Copyright © 2006, Cisco Systems, Inc. All rights reserved.
Cisco Wireless LAN Fundamentals (CWLF) v1.0

Table of Contents

Volume 3

Module 8: Cisco Wireless Mesh Network Installation
  Lesson 1: Introducing Wireless Mesh Networking 8-3
    Overview 8-3
    Wireless Mesh Networking 8-4
    Outdoor Wireless Mesh Solution Components 8-5
    Adaptive Wireless Path Protocol 8-7
    Mesh Applications 8-9
    Lesson Self-Check 8-12
    Summary 8-14
  Lesson 2: Introducing the Cisco Aironet 1500 Series Lightweight Outdoor Mesh Access Point 8-15
    Overview 8-15
    The Cisco Aironet 1500 Series 8-17
    Power Solutions 8-18
    Controller Intelligence 8-20
    Mesh Management 8-23
    Lesson Self-Check 8-27
    Summary 8-29

Module 9: Security
  Lesson 1: Introducing 802.11 Security 9-3
    WLAN Security 9-4
    Wired Equivalent Privacy 9-8
    Enhanced 802.11 Security 9-11
    Wi-Fi Protected Access 9-21
    Advanced Encryption Standard Encryption 9-36
    Lesson Self-Check 9-37
    Summary 9-39
  Lesson 2: Defining Vulnerabilities of WLAN Security 9-41
    Overview 9-41
    Basic 802.11 Security Concerns 9-42
    Documented WEP Attacks 9-45
    Passive and Active Attacks 9-46
    Lesson Self-Check 9-51
    Summary 9-53
  Lesson 3: Introducing Cisco Wireless Security Suite 9-55
    Strong Authentication 9-56
    Cisco LEAP 9-58
    EAP-FAST 9-63
    EAP-PEAP 9-67
    EAP-TLS 9-73
    Lesson Self-Check 9-78
    Summary 9-80
  Lesson 4: Configuring Cisco Secure ACS 9-81
    Overview 9-81
    Network Configuration 9-82
    System Configuration 9-86
    External User Database 9-90
    Group Setup 9-95
    User Setup 9-98
    Lesson Self-Check 9-106
    Summary 9-108
  Lesson 5: Configuring Encryption and Authentication on Autonomous Access Points 9-109
    Overview 9-109
    Securing the Access Point 9-111
    Configuring the Access Point for Encryption and Authentication 9-116
    Non-Root Device Configuration 9-124
    Configuring MAC Authentication 9-127
    Configuring the Client for Authentication and Encryption 9-129
    Lesson Self-Check 9-138
    Summary 9-140
  Lesson 6: Configuring Encryption and Authentication on Lightweight Access Points 9-141
    Overview 9-141
    Security Policy Considerations 9-143
    Open Authentication 9-144
    Pre-Shared Key Authentication 9-145
    Web Authentication 9-147
    Public Key Infrastructure 9-152
    802.1X 9-157
    VPN 9-160
    Cranite WirelessWall 9-170
    Airfortress Secure Client 9-172

Module 10
    Possible Problem Areas 10-16
    Common Questions 10-17
    Access Point Placement Guidelines 10-19
    Enterprise Wireless Planning 10-20
    Documentation 10-22
    Lesson Self-Check 10-32
    Summary 10-35
    Preassessment Form 10-35
  Lesson 2: Performing a Site Survey 10-39
    Overview 10-39
    Preparation 10-40
    Access Point Placement 10-41
    Coverage Parameters 10-44
    Environmental Effects 10-49
    Survey Mistakes 10-51
    Lesson Self-Check 10-55
    Summary 10-57

Module 11: Manual Site Survey Tools and Utilities
  Lesson 1: Identifying Site Survey Tools 11-3
    Overview 11-3
    Types of Access Points 11-4
    Correct Surveying Equipment 11-5
    Client Cards 11-7
    Antennas 11-8
    Antenna Cable Loss 11-10
    Recommended Site Survey Equipment 11-11
    Cisco Wireless Site Survey Kit 11-17
    Lesson Self-Check 11-19
    Summary 11-22
  Lesson 2: Using Site Survey Utilities 11-23
    Overview 11-23
    Cisco Site Survey Tool 11-24
    Cisco Aironet Site Survey Utility 11-25
    AirMagnet Survey Pro Tool 11-32
    Cisco IP Phone 7920 Site Survey Tool 11-35
    Access Point Configuration 11-37
    Access Point Statistics 11-40
    Cisco 1000 Series Lightweight Access Point 11-42
    Lesson Self-Check 11-43
    Summary 11-45
  Lesson 3: Using AirMagnet Site Survey Tool for a Manual Survey 11-47
    Overview 11-47
    Determining DSA Coverage 11-48
    DSA Coverage Audit 11-52
    Using the AirMagnet Site Survey 11-56
    Add an Access Point Icon 11-66
    Site Viewer Display Modes 11-69
    Lesson Self-Check 11-79
    Summary 11-81
Module 8: Cisco Wireless Mesh Network Installation

Objectives
• Define wireless mesh networking and concepts
• Define the components, features, and functionality of the Cisco Aironet 1500 Series

Lesson 1: Introducing Wireless Mesh Networking

Objectives
• Define wireless mesh networking
• Identify Cisco wireless mesh networking components
• Define Adaptive Wireless Path Protocol
• Identify wireless mesh applications
Wireless Mesh Networking
This topic defines wireless mesh networking.

Wireless Mesh Networking Defined
• Mesh is a network topology where devices are connected with many redundant connections between nodes.
• The Internet is a good example of a mesh network.
Mesh networking infrastructure is decentralized and inexpensive, as each node need only transmit as far as the next node. Nodes act as repeaters to transmit data from nearby nodes to peers that are too far away to reach, resulting in a network that can span a large distance, especially over rough or difficult terrain.
Mesh networks are also extremely reliable, as each node is connected to several other nodes. If one node drops out of the network, due to hardware failure or any other reason, its neighbors simply find another route. Extra capacity can be installed by simply adding more nodes.
A wireless mesh is a mesh network like any other. Connections between access point nodes are formed with a radio. This allows many possible paths from a given node to other nodes. Paths through the mesh network can change in response to traffic loads, radio conditions, or traffic prioritization.
Wireless mesh networks differ from other wireless networks in that only a subset of the nodes need to be connected to the wired network. The network can cover more distance by using nodes that are not connected to the wired network.
Outdoor Wireless Mesh Solution Components
This topic identifies Cisco wireless mesh components.

Outdoor Wireless Mesh Solution Components
Cisco Wireless Control System
• Wireless Mesh management system
• Enables wide policy configuration and device network-management
• Supports SNMP and Syslog
Cisco Wireless LAN Controller
• Links the Wireless Mesh Access Points to the wired network
• Handles RF algorithms and optimization
• Seamless Layer 3 mobility
• Provides security and mobility management
Access Point, Roof-top
• Serves as Root or Gateway access point to the wired network
• Typically located on roof-tops or towers
• Connects up to 32 pole-top access points using 802.11a
Access Point, Pole-top
• Provides 802.11b/g client access
• Connects to root access point via 802.11a
• Takes AC or DC power; PoE capable
• Ethernet port for connecting peripheral devices
The Cisco Lightweight Access Point Protocol (LWAPP)-Enabled Mesh Networking Solution enables two or more indoor and/or outdoor Cisco LWAPP-enabled mesh access points to communicate with each other over one or more wireless hops to join multiple LANs or to extend IEEE 802.11b wireless coverage. Cisco LWAPP-enabled mesh access points are configured, monitored, and operated from and through any Cisco Wireless LAN Controller deployed in the Cisco Mesh Networking Solution.
The wireless mesh solution is based on the Cisco Unified Wireless Networking Solution. That solution consists of several components:
• Cisco Wireless Control System (WCS): Easy-to-use and intuitive software for wireless mesh management. Enables network-wide policy configuration and device management. WCS provides the overall view of the wireless mesh. WCS supports Simple Network Management Protocol (SNMP) and syslog.
• Cisco Wireless LAN Controllers: The controller is the part of the solution that allows for the unique integrated architecture whereby you have a systems-level view of the network, so that you are not focusing on individual access points but rather on what all of them look like together. Each access point is a radio frequency (RF) emitting device. Managing a large number of these devices while mitigating interference requires a systems-level view of the network. This systems-level view is also critical when managing security and ensuring Layer 3 mobility.
— Roof-top access points (RAPs): This access point is connected to the wired network, and serves as root or gateway to the wired network.
— Pole-top access points (PAPs): The PAPs are the remote access points.
Operating Mode
The Cisco Aironet 1500 Series Lightweight Access Point Protocol (LWAPP)-enabled outdoor mesh access points can be operated in one of the following roles:
• RAPs have a wired connection back to a Cisco Wireless LAN Controller. They use the backhaul wireless interface to communicate with neighboring PAPs. RAPs are the parent node to any bridging or mesh network and connect a bridge or mesh network to the wired network. RAPs are typically located on roof-tops or towers, and can connect up to 32 pole-top access points. During boot up, an access point will try to become a RAP if it is connected to the wired network. Conversely, if a RAP loses its wired network connection, it will attempt to become a PAP and will search for an appropriate RAP.

Note: Do not connect a RAP directly to a Cisco Wireless LAN Controller. A switch or router between the Cisco Wireless LAN Controller and the RAP is required because Cisco Wireless LAN Controllers do not forward Ethernet traffic coming from an LWAPP-enabled port. RAPs can work in Layer 2 or Layer 3 LWAPP mode.

• PAPs have no wired connection to a Cisco Wireless LAN Controller. They can be completely wireless, supporting clients which are communicating to other PAPs or RAPs, or they can be wired and serve as a bridge to a remote wired network. These access points are not connected to the wired network, but rely on the RAP to provide a gateway to the wired network. These units are typically installed in places where you cannot provide a wired connection, but you can
Adaptive Wireless Path Protocol
This topic defines Adaptive Wireless Path Protocol.

Adaptive Wireless Path Protocol
• Adaptive Wireless Path (AWP) protocol establishes an optimal path to root
• Each access point carries feasible successor or successors if topology or link health changes
• AWP uses a "parent sticky" value to mitigate route flaps
Figure callout: Controller
Each access point runs the Adaptive Wireless Path (AWP) Protocol. This is a new protocol that was designed from the ground up specifically for the wireless environment. This protocol allows APs to communicate with each other to determine the best path back to the wired network. Once the optimal path is established, AWP continues to run in the background to establish alternative routes back to the RAP if the topology changes or conditions cause the link strength to diminish.
This protocol takes into consideration things like interference and characteristics of the radio so that the mesh can be self-configuring and self-healing. AWP has the ability to consider all elements of the wireless environment that need to be considered so that the mesh network is not disruptive and provides consistent coverage.
Wireless is a very dynamic environment. When there is interference or if access points are added or removed, the AWP protocol reconfigures the path back to the rooftop access point.
Since wireless is a very dynamic environment, AWP uses a stickiness factor to mitigate route flaps. This will ensure that an event, such as a large truck passing through the mesh causing a temporary disruption, does not allow the mesh to change unnecessarily.
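As an added illustration (not part of the Cisco course material and not Cisco's AWP implementation), the following Python simulation shows how a least-cost parent choice combined with a "parent sticky" margin suppresses route flaps: a brief SNR dip on the current parent's link (the passing truck) is tolerated, a sustained loss causes a re-parent, and a recovered link does not immediately pull the access point back. The cost formula, the neighbor fields, the bridge-group filter and the scan data are constructed assumptions; the hop limits are the ones this module states for the mesh (8 hops supported, 3 to 4 recommended).

```python
"""Simulation of AWP-style parent selection with a 'parent sticky' margin.

Constructed example: the cost model and neighbor data are assumptions, not
Cisco's real AWP metric. Hop limits are those the course gives for the mesh.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_HOPS = 8              # deepest path the mesh supports
RECOMMENDED_MAX_HOPS = 4  # beyond this, per-hop throughput loss becomes significant


@dataclass(frozen=True)
class Neighbor:
    mac: str
    bridge_group: str
    hops_to_rap: int  # how many wireless hops the neighbor itself is from its RAP
    snr_db: float     # SNR of our backhaul link to this neighbor, as last measured


def path_cost(n: Neighbor) -> float:
    """Assumed cost: hops via this neighbor plus a penalty for a weak link.

    A link at 30 dB or better adds no penalty; a 0 dB link adds 3 hops' worth.
    """
    hops = n.hops_to_rap + 1
    snr_penalty = max(0.0, 30.0 - n.snr_db) / 10.0
    return hops + snr_penalty


def feasible(n: Neighbor, bridge_group: str) -> bool:
    """A parent must share our bridge group and keep us within the hop limit."""
    return n.bridge_group == bridge_group and n.hops_to_rap + 1 <= MAX_HOPS


def choose_parent(current: Optional[Neighbor], scan: List[Neighbor],
                  bridge_group: str, sticky: float = 1.0) -> Optional[Neighbor]:
    """Pick the least-cost feasible parent, but keep the current one unless an
    alternative beats it by more than `sticky` (the hysteresis that stops flaps)."""
    candidates = [n for n in scan if feasible(n, bridge_group)]
    if not candidates:
        return None
    best = min(candidates, key=path_cost)
    if current is None:
        return best
    # Re-evaluate the current parent from the fresh scan (its SNR may have changed).
    refreshed = next((n for n in candidates if n.mac == current.mac), None)
    if refreshed is None:
        return best  # parent disappeared or lost its own path: re-parent at once
    if path_cost(refreshed) - path_cost(best) > sticky:
        return best
    return refreshed


def simulate_scans(scans: List[List[Neighbor]], bridge_group: str,
                   sticky: float = 1.0) -> List[Optional[Neighbor]]:
    """Run successive scans and return the parent chosen after each one."""
    parent: Optional[Neighbor] = None
    history: List[Optional[Neighbor]] = []
    for scan in scans:
        parent = choose_parent(parent, scan, bridge_group, sticky)
        history.append(parent)
    return history


def depth_warning(parent: Optional[Neighbor]) -> bool:
    """True when the chosen path exceeds the recommended 3-4 hop depth."""
    return parent is not None and parent.hops_to_rap + 1 > RECOMMENDED_MAX_HOPS


def constructed_scans() -> List[List[Neighbor]]:
    """Five backhaul scans (constructed data). A is one hop from the RAP, B two.
    Scans 2 and 3 model a passing truck briefly blocking the link to A."""
    def a(snr: float) -> Neighbor:
        return Neighbor("A", "city", 1, snr)

    def b(snr: float) -> Neighbor:
        return Neighbor("B", "city", 2, snr)

    other_group = Neighbor("X", "other", 0, 40.0)  # a RAP, but in another bridge group
    too_deep = Neighbor("D", "city", 8, 40.0)       # would put us at hop 9
    return [
        [a(35.0), b(35.0), other_group, too_deep],
        [a(15.0), b(35.0), other_group, too_deep],  # truck: link to A degraded
        [a(5.0), b(35.0), other_group, too_deep],   # truck: link to A almost gone
        [a(35.0), b(35.0), other_group, too_deep],  # truck has passed
        [a(35.0), b(20.0), other_group, too_deep],  # B is now the weaker link
    ]


def parent_trace(sticky: float) -> List[str]:
    """MAC of the parent chosen after each constructed scan ('-' if none)."""
    return [p.mac if p else "-" for p in simulate_scans(constructed_scans(), "city", sticky)]


if __name__ == "__main__":
    print("sticky=1.0:", parent_trace(1.0))  # brief dip tolerated, no flap back
    print("sticky=0.0:", parent_trace(0.0))  # every change of cost causes a re-parent
```

With the sticky margin the access point only moves once, when the link to A has genuinely collapsed, and stays on B until A is clearly better again; with the margin set to zero it re-parents on every scan where costs cross, which is the flapping the course warns about.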
Multiple Radios for Wireless Backhaul and Access
Each mesh access point has multiple radios:
• 802.11b/g - access; 5 GHz - backhaul
• Hardware support for 4.9 GHz public safety band
A variety of antennas will be supported, including:
• 2.4 GHz - 5.5-dBi omni with N-type connector
• 4.9-5.8 GHz - 7.5-dBi 5 GHz omni with N-type connector
• 5.8 GHz - 9.5-dBi sector with N-type connector
• Additional directional and 4.9 GHz antennas coming
Figure callouts: 5 GHz, 4.9 GHz, 2.4 GHz radios

Multiple radios allow the access points to be deployed in a pico cell configuration. A pico cell configuration is used to size down an individual access point's coverage area. This allows for a minimum of interference while maintaining capacity across the mesh.
Each access point is hardware-ready to support the public safety band. Software support will allow licensed users to upgrade and configure access points to work in this band.
Mesh Applications
This topic identifies mesh applications.

Wireless Mesh Applications
• Mesh access points automatically establish connection to controller
— Roof-top access points (RAP) connect via wired connection
— Pole-top access points (PAP) connect via self-configuring backhaul connection
• AWP protocol establishes best path to root
• Access point authenticates to controller and downloads configuration and radio parameters
Figure callouts: Controller, RAP, PAP, PAP (Cisco uses pole-top access points)

Mesh applications may be used to provide wireless coverage throughout a campus, manufacturing environment, or city. Deploying pole-top access points allows the network to extend beyond the typical boundaries that would require each access point to be wired to the LAN. The Cisco AWP protocol allows each device to find a way back to the wired roof-top access point and thus to the network.
Access points are authenticated as they join the network, allowing the controller to send configuration parameters.
Applications – Indoor / Outdoor Mesh
• Indoor to Outdoor Mesh
• Indoor Mesh is possible with REAP access points (AP1030)
• Allows multiple hops
Figure callouts: Controller; AP1030 (REAP AP); Indoor Mesh

The Cisco Aironet 1500 Series can be used in the indoor-to-outdoor mesh topology to provide connectivity between indoor and outdoor clients and devices. Likewise, an indoor mesh is possible with one hop between the wireless access point and the wired access point.
Key Market Segments for Outdoor Wireless
• Connecting peripheral devices across the mesh
• Establishing hot zones for public safety or municipal departments
Service provider
• Hot Spots become hot zones with Wi-Fi access
Enterprise

Outdoor wireless applications include:
• Universities and Healthcare: Extending Wi-Fi coverage throughout the entire campus. Providing access to administration, students and facilities managers.
• Hospitality: Indoor and outdoor mesh can open up new hospitality markets.
• Manufacturing: Shipping and receiving, inventory applications, hand-held scanners, radio frequency identification (RFID), and so on.
• Large Corporate Campuses: Creating "blanket" coverage for access and asset tracking.
• Utilities: Vehicle fleets and sensor networks.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and solutions are found in the Lesson Self-Check Answer Key.

Q1) Which Mesh access point serves as the root or gateway to the network? (Choose one.) (Source: Outdoor Wireless Mesh Components)
    A) Rooftop access point
    B) Pole-top access point
    C) 1310
    D) 1400

Q2) Cisco Mesh access points use what protocols? (Choose two.) (Source: Outdoor Wireless Mesh Components)
    A) Wireless LAN Context Control Protocol
    B) Lightweight Access Point Protocol
    C) Wireless Domain Services
    D) Adaptive Wireless Path Protocol

Q3) What frequency does the Public Safety Band operate in? (Source: Outdoor Wireless Mesh Components)

Q4) The Adaptive Wireless Path Protocol (AWP) establishes an optimal path to the root. (Source: Adaptive Wireless Path)
    A) True
    B) False

Q5) The Cisco Mesh access point can be used as a bridge radio. (Source: Mesh Applications)
    A) True
    B) False
Lesson Self-Check Answer Key
Summary
This topic summarizes the key points discussed in this lesson.

Summary
• Wireless mesh networks differ from other wireless networks in that only a subset of the nodes need to be connected to the wired network.
• A wireless mesh network can cover more distance by using nodes that are not connected to the wired network.
• The Adaptive Wireless Path was created for wireless mesh networks, and takes into consideration things like interference and characteristics of the radio so that the mesh can be self-configuring and self-healing.

Wireless mesh networks differ from other wireless networks in that only a subset of the nodes need to be connected to the wired network. A wireless mesh network can cover more distance by using nodes that are not connected to the wired network. The Adaptive Wireless Path was created for wireless mesh networks, and takes into consideration things like interference and characteristics of the radio so that the mesh can be self-configuring and self-healing.
Lesson 2: Introducing the Cisco Aironet 1500 Series Lightweight Outdoor Mesh Access Point

Objectives
• Define mesh networking
• Explain the power options available on the Cisco Aironet 1500 Series
• Define zero-touch configuration of the Cisco Wireless LAN Controller
• Identify specific intelligent RF capabilities managed by Cisco Wireless LAN Controllers
The Cisco Aironet 1500 Series
This topic defines mesh networking.

Cisco Aironet 1500 Series Lightweight Outdoor Mesh Access Point
Power
• Street light power tap
• DC power over CAT 5 (48-VDC)
• 110 AC/48 VDC power
Wind Loads
• Sustained: 100 mph
• Gusts: 160 mph
Temperature ranges
Figure callouts: 48-VDC Ethernet; 5-GHz N-connector; 2.4-GHz N-connector; 2.4 and 5.7 GHz bi-directional amplifiers; weatherproof outdoor enclosure; room for expansion; AC power; antenna ports; 5312 Brd

The Cisco Aironet 1500 Series is designed specifically for outdoor environments. The low-profile access point is roughly the size of a shoebox and blends in to public environments. A swiveling mount allows the access point to be manipulated in both horizontal and vertical directions for a variety of flexible installation options.
The casing is strenuously tested to ensure that water will not penetrate the housing. The outdoor access point is a sealed unit, and may not be opened in the field, or it may become a hazard. If the seal breaks on an outdoor access point, return it to Cisco for a replacement.
Power Solutions
This topic explains the power options available on the Cisco Aironet 1500 Series.

Powering - Local Power
The rooftop outdoor access point receives inline power from the Cisco Aironet power injector or from a 110- to 220-VAC power source. The pole-top access point uses a street light adapter: a 3-prong National Electrical Manufacturers Association (NEMA) twist-lock adapter that installs between the outdoor lighting control and its fixture. The NEMA twist-lock adapter is designed to be used with UL 773 listed outdoor lighting controls operating at and rated for 100 to 240 VAC, 50/60 Hz.
When powered by 100- to 240-VAC 50/60 Hz, connect this equipment only to a twist-lock outdoor lighting control. Do not connect it to a twist-lock outdoor lighting control powered by higher voltages.
When powering the product with AC power other than the street lamp power option, the power plug should be installed where it can be conveniently accessed to de-energize the unit (power should not be removed by disconnecting the AC power connector at the equipment itself) and where it is not subjected to water or the outdoor elements. This may be accomplished by the use of UL listed power receptacles, such as Ground-Fault Circuit Interrupters (GFCIs), provided with UL listed waterproofing covers suitable for covering the receptacle and plugs with the plugged-in equipment in use.
When installing the Cisco-supplied street light adapter to the outdoor access point AC power connector, always connect the outdoor access point end of the cable first. When removing the Cisco-supplied street light adapter, always disconnect the outdoor access point end of the cable last.
Powering - Over Ethernet
• 48-VDC Power over Ethernet
• For indoor installation
• Inserts the power onto Ethernet (no regeneration of power)
• Input 100-240 V AC ~ 1.5 A, Output 48 V, 1.2 A
• Total length limit of input and output cables is 330 feet
Figure callouts: modular IEC cable; military-spec connector; POWER

as inside a building. The power injector also functions as an Ethernet repeater by connecting to a Category 5 LAN backbone and using the Ethernet cable interface to the outdoor access point. The power injector uses an external 48-VDC power module and injects the DC voltage into the Ethernet cables to power the outdoor access point.
When you are installing the outdoor access point with an Ethernet cable, and powering through that cable, the outdoor access point must be reliably grounded using an external ground. The power injector and the power module should not be placed in an unprotected outdoor environment.
Controller Intelligence
This topic defines zero-touch configuration of the Cisco Wireless LAN Controller.

Zero-Touch Configuration
When using zero-touch, the access point will complete a series of configuration tasks:
• Establish radio role (RAP or PAP)
• Perform backhaul interface and channel discovery
• Establish data rate
• Create a temporary secure connection
• Create a secure LWAPP connection
• Perform connection maintenance

The goal for the Cisco Aironet 1500 Series is to establish a secure zero-touch configuration. If you have enabled zero-touch configuration on the Cisco Wireless LAN Controller, the Cisco Aironet 1500 Series does the following to accomplish a secure zero-touch configuration:
• When a Cisco Aironet 1500 Series is first installed, it attempts to establish its role automatically. If it has a wired connection to a Cisco Wireless LAN Controller, it assumes the role of the roof-top access point (RAP); otherwise it becomes a pole-top access point (PAP).
• Next, the Cisco Aironet 1500 Series determines the backhaul interface and channel.
— If it is a RAP, it already has a secure LWAPP connection to the Cisco Wireless LAN Controller and uses the configured RAP backhaul interface (Default: IEEE 802.11a) to connect to pole-top access points.
— If it is a PAP, it scans the backhaul interfaces and channels for neighbor Cisco Aironet 1500 Series access points. When it finds a neighbor with the same bridge group name and a path back to the Cisco Wireless LAN Controller, it makes that access point its parent. If the PAP finds more than one Cisco Aironet 1500 Series, it uses a least-cost algorithm to determine which parent has the best path back to the Cisco Wireless LAN Controller.
— Typical mesh access-point separation in a suburban environment should be about 300 to 350 feet for best behavior in the mesh environment.
• All the Cisco Aironet 1500 Series access points use the configured data rate (Default: 18 Mbits per second).
• To set up a secure LWAPP connection with the Cisco Wireless LAN Controller, the PAP sends its default shared secret key and MAC address to set up a temporary secured connection. The Cisco Wireless LAN Controller validates the MAC address against the allowed devices list, and if found, it sends the shared secret key to the PAP and disconnects. The PAP stores the shared secret key and uses it to set up a secure LWAPP connection.
• If a PAP loses connection to the Cisco Wireless LAN Controller, it searches for valid neighbors using the Cisco Aironet 1500 Series bridge group name and scans the backhaul interfaces and channels. When it finds a neighbor, it makes that access point its parent. If it already has a shared secret key, it uses that key and tries to set up a secure LWAPP connection to the Cisco Wireless LAN Controller. If the shared secret key does not work, it uses the shared default secret key and attempts to get a new shared secret key.
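The join sequence just described, modelled from the controller's side as an added Python example (this is illustration code written for this page, not Cisco's LWAPP implementation): role choice from the wired connection, the temporary connection with the default shared secret and MAC address, the allowed-devices check, the issue of a per-AP shared secret key, and the fallback to the default secret when a stored key no longer works. The class names, the event log, the key-rotation helper and the MAC addresses are constructed assumptions.

```python
"""Model of the zero-touch join sequence the course describes, seen from the
controller: role choice, MAC allowed-list check, per-AP key issue, and the
fallback to the default shared secret when a stored key stops working.

Constructed example; class names, the event log and the key rotation are
assumptions for illustration, not Cisco's LWAPP implementation.
"""
import hmac
import secrets
from typing import Dict, List, Optional, Set


class Controller:
    """Stand-in for the Cisco Wireless LAN Controller's mesh join logic."""

    def __init__(self, allowed_macs: Set[str], default_secret: str):
        self.allowed = {m.lower() for m in allowed_macs}
        self.default_secret = default_secret
        self.issued: Dict[str, str] = {}  # per-AP shared secret keys, by MAC
        self.events: List[str] = []       # what an operator would see in syslog
        self.temporary_connections = 0

    def temporary_connect(self, mac: str, presented_secret: str) -> Optional[str]:
        """Temporary secured connection: the AP presents the default secret and
        its MAC. Returns the AP's shared secret key if the MAC is allowed."""
        self.temporary_connections += 1
        mac = mac.lower()
        if not hmac.compare_digest(presented_secret, self.default_secret):
            self.events.append(f"REJECT {mac}: bad default secret")
            return None
        if mac not in self.allowed:
            self.events.append(f"REJECT {mac}: not in allowed devices list")
            return None
        key = self.issued.setdefault(mac, secrets.token_hex(16))
        self.events.append(f"ISSUE {mac}: shared secret key sent, disconnecting")
        return key  # the controller disconnects; the AP reconnects securely

    def secure_join(self, mac: str, key: str) -> bool:
        """Secure LWAPP join: only the key issued to this MAC is accepted."""
        mac = mac.lower()
        expected = self.issued.get(mac)
        ok = (expected is not None and mac in self.allowed
              and hmac.compare_digest(key, expected))
        self.events.append(f"{'JOIN' if ok else 'REJECT'} {mac}: secure LWAPP")
        return ok

    def rotate_key(self, mac: str) -> None:
        """Operator re-keys one AP (assumed action); its stored key stops working."""
        self.issued[mac.lower()] = secrets.token_hex(16)


class MeshAP:
    """Stand-in for a Cisco Aironet 1500 Series access point."""

    def __init__(self, mac: str, wired_to_controller: bool, default_secret: str):
        self.mac = mac
        self.wired = wired_to_controller
        self.default_secret = default_secret
        self.stored_key: Optional[str] = None

    def role(self) -> str:
        """Wired path to a controller -> RAP, otherwise PAP."""
        return "RAP" if self.wired else "PAP"

    def join(self, ctrl: Controller) -> str:
        # 1. Try the stored key first (a PAP that lost and regained its parent).
        if self.stored_key and ctrl.secure_join(self.mac, self.stored_key):
            return "joined"
        # 2. First boot, or the stored key no longer works: fall back to the
        #    default shared secret and fetch a key via a temporary connection.
        key = ctrl.temporary_connect(self.mac, self.default_secret)
        if key is None:
            return "rejected"
        self.stored_key = key
        return "joined" if ctrl.secure_join(self.mac, key) else "rejected"


def run_demo() -> Dict[str, object]:
    """Walk an allowed PAP, an unknown device and a re-keyed PAP through the join."""
    ctrl = Controller(allowed_macs={"00:0B:85:00:00:01"}, default_secret="factory-default")
    pap = MeshAP("00:0b:85:00:00:01", wired_to_controller=False, default_secret="factory-default")
    unknown = MeshAP("00:0b:85:ff:ff:ff", wired_to_controller=False, default_secret="factory-default")
    rap = MeshAP("00:0b:85:00:00:02", wired_to_controller=True, default_secret="factory-default")
    out: Dict[str, object] = {"rap_role": rap.role(), "pap_role": pap.role()}
    out["first_join"] = pap.join(ctrl)
    out["temp_after_first"] = ctrl.temporary_connections    # 1: key fetched once
    out["rejoin"] = pap.join(ctrl)
    out["temp_after_rejoin"] = ctrl.temporary_connections   # still 1: stored key reused
    out["unknown_device"] = unknown.join(ctrl)              # not on the allowed list
    ctrl.rotate_key(pap.mac)
    out["after_rotation"] = pap.join(ctrl)                  # stored key fails, default path
    out["temp_after_rotation"] = ctrl.temporary_connections  # 3: unknown device + re-key
    out["rejections"] = [e for e in ctrl.events if e.startswith("REJECT")]
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two points the simulation makes visible for a defender: the allowed-devices list is keyed on a MAC address, which is not a secret, so the control that actually gates the secure LWAPP connection is the per-AP shared secret key the controller issues and later checks; and every rejected temporary connection or failed secure join leaves an event, which is the record to watch for devices that attempt to join and are not on the list.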
Controller Intelligence
Automatic service load-balancing across wireless LAN controllers
• LWAPP communicates controller load to access points
Dynamic RF optimization
• Adaptive channel assignment
• Intelligent TX power levels
Integrated wireless intrusion detection system (IDS); per-user and VLAN traffic rate limiting
Figure callout: rogue AP (marked X)

This is an example of controller-based architecture. The Cisco Wireless LAN Controller provides intelligence that supports load-balancing across multiple controllers. Current controller traffic load information is communicated to access points that connect to the controller via LWAPP.
The controller architecture allows traffic rate limiting on a per-user or per-virtual LAN (VLAN) basis.
Mesh Management
This topic identifies specific intelligent RF capabilities managed by Cisco Wireless LAN Controllers.

Easily Adding Capacity and Services
Increase access point density: add root and gateway access points
• Pole-top access points will join new rooftop access points with better path metrics
Easily add controllers
• Up to 24 controllers can be part of an n+1 cluster
802.11e QoS capable + traffic rate limiting for "hog" mitigation
Architecture is ready for additional radios when extra capacity is required
Figure callouts: VLANs for Police, City, Public, Traffic
• 8 hops deep (3-4 recommended)
• 32 PAPs per RAP
• 24 controllers per cluster
• 16 MBSSIDs

The entire mesh architecture is designed to allow for easily adding access points and controllers to increase coverage and capacity. The Adaptive Wireless Path Protocol (AWP) will allow the network to self-heal and incorporate the new access points and controllers seamlessly.
It is designed to support 8 wireless hops back to the wired network; however, optimal performance is provided when the wireless hop count is no more than 3 to 4 hops. Throughput decreases with each hop encountered on the path back to the wired network.
As additional RAPs are added, pole-top access points will reconfigure their path utilizing a RAP with a better metric.
Quality of service (QoS) is supported to allow traffic rate-limiting to prevent traffic hogs. Multiple VLANs allow providers to segment based on user type.
Wireless Control System (WCS)
• Identical management software and RM features as indoor solution
• SOAP/XML interfaces for NMS integration
• Detailed access point, radio information including
— Noise and interference by channel
— Neighbors lists and RSSI detail
— Link metrics, PER, Tx/Rx detail
• Link test tools for RAP-to-PAP troubleshooting
• SNR and noise floor histograms
• Mesh map (Future)

Use of the Wireless Control System (WCS) software V3.2 or later allows for easy-to-use and intuitive management. WCS provides a number of benefits to a mesh deployment:
• Identical management system for indoor and outdoor access points
• Manage multiple controllers
• Detailed mesh, neighbor and link information
• Histograms of signal-to-noise ratio (SNR), noise floors, and so on
• Identify and avoid radio frequency (RF) interference
• Optimize the coverage area
• 7-day temporal link information
• Supports Simple Network Management Protocol (SNMP) and Syslog
• Identify and eliminate coverage holes
Mesh Network Link Graphs: what happened over time to the access point
Mesh Client Link Test: packets, error rates, signal strengths, noise

Enhancements to WCS specifically for mesh environments include:
• Mesh Statistics: Each access point communicates to the WCS and is able to display which parent it is connected to, what child access points it has, and what other neighbor access points are related to this access point. From a management perspective, this allows a view of the entire mesh.
• Mesh Network SNR Graphs: WCS has been modified to provide signal-to-noise ratio graphs. These graphs display link details, including uplink and downlink information.
• Mesh Network Link Graphs: WCS has also been modified to display graphical link graphs. This allows you to understand what has happened over time to the access point and its various links, and how it has decided to choose a parent based on that information.
• Mesh Client Link Test: The WCS provides client testing. This provides additional troubleshooting for an installation such as a service provider that is assisting a customer who has called in with a connection issue. Running a link test to the customer can help the service provider narrow down the possible causes of the issue.
• Secure control traffic between access point and controller
• IPSec VPNs for "confidential" mesh client traffic
• H/W AES for backhaul links
Figure callouts: Controller; VPNSM IPSec VPN

Over the backhaul, the access point will provide Advanced Encryption Standard (AES) encryption for traffic moving from one access point to another over the wireless link. From a network join perspective, each access point is authenticated as it joins the network. This authentication provides protection against non-authorized, imitation access points. An access point that is not authenticated is not allowed to join the wireless mesh.
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and solutions are found in the Lesson Self-Check Answer Key.
Q1) The Cisco Aironet 1500 Series can sustain wind loads of? (Choose one.) (Source: Cisco 1500 Series Hardware)
A) 50 mph
B) 100 mph
C) 120 mph
D) 160 mph
Q2) What is the optimum hop count in a wireless mesh network? (Choose one.) (Source: Controller Intelligence)
A) 1-2
B) 3-4
C) 5-6
D) 7-8
Q3) What is the maximum hop count supported in the Cisco wireless mesh network? (Source: Controller Intelligence)
Q4) What management system is used to manage the wireless mesh network? (Source: Mesh Management)
Q5) What encryption type is used for management traffic between the mesh access point and the controller? (Source: Mesh Management)
Lesson Self-Check Answer Key
Summary
This topic summarizes the key points discussed in this lesson.
Summary
• The Cisco Aironet 1500 Lightweight Access Point was designed specifically for outdoor environments, and can act as either a rooftop outdoor access point or a pole-top access point.
• When a Cisco Aironet 1500 Series access point is installed on the roof of a building, power can be supplied over Ethernet using a power injector. Power supplied at the top of street light poles is AC power. Use the Cisco Aironet street light adapter to plug the access point into this power source.
• The Cisco Aironet 1500 Series access points feature zero-configuration deployment. New Cisco Aironet 1500 Series access points can be added to the network without requiring onsite configuration.
• The 1500 includes a client access radio and a backhaul radio used to connect to other access points for network connectivity.
• Security from client to access point and between access points is fully supported.
The Cisco Aironet 1500 Lightweight Access Point was designed specifically for outdoor environments, and can act as either a rooftop outdoor access point or a pole-top access point. When a Cisco Aironet 1500 Series access point is installed on the roof of a building, power can be supplied over Ethernet using a power injector. Power supplied at the top of street light poles is AC power. Use the Cisco Aironet street light adapter to plug the access point into this power source. The Cisco Aironet 1500 Series access points feature zero-configuration deployment. New Cisco Aironet 1500 Series access points can be added to the network without requiring onsite configuration. The 1500 includes a client access radio and a backhaul radio used to connect to other access points for network connectivity. Security from client to access point and between access points is fully supported.
Module Summary
This topic summarizes the key points that were discussed in this module.
Module Summary
• The Cisco Wireless Mesh Network design is based primarily on the Cisco Aironet 1500 Series, which operates with Cisco Wireless LAN Controllers and Cisco WCS software, centralizing key functions of wireless LANs to provide management and mobility between indoor and outdoor deployments.
• Designed to support zero-configuration deployments, the Cisco Aironet 1500 Series easily and securely joins the mesh network, and can be managed and monitored through the controller and WCS software graphical interface or CLIs. Compatible with WPA2 and employing hardware-based AES encryption between wireless nodes, the Cisco Aironet 1500 Series provides end-to-end security.
The Cisco Wireless Mesh Network solution is based primarily on the Cisco Aironet 1500 Series, which operates with Cisco Wireless LAN Controllers and Cisco WCS software, centralizing key functions of wireless LANs to provide scalable management, security, and mobility between indoor and outdoor deployments. Designed to support zero-configuration deployments, the Cisco Aironet 1500 Series easily and securely joins the mesh network, and can be managed and monitored through the controller and WCS software graphical or command-line interfaces (CLIs). Compatible with WPA2 and employing hardware-based AES encryption between wireless nodes, the Cisco Aironet 1500 Series provides end-to-end security.
Describe the features and methods used to secure a WLAN
Describe various attacks that may occur and the inherent vulnerabilities of 802.11 technology
Describe how to select an appropriate approach to security from strong authentication, LEAP, PEAP, EAP-TLS, WPA, IPSec, and mixed deployments
Describe how to configure the Cisco Secure ACS to provide 802.1X authentication for Cisco WLAN devices
Describe how to configure a core feature set WLAN for encryption and authentication
Describe how to configure an advanced feature set WLAN for encryption and authentication
Describe the importance of WLAN security and the main methods used to secure a WLAN
Describe basic 802.11 security using WEP, and distinguish between open authentication and shared key authentication
Describe how enhanced 802.11 security improves on basic 802.11 security
Describe the WPA authentication characteristics and process, and the additional features of TKIP and the Michael MIC
Describe the features of AES encryption
WLAN Security
This topic describes the importance of WLAN security and the main methods used to secure a WLAN.
Evolution of Wireless LAN Security
INITIAL / INTERIM / PRESENT
First Generation Encryption (WEP):
• No strong authentication
• Static, breakable keys
• Not scalable
Wi-Fi Protected Access (WPA):
• Standardized
• Improved encryption
• Strong, user-based authentication (e.g., LEAP, PEAP, EAP-FAST)
• WPA2 provides stronger encryption through AES
The figure shows the evolution of wireless LAN (WLAN) security.
Initially, IEEE 802.11 security relied on static keys for both encryption and, if used, authentication. The authentication method was not strong, and the keys were eventually compromised. Because the keys were administered statically, this method of security was not scalable to large enterprise environments.
Cisco introduced enhancements that allowed the use of IEEE 802.1X authentication protocols and dynamic keys. Cisco also introduced methods to overcome the exploitation of the encryption keys.
The IEEE 802.11 committee began the process of upgrading the security of the WLAN. The Wi-Fi Alliance introduced Wi-Fi Protected Access (WPA) as an interim solution that was a subset of the expected 802.11i security standard for WLANs, using 802.1X authentication and improvements to WEP encryption.