Wireless Characteristics
802.11b
This is the original wireless standard, supporting a maximum data rate of
11 Mbps in the 2.4 GHz unlicensed band. There are well-known sources of
interference from commercial devices in that frequency band, including
microwaves, cordless phones, Bluetooth and other wireless devices. Channel
allocation is quite limited, with only three non-overlapping channels: 1, 6
and 11. The only selectable channel width is 20 MHz. The available data
rates are 1, 2, 5.5 and 11 Mbps.
802.11g
This is an enhancement to the 802.11b wireless standard, supporting a
maximum data rate of 54 Mbps in the same 2.4 GHz frequency band. 802.11g
has higher throughput and increased cell coverage, but the same interference
problems exist within the 2.4 GHz band. The same non-overlapping channels 1,
6 and 11 are assignable, with a channel width of 20 MHz. The modulation
enables higher data rates of 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36 and 48 Mbps.
802.11a
This wireless standard is based on the 5 GHz frequency band, where there is
much less interference. The wider frequency spectrum enables up to 23
non-overlapping channels with the same native channel width of 20 MHz.
There is support for a maximum data rate of 54 Mbps. The increased number
of non-overlapping channels and the lower interference enable higher
average throughput. The disadvantage is that the higher frequency creates
smaller cells and less coverage, so additional access points must be
deployed for extended cell coverage.
802.11n
The 802.11n wireless standard was approved as a paradigm shift in wireless
infrastructure. There is support for dual-band operation in both the 2.4 GHz
and 5 GHz bands. New features such as MIMO antennas and channel bonding have
increased data rates from 300+ Mbps to 900 Mbps. The wired-side uplink from
access point to network switch runs at the faster Gigabit Ethernet speed.
Channel bonding creates a single 40 MHz channel from adjacent 20 MHz
channels for additional bandwidth.
www.cisconetsolutions.com
802.11ac
This wireless standard is an extension of 802.11n with higher data rates. It
has native support for the 5 GHz band, which is where the highest data rates
are available. Channel bonding widths of 80 MHz and 160 MHz are available,
along with more MIMO spatial streams. 802.11ac is backward compatible with
the 2.4 GHz band, but at lower data rates; operation within the 2.4 GHz band
is equivalent to an 802.11n access point. From a practical perspective,
802.11ac is the first access point standard to approach Gigabit Ethernet
cell performance.
RF Cell Characteristics
There are significant differences between wired and wireless network media.
RF wireless cells are shared media with only half-duplex data transmission.
Half-duplex mode decreases throughput by 50% compared with the full-duplex
mode of a wired switch port. Collisions are eliminated on Gigabit switch
interfaces, where a separate collision domain is created per port.
Wireless CSMA/CA
This is the wireless media contention protocol that controls when a wireless
client can send and receive data. It is designed to avoid collisions on the
half-duplex connection to the access point. When the cell is busy, a random
wait time is assigned before transmission.
Wireless LANs (WLANs) employ an older, less effective protocol, carrier sense
multiple access with collision avoidance (CSMA/CA). It is required to manage
wireless client access to an RF cell. Figure 1 shows CSMA/CA operation when
multiple clients want to transmit packets. The effect of RF shared media is
higher network latency and lower throughput.
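The following slotted simulation is an added illustration of the contention described above; it is not code from the original page or from Cisco. It models the random backoff drawn before each transmission, counters that only count down while the medium is idle, and the exponential growth of the contention window after a collision. The slot-based timing, the window sizes and the frame airtime are simplified assumptions chosen for the model, not 802.11 parameters taken from the text.

```python
import random


def simulate_csma_ca(n_stations, frames_per_station, frame_slots=10,
                     cw_min=16, cw_max=1024, seed=1):
    """Slotted model of CSMA/CA contention on one shared half-duplex RF cell.

    Every station with a pending frame draws a random backoff from its
    contention window, counts it down only while the medium is idle, and
    transmits when the counter reaches zero. Two stations reaching zero in
    the same slot collide (no ACK), so both double their window and redraw.
    Time is measured in slots; frame_slots is the airtime of one frame.
    All parameters are assumptions made for this model.
    """
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    stations = [{"left": frames_per_station, "backoff": None,
                 "cw": cw_min, "ready_at": 0} for _ in range(n_stations)]
    t = 0
    delivered = collisions = 0
    latencies = []  # slots from a frame becoming ready until it is delivered

    while any(s["left"] > 0 for s in stations):
        ready = [s for s in stations if s["left"] > 0]
        for s in ready:
            if s["backoff"] is None:          # new frame, or redraw after a collision
                s["backoff"] = rng.randrange(s["cw"])
        winners = [s for s in ready if s["backoff"] == 0]
        if not winners:
            for s in ready:                   # medium idle: every counter counts down
                s["backoff"] -= 1
            t += 1
            continue
        # The medium is busy for one frame airtime; all other counters freeze.
        t += frame_slots
        if len(winners) == 1:
            s = winners[0]
            delivered += 1
            latencies.append(t - s["ready_at"])
            s["left"] -= 1
            s["cw"] = cw_min                  # a successful frame resets the window
            s["ready_at"] = t                 # the station's next frame is ready now
        else:
            collisions += 1
            for s in winners:                 # exponential backoff after a collision
                s["cw"] = min(s["cw"] * 2, cw_max)
        for s in winners:
            s["backoff"] = None
    return {
        "delivered": delivered,
        "collisions": collisions,
        "total_slots": t,
        "mean_latency_slots": sum(latencies) / len(latencies) if latencies else 0.0,
        "airtime_utilization": delivered * frame_slots / t if t else 0.0,
    }


if __name__ == "__main__":
    for n in (1, 4, 16):
        print(n, "stations:", simulate_csma_ca(n, frames_per_station=5))
```

Running it with 1, 4 and 16 stations shows the point the text makes: the frames all get through without overlapping transmissions, but mean latency per frame grows with the number of contending clients while the useful share of airtime falls.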
Channel Assignment
Cisco wireless infrastructure supports both automatic and manual channel
assignment. Select Dynamic Channel Assignment (DCA) on wireless
controllers for best results. Configuration of a radio policy assigns a
frequency band to an RF cell.
Any time you first assign an SSID, a Basic SSID (BSSID) is assigned to that
SSID. It is the base MAC address of an access point. The purpose of the
BSSID is to associate wireless clients with a physical access point. There
are often multiple access points and SSIDs within a wireless domain. Each
additional SSID is also associated with a unique BSSID, calculated by
incrementing the base MAC address by one. Cisco supports 32 SSIDs and 32
BSSIDs per radio.
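As an added worked example (not code from the page or from Cisco), the helpers below derive the BSSID list for a radio exactly as the text describes, by adding one to the base MAC per additional SSID with the carry propagating across octets, and answer the reverse question a wireless survey raises: does an observed BSSID fall inside the 32-address block of a known access point radio? The sample MAC addresses are constructed.

```python
MAX_BSSIDS_PER_RADIO = 32   # from the text: 32 SSIDs and 32 BSSIDs per radio


def mac_to_int(mac: str) -> int:
    """Parse a MAC in colon, dash or dotted notation into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Format a 48-bit integer as lower-case colon-separated octets."""
    value &= (1 << 48) - 1                      # keep the address within 48 bits
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def derive_bssids(base_mac: str, ssid_count: int) -> list:
    """Return one BSSID per SSID index: base MAC for the first SSID, then the
    base incremented by one per additional SSID (carries cross octet boundaries)."""
    if not 1 <= ssid_count <= MAX_BSSIDS_PER_RADIO:
        raise ValueError(f"a radio supports 1..{MAX_BSSIDS_PER_RADIO} SSIDs")
    base = mac_to_int(base_mac)
    return [int_to_mac(base + i) for i in range(ssid_count)]


def bssid_index(base_mac: str, observed_bssid: str):
    """Map an observed BSSID back to an SSID index on this radio, or None when it
    lies outside the radio's 32-address range (a different AP, or not ours)."""
    offset = mac_to_int(observed_bssid) - mac_to_int(base_mac)
    return offset if 0 <= offset < MAX_BSSIDS_PER_RADIO else None


if __name__ == "__main__":
    base = "00:1a:2b:3c:4d:fe"                  # constructed base MAC
    for i, bssid in enumerate(derive_bssids(base, 4)):
        print(f"SSID #{i}: {bssid}")
    print(bssid_index(base, "00:1a:2b:3c:4e:00"))   # 2
    print(bssid_index(base, "00:1a:2b:3c:4d:f0"))   # None
```

Keeping a table of base MACs for your own access points and running observed BSSIDs through bssid_index is a simple first filter when reviewing a site survey for access points that are not yours.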
Access Point
The wireless access point only forwards frames to a controller. The exception
is autonomous access points, which communicate directly with a switch. They
are similar in operation to an older bridge.
Wireless AP Modes
Cisco wireless architecture supports a variety of AP modes. That refers to
operational modes and how access points communicate within any wireless
domain. The primary modes include traditional autonomous mode, LAP modes,
AP controller mode and cloud mode.
Autonomous Mode
This is an older operational mode that is still used in public hotspots and
home offices. It is deployed at any location where a controller architecture
is not required or not cost-effective. Each access point is configured
locally, like any other network device. There is no centralized management
of configuration or wireless RF settings. Autonomous mode access points can
be upgraded to support controller mode with IOS software.
Network Interfaces
Cisco access points connect to a switch as shown in Figure 3. The switch port
is configured as a trunk when autonomous access points have multiple VLANs.
LAP mode is based on a Layer 3 CAPWAP tunnel to the controller, so the switch
port mode is irrelevant since it is a Layer 3 interface. Configure bridge
groups on the access point for each VLAN and assign them to the radio
interfaces.
Local Mode
This is the Cisco default mode for communication with wireless controllers.
The controller is responsible for centralized switching of all access point
traffic. When the connection to the controller is dropped, the access point
stops forwarding traffic, and the discovery process starts again so the
access point can identify another controller.
Flex-Connect Mode
Traffic is switched locally at the access point instead of centrally at the
wireless controller. There is still communication with the controller, but
for management purposes only. In this mode, access points continue working
when there is no communication with the centralized controller.
Monitor Mode
This troubleshooting mode is used only for detecting rogue access points on
the wireless network. Client traffic is not forwarded by any access point in
monitor mode. It is common to allocate access points for rogue detection
across a large wireless network for security purposes. A reboot of the
access point is required when monitor mode is enabled.
Bridge Mode
This is a transport-only mode that forwards frames between access points over
a point-to-point mesh connection. The most common application for bridge
mode is outdoor deployments.
Cloud Mode
Cisco acquired Meraki for cloud-based management of wireless access points.
There are no controllers deployed with this architecture; the wireless domain
is managed from software in the cloud. Advantages are ease of deployment and
management, and the redundancy of the cloud architecture. User authentication
is sourced from a local RADIUS server. All access points connect via switch
trunk interfaces, carrying multiple VLANs, to a cloud uplink.
The wireless controller strips off and rewrites the frame header between the
access point and the wired network. The source and destination MAC addresses
are rewritten and the frame is forwarded to the IP default gateway (L3 switch
or router).
Outer IP Header
For packets sent from the access point to the WLC, the source IP address is
the access point and the destination IP address is the WLC.
For packets sent from the WLC to the access point, the source IP address is
the WLC and the destination IP address is the access point.
Inner IP Header
For packets sent from the wireless client to the server, the source IP
address is the wireless client and the destination IP address is the server.
For packets sent from the server to the wireless client, the source IP
address is the server and the destination IP address is the wireless client.
The source MAC address of the outbound frame is the wireless client, and the
destination MAC address is the wireless LAN controller (WLC). The source MAC
address is the one assigned to the wireless network interface of the host;
the destination MAC address is the device MAC address of the WLC.
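To make the outer/inner header layering concrete, here is an added example (not code from the page or from Cisco) that builds a CAPWAP data packet from constructed addresses and then parses it back layer by layer: outer IPv4, UDP on the CAPWAP data port 5247 (RFC 5415), the 8-byte CAPWAP header, the inner 802.3 frame and the inner IPv4 header. The addresses, MACs and payload are made up; the parser handles only the plaintext CAPWAP header with a native 802.3 payload (T bit clear), which is the case the text describes, and reports anything else as unsupported.

```python
import socket
import struct

CAPWAP_DATA_PORT = 5247      # UDP port of the CAPWAP data channel (RFC 5415)
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800

# Constructed sample topology (all addresses are made up for this example).
AP_IP, WLC_IP = "10.1.1.10", "10.1.1.1"
CLIENT_IP, SERVER_IP = "192.168.10.50", "172.16.0.20"
CLIENT_MAC, WLC_MAC = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"


def _ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:] + payload


def build_ethernet(dst_mac: str, src_mac: str, payload: bytes) -> bytes:
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("!6s6sH", mac(dst_mac), mac(src_mac), ETHERTYPE_IPV4) + payload


def build_capwap_data(sport: int, dport: int, inner_frame: bytes) -> bytes:
    """UDP header + minimal CAPWAP header: HLEN=2 (8 bytes), RID=0, WBID=1
    (IEEE 802.11 binding), T=0 so the payload is a native 802.3 frame."""
    flags = (2 << 19) | (1 << 9)              # HLEN | RID | WBID | T F L W M K | Flags
    capwap = bytes([0]) + flags.to_bytes(3, "big") + struct.pack("!HH", 0, 0)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(capwap) + len(inner_frame), 0)
    return udp + capwap + inner_frame


def parse_capwap_data(pkt: bytes) -> dict:
    """Walk outer IPv4 -> UDP -> CAPWAP -> inner 802.3 -> inner IPv4."""
    if pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not IPv4/UDP")
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    if CAPWAP_DATA_PORT not in (sport, dport):
        raise ValueError("not CAPWAP data (UDP 5247)")
    cap = ihl + 8
    if pkt[cap] != 0:                          # preamble: version 0, type 0 = plaintext header
        raise ValueError("unsupported CAPWAP preamble (DTLS-encrypted data channel?)")
    flags = int.from_bytes(pkt[cap + 1:cap + 4], "big")
    hlen, wbid, t_bit = (flags >> 19) & 0x1F, (flags >> 9) & 0x1F, (flags >> 8) & 1
    if t_bit:
        raise ValueError("native 802.11 payload (T=1) not handled in this example")
    eth = cap + hlen * 4
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", pkt, eth)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not IPv4")
    ip = eth + 14
    fmt = lambda m: ":".join(f"{b:02x}" for b in m)
    return {
        "outer_src": socket.inet_ntoa(pkt[12:16]),
        "outer_dst": socket.inet_ntoa(pkt[16:20]),
        "wbid": wbid,
        "inner_src_mac": fmt(src_mac),
        "inner_dst_mac": fmt(dst_mac),
        "inner_src": socket.inet_ntoa(pkt[ip + 12:ip + 16]),
        "inner_dst": socket.inet_ntoa(pkt[ip + 16:ip + 20]),
    }


def direction(parsed: dict, wlc_ip: str) -> str:
    """Label the tunnel direction from the outer header, given the WLC address."""
    if parsed["outer_dst"] == wlc_ip:
        return "AP->WLC"
    return "WLC->AP" if parsed["outer_src"] == wlc_ip else "unknown"


def sample_packet(upstream: bool) -> bytes:
    """Constructed packet: client->server carried AP->WLC, or the reverse."""
    if upstream:
        inner = build_ethernet(WLC_MAC, CLIENT_MAC, build_ipv4(CLIENT_IP, SERVER_IP, 6, b"payload"))
        return build_ipv4(AP_IP, WLC_IP, IPPROTO_UDP, build_capwap_data(5247, 5247, inner))
    inner = build_ethernet(CLIENT_MAC, WLC_MAC, build_ipv4(SERVER_IP, CLIENT_IP, 6, b"payload"))
    return build_ipv4(WLC_IP, AP_IP, IPPROTO_UDP, build_capwap_data(5247, 5247, inner))


if __name__ == "__main__":
    for up in (True, False):
        p = parse_capwap_data(sample_packet(up))
        print(direction(p, WLC_IP), p)
```

The same walk applies to a real capture taken on the switch port facing the access point, with one caveat that the check on the preamble byte enforces: when the data channel is DTLS-encrypted, the inner frame is not visible and only the outer addresses can be read.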
Wireless Security
There have been considerable improvements to wireless security with newer
authentication and encryption protocols. Wireless access points enable
access to network services on the private network. Cisco access points are
configurable for various security levels based on requirements. The purpose
of wireless security is authentication of user credentials; in addition,
data privacy and integrity are enabled across the wireless network with
encryption.
SSID Association
Initial communication from a wireless client to an access point is with the
SSID. Configuration of any access point starts with creating one or multiple
WLANs and assigning a unique SSID to each. There is the option to broadcast
the SSID name from an access point or to disable SSID broadcasts. Clients
must be configured with the SSID name to associate with an access point. The
association of a client to an access point is not considered part of any
effective security solution: you are permitted access to the wired network
unless additional security is enabled.
Open Authentication
This type of authentication is based on a null authentication algorithm.
There is essentially no device authentication or user authentication; in
fact, wireless clients are granted network access if they know only the
access point SSID. Open authentication has an option for configuring static
WEP keys as well. The wireless client and access point are configured with
the same key string for device authentication; it provides only
authentication of client endpoint devices. WEP keys must match between the
access point and the wireless client for network access to be granted. The
WEP key is also used to encrypt and decrypt client data.
WPA2-PSK (Personal)
The minimum recommended wireless security today is pre-shared keys. Cisco
pre-shared key security is branded as WPA2-PSK. It is wireless security
based on a static passphrase configured on the access point and clients. The
static passphrase authenticates client devices through a request/response
challenge. The passphrase is also used to generate the dynamic session keys
for AES encryption of user data. It should be at least 27 characters long to
defend against dictionary attacks. Cisco recommends that WPA2-PSK is
deployed only for small office/home office (SOHO).
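As an added example (not from the page or from Cisco), the code below shows how the static passphrase turns into the 256-bit pre-shared key that seeds the session keys: IEEE 802.11i derives it with PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as salt, 4096 iterations and a 32-byte output. Because that work factor is fixed by the standard, the only defence against an offline dictionary attack is passphrase entropy, which is why the text asks for at least 27 characters. The policy checker enforces that length plus the 8 to 63 printable-ASCII limit from the standard; the character-class rule and the generator's alphabet are my own assumptions, not a Cisco requirement. The "password"/"IEEE" pair is the published 802.11i test vector.

```python
import hashlib
import secrets

MIN_RECOMMENDED_LENGTH = 27   # length the text recommends against dictionary attacks


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK (the PMK for WPA2-Personal) as IEEE 802.11i
    specifies: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA2 passphrases are 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def passphrase_findings(passphrase: str) -> list:
    """Policy findings for a WPA2-PSK passphrase; an empty list means acceptable.
    The three-character-class rule is an assumption made for this example."""
    findings = []
    if len(passphrase) < MIN_RECOMMENDED_LENGTH:
        findings.append(f"shorter than {MIN_RECOMMENDED_LENGTH} characters")
    classes = (any(c.islower() for c in passphrase),
               any(c.isupper() for c in passphrase),
               any(c.isdigit() for c in passphrase),
               any(not c.isalnum() for c in passphrase))
    if sum(classes) < 3:
        findings.append("uses fewer than three character classes")
    return findings


def generate_passphrase(length: int = MIN_RECOMMENDED_LENGTH) -> str:
    """Random passphrase from an alphabet without look-alike characters (0/O, 1/l/I),
    redrawn until it satisfies passphrase_findings. Uses the secrets module."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789-.:_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not passphrase_findings(candidate):
            return candidate


if __name__ == "__main__":
    print(wpa2_psk("password", "IEEE").hex())      # 802.11i Annex test vector
    print(passphrase_findings("password"))
    strong = generate_passphrase()
    print(strong, passphrase_findings(strong))
```

Two properties are worth noticing when running it: the same passphrase on two different SSIDs yields two different keys, so a rainbow table has to be built per SSID, and a rotated passphrase silently changes the PMK for every client on that WLAN, which is the operational cost that keeps WPA2-PSK confined to SOHO in the text's recommendation.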
Local Authentication
In the wireless enterprise domain, Cisco supports client authentication
based on controller local authentication or an external RADIUS server.
802.1X EAP authentication protocols manage user authentication. The Local
EAP option on wireless controllers authenticates wireless clients when a
RADIUS server is not deployed or available. If you have selected Local
Authentication when configuring the controller, then Local EAP is the
default. An EAP type is selected as well for communication between the
controller and the wireless client. EAP authentication protocols include
LEAP, EAP-FAST, EAP-TLS and PEAP.