Cisco AVVID Wireless LAN Design
Solutions Reference Network Design

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Customer Order Number: 956608

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco AVVID Wireless LAN Design
Copyright © 2003 Cisco Systems, Inc. All rights reserved.

CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)

Contents

Preface xi

Target Audience xii

Obtaining Documentation xii

World Wide Web xii

Documentation CD-ROM xii

Ordering Documentation xii

Documentation Feedback xiii

Obtaining Technical Assistance xiii

Cisco.com xiii

Technical Assistance Center xiii

Cisco TAC Web Site xiv

Cisco TAC Escalation Center xiv

Chapter 1 WLAN Solution Overview 1-1

WLAN Solution Benefits 1-1

Enterprise WLAN Design Overview 1-2

Enterprise WLAN Design Characteristics 1-3

WLAN Architecture Considerations 1-5

Comparing Wired and WLANs 1-5

WLAN Modes of Operation 1-7

Links and References 1-8

General References 1-8

Security References 1-8

IP Multicast References 1-9

Chapter 2 WLAN Radio Frequency (RF) Design Considerations 2-1

RF Basics 2-1

Regulations 2-2

Fine Tuning 2-5

Channel Selection 2-5

IEEE 802.11 Standards 2-9

RF Spectrum Implementation 2-11

Direct Sequence Spread Spectrum 2-11

IEEE 802.11b Direct Sequence Channels 2-11

IEEE 802.11a—OFDM Physical Layer 2-12

IEEE 802.11a Channels 2-12

Planning for RF Deployment 2-13

RF Deployment Best Practices 2-13

WLAN Data Rates Required 2-13

Client Density and Throughput Requirements 2-16

WLAN Coverage Required 2-17

Security Policy 2-17

RF Environment 2-18

Chapter 3 WLAN Technology and Product Selection 3-1

WLAN Technology Selection Considerations 3-1

Competing WLAN Standards 3-1

WLAN Capacity Considerations 3-2

Data Rate Considerations 3-3

Throughput Considerations 3-4

Performance Considerations 3-5

Range Considerations 3-7

Signal Propagation 3-8

Antenna Considerations 3-8

Technology Selection Summary 3-9

Cisco WLAN RF Product Selection Considerations 3-11

Access Points 3-11

Client Adapters 3-12

802.11a Cardbus Client Card 3-12

Enhanced Client Network Management Features with Extended Client Support 3-12

Workgroup Bridges 3-13

Wireless Bridges 3-14

Chapter 4 WLAN Security Considerations 4-1

Security Deployment Models 4-1

WLAN LAN Extension 802.1x/EAP 4-2

Security Transparency 4-2

Application Transparency 4-3

Performance Transparency 4-3

User Transparency 4-3

WLAN LAN Extension IPSec 4-3

Security Transparency 4-4

Application Transparency 4-4

Performance Transparency 4-4

User Transparency 4-5

WLAN Static WEP Keys 4-5

Security Transparency 4-6

Application Transparency 4-6

Performance Transparency 4-6

User Transparency 4-6

Cisco WLAN Security Options and Recommendations 4-7

Understanding Overall Network Security 4-7

Flexible WLAN Security using VLANs 4-7

Headquarters/Campus WLAN Deployment 4-8

Branch Office WLAN Deployment 4-12

Additional Security Considerations 4-13

EAP Considerations for High Availability ACS Architecture 4-14

Chapter 5 Wireless LAN VLANs 5-1

VLAN Background 5-1

Wireless VLAN Introduction 5-3

Wireless VLAN Deployment Overview 5-3

Wireless VLANs—Detailed Feature Description 5-6

Configuration Parameters per VLAN 5-6

Broadcast Domain Segmentation 5-7

Native (Default) VLAN Configuration 5-7

Primary (Guest) and Secondary SSIDs 5-8

RADIUS-based VLAN Access Control 5-8

Guidelines for Deploying Wireless VLANs 5-10

Criteria for Wireless VLAN Deployment 5-10

Wireless VLAN Deployment Example 5-11

Summary of Rules for Wireless VLAN Deployment 5-13

Best-Practices for the Wired Infrastructure 5-13

Chapter 6 WLAN Quality of Service (QoS) 6-1

QoS Overview 6-1

Wireless QoS Considerations 6-2

Wireless QoS Deployment Schemes 6-2

QoS Parameters 6-3

Latency 6-3

Jitter 6-3

Loss 6-3

Downstream and Upstream QoS 6-3

QoS and Network Performance 6-4

802.11 DCF 6-4

Interframe Spaces (SIFS, PIFS, and DIFS) 6-4

SIFS 6-5

PIFS 6-5

DIFS 6-5

Random Backoff (Contention Window) 6-5

CWmin, CWmax, and Retries 6-6

IEEE 802.11e 6-7

802.11e EDCF-based QoS Implementation 6-7

QoS Advertisements by WLAN Infrastructure 6-11

Deploying EDCF on Cisco IOS-based APs 6-13

Appliance-based Prioritization 6-13

CoS-based Prioritization 6-13

Class-Map Based Prioritization 6-14

VLAN-based Prioritization 6-15

Combining QoS Setting Requirements 6-15

Additional QoS Features 6-16

Guidelines for Deploying Wireless QoS 6-17

IP SoftPhone and Other PC and PDA Based VoIP Solutions 6-17

Symbol Handsets 6-17

SpectraLink Handsets 6-18

Leveraging Existing Network QoS Settings 6-18

Chapter 7 WLAN Roaming 7-1

Roaming Solution Overview 7-2

General Design Characteristics 7-3

Layer-2 Design 7-3

Caveats 7-3

Layer-2 Roaming Primer 7-4

Layer-2 Roaming Technical Overview 7-4

Roaming Events 7-5

Max Data Retry Count Exceeded 7-5

Missed Too Many Beacons 7-6

Data Rate Shift 7-6

Periodic Client Interval (If Configured) 7-7

Initial Client Startup 7-7

Roam Process 7-7

Layer-2 Roaming Considerations 7-8

Layer-2 Design Recommendations 7-9

Cisco AVVID Design 7-9

Sizing the Layer-2 Domain 7-10

Roaming Implementation Recommendations 7-10

Chapter 8 IP Multicast in a Wireless LAN 8-1

Multicast WLAN Deployment Recommendations 8-1

IP Multicast WLAN Configuration 8-2

Controlling IP Multicast in a WLAN with APs 8-2

Controlling IP Multicast in a P2P WLAN using Bridges 8-3

Other Considerations 8-4

Summary 8-5

Chapter 9 WLAN Rogue AP Detection and Mitigation 9-1

Rogue AP Summary and Scope of Problem 9-2

The Rogue AP Threat 9-4

Media Attention to WLAN Security Weaknesses 9-4

Truth About WLAN Security 9-5

Preventing and Detecting Rogue APs 9-6

Preventing Rogue APs 9-7

Corporate WLAN Policy 9-7

Physical Security 9-7

Supported Wireless Infrastructure 9-7

IEEE 802.1x Port-based Security to Prevent APs 9-7

Using Catalyst Switch Filters to Limit MAC Addresses per Port 9-10

Detecting Rogue APs 9-11

Detecting Rogue APs Wirelessly 9-12

Other Wireless Analyzers 9-13

Detecting Rogue AP from the Wired Network 9-15

Detecting Rogue APs Physically 9-19

Chapter 10 WLAN Guest Network Access 10-1

Benefits of Guest Network Access 10-3

Increased Security 10-3

Increased Productivity 10-3

Benefits of WLAN Guest Network Access 10-3

Deployment Considerations and Caveats 10-4

Guest WLAN Recommendations 10-5

Recommended 802.11 Configuration for WLAN Guest Network 10-5

VLANs and WLAN Implementation 10-6

Configuring Guest WLANs 10-7

Network Topology 10-7

AP and Switch Configuration 10-8

WLAN Guest VLAN Filtering 10-9

Terminology Notes 10-9

AP 1200 Configuration 10-11

Configuring VLANs 10-11

Configuring SSIDs 10-12

AP 1100 Configuration 10-14

Chapter 11 Cisco AVVID Enterprise WLAN Case Study 11-1

Enterprise WLAN Profile 11-2

Customer Requirements 11-3

WLAN Considerations 11-3

WLAN Performance and Coverage 11-3

RF Environment 11-3

Security 11-4

Rogue AP Mitigation 11-4

Management 11-4

Roaming 11-4

QoS 11-4

Multicast 11-4

Equipment Selection 11-5

Radio Selection 11-5

AP Selection 11-5

Estimating the Number of APs 11-5

Security Selection 11-7

Number of ACS Servers 11-8

ACS Server Placement 11-9

Branch Roaming 11-10

Rogue AP 11-11

Management 11-11

Layer-2 and Layer-3 Roaming 11-12

WLAN QoS Considerations 11-14

IP Multicast 11-14

WLAN Case Study Configuration 11-15

AP Configuration 11-15

Example Configuration: Config 1 11-16

Access Switch Configuration 11-16

Distribution Router Configuration 11-16

Preface

This design guide presents recommendations intended to facilitate Enterprise Wireless Local Area Network (WLAN) solution deployment. The emphasis in this document is with integrating WLAN technology into environments featuring key Enterprise networking elements. Specific chapters address the following topics:

• Chapter 1, “WLAN Solution Overview”—Summarizes the benefits and characteristics of the Cisco secure Enterprise WLAN solution.

• Chapter 2, “WLAN Radio Frequency (RF) Design Considerations”—Focuses on radio frequency (RF) considerations in WLAN environments.

• Chapter 3, “WLAN Technology and Product Selection”—Focuses on technology and product assessment and selection in WLAN environments.

• Chapter 4, “WLAN Security Considerations”—Provides details regarding deployment of the Cisco secure Enterprise WLAN solution.

• Chapter 5, “Wireless LAN VLANs”—Focuses on the implementation of virtual local area networks (VLANs) in the context of WLAN environments.

• Chapter 6, “WLAN Quality of Service (QoS)”—Addresses Quality of Service (QoS) considerations in the context of WLAN implementations.

• Chapter 7, “WLAN Roaming”—Addresses the WLAN design considerations when assessing Layer 2 roaming of wireless LAN clients.

• Chapter 8, “IP Multicast in a Wireless LAN”—Describes the configurations needed to control IP Multicast traffic over a WLAN.

• Chapter 9, “WLAN Rogue AP Detection and Mitigation”—Outlines the threat posed by rogue access points (APs) in the Enterprise network and some strategies for preventing and detecting them.

• Chapter 10, “WLAN Guest Network Access”—Presents the advantages, risks, and proposed configuration for WLAN Guest Network Access.

• Chapter 11, “Cisco AVVID Enterprise WLAN Case Study”—Details an example network in the context of the key topics presented in this document.

Where applicable, relevant configuration fragments are included.

A Cisco SAFE white paper addressing secure WLAN deployment in the enterprise is available at:

• http://www.cisco.com/go/safe

The SAFE white paper covers more detail on the security-specific aspects of design, whereas this design guide is focused on the overall WLAN solution. Although there are differences between the SAFE white paper designs and the designs presented here, those differences are not generally considered substantive and the designs are compatible.

Target Audience

This publication provides solution guidelines for large-scale enterprises implementing WLAN networks with Cisco WLAN devices. The intended audiences for this design guide include network architects, network managers, and others concerned with the implementation of secure WLAN solutions, including:

• Cisco sales and support engineers

• Cisco partners

• Cisco customers

Obtaining Documentation

The following sections explain how to obtain documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following URL:

http://www.cisco.com

Translated documentation is available at the following URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

• Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace:

http://www.cisco.com/cgi-bin/order/order_root.pl

• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

http://www.cisco.com/go/subscription

• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).

Documentation Feedback

If you are reading Cisco product documentation on Cisco.com, you can submit technical comments electronically. Click Leave Feedback at the bottom of the Cisco Documentation home page. After you complete the form, print it out and fax it to Cisco at 408 527-0730.

You can e-mail your comments to [email protected].

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Cisco Systems
Attn: Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you to

• Streamline business processes and improve productivity

• Resolve technical issues with online support

• Download and test software packages

• Order Cisco learning materials and merchandise

• Register for online skill assessment, training, and certification programs

You can self-register on Cisco.com to obtain customized information and service. To access Cisco.com, go to the following URL:

http://www.cisco.com

Technical Assistance Center

The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available through the Cisco TAC: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Inquiries to Cisco TAC are categorized according to the urgency of the issue:

• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration.

• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

Which Cisco TAC resource you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

The Cisco TAC Web Site allows you to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to the following URL:

http://www.cisco.com/tac

All customers, partners, and resellers who have a valid Cisco services contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to the following URL to register:

http://www.cisco.com/register/

If you cannot resolve your technical issues by using the Cisco TAC Web Site, and you are a Cisco.com registered user, you can open a case online by using the TAC Case Open tool at the following URL:

http://www.cisco.com/tac/caseopen

If you have Internet access, it is recommended that you open P3 and P4 cases through the Cisco TAC Web Site.

Cisco TAC Escalation Center

The Cisco TAC Escalation Center addresses issues that are classified as priority level 1 or priority level 2; these classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer will automatically open a case.

To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to the following URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled; for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). In addition, please have available your service agreement number and your product serial number.

Chapter 1

WLAN Solution Overview

This chapter summarizes the benefits and characteristics of the Cisco Secure Enterprise Wireless Local Area Network (WLAN) solution in the following sections:

• WLAN Solution Benefits, page 1-1

• Enterprise WLAN Design Overview, page 1-2

• Links and References, page 1-8

WLAN Solution Benefits

Before addressing the Cisco secure Enterprise WLAN features presented in this publication, the following review of potential WLAN benefits provides a context for WLAN implementation:

• Mobility within building or campus—Facilitates implementation of applications that require an always-on network and that tend to involve movement within a campus environment.

• Convenience—Simplifies networking of large, wide open people areas.

• Flexibility—Allows work to be done at the most appropriate or convenient place rather than where a cable drop terminates.

• Easier to set-up temporary spaces—Promotes quick network setup of meeting rooms, war rooms, or brainstorming rooms tailored to variations in the number of participants.

• Lower cabling costs—Reduces the requirement for contingency cable plant installation because the WLAN can be employed to fill the gaps.

• Easier adds, moves, and changes—Lowers support and maintenance costs. Temporary networks become much easier to set up, easing migration issues and costly last-minute fixes.

• Improved efficiency—Studies show WLAN users are connected to the network for 1.75 hours longer per day compared with hard-wired users.

• Productivity gains—Promotes easier access to network connectivity, resulting in better utilization of business productivity tools.

• Easier to collaborate—Facilitates access to collaboration tools from any location, such as meeting rooms; files can be shared on the spot and requests for information handled immediately.

• Improved company image and increased competitive advantage—Elevates a company's perceived connectedness and responsiveness.

• More efficient use of office space—Allows greater flexibility in coping with excess numbers caused by large team meetings.

• Reduced errors—Data can be entered directly into systems as it is being collected, rather than being transcribed later when network access is available.

• Improved efficiency, performance, and security for enterprise partners and guests—Promoted with the provision of guest access networks.

• Improved overall security—Promoted through the provision of a controlled and secured WLAN network, reducing the likelihood of rogue WLAN deployments.

• Improved business resilience—Increased mobility of the workforce allows rapid redeployment to other locations with WLANs as needed.

Enterprise WLAN Design Overview

A WLAN is generally deployed in an enterprise campus or branch office for the reasons stated in the “WLAN Solution Benefits” section on page 1-1. WLANs have emerged as one of the most effective methods to connect to an Enterprise Network. A WLAN is in essence an access technology intended for LAN implementations. Figure 1-1 illustrates where the WLAN products fit in the enterprise (at the edge of the network). The design recommendations presented in this publication propose a secure overlay WLAN network, not the replacement of wired infrastructure with wireless infrastructure.

Two supporting sections follow the overview illustration in Figure 1-1:

• Enterprise WLAN Design Characteristics, page 1-3

• WLAN Architecture Considerations, page 1-5

Figure 1-1 WLAN in the Enterprise (figure: WAN, Internet, and PSTN connections; Core/Backbone; Distribution; Access; Server farm; Building block additions; WLAN Access)

Enterprise WLAN Design Characteristics

The Enterprise WLAN design solution capabilities presented in this document adopt the following assumptions and characteristics:

• WLAN Virtual LANs (VLANs) allow the coexistence of multiple security models on the same WLAN. This allows security models to be combined based on client requirements and/or user policies.

• The solution security model you choose depends on the security requirements of the enterprise. This publication focuses on the two most secure solutions, 802.1x/Extensible Authentication Protocol (EAP) and IPSec VPNs, but does discuss the use of Wired Equivalent Privacy (WEP) and WEP plus Temporal Key Integrity Protocol (TKIP) and Message Integrity Check (MIC) where applicable.

• The recommended security model is 802.1x/EAP with WEP plus TKIP and MIC, because it creates the optimum network architecture and addresses all known WLAN security threats. Examples of EAP types suitable for use in WLANs are EAP-Cisco (formerly Lightweight EAP or LEAP), EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP Tunneled TLS (EAP-TTLS). If further 802.1x/EAP types are developed to meet business needs, the existing architectures will accommodate them. The 802.1x/EAP type used is transparent to the AP, and only has implications for the client software and the Remote Authentication Dial-In User Service (RADIUS) server.

• IPSec VPNs are recommended as an alternative to 802.1x/EAP if the customer security requirements mandate Triple Data Encryption Standard (3DES).

• For situations in which EAP or IPSec VPNs are not possible, a combination of static WEP and access filtering is discussed, although this alternative is not a recommended security mode for general deployment. TKIP and MIC should be implemented wherever possible, including static WEP deployments.

• The design recommendations presented in this publication each show a single security model (EAP, IPSec, or static WEP). These models can be combined within one enterprise implementation using WLAN VLANs; they are shown separately for clarity.

• The WLAN implementation does not change existing campus architectures and recommendations.

• WLANs should be assigned to a dedicated subnet (not one shared with wired LAN users).

• A separate management VLAN should be configured for the management of WLAN APs. As a design best practice, this VLAN should not have a WLAN appearance (meaning it does not have an associated SSID and it cannot be directly accessed from the WLAN). Security policies should determine where the AP managers logically and physically reside on the network.

• The wired LAN is not replaced by the WLAN. The WLAN is used to enhance the current network flexibility and accessibility by providing an extension to the existing network.

• Assumes 15-to-25 users per AP. This number varies from customer-to-customer depending on usage profiles and user density.

• Seamless roaming is limited to the same Layer-2 network, unless Proxy Mobile IP or Mobile IP is used.

• WLAN QoS tools are used as required.

• IP Multicast for the WLAN is bounded to ensure that multicast does not consume excessive bandwidth, and IP multicast applications are tested for their suitability for a WLAN network.

WLAN Architecture Considerations

This section focuses on the following WLAN architectural implementation topics:

• Comparing Wired and WLANs, page 1-5

• WLAN Modes of Operation, page 1-7

Comparing Wired and WLANs

Just as a network designer needs an understanding of how switches and routers switch traffic to design a wired network, a network designer needs an understanding of how access points (APs), wireless bridges and workgroup bridges handle traffic in order to design a WLAN.

These WLAN devices exhibit network behavior similar to an Ethernet switch combined with a shared Ethernet hub. Ethernet frames passing through an AP, wireless bridge, or workgroup bridge to or from the wireless network undergo changes at the Data Link Control (DLC) layer—much as frames can when passing through a translation bridge. 802.11, 802.2 DLC, and Subnetwork Access Protocol (SNAP) header information replace the Ethernet header information. Where 802.3 framing is used instead of Ethernet, the 802.11 header replaces the 802.3 header. Refer to Table 1-1. Although IP is shown as the Layer-3 protocol, this could just as easily be any protocol able to operate over Ethernet, such as IPX, AppleTalk, or NetBEUI. However, IP is still required to remotely manage APs, wireless bridges, and workgroup bridges.

Within any one wireless channel, the wireless interface is a shared medium. It operates in a similar fashion to an Ethernet hub. Within any Basic Service Set (BSS), only one station can transmit at any one time. All wireless stations are also half-duplex—the same frequency channel is used for transmit and receive. The actual access mechanism used is Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). Ethernet uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Each station in a CSMA network listens before talking over the air. Because collision detection (CD) is difficult in a radio-based environment, a collision avoidance (CA) mechanism is used instead.

At a detailed level, there are some significant differences between 802.11 and Ethernet, but from a network designer’s standpoint, the important idea to remember is the notion of a shared medium. The practical consequence is that aggregate throughput differs from the nominal data rate: the 802.11 protocol carries more overhead, and some traffic flows may not be occurring at the highest data rate. Taking overhead and protocol operation into account, the actual aggregate throughput of a WLAN is less than the data rate.

Unicast Traffic

The WLAN hardware always tries to send data at the highest rate possible. There are many data rates that can be selected. For instance, four rates are possible for an 802.11b radio: 1, 2, 5.5, and 11 Mbps. 802.11a radios support 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. With the AP, the Data Rates section on the AP Radio Hardware setup page lists the options for each data rate. Refer to Figure 1-2 on page 1-6.

Table 1-1 Wired and WLAN DLC Relationships

Layer             Wireless            Wired (802.3)       Wired Ethernet
Layer-3 Network   IP                  IP                  IP
Layer 2 DLC       SNAP (0800 = IP)    SNAP (0800 = IP)    Ethernet (0800 = IP)
                  IEEE 802.2 LLC      IEEE 802.2 LLC
                  IEEE 802.11 MAC     IEEE 802.3 MAC
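The header rewrite summarized in Table 1-1, worked through as an added example (this is not code from the Cisco guide): an Ethernet II frame is re-encapsulated in an 802.11 data frame whose LLC/SNAP header carries the original EtherType, and the reverse translation recovers the Ethernet frame. The MAC addresses, BSSID, frame bytes and function names are constructed for the illustration.

```python
"""Ethernet II <-> IEEE 802.11 data-frame translation, as an AP or
workgroup bridge performs it (the DLC rewrite of Table 1-1).

Added example, not Cisco code.  The AP strips the 14-byte Ethernet
header and prepends a 24-byte 802.11 MAC header plus an 8-byte LLC/SNAP
header (RFC 1042 encapsulation) that carries the original EtherType.
All addresses and frame bytes below are constructed sample data.
"""
import struct

# LLC header for SNAP (DSAP=0xAA, SSAP=0xAA, control=0x03 UI) followed by
# the RFC 1042 OUI 00-00-00, meaning "an EtherType follows".
LLC_SNAP = b"\xaa\xaa\x03" + b"\x00\x00\x00"

# Frame Control (little-endian 16-bit): type=Data (bits 2-3 = 10b),
# subtype 0, plus the To DS (bit 8) or From DS (bit 9) flag.
FC_DATA = 0x0008
FLAG_TO_DS = 0x0100
FLAG_FROM_DS = 0x0200


def eth_to_wlan(eth_frame: bytes, bssid: bytes, direction: str, seq: int = 0) -> bytes:
    """Re-encapsulate an Ethernet II frame as an 802.11 data frame.

    direction="from_ds": AP forwards a wired frame to a wireless client
                         (Addr1=DA, Addr2=BSSID, Addr3=SA).
    direction="to_ds":   a wireless client sends toward the wired LAN
                         (Addr1=BSSID, Addr2=SA, Addr3=DA).
    """
    if len(eth_frame) < 14:
        raise ValueError("truncated Ethernet II header")
    da, sa, ethertype, payload = (eth_frame[:6], eth_frame[6:12],
                                  eth_frame[12:14], eth_frame[14:])
    if direction == "from_ds":
        fc, a1, a2, a3 = FC_DATA | FLAG_FROM_DS, da, bssid, sa
    elif direction == "to_ds":
        fc, a1, a2, a3 = FC_DATA | FLAG_TO_DS, bssid, sa, da
    else:
        raise ValueError("direction must be 'from_ds' or 'to_ds'")
    duration = b"\x00\x00"                              # NAV not modelled
    seq_ctrl = struct.pack("<H", (seq & 0x0FFF) << 4)   # fragment number 0
    mac_hdr = struct.pack("<H", fc) + duration + a1 + a2 + a3 + seq_ctrl
    return mac_hdr + LLC_SNAP + ethertype + payload


def wlan_to_eth(wlan_frame: bytes) -> bytes:
    """Reverse the translation for a data frame in either DS direction."""
    if len(wlan_frame) < 24 + 8:
        raise ValueError("truncated 802.11 data frame")
    fc = struct.unpack("<H", wlan_frame[:2])[0]
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & FLAG_TO_DS), bool(fc & FLAG_FROM_DS)
    a1, a2, a3 = wlan_frame[4:10], wlan_frame[10:16], wlan_frame[16:22]
    if to_ds and not from_ds:
        da, sa = a3, a2
    elif from_ds and not to_ds:
        da, sa = a1, a3
    else:
        raise ValueError("IBSS and 4-address (WDS) frames not handled")
    if wlan_frame[24:30] != LLC_SNAP:
        raise ValueError("payload is not RFC 1042 encapsulated")
    ethertype, payload = wlan_frame[30:32], wlan_frame[32:]
    return da + sa + ethertype + payload


def header_overhead_bytes() -> int:
    """Extra header bytes per frame on air versus Ethernet II (before FCS):
    24-byte 802.11 MAC + 8-byte LLC/SNAP minus the 14-byte Ethernet header.
    This is part of why WLAN throughput is below the nominal data rate."""
    return (24 + len(LLC_SNAP) + 2) - 14


# Constructed sample: a wireless client sends an IPv4 frame to a wired host.
SAMPLE_BSSID = bytes.fromhex("0a0b0c0d0e0f")
SAMPLE_ETH = (bytes.fromhex("001122334455")     # DA: wired host
              + bytes.fromhex("66778899aabb")   # SA: wireless client
              + b"\x08\x00"                     # EtherType IPv4
              + b"\x45" + bytes(19))            # minimal dummy IPv4 header

if __name__ == "__main__":
    on_air = eth_to_wlan(SAMPLE_ETH, SAMPLE_BSSID, "to_ds", seq=5)
    print("802.11 + LLC/SNAP header:", on_air[:32].hex())
    print("round trip intact:", wlan_to_eth(on_air) == SAMPLE_ETH)
    print("extra header bytes per frame:", header_overhead_bytes())
```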

Where Yes is selected, only unicast traffic is sent at this data rate.

Figure 1-2 AP Radio Hardware Setup Page

Multicast and Broadcast Traffic

Broadcast and multicast traffic are treated similarly within a WLAN. Both are sent at the data rate of the associated client with the lowest data rate. For example, consider an 802.11b AP configured with all data rates as Basic (the default) that has clients associated at 11 Mbps and at 5.5 Mbps. In this scenario, multicast and broadcast traffic is sent at 5.5 Mbps to ensure that the frames are received by all associated clients.
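To make the Basic / Yes / No rate settings and the multicast rate choice concrete, here is a small added model (example code, not from the original document or from Cisco); the class and method names are assumptions, and the client rate lists are constructed for illustration:

```python
"""Per-rate Basic / Yes / No model for an 802.11b AP radio and the unicast and
multicast rate selection it implies. Added example, not Cisco AP code: the class
and method names are assumptions, and the client rate lists are constructed."""
from typing import Dict, List

RATES_80211B = (1.0, 2.0, 5.5, 11.0)   # Mbps, the four 802.11b rates in the text


class RateSet:
    """Basic: required rate, used for unicast and for broadcast/multicast.
    Yes:   rate allowed for unicast traffic only.
    No:    rate disabled on this radio."""

    def __init__(self, settings: Dict[float, str]) -> None:
        for rate, mode in settings.items():
            if mode not in ("Basic", "Yes", "No"):
                raise ValueError(f"unknown setting {mode!r} for {rate} Mbps")
        self.settings = dict(settings)
        if not self.basic_rates():
            raise ValueError("at least one rate must be Basic")

    def basic_rates(self) -> List[float]:
        return sorted(r for r, m in self.settings.items() if m == "Basic")

    def unicast_rates(self) -> List[float]:
        return sorted(r for r, m in self.settings.items() if m != "No")

    def can_associate(self, client_supported: List[float]) -> bool:
        """A station must support every Basic rate of the BSS to associate
        (the 802.11 association rule, assumed here). Making only 5.5 and
        11 Mbps Basic therefore keeps 1/2 Mbps-only clients, usually the
        far-away ones, off the AP, which is the coverage-exposure point the
        RF design chapter makes."""
        return all(r in client_supported for r in self.basic_rates())

    def unicast_rate(self, client_best_rate: float) -> float:
        """Highest enabled rate at or below the best rate the link supports."""
        usable = [r for r in self.unicast_rates() if r <= client_best_rate]
        if not usable:
            raise ValueError(f"no enabled unicast rate at or below {client_best_rate} Mbps")
        return max(usable)

    def multicast_rate(self, associated_best_rates: List[float]) -> float:
        """Broadcast/multicast is sent once for the whole cell, so it goes at a
        Basic rate no faster than the slowest associated client's rate. If no
        Basic rate is that slow, the lowest Basic rate is used: every
        associated client is guaranteed to support it."""
        basic = self.basic_rates()
        if not associated_best_rates:
            return max(basic)
        slowest = min(self.unicast_rate(r) for r in associated_best_rates)
        candidates = [r for r in basic if r <= slowest]
        return max(candidates) if candidates else min(basic)


def all_basic() -> RateSet:
    """The default setting the text describes: every rate Basic."""
    return RateSet({r: "Basic" for r in RATES_80211B})


def high_rates_only() -> RateSet:
    """Rates limited to 5.5 and 11 Mbps, as the RF design chapter recommends."""
    return RateSet({1.0: "No", 2.0: "No", 5.5: "Basic", 11.0: "Basic"})


if __name__ == "__main__":
    # Constructed cell: one client links at 11 Mbps, another only at 5.5 Mbps.
    for label, rates in (("all Basic", all_basic()), ("5.5/11 only", high_rates_only())):
        print(f"{label}: multicast at {rates.multicast_rate([11.0, 5.5])} Mbps, "
              f"1/2 Mbps-only client can associate: {rates.can_associate([1.0, 2.0])}")
```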


WLAN Modes of Operation

IEEE 802.11 WLANs operate in one of two modes:

• Infrastructure Mode, page 1-7

• Ad-hoc Mode, page 1-7

Infrastructure Mode

In infrastructure mode, clients communicate through an AP. The AP is the point at which wireless clients can access the network. Figure 1-3 illustrates a typical WLAN arrangement. The AP provides connectivity to other clients associated with that AP or to the wired LAN.

The basic service area (BSA) is the area of RF coverage provided by an AP—also referred to as a microcell. To extend the BSA, or to simply add wireless devices and extend the range of an existing wired system, an AP can be added.

The AP attaches to the Ethernet backbone and communicates with all the wireless devices in the cell area. The AP is the master for the cell, and controls traffic flow to and from the network. The remote devices do not communicate directly with each other—they communicate to the AP.

If a single cell does not provide enough coverage, any number of cells can be added to extend the range. This is known as an extended service area (ESA).

It is recommended that the ESA cells include 10-to-15 percent overlap to allow remote users to roam without losing RF connections.

Bordering cells should be set to different non-overlapping channels for best performance.

Figure 1-3 Typical WLAN

Ad-hoc Mode

Ad-hoc mode is used to establish a peer-to-peer network between two or more clients. This mode is selected through the System Type section of the System Parameters page on the Aironet Client Utility (ACU).

[Figure 1-3 (labels only): two APs, one on channel 1 and one on channel 6, with 10-15% overlapping coverage; wireless laptops, a tablet, a handheld and a desktop roam between them, and the APs connect through a switch and a router to the LAN/WAN]


Links and References

The following documents provide supplemental information to the design and implementation material presented in this SRND. These references fall into several categories:

• General References, page 1-8

• Security References, page 1-8

• IP Multicast References, page 1-9

General References

Cisco Network Solutions and Provisioned Services page:

http://www.cisco.com/en/US/netsol/index.html

Note Access to specific information varies based on user entitlement at the Cisco Systems web site.

Security References

The Unofficial 802.11 Security Web Page:

http://www.drizzle.com/~aboba/IEEE/

Assessing Wireless Security with AiroPeek and AiroPeek NX:

http://www.wildpackets.com/elements/whitepapers/AiroPeek_Security.pdf

Netstumbler security links:

http://www.netstumbler.com/links.php?op=MostPopular

OUI list:

http://standards.ieee.org/regauth/oui/oui.txt

SANS (System Administration, Networking and Security) Institute—Wireless page:

http://rr.sans.org/wireless/wireless_list.php

Securing wireless networks (enter as guest):

http://securingwireless.intranets.com/default.asp?link=

List of wireless security tools:

http://www.networkintrusion.co.uk/wireless.htm

When Dreamcasts Attack:

http://online.securityfocus.com/news/558


IP Multicast References

CCO IP Multicast Overview:

http://www.cisco.com/go/ipmulticast


Chapter 2

WLAN Radio Frequency (RF) Design Considerations

This discussion focuses on radio frequency (RF) considerations in WLAN environments. The following sections are presented:

• RF Basics, page 2-1

• IEEE 802.11 Standards, page 2-9

• RF Spectrum Implementation, page 2-11

• Planning for RF Deployment, page 2-13

RF Basics

This section provides a summary of regulations and considerations specific to RF implementation. The following sections are presented:

• Regulations, page 2-2

• Fine Tuning, page 2-5

• Channel Selection, page 2-5


Regulations

Devices that operate in unlicensed bands do not require any formal licensing process, but operation in these bands still obligates the user to follow regulations. The governing bodies in different parts of the world regulate these bands, and WLAN devices must comply with the specifications of the relevant regulatory domain. The regulatory agencies set emission requirements for WLANs to minimize the interference a radio can generate or receive from another radio in the same proximity. The regulatory requirements do not affect the interoperability of IEEE 802.11b and 802.11a compliant products. It is the vendor’s responsibility to get the product certified by the corresponding regulatory body.

Table 2-1 summarizes the current regulatory domains for Wi-Fi products.

Note The main regulatory domains are the FCC, ETSI, and MKK domains. As of this writing there is no 5 GHz regulatory domain for China, and 5 GHz regulations vary widely from country to country.

Caution Check the Cisco web site for compliance information and also with your local regulatory authority on what is permitted within your country. The information provided in Table 2-2, Table 2-3, and Table 2-4 on the following pages should be used as a general guideline. For up-to-date information on regional requirements, check http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html#4.

Table 2-1 Regulatory Domains

Regulatory Domain                                                   Geographic Area
Americas or FCC (United States Federal Communication Commission)    North, South and Central America, Australia and New Zealand, various parts of Asia and Oceania
Europe or ETSI (European Telecommunications Standards Institute)    Europe (both EU and non-EU countries), Middle East, Africa, various parts of Asia and Oceania
Japan (MKK)                                                         Japan
China                                                               People’s Republic of China (Mainland China)
Israel                                                              Israel
Singapore (1)                                                       Singapore
Taiwan (1)                                                          Republic of China (Taiwan)

1. The regulations of Singapore and Taiwan for wireless LANs are particular to these countries only for operation in the 5 GHz band. Singapore and Taiwan are therefore regulatory domains only for 5 GHz operation; for operation in 2.4 GHz, they fall into the ETSI and FCC domains, respectively.


Table 2-2 Operating Frequency Range for 802.11b

Lower Limit    Upper Limit    Regulatory Range (1)     Geography
2.402 GHz      2.480 GHz      2.400 to 2.4835 GHz      North America
2.402 GHz      2.480 GHz      2.400 to 2.4835 GHz      Europe (2)
2.473 GHz      2.495 GHz      2.471 to 2.497 GHz       Japan
2.447 GHz      2.473 GHz      2.445 to 2.475 GHz       Spain
2.448 GHz      2.482 GHz      2.4465 to 2.4835 GHz     France

1. The frequency ranges in this table are subject to the geographic-specific regulatory authorities.
2. Excluding Spain and France.

Table 2-3 FCC Frequency Bands and Channel Numbers for 802.11a

Regulatory Domain    Frequency Band                            Channel Number    Centre Frequency
USA                  U-NII lower band (5.15 to 5.25 GHz)       36                5.180 GHz
                                                               40                5.200 GHz
                                                               44                5.220 GHz
                                                               48                5.240 GHz
USA                  U-NII middle band (5.25 to 5.35 GHz)      52                5.260 GHz
                                                               56                5.280 GHz
                                                               60                5.300 GHz
                                                               64                5.320 GHz
USA                  U-NII upper band (5.725 to 5.825 GHz)     149               5.745 GHz
                                                               153               5.765 GHz
                                                               157               5.785 GHz
                                                               161               5.805 GHz


Each of the bands presented in Table 2-3 is intended for different uses. The UNII-3 band is intended for long-range point-to-point and point-to-multipoint wireless bridging and may only be used outdoors. The UNII-3 band and its usage are beyond the scope of this book. Refer to the following URL to find the appropriate WLAN product for your regulatory domain:

http://www.cisco.com/warp/public/779/smbiz/wireless/approvals.html

Table 2-4 Additional Frequency Bands and Channel Numbers for Other Regulatory Domains

Regulatory Domain                 Frequency Band       Channel Number    Center Frequency (GHz)
Japan                             U-NII lower band     34                5.170
                                                       38                5.190
                                                       42                5.210
                                                       46                5.230
Singapore                         U-NII lower band     36                5.180
                                                       40                5.200
                                                       44                5.220
                                                       48                5.240
Taiwan                                                 52                5.260
                                                       56                5.280
                                                       60                5.300
                                                       64                5.320
EMEA 1, Australia, New Zealand    Same as USA          Same as USA       Same as USA
EMEA 2 (1)                        U-NII lower band     36                5.180
                                                       40                5.200
                                                       44                5.220

1. Some EMEA countries, and limited to 20 mW.


Fine Tuning

A number of factors can affect WLAN coverage, as follows:

• Selected Data Rate

• Power Level

• Antenna choice (dipole, omni-directional, wall mount)

For a given data rate, the WLAN designer can alter power level and/or elect to use a different antenna, to change the coverage area and/or coverage shape.

Channel Selection

Channel selection depends on the frequencies that are permitted for a particular region. For example, the North American and ETSI 2.4 GHz channel sets permit allocation of three non-overlapping channels—1, 6, and 11—while the 5 GHz channel set permits eight channels.

The channels should be allocated to the coverage cells as follows:

• Overlapping cells should use non-overlapping channels

• Where channels must be used in multiple cells, those cells should have minimal overlap with each other. See Figure 2-1.


Figure 2-1 Channels Allocated to APs

A site survey should be conducted using the same frequency plan as intended for the actual deployment. This facilitates a more exact estimate of how a particular channel at a particular location will react to the interference and the multipath.

Channel selection also helps in planning for co-channel and adjacent-channel interference, and provides information about where you can reuse a frequency.

In multi-story buildings, check the cell overlap between floors according to the same guidelines. Some re-surveying and relocating of APs might be required. Multi-story structures (such as office towers, hospitals and university classroom buildings) introduce a third dimension to coverage planning. The 2.4 GHz waveform of 802.11b and, when available, 802.11g can pass through floors and ceilings as well as walls. The 5 GHz waveform of 802.11a can also pass through floors and ceilings as well as walls, but to a lesser degree because of its higher frequency. With 2.4 GHz Wi-Fi LANs in particular, you must avoid overlapping cells not only on the same floor but also on adjacent floors. With only three channels, this can be achieved through careful three-dimensional planning.

[Figure 2-1 (labels only): AP1 on channel 1, AP2 on channel 6, AP3 on channel 11, AP4 reusing channel 1]


An AP can be configured to automatically search for the best channel on power up. This is configured using the AP Radio Hardware menu, as shown in Figure 2-2.

Retest the site using the selected channels and check for any interference.

Figure 2-2 AP Automatic Channel Search


Note It is possible to implement a dual-band deployment scheme as illustrated in Figure 2-3. However, this requires careful planning and implementation of the Cisco Aironet AP 1200. Refer to the “Data Rate Considerations” section on page 3-3 for related information about dual-band channel deployment considerations.

Figure 2-3 Dual Band Deployment Diagram

[Figure 2-3 (labels only): a grid of 802.11b cells reusing channels 1, 6 and 11; the same grid of 802.11a cells; and the combined 802.11a/802.11b dual-band cells, each labelled with its 802.11a and 802.11b channel pair]


IEEE 802.11 Standards

IEEE 802.11 is the Working Group within the IEEE (Institute of Electrical and Electronics Engineers) responsible for Wireless LAN standards. IEEE 802.11 became a standard in July 1997 and defined two RF technologies operating in the 2.4 GHz band:

• Direct Sequence Spread Spectrum (DSSS)—1 Mbps and 2 Mbps

• Frequency Hopping Spread Spectrum (FHSS)—1 Mbps and 2 Mbps

Within the 802.11 Working Group are a number of Task Groups responsible for elements of the 802.11 WLAN Standard.

IEEE 802.11b refers to Task Group b within the 802.11 Working Group. IEEE 802.11b became an IEEE standard in September 1999, introducing the higher data rates of 5.5 Mbps and 11 Mbps using DSSS in the 2.4 GHz band. 802.11b defines a high-performance radio and true vendor interoperability. Table 2-5 summarizes some of the task group initiatives.

Table 2-5 IEEE 802.11 Task Group Activities

Task Group    Project                                                                                              Status (March 2003)
MAC           Develop one common MAC for WLANs in conjunction with a physical layer entity (PHY) Task Group
PHY           Develop three WLAN PHYs: Infrared, 2.4 GHz FHSS, 2.4 GHz DSSS                                        Standard
a             Develop PHY for 5 GHz UNII band                                                                      Standard
b             Develop higher rate PHY in 2.4 GHz band                                                              Standard
c             Cover bridge operation with 802.11 MACs (spanning tree)                                              Standard (802.1d)
d             Define physical layer requirements for 802.11 operation in other regulatory domains (countries)      Standard
e             Enhance 802.11 MAC for QoS                                                                           Ongoing
f             Develop recommended practices for Inter Access Point Protocol (IAPP) for multi-vendor use            Ongoing
g             Develop higher speed PHY extension to 802.11b (54 Mbps)                                              Ongoing
h             Enhance 802.11 MAC and 802.11a PHY: Dynamic Frequency Selection, Transmit Power Control              Ongoing
i             Enhance 802.11 MAC security and authentication mechanisms                                            Ongoing
j             Enhance the 802.11 standard and amendments to add channel selection for 4.9 GHz and 5 GHz in Japan  Ongoing
k             Define Radio Resource Measurement enhancements to provide interfaces to higher layers for radio and network measurements    Ongoing


The IEEE ratified the 802.11a standard in 1999, but the first 802.11a-compliant products did not begin appearing on the market until December 2001. The 802.11a standard delivers a maximum data rate of 54 Mbps and eight nonoverlapping frequency channels—resulting in increased network capacity, improved scalability, and the ability to create microcellular deployments without interference from adjacent cells.

Operating in the unlicensed portion of the 5 GHz radio band, 802.11a is also immune to interference from devices that operate in the 2.4 GHz band, such as microwave ovens, cordless phones, and Bluetooth (a short-range, low-speed, point-to-point, personal-area-network wireless standard). The 802.11a standard is not compatible with existing 802.11b-compliant wireless devices. 2.4-GHz and 5-GHz equipment can operate in the same physical environment without interference.

IEEE 802.11g is a high-performance standard in development that should be finalized by mid-2003. 802.11g will deliver the same 54 Mbps maximum data rate as 802.11a, but will operate in the same 2.4 GHz band as 802.11b.

Selecting between these technologies is not a one-for-one tradeoff. They are complementary technologies and will coexist in future enterprise environments. Implementers must be able to make an educated choice between deploying 2.4 GHz-only networks, 5 GHz-only networks, or a combination of both. Organizations with existing 802.11b networks cannot simply deploy a new 802.11a network on 5 GHz APs and expect to have similar coverage at the 802.11a 54 Mbps data rate as they had at the 11 Mbps data rate of 802.11b APs. The technical characteristics of the two bands simply do not allow for this kind of coverage interchangeability.


RF Spectrum Implementation

In the United States, three bands are defined as unlicensed and known as the ISM bands (Industrial, Scientific, and Medical). The ISM bands are as follows:

• 900 MHz (902-to-928 MHz)

• 2.4 GHz (2.4-to-2.4835 GHz) —IEEE 802.11

• 5 GHz (5.15-to-5.35 and 5.725-to-5.825 GHz) —IEEE 802.11a. This band is also known as the UNII band.

The Cisco Aironet 340 and 350 Series APs use RF spectrum in the 2.4 GHz unlicensed ISM band.

Each range has different characteristics. The lower frequencies exhibit better range, but with limited bandwidth and hence lower data rates. The higher frequencies have less range and are subject to greater attenuation from solid objects.

Direct Sequence Spread Spectrum

The Direct Sequence Spread Spectrum approach involves encoding redundant information into the RF signal. Every data bit is expanded to a string of chips called a chipping sequence or Barker sequence. The chipping rate mandated by IEEE 802.11 is 11 chips—Binary Phase-Shift Keying (BPSK)/Quadrature Phase-Shift Keying (QPSK)—at the 1 and 2 Mbps rates and 8 chips (CCK) at the 5.5 and 11 Mbps rates. So, at 11 Mbps, 8 chips are transmitted for every one bit of data. The chipping sequence is transmitted in parallel across the spread spectrum frequency range.

IEEE 802.11b Direct Sequence Channels

Fourteen channels are defined in the IEEE 802.11b Direct Sequence (DS) channel set. Each DS channel is 22 MHz wide, but the channel separation is only 5 MHz. This leads to channel overlap, such that signals from neighboring channels can interfere with each other. In a 14-channel DS system (11 usable in the US), only three non-overlapping (and hence non-interfering) channels—25 MHz apart—are possible (such as channels 1, 6, and 11).

This channel spacing governs the use and allocation of channels in a multi-AP environment such as an office or campus. APs are usually deployed in cellular fashion within an enterprise where adjacent APs are allocated non-overlapping channels. Alternatively, APs can be collocated using Channels 1, 6, and 11 to deliver 33 Mbps bandwidth to a single area (but only 11 Mbps to a single client). The channel allocation scheme is illustrated in Figure 2-4.
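The channel-spacing facts above, together with the allocation rules from the Channel Selection section (overlapping cells on non-overlapping channels, and minimal overlap where a channel must be reused), are captured in this added example, which is not from the original document or from Cisco. The centre-frequency formulas are the IEEE channel numbering, and the AP overlap pattern used for the Figure 2-1 style cells is constructed:

```python
"""Channel arithmetic and channel-plan checks for the 802.11b/a channel sets
described in this chapter. Added example, not Cisco tooling. Centre
frequencies follow the IEEE channel numbering (2407 + 5*n MHz for 2.4 GHz
channels 1-13, 2484 MHz for channel 14; 5000 + 5*n MHz in the 5 GHz band),
which reproduces Tables 2-2 to 2-4 and Figures 2-4 and 2-5."""
from typing import Dict, Iterable, List, Optional, Tuple

# Occupied bandwidth per channel as stated in the text: 22 MHz for 802.11b DSSS,
# 20 MHz for 802.11a OFDM ("10 MHz either side" of the centre).
CHANNEL_WIDTH_MHZ = {"2.4": 22, "5": 20}

Adjacency = Dict[str, List[str]]   # AP -> APs whose coverage cells overlap it


def center_frequency_mhz(band: str, channel: int) -> int:
    """Centre frequency of a channel in MHz, or ValueError if undefined."""
    if band == "2.4":
        if channel == 14:
            return 2484                 # Japan-only channel, off the 5 MHz grid
        if 1 <= channel <= 13:
            return 2407 + 5 * channel
    elif band == "5" and 1 <= channel <= 200:
        return 5000 + 5 * channel
    raise ValueError(f"channel {channel} is not defined in the {band} GHz set")


def channels_overlap(band: str, a: int, b: int) -> bool:
    """True when the occupied spectra of channels a and b overlap, i.e. their
    centres are closer than one channel width. For 802.11b (5 MHz spacing,
    22 MHz width) that is fewer than five channel numbers apart, which is why
    only 1, 6 and 11 (25 MHz apart) are mutually non-overlapping."""
    separation = abs(center_frequency_mhz(band, a) - center_frequency_mhz(band, b))
    return separation < CHANNEL_WIDTH_MHZ[band]


def adjacency_from_pairs(pairs: Iterable[Tuple[str, str]]) -> Adjacency:
    """Build the symmetric overlap map from (AP, AP) pairs found in the site
    survey. Pairs on adjacent floors belong here too, so the checks below
    cover the three-dimensional case the text describes."""
    adj: Adjacency = {}
    for a, b in pairs:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    return adj


def plan_conflicts(band: str, plan: Dict[str, int], adjacency: Adjacency) -> List[Tuple[str, str]]:
    """Pairs of overlapping cells that were allocated overlapping channels."""
    conflicts = []
    for ap, neighbours in adjacency.items():
        for other in neighbours:
            if ap < other and channels_overlap(band, plan[ap], plan[other]):
                conflicts.append((ap, other))
    return sorted(conflicts)


def assign_channels(band: str, adjacency: Adjacency, allowed: List[int]) -> Optional[Dict[str, int]]:
    """Greedy allocation in AP-name order: each AP takes the first allowed
    channel that does not overlap a channel already given to a neighbouring
    cell, so a channel is reused only by cells that do not overlap. Returns
    None when the cells cannot be coloured with the allowed channels, the cue
    to re-survey, shrink cells or move APs."""
    plan: Dict[str, int] = {}
    for ap in sorted(adjacency):
        used = [plan[n] for n in adjacency[ap] if n in plan]
        free = [ch for ch in allowed if not any(channels_overlap(band, ch, u) for u in used)]
        if not free:
            return None
        plan[ap] = free[0]
    return plan


if __name__ == "__main__":
    # Constructed overlap pattern matching the labels of Figure 2-1:
    # AP1, AP2 and AP3 overlap one another; AP4 overlaps only AP3.
    survey = adjacency_from_pairs([("AP1", "AP2"), ("AP1", "AP3"), ("AP2", "AP3"), ("AP3", "AP4")])
    plan = assign_channels("2.4", survey, allowed=[1, 6, 11])
    print("plan:", plan)                     # AP4 reuses channel 1, as in the figure
    print("conflicts:", plan_conflicts("2.4", plan, survey))
    bad_plan = {"AP1": 1, "AP2": 3, "AP3": 11, "AP4": 11}
    print("bad plan conflicts:", plan_conflicts("2.4", bad_plan, survey))
```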

Figure 2-4 IEEE 802.11b DSSS Channel Allocations

[Figure 2-4 (labels only): channels 1 to 14 spanning 2.402 GHz to 2.483 GHz, each channel 22 MHz wide]


IEEE 802.11a—OFDM Physical Layer

IEEE 802.11a defines requirements for a PHY operating in the 5.0 GHz U-NII band with data rates ranging from 6 Mbps to 54 Mbps. It uses Orthogonal Frequency Division Multiplexing (OFDM), a multi-carrier system (compared to single-carrier systems). OFDM allows sub-channels to overlap, providing high spectral efficiency. The modulation technique used in OFDM is more efficient than spread spectrum techniques.

IEEE 802.11a Channels

Figure 2-5 shows the center frequency of the channels. Each channel extends 10 MHz either side of the dotted line. There is 5 MHz of separation between channels.

Figure 2-5 802.11a Channel Set

For the US-based 802.11a standard, the 5 GHz unlicensed band covers 300 MHz of spectrum and supports 12 non-overlapping channels. The 5 GHz band is actually a conglomerate of three bands in the USA: 5.150-to-5.250 GHz (UNII 1), 5.250-to-5.350 GHz (UNII 2), and 5.725-to-5.875 GHz (UNII 3).

[Figure 2-5 (labels only): lower band, 30 MHz from the 5150 MHz band edge to the first channel, centre frequencies 5180, 5200, 5220, 5240, 5260, 5280, 5300 and 5320 MHz, then 30 MHz to the 5350 MHz upper band edge; upper band, 20 MHz from the 5725 MHz band edge, centre frequencies 5745, 5765, 5785 and 5805 MHz, then 20 MHz to the 5825 MHz upper band edge]


Planning for RF Deployment

Many of the RF-design considerations are interdependent and/or implementation dependent. As a result, there is no one-size-fits-all template for the majority of requirements and environments.

The RF design depends on the following considerations; each is addressed briefly in the individual sections that follow:

• RF Deployment Best Practices, page 2-13

• WLAN Data Rates Required, page 2-13

• Client Density and Throughput Requirements, page 2-16

• WLAN Coverage Required, page 2-17

• Security Policy, page 2-17

• RF Environment, page 2-18

RF Deployment Best Practices

Some considerations can be addressed with general best-practice guidelines. The following can be applied to most situations:

• Number of users versus throughput and a given AP—The general recommended number of users per AP is 15-to-25.

• Distance between APs can cause throughput variations for clients based on distance from the AP—The recommendation is to limit the AP data rate to the higher data rates of 11 Mbps and 5.5 Mbps.

• Number of APs depends on coverage and throughput requirements, which might vary—For example Cisco’s internal information systems (IS) group currently uses six APs per 38,000 square feet of floor space.

Note Based upon the variability in environments it is highly recommended that a site survey be performed to determine the number of APs required and their optimal placement.

WLAN Data Rates Required

Data rates affect cell size. Lower data rates (such as 1 Mbps) can extend farther from the AP than higher data rates (such as 11 Mbps). This is illustrated in Figure 2-6 (not to scale). Therefore, the data rate (and power level) affects cell coverage and consequently the number of APs required, as illustrated in Figure 2-7 on page 2-15.

Different data rates are achieved by sending a more redundant signal on the wireless link, allowing data to be more easily recovered from noise. The number of symbols sent out for a packet at the 1 Mbps data rate is greater than the number of symbols used for the same packet at 11 Mbps. This means that sending data at the lower bit rates takes more time than sending the equivalent data at a higher bit rate.


Figure 2-6 Data Rate Compared with Coverage

The diameter of the coverage (circles shown in Figure 2-6) depends upon factors such as power and antenna gain. For example, indoors (see footnote 1), using the standard antennas on the NIC card and APs, the diameter of the 1 Mbps circle is approximately 700 ft (210 m), and the diameter of the 11 Mbps circle is about 200 ft (60 m). Increasing the gain of the antenna can increase the distance and change the shape of the radiation pattern to something more directional.

[Figure 2-6 (labels only): concentric coverage circles for 1 Mbps, 2 Mbps, 5.5 Mbps and 11 Mbps, the 1 Mbps circle being the largest]

1. Typically the outdoor range is greater because there are fewer obstacles, and less interference.


Figure 2-7 Coverage Comparison and AP density for Different Data Rates

The required data rate has a direct impact upon the number of APs needed in the design. The example in Figure 2-7 illustrates this point. While six APs with a data rate of 2 Mbps might adequately service an area, it might take twice as many APs to support a data rate of 5 Mbps, and more again to support data rates of 11 Mbps.

The data rate chosen is dependent on the type of application to be supported. In a WLAN LAN extension environment, the higher data rates of 11 Mbps and 5.5 Mbps are recommended—this gives maximum throughput and should minimize performance-related support issues. In a WLAN vertical application environment, the data rates selected are determined by the application requirements—some clients might not support the higher data rates and might require the use of lower data rates.

It might seem logical to choose the default configuration of APs and clients, thereby allowing all data rates. However, there are three key reasons for limiting the data rate to the highest rate at which full coverage is obtained:

• Broadcast and multicast frames are sent at the slowest data rate (to ensure that all clients can receive them). This reduces the throughput of the WLAN because other traffic must wait while those frames are transmitted at the slower rate.

• Clients that are farther away, and therefore accessing the network at a lower data rate, decrease the overall throughput by causing delays while the lower bit rates are being serviced.

• If an 11 Mbps service is specified and provisioned with APs to support all data rates, clients at lower rates can associate with APs configured in this way which can create a coverage area greater than planned, thereby increasing the security exposure and potentially interfering with other WLANs.
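An added airtime model (not from the original document) that quantifies the first two reasons above by comparing a cell that admits a 1 Mbps client with one limited to the higher rates; the 192 µs PLCP overhead and the traffic volumes are assumptions of this example:

```python
"""Airtime model showing why the text recommends limiting an AP to its higher
data rates. Added example, not from the original document; the PLCP overhead
value is the 802.11b long-preamble figure and is an assumption of this model,
as are the traffic volumes in the constructed scenario."""
from dataclasses import dataclass
from typing import Dict, List

PLCP_OVERHEAD_US = 192.0   # long preamble + PLCP header, always sent at 1 Mbps (assumed)


@dataclass
class Flow:
    name: str          # client name, or "broadcast"
    rate_mbps: float   # PHY rate the frames are sent at
    frames: int
    frame_bytes: int


def frame_airtime_us(frame_bytes: int, rate_mbps: float) -> float:
    """Time one frame occupies the channel, in microseconds
    (bits divided by Mbit/s gives microseconds directly)."""
    return PLCP_OVERHEAD_US + frame_bytes * 8 / rate_mbps


def airtime_share(flows: List[Flow]) -> Dict[str, float]:
    """Fraction of the total channel time each flow consumes."""
    per_flow = {f.name: f.frames * frame_airtime_us(f.frame_bytes, f.rate_mbps) for f in flows}
    total = sum(per_flow.values())
    return {name: t / total for name, t in per_flow.items()}


def aggregate_throughput_mbps(flows: List[Flow]) -> float:
    """Useful payload bits delivered per unit of channel time when the flows
    are sent back to back (no contention or retransmission modelled): the
    shared-medium throughput the cell actually delivers."""
    total_bits = sum(f.frames * f.frame_bytes * 8 for f in flows)
    total_us = sum(f.frames * frame_airtime_us(f.frame_bytes, f.rate_mbps) for f in flows)
    return total_bits / total_us


def cell_scenario(client_rates: List[float], broadcast_rate: float) -> List[Flow]:
    """Constructed traffic mix: every client sends 100 frames of 1500 bytes,
    and the AP sends 10 broadcast frames of 100 bytes at the multicast rate."""
    flows = [Flow(f"client{i}", r, 100, 1500) for i, r in enumerate(client_rates, 1)]
    flows.append(Flow("broadcast", broadcast_rate, 10, 100))
    return flows


if __name__ == "__main__":
    # All rates enabled: one far-away client at 1 Mbps drags broadcast down to 1 Mbps too.
    open_cell = cell_scenario([11.0, 11.0, 11.0, 1.0], broadcast_rate=1.0)
    # Rates limited to 5.5/11: that client cannot associate, broadcast goes at 11 Mbps.
    limited_cell = cell_scenario([11.0, 11.0, 11.0], broadcast_rate=11.0)
    for label, flows in (("all rates", open_cell), ("limited", limited_cell)):
        print(f"{label:>9}: {aggregate_throughput_mbps(flows):5.2f} Mbps aggregate")
        for name, share in airtime_share(flows).items():
            print(f"           {name:<10} {share:6.1%} of airtime")
```

In the constructed mix the single 1 Mbps client takes roughly three quarters of the channel time and the cell's aggregate throughput drops to about a third of what the rate-limited cell delivers.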

[Figure 2-7 (labels only): the same area surveyed at 2 Mbps compared with the same area surveyed at 5.5 Mbps, the latter needing more APs]


Client Density and Throughput Requirements

APs are similar to shared hubs and have an aggregate throughput much lower than the data rate. With this in mind, you must have a rough estimate of the maximum suggested number of active associations (active clients). This can be adjusted up or down according to the particular application.

Each cell provides an aggregate amount of throughput that is shared by all the client devices that are within that cell, and associated to a given AP. This basically defines a cell as a collision domain. After deciding on the minimum data rate, be sure to consider how much throughput should, on average, be provided to each user of the wireless LAN.

Take the example of barcode scanners. 25 Kbps is more than enough bandwidth for such an application. Using an 802.11b AP at an 11 Mbps data rate results in an aggregate throughput of 5-to-6 Mbps, which supports a maximum of 200 users (see footnote 1) satisfactorily. For a 1 Mbps system, 20 users can use the same AP with similar bandwidth results.

You can increase the per user throughput by decreasing the number of users contending for the aggregate throughput provided by a single AP. This can be done by decreasing the size of the coverage cell or adding a second AP on a non-overlapping channel in the same cell area. To reduce the cell size, the AP power or antenna gain can be reduced, resulting in fewer clients in that cell area. This means you will need more APs for the same overall area, increasing the cost of deployment. An example of this is shown in Figure 2-8. Some of the APs do not provide the settings to control transmit power and many have limited or no options.

1. This number would not be achieved in practice because of the 802.11 management overhead and collisions associated with a large number of clients.


Figure 2-8 Changing the Output Power to Increase Client Performance

Note Client power should be adjusted to match the AP power settings. Maintaining a high setting on the client does not result in higher performance and it can cause interference in nearby cells.

WLAN Coverage Required

Different enterprises have different coverage requirements. Some need a WLAN to cover specific common areas; others need WLANs to cover each floor of a building, to cover the entire building including stairwells and elevators, or to cover the entire campus including car parks and roads.

Apart from impacting the number of APs required, the coverage requirements can introduce other issues, such as specialized antennas, outdoor enclosures and lightning protection.

Security Policy

RF design can be used to minimize RF radiation in coverage areas or directions where it is not required. For example, if WLAN coverage is required only inside the buildings, the amount of RF coverage outside the building can be minimized by AP placement and directional antennas.

[Figure 2-8 (labels only): left, 180 users per floor at 30 mW transmitter power served by 3 access points on channels 1, 6 and 11, 60 users per AP at an 11 Mbps data rate; right, the same 180 users per floor at 5 mW transmitter power served by 18 access points reusing channels 1, 6 and 11, 10 users per AP at an 11 Mbps data rate]


RF Environment

The performance of the WLAN and its equipment depends upon its RF environment. The following are some examples of adverse environmental variables:

• 2.4 GHz cordless phones

• Walls fabricated from wire mesh and stucco

• Filing cabinets and metal equipment racks

• Transformers

• Heavy duty electric motors

• Fire walls and fire doors

• Concrete

• Refrigerators

• Sulphur plasma lighting (Fusion 2.4 GHz lighting systems)

• Air conditioning duct-work

• Other radio equipment

• Microwave ovens

• Other WLAN equipment

A site survey should be performed to ensure that the required data rates are supported in all the required areas, despite the environmental variables mentioned above.

The site survey should consider the three dimensional space occupied by the WLAN. For example a multi-story building WLAN with different subnets per floor might require a different RF configuration than the same building with a single WLAN subnet per building. In the multiple subnet instance, a client attempting to roam to a different AP on the same floor might acquire an AP from an adjacent floor. Switching APs in a multi-subnet environment changes the roaming activity from a seamless Layer 2 roam to a Layer 3 roam which in turn disrupts sessions and might require user intervention.


Chapter 3

WLAN Technology and Product Selection

This discussion focuses on technology and product assessment and selection in WLAN environments. The following sections are presented:

• WLAN Technology Selection Considerations, page 3-1

• Cisco WLAN RF Product Selection Considerations, page 3-11

WLAN Technology Selection Considerations

Selecting a wireless technology can be tricky. For example, wireless devices can adhere to different standards and might not be compatible with one another or with next-generation devices.

You must understand your environment’s requirements (and plans for future enhancements) when choosing a wireless technology. The sections in this chapter that address technology selection considerations are as follows:

• Competing WLAN Standards, page 3-1

• WLAN Capacity Considerations, page 3-2

• Data Rate Considerations, page 3-3

• Throughput Considerations, page 3-4

• Performance Considerations, page 3-5

• Range Considerations, page 3-7

• Technology Selection Summary, page 3-9

Competing WLAN Standards

Two standards dominate the WLAN marketplace:

• IEEE 802.11b—802.11b has been the industry standard for several years. Operating in the unlicensed portion of the 2.4 GHz radio frequency spectrum, it delivers a maximum data rate of 11 Mbps and boasts numerous strengths. 802.11b enjoys broad user acceptance and vendor support. Many vendors manufacture compatible devices, and this compatibility is assured through the Wi-Fi certification program. 802.11b technology has been deployed by thousands of enterprise organizations that typically find its speed and performance acceptable for their current applications.


Chapter 3 WLAN Technology and Product Selection: WLAN Technology Selection Considerations

• IEEE 802.11a—802.11a operates in the uncluttered 5 GHz radio frequency spectrum. With a maximum data rate of 54 Mbps, this standard offers a fivefold performance increase over the 802.11b standard. Therefore, it provides greater bandwidth for particularly demanding applications.

As mentioned in “IEEE 802.11 Standards” section on page 2-9, 802.11g is another related standard—one intended for networks with high performance requirements. The 802.11g standard has been in draft form since November 2001 and is likely to be finalized in 2003. 802.11g will deliver the same 54 Mbps maximum data rate as 802.11a, yet it offers an additional and compelling advantage—backward compatibility with 802.11b equipment. This means that 802.11b client cards will work with 802.11g APs, and 802.11g client cards will work with 802.11b APs. Because 802.11g and 802.11b operate in the same 2.4 GHz unlicensed band, migrating to 802.11g will be an affordable choice for organizations with existing 802.11b wireless infrastructures. It should be noted that 802.11b products cannot be software upgraded to 802.11g because 802.11g radios will use a different chipset than 802.11b in order to deliver the higher data rate. However, much like Ethernet and Fast Ethernet, 802.11g products can be combined with 802.11b products in the same network. Because 802.11g operates in the same unlicensed band as 802.11b, it shares the same three channels, which can limit wireless capacity and scalability.

So, which standard should an organization select? Each has its strengths. The greatest strength of the 802.11b standard is its widespread acceptance and broad product availability, although bandwidth is limited. In comparison, the 802.11a standard has the capability to drive the high-bandwidth applications that will characterize the future WLAN. 802.11a also supports more channels (no overlapping channels)—making the RF deployment more flexible.

Fortunately, organizations do not need to choose between technologies when considering a WLAN infrastructure. The Cisco Aironet 1200 Series gives wireless implementers the option of deploying both. This wireless AP delivers:

• Flexibility—The Cisco Aironet 1200 Series is dual-band, meaning that it can concurrently support WLANs based on both the 5 GHz 802.11a and 2.4 GHz 802.11b standards.

• Scalability and Investment Protection—The Cisco Aironet 1200 Series ensures that an organization’s wireless network remains backward and forward compatible, with the capability to grow both in terms of users and deployed applications.

• Ease-of-Use and Manageability—The Cisco Aironet 1200 Series is field upgradable. Organizations can choose to deploy 2.4 GHz technology, 5 GHz technology, or a mixture of the two. The product also integrates seamlessly with the robust Cisco security and management infrastructure.

The Cisco Aironet 1200 Series delivers a seamless migration path for WLANs. It allows organizations to upgrade today to robust wireless technology, while ensuring that their investments remain usable and valuable far into the future.

WLAN Capacity Considerations

The 802.11a standard provides a substantial potential capacity improvement for a WLAN compared with 802.11b-based WLAN implementations. The 5 GHz band provides more than three times as much spectrum as the 2.4 GHz band. One key advantage of an 802.11a deployment is greater flexibility for channel re-use; another is capacity. With a greater number of channels to select from, it is easier to deploy an enterprise WLAN. Interference in the network is reduced by avoiding two adjacent APs using the same frequency and by increasing the distance between APs on the same frequency (reducing co-channel interference). This matters because traffic from devices in overlapping cells set to the same channel results in mutual interference, thereby impeding performance.


The fact that 802.11b and 802.11g have just three channels in the 2.4 GHz band is a shortcoming that complicates deployments. With eight channels, 802.11a systems have an aggregate data rate of up to 432 Mbps (54 Mbps multiplied by eight channels) in a given area. In contrast, 802.11b devices have a maximum capacity of 33 Mbps (11 Mbps multiplied by three channels) in a given area. Therefore, organizations with large WLANs may opt for an 802.11a deployment, which provides far greater performance on a per-cell basis.

Given the difference in operating frequencies, 802.11b and 802.11a can coexist within the same environment, allowing users to move from one to the other by switching clients or by using a dual-band client (which combines both radios in a single client). This approach becomes more flexible with dual-band Cisco APs. An enterprise must conduct comprehensive site surveys for each technology to guarantee adequate network coverage. Each frequency has different signal strength, interference, and reflection characteristics, and each implementation must be optimized for its own requirements.

Data Rate Considerations

Note For additional related information, please refer to the “WLAN Data Rates Required” section on page 2-13.

Data rates affect cell size. Lower data rates (such as 1 Mbps) extend further from the AP than higher data rates (such as 54 Mbps). This is illustrated in Figure 3-1. Hence the data rate (and power level) affects cell coverage, and consequently the number of APs required.

In general, there are pools of coverage at each data rate. What is considered an acceptable data rate ultimately depends upon how much bandwidth is required for the application that you want to run at a particular location. Be sure to survey users for the minimum data rate required.

Note The Cisco Aironet Site Survey Utility surveys at a given data rate and does not rate shift.

APs offer clients multiple data rates for the wireless link. For 802.11b, the range is from 1-to-11 Mbps in four increments: 1, 2, 5.5 and 11 Mbps, while for 802.11a the range is 6-to-54 Mbps in increments of 6, 9, 12, 18, 24, 36, 48 and 54 Mbps. Because data rates affect range, selecting data rates during the design stage is extremely important.

The client cards automatically switch to the fastest possible rate of the AP; how this is done varies from vendor to vendor. Because each data rate has a unique cell of coverage (the higher the data rate, the smaller the cell), the minimum data rate must be determined at the design stage. Cell sizes at given data rates can be thought of as nested concentric circles. See Figure 3-1. Selecting only the highest data rate requires a greater number of APs to cover a given area; therefore care must be taken to develop a compromise between the required aggregate data rate and overall system cost.

With the (dual band) Cisco AP 1200, careful design can yield an aggregate data rate of 64 Mbps (54 Mbps plus 11 Mbps) per AP with room to grow to 108 Mbps when 802.11g is available.


Figure 3-1 802.11a Data Rates

Throughput Considerations

Note For related information, please refer to the “Client Density and Throughput Requirements” section on page 2-16.

Data rate is often confused with aggregate data throughput. Aggregate throughput takes into account the overhead associated with the protocol frame structure, collisions, and the implementation processing delays of frames handled by clients and APs. Protocol overhead includes RTS, CTS and ACK frames, beacon periods, backoff periods, and propagation delays.

10 Mbps Ethernet can be faster than 11 Mbps Wi-Fi. The overhead associated with the 802.11b standard exceeds the overhead for 802.3 Ethernet, resulting in better throughput for 10 Mbps Ethernet than 11 Mbps Wi-Fi.

An important purchasing consideration for any networking technology is the amount of bandwidth, data rate, or throughput, it provides to each network user, and how well that throughput can support the applications running on the network.

For clarity, data rate means the amount of data that can be sent from one node on the wireless network to another within a given timeframe. The difference between data rate and throughput is the difference between the raw bits that travel from one node to another and the bits representing the message content. This difference is determined by a number of factors, including the latency inherent in the PHY components of the radio, the overhead and acknowledgement information that accompany every transmission, and pauses between transmissions. A comparison table of the wireless networks at hand and several wired benchmarks is shown in Table 3-1.

[Figure 3-1 labels (5 GHz, 40 mW): 60' @ 54 Mbps, 80' @ 48 Mbps, 100' @ 36 Mbps, 120' @ 24 Mbps, 130' @ 18 Mbps, 140' @ 12 Mbps, 150' @ 9 Mbps, 170' @ 6 Mbps]


802.11b offers an 11 Mbps data rate, which translates into approximately 5-to-7 Mbps of actual message throughput (per AP). This amount is shared among all network users accessing it at the same time, and is managed through a Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) technique modeled on its Ethernet wired equivalent. As most network traffic is bursty, and only a few users are on the network simultaneously, Wi-Fi network users generally experience very good connectivity speeds.
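The overhead arithmetic described above (DIFS, backoff, data frame, SIFS, ACK, optional RTS/CTS) can be made concrete with a small model of one 802.11b DCF exchange, which reproduces the 5-to-7 Mbps figure for an 11 Mbps link and sets it beside the same calculation for 10 Mbps Ethernet. This is an added example, not from the design guide; it assumes a single station with no collisions, a mean backoff of CWmin/2 slots, control frames at the 1 Mbps basic rate, and the standard 802.11b long-preamble timing.

```python
"""Back-of-the-envelope 802.11b DCF throughput model (added example).

Assumptions (not from the design guide): a single station talking to an
AP, no collisions or retransmissions, the average contention backoff is
CWmin/2 slots, and the IEEE 802.11b long PLCP preamble is used. The
timing constants are the standard 802.11b/DSSS values.
"""

# 802.11b (DSSS) MAC/PHY timing, microseconds
SLOT_US = 20
SIFS_US = 10
DIFS_US = SIFS_US + 2 * SLOT_US          # 50 us
PLCP_LONG_US = 192                       # long preamble + PLCP header
PLCP_SHORT_US = 96                       # short preamble + PLCP header
CW_MIN = 31                              # initial contention window (slots)

# Frame sizes, bytes
MAC_HDR_FCS = 28                         # 24-byte data header + 4-byte FCS
ACK_BYTES = 14
RTS_BYTES = 20
CTS_BYTES = 14


def _air_time_us(nbytes, rate_mbps, plcp_us):
    """Time to send one frame: PLCP preamble/header plus payload bits."""
    return plcp_us + (nbytes * 8) / rate_mbps


def dcf_throughput_mbps(payload_bytes=1500, data_rate_mbps=11.0,
                        ctrl_rate_mbps=1.0, rts_cts=False,
                        short_preamble=False):
    """Goodput (Mbps of MSDU payload) for one unidirectional DCF flow.

    Each data frame costs: DIFS + mean backoff + DATA + SIFS + ACK,
    and optionally RTS + SIFS + CTS + SIFS in front of the DATA frame.
    Control frames (RTS/CTS/ACK) go at the basic rate, here 1 Mbps.
    """
    plcp = PLCP_SHORT_US if short_preamble else PLCP_LONG_US
    mean_backoff = (CW_MIN / 2.0) * SLOT_US
    data = _air_time_us(payload_bytes + MAC_HDR_FCS, data_rate_mbps, plcp)
    ack = _air_time_us(ACK_BYTES, ctrl_rate_mbps, plcp)
    cycle = DIFS_US + mean_backoff + data + SIFS_US + ack
    if rts_cts:
        rts = _air_time_us(RTS_BYTES, ctrl_rate_mbps, plcp)
        cts = _air_time_us(CTS_BYTES, ctrl_rate_mbps, plcp)
        cycle += rts + SIFS_US + cts + SIFS_US
    return (payload_bytes * 8) / cycle      # bits per microsecond == Mbps


def ethernet_throughput_mbps(payload_bytes=1500, rate_mbps=10.0):
    """Goodput of a 10 Mbps Ethernet link with no collisions:
    8-byte preamble/SFD + 18-byte header/FCS + 12-byte inter-frame gap."""
    wire_bytes = 8 + 18 + payload_bytes + 12
    return (payload_bytes * 8) / ((wire_bytes * 8) / rate_mbps)


if __name__ == "__main__":
    # 1500-byte frames: about 6.1 Mbps for 802.11b at 11 Mbps (inside the
    # guide's 5-to-7 Mbps band) versus about 9.8 Mbps for 10 Mbps Ethernet.
    wifi = dcf_throughput_mbps()
    wifi_rts = dcf_throughput_mbps(rts_cts=True)
    eth = ethernet_throughput_mbps()
    print(f"802.11b @ 11 Mbps, 1500-byte frames : {wifi:.2f} Mbps goodput")
    print(f"802.11b @ 11 Mbps with RTS/CTS      : {wifi_rts:.2f} Mbps goodput")
    print(f"10 Mbps Ethernet, 1500-byte frames  : {eth:.2f} Mbps goodput")
```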

Using OFDM and 64-QAM (64-level quadrature amplitude modulation), 802.11a and 802.11g will provide similar data rate levels. However, because 802.11g must be backward compatible with 802.11b, 802.11g incurs more overhead associated with the header information of 802.11b. As a result, 802.11g might not achieve full parity with the throughput possible with 802.11a.

With 802.11a, there is a maximum data rate of 54 Mbps which can support high-bandwidth applications such as CAD-CAM, streaming video, and converged voice/video/data. 802.11a and 802.11b nodes also share the bandwidth efficiently using CSMA/CA techniques. In 802.11b roughly 15-to-25 users can be supported per AP (at 11 Mbps). With 802.11a, more users can be supported per AP (at 54 Mbps) as more bandwidth is available. The smaller cell size makes an increase in users unlikely. The normal impact would be an increase in bandwidth available per user.

802.11b can be used by implementers who have a large installed base of APs, are transaction intensive, have many roaming users to other 802.11b APs, or are cost sensitive.

802.11a can also be used by implementers requiring the higher throughput for the applications listed above, have a small installed base of 802.11b (as 802.11b and 802.11a are not compatible), or are concerned about interference. Interference issues are discussed in detail in the next section.

Quality of Service (QoS) enhancements to the 802.11 MAC under development within 802.11e will enhance the ability of 802.11b, 802.11a, and 802.11g to deliver new types of time-critical data, in addition to their traditional data packets (QoS capabilities are typically associated with IP-based telephony/voice implementations). The IEEE 802.11e Task Group recommendations will become commonly available to both the 2.4 GHz and 5 GHz solutions simultaneously, and most subsequently released 802.11 networks will then be able to support them. The higher bandwidth 802.11g and 802.11a standards will support QoS more effectively than 802.11b, mainly because of higher bandwidth, but also because more unlicensed spectrum will be available to 5 GHz radios. This allows 5 GHz networks to allocate a certain number of networks to voice only, and others to data.

Table 3-1 Throughput at Maximum Data Rates

Technology       Data Rate   Average Throughput
802.11b          11 Mbps     5-to-7 Mbps
802.11a          54 Mbps     22-to-31 Mbps
802.11g (OFDM)   54 Mbps     TBD

Performance Considerations

While unlicensed spectrum is very attractive (as there is no licensing fee to use it), implementers must factor in the potential performance degradation associated with ambient interference. 802.11a operates in unlicensed bands in exactly the same way as 802.11b and earlier 900 MHz systems operate in unlicensed bands. That is, there are no restrictions on the types of devices that operate in these bands provided that they all conform to a common set of rules. The 900 MHz portion of the spectrum was initially used by WLANs and then, far more commonly, by cordless telephones. Although these devices all complied with applicable regulations, they acted upon each other as interferers, mutually degrading performance and usability. The WLAN industry essentially abandoned the 900 MHz band and migrated to the 2.4 GHz band. Initially, the WLAN industry had this band to itself (with the exception of microwave oven RF emissions). Eventually, however, the band became more crowded with an increasing number of products, including Bluetooth devices and 2.4 GHz cordless telephones. The attractiveness of the 2.4 GHz band to manufacturers, license-free operation on an international scale and the resulting worldwide marketability of 2.4 GHz devices, leads to a central problem for the 2.4 GHz band—overcrowding.

This in turn leads to a principal advantage of 802.11a: because it operates in the pristine 5 GHz band, it is (as of now) immune to interference from other devices. 802.11a products themselves are relatively few in number, Bluetooth operates in the 2.4 GHz band, and very few 5 GHz cordless telephones are available in the market. The point is that today the 5 GHz band is relatively clean, but there are no restrictions on this band that do not apply equally to 900 MHz and 2.4 GHz. Over time, the 5 GHz band might become equally crowded with interference-causing devices.

As the 2.4 GHz band is unlicensed, it is available for anyone to use—within limits of maximum Effective Isotropic Radiated Power (EIRP). WLAN interference can come from a number of sources. The main sources are as follows:

• Microwave Ovens—The magnetron in household and commercial microwave ovens operates over tens of megahertz in the 2.4-to-2.483 GHz band. While microwave ovens operate at about 700-to-1000 W, the maximum allowed radiated power (EIRP) for WLAN devices is between 0.1 and 4 W. WLAN equipment such as APs should not be located near microwave ovens.

• Co-channel Interference—Interference can come from radios in adjacent cells on the same frequency. Effective site surveying and WLAN cell planning should minimize the effect of this interference. As WLANs become more prevalent, interference from sources outside enterprise control may become more of an issue, such as in multiple-tenancy situations (shopping centers, apartment blocks, and the like). Proper planning of the channel frequency per cell and careful layout of the APs can minimize the interference.

• Bluetooth—Bluetooth is a Wireless Personal Area Network technology sharing the same 2.4 GHz spectrum as 802.11b. Bluetooth uses FHSS and is a shorter range and lower bandwidth technology than 802.11b. FHSS systems use frequently changing, narrow bands over all channels. It is important to manage the concurrent operation of 802.11b WLANs and Bluetooth within the enterprise. Task Group 2 of the IEEE 802.15 Working Group is looking at the coexistence issues of IEEE 802.11b WLANs and Bluetooth. Multiple companies have researched the issue and concluded that if the two technologies are separated by two meters or more, there is no significant interference.

• 2.4 GHz Cordless Telephones—Some of the newer household and office cordless telephones operate in the 2.4 GHz range (DSSS and FHSS). Depending on the conditions and the manufacturer, degradation to the WLAN can vary from unnoticeable to a total loss of association between the client and the AP. Interference from the WLAN can also impact the voice quality. Users are encouraged to use 900 MHz cordless phones in instances where they must coexist with WLANs. If this is not possible, separate the AP from the phone base station as far as possible and perform some rudimentary degradation tests. Note that DSSS cordless phones are more likely to cause degradation than FHSS types.

• Shared Internet Access—Wireless local loop (WLL) and systems like Metricom-Ricochet (again coming back into the market) and T-Mobile also use the same band, so they can be a source of interference. Interference can also come from other systems such as neighboring DSSS and FHSS WLAN networks.


Range Considerations

Table 3-2 provides a comparison of the relative data rates and ranges associated with 802.11a and 802.11b WLANs. These are typical maximum ranges, but range varies (normally downward) depending upon the environment. As more obstructions are encountered (such as a metallic building structure) range is reduced.

Figure 3-2 on page 3-8 illustrates the coverage area of an 802.11b AP at a maximum bit rate of 11 Mbps, overlaid with 802.11a APs at a maximum bit rate of 54 Mbps. This comparison shows the impact of the different ranges of 802.11b and 802.11a. Ten 802.11a APs are required to cover a similar area as the one 802.11b AP.

Coverage range alone is not the whole story. A comparison of the capacity of the 802.11a coverage and the 802.11b coverage shows the 802.11b capacity at 11 Mbps, while the capacity of the 802.11a solution is 540 Mbps. This difference represents a potential gain of approximately 49 times.

In summary, more 802.11a APs are required to support a given area in comparison to 802.11b APs, but the capacity of the 802.11a network is significantly greater.

Table 3-2 Comparison of Bit-Rate and Range for 802.11a and 802.11b

Bit Rate (Mbps)   Range for 802.11b (feet)   Range for 802.11a (feet)
1                 350                        -
2                 250                        -
5.5               180                        -
6                 -                          170
9                 -                          150
11                140                        -
12                -                          140
18                -                          130
24                -                          120
36                -                          100
48                -                          80
54                -                          60


Figure 3-2 Difference in Coverage between 802.11a and 802.11b

Signal Propagation

A 5 GHz wave is about half the length of a 2.4 GHz wave. These shorter waves tend to pass through water rather than be captured by it. The human body is over 95 percent water. So, in areas with a high density of people, such as a stock trading floor, devices like 802.11a WLANs that operate at 5 GHz may have an advantage in signal propagation and resulting range over devices like 802.11b WLANs that operate at 2.4 GHz. The relatively shorter 5 GHz wave that provides the advantage outlined above also leads to a principal disadvantage of 802.11a relative to 802.11b. In particular, 5 GHz waves are more vulnerable to absorption by building materials, such as drywall and concrete.

Antenna Considerations

Antenna options vary greatly for 5 GHz and 2.4 GHz devices. Currently, regulations mandate that antennae must be integral to some 5 GHz transmitting devices. Therefore, vendors can only sell 802.11a devices with antennae that are attached to—and not removable from—the device itself. On the other hand, organizations can select from a wide variety of antenna options for 2.4 GHz devices. These antennae may be attached to the transmitting device or can exist separately, attached via a cable. This antenna placement can seriously impact system installation and range. For instance, with a 2.4 GHz network, organizations have the option to securely locate APs out of sight and cable out to a remote antenna. They also have the ability to house the device in a protective enclosure, which can prolong its life. The antenna restrictions imposed upon 5 GHz devices remove these options. Therefore, installation might be more complicated, overall range might be reduced, and implementation costs might be higher.

[Figure 3-2 labels: 280' @ 11 Mbps (802.11b); 120' @ 54 Mbps (802.11a)]


Most of the vendors are making products that can operate in UNII-1 and UNII-2 bands either separately or simultaneously. When operating simultaneously, FCC regulations for fixed UNII-1 antennas apply to such products.

Assuming equivalent environments—and holding transmitter power, antenna gain, and data rates constant—2.4 GHz offers roughly double the range of 5 GHz. This is explained by the physics of radio wave propagation, which dictates that, all other things being equal, a higher frequency signal has a reduced range compared to a lower frequency signal.

Technology Selection Summary

In general, 2.4 GHz 802.11b technology has an advantage over 802.11a, primarily because 802.11b-compliant devices deliver a greater range than 802.11a technology (see Table 3-3, Table 3-4, and Figure 3-3). There are several reasons for this difference:

• A 2.4 GHz wave is about double the length of a 5 GHz wave.

• 5 GHz waves are more vulnerable to absorption by building materials, such as drywall and concrete.

• Regulations restrict the transmit power and antenna possibilities in the 5 GHz range.

• With reduced range, companies may have to deploy a greater number of 802.11a-compliant APs to cover a designated area, which can lead to higher hardware costs.

Combined, these factors favor 802.11b devices.

Implementers are allowed five times less power in the 5 GHz band (compared with 2.4 GHz implementations) and face more stringent Es/No requirements in 802.11a because of the higher data rate. Receiver sensitivity falls to –68 dBm at a 54 Mbps data rate, compared to -85 dBm at an 11 Mbps data rate, and there is simply more attenuation in the air in the 5 GHz spectrum. However, if you use standard Rubber Duck antennas (2.2 dBi) with 802.11b products and 6 dBi attached antennas with 802.11a products (and use similar data rates in 802.11a and 802.11b, such as 12 Mbps for 5 GHz and 11 Mbps for 2.4 GHz), range and throughput are similar. One contributing factor is that the antenna gain of the 802.11b client card is almost 0 dBi, whereas the antenna gain of the 802.11a CardBus card is 5 dBi. On the AP side, a 6 dBi antenna is used in the 5 GHz spectrum, compared to a 2.2 dBi antenna in 2.4 GHz. Above all, OFDM modulation copes with multipath more effectively.
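The range claims above (roughly half the range at double the frequency, all else equal, and similar range once the 802.11a link gets 6 dBi and 5 dBi antennas and a lower data rate) can be checked with a simple link budget. The following is an added example, not from the design guide; it assumes a log-distance path-loss model with a configurable exponent, channel centre frequencies of 2437 MHz and 5200 MHz, and an 802.11a receiver sensitivity of -82 dBm at 12 Mbps, which the guide does not state.

```python
"""Log-distance link-budget comparison for 802.11b vs 802.11a (added example).

Assumptions (not from the design guide): a log-distance path-loss model
PL(d) = FSPL(1 m) + 10 * n * log10(d), with n = 2.0 for free space and
n = 3.5 as an indoor setting; channel centre frequencies of 2437 MHz
(802.11b channel 6) and 5200 MHz (802.11a channel 40); and an assumed
802.11a receiver sensitivity of -82 dBm at 12 Mbps (the guide gives only
the -68 dBm at 54 Mbps and -85 dBm at 11 Mbps figures).
"""
import math


def dbm(milliwatts):
    """Convert a power in mW to dBm."""
    return 10 * math.log10(milliwatts)


def fspl_1m_db(freq_mhz):
    """Free-space path loss at 1 m: 20*log10(f_MHz) - 27.55 dB."""
    return 20 * math.log10(freq_mhz) - 27.55


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, sensitivity_dbm,
                freq_mhz, exponent=2.0):
    """Largest distance at which received power still meets sensitivity.

    Received power: Prx = Ptx + Gtx + Grx - PL(d). Solve Prx = S for d.
    """
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - sensitivity_dbm
    excess_db = budget_db - fspl_1m_db(freq_mhz)
    return 10 ** (excess_db / (10 * exponent))


def range_ratio_for_frequency(f_low_mhz, f_high_mhz, exponent=2.0):
    """Range at f_high divided by range at f_low, everything else equal."""
    high = max_range_m(0, 0, 0, -100, f_high_mhz, exponent)
    low = max_range_m(0, 0, 0, -100, f_low_mhz, exponent)
    return high / low


# Link parameters drawn from the guide's discussion (power, antenna gains,
# 54 Mbps and 11 Mbps sensitivities) plus the assumed 12 Mbps sensitivity.
LINKS = {
    # name: (tx mW, AP antenna dBi, client antenna dBi, sensitivity dBm, MHz)
    "802.11b 11 Mbps, 100 mW, 2.2 dBi rubber duck": (100, 2.2, 0.0, -85, 2437),
    "802.11a 54 Mbps, 40 mW, 6 dBi AP / 5 dBi card": (40, 6.0, 5.0, -68, 5200),
    "802.11a 12 Mbps, 40 mW, 6 dBi AP / 5 dBi card": (40, 6.0, 5.0, -82, 5200),
}


def compare_links(exponent=2.0):
    """Return {name: maximum range in metres} for every link in LINKS."""
    return {name: max_range_m(dbm(mw), gap, gcl, sens, f, exponent)
            for name, (mw, gap, gcl, sens, f) in LINKS.items()}


if __name__ == "__main__":
    # Doubling the frequency adds 6.02 dB of path loss, which halves the
    # free-space range: this is the guide's "roughly double the range".
    print("Doubling frequency, all else equal, scales range by "
          f"{range_ratio_for_frequency(2400, 4800):.2f} (free space)")
    # The 17 dB sensitivity gap and 4 dB power gap against 802.11a are
    # partly paid back by its 8.8 dB extra antenna gain; dropping to
    # 12 Mbps closes most of the remaining difference.
    for n in (2.0, 3.5):
        print(f"\nPath-loss exponent n = {n}")
        for name, r in compare_links(n).items():
            print(f"  {name:48s} {r:8.0f} m")
```

The absolute distances are free-space figures and far exceed the guide's indoor tables; the point of the model is the relative ranking of the three links, which holds for any path-loss exponent.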

Table 3-3 Typical Values of Ranges for 802.11b with Rubber Duck Antenna

Data Rate (Mbps)   Indoor Range (feet)   Outdoor Range (feet)
1                  350                   2000
11                 150                   800

Table 3-4 Typical Values of Ranges for 802.11a with Omni Antenna

Data Rate (Mbps)   Indoor Range (feet)   Outdoor Range (feet)
6.0                170                   1000
18.0               130                   600
54.0               60                    100


Figure 3-3 Range Comparisons for 802.11a and 802.11b with Cisco AP

802.11g will use the same band as 802.11b, so the same 802.11b regulations apply. Although the draft is still under development and no product is yet available, 802.11g will not have better range than 802.11b, because of the higher Es/No requirements associated with its inherently higher data rates.

Organizations must weigh each factor when selecting a wireless technology. In some cases, sheer performance and capacity favor the 802.11a standard implementation. In other cases, vendor support, range and implementation advantages lead to a selection of 802.11b technology. The decision depends on the organization’s type of activity, mission, and plans for the future—while weighing cost and function requirements.

These competing wireless standards leave many companies wondering which wireless technology to embrace. The Cisco Aironet 1200 Series eliminates this concern. The dual-band design supports both established and emerging wireless standards, letting companies implement WLANs without compromise. With the Cisco Aironet 1200 Series, organizations are assured that they will have the right technology both for today and far into the future.

[Figure 3-3 labels: 5 GHz / 40 mW: 60' @ 54 Mbps, 80' @ 48 Mbps, 100' @ 36 Mbps, 120' @ 24 Mbps, 130' @ 18 Mbps, 140' @ 12 Mbps, 150' @ 9 Mbps, 170' @ 6 Mbps; 2.4 GHz / 100 mW: 350' @ 1 Mbps, 250' @ 2 Mbps, 180' @ 5.5 Mbps, 140' @ 11 Mbps]


Chapter 3 WLAN Technology and Product Selection: Cisco WLAN RF Product Selection Considerations

Cisco WLAN RF Product Selection Considerations

The Cisco Aironet WLAN suite consists of a number of products designed for a variety of WLAN applications. This section presents summaries of the following Cisco WLAN product types:

• Access Points, page 3-11

• Client Adapters, page 3-12

• Workgroup Bridges, page 3-13

• Wireless Bridges, page 3-14

Note The Cisco Aironet WLAN portfolio is constantly changing. Please refer to the Cisco Product Catalog for up-to-date information.

The different products can be seen on the Wireless Network Business Unit web site:

• http://www.cisco.com/en/US/products/hw/wireless/index.htmll

Access Points

An access point (AP) is typically the center point in a wireless network and the connection point between a wired and wireless network. Multiple APs can be placed throughout an area to provide freedom of movement to users equipped with WLAN client adapters.

Cisco Aironet Series APs offer state-of-the-art features that are convenient in a range of deployment scenarios. Key features are:

• 100 mW 802.11b radio with configurable transmit power (1, 5, 20, 30, 50, and 100 mW).

• 40 mW 802.11a radio with configurable transmit power (40, 30, 20, 20, 10, 5 mW).

• Auto selecting or configurable data rates.

• Supports inline power over Ethernet and standard power (a power injector module is supplied as standard for cases where inline power is not available). Cisco APs currently use the Cisco Power Discovery method (802.3af is not yet a standard). Cisco intends to support both modes.

• Cisco 802.11a APs offer a unique 5 GHz articulating antenna incorporating high-gain, omni-directional, diversity antennas and hemispherical patch antennas to deliver two distinct coverage patterns depending on the antenna position.

• 802.11b diversity antenna options include either non-removable 2.2 dBi diversity dipoles (internal antennas) or remote antenna connections via two RP-TNC connectors.

• Diversity antennas for both the 2.4 GHz and 5 GHz radios ensure optimum performance in high-multipath environments such as offices, warehouses, and other indoor installations.

• Auto-sensing 10/100BaseT Ethernet connection.

• IEEE 802.1x based security architecture.

• Auto-roaming between APs within a single network (subnet or VLAN).

• World Mode—Enables clients to transparently roam to other countries with different channel frequencies and transmit power regulations.


Because the transmission medium is wireless, the security features in the Cisco Aironet Series APs provide support for the latest 802.1x security standards. In addition, the inherent upgradability of the Cisco Aironet Series AP facilitates adopting new wireless security standards as they become available (by upgrading the firmware or radios).

Note Please see the associated data sheets at http://www.cisco.com for specific product information.

Client Adapters

Client adapters connect to a variety of devices in a WLAN. Based on Direct Sequence Spread Spectrum (DSSS) technology and operating in the 2.4 GHz band, the Cisco Aironet 350 Series client adapters comply with the IEEE 802.11b standard—ensuring interoperability with all other compliant WLAN products. For 2.4 GHz 802.11b cards, two form factors are supported:

• PCMCIA for Notebook PCs and PDA—This is a standard PCMCIA product with attached end cap antenna.

• PCI for Desktop PCs—The PCI card has the standard Cisco Aironet RP-TNC connector and can be used with all of the Cisco Aironet external antennas.

802.11a Cardbus Client Card

The Cisco Aironet 5 GHz 54 Mbps WLAN client adapter is an IEEE 802.11a-compliant CardBus adapter that operates in the UNII-1 and UNII-2 bands. The client adapter complements the Cisco Aironet 1200 Series 802.11a AP, providing a solution that combines performance and mobility with the security and manageability that enterprises require. The integrated 5 dBi gain patch antenna optimizes range.

Note The 802.11a card bus has greater antenna gain (5 dBi) as compared to 0 dBi gain in 802.11b cards.

Enhanced Client Network Management Features with Extended Client Support

All Cisco wireless client adapters include the Cisco Aironet Client Utility (ACU), a tool with a graphical user interface for configuring, monitoring, and managing an adapter. The ACU includes site survey tools that produce detailed graphical information, including signal strength, to assist in the correct placement of APs. The ACU provides improved, quantifiable data—including signal-to-noise ratio measured in decibels (dB), and signal level and noise level measured in dBm (decibels relative to one milliwatt). Using the ACU, a user can create a profile of settings for each environment, such as the office or home, making it simple for telecommuters and business travelers to reconfigure the adapter when moving from one environment to another. A user can now configure channel selection, service set identifier (SSID), WEP key, and authentication method for these different locations.

A broad suite of device drivers provides support for all popular operating systems, including Windows 98, Windows 2000, Windows ME, Windows CE, Mac OS 9.x, Mac OS X, and Linux.


Workgroup Bridges

Workgroup bridges provide wired network connectivity to workgroups through a wireless network connection to a central site. The Cisco Aironet 350 Series Workgroup Bridge supports up to eight downstream devices—such as PCs, printers and notebook computers—through an Ethernet hub or switch connected to the Ethernet port. This is a MAC address limitation, so the workgroup can be extended beyond eight devices by placing a router between the workgroup bridge and the hub.

The workgroup bridge can peer wirelessly with either an AP or a wireless bridge. The workgroup bridge to wireless bridge configuration is applicable to outdoor point-to-point campus connections. The workgroup bridge to AP configuration is applicable to shorter range, multi-access solutions where the AP may peer with other workgroup bridges and client adapters.

The various applications of workgroup bridges are illustrated in Figure 3-4 and Figure 3-5.

Figure 3-4 Mobile Ethernet Enabled User

[Figure 3-4 diagram: Ethernet-enabled laptop, workgroup bridge, wireless access point, switch, wired network backbone, Internet]

Figure 3-5 Remote Workgroup

Wireless Bridges

Wireless bridges (or simply bridges) are used to wirelessly connect two networks (usually in different buildings). Refer to Figure 3-6. With appropriate selection of antennas and a clear line of sight, range can extend up to 25 miles at 11 Mbps. It should be noted that only bridges have this extended range capability. The extended range is achieved by operating outside the IEEE 802.11 timing specifications. APs (conforming to 802.11b) are limited to a one-mile range to any client, irrespective of transmit power, cable, and antenna combinations.

Cisco Aironet Bridges support a superset of AP functionality and can operate in either bridge or AP mode depending upon the requirement.

[Figure 3-5 diagram: wired network backbone, wireless access point, switch, server, point-of-sale register, PCs, laptops, printer, hub, workgroup bridge]

Figure 3-6 Typical Bridge Application Connecting Buildings Across a Campus or Metro Area

Note APs cannot be used to bridge two wired networks.


C H A P T E R 4

WLAN Security Considerations

As network administrators begin to deploy WLANs, they are faced with the challenge of trying to secure these environments while providing maximum flexibility for their users. This chapter provides details regarding deployment of the Cisco Secure Enterprise WLAN solution. It is divided into the following separate sections:

• Security Deployment Models, page 4-1

• Cisco WLAN Security Options and Recommendations, page 4-7

Security Deployment Models

The security model selected for a given WLAN implementation has a substantial impact on the overall WLAN design. Three enterprise-oriented WLAN Extension security models are presented in this design guide:

• WLAN LAN Extension 802.1x/EAP, page 4-2

• WLAN LAN Extension IPSec, page 4-3

• WLAN Static WEP Keys, page 4-5

The goal of a WLAN LAN Extension network is for the WLAN access network to transparently provide the same applications and services as the wired access network. Each WLAN Extension discussion that follows addresses the following types of transparency:

• Security Transparency—Do the selected security capabilities seamlessly provide WLAN network security equivalent to wired networks?

• Application Transparency—Are the supported WLAN network applications identical to applications on a wired network?

• Performance Transparency—Does the WLAN deliver application performance that matches wired network performance?

• User Transparency—Are users of the WLAN forced to perform network-specific operations to use the WLAN?


WLAN LAN Extension 802.1x/EAP

This discussion presents WLAN Extension 802.1x/EAP deployment in terms of the following key topics:

• Security Transparency, page 4-2

• Application Transparency, page 4-3

• Performance Transparency, page 4-3

• User Transparency, page 4-3

Security Transparency

An 802.1x/EAP implementation of WLAN LAN Extension operates at the link layer (Layer 2) to provide authentication, authorization, accounting, and encryption. Figure 4-1 shows a schematic of the 802.1x/EAP WLAN.

The security level provided is beyond that provided on most wired networks, providing link layer encryption and Authentication, Authorization, and Accounting (AAA) access control. This is provided as follows:

• Authentication occurs between the client and the authentication server. Several different EAP types (EAP-Cisco, EAP-TLS, EAP-TTLS, PEAP) are supported, allowing the Enterprise to choose the authentication type that best suits its needs.

• Encryption is at the link layer between the WLAN client and the AP. The current encryption mechanisms available are Wired Equivalent Privacy (WEP) and WEP plus TKIP and MIC. Future mechanisms include Wi-Fi Protected Access (WPA) and Advanced Encryption Standard (AES). The encryption keys are automatically derived during the authentication process.

• Authorization is controlled by the VLAN membership in combination with the access controls applied at the access router terminating the VLAN.

• Accounting is provided by the RADIUS accounting communicated by the APs to the RADIUS server.

Figure 4-1 WLAN LAN Extension 802.1x/EAP

[Figure 4-1 diagram: Enterprise network, 802.1x/EAP WLAN; labels: Encryption, Authentication, Authorization, Accounting]

Application Transparency

As illustrated in Figure 4-1, the WLAN connects at the access layer. Once the WLAN client traffic leaves the AP, it is the same as wired traffic—subject to the same access control, queuing, and routing. This achieves the WLAN LAN extension goal of supporting the same applications as the wired network. Any inability to run applications from the wired network over the WLAN network would be the result of policies or the fundamental limitations of the WLAN—not due to the 802.1x/EAP architecture.

Performance Transparency

WLAN has a lower bit rate and a lower throughput than most Enterprise wired LANs. Therefore providing equivalent performance for all applications over the WLAN can be a challenge. The strategy to minimize differences in application performance between the wired and wireless network is to utilize the QoS tools available on the WLAN and the APs. Those applications identified as being sensitive to network throughput and delay can be classified and scheduled as required. Load balancing and admission control tools on the WLAN can optimize the usage of the available WLAN resources.

User Transparency

The different EAP types in 802.1x/EAP allow enterprises to choose an authentication mechanism that best matches security requirements. This allows the integration of the 802.1x/EAP into existing user behavior. Many organizations enforce stronger authentication mechanisms on WLAN networks (compared to wired networks), due to reduced physical security in the WLAN. Authentication on the wired network is expected to catch up with WLAN networks, with organizations using 802.1x/EAP mechanisms to enhance wired network security.

WLAN LAN Extension IPSec

The use of IPSec VPN tunnels is an alternative to an 802.1x/EAP implementation. Network designers might choose this implementation over an 802.1x/EAP solution for security policy reasons. IPSec is a well-established standard that is endorsed by a number of security organizations. IPSec is a regulatory requirement in some situations.

The primary advantage of an IPSec-based VPN solution is the encryption mechanism. IPSec includes support of Triple Data Encryption Standard (3DES) and AES encryptions, whereas 802.1x/EAP currently relies upon WEP or proprietary WEP plus TKIP and MIC.

A WLAN LAN Extension IPSec solution is considered more difficult to implement than an 802.1x/EAP solution. The network topology up to the VPN concentrator is considered untrusted and an appropriate security policy must be created, configured, and maintained at all points that touch this untrusted network.

The remainder of this discussion presents WLAN Extension IPSec deployment in terms of the following topics:

• Security Transparency, page 4-4

• Application Transparency, page 4-4

• Performance Transparency, page 4-4

• User Transparency, page 4-5


Security Transparency

WLAN LAN Extension via IPSec provides AAA-equivalent features to 802.1x/EAP solutions. Refer to Figure 4-2. Key elements are as follows:

• Authentication occurs between the client and the VPN concentrator. Multiple authentication types are supported within the IPSec framework.

• Encryption is at the network layer using 3DES or AES, and is negotiated between the client and the VPN concentrator.

In addition to the inherent WLAN LAN Extension IPSec security features associated with this implementation, VPN capabilities provide additional AAA-related security capabilities:

• Authorization is controlled by the VPN concentrator and is determined at the time of authentication. Policy is provided by the authentication server.

• Accounting is provided by RADIUS accounting software on both the VPN concentrator and the authentication server.

Figure 4-2 WLAN LAN Extension IPSec

[Figure 4-2 diagram: Enterprise network, IPSec WLAN; labels: Authentication, Encryption, Authorization, Accounting]

Application Transparency

As can be seen in Figure 4-2, WLAN traffic is transported over an IPSec tunnel to the VPN concentrator. This can affect application transparency:

• Protocol Limitations—Only the IP protocol is supported; the network is not multi-protocol.

• Address Translation—The IPSec client performs a form of address translation between its local IP address and that allocated by the VPN concentrator. This can impact the operation of some applications.

• No Multicast—The connection to the VPN concentrator is point-to-point; multicast applications are not supported.

Performance Transparency

Providing equivalent performance for all applications over the WLAN can be a challenge, because a WLAN has a lower bit rate and a lower throughput than most Enterprise wired LANs. The use of IPSec VPN tunnels introduces some additional considerations:

• MTU size—The MTU size of packets must be adjusted to incorporate IPSec overhead.

• Processing Overhead—Clients incur processing overhead from IPSec VPN. However, this should not be noticeable on most target platforms.

• Traffic Classification and QoS Considerations—Type of Service (ToS) and differentiated-services-code-point (DSCP) values are projected from client packets into the IPSec packets. As a result, QoS preference can be acted upon, but no classification of traffic is possible while the traffic is IPSec encrypted.

• Traffic Scheduling—All queuing at the VPN concentrator is handled on a first-in-first-out basis.
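As an added example (not from the guide or the Cisco VPN client), the following Python calculation shows how much of the path MTU an ESP tunnel-mode SA consumes for the 3DES/AES and HMAC combinations named above, and the inner MTU and TCP MSS a WLAN client behind the concentrator should be limited to so that encrypted packets are not fragmented. Header sizes are the standard IPv4/ESP values; the NAT-T UDP encapsulation option is an assumption, not something the guide discusses.

```python
"""Added example, not Cisco code: ESP tunnel-mode overhead and the inner
MTU / TCP MSS that keeps IPSec-encapsulated WLAN traffic unfragmented."""
from dataclasses import dataclass

IPV4_HEADER = 20        # outer tunnel header, no options
ESP_HEADER = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2         # pad length (1) + next header (1)
UDP_HEADER = 8          # only with NAT-Traversal UDP encapsulation (assumption)
TCP_HEADER = 20

# cipher -> (IV length, cipher block size) for CBC mode
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# integrity -> ICV length; HMAC-MD5-96 and HMAC-SHA1-96 truncate to 96 bits
AUTHS = {"hmac-md5-96": 12, "hmac-sha1-96": 12}


@dataclass(frozen=True)
class EspSa:
    cipher: str
    auth: str
    nat_t: bool = False   # assumption: UDP-encapsulated ESP adds UDP_HEADER


def esp_packet_size(sa: EspSa, inner_len: int) -> int:
    """Size of the outer IPv4 datagram produced by tunnelling an inner IP
    packet of inner_len bytes through sa. The overhead is not constant:
    ESP pads (payload + 2 trailer bytes) up to a multiple of the block size."""
    iv_len, block = CIPHERS[sa.cipher]
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = (IPV4_HEADER + ESP_HEADER + iv_len
            + inner_len + pad + ESP_TRAILER + AUTHS[sa.auth])
    return size + UDP_HEADER if sa.nat_t else size


def max_inner_mtu(sa: EspSa, outer_mtu: int = 1500) -> int:
    """Largest inner packet whose ESP encapsulation still fits outer_mtu."""
    for inner in range(outer_mtu, 0, -1):   # step down until padding fits too
        if esp_packet_size(sa, inner) <= outer_mtu:
            return inner
    raise ValueError("outer MTU leaves no room for an inner packet")


def tcp_mss_clamp(sa: EspSa, outer_mtu: int = 1500) -> int:
    """TCP MSS to advertise or clamp for inner TCP sessions (IPv4, no options)."""
    return max_inner_mtu(sa, outer_mtu) - IPV4_HEADER - TCP_HEADER


def needs_fragmentation(sa: EspSa, inner_len: int, outer_mtu: int = 1500) -> bool:
    """True when an inner packet of this size would be fragmented after ESP."""
    return esp_packet_size(sa, inner_len) > outer_mtu


if __name__ == "__main__":
    for sa in (EspSa("3des-cbc", "hmac-sha1-96"), EspSa("aes-cbc", "hmac-sha1-96"),
               EspSa("3des-cbc", "hmac-sha1-96", nat_t=True)):
        # a full 1500-byte inner packet never fits; report the limits instead
        print(sa, "inner MTU", max_inner_mtu(sa), "TCP MSS", tcp_mss_clamp(sa),
              "1500-byte packet fragmented:", needs_fragmentation(sa, 1500))
```

The 3DES/HMAC-SHA1-96 case yields an inner MTU of 1446 bytes and a TCP MSS of 1406 on a 1500-byte path; AES-CBC needs a larger IV and 16-byte padding and so leaves only 1438.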

User Transparency

The Cisco IPSec VPN client has a number of features that aid user transparency, thereby providing equivalent services to those available with 802.1x/EAP solutions:

• Auto Initiation—The VPN client can be configured to automatically launch for particular address ranges. In an enterprise, this would be configured to launch within the Enterprise WLAN address ranges.

• OS Integration—The VPN client can capture username and password information at login and use these as part of the VPN client login. This is similar to the process used in EAP-Cisco. As an alternative, the VPN client can use stored certificates associated with a specific user, similar to EAP-TLS. These features coupled with Auto Initiation should provide a high level of user transparency.

WLAN Static WEP Keys

Static WEP key implementation (see Figure 4-3) is not recommended for general purpose WLAN LAN Extension networks because of known weaknesses in the WEP encryption algorithm—and because of the difficulty of configuring and maintaining static keys. Certain client devices are only capable of supporting static keys. These clients should be put on a separate WLAN VLAN and have their authorization limited to the addresses and protocols specific to the application supported by the Static WEP client. If possible, WEP plus TKIP and MIC should be used in preference to WEP, because WEP plus TKIP and MIC provides increased security features.

The remainder of this discussion presents WLAN Static WEP key deployment in terms of the following topics:

• Security Transparency, page 4-6

• Application Transparency, page 4-6

• Performance Transparency, page 4-6

• User Transparency, page 4-6


Figure 4-3 WLAN Static WEP

Security Transparency

Security issues related to static WEP key implementations:

• Weak Authentication—Any hardware device with a matching configuration and WEP key may join the network. The Static WEP key authenticates a group of devices—never individual users.

• Encryption Limitation—Encryption is at the link layer between the WLAN client and the AP. The current encryption mechanisms available are WEP and WEP plus TKIP and MIC. If possible WEP plus TKIP and MIC should be used.

• Authorization Limitation—Authorization is controlled by the VLAN membership associated with the static WEP key.

• Accounting—Not available.

Application Transparency

As illustrated in Figure 4-3 the WLAN connects at the access layer. Once the WLAN client traffic leaves the AP, it is the same as wired network traffic—subject to the same access control, queuing, and routing. WLAN Static WEP solutions should be limited to the specialized applications that the Static WEP client supports. The network would appear transparent to this application, but to all other applications access should be blocked.

Performance Transparency

To minimize differences in application performance between the wired and wireless network, utilize the QoS tools available on the WLAN and the APs. Those applications identified as being sensitive to network throughput and delay can be classified and scheduled as required. Load balancing and admission control tools on the WLAN can optimize the usage of the available WLAN resources.

User Transparency

Static WEP requires no authentication and should be transparent to the supported applications and users. The static WEP key only becomes an issue for the user if required to change it.

[Figure 4-3 diagram: Enterprise network, static WEP WLAN; labels: Encryption, Authorization]

Cisco WLAN Security Options and Recommendations

This section provides a high-level overview of Cisco’s various WLAN security options and presents recommendations for secure deployments in Enterprise networks. This overview of WLAN security options consists of the following sections:

• Understanding Overall Network Security, page 4-7

• Flexible WLAN Security using VLANs, page 4-7

• Headquarters/Campus WLAN Deployment, page 4-8

• Branch Office WLAN Deployment, page 4-12

• Additional Security Considerations, page 4-13

Understanding Overall Network Security

The key to understanding WLAN security is to understand the overall picture of the network to be secured. This discussion focuses on Enterprise security by addressing the following topics:

• “Flexible WLAN Security using VLANs” section on page 4-7

• “Headquarters/Campus WLAN Deployment” section on page 4-8

• “Branch Office WLAN Deployment” section on page 4-12

A WLAN can be looked at as another access technology in the overall network architecture. It integrates into the overall end-to-end Cisco AVVID architecture. In addition, Cisco’s WLAN architecture integrates into Cisco’s overall 802.1x/EAP Identity-Based Networking architecture.

Cisco’s WLAN security provides the following benefits:

• Flexible model allowing dynamic or static WEP key-management.

• 802.1x user authentication for networking devices. This model is also used for wired connectivity.

• Enhancements beyond the basic security model defined in 802.11. This includes user-based authentication, mutual-authentication, dynamic WEP-key rotation, and TKIP and MIC to prevent WEP key spoofing and hacking.

These features combine to provide Cisco with the most flexible WLAN security offering in the industry, allowing implementers to choose the architecture that best matches specific security requirements and deployed equipment.

Flexible WLAN Security using VLANs

Just as Cisco’s AVVID architecture provides enhanced QoS for VoIP using dedicated VLANs for voice and data, VLAN support on the APs and Catalyst Switches allows multiple WLAN security domains to be created. This allows multiple types of WLAN security to be mixed and matched on the same Cisco AVVID network infrastructure. Refer to Figure 4-4.


Figure 4-4 Using VLANS to Create Multiple WLAN Security Domains

[Figure 4-4 diagram: Cisco Secure ACS 3.1; user groups Teleworker, Guest or contractor, Developer, Human resources; VLAN 99 Open_Authentication, VLAN 10 PEAP_Authentication, VLAN 210 WEP_Authentication, VLAN 30 EAP-Cisco_Authentication]

In addition to VLANs having the flexibility to create multiple WLAN security domains for flexible deployments, they also allow flexible migrations from older WLAN security to updated standards or products. This is not only possible because of VLANs, but also because Cisco APs and Cisco Secure ACS support simultaneous WLAN security such as EAP-Cisco, EAP-TLS, PEAP and EAP-Subscriber Identity Module (EAP-SIM). In addition, Cisco Aironet 802.11 NICs support multiple types of WLAN security, including EAP-Cisco and PEAP.

Headquarters/Campus WLAN Deployment

The 802.11 standard specifies 40-bit WEP as the security mechanism for WLAN networks. Unfortunately, many independent security reports have proven that by itself, WEP’s security can be compromised. Because of this, several steps must be taken to allow a WLAN to be securely deployed.

The limitations of WEP include the following:

• WEP does not define a mechanism for dynamic key-management. This means that the WEP keys must be manually configured on each device and if a device is lost or stolen, all devices must be revisited to update the WEP key.

• WEP does not provide a mechanism to provide user-based authentication, only device-based. This means that the network authentication is based on the physical device, which could be stolen or lost.

• WEP does not define a mechanism to dynamically rotate the WEP keys. This means that if a WEP key is hacked or stolen, it can be used by a hacker to falsely authenticate with the network.

• WEP does not prevent man-in-the-middle or bit-flipping attacks. This means that a hacker could intercept data between two users and manipulate the content of that data.

• It has been demonstrated that a key can be derived by passively capturing and processing a sufficient number of WEP-encrypted packets.

To overcome these limitations, Cisco implemented WLAN security based on 802.1x and EAP Authentication. 802.1x provides a Layer 2 authentication mechanism and carries the user authentication that is passed with EAP. Refer to Figure 4-5.

Figure 4-5 WLAN Security based on 802.1x and EAP Authentication

[Figure 4-5 diagram: Cisco Secure ACS 3.1 reached through RADIUS EAP_Authentication; EAP carried over 802.1x on 802.11 for WLAN clients and over 802.1x on Ethernet for wired clients; label: Guest or contractor]

While Cisco’s APs and CiscoSecure ACS support multiple EAP authentication types [1], EAP-Cisco, EAP-TLS and PEAP are currently supported end-to-end when using Cisco Aironet or Partner NICs.

EAP-Cisco provides extensions to EAP to provide user-based authentication, mutual authentication and integration with Windows user-databases. EAP-Cisco is supported on all Cisco WLAN products, and is also licensed to several partners including Apple and Symbol.

PEAP and EAP-TLS are IETF drafts that have been proposed by Cisco, Microsoft and RSA (refer to http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-05.txt). PEAP provides a multi-vendor authentication mechanism that provides a superset of functionality beyond EAP-Cisco. It works with multiple vendors’ equipment, as well as multiple types of user-databases including Microsoft, LDAP, OTP, RADIUS and NDS. EAP-TLS uses certificate-based authentication (refer to http://www.ietf.org/rfc/rfc2486.txt?number=2486). EAP-TLS is a multi-vendor authentication mechanism that provides authentication based on user and server certificates, and effectively integrates into an existing networking scheme employing a Public-Key Infrastructure (PKI).

Note Not all OSs currently support 802.1x and EAP supplicants (clients). Support is currently available in Windows XP and will be available via Service Packs on other Windows OSs. With this in mind, Cisco recommends using EAP-Cisco or PEAP as the security mechanism for headquarters/campus WLAN deployments.

[1] EAP-SIM is also supported, but would not normally be used in Enterprise environments.

Beyond overcoming the limitations of WEP, network administrators must also be concerned with three issues in WLAN deployments in the campus:

• Providing integration with the rest of the wired network.

• Preventing rogue APs from being deployed in their network.

• Providing guest access to non-company users (such as contractors and vendors).

These issues are addressed by using 802.1x authentication. 802.1x authentication provides link-layer authentication of network devices, which is verified against a RADIUS server (Cisco Secure ACS). Figure 4-6 presents a generalized illustration of an ACS-based environment.

802.1x is available on Cisco Catalyst Switches. It allows ports on the Catalyst Switches to determine whether connected devices (such as PCs and IP phones) should gain access to the network based on their user credentials. 802.1x is also used between WLAN clients and Aironet APs to pass user-authentication information for EAP-Cisco. This use of 802.1x, EAP and RADIUS provides the integrated link-layer authentication that is the foundation for Identity-Based Networking and Secure WLAN deployments.

Figure 4-6 Cisco’s 802.1x/EAP Architecture for Wired and Wireless Networks

[Figure 4-6 diagram: Cisco ACS servers and Catalyst switches serving both wired and wireless access]

In addition to user authentication, 802.1x can be used as a mechanism to prevent rogue APs from being added into the network. Currently, Cisco Aironet APs do not support an 802.1x supplicant (802.1x client), but the expectation is that they would be deployed at a ratio of roughly one AP per 20 to 25 users. This means that the number of wired devices supporting 802.1x would be considerably greater than the number of APs deployed. With this in mind, 802.1x can be enabled on all Catalyst Switch ports except for those connected to Cisco Aironet APs. This will force all rogue APs to authenticate via 802.1x. They will fail, and the Catalyst Switch port will block access to the network. Refer to Figure 4-7.

Figure 4-7 Preventing Rogue APs using 802.1x on Cisco Catalyst Switches

[Figure 4-7 diagram: Catalyst switch with 802.1x pushed to the WLAN edge; 802.1x disabled only on authorized AP switch ports; rogue AP locked out after failed authentication; labels: Rogue AP, Authorized AP]

Finally, by combining the VLAN functionality and 802.1x authentication on the Cisco Catalyst Switches and Aironet APs, guest access can be provided to non-authorized users and devices. Some Catalyst Switches support only allow and deny, while others support allow, deny, guest, and VLAN selection based on the result of 802.1x authentication. The ability to change the VLAN of the switch port allows network administrators to designate certain VLANs for guest access (refer to Figure 4-8). This guest access can then be further filtered or firewalled to allow only Internet or other restricted network access to the specific users. Refer to Chapter 10, “WLAN Guest Network Access,” for more information about Guest Access WLANs.
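As an added example (not from the guide or from Catalyst switch software), the per-port decision logic this section describes, modelled in Python: 802.1x is enforced on every access port except the ports cabled to authorized APs, a device that is rejected or never speaks 802.1x is blocked, and on a switch that supports it an authenticated user is placed in the VLAN returned by ACS while a supplicant-less device is parked in a guest VLAN. The port inventory, the RADIUS reply and the events are constructed; the tunnel attribute values are the standard RFC 3580 ones.

```python
"""Added example, not Cisco code: the per-port 802.1x decision the chapter
describes, with a constructed port inventory, RADIUS reply and events."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional, Tuple


class Result(Enum):
    SUCCESS = "access-accept"          # ACS accepted the EAP exchange
    FAILURE = "access-reject"          # ACS rejected it
    NO_SUPPLICANT = "no-supplicant"    # EAPOL Request/Identity timed out


class Action(Enum):
    FORWARD = "forward"
    BLOCK = "block"
    GUEST = "guest-vlan"


@dataclass(frozen=True)
class Port:
    name: str
    default_vlan: int
    authorized_ap: bool = False   # 802.1x disabled only on these ports


@dataclass(frozen=True)
class Switch:
    guest_vlan: Optional[int] = None   # None: switch supports only allow/deny
    dynamic_vlan: bool = False         # can honour VLAN attributes from ACS


def vlan_from_radius(attrs: Dict[str, object]) -> Optional[int]:
    """VLAN assignment from RFC 3580 tunnel attributes in an Access-Accept:
    Tunnel-Type must be VLAN (13), Tunnel-Medium-Type IEEE-802 (6), and
    Tunnel-Private-Group-ID carries the VLAN ID as a string. Anything else
    is ignored, so a malformed reply falls back to the port's own VLAN."""
    if attrs.get("Tunnel-Type") != 13 or attrs.get("Tunnel-Medium-Type") != 6:
        return None
    group = str(attrs.get("Tunnel-Private-Group-ID", ""))
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)


def decide(switch: Switch, port: Port, result: Result,
           attrs: Optional[Dict[str, object]] = None) -> Tuple[Action, Optional[int]]:
    """Outcome for one device on one port: (action, VLAN the port is placed in)."""
    if port.authorized_ap:
        # AP uplink: 802.1x is not enforced here; the AP authenticates its own clients
        return Action.FORWARD, port.default_vlan
    if result is Result.SUCCESS:
        vlan = vlan_from_radius(attrs or {}) if switch.dynamic_vlan else None
        return Action.FORWARD, port.default_vlan if vlan is None else vlan
    if result is Result.NO_SUPPLICANT and switch.guest_vlan is not None:
        # supplicant-less device (guest laptop, or a rogue AP) gets restricted access only
        return Action.GUEST, switch.guest_vlan
    # Access-Reject, or no supplicant on an allow/deny-only switch: port blocked
    return Action.BLOCK, None


def unauthenticated_ports(switch: Switch, ports: Iterable[Port],
                          events: Iterable[Tuple[str, Result]]) -> List[str]:
    """Ports whose device never authenticated (blocked or parked in the guest
    VLAN): the first places to check for a rogue AP plugged into the wired LAN."""
    by_name = {p.name: p for p in ports}
    flagged = {name for name, result in events
               if decide(switch, by_name[name], result)[0] is not Action.FORWARD}
    return sorted(flagged)


if __name__ == "__main__":
    # constructed inventory: two user ports and one port cabled to a known AP
    inventory = [Port("Fa0/1", 10), Port("Fa0/2", 10), Port("Fa0/24", 10, authorized_ap=True)]
    campus = Switch(guest_vlan=99, dynamic_vlan=True)
    accept = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "30"}
    print(decide(campus, inventory[0], Result.SUCCESS, accept))   # -> (Action.FORWARD, 30)
    log = [("Fa0/1", Result.SUCCESS), ("Fa0/2", Result.NO_SUPPLICANT),
           ("Fa0/24", Result.NO_SUPPLICANT)]
    print(unauthenticated_ports(campus, inventory, log))          # -> ['Fa0/2']
```

Note the caveat the model makes visible: on a switch with a guest VLAN, a rogue AP without a supplicant is not blocked but lands in the guest VLAN, so that VLAN must be filtered as tightly as the text describes.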

Figure 4-8 Providing Guest Access using VLANs and 802.1x on Cisco Catalyst Switches and APs

[Figure 4-8 diagram: Cisco Secure ACS 3.1; user groups Guest or contractor, Developer, Human resources; VLAN 10 Engineering_VLAN, VLAN 210 Contractor_VLAN, VLAN 30 HR_VLAN]

Branch Office WLAN Deployment

Branch office WLAN deployments (see Figure 4-9) are an extension of the headquarters campus WLAN deployment. The WLAN security requirements for branch office implementations should match those of the headquarters campus:

• Dynamic WEP-key management and authentication via 802.1x and EAP-Cisco/PEAP

• 802.1x for rogue AP detection

• 802.1x and VLANs for guest access

Figure 4-9 Branch Office WLAN Deployments

[Figure 4-9 diagram: labels: Branch office, T1, MIP, IP, Core Backbone, V3PN-SP, Headquarters, IP Telephony/services]

The one additional consideration for the branch office implementation is determining whether the Cisco ACS servers should be deployed only at the central site or at remote sites. This determination should be made according to the WAN bandwidth (possibly affecting authentication response times), size of deployment (possibly affecting the scalability of branch offices and branch users with respect to a central ACS), and the administrative capabilities at the branch office.

Additional Security Considerations

This document has highlighted two concepts:

• VLANs allow multiple types of WLAN security to be deployed over a Cisco AVVID infrastructure.

• 802.1x, EAP-Cisco/PEAP and WEP plus TKIP and MIC combine to provide a secure environment for WLAN deployment with the foundation for moving to updated standards as they become available.

In addition to the recommendations for the headquarters campus and branch deployments discussed here, several other Cisco technologies can be used to enhance WLAN security. These include IPSec VPNs, firewalls, and intrusion detection systems (IDS). Refer to Figure 4-10.

Figure 4-10 Enhancing WLAN Security with IPSec VPNs, Firewalls and IDS

[Figure 4-10 diagram: corporate network, Cisco Secure ACS 3.1, VLAN 99 Open_Authentication, VLAN 12 WEP_Authentication, VPN 3000 concentrator, IPSec VPN tunnel, secured corporate network]

The Cisco SAFE architecture defines how VPNs, firewalls and IDS should be deployed for both wired and wireless networks. Refer to:

http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html

IPSec VPNs offer an enhancement for administrators who cannot obtain enough native security from the WLAN environment itself (for example, where open authentication or static WEP must be used). This might involve PC users launching the CiscoSecure VPN Client, or having all traffic from a VLAN placed into an IPSec VPN that is then routed outside of the corporate firewall or to a specific internal server application.

EAP Considerations for High Availability ACS Architecture

ACS redundancy and reliability are meant to address two issues:

• The ACS server should not represent a single point of failure

• A network failure should not impact a user’s ability to log on

The first issue is a good reason to replicate the ACS database to a secondary server, allowing for failover and maintenance. This redundancy configuration should be implemented in almost all cases.

The second issue concerns cases in which it is critical to be able to use the local WLAN even when a network failure prevents access to a remote ACS server. Whether this second use of replication is implemented depends on the application architecture of the enterprise. For example, if the applications that the users want to reach are also remote, little is to be gained by being able to use the WLAN.

The ACS Architecture

The ACS strategy must consider how the entire enterprise will be structured, rather than just the campus. A key consideration is the location of AAA databases. It is essential that—assuming a database that is distributed across the enterprise—the ACS strategy reflect an approach in which the elements of the ACS architecture are carefully analyzed, designed, and implemented for authentication systems associated with file services throughout the enterprise. This assessment should be the starting point for the ACS deployment strategy. In an ideal situation, the existing infrastructure can provide the usernames, passwords, and profiles to the ACS servers. The implementation of an ACS architecture-based infrastructure is currently limited to systems that store the password using MS-CHAP, such as Microsoft servers.

The main point to be aware of in this strategy is that the ACS model is a replication model, not a synchronization model. This model might conflict with the administration processes currently in place, as updates must be made on the root server, and administrators on this server have global rights.

Example Architecture

Figure 4-11 shows an example of what ACS architecture might look like. Campus A holds the authoritative ACS database server. This server is replicated to the other Enterprise ACS servers. APs communicate to the two local ACS servers.

Campus B—because of its size and distance from Campus A—has opted for another two ACS servers (thus providing its own backup). Campus C—being smaller and closer to Campus A—has opted to have only one server, and relies on Campus A for backup. The branch offices use the ACS servers that are the shortest network distance from them.


Figure 4-11 Example Enterprise ACS Architecture

[Figure 4-11 diagram: ACS servers at Campus A, Campus B, Campus C and the branch offices; replication between ACS servers; AP-ACS communication]

C H A P T E R 5

Wireless LAN VLANs

This chapter focuses on the implementation of virtual local area networks (VLANs) in the context of WLAN environments. The following sections summarize key WLAN VLAN considerations:

• VLAN Background, page 5-1

• Wireless VLAN Introduction, page 5-3

• Wireless VLANs—Detailed Feature Description, page 5-6

• Guidelines for Deploying Wireless VLANs, page 5-10

VLAN Background

VLANs define broadcast domains in a Layer-2 network. Legacy networks use routers to define broadcast domain boundaries. Layer-2 switches create broadcast domains based on the configuration of the switch. Switches are multi-port bridges that allow the creation of multiple broadcast domains. Each broadcast domain is a distinct virtual bridge within a switch.

VLANs have the same attributes as physical LANs, with the additional capability to group end stations into the same LAN segment regardless of their physical location. Figure 5-1 shows an example of three wired VLANs in logically defined networks.


Figure 5-1 Example Deployment of Wired VLANs

Single or multiple virtual bridges can be defined within a switch. Each virtual bridge created in the switch defines a new broadcast domain (VLAN). Switch interfaces assigned to VLANs manually are referred to as interface-based or static membership-based VLANs. This type of VLAN is often associated with IP subnetworks. For example, when all of the end stations in a particular IP subnet belong to the same VLAN, traffic cannot pass directly to another VLAN (between broadcast domains) within the switch or between two switches. Traffic between VLANs must be routed.

To interconnect two different VLANs, routers are used. These routers execute inter-VLAN routing or routing of traffic between VLANs. Broadcast traffic is then terminated and isolated by these Layer-3 devices (a router or Layer-3 Switch will not route broadcast traffic from one VLAN to another).

The two most common VLAN trunking protocols used on Cisco switches and routers are Inter-Switch Link (ISL) and IEEE 802.1Q. ISL (Cisco-proprietary protocol) and 802.1Q (IEEE standard) are encapsulation standards used to interconnect multiple switches and routers via trunking. For more information on these VLAN trunking protocols, please refer to the following URL:

http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:Trunking

[Figure 5-1: Switch 1, Switch 2 and Switch 3 on Floors 1 to 3, connected to a router over 802.1Q trunks; Engineering, HR and Marketing VLANs span the switches.]


Wireless VLAN Introduction

The concept of Layer-2 wired VLANs is extended to the WLAN with wireless VLANs. As with wired LANs, wireless VLANs define broadcast domains and segregate broadcast/multicast traffic between VLANs. When VLANs are not used, an IT administrator must install additional WLAN infrastructure to segment traffic between user groups or device groups. For example, to segment traffic between employee and guest VLANs, an IT administrator must install two APs at each location throughout an Enterprise WLAN network (as shown in Figure 5-2). However, with the use of wireless VLANs, one AP at each location can be used to provide access to both groups.

Figure 5-2 User Segmentation without Wireless VLANs

With VxWorks firmware release 12.00T or Cisco IOS firmware release 12.2.4-JA, an 802.1Q trunk can be terminated on an AP (AP 1200, AP 1100, AP 350, and AP 340) or on a bridge (BR 350), allowing access up to 16 wired VLANs. A unique Service Set Identifier (SSID) defines a wireless VLAN on the AP and the bridge. Each SSID is mapped to a VLAN-id on the wired side (default SSID-to-VLAN-id mapping).

Additionally, with WLANs, a per-VLAN security policy can be defined on the AP and on the bridge by the IT administrator. Refer to the “Configuration Parameters per VLAN” section on page 5-6 for additional information regarding per-VLAN security configuration.

Wireless VLAN Deployment Overview

Wireless VLAN deployments are different for indoor and outdoor environments. For indoor deployments (see Figure 5-3), the AP is generally configured to map several wired VLANs to the WLAN. For outdoor environments (please refer to Figure 5-4 on page 5-5), 802.1Q trunks are deployed between bridges, with each bridge terminating and extending an 802.1Q trunk and participating in the 802.1d-based spanning-tree protocol (STP) process.

Note For related information regarding spanning-tree design and implementation considerations please refer to the Cisco AVVID Network Infrastructure—Implementing 802.1w and 802.1s in Campus Networks SRND.

[Figure 5-2: two APs per location (AP_1A/AP_1B, AP_2A/AP_2B), one with SSID=Employee on VLAN 15 and one with SSID=Guest on VLAN 20, each connected separately to the Enterprise network.]


Figure 5-3 Indoor Wireless VLANs Deployment

In the indoor WLAN deployment scenario shown in Figure 5-3, four wireless VLANs are provisioned across the campus to provide WLAN access to full-time employees (segmented into Engineering, Marketing, and Human Resources user groups) and guests. Also, as shown in Table 5-1, each wireless VLAN is configured with an appropriate security policy and mapped to a wired VLAN. An IT administrator enforces the appropriate security policies within the wired network for these four different user groups.

An outdoor WLAN deployment scenario is shown in Figure 5-4. In this example, wireless trunking is used to connect the root bridge to the non-root bridges. The root and non-root bridges terminate the 802.1Q trunk and participate in the spanning-tree protocol (STP) process of bridging networks together.


[Figure 5-3: AP_1 and AP_2 with SSIDs Full-Time, Part-Time, Maintenance and Guest, connected to the Enterprise network over 802.1Q trunks (native VLAN=10); management VLAN (VLAN-id 10) with the RADIUS server.]

Table 5-1 Configuration for Wireless VLANs in Figure 5-3

SSID          VLAN-id   Security Policy
Engineering   14        802.1x with Dynamic WEP + TKIP
Marketing     24        802.1x with Dynamic WEP + TKIP
HR            34        802.1x with Dynamic WEP + TKIP
Guest         44        Open/no WEP


Figure 5-4 Outdoor Wireless VLANs deployment

[Figure 5-4: Bridge_1 (root) with SSID=VLAN_14 connected over 802.1Q trunks to Bridge_2 and Bridge_3 (non-root); Switch_1 and Switch_2 carry VLANs 11, 12 and 14 over 802.1Q trunks.]


Wireless VLANs—Detailed Feature Description

This section details the VLAN features available with VxWorks firmware release 12.00T and Cisco IOS firmware release 12.2.4-JA. With these releases, an 802.1Q trunk can be enabled between the AP/bridge and the wired infrastructure, allowing up to 16 wired VLANs to be extended to the WLAN. The discussion is split into the following sections:

• Configuration Parameters per VLAN, page 5-6

• Broadcast Domain Segmentation, page 5-7

• Native (Default) VLAN Configuration, page 5-7

• Primary (Guest) and Secondary SSIDs, page 5-8

• RADIUS-based VLAN Access Control, page 5-8

Configuration Parameters per VLAN

As discussed in the “Wireless VLAN Introduction” section on page 5-3, a per-VLAN security policy can be defined on the AP to allow the IT administrator to define appropriate restrictions per VLAN. The following parameters are configurable on the SSID (wireless VLAN):

• SSID Name—Configures a unique name per wireless VLAN.

• Default VLAN ID—Default VLAN-ID mapping on the wired-side.

• Authentication Types—Open, Shared, and Network-EAP types.

• Media Access Control (MAC) Authentication—Under Open, Shared, and Network-EAP.

• EAP Authentication—Under Open and Shared authentication types.

• Maximum Number of Associations—Ability to limit maximum number of WLAN clients per SSID.

The following parameters are configurable on the wired VLAN-side:

• Encryption Key—This is the key used for broadcast/multicast traffic segmentation per VLAN. It is also used for static WEP clients (for both unicast and multicast traffic). The IT administrator must define a unique encryption key per VLAN. This is discussed in more detail in the “Broadcast Domain Segmentation” section on page 5-7.

• Enhanced Message Integrity Check (MIC) Verification for WEP—Enables MIC per VLAN.

• Temporal Key Integrity Protocol (TKIP)—Enables per-packet key hashing per VLAN.

• WEP (Broadcast) Key Rotation Interval—Enables Broadcast WEP key rotation per VLAN. This is only supported for wireless VLANs with 802.1x protocols enabled (such as EAP-Cisco, EAP-TLS, PEAP, EAP-SIM, and the like.)

• Default Policy Group—Applies a policy group (set of Layer-2, -3, and -4 filters) per VLAN. Each filter (within a policy group) is configurable to allow or deny certain types of traffic.

• Default Priority—Applies default CoS priority per VLAN.

With an encryption key configured, the VLAN supports standardized WEP. However, Cisco TKIP/MIC/Broadcast Key rotation features are optionally configurable as noted above. Table 5-2 lists the SSID and VLAN-ID configuration parameters.


Broadcast Domain Segmentation

All Layer-2 broadcast and multicast messages are propagated over the air. Thus, each WLAN client receives broadcast/multicast traffic belonging to different VLANs. This is different from wired VLAN broadcast/multicast traffic. A wired client receives Layer-2 broadcast/multicast traffic only for its own VLAN. Thus, a unique encryption (broadcast/multicast) key per VLAN is used to segment the Layer-2 broadcast domains on the WLAN. This unique encryption key must be configured during initial VLAN setup. If Broadcast Key rotation is enabled, this encryption key is generated dynamically and delivered to WLAN clients in 802.1x messages.

The requirement to segment broadcast domains on the wireless side restricts the use of unencrypted VLANs per WLAN Extended Service Set (ESS). A maximum of one VLAN can be unencrypted per WLAN ESS. Also, a WLAN client on an encrypted VLAN should discard unencrypted Layer-2 broadcast/multicast traffic.

Native (Default) VLAN Configuration

The AP’s (or the bridge’s) native VLAN (default VLAN) must be set to the native VLAN of the wired trunk. This allows the AP or bridge to receive and communicate using the Inter-Access Point Protocol (IAPP) with other APs or bridges in the same WLAN ESS. It is a requirement that all APs and bridges in an ESS use the same native VLAN-ID. All Telnet and Hypertext Transfer Protocol (HTTP) management traffic—as well as the RADIUS traffic—is routed to the AP via the native VLAN. Cisco recommends that IT managers restrict user access to the native/default VLAN of the APs and bridges with the use of Layer-3 access control lists (ACLs) and policies on the wired infrastructure side.

The IT administrator may or may not wish to map the native VLAN of the AP/bridge to an SSID (the WLAN ESS). Scenarios where the native VLAN should be mapped to an SSID include:

• An associated workgroup bridge is treated as an infrastructure device

• Connection of a root bridge to a non-root bridge

In the above scenarios, Cisco recommends configuring an Infrastructure SSID per AP or bridge.

Figure 5-5 illustrates the combined deployment of infrastructure devices (such as workgroup bridges, non-root bridges, and repeaters) along with non-infrastructure devices (such as WLAN clients) in an Enterprise WLAN. The native VLAN of the AP is mapped to the Infrastructure SSID. WEP encryption along with TKIP (at least per-packet key hashing) should be enabled for the Infrastructure SSID. Configuration of a secondary SSID as the Infrastructure SSID is also recommended. The concepts of primary and secondary SSIDs are explained in the next section.

Table 5-2 SSID and VLAN-ID Configuration Parameters

Parameter                               SSID Parameter   VLAN-ID Parameter
Authentication Types                    X
Maximum number of Associations          X
Encryption key (Broadcast Key)                           X
TKIP/MIC                                                 X
WEP (Broadcast) Key rotation Interval                    X
Policy Group                                             X
Default Priority (CoS mapping)                           X


Figure 5-5 Combined Deployment of Infrastructure and Non-Infrastructure Devices

[Figure 5-5: a root AP in the Enterprise network with SSID=Employee, SSID=Guest and SSID=Infrastructure (Infrastructure SSID: VLAN-id 10); a root bridge, a non-root bridge, a WGB/repeater and a branch office attach over 802.1Q trunks (native VLAN=10); management VLAN with the RADIUS server.]

Primary (Guest) and Secondary SSIDs

When enabling multiple wireless VLANs on the AP or bridge, multiple SSIDs are created, with each SSID mapping to a default VLAN-ID on the wired side. However, as per the 802.11 specifications, only one SSID can be broadcast in the beacons. The IT administrator defines a primary (Guest) SSID that is broadcast in the 802.11 beacon management frames. All other SSIDs are secondary SSIDs and are not broadcast in the 802.11 beacon management frames.

If a client or infrastructure device (such as a workgroup bridge) sends a probe request with a secondary SSID, the AP or bridge responds with a probe response carrying that secondary SSID.

An IT administrator can also map the primary SSID to the VLAN-ID on the wired infrastructure in different ways. For example, in an Enterprise rollout scenario, the primary SSID might be mapped to the unencrypted VLAN on the wired-side to provide Guest VLAN access.

RADIUS-based VLAN Access Control

As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator might wish to impose backend-based (such as RADIUS) VLAN access control using 802.1x or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1x and similar encryption mechanisms for WLAN user access, then a user can hop from one VLAN to another by simply changing the SSID and successfully authenticating to the AP (using 802.1x). This may not be preferred if the WLAN user is to be confined to a particular VLAN.

There are two different ways to implement RADIUS-based VLAN access control features:


• RADIUS-based SSID Access Control—Upon successful 802.1x or MAC address authentication, the RADIUS server passes back the allowed SSID-list for the WLAN user to the AP or bridge. If the user used an SSID on the allowed SSID-list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the AP or bridge.

• RADIUS-based VLAN Assignment—Upon successful 802.1x or MAC address authentication, the RADIUS server assigns the user to a pre-determined VLAN-ID on the wired side. The SSID used for WLAN access does not matter because the user is always assigned to this pre-determined VLAN-ID.

Figure 5-6 illustrates both RADIUS-based VLAN access control methods. Both Engineering and Marketing VLANs are configured to allow only 802.1x authentication (such as EAP-Cisco, EAP-TLS or PEAP). As shown in Figure 5-6, when John uses the Engineering SSID to gain access to the WLAN, the RADIUS server maps John to VLAN-ID 24. This might or might not be the default VLAN-ID mapping for the Engineering SSID. Using this method, a user is mapped to a fixed wired VLAN throughout an Enterprise network.

Figure 5-6 also illustrates an example of RADIUS-based SSID access control. David uses the Marketing SSID to gain access to the WLAN. However, the permitted SSID-list sent back by the RADIUS server indicates that David is only allowed access to the Engineering SSID. Upon receipt of this information, the AP disassociates David from the WLAN network. Using this method, a user is given access to only one or more pre-determined SSIDs throughout an Enterprise network.

Figure 5-6 RADIUS-based VLAN Access Control

RADIUS user attributes used for VLAN-ID assignment are:

• IETF 64 (Tunnel Type)—Set this to “VLAN”.

• IETF 65 (Tunnel Medium Type)—Set this to “802”.

• IETF 81 (Tunnel Private Group ID)—Set this to VLAN-ID.

RADIUS user attribute used for SSID access control is:

• Cisco IOS/PIX RADIUS Attribute, 009\001 cisco-av-pair

Example—Configure the above attribute to allow a user to access the WLAN using Engineering and Marketing SSIDs only:

– ssid=Engineering

– ssid=Marketing

[Figure 5-6: an AP/bridge with SSIDs Engineering, Marketing and Guest, trunked (802.1Q) to the Enterprise network; management VLAN with the RADIUS server. Exchanges shown: EAP-Request (user-id: John) answered by EAP-Success (user-id: John, VLAN-id=24); EAP-Request (user-id: David) answered by EAP-Success (user-id: David, SSID=Engineering), after which David is disassociated.]
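As an added example (not Cisco firmware code), the following Python models the AP-side decision for both RADIUS-based controls: it decodes the IETF 64/65/81 attributes with their RFC 2868 tag byte and the Cisco cisco-av-pair VSA from a constructed Access-Accept attribute list, then applies SSID access control and VLAN assignment to the John and David cases of Figure 5-6. The default SSID-to-VLAN-ID mapping and the attribute bytes are constructed for this example; only John's VLAN-ID 24 and David's permitted SSID come from the text.

```python
"""Model of the AP-side decision for RADIUS-based VLAN access control.

Added example, not Cisco firmware code. Attribute encodings follow RFC 2865
(Type/Length/Value, Vendor-Specific) and RFC 2868 (tagged tunnel attributes).
"""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
TUNNEL_TYPE_VLAN = 13      # RFC 2868 Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6      # RFC 2868 Tunnel-Medium-Type value "802"
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1          # vendor type of cisco-av-pair inside attribute 26

# Default SSID-to-VLAN-ID mapping configured on the AP. Constructed for this
# example; the text only says John's override (24) may differ from the default.
DEFAULT_SSID_VLAN = {"Engineering": 14, "Marketing": 34, "Guest": 44}


def attr(atype, value):
    """Encode one RADIUS attribute as Type (1 byte), Length (1 byte), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte big-endian value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def cisco_av_pair(text):
    """Vendor-Specific (26) carrying Vendor-Id 9, Vendor-Type 1 (cisco-av-pair)."""
    payload = text.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, len(payload) + 2) + payload
    return attr(VENDOR_SPECIFIC, vsa)


def parse_attributes(data):
    """Walk the TLV list; return (assigned VLAN-ID or None, set of allowed SSIDs)."""
    tunnel_type, tunnel_medium, group_id, allowed_ssids = {}, {}, {}, set()
    pos = 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        value = data[pos + 2:pos + alen]
        pos += alen
        if atype == TUNNEL_TYPE and len(value) == 4:
            tunnel_type[value[0]] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_MEDIUM and len(value) == 4:
            tunnel_medium[value[0]] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte above 0x1F is not a tag but part of the string.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            group_id[tag] = text.decode()
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AV_PAIR and vlen == len(value) - 4:
                text = value[6:].decode()
                if text.startswith("ssid="):
                    allowed_ssids.add(text[len("ssid="):])
    # Only honour a group ID whose tag is paired with Tunnel-Type=VLAN and Medium=802.
    vlan_id = None
    for tag, text in group_id.items():
        if tunnel_type.get(tag) == TUNNEL_TYPE_VLAN and tunnel_medium.get(tag) == TUNNEL_MEDIUM_802:
            vlan_id = int(text)
    return vlan_id, allowed_ssids


def ap_decision(ssid_used, accept_attrs):
    """Return ("associate", vlan_id) or ("disassociate", None) after a successful authentication."""
    assigned_vlan, allowed_ssids = parse_attributes(accept_attrs)
    # RADIUS-based SSID access control: an allowed-SSID list that omits the
    # SSID the user associated with results in disassociation.
    if allowed_ssids and ssid_used not in allowed_ssids:
        return "disassociate", None
    # RADIUS-based VLAN assignment overrides the SSID's default wired VLAN-ID.
    vlan_id = assigned_vlan if assigned_vlan is not None else DEFAULT_SSID_VLAN[ssid_used]
    return "associate", vlan_id


# Constructed Access-Accept attribute lists for the two users in Figure 5-6.
JOHN_ACCEPT = (attr(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN))
               + attr(TUNNEL_MEDIUM, tagged_int(1, TUNNEL_MEDIUM_802))
               + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"24"))
DAVID_ACCEPT = cisco_av_pair("ssid=Engineering")

if __name__ == "__main__":
    print(ap_decision("Engineering", JOHN_ACCEPT))   # ('associate', 24)
    print(ap_decision("Marketing", DAVID_ACCEPT))    # ('disassociate', None)
```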


Guidelines for Deploying Wireless VLANs

In order to properly deploy wireless VLANs, IT administrators should evaluate the need for deploying wireless VLANs in their own environment. Existing wired VLAN deployment rules and policies should also be reviewed. Existing wired VLAN policies can be used as the basis for wireless VLAN deployment policies.

This section is split into three discussions:

• Criteria for Wireless VLAN Deployment, page 5-10—Details selection criteria for wireless VLAN deployment.

• Wireless VLAN Deployment Example, page 5-11—Provides a deployment example and summarizes the rules for WLAN VLAN deployment.

• Summary of Rules for Wireless VLAN Deployment, page 5-13—Provides best-practices to use on the wired infrastructure when deploying wireless VLANs.

Criteria for Wireless VLAN Deployment

While the full criteria for each wireless VLAN deployment are likely to be unique, some standard criteria exist for most rollouts. These include:

• Common applications used by all WLAN users. The IT administrator should define:

– Wired network resources (such as servers) commonly accessed by WLAN users

– Quality of Service (QoS) level needed by each application [such as default class of service (CoS) or Voice CoS]

• Common devices used to access the WLAN. The IT administrator should define:

– Security mechanisms supported by each device type—Static WEP, MAC authentication, EAP authentication (such as EAP-Cisco, EAP-TLS, or PEAP), VPN, and the like

– Wired network resources (such as servers) commonly accessed by WLAN device groups

– QoS level needed by each device group (such as default CoS or Voice CoS)

• Revise the existing Wired VLAN deployment design guidelines:

– Existing policies for VLAN access (determine whether specific policies are implemented for different user groups)

– Localized wired VLANs with Layer-3 core or flat Layer-2 switched network

After the wireless VLAN deployment criteria are defined, the deployment strategy must be determined. Two standard deployment strategies are:

• Segmentation by User Groups—Segmentation of the WLAN user community and enforcement of specific security policies per user group. For example, three wired and wireless VLANs in an enterprise environment might be created for full-time employee, part-time employee, and guest access.

• Segmentation by Device Types—Segmentation of the WLAN to allow different devices with different security levels to access the WLAN. For example, it is not recommended to have handheld devices that support only 40/128-bit static-WEP co-exist with other WLAN client devices using 802.1x with dynamic WEP in the same VLAN. In this scenario, devices are grouped and isolated with different levels of security into separate VLANs.


Implementation criteria such as those listed below are then defined:

• Use of policy group (set of filters) to map wired policies to the wireless side.

• Use of 802.1x to control user access to VLANs using either RADIUS-based VLAN assignment or RADIUS-based SSID access control.

• Use of separate VLANs to implement different CoS.

Wireless VLAN Deployment Example

A wireless VLAN deployment example is outlined below. The IT administrator of company XYZ determines the need for WLANs in his network. Utilizing the guidelines described in the “Criteria for Wireless VLAN Deployment” section on page 5-10, his findings are as follows:

• Three different user groups are commonly present across Company XYZ: full-time employees, contract employees, and guests.

• Full-time and contract employees use company supplied PCs to access the wireless network. These PCs are capable of supporting 802.1x authentication methods for accessing the WLAN.

• Full-time employees need full access to the wired network resources. The IT department has implemented application level privileges for each user via Microsoft Windows NT or Active Directory (AD) mechanisms.

• Part-time employees are not allowed access to certain wired resources (such as human resource servers and data storage servers). Furthermore, the IT department has implemented application level privileges for part-time employees (using Microsoft Windows NT or AD mechanisms).

• Guest users need access to the Internet to launch a VPN tunnel back to their company headquarters.

• Maintenance personnel (electrical, facilities, and others) use specialized handheld devices that support static 40- or 128-bit encryption to access trouble ticket information via an application server VLAN.

• Existing wired VLANs deployment:

– Wired VLANs are localized per building (use of unique VLAN-IDs per building).

– Layer-3 policies are implemented on all VLANs to prevent users from accessing critical applications (such as network management servers).

In the above case, the IT administrator can deploy wireless VLANs by creating four wireless VLANs as follows:

Step 1 For the Full-Time and Part-Time VLANs, implement 802.1x with dynamic WEP along with TKIP functionality for WLAN access. Tie user login on the RADIUS server to the Microsoft back-end user database to enable single sign-on for WLAN users.

Implement RADIUS-based SSID access control for both Full-Time and Part-Time employees to access WLAN. This is recommended to prevent part-time employees from VLAN hopping (trying to access the WLAN using Full-Time VLAN).

Note In this deployment scenario, VLANs are localized per building with user group mapping to wired VLAN-IDs different for each building. In order to enable users to access the WLAN from anywhere on campus, SSID access control is recommended rather than fixed VLAN-ID assignments.


Step 2 Create a Guest VLAN. Implement Open/No WEP access with a Broadcast SSID by using the primary SSID for the Guest VLAN. Enforce policies on the wired network side to force all Guest VLAN access to an Internet gateway and deny access into the corporate network.

Step 3 Create a Maintenance VLAN. Implement Open/with WEP plus MAC authentication for this VLAN. Enforce policies on the wired infrastructure to only allow access to the maintenance server on the application server’s VLAN.

Figure 5-7 illustrates this sample WLAN deployment scenario. Table 5-3 lists the configuration details for Figure 5-7 VLANs.

Figure 5-7 Wireless VLAN Deployment Example

[Figure 5-7: AP_1 and AP_2 with SSIDs Engineering, Marketing, HR and Guest, connected to the Enterprise network over 802.1Q trunks (native VLAN=10); management VLAN with the RADIUS server.]

Table 5-3 Configuration for VLANs in Figure 5-7

SSID          VLAN-id   Security Policy                        RADIUS-based VLAN Access Control
Full-Time     16        802.1x with Dynamic WEP + TKIP/MIC     Yes
Part-Time     26        802.1x with Dynamic WEP + TKIP/MIC     Yes
Maintenance   36        Open/with WEP + MAC authentication     No
Guest         46        Open/no WEP                            No


Summary of Rules for Wireless VLAN Deployment

This section summarizes the VLAN rules and guidelines discussed in this document. Key rules to follow when deploying wireless VLANs:

• 802.1Q VLAN trunking (hybrid mode only) is supported between the switch and the AP or bridge.

• A maximum of 16 VLANs per ESS are supported with each wireless VLAN represented with a unique SSID name.

• The IT administrator must configure a unique encryption key per VLAN.

• A maximum of one unencrypted VLAN per ESS is supported.

• A maximum of one primary/guest SSID per ESS is supported.

• TKIP, MIC, and Broadcast key rotation can be enabled per VLAN.

• Open, Shared-Key, MAC, network-EAP (EAP-Cisco), and EAP authentication types are supported per SSID.

• Shared-Key Authentication is supported only on the SSID mapped to the native VLAN (this is most likely to be the Infrastructure SSID).

• One unique policy group (set of Layer-2, Layer-3, and Layer-4 filters) is allowed per VLAN.

• Each SSID is mapped to a default wired VLAN; this default SSID-to-VLAN-ID mapping can be overridden via RADIUS-based VLAN access control mechanisms:

– RADIUS-based VLAN-ID assignment per user is supported.

– RADIUS-based SSID access control per user is supported.

• The ability to assign a CoS mapping per VLAN with eight different levels of priorities is supported.

• The ability to control the number of clients per SSID is supported.

• All APs and bridges in the same ESS must use the same native VLAN-ID to facilitate IAPP communication between APs and bridges.

• All WLAN security policies should be mapped to the wired LAN security policies on the switches and routers.
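The following Python linter, added here and not part of Cisco's tooling, checks a planned ESS against the rules above: one native VLAN-ID across all APs, at most 16 VLANs, unique SSIDs and encryption keys, at most one unencrypted VLAN, at most one primary SSID, Shared-Key only on the SSID mapped to the native VLAN, and broadcast key rotation only where 802.1x is enabled. The data model and the sample configuration (built from Table 5-3 with placeholder keys) are assumptions made for this example, not an AP configuration format.

```python
"""Lint a planned wireless VLAN deployment against the rules summarized in this chapter.

Added example, not Cisco tooling. One dict per AP (name, native VLAN, list of
wireless VLAN entries) is an assumed data model, not an AP configuration format.
"""

MAX_VLANS_PER_ESS = 16


def vlan(ssid, vlan_id, auth="open", key=None, eap=False, mac=False,
         tkip=False, key_rotation=0, primary=False):
    """One wireless VLAN entry using the per-SSID and per-VLAN parameters of this chapter."""
    return {"ssid": ssid, "vlan_id": vlan_id, "auth": auth, "key": key, "eap": eap,
            "mac": mac, "tkip": tkip, "key_rotation": key_rotation, "primary": primary}


def uses_8021x(v):
    """Network-EAP, or EAP under Open/Shared, both run 802.1x on the SSID."""
    return v["auth"] == "network-eap" or v["eap"]


def lint_ess(aps):
    """Return rule violations (strings) for the APs of one ESS; an empty list means clean."""
    findings = []
    native_ids = sorted({ap["native_vlan"] for ap in aps})
    if len(native_ids) > 1:
        findings.append(f"ESS: APs use different native VLAN-IDs {native_ids}; IAPP requires one native VLAN")
    for ap in aps:
        name, vlans = ap["name"], ap["vlans"]
        if len(vlans) > MAX_VLANS_PER_ESS:
            findings.append(f"{name}: {len(vlans)} VLANs exceeds the maximum of {MAX_VLANS_PER_ESS}")
        ssids = [v["ssid"] for v in vlans]
        for dup in sorted({s for s in ssids if ssids.count(s) > 1}):
            findings.append(f"{name}: SSID {dup!r} is not unique")
        if sum(v["primary"] for v in vlans) > 1:
            findings.append(f"{name}: more than one primary (broadcast) SSID")
        unencrypted = [v["ssid"] for v in vlans if v["key"] is None]
        if len(unencrypted) > 1:
            findings.append(f"{name}: more than one unencrypted VLAN {unencrypted}")
        keys = [v["key"] for v in vlans if v["key"] is not None]
        for dup in sorted({k for k in keys if keys.count(k) > 1}):
            owners = [v["ssid"] for v in vlans if v["key"] == dup]
            findings.append(f"{name}: VLANs {owners} share an encryption key; broadcast domains are not segmented")
        for v in vlans:
            if v["auth"] == "shared" and v["vlan_id"] != ap["native_vlan"]:
                findings.append(f"{name}: SSID {v['ssid']!r} uses Shared-Key but is not mapped to native VLAN {ap['native_vlan']}")
            if v["key"] is None and (v["tkip"] or v["key_rotation"]):
                findings.append(f"{name}: SSID {v['ssid']!r} enables TKIP/key rotation without an encryption key")
            if v["key_rotation"] and not uses_8021x(v):
                findings.append(f"{name}: SSID {v['ssid']!r} enables broadcast key rotation without 802.1x")
    return findings


# Constructed configuration for the company XYZ example (Table 5-3); keys are placeholders.
XYZ_VLANS = [
    vlan("Full-Time", 16, eap=True, key="KEY-16-PLACEHOLDER", tkip=True, key_rotation=300),
    vlan("Part-Time", 26, eap=True, key="KEY-26-PLACEHOLDER", tkip=True, key_rotation=300),
    vlan("Maintenance", 36, mac=True, key="KEY-36-PLACEHOLDER"),
    vlan("Guest", 46, primary=True),
]
XYZ_ESS = [{"name": "AP_1", "native_vlan": 10, "vlans": XYZ_VLANS},
           {"name": "AP_2", "native_vlan": 10, "vlans": XYZ_VLANS}]

# Same deployment with mistakes on AP_2: a different native VLAN, Maintenance
# reusing the Part-Time key with Shared-Key auth, and a second unencrypted VLAN.
BAD_ESS = [
    {"name": "AP_1", "native_vlan": 10, "vlans": XYZ_VLANS},
    {"name": "AP_2", "native_vlan": 20, "vlans": [
        vlan("Full-Time", 16, eap=True, key="KEY-16-PLACEHOLDER", tkip=True, key_rotation=300),
        vlan("Part-Time", 26, eap=True, key="KEY-26-PLACEHOLDER", tkip=True, key_rotation=300),
        vlan("Maintenance", 36, auth="shared", mac=True, key="KEY-26-PLACEHOLDER"),
        vlan("Guest", 46, primary=True),
        vlan("Visitor", 56),
    ]},
]

if __name__ == "__main__":
    print(lint_ess(XYZ_ESS))   # []
    for finding in lint_ess(BAD_ESS):
        print(finding)
```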

Best Practices for the Wired Infrastructure

The following best practices are recommended for the wired infrastructure when 802.1Q trunking is extended to the APs and bridges:

• Limit broadcast/multicast traffic to the AP and bridge by enabling VLAN filtering and Internet Group Management Protocol (IGMP) snooping on the switch ports. On the 802.1Q trunks to the AP and bridge, filter to allow only active VLANs in the ESS. Enabling IGMP snooping prevents the switch from flooding all switch ports with Layer-3 multicast traffic.

• Map wireless security policies to the wired infrastructure with Access Control Lists (ACLs) and other mechanisms.

• The AP does not support the VLAN Trunking Protocol (VTP) or the GARP VLAN Registration Protocol (GVRP) for dynamic management of VLANs because the AP acts as a stub node. The IT administrator must use the wired infrastructure to maintain and manage the wired VLANs.

• Enforce security policies via Layer-3 ACLs on the Guest and Management VLANs (recommended).

– The IT administrator might implement ACLs on the wired infrastructure to force all Guest VLAN traffic to the Internet Gateway.


– The IT administrator should restrict user access to the native/default VLAN of the APs and bridges with the use of Layer-3 ACLs and policies on the wired infrastructure.

Example: Traffic to APs and bridges via the native/default VLAN is only allowed to and from the management VLAN where all the management servers reside—including the RADIUS server.

Note For more details, refer to the WLAN VLAN deployment guide: http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html


Chapter 6

WLAN Quality of Service (QoS)

This chapter addresses Quality of Service (QoS) concerns in the context of WLAN implementations. It is separated into the following primary sections:

• QoS Overview, page 6-1

• Wireless QoS Considerations, page 6-2

• 802.11 DCF, page 6-4

• IEEE 802.11e, page 6-7

• Deploying EDCF on Cisco IOS-based APs, page 6-13

• Guidelines for Deploying Wireless QoS, page 6-17

QoS Overview

Quality of Service (QoS) refers to the capability of a network to provide better service to selected network traffic over various network technologies. QoS technologies provide the building blocks for business multimedia and voice applications used in campus, WAN, and service provider networks. QoS allows network managers to establish service level agreements (SLAs) with network users.

QoS enables network resources to be shared more efficiently and expedites the handling of mission-critical applications. QoS manages time-sensitive multimedia and voice application traffic to ensure that this traffic receives higher priority, greater bandwidth and less delay than best effort data traffic. With QoS, bandwidth can be managed more efficiently across LANs and WANs.

QoS provides enhanced and predictable network service by:

• Supporting dedicated bandwidth for critical users and applications

• Controlling jitter and latency (required by real-time traffic)

• Managing and minimizing network congestion

• Shaping network traffic to smooth the traffic flow

• Setting network traffic priorities


Wireless QoS Considerations

This section addresses the following topics:

• Wireless QoS Deployment Schemes, page 6-2

• QoS Parameters, page 6-3

• Downstream and Upstream QoS, page 6-3

• QoS and Network Performance, page 6-4

Wireless QoS Deployment Schemes

In the past, WLANs were mainly used to transport low-bandwidth, data-application traffic. Today, with the expansion of WLANs into vertical (such as retail, finance, and education) and Enterprise environments, WLANs are used to transport high-bandwidth data applications in conjunction with time-sensitive multimedia applications. This requirement led to the necessity for wireless QoS.

Several vendors support proprietary wireless QoS schemes for voice applications. To speed up the rate of QoS adoption and to support multi-vendor time-sensitive applications, a unified approach to wireless QoS is necessary. The IEEE 802.11e working group within the IEEE 802.11 standards committee is working on a wireless QoS standard that is expected to be finalized in 2003. Cisco Aironet products support QoS based on the IEEE 802.11e Draft standard specifications as of November 2002. Cisco IOS release 12.2(4)JA for the Cisco Aironet 1100 Series and Cisco Aironet VxWorks release 12.00T for Cisco Aironet 1200, 350, and 340 Series products support IEEE 802.11e Enhanced Distributed Coordination Function (EDCF)-based wireless QoS.

An example deployment of wireless QoS based on Cisco IOS and VxWorks features is shown in Figure 6-1.

Figure 6-1 Wireless QoS Deployment Example

[Figure 6-1: Enterprise network with Cisco CallManager and a streaming video source; an AP1200 and an AP1100 provide EDCF-based QoS to a VoIP phone and other clients. Figure note: the AP provides EDCF-based mechanisms for downstream wireless QoS, based upon handset registration, CoS, or DSCP.]


QoS Parameters

QoS is defined as the measure of performance for a transmission system that reflects its transmission quality and service availability. Service availability is a crucial foundational element of QoS. Before QoS can be successfully implemented, the network infrastructure must be highly available. The network transmission quality is determined by the following factors:

• Latency, page 6-3

• Jitter, page 6-3

• Loss, page 6-3

Latency

Latency (or delay) is the amount of time it takes a packet to reach the receiving endpoint after being transmitted from the sending endpoint. This time period is termed the end-to-end delay and can be broken into two areas: fixed network delay and variable network delay.

Fixed network delay includes encoding/decoding time (for voice and video), as well as the finite amount of time required for the electrical/optical pulses to traverse the media en route to their destination.

Variable network delay generally refers to network conditions, such as congestion, that may affect the overall time required for transit.

Jitter

Jitter (or delay-variance) is the difference in the end-to-end latency between packets. For example, if one packet required 100 msec to traverse the network from the source-endpoint to the destination-endpoint and the following packet required 125 msec to make the same trip, then the jitter is calculated as 25 msec.

Loss

Loss (or packet loss) is a comparative measure of packets faithfully transmitted and received to the total number that were transmitted. Loss is expressed as the percentage of packets that were dropped.

Downstream and Upstream QoS

Figure 6-2 illustrates the definition of QoS radio upstream and downstream.

Figure 6-2 Upstream and Downstream QoS

The notation in Figure 6-2 refers to the following:

• Radio Downstream QoS refers to the traffic leaving the AP and traveling to the WLAN clients. Radio Downstream QoS is the primary focus of this deployment guide.


• Radio Upstream QoS refers to traffic leaving the WLAN clients and traveling to the AP. No vendor support is currently available for radio upstream QoS features for WLAN clients. This support is specified in the 802.11e draft, but has not yet been implemented.

• Ethernet Downstream refers to traffic leaving the switch/router traveling to the AP. QoS may be applied at this point to prioritize and rate limit traffic to the AP. Configuration of Ethernet downstream QoS is not discussed in this design guide.

• Ethernet Upstream refers to traffic leaving the AP traveling to the switch. The AP classifies traffic from the AP to the upstream network according to the traffic classification.

QoS and Network Performance

The application of QoS features may not be easily detected on a lightly loaded network. Indeed, if latency, jitter and loss are noticeable when the media is lightly loaded, it is an indication of a system fault or that an application's latency, jitter and loss requirements are not a good match for the network.

QoS features start to impact application performance as the load on the network increases. QoS works to keep latency, jitter and loss for selected traffic types within acceptable bounds.

Because the AP provides prioritization only in the downstream direction, upstream client traffic is treated as best effort. A client must compete with other clients for (upstream) transmission as well as competing with best effort (downstream) transmission from the AP. Under certain load conditions, a client can experience upstream congestion, and the performance of QoS-sensitive applications may be unacceptable despite the QoS features on the AP.

802.11 DCF

Data frames in 802.11 are sent using the Distributed Coordination Function (DCF). The DCF is composed of two main components:

• Interframe Spaces (SIFS, PIFS, and DIFS), page 6-4

• Random Backoff (Contention Window), page 6-5

DCF is used in 802.11 networks to manage access to the RF medium. A baseline understanding of DCF is necessary in order to deploy 802.11e based EDCF. Please read the IEEE 802.11 specification for more information on DCF.

Interframe Spaces (SIFS, PIFS, and DIFS)

Interframe Spaces (Figure 6-3) allow 802.11 to control which traffic gets first access to the channel once carrier sense declares the channel to be free.


Figure 6-3 Interframe Spaces (IFS) [1]

802.11 currently defines three interframe spaces:

• Short Interframe Space (SIFS): 10 µs

• Point Interframe Space (PIFS): SIFS + 1 x slot time = 30 µs

• Distributed Interframe Space (DIFS): SIFS + 2 x slot time = 50 µs

SIFS

Important frames such as acknowledgments wait the SIFS before transmitting. There is no random backoff when using the SIFS, as frames using the SIFS are used in instances where multiple stations would not be trying to send frames at the same time. The SIFS provides a short and deterministic delay for packets that must go through as soon as possible. The SIFS is not available for use by data frames. Only 802.11 management and control frames use SIFS.

PIFS

An optional portion of the 802.11 standard defines priority mechanisms for traffic that uses PIFS. There is no random backoff mechanism associated with PIFS, as it relies upon a polling mechanism to control which station is transmitting. The option is not widely adopted [2] due to the associated overhead and lack of flexibility in its application.

DIFS

Data frames wait the DIFS before beginning the random backoff procedure that is part of the Distributed Coordination Function (DCF). This longer wait ensures that traffic using the SIFS or PIFS timing always gets an opportunity to send before any traffic using the DIFS attempts to send.

Random Backoff (Contention Window)

When a data frame using DCF (Figure 6-4) is ready to be sent, it goes through the following steps:

1. Generate a random backoff number between 0 and a minimum Contention Window (CWmin).

2. Wait until the channel is free for a DIFS interval.

3. If the channel is still free, decrement the random backoff number by one for every slot time (20 µs) that the channel remains free.

4. If the channel becomes busy (another station reached 0 before your station), decrementing stops and steps 2 through 4 are repeated.

5. If the channel remains free until the random backoff number reaches 0, the frame may be sent.

[Figure 6-3 diagram: after the busy medium, SIFS, PIFS and DIFS elapse in turn; the contention window (backoff window) follows, divided into slot times in which a station selects a slot and decrements its backoff as long as the medium is idle, before the next frame]

[1] Figures quoted are for 802.11b; not 802.11a.

[2] No known vendor claims to support Profile Connection Files (PCF).

Figure 6-4 Distributed Coordination Function (DCF) Example

Figure 6-4 shows a simplified example of how the DCF process works. In this simplified DCF process, no acknowledgements are shown and no fragmentation occurs.

DCF steps illustrated in Figure 6-4 work as follows:

1. Station A successfully sends a frame, and three other stations also wish to send frames but must defer to Station A’s traffic.

2. Once Station A completes transmission, all the stations must still defer for the DIFS. Once the DIFS is complete, stations wishing to send a frame can begin decrementing their backoff counters, once every slot time, and may send their frame when the counter reaches zero.

3. Station B’s backoff counter reaches zero before Stations C and D, and therefore Station B begins transmitting its frame.

4. Once Stations C and D detect that Station B is transmitting, they must stop decrementing their backoff counters and again defer until the frame is transmitted and a DIFS has passed.

5. During the time that Station B is transmitting a frame, Station E gets a frame to transmit, but as Station B is sending a frame it must defer in the same manner as Stations C and D.

6. Once Station B completes transmission and the DIFS has passed, stations with frames to send begin decrementing their backoff counters again. In this case, Station D’s backoff counter reaches zero first and it begins transmission of its frame.

7. The process continues as traffic arrives on different stations.
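The DCF sequence just walked through can be reproduced slot by slot. The following Python model is an added example, not code from the Cisco guide: the stations, their arrival times, frame airtimes and initial backoff values are constructed (chosen so that the transmission order matches the Figure 6-4 walk-through), two counters reaching zero in the same slot are treated as a collision and handled with the window doubling described under CWmin, CWmax, and Retries, and the retry limit is an assumed value.

```python
import random
from dataclasses import dataclass

SLOT_US = 20                       # 802.11b slot time
SIFS_US = 10
DIFS_US = SIFS_US + 2 * SLOT_US    # 50 us
ACWMIN, ACWMAX = 31, 1023          # window limits shown in Figure 6-5
MAX_RETRIES = 7                    # assumption: retry limit after which the frame is dropped


@dataclass
class Station:
    name: str
    ready_at: int         # microsecond at which the station has a frame to send
    backoff: int          # random backoff in slots (constructed here, normally drawn from 0..cw)
    frame_us: int = 400   # airtime of the frame; acknowledgements omitted as in Figure 6-4
    cw: int = ACWMIN
    retries: int = 0
    done: bool = False


def run_dcf(stations, seed=1):
    """Run the contention until every frame is sent or dropped.

    Returns medium events as (kind, station names, start_us, end_us) with kind
    'tx', 'collision' or 'drop'."""
    rng = random.Random(seed)
    events = []
    busy_until = 0
    while True:
        active = [s for s in stations if not s.done]
        if not active:
            return events
        # Step 2: contention starts one DIFS after the medium is idle.
        t = max(busy_until, min(s.ready_at for s in active)) + DIFS_US
        while True:
            # Assumption: a frame that becomes ready while the medium is idle
            # joins the contention at the next slot boundary.
            contenders = [s for s in active if s.ready_at <= t]
            winners = [s for s in contenders if s.backoff == 0]
            if winners:
                break
            t += SLOT_US
            for s in contenders:
                s.backoff -= 1       # step 3: one decrement per idle slot
        end = t + max(s.frame_us for s in winners)
        if len(winners) == 1:
            winners[0].done = True
            events.append(("tx", [winners[0].name], t, end))
        else:
            # Two counters hit zero in the same slot: collision, so each colliding
            # station doubles its window (31 -> 63 -> ... -> 1023) and redraws.
            events.append(("collision", [s.name for s in winners], t, end))
            for s in winners:
                s.retries += 1
                if s.retries > MAX_RETRIES:
                    s.done = True
                    events.append(("drop", [s.name], t, end))
                else:
                    s.cw = min((s.cw + 1) * 2 - 1, ACWMAX)
                    s.backoff = rng.randint(0, s.cw)
        busy_until = end   # step 4: the other stations freeze their remaining backoff


def figure_6_4_scenario():
    """Stations A to E; backoff values are constructed to reproduce Figure 6-4."""
    return [
        Station("A", ready_at=0, backoff=0),
        Station("B", ready_at=100, backoff=2),    # B, C and D arrive while A is sending
        Station("C", ready_at=100, backoff=5),
        Station("D", ready_at=100, backoff=3),
        Station("E", ready_at=700, backoff=4),    # E arrives while B is sending
    ]


def transmit_order(events):
    return [names[0] for kind, names, _, _ in events if kind == "tx"]


if __name__ == "__main__":
    for kind, names, start, end in run_dcf(figure_6_4_scenario()):
        print(f"{start:5d}-{end:5d} us  {kind:9s} {','.join(names)}")
```

With the constructed values the medium is used in the order A, B, D, C, E: D overtakes C because C froze a larger remaining backoff, exactly the behaviour of steps 4 and 6 above. Two stations created with the same arrival time and a zero backoff collide on their first attempt and then resolve the contention with a doubled window.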

CWmin, CWmax, and Retries

DCF uses a Contention Window (CW) to control the size of the random backoff. The contention window is defined by two parameters:

• aCWmin

• aCWmax

[Figure 6-4 diagram: timeline for Stations A, B, C, D and E showing DIFS intervals, frames, defer periods, backoff time and backoff time remaining]

The random number used in the random backoff is initially a number between 0 and aCWmin. If the initial random backoff expires without successfully sending the frame, the station or AP increments the retry counter and doubles the random backoff window size. This doubling continues until the size equals aCWmax. The retries continue until the maximum retries or Time To Live (TTL) is reached. This process of doubling the backoff window is often referred to as a binary exponential backoff, and is illustrated in Figure 6-5.

Figure 6-5 Growth in Random Backoff Range with Retries

IEEE 802.11e

This section discusses two 802.11e implementations:

• 802.11e EDCF-based QoS Implementation, page 6-7

• QoS Advertisements by WLAN Infrastructure, page 6-11

802.11e EDCF-based QoS Implementation

The current IEEE 802.11e draft contains EDCF. This is the feature supported in the current AP code release. The EDCF is an enhancement of the DCF described above. The enhancement is the adjustment of the variable CWmin and CWmax random backoff values based upon traffic classification. Figure 6-6 shows the different settings for the CWmin and CWmax of each traffic class as illustrated by the Cisco Aironet software. These figures are based on those proposed in the 802.11e draft.

[Figure 6-5 diagram: the contention window starts at aCWmin = 31 with 0 retries and grows through 63, 127, 255 and 511 to aCWmax = 1023 with successive retries, then stays at 1023]

Do not alter these settings for production networks without significant tests specific to the applications in question. For example, having a CWmax value less than the CWmin of another class might cause starvation of the other traffic class, as the worst-case random backoff of the preferred class would be better than the best-case random backoff of the less favored class. It should also be noted that the traffic has been queued based on its traffic classification by the AP before the CWmin and CWmax values are applied at the radio. Refer to Figure 6-6.

Figure 6-6 Default CWmin and CWmax Values of Different Traffic Categories

Figure 6-7 shows the principle behind different CWmin values per traffic classification. All traffic waits the same DIFS, but the CWmin value used to generate the random backoff number depends upon the traffic classification. High priority traffic has a small CWmin value, giving a short random backoff, whereas best effort traffic has a large CWmin value that on average gives a large random backoff number.


Figure 6-7 EDCF Random Backoff and Traffic Classification

Figure 6-8 shows an example of how the different CWmin values impact traffic priority.

Figure 6-8 Example of Impact of Traffic Classification

The process illustrated in Figure 6-8 follows this sequence:

1. While Station X is transmitting its frame three other stations determine that they must send a frame. Each station defers as a frame was already being transmitted, and each station generates a random backoff.

2. As stations Voice 1 and Voice 2 have a traffic classification of voice, they use an initial CWmin of 3, and therefore have short random backoff values. Best Effort 1 and Best Effort 2 generate longer random backoff times, as their CWmin value is 31.

[Figure 6-7 diagram: after a busy medium and DIFS, the voice random backoff range covers only the first slots of the contention window while the best effort random backoff range extends much further; backoff is decremented as long as the medium is idle, before the next frame]

[Figure 6-8 diagram: timeline for Station X, Voice 1, Best Effort 1, Voice 2, Best Effort 2 and Voice 3 showing DIFS intervals, frames, defer periods, backoff time and backoff time remaining]

3. Voice 1 has the shortest random backoff time, and therefore starts transmitting first. When Voice 1 starts transmitting, all other stations defer. While station Voice 1 is transmitting, station Voice 3 finds that it needs to send a frame and generates a random backoff number, but defers because of station Voice 1's transmission.

4. Once Voice Station 1 finishes transmitting, all stations wait the DIFS, and then begin decrementing their random backoff counters again.

5. Station Voice 2 completes decrementing its random backoff counter first and begins transmission. All other stations defer.

6. Once Voice Station 2 has finished transmitting, all stations wait the DIFS, and then begin decrementing their random backoff counters again.

7. Best Effort 2 completes decrementing its random backoff counter first and begins transmission. All other stations defer. This happens even though there is a voice station waiting to transmit. This shows that best effort traffic is not starved by voice traffic as the random backoff decrementing process eventually brings the best effort backoff down to similar sizes as high priority traffic, and that the random process might, on occasion, generate a small random backoff number for best effort traffic.

8. Once Best Effort 2 finishes transmitting, all stations wait the DIFS, and then begin decrementing their random backoff counters again.

9. Station Voice 3 completes decrementing its random backoff counter first and begins transmission. All other stations defer.

10. The process continues as other traffic enters the system.

The overall impact of the different CWmin and CWmax values is difficult to show well in the timing diagrams used thus far, as their impact is more statistical in nature. It is simpler to compare two examples, and show the impact of these different values in the average times that should be generated by the random backoff counters.

If we compare interactive voice and interactive video, these traffic categories have CWmin values of 3 and 15, and CWmax values of 32 and 63 respectively. This gives the averages for the random backoff counters shown in Table 6-1.

These averages show that an interactive voice frame would have an average random backoff time of only 30 µs, whereas the average random backoff time for an interactive video frame would be 150 µs. If interactive voice and interactive video stations began trying to transmit at the same time, the interactive voice frame would normally be transmitted first, and with a very small delay.

The average maximum gives an indication of how quickly and how large the random backoff counter would grow in the event of a retransmission; a smaller average maximum indicates a more aggressive traffic classification. No matter how many times it has retried, Interactive Voice's random backoff delay should not, on average, be above the minimum delay of best effort traffic. This means that the average worst-case backoff delay for interactive voice traffic would be the same as the average best case for best effort traffic.

Table 6-1 Random Backoff Averages

Traffic Category     CWmin   CWmax   Average Minimum   Average Maximum
Interactive Voice        3      31               1.5              15.5
Interactive Video       15      63               7.5              31.5
Best Effort             31     255              15.5             127.5


Note In this EDCF implementation, all WLAN clients are treated equally for upstream transmission (from the WLAN clients to the AP) unless a client (such as a SpectraLink® Voice over IP device) implements a proprietary mechanism of obtaining the channel faster compared to the others.

QoS Advertisements by WLAN Infrastructure

The WLAN infrastructure devices (such as APs) advertise QoS parameters. WLAN clients with QoS requirements use these advertised QoS parameters to determine the best AP with which to associate.

Cisco Aironet software release 12.00T for VxWorks AP and bridges and Cisco IOS release 12.2(4)JA for Cisco 1100 Series APs support two mechanisms to advertise QoS parameters:

• Symbol Technologies, Inc. Extensions (Symbol® NetVision handsets only)

• QoS Basic Service Set (QBSS)—Based on IEEE 802.11e DRAFT version 3.3

Figure 6-9 shows the QBSS Information Element (IE) advertised by a Cisco AP. The channel utilization field indicates the portion of available bandwidth currently used to transport data within the WLAN. The frame loss rate field indicates the portion of transmitted frames that require retransmission or are discarded as undeliverable.

Figure 6-9 QBSS Information Element (IE) Implementation: IEEE 802.11e Draft version 3.3

Figure 6-10 and Figure 6-11 illustrate the mechanism for enabling QoS advertisements on VxWorks APs and bridges and on Cisco IOS-based APs.

[Figure 6-9 diagram: QBSS IE fields in order: Element ID (11), Length (6), Station Count (2 octets), Channel Utilization (1 octet), Frame loss rate (1 octet)]
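A client that selects an AP from QBSS advertisements has to decode the element described above. The following Python decoder is an added example, not code from the Cisco guide or from any Cisco product: it walks a beacon's tagged-parameter list, decodes the QBSS IE using the field order of Figure 6-9, and ranks candidate APs by advertised load. It assumes the 2-octet Station Count is little-endian like other 802.11 fields, and because Figure 6-9 shows a Length of 6 while naming only four octets, it interprets the first four octets and keeps any remainder uninterpreted. The beacon bytes are constructed sample data.

```python
import struct

QBSS_ELEMENT_ID = 11
QBSS_NAMED_OCTETS = 4   # Station Count (2) + Channel Utilization (1) + Frame Loss Rate (1)


def iter_ies(tagged: bytes):
    """Walk an 802.11 tagged-parameter list: (element ID, length, value) triplets."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        value = tagged[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError(f"IE {eid} truncated: advertises {length} octets, {len(value)} present")
        yield eid, value
        pos += 2 + length
    if pos != len(tagged):
        raise ValueError("dangling octet after the last IE")


def is_well_formed(tagged: bytes) -> bool:
    """True when every IE fits inside the buffer it claims to occupy."""
    try:
        list(iter_ies(tagged))
        return True
    except ValueError:
        return False


def parse_qbss(value: bytes) -> dict:
    """Decode the QBSS IE body using the field order of Figure 6-9."""
    if len(value) < QBSS_NAMED_OCTETS:
        raise ValueError("QBSS IE shorter than its four named octets")
    # Assumption: the 2-octet Station Count is little-endian, like other 802.11 fields.
    stations, utilization, loss = struct.unpack_from("<HBB", value)
    return {
        "station_count": stations,
        "channel_utilization": utilization,          # 0..255; assumption: 255 = fully used
        "frame_loss_rate": loss,                     # 0..255 share of frames retried or discarded
        "uninterpreted": value[QBSS_NAMED_OCTETS:],  # present when Length exceeds 4
    }


def qbss_from_beacon(tagged: bytes):
    """Return the decoded QBSS IE from a beacon's tagged parameters, or None."""
    for eid, value in iter_ies(tagged):
        if eid == QBSS_ELEMENT_ID:
            return parse_qbss(value)
    return None


def choose_least_loaded(beacons: dict) -> str:
    """Rank APs by channel utilization, then frame loss, then station count.
    APs without a QBSS IE rank last because the client has no load data for them."""
    def rank(item):
        name, tagged = item
        q = qbss_from_beacon(tagged)
        if q is None:
            return (1, 0, 0, 0, name)
        return (0, q["channel_utilization"], q["frame_loss_rate"], q["station_count"], name)
    return min(beacons.items(), key=rank)[0]


def make_ie(eid: int, value: bytes) -> bytes:
    return bytes([eid, len(value)]) + value


# Constructed sample beacons (tagged parameters only): SSID IE followed by QBSS IE.
SSID_IE = make_ie(0, b"corp-wlan")
BEACON_AP1 = SSID_IE + make_ie(QBSS_ELEMENT_ID, struct.pack("<HBB", 12, 200, 25))  # busy, lossy
BEACON_AP2 = SSID_IE + make_ie(QBSS_ELEMENT_ID, struct.pack("<HBB", 3, 20, 0))     # nearly idle
BEACON_AP3 = SSID_IE                                                                 # no QBSS IE

if __name__ == "__main__":
    for name, tagged in (("AP-1", BEACON_AP1), ("AP-2", BEACON_AP2), ("AP-3", BEACON_AP3)):
        print(name, qbss_from_beacon(tagged))
    print("associate with", choose_least_loaded({"AP-1": BEACON_AP1, "AP-2": BEACON_AP2, "AP-3": BEACON_AP3}))
```

The length check in iter_ies is the part worth keeping in any real parser: an IE whose advertised length runs past the end of the frame is rejected before the body is read, rather than silently decoded from whatever bytes follow.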

Figure 6-10 Enabling QoS Advertisements on a VxWorks AP

Figure 6-11 Enabling QoS Advertisements on a Cisco IOS AP


Deploying EDCF on Cisco IOS-based APs

This section discusses the mechanisms available on the Cisco Aironet 1100 Series AP for applying traffic classification to particular traffic. The Cisco IOS-based Aironet 1100 Series AP has significant QoS operational differences as compared to the VxWorks-based Cisco Aironet 1200, 350 and 340 Series. However, because it is Cisco IOS based, the Aironet 1100 Series AP is consistent with current Cisco IOS implementations. Users familiar with configuring Cisco switch and router QoS settings should find the commands and configuration familiar.

Note For information about deployment and configuration using VxWorks-based APs, please refer to WLAN QoS Deployment Guide at the location:

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080144498.html

This section presents EDCF implementation considerations for Cisco IOS-based APs in the following specific sections:

• Appliance-based Prioritization, page 6-13

• CoS-based Prioritization, page 6-13

• Class-Map Based Prioritization, page 6-14

• VLAN-based Prioritization, page 6-15

• Combining QoS Setting Requirements, page 6-15

• Additional QoS Features, page 6-16

Appliance-based Prioritization

The Cisco IOS-based AP can prioritize traffic based upon a WLAN client's request for a particular traffic classification because of its appliance type. Currently, Cisco APs support only VoIP appliances. These VoIP appliances use proprietary registration messages to identify themselves. The best example of this process is the negotiation that occurs between the AP and a Symbol VoIP WLAN handset. A protocol defined by Symbol allows the handset to be identified, and downstream traffic to these handsets is given an interactive voice classification.

The VxWorks-based AP allows a per-station classification of traffic which allows these handsets to identify themselves and automatically classify traffic.

The Cisco IOS AP supports the registration of the handsets to the AP through the global command line interface (CLI) command:

dot11 phone

CoS-based Prioritization

Traffic that arrives at the AP over an Ethernet trunk (if already classified by its CoS settings within IEEE 802.1D) will have that classification mapped to EDCF and applied unless the Per Appliance classification applies a subsequent classification.


Class-Map Based Prioritization

With class-map based prioritization, traffic flows are identified by IP Type of Service (TOS), DSCP, or protocol settings. An identified downstream traffic flow is given a specific CoS applied over the radio interface. This process is consistent with current Cisco IOS implementations.

Figure 6-12 illustrates an example setting of a class-map based QoS policy via the 1100 Series AP web interface. The policy, named example, creates classification rules based upon IP precedence, DSCP values, and an IP protocol. These classification rules are then applied on the radio interface.

Note The IP Protocol 119 setting provides ongoing support on the AP for SpectraLink IEEE 802.11 handsets.

Figure 6-12 Class-Map based QoS Policy Example

After applying the class-map based QoS policy, the changes are reflected in the AP CLI.

class-map match-all _class_example2
 match ip protocol 119
class-map match-all _class_example0
 match ip precedence 2
class-map match-all _class_example1
 match ip dscp 46
…
policy-map example
 class _class_example0
  set cos 5
 class _class_example1
  set cos 5
 class _class_example2
  set cos 0


 class class-default
  set cos 0
…
interface Dot11Radio0.825
 …
 service-policy output example

VLAN-based Prioritization

Figure 6-13 illustrates the default priority (CoS) set using a class-map definition on a Cisco IOS-based AP. This class-map is applied to an interface or a VLAN and the specified priority is applied to all traffic, unless the priority is overridden by one of the mechanisms described above (Per Station, 802.1p/802.1D CoS, or Class-Map based IP TOS/DSCP/Protocol).

Figure 6-13 Default CoS Setting Using a Class-Map on a Cisco IOS AP

Combining QoS Setting Requirements

The EDCF settings shown in Figure 6-15 on page 6-16 are applied by the radio, and are determined by the classification applied at the radio.

Network engineers must be aware of where the traffic classification is applied in order to plan and design the QoS settings appropriately. The first classification that occurs is the one that is selected and used. The precedence process sequence is as follows:

1. If a station identifies itself as a particular CoS, this is used (Per-Appliance QoS—an example is a Symbol VoIP device).

2. If the frame arrives at the AP with a CoS setting via IEEE 802.1p/802.1D, this is what is used.


3. If a class-map based classification (IP TOS, IP DSCP, IP Protocol, or default CoS) is defined per VLAN or interface, CoS defined by the class-map based QoS policy is assigned to the specified traffic flow (example: SpectraLink VoIP device).

4. If none of the above mechanisms are viable, the default CoS setting for the VLAN is used for all traffic.

Figure 6-14 illustrates the QoS classification precedence described in the above list.

Figure 6-14 QoS Classification Precedence on Cisco IOS-Based APs
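The precedence list can be checked against concrete frames. The following Python model is an added example, not Cisco IOS code: it encodes the class-map and policy-map named example from the Class-Map Based Prioritization section as data and applies the four precedence steps to constructed frames, so it shows which stage wins when several classifications apply to the same frame. The CoS value requested by the registered handset in the sample is a constructed value.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    """A downstream frame as seen at the AP ingress; None means 'not present'."""
    appliance_cos: Optional[int] = None   # CoS requested by a registered VoIP appliance (step 1)
    dot1p_cos: Optional[int] = None       # 802.1p/802.1D CoS on the trunk, None if untagged (step 2)
    ip_dscp: Optional[int] = None         # DSCP of the IP packet (step 3)
    ip_protocol: Optional[int] = None     # IP protocol number (step 3)

    @property
    def ip_precedence(self) -> Optional[int]:
        # IP precedence is the upper three bits of the DSCP field.
        return None if self.ip_dscp is None else self.ip_dscp >> 3


ClassMap = Dict[str, int]                              # "class-map match-all": all conditions hold
Policy = Tuple[List[Tuple[str, ClassMap, int]], int]   # ordered classes plus class-default CoS

# The policy-map "example" from the CLI listing above, expressed as data.
EXAMPLE_POLICY: Policy = (
    [
        ("_class_example0", {"ip_precedence": 2}, 5),
        ("_class_example1", {"ip_dscp": 46}, 5),
        ("_class_example2", {"ip_protocol": 119}, 0),   # SpectraLink SVP
    ],
    0,   # class class-default: set cos 0
)


def matches(frame: Frame, class_map: ClassMap) -> bool:
    return all(getattr(frame, field) == value for field, value in class_map.items())


def classify(frame: Frame, policy: Optional[Policy] = None,
             vlan_default_cos: int = 0) -> Tuple[int, str]:
    """Return (CoS, stage) following the precedence list: the first stage that
    produces a classification wins and later stages are not consulted."""
    if frame.appliance_cos is not None:                      # 1. per-appliance
        return frame.appliance_cos, "per-appliance"
    if frame.dot1p_cos is not None:                          # 2. 802.1p/802.1D CoS
        return frame.dot1p_cos, "802.1p"
    if policy is not None:                                   # 3. class-map policy
        classes, default_cos = policy
        for name, class_map, cos in classes:
            if matches(frame, class_map):
                return cos, f"class-map {name}"
        return default_cos, "class-default"
    return vlan_default_cos, "vlan-default"                  # 4. VLAN default


if __name__ == "__main__":
    samples = {                      # constructed frames
        "untagged VoIP, DSCP 46": Frame(ip_dscp=46),
        "same packet on a CoS-3 tagged trunk": Frame(ip_dscp=46, dot1p_cos=3),
        "registered handset requesting CoS 6": Frame(appliance_cos=6, dot1p_cos=3),
        "SpectraLink SVP (IP protocol 119)": Frame(ip_protocol=119),
        "AF21 (DSCP 18, precedence 2)": Frame(ip_dscp=18),
        "unmarked data": Frame(ip_dscp=0),
    }
    for label, frame in samples.items():
        print(f"{label:40s} -> {classify(frame, EXAMPLE_POLICY)}")
```

The ordering is what a deployment has to plan for: a frame that arrives tagged with an 802.1p CoS is classified at step 2 and the class-map is never consulted, so a trunk that marks every frame with CoS 0 suppresses the AP's DSCP-based classification; with no policy attached to the interface or VLAN, step 4's VLAN default applies.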

Additional QoS Features

The Cisco 1100 Series AP allows the setting of the different CWmin and CWmax values depending on the traffic classification, as shown in Figure 6-15.

Figure 6-15 Class to CWmin and CWmax settings

[Figure 6-14 flowchart: traffic flows into ingress; Per-appliance QoS? Yes: map to CoS; No: By CoS value (802.1p marked)? Yes: map to CoS; No: Class-map defined per interface or VLAN? Yes: map to CoS; No: apply default CoS (CoS=0); in every case the frame is then sent to the transmit queue]

In addition to the CWmin and CWmax values shown in Figure 6-15, a Fixed Slot Time setting is available. The Fixed Slot Time is referred to as the Arbitration Inter Frame Space (AIFS) in the IEEE 802.11e Draft. The AIFS is a variable DCF value: the standard DCF time equals two slot times, and traffic classifications with a slot time greater than two must wait the additional slot times before sending or beginning to decrement their random backoff counters. This gives further precedence to traffic with a low CWmin and standard DCF timing.
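The combined effect of CWmin, CWmax, retries and AIFS can be computed exactly rather than read off timing diagrams. The following Python functions are an added example, not code from the Cisco guide: they reproduce the window growth of Figure 6-5 and the averages of Table 6-1, and compute the probability that one station of each class wins the channel when all draw their backoff at the same time (an equal smallest wait is counted as a collision). The CWmin and CWmax values are those of Table 6-1; the AIFS values are assumptions, with two slots standing for standard DCF timing.

```python
SLOT_US = 20            # 802.11b slot time used throughout the chapter
DCF_AIFS_SLOTS = 2      # standard DCF timing: DIFS = SIFS + 2 slot times

# (CWmin, CWmax, AIFS slots) per class. CWmin/CWmax come from Table 6-1;
# the AIFS of two slots for every class is an assumption (standard DCF timing).
CLASSES = {
    "interactive voice": (3, 31, DCF_AIFS_SLOTS),
    "interactive video": (15, 63, DCF_AIFS_SLOTS),
    "best effort": (31, 255, DCF_AIFS_SLOTS),
}


def cw_after_retries(cwmin, cwmax, retries):
    """Binary exponential backoff: CW + 1 doubles on every retry, capped at CWmax."""
    cw = cwmin
    for _ in range(retries):
        cw = min((cw + 1) * 2 - 1, cwmax)
    return cw


def mean_backoff_slots(cw):
    """Mean of a uniform draw from 0..cw (the Average Minimum/Maximum of Table 6-1)."""
    return cw / 2.0


def mean_backoff_us(cw):
    return mean_backoff_slots(cw) * SLOT_US


def _p_wait_eq(cw, aifs, w):
    """P(AIFS + backoff == w slots) for a uniform backoff in 0..cw."""
    return 1.0 / (cw + 1) if aifs <= w <= aifs + cw else 0.0


def _p_wait_gt(cw, aifs, w):
    """P(AIFS + backoff > w slots)."""
    if w < aifs:
        return 1.0
    if w >= aifs + cw:
        return 0.0
    return (aifs + cw - w) / (cw + 1)


def win_probabilities(classes, retries=None):
    """Exact probability that one station of each class wins the next contention.

    classes: {name: (cwmin, cwmax, aifs_slots)}; retries: optional {name: n} for a
    class whose station has already retried n times (larger window). The result
    also carries "collision", the probability that the smallest wait is shared."""
    retries = retries or {}
    windows = {name: (cw_after_retries(cwmin, cwmax, retries.get(name, 0)), aifs)
               for name, (cwmin, cwmax, aifs) in classes.items()}
    result = {}
    for name, (cw, aifs) in windows.items():
        p_win = 0.0
        for w in range(aifs, aifs + cw + 1):
            p = _p_wait_eq(cw, aifs, w)
            for other, (ocw, oaifs) in windows.items():
                if other != name:
                    p *= _p_wait_gt(ocw, oaifs, w)   # every other station is still waiting
            p_win += p
        result[name] = p_win
    result["collision"] = 1.0 - sum(result.values())
    return result


if __name__ == "__main__":
    for name, (cwmin, cwmax, _) in CLASSES.items():
        print(f"{name:18s} mean backoff {mean_backoff_us(cwmin):6.1f} us first try, "
              f"{mean_backoff_us(cwmax):6.1f} us at CWmax")
    for name, p in win_probabilities(CLASSES).items():
        print(f"{name:18s} {p:.3f}")
```

Two results follow from the defaults: a voice station facing one best effort station wins about 92 percent of contentions on its first attempt, and after three retries its window has grown to 31, the best effort CWmin, at which point the two are evenly matched, which is the "average worst case equals average best case" statement made for Table 6-1. Adding two AIFS slots to the best effort class raises the voice share further without touching either window.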

Guidelines for Deploying Wireless QoS

The same rules for deploying QoS in a wired network apply to deploying QoS in a wireless network. The first and most important guideline in QoS deployment is: know your traffic. Know your protocols, your applications' sensitivity to delay, and your traffic bandwidth. QoS does not create additional bandwidth; it simply gives more control over where the bandwidth is allocated.

Voice traffic is probably the most familiar QoS application. The following are examples of how QoS for voice is applied to different applications. When using the traffic classification schemes in the AP, remember that once the classification has been changed from the default, applying any further mechanism does not alter the classification again.

This discussion of wireless QoS deployment considerations is split into the following four sections:

• IP SoftPhone and Other PC and PDA Based VoIP Solutions, page 6-17

• Symbol Handsets, page 6-17

• SpectraLink Handsets, page 6-18

• Leveraging Existing Network QoS Settings, page 6-18

IP SoftPhone and Other PC and PDA Based VoIP Solutions

With IP SoftPhone and other PC-based and PDA-based VoIP solutions, the AP might not connect to the wired Ethernet via IEEE 802.1q. VLANs might not be configured. In this case, the frames from the wired network do not contain CoS information for the AP.

If the wired network is using IP Type of Service (ToS) or IP DSCP to mark traffic, these marks can be recognized by the AP through the AP’s DSCP-to-CoS mapping feature using class-map based prioritization (Cisco IOS) as shown in Figure 6-12 on page 6-14.

If VLANs are used, the AP can use the CoS settings within IEEE 802.1p, and the DSCP-to-CoS mapping is done by the upstream device. If the CoS settings of IEEE 802.1p are not utilized, the AP uses the DSCP settings. If the switch infrastructure does not mark frames/packets with IEEE 802.1p CoS or IP TOS/DSCP, then the VLAN default CoS on the AP is used to apply a specific wireless CoS.

Symbol Handsets

If Symbol handsets are used in the WLAN, the Symbol Extensions should be enabled.


SpectraLink Handsets

The SpectraLink Voice Protocol (SVP) is prioritized in the same manner as in the pre-WLAN QoS AP configuration because the AP has a default filter to classify all SpectraLink voice traffic with voice priority.

The difference between the current AP prioritization scheme and the previously released AP prioritization method is that the prior version was limited to prioritizing within the queuing internal to the AP. With the QoS enhancements, traffic can now be prioritized over the radio interface.

Figure 6-16 illustrates the SVP architecture for 12.00T VxWorks and 12.2(4)JA Cisco IOS QoS features:

Figure 6-16 SpectraLink VoIP Deployment

Leveraging Existing Network QoS Settings

Support for IEEE 802.1p and DSCP allows the AP to leverage the existing QoS classification and prioritization in the wired network. For more information on the design and configuration of QoS for a Cisco AVVID Network, refer to: Cisco AVVID Network Infrastructure Enterprise Quality of Service Design on CCO web site at http://www.cisco.com.

[Figure 6-16 diagram: Enterprise Network with Cisco CallManager and a NetLink SVP server; an AP1200 and an AP1100 provide EDCF-based QoS to a VoIP phone and NetLink wireless telephones; the AP provides EDCF-based mechanisms for downstream wireless QoS]

Chapter 7

WLAN Roaming

This chapter addresses the WLAN design considerations when assessing Layer-2 roaming of WLAN clients. The process of a WLAN client station roaming from one AP to another AP is discussed in some detail. Although this chapter focuses on roaming at Layer-2 (same IP subnet), the implications of campus-wide roaming at Layer-2 and Layer-3 are also considered.

The following primary sections are presented in this chapter:

• Roaming Solution Overview, page 7-2

• Layer-2 Roaming Primer, page 7-4

• Layer-2 Design Recommendations, page 7-9


Roaming Solution Overview

Networks are normally partitioned into discrete Layer-2 domains corresponding to IP subnets. The difference between Layer-2 and Layer-3 roaming is shown in Figure 7-1. Layer-2 roaming occurs when a WLAN client moves between Wireless APs that are part of the same IP subnet.

Figure 7-1 Layer-2 and Layer-3 Roaming Compared

Layer-3 roaming will be covered in a separate design guide, which will be added to the set of design guides available from http://www.cisco.com.

WLANs can provide the ability to connect to the network from any location within the enterprise. The desire to move from one location to another while maintaining an application session is a natural extension of this extended network reach.

The trend towards wireless laptop computers and personal digital assistants (PDA) will further accelerate the desire for seamless network access while moving between locations.

The benefits of WLANs in general are documented in the Chapter 1, “WLAN Solution Overview.” Some of the WLAN benefits specific to mobility are:

• Innovative Application Deployment—Facilitates implementation of new and innovative applications that require always-on network connectivity (such as actionable alerts, messaging, and workflow applications).

• Improved Efficiency and Productivity—Continuous connectivity allows work to be performed at any time without interruption.

• Increased Accuracy—Enabling data to be captured or updated immediately from any location increases data accuracy.

[Figure 7-1 diagram: L2 roaming between APs within Subnet A; L3 roaming (mobile IP) between Subnet A and Subnet B across a Layer 3 boundary]

General Design Characteristics

Cisco AVVID provides a comprehensive campus network architecture. In most cases, WLANs will be incrementally applied as an overlay to the existing Cisco AVVID architecture.

Where possible, the existing Cisco AVVID three-layer architecture should be maintained. WLANs should be deployed as an additional, dedicated, wireless subnet per wiring closet. Additional campus WLAN design guidance is provided at http://www.cisco.com.

Layer-2 Design

Mobile IP capability is required to provide seamless roaming across Layer-3 subnet boundaries. Layer-3 roaming will be covered in a separate design guide, but note that every Layer-3 roam is preceded by a Layer-2 (link-layer) roam.

Caveats

Deploying WLANs as recommended in this document might result in multiple Layer-2 subnets on the same floor of a building. Some form of mobile IP will be required to roam seamlessly between the Layer-2 subnets this design recommends.


Layer-2 Roaming Primer

This section introduces you to the underlying issues and considerations when addressing Layer-2 roaming in WLANs. The following discussion is divided into four sections:

• Layer-2 Roaming Technical Overview, page 7-4

• Roaming Events, page 7-5

• Roam Process, page 7-7

• Layer-2 Roaming Considerations, page 7-8

Layer-2 Roaming Technical Overview

A Layer-2 roam occurs when a WLAN station moves from one AP to another AP. If the new AP is on a different IP subnet, Layer-3 roaming occurs after the Layer-2 roam is completed. Figure 7-2 illustrates the sequence of events associated with a Layer-2 roam.

Figure 7-2 Sequence of Events for Layer-2 Roam

The arrows in Figure 7-2 indicate the following events:

1. A Client moves from AP “A” coverage area into AP “B” coverage area (both APs in same subnet). As the client moves out of AP “A” range a “Roaming Event” will be triggered (such as Max Retries).

2. The client then scans all 802.11 channels for alternative APs. In this case, the client discovers AP “B” and re-authenticates and re-associates to it.

3. AP “B” sends a null MAC multicast using the source address of the client. This updates the Content Addressable Memory (CAM) tables in upstream switches and directs further LAN traffic for the client to AP “B”, and not AP “A”.

4. AP “B” sends a MAC multicast using its own source address telling the “old” AP that AP “B” now has the client associated to it. AP “A” receives this multicast and removes the client MAC address from its association table.

The main focus in this chapter is on events 1 and 2 in Figure 7-2. Events 3 and 4 are post-roam actions taken as part of Cisco’s proprietary Inter Access Point Protocol (IAPP).

It is important to note that roaming is always a client station decision. The client station is responsible for detecting, evaluating, and roaming to an alternative AP.

(Figure 7-2 diagram labels: Access Point A, Access Point B; Wired LAN connecting Access Points (intra-subnet roaming); IAPP, Inter Access Point Protocol; events 1 to 4)


Event 1 in Figure 7-2 will be discussed in more detail in the “Roaming Events” section on page 7-5 of this document. “Roaming Events” describes the events that cause a client to initiate the roam process.

Event 2 in Figure 7-2 is covered in the “Roam Process” section on page 7-7. The process of discovering, evaluating, and roaming to an alternative AP is discussed in that section.

Roaming Events

This section details the events that cause a client to roam. The roam process itself is described in the “Roam Process” section on page 7-7. Roaming is always initiated by the client and is caused by one of the following events (each is covered in a separate section):

• Max Data Retry Count Exceeded, page 7-5

• Missed Too Many Beacons, page 7-6

• Data Rate Shift, page 7-6

• Periodic Client Interval (If Configured), page 7-7

• Initial Client Startup, page 7-7

Max Data Retry Count Exceeded

When a client station retries a packet more than the Max Data Retry Count, the station initiates a roam. The max retry count defaults to 16, and is configured in the Aironet Client Utility (ACU) under the RF Network tab for the currently active profile. A sample screen is shown in Figure 7-3.

Figure 7-3 Setting Max Data Retries in the ACU


Missed Too Many Beacons

All clients associated to an AP should receive a periodic beacon. By default, APs send a beacon every 100 msec. The beacon period setting on an AP is shown in Figure 7-4.

Figure 7-4 Max Data Retries, Beacon Period and Data Rate Settings

Clients learn the AP’s beacon interval from an element in the beacon. If a client misses eight consecutive beacons, a roaming event is deemed to have occurred and the roam process detailed in the “Roam Process” section on page 7-7 is initiated.

By continuously monitoring for received beacons, even an otherwise idle client is able to detect a loss of wireless link quality and is able to initiate a roam.

Data Rate Shift

Packets are normally transmitted at the AP’s default rate. The default rate is the highest rate set to basic or yes on the AP. The configuration of data rate on an AP is shown in Figure 7-4.

A rate-shift occurs when a frame is retransmitted three times and RTS/CTS is used to send the last two retransmissions.

Every time a packet must be retransmitted at a lower rate, a count is increased by 3. For each packet successfully transmitted at the default rate, the count is decreased by 1—until it is 0. If the count reaches 12 one of the following occurs:


• If the client has not attempted to roam in the last 30 seconds then the roam process as described in the “Roam Process” section on page 7-7 occurs.

• If the client has already attempted to roam in the last 30 seconds, the data rate for that client is set to the next lower rate.

A client transmitting at less than the default rate increases the data rate back to the next-higher rate after a short time interval if transmissions are successful.

Periodic Client Interval (If Configured)

The latest version of ACU, client driver, and firmware allow the client to periodically scan for a better AP when its signal strength gets low. This capability is configured in the ACU for the selected profile under the RF Network tab as shown in Figure 7-5. The periodic scan is a roaming event that causes the roam process described in “Roam Process” section on page 7-7 to occur.

Figure 7-5 ACU Configuration—Periodic Scan for a Better AP

Initial Client Startup

When a client starts up it goes through the roam process described in the “Roam Process” section on page 7-7, to scan for (and associate with) the most appropriate AP.
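The five roaming events above, simulated as client-side state in an added Python example (this is not Cisco client or ACU code). The thresholds are the ones the text gives (Max Data Retries 16, eight missed beacons, rate-shift count +3/-1 with a trigger at 12, 30-second roam window); two details the text does not state are labelled assumptions in the code: the count restarting at 0 after it fires, and the number of good frames a client needs before stepping its rate back up.

```python
"""Client-side roaming event detection for the events in the "Roaming Events" section.

Added simulation, not Cisco client firmware. RATE_UPSHIFT_SUCCESSES and the reset of
the rate-shift count after it fires are assumptions; every other number is from the text.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RATES_MBPS = (1.0, 2.0, 5.5, 11.0)   # 802.11b rates, lowest to highest
RATE_SHIFT_TRIGGER = 12              # rate-shift count at which something happens
RATE_UPSHIFT_SUCCESSES = 10          # assumption: "a short time interval" modelled as N good frames


@dataclass
class RoamingClient:
    max_data_retries: int = 16                  # ACU > RF Network > Max Data Retries (default 16)
    max_missed_beacons: int = 8                 # consecutive beacons missed before roaming
    roam_holddown_s: float = 30.0               # "attempted to roam in the last 30 seconds"
    default_rate: float = 11.0                  # highest rate set to basic/yes on the AP
    periodic_scan_s: Optional[float] = None     # ACU periodic scan for a better AP, if configured
    current_rate: float = 11.0
    shift_count: int = 0
    missed_beacons: int = 0
    good_frames_below_default: int = 0
    last_roam_attempt: Optional[float] = None
    last_periodic_scan: float = 0.0
    events: List[Tuple[float, str]] = field(default_factory=list)

    def _roam(self, now: float, reason: str) -> str:
        """Record a roaming event; the roam process (scan, re-associate) follows it."""
        self.events.append((now, reason))
        self.last_roam_attempt = now
        self.missed_beacons = 0
        return reason

    def _roamed_recently(self, now: float) -> bool:
        return (self.last_roam_attempt is not None
                and now - self.last_roam_attempt < self.roam_holddown_s)

    def _step_rate(self, direction: int) -> None:
        idx = RATES_MBPS.index(self.current_rate) + direction
        self.current_rate = RATES_MBPS[max(0, min(idx, len(RATES_MBPS) - 1))]
        self.good_frames_below_default = 0

    def startup(self, now: float) -> str:
        """Initial client startup always runs the roam process."""
        return self._roam(now, "initial-startup")

    def frame_retried(self, now: float, retries: int) -> Optional[str]:
        """A frame needed `retries` retransmissions; more than the maximum triggers a roam."""
        if retries > self.max_data_retries:
            return self._roam(now, "max-retries-exceeded")
        return None

    def retransmitted_at_lower_rate(self, now: float) -> Optional[str]:
        """A frame had to be retransmitted at a lower rate: the count goes up by 3."""
        self.shift_count += 3
        if self.shift_count < RATE_SHIFT_TRIGGER:
            return None
        self.shift_count = 0  # assumption: the count restarts once it has fired
        if self._roamed_recently(now):
            self._step_rate(-1)  # already roamed in the last 30 s: drop to the next lower rate
            return "rate-down"
        return self._roam(now, "data-rate-shift")

    def frame_sent_ok(self, now: float, rate: float) -> Optional[str]:
        """A frame was acknowledged at `rate`."""
        if rate >= self.default_rate:
            self.shift_count = max(0, self.shift_count - 1)  # decrease by 1, never below 0
            return None
        self.good_frames_below_default += 1
        if (self.good_frames_below_default >= RATE_UPSHIFT_SUCCESSES
                and self.current_rate < self.default_rate):
            self._step_rate(+1)  # successful at the lower rate: try the next higher one
            return "rate-up"
        return None

    def beacon_interval(self, now: float, received: bool) -> Optional[str]:
        """Called once per beacon period (100 ms by default), whether or not a beacon arrived."""
        if received:
            self.missed_beacons = 0
            return None
        self.missed_beacons += 1
        if self.missed_beacons >= self.max_missed_beacons:
            return self._roam(now, "missed-beacons")
        return None

    def tick(self, now: float) -> Optional[str]:
        """Periodic scan for a better AP, only when configured in the ACU profile."""
        if self.periodic_scan_s is None or now - self.last_periodic_scan < self.periodic_scan_s:
            return None
        self.last_periodic_scan = now
        return self._roam(now, "periodic-scan")
```

Because `_roam` records the time of the attempt, the same count of 12 produces a roam on a client that has been stable for 30 seconds but only a rate drop on one that roamed moments ago.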

Roam Process

The “Roaming Events” section on page 7-5 described the events that can occur to cause a client to decide that it needs to roam. This section addresses actions taken by a client station when it roams.


When a roaming event occurs the client station scans each 802.11 channel (the client scans all 802.11 channels valid in the country in which the client is operating). On each channel, the client station sends a probe and waits for a probe-response or beacon from APs on that channel. The probe responses and beacons received from other APs are discarded unless the conditions listed in Table 7-1 are met.

If the conditions in Table 7-1 are satisfied, then a client roams to a new AP that best meets one of the conditions specified in Table 7-2.

Layer-2 Roaming Considerations

A Layer-2 roam is a disruptive event for a WLAN client. WLAN radios are designed to transmit and receive on only one of the 802.11 channels at a time. Because the wireless station is only receiving on one of the eleven 802.11 channels, it is not generally aware of other APs on alternative channels.

Table 7-1 AP Conditions Required to be Considered as a Roam Target

For a client station with Aironet extensions enabled, probe-responses/beacons must satisfy all of the conditions below. The second entry of each condition gives the behavior for a client station without Aironet extensions.

Condition 1

With Aironet extensions: The AP’s signal strength is greater than 20 percent; if it is 20+ percent weaker than the current AP, its absolute signal strength must be at least 50 percent.

Without Aironet extensions: Unknown—implementation dependent.

Condition 2

With Aironet extensions: If the AP is in repeater mode and is more radio hops from the backbone than the current AP, its signal strength must be more than 20 percent greater than the current AP.

Without Aironet extensions: Not applicable—radio hop information is a Cisco proprietary element in beacons.

Condition 3

With Aironet extensions: The new AP must not have more than a 10 percent worse transmitter load than the current AP.

Without Aironet extensions: Not applicable—AP transmitter load information is a Cisco proprietary element in beacons.

Table 7-2 Choosing from Eligible Roam Targets

For a client station with Aironet extensions enabled, the AP must satisfy any one of the conditions below. For a client station without Aironet extensions, the AP must satisfy all conditions.

Condition 1

With Aironet extensions: Signal strength is more than 20 percent stronger.

Without Aironet extensions: Unknown—implementation dependent.

Condition 2

With Aironet extensions: Fewer hops to the backbone.

Without Aironet extensions: Not applicable—backbone hop information is a Cisco proprietary element in beacons.

Condition 3

With Aironet extensions: 4 (or more) fewer clients associated to it.

Without Aironet extensions: Not applicable—AP client association load information is a Cisco proprietary element in beacons.

Condition 4

With Aironet extensions: 20+ percent less transmitter load. (Transmitter load is an indication of whether an AP radio is busy sending frames.)

Without Aironet extensions: Not applicable—AP transmitter load information is a Cisco proprietary element in beacons.


Note There are 11 channels available in the US. There are 13 channels defined by the 802.11 specification. Their usage varies from country to country.

To find out if a better AP is available, the client must cease transmitting and receiving on the current channel and move sequentially through each of the possible alternative channels.

The following actions need to occur on each of the channels scanned:

1. Radio hardware needs to move to and settle on new channel.

2. Client needs to listen to the new channel long enough to avoid a collision as per the CSMA/CA media access implemented in 802.11.

3. Client transmits a probe frame.

4. Client receives a probe-response or a beacon frame.
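The scan-and-evaluate process described in the “Roam Process” section and in the four steps above, as an added Python example (not Cisco client code): the client collects what it hears on each channel, keeps only APs that pass every Table 7-1 condition, and roams to the eligible AP that satisfies the most Table 7-2 conditions. Only the Aironet-extensions column is modelled (hops, transmitter load and client count come from the Cisco proprietary beacon elements), the ranking by number of conditions met with signal strength as tie-break is an assumption because the text does not say how the best AP is chosen, and the sample scan data is constructed.

```python
"""Roam-target evaluation from Tables 7-1 and 7-2 for a client with Aironet extensions.

Added example, not Cisco client code. Signal strength and transmitter load are
percentages as in the tables. The ranking in choose_roam_target() is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ApInfo:
    bssid: str
    channel: int
    signal: int          # percent
    tx_load: int         # percent, Cisco proprietary beacon element
    hops: int            # radio hops to the backbone (0 = AP on the wired LAN)
    clients: int         # associated clients, Cisco proprietary beacon element
    repeater: bool = False


def eligible(cand: ApInfo, cur: ApInfo) -> bool:
    """Table 7-1: every condition must hold for the AP to be considered at all."""
    if cand.signal <= 20:
        return False                                  # must be greater than 20 percent
    if cand.signal <= cur.signal - 20 and cand.signal < 50:
        return False                                  # 20+ weaker than current: needs 50+ absolute
    if cand.repeater and cand.hops > cur.hops and cand.signal <= cur.signal + 20:
        return False                                  # repeater further out: needs 20+ stronger
    if cand.tx_load > cur.tx_load + 10:
        return False                                  # at most 10 percent worse transmitter load
    return True


def preference_score(cand: ApInfo, cur: ApInfo) -> int:
    """Table 7-2: how many of the 'any one' conditions the candidate satisfies."""
    return sum([
        cand.signal > cur.signal + 20,      # more than 20 percent stronger
        cand.hops < cur.hops,               # fewer hops to the backbone
        cand.clients <= cur.clients - 4,    # 4 or more fewer clients
        cand.tx_load <= cur.tx_load - 20,   # 20+ percent less transmitter load
    ])


def choose_roam_target(cur: ApInfo, heard: List[ApInfo]) -> Optional[ApInfo]:
    """Pick the AP to roam to from the probe-responses/beacons heard during the scan.

    Returns None when no AP is both eligible (Table 7-1) and preferable (Table 7-2).
    Assumption: rank by conditions met, then by signal strength.
    """
    best: Optional[ApInfo] = None
    best_key = (0, 0)
    for ap in heard:
        if ap.bssid == cur.bssid or not eligible(ap, cur):
            continue
        key = (preference_score(ap, cur), ap.signal)
        if key[0] > 0 and key > best_key:
            best, best_key = ap, key
    return best


def scan_all_channels(cur: ApInfo, responses_by_channel: Dict[int, List[ApInfo]],
                      channels: Iterable[int] = range(1, 12)) -> Optional[ApInfo]:
    """Visit each channel in turn (11 in the US) and collect what answers the probe."""
    heard: List[ApInfo] = []
    for ch in channels:
        heard.extend(responses_by_channel.get(ch, []))   # probe-responses/beacons on this channel
    return choose_roam_target(cur, heard)


# Constructed sample scan: what a client on AP_CURRENT might hear on channels 1, 6 and 11.
AP_CURRENT = ApInfo("02:00:00:00:00:01", 1, signal=35, tx_load=40, hops=0, clients=12)
SAMPLE_SCAN = {
    1: [AP_CURRENT,
        ApInfo("02:00:00:00:00:05", 1, signal=50, tx_load=30, hops=1, clients=2, repeater=True)],
    6: [ApInfo("02:00:00:00:00:02", 6, signal=60, tx_load=35, hops=0, clients=5),
        ApInfo("02:00:00:00:00:04", 6, signal=15, tx_load=10, hops=0, clients=0)],
    11: [ApInfo("02:00:00:00:00:03", 11, signal=80, tx_load=60, hops=0, clients=3),
         ApInfo("02:00:00:00:00:06", 11, signal=40, tx_load=45, hops=0, clients=11)],
}

if __name__ == "__main__":
    target = scan_all_channels(AP_CURRENT, SAMPLE_SCAN)
    print("roam to", target.bssid if target else "nowhere")
```

In the sample scan the strongest AP (80 percent) is rejected for its transmitter load, the repeater is rejected because it is further from the backbone without being 20 percent stronger, and the 40 percent AP is eligible but offers no Table 7-2 improvement, so the client roams to the 60 percent AP on channel 6.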

Layer-2 Design Recommendations

This section provides design guidance for architecting and deploying a network as it applies to Layer-2 roaming considerations. Additional WLAN design guidance is provided at http://www.cisco.com.

Layer-2 design recommendations are addressed in the following sections:

• Cisco AVVID Design, page 7-9

• Sizing the Layer-2 Domain, page 7-10

• Roaming Implementation Recommendations, page 7-10

Cisco AVVID Design

Cisco provides comprehensive campus network architecture guidance. WLANs should be an incremental addition to the existing Cisco AVVID network infrastructure. Please refer to campus design content provided at http://www.cisco.com.

The existing Cisco AVVID three-layer architecture should be maintained, and WLANs should be deployed as an additional, dedicated, wireless subnet per wiring closet. Figure 7-6 shows a typical Cisco AVVID architecture to which a WLAN subnet was added to each access layer switch.

Figure 7-6 Adding WLAN to Cisco AVVID Architecture

(Figure 7-6 diagram labels: Layer 3; HSRP Active VLAN 20, 41, 140; HSRP Active VLAN 40, 21, 120; 10.1.20.0 VLAN 20 Data, 10.1.21.0 VLAN 21 WLAN, 10.1.120.0 VLAN 120 Voice; 10.1.40.0 VLAN 40 Data, 10.1.41.0 VLAN 41 WLAN, 10.1.140.0 VLAN 140 Voice)


Sizing the Layer-2 Domain

In Figure 7-6, each access-layer switch represents a separate wiring closet. To each switch a dedicated VLAN for WLAN APs is added. APs are connected to a dedicated VLAN in order to keep the broadcast domain as small as possible; WLANs are a shared half-duplex medium and broadcasts have a bigger impact on APs than on most devices connected to switch ports.

Some organizations may decide to extend the Layer-2 network to provide Layer-2 mobility across a greater section of the enterprise. For these organizations, Cisco’s advanced spanning tree features such as Rapid Spanning Tree Protocol (RSTP) will prove useful.

Note For related information regarding spanning-tree design and implementation considerations please refer to the Cisco AVVID Network Infrastructure—Implementing 802.1w and 802.1s in Campus Networks SRND.

Roaming Implementation Recommendations

Cisco’s IAPP provides seamless mobility within a single subnet only.

In the absence of mobile IP, when a WLAN client moves to an AP on a different subnet, the IP address must be renewed—Windows 2000/XP does this automatically. Renewing the IP address causes application sessions using that IP address to break.

Some applications, such as email and web-based applications, may recover and continue to operate normally when their IP addresses change (either automatically by Windows 2000/XP, or manually if using a different operating system).

Other applications such as telnet, FTP, and any other connection-based application fail and must be manually restarted.

Mobile IP is the solution to these application problems, as it will maintain a constant IP address for host applications across Layer-3 subnet boundaries. Mobile IP deployment will be the subject of a forthcoming Cisco Enterprise Solutions Engineering design guide.


CHAPTER 8

IP Multicast in a Wireless LAN

This chapter describes the configurations needed to control IP Multicast traffic over a WLAN and includes the following sections:

• Multicast WLAN Deployment Recommendations, page 8-1

• IP Multicast WLAN Configuration, page 8-2

• Other Considerations, page 8-4

• Summary, page 8-5

Tip For information about IP multicast theory, deployment, and configuration, please see the Cisco AVVID Network Infrastructure IP Multicast Design SRND.

Note This chapter uses MoH and IP/TV in the examples. It does not, however, provide configurations and designs for MoH and IP/TV. Also, other types of IP multicast implementations, such as IP multicast for financial deployments, are not covered.

Multicast WLAN Deployment Recommendations

By default, IP multicast traffic is permitted to stream across a WLAN. However, because WLANs use shared bandwidth, certain measures should be taken to prevent saturation of the available bandwidth. If IP multicast traffic is not required on the wireless network, it is recommended that a boundary be configured to block the multicast traffic. The best place to control IP Multicast traffic is on the routers and switches that connect to the APs and bridges. If a Layer-3 device is not available for use in deploying the configurations described in this chapter, then see the Cisco AVVID Network Infrastructure Wireless LAN Design SRND for recommendations for using AP and bridge MAC and IP filters to block traffic.

Note Filters on the AP and bridge do not provide the flexibility needed for true multicast control.

If IP Multicast is to be deployed and streamed across the wireless network, then the following recommendations should be implemented:

• Prevent unwanted multicast traffic from being sent out on the air interface.

– Place the WLAN in its own subnet.


– Control which multicast groups are allowed by implementing multicast boundaries on the egress Layer 3 interface connecting to the VLAN or interface to the AP or bridge.

• To gain the highest AP/bridge performance for multicast traffic and data traffic, configure the APs and bridges to run at the highest possible fixed data rate. This removes the requirement for multicast to clock out at a slower rate, which can impact the range of the AP/bridge and must be taken into account in the site survey.

• If multicast reliability is a problem (seen as dropped packets), ignore the preceding recommendation and use a slower data rate (base rate) for multicast. This gives the multicast a better signal-to-noise ratio and can reduce the number of dropped packets.

• Test the multicast application for suitability in the WLAN environment. Determine the application and user performance effects when packet loss is higher than that seen on wired networks.

IP Multicast WLAN Configuration

The ip multicast boundary command configures an administratively scoped boundary on an interface for multicast group addresses found in the range defined by an access list. No multicast packets are allowed to flow across the boundary from either direction, except those packets explicitly allowed by the access list.

Controlling IP Multicast in a WLAN with APs

Figure 8-1 shows the topology for a WLAN using an AP. The IP multicast source is the IP/TV server (10.5.10.22). There are two multicast streams being sourced from the IP/TV server.

• 239.255.0.1 is a high-rate (1.4 Mbps) video stream.

• 239.192.248.1 is a low-rate (100 Kbps) video stream.

The low-rate stream is allowed and the high-rate stream is disallowed on the WLAN link. A multicast boundary is used to control multicast forwarding and IGMP packets.

Figure 8-1 Testbed for Wireless LAN using an Access Point

(Figure 8-1 diagram labels: IP/TV server 10.5.10.22, source for 239.255.0.1 (high-rate stream) and 239.192.248.1 (low-rate stream); Campus; L3-Switch; VLAN 200, 10.1.200.x (.1); 350 Access Point (.100); PC with 350 PC Card (.101))

In this configuration:

• L3-SWITCH connects to the campus network and the Cisco Aironet 350 Access Point (10.1.200.100).

• The VLAN 200 interface on L3-SWITCH has the IP address of 10.1.200.1 and is the interface that provides the boundary for IP multicast.

• The laptop computer (10.1.200.101) has a Cisco Aironet 350 PC Card and is running the IP/TV Viewer software.

Below is the configuration for L3-SWITCH.

interface Vlan200
 description WLAN VLAN
 ip address 10.1.200.1 255.255.255.0
 ip pim sparse-mode
 ! Enables PIM on the interface.
 ip multicast boundary IPMC-WLAN
 ! Boundary refers to named ACL “IPMC-WLAN” and controls
 ! multicast forwarding AND IGMP packets.
!
ip access-list standard IPMC-WLAN
 permit 239.192.248.1
 ! Permits low-rate stream (239.192.248.1).

Controlling IP Multicast in a P2P WLAN using Bridges

The same boundary that was deployed in the AP scenario is used with the bridge scenario. Figure 8-2 shows the topology for a WLAN using a bridge for a Point-to-Point (P2P) connection. The IP/TV server (10.5.10.22) is sourcing the same groups as in the previous example:

• 239.255.0.1 is a high-rate (1.4 Mbps) video stream.

• 239.192.248.1 is a low-rate (100 Kbps) video stream.

The low-rate stream is allowed and the high-rate stream is disallowed on the P2P wireless link. To control what multicast traffic passes over the P2P link, only the ip multicast boundary configuration on ROUTER is needed. Because the multicast boundary prevents hosts from joining unwanted groups, the network never knows to forward unwanted traffic over the P2P link.

Figure 8-2 Testbed for Point-to-Point Wireless Network using Bridges

(Figure 8-2 diagram labels: IP/TV server 10.5.10.22, source for 239.255.0.1 (high-rate stream) and 239.192.248.1 (low-rate stream); Campus; L3-Switch; VLAN 100, 10.1.100.x (.1); 350-Bridge-L (.100); 350-Bridge-R (.101); Router (.2 on 10.1.100.x, .1 on 10.1.101.x); L2-Switch-PWR; PC with 350 PC Card (.2 on 10.1.101.x))

In this configuration:

• L3-SWITCH (VLAN 100-10.1.100.1) connects to the campus network and the P2P wireless network.

• The P2P wireless link is made possible by two Cisco Aironet 350 Bridges, 350-Bridge-L (10.1.100.100) and 350-Bridge-R (10.1.100.101).

• ROUTER (10.1.100.2) connects to the P2P wireless network and the remote site network (10.1.101.1) via L2-SWITCH-PWR.

• The laptop computer (10.1.101.2) is running the IP/TV Viewer software.

If the remote side of the P2P link has a Layer 2 switch and no Layer 3 switch or router, then a boundary can be placed on the VLAN 100 interface of L3-SWITCH2. Also, in a Point-to-Multipoint (P2MP) deployment, a mix of both may be needed. Both configurations are shown here for reference.

Following is the configuration for L3-SWITCH.

interface Vlan100
 description VLAN for P2P Bridge
 ip address 10.1.100.1 255.255.255.0
 ip pim sparse-mode
 ! Enables PIM on the interface.
 ip multicast boundary IPMC-BRIDGE
 ! Boundary refers to named ACL “IPMC-BRIDGE.”
!
ip access-list standard IPMC-BRIDGE
 permit 239.192.248.1
 ! Permits low-rate stream (239.192.248.1).

To prevent unwanted IGMP messaging and multicast traffic from traversing the P2P wireless link on the receiver side (remote LAN - 10.1.101.x), an ip multicast boundary is configured on the Fast Ethernet 0/1 interface of ROUTER.

Following is the configuration for ROUTER.

interface FastEthernet 0/1
 description Local LAN in Remote Site
 ip address 10.1.101.1 255.255.255.0
 ip pim sparse-mode
 ! Enables PIM on the interface.
 ip multicast boundary IPMC-BRIDGE
 ! Boundary refers to named ACL “IPMC-BRIDGE.”
!
ip access-list standard IPMC-BRIDGE
 permit 239.192.248.1
 ! Permits low-rate stream (239.192.248.1).

Other Considerations

The following additional considerations apply to deploying IP multicast in a WLAN environment:

• The WLAN LAN extension via EAP and WLAN static WEP solutions can support multicast traffic on the WLAN; the WLAN LAN extension via IPSec solution cannot.

• The WLAN has an 11 Mbps available bit rate that must be shared by all clients of an AP. If the AP is configured to operate at multiple bit-rates, multicasts and broadcasts are sent at the lowest rate to ensure that all clients receive them. This reduces the available throughput of the network because traffic must queue behind traffic that is being clocked out at a slower rate.


• Cisco Group Management Protocol (CGMP) and/or Internet Group Management Protocol (IGMP) should be used to limit the multicast traffic on each AP to the traffic required by associated clients. If a client roams with these features configured on an upstream switch, the multicast stream might not be delivered to the new AP. To address this, the Cisco AP can be configured to generate a general IGMP query when a client associates or disassociates. This allows the upstream switch to learn which multicast groups are required on that AP.

• Multicast and broadcast from the AP are sent without requiring link-layer acknowledgement. Every unicast packet is acknowledged and retransmitted if unacknowledged. The purpose of the acknowledgement is to overcome the inherent unreliable nature of wireless links. Broadcasts and multicasts are unacknowledged due to the difficulty in managing and scaling the acknowledgements. This means that a network that is seen as operating well for unicast applications can experience degraded performance in multicast applications.

• Enterprise customers who are using WLAN in laptops would normally use Constant Awake Mode (CAM) as the Power-Save Mode. If delay-sensitive multicast traffic is being sent over the WLAN, customers should ensure that only the CAM configuration is used on their WLAN clients. Based on the 802.11 standard, if the client is in power-save mode, then the AP will buffer broadcast and multicast traffic until the next beacon period that contains a delivery traffic information map (DTIM) transmission. The default period is 200 ms. Enterprises that use WLAN on small handheld devices will most likely need to use the WLAN power-save features (Max or Fast) and should not attempt to run delay-sensitive multicast traffic over the same WLAN.

Summary

In summary, when using IP multicast in the WLAN, follow these recommendations.

• Place the WLAN AP or bridge on a separate VLAN or Layer 3 interface so multicast boundaries can be implemented.

• Use the ip multicast boundary command to prevent IGMP joins and multicast forwarding on denied multicast groups.

• In a WLAN using AP, the boundary should be placed on the VLAN or Layer 3 interface connecting to the AP.

• In a WLAN using bridges, the boundary is placed on the VLAN or Layer 3 interface connecting to the remote receiver side. If no Layer 3 capable device is used at the remote site, the boundary is placed on the VLAN or Layer 3 interface connecting to the bridge at the main site. Also, a combination of a boundary at the receiver side and bridge connection at the main site, may be needed in a P2MP deployment.

• Set the highest possible fixed data rate on the APs and bridges to ensure the best possible performance for multicast and data traffic.

• If dropped packets occur and impact the performance of the application, the fixed data rate on the APs and bridges may need to be reduced to ensure a better signal-to-noise ratio, which can reduce dropped packets.


CHAPTER 9

WLAN Rogue AP Detection and Mitigation

This appendix outlines the threat posed by rogue APs in the Enterprise Network and some strategies for preventing and detecting them. It is preferable to prevent rogue APs rather than detect them once created. The following methods summarize the keys to prevention:

• Provide enterprise employees with a secure WLAN infrastructure supported by an enterprise IT department. This removes the motivation for rogue AP installation.

• Implement 802.1x on enterprise edge switches to provide complete rogue AP prevention.

Methods for detecting rogue APs in the enterprise include wireless methods such as using the free Boingo WLAN hotspot locator client to detect WLANs and the use of sophisticated analysis tools on the Ethernet backbone. None of the available tools for detecting rogue APs guarantees the detection of all rogue APs and a combination of tools should be used to raise the probability of detection.

This appendix outlines the threat posed by rogue APs in the Enterprise Network and some strategies for preventing and detecting them. The following sections are presented:

• Rogue AP Summary and Scope of Problem, page 9-2

• Preventing and Detecting Rogue APs, page 9-6


Rogue AP Summary and Scope of Problem

Rogue APs are APs that have been installed on an Enterprise Network without the authorization of the enterprise IT department. Figure 9-1 illustrates the generalized rogue AP threat in the context of an enterprise environment. Refer to Table 9-1 for threat details.

Figure 9-1 Preventing Rogue APs

This appendix does not consider a misconfigured production AP to be a rogue AP. Cisco’s Wireless LAN Solution Engine (WLSE) is capable of checking the configuration on production APs. The Aptools program mentioned in “Using MAC Addresses to Detect Rogue AP” section on page 9-16 is also capable of checking the security configuration on discovered APs. This appendix divides people installing rogue APs into one of the categories described in Table 9-1.

(Figure 9-1 diagram labels: Subnet A, Subnet B, Layer 3)


This appendix discusses a variety of ways in which an enterprise can prevent and detect rogue AP installations. The focus here is on the Frustrated Insider class of user as they are considered to be the most common source of rogue AP installations and are the easiest to detect. Some of the techniques mentioned may detect the malicious hacker class of user, but as mentioned previously, it is best to concentrate on preventing this class of user through physical security and 802.1x. Rogue AP detection is broken into wireless, wired, and physical observation methods. A combination of these methods is necessary to be most effective.

Table 9-1 Typical Rogue AP Threats

Rogue AP Threat: Malicious Hacker (James Bond)

Threat Description: Someone who, having penetrated physical security once, installs an AP in order to access the Enterprise Network from outside the physical perimeter in the future.

Very difficult to detect because the intruder can customize the wireless AP to disguise it from tools designed to detect it.

Rogue AP prevention techniques such as physical security and 802.1x port-based security are most effective against this class of threat.

This class of user is more likely to install a specialized network device than an AP. An AP requires a hacker to be within range of the AP in order to use it. This is both inconvenient and dangerous for a hacker who is more likely to install a specialized device that establishes a tunnel outbound from the enterprise to another device somewhere on the Internet. The hacker might then use the pre-established tunnel to access the Enterprise Network from anywhere on the Internet. (See When Dreamcasts Attack in the “Security References” section on page 1-8.)

Rogue AP Threat: Frustrated Insider (James from Accounting)

Threat Description: Someone who installs an unauthorized AP in order to provide wireless coverage where none is officially available. For example, enabling wireless networking in a meeting room, cafeteria, outdoor space, or other common area.

The wide availability of low-cost APs makes this installation type very easy.

The threat posed by this class of installer is that the person installing the AP is often ignorant of security features that are necessary to prevent outsiders from accessing the Enterprise Network, and the consumer grade AP commonly used in this installation does not have the features to provide an enterprise level of security.


The Rogue AP Threat

Media attention has focused on the dangers posed by the tools and techniques available for detecting and gaining access to WLAN networks.

Most rogue APs are not installed securely and can be used by outsiders to gain access to an Enterprise Network. Some of the shortcomings of most rogue AP installations are:

• They often use well-known manufacturer default settings that provide little or no security

• They do not have WEP (encryption) enabled

• If WEP is enabled, the Cisco enhancements such as TKIP and MIC are not available or enabled

• If VPN protection is the company security policy for WLANs, rogue APs may be placed on the internal network instead of on the WLAN DMZ

The end result of these security shortcomings is that outsiders have a method to connect to the Enterprise Network without the need to first bypass physical security mechanisms such as locked doors, security guards, and vigilant employees.

Outsiders may wish to gain WLAN access for the following purposes:

• To gain free access to the Internet (via the Enterprise Network’s connection)

• To gain access to the Enterprise Network, possibly to launch attacks on other enterprise resources such as servers containing confidential information or running mission-critical applications.

• To observe confidential Enterprise WLAN traffic.

Media Attention to WLAN Security Weaknesses

A Google (http://www.google.com/) search on the term wardriving produces thousands of links describing the practice of using inexpensive off-the-shelf WLAN equipment to discover and map WLAN networks. Wardrivers can use a GPS to record the location of all WLAN networks found, and can upload this information to websites that track and make available the location and basic security settings of all WLAN networks discovered.

If a Frustrated Insider installs a poorly secured WLAN AP, it can be easily detected, mapped, and listed online by a wardriver.

In general, media attention has focused on the tools summarized in Table 9-2, both of which can be downloaded from the Internet free of charge.

Table 9-2 Wireless Detection Tools

Tool          Description

Netstumbler   http://www.netstumbler.com/
              Free Windows and WinCE software that scans for wireless APs. Provides information about SSID, whether WEP is enabled, 802.11 channel, signal strength, location (if used with GPS) and more.

Airsnort      Free WLAN tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. WEP plus TKIP and MIC strengthens WEP, preventing key recovery.


With Netstumbler, an outsider can discover the existence of an insecure wireless LAN, and can then access the WLAN to gain access to the Enterprise Network or to observe confidential WLAN traffic.

If Netstumbler shows that WEP is being used to encrypt WLAN traffic, Airsnort can be used to determine the WEP key.

If Netstumbler shows that the WLAN has been installed with no WEP enabled, then network access can be gained just by configuring the client to match the detected network.

Figure 9-2 illustrates a screen capture taken from a Pocket PC during a commute to work. Netstumbler identified 68 access points. The first column of the display indicates whether or not WEP is enabled for each AP discovered. Other information such as 802.11 channel, Signal-to-Noise Ratio (SNR), and (if a GPS is connected) longitude and latitude can also be displayed.

Figure 9-2 Netstumbler on PPC (MiniStumbler)

The Netstumbler capture shown in Figure 9-2 was taken from within a moving car; no specialized equipment, such as an external antenna, was necessary.

Another phenomenon receiving media attention is warchalking, where chalk symbols are placed on buildings signifying the presence and characteristics of wireless LAN networks. For more information on warchalking, perform a Google search on warchalk, or go to the following website:

http://www.blackbeltjones.com/warchalking/index2.html

Truth About WLAN Security

WLANs can be deployed securely using standards-based EAP mechanisms such as EAP-Cisco, EAP-TLS, or EAP-TTLS, or by using VPNs to segregate the WLAN from the rest of the Enterprise Network.

The threat posed by rogue APs can be mitigated. This chapter provides recommendations aimed at minimizing the risk rogue APs represent to Enterprise Networks. The discussion focuses on the following topics:

• Prevention


– Corporate Policy

– Physical security

– Supported WLAN infrastructure

– 802.1x port based security on edge switches

• Detection

– Using wireless analyzers/sniffers

– Using scripted tools on the wired infrastructure

– By physically observing WLAN AP placement and usage

Preventing and Detecting Rogue APs

Figure 9-3 summarizes the primary options in preventing and detecting rogue APs. Suggestions for specific actions are detailed in the following sections:

• Preventing Rogue APs, page 9-7

• Detecting Rogue APs Wirelessly, page 9-12

Figure 9-3 Rogue AP Prevention and Detection

[Figure 9-3 is a network diagram: Subnet A and Subnet B joined at Layer 3, annotated with the detection options (active wireless audit, physical observation, regular scripted audits) and the prevention options (secure/supported WLAN infrastructure provided, 802.1x on switches, WLAN policy, physical security).]


Preventing Rogue APs

The first priority for Enterprise IT security departments should be to prevent rogue APs. The following sections present prevention suggestions:

• Corporate WLAN Policy, page 9-7

• Physical Security, page 9-7

• Supported Wireless Infrastructure, page 9-7

• IEEE 802.1x Port-based Security to Prevent APs, page 9-7

• Using Catalyst Switch Filters to Limit MAC Addresses per Port, page 9-10

Corporate WLAN Policy

An enterprise policy concerning WLAN installations is an essential first step in preventing rogue APs. The WLAN policy should include a list of the IT staff authorized to install WLAN APs and details of the mandatory security policies to be followed when WLANs are installed.

Physical Security

Physical security also plays a part in rogue AP prevention. Physical security standards should be in place to prevent an intruder from gaining unauthorized access to the enterprise premises or to detect the intruder if physical access is gained.

Supported Wireless Infrastructure

Given that almost all rogue APs are installed by the Frustrated Insider class of user, the best way to prevent such rogue installs is to remove the motivation for them. Installing a managed, supported, and secure WLAN network throughout the enterprise removes the motivation for employees to install rogue APs.

A WLAN network provides proven productivity gains as well as removing the motivation for almost all rogue AP installations.

IEEE 802.1x Port-based Security to Prevent APs

Cisco switches support an IEEE standard called 802.1x which provides port-based security. With 802.1x enabled on switches and APs at the edge of the network, no device can be connected unless the device is able to 802.1x authenticate to a RADIUS server behind the switch.


Figure 9-4 Preventing Rogue APs with 802.1x Port-based Security

How IEEE 802.1x Port Based Security Works

The IEEE 802.1x standard allows the implementation of port-based network access control to a network device. The mechanism relies on the 802.1x link-layer protocol to transport EAP messages to the authenticator device. In this case a Cisco Catalyst switch is used—which in turn relays the received EAP information to a CiscoSecure Access Control Server using the RADIUS protocol.

The Network Access Control and Policy Enforcement solution from Cisco provides the network with the following services and abilities:

• User and/or device authentication.

• Granting or denying network access at an individual port level, based on configured authorization policy.

• Enforcing additional applicable policies, such as resource access and quality of service, on any access granted.

These abilities are introduced when a Cisco end-to-end solution is implemented with the following features and technologies:

• Cisco Catalyst 4000 or 6000 family switches

• Cisco Catalyst 2950 or 3550 switches

• CiscoSecure Access Control Server (ACS) for Windows v3.1

• An 802.1x compliant client operating system, such as Microsoft Windows XP, Windows 2000, or Windows 98 (see below for details)

• Optionally, for strong authentication, an X.509 Public Key Infrastructure (PKI) certificate architecture

By configuring 802.1x compliant client software with a PKI certificate, or username and password, the Cisco Catalyst family switches running 802.1x features authenticate the requesting user or system in conjunction with a back-end CiscoSecure ACS server. Figure 9-5 illustrates these concepts.

[Figure 9-4 shows an Authorized Access Point and a Rogue Access Point attached to a switch, with 802.1x pushed to the WLAN edge and 802.1x disabled only on the Authorized AP switch ports.]


Figure 9-5 802.1x Operation

User or device credentials and reference information are processed by the CiscoSecure ACS server. CiscoSecure ACS can reference user or device policy profile information either internally, using the integrated user database, or from external database sources such as Microsoft Active Directory, LDAP, Novell NDS, or Oracle databases. This allows the solution to be integrated into existing user management structures and schemes, thereby simplifying overall management.

Table 9-3 summarizes 802.1x authentication types supported and available on Cisco switches and APs.

802.1x Client Support

The 802.1x client device requires a stack that supports 802.1x. This client code is called an 802.1x supplicant. The following are current 802.1x supplicants:

• Microsoft Windows XP Professional (Integrated)

• Microsoft Windows 2000 and 2000 Server, NT 4.0, ME, 98 and 98SE (Microsoft add-on):
  http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp
  http://support.microsoft.com/default.aspx?scid=kb;en-us;313664

• Linux (Open Source add-on)

• Sun Solaris (Open Source add-on)

• EAP-Cisco client (wireless only)

• Funk client http://www.funk.com/

• MeetingHouse Client http://www.mtghouse.com/products/client/index.shtml

[Figure 9-5 shows the 802.1x exchange between the client, the switch, the CiscoSecure ACS server and the policy database, with the numbered messages: Login Request; Login Info; Check with Policy DB; This is John Doe! John Doe is allowed access; Login good! Allow access; Switch enable port.]

Table 9-3 Supported/Available 802.1x Authentication Types (Cisco Switches and APs)

Wireless ports    Wired ports
EAP-Cisco         -
Protected EAP     Protected EAP
EAP-TLS           EAP-TLS
-                 EAP-MD5 (not suitable for wireless due to lack of mutual authentication support)


Although the above client stacks allow enterprises to enable 802.1x on most PCs, there are likely to be some network-attached devices that lack 802.1x support. Devices that are not 802.1x capable include:

• IP phones

• Printers

Note HP has 802.1x support in wireless Jet-Direct printers and is considering support for wired printers.

• WLAN APs

Enabling 802.1x Support on the Switch

By default, 802.1x is disabled on CatOS switches. In order to enable it, the following command must be issued.

set dot1x system-auth-control enable

This enables the 802.1x authentication control feature globally.

Catalyst switches allow the configuration of various per port options with regards to 802.1x behavior. Amongst those options are the ability to enable/disable port authentication, enable/disable periodic re-authentication, or enable/disable 802.1x multiple host mode. The following is an example configuration command line segment illustrating these features:

# Port Level 802.1x configuration
# Setting “port-control” to “auto” requires 802.1x login for that port.
set port dot1x 3/2 port-control auto

# Setting the port-control state to force-authorized disables login requirements.
set port dot1x 3/1,3/3-48 port-control force-authorized

# Multiple host allowance per port can be enabled with the following command.
# By default only one host is allowed per port.
set port dot1x 3/2 multiple-host enable
set port dot1x 3/1,3/3-48 multiple-host disable

# Periodic re-authentication may be enabled for added security.
# By default re-authentication is disabled.
set port dot1x 3/2 re-authentication enable
set port dot1x 3/1,3/3-48 re-authentication disable

Using Catalyst Switch Filters to Limit MAC Addresses per Port

The set port security command allows an administrator to restrict the number of MAC addresses that can be associated with a switch port, and the action to take if more than that number of MACs are seen (shutdown or deny additional).

Note This command is not necessary if 802.1x is used to provide port-based security as 802.1x limits the number of MAC addresses per-port by default.

With this command, it is possible to limit the number of MAC addresses to one (for a user PC) or two (for a user IP phone and PC). With this command enabled, it might be possible to connect a rogue AP to the network (instead of a phone or a PC), but it would not be possible to use the AP.


Configuring Catalyst Switch Filters to Limit MAC Addresses per Port

If you enter the set port security enable command but do not specify a MAC address, the first MAC address seen on the port becomes the secure MAC address.

If you enter the set port security enable maximum num_of_mac command, you can specify the number of MAC addresses to secure on a port.

Limitations of Using Catalyst Switch Filters to Limit MAC Addresses per Port

In an IP phone environment, two MAC addresses are needed per port: one for the phone and one for the user PC. If a rogue AP were plugged into an unused port on the network, one wireless client could associate to it without being blocked by the port filter.

Detecting Rogue APs

In addition to the rogue AP prevention mechanisms mentioned in the “Preventing Rogue APs” section on page 9-7, a combination of the following rogue AP detection methods should also be used by the IT security administrator:

• Detecting Rogue APs Wirelessly, page 9-12

• Other Wireless Analyzers, page 9-13

• Detecting Rogue AP from the Wired Network, page 9-15

• Detecting Rogue APs Physically, page 9-19

Figure 9-6 summarizes these detection options.

Figure 9-6 Detecting Rogue APs

[Figure 9-6 is a network diagram: Subnet A and Subnet B joined at Layer 3, annotated with the detection options: active wireless audit, physical observation, regular scripted audits.]


Detecting Rogue APs Wirelessly

Detecting rogue APs wirelessly is the process of using WLAN hardware and software to detect rogue APs. Table 9-4 summarizes the advantages and disadvantages of wireless detection of rogue APs.

Using Boingo for AP Detection

Boingo is a free client utility that can be downloaded from http://www.boingo.com/. The Boingo client is intended to sniff for WLAN hotspots and provides an easy way for users to connect to hotspots that are part of the Boingo network.

The Boingo client detects most WLAN networks and displays their presence, even if they are not part of the Boingo network. This makes Boingo an ideal tool for very lightweight rogue AP detection.

Boingo needs to be able to see the WLAN SSID in order to display it. Boingo can detect the SSID in one of two ways:

• The WLAN is broadcasting its SSID—The Frustrated Insider class of user is responsible for the vast majority of rogue AP installs, and this type of user is unlikely to have the sophistication or intent to turn SSID broadcast off.

• The WLAN is not broadcasting its SSID—For Boingo to detect a non-broadcast SSID, the WLAN must be active enough for the Boingo client to observe a probe-request/probe-response sequence. The WLAN SSID is always visible in this sequence of frames. This sequence does not happen very often and is unlikely to be observed during a one-time audit of an area with a lightly loaded rogue AP.

Installing Boingo

The Boingo download is about 10 Mbytes. The install is quick and simple and does not normally require the PC to be rebooted.

Once installed, Boingo starts automatically when Windows is started. Boingo has some impact on normal WLAN operation because it briefly stops transmitting WLAN frames in order to scan all 802.11 channels for WLAN networks. After installation, users might wish to prevent Boingo from auto-starting with Windows by removing it from the Start>Programs>Startup folder. Boingo can then be started manually, as required.

Table 9-4 Advantages and Disadvantages of Wireless Detection of Rogue APs

Wireless Detection Advantages:

• Often picks up APs that the other rogue AP detection methods miss.

• Very effective at detecting APs installed by the Frustrated Insider class of installer (default security options/broadcast SSID).

Wireless Detection Caveats:

• You must be within range of an AP to be able to detect it. Requires labor-intensive walking around with an analyzer.

• Many tools do not see APs that do not broadcast their SSID.

• Cannot easily survey remote sites.

• WLAN AP signals are often difficult to pick up due to building materials blocking 802.11 signals.


Using Boingo

When Boingo is running, it is visible as a white letter B icon on the task bar. Double-clicking this icon launches the Boingo application, where all visible 802.11 WLAN networks are displayed. A sample Boingo screen is shown in Figure 9-7.

Figure 9-7 Sample Boingo Screen

Other Wireless Analyzers

There are many other WLAN analyzers available, which are to various degrees capable of detecting rogue APs. Table 9-5 outlines several wireless analyzers.

Table 9-5 Summary of Wireless Analyzers

Wireless Analyzer   Web Location, Description and Comments

Airmagnet      www.airmagnet.com
               A full-featured WLAN site-survey tool running on a Compaq iPaq. A commercial product.

Netstumbler    www.netstumbler.org/
               Free software that can be downloaded from the Internet. Detects WLAN APs and displays information about them. Very popular and well known.

Sniffer        www.sniffer.com
               Professional wireless analyzer. It can be used to help look for rogue APs:
               • By defining filters to look for beacons, but to exclude authorized SSIDs.
               • By defining filters to look for the MAC OUIs of known AP vendors.


Wildpackets    www.wildpackets.com/products/airopeek
               Professional wireless analyzer. It can be used to help look for rogue APs:
               • By defining filters to look for beacons, but to exclude authorized SSIDs.
               • By defining filters to look for the MAC OUIs of known AP vendors.

Observer       www.networkinstruments.com/
               It can be used to help look for rogue APs:
               • By defining filters to look for beacons, but to exclude authorized SSIDs.
               • By defining filters to look for the MAC OUIs of known AP vendors.

Finisar Surveyor   www.gofinisar.com/products/protocol/wireless/surveyor_w.html
               It can be used to help look for rogue APs:
               • By defining filters to look for beacons, but to exclude authorized SSIDs.
               • By defining filters to look for the MAC OUIs of known AP vendors.

Wellenreiter   www.remote-exploit.org/
               Similar to Netstumbler. Detects WLAN APs and displays information about them. Less popular or well known than Netstumbler.

Kismet         www.kismetwireless.net/
               Open source wireless sniffer. It can be used to help look for rogue APs by defining filters to look for beacons, but to exclude authorized SSIDs.

dachb0den      www.dachb0den.com/projects/bsd-airtools.html
               Seems to be a combination of Netstumbler and Airsnort functionality. Not very well known.

Hornet         www.bvsystems.com/Products/WLAN/Hornet/hornet.htm
               Dedicated hardware that looks for a list of AP MAC addresses configured and downloaded from a PC.



Once a WLAN analyzer has detected a suspected rogue AP, a directional antenna on the analyzer is a very useful aid in locating the AP.

A host of WLAN tools is maintained on the NetworkIntrusion link pointed to in the “Links and References” section on page 1-8.

Detecting Rogue AP from the Wired Network

A combination of the following rogue AP detection methods should be used by IT security administrators:

• Using MAC Addresses to Detect Rogue AP, page 9-16

• Using Operating System Fingerprinting to Detect Rogue APs, page 9-17

• Using SNMP to Detect Rogue APs, page 9-18

• Using Cisco Emergency Responder to Locate AP-based on MAC Address, page 9-18

• Using Intrusion Detection to Detect Rogue APs, page 9-18

A large number of software tools are available to aid in detecting rogue APs from a wired management station on the Ethernet portion of the network.

Table 9-6 summarizes the advantages and disadvantages of wired detection of rogue APs.

Table 9-5 Summary of Wireless Analyzers (continued)

Wireless Analyzer   Web Location, Description and Comments

IBM Distributed Wireless Security Auditor   www.research.ibm.com/gsal/dwsa/
               Prototype only—not for sale. Uses client software on enterprise NICs to detect and report on all detected APs and their security settings. A back-end system compares the list of detected APs with a list of authorized APs and alerts on unknown APs.

IBM TP General—IBM Access Connections for Windows 2000/XP   www.pc.ibm.com/qtechinfo/MIGR-4ZLNJB.html
               Access Connections is a connectivity assistant program for your ThinkPad computer. It enables you to quickly switch the network settings and Internet settings by selecting a location profile. You can define the network settings and Internet settings in the Location Profile for modem/wired LAN/wireless LAN network devices and then restore that profile whenever you need it. By switching the location profile, you can connect to the network instantly without reconfiguring your settings when you move from office to home or on the road.

Table 9-6 Advantages and Disadvantages of Wired Rogue AP Detection

Advantages:

• Easier to monitor networks on a more real-time basis.

• Automated—less manpower intensive.

• Easier to survey remote sites.

Disadvantages:

• Can miss some rogue APs.

• Most of the software is immature and/or not specifically written to detect rogue APs.

• May create false-positives on intrusion detection systems and personal firewalls.


Using MAC Addresses to Detect Rogue AP

Some tools detect rogue APs by looking for known AP MAC addresses (vendor OUIs), or by cataloging all authorized MAC addresses in the network and looking for new ones.

The latter approach has the advantage of alerting IT administrators when an unauthorized non-AP device (such as an unauthorized laptop) is connected to the network, but it also leads to more false-positives.

Known AP MAC Addresses

Table 9-7 provides a partial list of MAC OUIs used by AP vendors. This table was obtained from the aptools site at aptools.sourceforge.net.

Table 9-7 Partial Listing of MAC OUIs

Manufacturer                   MAC Address Range (OUI prefixes)
3Com                           0001.03 | 0004.76 | 0050.da | 0800.02
Addtron                        0040.33 | 0090.d1
Advanced Multimedia Internet   0050.18
Apple                          0030.65
Aironet                        0040.96
Atmel                          0004.25
Bay Networks                   0020.d8
BreezeNet                      0010.e7
Cabletron (Enterasys)          0001.f4 | 00e0.63
Camtec                         0000.ff
Compaq                         0050.8b
D-Link                         0005.5d | 0040.05 | 0090.4b
Delta Networks                 0030.ab
Intel                          0002.b3
Linksys                        0003.2f | 0004.5a
Lucent                         0002.2d | 0060.1d | 0202.2d
Nokia                          00e0.03
Samsung                        0000.f0 | 0002.78
Senao Intl                     0002.6f
SMC                            00e0.29 | 0090.d1
SOHOware                       0080.c6
Sony                           0800.46
Symbol                         00a0.f8 | 00a0.0f
Z-Com                          0060.b3
Zoom                           0040.36
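Added example (not Cisco's code, nor that of aptools or arpwatch) of the wired-side check this section and Table 9-7 describe: normalize the MAC formats a collector such as arpwatch or a switch CAM table reports, drop everything in the authorized inventory, and rank the remainder by whether the OUI belongs to an AP vendor. The OUI subset, the inventory and the five sample records are constructed for the example; the same OUI lookup is the filter the wireless analyzers in Table 9-5 apply to beacon source addresses.

```python
"""Wired-side rogue AP check: authorized inventory first, AP vendor OUI
(Table 9-7) as the ranking hint.  Added example, not Cisco's own code."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Subset of Table 9-7; keys are the 24-bit OUI as six lowercase hex digits.
AP_VENDOR_OUIS = {
    "000103": "3Com", "000476": "3Com", "0050da": "3Com", "080002": "3Com",
    "004096": "Aironet",
    "00508b": "Compaq",
    "00055d": "D-Link", "004005": "D-Link", "00904b": "D-Link",
    "0002b3": "Intel",
    "00032f": "Linksys", "00045a": "Linksys",
    "00022d": "Lucent", "00601d": "Lucent", "02022d": "Lucent",
    "00a0f8": "Symbol", "00a00f": "Symbol",
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (0040.9612.3456), colon or dash notation and
    return the 12 hex digits in lowercase so different sources compare."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def ap_vendor(mac: str) -> Optional[str]:
    """Vendor name if the OUI is in the AP vendor table, else None."""
    return AP_VENDOR_OUIS.get(normalize_mac(mac)[:6])


@dataclass
class Finding:
    mac: str
    ip: str
    port: str
    vendor: Optional[str]
    verdict: str


def audit(records: Iterable[tuple], authorized_macs: Iterable[str]) -> list:
    """records: (mac, ip, switch_port) triples as a collector reports them.
    Devices in the authorized inventory are never reported; everything else
    is reported and ranked by whether its OUI belongs to an AP vendor.  The
    OUI match is only a hint: a Compaq laptop shares the Compaq OUI, which
    is the false-positive source the text warns about."""
    allowed = {normalize_mac(m) for m in authorized_macs}
    findings = []
    for mac, ip, port in records:
        norm = normalize_mac(mac)
        if norm in allowed:
            continue
        vendor = AP_VENDOR_OUIS.get(norm[:6])
        verdict = "possible rogue AP" if vendor else "unauthorized device (not an AP OUI)"
        findings.append(Finding(norm, ip, port, vendor, verdict))
    return findings


# Constructed sample input: what a collector might report for one switch.
SAMPLE_RECORDS = [
    ("0040.9612.3456", "10.1.1.20", "3/5"),      # authorized Aironet AP
    ("0002.b3aa.bbcc", "10.1.1.30", "3/12"),     # authorized PC with Intel NIC
    ("0003.2f11.2233", "10.1.1.77", "3/9"),      # Linksys OUI, not in inventory
    ("00:50:8b:01:02:03", "10.1.1.99", "3/15"),  # Compaq OUI, not in inventory
    ("0000.0c44.5566", "10.1.1.88", "3/21"),     # OUI not in the AP table
]
# Constructed inventory; note the formats differ from the collector's.
AUTHORIZED_MACS = {"0040.9612.3456", "00:02:b3:aa:bb:cc"}

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS, AUTHORIZED_MACS):
        tag = f" [{f.vendor}]" if f.vendor else ""
        print(f"port {f.port:<5} {f.mac} {f.ip:<12} {f.verdict}{tag}")
```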


Known MAC Addresses Monitoring Tools

Table 0-8 presents a summary of monitoring tools for APs based on known MAC addresses.

Using Operating System Fingerprinting to Detect Rogue APs

Operating system (OS) fingerprinting tools are typically used by hackers to learn more about a host behind an IP address. This knowledge is usually desired so that the hacker is better able to launch attacks at any known or identified weak spots for that host OS.

OS fingerprinting works by observing particular characteristics of individual OSs such as the way they respond to TCP packets with obscure TCP flags and options enabled.

OS fingerprinting tools are capable of correctly identifying some APs, but have not been tested for this publication. Table 9-9 lists known OS fingerprinting tools.

Table 0-8 Summary of Monitoring Tools for APs Based on Known MAC Addresses

Monitoring Tool   Web Location, Description and Comments

APTools        aptools.sourceforge.net
               aptools.sourceforge.net/wireless.ppt
               Can discover APs based on MAC address, then determine whether the device is an AP (not a wireless NIC) via HTTP. Can also check security settings (WEP) and SNMP settings via HTML.

arpwatch       www-nrg.ee.lbl.gov
               Arpwatch is a tool that monitors Ethernet activity and keeps a database of Ethernet/IP address pairings. It also reports certain changes via email.


Using SNMP to Detect Rogue APs

SNMP is not thought to be a very effective way to detect rogue APs. Most rogue APs probably would not have SNMP enabled. Even if they did, SNMP community strings would probably be unknown.

If an SNMP tool is required for rogue AP detection, CiscoWorks for Windows would be a suitable tool. Refer to the following URL for more information:

http://www.cisco.com/en/US/products/sw/cscowork/ps2406/index.html

Using Cisco Emergency Responder to Locate AP-based on MAC Address

Cisco Emergency Responder provides a system for tracking and maintaining the exact location of every Ethernet switch port termination.

The location information available from the Cisco Emergency Responder can be useful in quickly locating and apprehending people connecting unauthorized equipment such as rogue APs into an Enterprise Network.

More information on the Cisco Emergency Responder is available at the following URL:

http://www.cisco.com/en/US/products/sw/voicesw/ps842/index.html

Using Intrusion Detection to Detect Rogue APs

Cisco has an extensive line of network intrusion detection equipment. At this time, Cisco does not have intrusion detection equipment capable of detecting the presence of rogue APs.

Intrusion detection equipment is still necessary to detect any suspicious activity that might result from unauthorized use of a rogue AP.

Table 9-9 Summary of Known OS Fingerprinting Tools

OS Fingerprinting Tool   Web Location, Description and Comments

NMAP           www.insecure.org/nmap/index.html
               www.insecure.org/nmap/nmap-fingerprinting-article.html
               Very well known, popular and respected tool. Unproven as a rogue AP detection tool, but may be useful in conjunction with other rogue AP detection techniques. Generates alerts in intrusion detection and personal firewall systems.

xprobe         www.sys-security.com/html/projects/X.html
               Xprobe 1 combines various remote active operating system fingerprinting methods using the ICMP protocol—which were discovered during the ICMP Usage in Scanning research project—into a simple, fast, efficient and powerful way to detect the underlying OS of a targeted host.
               Xprobe2 is an active operating system fingerprinting tool with a different approach to operating system fingerprinting. Xprobe2 relies on fuzzy signature matching, probabilistic guesses, multiple matches simultaneously, and a signature database.
               Unproven as a rogue AP detection tool, but may be useful in conjunction with other rogue AP detection techniques. Generates alerts in intrusion detection and personal firewall systems.


More information on Cisco Intrusion Detection is available at:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/index.html

Detecting Rogue APs Physically

IT security personnel can also detect unauthorized WLAN activity by physically observing the work environment. IT security personnel should be alert for the following:

• Unauthorized WLAN APs in visible locations.

• Employees using WLAN access in locations where WLAN access should not be available.

• Warchalk symbols denoting WLAN availability. See http://www.warchalking.org/ for more information.


Chapter 10

WLAN Guest Network Access

This chapter presents the advantages, risks, and proposed configuration for a WLAN Guest Network access and addresses the following key topics:

• Reasons for providing Guest Network access

• WLAN as one of the best mechanisms for providing Guest Network access

• Caveats to consider in a WLAN Guest Network implementation

• Example configurations for Cisco AP350s and AP1100s

The need for guest access has evolved as the needs of guests have evolved. Once it was sufficient to provide guests with a chair and a phone; now, in the age of laptops, networked applications, and digital phone lines, the guest is disconnected while visiting your enterprise.

Guest Networks are network connections provided by an enterprise to allow their guests to gain access to the Internet, and to the guest’s own enterprise, without compromising the security of the host enterprise. Figure 10-1 illustrates the Guest Access Network concept. Guests are within the Enterprise Network, but are only able to access the Internet; enterprise employees have full access to the enterprise applications and the Internet.

This chapter addresses Guest Access WLANs in the following sections:

• Benefits of Guest Network Access, page 10-3

• Deployment Considerations and Caveats, page 10-4

• Guest WLAN Recommendations, page 10-5

• Configuring Guest WLANs, page 10-7


Figure 10-1 Guest Access Network

[Figure 10-1 shows the Enterprise Network with Employees and Guests, Enterprise Apps and the Internet: the fixed network provides a wired guest network back to the Internet, and the Enterprise AP uses WLAN VLANs to provide both enterprise and guest WLANs. Employees reach Enterprise Apps and the Internet; Guests reach only the Internet.]


Benefits of Guest Network Access

At first blush, the lack of network access for guests may not seem to be an issue, but we need to remember that the guest is there because we want them there. The guest may be a business partner, a technician, or a salesperson who has been brought to the enterprise to perform a task, and without Guest Network access their performance is degraded. As businesses become more networked, with outsourcing of non-core activities, this degradation increases if network access is not provided.

The primary benefits of Guest Network access are presented in the following discussions:

• Increased Security, page 10-3

• Increased Productivity, page 10-3

• Benefits of WLAN Guest Network Access, page 10-3

Increased Security

It may appear counter-intuitive that Guest Network access increases security, but the reality is that Guest Network access already occurs in Enterprise Networks, in an uncontrolled manner. These guests are not hackers; they are simply highly motivated people trying to get their job done. The main concern with these guests is that they are a potential source of viruses, worms, and Trojans: the PC with which they connect to the Enterprise Network might not have the security systems that exist on the local enterprise PCs.

Guest Network access provides guests of this type with a way to connect to an Enterprise Network in order to be more productive, while limiting the risk to the host organization. Why risk violating policy, and the relationship with the host, when there is a credible solution?

Increased Productivity

The guest of an enterprise is there for a reason: the enterprise wants them to perform a task. The more efficiently this task is performed the better it is for both enterprises. If a service technician is visiting the enterprise, it is in the enterprise's interest for that service or repair to happen in the minimum amount of time and with the least amount of disruption.

If a salesperson is visiting the enterprise, it is in the enterprise’s interest that the presentation be accurate and up-to-date. By having immediate access to information, the salesperson is able to position products appropriately and answer as many questions as possible while at the enterprise. This immediate responsiveness could potentially lead to orders being placed while on-site.

Benefits of WLAN Guest Network Access

WLAN technology can provide Guest Network access because of the following characteristics:

• Provides wide coverage, including areas such as lobby and waiting rooms that may not traditionally have cabling

• Removes the need to have a dedicated location for guest access

• Allows partners to access their network resources while in meeting rooms and offices, giving them the productivity benefits that the WLAN gives the enterprise employees.


Deployment Considerations and Caveats

The greater reach of a WLAN, an advantage when deploying Guest Networks, also introduces issues:

• User Authentication—People who are not guests may access the Guest Network through their physical proximity to the WLAN Guest Network. This is not an issue in a wired network, as the guest has to be brought past the physical security. This means that the WLAN Guest Network requires user authentication, authorization and accounting, above that required for the wired network.

• Authentication Options—There are currently two models for authenticating guests:

– The use of a web interface such as Cisco Building Broadband Service Manager (BBSM) or Cisco IOS Authentication Proxy.

– The use of a specialized client such as 802.1x/EAP clients or IPSec clients.

• Web Authentication—Web interface authentication relies on the ubiquity of HTML browsers. Prior to using the Guest Network, users must launch their HTML browser and try to access a web site. The browser is redirected to an authentication page, and the user must enter their authentication details before access is granted. HTML browser authentication does not generate dynamic per-session encryption keys and, in order to make the WLAN easy to use and easy to support, no static encryption is used on the WLAN link. This means that authenticated users are distinguishable from unauthenticated users only by their IP addresses and MAC addresses (if on the same Layer-2 network). As both are sent in clear text, anyone within radio range can read an authenticated user's IP and MAC address and, by spoofing them, inherit that user's authenticated access.

• BBSM—Specifically designed for guest access applications. Apart from providing a sophisticated HTML-controlled user interface, it provides MAC-level authentication if the client is on the same Layer-2 network as the BBSM, and uses switch and AP management interfaces to control where and when a client can use the network.

• Cisco IOS Authentication Proxy—Included in the Cisco IOS firewall feature set; provides a simple HTML interface; and controls access based upon a client's IP address.

• Specialized Clients—Ideally guests should use 802.1x/EAP to authenticate to the Enterprise Network, and generate a dynamic encryption key for their wireless session. This would be the preferred solution as it provides authentication, authorization and privacy. Given that different enterprises are at different stages in their 802.1x/EAP maturity, guests cannot (yet) be expected to have compatible 802.1x/EAP clients on their PCs.

• IPSec VPN Clients—Another client that offers strong authentication, authorization and privacy and could potentially be used as a Guest Network access client. The major barrier in this case would be the installation of an appropriate client on guest machines, and the interaction of two IPSec VPN clients—one client providing guest access and the other client providing secured access across the Internet to the guest’s home network.

• Time of Day Control—Just as physical security can control who has access to the wired network, it can also control who is present at a particular time of day. As WLAN cannot rely upon physical security to control users it cannot stop users from accessing the network outside of permitted hours. This means that the WLAN Guest Network must provide time of day control over when the service is made available.

• Additional Security—Given the weaknesses described above, the WLAN Guest Network cannot be considered as secure as the wired network and might require additional policies, processes, configuration, and equipment to ensure that an attack on the Enterprise Network through the WLAN Guest Network is not successful.


• Wired Network—The WLAN Guest Network is simply a WLAN VLAN configuration; the wired network contains the key components that control the Guest Network. Guests get authenticated access to the Internet, while ensuring that guests are not able to access the host enterprise's systems. There are three primary configurations in the wired network:

– VLAN controlled access, where the wired Guest VLAN is extended all the way to the authentication device and the Internet.

– ACL controlled access, where guest traffic shares the same Layer-3 network as enterprise traffic to get to the Internet, but is prevented from accessing the Enterprise Network through the use of ACLs.

– Routing table separation, where Guest Network traffic uses separate routing tables on the Enterprise Network to prevent access to the Enterprise Network.

The choice of which wired-network configuration is best depends on the existing Enterprise Network. The configuration of the wired Enterprise Network to provide Guest Network access and the transport of Guest Network traffic is discussed in Chapter 5, “Wireless LAN VLANs.”

• Other Considerations from Wired Network—Even though the WLAN Guest Network is primarily a WLAN extension of a wired Guest Network, the lack of control over physical access, and the possibility of spoofing legitimate users to gain access, heighten the security risk associated with Guest Networks. Therefore additional tools, such as Intrusion Detection Systems (IDS), should be considered to detect suspicious behavior.

Guest WLAN Recommendations

The following actions are key Guest WLAN setup recommendations:

1. Create a Guest WLAN VLAN with no encryption, open authentication, and a broadcast SSID.

2. Choose a Wired Guest Network model that best fits your Enterprise Network.

3. Choose an HTML authentication service that best fits your needs and topology.

4. Add application filters, time of day controls and IDS as required.

Key Guest WLAN recommendation considerations follow:

• Recommended 802.11 Configuration for WLAN Guest Network, page 10-5

• VLANs and WLAN Implementation, page 10-6

Recommended 802.11 Configuration for WLAN Guest Network

The biggest challenge in WLAN Guest Network access is to support the widest number of possible guests without having to provide IT support for the guests. It is recommended that WLAN Guest Network access use:

• A Broadcast SSID—Some WLAN clients only operate with a broadcast SSID.

• Open Authentication—The default configuration.

• No Encryption—The entry and format of the WEP key varies from client to client, users can easily incorrectly enter the WEP key, and the WEP key would quickly become compromised as it is being distributed in an uncontrolled manner.

This allows the Guest Access WLAN to adopt the minimum configuration while serving the widest range of WLAN clients. It also matches the configuration most used in WLAN hotspots today.


Figure 10-2 shows the Aironet Client Utility (ACU) configuration that would be used to gain access to the Guest Network. The key features of this setup are as follows:

• The SSID is configured to match the SSID that is broadcast by the enterprise WLAN Guest Network; a blank entry would also suffice if the AP is configured as recommended in this document.

• Network Security Type is none; this is “Open Authentication”.

• No WEP is selected.

Figure 10-2 ACU Configuration

VLANs and WLAN Implementation

It is assumed that enterprise employees as well as guests are using the WLAN. This means that a WLAN VLAN must be configured on the APs to allow efficient use of the WLAN infrastructure, and wired VLANs are used on the wired network access layer to separate Guest Network traffic from enterprise employee network traffic.


Configuring Guest WLANs

This section presents the following discussions addressing Guest WLAN configuration:

• Network Topology, page 10-7

• AP and Switch Configuration, page 10-8

• AP 1200 Configuration, page 10-11

• AP 1100 Configuration, page 10-14

Network Topology

Figure 10-1 on page 10-2 shows a general schematic illustrating how Guest Network traffic is tunneled across the Enterprise Network. This tunnel can be achieved via multiple technologies depending on the Enterprise Network architecture and requirements.

Figure 10-3 shows a schematic of three different tunnel possibilities:

• VLAN Separation—The Guest VLAN is extended all the way to DMZ.

• ACL Separation—The Guest VLAN is terminated at an access router; ACLs are used to ensure that Guest Network traffic is unable to go to enterprise addresses.

• Routing Table Separation—The Guest VLAN terminates at the access router, and separate routing tables ensure that Guest Network traffic can go nowhere but the DMZ.

In each of the tunneling possibilities Guest Network users are authenticated by a BBSM before gaining access to the DMZ. Authentication of users of the Guest Network is needed to prevent the Guest Network being used for non-authorized purposes. The BBSM is an example of a Cisco Product designed for this purpose, but other tools such as Cisco IOS and PIX authentication proxy may be used and their location in the network might be closer to the access network, such that users may be authenticated at the access router.
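The ACL separation and routing table separation models above, as an added example rather than configuration taken from this design guide: a Cisco IOS fragment for the access router that terminates the Guest VLAN. It implements ACL separation together with the time of day control called for under Deployment Considerations and Caveats, followed by the routing table separation alternative built with VRF-lite. The guest subnet 192.168.10.0/24, the enterprise address space 10.0.0.0/8, the DMZ link on VLAN 900 with next hop 192.0.2.1, the route distinguisher and all names are assumptions for illustration. The BBSM or authentication proxy in the DMZ still authenticates the guest; this fragment only confines where guest packets can go.

```cisco
! Added example, not configuration from the design guide.  Assumed:
!   guest WLAN subnet         192.168.10.0/24 on VLAN 10 (DHCP-assigned)
!   enterprise address space  10.0.0.0/8
!   link to the DMZ/BBSM      VLAN 900, this router 192.0.2.2, next hop 192.0.2.1
!
! Time of day control.  An ACL entry carrying a time-range matches only
! while the range is active; outside it, guest packets fall through to
! the final deny below.
time-range GUEST-HOURS
 periodic weekdays 07:00 to 19:00
!
! ACL separation: guest traffic is routed alongside enterprise traffic
! but is never allowed to reach an enterprise address.
ip access-list extended GUEST-IN
 remark DHCP has to pass before the client holds an address
 permit udp any eq bootpc any eq bootps
 remark nothing addressed into the enterprise space, whatever the source
 deny   ip any 10.0.0.0 0.255.255.255
 remark anti-spoofing: only guest-subnet sources, only during guest hours
 permit ip 192.168.10.0 0.0.0.255 any time-range GUEST-HOURS
 remark everything else is dropped and logged for the IDS / log review
 deny   ip any any log
!
interface Vlan10
 description Guest WLAN VLAN, terminated here (ACL separation model)
 ip address 192.168.10.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Routing table separation (VRF-lite), the alternative to the ACL model.
! The guest VLAN and the DMZ link are placed in their own VRF whose only
! route is a default toward the DMZ, so enterprise prefixes do not exist
! from the guest's point of view.  "ip vrf forwarding" removes any address
! already on the interface, so it must precede "ip address".  Keeping the
! ACL as well costs nothing and catches configuration mistakes.
ip vrf GUEST
 rd 65000:10
!
interface Vlan10
 description Guest WLAN VLAN, terminated here (routing table separation model)
 ip vrf forwarding GUEST
 ip address 192.168.10.1 255.255.255.0
 ip access-group GUEST-IN in
!
interface Vlan900
 description link toward the DMZ and the BBSM, in the guest VRF
 ip vrf forwarding GUEST
 ip address 192.0.2.2 255.255.255.252
!
ip route vrf GUEST 0.0.0.0 0.0.0.0 192.0.2.1
```

The two interface Vlan10 stanzas are alternatives, one per model. With the VRF model the enterprise prefixes do not exist in the guest routing table, so the ACL's deny of 10.0.0.0/8 becomes a second line of defence rather than the only one; the time-range still applies, because an ACL entry whose time-range is inactive simply does not match and the packet falls through to the final deny. Check the result with show ip access-lists GUEST-IN (hit counts on the deny lines) and show ip route vrf GUEST, which should contain only the connected guest subnet, the DMZ link and the default route.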


Figure 10-3 General Guest Network Topology

AP and Switch ConfigurationFor the purpose of this example, these configurations deal with the configuration of a Guest Network access WLAN VLAN on an AP that also supports three other WLAN VLANs—named PEAP, IPSec and LEAP (with the VLAN name LEAP here used to represent an EAP-Cisco implementation)—that map to VLANs on the Ethernet interface of the AP.

The configuration of PEAP, IPSec, and LEAP is not discussed in this application note, and for information on WLAN AP and Client configuration refer to:

http://www.cisco.com/en/US/products/hw/wireless/ps458/prod_instructions_guides.html

Figure 10-4 shows a schematic of the example configuration used in this chapter that has four WLAN VLANs and five VLANs on the AP. The difference in number of VLANs is due to the addition of a wire only VLAN for the administration of the AP.

(Figure 10-3 diagram: three ways of tunneling guest traffic from the WLAN across the Enterprise Network to the DMZ, where guest traffic is authenticated. VLAN separation: the Guest VLAN is kept separate from the enterprise VLANs end to end. ACL separation: ACLs block guest access to enterprise addresses, and route maps apply a different policy to guest addresses. Routing table separation: MPLS or VRFs are used to route guest traffic separately from enterprise traffic.)


Figure 10-4 Multiple VLANs including a Guest Network VLAN

The configuration fragment below shows an example configuration for the switch port connecting the AP to the Enterprise Network. Points to note include:

• The Admin VLAN, which carries the AP's IP interface, is the native VLAN on the trunk (VLAN 40 in this fragment, matching the AP configuration later in this chapter).

• The VLANs allowed on the AP connection are limited to the VLANs the switch requires on every trunk (1 and 1002-1005) and the VLANs used on the AP (10, 20, 30, 40 and 825).

interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 40
 switchport trunk allowed vlan 1,10,20,30,40,825,1002-1005
 switchport mode trunk

As VLANs are supported on two different platforms with different user interfaces and structure, the configuration examples are broken into two sections: the VxWorks-based AP 1200 (the same interface is used on the AP 340), and the Cisco IOS-based AP 1100.

WLAN Guest VLAN Filtering

When applying network access control filters, a general rule is that these filters should be placed as close as possible to the users whose access is being controlled.

In the case of WLAN guest networking, the closest point at which access control filters can be placed is the WLAN VLAN on the AP.

Although the filtering that can be applied is limited by the need to support the applications accessible by guests, there are simple filters that can be applied:

• Protocol Filters—Guests would be expected to use specific protocols, such as ARP and IP; all other protocols on the WLAN guest VLAN can be blocked.

• Source Address—The users on the WLAN guest VLAN have IP addresses assigned through DHCP from a known range. On Cisco IOS APs (only), the AP can apply IP address filters that permit traffic sourced from that range and block all other source addresses, so that a guest cannot inject packets carrying a spoofed enterprise address.

Terminology Notes

The introduction of VLANs to the APs introduces a number of new definitions such as:

• Default VLAN—The VLAN associated with an SSID by default. The name reflects that a RADIUS server can override it, assigning a different VLAN number based on the group membership of the user.

• Primary SSID—The AP is only capable of sending one set of information in its beacons; the information that is sent in the beacons is that of the VLAN associated with the Primary SSID.

• Guest SSID—The AP can only have a single VLAN that accepts unencrypted traffic. The SSID associated with this VLAN is called the Guest SSID.

(Figure 10-4 diagram: four WLAN VLANs on the radio side, Guest, PEAP, IPSec and LEAP, and five VLANs on the wired side, Guest, PEAP, IPSec, LEAP and Admin.)


• Infrastructure SSID—Infrastructure such as repeaters and workgroup bridges can be associated with the AP on one particular VLAN. The SSID associated with this VLAN is called the Infrastructure SSID.

• Native VLAN—802.1Q allows one of the VLANs in the trunk to be native, thereby not requiring 802.1Q encapsulation. This makes it possible to remain connected to the AP when trunking is enabled on the switch before it is on the AP, or vice versa. The VLAN given this capability is called the Native VLAN.


AP 1200 Configuration

The key AP 1200 configuration processes are presented in the following sections:

• Configuring VLANs, page 10-11

• Configuring SSIDs, page 10-12

Configuring VLANs

The first step in configuring the AP is the creation of the VLANs. To ensure continuous communication with the AP, care should be taken to have a Native VLAN configured before 802.1Q tagging is enabled. Figure 10-5 shows the VLAN Setup screen; this allows individual VLANs to be created or removed, and the Native VLAN and the Unencrypted VLAN (Guest VLAN) to be set. In this example:

• VLANs are enabled by selecting 802.1Q tagging

• The Native VLAN (VLAN 40) is the VLAN that will have the AP’s IP interface

• VLAN 10 is the unencrypted VLAN used by guests

Figure 10-5 Creating VLANs and Assigning the Native and Guest VLANs

When the Add New button creates a new VLAN, the screen automatically changes to a VLAN security screen shown in Figure 10-6. This allows the VLAN WEP configuration to be entered. In the example shown in Figure 10-6 the Guest VLAN is being configured and there is no WEP data entered; all of the other settings in this case have been left at default.


Figure 10-6 Guest Access VLAN with Null Encryption

Configuring SSIDs

Once the VLANs have been created and configured with the appropriate WEP settings, the Service Sets Identifiers (SSIDs) can be entered and associated with the appropriate VLAN.

Figure 10-7 shows the AP Radio Service Sets screen. Four SSIDs have been entered and SSID 3 (LEAP) has been nominated as the Infrastructure SSID. From Figure 10-7 it can be seen that SSID 1 is the Primary SSID.

The Primary SSID is configured on the AP 1200 through the standard SSID configuration mechanism (through the SSID configuration fields in the Express Setup screen or the AP Radio Identification screen). The default Primary SSID for example is tsunami (the name guest was simply entered as an example).

Note The Primary SSID is the one advertised in beacons. Since a broadcast SSID is recommended for guest use, this is the SSID that should be made primary. To ensure successful configuration this should be the first SSID configuration made, because ownership of the Primary SSID cannot be transferred to another SSID.

Figure 10-7 also shows the SSID used for Infrastructure Stations. The Guest VLAN should not be used for Infrastructure Stations, and therefore another SSID, on another VLAN, must be chosen (SSID 3, LEAP, in this case), and Infrastructure Stations on other VLANs disallowed.


Figure 10-7 Service Set Configuration

When an SSID is added or edited, the screen shown in Figure 10-8 appears. This allows the authentication mechanism for the SSID and the VLAN associated to that SSID to be set. The example shown in Figure 10-8 is the Primary SSID configuration. The important settings are:

• The SSID—In this case guest is used, but the SSID can be anything the enterprise thinks is appropriate.

• Open Authentication selected.


Figure 10-8 Setting the SSID Values

AP 1100 Configuration

The configuration of the AP 1100 follows a similar sequence to that of the AP 1200. Figure 10-9 shows the creation of the different VLAN numbers and the selection of the default VLAN. To create a VLAN:

• Enter the VLAN number in the VLAN ID: Text Box.

• Press the Add button.

If an SSID already exists for this VLAN, an association between the two can be built by selecting that SSID from the SSID: drop-down box before pressing Add.


Figure 10-9 Entering VLANs and Setting the Default VLAN

Once the VLANs have been created, the user must go to the WEP Key Manager and configure the appropriate WEP settings for each VLAN.

Figure 10-10 shows the settings for the VLAN that will become the Guest Network VLAN.

Figure 10-11 shows the WEP configuration for the VLAN that will become the IPSec VLAN.

Note Even though the IPSec VLAN does not need WEP encryption for privacy (IPSec provides that), it must be configured with WEP to provide VLAN separation at the radio interface: the AP permits only one unencrypted VLAN, and that is the Guest VLAN.

Figure 10-10 Guest Access VLAN with No Encryption


Figure 10-11 IPSec VLAN with Mandatory Encryption

Once the VLANs have been created and had their WEP properties configured, SSIDs can be created, authentication methods set, and the SSIDs paired with the appropriate VLANs.

Figure 10-12 shows the configuration of the guest SSID, with open authentication, and pairing it with VLAN 10. In the lower portion of Figure 10-12, the Guest Mode SSID and Infrastructure SSIDs are set. The Guest Mode SSID determines whether the SSID will be broadcast in AP beacons, and therefore the example SSID of guest is selected.
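The AP 1100 procedure above, together with the WLAN Guest VLAN Filtering recommendations earlier in this section, as an added example in Cisco IOS AP command syntax; this is not configuration from the design guide or from Cisco. It uses the chapter's VLAN numbers (guest VLAN 10 as the single unencrypted VLAN, native/admin VLAN 40) and assumes VLAN 20 for the IPSec SSID, VLAN 30 for the LEAP SSID, the guest subnet 192.168.10.0/24, the RADIUS server address and shared secret, the WEP key value, the AP's address and the access-list numbers. The SSID sub-mode under the radio interface is the form used by the AP 1100 IOS releases of this period (later releases moved it to a global dot11 ssid block), and the Ethertype filter and ip access-group commands should be checked against the configuration guide for the IOS release in use.

```cisco
! Added example, not configuration from the design guide or from Cisco.
! Chapter values: guest VLAN 10 (the one unencrypted VLAN), admin/native
! VLAN 40 (wired only, carries the AP's own address).  Assumed: VLAN 20
! for IPSec, VLAN 30 for LEAP, guest subnet 192.168.10.0/24, the RADIUS
! server, the shared secret, the WEP key value and the access-list numbers.
!
! AAA for the LEAP (EAP-Cisco) SSID that carries the infrastructure stations.
aaa new-model
aaa authentication login eap_methods group radius
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key RADIUS-SECRET-PLACEHOLDER
!
! Guest VLAN filters, applied on the AP itself (as close to the user as
! the filter can get).  Ethertype list 200 admits only ARP (0x0806) and
! IP (0x0800) from guest radios; IP list 110 admits DHCP before a client
! has a lease and thereafter only packets sourced from the guest subnet.
access-list 200 permit 0x0806 0x0000
access-list 200 permit 0x0800 0x0000
access-list 110 permit udp any eq bootpc any eq bootps
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
!
interface Dot11Radio0
 ! guest: open authentication, no encryption, VLAN 10, broadcast in beacons
 ssid guest
    vlan 10
    authentication open
    guest-mode
 !
 ! IPSec: WEP carries no privacy value here (IPSec does that) but is
 ! mandatory so that VLAN 10 stays the single unencrypted VLAN
 ssid IPSec
    vlan 20
    authentication open
 !
 ! LEAP: repeaters and workgroup bridges associate here, never on guest
 ssid LEAP
    vlan 30
    authentication network-eap eap_methods
    infrastructure-ssid
 !
 encryption vlan 20 key 1 size 128bit 0 0123456789ABCDEF0123456789 transmit-key
 encryption vlan 20 mode wep mandatory
 encryption vlan 30 mode wep mandatory
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 input-type-list 200
 ip access-group 110 in
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface FastEthernet0.30
 encapsulation dot1Q 30
 bridge-group 30
!
! Admin VLAN: native on the trunk, wired side only (no radio subinterface),
! and the only VLAN with an IP address on the AP.
interface FastEthernet0.40
 encapsulation dot1Q 40 native
 bridge-group 1
!
interface BVI1
 ip address 10.1.40.5 255.255.255.0
```

The LEAP VLAN is marked WEP mandatory without a static key because its keys are delivered per session by EAP; the IPSec VLAN needs the static key only so that the radio can tell its frames apart from the guest VLAN's. After loading this, a guest client on VLAN 10 should obtain a DHCP lease and then be unable to send anything that is not ARP or IP, or IP sourced from outside 192.168.10.0/24, through the radio subinterface.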


Figure 10-12 Setting per SSID Authentication and Global SSID Properties

Figure 10-13 shows a summary page on the AP 1100 that shows a view of the different SSID and VLAN number pairings, along with their authentication mechanisms.

Figure 10-13 SSID VLAN Summary Page


Chapter 11

Cisco AVVID Enterprise WLAN Case Study

The following Enterprise WLAN case study details an example network in the context of the following discussions:

• Enterprise WLAN Profile, page 11-2

• Equipment Selection, page 11-5

• Security Selection, page 11-7

• Rogue AP, page 11-11

• Management, page 11-11

• Layer-2 and Layer-3 Roaming, page 11-12

• WLAN QoS Considerations, page 11-14

• IP Multicast, page 11-14

• WLAN Case Study Configuration, page 11-15


Enterprise WLAN Profile

The organization used to illustrate an example Enterprise WLAN in this case study is a global enterprise of approximately 30 000 employees. The company has four campuses in the Americas, three in Europe, and one in the Asia Pacific region.

In addition to the campuses there are 15 major offices (multiple floors in the one building), and 140 branch offices (single or partial floor). Table 11-1 shows the distribution of offices and employee population.

The campuses and major offices have local network servers and some degree of local technical support; branch offices are supported remotely. Almost all offices have resilient network connections.

The network is IP only, and is Quality of Service (QoS) enabled.

The current application authentication mechanism within the network is usernames and passwords, the network operating system is Microsoft Active Directory, local access is currently controlled by physical security, and remote access is through IPSec virtual private networks (VPNs) authenticated with one-time passwords (OTP).

Wired network is the primary network; WLAN network is to be an overlay network in most cases. Where the WLAN is used in manufacturing and warehouse it is the primary network.

Table 11-1 Distribution of Offices and Employees

Region                           Campus (employees)       Major Office (offices x employees)   Branch Office < 20 people (offices)
Americas                         12000, 3000, 500, 500    2 x 110, 5 x 80                      70
  Totals                         16000                    620                                  1400
  Grand total                    18020
Europe, Middle East, and Africa  1200, 1000, 500          3 x 80                               50
  Totals                         2700                     240                                  1000
  Grand total                    3940
Asia Pacific                     2000, 1500               4 x 200, 1 x 160                     20
  Totals                         3500                     960                                  400
  Grand total                    4860

Branch office totals count 20 employees per branch office.


Customer Requirements

The organization requires the WLAN for employee laptop computers and requires it to provide the same application support as its wired LAN; this includes QoS and multicast support.

In addition to laptop support the organization requires:

• Support for Windows XP and Windows 2000 laptops (the majority of users) throughout the enterprise.

• Support for Linux laptops throughout the enterprise.

• The organization plans to have 802.11 integrated into future laptop computer purchases.

• Integration with Microsoft Active Directory infrastructure

• Support for wireless barcode scanners at selected locations (manufacturing and warehouse)

• Support for WLAN guest access at selected locations.

• Rogue AP mitigation.

WLAN Considerations

This case study presents an example environment that addresses a variety of WLAN-specific considerations. These are summarized in the following sections:

• WLAN Performance and Coverage, page 11-3

• RF Environment, page 11-3

• Security, page 11-4

• Rogue AP Mitigation, page 11-4

• Management, page 11-4

• Roaming, page 11-4

• QoS, page 11-4

• Multicast, page 11-4

WLAN Performance and Coverage

The organization expects reasonably high use of the WLAN as the majority of its employees are involved in projects and work in cross functional teams. Employees might spend approximately 25 percent of their day using the WLAN.

RF Environment

The majority of this organization's buildings are office space, but there are sections which would be considered light industrial. The office buildings are not thought to have any extraordinary sources of RF interference, but the light industrial areas may.

The organization is concerned about radio frequency (RF) interference from the WLANs of other enterprises, particularly when the office is in a multi-tenant building.


Security

The organization wishes to maintain its privacy and preserve the integrity of its network, but it has no regulatory requirement to use a specific encryption or authentication mechanism.

Ease of use is a major consideration, and integration with existing authentication mechanisms is a requirement.

Rogue AP Mitigation

The organization found unauthorized WLAN installations within its enterprise and this is one of the motivations for pursuing a formal WLAN installation. The organization wishes to investigate other means of rogue AP mitigation.

Management

The organization has an existing Simple Network Management Protocol (SNMP) management system. The WLAN management must integrate into this system, but must have tools to minimize the management overhead of additional network devices introduced by the WLAN.

Roaming

The majority of the WLAN users are nomadic roamers. Clients will not be running Mobile IP, and there is not a requirement to maintain sessions when roaming between floors or buildings.

QoS

The organization enabled QoS within its network and requires the WLAN to honor these QoS settings.

Multicast

A limited multicast deployment is planned.


Equipment Selection

Note For related information, please refer to Chapter 3, “WLAN Technology and Product Selection.”

WLAN product selection considerations include:

• Radio Selection, page 11-5

• AP Selection, page 11-5

Radio Selection

The two current radio types available in 802.11 are 802.11a (5 GHz) and 802.11b (2.4 GHz). 802.11b is recommended due to its wider availability and RF licensing. 802.11a will be considered in areas subject to a high level of interference in the 802.11b frequency band or where the density of users and their throughput requirements exceed what can be provided by 802.11b.

The 802.11b equipment must be upgradable to 802.11g.

AP Selection

Cisco has three AP variations available:

• AP 1200—Dual mode supporting 802.11a and 802.11b, RP-TNC antenna connectors; field upgradable to 802.11g.

• AP 1100—802.11b, field upgradable to 802.11g, Cisco IOS operating system, and fixed antenna.

• AP 350—802.11b, available with either fixed antennas or RP-TNC antenna connectors.

As the organization wants upgradability to 11g, the AP 350 is excluded from the AP choices.

Cisco AP 1200 is recommended for the campus and larger offices—allowing for greater flexibility in antenna selection that might be necessary for RF deployments in multi-story and multi-tenant buildings. These are locations that are most likely to require 802.11a in the future.

The Cisco AP 1100 is recommended for branch offices as a lower cost alternative. The branch offices are expected to have lower throughput requirements and are less likely to require the additional channels or different frequency bands of 802.11a.

Estimating the Number of APs

The ultimate number of APs used in the implementation depends upon the site survey results, and the distribution of users within the enterprise.

A working number of the APs required can be determined by using an average of 15 employees per AP in the campus and large offices (this takes into account the potentially higher usage, additional coverage areas, and the breaking up of bulk users on a per floor basis), and one AP per branch office. The results are shown in Table 11-2.


This gives an estimate of 1614 AP 1200s and 140 AP 1100s.

Table 11-2 Estimate of Number of APs by Region and by Office Type

Region                                   Campus: employees (APs)                      Major Office: offices x employees (APs)   Branch Office < 20 people: offices (APs)
Americas                                 12000 (800), 3000 (200), 500 (34), 500 (34)  2 x 110 (16), 5 x 80 (30)                 70 (70)
  Americas APs subtotals                 1068                                         46                                        70
  Americas APs total                     1184
Europe, Middle East, and Africa (EMEA)   1200 (80), 1000 (67), 500 (34)               3 x 80 (18)                               50 (50)
  EMEA APs subtotals                     181                                          18                                        50
  EMEA APs total                         249
Asia Pacific                             2000 (134), 1500 (100)                       4 x 200 (56), 1 x 160 (11)                20 (20)
  Asia Pacific APs subtotals             234                                          67                                        20
  Asia Pacific APs total                 321
AP subtotals                             1483                                         131                                       140
AP total                                 1754


Security Selection

Note For related information, please refer to Chapter 4, “WLAN Security Considerations.”

The organization’s QoS and multicast requirements suggest that the WLAN LAN Extension (IPSec) is not a good choice for this WLAN, and that the organization would be better served by an 802.1x/EAP solution. This decision is made easier by having no security restrictions that specify encryption mechanisms that are only currently available in IPSec.

It is recommended that the organization also implement the TKIP and MIC extensions to WEP that address all currently known attacks on WEP. This restricts the organization to Cisco Compatible eXtensions (CCX) network interface cards (NICs), until industry-standard versions of TKIP and MIC are available through the Wi-Fi Protected Access (WPA) standard of the Wireless Ethernet Compatibility Alliance (WECA, now the Wi-Fi Alliance).

Whether the organization selects Cisco NICs, or those provided by a CCX vendor, it should standardize upon only one or two NICs to minimize the testing of client drivers and firmware.

The organization has a choice of EAP/802.1x solutions:

• EAP-Cisco

• EAP/TLS

• EAP/TTLS

• PEAP

All of these options offer some degree of integration with Microsoft’s directory and authentication infrastructure, and the organization plans to use the Access Control Server (ACS) external database group membership mapping to control which members of the Active Directory are given WLAN access.

EAP-Cisco is recommended because it supports Windows, supports 802.1x/EAP on other PC operating systems that lack native 802.1x/EAP support, and supports 802.1x/EAP on handheld devices. The case study organization is interested in PEAP because it supports multiple authentication types, but it is still assessing its ongoing authentication requirements.

It is recommended that WLAN VLANs be used to separate the different client types. This allows the partitioning of clients with different security capabilities. For example, the handheld devices might support EAP-Cisco, but might not support Cisco’s implementation of TKIP and MIC, or the handheld might have inadequate protection for the local usernames and passwords.

The different client types are to be separated into different VLANs by membership in an Active Directory group. The mapping of these Active Directory groups and ACS groups is shown in Figure 11-1.

The following sections summarize several ACS implementation considerations for this case study:

• Number of ACS Servers, page 11-8

• ACS Server Placement, page 11-9

• Branch Roaming, page 11-10


Figure 11-1 ACS External User Database Group Mapping

Number of ACS Servers

Using the Americas as a region, the number of clients is expected to be 18,200. This is well within the capacity of an ACS database; the number of clients is not a scaling factor.

Because the organization is using TKIP and MIC, reauthentication and re-keying of users is expected to be required only once per hour. Using EAP-Cisco performance figures, the ACS can perform 60 authentications per second on its specified platform, which is 216,000 authentications per hour. A single ACS server could therefore easily support the whole Americas region and all of its re-keying requirements.

Re-keying is not the only event that requires an authentication; roaming also requires one. It is difficult to estimate how often users would roam from one AP to another, but the authentications-per-hour figure above shows that every client could roam every five minutes and an ACS server would still have sufficient capacity to authenticate them all.

The numbers derived above are conservative as they assume that all enterprise employees are using the WLAN simultaneously. The main point to be taken from these numbers is that the ACS capacity is not the major design consideration in this Enterprise Network deployment.

The prime design considerations for ACS placement are speed of authentication, resilience, location of user database information, and management.
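The sizing argument above, carried through as a small planning function (an added example, not code from the Cisco guide): it reproduces the 216,000-per-hour figure and the five-minute roam interval from the chapter's numbers and adds a roaming term, whose interval is an assumed input.

```python
"""Capacity check for the ACS sizing argument in the case study.

Added example, not from the Cisco design guide: it carries the chapter's
arithmetic (18,200 Americas clients, 60 EAP-Cisco authentications per second
on the specified ACS platform, re-keying once per hour) through as a reusable
planning function and adds the roaming term the chapter discusses but does
not put a number on. The roaming interval used below is an assumed input.
"""
import math
from dataclasses import dataclass


@dataclass
class AcsPlan:
    hourly_capacity: int          # authentications one ACS serves per hour
    rekey_auths_per_hour: float   # load from periodic re-keying alone
    roam_auths_per_hour: float    # load from the assumed roaming rate
    utilisation: float            # fraction of one server's capacity in use
    min_roam_interval_min: float  # shortest per-client roam interval one server sustains
    servers_required: int         # for throughput, plus the backup the chapter requires


def plan_acs(clients: int, auths_per_second: float,
             rekey_interval_min: float, roam_interval_min: float = 0.0) -> AcsPlan:
    """Compare the combined re-key and roaming load with one ACS's throughput.

    roam_interval_min == 0 means 'ignore roaming', which is the chapter's
    own first calculation; min_roam_interval_min then tells you how often
    every client could roam before a single server saturates.
    """
    if clients <= 0 or auths_per_second <= 0 or rekey_interval_min <= 0:
        raise ValueError("clients, auths_per_second and rekey_interval_min must be positive")
    hourly_capacity = int(auths_per_second * 3600)
    rekey = clients * (60.0 / rekey_interval_min)
    roam = clients * (60.0 / roam_interval_min) if roam_interval_min > 0 else 0.0
    total = rekey + roam
    utilisation = total / hourly_capacity
    # At saturation each client could authenticate capacity/clients times an
    # hour; the reciprocal of that rate is the shortest sustainable roam interval.
    min_roam_interval = 60.0 / (hourly_capacity / clients)
    # One server per hourly_capacity of load, plus one backup: the chapter
    # requires a backup ACS for every AP, so resilience sets the floor at two.
    servers = math.ceil(total / hourly_capacity) + 1
    return AcsPlan(hourly_capacity, rekey, roam, utilisation,
                   min_roam_interval, servers)


if __name__ == "__main__":
    # The chapter's Americas figures, with an assumed roam every 30 minutes.
    print(plan_acs(clients=18_200, auths_per_second=60,
                   rekey_interval_min=60, roam_interval_min=30))
```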


ACS Server Placement

For ease of management and optimal performance, the location of the ACS RADIUS servers is critical. A reauthentication is required whenever a client roams from one AP to another. For this roam to appear seamless, the authentication must be performed quickly enough that client applications show no noticeable impact.

Another consideration is the resilience of the ACS RADIUS infrastructure. If an ACS server is not available when a client tries to authenticate, new clients cannot join the WLAN and clients roaming from AP to AP lose their WLAN connection. To overcome this, a backup ACS server is required for each AP.

The organization’s global network is segmented into different logical domains for its network operations, and the ACS deployment reflects this, with a separate managed ACS network for each region. Clients from different regions of the enterprise may still use the WLAN in any region, but the management of the ACS servers is done upon a regional basis.

Figure 11-2 shows the planned location of the ACS servers within the US region. The ACS servers are located at campus locations, which also contain Active Directory Domain Controllers. The locations with two ACS servers are the two largest campuses; these servers are used by local campus APs and by APs located in branch offices in the region. The locations with only one ACS server use the nearest large campus location ACS as a backup. Branch offices use the nearest campus-based ACS server for authentication, so branch clients will experience slower authentication than campus clients. This delay should not be an issue when logging in, but might be an issue when roaming. The amount of roaming in branches is thought to be lower, and in branches with only one AP there will be no roaming.

Figure 11-2 ACS Server Placement

Figure 11-3 shows the proposed AP authentication server management configuration. Servers 10.10.10.10 and 10.10.11.11 are the RADIUS servers used for client authentication. Servers 10.12.12.12 and 10.12.12.13 are the TACACS+ servers.

The preferred RADIUS server is the highest in the list (10.10.10.10). If the AP gets no response from this server within two minutes, it uses the alternate server and puts the primary server on the dead server list for 30 minutes.


The choice of the timeout value and dead server list time reflects the preferred configuration for a branch office and is based upon two assumptions:

• The primary RADIUS server is the closest and therefore gives the best authentication performance.

• In the event of a primary WLAN link failure, time is needed to detect the failure and converge on the backup link. Events such as this should not result in a change of RADIUS server.

In the campus AP configurations, the RADIUS server timeout can be set to a lower value, reflecting the smaller penalty for switching from the primary to the secondary server.
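The timeout and dead-server behaviour described above, replayed in an added model that is not Cisco code or configuration: the server addresses are the chapter's, while the outage windows, authentication times and the campus-style 10-second timeout are constructed inputs chosen to show why a branch AP keeps the longer timeout.

```python
"""Model of the AP RADIUS server selection described for the branch office.

Added example, not Cisco code or configuration. It replays the behaviour the
chapter describes (preferred server first; no answer within the timeout means
the alternate is used and the preferred server goes on the dead list for
30 minutes) against constructed outages, to show why the branch timeout is
kept long enough to ride out a link failover while a campus AP can use a
shorter one. The server addresses are the ones quoted in the chapter.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PRIMARY, SECONDARY = "10.10.10.10", "10.10.11.11"

# reachable(server, send_time, timeout) -> True when a request sent at
# send_time is answered before the timeout expires.
Reachability = Callable[[str, float, float], bool]


def outage_model(outages: Dict[str, List[Tuple[float, float]]]) -> Reachability:
    """Constructed network model: a server is silent during each (start, end).

    RADIUS retransmits within the timeout window, so a request only fails
    when an outage covers the whole window [send_time, send_time + timeout].
    """
    def reachable(server: str, send_time: float, timeout: float) -> bool:
        for start, end in outages.get(server, []):
            if start <= send_time and send_time + timeout <= end:
                return False
        return True
    return reachable


@dataclass
class ApRadiusClient:
    servers: List[str]            # preference order, highest first
    timeout_s: float              # wait before declaring no response
    deadtime_s: float             # how long a failed server is skipped
    dead_until: Dict[str, float] = field(default_factory=dict)

    def authenticate(self, now: float, reachable: Reachability) -> Optional[str]:
        """Return the server that answered, or None if every server failed."""
        for server in self.servers:
            if self.dead_until.get(server, 0.0) > now:
                continue                          # still on the dead server list
            if reachable(server, now, self.timeout_s):
                return server
            # No response within the timeout: the failure is declared at
            # now + timeout and the server is skipped for deadtime after that.
            self.dead_until[server] = now + self.timeout_s + self.deadtime_s
        return None


def simulate(client: ApRadiusClient, reachable: Reachability,
             auth_times: List[float]) -> List[Optional[str]]:
    """Run a sequence of authentication attempts and record which server answered."""
    return [client.authenticate(t, reachable) for t in auth_times]


if __name__ == "__main__":
    # Constructed scenario: the path to the primary server is down for 90 s
    # (t = 100..190) while a link fails over; both APs authenticate at
    # t = 0, 120 and 300.  The branch AP never leaves the primary server;
    # the short campus-style timeout flips to the secondary for 30 minutes.
    net = outage_model({PRIMARY: [(100.0, 190.0)]})
    branch = ApRadiusClient([PRIMARY, SECONDARY], timeout_s=120, deadtime_s=1800)
    campus = ApRadiusClient([PRIMARY, SECONDARY], timeout_s=10, deadtime_s=1800)
    print("branch (120 s timeout):", simulate(branch, net, [0, 120, 300]))
    print("campus (10 s timeout): ", simulate(campus, net, [0, 120, 300]))
```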

Figure 11-3 AP Server Management

Branch Roaming

To ensure that authentication and roaming times are optimal given the branch's traffic prioritization, authentication traffic is handled as described in the 802.1x and EAP-Based Authentication Across Congested WAN Links application note.

ACS server user databases are replicated by a single server within each region; Figure 11-4 shows the replication plan for the US region. Because the WLAN is using Active Directory databases, this replication may be unnecessary, depending on whether EAP-Cisco devices are placed in the Active Directory databases or in the ACS.


Figure 11-4 ACS Server Replication

Rogue AP

Note For related information, please refer to Chapter 9, “WLAN Rogue AP Detection and Mitigation.”

Concerns about rogue AP deployments are one of the motivators for this WLAN deployment, apart from the ROI associated with WLAN.

In addition to this WLAN deployment the enterprise plans the following:

• Publishing the policy against rogue APs as part of the organization’s communication about the WLAN deployment.

• Looking for rogue APs as part of the site survey process.

• Investigating rogue AP detection tools that integrate with WLAN deployment.

• Integrating rogue AP protection into the security strategy of protecting against unauthorized access. This is part of a separate project that uses 802.1x to authenticate clients connecting to both the wired and wireless networks and an intrusion detection system (IDS) to detect inappropriate behavior on the network.

Management

The organization plans to deploy the Wireless LAN Solution Engine (WLSE) to manage its APs. This helps deploy and maintain consistent AP configurations, monitor system performance, and aid capacity planning and troubleshooting.

The WLSE manages 500 APs in the proposed WLSE deployment shown in Figure 11-5, and the WLSE placement has capacity for 2500 APs. The dual WLSE deployment was implemented to meet capacity requirements at the largest campus. Additional WLSE deployments reflect the local administration and authentication domains, allowing the WLSE to monitor EAP-Cisco authentication performance in all of the regional campuses and to use and maintain configuration templates appropriate for the region.


Figure 11-5 WLSE Placement

For configuration details for the WLSE see the Configuration Guide for the CiscoWorks 1105 Wireless LAN Solution Engine available at http://www.cisco.com.

The main WLAN client management issues for this enterprise are software version control and WEP-key management. The use of EAP-Cisco solves the WEP-key management issue, and the organization is planning to integrate the bundled client software packages into its software distribution system.

The enterprise plans to permit users to control the ACU, because users might require other WLAN profiles, and there are likely to be fewer client configuration issues if these WLAN configurations are controlled in one location.

Layer-2 and Layer-3 Roaming

Note For related information, please refer to Chapter 7, “WLAN Roaming.”

The organization's roaming requirement is for nomadic roaming. There is no plan to provide seamless roaming between buildings within a campus or between floors of the same building.

This helps determine where Layer-3 boundaries are placed. Because seamless roaming is not required between buildings, WLAN networks in different buildings may be on different subnets, as shown in Figure 11-6. Although seamless roaming is not required between floors, the organization decided to make each building’s WLAN network a single subnet, as shown in Figure 11-7. This decision removes any issues associated with clients roaming to APs on different floors. That the organization has no buildings more than six floors high makes this decision easier.


Figure 11-6 Campus Subnetting

Figure 11-7 Building Subnetting

The roaming requirements and the subnet boundaries limit the organization's roaming focus to Layer-2 roaming. Layer-3 roaming is not required. If Layer-3 roaming were required, the organization would need Mobile IP clients installed on the clients requiring this degree of mobility, because the planned use of WLAN VLANs within the organization's network means that Proxy Mobile IP cannot be used.


WLAN QoS Considerations

Note For related information, please refer to Chapter 6, “WLAN Quality of Service (QoS).”

The organization already has QoS enabled on its network, using DSCP values to mark traffic priorities. It plans to use the QoS features of the APs to reflect these priorities on the WLAN.

The organization plans to trial WLAN VoIP in some locations once the WLAN network is deployed, but this is considered a separate project.

For details on configuring QoS, refer to the Wireless Quality of Service Deployment Guide.

IP Multicast

Note For related information, please refer to Chapter 8, “IP Multicast in a Wireless LAN.”

The organization wishes to deploy some multicast applications on its WLAN. Because the subnets of the WLAN span multiple floors of buildings, and the WLAN has less capacity than a wired network, every effort must be made to limit the multicast load on the WLAN.

Because the multicast applications to be supported are known, multicast boundaries can be configured at the WLAN interface of the access routers.

To limit unnecessary multicasts on the WLAN VLAN, Internet Group Management Protocol (IGMP) snooping will be enabled on the access switches.

IGMP snooping on access switches can be an issue when a client roams from one AP to another and the multicast stream is not already flowing on the switch port of the new AP. To ensure that the multicast stream is forwarded on the new switch port, the AP can be made to send a general IGMP query whenever a client associates or reassociates. When the client responds to the general IGMP query, the upstream switch learns which multicast stream is required. Figure 11-8 shows the configuration of the IGMP snooping feature on an AP.

Figure 11-8 IGMP Snooping


WLAN Case Study Configuration

The following sections summarize configuration considerations for the network discussed in this case study:

• AP Configuration, page 11-15

• Access Switch Configuration, page 11-16

• Distribution Router Configuration, page 11-16

AP Configuration

Figure 11-9 shows the proposed VLAN configuration of the WLAN network. The AP is configured with three VLANs: a PC VLAN, a Handheld VLAN, and a Management VLAN. The management VLAN is the default VLAN for the AP and does not have an associated WLAN VLAN; this prevents management of the APs from the WLAN. This management VLAN would normally be the management VLAN used on the access layer switches. The WLAN VLANs are dedicated to WLANs and would be separate from the wired VLANs on the access switch.

Figure 11-9 AP VLANs

Figure 11-10 and the “Example Configuration: Config 1” section on page 11-16 show an excerpt from the AP radio configuration. Note that VLAN 10 has encryption defined but does not have an SSID associated with it. This is because VLAN 10 has been configured as the management VLAN and is only meant to exist on the wired network.

Figure 11-9 labels: VLAN 10 Management, VLAN 20 PCs, VLAN 30 Handhelds; VLAN 10 Management, VLAN 20 PCs, VLAN 30 Handhelds, VLAN 40 PCs, VLAN 50 Voice; PC WLAN; Handheld WLAN.


Figure 11-10 Cisco 1100 VLANs

Example Configuration: Config 1

interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode wep mandatory mic key-hash
 !
 encryption vlan 20 mode wep mandatory mic key-hash
 !
 encryption vlan 30 mode wep mandatory mic key-hash
 !
 broadcast-key vlan 20 change 1000
 broadcast-key vlan 30 change 1000
 !
 ssid PCS
    vlan 20
    authentication open eap eap_methods
    authentication network-eap eap_methods
 !
 ssid scanners
    vlan 30
    authentication open eap eap_methods
    authentication network-eap eap_methods
 !
 …
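An added configuration audit (not a Cisco tool) that parses the radio excerpt above and checks the intent the text states: every SSID maps to a VLAN with mandatory WEP plus MIC and TKIP (`mic key-hash`) and broadcast-key rotation, every SSID authenticates with EAP, and the management VLAN (assumed to be VLAN 10, as in Figure 11-10) never appears as an SSID.

```python
"""Audit of the case-study AP radio configuration against its stated intent.

Added example, not a Cisco tool. CONFIG_1 is the excerpt quoted in the
chapter; the management VLAN number (10) is taken from Figure 11-10.
"""
import re
from typing import Dict, List, Set

CONFIG_1 = """\
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode wep mandatory mic key-hash
 !
 encryption vlan 20 mode wep mandatory mic key-hash
 !
 encryption vlan 30 mode wep mandatory mic key-hash
 !
 broadcast-key vlan 20 change 1000
 broadcast-key vlan 30 change 1000
 !
 ssid PCS
    vlan 20
    authentication open eap eap_methods
    authentication network-eap eap_methods
 !
 ssid scanners
    vlan 30
    authentication open eap eap_methods
    authentication network-eap eap_methods
 !
"""

ENC_RE = re.compile(r"^encryption vlan (\d+) mode wep mandatory(?P<opts>.*)$")
BKEY_RE = re.compile(r"^broadcast-key vlan (\d+) change (\d+)$")


def parse_radio(config: str) -> dict:
    """Collect per-VLAN encryption options, broadcast-key timers and SSID blocks."""
    enc: Dict[int, Set[str]] = {}
    bkey: Dict[int, int] = {}
    ssids: Dict[str, dict] = {}
    current = None                     # name of the ssid block being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("interface "):
            continue
        if line == "!":                # '!' ends an ssid sub-block
            current = None
        elif line.startswith("ssid "):
            current = line.split(None, 1)[1]
            ssids[current] = {"vlan": None, "auth": []}
        elif current is not None:      # sub-commands of the current ssid
            if line.startswith("vlan "):
                ssids[current]["vlan"] = int(line.split()[1])
            elif line.startswith("authentication "):
                ssids[current]["auth"].append(line)
        elif (m := ENC_RE.match(line)):
            enc[int(m.group(1))] = set(m.group("opts").split())
        elif (m := BKEY_RE.match(line)):
            bkey[int(m.group(1))] = int(m.group(2))
    return {"encryption": enc, "broadcast_key": bkey, "ssids": ssids}


def audit_radio(config: str, management_vlan: int = 10) -> List[str]:
    """Return findings; an empty list means the configuration meets the intent."""
    parsed = parse_radio(config)
    findings: List[str] = []
    for name, s in parsed["ssids"].items():
        vlan = s["vlan"]
        if vlan is None:
            findings.append(f"ssid {name}: no VLAN assigned")
            continue
        if vlan == management_vlan:
            findings.append(f"ssid {name}: exposes management VLAN {vlan} over the air")
        opts = parsed["encryption"].get(vlan)
        if opts is None:
            findings.append(f"ssid {name}: VLAN {vlan} has no per-VLAN mandatory encryption")
        elif not {"mic", "key-hash"} <= opts:
            findings.append(f"ssid {name}: VLAN {vlan} lacks MIC and/or TKIP (key-hash)")
        if vlan not in parsed["broadcast_key"]:
            findings.append(f"ssid {name}: VLAN {vlan} has no broadcast-key rotation")
        if not any(t in ("eap", "network-eap") for a in s["auth"] for t in a.split()):
            findings.append(f"ssid {name}: no EAP authentication configured")
    return findings


if __name__ == "__main__":
    print(audit_radio(CONFIG_1) or "Config 1: no findings")
```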

For detailed WLAN VLAN configuration, including authentication based VLAN mapping information, see the Wireless Virtual LAN Deployment Guide.

Access Switch Configuration

The access switch configuration is the same as that applied in the Cisco AVVID Network Infrastructure Campus Design Solutions Reference Network Design, with the addition of the WLAN VLANs.

Distribution Router Configuration

The distribution router configuration is the same as that applied in the Cisco AVVID Network Infrastructure Campus Design Solutions Reference Network Design, with the addition of the WLAN VLANs.


Index

Numerics

3DES

WLAN LAN Extension IPSec 4-4

802.11

DCF 6-4

interframe spaces 6-4

Task Group activities (table) 2-9

802.11a

channels 2-12

OFDM 2-12

range comparison (table) 3-10

summary 3-2

802.11b

channels 2-11

range comparison (table) 3-10

summary 3-1

802.11e

EDCF 6-2

IEEE QoS working group 6-2

implementations 6-7

802.1x

Cisco Catalyst Switches 4-10

EAP authentication 4-2

guest access implementation 4-11

headquarters/campus deployment 4-9

Layer-2 authentication 4-9

rogue AP prevention 4-10

A

AAA

database location 4-15

access

guest network 10-3

Access Control Server. See ACS.

access point. See AP.

access switch

case study notes 11-16

ACS

architecture 4-15

example architecture 4-15

example server placement 11-9

aCWmax

contention window control 6-6

aCWmin

contention window control 6-6

retries 6-7

Advanced Encryption Standard. See AES.

AES

future support 4-2

antenna considerations 3-8

AP

controlling IP multicast 8-2

deployment planning 2-13

example configuration 11-15

product selection 3-11

VLAN support 4-7

AP 1100

guest network configuration 10-14

AP 1200

guest network configuration 10-11

architecture

considerations 1-5

authentication

static WEP 4-6


WLAN LAN Extension 802.1x/EAP 4-2

WLAN LAN Extension IPSec 4-4

Authentication, Authorization and Accounting. See AAA.

authorization

static WEP 4-6

WLAN LAN Extension 802.1x/EAP 4-2

WLAN LAN Extension IPSec 4-4

B

benefits

WLAN 1-1

best practices

RF 2-13

wired infrastructure 5-13

wired VLAN 5-13

branch deployment 4-12

branch roaming

case study 11-10

bridge

controlling IP multicast in P2P WLAN 8-3

wireless 3-14

workgroup 3-13

broadcast

traffic 1-6

broadcast domain segmentation 5-7

C

capacity considerations 3-2

case study

ACS server placement 11-9

ACS servers 11-8

AP configuration 11-15

AP selection 11-5

branch roaming 11-10

configuration summary 11-15

content summary 11-1


customer requirements 11-3

distribution router configuration notes 11-16

Enterprise profile 11-2

equipment selection 11-5

IP multicast 11-14

management 11-11

nomadic roaming 11-12

QoS considerations 11-14

radio selection 11-5

rogue AP concerns 11-11

security selection 11-7

WLAN considerations 11-3

channels

802.11a 2-12

802.11b 2-11

channel selection

RF 2-5

Cisco Aironet 1200

dual band 3-2

Cisco AVVID

WLAN design notes 7-9

Cisco IOS 6-13

QoS advertisement 6-11

wireless QoS deployment 6-2

client adapter

product selection 3-12

client density

effects 2-16

throughput 2-16

configuration

802.11 WLAN guest network 10-5

access switch notes 11-16

AP 1100 (guest network) 10-14

AP 1200 (guest network) 10-11

case study 11-15

distribution router notes 11-16

guest network AP 10-8

guest network SSID 10-12

guest network switch 10-8


IP multicast WLAN 8-2

contention

aCWmax 6-6

aCWmin 6-6

Contention Window. See CW.

coverage requirements 2-17

CW

parameters 6-6

size of random backoff 6-6

CWmax

average values (table) 6-10

CWmin

average values (table) 6-10

D

data rate considerations 3-3

data rates

effects 2-13

DCF

802.11 6-4

contention window 6-5

CW 6-6

process 6-6

random backoff 6-5

deployment

802.1x 4-9

best practices, wired VLAN 5-13

branch 4-12

EAP 4-9

EAP-Cisco 4-9

EDCF on APs 6-13

guest network considerations 10-4

headquarters/campus 4-8

QoS, Cisco IOS 6-2

QoS, VxWorks 6-2

RF best practices 2-13

rules, wireless VLAN 5-13

VLAN guidelines 5-10


wireless QoS 6-2

wireless QoS guidelines 6-17

wireless VLAN criteria 5-10

wireless VLAN example 5-11

deployment planning

AP 2-13

RF 2-13

design

characteristics 1-3

overview 1-2

Differentiated Services Code Point. See DSCP.

DIFS 6-5

Direct Sequence Spread Spectrum. See DSSS.

Distributed Coordination Function. See DCF.

Distributed Interframe Space. See DIFS.

downstream

QoS 6-3

DSSS

data rate 2-9

spectrum implementation 2-11

dual band

Cisco Aironet 1200 3-2

deployment diagram 2-8

E

EAP 4-8

802.1x security 4-2

headquarters campus deployment 4-9

high availability ACS architecture 4-14

recommendations 1-3

EAP-Cisco 4-2, 4-8

headquarters/campus deployment 4-9

EAP-SIM 4-8

EAP-Subscriber Identity Module. See EAP-SIM.

EAP-TLS 4-2, 4-8, 4-9

PKI 4-9

EAP-Transport Layer Security. See EAP-TLS.

EAP-TTLS 4-2


EAP Tunneled TLS. See EAP-TTLS.

EDCF

802.11e 6-2

AP deployment 6-13

deployment, Cisco IOS 6-13

deployment, VxWorks 6-13

QoS 6-2

random backoff (figure) 6-9

traffic classification (figure) 6-9

traffic classification effects example (figure) 6-9

EDCS deployment 6-13

Enhanced Distributed Coordination Function. See EDCF.

Extensible Authentication Protocol. See EAP.

F

FHSS

data rate 2-9

fine tuning

RF 2-5

Frequency Hopping Spread Spectrum. See FHSS.

G

guest access

802.1x 4-11

SSID 5-8

guest network

AP configuration 10-8

benefits 10-3

configuring WLAN 10-7

considerations and caveats 10-4

switch configuration 10-8

topology 10-7

VLAN and WLAN implementation 10-6

WLAN 10-1

WLAN 802.11 configuration 10-5

WLAN recommendations 10-5


H

headquarters/campus

deployment 4-8

I

IAPP

post-roam processes 7-4

IGMP

snooping 11-14

Inter Access Point Protocol. See IAPP.

interference sources 3-6

interframe spaces

802.11 6-4

Internet Group Management Protocol. See IGMP.

IP multicast

case study 11-14

controlling via APs 8-2

controlling via bridging P2P WLAN 8-3

WLAN configuration 8-2

WLAN considerations 8-4

WLAN recommendations 8-1

J

jitter 6-3

L

latency 6-3

Layer-2 roaming

compared with Layer-3 roaming 11-12

considerations 7-8

domain sizing 7-10

events 7-5

implementation recommendations 7-10

nomadic roaming 11-12


overview 7-3

primer 7-4

process 7-7

process overview 7-4

recommendations 7-9

LEAP. Please refer to EAP-Cisco (renamed).

Lightweight EAP. See LEAP.

links and references 1-8

loss 6-3

M

Message Integrity Check. See MIC.

MIC

WEP 1-3, 4-2, 4-3, 4-5

modes of operation

ad-hoc mode 1-7

infrastructure mode 1-7

multicast

traffic 1-6

N

native VLAN

configuration 5-7

SSID 5-7

network performance

QoS 6-4

O

OFDM

802.11a 2-12

Orthogonal Frequency Division Multiplexing. See OFDM.

P

PEAP 4-2, 4-8, 4-9


performance considerations 3-5

PIFS 6-5

PKI

EAP-TLS 4-9

planning

RF deployment 2-13

Point Interframe Space. See PIFS.

prioritization

appliance-based 6-13

class-map based 6-14

CoS-based 6-13

VLAN-based 6-15

product selection

AP 3-11

client adapter 3-12

summary 3-11

wireless bridge 3-14

workgroup bridge 3-13

Protected EAP. See PEAP.

Public-Key Infrastructure. See PKI.

Q

QBSS

Information Element 6-11

QoS

advertisement 6-11

case study 11-14

combining requirements 6-15

downstream and upstream 6-3

EDCF 6-2

jitter 6-3

latency 6-3

loss 6-3

network performance 6-4

overview 6-1

parameters 6-3

retries 6-7

wireless considerations 6-2


wireless deployment guidelines 6-17

wireless deployment schemes 6-2

QoS advertisement

Cisco IOS 6-11

VxWorks 6-11

QoS Basic Service Set. See QBSS.

Quality of Service. See QoS.

R

radio frequency (RF). See RF.

RADIUS

SSID 5-8

user attributes, SSID access control 5-9

user attributes, VLAN-ID 5-9

VLAN access control 5-8

random backoff

averages (figure) 6-10

DCF 6-5

range considerations

802.11a/802.11b comparison 3-7, 3-10

antenna considerations 3-8

signal propagation 3-8

recommendations

guest WLAN 10-5

Layer-2 roaming 7-9

regulations

RF 2-2

Remote Authentication Dial-In User Service. See RADIUS.

RF

basics 2-1

best practices 2-13

channel selection 2-5

deployment planning 2-13

dual-band deployment (diagram) 2-8

environmental considerations 2-18

fine tuning 2-5

IEEE standards 2-9


regulations 2-2

spectrum implementation 2-11

roaming

caveats 7-3

characteristics 7-3

Cisco AVVID design notes 7-9

design 7-3

Layer 2 7-3

Layer-2 considerations 7-8

Layer-2 events 7-5

Layer-2 process 7-7

overview 7-2

recommendations 7-9

rogue AP

case study notes 11-11

Catalyst switch filters 9-10

detecting with Boingo 9-12

detecting with MAC addresses 9-16

detecting with OS 9-17

detection overview 9-11

physical detection 9-19

physical security 9-7

policy 9-7

port-based security 9-7

preventing 9-7

scope of problem 9-2

wired network detection 9-15

wireless analyzers (table) 9-13

wireless detection 9-12

router

case study notes 11-16

S

security

additional considerations 4-13

options and recommendations 4-7

overview of models 4-1

policy 2-17


static WEP keys 4-5

VLAN 4-7

WLAN LAN Extension 802.1x/EAP 4-2

WLAN LAN Extension IPSec 4-3

Service Set Identifier. See SSID.

Short Interframe Space. See SIFS.

SIFS 6-5

signal propagation 3-8

spectrum implementation

DSSS 2-11

SSID

guest network configuration 10-12

mapped to VLAN 5-3

native VLAN 5-7

primary 5-8

RADIUS 5-8

secondary 5-8

VLAN configuration 5-6

standards

RF 2-9

T

technology

selection 3-1

technology selection

summary 3-9

Temporal Key Integrity Protocol. See TKIP.

throughput

client density 2-16

throughput considerations 3-4

TKIP

WEP 1-3, 4-2, 4-3, 4-5

topology

guest network 10-7

traffic

broadcast 1-6

multicast 1-6

unicast 1-5


traffic classification

process 6-9

Triple Data Encryption Standard. See 3DES.

U

unicast

traffic 1-5

upstream

QoS 6-3

V

Virtual Local Area Network. See VLAN.

VLAN

AP support 4-7

background 5-1

best practices, wired infrastructure 5-13

broadcast domain segmentation 5-7

configuring wireless parameters 5-6

deployment guidelines 5-10

guest WLAN 10-6

native VLAN configuration 5-7

RADIUS 5-8

rules, wireless deployment 5-13

SSID configuration 5-6

SSID mapping 5-3

wireless deployment criteria 5-10

wireless deployment overview 5-3

wireless example 5-11

wireless features 5-6

wireless introduction 5-3

WLAN security 4-7

VPN

WLAN LAN Extension IPSec 4-4

VxWorks

EDCF deployment 6-13

QoS advertisement 6-11


wireless QoS deployment 6-2

W

WEP

limitations 4-8

MIC 1-3, 4-2, 4-3, 4-5

security vulnerabilities 4-6

static keys 4-5

TKIP 1-3, 4-2, 4-3, 4-5

WLAN LAN Extension 802.1x/EAP 4-2

Wi-Fi Protected Access. See WPA.

Wired Equivalent Privacy. See WEP.

wired infrastructure

best practices 5-13

wired LAN

compared to WLAN 1-5

wireless bridge

product selection 3-14

Wireless LAN Solution Engine. See WLSE.

wireless local area network

See WLAN.

WLAN

802.11a 3-2

802.11b 3-1

ad-hoc mode 1-7

architecture 1-5

benefits 1-1

branch deployment 4-12

capacity considerations 3-2

case study 11-1

compared to wired LAN 1-5

configuring guest WLAN 10-7

coverage requirements 2-17

data rate considerations 3-3

data rates 2-13

design characteristics 1-3

design overview 1-2

guest network 10-1


headquarters/campus deployment 4-8

infrastructure mode 1-7

interference sources 3-6

IP multicast 8-1

modes of operation 1-7

native VLAN configuration 5-7

performance considerations 3-5

product selection considerations 3-11

QoS considerations 6-2

range considerations 3-7

roaming 7-2

rules, wireless VLAN 5-13

security considerations 4-13

security models 4-1

security options and recommendations 4-7

standards, competing 3-1

technology selection 3-1

throughput considerations 3-4

VLAN configuration 5-6

VLAN deployment overview 5-3

VLAN example 5-11

wireless VLAN features 5-6

wireless VLAN introduction 5-3

WLAN LAN Extension

802.1x/EAP 4-2

IPSec 4-3

WLAN LAN Extension 802.1x/EAP

authorization 4-2

WLAN LAN Extension IPSec

3DES 4-4

authorization 4-4

VPN 4-4

WLSE

case study example 11-11

workgroup bridge

product selection 3-13

WPA

future support 4-2
