case study
organization is interested in PEAP, due to its support of multiple authentication types, but is still in the
process of assessing its ongoing authentication requirements.
It is recommended that WLAN VLANs be used to separate the different client types. This allows the
partitioning of clients with different security capabilities. For example, the handheld devices might
support EAP-Cisco, but might not support Cisco's implementation of TKIP and MIC, or the handheld
might have inadequate protection for the local usernames and passwords.
The different client types are to be separated into different VLANs by membership in an Active
Directory group. The mapping of these Active Directory groups and ACS groups is shown in
Figure 11-1.
The following sections summarize several ACS implementation considerations for this case study:

- Number of ACS Servers, page 11-8

- ACS Server Placement, page 11-9

- Branch Roaming, page 11-10

Figure 11-1 ACS External User Database Group Mapping

Number of ACS Servers


Using the Americas as a region, the number of clients is expected to be 18,200. This is well within the
capacity of an ACS database; the number of clients is not a scaling factor.
Because the organization is using Cisco TKIP and MIC, reauthentication and re-keying of users is expected
to be required only once per hour. Using EAP-Cisco performance figures, the ACS can perform 60
authentications per second on its specified platform, which is 216,000 authentications per hour. This
shows that a single ACS server could easily support all of the Americas region and all its re-keying
requirements.
Re-keying is not the only time that an authentication would be required. Roaming also requires
authentication. It is difficult to estimate how often users would roam from one AP to another, but from
the authentications-per-hour figure above it can be seen that every client could roam
every five minutes and a single ACS server would still have sufficient capacity to authenticate them all.
The numbers derived above are conservative as they assume that all enterprise employees are using the
WLAN simultaneously. The main point to be taken from these numbers is that ACS capacity is not
the major design consideration in this Enterprise Network deployment.
The prime design considerations for ACS placement are speed of
authentication, resilience, location of user database information, and management.
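The AP estimate from Table 11-2 and the ACS capacity arithmetic above, worked through as an added Python example (not Cisco's own tooling): it reproduces the 15-employees-per-AP rule with per-building rounding and one AP per branch, then budgets the hourly re-key of every client before computing the roam interval a single ACS can absorb, which is slightly more conservative than the figure in the text. The office inventory is a constructed copy of Table 11-1, the 60 authentications per second figure is the one quoted above, and all function names are assumptions.

```python
import math

EMPLOYEES_PER_AP = 15      # planning figure used for campus and major offices

# Office inventory constructed from Table 11-1: employee counts per campus,
# major offices as (count, size), and the number of branch offices per region.
REGIONS = {
    "Americas": {"campus": [12000, 3000, 500, 500], "major": [(2, 110), (5, 80)], "branches": 70},
    "EMEA": {"campus": [1200, 1000, 500], "major": [(3, 80)], "branches": 50},
    "Asia Pacific": {"campus": [2000, 1500], "major": [(4, 200), (1, 160)], "branches": 20},
}

def aps_for_site(employees, per_ap=EMPLOYEES_PER_AP):
    """APs for one building: round up so a small office never gets zero."""
    return math.ceil(employees / per_ap)

def estimate_region(region):
    campus = sum(aps_for_site(e) for e in region["campus"])
    major = sum(n * aps_for_site(size) for n, size in region["major"])
    branch = region["branches"]          # one AP per branch office
    return {"campus": campus, "major": major, "branch": branch,
            "total": campus + major + branch}

def estimate_all(regions=REGIONS):
    """Per-region AP counts plus the AP 1200 / AP 1100 split: campus and major
    offices get AP 1200s, branch offices get AP 1100s."""
    per_region = {name: estimate_region(r) for name, r in regions.items()}
    ap1200 = sum(r["campus"] + r["major"] for r in per_region.values())
    ap1100 = sum(r["branch"] for r in per_region.values())
    return per_region, ap1200, ap1100

def acs_auths_per_hour(auths_per_second=60):
    return auths_per_second * 3600

def min_roam_interval_minutes(clients, rekeys_per_hour=1, auths_per_second=60):
    """Shortest average time between roams (per client) one ACS can absorb once
    the periodic re-key of every client is budgeted. Returns None when the
    re-keying alone already exceeds ACS capacity."""
    spare = acs_auths_per_hour(auths_per_second) - clients * rekeys_per_hour
    if spare <= 0:
        return None
    return 60.0 / (spare / clients)

def acs_sizing(clients, roam_interval_minutes):
    """Authentications per hour generated by hourly re-keying plus roaming, and
    the number of ACS servers that load needs (before adding backups)."""
    load = clients * (1 + 60.0 / roam_interval_minutes)
    servers = math.ceil(load / acs_auths_per_hour())
    return load, servers

if __name__ == "__main__":
    per_region, ap1200, ap1100 = estimate_all()
    for name, r in per_region.items():
        print(f"{name:13s} campus={r['campus']:5d} major={r['major']:4d} "
              f"branch={r['branch']:4d} total={r['total']:5d}")
    print(f"AP 1200s: {ap1200}, AP 1100s: {ap1100}")
    print("Americas roam interval (min):", round(min_roam_interval_minutes(18200), 2))
```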

ACS Server Placement


For ease of management and optimal performance, the location of the ACS RADIUS servers is critical.
A reauthentication is required whenever a client roams from one AP to another. For this roam to appear
seamless, the authentication must be performed quickly enough to ensure client applications show no
noticeable impact.
Another consideration is the resilience of the ACS RADIUS infrastructure. If an ACS server is not
available when a client tries to authenticate, this means that new clients cannot join a WLAN, and clients
roaming from AP to AP will lose their WLAN connection. To overcome this, a backup ACS server is
required for each AP.
The organization's global network is segmented into different logical domains for its network
operations, and the ACS deployment reflects this, with a separately managed ACS network for each region.
Clients from different regions of the enterprise may still use the WLAN in any region, but the
management of the ACS servers is done on a regional basis.
Figure 11-2 shows the planned location of the ACS servers within the US region. The ACS servers are
located at campus locations. These locations also contain Active Directory Domain Controllers. The
locations with two ACS servers are the two largest campuses; these servers are used by local campus
APs and by APs located in branch offices in the region. The locations with only one ACS server use the
nearest large campus location ACS as a backup. Branch offices use the nearest campus-based ACS server
for authentication. Branch clients will experience slower authentication than campus clients. This delay
should not be an issue when logging in, but might be an issue when roaming. The amount of roaming in
branches is thought to be less, and in branches with only one AP there will be no roaming.
Figure 11-2 ACS Server Placement (figure: campus sites in the US region, each hosting an Active Directory Domain Controller (DC) and one or more ACS servers)

Figure 11-3 shows the proposed AP authentication server management configuration. Servers
10.10.10.10 and 10.10.11.11 are the RADIUS servers used for client authentication. Servers 10.12.12.12
and 10.12.12.13 are the TACACS+ servers.
The preferred RADIUS server is the highest in the list (10.10.10.10); if the AP gets no response from
this server in two minutes, it will use the alternate server and the primary server will be put on the dead
server list for 30 minutes.

The choice of the timeout values and Dead Server List times reflects the preferred configuration for a
branch office and is based upon two assumptions:

- The primary RADIUS server is the closest and therefore gives the best authentication performance.

- In the event of a primary WLAN link failure, time is taken to detect the failure and converge
on the backup link. Events such as this should not result in a change of RADIUS server.

In the campus AP configurations, the RADIUS server timeout can be adjusted to a lower value, to reflect
the smaller penalty in switching from primary to secondary servers.
Figure 11-3 AP Server Management

Branch Roaming
To ensure that authentication and roaming times are optimal for the branch's prioritization of traffic,
authentication traffic is handled as described in the 802.1x and EAP-Based Authentication Across
Congested WAN Links application note.
ACS-server user databases are replicated by a single server within the region; Figure 11-4 shows the
replication plan for the US region. Because the WLAN is using Active Directory databases, this
replication may be unnecessary depending on whether EAP-Cisco devices are placed in the Active
Directory databases or the ACS.

Figure 11-4 ACS Server Replication (figure: ACS user database replication from a single server to the other ACS servers in the US region)

Rogue AP
Note

For related information, please refer to Chapter 9, WLAN Rogue AP Detection and Mitigation.
Concerns about rogue AP deployments are one of the motivators for this WLAN deployment, apart from
the ROI associated with the WLAN.
In addition to this WLAN deployment, the enterprise plans the following:

Publishing the policy against rogue APs as part of the organization's communication about the
WLAN deployment.

Looking for rogue APs as part of the site survey process.

Investigating rogue AP detection tools that integrate with the WLAN deployment.

Integrating rogue APs into the security strategy for protecting against unauthorized access. This is
part of a separate project that uses 802.1x to authenticate clients connecting to both the wired and
wireless networks and an intrusion detection system (IDS) to detect inappropriate behavior
on the network.

Management
The organization plans to deploy the Wireless LAN Solution Engine (WLSE) to manage its APs. This
helps deploy and maintain consistent AP configurations, monitor system performance, and aid
capacity planning and troubleshooting.
The WLSE manages 500 APs in the proposed WLSE deployment shown in Figure 11-5. WLSE
placement has capacity for 2500 APs. The dual WLSE deployment was implemented to meet capacity
requirements at the largest campus. Additional WLSE deployments reflect the local administration and
authentication domains, allowing the WLSE to monitor the EAP-Cisco authentication performance in all
of the regional campuses and to use and maintain configuration templates appropriate for the region.


Figure 11-5 WLSE Placement


For configuration details for the WLSE, see the Configuration Guide for the CiscoWorks 1105 Wireless
LAN Solution Engine, available at http://www.cisco.com.
The main WLAN client management issues for this enterprise are software version control and WEP-key
management. The use of EAP-Cisco solves the WEP-key management issue, and the organization is
planning to integrate the bundled client software packages into its software distribution system.
The enterprise is planning to permit users to control the ACU, because users might require other WLAN
profiles, and there are likely to be fewer client configuration issues if these WLAN configurations are
controlled in one location.

Layer-2 and Layer-3 Roaming


Note

For related information, please refer to Chapter 7, WLAN Roaming.


The organization's roaming requirement is for nomadic roaming. There is no plan to provide seamless
roaming between buildings within a campus or between floors of the same building.
This helps determine where Layer-3 boundaries are placed. Because seamless roaming is not required
between buildings, WLAN networks in different buildings may be on different subnets, as shown in
Figure 11-6. Although seamless roaming is not required between floors, the organization decided to
make each building's WLAN network a single subnet, as shown in Figure 11-7. This decision removes
any issues associated with clients roaming to APs on different floors. That the organization has no
buildings more than six floors high makes this decision easier.


Figure 11-6 Campus Subnetting (figure labels: WLAN Subnet X, WLAN Subnet Y, WLAN Subnet Z)

Figure 11-7 Building Subnetting (figure labels: WLAN Subnet A, Subnet B, Subnet C, Subnet D)

The roaming requirements and the subnet boundaries limit the organization's roaming focus to Layer-2
roaming; Layer-3 roaming is not required. If Layer-3 roaming were required, the organization would need
Mobile IP clients installed on the clients requiring this degree of mobility, because the planned use
of WLAN VLANs within the organization's network means that Proxy Mobile IP cannot be used.


WLAN QoS Considerations


Note

For related information, please refer to Chapter 6, WLAN Quality of Service (QoS).
The organization already has QoS enabled on the network, using DSCP values to mark traffic priorities.
It plans to use the QoS features of the APs to reflect these priorities on the WLAN.
The organization plans to trial WLAN VoIP in some locations once the WLAN network is deployed, but
this is considered a separate project.
For details on configuring QoS, refer to the Wireless Quality of Service Deployment Guide.

IP Multicast
Note

For related information, please refer to Chapter 8, IP Multicast in a Wireless LAN.


The organization wishes to deploy some multicast applications on its WLAN. Because the WLAN
subnets span multiple floors of buildings, and the WLAN has less capacity than a wired network,
every effort must be made to limit the multicast load on the WLAN.
Because the multicast applications to be supported are known, multicast boundaries can be configured on
the WLAN interface of the access routers.
To limit unnecessary multicasts on the WLAN VLAN, Internet Group Management Protocol (IGMP)
snooping will be enabled on the access switches.
IGMP snooping on access switches can be an issue when a client roams from one AP to another and the
multicast stream is not flowing on the switch port of the new AP. To ensure that the multicast stream is
forwarded on the new switch port, the AP can be made to send a general IGMP query whenever a client
associates or reassociates. When the client responds to the general IGMP query, the upstream switch
learns the required multicast stream. Figure 11-8 shows the configuration of the IGMP snooping feature
on an AP.
Figure 11-8 IGMP Snooping
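The roaming problem and the AP-triggered general query described above, as an added model (not Cisco code): a snooping switch that only forwards a group to ports that reported membership, two APs on ports 1 and 2, and a client that roams between them; the group address and port numbers are constructed.

```python
"""Model of IGMP snooping on an access switch when a WLAN client roams.

Without the AP sending a general query on (re)association, the new AP's
switch port only learns the group at the client's next periodic report;
with the query, the client reports immediately and the stream follows it.
"""


class SnoopingSwitch:
    def __init__(self):
        self.table = {}  # group -> set of ports that reported membership

    def membership_report(self, port, group):
        self.table.setdefault(group, set()).add(port)

    def forward_ports(self, group):
        """Ports the switch floods this group to (no report, no forwarding)."""
        return set(self.table.get(group, set()))


class Client:
    def __init__(self, groups):
        self.groups = set(groups)

    def answer_general_query(self, switch, port):
        # A general query makes the client report every group it has joined,
        # which the snooping switch sees arriving on the AP's port.
        for g in self.groups:
            switch.membership_report(port, g)


class AccessPoint:
    def __init__(self, switch, port, query_on_associate):
        self.switch, self.port = switch, port
        self.query_on_associate = query_on_associate

    def associate(self, client):
        # With the feature enabled the AP sends a general IGMP query as soon
        # as the client (re)associates, so the upstream port learns its groups.
        if self.query_on_associate:
            client.answer_general_query(self.switch, self.port)


def roam(query_on_associate):
    """Client joins a group through AP1 (port 1), then roams to AP2 (port 2).

    Returns the set of ports the switch forwards the group to after the roam.
    Port 1 stays in the set until the snooping entry ages out; the point is
    whether port 2 is present.
    """
    group = "239.1.1.1"          # constructed sample group
    sw = SnoopingSwitch()
    ap1 = AccessPoint(sw, 1, query_on_associate)
    ap2 = AccessPoint(sw, 2, query_on_associate)
    client = Client([group])
    ap1.associate(client)
    sw.membership_report(ap1.port, group)   # client's unsolicited join report via AP1
    ap2.associate(client)                   # roam: reassociation to AP2
    return sw.forward_ports(group)
```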


WLAN Case Study Configuration


The following sections summarize configuration considerations for the network discussed in this case
study:

AP Configuration, page 11-15

Access Switch Configuration, page 11-16

Distribution Router Configuration, page 11-16

AP Configuration
Figure 11-9 shows the proposed VLAN configuration of the WLAN network. The AP is configured with
three VLANs: a PC VLAN, a Handheld VLAN, and a Management VLAN. The management VLAN is
the default VLAN for the AP and does not have an associated WLAN VLAN; this prevents management
of the APs from the WLAN. This management VLAN would normally be the management VLAN used
on the access layer switches. The WLAN VLANs are dedicated to WLAN traffic and would be separate from the
wired VLANs on the access switch.
Figure 11-9 AP VLANs (figure labels: VLAN 10 Management, VLAN 20 PCs, VLAN 30 Handhelds, VLAN 40 PCs, VLAN 50 Voice)

Figure 11-10 and the Example Configuration: Config 1 section on page 11-16 show an excerpt from
the AP radio configuration. Note that VLAN 10 has encryption defined but does not have an SSID
associated with it. This is because VLAN 10 has been configured as the management VLAN and is
meant to exist only on the wired network.


Figure 11-10 Cisco 1100 VLANs

Example Configuration: Config 1


interface Dot11Radio0
no ip address
no ip route-cache
encryption mode wep mandatory mic key-hash
!
encryption vlan 20 mode wep mandatory mic key-hash
!
encryption vlan 30 mode wep mandatory mic key-hash
!
broadcast-key vlan 20 change 1000
broadcast-key vlan 30 change 1000
!
ssid PCS
vlan 20
authentication open eap eap_methods
authentication network-eap eap_methods
!
ssid scanners
vlan 30
authentication open eap eap_methods
authentication network-eap eap_methods
!

For detailed WLAN VLAN configuration, including authentication-based VLAN mapping information,
see the Wireless Virtual LAN Deployment Guide.
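A check of the Config 1 excerpt against the VLAN rules this section states (every SSID on an encrypted VLAN with broadcast-key rotation and EAP authentication; the management VLAN never bound to an SSID), as an added audit script that is not Cisco code. The parser is deliberately minimal and only understands the commands shown in Config 1; the management VLAN number (10) comes from the text.

```python
"""Audit an Aironet IOS radio configuration against the case study's VLAN rules."""
import re

# Excerpt from Config 1 on this page (interface Dot11Radio0 on the AP).
CONFIG_1 = """\
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode wep mandatory mic key-hash
 encryption vlan 20 mode wep mandatory mic key-hash
 encryption vlan 30 mode wep mandatory mic key-hash
 broadcast-key vlan 20 change 1000
 broadcast-key vlan 30 change 1000
 ssid PCS
    vlan 20
    authentication open eap eap_methods
    authentication network-eap eap_methods
 ssid scanners
    vlan 30
    authentication open eap eap_methods
    authentication network-eap eap_methods
"""


def parse_radio(config):
    """Return (encrypted_vlans, rotated_vlans, ssids); ssids maps
    name -> {"vlan": int or None, "auth": [authentication lines]}."""
    encrypted, rotated, ssids, current = set(), set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"encryption vlan (\d+) mode \S+ mandatory", line):
            encrypted.add(int(m.group(1)))          # per-VLAN mandatory encryption
        elif m := re.match(r"broadcast-key vlan (\d+) change \d+", line):
            rotated.add(int(m.group(1)))            # broadcast-key rotation
        elif m := re.match(r"ssid (\S+)$", line):
            current = ssids.setdefault(m.group(1), {"vlan": None, "auth": []})
        elif current is not None and (m := re.match(r"vlan (\d+)$", line)):
            current["vlan"] = int(m.group(1))       # SSID-to-VLAN binding
        elif current is not None and line.startswith("authentication "):
            current["auth"].append(line)
    return encrypted, rotated, ssids


def audit(config, management_vlan):
    """Return a list of findings; an empty list means the config passes."""
    encrypted, rotated, ssids = parse_radio(config)
    findings = []
    for name, s in ssids.items():
        vlan = s["vlan"]
        if vlan == management_vlan:
            # The management VLAN must stay wired-only; nothing else matters here.
            findings.append(f"ssid {name}: bound to management VLAN {vlan}")
            continue
        if vlan not in encrypted:
            findings.append(f"ssid {name}: VLAN {vlan} lacks mandatory encryption")
        if vlan not in rotated:
            findings.append(f"ssid {name}: VLAN {vlan} does not rotate the broadcast key")
        if not any(re.search(r"\beap\b", a) for a in s["auth"]):
            findings.append(f"ssid {name}: no EAP authentication configured")
    return findings
```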

Access Switch Configuration


The access switch configuration is the same as that applied in the Cisco AVVID Network Infrastructure
Campus Design Solutions Reference Network Design, with the addition of the WLAN VLANs.

Distribution Router Configuration


The Distribution Router configuration is the same as that applied in the Cisco AVVID Network
Infrastructure Campus Design Solutions Reference Network Design with the addition of the WLAN
VLANs.
