Cisco AVVID Wireless LAN Design
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness
Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your
Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified
Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation,
Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo,
Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO
are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0303R)
956608
Preface
This design guide presents recommendations intended to facilitate Enterprise Wireless Local Area Network (WLAN) solution deployment. The emphasis in this document is on integrating WLAN technology into environments featuring key Enterprise networking elements. Specific chapters address the following topics:
Chapter 1, WLAN Solution Overview: Summarizes the benefits and characteristics of the Cisco secure Enterprise WLAN solution.
Chapter 5, Wireless LAN VLANs: Focuses on the implementation of virtual local area networks (VLANs) in the context of WLAN environments.
Chapter 7, WLAN Roaming: Addresses the WLAN design considerations when assessing Layer 2 roaming of wireless LAN clients.
Chapter 9, WLAN Rogue AP Detection and Mitigation: Outlines the threat posed by rogue access points (APs) in the Enterprise network and some strategies for preventing and detecting them.
Chapter 10, WLAN Guest Network Access: Presents the advantages, risks, and proposed configuration for WLAN Guest Network Access.
Chapter 11, Cisco AVVID Enterprise WLAN Case Study: Details an example network in the context of the key topics presented in this document.
http://www.cisco.com/go/safe
The SAFE white paper covers the security-specific aspects of design in more detail, whereas this design guide is focused on the overall WLAN solution. Although there are differences between the SAFE white paper designs and the designs presented here, those differences are not generally considered substantive and the designs are compatible.
Target Audience
This publication provides solution guidelines for large-scale enterprises implementing WLAN networks
with Cisco WLAN devices. The intended audiences for this design guide include network architects,
network managers, and others concerned with the implementation of secure WLAN solutions, including:
Cisco partners
Cisco customers
Obtaining Documentation
The following sections explain how to obtain documentation from Cisco Systems.
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM
package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may
be more current than printed documentation. The CD-ROM package is available as a single unit or
through an annual subscription.
Ordering Documentation
Cisco documentation is available in the following ways:
Registered Cisco Direct Customers can order Cisco product documentation from the Networking
Products MarketPlace:
http://www.cisco.com/cgi-bin/order/order_root.pl
Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription
Store:
http://www.cisco.com/go/subscription
Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North
America, by calling 800 553-NETS (6387).
Documentation Feedback
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments
electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you
complete the form, print it out and fax it to Cisco at 408 527-0730.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, use the response card behind the front cover of your document, or
write to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open
access to Cisco information, networking solutions, services, programs, and resources at any time, from
anywhere in the world.
Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a
broad range of features and services to help you to
You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com,
go to the following URL:
http://www.cisco.com
Obtaining Technical Assistance
Priority level 4 (P4): You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
Priority level 2 (P2): Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
Priority level 1 (P1): Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of
service contracts, when applicable.
CHAPTER 1 WLAN Solution Overview
Flexibility: Allows work to be done at the most appropriate or convenient place rather than where a cable drop terminates.
Easier to set up temporary spaces: Promotes quick network setup of meeting rooms, war rooms, or brainstorming rooms tailored to variations in the number of participants.
Lower cabling costs: Reduces the requirement for contingency cable plant installation because the WLAN can be employed to fill the gaps.
Easier adds, moves, and changes, and lower support and maintenance costs: Temporary networks become much easier to set up, easing migration issues and costly last-minute fixes.
Improved efficiency: Studies show WLAN users are connected to the network for 1.75 hours longer per day compared with hard-wired users.
Easier to collaborate: Facilitates access to collaboration tools from any location, such as meeting rooms; files can be shared on the spot and requests for information handled immediately.
More efficient use of office space: Allows greater flexibility in coping with excess numbers caused by large team meetings.
Reduced errors: Data can be directly entered into systems as it is being collected, rather than being transcribed when network access is available.
Improved efficiency, performance, and security for enterprise partners and guests: Promoted with the provision of guest access networks.
Improved overall security: Promoted through the provision of a controlled and secured WLAN network, reducing the likelihood of rogue WLAN deployments.
Figure 1-1 WLAN Access (figure: WLAN access attached to the campus access, distribution, core and backbone layers, with WAN, Internet, PSTN and server farm building block additions)
WLAN Virtual LANs (VLANs) allow the coexistence of multiple security models on the same WLAN. This allows the combination of security models based on client requirements and/or user policies.
The solution security model you choose depends on the security requirements of the enterprise. This publication focuses on the two most secure solutions, 802.1x/Extensible Authentication Protocol (EAP) and IPSec VPNs, but does discuss the use of Wired Equivalent Privacy (WEP) and WEP plus Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) where applicable.
The recommended security model is 802.1x/EAP with WEP plus TKIP and MIC, because it creates the optimum network architecture and addresses all known WLAN security threats. Examples of EAP types suitable for use in WLANs are EAP-Cisco (formerly Lightweight EAP or LEAP), EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP Tunneled TLS (EAP-TTLS). If further 802.1x/EAP types are developed to meet business needs, the existing architectures will accommodate them. The 802.1x/EAP type used is transparent to the AP, and only has implications for the client software and the Remote Authentication Dial-In User Service (RADIUS) server.
IPSec VPNs are recommended as an alternative to 802.1x/EAP if the customer security requirements mandate Triple Data Encryption Standard (3DES).
For situations in which EAP or IPSec VPNs are not possible, a combination of static WEP and access filtering is discussed, although this alternative is not a recommended security mode for general deployment. TKIP and MIC should be implemented wherever possible, including static WEP deployments.
The design recommendations presented in this publication each show a single security model (EAP, IPSec, or static WEP); these can be combined within the one enterprise implementation using WLAN VLANs, and are shown separately for clarity.
The WLAN implementation does not change existing campus architectures and recommendations. WLANs should be assigned to a dedicated subnet (not one shared with wired LAN users).
A separate management VLAN should be configured for the management of WLAN APs. As a design best practice, this VLAN should not have a WLAN appearance (meaning it does not have an associated SSID and it cannot be directly accessed from the WLAN). Security policies should determine where the AP managers logically and physically reside on the network.
The wired LAN is not replaced by the WLAN. The WLAN is used to enhance the current network flexibility and accessibility by providing an extension to the existing network.
Assumes 15-to-25 users per AP. This number varies from customer to customer depending on usage profiles and user density.
Seamless roaming is limited to the same Layer-2 network, unless Proxy Mobile IP or Mobile IP is used.
IP Multicast for the WLAN is bounded to ensure that multicast does not consume excessive bandwidth, and IP multicast applications are tested for their suitability for a WLAN network.
(Figure: protocol stack comparison. An 802.11 wireless client and a wired 802.3 Ethernet host share the same IP Layer-3 network above the Layer 2 DLC and IEEE 802.2 LLC layers.)
Unicast Traffic
The WLAN hardware always tries to send data at the highest rate possible. There are many data rates which can be selected. For instance, four rates are possible for the 802.11b radio: 1, 2, 5.5, and 11 Mbps. The 802.11a radio supports 6, 9, 12, 18, 24, 36, 48 and 54 Mbps. With the AP, the Data Rates section on the AP Radio Hardware setup page lists the options for each data rate. Refer to Figure 1-2 on page 1-6. Where Yes is selected, only unicast traffic is sent at this data rate.
Figure 1-2 AP Radio Hardware setup page, Data Rates section (screenshot)
Infrastructure Mode
In infrastructure mode, clients communicate through an AP. The AP is the point at which wireless clients can access the network. Figure 1-3 illustrates a typical WLAN arrangement. The AP provides connectivity to other clients associated with that AP or to the wired LAN.
The basic service area (BSA) is the area of RF coverage provided by an AP, also referred to as a microcell. To extend the BSA, or to simply add wireless devices and extend the range of an existing wired system, an AP can be added.
The AP attaches to the Ethernet backbone and communicates with all the wireless devices in the cell area. The AP is the master for the cell, and controls traffic flow to and from the network. The remote devices do not communicate directly with each other; they communicate through the AP.
If a single cell does not provide enough coverage, any number of cells can be added to extend the range. This is known as an extended service area (ESA).
It is recommended that the ESA cells include 10-to-15 percent overlap to allow remote users to roam without losing RF connections.
Bordering cells should be set to different non-overlapping channels for best performance.
Figure 1-3 Typical WLAN (figure: two access points on channels 1 and 6 with 10-15% overlapping cells; wireless laptops, a tablet, a handheld and a desktop client, with one laptop roaming between the cells; the APs connect through a switch and router to the LAN/WAN)
Ad-hoc Mode
Ad-hoc mode is used to establish a peer-to-peer network between two or more clients. This mode is
selected through the System Type section of the System Parameters page on the Aironet Client Utility
(ACU).
General References
Cisco Network Solutions and Provisioned Services page:
http://www.cisco.com/en/US/netsol/index.html
Note
Access to specific information varies based on user entitlement at the Cisco Systems web site.
Security References
The Unofficial 802.11 Security Web Page:
http://www.drizzle.com/~aboba/IEEE/
Assessing Wireless Security with AiroPeek and AiroPeek NX:
http://www.wildpackets.com/elements/whitepapers/AiroPeek_Security.pdf
Netstumbler security links:
http://www.netstumbler.com/links.php?op=MostPopular
OUI list:
http://standards.ieee.org/regauth/oui/oui.txt
SANS (System Administration, Networking and Security) Institute: Wireless page:
http://rr.sans.org/wireless/wireless_list.php
Securing wireless networks (enter as guest):
http://securingwireless.intranets.com/default.asp?link=
List of wireless security tools:
http://www.networkintrusion.co.uk/wireless.htm
When Dreamcasts Attack:
http://online.securityfocus.com/news/558
IP Multicast References
CCO IP Multicast Overview:
http://www.cisco.com/go/ipmulticast
CHAPTER 2 RF Basics
This section provides a summary of regulations and considerations specific to RF implementation. The
following sections are presented:
Regulations
Devices that operate in unlicensed bands do not require any formal licensing process, but operation in these bands still obligates the user to follow regulations. The governing bodies in different parts of the world regulate these bands. WLAN devices must comply with the specifications of the relevant governing regulatory domain. The regulatory agencies set the emission requirements for WLAN to minimize the amount of interference a radio can generate or receive from another in the same proximity. The regulatory requirements do not affect the interoperability of IEEE 802.11b and 802.11a compliant products. It is the responsibility of the vendor to get the product certified by the corresponding regulatory body.
Table 2-1 summarizes the current regulatory domains for Wi-Fi products.
Table 2-1 Regulatory Domains
Regulatory Domain   Geographic Area
Japan (MKK)         Japan
China               China
Israel              Israel
Singapore (1)       Singapore
Taiwan (2)          Republic of China (Taiwan)
1. The regulations of Singapore and Taiwan for wireless LANs are particular to these countries only for operation in the 5 GHz band. Singapore and Taiwan are therefore only regulatory domains for 5 GHz operation; for operation in 2.4 GHz, they fall into the ETSI and FCC domains, respectively.
2. See above.
Note
The main regulatory domains are the FCC, ETSI, and MKK domains. As of this writing there is no 5 GHz regulatory domain for China, and 5 GHz regulations vary widely from country to country.
Caution
Check the Cisco web site for compliance information and also with your local regulatory authority on what is permitted within your country. The information provided in Table 2-2, Table 2-3, and Table 2-4 on the following pages should be used as a general guideline. For up-to-date information on regional requirements, check http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html#4.
Table 2-2 Regulatory Range (1)
Lower Limit   Upper Limit   Geography
2.402 GHz     2.480 GHz     North America
2.402 GHz     2.480 GHz     Europe (2)
2.473 GHz     2.495 GHz     Japan
2.447 GHz     2.473 GHz     Spain
2.448 GHz     2.482 GHz     France
1. The frequency ranges in this table are subject to the geographic-specific regulatory authorities.
2. Excluding Spain and France.
Table 2-3 USA 5 GHz Frequency Bands and Channel Numbers
Regulatory Domain   Frequency Band   Channel Number   Center Frequency
USA                 UNII-1           36               5.180 GHz
                                     40               5.200 GHz
                                     44               5.220 GHz
                                     48               5.240 GHz
USA                 UNII-2           52               5.260 GHz
                                     56               5.280 GHz
                                     60               5.300 GHz
                                     64               5.320 GHz
USA                 UNII-3           149              5.745 GHz
                                     153              5.765 GHz
                                     157              5.785 GHz
                                     161              5.805 GHz
Table 2-4 Additional Frequency Bands and Channel Numbers for Other Regulatory Domains
Regulatory Domain           Channel Number   Center Frequency (GHz)
Japan                       34               5.170
                            38               5.190
                            42               5.210
                            46               5.230
Singapore, Taiwan, EMEA 1   36               5.180
                            40               5.200
                            44               5.220
                            48               5.240
                            52               5.260
                            56               5.280
                            60               5.300
                            64               5.320
Australia, New Zealand      Same as USA
EMEA 2                      36               5.180
                            40               5.200
                            44               5.220
Each of the bands presented in Table 2-3 is intended for a different use. The UNII-3 band is intended for long range point-to-point and point-to-multipoint wireless bridging and may only be used outdoors. The UNII-3 band and its usage are beyond the scope of this book. Please refer to the following URL to find the appropriate WLAN product for your regulatory domain:
http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html
Fine Tuning
A number of factors can affect the WLAN coverage, as follows:
Power Level
For a given data rate, the WLAN designer can alter the power level and/or elect to use a different antenna, to change the coverage area and/or coverage shape.
Channel Selection
Channel selection depends on the frequencies that are permitted for a particular region. For example, the North American and ETSI 2.4 GHz channel sets permit allocation of three non-overlapping channels (1, 6, and 11), while the 5 GHz channel set permits eight channels.
The channels should be allocated to the coverage cells as follows:
Where channels must be used in multiple cells, those cells should have minimal overlap with each other. See Figure 2-1.
Figure 2-1 Channel allocation to adjacent cells (figure: AP1 on channel 1, AP2 on channel 6, AP3 on channel 11, and AP4 reusing channel 1 in a cell separated from AP1)
A site survey should be conducted using the same frequency plan as intended for the actual deployment. This facilitates a more exact estimate of how a particular channel at a particular location will react to interference and multipath.
Channel selection also helps in planning for co-channel and adjacent channel interference, and provides information about where you can reuse a frequency.
In multi-story buildings, check the cell overlap between floors according to these rules and guidelines. Some re-surveying and relocating of APs might be required in some cases. Multi-story structures (such as office towers, hospitals and university classroom buildings) introduce a third dimension to coverage planning. The 2.4 GHz waveform of 802.11b and, when available, 802.11g can pass through floors and ceilings as well as walls. The 5 GHz waveform of 802.11a can also pass through floors and ceilings as well as walls, but does so to a lesser degree due to its higher frequency. With 2.4 GHz Wi-Fi LANs in particular, you must avoid overlapping cells not only on the same floor, but also on adjacent floors. With only three channels, this can be achieved through careful three-dimensional planning.
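The channel-overlap and three-dimensional planning rules above can be checked mechanically over a proposed AP layout. The following Python script is an added example and not part of the guide; the AP names and positions, the 100 ft cell radius and the rule that only directly adjacent floors interact are constructed assumptions, while the permitted 5 GHz channel numbers come from Tables 2-3 and 2-4.

```python
from dataclasses import dataclass
from itertools import combinations

# Channel widths: 802.11b channels are 22 MHz wide on a 5 MHz raster,
# 802.11a channels are 20 MHz wide on a 20 MHz raster (5000 + 5*n MHz).
CHANNEL_WIDTH_MHZ = {"2.4": 22, "5": 20}

# 5 GHz channels permitted per regulatory domain, as listed in Tables 2-3
# and 2-4 of the guide (USA: UNII-1, UNII-2 and UNII-3; Japan; EMEA 2).
PERMITTED_5GHZ = {
    "USA": {36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161},
    "Japan": {34, 38, 42, 46},
    "EMEA 2": {36, 40, 44},
}


def center_mhz(band: str, ch: int) -> int:
    """Center frequency in MHz (2.4 GHz: 2407 + 5*ch, channel 14 at 2484)."""
    if band == "2.4":
        if ch == 14:
            return 2484
        if 1 <= ch <= 13:
            return 2407 + 5 * ch
    elif band == "5":
        if 34 <= ch <= 165:
            return 5000 + 5 * ch
    raise ValueError(f"channel {ch} is not a valid {band} GHz channel")


def channels_overlap(band: str, a: int, b: int) -> bool:
    """True when two channels' spectra overlap, i.e. their centers are closer
    than one channel width. In 2.4 GHz only 1, 6 and 11 are mutually clear;
    in 5 GHz every listed channel is clear of its neighbours."""
    return abs(center_mhz(band, a) - center_mhz(band, b)) < CHANNEL_WIDTH_MHZ[band]


@dataclass(frozen=True)
class AP:
    name: str
    band: str      # "2.4" or "5"
    channel: int
    floor: int
    x_ft: float    # position on the floor plan (constructed sample values)
    y_ft: float


def cells_touch(p: AP, q: AP, cell_radius_ft: float, floor_reach: int) -> bool:
    """Assumption: two cells interfere when both radios use the same band,
    the APs are on the same floor or within floor_reach floors of each other
    (the signal passes through floors, as the guide notes), and their coverage
    circles overlap, i.e. the APs are closer than two cell radii apart."""
    if p.band != q.band or abs(p.floor - q.floor) > floor_reach:
        return False
    dist = ((p.x_ft - q.x_ft) ** 2 + (p.y_ft - q.y_ft) ** 2) ** 0.5
    return dist < 2 * cell_radius_ft


def find_conflicts(aps, cell_radius_ft=100.0, floor_reach=1):
    """Pairs of APs whose overlapping cells also use overlapping channels."""
    return [
        (p.name, q.name)
        for p, q in combinations(aps, 2)
        if cells_touch(p, q, cell_radius_ft, floor_reach)
        and channels_overlap(p.band, p.channel, q.channel)
    ]


def check_domain(aps, domain: str):
    """Names of 5 GHz APs using a channel not permitted in the given domain."""
    allowed = PERMITTED_5GHZ[domain]
    return [ap.name for ap in aps if ap.band == "5" and ap.channel not in allowed]


# Constructed sample plan: a 1/6/11 row on floor 1 (compare Figure 2-1),
# an AP directly above AP1 on floor 2 reusing channel 1, an AP on a
# channel between 1 and 6, and two 802.11a APs on adjacent channels.
SAMPLE_PLAN = [
    AP("AP1", "2.4", 1, 1, 0, 0),
    AP("AP2", "2.4", 6, 1, 150, 0),
    AP("AP3", "2.4", 11, 1, 300, 0),
    AP("AP4", "2.4", 1, 1, 450, 0),
    AP("AP5", "2.4", 1, 2, 0, 0),
    AP("AP6", "2.4", 3, 1, 150, 150),
    AP("AP7", "5", 36, 1, 0, 0),
    AP("AP8", "5", 40, 1, 100, 0),
]

if __name__ == "__main__":
    for pair in find_conflicts(SAMPLE_PLAN):
        print("co-channel/adjacent-channel conflict:", pair)
    print("not permitted in Japan:", check_domain(SAMPLE_PLAN, "Japan"))
```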
An AP can be configured to automatically search for the best channel on power up. This is configured using the AP Radio Hardware menu, as shown in Figure 2-2.
Retest the site using the selected channels and check for any interference.
Figure 2-2 AP Radio Hardware menu (screenshot)
Note
It is possible to implement a dual-band deployment scheme as illustrated in Figure 2-3. However, this requires careful planning and implementation of the Cisco Aironet AP 1200. Refer to the Data Rate Considerations section on page 3-3 for related information about dual-band channel deployment considerations.
Figure 2-3 Dual-band 802.11b and 802.11a channel deployment scheme (figure: overlaid 802.11b cells on channels 1, 6 and 11 and 802.11a cells, each cell labelled with its channel assignment)
Within the 802.11 Working Group are a number of Task Groups responsible for elements of the 802.11 WLAN Standard.
IEEE 802.11b refers to Task Group b within the 802.11 Working Group. IEEE 802.11b became an IEEE standard in September 1999, and then higher data rates of 5.5 Mbps and 11 Mbps were introduced in the standard using DSSS and operating in the 2.4 GHz band. 802.11b defines a high performance radio and true vendor interoperability. Table 2-5 summarizes some of the task group initiatives.
Table 2-5 802.11 Task Group initiatives (table columns: Task Group, Project, MAC, PHY and status; only the status column survived, with entries Standard, Standard (802.1d), and Ongoing)
The IEEE ratified the 802.11a standard in 1999, but the first 802.11a-compliant products did not begin appearing on the market until December 2001. The 802.11a standard delivers a maximum data rate of 54 Mbps and eight nonoverlapping frequency channels, resulting in increased network capacity, improved scalability, and the ability to create microcellular deployments without interference from adjacent cells.
Operating in the unlicensed portion of the 5 GHz radio band, 802.11a is also immune to interference from devices that operate in the 2.4 GHz band, such as microwave ovens, cordless phones, and Bluetooth (a short-range, low-speed, point-to-point, personal-area-network wireless standard). The 802.11a standard is not compatible with existing 802.11b-compliant wireless devices. 2.4 GHz and 5 GHz equipment can operate in the same physical environment without interference.
IEEE 802.11g is a high performance standard in development and should be finalized by mid-year 2003. 802.11g will deliver the same 54 Mbps maximum data rate as 802.11a, but will operate in the same 2.4 GHz band as 802.11b.
Selecting between these technologies is not a one-for-one tradeoff. They are complementary technologies and will coexist in future enterprise environments. Implementers must be able to make an educated choice between deploying 2.4 GHz-only networks, 5 GHz-only networks, or a combination of both. Organizations with existing 802.11b networks cannot simply deploy a new 802.11a network on 5 GHz APs and expect to have similar coverage at the 802.11a 54 Mbps data rate as they had at the 11 Mbps data rate of their 802.11b APs. The technical characteristics of both these bands simply do not allow for this kind of coverage interchangeability.
RF Spectrum Implementation
In the United States, three bands are defined as unlicensed and known as the ISM bands (Industrial, Scientific, and Medical). The ISM bands are as follows:
5 GHz (5.15-to-5.35 and 5.725-to-5.825 GHz) IEEE 802.11a. This band is also known as the UNII band.
The Cisco Aironet 340 and 350 Series APs use RF spectrum in the 2.4 GHz unlicensed ISM band.
Each range has different characteristics. The lower frequencies exhibit better range, but with limited bandwidth and hence lower data rates. The higher frequencies have less range and are subject to greater attenuation from solid objects.
Figure 2-4 2.4 GHz channels (figure: 802.11b channels 1 through 14, each 22 MHz wide, across the band from 2.402 GHz to 2.483 GHz)
Figure 2-5 5 GHz channels (figure: lower band from the 5150 MHz lower band edge to the 5350 MHz upper band edge with 30 MHz guard at each edge and channel centers at 5180, 5200, 5220, 5240, 5260, 5280, 5300 and 5320 MHz; upper band from the 5725 MHz lower band edge to the 5825 MHz upper band edge with 20 MHz guard at each edge and channel centers at 5745, 5765, 5785 and 5805 MHz)
For the US-based 802.11a standard, the 5 GHz unlicensed band covers 300 MHz of spectrum and supports 12 non-overlapping channels. As a result, the 5 GHz band is actually a conglomerate of three bands in the USA: 5.150-to-5.250 GHz (UNII 1), 5.250-to-5.350 GHz (UNII 2), and 5.725-to-5.875 GHz (UNII 3).
Note
Number of users versus throughput for a given AP: The general recommended number of users per AP is 15-to-25.
Distance between APs can cause throughput variations for clients based on distance from the AP: The recommendation is to limit the AP data rate to the higher data rates of 11 Mbps and 5.5 Mbps.
Number of APs depends on coverage and throughput requirements, which might vary: For example, Cisco's internal information systems (IS) group currently uses six APs per 38,000 square feet of floor space.
Based upon the variability in environments, it is highly recommended that a site survey be performed to determine the number of APs required and their optimal placement.
Figure 2-6 Coverage at 1 Mbps, 2 Mbps, 5.5 Mbps and 11 Mbps (figure: concentric coverage circles around an AP, largest at 1 Mbps and smallest at 11 Mbps)
The diameter of the coverage (circles shown in Figure 2-6) depends upon factors such as power and antenna gain. For example, indoors (1) using the standard antennas on the NIC card and APs, the diameter of the 1 Mbps circle is approximately 700 ft (210 m), and the diameter of the 11 Mbps circle is about 200 ft (60 m). Increasing the gain of the antenna can increase the distance and change the shape of the radiation pattern to something more directional.
1. Typically the outdoor range is greater because there are fewer obstacles and less interference.
Figure 2-7 Site surveyed at 2 Mbps (figure: AP placement resulting from a survey at a 2 Mbps data rate)
The required data rate has a direct impact upon the number of APs needed in the design. The example in Figure 2-7 illustrates this point. While six APs with a data rate of 2 Mbps might adequately service an area, it might take twice as many APs to support a data rate of 5 Mbps, and more again to support data rates of 11 Mbps.
The data rate chosen is dependent on the type of application to be supported. In a WLAN LAN extension environment, the higher data rates of 11 Mbps and 5.5 Mbps are recommended; this gives maximum throughput and should minimize performance-related support issues. In a WLAN vertical application environment, the data rates selected are determined by the application requirements; some clients might not support the higher data rates and might require the use of lower data rates.
It might seem logical to choose the default configuration of APs and clients, thereby allowing all data rates. However, there are three key reasons for limiting the data rate to the highest rate at which full coverage is obtained:
Broadcast and multicast are sent at the slowest data rate (to ensure that all clients can see them); this reduces the throughput of the WLAN because traffic must wait until frames are processed at the slower rate.
Clients that are farther away, and therefore accessing the network at a lower data rate, decrease the overall throughput by causing delays while the lower bit rates are being serviced.
If an 11 Mbps service is specified and provisioned with APs that support all data rates, clients at lower rates can associate with APs configured in this way, which can create a coverage area greater than planned, thereby increasing the security exposure and potentially interfering with other WLANs.
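The three reasons above can be put in numbers. The following Python model is an added example, not from the guide: it uses the basic/yes/no Data Rates options described for the AP Radio Hardware page in Chapter 1 and the indoor cell diameters the guide quotes for 1 Mbps and 11 Mbps; the 2 Mbps and 5.5 Mbps diameters and the inverse-square scaling of AP count with cell diameter are assumptions.

```python
# Data Rates options as on the AP Radio Hardware page: "basic" (unicast and
# broadcast/multicast allowed; every client must support it), "yes" (unicast
# only) or "no" (rate disabled).
RATE_OPTIONS = ("basic", "yes", "no")

# Approximate indoor cell diameter per 802.11b data rate, in feet. The 1 Mbps
# and 11 Mbps values are the guide's; 2 and 5.5 Mbps are assumed for illustration.
CELL_DIAMETER_FT = {1.0: 700, 2.0: 500, 5.5: 350, 11.0: 200}

# Constructed configurations: the factory default, the guide's recommended
# limit to the higher rates, and a half-way setting that keeps low rates
# for unicast only.
DEFAULT_RATES = {1.0: "basic", 2.0: "basic", 5.5: "basic", 11.0: "basic"}
LIMITED_RATES = {1.0: "no", 2.0: "no", 5.5: "basic", 11.0: "basic"}
UNICAST_LOW_RATES = {1.0: "yes", 2.0: "yes", 5.5: "basic", 11.0: "basic"}


def validate(rates):
    """At least one rate must be basic, and every entry must be a known rate/option."""
    for rate, option in rates.items():
        if rate not in CELL_DIAMETER_FT or option not in RATE_OPTIONS:
            raise ValueError(f"bad data rate setting {rate}: {option}")
    if "basic" not in rates.values():
        raise ValueError("at least one data rate must be set to basic")


def broadcast_rate(rates):
    """Broadcast and multicast go out at the slowest rate all clients must
    support, i.e. the lowest rate set to basic (reason 1 in the list above)."""
    validate(rates)
    return min(rate for rate, option in rates.items() if option == "basic")


def association_radius_ft(rates):
    """A client can associate anywhere it can decode the slowest rate that is
    still enabled: "yes" only removes broadcast traffic, it does not shrink
    the cell (reasons 2 and 3 above)."""
    validate(rates)
    slowest = min(rate for rate, option in rates.items() if option != "no")
    return CELL_DIAMETER_FT[slowest] / 2


def exposure_ratio(rates, planned_rate):
    """Reachable cell area relative to the cell planned for planned_rate
    (reason 3 above: area grows with the square of the radius)."""
    planned_radius = CELL_DIAMETER_FT[planned_rate] / 2
    return (association_radius_ft(rates) / planned_radius) ** 2


def relative_ap_count(surveyed_rate, target_rate):
    """Figure 2-7 effect under the assumed model: APs needed scale with the
    inverse square of the cell diameter, so six APs surveyed at 2 Mbps become
    about twice as many at 5.5 Mbps and more again at 11 Mbps."""
    return (CELL_DIAMETER_FT[surveyed_rate] / CELL_DIAMETER_FT[target_rate]) ** 2


if __name__ == "__main__":
    configs = (("default", DEFAULT_RATES), ("limited", LIMITED_RATES),
               ("unicast-low", UNICAST_LOW_RATES))
    for label, cfg in configs:
        print(label, "broadcast at", broadcast_rate(cfg), "Mbps,",
              "associates out to", association_radius_ft(cfg), "ft,",
              "area x%.2f vs an 11 Mbps cell" % exposure_ratio(cfg, 11.0))
    print("APs relative to a 2 Mbps survey: 5.5 Mbps x%.2f, 11 Mbps x%.2f"
          % (relative_ap_count(2.0, 5.5), relative_ap_count(2.0, 11.0)))
```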
1. This number would not be achieved due to 802.11 management overhead associated with the large number of clients and collisions.
Figure 2-8 Channel reuse pattern (figure: a grid of cells assigned channels 1, 6 and 11 so that no two adjacent cells share a channel)
Note
Client power should be adjusted to match the AP power settings. Maintaining a high setting on the client
does not result in higher performance and it can cause interference in nearby cells.
Security Policy
RF design can be used to minimize the RF radiation in coverage areas or directions not required. For
example, if WLAN coverage is required only in the buildings, then the amount of RF coverage outside
the building can be minimized by AP placement and directional antennas.
RF Environment
The performance of the WLAN and its equipment depends upon its RF environment. The following are
some examples of adverse environmental variables:
Transformers
Concrete
Refrigerators
Microwave ovens
A site survey should be performed to ensure that the required data rates are supported in all the required
areas, despite the environmental variables mentioned above.
The site survey should consider the three dimensional space occupied by the WLAN. For example a
multi-story building WLAN with different subnets per floor might require a different RF configuration
than the same building with a single WLAN subnet per building. In the multiple subnet instance, a client
attempting to roam to a different AP on the same floor might acquire an AP from an adjacent floor.
Switching APs in a multi-subnet environment changes the roaming activity from a seamless Layer 2
roam to a Layer 3 roam which in turn disrupts sessions and might require user intervention.
CHAPTER 3
IEEE 802.11b: 802.11b has been the industry standard for several years. Operating in the unlicensed portion of the 2.4 GHz radio frequency spectrum, it delivers a maximum data rate of 11 Mbps and boasts numerous strengths. 802.11b enjoys broad user acceptance and vendor support. Many vendors manufacture compatible devices, and this compatibility is assured through the Wi-Fi certification program. 802.11b technology has been deployed by thousands of enterprise organizations that typically find its speed and performance acceptable for their current applications.
IEEE 802.11a: 802.11a operates in the uncluttered 5 GHz radio frequency spectrum. With a
maximum data rate of 54 Mbps, this standard offers a fivefold performance increase over the
802.11b standard. Therefore, it provides greater bandwidth for particularly demanding applications.
As mentioned in the IEEE 802.11 Standards section on page 2-9, 802.11g is another related
standard, one intended for networks with high performance requirements. The 802.11g standard has
been in draft form since November 2001 and is likely to be finalized in 2003. 802.11g will deliver the
same 54 Mbps maximum data rate as 802.11a, yet it offers an additional and compelling
advantage: backward compatibility with 802.11b equipment. This means that 802.11b client cards will
work with 802.11g APs, and 802.11g client cards will work with 802.11b APs. Because 802.11g and
802.11b operate in the same 2.4 GHz unlicensed band, migrating to 802.11g will be an affordable choice
for organizations with existing 802.11b wireless infrastructures. It should be noted that 802.11b products
cannot be software upgraded to 802.11g, because 802.11g radios will use a different chipset than 802.11b
in order to deliver the higher data rate. However, much like Ethernet and Fast Ethernet, 802.11g products
can be combined with 802.11b products in the same network. Because 802.11g operates in the same
unlicensed band as 802.11b, it shares the same three channels, which can limit wireless capacity and
scalability.
So, which standard should an organization select? Each has its strengths. The greatest strength of the
802.11b standard is its widespread acceptance and broad product availability, although bandwidth is
limited. In comparison, the 802.11a standard has the capability to drive the high-bandwidth applications
that will characterize the future WLAN. 802.11a also supports more channels (non-overlapping
channels), making the RF deployment more flexible.
Fortunately, organizations do not need to choose between technologies when considering a WLAN
infrastructure. The Cisco Aironet 1200 Series gives wireless implementers the option of deploying both.
This wireless AP delivers:
Flexibility: The Cisco Aironet 1200 Series is dual-band, meaning that it can concurrently support
WLANs based on both the 5 GHz 802.11a and 2.4 GHz 802.11b standards.
Scalability and Investment Protection: The Cisco Aironet 1200 Series ensures that an
organization's wireless network remains backward and forward compatible, with the capability to
grow both in terms of users and deployed applications.
Ease-of-Use and Manageability: The Cisco Aironet 1200 Series is field upgradable. Organizations
can choose to deploy 2.4 GHz technology, 5 GHz technology, or a mixture of the two. The product
also integrates seamlessly with the robust Cisco security and management infrastructure.
The Cisco Aironet 1200 Series delivers a seamless migration path for WLANs. It allows organizations
to upgrade today to robust wireless technology, while ensuring that their investments remain usable and
valuable far into the future.
The 2.4 GHz band used by 802.11b and 802.11g offers just three non-overlapping channels, a shortcoming
that complicates deployments. With eight channels, 802.11a systems have an aggregate data rate of up
to 432 Mbps (54 Mbps multiplied by eight channels) in a given area. In contrast, 802.11b devices have
a maximum capacity of 33 Mbps (11 Mbps multiplied by three channels) in a given area. Therefore,
organizations with large WLANs may decide to opt for an 802.11a deployment, which provides far
greater performance on a per-cell basis.
Given the difference in operating frequencies, 802.11b and 802.11a can coexist within the same
environment, allowing users to move from one to another by switching clients, or by using a dual-band
client (which combines both radios in a single client). This approach becomes more flexible when
dual-band Cisco APs are used. An enterprise must conduct comprehensive site surveys for each technology to
guarantee adequate network coverage. Each frequency has different signal strength, interference, and
reflection characteristics, and each implementation must be optimized for different requirements.
For additional related information, please refer to the WLAN Data Rates Required section on
page 2-13.
Data rates affect cell size. Lower data rates (such as 1 Mbps) can extend further from the AP than can
higher data rates (such as 54 Mbps). This is illustrated in Figure 3-1. Hence the data rate (and power
level) affects cell coverage, and consequently the number of APs required.
In general, there are pools of coverage at each data rate. What is considered an acceptable data rate
ultimately depends upon how much bandwidth is required for the application you want to run at
a particular location. Be sure to survey users for the minimum data rate required.
Note
The Cisco Aironet Site Survey Utility surveys at a given data rate and does not rate shift.
APs offer clients multiple data rates for the wireless link. For 802.11b, the range is from 1 to 11 Mbps
in four increments (1, 2, 5.5 and 11 Mbps), while for 802.11a the range is 6 to 54 Mbps in eight
increments (6, 9, 12, 18, 24, 36, 48 and 54 Mbps). Because data rates affect range, selecting data rates
during the design stage is extremely important.
The client cards automatically switch to the fastest possible rate of the AP; how this is done varies from
vendor to vendor. Because each data rate has a unique cell of coverage (the higher the data rate, the
smaller the cell), the minimum data rate must be determined at the design stage. Cell sizes at given data
rates can be thought of as nested concentric circles. See Figure 3-1. Selecting only the highest data
rate requires a greater number of APs to cover a given area; therefore care must be taken to develop a
compromise between required aggregate data rate and overall system cost.
With the (dual band) Cisco AP 1200, careful design can yield an aggregate data rate of 64 Mbps (54
Mbps plus 11 Mbps) per AP with room to grow to 108 Mbps when 802.11g is available.
Figure 3-1 (nested cells of coverage at each data rate, 5 GHz / 40 mW; image not reproduced)
Throughput Considerations
Note
For related information, please refer to the Client Density and Throughput Requirements section on
page 2-16.
Data rate is often confused with aggregate data throughput. Throughput takes into
account the overhead associated with the protocol frame structure, collisions, and implementation
processing delays associated with frames processed by clients and APs. Protocol overhead includes
parameters such as RTS, CTS and ACK frames, beacon periods, backoff periods and propagation delays.
As a result, 10 Mbps Ethernet can be faster than 11 Mbps Wi-Fi. The overhead associated with the 802.11b standard
exceeds the overhead for 802.3 Ethernet, resulting in better throughput for 10 Mbps Ethernet than 11
Mbps Wi-Fi.
An important purchasing consideration for any networking technology is the amount of bandwidth, data
rate, or throughput, it provides to each network user, and how well that throughput can support the
applications running on the network.
For clarity, data rate means the amount of data able to be sent from one node on the wireless
network to another within a given timeframe. The difference between data rate and
throughput is the difference between the raw bits that travel from one node to another and the bits
representing the message content. This difference is determined by a number of factors, including the
latency inherent in the PHY components of the radio, the overhead and acknowledgement information
that accompany every transmission, and pauses between transmissions. A comparison table of the
wireless networks at hand and several wired benchmarks is shown in Table 3-1.
Table 3-1 Data rate versus average throughput
Technology        Data Rate    Average Throughput
802.11b           11 Mbps      5-to-7 Mbps
802.11a           54 Mbps      22-to-31 Mbps
802.11g (OFDM)    54 Mbps      TBD
802.11b offers an 11 Mbps data rate, which translates into approximately 5-to-7 Mbps of actual message
throughput (per AP). This amount is shared among all network users accessing it at the same time, and
is managed through a Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) technique
modeled on its wired Ethernet equivalent. As most network traffic is bursty, and only a few users are on
the network simultaneously, Wi-Fi network users generally experience very good connectivity speeds.
Using OFDM and 64-QAM (64-state quadrature amplitude modulation), 802.11a and 802.11g will provide similar data
rate levels. However, because 802.11g must be backward compatible with 802.11b, 802.11g incurs more
overhead associated with the header information of 802.11b. As a result, 802.11g might not achieve full
parity with the throughput possible with 802.11a.
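To make the data-rate-versus-throughput gap concrete, here is an added example (not from the Cisco document) that totals the airtime of the DIFS, backoff, preamble, data frame, SIFS and ACK components named above for a single 802.11b station, and compares the result with 10 Mbps Ethernet. It assumes an idle channel with no collisions, control frames at the 2 Mbps basic rate, a long preamble, and no propagation delay.

```python
# 802.11b DSSS timing constants from the IEEE 802.11b standard (long preamble).
SLOT_US = 20.0                      # slot time
SIFS_US = 10.0                      # short interframe space
DIFS_US = SIFS_US + 2 * SLOT_US     # 50 us
PREAMBLE_PLCP_US = 192.0            # 144 us long preamble + 48 us PLCP header, sent at 1 Mbps
CW_MIN = 31                         # initial contention window, in slots

# Frame sizes in bytes.
MAC_HEADER_BYTES = 24               # 802.11 data frame header
LLC_SNAP_BYTES = 8                  # LLC/SNAP encapsulation of the IP packet
FCS_BYTES = 4
ACK_BYTES = 14
RTS_BYTES = 20
CTS_BYTES = 14

# Assumptions of this example (not from the document): control frames are sent at the
# 2 Mbps basic rate, the channel is idle (no collisions, no other stations), the mean
# backoff is CW_MIN/2 slots, and propagation delay is ignored.
CONTROL_RATE_MBPS = 2.0


def frame_airtime_us(frame_bytes, rate_mbps):
    """Airtime of one PLCP frame: preamble/header plus the MPDU at the given rate."""
    return PREAMBLE_PLCP_US + frame_bytes * 8 / rate_mbps


def exchange_airtime_us(payload_bytes, data_rate_mbps, rts_cts=False):
    """Channel time consumed to deliver one IP packet of payload_bytes: DIFS, mean
    backoff, optional RTS/CTS handshake, the data frame, SIFS and the ACK."""
    mpdu = MAC_HEADER_BYTES + LLC_SNAP_BYTES + payload_bytes + FCS_BYTES
    t = DIFS_US + (CW_MIN / 2) * SLOT_US
    if rts_cts:
        t += frame_airtime_us(RTS_BYTES, CONTROL_RATE_MBPS) + SIFS_US
        t += frame_airtime_us(CTS_BYTES, CONTROL_RATE_MBPS) + SIFS_US
    t += frame_airtime_us(mpdu, data_rate_mbps)
    t += SIFS_US + frame_airtime_us(ACK_BYTES, CONTROL_RATE_MBPS)
    return t


def wifi_throughput_mbps(payload_bytes, data_rate_mbps=11.0, rts_cts=False):
    """Useful payload throughput (Mbps) for back-to-back packets of one size."""
    return payload_bytes * 8 / exchange_airtime_us(payload_bytes, data_rate_mbps, rts_cts)


def ethernet_throughput_mbps(payload_bytes, rate_mbps=10.0):
    """10 Mbps Ethernet for comparison: 8-byte preamble/SFD, 14-byte header, 4-byte FCS
    and a 12-byte (96 bit-time) interframe gap, with no collisions."""
    wire_bytes = 8 + 14 + payload_bytes + 4 + 12
    return payload_bytes * 8 / (wire_bytes * 8 / rate_mbps)


if __name__ == "__main__":
    for size in (64, 512, 1500):
        print(f"{size:5d}-byte payload: 802.11b @ 11 Mbps = "
              f"{wifi_throughput_mbps(size):.2f} Mbps, "
              f"with RTS/CTS = {wifi_throughput_mbps(size, rts_cts=True):.2f} Mbps, "
              f"10 Mbps Ethernet = {ethernet_throughput_mbps(size):.2f} Mbps")
```

For 1500-byte packets the model lands at about 6.2 Mbps, inside the 5-to-7 Mbps band in Table 3-1, while 10 Mbps Ethernet carries about 9.8 Mbps of the same payload; small frames and RTS/CTS push the 802.11b figure down further.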
With 802.11a, there is a maximum data rate of 54 Mbps which can support high-bandwidth applications
such as CAD-CAM, streaming video, and converged voice/video/data. 802.11a and 802.11b nodes also
share the bandwidth efficiently using CSMA/CA techniques. In 802.11b roughly 15-to-25 users can be
supported per AP (at 11 Mbps). With 802.11a, more users can be supported per AP (at 54 Mbps) as more
bandwidth is available. The smaller cell size makes an increase in users unlikely. The normal impact
would be an increase in bandwidth available per user.
802.11b can be used by implementers who have a large installed base of APs, are transaction intensive,
have many roaming users to other 802.11b APs, or are cost sensitive.
802.11a can be used by implementers who require the higher throughput for the applications listed
above, have a small installed base of 802.11b (as 802.11b and 802.11a are not compatible), or are
concerned about interference. Interference issues are discussed in detail in the next section.
Quality of Service (QoS) enhancements to the 802.11 MAC under development within 802.11e will
enhance the ability of 802.11b, 802.11a, and 802.11g to deliver new types of time-critical data, in
addition to their traditional data packets (QoS capabilities are typically associated with IP-based
telephony/voice implementations). The IEEE 802.11e Task Group recommendations will become
commonly available to both the 2.4 GHz and 5 GHz solutions simultaneously, and most subsequently
released 802.11 networks will then be able to support them. The higher bandwidth 802.11g and 802.11a
standards will support QoS more effectively than 802.11b, mainly because of higher bandwidth, but also
because more unlicensed spectrum will be available to 5 GHz radios. This allows 5 GHz networks to
allocate a certain number of networks to voice only, and others to data.
Performance Considerations
While unlicensed spectrum is very attractive (as there is no licensing fee to use it), implementers must
factor in the potential performance degradation associated with ambient interference. 802.11a operates
in unlicensed bands in exactly the same way as 802.11b and the earlier 900 MHz systems operate in
unlicensed bands. That is, there are no restrictions on the types of devices that operate in these bands,
provided that they all conform to a common set of rules. The 900 MHz portion of the spectrum was
initially used by WLANs and then, far more commonly, by cordless telephones. Although these devices
all complied with applicable regulations, they acted upon each other as interferers, mutually degrading
performance and usability. The WLAN industry essentially abandoned the 900 MHz band and migrated
to the 2.4 GHz band. Initially, the WLAN industry had this band to itself (with the exception of
microwave oven RF emissions). Eventually, however, the band became more crowded with an increasing
number of products, including Bluetooth devices and 2.4 GHz cordless telephones. The attractiveness of
the 2.4 GHz band to manufacturers (license-free operation on an international scale and the resulting
worldwide marketability of 2.4 GHz devices) leads to the central problem of the 2.4 GHz
band: overcrowding.
This in turn leads to a principal advantage of 802.11a: because it operates in the pristine 5 GHz band,
it is (as of now) immune to interference from other devices. 802.11a products themselves are relatively
few in number. Bluetooth operates in the 2.4 GHz band, and there are very few 5 GHz cordless telephones
available on the market. The point is that today the 5 GHz band is relatively clean, but there are no
restrictions on this band that do not apply equally to 900 MHz and 2.4 GHz. Over time, the 5 GHz band
might become equally crowded with interference-causing devices.
As the 2.4 GHz band is unlicensed, it is available for anyone to use, within limits of maximum Effective
Isotropic Radiated Power (EIRP). WLAN interference can come from a number of sources. The main
sources are as follows:
Microwave Ovens: The magnetron in household and commercial microwave ovens operates over
tens of megahertz in the 2.4-to-2.483 GHz band. While microwave ovens operate at about
700-to-1000 W, the maximum allowed radiated power (EIRP) for WLAN devices is between 0.1 and
4 W. WLAN equipment such as APs should not be located near microwave ovens.
Co-channel Interference: Interference can come from radios in adjacent cells on the same frequency.
Effective site surveying and WLAN cell planning should minimize the effect of this interference. As
WLANs become more prevalent, interference from sources outside enterprise control may become
more of an issue, such as in multiple-tenancy situations (shopping centers, apartment blocks, and the
like). Proper planning of the channel frequencies and careful layout of the APs can minimize the
interference.
Bluetooth: Bluetooth is a Wireless Personal Area Network technology sharing the same 2.4 GHz
spectrum as 802.11b. Bluetooth uses FHSS and is a shorter-range and lower-bandwidth technology
than 802.11b. FHSS systems use frequently changing, narrow bands over all channels. It is
important to manage the concurrent operation of 802.11b WLANs and Bluetooth within the
enterprise. Task Group 2 of the IEEE 802.15 Working Group is looking at the coexistence issues of
IEEE 802.11b WLANs and Bluetooth. Multiple companies have researched the issue and concluded
that if the two technologies are separated by two meters or more, there is no significant interference.
2.4 GHz Cordless Telephones: Some of the newer household and office cordless telephones
operate in the 2.4 GHz range (DSSS and FHSS). Depending on the conditions and the manufacturer,
degradation to the WLAN can vary from unnoticeable to a total loss of association between the
client and the AP. Interference from the WLAN can also impact the voice quality. Users are
encouraged to use 900 MHz cordless phones in instances where they must coexist with WLANs. If
this is not possible, separate the AP from the phone base station as far as possible and perform some
rudimentary degradation tests. Note that DSSS cordless phones are more likely to cause degradation
than FHSS types.
Shared Internet Access: Wireless local loop (WLL) and systems like Metricom Ricochet (again
coming back on the market) and T-Mobile also use the same band, so they can be a source of
interference. Interference can also come from other systems such as neighboring DSSS and FHSS
WLAN networks.
Range Considerations
Table 3-2 provides a comparison of the relative data rates and ranges associated with 802.11a and
802.11b WLANs. These are typical maximum ranges, but range varies (normally downward) depending
upon the environment. As more obstructions are encountered (such as a metallic building structure)
range is reduced.
Table 3-2 Typical maximum range (feet) by data rate
802.11b                          802.11a
Data Rate (Mbps)   Range (ft)    Data Rate (Mbps)   Range (ft)
1                  350           6                  170
2                  250           9                  140
5.5                180           12                 140
11                 150           18                 130
                                 24                 120
                                 36                 100
                                 48                 80
                                 54                 60
Figure 3-2 on page 3-8 illustrates the coverage area of an 802.11b AP at a maximum bit rate of 11 Mbps,
overlaid with 802.11a APs at a maximum bit rate of 54 Mbps. This comparison shows the impact of the
different ranges of 802.11b and 802.11a. Ten 802.11a APs are required to cover a similar area as the one
802.11b AP.
Coverage range alone is not the only story here. A comparison of the capacity of the 802.11a coverage
and 802.11b coverage shows the 802.11b capacity at 11 Mbps; while the capacity of the 802.11a solution
at 540 Mbps. This difference represents a potential gain of approximately 49 times.
In summary, more 802.11a APs are required to support a given area in comparison to 802.11b APs, but
the capacity of the 802.11a network is significantly greater.
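The nested-cell and capacity reasoning above (data rates as concentric cells, and more but smaller 802.11a cells yielding far more aggregate capacity) can be turned into a small planning calculator. This is an added example, not part of the Cisco document: the range table is Table 3-2, the channel counts are those stated in this chapter, and the hexagonal cell-packing model is an assumption of the example, so its AP counts will not match Figure 3-2 exactly.

```python
import math

# Typical indoor range in feet at each data rate, taken from Table 3-2 of the document.
RANGE_FT = {
    "802.11b": {1: 350, 2: 250, 5.5: 180, 11: 150},
    "802.11a": {6: 170, 9: 140, 12: 140, 18: 130, 24: 120, 36: 100, 48: 80, 54: 60},
}
# Non-overlapping channels per band, as stated in the document.
CHANNELS = {"802.11b": 3, "802.11a": 8}


def rate_at_distance(standard, distance_ft):
    """Highest data rate whose cell still reaches distance_ft from the AP (the nested
    concentric cells); None when the client is beyond the lowest-rate cell."""
    usable = [rate for rate, rng in RANGE_FT[standard].items() if rng >= distance_ft]
    return max(usable) if usable else None


def cell_area_sqft(radius_ft):
    """Area served by one AP in a hexagonal cell plan: the hexagon inscribed in the
    circle of the given radius. This packing model is an assumption of the example."""
    return 1.5 * math.sqrt(3) * radius_ft ** 2


def aps_required(standard, min_rate_mbps, area_sqft):
    """APs needed so that min_rate_mbps is available everywhere in an open area."""
    radius = RANGE_FT[standard][min_rate_mbps]
    return math.ceil(area_sqft / cell_area_sqft(radius))


def area_capacity_mbps(standard, min_rate_mbps, area_sqft):
    """Aggregate data rate of all the cells that cover the area at the chosen minimum rate."""
    return aps_required(standard, min_rate_mbps, area_sqft) * min_rate_mbps


def band_capacity_mbps(standard):
    """Aggregate data rate available in one spot: top rate times non-overlapping channels."""
    return max(RANGE_FT[standard]) * CHANNELS[standard]


if __name__ == "__main__":
    floor = 100_000  # constructed example: a 100,000 sq ft open floor
    for standard, rate in (("802.11b", 11), ("802.11a", 54)):
        print(f"{standard} at {rate} Mbps everywhere: {aps_required(standard, rate, floor)} APs, "
              f"{area_capacity_mbps(standard, rate, floor)} Mbps aggregate, "
              f"{band_capacity_mbps(standard)} Mbps per spot across channels")
    for d in (65, 140, 160, 400):
        print(f"{d} ft from the AP: 802.11a -> {rate_at_distance('802.11a', d)} Mbps, "
              f"802.11b -> {rate_at_distance('802.11b', d)} Mbps")
```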
Figure 3-2 (one 802.11b AP cell, 280' @ 11 Mbps, overlaid with 802.11a AP cells, 120' @ 54 Mbps; image not reproduced)
Signal Propagation
A 5 GHz wave is about half the length of a 2.4 GHz wave. These shorter waves tend to pass through
water rather than be captured by it. The human body is over 95 percent water. So, in areas with a high density
of people, such as a stock trading floor, devices like 802.11a WLANs that operate at 5 GHz may have
an advantage in signal propagation and resulting range over devices like 802.11b WLANs that
operate at 2.4 GHz. The relatively shorter 5 GHz wave that provides the advantage outlined above also
leads to a principal disadvantage of 802.11a relative to 802.11b: 5 GHz waves are more
vulnerable to absorption by building materials, such as drywall and concrete.
Antenna Considerations
Antenna options vary greatly for 5 GHz and 2.4 GHz devices. Currently, regulations mandate that
antennas must be integral to some 5 GHz transmitting devices. Therefore, vendors can only sell 802.11a
devices with antennas that are attached to, and not removable from, the device itself. On the other
hand, organizations can select from a wide variety of antenna options for 2.4 GHz devices. These
antennas may be attached to the transmitting device or can exist separately, attached via a cable. This
antenna placement can seriously impact system installation and range. For instance, with a 2.4 GHz
network, organizations have the option to securely locate APs out of sight and cable out to a remote
antenna. They also have the ability to house the device in a protective enclosure, which can prolong its
life. The antenna restrictions imposed upon 5 GHz devices remove these options. Therefore, installation
might be more complicated, overall range might be reduced, and implementation costs might be higher.
Most of the vendors are making products that can operate in UNII-1 and UNII-2 bands either separately
or simultaneously. When operating simultaneously, FCC regulations for fixed UNII-1 antennas apply to
such products.
Assuming equivalent environments, and holding transmitter power, antenna gain, and data rates constant, 2.4
GHz offers roughly double the range of 5 GHz. This is explained by the physics of radio wave
propagation, which dictates that, all other things being equal, a higher frequency signal will have a
reduced range compared to a lower frequency signal.
A 2.4 GHz wave is about double the length of a 5 GHz wave.
5 GHz waves are more vulnerable to absorption by building materials, such as drywall and concrete.
Regulations restrict the transmit power and antenna possibilities in the 5 GHz range.
With reduced range, companies may have to deploy a greater number of 802.11a-compliant APs to
cover a designated area, which can lead to higher hardware costs.
802.11b data rate versus range
Data Rate (Mbps)   Indoor Range (ft)   Outdoor Range (ft)
1                  350                 2000
11                 150                 800
Table 3-4 802.11a data rate versus range
Data Rate (Mbps)   Indoor Range (ft)   Outdoor Range (ft)
6.0                170                 1000
18.0               130                 600
54.0               60                  100
Figure 3-3 (2.4 GHz / 100 mW cell coverage, 350' @ 1 Mbps; image not reproduced)
802.11g will use the same band as 802.11b, so the same 802.11b regulations apply. The draft is still under
development and there is no product available. 802.11g will not have better range than 802.11b due
to higher Es/No requirements (associated with its inherently higher available data rates).
Organizations must weigh each factor when selecting a wireless technology. In some cases, sheer
performance and capacity favor the 802.11a standard implementation. In other cases, vendor support,
range and implementation advantages lead to a selection of 802.11b technology. The decision depends
on the organization's type of activity, mission, and plans for the future, while weighing cost and
function requirements.
These competing wireless standards leave many companies wondering which wireless technology to
embrace. The Cisco Aironet 1200 Series eliminates this concern. The dual-band design supports both
established and emerging wireless standards, letting companies implement WLANs without
compromise. With the Cisco Aironet 1200 Series, organizations are assured that they will have the right
technology both for today and far into the future.
Note
The Cisco Aironet WLAN portfolio is constantly changing. Please refer to the Cisco Product Catalog
for up-to-date information.
The different products can be seen on the Wireless Network Business Unit web site:
http://www.cisco.com/en/US/products/hw/wireless/index.htmll
Access Points
An access point (AP) is typically the center point in a wireless network and the connection point between
a wired and wireless network. Multiple APs can be placed throughout an area to provide freedom of
movement to users equipped with WLAN client adapters.
Cisco Aironet Series APs offer state-of-the-art features that are convenient in a variety of deployment
scenarios. Key features are:
100 mW 802.11b radio with configurable transmit power (1, 5, 20, 30, 50, and 100 mW).
40 mW 802.11a radio with configurable transmit power (40, 30, 20, 20, 10, 5 mW).
Supports inline power over Ethernet and standard power (a power injector module is supplied as
standard for cases where inline power is not available). Cisco APs currently use the Cisco Power
Discovery method (802.3af is not yet a standard). Cisco intends to support both modes.
Cisco 802.11a APs offer a unique 5 GHz articulating antenna incorporating high-gain,
omni-directional, diversity antennas and hemispherical patch antennas to deliver two distinct
coverage patterns depending on the antenna position.
802.11b diversity antenna options include either non-removable 2.2 dBi diversity dipoles (internal
antennas) or remote antenna connections via two RP-TNC connectors.
Diversity antennas for both the 2.4 GHz and 5 GHz radios ensure optimum performance in
high-multipath environments such as offices, warehouses, and other indoor installations.
World Mode: Enables clients to transparently roam to other countries with different channel
frequencies and transmit power regulations.
Because the medium is wireless, the security features in the Cisco Aironet Series APs provide support for
the latest 802.1x security standards. In addition, the inherent upgradability of the Cisco Aironet Series
APs facilitates adopting new wireless security standards as they become available (by upgrading the
firmware or radios).
Note
Please see the associated data sheets at http://www.cisco.com for specific product information.
Client Adapters
Client adapters connect a variety of devices to a WLAN. Based on Direct Sequence Spread Spectrum
(DSSS) technology and operating in the 2.4 GHz band, the Cisco Aironet 350 Series client adapters
comply with the IEEE 802.11b standard, ensuring interoperability with all other compliant WLAN
products. For 2.4 GHz 802.11b cards, two form factors are supported:
PCMCIA for Notebook PCs and PDAs: This is a standard PCMCIA product with an attached end-cap
antenna.
PCI for Desktop PCs: The PCI card has the standard Cisco Aironet RP-TNC connector and can be
used with all of the Cisco Aironet external antennas.
Note
The 802.11a CardBus card has greater antenna gain (5 dBi) than the 0 dBi gain of the 802.11b cards.
Workgroup Bridges
Workgroup bridges provide wired network connectivity to workgroups through a wireless network
connection to a central site. The Cisco Aironet 350 Series Workgroup Bridge supports up to eight
downstream devices, such as PCs, printers and notebook computers, through an Ethernet hub or
switch connected to its Ethernet port. This is a MAC address limitation, so the workgroup can be
extended beyond eight devices by placing a router between the workgroup bridge and the hub.
The workgroup bridge can peer wirelessly with either an AP or a wireless bridge. The workgroup bridge
to wireless bridge configuration is applicable to outdoor point-to-point campus connections. The
workgroup bridge to AP configuration is applicable to shorter range, multi-access solutions where the
AP may peer with other workgroup bridges and client adapters.
The various applications of workgroup bridges are illustrated in Figure 3-4 and Figure 3-5.
Figure 3-4 (workgroup bridge to access point: an Ethernet-enabled laptop behind a workgroup bridge connects wirelessly to an access point on a switch, the wired network backbone and the Internet; image not reproduced)
Figure 3-5 (remote workgroup: PCs, laptops, a point-of-sale register and a printer on a hub behind a workgroup bridge, linked wirelessly to an access point on a switch, with a server and PCs on the wired network backbone; image not reproduced)
Wireless Bridges
Wireless bridges (or simply bridges) are used to wirelessly connect two networks (usually in different
buildings). Refer to Figure 3-6. With appropriate selection of antennas and a clear line of sight, range can
extend up to 25 miles at 11 Mbps. It should be noted that only bridges have this extended range
capability. The extended range is achieved by operating outside the IEEE 802.11 timing specifications.
APs (conforming to 802.11b) are limited to a one-mile range to any client, irrespective of transmit
power, cable, and antenna combinations.
Cisco Aironet Bridges support a superset of AP functionality and can operate in either bridge or AP
mode depending upon the requirement.
Figure 3-6 (wireless bridge link between two networks; image not reproduced)
The goal of a WLAN LAN Extension network is for the WLAN access network to transparently provide
the same applications and services as the wired access network. Each WLAN LAN Extension discussion that
follows addresses the following types of transparency:
Security Transparency: Do the selected security capabilities seamlessly provide WLAN network
security equivalent to wired networks?
Performance Transparency: Does the WLAN deliver application performance that matches wired
network performance?
User Transparency: Are users of the WLAN forced to perform network-specific operations to use
the WLAN?
Security Transparency
An 802.1x/EAP implementation of WLAN LAN Extension operates at the link layer (Layer 2) to provide
authentication, authorization, accounting, and encryption. Figure 4-1 shows a schematic of the
802.1x/EAP WLAN.
The security level provided is beyond that provided on most wired networks, providing link layer
encryption and Authentication, Authorization, and Accounting (AAA) access control. This is provided
as follows:
Authentication occurs between the client and the authentication server. Several different EAP types
(EAP-Cisco, EAP-TLS, EAP-TTLS, PEAP) are supported, allowing the Enterprise to choose the
authentication type that best suits its needs.
Encryption is at the link layer between the WLAN client and the AP. The current encryption
mechanisms available are Wired Equivalent Privacy (WEP) and WEP plus TKIP and MIC. Future
mechanisms include Wi-Fi Protected Access (WPA) and Advanced Encryption Standard (AES). The
encryption keys are automatically derived during the authentication process.
Authorization is controlled by the VLAN membership in combination with the access controls
applied at the access router terminating the VLAN.
Accounting is provided by the RADIUS accounting communicated by the APs to the RADIUS
server.
Figure 4-1 (802.1x/EAP WLAN schematic: authentication, authorization, accounting and encryption between the client, the AP, the switch and the enterprise network; image not reproduced)
Application Transparency
As illustrated in Figure 4-1, the WLAN connects at the access layer. Once the WLAN client traffic leaves
the AP, it is the same as wired traffic, subject to the same access control, queuing, and routing. This
achieves the WLAN LAN Extension goal of supporting the same applications as the wired network. Any
inability to run applications from the wired network over the WLAN would be the result of
policies or the fundamental limitations of the WLAN, not of the 802.1x/EAP architecture.
Performance Transparency
A WLAN has a lower bit rate and a lower throughput than most Enterprise wired LANs. Therefore,
providing equivalent performance for all applications over the WLAN can be a challenge. The strategy
to minimize differences in application performance between the wired and wireless network is to utilize
the QoS tools available on the WLAN and the APs. Those applications identified as being sensitive to
network throughput and delay can be classified and scheduled as required. Load balancing and
admission control tools on the WLAN can optimize the usage of the available WLAN resources.
User Transparency
The different EAP types in 802.1x/EAP allow enterprises to choose an authentication mechanism that
best matches security requirements. This allows the integration of the 802.1x/EAP into existing user
behavior. Many organizations enforce stronger authentication mechanisms on WLAN networks
(compared to wired networks), due to reduced physical security in the WLAN. Authentication on the
wired network is expected to catch up with WLAN networks, with organizations using 802.1x/EAP
mechanisms to enhance wired network security.
Security Transparency
WLAN LAN Extension via IPSec provides AAA-equivalent features to 802.1x/EAP solutions. Refer to
Figure 4-2. Key elements are as follows:
Authentication occurs between the client and the VPN concentrator. Multiple authentication types
are supported within the IPSec framework.
Encryption is at the network layer using 3DES or AES, and is negotiated between the client and the
VPN concentrator.
In addition to the inherent WLAN LAN Extension IPSec security features associated with this
implementation, VPN capabilities provide additional AAA-related security capabilities:
Authorization is controlled by the VPN concentrator and is determined at the time of authentication.
Policy is provided by the authentication server.
Accounting is provided by RADIUS accounting software on both the VPN concentrator and the
authentication server.
Figure 4-2 (IPSec WLAN schematic: authentication, authorization, accounting and encryption between the client, the VPN concentrator and the enterprise network; image not reproduced)
Application Transparency
As can be seen in Figure 4-2, WLAN traffic is transported over an IPSec tunnel to the VPN concentrator.
This can affect application transparency:
Address Translation: The IPSec client performs a form of address translation between its local IP
address and the address allocated by the VPN concentrator. This can impact the operation of some
applications.
Performance Transparency
Providing equivalent performance for all applications over the WLAN can be a challenge, because a
WLAN has a lower bit rate and a lower throughput than most Enterprise wired LANs. The use of IPSec
VPN tunnels introduces some additional considerations:
MTU size: The MTU size of packets must be adjusted to incorporate the IPSec overhead.
Processing Overhead: Clients incur processing overhead from the IPSec VPN. However, this should
not be noticeable on most target platforms.
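The MTU adjustment above can be computed rather than guessed. The following is an added example, not from the Cisco document: it totals the ESP tunnel-mode overhead (RFC 2406) for the 3DES and AES ciphers named in this chapter and finds the largest inner packet that still fits a 1500-byte link MTU without post-encryption fragmentation. It assumes IPv4, CBC mode, an HMAC-SHA1-96 or HMAC-MD5-96 integrity check (12-byte ICV), and optionally NAT-T UDP encapsulation.

```python
# ESP tunnel-mode overhead in bytes (RFC 2406, IPv4). The cipher/ICV choices below are
# assumptions of this example, not settings taken from the document.
OUTER_IP_HEADER = 20
ESP_HEADER = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2           # pad length (1) + next header (1)
ICV_BYTES = 12            # HMAC-SHA1-96 / HMAC-MD5-96 authentication data
NAT_T_UDP_HEADER = 8      # only when NAT traversal (UDP encapsulation) is negotiated

# cipher -> (IV length, block size) in bytes for CBC mode
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}


def esp_padding(inner_len, cipher="aes"):
    """Pad bytes needed so that (inner packet + trailer) is a multiple of the block size."""
    _, block = CIPHERS[cipher]
    return (-(inner_len + ESP_TRAILER)) % block


def esp_packet_size(inner_len, cipher="aes", nat_t=False):
    """Size on the wire of an inner IP packet of inner_len bytes after ESP tunnel encapsulation."""
    iv, _ = CIPHERS[cipher]
    size = (OUTER_IP_HEADER + ESP_HEADER + iv
            + inner_len + esp_padding(inner_len, cipher) + ESP_TRAILER + ICV_BYTES)
    if nat_t:
        size += NAT_T_UDP_HEADER
    return size


def max_inner_mtu(outer_mtu=1500, cipher="aes", nat_t=False):
    """Largest inner packet that still fits in outer_mtu without fragmenting the outer packet.
    The overhead is bounded, so the downward search ends after a few steps."""
    inner = outer_mtu
    while esp_packet_size(inner, cipher, nat_t) > outer_mtu:
        inner -= 1
    return inner


def needs_fragmentation(inner_len, outer_mtu=1500, cipher="aes", nat_t=False):
    """True when a client still using inner_len-byte packets would be fragmented after ESP."""
    return esp_packet_size(inner_len, cipher, nat_t) > outer_mtu


if __name__ == "__main__":
    for cipher in ("3des", "aes"):
        for nat_t in (False, True):
            mtu = max_inner_mtu(1500, cipher, nat_t)
            print(f"{cipher.upper():4s} NAT-T={nat_t!s:5s}: client MTU <= {mtu} bytes "
                  f"(a 1500-byte inner packet becomes {esp_packet_size(1500, cipher, nat_t)} bytes)")
```

A client left at the default 1500-byte MTU produces 1560-byte outer packets with AES, so the VPN client MTU has to be lowered to the computed value or below; the block-size alignment is why the answer is not simply 1500 minus a fixed overhead.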
User Transparency
The Cisco IPSec VPN client has a number of features that aid user transparency, thereby providing
equivalent services to those available with 802.1x/EAP solutions:
Auto Initiation: The VPN client can be configured to launch automatically for particular address
ranges. In an enterprise, this would be configured to launch within the Enterprise WLAN address
ranges.
OS Integration: The VPN client can capture username and password information at login and use
these as part of the VPN client login. This is similar to the process used in EAP-Cisco. As an
alternative, the VPN client can use stored certificates associated with a specific user, similar to
EAP-TLS. These features, coupled with Auto Initiation, should provide a high level of user
transparency.
Figure 4-3 (static WEP WLAN schematic: encryption and authorization only, between the client, the switch and the enterprise network; image not reproduced)
Security Transparency
Security issues related to static WEP key implementations:
Weak authentication: Any hardware device with a matching configuration and WEP key may join the network. The static WEP key authenticates a group of devices, never individual users.
Encryption limitation: Encryption is at the link layer between the WLAN client and the AP. The encryption mechanisms currently available are WEP, and WEP plus TKIP and MIC. If possible, WEP plus TKIP and MIC should be used.
Accounting: Not available.
Application Transparency
As illustrated in Figure 4-3, the WLAN connects at the access layer. Once WLAN client traffic leaves the AP, it is the same as wired network traffic, subject to the same access control, queuing, and routing. WLAN static WEP solutions should be limited to the specialized applications that the static WEP client supports. The network would appear transparent to this application, but access to all other applications should be blocked.
Performance Transparency
To minimize differences in application performance between the wired and wireless network, utilize the
QoS tools available on the WLAN and the APs. Those applications identified as being sensitive to
network throughput and delay can be classified and scheduled as required. Load balancing and
admission control tools on the WLAN can optimize the usage of the available WLAN resources.
User Transparency
Static WEP requires no authentication and should be transparent to the supported applications and users.
The static WEP key only becomes an issue for the user if required to change it.
A WLAN can be looked at as another access technology in the overall network architecture. It integrates into the overall end-to-end Cisco AVVID architecture. In addition, Cisco's WLAN architecture integrates into Cisco's overall 802.1x / EAP Identity-Based Networking architecture.
Cisco's WLAN security provides the following benefits:
802.1x user authentication for networking devices. This model is also used for wired connectivity.
Enhancements beyond the basic security model defined in 802.11. This includes user-based
authentication, mutual-authentication, dynamic WEP-key rotation, and TKIP and MIC to prevent
WEP key spoofing and hacking.
These features combine to provide Cisco with the most flexible WLAN security offering in the industry,
allowing implementers to choose the architecture that best matches specific security requirements and
deployed equipment.
Figure 4-4 (figure; labels: Developer, Human resources, Teleworker, Guest or contractor, AP; VLAN 10 (PEAP_Authentication), VLAN 30 (EAP-Cisco_Authentication), VLAN 21 and VLAN 99 (authentication labels not recoverable))
In addition to VLANs having the flexibility to create multiple WLAN security domains for flexible
deployments, they also allow flexible migrations from older WLAN security to updated standards or
products. This is not only possible because of VLANs, but also because Cisco APs and Cisco Secure
ACS support simultaneous WLAN security such as EAP-Cisco, EAP-TLS, PEAP and EAP-Subscriber
Identity Module (EAP-SIM). In addition, Cisco Aironet 802.11 NICs support multiple types of WLAN
security, including EAP-Cisco and PEAP.
WEP does not define a mechanism for dynamic key management. This means that the WEP keys must be manually configured on each device, and if a device is lost or stolen, all devices must be revisited to update the WEP key.
WEP does not provide a mechanism for user-based authentication, only device-based. This means that network authentication is based on the physical device, which could be stolen or lost.
WEP does not define a mechanism to dynamically rotate the WEP keys. This means that if a WEP key is hacked or stolen, it can be used by a hacker to falsely authenticate with the network.
WEP does not prevent man-in-the-middle or bit-flipping attacks. This means that a hacker could intercept data between two users and manipulate the content of that data.
It has been demonstrated that a key can be derived by passively capturing and processing a sufficient number of WEP-encrypted packets.
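Two of the weaknesses listed above, keystream reuse and bit-flipping, can be reproduced on a toy model of a WEP frame. The following Python is an added example, not code from this guide or from Cisco: it implements RC4 keyed with IV||key and the CRC-32 ICV exactly as WEP does (the 802.11 header and key-id byte are left out), and the key, IV and frame contents are constructed for the demonstration. The bit-flip works because CRC-32 is affine over GF(2) and RC4 is a stream cipher, so the attacker can XOR a mask into the ciphertext and correct the encrypted ICV without knowing the key.

```python
"""Toy WEP frame model: RC4(IV||key) over plaintext||CRC-32.  Added example,
not Cisco code.  Key, IV and frames below are constructed test values."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the cipher WEP wraps around a per-frame key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV||key, plaintext || ICV)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + rc4(iv + wep_key, plaintext + icv(plaintext))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok); icv_ok is the only check a receiver makes."""
    iv, body = frame[:3], frame[3:]
    pt = rc4(iv + wep_key, body)
    data, tag = pt[:-4], pt[-4:]
    return data, tag == icv(data)


def recover_by_iv_reuse(known_frame: bytes, known_plaintext: bytes,
                        target_frame: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so C1 ^ C2 = P1 ^ P2:
    knowing P1 reveals P2 without the key."""
    assert known_frame[:3] == target_frame[:3], "IVs differ; keystreams differ"
    n = len(known_plaintext)
    keystream = bytes(c ^ p for c, p in zip(known_frame[3:3 + n], known_plaintext))
    return bytes(c ^ k for c, k in zip(target_frame[3:3 + n], keystream))


def bit_flip(frame: bytes, mask: bytes) -> bytes:
    """Flip the plaintext bits selected by `mask` without the key.
    crc(P ^ M) = crc(P) ^ crc(M) ^ crc(0^n), so XORing the ciphertext with
    M || (crc(M) ^ crc(0^n)) leaves a frame whose ICV still verifies."""
    n = len(mask)
    delta = (zlib.crc32(mask) ^ zlib.crc32(b"\x00" * n)) & 0xFFFFFFFF
    patch = mask + struct.pack("<I", delta)
    body = frame[3:]
    assert len(body) == len(patch), "mask must cover the whole data field"
    return frame[:3] + bytes(c ^ p for c, p in zip(body, patch))


def demo():
    key = b"\x01\x02\x03\x04\x05"        # constructed 40-bit static WEP key
    iv = b"\x0a\x0b\x0c"                 # constructed IV, reused for two frames
    p1 = b"PAY 0100 TO BOB"              # constructed frame contents
    p2 = b"PAY 0250 TO EVE"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    recovered = recover_by_iv_reuse(f1, p1, f2)     # p2 without the key
    mask = bytes(len(p1))
    mask = mask[:4] + b"\x09" + mask[5:]            # '0' ^ 0x09 == '9'
    forged = bit_flip(f1, mask)                      # "PAY 0100" -> "PAY 9100"
    data, ok = wep_decrypt(key, forged)
    return recovered, data, ok


if __name__ == "__main__":
    print(demo())
```

Note that the forged frame passes the receiver's ICV check; only a keyed integrity check such as the MIC mentioned below, not a CRC, closes this hole.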
To overcome these limitations, Cisco implemented WLAN security based on 802.1x and EAP
Authentication. 802.1x provides a Layer 2 authentication mechanism and carries the user authentication
that is passed with EAP. Refer to Figure 4-5.
Figure 4-5 WLAN Security based on 802.1x and EAP Authentication (figure; wireless side: 802.11, 802.1x, EAP, RADIUS; wired side: Ethernet, 802.1x, EAP, RADIUS; EAP_Authentication; Cisco Secure ACS 3.1; Guest or contractor)
While Cisco's APs and Cisco Secure ACS support multiple EAP authentication types (1), EAP-Cisco, EAP-TLS and PEAP are currently supported end-to-end when using Cisco Aironet or partner NICs. EAP-Cisco provides extensions to EAP for user-based authentication, mutual authentication and integration with Windows user databases. EAP-Cisco is supported on all Cisco WLAN products and is also licensed to several partners, including Apple and Symbol.
PEAP is an IETF draft proposed by Cisco, Microsoft and RSA (refer to http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-05.txt). PEAP provides a multi-vendor authentication mechanism with a superset of the functionality of EAP-Cisco. It works with multiple vendors' equipment as well as multiple types of user databases, including Microsoft, LDAP, OTP, RADIUS and NDS. EAP-TLS uses certificate-based authentication (refer to http://www.ietf.org/rfc/rfc2486.txt?number=2486). EAP-TLS is a multi-vendor authentication mechanism that authenticates with user and server certificates and integrates into an existing Public-Key Infrastructure (PKI).
Note
Not all OSs currently support 802.1x and EAP supplicants (clients). Support is currently available in Windows XP and will be made available via Service Packs on other Windows OSs. With this in mind, Cisco recommends using EAP-Cisco or PEAP as the security mechanism for headquarters/campus WLAN deployments.
Beyond overcoming the limitations of WEP, network administrators must also be concerned with three issues in WLAN deployments in the campus:
(1) EAP-SIM is also supported, but would not normally be used in Enterprise environments.
These questions are answered by using 802.1x authentication. 802.1x provides link-layer authentication of network devices, verified against a RADIUS server (Cisco Secure ACS).
Figure 4-6 presents a generalized illustration of an ACS-based environment.
802.1x is available on Cisco Catalyst Switches. It allows ports on the Catalyst Switches to determine
whether connected devices (such as PCs and IP phones) should gain access to the network based on their
user credentials. 802.1x is also used between WLAN clients and Aironet APs to pass user-authentication
information for EAP-Cisco. This use of 802.1x, EAP and RADIUS provides the integrated link-layer
authentication that is the foundation for Identity-Based Networking and Secure WLAN deployments.
Figure 4-6 (figure; Cisco ACS servers and a hierarchy of switches)
In addition to user authentication, 802.1x can be used as a mechanism to prevent rogue APs from being added to the network. Currently, Cisco Aironet APs do not support an 802.1x supplicant (802.1x client), but the expectation is that APs would be deployed at a ratio of one per 20 to 25 users. This means that the number of wired devices supporting 802.1x would be considerably greater than the number of APs deployed. With this in mind, 802.1x can be enabled on all Catalyst Switch ports except those connected to Cisco Aironet APs. A rogue AP plugged into any other port is then forced to authenticate via 802.1x; it has no supplicant, so authentication fails and the Catalyst Switch port blocks access to the network. Note that the exempt ports are not protected by this mechanism, so physical access to them still needs to be controlled. Refer to Figure 4-7.
Figure 4-7 (figure; Authorized AP on a switch port; Rogue AP locked out after failed authentication)
Finally, by combining the VLAN functionality and 802.1x authentication on the Cisco Catalyst Switches and Aironet APs, guest access can be provided to non-authorized users and devices. Some Catalyst Switches support only allow and deny, while others support allow, deny, guest, and VLAN selection based on the 802.1x authentication result. The ability to change the VLAN of the switch port allows network administrators to designate certain VLANs for guest access (refer to Figure 4-8). This guest access can then be further filtered or firewalled to allow only Internet or other restricted network access to the specific users. Refer to Chapter 10, WLAN Guest Network Access, for more information about guest access WLANs.
Figure 4-8 Providing Guest Access using VLANs and 802.1x on Cisco Catalyst Switches and APs (figure; labels: Developer on Engineering_VLAN (VLAN 10), Human resources on HR_VLAN (VLAN 30), Guest or contractor on Contractor_VLAN (VLAN 21))
Figure 4-9 (figure; labels: Headquarters, Branch office, IP Telephony/services, Core Backbone, V3PN-SP, T1)
The one additional consideration for the branch office implementation is determining whether the Cisco
ACS servers should be deployed only at the central site or at remote sites. This determination should be
made according to the WAN bandwidth (possibly affecting authentication response times), size of
deployment (possibly affecting the scalability of branch offices and branch users with respect to a central
ACS), and the administrative capabilities at the branch office.
VLANs allow multiple types of WLAN security to be deployed over a Cisco AVVID infrastructure.
802.1x, EAP-Cisco/PEAP and WEP plus TKIP and MIC combine to provide a secure environment
for WLAN deployment with the foundation for moving to updated standards as they become
available.
In addition to the recommendations for the headquarters campus and branch deployments discussed
here, several other Cisco technologies can be used to enhance WLAN security. These include IPSec
VPNs, firewalls, and intrusion detection systems (IDS). Refer to Figure 4-10.
Figure 4-10 Enhancing WLAN Security with IPSec VPNs, Firewalls and IDS (figure; labels: Secured corporate network, Corporate network, WEP_Authentication, Open_Authentication VLAN 99)
The Cisco SAFE architecture defines how VPNs, firewalls and IDS should be deployed for both wired
and wireless networks. Refer to:
http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html
IPSec VPNs offer an enhancement for administrators who cannot obtain sufficient native security from the WLAN itself (for example, where only open authentication or static WEP is available). This might involve PC users launching the Cisco Secure VPN Client, or having all traffic from a VLAN placed into an IPSec VPN that is then routed outside the corporate firewall or to a specific internal server application.
The first issue is a good reason to replicate the ACS database to a secondary server, allowing for failover and maintenance. This redundancy configuration should be implemented in almost all cases.
The second issue is the case in which it is critical to use the local WLAN even in the event of a network failure preventing access to a remote ACS server. Whether this second use of replication is implemented depends on the application architecture of the enterprise. For example, if the applications the users want to reach are also remote, little is gained by being able to use the WLAN.
Example Architecture
Figure 4-11 shows an example of what ACS architecture might look like. Campus A holds the
authoritative ACS database server. This server is replicated to the other Enterprise ACS servers. APs
communicate to the two local ACS servers.
Campus B, because of its size and distance from Campus A, has opted for another two ACS servers (thus providing its own backup). Campus C, being smaller and closer to Campus A, has opted to have only one server and relies on Campus A for backup. The branch offices use the ACS servers that are the shortest network distance from them.
Figure 4-11 (figure; Campus A with two ACS servers, Campus B with two ACS servers, Campus C with one ACS server, Branch Offices; Replication between ACS servers; AP-ACS Communication)
Chapter 5
VLAN Background
VLANs define broadcast domains in a Layer-2 network. Legacy networks use routers to define broadcast
domain boundaries. Layer-2 switches create broadcast domains based on the configuration of the switch.
Switches are multi-port bridges that allow the creation of multiple broadcast domains. Each broadcast
domain is a distinct virtual bridge within a switch.
VLANs have the same attributes as physical LANs with the additional capability to group end stations
physically to the same LAN segment regardless of the end stations geographical location. Figure 5-1
shows an example of three wired VLANs in logically defined networks.
Figure 5-1 (figure; Engineering, HR and Marketing VLANs spanning Floors 1 to 3 across Switch 1, Switch 2 and Switch 3, connected by 802.1Q trunks to a Router)
Single or multiple virtual bridges can be defined within a switch. Each virtual bridge created in the
switch defines a new broadcast domain (VLAN). Switch interfaces assigned to VLANs manually are
referred to as interface-based or static membership-based VLANs. This type of VLAN is often
associated with IP subnetworks. For example, when all of the end stations in a particular IP subnet
belong to the same VLAN, traffic cannot pass directly to another VLAN (between broadcast domains)
within the switch or between two switches. Traffic between VLANs must be routed.
To interconnect two different VLANs, routers are used. These routers execute inter-VLAN routing or
routing of traffic between VLANs. Broadcast traffic is then terminated and isolated by these Layer-3
devices (a router or Layer-3 Switch will not route broadcast traffic from one VLAN to another).
The two most common VLAN trunking protocols used on Cisco switches and routers are Inter-Switch
Link (ISL) and IEEE 802.1Q. ISL (Cisco-proprietary protocol) and 802.1Q (IEEE standard) are
encapsulation standards used to interconnect multiple switches and routers via trunking. For more
information on these VLAN trunking protocols, please refer to the following URL:
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:Trunking
(figure; AP_1A, AP_1B, AP_2A and AP_2B each carrying SSID=Employee on VLAN 15 and SSID=Guest on VLAN 20, connected to the Enterprise network)
With VxWorks firmware release 12.00T or Cisco IOS firmware release 12.2.4-JA, an 802.1Q trunk can
be terminated on an AP (AP 1200, AP 1100, AP 350, and AP 340) or on a bridge (BR 350), allowing
access up to 16 wired VLANs. A unique Service Set Identifier (SSID) defines a wireless VLAN on the
AP and the bridge. Each SSID is mapped to a VLAN-id on the wired side (default SSID-to-VLAN-id
mapping).
Additionally, with WLANs, a per-VLAN security policy can be defined on the AP and on the bridge by
the IT administrator. Refer to the Configuration Parameters per VLAN section on page 5-6 for
additional information regarding per-VLAN security configuration.
Note
For related information regarding spanning-tree design and implementation considerations please refer
to the Cisco AVVID Network InfrastructureImplementing 802.1w and 802.1s in Campus Networks
SRND.
Figure 5-3 (figure; AP_1 and AP_2 on 802.1Q trunks with Native VLAN=10 as the Management VLAN; SSIDs Full-Time, Part-Time, Maintenance and Guest; Enterprise network; RADIUS server)
In the indoor WLAN deployment scenario shown in Figure 5-3, four wireless VLANs are provisioned
across the campus to provide WLAN access to full-time employees (segmented into Engineering,
Marketing, and Human Resources user groups) and guests. Also, as shown in Table 5-1, each wireless
VLAN is configured with an appropriate security policy and mapped to a wired VLAN. An IT
administrator enforces the appropriate security policies within the wired network for these four different
user groups.
Table 5-1
SSID        | VLAN-id | Security Policy
Engineering | 14      |
Marketing   | 24      |
HR          | 34      |
Guest       | 44      | Open/no WEP
An outdoor WLAN deployment scenario is shown in Figure 5-4. In this example, wireless trunking is
used to connect the root bridge to the non-root bridges. The root and non-root bridges terminate the
802.1Q trunk and participate in the spanning-tree protocol (STP) process of bridging networks together.
Note
For related information regarding spanning-tree design and implementation considerations please refer
to the Cisco AVVID Network InfrastructureImplementing 802.1w and 802.1s in Campus Networks
SRND.
Figure 5-4 (figure; Bridge_1 (Root) connected over 802.1Q trunks to Bridge_2 (non-Root) and Bridge_3 (non-Root); Switch_1 and Switch_2 on 802.1Q trunks; VLAN 11, VLAN 12 and VLAN 14; SSID=VLAN_14)
Maximum Number of Associations: Ability to limit the maximum number of WLAN clients per SSID.
Encryption Key: The key used for broadcast/multicast traffic segmentation per VLAN. It is also used for static WEP clients (for both unicast and multicast traffic). The IT administrator must define a unique encryption key per VLAN. This is discussed in more detail in the Broadcast Domain Segmentation section on page 5-7.
Enhanced Message Integrity Check (MIC) Verification for WEP: Enables MIC per VLAN.
Temporal Key Integrity Protocol (TKIP): Enables per-packet key hashing per VLAN.
WEP (Broadcast) Key Rotation Interval: Enables broadcast WEP key rotation per VLAN. This is only supported for wireless VLANs with 802.1x protocols enabled (such as EAP-Cisco, EAP-TLS, PEAP, EAP-SIM, and the like).
Default Policy Group: Applies a policy group (set of Layer-2, -3, and -4 filters) per VLAN. Each filter (within a policy group) is configurable to allow or deny certain types of traffic.
With an encryption key configured, the VLAN supports standardized WEP. The Cisco TKIP/MIC/Broadcast Key rotation features are optionally configurable as noted above. Table 5-2 lists the SSID and VLAN-ID configuration parameters.
Table 5-2 (parameter descriptions not recoverable)
Parameter             | Description
SSID parameter: Authentication Types |
VLAN-ID parameter: TKIP/MIC |
VLAN-ID parameter: Policy Group |
In the above scenarios, Cisco recommends configuring an Infrastructure SSID per AP or bridge.
Figure 5-5 illustrates the combined deployment of infrastructure devices (such as workgroup bridges,
non-root bridges, and repeaters) along with non-infrastructure devices (such as WLAN clients) in an
Enterprise WLAN. The native VLAN of the AP is mapped to the Infrastructure SSID. WEP encryption
along with TKIP (at least per-packet key hashing) should be enabled for the Infrastructure SSID.
Configuration of a secondary SSID as the Infrastructure SSID is also recommended. The concepts of
primary and secondary SSIDs are explained in the next section.
Figure 5-5 (figure; Branch office Bridge (non-Root) to Bridge (Root) and Root AP, all on 802.1Q trunks with native VLAN=10; Infrastructure SSID: VLAN-id 10; WGB/repeater using SSID=infrastructure; SSID=Employee and SSID=Guest; Management VLAN; Enterprise network; RADIUS server)
RADIUS-based SSID Access ControlUpon successful 802.1x or MAC address authentication, the
RADIUS server passes back the allowed SSID-list for the WLAN user to the AP or bridge. If the
user used an SSID on the allowed SSID-list, then the user is allowed to associate to the WLAN.
Otherwise, the user is disassociated from the AP or bridge.
Figure 5-6 illustrates both RADIUS-based VLAN access control methods. Both Engineering and
Marketing VLANs are configured to allow only 802.1x authentication (such as EAP-Cisco, EAP-TLS
or PEAP). As shown in Figure 5-6, when John uses the Engineering SSID to gain access to the WLAN,
the RADIUS server maps John to VLAN-ID 24. This might or might not be the default VLAN-ID
mapping for the Engineering SSID. Using this method, a user is mapped to a fixed wired VLAN
throughout an Enterprise network.
Figure 5-6 also illustrates RADIUS-based SSID access control. David uses the Marketing SSID to gain access to the WLAN. However, the permitted SSID-list sent back by the RADIUS server indicates that David is allowed access only to the Engineering SSID. Upon receipt of this information, the AP disassociates David from the WLAN. Using this method, a user is given access only to one or more pre-determined SSIDs throughout an Enterprise network.
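The two RADIUS-based controls described above (VLAN assignment and SSID access control) can be followed in code. The Python below is an added example, not Cisco's ACS or AP code: the server side builds an Access-Accept carrying the RFC 2868 Tunnel-Type (VLAN), Tunnel-Medium-Type (IEEE-802) and Tunnel-Private-Group-ID attributes plus the permitted SSID list, and the AP side verifies the RADIUS Response Authenticator (MD5 over the packet and shared secret, RFC 2865) before applying either decision. The Cisco-AVPair "ssid=..." encoding of the permitted SSID list, the shared secret, the user records and the packet identifier are assumptions constructed for the demonstration.

```python
"""Model of the RADIUS side of Figure 5-6.  Added example, not Cisco code.
Attribute numbers follow RFC 2865/2868; the Cisco-AVPair "ssid=" form for the
allowed-SSID list is assumed.  Users, secret and identifiers are constructed."""
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

# Constructed user records: wired VLAN-id and permitted SSIDs per user.
USERS = {
    "john": {"vlan": 24, "ssids": ["Engineering"]},
    "david": {"vlan": 26, "ssids": ["Engineering"]},
}


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(value: int, tag: int = 1) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 24-bit value."""
    return struct.pack("!B", tag) + struct.pack("!I", value)[1:]


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) with Cisco vendor-id 9 and VSA type 1 (assumed form)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_respond(user: str, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """ACS side: after EAP succeeds, return the VLAN and permitted SSIDs."""
    record = USERS.get(user)
    code = ACCESS_ACCEPT if record else ACCESS_REJECT
    attrs = b""
    if record:
        attrs = (attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
                 + attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802))
                 + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + str(record["vlan"]).encode()))
        for ssid in record["ssids"]:
            attrs += cisco_avpair("ssid=" + ssid)
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def parse_attrs(attrs: bytes):
    out = []
    while attrs:
        atype, alen = attrs[0], attrs[1]
        out.append((atype, attrs[2:alen]))
        attrs = attrs[alen:]
    return out


def ap_decide(packet, ident, request_auth, secret, ssid_in_use, default_vlan):
    """AP side: authenticate the reply, then apply RADIUS-based VLAN
    assignment and RADIUS-based SSID access control."""
    code, pid, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = response_authenticator(code, pid, attrs, request_auth, secret)
    if pid != ident or packet[4:20] != expected:
        return {"accept": False, "reason": "bad authenticator"}
    if code != ACCESS_ACCEPT:
        return {"accept": False, "reason": "rejected"}
    vlan, allowed = default_vlan, []
    for atype, value in parse_attrs(attrs):
        if atype == TUNNEL_PRIVATE_GROUP_ID:          # overrides the SSID default
            group = value[1:] if value[0] <= 0x1F else value
            vlan = int(group.decode())
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            text = value[6:4 + value[5]].decode()
            if text.startswith("ssid="):
                allowed.append(text[5:])
    if allowed and ssid_in_use not in allowed:         # AP disassociates the user
        return {"accept": False, "reason": "SSID not permitted", "vlan": vlan, "allowed": allowed}
    return {"accept": True, "vlan": vlan, "allowed": allowed}


def run(user, ssid_in_use, secret=b"constructed-shared-secret", tamper=False):
    ident = 7                               # constructed packet identifier
    request_auth = bytes(range(16))         # constructed Request Authenticator
    packet = server_respond(user, ident, request_auth, secret)
    if tamper:                              # corrupt the last attribute byte en route
        packet = packet[:-1] + bytes([packet[-1] ^ 0x01])
    return ap_decide(packet, ident, request_auth, secret, ssid_in_use, default_vlan=14)


if __name__ == "__main__":
    print(run("john", "Engineering"), run("david", "Marketing"))
```

The default VLAN passed to `ap_decide` stands for the SSID-to-VLAN-id mapping configured on the AP; the Tunnel-Private-Group-ID, when present and authenticated, replaces it. Without the authenticator check, anyone who can inject a UDP reply toward the AP could hand out VLANs and SSID lists, which is why the shared secret must be strong and the AP-to-ACS path kept on the management VLAN.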
Figure 5-6 (figure; AP/bridge with SSID=Engineering, SSID=Marketing and SSID=Guest on an 802.1Q trunk to the Enterprise network, Management VLAN and RADIUS server; exchanges: EAP-Request (user-id: John) / EAP-Success (user-id: John, VLAN-id=24); EAP-Request (user-id: David) / EAP-Success (user-id: David, SSID=Engineering))
Criteria for Wireless VLAN Deployment, page 5-10Details selection criteria for wireless VLAN
deployment.
Summary of Rules for Wireless VLAN Deployment, page 5-13Provides best-practices to use on
the wired infrastructure when deploying wireless VLANs.
Common applications used by all WLAN users. The IT administrator should define:
Wired network resources (such as servers) commonly accessed by WLAN users
Quality of Service (QoS) level needed by each application (such as default class of service
Common devices used to access the WLAN. The IT administrator should define:
Security mechanisms (static WEP, MAC authentication, EAP authentication such as EAP-Cisco, EAP-TLS or PEAP, VPN, and the like) supported by each device type
Wired network resources (such as servers) commonly accessed by WLAN device groups
QoS level needed by each device group (such as default CoS or Voice CoS)
After the wireless VLAN deployment criteria are defined, the deployment strategy must be determined. Two standard deployment strategies are:
Use of policy groups (sets of filters) to map wired policies to the wireless side.
Use of 802.1x to control user access to VLANs using either RADIUS-based VLAN assignment or RADIUS-based SSID access control.
Three different user groups are commonly present across Company XYZ: full-time employees, contract employees, and guests.
Full-time and contract employees use company-supplied PCs to access the wireless network. These PCs are capable of supporting 802.1x authentication methods for accessing the WLAN.
Full-time employees need full access to the wired network resources. The IT department has implemented application-level privileges for each user via Microsoft Windows NT or Active Directory (AD) mechanisms.
Part-time employees are not allowed access to certain wired resources (such as human resource servers and data storage servers). Furthermore, the IT department has implemented application-level privileges for part-time employees (using Microsoft Windows NT or AD mechanisms).
Guest users need access to the Internet to launch a VPN tunnel back to their company headquarters.
Maintenance personnel (electrical, facilities, and others) use specialized handheld devices that support static 40- or 128-bit encryption to access trouble ticket information via an application server VLAN.
For the Full-Time and Part-Time VLANs, implement 802.1x with dynamic WEP along with TKIP for WLAN access. Tie the user login on the RADIUS server to the Microsoft back-end user database to enable single sign-on for WLAN users.
Implement RADIUS-based SSID access control for both Full-Time and Part-Time employees. This is recommended to prevent part-time employees from VLAN hopping (trying to access the WLAN using the Full-Time VLAN).
Note
In this deployment scenario, VLANs are localized per building with user group mapping to
wired VLAN-IDs different for each building. In order to enable users to access the WLAN from
anywhere on campus, SSID access control is recommended rather than fixed VLAN-ID
assignments.
Step 2
Create a Guest VLAN. Implement Open/No WEP access with a Broadcast SSID by using the primary
SSID for the Guest VLAN. Enforce policies on the wired network side to force all Guest VLAN access
to an Internet gateway and deny access into the corporate network.
Step 3
Create a Maintenance VLAN. Implement Open/with WEP plus MAC authentication for this VLAN.
Enforce policies on the wired infrastructure to only allow access to the maintenance server on the
application servers VLAN.
Figure 5-7 illustrates this sample WLAN deployment scenario. Table 5-3 lists the configuration details
for Figure 5-7 VLANs.
Figure 5-7 (figure; AP_1 and AP_2 on 802.1Q trunks with Native VLAN=10 as the Management VLAN; SSIDs Engineering, Marketing, HR and Guest; Enterprise network; RADIUS server)
Table 5-3
SSID        | VLAN-id | Security Policy                          | RADIUS-based VLAN Access Control
Full-Time   | 16      | 802.1x with dynamic WEP and TKIP         |
Part-Time   | 26      | 802.1x with dynamic WEP and TKIP         |
Maintenance | 36      | Open with WEP plus MAC authentication    | No
Guest       | 46      | Open/no WEP                              | No
802.1Q VLAN trunking (hybrid mode only) is supported between the switch and the AP or bridge.
A maximum of 16 VLANs per ESS is supported, with each wireless VLAN represented by a unique SSID name.
TKIP, MIC, and broadcast key rotation can be enabled per VLAN.
Open, Shared-Key, MAC, network-EAP (EAP-Cisco), and EAP authentication types are supported per SSID.
Shared-Key authentication is supported only on the SSID mapped to the native VLAN (most likely the Infrastructure SSID).
One unique policy group (set of Layer-2, Layer-3, and Layer-4 filters) is allowed per VLAN.
Each SSID is mapped to a default wired VLAN; this default SSID-to-VLAN-ID mapping can be overridden via RADIUS-based VLAN access control.
RADIUS-based VLAN-ID assignment per user is supported.
RADIUS-based SSID access control per user is supported.
A CoS mapping per VLAN with eight priority levels is supported.
All APs and bridges in the same ESS must use the same native VLAN-ID to allow IAPP communication between APs and bridges.
All WLAN security policies should be mapped to the wired LAN security policies on the switches and routers.
Limit broadcast/multicast traffic to the AP and bridge by enabling VLAN filtering and Internet Group Management Protocol (IGMP) snooping on the switch ports. On the 802.1Q trunks to the AP and bridge, filter to allow only the VLANs active in the ESS. Enabling IGMP snooping prevents the switch from flooding all switch ports with Layer-3 multicast traffic.
Map wireless security policies to the wired infrastructure with Access Control Lists (ACLs) and other mechanisms.
The AP does not support the VLAN Trunking Protocol (VTP) or the GARP VLAN Registration Protocol (GVRP) for dynamic management of VLANs, because the AP acts as a stub node. The IT administrator must use the wired infrastructure to maintain and manage the wired VLANs.
Enforce security policies via Layer-3 ACLs on the Guest and Management VLANs (recommended). The IT administrator might implement ACLs on the wired infrastructure to force all Guest
The IT administrator should restrict user access to the native/default VLAN of the APs and bridges with the use of Layer-3 ACLs and policies on the wired infrastructure. Example: traffic to APs and bridges via the native/default VLAN is only allowed to and from the management VLAN where all the management servers reside, including the RADIUS server.
Note
Chapter 6
QoS Overview
Quality of Service (QoS) refers to the capability of a network to provide better service to selected
network traffic over various network technologies. QoS technologies provide the building blocks for
business multimedia and voice applications used in campus, WAN, and service provider networks. QoS
allows network managers to establish service level agreements (SLAs) with network users.
QoS enables network resources to be shared more efficiently and expedites the handling of
mission-critical applications. QoS manages time-sensitive multimedia and voice application traffic to
ensure that this traffic receives higher priority, greater bandwidth and less delay than best effort data
traffic. With QoS, bandwidth can be managed more efficiently across LANs and WANs.
QoS provides enhanced and predictable network service by:
(figure; AP1100 and AP1200 providing EDCF-based QoS, Cisco CallManager, Enterprise Network, Streaming Video, VoIP phone. Caption: AP provides EDCF-based mechanisms for downstream wireless QoS, based upon handset registration, CoS, or DSCP)
QoS Parameters
QoS is defined as the measure of performance for a transmission system that reflects its transmission
quality and service availability. Service availability is a crucial foundational element of QoS. Before
QoS can be successfully implemented, the network infrastructure must be highly available. The network
transmission quality is determined by the following factors:
Latency
Latency (or delay) is the amount of time it takes a packet to reach the receiving endpoint after being
transmitted from the sending endpoint. This time period is termed the end-to-end delay and can be
broken into two areas: fixed network delay and variable network delay.
Fixed network delay includes encoding/decoding time (for voice and video), as well as the finite amount
of time required for the electrical/optical pulses to traverse the media en route to their destination.
Variable network delay generally refers to network conditions, such as congestion, that may affect the
overall time required for transit.
Jitter
Jitter (or delay-variance) is the difference in the end-to-end latency between packets. For example, if one
packet required 100 msec to traverse the network from the source-endpoint to the destination-endpoint
and the following packet required 125 msec to make the same trip, then the jitter is calculated as 25 msec.
Loss
Loss (or packet loss) is a comparative measure of packets faithfully transmitted and received to the total
number that were transmitted. Loss is expressed as the percentage of packets that were dropped.
(figure; Radio Downstream, Ethernet Downstream, Radio Upstream and Ethernet Upstream between the Network, the AP and the WLAN clients)
Radio Downstream QoS refers to the traffic leaving the AP and traveling to the WLAN clients.
Radio Downstream QoS is the primary focus of this deployment guide.
Radio Upstream QoS refers to traffic leaving the WLAN clients and traveling to the AP. No vendor
support is currently available for radio upstream QoS features for WLAN clients. This support is
specified in the 802.11e draft, but has not yet been implemented.
Ethernet Downstream refers to traffic leaving the switch/router traveling to the AP. QoS may be
applied at this point to prioritize and rate limit traffic to the AP. Configuration of Ethernet
downstream QoS is not discussed in this design guide.
Ethernet Upstream refers to traffic leaving the AP traveling to the switch. The AP classifies traffic
from the AP to the upstream network according to the traffic classification.
802.11 DCF
Data frames in 802.11 are sent using the Distributed Coordination Function (DCF). The DCF is
composed of two main components:
DCF is used in 802.11 networks to manage access to the RF medium. A baseline understanding of DCF
is necessary in order to deploy 802.11e based EDCF. Please read the IEEE 802.11 specification for more
information on DCF.
6-4
956608
Chapter 6
Figure 6-3
DIFS
DIFS
PIFS
Contention window
SIFS
Busy medium
Backoff window
Next frame
(t)
Defer access
91228
Slot time
SIFS
Important frames such as acknowledgments wait the SIFS before transmitting. There is no random
backoff when using the SIFS, as frames using the SIFS are used in instances where multiple stations
would not be trying to send frames at the same time. The SIFS provides a short and deterministic delay
for packets that must go through as soon as possible. The SIFS is not available for use by data frames.
Only 802.11 management and control frames use SIFS.
PIFS
An optional portion of the 802.11 standard defines priority mechanisms for traffic that uses PIFS. There
is no random backoff mechanism associated with PIFS, as it relies upon a polling mechanism to control
which station is transmitting. The option is not widely adopted due to the associated overhead and lack
of flexibility in its application.
DIFS
Data frames wait the DIFS before beginning the random backoff procedure that is part of the Distributed
Coordination Function (DCF). This longer wait ensures that traffic using the SIFS or PIFS timing always
gets an opportunity to send before any traffic using the DIFS attempts to send.
2. Generate a random backoff number between 0 and a minimum Contention Window (CWmin).
3. If the channel is still free, begin decrementing the random backoff number for every slot time (20
µs) the channel remains free.
4. If the channel becomes busy (another station got to 0 before your station), decrementing stops and
steps 2 through 4 are repeated.
5. If the channel remains free until the random backoff number reaches 0, the frame may be sent.
Figure 6-4 [DCF example with Stations A to E: each station waits the DIFS and then counts down its backoff time; a station defers while another station's frame is on the air]
Figure 6-4 shows a simplified example of how the DCF process works. In this simplified DCF process,
no acknowledgements are shown and no fragmentation occurs.
DCF steps illustrated in Figure 6-4 work as follows:
1. Station A successfully sends a frame, and three other stations also wish to send frames but must
defer to Station A's traffic.
2. Once Station A completes transmission, all the stations must still defer for the DIFS. Once the DIFS
is complete, stations wishing to send a frame can begin decrementing their backoff counter, once
every slot time, and may send their frame.
3. Station B's backoff counter reaches zero before Stations C and D, and therefore Station B begins
transmitting its frame.
4. Once Stations C and D detect that Station B is transmitting, they must stop decrementing their
backoff counters and again defer until the frame is transmitted and a DIFS has passed.
5. During the time that Station B is transmitting a frame, Station E gets a frame to transmit, but as
Station B is sending a frame it must defer in the same manner as Stations C and D.
6. Once Station B completes transmission and the DIFS has passed, stations with frames to send begin
decrementing their backoff counters again. In this case, Station D's backoff counter reaches zero
first and it begins transmission of its frame.
7.
aCWmin and aCWmax
The random number used in the random backoff is initially a number between 0 and aCWmin. If the
initial random backoff expires without successfully sending the frame, the station or AP increments the
retry counter and doubles the random backoff window size. This doubling in size continues until
the size equals aCWmax. The retries continue until the maximum retries or Time To Live (TTL) is
reached. This process of doubling the backoff window is often referred to as a binary exponential
backoff, and is illustrated in Figure 6-5.
Figure 6-5 [binary exponential backoff: the contention window grows with each retry from aCWmin (31) through 63, 127 and 255 to aCWmax (511)]
IEEE 802.11e
This section discusses two 802.11e implementations:
Do not alter these settings for production networks without significant tests specific to the applications
in question. For example, having a CWmax value less than the CWmin of another class might cause
starvation of the other traffic class, as the worst-case random backoff of the preferred class would be
better than the best-case random backoff of the less favored class. It should also be noted that the traffic
has been queued based on its traffic classification by the AP before the CWmin and CWmax values are
applied at the radio. Refer to Figure 6-6.
Figure 6-6
Figure 6-7 shows the principle behind different CWmin values per traffic classification. All traffic waits
the same DIFS, but the CWmin value used to generate the random backoff number depends upon the
traffic classification. High priority traffic has a small CWmin value, giving a short random backoff,
whereas best effort traffic has a large CWmin value that on average gives a large random backoff number.
Figure 6-7 [per-class contention windows: after the DIFS, the backoff window is drawn from CWmin[7], CWmin[6] or CWmin[0] depending on the traffic classification; busy medium, defer access, slot time, next frame (t)]
Figure 6-8 shows an example of how the different CWmin values impact traffic priority.
Figure 6-8 [EDCF example: Station X transmits a frame while Voice 1, Voice 2, Best Effort 1, Best Effort 2 and later Voice 3 defer; each waits the DIFS and counts down its backoff time]
1. While Station X is transmitting its frame, three other stations determine that they must send a frame.
Each station defers as a frame was already being transmitted, and each station generates a random
backoff.
2. As stations Voice 1 and Voice 2 have a traffic classification of voice, they use an initial CWmin of
3, and therefore have short random backoff values. Best Effort 1 and Best Effort 2 generate longer
random backoff times, as their CWmin value is 31.
3. Voice 1 has the shortest random backoff time, and therefore starts transmitting first. When Voice 1
starts transmitting, all other stations defer. While station Voice 1 is transmitting, station Voice 3 finds
that it needs to send a frame, and generates a random backoff number, but defers due to station Voice
1's transmission.
4. Once station Voice 1 finishes transmitting, all stations wait the DIFS, and then begin decrementing
their random backoff counters again.
5. Station Voice 2 completes decrementing its random backoff counter first and begins transmission.
All other stations defer.
6. Once station Voice 2 has finished transmitting, all stations wait the DIFS, and then begin
decrementing their random backoff counters again.
7. Best Effort 2 completes decrementing its random backoff counter first and begins transmission. All
other stations defer. This happens even though there is a voice station waiting to transmit. This
shows that best effort traffic is not starved by voice traffic, as the random backoff decrementing
process eventually brings the best effort backoff down to sizes similar to those of high priority traffic, and
the random process might, on occasion, generate a small random backoff number for best effort
traffic.
8. Once Best Effort 2 finishes transmitting, all stations wait the DIFS, and then begin decrementing
their random backoff counters again.
9. Station Voice 3 completes decrementing its random backoff counter first and begins transmission.
All other stations defer.
The overall impact of the different CWmin and CWmax values is difficult to show well in the timing
diagrams used thus far, as their impact is more statistical in nature. It is simpler to compare two
examples, and show the impact of these different values in the average times that should be generated
by the random backoff counters.
If we compare interactive voice and interactive video, these traffic categories have CWmin values of 3
and 15, and CWmax values of 32 and 63 respectively. This gives the averages for the random backoff
counters shown in Table 6-1.
Table 6-1
                    CWmin   CWmax   Average Minimum   Average Maximum
Interactive Voice   3       31      1.5               15.5
Interactive Video   15      63      7.5               31.5
Best Effort         31      255     15.5              127.5
These averages show that an interactive voice frame would only have an average random backoff time
of 30 µs, whereas the average random backoff time for an interactive video frame would be 150 µs. If
interactive voice and interactive video stations began trying to transmit at the same time, the interactive
voice frame would normally be transmitted first, and with a very small delay.
The average maximum gives an indication of how quickly and how large the random backoff counter
would grow in the event of a retransmission. A smaller average maximum value indicates a more
aggressive traffic classification. No matter how many times it has retried, Interactive
Voice's random backoff delay should not, on average, be above the minimum delay of best effort
traffic. This means that the average worst-case backoff delay for interactive voice traffic would be the
same as the average best-case delay for best effort traffic.
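The following is an added example, not code from the Cisco guide. It models the DCF backoff procedure (steps 2 to 5 of the 802.11 DCF section), the binary exponential growth of the contention window between aCWmin and aCWmax, and the per-class CWmin/CWmax values of Table 6-1, whose average minimum and maximum (CW/2 slots, 20 µs per slot) it computes. The multi-station simulator is a simplification of the Figure 6-4 and Figure 6-8 scenarios: no acknowledgements, no fragmentation, and every station always has a frame queued. The class names, the Station data model and the way extra AIFS slots are modelled (as slots a class must wait beyond the two-slot DIFS before counting down) are assumptions of this example.

```python
"""Slot-level model of 802.11 DCF contention and its EDCF per-class variant.

Added example, not code from the Cisco guide. Implements the backoff procedure
(steps 2 to 5), binary exponential backoff between aCWmin and aCWmax, and the
Table 6-1 averages. Simplifications: no acknowledgements, no fragmentation,
every station always has a frame queued. The AIFS handling (extra slots beyond
the DIFS) is an assumption about the guide's Fixed Slot Time setting.
"""
import random
from dataclasses import dataclass

SLOT_US = 20  # slot time used throughout the guide


@dataclass(frozen=True)
class AccessClass:
    name: str
    cwmin: int
    cwmax: int
    aifs_slots: int = 2  # standard DCF wait (DIFS) equals two slot times


# Traffic classes with the CWmin/CWmax values of Table 6-1.
VOICE = AccessClass("interactive-voice", 3, 31)
VIDEO = AccessClass("interactive-video", 15, 63)
BEST_EFFORT = AccessClass("best-effort", 31, 255)


def average_backoff(ac):
    """Average minimum/maximum backoff (Table 6-1) in slots, then in microseconds.

    A counter drawn uniformly from 0..CW averages CW/2 slots.
    """
    avg_min, avg_max = ac.cwmin / 2, ac.cwmax / 2
    return avg_min, avg_max, avg_min * SLOT_US, avg_max * SLOT_US


def contention_window(ac, retries):
    """Binary exponential backoff: CW doubles (2^n - 1 form) per retry, capped at CWmax."""
    cw = ac.cwmin
    for _ in range(retries):
        cw = min(2 * cw + 1, ac.cwmax)
    return cw


@dataclass
class Station:
    name: str
    ac: AccessClass
    retries: int = 0
    backoff: int = -1  # slots still to count down; -1 means draw a new counter
    waited: int = 0    # slots spent deferring for the current frame
    sent: int = 0


def simulate(stations, rounds, seed=1):
    """Run `rounds` access opportunities; returns {station: [access delay in slots per frame]}."""
    rng = random.Random(seed)
    delays = {s.name: [] for s in stations}
    for _ in range(rounds):
        # Step 2: draw a counter in 0..CW, CW having grown with this frame's retries.
        for s in stations:
            if s.backoff < 0:
                s.backoff = rng.randint(0, contention_window(s.ac, s.retries))
        # Steps 3 to 5: after the DIFS (plus any extra AIFS slots for the class) every
        # counter decrements once per idle slot; the first to reach 0 transmits.
        extra = {s.name: s.ac.aifs_slots - 2 for s in stations}
        idle_slots = min(s.backoff + extra[s.name] for s in stations)
        winners = []
        for s in stations:
            s.backoff -= max(0, idle_slots - extra[s.name])  # frozen once the medium is busy
            s.waited += idle_slots
            if s.backoff == 0 and idle_slots >= extra[s.name]:
                winners.append(s)
        if len(winners) == 1:
            w = winners[0]
            delays[w.name].append(w.waited)
            w.sent += 1
            w.retries, w.backoff, w.waited = 0, -1, 0
        else:
            # Two counters reached 0 in the same slot: collision, retry with a doubled window.
            for w in winners:
                w.retries += 1
                w.backoff = -1
    return delays


def mean_delay_us(delays, stations):
    """Mean access delay per traffic class in microseconds (None if the class never sent)."""
    per_class = {}
    for s in stations:
        per_class.setdefault(s.ac.name, []).extend(delays[s.name])
    return {k: sum(v) / len(v) * SLOT_US if v else None for k, v in per_class.items()}


def demo(rounds=2000):
    """Figure 6-8 style contention: two voice and two best-effort stations."""
    stations = [Station("Voice 1", VOICE), Station("Voice 2", VOICE),
                Station("Best Effort 1", BEST_EFFORT), Station("Best Effort 2", BEST_EFFORT)]
    delays = simulate(stations, rounds)
    return mean_delay_us(delays, stations), {s.name: s.sent for s in stations}


if __name__ == "__main__":
    for ac in (VOICE, VIDEO, BEST_EFFORT):
        print(ac.name, "avg min/max slots and us:", average_backoff(ac))
    print(demo())
```

Running demo() reproduces the two statistical claims above: voice stations see a far smaller mean access delay than best-effort stations, yet the best-effort stations are not starved, because a frozen counter resumes where it stopped and eventually reaches zero.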
Note
In this EDCF implementation, all WLAN clients are treated equally for upstream transmission (from the
WLAN clients to the AP) unless a client (such as a SpectraLink Voice over IP device) implements a
proprietary mechanism of obtaining the channel faster compared to the others.
QoS Basic Service Set (QBSS): Based on IEEE 802.11e Draft version 3.3
Figure 6-9 shows the QBSS Information Element (IE) advertised by a Cisco AP. The channel utilization
field indicates the portion of available bandwidth currently used to transport data within the WLAN. The
frame loss rate field indicates the portion of transmitted frames that require retransmission or are
discarded as undeliverable.
Figure 6-9 QBSS Information Element (IE) Implementation: IEEE 802.11e Draft version 3.3
[Element ID (11) | Length (6) | Station Count (2 octets) | Channel Utilization (1 octet) | Frame loss rate (1 octet)]
Figure 6-10 and Figure 6-11 illustrate the mechanism for enabling QoS advertisements on VxWorks APs
and bridges and Cisco IOS-based APs.
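As an added example (not Cisco code), the following parses the QBSS IE laid out in Figure 6-9 from a beacon or probe-response IE tail and uses the advertised channel utilization to choose the least-loaded AP, which is what a client-side consumer of this element does with it. Three details are assumptions rather than statements of the guide: the Length octet is taken to count the four payload octets in the usual IE encoding (the figure's "(6)" is read as the whole element including its two header octets), Station Count is decoded little-endian, and the two single-octet fields are treated as fractions scaled to 0..255. The function names and the sample beacons are constructed for this example.

```python
"""Parser for the QBSS Load information element of Figure 6-9 (added example, not Cisco code).

Assumptions not stated on the page: the Length octet counts the four payload
octets, Station Count is little-endian, and the two single-octet fields are
fractions scaled to 0..255.
"""
import struct

QBSS_ELEMENT_ID = 11
QBSS_PAYLOAD_LEN = 4


def iter_ies(body):
    """Yield (element_id, payload) from an IE tail; raise on any truncated element."""
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated IE header")
        eid, length = body[pos], body[pos + 1]
        payload = body[pos + 2:pos + 2 + length]
        if len(payload) != length:
            raise ValueError(f"IE {eid} declares {length} octets but only {len(payload)} remain")
        yield eid, payload
        pos += 2 + length


def is_well_formed(body):
    """True when every IE in the tail is complete; a malformed beacon is rejected as a whole."""
    try:
        list(iter_ies(body))
        return True
    except ValueError:
        return False


def parse_qbss(payload):
    if len(payload) != QBSS_PAYLOAD_LEN:
        raise ValueError(f"QBSS IE must carry {QBSS_PAYLOAD_LEN} octets, got {len(payload)}")
    station_count, utilization, loss = struct.unpack("<HBB", payload)
    return {
        "station_count": station_count,
        "channel_utilization": utilization / 255,
        "frame_loss_rate": loss / 255,
    }


def build_qbss_ie(station_count, utilization, loss):
    """Inverse of parse_qbss; used here only to construct sample beacons."""
    return bytes([QBSS_ELEMENT_ID, QBSS_PAYLOAD_LEN]) + struct.pack("<HBB", station_count, utilization, loss)


def qbss_from_beacon(body):
    for eid, payload in iter_ies(body):
        if eid == QBSS_ELEMENT_ID:
            return parse_qbss(payload)
    return None  # this AP does not advertise QBSS load


def least_loaded(beacons):
    """Name of the AP with the lowest advertised channel utilization; APs without the IE are skipped."""
    loads = {name: qbss_from_beacon(body) for name, body in beacons.items()}
    candidates = {n: l["channel_utilization"] for n, l in loads.items() if l is not None}
    return min(candidates, key=candidates.get) if candidates else None


def ssid_ie(ssid):
    """Element ID 0 (SSID), included so the constructed beacon tails hold more than one IE."""
    raw = ssid.encode()
    return bytes([0, len(raw)]) + raw


SAMPLE_BEACONS = {  # constructed IE tails for three APs
    "ap-1": ssid_ie("corp") + build_qbss_ie(12, 204, 5),  # about 80% utilization
    "ap-2": ssid_ie("corp") + build_qbss_ie(3, 51, 0),    # about 20% utilization
    "ap-3": ssid_ie("corp"),                              # no QBSS IE at all
}

if __name__ == "__main__":
    for name, body in SAMPLE_BEACONS.items():
        print(name, qbss_from_beacon(body))
    print("least loaded:", least_loaded(SAMPLE_BEACONS))
```

Rejecting a beacon whose IE lengths run past the end of the frame, rather than reading whatever bytes follow, is the check worth keeping in any real IE walker.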
Note
For information about deployment and configuration using VxWorks-based APs, please refer to the WLAN
QoS Deployment Guide at the location:
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080144498.html
This section presents EDCF implementation considerations for Cisco IOS-based APs in the following
specific sections:
Appliance-based Prioritization
The Cisco IOS-based AP can prioritize traffic based upon a WLAN client's request for a particular traffic
classification because of its appliance type. Currently, Cisco APs support only VoIP appliances. These
VoIP appliances use proprietary registration messages to identify themselves. The best example of this
process is the negotiation that occurs between the AP and a Symbol VoIP WLAN handset. A protocol
defined by Symbol allows the handset to be identified, and provides downstream traffic to these handsets
with an interactive voice classification.
The VxWorks-based AP allows a per-station classification of traffic which allows these handsets to
identify themselves and automatically classify traffic.
The Cisco IOS AP supports the registration of the handsets to the AP through the global command line
interface (CLI) command:
dot11 phone
CoS-based Prioritization
Traffic that arrives at the AP over an Ethernet trunk (if already classified by its CoS settings within IEEE
802.1D) will have that classification mapped to EDCF and applied unless the Per Appliance
classification applies a subsequent classification.
The IP Protocol 119 setting provides ongoing support on the AP for SpectraLink IEEE 802.11 handsets.
Figure 6-12 Class-Map based QoS Policy Example
After applying the class-map based QoS policy, the changes are reflected in the AP CLI.
class-map match-all _class_example2
 match ip protocol 119
class-map match-all _class_example0
 match ip precedence 2
class-map match-all _class_example1
 match ip dscp 46
policy-map example
 class _class_example0
  set cos 5
 class _class_example1
  set cos 5
 class _class_example2
  set cos 0
 class class-default
  set cos 0
interface Dot11Radio0.825
VLAN-based Prioritization
Figure 6-13 illustrates the default priority (CoS) set using a class-map definition on a Cisco IOS-based
AP. This class-map is applied to an interface or a VLAN and the specified priority is applied to all traffic,
unless the priority is overridden by one of the mechanisms described above (Per Station, 802.1p/802.1D
CoS, or Class-Map based IP TOS/DSCP/Protocol).
Figure 6-13 Default CoS Setting Using a Class-Map on a Cisco IOS AP
1. If a station identifies itself as a particular CoS, this is used (Per-Appliance QoS; an example is a
Symbol VoIP device).
2. If the frame arrives at the AP with a CoS setting via IEEE 802.1p/802.1D, this is what is used.
3. If a class-map based classification (IP TOS, IP DSCP, IP Protocol, or default CoS) is defined per
VLAN or interface, the CoS defined by the class-map based QoS policy is assigned to the specified
traffic flow (example: SpectraLink VoIP device).
4. If none of the above mechanisms are viable, the default CoS setting for the VLAN is used for all
traffic.
Figure 6-14 illustrates the QoS classification precedence described in the above list.
Figure 6-14 QoS Classification Precedence on Cisco IOS-Based APs
[flowchart: Per-appliance QoS? (Yes/No); By CoS value (802.1p marked)? (Yes/No); Class-map defined per interface or VLAN? (Yes/No); Map to CoS; Send to transmit queue]
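The precedence above, combined with the class-map policy of Figure 6-12, as an added example in Python (not Cisco code): classify() walks the four mechanisms in order and returns the CoS together with the mechanism that decided it, and the policy table reproduces the page's policy-map in the order IOS evaluates its classes. Two assumptions of this example: a station that has registered as a VoIP appliance is given CoS 5 (the value the page's policy-map assigns to voice markings), and IP precedence is derived as the top three bits of the DSCP. The Frame model, the sample MAC addresses and the VLAN numbers other than 825 are constructed.

```python
"""CoS classification precedence of a Cisco IOS AP (Figure 6-14) with the
class-map policy of Figure 6-12. Added example; data model and names are not Cisco's.

Assumptions: a registered VoIP appliance gets CoS 5 (the value the page's
policy-map uses for voice); IP precedence is the top three DSCP bits.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Frame:
    src_mac: str
    vlan: int
    dot1p_cos: Optional[int] = None   # CoS carried on an 802.1p/802.1D tagged trunk frame
    ip_protocol: Optional[int] = None
    dscp: Optional[int] = None


def ip_precedence(dscp: int) -> int:
    return dscp >> 3


# policy-map "example" from the page, in the order IOS evaluates its classes.
Rule = Tuple[str, Callable[[Frame], bool], int]
POLICY_EXAMPLE: List[Rule] = [
    ("_class_example0", lambda f: f.dscp is not None and ip_precedence(f.dscp) == 2, 5),
    ("_class_example1", lambda f: f.dscp == 46, 5),
    ("_class_example2", lambda f: f.ip_protocol == 119, 0),   # SpectraLink SVP, as on the page
    ("class-default", lambda f: True, 0),
]

APPLIANCE_COS = 5  # assumption: interactive-voice classification for registered handsets


def classify(frame: Frame, appliances: set, vlan_policies: Dict[int, List[Rule]],
             vlan_default_cos: Dict[int, int]) -> Tuple[int, str]:
    """Return (cos, mechanism) following the four-step precedence of Figure 6-14."""
    if frame.src_mac in appliances:                       # 1. per-appliance registration
        return APPLIANCE_COS, "per-appliance"
    if frame.dot1p_cos is not None:                       # 2. 802.1p/802.1D CoS from the trunk
        return frame.dot1p_cos, "802.1p"
    policy = vlan_policies.get(frame.vlan)
    if policy is not None:                                # 3. class-map policy on VLAN/interface
        for name, matches, cos in policy:
            if matches(frame):
                return cos, f"class-map {name}"
    return vlan_default_cos.get(frame.vlan, 0), "vlan-default"   # 4. VLAN default CoS


# Constructed sample environment: one registered handset, a policy on VLAN 825 only.
APPLIANCES = {"00:a0:f8:00:00:01"}
VLAN_POLICIES = {825: POLICY_EXAMPLE}
VLAN_DEFAULTS = {825: 1, 20: 0}

SAMPLE_FRAMES = [
    Frame("00:a0:f8:00:00:01", 825, dscp=0),                    # registered appliance
    Frame("00:11:22:33:44:55", 825, dot1p_cos=6, dscp=46),      # trunk CoS beats the class-map
    Frame("00:11:22:33:44:66", 825, dscp=46, ip_protocol=17),   # EF marked RTP, untagged
    Frame("00:11:22:33:44:77", 825, dscp=18),                   # precedence 2
    Frame("00:11:22:33:44:88", 825, dscp=0, ip_protocol=119),   # SVP
    Frame("00:11:22:33:44:99", 825, dscp=0, ip_protocol=6),     # falls to class-default
    Frame("00:11:22:33:44:aa", 20, dscp=46),                    # VLAN with no policy
]


def demo():
    return [classify(f, APPLIANCES, VLAN_POLICIES, VLAN_DEFAULTS) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for frame, result in zip(SAMPLE_FRAMES, demo()):
        print(frame.src_mac, frame.vlan, "->", result)
```

The second sample frame is the case worth noticing: a trunk-marked CoS wins over any class-map, so a marking applied upstream of the AP is trusted as-is.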
In addition to the CWmin and CWmax values shown in Figure 6-15, a Fixed Slot Time setting is
available. The Fixed Slot Time is referred to as the Arbitration Inter Frame Space (AIFS) in the IEEE
802.11e Draft. The AIFS is a variable DCF value. The standard DCF time equals two slot times. Traffic
classifications with a slot time greater than two must wait the additional slot times before sending or
beginning to decrement their random backoff counters, giving further precedence to traffic
with low CWmin and DCF timing.
IP SoftPhone and Other PC and PDA Based VoIP Solutions, page 6-17
Symbol Handsets
If Symbol handsets are used in the WLAN, the Symbol Extensions should be enabled.
SpectraLink Handsets
The SpectraLink Voice Protocol (SVP) is prioritized in the same manner as in the pre-WLAN QoS AP
configuration because the AP has a default filter to classify all SpectraLink voice traffic with voice
priority.
The difference between the current AP prioritization scheme and the previously released AP
prioritization method is that the prior version was limited to prioritizing within the queuing internal to
the AP. With the QoS enhancements, traffic can now be prioritized over the radio interface.
Figure 6-16 illustrates the SVP architecture for 12.00T VxWorks and 12.2(4)JA Cisco IOS QoS features:
Figure 6-16 SpectraLink VoIP Deployment
[NetLink wireless telephones associate to an AP1100 and an AP1200, each providing EDCF-based QoS; the APs provide EDCF-based mechanisms for downstream wireless QoS; the Enterprise Network connects to Cisco CallManager, the NetLink SVP server and an IP VoIP phone]
Chapter 7
WLAN Roaming
This chapter addresses the WLAN design considerations when assessing Layer-2 roaming of WLAN
clients. The process of a WLAN client station roaming from one AP to another AP is discussed in some
detail. Although this chapter focuses on roaming at Layer-2 (same IP subnet), the implications of
campus-wide roaming at Layer-2 and Layer-3 are also considered.
The following primary sections are presented in this chapter:
[Figure: L2 roaming within Subnet A versus L3 roaming (mobile IP) from Subnet A to Subnet B across a Layer 3 boundary]
Layer-3 roaming will be covered in a separate design guide, which will be added to the set of design
guides available from http://www.cisco.com.
WLANs can provide the ability to connect to the network from any location within the enterprise. The
desire to move from one location to another while maintaining an application session is a natural
extension of this extended network reach.
The trend towards wireless laptop computers and personal digital assistants (PDA) will further accelerate
the desire for seamless network access while moving between locations.
The benefits of WLANs in general are documented in Chapter 1, WLAN Solution Overview. Some
of the WLAN benefits specific to mobility are:
Roaming Solution Overview
Layer-2 Design
Mobile IP capability is required to provide seamless roaming across Layer-3 subnet boundaries. Layer-3
roaming will be covered in a separate design guide, but note that every Layer-3 roam is preceded by a
Layer-2 (link-layer) roam.
Caveats
Deploying WLANs as recommended in this document might result in multiple Layer-2 subnets on the
same floor of a building. Some form of mobile IP will be required to roam seamlessly between the
Layer-2 subnets this design recommends.
Figure 7-2 [a client moves from Access Point A to Access Point B; events 1 to 4 are marked, with the Inter Access Point Protocol (IAPP) exchanged between the APs]
A client moves from AP A coverage area into AP B coverage area (both APs in same subnet).
1. As the client moves out of AP A range, a Roaming Event will be triggered (such as Max Retries).
2. The client then scans all 802.11 channels for alternative APs. In this case, the client discovers AP
B and re-authenticates and re-associates to it.
3. AP B sends a null MAC multicast using the source address of the client. This updates the Content
Addressable Memory (CAM) tables in upstream switches and directs further LAN traffic for the
client to AP B, and not AP A.
4. AP B sends a MAC multicast using its own source address telling the old AP that AP B now
has the client associated to it. AP A receives this multicast and removes the client MAC address
from its association table.
The main focus in this chapter is on events 1 and 2 in Figure 7-2. Events 3 and 4 are post-roam actions
taken as part of Cisco's proprietary Inter Access Point Protocol (IAPP).
It is important to note that roaming is always a client station decision. The client station is responsible
for detecting, evaluating, and roaming to an alternative AP.
Layer-2 Roaming Primer
Event 1 in Figure 7-2 will be discussed in more detail in the Roaming Events section on page 7-5 of
this document. Roaming Events describes the events that cause a client to initiate the roam process.
Event 2 in Figure 7-2 is covered in the Roam Process section on page 7-7. The process of discovering,
evaluating, and roaming to an alternative AP is discussed in that section.
Roaming Events
This section details the events that cause a client to roam. The roam process itself is described in the
Roam Process section on page 7-7. Roaming is always initiated by the client and is caused by one of
the following events (each is covered in a separate section):
Clients learn the APs beacon interval from an element in the beacon. If a client misses eight consecutive
beacons, a roaming event is deemed to have occurred and the roam process detailed in the Roam
Process section on page 7-7 is initiated.
By continuously monitoring for received beacons, even an otherwise idle client is able to detect a loss
of wireless link quality and is able to initiate a roam.
If the client has not attempted to roam in the last 30 seconds then the roam process as described in
the Roam Process section on page 7-7 occurs.
If the client has already attempted to roam in the last 30 seconds, the data rate for that client is set
to the next lower rate.
A client transmitting at less than the default rate increases the data rate back to the next-higher rate after
a short time interval if transmissions are successful.
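The two client-side triggers described in this section (eight consecutive missed beacons, and a max-retries event that roams only if no roam was attempted in the last 30 seconds and otherwise steps the data rate down), as an added example in Python. This is not Cisco client code: the rate ladder, the five-second rate-recovery interval (the guide says only "a short time interval"), the class and method names, and the event sequence are assumptions constructed for the example.

```python
"""Client-side roaming-event detector (added example, not Cisco client code).

Triggers modelled from the guide: eight consecutive missed beacons, and a
max-retries event that roams if no roam was attempted in the last 30 s and
otherwise drops to the next lower data rate. Assumed: the 802.11b rate ladder
and a 5 s interval of successful transmissions before the rate steps back up.
"""

RATES_MBPS = (1.0, 2.0, 5.5, 11.0)  # assumed rate ladder; the default rate is the highest


class RoamMonitor:
    def __init__(self, beacon_miss_limit=8, roam_holdoff_s=30.0, rate_recovery_s=5.0):
        self.beacon_miss_limit = beacon_miss_limit
        self.roam_holdoff_s = roam_holdoff_s
        self.rate_recovery_s = rate_recovery_s
        self.missed = 0
        self.rate_idx = len(RATES_MBPS) - 1
        self.last_roam_at = None
        self.rate_dropped_at = None
        self.roams = []  # (time, reason) history for later analysis

    @property
    def rate(self):
        return RATES_MBPS[self.rate_idx]

    def _roam(self, now, reason):
        self.last_roam_at = now
        self.missed = 0
        self.roams.append((now, reason))
        return ("roam", reason)

    def beacon_received(self, now):
        self.missed = 0  # beacon loss must be consecutive to count
        return ("ok", None)

    def beacon_missed(self, now):
        self.missed += 1
        if self.missed >= self.beacon_miss_limit:
            return self._roam(now, "beacon-loss")
        return ("ok", None)

    def max_retries(self, now):
        """Roam unless a roam was already attempted within the hold-off; then lower the rate."""
        recent = self.last_roam_at is not None and now - self.last_roam_at < self.roam_holdoff_s
        if not recent:
            return self._roam(now, "max-retries")
        if self.rate_idx > 0:
            self.rate_idx -= 1
            self.rate_dropped_at = now
        return ("rate-down", self.rate)

    def tx_success(self, now):
        """Below the default rate, successful transmissions step the rate back up after an interval."""
        below_default = self.rate_idx < len(RATES_MBPS) - 1
        if (below_default and self.rate_dropped_at is not None
                and now - self.rate_dropped_at >= self.rate_recovery_s):
            self.rate_idx += 1
            self.rate_dropped_at = now
            return ("rate-up", self.rate)
        return ("ok", None)


def replay(events):
    """Feed (time, event name) pairs through a monitor; return the decisions it made."""
    monitor = RoamMonitor()
    decisions = []
    for now, kind in events:
        action = getattr(monitor, kind)(now)
        if action[0] != "ok":
            decisions.append((now, action))
    return decisions, monitor


# Constructed event sequence: eight missed beacons one second apart, then retry
# failures inside and outside the 30 s hold-off, with a recovery in between.
SAMPLE_EVENTS = [(float(t), "beacon_missed") for t in range(8)] + [
    (10.0, "max_retries"),  # 3 s after the beacon-loss roam: inside the hold-off
    (20.0, "max_retries"),  # still inside: rate drops again
    (26.0, "tx_success"),   # 6 s of success after the last drop: rate steps up
    (50.0, "max_retries"),  # 43 s since the last roam: a new roam is allowed
]

if __name__ == "__main__":
    for when, action in replay(SAMPLE_EVENTS)[0]:
        print(f"t={when:5.1f}s {action}")
```

The hold-off is what keeps a client on a marginal link from thrashing between APs: two retry failures in quick succession cost it data rate, not another channel scan.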
Roam Process
The Roaming Events section on page 7-5 described the events that can occur to cause a client to decide
that it needs to roam. This section addresses actions taken by a client station when it roams.
When a roaming event occurs the client station scans each 802.11 channel (the client scans all 802.11
channels valid in the country in which the client is operating). On each channel, the client station sends a
probe and waits for a probe-response or beacon from APs on that channel. The probe responses and
beacons received from other APs are discarded unless the conditions listed in Table 7-1 are met.
Table 7-1
Unknown | Implementation dependent
The new AP must not have more than a 10 percent worse transmitter load than the current AP | Not
Applicable | AP transmitter load information is a Cisco proprietary element in beacons
1. Probe-responses/beacons must satisfy all conditions.
If the conditions in Table 7-1 are satisfied, then a client roams to a new AP that best meets one of the
conditions specified in Table 7-2.
Table 7-2
Unknown | Implementation dependent
1.
Layer-2 Design Recommendations
Note
There are 11 channels available in the US. There are 13 channels defined by the 802.11 specification.
Their usage varies from country to country.
To find out if a better AP is available, the client must cease transmitting and receiving on the current
channel and move sequentially through each of the possible alternative channels.
The following actions need to occur on each of the channels scanned:
1.
2.
Client needs to listen to the new channel long enough to avoid a collision as per the CSMA/CA
media access implemented in 802.11.
3.
4.
Figure 7-6 [two Layer 3 switches; one is HSRP Active for VLANs 20, 41 and 140, the other for VLANs 40, 21 and 120; VLAN 20 Data 10.1.20.0, VLAN 21 WLAN 10.1.21.0, VLAN 120 Voice 10.1.120.0, VLAN 40 Data 10.1.40.0, VLAN 41 WLAN 10.1.41.0, VLAN 140 Voice 10.1.140.0]
Note
For related information regarding spanning-tree design and implementation considerations, please refer
to the Cisco AVVID Network Infrastructure: Implementing 802.1w and 802.1s in Campus Networks
SRND.
Chapter 8
Tip
For information about IP multicast theory, deployment, and configuration, please see the Cisco AVVID
Network Infrastructure IP Multicast Design SRND.
Note
This chapter uses MoH and IP/TV in the examples. It does not, however, provide configurations and
designs for MoH and IP/TV. Also, other types of IP multicast implementations, such as IP multicast for
financial deployments, are not covered.
Note
Filters on the AP and bridge do not provide the flexibility needed for true multicast control.
If IP Multicast is to be deployed and streamed across the wireless network, then the following
recommendations should be implemented:
Prevent unwanted multicast traffic from being sent out on the air interface.
Place the WLAN in its own subnet.
Control which multicast groups are allowed by implementing multicast boundaries on the egress
To gain the highest AP/bridge performance for multicast traffic and data traffic, configure the APs
and bridges to run at the highest possible fixed data rate. This removes the requirement for multicast
to clock out at a slower rate, which can impact the range of the AP/bridge and must be taken into
account in the site survey.
If multicast reliability is a problem (seen as dropped packets), ignore the preceding recommendation
and use a slower data rate (base rate) for multicast. This gives the multicast a better signal-to-noise
ratio and can reduce the number of dropped packets.
Test the multicast application for suitability in the WLAN environment. Determine the application
and user performance effects when packet loss is higher than that seen on wired networks.
The low-rate stream is allowed and the high-rate stream is disallowed on the WLAN link. A multicast
boundary is used to control multicast forwarding and IGMP packets.
Figure 8-1 [IP/TV server 10.5.10.22 in the Campus, source for 239.255.0.1 (high-rate stream) and 239.192.248.1 (low-rate stream); L3-Switch at .1 on VLAN 200 (10.1.200.x); 350 AccessPoint at .100; PC with 350 PC Card at .101]
In this configuration:
L3-SWITCH connects to the campus network and the Cisco Aironet 350 Access Point
(10.1.200.100).
The VLAN 200 interface on L3-SWITCH has the IP address of 10.1.200.1 and is the interface that
provides the boundary for IP multicast.
The laptop computer (10.1.200.101) has a Cisco Aironet 350 PC Card and is running the IP/TV
Viewer software.
interface Vlan200
 description WLAN VLAN
 ip address 10.1.200.1 255.255.255.0
 ip pim sparse-mode
 ip multicast boundary IPMC-WLAN
!
ip access-list standard IPMC-WLAN
 permit 239.192.248.1
The low-rate stream is allowed and the high-rate stream is disallowed on the P2P wireless link. To
control what multicast traffic passes over the P2P link, only the ip multicast boundary configuration
on ROUTER is needed. Because the multicast boundary prevents hosts from joining unwanted groups,
the network never knows to forward unwanted traffic over the P2P link.
Figure 8-2 [IP/TV server 10.5.10.22 in the Campus, source for 239.255.0.1 (high-rate stream) and 239.192.248.1 (low-rate stream); L3-Switch at .1 on VLAN 100 (10.1.100.x); 350-Bridge-L at .100 and 350-Bridge-R at .101 forming the P2P link; Router at 10.1.100.2 and 10.1.101.1; L2-Switch-PWR on 10.1.101.x with a PC with 350 PC Card at .2]
In this configuration:
L3-SWITCH (VLAN 100-10.1.100.1) connects to the campus network and the P2P wireless
network.
The P2P wireless link is made possible by two Cisco Aironet 350 Bridges, 350-Bridge-L
(10.1.100.100) and 350-Bridge-R (10.1.100.101).
ROUTER (10.1.100.2) connects to the P2P wireless network and the remote site network
(10.1.101.1) via L2-SWITCH-PWR.
If the remote side of the P2P link has a Layer 2 switch and no Layer 3 switch or router, then a boundary
can be placed on the VLAN 100 interface of L3-SWITCH. Also, in a Point-to-Multipoint (P2MP)
deployment, a mix of both may be needed. Both configurations are shown here for reference.
Following is the configuration for L3-SWITCH.
interface Vlan100
 description VLAN for P2P Bridge
 ip address 10.1.100.1 255.255.255.0
 ip pim sparse-mode
 ip multicast boundary IPMC-BRIDGE
!
ip access-list standard IPMC-BRIDGE
 permit 239.192.248.1
To prevent unwanted IGMP messaging and multicast traffic from traversing the P2P wireless link on the
receiver side (remote LAN - 10.1.101.x), an ip multicast boundary is configured on the Fast Ethernet
0/1 interface of ROUTER.
Following is the configuration for ROUTER.
interface FastEthernet0/1
 description Local LAN in Remote Site
 ip address 10.1.101.1 255.255.255.0
 ip pim sparse-mode
 ip multicast boundary IPMC-BRIDGE
Other Considerations
The following additional considerations apply to deploying IP multicast in a WLAN environment:
The WLAN LAN extension via EAP and WLAN static WEP solutions can support multicast traffic
on the WLAN; the WLAN LAN extension via IPSec solution cannot.
The WLAN has an 11 Mbps available bit rate that must be shared by all clients of an AP. If the AP
is configured to operate at multiple bit-rates, multicasts and broadcasts are sent at the lowest rate to
ensure that all clients receive them. This reduces the available throughput of the network because
traffic must queue behind traffic that is being clocked out at a slower rate.
Cisco Group Management Protocol (CGMP) and/or Internet Group Management Protocol (IGMP)
should be used to limit the multicast traffic on each AP to the traffic required by associated clients.
If a client roams with these features configured on an upstream switch, the multicast stream might
not be delivered to the new AP. To address this, the Cisco AP can be configured to generate a general
IGMP query when a client associates or disassociates. This allows the upstream switch to learn
which multicast groups are required on that AP.
Multicast and broadcast from the AP are sent without requiring link-layer acknowledgement. Every
unicast packet is acknowledged and retransmitted if unacknowledged. The purpose of the
acknowledgement is to overcome the inherent unreliable nature of wireless links. Broadcasts and
multicasts are unacknowledged due to the difficulty in managing and scaling the acknowledgements.
This means that a network that is seen as operating well for unicast applications, can experience
degraded performance in multicast applications.
Enterprise customers who are using WLAN in laptops would normally use Constant Awake Mode
(CAM) as the Power-Save Mode. If delay-sensitive multicast traffic is being sent over the WLAN,
customers should ensure that only the CAM configuration is used on their WLAN clients. Based on
the 802.11 standard, if the client is in power-save mode, then the AP will buffer broadcast and
multicast traffic until the next beacon period that contains a delivery traffic information map (DTIM)
transmission. The default period is 200ms. Enterprises that use WLAN on small handheld devices
will most likely need to use the WLAN power-save features (Max or Fast) and should not attempt
to run delay-sensitive multicast traffic over the same WLAN.
Summary
In summary, when using IP multicast in the WLAN, follow these recommendations.
Place the WLAN AP or bridge on a separate VLAN or Layer 3 interface so multicast boundaries can
be implemented.
Use the ip multicast boundary command to prevent IGMP joins and multicast forwarding on
denied multicast groups.
In a WLAN using AP, the boundary should be placed on the VLAN or Layer 3 interface connecting
to the AP.
In a WLAN using bridges, the boundary is placed on the VLAN or Layer 3 interface connecting to
the remote receiver side. If no Layer 3 capable device is used at the remote site, the boundary is
placed on the VLAN or Layer 3 interface connecting to the bridge at the main site. Also, a
combination of a boundary at the receiver side and bridge connection at the main site, may be needed
in a P2MP deployment.
Set the highest possible fixed data rate on the APs and bridges to ensure the best possible
performance for multicast and data traffic.
If dropped packets occur and impact the performance of the application, the fixed data rate on the
APs and bridges may need to be reduced to ensure a better signal-to-noise ratio, which can reduce
dropped packets.
Chapter 9
Methods for detecting rogue APs in the enterprise include wireless methods such as using the free
Boingo WLAN hotspot locator client to detect WLANs and the use of sophisticated analysis tools on the
Ethernet backbone. None of the available tools for detecting rogue APs guarantees the detection of all
rogue APs and a combination of tools should be used to raise the probability of detection.
This appendix outlines the threat posed by rogue APs in the Enterprise Network and some strategies for
preventing and detecting them. The following sections are presented:
[Figure: Subnet A and Subnet B separated by a Layer 3 boundary]
This appendix does not consider a misconfigured production AP to be a rogue AP. Cisco's Wireless LAN
Solution Engine (WLSE) is capable of checking the configuration on production APs. The Aptools
program mentioned in the Using MAC Addresses to Detect Rogue AP section on page 9-16 is also capable
of checking the security configuration on discovered APs. This appendix divides people installing rogue
APs into one of the categories described in Table 9-1.
Table 9-1
Rogue AP Threat
Threat Description
This appendix discusses a variety of ways in which an enterprise can prevent and detect rogue AP
installations. The focus here is on the Frustrated Insider class of user as they are considered to be the
most common source of rogue AP installations and are the easiest to detect. Some of the techniques
mentioned may detect the malicious hacker class of user, but as mentioned previously, it is best to
concentrate on preventing this class of user through physical security and 802.1x. Rogue AP detection
is broken into wireless, wired, and physical observation methods. A combination of these methods is
necessary to be most effective.
They often use well-known manufacturer default settings that provide little or no security
If WEP is enabled, the Cisco enhancements such as TKIP and MIC are not available or enabled
If VPN protection is the company security policy for WLANs, rogue APs may be placed on the
internal network instead of on the WLAN DMZ
The end result of these security shortcomings is that outsiders have a method to connect to the Enterprise
Network without the need to first bypass physical security mechanisms such as locked doors, security
guards, and vigilant employees.
Outsiders may wish to gain WLAN access for the following purposes:
To gain free access to the Internet (via the Enterprise Networks connection)
To gain access to the Enterprise Network, possibly to launch attacks on other enterprise resources
such as servers containing confidential information or running mission-critical applications.
Tool / Description
Netstumbler (http://www.netstumbler.com/): Free Windows and WinCE software that scans for wireless APs. Provides information about SSID, WEP enabled, 802.11 channel, signal strength, location (if used with GPS) and more.
Airsnort
With Netstumbler, an outsider can discover the existence of an insecure wireless LAN, and can then
access the WLAN to gain access to the Enterprise Network or to observe confidential WLAN traffic.
If Netstumbler shows that WEP is being used to encrypt WLAN traffic, Airsnort can be used to determine
the WEP key.
If Netstumbler shows that the WLAN has been installed with no WEP enabled, then network access can
be gained just by configuring the client to match the detected network.
Figure 9-2 illustrates a screen capture taken from a Pocket PC during a commute to work. Netstumbler
identified 68 access-points. The first column of the display indicates whether or not WEP is enabled for
each AP discovered. Other information such as 802.11 channel, Signal-to-Noise Ratio (SNR), and (if a
GPS is connected) longitude and latitude can also be displayed.
Figure 9-2
The Netstumbler capture shown in Figure 9-2 was taken from within a moving car with no specialized
equipment such as an external antenna necessary.
Another phenomenon receiving media attention is warchalking, where chalk symbols are placed on
buildings signifying the presence and characteristics of wireless LAN networks. For more information
on warchalking, perform a Google search on warchalk, or go to the following website:
http://www.blackbeltjones.com/warchalking/index2.html
Prevention
Corporate Policy
Physical security
Supported WLAN infrastructure
802.1x port based security on edge switches
Detection
Using wireless analyzers/sniffers
Using scripted tools on the wired infrastructure
By physically observing WLAN AP placement and usage
Figure 9-3 (diagram of rogue AP countermeasures on a Layer 3 network with Subnet A and Subnet B. Prevention: WLAN policy; physical security; secure/supported WLAN infrastructure provided; 802.1x on switches. Detection: regular scripted audits; active wireless audit; physical observation)
Using Catalyst Switch Filters to Limit MAC Addresses per Port, page 9-10
Physical Security
Physical security also plays a part in rogue AP prevention. Physical security standards should be in place
to prevent an intruder from gaining unauthorized access to the enterprise premises or to detect the
intruder if physical access is gained.
Figure 9-4 (diagram: rogue access point versus authorized access point)
Granting or denying network access at an individual port level, based on configured authorization
policy.
Enforcing additional applicable policies, such as resource access and quality of service, on any
access granted.
These abilities are introduced when a Cisco end-to-end solution is implemented with the following
features and technologies:
An 802.1x compliant client operating system, such as Microsoft Windows XP, Windows 2000, or
Windows 98 (see below for details)
Optionally, for strong authentication, an X.509 Public Key Infrastructure (PKI) certificate
architecture
By configuring 802.1x compliant client software with a PKI certificate, or username and password, the
Cisco Catalyst family switches running 802.1x features authenticate the requesting user or system in
conjunction with a back-end CiscoSecure ACS server. Figure 9-5 illustrates these concepts.
Figure 9-5 802.1x Operation (diagram: 1 login request; 2 login info; check with policy DB; login good; 5 allow access; John Doe is allowed access)
User or device credentials and reference information are processed by the CiscoSecure ACS server.
CiscoSecure ACS is able to reference user or device policy profile information either internally using
the integrated user database or from external database sources such as Microsoft Active Directory,
LDAP, Novell NDS, or Oracle databases. This allows for the integration of the solution into existing user
management structures and schemes, thereby simplifying overall management.
Table 9-3 summarizes 802.1x authentication types supported and available on Cisco switches and APs.
Table 9-3 802.1x Authentication Types
Wireless ports: EAP-Cisco; Protected EAP; EAP-TLS
Wired ports: Protected EAP; EAP-TLS; EAP-MD5 (not suitable for wireless due to lack of mutual authentication support)
Microsoft Windows 2000 and 2000 Server, NT4.0, ME, 98 and 98SE (Microsoft add-on)
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;313664
Although the above client stacks allow enterprises to enable 802.1x on most PCs, there are likely to be
some network-attached devices that lack 802.1x support. Non 802.1x capable devices include:
IP phones
Printers
Note
HP has support in wireless Jet-Direct printers and is considering support for wired printers
WLAN APs
Note
This command is not necessary if 802.1x is used to provide port-based security as 802.1x limits the
number of MAC addresses per-port by default.
With this command, it is possible to limit the number of MAC addresses to one (for user PC) or two (for
user IP phone and PC). With this command enabled, it might be possible to connect a rogue AP to the
network (instead of a phone or a PC), but it would not be possible to use the AP.
Limitations of Using Catalyst Switch Filters to Limit MAC Addresses per Port
In an IP phone environment, two MAC addresses are needed per port: one for the phone and one for the
user PC. If a rogue AP were plugged into an unused port on the network, one wireless client could
associate to it without being blocked by the port filter.
Figure 9-6 (diagram of detection methods on a Layer 3 network with Subnet A and Subnet B: regular scripted audits; active wireless audit; physical observation)
The WLAN is Broadcasting its SSID: The Frustrated Insider class of user is responsible for the vast
majority of rogue AP installs and this type of user is unlikely to have the sophistication or intent to
turn broadcast SSID off.
The WLAN is not Broadcasting its SSID: For Boingo to be able to detect a non-broadcast SSID the
WLAN must be active enough for the Boingo client to observe a probe-request/probe-response
sequence. The WLAN SSID is always visible in this sequence of frames. This sequence of frames
does not happen very often and is unlikely to be detected during a one-time audit of an area with a
lightly loaded rogue AP.
Installing Boingo
The Boingo download is about 10 Mbytes. The install is quick and simple and does not normally require
the PC to be rebooted.
Once installed, Boingo starts automatically when Windows is started. Boingo has some impact on
normal WLAN operation because it briefly stops transmitting WLAN frames in order to scan all 802.11
channels for WLAN networks. After installation, users might wish to prevent Boingo from auto-starting
with Windows by removing it from the Start>Programs>Startup folder. Boingo can then be started
manually, as required.
Using Boingo
When Boingo is running, it is visible as a white letter B icon on the task bar. Double-clicking this icon
launches the Boingo application, where all visible 802.11 WLAN networks are displayed. A sample
Boingo screen is displayed in Figure 9-7.
Figure 9-7
Table 9-5 Wireless Analyzers
Airmagnet (www.airmagnet.com): A full-featured WLAN site-survey tool running on a Compaq iPAQ. A commercial product.
Netstumbler (www.netstumbler.org/): Free software that can be downloaded from the Internet. Detects WLAN APs and displays information about them. Very popular and well known.
Sniffer (www.sniffer.com): Professional wireless analyzer. It can be used to help look for rogue APs.
Wildpackets (www.wildpackets.com/products/airopeek): Professional wireless analyzer. It can be used to help look for rogue APs.
Observer (www.networkinstruments.com/): It can be used to help look for rogue APs.
Finisar Surveyor (www.gofinisar.com/products/protocol/wireless/surveyor_w.html): It can be used to help look for rogue APs.
Wellenreiter (www.remote-exploit.org/): Similar to Netstumbler. Detects WLAN APs and displays information about them. Less popular or well known than Netstumbler.
Kismet (www.kismetwireless.net/): Open source wireless sniffer. It can be used to help look for rogue APs by defining filters to look for beacons, but to exclude authorized SSIDs.
dachb0den (www.dachb0den.com/projects/bsd-airtools.html): Seems to be a combination of Netstumbler and Airsnort functionality. Not very well known.
Hornet (www.bvsystems.com/Products/WLAN/Hornet/hornet.htm): Dedicated hardware that looks for a list of AP MAC addresses configured and downloaded from a PC.
IBM (www.research.ibm.com/gsal/dwsa/): Prototype only, not for sale. Uses client software on enterprise NICs to detect and report on all detected APs and their security system. A back-end system compares the list of detected APs with a list of authorized APs and alerts on unknown APs.
IBM TP General, IBM Access Connections for Windows 2000/XP (www.pc.ibm.com/qtechinfo/MIGR-4ZLNJB.html): Access Connections is a connectivity assistant program for your ThinkPad computer. It enables you to quickly switch the network settings and Internet settings by selecting a location profile. You can define the network settings and Internet settings in the Location Profile for modem/wired LAN/Wireless LAN network devices and then restore that profile whenever you need it. By switching the location profile, you can connect to the network instantly without reconfiguring your settings when you move from office to home or on the road.
Once a WLAN analyzer has detected a suspected rogue AP, a directional antenna on the analyzer is a very
useful aid in locating the AP.
A host of WLAN tools is maintained on the NetworkIntrusion link pointed to in the Links and
References section on page 1-8.
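The two detection conditions described for Boingo (the SSID is carried in beacons, or, when broadcast is turned off, only in the probe-request/probe-response exchange) and the Kismet approach in Table 9-5 (filter on beacons, exclude authorized SSIDs) both come down to decoding 802.11 management frames. The Python script below is an added example and is not code from the Cisco document, Boingo or Kismet. It parses beacon and probe-response frames that it constructs itself, recovers a hidden SSID from the probe response, and classifies each BSSID. It goes one step beyond the SSID filter described for Kismet by keying the decision on the BSSID allowlist, since a rogue can copy the corporate SSID. The authorized SSIDs and BSSIDs, and the MAC addresses and SSIDs in the sample frames, are assumptions made up for the example.

```python
"""Decode 802.11 beacon and probe-response frames, recover SSIDs (including a
'hidden' SSID revealed by a probe response) and flag BSSIDs that are not on
the authorized-AP list.

Added example, not from the Cisco document or from Boingo/Kismet. The frames
below are constructed with build_mgmt_frame() for the example."""
import struct

# Assumptions for the example: the enterprise's own SSIDs and the BSSIDs
# (radio MACs) of its authorized APs.
AUTHORIZED_SSIDS = {"corp-leap", "guest"}
AUTHORIZED_BSSIDS = {"00:40:96:11:22:33"}

BEACON, PROBE_RESP = 0x8, 0x5   # management-frame subtypes (frame type 0)
PRIVACY_BIT = 0x0010            # capability-info bit 4: WEP ("privacy") required
MGMT_HDR_LEN = 24               # FC, duration, addr1..addr3, sequence control
FIXED_LEN = 12                  # timestamp(8) + beacon interval(2) + capability(2)


def build_mgmt_frame(subtype, bssid, ssid, channel, privacy):
    """Build a minimal beacon/probe response (addr1 = broadcast, addr2 = addr3 = BSSID)."""
    fc = bytes([subtype << 4, 0])                 # version 0, type 0 (management), subtype
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, PRIVACY_BIT if privacy else 0)
    ies = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])   # SSID IE, DS Parameter Set IE
    return hdr + fixed + ies


def parse_mgmt_frame(frame):
    """Return subtype, bssid, privacy flag, ssid and channel; None if not a beacon/probe response."""
    if len(frame) < MGMT_HDR_LEN + FIXED_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) not in (BEACON, PROBE_RESP):
        return None
    _, _, cap = struct.unpack_from("<QHH", frame, MGMT_HDR_LEN)
    info = {"subtype": "beacon" if (fc0 >> 4) == BEACON else "probe_resp",
            "bssid": ":".join(f"{b:02x}" for b in frame[16:22]),   # addr3 = BSSID
            "privacy": bool(cap & PRIVACY_BIT), "ssid": None, "channel": None}
    off = MGMT_HDR_LEN + FIXED_LEN
    while off + 2 <= len(frame):                  # walk the information elements
        tag, length = frame[off], frame[off + 1]
        data = frame[off + 2: off + 2 + length]
        if len(data) != length:
            break                                 # truncated IE: stop rather than over-read
        if tag == 0:                              # SSID; zero length means broadcast SSID is off
            info["ssid"] = data.decode("utf-8", "replace")
        elif tag == 3 and length == 1:            # DS Parameter Set: channel number
            info["channel"] = data[0]
        off += 2 + length
    return info


def audit(frames, authorized_bssids=AUTHORIZED_BSSIDS, authorized_ssids=AUTHORIZED_SSIDS):
    """Fold a capture into one record per BSSID and classify each one."""
    aps = {}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info is None:
            continue
        ap = aps.setdefault(info["bssid"], {"ssid": None, "hidden": False,
                                            "privacy": info["privacy"], "channel": info["channel"]})
        if info["subtype"] == "beacon" and info["ssid"] == "":
            ap["hidden"] = True                   # beacon with empty SSID: hidden network
        elif info["ssid"]:
            ap["ssid"] = info["ssid"]             # from a beacon, or a probe response revealing it
    report = {}
    for bssid, ap in aps.items():
        flags = []
        if ap["hidden"]:
            flags.append("hidden-ssid")
        if not ap["privacy"]:
            flags.append("no-wep")
        if bssid not in authorized_bssids and ap["ssid"] in authorized_ssids:
            flags.append("spoofs-authorized-ssid")   # SSID alone is not proof of legitimacy
        status = "authorized" if bssid in authorized_bssids else "rogue-candidate"
        report[bssid] = {"status": status, "ssid": ap["ssid"], "channel": ap["channel"], "flags": flags}
    return report


# Constructed capture: an authorized AP, a default-configuration consumer AP, and
# an AP with broadcast SSID disabled that later answers a probe request.
SAMPLE_FRAMES = [
    build_mgmt_frame(BEACON, bytes.fromhex("004096112233"), b"corp-leap", 1, True),
    build_mgmt_frame(BEACON, bytes.fromhex("00045aaabbcc"), b"linksys", 6, False),
    build_mgmt_frame(BEACON, bytes.fromhex("00904b010203"), b"", 11, True),
    build_mgmt_frame(PROBE_RESP, bytes.fromhex("00904b010203"), b"engineering", 11, True),
]

if __name__ == "__main__":
    for bssid, record in audit(SAMPLE_FRAMES).items():
        print(bssid, record)
```

Running the script reports the Aironet BSSID as authorized, the Linksys BSSID as a rogue candidate with no WEP, and the D-Link BSSID as a rogue candidate whose hidden SSID ("engineering") was only learned from the probe response, which is exactly why a one-time sweep of a lightly loaded area can miss it. Feeding real captures requires a radio in monitor mode and stripping the capture format's radiotap or Prism header before the 802.11 header; that part is outside the example.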
Using Cisco Emergency Responder to Locate AP-based on MAC Address, page 9-18
A large number of software tools are available to aid in detecting rogue APs from a wired management
station on the Ethernet portion of the network.
Table 9-6 summarizes the advantages and disadvantages of wired detection of rogue APs.
Table 9-6 Wired Detection of Rogue APs (columns: Advantages, Disadvantages)
Table 9-7 provides a partial list of MAC OUIs used by AP vendors. This table was obtained from the
aptools site at aptools.sourceforge.net.
Table 9-7 AP Vendor MAC OUIs
Manufacturer            OUI(s)
3Com                    0001.03|0004.76|0050.da|0800.02
Addtron                 0040.33|0090.d1
(name not recovered)    0050.18
Apple                   0030.65
Aironet                 0040.96
Atmel                   0004.25
Bay Networks            0020.d8
BreezeNet               0010.e7
Cabletron (Enterasys)   0001.f4|00e0.63
Camtec                  0000.ff
Compaq                  0050.8b
D-Link                  0005.5d|0040.05|0090.4b
Delta Networks          0030.ab
Intel                   0002.b3
Linksys                 0003.2f|0004.5a
Lucent                  0002.2d|0060.1d|0202.2d
Nokia                   00e0.03
Samsung                 0000.f0|0002.78
Senao Intl              0002.6f
SMC                     00e0.29|0090.d1
SOHOware                0080.c6
Sony                    0800.46
Symbol                  00a0.f8|00a0.0f
Z-Com                   0060.b3
Zoom                    0040.36
Table 9-8 presents a summary of monitoring tools for APs based on known MAC addresses.
Table 9-8 Monitoring Tools for APs Based on Known MAC Addresses
APTools (aptools.sourceforge.net; aptools.sourceforge.net/wireless.ppt): Can discover APs based on MAC address, then determine whether it is an AP (not a wireless NIC) via HTTP. Can also check security settings (WEP) and SNMP settings via HTML.
arpwatch (www-nrg.ee.lbl.gov): Arpwatch is a tool that monitors Ethernet activity and keeps a database of Ethernet/IP address pairings. It also reports certain changes via email.
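The OUI list in Table 9-7 and the aptools/arpwatch approach in Table 9-8 can be combined into a scripted wired audit over a switch's MAC address table, which is the "regular scripted audits" detection method shown in the earlier figures. The Python script below is an added example and is not code from the Cisco document or from aptools. It matches the OUI of every learned MAC against the vendors in Table 9-7, and it also counts MACs per access port, because a rogue AP bridging several wireless clients shows up as several MACs behind one port, the same symptom the per-port MAC filter is meant to catch. The switch output, the authorized AP MAC, the per-port limit of two (PC plus IP phone, from the document's port-filter discussion) and the set of vendors whose OUIs also appear on ordinary NICs are assumptions made up for the example.

```python
"""Wired-side rogue AP detection from a switch MAC address table:
(1) match each learned MAC's OUI against the AP-vendor list of Table 9-7, and
(2) flag ports with more MACs behind them than a PC plus an IP phone.

Added example, not from the Cisco document or from aptools. The switch output
below is constructed for the example."""
import re
from collections import defaultdict

# OUIs exactly as listed in Table 9-7 (Cisco dotted notation, 'a|b' = several).
AP_VENDOR_OUIS = {
    "3Com": "0001.03|0004.76|0050.da|0800.02", "Addtron": "0040.33|0090.d1",
    "Apple": "0030.65", "Aironet": "0040.96", "Atmel": "0004.25",
    "Bay Networks": "0020.d8", "BreezeNet": "0010.e7",
    "Cabletron (Enterasys)": "0001.f4|00e0.63", "Camtec": "0000.ff",
    "Compaq": "0050.8b", "D-Link": "0005.5d|0040.05|0090.4b",
    "Delta Networks": "0030.ab", "Intel": "0002.b3", "Linksys": "0003.2f|0004.5a",
    "Lucent": "0002.2d|0060.1d|0202.2d", "Nokia": "00e0.03",
    "Samsung": "0000.f0|0002.78", "Senao Intl": "0002.6f", "SMC": "00e0.29|0090.d1",
    "SOHOware": "0080.c6", "Sony": "0800.46", "Symbol": "00a0.f8|00a0.0f",
    "Z-Com": "0060.b3", "Zoom": "0040.36",
}
# Assumption: vendors whose OUIs are also common on ordinary NICs/PCs, so a hit
# on them is low confidence until the HTTP/SNMP follow-up check aptools does.
NIC_VENDORS = {"3Com", "Apple", "Compaq", "Intel", "Nokia", "Samsung", "Sony"}
AUTHORIZED_AP_MACS = {"004096112233"}   # assumption: the enterprise's own APs
MAX_MACS_PER_PORT = 2                   # PC + IP phone, per the document's port-filter guidance

MAC_TABLE_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)",
    re.IGNORECASE)


def build_oui_index():
    """Map 6-hex-digit OUI -> list of vendors (0090.d1 is shared by Addtron and SMC)."""
    index = defaultdict(list)
    for vendor, ouis in AP_VENDOR_OUIS.items():
        for oui in ouis.split("|"):
            index[oui.replace(".", "").lower()].append(vendor)
    return index


def normalize_mac(mac):
    """Accept 0040.9611.2233, 00:40:96:11:22:33 or 00-40-96-11-22-33."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return hexdigits


def parse_mac_table(text):
    """Parse IOS 'show mac-address-table' output into (vlan, mac, port) tuples."""
    entries = []
    for line in text.splitlines():
        m = MAC_TABLE_RE.match(line)
        if m:
            entries.append((int(m["vlan"]), normalize_mac(m["mac"]), m["port"]))
    return entries


def find_rogue_candidates(text, index=None):
    index = index or build_oui_index()
    findings, per_port = [], defaultdict(set)
    for vlan, mac, port in parse_mac_table(text):
        per_port[port].add(mac)
        if mac in AUTHORIZED_AP_MACS:
            continue                                  # known production AP
        vendors = index.get(mac[:6])
        if vendors:
            confidence = "low" if all(v in NIC_VENDORS for v in vendors) else "medium"
            findings.append({"kind": "oui-match", "port": port, "vlan": vlan,
                             "mac": mac, "vendors": vendors, "confidence": confidence})
    for port, macs in per_port.items():
        if len(macs) > MAX_MACS_PER_PORT:             # more hosts than one PC + one phone
            findings.append({"kind": "too-many-macs", "port": port,
                             "count": len(macs), "macs": sorted(macs)})
    return findings


# Constructed sample: Fa0/1 is the authorized Aironet AP; Fa0/7 has a Linksys
# OUI plus two Intel client MACs behind it; Fa0/9 has a Compaq OUI (low confidence).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0040.9611.2233    DYNAMIC     Fa0/1
  10    0004.5aaa.bbcc    DYNAMIC     Fa0/7
  10    0002.b3cc.dd01    DYNAMIC     Fa0/7
  10    0002.b3cc.dd02    DYNAMIC     Fa0/7
  20    0050.8b11.2233    DYNAMIC     Fa0/9
  20    000c.2901.0203    DYNAMIC     Fa0/9
"""

if __name__ == "__main__":
    for finding in find_rogue_candidates(SAMPLE_MAC_TABLE):
        print(finding)
```

The OUI match on Fa0/7 and the three MACs behind that port reinforce each other; the Compaq hit on Fa0/9 is the kind of result the document warns about, since the OUI belongs to both APs and PCs and needs the HTTP or SNMP probe that aptools performs before it is treated as a rogue. The MAC table alone cannot tell a bridging AP from a hub, so a port flagged here is a lead for the physical-observation and wireless-audit steps, not a verdict.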
Table 9-9 OS Fingerprinting Tools
NMAP (www.insecure.org/nmap/index.html; www.insecure.org/nmap/nmap-fingerprinting-article.html): Very well known, popular and respected tool. Unproven as a rogue AP detection tool, but may be useful in conjunction with other rogue AP detection techniques. Generates alerts in intrusion detection and personal firewall systems.
xprobe (www.sys-security.com/html/projects/X.html): Xprobe 1 combines various remote active operating system fingerprinting methods using the ICMP protocol, which were discovered during the ICMP Usage in Scanning research project, into a simple, fast, efficient and powerful way to detect the underlying OS of a targeted host. Xprobe2 is an active operating system fingerprinting tool with a different approach to operating system fingerprinting. Xprobe2 relies on fuzzy signature matching, probabilistic guesses, multiple matches simultaneously, and a signature database. Unproven as a rogue AP detection tool, but may be useful in conjunction with other rogue AP detection techniques. Generates alerts in intrusion detection and personal firewall systems.
Employees using WLAN access in locations where WLAN access should not be available.
Chapter 10
WLAN as one of the best mechanisms for providing Guest Network access
The need for guest access has evolved as the needs of guests have evolved. Once it was sufficient to
provide guests a chair and a phone; now, in the age of laptops, networked applications, and digital phone
lines, the guest is disconnected while visiting your enterprise.
Guest Networks are network connections provided by an enterprise to allow their guests to gain access to
the Internet, and to the guest's own enterprise, without compromising the security of the host enterprise.
Figure 10-1 illustrates the Guest Access Network concept. Guests are within the Enterprise Network,
but are only able to access the Internet; enterprise employees have full access to the enterprise
applications and the Internet.
This chapter addresses Guest Access WLANs in the following sections:
Figure 10-1 (diagram: guests within the Enterprise Network reach only the Internet; employees reach the enterprise applications and the Internet)
Increased Security
It may appear counter-intuitive that Guest Network access increases security, but the reality is that Guest
Network access occurs in Enterprise Networks now, but in an uncontrolled manner. These guests are not
hackers; they are simply highly motivated people trying to get their job done. The main concern with
these guests is that they are a potential source of viruses, worms, and Trojans. The PC with which they
connect to the Enterprise Network might not have the security systems that exist on the local enterprise
PCs.
Guest Network access provides guests of this type with a way to connect to an Enterprise Network in
order to be more productive, while limiting the risk to the host organization. Why risk violating policy
and risk the relationship with the host when there is a credible solution?
Increased Productivity
The guest of an enterprise is there for a reason, because the enterprise wants them to perform a task.
The more efficiently this task is performed, the better it is for both enterprises. If a service technician is
visiting the enterprise, it is in the enterprise's interest for that service/repair to happen within the
minimum amount of time and with the least amount of disruption.
If a salesperson is visiting the enterprise, it is in the enterprises interest that the presentation be accurate
and up-to-date. By having immediate access to information, the salesperson is able to position products
appropriately and answer as many questions as possible while at the enterprise. This immediate
responsiveness could potentially lead to orders being placed while on-site.
Provides wide coverage, including areas such as lobby and waiting rooms that may not traditionally
have cabling
Allows partners to access their network resources while in meeting rooms, offices, giving them the
productivity benefits that WLAN gives the enterprise employees.
User Authentication: People who are not guests may access the Guest Network through their
physical proximity to the WLAN Guest Network. This is not an issue in a wired network, as the
guest has to be brought past the physical security. This means that the WLAN Guest Network
requires user authentication, authorization and accounting, above that required for the wired
network.
Web Authentication: Web interface authentication relies on the ubiquity of HTML browsers. Prior
to using the Guest Network, users must launch their HTML browser and try to access a web site.
The user's HTML browser is forced to an authentication page, and the user must enter
authentication details before access is granted. HTML browser authentication does not generate
dynamic per-session encryption keys and, in order to make the WLAN easy to use and easy to
support, no static encryption is used on the WLAN link. This means that authenticated users are
only distinguishable from unauthenticated users through their IP addresses and MAC addresses (if
on the same Layer-2 network). As the IP address and MAC address are sent in clear text, they are
open to exploitation through IP address and MAC address spoofing.
The Cisco Building Broadband Service Manager (BBSM) is specifically designed for guest access
applications and, apart from providing a sophisticated HTML-controlled user interface, it provides
MAC-level authentication if the client is on the same Layer-2 network as the BBSM, and uses switch
and AP management interfaces to control where and when a client can use the network.
Cisco IOS Authentication Proxy: Included in the Cisco IOS firewall feature set; provides a simple
HTML interface; and controls access based upon a client's IP address.
IPSec VPN Clients: Another client that offers strong authentication, authorization and privacy and
could potentially be used as a Guest Network access client. The major barrier in this case would be
the installation of an appropriate client on guest machines, and the interaction of two IPSec VPN
clients, one client providing guest access and the other client providing secured access across the
Internet to the guest's home network.
Time of Day Control: Just as physical security can control who has access to the wired network, it
can also control who is present at a particular time of day. As a WLAN cannot rely upon physical
security to control users, it cannot stop users from accessing the network outside of permitted hours.
This means that the WLAN Guest Network must provide time-of-day control over when the service
is made available.
Additional Security: Given the weaknesses described above, the WLAN Guest Network cannot be
considered as secure as the wired network and might require additional policies, processes,
configuration, and equipment to ensure that an attack on the Enterprise Network through the WLAN
Guest Network is not successful.
Wired Network: The WLAN Guest Network is simply a WLAN VLAN configuration; the wired
network contains the key components that control the Guest Network. Guests get authenticated
access to the Internet, while ensuring that guests are not able to access the host enterprise's systems.
There are three primary configurations in the wired network:
VLAN controlled access, where the wired Guest VLAN is extended all the way to the
to get to the Internet, but is prevented from accessing the Enterprise Network through the use of
ACLs; and routing table separation (where Guest Network traffic uses separate routing tables on
the Enterprise Network to prevent access to the Enterprise Network).
The choice of which wired-network configuration is best depends on the existing Enterprise
Network. The configuration of the wired Enterprise Network to provide Guest Network access and
the transport of Guest Network traffic is discussed in Chapter 5, Wireless LAN VLANs.
Other Considerations from the Wired Network: Even though the WLAN Guest Network is primarily a
WLAN extension of a wired Guest Network, the lack of control of physical access and the possible
spoofing of legitimate users to gain access heighten the security risk associated with Guest Networks.
Therefore additional tools, such as Intrusion Detection Systems (IDS), should be considered to
detect suspicious behavior.
1. Create a Guest WLAN VLAN with no encryption, open authentication, and a broadcast SSID.
2. Choose a Wired Guest Network model that best fits your Enterprise Network.
3. Choose an HTML authentication service that best fits your needs and topology.
4.
No Encryption: The entry and format of the WEP key varies from client to client, users can easily
incorrectly enter the WEP key, and the WEP key would quickly become compromised as it is being
distributed in an uncontrolled manner.
This allows the Guest Access WLAN to adopt the minimum configuration while serving the widest range
of WLAN clients. It also matches the configuration most used in WLAN hotspots today.
Figure 10-2 shows the Aironet Client Utility (ACU) configuration that would be used to gain access to
the Guest Network. The key features of this setup are as follows:
The SSID is configured to match the SSID that is broadcast by the enterprise WLAN Guest
Network; a blank entry would also suffice if the AP is configured as recommended in this document.
No WEP is selected.
Network Topology
Figure 10-1 on page 10-2 shows a general schematic illustrating how Guest Network traffic is tunneled
across the Enterprise Network. This tunnel can be achieved via multiple technologies depending on the
Enterprise Network architecture and requirements.
Figure 10-3 shows a schematic of three different tunnel possibilities:
ACL Separation: The Guest VLAN is terminated at an access router; ACLs are used to ensure that
Guest Network traffic is unable to go to enterprise addresses.
Routing Table Separation: The Guest VLAN terminates at the access router and separate routing
tables ensure that Guest Network traffic is able to go nowhere but the DMZ.
In each of the tunneling possibilities Guest Network users are authenticated by a BBSM before gaining
access to the DMZ. Authentication of users of the Guest Network is needed to prevent the Guest Network
being used for non-authorized purposes. The BBSM is an example of a Cisco product designed for this
purpose, but other tools such as Cisco IOS and PIX authentication proxy may be used, and their location
in the network might be closer to the access network, such that users are authenticated at the access
router.
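The ACL separation option above (and the same option under the wired-network considerations earlier) is the one where a rule-ordering mistake silently lets guest traffic reach enterprise addresses. The Python script below is an added example and is not configuration from the Cisco document. It renders the Cisco IOS extended ACL for the guest VLAN from a declared policy and evaluates sample flows against the same ordered rules (first match wins, implicit deny at the end), so the ordering can be reviewed before the ACL is applied inbound on the guest VLAN interface with ip access-group. The guest subnet 10.85.0.0/24, the DMZ network 192.0.2.0/24 with its portal and DNS hosts, the RFC 1918 ranges standing in for the enterprise address space, and the sample flows are assumptions made up for the example.

```python
"""ACL separation for a guest VLAN: render the Cisco IOS extended ACL from a
declared policy and evaluate flows against the same ordered rules.

Added example, not configuration from the Cisco document. Addresses and
flows are assumptions made up for the example."""
import ipaddress

GUEST_NET = ipaddress.ip_network("10.85.0.0/24")        # wired/WLAN guest VLAN
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")          # DMZ holding the web-auth portal and DNS
ENTERPRISE_NETS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_SERVICES = [                                        # (host, proto, port) guests may reach
    ("192.0.2.10", "tcp", 80),    # web-auth portal (BBSM or auth-proxy), HTTP
    ("192.0.2.10", "tcp", 443),   # web-auth portal, HTTPS
    ("192.0.2.53", "udp", 53),    # guest DNS resolver
]
ANY = ipaddress.ip_network("0.0.0.0/0")


def build_rules():
    """Ordered rules: (action, proto, src_net, dst_net, dst_port or None)."""
    rules = [("permit", proto, GUEST_NET, ipaddress.ip_network(f"{host}/32"), port)
             for host, proto, port in DMZ_SERVICES]
    rules.append(("deny", "ip", GUEST_NET, DMZ_NET, None))        # nothing else in the DMZ
    rules += [("deny", "ip", GUEST_NET, net, None) for net in ENTERPRISE_NETS]
    rules.append(("permit", "ip", GUEST_NET, ANY, None))          # the Internet
    rules.append(("deny", "ip", ANY, ANY, None))                  # explicit catch-all (logging point)
    return rules


def _ios_addr(net):
    """Render an address the way an IOS extended ACL expects it (wildcard mask)."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def render_ios_acl(name="GUEST-IN"):
    lines = [f"ip access-list extended {name}"]
    for action, proto, src, dst, port in build_rules():
        line = f" {action} {proto} {_ios_addr(src)} {_ios_addr(dst)}"
        if port is not None:
            line += f" eq {port}"
        lines.append(line)
    return "\n".join(lines)


def evaluate(src_ip, dst_ip, proto, dst_port=None):
    """First-match evaluation of build_rules(); returns 'permit' or 'deny'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in build_rules():
        if rproto != "ip" and rproto != proto:
            continue
        if src not in rsrc or dst not in rdst:
            continue
        if rport is not None and rport != dst_port:
            continue
        return action
    return "deny"   # IOS implicit deny, kept for completeness


SAMPLE_FLOWS = [  # constructed flows: (src, dst, proto, dst_port)
    ("10.85.0.23", "203.0.113.5", "tcp", 80),       # guest -> Internet web site
    ("10.85.0.23", "192.0.2.10", "tcp", 443),       # guest -> web-auth portal
    ("10.85.0.23", "192.0.2.10", "tcp", 22),        # guest -> portal management (SSH)
    ("10.85.0.23", "10.1.4.7", "tcp", 445),         # guest -> internal file server
    ("10.85.0.23", "192.168.10.9", "icmp", None),   # guest -> internal host (ping)
    ("10.1.4.99", "203.0.113.5", "tcp", 80),        # non-guest source address on the guest VLAN
]

if __name__ == "__main__":
    print(render_ios_acl())
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(*flow))
```

Two points the flows bring out: the DMZ must be denied as a whole after the per-service permits, otherwise the final "permit to the Internet" rule reaches every other port on the DMZ hosts; and scoping every permit to the guest subnet means a frame with a spoofed non-guest source address hits the catch-all deny, which is the wired-side counterpart to the spoofing concern raised under Web Authentication. Any enterprise address space outside RFC 1918 has to be added to ENTERPRISE_NETS, and the resulting ACL is applied with ip access-group GUEST-IN in on the guest VLAN interface of the access router.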
Figure 10-3 (diagram of three options across the Enterprise Network, each with guest traffic authenticated before the DMZ: tunnel to the DMZ; WLAN VLAN separation; ACL separation)
Figure 10-4 (diagram: Guest, PEAP, IPSec, LEAP and Admin SSIDs/VLANs on the AP and the switch)
The configuration fragment below shows an example configuration for the switch connecting the AP to
the Enterprise Network. Points to note include:
The VLANs allowed for the AP connection are limited to the mandatory VLANs (1, 1002-1005) and
the VLANs used on the AP (10, 20, 30, 40 and 85).
interface FastEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 40
switchport trunk allowed vlan 1,10,20,30,40,825,1002-1005
switchport mode trunk
As VLANs are supported on two different platforms with different user interfaces and structure, the
configuration examples are broken into two sections: the VxWorks-based AP 1200 (supported on the AP
340 as well); and the Cisco IOS-based AP 1100.
Protocol Filters: Guests would be expected to use specific protocols, such as ARP and IP; all other
protocols on the WLAN guest VLAN can be blocked.
Source Address: The users on the WLAN guest VLAN will have IP addresses assigned through
DHCP, and the AP (Cisco IOS APs only); as a result, network administrators can apply address
filters to permit access by specific network addresses, while blocking others.
Terminology Notes
The introduction of VLANs to the APs introduces a number of new definitions such as:
Default VLAN: This is the VLAN associated by default with an SSID; the name allows for the
RADIUS server to provide a different VLAN number based on the group membership of a user.
Primary SSID: The AP is only capable of sending one set of information in its beacons; the
information that is sent in the beacons is that of the VLAN associated with the Primary SSID.
Guest SSID: The AP can only have a single VLAN that accepts unencrypted traffic. The SSID
associated with this VLAN is called the Guest SSID.
Infrastructure SSID: Infrastructure such as repeaters and workgroup bridges can be associated with
the AP on one particular VLAN. The SSID associated with this VLAN is called the Infrastructure
SSID.
Native VLAN: 802.1q allows for one of the VLANs in the trunk to be native, thereby not requiring
802.1q encapsulation and making it possible to remain connected with the AP when trunking is
enabled on the switch before it is on the AP, or vice versa. The VLAN that is given this capability
is called the Native VLAN.
AP 1200 Configuration
The key AP 1200 configuration processes are presented in the following sections:
Configuring VLANs
The first step in configuring the AP is the creation of the VLANs. To ensure continuous communication
with the AP, care should be taken to have a Native VLAN configured before 802.1Q tagging is enabled.
Figure 10-5 shows the VLAN Setup screen; this allows individual VLANs to be created or removed, and
the Native VLAN and Unencrypted VLAN (Guest VLAN) to be set. In this example:
The Native VLAN (VLAN 40) is the VLAN that will have the AP's IP interface
Figure 10-5 Creating VLANs and Assigning the Native and Guest VLANs
When the Add New button creates a new VLAN, the screen automatically changes to the VLAN security
screen shown in Figure 10-6. This allows the VLAN WEP configuration to be entered. In the example
shown in Figure 10-6 the Guest VLAN is being configured and there is no WEP data entered; all of the
other settings in this case have been left at default.
Configuring SSIDs
Once the VLANs have been created and configured with the appropriate WEP settings, the Service Set
Identifiers (SSIDs) can be entered and associated with the appropriate VLAN.
Figure 10-7 shows the AP Radio Service Sets screen. Four SSIDs have been entered and SSID 3 (LEAP)
has been nominated as the Infrastructure SSID. From Figure 10-7 it can be seen that SSID 1 is the
Primary SSID.
The Primary SSID is configured on the AP 1200 through the standard SSID configuration mechanism
(through the SSID configuration fields in the Express Setup screen or the AP Radio Identification
screen). The default Primary SSID, for example, is tsunami (the name guest was simply entered as an
example).
Note
The Primary SSID is the one advertised in beacons. Since a broadcast SSID is recommended for guest
use, this is the SSID that should be made primary. To ensure successful configuration this should be the
first SSID configuration made, because ownership of the Primary SSID cannot be transferred to another
SSID.
Figure 10-7 shows the SSID used for Infrastructure Stations. The Guest VLAN should not be used for
Infrastructure Stations, and therefore another VLAN must be chosen (VLAN 3 in this case), and
Infrastructure Stations on other VLANs disallowed.
When an SSID is added or edited, the screen shown in Figure 10-8 appears. This allows the
authentication mechanism for the SSID and the VLAN associated to that SSID to be set. The example
shown in Figure 10-8 is the Primary SSID configuration. The important settings are:
The SSIDIn this case guest is used, but the SSID can be anything the enterprise thinks is
appropriate.
AP 1100 Configuration
The configuration of the AP 1100 follows a similar sequence to that of the AP 1200. Figure 10-9 shows
the creation of the different VLAN numbers and the selection of the default VLAN. To create a VLAN:
If an SSID already exists for this VLAN, an association between the two can be built by selecting that
SSID from the SSID: drop box before pressing Add.
Once the VLANs have been created, the user must go to the WEP Key Manager and configure the
appropriate WEP settings for each VLAN.
Figure 10-10 shows the settings for the VLAN that will become the Guest Network VLAN.
Figure 10-11 shows the WEP configuration for the VLAN that will become the IPSec VLAN.
Note
Even though the IPSec VLAN does not need WEP encryption for privacy, it must be configured with
WEP to provide VLAN separation at the radio interface.
Figure 10-10 Guest Access VLAN with No Encryption
Once the VLANs have been created and had their WEP properties configured, SSIDs can be created,
authentication methods set, and the SSIDs paired with the appropriate VLANs.
Figure 10-12 shows the configuration of the guest SSID, with open authentication, and pairing it with
VLAN 10. In the lower portion of Figure 10-12, the Guest Mode SSID and Infrastructure SSIDs are set.
The Guest Mode SSID determines whether the SSID will be broadcast in AP beacons, and therefore the
example SSID of guest is selected.
Figure 10-12 Setting per SSID Authentication and Global SSID Properties
Figure 10-13 shows a summary page on the AP 1100 that shows a view of the different SSID and VLAN
number pairings, along with their authentication mechanisms.
Figure 10-13 SSID VLAN Summary Page
Chapter 11
Site sizing table (extraction garbled the layout; values as extracted, in order: Campus, Major Office; 12000, 2 x 110, 70, 3000, 5 x 80; Americas 500, 500; Totals 16000, 620, 1400; Grand total 18020; 3 x 80, 50, 240, 1000, 2000, 4 x 200, 20, 1500, 1 x 160; Total 3500, 960; Grand Total 4860; 1200, 1000, 500; Total 2700; Grand Total 3940; Asia Pacific 400)
The campuses and major offices have local network servers and some degree of local technical support;
branch offices are supported remotely. Almost all offices have resilient network connections.
The network is IP only, and is Quality of Service (QoS) enabled.
The current application authentication mechanism within the network is usernames and passwords, the
network operating system is Microsoft Active Directory, current local access is controlled by physical
security, and remote access is through IPSec virtual private networks (VPNs) authenticated with
one-time passwords (OTP).
The wired network is the primary network; the WLAN is to be an overlay network in most cases. Where
the WLAN is used in manufacturing and warehouses it is the primary network.
Customer Requirements
The organization requires the WLAN for employee laptop computers and requires it to provide the same
application support as its wired LAN, this includes QoS and multicast support.
In addition to laptop support the organization requires:
Support for Windows XP and Windows 2000 laptops (the majority of users) throughout the
enterprise.
The organization plans to have 802.11 integrated into future laptop computer purchases.
Support for wireless barcode scanners at selected locations (manufacturing and warehouse)
Rogue AP mitigation.
WLAN Considerations
This case study presents an example environment that addresses a variety of WLAN-specific
considerations. These are summarized in the following sections:
RF Environment
The majority of this organization's buildings are office space, but there are sections which would be
considered light industrial. The office buildings are not thought to have any extraordinary sources of RF
interference, but the light industrial areas may.
The organization is concerned about radio frequency (RF) interference from the WLANs of other
enterprises, particularly when the office is in a multi-tenant building.
Security
The organization wishes to maintain its privacy and preserve the integrity of its network, but it has no
regulatory requirement to use a specific encryption or authentication mechanism.
Ease of use is a major consideration, and integration with existing authentication mechanisms is a
requirement.
Rogue AP Mitigation
The organization found unauthorized WLAN installations within its enterprise and this is one of the
motivations for pursuing a formal WLAN installation. The organization wishes to investigate other
means of rogue AP mitigation.
Management
The organization has an existing Simple Network Management Protocol (SNMP) management system.
The WLAN management must integrate into this system, but must have tools to minimize the
management overhead of additional network devices introduced by the WLAN.
Roaming
The majority of the WLAN users are nomadic roamers. Clients will not be running Mobile IP, and there
is not a requirement to maintain sessions when roaming between floors or buildings.
QoS
The organization enabled QoS within its network and requires the WLAN to honor these QoS settings.
Multicast
A limited multicast deployment is planned.
Equipment Selection
Note
For related information, please refer to Chapter 3, WLAN Technology and Product Selection.
WLAN product selection considerations include:
Radio Selection
The two current radio types available in 802.11 are 802.11a (5 GHz) and 802.11b (2.5 GHz). 802.11b
is recommended due to its wider availability and RF licensing. 802.11a will be considered in areas
subject to high levels of interference in the 802.11b frequency bands, or where the density of users and
their throughput requirements exceed what can be provided by 802.11b.
The 802.11b equipment must be upgradable to 802.11g.
AP Selection
Cisco has three AP variations available:
AP 1200: dual mode supporting 802.11a and 802.11b, RP-TNC antenna connections; field upgradable to 802.11g.
AP 1100: 802.11b, field upgradable to 802.11g, Cisco IOS operating system, and fixed antenna.
As the organization wants upgradability to 802.11g, the AP 350 is excluded from the AP choices.
The Cisco AP 1200 is recommended for the campus and larger offices, allowing for greater flexibility in
antenna selection that might be necessary for RF deployments in multi-story and multi-tenant buildings.
These are locations that are most likely to require 802.11a in the future.
The Cisco AP 1100 is recommended for branch offices as a lower cost alternative. The branch offices
are expected to have lower throughput requirements and are less likely to require the additional channels
or different frequency bands of 802.11a.
Table 11-2 (AP counts by site size and region: Americas, EMEA, Asia Pacific; AP total 1754. The remaining cell layout was not recoverable from the extracted table.)
Security Selection
Note
EAP-Cisco
EAP/TLS
EAP/TTLS
PEAP
All of these options offer some degree of integration with Microsoft's directory and authentication
infrastructure, and the organization plans to use the Access Control Server (ACS) external database
group membership mapping to control which members of the Active Directory are given WLAN access.
EAP-Cisco is recommended because it supports Windows, supports 802.1x/EAP for other PC operating
systems (lacking 802.1x/EAP), and supports 802.1x/EAP for handheld devices. The case study
organization is interested in PEAP, due to support of multiple authentication types, but is still in the
process of assessing its ongoing authentication requirements.
It is recommended that WLAN VLANs be used to separate the different client types. This allows the
partitioning of clients with different security capabilities. For example, the handheld devices might
support EAP-Cisco, but might not support Cisco's implementation of TKIP and MIC, or the handheld
might have inadequate protection for the local usernames and passwords.
The different client types are to be separated into different VLANs by membership in an Active
Directory group. The mapping of these Active Directory groups and ACS groups is shown in
Figure 11-1.
The following sections summarize several ACS implementation considerations for this case study:
(Figure 11-1 and the ACS server placement figure: Active Directory group to ACS group mapping, and ACS / domain controller (DC) placement; diagram content not recoverable.)
Figure 11-3 shows the proposed AP authentication server management configuration. Servers
10.10.10.10 and 10.10.11.11 are the RADIUS servers used for client authentication. Servers 10.12.12.12
and 10.12.12.13 are the TACACS+ servers.
The preferred RADIUS server is the highest in the list (10.10.10.10). If the AP gets no response from
this server in two minutes, it uses the alternate server, and the primary server is put on the dead
server list for 30 minutes.
The choice of the timeout values and dead server list times reflects the preferred configuration for a
branch office and is based upon two assumptions:
The primary RADIUS server is the closest and therefore gives the best authentication performance.
In the event of a primary WLAN link failure, time is taken to detect the failure and converge
on the backup link. Events such as this should not result in a change of RADIUS server.
In the campus AP configurations, the RADIUS server timeout can be adjusted to a lower value to reflect
the smaller penalty in switching from primary to secondary servers.
Figure 11-3 AP Server Management
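The failover behaviour described above, as an added simulation that is not Cisco AP code: servers are tried in preference order, a silent primary is dead-listed once its timeout expires, and the alternate serves in the meantime. The clock is injected and the walk-through is constructed; the 2-minute timeout, 30-minute dead time and server addresses are the ones given in the text.

```python
"""Simulation of the AP RADIUS server selection the case study describes.
Added example, not Cisco AP code.  The 120 s timeout and 30-minute dead time
come from the text; the clock is passed in so the behaviour can be checked
offline without real RADIUS traffic."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

BRANCH_TIMEOUT_S = 120        # long enough to ride out backup-link convergence
BRANCH_DEAD_TIME_S = 30 * 60  # dead server is skipped for 30 minutes


@dataclass
class RadiusSelector:
    servers: List[str]                        # preference order, primary first
    timeout_s: int = BRANCH_TIMEOUT_S         # campus APs would use a lower value
    dead_time_s: int = BRANCH_DEAD_TIME_S
    dead_until: Dict[str, float] = field(default_factory=dict)

    def live_servers(self, now: float) -> List[str]:
        """Servers not on the dead list at time `now`, in preference order."""
        return [s for s in self.servers if self.dead_until.get(s, 0.0) <= now]

    def authenticate(self, now: float,
                     send: Callable[[str], Optional[bool]]) -> Optional[bool]:
        """Try live servers in order.  `send(server)` returns True/False for an
        Access-Accept/Access-Reject, or None when nothing arrived before the
        timeout.  A silent server is dead-listed from the moment its timeout
        expires; None is returned only if every live server was tried."""
        for server in self.live_servers(now):
            reply = send(server)
            if reply is not None:
                return reply
            now += self.timeout_s                 # the timeout has now elapsed
            self.dead_until[server] = now + self.dead_time_s
        return None


def branch_failover_scenario() -> dict:
    """Constructed walk-through: the primary (10.10.10.10) is silent at t=0, so
    the alternate (10.10.11.11) answers; the primary then recovers but stays
    skipped until its dead time has run out."""
    sel = RadiusSelector(["10.10.10.10", "10.10.11.11"])
    primary_alive = {"value": False}

    def send(server: str) -> Optional[bool]:
        if server == "10.10.10.10":
            return True if primary_alive["value"] else None
        return True                               # alternate always accepts

    first = sel.authenticate(0, send)             # alternate used after 120 s
    primary_alive["value"] = True                 # primary back, but dead-listed
    live_at_10m = sel.live_servers(10 * 60)       # still only the alternate
    live_at_35m = sel.live_servers(35 * 60)       # 120 s + 1800 s have passed
    return {"first": first, "live_at_10m": live_at_10m, "live_at_35m": live_at_35m}
```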
Branch Roaming
To ensure that authentication and roaming times are optimal for the branch's prioritization of traffic,
authentication traffic is handled as described in the 802.1x and EAP-Based Authentication Across
Congested WAN Links application note.
ACS-server user databases are replicated by a single server within the region. Figure 11-4 shows the
replication plan for the US region. Because the WLAN is using Active Directory databases, this
replication may be unnecessary, depending on whether EAP-Cisco devices are placed in the Active
Directory databases or the ACS.
(Figure 11-4: ACS database replication for the US region; diagram content not recoverable.)
Rogue AP
Note
For related information, please refer to Chapter 9, WLAN Rogue AP Detection and Mitigation.
Concerns about rogue AP deployments are one of the motivators for this WLAN deployment, apart from
the ROI associated with WLAN.
In addition to this WLAN deployment the enterprise plans the following:
Publishing the policy against rogue APs as part of the organization's communication about the
WLAN deployment.
Integrating rogue APs into the security strategy of protecting against unauthorized access. This is
part of a separate project using 802.1x to authenticate clients connecting to both the wired and
wireless network and using an intrusion detection system (IDS) to detect inappropriate behavior
on the network.
Management
The organization plans to deploy the Wireless LAN Solution Engine (WLSE) to manage its APs. This
helps deploy and maintain consistent AP configuration, monitor the system performance, and aid in
capacity planning and troubleshooting.
The WLSE manages 500 APs in the proposed WLSE deployment shown in Figure 11-5. WLSE
placement has capacity for 2500 APs. The dual WLSE deployment was implemented to meet capacity
requirements at the largest campus. Additional WLSE deployments reflect the local administration and
authentication domains, allowing the WLSE to monitor the EAP-Cisco authentication performance in all
of the regional campuses and to use and maintain configuration templates appropriate for the region.
(Figure 11-5: proposed WLSE deployment; diagram content not recoverable.)
For configuration details for the WLSE see the Configuration Guide for the CiscoWorks 1105 Wireless
LAN Solution Engine available at http://www.cisco.com.
The main WLAN client management issues for this enterprise are software version control and WEP-key
management. The use of EAP-Cisco solves the WEP-key management issue, and the organization is
planning to integrate the bundled client software packages into its software distribution system.
The enterprise is planning to permit users to control the ACU, because users might require other WLAN
profiles, and there are likely to be fewer client configuration issues if these WLAN configurations are
controlled in one location.
(Figures 11-6 and 11-7: WLAN subnet layout, with WLAN Subnets X, Y and Z and Subnets A, B, C and D; diagram content not recoverable.)
The roaming requirements and the subnet boundaries limit the organization's roaming focus to Layer-2
roaming. Layer-3 roaming is not required. If Layer-3 roaming were required, the organization would need
Mobile IP clients to be installed on the clients requiring this degree of mobility, because the planned use
of WLAN VLANs within the organization's network means that Proxy Mobile IP cannot be used.
For related information, please refer to Chapter 6, WLAN Quality of Service (QoS).
The organization already has QoS enabled on its network, using DSCP values to mark the traffic priorities.
It plans to use the QoS features of the APs to reflect these priorities on the WLAN.
The organization plans to trial WLAN VoIP in some locations once the WLAN network is deployed, but
this is considered a separate project.
For details on configuring QoS, refer to the Wireless Quality of Service Deployment Guide.
IP Multicast
Note
AP Configuration
Figure 11-9 shows the proposed VLAN configuration of the WLAN network. The AP is configured with
three VLANs: a PC VLAN, a Handheld VLAN, and a Management VLAN. The management VLAN is
the default VLAN for the AP and does not have an associated WLAN VLAN. This prevents management
of the APs from the WLAN. This management VLAN would normally be the management VLAN used
on the access layer switches. The WLAN VLANs are dedicated to WLANs and are separate from the
wired VLANs on the access switch.
Figure 11-9 AP VLANs (VLAN 10 Management, VLAN 20 PCs, VLAN 30 Handhelds on the AP; the wired side also carries VLAN 40 PCs and VLAN 50 Voice; diagram content not recoverable.)
Figure 11-10 and the Example Configuration: Config 1 section on page 11-16 show an excerpt from
the AP radio configuration. Note that VLAN 10 has encryption defined, but does not have an SSID
associated with it. This is because VLAN 10 has been configured as the management VLAN, and is only
meant to exist on the wired network.
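The authorization flow described under Security Selection (Active Directory group to ACS group to WLAN VLAN) and the management VLAN rule just stated, as an added example that is not Cisco ACS or AP code: the AD and ACS group names, the SSID names and the priority rule are assumptions; VLAN numbers 10, 20 and 30 are those of Figure 11-9, and the returned attributes are the RFC 2868 tunnel attributes used for RADIUS-based VLAN assignment.

```python
"""Added example (not Cisco ACS or AP code): maps a user's Active Directory
groups to an ACS group and then to the WLAN VLAN the AP places the client in,
and checks that the management VLAN is never reachable from the WLAN.
Group and SSID names are assumptions; VLAN numbers come from Figure 11-9."""
from typing import Dict, FrozenSet, List, Optional

MANAGEMENT_VLAN = 10        # AP default VLAN, wired side only, has no SSID

# Assumed AD group -> ACS group mapping (ACS external database group mapping).
AD_TO_ACS_GROUP: Dict[str, str] = {
    "WLAN-Laptops": "wlan-pcs",
    "WLAN-Scanners": "wlan-handhelds",
}
# Assumed ACS group -> VLAN.  Handhelds may lack TKIP/MIC support, so they are
# kept apart from the PCs instead of lowering the PC VLAN's protection.
ACS_GROUP_VLAN: Dict[str, int] = {"wlan-pcs": 20, "wlan-handhelds": 30}
# If a user is in more than one WLAN group, prefer the more capable client type.
ACS_GROUP_PRIORITY: List[str] = ["wlan-pcs", "wlan-handhelds"]


def acs_group_for(ad_groups: FrozenSet[str]) -> Optional[str]:
    """Map AD membership to one ACS group; None means no WLAN access."""
    mapped = {AD_TO_ACS_GROUP[g] for g in ad_groups if g in AD_TO_ACS_GROUP}
    for candidate in ACS_GROUP_PRIORITY:
        if candidate in mapped:
            return candidate
    return None


def vlan_attributes(ad_groups: FrozenSet[str]) -> Optional[Dict[str, str]]:
    """Access-Accept attributes for the client, or None for Access-Reject."""
    group = acs_group_for(ad_groups)
    if group is None:
        return None
    vlan = ACS_GROUP_VLAN[group]
    if vlan == MANAGEMENT_VLAN:       # policy error: must never be handed out
        raise ValueError("WLAN policy assigns the management VLAN")
    return {
        "Tunnel-Type": "VLAN",               # RFC 2868 value 13
        "Tunnel-Medium-Type": "IEEE-802",    # RFC 2868 value 6
        "Tunnel-Private-Group-ID": str(vlan),
    }


def ap_ssid_map_is_safe(ssid_to_vlan: Dict[str, int]) -> bool:
    """Check an AP's SSID -> VLAN map: no SSID may sit on the management VLAN,
    and every SSID must map to a VLAN that authorization can actually assign."""
    allowed = set(ACS_GROUP_VLAN.values())
    return all(v != MANAGEMENT_VLAN and v in allowed
               for v in ssid_to_vlan.values())
```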
For detailed WLAN VLAN configuration, including authentication based VLAN mapping information,
see the Wireless Virtual LAN Deployment Guide.