CCNP SWITCH 642-813 :: Wireless & Security Topics

Posted on November 5, 2010.

 

For the purpose of this exam, wireless LANs (WLANs) transmit using either RF or infrared frequencies, often through an access point.  One interesting point is that for the spectrums covered on the test, no additional RF licenses are usually required.  WLANs are limited in physical transmission distance (ex. within a floor, department, or campus) and are considered by Cisco an extension of the wired campus network.

The Cisco Unified Wireless Network

Cisco’s wireless architecture model includes 5 layers:

  1. Client devices – Wireless end clients (ex. laptop, smart phone; note: Cisco mentions that these must be Cisco “approved”, although almost all wireless devices will work)
  2. Mobility platform – Access points and wireless bridges
  3. Network unification – Existing wired network (Ex. routers, switch, WLAN controllers)
  4. Network management – WLAN location, management and security (Cisco Wireless Control Systems [WCS] is Cisco’s solution here)
  5. Mobility services (also called Unified Advanced Services) – advanced products and services like wireless IP phones, RF firewalls, and location appliances

Note:  Cisco offers wireless IP phones with the same feature set found in desk phones, including optional LEAP authentication.


The Cisco Compatible Extensions Program

The Cisco Compatible Extensions (CCX) program ensures the widespread availability of client devices that are interoperable with a Cisco WLAN infrastructure.  You may notice a “Cisco Compatible” sticker on the device or its packaging.
 

Wireless LAN Attributes

Wireless access points provide client connectivity similar to what a switch does in a wired infrastructure.  Radio waves are the physical medium as opposed to wires, and the same network and application layer protocols can run over a WLAN (ex. IP, HTTP, etc.).


Some specific considerations

  • WLANs use Carrier Sense Multiple-Access/Collision Avoidance (CSMA/CA)
  • Because it is “avoidance” centric and not “detection” centric, it is half duplex
  • CSMA/CA uses RTS (request to send) and CTS (clear to send) messages to avoid collisions
  • RF is susceptible to interference, distortion, and noise often caused by physical structures and specific materials.
  • WLAN design should include the fact that clients are often mobile and use batteries.
  • Different countries have unique rules and standards regarding RF implementations.
  • Antennas are characterized by polarization, gain, and directionality and antenna power is measured in dBi


SSIDs

Service Set Identifiers or SSIDs map a network, by VLAN, to a specific segment of users.  The segment of users can have specific QoS or security assigned to them when they associate with the SSID.  The SSIDs are often broadcast by wireless access points, but can also be simply statically configured on a host device.

Note:  SSID names are case sensitive, so inconsistent case in an SSID configuration can result in a failed connection.

Another important point regarding SSID configuration is when an AP is hosting multiple SSIDs (and in turn multiple VLANs), the link back to the switch must be a trunk that supports all of the VLANs.


Wireless Topologies

There are three main types of WLAN topologies used today:

  • Client access (think end devices connecting to an AP)
  • Point-to-point (ex. building-to-building)
  • Mesh

There are two modes of connection:

  • Ad-hoc (a.k.a. Independent Basic Service Set [IBSS])
    • Clients communicate directly with each other without the use of an access point
    • Limited in range and function
  • Infrastructure
    • Basic Service Set [BSS] – One AP to connect to clients, so the signal range (known as its microcell) must encompass all clients
    • Extended Service Set [ESS] – Multiple APs with overlapping microcells connected by a common distribution system
      • Microcells should overlap by 10-15% for data
      • Microcells should overlap by 15-20% for voice
      • Each AP should use a different channel

Note:  Wireless bridges allow wired devices to connect to the wireless network by plugging directly into the bridge.

  • Wireless Mesh
    Wireless mesh networks are usually designed for long distances.  Only the APs on the edges of the mesh network are connected to the wired infrastructure – the rest hop AP to AP, each acting as a repeater.  Each intermediate AP has multiple paths through the mesh network, all coordinated by the Adaptive Wireless Path (AWP) protocol.  AWP chooses the best path for traffic to the wired network and also selects a backup path in case the preferred path fails.


Client Connectivity

The following steps define how clients connect to an access point.  Keep in mind that APs send out beacons with SSID information at regular intervals unless configured otherwise.

  1. The client sends a probe request and listens for probe responses and beacons
  2. The AP replies to the request with a probe response
  3. The client then initiates an association with the access point. During the association, 802.1x authentication and any other necessary security information is passed to the AP.
  4. The AP accepts the association. MAC address and SSID information is exchanged between the two.
  5. The AP adds the client’s MAC to its association table

When ESS Infrastructure mode is in use, clients can roam (associate with another AP) between APs, but the access points must be configured with the same SSID/VLAN information and security settings.  Layer 2 roaming is done using Inter-Access Point Protocol (IAPP) with multicast.  Layer 3 roaming is performed across different subnets using wireless LAN controllers.

Note:  VoIP over WLAN is susceptible to latency and jitter problems.  This is a particular issue when roaming between APs, so short roaming times are critical.

A client will automatically attempt to roam if any of the following are present:

  • Data rate is reduced
  • Misses too many beacons from the associated AP
  • Max data retry count is exceeded
  • If configured to search for another AP at regular intervals

Client roaming requires the following configured:

  • All APs should be configured with identical VLANs
  • All APs should be configured with identical subnets
  • All APs should be configured with identical SSIDs


WLAN Components

Cisco supports two different types of wireless access points, autonomous and lightweight.  Autonomous APs are able to provide wireless services independently, while lightweight models work in combination with a wireless controller.  Both variations can receive their power from Power over Ethernet (PoE) switches or from midspan power injectors, which inject power into a cable run.  Both of these options are important because they remove the need for electrical outlets near an AP, giving more flexible location options.  Note that access points can require up to 15 Watts of power, so if you are running PoE, make sure the switch can power the number of APs connected.


Autonomous APs

Autonomous APs run Cisco IOS and are configured directly.  The traffic flows from client, to autonomous AP, to connected switch, to the rest of the network.  If roaming is a requirement, make sure proper VLANs and SSIDs are configured (make sure a management VLAN is included).  Also, only layer 2 roaming is possible on autonomous APs.  Make sure the switch has power and remember to configure the connected switch interface as a trunk if you are using multiple VLANs.

Redundancy is provided by multiple APs.


Repeaters

Repeaters are access points configured to extend the radio range of an existing wireless network.  The repeater AP is not connected to the wired LAN; instead, it sits within the signal range of an AP that is connected to the wired LAN.  Autonomous access points are required if you need to configure repeaters.  The SSID must match on both the root access point and the repeater AP, and the recommended coverage overlap between the AP connected to the wired LAN and the repeater AP is 50%.

Because repeaters are also configured on the same channel as the LAN-connected AP, every additional repeater that is added to the chain on the same channel effectively cuts the throughput of that network in half because wireless works in half-duplex mode.  If any AP is transmitting, everyone else must wait their turn to relay the message.


Lightweight APs

When using lightweight access points, the AP and the wireless LAN controller (WLC) split the functions of layer 2, the MAC layer (sometimes referred to as “split” MAC).  The management controller includes a Wireless Control System (WCS) and location-tracking appliance.  Redundancy consists of multiple WLCs.

The AP handles real-time processes and the WLC handles processes like:

  • Security
  • VLAN tagging
  • QoS
  • Forwarding traffic
  • Authentication
  • Client association

Controllers provide a single point of management, which can be a big advantage in large-scale deployments.

This is where it starts getting heady, especially if you’re a route/switch guy… but hang with me.


LWAPP

LWAPP provides access point discovery, information exchange, and configuration.  LWAPP-encapsulated control traffic uses UDP port 1024 as the source and UDP port 12223 as the destination.  Layer 3 LWAPP uses a UDP/IP frame, which requires the Cisco AP to get its IP address from a DHCP server.

The split MAC function is performed by LWAPP (Lightweight Access Point Protocol), which uses AES-encrypted control messages but does not encrypt data traffic (control traffic is LWAPP-encapsulated and encrypted; data traffic is LWAPP-encapsulated but not encrypted).  A newer IETF standard that can perform the same function is CAPWAP (Control and Provisioning of Wireless Access Points protocol).  Both CAPWAP and LWAPP use UDP, and the controller does not have to be in the same subnet as the APs, just reachable through IP.

Lightweight APs use this process to discover their controller:

  1. The AP requests a DHCP address – the response includes the management IP of one or more WLC.
  2. The AP sends a Discovery Request message (using LWAPP or CAPWAP) to each WLC.
  3. The WLC responds (using LWAPP or CAPWAP) with a Discovery Response that includes the number of APs associated with it.
  4. The AP sends a Join Request to the WLC with the fewest APs associated to it.
  5. The WLC responds with a Join Response message.  Once that is complete, the AP and controller exchange authentication information and produce encryption keys for future control messages.  The WLC then configures the AP (SSID, channels, security settings, etc.).

Step 2 (discovery request) explained:

If Layer 2 LWAPP mode is supported on the LAP, the LAP broadcasts an LWAPP discovery message in a Layer 2 LWAPP frame.   If the LAP does not support Layer 2 mode, or if the WLC or the LAP fails to receive an LWAPP discovery response to the Layer 2 LWAPP discovery message broadcast, the LAP attempts a Layer 3 LWAPP WLC discovery.


Lightweight AP Planning

When using lightweight access points, the traffic flows from the client to the AP, through the switched network, to the WLC, and finally from there to its destination.  Because the traffic always goes from the AP to the controller, it is important that the AP has layer 3 connectivity to the WLC.

While the controllers can be distributed across the network (ex. a single controller in each building), Cisco recommends a centralized approach co-locating them (for example together in your data center).  Simplified management and user mobility are the reasons.

VLAN and SSID assignments must be configured on the controller in a lightweight AP environment as opposed to the autonomous model.  A management VLAN is used to communicate between the AP and controller.  The interface on the switch connected to the AP should be an access port using the management VLAN ID.  The interface on the switch connected to the controller should be a trunk to forward traffic for multiple subnets.  Etherchannels (portchannels) are often used to connect WLCs to the switch for redundancy and bandwidth.

When using LWAPP on a lightweight AP, the console port provides read-only access to the device.  As with the autonomous model, you should make sure the AP has power from either PoE or a power injector. 


WLC Configuration

WLCs can be configured by command line or through a web browser GUI.  There are two commands that enable the web interface modes on the controller:

To enable HTTP access

config network webmode {enable | disable}

To enable HTTPS access

config network secureweb {enable | disable}

Note:  Cisco WLAN controllers can be either an appliance, module for 6500 and 7600 series switches, or integrated into 3750G switches.  Also, while we aren’t going to get into configuring an AP, you should be aware that the virtual interface on a WLC is often used for a DHCP relay.


Hybrid Remote Edge Access Point (H-REAP)

If the wireless controllers are located across the WAN, some significant problems can result.  The traffic would have to travel over the WAN to the controller and back again.  Also, if the WAN link goes down or flaps, the APs quickly lose functionality.

H-REAP is designed to address these problems.

  • Connected mode – When the controller is reachable, APs only send non-local traffic to the controller – the rest is just sent directly to the locally-attached switch for forwarding.  That prevents local traffic from having to cross the WAN.  Also, it doesn’t have to be local traffic – you can configure any VLANs you want to stay off the controller, but local VLANs make the most sense.  The AP sends only remote and authentication traffic to the controller.

Note:  In this mode, the connection between the AP and the switch should be a trunk to carry all the VLANs.

  • Disconnected mode – If the controller becomes unreachable, the AP authenticates clients itself.  Local traffic is still sent to the local switch, but remote destinations will not be reachable as the WAN would be down.

Note:  H-REAP is configured on the controllers, not the APs.

 

Switch Configuration for Wireless

  • For an autonomous AP, configure the switch port as an access port for a single VLAN or a trunk port for multiple VLANs.  Trust CoS if the link is a trunk.  Set the trunk’s native VLAN to the AP’s management VLAN.  Prioritize voice if you are using wireless VoIP phones.
  • For a controller-based AP, generally use an access port and place it in the management VLAN.  Trust CoS on the port and again prioritize voice if you are using wireless VoIP phones.
  • Configure the switch port connected to the controller as a trunk port (limited to only wireless and management VLANs).  Trust CoS on the port and again prioritize voice if you are using wireless VoIP phones.

 

Security Topics

Network perimeter security, with products and defenses such as firewalls aimed at layer 3 attacks, has long been the focus of security efforts.  The SWITCH exam covers several different security topics in depth, but all from a layer 2 perspective.  These kinds of attacks are usually launched from within a network, either from legitimate or rogue devices (ex. consumer wireless access points, access switches, and hubs).

A rogue switch added to the access layer could disrupt the Spanning Tree root bridge topology and even worse, could create a loop and bring an entire segment down.

 

MAC Address Attacks

The primary MAC address attack attempts to overwhelm the CAM table.  Another layer 2 MAC attack is MAC spoofing, which allows an attacking device to receive frames intended for a different network host.  Precautions include port security and port-based authentication.

 

MAC Flooding

In a MAC flooding attack, an attacker floods a target switch with invalid source MAC addresses, which quickly fill the CAM table.  Once the table is full, any frames whose destination MAC is not in the table are flooded out all ports, causing everyone (including the attacker) to see traffic on their port that they normally would not.  After the attack stops, the CAM table entries eventually age out so things return to normal, but in the meantime the attacker may have collected valuable information.  Two preventative techniques for MAC flooding attacks are port security and DHCP snooping with Dynamic ARP Inspection (DAI) – with port security being the most common solution.

 

Port Security

Port security can put limits on both which MAC addresses are allowed to connect to a switch port and how many at any given time.  Using port security, specific MACs can be statically allowed, or dynamically “learned” using the sticky command.

If you simply enable port security on an interface, it will only allow a single MAC address to connect by default.  You should specify the maximum number of MAC addresses that may connect to the port using the switchport port-security maximum command.  If you then choose to statically assign MAC addresses to that interface, only those will be allowed, plus however many more dynamically learned addresses are needed to reach the maximum.  For example, let’s say you configure port security on an interface, configure it for a max of 2 MAC addresses, then statically configure a single MAC address with the switchport port-security mac-address command.  If you try to add another device to the port it will be accepted because you allowed two MACs with the switchport port-security maximum number command.

Note:  Port security can only be applied to access ports (including VoIP interfaces), but not trunks!

Configuring Port Security

To enable port security on the interface

Switch(config-int)# switchport port-security

Specify the maximum number of  MACs allowed (default is one)

Switch(config-int)# switchport port-security maximum number

Specify the violation action taken when the requirements defined are not met or are exceeded.  Shutdown puts the interface in the err-disable state and sends an SNMP trap, Restrict drops the violator’s frames, logs it and sends an SNMP trap, and Protect quietly drops frames from MACs not specified.  Shutdown is the default action.

Switch(config-int)# switchport port-security violation {shutdown | restrict | protect}

Statically assign MAC addresses (optional)

Switch(config-int)# switchport port-security mac-address MAC address

Set the aging time for each assigned MAC

Switch(config-int)# switchport port-security aging time 0-1440

*  Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses while still limiting the number of secure addresses on a port.  If the aging time is set to 0, aging is disabled.

Allows the switch to dynamically learn up to the maximum number of MAC addresses (optional)

Switch(config-int)# switchport port-security mac-address sticky

You can configure an interface to convert dynamically learned MAC addresses to sticky secure MAC addresses and add them to the running configuration by enabling sticky port security.  The sticky secure MAC addresses do not automatically become part of the startup configuration.  If, however, you save the running configuration to the startup configuration and then reboot the switch, the MACs will survive the reboot.

To verify the port security settings:

Switch# show port-security [interface | address]
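To make the maximum/static/sticky/violation interactions concrete, here is an added model of the port-security behaviour described above in Python (constructed example, not Cisco code or anything from the original post; the MAC addresses and log strings are made up):

```python
"""Model of Cisco IOS port-security semantics as described above.

Constructed example, not Cisco code: it reproduces the behaviour of
`switchport port-security maximum`, static `mac-address`, `mac-address
sticky` and the three `violation` modes on a single access port.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with port security enabled."""
    maximum: int = 1                      # default: a single MAC
    violation: str = "shutdown"           # default action
    sticky: bool = False                  # learned MACs persist in running-config
    static: set = field(default_factory=set)
    learned: set = field(default_factory=set)
    err_disabled: bool = False
    snmp_traps: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        if len(self.static) + len(self.learned) >= self.maximum:
            raise ValueError("maximum secure addresses already configured")
        self.static.add(mac.lower())

    @property
    def secure_macs(self) -> set:
        return self.static | self.learned

    def ingress(self, src_mac: str) -> str:
        """Return what the switch does with a frame from src_mac:
        'forward', 'drop' or 'err-disable'."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "err-disable"          # port is down, nothing passes
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.learned.add(mac)         # room left: learn dynamically
            return "forward"
        # Violation: an unknown MAC beyond the configured maximum
        if self.violation == "shutdown":
            self.err_disabled = True
            self.snmp_traps.append(f"violation trap for {mac}")   # constructed text
            return "err-disable"
        if self.violation == "restrict":
            self.log.append(f"violation from {mac}")              # constructed text
            self.snmp_traps.append(f"violation trap for {mac}")
            return "drop"
        return "drop"                     # protect: silently discard

    def running_config_macs(self) -> set:
        """Addresses that would appear in the running configuration."""
        return self.static | (self.learned if self.sticky else set())


def page_example() -> list:
    """Walk through the worked example in the text: maximum 2, one static MAC."""
    port = SecurePort(maximum=2)
    port.add_static("0000.1111.aaaa")     # constructed MAC addresses
    return [
        port.ingress("0000.1111.aaaa"),   # static entry: forward
        port.ingress("0000.2222.bbbb"),   # second MAC, still under max: forward
        port.ingress("0000.3333.cccc"),   # third MAC: violation -> err-disable
        port.ingress("0000.1111.aaaa"),   # port is now down even for the static MAC
    ]
```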

Port security and VoIP

Port security can be applied to interfaces that use voice VLANs as well.  Because voice VLANs typically also include data traffic from a connected PC and an internal switch in the phone, Cisco recommends setting the maximum number of allowed MAC addresses to 3 when using port security in conjunction with voice VLANs.

 

VLAN Attacks

The major security concern related to VLANs is a concept commonly known as “VLAN hopping”.  VLAN hopping attacks involve an attacker sending and/or receiving traffic from a VLAN to which they are not assigned.  There are two ways this can be done, switch spoofing and double-tagging – both done by manipulating the way switches create and pass data through trunk links.

 

Switch Spoofing

Switch spoofing uses a computer to mimic a trunk link with a directly connected switch using Dynamic Trunking Protocol (DTP).  DTP is enabled by default on Cisco switches, and trunk ports also pass all VLANs across trunks by default.  If an attacker is able to trick the switch into establishing a trunk port, they are able to access (and inject) all traffic going through the switch.

 

802.1Q Double-Tagging

A double-tagging attack is possible because 802.1Q does not tag frames sent using the native VLAN.  In this attack, the attacker sends a payload with two VLAN tags, the first assigned to the segment’s native VLAN and the second assigned to the target destination’s VLAN.  The first switch to receive the attacker’s packet strips off the native VLAN tag and forwards it out all ports (including adjacent trunk ports) because that is how 802.1Q handles native VLAN traffic.  Once the next hop switch receives the packet, it sees only the second tag and forwards it on to the target destination.

 

To Mitigate Switch Spoofing:

  • Disable DTP on all ports using the switchport nonegotiate command on each port.
  • Define access ports and trunk ports explicitly using commands like switchport mode access and switchport mode trunk.
  • Shut down all unused ports and assign them all to an unused VLAN (ex. something like 999)
  • Define the native VLAN separate from any data VLANs
  • Define explicit VLANs allowed on the trunk links, rather than the default allow all
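To show why the double-tagging attack above depends on the native VLAN, and why moving the native VLAN to an unused ID (as recommended in the list above) breaks it, here is an added Python model of 802.1Q trunk ingress (constructed example, not Cisco code and not from the original post; the frame builder, MAC addresses and VLAN numbers are assumptions):

```python
"""Parser for stacked 802.1Q headers and a model of trunk ingress handling,
covering the double-tagging attack and the native-VLAN mitigation described
above. Constructed example, not Cisco code; the sample frames are built inline."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def build_frame(dst: bytes, src: bytes, vids: list, payload: bytes = b"") -> bytes:
    """Constructed sample frame with zero or more stacked 802.1Q tags (PCP 0)."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETH_P_IP) + payload


def parse_tags(frame: bytes):
    """Return (dst, src, [vid, ...], payload_ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    offset, vids = 12, []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype == ETH_P_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q header")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)          # VLAN ID is the low 12 bits of the TCI
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return dst, src, vids, ethertype, frame[offset + 2:]


def trunk_ingress(frame: bytes, native_vlan: int) -> dict:
    """What an 802.1Q trunk does with the frame, per the text: a tag equal to
    the native VLAN is stripped, so any second tag becomes the frame's VLAN
    at the next hop. 'alert' flags stacked tags, which a monitor should log."""
    _, _, vids, _, _ = parse_tags(frame)
    if not vids:
        return {"vlan": native_vlan, "hopped": False, "alert": False}
    stacked = len(vids) > 1
    if vids[0] == native_vlan:
        return {"vlan": vids[1] if stacked else native_vlan,
                "hopped": stacked, "alert": stacked}
    return {"vlan": vids[0], "hopped": False, "alert": stacked}


def compare_native_vlans() -> dict:
    """Same double-tagged frame against native VLAN 1 (the default) and against
    an unused native VLAN 999, the mitigation recommended above."""
    dst, src = b"\xff" * 6, bytes.fromhex("0000aaaabbbb")   # constructed addresses
    frame = build_frame(dst, src, [1, 20], b"x" * 46)
    return {"native_1": trunk_ingress(frame, 1),
            "native_999": trunk_ingress(frame, 999)}
```

With native VLAN 1 the outer tag is stripped and the frame lands in VLAN 20; with native VLAN 999 the same frame is ordinary VLAN 1 traffic, although the stacked tag is still worth alerting on.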

 

VACLs

There are three types of access control lists (ACLs) that Cisco switches support:

  • Traditional Router ACL (RACL)
  • QoS ACL
  • VACL (also referred to as VLAN access-maps)

VACLs are much like route-maps in that they use match and set statements to define what actions are taken.  In this case, the set statements are “action” directives, which include forward, drop, and redirect.  Also like route-maps, VACL statements are ordered.

Below is an example configuration:

Switch(config)# access-list 10 permit 10.1.1.0 0.0.0.255
Switch(config)# mac access-list extended SERVER
Switch(config-ext-mac)# permit any host 0000.1111.2222
Switch(config)# vlan access-map TEST 1
Switch(config-map)# match ip address 10
Switch(config-map)# action drop
Switch(config-map)# vlan access-map TEST 2
Switch(config-map)# match mac address SERVER
Switch(config-map)# action drop
Switch(config-map)# vlan access-map TEST 3
Switch(config-map)# action forward
Switch(config)# vlan filter TEST vlan-list 14,17

Note that even when using the “action forward” statement, traffic that is not explicitly defined within the access list will be dropped because of the implicit deny feature at the end of the list.  Also, it is important to remember for this exam that both routed and bridged ACLs can be applied as either inbound or outbound and that VLAN maps and router ACLs can be used in combination.
 

Spoof attacks include DHCP, MAC, and ARP spoofing – all of which I’ll briefly discuss. 

DHCP Spoofing

DHCP spoofing attacks occur when an attacker responds to DHCP requests, listing themselves as the default gateway or DNS server.  This positions them to intercept all traffic before forwarding it on to the real network gateway.  The attacker could also simply flood the DHCP server with requests, filling up the available IP space (DoS attack).

One option for preventing DHCP spoofing attacks is to statically assign ARP entries into the DHCP server so that dynamically created ARP packets cannot interfere.  A more manageable solution is to use DHCP snooping.  DHCP snooping protects against DHCP spoofing attacks: when it is enabled, only ports that uplink to an authorized DHCP server are trusted and allowed to pass all DHCP traffic.  All other ports are untrusted (the default) and can only send DHCP requests.  If a DHCP response (“offer”) is heard on an untrusted interface, it is shut down.

Note:  DHCP snooping must first be configured globally, then on specific VLANs, and finally on any interfaces.  Remember to configure only ports that connect directly to or uplink to a DHCP server as trusted.


DHCP Snooping Configuration

Globally:

Switch(config)# ip dhcp snooping

On VLAN(s):

Switch(config)# ip dhcp snooping vlan number number

On interfaces:

Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit rate pkts-per-sec (limits DoS attacks)

Verification:

Switch# show ip dhcp snooping

  

IP Source Guard

If more protection is required, IP Source Guard can be applied to access ports.  IP Source Guard keeps track of the host’s IP address and/or MAC address associated with each port – usually in conjunction with DHCP snooping enabled.  If traffic sourced from another address enters that interface, it is dropped.

 

To Configure IP Source Guard

Switch(config-if)# ip verify source (uses just IP address filtering)
Switch(config-if)# ip verify source port-security (uses IP + MAC filtering)
Switch# show ip source binding

 

ARP Spoofing

ARP spoofing is another man-in-the-middle attack, exploiting the ARP protocol.  An attacker sends out an unsolicited ARP message giving the IP address of the local gateway with its own MAC address.  Local machines then overwrite their ARP tables and all traffic is forwarded through the attacker.

Dynamic ARP Inspection (DAI) is a security mechanism that works with DHCP snooping to define trusted and untrusted interfaces.  DAI intercepts, logs, and drops ARP messages on untrusted ports that  do not match the DHCP snooping MAC/IP bindings.  All traffic that matches is passed, all traffic that does not match is dropped.

DAI is supported on access ports, trunk ports, EtherChannels, and private VLAN interfaces.  Dynamic ARP Inspection should only be applied to ingress interfaces.  All access ports should be untrusted and all trunks (including connections to routers) should be configured as trusted.  Enable DAI on one or more VLANs, then configure the trusted interfaces.  It matches IP and MAC by default.

 

Basic DAI configuration commands

Switch(config)# ip arp inspection vlan vlan-id
Switch(config-if)# ip arp inspection trust
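The DHCP snooping, IP Source Guard and DAI sections above all hinge on one binding table, so here is an added Python model that builds that table from sample DHCP traffic and then applies the three checks (constructed example, not Cisco code and not from the original post; port names, VLAN numbers, MACs and IPs are made up):

```python
"""Model of DHCP snooping, Dynamic ARP Inspection (DAI) and IP Source Guard
as described above. Constructed example, not Cisco code: it builds the
snooping binding table from sample DHCP traffic on trusted/untrusted ports,
then validates ARP and IP frames against that table."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: client MAC/IP learned on a VLAN and port."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    trusted: set = field(default_factory=set)      # ip dhcp snooping trust
    bindings: set = field(default_factory=set)     # the snooping binding table
    pending: dict = field(default_factory=dict)    # client MAC -> (port, vlan)
    events: list = field(default_factory=list)

    def dhcp_client(self, port: str, vlan: int, mac: str) -> str:
        """DISCOVER/REQUEST from a client: allowed on any port, remembered so
        the later ACK can be tied back to the client's port."""
        self.pending[mac] = (port, vlan)
        return "forward"

    def dhcp_server(self, port: str, kind: str, client_mac: str, ip: str) -> str:
        """OFFER/ACK: legitimate only from a trusted (server-facing) port."""
        if port not in self.trusted:
            self.events.append(f"rogue DHCP {kind} on untrusted {port}: dropped")
            return "drop"
        if kind == "ack" and client_mac in self.pending:
            cport, vlan = self.pending.pop(client_mac)
            self.bindings.add(Binding(client_mac, ip, vlan, cport))
        return "forward"

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """DAI: ARP on an untrusted port must match a snooping binding."""
        if port in self.trusted:
            return "forward"
        if Binding(sender_mac, sender_ip, vlan, port) in self.bindings:
            return "forward"
        self.events.append(f"DAI: {sender_mac} claims {sender_ip} on {port}: dropped")
        return "drop"

    def ip_frame(self, port: str, vlan: int, src_mac: str, src_ip: str,
                 mode: str = "ip") -> str:
        """IP Source Guard. mode 'ip' = `ip verify source` (IP only);
        'port-security' = `ip verify source port-security` (IP + MAC)."""
        for b in self.bindings:
            if b.port == port and b.vlan == vlan and b.ip == src_ip:
                if mode == "ip" or b.mac == src_mac:
                    return "forward"
        self.events.append(f"IPSG: {src_ip}/{src_mac} not bound to {port}: dropped")
        return "drop"


def scenario() -> dict:
    """Constructed traffic: legitimate lease on Gi0/1, rogue server on Gi0/3,
    ARP spoof of gateway 10.1.1.1 from Gi0/2, spoofed source address on Gi0/1."""
    sw = AccessSwitch(trusted={"Gi0/24"})          # uplink to the real DHCP server
    sw.dhcp_client("Gi0/1", 10, "0000.1111.aaaa")
    sw.dhcp_server("Gi0/24", "ack", "0000.1111.aaaa", "10.1.1.50")
    return {
        "rogue_offer": sw.dhcp_server("Gi0/3", "offer", "0000.2222.bbbb", "10.1.1.60"),
        "good_arp": sw.arp("Gi0/1", 10, "0000.1111.aaaa", "10.1.1.50"),
        "gateway_spoof": sw.arp("Gi0/2", 10, "0000.dead.beef", "10.1.1.1"),
        "good_ip": sw.ip_frame("Gi0/1", 10, "0000.1111.aaaa", "10.1.1.50"),
        "spoofed_ip": sw.ip_frame("Gi0/1", 10, "0000.1111.aaaa", "10.1.1.99"),
        "mac_mismatch": sw.ip_frame("Gi0/1", 10, "0000.3333.cccc", "10.1.1.50",
                                    "port-security"),
        "events": len(sw.events),
    }
```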

 

General Switch Security Recommendations

  • Use strong passwords that are not susceptible to a dictionary attack (preferably using numbers and/or symbols)
  • Limit Telnet access using ACLs
  • Use SSH instead of Telnet
  • Physically secure the switch
  • Use banners that warn intruders against unauthorized access
  • Remove unused services (ex. finger, TCP and UDP small servers, service config, and HTTP server)
  • Configure Syslog
  • Disable DTP (Dynamic Trunking Protocol) – define trunks explicitly
  • Disable CDP when it is not required
    • no cdp run (disables it globally on the switch)

 

Port-Based Authentication

802.1x is a security protocol designed to authenticate devices like computers to access ports on a switch.  When a device connects to an 802.1x-enabled port, it goes through the following steps:

  1. It begins in the unauthorized state – only allowing EAP over LAN (EAPOL), CDP, and STP communication.
  2. The switch requests authentication or the client sends an EAPOL frame to begin authentication.
  3. The switch forwards the client’s authentication information to a RADIUS server and acts as a proxy.
  4. If authentication is successful, the port transitions to authorized state and traffic is permitted.

802.1x requires three different devices be configured for port-based authentication to work properly:

  • Client (or host) – must be running 802.1x compliant system software
  • Authentication server – Performs the actual authentication of the clients
    ** RADIUS is the only supported server type!
  • Switch (or authenticator) – controls physical access and acts as a proxy


To enable port-based authentication using 802.1x:

Switch(config)# aaa new-model (enables AAA globally, with default lists applied to the VTYs)
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control (globally enables 802.1x on switch)

To enable 802.1x on an individual interface

Switch(config-if)# dot1x port-control {auto | force-authorized | force-unauthorized}

Note:  Auto is the default dot1x port-control mode, but you should be aware of the “force-authorized” option.  When applied to an interface, it forces the port to transition directly into the authorized state and disables 802.1x authentication.  This can be applied to interfaces that you inherently trust are secure or, more likely, that do not support any type of 802.1x exchange.

Switch# show dot1x

6 Comments

  1. Client Connectivity

    Step 4. Question. The AP’s beacon contains the MAC address and SSID. So the client already knows the AP’s information. Does this step include sending each other’s or is only the client sending theirs? Obviously this doesn’t matter at all. I’m more or less writing this to concrete the theory down.

  2. Great resource as I’m ramping up for SWITCH!

    In your Client Connectivity section you state that to roam the APs must be on the same subnet and VLAN.

    I just read somewhere else that they don’t have to be if you are using a WLC.

    I think your specs describe layer 2 roaming. When the subnet and VLAN are different, that would be layer 3 roaming.

    See http://www.ciscopress.com/articles/article.asp?p=102282 maybe I’m misinterpreting.

  3. Greetings from Florida! I’m bored to death at work so I decided to check out your site on my iPhone during lunch break. I really like the knowledge you provide here and can’t wait to take a look when I get home. I’m surprised at how fast your blog loaded on my cell phone. I’m not even using WiFi, just 3G. Anyhow, great site!
