Cisco Systems OL-7426-03 About Cisco Wlan Solution Wired Security, Operational Requirements

•The Cisco WLAN Solution also uses manual and automated Disabling to block access to network services. In manual Disabling, the operator blocks access using client MAC addresses. In automated Disabling, which is always active, the Operating System software automatically blocks access to network services for an operator-defined period of time when a client fails to authenticate for a fixed number of consecutive attempts. This can be used to deter brute-force login attacks.

These and other Cisco WLAN Solution Security features use industry-standard authorization and authentication methods to ensure the highest possible security for your business-critical wireless LAN traffic.

For information about Cisco WLAN Solution wired security, refer to Cisco WLAN Solution Wired Security.

About Cisco WLAN Solution Wired Security

Many traditional Access Point vendors concentrate on security for the Wireless interface similar to that described in the Operating System Security section. However, for secure Cisco Wireless LAN Controller Service Interfaces (Cisco Wireless Control System, Web User Interface, and Command Line Interface), Cisco Wireless LAN Controller to AP, and inter-Cisco Wireless LAN Controller communications during device servicing and Client Roaming, the Operating System includes built-in security.

Each Cisco Wireless LAN Controller and Cisco 1000 Series lightweight access point is manufactured with a unique, signed X.509 certificate. This certificate is used to authenticate IPSec tunnels between devices. These IPSec tunnels ensure secure communications for mobility and device servicing.

Cisco Wireless LAN Controllers and Cisco 1000 Series lightweight access points also use the signed certificates to verify downloaded code before it is loaded, ensuring that hackers do not download malicious code into any Cisco Wireless LAN Controller or Cisco 1000 Series lightweight access point.

For information about Cisco WLAN Solution wireless security, refer to Operating System Security.

Layer 2 and Layer 3 LWAPP Operation

The LWAPP communications between Cisco Wireless LAN Controller and Cisco 1000 Series lightweight access points can be conducted at ISO Data Link Layer 2 or Network Layer 3.

Operational Requirements

The requirement for Layer 2 LWAPP communications is that the Cisco Wireless LAN Controller and Cisco 1000 Series lightweight access points must be connected to each other through Layer 2 devices on the same subnet. This is the default operational mode for the Cisco WLAN Solution. Note that when the Cisco Wireless LAN Controller and Cisco 1000 Series lightweight access points are on different subnets, these devices must be operated in Layer 3 mode.

The requirement for Layer 3 LWAPP communications is that the Cisco Wireless LAN Controllers and Cisco 1000 Series lightweight access points can be connected through Layer 2 devices on the same subnet, or connected through Layer 3 devices across subnets.

Note that all Cisco Wireless LAN Controllers in an Cisco WLAN Solution Mobility Group must use the same LWAPP Layer 2 or Layer 3 mode, or you will defeat the Mobility software algorithm.

Configuration Requirements

When you are operating the Cisco WLAN Solution in Layer 2 mode, you must configure a Management Interface to control your Layer 2 communications.

When you are operating the Cisco WLAN Solution in Layer 3 mode, you must configure a Management Interface to control your Layer 2 communications, and an AP-Manager Interface to control Cisco 1000 Series lightweight access point-to-Cisco Wireless LAN Controller Layer 3 communications.