Cisco CCNP & CCIE Enterprise Core - ENCOR 350-401

CHAPTER 6
WLAN

CHAPTER 6: WIRELESS LOCAL AREA NETWORKS


- Chapter’s Agenda:
6.1 Analyze design principles of a WLAN deployment
6.1.a Wireless deployment models
(centralized, distributed, controller-less, controller based, cloud, remote branch)
6.1.b Location services in a WLAN design
6.2 Wireless
6.2.a Describe Layer 1 concepts, such as
(RF power, RSSI, SNR, interference noise, band and channels,
and wireless client devices capabilities)
6.2.b Describe AP modes and antenna types
6.2.c Describe access point discovery and join process
(discovery algorithms, WLC selection process)
6.2.d Describe the main principles and use cases for Layer 2 and Layer 3 roaming
6.2.e Troubleshoot WLAN configuration and wireless client connectivity issues
6.3 Configure and verify wireless security features
6.3.a EAP
6.3.b WebAuth
6.3.c PSK

6.1 WLAN Design Principles

6.1.a Deployment Models


- Autonomous Architecture
- Autonomous (Independent) Access Points
- independent management (GUI) of each AP
- one or more SSIDs (each SSID = 1 VLAN)
*when there are multiple SSIDs, each mapped to its own VLAN, the uplink
should be a trunk
*adding a new SSID requires logging in to each AP individually
- Split-MAC Architecture
- there is a WLC
- APs are now called Lightweight APs (LAPs)
- the WLC manages (RF, QoS, AAA, policies)
- the APs handle (RF TX/RX of frames, RF collision detection,
MAC & data management)

- Cloud-Based Architecture
- also uses a WLC
- but hosted remotely (in a public cloud, or a private cloud)
- also uses LAPs
- might be Cisco Meraki (which self-configures the LAPs)
- or a Cisco Catalyst 9800-CL

*in a WLC & LAP scenario there is a private tunnel between them;
it encapsulates and transfers all the control and data traffic between the
WLC and the LAPs. It is called “Control and Provisioning of Wireless Access Points”,
or “CAPWAP”
- 2 tunnels (control tunnel = UDP 5246, data tunnel = UDP 5247)
- control tunnel (encrypted and authenticated)
- data tunnel (not encrypted by default)

- Centralized WLAN Architecture


- single WLC that controls all the LAPs
- might be placed in the DC, or near the edge of the network
- all data must pass through the CAPWAP tunnel to reach the WLC
- even if the destination is closer than the WLC

- this can be fixed using Cisco FlexConnect


- which is a mode to be enabled on the LAPs
- especially when the LAPs are in a branch and the WLC is in the HQ
- LAPs can now switch client traffic directly onto the local LAN
- LAPs can now authenticate the clients for access
- LAPs can now keep working even if the CAPWAP tunnel goes down

- Converged WLAN Architecture


- a WLC and the APs are both connected to the same switch
- the access/distribution layer switch
- now the LAPs reach the WLC through that switch
- multiple WLCs will be needed in such a scenario
- this leads to a shorter CAPWAP path
- hence faster Wi-Fi and less delay

6.1.b Location Services


- some Cisco services (like DNAC)
- can visualize network topologies
- including access points and their clients
- can ask an AP to report where a client is located!
- the AP sends a signal to the client and receives a reply from the client
- based on the received signal strength from the client
- an approximate client location can be estimated!
- can also ask multiple APs to perform the same request at the same time
- this gives a much more accurate location for a certain client
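The following is an added worked example, not code from the notes or from any Cisco product: it shows why one AP only gives a rough position while three APs pin a client down. It assumes a log-distance path-loss model (reference RSSI at 1 m and a path-loss exponent, both made-up calibration values) to turn RSSI into distance, and then trilaterates from three AP positions; the floor plan and the RSSI readings are constructed inline.

```python
import math

# Assumed log-distance path-loss model (not from the notes): RSSI at 1 m and
# the path-loss exponent n. Real deployments calibrate both per site.
REF_RSSI_1M_DBM = -40.0
PATH_LOSS_EXPONENT = 2.0


def rssi_to_distance_m(rssi_dbm: float) -> float:
    """Invert the log-distance model: d = 10 ** ((P_1m - RSSI) / (10 n))."""
    return 10 ** ((REF_RSSI_1M_DBM - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))


def distance_to_rssi_dbm(distance_m: float) -> float:
    """Forward model; used here only to construct the sample readings."""
    return REF_RSSI_1M_DBM - 10 * PATH_LOSS_EXPONENT * math.log10(distance_m)


def locate_with_one_ap(rssi_dbm: float) -> float:
    """A single AP only yields a radius: the client is somewhere on a ring."""
    return rssi_to_distance_m(rssi_dbm)


def trilaterate(ap_positions: dict, readings: dict) -> tuple:
    """Estimate (x, y) from three APs' RSSI readings by linearising the three
    range circles and solving the resulting 2x2 linear system."""
    names = [n for n in readings if n in ap_positions][:3]
    if len(names) < 3:
        raise ValueError("need readings from three known APs")
    (x1, y1), (x2, y2), (x3, y3) = (ap_positions[n] for n in names)
    r1, r2, r3 = (rssi_to_distance_m(readings[n]) for n in names)
    # Subtracting circle 1 from circles 2 and 3 removes the squared unknowns.
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = r1**2 - r2**2 + x2**2 - x1**2 + y2**2 - y1**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = r1**2 - r3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("the three APs are collinear; choose a different trio")
    return (c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det


# Constructed floor plan (metres) with a client at (6, 8); the readings are
# generated with the same model so the example runs offline.
AP_POSITIONS = {"AP-A": (0.0, 0.0), "AP-B": (20.0, 0.0), "AP-C": (0.0, 20.0)}
TRUE_CLIENT = (6.0, 8.0)
SAMPLE_READINGS = {
    name: distance_to_rssi_dbm(math.dist(pos, TRUE_CLIENT))
    for name, pos in AP_POSITIONS.items()
}

if __name__ == "__main__":
    print("one AP only:", round(locate_with_one_ap(SAMPLE_READINGS["AP-A"]), 2), "m radius")
    print("three APs:", trilaterate(AP_POSITIONS, SAMPLE_READINGS))
```

With real readings the distances carry several metres of error (walls, multipath, client transmit power), so production location engines fit more than three APs and smooth over time; the linearised three-AP solve is the minimal form of the same idea.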

6.2 Wireless

6.2.a Layer 1 Concepts


- RF power
- the amount of power an antenna receives
- to be converted into electrical power
- measured in either watts or decibels relative to 1 milliwatt (dBm)
- attenuated by barriers in the path
- RF power determines signal strength
- important for “design”, to work out how many APs we need
to maintain signal strength
- important for “troubleshooting”, e.g. a slow internet connection

- RSSI
- received signal strength indicator
- an indicator of the quality of all the broadcasting SSIDs nearby

- Noise Floor and Interference


- other electromagnetic fields present in the space
- conflicting signals cause interference

- SNR
- signal-to-noise ratio
- the difference between the received signal and the noise floor
- Signal (-) Noise, in dB
- higher = better
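An added example (not from the notes) that ties RF power, attenuation, RSSI and SNR together into the design question the notes raise: how far can one AP reach before another is needed to keep the signal usable. It uses the standard free-space path-loss formula; the transmit power, antenna gain, per-wall loss, noise floor and SNR target are assumed design inputs, not values from the page.

```python
import math

# Constructed design inputs (assumptions, not from the notes): a 2.4 GHz AP
# radiating 20 dBm through a 3 dBi antenna, an assumed loss per interior
# wall, a measured noise floor, and the SNR the design has to meet.
TX_POWER_DBM = 20.0
ANTENNA_GAIN_DBI = 3.0
FREQ_MHZ = 2437.0          # channel 6 centre frequency
NOISE_FLOOR_DBM = -92.0
WALL_LOSS_DB = 4.0         # assumed attenuation per interior wall
MIN_SNR_DB = 25.0          # assumed design target


def dbm_to_mw(dbm: float) -> float:
    """dBm is decibels relative to 1 mW: 0 dBm = 1 mW, 20 dBm = 100 mW."""
    return 10 ** (dbm / 10)


def mw_to_dbm(mw: float) -> float:
    return 10 * math.log10(mw)


def free_space_path_loss_db(distance_m: float, freq_mhz: float) -> float:
    """Standard FSPL formula: 20*log10(d[m]) + 20*log10(f[MHz]) - 27.55."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def received_power_dbm(distance_m: float, walls: int = 0) -> float:
    """Expected RSSI at the client: EIRP minus free-space loss and wall loss."""
    loss = free_space_path_loss_db(distance_m, FREQ_MHZ) + walls * WALL_LOSS_DB
    return TX_POWER_DBM + ANTENNA_GAIN_DBI - loss


def snr_db(rssi_dbm: float, noise_floor_dbm: float = NOISE_FLOOR_DBM) -> float:
    """SNR = signal - noise, both in dBm, result in dB (higher is better)."""
    return rssi_dbm - noise_floor_dbm


def link_budget(distance_m: float, walls: int = 0) -> dict:
    rssi = received_power_dbm(distance_m, walls)
    snr = snr_db(rssi)
    return {"rssi_dbm": round(rssi, 1), "snr_db": round(snr, 1),
            "meets_target": snr >= MIN_SNR_DB}


def max_cell_radius_m(walls: int = 0, step_m: float = 1.0, limit_m: float = 500.0) -> float:
    """Largest distance (in 1 m steps) at which the SNR target still holds;
    cells larger than this need another AP to keep signal strength up."""
    d = step_m
    while d <= limit_m and snr_db(received_power_dbm(d, walls)) >= MIN_SNR_DB:
        d += step_m
    return d - step_m


if __name__ == "__main__":
    for walls in (0, 2):
        print(f"walls={walls}: 30 m -> {link_budget(30, walls)}, "
              f"max radius {max_cell_radius_m(walls)} m")
```

Free-space loss is the optimistic floor; real indoor surveys replace the wall constant with measured attenuation, which is exactly why the notes say RF power matters both for design (AP count) and for troubleshooting (a client reporting a low SNR).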

- Channels
- a group, or a range, of radio frequencies (RF)
- all encoding and transmitting data
- each frequency can be modulated differently (for more encoding)
- the total RF bandwidth used is then called the channel bandwidth

- Channels include Frequencies


- either from the 2.4 GHz range, or from the 5 GHz range
- channel bandwidth: the total bandwidth of the involved frequencies

https://en.wikipedia.org/wiki/2.4_GHz_radio_use#/media/File:2.4_GHz_Wi-Fi_channels_(802.11b,g_WLAN).svg
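An added example (not part of the notes) of the channel arithmetic behind the linked 2.4 GHz chart: centre frequencies, the span a channel occupies (its channel bandwidth), and which channels overlap. It goes slightly beyond the chart by handling both the 22 MHz DSSS width drawn there and the 20 MHz OFDM width of 802.11g/n; the three-AP floor plan at the bottom is constructed.

```python
# Channels 1-13 sit 5 MHz apart starting at 2412 MHz; channel 14 sits at 2484 MHz.
# Width is 22 MHz for 802.11b DSSS (as drawn in the linked chart) or 20 MHz for OFDM.
DSSS_WIDTH_MHZ = 22
OFDM_WIDTH_MHZ = 20


def channel_center_mhz(channel: int) -> int:
    if 1 <= channel <= 13:
        return 2412 + 5 * (channel - 1)
    if channel == 14:
        return 2484
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def channel_edges_mhz(channel: int, width_mhz: int = DSSS_WIDTH_MHZ) -> tuple:
    """Channel bandwidth = the total span of frequencies the channel occupies."""
    center = channel_center_mhz(channel)
    return center - width_mhz / 2, center + width_mhz / 2


def channels_overlap(a: int, b: int, width_mhz: int = DSSS_WIDTH_MHZ) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < width_mhz


def non_overlapping_plan(channels=range(1, 14), width_mhz: int = DSSS_WIDTH_MHZ) -> list:
    """Greedy pick of channels, lowest first, that do not overlap each other."""
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def plan_conflicts(ap_channels: dict, width_mhz: int = DSSS_WIDTH_MHZ) -> list:
    """Given {ap_name: channel} for APs that can hear each other, list the
    pairs whose channels overlap and would interfere with one another."""
    names = sorted(ap_channels)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if channels_overlap(ap_channels[a], ap_channels[b], width_mhz)]


if __name__ == "__main__":
    print("DSSS non-overlapping:", non_overlapping_plan())
    print("OFDM non-overlapping:", non_overlapping_plan(width_mhz=OFDM_WIDTH_MHZ))
    # Constructed sample floor plan: three APs within earshot of each other.
    print("conflicts:", plan_conflicts({"AP1": 1, "AP2": 3, "AP3": 11}))
```

The greedy plan reproduces the familiar 1/6/11 set for 22 MHz channels and 1/5/9/13 for 20 MHz channels (where regulations permit channel 13); `plan_conflicts` is the check to run over a survey's AP-to-channel map before blaming "interference" on something outside the building.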

- Client Device Capabilities


- a client device that receives a signal and data
- should have a transmit power comparable to the transmitter's
- download data is transmitted from the AP to the client
- acknowledgments, upload data, and other communications
- are transmitted from the client
- thus, capabilities should be comparable
- to avoid a mismatch in the exchange

6.2.b AP Modes and Antenna Types

- AP Modes
- Local Mode
- the default for a LAP
- CAPWAP to the WLC
- everything passes through the CAPWAP tunnel
- if CAPWAP fails, all clients are disconnected
- Bridged Mode
- allows an Autonomous AP to connect as a client to the LAP
- FlexConnect Mode
- a hybrid Cisco solution for LAPs
- Monitor Mode
- generates reports & statistics and sends them to the WLC

- Sniffer Mode
- scans a specific channel
- sends the capture reports to the WLC
- Sensor Mode
- performs SSID tests
- sends the test reports to DNA Center
- Mesh Mode
- a frame might traverse multiple mesh nodes
- before reaching the wired LAN
- uses the Adaptive Wireless Path Protocol (AWPP)
- to determine the best path to a root AP (RAP)

- Antenna Types
- Dipole Antenna
- common on home routers
- omnidirectional
- low power gain
- radiates in the horizontal plane only
- Yagi Antenna
- linear in shape and directional in transmission
- transmits in one direction only!!
- Patch Antenna
- also directional
- but with a wider beam than a Yagi
- Parabolic-Dish Antenna
- outdoor
- long distance
- very high power gain
- point-to-point (P2P) links
- Hidden Antenna (inside client devices)

6.2.c Access Point Discovery and Join Process

- CAPWAP
- Control and Provisioning of Wireless Access Points
- used in a WLC & LAP scenario
- there is a private tunnel between them
- it encapsulates and transfers all the control
and data information between the WLC and the LAPs
- creates 2 tunnels
- control tunnel = UDP 5246, data tunnel = UDP 5247
- control tunnel (encrypted and authenticated)
- data tunnel (not encrypted by default)

- Discovery and Join Process


- the LAP tries to find a WLC and bind a CAPWAP tunnel to it
- if the connection is via a switch (same broadcast domain)
- the broadcast CAPWAP discovery message (dst port = UDP 5246)
will reach a WLC
- if the connection is via a router!!
- enable port forwarding for UDP 5246
- assign an IP helper address on the receiving interface

- the LAP can be statically configured to join specific WLCs


(after the CAPWAP discovery)
- join by the name and IP of the WLC
- else, try to rejoin previously known WLCs
- or, enable DHCP option 43 on the DHCP server
- it will tell the LAP the IP of the WLC

- if multiple WLCs are available


- the order of discovery and assignment will be
- a statically configured WLC
- a previously known WLC
- a discovered WLC that is configured as a "Master Controller"
- the discovered WLC with the most free AP capacity (least loaded)
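An added model (not Cisco code, and not from the notes) of the two steps just described: which WLCs a LAP's UDP 5246 discovery can reach in a given topology (same subnet, IP helper, DHCP option 43, static configuration), and which of the responders it joins, in the order the notes give. The topology, controller names, IPs and capacities are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

CAPWAP_CONTROL_PORT = 5246   # discovery requests and the control tunnel
CAPWAP_DATA_PORT = 5247      # the data tunnel


@dataclass
class Wlc:
    name: str
    ip: str
    is_master: bool = False
    ap_capacity: int = 0     # licensed AP count
    ap_joined: int = 0       # APs already joined

    @property
    def free_ap_capacity(self) -> int:
        return self.ap_capacity - self.ap_joined


def discoverable_wlcs(ap_iface_cidr: str, wlcs: Iterable[Wlc],
                      helper_addresses: Iterable[str] = (),
                      dhcp_option43: Iterable[str] = (),
                      configured_ips: Iterable[str] = ()) -> List[Wlc]:
    """Which WLCs can receive the LAP's UDP 5246 discovery request: same
    broadcast domain, an IP helper on the router relaying it, a DHCP
    option 43 address, or a statically configured address."""
    ap_net = ipaddress.ip_interface(ap_iface_cidr).network
    unicast_targets = set(helper_addresses) | set(dhcp_option43) | set(configured_ips)
    found = []
    for wlc in wlcs:
        same_subnet = ipaddress.ip_address(wlc.ip) in ap_net
        if same_subnet or wlc.ip in unicast_targets:
            found.append(wlc)
    return found


def select_wlc(discovered: List[Wlc], configured_names: Iterable[str] = (),
               previously_known: Iterable[str] = ()) -> Tuple[Optional[Wlc], str]:
    """Join order from the notes: a configured WLC (primary, secondary,
    tertiary, in that order), then a previously known WLC, then a discovered
    master controller, then the discovered WLC with the most free AP capacity."""
    by_name = {w.name: w for w in discovered}
    for name in configured_names:
        if name in by_name:
            return by_name[name], "configured"
    for name in previously_known:
        if name in by_name:
            return by_name[name], "previously-known"
    masters = [w for w in discovered if w.is_master]
    if masters:
        return masters[0], "master-controller"
    if discovered:
        return max(discovered, key=lambda w: w.free_ap_capacity), "least-loaded"
    return None, "no-wlc-discovered"


# Constructed topology: branch AP on 10.1.1.0/24; WLC1 on the same subnet,
# WLC2 and WLC3 in the DC, reachable only if something points the AP at them.
WLCS = [
    Wlc("WLC1", "10.1.1.5", ap_capacity=50, ap_joined=48),
    Wlc("WLC2", "10.9.9.5", ap_capacity=500, ap_joined=120),
    Wlc("WLC3", "10.9.9.6", is_master=True, ap_capacity=500, ap_joined=300),
]

if __name__ == "__main__":
    found = discoverable_wlcs("10.1.1.10/24", WLCS, dhcp_option43=["10.9.9.5"])
    print([w.name for w in found], select_wlc(found))
```

The model makes the troubleshooting point explicit: an AP behind a router that has no IP helper and no option 43 never sees the DC controllers, so it joins whatever answered locally, even a nearly full one.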

6.2.d Roaming

- having multiple APs transmitting on multiple channels


- all under the same SSID
- each AP/channel under that SSID is a BSS
- together they form an Extended SSID (ESSID)

- the client keeps receiving management frames (beacons) while moving


- to change channel while staying under the same SSID
- the client does that when it sees a better BSS (better RSSI)
- L2 Roaming
- roaming within the same broadcast domain
- same subnet/VLAN
- L3 Roaming
- roaming into a different broadcast domain
- will change DHCP, IP, privileges, and others
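An added example (not from the notes) of the client-side roaming decision: filter the beacons heard down to the current ESS, move only when another BSS is clearly stronger, and classify the move as L2 or L3 by comparing the subnets behind the two APs. The hysteresis value and the beacon set are constructed assumptions; a real client also weighs channel load and the AP's own steering hints.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

ROAM_HYSTERESIS_DB = 6   # assumed: only roam when the new BSS is clearly better


@dataclass(frozen=True)
class Beacon:
    """What the client learns from a beacon management frame, plus the
    subnet clients get behind that AP (assumed known for the L2/L3 decision)."""
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int
    client_subnet: str


def same_ess(beacons: List[Beacon], ssid: str) -> List[Beacon]:
    """All BSSs advertising one SSID together form the ESS the client roams within."""
    return [b for b in beacons if b.ssid == ssid]


def choose_bss(current: Beacon, beacons: List[Beacon],
               hysteresis_db: int = ROAM_HYSTERESIS_DB) -> Beacon:
    """Stay on the current BSS unless another BSS of the same SSID is at least
    `hysteresis_db` stronger; this is the 'better RSSI' trigger."""
    best = max(same_ess(beacons, current.ssid) + [current], key=lambda b: b.rssi_dbm)
    if best.bssid != current.bssid and best.rssi_dbm - current.rssi_dbm >= hysteresis_db:
        return best
    return current


def roam_type(old: Beacon, new: Beacon) -> str:
    """An L2 roam keeps the client in the same broadcast domain (same subnet/VLAN);
    an L3 roam crosses into another subnet, so IP, DHCP lease and policy change."""
    if old.bssid == new.bssid:
        return "none"
    if ipaddress.ip_network(old.client_subnet) == ipaddress.ip_network(new.client_subnet):
        return "L2"
    return "L3"


# Constructed beacons heard while walking away from the current AP.
CURRENT = Beacon("aa:aa:aa:00:00:01", "CORP", 1, -75, "10.1.1.0/24")
HEARD = [
    CURRENT,
    Beacon("aa:aa:aa:00:00:02", "CORP", 6, -62, "10.1.1.0/24"),    # same VLAN
    Beacon("aa:aa:aa:00:00:03", "GUEST", 11, -58, "10.2.0.0/24"),  # other SSID, ignored
    Beacon("aa:aa:aa:00:00:04", "CORP", 11, -66, "10.1.2.0/24"),   # other VLAN
]

if __name__ == "__main__":
    nxt = choose_bss(CURRENT, HEARD)
    print(nxt.bssid, "on channel", nxt.channel, "->", roam_type(CURRENT, nxt))
```

Note that the strongest beacon overall (the GUEST network) is never a candidate: roaming happens within one ESS, and the hysteresis keeps a client at the edge of two cells from flapping between them.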

6.3 Wi-Fi Security

- Unsecured WLANs are the ones with no password: free and public
- Secured WLANs might have:
- a hidden SSID
- authentication
- encrypted data (from the client to the AP)

- Authentication can be done by:


- authenticating the user’s credentials
- authenticating a device’s MAC address
- a captive portal

- Adding the Cisco vWLC to EVE-NG


- power up the EVE-NG VM
- create a directory for the vWLC from the VM CLI
- mkdir /opt/unetlab/addons/qemu/vwlc-8.7.102
- log in to the VM through FTP
- navigate to the new directory
- /opt/unetlab/addons/qemu/vwlc-8.7.102
- upload the extracted .qcow2 image to the new directory
- return to the root shell
- fix the permissions
- /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
- power up the vWLC in EVE-NG
- apply the UUID
- 466028c6-3052-4895-a495-683201e576f7

6.3.a Extensible Authentication Protocol (EAP)


- a transport protocol
- carries authentication information
- cannot travel directly over the network
- must be encapsulated before being injected into the medium
- 802.1X (client – WLC)
- RADIUS (WLC – AAA server)

6.3.b Web Authentication (WebAuth)


- applied and enabled on a WLC
- to authenticate through a web browser
- carried by HTTP
- also requires 802.1X to be activated on the authenticator
- supports a pre-shared key to encrypt user data

6.3.c Pre-Shared Key (PSK)
- used to encrypt data between the client and the AP
- the same PSK is shared by all the clients connecting to the same AP
- derived from the passphrase
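An added example (not from the notes) of the "derived from the passphrase" step for WPA/WPA2-Personal: the 256-bit PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations, which is the derivation defined in the 802.11 standard and implemented by tools such as `wpa_passphrase`. The helper that accepts either a passphrase or a 64-hex-digit key mirrors a common supplicant-config convention; the "correct horse"/CORP values are constructed, while the password/IEEE vector is the standard's published test vector.

```python
import hashlib
import re

PBKDF2_ITERATIONS = 4096   # fixed by the WPA/WPA2 standard
PSK_LEN_BYTES = 32         # 256-bit key


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different PSK per SSID."""
    pw = passphrase.encode("ascii")
    if not 8 <= len(pw) <= 63:
        raise ValueError("passphrase must be 8 to 63 ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, PBKDF2_ITERATIONS, dklen=PSK_LEN_BYTES)


def psk_hex(passphrase: str, ssid: str) -> str:
    return derive_psk(passphrase, ssid).hex()


def resolve_psk_setting(value: str, ssid: str) -> bytes:
    """Accept either a passphrase or an already-derived 64-hex-digit PSK, as
    supplicant configs commonly do, and return the 256-bit key either way."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return bytes.fromhex(value)
    return derive_psk(value, ssid)


if __name__ == "__main__":
    # Published 802.11 test vector: passphrase "password", SSID "IEEE".
    print(psk_hex("password", "IEEE"))
    # Constructed example: same passphrase, two SSIDs, two different keys.
    print(psk_hex("correct horse", "CORP") != psk_hex("correct horse", "GUEST"))
```

Because every client on the SSID holds this same key, the PSK is only as strong as the passphrase and is shared with everyone who has ever been given it; that is the practical reason the notes list EAP/802.1X (per-user credentials) as the alternative for anything beyond a small network.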