
www.cisconetsolutions.com

Wireless Characteristics

802.11b
This is the original wireless standard that supports a maximum data rate of
11 Mbps using the 2.4 GHz unlicensed band. There are well-known sources
of interference from commercial devices in that frequency band. Some
common examples include microwaves, cordless phones, Bluetooth and
other wireless devices. Channel allocation is quite limited, with only three
non-overlapping channels of 1, 6 and 11. The only selectable channel width
available is 20 MHz. The available data rates are 1, 2, 5.5, and 11 Mbps.

802.11g
This is an enhancement to the 802.11b wireless standard with support for a
maximum data rate of 54 Mbps using the same 2.4 GHz frequency band.
802.11g wireless has higher throughput and increased cell coverage. The
same interference problems exist, however, within that 2.4 GHz band. The
same non-overlapping channels 1, 6 and 11 are assignable with a channel
width of 20 MHz. The modulation enables higher data rates of 1, 2, 5.5, 6, 9,
11, 12, 18, 24, 36 and 48 Mbps.

802.11a
This wireless standard is based on the 5 GHz frequency band, where there is
much less interference. The wider frequency spectrum enables up to 23
non-overlapping channels with the same native channel width of 20 MHz.
There is support for a maximum data rate of 54 Mbps. The increased
number of non-overlapping channels with less interference enables higher
average throughput. The disadvantage, however, is that the higher frequency
creates smaller cells and less coverage. Deployment of additional access
points for extended cell coverage is required.

802.11n
The 802.11n wireless standard was approved as a paradigm shift in wireless
infrastructure. There is support for dual-band operation in both the 2.4 GHz and
5 GHz bands. New features such as MIMO antennas and channel bonding
have increased data rates from 300+ Mbps to 900 Mbps. The wired-side
uplink from access point to network switch is faster Gigabit Ethernet speed.
Channel bonding creates a single 40 MHz channel from adjacent 20 MHz
channels for additional bandwidth.

802.11ac
This wireless standard is an extension to the current 802.11n with higher
data rates. It has native support for the 5 GHz band, and that is where the highest
data rates are available. Channel bonding widths of 80 MHz and 160 MHz
are available along with more MIMO spatial streams. 802.11ac does have
backward compatibility with the 2.4 GHz band, however at lower data rates.
Wireless operation within the 2.4 GHz band is equivalent to an 802.11n access
point. From a practical perspective, 802.11ac is the first access point to
approach Gigabit Ethernet cell performance.

Table 1 Wireless Network Standards

Standard   Band      Data Rate   *Channels   Channel Width
802.11b    2.4 GHz   11 Mbps     1,6,11      20 MHz
802.11g    2.4 GHz   54 Mbps     1,6,11      20 MHz
802.11a    5 GHz     54 Mbps     23          20 MHz
802.11n    2.4 GHz   300 Mbps    1,6,11      20 MHz, 40 MHz
802.11n    5 GHz     450 Mbps    23          20 MHz, 40 MHz
802.11ac   5 GHz     900+ Mbps   23          80 MHz, 160 MHz

* Non-overlapping channels represents the number of assignable channels
based on the minimum channel width selected.

RF Cell Characteristics
There are significant differences between wired and wireless network
media. RF wireless cells are shared media with only half-duplex data
transmission. Half-duplex mode decreases throughput by 50% compared
with wired switch port full-duplex mode. Collisions are eliminated on Gigabit
interfaces where there is a collision domain created per port.

Wireless CSMA/CA
This is the wireless media contention protocol that controls when a desktop
can send and receive data. It is designed to avoid collisions for half-duplex
connectivity to the access point. When the cell is busy, there is a random
wait time assigned before transmission.

Figure 1 Wireless CSMA/CA

Wireless LANs (WLAN) employ an older, less effective carrier sense multiple
access with collision avoidance (CSMA/CA). It is required to manage
wireless client access to an RF cell. Figure 1 shows CSMA/CA operation
when multiple clients want to transmit packets. The effect of RF shared
media is higher network latency and lower throughput.

Data Rate, Distance and Frequency

The average data rate will decrease as wireless clients move further from an
access point. The solution is to increase coverage with more access points
so that maximum bandwidth is available. The network range will decrease
as well for 5 GHz compared with 2.4 GHz radios. That is a characteristic of
higher frequency signals, which do not pass through building structure as easily
as lower frequencies.

Increasing transmit power on an access point radio will actually decrease
range at higher data rates. The effective range is extended, although with
lower data rates. Faster rates are transmitted at lower transmit power. That
does not apply to wireless clients. Transmit power of clients should be
set at maximum for best results, since the return path determines
practical range. The network maximum distance is 100 meters from access
point to switch. Mixed environments, such as 802.11b and 802.11g clients
assigned to the same WLAN, will decrease throughput for both as well.

Channel Assignment
Cisco wireless infrastructure supports both automatic and manual channel
assignment. Select Dynamic Channel Assignment (DCA) on wireless
controllers for best results. Configuration of a radio policy assigns a
frequency band to an RF cell.

As mentioned, there are only three (1,6,11) non-overlapping channels
assignable from the 2.4 GHz band. Channel separation of 20 MHz is required to
avoid channel overlap interference. Selecting the wider 5 GHz band will
allow more channels for assignment. 5 GHz enables channel bonding of
adjacent channels for higher bandwidth (data rate). That reduces the
number of non-overlapping channels assignable.

Service Set Identifier (SSID)

Network addressing is a key CCNA topic that extends to wireless
infrastructure. The concept of a wireless LAN (WLAN) is defined with a
network name called an SSID. It advertises an access point's presence over a
wireless cell to clients. Any wireless client that is compatible with the
access point and knows the SSID can associate.
Figure 2 Service Set Identifier (SSID)

Typically there is a wired VLAN that is mapped to an SSID. For example,
guest users from Figure 2 would associate to AP-2 using SSID Guest. That
same SSID is then mapped to wired VLAN 100 on the wired switch. There is
support as well for mapping multiple SSIDs to a single VLAN.

Anytime you first assign an SSID, there is a Basic SSID (BSSID) assigned to
that SSID. It is the base MAC address of an access point. The purpose of the
BSSID is to identify wireless clients with a physical access point. There are
often multiple access points and SSIDs within a wireless domain. Each
additional SSID is also associated with a unique BSSID that is calculated by
incrementing the base MAC address by one. Cisco supports 32 SSIDs and
32 BSSIDs per radio.
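The BSSID rule above, worked in Python as an added example (not code from the guide or from Cisco): it derives the BSSID block of a radio exactly as the guide states the rule (first SSID on the base MAC, each further SSID one higher, at most 32 per radio) and then uses that mapping from the defender's side, checking whether each BSSID seen in a scan can be explained by a managed radio. The base MAC, SSID names and scan results are constructed sample values; real access points may allocate BSSIDs differently, so treat the increment rule as the guide's simplification.

```python
from typing import Optional

MAX_SSIDS_PER_RADIO = 32  # limit stated in the guide


def parse_mac(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return a 48-bit int."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Render a 48-bit integer as colon-separated lower-case hex (wraps at 48 bits)."""
    value &= 0xFFFFFFFFFFFF
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def derive_bssids(base_mac: str, ssids: list) -> dict:
    """Map each SSID to its BSSID by the rule the guide gives: the first SSID uses the
    radio's base MAC, and every further SSID increments that address by one."""
    if len(ssids) > MAX_SSIDS_PER_RADIO:
        raise ValueError(f"a radio supports at most {MAX_SSIDS_PER_RADIO} SSIDs")
    base = parse_mac(base_mac)
    return {ssid: format_mac(base + index) for index, ssid in enumerate(ssids)}


def classify_bssids(managed_base_macs: list, observed_bssids: list) -> dict:
    """Defender's view: for each BSSID seen in a scan, return the managed radio whose
    BSSID block (base .. base+31) contains it, or None when no managed radio explains
    it. A None entry that advertises one of your SSIDs is worth a rogue-AP investigation."""
    blocks = [(parse_mac(mac), mac) for mac in managed_base_macs]
    result: dict = {}
    for seen in observed_bssids:
        value = parse_mac(seen)
        owner: Optional[str] = None
        for base, label in blocks:
            if base <= value < base + MAX_SSIDS_PER_RADIO:
                owner = label
                break
        result[seen] = owner
    return result


if __name__ == "__main__":
    # Constructed sample: one managed radio, three SSIDs, and a scan with one stray BSSID.
    print(derive_bssids("00:11:22:33:44:50", ["Corp", "Guest", "IoT"]))
    print(classify_bssids(["00:11:22:33:44:50"],
                          ["00:11:22:33:44:51", "aa:bb:cc:dd:ee:01"]))
```

The carry across octets matters in practice: a base MAC ending in ff rolls its next SSID over into the following octet, which is why the arithmetic is done on the 48-bit integer rather than on the last byte alone.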

Cisco Wireless Architecture

The proliferation of wireless infrastructure is the result of newer endpoint
devices and the popularity of mobility. Network access is now
available from wired and wireless clients. Cisco has recently shifted to a
controller-based infrastructure architecture for deploying and managing
wireless devices.

The primary components of any wireless network include wireless clients,
access points, wireless LAN controller and wired switch. There are various
network interfaces as well, such as access port, trunk and LAG. The switch
is a central hub connecting components to the wired network.

Access Point
The wireless access point only forwards frames to a controller. The exception is
autonomous access points, which communicate directly with a switch. They
are similar in operation to an older bridge.

On the wireless side, clients associate to a compatible access point across
a shared RF collision domain. Wireless clients communicate via wireless
radios that transmit and receive data. The wireless RF cell media is not
equivalent to a dedicated Ethernet port on a network switch. It is based on
half-duplex transmission. The result is that collisions occur across the
media. CSMA/CA is required to detect collisions and manage access to the
wireless cell for endpoints.

Cisco currently supports Gigabit Ethernet interfaces on an access point.
That is the wired-side interface that connects to the wired switch. In fact,
access points are similar to IP phones, where PortFast can be enabled at the
access layer.

Wireless LAN (WLAN)

The access point is configured with at least one wireless LAN (WLAN). It is
used to create a logical grouping of wireless clients. Each WLAN is
assigned an SSID (Service Set Identifier). Wireless clients associate to an
access point based on an SSID. Each SSID is additionally mapped to a
unique VLAN as a bridge to the wired network. The common practice is to
assign a single SSID to a wired VLAN. That creates a broadcast domain per
SSID when multiple SSIDs are defined. The access point forwards traffic
from each SSID to the correct VLAN on the upstream wired switch.

Wireless Client Access Point Association

The following describes how a wireless client associates to an access point.

Step 1: Client sends probe to all access points.
Step 2: Access point sends information frame with data rate etc.
Step 3: Client selects nearest matching access point.
Step 4: Client scans all access points - 802.11a, 802.11b then 802.11g
Step 5: Data rate is selected.
Step 6: Client associates to access point with SSID.
Step 7: Client authenticates to access point based on security enabled.

Table 2 Wireless Client Compatibility Matrix

Standard   802.11b   802.11g   802.11a   802.11n
802.11b    yes       yes       no        yes
802.11g    yes       yes       no        yes
802.11a    no        no        yes       yes

- Client transmits signal based on wireless adapter (802.11a/b/g/n)
- Nearest access point that supports client wireless radio responds

Wireless AP Modes
Cisco wireless architecture supports a variety of AP modes. That refers to
operational modes and how access points communicate within any wireless
domain. The primary modes include traditional autonomous mode, LAP
modes, AP controller mode and cloud mode.

Autonomous Mode
This is an older operational mode that is still used in public hotspots and
home office. It is deployed to any location where controller architecture is
not required or cost-effective. Each access point is locally configured similar
to any network device. There is no centralized management of configuration
or wireless RF settings. Autonomous mode access points can be upgraded
to support controller mode with IOS software.

Controller (LAP) Mode

The popularity of wireless mobility has led to more controller-based wireless
infrastructure. Enterprise access points are now managed from wireless
LAN controllers (WLC). The operational mode is referred to as LAP mode.
There are multiple LAP modes that are configurable.

Figure 3 Cisco Wireless LAN Controller Architecture

On startup, there is a discovery process where the access point registers with a
controller. The access point obtains an IP address from a DHCP server if
that is enabled. The controller then pushes the LAP configuration and
policy settings.

Advantages of Wireless LAN Controllers

- Easier management and deployment of access points.
- Configuration of wireless user policies across the network.
- Dynamic RF cell management and channel assignment.

Standard network services available include DHCP server, DHCP relay,
frame switching, and proxy ARP. It is a peer of network switches for the
switching domain and supports STP.

Network Interfaces
Cisco access points connect to a switch as shown with Figure 3. The switch
port is configured as a trunk when autonomous access points have multiple
VLANs. LAP mode is based on a Layer 3 CAPWAP tunnel to controller. The
switch port mode is irrelevant since it is Layer 3 interface. Configure bridge
groups on the access point for each VLAN and assign to radio interfaces.

Link Aggregation Group (LAG)

Cisco wireless controllers support Link Aggregation Group (LAG) to bundle
multiple physical ports into a logical EtherChannel. The advantage is higher
bandwidth, redundancy and load balancing. The controllers have multiple
Ethernet ports available for network switch connectivity. There is support for
configuring only a single LAG group per controller. There is no support for
dynamic EtherChannel (LACP) on the controller port. The switch-side port
must be configured for static EtherChannel (on) mode. Typically the LAG
interface is enabled for trunking to forward multiple VLANs between wired
and wireless network.

Wireless Controller LAP Modes

There are various lightweight access point (LAP) operational modes
configurable within the centralized controller deployment model. They
enable different methods for communication with the controller along with
failover redundancy.

Local Mode
This is the Cisco default mode for communication with wireless controllers.
The controller is responsible for centralized switching of all access point
traffic. When the connection to controller is dropped, the access point stops
forwarding traffic. There is a discovery process started again for access
point to identify another controller.

FlexConnect Mode
Traffic is switched at the local access point instead of the wireless
controller. There is still communication with the controller, however it is for
management purposes only. In this mode, access points continue working
when there is no communication to the centralized controller.

FlexConnect is typically enabled at remote and branch offices with access
points where the controller is hosted at a data center. User authentication
requests are based on local authentication or RADIUS server. The user
accounts can be defined locally on an access point or from a local RADIUS
server. Requests can be sent to RADIUS server at the data center as well
when there is no communication with controller.

Monitor Mode
This troubleshooting mode is used only for detecting rogue access points on
the wireless network. Client traffic is not forwarded from any access point in
monitor mode. It is common to allocate access points for rogue detection
across a large wireless network for security purposes. There is a reboot of
access point required when monitor mode is enabled.

Rogue Detector Mode

The Cisco access point radio interface is shut down in this mode. The access
point monitors wired traffic only from multiple VLANs. It compares any MAC
addresses reported from access points with the list it has compiled. It is a
method to detect rogue access points.

Bridge Mode
This is a transport mode only to forward frames between access points on
point-to-point mesh connection. The most common application for bridge
mode is for outdoor deployments.

Dual Controller/AP Mode

Cisco Mobility Express architecture now supports a dual-role Controller/AP for
a distributed management architecture. Designate AP mode (default) to
enable LAP, where access point operation is normal. There is controller
mode as well, where the access point is also a wireless controller for a
domain. The access point can both respond to requests from wireless
clients and manage access points.

Cloud Mode
Cisco acquired Meraki for cloud-based management of wireless access
points. There are no controllers deployed with this architecture. Wireless
domain is managed from software in the cloud. Advantages are ease of
deployment, management and redundancy of cloud architecture. User
authentication is sourced from a local RADIUS server. All access points
connect via switch trunk interfaces for multiple VLANs to a cloud uplink.

Controller Frame Rewrite

The wired switch is based on Ethernet frames and access points use
wireless 802.11 frames. The source and destination MAC address are
rewritten (updated) for each data message. Consider that wireless access
points and switches do not rewrite source and destination MAC address.
The destination MAC address is never to an access point or switch.

The wireless controller strips off and rewrites the frame header between access
point and wired network. Source and destination MAC address are rewritten
and the frame is forwarded to the IP default gateway (L3 switch or router).

Controller → Default Gateway

For outbound data messages, frame rewrite occurs at the wireless
controller. The 802.11 wireless header is stripped off at the controller and
replaced with an Ethernet frame header. The source MAC address is the
wireless controller and the destination MAC address is the default gateway.

Controller ← Default Gateway

For inbound data messages, frame rewrite occurs at the default gateway.
The source MAC address is that of the default gateway and the destination
MAC address is the wireless controller. The Ethernet frame header is stripped off
at the controller and replaced with an 802.11 wireless header.

CAPWAP Tunnel Addressing

The data communication between access point and wireless controller is via
Layer 3 CAPWAP tunnel through wired switch. It is essentially a direct
connection to the controller with an outer IP header and inner IP header.
The inner IP header enables communication between wireless client and
server. The outer IP header is CAPWAP tunnel through the switch between
access point and controller. There is a management IP address on wireless
devices used for that purpose. IP addressing enables tunneling between
access point and controller.

Outer IP Header
- For packets sent from access point to WLC, the source IP address is the
access point and the destination IP address is the WLC.
- For packets sent from WLC to access point, the source IP address is the
WLC and the destination IP address is the access point.

Inner IP Header
- For packets sent from wireless client to server, the source IP address is the
wireless client and the destination IP address is the server.
- For packets sent from server to wireless client, the source IP address is the
server and the destination IP address is the wireless client.
- The inner IP header is unaltered between source and destination as per
standard addressing and routing rules.

Example: Frame Rewrite

Refer to the network drawing. What are the source and destination MAC
addresses of data messages outbound from the 172.16.1.1/24 wireless client?

Figure 4 Wireless LAN Controller Frame Rewrite



The source MAC address of the outbound frame is the wireless client. The
destination MAC address is the wireless LAN controller (WLC). The source
MAC address is assigned to the wireless network interface of the host. The
destination MAC address is the device MAC address of the WLC.

- Source MAC address = wireless client adapter
- Destination MAC address = wireless LAN controller (WLC)
- Source IP address = wireless client
- Destination IP address = server
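The frame rewrite and CAPWAP addressing described in the three sections above, modelled in Python as an added example (not code from the guide or from Cisco). Each hop is a function that takes the frame it receives and returns what it forwards, so the worked question above can be answered by running it: on the RF cell the client's frame carries source = client MAC and destination = WLC MAC, the AP wraps it in a CAPWAP packet whose outer header is AP → WLC, and the controller replaces the 802.11 header with an Ethernet header of source = WLC MAC and destination = gateway MAC while the inner IP header passes through untouched. All MAC and IP values are constructed (only the client address 172.16.1.1 is from the guide's example), and the inbound 802.11 header, which the guide does not spell out, is assumed to mirror the outbound one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IPHeader:
    """Inner IP header: end-to-end addresses that no hop on the path rewrites."""
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Dot11Frame:
    """802.11 frame on the RF cell: Layer 2 addresses are client and WLC."""
    src_mac: str
    dst_mac: str
    ip: IPHeader


@dataclass(frozen=True)
class EthernetFrame:
    """Ethernet frame on the wired side of the WLC: Layer 2 addresses are WLC and gateway."""
    src_mac: str
    dst_mac: str
    ip: IPHeader


@dataclass(frozen=True)
class CapwapPacket:
    """CAPWAP tunnel packet: outer IP header (AP <-> WLC management addresses)
    carrying the 802.11 frame untouched."""
    outer_src_ip: str
    outer_dst_ip: str
    payload: Dot11Frame


# Constructed sample addresses (hypothetical; only the client IP is from the guide's example).
CLIENT_MAC = "00:11:22:aa:bb:cc"
CLIENT_IP = "172.16.1.1"
AP_IP = "10.0.0.10"               # AP management address, outer header only
WLC_IP = "10.0.0.1"               # WLC management address, outer header only
WLC_MAC = "00:11:22:00:00:01"
GATEWAY_MAC = "00:11:22:00:00:fe"
SERVER_IP = "192.0.2.80"


def client_sends(client_mac: str, wlc_mac: str, client_ip: str, server_ip: str) -> Dot11Frame:
    """Outbound step 1: the client's 802.11 frame names the WLC as its Layer 2 destination."""
    return Dot11Frame(client_mac, wlc_mac, IPHeader(client_ip, server_ip))


def ap_encapsulate(frame: Dot11Frame, ap_ip: str, wlc_ip: str) -> CapwapPacket:
    """Outbound step 2: the AP tunnels the frame to the controller (outer header AP -> WLC)
    and rewrites nothing inside it."""
    return CapwapPacket(ap_ip, wlc_ip, frame)


def wlc_outbound_rewrite(pkt: CapwapPacket, wlc_ip: str, wlc_mac: str, gateway_mac: str) -> EthernetFrame:
    """Outbound step 3: the WLC removes the tunnel and the 802.11 header and writes an Ethernet
    header with source = WLC MAC and destination = default gateway MAC. Inner IP is kept as is."""
    if pkt.outer_dst_ip != wlc_ip:
        raise ValueError("CAPWAP packet is not addressed to this controller")
    inner = pkt.payload
    if inner.dst_mac != wlc_mac:
        raise ValueError("802.11 frame is not addressed to this controller")
    return EthernetFrame(src_mac=wlc_mac, dst_mac=gateway_mac, ip=inner.ip)


def gateway_inbound_rewrite(reply: IPHeader, gateway_mac: str, wlc_mac: str) -> EthernetFrame:
    """Inbound step 1: the default gateway writes source = gateway MAC, destination = WLC MAC."""
    return EthernetFrame(src_mac=gateway_mac, dst_mac=wlc_mac, ip=reply)


def wlc_inbound_rewrite(eth: EthernetFrame, wlc_mac: str, wlc_ip: str, ap_ip: str, client_mac: str) -> CapwapPacket:
    """Inbound step 2: the WLC strips the Ethernet header, rebuilds an 802.11 header toward the
    client and tunnels it to the AP (outer header WLC -> AP). Assumption: the 802.11 source MAC
    is the WLC's, mirroring the outbound frame the guide describes."""
    if eth.dst_mac != wlc_mac:
        raise ValueError("Ethernet frame is not addressed to this controller")
    return CapwapPacket(wlc_ip, ap_ip, Dot11Frame(wlc_mac, client_mac, eth.ip))


def outbound_answer() -> dict:
    """The guide's worked question: addresses of the client's outbound frame on the RF cell."""
    frame = client_sends(CLIENT_MAC, WLC_MAC, CLIENT_IP, SERVER_IP)
    return {"src_mac": frame.src_mac, "dst_mac": frame.dst_mac,
            "src_ip": frame.ip.src_ip, "dst_ip": frame.ip.dst_ip}


if __name__ == "__main__":
    frame = client_sends(CLIENT_MAC, WLC_MAC, CLIENT_IP, SERVER_IP)
    tunnel = ap_encapsulate(frame, AP_IP, WLC_IP)
    wired = wlc_outbound_rewrite(tunnel, WLC_IP, WLC_MAC, GATEWAY_MAC)
    print("RF cell :", frame)
    print("CAPWAP  :", tunnel.outer_src_ip, "->", tunnel.outer_dst_ip)
    print("Wired   :", wired)
```

The two address checks in the controller functions are the point a practitioner should notice: neither the AP nor the switch ever appears as a Layer 2 destination, so a tunnel packet or frame that is not addressed to the controller is dropped rather than rewritten.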

Wireless Security
There have been considerable improvements to wireless security with newer
authentication and encryption protocols. Wireless access points enable
access to network services on the private network. Cisco access points are
configurable for various security levels based on requirements. The purpose
of wireless security is authentication of user credentials. In addition, data
privacy and integrity are enabled across the wireless network with encryption.

SSID Association
Initial communication from wireless client to access point is with SSID.
Configuration of any access point starts with creating one or multiple
WLANs and assigning a unique SSID to each. There is the option to
broadcast SSID name from an access point or select to disable SSID
broadcasts. Clients must be configured with the SSID name to associate
with an access point. The association of client to an access point is not
considered part of any effective security solution. You are permitted access
to the wired network unless additional security is enabled.

Open Authentication
This type of authentication security is based on null authentication algorithm.
There is essentially no device authentication or user authentication. In fact,
wireless clients are granted network access if they know the access point
SSID only. Open authentication has an option for configuring static WEP
keys as well. The wireless client and access point are configured with the
same key string for device authentication. It provides only authentication of
client endpoint devices. WEP keys must match between access point and
wireless client for network access to be granted. The WEP key is used to
encrypt and decrypt client data.

WPA Security Protocols

There are significant differences between wired and wireless media that
affect network security. For example, wireless is an open, public, shared
medium. There is the problem of signal overrun as well, where a signal
extends beyond the building. Open, shared media is vulnerable to rogue
access points as well that advertise an SSID to endpoints. Any connection to a
rogue server would expose user credentials and data. It is important to have
the same unified, consistent security from network edge to internet routers.
Some of the well-known security attacks include man-in-the-middle and
dictionary attacks.

Wi-Fi Protected Access (WPA)

The current wireless standards provide authentication, privacy and message
integrity with enhanced security protocols. Cisco enables a variety of options
based on your design. Consider as well that each WLAN (SSID) is assigned
a specific security protocol and configuration. For example, you could have
different security protocol configurations and radio policies for each SSID.

- Authentication of user and endpoint device
- Encryption of security credentials and data
- Message authenticity and integrity
WPA is an older security protocol that improved on 64-bit/128-bit static WEP
keys. It was the first wireless security protocol to enable user authentication
via EAP methods. In addition, dynamic session keys were used instead of
static keys. TKIP dynamically generated a 128-bit encryption key per packet,
and a message integrity check (MIC) detected changes in packet content.

Wi-Fi Protected Access 2 (WPA2)

The WPA2 protocol standard is backward compatible with older versions. This
newer standard improves upon the original WPA with advanced encryption
and message integrity check. AES-CCMP (encryption mode) is a single
protocol that replaces TKIP for WPA2. There is support for 802.1x EAP
authentication of user and wireless endpoints.

WPA2 Pre-Shared Keys (WPA2-PSK)

Cisco wireless infrastructure is primarily for enterprise deployment;
however, small office/home office (SOHO) is supported as well. That includes
remote users, hotspots and small branches. There are less stringent security
requirements for SOHO deployments. As a result, pre-shared keys were
developed as part of the WPA standard.

WPA2-PSK is based on a static passphrase key that must be configured on
wireless clients and access points. There is a 128-bit dynamic session key
generated from the 256-bit shared key. That is used to encrypt session data
from wireless clients. Static passphrase rules permit 8-63 ASCII characters.
Only wireless device (endpoint) authentication is enabled with pre-shared
keys. The same AES encryption is supported since it is WPA2, however it is
only client machine authentication. All clients with the same passphrase will
generate the same session encryption keys, as opposed to WPA2 Enterprise
dynamic rotating keys.

Table 3 WPA Certification Standards

Feature                 WPA        WPA2        WPA2-PSK    WPA3
Device authentication   EAP        EAP         PSK         EAP
User authentication     EAP        EAP         -           EAP
Encryption mode         TKIP       AES-CCMP    AES-CCMP    GCMP-256
Encryption key          128-bit    128-bit     128-bit     256-bit
Key management          dynamic    dynamic     dynamic     dynamic
Message integrity       MIC        AES-CCMP    AES-CCMP    SHA-2

Wi-Fi Protected Access 3 (WPA3)

The most current wireless standard is WPA3 with improved encryption,
message integrity (SHA-2) and newer 192-bit session keys. That was
developed to counter increased internet hacker attacks. Data encryption is
now 256-bit and based on GCMP-256. The SAE protocol replaces pre-shared
keys for SOHO deployments. WPA3 is designed to make dictionary attacks
much more difficult along with other well-known hacker attacks. There is a
maximum login attempts feature that prevents

Cisco is currently in the process of WPA3 certification for wireless hardware.

Cisco Wireless Brands

WPA2 is the current security standard for all Cisco wireless infrastructure.
There is either SOHO (Personal) or Enterprise brand that is selected when
deploying wireless equipment. In addition, within Enterprise option, there is
local authentication or RADIUS server.

WPA2-PSK (Personal)
The minimum recommended wireless security today is pre-shared keys.
Cisco pre-shared key security is branded as WPA2-PSK. It is wireless
security that is based on a static passphrase configured on an access point
and clients. The static passphrase authenticates client devices through a
request/response challenge. The passphrase is used as well to generate
dynamic session keys by AES to encrypt user data. It should be at least 27
characters to defend against dictionary attacks. Cisco recommends that
WPA2-PSK is deployed only for small office/home office (SOHO).
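The WPA2-PSK properties stated in this section and in the earlier WPA2-PSK section (an 8 to 63 character ASCII passphrase, a 256-bit shared key derived from it, every client with the same passphrase ending up with the same key, and the 27-character recommendation against dictionary attacks), worked in Python as an added example that is not code from the guide or from Cisco. The derivation itself, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations and a 32-byte output, is the IEEE 802.11i definition of the pre-shared key and is not something the guide spells out; the sample passphrases are constructed. The per-session 128-bit key the guide mentions is negotiated afterwards in the 4-way handshake and is not modelled here.

```python
import hashlib

MIN_LEN, MAX_LEN = 8, 63          # passphrase length rule quoted in the guide
RECOMMENDED_MIN_LEN = 27          # the guide's recommendation against dictionary attacks
PBKDF2_ITERATIONS = 4096          # IEEE 802.11i PSK mapping (not from the guide)
PSK_LEN = 32                      # 256-bit pre-shared key


def validate_passphrase(passphrase: str) -> bool:
    """8 to 63 ASCII characters as the guide states; printable ASCII is enforced here."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        return False
    return all(0x20 <= ord(c) <= 0x7E for c in passphrase)


def meets_length_recommendation(passphrase: str) -> bool:
    """True when the passphrase reaches the length the guide recommends for SOHO use."""
    return len(passphrase) >= RECOMMENDED_MIN_LEN


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit PSK from passphrase and SSID. The SSID is the salt, so the same
    passphrase on two networks with different names yields different keys."""
    if not validate_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, dklen=PSK_LEN,
    )


def clients_share_psk(passphrase: str, ssid: str, client_count: int = 3) -> bool:
    """Every client configured with the passphrase derives the identical PSK; there is
    no per-user secret, which is why the guide limits WPA2-PSK to SOHO deployments."""
    keys = {derive_psk(passphrase, ssid) for _ in range(client_count)}
    return len(keys) == 1


def assess_passphrase(passphrase: str) -> dict:
    """Summary a deployment checklist would record for a candidate passphrase."""
    return {
        "valid": validate_passphrase(passphrase),
        "length": len(passphrase),
        "meets_recommendation": validate_passphrase(passphrase) and meets_length_recommendation(passphrase),
    }


if __name__ == "__main__":
    # Constructed sample values; "password"/"IEEE" is the published 802.11i test vector.
    print(derive_psk("password", "IEEE").hex())
    print(assess_passphrase("correct horse battery staple"))
    print(clients_share_psk("correct horse battery staple", "HomeOffice"))
```

The 4096-iteration PBKDF2 is what makes each guess of a dictionary attack cost something, but it is a fixed cost per guess; the only variable a SOHO deployment controls is passphrase length and randomness, which is the reasoning behind the 27-character figure above.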

Local Authentication
In the wireless enterprise domain, Cisco supports client authentication
based on controller local authentication or an external RADIUS server. There
are 802.1x EAP authentication protocols that manage user authentication.
The Local EAP option on wireless controllers authenticates wireless clients when a
RADIUS server is not deployed or available. If you have selected Local
Authentication when configuring the controller, then Local EAP is the
default. There is an EAP type selected as well for communication between
controller and wireless client. EAP authentication protocols include LEAP,
EAP-FAST, EAP-TLS and PEAP.

The wireless controller local database is configured with multiple username
and password account credentials. This security option is only available with
Cisco WPA-Enterprise brand. Security control is extended to permit or deny
specific individuals and/or groups. Client data is still encrypted with dynamic
(WPA2) session keys based on AES after user credentials are confirmed.
TKIP is no longer supported with Cisco wireless for WPA2 security.

Table 4 EAP Authentication Types

Feature                LEAP   PEAP          EAP-FAST   EAP-TLS
Mutual authenticate    yes    yes           yes        yes
Digital certificates   no     server-side   PAC        client/server
Tunneling              no     yes           yes        no
Security level         low    medium        high       high

- LEAP is older, easy to deploy, no certificates.
- PEAP only has server-side certificate.
- EAP-FAST is faster than PEAP and replaces LEAP.
- EAP-TLS certificate management is a disadvantage.

RADIUS Server Authentication

This is a preferred alternative to local authentication with the most stringent
security available. Clients authenticate to an external RADIUS server where
user accounts are configured. This security option is only available with
Cisco WPA-Enterprise. The RADIUS server is configured with EAP protocol
authentication and EAP type. There is also a shared secret key configured
on the wireless controller and RADIUS server for device authentication. Network
access requests from clients are forwarded from the controller to the RADIUS server.
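The device authentication the shared secret provides between controller and RADIUS server, shown in Python as an added example (not code from the guide, from Cisco, or from any RADIUS implementation). The construction is the one RFC 2865 defines: the controller places 16 random octets (the Request Authenticator) in its Access-Request, and the server's reply carries MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), which the controller recomputes with its own copy of the secret. A reply built with the wrong secret, a tampered reply, or a reply to a different request all fail the check. The secret, identifier and attribute values are constructed; the RADIUS attribute type 18 (Reply-Message) is from RFC 2865.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes (RFC 2865)
REPLY_MESSAGE = 18                                        # RADIUS attribute type (RFC 2865)
HEADER_LEN = 20                                           # code, id, length, 16-byte authenticator


def encode_attributes(attrs: list) -> bytes:
    """Encode (type, value) pairs as RADIUS TLVs: Type (1), Length (1, includes header), Value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one RADIUS attribute")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def new_request_authenticator() -> bytes:
    """Controller side: fresh random octets for each Access-Request; the reply is bound to them."""
    return os.urandom(16)


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   attrs: list, secret: bytes) -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), then the packet is
    header + response authenticator + attributes."""
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Controller side: recompute the Response Authenticator with the local secret and the
    Request Authenticator it sent, and compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def response_code(packet: bytes) -> int:
    """Packet code of a verified reply (Access-Accept or Access-Reject)."""
    return packet[0]


if __name__ == "__main__":
    # Constructed values: a shared secret the controller and server both hold, one request.
    secret = b"controller-radius-secret"
    req_auth = new_request_authenticator()
    reply = build_response(ACCESS_ACCEPT, 7, req_auth, [(REPLY_MESSAGE, b"welcome")], secret)
    print("verified with correct secret:", verify_response(reply, req_auth, secret))
    print("verified with wrong secret:  ", verify_response(reply, req_auth, b"wrong-secret"))
```

This check only authenticates the server's reply to the controller; the Access-Request itself is protected by the Message-Authenticator attribute, and because the construction rests on MD5 and a static secret, RADIUS between controller and server is normally carried over a protected transport as well.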

There is mutual authentication of client and RADIUS server based on digital
certificates or PAC (shared secret) credentials. The digital certificates are
associated with endpoints. Table 4 compares EAP protocol types and how
authentication is enabled. The following describes how a wireless client
authenticates to an external RADIUS server with EAP-TLS.

RADIUS Server Authentication

1. Client associates with access point SSID.
2. Client authenticates RADIUS server certificate.
3. RADIUS server authenticates client certificate.
4. RADIUS sends username and encrypted password request to client.
5. Client sends username and encrypted password to RADIUS server.
6. RADIUS server and wireless client derive dynamic session key.
7. RADIUS server sends dynamic session key to controller.
8. Controller encrypts broadcast key with session key sent to client.
9. Client and access point use session key to encrypt/decrypt packets.

Figure 5 RADIUS Authentication
