Cisco Wireless LAN Advanced Topics
Copyright © 2006, Cisco Systems, Inc. All rights reserved.
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica Croatia • Czech
Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary
India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands
New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey Ukraine •
United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
Copyright © 2006, Cisco Systems, Inc All rights reserved CCIP, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Fast Step, Follow Me Browsing, FormShare, Internet Quotient, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation,
Enterprise/Solver, EtherChannel, EtherSwitch, GigaStack, IOS, IP/TV, LightStream, MGX, MICA, the Networkers
logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, StrataView Plus,
Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0201R)
Cisco Wireless LAN Advanced Topics (CWLAT) v1.0
Table of Contents
Volume 1
Course Introduction 1
Overview 1
Course Goal and Objectives 3
Course Flow 4
Additional References 5
Cisco Unified Wireless Network Concepts 1-1
Describing Cisco Aironet Autonomous Access Points 1-3
Overview 1-3
Features and Components 1-4
Cisco Integrated Services Routers 1-16
Lesson Self-Check 1-19
Summary 1-21
Describing the Cisco Unified Wireless Network 1-23
Overview 1-23
Dynamic RF Management 1-25
Security and VLANs 1-26
Link Aggregation 1-31
Guest Tunnel and Anchor Mobility 1-39
Dynamic Frequency Selection 1-56
QoS 1-72
Multicast 1-86
WiSM 1-93
Cisco Wireless LAN Controller Module 1-99
Cisco Enhanced Security Module 1-108
Mesh Support 1-112
Lesson Self-Check 1-114
Summary 1-116
Describing WLAN Controller and Lightweight Access Point Architecture 1-117
Overview 1-117
Lightweight Access Point Protocol 1-118
WLAN Controller Hunting, Discovery, and Join Process 1-125
Implementation Basics 1-131
Advanced Deployment Concepts 1-137
Controller Placement and Deployment Strategies 1-144
Lesson Self-Check 1-150
Summary 1-152
Implementing the WLAN with Cisco WCS 2-1
Installing the Cisco WLAN Controller 2-3
Overview 2-3
Controller Initial Setup using the Console Port 2-4
Controller Initial Setup using the Service Port 2-7
Lesson Self-Check 2-18
Summary 2-20
Installing the Cisco Wireless Control System 2-21
Overview 2-21
Cisco Wireless Control System Overview 2-23
Installing the Cisco WCS 2-35
Cisco WCS Browser Overview 2-41
Administer the Cisco WCS 2-46
Populate the Cisco WCS Database 2-55
Adding Maps to the Cisco WCS 2-60
Viewing Maps 2-71
Editing Maps on the Cisco WCS 2-75
Configure the WLAN 2-86
Lesson Self-Check 2-106
Summary 2-109
The Cisco Core Feature Set 3-1
Introducing the Cisco Core Feature Set based on Autonomous Access Points 3-3
Overview 3-3
Configure the CiscoWorks WLSE Network Information 3-5
Switch and Router Setup 3-6
AAA Server Setup 3-8
Connecting to the Device 3-12
Login with Setup 3-13
Enter Setup Prompts 3-14
Enter SSL Certification Configuration Information 3-15
Verify Configuration 3-16
Configure Fast Secure Roaming for Voice 3-39
Lesson Self-Check 3-54
Summary 3-56
Implementing Radio Management for Cisco Autonomous Access Points 3-57
Overview 3-57
RM Theory of Operation 3-59
CiscoWorks WLSE RM Operation 3-68
Location Manager and Assisted Site Survey 3-89
Antenna Support 3-109
WDS Radio Management Verifier 3-122
Lesson Self-Check 3-124
Summary 3-126
Learner Prerequisite Skills and Knowledge
This subtopic lists the skills and knowledge that learners must possess to benefit fully from the course. The subtopic also includes recommended Cisco learning offerings that learners should first complete to benefit fully from this course.
Learner Skills and Knowledge
• Basic Computer Literacy
• Knowledge of fundamental networking components and terminology
• Knowledge of the Open Systems Interconnection (OSI) reference model
• Knowledge of basic LAN components and functions
Course Goal and Objectives
This topic describes the course goal and objectives.
“To provide System Engineers and Field Engineers with a more in-depth understanding of the most innovative and comprehensive suite of WLAN solutions in the industry, spanning a wide range of customer sizes and needs”
Cisco Wireless LAN Advanced Topics Course Goal
Upon completing this course, you will be able to meet these objectives:
• Describe detailed technical features, functions, and benefits of the WLAN product offerings available from Cisco
• Install advanced feature set hardware so that it functions optimally
• Install and manage the CiscoWorks WLSE and infrastructure devices so that they function optimally
• Install and administer WLAN management devices
• Troubleshoot and maintain a wireless network
• Administer security so that the network is safe from attack
Course Flow
This topic presents the suggested flow of the course materials.
Course flow (figure: AM and PM sessions with lunch between): Course Introduction; Cisco Unified Wireless Network Concepts; Implementing the WLAN with Cisco WCS (and Cont.); The Cisco Core Feature Set; WLAN Management (and Cont.); Wireless Network Troubleshooting (and Cont.); Cisco WLAN Security (and Cont.).
The schedule reflects the recommended structure for this course. This structure allows enough time for the instructor to present the course information and for you to work through the lab activities. The exact timing of the subject materials and labs depends on the pace of your specific class.
Additional References
This topic presents the Cisco icons and symbols that are used in this course, as well as information on where to find additional technical references.
Cisco Icons and Symbols (figure): Router; CiscoWorks Workstation; Network Management Appliance; Workgroup Switch; Access Point; Laptop; File Server; Line: Ethernet; Wireless Connectivity; Wireless Dual Mode Access Point; Network Cloud, White Tablet; Cisco 5500 Family; WLAN Controller
Cisco Glossary of Terms
For additional information on Cisco terminology, refer to the Cisco Internetworking Terms and Acronyms glossary of terms at http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/index.htm
• Determine the components and basic configurations of the Cisco core feature set
• Determine the components and basic configurations of the Cisco WLAN Controllers and lightweight access points
• Describe the architecture of the WLAN controller and lightweight access point WLAN
Lesson 1: Describing Cisco Aironet Autonomous Access Points
Overview
This lesson discusses implementing a WLAN solution using Cisco Aironet autonomous access points.
Objectives
Upon completing this lesson, you will be able to determine the components and basic configurations of the Cisco core feature set. This ability includes being able to meet these
Features and Components
This topic describes the features and components of the WLAN core products using autonomous access points.
WLAN Core Products Components
Hardware components:
• Cisco Aironet series autonomous access points
• Cisco Integrated Service Routers
• CiscoWorks WLSE
• Cisco Secure ACS
• Optional: Cisco Aironet Wireless LAN client adapters, Cisco Compatible Extensions client devices, and third-party non-Cisco client adapters
Software requirements:
• Cisco IOS software release 12.2(15)XR for Cisco Aironet 1100 Series and 1200 Series access points
• Cisco IOS software release 12.3(2)JA for Aironet 1130 Series and 1230 Series access points
• Cisco IOS software release 12.3(7)JA1 for Aironet 1240 Series access points
• Release 2.7(1) for CiscoWorks Wireless LAN Solution Engine (WLSE)
• Support for all EAP types requires Secure ACS release 3.2.3 or higher
Cisco WLAN core products include:
• Cisco Aironet series autonomous access points or bridges
• Cisco Integrated Service Routers
• CiscoWorks WLSE
• Cisco Secure ACS
• Optional: Cisco Aironet wireless LAN client adapters, Cisco Compatible Extensions client devices, and third-party non-Cisco client adapters
Note The Cisco Compatible Extensions program provides third-party verification of Cisco Aironet wireless infrastructure products and wireless client devices from third-party companies. Additional information about the Cisco Compatible Extensions program can be found at http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_brochure.html
In addition to the hardware requirements, the minimal software requirements for this solution are the following: Cisco IOS software release 12.2(15)XR for Cisco Aironet 1100 Series and 1200 Series access points, Cisco IOS software release 12.3(2)JA for Aironet 1130 Series and 1230 Series access points, Cisco IOS software release 12.3(7)JA for Aironet 1240 Series access
CiscoWorks WLSE 1130 Hardware
Rack-mounted server. Supports 5000 RF interfaces per CiscoWorks WLSE:
• Single-band access points count as 1 RF interface
• Dual-band access points count as 2 RF interfaces
• 2500 dual-mode access points may be supported by WLSE
Supports 3600 RF interfaces when Radio Management (RM) is being used:
• Single-band access points count as 1 RF interface
• Dual-band access points count as 2 RF interfaces
• 1800 dual-mode access points may be supported by WLSE
The following outlines the technical specifications of CiscoWorks WLSE:
• Processor: Intel Pentium IV, 3.06 GHz
• Front side bus: 533 MHz
• Hard drive: one 40-GB Integrated Drive Electronics (IDE) hard drive
• CD-ROM drive: slim type, low-profile IDE CD-ROM drive
• Disk drive: one 3.5-inch, 1.44-MB disk drive
• Connectors: one 9-pin connector; one USB connector in front and two in rear; two RJ-45 connectors for connection to two 10/100/1000 Ethernet controllers
• Wattage: 230 W
• AC power supply voltage: 100-120V at 50-60 Hz; 200-240V at 50-60 Hz
• System battery: CR2032 3V lithium coin cell
• Height: 1 rack unit, 1.68 in (4.27 cm)
• Depth: 23 in (58.4 cm)
• Weight: 28.6 lb (13 kg) maximum
• Environmental, operating temperature: 50 to 95°F (10 to 35°C)
• Storage temperature: -40 to 149°F (-40 to 65°C)
Radio Management Overview (figure): AP Radio Scan; Rogue AP Detection; Radio Monitoring (AP and Client); Calibrated Path-Loss Model; Client Walkabout Data; Radio Parameters; RF Data per Radio Location; Radio Manager Database; Interference Detection; Auto Re-Site Survey; Radio Parameter Generation; Self Healing; Scanning-Only AP; Ad-Hoc Network Detection
The Radio Manager consists of:
• Procedures that gather data about the radio environment
• The Radio Manager database, which contains radio data and parameters
• Features that use the information in the database
Access point radio scan is used to calculate a calibrated path-loss model of all the access points. Client walkabout data is used to fine-tune the radio frequency (RF) information. The calibrated path-loss model and client walkabout data are used to create RF data per location and generate radio parameters.
This information is then used for the following:
• Rogue access point detection
• Interference detection
• Radio parameter generation
• Auto re-site survey
• Self healing
• Scanning-only access points
• Ad-hoc network detection
Radio Parameter Generation
Use to recommend optimal:
• Radio transmit power
Use selections under the Radio Manager (RM) or Location Manager tabs to recommend optimal radio transmit power, channel selection, and beacon interval (optional) for each access point, and then apply these configuration settings. There are two ways to generate radio parameters and configure your access points:
• RM Assisted Configuration — Use this option after you have collected data from an AP radio scan and a client walkabout.
• Assisted Site Survey Wizard — Use this option, which is part of Location Manager, when you want to use a wizard interface to step through AP radio scan, client walkabout, and radio parameter generation.
The Radio Parameter Generation (RPG) operation is a non-real-time process in which previously gathered measurements are used to calculate RF design parameters for the WLAN network. The RF measurements and client loading requirements are taken as the inputs to the RPG, and the RF settings for the system's access points are the output.
Radio Parameter Generation (Cont.)
Gives the administrator an RF deployment plan. This same type of data is generated with an RF site survey.
The RM assisted configuration calculates the optimal radio transmit power, channel selection, and beacon interval (optional), and then applies these configuration settings to the access points, if desired.
Also, CiscoWorks Wireless LAN Solution Engine (WLSE) gives the administrator the option of previewing the configuration before applying it to the system.
This differs from many WLAN radio control implementations, where the system applies configuration to the access points without any administrative control. WLSE permits supervisory control of RF settings.
RF Coverage Display
Coverage display changes upon any changes in RF performance. Coverage may be displayed by:
measurements, it is possible to detect areas of higher signal attenuation and show reduced RF signal reach in these areas.
Note that not all areas can be explicitly measured: on the outer fringe of a coverage area where access points are not deployed, no inter-access point measurement is possible. In these areas, CiscoWorks WLSE uses an RF propagation model to predict the RF coverage. This predicted coverage is also shown in cases where the access points have not yet taken any measurements.
Self Healing WLANs
Runs on WLSE. Performs two actions:
• Monitors the floor
• Takes action if an access point is determined to be down
(Figure: Wireless Network Manager (WNM), CiscoWorks WLSE)
Self Healing runs on the CiscoWorks WLSE and uses Simple Network Management Protocol (SNMP) to adjust neighboring access points in response to a downed access point. To determine if a radio is down, Self Healing uses beacon information that was obtained using Wireless LAN Context Communication Protocol (WLCCP) via the Wireless Domain Services (WDS[s]).
Self Healing performs two actions:
• Monitors the floor — Self Healing uses path loss data collected from access point Radio Scan and Radio Monitoring and WDS registration information to determine a set of radio links for monitoring purposes. If all monitored links to a given access point are missing for more than three measurement report intervals and the access point was not administratively shut down, a self-healing event is triggered.
• Takes action if an access point is determined to be down — Using the information previously gathered from AP Radio Scans and Radio Monitoring, Radio Manager adjusts the transmit power levels of neighboring access points (which might or might not be on the same floor as the failed access point) to cover the potential areas of lost coverage, then generates a self-healing fault.
Note The network must initially be deployed with less than full power in the access points to permit access points to have their power adjusted up to compensate for a loss in coverage from an adjacent access point.
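The Self Healing rule above (every monitored link to an access point missing for more than three report intervals, the access point not administratively down, then raise neighbour transmit power), worked through as an added Python model that is not Cisco's or WLSE's code. The monitored links, report intervals, power ceiling and power step are constructed assumptions; the last case shows what happens when a neighbour is already at full power, which is the situation the Note warns about.

```python
# Constructed model of the WLSE Self Healing rule described above; not Cisco's code.
MAX_POWER_DBM = 20        # assumed per-radio power ceiling (constructed)
POWER_STEP_DBM = 3        # assumed adjustment step (constructed)
MISSING_INTERVALS = 3     # page: "missing for more than three measurement report intervals"


def missing_streaks(monitored_links, reports):
    """For each target AP, count the consecutive most recent report intervals in
    which none of its monitored links was heard.

    monitored_links: {target_ap: {neighbor_ap, ...}}, the links chosen for monitoring.
    reports: list of sets, oldest first; each set holds the (neighbor_ap, target_ap)
             links present in that measurement report interval.
    """
    streaks = {}
    for target, neighbors in monitored_links.items():
        streak = 0
        for heard in reversed(reports):
            if any((nbr, target) in heard for nbr in neighbors):
                break          # at least one monitored link was still seen
            streak += 1
        streaks[target] = streak
    return streaks


def detect_down_aps(monitored_links, reports, admin_down):
    """Trigger rule: all monitored links missing for more than MISSING_INTERVALS
    intervals, and the AP was not administratively shut down."""
    streaks = missing_streaks(monitored_links, reports)
    return sorted(ap for ap, streak in streaks.items()
                  if streak > MISSING_INTERVALS and ap not in admin_down)


def heal(failed_ap, monitored_links, tx_power):
    """Raise neighbour transmit power to cover the gap.  Returns the new power
    table and the neighbours already at the ceiling (no headroom to heal)."""
    new_power = dict(tx_power)
    no_headroom = []
    for nbr in sorted(monitored_links[failed_ap]):
        if new_power[nbr] >= MAX_POWER_DBM:
            no_headroom.append(nbr)
        else:
            new_power[nbr] = min(MAX_POWER_DBM, new_power[nbr] + POWER_STEP_DBM)
    return new_power, no_headroom


# Constructed sample floor: ap1 hears everyone, ap2 was shut down on purpose,
# and ap3 fails after the second report interval.
MONITORED = {
    "ap2": {"ap1", "ap3"},
    "ap3": {"ap1", "ap4"},
    "ap4": {"ap1", "ap3"},
}
ALIVE = {("ap1", "ap3"), ("ap4", "ap3"), ("ap1", "ap4"), ("ap3", "ap4")}
AFTER_AP3_FAILS = {("ap1", "ap4")}
REPORTS = [ALIVE, ALIVE] + [AFTER_AP3_FAILS] * 4
ADMIN_DOWN = {"ap2"}
TX_POWER = {"ap1": 17, "ap2": 17, "ap3": 17, "ap4": 20}   # ap4 already at ceiling


def sample_run(reports=REPORTS):
    """Run detection and healing over the constructed data."""
    down = detect_down_aps(MONITORED, reports, ADMIN_DOWN)
    result = {"down": down, "healed": {}, "no_headroom": {}}
    for ap in down:
        new_power, stuck = heal(ap, MONITORED, TX_POWER)
        result["healed"][ap] = new_power
        result["no_headroom"][ap] = stuck
    return result


if __name__ == "__main__":
    print(sample_run())
```

With the full six reports only ap3 is declared down (ap2 is excluded as administratively down); with the first five reports ap3 has been missing for exactly three intervals and no event fires.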
Layer 2 Roaming (figure): Subnet A, Subnet B, Layer 3
Voice and Traditional Roaming
(Figure: Cisco ACS AAA server, WAN, AP1, AP2; 1 = 802.1X Initial Authentication Transaction, 2 = 802.1X Reauthentication After Roaming)
A wireless IP phone reauthenticates every time it roams to a new access point. Additional latency is introduced when this reauthentication requires a RADIUS server.
Step 1 Initially, a client authenticates to an access point. Lightweight Extensible Authentication Protocol (LEAP) takes anywhere from 200 ms to 1.2 seconds.
Step 2 A Cisco Aironet client takes between 400 ms and 600 ms to roam at Layer 2. The 802.1X authentication adds even more latency (if it is enabled): 802.1X authentication requires a roaming client to reauthenticate, adding an additional 500+ ms to the roam.
Roaming delay is not a big problem for most applications. But real-time applications such as voice need delays of less than 150 ms end to end to maintain good voice quality.
Fast Secure Layer 2 Roaming
Transparent Layer 2 roaming between access points (Figure: Cisco ACS RADIUS Server)
Fast secure roaming at Layer 2 allows the client to roam from one access point to another without having to reauthenticate to the authentication, authorization, and accounting (AAA) server. When the client roams, it informs the WDS that it has roamed, and the WDS forwards the keying material to the new access point.
CCKM is an authentication method that permits the negotiation of a session key from a cached master key.
As an example, a client authenticates using 802.1X. The access point forwards the request to the WDS, which acts as the AAA client. The WDS forwards the request to the AAA server. Once the AAA server and the client have authenticated each other, the following occurs:
Step 2 The WDS forwards the key to the access point and the keying material to the client.
Step 3 The client roams to a new access point.
Step 4 The client requests that the key be sent to the new access point, and the WDS forwards the key to the new access point.
Note Fast Roam Times: Typical access point-to-access point roaming latency of <100 ms for a WDS-access point.
Note WAN Link Survivability: Because the local WDS handles reauthentication during roam, in the event that the AAA server is located remotely over a WAN link, the WAN link is not required, so the WLAN will continue to operate even if the link goes down.
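The exchange in Steps 2 to 4 and the WAN survivability note, as an added Python simulation that is not Cisco's code: the WDS caches the master key from the one 802.1X login and re-keys each new access point from that cache, so a roam still succeeds after the AAA server becomes unreachable, while a traditional reauthentication would fail. The HMAC derivation, MAC addresses and credentials are constructed assumptions and stand in for the real CCKM key hierarchy.

```python
# Constructed simulation of fast secure roaming through the WDS; not Cisco's
# code. The HMAC derivation below stands in for the real CCKM key hierarchy.
import hashlib
import hmac
import os


class AAAServer:
    """Stand-in for the Cisco Secure ACS RADIUS server (constructed)."""

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable    # False models a failed WAN link
        self.calls = 0                # AAA round trips actually attempted

    def authenticate(self, user, password):
        self.calls += 1
        if not self.reachable:
            raise ConnectionError("AAA server unreachable: WAN link down")
        if self.users.get(user) != password:
            raise PermissionError("802.1X authentication failed")
        # A real EAP method derives this on both ends; here the server mints it.
        return os.urandom(32)


def session_key(master_key, client_mac, ap_mac):
    """Per-AP session key from the cached master key (assumed HMAC-SHA256)."""
    return hmac.new(master_key, client_mac + b"|" + ap_mac, hashlib.sha256).digest()


class WDS:
    """Wireless Domain Services: acts as the AAA client and caches master keys."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.master_keys = {}   # client_mac -> cached master key
        self.ap_keys = {}       # (ap_mac, client_mac) -> session key held by the AP

    def initial_auth(self, client_mac, ap_mac, user, password):
        """Full 802.1X login: the only step that needs the AAA server."""
        master = self.aaa.authenticate(user, password)
        self.master_keys[client_mac] = master
        self._forward_to_ap(client_mac, ap_mac)
        return master   # what the client holds after EAP (modelled, not sent over the air)

    def fast_roam(self, client_mac, new_ap_mac):
        """Client reports the roam; the WDS re-keys the new AP from its cache."""
        if client_mac not in self.master_keys:
            raise KeyError("no cached master key; full 802.1X required")
        self._forward_to_ap(client_mac, new_ap_mac)

    def _forward_to_ap(self, client_mac, ap_mac):
        key = session_key(self.master_keys[client_mac], client_mac, ap_mac)
        self.ap_keys[(ap_mac, client_mac)] = key


def scenario():
    """Initial login, then WAN failure, then a roam that must still succeed."""
    aaa = AAAServer({"phone-01": "constructed-secret"})
    wds = WDS(aaa)
    client, ap1, ap2 = b"00:11:22:33:44:55", b"ap1", b"ap2"   # constructed

    master = wds.initial_auth(client, ap1, "phone-01", "constructed-secret")
    aaa.reachable = False                 # WAN link goes down after login
    wds.fast_roam(client, ap2)            # served from the WDS cache
    aaa_calls_for_roam = aaa.calls

    # What a traditional roam would require: a fresh AAA round trip.
    try:
        aaa.authenticate("phone-01", "constructed-secret")
        traditional_failed = False
    except ConnectionError:
        traditional_failed = True

    return {
        "aaa_calls_for_roam": aaa_calls_for_roam,
        "client_matches_ap2": session_key(master, client, ap2) == wds.ap_keys[(ap2, client)],
        "keys_differ_per_ap": wds.ap_keys[(ap1, client)] != wds.ap_keys[(ap2, client)],
        "traditional_reauth_failed": traditional_failed,
    }


if __name__ == "__main__":
    print(scenario())
```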
Non-Participating Devices
Non-WDS capable devices (no Radio Management or Fast Secure Roaming support):
• Cisco Aironet 1400 Series Wireless Bridge
• Cisco Aironet 1300 Series Wireless Bridge (in Bridge Mode)
These devices may still use WLSE network management capabilities and Cisco Secure ACS for authentication. Linksys or other non-Cisco devices do not operate with WDS or WLSE.
Cisco Aironet 1300 Series Outdoor Access Point/Bridge in bridge mode and Cisco Aironet 1400 Series Wireless Bridge are not capable of participation in fast secure roaming or other radio management operations. However, the network management capabilities of the CiscoWorks WLSE may still be used to control the equipment. Non-Cisco devices do not operate within the core feature set framework. As of version 2.12, Cisco VxWorks devices are no longer supported by CiscoWorks WLSE.
Cisco IOS Software for WDS Support
Requires 12.2(11)JA or later software
• 12.2(13) required for Radio Management (supported only with WDS)
• 30 access points when the access point serving as WDS also services 802.11 traffic
• 60 access points when the access point serving as WDS has its radio disabled (WDS server only, access point function disabled)
WDS server is not supported on Cisco 350 Series access point (IOS)
WDS server is supported on Cisco 1310 Series Bridge in AP mode
• 1310 supports WDS server with 12.3(4)JA and above
Wireless Domain Services operating on an access point is restricted to Layer 2 operation. Once an access point is selected as the WDS during setup, it advertises that it is the WDS via a broadcast mechanism.
Note that additional access points can be configured as WDS-capable (and will operate as standby WDS), but only one access point per subnet may be the active WDS at a time.
Fast secure roaming and radio management features are supported by Cisco IOS access points running as WDS.
Cisco Aironet 1300 Series Bridge in AP mode does support WDS service as of IOS version 12.3(4)JA.
Due to access point WDS processing and memory limitations, Cisco fast secure roaming currently supports:
• A limit of 30 access points if the access point is acting as a WDS and accepting client associations
• A limit of 60 access points if the access point is only acting as a WDS
Cisco IOS Software for Local Authentication
WAN link remote site survivability. Local authentication:
• MAC requires 12.2(11)JA or later software
• LEAP requires 12.2(11)JA or later software
• EAP-FAST requires 12.3(4)JA or later software
50-user database; RADIUS authentication port 1812; RADIUS accounting port 1813
Cisco Aironet autonomous access points support remote site survivability. This capability is enabled via the autonomous access point's IEEE 802.1X local authentication service. With IEEE 802.1X local authentication service, Cisco Aironet autonomous access points are configured to act as a local authentication server to authenticate wireless clients when the AAA server is not available. This provides secure authentication services for remote or branch office WLANs without a RADIUS server, and backup authentication services for access to local resources such as file servers or printers during a wide area network (WAN) link or server failure.
Cisco Integrated Services Routers
This topic identifies Cisco Integrated Services Routers that support Wireless Domain Services.
Small Branch
Initial Wireless Domain Services support in 12.3(11)T
• Fast, secure Layer 2 roaming
Integrated Services Routers with WDS
Router: Local Authentication Client Database / Access Points Supported
• Cisco 2600XM: 50 clients / 5 APs
• Cisco 2691, Cisco 2811, Cisco 2821: 100 clients / 10 APs
• Cisco 2851: 200 clients / 20 APs
• Cisco 3725: 250 clients / 25 APs
• Cisco 3745, Cisco 3825: 500 clients / 50 APs
• Cisco 3845: 1000 clients / 100 APs
The Cisco wireless-aware integrated services routers enable enterprise-wide deployment of secure, manageable wireless LANs with Cisco Aironet series access points. These routers deliver integrated WDS capabilities optimized for remote sites and branch offices, including:
• Fast, secure mobility: Site-wide Layer 2 mobility allows authenticated clients to roam securely from one access point to another without any perceptible delay during reassociation. Wireless-aware integrated services routers enable latency-sensitive applications through fast secure mobility for up to 100 access points.
• Survivable authentication: Local authentication services allow the router to act as a backup RADIUS server, enabling up to 1000 wireless clients to access the network when the primary authentication server is not accessible.
• Simplified deployment and management: Router-integrated wireless capabilities eliminate the need for dedicated wireless appliances at each site.
Integrated Services Router WDS Support
Applicable software: Cisco IOS software release 12.3(11)T or later with one of the following feature sets:
• Cisco IOS software advanced enterprise services (K9) feature set
• Cisco IOS software advanced IP services (K9) feature set
• Cisco IOS software advanced security (K9) feature set
• Cisco IOS software SP services (K9) feature set
• Cisco IOS software enterprise services (K9) feature set
The Cisco IOS software release 12.3(11)T or later with at least one of the following feature sets:
• Cisco IOS software Advanced Enterprise Services (K9) - Full Cisco IOS software
• Cisco IOS software Advanced IP Services (K9) - Includes Internet Protocol Version 6 (IPv6), Advanced Security, and SP Services
• Cisco IOS software Advanced Security (K9) - Includes Cisco IOS firewall, IDS, Secure Shell (SSH), IP Security (IPSec), Border Gateway Protocol (BGP)
• Cisco IOS software Service Provider (SP) Services (K9) - Includes Multiprotocol Label Switching (MPLS), SSH, Asynchronous Transfer Mode (ATM), voice over ATM (VoATM)
• Cisco IOS software Enterprise Services (K9) - Includes IPv6, Enterprise Base, full IBM support, and SP Services
Lesson Self-Check
Use the questions here to review what you learned in this lesson. The correct answers and solutions are found in the Lesson Self-Check Answer Key.
Q1) Which of the following provides aggregation of radio management data from the infrastructure access point and client layer? (Choose one.) (Source: Features and Components)
A) WLSE
B) ACS
C) WDS
D) WCS
Q2) Local authentication services allow the 3725 router to act as a backup RADIUS server, enabling up to how many wireless clients to access the network when the primary authentication server is not accessible? (Choose one.) (Source: Cisco Integrated Services Router)
A) 200
B) 250
C) 500
D) 1000
Lesson Self-Check Answer Key
Q1) C
Q2) B
Summary
This topic summarizes the key points discussed in this lesson.
This lesson discussed the features and components of the core feature set WLAN solution. It discussed WDS, WLCCP, the CiscoWorks WLSE, and Cisco Secure ACS. Layer 2 fast secure roaming and radio management were also discussed. In addition, the WLAN capabilities of the Cisco integrated services routers were discussed.
Upon completing this lesson, you will be able to determine the components and basic configurations of the Cisco WLAN Controllers and lightweight access points. This ability includes being able to meet these objectives:
• Describe dynamic radio management features
• Describe security and VLAN support
• Describe the link aggregation feature of the Cisco WLAN Controller
• Describe guest tunneling and anchor mobility support
• Describe dynamic frequency selection support
• Describe the importance of quality of service with differentiated services code point
• Describe multicast performance available on Cisco Unified Wireless Networks
• Describe the feature and functionality of the Cisco Catalyst 6500 Series Wireless Services Module
• Describe the feature and functionality of the Cisco Wireless LAN Controller Module
• Describe the feature and functionality of the Cisco 4400 Series WLAN controller Enhanced Security Module
• Describe the support for wireless mesh networks
Dynamic RF Management
This topic describes dynamic radio management features.
Dynamic RF Management: channel assignment, transmit power adjustment, interference avoidance, coverage hole management, load balancing
to balance access points such that they see their neighbors at -65 dBm, based on best practices experience.
If a failed access point is detected, power can be automatically increased on surrounding access points to fill the gap created by the loss in coverage. WLAN solutions that only allow for static configuration of transmit power are severely limited in their ability to support dynamic network requirements.
The Cisco Wireless LAN Controller provides a centralized view of client loads on all access
Security and VLANs
This topic describes security and VLAN support.
Security - Standards
IEEE 802.11i. Supports the Wi-Fi Alliance security certifications:
• Wi-Fi Protected Access (WPA)
• Wi-Fi Protected Access 2 (WPA2)
IEEE 802.1X
Data encryption:
• Advanced Encryption Standard (AES) – (IEEE 802.11i/WPA2)
• Temporal Key Integrity Protocol (TKIP) – (WPA)
• Wired Equivalent Privacy (WEP) – (802.11)
• Static WEP (40/64 and 104/128 bit keys)
VPN termination:
• Enhanced Security Module for 4400 Series
• IPSec VPN Services Module (VPNSM) – WiSM/Catalyst 6500
The Cisco WLAN Controller and lightweight access points support the following standards:
• Based on the IEEE 802.1X standard for port-based network access, the Cisco Wireless Security Suite takes advantage of the Extensible Authentication Protocol (EAP) framework for user-based authentication. This solution also supports Wi-Fi Protected Access (WPA), the Wi-Fi Alliance specification for interoperable, standards-based wireless LAN security.
• The Cisco Wireless Security Suite interoperates with a range of client devices. It supports most 802.1X authentication types, including Extensible Authentication Protocol-Flexible Authentication via Secure Tunnel (EAP-FAST), Extensible Authentication Protocol-Cisco Wireless (LEAP), Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), and types that operate over EAP-TLS, such as Protected Extensible Authentication Protocol (PEAP), EAP-Tunneled TLS (EAP-TTLS), and EAP-Subscriber Identity Module (EAP-SIM). A wide selection of RADIUS servers, such as the Cisco Secure Access Control Server (ACS), can be used for enterprise-class centralized user management that includes:
— Strong, mutual authentication to ensure that only legitimate clients associate with legitimate and authorized network RADIUS servers via authorized access points
— Dynamic per-user, per-session encryption keys that automatically change on a configurable basis to protect the privacy of transmitted data
• VPN Termination – The IPSec VPN Services Module (VPNSM) for the Catalyst 6500 supports IPSec (RFC 2401-2411, 2451). It supports Encapsulating Security Payload (ESP), DES, and 3DES (RFC 2406, 2451) encryption. It supports X.509 digital certificates (RSA signatures), preshared keys, Simple Certificate Enrollment Protocol (SCEP), RADIUS (RFC 2138), TACACS+, and Challenge Handshake Authentication Protocol/Password Authentication Protocol (RFC 1994) authentication methods.
Advanced Feature Security
RF Security; Wireless LAN Intrusion Prevention and Location; Identity-Based Networking; Network Admission Control (NAC); Secure Mobility
Identity-Based Networking - IT staff must support many different user access rights, device formats, and application requirements when securing wireless LANs. The Cisco based wireless LAN system enables enterprises to deliver individualized security policies to wireless users or groups of users. These include:
• Controller Layer 2 security - 802.1X (PEAP, LEAP, TTLS), WPA, 802.11i (WPA2), and Layer Two Tunnel Protocol (L2TP)
• Layer 3 security (and above) - IPSec, web authentication
• Virtual LAN (VLAN) assignments
• Access control lists (ACLs) - IP restrictions, protocol types, port, and differentiated services code point (DSCP) value
• Quality of service (QoS) - multiple service levels, bandwidth contracts, traffic shaping, and RF utilization
• Authentication, Authorization, and Accounting (AAA)/RADIUS - user session policies and rights management
Network Admission Control (NAC) - Enforce policies pertaining to client configuration and behavior, to ensure that only end-user devices with appropriate security utilities can gain access to the network.
Guest Tunneling - Provides additional security for access to the corporate network by guest users. It ensures that guest users are unable to access the corporate network without first passing through the corporate firewall.
Security: Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
Integrates with other Catalyst 6500 Series Service Modules:
• Firewall Services Module (FWSM)
• Intrusion Detection Services Module (IDSM)
• Network Analysis Module (NAM)
• IPSec VPN Services Module (VPNSM)
The Cisco Catalyst 6500 Series Wireless Services Module (WiSM) extends intelligent network services to the wireless edge. As an integrated part of the widely deployed series, the Cisco WiSM uses the full range of Cisco Catalyst 6500 Series hardware- and software-based intelligent switching services. It supports interoperability with Cisco Catalyst 6500 Series integrated services modules such as the Firewall Services Module (FWSM), Intrusion Detection Services Module (IDSM), Network Analysis Module (NAM), and VPNSM.