Roaming comes at a cost. A hacker with the right wireless components could wreak havoc on a WLAN. Unlike the physical security with wired LANs, WLANs are open and should always be secured as if they were a publicly accessible network. Preventing hackers from listening to a WLAN is not realistic. The real solution is making your WLAN data indiscernible through power and encryption security services. Too much power creates an easy target due to the signal-to-noise ratio. Too little power causes reachability problems due to the signal-to-noise ratio as well.

Privacy is addressed by 802.11 by an optional service called Wired Equivalent Privacy (WEP). WEP is based on the RC4 algorithm, which the encryption keys must match on both the client and the AP for frame exchanges to succeed. Any diligent hacker can break WEP because it is not a strong encryption method. WEP is analogous to speaking privately in a foreign language. After someone understands that language, the conversation is no longer private. So, simple abuses, such as neighbors leeching onto your Internet access, can be stopped by using WEP, but not much more than that.

Other problems may arise in the WLAN. Knowing the common issues prior to design will help mitigate them. Just as light and sound bounce off objects, so do RF signals. This means that there can be many RF paths from the transmit (Tx) to receive (Rx) antennas. These multiple signals combine to cause distortion of the signal. The higher the number of radios in a cell, the higher the noise level in the cell. Because of multipath reception, the signal strength might be strong, but it might also be distorted. Proximity does not guarantee better performance.

Coverage holes are the voids where the RF signal is not discernable. A perfect survey can get coverage holes if environmental changes are made. Such RF examples would be the addition of plants, office furniture getting moved, or walls getting changed from structural modifications. RF gets absorbed or reflected so that the signal becomes too weak for the station to pick out the signal from the noise. The closer the antennas are to each other, the stronger all paths are, including reflected paths, which increases the possibility of interference from reflected paths. The farther the antennas are from each other, the greater the difference between reflected and direct (primary) signal. So farther distance makes for decreased signal strength but also reduces the strength of any reflected signal.

Environmental factors such as reflections, refractions, and diffractions (all of which can cause multipath interference) can degrade a signal between the transmitter and receiver. Multipath interference can cause high signal strength yet low signal quality, so that the data would be unreadable. One indication that you are experiencing multipath interference is that signal strength and signal quality fluctuate drastically, even when you are moving the client only a little (inches). You can relate this to a common occurrence in your car. As you pull up to a stop sign, you might notice static on the radio. But as you move forward a few inches or feet, the station starts to come in more clearly. By rolling forward, you move the antenna slightly, away from the point where the multipath signals converge.

Interference occurs when another RF source produces a signal on the same channel. If there is severe signal interference in one area, it is possible to change to another channel and totally avoid the interference. Normally, changing channels does not happen automatically in DSSS and must be done with reconfiguration to the AP. Cisco firmware will allow an AP to search for the least-congested channel.

As the data is further compressed, it requires a stronger signal as compared to the noise level. More noise means slower speed for the data to be received correctly. The same is true in radio. As a receiver moves farther from a transmitter, the signal gets weaker, and the difference between the signal and noise decreases. At some point, the signal cannot be distinguished from the noise, and loss of communication occurs. The amount of compression (or modulation type) at which the signal is transmitted determines the amount of signal necessary to be clearly received through the noise. As transmission or modulation schemes (compression) become more complex and the data rate goes up, immunity to noise decreases and coverage goes down. Or, stated simply, when frequency and speeds are increased, the cell coverage distances are decreased.

Mobility is the freedom from constraints such as physical connections (power cords, network cables, and so on). Mobile devices contain client software to manage the WLAN client cards. WLAN client cards can have a significant impact on the battery life of a mobile device. One or two surveys will burn that into your brain. Moreover, using 802.11a drains the battery life faster than 802.11b or 802.11g.

To help reduce the battery drain problem, Cisco client cards use power save mode to preserve battery life while maintaining association. The AP buffers data during power save mode, which reduces the overall throughput.

Different countries have different regulatory bodies and may have as many as 14 channels available. Table 18-1 gives the channel set breakdown on several regulatory domains. In some countries, this might mean that the number of nonoverlapping channels is reduced to one, and an aggregate data rate of 33 Mbps might not be possible.

There are 11 channels available in the United States; however, only three of these channels (1, 6, and 11) are nonoverlapping. In the European Telecommunications Standards Institute (ETSI) domains, there are 13 available channels, but again there are only three nonoverlapping channels. In Japan, there is an additional channel located at the top end of the band. It is possible to use this along with three other channels for a total of four nonoverlapping channels.

An autonomous AP has local configurations requiring local management (for example, Telnet to each device to add an infrastructure SSID), which might make consistent configurations difficult and add to the cost of network management. The following APs are autonomous:

A lightweight AP receives control and configuration from a WLAN controller to which it is associated. This reduces the security concern of a stolen AP and provides a single point of management. The Cisco Aironet 1000 Series Lightweight AP is an 802.11a/b/g dual-band device. The following autonomous APs are lightweight capable:

The lightweight Wireless LAN Controllers communicate with Cisco 1000 Series or lightweight-capable APs over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP). These devices support automation of numerous WLAN configuration and management functions. Wireless LAN Controllers are responsible for centralized system-wide WLAN management functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. Stated simply, this is where the instructions are processed. They work in conjunction with Cisco 1000 Series Lightweight APs and the Cisco Wireless Control System (WCS) to support business-critical wireless applications. Cisco wireless LAN controllers provide the control, scalability, security, and reliability that network managers need to build secure, enterprise-scale wireless networks—from branch offices to main campuses.

Cisco Systems currently offers the following controllers:

When radio waves hit a wall, door, or any obstruction, there is attenuation of the signal, which weakens the signal and may reduce throughput.

Several natural causes impact radio waves/RF:

RF wave propagation naturally encounters the attenuation factors in the preceding list, all of which need to be considered when designing, implementing, and troubleshooting WLANs. Figure 18-12 represents each RF impact.

Figure 18-12. RF Impacts

WLANs transmit power just like radio stations do to reach listeners. The power levels for wireless are in milliwatts, whereas the power levels for radio stations are in megawatts.

Here are some units of measure to help you better understand the RF math:

The math formula used in WLANs is too complex for most people to solve without a calculator. The formula requires adding gains or losses, described in decibels, and then converting those results into an absolute power, described in milliwatts or watts.

The formula is

You can easily see, using Table 18-2, how the gains and losses relate to power levels. Refer to this table to help out whenever needed.

RF math can be made easier by understanding a few key points:

A 9-dB loss can be broken down into –3 dB + –3 dB + –3 dB. A signal level of 200 mW will be decreased to 25 mW. It can be broken down as follows:

Gain increases the RF signal amplitude. Two common sources for gain are amplifiers and antennas.

Loss is a decrease in the RF signal strength. Losses impact the WLAN design and are part of our everyday world. All the cables and connections between the AP and the antenna cause loss. Losses are the real concern, and the common causes of loss are distance, resistance of cables and connectors, mismatched impedance in cables and connectors, and objects such as the following in the path of a signal that absorb or reflect RF signals:

Antennas used in WLANs come in many shapes and sizes based on the differing RF characteristics desired. The physical dimension of an antenna is directly related to the frequency at which the antenna transmits or receives radio waves. As the gain increases, the coverage area becomes more focused. High-gain antennas offer longer coverage areas than low-gain antennas at the same input power level. As frequency increases, the wavelength and the antennas become smaller.

Antennas can be categorized into one of three types:

Designing the right WLAN solution requires using the right antenna. Table 18-3 provides a helpful generic guide to antenna selection. Each antenna type is included with its ranges for both gain and EIRP. Reviewing the manufacturers’ antenna specifications provides the specific details.

Omnidirectional antennas have the following characteristics:

Semidirectional antennas have the following characteristics:

Highly directional antennas have the following characteristics:

Antenna diversity refers to the condition under which multiple antennas are receiving signals from a single source and the AP’s ability to respond using the best antenna. Antenna diversity reduces multipath issues.

The most commonly used antenna connectors are male connectors with reverse-polarity TNC jacks (RP-TNC connectors). It is the same connector type that Cisco uses on its APs.

Cisco Airespace APs are certified for any external 2.4-GHz or 5-GHz patch antenna with 6-dBi gain or less.

Wireless is the result of organizational standards and regulatory guidelines. With hundreds of countries around the world, it is a welcome relief to have organizations and consortiums providing standards and guidelines.

Some of the wireless regulatory agencies and standards are as follows:

In the United States, the Federal Communications Commission (FCC) does the following:

2.4-GHz 802.11b/g has three nonoverlapping channels. This means that three APs could operate in the same cell area without sharing the media. An AP on channel 1 does not share time with an AP on channel 6, because they do not have common frequencies. There is no degradation in throughput when three APs are in the same cell area if the APs are each on a nonoverlapping channel. Three APs in the same cell using three non-overlapping channels provide an aggregated data rate of 33 Mbps with an aggregated throughput of 18.6 Mbps. If the same three APs shared the same channel, the aggregate data rate would still be 33 Mbps with the aggregated throughput of 7 Mbps.

All channels are known by their center frequency, and they are as follows: 1 (2412); 2 (2417); 3 (2422); 4 (2427); 5 (2432); 6 (2437); 7 (2442); 8 (2447); 9 (2452); 10 (2457); 11 (2462); 12 (2467); and 13 (2472). The top part of Figure 18-13 illustrates this information along with the starting frequency on the bottom.

Figure 18-13. 2.4-GHz Channels

The 802.11g standard was ratified in June 2003. It operates in the same 2.4-GHz band as 802.11b and uses the same three nonoverlapping channels. Moreover, there is full backward compatibility with 802.11b.

The 802.11g specification uses Orthogonal Frequency Division Multiplexing (OFDM) modulation for 802.11g data rates and Complementary Code Keying (CCK) modulation for 802.11b data rates.

The 802.11g data rates are 54, 48, 36, 24, 18, 12, 9, and 6 Mbps. The 802.11b data rates are 11, 5.5, 2, and 1 Mbps. The 2.4-GHz channels are 22-MHz wide. Figure 18-14 provides a comparison of the 2.4-GHz common data rates and ranges.

Figure 18-14. 2.4-GHz Common Data Rate Comparison

The relationships between data rates and distance for 802.11g are similar to 802.11b, but the data rates themselves are higher. The difference between 802.11b and 802.11g is how the data is transmitted over the airwaves, not in the antennas or radios themselves. One radio handles both protocols but not simultaneously.

Part of the 802.11g protocol design ensures 802.11b backward compatibility by detecting and supporting those clients who end up reducing the 802.11g throughput.

Protection mode or mixed mode is enabled when an 802.11b client associates to an 802.11g AP. Additionally, it can be enabled by another 802.11g that can hear the beacons from another 802.11g AP having an 802.11b client associated. The Non-ERP Present bit is set by an 802.11g AP when it has an 802.11b client associated to it. The Use Protection bit is set when an 802.11g AP hears a beacon with the Non-ERP Present bit set on the same channel as it is operating or it has an 802.11b client associated.

With protection, broadcasts must support 802.11b clients as well as the fact that an 802.11b client will transmit at slower data rates than an 802.11g client. Mixed environments will generally have a maximum of 18 Mbps independent of frame transmission rate for the 802.11g devices. 802.11g-only environments can obtain rates over 20 Mbps.

802.11a-compliant devices operate in the 5-GHz UNII band. 802.11a and 802.11b are not compatible due to differences in frequencies. 802.11a requires a different radio and antenna.

The 5-GHz UNII band is made up of three separate 100-MHz-wide bands known as the lower, middle, and upper bands. Within each of these three bands are four nonoverlapping channels. The FCC specifies that the lower bands be used indoors, the middle bands indoors/outdoors, and the upper bands outdoors.

The channels and center frequencies are as follows: 36 (5.180); 40 (5.200); 44 (5.220); 48 (5.240); 52 (5.260); 56 (5.280); 60 (5.300); 64 (5.320); 149 (5.745); 153 (5.765); 157 (5.785); and 161 (5.805). Figure 18-15 illustrates the channels in the UNII bands.

Figure 18-15. 5-GHz Channels

The capability to use 4, 8, or 12 nonoverlapping channels is an improvement. However, this improvement depends on the vendor’s implementation and the country-specific regulations. Having additional nonoverlapping channels is an advantage when implementing an enterprise WLAN solution. The additional channels are an advantage when dense, high-bandwidth requirements are needed.

Pico cells solve the high-density and bandwidth-requirement issues and are used in places such as stock exchanges and trading floors. Smaller than microcells and solution specific, the use of pico cells needs to be discussed first with the manufacturer’s sales team due to solution-specific configuration/supplicant.

OFDM modulation technology is less susceptible to noise and multipath issues when compared to DSSS. OFDM is a more efficient modulation technique that enables the high data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. Figure 18-16 shows the 802.11a common data rates.

Figure 18-16. 5-GHz Common Data Rates

Understanding the advantages and disadvantages of each standard helps in knowing which one to choose.

802.11a provides the better throughput because it does not deal with any backward-compatibility issues. 802.11a has more channels, which provides less overall interference. Fewer APs will be operating on the same channel.

802.11g gives most organizations an easy migration plan and backward compatibility with 802.11b. The roaming distance is greater than 802.11b, resulting in fewer APs being deployed.

Antenna selection is much greater with 802.11g than with 802.11a. Moreover, most countries support 802.11g, allowing world mode functionality. The regulatory issues with 802.11a are more complicated outside the United States.

802.11b/g networks require a well-thought-out plan. A channel reuse plan is required because only three nonoverlapping channels exist. Those channels are 1 (2412 MHz), 6 (2437 MHz), and 11 (2462 MHz).

Channel reuse eliminates microcell overlapping. You can correlate this concept to the placement of FM radio stations throughout the country. You will never find two radio stations in the same geographic area on the same channel. The same concept holds true for channels and cells. Figure 18-17 helps to depict this concept.

Figure 18-17. 2.4-GHz Channel Reuse

802.11a cells are easier to deploy because there are 12 different channels. These 12 nonoverlapping channels can provide a simpler channel reuse schema, as illustrated in Figure 18-18. Due to the size of the microcell, there are more cells on a per-area basis as compared to 802.11b/g.

Figure 18-18. 5-GHz Channel Reuse

It is recommended that neighboring cells not be placed on neighboring frequencies. Two other key points to keep in mind are as follows:

The best practices for bandwidth in an 802.11a/b/g WLAN are based on the number of users. The bandwidth requirements are different for 802.11a, 802.11b, and 802.11g because applications require more bandwidth at higher frequencies. The wireless best practices for cell bandwidth are broken down into the three IEEE standards.

The following are the 2.4-GHz 802.11b bandwidth calculations:

The following are the 2.4-GHz 802.11g bandwidth calculations:

The 5-GHz 802.11a bandwidth calculations follow:

Root bridge is the setting that is normally used for the “main” bridge that is connected to the main network. This bridge provides connectivity to the main LAN for other wireless clients or wired clients that are being connected wirelessly.

In this mode, the bridge supports the following types by default:

Only one bridge in a WLAN can be set as the root bridge. This is the default setting for Cisco Aironet bridges.

For two or more Cisco wireless bridges to communicate, you must configure one bridge to root bridge mode and the rest of the bridges to non-root mode. The function of a non-root bridge is to actively seek out a radio connection to the root bridge. This must occur before data can be transferred or bridged across a link. Recalling Figure 18-10, the black buildings were the root bridge, whereas the gray buildings were non-root bridges.

The characteristics of a root bridge (parent) are as follows:

The characteristics of a non-root bridge (child) are as follows:

A single parent bridge can support numerous child bridges. The number of child bridges that should be attached to a parent bridge is determined by usage and throughput needs. There is only one exception—a non-root bridge communicates with another non-root bridge as long as one of the non-root bridges has a root bridge in its uplink.

This setting is normally used for a bridge that is used to connect a remote wired LAN and will only communicate with another root bridge. In this mode, the bridge will refuse associations from wireless clients.

One of the most important concepts in installing bridges is line of sight. Wireless bridges are unlicensed devices and are not designed to penetrate objects such as mountains, trees, or buildings. The signal will be either absorbed or reflected, and the end result will be that the bridges will be unable to connect. If there are trees between the bridges, much of the signal will be absorbed.

For a typical 6-foot (183-cm) person, the horizon appears at about 6 miles (9.7 km). Its disappearance is determined by the height of the observer. If you have two 10-foot (305-cm) structures, the top of one will have a line of sight to the other at about 16 miles (26 km), but it will have minimum clearance at the horizon point.

The Fresnel zone is an elliptical area immediately surrounding the visual path. It varies depending on the length of the signal path and the frequency of the signal. Figure 18-19 illustrates a simple Fresnel zone between two buildings. The Fresnel zone can be calculated, and it must be taken into account when designing a wireless link. If the Fresnel zone is obstructed, then the line of sight is not clear and the link might be unreliable.

Figure 18-19. Fresnel Zone

Inline power, or Power-over-Ethernet (PoE), provides source operating current from the Ethernet port, over the Category 5 cable. It is line power configuration compliant with all Cisco line power–enabled devices. Switches and line power patch panels can reach distances up to 100 meters.

To decrease the cost and complexity of the installation, the Cisco APs can be powered over an Ethernet cable, eliminating the need to run expensive AC power to remote AP installation locations.

For 802.11b-only configurations, line power–enabled devices such as switches and patch panels may be used instead of power injectors. Remember that the standard Cat 5 cable requirements still apply (maximum 328 feet or 100 meters).

Inline power further reduces installation costs, because an electrician is not required. Anyone qualified to run Cat 5 cable can install the cabling required to power Cisco Aironet APs.

Cisco Aironet Power Injector products increase the deployment flexibility of Cisco Aironet wireless APs and bridges by providing an alternative powering option to local power, inline power–capable multiport switches, and multiport power patch panels.

An end-span device is a unit that has PoE integrated and thus does not require a midspan device. A midspan device is a standalone unit that adds the PoE capability to existing networking equipment. The unit is inserted into the LAN between the Ethernet switch and the peripherals.

The power injector for Cisco Aironet 1100 and 1200 Series APs works with the power supply provided with the AP.

The Power Injector Media Converter converts fiber media to Category 5 media and combines the resulting data signal with power for delivery to the AP or bridge. The power injector media converter accepts 48-VDC power from either the barrel connector of the local power supply or an alternative 48-VDC power source. When powered by an alternate 48-VDC power source connected using the provided power supply pigtail, the Power Injector Media Converter is UL2043 certified and suitable for installation in environmental air spaces. The local power supply is provided with the Cisco Aironet 1100 and 1200 Series APs.

The IEEE 802.3af power specification created a standard for powering devices over copper wire. Table 18-4 provides the classes defined along with the default setting.

The Cisco Airespace AP is a Class 3 device with an average draw of approximately 8W and a maximum of 10W.

Table 18-5 defines an EIA/TIA 568A and 568B standard straight-through cable.

It is easy to plug in an access point, but it is difficult to build a business-critical enterprise WLAN.

The new paradigm for IT managers will enable them to deal with limited bandwidth by making the most efficient use of it, while contending with the adverse effects of coverage holes, environmental coverage area changes, inherent security issues, and other interfering issues that crop up over time.

Here are the top ten enterprise WLAN issues at the time of this writing:

The Cisco Airespace solution attempts to address all of these issues.

As WLANs become increasingly mission-critical and evolve in terms of scale and capabilities, the way the wireless deployment is managed must evolve as well. Because each customer and each deployment is unique, Cisco provides differing feature sets and differing management paradigms to address these customer-specific requirements.

The Cisco Unified Wireless Network is a unified wired and wireless solution to address the WLAN security, deployment, management, and control issues facing enterprises. This integrated end-to-end solution addresses all layers of the WLAN, from client devices and APs, to the network infrastructure, to network management, to the delivery of mobility services. The Cisco Unified Wireless Network addresses the deployment, management, and RF challenges associated with building business-critical WLANs.

The Cisco Unified Wireless Network is deployable in corporate offices, hospitals, retail stores, manufacturing floors, warehouse environments, educational institutions, financial institutions, local and national government organizations, and other locations worldwide. It supports Wi-Fi-enabled business applications for a variety of uses, including mobile healthcare, inventory management, retail point-of-sale, video surveillance, real-time data access, asset tracking, and network visibility.

The Cisco Unified Wireless Network enables on-the-road access from venues such as public hotspots, hotels, convention centers, and airports for mobile users and traveling executives. It delivers real-time access to a variety of business environments, providing secure mobility and guest access for campus and branch offices. Customers can confidently deploy the Cisco Unified Wireless Network knowing that their investment is protected.

The five interconnecting elements of the Cisco Unified Wireless Network and their characteristics are as follows:

Cisco provides a core feature set that includes autonomous APs and the CiscoWorks Wireless LAN Solution Engine (WLSE) management appliance. The core feature set provides a base set of capabilities that are required for enterprise deployments. Core features include secure connectivity through support for 802.11i/Wi-Fi Protected Access 2 (WPA2), fast and secure Layer 2 roaming, and interfaces to a variety of third-party applications and products. Most Cisco APs are available in versions designed for autonomous operation. These devices may be upgraded in the field to lightweight mode, thereby providing customers with a smooth path from core to advanced features.

The Cisco advanced WLAN feature set is delivered by lightweight APs, wireless LAN controllers, and the WCS management application. The advanced feature set represents the most comprehensive set of capabilities in the industry, including guest access, wireless intrusion detection, scalable Layer 3 mobility, and available location services. Most Cisco Aironet APs are available in versions designed for lightweight operation.

Cisco WLAN controllers are part of the Cisco advanced WLAN feature set and are responsible for handling system-wide WLAN functions across an entire wireless network. Cisco WLAN controllers are designed to smoothly integrate into existing enterprise networks. They communicate with Cisco Aironet 1000 Series Lightweight APs over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using LWAPP.

Enterprise wireless networks must meet requirements in five fundamental areas:

Table 18-6 reflects the Cisco AP Series operational modes. The Lightweight solution combines the best elements of wireless and wired networking to deliver scalable, manageable, and secure WLANs. It includes innovative RF capabilities that enable real-time access to core business applications and provides proven enterprise-class secure connectivity. The Cisco Unified Wireless Network delivers the same level of security, scalability, reliability, ease of deployment, and management for WLANs that organizations expect from their wired LANs.

Network managers need reliable, cost-effective tools for WLAN planning, configuration, and management. These tools must be centrally available and must support simplified operations and easy-to-use graphical interfaces. Cisco Wireless LAN Management options are determined based on the type of APs deployed and the features required.

Lightweight APs may be managed with Cisco WLAN controllers and the Cisco Wireless Control System (WCS). A Cisco Wireless Location Appliance may be added for advanced features such as wireless VoIP and location services, as well as advanced wireless security features such as Network Admission Control (NAC), the Cisco Self-Defending Network, and guest access.

Autonomous APs may be configured with the CiscoWorks WLSE or the CiscoWorks WLSE Express.

Cisco provides several unified wireless products to meet the various enterprise WLAN management solutions. The sections that follow cover the Cisco Wireless Control System, Cisco Catalyst 6500 Series Wireless Services Module, Cisco wireless LAN controller Module for ISRs, CiscoWorks Wireless LAN Solution Engine, and the Cisco Wireless Location Appliance.

One way to determine a design solution is to review the requirements and compare them to the various WLAN features. While comparing features with requirements may be a design methodology, it requires extensive product knowledge. Such is the case with the Cisco Auto RF and mobility group features.

The Auto RF feature enables the Cisco Airespace controllers to “self-heal” by continually monitoring and adjusting the network. The end result is a dynamically managed network with seamless roaming capabilities throughout the WLAN. Auto RF works hand in hand with other features, which can significantly affect the network design.

One such feature is group mode, which provides dynamic grouping and has two modes: on and off. When the grouping feature is off, there is no dynamic grouping. Each controller optimizes its own Cisco Airespace AP’s parameters. When grouping is on, the controller forms groups and elects leaders to perform better dynamic parameter optimization.

Another complex feature is the mobility group. A set of controllers can be configured as a mobility group to allow seamless client roaming within a group of shared controllers. By creating a mobility group, multiple controllers can dynamically share information and forward data traffic when inter-controller or inter-subnet roaming occurs. Controllers can share the context and state of client devices and controller loading information. With this information, the network can support inter-controller WLAN roaming and controller redundancy.

In the current Cisco Airespace mobility paradigm, the client obtains its IP point of presence (IP address, subnetwork, and so on) from the controller with which it first associates (anchor) to the mobility group. If the client associates to an AP associated to another controller in the mobility group that is on a different subnetwork, a “foreign” session is established with the original “anchor” switch. Packets from the client are forwarded from the controller to the wired network normally, but packets to the client are received by the anchor controller and forwarded to the foreign controller via Ethernet over IP (EoIP) encapsulation. The foreign controller de-encapsulates the packet and forwards it to the client.

When a client attempts to associate to a Cisco Airespace controller that is part of a mobility group, the Cisco Airespace controller will confirm if the client has an active session in the mobility group based on the MAC address of the client. If it does, the session will be moved from the anchor Cisco Airespace controller to the foreign Cisco Airespace controller. The client will retain its IP address (static or DHCP) and presence on the wired network at the anchor Cisco Airespace controller.

Cisco Airespace Layer 2 Roaming

Layer 2 (intra-subnetwork) roaming can be used with a single controller or with multiple controllers in the same subnetwork. Regardless, it is transparent to the client. The client’s session is sustained during connection to the new AP. The client continues using the same DHCP-assigned or static IP address. Figure 18-20 illustrates Layer 2 roaming (intra-subnetwork).

Figure 18-20. Layer 2 Roaming (Intra-Subnetwork)

Reauthentication is required if the client sends a DHCP Discover packet with a 0.0.0.0 client IP address or a 169.254.*.* client auto-IP address or when the operator-set session timeout is exceeded.

Cisco Airespace Layer 3 Roaming

Layer 3 (inter-subnetwork) roaming can be used with multiple Cisco Airespace controllers in different subnetworks. It is still transparent to the client. The session connection to the new AP is sustained as well. Figure 18-21 illustrates Layer 3 roaming (inter-subnetwork).

Figure 18-21. Layer 3 Roaming (Inter-Subnetwork)

Tunneling requires special handling of the client traffic between the anchor and foreign controllers. Tunneling the traffic allows the client to continue using the same DHCP-assigned or client-assigned IP address while keeping an active session.

Figure 18-22 illustrates the path traffic takes when on a foreign host subnetwork. First, the client requests information from another host computer and is properly routed to that device. The return path goes back to the anchor controller and is redirected to the foreign controller for final delivery back to the client.

Figure 18-22. Foreign Host Traffic Flow

Reauthentication is required if the client sends a DHCP Discover packet with a 0.0.0.0 client IP address or a 169.254.*.* client auto-IP address or when the operator-set session timeout is exceeded.

Features such as the “split MAC” architecture allow the splitting of 802.11 protocols between the AP and the WLAN controller. The Cisco Airespace AP handling the real-time portions of the 802.11 protocols is split from the WLAN controller that handles those items that are not time sensitive.

This patent-pending architecture has revolutionized enterprise wireless networking by splitting the processing of the 802.11 data and management protocols between two devices: the AP and a centralized Cisco Airespace controller. By innovating the way that WLAN controllers handle 802.11 packets, Cisco Airespace has created a robust platform upon which enterprises can deliver business-critical wireless services.

The AP handles the portions of the protocol that have real-time requirements, which include the following:

All remaining functionality is handled in the Cisco Airespace controller, whereby time-sensitivity is not a concern and controller-wide visibility is required. Some of the MAC layer functions provided in the WLAN controller include the following:

LWAPP is an open protocol for AP management. In this mode of operation, a WLAN controller system is used to create and enforce policies across multiple different lightweight APs. All functions essential to WLAN operations are centrally controlled by WLAN controllers. In this mode of operation, Cisco APs run a simplified version of Cisco IOS. It is not possible to enter into configuration mode and configure APs individually in this mode.

LWAPP is used for low-overhead communication between the AP and Cisco Airespace controller and is used to encrypt and secure control traffic between the AP and controller.

The UDP control messages are encrypted with an X.509 PKI using Advanced Encryption Standard-Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Data traffic is not encrypted in LWAPP and is switched at the WLAN controller. LWAPP will require 1–4 kbps overhead with associated clients.

Both data traffic and control traffic between the AP and controller are encapsulated. UDP source port 1024 is used for both control and data. Destination port 12222 is used for the data port, and 12223 is used for the control port.

An unknown AP will not be able to “spoof” a Cisco Airespace AP because an X.509 certificate is used. It is used to set up the connection, and encryption keys are dynamically set and rotated.

APs are using LWAPP to connect to the controller, so the following topics deserve a brief discussion:

Layer 2 Lightweight AP Protocol

Layer 2 LWAPP is encapsulated in an Ethernet frame. The controller and AP must be either directly connected or connected to the same VLAN/subnetwork, as illustrated in Figure 18-23.

Figure 18-23. Layer 2 LWAPP

Layer 3 Lightweight AP Protocol

Layer 3 LWAPP is encapsulated in UDP and then an IP packet. The controller and AP can be directly connected, connected to the same VLAN/subnetwork, or connected to a different VLAN/subnetwork, as illustrated in Figure 18-24.

Figure 18-24. Layer 3 LWAPP

Layer 3 LWAPP requires Cisco Airespace APs to obtain an IP address using DHCP.

Note

An AP always attempts discovery with Layer 2 mode first and then Layer 3 mode. The AP continues to alternate between Layer 2 mode and Layer 3 mode until it discovers a controller.

Although autonomous APs have a significant deployment base, companies may want to start migrating to a more centralized design. WLANs already running in autonomous mode can have a migration path to a centralized lightweight solution. Some APs may already be lightweight capable, such as the Cisco 1200, 1230AG, and 1240AG Series APs.

These APs only need to use the Cisco Autonomous to Lightweight upgrade tool. The APs are upgraded through this tool and have limited capabilities, which include disabled radios until the controller sends the full LWAPP image. The converted AP or lightweight AP is then able to participate in the WLAN via the controller.

During the configuration of the AP, the mode—either local or monitor can be selected. Local mode is the default and is used for most WLANs. Monitor mode is a listen mode for monitoring services.

The lightweight APs offer the same 802.11a/b/g solution as do the autonomous APs. The Cisco 1000 Series Lightweight AP contains a pair of high-gain internal antennas for unidirectional (180-degree) or omnidirectional (360-degree) coverage. The Cisco 1030 Series Lightweight APs are designed for remote edge deployment, and Radio Resource Management (RRM) control via a WAN link includes connectors for external antennas.

The Cisco Remote Edge Access Point (REAP) allows a remote AP to be controlled across a WAN link while keeping client bridged data local. REAPs are implemented in Layer 3 AP mode.

REAPs are designed to support remote offices by extending LWAPP control timers. Control traffic is still LWAPP encapsulated and sent to the controller. Client data is not LWAPP encapsulated but is locally bridged. All management control and RF management is available when the WAN link is up and connectivity is available to the controller. A REAP will continue to provide local connectivity even if the WAN is down.

The controller will support the same number of REAPs as local APs. REAPs can support up to 16 WLANs if controller connectivity is enabled. If controller connectivity is disabled, REAPs goes into standalone mode. REAPs associated to the same controller can provide aggressive load balancing for the wireless clients.

Wireless clients first send probe requests prior to any associations. The two methods employed to discover APs are passive and active scanning.

The passive scanning steps are as follows:

The open authentication method allows authorization and associations with or without a WEP key. If the client does not use a WEP key, the client undergoes the normal association process with the AP. The user is then granted access to the network.

If a WEP key is used, both the client and the AP must have matching WEP keys. If the client uses a WEP key that is different from the WEP key of the AP, data traffic cannot be passed because the data is encrypted. Keep in mind that the header is not encrypted; only the payload (or data) is encrypted.

Using open authentication, the client goes through the normal association process, whether or not the client is using a WEP key. Once the client is associated and data transmission begins, a client using a WEP key encrypts the data. If the WEP key on the AP does not match, then the AP is unable to decrypt the data, so it is impossible to send the data via the WLAN.

The initial connection to an AP consists of the following steps:

A wireless client using pre-shared key authentication attempts to associate with an AP. Steps 1 through 3 are the same as those for open authentication:

Pre-shared key authentication is considered less secure than open authentication because of the challenge text packet. Because this packet is sent unencrypted and then returned as an encrypted packet, it may be possible to capture both packets and determine the stream cipher.

WLAN security is one of the most important things to consider when designing a WLAN. The importance is one of the reasons so many people discuss and research it.

Enhanced 802.11 security incorporates two elements to improve upon standard or “basic” 802.11 security. Authentication and encryption are used with enhanced security both to check user credentials before granting access and to increase the security integrity of the user’s session after association to the network.

Authentication in 802.11 leverages the IEEE 802.1X standard to authenticate users and to permit policy assignment to those users as a result of the authentication transaction. Basing the authentication transaction on user rather than machine credentials reduces the risk of security compromise from lost or stolen equipment. 802.1X authentication also permits flexible credentials to be used for client authentication; password, one-time tokens, PKI certificate, or device ID may be used for authentication. Using 802.1X for wireless client authentication also has the advantage that dynamic encryption keys may be distributed to users each time that they authenticate to the network.

Encryption for 802.11 is enhanced with multiple mechanisms, to aid in protecting the system from malicious exploits against the WEP key and in protecting investment in the system by facilitating encryption improvements in existing hardware.

Temporal Key Integrity Protocol (TKIP) protects the WEP key from exploits that seek to derive the key using packet comparison. Message Integrity Check (MIC) is a mechanism for protecting the wireless system from “inductive attacks,” which seek to induce the system to send either key data or a predictable response that can be analyzed (compared) to known data to derive the WEP key.

Both TKIP and MIC are elements of the Wi-Fi Protected Access (WPA) standard, which is intended to secure a system against all known WEP key vulnerabilities. Note that Cisco implemented a pre-standard version of TKIP and MIC in late 2001 and also supports the Wi-Fi industry-standard TKIP or MIC version.

802.11i encompasses a number of security improvements, including those implemented in WPA. Additionally, 802.11i standardized on a new form of encryption for 802.11, which is wireless Advanced Encryption Standard (AES). AES is recognized as a stronger security algorithm than the RC4 stream cipher used with WEP, although AES is undeniably more processor intensive. Hardware updates will be required to move to AES encryption while maintaining comparable throughput. Table 18-7 summarizes the security evolution overview.

The Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) support 802.11a, 802.11b, and 802.11g (2.4 GHz and 5 GHz). Theses cards connect mobile computing devices to the WLAN.

The Cisco Aironet Configuration Administration Tool (ACAT) enables an administrator to install the Aironet Client Utility (ACU) across a network, eliminating the need to install and configure ACU on each wireless client. The auto-installer runs in a silent batch mode and installs and configures ACU (thus configuring the Cisco Aironet client adapter) on a computer running the Windows operating system.

The Cisco Aironet Client Administration Utility (ACAU) enables an administrator to install the Aironet Desktop Utility (ADU) across a network, eliminating the need to install and configure ADU on each wireless client. The auto-installer runs in a silent batch mode and installs and configures ADU (thereby configuring the Cisco Aironet client adapter) on a computer running the Windows operating system.

ACAU and ACAT have virtually identical abilities, just slightly different user interfaces.

On Windows XP, configuration can be done by the Cisco Aironet Wireless LAN Client Adapter through ADU or a third-party tool, such as the Microsoft Wireless Configuration Manager. Because third-party tools may not provide all of the functionality available in ADU, Cisco recommends using ADU. (Please note that a patch from Microsoft might be required to use the Microsoft tool with WPA security.)

ADU works only with the PC-CardBus card (AIR-CB21AG) and PCI card (AIR-PI21AG). The abilities of ADU are similar to those of ACU; ADU simply has a different look and feel.

ACU is a Windows GUI diagnostic and configuration utility. It allows you to upgrade firmware, edit configuration, and perform RF link testing. ACU allows the wireless client to use different profiles to connect to different WLANs. Each profile allows the user to selectively configure all parameters on the client card. The profile manager can then be used to change profiles. When the user selects a different profile, the settings for the client card are changed without requiring a reboot. ACU can accommodate a maximum of 16 profiles.

The Cisco Compatible Extensions (CCX) program for WLAN devices provides tested compatibility with licensed Cisco infrastructure innovations. Compatibility is assured through extensive, independent testing of third-party devices. The CCX program enables the widespread availability of wireless client devices that take advantage of the Cisco Aironet wireless network, accelerating the availability of innovative features while maintaining interoperability.

With the CCX program, WLAN client suppliers (the program’s participants) license, at no charge, Cisco WLAN technology innovations in a specification. Participants implement all elements of the specification and undergo extensive testing at an independent third-party test lab. The testing helps to ensure support for innovative features pioneered by Cisco Systems, as well as interoperability with Cisco WLAN infrastructure products.

The CCX program helps to ensure that client devices from a variety of suppliers can leverage Cisco-based WLANs. To make it easy to find these devices, Cisco has licensed the Cisco Compatible logo for use by participants whose products pass all tests at the independent third-party test lab. Locating approved wireless devices is as easy as looking for the logo.

The CCX program for WLAN devices provides tested compatibility with licensed Cisco infrastructure innovations.

The WLAN controller provides multiple interface options for configuration. Interfaces are logical entities on the controller. An interface has multiple parameters associated with it, including an IP address, default gateway (for the IP subnet), primary physical port, secondary physical port, VLAN identifier, and DHCP server.

These five types of interfaces are available on the controller:

Each interface is mapped to at least one primary port, and some interfaces (management and dynamic) can be mapped to an optional secondary (or backup) port. If the primary port for an interface fails, the interface automatically moves to the backup port. In addition, multiple interfaces can be mapped to a single controller port.

Connecting to the controller is similar to the standard switch connection. Configure the terminal emulator (HyperTerminal, ProComm, and so on) with the following parameters: 9600 baud, 8 data bits, 1 stop bit, no parity, and no hardware flow control.

Next, use a null-modem serial cable to connect the CLI console to the controller console port.

The initial setup for all controllers can be done through the serial port. Moreover, the Service Interface port is another setup option available only on the 4400 Series controllers.

Using the serial port requires a male DB-9 pin connector that supports pins 2, 3, and 5. This is the default port configuration.

The serial port of all WLAN controllers is dedicated to the management of the AireOS operating system. It ensures access to AireOS in the event of a network failure and can be used for initial installation too. The serial port access will only be available from the CLI—not the GUI.

On the 4400 WLAN controller, the Service Interface port is dedicated to AireOS management in addition to the Serial port. The Service Interface port ensures access to AireOS in the event of a network failure and can be used for initial configuration or out-of-band (OOB) management from the management network.

The Service Interface port is an auto-sensing 10/100BASE-TX Ethernet port. The WLAN controller is a DTE type device that requires a crossover cable for other DTE devices such as a router or end station. Standard Category 5 Ethernet cables are used when connecting to a DCE device such as a switch or modem. By default, the port IP address assigned is 192.168.1.1/24.

After the connection is made and power is applied to the WLAN controller, the boot sequence will provide additional options. The boot options available, because this is set in PROM to ensure controller recovery, are as follows:

Connection to the controller can be made from a web browser after bootup. Cisco Switch Web Configuration Wizard Login is a GUI tool with an easy-to-use interface. The initial system configuration supports only HTTP access, so if you attempt to use HTTPS, you will receive an error.

The default IP address for Cisco WLAN controllers is 192.168.1.1/24. The default username/password combination is admin/admin.

When selecting the primary or backup image at the Boot Options menu, the system automatically starts if the Esc key is not pressed. After the boot image loads, the Airespace AireOS starts up.

Watching the bootup messages enables you to follow the overall process, such as:

If there is a configuration saved on the controller, the bootup script will prompt for the administrator username and password. Once logged in to the controller AireOS, the show running configuration command provides a general summary of the configuration. It is not in a command syntax format and contains no MAC address information, which allows it to be ported to multiple controllers. Be aware of duplicate IP addresses.

As the switches have both a running-configuration and a saved-configuration, so does the controller. So the running-configuration is any command executed and not saved, whereas saved changes create the saved-configuration in NVRAM. Otherwise, a power cycle will drop all running-configuration changes.

When the controller boots at factory defaults, the bootup script runs the configuration wizard, which prompts the installer for initial configuration settings. Follow these steps to enter settings using the wizard on the CLI:

The CLI allows operators to use a VT-100 emulator to locally or remotely configure, monitor, and control a WLAN controller and its associated lightweight APs. The CLI is a simple text-based, tree-structured interface that allows up to five users with Telnet-capable terminal emulators to access the controller. The CLI basic command set is as follows:

The GUI allows up to five users to simultaneously browse into the controller http or https (http + SSL) management pages to configure, control, and monitor the operational status for the controller and its associated lightweight APs. The GUI menu bar is as follows:

After Switch Web Configuration Wizard saves the configuration and reboots the controller, HTTPS access will be enabled whereas HTTP access will be disabled by default.

Use the show 802.11 commands to display configuration parameters.

To display basic 802.11a options and settings, use the following command:

show 802.11a

Defaults: None

Related commands: show 802.11b

Use the show advanced commands to display advanced configuration parameters.

To display the 802.11a advanced options and settings, use the following command:

show advanced 802.11a summary

Defaults: None

Related commands: show advanced 802.11b summary

Use the show ap commands to display AP parameters.

To display the detailed configuration for an 802.11b/g Cisco 1000 Series Lightweight AP, use the following command:

show ap config {802.11a | 802.11b | general} Cisco_AP

Defaults: None

Related commands: show ap auto-rf, show ap bmode, show ap bhrate, show ap core-dump, show ap crash-file, show ap stats, show ap summary, show ap wlan, show arp switch, show auth-list, show boot

Use the show stats commands to display controller statistics.

To show physical port receive and transmit statistics, use the following command:

show stats port {detailed port | summary port}

Defaults: None

Related commands: show stats switch, show switchconfig, show sysinfo, show syslog, show tech-support, show time, show trapflags, show traplog, show watchlist, show wlan, show wps

show client ap {802.11a | 802.11b} Cisco_AP

show radius acct statistics

show rogue ap clients MAC

show rogue client detailed MAC