Network Ninja

The Long Road to Cisco

Tag Archive for 'Infrastructure'

BSCI Design Foundation – Network Models

Published by Deon Botha on July 25, 2008 in BSCI, BSCI Notes, Certification, Cisco Systems, Concepts and Constructs, ECNM, Enterprise Architecture, IIN and SONA. 0 Comments

Design – Hierarchical

[Figure: Hierarchical Design]

Where networks were once built without a hierarchy (a flat layer-1, layer-2 or layer-3 design), they are now generally built on the three-layer hierarchical model shown above. Cisco has used this model for years. It gives a high-level view of how a reliable network can be conceived, but it remained largely conceptual because it gave no specific guidance on how to implement things like:

  • Implementing redundancy,
  • Adding Internet Access,
  • Accounting for remote users,
  • Locating workgroup and enterprise services

Design – Enterprise Composite Network Model (ECNM)

[Figure: Access-Distribution-Core ECNM (switch block design)]

Revisions to the hierarchical design added redundant distribution and core devices and links to make the model more fault tolerant. The switch block design (above) explained how redundancy fits into a network, but still did not adequately specify the other parts of the network design. This led to the development of the Enterprise Composite Network Model (ECNM) to address the shortcomings of both the hierarchical model and the switch block model.

This ECNM is broken into three large pieces:

  • Enterprise Campus,
  • Enterprise Edge,
  • Service Provider Edge.

[Figure: Enterprise Composite Network Model]

ECNM – Campus

The enterprise campus looks very much like the above switch block design with some added details:

  • Campus Backbone (like the core layer of the hierarchical model),
  • Building Distribution,
  • Building Access,
  • Management,
  • Server Farm (Enterprise Services).

The ECNM Campus builds on the switch block design but gives specific guidance on where to place servers and management equipment. Note that the server farm is itself built like a switch block, with the servers redundantly attached (dual-homed) to its switches (not shown clearly in the diagram).

ECNM – Enterprise Edge

The Enterprise Edge shows the connections that the enterprise has with the wide area (other networks) and includes:

  • E-Commerce,
  • Remote Access,
  • Internet Connectivity,
  • WAN (Internal links to other branches).

ECNM – Service Provider Edge

The service provider edge includes the public networks that facilitate wide area (other networks) connectivity:

  • Internet Service Provider (ISP),
  • Public Switched Telephone Network (PSTN) for dialup,
  • Frame Relay, ATM, and PPP for private connections.

Multiplexing

Historically, voice traffic used one set of circuits and data traffic another. If you wanted more than one “number”, the telecommunications company installed another physical line to your premises, and if you wanted access to a data network they installed a separate data line for that purpose.

With line technologies like the T-carrier system (USA, Japan, Korea), 24 pulse-code modulated (I don’t know; I need to ask one of the engineers about this), time-division multiplexed speech channels are carried over two copper pairs. This saved the telecommunications companies a lot of money in building out subscriber lines. The problem with T1 as a technology is that it cannot adjust as the customer’s usage requirements change (see the E-carrier system for Europe and other countries).

As technology changes, so do the requirements placed on it. Modern networks are designed to carry voice, video, enterprise applications, normal LAN traffic and management traffic on the same single secure infrastructure (convergence). The traffic is made to share access to the network (statistical multiplexing).

Service-Oriented Network Architecture (SONA) and Intelligent Information Network (IIN)

The Multiplexing section above described the idea of a converged network: a system that integrates previously disparate systems (voice, video, data). The traffic types usually found on a converged network include, but are not limited to:

  • voice signalling and bearer traffic,
  • Core application traffic (ERP and CRM),
  • Transactional traffic related to database interactions (SQL),
  • Network management traffic for monitoring and maintaining the network structure (including routing protocol traffic),
  • Multicast multimedia,
  • Other traffic (web, e-mail, file transfer).

Each of the above traffic types has its own requirements and expectations that govern its successful delivery. These requirements include security, QoS, transmission capacity, and delay.

To support this kind of multiplexed traffic, Cisco routers can implement filtering, compression, prioritization, and policing (rate-limiting each traffic class to the capacity allotted to it). Apart from filtering, these mechanisms are collectively known as QoS.

Going beyond per-hop QoS, Cisco describes a vision it calls the Intelligent Information Network (IIN). It describes a network in which network and application functionality cooperate, allowing the network to be “smart” about how it handles traffic and to minimize the footprint of applications. The IIN evolution is described in three phases:

  • Phase 1: Integrated Transport deals with a converged network, built along similar lines to the ECNM and based on open standards (cross-compatibility).
  • Phase 2: Integrated Services posits virtualization of resources such as servers, storage and network access, moving to an “on-demand” model. Don’t think of marketing “virtualization”; think of practical virtualization: the ISR routers (routing, switching, voice, network management, security and wireless) designed as an all-in-one (AIO) appliance, and virtualizing servers on hardware properly designed for the job. You can’t be trying this on SMB servers, or recycling 10-year-old technology and thinking “bargain, let’s load five operating systems on this”.
  • Phase 3: Integrated Applications uses application-oriented networking (AON) to make the network “aware”, allowing the network to actively monitor and participate in service delivery.

Service-Oriented Network Architecture (SONA) is the practical application, or “how-to”, of IIN in enterprise networks. SONA breaks IIN down into three layers:

  • the SONA Infrastructure Layer is essentially IIN Phase 1,
  • the SONA Interactive Services Layer maps to IIN Phase 2,
  • the SONA Application Layer has the same concepts as IIN Phase 3.

Resources:

Aragoen Celtdra on BSCI: Network Architecture and Design

Notes and Notices:

This is a part of my personal BSCI notes and research to assist myself in learning and understanding the concepts and theory for the BSCI exam. I learn by making notes, reading, and writing things down, and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements for Cisco recognized and authorized training, which I personally support and attend, and suggest you undertake if you are going for the BSCI Certification.

Cisco and DDNS

Published by Deon Botha on June 4, 2008 in Cisco Systems, Concepts and Constructs, DDNS and Support. 3 Comments

A little off-topic (switching being the topic at the moment), but I ran into this today again and wanted to jot it down quickly.

WARNINGS: The commands below enable public access to internal resources. This should not be done if you do not understand Access Control Lists (ACLs) and/or do not have a proper firewall (not Windows Firewall) installed; a PIX or ASA, or even ISA Server, would do. I prefer not doing this at all because it creates a rather obvious place for network attacks to happen. You must know that these commands are what I know to work; you may disagree, and I would love to hear what you do/use. I take no responsibility whatsoever as to how you use these commands, and you shall be responsible for your losses or your clients’ losses if you do not implement this correctly or data/information is stolen.

Dynamic Domain Name System (DDNS) is a service that keeps a public hostname pointed at a network whose public IP address keeps changing (most ADSL connections), so that people on the internet can reach resources on that network by name even though the address behind the name changes.

To understand the concept: the Domain Name System (DNS) maps human-readable hostnames (www.companyweb.org) to IP addresses (192.168.0.1) so that hosts, routers and other networking infrastructure can deliver traffic where it is needed. The internet uses DNS so that we can go to www.google.co.za and not have to remember the IP address of Google and the million other sites online.

DDNS makes it possible for small and medium businesses (SMBs) to give employees, customers, partners and other stakeholders access to internal resources (mail, intranet, price lists, documents, etc.) without paying for a static IP address. This is not limited to SMBs; some larger companies have dynamic connections and also use the service. There are, of course, security concerns and problems with DDNS.

DDNS on its own only publishes a name. It is the port forwarding (static NAT) configured alongside it in the steps below that allows external (untrusted) access to internal (trusted) resources, and that access is not limited to the visitors you know about (employees, customers, partners and other stakeholders) but is open to unknown ones (random hits, attackers, automated scanners, etc.). If you do not implement proper security you may, and probably will, lose information and data without even knowing it.

From the Cisco SMB router range upward, IOS supports the ip ddns commands, and services like DynDNS can be configured without much hassle. There are some small things to watch out for, though, which I cover below.

Step 1: Open an account with DynDNS (other services work with Cisco routers too; I have only used DynDNS and I am happy with them. Check the Cisco configuration guide for the commands for other services). Once you have the DynDNS account set up, create a free DynDNS hostname (they have many options, like your-option.domain.com) and write down the hostname, your username and your password.

Step 2: Add members.dyndns.org to your host list and statically configure your ISP’s DNS servers. You could skip this, but it works better if you do it.

Router(config)#ip host members.dyndns.org 63.208.196.96
Router(config)#ip name-server xxx.xxx.xxx.xxx
Router(config)#ip name-server xxx.xxx.xxx.xxx

Things to change: xxx.xxx.xxx.xxx is your ISP’s DNS server address, primary first, secondary second. Note that the ip host entry hard-codes the address of members.dyndns.org and bypasses DNS for that name; if DynDNS ever moves that service to another address the updates will silently stop working, so check this entry first when troubleshooting.

For those with ISPs that love changing their DNS servers regularly (I know some ISPs change their DNS servers monthly; they have a list of DNS servers, and which ones are active in a given month would be anyone’s lucky guess), this is great if you charge by the hour and bad for your client, because they will see you every month (i.e. bad for Cisco’s image, because the client thinks his Cisco kit breaks every month).

Via Etherealmind you can give OpenDNS a try. OpenDNS is DNS with a little extra, as they include phishing protection and spelling correction in their service.

Step 3: This is tricky because the update URL contains a special character. When you get to the special character in the line, press Ctrl+V first so that IOS accepts the character as input instead of interpreting it.

Router(config)#ip ddns update method dyndns
Router(DDNS-update-method)#HTTP
Router(DDNS-HTTP)#add http://DYNDNS-USERNAME:DYNDNS-PASSWORD@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
Router(DDNS-HTTP)#exit
Router(DDNS-update-method)#interval maximum 0 28 0 0

If you don’t get it, the special character I mentioned is the question mark, which IOS treats as a request for context help and will not accept as input without the preceding Ctrl+V. The add keyword before the URL is part of the command. Things to change: DYNDNS-USERNAME is your DynDNS username and DYNDNS-PASSWORD is your DynDNS password. Be aware that both are stored in the configuration in clear text and, because the method uses http://, are sent to DynDNS as an unencrypted HTTP Basic Authorization header; anyone who can capture that request can repoint your hostname, so protect the configuration and use a password unique to DynDNS.

Step 4: Apply the update to the Dialer interface (not the ATM, FastEthernet or GigabitEthernet interfaces), because that is the interface that holds the public address the update reports. It could also be put on a Serial interface (say for a flapping link, if you have a leased line for internet, but then you would probably have a static IP address); why you would use DDNS then I don’t know, but it could, and probably would, work.

Router(config)#interface Dialer1
Router(config-if)#ip ddns update hostname your-option.domain.com
Router(config-if)#ip ddns update dyndns host members.dyndns.org

Things to change your-option.domain.com is the choice for the domain you made at DynDNS like game-server.dyndns.org.

Step 5: We are doing this for a reason and the reason behind DDNS is to have a private resource available to the public internet. To achieve this in IPv4 NAT or PAT is used when a single Internet connection is available. NAT basically takes multiple internal addresses and allows all those addresses to access the internet at once through a single internet connection. For this to work you need to configure your NAT inside and NAT outside.

Router(config)#interface Dialer1
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#interface vlan VLAN-Number
Router(config-if)#ip nat inside

I use a VLAN and map the VLAN to an fastethernet or gigabitethernet interface, you may or may not do it this way.

Step 6: Configure static NAT to publish an internal resource to the outside. Say I am doing this for Small Business Server 2003 (SBS), for Exchange Outlook Web Access (OWA). This uses HTTP on port 80 and HTTPS on port 443. Consider only doing this if you have the Premium Edition (which comes with ISA Server) so that you can exercise some control over what you publish and what you don’t. Also consider publishing only port 443, so that OWA logins are never sent over plain HTTP.

Router(config)#ip nat inside source list 101 interface Dialer1 overload
Router(config)#ip nat inside source static tcp xxx.xxx.xxx.xxx 80 interface Dialer1 80
Router(config)#ip nat inside source static tcp xxx.xxx.xxx.xxx 443 interface Dialer1 443

Things to change here would be xxx.xxx.xxx.xxx, which is the SBS IP address (the default is 192.168.16.2). The overload line refers to access-list 101, which must already exist and permit the internal addresses allowed to use the connection; it is not shown here.

Step 7: Disable the router’s own HTTP and HTTPS server so that you don’t get the router’s login page when you try to access your-option.domain.com. Getting the login page is annoying, breaks the functionality, and is a security risk.

Router(config)#no ip http server
Router(config)#no ip http secure-server

These commands disable the web GUI! If that is a problem, consider not configuring DDNS. The conflict arises because the router’s HTTP server also listens on port 80 on the Dialer address, so when someone browses to the URL the router may serve its own login page instead of forwarding the request to OWA. It is a security problem because everyone who arrives at the external address on port 80 is then prompted for a privilege level 15 username and password (anyone who knows network kit recognises that prompt as a Cisco device), and if you have not chosen a strong password they may well log in and factory-reset the router for you.

Step 8: Configure ACLs (at least) for WAN traffic. Some ISR routers come with a firewall feature set; consider configuring that too. Disable CDP on external-facing interfaces, etc. (in other words, take due care and diligence in setting up a properly secured router, plus some more, because you are letting the outside world into the private network).

Step 9: Verify DDNS using the show commands (from privileged EXEC mode, not configuration mode):

Router#show ip ddns update

Alternatively you can use the debug command:

Router#debug ip ddns update

Step 10: I’m not paranoid (all this talk of security); I just don’t like gambling with lady luck. Exposing any part of the internal network to the outside world is a security risk that cannot be eliminated, only mitigated and controlled. Consider this, and how to mitigate the risk, before exposing something like SBS (which by all accounts is the business nervous system in an SMB).
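
The Step 3 URL is a real HTTP request that the router issues whenever its address changes, so it is worth seeing exactly what goes on the wire. The following Python is an added example, not part of the original post or of Cisco IOS: it expands the <h> and <a> placeholders the way IOS does, builds the request the router sends, shows that the user:password@ part of the URL travels as an HTTP Basic Authorization header (base64, not encryption, so it is readable by anyone on the path when the method uses http://), and parses the DynDNS reply codes (good, nochg, badauth, notfqdn, nohost, abuse, 911 and friends, as documented by the DynDNS update API). The credentials, hostname and addresses are constructed for the example.

```python
import base64
from urllib.parse import urlsplit

# Constructed example credentials and hostname, in the exact form used in Step 3.
EXAMPLE_METHOD_URL = ("http://alice:s3cret@members.dyndns.org/nic/update"
                      "?system=dyndns&hostname=<h>&myip=<a>")


def build_update_request(method_url, hostname, myip):
    """Expand the IOS placeholders (<h> = hostname, <a> = interface address)
    and return the pieces of the HTTP request the router will send."""
    url = method_url.replace("<h>", hostname).replace("<a>", myip)
    parts = urlsplit(url)
    if parts.username is None or parts.password is None:
        raise ValueError("method URL must carry user:password@ before the host")
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    # HTTP Basic authentication: base64 of "user:password". Encoding only,
    # so with an http:// method the credentials cross the ISP in clear text.
    token = base64.b64encode(f"{parts.username}:{parts.password}".encode()).decode()
    return {
        "request_line": f"GET {target} HTTP/1.1",
        "headers": {"Host": parts.hostname, "Authorization": f"Basic {token}"},
        "cleartext": parts.scheme == "http",
    }


def recover_credentials(authorization_header):
    """What a sniffer on the path recovers from the Authorization header."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not HTTP Basic authentication")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# Reply codes of the DynDNS update API. 'good' and 'nochg' carry the address.
_SUCCESS = {"good", "nochg"}
_FAILURE = {"badauth", "badagent", "notfqdn", "nohost", "numhost",
            "abuse", "dnserr", "911"}


def parse_update_response(body):
    """Return (code, address_or_None, ok). 'nochg' is a success, but repeating
    updates that return 'nochg' is what gets a hostname flagged as 'abuse'."""
    fields = body.strip().split()
    if not fields:
        raise ValueError("empty reply from update server")
    code = fields[0]
    if code in _SUCCESS:
        return code, (fields[1] if len(fields) > 1 else None), True
    if code in _FAILURE:
        return code, None, False
    raise ValueError(f"unknown reply: {body!r}")


if __name__ == "__main__":
    req = build_update_request(EXAMPLE_METHOD_URL, "lab.dyndns.org", "203.0.113.7")
    print(req["request_line"])
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
    print("credentials visible on the wire:", recover_credentials(req["headers"]["Authorization"]))
    print(parse_update_response("good 203.0.113.7"))
```

Running it prints the GET line and headers the router would emit for a hostname lab.dyndns.org and address 203.0.113.7, then recovers alice:s3cret straight from the Authorization header. If the method URL is changed to https:// the cleartext flag turns false, which is the one-character fix for the exposure described above where the router’s IOS image supports it.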

Notes and Notices:

Anything free is meant to be taken with a pound of salt. I take no responsibility for loss or damage from implementation of the above commands on routers or networks without proper consultation and documentation done by myself in person with end-users. I do not recommend this configuration; by writing this I do not imply that it is a good idea to implement or configure in all situations.

In good Afrikaans: “Dit is alles voetstoots” (“it is all as-is, at your own risk”).

Switch Security Layer-2 Attacks – Four

Published by Deon Botha on May 28, 2008 in ACL, BCMSN, CDP, Certification, Cisco Systems, Concepts and Constructs, SSH, Telnet and VTY. 0 Comments

[Figure: Switch Device Attacks]

CDP

Cisco Discovery Protocol (CDP) is a useful protocol when you are sitting on the other side of the office, country or planet and don’t know what you are working with on a network, but CDP has some holes that attackers can leverage.

CDP sends information about the network topology (device names, platforms, IOS versions, addresses) between devices in clear text and without authentication. An attacker with a packet sniffer on the segment gets information about the network infrastructure that we really don’t want them to have.

CDP isn’t needed on ports where no network management is done (this is not the case for ports with Cisco IP Phones, which rely on CDP). You can also go ballistic and disable CDP totally; that’s up to you. To disable CDP use the following commands.

CDP per-port

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#no cdp enable

CDP Globally

switch#configure terminal
switch(config)#no cdp run

Be careful with this: CDP is used in conjunction with, or as support for, other Cisco features. Cisco IP Phones, for example, learn their voice VLAN and negotiate power through CDP, so disabling it globally on an access switch with phones will break them.

Telnet

Telnet has a few problems:

  • All usernames, passwords and data sent over a public network (read: the Internet) are sent in clear text and can be captured.
  • A user with an account on the system can gain elevated privileges.
  • A remote attacker could crash the Telnet service, preventing legitimate access.
  • A remote attacker could find an enabled guest account that may be present anywhere in the trusted domain of the server.

In other words: don’t Telnet over the Internet.

SSH

SSH is a client/server protocol used to log in to another computer over a network. It provides strong authentication and encrypted communication over a public network. Although SSH is more secure than Telnet, many vendors’ SSH implementations have had vulnerabilities, so keep the software current. On IOS the switch needs a hostname, a domain name and an RSA key pair before SSH will work; apply transport input ssh only after the key exists, or you lock yourself out of remote access. The domain name below is a placeholder.

switch#configure terminal
switch(config)#ip domain-name example.com
switch(config)#crypto key generate rsa modulus 2048
switch(config)#line vty 0 15
switch(config-line)#transport input ssh

VTY Access Control Lists (ACL)

One can apply an ACL to permit or deny access to the VTY ports of a switch.

The number of VTY lines differs between platforms; check it (show line lists them) and configure the ACL on ALL the VTY lines. Don’t leave one open, because an attacker only needs one unfiltered line.

switch#configure terminal
switch(config)#access-list 12 permit 192.168.0.0 0.0.255.255
switch(config)#line vty 0 15
switch(config-line)#access-class 12 in
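
Both this post and the DDNS post above boil down to a checklist against the running-config: CDP off on untrusted ports (or globally), SSH-only transport and an access-class on every VTY range, and the router’s own HTTP server off. The following Python is an added example, not code from the original post or from Cisco: it parses an IOS-style configuration into sections and reports each control that is missing, including the “one VTY range left open” case the post warns about. The sample configuration is constructed for the example with gaps left in deliberately, and the list of untrusted interfaces is an input you supply.

```python
# Constructed sample: an access switch with several of the gaps the posts warn about.
SAMPLE_CONFIG = """\
hostname edge-sw1
!
ip http server
no ip http secure-server
!
interface GigabitEthernet0/1
 description Uplink to ISP router
 no cdp enable
!
interface GigabitEthernet0/2
 description Uplink to DMZ switch
!
line vty 0 4
 access-class 12 in
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
access-list 12 permit 192.168.0.0 0.0.255.255
"""


def parse_sections(config_text):
    """Split an IOS running-config into (header, [child lines]) pairs.
    A line with no leading space starts a section; indented lines belong to
    the section above them. Comment lines ('!') and blanks are dropped."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_ios_config(config_text, untrusted_interfaces=()):
    """Return a list of findings; an empty list means every checked control is present."""
    findings = []
    sections = parse_sections(config_text)
    headers = [header for header, _ in sections]
    by_header = dict(sections)

    # DDNS post, Step 7: the device's own web server must be off.
    for service in ("ip http server", "ip http secure-server"):
        if service in headers:
            findings.append(f"{service} is enabled")

    # CDP: either disabled globally, or 'no cdp enable' on every untrusted port.
    if "no cdp run" not in headers:
        for name in untrusted_interfaces:
            children = by_header.get(f"interface {name}")
            if children is None or "no cdp enable" not in children:
                findings.append(f"CDP still enabled on {name}")

    # VTY: every 'line vty A B' range needs ssh-only transport and an access-class.
    vty_sections = [(h, c) for h, c in sections if h.startswith("line vty")]
    if not vty_sections:
        findings.append("no line vty configuration found")
    for header, children in vty_sections:
        transport = next((c for c in children if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{header}: transport input not set (default allows telnet)")
        else:
            allowed = transport.split()[2:]
            if allowed != ["ssh"]:
                findings.append(f"{header}: transport input allows {' '.join(allowed)}")
        if not any(c.startswith("access-class") and c.split()[-1] == "in" for c in children):
            findings.append(f"{header}: no access-class applied")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG, ("GigabitEthernet0/1", "GigabitEthernet0/2")):
        print("FINDING:", finding)
```

On the sample it reports the HTTP server, CDP on GigabitEthernet0/2, telnet still permitted on vty 0 4, and no access-class on vty 5 15; the second range is exactly the case that looks fine from the first line vty stanza alone. Feed it the output of show running-config saved to a file to check a real device.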

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes, reading, and writing things down, and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements for Cisco recognized and authorized training, which I personally support and attend, and suggest you undertake if you are going for the BCMSN Certification.

Planning Voice on a Data Network

Published by Deon Botha on May 21, 2008 in BCMSN, Certification, Cisco Systems and VoIP. 0 Comments

There are numerous benefits to packet switched telephony:

  • More efficient use of bandwidth and kit: Traditional telephony networks use a 64-kbps channel (for argument’s sake, one B channel on an ISDN line) for every voice call. Packet telephony shares bandwidth among multiple logical connections and offloads traffic volumes from existing voice switches.
  • Lower costs for telephony network transmissions: A substantial amount of equipment is needed to combine 64-kbps (ISDN) channels into a high-speed link for transport across a network (say an ISDN PRI). Packet telephony statistically multiplexes voice traffic alongside data traffic. This consolidation represents substantial savings on CAPEX and OPEX.
  • Consolidated voice and data network expenses: Data networks functioning separately from voice networks become major traffic carriers. The underlying voice networks can be converted to the packet-switched architecture to create a single integrated communications network with a common switching and transmission system. The benefit is CAPEX and OPEX savings.
  • Increased revenues from new services: Packet telephony enables new integrated services, such as broadcast-quality audio, unified messaging, and real-time voice and data collaboration. These services increase employee productivity and profit margins well above those of basic voice services. In addition, they enable companies and service providers to differentiate themselves and improve their market position.
  • Greater innovation in services: Unified communications use the IP infrastructure to consolidate communication methods that were previously independent (fax, voicemail, e-mail, wireline telephone, cellular phone and the web). The IP infrastructure gives users a common way to access messages and initiate real-time communications, independent of time, location or device.
  • Access to new communications devices: Packet technology can reach devices that are largely inaccessible to today’s time-division multiplexing (TDM) infrastructure (PCs, wireless devices, household appliances, PDAs). Access to these devices enables companies and service providers to increase the volume of communications they deliver, the breadth of services they offer, and the number of subscribers they serve. Packet technology therefore enables companies to market new devices, including videophones, multimedia terminals and advanced IP Phones.
  • Flexible new pricing structures: Companies and service providers with packet-switched networks can transform their service and pricing models. Because network bandwidth can be dynamically allocated, network usage no longer needs to be measured in minutes or distance. Dynamic allocation gives service providers the flexibility to meet the needs of their customers in ways that bring them the greatest benefit.

The basic components for voice on a IP network are as follows:

  • IP Phones: The end-device on desks
  • Gatekeeper: Provides Connection Admission Control (CAC), bandwidth control and management and address translation.
  • Gateway: Provides translation between voice over Internet Protocol (VoIP) and non-VoIP networks, such as the public switched telephone network (PSTN). It provides physical access for local analog and digital devices (telephones, fax machines, and PBXs)
  • Multipoint Control Unit: Provides real-time connectivity for participants in multiple locations to attend the same videoconference or meeting.
  • Call Agent: Provides call control for IP Phones, CAC, bandwidth control and management, and address translation.
  • Application Server: Provides services such as voicemail, unified messaging, and Cisco CallManager Attendant Console.
  • Videoconference Station: Provides access for end-users participation in videoconferencing. This station has a video camera and a microphone. The user can view video streams and hear the audio that originates from the remote user station.

There are other components not listed here like voice applications, interactive voice response (IVR) systems, and softphones that meet the specific needs of enterprise.

Voice and Data Traffic Characteristics

Voice traffic has extremely stringent QoS requirements because it is extremely delay sensitive. It generates a smooth, predictable demand on bandwidth in small packets (60 to 120 bytes) and has minimal impact on other traffic, as long as it is managed. Because of its time-sensitive nature, voice is carried in User Datagram Protocol (UDP) packets; TCP’s retransmission has no value, because a sample that has to be retransmitted arrives too late for the conversation happening NOW.

For acceptable voice quality, one-way delay should be no more than 150 ms and packet loss less than 1%. A typical voice call requires 17 to 106 kbps of guaranteed priority bandwidth, plus an additional 150 bps per call for voice-control (signalling) traffic. Multiplying this out for the maximum number of calls expected during the busiest period gives the overall bandwidth requirement for voice traffic.

Because data traffic is not as delay sensitive and can tolerate higher drop rates, the retransmission capabilities of TCP have become important, and as a result many applications use TCP by default.

In networks, important business-critical applications are usually easy to identify. Most applications can be identified by their TCP or UDP port numbers (HTTP, HTTPS, FTP, Telnet, SQL, etc.). Some applications use dynamic port numbers which, to some extent, make classification more difficult. Cisco IOS software supports Network-Based Application Recognition (NBAR), which can be used to recognize dynamic-port applications.

VoIP Call Flow

As I mentioned in a previous post (see HSRP Across Trunk Links) and in some other places, it is best practice to set up voice and data on separate VLANs (I did in my own network). This is done so that QoS can be applied to prioritize the VoIP traffic as it traverses the network. If this is not done, voice and data traffic contend for the available bandwidth without regard for each other, and one or the other is going to suffer.

A major component of designing a successful IP Telephony network is bandwidth provisioning. The bandwidth requirement is calculated by adding together the total required bandwidth for voice, video and data; the sum should not be more than 75% of the link’s total capacity.
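
As an added example (not from the original post), the Python below carries the provisioning rule through: it computes per-call bandwidth from the codec payload, the 40-byte IP/UDP/RTP header, the layer-2 framing and the 20 ms sampling interval, adds the 150 bps per call of signalling traffic quoted above, and checks the voice plus data plus video total against the 75% limit. The layer-2 overhead figures (18 bytes Ethernet, 6 bytes PPP and Frame Relay, 10 bytes MLPPP) and the 2-byte cRTP header are the values commonly used in Cisco’s voice bandwidth calculations and are assumptions of this example; the link size and traffic figures in the usage are constructed.

```python
# Codec bit rates in kbps; payload bytes per packet = rate * sample_ms / 8.
CODEC_KBPS = {"g711": 64, "g729": 8}
# Layer-2 framing overhead in bytes (commonly quoted Cisco figures; assumption).
L2_OVERHEAD_BYTES = {"ethernet": 18, "ppp": 6, "frame-relay": 6, "mlppp": 10}
IP_UDP_RTP_BYTES = 40           # 20 IP + 8 UDP + 12 RTP
CRTP_HEADER_BYTES = 2           # compressed RTP header (no UDP checksum)
SIGNALLING_BPS_PER_CALL = 150   # voice-control traffic figure from the post
LINK_UTILISATION_LIMIT = 0.75   # the 75% rule from the post


def per_call_kbps(codec, l2, crtp=False, sample_ms=20):
    """Bandwidth of one voice stream in kbps for a codec over a layer-2 type.
    Packets per second follows from the sampling interval (20 ms -> 50 pps)."""
    payload_bytes = CODEC_KBPS[codec] * sample_ms / 8
    header_bytes = CRTP_HEADER_BYTES if crtp else IP_UDP_RTP_BYTES
    pps = 1000 / sample_ms
    return (payload_bytes + header_bytes + L2_OVERHEAD_BYTES[l2]) * 8 * pps / 1000


def provision(calls, codec, l2, link_kbps, data_kbps, video_kbps=0, crtp=False):
    """Busy-hour demand versus the 75% limit. Voice includes per-call signalling."""
    voice = calls * (per_call_kbps(codec, l2, crtp) + SIGNALLING_BPS_PER_CALL / 1000)
    total = voice + data_kbps + video_kbps
    limit = link_kbps * LINK_UTILISATION_LIMIT
    return {"voice_kbps": voice, "total_kbps": total, "limit_kbps": limit,
            "fits": total <= limit}


def max_calls(codec, l2, link_kbps, data_kbps, video_kbps=0, crtp=False):
    """Simultaneous calls a link supports once data and video are reserved."""
    spare = link_kbps * LINK_UTILISATION_LIMIT - data_kbps - video_kbps
    per_call = per_call_kbps(codec, l2, crtp) + SIGNALLING_BPS_PER_CALL / 1000
    return max(0, int(spare // per_call))


if __name__ == "__main__":
    # Constructed scenario: ten G.729 calls over a 512 kbps PPP link carrying 200 kbps of data.
    for crtp in (False, True):
        result = provision(10, "g729", "ppp", link_kbps=512, data_kbps=200, crtp=crtp)
        print(f"cRTP={crtp}: voice {result['voice_kbps']:.1f} kbps, "
              f"total {result['total_kbps']:.1f} of {result['limit_kbps']:.0f} allowed, "
              f"fits={result['fits']}")
    print("max G.729 calls with cRTP:", max_calls("g729", "ppp", 512, 200, crtp=True))
```

The constructed scenario shows the point of the calculation: ten G.729 calls over PPP without header compression need 265.5 kbps and push the 512 kbps link past its 384 kbps ceiling once 200 kbps of data is added, while the same calls with cRTP need 113.5 kbps and fit. G.711 over Ethernet comes out at 87.2 kbps per call and G.729 at 31.2 kbps, which brackets the 17 to 106 kbps range quoted above.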

For a traffic perspective IP Telephony consists of two types of traffic:

  1. Voice Carrier Stream consists of Real-Time Transport Protocol (RTP) packets that contain actual voice samples.
  2. Call Control Signaling, which consists of packets belonging to one of several protocols used to set up, maintain, tear down or redirect calls. Depending on the endpoint this could be H.323 or Media Gateway Control Protocol (MGCP); Cisco IP Phones registering with CallManager use SCCP (Skinny).

Auxiliary VLANs

Some Cisco Catalyst switches offer a feature called the “Auxiliary VLAN” (voice VLAN). This feature allows one to overlay a voice topology over an existing data network. One can segment phones into a separate logical network, even though the data and voice networks are physically the same.

The auxiliary VLAN feature places the phones into their own VLAN without any end-user configuration. Additionally, the VLAN assignment is maintained even if the phone is moved.

This works as follows: when a phone is plugged into a switch port, the switch tells it the voice VLAN ID via CDP; the phone then requests a DHCP address in that VLAN and tags its traffic accordingly, so it lands in the voice VLAN automatically (a PC behind the phone stays in the data VLAN). With phones in their own VLAN, administrators can troubleshoot and identify problems more easily, and enforcement of QoS and security policies becomes easier.

QoS

QoS is the application of features and functionality required to actively manage and satisfy the networking requirements of applications that are sensitive to loss, delay and delay variations (jitter). QoS allows preference to be given to critical application flows for the available bandwidth.

Cisco IOS implementations allow QoS to provide these features:

  • Priority access to resources: QoS allows administrators to control which traffic may access specific network resources such as bandwidth, kit and WAN links.
  • Efficient management of network resources: If network management and accounting tools indicate that specific traffic is experiencing latency, jitter and packet loss, QoS tools can be used to adjust how that traffic is handled.
  • Tailored service: The control provided by QoS enables Internet Service Providers to offer carefully tailored grades of service to their customers.
  • Coexistence of mission-critical applications: QoS technologies ensure that mission-critical applications receive priority access to network resources while providing adequate service for applications that are not delay sensitive.

High Availability

Traditional telephony networks strive for 99.999% availability, which is about 5.26 minutes of downtime a year. This is less downtime than most data networks achieve. Providing the same experience means choosing hardware and software with a high mean time between failures (MTBF), or installing redundant links and hardware.

Availability means that when a user wants to make a call, the network is able to respond. Efforts to ensure availability include proactive management to predict failures and taking steps to correct problems in the design of the network as it grows. When a converged network goes down, the outage can last minutes, hours or days; this is unacceptable, because in a converged network downtime means no phone calls. Provide uninterruptible power supplies (UPS), lightning arrestors and other means to ensure availability.

High availability encompasses many areas of a network. In a fully redundant network these components need to be duplicated:

  • Servers and call managers,
  • Access layer devices (layer-2 switches),
  • Distribution layer devices (routers or Layer-3 switches)
  • Core layer devices (layer-3 switches)
  • Interconnections (WAN links, PSTN Gateways, ISP links)
  • Power supplies and UPSs

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes, reading, and writing things down, and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements for Cisco recognized and authorized training, which I personally support and attend, and suggest you undertake if you are going for the BCMSN Certification.

Implementation of a WLAN

Published by Deon Botha on May 20, 2008 in 802.11, Access Point, BCMSN, Certification, Cisco Systems, Concepts and Constructs and Wireless. 0 Comments

This post brings the theory together in a more practical setting. It covers the two types of Wireless Local Area Network (WLAN) implementation that Cisco offers, namely autonomous WLAN Access Points (AP) and lightweight APs (LAP) with a WLAN Controller (WLC).

For ease of my own use and understanding I am going to use the proper acronyms: an autonomous Access Point (AP) and a lightweight Access Point (LAP), which is not to be confused (NB) with the Lightweight Access Point Protocol (LWAPP).

So take note of when I talk about hardware and when about the protocol in my notes. To round up: an AP runs a full IOS image and can be used stand-alone, and in most cases can be converted to become an LAP; an LAP runs a smaller IOS feature set and must be used together with a Wireless LAN Controller (WLC); and LWAPP is the protocol the LAP and the WLC use to talk to each other.

Autonomous APs

Jumping right in an AP implementation has various components, some of which are considered needed and some of which are considered optional:

  • A Cisco AP that runs Cisco IOS Software. As an example, the Cisco product code AIR-AP1131AG-x-K9 is an Aironet (AIR) product, an autonomous Access Point (AP) of the 1131 product range, 802.11a and 802.11g capable (AG); this example product code is not region specific (x), and the K9 suffix marks it as an export-restricted product because of the cryptographic functionality in IOS. If it were region specific, the (x) would change to A=FCC, C=China, E=ETSI, I=Israel, J=TELEC (Japan), K=Korea, N=North America (excluding FCC), P=Japan2, S=Singapore, or T=Taiwan.
  • Network infrastructure like switches and routers. Switches with Power over Ethernet (PoE) can power the AP.
  • Wireless Domain Services (WDS) for radio frequency (RF) management and fast, secure roaming. You can run Cisco Structured Wireless-Aware Network (SWAN) WDS on Cisco Aironet APs, Cisco Catalyst switches and Cisco routers. The following support SWAN WDS: Aironet 1230AG, 1240AG, 1200, 1130AG and 1100 Series APs, the Catalyst 6500 Series Wireless LAN Services Module (WLSM), the Cisco 3800 and 3700 Series Integrated Services Routers (ISR), and some models of the 2800 and 2600 series ISR that run Cisco IOS version 12.3(11)T or later.
  • CiscoWorks Wireless LAN Solution Engine (WLSE) for management (optional).
  • Cisco Secure Access Control Server (ACS) for security, using the RADIUS and TACACS+ protocols.

Lightweight APs

  • A Cisco Lightweight Access Point (LAP) that runs Cisco IOS Software. To decode an example: the Cisco product code AIR-LAP1131AG-x-K9 is an Aironet (AIR) product, a Lightweight Access Point (LAP) of the 1131 range, 802.11a and 802.11g capable (AG); in this example the product code is not region specific (x), and K9 marks an export-restricted product because of the cryptographic code resident in IOS. If it were region specific the (x) would change to A=FCC, C=China, E=ETSI, I=Israel, J=TELEC (Japan), K=Korea, N=North America (excluding FCC), P=Japan2, S=Singapore, or T=Taiwan.
  • Network infrastructure like switches and routers. Switches with Power over Ethernet (PoE) can power the AP.
  • Cisco Wireless LAN Controller (WLC) for configuration of the Access Points.
  • Cisco Wireless Control System (WCS) for management (optional).
  • Cisco Wireless Location Appliance for location tracking.
  • Cisco Secure Access Control Server (ACS) as the AAA server for security, using the RADIUS and TACACS+ protocols.

Comparison of WLAN Solutions

The two bullet lists above show that autonomous and lightweight WLAN solutions differ mainly in where the intelligence sits.

The main difference is that in autonomous mode the Cisco IOS feature set is more extensive and, as the name denotes (autonomy: “the right to govern itself”), each AP is configured individually and manages itself (this can and probably will at some point lead to configuration drift and errors if there are more than a couple of APs). Centralized management is possible through WLSE. Redundancy is achieved at the AP level (do the math: if it is cheaper to add APs than to add a WLC, then this is the option).

In lightweight mode a Wireless LAN Controller holds the centralized configuration and pushes it to the APs, which means the APs are dependent on the WLC (read: point of failure). This gives congruence between the APs on the network without much hard work. Centralized management is possible through WCS. Redundancy is achieved at the WLC level (do the math: if it is cheaper to add a WLC than to just add APs, then this is the option).

LAP Solution

LAP architecture splits processing of the 802.11 protocol between two devices; the LAP and the WLC. The processing of the 802.11 data and management protocols and the AP functionality is also divided between the two devices. This approach is called split MAC.

The LAP handles the portions of the protocol that have real-time requirements:

  • Frame exchange handshake between an end-device and the AP when transferring a frame over the air.
  • Transmission of beacon frames.
  • Buffering and transmission of frames for end-devices in power-save operation.
  • Response to probe request frames from end-devices.
  • Forwarding notifications of received probe requests to the controller.
  • Providing real-time signal quality information to the controller with every received frame.
  • Monitoring each radio channel for noise, interference, and the presence of other WLANs.
  • Monitoring the presence of other LAPs.

The remaining functions are all handled by the WLC because either the function is not time-sensitive or a system wide visibility is required by the function.

  • 802.11 authentication
  • 802.11 association and re-association (mobility)
  • 802.11 frame translation and bridging

The control (management) traffic between the LAP and the WLC is encapsulated in LWAPP and encrypted using the Advanced Encryption Standard (AES); the data traffic between the LAP and the WLC is also encapsulated in LWAPP but is not encrypted by LWAPP, so the wired path between LAP and WLC has to be treated as trusted infrastructure, just like any other access-layer link. The data is switched once it reaches the WLC, where VLAN tagging and quality of service (QoS) marking are applied.

Layer-2 and Layer-3 Mode of LWAPP

Layer-2 LWAPP is carried in an Ethernet frame. For layer-2 mode the WLC and LAP must be in the same broadcast domain and IP subnet.

Layer-3 LWAPP is carried in a User Datagram Protocol (UDP)/IP packet. The WLC and LAP can be in the same or different broadcast domains and IP subnets. For layer-3 operation the LAPs need IP addresses, which they obtain via DHCP.

So to bring this together, think of a network in your mind: if the network is flat, or the LAP and the WLC are located on the same network segment (in other words a switched network), then the LAPs can use either layer-2 or layer-3 mode. If the LAPs and the WLC find themselves spread across the enterprise (physically), meaning that they are in different subnets and on different segments (I’m thinking big business), you must use layer-3 mode.

LAP Association

There is a nice explanation in this document. A LAP will search for a WLC first using LWAPP layer-2 mode, then layer-3 mode. The process runs as follows: the LAP requests an IP address via DHCP, then sends an LWAPP discovery request as a broadcast; any WLC that hears it answers from its management IP address.

The WLC responds with a discovery response from its management IP address. This response includes the IP address of each Access Point Manager interface and the number of APs already associated to it.

The LAP then chooses the Access Point Manager with the fewest associated APs and sends it a join request.

All following communication between the LAP and the WLC is done via the Access Point Manager IP address.
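As an added example (not code from the original notes, and not Cisco’s implementation), here is the layer-2/layer-3 mode decision and the discovery/join exchange above written out in Python, with both the LAP side and the WLC side as functions. The controller names, management and AP-manager addresses, AP counts and LAP MAC addresses are constructed for the example, and the tie-break on equal AP counts (lowest IP wins) is an assumption, not something the notes state.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ApManager:
    """One AP-manager interface on a WLC; addresses and counts are constructed for the example."""
    ip: str
    ap_count: int = 0


@dataclass
class Wlc:
    """Controller side: answers discovery from its management IP, accepts joins on an AP-manager."""
    name: str
    management_ip: str
    ap_managers: list = field(default_factory=list)
    joined: dict = field(default_factory=dict)     # LAP MAC -> AP-manager IP it joined through

    def handle_discovery(self, lap_mac: str) -> dict:
        """Discovery response: sent from the management IP; lists each AP-manager and its current load."""
        return {"from": self.management_ip,
                "ap_managers": [(m.ip, m.ap_count) for m in self.ap_managers]}

    def handle_join(self, lap_mac: str, ap_manager_ip: str) -> bool:
        for m in self.ap_managers:
            if m.ip == ap_manager_ip:
                m.ap_count += 1
                self.joined[lap_mac] = ap_manager_ip
                return True
        return False


def lwapp_mode(lap_ip: str, wlc_ip: str, lap_subnet: str) -> str:
    """Layer-2 LWAPP needs LAP and WLC in one subnet/broadcast domain; across subnets only Layer-3 works."""
    net = ipaddress.ip_network(lap_subnet, strict=False)
    if ipaddress.ip_address(lap_ip) in net and ipaddress.ip_address(wlc_ip) in net:
        return "layer-2 or layer-3"
    return "layer-3"


def pick_ap_manager(responses: list) -> tuple:
    """LAP side: the AP-manager with the fewest associated APs wins; ties go to the lowest IP (assumption)."""
    candidates = [(count, ipaddress.ip_address(ip), ip, resp["from"])
                  for resp in responses for ip, count in resp["ap_managers"]]
    if not candidates:
        raise RuntimeError("no WLC answered the discovery request")
    _, _, ap_manager_ip, management_ip = min(candidates)
    return ap_manager_ip, management_ip


def join_process(lap_mac: str, controllers: list) -> str:
    """Discovery request is broadcast (every controller listed is assumed to hear it), then a join request."""
    responses = [wlc.handle_discovery(lap_mac) for wlc in controllers]
    ap_manager_ip, management_ip = pick_ap_manager(responses)
    wlc = next(c for c in controllers if c.management_ip == management_ip)
    if not wlc.handle_join(lap_mac, ap_manager_ip):
        raise RuntimeError(f"{wlc.name} rejected the join on {ap_manager_ip}")
    return ap_manager_ip          # all further LWAPP traffic goes here, not to the management IP


def demo() -> list:
    """Two LAPs joining a pair of constructed controllers; both land on the least-loaded AP-manager."""
    wlc_a = Wlc("WLC-A", "10.0.0.1", [ApManager("10.0.0.11", 12)])
    wlc_b = Wlc("WLC-B", "10.0.0.2", [ApManager("10.0.0.21", 5), ApManager("10.0.0.22", 9)])
    return [join_process(mac, [wlc_a, wlc_b]) for mac in ("00:11:22:33:44:01", "00:11:22:33:44:02")]


if __name__ == "__main__":
    print(lwapp_mode("10.0.0.50", "10.0.0.1", "10.0.0.0/24"), lwapp_mode("10.1.0.50", "10.0.0.1", "10.1.0.0/24"))
    print(demo())
```

Note that the second LAP still lands on 10.0.0.21: after the first join it carries 6 APs, which is still fewer than the 9 and 12 on the other AP-managers, so load only evens out over many joins.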

Cisco Aironet WLC

The Cisco standalone WLC range (2106, 4402 and 4404) covers small and medium enterprise/business (SMB) through to medium and large enterprise.

The 2106 Series allows small and medium sized enterprise/business (SMB) environments to support up to six LAPs and is fairly cost effective (this is subjective). With integrated DHCP services and zero-touch AP configuration, the Cisco 2106 is built for SMB sites that don’t have on-site IT support, like the branch offices of a distributed organisation (i.e. sites that lean on the corporate infrastructure and support teams when things go wrong).

The Cisco 4400 series is built for medium to large enterprise/business.

  • Cisco 4402
    • 2 GigabitEthernet (GE) ports
    • Configurations that support 12, 25, and 50 APs
    • One Expansion Slot
  • Cisco 4404
    • 4 GE ports
    • Support for 100 APs
    • Two Expansion slots

Optional redundant power supplies to ensure maximum availability can be purchased for the 4400 Series.

WLCs are also available for the Cisco Catalyst 6500 and Cisco Integrated Services Routers (ISR) in the form of integrated controllers or controller modules.

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

WLAN Standards

Published
by
Deon Botha
on May 15, 2008
in 802.11, Access Point, BCMSN, Certification, Cisco Systems, Concepts and Constructs and Wireless
. 0 Comments

This is generally a nice-to-know topic; if you don’t want to know the basics of “how” it works but rather just care that it works, this might not be “light” reading.

There are “generally” (dependent on your country) three unlicensed bands:

  1. 900-MHz Industrial, Scientific and Medical (ISM) band (902-MHz to 928-MHz)
  2. 2.4-GHz Industrial, Scientific and Medical (ISM) band (2400-MHz to 2483-MHz; Japan to 2495-MHz)
  3. 5-GHz Unlicensed National Information Infrastructure (UNII) band (5150-MHz to 5350-MHz and 5725-MHz to 5825-MHz) (not all countries support 802.11a)

Radio Frequency Transmission (for dummies, i.e. with no electrical/electronic engineering background, a.k.a. ME):

Radio frequencies (RF) are radiated (why does this not make me feel better, I’ve seen what a microwave does when it radiates things) into the air by antennas that create radio waves. When radio waves propagate through or into objects they may be absorbed (walls) or reflected (metal). This absorption may cause areas of low signal.

Radio wave propagation is affected by three factors:

  • Reflection: when RF waves bounce off objects (metal, glass)
  • Scattering: when RF waves strike uneven surfaces and are reflected in many directions
  • Absorption: when RF waves are absorbed by objects (concrete, bricks, walls)

Data Transmission over Radio Waves (for dummies, i.e. with no electrical/electronic engineering background, a.k.a. ME):

  1. Higher data rates (faster connections) have shorter range because the receiver needs a stronger signal with a better signal-to-noise ratio (SNR) to recover the information.
  2. Higher transmit power results in greater range. To double the range, the power has to be increased by a factor of 4 (four), because the signal spreads over an area that grows with the square of the distance.
  3. Higher data rates require more bandwidth. More bandwidth is available at higher frequencies.
  4. Higher frequencies have shorter range because of greater attenuation and absorption. More efficient antennas can compensate for this effect.

WLAN Regulations and Standardizations:

Regulatory Agencies control the use and enjoyment of RF bands. The two main regulatory agencies are the FCC (USA) and ETSI (Europe) (South Africa and EMEA region if in doubt follow ETSI).

Network (802) standardization is done by the IEEE. The wireless (802.11) standards are part of the 802 family; these include 802.11a/b/g and 802.11n, which is soon to be finalized/ratified.

Finally the Wi-Fi Alliance offers certification for vendors of 802.11 products so that their products are interoperable. The Wi-Fi Alliance certifications cover all three 802.11 RF technologies and the Wi-Fi Protected Access security model: WPA (2003), based on a draft of IEEE 802.11i, and WPA2, based on the ratified 802.11i standard (2004).

IEEE 802.11b

Ratified Sept 1999

Operates in the 2.4-GHz ISM Band

Specifies direct sequence spread spectrum (DSSS)

Specifies four data rates up to 11-Mbps (1, 2, 5.5, and 11-Mbps)

Bandwidth per user (kbps) = Throughput (Mbps) × 1024 / Users

2.4-GHz Channels

Wireless-2.4-Channels

Up until this point wireless channels might not have made “sense” if you weren’t, as I joked, “previously advantaged” with an electrical or electronic engineering qualification. Those ladies and gents are force-fed this amongst other things for at the very least a semester at university, so they know this kind of thing backwards (I know how they complained about it). If you are like myself a business grad then this is all new.

What this graph shows (pay attention to the grey highlight) is 3 non-overlapping channels (except for Japan). In Japan channel 14 is also allowed, giving 4 non-overlapping channels in total.

This information is region specific and then also country specific (I know South Africa in general follows ETSI, which falls under EMEA). Some countries may allow all 14 channels while others allow fewer.

At a Cisco Tech-Update (I can’t remember the speaker forgive me) Wireless channel usage was explained using the below diagram and it made all the above fall into place for me.

Wireless Channel Use

What the diagram shows is the 2.4-GHz band (visually) with the channels laid out to show how they overlap. This is what 802.11b/g “looks” like with the 3 non-overlapping channels (black).

Example: three non-overlapping channels (1, 6, and 11) that do not share spectrum. There would be no degradation in throughput if 3 APs were to operate in the same cell using channels 1, 6, and 11, because each radio has its own channel.

To show the maths: 3 APs on 3 non-overlapping channels (1, 6, and 11) provide an aggregate data rate for the cell of 33-Mbps (11-Mbps x 3), with an aggregate throughput of approx. 16-Mbps (33-Mbps/2, since roughly half of the raw data rate is lost to 802.11 protocol overhead).

Example: three APs sharing the same channel, in the same cell.

To show the maths: 3 APs on the same channel (1, 1, and 1) provide an aggregate data rate of only 11-Mbps and an aggregate throughput of roughly 6-Mbps, because all three radios contend for the same medium.

Example: three APs on overlapping channels, in the same cell.

To show the maths: with 3 APs on overlapping channels (1, 2, and 3) the throughput could drop to well below 1-Mbps due to interference, which is worse than simply sharing one channel.

Channel Reuse

At the same Tech Update they explained how, using the non-overlapping channels, a deployment can be done so that no two bordering cells share a channel. Imagine the cells from the top down, on an overlay of an office plan, looking like the diagram below.

Wireless Cell Re-Use
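As an added example (not code from the original notes), the overlap test, the cell maths from the three examples above and the channel-reuse planning from this section, in Python. The centre frequencies (2412 MHz for channel 1 in 5 MHz steps, 2484 MHz for channel 14) and the 22 MHz DSSS channel width are the standard 802.11b values; the honeycomb floor plan is constructed, and the “throughput is about half the data rate” rule is the notes’ own rule of thumb, not a measurement.

```python
NON_OVERLAPPING = (1, 6, 11)
CHANNEL_WIDTH_MHZ = 22          # DSSS (802.11b) channel width


def centre_mhz(channel: int) -> int:
    """Centre frequency of a 2.4-GHz channel: 2412 MHz plus 5 MHz steps for 1-13; channel 14 sits at 2484 MHz."""
    if channel == 14:
        return 2484
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} is not a 2.4-GHz channel")
    return 2412 + 5 * (channel - 1)


def overlaps(a: int, b: int) -> bool:
    """Two channels share spectrum when their centres are closer than one channel width (a channel overlaps itself)."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ


def cell_estimate(channels, rate_mbps: float = 11.0) -> dict:
    """Rule-of-thumb aggregate data rate / throughput for several APs in one cell, as in the examples above."""
    distinct = sorted(set(channels))
    if any(overlaps(a, b) for a in distinct for b in distinct if a < b):
        # Partially overlapping channels interfere; the notes only say throughput drops well below 1 Mbps.
        return {"data_rate_mbps": None, "throughput_mbps": None, "note": "overlapping channels: interference"}
    # Each non-overlapping channel is an independent radio; APs on the same channel share one medium.
    data_rate = rate_mbps * len(distinct)
    return {"data_rate_mbps": data_rate, "throughput_mbps": data_rate / 2,
            "note": f"{len(channels)} APs on {len(distinct)} non-overlapping channel(s)"}


def plan_channels(neighbours: dict, channels=NON_OVERLAPPING) -> dict:
    """Assign a channel to every cell so that no two bordering cells share one (backtracking; small plans only).

    neighbours maps cell -> iterable of bordering cells and is assumed to be symmetric."""
    order = sorted(neighbours, key=lambda c: -len(neighbours[c]))   # most constrained cells first
    plan = {}

    def place(i: int) -> bool:
        if i == len(order):
            return True
        cell = order[i]
        for ch in channels:
            if all(plan.get(n) != ch for n in neighbours[cell]):
                plan[cell] = ch
                if place(i + 1):
                    return True
                del plan[cell]
        return False

    if not place(0):
        raise ValueError("cannot avoid bordering reuse with these channels")
    return plan


def plan_is_valid(plan: dict, neighbours: dict) -> bool:
    """No bordering cells on the same or on overlapping channels."""
    return all(not overlaps(plan[c], plan[n]) for c in neighbours for n in neighbours[c])


def honeycomb() -> dict:
    """Constructed floor plan: one centre cell ringed by six cells, like the classic reuse diagram."""
    ring = [f"R{i}" for i in range(1, 7)]
    layout = {"C": list(ring)}
    for i, cell in enumerate(ring):
        layout[cell] = ["C", ring[(i - 1) % 6], ring[(i + 1) % 6]]
    return layout


if __name__ == "__main__":
    for chans in ([1, 6, 11], [1, 1, 1], [1, 2, 3]):
        print(chans, cell_estimate(chans))
    floor = honeycomb()
    print(plan_channels(floor), plan_is_valid(plan_channels(floor), floor))
```

Because the centre cell borders every ring cell, the planner gives the centre one channel and alternates the other two around the ring, which is exactly the pattern in the diagram above; a floor plan where four cells all border each other cannot be covered with three channels and the planner raises instead of silently reusing a channel on a border.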

Data Rates

WLAN clients (end-devices) can shift data rates as they move. The closer you are to an AP the better the coverage (11-Mbps); as you move away from the AP the rate steps down (5.5-Mbps, then 2-Mbps, then 1-Mbps) until there is no signal. This data rate shifting occurs without user interaction or connection loss.

This rate shifting also happens on a transmission-by-transmission basis, whereby the AP can support multiple clients at multiple speeds (meaning transmission 1 might be at 11-Mbps and transmission 2 at 1-Mbps, depending on the end-user’s location).

IEEE 802.11a

Ratified Sept 1999

Operates in the 5-GHz UNII band

Uses orthogonal frequency-division multiplexing (OFDM)

Specifies eight data rates up to 54-Mbps (6, 9, 12, 18, 24, 36, 48, 54-Mbps)

FCC – 12 to 23 non-overlapping channels

ETSI – up to 19 non-overlapping channels

Regulatory differences across countries

802.11a requires Transmit (Tx) power control and dynamic frequency selection (802.11h)

Bandwidth per user (kbps) = Throughput (Mbps) × 1024 / Users

5-GHz Channels

802.11a must comply with two features from 802.11h, namely Transmit Power Control (TPC) and Dynamic Frequency Selection (DFS).

TPC links back to the basics: the more transmit power pumped into an AP, the greater the range. TPC is where an AP exchanges transmit power information with end-device adapters. This has a twofold advantage:

  1. end-device adapters use only enough power to maintain association with APs at any given data rate, in turn conserving energy (good for mobile devices, and currently for Eskom).
  2. end-devices contribute less to adjacent-cell interference.

DFS is where the AP monitors the 5-GHz RF spectrum for radar installations in the environment and, if any are found, flags the affected channel(s) as unavailable. DFS continually monitors the operating environment for changes during operation.

IEEE 802.11g

Ratified June 2003

Operates in the 2.4-GHz ISM Band as 802.11b

Uses direct sequence spread spectrum (DSSS) with complementary code keying (CCK) and orthogonal frequency-division multiplexing (OFDM)

Specifies twelve data rates up to 54-Mbps (1, 2, 5.5, 11-Mbps DSSS/802.11b and 6, 9, 12, 18, 24, 36, 48, 54-Mbps OFDM).

Bandwidth per user (kbps) = Throughput (Mbps) × 1024 / Users

Security and Mitigation of Wireless Risks

Linking back to the beginning of this post and why wireless could potentially be a security threat: the process of wireless is that “radio frequencies (RF) are radiated into the air by antennas that create radio waves”, and in turn your network data travels across those radio waves from source (server or point A) to destination (end-device or point B), where anyone with a receiver in range can pick it up.

This wireless communication, if left unsecured, leaves a wide open method of access to anyone who wants to enter, use and abuse your enterprise infrastructure. With the low cost of IEEE 802.11 wireless equipment these days, adoption is gaining in the mass market (home, small office/home office (SOHO), small and medium business (SMB)). With greater mass-market adoption the products become easier to use, deploy and implement (graphical user interface (GUI) deployments and out-of-the-box operation). This large adoption also makes for sub-business-class, consumer-grade products making a regular appearance in server rooms, business settings and other environments where they are definitely not meant to be (don’t get me wrong, consumer products work great for a family of 5 people but aren’t built or designed to handle an office of 10 people or a department of 50 people).

There are many large telcos (Telkom) that offer pre-configured Wi-Fi combination routers with their DSL accounts. Most if not the majority of users literally plug and play (plug it in and use it with the default settings, including the default SSID, the default administrator password and whatever encryption, if any, is on by default). This is a very conducive environment for “war driving”, whether for the single purpose of free Internet or for collecting sensitive information through the use of various freely available tools and applications.

The Process

Anyone implementing wireless needs to at the very least consider security, which is a three-step process of Authentication (802.1X carrying an Extensible Authentication Protocol (EAP) method), Encryption (Wi-Fi Protected Access: WPA with TKIP, or WPA2 with AES-CCMP, with TKIP only as a fallback for legacy clients) and Intrusion Detection and Protection (IDS and IPS).

Wireless Association

Looking at how end-devices (clients like notebooks, smartphones, PDAs) associate with APs then something I mentioned in a previous post will crystallize.

APs broadcast (send out) beacons with SSIDs (one or many), supported data rates and other information. The end-device scans the available channels looking for beacons and probe responses from APs. The end-device then in turn associates with the AP with the strongest signal.

If you are using a mobile device and moving with your device and signal becomes weak this process will repeat.

It is during this association process that SSID, MAC address and security settings are sent from end-device to the AP and checked. This is what we are going to be talking about in the next couple of paragraphs.

Authentication

Once an end-device has associated, it authenticates via the 802.1X protocol. The end-device is called the supplicant; it talks to an autonomous AP* (called the authenticator), which in turn relays the authentication to an Authentication, Authorization and Accounting (AAA) server such as Cisco Secure ACS, reached over RADIUS.

*With LWAPP the WLAN controller acts as the authenticator and in turn communicates and authenticates with the AAA server.

Encryption

After authentication is successful (if unsuccessful the connection is denied) data between the end-device and the AP is sent encrypted with either TKIP (WPA) or AES-CCMP (WPA2); the per-session keys used for this are derived from the authentication exchange, which is why authentication has to come first.

Definitions

Signal-to-Noise


WLAN Infrastructure Topologies

Published
by
Deon Botha
on May 14, 2008
in 802.11, Access Point, BCMSN, Certification, Cisco Systems, Concepts and Constructs and Wireless
. 2 Comments

As talked about in the previous post, the difference between a wired LAN and a Wireless Local Area Network (WLAN) is that the Layer-1 transmission medium of a traditional wired local area network (LAN) (CAT-5 cable) is replaced with Radio Frequency (RF) transmissions.

What follows is the pimping of Cisco Aironet products and where they fit into three main wireless categories:

Wireless in-building LANs for client Access: The Cisco Aironet products can plug into an existing wired infrastructure and function like an overlay to the existing LAN or even replace the wired LAN.

Wireless Building-to-Building bridges: The Cisco Aironet products can provide wireless bridging to connect two or more networks that are physically separated to be connected on one LAN without the time or expense required to get physical lines to be installed.

Wireless mesh networks: Mesh networking is a mixture of the above two categories. Mesh networking provide dynamic, redundant, fault-tolerant links for building and client access.

Service Set Identifier (SSID)

Myth: hiding the SSID (not broadcasting it) makes a wireless network secure.

The SSID is the “name” of a wireless network; this name is used to logically separate WLANs. The SSID must match exactly between the client and the access point for them to connect. The Access Point (AP) sends the SSID out in beacons.

The beacons are broadcasts that an AP sends to advertise available services, and they go out whether the SSID is hidden or not; hiding only blanks the SSID field in the beacon. The SSID is still sent in clear in probe responses and association requests, so anyone sniffing the channel learns it as soon as a client connects. Treat SSID hiding as housekeeping, not as a security control. (Clients can be configured without an SSID, in which case they learn the SSID from the beacons of the AP.)
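As an added example (not from the original notes, and not Cisco code), a small parser for 802.11 beacon and probe-response frames that makes the myth above concrete, and that also decodes the RSN element so the TKIP-versus-AES point from the encryption section of the WLAN Standards post can be checked on the wire. The three frames are constructed inline (BSSIDs and SSIDs are made up); the 24-byte header, 12 bytes of fixed fields and tag/length/value elements follow the standard management-frame layout, and the RSN suite numbers (2 = TKIP, 4 = CCMP; AKM 1 = 802.1X, 2 = PSK) are the 802.11i values.

```python
import struct

BEACON, PROBE_RESPONSE = 8, 5             # 802.11 management frame subtypes
SSID_IE, DS_PARAM_IE, RSN_IE = 0, 3, 48   # information element tags
RSN_OUI = b"\x00\x0f\xac"
CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP (AES)", 5: "WEP-104"}
AKM = {1: "802.1X", 2: "PSK"}


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_frame(subtype: int, bssid: str, ssid: bytes, channel: int,
                pairwise=(4,), akm=(1,), group=4) -> bytes:
    """Constructed beacon/probe response: 24-byte header, 12 bytes of fixed fields, then the IEs."""
    frame_control = struct.pack("<H", subtype << 4)          # type 0 (management), subtype in bits 4-7
    header = frame_control + b"\x00\x00" + mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(bssid) * 2 + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0011)              # timestamp, beacon interval, capabilities (ESS+privacy)
    ies = bytes([SSID_IE, len(ssid)]) + ssid + bytes([DS_PARAM_IE, 1, channel])
    rsn = struct.pack("<H", 1) + RSN_OUI + bytes([group])
    rsn += struct.pack("<H", len(pairwise)) + b"".join(RSN_OUI + bytes([p]) for p in pairwise)
    rsn += struct.pack("<H", len(akm)) + b"".join(RSN_OUI + bytes([a]) for a in akm) + b"\x00\x00"
    return header + fixed + ies + bytes([RSN_IE, len(rsn)]) + rsn


def parse_ies(data: bytes) -> list:
    """Tag/length/value walk; a list, because some tags (vendor-specific 221) may legitimately repeat."""
    out, off = [], 0
    while off + 2 <= len(data):
        tag, length = data[off], data[off + 1]
        out.append((tag, data[off + 2: off + 2 + length]))
        off += 2 + length
    return out


def parse_rsn(data: bytes) -> dict:
    def suites(off):
        count, = struct.unpack_from("<H", data, off)
        off += 2
        types = []
        for _ in range(count):
            if data[off:off + 3] != RSN_OUI:
                raise ValueError("non-standard suite OUI")
            types.append(data[off + 3])
            off += 4
        return types, off
    version, = struct.unpack_from("<H", data, 0)
    if version != 1 or data[2:5] != RSN_OUI:
        raise ValueError("unsupported RSN IE")
    group = data[5]
    pairwise, off = suites(6)
    akm, _ = suites(off)
    return {"group_cipher": CIPHER.get(group, group),
            "pairwise_ciphers": [CIPHER.get(p, p) for p in pairwise],
            "akm": [AKM.get(a, a) for a in akm],
            "tkip_allowed": 2 in pairwise or group == 2}


def parse_frame(frame: bytes) -> dict:
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (BEACON, PROBE_RESPONSE):
        raise ValueError("not a beacon or probe response")
    info = {"kind": "beacon" if subtype == BEACON else "probe-response",
            "bssid": ":".join(f"{b:02x}" for b in frame[16:22]),
            "ssid": None, "ssid_hidden": True, "channel": None, "rsn": None}
    for tag, value in parse_ies(frame[36:]):
        if tag == SSID_IE and value and set(value) != {0}:     # hidden SSIDs are empty or NUL-filled
            info["ssid"], info["ssid_hidden"] = value.decode("utf-8", "replace"), False
        elif tag == DS_PARAM_IE and value:
            info["channel"] = value[0]
        elif tag == RSN_IE:
            info["rsn"] = parse_rsn(value)
    return info


def audit(frames: list) -> dict:
    """Per BSSID: what a passive sniffer learns, even when the beacon SSID is hidden."""
    result = {}
    for frame in frames:
        p = parse_frame(frame)
        entry = result.setdefault(p["bssid"], {"ssid": None, "hidden_in_beacon": False, "channel": None, "rsn": None})
        if p["kind"] == "beacon":
            entry["hidden_in_beacon"] = p["ssid_hidden"]
        if p["ssid"]:                                          # probe responses carry the SSID regardless
            entry["ssid"] = p["ssid"]
        entry["channel"] = p["channel"] or entry["channel"]
        entry["rsn"] = p["rsn"] or entry["rsn"]
    return result


def constructed_capture() -> list:
    """Three made-up frames: a hidden-SSID beacon, the probe response that exposes its name, and a WPA/TKIP beacon."""
    return [build_frame(BEACON, "00:1a:2b:3c:4d:5e", b"", 6),
            build_frame(PROBE_RESPONSE, "00:1a:2b:3c:4d:5e", b"corp-wlan", 6),
            build_frame(BEACON, "00:1a:2b:3c:4d:99", b"guest", 11, pairwise=(2, 4), akm=(2,), group=2)]


if __name__ == "__main__":
    for bssid, facts in audit(constructed_capture()).items():
        print(bssid, facts)
```

Run against a real capture the same `audit` gives you, per BSSID, the name the “hidden” network answers to, its channel and whether it still negotiates TKIP; the first is why hiding the SSID buys nothing, the last is what to fix on the AP before worrying about the SSID at all.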

The Topology Basic

Wireless

Extended Service Set: two or more Basic Service Sets (mobile clients use a single AP to connect) connected by a common distribution system (backbone). An Extended Service Set uses a common SSID to allow roaming from AP to AP without client configuration.

The diagram shows the WLAN topology with 2 APs and some devices (Microsoft Icons) that I know to be Wi-Fi capable (from left to right tablet notebook, projector, PDA, smartphone, notebook).

Wireless Cell: the basic area is the RF coverage provided by an AP on one channel (Channel 1 or Channel 2, NOT both). This area is also called the “microcell“. To extend/enlarge the basic area one simply adds APs (recently the microcell has moved to the picocell, reducing AP coverage by reducing power and increasing the total number of APs deployed).

The basic area of an AP is called the Basic Service Set; the combined area of the APs is called the Extended Service Set (there is a recommended 10 to 15% overlap between cells for data networks to allow roaming without losing the RF connection, and 15 to 20% overlap for voice/data/video networks). Bordering cells should be set to different non-overlapping channels for best performance (more on this later).

Access Point: the name is self explanatory if you reverse it: Point “of” Access. As the name denotes, this is the point at which client devices connect to/access the wireless network. The APs then connect to the Ethernet backbone and facilitate the communication between wired and wireless networks.

The AP is the master of a given cell and manages/controls traffic to and from the network (remote devices do not communicate with each other directly; they communicate through the AP).

Picocell: the benefit of a picocell is better coverage, less interference, higher data rates, and fault tolerance through convergence. When an AP goes down, the neighbouring APs expand coverage by increasing power (this increases the RF range) to cover for the lost AP. (Look into WLAN controllers, because this quickly gets complicated to do manually with, say, more than 5 APs.)

Wireless Repeater

Wireless Repeater

In environments (factory floors, doctors’ rooms, large retail, wholesale storehouses) where it is just not practical to put down a wired LAN, or the application of the network wouldn’t work with a wired system, a wireless repeater can be put down.

A wireless repeater is an AP that is not connected to the wired LAN (it requires 50% overlap with the cell of the AP on the wired LAN side). This setup however has a large throughput impact: throughput is halved, because every frame has to be received and then retransmitted on the same channel.

The SSID of the AP (the one on the left) must be configured on the wireless repeater (the one on the right). The wireless repeater uses the same channel as the AP (NB: not all implementations support this).

Workgroup Bridge

Wireless Work Group Bridge

A Cisco Wireless Workgroup Bridge (WGB) (reference: Cisco Q&A document) connects to the Ethernet (RJ-45) port of any end-device (if it has an Ethernet port and is therefore networkable) that doesn’t have a WLAN Network Interface Card (NIC), either because the end-device doesn’t have a Peripheral Component Interconnect (PCI) slot, Personal Computer Memory Card International Association (PCMCIA) slot or USB slot, or because it lacks software for WLAN connectivity.

A WGB provides a single-MAC-address connection into an AP and in turn onto the wired LAN backbone (the WGB cannot work in peer-to-peer mode). Another option is to connect a remote workgroup’s wired LAN. To implement a remote workgroup installation (i.e. multiple MAC addresses) the WGB is connected to a hub/switch with an Ethernet patch cable (for single-MAC-address use, a crossover cable) (NB: not all implementations support this).

Ad-hoc mode

Wireless Ad Hoc Mode

Ad-Hoc Mode: this is called an Independent Basic Service Set (IBSS). Mobile clients connect directly without an AP.

Peer-to-Peer (P2P), a.k.a. ad-hoc mode networking, is the opposite of a server-client model (duh). This can be in a wired or wireless environment and is where a group of end-devices come together and form an ad-hoc/P2P network with each other to share files, pictures, music, movies and applications (the ease and current application (Kazaa and torrents) of this type of network is the main reason the RIAA hates ad-hoc/P2P networks).

In a WLAN the coverage is very limited, since all users must be within wireless reception distance of each other. There are a couple of problems with P2P “office” networks, one being that security is almost non-existent; other problems are that there is no central location for any files, applications, or printing.

In most P2P environments I have found that the receptionist is given the “server-role” PC, which creates other larger problems. The person at the front desk in a company is the receptionist; in case of a theft the first computer out the door is the server. In most cases the most “spam” is received by a receptionist (classing teddy-bears, hearts and hugs, chain-mail, friend-mail, etc. as spam), and being on numerous forwarding lists increases the risk of virus, trojan or worm infection. If the company allows internet access to employees it’s only a matter of time before the “server” begins doing its own thing.

In a WLAN it is not a good idea (in other words, just don’t do it) to connect a server, or a server-role computer, using wireless.

Roaming

Wireless Roaming

The roaming “feature” of wireless allows a mobile user to move from one cell to another without a drop in signal or the need to manually change network settings. Roaming is enabled by complete coverage with overlapping wireless cells.

  1. Seamless roaming allows for users to move around from one cell to another.
  2. Power management lengthens the battery life of portable devices (i.e. they don’t have to search for wireless networks all the time)
  3. Dynamic Load Balancing distributes users among access points to increase throughput for each user.
  4. AP with overlapping coverage cells and redundant switches provide fault tolerant WLAN networks.

A user experiences “roaming” when one of the following conditions is met:

  1. The maximum data retry count is exceeded.
  2. The client has missed too many beacons from the access point.
  3. The client has reduced the data rate.
  4. The client intends to search for a new AP at periodic intervals.

Roaming without service interruption requires identical SSIDs, VLANs and IP subnets on all APs. The client initiates the roaming when it searches for another AP with the same SSID, authenticates to it and sends a re-association request (for voice and video short roaming times are important).

Layer-2 and Layer-3 Roaming

Wireless Layer-2 and Layer-3 Roaming

Roaming from one AP to another AP on the same subnet (Cell 1 to Cell 2) would be considered Layer-2 roaming (data link layer). Roaming between APs that reside on different subnets (Cell 1 to Cell3) would be considered Layer-3 roaming (network layer).

Layer-2 roaming is managed by the APs, using multicast packets that inform the switches that a device has moved. The protocol between the APs is called the Inter-Access Point Protocol (IAPP).

Layer-3 roaming is managed by either Mobile IP or the Lightweight Access Point Protocol (LWAPP) with a WLAN controller.

Mobile IP: allows a device to keep a fixed IP address from its home subnet while it moves. It relies on devices like routers (home agents and foreign agents) to tunnel traffic to the mobile device. This was used in legacy WLANs.

Wireless VLAN Support

Switches use VLANs to separate traffic. WLAN APs can in turn extend the VLANs by mapping VLANs to SSIDs. The VLANs then share the same wireless cell and channel, the end result being virtualization of the AP.

Through the use of trunking (ISL or 802.1Q) the VLANs can be carried from the switch to the APs, allowing roaming throughout the enterprise. A Cisco Aironet AP can be configured with 8 to 16 VLANs for system design flexibility. (Some client NICs require SSID broadcast; the AP can be configured for SSID broadcast per VLAN.)

Wireless Enterprise (read business) Voice Architecture

Wired LAN voice (IP phone) networks can be extended using the 802.11e standard, which specifies QoS upstream and downstream for WLAN networks. This is very important because of the delay-sensitive nature of voice.

Wireless Mesh Networks

A mesh network infrastructure is decentralized and inexpensive because each node needs to transmit only as far as the next node (WirelessAfrica). The nodes act as repeaters to relay data from nearby nodes to peers that are too far away to reach. The result is a network that can span a large area (cost effectively if each node is owned by individuals).

Mesh networks are reliable because each node connects to several other nodes. Wireless mesh networks differ from conventional infrastructure wireless networks in that only a subset of nodes need to be directly connected to the wired network. Extra capacity can be added by installing more nodes. Through the use of the Cisco Adaptive Wireless Path Protocol (AWPP) each device can find a way back to a wired AP and thus, by extension, to the network. Paths (of which there are multiple) through the network can change in response to traffic load, radio conditions, or traffic prioritization. The network can cover more distance by using wireless-to-wireless connectivity. Unlicensed bandwidth (cheap) and wireless routing allow microcells to interconnect over wireless backhaul links.

AWPP

AWPP allows APs to communicate with each other to determine the best path back to the wired network. After the optimal path is established, AWPP continues to run as a background service to establish alternate paths to the wired network, or to react if topology changes or other conditions cause the link strength to diminish. (AWPP runs on each AP.)

AWPP is a wireless protocol by design and takes into consideration wireless radio factors like interference to make a mesh network self-configuring and self-healing. Because wireless is dynamic, an addition to the network causes AWPP to reconfigure paths back to the wired network automatically. AWPP also uses stickiness to mitigate route flaps (a disconnection or temporary disruption doesn’t cause a mesh change).
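As an added example (not from the original notes, and not Cisco’s AWPP implementation), a toy mesh AP in Python that shows the three behaviours described in this section: shortest-path selection back to a wired root AP, the “stickiness” that keeps the current path unless a new one is clearly better, and self-healing when the current path breaks. The link costs, node names, the 20% improvement margin and the four-step scenario are all constructed for the example; AWPP’s real metric and thresholds are not on the page.

```python
import heapq

INF = float("inf")


def add_link(links: dict, a: str, b: str, cost: float) -> None:
    """Symmetric radio link. The cost is a made-up 'higher is worse' metric (AWPP's real metric is not on the page)."""
    links.setdefault(a, {})[b] = cost
    links.setdefault(b, {})[a] = cost


def path_cost(links: dict, path: list) -> float:
    """Cost of an existing path, or INF if the path is empty or any hop on it has disappeared."""
    if not path:
        return INF
    total = 0.0
    for a, b in zip(path, path[1:]):
        if b not in links.get(a, {}):
            return INF
        total += links[a][b]
    return total


def best_path(links: dict, start: str, roots: set) -> tuple:
    """Dijkstra from a mesh AP to the cheapest wired root AP; returns (cost, path) or (INF, [])."""
    dist, prev, heap = {start: 0.0}, {}, [(0.0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        if node in roots:
            path = [node]
            while path[-1] != start:
                path.append(prev[path[-1]])
            return d, path[::-1]
        for nxt, cost in links.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nxt, INF):
                dist[nxt], prev[nxt] = nd, node
                heapq.heappush(heap, (nd, nxt))
    return INF, []


class MeshNode:
    """A mesh AP that keeps its current path unless a new one is better by `margin` (stickiness; 20% assumed)
    or the current path has broken (self-healing)."""

    def __init__(self, name: str, roots: set, margin: float = 0.2):
        self.name, self.roots, self.margin = name, roots, margin
        self.path, self.cost = [], INF

    def update(self, links: dict) -> bool:
        """Re-run path selection against the current radio conditions; returns True when the path changed."""
        current = path_cost(links, self.path)
        cost, path = best_path(links, self.name, self.roots)
        if current == INF or cost < current * (1 - self.margin):
            changed = path != self.path
            self.path, self.cost = path, cost
            return changed
        self.cost = current                      # stick with the existing path but track its new cost
        return False


def scenario() -> list:
    """Constructed sequence: initial selection, a small improvement that is ignored, a degradation, a link loss."""
    links = {}
    add_link(links, "MAP1", "RAP-A", 10)
    add_link(links, "MAP1", "MAP2", 3)
    add_link(links, "MAP2", "RAP-B", 5)
    node = MeshNode("MAP1", {"RAP-A", "RAP-B"})
    log = [(node.update(links), list(node.path))]        # via MAP2, cost 8
    add_link(links, "MAP1", "RAP-A", 7)                  # direct path now 7: not 20% better than 8, so sticks
    log.append((node.update(links), list(node.path)))
    add_link(links, "MAP2", "RAP-B", 15)                 # current path degrades to 18: switch to direct (7)
    log.append((node.update(links), list(node.path)))
    del links["MAP1"]["RAP-A"], links["RAP-A"]["MAP1"]   # direct link lost: self-heal back via MAP2 (18)
    log.append((node.update(links), list(node.path)))
    return log


if __name__ == "__main__":
    for changed, path in scenario():
        print("changed" if changed else "kept  ", " -> ".join(path))
```

The margin is what turns a route-flapping graph into a stable one: without it the second step would have switched to the direct link for a one-unit gain and then switched back on the next fluctuation.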


Wireless and WLANs and related Technologies

Published
by
Deon Botha
on May 12, 2008
in 802.11, Access Point, BCMSN, Certification, Cisco Systems and Wireless
. 1 Comment

You will all probably see that I have no love lost for wireless as I do these notes; I really love to hate and hate to love wireless. It’s maybe because it’s so unpredictable, I don’t know. But without further ado, let’s get right into the thick of things.

There are various types of wireless, broadly speaking. What follows below is the list of “wireless” data technologies available:

Wireless-Data-Technologies

Moving swiftly forward; thinking back to CCNA studies the different type(s) of network(s) and respective sizes that defined and characterized those networks now becomes important. A wireless Technology is defined by its tangible and intangible characteristics, think carefully about that statement and its application.

I won’t have a UMTS network (no matter how cool it would be on the bragging rights) as my home network or Small Office Network, even if it might/could/would support voice, video and data just like my 802.11 a/b/g/n network. (I’m not going to start on how fried your brain might get.)

Personal Area Networks (PAN): This is marketing and advertising buzz (at least consider it as such). These technologies are Infrared (IR) and Bluetooth. The distance is painfully short and designed to cover your personal work-space environment. Think mobile to headset, notebook to printer, mobile to mobile (all peer-to-peer and device to device) and, in the case of IR, line of sight. In this category you own the products and therefore there is no charge for “airtime”.

Local Area Networks (LAN): Like a wired LAN, the Wireless LAN (WLAN) is enterprise-based, allowing the same enterprise (company) applications to be used without wires. WLANs since 802.11n have reached and surpassed 10/100 spec wired networks with a connectivity speed of 300 Mbps maximum (this I think is marketing for when the wind is blowing in the right direction, you are standing on one leg, there is no interference and no other users on the network). WLANs are like PANs in that the customer owns 100% of the network, thus there are no “airtime” charges.

Metropolitan Area Networks (MAN): These wireless networks are deployed inside an urban area and allow connection within that area without the use of wires. Wireless MANs can connect at up to the speed of DSL broadband (define broadband) but not much faster. These networks can be run and maintained by a licensed carrier requiring customers to purchase airtime, or by an entity (mostly public) like the police, emergency services, etc. Examples are multichannel multipoint distribution service (MMDS) and local multipoint distribution service (LMDS).

Wide Area Network (WAN): The Wireless WAN is typically slower, with more coverage than the “smaller” network technologies. These networks usually cover rural areas or larger-scale areas. Due to the infrastructure requirements, scale and scope of the network, they all require the purchase of airtime for data transmission. Examples are General Packet Radio Service (GPRS) and code division multiple access (CDMA).

WLANs

A Wireless Local Area Network (WLAN) is similar to an Ethernet network in many ways. WLANs are shared networks, as are Ethernet networks. An Access Point (AP) functions like an Ethernet hub, for all intents and purposes aggregating and relaying network traffic to and from end devices. In any wireless cell only one station can transmit data at any time, while all others listen.

The transmission setup of wireless is similar to that of coax cable or half-duplex Ethernet working through an Ethernet hub. The average data rate per station is the total bandwidth divided by the total number of stations connected to that AP. In reality the actual data throughput is less than that calculation suggests because of wireless-specific issues.

Use

WLANs are meant for local networks and not WANs. They are used inside buildings, for line-of-sight outdoor building-to-building bridging, or a combination of both. No license is required for WLANs (country specific). A WLAN is not a cellular network; it does not provide packet data transmission for cellular phones.

Similarities

WLANs are 802 LANs (802.11 to be specific). The data in WLANs is sent over radio waves while wired LANs send data over wires (duh). Both WLANs and wired LANs define physical and data link layers and use MAC addresses. The same applications can be used on WLANs and wired LANs.

Differences

In WLANs radio frequencies (RF) are used as the physical layer of the network. WLANs use carrier sense multiple access with collision avoidance (CSMA/CA) and not carrier sense multiple access with collision detection (CSMA/CD), because collision detection is not possible: a sending station can’t receive at the same time that it is transmitting and thus cannot detect a collision. Instead, Request to Send (RTS) and Clear to Send (CTS) exchanges are used to avoid collisions. In addition, WLANs use different frame formats, needing more information in the layer-2 header of the frame.

Radio waves have problems (read: lots of) not found with wires. Connectivity issues in WLANs can be caused by several problems: RF transmission, multipath distortion, and interference from other wireless services or other WLANs. There are security and privacy issues because a radio signal doesn’t stop at the property boundary and can therefore be picked up by someone off-site.

In WLANs mobile clients are used to connect to the network; these mobile devices don’t have a physical wired connection to the network and often run on battery power as opposed to mains.

WLANs must meet country-specific RF regulations, whereas wired LANs don’t have these country-specific regulations.

History

WLAN technology evolution started in the 1980s using 800-MHz direct sequence spread spectrum (DSSS) technology. DSSS was easy as it required no licenses to use, and a single AP could cover large areas. The single biggest problem with DSSS was that few countries allowed the technology. As time passed, the need for speed, open standards, and global adoption forced manufacturers to engineer products in the 2.4-GHz band sometime in the 1990s.

The 2.4-GHz band put wireless into cleaner RF, which meant less interference from other “devices”; the higher frequency had a range drawback requiring more APs to be placed, but the 860 kbps to 1-2 Mbps speed made up for this. The only problem still remaining with wireless was the proprietary nature of the technology. In 1992 the IEEE drafted the 802.11 standard, making the WLAN standard open.

In July 1997, the IEEE ratified the 2.4-GHz standard to include DSSS technology at the physical layer. The standard specified 1 Mbps as the standard speed and 2 Mbps as the “turbo” speed.

In September 1999 the IEEE ratified the IEEE 802.11a standard (5-GHz at 54 Mbps) and the IEEE 802.11b standard (2.4-GHz at 11 Mbps). Then in June 2003 the IEEE ratified 802.11g (2.4-GHz at 54 Mbps). The 802.11b and 802.11g standards are backward compatible (both use 2.4-GHz). Then sometime in November 2008 the IEEE should maybe finalize an amendment to IEEE 802.11 for 802.11n (2.4-GHz and/or 5-GHz at 300 Mbps (2 streams)).

Terms:

Last Mile Access: From CCNA studies, this refers to the cable that connects a customer’s premises to the telco equipment. The right term for the telco kit is their Central Office (CO), so the last mile runs from the Customer Premises to the Central Office of the telco.

Resources:

Pretoria Wireless Project


VLAN Trunk Protocol

Published by Deon Botha on April 10, 2008 in BCMSN, Certification, Cisco Systems, VLAN and VTP

VLAN Trunk Protocol (VTP) manages a consistent list of VLANs between switches on the enterprise network. All switches that share common information are grouped in VTP management domains. The “global” VLAN information shared between switches is the VLAN number, name and description, thereby keeping the same VLAN information shared between enterprise switches; more particular information like port assignments is kept local to each switch.

What this means is that you will have VLAN information consistent on all switches of the enterprise, but port assignment will have to be done manually on each switch.

Switches within a VTP domain synchronize their VLAN databases by sending and receiving VTP advertisements over trunk links. VTP advertisements are flooded throughout a VTP domain by switches (every 5 minutes or when a change happens) over VLAN 1 (the Cisco default native VLAN) using layer-2 multicast frames.

Describing the VTP:

VTP is a layer-2 messaging protocol that maintains VLAN configuration consistency between switches by managing the additions, deletions, and name changes of VLANs on all switches in a VTP domain. VTP runs over trunk links, allowing interconnected switches to exchange layer-2 frames and synchronize a single list of configured VLANs.

These are the attributes of VTP:

  1. VTP is a Cisco proprietary protocol.
  2. VTP advertises VLANs 1-1005 only.
  3. VTP updates are exchanged only across trunk links.
  4. Each switch operates in a given VTP mode (server, client, transparent), which determines how VTP updates are sent from and received by that switch.

These are the attributes of a VTP Domain:

  1. A switch can only belong to one VTP domain.
  2. A VTP Domain may be as small as only one switch.
  3. VTP Updates will be exchanged only with other switches in the same domain.
  4. The way VLAN information is exchanged between switches in the same domain depends upon the VTP mode on the switch (server, client, transparent).
  5. By default, a Cisco Catalyst switch is in the no-management-domain state until it receives an advertisement for a domain over a trunk link, or until a management domain is configured.

These are the attributes of the VTP modes:

Server:
  • Creates, modifies, and deletes VLANs at the CLI
  • Generates VTP advertisements and forwards VTP advertisements from other switches in the same management domain
  • May update its own VLAN database with information received from other servers in the management domain
  • Saves VLAN configuration information in the “vlan.dat” file in Flash memory

Client:
  • Cannot create, modify, or delete VLANs at the CLI
  • Forwards VTP advertisements received
  • Synchronizes its own VLAN database with the latest information received from a VTP server in the management domain
  • Keeps VLAN information in RAM only, not stored in NVRAM or Flash; it must be repopulated from a VTP server if the switch is powered down

Transparent:
  • Creates, modifies, and deletes VLANs for the VLAN database on the local switch only
  • Does not generate VTP advertisements
  • Does not update its VLAN database with information received from VTP servers in the same management domain
  • Forwards VTP advertisements received from VTP servers in the same VTP domain
  • Always has a configuration revision number of 0
  • Saves VLAN configuration to NVRAM

VTP Versions:

Version 2:

  1. Supports Token Ring Switches.
  2. Consistency checks on new VTP and VLAN configuration parameters.
  3. Propagation of VTP updates that have an unrecognized type, length, or value.
  4. Forwarding of VTP updates from transparent mode switches without checking the version number.

Version 3:

  1. Support for extended VLANs.
  2. Support for the creation and advertisement of private VLANs.
  3. Support for VLAN instances and Multiple Spanning Tree (MSTP) mapping propagation instances.
  4. Improved server authentication.
  5. Protection from the wrong database accidentally being inserted into a VTP domain
  6. Interaction with VTP Version 1 and VTP Version 2.
  7. Ability to be configured on a per-port basis.

VTP Pruning

By default a trunk link carries traffic for all VLANs in a VTP management domain. It is common, however, that not every switch in the enterprise has ports in every VLAN. VTP pruning increases available bandwidth by decreasing traffic on trunk links: flooded traffic for a VLAN is restricted to the trunks that lead to devices with ports in that VLAN.

VTP Configuration Revision Number

When VTP is initially configured the VTP configuration revision number is 0 (zero). Each time a VTP server modifies its VLAN information the configuration revision number is incremented by one. This new revision number is then sent out with the new VTP information and all switches with a lower configuration revision number are updated.
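To make the revision-number behaviour concrete, here is an added toy model (not Cisco code and not from the original notes) of how servers, clients and transparent switches in one domain react to an advertisement carrying a higher revision number than their own, following the mode table above; the switch names, domain name, VLANs and revision numbers are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    domain: str
    mode: str                       # "server", "client" or "transparent"
    revision: int = 0               # VTP configuration revision number
    vlans: dict[int, str] = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid: int, name: str) -> None:
        """CLI VLAN creation: allowed on servers and transparent switches only."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a client cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1      # a transparent switch always stays at 0

    def advertisement(self) -> dict:
        """The server's advertisement: domain, revision and VLAN list."""
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans)}

    def receive(self, adv: dict) -> bool:
        """Apply an advertisement; return True if the local database changed."""
        if adv["domain"] != self.domain or self.mode == "transparent":
            return False            # other domains ignored; transparent never applies
        if adv["revision"] > self.revision:
            self.vlans = dict(adv["vlans"])
            self.revision = adv["revision"]
            return True
        return False


def flood(sender: Switch, domain: list[Switch]) -> list[str]:
    """Flood a server's advertisement to every other switch in the domain
    (trunks modelled as a full mesh); return the switches that overwrote
    their VLAN database."""
    adv = sender.advertisement()
    return [sw.name for sw in domain if sw is not sender and sw.receive(adv)]


def vlans_lost_if_joined(newcomer: Switch, domain: list[Switch]) -> set[int]:
    """Pre-connection check: which VLANs would the domain lose if this
    server were trunked in carrying its current revision number?"""
    members = [sw for sw in domain if sw.mode != "transparent"]
    if (newcomer.domain != members[0].domain or newcomer.mode != "server"
            or newcomer.revision <= max(sw.revision for sw in members)):
        return set()
    existing = set().union(*(sw.vlans for sw in members))
    return existing - set(newcomer.vlans)


def stale_switch_scenario() -> dict:
    """Constructed scenario: a production domain of S1 (server), C1 (client)
    and T1 (transparent) receives an advertisement from S2, a reused lab
    switch with the same domain name but a higher revision number."""
    s1, c1, t1 = (Switch("S1", "campus", "server"),
                  Switch("C1", "campus", "client"),
                  Switch("T1", "campus", "transparent"))
    for vid, name in [(10, "sales"), (20, "eng"), (30, "voice")]:
        s1.add_vlan(vid, name)      # S1 revision is now 3
    flood(s1, [s1, c1, t1])         # C1 synchronizes, T1 only forwards
    t1.add_vlan(40, "lab-local")    # local to T1, revision stays 0
    s2 = Switch("S2", "campus", "server", revision=12,
                vlans={1: "default", 99: "lab"})
    lost = vlans_lost_if_joined(s2, [s1, c1, t1])   # what the check predicts
    updated = flood(s2, [s1, c1, t1, s2])            # what actually happens
    return {"predicted_loss": lost, "overwritten": updated,
            "S1": dict(s1.vlans), "S1_rev": s1.revision,
            "C1": dict(c1.vlans), "T1": dict(t1.vlans), "T1_rev": t1.revision}
```

On Catalyst switches the revision counter returns to 0 when the switch is placed in transparent mode or its VTP domain name is changed, which is why one of those is done before a reused switch is trunked into a production domain.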

ECNM

There are some guidelines for using VTP in the Campus Infrastructure Model:

  1. VTP Domain is restricted to the building Switch blocks.
  2. VTP keeps VLAN information consistent between building distribution layer and building access layer switches.
  3. VTP configuration errors or failures will be confined to the distribution and access layer switches.
  4. Knowledge of all VLANs does not need to exist on all switches within the Campus infrastructure model.


The Two Ways of the VLAN

Published by Deon Botha on April 9, 2008 in Addressing, BCMSN, Certification, Cisco Systems, Concepts and Constructs and VLAN

End-to-End VLAN

The term end-to-end VLAN refers to a single VLAN that spans the entire campus network; this means that switch ports across the campus are associated with that VLAN and may be widely dispersed throughout the network. If there are many of these end-to-end VLANs, then trunks carry all the traffic between switches.

End-to-End VLAN(s) have these characteristics:

  1. The VLAN is geographically dispersed
  2. Users are grouped in a VLAN regardless of physical location
  3. As users move throughout the campus, VLAN membership of that user remains the same
  4. Users are typically associated with a given VLAN for management purposes
  5. All devices on a given VLAN have addresses on the same IP subnet

Reasons for End-to-End VLAN design could be:

Grouping Users: Users can be grouped on a common IP segment, even if they are dispersed geographically.

Security: A VLAN may contain resources that should not be accessible to all users on the network, or there may be a reason to confine certain traffic to a particular VLAN.

Applying QoS: Traffic from a given VLAN can be given higher or lower priority access to network resources.

Routing Avoidance: If much of the traffic is destined for devices on that same VLAN, and routing to these devices is not desired, users can access resources on their VLAN without their traffic being routed off the VLAN.

Special purpose VLAN: Sometimes a VLAN is provisioned to carry a single type of traffic that must be dispersed through the campus (multicast, voice, visitor)

Poor design: For no clear purpose (sales gimmick, executive VLAN) users are placed in VLAN(s) that span the campus or even span WANs.

Considerations:

Switch ports are provisioned for each user and associated with a given VLAN. Because a user on an end-to-end VLAN can be anywhere on the network, all switches must be aware of that VLAN; this means all switches must carry traffic for that VLAN and have the same VLAN database (VTP).

Because all switches carry the same database, all flooded traffic for the VLAN is, by default, passed to every switch even if no active port for that VLAN is currently found on that switch.

Finally, management and troubleshooting can become cumbersome because traffic for a single VLAN traverses multiple switches in a large area of the campus.

Local VLAN(s):

Local servers are consolidated in central locations (server farms) on the network, and access to external resources (Enterprise Edge) like the Internet (corporate Internet access) is provided by one or two paths on the network, so the bulk of traffic traverses a number of segments. The rule of thumb is therefore that 20% of traffic stays within the local segment while 80% of traffic passes between segments (20/80).

Also, with the use of DHCP the configuration of IP addresses at each desktop is seamless, thus extending a VLAN throughout the enterprise has no real benefit.

Add to that the fact that it is often more efficient to group users by geographically common switches rather than by job function, especially from a troubleshooting perspective.

Thus local VLAN(s) are more efficient and easier to troubleshoot.

Benefits of Local VLAN(s):

Deterministic traffic flow: Using the ECNM you get predictable layer-2 and layer-3 traffic paths. In the event of a failure that is not mitigated by redundancy features, the simplicity of the model facilitates expedient problem isolation and resolution within the switch block.

Active Redundant paths: When implementing Per-VLAN Spanning Tree (PVST) or Multiple Spanning Tree Protocol (MSTP), all links can be used to make use of the paths.

High Availability: Redundant paths exist at all infrastructure levels. Local VLAN traffic on access switches can be passed to building distribution switches across an alternative layer-2 path in the event of primary path failure. Router redundancy protocols can provide failover should the default gateway for the access VLAN fail. When both the Spanning Tree instance and the VLAN are confined to a specific access and distribution block, layer-2 and layer-3 redundancy measures and protocols can be configured to fail over in a coordinated manner.

Finite failure domain: If VLAN(s) are local to a switch block, and the number of devices on each VLAN is kept small, failures at layer-2 are confined to a small subset of users.

Scalable Designs: Following the ECNM design, new access switches can be easily incorporated, and new sub-modules can be added when needed.

Guidelines for Local VLAN(s):

  • Local VLAN(s) should be created with physical boundaries in mind. This would mean Floor 1, Office Park Building 1 and not Marketing, Advertising, Accounting, etc. This then means a VLAN or group of VLANs will be localized to a switch or access switch block in a wiring closet.
  • Traffic from a local VLAN is routed to reach its destination on another network. This happens at the Distribution layer (or in small networks at the nearest layer-3 appliance).
  • Any single VLAN does not extend beyond the boundary of the Distribution Sub-module. This means that the core is used primarily for efficient switching and fast transfer of traffic.
  • VLAN(s) on a given Access Switch should not be advertised to all other switches in the network.
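As an added illustration (not part of the original notes), the following checks a constructed campus against the guidelines above: it finds VLANs that cross a distribution block boundary, and it shows how many access switches receive flooded traffic for a VLAN by default versus when a trunk carries only the VLANs with active ports on that switch (the VTP pruning idea from the previous post); the switch and block names are hypothetical.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed campus: each access switch belongs to one distribution
# (switch) block and has active access ports in the listed VLANs.
CAMPUS = {
    "acc-b1-1": ("block-1", {10, 20}),
    "acc-b1-2": ("block-1", {10, 30}),
    "acc-b2-1": ("block-2", {40, 20}),   # VLAN 20 also appears in block-2
    "acc-b2-2": ("block-2", {40}),
}


def vlan_blocks(campus: dict) -> dict[int, set[str]]:
    """Map every VLAN to the set of distribution blocks it appears in."""
    blocks: dict[int, set[str]] = defaultdict(set)
    for block, vlans in campus.values():
        for vid in vlans:
            blocks[vid].add(block)
    return dict(blocks)


def end_to_end_vlans(campus: dict) -> set[int]:
    """VLANs that extend beyond one distribution sub-module (guideline 3)."""
    return {vid for vid, blocks in vlan_blocks(campus).items() if len(blocks) > 1}


def trunk_vlans(switch: str, campus: dict, pruned: bool) -> set[int]:
    """VLANs carried on this access switch's uplink trunk: by default every
    VLAN in the domain, with pruning only VLANs that have an active port here."""
    _block, active = campus[switch]
    if pruned:
        return set(active)
    return set().union(*(vlans for _, vlans in campus.values()))


def flood_reach(vid: int, campus: dict, pruned: bool) -> set[str]:
    """Access switches whose uplink delivers a broadcast in VLAN `vid`."""
    return {sw for sw in campus if vid in trunk_vlans(sw, campus, pruned)}


def design_report(campus: dict) -> dict:
    """Summarize the guideline checks for a campus description."""
    return {
        "end_to_end": end_to_end_vlans(campus),
        "blocks_per_vlan": {v: sorted(b) for v, b in vlan_blocks(campus).items()},
        "reach_30_default": flood_reach(30, campus, pruned=False),
        "reach_30_pruned": flood_reach(30, campus, pruned=True),
    }
```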


References I want to remember:

Hucaby, D. (2007). CCNP Self-Study: CCNP BCMSN Official Exam Certification Guide, Fourth Ed., Virtual LANs (p. 114). Indianapolis: Cisco Press.

Hucaby, D. (2007). CCNP Self-Study: CCNP BCMSN Official Exam Certification Guide, Fourth Ed., Virtual LANs (p. 118). Indianapolis: Cisco Press.

