
Managing and Securing a Cisco SWAN

Pages: 497
Size: 9.4 MB
Format: PDF
Views: 1492

Register for Free Membership to solutions@syngress.com

Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder’s Configuring ISA Server 2000, Brian Caswell and Jay Beale’s Snort 2.0 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal Packet Sniffing. One of the reasons for the success of these books has been our unique solutions@syngress.com program. Through this site, we’ve been able to provide readers a real-time extension to the printed book.

As a registered owner of this book, you will qualify for free access to our members-only solutions@syngress.com program. Once you have registered, you will enjoy several benefits, including:

■ Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20-30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book.

■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search web page, providing you with the concise, easy-to-access data you need to perform your job.

■ A “From the Author” Forum that allows the authors of this book to post timely updates, links to related sites, or additional topic coverage that may have been requested by readers.

Just visit us at www.syngress.com/solutions and follow the simple registration process. You will need to have this book with you when you register.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there is anything else we can do to make your job easier.

283_CSWAN_FM.qxd 3/31/04 4:51 PM Page i


Managing and Securing a Cisco® Structured Wireless-Aware Network

David Wall CCSI, Technical Editor
Jan Kanclirz Jr. CCIE #12136
Youhao Jing CCIE #5253
Jeremy Faircloth
Joel Barrett


Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

Noted figures in chapter 6 have been reproduced by Syngress Publishing, Inc. with the permission of Cisco Systems Inc. COPYRIGHT © 2004 CISCO SYSTEMS, INC. ALL RIGHTS RESERVED.


PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Managing and Securing a Cisco® Structured Wireless-Aware Network

Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-932266-91-7

Acquisitions Editor: Christine Kloiber
Technical Editor: David Wall
Page Layout and Art: Patricia Lupien
Cover Designer: Michael Kavish
Copy Editor: Judy Eby
Indexer: J. Edmund Rush

Distributed by O’Reilly & Associates in the United States and Jaguar Book Group in Canada.


Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States by O’Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Cindy Wetterlund, Kathryn Barrett, and to all the others who work with us. A thumbs up to Rob Bullington for all his help of late.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Rosie Moss, Chris Hossack, and Krista Leppiko, for making certain that our vision remains worldwide in scope.

David Buckland, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, Andrew Swaffer, Stephen O’Donoghue and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.


Contributors

Jan Kanclirz Jr. (CCIE #12136-Security, CCSP, CCNP, CCIP, CCNA, CCDA, INFOSEC Professional) is a Senior Network Information Security Engineer working for IBM Global Services. Currently, he is responsible for the strategic and technical evolution of large, multi-customer/multi-data center networks and their security environment. Jan specializes in multi-vendor, hands-on implementations and architectures of network technologies such as routers, switches, firewalls, intrusion sensors, content networking, and wireless networks. Beyond network design and engineering, Jan’s background includes extensive experience with Linux and BSD administration and security implementations.

In addition to Jan’s full time position at IBM G.S., he is involved in many different projects such as MakeSecure.com, where he dedicates his time to security awareness. Jan also runs a small Internet Service Provider (ISP), where he provides several services such as network consulting and Linux server hosting solutions.

Jan would like to acknowledge the understanding and support of his family and friends during the writing of the book, “Thank You”.

Youhao Jing (CCIE #5253) is currently Director of Product Management and Consulting at Alcatel IP Division, responsible for defining the company’s carrier class IP product strategy with a focus on the Asia Pacific market. He has held various senior level consulting positions at AT&T, Procket, Juniper Networks, and ICG Netcom, where he was responsible for new service and solution development, network and product architecture, and design consulting for large-scale converged multi-service IP/MPLS networks.

Youhao Jing received his M.S. degree from UC Berkeley and pursued further study on high performance networking systems at Stanford University. He lives with his wife Jane and two sons, Albert and Geoffrey, in Sunnyvale, CA.


Jeremy Faircloth (Security+, CCNA, MCSE, MCP+I, A+, etc.) is a Staff Systems Administrator for EchoStar Satellite L.L.C., where he architects and maintains enterprise-wide client/server and Web-based technologies. He also acts as a technical resource for other IT professionals, using his expertise to help others expand their knowledge. As a systems engineer with over 12 years of real world IT experience, he has become an expert in many areas including Web development, database administration, enterprise security, network design, and project management. Jeremy has contributed to several Syngress books including C# for Java Programmers (ISBN: 1-931836-54-X), Snort 2.0 Intrusion Detection (ISBN: 1-931836-74-4), and Security+ Study Guide & DVD Training System (ISBN: 1-931836-72-8).

Jeremy currently resides in Colorado Springs, CO and wishes to thank his wife and son, Christina and Austin, for their support in his various technical endeavors.

Joel Barrett (CCNP, CCDP, CWNA, MCSE, and Novell’s Master CNE) is a wireless specialist with Cisco Systems, Inc. He supports Cisco’s wireless partners and developers throughout the southeast United States, assisting partner executives to develop technical go-to-market strategies. Joel also educates partner engineering teams with a full understanding of wireless LAN technologies and solutions.

With over fifteen years of IT experience, Joel has earned Cisco’s and Planet3’s certifications. Joel serves as the team leader for the Channels Technology Advisory Team for Mobility, an advisor for the Enterprise Mobility Virtual Team, and a member of Cisco’s Enterprise Mobility Technology Leadership Program. He is a board member for the Wireless Technology Forum in Atlanta, and a speaker for the Georgia Wireless Users Group. He is also the facilitator for the Atlanta Cisco Study Group, helping over 200 network engineers attain Cisco certifications.

Joel was co-author and principal technical editor for several wireless LAN and IT books, including Certified Wireless Security Professional (CWSP) Official Study Guide, Wireless Networks First-Step, and the Cisco Advanced Wireless training course. Joel and his wife, Barbara Kurth, live near Atlanta, Georgia with Barbara’s son and daughter, Shane and Paige, and Joel’s daughter, Ashley.

Donald Lloyd (CISSP), author of Syngress Publishing’s Designing a Wireless Network (1-928994-45-8), is a senior consultant for International Network Services, Inc. (INS) and a regional leader for their Fixed Wireless Practice. His specialties include network security architecture and wireless network design. In addition to “unwiring” corporate offices, Donald spends considerable time designing and deploying secure wireless networks in remote oil and gas fields, airports, municipalities, and warehouses.

This is the third book that Donald has co-authored with Syngress, and Donald wishes to thank INS for their patience while finishing this book. He also sends a BIG hug to the pride and joy of his life, his son.

Lev Shklover (CCNP, CCDP, Cisco WLAN Design and Support Specialist, Certified Solaris Administrator, Nortel Networks Router and Network Management Specialist) is a Senior Consultant with International Network Services, Inc. (INS), a leading global computer networking and security consultancy. He has over 13 years of experience in designing and implementing large computer networks for major U.S. and International corporations.

Lev’s other specialization is lab testing of network designs, network devices and network protocols to maintain network reliability. He started working with Cisco WLAN hardware in early 2000, right after Cisco’s acquisition of Aironet Communications. As a member of INS’s Wireless Networking Practice, Lev has designed and deployed numerous Cisco 802.11a/b/g solutions for various clients, including a WLAN for a 44-story building.

Lev graduated from the Technical University of Radio Electronics and Automation in Moscow, Russia with a MS Degree in Optical Engineering. He currently resides in NJ with his wife and two children.


Technical Editor

David Wall (CCSI #22530), author of Multi-Tier Application Programming with PHP: A Practical Guide for Architects and Programmers, contributes regularly to technical and general-interest publications and reviews books for online bookseller Amazon.com. David also works as a consultant, specializing in voice over IP applications and network design. A Cisco Certified Systems Instructor, David teaches engineers and salespeople about technologies from Cisco Systems.

David’s other professional interests include hosting applications for small businesses, and the integration of disparate systems using open-source technologies.

A pilot, David enjoys flying around eastern Australia. David maintains a Web presence at http://www.davidwall.com.


Contents

Foreword xxiii

Chapter 1 Wired versus Wireless and Wireless-aware LANs 1
Introduction 2
What is a WLAN? 2
How does a Wireless LAN Work? 3
WLAN Benefits 9
WLAN Design Considerations 12
Attenuation 12
Attenuation Due to Antenna Cabling 13
Attenuation Due to Exterior Considerations 13
Accounting for the Fresnel Zone and Earth Bulge 18
Radio Frequency Interference 19
Interference from Radio Transmitters 20
Harmonics 21
Application Considerations 22
Structural Considerations 22
Security Considerations 25
Network Management Considerations 26
WLAN Modes of Operation 27
What is a Wireless-aware LAN? 30
Wireless-aware LAN Benefits 31
Integrated Wired and WLAN Services using the Cisco Infrastructure and Cisco IOS Software 32
CiscoWorks WLAN Solution Engine 32
Wireless Domain Services for IEEE 802.1X Local Authentication Service and Fast Secure Roaming Support 33
Rogue AP Detection and Location 34
Interference Detection to Isolate and Locate Network Interference 35
Simplified WLAN Deployment Processes with Assisted Site Surveys 35
Streamlined WLAN Management and Operations Support 36
Seamless Delivery of Enhanced Network Security Solutions 38
Wireless-aware Design Considerations 39
Summary 40
Solutions Fast Track 41
Frequently Asked Questions 44

Chapter 2 Designing Wireless-Aware LANs 47
Introduction 48
Radio Frequency (RF) Basics 48
Transmitting Radio Signals over EM Waves 48
Anatomy of a Waveform 49
Propagating a Strong Radio Signal 57
Understanding Signal Power and S/N Ratio 57
Attenuation 58
Bouncing 61
Refracting 63
Line of Sight 64
Penetration 64
Understanding the Wireless Elements 66
Generic Radio Components 66
Laws, Regulations, and Environmental Considerations 70
Regulatory Agencies 70
The Need to Know 71
Regulations for Low Power, Unlicensed Transmitters 71
Environmental Considerations 72
IEEE 802.11 Standards 73
Does the 802.11 Standard Guarantee Compatibility across Different Vendors? 77
DSSS 78
IEEE 802.11b Direct Sequence Channels 78
IEEE 802.11a OFDM Physical Layer 80
IEEE 802.11a Channels 80
Planning for RF Deployment 81
WLAN Coverage 81
WLAN Data Rates 85
Client Density and Throughput 85
Antenna Options 87
Omnidirectional Antennas 87
Directional Antennas 88
Interference Detection 93
Conducting Site Surveys 93
Preparation 94
Other Preparations 97
Infrastructure Awareness 100
Preparing a Site Survey Kit 105
Performing an Interior Wireless Site Survey 115
Performing an Exterior Wireless Site Survey 124
Summary 129
Solutions Fast Track 129
Frequently Asked Questions 131

Chapter 3 WLAN Roaming 133
Introduction 134
Cisco L2 Roaming Solutions 135
Beacon Frames 137
Probe Frames 143
Roaming Decisions and Criteria 149
Roaming Target Selection Process 151
Roaming Behavior of Cisco 7920 WVoIP Phones 153
Cisco Solutions to Speed the L2 Roaming Process 160
Improved Client Channel Scanning 160
Fast Reauthentication Using CCKM 162
Cisco L3 Roaming Solutions 165
Mobile IP 166
Proxy Mobile IP 170
WLAN Design Considerations 171
Summary 174
Solutions Fast Track 174
Frequently Asked Questions 176

Chapter 4 IP Multicast in a Wireless LAN 179
Introduction 180
The OSI Model Overview 180
Data Communication Methods 182
The Unicast Method 182
Multicast WLAN Deployment Recommendations 186
Configuring Multicast and Broadcast Minimum Data Rate Settings in IOS 188
IP Multicast WLAN Configuration 190
Controlling IP Multicast in a WLAN with APs 191
Protocol Filters 192
Controlling IP Multicast in a Peer-to-peer WLAN using Bridges 193
Point-to-point Bridging 193
Point-to-multipoint Bridging 194
Configuring Reliable Multicast for Workgroup Bridges 195
Summary 197
Solutions Fast Track 197
Frequently Asked Questions 199

Chapter 5 WLAN Guest Network Access 201
Introduction 202
Guest WLANs 202
Designing a Guest VLAN 202
Design 203
Topology 203
Deployment 204
Guest WLAN Recommendations 204
Configuring Guest WLANs 205
Access Point and Switch Configuration 207
WLAN Guest VLAN Filtering 208
Summary 209
Solutions Fast Track 209
Frequently Asked Questions 210
