8/2/2019 Wlan Design
1/33
Copyright 2005, Chesapeake Netcraftsmen Handout Page-1
Slide 1
Wireless LAN (WLAN) Design
Dr. Peter J. Welcher, Chesapeake Netcraftsmen
Slide 2
About the Speaker
Dr. Pete Welcher
Cisco CCIE #1773, CCSI #94014, CCIP
Network design & management consulting, many major customers
Specialties: QoS, MPLS, Wireless, Large-Scale Routing & Switching
Taught many of the Cisco courses
Reviewer for many Cisco Press books, proposals
Over 118 Enterprise Networking Magazine articles
http://www.netcraftsmen.net/welcher/papers
Slide 3
Netcraftsmen Cisco Certifications
Half of our technology experts possess a CCIE
7.6 Cisco certs per person on average
Cisco Specializations:
IP Telephony
Network Management
Wireless
Security
(Routing and Switching)
Expertise in other areas as well
Slide 4
Objectives
Upon completion of this seminar, you will:
Know some of the customer requirements to ask about when conducting a WLAN design
Know how to improve the quality of your WLAN designs
Understand various common WLAN design models, their pros and cons
Understand Cisco technical capabilities, their pros and cons
Understand gotchas, interactions between features
Understand a flowchart for determining WLAN customer requirements
Slide 5
Rationale
WLAN designs and installations are not all the same; different designs fit different needs
Not just picking up a bunch of Linksys WAPs at Best Buy and scattering them around
Costly to build a WLAN and then have to redo it to support new/changed requirements
Internal / customer WLAN requirements interact with the design.
Best to get all the possibilities out on the table up-front!
Still need to do a site survey to get # & locations of WAPs
You do need to know how thorough the site survey has to be
Slide 6
Topics
Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion
Slide 7
Starting Assumptions
Not going to discuss site survey, going to focus on higher-level features and topology
Good to avoid large Spanning Tree Protocol (STP) domains and large-scale L2 approaches
Standard routing gives traffic a chance to breach isolation, requiring extensive ACLs or other measures for security
WLAN security level and authentication should match the WIRED network
This represents my opinions, not specificallyapproved or endorsed by Cisco!
Slide 8
WLAN within the Cisco Family
Positioning
Where would you use the following in your design?
Linksys
Airespace (recent acquisition)
Cisco WAPs but not WLSM
Cisco WAPs and WLSM
Slide 9
CD1: Physical Isolation Network
Slide 10
CD1: Discussion
Pro
Secure, in the sense of isolating WAPs and mobile users
Does allow ACL controls at point of attachment to WIRED network
Con
Does not in itself secure WLAN authentication or provide confidentiality
Cost
Separate wiring infrastructure (cost)
More equipment to manage (cost)
Secure management of WLAN switches?
Overkill?
Slide 11
CD1B: Cell Phone/WAP Antenna Network
This is a variant of physical isolation, using dedicated coax and fiber
Provides selective cell phone coverage within buildings (single cell phone vendor?)
Coax connects in-building antennas to building aggregation box
WAPs connect to coax via aggregation box
Does allow centralization of WAP chassis
Fiber connects aggregation box to central cell phone access box
Slide 12
CD1B: Discussion
Pro
If you're doing this sort of thing for cell phones, leveraging it for WAPs may make sense
Con
Cost high
Divergent wiring infrastructure (opposite of convergence?)
The products don't seem to use IP or even normal networking on the coax and fiber (troubleshooting?)
You're doing something non-standard: risk
Still leaves data-side connectivity of WAPs up in the air (so to speak); really more about antennas
Slide 13
CD2A: WAP Isolation VLAN(s)
[Diagram: isolation VLANs separate WLAN from WIRED traffic]
Slide 14
CD2A: Discussion
This used to be a very common approach for those who knew of WEP's vulnerabilities
Pro
Simple
Can work well for Internet access for guests, mobile users
Allows IDS monitoring of WLAN user traffic
Can work reasonably well for collapsed core campuses
Can use one isolation VLAN per floor for smaller STP domains
Con
Tempting to create large STP domains for roaming, which we've seen cause instability
Connecting to the firewall is problematic in routed core campuses; see below
Slide 15
CD2B: Isolation VLANs and IPsec
[Diagram: Internet, Internet router, firewall, VPN Concentrator on outer switch, servers, core switches, trunks, IPsec VPN, isolation VLAN]
Slide 16
CD2B: Discussion
This is the form in which isolation VLANs are usually used
The graphic shows use of several isolation VLANs
Older design approach, but still valid
Pro
Reduce authentication and confidentiality to a proven approach (IPsec), already supported
Handles requirement (guest Internet) and (employee securely to internal net) reasonably well
Con
The VPN Concentrator can be a bottleneck
PDAs, phones & IPsec???
Contractor, consultant support (internal/external; VPN client?)
Slide 17
CD2C: WAP Isolation + Access Control Device
[Diagram: isolation VLANs run to WLAN switch for authentication, ACLs, etc.]
Slide 18
CD2C: Discussion
Notes
Some WLAN switches provide for a remote switch, e.g. in data center
Find out if they use tunneling (L2, GRE, IPsec, other) between WAP and WLAN switch? Configured how? How secure?
Questions to ask the vendor
Is it a:
Switch
Firewall and NAT point
NAS or authentication server
IDS
Etc.
Vendor's skills in ALL of these areas?
How many of these do you really need? How many are duplicative of what you already have?
Slide 19
CD2C: Discussion
Pro
Web authentication and per-user/group access controls are simple, can leverage SSH for secure authentication
Con
Wireless-side confidentiality?
Some need one box per L2 domain
They assume flat world model, with one WLAN VLAN site-wide
Multiple WAP VLAN approach requires more boxes
Cost; management complexity
More total boxes to manage, plus more vendors
Potential bottleneck (failover, behavior under DDoS, etc.?)
Slide 20
Degree of NAT and ACL Controls?
Per-user ACLs at point of entry may not be sufficiently flexible
Enterasys WAPs also use this approach
May well be fine for smaller networks (a few switches) or simple policies (employees everywhere, guests to Internet)
All the intelligence has to be in one ACL at the point of entry
That may require greater complexity in the ACL
Per-user group NAT or address assignment would alleviate this concern
Meaningful addresses for filtering at other points in the network
Does any vendor do this?
Slide 21
WLAN Access Control Device Alternatives
Cisco IOS web auth-proxy
Router CBAC/firewall feature set only
May be coming to switches
Cisco BBSM
Blue Socket
Vernier
Bradford Software device (see below, it does a bit more)
Airespace* (?) [Docs not visible online, yet]
WLSM, below, is a clean alternative but can act as a large-scale choke point
Slide 22
CD3: Infrastructural WAPs
[Diagram: use strong authentication and encryption: no need for isolation]
Slide 23
CD3: Discussion
Can do separate WLAN VLANs, but they're for STP reasons, not isolation: protect wired STP stability
As of WPA and 802.11i, WAP authentication / crypto are now quite acceptable (at most sites)
Non-snooped / cracked login & password
Confidentiality of data on wireless link
Pro
Best throughput
Avoids MTU and other IPsec issues
Con
Driver support for older PCs, NICs, etc.
Device support while PDAs, phones catch up
Should some WLAN technology security issue show up (how likely?), there's no easy way to quickly apply ACLs, IDS, etc. for monitoring, control, or cutoff of wireless user traffic
Slide 24
CD4A: SSIDs and VLANs w/ Infrastructure
[Diagram: trunks or routed links; VLAN based on SSID]
Slide 25
CD4A: Discussion
Cisco technology insights:
Can use different VLANs and SSIDs to support devices with different authentication and encryption capabilities
Can then apply different ACLs to control traffic based on VLAN / subnet, restrict less-trusted devices' traffic
Pro
Flexible accommodation of devices with different capabilities
More critical as 802.1x & NAC added to WPA, 802.11i
More secure than one SSID/VLAN fits all
Con
More complex
Does lead to IP subnet multiplication, see also Clever Addressing Schemes, at http://www.netcraftsmen.net/welcher/papers/addressing.html
If the distribution / core is routed, potential for ACL proliferation (cf. WLSM below, however)
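The subnet multiplication and ACL proliferation noted here, and the "meaningful addresses for filtering at other points in the network" wish from the Degree of NAT and ACL Controls slide, are two sides of one design choice: if the per-SSID subnets are laid out so that every floor's subnet for one role sits inside a single summary prefix, a routed distribution layer needs one ACL entry per role instead of one per subnet. The Python below is an added illustration and is not from the slides or from Chesapeake Netcraftsmen; the campus block 10.40.0.0/16, the role-to-bit mapping and the six floor bits are constructed assumptions.

```python
"""Structured per-SSID/per-floor WLAN addressing (added example, constructed values).

Layout assumed here (not from the slides): campus block 10.40.0.0/16, third
octet = <2 role bits><6 floor bits>.  Every floor's subnet for one role then
falls inside one summary prefix, so policy for that role is one ACL entry.
"""
import ipaddress

CAMPUS = ipaddress.ip_network("10.40.0.0/16")             # constructed sample block
ROLES = {"employee": 0, "voice": 1, "guest": 2, "iot": 3}  # SSID roles -> role bits
FLOOR_BITS = 6                                             # 64 floors/closets per role
ROLE_BITS = 8 - FLOOR_BITS


def subnet_for(role, floor):
    """/24 for one role on one floor: third octet = (role << FLOOR_BITS) | floor."""
    if not 0 <= floor < (1 << FLOOR_BITS):
        raise ValueError(f"floor {floor} outside 0..{(1 << FLOOR_BITS) - 1}")
    third_octet = (ROLES[role] << FLOOR_BITS) | floor
    base = int(CAMPUS.network_address) + (third_octet << 8)
    return ipaddress.IPv4Network((base, 24))


def role_summary(role):
    """Single prefix covering every floor's subnet for this role."""
    base = int(CAMPUS.network_address) + (ROLES[role] << (FLOOR_BITS + 8))
    return ipaddress.IPv4Network((base, 16 + ROLE_BITS))


def wildcard(net):
    """IOS-style 'network wildcard' pair (hostmask is the inverse of the netmask)."""
    return f"{net.network_address} {net.hostmask}"


def acl_lines(role, floors, structured):
    """Deny entries that keep one role away from an internal destination (written
    as 'any' for brevity). Flat plan: one line per floor; structured: one line."""
    if structured:
        return [f"deny ip {wildcard(role_summary(role))} any"]
    return [f"deny ip {wildcard(subnet_for(role, f))} any" for f in floors]


def plan_is_consistent():
    """Checks a designer would run before rollout: every per-floor subnet sits
    inside its role summary, and the role summaries never overlap."""
    summaries = {r: role_summary(r) for r in ROLES}
    inside = all(subnet_for(r, f).subnet_of(summaries[r])
                 for r in ROLES for f in range(1 << FLOOR_BITS))
    names = list(ROLES)
    disjoint = all(not summaries[a].overlaps(summaries[b])
                   for i, a in enumerate(names) for b in names[i + 1:])
    return inside and disjoint


if __name__ == "__main__":
    floors = range(12)
    print("flat plan:", len(acl_lines("guest", floors, structured=False)), "entries")
    print("structured plan:", acl_lines("guest", floors, structured=True))
    print("plan consistent:", plan_is_consistent())
```

With two role bits the plan tops out at four roles and 64 floors per campus block; a site with more roles would move the boundary (fewer floor bits) or use a second block, which is exactly the kind of trade-off the Clever Addressing Schemes paper is about.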
Slide 26
CD4B: 802.1x and Dynamic VLANs
[Diagram: trunks or routed links; VLAN based on authentication (login, group)]
Slide 27
CD4B: Discussion
This is similar to static SSIDs/VLANs, except that the VLANs are assigned dynamically based on 802.1x login (user/group info), based on RADIUS server
Can do this for both WIRED and WLAN networks
WIRED does require 3550, 3750, 4500, 6500
Pro
Very powerful for heavily mobile user base and flexibility
No client-side SSID reconfiguration if group VLAN mapping changes
Can combine with MS login
Con
Adds one more thing to troubleshoot
Routed links present the same issue in larger networks
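To make the RADIUS side of this mechanism concrete, here is an added Python example (mine, not from the slides or from Cisco): the server's Access-Accept carries the RFC 3580 attributes Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = the VLAN number, and the switch or WAP should verify the Response Authenticator before moving a port into the VLAN the reply names. The shared secret, Request Authenticator and VLAN 120 are constructed sample values.

```python
"""RADIUS Access-Accept with RFC 3580 VLAN attributes (added example, not from
the slides).  Shared secret, authenticator and VLAN 120 are constructed values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def _tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: Type, Length=6, Tag, 3-byte big-endian value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _tagged_string(attr_type, tag, text):
    """RFC 2868 tagged string: Type, Length, Tag, string."""
    data = bytes([tag]) + text.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def build_access_accept(identifier, request_auth, secret, vlan_id=None, tag=1):
    """Server side: Access-Accept (optionally assigning vlan_id) with a valid
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = b""
    if vlan_id is not None:
        attrs = (_tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
                 + _tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
                 + _tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def parse_attributes(blob):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("attribute length runs past packet end")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_access_accept(packet, request_auth, secret):
    """NAS side: verify the reply is authentic, then return the assigned VLAN
    (or None when the reply carries no usable VLAN assignment)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    header, response_auth, attr_blob = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attr_blob + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        raise ValueError("Response Authenticator mismatch: reply not from our server")
    # Group the three tunnel attributes by tag; only a complete VLAN triple counts.
    by_tag = {}
    for attr_type, value in parse_attributes(attr_blob):
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer must be 4 octets")
            by_tag.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # The leading octet is a tag only when it lies in 0x00..0x1F (RFC 2868).
            tag, text = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for group in by_tag.values():
        if (group.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            vid = group.get(ATTR_TUNNEL_PRIVATE_GROUP_ID, "")
            if vid.isdigit() and 1 <= int(vid) <= 4094:
                return int(vid)
    return None


if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"constructed-shared-secret"
    reply = build_access_accept(7, req_auth, secret, vlan_id=120)
    print("assigned VLAN:", vlan_from_access_accept(reply, req_auth, secret))
```

The authenticator check is what ties the VLAN move to a reply from the configured server: a reply with the VLAN digits altered, or one computed under a different shared secret, is rejected before any attribute is read, which is the behaviour to expect from the switch or WAP and the thing to look at first when dynamic VLAN assignment "does not work" after a secret change.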
Slide 28
CD4C: Bradford Campus Manager
[Diagram: trunks or routed links; VLAN assigned by central server(s)]
Slide 29
What is Bradford?
www.bradford-sw.com
Combines NetReg functionality with dynamic VLAN assignment across vendors (switches, WAPs)
Colleges adopted Bradford heavily this past Fall
Reviews mixed: you do need to do your homework
Rapid development led to some bugs
Bradford swamped by new customers
May have scaling issues (5000+?)
Uses SNMP traps to the box to trigger port VLAN assignment (via CLI or RADIUS)
Does DHCP into walled garden VLAN for pre-scan (virus, vulnerabilities, etc.), then re-assign VLAN and re-DHCP
Registers MACs for permanent dynamic VLAN assignment and subsequent connections
Slide 30
CD4C: Discussion
Pro
Solves several problems for colleges
Forced pre-admission virus / worm scan
Forced patch application
Lack of client-side drivers supporting 802.1x etc.
Con
Complex
They did some smart things to scale but are counting on reliably receiving SNMP traps as PCs connect; may not be a good foundation, especially at high-volume times
Supports L3 core (mostly) but started out in the VLAN-spans-the-campus (students, faculty, admin) world
Slide 31
But What About a Routed Core?
[Diagram: trunks or routed links; guest / contractor with Internet-only access]
Slide 32
WAP VLANs and L3 Core/Distribution
Potential issue #1: roaming, re-association time
If not same VLAN, have to re-DHCP
Probably ok for carrying laptop around
Not ok for walking with wireless phone
Large VLANs lead to STP issues
Even in same VLAN, have to re-authenticate toWAP to associate
Ok on campus
Can be slow if enterprise RADIUS server remote, across WAN
Slide 33
Potential issue #2: Routing Containment
Every router provides the chance for traffic to escape
Makes it awkward to force guest VLAN traffic to only go to Internet
Running isolation VLANs across the routed core can get ugly
Tends to lead to ACLs on every campus interface
L2 work-arounds can get ugly (plumbing)
Can try PBR for this, it gets as ugly or uglier
Slide 34
Routing Containment, contd
What you have is really a routing issue: want different VLANs and user groups to have different routes available to them
Can use MPLS-based VRF-Lite technology for per-VLAN routing tables
It provides per-logical-interface private routing tables
Avoids most of the complexity of MPLS
Requires newer gear supporting this
I have yet to see anyone do this
Common Design CD5: WLSM, see below
Can combine some of the above models with WLSM to address these issues with routed distribution/core
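As an added illustration of the containment point on these two slides (not from the slides; the prefixes, VLAN numbers and next-hop names are constructed), the Python below models a distribution switch first with one shared routing table and then with VRF-Lite per-VLAN tables. The lookups show why a guest VLAN on the shared table can reach internal subnets through every router in the path, while a guest VRF that only holds a default route toward the firewall's guest leg has nowhere else to send that traffic.

```python
"""Routing containment with per-VLAN (VRF-Lite) tables, added example.
Prefixes, VLANs and next-hop names are constructed sample values."""
import ipaddress


class RoutingTable:
    """Minimal longest-prefix-match table: a list of (prefix, next_hop)."""

    def __init__(self, name):
        self.name = name
        self.routes = []

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))
        return self

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


INTERNAL_PREFIXES = ["10.1.0.0/16", "10.2.0.0/16"]  # constructed: servers, employee subnets
VLAN_TO_VRF = {10: "employee", 30: "guest"}          # constructed: VLAN 30 is the guest SSID


def global_table():
    """One shared table: every ingress VLAN sees every route, so isolating
    guests means an ACL on every interface the guest traffic can cross."""
    table = RoutingTable("global")
    for prefix in INTERNAL_PREFIXES:
        table.add(prefix, "core")
    return table.add("0.0.0.0/0", "firewall-inside")


def vrf_tables():
    """VRF-Lite: the employee VRF carries the internal routes; the guest VRF
    knows only a default toward the firewall's guest leg."""
    employee = RoutingTable("vrf-employee")
    for prefix in INTERNAL_PREFIXES:
        employee.add(prefix, "core")
    employee.add("0.0.0.0/0", "firewall-inside")
    guest = RoutingTable("vrf-guest").add("0.0.0.0/0", "firewall-guest")
    return {"employee": employee, "guest": guest}


def forward_shared(vlan, dst):
    """Without VRFs the ingress VLAN is irrelevant: one table answers for all."""
    return global_table().lookup(dst)


def forward_vrf_lite(vlan, dst):
    """With VRF-Lite the ingress VLAN selects which table is consulted."""
    return vrf_tables()[VLAN_TO_VRF[vlan]].lookup(dst)


def guest_is_contained():
    """Design check: no internal prefix is reachable from the guest VRF via
    the core; everything the guest VRF forwards goes to the guest firewall leg."""
    guest = vrf_tables()["guest"]
    return all(guest.lookup(str(ipaddress.ip_network(p)[1])) == "firewall-guest"
               for p in INTERNAL_PREFIXES)


if __name__ == "__main__":
    print("shared table, guest -> 10.1.1.10:", forward_shared(30, "10.1.1.10"))
    print("VRF-Lite, guest -> 10.1.1.10:", forward_vrf_lite(30, "10.1.1.10"))
    print("VRF-Lite, employee -> 10.1.1.10:", forward_vrf_lite(10, "10.1.1.10"))
    print("guest contained:", guest_is_contained())
```

The guest VRF still forwards packets addressed to internal hosts, but only to the firewall's guest-side interface, which is the one place where policy for guests then has to live; that is the "routing issue" framing of the slide, as opposed to chasing the same traffic with ACLs on every campus interface.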
Slide 35
Topics
Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion
Slide 36
WLSM!
Cisco Networkers 2004 slides about WLSM
Sources:
http://www.networkers04.com/published/ACC-2011/ACC-2011.pdf
http://www.networkers04.com/published/RST-2506/RST-2506.zip
WLSM does require 6500 w/ 720 engine
Other requirements:
WAP code version
WLSE code version
See documentation for details
Slide 37
WLSM: Things to Watch For
Fast Secure Roaming (FSR) caches keys
FSR requires CCKM (Cisco Centralized Key Management): TKIP or WPA with CCKM
See the documents for compatible cipher suites
Supported for LEAP or EAP-FAST (as of 2004)
Cisco or CCX compatible clients
L3 FSR roaming is fast for unicast, not as fast for multicast
Need join to wired network, etc.: some delay
But can deliver high multicast rates using mostly wired paths
Need to watch the WLSM scaling numbers
No inter-WLSM blade roaming!
Keep an eye on AAA scaling (not as big a concern)
Slide 38
Other WLSM Factoids
Read the Design and Deployment Guide (RTDDG)
URL is on the next slide
Cf. page 35 re MTU and GRE
Cf. page 39, PING doesn't work in a couple of cases
Can do HSRP-like redundancy, state lost on failover
Without CCKM, roaming works but re-association is slow
L2 broadcast apps won't work with WLSM
Can't have NAT in between WAP and WLSM, WLCCP message not fixed up (yet)
QoS takes some configuration effort
Limited QoS in hardware for GRE tunnels, prior to the PFC-3B
Slide 39
References: WLSM
WLSM links can seem well-hidden
Some are under switch services modules, some under WAP 1200; alternative: use Search to find them
Services module page (includes video clip): http://www.cisco.com/en/US/products/ps5865/index.html
WLSM Deployment Guide: http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080362bd0.html
WLSM Detailed Design and Implementation Guide: http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html
Slide 40
Topics
Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion
Slide 41
Gather Requirements Information (flowchart, page 1)
Start: A successful design must consider requirements for the next 2 or more years to minimize the risk and costs of substantial infrastructure changes.
Get Wired: collect information about any existing or planned WIRED infrastructure:
L3 to access? How far?
Security: match WIRED
802.1x or NAC?
IPsec in use for remote access? CS/ACS in place?
PoE: match WIRED
Does the WIRED design use a L3 core? Layer 3 core & distribution switches: consider WLSM in light of other requirements.
Does the WIRED design provide PoE? WAP power alternatives: 1) All switch blades: IPT deployment; 2) Add a PoE blade to support WAPs; 3) Add power injectors at closet; 4) Add power circuits to point of WAP deployment (time, cost)
Will the WIRED network be using 802.1x or NAC? It usually makes sense to have WAP authentication and admission control match the wired network.
To Page-2
Slide 42
Gather Requirements Information (cont'd) (flowchart, page 2; from Page-1)
Roaming, Authentication: gather info about any near-term roaming, mobility requirements. Ask about sources of potential wireless authentication issues (PDA, phone, etc.). Listen to whether desktop drivers may be an issue.
Mobility required? What kind of roaming? Consider VoIP over WLAN, wireless PDA, etc. Determine L2 vs. L3 mobility needs. Consider WLSM. VoWLAN also increases site survey complexity and costs, and equipment costs.
Device authentication limitations? Consider PDAs, phones, bar code scanners, WLAN smoke detectors, etc. May need multiple SSIDs, VLANs. Determine capabilities and needs.
Desktop authentication limitations, e.g. drivers, support? Colleges, etc. may not want to deal with desktop drivers for 802.1x, etc.
To Page-3
Slide 43
Mobility and Roaming
Be sure to gather info and think about:
L2 vs L3 Fast Secure Roaming
How tight a time for roaming to occur (VoWLAN?)
Scope for L2 roaming
Scope for L3 roaming
Do people really type while they walk? Talk on phone & walk?
Slide 44
Mobility and Roaming 2
WAP can do smaller scale WDS, L2 mobility
New 2800/3800 routers can do larger scale WDS, only L2 FSR mobility at present
Need WLSM for largest-scale WDS and L2/L3 FSR mobility right now
Slide 45
Security
Listen to management concerning wireless security fears, needs, requirements
Look at existing security policy, if available
Examine potential risks (snooping, adverse publicity, etc.)
Find out if multiple static or dynamic VLANs match site security needs
Listen for any other security needs that might interact with the WLAN
Document requirements, cycle with customer
Gather Requirements Information (cont'd) (flowchart, page 3; from Page-2)
Want 802.1x user group dynamic VLANs?
Need guest or other group isolation? Degree of severity of guest isolation?
OK with Infrastructural WLAN?
Other WLAN security needs?
Document Requirements & Revise: document customer requirements. Customer approval of reqts document? (Revisit requirements from the top, or To Page-4)
Slide 46
Security
Really need to understand customer security requirements and plans, on the WIRED as well as the WLAN side
Web login?
802.1x & NAC?
Dynamic VLANs? (Which form of them?)
Needs regarding secure WLAN authentication
Needs concerning WLAN confidentiality
Risks and needs and policies concerning guest & contractor access
Risks and fears concerning WLAN, liability
Slide 47
Basic WLAN Risk Model
Do you trust WLAN authentication to be at least as secure as your wired port authentication technique?
Have you thought about conference rooms and unused wall ports lately?
Visitor controls?
Do you want to isolate the WLANs in case future security issues turn up?
Do you have WLAN guest users?
Consider personal firewall for WLAN users (home or away)!!!
Slide 48
Securing WLAN Secure Management
Need secure way to manage WLAN infrastructure switches and WAPs
Cisco WLAN Solution Engine (WLSE)
Separate management VLAN
ACLs restricting traffic to/from mgmt VLAN
SSH instead of telnet
TFTP: no authentication, but must be enabled to launch image transfer
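The ACL bullet is where management-VLAN designs most often go wrong in practice: the entries are right but their order is not, and a later deny is never reached. The Python below is an added example (not from the slides or from Cisco) that models Cisco-style first-match evaluation with an implicit deny, runs the checks the bullets imply (SSH only from admin stations, WLSE traffic permitted, telnet refused) against sample flows, and flags rules that an earlier rule shadows. The management VLAN 10.40.250.0/24, admin subnet, WLSE address and both ACLs are constructed values; only traffic toward the management VLAN is modeled, so the outbound direction an AP's TFTP image pull uses is not covered.

```python
"""First-match ACL model for a WLAN management VLAN (added example, not from the
slides). Addresses, hosts and the two ACLs are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: str                    # CIDR
    dst: str                    # CIDR
    dport: Optional[int] = None  # None = any destination port

    def matches(self, proto, src_ip, dst_ip, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

    def covers(self, other):
        """True when every packet 'other' could match would hit self first."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))


MGMT_VLAN = "10.40.250.0/24"  # constructed management VLAN (WAPs, WLAN switches)
ADMIN_NET = "10.40.10.0/24"   # constructed admin workstation subnet
WLSE_HOST = "10.40.5.10/32"   # constructed WLSE address

# ACL applied toward the management VLAN: SSH from admins, WLSE management traffic,
# nothing else (telnet is denied explicitly so a stray telnet listener is unreachable).
MGMT_ACL = [
    Rule("permit", "tcp", ADMIN_NET, MGMT_VLAN, 22),
    Rule("permit", "ip", WLSE_HOST, MGMT_VLAN),
    Rule("deny", "tcp", ANY, MGMT_VLAN, 23),
]

# A tempting shortcut: "let everyone in, then deny telnet". The deny can never match.
LOOSE_ACL = [
    Rule("permit", "ip", ANY, MGMT_VLAN),
    Rule("deny", "tcp", ANY, MGMT_VLAN, 23),
]


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Cisco-style first match with the implicit deny at the end."""
    for rule in acl:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def shadowed_rules(acl):
    """Indices of rules that can never be hit because an earlier rule covers them."""
    return [j for j, later in enumerate(acl)
            if any(earlier.covers(later) for earlier in acl[:j])]


def policy_report(acl):
    """The checks the slide's bullets imply, as pass/fail on sample flows."""
    return {
        "ssh_from_admin_permitted": evaluate(acl, "tcp", "10.40.10.5", "10.40.250.7", 22) == "permit",
        "ssh_from_user_vlan_denied": evaluate(acl, "tcp", "10.40.130.9", "10.40.250.7", 22) == "deny",
        "telnet_denied_everywhere": evaluate(acl, "tcp", "10.40.10.5", "10.40.250.7", 23) == "deny",
        "wlse_snmp_permitted": evaluate(acl, "udp", "10.40.5.10", "10.40.250.7", 161) == "permit",
        "no_dead_rules": shadowed_rules(acl) == [],
    }


if __name__ == "__main__":
    for name, acl in (("MGMT_ACL", MGMT_ACL), ("LOOSE_ACL", LOOSE_ACL)):
        print(name, policy_report(acl), "shadowed:", shadowed_rules(acl))
```

Running the report against both ACLs shows the point: the loose version permits telnet and SSH from any user VLAN even though it contains a telnet deny, and the shadow check names the dead rule, which is the kind of review worth doing before the ACL is pushed to production with a template.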
Slide 49
Design
After determining requirements and other factors, build a design
First make big choice (WLSM or not)
Then lay out topology
Then fill in high-level features to be used
Site survey: there are choices on this
Document design and rationale, and cycle with customer
Complete WLAN Design Details (flowchart, page 4; from Page-3)
Determine supporting equipment needs: WLSE, WLSM, ACS, PoE, etc. Include WLSM if appropriate. Consider PoE versus power injection or power to WAPs.
Determine WLAN topology layout. Rough site survey to estimate # of WAPs. Consider VoWLAN needs in site survey planning.
Determine WLAN high-level configuration details: SSIDs, VLANs, dynamic VLANs, addressing, authentication, encryption, roaming support, etc.
Document WLAN design, review by customer, etc.
Slide 50
Topics
Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion
Slide 51
Gotcha #1: IPsec Is Not a Panacea
IPsec is tempting when you're getting started
Good authentication, fairly simple, well-understood, already supported
But it doesn't scale as usage grows
Wired replacement with WLAN means you have a lot of VPN clients and throughput
Stresses VPN Concentrators
Need more VPN Concentrators ($$$$)
Encrypted traffic & QoS?
Alternative
Infrastructure plus VLANs, WLSM?
Slide 52
Gotcha #2: Not All Devices Are Created Equal
What else might you want on your WLAN?
Wireless phones
802.11-capable cell phone of the near future
PDA with 802.11
Sensors with PoE and 802.11 (HVAC, smoke, door, etc.)
Potential issue: authentication and encryption!
This is where the flexibility of multiple SSIDs and VLANs provides future-proofing
Slide 53
Gotcha #3: Site Surveys
Site surveys come in different degrees of cost and rigorousness:
"Thanks, I'll save $$ and do it myself"
You may get what you pay for?
SWAG WAP count, buy some extras, locate, fine-tune (perhaps using WLSE assisted walkthrough)
Does take time, still
Professional light (locates potential interference and other problems up front)
Professional heavy (for VoWLAN support)
See URL on VoWLAN slide (next); the 7920 phone document has a lot of good info in it
Slide 54
Gotcha #4: VoWLAN
Good thing, very popular in medical environments
But needs to be done right, as VoWLAN is more demanding
Site survey requirements and care in installation tighter
See Cisco Wireless IP Phone 7920 Design and Deployment Guide
http://www.cisco.com/en/US/products/hw/phones/ps379/products_implementation_design_guide_book09186a00802a029a.html
Consider QoS, Security, and other issues
Slide 55
Gotcha #5: Mismatch with Wired Security
You made your WLAN very secure
But the WIRED network is wide-open???
Contractors, guests, etc.?
Suggestions:
Don't get overly uptight about WLAN security and overlook WIRED security
Do consider using similar authentication for both, e.g. 802.1x
WLAN does need encryption on wireless transmissions for confidentiality
Slide 56
Minor Gotcha #6: CCX Version 2
Needed with WLSE for assisted walkabout, client-side rogue detection, etc.
See http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html for vendor support
Should be fairly well supported
Slide 57
Topics
Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion
Slide 58
Other: WLSE
Management of WAPs
Configuration archival
Templates to send out configlets to WAPs
WAP Fault Management
WAP Performance Exception Management
RF management, assisted walk-through, rogue WAP tracking
Required for WLSM
If you have WLSM, you probably have enough WAPs you really need WLSE anyway
http://whatever:1741
Slide 59
Other: Power Over Ethernet (PoE)
The alternatives
Get electrical circuits and junction boxes installed at WAP locations
More costly than you'd first think
Inflexible as to (re-) location of WAPs
UPS??
Use power injectors
Slight amount of cabling complexity
Use PoE blade in switch to support WAPs
Cost-effective, flexible
Careful: switch power supply big enough?
Full PoE in closets
Due to cost, this is probably done as part of preparation for IP phone deployment
Slide 60
Other: Security Devices & Blades
CiscoSecure ACS
Needed for WLSE / WDS in WLAN deployment
VPN Concentrator
Consider VPN Service Module for 6500
IDS
Consider IDS Services Module for 6500
Firewall
Consider Firewall Services Module for 6500
Slide 61
Topics
Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion
Slide 62
References: Networkers 2004
Networkers 2004 had numerous presentations on WLAN, see
http://www.networkers04.com/catalog/controller/catalog
Slide 63
WLAN Book References
O'Reilly Press: 802.11 Wireless Networks: The Definitive Guide (O'Reilly Networking), by Matthew Gast
http://www.amazon.com/exec/obidos/tg/detail/-/0596001835/qid=1105022925
Cisco Press: Cisco Wireless LAN Security, by Krishna Sankar, Sri Sundaralingam, Darrin Miller, Andrew Balinsky
http://www.amazon.com/exec/obidos/tg/detail/-/1587051540/qid=1105022925
802.11 Wireless Network Site Surveying and Installation, by Bruce Alexander
http://www.amazon.com/exec/obidos/tg/detail/-/1587051648/qid=1105022925/
Wireless Local-Area Network Fundamentals, by Pejman Roshan, Jonathan Leary
http://www.amazon.com/exec/obidos/tg/detail/-/1587050773/qid=1105023211/
Slide 64
Summary
Having completed this seminar, you should now:
Know some of the customer requirements to ask about when conducting a WLAN design
Know how to improve the quality of your WLAN designs
Understand various common WLAN design models, their pros and cons
Understand Cisco technical capabilities, their pros and cons
Understand gotchas, interactions between features
Understand a flowchart for determining WLAN customer requirements
Thanks for coming!
Slide 65
Any Questions?
For a presentation copy, please email [email protected]
Chesapeake Netcraftsmen Can Provide
Network design review: how to make what you have work better
Periodic strategic advice: what's the next step for your network or staff
Network management tools & procedures advice: what's right for you
Implementation guidance (your staff does the details) or full implementation
Chesapeake Netcraftsmen does
Small- and Large-Scale Routing and Switching (design, health check, etc.)
Security design and management (IDS, firewalls, VPN, enterprise-scale security information management, security reviews)
QoS (strategy, design and implementation)
IP Telephony (preparedness survey, design, and implementation)
Call Manager deployment
Network Management (design, installation, tuning, tech transfer, etc.)