Register for Free Membership to
Over the last few years, Syngress has published many best-selling and
critically acclaimed books, including Tom Shinder’s Configuring ISA
Server 2000, Brian Caswell and Jay Beale’s Snort 2.0 Intrusion
Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal
Packet Sniffing. One of the reasons for the success of these books has
been our unique program. Through this
site, we’ve been able to provide readers a real time extension to the
printed book.
As a registered owner of this book, you will qualify for free access to
our members-only program. Once you have
registered, you will enjoy several benefits, including:
■ Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20-30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book.
■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search web page, providing you with the concise, easy-to-access data you need to perform your job.
■ A “From the Author” Forum that allows the authors of this book to post timely updates, links to related sites, or additional topic coverage that may have been requested by readers.
Just visit us at www.syngress.com/solutions and follow the simple
registration process. You will need to have this book with you when
you register.
Thank you for giving us the opportunity to serve your needs. And be
sure to let us know if there is anything else we can do to make your
job easier.
Managing and Securing a Cisco® Structured Wireless-Aware Network
David Wall CCSI, Technical Editor
Jan Kanclirz Jr. CCIE #12136
Youhao Jing CCIE #5253
Jeremy Faircloth
Joel Barrett
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be
obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is
sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to
state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out of the Work or its contents. Because some states do not
allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation
may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The
Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is
to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned
in this book are trademarks or service marks of their respective companies.
Noted figures in chapter 6 have been reproduced by Syngress Publishing, Inc. with the permission of
Cisco Systems Inc. COPYRIGHT © 2004 CISCO SYSTEMS, INC. ALL RIGHTS RESERVED.
KEY  SERIAL NUMBER
001  HJIRTCV764
002  PO9873D5FG
003  829KM8NJH2
004  TLP678MA21
005  CVPLQ6WQ23
006  VBP965T5T5
007  HJJJ863WD3E
008  2987GVTWMK
009  629MP5SDJT
010  IMWQ295T6T
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Managing and Securing a Cisco® Structured Wireless-Aware Network
Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the
prior written permission of the publisher, with the exception that the program listings may be entered,
stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN 1-932266-91-7
Acquisitions Editor: Christine Kloiber
Technical Editor: David Wall
Page Layout and Art: Patricia Lupien
Cover Designer: Michael Kavish
Copy Editor: Judy Eby
Indexer: J. Edmund Rush
Distributed by O’Reilly & Associates in the United States and Jaguar Book Group in Canada.
Acknowledgments
We would like to acknowledge the following people for their kindness and support in
making this book possible.
Syngress books are now distributed in the United States by O’Reilly & Associates, Inc.
The enthusiasm and work ethic at ORA is incredible and we would like to thank
everyone there for their time and efforts to bring Syngress books to market: Tim
O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie
Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve
Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle
Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina
Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier,
Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Cindy Wetterlund,
Kathryn Barrett, and to all the others who work with us. A thumbs up to Rob
Bullington for all his help of late.
The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, Ian
Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother,
Miguel Sanchez, Klaus Beran, Emma Wyatt, Rosie Moss, Chris Hossack, and Krista
Leppiko, for making certain that our vision remains worldwide in scope.
David Buckland, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan,
Pang Ai Hua, and Joseph Chan of STP Distributors for the enthusiasm with which
they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Iolanda Miller,
Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and
enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar
Book Group for their help with distribution of Syngress books in Canada.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis,
Bec Lowe, Andrew Swaffer, Stephen O’Donoghue and Mark Langley of Woodslane for
distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji,
Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of Syngress
books in the Philippines.
Contributors
Jan Kanclirz Jr. (CCIE #12136-Security, CCSP, CCNP, CCIP, CCNA, CCDA, INFOSEC Professional) is a Senior Network Information Security Engineer working for IBM Global Services. Currently, he is responsible for the strategic and technical evolution of large, multi-customer, multi-data-center networks and their security environment. Jan specializes in multi-vendor, hands-on implementations and architectures of network technologies such as routers, switches, firewalls, intrusion sensors, content networking, and wireless networks. Beyond network design and engineering, Jan’s background includes extensive experience with Linux and BSD administration and security implementations.
In addition to Jan’s full-time position at IBM G.S., he is involved in many different projects such as MakeSecure.com, where he dedicates his time to security awareness. Jan also runs a small Internet Service Provider (ISP), where he provides several services such as network consulting and Linux server hosting solutions.
Jan would like to acknowledge the understanding and support of his family and friends during the writing of the book: “Thank You”.
Youhao Jing (CCIE #5253) is currently Director of Product Management and Consulting at Alcatel IP Division, responsible for defining the company’s carrier-class IP product strategy with a focus on the Asia Pacific market. He has held various senior-level consulting positions at AT&T, Procket, Juniper Networks, and ICG Netcom, where he was responsible for new service and solution development, network and product architecture, and design consulting for large-scale converged multi-service IP/MPLS networks.
Youhao Jing received his M.S. degree from UC Berkeley and pursued further study on high-performance networking systems at Stanford University. He lives with his wife Jane and two sons, Albert and Geoffrey, in Sunnyvale, CA.
Jeremy Faircloth (Security+, CCNA, MCSE, MCP+I, A+, etc.) is a
Staff Systems Administrator for EchoStar Satellite L.L.C., where he
architects and maintains enterprise-wide client/server and Web-based
technologies. He also acts as a technical resource for other IT professionals, using his expertise to help others expand their knowledge. As
a systems engineer with over 12 years of real world IT experience, he
has become an expert in many areas including Web development,
database administration, enterprise security, network design, and project management. Jeremy has contributed to several Syngress books
including C# for Java Programmers (ISBN: 1-931836-54-X), Snort 2.0
Intrusion Detection (ISBN: 1-931836-74-4), and Security+ Study Guide
& DVD Training System (ISBN: 1-931836-72-8).
Jeremy currently resides in Colorado Springs, CO and wishes to
thank his wife and son, Christina and Austin, for their support in his
various technical endeavors.
Joel Barrett (CCNP, CCDP, CWNA, MCSE, and Novell’s Master CNE) is a wireless specialist with Cisco Systems, Inc. He supports Cisco’s wireless partners and developers throughout the southeast United States, assisting partner executives to develop technical go-to-market strategies. Joel also educates partner engineering teams with a full understanding of wireless LAN technologies and solutions.
With over fifteen years of IT experience, Joel has earned Cisco’s and Planet3’s certifications. Joel serves as the team leader for the Channels Technology Advisory Team for Mobility, an advisor for the Enterprise Mobility Virtual Team, and a member of Cisco’s Enterprise Mobility Technology Leadership Program. He is a board member for the Wireless Technology Forum in Atlanta, and a speaker for the Georgia Wireless Users Group. He is also the facilitator for the Atlanta Cisco Study Group, helping over 200 network engineers attain Cisco certifications.
Joel was co-author and principal technical editor for several wireless LAN and IT books, including Certified Wireless Security Professional (CWSP) Official Study Guide, Wireless Networks First-Step, and the Cisco Advanced Wireless training course. Joel and his wife, Barbara Kurth, live near Atlanta, Georgia with Barbara’s son and daughter, Shane and Paige, and Joel’s daughter, Ashley.
Donald Lloyd (CISSP), author of Syngress Publishing’s Designing a
Wireless Network (1-928994-45-8) is a senior consultant for
International Network Services, Inc. (INS) and a regional leader for
their Fixed Wireless Practice. His specialties include network security architecture and wireless network design. In addition to
“unwiring” corporate offices, Donald spends considerable time
designing and deploying secure wireless networks in remote oil and
gas fields, airports, municipalities, and warehouses.
This is the third book that Donald has co-authored with
Syngress, and Donald wishes to thank INS for their patience while
finishing this book. He also sends a BIG hug to the pride and joy of
his life, his son.
Lev Shklover (CCNP, CCDP, Cisco WLAN Design and Support Specialist, Certified Solaris Administrator, Nortel Networks Router and Network Management Specialist) is a Senior Consultant with International Network Services, Inc. (INS), a leading global computer networking and security consultancy. He has over 13 years of experience in designing and implementing large computer networks for major U.S. and international corporations.
Lev’s other specialization is lab testing of network designs, network devices and network protocols to maintain network reliability.
He started working with Cisco WLAN hardware in early 2000,
right after Cisco’s acquisition of Aironet Communications. As a
member of INS’s Wireless Networking Practice, Lev has designed
and deployed numerous Cisco 802.11a/b/g solutions for various
clients, including a WLAN for a 44-story building.
Lev graduated from the Technical University of Radio
Electronics and Automation in Moscow, Russia with a MS Degree
in Optical Engineering. He currently resides in NJ with his wife
and two children.
Technical Editor
David Wall (CCSI #22530), author of Multi-Tier Application
Programming with PHP: A Practical Guide for Architects and Programmers,
contributes regularly to technical and general-interest publications
and reviews books for online bookseller Amazon.com. David also
works as a consultant, specializing in voice over IP applications and
network design. A Cisco Certified Systems Instructor, David teaches
engineers and salespeople about technologies from Cisco Systems.
David’s other professional interests include hosting applications
for small businesses, and the integration of disparate systems using
open-source technologies.
A pilot, David enjoys flying around eastern Australia. David
maintains a Web presence at .
Contents
Foreword ... xxiii
Chapter 1 Wired versus Wireless and Wireless-aware LANs ... 1
Introduction ... 2
What is a WLAN? ... 2
How does a Wireless LAN Work? ... 3
WLAN Benefits ... 9
WLAN Design Considerations ... 12
Attenuation ... 12
Attenuation Due to Antenna Cabling ... 13
Attenuation Due to Exterior Considerations ... 13
Accounting for the Fresnel Zone and Earth Bulge ... 18
Radio Frequency Interference ... 19
Interference from Radio Transmitters ... 20
Harmonics ... 21
Application Considerations ... 22
Structural Considerations ... 22
Security Considerations ... 25
Network Management Considerations ... 26
WLAN Modes of Operation ... 27
What is a Wireless-aware LAN? ... 30
Wireless-aware LAN Benefits ... 31
Integrated Wired and WLAN Services using the Cisco Infrastructure and Cisco IOS Software ... 32
CiscoWorks WLAN Solution Engine ... 32
Wireless Domain Services for IEEE 802.1X Local Authentication Service and Fast Secure Roaming Support ... 33
Rogue AP Detection and Location ... 34
Interference Detection to Isolate and Locate Network Interference ... 35
Simplified WLAN Deployment Processes with Assisted Site Surveys ... 35
Streamlined WLAN Management and Operations Support ... 36
Seamless Delivery of Enhanced Network Security Solutions ... 38
Wireless-aware Design Considerations ... 39
Summary ... 40
Solutions Fast Track ... 41
Frequently Asked Questions ... 44
Chapter 2 Designing Wireless-Aware LANs ... 47
Introduction ... 48
Radio Frequency (RF) Basics ... 48
Transmitting Radio Signals over EM Waves ... 48
Anatomy of a Waveform ... 49
Propagating a Strong Radio Signal ... 57
Understanding Signal Power and S/N Ratio ... 57
Attenuation ... 58
Bouncing ... 61
Refracting ... 63
Line of Sight ... 64
Penetration ... 64
Understanding the Wireless Elements ... 66
Generic Radio Components ... 66
Laws, Regulations, and Environmental Considerations ... 70
Regulatory Agencies ... 70
The Need to Know ... 71
Regulations for Low Power, Unlicensed Transmitters ... 71
Environmental Considerations ... 72
IEEE 802.11 Standards ... 73
Does the 802.11 Standard Guarantee Compatibility across Different Vendors? ... 77
DSSS ... 78
IEEE 802.11b Direct Sequence Channels ... 78
IEEE 802.11a OFDM Physical Layer ... 80
IEEE 802.11a Channels ... 80
Planning for RF Deployment ... 81
WLAN Coverage ... 81
WLAN Data Rates ... 85
Client Density and Throughput ... 85
Antenna Options ... 87
Omnidirectional Antennas ... 87
Directional Antennas ... 88
Interference Detection ... 93
Conducting Site Surveys ... 93
Preparation ... 94
Other Preparations ... 97
Infrastructure Awareness ... 100
Preparing a Site Survey Kit ... 105
Performing an Interior Wireless Site Survey ... 115
Performing an Exterior Wireless Site Survey ... 124
Summary ... 129
Solutions Fast Track ... 129
Frequently Asked Questions ... 131
Chapter 3 WLAN Roaming ... 133
Introduction ... 134
Cisco L2 Roaming Solutions ... 135
Beacon Frames ... 137
Probe Frames ... 143
Roaming Decisions and Criteria ... 149
Roaming Target Selection Process ... 151
Roaming Behavior of Cisco 7920 WVoIP Phones ... 153
Cisco Solutions to Speed the L2 Roaming Process ... 160
Improved Client Channel Scanning ... 160
Fast Reauthentication Using CCKM ... 162
Cisco L3 Roaming Solutions ... 165
Mobile IP ... 166
Proxy Mobile IP ... 170
WLAN Design Considerations ... 171
Summary ... 174
Solutions Fast Track ... 174
Frequently Asked Questions ... 176
Chapter 4 IP Multicast in a Wireless LAN ... 179
Introduction ... 180
The OSI Model Overview ... 180
Data Communication Methods ... 182
The Unicast Method ... 182
Multicast WLAN Deployment Recommendations ... 186
Configuring Multicast and Broadcast Minimum Data Rate Settings in IOS ... 188
IP Multicast WLAN Configuration ... 190
Controlling IP Multicast in a WLAN with APs ... 191
Protocol Filters ... 192
Controlling IP Multicast in a Peer-to-peer WLAN using Bridges ... 193
Point-to-point Bridging ... 193
Point-to-multipoint Bridging ... 194
Configuring Reliable Multicast for Workgroup Bridges ... 195
Summary ... 197
Solutions Fast Track ... 197
Frequently Asked Questions ... 199
Chapter 5 WLAN Guest Network Access ... 201
Introduction ... 202
Guest WLANs ... 202
Designing a Guest VLAN ... 202
Design ... 203
Topology ... 203
Deployment ... 204
Guest WLAN Recommendations ... 204
Configuring Guest WLANs ... 205
Access Point and Switch Configuration ... 207
WLAN Guest VLAN Filtering ... 208
Summary ... 209
Solutions Fast Track ... 209
Frequently Asked Questions ... 210
Chapter 6 Implementing Cisco Wireless LANs ... 211
Introduction ... 212
The Cisco Wireless and Wireless-aware Vision ... 212
The Cisco Structured Wireless-aware Network Product Line ... 213
APs ... 214
Aironet Bridges ... 214
Client Adapters ... 215
Cisco IOS ... 215
Wireless LAN Solution Engine ... 215
Wireless Security Suite ... 216
Access Control Server ... 216
Cisco Wireless LAN Switches and Routers ... 216
Cisco Wireless Antennas and Accessories ... 217
Ceiling Mount Omnidirectional Antenna 2.4 GHz (AIR-ANT1728) ... 219
Mast Mount Omnidirectional Antenna 2.4 GHz (AIR-ANT2506) ... 219
High-Gain Mast Mount Omnidirectional Antenna 2.4 GHz (AIR-ANT24120) ... 219
Pillar Mount Diversity Omnidirectional Antenna 2.4 GHz (AIR-ANT3213) ... 220
POS Diversity Dipole Omnidirectional Antenna 2.4 GHz (AIR-ANT3351) ... 220
Diversity Ceiling Mount Omnidirectional Patch Antenna 2.4 GHz (AIR-ANT5959) ... 221
Directional Wall Mount Patch Antenna 2.4 GHz (AIR-ANT3549, AIR-ANT1729) ... 221
Diversity Directional Wall Mount Patch Antenna 2.4 GHz (AIR-ANT2012) ... 222
Yagi Antenna 2.4 GHz (AIR-ANT1949) ... 222
Dish Antenna 2.4 GHz (AIR-ANT3338) ... 222
Cisco’s 2.4 GHz Antennas Summary ... 223
5 GHz Antennas ... 224
Cisco Wireless IP Phone ... 225
Cisco IOS and WLANs ... 226
Upgrading from VxWorks to IOS ... 227
Using the Aironet Conversion Tool for Cisco IOS Software v2.0 ... 227
Using Browser and VxWorks ... 228
Using CiscoWorks WLSE for IOS Conversion ... 229
Cisco Aironet Access Points (APs) ... 229
Aironet 1200 AP ... 229
First-Time Basic Configuration ... 233
Aironet 1100 AP ... 235
Aironet 350 AP ... 237
Cisco Aironet WLAN Client Adapters ... 240
Cisco Aironet 350 Series Client Adapters ... 240
Cisco Aironet 5GHz Client Adapter ... 242
Cisco Aironet 802.11a/b/g Client Adapters ... 242
CiscoWorks WLSE 2.x ... 243
Fault Monitoring ... 245
Device Management ... 247
Device Configuration and Firmware Upgrades ... 247
Configuration Tab ... 247
Firmware Tab ... 249
Reports ... 249
Radio Manager ... 251
Cisco Wireless Security Suite ... 252
Mitigating Vulnerabilities with the Cisco Security Suite ... 253
Cisco Secure Access Control Server (ACS) 3.2 ... 254
Enhanced Client Network Management Features with Extended Client Support ... 257
Workgroup Bridges ... 259
Aironet 350 Workgroup Bridge ... 259
Aironet 340 Workgroup Bridge ... 262
Wireless Bridges ... 263
Cisco Aironet 1400 Wireless Bridge ... 263
Cisco Aironet 350 Wireless Bridge ... 266
Summary ... 270
Solutions Fast Track ... 271
Frequently Asked Questions ... 275
Chapter 7 WLAN Security Considerations ... 277
Introduction ... 278
Network Security in General ... 279
Why We Need Security ... 280
Security Threats ... 281
Understanding Reconnaissance Attacks ... 281
Unauthorized Access ... 284
Understanding DoS and DDoS Attacks ... 286
Data Sniffing ... 287
Data Manipulation ... 288
Continuing the Security Cycle ... 288
Securing ... 289
Monitoring ... 290
Testing ... 290
Improving Security ... 291
How Wireless Technology Changes Network Security ... 292
Overview of 802.11 Standards ... 292
Shared Network Model ... 293
Protecting the Data Link and Physical Layers ... 294
Tracking and Attacking Anonymity ... 294
Attacks on Wireless Networks ... 294
Authentication ... 295
Physical Security ... 295
Preventing War Driving and Unauthorized Use of Legitimate Access Points ... 296
Devices Required in War Driving ... 297
Wi-Fi Client Adapter ... 297
Antenna ... 297
GPS ... 298
War Driving Software ... 299
Protecting Against War Drivers ... 300
Disabling SSID Broadcasts ... 300
Protecting Against Unauthorized Wireless Access ... 301
Open Authentication ... 301
Shared Authentication ... 301
EAP Authentication ... 302
MAC Address Authentication ... 302
VPN Authentication ... 303
Protecting Against Unauthorized Access Point Access ... 304
Changing the Default Settings ... 304
Disabling Unwanted Services ... 304
Exploring Rogue Access Points ... 304
Detecting and Protecting against Rogue Access Points ... 305
Corporate Policy and User Awareness ... 305
Mutual Authentication ... 305
Sniffers ... 306
Cisco Rogue Detection by Client Reports ... 306
Physical Detection ... 307
Wired Detection ... 307
Designing for Security ... 308
Creating a Security Policy ... 308
Risk Assessment ... 308
The Big Three ... 308
Logging and Accounting ... 309
Hot Standby ... 309
Configuring Hot Standby ... 310
Implementing Firewalls for Additional Security ... 311
Public Secure Packet Forwarding ... 312
Filters ... 313
WLAN LAN Extension 802.1x/EAP ... 313
EAP ... 314
EAP Packet Format ... 314
EAP Request and Response ... 315
EAP Success and Failure ... 315
802.1x ... 316
EAP Types ... 317
EAP Message Digest 5 ... 317
EAP Generic Token Cards ... 317
EAP TLS ... 317
Cisco EAP ... 318
Implementing LEAP ... 320
Configuring ACS ... 321
Configuring Access Points ... 323
Configuring the Client ... 326
WLAN LAN Extension IPSec ... 328
Standards Used in IPSec ... 329
IKE ... 329
AH ... 331
ESP ... 332
Implementing IPSec over WLAN ... 332
VPN Device List in WLAN ... 334
Configuring VPN Gateway ... 334
Configuring an Access Point ... 336
Configuring a VPN Client ... 339
WLAN Static WEP Keys ... 341
WEP ... 341
IV WEP Vulnerable ... 342
IV and RC4 Vulnerabilities ... 342
Mitigating WEP Vulnerability ... 343
TKIP ... 343
Configure Static 128-bit WEP with TKIP ... 344
Using a Web Browser for Access Point Configuration ... 344
Configuring the Client ... 345
WLAN Security with VLANs ... 346
VLAN in Aironet ... 347
VLAN by SSID ... 347
VLAN by RADIUS ... 347
Summary ... 348
Solutions Fast Track ... 349
Frequently Asked Questions ... 353
Chapter 8 WLAN Rogue Access Point Detection and Mitigation ... 355
Introduction ... 356
The Problem with Rogue Access Points ... 356
A Rogue Access Point is Your Weakest Security Link ... 358
An Intruder’s Rogue Access Point ... 359
Preventing and Detecting Rogue Access Points ... 360
Preventing Rogue Access Points with a Security Policy ... 360
Provide a Secure, Available Wireless Network ... 360
Sniffing Radio Frequency to Detect and Locate Rogue Access Points ... 361
Cisco’s Rogue Access Point Detection ... 363
Central Management with WLSE to Detect Rogue Access Points ... 364
IEEE 802.1x Port-based Security to Prevent Rogue Access Points ... 367
Prevent Users from Using Rogue Access Points with 802.1x ... 367
Preventing Rogue Access Point from Connecting to Wired Network with 802.1x ... 369
Understanding Devices and their Roles in Wired 802.1x Implementation ... 370
Configuring 802.1x Authentication on a Supported Switch ... 371
Detecting a Rogue Access Point from the Wired Network ... 374
Detecting a Rogue Access Point with a Port Scanner ... 374
Using Catalyst Switch Filters to Limit MAC Addresses per Port ... 376
MAC Addresses in Port Security ... 376
Static MAC ... 377
Dynamic MAC ... 377
Sticky MAC ... 377
Security Violation ... 377
Protect Mode ... 378
Restrict Mode ... 378
Shutdown Mode ... 378
Configuring Port Security in an IOS Catalyst Switch ... 378
Summary ... 382
Solutions Fast Track ... 383
Frequently Asked Questions ... 385
Chapter 9 Wireless LAN VLANs ... 387
Introduction ... 388
Understanding VLANs ... 389
VTP in a Wired Network ... 393
VTP Modes ... 393
Dealing with Trunk Ports ... 394
VLANs in a Wireless Environment ... 395
Per-VLAN Settings ... 396
VTP in a Wireless Network ... 398
Trunk Ports ... 398
Trunk Ports between Bridges ... 398
Wireless VLAN Deployment ... 399
Native VLAN ... 399
Routing between VLANs ... 399
Per-VLAN Filters ... 400
Per-VLAN QOS ... 401
Per-VLAN Authentication and Encryption ... 401
Configuring Wireless VLANs Using the IOS: A Case Study ... 401
Broadcast Domain Segmentation ... 408
Traffic Types ... 408
Unicast ... 408
Broadcast ... 408
Multicast ... 409
Broadcast Domain in Wireless ... 409
Primary (Guest) and Secondary SSIDs ... 410
Guest SSID ... 411
Using RADIUS for VLAN Access Control ... 411
Configuring RADIUS Control ... 413
Summary ... 415
Solutions Fast Track ... 416
Frequently Asked Questions ... 418
Chapter 10 WLAN Quality of Service (QoS) ... 421
Introduction ... 422
The Requirement for Service Quality ... 423
Bandwidth ... 423
Latency ... 423
Jitter ... 424
Packet Loss ... 424
Network Availability ... 424
QoS ... 425
How Wireless Changes QoS ... 427
Extending QoS Support to WLAN Wireless Network ... 428
Integrating QoS in Wireless and Wired Networks ... 430
WLAN QoS Design Guidelines ... 432
Dimensioning WLAN Network for Sufficient Capacity ... 432
Handling Roaming Introduced Delay ... 434
Configuring for Wireless QoS in IOS ... 435
MetroWiFi integrated QoS Design ... 435
Configuring EDCF Frame Prioritization Scheme ... 438
Configuring Traffic Classification for EDCF Prioritization Scheme ... 439
Using Existing Network QoS Configuration ... 442
Summary ... 443
Solutions Fast Track ... 443
Frequently Asked Questions ... 445
Index ... 449
Foreword
Wireless networking is all about freedom. Freedom is a worthy goal in its own
right, and freedom in an organizational context pays dividends.
It’s tremendously cool to be able to sit down in an office or conference
room, open your portable computer, and have instant connectivity to the
resources you need to do your job. With wireless networking in place, there’s
no need to fiddle with Ethernet cables and the associated software settings —
you just get on with whatever you want to do. Simple, mobile connectivity like
this makes you more efficient and more capable.
Considered from a manager’s point of view, wireless networking is an
empowering technology, a “force multiplier” if you want to use the military
term. A given number of people, given a method of working more efficiently
than usual, can do the work of a larger number of people. The fact that wireless
networking enables people to connect to the network from anywhere in their
work area, without any overhead, means that they can spend more time doing
their jobs and not getting stressed out about hooking up to the network.
If you consider that wireless networking makes possible new modes of
work, the advantages become even more apparent. Quite a few organizations
are using wireless devices to scan items (for inventory management and
tracking, to cite the two main examples) and report the scanned data to a central repository in near-real time. This makes more current—and therefore more
valuable—information available to the people who need it. That wouldn’t be
possible without wireless networking. A few shops are already experimenting
with wireless telephone service, in which users can roam all over their workplace while maintaining connectivity to the organizational telephone switch via
a portable handset. This means they can be reached at their usual phone extension wherever they go, with no need to configure forwarding. The next generation of such portable phones will be able to connect to the wireless LAN when
a suitable one is available, and switch over to the public cellular network when
the user goes out of range. Wireless networking is not a gimmick. It is a productivity-enhancing, profit-enhancing infrastructure element that makes businesses stronger.
What’s more, wireless networking makes it easy for an organization to do a
bit of public service. By installing an access point that covers a portion of a public
park or a nearby café—where the organization’s employees would probably want
to work from time to time anyway—it’s possible to give wireless Internet access
(under proper control, of course) to anyone who cares to connect. That’s the kind
of corporate philanthropy that people appreciate, and it’ll do more for the company image than putting the logo on a theater program.
Critics of wireless networking call attention to security worries. A network
with wireless service is subject to attack over the airwaves by anyone within
radio range. Stripping unauthorized modems from the network and keeping
intruders out of the building is no longer sufficient. The problem is complicated by the fact that anyone with 50 bucks to spare can plug a cheap access
point, meant for home use, into an Ethernet port and start providing potentially
unregulated access to the company network. (The fact that people are very
often willing to part with 50 bucks to provide themselves with wireless service
at the office says a lot about the value of wireless connectivity, by the way.)
That is why you need to take a managed approach to wireless networking.
Rather than let rogue access points sprout haphazardly, and rather than allow
access to your corporate network without proper authentication and auditing,
you need to design your network to give the people of your organization what
they need to do their jobs happily (and maybe a bit more, just to see what they
do with the extra capability). If you’re going to allow guest access, and maybe
even some public use, you need to build that in. You need, however, to be precisely aware of what you’re allowing, and use the best tools you can to prevent
the kind of network activity that would do harm to your organization.
The Structured Wireless-Aware Networking (SWAN) solutions from Cisco
Systems are excellent tools, and they’re the subject of this book. With Cisco’s
hardware and software—some of it specific to the wireless portions of your network, some of it part of the Internetwork Operating System (IOS) and the
routers on which it runs—you can allow the kind of access you want to allow,
and prevent unauthorized access. It’s a technical challenge, and Cisco’s products
go a long way toward providing a solution.