Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)
Cisco AVVID Wireless LAN Design Copyright 2003 Cisco Systems, Inc. All rights reserved.
Contents

Cisco AVVID Wireless LAN Design (document 956608)

Preface
  Target Audience
  Obtaining Documentation
    World Wide Web
    Documentation CD-ROM
    Ordering Documentation
    Documentation Feedback
  Obtaining Technical Assistance
    Cisco.com
    Technical Assistance Center
    Cisco TAC Web Site
    Cisco TAC Escalation Center

Chapter 1 WLAN Solution Overview
  WLAN Solution Benefits
  Enterprise WLAN Design Overview
    Enterprise WLAN Design Characteristics
    WLAN Architecture Considerations
      Comparing Wired and WLANs
      WLAN Modes of Operation
  Links and References
    General References
    Security References
    IP Multicast References

Chapter 2 WLAN Radio Frequency (RF) Design Considerations
  RF Basics
    Regulations
    Fine Tuning
    Channel Selection
  IEEE 802.11 Standards
  RF Spectrum Implementation
    Direct Sequence Spread Spectrum
    IEEE 802.11b Direct Sequence Channels
  Planning for RF Deployment
    RF Deployment Best Practices
    WLAN Data Rates Required
    Client Density and Throughput Requirements
    WLAN Coverage Required
    Security Policy
    RF Environment

Chapter 3 WLAN Technology and Product Selection
  WLAN Technology Selection Considerations
    Competing WLAN Standards
    WLAN Capacity Considerations
    Data Rate Considerations
    Throughput Considerations
    Performance Considerations
    Range Considerations
    Signal Propagation
    Antenna Considerations
    Technology Selection Summary
  Cisco WLAN RF Product Selection Considerations
    Access Points
    Client Adapters
    802.11a Cardbus Client Card
    Enhanced Client Network Management Features with Extended Client Support
    Workgroup Bridges
    Wireless Bridges

Chapter 4 WLAN Security Considerations
  Security Deployment Models
    WLAN LAN Extension 802.1x/EAP (Security, Application, Performance and User Transparency)
    WLAN LAN Extension IPSec (Security, Application, Performance and User Transparency)
    WLAN Static WEP Keys (Security, Application, Performance and User Transparency)
  Cisco WLAN Security Options and Recommendations
    Understanding Overall Network Security
    Flexible WLAN Security using VLANs
    Headquarters/Campus WLAN Deployment
    Branch Office WLAN Deployment
    Additional Security Considerations
    EAP Considerations for High Availability ACS Architecture

Chapter 5 Wireless LAN VLANs
  Wireless VLANs Detailed Feature Description
    Configuration Parameters per VLAN
    Broadcast Domain Segmentation
    Native (Default) VLAN Configuration
    Primary (Guest) and Secondary SSIDs
    RADIUS-based VLAN Access Control
  Guidelines for Deploying Wireless VLANs
    Criteria for Wireless VLAN Deployment
    Wireless VLAN Deployment Example
    Summary of Rules for Wireless VLAN Deployment
    Best-Practices for the Wired Infrastructure

Chapter 6 WLAN Quality of Service (QoS)
  Wireless QoS Considerations
  Wireless QoS Deployment Schemes
  QoS Parameters
    Latency
    Jitter
    Loss
    Downstream and Upstream QoS
  QoS and Network Performance
    802.11 DCF
      Interframe Spaces (SIFS, PIFS, and DIFS)
      Random Backoff (Contention Window)
      CWmin, CWmax, and Retries
    IEEE 802.11e
      802.11e EDCF-based QoS Implementation
      QoS Advertisements by WLAN Infrastructure
    Deploying EDCF on Cisco IOS-based APs
      Appliance-based Prioritization
      CoS-based Prioritization
      Class-Map Based Prioritization
      VLAN-based Prioritization
      Combining QoS Setting Requirements
    Additional QoS Features
  Guidelines for Deploying Wireless QoS
    IP SoftPhone and Other PC and PDA Based VoIP Solutions
    Symbol Handsets
    SpectraLink Handsets
    Leveraging Existing Network QoS Settings

Chapter 7 WLAN Roaming
  Roaming Solution Overview
    General Design Characteristics
    Layer-2 Design
    Caveats
  Layer-2 Roaming Primer
    Layer-2 Roaming Technical Overview
    Roaming Events
      Max Data Retry Count Exceeded
      Missed Too Many Beacons
      Data Rate Shift
      Periodic Client Interval (If Configured)
      Initial Client Startup
    Roam Process
  Layer-2 Design Recommendations
    Cisco AVVID Design
    Sizing the Layer-2 Domain
    Roaming Implementation Recommendations

Chapter 8 IP Multicast in a Wireless LAN
  IP Multicast WLAN Configuration
    Controlling IP Multicast in a WLAN with APs
    Controlling IP Multicast in a P2P WLAN using Bridges
  Other Considerations
  Summary

Chapter 9 WLAN Rogue AP Detection and Mitigation
  Rogue AP Summary and Scope of Problem
    The Rogue AP Threat
    Media Attention to WLAN Security Weaknesses
    Truth About WLAN Security
  Preventing and Detecting Rogue APs
    Preventing Rogue APs
      Corporate WLAN Policy
      Physical Security
      Supported Wireless Infrastructure
      IEEE 802.1x Port-based Security to Prevent APs
      Using Catalyst Switch Filters to Limit MAC Addresses per Port
    Detecting Rogue APs
      Detecting Rogue APs Wirelessly
      Other Wireless Analyzers
      Detecting Rogue AP from the Wired Network
      Detecting Rogue APs Physically

Chapter 10 WLAN Guest Network Access
  Benefits of Guest Network Access
    Increased Security
    Increased Productivity
  Benefits of WLAN Guest Network Access
  Deployment Considerations and Caveats
  Guest WLAN Recommendations
    Recommended 802.11 Configuration for WLAN Guest Network
    VLANs and WLAN Implementation
  Configuring Guest WLANs
    Network Topology
    AP and Switch Configuration
    WLAN Guest VLAN Filtering
    Terminology Notes
    AP 1200 Configuration
      Configuring VLANs
      Configuring SSIDs
    AP 1100 Configuration

Chapter 11 Cisco AVVID Enterprise WLAN Case Study
  Enterprise WLAN Profile
  Customer Requirements
  WLAN Considerations
    WLAN Performance and Coverage
    RF Environment
    Security
    Rogue AP Mitigation
    Management
    Roaming
    QoS
    Multicast
  Equipment Selection
    Radio Selection
    AP Selection
    Estimating the Number of APs
    Security Selection
    Number of ACS Servers
    ACS Server Placement
    Branch Roaming
    Rogue AP
    Management
  WLAN Case Study Configuration
    AP Configuration
    Example Configuration: Config 1
    Access Switch Configuration
    Distribution Router Configuration
Preface
This design guide presents recommendations intended to facilitate Enterprise Wireless Local Area Network (WLAN) solution deployment. The emphasis in this document is on integrating WLAN technology into environments featuring key Enterprise networking elements. Specific chapters address the following topics:

Chapter 1, WLAN Solution Overview: Summarizes the benefits and characteristics of the Cisco secure Enterprise WLAN solution.
Chapter 2, WLAN Radio Frequency (RF) Design Considerations: Focuses on radio frequency (RF) considerations in WLAN environments.
Chapter 3, WLAN Technology and Product Selection: Focuses on technology and product assessment and selection in WLAN environments.
Chapter 4, WLAN Security Considerations: Provides details regarding deployment of the Cisco secure Enterprise WLAN solution.
Chapter 5, Wireless LAN VLANs: Focuses on the implementation of virtual local area networks (VLANs) in the context of WLAN environments.
Chapter 6, WLAN Quality of Service (QoS): Addresses Quality of Service (QoS) considerations in the context of WLAN implementations.
Chapter 7, WLAN Roaming: Addresses the WLAN design considerations when assessing Layer 2 roaming of wireless LAN clients.
Chapter 8, IP Multicast in a Wireless LAN: Describes the configurations needed to control IP Multicast traffic over a WLAN.
Chapter 9, WLAN Rogue AP Detection and Mitigation: Outlines the threat posed by rogue access points (APs) in the Enterprise network and some strategies for preventing and detecting them.
Chapter 10, WLAN Guest Network Access: Presents the advantages, risks, and proposed configuration for WLAN Guest Network Access.
Chapter 11, Cisco AVVID Enterprise WLAN Case Study: Details an example network in the context of the key topics presented in this document.
Where applicable, relevant configuration fragments are included. A Cisco SAFE white paper addressing secure WLAN deployment in the enterprise is available at:
http://www.cisco.com/go/safe
The SAFE white paper covers more detail on the security-specific aspects of design, whereas this design guide is focused on the overall WLAN solution. Although there are differences between the SAFE white paper designs and the designs presented here, those differences are not generally considered substantive and the designs are compatible.
Target Audience
This publication provides solution guidelines for large-scale enterprises implementing WLAN networks with Cisco WLAN devices. The intended audiences for this design guide include network architects, network managers, and others concerned with the implementation of secure WLAN solutions, including:
Obtaining Documentation
The following sections explain how to obtain documentation from Cisco Systems.
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Ordering Documentation
Cisco documentation is available in the following ways:
Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl
Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription
Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730. You can e-mail your comments to bug-doc@cisco.com. To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address: Cisco Systems Attn: Document Resource Connection 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to:

Streamline business processes and improve productivity
Resolve technical issues with online support
Download and test software packages
Order Cisco learning materials and merchandise
Register for online skill assessment, training, and certification programs
You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL: http://www.cisco.com
Priority level 4 (P4): You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
Priority level 3 (P3): Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
Priority level 2 (P2): Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
Priority level 1 (P1): Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Chapter 1 WLAN Solution Overview

WLAN Solution Benefits, page 1-1
Enterprise WLAN Design Overview, page 1-2
Links and References, page 1-8
WLAN Solution Benefits

Mobility within building or campus: Facilitates implementation of applications that require an always-on network and that tend to involve movement within a campus environment.
Convenience: Simplifies networking of large, wide open people areas.
Flexibility: Allows work to be done at the most appropriate or convenient place rather than where a cable drop terminates.
Easier to set up temporary spaces: Promotes quick network setup of meeting rooms, war rooms, or brainstorming rooms tailored to variations in the number of participants.
Lower cabling costs: Reduces the requirement for contingency cable plant installation because the WLAN can be employed to fill the gaps.
Easier adds, moves, and changes, and lower support and maintenance costs: Temporary networks become much easier to set up, easing migration issues and costly last-minute fixes.
Improved efficiency: Studies show WLAN users are connected to the network for 1.75 hours longer per day compared with hard-wired users.
Productivity gains: Promotes easier access to network connectivity, resulting in better utilization of business productivity tools.
Easier to collaborate: Facilitates access to collaboration tools from any location, such as meeting rooms; files can be shared on the spot and requests for information handled immediately.
Improved company image and increased competitive advantage: Elevates a company's perceived connectedness and responsiveness.
More efficient use of office space: Allows greater flexibility in coping with excess numbers caused by large team meetings.
Reduced errors: Data can be entered directly into systems as it is being collected, rather than being transcribed later when network access is available.
Improved efficiency, performance, and security for enterprise partners and guests: Promoted by the provision of guest access networks.
Improved overall security: Promoted through the provision of a controlled and secured WLAN network, reducing the likelihood of rogue WLAN deployments.
Improved business resilience: Increased mobility of the workforce allows rapid redeployment to other locations with WLANs as needed.

Enterprise WLAN Design Overview

Enterprise WLAN Design Characteristics, page 1-3
WLAN Architecture Considerations, page 1-5
Figure 1-1 (campus network diagram; labelled elements: Distribution layers, Core, Backbone, Server farm, WAN, Internet, PSTN)

Enterprise WLAN Design Characteristics
WLAN Virtual LANs (VLANs) allow multiple security models to coexist on the same WLAN, so security models can be combined according to client requirements and/or user policies. The security model you choose depends on the security requirements of the enterprise. This publication focuses on the two most secure solutions, 802.1x/Extensible Authentication Protocol (EAP) and IPSec VPNs, but also discusses the use of Wired Equivalent Privacy (WEP) and WEP plus Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) where applicable. The recommended security model is 802.1x/EAP with WEP plus TKIP and MIC, because it creates the optimum network architecture and addresses all WLAN security threats known at the time of writing. Examples of EAP types suitable for use in WLANs are EAP-Cisco (formerly Lightweight EAP or LEAP), EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP Tunneled TLS (EAP-TTLS). If further 802.1x/EAP types are developed to meet business needs, the existing architectures will accommodate them. The 802.1x/EAP type used is transparent to the AP and only has implications for the client software and the Remote Authentication Dial-In User Service (RADIUS) server.
IPSec VPNs are recommended as an alternative to 802.1x/EAP if the customer's security requirements mandate Triple Data Encryption Standard (3DES).
For situations in which EAP or IPSec VPNs are not possible, a combination of static WEP and access filtering is discussed, although this alternative is not a recommended security mode for general deployment. TKIP and MIC should be implemented wherever possible, including static WEP deployments.
The design recommendations presented in this publication each show a single security model (EAP, IPSec, or static WEP). These models can be combined within one enterprise implementation using WLAN VLANs; they are shown separately for clarity.
The WLAN implementation does not change existing campus architectures and recommendations. WLANs should be assigned to a dedicated subnet (not one shared with wired LAN users).
A separate management VLAN should be configured for the management of WLAN APs. As a design best practice, this VLAN should not have a WLAN appearance (meaning it does not have an associated SSID and cannot be directly accessed from the WLAN). Security policies should determine where the AP managers logically and physically reside on the network.
The wired LAN is not replaced by the WLAN. The WLAN enhances the flexibility and accessibility of the current network by extending it.
The design assumes 15-to-25 users per AP. This number varies from customer to customer depending on usage profiles and user density.
Seamless roaming is limited to the same Layer-2 network, unless Proxy Mobile IP or Mobile IP is used.
WLAN QoS tools are used as required.
IP Multicast for the WLAN is bounded to ensure that multicast does not consume excessive bandwidth, and IP multicast applications are tested for their suitability for a WLAN.
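The statement above that the EAP type is transparent to the AP is worth seeing at the packet level. The following added example (not code from this guide or from Cisco) shows the relay an AP performs: it wraps whatever EAP frame the client sends into EAP-Message attributes of a RADIUS Access-Request (RFC 2865) and protects the request with the Message-Authenticator HMAC-MD5 that RFC 3579 mandates whenever EAP-Message is present; the RADIUS server side verifies that HMAC before reassembling the EAP frame. Nothing on the AP side reads the EAP Type byte, which is exactly why EAP-TLS, PEAP, EAP-TTLS and LEAP all traverse the same AP unchanged. The EAP frames, identities and shared secret are constructed for the example.

```python
"""AP-side and server-side handling of EAP over RADIUS (RFC 2865 / RFC 3579).
Added example, not from the Cisco design guide. Sample frames, the user name
and the shared secret below are constructed test data."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
MAX_ATTR_VALUE = 253            # RADIUS attribute length byte limits the value to 253 octets

# IANA EAP method type codes; the AP relays every one of them identically.
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 17: "LEAP (EAP-Cisco)", 21: "EAP-TTLS", 25: "PEAP"}


def eap_packet(code: int, identifier: int, eap_type: int, type_data: bytes) -> bytes:
    """EAP header (RFC 3748): Code (1=Request, 2=Response), Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(eap_frame: bytes, username: bytes, secret: bytes, identifier: int,
                   request_authenticator: bytes = b"") -> bytes:
    """AP side: carry an EAP frame to the RADIUS server.

    The frame is cut into 253-octet EAP-Message attributes without looking at
    its Type byte. Message-Authenticator is HMAC-MD5(secret) over the whole
    packet with its own value set to zeros (RFC 3579 section 3.2)."""
    authenticator = request_authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, username)
    for i in range(0, len(eap_frame), MAX_ATTR_VALUE):
        attrs += _attr(EAP_MESSAGE, eap_frame[i:i + MAX_ATTR_VALUE])
    attrs += _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac      # the zeroed MAC was the last 16 octets


def parse_attributes(packet: bytes):
    """Yield (type, value, value_offset) for each attribute after the 20-octet header."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        yield atype, packet[pos + 2:pos + alen], pos + 2
        pos += alen


def extract_eap(packet: bytes, secret: bytes) -> bytes:
    """RADIUS server side: check Message-Authenticator, then reassemble the EAP frame.

    A request with a missing or wrong MAC (for example from a rogue AP that does
    not know the shared secret, or a packet altered in transit) is rejected
    before any EAP method code runs."""
    parts, mac_offset = [], None
    for atype, value, offset in parse_attributes(packet):
        if atype == EAP_MESSAGE:
            parts.append(value)
        elif atype == MESSAGE_AUTHENTICATOR:
            mac_offset = offset
    if mac_offset is None:
        raise ValueError("EAP-Message present without Message-Authenticator (RFC 3579)")
    zeroed = packet[:mac_offset] + bytes(16) + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_offset:mac_offset + 16]):
        raise ValueError("Message-Authenticator verification failed")
    return b"".join(parts)


def eap_type_name(eap_frame: bytes) -> str:
    """Only the RADIUS server (and the client) ever interprets the EAP Type byte."""
    return EAP_TYPES.get(eap_frame[4], f"type {eap_frame[4]}")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    for eap_type in (13, 17, 25):
        frame = eap_packet(2, 7, eap_type, b"\x00" * 40)       # constructed EAP-Response
        relayed = extract_eap(access_request(frame, b"alice", secret, 7), secret)
        print(f"{eap_type_name(relayed):18s} relayed unchanged: {relayed == frame}")
```

The same property cuts both ways for a security reviewer: because the AP never parses the method, a weak or strong EAP method is a decision made on the client and the RADIUS server, and the shared secret plus Message-Authenticator are the only things that tie a given AP to the server.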
WLAN Architecture Considerations

Comparing Wired and WLANs, page 1-5
WLAN Modes of Operation, page 1-7

Comparing Wired and WLANs

Protocol stack comparison (figure):
Layer 3 (network): IP on both wireless and wired (802.3)
Layer 2 (DLC), wireless: SNAP (0800 = IP) / IEEE 802.2 LLC / IEEE 802.11 MAC
Layer 2 (DLC), wired Ethernet: Ethernet (0800 = IP)
Within any one wireless channel, the wireless interface is a shared medium. It operates in a similar fashion to an Ethernet hub: within any Basic Service Set (BSS), only one station can transmit at any one time. All wireless stations are also half-duplex; the same frequency channel is used for transmit and receive. The access mechanism used is Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), whereas Ethernet uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Each station in a CSMA network listens before talking over the air. Because collision detection (CD) is difficult in a radio-based environment, a collision avoidance (CA) mechanism is used. At a detailed level there are significant differences between 802.11 and Ethernet, but from a network designer's standpoint the important idea to remember is the notion of a shared medium. The throughput of a WLAN is also lower than its nominal data rate. This difference is due to the overhead in the 802.11 protocol and to the fact that some traffic flows may not be occurring at the highest data rate. Taking overhead and protocol operation into account, the actual aggregate throughput of a WLAN is less than the data rate.
Unicast Traffic
The WLAN hardware always tries to send data at the highest rate possible. There are many data rates which can be selected. For instance, four rates are possible for an 802.11b radio: 1, 2, 5.5, and 11 Mbps. 802.11a radios support 6, 9, 12, 18, 24, 36, 48 and 54 Mbps. With the AP, the Data Rates section on the AP Radio Hardware setup page lists the options for each data rate. Refer to Figure 1-2 on page 1-6. Where Yes is selected, only unicast traffic is sent at this data rate.

Figure 1-2 AP Radio Hardware Setup Page
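To make the data-rate versus throughput distinction concrete, the following added example (not from the guide) computes the theoretical maximum unicast throughput of an 802.11b link for each of the four data rates by adding up the DCF airtime of one frame exchange: DIFS, the average random backoff, the data frame with its fixed-rate PLCP preamble and header, SIFS and the ACK. It uses the 802.11b long-preamble timing constants and assumes a single station with no collisions and an ACK sent at the 1 Mbps basic rate; with 1500-byte frames the result at 11 Mbps is about 6 Mbps, which is the figure a site designer should plan against rather than 11.

```python
"""Theoretical maximum 802.11b unicast throughput per data rate.
Added example, not from the Cisco design guide. Timing values are the
802.11b long-preamble constants; the ACK rate is an assumption."""

# 802.11b DSSS timing (microseconds)
SLOT_TIME = 20
SIFS = 10
DIFS = SIFS + 2 * SLOT_TIME          # 50 us
CWMIN = 31                           # initial contention window, in slots
PLCP_PREAMBLE_HEADER = 192           # long preamble 144 us + PLCP header 48 us, always at 1 Mbps

# Frame overhead (bytes)
MAC_HEADER_FCS = 28                  # 24-byte data-frame MAC header + 4-byte FCS
LLC_SNAP = 8                         # 802.2 LLC + SNAP encapsulation shown in the stack comparison
ACK_FRAME = 14                       # ACK control frame
ACK_RATE_MBPS = 1.0                  # assumption: ACK sent at the 1 Mbps basic rate

DATA_RATES_MBPS = (1.0, 2.0, 5.5, 11.0)


def frame_airtime_us(payload_bytes: int, rate_mbps: float) -> float:
    """Airtime of one data frame: fixed-rate PLCP part plus the PSDU at the data rate."""
    psdu_bits = (MAC_HEADER_FCS + LLC_SNAP + payload_bytes) * 8
    return PLCP_PREAMBLE_HEADER + psdu_bits / rate_mbps


def exchange_time_us(payload_bytes: int, rate_mbps: float) -> float:
    """One complete DCF exchange: DIFS + mean backoff + DATA + SIFS + ACK.
    Mean backoff is CWmin/2 slots, the single-station no-collision case."""
    mean_backoff = (CWMIN / 2) * SLOT_TIME
    ack_airtime = PLCP_PREAMBLE_HEADER + ACK_FRAME * 8 / ACK_RATE_MBPS
    return DIFS + mean_backoff + frame_airtime_us(payload_bytes, rate_mbps) + SIFS + ack_airtime


def max_throughput_mbps(payload_bytes: int, rate_mbps: float) -> float:
    """Upper bound on payload throughput (Mbit/s) for back-to-back unicast frames."""
    return payload_bytes * 8 / exchange_time_us(payload_bytes, rate_mbps)


def throughput_table(payload_bytes: int = 1500) -> dict:
    """Map each 802.11b data rate to its maximum throughput, rounded to 0.01 Mbps."""
    return {rate: round(max_throughput_mbps(payload_bytes, rate), 2) for rate in DATA_RATES_MBPS}


if __name__ == "__main__":
    for payload in (1500, 64):
        for rate, tput in throughput_table(payload).items():
            print(f"{payload:4d}-byte frames at {rate:4.1f} Mbps: max {tput:5.2f} Mbps")
```

Small frames make the fixed overhead dominate: the same calculation for 64-byte payloads at 11 Mbps yields well under 1 Mbps, which is why voice and other small-packet traffic consumes far more airtime per byte than file transfers.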
Infrastructure Mode
In infrastructure mode, clients communicate through an AP. The AP is the point at which wireless clients can access the network. Figure 1-3 illustrates a typical WLAN arrangement. The AP provides connectivity to other clients associated with that AP or to the wired LAN. The basic service area (BSA) is the area of RF coverage provided by an AP, also referred to as a microcell. To extend the BSA, or simply to add wireless devices and extend the range of an existing wired system, an AP can be added. The AP attaches to the Ethernet backbone and communicates with all the wireless devices in the cell area. The AP is the master for the cell and controls traffic flow to and from the network. The remote devices do not communicate directly with each other; they communicate with the AP. If a single cell does not provide enough coverage, any number of cells can be added to extend the range. This is known as an extended service area (ESA). It is recommended that the ESA cells include 10-to-15 percent overlap to allow remote users to roam without losing RF connections. Bordering cells should be set to different non-overlapping channels for best performance.
Figure 1-3 Typical WLAN (diagram: two AP cells, one on channel 1 and one on channel 6, serving a wireless handheld, a wireless laptop and a wireless desktop, attached through a switch and router to the LAN/WAN)
Ad-hoc Mode
Ad-hoc mode is used to establish a peer-to-peer network between two or more clients. This mode is selected through the System Type section of the System Parameters page on the Aironet Client Utility (ACU).
Links and References

General References, page 1-8
Security References, page 1-8
IP Multicast References, page 1-9
General References
Cisco Network Solutions and Provisioned Services page: http://www.cisco.com/en/US/netsol/index.html
Note
Access to specific information varies based on user entitlement at the Cisco Systems web site.
Security References
The Unofficial 802.11 Security Web Page: http://www.drizzle.com/~aboba/IEEE/
Assessing Wireless Security with AiroPeek and AiroPeek NX: http://www.wildpackets.com/elements/whitepapers/AiroPeek_Security.pdf
Netstumbler security links: http://www.netstumbler.com/links.php?op=MostPopular
OUI list: http://standards.ieee.org/regauth/oui/oui.txt
SANS (System Administration, Networking and Security) Institute, Wireless page: http://rr.sans.org/wireless/wireless_list.php
Securing wireless networks (enter as guest): http://securingwireless.intranets.com/default.asp?link=
List of wireless security tools: http://www.networkintrusion.co.uk/wireless.htm
When Dreamcasts Attack: http://online.securityfocus.com/news/558
IP Multicast References
CCO IP Multicast Overview: http://www.cisco.com/go/ipmulticast
Chapter 2 WLAN Radio Frequency (RF) Design Considerations

RF Basics, page 2-1
IEEE 802.11 Standards, page 2-9
RF Spectrum Implementation, page 2-11
Planning for RF Deployment, page 2-13
RF Basics
This section provides a summary of regulations and considerations specific to RF implementation. The following sections are presented:
Regulations, page 2-2
Fine Tuning, page 2-5
Channel Selection, page 2-5
Regulations
Devices that operate in unlicensed bands do not require any formal licensing process, but operation in these bands still obligates the user to follow regulations. The governing bodies in different parts of the world regulate these bands. WLAN devices must comply with the specifications of the relevant regulatory domain. The regulatory agencies set the emission requirements for WLAN to minimize the amount of interference a radio can generate or receive from another in the same proximity. The regulatory requirements do not affect the interoperability of IEEE 802.11b and 802.11a compliant products. It is the responsibility of the vendor to have the product certified by the corresponding regulatory body. Table 2-1 summarizes the current regulatory domains for Wi-Fi products.

Table 2-1 Regulatory Domains

Regulatory Domain | Geographic Area
Americas or FCC (United States Federal Communications Commission) | North, South and Central America, Australia and New Zealand, various parts of Asia and Oceania
Europe or ETSI (European Telecommunications Standards Institute) | Europe (both EU and non-EU countries), Middle East, Africa, various parts of Asia and Oceania
Japan (MKK) | Japan
China | People's Republic of China (Mainland China)
Israel | Israel
Singapore (1) | Singapore
Taiwan (2) | Republic of China (Taiwan)

1. The regulations of Singapore and Taiwan for wireless LANs are particular to these countries only for operation in the 5 GHz band. Singapore and Taiwan are therefore only regulatory domains for 5 GHz operation; for operation in 2.4 GHz they fall into the ETSI and FCC domains, respectively.
2. See above.
Note
The main regulatory domains are the FCC, ETSI, and MKK domains. As of this writing there is no 5 GHz regulatory domain for China, and 5 GHz regulations vary widely from country to country.
Caution
Check the Cisco web site for compliance information and also check with your local regulatory authority on what is permitted within your country. The information provided in Table 2-2, Table 2-3, and Table 2-4 on the following pages should be used as a general guideline. For up-to-date information on regional requirements, check http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html#4.

Table 2-2 (2.4 GHz operating ranges by regulatory domain)

Regulatory Domain | Lower Limit | Upper Limit | Regulatory Range (1)
Americas (FCC) | 2.402 GHz | 2.480 GHz | 2.400 to 2.4835 GHz
ETSI (2) | 2.402 GHz | 2.480 GHz | 2.400 to 2.4835 GHz
Japan (MKK) | 2.473 GHz | 2.495 GHz | 2.471 to 2.497 GHz
Spain | 2.447 GHz | 2.473 GHz | 2.445 to 2.475 GHz
France | 2.448 GHz | 2.482 GHz | 2.4465 to 2.4835 GHz

1. The frequency ranges in this table are subject to the geographic-specific regulatory authorities.
2. Excluding Spain and France.
Table 2-3 (5 GHz UNII channels and centre frequencies, USA)

Band | Channel Number | Centre Frequency
UNII-1 (USA) | 36 | 5.180 GHz
UNII-1 (USA) | 40 | 5.200 GHz
UNII-1 (USA) | 44 | 5.220 GHz
UNII-1 (USA) | 48 | 5.240 GHz
UNII-2 (USA) | 52 | 5.260 GHz
UNII-2 (USA) | 56 | 5.280 GHz
UNII-2 (USA) | 60 | 5.300 GHz
UNII-2 (USA) | 64 | 5.320 GHz
UNII-3 (USA) | 149 | 5.745 GHz
UNII-3 (USA) | 153 | 5.765 GHz
UNII-3 (USA) | 157 | 5.785 GHz
UNII-3 (USA) | 161 | 5.805 GHz
Table 2-4 Additional Frequency Bands and Channel Numbers for Other Regulatory Domains (table residue; row alignment not recoverable)

Regulatory Domain | Channel Numbers | Centre Frequencies (GHz)
Singapore | 36, 40, 44, 48 | 5.170, 5.190, 5.210, 5.230 (also listed: 5.180, 5.200, 5.220, 5.240, same as USA)
Taiwan | 52, 56, 60, 64 | 5.260, 5.280, 5.300, 5.320 (same as USA)
(domain label lost) | 36, 40, 44 | same as USA
Each of the bands presented in Table 2-3 is intended for different uses. The UNII-3 band is intended for long range point-to-point and point-to-multipoint wireless bridging and may only be used outdoors. The UNII-3 band and its usage is beyond the scope of this book. Please refer to the following URL to find the appropriate WLAN product for your regulatory domain: http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html
Fine Tuning
A number of factors can affect the WLAN coverage as follows:
Selected data rate
Power level
Antenna choice (dipole, omni-directional, wall mount)
For a given data rate, the WLAN designer can alter power level and/or elect to use a different antenna, to change the coverage area and/or coverage shape.
Channel Selection
Channel selection depends on the frequencies that are permitted for a particular region. For example, the North American and ETSI 2.4 GHz channel sets permit allocation of three non-overlapping channels (1, 6, and 11), while the 5 GHz channel set permits eight. The channels should be allocated to the coverage cells as follows:

Overlapping cells should use non-overlapping channels.
Where a channel must be reused in multiple cells, those cells should have minimal overlap with each other. See Figure 2-1.

Figure 2-1 (cell and channel diagram: AP1 on channel 1, AP2 on channel 6, AP4 on channel 1)
A site survey should be conducted using the same frequency plan as intended for the actual deployment. This facilitates a more exact estimate of how a particular channel at a particular location will react to interference and multipath. Channel selection also helps in planning for co-channel and adjacent-channel interference, and provides information about where you can reuse a frequency. In multi-story buildings, check the cell overlap between floors according to these guidelines. Some re-surveying and relocating of APs might be required in some cases. Multi-story structures (such as office towers, hospitals and university classroom buildings) introduce a third dimension to coverage planning. The 2.4 GHz waveform of 802.11b and, when available, 802.11g can pass through floors and ceilings as well as walls. The 5 GHz waveform of 802.11a can also pass through floors and ceilings as well as walls, but does so to a lesser degree because of its higher frequency. With 2.4 GHz Wi-Fi LANs in particular, you must avoid overlapping cells not only on the same floor but also on adjacent floors. With only three channels, this can be achieved through careful three-dimensional planning.
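The channel rules above (three non-overlapping 2.4 GHz channels, overlapping cells on different channels, the same constraint across floors) are easy to state and easy to get wrong in a large building. The following added example (not from the guide and not Cisco code) encodes them: it decides whether two 802.11b channels overlap from their centre frequencies and the 22 MHz DSSS channel width, validates a cell-to-channel plan against the regulatory channel set and the overlap rule, and assigns channels to a set of cells by greedy graph colouring, returning None when three channels are not enough so the AP layout has to be re-surveyed. The permitted channel sets are assumptions derived from Table 2-2 and Table 2-3 (FCC 1 to 11, ETSI 1 to 13, Japan 1 to 14 at 2.4 GHz; UNII-1 and UNII-2 at 5 GHz); domains and bands not in the table are rejected rather than assumed permitted. The two-floor site plan at the bottom is constructed.

```python
"""Channel-plan validation and assignment for overlapping WLAN cells.
Added example, not from the Cisco design guide. Channel sets below are
assumptions taken from the chapter's tables; check the Cisco approvals
page for your own regulatory domain."""

# Permitted channel numbers per (domain, band). Anything absent fails closed.
PERMITTED = {
    ("FCC", "2.4"): tuple(range(1, 12)),                  # channels 1-11
    ("ETSI", "2.4"): tuple(range(1, 14)),                 # channels 1-13
    ("MKK", "2.4"): tuple(range(1, 15)),                  # channels 1-14
    ("FCC", "5"): (36, 40, 44, 48, 52, 56, 60, 64),       # UNII-1 and UNII-2 (UNII-3 is outdoor bridging)
}

# Non-overlapping sets used for assignment
NON_OVERLAPPING = {"2.4": (1, 6, 11), "5": (36, 40, 44, 48, 52, 56, 60, 64)}

DSSS_MIN_SPACING_MHZ = 25      # 22 MHz wide channels need centres >= 25 MHz apart (five channel numbers)


def center_mhz(channel: int, band: str) -> int:
    """802.11 centre frequency: 2407 + 5n MHz for 2.4 GHz (channel 14 is 2484), 5000 + 5n for 5 GHz."""
    if band == "2.4":
        return 2484 if channel == 14 else 2407 + 5 * channel
    if band == "5":
        return 5000 + 5 * channel
    raise ValueError(f"unknown band {band}")


def channels_overlap(a: int, b: int, band: str) -> bool:
    """802.11b DSSS channels share spectrum when their centres are closer than
    25 MHz; 802.11a channels are 20 MHz apart and only collide when identical."""
    if band == "5":
        return a == b
    return abs(center_mhz(a, band) - center_mhz(b, band)) < DSSS_MIN_SPACING_MHZ


def validate_plan(cells: dict, adjacent, domain: str) -> list:
    """cells: {cell_name: (band, channel)}. adjacent: pairs of cells whose coverage
    overlaps (same floor or the floor above/below). Returns rule violations."""
    problems = []
    for name, (band, channel) in cells.items():
        if channel not in PERMITTED.get((domain, band), ()):
            problems.append(f"{name}: channel {channel} not permitted for {domain} at {band} GHz")
    for x, y in adjacent:
        (band_x, ch_x), (band_y, ch_y) = cells[x], cells[y]
        if band_x == band_y and channels_overlap(ch_x, ch_y, band_x):
            problems.append(f"{x} (channel {ch_x}) overlaps {y} (channel {ch_y}) at {band_x} GHz")
    return problems


def assign_channels(cell_names, adjacent, band: str):
    """Greedy colouring, most-constrained cell first: each cell gets the first
    non-overlapping channel unused by any neighbouring cell. Returns None when
    the channel set is exhausted, which means the layout needs re-surveying."""
    neighbours = {name: set() for name in cell_names}
    for x, y in adjacent:
        neighbours[x].add(y)
        neighbours[y].add(x)
    plan = {}
    for name in sorted(cell_names, key=lambda n: -len(neighbours[n])):
        used = {plan[m] for m in neighbours[name] if m in plan}
        free = [c for c in NON_OVERLAPPING[band] if c not in used]
        if not free:
            return None
        plan[name] = free[0]
    return plan


# Constructed two-floor site: AP1-AP3 in a row on floor 1, AP4-AP6 directly above them.
SITE_CELLS = ["AP1", "AP2", "AP3", "AP4", "AP5", "AP6"]
SITE_ADJACENCY = [("AP1", "AP2"), ("AP2", "AP3"), ("AP4", "AP5"), ("AP5", "AP6"),
                  ("AP1", "AP4"), ("AP2", "AP5"), ("AP3", "AP6")]

if __name__ == "__main__":
    plan = assign_channels(SITE_CELLS, SITE_ADJACENCY, "2.4")
    print("plan:", plan)
    print("violations:", validate_plan({n: ("2.4", c) for n, c in plan.items()}, SITE_ADJACENCY, "FCC"))
```

The adjacency list is the output of the site survey, not of the script: which cells actually overlap, including vertically, has to be measured. The colouring only tells you whether the measured overlap graph can be covered with the channels you have.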
An AP can be configured to automatically search for the best channel on power up. This is configured using the AP Radio Hardware menu, as shown in Figure 2-2. Retest the site using the selected channels and check for any interference.
Figure 2-2 AP Automatic Channel Search
Note
It is possible to implement a dual-band deployment scheme as illustrated in Figure 2-3. However, this requires careful planning and implementation of the Cisco Aironet AP 1200. Refer to the Data Rate Considerations section on page 3-3 for related information about dual-band channel deployment considerations.
Figure 2-3 Dual Band Deployment Diagram
(Figure 2-3 shows a grid of cells in which the 802.11b channels 1, 6, and 11 are reused across the floor, with 802.11a channels 1, 3, 5, 7, and 8 paired with them in each cell, for example 1 & 6, 3 & 11, and 8 & 1.)
Direct Sequence Spread Spectrum (DSSS): 1 Mbps and 2 Mbps
Frequency Hopping Spread Spectrum (FHSS): 1 Mbps and 2 Mbps
Within the 802.11 Working Group are a number of Task Groups responsible for elements of the 802.11 WLAN standard. IEEE 802.11b refers to Task Group b within the 802.11 Working Group. IEEE 802.11b became an IEEE standard in September 1999, introducing the higher data rates of 5.5 Mbps and 11 Mbps using DSSS in the 2.4 GHz band. 802.11b defines a high-performance radio and true vendor interoperability. Table 2-5 summarizes some of the task group initiatives.
Table 2-5 IEEE 802.11 Task Group Activities

Task Group | Project | Status
802.11 (MAC) | Develop one common MAC for WLANs in conjunction with a physical layer entity (PHY) | Standard
802.11 (PHY) | Develop three WLAN PHYs: infrared, 2.4 GHz FHSS, 2.4 GHz DSSS | Standard
a | Develop PHY for 5 GHz UNII band | Standard
b | Develop higher rate PHY in 2.4 GHz band | Standard
c | Cover bridge operation with 802.11 MACs (spanning tree) | Standard (802.1d)
d | Define physical layer requirements for 802.11 operation in other regulatory domains (countries) | Standard
e | Enhance 802.11 MAC for QoS | Ongoing
f | Develop recommended practices for Inter Access Point Protocol (IAPP) for multi-vendor use | Ongoing
g | Develop higher speed PHY extension to 802.11b (54 Mbps) | Ongoing
h | Enhance 802.11 MAC and 802.11a PHY: Dynamic Frequency Selection, Transmit Power Control | Ongoing
i | Enhance 802.11 MAC security and authentication mechanisms | Ongoing
j | Enhance the 802.11 standard and amendments to add channel selection for 4.9 GHz and 5 GHz in Japan | Ongoing
k | Define Radio Resource Measurement enhancements to provide interfaces to higher layers for radio and network measurements | Ongoing
The IEEE ratified the 802.11a standard in 1999, but the first 802.11a-compliant products did not appear on the market until December 2001. The 802.11a standard delivers a maximum data rate of 54 Mbps and eight non-overlapping frequency channels, resulting in increased network capacity, improved scalability, and the ability to create microcellular deployments without interference from adjacent cells. Operating in the unlicensed portion of the 5 GHz radio band, 802.11a also does not suffer interference from devices that operate in the 2.4 GHz band, such as microwave ovens, cordless phones, and Bluetooth (a short-range, low-speed, point-to-point, personal-area-network wireless standard). The 802.11a standard is not compatible with existing 802.11b-compliant wireless devices, but 2.4 GHz and 5 GHz equipment can operate in the same physical environment without interfering with each other.

IEEE 802.11g is a high-performance standard in development and should be finalized by mid-year 2003. 802.11g will deliver the same 54 Mbps maximum data rate as 802.11a, but will operate in the same 2.4 GHz band as 802.11b.

Selecting between these technologies is not a one-for-one tradeoff. They are complementary technologies and will coexist in future enterprise environments. Implementers must be able to make an educated choice between deploying 2.4 GHz-only networks, 5 GHz-only networks, or a combination of both. Organizations with existing 802.11b networks cannot simply deploy a new 802.11a network on 5 GHz APs and expect the same coverage at the 802.11a 54 Mbps data rate as they had at 11 Mbps with 802.11b APs. The technical characteristics of the two bands simply do not allow for this kind of coverage interchangeability.
RF Spectrum Implementation
In the United States, three bands are available for unlicensed use and are commonly grouped together as the ISM (Industrial, Scientific, and Medical) bands. Strictly, the 5.15 to 5.35 GHz segment is a UNII allocation rather than an ISM band; only the upper 5.725 GHz segment is also an ISM allocation. The bands are as follows:
900 MHz (902 to 928 MHz)
2.4 GHz (2.4 to 2.4835 GHz): IEEE 802.11 and 802.11b
5 GHz (5.15 to 5.35 and 5.725 to 5.825 GHz): IEEE 802.11a. This band is also known as the UNII band.
The Cisco Aironet 340 and 350 Series APs use RF spectrum in the 2.4 GHz unlicensed ISM band. Each range has different characteristics. The lower frequencies exhibit better range, but with limited bandwidth and hence lower data rates. The higher frequencies have less range and are subject to greater attenuation from solid objects.
(Figure: 2.4 GHz channel map, channels 1 through 14 spread between 2.402 GHz and 2.483 GHz, each channel 22 MHz wide.)
(Figure: 5 GHz channel map, UNII-1 and UNII-2 channel centers at 5200, 5220, 5240, 5260, 5280, 5300, and 5320 MHz and UNII-3 channel centers at 5765 and 5785 MHz, with 20 MHz and 30 MHz spacing markers.)
For the US-based 802.11a standard, the 5 GHz unlicensed band covers 300 MHz of spectrum and supports 12 non-overlapping channels. The 5 GHz band is actually a conglomerate of three bands in the USA: 5.150 to 5.250 GHz (UNII 1), 5.250 to 5.350 GHz (UNII 2), and 5.725 to 5.825 GHz (UNII 3).
RF Deployment Best Practices, page 2-13
WLAN Data Rates Required, page 2-13
Client Density and Throughput Requirements, page 2-16
WLAN Coverage Required, page 2-17
Security Policy, page 2-17
RF Environment, page 2-18
Number of users versus throughput for a given AP: the general recommended number of users per AP is 15 to 25.
Distance between APs: throughput varies for clients depending on their distance from the AP. The recommendation is to limit the AP data rate to the higher data rates of 11 Mbps and 5.5 Mbps.
Number of APs: this depends on coverage and throughput requirements, which might vary. For example, Cisco's internal information systems (IS) group currently uses six APs per 38,000 square feet of floor space.
Note
Because environments vary so much, it is highly recommended that a site survey be performed to determine the number of APs required and their optimal placement.
Figure 2-6
The diameter of the coverage (circles shown in Figure 2-6) depends upon factors such as power and antenna gain. For example, indoors (1), using the standard antennas on the NIC card and APs, the diameter of the 1 Mbps circle is approximately 700 ft (210 m), and the diameter of the 11 Mbps circle is about 200 ft (60 m). Increasing the gain of the antenna can increase the distance and change the shape of the radiation pattern to something more directional.
1. Typically the outdoor range is greater because there are fewer obstacles, and less interference.
Figure 2-7 (surveyed at 2 Mbps)
The required data rate has a direct impact upon the number of APs needed in the design. The example in Figure 2-7 illustrates this point. While six APs with a data rate of 2 Mbps might adequately service an area, it might take twice as many APs to support a data rate of 5.5 Mbps, and more again to support a data rate of 11 Mbps.

The data rate chosen depends on the type of application to be supported. In a WLAN LAN-extension environment, the higher data rates of 11 Mbps and 5.5 Mbps are recommended; this gives maximum throughput and should minimize performance-related support issues. In a WLAN vertical-application environment, the data rates selected are determined by the application requirements; some clients might not support the higher data rates and might require the use of lower data rates. It might seem logical to choose the default configuration of APs and clients, thereby allowing all data rates. However, there are three key reasons for limiting the data rate to the highest rate at which full coverage is obtained:
Broadcast and multicast frames are sent at the slowest enabled data rate (to ensure that all clients can receive them). This reduces the throughput of the WLAN because other traffic must wait while those frames are transmitted at the slower rate.
Clients that are farther away, and therefore accessing the network at a lower data rate, decrease the overall throughput by causing delays while the lower bit rates are being serviced.
If an 11 Mbps service is specified but the APs are provisioned to support all data rates, clients at lower rates can still associate, creating a coverage area greater than planned. That enlarges the area from which the WLAN can be reached, increasing the security exposure, and can interfere with other WLANs.
1. This number would not be achieved because of the 802.11 management overhead and collisions associated with a large number of clients.
Figure 2-8 Trading transmitter power for cell count: the same floor covered by a channel reuse pattern of cells on channels 1, 6, and 11 in two deployments
180 users per floor, 30 mW transmitter power, 3 access points, 60 users per AP, 11 Mbps data rate
180 users per floor, 5 mW transmitter power, 18 access points, 10 users per AP, 11 Mbps data rate
Note
Client power should be adjusted to match the AP power settings. Maintaining a high setting on the client does not result in higher performance and it can cause interference in nearby cells.
Security Policy
RF design can be used to minimize RF radiation in coverage areas or directions where it is not required. For example, if WLAN coverage is required only inside the buildings, the amount of RF coverage outside the building can be minimized by AP placement and directional antennas. Lowering AP transmit power and disabling the lowest data rates (see the WLAN Data Rates Required section) shrink the footprint further; every area that coverage spills into outside the controlled space is space from which an outsider can reach the WLAN.
RF Environment
The performance of the WLAN and its equipment depends upon its RF environment. The following are some examples of adverse environmental variables:
2.4 GHz cordless phones
Walls fabricated from wire mesh and stucco
Filing cabinets and metal equipment racks
Transformers
Heavy duty electric motors
Fire walls and fire doors
Concrete
Refrigerators
Sulphur plasma lighting (Fusion 2.4 GHz lighting systems)
Air conditioning duct-work
Other radio equipment
Microwave ovens
Other WLAN equipment
A site survey should be performed to ensure that the required data rates are supported in all the required areas, despite the environmental variables mentioned above. The site survey should consider the three dimensional space occupied by the WLAN. For example a multi-story building WLAN with different subnets per floor might require a different RF configuration than the same building with a single WLAN subnet per building. In the multiple subnet instance, a client attempting to roam to a different AP on the same floor might acquire an AP from an adjacent floor. Switching APs in a multi-subnet environment changes the roaming activity from a seamless Layer 2 roam to a Layer 3 roam which in turn disrupts sessions and might require user intervention.
Chapter 3 WLAN Technology and Product Selection
WLAN Technology Selection Considerations, page 3-1
Cisco WLAN RF Product Selection Considerations, page 3-11

Competing WLAN Standards, page 3-1
WLAN Capacity Considerations, page 3-2
Data Rate Considerations, page 3-3
Throughput Considerations, page 3-4
Performance Considerations, page 3-5
Range Considerations, page 3-7
Technology Selection Summary, page 3-9
Competing WLAN Standards

IEEE 802.11b: 802.11b has been the industry standard for several years. Operating in the unlicensed portion of the 2.4 GHz radio frequency spectrum, it delivers a maximum data rate of 11 Mbps and has numerous strengths. 802.11b enjoys broad user acceptance and vendor support. Many vendors manufacture compatible devices, and this compatibility is assured through the Wi-Fi certification program. 802.11b technology has been deployed by thousands of enterprise organizations, which typically find its speed and performance acceptable for their current applications.
IEEE 802.11a: 802.11a operates in the uncluttered 5 GHz radio frequency spectrum. With a maximum data rate of 54 Mbps, this standard offers a fivefold performance increase over the 802.11b standard, and therefore provides greater bandwidth for particularly demanding applications.
As mentioned in the IEEE 802.11 Standards section on page 2-9, 802.11g is another related standard, one intended for networks with high performance requirements. The 802.11g standard has been in draft form since November 2001 and is likely to be finalized in 2003. 802.11g will deliver the same 54 Mbps maximum data rate as 802.11a, yet it offers an additional and compelling advantage: backward compatibility with 802.11b equipment. This means that 802.11b client cards will work with 802.11g APs, and 802.11g client cards will work with 802.11b APs. Because 802.11g and 802.11b operate in the same 2.4 GHz unlicensed band, migrating to 802.11g will be an affordable choice for organizations with existing 802.11b wireless infrastructures. Note that 802.11b products cannot be software upgraded to 802.11g, because 802.11g radios will use a different chipset than 802.11b in order to deliver the higher data rate. However, much like Ethernet and Fast Ethernet, 802.11g products can be combined with 802.11b products in the same network. Because 802.11g operates in the same unlicensed band as 802.11b, it shares the same three channels, which can limit wireless capacity and scalability.

So, which standard should an organization select? Each has its strengths. The greatest strength of the 802.11b standard is its widespread acceptance and broad product availability, although bandwidth is limited. In comparison, the 802.11a standard has the capability to drive the high-bandwidth applications that will characterize the future WLAN. 802.11a also supports more channels (eight non-overlapping channels), making the RF deployment more flexible. Organizations do not need to choose between technologies when considering a WLAN infrastructure, however. The Cisco Aironet 1200 Series gives wireless implementers the option of deploying both. This wireless AP delivers:
Flexibility: The Cisco Aironet 1200 Series is dual-band, meaning that it can concurrently support WLANs based on both the 5 GHz 802.11a and 2.4 GHz 802.11b standards.
Scalability and investment protection: The Cisco Aironet 1200 Series ensures that an organization's wireless network remains backward and forward compatible, with the capability to grow both in terms of users and deployed applications.
Ease of use and manageability: The Cisco Aironet 1200 Series is field upgradable. Organizations can choose to deploy 2.4 GHz technology, 5 GHz technology, or a mixture of the two. The product also integrates with the Cisco security and management infrastructure.
The Cisco Aironet 1200 Series delivers a seamless migration path for WLANs. It allows organizations to upgrade today to robust wireless technology, while ensuring that their investments remain usable and valuable far into the future.
WLAN Capacity Considerations

The 2.4 GHz band used by 802.11b and 802.11g offers just three non-overlapping channels, a shortcoming that complicates deployments. With eight channels, 802.11a systems have an aggregate data rate of up to 432 Mbps (54 Mbps multiplied by eight channels) in a given area. In contrast, 802.11b devices have a maximum capacity of 33 Mbps (11 Mbps multiplied by three channels) in a given area. Therefore, organizations with large WLANs may opt for an 802.11a deployment, which provides far greater performance on a per-cell basis. Given the difference in operating frequencies, 802.11b and 802.11a can coexist within the same environment, allowing users to move from one to the other by switching clients or by using a dual-band client (which combines both radios in a single client). This approach becomes more flexible with dual-band Cisco APs. An enterprise must conduct comprehensive site surveys for each technology to guarantee adequate network coverage. Each frequency has different signal strength, interference, and reflection characteristics, and each implementation must be optimized for different requirements.
Data Rate Considerations

For additional related information, refer to the WLAN Data Rates Required section on page 2-13. Data rates affect cell size. Lower data rates (such as 1 Mbps) can extend further from the AP than higher data rates (such as 54 Mbps), as illustrated in Figure 3-1. Hence the data rate (and power level) affects cell coverage, and consequently the number of APs required. In general, there are pools of coverage at each data rate. What is considered an acceptable data rate ultimately depends upon how much bandwidth is required for the application you want to run at a particular location. Be sure to survey users for the minimum data rate required.
Note
The Cisco Aironet Site Survey Utility surveys at a given data rate and does not rate shift.

APs offer clients multiple data rates for the wireless link. For 802.11b, the range is from 1 to 11 Mbps in four increments (1, 2, 5.5, and 11 Mbps), while for 802.11a the range is 6 to 54 Mbps in eight increments (6, 9, 12, 18, 24, 36, 48, and 54 Mbps). Because data rates affect range, selecting data rates during the design stage is extremely important. Client cards automatically switch to the fastest possible rate offered by the AP; how this is done varies from vendor to vendor. Because each data rate has a unique cell of coverage (the higher the data rate, the smaller the cell), the minimum data rate must be determined at the design stage. Cell sizes at given data rates can be thought of as nested concentric circles. See Figure 3-1. Selecting only the highest data rate requires a greater number of APs to cover a given area; therefore care must be taken to find a compromise between required aggregate data rate and overall system cost. With the dual-band Cisco AP 1200, careful design can yield an aggregate data rate of 65 Mbps (54 Mbps plus 11 Mbps) per AP, with room to grow to 108 Mbps when 802.11g is available.
Figure 3-1 Nested coverage cells per data rate (5 GHz, 40 mW)
Throughput Considerations
Note
For related information, refer to the Client Density and Throughput Requirements section on page 2-16.

Data rate is often confused with aggregate data throughput. Throughput takes into account the overhead associated with the protocol frame structure, collisions, and the implementation processing delays associated with frames processed by clients and APs. Protocol overhead includes RTS, CTS, and ACK frames, beacon periods, backoff periods, and propagation delays. Because the overhead of the 802.11b standard exceeds the overhead of 802.3 Ethernet, 10 Mbps Ethernet delivers better throughput than 11 Mbps Wi-Fi. An important purchasing consideration for any networking technology is the amount of bandwidth, data rate, or throughput it provides to each network user, and how well that throughput can support the applications running on the network. For clarity, data rate means the amount of raw data that can be sent from one node on the wireless network to another within a given timeframe. The difference between data rate and throughput is the difference between the raw bits that travel from one node to another and the bits representing the message content. It is determined by a number of factors, including the latency inherent in the PHY components of the radio, the overhead and acknowledgement information that accompany every transmission, and pauses between transmissions. A comparison of the wireless networks at hand and several wired benchmarks is shown in Table 3-1.
Table 3-1
802.11b offers an 11 Mbps data rate, which translates into approximately 5 to 7 Mbps of actual message throughput (per AP). This amount is shared among all network users accessing the AP at the same time, and is managed through a Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) technique modeled on its wired Ethernet equivalent. Because most network traffic is bursty, and only a few users are on the network simultaneously, Wi-Fi network users generally experience very good connectivity speeds.

Using OFDM and 64-QAM (quadrature amplitude modulation), 802.11a and 802.11g will provide similar data rate levels. However, because 802.11g must be backward compatible with 802.11b, 802.11g incurs more overhead associated with the 802.11b header information. As a result, 802.11g might not achieve full parity with the throughput possible with 802.11a. With 802.11a, there is a maximum data rate of 54 Mbps, which can support high-bandwidth applications such as CAD-CAM, streaming video, and converged voice/video/data. 802.11a and 802.11b nodes also share the bandwidth using the same CSMA/CA techniques. In 802.11b roughly 15 to 25 users can be supported per AP (at 11 Mbps). With 802.11a, more users could be supported per AP (at 54 Mbps) because more bandwidth is available, but the smaller cell size makes an increase in users per AP unlikely; the normal effect is an increase in bandwidth available per user.

802.11b suits implementers who have a large installed base of APs, are transaction intensive, have many users roaming to other 802.11b APs, or are cost sensitive. 802.11a suits implementers who require the higher throughput for the applications listed above, have a small installed base of 802.11b (since 802.11b and 802.11a are not compatible), or are concerned about interference. Interference issues are discussed in detail in the next section.
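The gap between the 11 Mbps data rate and the 5 to 7 Mbps of delivered throughput comes from the fixed per-frame costs of the 802.11 MAC, and the same arithmetic explains why one far-away client at a low rate drags the whole cell down (the point made under WLAN Data Rates Required). The Python below is an added example, not code from the Cisco guide: it totals the airtime of one data frame and its ACK in 802.11b DCF using the standard's timing constants, and assumes 2 Mbps ACKs, no RTS/CTS, no retries, no contention from other stations, and a 1500-byte payload.

```python
"""Where 11 Mbps becomes 5 to 7 Mbps: per-frame airtime in 802.11b DCF.

Added example, not from the Cisco guide. It adds up the fixed costs that
accompany every data frame (DIFS, mean backoff, PLCP preamble and header,
MAC header and FCS, SIFS, ACK) and divides the payload by the result. The
802.11b timing constants are the standard's (SIFS 10 us, slot 20 us,
DIFS 50 us, CWmin 31, long preamble + PLCP header 192 us, 14-byte ACK).
Assumptions: ACKs go at the 2 Mbps basic rate, no RTS/CTS, no retries,
no beacons or contention from other stations, and 802.11 MAC overhead of
24 header + 4 FCS bytes (LLC/SNAP ignored). The last function models the
guide's slow-client point: stations that win the medium in turn each send
one frame, so a 1 Mbps client holds the air far longer than an 11 Mbps one.
"""

SIFS_US = 10
SLOT_US = 20
DIFS_US = SIFS_US + 2 * SLOT_US            # 50 us
CW_MIN = 31
MEAN_BACKOFF_US = CW_MIN / 2 * SLOT_US     # 310 us, uniform over 0..CWmin slots
PLCP_LONG_US = 192                         # long preamble + PLCP header at 1 Mbps
MAC_OVERHEAD_BYTES = 24 + 4                # MAC header + FCS
ACK_BYTES = 14
ACK_RATE_MBPS = 2.0                        # assumed basic rate for control frames


def frame_airtime_us(rate_mbps: float, payload_bytes: int = 1500) -> float:
    """Medium time consumed by one data frame and its ACK, including the
    contention that precedes it."""
    data_us = (payload_bytes + MAC_OVERHEAD_BYTES) * 8 / rate_mbps
    ack_us = ACK_BYTES * 8 / ACK_RATE_MBPS
    return (DIFS_US + MEAN_BACKOFF_US + PLCP_LONG_US + data_us
            + SIFS_US + PLCP_LONG_US + ack_us)


def throughput_mbps(rate_mbps: float, payload_bytes: int = 1500) -> float:
    """Payload bits delivered per microsecond of airtime, i.e. Mbps."""
    return payload_bytes * 8 / frame_airtime_us(rate_mbps, payload_bytes)


def shared_cell_throughput_mbps(client_rates, payload_bytes: int = 1500) -> float:
    """Aggregate throughput when clients at the given rates take turns, one
    frame each per round. Every client gets the same frame rate, so the
    slowest one sets the pace for all of them."""
    round_us = sum(frame_airtime_us(r, payload_bytes) for r in client_rates)
    return len(client_rates) * payload_bytes * 8 / round_us


if __name__ == "__main__":
    for r in (1, 2, 5.5, 11):
        print(f"{r:>4} Mbps link -> {throughput_mbps(r):.2f} Mbps payload throughput")
    print("two 11 Mbps clients:", round(shared_cell_throughput_mbps([11, 11]), 2))
    print("one 11 Mbps + one 1 Mbps client:",
          round(shared_cell_throughput_mbps([11, 1]), 2))
```

With these constants an 11 Mbps link carries about 6.2 Mbps of payload, and a cell shared between one 11 Mbps and one 1 Mbps client delivers about 1.6 Mbps in total, less than an all-2-Mbps cell would. Limiting the enabled data rates removes that failure mode along with the oversized coverage footprint.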
Quality of Service (QoS) enhancements to the 802.11 MAC under development within 802.11e will enhance the ability of 802.11b, 802.11a, and 802.11g to deliver new types of time-critical data in addition to their traditional data packets (QoS capabilities are typically associated with IP-based telephony/voice implementations). The IEEE 802.11e Task Group recommendations will become commonly available to both the 2.4 GHz and 5 GHz solutions simultaneously, and most subsequently released 802.11 networks will then be able to support them. The higher bandwidth 802.11g and 802.11a standards will support QoS more effectively than 802.11b, mainly because of the higher bandwidth, but also because more unlicensed spectrum is available to 5 GHz radios. This allows 5 GHz networks to dedicate some channels to voice-only cells and others to data.
Performance Considerations
While unlicensed spectrum is very attractive (as there is no licensing fee to use it), implementers must factor in the potential performance degradation associated with ambient interference. 802.11a operates in unlicensed bands in exactly the same way as 802.11b and the earlier 900 MHz systems do. That is, there are no restrictions on the types of devices that operate in these bands provided that they all conform to a common set of rules. The 900 MHz portion of the spectrum was initially used by WLANs and then, far more commonly, by cordless telephones. Although these devices all complied with applicable regulations, they acted upon each other as interferers, mutually degrading performance and usability. The WLAN industry essentially abandoned the 900 MHz band and migrated to the 2.4 GHz band. Initially, the WLAN industry had this band to itself (with the exception of microwave oven RF emissions). Eventually, however, the band became more crowded with an increasing number of products, including Bluetooth devices and 2.4 GHz cordless telephones. The attractiveness of the 2.4 GHz band to manufacturers (license-free operation on an international scale and the resulting worldwide marketability of 2.4 GHz devices) leads to the central problem of the 2.4 GHz band: overcrowding.

This in turn leads to a principal advantage of 802.11a: because it operates in the still-pristine 5 GHz band, it is (as of now) largely free of interference from other devices. 802.11a products themselves are relatively few in number, Bluetooth operates in the 2.4 GHz band, and very few 5 GHz cordless telephones are on the market. The point is that today the 5 GHz band is relatively clean, but there are no restrictions on this band that do not apply equally to 900 MHz and 2.4 GHz. Over time, the 5 GHz band might become equally crowded with interference-causing devices. Because the 2.4 GHz band is unlicensed, it is available for anyone to use, within the limits of maximum Effective Isotropic Radiated Power (EIRP). WLAN interference can come from a number of sources. The main sources are as follows:
Microwave ovens: The magnetron in household and commercial microwave ovens operates over tens of megahertz in the 2.4 to 2.483 GHz band. While microwave ovens operate at about 700 to 1000 W, the maximum allowed radiated power (EIRP) for WLAN devices is between 0.1 and 4 W. WLAN equipment such as APs should not be located near microwave ovens.
Co-channel interference: Interference can come from radios in adjacent cells on the same frequency. Effective site surveying and WLAN cell planning should minimize the effect of this interference. As WLANs become more prevalent, interference from sources outside enterprise control may become more of an issue, such as in multiple-tenancy situations (shopping centers, apartment blocks, and the like). Proper cell planning of the channel frequency and careful layout of the APs can minimize the interference.
Bluetooth: Bluetooth is a wireless personal area network technology sharing the same 2.4 GHz spectrum as 802.11b. Bluetooth uses FHSS and is a shorter-range and lower-bandwidth technology than 802.11b. FHSS systems use frequently changing narrow bands across all channels. It is important to manage the concurrent operation of 802.11b WLANs and Bluetooth within the enterprise. Task Group 2 of the IEEE 802.15 Working Group is looking at the coexistence issues of IEEE 802.11b WLANs and Bluetooth. Multiple companies have researched the issue and concluded that if the two technologies are separated by two meters or more, there is no significant interference.
2.4 GHz cordless telephones: Some of the newer household and office cordless telephones operate in the 2.4 GHz range (DSSS and FHSS). Depending on the conditions and the manufacturer, degradation to the WLAN can vary from unnoticeable to a total loss of association between the client and the AP. Interference from the WLAN can also impact the voice quality. Users are encouraged to use 900 MHz cordless phones where they must coexist with WLANs. If this is not possible, separate the AP from the phone base station as far as possible and perform some rudimentary degradation tests. Note that DSSS cordless phones are more likely to cause degradation than FHSS types.
Shared Internet access: Wireless local loop (WLL) and systems like Metricom Ricochet (again coming back to the market) and T-Mobile also use the same band, so they can be a source of interference.
Other WLANs: Interference can also come from other systems such as neighboring DSSS and FHSS WLAN networks.
Range Considerations
Table 3-2 provides a comparison of the relative data rates and ranges associated with 802.11a and 802.11b WLANs. These are typical maximum ranges, but range varies (normally downward) depending upon the environment. As more obstructions are encountered (such as a metallic building structure) range is reduced.
Table 3-2 Comparison of Bit-Rate and Range for 802.11a and 802.11b (802.11a ranges in feet: 170, 150, 140, 130, 120, 100, 80, and 60, one per data rate, with the longest range at the lowest rate; the 802.11b column is not reproduced here)
Figure 3-2 on page 3-8 illustrates the coverage area of an 802.11b AP at a maximum bit rate of 11 Mbps, overlaid with 802.11a APs at a maximum bit rate of 54 Mbps. This comparison shows the impact of the different ranges of 802.11b and 802.11a: ten 802.11a APs are required to cover a similar area to the one 802.11b AP. Coverage range is not the whole story, however. Comparing the capacity of the two deployments, the 802.11b coverage offers 11 Mbps, while the 802.11a solution offers 540 Mbps, a potential gain of approximately 49 times. In summary, more 802.11a APs are required to cover a given area than 802.11b APs, but the capacity of the 802.11a network is significantly greater.
Figure 3-2
Signal Propagation
A 5 GHz wave is about half the length of a 2.4 GHz wave. These shorter waves tend to pass through water rather than be captured by it, and the human body is mostly water (roughly 60 percent by mass). So, in areas with a high density of people, such as a stock trading floor, 802.11a WLANs operating at 5 GHz may have an advantage in signal propagation and resulting range over 802.11b WLANs operating at 2.4 GHz. The shorter 5 GHz wave that provides this advantage also leads to a principal disadvantage of 802.11a relative to 802.11b: 5 GHz waves are more vulnerable to absorption by building materials such as drywall and concrete.
Antenna Considerations
Antenna options vary greatly between 5 GHz and 2.4 GHz devices. Currently, regulations mandate that antennas must be integral to some 5 GHz transmitting devices. Therefore, vendors can only sell 802.11a devices with antennas that are attached to, and not removable from, the device itself. On the other hand, organizations can select from a wide variety of antenna options for 2.4 GHz devices. These antennas may be attached to the transmitting device or can exist separately, attached via a cable. This antenna placement can seriously impact system installation and range. For instance, with a 2.4 GHz network, organizations have the option to securely locate APs out of sight and cable out to a remote antenna. They also have the ability to house the device in a protective enclosure, which can prolong its life. The antenna restrictions imposed upon 5 GHz devices remove these options. Therefore, installation might be more complicated, overall range might be reduced, and implementation costs might be higher.
Most vendors are making products that can operate in the UNII-1 and UNII-2 bands either separately or simultaneously. When operating simultaneously, the FCC regulations for fixed UNII-1 antennas apply to such products. Assuming equivalent environments, and holding transmitter power, antenna gain, and data rate constant, 2.4 GHz offers roughly double the range of 5 GHz. This is explained by the physics of radio wave propagation, which dictates that, all other things being equal, a higher frequency signal has a reduced range compared to a lower frequency signal.
A 2.4 GHz wave is about double the length of a 5 GHz wave.
5 GHz waves are more vulnerable to absorption by building materials, such as drywall and concrete.
Regulations restrict the transmit power and antenna possibilities in the 5 GHz range.
With reduced range, companies may have to deploy a greater number of 802.11a-compliant APs to cover a designated area, which can lead to higher hardware costs.
Combined, these factors favor 802.11b devices. Implementers are allowed five times less power in the 5 GHz band (compared with 2.4 GHz implementations) and face more stringent Es/No requirements in 802.11a because of the higher data rates. The receiver sensitivity falls to -68 dBm at the 54 Mbps data rate, compared to -85 dBm at the 11 Mbps data rate, and there is simply more attenuation in the air for the 5 GHz spectrum. However, if you use standard Rubber Duck antennas (2.2 dBi) with 802.11b product and 6 dBi attached antennas with 802.11a product, and compare similar data rates (such as 12 Mbps at 5 GHz and 11 Mbps at 2.4 GHz), range and throughput are similar. One contributing factor is that the gain of the 802.11b client card antenna is almost 0 dBi, while the gain of the 802.11a CardBus client antenna is 5 dBi. Also, on the AP side, a 6 dBi antenna is used at 5 GHz compared to a 2.2 dBi antenna at 2.4 GHz. Above all, OFDM modulation copes with multipath more effectively.
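The sensitivity and antenna figures above, together with the nested-cell picture from Data Rate Considerations, are enough to turn the range comparison into a link budget. The Python below is an added example, not code from the Cisco guide, and it goes beyond the two numbers the text gives: it solves the log-distance path loss model for the cell radius at each data rate, shows that with free-space propagation the 2.4 GHz to 5 GHz range ratio is just the frequency ratio (about 2.15, the "roughly double" above), and quantifies how much coverage area is added when the lowest data rates stay enabled. The guide supplies -85 dBm at 11 Mbps, -68 dBm at 54 Mbps, the 2.2 dBi, 6 dBi and 5 dBi antenna gains, and the 100 mW and 40 mW radios; the sensitivities of the other rates and the path-loss exponent are assumptions for illustration.

```python
"""Cell radius per data rate from a link budget.

Added example, not from the Cisco guide. It uses the log-distance path loss
model PL(d) = PL(1 m) + 10*n*log10(d), with the free-space (Friis) loss at
1 m, and solves it for the distance at which the received signal just meets
the receiver sensitivity. Figures taken from the guide: -85 dBm at 11 Mbps,
-68 dBm at 54 Mbps, a 2.2 dBi rubber duck at 2.4 GHz, a 6 dBi AP antenna and
5 dBi client antenna at 5 GHz, 100 mW and 40 mW radios. Everything else
(sensitivity of the other rates, the exponent n) is an assumption; n = 2 is
free space, indoor offices typically sit nearer 3 to 4.
"""
import math


def path_loss_1m_db(freq_mhz: float) -> float:
    """Friis free-space loss at 1 m: 20*log10(f_MHz) + 20*log10(1 m) - 27.55."""
    return 20 * math.log10(freq_mhz) - 27.55


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, sensitivity_dbm, freq_mhz, n=2.0):
    """Largest distance at which Prx = Ptx + Gtx + Grx - PL(d) still reaches
    the receiver sensitivity."""
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - sensitivity_dbm
    return 10 ** ((budget_db - path_loss_1m_db(freq_mhz)) / (10 * n))


# Receiver sensitivity per data rate (dBm). 11 Mbps and 54 Mbps are the
# guide's figures; the others are assumed, typical of equipment of the period.
SENS_80211B = {1: -94.0, 2: -91.0, 5.5: -88.0, 11: -85.0}
SENS_80211A = {6: -85.0, 12: -82.0, 24: -76.0, 54: -68.0}


def cell_radii(sens, tx_dbm, tx_gain_dbi, rx_gain_dbi, freq_mhz, n=2.0):
    """Nested cells: one radius per data rate, largest at the lowest rate."""
    return {rate: max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, s, freq_mhz, n)
            for rate, s in sens.items()}


def footprint_area_ratio(radii, lowest_rate, highest_rate):
    """How many times larger the reachable area is when the lowest rate stays
    enabled than when clients are held to the highest rate. This extra area
    is the unplanned coverage (and exposure) the guide warns about."""
    return (radii[lowest_rate] / radii[highest_rate]) ** 2


def range_ratio_same_budget(n=2.0, f_low_mhz=2437.0, f_high_mhz=5250.0):
    """2.4 GHz range divided by 5 GHz range with identical power, gains and
    sensitivity; with n = 2 this reduces to the frequency ratio (about 2.15)."""
    r_low = max_range_m(20.0, 0.0, 0.0, -85.0, f_low_mhz, n)
    r_high = max_range_m(20.0, 0.0, 0.0, -85.0, f_high_mhz, n)
    return r_low / r_high


def scenario_2g(n=2.0):
    """100 mW (20 dBm) AP, 2.2 dBi rubber duck, 0 dBi client card, channel 6."""
    return cell_radii(SENS_80211B, 20.0, 2.2, 0.0, 2437.0, n)


def scenario_5g(n=2.0):
    """40 mW (16 dBm) AP, 6 dBi antenna, 5 dBi CardBus client, 5250 MHz."""
    return cell_radii(SENS_80211A, 16.0, 6.0, 5.0, 5250.0, n)


if __name__ == "__main__":
    for n in (2.0, 3.5):
        print(f"path-loss exponent n = {n}")
        for rate, r in sorted(scenario_2g(n).items()):
            print(f"  802.11b {rate:>4} Mbps: {r:9.1f} m")
        for rate, r in sorted(scenario_5g(n).items()):
            print(f"  802.11a {rate:>4} Mbps: {r:9.1f} m")
        print("  area ratio, 1 Mbps enabled vs 11 Mbps only:",
              round(footprint_area_ratio(scenario_2g(n), 1, 11), 1))
```

The absolute distances from the free-space exponent are optimistic indoors and are only there for the shape of the result; the ratios are what matter. With n = 2 the 9 dB of extra sensitivity at 1 Mbps buys about 2.8 times the radius and roughly 8 times the area of the 11 Mbps cell, which is the footprint a client can associate from when all rates are left enabled. Raising n to a more realistic indoor value shrinks that ratio but never removes it.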
Table 3-3 Typical Values of Ranges for 802.11b with Rubber Duck Antenna
Table 3-4
Figure 3-3 (range marker: 350 ft at 1 Mbps)
802.11g will use the same band as 802.11b, so the same 802.11b regulations apply.
The draft is still under development, and there is no available product.
802.11g will not have better range than 802.11b because of higher Es/No requirements (associated with the inherently higher data rates available).

Organizations must weigh each factor when selecting a wireless technology. In some cases, sheer performance and capacity favor an 802.11a implementation. In other cases, vendor support, range, and implementation advantages lead to a selection of 802.11b technology. The decision depends on the organization's type of activity, mission, and plans for the future, weighed against cost and functional requirements. These competing wireless standards leave many companies wondering which wireless technology to embrace. The Cisco Aironet 1200 Series eliminates this concern. The dual-band design supports both established and emerging wireless standards, letting companies implement WLANs without compromise. With the Cisco Aironet 1200 Series, organizations are assured that they will have the right technology both for today and far into the future.
Chapter 3 WLAN Technology and Product Selection
Cisco WLAN RF Product Selection Considerations
This section covers Access Points, Client Adapters, Workgroup Bridges, and Wireless Bridges.
Note
The Cisco Aironet WLAN portfolio is constantly changing. Please refer to the Cisco Product Catalog for up-to-date information. The different products can be seen on the Wireless Network Business Unit web site:
http://www.cisco.com/en/US/products/hw/wireless/index.html
Access Points
An access point (AP) is typically the center point in a wireless network and the connection point between a wired and a wireless network. Multiple APs can be placed throughout an area to provide freedom of movement to users equipped with WLAN client adapters. Cisco Aironet Series APs offer state-of-the-art features suited to a range of deployment scenarios. Key features are:
100 mW 802.11b radio with configurable transmit power (1, 5, 20, 30, 50, and 100 mW).
40 mW 802.11a radio with configurable transmit power (40, 30, 20, 20, 10, 5 mW).
Auto-selecting or configurable data rates.
Support for inline power over Ethernet and standard power (a power injector module is supplied as standard for cases where inline power is not available). Cisco APs currently use the Cisco Power Discovery method (802.3af is not yet a standard); Cisco intends to support both modes.
Cisco 802.11a APs offer a unique 5 GHz articulating antenna incorporating high-gain, omni-directional, diversity antennas and hemispherical patch antennas to deliver two distinct coverage patterns depending on the antenna position.
802.11b diversity antenna options include either non-removable 2.2 dBi diversity dipoles (internal antennas) or remote antenna connections via two RP-TNC connectors.
Diversity antennas for both the 2.4 GHz and 5 GHz radios ensure optimum performance in high-multipath environments such as offices, warehouses, and other indoor installations.
Auto-sensing 10/100BaseT Ethernet connection.
IEEE 802.1x based security architecture.
Auto-roaming between APs within a single network (subnet or VLAN).
World Mode: enables clients to transparently roam to other countries with different channel frequencies and transmit power regulations.
Because the medium is wireless, the security features in the Cisco Aironet Series APs support the latest 802.1x security standards. In addition, the inherent upgradability of the Cisco Aironet Series AP facilitates adopting new wireless security standards as they become available (by upgrading the firmware or radios).
Note
Please see the associated data sheets at http://www.cisco.com for specific product information.
Client Adapters
Client adapters connect a variety of devices to a WLAN. Based on Direct Sequence Spread Spectrum (DSSS) technology and operating in the 2.4 GHz band, the Cisco Aironet 350 Series client adapters comply with the IEEE 802.11b standard, ensuring interoperability with all other compliant WLAN products. For 2.4 GHz 802.11b cards, two form factors are supported:
PCMCIA for notebook PCs and PDAs: a standard PCMCIA product with an attached end-cap antenna.
PCI for desktop PCs: the PCI card has the standard Cisco Aironet RP-TNC connector and can be used with all of the Cisco Aironet external antennas.
Note
The 802.11a card bus has greater antenna gain (5 dBi) as compared to 0 dBi gain in 802.11b cards.
Workgroup Bridges
Workgroup bridges provide wired network connectivity to workgroups through a wireless network connection to a central site. The Cisco Aironet 350 Series Workgroup Bridge supports up to eight downstream devices, such as PCs, printers and notebook computers, through an Ethernet hub or switch connected to its Ethernet port. This is a MAC address limitation, so the workgroup can be extended beyond eight devices by placing a router between the workgroup bridge and the hub. The workgroup bridge can peer wirelessly with either an AP or a wireless bridge. The workgroup bridge to wireless bridge configuration is applicable to outdoor point-to-point campus connections. The workgroup bridge to AP configuration is applicable to shorter range, multi-access solutions where the AP may peer with other workgroup bridges and client adapters. The various applications of workgroup bridges are illustrated in Figure 3-4 and Figure 3-5.
Figure 3-4 Mobile Ethernet Enabled User (figure: an Ethernet-enabled laptop attached to a workgroup bridge, which associates to a wireless access point on the wired network backbone, with Internet access via a switch)
Figure 3-5 Remote Workgroup (figure: a workgroup bridge serving PCs and a printer through a hub)
Wireless Bridges
Wireless bridges (or simply bridges) are used to wirelessly connect two networks (usually in different buildings). Refer to Figure 3-6. With appropriate selection of antennas and a clear line of sight, range can extend up to 25 miles at 11 Mbps. Note that only bridges have this extended range capability; it is achieved by operating outside the IEEE 802.11 timing specifications. An AP (conforming to 802.11b) is limited to a one-mile range to any client, irrespective of transmit power, cable, and antenna combinations. Cisco Aironet Bridges support a superset of AP functionality and can operate in either bridge or AP mode depending upon the requirement.
Figure 3-6 (figure: wireless bridge link between two networks; caption not captured; labels: Laptop)
Chapter 4
This chapter covers Security Deployment Models and Cisco WLAN Security Options and Recommendations.
Security Deployment Models
The deployment models discussed are WLAN LAN Extension 802.1x/EAP, WLAN LAN Extension IPSec, and WLAN Static WEP Keys.
The goal of a WLAN LAN Extension network is for the WLAN access network to transparently provide the same applications and services as the wired access network. Each WLAN Extension discussion that follows addresses the following types of transparency:
Security Transparency: do the selected security capabilities seamlessly provide WLAN network security equivalent to wired networks?
Application Transparency: are the supported WLAN network applications identical to applications on a wired network?
Performance Transparency: does the WLAN deliver application performance that matches wired network performance?
User Transparency: are users of the WLAN forced to perform network-specific operations to use the WLAN?
WLAN LAN Extension 802.1x/EAP
This section covers Security Transparency, Application Transparency, Performance Transparency, and User Transparency.
Security Transparency
An 802.1x/EAP implementation of WLAN LAN Extension operates at the link layer (Layer 2) to provide authentication, authorization, accounting, and encryption. Figure 4-1 shows a schematic of the 802.1x/EAP WLAN. The security level provided is beyond that provided on most wired networks, providing link layer encryption and Authentication, Authorization, and Accounting (AAA) access control. This is provided as follows:
Authentication occurs between the client and the authentication server. Several different EAP types (EAP-Cisco, EAP-TLS, EAP-TTLS, PEAP) are supported, allowing the Enterprise to choose the authentication type that best suits its needs.
Encryption is at the link layer between the WLAN client and the AP. The current encryption mechanisms available are Wired Equivalent Privacy (WEP) and WEP plus TKIP and MIC. Future mechanisms include Wi-Fi Protected Access (WPA) and Advanced Encryption Standard (AES). The encryption keys are automatically derived during the authentication process.
Authorization is controlled by the VLAN membership in combination with the access controls applied at the access router terminating the VLAN.
Accounting is provided by the RADIUS accounting communicated by the APs to the RADIUS server.
Figure 4-1 WLAN LAN Extension 802.1x/EAP (figure: 802.1x/EAP WLAN connecting into the Enterprise network; labels: Authorization)
Application Transparency
As illustrated in Figure 4-1, the WLAN connects at the access layer. Once the WLAN client traffic leaves the AP, it is the same as wired traffic, subject to the same access control, queuing, and routing. This achieves the WLAN LAN extension goal of supporting the same applications as the wired network. Any inability to run applications from the wired network over the WLAN would be the result of policies or the fundamental limitations of the WLAN, not of the 802.1x/EAP architecture.
Performance Transparency
A WLAN has a lower bit rate and lower throughput than most Enterprise wired LANs, so providing equivalent performance for all applications over the WLAN can be a challenge. The strategy to minimize differences in application performance between the wired and wireless network is to utilize the QoS tools available on the WLAN and the APs. Those applications identified as being sensitive to network throughput and delay can be classified and scheduled as required. Load balancing and admission control tools on the WLAN can optimize the usage of the available WLAN resources.
User Transparency
The different EAP types in 802.1x/EAP allow enterprises to choose an authentication mechanism that best matches security requirements. This allows the integration of the 802.1x/EAP into existing user behavior. Many organizations enforce stronger authentication mechanisms on WLAN networks (compared to wired networks), due to reduced physical security in the WLAN. Authentication on the wired network is expected to catch up with WLAN networks, with organizations using 802.1x/EAP mechanisms to enhance wired network security.
WLAN LAN Extension IPSec
This section covers Security Transparency, Application Transparency, Performance Transparency, and User Transparency.
Security Transparency
WLAN LAN Extension via IPSec provides AAA-equivalent features to 802.1x/EAP solutions. Refer to Figure 4-2. Key elements are as follows:
Authentication occurs between the client and the VPN concentrator. Multiple authentication types are supported within the IPSec framework.
Encryption is at the network layer using 3DES or AES, and is negotiated between the client and the VPN concentrator.
In addition to the inherent WLAN LAN Extension IPSec security features associated with this implementation, VPN capabilities provide additional AAA-related security capabilities:
Authorization is controlled by the VPN concentrator and is determined at the time of authentication. Policy is provided by the authentication server.
Accounting is provided by RADIUS accounting software on both the VPN concentrator and the authentication server.
Figure 4-2 WLAN LAN Extension IPSec (figure: IPSec tunnel from the WLAN client into the Enterprise network; labels: Authentication, Encryption, Accounting, Authorization)
Application Transparency
As can be seen in Figure 4-2, WLAN traffic is transported over an IPSec tunnel to the VPN concentrator. This can affect application transparency:
Protocol Limitations: only the IP protocol is supported; the network is not multi-protocol.
Address Translation: the IPSec client performs a form of address translation between its local IP address and the address allocated by the VPN concentrator. This can impact the operation of some applications.
No Multicast: the connection to the VPN concentrator is point-to-point; multicast applications are not supported.
Performance Transparency
Providing equivalent performance for all applications over the WLAN can be a challenge, because a WLAN has a lower bit rate and a lower throughput than most Enterprise wired LANs. The use of IPSec VPN tunnels introduces some additional considerations:
MTU size: the MTU size of packets must be adjusted to incorporate IPSec overhead.
Processing Overhead: clients incur processing overhead from the IPSec VPN. However, this should not be noticeable on most target platforms.
Traffic Classification and QoS Considerations: Type of Service (ToS) and Differentiated Services Code Point (DSCP) values are copied from client packets into the IPSec packets. As a result, QoS preference can be acted upon, but no classification of traffic is possible while the traffic is IPSec encrypted.
Traffic Scheduling: all queuing at the VPN concentrator is handled on a first-in-first-out basis.
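As an added illustration of the MTU point (this is not from the Cisco guide), the following Python computes the on-the-wire size of an ESP tunnel-mode packet and the largest inner packet that still fits a given outer MTU, for the 3DES and AES ciphers named above. The layout follows the ESP specification (SPI, sequence number, IV, block-padded payload with pad-length and next-header bytes, truncated HMAC); the header, IV and HMAC lengths are the standard values, and any extra encapsulation a particular client adds (for example UDP for NAT traversal) is deliberately not modelled.

```python
# Added example: sizing the client MTU for IPSec ESP in tunnel mode.
# Constants are the standard ESP/IPv4 field sizes (RFC 2406 layout).

OUTER_IP_HEADER = 20   # new IPv4 header prepended in tunnel mode
ESP_SPI_SEQ = 8        # 4-byte SPI + 4-byte sequence number
ESP_TRAILER = 2        # pad-length byte + next-header byte
ICV_LEN = 12           # HMAC-MD5-96 / HMAC-SHA1-96 truncated authenticator

# Cipher -> (IV length, block size) in bytes.
CIPHERS = {
    "3des": (8, 8),
    "aes": (16, 16),
}


def esp_tunnel_size(inner_len: int, cipher: str) -> int:
    """Wire size of an ESP tunnel-mode packet carrying an inner IP packet of inner_len bytes."""
    iv_len, block = CIPHERS[cipher]
    # The encrypted region holds the inner packet plus padding plus the 2-byte
    # trailer, rounded up to a whole number of cipher blocks.
    plain = inner_len + ESP_TRAILER
    padded = (plain + block - 1) // block * block
    return OUTER_IP_HEADER + ESP_SPI_SEQ + iv_len + padded + ICV_LEN


def max_inner_mtu(outer_mtu: int, cipher: str) -> int:
    """Largest inner packet whose ESP tunnel-mode packet still fits in outer_mtu."""
    iv_len, block = CIPHERS[cipher]
    fixed = OUTER_IP_HEADER + ESP_SPI_SEQ + iv_len + ICV_LEN
    # Space left for the block-aligned encrypted region, rounded down to whole blocks.
    region = (outer_mtu - fixed) // block * block
    return region - ESP_TRAILER


if __name__ == "__main__":
    for name in CIPHERS:
        inner = max_inner_mtu(1500, name)
        print(f"{name}: inner MTU {inner} -> outer {esp_tunnel_size(inner, name)} bytes")
```

On a 1500-byte path this gives an inner MTU of 1446 bytes for 3DES and 1438 bytes for AES; one byte more pushes the padded region up a full block and the outer packet past 1500, which is the fragmentation the guide's MTU note is about.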
User Transparency
The Cisco IPSec VPN client has a number of features that aid user transparency, thereby providing equivalent services to those available with 802.1x/EAP solutions:
Auto Initiation: the VPN client can be configured to automatically launch for particular address ranges. In an enterprise, this would be configured to launch within the Enterprise WLAN address ranges.
OS Integration: the VPN client can capture username and password information at login and use these as part of the VPN client login. This is similar to the process used in EAP-Cisco. As an alternative, the VPN client can use stored certificates associated with a specific user, similar to EAP-TLS.
These features, coupled with Auto Initiation, should provide a high level of user transparency.
WLAN Static WEP Keys
This section covers Security Transparency, Application Transparency, Performance Transparency, and User Transparency.
Figure 4-3 (figure: static WEP WLAN connecting into the Enterprise network; labels: Encryption, Authorization)
Security Transparency
Security issues related to static WEP key implementations:
Weak Authentication: any hardware device with a matching configuration and WEP key may join the network. The static WEP key authenticates a group of devices, never individual users.
Encryption Limitation: encryption is at the link layer between the WLAN client and the AP. The current encryption mechanisms available are WEP and WEP plus TKIP and MIC. If possible, WEP plus TKIP and MIC should be used.
Authorization Limitation: authorization is controlled by the VLAN membership associated with the static WEP key.
Accounting: not available.
Application Transparency
As illustrated in Figure 4-3, the WLAN connects at the access layer. Once the WLAN client traffic leaves the AP, it is the same as wired network traffic, subject to the same access control, queuing, and routing. WLAN static WEP solutions should be limited to the specialized applications that the static WEP client supports. The network would appear transparent to this application, but access for all other applications should be blocked.
Performance Transparency
To minimize differences in application performance between the wired and wireless network, utilize the QoS tools available on the WLAN and the APs. Those applications identified as being sensitive to network throughput and delay can be classified and scheduled as required. Load balancing and admission control tools on the WLAN can optimize the usage of the available WLAN resources.
User Transparency
Static WEP requires no authentication and should be transparent to the supported applications and users. The static WEP key only becomes an issue for the user if required to change it.
Cisco WLAN Security Options and Recommendations
This section covers Understanding Overall Network Security, Flexible WLAN Security using VLANs, Headquarters/Campus WLAN Deployment, Branch Office WLAN Deployment, and Additional Security Considerations.
Understanding Overall Network Security
A WLAN can be looked at as another access technology in the overall network architecture. It integrates into the overall end-to-end Cisco AVVID architecture. In addition, Cisco's WLAN architecture integrates into Cisco's overall 802.1x/EAP Identity-Based Networking architecture. Cisco's WLAN security provides the following benefits:
A flexible model allowing dynamic or static WEP key management.
802.1x user authentication for networking devices. This model is also used for wired connectivity.
Enhancements beyond the basic security model defined in 802.11. These include user-based authentication, mutual authentication, dynamic WEP key rotation, and TKIP and MIC to prevent WEP key spoofing and hacking.
These features combine to provide Cisco with the most flexible WLAN security offering in the industry, allowing implementers to choose the architecture that best matches specific security requirements and deployed equipment.
Flexible WLAN Security using VLANs
Figure 4-4 (figure: multiple WLAN security domains on separate VLANs; labels: Developer, PEAP_Authentication VLAN 10, Open_VLAN 99, Authentication VLAN 210, Teleworker, Guest or contractor)
In addition to VLANs having the flexibility to create multiple WLAN security domains for flexible deployments, they also allow flexible migrations from older WLAN security to updated standards or products. This is not only possible because of VLANs, but also because Cisco APs and Cisco Secure ACS support simultaneous WLAN security such as EAP-Cisco, EAP-TLS, PEAP and EAP-Subscriber Identity Module (EAP-SIM). In addition, Cisco Aironet 802.11 NICs support multiple types of WLAN security, including EAP-Cisco and PEAP.
WEP does not define a mechanism for dynamic key-management. This means that the WEP keys must be manually configured on each device and if a device is lost or stolen, all devices must be revisited to update the WEP key. WEP does not provide a mechanism to provide user-based authentication, only device-based. This means that the network authentication is based on the physical device, which could be stolen or lost.
WEP does not define a mechanism to dynamically rotate the WEP keys. This means that if a WEP key is hacked or stolen, it can be used by a hacker to falsely authenticate with the network. WEP does not prevent man-in-the-middle or bit-flipping attacks. This means that a hacker could intercept data between two users and manipulate the content of that data. It has been demonstrated that a key can be derived by passively capturing and processing a sufficient number of WEP-encrypted packets.
To overcome these limitations, Cisco implemented WLAN security based on 802.1x and EAP Authentication. 802.1x provides a Layer 2 authentication mechanism and carries the user authentication that is passed with EAP. Refer to Figure 4-5.
Figure 4-5 WLAN Security based on 802.1x and EAP Authentication (figure: EAP_Authentication between WLAN clients, APs and a RADIUS server; labels: Guest or contractor)
While Cisco's APs and CiscoSecure ACS support multiple EAP authentication types (1), EAP-Cisco, EAP-TLS and PEAP are currently supported end-to-end when using Cisco Aironet or partner NICs. EAP-Cisco provides extensions to EAP for user-based authentication, mutual authentication, and integration with Windows user databases. EAP-Cisco is supported on all Cisco WLAN products and is also licensed to several partners, including Apple and Symbol. PEAP and EAP-TLS are IETF drafts that have been proposed by Cisco, Microsoft and RSA (refer to http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-05.txt). PEAP provides a multi-vendor authentication mechanism with a superset of the functionality of EAP-Cisco. It works with multiple vendors' equipment, as well as multiple types of user databases including Microsoft, LDAP, OTP, RADIUS and NDS. EAP-TLS uses certificate-based authentication (refer to http://www.ietf.org/rfc/rfc2486.txt?number=2486). EAP-TLS is a multi-vendor authentication mechanism that provides authentication based on user and server certificates, and integrates effectively into an existing networking scheme employing a Public-Key Infrastructure (PKI).
Note
Not all OSs currently support 802.1x and EAP supplicants (clients). Support is currently available in Windows XP and will be available via Service Packs on other Windows OSs. With this in mind, Cisco recommends using EAP-Cisco or PEAP as the security mechanism for headquarters/campus WLAN deployments.
(1) EAP-SIM is also supported, but would not normally be used in Enterprise environments.
Beyond overcoming the limitations of WEP, network administrators must also be concerned with three issues in WLAN deployments in the campus:
Providing integration with the rest of the wired network.
Preventing rogue APs from being deployed in their network.
Providing guest access to non-company users (such as contractors and vendors).
These issues are addressed by using 802.1x authentication. 802.1x provides link-layer authentication of network devices, which is verified against a RADIUS server (Cisco Secure ACS). Figure 4-6 presents a generalized illustration of an ACS-based environment. 802.1x is available on Cisco Catalyst Switches. It allows ports on the Catalyst Switches to determine whether connected devices (such as PCs and IP phones) should gain access to the network based on their user credentials. 802.1x is also used between WLAN clients and Aironet APs to pass user-authentication information for EAP-Cisco. This use of 802.1x, EAP and RADIUS provides the integrated link-layer authentication that is the foundation for Identity-Based Networking and secure WLAN deployments.
Figure 4-6 Cisco's 802.1x/EAP Architecture for Wired and Wireless Networks (figure: switched campus network with Cisco ACS servers)
In addition to user authentication, 802.1x can be used as a mechanism to prevent rogue APs from being added to the network. Currently, Cisco Aironet APs do not support an 802.1x supplicant (802.1x client), but the expectation is that they are deployed at a ratio of one AP per 20 to 25 users. This means that the number of wired devices supporting 802.1x would be considerably greater than the number of APs deployed. With this in mind, 802.1x can be enabled on all Catalyst Switch ports except those connected to Cisco Aironet APs. This forces any rogue AP to authenticate via 802.1x; because it cannot, the authentication fails and the Catalyst Switch port blocks access to the network. Refer to Figure 4-7.
Figure 4-7 Preventing Rogue APs using 802.1x on Cisco Catalyst Switches (figure: 802.1x disabled only on authorized AP switch ports, 802.1x pushed to the WLAN edge; labels: Authorized AP, Rogue AP)
Finally, by combining the VLAN functionality and 802.1x authentication on the Cisco Catalyst Switches and Aironet APs, guest access can be provided to non-authorized users and devices. Some Catalyst Switches support only allow and deny, while others support allow, deny, guest, and VLAN selection based on the 802.1x authentication. The ability to change the VLAN of the switch port gives network administrators the ability to designate certain VLANs for guest access (refer to Figure 4-8). This guest access can then be further filtered or firewalled to allow only Internet or other restricted network access to the specific users. Refer to Chapter 10, WLAN Guest Network Access, for more information about Guest Access WLANs.
Figure 4-8 Providing Guest Access using VLANs and 802.1x on Cisco Catalyst Switches and APs (figure; labels: Developer, Engineering_VLAN 10, Contractor_VLAN 210, Guest or contractor)
Dynamic WEP key management and authentication via 802.1x and EAP-Cisco/PEAP.
802.1x for rogue AP detection.
802.1x and VLANs for guest access.
Branch Office WLAN Deployment
Figure 4-9 (figure: branch office connected to headquarters IP Telephony/services over a T1)
The one additional consideration for the branch office implementation is determining whether the Cisco ACS servers should be deployed only at the central site or at remote sites. This determination should be made according to the WAN bandwidth (possibly affecting authentication response times), size of deployment (possibly affecting the scalability of branch offices and branch users with respect to a central ACS), and the administrative capabilities at the branch office.
VLANs allow multiple types of WLAN security to be deployed over a Cisco AVVID infrastructure. 802.1x, EAP-Cisco/PEAP and WEP plus TKIP and MIC combine to provide a secure environment for WLAN deployment with the foundation for moving to updated standards as they become available.
Additional Security Considerations
In addition to the recommendations for the headquarters campus and branch deployments discussed here, several other Cisco technologies can be used to enhance WLAN security. These include IPSec VPNs, firewalls, and intrusion detection systems (IDS). Refer to Figure 4-10.
Figure 4-10 Enhancing WLAN Security with IPSec VPNs, Firewalls and IDS (figure; labels: IP, Open/Authentication VLAN 99)
The Cisco SAFE architecture defines how VPNs, firewalls and IDS should be deployed for both wired and wireless networks. Refer to: http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html
IPSec VPNs offer an enhancement for administrators who cannot provide enough native security in the WLAN environment itself (for example, where open authentication or static WEP is in use). This might involve PC users launching the CiscoSecure VPN Client, or all traffic from a VLAN being placed into an IPSec VPN which is then routed outside the corporate firewall or to a specific internal server application.
Two issues apply to the placement of ACS servers:
The ACS server should not represent a single point of failure.
A network failure should not impact a user's ability to log on.
The first issue is a good reason to replicate the ACS database to a secondary server, allowing for failover and maintenance. This redundancy configuration should be implemented in almost all cases. The second issue is the case in which it is critical to use the local WLAN even in the event of a network failure preventing access to a remote ACS server. Whether this second use of replication is implemented depends on the application architecture of the enterprise. For example, if the applications that the users want to reach are also remote, little is gained by being able to use the WLAN.
Example Architecture
Figure 4-11 shows an example of what an ACS architecture might look like. Campus A holds the authoritative ACS database server. This server is replicated to the other Enterprise ACS servers. APs communicate with the two local ACS servers. Campus B, because of its size and distance from Campus A, has opted for another two ACS servers (thus providing its own backup). Campus C, being smaller and closer to Campus A, has opted to have only one server, and relies on Campus A for backup. The branch offices use the ACS servers that are the shortest network distance from them.
Figure 4-11 (figure: example ACS architecture; Campus A, Campus B with two ACS servers, Campus C with one ACS server)
Chapter 5
This chapter covers VLAN Background, Wireless VLAN Introduction, Wireless VLANs: Detailed Feature Description, and Guidelines for Deploying Wireless VLANs.
VLAN Background
VLANs define broadcast domains in a Layer-2 network. Legacy networks use routers to define broadcast domain boundaries. Layer-2 switches create broadcast domains based on the configuration of the switch. Switches are multi-port bridges that allow the creation of multiple broadcast domains. Each broadcast domain is a distinct virtual bridge within a switch. VLANs have the same attributes as physical LANs, with the additional capability to group end stations onto the same logical LAN segment regardless of the end stations' geographical location. Figure 5-1 shows an example of three wired VLANs in logically defined networks.
Figure 5-1 (figure: three wired VLANs in logically defined networks; labels: Switch 3, Switch 2 Floor 2, Engineering VLAN, HR VLAN)
Single or multiple virtual bridges can be defined within a switch. Each virtual bridge created in the switch defines a new broadcast domain (VLAN). Switch interfaces assigned to VLANs manually are referred to as interface-based or static membership-based VLANs. This type of VLAN is often associated with IP subnetworks. For example, when all of the end stations in a particular IP subnet belong to the same VLAN, traffic cannot pass directly to another VLAN (between broadcast domains) within the switch or between two switches. Traffic between VLANs must be routed. To interconnect two different VLANs, routers are used. These routers execute inter-VLAN routing or routing of traffic between VLANs. Broadcast traffic is then terminated and isolated by these Layer-3 devices (a router or Layer-3 Switch will not route broadcast traffic from one VLAN to another). The two most common VLAN trunking protocols used on Cisco switches and routers are Inter-Switch Link (ISL) and IEEE 802.1Q. ISL (Cisco-proprietary protocol) and 802.1Q (IEEE standard) are encapsulation standards used to interconnect multiple switches and routers via trunking. For more information on these VLAN trunking protocols, please refer to the following URL: http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:Trunking
Wireless VLAN Introduction
Figure (caption not captured; shows APs AP_1A, AP_2A, AP_1B and AP_2B, each offering SSID=Employee mapped to VLAN 15 and SSID=Guest mapped to VLAN 20 into the Enterprise network)
With VxWorks firmware release 12.00T or Cisco IOS firmware release 12.2.4-JA, an 802.1Q trunk can be terminated on an AP (AP 1200, AP 1100, AP 350, and AP 340) or on a bridge (BR 350), allowing access to up to 16 wired VLANs. A unique Service Set Identifier (SSID) defines a wireless VLAN on the AP and the bridge. Each SSID is mapped to a VLAN-id on the wired side (the default SSID-to-VLAN-id mapping). Additionally, with WLANs, the IT administrator can define a per-VLAN security policy on the AP and on the bridge. Refer to the Configuration Parameters per VLAN section for additional information regarding per-VLAN security configuration.
Note
For related information regarding spanning-tree design and implementation considerations, please refer to the Cisco AVVID Network Infrastructure: Implementing 802.1w and 802.1s in Campus Networks SRND.
Figure 5-3 (figure: campus APs such as AP_2 offering SSID=Full-Time and SSID=Guest, with a RADIUS server)
In the indoor WLAN deployment scenario shown in Figure 5-3, four wireless VLANs are provisioned across the campus to provide WLAN access to full-time employees (segmented into Engineering, Marketing, and Human Resources user groups) and guests. Also, as shown in Table 5-1, each wireless VLAN is configured with an appropriate security policy and mapped to a wired VLAN. An IT administrator enforces the appropriate security policies within the wired network for these four different user groups.
Table 5-1 Configuration for Wireless VLANs in Figure 5-3
VLAN-id   Security Policy
14        802.1x with Dynamic WEP + TKIP
24        802.1x with Dynamic WEP + TKIP
34        802.1x with Dynamic WEP + TKIP
44        Open/no WEP
An outdoor WLAN deployment scenario is shown in Figure 5-4. In this example, wireless trunking is used to connect the root bridge to the non-root bridges. The root and non-root bridges terminate the 802.1Q trunk and participate in the spanning-tree protocol (STP) process of bridging networks together.
Note
For related information regarding spanning-tree design and implementation considerations, please refer to the Cisco AVVID Network Infrastructure: Implementing 802.1w and 802.1s in Campus Networks SRND.
Figure 5-4 (figure: Switch_1 to Bridge_1 (Root) to Bridge_2 (non-Root) to Switch_2, each link an 802.1Q trunk; VLANs 11, 12 and 14; SSID=VLAN_14)
Wireless VLANs: Detailed Feature Description
This section covers Configuration Parameters per VLAN, Broadcast Domain Segmentation, Native (Default) VLAN Configuration, Primary (Guest) and Secondary SSIDs, and RADIUS-based VLAN Access Control.
Configuration Parameters per VLAN
The following parameters are configured per SSID:
SSID Name: configures a unique name per wireless VLAN.
Default VLAN ID: the default VLAN-ID mapping on the wired side.
Authentication Types: Open, Shared, and Network-EAP types.
Media Access Control (MAC) Authentication: under Open, Shared, and Network-EAP.
EAP Authentication: under Open and Shared authentication types.
Maximum Number of Associations: ability to limit the maximum number of WLAN clients per SSID.
The following parameters are configured per VLAN-ID:
Encryption Key: the key used for broadcast/multicast traffic segmentation per VLAN. It is also used for static WEP clients (for both unicast and multicast traffic). The IT administrator must define a unique encryption key per VLAN. This is discussed in more detail in the Broadcast Domain Segmentation section.
Enhanced Message Integrity Check (MIC) Verification for WEP: enables MIC per VLAN.
Temporal Key Integrity Protocol (TKIP): enables per-packet key hashing per VLAN.
WEP (Broadcast) Key Rotation Interval: enables broadcast WEP key rotation per VLAN. This is only supported for wireless VLANs with 802.1x protocols enabled (such as EAP-Cisco, EAP-TLS, PEAP, EAP-SIM, and the like).
Default Policy Group: applies a policy group (a set of Layer-2, -3, and -4 filters) per VLAN. Each filter within a policy group is configurable to allow or deny certain types of traffic.
Default Priority: applies a default CoS priority per VLAN.
With an encryption key configured, the VLAN supports standardized WEP. However, Cisco TKIP/MIC/Broadcast Key rotation features are optionally configurable as noted above. Table 5-2 lists the SSID and VLAN-ID configuration parameters.
Table 5-2
Parameter                               SSID Parameter   VLAN-ID Parameter
Authentication Types                    X
Maximum number of Associations          X
Encryption key (Broadcast Key)                           X
TKIP/MIC                                                 X
WEP (Broadcast) Key rotation Interval                    X
Policy Group                                             X
Default Priority (CoS mapping)                           X
An associated workgroup bridge is treated as an infrastructure device
Connection of a root bridge to a non-root bridge
In the above scenarios, Cisco recommends configuring an Infrastructure SSID per AP or bridge. Figure 5-5 illustrates the combined deployment of infrastructure devices (such as workgroup bridges, non-root bridges, and repeaters) along with non-infrastructure devices (such as WLAN clients) in an Enterprise WLAN. The native VLAN of the AP is mapped to the Infrastructure SSID. WEP encryption along with TKIP (at least per-packet key hashing) should be enabled for the Infrastructure SSID. Configuration of a secondary SSID as the Infrastructure SSID is also recommended. The concepts of primary and secondary SSIDs are explained in the next section.
Figure 5-5 (figure content: Branch office; Bridge (Root), Root AP and WGB/repeater connected by 802.1Q trunks with native VLAN=10; SSID=Employee, SSID=Guest, SSID=infrastructure)
RADIUS-based SSID Access Control: Upon successful 802.1x or MAC address authentication, the RADIUS server passes back the allowed SSID-list for the WLAN user to the AP or bridge. If the user used an SSID on the allowed SSID-list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the AP or bridge.
RADIUS-based VLAN Assignment: Upon successful 802.1x or MAC address authentication, the RADIUS server assigns the user to a pre-determined VLAN-ID on the wired side. The SSID used for WLAN access does not matter because the user is always assigned to this pre-determined VLAN-ID.
Figure 5-6 illustrates both RADIUS-based VLAN access control methods. Both the Engineering and Marketing VLANs are configured to allow only 802.1x authentication (such as EAP-Cisco, EAP-TLS, or PEAP). As shown in Figure 5-6, when John uses the Engineering SSID to gain access to the WLAN, the RADIUS server maps John to VLAN-ID 24. This might or might not be the default VLAN-ID mapping for the Engineering SSID. Using this method, a user is mapped to a fixed wired VLAN throughout an Enterprise network. Figure 5-6 also illustrates an example of RADIUS-based SSID access control. David uses the Marketing SSID to gain access to the WLAN. However, the permitted SSID-list sent back by the RADIUS server indicates that David is only allowed access to the Engineering SSID. Upon receipt of this information, the AP disassociates David from the WLAN network. Using this method, a user is given access to only one or more pre-determined SSIDs throughout an Enterprise network.
Figure 5-6 RADIUS-based VLAN Access Control (figure content: John on SSID=Engineering sends an EAP-Request with user-id John and receives EAP-Success with user-id John, VLAN-id=24; David on SSID=Marketing sends an EAP-Request with user-id David and receives EAP-Success with user-id David; the AP/bridge connects over an 802.1Q trunk to the Enterprise network; SSID=Guest is also shown)
IETF 64 (Tunnel Type): Set this to VLAN.
IETF 65 (Tunnel Medium Type): Set this to 802.
IETF 81 (Tunnel Private Group ID): Set this to VLAN-ID.
Cisco IOS/PIX RADIUS Attribute, 009\001 cisco-av-pair Example: Configure the above attribute to allow a user to access the WLAN using the Engineering and Marketing SSIDs only:
ssid=Engineering
ssid=Marketing
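The two RADIUS decisions described above (permitted SSID list carried in cisco-av-pair, VLAN assignment carried in IETF attributes 64/65/81), as an added Python example that is not part of the design guide. The user names, SSIDs and VLAN-ID 24 are the constructed Figure 5-6 scenario; attribute values are assumed to be already decoded from the RADIUS packet, and the numeric codes 13 (VLAN) and 6 (802) are the RFC 2868/3580 enumerations.

```python
"""RADIUS-based wireless VLAN access control on an AP or bridge (added example, not Cisco code).

Two decisions are modelled from one Access-Accept:
  1. SSID access control: is the SSID the client used on the permitted list
     sent as cisco-av-pair "ssid=..." entries?  If not, disassociate.
  2. VLAN assignment: the IETF Tunnel-Type(64)/Tunnel-Medium-Type(65)/
     Tunnel-Private-Group-ID(81) triple overrides the SSID's default VLAN.
Attribute values are assumed to be already decoded (no wire format here).
"""
from dataclasses import dataclass, field
from typing import Optional

# IETF attribute numbers and the enumerated values the text calls for;
# 13 = VLAN and 6 = IEEE-802 are the RFC 2868 / RFC 3580 code points.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class AccessAccept:
    """Decoded attributes of a RADIUS Access-Accept (constructed representation)."""
    ietf: dict = field(default_factory=dict)            # attribute number -> value
    cisco_av_pairs: list = field(default_factory=list)  # e.g. "ssid=Engineering"


def allowed_ssids(accept: AccessAccept) -> Optional[set]:
    """Permitted SSID list from cisco-av-pair entries; None means no list was sent."""
    ssids = {p.split("=", 1)[1].strip() for p in accept.cisco_av_pairs
             if p.startswith("ssid=")}
    return ssids or None


def assigned_vlan(accept: AccessAccept) -> Optional[int]:
    """VLAN-ID from the 64/65/81 triple, or None if the triple is absent or malformed."""
    a = accept.ietf
    if a.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if a.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    try:
        vlan = int(str(a[TUNNEL_PRIVATE_GROUP_ID]))
    except (KeyError, ValueError):
        return None
    return vlan if 1 <= vlan <= 4094 else None  # reject junk rather than trusting it


def admit(accept: AccessAccept, used_ssid: str, default_vlan: int) -> tuple:
    """Return ("associate", vlan) or ("disassociate", reason) for an authenticated client.

    default_vlan is the wired VLAN the SSID maps to when RADIUS sends no override.
    """
    permitted = allowed_ssids(accept)
    if permitted is not None and used_ssid not in permitted:
        return ("disassociate",
                f"SSID {used_ssid} not in permitted list {sorted(permitted)}")
    vlan = assigned_vlan(accept)
    return ("associate", vlan if vlan is not None else default_vlan)


# Constructed Access-Accepts for the two users of Figure 5-6.
JOHN = AccessAccept(ietf={TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
                          TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802,
                          TUNNEL_PRIVATE_GROUP_ID: "24"})
DAVID = AccessAccept(cisco_av_pairs=["ssid=Engineering"])

if __name__ == "__main__":
    print(admit(JOHN, "Engineering", default_vlan=20))   # ('associate', 24)
    print(admit(DAVID, "Marketing", default_vlan=30))    # ('disassociate', ...)
```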
Criteria for Wireless VLAN Deployment, page 5-10: Details selection criteria for wireless VLAN deployment.
Wireless VLAN Deployment Example, page 5-11: Provides a deployment example and summarizes the rules for WLAN VLAN deployment.
Summary of Rules for Wireless VLAN Deployment, page 5-13: Provides best practices to use on the wired infrastructure when deploying wireless VLANs.
Common applications used by all WLAN users. The IT administrator should define:
Wired network resources (such as servers) commonly accessed by WLAN users
Quality of Service (QoS) level needed by each application (such as default class of service)
Common devices used to access the WLAN. The IT administrator should define:
Security mechanisms (Static-WEP, MAC authentication, EAP authentication [such as EAP-Cisco, EAP-TLS, or PEAP], VPN, and the like) supported by each device type
Wired network resources (such as servers) commonly accessed by WLAN device groups
QoS level needed by each device group (such as default CoS or Voice CoS)
After the wireless VLAN deployment criteria are defined, the deployment strategy must be determined. Two standard deployment strategies are:
Segmentation by User Groups: Segmentation of the WLAN user community and enforcement of specific security policies per user group. For example, three wired and wireless VLANs in an enterprise environment might be created for full-time employee, part-time employee, and guest access.
Segmentation by Device Types: Segmentation of the WLAN to allow different devices with different security levels to access the WLAN. For example, it is not recommended to have handheld devices that support only 40/128-bit static-WEP co-exist with other WLAN client devices using 802.1x with dynamic WEP in the same VLAN. In this scenario, devices are grouped and isolated with different levels of security into separate VLANs.
Use of a policy group (set of filters) to map wired policies to the wireless side.
Use of 802.1x to control user access to VLANs using either RADIUS-based VLAN assignment or RADIUS-based SSID access control.
Use of separate VLANs to implement different CoS.
Three different user groups are commonly present across Company XYZ: full-time employees, contract employees, and guests. Full-time and contract employees use company-supplied PCs to access the wireless network. These PCs are capable of supporting 802.1x authentication methods for accessing the WLAN. Full-time employees need full access to the wired network resources. The IT department has implemented application-level privileges for each user via Microsoft Windows NT or Active Directory (AD) mechanisms. Part-time employees are not allowed access to certain wired resources (such as human resource servers and data storage servers). Furthermore, the IT department has implemented application-level privileges for part-time employees (using Microsoft Windows NT or AD mechanisms). Guest users need access to the Internet to launch a VPN tunnel back to their company headquarters. Maintenance personnel (electrical, facilities, and others) use specialized handheld devices that support static 40- or 128-bit encryption to access trouble ticket information via an application server VLAN.
Existing wired VLAN deployment:
Wired VLANs are localized per building (use of unique VLAN-IDs per building).
Layer-3 policies are implemented on all VLANs to prevent users from accessing critical applications (such as network management servers).
In the above case, the IT administrator can deploy wireless VLANs by creating four wireless VLANs as follows:
Step 1
For the Full-Time and Part-Time VLANs, implement 802.1x with dynamic WEP along with TKIP functionality for WLAN access. Tie the user login on the RADIUS server to the Microsoft back-end user database to enable single sign-on for WLAN users. Implement RADIUS-based SSID access control for both Full-Time and Part-Time employees to access the WLAN. This is recommended to prevent part-time employees from VLAN hopping (trying to access the WLAN using the Full-Time VLAN).
Note
In this deployment scenario, VLANs are localized per building with user group mapping to wired VLAN-IDs different for each building. In order to enable users to access the WLAN from anywhere on campus, SSID access control is recommended rather than fixed VLAN-ID assignments.
Step 2
Create a Guest VLAN. Implement Open/No WEP access with a Broadcast SSID by using the primary SSID for the Guest VLAN. Enforce policies on the wired network side to force all Guest VLAN access to an Internet gateway and deny access into the corporate network.
Step 3
Create a Maintenance VLAN. Implement Open/with WEP plus MAC authentication for this VLAN. Enforce policies on the wired infrastructure to only allow access to the maintenance server on the application servers VLAN.
Figure 5-7 illustrates this sample WLAN deployment scenario. Table 5-3 lists the configuration details for Figure 5-7 VLANs.
Figure 5-7 Wireless VLAN Deployment Example (figure content: AP_1 and AP_2 with Native VLAN=10 connected by 802.1Q trunks to the Enterprise network; SSID=Engineering, SSID=Marketing, SSID=HR, SSID=Guest; Management VLAN; RADIUS server)
Table 5-3
VLAN-id   Security Policy                       (header missing)
16        802.1x with Dynamic WEP + TKIP/MIC    Yes
26        802.1x with Dynamic WEP + TKIP/MIC    Yes
36        Open/with WEP + MAC authentication    No
46        Open/no WEP                           No
802.1Q VLAN trunking (hybrid mode only) is supported between the switch and the AP or bridge.
A maximum of 16 VLANs per ESS are supported, with each wireless VLAN represented by a unique SSID name.
The IT administrator must configure a unique encryption key per VLAN.
A maximum of one unencrypted VLAN per ESS is supported.
A maximum of one primary/guest SSID per ESS is supported.
TKIP, MIC, and Broadcast key rotation can be enabled per VLAN.
Open, Shared-Key, MAC, network-EAP (EAP-Cisco), and EAP authentication types are supported per SSID.
Shared-Key Authentication is supported only on the SSID mapped to the native VLAN (this is most likely to be the Infrastructure SSID).
One unique policy group (set of Layer-2, Layer-3, and Layer-4 filters) is allowed per VLAN.
Each SSID is mapped to a default wired VLAN; the ability to override this default SSID-to-VLAN-ID mapping is provided via RADIUS-based VLAN access control mechanisms.
RADIUS-based VLAN-ID assignment per user is supported.
RADIUS-based SSID access control per user is supported.
The ability to assign a CoS mapping per VLAN with eight different levels of priority is supported.
The ability to control the number of clients per SSID is supported.
All APs and bridges in the same ESS must use the same native VLAN-ID to facilitate IAPP communication between APs and bridges.
All WLAN security policies should be mapped to the wired LAN security policies on the switches and routers.
Limit broadcast/multicast traffic to the AP and bridge by enabling VLAN filtering and Internet Group Management Protocol (IGMP) snooping on the switch ports. On the 802.1Q trunks to the AP and bridge, filter to allow only active VLANs in the ESS. Enabling IGMP snooping prevents the switch from flooding all switch ports with Layer-3 multicast traffic.
Map wireless security policies to the wired infrastructure with Access Control Lists (ACLs) and other mechanisms.
The AP does not support the VLAN Trunking Protocol (VTP) or the GARP VLAN Registration Protocol (GVRP) for dynamic management of VLANs because the AP acts as a stub node. The IT administrator must use the wired infrastructure to maintain and manage the wired VLANs.
Enforce security policies via Layer-3 ACLs on the Guest and Management VLANs (recommended).
The IT administrator might implement ACLs on the wired infrastructure to force all Guest
The IT administrator should restrict user access to the native/default VLAN of the APs and bridges with the use of Layer-3 ACLs and policies on the wired infrastructure. Example: Traffic to APs and bridges via the native/default VLAN is only allowed to and from the management VLAN where all the management servers reside, including the RADIUS server.
Note
For more details, refer to the WLAN VLAN deployment guide: http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
5-14
956608
Chapter 6
QoS Overview, page 6-1
Wireless QoS Considerations, page 6-2
802.11 DCF, page 6-4
IEEE 802.11e, page 6-7
Deploying EDCF on Cisco IOS-based APs, page 6-13
Guidelines for Deploying Wireless QoS, page 6-17
QoS Overview
Quality of Service (QoS) refers to the capability of a network to provide better service to selected network traffic over various network technologies. QoS technologies provide the building blocks for business multimedia and voice applications used in campus, WAN, and service provider networks. QoS allows network managers to establish service level agreements (SLAs) with network users. QoS enables network resources to be shared more efficiently and expedites the handling of mission-critical applications. QoS manages time-sensitive multimedia and voice application traffic to ensure that this traffic receives higher priority, greater bandwidth and less delay than best effort data traffic. With QoS, bandwidth can be managed more efficiently across LANs and WANs. QoS provides enhanced and predictable network service by:
Supporting dedicated bandwidth for critical users and applications
Controlling jitter and latency (required by real-time traffic)
Managing and minimizing network congestion
Shaping network traffic to smooth the traffic flow
Setting network traffic priorities
Wireless QoS Deployment Schemes, page 6-2
QoS Parameters, page 6-3
Downstream and Upstream QoS, page 6-3
QoS and Network Performance, page 6-4
(Figure content, figure number not on page: Enterprise Network, IP VoIP phone, Streaming Video; the AP provides EDCF-based mechanisms for downstream wireless QoS, based upon handset registration, CoS, or DSCP)
QoS Parameters
QoS is defined as the measure of performance for a transmission system that reflects its transmission quality and service availability. Service availability is a crucial foundational element of QoS. Before QoS can be successfully implemented, the network infrastructure must be highly available. The network transmission quality is determined by the following factors:
Latency
Latency (or delay) is the amount of time it takes a packet to reach the receiving endpoint after being transmitted from the sending endpoint. This time period is termed the end-to-end delay and can be broken into two areas: fixed network delay and variable network delay. Fixed network delay includes encoding/decoding time (for voice and video), as well as the finite amount of time required for the electrical/optical pulses to traverse the media en route to their destination. Variable network delay generally refers to network conditions, such as congestion, that may affect the overall time required for transit.
Jitter
Jitter (or delay-variance) is the difference in the end-to-end latency between packets. For example, if one packet required 100 msec to traverse the network from the source-endpoint to the destination-endpoint and the following packet required 125 msec to make the same trip, then the jitter is calculated as 25 msec.
Loss
Loss (or packet loss) is a comparative measure of packets faithfully transmitted and received to the total number that were transmitted. Loss is expressed as the percentage of packets that were dropped.
(Figure content, figure number not on page: Radio Downstream, Radio Upstream, Ethernet Upstream)
Radio Downstream QoS refers to the traffic leaving the AP and traveling to the WLAN clients. Radio Downstream QoS is the primary focus of this deployment guide.
Radio Upstream QoS refers to traffic leaving the WLAN clients and traveling to the AP. No vendor support is currently available for radio upstream QoS features for WLAN clients. This support is specified in the 802.11e draft, but has not yet been implemented.
Ethernet Downstream QoS refers to traffic leaving the switch/router and traveling to the AP. QoS may be applied at this point to prioritize and rate limit traffic to the AP. Configuration of Ethernet downstream QoS is not discussed in this design guide.
Ethernet Upstream QoS refers to traffic leaving the AP and traveling to the switch. The AP classifies traffic from the AP to the upstream network according to the traffic classification.
802.11 DCF
Data frames in 802.11 are sent using the Distributed Coordination Function (DCF). The DCF is composed of two main components:
Interframe Spaces (SIFS, PIFS, and DIFS), page 6-4
Random Backoff (Contention Window), page 6-5
DCF is used in 802.11 networks to manage access to the RF medium. A baseline understanding of DCF is necessary in order to deploy 802.11e based EDCF. Please read the IEEE 802.11 specification for more information on DCF.
Figure 6-3 (figure content: timing diagram of busy medium, DIFS, PIFS, SIFS, contention window, backoff window, slot time, next frame and defer access over time t)
Interframe space                       Value (802.11b, see footnote 1)
Short Interframe Space (SIFS)          10 µs
Point Interframe Space (PIFS)          SIFS + 1 x slot time = 30 µs
Distributed Interframe Space (DIFS)    SIFS + 2 x slot time = 50 µs
SIFS
Important frames such as acknowledgments wait the SIFS before transmitting. There is no random backoff when using the SIFS, as frames using the SIFS are used in instances where multiple stations would not be trying to send frames at the same time. The SIFS provides a short and deterministic delay for packets that must go through as soon as possible. The SIFS is not available for use by data frames. Only 802.11 management and control frames use SIFS.
PIFS
An optional portion of the 802.11 standard defines priority mechanisms for traffic that uses PIFS. There is no random backoff mechanism associated with PIFS, as it relies upon a polling mechanism to control which station is transmitting. The option is not widely adopted (see footnote 2) due to the associated overhead and lack of flexibility in its application.
DIFS
Data frames wait the DIFS before beginning the random backoff procedure that is part of the Distributed Coordination Function (DCF). This longer wait ensures that traffic using the SIFS or PIFS timing always gets an opportunity to send before any traffic using the DIFS attempts to send.
1. Generate a random backoff number between 0 and a minimum Contention Window (CWmin).
2. Wait until the channel is free for a DIFS interval.
3. If the channel is still free, begin decrementing the random backoff number for every slot time (20 µs) the channel remains free.
4. If the channel becomes busy (another station got to 0 before your station), decrementing stops and steps 2 through 4 are repeated.
5. If the channel remains free until the random backoff number reaches 0, the frame may be sent.
Footnotes:
1. Figures quoted are for 802.11b, not 802.11a.
2. No known vendor claims to support Profile Connection Files (PCF).
Figure 6-4 Distributed Coordination Function (DCF) Example (figure content: timing diagram of DIFS intervals, Frame transmissions and Defer periods for the stations described below)
Figure 6-4 shows a simplified example of how the DCF process works. In this simplified DCF process, no acknowledgements are shown and no fragmentation occurs. The DCF steps illustrated in Figure 6-4 work as follows:
1. Station A successfully sends a frame, and three other stations also wish to send frames but must defer to Station A's traffic.
2. When Station A completes transmission, all the stations must still defer for the DIFS.
3. Once the DIFS is complete, stations wishing to send a frame can begin decrementing their backoff counter, once every slot time, and may send their frame.
4. Station B's backoff counter reaches zero before those of Stations C and D, and therefore Station B begins transmitting its frame. Once Stations C and D detect that Station B is transmitting, they must stop decrementing their backoff counters and again defer until the frame is transmitted and a DIFS has passed.
5. During the time that Station B is transmitting a frame, Station E gets a frame to transmit, but as Station B is sending a frame it must defer in the same manner as Stations C and D.
6. Once Station B completes transmission and the DIFS has passed, stations with frames to send begin decrementing their backoff counters again. In this case, Station D's backoff counter reaches zero first and it begins transmission of its frame.
7. The process continues as traffic arrives on different stations.
The random number used in the random backoff is initially a number between 0 and aCWmin. If the initial random backoff expires without successfully sending the frame, the station or AP increments the retry counter and doubles the random backoff window size. This doubling in size continues until the size equals aCWmax. The retries continue until the maximum retries or Time To Live (TTL) is reached. This process of doubling the backoff window is often referred to as a binary exponential backoff, and is illustrated in Figure 6-5.
Figure 6-5 Growth in Random Backoff Range with Retries (figure content: backoff range versus retries, growing from aCWmin = 31 through 63, 127, 255 and 511 towards aCWmax)
IEEE 802.11e
This section discusses two 802.11e implementations:
802.11e EDCF-based QoS Implementation, page 6-7
QoS Advertisements by WLAN Infrastructure, page 6-11
Do not alter these settings for production networks without significant tests specific to the applications in question. For example, having a CWmax value less than the CWmin of another class might cause starvation of the other traffic class, as the worst-case random backoff of the preferred class would be better than the best-case random backoff of the less favored class. It should also be noted that the traffic has been queued based on its traffic classification by the AP before the CWmin and CWmax values are applied at the radio. Refer to Figure 6-6.
Figure 6-6 Default CWmin and CWmax Values of Different Traffic Categories
Figure 6-7 shows the principle behind different CWmin values per traffic classification. All traffic waits the same DIFS, but the CWmin value used to generate the random backoff number depends upon the traffic classification. High priority traffic has a small CWmin value, giving a short random backoff, whereas best effort traffic has a large CWmin value that on average gives a large random backoff number.
Figure 6-7 (figure content: DIFS followed by the voice random backoff range and the longer best effort random backoff range, then next frame; defer access shown over time t)
Figure 6-8 shows an example of how the different CWmin values impact traffic priority.
Figure 6-8 Example of Impact of Traffic Classification
(Figure 6-8 content: timing diagram for Station X, Voice 1, Best Effort 1, Voice 2, Best Effort 2 and Voice 3, showing DIFS intervals, Frame transmissions and Defer periods)
1. While Station X is transmitting its frame, three other stations determine that they must send a frame.
2. Each station defers as a frame was already being transmitted, and each station generates a random backoff. As stations Voice 1 and Voice 2 have a traffic classification of voice, they use an initial CWmin of 3, and therefore have short random backoff values. Best Effort 1 and Best Effort 2 generate longer random backoff times, as their CWmin value is 31.
3. Voice 1 has the shortest random backoff time, and therefore starts transmitting first. When Voice 1 starts transmitting, all other stations defer.
4. While station Voice 1 is transmitting, station Voice 3 finds that it needs to send a frame, and generates a random backoff number, but defers due to station Voice 1's transmission.
5. Once Voice 1 finishes transmitting, all stations wait the DIFS, and then begin decrementing their random backoff counters again. Station Voice 2 completes decrementing its random backoff counter first and begins transmission. All other stations defer.
6. Once Voice 2 has finished transmitting, all stations wait the DIFS, and then begin decrementing their random backoff counters again. Best Effort 2 completes decrementing its random backoff counter first and begins transmission. All other stations defer. This happens even though there is a voice station waiting to transmit.
7. This shows that best effort traffic is not starved by voice traffic, as the random backoff decrementing process eventually brings the best effort backoff down to sizes similar to those of high priority traffic, and the random process might, on occasion, generate a small random backoff number for best effort traffic.
8. Once Best Effort 2 finishes transmitting, all stations wait the DIFS, and then begin decrementing their random backoff counters again.
9. Station Voice 3 completes decrementing its random backoff counter first and begins transmission. All other stations defer.
The overall impact of the different CWmin and CWmax values is difficult to show well in the timing diagrams used thus far, as their impact is more statistical in nature. It is simpler to compare two examples, and show the impact of these different values in the average times that should be generated by the random backoff counters. If we compare interactive voice and interactive video, these traffic categories have CWmin values of 3 and 15, and CWmax values of 32 and 63 respectively. This gives the averages for the random backoff counters shown in Table 6-1.
Table 6-1 Random Backoff Averages (only the CWmax column survived extraction: 31, 63, 255)
These averages show that an interactive voice frame would only have an average random backoff time of 30 µs, whereas the average random backoff time for an interactive video frame would be 150 µs. If interactive voice and interactive video stations began trying to transmit at the same time, the interactive voice frame would normally be transmitted first, and with a very small delay. The average maximum gives an indication of how quickly and how large the random backoff counter would grow in the event of a retransmission. A smaller average maximum value indicates a more aggressive traffic classification. No matter how many times it has retried, Interactive Voice's random backoff delay should not, on average, be above the minimum delay of best effort traffic. This means that the average worst-case backoff delay for interactive voice traffic would be the same as the average best-case delay for best effort traffic.
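The backoff arithmetic above, as an added Python example that is not from the design guide: it reproduces the Table 6-1 averages (CWmin 3 gives 30 µs, CWmin 15 gives 150 µs at a 20 µs 802.11b slot), the window doubling of Figure 6-5, and a constructed contention model of Figure 6-8 in which each station's AIFS in slots plus its random backoff decides who transmits first (ties counted as collisions). The uniform 0..CW draw, the doubling rule CW = 2*(CW+1)-1 and the AIFS values are assumptions of this example.

```python
"""EDCF random backoff arithmetic and a small contention model (added example).

Assumptions: 20 µs slot time (802.11b, as in the DCF section); the backoff
counter is drawn uniformly from 0..CW inclusive; after each failed attempt the
window grows as CW = 2*(CW+1)-1 until it reaches CWmax (31 -> 63 -> 127 ...).
The contention model is constructed: each station waits its AIFS (in slots)
plus its backoff, the smallest total wins the medium, equal totals collide.
"""
import random

SLOT_US = 20  # 802.11b slot time in microseconds


def contention_window(cwmin, cwmax, retries):
    """Window size after `retries` failed attempts, capped at cwmax."""
    cw = cwmin
    for _ in range(retries):
        cw = min(2 * (cw + 1) - 1, cwmax)
    return cw


def average_backoff_us(cw, slot_us=SLOT_US):
    """Mean backoff for a uniform draw from 0..cw, in microseconds."""
    return cw / 2 * slot_us


def backoff_table(classes, slot_us=SLOT_US):
    """Per-class (average at CWmin, average at CWmax) in µs, in the spirit of Table 6-1."""
    return {name: (average_backoff_us(cwmin, slot_us), average_backoff_us(cwmax, slot_us))
            for name, (cwmin, cwmax) in classes.items()}


def simulate_contention(stations, trials, seed=1):
    """Count how often each station wins the medium over `trials` rounds.

    stations: {name: (cwmin, aifs_slots)}.  Every station has a frame ready at
    the same instant (the situation after Station X finishes in Figure 6-8).
    Returns {name: wins, ..., "collision": rounds with a tied smallest total}.
    """
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    wins = {name: 0 for name in stations}
    wins["collision"] = 0
    for _ in range(trials):
        totals = {name: aifs + rng.randint(0, cwmin)
                  for name, (cwmin, aifs) in stations.items()}
        best = min(totals.values())
        winners = [n for n, t in totals.items() if t == best]
        if len(winners) == 1:
            wins[winners[0]] += 1
        else:
            wins["collision"] += 1
    return wins


# CWmin values quoted in the text and CWmax values from Table 6-1.
CLASSES = {"interactive voice": (3, 31),
           "interactive video": (15, 63),
           "best effort": (31, 255)}

# Constructed Figure 6-8 style population: voice waits 2 slots (plain DCF),
# best effort is given one extra AIFS slot.
STATIONS = {"Voice 1": (3, 2), "Voice 2": (3, 2),
            "Best Effort 1": (31, 3), "Best Effort 2": (31, 3)}

if __name__ == "__main__":
    for name, (lo, hi) in backoff_table(CLASSES).items():
        print(f"{name:18s} avg min {lo:6.1f} µs   avg max {hi:6.1f} µs")
    print([contention_window(31, 1023, r) for r in range(5)])  # [31, 63, 127, 255, 511]
    print(simulate_contention(STATIONS, trials=2000))
```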
Note
In this EDCF implementation, all WLAN clients are treated equally for upstream transmission (from the WLAN clients to the AP) unless a client (such as a SpectraLink Voice over IP device) implements a proprietary mechanism of obtaining the channel faster compared to the others.
Symbol Technologies, Inc. Extensions (Symbol NetVision handsets only)
QoS Basic Service Set (QBSS): Based on IEEE 802.11e DRAFT version 3.3
Figure 6-9 shows the QBSS Information Element (IE) advertised by a Cisco AP. The channel utilization field indicates the portion of available bandwidth currently used to transport data within the WLAN. The frame loss rate field indicates the portion of transmitted frames that require retransmission or are discarded as undeliverable.
Figure 6-9 QBSS Information Element (IE) Implementation: IEEE 802.11e Draft version 3.3
Figure 6-10 and Figure 6-11 illustrate the mechanism for enabling QoS advertisements on VxWorks APs and bridges and Cisco IOS-based APs.
(Figure 6-9 content: QBSS IE fields Element ID (11), Length (6), followed by the channel utilization and frame loss rate fields described above)
Note
For information about deployment and configuration using VxWorks-based APs, please refer to the WLAN QoS Deployment Guide at the location: http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080144498.html
This section presents EDCF implementation considerations for Cisco IOS-based APs in the following specific sections:
Appliance-based Prioritization, page 6-13
CoS-based Prioritization, page 6-13
Class-Map Based Prioritization, page 6-14
VLAN-based Prioritization, page 6-15
Combining QoS Setting Requirements, page 6-15
Additional QoS Features, page 6-16
Appliance-based Prioritization
The Cisco IOS-based AP can prioritize traffic based upon a WLAN client's request for a particular traffic classification because of its appliance type. Currently, Cisco APs support only VoIP appliances. These VoIP appliances use proprietary registration messages to identify themselves. The best example of this process is the negotiation that occurs between the AP and a Symbol VoIP WLAN handset. A protocol defined by Symbol allows the handset to be identified, and provides downstream traffic to these handsets with an interactive voice classification. The VxWorks-based AP allows a per-station classification of traffic, which allows these handsets to identify themselves and automatically classify traffic. The Cisco IOS AP supports the registration of the handsets to the AP through the global command line interface (CLI) command:
dot11 phone
CoS-based Prioritization
Traffic that arrives at the AP over an Ethernet trunk (if already classified by its CoS settings within IEEE 802.1D) will have that classification mapped to EDCF and applied unless the Per Appliance classification applies a subsequent classification.
Note
The IP Protocol 119 setting provides ongoing support on the AP for SpectraLink IEEE 802.11 handsets.
Figure 6-12 Class-Map based QoS Policy Example
After applying the class-map based QoS policy, the changes are reflected in the AP CLI.
class-map match-all _class_example2
 match ip protocol 119
class-map match-all _class_example0
 match ip precedence 2
class-map match-all _class_example1
 match ip dscp 46
policy-map example
 class _class_example0
  set cos 5
 class _class_example1
  set cos 5
 class _class_example2
  set cos 0
VLAN-based Prioritization
Figure 6-13 illustrates the default priority (CoS) set using a class-map definition on a Cisco IOS-based AP. This class-map is applied to an interface or a VLAN and the specified priority is applied to all traffic, unless the priority is overridden by one of the mechanisms described above (Per Station, 802.1p/802.1D CoS, or Class-Map based IP TOS/DSCP/Protocol).
Figure 6-13 Default CoS Setting Using a Class-Map on a Cisco IOS AP
1. If a station identifies itself as a particular CoS, this is used (Per-Appliance QoS; an example is a Symbol VoIP device).
2. If the frame arrives at the AP with a CoS setting via IEEE 802.1p/802.1D, this is what is used.
3. If a class-map based classification (IP TOS, IP DSCP, IP Protocol, or default CoS) is defined per VLAN or interface, the CoS defined by the class-map based QoS policy is assigned to the specified traffic flow (example: SpectraLink VoIP device).
4. If none of the above mechanisms are viable, the default CoS setting for the VLAN is used for all traffic.
Figure 6-14 illustrates the QoS classification precedence described in the above list.
Figure 6-14 QoS Classification Precedence on Cisco IOS-Based APs
(Figure 6-14 content: flowchart. Per-appliance QoS? No: By CoS value (802.1p marked)? No: Class-map defined per interface or VLAN? No: Apply default CoS (CoS=0). A Yes at any step applies that mechanism's CoS.)
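The precedence of Figure 6-14, as an added Python example that is not Cisco code: a small parser for class-map/policy-map text in the shape of Figure 6-12 (only match ip protocol/dscp/precedence and set cos are understood; class-maps are match-all and classes are tried in policy-map order), followed by the four-step classification. The policy text, frames and CoS values are constructed for the example and are not AP defaults.

```python
"""QoS classification precedence on a Cisco IOS-based AP (added example, not Cisco code).

parse_policy() reads class-map / policy-map text like Figure 6-12 and
classify() applies the four mechanisms in the order of Figure 6-14:
per-appliance CoS, 802.1p CoS from the trunk, class-map policy, VLAN default.
Constructed inputs; the subset of IOS syntax understood is deliberately small.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    """The fields of a downstream frame that the four mechanisms look at."""
    vlan: int
    ip_protocol: Optional[int] = None
    dscp: Optional[int] = None
    precedence: Optional[int] = None
    dot1p_cos: Optional[int] = None      # CoS carried on the 802.1Q trunk
    appliance_cos: Optional[int] = None  # CoS requested by a registered appliance


def parse_policy(text):
    """Return (class_maps, policy).

    class_maps: {name: {"protocol"|"dscp"|"precedence": value}} (match-all)
    policy:     [(class_name, cos), ...] in policy-map order; a class with no
                "set cos" is dropped because it assigns nothing.
    """
    class_maps, policy, current = {}, [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["class-map", "match-all"]:
            current = class_maps.setdefault(words[2], {})
        elif words[:2] == ["match", "ip"] and current is not None:
            current[words[2]] = int(words[3])   # protocol / dscp / precedence
        elif words[0] == "policy-map":
            current = None
        elif words[0] == "class":
            policy.append([words[1], None])
        elif words[:2] == ["set", "cos"] and policy:
            policy[-1][1] = int(words[2])
    return class_maps, [tuple(p) for p in policy if p[1] is not None]


def class_map_cos(frame, class_maps, policy):
    """CoS from the first policy class whose match-all conditions all hold, else None."""
    fields = {"protocol": frame.ip_protocol, "dscp": frame.dscp,
              "precedence": frame.precedence}
    for name, cos in policy:
        conds = class_maps.get(name, {})
        if conds and all(fields.get(k) == v for k, v in conds.items()):
            return cos
    return None


def classify(frame, class_maps, policy, vlan_default_cos):
    """Return (cos, mechanism) following the precedence of Figure 6-14."""
    if frame.appliance_cos is not None:
        return frame.appliance_cos, "per-appliance"
    if frame.dot1p_cos is not None:
        return frame.dot1p_cos, "802.1p"
    cos = class_map_cos(frame, class_maps, policy)
    if cos is not None:
        return cos, "class-map"
    return vlan_default_cos.get(frame.vlan, 0), "vlan-default"


# Constructed policy in the form of Figure 6-12 (CoS values chosen for the example).
POLICY_TEXT = """
class-map match-all _voice_svp
 match ip protocol 119
class-map match-all _ef
 match ip dscp 46
policy-map example
 class _voice_svp
  set cos 6
 class _ef
  set cos 5
"""

if __name__ == "__main__":
    cm, pol = parse_policy(POLICY_TEXT)
    print(classify(Frame(vlan=10, ip_protocol=119), cm, pol, {10: 0}))   # (6, 'class-map')
    print(classify(Frame(vlan=10, dscp=46, dot1p_cos=3), cm, pol, {}))   # (3, '802.1p')
```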
In addition to the CWmin and CWmax values shown in Figure 6-15, a Fixed Slot Time setting is available. The Fixed Slot Time is referred to as the Arbitration Inter Frame Space (AIFS) in the IEEE 802.11e Draft. The AIFS is a variable DCF value. The standard DCF time equals two slot times. Traffic classifications with a slot time greater than two must wait the additional slot times before sending or beginning to decrement their random backoff counters. This gives further precedence to traffic with low CWmin and DCF timing.
IP SoftPhone and Other PC and PDA Based VoIP Solutions, page 6-17
Symbol Handsets, page 6-17
SpectraLink Handsets, page 6-18
Leveraging Existing Network QoS Settings, page 6-18
Symbol Handsets
If Symbol handsets are used in the WLAN, the Symbol Extensions should be enabled.
SpectraLink Handsets
The SpectraLink Voice Protocol (SVP) is prioritized in the same manner as in the pre-WLAN QoS AP configuration because the AP has a default filter to classify all SpectraLink voice traffic with voice priority. The difference between the current AP prioritization scheme and the previously released AP prioritization method is that the prior version was limited to prioritizing within the queuing internal to the AP. With the QoS enhancements, traffic can now be prioritized over the radio interface. Figure 6-16 illustrates the SVP architecture for 12.00T VxWorks and 12.2(4)JA Cisco IOS QoS features:
Figure 6-16 SpectraLink VoIP Deployment
[Figure 6-16: Enterprise Network with an IP NetLink SVP server; the AP provides EDCF-based mechanisms for downstream wireless QoS to the NetLink wireless telephones (VoIP phones).]
Chapter 7 WLAN Roaming
This chapter addresses the WLAN design considerations when assessing Layer-2 roaming of WLAN clients. The process of a WLAN client station roaming from one AP to another AP is discussed in some detail. Although this chapter focuses on roaming at Layer-2 (same IP subnet), the implications of campus-wide roaming at Layer-2 and Layer-3 are also considered. The following primary sections are presented in this chapter:
- Roaming Solution Overview, page 7-2
- Layer-2 Roaming Primer, page 7-4
- Layer-2 Design Recommendations, page 7-9
Cisco AVVID Wireless LAN Design
Layer-3 roaming will be covered in a separate design guide, which will be added to the set of design guides available from http://www.cisco.com. WLANs can provide the ability to connect to the network from any location within the enterprise. The desire to move from one location to another while maintaining an application session is a natural extension of this extended network reach. The trend towards wireless laptop computers and personal digital assistants (PDA) will further accelerate the desire for seamless network access while moving between locations. The benefits of WLANs in general are documented in Chapter 1, WLAN Solution Overview. Some of the WLAN benefits specific to mobility are:
- Innovative Application Deployment: Facilitates implementation of new and innovative applications that require always-on network connectivity (such as actionable alerts, messaging, and workflow applications).
- Improved Efficiency and Productivity: Continuous connectivity allows work to be performed at any time without interruption.
- Increased Accuracy: Enabling data to be captured or updated immediately from any location increases data accuracy.
Layer-2 Design
Mobile IP capability is required to provide seamless roaming across Layer-3 subnet boundaries. Layer-3 roaming will be covered in a separate design guide, but note that every Layer-3 roam is preceded by a Layer-2 (link-layer) roam.
Caveats
Deploying WLANs as recommended in this document might result in multiple Layer-2 subnets on the same floor of a building. Some form of mobile IP will be required to roam seamlessly between the Layer-2 subnets this design recommends.
- Layer-2 Roaming Technical Overview, page 7-4
- Roaming Events, page 7-5
- Roam Process, page 7-7
- Layer-2 Roaming Considerations, page 7-8
[Figure 7-2: Access Point A and Access Point B on the same subnet, linked through IAPP (Inter Access Point Protocol); arrows numbered 1 to 4 mark the roaming events listed below.]
The arrows in Figure 7-2 indicate the following events:
1. A client moves from the AP A coverage area into the AP B coverage area (both APs are in the same subnet). As the client moves out of AP A range, a roaming event will be triggered (such as Max Retries).
2. The client then scans all 802.11 channels for alternative APs. In this case, the client discovers AP B and re-authenticates and re-associates to it.
3. AP B sends a null MAC multicast using the source address of the client. This updates the Content Addressable Memory (CAM) tables in upstream switches and directs further LAN traffic for the client to AP B, and not AP A.
4. AP B sends a MAC multicast using its own source address telling the old AP that AP B now has the client associated to it. AP A receives this multicast and removes the client MAC address from its association table.
The main focus in this chapter is on events 1 and 2 in Figure 7-2. Events 3 and 4 are post-roam actions taken as part of Cisco's proprietary Inter Access Point Protocol (IAPP). It is important to note that roaming is always a client station decision. The client station is responsible for detecting, evaluating, and roaming to an alternative AP.
Event 1 in Figure 7-2 is discussed in more detail in the Roaming Events section on page 7-5 of this document. Roaming Events describes the events that cause a client to initiate the roam process. Event 2 in Figure 7-2 is covered in the Roam Process section on page 7-7. The process of discovering, evaluating, and roaming to an alternative AP is discussed in that section.
Roaming Events
This section details the events that cause a client to roam. The roam process itself is described in the Roam Process section on page 7-7. Roaming is always initiated by the client and is caused by one of the following events (each is covered in a separate section):
- Max Data Retry Count Exceeded, page 7-5
- Missed Too Many Beacons, page 7-6
- Data Rate Shift, page 7-6
- Periodic Client Interval (If Configured), page 7-7
- Initial Client Startup, page 7-7
Clients learn the AP's beacon interval from an element in the beacon. If a client misses eight consecutive beacons, a roaming event is deemed to have occurred and the roam process detailed in the Roam Process section on page 7-7 is initiated. By continuously monitoring for received beacons, even an otherwise idle client is able to detect a loss of wireless link quality and to initiate a roam.
If the client has not attempted to roam in the last 30 seconds then the roam process as described in the Roam Process section on page 7-7 occurs. If the client has already attempted to roam in the last 30 seconds, the data rate for that client is set to the next lower rate.
A client transmitting at less than the default rate increases the data rate back to the next-higher rate after a short time interval if transmissions are successful.
Roam Process
The Roaming Events section on page 7-5 described the events that cause a client to decide that it needs to roam. This section addresses the actions taken by a client station when it roams.
When a roaming event occurs, the client station scans each 802.11 channel (the client scans all 802.11 channels valid in the country in which the client is operating). On each channel, the client station sends a probe and waits for a probe-response or beacon from APs on that channel. The probe responses and beacons received from other APs are discarded unless the conditions listed in Table 7-1 are met.
Table 7-1 AP Conditions Required to be Considered as a Roam Target (a probe-response/beacon must satisfy all conditions)

AP's signal strength
- Client station with Aironet Extensions enabled: greater than 20 percent; if 20+ percent weaker than the current AP, then absolute signal strength must be at least 50 percent.

Radio hops
- Client station with Aironet Extensions enabled: if the AP is in repeater mode and is more radio hops from the backbone than the current AP, its signal strength must be more than 20 percent greater than the current AP.
- Client station without Aironet Extensions: not applicable; radio hop information is a Cisco proprietary element in beacons.

Transmitter load
- Client station with Aironet Extensions enabled: the new AP must not have more than a 10 percent worse transmitter load than the current AP.
- Client station without Aironet Extensions: not applicable; AP transmitter load information is a Cisco proprietary element in beacons.
If the conditions in Table 7-1 are satisfied, then a client roams to a new AP that best meets one of the conditions specified in Table 7-2.
Table 7-2 Choosing from Eligible Roam Targets

Client station with Aironet Extensions enabled (AP must satisfy any condition):
- Signal strength is more than 20 percent stronger
- Fewer hops to the backbone
- 4 (or more) fewer clients associated to it

Client station without Aironet Extensions (AP must satisfy all conditions):
- Unknown; implementation dependent
- Not applicable; backbone hops information is a Cisco proprietary element in beacons
- Not applicable; AP client association load information is a Cisco proprietary element in beacons
- Not applicable; AP transmitter load information is a Cisco proprietary element in beacons
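As an added illustration (not Cisco client code), the eligibility filter of Table 7-1 and the selection rule of Table 7-2 expressed as a small Python decision routine; the percent values, the tie-break between several qualifying APs and the selection rule for a client without Aironet Extensions are this example's assumptions where the tables leave them open.

```python
"""Roam-target evaluation following Tables 7-1 and 7-2.

Added illustration, not Cisco client code. Signal strength and transmitter
load are the percent values the tables quote; the AP records in demo() are
constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AP:
    name: str
    signal: int             # received signal strength, percent
    hops: int = 0           # radio hops to the backbone (0 = root AP)
    repeater: bool = False  # AP is in repeater mode
    tx_load: int = 0        # transmitter load, percent
    clients: int = 0        # associated clients


def is_eligible(candidate: AP, current: AP, aironet_ext: bool) -> bool:
    """Table 7-1: a probe-response/beacon must satisfy ALL conditions."""
    if candidate.signal <= 20:
        return False
    # 20+ points weaker than the current AP: absolute strength must be >= 50.
    if current.signal - candidate.signal >= 20 and candidate.signal < 50:
        return False
    if not aironet_ext:
        # Hop and transmitter-load data are Cisco proprietary beacon
        # elements, so a client without Aironet Extensions cannot use them.
        return True
    # A repeater farther from the backbone must be >20 points stronger.
    if (candidate.repeater and candidate.hops > current.hops
            and candidate.signal - current.signal <= 20):
        return False
    # Transmitter load may be at most 10 points worse than the current AP.
    return candidate.tx_load <= current.tx_load + 10


def meets_selection(candidate: AP, current: AP, aironet_ext: bool) -> bool:
    """Table 7-2: with Aironet Extensions any one condition suffices."""
    stronger = candidate.signal - current.signal > 20
    if not aironet_ext:
        # The table calls the non-Aironet choice implementation dependent;
        # using the signal comparison alone is this example's assumption.
        return stronger
    fewer_hops = candidate.hops < current.hops
    lighter = current.clients - candidate.clients >= 4
    return stronger or fewer_hops or lighter


def choose_roam_target(candidates: List[AP], current: AP,
                       aironet_ext: bool) -> Optional[AP]:
    """Filter with Table 7-1, select with Table 7-2, then break ties."""
    qualifying = [ap for ap in candidates
                  if is_eligible(ap, current, aironet_ext)
                  and meets_selection(ap, current, aironet_ext)]
    if not qualifying:
        return None
    # Tie-break (assumption): strongest signal first, then fewest hops.
    return max(qualifying, key=lambda ap: (ap.signal, -ap.hops))


def demo() -> dict:
    """Constructed scan: the same candidates as seen by both client types."""
    current = AP("AP-A", signal=40, hops=0, tx_load=30, clients=10)
    scan = [
        AP("AP-B", signal=65, tx_load=35, clients=9),              # clearly better
        AP("AP-C", signal=15),                                     # too weak
        AP("AP-D", signal=55, hops=1, repeater=True, tx_load=30),  # repeater, only 15 points stronger
        AP("AP-E", signal=45, tx_load=50),                         # load 20 points worse
        AP("AP-F", signal=48, tx_load=30, clients=4),              # 6 fewer clients
    ]
    with_ext = choose_roam_target(scan, current, aironet_ext=True)
    without_ext = choose_roam_target(scan, current, aironet_ext=False)
    return {
        "aironet": with_ext.name if with_ext else None,
        "plain": without_ext.name if without_ext else None,
        "eligible_aironet": [ap.name for ap in scan if is_eligible(ap, current, True)],
    }
```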
Note
There are 11 channels available in the US. There are 13 channels defined by the 802.11 specification. Their usage varies from country to country.

To find out if a better AP is available, the client must cease transmitting and receiving on the current channel and move sequentially through each of the possible alternative channels. The following actions need to occur on each of the channels scanned:
1. Radio hardware needs to move to and settle on the new channel.
2. Client needs to listen to the new channel long enough to avoid a collision, as per the CSMA/CA media access implemented in 802.11.
3. Client transmits a probe frame.
4. Client receives a probe-response or a beacon frame.
- Cisco AVVID Design, page 7-9
- Sizing the Layer-2 Domain, page 7-10
- Roaming Implementation Recommendations, page 7-10
Note
For related information regarding spanning-tree design and implementation considerations, please refer to the Cisco AVVID Network Infrastructure: Implementing 802.1w and 802.1s in Campus Networks SRND.
Chapter 8
- Multicast WLAN Deployment Recommendations, page 8-1
- IP Multicast WLAN Configuration, page 8-2
- Other Considerations, page 8-4
- Summary, page 8-5
Tip
For information about IP multicast theory, deployment, and configuration, please see the Cisco AVVID Network Infrastructure IP Multicast Design SRND.
Note
This chapter uses MoH and IP/TV in the examples. It does not, however, provide configurations and designs for MoH and IP/TV. Also, other types of IP multicast implementations, such as IP multicast for financial deployments, are not covered.
Note
Filters on the AP and bridge do not provide the flexibility needed for true multicast control.

If IP Multicast is to be deployed and streamed across the wireless network, then the following recommendations should be implemented:
- Prevent unwanted multicast traffic from being sent out on the air interface.
- Place the WLAN in its own subnet.
- Control which multicast groups are allowed by implementing multicast boundaries on the egress
- To gain the highest AP/bridge performance for multicast traffic and data traffic, configure the APs and bridges to run at the highest possible fixed data rate. This removes the requirement for multicast to clock out at a slower rate, which can impact the range of the AP/bridge and must be taken into account in the site survey.
- If multicast reliability is a problem (seen as dropped packets), ignore the preceding recommendation and use a slower data rate (base rate) for multicast. This gives the multicast a better signal-to-noise ratio and can reduce the number of dropped packets.
- Test the multicast application for suitability in the WLAN environment. Determine the application and user performance effects when packet loss is higher than that seen on wired networks.
239.255.0.1 is a high-rate (1.4 Mbps) video stream. 239.192.248.1 is a low-rate (100 Kbps) video stream.
The low-rate stream is allowed and the high-rate stream is disallowed on the WLAN link. A multicast boundary is used to control multicast forwarding and IGMP packets.
Figure 8-1 Testbed for Wireless LAN using an Access Point
[Figure 8-1: IP/TV server 10.5.10.22 on the campus (source for the 239.255.0.1 high-rate stream and the 239.192.248.1 low-rate stream) -> L3-Switch (.1) -> 350 AccessPoint (.100)]
In this configuration:
L3-SWITCH connects to the campus network and the Cisco Aironet 350 Access Point (10.1.200.100). The VLAN 200 interface on L3-SWITCH has the IP address of 10.1.200.1 and is the interface that provides the boundary for IP multicast. The laptop computer (10.1.200.101) has a Cisco Aironet 350 PC Card and is running the IP/TV Viewer software.
interface Vlan200
 description WLAN VLAN
 ip address 10.1.200.1 255.255.255.0
 ! Enables PIM on the interface.
 ip pim sparse-mode
 ! Boundary refers to named ACL IPMC-WLAN and controls multicast forwarding AND IGMP packets.
 ip multicast boundary IPMC-WLAN
!
ip access-list standard IPMC-WLAN
 ! Permits the low-rate stream (239.192.248.1).
 permit 239.192.248.1
239.255.0.1 is a high-rate (1.4 Mbps) video stream. 239.192.248.1 is a low-rate (100 Kbps) video stream.
The low-rate stream is allowed and the high-rate stream is disallowed on the P2P wireless link. To control what multicast traffic passes over the P2P link, only the ip multicast boundary configuration on ROUTER is needed. Because the multicast boundary prevents hosts from joining unwanted groups, the network never knows to forward unwanted traffic over the P2P link.
Figure 8-2 Testbed for Point-to-Point Wireless Network using Bridges
[Figure 8-2: IP/TV server 10.5.10.22 on the campus (source for the 239.255.0.1 high-rate stream and the 239.192.248.1 low-rate stream) -> campus VLAN 100 (10.1.100.x) -> point-to-point bridge link -> ROUTER (.2) -> remote LAN 10.1.101.x via L2-Switch-PWR]
In this configuration:
L3-SWITCH (VLAN 100-10.1.100.1) connects to the campus network and the P2P wireless network. The P2P wireless link is made possible by two Cisco Aironet 350 Bridges, 350-Bridge-L (10.1.100.100) and 350-Bridge-R (10.1.100.101). ROUTER (10.1.100.2) connects to the P2P wireless network and the remote site network (10.1.101.1) via L2-SWITCH-PWR. The laptop computer (10.1.101.2) is running the IP/TV Viewer software.
If the remote side of the P2P link has a Layer 2 switch and no Layer 3 switch or router, then a boundary can be placed on the VLAN 100 interface of L3-SWITCH2. Also, in a Point-to-Multipoint (P2MP) deployment, a mix of both may be needed. Both configurations are shown here for reference. Following is the configuration for L3-SWITCH.
interface Vlan100
 description VLAN for P2P Bridge
 ip address 10.1.100.1 255.255.255.0
 ! Enables PIM on the interface.
 ip pim sparse-mode
 ! Boundary refers to named ACL IPMC-BRIDGE.
 ip multicast boundary IPMC-BRIDGE
!
ip access-list standard IPMC-BRIDGE
 ! Permits the low-rate stream (239.192.248.1).
 permit 239.192.248.1
To prevent unwanted IGMP messaging and multicast traffic from traversing the P2P wireless link on the receiver side (remote LAN - 10.1.101.x), an ip multicast boundary is configured on the Fast Ethernet 0/1 interface of ROUTER. Following is the configuration for ROUTER.
! Interface number taken from the text above (Fast Ethernet 0/1 of ROUTER);
! the /24 mask is inferred from the 10.1.101.x remote LAN.
interface FastEthernet0/1
 description Local LAN
 ip address 10.1.101.1 255.255.255.0
 ! Enables PIM on the interface.
 ip pim sparse-mode
 ! Boundary refers to named ACL IPMC-BRIDGE.
 ip multicast boundary IPMC-BRIDGE
!
ip access-list standard IPMC-BRIDGE
 ! Permits the low-rate stream (239.192.248.1).
 permit 239.192.248.1
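An added example (not from the design guide or Cisco IOS): a small Python audit that parses an IOS-style configuration and reports any PIM-enabled interface that lacks a multicast boundary, or whose boundary ACL would let a denied group through or block an allowed one. The sample configuration is constructed from the Vlan200 block above plus a second, deliberately unprotected WLAN VLAN (Vlan201), which is not part of the original testbed.

```python
"""Audit of ip multicast boundary coverage on PIM-enabled interfaces.

Added example, not from the Cisco design guide. SAMPLE_CONFIG is constructed:
the page's Vlan200 block plus a Vlan201 that is missing its boundary. An IOS
standard ACL ends in an implicit deny, which acl_permits() models.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
interface Vlan200
 description WLAN VLAN
 ip address 10.1.200.1 255.255.255.0
 ip pim sparse-mode
 ip multicast boundary IPMC-WLAN
!
interface Vlan201
 ip address 10.1.201.1 255.255.255.0
 ip pim sparse-mode
!
ip access-list standard IPMC-WLAN
 permit 239.192.248.1
"""

Ace = Tuple[str, int, int]  # (action, address, wildcard mask)


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ace(words: List[str]) -> Ace:
    """One standard ACL entry: [seq] permit|deny any | host A | A | A WILDCARD."""
    if words[0].isdigit():  # optional sequence number
        words = words[1:]
    action, rest = words[0], words[1:]
    if rest[0] == "any":
        return action, 0, 0xFFFFFFFF
    if rest[0] == "host":
        return action, _ip(rest[1]), 0
    wildcard = _ip(rest[1]) if len(rest) > 1 else 0
    return action, _ip(rest[0]), wildcard


def parse_config(text: str) -> Tuple[Dict[str, dict], Dict[str, List[Ace]]]:
    """Collect {interface: {pim, boundary}} and {acl name: [entries]}."""
    interfaces: Dict[str, dict] = {}
    acls: Dict[str, List[Ace]] = {}
    block: Optional[Tuple[str, str]] = None  # ("interface"|"acl", name)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            block = None
            continue
        words = line.split()
        if not raw.startswith(" "):  # a top-level command opens or ends a block
            block = None
            if words[0] == "interface":
                block = ("interface", words[1])
                interfaces[words[1]] = {"pim": False, "boundary": None}
            elif words[:3] == ["ip", "access-list", "standard"]:
                block = ("acl", words[3])
                acls[words[3]] = []
        elif block and block[0] == "interface":
            if words[:2] == ["ip", "pim"]:
                interfaces[block[1]]["pim"] = True
            elif words[:3] == ["ip", "multicast", "boundary"]:
                interfaces[block[1]]["boundary"] = words[3]
        elif block and (words[0] in ("permit", "deny") or words[0].isdigit()):
            acls[block[1]].append(parse_ace(words))
    return interfaces, acls


def acl_permits(entries: List[Ace], group: str) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    g = _ip(group)
    for action, addr, wildcard in entries:
        if (g ^ addr) & ~wildcard & 0xFFFFFFFF == 0:
            return action == "permit"
    return False


def audit(text: str, allowed: List[str], denied: List[str]) -> List[Tuple[str, str]]:
    """Findings as (interface, problem) for every PIM-enabled interface."""
    interfaces, acls = parse_config(text)
    findings: List[Tuple[str, str]] = []
    for name, props in interfaces.items():
        if not props["pim"]:
            continue
        acl = props["boundary"]
        if acl is None:
            findings.append((name, "PIM enabled but no ip multicast boundary"))
        elif acl not in acls:
            findings.append((name, f"boundary references undefined ACL {acl}"))
        else:
            for group in denied + allowed:
                permitted = acl_permits(acls[acl], group)
                if permitted != (group in allowed):
                    verb = "permits denied" if permitted else "blocks allowed"
                    findings.append((name, f"{acl} {verb} group {group}"))
    return findings
```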
Other Considerations
The following additional considerations apply to deploying IP multicast in a WLAN environment:
- The WLAN LAN extension via EAP and WLAN static WEP solutions can support multicast traffic on the WLAN; the WLAN LAN extension via IPSec solution cannot.
- The WLAN has an 11 Mbps available bit rate that must be shared by all clients of an AP. If the AP is configured to operate at multiple bit-rates, multicasts and broadcasts are sent at the lowest rate to ensure that all clients receive them. This reduces the available throughput of the network because traffic must queue behind traffic that is being clocked out at a slower rate.
- Cisco Group Management Protocol (CGMP) and/or Internet Group Management Protocol (IGMP) should be used to limit the multicast traffic on each AP to the traffic required by associated clients. If a client roams with these features configured on an upstream switch, the multicast stream might not be delivered to the new AP. To address this, the Cisco AP can be configured to generate a general IGMP query when a client associates or disassociates. This allows the upstream switch to learn which multicast groups are required on that AP.
- Multicast and broadcast frames from the AP are sent without requiring link-layer acknowledgement. Every unicast packet is acknowledged and retransmitted if unacknowledged. The purpose of the acknowledgement is to overcome the inherently unreliable nature of wireless links. Broadcasts and multicasts are unacknowledged due to the difficulty of managing and scaling the acknowledgements. This means that a network that is seen as operating well for unicast applications can experience degraded performance in multicast applications.
- Enterprise customers who use WLAN in laptops would normally use Constant Awake Mode (CAM) as the power-save mode. If delay-sensitive multicast traffic is being sent over the WLAN, customers should ensure that only the CAM configuration is used on their WLAN clients. Based on the 802.11 standard, if the client is in power-save mode, the AP buffers broadcast and multicast traffic until the next beacon period that contains a delivery traffic information map (DTIM) transmission. The default period is 200 ms. Enterprises that use WLAN on small handheld devices will most likely need to use the WLAN power-save features (Max or Fast) and should not attempt to run delay-sensitive multicast traffic over the same WLAN.
Summary
In summary, when using IP multicast in the WLAN, follow these recommendations.
- Place the WLAN AP or bridge on a separate VLAN or Layer 3 interface so multicast boundaries can be implemented.
- Use the ip multicast boundary command to prevent IGMP joins and multicast forwarding on denied multicast groups. In a WLAN using APs, the boundary should be placed on the VLAN or Layer 3 interface connecting to the AP. In a WLAN using bridges, the boundary is placed on the VLAN or Layer 3 interface connecting to the remote receiver side. If no Layer 3 capable device is used at the remote site, the boundary is placed on the VLAN or Layer 3 interface connecting to the bridge at the main site. Also, a combination of a boundary at the receiver side and at the bridge connection at the main site may be needed in a P2MP deployment.
- Set the highest possible fixed data rate on the APs and bridges to ensure the best possible performance for multicast and data traffic. If dropped packets occur and impact the performance of the application, the fixed data rate on the APs and bridges may need to be reduced to ensure a better signal-to-noise ratio, which can reduce dropped packets.
Chapter 9 WLAN Rogue AP Detection and Mitigation
- Provide enterprise employees with a secure WLAN infrastructure supported by an enterprise IT department. This removes the motivation for rogue AP installation.
- Implement 802.1x on enterprise edge switches to provide complete rogue AP prevention.
Methods for detecting rogue APs in the enterprise include wireless methods, such as using the free Boingo WLAN hotspot locator client to detect WLANs, and the use of sophisticated analysis tools on the Ethernet backbone. None of the available tools for detecting rogue APs guarantees the detection of all rogue APs, and a combination of tools should be used to raise the probability of detection. This appendix outlines the threat posed by rogue APs in the Enterprise Network and some strategies for preventing and detecting them. The following sections are presented:
- Rogue AP Summary and Scope of Problem, page 9-2
- Preventing and Detecting Rogue APs, page 9-6
This appendix does not consider a misconfigured production AP to be a rogue AP. Cisco's Wireless LAN Solution Engine (WLSE) is capable of checking the configuration on production APs. The Aptools program mentioned in the Using MAC Addresses to Detect Rogue AP section on page 9-16 is also capable of checking the security configuration on discovered APs. This appendix divides people installing rogue APs into the categories described in Table 9-1.
WLAN Rogue AP Detection and Mitigation Rogue AP Summary and Scope of Problem
Table 9-1 Rogue AP Threat

Malicious Hacker (James Bond)
Threat description: Someone who, having penetrated physical security once, installs an AP in order to access the Enterprise Network from outside the physical perimeter in the future. Very difficult to detect because the intruder can customize the wireless AP to disguise it from tools designed to detect it. Rogue AP prevention techniques such as physical security and 802.1x port-based security are most effective against this class of threat. This class of user is more likely to install a specialized network device than an AP. An AP requires a hacker to be within range of the AP in order to use it. This is both inconvenient and dangerous for a hacker, who is more likely to install a specialized device that establishes a tunnel outbound from the enterprise to another device somewhere on the Internet. The hacker might then use the pre-established tunnel to access the Enterprise Network from anywhere on the Internet (see When Dreamcasts Attack in the Security References section on page 1-8).

Frustrated Insider
Threat description: Someone who installs an unauthorized AP in order to provide wireless coverage where none is officially available. For example, enabling wireless networking in a meeting room, cafeteria, outdoor space, or other common area. The wide availability of low-cost APs makes this installation type very easy. The threat posed by this class of installer is that the person installing the AP is often ignorant of the security features that are necessary to prevent outsiders from accessing the Enterprise Network, and the consumer-grade AP commonly used in this installation does not have the features to provide an enterprise level of security.
This appendix discusses a variety of ways in which an enterprise can prevent and detect rogue AP installations. The focus here is on the Frustrated Insider class of user as they are considered to be the most common source of rogue AP installations and are the easiest to detect. Some of the techniques mentioned may detect the malicious hacker class of user, but as mentioned previously, it is best to concentrate on preventing this class of user through physical security and 802.1x. Rogue AP detection is broken into wireless, wired, and physical observation methods. A combination of these methods is necessary to be most effective.
- They often use well-known manufacturer default settings that provide little or no security
- They do not have WEP (encryption) enabled
- If WEP is enabled, the Cisco enhancements such as TKIP and MIC are not available or enabled
- If VPN protection is the company security policy for WLANs, rogue APs may be placed on the internal network instead of on the WLAN DMZ
The end result of these security shortcomings is that outsiders have a method to connect to the Enterprise Network without the need to first bypass physical security mechanisms such as locked doors, security guards, and vigilant employees. Outsiders may wish to gain WLAN access for the following purposes:
- To gain free access to the Internet (via the Enterprise Network's connection)
- To gain access to the Enterprise Network, possibly to launch attacks on other enterprise resources such as servers containing confidential information or running mission-critical applications
- To observe confidential Enterprise WLAN traffic
Tool / Description

Netstumbler
http://www.netstumbler.com/ Free Windows and WinCE software that scans for wireless APs. Provides information about SSID, WEP enabled, 802.11 channel, signal strength, location (if used with GPS) and more.

Airsnort
Free WLAN tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. WEP plus TKIP and MIC strengthens WEP, preventing key recovery.
With Netstumbler, an outsider can discover the existence of an insecure wireless LAN, and can then access the WLAN to gain access to the Enterprise Network or to observe confidential WLAN traffic. If Netstumbler shows that WEP is being used to encrypt WLAN traffic, Airsnort can be used to determine the WEP key. If Netstumbler shows that the WLAN has been installed with no WEP enabled, then network access can be gained just by configuring the client to match the detected network. Figure 9-2 illustrates a screen capture taken from a Pocket PC during a commute to work. Netstumbler identified 68 access-points. The first column of the display indicates whether or not WEP is enabled for each AP discovered. Other information such as 802.11 channel, Signal-to-Noise Ratio (SNR), and (if a GPS is connected) longitude and latitude can also be displayed.
Figure 9-2 Netstumbler on PPC (MiniStumbler)
The Netstumbler capture shown in Figure 9-2 was taken from within a moving car, with no specialized equipment such as an external antenna necessary. Another phenomenon receiving media attention is warchalking, where chalk symbols are placed on buildings signifying the presence and characteristics of wireless LAN networks. For more information on warchalking, perform a Google search on warchalk, or go to the following website: http://www.blackbeltjones.com/warchalking/index2.html
Prevention
- Corporate Policy
- Physical security
- Supported WLAN infrastructure
- 802.1x port based security on edge switches

Detection
- Using wireless analyzers/sniffers
- Using scripted tools on the wired infrastructure
- By physically observing WLAN AP placement and usage
- Preventing Rogue APs, page 9-7
- Detecting Rogue APs Wirelessly, page 9-12
[Figure: rogue AP prevention measures shown across Layer 3 subnets A and B: secure/supported WLAN infrastructure provided; 802.1x on switches; WLAN policy; physical security.]
Preventing and Detecting Rogue APs
- Corporate WLAN Policy, page 9-7
- Physical Security, page 9-7
- Supported Wireless Infrastructure, page 9-7
- IEEE 802.1x Port-based Security to Prevent APs, page 9-7
- Using Catalyst Switch Filters to Limit MAC Addresses per Port, page 9-10
Physical Security
Physical security also plays a part in rogue AP prevention. Physical security standards should be in place to prevent an intruder from gaining unauthorized access to the enterprise premises or to detect the intruder if physical access is gained.
Figure 9-4 802.1x Disabled Only on Authorized AP Switch Ports (802.1x Pushed to the WLAN Edge)
[Figure 9-4 shows an Authorized AccessPoint and a Rogue AccessPoint connected to switch ports.]
- User and/or device authentication.
- Granting or denying network access at an individual port level, based on configured authorization policy.
- Enforcing additional applicable policies, such as resource access and quality of service, on any access granted.
These abilities are introduced when a Cisco end-to-end solution is implemented with the following features and technologies:
- Cisco Catalyst 4000 or 6000 family switches
- Cisco Catalyst 2950 or 3550 switches
- CiscoSecure Access Control Server (ACS) for Windows v3.1
- An 802.1x compliant client operating system, such as Microsoft Windows XP, Windows 2000, or Windows 98 (see below for details)
- Optionally, for strong authentication, an X.509 Public Key Infrastructure (PKI) certificate architecture
By configuring 802.1x compliant client software with a PKI certificate, or username and password, the Cisco Catalyst family switches running 802.1x features authenticate the requesting user or system in conjunction with a back-end CiscoSecure ACS server. Figure 9-5 illustrates these concepts.
Figure 9-5 802.1x Operation
User or device credentials and reference information are processed by the CiscoSecure ACS server. CiscoSecure ACS is able to reference user or device policy profile information either internally, using the integrated user database, or from external database sources such as Microsoft Active Directory, LDAP, Novell NDS, or Oracle databases. This allows for the integration of the solution into existing user management structures and schemes, thereby simplifying overall management. Table 9-3 summarizes the 802.1x authentication types supported and available on Cisco switches and APs.
Table 9-3 Supported/Available 802.1x Authentication Types (Cisco Switches and APs)

Authentication types (wired ports):
- Protected EAP
- EAP-TLS
- EAP-MD5 (not suitable for wireless due to lack of mutual authentication support)

Client stacks:
- Microsoft Windows XP Professional (integrated)
- Microsoft Windows 2000 and 2000 Server, NT4.0, ME, 98 and 98SE (Microsoft add-on): http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp and http://support.microsoft.com/default.aspx?scid=kb;en-us;313664
- Linux (open source add-on)
- Sun Solaris (open source add-on)
- EAP-Cisco client (wireless only)
- Funk client: http://www.funk.com/
- MeetingHouse Client: http://www.mtghouse.com/products/client/index.shtml
Although the above client stacks allow enterprises to enable 802.1x on most PCs, there are likely to be some network-attached devices that lack 802.1x support. Non 802.1x capable devices include:
- IP phones
- Printers
  Note: HP has support in wireless Jet-Direct printers and is considering support for wired printers.
- WLAN APs
Note
This command is not necessary if 802.1x is used to provide port-based security as 802.1x limits the number of MAC addresses per-port by default. With this command, it is possible to limit the number of MAC addresses to one (for user PC) or two (for user IP phone and PC). With this command enabled, it might be possible to connect a rogue AP to the network (instead of a phone or a PC), but it would not be possible to use the AP.
Limitations of Using Catalyst Switch Filters to Limit MAC Addresses per Port
In an IP phone environment, two MAC addresses are needed per port: one for the phone and one for the user PC. If a rogue AP were plugged into an unused port on the network, one wireless client could associate to it without being blocked by the port filter.
- Detecting Rogue APs Wirelessly, page 9-12
- Other Wireless Analyzers, page 9-13
- Detecting Rogue AP from the Wired Network, page 9-15
- Detecting Rogue APs Physically, page 9-19
Wireless Detection Advantages
- Often picks up APs that the other rogue AP detection methods miss.
- Very effective at detecting APs installed by the Frustrated Insider class of installer (default security options/broadcast SSID).

Wireless Detection Caveats
- You must be within range of an AP to be able to detect it.
- Requires labor-intensive walking around with an analyzer.
- Many tools do not see APs that do not broadcast their SSID.
- Cannot easily survey remote sites.
- WLAN AP signals are often difficult to pick up due to building materials blocking 802.11 signals.
- The WLAN is broadcasting its SSID: The Frustrated Insider class of user is responsible for the vast majority of rogue AP installs, and this type of user is unlikely to have the sophistication or intent to turn broadcast SSID off.
- The WLAN is not broadcasting its SSID: For Boingo to be able to detect a non-broadcast SSID, the WLAN must be active enough for the Boingo client to observe a probe-request/probe-response sequence. The WLAN SSID is always visible in this sequence of frames. This sequence of frames does not happen very often and is unlikely to be detected during a one-time audit of an area with a lightly loaded rogue AP.
Installing Boingo
The Boingo download is about 10 Mbytes. The install is quick and simple and does not normally require the PC to be rebooted. Once installed, Boingo starts automatically when Windows is started. Boingo has some impact on normal WLAN operation because it briefly stops transmitting WLAN frames in order to scan all 802.11 channels for WLAN networks. After installation, users might wish to prevent Boingo from auto-starting with Windows by removing it from the Start>Programs>Startup folder. Boingo can then be started manually, as required.
Using Boingo
When Boingo is running, it is visible as a white letter B icon on the task bar. Double-clicking this icon launches the Boingo application, where all visible 802.11 WLAN networks are displayed. A sample Boingo screen is displayed in Figure 9-7.
Figure 9-7 Sample Boingo Screen
Table 9-5 Tool / Web Location, Description and Comments

AirMagnet
www.airmagnet.com A full-featured WLAN site-survey tool running on a Compaq iPaq. A commercial product.

Netstumbler
www.netstumbler.org/ Free software that can be downloaded from the Internet. Detects WLAN APs and displays information about them. Very popular and well known.

Sniffer
www.sniffer.com Professional wireless analyzer. It can be used to help look for rogue APs:
- By defining filters to look for beacons, but to exclude authorized SSIDs.
- By defining filters to look for the MAC OUIs of known AP vendors.

AiroPeek
www.wildpackets.com/products/airopeek Professional wireless analyzer. It can be used to help look for rogue APs:
- By defining filters to look for beacons, but to exclude authorized SSIDs.
- By defining filters to look for the MAC OUIs of known AP vendors.

Observer
Can be used to help look for rogue APs:
- By defining filters to look for beacons, but to exclude authorized SSIDs.
- By defining filters to look for the MAC OUIs of known AP vendors.

Finisar Surveyor
Can be used to help look for rogue APs:
- By defining filters to look for beacons, but to exclude authorized SSIDs.
- By defining filters to look for the MAC OUIs of known AP vendors.

Wellenreiter
www.remote-exploit.org/ Similar to Netstumbler. Detects WLAN APs and displays information about them. Less popular or well known than Netstumbler.

Kismet
www.kismetwireless.net/ Open source wireless sniffer. It can be used to help look for rogue APs by defining filters to look for beacons, but to exclude authorized SSIDs.

dachb0den
www.dachb0den.com/projects/bsd-airtools.html Seems to be a combination of Netstumbler and Airsnort functionality. Not very well known.

Hornet
www.bvsystems.com/Products/WLAN/Hornet/hornet.htm Dedicated hardware that looks for a list of AP MAC addresses configured and downloaded from a PC.
9-14
956608
Chapter 9
WLAN Rogue AP Detection and Mitigation Preventing and Detecting Rogue APs
Table 9-5
Web Location, Description and Comments www.research.ibm.com/gsal/dwsa/ Prototype onlynot for sale. Uses client software on enterprise NICs to detect and report on all detected APs and their security system. A back end system compares the list of detected APs with a list of authorized APs and alerts on unknown APs.
www.pc.ibm.com/qtechinfo/MIGR-4ZLNJB.html Access Connections is a connectivity assistant program for your ThinkPad computer. It enables you to quickly switch the network settings and Internet settings by selecting a location profile. You can define the network settings and Internet settings in the Location Profile for modem/wired LAN/Wireless LAN network devices and then restore that profile whenever you need it. By switching the location profile, you can connect to the network instantly without reconfiguring your settings when you move from office to home or on the road.
Once a WLAN analyzer has detected a suspected rogue AP, a directional antenna on the analyzer is a very useful aid in locating the AP. A host of WLAN tools is maintained at the NetworkIntrusion link listed in the Links and References section on page 1-8.
Wired detection of rogue APs is covered in the following sections:

- Using MAC Addresses to Detect Rogue APs, page 9-16
- Using Operating System Fingerprinting to Detect Rogue APs, page 9-17
- Using SNMP to Detect Rogue APs, page 9-18
- Using Cisco Emergency Responder to Locate an AP Based on MAC Address, page 9-18
- Using Intrusion Detection to Detect Rogue APs, page 9-18
A large number of software tools are available to aid in detecting rogue APs from a wired management station on the Ethernet portion of the network. Table 9-6 summarizes the advantages and disadvantages of wired detection of rogue APs.
Table 9-6 Advantages and Disadvantages of Wired Rogue AP Detection

Advantages
- Easier to monitor networks on a more real-time basis.
- Automated, so less manpower intensive.
- Easier to survey remote sites.

Disadvantages
- Can miss some rogue APs.
- Most of the software is immature and/or not specifically written to detect rogue APs.
- May create false positives on intrusion detection systems and personal firewalls.
Table 9-7 provides a partial list of MAC OUIs used by AP vendors. This table was obtained from the aptools site at aptools.sourceforge.net. Note that an OUI identifies the manufacturer of the radio, not its role: the same prefixes appear on client NICs from these vendors, and the list itself is not unambiguous (0090.d1 appears under both Addtron and SMC). An OUI match is therefore a lead to be confirmed, not a verdict.
Table 9-7 Partial Listing of MAC OUIs

Manufacturer                    MAC Address Range
3Com                            0001.03|0004.76|0050.da|0800.02
Addtron                         0040.33|0090.d1
Advanced Multimedia Internet    0050.18
Apple                           0030.65
Aironet                         0040.96
Atmel                           0004.25
Bay Networks                    0020.d8
BreezeNet                       0010.e7
Cabletron (Enterasys)           0001.f4|00e0.63
Camtec                          0000.ff
Compaq                          0050.8b
D-Link                          0005.5d|0040.05|0090.4b
Delta Networks                  0030.ab
Intel                           0002.b3
Linksys                         0003.2f|0004.5a
Lucent                          0002.2d|0060.1d|0202.2d
Nokia                           00e0.03
Samsung                         0000.f0|0002.78
Senao Intl                      0002.6f
SMC                             00e0.29|0090.d1
SOHOware                        0080.c6
Sony                            0800.46
Symbol                          00a0.f8|00a0.0f
Z-Com                           0060.b3
Zoom                            0040.36
Table 9-8 presents a summary of monitoring tools for APs based on known MAC addresses.

Table 9-8 Summary of Monitoring Tools for APs Based on Known MAC Addresses (for each tool: web location, description and comments)

aptools
aptools.sourceforge.net
aptools.sourceforge.net/wireless.ppt
Can discover APs based on MAC address, then determine whether the device is an AP (not a wireless NIC) via HTTP. Can also check security settings (WEP) and SNMP settings via HTML.

arpwatch
www-nrg.ee.lbl.gov
Arpwatch monitors Ethernet activity and keeps a database of Ethernet/IP address pairings. It reports certain changes via email.
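The OUI sweep that aptools automates can also be run by hand from the wired side on a Cisco IOS switch or router. The following is an added example, not part of the original guide: it uses a subset of the prefixes from Table 9-7 with the IOS output filter, which accepts a regular expression. The MAC address and port shown as a hit are assumed values, and the CDP step is an addition of this example (Cisco Aironet APs advertise themselves over CDP), not something the guide describes.

```cisco
! Added example (not from the original guide): a manual OUI sweep from the
! wired side on a Cisco IOS switch. The regex lists a subset of Table 9-7
! (Aironet, Atmel, Lucent, Linksys, D-Link, Senao); one pass checks them all.
show mac address-table dynamic | include (0040.96|0004.25|0002.2d|0060.1d|0003.2f|0004.5a|0005.5d|0090.4b|0002.6f)

! The same prefixes against the ARP cache of the distribution router add the
! IP address needed for the HTTP/SNMP confirmation step that aptools performs.
show ip arp | include (0040.96|0004.25|0002.2d|0060.1d|0003.2f|0004.5a|0005.5d|0090.4b|0002.6f)

! A hit gives a MAC address; find the port it was learned on.
! The address and port below are assumed values from such a hit.
show mac address-table address 0040.96a1.b2c3
show interfaces FastEthernet0/12 status

! Caveat: an OUI names the radio's manufacturer, not its role. 0040.96 is
! also used by Aironet client cards, so confirm (HTTP, SNMP or CDP) before
! pulling the port. Cisco Aironet APs advertise over CDP with their platform
! string; compare what appears here against the authorized AP list.
show cdp neighbors detail | include (Device ID|Platform|Interface)
```

Run the sweep from the management station via a scripted login, or schedule it, to get the "more real-time" monitoring that Table 9-6 lists as the advantage of wired detection; a single manual pass only catches what is associated to the switch at that moment.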
Table 9-9 Operating System Fingerprinting Tools (for each tool: web location, description and comments)

nmap
www.insecure.org/nmap/index.html
www.insecure.org/nmap/nmap-fingerprinting-article.html
Very well known, popular and respected tool. Unproven as a rogue AP detection tool, but may be useful in conjunction with other rogue AP detection techniques. Generates alerts in intrusion detection and personal firewall systems.

xprobe
www.sys-security.com/html/projects/X.html
Xprobe 1 combines various remote active operating system fingerprinting methods using the ICMP protocol (discovered during the ICMP Usage in Scanning research project) into a simple, fast, efficient and powerful way to detect the underlying OS of a targeted host. Xprobe2 is an active operating system fingerprinting tool with a different approach: it relies on fuzzy signature matching, probabilistic guesses, multiple simultaneous matches, and a signature database. Unproven as a rogue AP detection tool, but may be useful in conjunction with other rogue AP detection techniques. Generates alerts in intrusion detection and personal firewall systems.
Physical observation also turns up rogue APs. Look for:

- Unauthorized WLAN APs in visible locations.
- Employees using WLAN access in locations where WLAN access should not be available.
- Warchalk symbols denoting WLAN availability. See http://www.warchalking.org/ for more information.
Chapter 10

This chapter covers:

- Reasons for providing Guest Network access
- WLAN as one of the best mechanisms for providing Guest Network access
- Caveats to consider in a WLAN Guest Network implementation
- Example configurations for Cisco AP350s and AP1100s
The need for guest access has evolved as the needs of guests have evolved. Once it was sufficient to provide guests a chair and a phone; now, in the age of laptops, networked applications and digital phone lines, the guest is disconnected while visiting your enterprise. Guest Networks are network connections provided by an enterprise to allow their guests to gain access to the Internet, and to the guest's own enterprise, without compromising the security of the host enterprise. Figure 10-1 illustrates the Guest Access Network concept. Guests are within the Enterprise Network but are only able to access the Internet; enterprise employees have full access to the enterprise applications and the Internet. This chapter addresses Guest Access WLANs in the following sections:
- Benefits of Guest Network Access, page 10-3
- Deployment Considerations and Caveats, page 10-4
- Guest WLAN Recommendations, page 10-5
- Configuring Guest WLANs, page 10-7
Figure 10-1 Guest Access Network concept: guests and employees share the same enterprise AP, which uses WLAN VLANs to provide both an enterprise WLAN and a guest WLAN; guests reach only the Internet, while employees reach the enterprise applications and the Internet.
Benefits of WLAN Guest Network Access, page 10-3

- Increased Security, page 10-3
- Increased Productivity, page 10-3
Increased Security
It may appear counter-intuitive that Guest Network access increases security, but the reality is that guest access to Enterprise Networks already happens today, in an uncontrolled manner. These guests are not hackers; they are simply highly motivated people trying to get their job done. The main concern with these guests is that they are a potential source of viruses, worms, and Trojans: the PC with which they connect to the Enterprise Network might not have the security systems that exist on the local enterprise PCs. Guest Network access gives guests of this type a way to connect to an Enterprise Network in order to be more productive, while limiting the risk to the host organization. Why risk violating policy, and risk the relationship with the host, when there is a credible solution?
Increased Productivity
The guest of an enterprise is there for a reason: the enterprise wants them to perform a task. The more efficiently this task is performed, the better it is for both enterprises. If a service technician is visiting the enterprise, it is in the enterprise's interest for that service or repair to happen in the minimum amount of time and with the least disruption. If a salesperson is visiting the enterprise, it is in the enterprise's interest that the presentation be accurate and up to date. By having immediate access to information, the salesperson is able to position products appropriately and answer as many questions as possible while at the enterprise. This immediate responsiveness could potentially lead to orders being placed while on site.

A WLAN Guest Network in particular:

- Provides wide coverage, including areas such as lobbies and waiting rooms that may not traditionally have cabling.
- Removes the need to have a dedicated location for guest access.
- Allows partners to access their network resources while in meeting rooms and offices, giving them the productivity benefits that the WLAN gives enterprise employees.
User Authentication: People who are not guests can reach the WLAN Guest Network simply by being within radio range of it. This is not an issue on a wired guest network, where a guest has to be brought past physical security. The WLAN Guest Network therefore requires user authentication, authorization and accounting beyond what the wired network requires.

Authentication Options: There are currently two models for authenticating guests:

- The use of a web interface, such as Cisco Building Broadband Service Manager (BBSM) or the Cisco IOS Authentication Proxy.
- The use of a specialized client (802.1x/EAP or an IPSec VPN client) on the guest machine.

Web Authentication: Web interface authentication relies on the ubiquity of HTML browsers. Before using the Guest Network, users launch their browser and try to reach a web site; the browser is redirected to an authentication page, and access is granted only after the user enters authentication details. Browser authentication does not generate dynamic per-session encryption keys and, to keep the WLAN easy to use and easy to support, no static encryption is used on the WLAN link. Authenticated users are therefore distinguishable from unauthenticated users only by their IP address and MAC address (if on the same Layer-2 network). Both are sent in clear text, so an authenticated session can be taken over by IP address or MAC address spoofing, and everything an authenticated guest sends over the radio can be read by anyone in range. The BBSM is specifically designed for guest access applications; apart from providing a sophisticated HTML-controlled user interface, it provides MAC-level authentication if the client is on the same Layer-2 network as the BBSM, and it uses switch and AP management interfaces to control where and when a client can use the network.

Cisco IOS Authentication Proxy: Included in the Cisco IOS firewall feature set; provides a simple HTML interface and controls access based on the client's IP address.

Specialized Clients: Ideally guests would use 802.1x/EAP to authenticate to the Enterprise Network and generate a dynamic encryption key for their wireless session. This would be the preferred solution, as it provides authentication, authorization and privacy, but because different enterprises are at different stages of 802.1x/EAP maturity, guests cannot (yet) be expected to have compatible 802.1x/EAP clients on their PCs.

IPSec VPN Clients: Another client that offers strong authentication, authorization and privacy and could potentially be used as a Guest Network access client. The major barrier is the installation of an appropriate client on guest machines, and the interaction of two IPSec VPN clients: one providing guest access and the other providing secured access across the Internet to the guest's home network.

Time of Day Control: Just as physical security controls who has access to the wired network, it also controls who is present at a particular time of day. The WLAN cannot rely on physical security to control users, so it cannot stop users from accessing the network outside permitted hours. The WLAN Guest Network must therefore provide time-of-day control over when the service is made available.

Additional Security: Given the weaknesses described above, the WLAN Guest Network cannot be considered as secure as the wired network, and it may require additional policies, processes, configuration and equipment to ensure that an attack on the Enterprise Network through the WLAN Guest Network is not successful.
Wired Network: The WLAN Guest Network is simply a WLAN VLAN configuration; the wired network contains the key components that control the Guest Network. Guests get authenticated access to the Internet, while the wired network ensures that guests cannot reach the host enterprise's systems. There are three primary configurations in the wired network:

- VLAN controlled access, where the wired Guest VLAN is extended all the way to the DMZ.
- ACL controlled access, where the Guest VLAN is terminated at an access router and routed to the Internet, but is prevented from accessing the Enterprise Network through the use of ACLs.
- Routing table separation, where Guest Network traffic uses separate routing tables on the Enterprise Network to prevent access to the Enterprise Network.

Which wired-network configuration is best depends on the existing Enterprise Network. The configuration of the wired Enterprise Network to provide Guest Network access and to transport Guest Network traffic is discussed in Chapter 5, Wireless LAN VLANs.
Other Considerations from the Wired Network: Even though the WLAN Guest Network is primarily a WLAN extension of a wired Guest Network, the lack of control over physical access and the possibility of spoofing legitimate users to gain access heighten the security risk associated with Guest Networks. Additional tools, such as Intrusion Detection Systems (IDS), should therefore be considered to detect suspicious behavior.
Guest WLAN Recommendations

- Create a Guest WLAN VLAN with no encryption, open authentication, and a broadcast SSID.
- Choose a Wired Guest Network model that best fits your Enterprise Network.
- Choose an HTML authentication service that best fits your needs and topology.
- Add application filters, time-of-day controls and IDS as required.

This section covers:

- Recommended 802.11 Configuration for WLAN Guest Network, page 10-5
- VLANs and WLAN Implementation, page 10-6

Recommended 802.11 Configuration for WLAN Guest Network

- A Broadcast SSID: some WLAN clients only operate with a broadcast SSID.
- Open Authentication: the default configuration.
- No Encryption: the entry and format of the WEP key vary from client to client, users easily enter the WEP key incorrectly, and a key distributed in an uncontrolled manner would quickly be compromised.

This allows the Guest Access WLAN to adopt the minimum configuration while serving the widest range of WLAN clients. It also matches the configuration most used in WLAN hotspots today.
Figure 10-2 shows the Aironet Client Utility (ACU) configuration used to gain access to the Guest Network. The key features of this setup are:

- The SSID is configured to match the SSID broadcast by the enterprise WLAN Guest Network; a blank entry would also suffice if the AP is configured as recommended in this document.
- Network Security Type is None, that is, Open Authentication.
- No WEP is selected.
- Network Topology, page 10-7
- AP and Switch Configuration, page 10-8
- AP 1200 Configuration, page 10-11
- AP 1100 Configuration, page 10-14
Network Topology
Figure 10-1 on page 10-2 shows a general schematic of how Guest Network traffic is tunneled across the Enterprise Network. This tunnel can be achieved with several technologies, depending on the Enterprise Network architecture and requirements. Figure 10-3 shows three tunnel possibilities:

- VLAN Separation: the Guest VLAN is extended all the way to the DMZ.
- ACL Separation: the Guest VLAN is terminated at an access router; ACLs ensure that Guest Network traffic cannot reach enterprise addresses.
- Routing Table Separation: the Guest VLAN terminates at the access router, and separate routing tables ensure that Guest Network traffic can go nowhere but the DMZ.

In each case, Guest Network users are authenticated by a BBSM before gaining access to the DMZ. Authentication is needed to prevent the Guest Network being used for unauthorized purposes. The BBSM is one Cisco product designed for this purpose, but other tools such as the Cisco IOS and PIX authentication proxy may be used; they can be placed closer to the access network, so that users are authenticated at the access router.
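The ACL separation and routing table separation options above, as an added configuration example that is not from the original guide. It belongs on the access router that terminates the guest VLAN and also carries the time-of-day control discussed under Deployment Considerations. The addresses (192.0.2.0/24 standing in for the DMZ, 192.168.10.0/24 for the guest subnet, 10.0.0.0/8 and the other RFC 1918 blocks for enterprise space), VLAN 10, the time range and the object names are all assumptions.

```cisco
! Added example (not from the original guide): wired-side separation of the
! guest VLAN on the access router. Addresses, names and VLAN 10 are assumed.

! Time-of-day control: the guest service is only offered in business hours.
time-range GUEST-HOURS
 periodic weekdays 07:00 to 19:00

! --- Option 1: ACL separation --------------------------------------------
! Guests may obtain an address, resolve names, reach the web authentication
! portal in the DMZ and then the Internet; nothing in enterprise (RFC 1918)
! address space is reachable from the guest VLAN.
ip access-list extended GUEST-IN
 remark DHCP so the guest client can obtain an address
 permit udp any eq bootpc any eq bootps
 remark DNS and the authentication portal, both in the DMZ (assumed addresses)
 permit udp any host 192.0.2.53 eq domain time-range GUEST-HOURS
 permit tcp any host 192.0.2.10 eq www time-range GUEST-HOURS
 permit tcp any host 192.0.2.10 eq 443 time-range GUEST-HOURS
 remark enterprise address space is never reachable from the guest VLAN
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark everything else is the Internet, inside guest hours only
 permit ip any any time-range GUEST-HOURS
 deny   ip any any

interface Vlan10
 description Guest WLAN VLAN, ACL separation
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.0.2.20
 ip access-group GUEST-IN in

! --- Option 2: routing table separation (VRF-lite) -----------------------
! Replace the "interface Vlan10" stanza above with this one. The guest VLAN
! sits in its own routing table whose only route is a default toward the
! DMZ gateway, so enterprise routes are simply not visible to it. The
! DMZ-facing interface must be placed in the same VRF. Keeping GUEST-IN on
! the interface gives defense in depth if a route leaks into the VRF later.
ip vrf GUEST
 rd 65000:10

interface Vlan10
 description Guest WLAN VLAN, routing table separation
 ip vrf forwarding GUEST
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.0.2.20
 ip access-group GUEST-IN in

ip route vrf GUEST 0.0.0.0 0.0.0.0 192.0.2.1
```

The ACL permits DHCP without a time range so that a guest laptop left on overnight keeps a lease and does not start broadcasting for one at 07:00; the time range is applied to everything the guest can actually do with the address.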
Figure 10-3 Guest Network Tunnel Options: VLAN separation (the Guest VLAN is kept separate from the enterprise VLANs through to the DMZ), ACL separation, and routing table separation (MPLS or VRF used to route guest traffic separately from enterprise traffic); in each option the tunneled guest traffic is authenticated before it reaches the DMZ.
The configuration fragment below shows an example configuration for the switch port connecting the AP to the Enterprise Network. Points to note include:

- The native VLAN of the trunk is VLAN 40, the VLAN on which the AP has its management (admin) IP interface. The guest VLAN (10) is carried tagged and must not be the native VLAN; the native VLAN carries the AP's untagged management traffic, so making the guest VLAN native would put the AP's management interface in the same VLAN as unauthenticated guests.
- The VLANs allowed on the trunk are pruned to the mandatory VLANs (1 and 1002-1005) and the VLANs used on the AP (10, 20, 30, 40 and 825). A trunk that carried every VLAN would expose all of them to whatever is plugged into this port.

interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 40
 switchport trunk allowed vlan 1,10,20,30,40,825,1002-1005
 switchport mode trunk
Because VLANs are supported on two platforms with different user interfaces and structure, the configuration examples are broken into two sections: the VxWorks-based AP 1200 (the same interface applies to the AP 340), and the Cisco IOS-based AP 1100.

Two further controls can be applied on the AP:

- Protocol Filters: guests would be expected to use specific protocols, such as ARP and IP; all other protocols on the WLAN guest VLAN can be blocked.
- Source Address: users on the WLAN guest VLAN receive IP addresses through DHCP, so network administrators can apply address filters on the AP (Cisco IOS APs only) to permit specific network addresses and block others.
Terminology Notes
The introduction of VLANs to the APs introduces a number of new definitions such as:
- Default VLAN: the VLAN associated by default with an SSID. The name allows for the RADIUS server to provide a different VLAN number based on the group membership of a user.
- Primary SSID: the AP can only send one set of information in its beacons; the information sent is that of the VLAN associated with the Primary SSID.
- Guest SSID: the AP can only have a single VLAN that accepts unencrypted traffic. The SSID associated with this VLAN is called the Guest SSID.
- Infrastructure SSID: infrastructure such as repeaters and workgroup bridges can be associated with the AP on one particular VLAN. The SSID associated with this VLAN is called the Infrastructure SSID.
- Native VLAN: 802.1Q allows one of the VLANs in the trunk to be native, that is, carried without 802.1Q encapsulation. This makes it possible to remain connected to the AP when trunking is enabled on the switch before it is on the AP, or vice versa. The VLAN given this capability is called the Native VLAN.
AP 1200 Configuration
The key AP 1200 configuration processes are presented in the following sections:
Configuring VLANs
The first step in configuring the AP is the creation of the VLANs. To ensure continuous communication with the AP, care should be taken to have a Native VLAN configured before 802.1Q tagging is enabled. Figure 10-5 shows the VLAN Setup screen, which allows individual VLANs to be created or removed and the Native VLAN and Unencrypted VLAN (Guest VLAN) to be set. In this example:

- VLANs are enabled by selecting 802.1Q tagging.
- The Native VLAN (VLAN 40) is the VLAN that holds the AP's IP interface.
- VLAN 10 is the unencrypted VLAN used by guests.
Figure 10-5 Creating VLANs and Assigning the Native and Guest VLANs
When the Add New button creates a new VLAN, the screen automatically changes to a VLAN security screen shown in Figure 10-6. This allows the VLAN WEP configuration to be entered. In the example shown in Figure 10-6 the Guest VLAN is being configured and there is no WEP data entered; all of the other settings in this case have been left at default.
Configuring SSIDs
Once the VLANs have been created and configured with the appropriate WEP settings, the Service Set Identifiers (SSIDs) can be entered and associated with the appropriate VLAN. Figure 10-7 shows the AP Radio Service Sets screen. Four SSIDs have been entered, and SSID 3 (LEAP) has been nominated as the Infrastructure SSID. From Figure 10-7 it can be seen that SSID 1 is the Primary SSID. The Primary SSID is configured on the AP 1200 through the standard SSID configuration mechanism (the SSID configuration fields in the Express Setup screen or the AP Radio Identification screen). The default Primary SSID is tsunami; the name guest was simply entered as an example.
Note
The Primary SSID is the one advertised in beacons. Since a broadcast SSID is recommended for guest use, this is the SSID that should be made primary. To ensure successful configuration this should be the first SSID configuration made, because ownership of the Primary SSID cannot be transferred to another SSID. Figure 10-7 shows the SSID used for Infrastructure Stations. The Guest VLAN should not be used for Infrastructure Stations, and therefore another VLAN must be chosen (VLAN 3 in this case), and Infrastructure Stations on other VLANs disallowed.
When an SSID is added or edited, the screen shown in Figure 10-8 appears. This allows the authentication mechanism for the SSID and the VLAN associated to that SSID to be set. The example shown in Figure 10-8 is the Primary SSID configuration. The important settings are:
- The SSID: in this case guest is used, but the SSID can be anything the enterprise thinks appropriate.
- Open Authentication is selected.
AP 1100 Configuration
The configuration of the AP 1100 follows a similar sequence to that of the AP 1200. Figure 10-9 shows the creation of the VLAN numbers and the selection of the default VLAN. To create a VLAN:

- Enter the VLAN number in the VLAN ID text box.
- Press the Add button.

If an SSID already exists for this VLAN, an association between the two can be built by selecting that SSID from the SSID drop-down box before pressing Add.
Once the VLANs have been created, the user must go to the WEP Key Manager and configure the appropriate WEP settings for each VLAN. Figure 10-10 shows the settings for the VLAN that will become the Guest Network VLAN. Figure 10-11 shows the WEP configuration for the VLAN that will become the IPSec VLAN.
Note
Even though the IPSec VLAN does not need WEP encryption for privacy, it must be configured with WEP to provide VLAN separation at the radio interface.
Figure 10-10 Guest Access VLAN with No Encryption
Once the VLANs have been created and had their WEP properties configured, SSIDs can be created, authentication methods set, and the SSIDs paired with the appropriate VLANs. Figure 10-12 shows the configuration of the guest SSID, with open authentication, and pairing it with VLAN 10. In the lower portion of Figure 10-12, the Guest Mode SSID and Infrastructure SSIDs are set. The Guest Mode SSID determines whether the SSID will be broadcast in AP beacons, and therefore the example SSID of guest is selected.
Figure 10-12 Setting per SSID Authentication and Global SSID Properties
Figure 10-13 shows a summary page on the AP 1100 that shows a view of the different SSID and VLAN number pairings, along with their authentication mechanisms.
Figure 10-13 SSID VLAN Summary Page
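The AP 1100 setup of Figures 10-9 to 10-13, plus the protocol filter described under VLANs and WLAN Implementation, as an added example in Cisco IOS AP configuration (not from the original guide). It uses the global dot11 ssid syntax of later Cisco IOS AP releases (12.3(7)JA and later); earlier releases place the same ssid block under interface Dot11Radio0. The VLAN numbers follow the guide's example (guest VLAN 10, native VLAN 40); the management address, bridge-group numbers and the EtherType ACL are assumptions. Verify against the IOS release on your AP.

```cisco
! Added example (not from the original guide): the AP 1100 guest VLAN setup
! as Cisco IOS AP configuration. Addresses, bridge-group numbers and the
! EtherType ACL are assumptions.

! Guest SSID: open authentication, no WEP, advertised in beacons (guest-mode),
! mapped to VLAN 10. There is deliberately no "encryption vlan 10" line, so
! VLAN 10 is the AP's single unencrypted VLAN.
dot11 ssid guest
 vlan 10
 authentication open
 guest-mode

! Protocol filter: only IP (0x0800) and ARP (0x0806) are bridged from the
! guest radio VLAN; everything else is dropped. EtherType ACLs are 200-299.
access-list 200 permit 0x0800 0x0000
access-list 200 permit 0x0806 0x0000
access-list 200 deny   0x0000 0xFFFF

bridge irb

interface Dot11Radio0
 ssid guest

! Radio side of guest VLAN 10 in its own bridge group. The guest bridge group
! never touches bridge-group 1, which carries the AP's management traffic.
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
 l2-filter bridge-group-acl
 bridge-group 10 input-type-list 200

! Wired side: VLAN 10 tagged and VLAN 40 native, matching the switch trunk
! shown under "AP and Switch Configuration".
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled

interface FastEthernet0.40
 encapsulation dot1Q 40 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled

! The AP's management address lives only in the native VLAN (bridge-group 1).
interface BVI1
 ip address 10.40.0.5 255.255.255.0

bridge 1 route ip
```

Because guest frames only ever enter bridge-group 10 and the BVI is attached to bridge-group 1, a guest cannot reach the AP's management interface from the radio side even though the guest VLAN is unencrypted and openly authenticated; the source-address filter mentioned in the text can be layered on top with an IP access list on the same subinterface.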
Chapter 11

This chapter covers:

- Enterprise WLAN Profile, page 11-2
- Equipment Selection, page 11-5
- Security Selection, page 11-7
- Rogue AP, page 11-11
- Management, page 11-11
- Layer-2 and Layer-3 Roaming, page 11-12
- WLAN QoS Considerations, page 11-14
- IP Multicast, page 11-14
- WLAN Case Study Configuration, page 11-15
Table 11-1 Enterprise WLAN Profile by Region (campus, Americas and other regions; office and user counts; Total 3500, Grand Total 4860)
The campuses and major offices have local network servers and some degree of local technical support; branch offices are supported remotely. Almost all offices have resilient network connections. The network is IP only and is Quality of Service (QoS) enabled. The current application authentication mechanism within the network is usernames and passwords; the network operating system is Microsoft Active Directory; local access is currently controlled by physical security; and remote access is through IPSec virtual private networks (VPNs) authenticated with one-time passwords (OTP). The wired network is the primary network; the WLAN is to be an overlay network in most cases. Where the WLAN is used in manufacturing and warehouses it is the primary network.
Customer Requirements
The organization requires the WLAN for employee laptop computers and requires it to provide the same application support as its wired LAN, including QoS and multicast support. In addition to laptop support the organization requires:

- Support for Windows XP and Windows 2000 laptops (the majority of users) throughout the enterprise.
- Support for Linux laptops throughout the enterprise.
- 802.11 integrated into future laptop computer purchases.
- Integration with the Microsoft Active Directory infrastructure.
- Support for wireless barcode scanners at selected locations (manufacturing and warehouse).
- Support for WLAN guest access at selected locations.
- Rogue AP mitigation.
WLAN Considerations
This case study presents an example environment that addresses a variety of WLAN-specific considerations. These are summarized in the following sections:
- WLAN Performance and Coverage, page 11-3
- RF Environment, page 11-3
- Security, page 11-4
- Rogue AP Mitigation, page 11-4
- Management, page 11-4
- Roaming, page 11-4
- QoS, page 11-4
- Multicast, page 11-4
RF Environment
The majority of this organization's buildings are office space, but some sections would be considered light industrial. The office buildings are not thought to have any extraordinary sources of RF interference, but the light industrial areas may. The organization is concerned about radio frequency (RF) interference from the WLANs of other enterprises, particularly where the office is in a multi-tenant building.
Security
The organization wishes to maintain its privacy and preserve the integrity of its network, but it has no regulatory requirement to use a specific encryption or authentication mechanism. Ease of use is a major consideration, and integration with existing authentication mechanisms is a requirement.
Rogue AP Mitigation
The organization found unauthorized WLAN installations within its enterprise and this is one of the motivations for pursuing a formal WLAN installation. The organization wishes to investigate other means of rogue AP mitigation.
Management
The organization has an existing Simple Network Management Protocol (SNMP) management system. The WLAN management must integrate into this system, but must have tools to minimize the management overhead of additional network devices introduced by the WLAN.
Roaming
The majority of the WLAN users are nomadic roamers. Clients will not be running Mobile IP, and there is not a requirement to maintain sessions when roaming between floors or buildings.
QoS
The organization enabled QoS within its network and requires the WLAN to honor these QoS settings.
Multicast
A limited multicast deployment is planned.
Equipment Selection
Note
For related information, please refer to Chapter 3, WLAN Technology and Product Selection. WLAN product selection considerations include:
Radio Selection
The two current radio types available in 802.11 are 802.11a (5 GHz) and 802.11b (2.4 GHz). 802.11b is recommended because of its wider availability and RF licensing. 802.11a will be considered in areas subject to high levels of interference in the 802.11b frequency band, or where the density of users and their throughput requirements exceed what 802.11b can provide. The 802.11b equipment must be upgradable to 802.11g.
AP Selection
Cisco has three AP variations available:
- AP 1200: dual mode, supporting 802.11a and 802.11b, with RP-TNC antenna connectors; field upgradable to 802.11g.
- AP 1100: 802.11b, field upgradable to 802.11g, Cisco IOS operating system, fixed antenna.
- AP 350: 802.11b, available with either fixed antennas or RP-TNC antenna connectors.

As the organization wants upgradability to 802.11g, the AP 350 is excluded from the AP choices. The Cisco AP 1200 is recommended for the campus and larger offices, allowing greater flexibility in antenna selection, which might be necessary for RF deployments in multi-story and multi-tenant buildings. These are also the locations most likely to require 802.11a in the future. The Cisco AP 1100 is recommended for branch offices as a lower cost alternative; the branch offices are expected to have lower throughput requirements and are less likely to require the additional channels or different frequency band of 802.11a.
Table 11-2 AP Counts by Region (campus APs; Americas and other regions; AP Subtotal 1483, AP Total 1754)
Security Selection
Note
For related information, please refer to Chapter 4, WLAN Security Considerations. The organization's QoS and multicast requirements suggest that the WLAN LAN Extension (IPSec) is not a good choice for this WLAN, and that the organization would be better served by an 802.1x/EAP solution. The decision is made easier by the absence of security restrictions that specify encryption mechanisms currently available only in IPSec. It is recommended that the organization also implement the TKIP and MIC extensions to WEP, which address all currently known attacks on WEP. This restricts the organization to Cisco Compatible eXtensions (CCX) network interface cards (NICs) until industry-standard versions of TKIP and MIC are available through the Wireless Ethernet Compatibility Alliance (WECA) Wi-Fi Protected Access (WPA) standard. Whether the organization selects Cisco NICs or those of a CCX vendor, it should standardize on only one or two NICs to minimize the testing of client drivers and firmware. The organization has a choice of EAP/802.1x solutions:

All of these options offer some degree of integration with Microsoft's directory and authentication infrastructure, and the organization plans to use the Access Control Server (ACS) external database group membership mapping to control which members of the Active Directory are given WLAN access. EAP-Cisco is recommended because it supports Windows, supports 802.1x/EAP for other PC operating systems that lack a native 802.1x/EAP supplicant, and supports 802.1x/EAP for handheld devices. Because EAP-Cisco authenticates with a password-based challenge/response, its strength depends on the password policy behind it, so the organization should enforce strong passwords for WLAN users. The case study organization is interested in PEAP, due to its support of multiple authentication types, but is still assessing its ongoing authentication requirements. It is recommended that WLAN VLANs be used to separate the different client types, which allows the partitioning of clients with different security capabilities. For example, the handheld devices might support EAP-Cisco but not Cisco's implementation of TKIP and MIC, or the handheld might have inadequate protection for locally stored usernames and passwords. The different client types are separated into different VLANs by membership in an Active Directory group. The mapping of these Active Directory groups to ACS groups is shown in Figure 11-1. The following sections summarize several ACS implementation considerations for this case study:
Number of ACS Servers, page 11-8
ACS Server Placement, page 11-9
Branch Roaming, page 11-10
956608
Chapter 11
Figure 11-3 shows the proposed AP authentication server management configuration. Servers 10.10.10.10 and 10.10.11.11 are the RADIUS servers used for client authentication. Servers 10.12.12.12 and 10.12.12.13 are the TACACS+ servers. The preferred RADIUS server is the highest in the list (10.10.10.10). If the AP gets no response from this server within two minutes, it uses the alternate server and the primary server is put on the dead server list for 30 minutes.
The choice of timeout values and dead server list times reflects the preferred configuration for a branch office and is based upon two assumptions:
The primary RADIUS server is the closest and therefore gives the best authentication performance.
In the event of a primary WLAN link failure, time is taken to detect the failure and converge on the backup link. Events such as this should not result in a change of RADIUS server.
In the campus AP configurations, the RADIUS server timeout can be adjusted to a lower value, to reflect the smaller penalty in switching from primary to secondary servers.
Figure 11-3 AP Server Management
Branch Roaming
To ensure that authentication and roaming times are optimal for the branch's prioritization of traffic, authentication traffic is handled as described in the 802.1x and EAP-Based Authentication Across Congested WAN Links application note. ACS server user databases are replicated by a single server within the region; Figure 11-4 shows the replication plan for the US region. Because the WLAN is using Active Directory databases, this replication may be unnecessary, depending on whether EAP-Cisco devices are placed in the Active Directory databases or in the ACS.
Rogue AP
Note
For related information, please refer to Chapter 9, WLAN Rogue AP Detection and Mitigation. Concerns about rogue AP deployments are one of the motivators for this WLAN deployment, apart from the ROI associated with the WLAN. In addition to this WLAN deployment, the enterprise plans the following:
Publishing the policy against rogue APs as part of the organization's communication about the WLAN deployment.
Looking for rogue APs as part of the site survey process.
Investigating rogue AP detection tools that integrate with the WLAN deployment.
Integrating rogue APs into the security strategy of protecting against unauthorized access. This is part of a separate project using 802.1x to authenticate clients connecting to both the wired and wireless network and using an intrusion detection system (IDS) to detect inappropriate behavior on the network.
Management
The organization plans to deploy the Wireless LAN Solution Engine (WLSE) to manage its APs. This helps deploy and maintain consistent AP configurations, monitor system performance, and aids capacity planning and troubleshooting. The WLSE manages 500 APs in the proposed WLSE deployment shown in Figure 11-5; the WLSE placement has capacity for 2500 APs. The dual WLSE deployment was implemented to meet capacity requirements at the largest campus. Additional WLSE deployments reflect the local administration and authentication domains, allowing the WLSE to monitor the EAP-Cisco authentication performance in all of the regional campuses and to use and maintain configuration templates appropriate for the region.
For configuration details for the WLSE, see the Configuration Guide for the CiscoWorks 1105 Wireless LAN Solution Engine, available at http://www.cisco.com. The main WLAN client management issues for this enterprise are software version control and WEP-key management. The use of EAP-Cisco solves the WEP-key management issue, and the organization is planning to integrate the bundled client software packages into its software distribution system. The enterprise is planning to permit users to control the Aironet Client Utility (ACU), because users might require other WLAN profiles and there are likely to be fewer client configuration issues if these WLAN configurations are controlled in one location.
For related information, please refer to Chapter 7, WLAN Roaming. The organization's roaming requirement is for nomadic roaming. There is no plan to provide seamless roaming between buildings within a campus or between floors of the same building. This helps determine where Layer-3 boundaries are placed. Because seamless roaming is not required between buildings, WLAN networks in different buildings may be on different subnets, as shown in Figure 11-6. Although seamless roaming is not required between floors, the organization decided to make each building's WLAN network a single subnet, as shown in Figure 11-7. This decision removes any issues associated with clients roaming to APs on different floors. That the organization has no buildings more than six floors high makes this decision easier.
[Figures 11-6 and 11-7 labels: WLAN Subnet X, WLAN Subnet Y, WLAN Subnet Z, WLAN Subnet C]
Layer-2 and Layer-3 Roaming
The roaming requirements and the subnet boundaries limit the organization's roaming focus to Layer-2 roaming; Layer-3 roaming is not required. If Layer-3 roaming were required, the organization would need Mobile IP clients installed on the clients requiring this degree of mobility, because the planned use of WLAN VLANs within the organization's network means that Proxy Mobile IP cannot be used.
For related information, please refer to Chapter 6, WLAN Quality of Service (QoS). The organization already has QoS enabled on its network, using DSCP values to mark traffic priorities. It plans to use the QoS features of the APs to reflect these priorities on the WLAN. The organization plans to trial WLAN VoIP in some locations once the WLAN network is deployed, but this is considered a separate project. For details on configuring QoS, refer to the Wireless Quality of Service Deployment Guide.
IP Multicast
Note
For related information, please refer to Chapter 8, IP Multicast in a Wireless LAN. The organization wishes to deploy some multicast applications on its WLAN. Because the subnets of the WLAN span multiple floors of buildings, and the WLAN has less capacity than a wired network, every effort must be made to limit the multicast load on the WLAN. Because the multicast applications to be supported are known, multicast boundaries can be configured at the WLAN interface of the access routers. To limit unnecessary multicasts on the WLAN VLAN, Internet Group Management Protocol (IGMP) snooping will be enabled on the access switches. IGMP snooping on access switches can be an issue when a client roams from one AP to another and the multicast stream is not already flowing on the switch port of the new AP. To ensure that the multicast stream is forwarded on the new switch port, the AP can be made to send a general IGMP query whenever a client associates or reassociates. When the client responds to the general IGMP query, the upstream switch learns the required multicast stream. Figure 11-8 shows the configuration of the IGMP snooping feature on an AP.
Figure 11-8 IGMP Snooping
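The re-query mechanism described above, as an added Python example that is not part of the Cisco guide: it builds and checksum-verifies the IGMPv2 general query an AP sends on (re)association, and models what an IGMP-snooping access switch learns when the roamed client answers it. The switch port numbers, the group 239.1.1.1 and the 10-second maximum response time are constructed values.

```python
import struct

IGMP_MEMBERSHIP_QUERY = 0x11      # a query for group 0.0.0.0 is a "general query"
IGMP_V2_MEMBERSHIP_REPORT = 0x16  # a host's reply naming one group it wants

def igmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a received message with its checksum filled in yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_igmpv2(msg_type: int, group: str, max_resp_tenths: int = 0) -> bytes:
    """Pack an 8-byte IGMPv2 message: type, max response time, checksum, group."""
    group_bytes = bytes(int(octet) for octet in group.split("."))
    unsummed = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0, group_bytes)
    return struct.pack("!BBH4s", msg_type, max_resp_tenths,
                       igmp_checksum(unsummed), group_bytes)

def build_general_query(max_resp_tenths: int = 100) -> bytes:
    """The query an AP sends after a (re)association: group 0.0.0.0 and a
    10-second max response time, so every attached host re-reports its groups."""
    return build_igmpv2(IGMP_MEMBERSHIP_QUERY, "0.0.0.0", max_resp_tenths)

def parse_igmpv2(msg: bytes) -> dict:
    """Decode a message and verify its checksum; reject truncated or corrupt ones."""
    if len(msg) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if igmp_checksum(msg[:8]) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", msg[:8])
    return {"type": msg_type, "max_resp_tenths": max_resp,
            "group": ".".join(str(b) for b in group)}

def snoop(table: dict, port: int, msg: bytes) -> dict:
    """IGMP-snooping learning on an access switch: a report seen on a port adds
    that port to the set of ports the reported group is forwarded to."""
    info = parse_igmpv2(msg)
    if info["type"] == IGMP_V2_MEMBERSHIP_REPORT:
        table.setdefault(info["group"], set()).add(port)
    return table

def roam_scenario(stream: str = "239.1.1.1") -> dict:
    """Constructed walk-through: a client joins `stream` through AP1 (switch port
    1), then roams to AP2 (port 2). Until AP2's general query makes the client
    re-report, the switch has no reason to forward the stream on port 2."""
    report = build_igmpv2(IGMP_V2_MEMBERSHIP_REPORT, stream)
    table = snoop({}, 1, report)
    assert table[stream] == {1}          # stream flows only toward AP1
    query = parse_igmpv2(build_general_query())   # AP2 sends this on reassociation
    assert query["group"] == "0.0.0.0"   # general query: all hosts must answer
    return snoop(table, 2, report)       # client's answer teaches the switch port 2
```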
WLAN Case Study Configuration
AP Configuration, page 11-15
Access Switch Configuration, page 11-16
Distribution Router Configuration, page 11-16
AP Configuration
Figure 11-9 shows the proposed VLAN configuration of the WLAN network. The AP is configured with three VLANs: a PC VLAN, a Handheld VLAN, and a Management VLAN. The management VLAN is the default VLAN for the AP and does not have an associated WLAN VLAN. This prevents management of the APs from the WLAN. This management VLAN would normally be the management VLAN used on the access layer switches. The WLAN VLANs are dedicated to the WLANs and are separate from the wired VLANs on the access switch.
Figure 11-9 AP VLANs
[Figure 11-9 labels: VLAN 10 Management, VLAN 20 PCs, VLAN 30 Handhelds, VLAN 40 PCs, VLAN 50 Voice; Handheld WLAN]
Figure 11-10 and the Example Configuration: Config 1 section on page 11-16 show an excerpt from the AP radio configuration. Note that VLAN 10 has encryption defined but does not have an SSID associated with it. This is because VLAN 10 has been configured as the management VLAN and is only meant to exist on the wired network.
For detailed WLAN VLAN configuration, including authentication based VLAN mapping information, see the Wireless Virtual LAN Deployment Guide.