Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
access points. The WLSE examines the BRIDGE MIB of each CDP-discovered switch to determine
whether it contains any of the target MAC addresses. If CDP finds any of the MAC addresses, WLSE
suppresses the corresponding switch port number.
• Excessive management frame detection—Excessive management frames indicate an attack on your
  wireless LAN. An attacker might carry out a denial-of-service attack by injecting excessive
  management frames over the radio to overwhelm access points, which have to process the frames.
  As part of the WIDS feature set, access points in scanning mode and root access points monitor radio
  signals and detect excessive management frames. When they detect excessive management frames,
  the access points generate a fault and send it through the WDS to the WLSE.
• Authentication/protection failure detection—Authentication/protection failure detection looks for
  attackers who are trying either to overcome the initial authentication phase on a wireless LAN or to
  compromise the ongoing link protection. These detection mechanisms address specific
  authentication attacks:
  - EAPOL flood detection
  - MIC/encryption failures detection
  - MAC spoofing detection
• Frame capture mode—In frame capture mode, a scanner access point collects 802.11 frames and
  forwards them to the address of a WIDS engine on your network.

  Note: See the “Configuring Access Points to Participate in WIDS” section on page 12-31 for
  instructions on configuring the access point to participate in WIDS and Configuring
  Management Frame Protection, page 12-25 for instructions on configuring the access point for
  MFP.
• 802.11 Management Frame Protection (MFP)—Wireless is an inherently broadcast medium,
  enabling any device to eavesdrop and participate as either a legitimate or a rogue device. Since control
  and management frames are used by client stations to select and initiate a session with an AP, these
  frames must be open. While management frames cannot be encrypted, they must be protected from
  forgery. MFP is a means by which the 802.11 management frames can be integrity protected.

  Note: MFP requires WLSE for reporting intrusion events.

  Note: MFP is available only on 32 Mb platforms: 1130 and 1240 series access points, and 1300
  series access points in AP mode.
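
The excessive management frame detection described above, sketched as an added example (not Cisco's implementation and not code from this guide): a sliding-window counter over constructed frame records that raises one fault per burst. The window, threshold, record layout and function name are assumptions; the guide does not state the values the access points use.

```python
from collections import defaultdict, deque

# Assumed values for illustration; the guide does not give the AP's thresholds.
WINDOW_S = 1.0    # sliding window length in seconds
THRESHOLD = 12    # management frames of one subtype tolerated per window


def detect_excess(frames, window=WINDOW_S, threshold=THRESHOLD):
    """Return one fault record per burst of excessive management frames.

    frames: iterable of (timestamp_s, subtype, source_mac), sorted by time.
    Frames are counted per subtype, not per source, because the source
    address of an injected frame can be forged (see MAC spoofing detection).
    """
    recent = defaultdict(deque)   # subtype -> (timestamp, source) inside the window
    active = {}                   # subtype -> fault that is still open
    faults = []
    for ts, subtype, src in frames:
        q = recent[subtype]
        q.append((ts, src))
        while q[0][0] <= ts - window:      # drop frames that left the window
            q.popleft()
        if len(q) > threshold:
            fault = active.get(subtype)
            if fault is None:              # first frame over the limit opens a fault
                fault = {"subtype": subtype, "start": q[0][0], "end": ts,
                         "peak": len(q), "sources": {s for _, s in q}}
                active[subtype] = fault
                faults.append(fault)
            fault["end"] = ts
            fault["peak"] = max(fault["peak"], len(q))
            fault["sources"].add(src)
        else:
            active.pop(subtype, None)      # rate is back to normal: close the fault
    return faults


# Constructed sample: one AP sending a beacon every 100 ms, plus 40 deauth
# frames within 0.4 s, each carrying a different (forged-looking) source address.
SAMPLE = sorted(
    [(i * 0.1, "beacon", "00:11:22:33:44:55") for i in range(30)]
    + [(1.0 + i * 0.01, "deauth", f"02:00:00:00:00:{i:02x}") for i in range(40)]
)

if __name__ == "__main__":
    for f in detect_excess(SAMPLE):
        print(f"{f['subtype']}: peak {f['peak']} frames/window, "
              f"{len(f['sources'])} source addresses, "
              f"{f['start']:.2f}s to {f['end']:.2f}s")
```

A per-source counter would miss this burst, since every injected frame in the sample carries a different source address.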
Configuring WDS
This section describes how to configure WDS on your network. It contains these sections:
• Guidelines for WDS, page 12-8
• Requirements for WDS, page 12-8
• Configuration Overview, page 12-8
• Configuring Access Points as Potential WDS Devices, page 12-9
• Configuring Access Points to use the WDS Device, page 12-14