Cisco AVVID Wireless LAN Design
Solutions Reference Network Design

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: 956608
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)
Cisco AVVID Wireless LAN Design Copyright © 2003 Cisco Systems, Inc. All rights reserved.
Contents

Preface
  Target Audience
  Obtaining Documentation
    World Wide Web
    Documentation CD-ROM
    Ordering Documentation
    Documentation Feedback
  Obtaining Technical Assistance
    Cisco.com
    Technical Assistance Center
      Cisco TAC Web Site
      Cisco TAC Escalation Center

Chapter 1  WLAN Solution Overview
  WLAN Solution Benefits
  Enterprise WLAN Design Overview
    Enterprise WLAN Design Characteristics
    WLAN Architecture Considerations
      Comparing Wired and WLANs
      WLAN Modes of Operation
  Links and References
    General References
    Security References
    IP Multicast References

Chapter 2  WLAN Radio Frequency (RF) Design Considerations
  RF Basics
    Regulations
    Fine Tuning
    Channel Selection
  IEEE 802.11 Standards
    RF Spectrum Implementation
    Direct Sequence Spread Spectrum
    IEEE 802.11b Direct Sequence Channels
    IEEE 802.11a—OFDM Physical Layer
    IEEE 802.11a Channels
  Planning for RF Deployment
    RF Deployment Best Practices
    WLAN Data Rates Required
    Client Density and Throughput Requirements
    WLAN Coverage Required
    Security Policy
    RF Environment

Chapter 3  WLAN Technology and Product Selection
  WLAN Technology Selection Considerations
    Competing WLAN Standards
    Data Rate Considerations
    Throughput Considerations
    Performance Considerations
    Range Considerations
    WLAN Capacity Considerations
    Signal Propagation
    Antenna Considerations
    Technology Selection Summary
  Cisco WLAN RF Product Selection Considerations
    Access Points
    Client Adapters
    802.11a Cardbus Client Card
    Enhanced Client Network Management Features with Extended Client Support
    Workgroup Bridges
    Wireless Bridges

Chapter 4  WLAN Security Considerations
  Security Deployment Models
    WLAN LAN Extension 802.1x/EAP
      Security Transparency
      Application Transparency
      Performance Transparency
      User Transparency
    WLAN LAN Extension IPSec
      Security Transparency
      Application Transparency
      Performance Transparency
      User Transparency
    WLAN Static WEP Keys
      Security Transparency
      Application Transparency
      Performance Transparency
      User Transparency
  Cisco WLAN Security Options and Recommendations
    Understanding Overall Network Security
    Flexible WLAN Security using VLANs
    Headquarters/Campus WLAN Deployment
    Branch Office WLAN Deployment
  Additional Security Considerations
    EAP Considerations for High Availability
    ACS Architecture

Chapter 5  Wireless LAN VLANs
  VLAN Background
  Wireless VLAN Introduction
  Wireless VLAN Deployment Overview
  Wireless VLANs—Detailed Feature Description
    Configuration Parameters per VLAN
    Broadcast Domain Segmentation
    Native (Default) VLAN Configuration
    Primary (Guest) and Secondary SSIDs
    RADIUS-based VLAN Access Control
  Guidelines for Deploying Wireless VLANs
    Criteria for Wireless VLAN Deployment
    Wireless VLAN Deployment Example
    Summary of Rules for Wireless VLAN Deployment
    Best-Practices for the Wired Infrastructure

Chapter 6  WLAN Quality of Service (QoS)
  QoS Overview
    Wireless QoS Deployment Schemes
    QoS Parameters
      Latency
      Jitter
      Loss
    Wireless QoS Considerations
    Downstream and Upstream QoS
    QoS and Network Performance
  802.11 DCF
    Interframe Spaces (SIFS, PIFS, and DIFS)
      SIFS
      PIFS
      DIFS
    Random Backoff (Contention Window)
    CWmin, CWmax, and Retries
  IEEE 802.11e
    802.11e EDCF-based QoS Implementation
    QoS Advertisements by WLAN Infrastructure
  Deploying EDCF on Cisco IOS-based APs
    Appliance-based Prioritization
    CoS-based Prioritization
    Class-Map Based Prioritization
    VLAN-based Prioritization
    Combining QoS Setting Requirements
    Additional QoS Features
  Guidelines for Deploying Wireless QoS
    IP SoftPhone and Other PC and PDA Based VoIP Solutions
    Symbol Handsets
    SpectraLink Handsets
    Leveraging Existing Network QoS Settings

Chapter 7  WLAN Roaming
  Roaming Solution Overview
    General Design Characteristics
    Layer-2 Design Caveats
  Layer-2 Roaming Primer
    Layer-2 Roaming Technical Overview
    Roaming Events
      Max Data Retry Count Exceeded
      Missed Too Many Beacons
      Data Rate Shift
      Periodic Client Interval (If Configured)
      Initial Client Startup
    Roam Process
  Layer-2 Roaming Considerations
  Layer-2 Design Recommendations
    Cisco AVVID Design
    Sizing the Layer-2 Domain
    Roaming Implementation Recommendations

Chapter 8  IP Multicast in a Wireless LAN
  Multicast WLAN Deployment Recommendations
  IP Multicast WLAN Configuration
    Controlling IP Multicast in a WLAN with APs
    Controlling IP Multicast in a P2P WLAN using Bridges
  Other Considerations
  Summary

Chapter 9  WLAN Rogue AP Detection and Mitigation
  Rogue AP Summary and Scope of Problem
    The Rogue AP Threat
    Media Attention to WLAN Security Weaknesses
    Truth About WLAN Security
  Preventing and Detecting Rogue APs
    Preventing Rogue APs
      Corporate WLAN Policy
      Physical Security
      Supported Wireless Infrastructure
      IEEE 802.1x Port-based Security to Prevent APs
      Using Catalyst Switch Filters to Limit MAC Addresses per Port
    Detecting Rogue APs
      Detecting Rogue APs Wirelessly
      Other Wireless Analyzers
      Detecting Rogue AP from the Wired Network
      Detecting Rogue APs Physically

Chapter 10  WLAN Guest Network Access
  Benefits of Guest Network Access
    Increased Security
    Increased Productivity
    Benefits of WLAN Guest Network Access
  Deployment Considerations and Caveats
  Guest WLAN Recommendations
    Recommended 802.11 Configuration for WLAN Guest Network
    VLANs and WLAN Implementation
  Configuring Guest WLANs
    Network Topology
    WLAN Guest VLAN Filtering
    Terminology Notes
    AP and Switch Configuration
    AP 1200 Configuration
      Configuring VLANs
      Configuring SSIDs
    AP 1100 Configuration

Chapter 11  Cisco AVVID Enterprise WLAN Case Study
  Enterprise WLAN Profile
  Customer Requirements
    WLAN Considerations
    WLAN Performance and Coverage
    RF Environment
    Security
    Management
    Roaming
    Multicast
  Equipment Selection
    Radio Selection
    AP Selection
    Estimating the Number of APs
  Security Selection
    Number of ACS Servers
    ACS Server Placement
    Branch Roaming
    Rogue AP
    Rogue AP Mitigation
  QoS
  Management
  Layer-2 and Layer-3 Roaming
  WLAN QoS Considerations
  IP Multicast
  WLAN Case Study Configuration
    AP Configuration
    Example Configuration: Config 1
    Access Switch Configuration
    Distribution Router Configuration
Preface

This design guide presents recommendations intended to facilitate Enterprise Wireless Local Area Network (WLAN) solution deployment. The emphasis in this document is on integrating WLAN technology into environments featuring key Enterprise networking elements. Specific chapters address the following topics:
• Chapter 1, “WLAN Solution Overview”—Summarizes the benefits and characteristics of the Cisco secure Enterprise WLAN solution.
• Chapter 2, “WLAN Radio Frequency (RF) Design Considerations”—Focuses on radio frequency (RF) considerations in WLAN environments.
• Chapter 3, “WLAN Technology and Product Selection”—Focuses on technology and product assessment and selection in WLAN environments.
• Chapter 4, “WLAN Security Considerations”—Provides details regarding deployment of the Cisco secure Enterprise WLAN solution.
• Chapter 5, “Wireless LAN VLANs”—Focuses on the implementation of virtual local area networks (VLANs) in the context of WLAN environments.
• Chapter 6, “WLAN Quality of Service (QoS)”—Addresses Quality of Service (QoS) considerations in the context of WLAN implementations.
• Chapter 7, “WLAN Roaming”—Addresses the WLAN design considerations when assessing Layer 2 roaming of wireless LAN clients.
• Chapter 8, “IP Multicast in a Wireless LAN”—Describes the configurations needed to control IP Multicast traffic over a WLAN.
• Chapter 9, “WLAN Rogue AP Detection and Mitigation”—Outlines the threat posed by rogue access points (APs) in the Enterprise network and some strategies for preventing and detecting them.
• Chapter 10, “WLAN Guest Network Access”—Presents the advantages, risks, and proposed configuration for WLAN Guest Network Access.
• Chapter 11, “Cisco AVVID Enterprise WLAN Case Study”—Details an example network in the context of the key topics presented in this document.
Where applicable, relevant configuration fragments are included. A Cisco SAFE white paper addressing secure WLAN deployment in the enterprise is available at:
• http://www.cisco.com/go/safe
The SAFE white paper covers the security-specific aspects of design in more detail, whereas this design guide is focused on the overall WLAN solution. Although there are differences between the SAFE white paper designs and the designs presented here, those differences are not generally considered substantive and the designs are compatible.
Target Audience
This publication provides solution guidelines for large-scale enterprises implementing WLAN networks with Cisco WLAN devices. The intended audiences for this design guide include network architects, network managers, and others concerned with the implementation of secure WLAN solutions, including:
• Cisco sales and support engineers
• Cisco partners
• Cisco customers
Obtaining Documentation
The following sections explain how to obtain documentation from Cisco Systems.

World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following URL: http://www.cisco.com
Translated documentation is available at the following URL: http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation
Cisco documentation is available in the following ways:
• Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl
• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730. You can e-mail your comments to [email protected]. To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:
Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world. Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to:
• Streamline business processes and improve productivity
• Resolve technical issues with online support
• Download and test software packages
• Order Cisco learning materials and merchandise
• Register for online skill assessment, training, and certification programs
You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL: http://www.cisco.com

Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center. Inquiries to Cisco TAC are categorized according to the urgency of the issue:
• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.
• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.
• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.
Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.
Cisco TAC Web Site
The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL: http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register: http://www.cisco.com/register/
If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL: http://www.cisco.com/tac/caseopen
If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case. To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL: http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.
Chapter 1
WLAN Solution Overview

This chapter summarizes the benefits and characteristics of the Cisco Secure Enterprise Wireless Local Area Network (WLAN) solution in the following sections:
• WLAN Solution Benefits, page 1-1
• Enterprise WLAN Design Overview, page 1-2
• Links and References, page 1-8
WLAN Solution Benefits
Before addressing the Cisco secure Enterprise WLAN features presented in this publication, the following review of potential WLAN benefits provides a context for WLAN implementation:
• Mobility within building or campus—Facilitates implementation of applications that require an always-on network and that tend to involve movement within a campus environment.
• Convenience—Simplifies networking of large, wide-open people areas.
• Flexibility—Allows work to be done at the most appropriate or convenient place rather than where a cable drop terminates.
• Easier to set up temporary spaces—Promotes quick network setup of meeting rooms, war rooms, or brainstorming rooms tailored to variations in the number of participants.
• Lower cabling costs—Reduces the requirement for contingency cable plant installation because the WLAN can be employed to fill the gaps.
• Easier adds, moves, and changes and lower support and maintenance costs—Temporary networks become much easier to set up, easing migration issues and costly last-minute fixes.
• Improved efficiency—Studies show WLAN users are connected to the network for 1.75 hours longer per day compared with hard-wired users.
• Productivity gains—Promotes easier access to network connectivity, resulting in better utilization of business productivity tools.
• Easier to collaborate—Facilitates access to collaboration tools from any location, such as meeting rooms; files can be shared on the spot and requests for information handled immediately.
• Improved company image and increased competitive advantage—Elevates a company's perceived connectedness and responsiveness.
• More efficient use of office space—Allows greater flexibility in coping with excess numbers caused by large team meetings.
• Reduced errors—Data can be entered directly into systems as it is being collected, rather than being transcribed later when network access is available.
• Improved efficiency, performance, and security for enterprise partners and guests—Promoted through the provision of guest access networks.
• Improved overall security—Promoted through the provision of a controlled and secured WLAN, reducing the likelihood of rogue WLAN deployments.
• Improved business resilience—Increased mobility of the workforce allows rapid redeployment to other locations with WLANs as needed.
Enterprise WLAN Design Overview
A WLAN is generally deployed in an enterprise campus or branch office for the reasons stated in the “WLAN Solution Benefits” section on page 1-1. WLANs have emerged as one of the most effective methods of connecting to an Enterprise Network. A WLAN is in essence an access technology intended for LAN implementations. Figure 1-1 illustrates where the WLAN products fit in the enterprise (at the edge of the network). The design recommendations presented in this publication propose a secure overlay WLAN network, not the replacement of wired infrastructure with wireless infrastructure. Two supporting sections follow the overview illustration in Figure 1-1:
• Enterprise WLAN Design Characteristics, page 1-3
• WLAN Architecture Considerations, page 1-5
Figure 1-1 WLAN in the Enterprise
(Diagram: the WLAN access block sits at the network edge alongside the wired access, distribution, and core/backbone building blocks, the server farm, and the WAN, Internet, and PSTN connections.)
Enterprise WLAN Design Characteristics
The Enterprise WLAN design solution capabilities presented in this document adopt the following assumptions and characteristics:
• WLAN Virtual LANs (VLANs) allow the coexistence of multiple security models on the same WLAN. This allows security models to be combined based on client requirements and/or user policies.
• The solution security model you choose depends on the security requirements of the enterprise. This publication focuses on the two most secure solutions, 802.1x/Extensible Authentication Protocol (EAP) and IPSec VPNs, but does discuss the use of Wired Equivalent Privacy (WEP) and WEP plus Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) where applicable.
• The recommended security model is 802.1x/EAP with WEP plus TKIP and MIC, because it creates the optimum network architecture and addresses all WLAN security threats known at the time of writing. Examples of EAP types suitable for use in WLANs are EAP-Cisco (formerly Lightweight EAP or LEAP), EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP Tunneled TLS (EAP-TTLS). If further 802.1x/EAP types are developed to meet business needs, the existing architectures will accommodate them. The 802.1x/EAP type used is transparent to the AP, and only has implications for the client software and the Remote Authentication Dial-In User Service (RADIUS) server.
• IPSec VPNs are recommended as an alternative to 802.1x/EAP if the customer security requirements mandate Triple Data Encryption Standard (3DES).
• For situations in which EAP or IPSec VPNs are not possible, a combination of static WEP and access filtering is discussed, although this alternative is not a recommended security mode for general deployment. TKIP and MIC should be implemented wherever possible, including in static WEP deployments.
• The design recommendations presented in this publication each show a single security model (EAP, IPSec, or static WEP) for clarity; these models can be combined within one enterprise implementation using WLAN VLANs.
• The WLAN implementation does not change existing campus architectures and recommendations.
• WLANs should be assigned to a dedicated subnet (not one shared with wired LAN users).
• A separate management VLAN should be configured for the management of WLAN APs. As a design best practice, this VLAN should not have a WLAN appearance (meaning it does not have an associated SSID and it cannot be directly accessed from the WLAN). Security policies should determine where the AP managers logically and physically reside on the network.
• The wired LAN is not replaced by the WLAN. The WLAN is used to enhance the current network flexibility and accessibility by providing an extension to the existing network.
• The design assumes 15-to-25 users per AP. This number varies from customer to customer depending on usage profiles and user density.
• Seamless roaming is limited to the same Layer-2 network, unless Proxy Mobile IP or Mobile IP is used.
• WLAN QoS tools are used as required.
• IP Multicast for the WLAN is bounded to ensure that multicast does not consume excessive bandwidth, and IP multicast applications are tested for their suitability for a WLAN.
WLAN Architecture Considerations
This section focuses on the following WLAN architectural implementation topics:
• Comparing Wired and WLANs, page 1-5
• WLAN Modes of Operation, page 1-7
Comparing Wired and WLANs
Just as a network designer needs an understanding of how switches and routers switch traffic to design a wired network, a network designer needs an understanding of how access points (APs), wireless bridges, and workgroup bridges handle traffic in order to design a WLAN. These WLAN devices exhibit network behavior similar to an Ethernet switch combined with a shared Ethernet hub.
Ethernet frames passing through an AP, wireless bridge, or workgroup bridge to or from the wireless network undergo changes at the Data Link Control (DLC) layer, much as frames can when passing through a translation bridge. 802.11 MAC, 802.2 LLC, and Subnetwork Access Protocol (SNAP) header information replaces the Ethernet header information. Where 802.3 framing is used instead of Ethernet, the 802.11 header replaces the 802.3 header. Refer to Table 1-1. Although IP is shown as the Layer-3 protocol, this could just as easily be any protocol able to operate over Ethernet, such as IPX, AppleTalk, or NetBEUI. However, IP is still required to remotely manage APs, wireless bridges, and workgroup bridges.

Table 1-1 Wired and WLAN DLC Relationships

Layer             Wireless (802.11)    Wired (802.3)        Wired (Ethernet)
Layer-3 Network   IP                   IP                   IP
Layer-2 DLC       SNAP (0800 = IP)     SNAP (0800 = IP)     Ethernet type (0800 = IP)
                  IEEE 802.2 LLC       IEEE 802.2 LLC
                  IEEE 802.11 MAC      IEEE 802.3 MAC

Within any one wireless channel, the wireless interface is a shared medium. It operates in a similar fashion to an Ethernet hub. Within any Basic Service Set (BSS), only one station can transmit at any one time. All wireless stations are also half-duplex—the same frequency channel is used for transmit and receive. The access mechanism used is Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), whereas Ethernet uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Each station in a CSMA network listens before talking over the air. Because collision detection (CD) is difficult in a radio-based environment, a collision avoidance (CA) mechanism is used instead. At a detailed level, there are significant differences between 802.11 and Ethernet, but from a network designer's standpoint the important idea to remember is the notion of a shared medium. Because of the overhead in the 802.11 protocol, and because some traffic flows may not occur at the highest data rate, the actual aggregate throughput of a WLAN is less than its nominal data rate.
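The header translation in Table 1-1 is what every AP, wireless bridge, and workgroup bridge performs on each frame crossing between the wired and wireless sides, and it is also the first thing a WLAN analyzer or an intrusion sensor has to undo. The Python below is an added example written for this guide's discussion; it is not code from the Cisco document or from any Cisco product. It rebuilds the two translations the text describes (Ethernet II to 802.11 plus 802.2 LLC/SNAP, and 802.3 to a bare 802.11 header) using the header layouts from IEEE 802.11 and RFC 1042, and reverses them. The MAC addresses, BSSID, and frame contents are constructed for the example; the 802.1H bridge-tunnel encapsulation used for two AppleTalk/IPX EtherTypes is deliberately not modelled.

```python
"""Added example: the Ethernet <-> 802.11 header translation an AP performs (Table 1-1).

Constructed frames only; the MAC addresses and BSSID below are made up for the example.
"""
import struct

# 802.2 LLC + SNAP header that carries an EtherType over 802.11 (RFC 1042 encapsulation):
# DSAP 0xAA, SSAP 0xAA, Control 0x03 (UI), OUI 00-00-00. The 802.1H bridge-tunnel variant
# (OUI 00-00-F8, used for AppleTalk AARP 0x80F3 and IPX 0x8137) is not modelled here.
LLC_SNAP_HDR = bytes.fromhex("aaaa03000000")
FC0_DATA = 0x08                          # frame-control byte 0: version 0, type Data, subtype 0
FLAG_TO_DS, FLAG_FROM_DS = 0x01, 0x02    # frame-control byte 1 flags
DOT11_HDR_LEN = 24                       # three-address data header: FC, duration, A1, A2, A3, seq ctrl


def parse_ethernet(frame: bytes):
    """Return (dst, src, type_or_len, payload) for an Ethernet II or 802.3 frame (FCS stripped)."""
    if len(frame) < 14:
        raise ValueError("Ethernet frame shorter than the 14-byte header")
    dst, src = frame[:6], frame[6:12]
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    return dst, src, type_or_len, frame[14:]


def ethernet_to_dot11(frame: bytes, bssid: bytes, to_ds: bool, seq: int = 0) -> bytes:
    """Replace the Ethernet header with an 802.11 data header (plus LLC/SNAP for Ethernet II).

    to_ds=False is the AP -> client direction (From DS); to_ds=True is client -> AP (To DS).
    """
    dst, src, type_or_len, payload = parse_ethernet(frame)
    if type_or_len > 1500:
        # Ethernet II: the EtherType survives inside a SNAP header behind 802.2 LLC.
        body = LLC_SNAP_HDR + struct.pack("!H", type_or_len) + payload
    else:
        # 802.3 framing: the payload already starts with an LLC header, so only the MAC
        # header changes; the length field is dropped and any Ethernet padding is trimmed.
        body = payload[:type_or_len]
    if to_ds:    # Addr1 = BSSID (receiver), Addr2 = SA (transmitter), Addr3 = DA
        flags, a1, a2, a3 = FLAG_TO_DS, bssid, src, dst
    else:        # Addr1 = DA (receiver), Addr2 = BSSID (transmitter), Addr3 = SA
        flags, a1, a2, a3 = FLAG_FROM_DS, dst, bssid, src
    duration = struct.pack("<H", 0)                    # set by the radio in practice
    seq_ctrl = struct.pack("<H", (seq & 0x0FFF) << 4)  # 12-bit sequence number, fragment 0
    return bytes([FC0_DATA, flags]) + duration + a1 + a2 + a3 + seq_ctrl + body


def dot11_to_ethernet(frame: bytes):
    """Inverse translation; returns (ethernet_frame, bssid).

    Anything that is not a plain three-address data frame is rejected rather than guessed at:
    forwarding management/control frames, 4-address WDS frames, or QoS data frames (which carry
    an extra 2-byte QoS Control field) through this path would emit malformed wired frames.
    """
    if len(frame) < DOT11_HDR_LEN + 3:
        raise ValueError("frame too short for an 802.11 data header plus LLC")
    fc0, fc1 = frame[0], frame[1]
    if fc0 != FC0_DATA:
        raise ValueError("not a plain (non-QoS) 802.11 data frame")
    to_ds, from_ds = bool(fc1 & FLAG_TO_DS), bool(fc1 & FLAG_FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    body = frame[DOT11_HDR_LEN:]
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not handled here")
    if to_ds:
        bssid, src, dst = a1, a2, a3
    elif from_ds:
        dst, bssid, src = a1, a2, a3
    else:
        raise ValueError("IBSS (ad-hoc) frame: an AP does not bridge these")
    if body.startswith(LLC_SNAP_HDR) and len(body) >= 8:
        return dst + src + body[6:8] + body[8:], bssid             # back to Ethernet II
    return dst + src + struct.pack("!H", len(body)) + body, bssid  # back to 802.3 + LLC


# Constructed sample frames (not captures); all addresses are made up.
WIRED_HOST = bytes.fromhex("001122334455")
WLAN_CLIENT = bytes.fromhex("00409612abcd")
AP_BSSID = bytes.fromhex("000d28000001")
# Ethernet II, EtherType 0x0800 (IP), with a 40-byte dummy IP header as payload: 54 bytes.
SAMPLE_ETH2 = WLAN_CLIENT + WIRED_HOST + struct.pack("!H", 0x0800) + b"\x45\x00" + bytes(38)
# 802.3 length frame carrying a bare IPX-style LLC header (DSAP/SSAP 0xE0), padded to 60 bytes.
SAMPLE_8023 = WLAN_CLIENT + WIRED_HOST + struct.pack("!H", 3) + b"\xe0\xe0\x03" + bytes(43)


def demo() -> dict:
    """Round-trip both sample frames through the AP translation and report what changed."""
    d11 = ethernet_to_dot11(SAMPLE_ETH2, AP_BSSID, to_ds=False, seq=7)
    eth2_back, bssid = dot11_to_ethernet(d11)
    d11_8023 = ethernet_to_dot11(SAMPLE_8023, AP_BSSID, to_ds=True)
    eth3_back, _ = dot11_to_ethernet(d11_8023)
    return {
        "eth2_len": len(SAMPLE_ETH2), "dot11_len": len(d11),    # 54 -> 72: +24 hdr, +8 LLC/SNAP, -14
        "dot11_receiver": d11[4:10], "bssid_recovered": bssid,
        "eth2_roundtrip_ok": eth2_back == SAMPLE_ETH2,
        "eth8023_body_len": len(d11_8023) - DOT11_HDR_LEN,      # 3: Ethernet padding stripped
        "eth8023_roundtrip_ok": eth3_back == SAMPLE_8023[:17],  # header + LLC, minus padding
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value.hex() if isinstance(value, bytes) else value}")
```

The receiver address (Addr1) is what the radio uses to decide whether a frame is for it, so the AP-to-client frame carries the client MAC in Addr1 and the BSSID in Addr2, while the client-to-AP frame inverts that. The reverse function refuses anything it cannot translate unambiguously; a bridge that silently forwards unexpected frame types is exactly how malformed or spoofed wireless frames end up on the wired VLAN.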
Unicast Traffic
The WLAN hardware always tries to send data at the highest rate possible. Several data rates can be selected. For instance, four rates are possible for an 802.11b radio: 1, 2, 5.5, and 11 Mbps. 802.11a radios support 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. On the AP, the Data Rates section of the AP Radio Hardware setup page lists the options for each data rate. Refer to Figure 1-2 on page 1-6.
Where Yes is selected, only unicast traffic is sent at this data rate.

Figure 1-2 AP Radio Hardware Setup Page
(Screenshot of the Data Rates section of the AP Radio Hardware setup page; not reproduced.)

Multicast and Broadcast Traffic
Broadcast and multicast traffic are treated similarly within a WLAN. Both are sent at the data rate of the associated client with the lowest data rate. For example, consider an AP configured with all data rates as Basic (the default) that has 802.11b clients associated at 11 Mbps and at 5.5 Mbps. In this scenario, multicast and broadcast traffic is sent at 5.5 Mbps to ensure the frames are received by all associated clients.
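Two claims above deserve numbers: that WLAN throughput is well below the nominal data rate because of protocol overhead on a shared medium, and that one slow client pulls every broadcast and multicast frame down to its rate. The Python below is an added example written for this guide, not code or figures from the Cisco document. It models the 802.11 DCF frame exchange (DIFS, mean initial backoff, PLCP preamble and header, the data frame, and for unicast the SIFS and ACK) using the 802.11b DSSS timing constants from the standard, with long preambles and the ACK sent at the data rate, which is what an all-Basic rate set permits. Frame sizes and the set of associated clients are constructed for the example.

```python
"""Added example: 802.11b medium time per frame, goodput vs. data rate, and the cost of one
slow client to broadcast/multicast. Timing constants are the 802.11b DSSS values from the
standard; traffic sizes and client rates are constructed for the example."""

SLOT_US = 20.0                       # 802.11b slot time
SIFS_US = 10.0                       # short interframe space (between data and its ACK)
DIFS_US = SIFS_US + 2 * SLOT_US      # 50 us: idle time required before a new frame may start
CW_MIN = 31                          # initial contention window, in slots
PLCP_LONG_US = 192.0                 # long preamble (144 bits) + PLCP header (48 bits) at 1 Mbps
MAC_HDR_FCS_BYTES = 28               # 24-byte three-address data header + 4-byte FCS
LLC_SNAP_BYTES = 8                   # 802.2 LLC + SNAP carrying the EtherType (Table 1-1)
ACK_BYTES = 14                       # control frame: FC, duration, RA, FCS


def average_backoff_us() -> float:
    """Mean random backoff for a first transmission attempt: uniform over 0..CW_MIN slots."""
    return (CW_MIN / 2) * SLOT_US    # 310 us


def ppdu_us(mpdu_bytes: int, rate_mbps: float) -> float:
    """Air time of one frame: fixed 1 Mbps PLCP preamble/header, then the MPDU at the data rate."""
    return PLCP_LONG_US + mpdu_bytes * 8 / rate_mbps   # bits / (Mbit/s) is microseconds


def frame_exchange_us(payload_bytes: int, rate_mbps: float, acked: bool = True,
                      ack_rate_mbps: float = 0.0) -> float:
    """Medium time one payload costs: DIFS + mean backoff + data frame (+ SIFS + ACK).

    Unicast data is acknowledged. 802.11 broadcast and multicast frames are not, so they
    are sent with acked=False. The ACK goes out at a basic rate no higher than the data
    rate; with every rate configured Basic that can be the data rate itself (the default here).
    """
    mpdu = payload_bytes + LLC_SNAP_BYTES + MAC_HDR_FCS_BYTES
    t = DIFS_US + average_backoff_us() + ppdu_us(mpdu, rate_mbps)
    if acked:
        t += SIFS_US + ppdu_us(ACK_BYTES, ack_rate_mbps or rate_mbps)
    return t


def goodput_mbps(payload_bytes: int, rate_mbps: float, acked: bool = True) -> float:
    """Payload bits delivered per microsecond of medium time, i.e. Mbps seen above the MAC."""
    return payload_bytes * 8 / frame_exchange_us(payload_bytes, rate_mbps, acked)


def multicast_rate_mbps(associated_client_rates) -> float:
    """With all rates configured Basic, the AP sends broadcast/multicast at the rate of the
    slowest associated client so every client can decode the frame."""
    return min(associated_client_rates)


def demo() -> dict:
    clients = [11.0, 11.0, 5.5]      # constructed: two clients at 11 Mbps, one at 5.5 Mbps
    mcast_rate = multicast_rate_mbps(clients)
    return {
        "unicast_1500B_at_11": round(goodput_mbps(1500, 11.0), 2),              # ~6.38, not 11
        "unicast_64B_at_11": round(goodput_mbps(64, 11.0), 2),                  # ~0.61: overhead dominates
        "multicast_1500B_at_11": round(goodput_mbps(1500, 11.0, acked=False), 2),   # ~7.19 (no ACK)
        "multicast_rate_with_slow_client": mcast_rate,                          # 5.5
        "multicast_1500B_at_slow_rate": round(goodput_mbps(1500, mcast_rate, acked=False), 2),  # ~4.31
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A 1500-byte unicast payload at 11 Mbps occupies the channel for roughly 1.9 ms, of which only about 1.1 ms is the payload itself, so the best case is a little over 6 Mbps of goodput; small frames fare far worse because the fixed costs do not shrink. Because multicast is not acknowledged it is slightly cheaper per frame at the same rate, but a single client associated at 5.5 Mbps makes every multicast and broadcast frame cost nearly twice the air time, which is the reason the design characteristics above insist that IP multicast on the WLAN be bounded and tested.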
WLAN Modes of Operation
In general, IEEE 802.11 WLANs operate in either of two modes:
• Infrastructure Mode, page 1-7
• Ad-hoc Mode, page 1-7
Infrastructure Mode
In infrastructure mode, clients communicate through an AP. The AP is the point at which wireless clients can access the network. Figure 1-3 illustrates a typical WLAN arrangement. The AP provides connectivity to other clients associated with that AP or to the wired LAN. The basic service area (BSA) is the area of RF coverage provided by an AP, also referred to as a microcell. To extend the BSA, or simply to add wireless devices and extend the range of an existing wired system, an AP can be added. The AP attaches to the Ethernet backbone and communicates with all the wireless devices in the cell area. The AP is the master for the cell, and controls traffic flow to and from the network. The remote devices do not communicate directly with each other—they communicate through the AP. If a single cell does not provide enough coverage, any number of cells can be added to extend the range. This is known as an extended service area (ESA). It is recommended that the ESA cells include 10-to-15 percent overlap to allow remote users to roam without losing RF connections. Bordering cells should be set to different non-overlapping channels for best performance.

Figure 1-3 Typical WLAN
(Diagram: two wireless cells, one AP on channel 1 and one on channel 6, overlapping by 10-15 percent. The APs connect through a switch and router to the LAN/WAN; wireless laptops, handhelds, a tablet, and a desktop sit in the cells, and a laptop roams between the two APs.)
Ad-hoc Mode
Ad-hoc mode is used to establish a peer-to-peer network between two or more clients without an AP. This mode is selected through the System Type section of the System Parameters page in the Aironet Client Utility (ACU).
Links and References
The following documents provide supplemental information to the design and implementation material presented in this SRND. These references fall into several categories:
• General References, page 1-8
• Security References, page 1-8
• IP Multicast References, page 1-9
General References
Cisco Network Solutions and Provisioned Services page: http://www.cisco.com/en/US/netsol/index.html
Note
Access to specific information varies based on user entitlement at the Cisco Systems web site.
Security References
• The Unofficial 802.11 Security Web Page: http://www.drizzle.com/~aboba/IEEE/
• Assessing Wireless Security with AiroPeek and AiroPeek NX: http://www.wildpackets.com/elements/whitepapers/AiroPeek_Security.pdf
• Netstumbler security links: http://www.netstumbler.com/links.php?op=MostPopular
• OUI list: http://standards.ieee.org/regauth/oui/oui.txt
• SANS (System Administration, Networking and Security) Institute, Wireless page: http://rr.sans.org/wireless/wireless_list.php
• Securing wireless networks (enter as guest): http://securingwireless.intranets.com/default.asp?link=
• List of wireless security tools: http://www.networkintrusion.co.uk/wireless.htm
• When Dreamcasts Attack: http://online.securityfocus.com/news/558
IP Multicast References
CCO IP Multicast Overview: http://www.cisco.com/go/ipmulticast
Chapter 2
WLAN Radio Frequency (RF) Design Considerations
This discussion focuses on radio frequency (RF) considerations in WLAN environments. The following sections are presented:
• RF Basics, page 2-1
• IEEE 802.11 Standards, page 2-9
• RF Spectrum Implementation, page 2-11
• Planning for RF Deployment, page 2-13
RF Basics
This section provides a summary of regulations and considerations specific to RF implementation. The following sections are presented:
• Regulations, page 2-2
• Fine Tuning, page 2-5
• Channel Selection, page 2-5
Regulations
Devices that operate in unlicensed bands do not require any formal licensing process, but operation in these bands still obligates the user to follow regulations. The governing bodies in different parts of the world regulate these bands, and WLAN devices must comply with the specifications of the relevant regulatory domain. The regulatory agencies set emission requirements for WLAN devices to minimize the interference a radio can generate or receive from another radio in the same proximity. The regulatory requirements do not affect the interoperability of IEEE 802.11b and 802.11a compliant products. It is the vendor's responsibility to get the product certified by the corresponding regulatory body. Table 2-1 summarizes the current regulatory domains for Wi-Fi products.

Table 2-1 Regulatory Domains

Regulatory Domain | Geographic Area
Americas or FCC (United States Federal Communications Commission) | North, South and Central America, Australia and New Zealand, various parts of Asia and Oceania
Europe or ETSI (European Telecommunications Standards Institute) | Europe (both EU and non-EU countries), Middle East, Africa, various parts of Asia and Oceania
Japan (MKK) | Japan
China | People's Republic of China (Mainland China)
Israel | Israel
Singapore (1) | Singapore
Taiwan (2) | Republic of China (Taiwan)

1. The regulations of Singapore and Taiwan for wireless LANs are particular to these countries only for operation in the 5 GHz band. Singapore and Taiwan are therefore regulatory domains only for 5 GHz operation; for operation in 2.4 GHz they fall into the ETSI and FCC domains, respectively.
2. See note 1.

Note
The main regulatory domains are FCC, ETSI, and MKK. As of this writing there is no 5 GHz regulatory domain for China, and 5 GHz regulations vary widely from country to country.

Caution
Check the Cisco web site for compliance information, and check with your local regulatory authority on what is permitted within your country. The information in Table 2-2, Table 2-3, and Table 2-4 on the following pages should be used as a general guideline. For up-to-date information on regional requirements, see http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html#4.
Table 2-2 Operating Frequency Range for 802.11b

Lower Limit | Upper Limit | Regulatory Range (1) | Geography
2.402 GHz | 2.480 GHz | 2.400 to 2.4835 GHz | North America
2.402 GHz | 2.480 GHz | 2.400 to 2.4835 GHz | Europe (2)
2.473 GHz | 2.495 GHz | 2.471 to 2.497 GHz | Japan
2.447 GHz | 2.473 GHz | 2.445 to 2.475 GHz | Spain
2.448 GHz | 2.482 GHz | 2.4465 to 2.4835 GHz | France

1. The frequency ranges in this table are subject to the geography-specific regulatory authorities.
2. Excluding Spain and France.
Table 2-3 FCC Frequency Bands and Channel Numbers for 802.11a

Regulatory Domain | Frequency Band | Channel Number | Center Frequency
USA | U-NII lower band (5.15 to 5.25 GHz) | 36 | 5.180 GHz
USA | U-NII lower band (5.15 to 5.25 GHz) | 40 | 5.200 GHz
USA | U-NII lower band (5.15 to 5.25 GHz) | 44 | 5.220 GHz
USA | U-NII lower band (5.15 to 5.25 GHz) | 48 | 5.240 GHz
USA | U-NII middle band (5.25 to 5.35 GHz) | 52 | 5.260 GHz
USA | U-NII middle band (5.25 to 5.35 GHz) | 56 | 5.280 GHz
USA | U-NII middle band (5.25 to 5.35 GHz) | 60 | 5.300 GHz
USA | U-NII middle band (5.25 to 5.35 GHz) | 64 | 5.320 GHz
USA | U-NII upper band (5.725 to 5.825 GHz) | 149 | 5.745 GHz
USA | U-NII upper band (5.725 to 5.825 GHz) | 153 | 5.765 GHz
USA | U-NII upper band (5.725 to 5.825 GHz) | 157 | 5.785 GHz
USA | U-NII upper band (5.725 to 5.825 GHz) | 161 | 5.805 GHz
Table 2-4 Additional Frequency Bands and Channel Numbers for Other Regulatory Domains

Regulatory Domain | Frequency Band | Channel Number | Center Frequency (GHz)
Japan | U-NII lower band | 34 | 5.170
Japan | U-NII lower band | 38 | 5.190
Japan | U-NII lower band | 42 | 5.210
Japan | U-NII lower band | 46 | 5.230
Singapore | U-NII lower band | 36 | 5.180
Singapore | U-NII lower band | 40 | 5.200
Singapore | U-NII lower band | 44 | 5.220
Singapore | U-NII lower band | 48 | 5.240
Taiwan | U-NII middle band (5.25 to 5.35 GHz) | 52 | 5.260
Taiwan | U-NII middle band (5.25 to 5.35 GHz) | 56 | 5.280
Taiwan | U-NII middle band (5.25 to 5.35 GHz) | 60 | 5.300
Taiwan | U-NII middle band (5.25 to 5.35 GHz) | 64 | 5.320
EMEA 1 | Same as USA | Same as USA | Same as USA
Australia | Same as USA | Same as USA | Same as USA
New Zealand | Same as USA | Same as USA | Same as USA
EMEA 2 (1) | U-NII lower band | 36 | 5.180
EMEA 2 (1) | U-NII lower band | 40 | 5.200
EMEA 2 (1) | U-NII lower band | 44 | 5.220

1. Some EMEA countries, and limited to 20 mW.
Each of the bands presented in Table 2-3 is intended for different uses. The UNII-3 band is intended for long range point-to-point and point-to-multipoint wireless bridging and may only be used outdoors. The UNII-3 band and its usage is beyond the scope of this book. Please refer to the following URL to find the appropriate WLAN product for your regulatory domain: http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html
Fine Tuning
A number of factors affect WLAN coverage:
• Selected data rate
• Power level
• Antenna choice (dipole, omni-directional, wall mount)
For a given data rate, the WLAN designer can alter the power level and/or elect to use a different antenna to change the coverage area and/or coverage shape.
Channel Selection
Channel selection depends on the frequencies that are permitted for a particular region. For example, the North American and ETSI 2.4 GHz channel sets permit allocation of three non-overlapping channels (1, 6, and 11), while the 5 GHz channel set permits eight. The channels should be allocated to the coverage cells as follows:
• Overlapping cells should use non-overlapping channels.
• Where a channel must be reused in multiple cells, those cells should have minimal overlap with each other. See Figure 2-1.
Figure 2-1 Channels Allocated to APs (AP1 channel 1, AP2 channel 6, AP3 channel 11, AP4 channel 1; diagram not reproduced)
A site survey should be conducted using the same frequency plan as intended for the actual deployment. This gives a more exact estimate of how a particular channel at a particular location will react to interference and multipath. Channel selection also helps in planning for co-channel and adjacent-channel interference, and shows where a frequency can be reused. In multi-story buildings, check the cell overlap between floors against the same rules and guidelines; some re-surveying and relocating of APs might be required. Multi-story structures (such as office towers, hospitals and university classroom buildings) introduce a third dimension to coverage planning. The 2.4 GHz signal of 802.11b and, when available, 802.11g passes through floors and ceilings as well as walls. The 5 GHz signal of 802.11a also passes through floors and ceilings as well as walls, but to a lesser degree because of its higher frequency. With 2.4 GHz Wi-Fi LANs in particular, you must avoid overlapping same-channel cells not only on the same floor but also on adjacent floors. With only three channels, this requires careful three-dimensional planning.
An AP can be configured to automatically search for the best channel on power-up. This is configured using the AP Radio Hardware menu, as shown in Figure 2-2. After the APs have selected their channels, retest the site using those channels and check for interference.
Figure 2-2 AP Automatic Channel Search (screen capture not reproduced)
Note
It is possible to implement a dual-band deployment scheme, as illustrated in Figure 2-3. However, this requires careful planning and implementation of the Cisco Aironet AP 1200. Refer to the "Data Rate Considerations" section on page 3-3 for related information about dual-band channel deployment considerations.
Figure 2-3 Dual Band Deployment Diagram (a floor plan of cells in which each AP carries an 802.11b channel drawn from 1, 6 and 11 together with an 802.11a channel, so that neighboring cells reuse neither the 2.4 GHz nor the 5 GHz channel; diagram not reproduced)
IEEE 802.11 Standards
IEEE 802.11 is the Working Group within the IEEE (Institute of Electrical and Electronics Engineers) responsible for wireless LAN standards. IEEE 802.11 became a standard in July 1997 and defined two RF technologies operating in the 2.4 GHz band:
• Direct Sequence Spread Spectrum (DSSS), 1 Mbps and 2 Mbps
• Frequency Hopping Spread Spectrum (FHSS), 1 Mbps and 2 Mbps
Within the 802.11 Working Group are a number of Task Groups responsible for elements of the 802.11 WLAN standard. IEEE 802.11b refers to Task Group b within the 802.11 Working Group. IEEE 802.11b became an IEEE standard in September 1999, adding the higher data rates of 5.5 Mbps and 11 Mbps using DSSS in the 2.4 GHz band. 802.11b defines a high-performance radio and true vendor interoperability. Table 2-5 summarizes some of the task group initiatives.

Table 2-5 IEEE 802.11 Task Group Activities

Task Group | Project | Status (March 2003)
MAC | Develop one common MAC for WLANs in conjunction with a physical layer entity (PHY) Task Group | Standard (1997)
PHY | Develop three WLAN PHYs: Infrared, 2.4 GHz FHSS, 2.4 GHz DSSS | Standard (1997)
a | Develop PHY for 5 GHz UNII band | Standard
b | Develop higher rate PHY in 2.4 GHz band | Standard
c | Cover bridge operation with 802.11 MACs (spanning tree) | Standard (802.1d)
d | Define physical layer requirements for 802.11 operation in other regulatory domains (countries) | Standard
e | Enhance 802.11 MAC for QoS | Ongoing
f | Develop recommended practices for Inter Access Point Protocol (IAPP) for multi-vendor use | Ongoing
g | Develop higher speed PHY extension to 802.11b (54 Mbps) | Ongoing
h | Enhance 802.11 MAC and 802.11a PHY: Dynamic Frequency Selection, Transmit Power Control | Ongoing
i | Enhance 802.11 MAC security and authentication mechanisms | Ongoing
j | Enhance the 802.11 standard and amendments to add channel selection for 4.9 GHz and 5 GHz in Japan | Ongoing
k | Define Radio Resource Measurement enhancements to provide interfaces to higher layers for radio and network measurements | Ongoing
The IEEE ratified the 802.11a standard in 1999, but the first 802.11a-compliant products did not appear on the market until December 2001. The 802.11a standard delivers a maximum data rate of 54 Mbps and eight non-overlapping frequency channels, resulting in increased network capacity, improved scalability, and the ability to create microcellular deployments without interference from adjacent cells. Operating in the unlicensed portion of the 5 GHz radio band, 802.11a is also immune to interference from devices that operate in the 2.4 GHz band, such as microwave ovens, cordless phones, and Bluetooth (a short-range, low-speed, point-to-point, personal-area-network wireless standard). The 802.11a standard is not compatible with existing 802.11b-compliant wireless devices, but 2.4 GHz and 5 GHz equipment can operate in the same physical environment without interfering with each other. IEEE 802.11g is a high-performance standard in development and should be finalized by mid-2003. 802.11g will deliver the same 54 Mbps maximum data rate as 802.11a, but will operate in the same 2.4 GHz band as 802.11b. Selecting between these technologies is not a one-for-one tradeoff. They are complementary technologies and will coexist in future enterprise environments. Implementers must be able to make an educated choice between deploying 2.4 GHz-only networks, 5 GHz-only networks, or a combination of both. Organizations with existing 802.11b networks cannot simply deploy a new 802.11a network on 5 GHz APs and expect the same coverage at the 802.11a 54 Mbps data rate as they had at 11 Mbps with 802.11b APs: a 5 GHz signal is attenuated more by distance and by obstacles, and the 54 Mbps rate needs a stronger signal than 11 Mbps does, so the 54 Mbps cells are smaller and more APs are required. The technical characteristics of the two bands simply do not allow for this kind of coverage interchangeability.
RF Spectrum Implementation
In the United States, three bands are available without a license and are commonly, if loosely, grouped together as the ISM (Industrial, Scientific, and Medical) bands:
• 900 MHz (902 to 928 MHz)
• 2.4 GHz (2.400 to 2.4835 GHz), used by IEEE 802.11 and 802.11b
• 5 GHz (5.15 to 5.35 GHz and 5.725 to 5.825 GHz), used by IEEE 802.11a. This band is also known as the UNII (Unlicensed National Information Infrastructure) band; strictly speaking it is a U-NII allocation rather than an ISM band.
The Cisco Aironet 340 and 350 Series APs use RF spectrum in the 2.4 GHz unlicensed ISM band. Each range has different characteristics. The lower frequencies exhibit better range, but with limited bandwidth and hence lower data rates. The higher frequencies have less range and are subject to greater attenuation from solid objects.
Direct Sequence Spread Spectrum
The Direct Sequence Spread Spectrum approach encodes redundant information into the RF signal. At the 1 and 2 Mbps rates, every data symbol is expanded into a string of 11 chips, the Barker sequence, modulated with Binary Phase-Shift Keying (BPSK) at 1 Mbps (one data bit per symbol) or Quadrature Phase-Shift Keying (QPSK) at 2 Mbps (two data bits per symbol). At the 5.5 and 11 Mbps rates, 802.11b replaces the Barker code with Complementary Code Keying (CCK), which uses 8-chip code words carrying 4 data bits (5.5 Mbps) or 8 data bits (11 Mbps) per code word. The chip rate mandated by IEEE 802.11 is 11 Mchips/s at every data rate, so the transmitted signal always spreads across the same 22 MHz of spectrum; what changes with the data rate is how many data bits each symbol carries, and therefore how much redundancy protects each bit. At 1 Mbps, 11 chips are transmitted for every bit of data, which is why a receiver can recover the bit even when several chips are corrupted by noise; at 11 Mbps, 8 chips carry 8 bits, and the signal is correspondingly less robust.
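The following Python script is an added worked example, not part of this SRND or of any Cisco software. It spreads a few data bits with the 11-chip Barker sequence as the 1 Mbps BPSK rate does, flips a chosen set of chips to stand in for interference (a constructed, simplified noise model), and despreads by correlation to show why up to five corrupted chips per bit still leave the bit recoverable, and why a sixth does not. The function and variable names are the example's own.

```python
"""DSSS spreading and despreading with the 11-chip Barker sequence.

Added example (not from the Cisco SRND). Chips are represented as +1/-1.
The noise model, flipping a chosen set of chip positions, is a constructed
stand-in for interference, not a radio channel model.
"""

# The 11-chip Barker sequence used by 802.11 DSSS at 1 and 2 Mbps.
BARKER_11 = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]


def spread(bits):
    """Expand each data bit into 11 chips (BPSK, 1 Mbps): bit 1 -> Barker
    sequence, bit 0 -> inverted Barker sequence. Returns a flat chip list."""
    chips = []
    for b in bits:
        sign = 1 if b else -1
        chips.extend(sign * c for c in BARKER_11)
    return chips


def despread(chips):
    """Correlate each 11-chip block against the Barker code and decide the
    bit by the sign of the correlation. A clean block correlates to +11 or
    -11; each flipped chip moves the sum by 2, so up to 5 flipped chips
    still leave the sign, and therefore the bit, intact."""
    n = len(BARKER_11)
    bits = []
    for i in range(0, len(chips), n):
        block = chips[i:i + n]
        corr = sum(c * r for c, r in zip(block, BARKER_11))
        bits.append(1 if corr > 0 else 0)
    return bits


def corrupt(chips, positions):
    """Return a copy of chips with the chips at the given positions flipped
    (constructed interference)."""
    out = list(chips)
    for p in positions:
        out[p] = -out[p]
    return out


def autocorrelation(code):
    """Cyclic autocorrelation of the code: the property that lets a receiver
    lock onto the chip stream (peak of 11 at zero shift, -1 at every other
    shift for the Barker-11 sequence)."""
    n = len(code)
    return [sum(code[i] * code[(i + s) % n] for i in range(n)) for s in range(n)]


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0]
    tx = spread(data)                                  # 55 chips for 5 bits
    rx = corrupt(tx, [0, 3, 7, 12, 13, 14, 15, 16])    # 3 hits in bit 0, 5 in bit 1
    print("sent     ", data)
    print("recovered", despread(rx))                   # still [1, 0, 1, 1, 0]
    print("too many hits on one bit:", despread(corrupt(spread([1]), range(6))))
    print("autocorrelation", autocorrelation(BARKER_11))
```

The same correlation step is what a real 802.11 receiver performs at the chip rate; the point of the example is that the margin (11 chips for 1 bit) is what a 1 Mbps client spends its extra airtime on, which is why the lower rates reach farther but cost more medium time.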
IEEE 802.11b Direct Sequence Channels
Fourteen channels are defined in the IEEE 802.11b Direct Sequence (DS) channel set. Each DS channel is 22 MHz wide, but the channel centers are only 5 MHz apart, so neighboring channels overlap and signals from them can interfere with each other. In a 14-channel DS system (11 usable in the US), only three non-overlapping (and hence non-interfering) channels, 25 MHz apart, are possible, such as Channels 1, 6, and 11. This channel spacing governs the use and allocation of channels in a multi-AP environment such as an office or campus. APs are usually deployed in cellular fashion within an enterprise, where adjacent APs are allocated non-overlapping channels. Alternatively, APs can be co-located using Channels 1, 6, and 11 to deliver 33 Mbps of aggregate bandwidth to a single area (but still only 11 Mbps to a single client). The channel allocation scheme is illustrated in Figure 2-4.
Figure 2-4 IEEE 802.11b DSSS Channel Allocations (channels 1 through 14, each 22 MHz wide, spanning 2.402 GHz to 2.483 GHz; diagram not reproduced)
IEEE 802.11a: OFDM Physical Layer
IEEE 802.11a defines the requirements for a PHY operating in the 5 GHz U-NII bands at data rates from 6 Mbps to 54 Mbps. It uses Orthogonal Frequency Division Multiplexing (OFDM), a multi-carrier system (as opposed to the single-carrier spread spectrum systems above). OFDM allows its sub-carriers to overlap, which provides high spectral efficiency; the modulation used in OFDM is more spectrally efficient than the spread spectrum techniques.
IEEE 802.11a Channels
Figure 2-5 shows the center frequency of each channel. Each channel occupies 10 MHz on either side of its center (the dotted line in the figure), that is, 20 MHz in total. Channel numbers are assigned every 5 MHz (center frequency = 5.000 GHz + 5 MHz x channel number), but the channels actually used by 802.11a (36, 40, 44, and so on) are 20 MHz apart, so adjacent channels in the set do not overlap. The band edges lie 30 MHz beyond the outermost centers in the lower and middle bands and 20 MHz beyond them in the upper band.
Figure 2-5 802.11a Channel Set (lower band edge 5150 MHz; centers 5180, 5200, 5220 and 5240 MHz in the lower band and 5260, 5280, 5300 and 5320 MHz in the middle band; upper band edge 5350 MHz; upper band: lower edge 5725 MHz, centers 5745, 5765, 5785 and 5805 MHz, upper edge 5825 MHz; diagram not reproduced)
For the US 802.11a standard, the 5 GHz unlicensed spectrum covers 300 MHz and supports 12 non-overlapping channels. The 5 GHz band is actually a conglomerate of three bands in the USA: 5.150 to 5.250 GHz (UNII-1), 5.250 to 5.350 GHz (UNII-2), and 5.725 to 5.825 GHz (UNII-3).
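As an added worked example (not from this SRND), the following Python script encodes the channel arithmetic of the 802.11b and 802.11a channel sections above and of "Channel Selection": 802.11b channel centers at 2407 MHz + 5 MHz x channel (2484 MHz for Japan's channel 14) with a 22 MHz occupied width, and 802.11a centers at 5000 MHz + 5 MHz x channel with a 20 MHz width. It derives the non-overlapping sets (1, 6, 11 and 36 through 64) from those rules rather than hard-coding them, and then assigns channels to a constructed set of overlapping AP cells in the manner of Figure 2-1. The AP layout and all function names are the example's assumptions.

```python
"""Channel spacing, overlap, and a simple channel plan for a set of APs.

Added example (not part of the Cisco SRND). The AP adjacency list at the
bottom is constructed for illustration.
"""

B_CHANNEL_WIDTH_MHZ = 22   # 802.11b DSSS occupied bandwidth
A_CHANNEL_WIDTH_MHZ = 20   # 802.11a OFDM occupied bandwidth


def center_mhz_b(ch):
    """802.11b DSSS center frequency. Channel 14 (Japan only) is offset."""
    if ch == 14:
        return 2484
    return 2407 + 5 * ch


def center_mhz_a(ch):
    """802.11a center frequency (US channel numbering)."""
    return 5000 + 5 * ch


def overlaps(c1_mhz, c2_mhz, width_mhz):
    """Two channels overlap if their occupied bands (center +/- width/2)
    intersect, i.e. the centers are closer than one channel width."""
    return abs(c1_mhz - c2_mhz) < width_mhz


def non_overlapping_set(channels, center_fn, width_mhz):
    """Greedy pick, lowest channel first, of channels that do not overlap
    any channel already chosen. For US 802.11b this yields 1, 6, 11; for
    the 802.11a indoor set it yields all eight channels."""
    chosen = []
    for ch in channels:
        if all(not overlaps(center_fn(ch), center_fn(c), width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def plan_channels(neighbors, channels):
    """Assign each AP a channel so that no two APs whose cells overlap use
    the same channel (greedy graph coloring in AP name order). neighbors
    maps an AP name to the names of the APs it overlaps. Raises when the
    channel set is exhausted for some AP, which means cells are overlapping
    too densely for the channel set and the layout (or power) must change."""
    assignment = {}
    for ap in sorted(neighbors):
        used = {assignment[n] for n in neighbors[ap] if n in assignment}
        free = [c for c in channels if c not in used]
        if not free:
            raise ValueError(f"no free channel for {ap}; cells overlap too densely")
        assignment[ap] = free[0]
    return assignment


if __name__ == "__main__":
    print("802.11b non-overlapping:",
          non_overlapping_set(range(1, 12), center_mhz_b, B_CHANNEL_WIDTH_MHZ))
    indoor_a = [36, 40, 44, 48, 52, 56, 60, 64]
    print("802.11a non-overlapping:",
          non_overlapping_set(indoor_a, center_mhz_a, A_CHANNEL_WIDTH_MHZ))
    # Constructed layout in the spirit of Figure 2-1: AP1-AP2-AP3 overlap one
    # another, AP4 overlaps AP2 and AP3 but not AP1, so AP4 can reuse AP1's channel.
    layout = {
        "AP1": ["AP2", "AP3"],
        "AP2": ["AP1", "AP3", "AP4"],
        "AP3": ["AP1", "AP2", "AP4"],
        "AP4": ["AP2", "AP3"],
    }
    print("plan:", plan_channels(layout, [1, 6, 11]))   # AP1 1, AP2 6, AP3 11, AP4 1
```

The greedy coloring is deliberately simple; for a real floor plan the neighbor relation should come from the site survey (which cells actually hear one another at a usable signal level), and a ValueError from plan_channels is the signal that the 2.4 GHz channel set cannot serve the layout and that cell sizes, or the 5 GHz band, should be considered.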
Planning for RF Deployment
Many of the RF design considerations are interdependent and/or implementation dependent. As a result there is no one-size-fits-all template for the majority of requirements and environments. The RF design depends on the following considerations; each is addressed briefly in the individual sections that follow:
• RF Deployment Best Practices, page 2-13
• WLAN Data Rates Required, page 2-13
• Client Density and Throughput Requirements, page 2-16
• WLAN Coverage Required, page 2-17
• Security Policy, page 2-17
• RF Environment, page 2-18
RF Deployment Best Practices
Some considerations can be addressed with general best-practice guidelines. The following apply to most situations:
• Number of users versus throughput for a given AP: the general recommended number of users per AP is 15 to 25.
• Distance from the AP causes throughput variations for clients: the recommendation is to limit the AP data rates to the higher rates of 11 Mbps and 5.5 Mbps, so that distant clients are not served at the slow rates that drag down the whole cell.
• Number of APs depends on coverage and throughput requirements, which vary: for example, Cisco's internal information systems (IS) group currently uses six APs per 38,000 square feet of floor space.
Note
Because environments vary so much, it is highly recommended that a site survey be performed to determine the number of APs required and their optimal placement.
WLAN Data Rates Required
Data rates affect cell size. Lower data rates (such as 1 Mbps) extend farther from the AP than higher data rates (such as 11 Mbps), as illustrated in Figure 2-6 (not to scale). Therefore the data rate (and the power level) affects cell coverage and consequently the number of APs required, as illustrated in Figure 2-7 on page 2-15. The lower data rates are achieved by sending a more redundant signal on the wireless link, which allows the data to be recovered from noise more easily. The number of symbols sent for a packet at the 1 Mbps data rate is greater than the number of symbols used for the same packet at 11 Mbps, so sending data at the lower bit rates takes more airtime than sending the equivalent data at a higher bit rate.
Figure 2-6 Data Rate Compared with Coverage (concentric coverage circles for 11 Mbps, 5.5 Mbps, 2 Mbps and 1 Mbps, the 1 Mbps circle being the largest; not to scale; diagram not reproduced)
The diameter of the coverage circles shown in Figure 2-6 depends upon factors such as power and antenna gain. For example, indoors (1), using the standard antennas on the NIC card and APs, the diameter of the 1 Mbps circle is approximately 700 ft (210 m), and the diameter of the 11 Mbps circle is about 200 ft (60 m). Increasing the gain of the antenna can increase the distance and change the shape of the radiation pattern to something more directional.
1. Typically the outdoor range is greater because there are fewer obstacles and less interference.
Figure 2-7 Coverage Comparison and AP Density for Different Data Rates (the same floor surveyed at 2 Mbps and at 5.5 Mbps; diagram not reproduced)
The required data rate has a direct impact upon the number of APs needed in the design. The example in Figure 2-7 illustrates this point. While six APs at a data rate of 2 Mbps might adequately serve an area, it might take twice as many APs to support a data rate of 5.5 Mbps, and more again to support 11 Mbps. The data rate chosen depends on the type of application to be supported. In a WLAN LAN-extension environment, the higher data rates of 11 Mbps and 5.5 Mbps are recommended; this gives maximum throughput and should minimize performance-related support issues. In a WLAN vertical-application environment, the data rates selected are determined by the application requirements: some clients might not support the higher data rates and might require the use of lower data rates. It might seem logical to choose the default configuration of APs and clients, thereby allowing all data rates. However, there are three key reasons for limiting the data rates to the highest rate at which full coverage is obtained:
• Broadcast and multicast frames are sent at the slowest data rate (to ensure that all clients can receive them). This reduces the throughput of the WLAN because all other traffic must wait while these frames are transmitted at the slower rate.
• Clients that are farther away, and therefore accessing the network at a lower data rate, decrease the overall throughput by occupying the medium for longer while the lower bit rates are being serviced.
• If an 11 Mbps service is specified and provisioned with APs that support all data rates, clients at lower rates can still associate with those APs from farther away. This creates a coverage area greater than planned, which increases the security exposure (the network can be reached from outside the intended area) and can interfere with other WLANs.
Client Density and Throughput Requirements
APs are similar to shared hubs, and their aggregate throughput is much lower than the data rate. With this in mind, you must have a rough estimate of the maximum suggested number of active associations (active clients); this can be adjusted up or down according to the particular application. Each cell provides an aggregate amount of throughput that is shared by all the client devices within that cell that are associated to a given AP. This basically defines a cell as a collision domain. After deciding on the minimum data rate, consider how much throughput should, on average, be provided to each user of the wireless LAN. Take barcode scanners as an example: 25 kbps is more than enough bandwidth for such an application. Using an 802.11b AP at the 11 Mbps data rate results in an aggregate throughput of 5 to 6 Mbps, which would support a maximum of about 200 such users (1). For a 1 Mbps system, 20 users can share the same AP with similar per-user bandwidth. You can increase the per-user throughput by decreasing the number of users contending for the aggregate throughput provided by a single AP. This can be done by decreasing the size of the coverage cell or by adding a second AP on a non-overlapping channel in the same cell area. To reduce the cell size, the AP power or antenna gain can be reduced, resulting in fewer clients in that cell area. This means more APs are needed for the same overall area, increasing the cost of deployment. An example of this is shown in Figure 2-8. Note that some APs do not provide settings to control transmit power, and many have limited or no options.
1. This number would not be achieved in practice because of the 802.11 management overhead and collisions associated with a large number of clients.
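As an added worked example (not from this SRND), the following Python script turns the planning rules of this section and of "RF Deployment Best Practices" into a small calculation: the APs needed to cover a floor at a chosen data rate, using the indoor cell diameters quoted under "WLAN Data Rates Required" (the 2 and 5.5 Mbps diameters are assumed midpoints), versus the APs needed so that each user gets a target share of a cell's aggregate throughput (about half the data rate, per the text). It also flags the case in which capacity would require more than three co-located APs per coverage cell, which the three 2.4 GHz channels cannot provide without co-channel interference. The floor dimensions, user counts and function names are the example's assumptions.

```python
"""How many APs: coverage versus capacity.

Added example (not part of the Cisco SRND). The floor size and user
populations at the bottom are constructed; the 38,000 sq ft figure echoes
the example floor size quoted in the text.
"""

import math

# Indoor cell diameter by 802.11b data rate (ft). The 1 and 11 Mbps values
# are the ones the text quotes; 2 and 5.5 Mbps are assumed midpoints.
CELL_DIAMETER_FT = {1.0: 700, 2.0: 500, 5.5: 350, 11.0: 200}

# Aggregate throughput of one 802.11b cell (Mbps), roughly half the data
# rate (the text gives 5-6 Mbps for 11 Mbps and 0.5 Mbps for 1 Mbps).
AGGREGATE_MBPS = {1.0: 0.5, 2.0: 1.0, 5.5: 2.75, 11.0: 5.5}

NON_OVERLAPPING_24GHZ_CHANNELS = 3


def aps_for_coverage(floor_w_ft, floor_l_ft, rate_mbps, overlap=0.15):
    """Square-grid estimate: cells are placed on a grid whose pitch is the
    cell diameter shrunk by the recommended 10-15% overlap."""
    pitch = CELL_DIAMETER_FT[rate_mbps] * (1 - overlap)
    return math.ceil(floor_w_ft / pitch) * math.ceil(floor_l_ft / pitch)


def aps_for_capacity(users, per_user_kbps, rate_mbps):
    """APs needed so that the users sharing each cell get per_user_kbps."""
    users_per_ap = math.floor(AGGREGATE_MBPS[rate_mbps] * 1000 / per_user_kbps)
    if users_per_ap < 1:
        raise ValueError("per-user demand exceeds one cell's aggregate throughput")
    return math.ceil(users / users_per_ap)


def plan(floor_w_ft, floor_l_ft, users, per_user_kbps, rate_mbps):
    """Return (coverage_aps, capacity_aps, aps_to_deploy, feasible).
    feasible is False when capacity would need more than three APs per
    coverage cell: the 2.4 GHz channel set cannot support that without
    co-channel interference, so the remedy is a higher data rate, smaller
    cells at lower power, or the 5 GHz band."""
    cov = aps_for_coverage(floor_w_ft, floor_l_ft, rate_mbps)
    cap = aps_for_capacity(users, per_user_kbps, rate_mbps)
    feasible = cap <= cov * NON_OVERLAPPING_24GHZ_CHANNELS
    return cov, cap, max(cov, cap), feasible


if __name__ == "__main__":
    # Constructed floor: 200 ft x 190 ft (38,000 sq ft).
    for users, kbps in ((60, 25), (180, 100), (180, 500)):
        print(users, "users at", kbps, "kbps, 11 Mbps cells:",
              plan(200, 190, users, kbps, 11.0))
    print("20 barcode scanners at 25 kbps on 1 Mbps cells:",
          plan(200, 190, 20, 25, 1.0))
```

The coverage estimate is deliberately coarse (a real answer comes from the site survey), but the comparison it makes is the one that matters: once per-user demand rises, the AP count is driven by capacity rather than by coverage, and beyond three APs per cell the 2.4 GHz band has no more non-overlapping channels to give.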
Figure 2-8 Changing the Output Power to Increase Client Performance (left: 180 users per floor, 30 mW transmitter power, 3 access points on channels 1, 6 and 11, 60 users per AP, 11 Mbps data rate; right: 180 users per floor, 5 mW transmitter power, 18 access points reusing channels 1, 6 and 11, 10 users per AP, 11 Mbps data rate; diagram not reproduced)
Note
Client transmit power should be adjusted to match the AP power settings. Maintaining a high setting on the client does not result in higher performance, and it can cause interference in nearby cells.
W LAN Coverage Required Different enterprises have different coverage requirements. Some need a WLAN to cover specific common areas; others need WLANs to cover each floor of a building, to cover the entire building including stairwells and elevators, or to cover the entire campus including car parks and roads. Apart from impacting the number of APs required, the coverage requirements can introduce other issues, such as specialized antennas, outdoor enclosures and lightning protection.
Security Policy
RF design can be used to minimize RF radiation in areas or directions where coverage is not required. For example, if WLAN coverage is required only inside the buildings, the RF footprint outside the buildings can be reduced through AP placement, lower transmit power and directional antennas, which shrinks the area from which someone outside can reach the WLAN.
RF Environment
The performance of the WLAN and its equipment depends upon its RF environment. The following are examples of adverse environmental variables:
• 2.4 GHz cordless phones
• Walls fabricated from wire mesh and stucco
• Filing cabinets and metal equipment racks
• Transformers
• Heavy duty electric motors
• Fire walls and fire doors
• Concrete
• Refrigerators
• Sulphur plasma lighting (Fusion 2.4 GHz lighting systems)
• Air conditioning duct-work
• Other radio equipment
• Microwave ovens
• Other WLAN equipment
A site survey should be performed to ensure that the required data rates are supported in all the required areas despite the environmental variables listed above. The site survey should consider the three-dimensional space occupied by the WLAN. For example, a multi-story building with a different WLAN subnet per floor might require a different RF configuration than the same building with a single WLAN subnet for the whole building. In the multiple-subnet case, a client attempting to roam to a different AP on the same floor might instead acquire an AP on an adjacent floor. Because that AP is in a different subnet, what should be a seamless Layer 2 roam becomes a Layer 3 roam, which disrupts sessions and might require user intervention.
Chapter 3
WLAN Technology and Product Selection
This discussion focuses on technology and product assessment and selection in WLAN environments. The following sections are presented:
• WLAN Technology Selection Considerations, page 3-1
• Cisco WLAN RF Product Selection Considerations, page 3-11
WLAN Technology Selection Considerations
Selecting a wireless technology can be tricky. For example, wireless devices can adhere to different standards and might not be compatible with one another or with next-generation devices. You must understand your environment's requirements (and plans for future enhancements) when choosing a wireless technology. The sections in this chapter that address technology selection considerations are as follows:
• Competing WLAN Standards, page 3-1
• WLAN Capacity Considerations, page 3-2
• Data Rate Considerations, page 3-3
• Throughput Considerations, page 3-4
• Performance Considerations, page 3-5
• Range Considerations, page 3-7
• Technology Selection Summary, page 3-9
Competing WLAN Standards
Two standards dominate the WLAN marketplace:
• IEEE 802.11b: 802.11b has been the industry standard for several years. Operating in the unlicensed portion of the 2.4 GHz radio frequency spectrum, it delivers a maximum data rate of 11 Mbps and boasts numerous strengths. 802.11b enjoys broad user acceptance and vendor support. Many vendors manufacture compatible devices, and this compatibility is assured through the Wi-Fi certification program. 802.11b technology has been deployed by thousands of enterprise organizations, which typically find its speed and performance acceptable for their current applications.
• IEEE 802.11a: 802.11a operates in the uncluttered 5 GHz radio frequency spectrum. With a maximum data rate of 54 Mbps, this standard offers roughly a fivefold performance increase over the 802.11b standard. Therefore, it provides greater bandwidth for particularly demanding applications.
As mentioned in the "IEEE 802.11 Standards" section on page 2-9, 802.11g is another related standard, one intended for networks with high performance requirements. The 802.11g standard has been in draft form since November 2001 and is likely to be finalized in 2003. 802.11g will deliver the same 54 Mbps maximum data rate as 802.11a, yet it offers an additional and compelling advantage: backward compatibility with 802.11b equipment. This means that 802.11b client cards will work with 802.11g APs, and 802.11g client cards will work with 802.11b APs. Because 802.11g and 802.11b operate in the same 2.4 GHz unlicensed band, migrating to 802.11g will be an affordable choice for organizations with existing 802.11b wireless infrastructures. It should be noted that 802.11b products cannot be software-upgraded to 802.11g, because 802.11g radios use a different chipset than 802.11b in order to deliver the higher data rate. However, much like Ethernet and Fast Ethernet, 802.11g products can be combined with 802.11b products in the same network. Because 802.11g operates in the same unlicensed band as 802.11b, it shares the same three non-overlapping channels, which can limit wireless capacity and scalability. So, which standard should an organization select? Each has its strengths. The greatest strength of the 802.11b standard is its widespread acceptance and broad product availability, although its bandwidth is limited. In comparison, the 802.11a standard has the capability to drive the high-bandwidth applications that will characterize the future WLAN. 802.11a also supports more channels (eight non-overlapping channels in the indoor U-NII bands), making the RF deployment more flexible. Fortunately, organizations do not need to choose between technologies when considering a WLAN infrastructure. The Cisco Aironet 1200 Series gives wireless implementers the option of deploying both. This wireless AP delivers:
• Flexibility: the Cisco Aironet 1200 Series is dual-band, meaning that it can concurrently support WLANs based on both the 5 GHz 802.11a and 2.4 GHz 802.11b standards.
• Scalability and investment protection: the Cisco Aironet 1200 Series ensures that an organization's wireless network remains backward and forward compatible, with the capability to grow both in terms of users and deployed applications.
• Ease of use and manageability: the Cisco Aironet 1200 Series is field upgradable. Organizations can choose to deploy 2.4 GHz technology, 5 GHz technology, or a mixture of the two. The product also integrates seamlessly with the Cisco security and management infrastructure.
The Cisco Aironet 1200 Series delivers a seamless migration path for WLANs. It allows organizations to upgrade today to robust wireless technology while ensuring that their investments remain usable and valuable far into the future.
WLAN Capacity Considerations
The 802.11a standard provides a substantial potential capacity improvement for a WLAN compared with 802.11b-based WLAN implementations. The 5 GHz band provides more than three times as much spectrum as the 2.4 GHz band. One key advantage of an 802.11a deployment is greater flexibility for channel re-use; another is capacity. With a greater number of channels to select from, it is easier to deploy an enterprise WLAN. Interference in the network is reduced by avoiding two adjacent APs using the same frequency and by increasing the distance between APs that share a frequency (reducing co-channel interference). This is important because traffic from devices in overlapping cells set to the same channel results in mutual interference, thereby impeding performance.
Cisco AVVID W ireless LAN Design
3-2
956608
Chapter 3
W LAN Technology and Product Selection W LAN Technology Selection Considerations
With just three non-overlapping channels in the 2.4 GHz band used by 802.11b and 802.11g, this represents a shortcoming that complicates deployments. With eight channels, 802.11a systems have an aggregate data rate of up to 432 Mbps (54 Mbps multiplied by eight channels) in a given area. In contrast, 802.11b devices have a maximum capacity of 33 Mbps (11 Mbps multiplied by three channels) per given area. Therefore, organizations with large WLANs may opt for an 802.11a deployment, which provides far greater performance on a per-cell basis. Given the difference in operating frequencies, 802.11b and 802.11a can coexist within the same environment, allowing users to move from one to the other by switching clients or by using a dual-band client (which combines both radios in a single client). This approach becomes more flexible with dual-band Cisco APs. An enterprise must conduct comprehensive site surveys for each technology to guarantee adequate network coverage. Each frequency has different signal strength, interference, and reflection characteristics, and each implementation must be optimized for different requirements.
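The channel-reuse argument above can be checked with a small planner. The following is an added example, not code from the original guide or from Cisco: it assigns channels to APs on a grid so that no two overlapping cells share a channel where that is possible, and counts the co-channel overlaps that remain when it is not. The 3-by-3 grid, the rule that horizontally, vertically and diagonally adjacent cells overlap (reuse distance 1.5 cell spacings), and the greedy fallback are assumptions of the example; the channel sets (1/6/11 at 2.4 GHz, 36 to 64 at 5 GHz) are the non-overlapping channels the text refers to.

```python
"""Greedy channel-reuse planner for overlapping AP cells (added example)."""
from itertools import combinations
from typing import Dict, List, Tuple

# Non-overlapping channel sets: three in the 2.4 GHz band (802.11b/g),
# eight in the 5 GHz UNII-1/UNII-2 bands (802.11a).
CHANNELS_2GHZ = [1, 6, 11]
CHANNELS_5GHZ = [36, 40, 44, 48, 52, 56, 60, 64]

Cell = Tuple[int, int]  # AP position on a grid; one unit = one cell spacing


def neighbours(cells: List[Cell], reuse_distance: float = 1.5) -> Dict[Cell, List[Cell]]:
    """Two APs overlap (and would interfere on the same channel) when they
    are closer than reuse_distance. With 1.5 every horizontally, vertically
    and diagonally adjacent grid cell overlaps (assumption for the example)."""
    adj: Dict[Cell, List[Cell]] = {c: [] for c in cells}
    for a, b in combinations(cells, 2):
        if ((a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2) ** 0.5 < reuse_distance:
            adj[a].append(b)
            adj[b].append(a)
    return adj


def plan_channels(cells: List[Cell], channels: List[int],
                  reuse_distance: float = 1.5) -> Dict[Cell, int]:
    """Give each AP a channel no overlapping neighbour already uses.

    When every channel is taken by a neighbour (unavoidable with too few
    channels) fall back to the channel with the fewest neighbouring users,
    i.e. accept the least co-channel interference rather than refuse to plan.
    """
    adj = neighbours(cells, reuse_distance)
    plan: Dict[Cell, int] = {}
    for cell in sorted(cells):  # deterministic row-major order
        used = [plan[n] for n in adj[cell] if n in plan]
        free = [ch for ch in channels if ch not in used]
        if free:
            plan[cell] = free[0]
        else:
            plan[cell] = min(channels, key=lambda ch: (used.count(ch), ch))
    return plan


def cochannel_conflicts(plan: Dict[Cell, int], reuse_distance: float = 1.5) -> int:
    """Number of overlapping AP pairs that ended up on the same channel."""
    adj = neighbours(list(plan), reuse_distance)
    return sum(1 for a in plan for b in adj[a] if a < b and plan[a] == plan[b])


if __name__ == "__main__":
    grid = [(r, c) for r in range(3) for c in range(3)]   # constructed 3x3 AP layout
    for name, chans in (("2.4 GHz", CHANNELS_2GHZ), ("5 GHz", CHANNELS_5GHZ)):
        p = plan_channels(grid, chans)
        print(f"{name}: {len(set(p.values()))} channels used, "
              f"{cochannel_conflicts(p)} co-channel overlaps")
```

On the 3-by-3 layout the centre AP overlaps all eight others, so three channels cannot avoid co-channel overlap, whereas the eight 5 GHz channels give a conflict-free plan using only four of them, leaving the rest for growth or for separating cells further.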
Data Rate Considerations

Note
For additional related information, please refer to the "WLAN Data Rates Required" section on page 2-13.

Data rates affect cell size. Lower data rates (such as 1 Mbps) can extend further from the AP than higher data rates (such as 54 Mbps). This is illustrated in Figure 3-1. Hence the data rate (and power level) affects cell coverage, and consequently the number of APs required. In general, there are pools of coverage at each data rate. What is considered an acceptable data rate ultimately depends upon how much bandwidth is required for the application you want to run at a particular location. Be sure to survey users for the minimum data rate required.

Note
The Cisco Aironet Site Survey Utility surveys at a given data rate and does not rate shift.

APs offer clients multiple data rates for the wireless link. For 802.11b, the range is from 1 to 11 Mbps in four increments (1, 2, 5.5 and 11 Mbps), while for 802.11a the range is 6 to 54 Mbps in eight increments (6, 9, 12, 18, 24, 36, 48 and 54 Mbps). Because data rates affect range, selecting data rates during the design stage is extremely important. Client cards automatically switch to the fastest rate the AP supports at their location; how this is done varies from vendor to vendor. Because each data rate has a unique cell of coverage (the higher the data rate, the smaller the cell), the minimum data rate must be determined at the design stage. Cell sizes at given data rates can be thought of as nested concentric circles; see Figure 3-1. Selecting only the highest data rate requires a greater number of APs to cover a given area; therefore care must be taken to develop a compromise between required aggregate data rate and overall system cost. With the dual-band Cisco AP 1200, careful design can yield an aggregate data rate of 65 Mbps (54 Mbps plus 11 Mbps) per AP, with room to grow to 108 Mbps when 802.11g is available.
Figure 3-1
802.11a Data Rates (5 GHz radio at 40 mW): 170' @ 6 Mbps, 150' @ 9 Mbps, 140' @ 12 Mbps, 130' @ 18 Mbps, 120' @ 24 Mbps, 100' @ 36 Mbps, 80' @ 48 Mbps, 60' @ 54 Mbps
Throughput Considerations

Note
For related information, please refer to the "Client Density and Throughput Requirements" section on page 2-16.

Data rate is often confused with aggregate data throughput. Throughput takes into account the overhead associated with the protocol frame structure, collisions, and the implementation processing delays associated with frames processed by clients and APs. Protocol overhead includes RTS, CTS and ACK frames, beacon periods, backoff periods and propagation delays. The overhead associated with the 802.11b standard exceeds the overhead of 802.3 Ethernet, so 10 Mbps Ethernet delivers better throughput than 11 Mbps Wi-Fi. An important purchasing consideration for any networking technology is the amount of bandwidth, data rate, or throughput it provides to each network user, and how well that throughput can support the applications running on the network. For clarity, data rate means the rate at which raw bits can be sent from one node on the wireless network to another within a given timeframe; throughput is the rate at which the bits representing the message content arrive. The difference is determined by a number of factors, including the latency inherent in the PHY components of the radio, the overhead and acknowledgement information that accompany every transmission, and the pauses between transmissions. A comparison of the wireless networks at hand is shown in Table 3-1.
Table 3-1
Throughput at Maximum Data Rates

Technology        Data Rate   Average Throughput
802.11b           11 Mbps     5-to-7 Mbps
802.11a           54 Mbps     22-to-31 Mbps
802.11g (OFDM)    54 Mbps     TBD
802.11b offers an 11 Mbps data rate, which translates into approximately 5-to-7 Mbps of actual message throughput (per AP). This amount is shared among all network users accessing the AP at the same time, and is managed through Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA), a technique modeled on its wired Ethernet equivalent. As most network traffic is bursty and only a few users are active on the network simultaneously, Wi-Fi network users generally experience very good connectivity speeds. Using OFDM and 64-QAM modulation, 802.11a and 802.11g provide similar data rates. However, because 802.11g must be backward compatible with 802.11b, 802.11g incurs the additional overhead of 802.11b-compatible preambles and protection frames, so 802.11g might not achieve full parity with the throughput possible with 802.11a. With 802.11a, the maximum data rate of 54 Mbps can support high-bandwidth applications such as CAD-CAM, streaming video, and converged voice/video/data. 802.11a and 802.11b nodes also share the bandwidth using CSMA/CA techniques. In 802.11b, roughly 15-to-25 users can be supported per AP (at 11 Mbps). With 802.11a, more users could be supported per AP (at 54 Mbps) because more bandwidth is available; in practice the smaller cell size makes an increase in users per AP unlikely, and the normal effect is an increase in bandwidth available per user. 802.11b suits implementers who have a large installed base of APs, are transaction intensive, have many users roaming to other 802.11b APs, or are cost sensitive. 802.11a suits implementers who require the higher throughput for the applications listed above, have a small installed base of 802.11b (as 802.11b and 802.11a radios are not compatible), or are concerned about interference. Interference issues are discussed in detail in the next section.
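To make the data-rate versus throughput distinction concrete, here is an added example (not part of the original guide) that computes the best-case single-station DCF throughput from the MAC timing the text lists as overhead: DIFS, the average initial backoff, the PLCP preamble, the frame on the air, SIFS and the ACK. The slot, SIFS, CWmin, preamble and OFDM symbol parameters are the standard 802.11b (DSSS, long preamble) and 802.11a values; the ACK rates (2 Mbps for 802.11b, 24 Mbps for 802.11a), the 1500-byte payload and the absence of RTS/CTS, collisions and retries are assumptions of the example. It lands inside the 5-to-7 Mbps and 22-to-31 Mbps bands of Table 3-1 and shows how small frames are dominated by fixed overhead.

```python
"""Best-case 802.11 DCF throughput for a single sender (added example)."""
import math
from dataclasses import dataclass

MAC_OVERHEAD_BYTES = 24 + 4   # 802.11 MAC header + FCS
ACK_BYTES = 14


@dataclass(frozen=True)
class Phy:
    name: str
    slot_us: float        # aSlotTime
    sifs_us: float        # aSIFSTime
    cw_min: int           # initial contention window, in slots
    preamble_us: float    # PLCP preamble+header (.11b) or preamble+SIGNAL (.11a)
    data_mbps: float      # rate used for the data frame
    ack_mbps: float       # basic rate used for the ACK (assumption of the example)
    ofdm: bool            # OFDM sends whole 4 us symbols plus SERVICE/tail bits

    @property
    def difs_us(self) -> float:
        return self.sifs_us + 2 * self.slot_us

    def airtime_us(self, psdu_bytes: int, rate_mbps: float) -> float:
        """Time on air for one PSDU at the given rate, preamble included."""
        if self.ofdm:
            bits_per_symbol = rate_mbps * 4          # 4 us OFDM symbol
            symbols = math.ceil((16 + 8 * psdu_bytes + 6) / bits_per_symbol)
            return self.preamble_us + 4 * symbols
        return self.preamble_us + 8 * psdu_bytes / rate_mbps


DOT11B = Phy("802.11b", slot_us=20, sifs_us=10, cw_min=31, preamble_us=192,
             data_mbps=11, ack_mbps=2, ofdm=False)
DOT11A = Phy("802.11a", slot_us=9, sifs_us=16, cw_min=15, preamble_us=20,
             data_mbps=54, ack_mbps=24, ofdm=True)


def dcf_cycle_us(phy: Phy, payload_bytes: int) -> float:
    """DIFS + mean backoff + DATA + SIFS + ACK for one successful frame."""
    backoff_us = phy.cw_min / 2 * phy.slot_us
    data_us = phy.airtime_us(payload_bytes + MAC_OVERHEAD_BYTES, phy.data_mbps)
    ack_us = phy.airtime_us(ACK_BYTES, phy.ack_mbps)
    return phy.difs_us + backoff_us + data_us + phy.sifs_us + ack_us


def dcf_max_throughput_mbps(phy: Phy, payload_bytes: int = 1500) -> float:
    """Payload bits delivered per microsecond of channel time, i.e. Mbps."""
    return 8 * payload_bytes / dcf_cycle_us(phy, payload_bytes)


def efficiency(phy: Phy, payload_bytes: int = 1500) -> float:
    """Fraction of the nominal data rate that reaches the application."""
    return dcf_max_throughput_mbps(phy, payload_bytes) / phy.data_mbps


if __name__ == "__main__":
    for phy in (DOT11B, DOT11A):
        for size in (64, 1500):
            print(f"{phy.name} {phy.data_mbps:>4} Mbps, {size:>4}-byte payload: "
                  f"{dcf_max_throughput_mbps(phy, size):5.2f} Mbps "
                  f"({100 * efficiency(phy, size):4.1f}% of nominal)")
```

The 802.11b preamble alone (192 us) lasts longer than a 64-byte payload at 11 Mbps, which is why small-frame, transaction-style traffic sees well under 1 Mbps per sender even on an idle channel.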
Quality of Service (QoS) enhancements to the 802.11 MAC under development within IEEE 802.11e will enhance the ability of 802.11b, 802.11a, and 802.11g to deliver new types of time-critical data in addition to their traditional data packets (QoS capabilities are typically associated with IP-based telephony/voice implementations). The IEEE 802.11e Task Group recommendations will become available to both the 2.4 GHz and 5 GHz solutions simultaneously, and most subsequently released 802.11 networks will then be able to support them. The higher-bandwidth 802.11g and 802.11a standards will support QoS more effectively than 802.11b, mainly because of the higher bandwidth, but also because more unlicensed spectrum is available to 5 GHz radios. This allows 5 GHz networks to allocate some channels to voice only and others to data.
Performance Considerations
While unlicensed spectrum is very attractive (as there is no licensing fee to use it), implementers must factor in the potential performance degradation associated with ambient interference. 802.11a operates in unlicensed bands in exactly the same way as 802.11b and the earlier 900 MHz systems do. That is, there are no restrictions on the types of devices that operate in these bands, provided that they all conform to a common set of rules. The 900 MHz portion of the spectrum was initially used by WLANs and then, far more commonly, by cordless telephones. Although these devices
all complied with applicable regulations, they acted upon each other as interferers, mutually degrading performance and usability. The WLAN industry essentially abandoned the 900 MHz band and migrated to the 2.4 GHz band. Initially, the WLAN industry had this band to itself (with the exception of microwave oven RF emissions). Eventually, however, the band became more crowded with an increasing number of products, including Bluetooth devices and 2.4 GHz cordless telephones. The attractiveness of the 2.4 GHz band to manufacturers (license-free operation on an international scale and the resulting worldwide marketability of 2.4 GHz devices) leads to the central problem of the 2.4 GHz band: overcrowding. This in turn leads to a principal advantage of 802.11a: because it operates in the comparatively pristine 5 GHz band, it is (as of now) largely immune to interference from other devices. 802.11a products themselves are relatively few in number, Bluetooth operates in the 2.4 GHz band, and very few 5 GHz cordless telephones are available in the market. The point is that today the 5 GHz band is relatively clean, but there are no restrictions on this band that do not apply equally to 900 MHz and 2.4 GHz. Over time, the 5 GHz band might become equally crowded with interference-causing devices. As the 2.4 GHz band is unlicensed, it is available for anyone to use within the limits of maximum Effective Isotropic Radiated Power (EIRP). WLAN interference can come from a number of sources. The main sources are as follows:
• Microwave Ovens—The magnetron in household and commercial microwave ovens operates over tens of megahertz in the 2.4-to-2.483 GHz band. While microwave ovens operate at about 700-to-1000 W, the maximum allowed radiated power (EIRP) for WLAN devices is between 0.1 and 4 W. WLAN equipment such as APs should not be located near microwave ovens.
• Co-channel Interference—Interference can come from radios in adjacent cells on the same frequency. Effective site surveying and WLAN cell planning should minimize the effect of this interference. As WLANs become more prevalent, interference from sources outside enterprise control may become more of an issue, for example in multiple-tenancy situations (shopping centers, apartment blocks, and the like). Proper planning of channel frequencies and careful layout of the APs can minimize the interference.
• Bluetooth—Bluetooth is a Wireless Personal Area Network technology sharing the same 2.4 GHz spectrum as 802.11b. Bluetooth uses FHSS and is a shorter-range and lower-bandwidth technology than 802.11b. FHSS systems hop among frequently changing narrow bands across the whole 2.4 GHz band, so a hopper periodically lands on every 802.11b channel. It is important to manage the concurrent operation of 802.11b WLANs and Bluetooth within the enterprise. Task Group 2 of the IEEE 802.15 Working Group is looking at the coexistence issues of IEEE 802.11b WLANs and Bluetooth. Multiple companies have researched the issue and concluded that if the two technologies are separated by two meters or more, there is no significant interference.
• 2.4 GHz Cordless Telephones—Some of the newer household and office cordless telephones operate in the 2.4 GHz range (DSSS and FHSS). Depending on the conditions and the manufacturer, degradation to the WLAN can vary from unnoticeable to a total loss of association between the client and the AP. Interference from the WLAN can also impact the voice quality. Users are encouraged to use 900 MHz cordless phones where they must coexist with WLANs. If this is not possible, separate the AP from the phone base station as far as possible and perform some rudimentary degradation tests. Note that DSSS cordless phones are more likely to cause degradation than FHSS types.
• Shared Internet Access—Wireless local loop (WLL) and systems like Metricom Ricochet (again coming back to the market) and T-Mobile also use the same band, so they can be a source of interference. Interference can also come from other systems such as neighboring DSSS and FHSS WLAN networks.
Range Considerations
Table 3-2 provides a comparison of the relative data rates and ranges associated with 802.11a and 802.11b WLANs. These are typical maximum ranges, but range varies (normally downward) depending upon the environment. As more obstructions are encountered (such as a metallic building structure), range is reduced.

Table 3-2
Comparison of Bit-Rate and Range for 802.11a and 802.11b

Bit Rate (Mbps)   Range for 802.11b (feet)   Range for 802.11a (feet)
1                 350                        -
2                 250                        -
5.5               180                        -
6                 -                          170
9                 -                          150
11                140                        -
12                -                          140
18                -                          130
24                -                          120
36                -                          100
48                -                          80
54                -                          60
Figure 3-2 on page 3-8 illustrates the coverage area of an 802.11b AP at a maximum bit rate of 11 Mbps, overlaid with 802.11a APs at a maximum bit rate of 54 Mbps. This comparison shows the impact of the different ranges of 802.11b and 802.11a: ten 802.11a APs are required to cover a similar area to the one 802.11b AP. Coverage range alone is not the whole story. A comparison of the capacity of the two layouts shows 11 Mbps for the 802.11b cell versus 540 Mbps for the 802.11a solution (ten APs at 54 Mbps each), a potential gain of approximately 49 times. In summary, more 802.11a APs are required to cover a given area than 802.11b APs, but the capacity of the 802.11a network is significantly greater.
Figure 3-2
Difference in Coverage between 802.11a and 802.11b (one 280' 802.11b cell at 11 Mbps overlaid with 120' 802.11a cells at 54 Mbps)
Signal Propagation
A 5 GHz wave is about half the length of a 2.4 GHz wave. These shorter waves tend to pass through water rather than be captured by it, and the human body is mostly water. So, in areas with a high density of people, such as a stock trading floor, devices like 802.11a WLANs that operate at 5 GHz may have an advantage in signal propagation and resulting range over devices like 802.11b WLANs that operate at 2.4 GHz. The relatively shorter 5 GHz wave that provides the advantage outlined above also leads to a principal disadvantage of 802.11a relative to 802.11b: 5 GHz waves are more vulnerable to absorption by building materials, such as drywall and concrete.
Antenna Considerations
Antennae options vary greatly for 5 GHz and 2.4 GHz devices. Currently, regulations mandate that antennae must be integral to some 5 GHz transmitting devices. Therefore, vendors can only sell 802.11a devices with antennae that are attached to, and not removable from, the device itself. On the other hand, organizations can select from a wide variety of antennae options for 2.4 GHz devices. These antennae may be attached to the transmitting device or can exist separately, connected via a cable. Antenna placement can seriously impact system installation and range. For instance, with a 2.4 GHz network, organizations have the option to securely locate APs out of sight and cable out to a remote antenna. They also have the ability to house the device in a protective enclosure, which can prolong its life. The antennae restrictions imposed upon 5 GHz devices remove these options. Therefore, installation might be more complicated, overall range might be reduced, and implementation costs might be higher.
Most vendors are making products that can operate in the UNII-1 and UNII-2 bands either separately or simultaneously. When operating simultaneously, FCC regulations for fixed UNII-1 antennas apply to such products. Assuming equivalent environments, and holding transmitter power, antenna gain, and data rate constant, 2.4 GHz offers roughly double the range of 5 GHz. This follows from the physics of radio wave propagation: free-space path loss increases with frequency, so all other things being equal, a higher-frequency signal has a reduced range compared to a lower-frequency signal.
Technology Selection Summary
In general, 2.4 GHz 802.11b technology has an advantage over 802.11a, primarily because 802.11b-compliant devices deliver a greater range than 802.11a technology (see Table 3-3, Table 3-4 and Figure 3-3). There are several reasons for this difference:
• A 2.4 GHz wave is about double the length of a 5 GHz wave.
• 5 GHz waves are more vulnerable to absorption by building materials, such as drywall and concrete.
• Regulations restrict the transmit power and antenna possibilities in the 5 GHz range.
• With reduced range, companies may have to deploy a greater number of 802.11a-compliant APs to cover a designated area, which can lead to higher hardware costs.
Combined, these factors favor 802.11b devices. Implementers are allowed five times less power in the 5 GHz band (compared with 2.4 GHz implementations) and face more stringent Es/No requirements in 802.11a because of the higher data rates: receiver sensitivity falls to -68 dBm at a 54 Mbps data rate, compared with -85 dBm at 11 Mbps. There is simply more attenuation in the air for the 5 GHz spectrum. However, if you use standard Rubber Duck antennas (2.2 dBi) with an 802.11b product and 6 dBi attached antennas with an 802.11a product, and compare similar data rates (such as 12 Mbps for 5 GHz and 11 Mbps for 2.4 GHz), range and throughput are similar. One contributing factor is that the antenna gain of the 802.11b client card is almost 0 dBi, while the gain of the 802.11a CardBus card is 5 dBi. Likewise on the AP side, a 6 dBi antenna is used at 5 GHz compared with a 2.2 dBi antenna at 2.4 GHz. Above all, OFDM modulation copes with multipath more effectively.

Table 3-3
Typical Values of Ranges for 802.11b with Rubber Duck Antenna

Data Rate (Mbps)   Indoor Range (Feet)   Outdoor Range (Feet)
1                  350                   2000
11                 150                   800

Table 3-4
Typical Values of Ranges for 802.11a with Omni Antenna

Data Rate (Mbps)   Indoor Range (Feet)   Outdoor Range (Feet)
6.0                170                   1000
18.0               130                   600
54.0               60                    100
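The range figures above follow from a link budget, and the relationship is worth working through once. The following is an added example (not code from the original guide or from Cisco) that combines the numbers this section states, 100 mW / 2.2 dBi AP / 0 dBi client / -85 dBm at 11 Mbps for 802.11b and 40 mW / 6 dBi AP / 5 dBi client / -68 dBm at 54 Mbps for 802.11a, with a log-distance path-loss model. The centre frequencies (2437 MHz for 2.4 GHz channel 6, 5250 MHz in the middle of UNII-2), the free-space reference at 1 m, and the path-loss exponents (2 for free space, 4 for a cluttered office) are assumptions of the example; the exponent of 4 happens to reproduce the indoor rows of Tables 3-3 and 3-4 closely.

```python
"""Link budget to range with a log-distance path-loss model (added example)."""
import math
from typing import Dict

FEET_PER_METRE = 3.2808


def link_budget_db(tx_power_mw: float, tx_gain_dbi: float,
                   rx_gain_dbi: float, rx_sensitivity_dbm: float) -> float:
    """Total loss the link can absorb: EIRP plus receive gain minus sensitivity."""
    tx_dbm = 10 * math.log10(tx_power_mw)
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm


def free_space_loss_at_1m_db(freq_mhz: float) -> float:
    """Free-space path loss at 1 m: 20*log10(f_MHz) - 27.55 (d in metres)."""
    return 20 * math.log10(freq_mhz) - 27.55


def max_range_m(budget_db: float, freq_mhz: float, path_loss_exponent: float = 2.0) -> float:
    """Invert PL(d) = PL(1 m) + 10*n*log10(d). n=2 is free space; indoor
    clutter is commonly modelled with n between 3 and 4 (assumption)."""
    usable_db = budget_db - free_space_loss_at_1m_db(freq_mhz)
    return 10 ** (usable_db / (10 * path_loss_exponent))


# Values the text gives for the two systems (sensitivity at the top rate).
DOT11B_11MBPS: Dict[str, float] = dict(tx_power_mw=100, tx_gain_dbi=2.2,
                                       rx_gain_dbi=0.0, rx_sensitivity_dbm=-85.0)
DOT11A_54MBPS: Dict[str, float] = dict(tx_power_mw=40, tx_gain_dbi=6.0,
                                       rx_gain_dbi=5.0, rx_sensitivity_dbm=-68.0)
FREQ_2GHZ_MHZ = 2437.0   # channel 6 (assumed)
FREQ_5GHZ_MHZ = 5250.0   # mid UNII-2 (assumed)


def range_ft(params: Dict[str, float], freq_mhz: float, path_loss_exponent: float) -> float:
    return max_range_m(link_budget_db(**params), freq_mhz, path_loss_exponent) * FEET_PER_METRE


def range_ratio_2ghz_to_5ghz(path_loss_exponent: float) -> float:
    """Range advantage of 2.4 GHz over 5 GHz for an identical link budget.
    Only the frequency term differs, so the budget value cancels out."""
    return (max_range_m(100.0, FREQ_2GHZ_MHZ, path_loss_exponent)
            / max_range_m(100.0, FREQ_5GHZ_MHZ, path_loss_exponent))


if __name__ == "__main__":
    for n, label in ((2.0, "free space"), (4.0, "cluttered indoor")):
        print(f"n={n} ({label}): 802.11b @11 Mbps {range_ft(DOT11B_11MBPS, FREQ_2GHZ_MHZ, n):6.0f} ft, "
              f"802.11a @54 Mbps {range_ft(DOT11A_54MBPS, FREQ_5GHZ_MHZ, n):5.0f} ft, "
              f"2.4 GHz : 5 GHz range ratio {range_ratio_2ghz_to_5ghz(n):.2f}")
```

With n=4 the model gives about 155 ft for 802.11b at 11 Mbps and about 52 ft for 802.11a at 54 Mbps, in line with the 150 ft and 60 ft indoor entries. The "roughly double the range" statement holds in free space (ratio about 2.15); with heavier indoor clutter the same frequency difference costs less (about 1.47), because the fixed frequency penalty is spread over a steeper distance law. Free-space results are far above the outdoor table entries, which is a reminder that real outdoor links also suffer ground reflection, Fresnel-zone blockage and fade margin.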
Figure 3-3
Range Comparisons for 802.11a and 802.11b with Cisco AP
5 GHz / 40 mW: 170' @ 6 Mbps, 150' @ 9 Mbps, 140' @ 12 Mbps, 130' @ 18 Mbps, 120' @ 24 Mbps, 100' @ 36 Mbps, 80' @ 48 Mbps, 60' @ 54 Mbps
2.4 GHz / 100 mW: 350' @ 1 Mbps, 250' @ 2 Mbps, 180' @ 5.5 Mbps, 140' @ 11 Mbps
802.11g will use the same band as 802.11b, so the same 802.11b regulations apply. Although the draft is still under development and no product is yet available, 802.11g will not have better range than 802.11b, because of the higher Es/No requirements that come with its inherently higher data rates. Organizations must weigh each factor when selecting a wireless technology. In some cases, sheer performance and capacity favor an 802.11a implementation. In other cases, vendor support, range and implementation advantages lead to a selection of 802.11b technology. The decision depends on the organization's type of activity, mission, and plans for the future, weighed against cost and functional requirements. These competing wireless standards leave many companies wondering which wireless technology to embrace. The Cisco Aironet 1200 Series addresses this concern: its dual-band design supports both established and emerging wireless standards, letting companies implement WLANs without compromise. With the Cisco Aironet 1200 Series, organizations are assured that they will have the right technology both for today and far into the future.
Cisco WLAN RF Product Selection Considerations
The Cisco Aironet WLAN suite consists of a number of products designed for a variety of WLAN applications. This section presents summaries of the following Cisco WLAN product types:
• Access Points, page 3-11
• Client Adapters, page 3-12
• Workgroup Bridges, page 3-13
• Wireless Bridges, page 3-14

Note
The Cisco Aironet WLAN portfolio is constantly changing. Please refer to the Cisco Product Catalog for up-to-date information. The different products can be seen on the Wireless Networking Business Unit web site: http://www.cisco.com/en/US/products/hw/wireless/index.html
Access Points
An access point (AP) is typically the center point in a wireless network and the connection point between a wired and wireless network. Multiple APs can be placed throughout an area to provide freedom of movement to users equipped with WLAN client adapters. Cisco Aironet Series APs offer state-of-the-art features that are very convenient in different deployment scenarios. Key features are:
• 100 mW 802.11b radio with configurable transmit power (1, 5, 20, 30, 50, and 100 mW).
• 40 mW 802.11a radio with configurable transmit power (40, 30, 20, 10, and 5 mW).
• Auto-selecting or configurable data rates.
• Support for inline power over Ethernet and standard power (a power injector module is supplied as standard for cases where inline power is not available). Cisco APs currently use the Cisco power discovery method (802.3af is not yet a ratified standard); Cisco intends to support both modes.
• Cisco 802.11a APs offer a unique 5 GHz articulating antenna incorporating high-gain, omni-directional, diversity antennas and hemispherical patch antennas to deliver two distinct coverage patterns depending on the antenna position.
• 802.11b diversity antenna options include either non-removable 2.2 dBi diversity dipoles (internal antennas) or remote antenna connections via two RP-TNC connectors.
• Diversity antennas for both the 2.4 GHz and 5 GHz radios ensure optimum performance in high-multipath environments such as offices, warehouses, and other indoor installations.
• Auto-sensing 10/100BaseT Ethernet connection.
• IEEE 802.1x-based security architecture.
• Auto-roaming between APs within a single network (subnet or VLAN).
• World Mode—Enables clients to transparently roam to other countries with different channel frequencies and transmit power regulations.
Because WLAN traffic is carried over the air, the security features in the Cisco Aironet Series APs provide support for the latest 802.1x security standards. In addition, the inherent upgradability of the Cisco Aironet Series AP facilitates adopting new wireless security standards as they become available (by upgrading the firmware or radios).

Note
Please see the associated data sheets at http://www.cisco.com for specific product information.
Client Adapters
Client adapters connect to a variety of devices in a WLAN. Based on Direct Sequence Spread Spectrum (DSSS) technology and operating in the 2.4 GHz band, the Cisco Aironet 350 Series client adapters comply with the IEEE 802.11b standard, ensuring interoperability with all other compliant WLAN products. For 2.4 GHz 802.11b cards, two form factors are supported:
• PCMCIA for notebook PCs and PDAs—This is a standard PCMCIA product with an attached end-cap antenna.
• PCI for desktop PCs—The PCI card has the standard Cisco Aironet RP-TNC connector and can be used with all of the Cisco Aironet external antennas.

802.11a CardBus Client Card
The Cisco Aironet 5 GHz 54 Mbps WLAN client adapter is an IEEE 802.11a-compliant CardBus adapter that operates in the UNII-1 and UNII-2 bands. The client adapter complements the Cisco Aironet 1200 Series 802.11a AP, providing a solution that combines performance and mobility with the security and manageability that enterprises require. The integrated 5 dBi gain patch antenna optimizes range.

Note
The 802.11a CardBus adapter has greater antenna gain (5 dBi) than the 0 dBi gain of the 802.11b cards.
Enhanced Client Network Management Features with Extended Client Support
All Cisco wireless client adapters include the Cisco Aironet Client Utility (ACU), a tool with a graphical user interface for configuring, monitoring, and managing an adapter. The ACU includes site survey tools that produce detailed graphical information, including signal strength, to assist in the correct placement of APs. The ACU provides improved, quantifiable data, including signal-to-noise ratio measured in decibels (dB), and signal level and noise level measured in decibels relative to one milliwatt (dBm). Using the ACU, a user can create a profile of settings for each environment, such as the office or home, making it simple for telecommuters and business travelers to reconfigure the adapter when moving from one environment to another. A user can configure channel selection, service set identifier (SSID), WEP key, and authentication method for each of these locations. A broad suite of device drivers provides support for all popular operating systems, including Windows 98, Windows 2000, Windows ME, Windows CE, Mac OS 9.x, Mac OS X, and Linux.
Workgroup Bridges
Workgroup bridges provide wired network connectivity to workgroups through a wireless network connection to a central site. The Cisco Aironet 350 Series Workgroup Bridge supports up to eight downstream devices (such as PCs, printers and notebook computers) through an Ethernet hub or switch connected to its Ethernet port. This is a MAC address limitation, so the workgroup can be extended beyond eight devices by placing a router between the workgroup bridge and the hub. The workgroup bridge can peer wirelessly with either an AP or a wireless bridge. The workgroup-bridge-to-wireless-bridge configuration is applicable to outdoor point-to-point campus connections. The workgroup-bridge-to-AP configuration is applicable to shorter-range, multi-access solutions where the AP may peer with other workgroup bridges and client adapters. The various applications of workgroup bridges are illustrated in Figure 3-4 and Figure 3-5.

Figure 3-4
Mobile Ethernet Enabled User (an Ethernet-enabled laptop attached to a workgroup bridge, which associates to a wireless access point on the switched wired network backbone with Internet access)
Figure 3-5
Remote Workgroup (PCs, laptops, a printer, a server and a point-of-sale register on a hub behind a workgroup bridge, which associates to a wireless access point on the switched wired network backbone)
Wireless Bridges
Wireless bridges (or simply bridges) are used to wirelessly connect two networks (usually in different buildings); refer to Figure 3-6. With appropriate selection of antennas and a clear line of sight, range can extend up to 25 miles at 11 Mbps. Note that only bridges have this extended range capability. The extended range is achieved by operating outside the IEEE 802.11 timing specifications. The link from an 802.11b-conforming AP to any client is limited to a one-mile range, irrespective of transmit power, cable, and antenna combinations. Cisco Aironet Bridges support a superset of AP functionality and can operate in either bridge or AP mode depending upon the requirement.
Figure 3-6
Typical Bridge Application Connecting Buildings Across a Campus or Metro Area

Note
APs cannot be used to bridge two wired networks.
Chapter 4
WLAN Security Considerations
As network administrators begin to deploy WLANs, they are faced with the challenge of trying to secure these environments while providing maximum flexibility for their users. This chapter provides details regarding deployment of the Cisco Secure Enterprise WLAN solution. It is divided into the following sections:
• Security Deployment Models, page 4-1
• Cisco WLAN Security Options and Recommendations, page 4-7
Security Deployment Models
The security model selected for a given WLAN implementation has a substantial impact on the overall WLAN design. Three enterprise-oriented WLAN Extension security models are presented in this design guide:
• WLAN LAN Extension 802.1x/EAP, page 4-2
• WLAN LAN Extension IPSec, page 4-3
• WLAN Static WEP Keys, page 4-5
The goal of a WLAN LAN Extension network is for the WLAN access network to transparently provide the same applications and services as the wired access network. Each WLAN Extension discussion that follows addresses the following types of transparency:
• Security Transparency—Do the selected security capabilities seamlessly provide WLAN network security equivalent to wired networks?
• Application Transparency—Are the supported WLAN network applications identical to applications on a wired network?
• Performance Transparency—Does the WLAN deliver application performance that matches wired network performance?
• User Transparency—Are users of the WLAN forced to perform network-specific operations to use the WLAN?
WLAN LAN Extension 802.1x/EAP
This discussion presents WLAN Extension 802.1x/EAP deployment in terms of the following key topics:
• Security Transparency, page 4-2
• Application Transparency, page 4-3
• Performance Transparency, page 4-3
• User Transparency, page 4-3
Security Transparency
An 802.1x/EAP implementation of WLAN LAN Extension operates at the link layer (Layer 2) to provide authentication, authorization, accounting, and encryption. Figure 4-1 shows a schematic of the 802.1x/EAP WLAN. The security level provided is beyond that provided on most wired networks, providing link layer encryption and Authentication, Authorization, and Accounting (AAA) access control. This is provided as follows:
• Authentication occurs between the client and the authentication server. Several different EAP types (EAP-Cisco, EAP-TLS, EAP-TTLS, PEAP) are supported, allowing the Enterprise to choose the authentication type that best suits its needs.
• Encryption is at the link layer between the WLAN client and the AP. The current encryption mechanisms available are Wired Equivalent Privacy (WEP) and WEP plus TKIP and MIC. Future mechanisms include Wi-Fi Protected Access (WPA) and Advanced Encryption Standard (AES). The encryption keys are automatically derived during the authentication process.
• Authorization is controlled by the VLAN membership in combination with the access controls applied at the access router terminating the VLAN.
• Accounting is provided by the RADIUS accounting communicated by the APs to the RADIUS server.
Figure 4-1 WLAN LAN Extension 802.1x/EAP (labels: Authentication, Accounting, Encryption, Authorization, 802.1x EAP, Enterprise network)
Application Transparency
As illustrated in Figure 4-1, the WLAN connects at the access layer. Once the WLAN client traffic leaves the AP, it is the same as wired traffic—subject to the same access control, queuing, and routing. This achieves the WLAN LAN extension goal of supporting the same applications as the wired network. Any inability to run applications from the wired network over the WLAN network would be the result of policies or the fundamental limitations of the WLAN—not due to the 802.1x/EAP architecture.
Performance Transparency
WLAN has a lower bit rate and a lower throughput than most Enterprise wired LANs. Therefore providing equivalent performance for all applications over the WLAN can be a challenge. The strategy to minimize differences in application performance between the wired and wireless network is to utilize the QoS tools available on the WLAN and the APs. Those applications identified as being sensitive to network throughput and delay can be classified and scheduled as required. Load balancing and admission control tools on the WLAN can optimize the usage of the available WLAN resources.
User Transparency
The different EAP types in 802.1x/EAP allow enterprises to choose an authentication mechanism that best matches security requirements. This allows the integration of the 802.1x/EAP into existing user behavior. Many organizations enforce stronger authentication mechanisms on WLAN networks (compared to wired networks), due to reduced physical security in the WLAN. Authentication on the wired network is expected to catch up with WLAN networks, with organizations using 802.1x/EAP mechanisms to enhance wired network security.
WLAN LAN Extension IPSec
The use of IPSec VPN tunnels is an alternative to 802.1x/EAP implementation. Network designers might choose this implementation over an 802.1x/EAP solution due to security policy reasons. IPSec is a well-established standard that is endorsed by a number of security organizations. IPSec is a regulatory requirement in some situations. The primary advantage of an IPSec-based VPN solution is the encryption mechanism. IPSec includes support of Triple Data Encryption Standard (3DES) and AES encryptions, whereas 802.1x/EAP currently relies upon WEP or proprietary WEP plus TKIP and MIC. A WLAN LAN Extension IPSec solution is considered more difficult to implement than an 802.1x/EAP solution. The network topology up to the VPN concentrator is considered untrusted and an appropriate security policy must be created, configured, and maintained at all points that touch this untrusted network. The remainder of this discussion presents WLAN Extension IPSec deployment in terms of the following topics:
• Security Transparency, page 4-4
• Application Transparency, page 4-4
• Performance Transparency, page 4-4
• User Transparency, page 4-5
Security Transparency
WLAN LAN Extension via IPSec provides AAA-equivalent features to 802.1x/EAP solutions. Refer to Figure 4-2. Key elements are as follows:
• Authentication occurs between the client and the VPN concentrator. Multiple authentication types are supported within the IPSec framework.
• Encryption is at the network layer using 3DES or AES, and is negotiated between the client and the VPN concentrator.
In addition to the inherent WLAN LAN Extension IPSec security features associated with this implementation, VPN capabilities provide additional AAA-related security capabilities:
• Authorization is controlled by the VPN concentrator and is determined at the time of authentication. Policy is provided by the authentication server.
• Accounting is provided by RADIUS accounting software on both the VPN concentrator and the authentication server.
Figure 4-2 WLAN LAN Extension IPSec (labels: Authentication, Encryption, IPSec, Accounting, Authorization, Enterprise network)
Application Transparency
As can be seen in Figure 4-2, WLAN traffic is transported over an IPSec tunnel to the VPN concentrator. This can affect application transparency:
• Protocol Limitations—Only the IP protocol is supported; the network is not multi-protocol.
• Address Translation—The IPSec client performs a form of address translation between its local IP address and that allocated by the VPN concentrator. This can impact the operation of some applications.
• No Multicast—The connection to the VPN concentrator is point-to-point; multicast applications are not supported.
Performance Transparency
Providing equivalent performance for all applications over the WLAN can be a challenge, because a WLAN has a lower bit rate and a lower throughput than most Enterprise wired LANs. The use of IPSec VPN tunnels introduces some additional considerations:
• MTU size—The MTU size of packets must be adjusted to incorporate IPSec overhead.
• Processing Overhead—Clients incur processing overhead from IPSec VPN. However, this should not be noticeable on most target platforms.
• Traffic Classification and QoS Considerations—Type of Service (ToS) and differentiated-services-code-point (DSCP) values are projected from client packets into the IPSec packets. As a result, QoS preference can be acted upon, but no classification of traffic is possible while the traffic is IPSec encrypted.
• Traffic Scheduling—All queuing at the VPN concentrator is handled on a first-in-first-out basis.
User Transparency
The Cisco IPSec VPN client has a number of features that aid user transparency, thereby providing equivalent services to those available with 802.1x/EAP solutions:
• Auto Initiation—The VPN client can be configured to automatically launch for particular address ranges. In an enterprise, this would be configured to launch within the Enterprise WLAN address ranges.
• OS Integration—The VPN client can capture username and password information at login and use these as part of the VPN client login. This is similar to the process used in EAP-Cisco. As an alternative, the VPN client can use stored certificates associated with a specific user, similar to EAP-TLS. These features coupled with Auto Initiation should provide a high level of user transparency.
WLAN Static WEP Keys
Static WEP key implementation (see Figure 4-3) is not recommended for general purpose WLAN LAN Extension networks because of known weaknesses in the WEP encryption algorithms—and because of the difficulty in configuring and maintaining static keys. Certain client devices are only capable of supporting static keys. These clients should be put on a separate WLAN VLAN and have their authorization limited to addresses and protocols specific to the application supported by the Static WEP client. If possible, WEP plus TKIP and MIC should be used in preference to WEP, because WEP plus TKIP and MIC provides increased security features. The remainder of this discussion presents WLAN Static WEP key deployment in terms of the following topics:
• Security Transparency, page 4-6
• Application Transparency, page 4-6
• Performance Transparency, page 4-6
• User Transparency, page 4-6
Figure 4-3 WLAN Static WEP (labels: Encryption, Authorization, Enterprise network)
Security Transparency
Security issues related to static WEP key implementations:
• Weak Authentication—Any hardware device with a matching configuration and WEP key may join the network. The Static WEP key authenticates a group of devices—never individual users.
• Encryption Limitation—Encryption is at the link layer between the WLAN client and the AP. The current encryption mechanisms available are WEP and WEP plus TKIP and MIC. If possible, WEP plus TKIP and MIC should be used.
• Authorization Limitation—Authorization is controlled by the VLAN membership associated with the static WEP key.
• Accounting—Not available.
Application Transparency
As illustrated in Figure 4-3, the WLAN connects at the access layer. Once the WLAN client traffic leaves the AP, it is the same as wired network traffic—subject to the same access control, queuing, and routing. WLAN Static WEP solutions should be limited to the specialized applications that the Static WEP client supports. The network would appear transparent to this application, but to all other applications access should be blocked.
Performance Transparency
To minimize differences in application performance between the wired and wireless network, utilize the QoS tools available on the WLAN and the APs. Those applications identified as being sensitive to network throughput and delay can be classified and scheduled as required. Load balancing and admission control tools on the WLAN can optimize the usage of the available WLAN resources.
User Transparency
Static WEP requires no authentication and should be transparent to the supported applications and users. The static WEP key only becomes an issue for the user if required to change it.
Cisco WLAN Security Options and Recommendations
This section provides a high-level overview of Cisco’s various WLAN security options and presents recommendations for secure deployments in Enterprise networks. This overview of WLAN security options consists of the following sections:
• Understanding Overall Network Security, page 4-7
• Flexible WLAN Security using VLANs, page 4-7
• Headquarters/Campus WLAN Deployment, page 4-8
• Branch Office WLAN Deployment, page 4-12
• Additional Security Considerations, page 4-13
Understanding Overall Network Security
The key to understanding WLAN security is to understand the overall picture of the network to be secured. This discussion focuses on Enterprise security by addressing the following topics:
• “Flexible WLAN Security using VLANs” section on page 4-7
• “Headquarters/Campus WLAN Deployment” section on page 4-8
• “Branch Office WLAN Deployment” section on page 4-12
A WLAN can be looked at as another access technology in the overall network architecture. It integrates into the overall end-to-end Cisco AVVID architecture. In addition, Cisco’s WLAN architecture integrates into Cisco’s overall 802.1x/EAP Identity-Based Networking architecture. Cisco’s WLAN security provides the following benefits:
• Flexible model allowing dynamic or static WEP key-management.
• 802.1x user authentication for networking devices. This model is also used for wired connectivity.
• Enhancements beyond the basic security model defined in 802.11. This includes user-based authentication, mutual-authentication, dynamic WEP-key rotation, and TKIP and MIC to prevent WEP key spoofing and hacking.
These features combine to provide Cisco with the most flexible WLAN security offering in the industry, allowing implementers to choose the architecture that best matches specific security requirements and deployed equipment.
Flexible WLAN Security using VLANs
Just as Cisco’s AVVID architecture provides enhanced QoS for VoIP using dedicated VLANs for voice and data, VLAN support on the APs and Catalyst Switches allows multiple WLAN security domains to be created. This allows multiple types of WLAN security to be mixed and matched on the same Cisco AVVID network infrastructure. Refer to Figure 4-4.
Figure 4-4 Using VLANs to Create Multiple WLAN Security Domains (labels: Cisco Secure ACS 3.1; Developer; Human resources; Teleworker; Guest or contractor; VLAN 10; VLAN 30 EAP-Cisco_Authentication; VLAN 99 Open_Authentication; VLAN 21)
In addition to VLANs having the flexibility to create multiple WLAN security domains for flexible deployments, they also allow flexible migrations from older WLAN security to updated standards or products. This is not only possible because of VLANs, but also because Cisco APs and Cisco Secure ACS support simultaneous WLAN security such as EAP-Cisco, EAP-TLS, PEAP and EAP-Subscriber Identity Module (EAP-SIM). In addition, Cisco Aironet 802.11 NICs support multiple types of WLAN security, including EAP-Cisco and PEAP.
Headquarters/Campus WLAN Deployment
The 802.11 standard specifies 40-bit WEP as the security mechanism for WLAN networks. Unfortunately, many independent security reports have proven that by itself, WEP’s security can be compromised. Because of this, several steps must be taken to allow a WLAN network to be securely deployed. The limitations of WEP include the following:
• WEP does not define a mechanism for dynamic key-management. This means that the WEP keys must be manually configured on each device and if a device is lost or stolen, all devices must be revisited to update the WEP key.
• WEP does not provide a mechanism to provide user-based authentication, only device-based. This means that the network authentication is based on the physical device, which could be stolen or lost.
• WEP does not define a mechanism to dynamically rotate the WEP keys. This means that if a WEP key is hacked or stolen, it can be used by a hacker to falsely authenticate with the network.
• WEP does not prevent man-in-the-middle or bit-flipping attacks. This means that a hacker could intercept data between two users and manipulate the content of that data.
• It has been demonstrated that a key can be derived by passively capturing and processing a sufficient number of WEP-encrypted packets.
To overcome these limitations, Cisco implemented WLAN security based on 802.1x and EAP Authentication. 802.1x provides a Layer 2 authentication mechanism and carries the user authentication that is passed with EAP. Refer to Figure 4-5.
Figure 4-5 WLAN Security based on 802.1x and EAP Authentication (labels: Cisco Secure ACS 3.1; RADIUS; EAP; 802.1x; 802.11; Ethernet; EAP_Authentication; Guest or contractor)
While Cisco’s APs and CiscoSecure ACS support multiple EAP authentication types (1), EAP-Cisco, EAP-TLS and PEAP are currently supported end-to-end when using Cisco Aironet or Partner NICs. EAP-Cisco provides extensions to EAP to provide user-based authentication, mutual authentication and integration with Windows user-databases. EAP-Cisco is supported on all Cisco WLAN products, and is also licensed to several partners including Apple and Symbol. PEAP and EAP-TLS are IETF drafts that have been proposed by Cisco, Microsoft and RSA (refer to http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-05.txt). PEAP provides a multi-vendor authentication mechanism that provides a superset of functionality beyond EAP-Cisco. It works with multiple vendors’ equipment, as well as multiple types of user-databases including Microsoft, LDAP, OTP, RADIUS and NDS. EAP-TLS uses certificate based authentication (refer to http://www.ietf.org/rfc/rfc2486.txt?number=2486). EAP-TLS is a multi-vendor authentication mechanism that provides authentication based on user and server certificates, and effectively integrates into an existing networking scheme employing a Public-Key Infrastructure (PKI).
1. EAP-SIM is also supported, but would not normally be used in Enterprise environments.
Note
Not all OSs currently support 802.1x and EAP supplicants (clients). It is currently supported in Windows XP and will be available via Service Packs on other Windows OSs.
With this in mind, Cisco recommends using EAP-Cisco or PEAP as the security mechanism for headquarters/campus WLAN deployments. Beyond overcoming the limitations of WEP, network administrators must also be concerned with three issues in WLAN deployments in the campus:
• Providing integration with the rest of the wired network.
• Preventing rogue APs from being deployed in their network.
• Providing guest access to non-company users (such as contractors and vendors).
These questions are answered by using 802.1x authentication. 802.1x authentication provides link-layer authentication to network devices, which is verified against a RADIUS server (Cisco Secure ACS). Figure 4-6 presents a generalized illustration of an ACS-based environment. 802.1x is available on Cisco Catalyst Switches. It allows ports on the Catalyst Switches to determine whether connected devices (such as PCs and IP phones) should gain access to the network based on their user credentials. 802.1x is also used between WLAN clients and Aironet APs to pass user-authentication information for EAP-Cisco. This use of 802.1x, EAP and RADIUS provides the integrated link-layer authentication that is the foundation for Identity-Based Networking and Secure WLAN deployments.
Figure 4-6 Cisco’s 802.1x/EAP Architecture for Wired and Wireless Networks (labels: Cisco ACS)
In addition to user authentication, 802.1x can be used as a mechanism to prevent rogue APs from being added into the network. Currently, Cisco Aironet APs do not support an 802.1x supplicant (802.1x client), but the expectation is that they would be deployed in a 20:1-to-25:1 ratio per user. This means that the number of wired devices supporting 802.1x would be considerably greater than the number of APs deployed. With this in mind, 802.1x can be enabled on all Catalyst Switch ports except for those connected to Cisco Aironet APs. This will force all rogue APs to authenticate via 802.1x. This will cause them to fail and the Catalyst Switch port to block access to the network. Refer to Figure 4-7.
Figure 4-7 Preventing Rogue APs using 802.1x on Cisco Catalyst Switches (labels: 802.1x disabled only on authorized AP switch ports; 802.1x pushed to WLAN edge; Authorized AP; Rogue AP; Rogue AP locked out after failed authentication)
Finally, by combining the VLAN functionality and 802.1x authentication on the Cisco Catalyst Switches and Aironet APs, guest access can be provided to non-authorized users and devices. Some Catalyst Switches support only allow and deny, while others support allow, deny, guest, and VLAN selection based on the 802.1x authentication. The ability to change the VLAN of the switch port gives network administrators the ability to designate certain VLANs for guest access (refer to Figure 4-8). This guest access can then be further filtered or firewalled to allow only Internet or other restricted network access to the specific users. Refer to Chapter 10, “WLAN Guest Network Access,” for more information about Guest Access WLANs.
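The following Catalyst switch configuration is an added example, not taken from this design guide, that puts the three recommendations above (802.1x on user ports, 802.1x left off only on authorized AP ports, a guest VLAN for failed or supplicant-less devices) into one place. It assumes Cisco IOS-based Catalyst syntax, an ACS server at 10.1.1.5 with shared secret CHANGE-ME, VLAN 10 as the AP management/native VLAN, VLAN 14 as a user VLAN, and VLAN 99 as the guest VLAN; all of these values are placeholders.

```text
! Added example (not from the design guide). Assumed values: ACS at 10.1.1.5,
! shared secret CHANGE-ME, VLAN 10 = AP management (native), VLAN 14 = users,
! VLAN 99 = guest.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server host 10.1.1.5 auth-port 1645 acct-port 1646 key CHANGE-ME
!
! Turn the 802.1x authenticator on globally; without this, "port-control auto"
! ports stay open, which is an easy misconfiguration to miss during an audit.
dot1x system-auth-control
!
! Wired user port: the PC must pass 802.1x/EAP before the port forwards.
! A device with no supplicant, or a failed login, is moved into the guest VLAN,
! which the access router must restrict to Internet-only reachability.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 14
 dot1x port-control auto
 dot1x guest-vlan 99
 spanning-tree portfast
!
! Port cabled to an *authorized* Aironet AP. The AP has no 802.1x supplicant,
! so this is the only place 802.1x is turned off (force-authorized). The port is
! an 802.1Q trunk carrying the management VLAN untagged plus the wireless VLANs.
interface FastEthernet0/2
 description Authorized-AP-Floor1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,14,99
 switchport mode trunk
 dot1x port-control force-authorized
!
! Every other port keeps "dot1x port-control auto": a rogue AP plugged in there
! has no credentials, fails authentication, and the port blocks. If that port
! also carries "dot1x guest-vlan", the rogue AP is confined to the guest VLAN
! instead of blocked, so omit the guest VLAN on ports where that is not wanted.
```

The force-authorized ports are the ones to inventory and monitor: a practitioner should be able to list them and match each one to a known AP, since any other force-authorized port is an unauthenticated way onto the network.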
Figure 4-8 Providing Guest Access using VLANs and 802.1x on Cisco Catalyst Switches and APs (labels: Cisco Secure ACS 3.1; VLAN 10 Engineering_VLAN, Developer; VLAN 30 HR_VLAN, Human resources; VLAN 21 Contractor_VLAN, Guest or contractor)
Branch Office WLAN Deployment
Branch office WLAN deployments (see Figure 4-9) are an extension of the headquarters campus WLAN deployment. The WLAN security requirements for branch office implementations should match those of the headquarters campus:
• Dynamic WEP-key management and authentication via 802.1x and EAP-Cisco/PEAP
• 802.1x for rogue AP detection
• 802.1x and VLANs for guest access
Figure 4-9 Branch Office WLAN Deployments (labels: Headquarters; Branch office; IP Telephony/services; Core Backbone; V3PN-SP; T1)
The one additional consideration for the branch office implementation is determining whether the Cisco ACS servers should be deployed only at the central site or at remote sites. This determination should be made according to the WAN bandwidth (possibly affecting authentication response times), size of deployment (possibly affecting the scalability of branch offices and branch users with respect to a central ACS), and the administrative capabilities at the branch office.
Additional Security Considerations
This document has highlighted two concepts:
• VLANs allow multiple types of WLAN security to be deployed over a Cisco AVVID infrastructure.
• 802.1x, EAP-Cisco/PEAP and WEP plus TKIP and MIC combine to provide a secure environment for WLAN deployment with the foundation for moving to updated standards as they become available.
In addition to the recommendations for the headquarters campus and branch deployments discussed here, several other Cisco technologies can be used to enhance WLAN security. These include IPSec VPNs, firewalls, and intrusion detection systems (IDS). Refer to Figure 4-10.
Figure 4-10 Enhancing WLAN Security with IPSec VPNs, Firewalls and IDS (labels: Cisco Secure ACS 3.1; IPSec VPN tunnel; VPN 3000; VLAN 12 WEP_Authentication; VLAN 99 Open_Authentication; Secured corporate network; Corporate network)
The Cisco SAFE architecture defines how VPNs, firewalls and IDS should be deployed for both wired and wireless networks. Refer to:
http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html
IPSec VPNs offer an enhancement for administrators who cannot provide enough native security (using, for example, open authentication or static WEP) with the inherent WLAN environment. This might involve PC users launching the CiscoSecure VPN Client, or having all traffic from a VLAN placed into an IPSec VPN which is then routed outside of the corporate firewall or to a specific internal server application.
EAP Considerations for High Availability ACS Architecture
The ACS redundancy and reliability is meant to address two issues:
• The ACS server should not represent a single point of failure
• A network failure should not impact a user’s ability to log on
The first issue is a good reason to replicate the ACS database to a secondary server, allowing for failover and maintenance. This redundancy configuration should be implemented in almost all cases. The second issue concerns the case in which it is critical to use the local WLAN even in the event of a network failure preventing access to a remote ACS server. Implementation of this second use of replication depends on the application architecture of the enterprise. For example, if the applications that the users want to reach are also remote, little is to be gained by being able to use the WLAN.
The ACS Architecture
The ACS strategy must consider how the entire enterprise will be structured, rather than just the campus. A key consideration is the location of AAA databases. It is essential that—assuming a database that is distributed across the enterprise—the ACS strategy reflect an approach in which the elements of the ACS architecture are carefully analyzed, designed, and implemented for authentication systems associated with file services throughout the enterprise. This assessment should be the starting point for the ACS deployment strategy. In an ideal situation, the existing infrastructure can provide the usernames, passwords, and profiles to the ACS servers. The implementation of an ACS architecture-based infrastructure is currently limited to systems that store the password using MS-CHAP, such as Microsoft servers. The main point to be aware of in this strategy is that the ACS model is a replication model, not a synchronization model. This model might conflict with the administration processes currently in place, as updates must be made on the root server, and administrators on this server have global rights.
Example Architecture
Figure 4-11 shows an example of what ACS architecture might look like. Campus A holds the authoritative ACS database server. This server is replicated to the other Enterprise ACS servers. APs communicate to the two local ACS servers. Campus B—because of its size and distance from Campus A—has opted for another two ACS servers (thus providing its own backup). Campus C—being smaller and closer to Campus A—has opted to have only one server, and relies on Campus A for backup. The branch offices use the ACS servers that are the shortest network distance from them.
Figure 4-11 Example Enterprise ACS Architecture (labels: Campus A; Campus B; Campus C; Branch Offices; ACS; Replication; AP-ACS Communication)
Chapter 5
Wireless LAN VLANs
This chapter focuses on the implementation of virtual local area networks (VLANs) in the context of WLAN environments. The following sections summarize key WLAN VLAN considerations:
• VLAN Background, page 5-1
• Wireless VLAN Introduction, page 5-3
• Wireless VLANs—Detailed Feature Description, page 5-6
• Guidelines for Deploying Wireless VLANs, page 5-10
VLAN Background
VLANs define broadcast domains in a Layer-2 network. Legacy networks use routers to define broadcast domain boundaries. Layer-2 switches create broadcast domains based on the configuration of the switch. Switches are multi-port bridges that allow the creation of multiple broadcast domains. Each broadcast domain is a distinct virtual bridge within a switch. VLANs have the same attributes as physical LANs with the additional capability to group end stations physically to the same LAN segment regardless of the end station’s geographical location. Figure 5-1 shows an example of three wired VLANs in logically defined networks.
Figure 5-1 Example Deployment of Wired VLANs (labels: Switch 1, Switch 2, Switch 3; Floor 1, Floor 2, Floor 3; Engineering VLAN; HR VLAN; Marketing VLAN; 802.1Q Trunk; Router)
Single or multiple virtual bridges can be defined within a switch. Each virtual bridge created in the switch defines a new broadcast domain (VLAN). Switch interfaces assigned to VLANs manually are referred to as interface-based or static membership-based VLANs. This type of VLAN is often associated with IP subnetworks. For example, when all of the end stations in a particular IP subnet belong to the same VLAN, traffic cannot pass directly to another VLAN (between broadcast domains) within the switch or between two switches. Traffic between VLANs must be routed.
To interconnect two different VLANs, routers are used. These routers execute inter-VLAN routing or routing of traffic between VLANs. Broadcast traffic is then terminated and isolated by these Layer-3 devices (a router or Layer-3 Switch will not route broadcast traffic from one VLAN to another). The two most common VLAN trunking protocols used on Cisco switches and routers are Inter-Switch Link (ISL) and IEEE 802.1Q. ISL (Cisco-proprietary protocol) and 802.1Q (IEEE standard) are encapsulation standards used to interconnect multiple switches and routers via trunking. For more information on these VLAN trunking protocols, please refer to the following URL:
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:Trunking
Wireless VLAN Introduction
The concept of Layer-2 wired VLANs is extended to the WLAN with wireless VLANs. As with wired LANs, wireless VLANs define broadcast domains and segregate broadcast/multicast traffic between VLANs. When VLANs are not used, an IT administrator must install additional WLAN infrastructure to segment traffic between user groups or device groups. For example, to segment traffic between employee and guest VLANs, an IT administrator must install two APs at each location throughout an Enterprise WLAN network (as shown in Figure 5-2). However, with the use of Wireless VLANs, one AP at each location can be used to provide access to both groups.
Figure 5-2 User Segmentation without Wireless VLANs (labels: AP_1A and AP_2A, SSID=Employee, VLAN 15; AP_1B and AP_2B, SSID=Guest, VLAN 20; Enterprise network)
With VxWorks firmware release 12.00T or Cisco IOS firmware release 12.2.4-JA, an 802.1Q trunk can be terminated on an AP (AP 1200, AP 1100, AP 350, and AP 340) or on a bridge (BR 350), allowing access up to 16 wired VLANs. A unique Service Set Identifier (SSID) defines a wireless VLAN on the AP and the bridge. Each SSID is mapped to a VLAN-id on the wired side (default SSID-to-VLAN-id mapping). Additionally, with WLANs, a per-VLAN security policy can be defined on the AP and on the bridge by the IT administrator. Refer to the “Configuration Parameters per VLAN” section on page 5-6 for additional information regarding per-VLAN security configuration.
Wireless VLAN Deployment Overview
Wireless VLAN deployments are different for indoor and outdoor environments. For indoor deployments (see Figure 5-3), the AP is generally configured to map several wired VLANs to the WLAN. For outdoor environments (please refer to Figure 5-4 on page 5-5), by contrast, 802.1Q trunks are deployed between bridges, with each bridge terminating and extending the 802.1Q trunk and participating in the 802.1d-based spanning-tree protocol (STP) process.
Note
For related information regarding spanning-tree design and implementation considerations please refer to the Cisco AVVID Network Infrastructure—Implementing 802.1w and 802.1s in Campus Networks SRND.
Cisco AVVID Wireless LAN Design 956608
5-3
Chapter 5
Wireless LAN VLANs
Wireless VLAN Introduction
Figure 5-3 Indoor Wireless VLANs Deployment
[Figure: AP_1 and AP_2 each terminate an 802.1Q trunk (native VLAN=10) from the Enterprise network and serve SSIDs Full-Time, Part-Time, Maintenance, and Guest; the Management VLAN (VLAN-id 10) holds the RADIUS server.]
In the indoor WLAN deployment scenario shown in Figure 5-3, four wireless VLANs are provisioned across the campus to provide WLAN access to full-time employees (segmented into Engineering, Marketing, and Human Resources user groups) and guests. Also, as shown in Table 5-1, each wireless VLAN is configured with an appropriate security policy and mapped to a wired VLAN. An IT administrator enforces the appropriate security policies within the wired network for these four different user groups.

Table 5-1 Configuration for Wireless VLANs in Figure 5-3

SSID          VLAN-id   Security Policy
Engineering   14        802.1x with Dynamic WEP + TKIP
Marketing     24        802.1x with Dynamic WEP + TKIP
HR            34        802.1x with Dynamic WEP + TKIP
Guest         44        Open/no WEP
An outdoor WLAN deployment scenario is shown in Figure 5-4. In this example, wireless trunking is used to connect the root bridge to the non-root bridges. The root and non-root bridges terminate the 802.1Q trunk and participate in the spanning-tree protocol (STP) process of bridging networks together.
Note
For related information regarding spanning-tree design and implementation considerations please refer to the Cisco AVVID Network Infrastructure—Implementing 802.1w and 802.1s in Campus Networks SRND.
Figure 5-4 Outdoor Wireless VLANs Deployment
[Figure: Bridge_1 (Root) terminates an 802.1Q trunk from Switch_1; Bridge_2 (non-Root) and Bridge_3 (non-Root) terminate 802.1Q trunks toward Switch_2 and their local VLANs. VLANs 11, 12, and 14 are carried across the wireless trunk; the wireless trunk SSID is labelled SSID=VLAN_14.]
Wireless VLANs—Detailed Feature Description

This section details the VLAN features available with VxWorks firmware release 12.00T and Cisco IOS firmware release 12.2.4-JA. With these releases, an 802.1Q trunk can be enabled between the AP/bridge and the wired infrastructure, allowing up to 16 wired VLANs to be extended to the WLAN. The discussion is split into the following sections:
• Configuration Parameters per VLAN, page 5-6
• Broadcast Domain Segmentation, page 5-7
• Native (Default) VLAN Configuration, page 5-7
• Primary (Guest) and Secondary SSIDs, page 5-8
• RADIUS-based VLAN Access Control, page 5-8
Configuration Parameters per VLAN

As discussed in the “Wireless VLAN Introduction” section on page 5-3, a per-VLAN security policy can be defined on the AP to allow the IT administrator to define appropriate restrictions per VLAN. The following parameters are configurable on the SSID (wireless VLAN):
• SSID Name—Configures a unique name per wireless VLAN.
• Default VLAN ID—Default VLAN-ID mapping on the wired side.
• Authentication Types—Open, Shared, and Network-EAP types.
• Media Access Control (MAC) Authentication—Under Open, Shared, and Network-EAP.
• EAP Authentication—Under Open and Shared authentication types.
• Maximum Number of Associations—Ability to limit the maximum number of WLAN clients per SSID.
The following parameters are configurable on the wired VLAN side:
• Encryption Key—This is the key used for broadcast/multicast traffic segmentation per VLAN. It is also used for static WEP clients (for both unicast and multicast traffic). The IT administrator must define a unique encryption key per VLAN. This is discussed in more detail in the “Broadcast Domain Segmentation” section on page 5-7.
• Enhanced Message Integrity Check (MIC) Verification for WEP—Enables MIC per VLAN.
• Temporal Key Integrity Protocol (TKIP)—Enables per-packet key hashing per VLAN.
• WEP (Broadcast) Key Rotation Interval—Enables Broadcast WEP key rotation per VLAN. This is only supported for wireless VLANs with 802.1x protocols enabled (such as EAP-Cisco, EAP-TLS, PEAP, EAP-SIM, and the like).
• Default Policy Group—Applies a policy group (set of Layer-2, -3, and -4 filters) per VLAN. Each filter (within a policy group) is configurable to allow or deny certain types of traffic.
• Default Priority—Applies a default CoS priority per VLAN.
With an encryption key configured, the VLAN supports standardized WEP. However, Cisco TKIP/MIC/Broadcast Key rotation features are optionally configurable as noted above. Table 5-2 lists the SSID and VLAN-ID configuration parameters.
Table 5-2 SSID and VLAN-ID Configuration Parameters

Parameter                               SSID Parameter   VLAN-ID Parameter
Authentication Types                    X
Maximum number of Associations          X
Encryption key (Broadcast Key)                           X
TKIP/MIC                                                 X
WEP (Broadcast) Key rotation Interval                    X
Policy Group                                             X
Default Priority (CoS mapping)                           X
Broadcast Domain Segmentation

All Layer-2 broadcast and multicast messages are propagated over the air. Thus, each WLAN client receives broadcast/multicast traffic belonging to different VLANs. This is different from wired VLAN broadcast/multicast traffic: a wired client receives Layer-2 broadcast/multicast traffic only for its own VLAN. Thus, a unique encryption (broadcast/multicast) key per VLAN is used to segment the Layer-2 broadcast domains on the WLAN. This unique encryption key must be configured during initial VLAN setup. If Broadcast Key rotation is enabled, this encryption key is generated dynamically and delivered to WLAN clients in 802.1x messages. The requirement to segment broadcast domains on the wireless side restricts the use of unencrypted VLANs per WLAN Extended Sub System (ESS): a maximum of one VLAN can be unencrypted per WLAN ESS. Also, the behavior of a WLAN client on an encrypted VLAN should be to discard unencrypted Layer-2 broadcast/multicast traffic.
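The segmentation rule above can be made concrete by running it: every client hears every VLAN's broadcasts, but only the frame protected under the client's own VLAN key passes the integrity check, an encrypted-VLAN client drops plaintext broadcasts, and the single unencrypted VLAN is the only one a keyless (guest) client can read. The following is an added example, not Cisco code from this guide; the WEP-style encapsulation (24-bit IV, RC4 keystream over IV||key, CRC-32 ICV) is modelled only so that the key-separation logic is executable, and the VLAN keys, IVs, and ARP payloads are constructed sample data.

```python
"""Per-VLAN broadcast keys as a Layer-2 broadcast-domain boundary on the air.
Added example, not Cisco code. The WEP-style encapsulation is modelled only so
the key-separation logic can run; WEP itself is obsolete and gives no real
confidentiality, which the guide addresses elsewhere with TKIP/MIC and key rotation."""
import struct
import zlib
from typing import Dict, List, Optional, Tuple

Frame = Tuple[bool, bytes]   # (protected flag, bytes as sent over the air)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encapsulate(vlan_key: bytes, payload: bytes, iv: bytes) -> bytes:
    """IV || RC4(IV||key, payload || CRC-32 ICV). The IV is passed in to keep the example deterministic."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return iv + rc4(iv + vlan_key, payload + icv)


def wep_decapsulate(vlan_key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the payload, or None when the ICV fails (wrong VLAN key or corrupted frame)."""
    if len(frame) < 3 + 4:
        return None
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + vlan_key, body)
    payload, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) != icv:
        return None
    return payload


def ap_broadcast(vlan_keys: Dict[int, Optional[bytes]], vlan_id: int,
                 payload: bytes, iv: bytes) -> Frame:
    """The AP forwards a wired-side broadcast onto the air under that VLAN's key;
    a VLAN whose key is None is the one unencrypted VLAN an ESS may carry."""
    key = vlan_keys[vlan_id]
    if key is None:
        return (False, payload)
    return (True, wep_encapsulate(key, payload, iv))


def client_receive(client_key: Optional[bytes], frame: Frame) -> Optional[bytes]:
    """A client hears every VLAN's broadcasts but keeps only those it can validate
    with its own VLAN key; an encrypted-VLAN client drops plaintext broadcasts."""
    protected, body = frame
    if client_key is None:                       # client on the unencrypted (guest) VLAN
        return None if protected else body
    if not protected:                            # rule from the text: discard unencrypted
        return None
    return wep_decapsulate(client_key, body)     # other VLANs' keys fail the ICV


def accepted_broadcasts(vlan_keys: Dict[int, Optional[bytes]], client_key: Optional[bytes],
                        broadcasts: List[Tuple[int, bytes, bytes]]) -> List[bytes]:
    """broadcasts: (vlan_id, payload, iv) tuples as they arrive on the wired trunk."""
    frames = [ap_broadcast(vlan_keys, vid, payload, iv) for vid, payload, iv in broadcasts]
    return [p for p in (client_receive(client_key, f) for f in frames) if p is not None]


# Constructed sample data: VLAN-ids from Table 5-1, Guest (44) unencrypted.
VLAN_KEYS: Dict[int, Optional[bytes]] = {
    14: bytes.fromhex("0f0e0d0c0b0a09080706050403"),   # constructed 104-bit key
    24: bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d"),   # constructed 104-bit key
    44: None,
}
BROADCASTS = [
    (14, b"ARP who-has 10.1.14.1", b"\x01\x02\x03"),
    (24, b"ARP who-has 10.1.24.1", b"\x04\x05\x06"),
    (44, b"ARP who-has 10.1.44.1", b"\x07\x08\x09"),
]

if __name__ == "__main__":
    print("VLAN 14 client sees:", accepted_broadcasts(VLAN_KEYS, VLAN_KEYS[14], BROADCASTS))
    print("Guest client sees:  ", accepted_broadcasts(VLAN_KEYS, None, BROADCASTS))
```

The check that matters for a deployment review is the second branch of client_receive: if a client on an encrypted VLAN accepted plaintext broadcasts, traffic from the one unencrypted VLAN would leak into every other broadcast domain in the ESS, which is exactly why the text limits an ESS to a single unencrypted VLAN.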
Native (Default) VLAN Configuration

The AP’s (or the bridge’s) native VLAN (default VLAN) must be set to the native VLAN of the wired trunk. This allows the AP or bridge to receive and communicate using the Inter-Access Point Protocol (IAPP) with other APs or bridges in the same WLAN ESS. All APs and bridges in an ESS must use the same native VLAN-ID. All Telnet and Hypertext Transfer Protocol (HTTP) management traffic—as well as the RADIUS traffic—is routed to the AP via the native VLAN. Cisco recommends that IT managers restrict user access to the native/default VLAN of the APs and bridges with the use of Layer-3 access control lists (ACLs) and policies on the wired infrastructure side. The IT administrator may or may not wish to map the native VLAN of the AP/bridge to an SSID (the WLAN ESS). Scenarios where the native VLAN should be mapped to an SSID include:
• An associated workgroup bridge is treated as an infrastructure device
• Connection of a root bridge to a non-root bridge
In the above scenarios, Cisco recommends configuring an Infrastructure SSID per AP or bridge. Figure 5-5 illustrates the combined deployment of infrastructure devices (such as workgroup bridges, non-root bridges, and repeaters) along with non-infrastructure devices (such as WLAN clients) in an Enterprise WLAN. The native VLAN of the AP is mapped to the Infrastructure SSID. WEP encryption along with TKIP (at least per-packet key hashing) should be enabled for the Infrastructure SSID. Configuration of a secondary SSID as the Infrastructure SSID is also recommended. The concepts of primary and secondary SSIDs are explained in the next section.
Figure 5-5 Combined Deployment of Infrastructure and Non-Infrastructure Devices
[Figure: a Root AP and a Bridge (Root) connect to the Enterprise network over 802.1Q trunks (native VLAN=10); a Bridge (non-Root) at a branch office and a WGB/repeater associate using the Infrastructure SSID (VLAN-id 10). WLAN clients use SSID=Employee and SSID=Guest. The Management VLAN holds the RADIUS server.]
Primary (Guest) and Secondary SSIDs

When enabling multiple wireless VLANs on the AP or bridge, multiple SSIDs are created, with each SSID mapping to a default VLAN-ID on the wired side. However, as per the 802.11 specifications, only one SSID can be broadcast in the beacons. The IT administrator defines a primary (Guest) SSID that is broadcast in the 802.11 beacon management frames. All other SSIDs are secondary SSIDs and are not broadcast in the 802.11 beacon management frames. If a client or infrastructure device (such as a workgroup bridge) sends a probe request with a secondary SSID, the AP or bridge responds with a probe response for that secondary SSID. An IT administrator can also map the primary SSID to the VLAN-ID on the wired infrastructure in different ways. For example, in an Enterprise rollout scenario, the primary SSID might be mapped to the unencrypted VLAN on the wired side to provide Guest VLAN access.
RADIUS-based VLAN Access Control

As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator might wish to impose backend-based (such as RADIUS) VLAN access control using 802.1x or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1x and similar encryption mechanisms for WLAN user access, then a user can hop from one VLAN to another by simply changing the SSID and successfully authenticating to the AP (using 802.1x). This may not be desirable if the WLAN user is to be confined to a particular VLAN. There are two different ways to implement RADIUS-based VLAN access control features:
• RADIUS-based SSID Access Control—Upon successful 802.1x or MAC address authentication, the RADIUS server passes back the allowed SSID-list for the WLAN user to the AP or bridge. If the user used an SSID on the allowed SSID-list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the AP or bridge.
• RADIUS-based VLAN Assignment—Upon successful 802.1x or MAC address authentication, the RADIUS server assigns the user to a pre-determined VLAN-ID on the wired side. The SSID used for WLAN access does not matter because the user is always assigned to this pre-determined VLAN-ID.
Figure 5-6 illustrates both RADIUS-based VLAN access control methods. Both Engineering and Marketing VLANs are configured to allow only 802.1x authentication (such as EAP-Cisco, EAP-TLS, or PEAP). As shown in Figure 5-6, when John uses the Engineering SSID to gain access to the WLAN, the RADIUS server maps John to VLAN-ID 24. This might or might not be the default VLAN-ID mapping for the Engineering SSID. Using this method, a user is mapped to a fixed wired VLAN throughout an Enterprise network. Figure 5-6 also illustrates an example of RADIUS-based SSID access control. David uses the Marketing SSID to gain access to the WLAN. However, the permitted SSID-list sent back by the RADIUS server indicates that David is only allowed access to the Engineering SSID. Upon receipt of this information, the AP disassociates David from the WLAN network. Using this method, a user is given access to only one or more pre-determined SSIDs throughout an Enterprise network.

Figure 5-6 RADIUS-based VLAN Access Control
[Figure: an AP/bridge serving SSID=Engineering, SSID=Marketing, and SSID=Guest connects over an 802.1Q trunk to the Enterprise network, where the RADIUS server sits on the Management VLAN. Exchanges shown: EAP-Request (user-id: John, SSID=Engineering) answered by EAP-Success (user-id: John, VLAN-id=24); EAP-Request (user-id: David) on SSID=Marketing answered by EAP-Success (user-id: David, SSID=Engineering), after which David’s association is marked with an X.]
RADIUS user attributes used for VLAN-ID assignment are:
• IETF 64 (Tunnel Type)—Set this to “VLAN”
• IETF 65 (Tunnel Medium Type)—Set this to “802”
• IETF 81 (Tunnel Private Group ID)—Set this to the VLAN-ID
The RADIUS user attribute used for SSID access control is:
• Cisco IOS/PIX RADIUS Attribute, 009\001 cisco-av-pair
  Example—Configure the above attribute to allow a user to access the WLAN using the Engineering and Marketing SSIDs only:
  – ssid=Engineering
  – ssid=Marketing
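The two control methods and the attributes that carry them can be exercised end to end: the RADIUS side encodes the IETF 64/65/81 tunnel attributes for a VLAN assignment and a cisco-av-pair ssid= entry for SSID access control, and the AP side parses the Access-Accept and applies the rules the text describes (an allowed-SSID list disassociates users on any other SSID; a VLAN assignment overrides the SSID's default VLAN-ID; otherwise the default mapping applies). This is an added example, not Cisco code from this guide. The attribute numbers, the Tunnel-Type value 13 ("VLAN"), the Tunnel-Medium-Type value 6 ("802") and the Cisco vendor id 9 are the standard RFC 2868/RFC 2865 values; the ap_access_decision function is an assumed model of the AP's behaviour written for illustration, and the user names, SSIDs and VLAN-IDs are the ones from Figure 5-6.

```python
"""RADIUS-based SSID access control and VLAN assignment, as an executable model.
Added example, not Cisco code: ap_access_decision is an assumed reading of the
guide's description, not the AP firmware's logic."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IETF attribute numbers named in the text (RFC 2868 tunnel attributes) and the
# Vendor-Specific wrapper that carries cisco-av-pair (vendor 9, vendor type 1).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
VENDOR_SPECIFIC = 26
TUNNEL_TYPE_VLAN = 13        # "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # "802"
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1


def _tunnel_attr(attr_type: int, payload: bytes, tag: int = 0) -> bytes:
    # Tunnel attributes carry a one-byte tag in front of the value (RFC 2868).
    return bytes([attr_type, 3 + len(payload), tag]) + payload


def encode_vlan_assignment(vlan_id: int, tag: int = 0) -> bytes:
    """Access-Accept attributes for RADIUS-based VLAN assignment (IETF 64/65/81)."""
    return (_tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"), tag)
            + _tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"), tag)
            + _tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode(), tag))


def encode_cisco_av_pair(text: str) -> bytes:
    """Vendor-Specific attribute 26, vendor 9, vendor type 1 (cisco-av-pair)."""
    vsa = bytes([CISCO_AV_PAIR, 2 + len(text)]) + text.encode()
    return bytes([VENDOR_SPECIFIC, 6 + len(vsa)]) + struct.pack(">I", CISCO_VENDOR_ID) + vsa


def parse_attrs(buf: bytes) -> List[Tuple[object, object]]:
    """Walk a RADIUS attribute blob and return (attribute, value) pairs for the
    attributes this example uses; unrelated attributes are skipped."""
    out: List[Tuple[object, object]] = []
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("malformed attribute length")
        val = buf[i + 2:i + alen]
        if (atype == VENDOR_SPECIFIC and len(val) >= 6
                and struct.unpack(">I", val[:4])[0] == CISCO_VENDOR_ID):
            vtype, vlen = val[4], val[5]
            if vtype == CISCO_AV_PAIR and vlen == len(val) - 4:
                out.append(("cisco-av-pair", val[6:].decode("ascii", "replace")))
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            out.append((atype, (val[0], int.from_bytes(val[1:], "big"))))
        elif atype == TUNNEL_PRIVATE_GROUP_ID and val:
            # A leading byte above 0x1F is not a tag but part of the string (RFC 2868).
            tag, text = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            out.append((atype, (tag, text.decode("ascii", "replace"))))
        i += alen
    return out


@dataclass
class AccessDecision:
    associated: bool
    vlan_id: Optional[int]
    reason: str


def ap_access_decision(requested_ssid: str, default_vlan_by_ssid: Dict[str, int],
                       attrs: List[Tuple[object, object]]) -> AccessDecision:
    """Assumed AP behaviour after a successful 802.1x/MAC authentication."""
    if requested_ssid not in default_vlan_by_ssid:
        return AccessDecision(False, None, "unknown SSID")
    # RADIUS-based SSID access control: one cisco-av-pair "ssid=<name>" per allowed SSID.
    allowed = [v[len("ssid="):] for a, v in attrs
               if a == "cisco-av-pair" and isinstance(v, str) and v.startswith("ssid=")]
    if allowed and requested_ssid not in allowed:
        return AccessDecision(False, None, f"SSID {requested_ssid} not in {allowed}; disassociate")
    # RADIUS-based VLAN assignment: the three tunnel attributes must share a tag,
    # name type VLAN over medium 802, and carry a numeric VLAN-ID.
    groups: Dict[int, Dict[int, object]] = {}
    for a, v in attrs:
        if a in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, value = v
            groups.setdefault(tag, {})[a] = value
    for grp in groups.values():
        gid = grp.get(TUNNEL_PRIVATE_GROUP_ID)
        if (grp.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and grp.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and isinstance(gid, str) and gid.isdigit() and 1 <= int(gid) <= 4094):
            return AccessDecision(True, int(gid), "RADIUS-assigned VLAN-ID")
    return AccessDecision(True, default_vlan_by_ssid[requested_ssid], "default SSID-to-VLAN-ID mapping")


# Default SSID-to-VLAN-ID mapping taken from Table 5-1.
DEFAULTS = {"Engineering": 14, "Marketing": 24, "Guest": 44}

if __name__ == "__main__":
    print("John :", ap_access_decision("Engineering", DEFAULTS, parse_attrs(encode_vlan_assignment(24))))
    print("David:", ap_access_decision("Marketing", DEFAULTS,
                                       parse_attrs(encode_cisco_av_pair("ssid=Engineering"))))
```

Note the ordering in ap_access_decision: the allowed-SSID list is evaluated before any VLAN assignment, so a user who is disassociated never receives a VLAN, and a malformed tunnel attribute group (wrong medium, non-numeric group id) silently falls back to the SSID's default mapping rather than granting an arbitrary VLAN.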
Guidelines for Deploying Wireless VLANs

In order to properly deploy wireless VLANs, IT administrators should evaluate the need for deploying wireless VLANs in their own environment. Existing wired VLAN deployment rules and policies should also be reviewed. Existing wired VLAN policies can be used as the basis for wireless VLAN deployment policies. This section is split into three discussions:
• Criteria for Wireless VLAN Deployment, page 5-10—Details selection criteria for wireless VLAN deployment.
• Wireless VLAN Deployment Example, page 5-11—Provides a deployment example and summarizes the rules for WLAN VLAN deployment.
• Summary of Rules for Wireless VLAN Deployment, page 5-13—Provides best practices to use on the wired infrastructure when deploying wireless VLANs.
Criteria for Wireless VLAN Deployment

While the full criteria for each wireless VLAN deployment are likely to be unique, some standard criteria exist for most rollouts. These include:
• Common applications used by all WLAN users. The IT administrator should define:
  – Wired network resources (such as servers) commonly accessed by WLAN users
  – Quality of Service (QoS) level needed by each application [such as default class of service (CoS) or Voice CoS]
• Common devices used to access the WLAN. The IT administrator should define:
  – Security mechanisms (Static-WEP, MAC authentication, EAP authentication such as EAP-Cisco, EAP-TLS, or PEAP, VPN, and the like) supported by each device type
  – Wired network resources (such as servers) commonly accessed by WLAN device groups
  – QoS level needed by each device group (such as default CoS or Voice CoS)
• Review the existing wired VLAN deployment design guidelines:
  – Existing policies for VLAN access (determine whether specific policies are implemented for different user groups)
  – Localized wired VLANs with Layer-3 core or flat Layer-2 switched network

After the wireless VLAN deployment criteria are defined, the deployment strategy must be determined. Two standard deployment strategies are:
• Segmentation by User Groups—Segmentation of the WLAN user community and enforcement of specific security policies per user group. For example, three wired and wireless VLANs in an enterprise environment might be created for full-time employee, part-time employee, and guest access.
• Segmentation by Device Types—Segmentation of the WLAN to allow different devices with different security levels to access the WLAN. For example, it is not recommended to have handheld devices that support only 40/128-bit static WEP co-exist in the same VLAN with other WLAN client devices using 802.1x with dynamic WEP. In this scenario, devices with different levels of security are grouped and isolated into separate VLANs.
Implementation criteria such as those listed below are then defined:
• Use of a policy group (set of filters) to map wired policies to the wireless side.
• Use of 802.1x to control user access to VLANs using either RADIUS-based VLAN assignment or RADIUS-based SSID access control.
• Use of separate VLANs to implement different CoS.
Wireless VLAN Deployment Example

A wireless VLAN deployment example is outlined below. The IT administrator of company XYZ determines the need for WLANs in his network. Utilizing the guidelines described in the “Criteria for Wireless VLAN Deployment” section on page 5-10, his findings are as follows:
• Three different user groups are commonly present across Company XYZ: full-time employees, contract employees, and guests.
• Full-time and contract employees use company-supplied PCs to access the wireless network. These PCs are capable of supporting 802.1x authentication methods for accessing the WLAN.
• Full-time employees need full access to the wired network resources. The IT department has implemented application-level privileges for each user via Microsoft Windows NT or Active Directory (AD) mechanisms.
• Part-time employees are not allowed access to certain wired resources (such as human resource servers and data storage servers). Furthermore, the IT department has implemented application-level privileges for part-time employees (using Microsoft Windows NT or AD mechanisms).
• Guest users need access to the Internet to launch a VPN tunnel back to their company headquarters.
• Maintenance personnel (electrical, facilities, and others) use specialized handheld devices that support static 40- or 128-bit encryption to access trouble ticket information via an application server VLAN.
• Existing wired VLAN deployment:
  – Wired VLANs are localized per building (use of unique VLAN-IDs per building).
  – Layer-3 policies are implemented on all VLANs to prevent users from accessing critical applications (such as network management servers).

In the above case, the IT administrator can deploy wireless VLANs by creating four wireless VLANs as follows:

Step 1
For Full-Time and Part-Time VLANs, implement 802.1x with dynamic WEP along with TKIP functionality for WLAN access. Tie user login on the RADIUS server to the Microsoft back-end user database to enable single sign-on for WLAN users. Implement RADIUS-based SSID access control for both Full-Time and Part-Time employees to access the WLAN. This is recommended to prevent part-time employees from VLAN hopping (trying to access the WLAN using the Full-Time VLAN).

Note
In this deployment scenario, VLANs are localized per building, with user group mapping to wired VLAN-IDs different for each building. In order to enable users to access the WLAN from anywhere on campus, SSID access control is recommended rather than fixed VLAN-ID assignments.
Step 2
Create a Guest VLAN. Implement Open/No WEP access with a broadcast SSID by using the primary SSID for the Guest VLAN. Enforce policies on the wired network side to force all Guest VLAN access to an Internet gateway and deny access into the corporate network.

Step 3
Create a Maintenance VLAN. Implement Open/with WEP plus MAC authentication for this VLAN. Enforce policies on the wired infrastructure to only allow access to the maintenance server on the application server’s VLAN.
Figure 5-7 illustrates this sample WLAN deployment scenario. Table 5-3 lists the configuration details for the Figure 5-7 VLANs.

Figure 5-7 Wireless VLAN Deployment Example
[Figure: AP_1 and AP_2 each terminate an 802.1Q trunk (Native VLAN=10) from the Enterprise network and serve SSIDs labelled Engineering, Marketing, HR, and Guest; the Management VLAN holds the RADIUS server.]

Table 5-3 Configuration for VLANs in Figure 5-7

SSID          VLAN-id   Security Policy                        RADIUS-based VLAN Access Control
Full-Time     16        802.1x with Dynamic WEP + TKIP/MIC     Yes
Part-Time     26        802.1x with Dynamic WEP + TKIP/MIC     Yes
Maintenance   36        Open/with WEP + MAC authentication     No
Guest         46        Open/no WEP                            No
Summary of Rules for Wireless VLAN Deployment

This section summarizes the VLAN rules and guidelines discussed in this document. Key rules to follow when deploying wireless VLANs:
• 802.1Q VLAN trunking (hybrid mode only) is supported between the switch and the AP or bridge.
• A maximum of 16 VLANs per ESS are supported, with each wireless VLAN represented by a unique SSID name.
• The IT administrator must configure a unique encryption key per VLAN.
• A maximum of one unencrypted VLAN per ESS is supported.
• A maximum of one primary/guest SSID per ESS is supported.
• TKIP, MIC, and Broadcast key rotation can be enabled per VLAN.
• Open, Shared-Key, MAC, network-EAP (EAP-Cisco), and EAP authentication types are supported per SSID.
• Shared-Key Authentication is supported only on the SSID mapped to the native VLAN (this is most likely to be the Infrastructure SSID).
• One unique policy group (set of Layer-2, Layer-3, and Layer-4 filters) is allowed per VLAN.
• Each SSID is mapped to a default wired VLAN; the ability to override this default SSID-to-VLAN-ID mapping is provided via RADIUS-based VLAN access control mechanisms.
  – RADIUS-based VLAN-ID assignment per user is supported.
  – RADIUS-based SSID access control per user is supported.
• The ability to assign a CoS mapping per VLAN with eight different levels of priority is supported.
• The ability to control the number of clients per SSID is supported.
• All APs and bridges in the same ESS must use the same native VLAN-ID to facilitate IAPP communication between APs and bridges.
• All WLAN security policies should be mapped to the wired LAN security policies on the switches and routers.
Best-Practices for the Wired Infrastructure

The following best practices are recommended for the wired infrastructure when 802.1Q trunking is extended to the APs and bridges:
• Limit broadcast/multicast traffic to the AP and bridge by enabling VLAN filtering and Internet Group Management Protocol (IGMP) snooping on the switch ports. On the 802.1Q trunks to the AP and bridge, filter to allow only the VLANs active in the ESS. Enabling IGMP snooping prevents the switch from flooding all switch ports with Layer-3 multicast traffic.
• Map wireless security policies to the wired infrastructure with Access Control Lists (ACLs) and other mechanisms.
• The AP does not support the VLAN Trunking Protocol (VTP) or the GARP VLAN Registration Protocol (GVRP) for dynamic management of VLANs because the AP acts as a stub node. The IT administrator must use the wired infrastructure to maintain and manage the wired VLANs.
• Enforce security policies via Layer-3 ACLs on the Guest and Management VLANs (recommended).
  – The IT administrator might implement ACLs on the wired infrastructure to force all Guest VLAN traffic to the Internet Gateway.
  – The IT administrator should restrict user access to the native/default VLAN of the APs and bridges with the use of Layer-3 ACLs and policies on the wired infrastructure. Example: Traffic to APs and bridges via the native/default VLAN is only allowed to and from the management VLAN where all the management servers reside—including the RADIUS server.
Note
For more details refer to the WLAN VLAN deployment guide: http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
Chapter 6

WLAN Quality of Service (QoS)

This chapter addresses Quality of Service (QoS) concerns in the context of WLAN implementations. It is separated into the following primary sections:
• QoS Overview, page 6-1
• Wireless QoS Considerations, page 6-2
• 802.11 DCF, page 6-4
• IEEE 802.11e, page 6-7
• Deploying EDCF on Cisco IOS-based APs, page 6-13
• Guidelines for Deploying Wireless QoS, page 6-17
QoS Overview

Quality of Service (QoS) refers to the capability of a network to provide better service to selected network traffic over various network technologies. QoS technologies provide the building blocks for business multimedia and voice applications used in campus, WAN, and service provider networks. QoS allows network managers to establish service level agreements (SLAs) with network users. QoS enables network resources to be shared more efficiently and expedites the handling of mission-critical applications. QoS manages time-sensitive multimedia and voice application traffic to ensure that this traffic receives higher priority, greater bandwidth, and less delay than best-effort data traffic. With QoS, bandwidth can be managed more efficiently across LANs and WANs. QoS provides enhanced and predictable network service by:
• Supporting dedicated bandwidth for critical users and applications
• Controlling jitter and latency (required by real-time traffic)
• Managing and minimizing network congestion
• Shaping network traffic to smooth the traffic flow
• Setting network traffic priorities
Wireless QoS Considerations

This section addresses the following topics:
• Wireless QoS Deployment Schemes, page 6-2
• QoS Parameters, page 6-3
• Downstream and Upstream QoS, page 6-3
• QoS and Network Performance, page 6-4
Wireless QoS Deployment Schemes

In the past, WLANs were mainly used to transport low-bandwidth data-application traffic. Today, with the expansion of WLANs into vertical (such as retail, finance, and education) and Enterprise environments, WLANs are used to transport high-bandwidth data applications in conjunction with time-sensitive multimedia applications. This requirement led to the necessity for wireless QoS. Several vendors support proprietary wireless QoS schemes for voice applications. To speed up the rate of QoS adoption and to support multi-vendor time-sensitive applications, a unified approach to wireless QoS is necessary. The IEEE 802.11e working group within the IEEE 802.11 standards committee is working on a wireless QoS standard that is expected to be finalized in 2003. Cisco Aironet products support QoS based on the IEEE 802.11e Draft standard specifications as of November 2002. Cisco IOS release 12.2(4)JA for the Cisco Aironet 1100 Series and Cisco Aironet VxWorks release 12.00T for Cisco Aironet 1200, 350, and 340 Series products support IEEE 802.11e Enhanced Distributed Coordination Function (EDCF)-based wireless QoS. An example deployment of wireless QoS based on Cisco IOS and VxWorks features is shown in Figure 6-1.

Figure 6-1 Wireless QoS Deployment Example
[Figure: an AP1100 and an AP1200 with EDCF-based QoS connect to the Enterprise Network, which hosts Cisco CallManager and a streaming video source; a VoIP phone is a WLAN client. The AP provides EDCF-based mechanisms for downstream wireless QoS, based upon handset registration, CoS, or DSCP.]
QoS Parameters

QoS is defined as the measure of performance for a transmission system that reflects its transmission quality and service availability. Service availability is a crucial foundational element of QoS. Before QoS can be successfully implemented, the network infrastructure must be highly available. The network transmission quality is determined by the following factors:
• Latency, page 6-3
• Jitter, page 6-3
• Loss, page 6-3
Latency

Latency (or delay) is the amount of time it takes a packet to reach the receiving endpoint after being transmitted from the sending endpoint. This time period is termed the end-to-end delay and can be broken into two areas: fixed network delay and variable network delay. Fixed network delay includes encoding/decoding time (for voice and video), as well as the finite amount of time required for the electrical/optical pulses to traverse the media en route to their destination. Variable network delay generally refers to network conditions, such as congestion, that may affect the overall time required for transit.

Jitter

Jitter (or delay variance) is the difference in the end-to-end latency between packets. For example, if one packet required 100 msec to traverse the network from the source endpoint to the destination endpoint and the following packet required 125 msec to make the same trip, then the jitter is calculated as 25 msec.

Loss

Loss (or packet loss) is a comparative measure of packets faithfully transmitted and received to the total number that were transmitted. Loss is expressed as the percentage of packets that were dropped.
Downstream and Upstream QoS

Figure 6-2 illustrates the definition of QoS radio upstream and downstream.

Figure 6-2 Upstream and Downstream QoS
[Figure: the AP sits between the WLAN clients and the wired Network; the four directions labelled are Radio Downstream, Radio Upstream, Ethernet Downstream, and Ethernet Upstream.]
The notation in Figure 6-2 refers to the following:
• Radio Downstream QoS refers to the traffic leaving the AP and traveling to the WLAN clients. Radio Downstream QoS is the primary focus of this deployment guide.
• Radio Upstream QoS refers to traffic leaving the WLAN clients and traveling to the AP. No vendor support is currently available for radio upstream QoS features for WLAN clients. This support is specified in the 802.11e draft, but has not yet been implemented.
• Ethernet Downstream refers to traffic leaving the switch/router and traveling to the AP. QoS may be applied at this point to prioritize and rate-limit traffic to the AP. Configuration of Ethernet downstream QoS is not discussed in this design guide.
• Ethernet Upstream refers to traffic leaving the AP and traveling to the switch. The AP classifies traffic from the AP to the upstream network according to the traffic classification.
QoS and Network Performance

The application of QoS features may not be easily detected on a lightly loaded network. Indeed, if latency, jitter, and loss are noticeable when the media is lightly loaded, it is an indication of a system fault or that an application’s latency, jitter, and loss requirements are not a good match for the network. QoS features start to impact application performance as the load on the network increases. QoS works to keep latency, jitter, and loss for selected traffic types within acceptable bounds. Because the AP provides only downstream prioritization, upstream client traffic is treated as best effort. A client must compete with other clients for (upstream) transmission as well as competing with best-effort (downstream) transmission from the AP. Under certain load conditions, a client can experience upstream congestion, and the performance of QoS-sensitive applications may be unacceptable despite the QoS features on the AP.
802.11 DCF

Data frames in 802.11 are sent using the Distributed Coordination Function (DCF). The DCF is composed of two main components:
• Interframe Spaces (SIFS, PIFS, and DIFS), page 6-4
• Random Backoff (Contention Window), page 6-5

DCF is used in 802.11 networks to manage access to the RF medium. A baseline understanding of DCF is necessary in order to deploy 802.11e-based EDCF. Please read the IEEE 802.11 specification for more information on DCF.
Interframe Spaces (SIFS, PIFS, and DIFS)

Interframe Spaces (Figure 6-3) allow 802.11 to control which traffic gets first access to the channel once carrier sense declares the channel to be free.
Figure 6-3 Interframe Spaces (IFS)1
[Figure: timeline (t) after a busy medium showing SIFS, PIFS, and DIFS in order, followed by the contention window (backoff window) divided into slot times, and the next frame. Stations defer access while the medium is busy, then select a slot and decrement backoff as long as the medium is idle.]
802.11 currently defines three interframe spaces:
• Short Interframe Space (SIFS): 10 µs
• Point Interframe Space (PIFS): SIFS + 1 x slot time = 30 µs
• Distributed Interframe Space (DIFS): SIFS + 2 x slot time = 50 µs
SIFS Important frames such as acknowledgments wait the SIFS before transmitting. There is no random backoff when using the SIFS, as frames using the SIFS are used in instances where multiple stations would not be trying to send frames at the same time. The SIFS provides a short and deterministic delay for packets that must go through as soon as possible. The SIFS is not available for use by data frames. Only 802.11 management and control frames use SIFS.
PIFS An optional portion of the 802.11 standard defines priority mechanisms for traffic that uses PIFS. There is no random back mechanism associated with PIFS, as it relies upon a polling mechanism to control which station is transmitting. The option is not widely adopted2 due to the associated overhead, and lack of flexibility in its application.
DIFS

Data frames wait the DIFS before beginning the random backoff procedure that is part of the Distributed Coordination Function (DCF). This longer wait ensures that traffic using the SIFS or PIFS timing always gets an opportunity to send before any traffic using the DIFS attempts to send.
Random Backoff (Contention Window)

When a data frame using DCF (Figure 6-4) is ready to be sent, it goes through the following steps:
1. Generate a random backoff number between 0 and a minimum Contention Window (CWmin).
2. Wait until the channel is free for a DIFS interval.
3. If the channel is still free, begin decrementing the random backoff number for every slot time (20 µs) the channel remains free.
4. If the channel becomes busy (another station got to 0 before your station), decrementing stops and steps 2 through 4 are repeated.
5. If the channel remains free until the random backoff number reaches 0, the frame may be sent.

1. Figures quoted are for 802.11b, not 802.11a.
2. No known vendor claims to support Profile Connection Files (PCF).

Figure 6-4 Distributed Coordination Function (DCF) Example (timing diagram: Stations A through E each wait the DIFS after a busy medium, defer while another station’s frame is on the air, and carry their remaining backoff time into the next contention)
Figure 6-4 shows a simplified example of how the DCF process works. In this simplified DCF process, no acknowledgements are shown and no fragmentation occurs. The DCF steps illustrated in Figure 6-4 work as follows:
1. Station A successfully sends a frame, and three other stations also wish to send frames but must defer to Station A’s traffic.
2. Once Station A completes transmission, all the stations must still defer for the DIFS. Once the DIFS is complete, stations wishing to send a frame can begin decrementing their backoff counter, once every slot time, and may send their frame.
3. Station B’s backoff counter reaches zero before those of Stations C and D, and therefore Station B begins transmitting its frame.
4. Once Stations C and D detect that Station B is transmitting, they must stop decrementing their backoff counters and again defer until the frame is transmitted and a DIFS has passed.
5. During the time that Station B is transmitting a frame, Station E gets a frame to transmit, but as Station B is sending a frame it must defer in the same manner as Stations C and D.
6. Once Station B completes transmission and the DIFS has passed, stations with frames to send begin decrementing their backoff counters again. In this case, Station D’s backoff counter reaches zero first and it begins transmission of its frame.
7. The process continues as traffic arrives on different stations.
CWmin, CWmax, and Retries

DCF uses a Contention Window (CW) to control the size of the random backoff. The contention window is defined by two parameters:
• aCWmin
• aCWmax
The random number used in the random backoff is initially a number between 0 and aCWmin. If the initial random backoff expires without successfully sending the frame, the station or AP increments the retry counter and doubles the size of the random backoff window. This doubling in size continues until the size equals aCWmax. The retries continue until the maximum retries or Time To Live (TTL) is reached. This process of doubling the backoff window is often referred to as a binary exponential backoff, and is illustrated in Figure 6-5.

Figure 6-5 Growth in Random Backoff Range with Retries (the range grows from aCWmin = 31 through 63, 127, 255 and 511 to aCWmax = 1023 with each retry, and stays at 1023 for further retries)
IEEE 802.11e

This section discusses two 802.11e implementations:
• 802.11e EDCF-based QoS Implementation, page 6-7
• QoS Advertisements by WLAN Infrastructure, page 6-11

802.11e EDCF-based QoS Implementation

The current IEEE 802.11e draft contains EDCF. This is the feature supported in the current AP code release. The EDCF is an enhancement of the DCF described above. The enhancement is the adjustment of the CWmin and CWmax random backoff values based upon traffic classification. Figure 6-6 shows the different settings for the CWmin and CWmax of each traffic class as illustrated by the Cisco Aironet software. These figures are based on those proposed in the 802.11e draft.
Do not alter these settings for production networks without significant tests specific to the applications in question. For example, having a CWmax value less than the CWmin of another class might cause starvation of the other traffic class, as the worst-case random backoff of the preferred class would be better than the best-case random backoff of the less favored class. It should also be noted that the traffic has been queued based on its traffic classification by the AP before the CWmin and CWmax values are applied at the radio. Refer to Figure 6-6.

Figure 6-6 Default CWmin and CWmax Values of Different Traffic Categories
Figure 6-7 shows the principle behind different CWmin values per traffic classification. All traffic waits the same DIFS, but the CWmin value used to generate the random backoff number depends upon the traffic classification. High priority traffic has a small CWmin value, giving a short random backoff, whereas best effort traffic has a large CWmin value that on average gives a large random backoff number.
Figure 6-7 EDCF Random Backoff and Traffic Classification (timing diagram: after the busy medium and DIFS, the voice random backoff ranges span 0 to CWmin[6] and CWmin[7] slots, while the best effort random backoff range spans 0 to CWmin[0] slots; each station defers access, then decrements its backoff as long as the medium is idle before sending the next frame)
Figure 6-8 shows an example of how the different CWmin values impact traffic priority.

Figure 6-8 Example of Impact of Traffic Classification (timing diagram: Station X, Voice 1, Voice 2, Voice 3, Best Effort 1 and Best Effort 2 contend after each DIFS; each station defers while a frame is on the air and carries its remaining backoff time into the next contention)
The process illustrated in Figure 6-8 follows this sequence:
1. While Station X is transmitting its frame, three other stations determine that they must send a frame. Each station defers as a frame was already being transmitted, and each station generates a random backoff.
2. As stations Voice 1 and Voice 2 have a traffic classification of voice, they use an initial CWmin of 3, and therefore have short random backoff values. Best Effort 1 and Best Effort 2 generate longer random backoff times, as their CWmin value is 31.
3. Voice 1 has the shortest random backoff time, and therefore starts transmitting first. When Voice 1 starts transmitting, all other stations defer. While station Voice 1 is transmitting, station Voice 3 finds that it needs to send a frame and generates a random backoff number, but defers due to station Voice 1’s transmission.
4. Once station Voice 1 finishes transmitting, all stations wait the DIFS, and then begin decrementing their random backoff counters again.
5. Station Voice 2 completes decrementing its random backoff counter first and begins transmission. All other stations defer.
6. Once station Voice 2 has finished transmitting, all stations wait the DIFS, and then begin decrementing their random backoff counters again.
7. Best Effort 2 completes decrementing its random backoff counter first and begins transmission. All other stations defer. This happens even though there is a voice station waiting to transmit. This shows that best effort traffic is not starved by voice traffic: the random backoff decrementing process eventually brings the best effort backoff down to values similar to those of high priority traffic, and the random process might, on occasion, generate a small random backoff number for best effort traffic.
8. Once Best Effort 2 finishes transmitting, all stations wait the DIFS, and then begin decrementing their random backoff counters again.
9. Station Voice 3 completes decrementing its random backoff counter first and begins transmission. All other stations defer.
10. The process continues as other traffic enters the system.
The overall impact of the different CWmin and CWmax values is difficult to show well in the timing diagrams used thus far, as their impact is more statistical in nature. It is simpler to compare two examples, and show the impact of these different values in the average times that should be generated by the random backoff counters. If we compare interactive voice and interactive video, these traffic categories have CWmin values of 3 and 15, and CWmax values of 32 and 63 respectively. This gives the averages for the random backoff counters shown in Table 6-1.

Table 6-1 Random Backoff Averages (values in slot times)

  Traffic Category    | CWmin | CWmax | Average Minimum | Average Maximum
  --------------------+-------+-------+-----------------+----------------
  Interactive Voice   |     3 |    31 |             1.5 |            15.5
  Interactive Video   |    15 |    63 |             7.5 |            31.5
  Best Effort         |    31 |   255 |            15.5 |           127.5
These averages show that an interactive voice frame would only have an average random backoff time of 30 µs, whereas the average random backoff time for an interactive video frame would be 150 µs. If interactive voice and interactive video stations began trying to transmit at the same time, the interactive voice frame would normally be transmitted first, and with a very small delay. The average maximum gives an indication of how quickly and how large the random backoff counter would grow in the event of a retransmission. The smaller the average maximum, the more aggressively that traffic classification contends for the medium. No matter how many times it has retried, Interactive Voice’s random backoff delay should not, on average, be above the minimum delay of best effort traffic. This means that the average worst-case backoff delay for interactive voice traffic would be the same as the average best case for best effort traffic.
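As an added worked example (not code from the Cisco guide), the following Python models the DCF/EDCF backoff described in this section: the binary exponential growth of the contention window with retries (Figure 6-5), the per-category averages of Table 6-1, and a slot-level contention run of the kind drawn in Figure 6-8, including the collision case the figures leave out. The access category names, the per-station backoff values and the maximum retry count of 7 are constructed for illustration.

```python
"""Model of the 802.11 DCF / 802.11e EDCF random backoff discussed above.

Added example, not code from the Cisco design guide. Slot time and DIFS are the
802.11b values quoted in the text; the CWmin/CWmax pairs are the defaults the
text gives for three traffic categories (the category names are ours).
"""
import random
from dataclasses import dataclass

SLOT_TIME_US = 20   # 802.11b slot time
DIFS_US = 50        # SIFS + 2 slot times

# (CWmin, CWmax) per traffic category, taken from Table 6-1
ACCESS_CATEGORIES = {
    "interactive_voice": (3, 31),
    "interactive_video": (15, 63),
    "best_effort": (31, 255),
}


def contention_window(cw_min, cw_max, retries):
    """Contention window after `retries` failed attempts.

    Each retry doubles the window (binary exponential backoff) until it
    reaches cw_max. CW values are of the form 2^k - 1, so 'doubling' a
    window of size cw yields 2 * (cw + 1) - 1.
    """
    cw = cw_min
    for _ in range(retries):
        cw = min(2 * (cw + 1) - 1, cw_max)
    return cw


def average_backoff_slots(cw):
    """Mean of a uniform integer draw from 0..cw, in slot times."""
    return cw / 2


def average_backoff_us(cw):
    """The same mean in microseconds (the 30 us and 150 us figures in the text)."""
    return average_backoff_slots(cw) * SLOT_TIME_US


def backoff_table():
    """Reproduce Table 6-1: (CWmin, CWmax, average minimum, average maximum)."""
    return {
        name: (cw_min, cw_max, average_backoff_slots(cw_min), average_backoff_slots(cw_max))
        for name, (cw_min, cw_max) in ACCESS_CATEGORIES.items()
    }


@dataclass
class Station:
    name: str
    category: str
    backoff: int        # remaining backoff slots (fixed here, not drawn, to keep the run traceable)
    retries: int = 0


def run_contention(stations, max_retries=7, rng=None):
    """Slot-level EDCF contention among stations that each hold one frame.

    After every frame (and the DIFS that follows it) all waiting stations
    decrement their counters once per idle slot. The station reaching 0 first
    transmits; the others keep their remaining count (the "backoff time
    remaining" in the figures). If two counters reach 0 in the same slot the
    frames collide: each colliding station doubles its window and redraws, and
    a frame whose retries exceed max_retries (an assumed limit) is dropped.

    Returns (station name, idle slots elapsed, retries) in the order frames
    left the medium; a dropped frame is recorded with elapsed = None.
    """
    rng = rng or random.Random(0)
    waiting = list(stations)
    elapsed = 0
    log = []
    while waiting:
        shortest = min(s.backoff for s in waiting)
        elapsed += shortest
        for s in waiting:
            s.backoff -= shortest
        ready = [s for s in waiting if s.backoff == 0]
        if len(ready) == 1:
            winner = ready[0]
            log.append((winner.name, elapsed, winner.retries))
            waiting.remove(winner)
            continue
        for s in ready:                      # collision: binary exponential backoff
            s.retries += 1
            cw_min, cw_max = ACCESS_CATEGORIES[s.category]
            if s.retries > max_retries:
                log.append((s.name, None, s.retries))
                waiting.remove(s)
            else:
                s.backoff = rng.randint(0, contention_window(cw_min, cw_max, s.retries))
    return log
```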
Note
In this EDCF implementation, all WLAN clients are treated equally for upstream transmission (from the WLAN clients to the AP) unless a client (such as a SpectraLink® Voice over IP device) implements a proprietary mechanism of obtaining the channel faster compared to the others.
QoS Advertisements by WLAN Infrastructure

The WLAN infrastructure devices (such as APs) advertise QoS parameters. WLAN clients with QoS requirements use these advertised QoS parameters to determine the best AP with which to associate. Cisco Aironet software release 12.00T for VxWorks APs and bridges and Cisco IOS release 12.2(4)JA for Cisco 1100 Series APs support two mechanisms to advertise QoS parameters:
• Symbol Technologies, Inc. Extensions (Symbol® NetVision handsets only)
• QoS Basic Service Set (QBSS)—Based on IEEE 802.11e DRAFT version 3.3
Figure 6-9 shows the QBSS Information Element (IE) advertised by a Cisco AP. The channel utilization field indicates the portion of available bandwidth currently used to transport data within the WLAN. The frame loss rate field indicates the portion of transmitted frames that require retransmission or are discarded as undeliverable.

Figure 6-9 QBSS Information Element (IE) Implementation: IEEE 802.11e Draft version 3.3

  Element ID (11) | Length (6) | Station Count (2 octets) | Channel Utilization (1 octet) | Frame loss rate (1 octet)
Figure 6-10 and Figure 6-11 illustrate the mechanism for enabling QoS advertisements on VxWorks APs and bridges and Cisco IOS-based APs.
Figure 6-10 Enabling QoS Advertisements on a VxWorks AP
Figure 6-11 Enabling QoS Advertisements on a Cisco IOS AP
Deploying EDCF on Cisco IOS-based APs

This section discusses the mechanisms available on the Cisco Aironet 1100 Series AP for applying traffic classification to particular traffic. The Cisco IOS-based Aironet 1100 Series AP has significant QoS operational differences as compared to the VxWorks-based Cisco Aironet 1200, 350 and 340 Series. However, because it is Cisco IOS based, the Aironet 1100 Series AP is consistent with current Cisco IOS implementations. Users familiar with configuring Cisco switch and router QoS settings should find the commands and configuration familiar.
Note

For information about deployment and configuration using VxWorks-based APs, please refer to the WLAN QoS Deployment Guide at the location: http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080144498.html

This section presents EDCF implementation considerations for Cisco IOS-based APs in the following specific sections:
• Appliance-based Prioritization, page 6-13
• CoS-based Prioritization, page 6-13
• Class-Map Based Prioritization, page 6-14
• VLAN-based Prioritization, page 6-15
• Combining QoS Setting Requirements, page 6-15
• Additional QoS Features, page 6-16
Appliance-based Prioritization

The Cisco IOS-based AP can prioritize traffic based upon a WLAN client’s request for a particular traffic classification because of its appliance type. Currently, Cisco APs support only VoIP appliances. These VoIP appliances use proprietary registration messages to identify themselves. The best example of this process is the negotiation that occurs between the AP and a Symbol VoIP WLAN handset. A protocol defined by Symbol allows the handset to be identified, and provides downstream traffic to these handsets with an interactive voice classification. The VxWorks-based AP allows a per-station classification of traffic which allows these handsets to identify themselves and automatically classify traffic. The Cisco IOS AP supports the registration of the handsets to the AP through the global command line interface (CLI) command:

  dot11 phone
CoS-based Prioritization

Traffic that arrives at the AP over an Ethernet trunk (if already classified by its CoS settings within IEEE 802.1D) will have that classification mapped to EDCF and applied unless the Per Appliance classification applies a subsequent classification.
Class-Map Based Prioritization

Traffic flows are identified by IP Type of Service (TOS), DSCP, or protocol settings with class-map based prioritization. An identified downstream traffic flow is given a specific CoS applied over the radio interface. This process is consistent with current Cisco IOS implementations. Figure 6-12 illustrates an example setting of a class-map based QoS policy via the 1100 Series AP web interface. The policy name is example. Example creates classification rules based upon IP precedence, DSCP values, and an IP protocol. These classification rules are then applied on the radio interface.
Note

The IP Protocol 119 setting provides ongoing support on the AP for SpectraLink IEEE 802.11 handsets.

Figure 6-12 Class-Map based QoS Policy Example
After applying the class-map based QoS policy, the changes are reflected in the AP CLI:

  class-map match-all _class_example2
   match ip protocol 119
  class-map match-all _class_example0
   match ip precedence 2
  class-map match-all _class_example1
   match ip dscp 46
  …
  policy-map example
   class _class_example0
    set cos 5
   class _class_example1
    set cos 5
   class _class_example2
    set cos 0
   class class-default
    set cos 0
  …
  interface Dot11Radio0.825
  …
   service-policy output example
VLAN-based Prioritization

Figure 6-13 illustrates the default priority (CoS) set using a class-map definition on a Cisco IOS-based AP. This class-map is applied to an interface or a VLAN and the specified priority is applied to all traffic, unless the priority is overridden by one of the mechanisms described above (Per Station, 802.1p/802.1D CoS, or Class-Map based IP TOS/DSCP/Protocol).

Figure 6-13 Default CoS Setting Using a Class-Map on a Cisco IOS AP
Combining QoS Setting Requirements

The EDCF settings shown in Figure 6-15 on page 6-16 are applied by the radio, and are determined by the classification applied at the radio. Network engineers must be aware of where the traffic classification is applied in order to plan and design the QoS settings appropriately. The first classification that occurs is the one that is selected and used. The precedence process sequence is as follows:
1. If a station identifies itself as a particular CoS, this is used (Per-Appliance QoS—an example is a Symbol VoIP device).
2. If the frame arrives at the AP with a CoS setting via IEEE 802.1p/802.1D, this is what is used.
3. If a class-map based classification (IP TOS, IP DSCP, IP Protocol, or default CoS) is defined per VLAN or interface, the CoS defined by the class-map based QoS policy is assigned to the specified traffic flow (example: SpectraLink VoIP device).
4. If none of the above mechanisms are viable, the default CoS setting for the VLAN is used for all traffic.

Figure 6-14 illustrates the QoS classification precedence described in the above list.

Figure 6-14 QoS Classification Precedence on Cisco IOS-Based APs (flowchart: traffic flow into ingress; Per-appliance QoS? if No, By CoS value (802.1p marked)? if No, Class-map defined per interface or VLAN? A Yes at any step maps the traffic to that CoS; a final No applies the default CoS (CoS=0); the frame is then sent to the transit queue)
Additional QoS Features

The Cisco 1100 Series AP allows the setting of different CWmin and CWmax values depending on the traffic classification, as shown in Figure 6-15.

Figure 6-15 Class to CWmin and CWmax Settings
In addition to the CWmin and CWmax values shown in Figure 6-15, a Fixed Slot Time setting is available. The Fixed Slot Time is referred to as the Arbitration Inter Frame Space (AIFS) in the IEEE 802.11e Draft. The AIFS is a variable DCF value. The standard DCF time equals two slot times. Traffic classifications with a slot time greater than two must wait the additional slot times before sending or beginning to decrement their random backoff counters, giving further precedence to traffic with a low CWmin and standard DCF timing.
Guidelines for Deploying Wireless QoS

The same rules for deploying QoS in a wired network apply to deploying QoS in a wireless network. The first and most important guideline in QoS deployment is: know your traffic. Know your protocols, your applications’ sensitivity to delay, and your traffic bandwidth. QoS does not create additional bandwidth; it simply gives more control over where the bandwidth is allocated. Voice traffic is probably the QoS application that is most familiar. The following are examples of how QoS for voice is applied to different applications. When using the traffic classification schemes in the AP, remember that once the classification is changed from the default, the application of any further mechanisms does not further alter the classification. This discussion of wireless QoS deployment considerations is split into the following four sections:
• IP SoftPhone and Other PC and PDA Based VoIP Solutions, page 6-17
• Symbol Handsets, page 6-17
• SpectraLink Handsets, page 6-18
• Leveraging Existing Network QoS Settings, page 6-18
IP SoftPhone and Other PC and PDA Based VoIP Solutions

With IP SoftPhone and other PC-based and PDA-based VoIP solutions, the AP might not connect to the wired Ethernet via IEEE 802.1Q, and VLANs might not be configured. In this case, the frames from the wired network do not contain CoS information for the AP. If the wired network is using IP Type of Service (ToS) or IP DSCP to mark traffic, these marks can be recognized by the AP through the AP’s DSCP-to-CoS mapping feature using class-map based prioritization (Cisco IOS) as shown in Figure 6-12 on page 6-14. If VLANs are used, the AP can use the CoS settings within IEEE 802.1p, and the DSCP-to-CoS mapping is done by the upstream device. If the CoS settings of IEEE 802.1p are not utilized, the AP uses the DSCP settings. If the switch infrastructure does not mark frames/packets with IEEE 802.1p CoS or IP TOS/DSCP, then the VLAN default CoS on the AP is used to apply a specific wireless CoS.
Symbol Handsets

If Symbol handsets are used in the WLAN, the Symbol Extensions should be enabled.
SpectraLink Handsets

The SpectraLink Voice Protocol (SVP) is prioritized in the same manner as in the pre-WLAN QoS AP configuration because the AP has a default filter to classify all SpectraLink voice traffic with voice priority. The difference between the current AP prioritization scheme and the previously released AP prioritization method is that the prior version was limited to prioritizing within the queuing internal to the AP. With the QoS enhancements, traffic can now be prioritized over the radio interface. Figure 6-16 illustrates the SVP architecture for 12.00T VxWorks and 12.2(4)JA Cisco IOS QoS features:

Figure 6-16 SpectraLink VoIP Deployment (EDCF-based QoS AP1100 and AP1200 attached to the enterprise network together with Cisco CallManager, an IP VoIP phone, NetLink wireless telephones and a NetLink SVP server; the AP provides EDCF-based mechanisms for downstream wireless QoS)
Leveraging Existing Network QoS Settings

Support for IEEE 802.1p and DSCP allows the AP to leverage the existing QoS classification and prioritization in the wired network. For more information on the design and configuration of QoS for a Cisco AVVID Network, refer to Cisco AVVID Network Infrastructure Enterprise Quality of Service Design on the CCO web site at http://www.cisco.com.
CHAPTER 7

WLAN Roaming

This chapter addresses the WLAN design considerations when assessing Layer-2 roaming of WLAN clients. The process of a WLAN client station roaming from one AP to another AP is discussed in some detail. Although this chapter focuses on roaming at Layer-2 (same IP subnet), the implications of campus-wide roaming at Layer-2 and Layer-3 are also considered. The following primary sections are presented in this chapter:
• Roaming Solution Overview, page 7-2
• Layer-2 Roaming Primer, page 7-4
• Layer-2 Design Recommendations, page 7-9
Roaming Solution Overview

Networks are normally partitioned into discrete Layer-2 domains corresponding to IP subnets. The difference between Layer-2 and Layer-3 roaming is shown in Figure 7-1. Layer-2 roaming occurs when a WLAN client moves between Wireless APs that are part of the same IP subnet.

Figure 7-1 Layer-2 and Layer-3 Roaming Compared (L2 roaming between APs within one subnet; L3 roaming (mobile IP) between Subnet A and Subnet B across the Layer 3 boundary)
Layer-3 roaming will be covered in a separate design guide, which will be added to the set of design guides available from http://www.cisco.com. WLANs can provide the ability to connect to the network from any location within the enterprise. The desire to move from one location to another while maintaining an application session is a natural extension of this extended network reach. The trend towards wireless laptop computers and personal digital assistants (PDA) will further accelerate the desire for seamless network access while moving between locations. The benefits of WLANs in general are documented in Chapter 1, “WLAN Solution Overview.” Some of the WLAN benefits specific to mobility are:
• Innovative Application Deployment—Facilitates implementation of new and innovative applications that require always-on network connectivity (such as actionable alerts, messaging, and workflow applications).
• Improved Efficiency and Productivity—Continuous connectivity allows work to be performed at any time without interruption.
• Increased Accuracy—Enabling data to be captured or updated immediately from any location increases data accuracy.
General Design Characteristics

Cisco AVVID provides a comprehensive campus network architecture. In most cases, WLANs will be applied incrementally as an overlay to the existing Cisco AVVID architecture. Where possible, the existing Cisco AVVID three-layer architecture should be maintained. WLANs should be deployed as an additional, dedicated, wireless subnet per wiring closet. Additional campus WLAN design guidance is provided at http://www.cisco.com.

Layer-2 Design

Mobile IP capability is required to provide seamless roaming across Layer-3 subnet boundaries. Layer-3 roaming will be covered in a separate design guide, but note that every Layer-3 roam is preceded by a Layer-2 (link-layer) roam.

Caveats

Deploying WLANs as recommended in this document might result in multiple Layer-2 subnets on the same floor of a building. Some form of mobile IP will be required to roam seamlessly between the Layer-2 subnets this design recommends.
Layer-2 Roaming Primer

This section introduces you to the underlying issues and considerations when addressing Layer-2 roaming in WLANs. The following discussion is divided into four sections:
• Layer-2 Roaming Technical Overview, page 7-4
• Roaming Events, page 7-5
• Roam Process, page 7-7
• Layer-2 Roaming Considerations, page 7-8
Layer-2 Roaming Technical Overview

A Layer-2 roam occurs when a WLAN station moves from one AP to another AP. If the new AP is on a different IP subnet, Layer-3 roaming occurs after the Layer-2 roam is completed. Figure 7-2 illustrates the sequence of events associated with a Layer-2 roam.

Figure 7-2 Sequence of Events for Layer-2 Roam (Access Point A and Access Point B on a wired LAN connecting access points (intra-subnet roaming); arrows 1 to 4 mark the client leaving AP A, the client associating to AP B, and the two IAPP (Inter Access Point Protocol) messages sent by AP B)
The arrows in Figure 7-2 indicate the following events:
1. A client moves from AP “A” coverage area into AP “B” coverage area (both APs in the same subnet). As the client moves out of AP “A” range, a “Roaming Event” will be triggered (such as Max Retries).
2. The client then scans all 802.11 channels for alternative APs. In this case, the client discovers AP “B” and re-authenticates and re-associates to it.
3. AP “B” sends a null MAC multicast using the source address of the client. This updates the Content Addressable Memory (CAM) tables in upstream switches and directs further LAN traffic for the client to AP “B”, and not AP “A”.
4. AP “B” sends a MAC multicast using its own source address telling the “old” AP that AP “B” now has the client associated to it. AP “A” receives this multicast and removes the client MAC address from its association table.

The main focus in this chapter is on events 1 and 2 in Figure 7-2. Events 3 and 4 are post-roam actions taken as part of Cisco’s proprietary Inter Access Point Protocol (IAPP). It is important to note that roaming is always a client station decision. The client station is responsible for detecting, evaluating, and roaming to an alternative AP.
Event 1 in Figure 7-2 will be discussed in more detail in the “Roaming Events” section on page 7-5 of this document. “Roaming Events” describes the events that cause a client to initiate the roam process. Event 2 in Figure 7-2 is covered in the “Roam Process” section on page 7-7. The process of discovering, evaluating, and roaming to an alternative AP is discussed in that section.
Roaming Events

This section details the events that cause a client to roam. The roam process itself is described in the “Roam Process” section on page 7-7. Roaming is always initiated by the client and is caused by one of the following events (each is covered in a separate section):
• Max Data Retry Count Exceeded, page 7-5
• Missed Too Many Beacons, page 7-6
• Data Rate Shift, page 7-6
• Periodic Client Interval (If Configured), page 7-7
• Initial Client Startup, page 7-7
Max Data Retry Count Exceeded

When a client station retries a packet more than the Max Data Retry Count, the station initiates a roam. The max retry count defaults to 16, and is configured in the Aironet Client Utility (ACU) under the RF Network tab for the currently active profile. A sample screen is shown in Figure 7-3.

Figure 7-3 Setting Max Data Retries in the ACU
Missed Too Many Beacons

All clients associated to an AP should receive a periodic beacon. By default, APs send a beacon every 100 msec. The beacon period setting on an AP is shown in Figure 7-4.

Figure 7-4 Max Data Retries, Beacon Period and Data Rate Settings
Clients learn the AP’s beacon interval from an element in the beacon. If a client misses eight consecutive beacons, a roaming event is deemed to have occurred and the roam process detailed in the “Roam Process” section on page 7-7 is initiated. By continuously monitoring for received beacons, even an otherwise idle client is able to detect a loss of wireless link quality and is able to initiate a roam.
Data Rate Shift

Packets are normally transmitted at the AP’s default rate. The default rate is the highest rate set to basic or yes on the AP. The configuration of data rate on an AP is shown in Figure 7-4. A rate shift occurs when a frame is retransmitted three times and RTS/CTS is used to send the last two retransmissions. Every time a packet must be retransmitted at a lower rate, a count is increased by 3. For each packet successfully transmitted at the default rate, the count is decreased by 1—until it is 0. If the count reaches 12, one of the following occurs:
• If the client has not attempted to roam in the last 30 seconds, then the roam process as described in the “Roam Process” section on page 7-7 occurs.
• If the client has already attempted to roam in the last 30 seconds, the data rate for that client is set to the next lower rate.
A client transmitting at less than the default rate increases the data rate back to the next-higher rate after a short time interval if transmissions are successful.
Periodic Client Interval (If Configured)

The latest version of ACU, client driver, and firmware allow the client to periodically scan for a better AP when its signal strength gets low. This capability is configured in the ACU for the selected profile under the RF Network tab as shown in Figure 7-5. The periodic scan is a roaming event that causes the roam process described in the “Roam Process” section on page 7-7 to occur.

Figure 7-5 ACU Configuration—Periodic Scan for a Better AP
Initial Client Startup

When a client starts up it goes through the roam process described in the “Roam Process” section on page 7-7, to scan for (and associate with) the most appropriate AP.
Roam Process

The “Roaming Events” section on page 7-5 described the events that can occur to cause a client to decide that it needs to roam. This section addresses actions taken by a client station when it roams.
When a roaming event occurs, the client station scans each 802.11 channel (the client scans all 802.11 channels valid in the country in which the client is operating). On each channel, the client station sends a probe and waits for a probe response or beacon from APs on that channel. The probe responses and beacons received from other APs are discarded unless the conditions listed in Table 7-1 are met.

Table 7-1 AP Conditions Required to be Considered as a Roam Target

  Client Station with Aironet Extensions Enabled (1)                                                    | Client Station without Aironet Extensions
  ------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------
  AP’s signal strength is greater than 20 percent and, if 20+ percent weaker than the current AP,       | Unknown—Implementation dependent
  its absolute signal strength is at least 50 percent                                                   |
  If the AP is in repeater mode and is more radio hops from the backbone than the current AP,           | Not Applicable—Radio hop information is a Cisco proprietary element in beacons
  its signal strength must be more than 20 percent greater than the current AP                          |
  The new AP must not have more than a 10 percent worse transmitter load than the current AP            | Not Applicable—AP transmitter load information is a Cisco proprietary element in beacons

  1. Probe responses/beacons must satisfy all conditions.
If the conditions in Table 7-1 are satisfied, then a client roams to a new AP that best meets one of the conditions specified in Table 7-2.

Table 7-2 Choosing from Eligible Roam Targets

Client Station with Aironet Extensions Enabled (AP must satisfy any condition):
• Signal strength is more than 20 percent stronger
• Fewer hops to the backbone
• 4 (or more) less clients associated to it
• 20+ percent less transmitter load (1)

Client Station without Aironet Extensions (AP must satisfy all conditions):
• Unknown—Implementation dependent
• Not Applicable—Backbone hops information is Cisco proprietary element in beacons
• Not Applicable—AP client association load information is Cisco proprietary element in beacons
• Not Applicable—AP transmitter load information is Cisco proprietary element in beacons

1. Transmitter load is an indication of whether an AP radio is busy sending frames.
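Tables 7-1 and 7-2 together form a two-stage decision: filter the scanned APs, then pick one. The following added example (written for this page, not Cisco client code) implements both stages for a client with Aironet extensions enabled, the only column for which the tables give concrete rules. The scan data is constructed; ranking the surviving candidates by the number of Table 7-2 conditions met and then by signal strength is an assumption, since the page only says the client picks the AP that "best meets one of the conditions".

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ApInfo:
    name: str
    signal: int        # signal strength in percent, as seen by the client
    hops: int          # radio hops to the wired backbone (0 for a root AP)
    tx_load: int       # transmitter load in percent (how busy the AP radio is sending)
    clients: int       # stations associated to the AP
    repeater: bool = False


def eligible(cand: ApInfo, cur: ApInfo) -> bool:
    """Table 7-1: every condition must hold for the AP to be a roam target."""
    if cand.signal <= 20:                                   # must be greater than 20 percent
        return False
    if cur.signal - cand.signal >= 20 and cand.signal < 50:  # 20+ weaker: need at least 50 absolute
        return False
    if cand.repeater and cand.hops > cur.hops and cand.signal <= cur.signal + 20:
        return False                                        # farther repeater needs 20+ more signal
    if cand.tx_load > cur.tx_load + 10:                     # at most 10 percent worse tx load
        return False
    return True


def roam_reasons(cand: ApInfo, cur: ApInfo) -> List[str]:
    """Table 7-2: any one of these makes an eligible AP worth roaming to."""
    reasons = []
    if cand.signal > cur.signal + 20:
        reasons.append("signal")
    if cand.hops < cur.hops:
        reasons.append("hops")
    if cur.clients - cand.clients >= 4:
        reasons.append("clients")
    if cur.tx_load - cand.tx_load >= 20:
        reasons.append("tx-load")
    return reasons


def choose_roam_target(cur: ApInfo, scanned: List[ApInfo]) -> Optional[ApInfo]:
    """Filter by Table 7-1, keep APs meeting at least one Table 7-2 condition,
    then rank. The ranking (conditions met, then signal) is an assumption."""
    candidates = [ap for ap in scanned
                  if ap.name != cur.name and eligible(ap, cur) and roam_reasons(ap, cur)]
    if not candidates:
        return None
    return max(candidates, key=lambda ap: (len(roam_reasons(ap, cur)), ap.signal))


# Constructed scan result for the worked example.
CURRENT = ApInfo("AP-current", signal=40, hops=0, tx_load=30, clients=10)
SCAN = [
    ApInfo("AP-weak", signal=15, hops=0, tx_load=10, clients=2),                     # below 20 percent
    ApInfo("AP-busy", signal=70, hops=0, tx_load=45, clients=3),                     # tx load 15 percent worse
    ApInfo("AP-repeater", signal=55, hops=1, tx_load=20, clients=2, repeater=True),  # farther, not 20+ stronger
    ApInfo("AP-same", signal=45, hops=0, tx_load=30, clients=9),                     # eligible, nothing better
    ApInfo("AP-good", signal=65, hops=0, tx_load=25, clients=5),                     # stronger, fewer clients
]


def demo() -> Optional[str]:
    best = choose_roam_target(CURRENT, SCAN)
    return best.name if best else None  # "AP-good"
```

`AP-busy` is the instructive case: it has the strongest signal of the scan but is dropped at the Table 7-1 stage because its transmitter load is more than 10 percent worse than the current AP, so it never reaches the Table 7-2 comparison.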
Layer-2 Roaming Considerations
A Layer-2 roam is a disruptive event for a WLAN client. WLAN radios are designed to transmit and receive on only one of the 802.11 channels at a time. Because the wireless station is only receiving on one of the eleven 802.11 channels, it is not generally aware of other APs on alternative channels.
Note
There are 11 channels available in the US. There are 13 channels defined by the 802.11 specification. Their usage varies from country to country.
To find out if a better AP is available, the client must cease transmitting and receiving on the current channel and move sequentially through each of the possible alternative channels. The following actions need to occur on each of the channels scanned:
1. Radio hardware needs to move to and settle on the new channel.
2. Client needs to listen to the new channel long enough to avoid a collision as per the CSMA/CA media access implemented in 802.11.
3. Client transmits a probe frame.
4. Client receives a probe-response or a beacon frame.
Layer-2 Design Recommendations
This section provides design guidance for architecting and deploying a network as it applies to Layer-2 roaming considerations. Additional WLAN design guidance is provided at http://www.cisco.com. Layer-2 design recommendations are addressed in the following sections:
• Cisco AVVID Design, page 7-9
• Sizing the Layer-2 Domain, page 7-10
• Roaming Implementation Recommendations, page 7-10
Cisco AVVID Design
Cisco provides comprehensive campus network architecture guidance. WLANs should be an incremental addition to the existing Cisco AVVID network infrastructure. Please refer to campus design content provided at http://www.cisco.com. The existing Cisco AVVID three-layer architecture should be maintained, and WLANs should be deployed as an additional, dedicated, wireless subnet per wiring closet. Figure 7-6 shows a typical Cisco AVVID architecture to which a WLAN subnet was added to each access layer switch.
Figure 7-6 Adding WLAN to Cisco AVVID Architecture (figure labels: Layer 3; HSRP Active VLAN 20, 41, 140; HSRP Active VLAN 40, 21, 120; VLAN 20 Data 10.1.20.0, VLAN 21 WLAN 10.1.21.0, VLAN 120 Voice 10.1.120.0; VLAN 40 Data 10.1.40.0, VLAN 41 WLAN 10.1.41.0, VLAN 140 Voice 10.1.140.0)
Sizing the Layer-2 Domain
In Figure 7-6, each access-layer switch represents a separate wiring closet. To each switch a dedicated VLAN for WLAN APs is added. APs are connected to a dedicated VLAN in order to keep the broadcast domain as small as possible; WLANs are a shared half-duplex media and broadcasts have a bigger impact on APs than on most devices connected to switch ports. Some organizations may decide to extend the Layer-2 network to provide Layer-2 mobility across a greater section of the enterprise. For these organizations, Cisco’s advanced spanning tree features such as Rapid Spanning Tree Protocol (RSTP) will prove useful.
Note
For related information regarding spanning-tree design and implementation considerations please refer to the Cisco AVVID Network Infrastructure—Implementing 802.1w and 802.1s in Campus Networks SRND.
Roaming Implementation Recommendations
Cisco’s IAPP provides seamless mobility within a single subnet only. In the absence of mobile IP, when a WLAN client moves to an AP on a different subnet, the IP address must be renewed—Windows2000/XP does this automatically. Renewing the IP address causes application sessions using that IP address to break. Some applications, such as email, and web-based applications may recover and continue to operate normally when their IP addresses change (either automatically by Windows2000/XP, or manually if using a different operating system). Other applications such as telnet, FTP, and any other connection-based application fail and must be manually restarted. Mobile IP is the solution to these application problems, as it will maintain a constant IP address for host applications across Layer-3 subnet boundaries. Mobile IP deployment will be the subject of a forthcoming Cisco Enterprise Solutions Engineering design guide.
Chapter 8
IP Multicast in a Wireless LAN
This chapter describes the configurations needed to control IP Multicast traffic over a WLAN and includes the following sections:
• Multicast WLAN Deployment Recommendations, page 8-1
• IP Multicast WLAN Configuration, page 8-2
• Other Considerations, page 8-4
• Summary, page 8-5
Tip
For information about IP multicast theory, deployment, and configuration, please see the Cisco AVVID Network Infrastructure IP Multicast Design SRND.
Note
This chapter uses MoH and IP/TV in the examples. It does not, however, provide configurations and designs for MoH and IP/TV. Also, other types of IP multicast implementations, such as IP multicast for financial deployments, are not covered.
Multicast WLAN Deployment Recommendations
By default, IP multicast traffic is permitted to stream across a WLAN. However, because WLANs use shared bandwidth, certain measures should be taken to prevent saturation of the available bandwidth. If IP multicast traffic is not required on the wireless network, it is recommended that a boundary be configured to block the multicast traffic. The best place to control IP Multicast traffic is on the routers and switches that connect to the APs and bridges. If a Layer-3 device is not available for use in deploying the configurations described in this chapter, then see the Cisco AVVID Network Infrastructure Wireless LAN Design SRND for recommendations for using AP and bridge MAC and IP filters to block traffic.
Note
Filters on the AP and bridge do not provide the flexibility needed for true multicast control.
If IP Multicast is to be deployed and streamed across the wireless network, then the following recommendations should be implemented:
• Prevent unwanted multicast traffic from being sent out on the air interface.
  – Place the WLAN in its own subnet.
  – Control which multicast groups are allowed by implementing multicast boundaries on the egress Layer 3 interface connecting to the VLAN or interface to the AP or bridge.
• To gain the highest AP/bridge performance for multicast traffic and data traffic, configure the APs and bridges to run at the highest possible fixed data rate. This removes the requirement for multicast to clock out at a slower rate, which can impact the range of the AP/bridge and must be taken into account in the site survey.
• If multicast reliability is a problem (seen as dropped packets), ignore the preceding recommendation and use a slower data rate (base rate) for multicast. This gives the multicast a better signal-to-noise ratio and can reduce the number of dropped packets.
• Test the multicast application for suitability in the WLAN environment. Determine the application and user performance effects when packet loss is higher than that seen on wired networks.
IP Multicast WLAN Configuration
The ip multicast boundary command configures an administratively scoped boundary on an interface for multicast group addresses found in the range defined by an access list. No multicast packets are allowed to flow across the boundary from either direction, except those packets explicitly allowed by the access list.
Controlling IP Multicast in a WLAN with APs
Figure 8-1 shows the topology for a WLAN using an AP. The IP multicast source is the IP/TV server (10.5.10.22). There are two multicast streams being sourced from the IP/TV server.
• 239.255.0.1 is a high-rate (1.4 Mbps) video stream.
• 239.192.248.1 is a low-rate (100 Kbps) video stream.
The low-rate stream is allowed and the high-rate stream is disallowed on the WLAN link. A multicast boundary is used to control multicast forwarding and IGMP packets.
Figure 8-1 Testbed for Wireless LAN using an Access Point (figure labels: IP/TV server 10.5.10.22 on the Campus, source for 239.255.0.1 high-rate stream and 239.192.248.1 low-rate stream; L3-Switch .1 on VLAN 200 10.1.200.x; 350 AccessPoint .100; PC with 350 PC Card .101)
In this configuration:
• L3-SWITCH connects to the campus network and the Cisco Aironet 350 Access Point (10.1.200.100).
• The VLAN 200 interface on L3-SWITCH has the IP address of 10.1.200.1 and is the interface that provides the boundary for IP multicast.
• The laptop computer (10.1.200.101) has a Cisco Aironet 350 PC Card and is running the IP/TV Viewer software.
Below is the configuration for L3-SWITCH.
  interface Vlan200
   description WLAN VLAN
   ip address 10.1.200.1 255.255.255.0
   ip pim sparse-mode
   ip multicast boundary IPMC-WLAN
  !
  ip access-list standard IPMC-WLAN
   permit 239.192.248.1
The ip pim sparse-mode command enables PIM on the interface. The boundary refers to the named ACL “IPMC-WLAN” and controls multicast forwarding AND IGMP packets. The ACL permits the low-rate stream (239.192.248.1); all other groups are denied by the implicit deny at the end of the list.
Controlling IP Multicast in a P2P WLAN using Bridges
The same boundary that was deployed in the AP scenario is used with the bridge scenario. Figure 8-2 shows the topology for a WLAN using a bridge for a Point-to-Point (P2P) connection. The IP/TV server (10.5.10.22) is sourcing the same groups as in the previous example:
• 239.255.0.1 is a high-rate (1.4 Mbps) video stream.
• 239.192.248.1 is a low-rate (100 Kbps) video stream.
The low-rate stream is allowed and the high-rate stream is disallowed on the P2P wireless link. To control what multicast traffic passes over the P2P link, only the ip multicast boundary configuration on ROUTER is needed. Because the multicast boundary prevents hosts from joining unwanted groups, the network never knows to forward unwanted traffic over the P2P link.
Figure 8-2 Testbed for Point-to-Point Wireless Network using Bridges (figure labels: IP/TV server 10.5.10.22 on the Campus, source for 239.255.0.1 high-rate stream and 239.192.248.1 low-rate stream; L3-Switch .1 on VLAN 100 10.1.100.x; 350-Bridge-L .100; 350-Bridge-R .101; Router .2 on 10.1.100.x and .1 on 10.1.101.x; L2-Switch-PWR on 10.1.101.x; PC with 350 PC Card .2)
In this configuration:
• L3-SWITCH (VLAN 100-10.1.100.1) connects to the campus network and the P2P wireless network.
• The P2P wireless link is made possible by two Cisco Aironet 350 Bridges, 350-Bridge-L (10.1.100.100) and 350-Bridge-R (10.1.100.101).
• ROUTER (10.1.100.2) connects to the P2P wireless network and the remote site network (10.1.101.1) via L2-SWITCH-PWR.
• The laptop computer (10.1.101.2) is running the IP/TV Viewer software.
If the remote side of the P2P link has a Layer 2 switch and no Layer 3 switch or router, then a boundary can be placed on the VLAN 100 interface of L3-SWITCH2. Also, in a Point-to-Multipoint (P2MP) deployment, a mix of both may be needed. Both configurations are shown here for reference. Following is the configuration for L3-SWITCH.
  interface Vlan100
   description VLAN for P2P Bridge
   ip address 10.1.100.1 255.255.255.0
   ip pim sparse-mode
   ip multicast boundary IPMC-BRIDGE
  !
  ip access-list standard IPMC-BRIDGE
   permit 239.192.248.1
Enables PIM on the interface. Boundary refers to named ACL “IPMC-BRIDGE.” Permits low-rate stream (239.192.248.1).
To prevent unwanted IGMP messaging and multicast traffic from traversing the P2P wireless link on the receiver side (remote LAN - 10.1.101.x), an ip multicast boundary is configured on the Fast Ethernet 0/1 interface of ROUTER. Following is the configuration for ROUTER.
  interface FastEthernet 0/1
   description Local LAN in Remote Site
   ip address 10.1.101.1 255.255.255.0
   ip pim sparse-mode
   ip multicast boundary IPMC-BRIDGE
  ip access-list standard IPMC-BRIDGE
   permit 239.192.248.1
Enables PIM on the interface. Boundary refers to named ACL “IPMC-BRIDGE.” Permits low-rate stream (239.192.248.1).
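Both the AP scenario and the bridge scenario rely on the same mechanism: a boundary on the interface facing the wireless segment, referencing a standard ACL that names the permitted groups. The following added example (written for this page, not Cisco code or tooling) parses configuration text in the form shown above and reports, per interface, which of the two IP/TV streams a boundary lets through, applying standard-ACL semantics (first match wins, implicit deny, wildcard masks). The sample configuration is constructed: it repeats the L3-SWITCH stanza and adds a hypothetical second VLAN whose boundary names an ACL that does not exist, the kind of mistake a review should catch.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the chapter's VLAN 200 stanza plus a hypothetical VLAN 201
# whose boundary references an ACL that is never defined.
SAMPLE_CONFIG = """\
interface Vlan200
 description WLAN VLAN
 ip address 10.1.200.1 255.255.255.0
 ip pim sparse-mode
 ip multicast boundary IPMC-WLAN
!
interface Vlan201
 description Hypothetical second WLAN VLAN, boundary names an undefined ACL
 ip address 10.1.201.1 255.255.255.0
 ip pim sparse-mode
 ip multicast boundary IPMC-TYPO
!
ip access-list standard IPMC-WLAN
 permit 239.192.248.1
"""

# The two groups sourced by the IP/TV server in the chapter.
STREAMS = {"239.255.0.1": "high-rate", "239.192.248.1": "low-rate"}
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")

AclEntry = Tuple[str, int, int]  # (action, address, wildcard) as integers


def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_config(text: str) -> Tuple[Dict[str, str], Dict[str, List[AclEntry]]]:
    """Return ({interface: boundary ACL name or None}, {ACL name: entries})."""
    interfaces: Dict[str, str] = {}
    acls: Dict[str, List[AclEntry]] = {}
    cur_if = cur_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            cur_if = cur_acl = None
            continue
        m = re.match(r"interface\s+(.+)$", line)
        if m:
            cur_if, cur_acl = m.group(1).strip(), None
            interfaces[cur_if] = None
            continue
        m = re.match(r"ip access-list standard\s+(\S+)$", line)
        if m:
            cur_acl, cur_if = m.group(1), None
            acls[cur_acl] = []
            continue
        if cur_if is not None:
            m = re.match(r"ip multicast boundary\s+(\S+)", line)
            if m:
                interfaces[cur_if] = m.group(1)
        elif cur_acl is not None:
            m = re.match(r"(permit|deny)\s+(\S+)(?:\s+(\S+))?$", line)
            if m:
                action, addr, wc = m.groups()
                if addr == "any":
                    addr, wc = "0.0.0.0", "255.255.255.255"
                elif addr == "host":          # "permit host A.B.C.D"
                    addr, wc = wc, "0.0.0.0"
                acls[cur_acl].append((action, ip_int(addr), ip_int(wc or "0.0.0.0")))
    return interfaces, acls


def acl_permits(entries: List[AclEntry], group: str) -> bool:
    """Standard ACL: first matching entry decides, implicit deny at the end.
    Wildcard bits set to 1 are don't-care bits."""
    g = ip_int(group)
    for action, addr, wc in entries:
        care = ~wc & 0xFFFFFFFF
        if g & care == addr & care:
            return action == "permit"
    return False


def audit(config_text: str, streams=STREAMS) -> Dict[str, Dict[str, List[str]]]:
    """Per interface: which streams the boundary permits or blocks, plus warnings."""
    interfaces, acls = parse_config(config_text)
    report = {}
    for ifname, acl_name in interfaces.items():
        entry = {"permitted": [], "blocked": [], "warnings": []}
        if acl_name is None:
            entry["warnings"].append("no multicast boundary: all groups forwarded")
            entry["permitted"] = sorted(streams)
        elif acl_name not in acls:
            entry["warnings"].append(f"boundary references undefined ACL {acl_name}")
        else:
            for group in streams:
                bucket = "permitted" if acl_permits(acls[acl_name], group) else "blocked"
                entry[bucket].append(group)
            for action, addr, wc in acls[acl_name]:
                if action != "permit":
                    continue
                if wc == 0xFFFFFFFF:
                    entry["warnings"].append(f"ACL {acl_name} permits any group")
                elif ipaddress.IPv4Address(addr) not in ADMIN_SCOPED:
                    entry["warnings"].append(
                        f"ACL {acl_name} permits {ipaddress.IPv4Address(addr)}, outside 239.0.0.0/8")
        report[ifname] = entry
    return report
```

Running `audit(SAMPLE_CONFIG)` reports Vlan200 permitting 239.192.248.1 and blocking 239.255.0.1, and flags Vlan201 for its undefined ACL. The same function applied to the ROUTER and L3-SWITCH stanzas of the bridge scenario gives the same per-group result, since both reference the identical IPMC-BRIDGE list.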
Other Considerations
The following additional considerations apply to deploying IP multicast in a WLAN environment:
• The WLAN LAN extension via EAP and WLAN static WEP solutions can support multicast traffic on the WLAN; the WLAN LAN extension via IPSec solution cannot.
• The WLAN has an 11 Mbps available bit rate that must be shared by all clients of an AP. If the AP is configured to operate at multiple bit-rates, multicasts and broadcasts are sent at the lowest rate to ensure that all clients receive them. This reduces the available throughput of the network because traffic must queue behind traffic that is being clocked out at a slower rate.
• Cisco Group Management Protocol (CGMP) and/or Internet Group Management Protocol (IGMP) should be used to limit the multicast traffic on each AP to the traffic required by associated clients. If a client roams with these features configured on an upstream switch, the multicast stream might not be delivered to the new AP. To address this, the Cisco AP can be configured to generate a general IGMP query when a client associates or disassociates. This allows the upstream switch to learn which multicast groups are required on that AP.
• Multicast and broadcast from the AP are sent without requiring link-layer acknowledgement. Every unicast packet is acknowledged and retransmitted if unacknowledged. The purpose of the acknowledgement is to overcome the inherent unreliable nature of wireless links. Broadcasts and multicasts are unacknowledged due to the difficulty in managing and scaling the acknowledgements. This means that a network that is seen as operating well for unicast applications can experience degraded performance in multicast applications.
• Enterprise customers who are using WLAN in laptops would normally use Constant Awake Mode (CAM) as the Power-Save Mode. If delay-sensitive multicast traffic is being sent over the WLAN, customers should ensure that only the CAM configuration is used on their WLAN clients. Based on the 802.11 standard, if the client is in power-save mode, then the AP will buffer broadcast and multicast traffic until the next beacon period that contains a delivery traffic information map (DTIM) transmission. The default period is 200ms. Enterprises that use WLAN on small handheld devices will most likely need to use the WLAN power-save features (Max or Fast) and should not attempt to run delay-sensitive multicast traffic over the same WLAN.
Summary
In summary, when using IP multicast in the WLAN, follow these recommendations.
• Place the WLAN AP or bridge on a separate VLAN or Layer 3 interface so multicast boundaries can be implemented.
• Use the ip multicast boundary command to prevent IGMP joins and multicast forwarding on denied multicast groups.
• In a WLAN using AP, the boundary should be placed on the VLAN or Layer 3 interface connecting to the AP.
• In a WLAN using bridges, the boundary is placed on the VLAN or Layer 3 interface connecting to the remote receiver side. If no Layer 3 capable device is used at the remote site, the boundary is placed on the VLAN or Layer 3 interface connecting to the bridge at the main site. Also, a combination of a boundary at the receiver side and bridge connection at the main site may be needed in a P2MP deployment.
• Set the highest possible fixed data rate on the APs and bridges to ensure the best possible performance for multicast and data traffic.
• If dropped packets occur and impact the performance of the application, the fixed data rate on the APs and bridges may need to be reduced to ensure a better signal-to-noise ratio, which can reduce dropped packets.
Chapter 9
WLAN Rogue AP Detection and Mitigation
This appendix outlines the threat posed by rogue APs in the Enterprise Network and some strategies for preventing and detecting them. It is preferable to prevent rogue APs rather than detect them once created. The following methods summarize the keys to prevention:
• Provide enterprise employees with a secure WLAN infrastructure supported by an enterprise IT department. This removes the motivation for rogue AP installation.
• Implement 802.1x on enterprise edge switches to provide complete rogue AP prevention.
Methods for detecting rogue APs in the enterprise include wireless methods such as using the free Boingo WLAN hotspot locator client to detect WLANs and the use of sophisticated analysis tools on the Ethernet backbone. None of the available tools for detecting rogue APs guarantees the detection of all rogue APs, and a combination of tools should be used to raise the probability of detection. The following sections are presented:
• Rogue AP Summary and Scope of Problem, page 9-2
• Preventing and Detecting Rogue APs, page 9-6
Rogue AP Summary and Scope of Problem
Rogue APs are APs that have been installed on an Enterprise Network without the authorization of the enterprise IT department. Figure 9-1 illustrates the generalized rogue AP threat in the context of an enterprise environment. Refer to Table 9-1 for threat details.
Figure 9-1 Preventing Rogue APs (figure labels: Layer 3, Subnet A, Subnet B)
This appendix does not consider a misconfigured production AP to be a rogue AP. Cisco’s Wireless LAN Solution Engine (WLSE) is capable of checking the configuration on production APs. The Aptools program mentioned in “Using MAC Addresses to Detect Rogue AP” section on page 9-16 is also capable of checking the security configuration on discovered APs. This appendix divides people installing rogue APs into one of the categories described in Table 9-1.
Table 9-1 Typical Rogue AP Threats

Rogue AP Threat: Malicious Hacker (James Bond)
Threat Description: Someone who, having penetrated physical security once, installs an AP in order to access the Enterprise Network from outside the physical perimeter in the future. Very difficult to detect because the intruder can customize the wireless AP to disguise it from tools designed to detect it. Rogue AP prevention techniques such as physical security and 802.1x port-based security are most effective against this class of threat. This class of user is more likely to install a specialized network device than an AP. An AP requires a hacker to be within range of the AP in order to use it. This is both inconvenient and dangerous for a hacker, who is more likely to install a specialized device that establishes a tunnel outbound from the enterprise to another device somewhere on the Internet. The hacker might then use the pre-established tunnel to access the Enterprise Network from anywhere on the Internet. (See When Dreamcasts Attack in the “Security References” section on page 1-8.)

Rogue AP Threat: Frustrated Insider (James from Accounting)
Threat Description: Someone who installs an unauthorized AP in order to provide wireless coverage where none is officially available. For example, enabling wireless networking in a meeting room, cafeteria, outdoor space, or other common area. The wide availability of low-cost APs makes this installation type very easy. The threat posed by this class of installer is that the person installing the AP is often ignorant of security features that are necessary to prevent outsiders from accessing the Enterprise Network, and the consumer grade AP commonly used in this installation does not have the features to provide an enterprise level of security.
This appendix discusses a variety of ways in which an enterprise can prevent and detect rogue AP installations. The focus here is on the Frustrated Insider class of user as they are considered to be the most common source of rogue AP installations and are the easiest to detect. Some of the techniques mentioned may detect the malicious hacker class of user, but as mentioned previously, it is best to concentrate on preventing this class of user through physical security and 802.1x. Rogue AP detection is broken into wireless, wired, and physical observation methods. A combination of these methods is necessary to be most effective.
The Rogue AP Threat
Media attention has focused on the dangers posed by the tools and techniques available for detecting and gaining access to WLAN networks. Most rogue APs are not installed securely and can be used by outsiders to gain access to an Enterprise Network. Some of the shortcomings of most rogue AP installations are:
• They often use well-known manufacturer default settings that provide little or no security
• They do not have WEP (encryption) enabled
• If WEP is enabled, the Cisco enhancements such as TKIP and MIC are not available or enabled
• If VPN protection is the company security policy for WLANs, rogue APs may be placed on the internal network instead of on the WLAN DMZ
The end result of these security shortcomings is that outsiders have a method to connect to the Enterprise Network without the need to first bypass physical security mechanisms such as locked doors, security guards, and vigilant employees. Outsiders may wish to gain WLAN access for the following purposes:
• To gain free access to the Internet (via the Enterprise Network’s connection)
• To gain access to the Enterprise Network, possibly to launch attacks on other enterprise resources such as servers containing confidential information or running mission-critical applications.
• To observe confidential Enterprise WLAN traffic.
Media Attention to WLAN Security Weaknesses
A Google (http://www.google.com/) search on the term wardriving produces thousands of links describing the practice of using inexpensive off-the-shelf WLAN equipment to discover and map WLAN networks. Wardrivers can use a GPS to record the location of all WLAN networks found, and can upload this information to websites that track and make available the location and basic security settings for all WLAN networks discovered. If a Frustrated Insider installs a poorly secured WLAN AP, it can be easily detected, mapped, and listed online by a wardriver. In general, media attention has focused on the tools summarized in Table 9-2, both of which can be downloaded from the Internet free of charge.

Table 9-2 Wireless Detection Tools

Tool: Netstumbler (http://www.netstumbler.com/)
Description: Free Windows and WinCE software that scans for wireless APs. Provides information about SSID, WEP enabled, 802.11 channel, signal strength, location (if used with GPS) and more.

Tool: Airsnort
Description: Free WLAN tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. WEP plus TKIP and MIC strengthens WEP, preventing key recovery.
With Netstumbler, an outsider can discover the existence of an insecure wireless LAN, and can then access the WLAN to gain access to the Enterprise Network or to observe confidential WLAN traffic. If Netstumbler shows that WEP is being used to encrypt WLAN traffic, Airsnort can be used to determine the WEP key. If Netstumbler shows that the WLAN has been installed with no WEP enabled, then network access can be gained just by configuring the client to match the detected network. Figure 9-2 illustrates a screen capture taken from a Pocket PC during a commute to work. Netstumbler identified 68 access-points. The first column of the display indicates whether or not WEP is enabled for each AP discovered. Other information such as 802.11 channel, Signal-to-Noise Ratio (SNR), and (if a GPS is connected) longitude and latitude can also be displayed.
Figure 9-2 Netstumbler on PPC (MiniStumbler)
The Netstumbler capture shown in Figure 9-2 was taken from within a moving car with no specialized equipment such as an external antenna necessary. Another phenomenon receiving media attention is warchalking, where chalk symbols are placed on buildings signifying the presence and characteristics of wireless LAN networks. For more information on warchalking perform a Google search on warchalk, or go to the following website: http://www.blackbeltjones.com/warchalking/index2.html
Truth About WLAN Security
WLAN can be deployed securely using standards-based EAP mechanisms such as EAP-Cisco, EAP-TLS, EAP-TTLS, or by using VPNs to segregate the WLAN from the rest of the Enterprise Network. The threat posed by rogue APs can be mitigated. This appendix provides recommendations aimed at minimizing the risk rogue APs represent to Enterprise Networks. The emphasis of this discussion focuses on the following topics:
• Prevention
  – Corporate Policy
  – Physical security
  – Supported WLAN infrastructure
  – 802.1x port based security on edge switches
• Detection
  – Using wireless analyzers/sniffers
  – Using scripted tools on the wired infrastructure
  – By physically observing WLAN AP placement and usage
Preventing and Detecting Rogue APs
Figure 9-3 summarizes the primary options in preventing and detecting rogue APs. Suggestions for specific actions are detailed in the following sections:
• Preventing Rogue APs, page 9-7
• Detecting Rogue APs Wirelessly, page 9-12
Figure 9-3 Rogue AP Prevention and Detection (figure labels: Prevention: secure/supported WLAN infrastructure provided, 802.1x on switches, WLAN policy, physical security; Detection: regular scripted audits, active wireless audit, physical observation; Layer 3, Subnet A, Subnet B)
Preventing Rogue APs
The first priority for Enterprise IT security departments should be to prevent rogue APs. The following sections present prevention suggestions:
• Corporate WLAN Policy, page 9-7
• Physical Security, page 9-7
• Supported Wireless Infrastructure, page 9-7
• IEEE 802.1x Port-based Security to Prevent APs, page 9-7
• Using Catalyst Switch Filters to Limit MAC Addresses per Port, page 9-10
Corporate WLAN Policy
An enterprise policy concerning WLAN installations is an essential first step in preventing rogue APs. The WLAN policy should include a list of IT staff authorized to install WLAN APs and details of mandatory security policies to be followed when WLANs are installed.
Physical Security
Physical security also plays a part in rogue AP prevention. Physical security standards should be in place to prevent an intruder from gaining unauthorized access to the enterprise premises or to detect the intruder if physical access is gained.
Supported Wireless Infrastructure
Given that almost all rogue APs are installed by the Frustrated Insider class of user, the best way to prevent such rogue installs is to remove the motivation for them. Installing a managed, supported, and secure WLAN network throughout the enterprise removes the motivation for employees to install rogue APs. A WLAN network provides proven productivity gains as well as removing the motivation for almost all rogue AP installations.
IEEE 802.1x Port-based Security to Prevent APs
Cisco switches support an IEEE standard called 802.1x which provides port-based security. With 802.1x enabled on switches and APs at the edge of the network, no device can be connected unless the device is able to 802.1x authenticate to a RADIUS server behind the switch.
Figure 9-4 Preventing Rogue APs with 802.1x Port-based Security (figure labels: 802.1x pushed to the WLAN edge; 802.1x disabled only on authorized AP switch ports; Rogue AccessPoint and Authorized AccessPoint attached to the switch)
How IEEE 802.1x Port Based Security Works
The IEEE 802.1x standard allows the implementation of port-based network access control to a network device. The mechanism relies on the 802.1x link-layer protocol to transport EAP messages to the authenticator device. In this case a Cisco Catalyst switch is used—which in turn relays the received EAP information to a CiscoSecure Access Control Server using the RADIUS protocol. The Network Access Control and Policy Enforcement solution from Cisco provides the network with the following services and abilities:
• User and/or device authentication.
• Granting or denying network access at an individual port level, based on configured authorization policy.
• Enforcing additional applicable policies, such as resource access and quality of service, on any access granted.
These abilities are introduced when a Cisco end-to-end solution is implemented with the following features and technologies:
• Cisco Catalyst 4000 or 6000 family switches
• Cisco Catalyst 2950 or 3550 switches
• CiscoSecure Access Control Server (ACS) for Windows v3.1
• An 802.1x compliant client operating system, such as Microsoft Windows XP, Windows 2000, or Windows 98 (see below for details)
• Optionally, for strong authentication, an X.509 Public Key Infrastructure (PKI) certificate architecture
By configuring 802.1x compliant client software with a PKI certificate, or username and password, the Cisco Catalyst family switches running 802.1x features authenticate the requesting user or system in conjunction with a back-end CiscoSecure ACS server. Figure 9-5 illustrates these concepts.
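The reason 802.1x prevents rogue APs is visible in the port state machine: an edge port stays unauthorized until a supplicant on the attached device completes the EAP exchange and the RADIUS server accepts it, and a consumer AP with no supplicant never gets past the identity request. The following is an added toy model written for this page, not Cisco, ACS or RADIUS code: the supplicant, the switch (authenticator) and the RADIUS server exchange Python dicts in the order of the six steps in Figure 9-5, with no real EAP or RADIUS encoding. Account names, the plaintext credential check and the policy database are constructed stand-ins; the real methods in Table 9-3 (EAP-TLS, Protected EAP) carry certificates or protected credentials, not plaintext.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class PolicyDB:
    """Stands in for the user database CiscoSecure ACS consults (steps 3 and 4).
    Constructed accounts with a plaintext check, purely for the model."""
    def __init__(self, users: Dict[str, str]) -> None:
        self._users = users

    def check(self, username: str, password: str) -> bool:
        return self._users.get(username) == password


class RadiusServer:
    """Receives the relayed identity and credential and answers Accept or Reject (step 5)."""
    def __init__(self, db: PolicyDB) -> None:
        self.db = db

    def access_request(self, attrs: Dict[str, str]) -> str:
        ok = self.db.check(attrs.get("User-Name", ""), attrs.get("User-Password", ""))
        return "Access-Accept" if ok else "Access-Reject"


class Supplicant:
    """802.1x client stack on the attached device: answers EAP-Request/Identity (steps 1 and 2)."""
    def __init__(self, username: str, password: str) -> None:
        self.username, self.password = username, password

    def respond(self, eap_request: str) -> Optional[Dict[str, str]]:
        if eap_request == "EAP-Request/Identity":
            return {"identity": self.username, "credential": self.password}
        return None


class NoSupplicant:
    """A device with no 802.1x stack, for example a consumer AP plugged into an
    edge port: it never answers the switch's EAP request."""
    def respond(self, eap_request: str) -> Optional[Dict[str, str]]:
        return None


@dataclass
class Switch:
    """Authenticator: a port stays unauthorized until RADIUS accepts (step 6)."""
    radius: RadiusServer
    port_state: Dict[str, str] = field(default_factory=dict)
    trace: List[str] = field(default_factory=list)

    def link_up(self, port: str, device) -> str:
        self.port_state[port] = "unauthorized"   # only EAPOL is passed in this state
        reply = device.respond("EAP-Request/Identity")
        if reply is None:
            self.trace.append(f"{port}: no EAP-Response, port stays unauthorized")
            return self.port_state[port]
        # Step 3: relay the EAP identity/credential to the RADIUS server.
        result = self.radius.access_request(
            {"User-Name": reply["identity"], "User-Password": reply["credential"]})
        if result == "Access-Accept":
            self.port_state[port] = "authorized"
        self.trace.append(f"{port}: {result}, port {self.port_state[port]}")
        return self.port_state[port]


def build_switch() -> Switch:
    # Constructed policy database with one account.
    return Switch(RadiusServer(PolicyDB({"jdoe": "correct-horse"})))


def demo() -> Dict[str, str]:
    sw = build_switch()
    sw.link_up("Fa0/1", Supplicant("jdoe", "correct-horse"))   # valid user: port authorized
    sw.link_up("Fa0/2", Supplicant("jdoe", "wrong"))           # bad credential: rejected
    sw.link_up("Fa0/3", NoSupplicant())                        # rogue consumer AP: never authorized
    return dict(sw.port_state)
```

`demo()` leaves Fa0/1 authorized and the other two ports unauthorized; the trace records why each decision was made, which is the same information an administrator would look for in switch and ACS logs when investigating a port that never came up.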
Figure 9-5 802.1x Operation (figure steps: 1 Login Request; 2 Login Info; 3 Check with Policy DB; 4 This is John Doe!; 5 Login good! Allow access, John Doe is allowed access; 6 Switch enables port)
User or device credentials and reference information are processed by the CiscoSecure ACS server. CiscoSecure ACS can reference user or device policy profile information either internally, using its integrated user database, or from external database sources such as Microsoft Active Directory, LDAP, Novell NDS, or Oracle databases. This allows the solution to be integrated into existing user management structures and schemes, thereby simplifying overall management. Table 9-3 summarizes the 802.1x authentication types supported and available on Cisco switches and APs.

Table 9-3 Supported/Available 802.1x Authentication Types (Cisco Switches and APs)
Wireless ports: EAP-Cisco, Protected EAP, EAP-TLS
Wired ports: Protected EAP, EAP-TLS, EAP-MD5 (not suitable for wireless due to lack of mutual authentication support)
802.1x Client Support
The 802.1x client device requires a stack that supports 802.1x. This client code is called an 802.1x supplicant. The following are current 802.1x supplicants:
• Microsoft Windows XP Professional (integrated)
• Microsoft Windows 2000 and 2000 Server, NT 4.0, ME, 98 and 98SE (Microsoft add-on): http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp and http://support.microsoft.com/default.aspx?scid=kb;en-us;313664
• Linux (open source add-on)
• Sun Solaris (open source add-on)
• EAP-Cisco client (wireless only)
• Funk client: http://www.funk.com/
• MeetingHouse client: http://www.mtghouse.com/products/client/index.shtml
Although the above client stacks allow enterprises to enable 802.1x on most PCs, there are likely to be some network-attached devices that lack 802.1x support. Non-802.1x-capable devices include:
• IP phones
• Printers
  Note: HP has 802.1x support in wireless JetDirect printers and is considering support for wired printers.
• WLAN APs
Enabling 802.1x Support on the Switch
By default, 802.1x is disabled on CatOS switches. To enable it, issue the following command:

set dot1x system-auth-control enable

This enables the 802.1x authentication control feature globally. Catalyst switches allow various per-port options to be configured with regard to 802.1x behavior, among them the ability to enable or disable port authentication, enable or disable periodic re-authentication, and enable or disable 802.1x multiple-host mode. The following command-line segment illustrates these features:

# Port-level 802.1x configuration
# Setting port-control to auto requires an 802.1x login on that port.
set port dot1x 3/2 port-control auto
# Setting port-control to force-authorized disables the login requirement.
set port dot1x 3/1,3/3-48 port-control force-authorized
# Multiple hosts per port can be allowed with the following command. By default only one host is allowed per port.
set port dot1x 3/2 multiple-host enable
set port dot1x 3/1,3/3-48 multiple-host disable
# Periodic re-authentication may be enabled for added security. By default re-authentication is disabled.
set port dot1x 3/2 re-authentication enable
set port dot1x 3/1,3/3-48 re-authentication disable

Enabling multiple-host mode on a port weakens the rogue AP protection: once the first host on that port has authenticated, every other host seen on the port is admitted without authenticating, which is exactly what a rogue AP bridging wireless clients onto the port would benefit from. Leave it disabled on user ports.
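The same policy, as an added Python example that is not part of this guide and not Cisco tooling: it generates the CatOS commands above for a whole line card rather than the two port groups shown, requiring 802.1x (port-control auto, single host, periodic re-authentication) on every port except the ports of authorized APs, which Figure 9-4 exempts with force-authorized. The slot number, port count and the list of authorized AP ports are assumptions for illustration.

```python
"""Generate CatOS 802.1x port configuration for one line card.

Added example, not from the Cisco design guide: it applies the Figure 9-4
policy (802.1x required on every access port except the ports of authorized
APs) and emits the CatOS commands shown in the text. Slot, port count and the
authorized AP port list in __main__ are assumptions for illustration.
"""
from typing import Iterable, List


def compress_ports(slot: int, ports: Iterable[int]) -> str:
    """Render a set of port numbers in CatOS range syntax, e.g. 3/1,3/3-48."""
    ports = sorted(set(ports))
    if not ports:
        return ""
    ranges: List[str] = []
    start = prev = ports[0]
    for p in ports[1:]:
        if p == prev + 1:
            prev = p
            continue
        ranges.append(f"{slot}/{start}" if start == prev else f"{slot}/{start}-{prev}")
        start = prev = p
    ranges.append(f"{slot}/{start}" if start == prev else f"{slot}/{start}-{prev}")
    return ",".join(ranges)


def dot1x_config(slot: int, port_count: int, authorized_ap_ports: Iterable[int],
                 reauth: bool = True) -> List[str]:
    """Return CatOS commands: force-authorized only on authorized AP ports, auto elsewhere."""
    ap = set(authorized_ap_ports)
    bad = sorted(p for p in ap if not 1 <= p <= port_count)
    if bad:
        raise ValueError(f"authorized AP port(s) outside 1-{port_count}: {bad}")
    users = set(range(1, port_count + 1)) - ap
    cmds = ["set dot1x system-auth-control enable"]
    if users:
        u = compress_ports(slot, users)
        cmds += [
            f"set port dot1x {u} port-control auto",
            # one host per port: a rogue AP cannot bridge more clients behind the first login
            f"set port dot1x {u} multiple-host disable",
            f"set port dot1x {u} re-authentication {'enable' if reauth else 'disable'}",
        ]
    if ap:
        # Authorized APs carry no supplicant, so their ports are exempted (Figure 9-4)
        cmds.append(f"set port dot1x {compress_ports(slot, ap)} port-control force-authorized")
    return cmds


if __name__ == "__main__":
    # assumed: a 48-port card in slot 3 with authorized APs on 3/2 and 3/17
    print("\n".join(dot1x_config(3, 48, [2, 17])))
```

Ports that carry non-802.1x devices other than APs (the IP phones and printers listed above) would need to be passed in the same way as the AP ports, or handled with the port security limits described in the next section.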
Using Catalyst Switch Filters to Limit MAC Addresses per Port
The set port security command allows an administrator to restrict the number of MAC addresses that can be associated with a switch port, and the action to take if more than that number of MACs are seen (shut the port down, or deny the additional addresses).

Note: This command is not necessary if 802.1x is used to provide port-based security, as 802.1x limits the number of MAC addresses per port by default. With this command it is possible to limit the number of MAC addresses to one (for a user PC) or two (for a user IP phone and PC). With this limit in place it might still be possible to connect a rogue AP to the network in place of a phone or PC, but at most as many wireless clients as there are secured MAC addresses could use it.
Configuring Catalyst Switch Filters to Limit MAC Addresses per Port
If you enter the set port security enable command but do not specify a MAC address, the first MAC address seen on the port becomes the secure MAC address. If you enter the set port security enable maximum num_of_mac command, you can specify the number of MAC addresses to secure on a port.
Limitations of Using Catalyst Switch Filters to Limit MAC Addresses per Port
In an IP phone environment, two MAC addresses are needed per port: one for the phone and one for the user PC. If a rogue AP were plugged into an unused port on the network, one wireless client could associate to it without being blocked by the port filter.
Detecting Rogue APs
In addition to the rogue AP prevention mechanisms mentioned in the “Preventing Rogue APs” section on page 9-7, a combination of the following rogue AP detection methods should also be used by the IT security administrator:
• Detecting Rogue APs Wirelessly, page 9-12
• Other Wireless Analyzers, page 9-13
• Detecting Rogue AP from the Wired Network, page 9-15
• Detecting Rogue APs Physically, page 9-19
Figure 9-6 summarizes these detection options.

Figure 9-6 Detecting Rogue APs
(Figure: regular scripted audits run from the wired network across Layer 3 subnets A and B; an active wireless audit; physical observation.)
Detecting Rogue APs Wirelessly
Detecting rogue APs wirelessly is the process of using WLAN hardware and software to detect rogue APs. Table 9-4 summarizes the advantages and disadvantages of wireless detection of rogue APs.

Table 9-4 Advantages and Disadvantages of Wireless Detection of Rogue APs
Wireless detection advantages:
• Often picks up APs that the other rogue AP detection methods miss.
• Very effective at detecting APs installed by the Frustrated Insider class of installer (default security options, broadcast SSID).
Wireless detection caveats:
• You must be within range of an AP to be able to detect it, which requires labor-intensive walking around with an analyzer.
• Many tools do not see APs that do not broadcast their SSID.
• Remote sites cannot easily be surveyed.
• WLAN AP signals are often difficult to pick up because building materials block 802.11 signals.
Using Boingo for AP Detection
Boingo is a free client utility that can be downloaded from http://www.boingo.com/. The Boingo client is intended to sniff for WLAN hotspots and provides an easy way for users to connect to hotspots that are part of the Boingo network. The Boingo client detects most WLAN networks and displays their presence, even if they are not part of the Boingo network. This makes Boingo an ideal tool for very lightweight rogue AP detection. Boingo needs to be able to see the WLAN SSID in order to display it. Boingo can detect the SSID in one of two ways:
• The WLAN is broadcasting its SSID. The Frustrated Insider class of user is responsible for the vast majority of rogue AP installs, and this type of user is unlikely to have the sophistication or intent to turn SSID broadcast off.
• The WLAN is not broadcasting its SSID. For Boingo to detect a non-broadcast SSID, the WLAN must be active enough for the Boingo client to observe a probe-request/probe-response sequence; the WLAN SSID is visible in the probe response. This sequence of frames does not happen very often and is unlikely to be observed during a one-time audit of an area with a lightly loaded rogue AP.
Installing Boingo
The Boingo download is about 10 MB. The install is quick and simple and does not normally require the PC to be rebooted. Once installed, Boingo starts automatically when Windows starts. Boingo has some impact on normal WLAN operation because it briefly stops transmitting WLAN frames in order to scan all 802.11 channels for WLAN networks. After installation, users might therefore wish to prevent Boingo from auto-starting with Windows by removing it from the Start > Programs > Startup folder. Boingo can then be started manually as required.
Using Boingo
When Boingo is running, it is visible as a white letter B icon on the task bar. Double-clicking this icon launches the Boingo application, where all visible 802.11 WLAN networks are displayed. A sample Boingo screen is shown in Figure 9-7.

Figure 9-7 Sample Boingo Screen
Other Wireless Analyzers
There are many other WLAN analyzers available, which are to various degrees capable of detecting rogue APs. Table 9-5 outlines several wireless analyzers.

Table 9-5 Summary of Wireless Analyzers
Wireless analyzer: web location, description and comments
• Airmagnet: www.airmagnet.com. A full-featured WLAN site-survey tool running on a Compaq iPaq. A commercial product.
• Netstumbler: www.netstumbler.org/. Free software that can be downloaded from the Internet. Detects WLAN APs and displays information about them. Very popular and well known.
• Sniffer: www.sniffer.com. Professional wireless analyzer. It can be used to help look for rogue APs by defining filters to look for beacons but exclude authorized SSIDs, and by defining filters to look for the MAC OUIs of known AP vendors.
• Wildpackets (AiroPeek): www.wildpackets.com/products/airopeek. Professional wireless analyzer. It can be used to help look for rogue APs by defining filters to look for beacons but exclude authorized SSIDs, and by defining filters to look for the MAC OUIs of known AP vendors.
• Observer: www.networkinstruments.com/. It can be used to help look for rogue APs by defining filters to look for beacons but exclude authorized SSIDs, and by defining filters to look for the MAC OUIs of known AP vendors.
• Finisar Surveyor: www.gofinisar.com/products/protocol/wireless/surveyor_w.html. It can be used to help look for rogue APs by defining filters to look for beacons but exclude authorized SSIDs, and by defining filters to look for the MAC OUIs of known AP vendors.
• Wellenreiter: www.remote-exploit.org/. Similar to Netstumbler. Detects WLAN APs and displays information about them. Less popular or well known than Netstumbler.
• Kismet: www.kismetwireless.net/. Open source wireless sniffer. It can be used to help look for rogue APs by defining filters to look for beacons but exclude authorized SSIDs.
• dachb0den bsd-airtools: www.dachb0den.com/projects/bsd-airtools.html. Seems to be a combination of Netstumbler and Airsnort functionality. Not very well known.
• Hornet: www.bvsystems.com/Products/WLAN/Hornet/hornet.htm. Dedicated hardware that looks for a list of AP MAC addresses configured on and downloaded from a PC.
• IBM Distributed Wireless Security Auditor: www.research.ibm.com/gsal/dwsa/. Prototype only, not for sale. Uses client software on enterprise NICs to detect and report on all detected APs and their security settings. A back-end system compares the list of detected APs with a list of authorized APs and alerts on unknown APs.
• IBM Access Connections for Windows 2000/XP (ThinkPad): www.pc.ibm.com/qtechinfo/MIGR-4ZLNJB.html. Access Connections is a connectivity assistant program for ThinkPad computers. It lets you quickly switch network and Internet settings by selecting a location profile. Network and Internet settings for modem, wired LAN and wireless LAN devices can be defined in a location profile and restored whenever needed, so that you can connect to the network without reconfiguring settings when you move from office to home or on the road.
Once a WLAN analyzer has detected a suspected rogue AP, a directional antenna on the analyzer is a very useful aid in locating the AP. A list of WLAN tools is maintained at the NetworkIntrusion link pointed to in the “Links and References” section on page 1-8.
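The filter that the analyzers above apply (look at beacons and probe responses, drop anything carrying an authorized SSID), together with the hidden-SSID case discussed for Boingo, as an added Python example that is not part of this guide or of any product listed in Table 9-5. The captured frames, the BSSIDs and the AUTHORIZED_SSIDS allowlist are all constructed for the demonstration; the parser itself follows the standard 802.11 management frame layout (24-byte header, then timestamp, beacon interval, capability field and information elements).

```python
"""Flag unknown and hidden SSIDs in captured 802.11 beacons and probe responses.

Added example, not from the design guide or any analyzer it lists. It performs
the beacon filter the text describes: parse management frames, ignore APs that
advertise an authorized SSID, report the rest. Frames and the allowlist are
constructed here for the demonstration.
"""
import struct
from typing import Dict, List, Optional

BEACON, PROBE_RESP = 0x80, 0x50   # frame-control byte 0: subtype << 4 | type (mgmt = 0)
CAP_PRIVACY = 0x0010              # capability bit: privacy (WEP) required
AUTHORIZED_SSIDS = {"corp-wlan", "corp-guest"}   # assumed enterprise allowlist


def parse_mgmt_frame(frame: bytes) -> Optional[Dict[str, object]]:
    """Return bssid/ssid/privacy/kind for a beacon or probe response, else None."""
    if len(frame) < 36 or frame[0] not in (BEACON, PROBE_RESP):
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # Address 3 = BSSID
    # body: timestamp(8) + beacon interval(2) + capability(2), then IEs
    capability = struct.unpack_from("<H", frame, 34)[0]
    ssid, pos = None, 36
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + ie_len]
        if len(data) < ie_len:
            break                                   # truncated frame, stop parsing
        if ie_id == 0:                              # SSID element
            ssid = data.decode("utf-8", "replace")
            break
        pos += 2 + ie_len
    return {"bssid": bssid, "ssid": ssid, "privacy": bool(capability & CAP_PRIVACY),
            "kind": "beacon" if frame[0] == BEACON else "probe-resp"}


def rogue_candidates(frames: List[bytes]) -> List[Dict[str, object]]:
    """One record per BSSID, minus anything advertising an authorized SSID."""
    seen: Dict[str, Dict[str, object]] = {}
    for f in frames:
        rec = parse_mgmt_frame(f)
        if rec is None:
            continue
        # A hidden (empty) SSID in a beacon is not an authorized name. A probe
        # response from the same BSSID carries the real SSID, so prefer it.
        rec["hidden_ssid"] = not rec["ssid"]
        prev = seen.get(rec["bssid"])
        if prev is None or (prev["hidden_ssid"] and not rec["hidden_ssid"]):
            seen[rec["bssid"]] = rec
    return [r for r in seen.values() if r["ssid"] not in AUTHORIZED_SSIDS]


def build_frame(subtype: int, bssid: bytes, ssid: str, privacy: bool) -> bytes:
    """Constructed test frame: header, fixed fields, SSID IE, then a dummy rates IE."""
    hdr = bytes([subtype, 0]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 1, 0x82])
    return hdr + fixed + ies


SAMPLE = [  # constructed capture, not real traffic
    build_frame(BEACON, bytes.fromhex("004096aabb01"), "corp-wlan", True),
    build_frame(BEACON, bytes.fromhex("00045acc0001"), "linksys", False),  # default SSID, no WEP
    build_frame(BEACON, bytes.fromhex("00022dee0002"), "", True),         # hidden SSID
    build_frame(PROBE_RESP, bytes.fromhex("00022dee0002"), "lab-ap", True),
]

if __name__ == "__main__":
    for r in rogue_candidates(SAMPLE):
        print(r)
```

The hidden-SSID case shows why a one-time audit can miss a lightly used rogue AP: until a probe response is seen, all the beacon yields is a BSSID with an empty SSID, which is still worth reporting because no authorized AP should be configured that way.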
Detecting Rogue AP from the Wired Network
A combination of the following rogue AP detection methods should be used by IT security administrators:
• Using MAC Addresses to Detect Rogue AP, page 9-16
• Using Operating System Fingerprinting to Detect Rogue APs, page 9-17
• Using SNMP to Detect Rogue APs, page 9-18
• Using Cisco Emergency Responder to Locate an AP Based on MAC Address, page 9-18
• Using Intrusion Detection to Detect Rogue APs, page 9-18
A large number of software tools are available to aid in detecting rogue APs from a wired management station on the Ethernet portion of the network. Table 9-6 summarizes the advantages and disadvantages of wired detection of rogue APs.

Table 9-6 Advantages and Disadvantages of Wired Rogue AP Detection
Advantages:
• Easier to monitor networks on a more real-time basis.
• Automated, so less manpower intensive. Easier to survey remote sites.
Disadvantages:
• Can miss some rogue APs.
• Most of the software is immature and/or not specifically written to detect rogue APs. May create false positives on intrusion detection systems and personal firewalls.
Using MAC Addresses to Detect Rogue AP
Some tools detect rogue APs by looking for MAC addresses whose OUI belongs to a known AP vendor, or by cataloging all authorized MAC addresses in the network and looking for new ones. The latter approach has the advantage of also alerting IT administrators when an unauthorized non-AP device (such as an unauthorized laptop) is connected to the network, but it produces more false positives.

Known AP MAC Addresses
Table 9-7 provides a partial list of MAC OUIs used by AP vendors. This table was obtained from the aptools site at aptools.sourceforge.net.

Table 9-7 Partial Listing of MAC OUIs
Manufacturer: MAC address range (OUI)
3Com: 0001.03 | 0004.76 | 0050.da | 0800.02
Addtron: 0040.33 | 0090.d1
Advanced Multimedia Internet: 0050.18
Apple: 0030.65
Aironet: 0040.96
Atmel: 0004.25
Bay Networks: 0020.d8
BreezeNet: 0010.e7
Cabletron (Enterasys): 0001.f4 | 00e0.63
Camtec: 0000.ff
Compaq: 0050.8b
D-Link: 0005.5d | 0040.05 | 0090.4b
Delta Networks: 0030.ab
Intel: 0002.b3
Linksys: 0003.2f | 0004.5a
Lucent: 0002.2d | 0060.1d | 0202.2d
Nokia: 00e0.03
Samsung: 0000.f0 | 0002.78
Senao Intl: 0002.6f
SMC: 00e0.29 | 0090.d1
SOHOware: 0080.c6
Sony: 0800.46
Symbol: 00a0.f8 | 00a0.0f
Z-Com: 0060.b3
Zoom: 0040.36
Known MAC Addresses Monitoring Tools
Table 9-8 presents a summary of monitoring tools for APs based on known MAC addresses.

Table 9-8 Summary of Monitoring Tools for APs Based on Known MAC Addresses
• APTools: aptools.sourceforge.net, aptools.sourceforge.net/wireless.ppt. Can discover APs based on MAC address, then determine whether the device is an AP (not a wireless NIC) via HTTP. Can also check security settings (WEP) and SNMP settings via HTML.
• arpwatch: www-nrg.ee.lbl.gov. Arpwatch monitors Ethernet activity and keeps a database of Ethernet/IP address pairings. It also reports certain changes via e-mail.
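Both wired approaches from this section in one added Python example that is not part of the guide, of APTools or of arpwatch: it matches each wired MAC address against the Table 9-7 OUI list and, separately, reports addresses that were not present in an earlier baseline, the way a scripted audit in Figure 9-6 would. The address tables are constructed in an assumed arpwatch-style layout (MAC, IP, last-seen timestamp, optional hostname); the OUI subset is copied from Table 9-7, and the authorized-AP list passed to audit() is an assumption.

```python
"""Catalog wired MAC addresses and flag ones whose OUI belongs to an AP vendor.

Added example, not from the guide, APTools or arpwatch. It combines the two
approaches in the text: match MAC prefixes against the Table 9-7 OUI list and
report MACs absent from a previous baseline. Both address tables below are
constructed; the OUI subset is copied from Table 9-7.
"""
import re
from typing import Dict, List, Set, Tuple

# Subset of Table 9-7, in the guide's "xxxx.xx" prefix notation
AP_OUIS = {
    "3Com": "0001.03|0004.76|0050.da|0800.02",
    "Aironet": "0040.96",
    "Apple": "0030.65",
    "D-Link": "0005.5d|0040.05|0090.4b",
    "Linksys": "0003.2f|0004.5a",
    "Lucent": "0002.2d|0060.1d|0202.2d",
    "Symbol": "00a0.f8|00a0.0f",
}
_MAC_RE = re.compile(r"[0-9a-fA-F]{2}(?:[:\-.]?[0-9a-fA-F]{2}){5}")
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalize_mac(mac: str) -> str:
    """Canonical 'aabbccddeeff' for the 00:40:96..., 00-40-96... and 0040.96... styles."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return hexdigits


def oui_table(vendors: Dict[str, str]) -> Dict[str, str]:
    """Expand the '|'-separated prefix lists into {6-hex-digit OUI: vendor}."""
    table: Dict[str, str] = {}
    for vendor, prefixes in vendors.items():
        for p in prefixes.split("|"):
            table[p.replace(".", "").lower()] = vendor
    return table


def parse_address_table(text: str) -> Dict[str, str]:
    """Pull (MAC -> IP) pairs out of free-form lines such as arpwatch's arp.dat."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        mac, ip = _MAC_RE.search(line), _IP_RE.search(line)
        if mac and ip:
            found[normalize_mac(mac.group())] = ip.group()
    return found


def audit(current: Dict[str, str], baseline: Set[str],
          authorized_aps: Set[str] = frozenset(),
          vendors: Dict[str, str] = AP_OUIS) -> List[Tuple[str, str, str]]:
    """Return (mac, ip, reason) for AP-vendor OUIs and for MACs absent from the baseline."""
    table = oui_table(vendors)
    alerts: List[Tuple[str, str, str]] = []
    for mac, ip in sorted(current.items()):
        if mac in authorized_aps:
            continue                       # sanctioned AP, not a rogue
        vendor = table.get(mac[:6])
        if vendor:
            alerts.append((mac, ip, f"OUI of AP vendor {vendor}"))
        elif mac not in baseline:
            alerts.append((mac, ip, "new MAC not in baseline"))   # may also be a new laptop
    return alerts


# Constructed data in an assumed arp.dat-like layout: mac, ip, last-seen, hostname
BASELINE_SNAPSHOT = """\
00:e0:b0:12:34:56\t10.1.1.10\t1046000000\tpc-jdoe
00:d0:b7:00:11:22\t10.1.1.11\t1046000000\tprinter-2
"""
CURRENT_SNAPSHOT = """\
00:e0:b0:12:34:56\t10.1.1.10\t1046100000\tpc-jdoe
00:d0:b7:00:11:22\t10.1.1.11\t1046100000\tprinter-2
00:04:5a:de:ad:01\t10.1.1.77\t1046100000
00:50:56:c0:00:08\t10.1.1.78\t1046100000
"""

if __name__ == "__main__":
    baseline = set(parse_address_table(BASELINE_SNAPSHOT))
    for row in audit(parse_address_table(CURRENT_SNAPSHOT), baseline):
        print(row)
```

The OUI match only sees the AP's own address if the AP itself sends traffic; wireless clients bridged through it show up as ordinary new MACs, which is why the baseline comparison is kept as a second check even though it also catches unauthorized laptops.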
Using Operating System Fingerprinting to Detect Rogue APs
Operating system (OS) fingerprinting tools are typically used by attackers to learn more about the host behind an IP address, so that they can target attacks at any known weaknesses of that host OS. OS fingerprinting works by observing particular characteristics of individual OSs, such as the way they respond to TCP packets with obscure TCP flags and options set. OS fingerprinting tools are capable of correctly identifying some APs, but this has not been tested for this publication. Table 9-9 lists known OS fingerprinting tools.
Table 9-9 Summary of Known OS Fingerprinting Tools
• NMAP: www.insecure.org/nmap/index.html, www.insecure.org/nmap/nmap-fingerprinting-article.html. Very well known, popular and respected tool. Unproven as a rogue AP detection tool, but may be useful in conjunction with other rogue AP detection techniques. Generates alerts in intrusion detection and personal firewall systems.
• xprobe: www.sys-security.com/html/projects/X.html. Xprobe 1 combines various remote active OS fingerprinting methods using the ICMP protocol, discovered during the ICMP Usage in Scanning research project, into a simple, fast, efficient and powerful way to detect the underlying OS of a targeted host. Xprobe2 takes a different approach, relying on fuzzy signature matching, probabilistic guesses, multiple simultaneous matches, and a signature database. Unproven as a rogue AP detection tool, but may be useful in conjunction with other rogue AP detection techniques. Generates alerts in intrusion detection and personal firewall systems.
Using SNMP to Detect Rogue APs
SNMP is not thought to be a very effective way to detect rogue APs. Most rogue APs probably would not have SNMP enabled, and even if they did, their SNMP community strings would probably be unknown. If an SNMP tool is required for rogue AP detection, CiscoWorks for Windows would be a suitable tool. Refer to the following URL for more information: http://www.cisco.com/en/US/products/sw/cscowork/ps2406/index.html

Using Cisco Emergency Responder to Locate an AP Based on MAC Address
Cisco Emergency Responder provides a system for tracking and maintaining the exact location of every Ethernet switch port termination. The location information available from Cisco Emergency Responder can be useful in quickly locating and apprehending people who connect unauthorized equipment such as rogue APs to an Enterprise Network. More information on Cisco Emergency Responder is available at the following URL: http://www.cisco.com/en/US/products/sw/voicesw/ps842/index.html

Using Intrusion Detection to Detect Rogue APs
Cisco has an extensive line of network intrusion detection equipment. At this time, Cisco does not have intrusion detection equipment capable of detecting the presence of rogue APs. Intrusion detection equipment is still necessary to detect any suspicious activity that might result from unauthorized use of a rogue AP.
More information on Cisco Intrusion Detection is available at the following URL: http://www.cisco.com/en/US/products/sw/secursw/ps2113/index.html
Detecting Rogue APs Physically
IT security personnel can also detect unauthorized WLAN activity by physically observing the work environment. IT security personnel should be alert for the following:
• Unauthorized WLAN APs in visible locations.
• Employees using WLAN access in locations where WLAN access should not be available.
• Warchalking symbols denoting WLAN availability. See http://www.warchalking.org/ for more information.
Chapter 10
WLAN Guest Network Access
This chapter presents the advantages, risks, and proposed configuration for WLAN Guest Network access and addresses the following key topics:
• Reasons for providing Guest Network access
• WLAN as one of the best mechanisms for providing Guest Network access
• Caveats to consider in a WLAN Guest Network implementation
• Example configurations for Cisco AP350s and AP1100s
The need for guest access has evolved as the needs of guests have evolved. Once it was sufficient to provide guests with a chair and a phone; now, in the age of laptops, networked applications, and digital phone lines, the guest is disconnected while visiting your enterprise. Guest Networks are network connections provided by an enterprise to allow their guests to gain access to the Internet, and to the guest’s own enterprise, without compromising the security of the host enterprise. Figure 10-1 illustrates the Guest Access Network concept. Guests are within the Enterprise Network but are only able to access the Internet; enterprise employees have full access to the enterprise applications and the Internet. This chapter addresses Guest Access WLANs in the following sections:
• Benefits of Guest Network Access, page 10-3
• Deployment Considerations and Caveats, page 10-4
• Guest WLAN Recommendations, page 10-5
• Configuring Guest WLANs, page 10-7
Figure 10-1 Guest Access Network
(Figure: an enterprise AP uses WLAN VLANs to provide both the enterprise and the guest WLAN; the fixed network provides a wired guest network back to the Internet; guests reach only the Internet, while employees reach the enterprise applications and the Internet.)
Benefits of Guest Network Access
At first blush the lack of network access for guests may not seem to be an issue, but we need to remember that the guest is there because we want them there. The guest may be a business partner, a technician, or a salesperson who has been brought to the enterprise to perform a task, and without Guest Network access their performance is degraded. As businesses become more networked, with outsourcing of non-core activities, this degradation increases if network access is not provided. The primary benefits of Guest Network access are presented in the following discussions:
• Increased Security, page 10-3
• Increased Productivity, page 10-3
• Benefits of WLAN Guest Network Access, page 10-3
Increased Security
It may appear counter-intuitive that Guest Network access increases security, but the reality is that Guest Network access occurs in Enterprise Networks now, in an uncontrolled manner. These guests are not hackers; they are simply highly motivated people trying to get their job done. The main concern with these guests is that they are a potential source of viruses, worms, and Trojans: the PC with which they connect to the Enterprise Network might not have the security systems that exist on the local enterprise PCs. Guest Network access provides guests of this type with a way to connect to an Enterprise Network in order to be more productive, while limiting the risk to the host organization. Why risk violating policy, and the relationship with the host, when there is a credible solution?
Increased Productivity
The guest of an enterprise is there for a reason: the enterprise wants them to perform a task. The more efficiently this task is performed, the better it is for both enterprises. If a service technician is visiting the enterprise, it is in the enterprise’s interest for that service or repair to happen in the minimum amount of time and with the least amount of disruption. If a salesperson is visiting the enterprise, it is in the enterprise’s interest that the presentation be accurate and up to date. By having immediate access to information, the salesperson is able to position products appropriately and answer as many questions as possible while at the enterprise. This immediate responsiveness could potentially lead to orders being placed while on site.
Benefits of WLAN Guest Network Access
WLAN technology can provide Guest Network access because of the following characteristics:
• Provides wide coverage, including areas such as lobbies and waiting rooms that may not traditionally have cabling
• Removes the need to have a dedicated location for guest access
• Allows partners to access their network resources while in meeting rooms and offices, giving them the productivity benefits that WLAN gives the enterprise employees
Deployment Considerations and Caveats
The greater range of WLANs that is an advantage in deploying Guest Networks also introduces issues:
• User Authentication. People who are not guests may access the Guest Network through their physical proximity to the WLAN Guest Network. This is not an issue in a wired network, as the guest has to be brought past the physical security. This means that the WLAN Guest Network requires user authentication, authorization and accounting beyond that required for the wired network.
• Authentication Options. There are currently two models for authenticating guests:
  – The use of a web interface such as Cisco Building Broadband Service Manager (BBSM) or Cisco IOS Authentication Proxy.
  – The use of a specialized client such as an 802.1x/EAP client or an IPSec client.
• Web Authentication. Web interface authentication relies on the ubiquity of HTML browsers. Prior to using the Guest Network, users must launch their browser and try to access a web site. The browser is redirected to an authentication page, and the users must enter their authentication details before access is granted. Browser authentication does not generate dynamic per-session encryption keys and, in order to make the WLAN easy to use and easy to support, no static encryption is used on the WLAN link. This means that authenticated users are only distinguishable from unauthenticated users by their IP addresses and MAC addresses (if on the same Layer 2 network). As the IP address and MAC address are sent in clear text, they are open to exploitation through IP address and MAC address spoofing.
• BBSM. The BBSM is specifically designed for guest access applications; apart from providing a sophisticated HTML-controlled user interface, it provides MAC-level authentication if the client is on the same Layer 2 network as the BBSM, and uses switch and AP management interfaces to control where and when a client can use the network.
• Cisco IOS Authentication Proxy. Included in the Cisco IOS firewall feature set; provides a simple HTML interface; and controls access based upon a client’s IP address.
• Specialized Clients. Ideally guests should use 802.1x/EAP to authenticate to the Enterprise Network and generate a dynamic encryption key for their wireless session. This would be the preferred solution, as it provides authentication, authorization and privacy. Given that different enterprises are at different stages in their 802.1x/EAP maturity, guests cannot (yet) be expected to have compatible 802.1x/EAP clients on their PCs.
• IPSec VPN Clients. Another client that offers strong authentication, authorization and privacy, and could potentially be used as a Guest Network access client. The major barriers in this case would be the installation of an appropriate client on guest machines, and the interaction of two IPSec VPN clients: one providing guest access and the other providing secured access across the Internet to the guest’s home network.
• Time of Day Control. Just as physical security can control who has access to the wired network, it can also control who is present at a particular time of day. As a WLAN cannot rely upon physical security to control users, it cannot stop users from accessing the network outside of permitted hours. This means that the WLAN Guest Network must provide time-of-day control over when the service is made available.
• Additional Security. Given the weaknesses described above, the WLAN Guest Network cannot be considered as secure as the wired network and might require additional policies, processes, configuration, and equipment to ensure that an attack on the Enterprise Network through the WLAN Guest Network is not successful.
• Wired Network. The WLAN Guest Network is simply a WLAN VLAN configuration; the wired network contains the key components that control the Guest Network. Guests get authenticated access to the Internet, while being prevented from accessing the host enterprise’s systems. There are three primary configurations in the wired network:
  – VLAN controlled access, where the wired Guest VLAN is extended all the way to the authentication device and the Internet.
  – ACL controlled access, where guest traffic shares the same Layer 3 network as enterprise traffic to get to the Internet, but is prevented from accessing the Enterprise Network through the use of ACLs.
  – Routing table separation, where Guest Network traffic uses separate routing tables on the Enterprise Network to prevent access to the Enterprise Network.
  The choice of which wired-network configuration is best depends on the existing Enterprise Network. The configuration of the wired Enterprise Network to provide Guest Network access and the transport of Guest Network traffic is discussed in Chapter 5, “Wireless LAN VLANs.”
• Other Considerations from the Wired Network. Even though the WLAN Guest Network is primarily a WLAN extension of a wired Guest Network, the lack of control of physical access and the possibility of spoofing legitimate users to gain access heighten the security risk associated with Guest Networks. Therefore additional tools, such as Intrusion Detection Systems (IDS), should be considered to detect suspicious behavior.
Guest WLAN Recommendations
The following actions are key Guest WLAN setup recommendations:
1. Create a Guest WLAN VLAN with no encryption, open authentication, and a broadcast SSID.
2. Choose a Wired Guest Network model that best fits your Enterprise Network.
3. Choose an HTML authentication service that best fits your needs and topology.
4. Add application filters, time-of-day controls and IDS as required.
Key Guest WLAN recommendation considerations follow:
• Recommended 802.11 Configuration for WLAN Guest Network, page 10-5
• VLANs and WLAN Implementation, page 10-6
Recommended 802.11 Configuration for WLAN Guest Network
The biggest challenge in WLAN Guest Network access is to support the widest number of possible guests without having to provide IT support for the guests. It is recommended that WLAN Guest Network access use:
• A broadcast SSID. Some WLAN clients only operate with a broadcast SSID.
• Open authentication. The default configuration.
• No encryption. The entry and format of the WEP key varies from client to client, users can easily enter the WEP key incorrectly, and the WEP key would quickly become compromised as it is distributed in an uncontrolled manner.
This allows the Guest Access WLAN to adopt the minimum configuration while serving the widest range of WLAN clients. It also matches the configuration most used in WLAN hotspots today.
Figure 10-2 shows the Aironet Client Utility (ACU) configuration that would be used to gain access to the Guest Network. The key features of this setup are as follows:
• The SSID is configured to match the SSID that is broadcast by the enterprise WLAN Guest Network; a blank entry would also suffice if the AP is configured as recommended in this document.
• Network Security Type is none; this is “Open Authentication”.
• No WEP is selected.
Figure 10-2 ACU Configuration
VLANs and WLAN Implementation
It is assumed that enterprise employees as well as guests are using the WLAN. This means that a WLAN VLAN must be configured on the APs to allow efficient use of the WLAN infrastructure, and wired VLANs are used on the wired network access layer to separate Guest Network traffic from enterprise employee network traffic.
Configuring Guest WLANs
This section presents the following discussions addressing Guest WLAN configuration:
• Network Topology, page 10-7
• AP and Switch Configuration, page 10-8
• AP 1200 Configuration, page 10-11
• AP 1100 Configuration, page 10-14
Network Topology
Figure 10-1 on page 10-2 shows a general schematic illustrating how Guest Network traffic is tunneled across the Enterprise Network. This tunnel can be achieved via multiple technologies depending on the Enterprise Network architecture and requirements. Figure 10-3 shows a schematic of three different tunnel possibilities:
• VLAN Separation—The Guest VLAN is extended all the way to the DMZ.
• ACL Separation—The Guest VLAN is terminated at an access router; ACLs are used to ensure that Guest Network traffic is unable to reach enterprise addresses.
• Routing Table Separation—The Guest VLAN terminates at the access router, and separate routing tables ensure that Guest Network traffic can go nowhere but the DMZ.
In each of the tunneling possibilities, Guest Network users are authenticated by a BBSM before gaining access to the DMZ. Authentication of users of the Guest Network is needed to prevent the Guest Network from being used for non-authorized purposes. The BBSM is an example of a Cisco product designed for this purpose, but other tools such as Cisco IOS and PIX authentication proxy may be used, and their location in the network might be closer to the access network, such that users are authenticated at the access router.
Figure 10-3 General Guest Network Topology
[Figure: guest traffic is tunneled from the WLAN across the Enterprise Network to the DMZ, where it is authenticated, using one of three tunnel options: VLAN separation (the Guest VLAN is separate from enterprise VLANs); ACL separation (ACLs block guest access to enterprise addresses, and route maps apply a different policy to guest addresses); routing table separation (MPLS or VRF used to route guest traffic separately from enterprise traffic).]
AP and Switch Configuration
For the purpose of this example, these configurations deal with the configuration of a Guest Network access WLAN VLAN on an AP that also supports three other WLAN VLANs—named PEAP, IPSec and LEAP (with the VLAN name LEAP here used to represent an EAP-Cisco implementation)—that map to VLANs on the Ethernet interface of the AP. The configuration of PEAP, IPSec, and LEAP is not discussed in this application note; for information on WLAN AP and Client configuration refer to:
http://www.cisco.com/en/US/products/hw/wireless/ps458/prod_instructions_guides.html
Figure 10-4 shows a schematic of the example configuration used in this chapter, which has four WLAN VLANs and five VLANs on the AP. The difference in the number of VLANs is due to the addition of a wired-only VLAN for the administration of the AP.
Figure 10-4 Multiple VLANs including a Guest Network VLAN
[Figure: the AP carries four WLAN VLANs (Guest, PEAP, IPSec, LEAP) on the radio side and five VLANs (Guest, PEAP, IPSec, LEAP, Admin) on the Ethernet side.]
The configuration fragment below shows an example configuration for the switch connecting the AP to the Enterprise Network. Points to note include:
• The Admin VLAN is VLAN 825 which is the native VLAN
• The VLANs allowed for the AP connection are limited to the mandatory VLANs (1, 1002-1005) and the VLANs used on the AP (10, 20, 30, 40 and 825).
interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 40
 switchport trunk allowed vlan 1,10,20,30,40,825,1002-1005
 switchport mode trunk
Because VLANs are supported on two different platforms with different user interfaces and structure, the configuration examples are divided into two sections: the VxWorks-based AP 1200 (also supported on the AP 340), and the Cisco IOS-based AP 1100.
WLAN Guest VLAN Filtering
When applying network access control filters, a general rule is that these filters should be placed as close as possible to the users whose access is being controlled. In the case of WLAN guest networking, the closest point at which access control filters can be placed is the WLAN VLAN on the AP. Although the filtering that can be applied is limited by the need to support the applications accessible by guests, there are simple filters that can be applied:
• Protocol Filters—Guests would be expected to use specific protocols, such as ARP and IP; all other protocols on the WLAN guest VLAN can be blocked.
• Source Address—The users on the WLAN guest VLAN have IP addresses assigned through DHCP; on the AP (Cisco IOS APs only), network administrators can apply address filters that permit access from specific network addresses while blocking others.
Terminology Notes
The introduction of VLANs to the APs introduces a number of new definitions such as:
• Default VLAN—This is the VLAN associated by default with an SSID; it is called the default because the RADIUS server can provide a different VLAN number based on the group membership of a user.
• Primary SSID—The AP is only capable of sending one set of information in its beacons; the information that is sent in the beacons is that of the VLAN associated with the Primary SSID.
• Guest SSID—The AP can only have a single VLAN that accepts unencrypted traffic. The SSID associated with this VLAN is called the Guest SSID.
• Infrastructure SSID—Infrastructure such as repeaters and workgroup bridges can be associated with the AP on one particular VLAN. The SSID associated with this VLAN is called the Infrastructure SSID.
• Native VLAN—802.1q allows for one of the VLANs in the trunk to be native—thereby not requiring 802.1q encapsulation and making it possible to remain connected with the AP when trunking is enabled on the switch before it is on the AP, or vice versa. The VLAN that is given this capability is called the Native VLAN.
AP 1200 Configuration
The key AP 1200 configuration processes are presented in the following sections:
• Configuring VLANs, page 10-11
• Configuring SSIDs, page 10-12
Configuring VLANs
The first step in configuring the AP is the creation of the VLANs. To ensure continuous communication with the AP, care should be taken to have a Native VLAN configured before 802.1Q tagging is enabled. Figure 10-5 shows the VLAN Setup screen; this allows individual VLANs to be created or removed, and the Native VLAN and Unencrypted VLAN (Guest VLAN) to be set. In this example:
• VLANs are enabled by selecting 802.1Q tagging
• The Native VLAN (VLAN 40) is the VLAN that will have the AP’s IP interface
• VLAN 10 is the unencrypted VLAN used by guests
Figure 10-5 Creating VLANs and Assigning the Native and Guest VLANs
When the Add New button is used to create a new VLAN, the screen automatically changes to the VLAN security screen shown in Figure 10-6. This allows the VLAN WEP configuration to be entered. In the example shown in Figure 10-6 the Guest VLAN is being configured and there is no WEP data entered; all of the other settings in this case have been left at default.
Figure 10-6 Guest Access VLAN with Null Encryption
Configuring SSIDs
Once the VLANs have been created and configured with the appropriate WEP settings, the Service Set Identifiers (SSIDs) can be entered and associated with the appropriate VLAN. Figure 10-7 shows the AP Radio Service Sets screen. Four SSIDs have been entered and SSID 3 (LEAP) has been nominated as the Infrastructure SSID. From Figure 10-7 it can be seen that SSID 1 is the Primary SSID. The Primary SSID is configured on the AP 1200 through the standard SSID configuration mechanism (through the SSID configuration fields in the Express Setup screen or the AP Radio Identification screen). The default Primary SSID, for example, is tsunami (the name guest was simply entered as an example).
Note
The Primary SSID is the one advertised in beacons. Since a broadcast SSID is recommended for guest use, this is the SSID that should be made primary. To ensure successful configuration this should be the first SSID configuration made, because ownership of the Primary SSID cannot be transferred to another SSID. Figure 10-7 shows the SSID used for Infrastructure Stations. The Guest VLAN should not be used for Infrastructure Stations, and therefore another VLAN must be chosen (VLAN 3 in this case), and Infrastructure Stations on other VLANs disallowed.
Figure 10-7 Service Set Configuration
When an SSID is added or edited, the screen shown in Figure 10-8 appears. This allows the authentication mechanism for the SSID and the VLAN associated to that SSID to be set. The example shown in Figure 10-8 is the Primary SSID configuration. The important settings are:
• The SSID—In this case guest is used, but the SSID can be anything the enterprise thinks is appropriate.
• Open Authentication selected.
Figure 10-8 Setting the SSID Values
AP 1100 Configuration
The configuration of the AP 1100 follows a similar sequence to that of the AP 1200. Figure 10-9 shows the creation of the different VLAN numbers for the selection of the default VLAN. To create a VLAN:
• Enter the VLAN number in the VLAN ID: Text Box.
• Press the Add button.
If an SSID already exists for this VLAN, an association between the two can be built by selecting that SSID from the SSID: drop box before pressing Add.
Figure 10-9 Entering VLANs and Setting the Default VLAN
Once the VLANs have been created, the user must go to the WEP Key Manager and configure the appropriate WEP settings for each VLAN. Figure 10-10 shows the settings for the VLAN that will become the Guest Network VLAN. Figure 10-11 shows the WEP configuration for the VLAN that will become the IPSec VLAN.
Note
Even though the IPSec VLAN does not need WEP encryption for privacy, it must be configured with WEP to provide VLAN separation at the radio interface.
Figure 10-10 Guest Access VLAN with No Encryption
Figure 10-11 IPSec VLAN with Mandatory Encryption
Once the VLANs have been created and had their WEP properties configured, SSIDs can be created, authentication methods set, and the SSIDs paired with the appropriate VLANs. Figure 10-12 shows the configuration of the guest SSID with open authentication, paired with VLAN 10. In the lower portion of Figure 10-12, the Guest Mode SSID and Infrastructure SSID are set. The Guest Mode SSID determines which SSID is broadcast in AP beacons, and therefore the example SSID guest is selected.
Figure 10-12 Setting per SSID Authentication and Global SSID Properties
Figure 10-13 shows a summary page on the AP 1100 with the different SSID and VLAN number pairings, along with their authentication mechanisms.
Figure 10-13 SSID VLAN Summary Page
CHAPTER 11
Cisco AVVID Enterprise WLAN Case Study
The following Enterprise WLAN case study details an example network in the context of the following discussions:
• Enterprise WLAN Profile, page 11-2
• Equipment Selection, page 11-5
• Security Selection, page 11-7
• Rogue AP, page 11-11
• Management, page 11-11
• Layer-2 and Layer-3 Roaming, page 11-12
• WLAN QoS Considerations, page 11-14
• IP Multicast, page 11-14
• WLAN Case Study Configuration, page 11-15
Enterprise WLAN Profile
The organization used to illustrate an example Enterprise WLAN in this case study is a global enterprise of approximately 30 000 employees. The company has four campuses in the Americas, three in Europe, and one in the Asia Pacific region. In addition to the campuses there are 15 major offices (multiple floors in the one building), and 140 branch offices (single or partial floor). Table 11-1 shows the distribution of offices and employee population.
Table 11-1 Distribution of Offices and Employees
Campus entries are employees per campus; major office entries are the number of offices x employees per office; branch office entries are the number of branch offices, with total branch employees in parentheses.
Region                          | Campus                              | Major Office                 | Branch Office < 20 people | Grand total
Americas                        | 12000, 3000, 500, 500 (Total 16000) | 2 x 110, 5 x 80 (Total 620)  | 70 (1400)                 | 18020
Europe, Middle East, and Africa | 1200, 1000, 500 (Total 2700)        | 3 x 80 (Total 240)           | 50 (1000)                 | 3940
Asia Pacific                    | 2000, 1500 (Total 3500)             | 4 x 200, 1 x 160 (Total 960) | 20 (400)                  | 4860
The campuses and major offices have local network servers and some degree of local technical support; branch offices are supported remotely. Almost all offices have resilient network connections. The network is IP only and is Quality of Service (QoS) enabled. The current application authentication mechanism within the network is usernames and passwords; the network operating system is Microsoft Active Directory; local access is currently controlled by physical security; and remote access is through IPSec virtual private networks (VPNs) authenticated with one-time passwords (OTP). The wired network is the primary network; the WLAN is to be an overlay network in most cases. Where the WLAN is used in manufacturing and warehouse areas it is the primary network.
Customer Requirements
The organization requires the WLAN for employee laptop computers and requires it to provide the same application support as its wired LAN, including QoS and multicast support. In addition to laptop support the organization requires:
• Support for Windows XP and Windows 2000 laptops (the majority of users) throughout the enterprise.
• Support for Linux laptops throughout the enterprise.
• The organization plans to have 802.11 integrated into future laptop computer purchases.
• Integration with Microsoft Active Directory infrastructure
• Support for wireless barcode scanners at selected locations (manufacturing and warehouse)
• Support for WLAN guest access at selected locations.
• Rogue AP mitigation.
WLAN Considerations
This case study presents an example environment that addresses a variety of WLAN-specific considerations. These are summarized in the following sections:
• WLAN Performance and Coverage, page 11-3
• RF Environment, page 11-3
• Security, page 11-4
• Rogue AP Mitigation, page 11-4
• Management, page 11-4
• Roaming, page 11-4
• QoS, page 11-4
• Multicast, page 11-4
WLAN Performance and Coverage
The organization expects reasonably high use of the WLAN as the majority of its employees are involved in projects and work in cross-functional teams. Employees might spend approximately 25 percent of their day using the WLAN.
RF Environment
The majority of this organization’s buildings are office space, but there are sections which would be considered light industrial. The office buildings are not thought to have any extraordinary sources of RF interference, but the light industrial areas may. The organization is concerned about radio frequency (RF) interference from the WLANs of other enterprises, particularly when the office is in a multi-tenant building.
Security
The organization wishes to maintain its privacy and preserve the integrity of its network, but it has no regulatory requirement to use a specific encryption or authentication mechanism. Ease of use is a major consideration, and integration with existing authentication mechanisms is a requirement.
Rogue AP Mitigation
The organization found unauthorized WLAN installations within its enterprise and this is one of the motivations for pursuing a formal WLAN installation. The organization wishes to investigate other means of rogue AP mitigation.
Management
The organization has an existing Simple Network Management Protocol (SNMP) management system. The WLAN management must integrate into this system, but must have tools to minimize the management overhead of the additional network devices introduced by the WLAN.
Roaming The majority of the WLAN users are nomadic roamers. Clients will not be running Mobile IP, and there is not a requirement to maintain sessions when roaming between floors or buildings.
QoS
The organization has enabled QoS within its network and requires the WLAN to honor these QoS settings.
Multicast
A limited multicast deployment is planned.
Equipment Selection
Note
For related information, please refer to Chapter 3, “WLAN Technology and Product Selection.”
WLAN product selection considerations include:
• Radio Selection, page 11-5
• AP Selection, page 11-5
Radio Selection
The two current radio types available in 802.11 are 802.11a (5 GHz), and 802.11b (2.5 GHz). 802.11b is recommended due to its wider availability and RF licensing. 802.11a will be considered in areas subject to high levels of interference in the 802.11b frequency bands or where the density of users and their throughput requirements exceed what can be provided by 802.11b. The 802.11b equipment must be upgradable to 802.11g.
AP Selection
Cisco has three AP variations available:
• AP 1200—Dual mode supporting 802.11a and 802.11b, RP-TNC antenna connections; field upgradable to 802.11g.
• AP 1100—802.11b field upgradable to 802.11g, Cisco IOS operating system, and fixed antenna.
• AP 350—802.11b, available with either fixed antennas or RP-TNC antenna connections
As the organization wants upgradability to 802.11g, the AP 350 is excluded from the AP choices. The Cisco AP 1200 is recommended for the campus and larger offices—allowing for greater flexibility in antenna selection that might be necessary for RF deployments in multi-story and multi-tenant buildings. These are the locations that are most likely to require 802.11a in the future. The Cisco AP 1100 is recommended for branch offices as a lower cost alternative. The branch offices are expected to have lower throughput requirements and are less likely to require the additional channels or different frequency bands of 802.11a.
Estimating the Number of APs The ultimate number of APs used in the implementation depends upon the site survey results, and the distribution of users within the enterprise. A working number of the APs required can be determined by using an average of 15 employees per AP in the campus and large offices (this takes into account the potentially higher usage, additional coverage areas, and the breaking up of bulk users on a per floor basis), and one AP per branch office. The results are shown in Table 11-2.
Table 11-2 Estimate of Number of APs by Region and by Office Type
Region                                 | Campus (APs)                                               | Major Office (APs)                      | Branch Office < 20 People (APs) | Region APs Total
Americas                               | 12000 (800), 3000 (200), 500 (34), 500 (34); subtotal 1068 | 2 x 110 (16), 5 x 80 (30); subtotal 46  | 70 (70)                         | 1184
Europe, Middle East, and Africa (EMEA) | 1200 (80), 1000 (67), 500 (34); subtotal 181               | 3 x 80 (18); subtotal 18                | 50 (50)                         | 249
Asia Pacific                           | 2000 (134), 1500 (100); subtotal 234                       | 4 x 200 (56), 1 x 160 (11); subtotal 67 | 20 (20)                         | 321
AP Subtotal                            | 1483                                                       | 131                                     | 140                             | AP Total 1754
This gives an estimate of 1614 x AP 1200s and 140 AP 1100s.
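The following Python script is an added example, not a tool from this design guide: it applies the estimating rule above (one AP per 15 employees in campuses and major offices, one AP per branch office) to the Table 11-1 office populations and reproduces the Table 11-2 figures, so a different per-AP ratio or office mix can be re-costed quickly. The region profiles are transcribed from Table 11-1; rounding up per office is an assumption inferred from the table's figures.

```python
"""Added example: reproduce the AP estimate of Table 11-2 from the office
populations of Table 11-1.  Not the design guide's own tool; it applies the
rule stated in the text (one AP per 15 employees, rounded up per campus or
major office, and one AP per branch office)."""
import math

EMPLOYEES_PER_AP = 15

# Office populations transcribed from Table 11-1.  A major-office entry such
# as "5 x 80" is recorded as (number_of_offices, employees_per_office).
REGIONS = {
    "Americas": {
        "campus": [12000, 3000, 500, 500],
        "major": [(2, 110), (5, 80)],
        "branch": 70,
    },
    "EMEA": {
        "campus": [1200, 1000, 500],
        "major": [(3, 80)],
        "branch": 50,
    },
    "Asia Pacific": {
        "campus": [2000, 1500],
        "major": [(4, 200), (1, 160)],
        "branch": 20,
    },
}


def aps_for_office(employees, per_ap=EMPLOYEES_PER_AP):
    """APs for one campus or major office: round up, never zero."""
    return max(1, math.ceil(employees / per_ap))


def estimate_region(profile, per_ap=EMPLOYEES_PER_AP):
    """Return (campus_aps, major_office_aps, branch_aps, total) for a region."""
    campus = sum(aps_for_office(e, per_ap) for e in profile["campus"])
    major = sum(n * aps_for_office(e, per_ap) for n, e in profile["major"])
    branch = profile["branch"]                  # one AP per branch office
    return campus, major, branch, campus + major + branch


def estimate_all(regions=REGIONS, per_ap=EMPLOYEES_PER_AP):
    """Per-region estimates plus the enterprise-wide subtotals and total."""
    result = {name: estimate_region(p, per_ap) for name, p in regions.items()}
    campus = sum(r[0] for r in result.values())
    major = sum(r[1] for r in result.values())
    branch = sum(r[2] for r in result.values())
    result["Total"] = (campus, major, branch, campus + major + branch)
    return result


def model_split(estimate):
    """AP 1200 for campuses and major offices, AP 1100 for branch offices,
    as the AP Selection section recommends."""
    campus, major, branch, _ = estimate["Total"]
    return {"AP 1200": campus + major, "AP 1100": branch}


if __name__ == "__main__":
    est = estimate_all()
    for name, (c, m, b, t) in est.items():
        print(f"{name:13s} campus={c:5d} major={m:4d} branch={b:4d} total={t:5d}")
    print(model_split(est))       # {'AP 1200': 1614, 'AP 1100': 140}
```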
Security Selection
Note
For related information, please refer to Chapter 4, “WLAN Security Considerations.”
The organization’s QoS and multicast requirements suggest that the WLAN LAN Extension (IPSec) is not a good choice for this WLAN, and that the organization would be better served by an 802.1x/EAP solution. This decision is made easier by having no security restrictions that specify encryption mechanisms that are currently available only in IPSec. It is recommended that the organization also implement the TKIP and MIC extensions to WEP that address all currently known attacks on WEP. This restricts the organization to Cisco Compatible eXtensions (CCX) network interface cards (NIC), until industry standard versions of TKIP and MIC are available through the Wireless Ethernet Compatibility Alliance (WECA) Wi-Fi Protected Access (WPA) standard. Whether the organization selects Cisco NICs, or those provided by a CCX vendor, it should standardize upon only one or two NICs to minimize the testing of client drivers and firmware. The organization has a choice of EAP/802.1x solutions:
• EAP-Cisco
• EAP/TLS
• EAP/TTLS
• PEAP
All of these options offer some degree of integration with Microsoft’s directory and authentication infrastructure, and the organization plans to use the Access Control Server (ACS) external database group membership mapping to control which members of the Active Directory are given WLAN access. EAP-Cisco is recommended because it supports Windows, supports 802.1x/EAP for other PC operating systems that lack native 802.1x/EAP support, and supports 802.1x/EAP for handheld devices. The case study organization is interested in PEAP, due to its support of multiple authentication types, but is still in the process of assessing its ongoing authentication requirements. It is recommended that WLAN VLANs be used to separate the different client types. This allows the partitioning of clients with different security capabilities. For example, the handheld devices might support EAP-Cisco, but might not support Cisco’s implementation of TKIP and MIC, or the handheld might have inadequate protection for the local usernames and passwords. The different client types are to be separated into different VLANs by membership in an Active Directory group. The mapping of these Active Directory groups and ACS groups is shown in Figure 11-1. The following sections summarize several ACS implementation considerations for this case study:
• Number of ACS Servers, page 11-8
• ACS Server Placement, page 11-9
• Branch Roaming, page 11-10
Figure 11-1 ACS External User Database Group Mapping
Number of ACS Servers
Using the Americas as a region, the number of clients is expected to be 18,200. This is well within the capacity of an ACS database; the number of clients is not a scaling factor. Because the organization is using TKIP and MIC, reauthentication and re-keying of users is expected to be required only once per hour. Using EAP-Cisco performance figures, the ACS can perform 60 authentications per second on its specified platform. This is 216,000 authentications per hour. This shows that a single ACS server could easily support all of the “Americas” region and all its re-keying requirements. Re-keying is not the only time that an authentication would be required. Roaming also requires authentications. It is difficult to estimate how often users would roam from one AP to another, but from the authentications-per-hour figure above, it can be seen that every client could roam every five minutes. An ACS server would have sufficient capacity to authenticate all these users. The numbers derived above are conservative as they assume that all enterprise employees are using the WLAN simultaneously. The main point to be taken from these numbers is that ACS capacity is not the major design consideration in this Enterprise Network deployment. The prime design considerations for ACS placement are speed of authentication, resilience, location of user database information, and management.
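As an added example (not from the design guide), the capacity arithmetic above carried through in Python with the text's figures: 60 authentications per second, hourly re-keying and roughly 18,200 clients in the Americas. The roam interval passed to servers_required() is an assumed input, since the text notes that the real roaming rate is hard to estimate.

```python
"""Added example (not from the design guide): the ACS capacity arithmetic of
the "Number of ACS Servers" discussion, with the text's figures as inputs."""
import math

SECONDS_PER_HOUR = 3600


def authentications_per_hour(auths_per_second):
    """Hourly authentication capacity of one ACS server."""
    return auths_per_second * SECONDS_PER_HOUR


def rekey_load_per_hour(clients, rekey_interval_minutes):
    """Authentications per hour caused by periodic re-keying alone."""
    return clients * 60 / rekey_interval_minutes


def shortest_roam_interval_seconds(clients, auths_per_second):
    """Shortest interval at which every client could re-authenticate (roam)
    if one server's entire capacity were spent on roaming."""
    return clients / auths_per_second


def servers_required(clients, auths_per_second, rekey_interval_minutes,
                     roam_interval_seconds):
    """Servers needed to carry re-keying plus roaming at the given rates.
    This is capacity only; resilience still needs a backup server per AP."""
    roam_load = clients * SECONDS_PER_HOUR / roam_interval_seconds
    load = rekey_load_per_hour(clients, rekey_interval_minutes) + roam_load
    return math.ceil(load / authentications_per_hour(auths_per_second))


if __name__ == "__main__":
    clients = 18200                                     # Americas (from the text)
    print(authentications_per_hour(60))                 # 216000
    print(rekey_load_per_hour(clients, 60))             # 18200.0
    print(shortest_roam_interval_seconds(clients, 60))  # 303.3 s, about five minutes
    print(servers_required(clients, 60, 60, 600))       # 1 (assumed 10-minute roams)
```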
ACS Server Placement
For ease-of-management and optimal performance, the location of the ACS RADIUS servers is critical. A reauthentication is required whenever a client roams from one AP to another. For this roam to appear seamless, the authentication must be performed quickly enough to ensure client applications show no noticeable impact. Another consideration is the resilience of the ACS RADIUS infrastructure. If an ACS server is not available when a client tries to authenticate, this means that new clients cannot join a WLAN, and clients roaming from AP to AP will lose their WLAN connection. To overcome this, a backup ACS server is required for each AP. The organization’s global network is segmented into different logical domains for its network operations, and the ACS deployment reflects this, with a separately managed ACS network for each region. Clients from different regions of the enterprise may still use the WLAN in any region, but the management of the ACS servers is done upon a regional basis. Figure 11-2 shows the planned location of the ACS servers within the US region. The ACS servers are located at campus locations. These locations also contain Active Directory Domain Controllers. The locations with two ACS servers are the two largest campuses; these servers are used by local campus APs and by APs located in branch offices in the region. The locations with only one ACS server use the nearest large campus location ACS as a backup. Branch offices use the nearest campus-based ACS server for authentication. Branch clients will experience slower authentication than campus clients. This delay should not be an issue when logging in, but might be an issue when roaming. The amount of roaming in branches is thought to be less, and in branches with only one AP there will be no roaming.
Figure 11-2 ACS Server Placement
[Figure: ACS servers (ACS) located at campus sites alongside Active Directory Domain Controllers (DC); the two largest campuses each have two ACS servers.]
Figure 11-3 shows the proposed AP Authentication server management configuration. Servers 10.10.10.10 and 10.10.11.11 are the RADIUS servers used for client authentication. Servers 10.12.12.12 and 10.12.12.13 are the TACACS+ servers. The preferred RADIUS server is the highest in the list (10.10.10.10); if the AP gets no response from this server in two minutes, it will use the alternate server, and the primary server will be put on the dead server list for 30 minutes.
The choice of the timeout values and Dead Server List times reflects the preferred configuration for a branch office and is based upon two assumptions:
• The primary RADIUS server is the closest and therefore gives the best authentication performance.
• In the event of a primary WLAN link failure, time is taken to detect the failure and converge on the backup link. Events such as this should not result in a change in RADIUS server.
In the campus AP configurations, the RADIUS server timeout can be adjusted to a lower value, to reflect the smaller penalty in switching from primary to secondary servers.
Figure 11-3 AP Server Management
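An added example, not the AP's actual implementation: a small Python model of the server selection just described (ordered server list, per-server response timeout, dead-server hold-down) that can be used to reason about the branch and campus timer choices. The server addresses are those from Figure 11-3; the reply delays in the scenarios are constructed, and the second scenario shows why a reply delayed by link reconvergence must stay inside the timeout.

```python
"""Added example, not the AP's own code: a model of the RADIUS server
selection described for Figure 11-3 (ordered server list, response timeout,
dead-server list with a hold-down time).  Scenarios are constructed."""
from dataclasses import dataclass, field


@dataclass
class RadiusSelector:
    servers: list                   # most-preferred server first
    timeout: float                  # seconds to wait for a reply
    deadtime: float                 # seconds a failed server stays on the dead list
    dead_until: dict = field(default_factory=dict)

    def live_servers(self, now):
        """Servers not currently on the dead list, in preference order."""
        return [s for s in self.servers if self.dead_until.get(s, 0.0) <= now]

    def authenticate(self, now, reply_delay):
        """Try live servers in order.  reply_delay(server) returns the seconds
        the server takes to answer, or None if it never answers.  Returns the
        server that answered (None if none did) and the seconds waited."""
        waited = 0.0
        for server in self.live_servers(now):
            delay = reply_delay(server)
            if delay is not None and delay <= self.timeout:
                return server, waited + delay
            # No reply within the timeout: move on and hold this server down.
            waited += self.timeout
            self.dead_until[server] = now + waited + self.deadtime
        return None, waited         # new clients cannot join, roamers drop


# Branch-office timers from the text: two-minute timeout, 30-minute dead time.
BRANCH_SERVERS = ["10.10.10.10", "10.10.11.11"]
BRANCH_TIMEOUT = 120.0
BRANCH_DEADTIME = 1800.0


def branch_failover_scenario():
    """Primary silent at t=0, healthy afterwards.  Returns the server chosen
    at t=0, at t=600 (inside the hold-down) and at t=2000 (after it)."""
    sel = RadiusSelector(list(BRANCH_SERVERS), BRANCH_TIMEOUT, BRANCH_DEADTIME)
    first, _ = sel.authenticate(0.0, lambda s: None if s == "10.10.10.10" else 1.0)
    second, _ = sel.authenticate(600.0, lambda s: 1.0)
    third, _ = sel.authenticate(2000.0, lambda s: 1.0)
    return first, second, third


def wan_reconvergence_scenario(reconvergence_seconds, timeout=BRANCH_TIMEOUT):
    """Every reply is delayed by link failure detection and reconvergence.
    With a timeout longer than that delay the primary stays preferred and is
    not put on the dead list; with a shorter timeout both servers are marked
    dead and nobody answers."""
    sel = RadiusSelector(list(BRANCH_SERVERS), timeout, BRANCH_DEADTIME)
    server, waited = sel.authenticate(0.0, lambda s: float(reconvergence_seconds))
    return server, waited, sorted(sel.dead_until)


if __name__ == "__main__":
    print(branch_failover_scenario())          # ('10.10.11.11', '10.10.11.11', '10.10.10.10')
    print(wan_reconvergence_scenario(60))      # ('10.10.10.10', 60.0, [])
    print(wan_reconvergence_scenario(60, 30))  # (None, 60.0, ['10.10.10.10', '10.10.11.11'])
```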
Branch Roaming
To ensure that authentication and roaming times are optimal, the branch’s prioritization of authentication traffic is handled as described in the 802.1x and EAP-Based Authentication Across Congested WAN Links application note. ACS server user databases are replicated from a single server within the region; Figure 11-4 shows the replication plan for the US region. Because the WLAN is using Active Directory databases, this replication may be unnecessary, depending on whether EAP-Cisco devices are placed in the Active Directory databases or the ACS.
Figure 11-4 ACS Server Replication
[Figure: ACS user database data replicated from a single server in the region to the other regional ACS servers.]
Rogue AP
Note
For related information, please refer to Chapter 9, “WLAN Rogue AP Detection and Mitigation.”
Concerns about rogue AP deployments are one of the motivators for this WLAN deployment, apart from the ROI associated with WLAN. In addition to this WLAN deployment the enterprise plans the following:
• Publishing the policy against rogue APs as part of the organization’s communication about the WLAN deployment.
• Looking for rogue APs as part of the site survey process.
• Investigating rogue AP detection tools that integrate with the WLAN deployment.
• Integrating rogue AP mitigation into the security strategy of protecting against unauthorized access. This is part of a separate project using 802.1x to authenticate clients connecting to both the wired and wireless network and using an intrusion detection system (IDS) to detect inappropriate behavior on the network.
Management
The organization plans to deploy the Wireless LAN Solution Engine (WLSE) to manage its APs. This helps deploy and maintain consistent AP configurations, monitor system performance, and aid in capacity planning and troubleshooting. The WLSE manages 500 APs in the proposed WLSE deployment shown in Figure 11-5. WLSE placement has capacity for 2500 APs. The dual WLSE deployment was implemented to meet capacity requirements at the largest campus. Additional WLSE deployments reflect the local administration and authentication domains, allowing the WLSE to monitor the EAP-Cisco authentication performance in all of the regional campuses and to use and maintain configuration templates appropriate for the region.
Figure 11-5 WLSE Placement
[Figure: WLSE placement across the regional campuses; the largest campus has two WLSEs.]
For configuration details for the WLSE see the Configuration Guide for the CiscoWorks 1105 Wireless LAN Solution Engine available at http://www.cisco.com. The main WLAN client management issues for this enterprise are software version control and WEP-key management. The use of EAP-Cisco solves the WEP-key management issue, and the organization is planning to integrate the bundled client software packages into its software distribution system. The enterprise is planning to permit users to control the ACU, because users might require other WLAN profiles, and there are likely to be fewer client configuration issues if these WLAN configurations are controlled in one location.
Layer-2 and Layer-3 Roaming
Note
For related information, please refer to Chapter 7, “WLAN Roaming.”
The organization’s roaming requirement is for nomadic roaming. There is no plan to provide seamless roaming between buildings within a campus or between floors of the same building. This helps determine where Layer-3 boundaries are placed. Because seamless roaming is not required between buildings, WLAN networks in different buildings may be on different subnets, as shown in Figure 11-6. Although seamless roaming is not required between floors, the organization decided to make each building’s WLAN network a single subnet, as shown in Figure 11-7. This decision removes any issues associated with clients roaming to APs on different floors. That the organization has no buildings more than six floors high makes this decision easier.
Figure 11-6 Campus Subnetting (diagram; labels include WLAN Subnet X, WLAN Subnet Y, WLAN Subnet Z and WLAN Subnets A, B, C, D; image not reproduced)

Figure 11-7 Building Subnetting (diagram; label: WLAN Subnet C; image not reproduced)
The roaming requirements and the subnet boundaries limit the organization's roaming focus to Layer-2 roaming; Layer-3 roaming is not required. If Layer-3 roaming were required, the organization would need Mobile IP client software installed on the clients requiring this degree of mobility, because the planned use of WLAN VLANs within the organization's network means that Proxy Mobile IP cannot be used.
WLAN QoS Considerations

Note: For related information, please refer to Chapter 6, "WLAN Quality of Service (QoS)."

The organization already has QoS enabled on its network, using DSCP values to mark traffic priorities. It plans to use the QoS features of the APs to reflect these priorities on the WLAN. The organization plans to trial WLAN VoIP in some locations once the WLAN network is deployed, but this is considered a separate project. For details on configuring QoS, refer to the Wireless Quality of Service Deployment Guide.
IP Multicast

Note: For related information, please refer to Chapter 8, "IP Multicast in a Wireless LAN."

The organization wishes to deploy some multicast applications on its WLAN. Because the WLAN subnets span multiple floors of buildings, and the WLAN has less capacity than a wired network, every effort must be made to limit the multicast load on the WLAN. As the multicast applications to be supported are known, multicast boundaries can be configured at the WLAN interface of the access routers. To limit unnecessary multicasts on the WLAN VLAN, Internet Group Management Protocol (IGMP) snooping will be enabled on the access switches. IGMP snooping on access switches can be an issue when a client roams from one AP to another and the multicast stream is not already flowing on the switch port of the new AP. To ensure that the multicast stream is forwarded by the new switch port, the AP can be made to send a general IGMP query whenever a client associates or reassociates. When the client responds to the general IGMP query, the upstream switch learns the required multicast stream. Figure 11-8 shows the configuration of the IGMP snooping feature on an AP.

Figure 11-8 IGMP Snooping (screenshot of the AP IGMP snooping setting; image not reproduced)
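The roaming problem and the general-query fix described above, modelled as an added example (this is not code from the design guide or from Cisco). It simulates an IGMP-snooping access switch whose forwarding table is populated only by membership reports, a client that joins a group on one AP, and a roam to a second AP on a different switch port. The port numbers, the group address and the client name are constructed; the AP's "send a general query on association" behaviour is the one the case study describes.

```python
"""Model of IGMP snooping state across a WLAN client roam.

Added example; not code from the Cisco design guide. An access switch with
IGMP snooping forwards a group only on ports where it has seen a membership
report, so a client that roams to an AP on another switch port loses the
stream until a report is seen on the new port. Having the AP send a general
IGMP query on (re)association makes the client report immediately.
Port numbers, the group address and client names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

GROUP = "239.1.1.1"  # constructed multicast group address


@dataclass
class SnoopingSwitch:
    """IGMP-snooping access switch: group -> ports with a live membership report."""
    table: Dict[str, Set[int]] = field(default_factory=dict)

    def receive_report(self, port: int, group: str) -> None:
        """A membership report seen on a port adds that port to the group's forwarding set."""
        self.table.setdefault(group, set()).add(port)

    def forwards(self, group: str, port: int) -> bool:
        """True if the switch would forward this group out of this port."""
        return port in self.table.get(group, set())


@dataclass
class Client:
    """Wireless client; remembers its joined groups and the switch port of its current AP."""
    name: str
    groups: Set[str] = field(default_factory=set)
    port: Optional[int] = None

    def join(self, switch: SnoopingSwitch, group: str) -> None:
        """IGMP join: an unsolicited membership report on the current AP's port."""
        self.groups.add(group)
        switch.receive_report(self.port, group)

    def answer_general_query(self, switch: SnoopingSwitch) -> None:
        """A general query triggers one membership report per joined group."""
        for group in self.groups:
            switch.receive_report(self.port, group)


@dataclass
class AccessPoint:
    """AP attached to one switch port; optionally sends a general IGMP query on association."""
    port: int
    query_on_assoc: bool

    def associate(self, switch: SnoopingSwitch, client: Client) -> None:
        client.port = self.port
        if self.query_on_assoc:
            client.answer_general_query(switch)


def roam_scenario(query_on_assoc: bool) -> Tuple[bool, bool]:
    """Join on AP1 (port 1), roam to AP2 (port 2).

    Returns (stream forwarded on port 1 before the roam,
             stream forwarded on port 2 right after the roam).
    """
    switch = SnoopingSwitch()
    ap1 = AccessPoint(port=1, query_on_assoc=query_on_assoc)
    ap2 = AccessPoint(port=2, query_on_assoc=query_on_assoc)
    handheld = Client("handheld-1")

    ap1.associate(switch, handheld)
    handheld.join(switch, GROUP)
    on_old_port = switch.forwards(GROUP, ap1.port)

    # Layer-2 roam within the same subnet: the client does not re-join, so the
    # switch only learns about port 2 if something makes the client report again.
    ap2.associate(switch, handheld)
    on_new_port = switch.forwards(GROUP, ap2.port)
    return on_old_port, on_new_port


if __name__ == "__main__":
    print("without AP query:", roam_scenario(False))  # (True, False): stream stalls after the roam
    print("with AP query:   ", roam_scenario(True))   # (True, True): stream follows the client
```

Without the AP-triggered query the new port stays absent from the snooping table until the querier's next periodic general query, which is the gap the case study closes by making the AP query on every association.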
WLAN Case Study Configuration

The following sections summarize configuration considerations for the network discussed in this case study:
• AP Configuration, page 11-15
• Access Switch Configuration, page 11-16
• Distribution Router Configuration, page 11-16
AP Configuration

Figure 11-9 shows the proposed VLAN configuration of the WLAN network. The AP is configured with three VLANs: a PC VLAN, a Handheld VLAN, and a Management VLAN. The management VLAN is the default VLAN for the AP and has no associated WLAN VLAN, which prevents management of the APs from the WLAN. This management VLAN would normally be the management VLAN used on the access layer switches. The WLAN VLANs are dedicated to WLANs and are separate from the wired VLANs on the access switch.

Figure 11-9 AP VLANs (diagram; AP labels: VLAN 10 Management, VLAN 20 PCs, VLAN 30 Handhelds; switch labels: VLAN 10 Management, VLAN 20 PCs, VLAN 30 Handhelds, VLAN 40 PCs, VLAN 50 Voice; image not reproduced)
Figure 11-10 and the "Example Configuration: Config 1" section on page 11-16 show an excerpt from the AP radio configuration. Note that VLAN 10 has encryption defined but does not have an SSID associated with it. This is because VLAN 10 has been configured as the management VLAN and is only meant to exist on the wired network.
Figure 11-10 Cisco 1100 VLANs (screenshot of the AP VLAN page; image not reproduced)

Example Configuration: Config 1

interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode wep mandatory mic key-hash
 !
 encryption vlan 20 mode wep mandatory mic key-hash
 !
 encryption vlan 30 mode wep mandatory mic key-hash
 !
 broadcast-key vlan 20 change 1000
 broadcast-key vlan 30 change 1000
 !
 ssid PCS
    vlan 20
    authentication open eap eap_methods
    authentication network-eap eap_methods
 !
 ssid scanners
    vlan 30
    authentication open eap eap_methods
    authentication network-eap eap_methods
 !
 …
For detailed WLAN VLAN configuration, including authentication based VLAN mapping information, see the Wireless Virtual LAN Deployment Guide.
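A configuration check for the properties the AP Configuration section calls out, written as an added example (not code from the design guide or from Cisco): every SSID maps to a VLAN, that VLAN has an encryption statement and broadcast-key rotation, authentication uses EAP, and the management VLAN (VLAN 10 in this case study) is never mapped to an SSID. The parser understands only the command shapes that appear in the Config 1 excerpt; the rule set, the finding strings and the BAD_CONFIG counter-example are this example's own.

```python
"""Audit an Aironet-style radio configuration against the case study's VLAN/SSID rules.

Added example; not code from the Cisco design guide. It parses the excerpt
shown in "Example Configuration: Config 1" and reports deviations from the
rules stated in the text. The rules and finding strings are this example's
own; BAD_CONFIG is a constructed counter-example.
"""
import re
from typing import Dict, List

# Excerpt as printed in the case study (the trailing ellipsis of the original is omitted).
CONFIG = """\
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode wep mandatory mic key-hash
 !
 encryption vlan 20 mode wep mandatory mic key-hash
 !
 encryption vlan 30 mode wep mandatory mic key-hash
 !
 broadcast-key vlan 20 change 1000
 broadcast-key vlan 30 change 1000
 !
 ssid PCS
    vlan 20
    authentication open eap eap_methods
    authentication network-eap eap_methods
 !
 ssid scanners
    vlan 30
    authentication open eap eap_methods
    authentication network-eap eap_methods
 !
"""

# Constructed counter-example: an SSID that exposes the management VLAN with open authentication.
BAD_CONFIG = CONFIG + """\
 ssid mgmt
    vlan 10
    authentication open
 !
"""


def parse_radio_config(text: str) -> Dict:
    """Collect per-VLAN encryption, broadcast-key rotation and per-SSID settings."""
    cfg = {"native_encryption": False, "encryption_vlans": set(),
           "broadcast_key_vlans": {}, "ssids": {}}
    current = None  # name of the ssid block being read, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"encryption vlan (\d+) mode", line)
        if m:
            cfg["encryption_vlans"].add(int(m.group(1)))
            continue
        if line.startswith("encryption mode"):
            cfg["native_encryption"] = True  # encryption on the AP's default VLAN
            continue
        m = re.match(r"broadcast-key vlan (\d+) change (\d+)", line)
        if m:
            cfg["broadcast_key_vlans"][int(m.group(1))] = int(m.group(2))
            continue
        m = re.match(r"ssid (\S+)$", line)
        if m:
            current = m.group(1)
            cfg["ssids"][current] = {"vlan": None, "auth": []}
            continue
        if current is None:
            continue  # other interface-level commands are not needed for the audit
        m = re.match(r"vlan (\d+)$", line)
        if m:
            cfg["ssids"][current]["vlan"] = int(m.group(1))
            continue
        m = re.match(r"authentication (.+)", line)
        if m:
            cfg["ssids"][current]["auth"].append(m.group(1))
    return cfg


def audit_radio_config(text: str, management_vlan: int = 10) -> List[str]:
    """Return a list of findings; an empty list means the excerpt follows the stated rules."""
    cfg = parse_radio_config(text)
    findings = []
    for name, ssid in cfg["ssids"].items():
        vlan = ssid["vlan"]
        if vlan is None:
            findings.append(f"ssid {name}: no VLAN mapping")
            continue
        if vlan == management_vlan:
            findings.append(f"ssid {name}: maps the management VLAN {vlan} onto the air")
        if vlan not in cfg["encryption_vlans"]:
            findings.append(f"ssid {name}: VLAN {vlan} has no encryption statement")
        if vlan not in cfg["broadcast_key_vlans"]:
            findings.append(f"ssid {name}: VLAN {vlan} has no broadcast-key rotation")
        if not any("eap" in auth for auth in ssid["auth"]):
            findings.append(f"ssid {name}: no EAP authentication method")
        if any(auth.split()[0] == "open" and "eap" not in auth for auth in ssid["auth"]):
            findings.append(f"ssid {name}: open authentication without EAP")
    return findings


if __name__ == "__main__":
    print("Config 1 findings:", audit_radio_config(CONFIG))
    print("BAD_CONFIG findings:", audit_radio_config(BAD_CONFIG))
```

Run against the Config 1 excerpt the audit returns no findings; the constructed mgmt SSID trips every rule, which is the condition the text is guarding against when it keeps VLAN 10 off the radio.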
Access Switch Configuration

The access switch configuration is the same as that applied in the Cisco AVVID Network Infrastructure Campus Design Solutions Reference Network Design, with the addition of the WLAN VLANs.

Distribution Router Configuration

The distribution router configuration is the same as that applied in the Cisco AVVID Network Infrastructure Campus Design Solutions Reference Network Design, with the addition of the WLAN VLANs.