Nov 05, 2010 | Post by: aaron 2 Comments

CCNP SWITCH 642-813 :: Wireless


For the purpose of this exam, Wireless LANs (WLAN) transmit using either RF or infrared frequencies, often through an access point.  One interesting point is that for the spectrums covered on the test, there are usually no additional  RF licenses required.  They are limited in physical transmission distance (ex. within a floor, department, or campus) and are considered by Cisco an extension of the wired campus network.


The Cisco Unified Wireless Network

Cisco’s wireless architecture model includes 5 layers:

  1. Client devices – Wireless end clients (ex. laptop, smart phone.  Note: Cisco mentions that these must be Cisco “approved”, although almost all wireless devices will work)
  2. Mobility platform – Access points and wireless bridges
  3. Network unification – Existing wired network (ex. routers, switches, WLAN controllers)
  4. Network management – WLAN location, management and security (Cisco Wireless Control System [WCS] is Cisco’s solution here)
  5. Mobility services (also called Unified Advanced Services) – advanced products and services like wireless IP phones, RF firewalls, and location appliances

Note:  Cisco offers wireless IP phones with the same feature set found in desk phones, including optional LEAP authentication.


The Cisco Compatible Extensions Program

The Cisco Compatible Extensions (CCX) program ensures the widespread availability of client devices that are interoperable with a Cisco WLAN infrastructure.  You may notice a “Cisco Compatible” sticker on the device or its packaging.

Wireless LAN Attributes

Wireless access points provide client connectivity similar to what a switch would do in a wired infrastructure.  Radio waves are the physical medium as opposed to wires, and the same network and application layer protocols can run over a WLAN (ex. IP, HTTP, etc.).


Some specific considerations

  • WLANs use Carrier Sense Multiple-Access/Collision Avoidance (CSMA/CA)
  • Because it is “avoidance” centric and not “detection” centric, it is half duplex
  • CSMA/CA uses RTS (request to send) and CTS (clear to send) messages to avoid collisions
  • RF is susceptible to interference, distortion, and noise often caused by physical structures and specific materials.
  • WLAN design should include the fact that clients are often mobile and use batteries.
  • Different countries have unique rules and standards regarding RF implementations.
  • Antennas are characterized by polarization, gain, and directionality and antenna power is measured in dBi


SSIDs

Service Set Identifiers or SSIDs map a network, by VLAN, to a specific segment of users.  The segment of users can have specific QoS or security assigned to them when they associate with the SSID.  The SSIDs are often broadcast by wireless access points, but can also be simply statically configured on a host device.

Note:  SSID names are case sensitive, so inconsistent case in an SSID configuration can result in a failed connection.

Another important point regarding SSID configuration is when an AP is hosting multiple SSIDs (and in turn multiple VLANs), the link back to the switch must be a trunk that supports all of the VLANs.


Wireless Topologies

There are three main types of WLAN topologies used today:

  • Client access (think end devices connecting to an AP )
  • Point-to-point (ex. building-to-building)
  • Mesh

There are two modes of connection:

  • Ad-hoc (a.k.a. Independent Basic Service Set [IBSS])
    • Clients communicate directly with each other without the use of an access point
    • Limited in range and function
  • Infrastructure
    • Basic Service Set [BSS] – One AP to connect to clients, so the signal range (known as its microcell) must encompass all clients
    • Extended Service Set [ESS] – Multiple APs with overlapping microcells connected by a common distribution system
      • Microcells should overlap by 10-15% for data
      • Microcells should overlap by 15-20% for voice
      • Each AP should use a different channel

Note:  Wireless bridges allow wired devices to connect to the wireless network by plugging directly into the bridge.

  • Wireless Mesh
    Wireless mesh networks are usually designed for long distances.  Only the APs on the edges of the mesh network are connected to the wired infrastructure – the rest hop AP to AP, each acting as a repeater.  Each intermediate AP has multiple paths through the mesh network, all coordinated by the Adaptive Wireless Path (AWP) protocol.  AWP chooses the best path for traffic to the wired network and also selects a backup path in case the preferred path fails.


Client Connectivity

The following steps define how clients connect to an access point.  Keep in mind that APs send out beacons with SSID information at regular intervals unless configured otherwise.

  1. Client sends a probe request and listens for probe responses and beacons
  2. AP replies to the request with a probe response
  3. Client then initiates an association with the access point.  During the association, 802.1x authentication and any other necessary security information is passed to the AP.
  4. AP accepts the association.  MAC address and SSID information is exchanged between the two.
  5. AP adds the client’s MAC to its association table

When ESS Infrastructure mode is in use, clients can roam (associate with another AP) between APs, but the access points must be configured with the same SSID/VLAN information and security settings.  Layer 2 roaming is done using Inter-Access Point Protocol (IAPP) with multicast.  Layer 3 roaming is performed across different subnets using wireless LAN controllers.

Note:  VoIP over WLAN is susceptible to latency and jitter problems.  This is a particular issue when roaming between APs, so short roaming times are critical.

A client will automatically attempt to roam if any of the following are present:

  • Data rate is reduced
  • Misses too many beacons from the associated AP
  • Max data retry count is exceeded
  • If configured to search for another AP at regular intervals

Client roaming requires the following configured:

  • All APs should be configured with identical VLANs
  • All APs should be configured with identical subnets
  • All APs should be configured with identical SSIDs


WLAN Components

Cisco supports two different types of wireless access points, autonomous and lightweight.  Autonomous systems are able to provide wireless services independently, and lightweight models work in combination with a wireless controller.  Both variations can receive their power from Power over Ethernet (PoE) switches or midspan power injectors, which inject power into a cable run.  Both of these options are important because they prevent the need for electrical outlets near an AP, giving more flexible location options.  Note that access points can require up to 15 Watts of power, so if you are running PoE, make sure the switch can power the number of APs connected.


Autonomous APs

Autonomous APs run Cisco IOS and are configured directly.  The traffic flows from client, to autonomous AP, to connected switch, to the rest of the network.  If roaming is a requirement, make sure proper VLANs and SSIDs are configured (make sure a management VLAN is included).  Also, only layer 2 roaming is possible on autonomous APs.  Make sure the switch has power and remember to configure the connected switch interface as a trunk if you are using multiple VLANs.

Redundancy is provided by multiple APs.


Repeaters

Repeaters are access points configured to extend the radio range of an existing wireless network.  The repeater AP is not connected to the wired LAN, instead it is in the signal range of an AP connected to the wired LAN.  Autonomous access points are required if you need to configure repeaters.  The SSID must match on both the root access point and the repeater AP and the recommended coverage overlap between the AP connected to the wired LAN and the repeater AP is 50%.

Because repeaters are also configured on the same channel as the LAN-connected AP, every additional repeater that is added to the chain on the same channel effectively cuts the throughput of that network in half because wireless works in half-duplex mode.  If any AP is transmitting, everyone else must wait their turn to relay the message.


Lightweight APs

When using lightweight access points, the AP and the wireless LAN controller (WLC) split the functions of layer 2, the MAC layer (sometimes referred to as “split” MAC).  The management controller includes a Wireless Control System (WCS) and location-tracking appliance.  Redundancy consists of multiple WLCs.

The AP handles real-time processes and the WLC handles processes like:

  • Security
  • VLAN tagging
  • QoS
  • Forwarding traffic
  • Authentication
  • Client association

Controllers provide a single point of management, which can be a big advantage in large-scale deployments.

This is where it starts getting heady, especially if you’re a route/switch guy… but hang with me.


LWAPP

LWAPP provides access point discovery, information exchange, and configuration.  LWAPP encapsulates control traffic using UDP port 1024 as the source and UDP port 12223 as the destination.  Layer 3 LWAPP uses a UDP/IP frame, which requires the Cisco AP to get its IP address from a DHCP server.

The split MAC function is performed by LWAPP, or Lightweight Access Point Protocol, which uses AES-encrypted control messages but does not encrypt data traffic (control traffic is LWAPP encapsulated and encrypted / data traffic is LWAPP encapsulated but not encrypted).  A newer IETF standard that can perform the same function is CAPWAP (Control and Provisioning of Wireless Access Points protocol).  Both CAPWAP and LWAPP use UDP, and the controller does not have to be in the same subnet as the APs, just reachable through IP.

Lightweight APs use this process to discover their controller:

  1. The AP requests a DHCP address – the response includes the management IP of one or more WLCs.
  2. The AP sends a Discovery Request message (using LWAPP or CAPWAP) to each WLC.
  3. The WLC responds (using LWAPP or CAPWAP) with a Discovery Response that includes the number of APs associated with it.
  4. The AP sends a Join Request to the WLC with the fewest APs associated to it.
  5. The WLC responds with a Join Response message.  Once that is complete, the AP and controller exchange authentication information and produce encryption keys for future control messages.  The WLC then configures the AP (SSID, channels, security settings, etc.).

Step 2 (discovery request) explained:

If Layer 2 LWAPP mode is supported on the LAP, the LAP broadcasts an LWAPP discovery message in a Layer 2 LWAPP frame.   If the LAP does not support Layer 2 mode, or if the WLC or the LAP fails to receive an LWAPP discovery response to the Layer 2 LWAPP discovery message broadcast, the LAP attempts a Layer 3 LWAPP WLC discovery.


Lightweight AP Planning

When using lightweight access points, the traffic flows from the client to the AP, through the switched network, to the WLC, and finally from there to its destination.  Because the traffic always goes from the AP to the controller, it is important that the AP has layer 3 connectivity to the WLC.

While the controllers can be distributed across the network (ex. a single controller in each building), Cisco recommends a centralized approach co-locating them for example together in your data center.  Simplified management and user mobility are the reasons.

VLAN and SSID assignments must be configured on the controller in a lightweight AP environment, as opposed to the autonomous model.  A management VLAN is used to communicate between the AP and controller.  The interface on the switch connected to the AP should be an access port using the management VLAN ID.  The interface on the switch connected to the controller should be a trunk to forward traffic for multiple subnets.  Etherchannels (portchannels) are often used to connect WLCs to the switch for redundancy and bandwidth.

When using LWAPP on a lightweight AP, the console port provides read-only access to the device.  As with the autonomous model, you should make sure the AP has power from either PoE or a power injector. 


WLC Configuration
WLCs can be configured by command-line or through a web browser and GUI interface.  There are two commands that enable the web interface modes on the controller:

To enable HTTP access
config network webmode {enable | disable}

To enable HTTPS access
config network secureweb {enable | disable}

Note:  Cisco WLAN controllers can be either an appliance, module for 6500 and 7600 series switches, or integrated into 3750G switches.  Also, while we aren’t going to get into configuring an AP, you should be aware that the virtual interface on a WLC is often used for a DHCP relay.


Hybrid Remote Edge Access Point (H-REAP)

If the wireless controllers are located across the WAN, some significant problems can result.  The traffic would have to travel over the WAN to the controller and back again.  Also, if the WAN link goes down or flaps, the APs quickly lose functionality.

H-REAP is designed to address these problems.

  • Connected mode – When the controller is reachable, APs only send non-local traffic to the controller – the rest is just sent directly to the locally-attached switch for forwarding.  That prevents local traffic from having to cross the WAN.  Also, it doesn’t have to be local traffic – you can configure any VLANs you want to stay off the controller, but local VLANs make the most sense.  The AP sends only remote and authentication traffic to the controller.

Note:  In this mode, the connection between the AP and the switch should be a trunk to carry all the VLANs.

  • Disconnected mode – If the controller becomes unreachable, the AP authenticates clients itself.  Local traffic is still sent to the local switch, but remote destinations will not be reachable as the WAN would be down.

Note:  H-REAP is configured on the controllers, not the APs.


Switch Configuration for Wireless

  • For an autonomous AP, configure it as an access port for a single VLAN or a trunk port for multiple VLANs.  Trust CoS if the link is a trunk.  Set the trunk’s native VLAN to the AP’s management VLAN.  Prioritize voice if you are using wireless VoIP phones.
  • For a controller-based AP, generally use an access port and place it in the management VLAN.  Trust CoS on the port and again prioritize voice if you are using wireless VoIP phones.
  • Configure the switch port connected to the controller as a trunk port (limited to only wireless and management VLANs).  Trust CoS on the port and again prioritize voice if you are using wireless VoIP phones.
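The three port roles above (and the H-REAP trunk note) written out as a Catalyst IOS configuration.  This is an added example, not from the original post: the interface and Port-channel numbers and the VLAN IDs (10 management, 20 wireless data, 30 wireless voice) are constructed, and the QoS lines use the 3560/3750-style `mls qos` syntax, with `priority-queue out` as one way to give voice (CoS 5) an expedite queue.

```cisco
! Added example (not from the original post). VLAN 10 = management,
! VLAN 20 = wireless data, VLAN 30 = wireless voice: all assumed values.
mls qos
!
! 1. Autonomous AP hosting several SSIDs/VLANs (same shape for an H-REAP
!    AP in connected mode): trunk, native VLAN = AP management VLAN,
!    trust CoS, and limit the trunk to the WLAN VLANs.
interface GigabitEthernet1/0/1
 description Autonomous AP (multiple SSIDs)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 mls qos trust cos
 priority-queue out
 spanning-tree portfast trunk
!
! 2. Controller-based (lightweight) AP: access port in the management VLAN;
!    client VLANs ride inside the LWAPP/CAPWAP tunnel to the WLC.
interface GigabitEthernet1/0/2
 description Lightweight AP
 switchport mode access
 switchport access vlan 10
 mls qos trust cos
 priority-queue out
 spanning-tree portfast
!
! 3. WLC uplink: EtherChannel trunk limited to the wireless and management
!    VLANs. The WLC LAG needs an unconditional "mode on" bundle.
interface range GigabitEthernet1/0/23 - 24
 description WLC LAG members
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 channel-group 1 mode on
!
interface Port-channel1
 description WLC (LAG)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 mls qos trust cos
 priority-queue out
```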


2 Comments to CCNP SWITCH 642-813 :: Wireless

  1. Allan CCNA/CWTS
    December 17, 2010 6:48 am

    Client Connectivity

    Step 4. Question. The AP’s beacon contains the mac address and ssid. So the client already knows the AP’s information. Does this step include sending each other’s or is only the client sending theirs? Obviously this doesn’t matter at all. I’m more or less writing this to concrete the theory down.

  2. Christopher Pepper
    January 6, 2012 9:57 am

    Wow, I was beginning to get really frustrated until I found this! Thanks!
