Manuals / Cisco Systems / Computer Equipment / Network Router

Cisco Systems DL-2159-05 manual Criteria for Deploying Wireless VLANs, Vlan

Models: DL-2159-05

1 332

Download 332 pages 33.19 Kb

Page 74

Chapter 4 Configuring VLANs

Criteria for Deploying Wireless VLANs

Figure 4-4 RADIUS-Based VLAN Access Control

SSID = Engineering

SSID = Guest

EAP-	EAP-	Request
EAP-		Request		(user-
	Success			(user-
			(user-id:		id:		John)
			(user-id:		John,		John)
					John,	VLAN-
						VLAN-
							id=24)

Access

point/bridge Enterprise network

RADIUS server

802.1Q trunk			SSID=Engineering)
			SSID=Engineering)
		id:	David)
		id:
		-	Management
-Request		(user	Management
-Request		David,		VLAN
EAP	id:
EAP	-
	(user
-Success
EAP
SSID = Marketing				81663
SSID = Marketing

RADIUS user attributes used for VLAN ID assignment are:

•IETF 64 (Tunnel Type)—Set this to VLAN

•IETF 65 (Tunnel Medium Type)—Set this to 802

•IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID

The Cisco IOS/PIX/RADIUS Attribute (009\001 cisco-av-pair) user attribute is used for SSID control. For example, this attribute allows a user to access the WLAN using the Engineering and Marketing SSIDs only.

Criteria for Deploying Wireless VLANs

You should evaluate the need for deploying wireless VLANs in their own environment. Cisco recommends that you review the VLAN deployment rules and policies before considering wireless VLAN deployment and that you use similar policies to extend wired VLANs to the wireless LAN. This section details criteria for wireless VLAN deployment, a summary of rules for wireless LAN (WLAN) VLAN deployment, and best practices to use on the wired infrastructure side when you deploy wireless VLANs.

Criteria for wireless VLAN deployment are likely to be different for each scenario. The following are the most likely criteria:

•Common resources being used by the WLAN:

–Wired network resources, such as servers, commonly accessed by wireless users

–QoS level needed by each application (default CoS, voice CoS, etc.)

Cisco Aironet 1200 Series Access Point Software Configuration Guide

4-8	OL-2159-05

Image 74

Cisco Systems DL-2159-05 manual Criteria for Deploying Wireless VLANs, Vlan

Contents

Corporate Headquarters Text Part Number OL-2159-05Copyright 2001-2003, Cisco Systems, Inc All rights reserved N T E N T S IiiNavigating Using the Map Windows Native Vlan ID WEP Not Set on the Wireless Phone Settings on the Authenticator Configuration ViiEvent Notifications Setup ViiiSetting Up Administrator Authorization Snmp Setup Ssid Xii Xiii Audience and ScopeOrganization Xiv ConventionsTip Means the following are useful tips Cisco.com Related PublicationsObtaining Documentation Documentation Feedback Documentation CD-ROMOrdering Documentation XviTAC Case Priority Definitions Obtaining Technical AssistanceCisco TAC Website Opening a TAC Case XviiObtaining Additional Publications and Information XviiiOverview A P T E RKey Features Roaming Client Devices Quality of Service SupportManagement Options Related Documents What is QoS?Limitations and Restrictions These documents are available on Cisco.comWhat is a VLAN? Vlan SupportIncorporating Wireless Devices into VLANs Level of Access Vlan ExampleNetwork Configuration Examples Root Unit on a Wired LANRepeater Unit that Extends Wireless Range Access Points as Root Units on a Wired LANCentral Unit in an All-Wireless Network Access Point as RepeaterUsing the Management Interfaces Using the Management Pages in the Web-Browser Interface Using the Web-Browser InterfaceUsing the Web-Browser Interface for the First Time Button/Link DescriptionNavigating Using the Map Windows Map Window with Network Ports Pages ExpandedUsing the Command-Line Interface Preparing to Use a Terminal EmulatorSetting Up the Terminal Emulator Changing Settings with the CLIConnecting the Serial Cable Selecting Pages and Settings Function DescriptionApplying Changes to the Configuration Using SnmpUsing a Telnet Session Supported MIBs Radio Configuration and Basic Settings Basic Settings Express SetupSystem Name Entering Basic SettingsExpress Setup page contains the following settings MAC AddressDefault IP Subnet Mask Configuration Server ProtocolDefault IP Address Default GatewayRoot-Unit Access Points Security Setup Link Radio Network Optimization Optimize Radio Network ForRadio Network Compatibility Ensure Compatibility With Radio ConfigurationSnmp Admin. Community Settings on the AP Radio Identification Entering Identity InformationDefault IP Subnet Mask Primary Port SettingsDefault IP Address Service Set ID SsidLeap Password Entering Radio Hardware InformationAllow Broadcast Ssid to Associate? Settings on the AP Radio HardwareAP Radio Hardware page contains the following settings Enable World Mode Data RatesRTS Threshold Transmit PowerFrag. Threshold Max. RTS RetriesRestrict Searched Channels Default Radio ChannelSearch for Less-Congested Radio Channel Entering Advanced Configuration Information Receive Antenna and Transmit AntennaAP Radio Advanced Page for Internal Radio Requested Status Settings on the AP Radio AdvancedAP Radio Advanced pages contain the following settings Packet ForwardingRadio Cell Role Default Multicast Address FiltersMaximum Multicast Packets/Second Ssid For Use By Infrastructure StationsUse Aironet Extensions Classify Workgroup Bridges as Network InfrastructureRequire Use of Radio Firmware Quality of Service Setup LinkVlan Setup Link Ethernet Encapsulation TransformTemporal Key Integrity Protocol Advanced Primary Ssid Setup LinkPreferred Access Points Broadcast WEP Key rotation interval secRadio Modulation Radio PreambleEthernet Configuration Non-Root MobilitySettings on the Ethernet Identification Entering Ethernet Hardware InformationSpeed Settings on the Ethernet HardwareEthernet Hardware page contains the following settings Loss of Backbone Connectivity Ssid Loss of Backbone Connectivity # of SecsLoss of Backbone Connectivity Action Settings on the Ethernet Advanced Ethernet Advanced page contains the following settingsDefault Unicast and Multicast Address Filters Optimize Ethernet for Default Unicast Address FilterAlways Unblock Ethernet When STP is Disabled OL-2159-05 Configuring VLANs Entering Vlan Information Settings on the Vlan SetupVlan setup page contains the following settings Vlan Summary Status Link 802.1Q Encapsulation ModeMaximum Number of Enabled Vlan IDs Vlan 802.1Q TaggingOptionally allow Encrypted packets on the unencrypted Vlan Vlan Security PolicySingle Vlan ID which allows Unencrypted packets Vlan NameParameter Native Vlan ConfigurationBroadcast Domain Segmentation TKIP/MICPrimary and Secondary SSIDs Deployment of Infrastructure and Non infrastructure DevicesRADIUS-Based Vlan Access Control Vlan IDCriteria for Deploying Wireless VLANs VlanWireless Vlan Deployment Example 5shows the wireless Vlan deployment scenario described above Creating and Configuring VLANs on the Access Point Using the Configuration ScreensObtaining and Recording Vlan ID and Setup Information Creating the Native VlanVlan Setup Vlan ID #1 Setup Creating the Full- and Part-Time VLANs Creating the Maintenance Vlan Creating the Guest VlanCreating and Configuring the SSIDs AP Radio Internal Service Sets Configuring VLANs Wireless Vlan Deployment Example Enabling Vlan 802.1Q Tagging and Identifying the Native Vlan 11 AP Radio Service Sets Guidelines for Wireless Vlan Deployment Creating an Ssid for Infrastructure DevicesOL-2159-05 Configuring Filters and QoS Filter Setup Protocol FilteringCreating a Protocol Filter Enter a descriptive filter set name in the Set Name fieldFilter Set Enabling a Protocol Filter MAC Address Filtering Address FiltersCreating a MAC Address Filter AP Radio Advanced AP Radio Primary Ssid QoS Configuration Generate Qbss Element Settings on the Quality of Service SetupUse Symbol Extensions Send Igmp General Query Applying QoSBy Station Traffic Category10 Protocol Filters Setup By Vlan 12 Vlan ID13 Filters Priority Setting By FilterBy CoS Value By Dscp ValueWireless QoS Deployment Example 17 Vlan Setup18 Vlan ID #xx WEP Set on the Wireless Phone WEP Not Set on the Wireless Phone20 AP Radio Internal Service Sets 21 AP Radio Internal Service Sets OL-2159-05 Configuring Proxy Mobile IP Proxy Mobile IP Introduction to Mobility in IPMobile IP Explained Nomadic ApproachMobile Approach Mobile IP Environment Proxy Mobile IP Explained Mobile IP Traffic PatternBefore Deploying Proxy Mobile IP Issues to Consider While Deploying Proxy Mobile IP Components of a Proxy Mobile IP NetworkHow Proxy Mobile IP Works Agent DiscoverySubnet Map Exchange Home Agent Subnet MaskRegistration TunnelingProxy Mobile IP Setup Proxy Mobile IP SecurityProxy Mobile IP Setup GeneralEnable Proxy Mobile IP Authentication ServerSettings on the Proxy Mobile IP General Authoritative AP nSettings on the Authenticator Configuration Settings on the Local SA Bindings Local SA BindingsSettings on the Proxy Mobile IP Statistics StatisticsActive AAP Authentication Failures for HAAuthentication Failures for FA MN IP AddressesView Subnet Map Table Configuring Proxy Mobile IPSettings on the Subnet Map Table Configuring Proxy Mobile IP on Your Wired LAN 11 a Sample Network 13 AP Radio Internal Service Sets 15 Proxy Mobile IP General 17 Subnet Map Table 18 Authenticator Configuration 20 Network Configuration Screen for an Access Point Client 22 Passed Authentication Screen Configuring Other Settings Server Setup Entering Time Server SettingsSettings on the Time Server Setup Boot Server Setup page contains the following settings Entering Boot Server SettingsSettings on the Boot Server Setup Bootp Server Timeout sec Configuration Server ProtocolUse Previous Configuration Server Settings Dhcp Multiple-Offer Timeout secDhcp Client Identifier Type Dhcp Requested Lease Duration minDhcp Minimum Lease Duration min Option DefinitionDhcp Client Identifier Value Settings on the Web Server SetupWeb Server Setup page contains the following settings Dhcp Class IdentifierAllow Non-Console Browsing Default Help Root URLDefault Web Root URL Http PortDefault Domain Entering Name Server SettingsSettings on the Name Server Setup Domain Name SystemFTP Setup page contains the following settings Entering FTP SettingsSettings on the FTP Setup Domain Name ServersRouting Setup Routing Setup page contains the following settings Entering Routing SettingsNew Network Route Settings Association Table Filters Association Table Display SetupInstalled Network Routes list Configuring Other Settings Association Table Display Setup Fields to Show Settings on the Association Table FiltersStations to Show Bytes To/From Station Association Table AdvancedPackets To/From Station Primary SortSettings on the Association Table Advanced Association Table AdvancedMaximum number of bytes stored per Station Alert packet Rogue AP Alert Timeout minutesHandle Station Alerts as Severity Level Maximum Number of Forwarding Table EntriesSettings on the Event Display Setup Event Notification SetupEvent Display Setup Default Activity Timeout seconds Per Device ClassSeverity Level at which to display events How should time generally be displayed?How should Event Elapsed non-wall-clock Time be displayed? Severity Level DescriptionEvent Handling Setup 10 The Event Handling Setup Handle Station Events as Severity Level Settings on the Event Handling SetupDisposition of Events Maximum number of bytes stored per Alert packetPurge Trace Buffer Event Notifications SetupClear Alert Statistics Snmp Trap Destination Settings on the Event Notifications SetupShould Notify-Disposition Events generate Snmp Traps? Snmp Trap CommunitySyslog Facility Number Should Syslog Messages use the Cisco Emblem Format?Syslog Destination Address Ieee Snmp Traps Should Generate the Following NotificationsSecurity Setup Levels of Security Encrypting Radio Signals with WEPSecurity Overview Additional WEP Security Features Network Authentication TypesSequence for EAP Authentication Wired LAN Client Combining MAC-Based, EAP, and Open Authentication Sequence for Open AuthenticationSetting Up WEP Protecting the Access Point Configuration with User ManagerKey Access Point Associated Device Transmit? Key ContentsNot set Enabling Message Integrity Check MIC Enabling Additional WEP Security FeaturesUsing Snmp to Set Up WEP Snmp Variable WEP Full WEP OffAP Radio Advanced Page for Internal Radio Enabling Temporal Key Integrity Protocol Tkip Enabling Broadcast WEP Key Rotation Setting Up Open or Shared Key Authentication Setting Up EAP Authentication Enabling EAP on the Access PointFirmware Version Draft 802.1x-2001 Access Point EAP Settings for Various Client Configurations Click Add New Access Server Enabling EAP in Cisco Secure ACSSetting Up a Repeater Access Point As a Leap Client Setting a Session-Based WEP Key TimeoutAP Radio Identification Page for Internal Radio Setting Up MAC-Based Authentication Enabling MAC-Based Authentication on the Access Point11 Authenticator Configuration Security Setup Setting Up MAC-Based Authentication 12 AP Radio Advanced Authenticating Client Devices Using MAC Addresses or EAP Enabling MAC-Based Authentication in Cisco Secure ACS Leap Summary of Settings for Authentication TypesAuthentication Types Required Settings EAP-TLS, EAP-MD5 Radius Attributes Sent by the Access Point Attribute ID DescriptionAcct-Authentic Acct-Delay-TimeAcct-Session-Id VSA attribute Nas-location Vlan-id Auth-algo-typeSetting Up Backup Authentication Servers Acct-Terminate-CauseSetting Up Administrator Authorization 14 Security Setup Creating a List of Authorized Management System Users16 User Management Window Click Add New User. The User Management window appears Setting up Centralized Administrator AuthenticationClick User Information. The User Information page appears Click Apply. You are returned to the User Information18 Authenticator Configuration System Flow Notes Authorization Parameters Network Management Browsing to Network Devices Using the Association TableSetting the Display Options Using Station Pages StationInformation on Station Pages Station Identification and StatusFrom Station Information Rate, Signal, and Status InformationTo Station Information Performing a Ping Performing Pings and Link TestsHops and Timing Information Performing a Link Test Click Link TestClearing and Updating Statistics Using the Network Map WindowDeauthenticating and Disassociating Client Devices Using Cisco Discovery Protocol Settings on the CDP Setup MIB for CDPAssigning Network Ports Port AssignmentsEnabling Wireless Network Accounting Settings on the Port AssignmentsSettings on the Accounting Setup Accounting SetupAccounting Attributes Attribute DefinitionRadiusipadr OL-2159-05 Managing Firmware and Configurations 10-1Updating with the Browser from a Local Drive Full Update of the Firmware ComponentsUpdating Firmware 10-2Selective Update of the Firmware Components 10-3Updating from a File Server 10-4Update All Firmware From File Server 10-5Update Firmware From File Server 10-6Retrieving Firmware and Web Page Files 10-7Distributing Firmware 10-8Distributing a Configuration 10-9Limiting Distributions 10-10Downloading the Current Configuration 10-11Uploading from a File Server Uploading a ConfigurationUploading from a Local Drive 10-12Resetting the Configuration 10-13Restarting the Access Point 10-14Management System Setup 11-111-2 Snmp SetupSettings on the Snmp Setup 11-3 Using the Database QuerySettings on the Database Query 11-4 Console and Telnet SetupChanging Settings with the Database Query 11-5 Settings on the Console/TelnetUsing Secure Shell 11-6 Special Configurations 12-1Setting Up a Repeater Access Point 12-212-3 12-4 Using Hot Standby Mode 12-512-6 12-7 12-8 Sections in this chapter include 13-1Selections on the Network Diagnostics Using Diagnostic PagesNetwork Diagnostics 13-2Radio Diagnostics Tests 13-313-4 Vlan Summary StatusSSIDs Int, Mod Network Ports 13-513-6 Identifying Information and StatusData Received 13-7 Data TransmittedEthernet Port 13-8 Configuration InformationReceive Statistics 13-9 AP RadioTransmit Statistics 13-10 AP Radio Port13-11 Display Options 13-1213-13 Display SettingsEvent Log Event Log Summary Log HeadingsSaving the Log 13-1413-15 Using Command-Line DiagnosticsCommand Information Displayed Entering Diagnostic Commands 13-1613-17 Diagnostic Command ResultsEapdiag1on 13-18 Eapdiag2onVxdiagarpshow 13-19 Vxdiagcheckstack 13-20Vxdiaghostshow 13-21Vxdiagi 13-22Vxdiagipstatshow 13-23Vxdiagmemshow 13-24Vxdiagmuxshow 13-25Vxdiagrouteshow 13-26Vxdiagtcpstatshow 13-27Vxdiagudpstatshow Reserving Access Point Memory for a Packet Trace Log FileTracing Packets 13-28Tracing Packets for Specific Devices 13-29Packets Stored in a Log File Tracing Packets for Ethernet and Radio PortsViewing Packet Trace Data 13-3013-31 Checking the Top Panel IndicatorsPackets Displayed on the CLI Message Ethernet Status Radio Meaning Type Indicator 13-32Finding an Access Point by Blinking the Top Panel Indicators 13-33WEP Keys Checking Basic SettingsEAP Authentication Requires Matching 802.1x Protocol Drafts 13-34Firmware Version Draft 13-35Resetting to the Default Configuration 13-3613-37 13-38 Channels, Power Levels, and Antenna Gains Regulatory Domains ChannelsIeee 802.11a Maximum Power Levels and Antenna Gains Ieee 802.11bRegulatory Domain With 6-dBi Antenna Gain Maximum Power Level mWRegulatory Domain Antenna Gain dBi Maximum Power Level mW Americas -A 100 Eirp maximum 13.5 Emea -E MW Eirp maximumRegulatory Domain Antenna Gain dBi Maximum Power Level mW OL-2159-05 Protocol Filter Lists Protocol ISO DesignatorSVP UDP XNS-IDP ISO-TP4 ISO-CNLP CnlpVines SmtpTsap TftpHttp POP2IRC CmotBGP RIPRFE RadiusCVS Event Log Messages Cisco Emblem Format Default FormatMessage Formats With a timestamp, messages look like this exampleLogemerg LoginfoSyslog Severity Emblem Severity LogalertSeverity Event Description Mnemonic Recommended Action Message DescriptionsPossible Cause or ReasonDevice HostIfDescr NewaddrSrchost Desthost length pktLen Srchost to port ifDescrReqlen bytes Desthost on port ifDescr IfDescr error= errornumPacket from srchost to desthost Srchost to desthost on port IfDescr error=erronumFor procedure on port ifDescr From srchost to desthost on portSrchost on port ifDescr Desthost VersionSrchost to desthost of unknown Admin SysrebootRebootinf PrtrarpipPort device Status IfDescr errno=errno PktLenXidexp ENC WEPUnenc EtherconMedia port Frame bytes FramePort devName unit Username FailedUsername UnitAssoclost 1XVERHstndbyen HstndbyethAmngrreq InstkeyAcctcon NulsesNoaserv NorbufNosbuf OpenVlanID IfIndex MIB IfIndex AwcmibTaskfailed NomibdkeyBadsize TaskstartedSsidIdx Statuses and Reasons Appendix C Event Log Messages Statuses and Reasons OL-2159-05 Numerics IN-1CLI CDP MIBDhcp DtimIN-3 IN-4 Ethernet Locate unit by flashing LEDsRadio traffic Pspf IN-5IN-6 SSHVlan Warm restart IN-7IN-8