Download from www.CCNA4.

com

CCNA- Wireless Study Guide

Waves, Frequencies, and RF

Waves – Wireless starts and ends with waves, specifically radio waves. There are
different modulation techniques to encode data onto a carrier wave signal. These techniques
differ between the 3 (now 4 with N) flavors of wireless, A, B, and G. DSSS (Direct Sequence
Spread Spectrum) is the modulation technique used by 802.11b, which uses “chipping codes”
to send redundant data to allow for interference. OFDM (Orthogonal Frequency Division
Multiplexing) is the modulation technique used by 802.11a and 802.11g. This technique
divides a channel into multiple subcarriers, similar to how a T1 is divided up. Data is sent
simultaneously over these subchannels to achieve redundancy and a combined higher data
rate. MIMO (Multiple-Input Multiple-Output) is the modulation technique used by 802.11n
and allows a device to use more than 1 antenna for sending data and 1 antenna for receiving
data. This is the main thing that helps N products achieve such higher data rates than a and
b/g, along with many other advances in how signals are processed.

Frequencies – All wireless devices use unlicensed frequencies, meaning that you do not
have to apply for a license from the FCC to use them and they are subject to interference from
other devices. Within the frequencies assigned to a and b/g there are also “channels,” which
are the portion of the frequency that an individual device can use. This is less important for
802.11a devices as AP’s using 802.11a will automatically sense and choose a channel that is less
likely to conflict with the AP’s around it. A also has a lot more non-overlapping channels to
choose from – 23 within the 5GHz range of 802.11a. 802.11b only has 3 non-overlapping
channels to choose from within the 2.4Ghz range 802.11b uses. If 2 AP’s next to each other are
transmitting at on the same channel, the signal to noise ratio will rise and the bandwidth
available will decrease.

RF – Radio Frequency waves behave like light waves or any other waves. They are
subject to many issues that can degrade performance of a wireless network. Surveying before
deploying a network and periodically helps mitigate these issues. Absorbtion describes how
waves are blocked by walls or dampened by carpet. This is similar to how sound waves are
absorbed. Scattering is how waves are reflected by something in the air, like heavy rain.
Refraction describes how a wave’s path is altered by passing through something, such as think
glass. This is similar to what happens to light waves as they pass through a prism. Reflection
describes how waves bounce off of shiny or reflective objects, which can cause more noise as
wireless frames arrive out of order, causing a “multipath issue” where signals can become out
of phase and cancel each other out. Line of Sight can become an issue in wireless WAN

Download from www.CCNA4.com

Download from www.CCNA4.com

deployments as the curvature of the earth itself can become an obstacle, making taller towers
necessary. Signal-to-Noise Ratio is a measurement of how strong a signal is compared to all
the surrounding noise. This can be helpful when diagnosing issues with RF coverage or deciding
how to place AP’s.

Topologies

WPAN, WLAN, WMAN, and WWAN – A WPAN (Wireless Personal Area network) is
limited to 20ft and is primarily for peripheral devices (mice, Bluetooth devices, etc), operates on
the unlicensed 2.4GHz spectrum and is generally limited to 8 active devices. It can also be
called a “piconet.” A WLAN (Wireless Local Area Network) operates on the 2.4 or 5 GHz
spectrum, spans about 100 meters from AP to client, and is more flexible to allow more than 8
devices. WLANs and their clients are dual-band, supporting different transmission methods in
different areas. A WMAN (Wireless Metropolitan Area Network) is slower than a WLAN, but
covers more distance with speeds closer to broadband. Also includes WiMAX. Speeds decrease
with distance. A WWAN (Wireless Wide Area Network) is essentially a wireless WAN
connection with low rates, high cost and a licensed frequency.

802.11 Topologies – Originally, there were 2 modes for 802.11 networks – Ad Hoc and
Infrastructure. Ad hoc networks are made by wireless clients without a central device
controlling them, like an AP. These are also called IBSS (Independent Basic Service Set) and are
frowned upon for enterprise use for a number of issues, many of them security related.
Network Infrastructure Mode is the one most commonly used in enterprises. When there is
only 1 AP, it is called a BSA or Basic Service Area or wireless cell, if more than 1 AP is connected,
then it is called a ESA or Extended Service Area.

SSID’s – Service Set Identifiers (SSIDs) are mapped to a MAC address on the AP that you
are connecting to. The MAC address can be the MAC address of the wireless radio on the AP or
a virtual one it generates. If an AP has only 1 SSID, it is called a BSSID or Basic Service Set
Identifier. If an AP has more than one SSID, it is called a MBSSID (Multiple Basic Service Set
Identifier.

Bridges – Cisco offers 2 types of workgroup bridges, which help extend a wired network
to an area you can’t run cable to. They are point-to-point wireless connections. Autonomous
Workgroup Bridge (aWGB) and Universal Workgroup Bridge (uWGB).

Repeaters – A repeater extends the reach of a WLAN and does not require a wired
connection. Regular Cisco AP’s can act as repeaters, but there is a performance hit with each
hop.

Download from www.CCNA4.com

Download from www.CCNA4.com

Outdoor Wireless Bridges – These connect wired LANs together in either a point-to-
point connection or point-to-multipoint connection, like from building to building. Aironet
1300 bridges and Aironet 1400 bridges can do this. A 1300 series will also connect clients and
uses the 2.4 GHz range. The 1400 uses the 5 GHz range.

Outdoor Mesh Networks – This allows a bunch of AP’s to form a mesh network.
Requires controllers.

Antennas

Polarization – RF waves are electro-magnetic waves, so like a magnet, they have

polarization. This is a bigger issue for outdoor deployments than indoor, but is one of the
reasons to be careful how you position an antenna.
Diversity – The use of 2 antennas for each radio to increase the odds of getting a good
signal.
Antenna Types:

Omnidirectional – Across the Horizontal plane or Azimuth, the signal spreads fairly
evenly. In the veritical plane or Elevation plane, signal propagates mainly downward,
meaning that an AP on the ceiling will not bleed so much to the floor above. These are
generally the most common.
2.2-dBi Dipole – Similar propagation to an omnidirectional, but with a doughnut shape
in that on the Elevation plane there are some gaps in the middle. These look like short
plastic poles and usually have a hinge where they can be bent.
Directional Antennas – Give more control over RF propagation, such as parabolic dishes
and on walls.
8.5-dBi Patch, Wall Mount – Most signal is focused forward, with a little allowed to
bleed back.
13.5 Yagi Antenna – Very directed, focused RF pattern, such as a straight shot down a
hallway.
21-dBi Parabolic Dish – Very, very narrow path…must be calibrated correctly. Most
allow you to change polarity to make them easier to mount.

Antenna Connectors and Hardware:

Attenuators – reduces signal between the radio and antenna to comply with FCC regs.
Amplifiers – Adds gain to strengthen a signal between the AP and antenna.
Lightning Arrestors – Prevents surges from lightning strikes from traveling from an
antenna to a LAN and damaging equipment. Does not stop direct strikes.

Download from www.CCNA4.com

Download from www.CCNA4.com

802.11 Protocols

Original 802.11 Protocol – RF tech: FHSS (Frequency Hopping Spread Spectrum) and
DSSS (Direct Sequence Spread Spectrum), Coding: Barker 11, Not used today because it
only yields 1 to 2 Mbps.
802.11b Protocol – RF tech: DSSS, 2.4GHz spectrum, Coding: Barker 11 and CCK
(Complementary Code Keying), Modulation: DQPSK (Differential Quadrature Phase-
Shift Keying). Gives data rates of 1,2,5.5, and 11 Mbps and has 3 non-overlapping
channels of 1, 6, 11. Backwards compatible with original 802.11.
802.11g Protocol – RF tech: DSSS and OFDM (Orthogonal Frequency Division
Multiplexing), 2.4 GHz spectrum, Coding: Barker 11 and CCK, Data rates of 1, 2, 5.5, 11
Mbps with DSSS and 6, 9, 12, 18, 24, 36, 48, and 54 Mbps with OFDM and has the same
3 non-overlapping channels as b. Backwards compatible with original 802.11 and b.
802.11a Protocol – Not compatible with original 802.11, b, or g. uses 5GHz spectrum,
RF tech: OFDM, Coding: Convolution Coding, Modulation: BPSK, QPSK, and 16 or 64-
QAM. Data Rates are 6, 9, 12, 18, 24, 36, 48, and 54 Mbps with OFDM. Multiple non-
overlapping channels – AP’s automatically choose a channel not in use by adjacent AP’s.
802.11n Protocol – Backward compatible with ALL 802.11 protocols. Uses MIMO
(Multiple-Input, Multiple-Output) to achieve higher data rates even for a, b, and g
clients, Less harmed by interference and reflection. Up to 32 data rates.

Wireless Frame Transmission

Frame Types:

Management Frames – Used for association and anything else to do with leaving or
joining a BSA.
Control Frames – ACK’s for when data frames are received.
Data Frames – Duh…they contain data.

Sending Frames:

Wireless LANs use CSMA/CA (Carrier Sense Multiple Access Collision Avoidance). This
means they listen to the network and wait a designated time before attempting to send
data. This period is called the IFS (Interframe Space) and can vary according to the type
of client or data.
SIFS (Short Interframe Space) – Higher priority. Used for ACKs and others
PIFS (Point-coordination Interframe Space) – Used when an AP is going to control the
network
DIFS (Distributed-coordination Interframe Space) – The normal spacing between

Download from www.CCNA4.com

Download from www.CCNA4.com

frames. Used for data frames.

A client starts counting down a random timer. If it hears nothing during that timer, it
sends frames. If it does, it adds 45 to it’s current count and continues counting down
until it hears nothing, then sends. The total time it has to wait is called a Contention
Window.

Wireless Frame Headers:

A Wireless Frame Header can have up to 3 MAC addresses in it. The Source and
Destination MAC addresses and a BSSID, which is also a MAC address. Wireless frames
are larger than Ethernet frames and often have to be fragmented before bridged to the
wired network.

RTS/CTS – If a AP is controlling the network, the client will send a RTS or “Request to
Send” to see if it is allowed to take a turn sending frames. If it is, the AP will respond
with a CTS or “Clear To Send” response telling the client to proceed.

Other Wireless and How They Mess Your WLAN Up!

Cordless Phones – Not too common anymore, but they do interfere with wireless since
they operate either at 2.4GHz or 5.8GHz. They use TDMA (Time Division Multiple Access)
or FDMA (Frequency Division Multiple Access) to allow several devices to use the same
frequency at the same time on different “channels.”
Bluetooth – Interfers with b/g WLANs as it operates at 2.4GHz, but has limited range.
Uses FHSS (Frequency Hopping Spread Spectrum) so it will jump to a different frequency
within that range to minimize interference. Considered a piconet or WPAN. Connects
multiple slave devices to one master device for its topology.
ZigBee – Another WPAN technology, mostly used for monitoring devices. Has a funky
topology with stars and clusters with some full function devices and some coordinators
or reduced function devices.
WiMAX – Doesn’t interfere with WLAN’s, but is basically a wireless broadband solution
for WAN links to the internet.
Other Culprits of Interference – Leaky Microwaves (huge problem in real life!), Wireless
X11 cameras, Radar Systems, Motion Sensors, Fluorescent Lighting, Game Controllers
and adapters.

How Packets Get To and From a Wireless Network From a Wired Network

Association – A client either passively scans a network to see what SSID’s are being
broadcast by a beacon from the AP or actively scans sending a probe request for a

Download from www.CCNA4.com

Download from www.CCNA4.com

specific SSID that may or may not be being broadcast. If the client hears a beacon or
receives a probe response, the client sends an authentication request to the AP for the
desired SSID. The AP should respond with an authentication response. If this is
successful, the client sends an association request that includes client info like data
rates and the AP responds with an association response that contains the AP’s info like
data rates. The client chooses a data rate based on the RSSI (Received Signal Strength
Indicator) and the SNR (Signal-to-Noise Ratio). The client is now associated.

Sending to a Host on Another Subnet – 1. Client decides to send traffic to another host.
2. Client determines that the other host is not on their subnet. 3. Client decides to
send the traffic to its default gateway. 4. Client looks up gateway in ARP, but it’s not
there. 5. Client sends an ARP request to the AP for the gateway. 6. The AP sends the
ARP request to its controller using the LWAPP (Lightweight Wireless Access Point
Protocol) across the wired network, encapsulating it into a 6 byte header for the trip. 7.
The Controller opens the LWAPP frame and reads the ARP request and rewrites the ARP
request into an Ethernet frame and sends that across the wired network as a broadcast.
All the switches that receive this broadcast flood it out all ports except the one it was
received on. 8. A layer 3 device receives the ARP request broadcast and responds with
a unicast ARP response which is received by the WLAN controller. 9. The controller
rewrites the Ethernet frame into a 802.11 frame and adds a LWAPP header and sends it
to the AP. 10. The AP removes the LWAPP header and exposes the 802.11 frame which
contains the ARP response. 11. The AP buffers the frame and starts a backoff timer and
goes through the usual process of waiting for a free moment to send. It then sends the
frame to the client.

Vlans – In order for multiple SSID’s to be able to be used on an AP, a logical Vlan must
be assigned to the SSID, which allows different SSID’s to have different subnets. APs
using multiple Vlans and SSID’s need to have trunk ports between them and the switch
they are connected to. Configuring Vlan’s is covered in the CCNA, but suffice it to say an
SSID is mapped to one logical subnet and one logical Vlan.

Cisco Unified Wireless LANs

CUWN (Cisco Unified Wireless LAN) – Cisco’s Lightweight wireless infrastructure which
moves some tasks from the Access Point (AP) to the Wireless LAN Controller (WLC)
using what they call the “Split MAC Architecture.” AP’s send information to and from
the WLC using LWAPP (Lightweight Wireless Access Point Protocol) and the WLC can
make decisions boosting or weakening AP signal strength to provide better coverage,
boosting the power of AP’s around an AP that has failed, containing rogue AP’s, etc. A
WLC can manage from 6-300 AP’s. WCS (Wireless Control System) can then control

Download from www.CCNA4.com

Download from www.CCNA4.com

multiple controllers.

Cisco Controllers and AP’s:

The AP Handles – Frame exchange, beaconing, buffering and transmitting frames,
responds to probe requests, forwards notifications of receive probe requests to WLC,
provides RRM (Radio Resource Management) information regarding quality to WLC,
monitors all channels for noise and interference.
The WLC handles – Association, Reassociation when roaming occurs, Authentication,
Frame Translation and Bridging.

LWAPP Modes:
Layer 2 LWAPP Mode – Being deprecated by Cisco. WLC has to be in the same subnet
as the AP’s it controls.
Layer 3 LWAPP – Cisco’s preferred mode. LWAPP travels across subnets and the WLC
can be in a different subnet than the AP’s.

Multiple Networks

WLC’s can support up to 512 Vlan’s. All data regardless of the SSID/Vlan is sent in 1
tunnel from the AP to the WLC via LWAPP. The WLC can only have 16 SSID’s per each
AP, though.

CUWN Architecture

Clients – Aironet Client Devices, Cisco-compatible client devices, Cisco Secure Services
Client

AP’s:
1130AG – Can operate as autonomous or lightweight and H-REAP (Hybrid Remote Edge
AP). Designed for Indoor use. Supports 802.11a/b/g
1240AG – Has same features as 1130’s but only uses external antennas.
1250 Series – Supports 802.11a/b/g/n. Designed for rugged environments, uses 2x3
MIMO technology with external antennas.
1300 Series AP/Bridge – Outdoor AP or Bridge. Does not have a 5GHz radio, so only
supports 802.11b/g. Can be purchased with integrated antennas or connectors for
external antennas. Has a special power supply.
1400 Wireless Bridge – Can only operate as a bridge and cannot connect clients. Does
not support LWAPP and is autonomous only. Designed for outdoor environments and
can be purchased with an internal antenna or connectors for an external antenna.
Supports 802.11a/b/g.

Download from www.CCNA4.com

Download from www.CCNA4.com

WLC’s:
4400 Series WLC – Supports 12, 25, 50, or 100 AP’s depending on model. Can support
up to 5,000 MAC addresses in database. AP and controller must run the same code
version, but the controller will upgrade or downgrade the AP.
3750-G WLC – A WLC integrated into a small switch with the swich and WLC sharing a
backplace. Saves space and ports.
Cisco WiSM (Wireless Services Module) – Blade that installs in a 6500 or 7600 chassis,
sharing a backplane. WiSM supports up to 300 Ap’s or 150 AP’s per controller with each
blade having 2 controllers. Allows clustering of AP’s into a mobility domain.
Cisco 2106 WLC – Same form factor as ASA 5505’s. Small branch controller with 2 PoE
switchports. Supports up to 6 AP’s.
Cisco WLCM – Another small branch controller designed to be added to an ISR router as
a module. Supports 8 or 12 Ap’s, depending on model.

WCS Flavors
Runs on Windows or Linux Red Hat servers. Manages up to 3,000 lightweight AP’s and
1250 Autonomous AP’s. If you add WCS Navigator, it scales above 3,000 AP’s by letting
you navigate between several WCS servers. Also works with Wireless Location
Application to track RFID tags.

Controller Discovery and Association

LWAPP Layer 2 Transport Mode – Again, not preferred by Cisco, AP and WLC must be
on the same Subnet. All LWAPP communication is in Ethernet encapsulated frames, not
IP packets.
LWAPP Layer 3 Transport Mode – Preferred due to scalability. Frames are encapsulated
in UDP. You need to make sure any firewalls between the AP’s and the controller allow
UDP port 12222 for LWAPP data messages and UDP port 12223 for LWAPP control
messages. A 1500 MTU is assumed, but can be changed.

LWAPP AP Controller Discovery

1. Discovery Mode – An AP boots and enters Discovery Mode. It sends a layer 2
broadcast Discovery Request message. If this fails (unless we have a LWAPP layer 2
transport mode in use, it will), it goes to step 2.
2. The AP moves to layer 3 by checking its config for an IP address. If it doesn’t have
one, it uses Dhcp to get one.
3. The AP gets an IP address from the dhcp server. If the dhcp server has DHCP option
43 configured to give the AP an IP address for a controller, the AP now uses that to try
to contact one.

Download from www.CCNA4.com

Download from www.CCNA4.com

4. If no IP address for a WLC was configured on the dhcp server and no WLC has
responded to the layer 2 Discovery Request broadcast, the AP reverts back to layer2
broadcasts and tries again.

IOS-Based AP’s only do a Layer 3 Discovery, as Follows:

1. AP does a subnet broadcast to see if a controller is operating in Layer 3 mode on its
subnet.
2. The AP does an OTAP (Over-the-air-Provisioning)
3. When other AP’s exist and are in a joined state with a WLC, they send messages to
the WLC that have the IP address of the controller in them. The AP that is trying to
discover the WLC can overhear these and get the WLC IP address from them and send a
directed Discovery Message to it.
4. After an AP has associated with at least 1 WLC, the AP gets a list of other controllers
from the WLC that it can associate with. This gets stored in NVRAM and can be used to
skip straight to a directed Discovery Message the next time the AP reboots. This is
called AP Priming.

***You can also use DNS to set an entry for CISCO-LWAPP-Controller for the IP address
of a WLC management interface. The AP can use this address to send a unicast query.

Choosing a Controller
1. The AP chooses the primary controller if it has been primed.
2. The AP chooses the secondary controller, then the tertiary controller if it has been
primed.
3. If no information is available, it looks for a master controller. Each mobility group
should have 1.
4. If all the above fail, the AP looks for the least-loaded AP-Manager interface based on
the number of AP’s being managed.
5. The AP sends the WLC it has chosen a Join Message. The WLC should respond with a
Join Reply message which includes the result code, allowing them to talk, it’s certificate,
and a test payload to see if jumbo frames will work. This completes the Join Request
Phase.

Receiving a Configuration
If the AP is not running the correct software version, the controller upgrades or
downgrades it at this point. If this is necessary, the AP reboots and discovers and rejoins
the WLC. Once the software versions match, the AP prompts the WLC for a config by
sending a LWAPP config request message that contains what is already set and what can
be configured. When the WLC gets this request, it send a configure response message

Download from www.CCNA4.com

Download from www.CCNA4.com

with the values. The AP applies the config in RAM…it is never stored in flash as on an
autonomous AP.

Redundancy for APs and WLC’s

N+1 – Provides a single backup for multiple controllers. This strategy fails if more than 1
controller goes down.
N+N – Each Controller backs up another controller . Load balancing is important here.
N+N+1 – Most redundant design with every controller acting as a backup to another and
an extra backup designated as the tertiary. $$$

AP Modes
Local Mode – usual AP mode serving clients. Can also be used for site surveys
Monitor Mode – Passive and cannot send traffic or associate clients. Used for finding
rogue AP’s, troubleshooting, surveying, or IDS matches. Can be used with location
appliance to increase accuracy.
Sniffer Mode – Cannot send traffic or associate clients. Works with 3rd party sniffer
software to capture data for troubleshooting and forensics.
Rogue Detection Mode – Radios are turned off and cannot associate clients or send
traffic. Listens for ARP messages on the wired network and sends information about
rogue AP and client MAC list to controller for controller to issue alarms.
H-REAP Mode – Allows you to have lightweight AP’s across a WAN link from their
controller. Link must be faster than 128kbps and latency must be less than 100ms
roundtrip. Connected mode means the AP can reach the controller. If the WAN link
fails, the AP goes into Standalone mode and all client requests are serviced based on a
config that is local to the AP (basically, it reverts back to autonomous).
Bridge Mode – Allow point-to-point or multi-point links. Mainly used in Mesh networks.

Roaming…no Buffalo…just Roaming

Mobility Groups – A group of controllers that share information about clients that are
roaming. Think a group of controllers in one building on a campus. A client does not
need to reassociate when moving between AP’s on different controllers in a mobility
group and keeps the same IP even if the AP it roams to is in a different subnet.
Mobility Domain – A group of mobility groups or controllers in different mobility groups
that share information regarding their clients. Think of two buildings connected in a
campus…this might be 2 different mobility groups, but 1 mobility domain. Users
roaming between AP’s on different controllers in different mobility groups that are in
the same mobility domain do not need to reassociate, but they do have to get a new IP
address. Users who roam from an AP on a controller in one mobility domain to a

Download from www.CCNA4.com

Download from www.CCNA4.com

controller in a completely different mobility domain do have to reassociate completely

as if connecting for the first time and will lose connection.

Roaming Requirements – All controllers have to be in the same mobility domain. All
WLC’s must be on the same code version. All WLC’s have to operate in the same LWAPP
mode. ACL’s (Access Control Lists) in the network must be the same. The SSID must be
the same.

Layer 2 Versus Layer 3 Roaming – Layer 2 roaming takes place when a client roams from
1 AP to another that are both in the same network and the client keeps the same IP
address. Layer 3 roaming happens when a client roams from one AP on one subnet to
another AP on a completely different subnet where both AP’s have the same SSID. The
client keeps the same IP address in both cases and no data is lost as they roam.

Asymmetric Tunneling – Traffic from the client is routed to the destination, regardless
of its source address, and the new traffic is sent to its original controller, called and
anchor and is tunneled to the new controller.
Symmetric Tunneling – All traffic is tunneled from the client to the anchor controller,
sent to the destination, returned to the anchor controller, and then tunneled back to
the client via the foreign controller.

Mobility Anchors – Also called guest tunneling or anchor mobility. All the traffic that
belongs to a WLAN is tunneled to a predefined WLC or set of WLC’s. This is particularly
good to anchor guest devices to a WLC in the DMZ for security. This is done on a per
WLAN (SSID) basis.

Controller Terminology

WLAN = SSID and all its parameters

Port – Ties together a VLAN and SSIDs.

Static Interfaces:
Management Interface – The “IP Address” of the controller. AP’s use this IP to discover
the controller and mobility groups exchange information using it.
AP Manager Interface – This address is the source address for LWAPP communication
between the WLC and the AP. It has to be unique, but can be in the same subnet as the
management address.
Virtual Interface – Controls the Layer 3 security and mobility manager communications
for all the physical ports of the WLC. This interface also has the DNS gateway hostname
used by Layer 3 security and mobility managers to verify certificates. If you configure
users to have to log in to a web page to authenticate to use the network (like for guest

Download from www.CCNA4.com

Download from www.CCNA4.com

access), this is the IP address they will be redirected to.

Service Port – Out of Band management, system recovery, and maintenance purposes.
This is the only port on the controller that is active in boot mode. It does not auto-
sense.

Migrating Standalone (Autonomous) AP’s to LWAPP

The IOS to LWAPP Conversion Utility – Software that runs in windows. Will upgrade
Ap’s running version 12.3(7)JA or above for WLC’s running version 3.1 or later. Uses a
.txt file with information about the AP’s you wish to upgrade and a tftp server to send
image files to them.

Cisco Mobility Express

Small Business Communication System – Designed to be able to grow with a small

business, the hardware does not work with their enterprise systems. Allows for the
management advantages fo the CUWN without as much cost or equipment. Only
supports growth up to 12 AP’s total.
Includes:
Cisco Unified Communication 500 Series for Small Businesses – Long name, but it
includes a dhcp server and can support up to 48 users.
Cisco Unified IP Phones
Cisco Monitor Director
Cisco Mobility Solution, Including:
Cisco 526 Wireless Express Controller – Each controller can support up to 6 AP’s with 2
controllers supported. Provides guest access, Voice-over-WLAN, LWAPP, Same
authentication architectures as enterprise, wired/wireless network virtualization, and
management with CCA. (Cisco Configuration Assistant).
Cisco 521 Wireless Express Access Point – Can only communicate with the 526 Wireless
Express Controller, so it cannot be used in an enterprise environment, only supports
802.11b/g, otherwise similar to 1130AG AP’s.

Wireless Clients

Microsoft Windows Zero Configuration Utility (WZC) – Probably the least preferred,
least secure, and most troublesome way to connect. This one is fairly familiar to anyone
who has set up a windows PC for wireless. A major security hole is that, if unable to join
a broadcasting network, it will automatically attempt to create its own ad hoc network
and allow others to connect to it, in the background, with no notification to the user that
this is happening. It will also automatically connect to any ad hoc network it finds if it
cannot connect to an infrastructure network.

Download from www.CCNA4.com

Download from www.CCNA4.com

Apple AirPort Extreme – This GUI is actually pretty nice, with very intuitive settings. No
glaringly obvious security holes.

Linux NetworkManager – GUI tool available in many different Linux distros…similar to

tools for Macs and PC’s and not tested for the CCNA-Wireless

Cisco Aironet Desktop Utility (ADU) – Cisco offers cardbus and PCI card WLAN NICs and
this is the utility used to manage them on a PC. It also has a utility for the system tray
called the Aironet System Tray Utility. It’s better than the WZC, but I prefer other
utilities when I have the chance. A few advantages it has though are the ability to give a
SNR (Signal-to-Noise Ratio) reading from the client and the ability to do basic site
surveying with it. You can use the Aironet Configuration Administration Utility (ACAU)
to automate the creation of client profiles if you have a lot of these cards in your
enterprise.

Cisco Secure Services Client (SSC) – Cisco’s alternative to the WZC for those with
Wireless NICs from other vendors. Requires a license for the client and has a utility as
well to create client profiles for distribution called the SSCAU (Secure Services Client
Administration Utility).

CCX (Cisco Client Extension) Program – basically certifies that devices will work with
Cisco AP’s and infrastructure. On the AP side, using all CCX compatible clients means
the AP can change some settings on the client side and gives you more control over how
they connect.

Wireless Security

Threats Unique to WLAN’s:

Ad Hoc Networks – This allows 2 or more clients to connect to each other bypassing
corporate security policies. An attacker could form an ad hoc network and trick users to
connect to that network and steal data or use their connection to the corporate
network as a way to then gain access.
Rogue AP’s – An AP outside the corporate infrastructure that could be friendly or
malicious. You have to track them down to determine if they are just a neighboring
office building’s network or something that has been brought in from home, or part of a
malicious attack. Attackers try to get users to connect to the rogue and gain access or
steal data from them. A user may unwittingly attach an AP to the corporate network,
allowing an attacker to bypass corporate security policies and gain access to the
network.
Client Misassociation – An attacker spoofs the SSID of a network a client device has

Download from www.CCNA4.com

Download from www.CCNA4.com

already connected to and the client utilities use the cached information about that SSID
to automatically connect to the spoofed SSID, sometimes without the client’s
knowledge. This can be done by sending false beacon messages or management frame
spoofing.

Management Frame Protection (MFP) – This helps prevent a client misassociation

attack. Each management frame gets a MIC (Message Integrity Check) added to it
before the FCS (Frame Check Sequence). Each WLAN (SSID) gets a unique key sent to
each radio on the AP. If anyone tries to spoof the frames or mess with the contents and
does not have this key, it invalidates the message. Client MFP can be used with CCX
(Cisco Compatible Extensions) 5 or better on the client. Here the client can talk to the
AP and find out what the MIC is and it can also verify that the management frames it
receives match this MIC. This will also keep a neighboring AP from attacking your
network with deauthentication messages (essentially trying to contain your AP as if it
were a rogue) since clients will know that these deauth messages did not come from
your AP.

Attacks Used on Both Wired and Wireless Networks:

Reconnaissance Attacks – An attacker tries to gain info about your network (port
scanning, etc.)
Access Attacks – An attacker tries to get access to data, devices, or the network.
(Includes trying to crack pre-shared keys, etc.)
DoS (Denial of Service) Attacks – An attacker tries to prevent users from getting
services they need. An example might be someone putting AP’s at the edge of your
property and then trying to contain your AP’s as if they were rogues.

Authentication Schemes:

Open – Suitable only for guest access to a network. Pretty much no authentication.
These users should only be given internet access.
PSK (Pre-shared Key) with WEP (Wired Equivalent Privacy) – Actually considered less
secure than Open authentication. Keys are easily broken and then the attacker has
access. Uses RC4 encryption method, which is weak. Key sizes are 40bit, 104bit, and
128bit, but Windows will not support the 128 bit. All sizes are easily cracked. MAC
Address filtering helps little because MACs are easily spoofed.
EAP (Extensible Authentication Protocol)/ 802.1x – Much better authentication and
encryption. This has a 3-way handshake to authenticate and requires an external AAA
server (Radius).
EAP-TLS – Requires PKI (Public Key Infrastructure) certificates on the supplicant (client)

Download from www.CCNA4.com

Download from www.CCNA4.com

and the authentication server. Considered most secure and an encrypted tunnel
protects the user certificate.
EAP-FAST – Does not require PKI certificates, but uses a strong shared secret key called
a PAC (Protected Access Credential) that is unique on every client. Is considered the
successor to Cisco LEAP (Lightweight Extensible Authentication Protocol).
PEAP(Protected EAP) – Only a server-side certificate is needed, which is used to create
an encrypted tunnel where the real authentication takes place. PEAP uses MS-CHAPv2
or GTC (Generic Token Card) to authenticate users
LEAP – Vulnerable to an offline exploit, being deprecated.

Encryption Methods:

WPA – Uses TKIP (Temporal Key Integrity Protocol) to automatically change keys. Can
support AES (Advanced Encryption Standard) optionally. Uses stronger encryption (TKIP
vs. RC4) than WEP and a larger IV (initialization vector). 2 Modes offered – Enterprise
mode (requires a Radius server and uses TKIP with AES available) Personal – Uses PSK
(preshared keys) vs. RADIUS, so it is weaker, but more friendly to home environments.
WPA2 – Mandates AES, TKIP is not available. Only allows the AES/CCMP (Advanced
Encryption Standard-Cipher Block Chaining Message Authentication Code Protocol)
version of AES. Key Management allows keys to be cached to allow for faster
connections. Considered best.

WCS (Wireless Control System)

WCS Requirements:

Linux – Will support 3,000 AP’s and 250 Controllers with Red Hat ES/AS Linux Release 4
or better, Intel Xeon Quad 3.15-GHz CPU or better, and 8Gig RAM or better, and a
200Gig HD.
Windows – Will support 2,000 AP’s and 150 controllers with Windows Server 2003 or
better, Pentium 4/2.06 GHz or better, 2G RAM, and a 30G HD or better.
Licenses – There are 2 license options here – Base and Base with Location which allows
you to use a Location appliance for RFID tag tracking.

Features:

Templates – Allow for faster, more uniform configuration of controllers

Auto Provisioning – Allows a new, unconfigured controller to automatically grab a
configuration from the WCS server.
Heat Maps – Can be used for a basic RF prediction (Not always as accurate as a site

Download from www.CCNA4.com

Download from www.CCNA4.com

survey), and once deployed, show real-time RF info and location and status of AP’s.

Download from www.CCNA4.com