Wlan Design


Transcript of Wlan Design

8/2/2019 Wlan Design
1/33
Copyright 2005, Chesapeake Netcraftsmen Handout Page-1

Wireless LAN (WLAN) Design

Dr. Peter J. Welcher, Chesapeake Netcraftsmen

About the Speaker

Dr. Pete Welcher
Cisco CCIE #1773, CCSI #94014, CCIP
Network design & management consulting, many major customers
Specialties: QoS, MPLS, Wireless, Large-Scale Routing & Switching
Taught many of the Cisco courses
Reviewer for many Cisco Press books, proposals
Over 118 Enterprise Networking Magazine articles
http://www.netcraftsmen.net/welcher/papers

Netcraftsmen Cisco Certifications

Half of our technology experts possess a CCIE
7.6 Cisco certs per person on average
Cisco Specializations:
  IP Telephony
  Network Management
  Wireless
  Security
  (Routing and Switching)
Expertise in other areas as well

Objectives

Upon completion of this seminar, you will:
  Know some of the customer requirements to ask about when conducting a WLAN design
  Know how to improve the quality of your WLAN designs
  Understand various common WLAN design models, their pros and cons
  Understand Cisco technical capabilities, their pros and cons
  Understand gotchas, interactions between features
  Understand a flowchart for determining WLAN customer requirements

Rationale

WLAN designs and installations are not all the same; different designs fit different needs
Not just picking up a bunch of Linksys WAPs at Best Buy and scattering them around
Costly to build a WLAN, then have to redo it to support new/changed requirements
Internal / customer WLAN requirements interact with the design
Best to get all the possibilities out on the table up-front!
Still need to do a site survey to get # & locations of WAPs
  You do need to know how thorough the site survey has to be

Topics

Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion

Starting Assumptions

Not going to discuss site survey; going to focus on higher-level features and topology
Good to avoid large Spanning Tree Protocol (STP) domains and large-scale L2 approaches
Standard routing gives traffic a chance to breach isolation, requiring extensive ACLs or other measures for security
WLAN security level and authentication should match the WIRED network
This represents my opinions, not specifically approved or endorsed by Cisco!

WLAN within the Cisco Family

Positioning: where would you use the following in your design?
  Linksys
  Airespace (recent acquisition)
  Cisco WAPs but not WLSM
  Cisco WAPs and WLSM

CD1: Physical Isolation Network

(Diagram slide)

CD1: Discussion

Pro
  Secure, in the sense of isolating WAPs and mobile users
  Does allow ACL controls at point of attachment to WIRED network
Con
  Does not in itself secure WLAN authentication or provide confidentiality
  Cost
    Separate wiring infrastructure (cost)
    More equipment to manage (cost)
  Secure management of WLAN switches?
  Overkill?

CD1B: Cell Phone/WAP Antenna Network

This is a variant of physical isolation, using dedicated coax and fiber
Provides selective cell phone coverage within buildings (single cell phone vendor?)
Coax connects in-building antennas to building aggregation box
WAPs connect to coax via aggregation box
  Does allow centralization of WAP chassis
Fiber connects aggregation box to central cell phone access box

CD1B: Discussion

Pro
  If you're doing this sort of thing for cell phones, leveraging it for WAPs may make sense
Con
  Cost high
  Divergent wiring infrastructure (opposite of convergence?)
  The products don't seem to use IP or even normal networking on the coax and fiber (troubleshooting?)
  You're doing something non-standard: risk
  Still leaves data-side connectivity of WAPs up in the air (so to speak); really more about antennas

CD2A: WAP Isolation VLAN(s)

(Diagram: isolation VLANs separate WLAN from WIRED traffic)

CD2A: Discussion

This used to be a very common approach for those who knew of WEP's vulnerabilities
Pro
  Simple
  Can work well for Internet access for guests, mobile users
  Allows IDS monitoring of WLAN user traffic
  Can work reasonably well for collapsed core campuses
  Can use one isolation VLAN per floor for smaller STP domains
Con
  Tempting to create large STP domains for roaming, which we've seen cause instability
  Connecting to the firewall is problematic in routed core campuses; see below

CD2B: Isolation VLANs and IPsec

(Diagram: Internet, Internet router, firewall, VPN concentrator, outer switch, servers, core switches, trunks, IPsec VPN, isolation VLAN)

CD2B: Discussion

This is the form in which isolation VLANs are usually used
The graphic shows use of several isolation VLANs
Older design approach, but still valid
Pro
  Reduce authentication and confidentiality to a proven approach (IPsec), already supported
  Handles both requirements (guest Internet access, and employees securely onto the internal net) reasonably well
Con
  The VPN Concentrator can be a bottleneck
  PDAs, phones & IPsec???
  Contractor, consultant support (internal/external; VPN client?)

CD2C: WAP Isolation + Access Control Device

(Diagram: isolation VLANs run to a WLAN switch for authentication, ACLs, etc.)

CD2C: Discussion

Notes
  Some WLAN switches provide for a remote switch, e.g. in data center
  Find out if they use tunneling (L2, GRE, IPsec, other) between WAP and WLAN switch. Configured how? How secure?
Questions to ask the vendor
  Is it a:
    Switch
    Firewall and NAT point
    NAS or authentication server
    IDS
    Etc.
  Vendor's skills in ALL of these areas?
  How many of these do you really need? How many are duplicative of what you already have?

CD2C: Discussion (cont'd)

Pro
  Web authentication and per-user/group access controls are simple; can leverage SSH for secure authentication
Con
  Wireless-side confidentiality?
  Some need one box per L2 domain
    They assume a flat world model, with one WLAN VLAN site-wide
    Multiple WAP VLAN approach requires more boxes
  Cost; management complexity
    More total boxes to manage, plus more vendors
  Potential bottleneck (failover, behavior under DDoS, etc.?)

Degree of NAT and ACL Controls?

Per-user ACLs at point of entry may not be sufficiently flexible
  Enterasys WAPs also use this approach
  May well be fine for smaller networks (a few switches) or simple policies (employees everywhere, guests to Internet)
All the intelligence has to be in one ACL at the point of entry
  That may require greater complexity in the ACL
Per-user group NAT or address assignment would alleviate this concern
  Meaningful addresses for filtering at other points in the network
  Does any vendor do this?
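The point-of-entry ACL that the CD2A/CD2C slides describe, as an added example that is not part of the original handout: a guest isolation VLAN terminated on a distribution-switch SVI, with a single inbound ACL that lets guests obtain DHCP, resolve names and reach the Internet while denying all private address space. Cisco IOS syntax; the VLAN number, subnets, server addresses and ACL name are constructed for illustration.

```cisco
! Added example, not from the handout. Constructed values: VLAN 20,
! guest subnet 10.20.0.0/16, resolver 10.0.0.53, DHCP server 10.0.0.67.
vlan 20
 name GUEST-ISOLATION
!
ip access-list extended GUEST-IN
 remark DHCP discover/request from clients that have no address yet
 permit udp any eq bootpc any eq bootps
 remark DNS only to the one resolver guests are allowed to use
 permit udp 10.20.0.0 0.0.255.255 host 10.0.0.53 eq domain
 remark guests may not reach any internal (RFC 1918) address space
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark anything left is headed for the firewall and the Internet
 permit ip 10.20.0.0 0.0.255.255 any
 remark the implicit deny also drops packets with spoofed (non-guest) sources
!
interface Vlan20
 description Guest WLAN isolation VLAN - the one point of entry to the routed network
 ip address 10.20.0.1 255.255.0.0
 ip helper-address 10.0.0.67
 ip access-group GUEST-IN in
```

Order matters: the DNS permit must precede the `deny ip any 10.0.0.0 ...` line or the resolver becomes unreachable. The relayed DHCP request is generated by the switch itself and is therefore not subject to the inbound list. This is exactly the slide's concern in miniature: every guest policy decision (a printer, a captive-portal server, a second resolver) has to be encoded in this one list, and repeated on every other guest SVI in the campus.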

WLAN Access Control Device Alternatives

Cisco IOS web auth-proxy
  Router CBAC/firewall feature set only
  May be coming to switches
Cisco BBSM
Blue Socket
Vernier
Bradford Software device (see below, it does a bit more)
Airespace* (?) [Docs not visible online, yet]
WLSM, below, is a clean alternative but can act as a large-scale choke point

CD3: Infrastructural WAPs

(Diagram: use strong authentication and encryption; no need for isolation)

CD3: Discussion

Can do separate WLAN VLANs, but they're for STP reasons, not isolation; protect wired STP stability
As of WPA and 802.11i, WAP authentication / crypto are now quite acceptable (at most sites)
  Non-snooped / cracked login & password
  Confidentiality of data on wireless link
Pro
  Best throughput
  Avoids MTU and other IPsec issues
Con
  Driver support for older PCs, NICs, etc.
  Device support while PDAs, phones catch up
  Should some WLAN technology security issue show up (how likely?), there's no easy way to quickly apply ACLs, IDS, etc. for monitoring, control, or cutoff of wireless user traffic

CD4A: SSIDs and VLANs w/ Infrastructure

(Diagram: trunks or routed links; VLAN based on SSID)

CD4A: Discussion

Cisco technology insights:
  Can use different VLANs and SSIDs to support devices with different authentication and encryption capabilities
  Can then apply different ACLs to control traffic based on VLAN / subnet, restrict less-trusted devices' traffic
Pro
  Flexible accommodation of devices with different capabilities
  More critical as 802.1x & NAC added to WPA, 802.11i
  More secure than one SSID/VLAN fits all
Con
  More complex
  Does lead to IP subnet multiplication; see also Clever Addressing Schemes, at http://www.netcraftsmen.net/welcher/papers/addressing.html
  If the distribution / core is routed, potential for ACL proliferation (cf. WLSM below, however)
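The SSID-to-VLAN mapping this slide describes, as an added example rather than the handout's own configuration: one Cisco IOS access point advertises a WPA/EAP SSID for corporate devices and an open SSID for guests, and bridges each to its own VLAN over a dot1q trunk so the distribution switch can apply a different ACL per subnet. The syntax is that of the IOS-based Aironet 1200-series access points of the period; the VLAN numbers, SSID names, RADIUS server address and the `eap_methods` list name are constructed.

```cisco
! Added example, not from the handout; names and addresses are constructed.
aaa new-model
aaa group server radius rad_eap
 server 10.0.0.5 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key <RADIUS-SHARED-SECRET>
!
! Corporate SSID: 802.1X/EAP authentication, WPA key management, TKIP, VLAN 10
dot11 ssid corp
 vlan 10
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
! Guest SSID: open authentication, no encryption, advertised in beacons, VLAN 20
dot11 ssid guest
 vlan 20
 authentication open
 guest-mode
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip
 ssid corp
 ssid guest
!
! One radio subinterface and one Ethernet subinterface per VLAN, joined by a
! bridge group, so each SSID's frames leave the AP tagged with its own VLAN.
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! AP management stays in the native VLAN (bridge group 1 / BVI1), apart from user traffic.
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
```

The switch port facing the AP is a trunk carrying VLANs 1, 10 and 20; VLAN 20 terminates on an isolation SVI of the CD2A kind with its Internet-only ACL, while VLAN 10 is routed as ordinary infrastructure. The weak "one SSID/VLAN fits all" variant the slide warns against would be a single SSID on VLAN 10 with `authentication open` and no `encryption` line, putting guests and staff in the same subnet with no way to treat them differently.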

CD4B: 802.1x and Dynamic VLANs

(Diagram: trunks or routed links; VLAN based on authentication (login, group))

CD4B: Discussion

This is similar to static SSIDs/VLANs, except that the VLANs are assigned dynamically based on 802.1x login (user/group info), based on RADIUS server
Can do this for both WIRED and WLAN networks
  WIRED does require 3550, 3750, 4500, 6500
Pro
  Very powerful for heavily mobile user base and flexibility
  No client-side SSID reconfiguration if group VLAN mapping changes
  Can combine with MS login
Con
  Adds one more thing to troubleshoot
  Routed links present the same issue in larger networks
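The wired-side half of dynamic VLAN assignment, as an added example rather than the handout's own configuration: a Catalyst access switch authenticates the port with 802.1X and accepts the VLAN that the RADIUS server returns in its Access-Accept, so the user's group rather than the port decides the VLAN. Catalyst IOS syntax of the 3550/3750 era; the RADIUS server address and VLAN numbers are constructed, and the attributes listed in the comments are the standard IETF tunnel attributes (RFC 2868, RFC 3580) that a server such as Cisco ACS returns for a user group.

```cisco
! Added example, not from the handout; addresses and VLAN numbers are constructed.
aaa new-model
aaa authentication dot1x default group radius
! Without network authorization the switch silently ignores the VLAN attributes
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key <RADIUS-SHARED-SECRET>
!
dot1x system-auth-control
!
vlan 10
 name STAFF
vlan 30
 name STUDENTS
vlan 99
 name DEFAULT-NO-ASSIGNMENT
!
! The configured access VLAN (99) is only used when authentication succeeds but
! the server returns no VLAN; a failed authentication leaves the port blocked.
interface FastEthernet0/1
 description 802.1X port - VLAN comes from RADIUS, not from this configuration
 switchport mode access
 switchport access vlan 99
 dot1x port-control auto
!
! What the RADIUS server sends in Access-Accept for a member of the STAFF group
! (attribute numbers per RFC 2868; 13 = VLAN, 6 = IEEE-802):
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = IEEE-802 (6)
!   Tunnel-Private-Group-ID (81) = "10"     <- VLAN ID (or VLAN name) to assign
! A STUDENTS member gets the same three attributes with Tunnel-Private-Group-ID = "30".
```

An IOS access point doing 802.1X for its WLAN clients consumes the same three attributes, which is what lets the slide's "both WIRED and WLAN" claim hold with one group-to-VLAN mapping on the RADIUS server. For the "one more thing to troubleshoot" item, `show dot1x interface FastEthernet0/1` and `show vlan` together show whether the port authenticated and which VLAN it actually landed in.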

CD4C: Bradford Campus Manager

(Diagram: trunks or routed links; VLAN assigned by central server(s))

What is Bradford?

www.bradford-sw.com
Combines NetReg functionality with dynamic VLAN assignment across vendors (switches, WAPs)
Colleges adopted Bradford heavily this past Fall
  Reviews mixed; you do need to do your homework
  Rapid development led to some bugs
  Bradford swamped by new customers
  May have scaling issues (5000+?)
Uses SNMP traps to the box to trigger port VLAN assignment (via CLI or RADIUS)
Does DHCP into walled garden VLAN for pre-scan (virus, vulnerabilities, etc.), then re-assign VLAN and re-DHCP
Registers MACs for permanent dynamic VLAN assignment and subsequent connections

CD4C: Discussion

Pro
  Solves several problems for colleges
    Forced pre-admission virus / worm scan
    Forced patch application
    Lack of client-side drivers supporting 802.1x etc.
Con
  Complex
  They did some smart things to scale but are counting on reliably receiving SNMP traps as PCs connect; may not be a good foundation, especially at high-volume times
  Supports L3 core (mostly) but started out in the VLAN-spans-the-campus (students, faculty, admin) world

But What About a Routed Core?

(Diagram: trunks or routed links; guest / contractor with Internet-only access)

WAP VLANs and L3 Core/Distribution

Potential issue #1: roaming, re-association time
  If not same VLAN, have to re-DHCP
    Probably ok for carrying laptop around
    Not ok for walking with wireless phone
  Large VLANs lead to STP issues
  Even in same VLAN, have to re-authenticate to WAP to associate
    Ok on campus
    Can be slow if enterprise RADIUS server remote, across WAN

Potential issue #2: Routing Containment

Every router provides the chance for traffic to escape
  Makes it awkward to force guest VLAN traffic to only go to Internet
Running isolation VLANs across the routed core can get ugly
  Tends to lead to ACLs on every campus interface
  L2 work-arounds can get ugly (plumbing)
  Can try PBR for this; it gets as ugly or uglier

Routing Containment, cont'd

What you have is really a routing issue: want different VLANs and user groups to have different routes available to them
Can use MPLS-based VRF-Lite technology for per-VLAN routing tables
  It provides per-logical-interface private routing tables
  Avoids most of the complexity of MPLS
  Requires newer gear supporting this
  I have yet to see anyone do this
Common Design CD5: WLSM, see below
  Can combine some of the above models with WLSM to address these issues with routed distribution/core
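The VRF-Lite approach to routing containment mentioned on the slide above, as an added example that is not part of the handout: the guest VLAN is placed in its own VRF whose only route is a default toward the firewall, so there is no path into the enterprise routing table for traffic to escape through and no need for an ACL on every campus interface. Cisco IOS syntax; the VRF name, route distinguisher, VLAN numbers and addresses are constructed.

```cisco
! Added example, not from the handout; all names and addresses are constructed.
! Per-VLAN private routing table: guests never see the global (enterprise) routes.
ip vrf GUEST
 rd 65000:20
!
! The guest isolation VLAN lives entirely inside the GUEST VRF.
! "ip vrf forwarding" clears any IP address on the interface, so it comes first.
! DHCP and DNS for guests must be reachable inside the VRF (e.g. on the
! firewall's guest side), not in the global table.
interface Vlan20
 description Guest WLAN isolation VLAN (GUEST VRF)
 ip vrf forwarding GUEST
 ip address 10.20.0.1 255.255.0.0
!
! Dedicated guest-side link to the firewall. Where the uplink is shared, a
! separate dot1q subinterface per VRF on the trunk does the same job.
interface GigabitEthernet1/1
 description Guest VRF uplink toward firewall
 ip vrf forwarding GUEST
 ip address 192.0.2.2 255.255.255.252
!
! The only route in the GUEST table: everything goes to the firewall.
ip route vrf GUEST 0.0.0.0 0.0.0.0 192.0.2.1
!
! Global-table interfaces are untouched and nothing is leaked in either
! direction, so internal subnets are simply unreachable from VLAN 20.
interface Vlan10
 description Staff VLAN (global routing table)
 ip address 10.10.0.1 255.255.0.0
```

`show ip route vrf GUEST` should list only the connected 10.20.0.0/16 and the static default; if any enterprise prefix appears there, containment has been broken by a leaked route. In a multi-tier routed campus every L3 hop between the access SVI and the firewall has to carry the VRF, one per-VRF subinterface or VLAN per link, which is the "requires newer gear" and configuration-effort cost the slide alludes to.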

Topics

Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion

WLSM!

Cisco Networkers 2004 slides about WLSM
Sources:
  http://www.networkers04.com/published/ACC-2011/ACC-2011.pdf
  http://www.networkers04.com/published/RST-2506/RST-2506.zip
WLSM does require 6500 w/ 720 engine
Other requirements: WAP code version, WLSE code version
  See documentation for details

WLSM: Things to Watch For

Fast Secure Roaming (FSR) caches keys
  FSR requires CCKM (Cisco Centralized Key Management): TKIP or WPA with CCKM
  See the documents for compatible cipher suites
  Supported for LEAP or EAP-FAST (as of 2004)
  Cisco or CCX compatible clients
L3 FSR roaming is fast for unicast, not as fast for multicast
  Need join to wired network, etc.: some delay
  But can deliver high multicast rates using mostly wired paths
Need to watch the WLSM scaling numbers
  No inter-WLSM blade roaming!
Keep an eye on AAA scaling (not as big a concern)

Other WLSM Factoids

Read the Design and Deployment Guide (RTDDG)
  URL is on the next slide
  Cf. page 35 re MTU and GRE
  Cf. page 39, PING doesn't work in a couple of cases
Can do HSRP-like redundancy; state lost on failover
Without CCKM, roaming works but re-association is slow
L2 broadcast apps won't work with WLSM
Can't have NAT in between WAP and WLSM; WLCCP message not fixed up (yet)
QoS takes some configuration effort
  Limited QoS in hardware for GRE tunnels, prior to the PFC-3B

References: WLSM

WLSM links can seem well-hidden
  Some are under switch services modules, some under WAP 1200
  Alternative: use Search to find them
Services module page (includes video clip): http://www.cisco.com/en/US/products/ps5865/index.html
WLSM Deployment Guide: http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a0080362bd0.html
WLSM Detailed Design and Implementation Guide: http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

Topics

Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion

Gather Requirements Information (flowchart, Page-1)

Start: A successful design must consider requirements for the next 2 or more years to minimize the risk and costs of substantial infrastructure changes

Get Wired: collect information about any existing or planned WIRED infrastructure
  L3 to access? How far?
  Security: match WIRED
    802.1x or NAC?
    IPsec in use for remote access?
    CS/ACS in place?
  PoE: match WIRED

Decision: Does the WIRED design use a L3 core?
  Layer 3 core & distribution switches: consider WLSM in light of other requirements.
Decision: Does the WIRED design provide PoE?
  WAP power alternatives: 1) All switch blades: IPT deployment; 2) Add a PoE blade to support WAPs; 3) Add power injectors at closet; 4) Add power circuits to point of WAP deployment (time, cost)
Decision: Will the WIRED network be using 802.1x or NAC?
  It usually makes sense to have WAP authentication and admission control match the wired network.
To Page-2

Gather Requirements Information (cont'd) (flowchart, Page-2)

From Page-1
Roaming, Authentication: gather info about any near-term roaming, mobility requirements
  Ask about sources of potential wireless authentication issues (PDA, phone, etc.)
  Listen to whether desktop drivers may be an issue
Decision: Mobility required? What kind of roaming?
  Consider VoIP over WLAN, wireless PDA, etc. Determine L2 vs. L3 mobility needs. Consider WLSM. VoWLAN also increases site survey complexity and costs, and equipment costs.
Decision: Device authentication limitations?
  Consider PDAs, phones, bar code scanners, WLAN smoke detectors, etc. May need multiple SSIDs, VLANs. Determine capabilities and needs.
Decision: Desktop authentication limitations, e.g. drivers, support?
  Colleges, etc. may not want to deal with desktop drivers for 802.1x, etc.
To Page-3

Mobility and Roaming

Be sure to gather info and think about:
  L2 vs L3 Fast Secure Roaming
  How tight a time for roaming to occur (VoWLAN?)
  Scope for L2 roaming
  Scope for L3 roaming
  Do people really type while they walk? Talk on phone & walk?

Mobility and Roaming 2

WAP can do smaller scale WDS, L2 mobility
New 2800/3800 routers can do larger scale WDS, only L2 FSR mobility at present
Need WLSM for largest-scale WDS and L2/L3 FSR mobility right now

Gather Requirements Information (cont'd) (flowchart, Page-3)

From Page-2
Security: listen to management concerning wireless security fears, needs, requirements
  Look at existing security policy, if available
  Examine potential risks (snooping, adverse publicity, etc.)
  Find out if multiple static or dynamic VLANs match site security needs
  Listen for any other security needs that might interact with the WLAN
Decision: Want 802.1x user group dynamic VLANs?
Decision: Need guest or other group isolation?
  Degree of severity of guest isolation?
Decision: OK with Infrastructural WLAN?
Decision: Other WLAN security needs?
Document Requirements & Revise
  Document requirements, cycle with customer
  Document customer requirements
  Customer approval of reqts document?
  Revisit requirements from the top
To Page-4

Security

Really need to understand customer security requirements and plans, on the WIRED as well as the WLAN side
  Web login?
  802.1x & NAC?
  Dynamic VLANs? (Which form of them?)
Needs regarding secure WLAN authentication
Needs concerning WLAN confidentiality
Risks and needs and policies concerning guest & contractor access
Risks and fears concerning WLAN, liability

Basic WLAN Risk Model

Do you trust WLAN authentication to be at least as secure as your wired port authentication technique?
  Have you thought about conference rooms and unused wall ports lately?
  Visitor controls?
Do you want to isolate the WLANs in case future security issues turn up?
Do you have WLAN guest users?
Consider personal firewall for WLAN users (home or away)!!!

Securing WLAN: Secure Management

Need secure way to manage WLAN infrastructure switches and WAPs
  Cisco WLAN Solution Engine (WLSE)
  Separate management VLAN
  ACLs restricting traffic to/from mgmt VLAN
  SSH instead of telnet
  TFTP: no authentication, but must be enabled to launch image transfer
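The management-plane measures listed on this slide, as an added example that is not the handout's own configuration: a dedicated management VLAN whose SVI ACL lets the WLAN infrastructure talk only to the management servers, SSH version 2 on the VTY lines with Telnet disabled, and an access-class limiting who may connect at all. Cisco IOS syntax for a Catalyst distribution switch; the VLAN, subnets, hostname, domain and ACL names are constructed. The `ip ssh` and `line vty` settings apply unchanged on an IOS access point.

```cisco
! Added example, not from the handout; VLAN, subnets and names are constructed.
! Management VLAN 99 holds the WAP and WLAN-switch management addresses.
! Management servers (WLSE, ACS, admin hosts) sit in 10.0.5.0/24.
vlan 99
 name WLAN-MGMT
!
! Inbound on the management SVI: devices in the mgmt VLAN may reach only the
! management servers, so a compromised WAP cannot pivot into user subnets.
! Anything else the WAPs legitimately need (NTP, syslog) must be added here.
ip access-list extended MGMT-VLAN-IN
 permit ip 10.99.0.0 0.0.0.255 10.0.5.0 0.0.0.255
 deny   ip any any log
!
interface Vlan99
 description WLAN infrastructure management VLAN
 ip address 10.99.0.1 255.255.255.0
 ip access-group MGMT-VLAN-IN in
!
! SSH instead of telnet. The RSA key pair must exist first; it is generated
! once from exec mode with: crypto key generate rsa modulus 2048
hostname dist-sw1
ip domain-name example.net
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username <ADMIN-USER> secret <ADMIN-PASSWORD>
!
! Only the management servers may open a VTY session, and only over SSH.
ip access-list standard MGMT-HOSTS
 permit 10.0.5.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
!
! TFTP carries no authentication. MGMT-VLAN-IN already confines image transfers
! to the 10.0.5.0/24 servers; enable TFTP only for the duration of an upgrade.
```

`transport input ssh` is the line that actually retires Telnet; `ip ssh version 2` alone still leaves port 23 listening. The `deny ... log` entries turn any attempt to reach the management VLAN or VTYs from an unexpected source into a syslog event, which is the cheapest monitoring the slide's "secure management" goal gets.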

Design

After determining requirements and other factors, build a design
  First make big choice (WLSM or not)
  Then lay out topology
  Then fill in high-level features to be used
  Site survey: there are choices on this
  Document design and rationale, and cycle with customer

Complete WLAN Design Details (flowchart, Page-4)

From Page-3
Determine supporting equipment needs: WLSE, WLSM, ACS, PoE, etc.
  Include WLSM if appropriate.
  Consider PoE versus power injection or power to WAPs
Rough site survey to estimate # of WAPs
  Consider VoWLAN needs in site survey planning
Determine WLAN topology layout
Determine WLAN high-level configuration details
  SSIDs, VLANs, dynamic VLANs, addressing, authentication, encryption, roaming support, etc.
Document WLAN design, review by customer, etc.

Topics

Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion

Gotcha #1: IPsec Is Not a Panacea

IPsec is tempting when you're getting started
  Good authentication, fairly simple, well-understood, already supported
But it doesn't scale as usage grows
  Wired replacement with WLAN means you have a lot of VPN clients and throughput
  Stresses VPN Concentrators
  Need more VPN Concentrators ($$$$)
  Encrypted traffic & QoS?
Alternative
  Infrastructure plus VLANs, WLSM?

Gotcha #2: Not All Devices Are Created Equal

What else might you want on your WLAN?
  Wireless phones
  802.11-capable cell phone of the near future
  PDA with 802.11
  Sensors with PoE and 802.11 (HVAC, smoke, door, etc.)
Potential issue: authentication and encryption!
This is where the flexibility of multiple SSIDs and VLANs provides future-proofing

Gotcha #3: Site Surveys

Site surveys come in different degrees of cost and rigorousness:
  "Thanks, I'll save $$ and do it myself"
    You may get what you pay for?
    SWAG WAP count, buy some extras, locate, fine-tune (perhaps using WLSE assisted walkthrough)
    Does take time, still
  Professional light (locates potential interference and other problems up front)
  Professional heavy (for VoWLAN support)
    See URL on VoWLAN slide (next); the 7920 phone document has a lot of good info in it

Gotcha #4: VoWLAN

Good thing, very popular in medical environments
But needs to be done right, as VoWLAN is more demanding
  Site survey requirements and care in installation tighter
  See Cisco Wireless IP Phone 7920 Design and Deployment Guide
  http://www.cisco.com/en/US/products/hw/phones/ps379/products_implementation_design_guide_book09186a00802a029a.html
  Consider QoS, Security, and other issues

Gotcha #5: Mismatch with Wired Security

You made your WLAN very secure
But the WIRED network is wide-open???
  Contractors, guests, etc.?
Suggestions:
  Don't get overly uptight about WLAN security and overlook WIRED security
  Do consider using similar authentication for both, e.g. 802.1x
  WLAN does need encryption on wireless transmissions for confidentiality

Minor Gotcha #6: CCX Version 2

Needed with WLSE for assisted walkabout, client-side rogue detection, etc.
See http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html for vendor support
Should be fairly well supported

Topics

Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion

Other: WLSE

Management of WAPs
  Configuration archival
  Templates to send out configlets to WAPs
  WAP Fault Management
  WAP Performance Exception Management
  RF management, assisted walk-through, rogue WAP tracking
Required for WLSM
If you have WLSM, you probably have enough WAPs that you really need WLSE anyway
http://whatever:1741

Other: Power Over Ethernet (PoE)

The alternatives
  Get electrical circuits and junction boxes installed at WAP locations
    More costly than you'd first think
    Inflexible as to (re-)location of WAPs
    UPS??
  Use power injectors
    Slight amount of cabling complexity
  Use PoE blade in switch to support WAPs
    Cost-effective, flexible
    Careful: switch power supply big enough?
  Full PoE in closets
    Due to cost, this is probably done as part of preparation for IP phone deployment

Other: Security Devices & Blades

CiscoSecure ACS
  Needed for WLSE / WDS in WLAN deployment
VPN Concentrator
  Consider VPN Service Module for 6500
IDS
  Consider IDS Services Module for 6500
Firewall
  Consider Firewall Services Module for 6500

Topics

Previous and Current Common WLAN Designs
WLSM Module: Added Capabilities
Determining WLAN Requirements
WLAN Gotchas
Other Parts of the Solution
Conclusion

References: Networkers 2004

Networkers 2004 had numerous presentations on WLAN, see
http://www.networkers04.com/catalog/controller/catalog

WLAN Book References

O'Reilly Press: 802.11 Wireless Networks: The Definitive Guide (O'Reilly Networking), by Matthew Gast
  http://www.amazon.com/exec/obidos/tg/detail/-/0596001835/qid=1105022925
Cisco Press: Cisco Wireless LAN Security, by Krishna Sankar, Sri Sundaralingam, Darrin Miller, Andrew Balinsky
  http://www.amazon.com/exec/obidos/tg/detail/-/1587051540/qid=1105022925
802.11 Wireless Network Site Surveying and Installation, by Bruce Alexander
  http://www.amazon.com/exec/obidos/tg/detail/-/1587051648/qid=1105022925/
Wireless Local-Area Network Fundamentals, by Pejman Roshan, Jonathan Leary
  http://www.amazon.com/exec/obidos/tg/detail/-/1587050773/qid=1105023211/

Summary

Having completed this seminar, you should now:
  Know some of the customer requirements to ask about when conducting a WLAN design
  Know how to improve the quality of your WLAN designs
  Understand various common WLAN design models, their pros and cons
  Understand Cisco technical capabilities, their pros and cons
  Understand gotchas, interactions between features
  Understand a flowchart for determining WLAN customer requirements
Thanks for coming!

Any Questions?

For a presentation copy, please email [email protected]

Chesapeake Netcraftsmen Can Provide

Network design review: how to make what you have work better
Periodic strategic advice: what's the next step for your network or staff
Network management tools & procedures advice: what's right for you
Implementation guidance (your staff does the details) or full implementation

Chesapeake Netcraftsmen does
  Small- and Large-Scale Routing and Switching (design, health check, etc.)
  Security design and management (IDS, firewalls, VPN, enterprise-scale security information management, security reviews)
  QoS (strategy, design and implementation)
  IP Telephony (preparedness survey, design, and implementation)
  Call Manager deployment
  Network Management (design, installation, tuning, tech transfer, etc.)