Aaron's Worthless Words » campus

ONT Notes – WLAN Management

Aaron Conaway — Sat, 13 Feb 2010 19:22:42 +0000

Elements of Cisco Unified Wireless Network

Client devices – Cisco compatible extensions on WLAN clients
Mobility platform – allows configuration of LWAPs through WLCs
Network unification – integration into the rest of the network with WLCs doing RF management, IPS, etc.
World-class network management – centralized management through WCS
Unified advanced services – supports advanced technologies and threat detection

WLAN Implementation

Autonomous and LWAP

Category	Autonomous	LWAP
Access Point	Autonomous APs	LWAPs
Control	Individual configurations	Configuration through WLCs
Dependency	Independent operations	Dependent on WLC
Management	CiscoWorks WLSE and WDS	WCS
Redundancy	Through APs	Through WLCs

Wireless LAN Services Engine (WLSE)

Part of CiscoWorks
Manages autonomous APs
Centralized configuration, firmware, and radio management
Autoconfig of new APs
Misconfiguration and rogue AP alerts
Proactive monitoring of APs, bridges, and 802.1x servers
Supports SSH, HTTP, CDP, SNMP for up to 2500 APs
WLSE Express supports 100 devices in either automatic or manual setups

Wireless Control System (WCS)

Supports 50 WLCs and 1500 APs
Three versions
- Base – can determine with which APs a devices in associated
- Location – Base plus RF fingerprinting
- Location + 2700 Series Wireless Location Appliance – Tracks devices in real time and stores historical location data

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

ONT Notes – 802.1x and Encryption on LWAPs

Aaron Conaway — Fri, 12 Feb 2010 21:33:28 +0000

Traditional WLAN weaknesses
- SSID for security
- Vulnerable to rogue APs
- MAC filtering for security
- WEP
WEP weaknesses
- Disribution of static keys is not scalable
- WEP keys can be cracked easily
- Vulnerable to dictionary attacks
- No protection against rogue APs
Benefits of 802.1x
- Centralized authentication through Radius via AAA
- Mutual authentication between client and auth server
- Can use multiple encryption algorithms (AES, WPA, TKIP, WEP)
- Automatic dynamic WEP keys
- Roaming
Requirements of 802.1x
- EAP-capable client (supplicant)
- 802.1x-capable AP (authenticator)
- EAP-capable auth server

Table 1. Characteristics of the EAP variants
Feature	Cisco LEAP	EAP-FAST	EAP-TLS	PEAP-GTC	PEAP-MSCHAPv2
User authentication DB	AD	AD, LDAP	OTP, LDAP, NDS, AD	OTP, LDAP, NDS, AD	AD
Requires server certs	No	No	Yes	Yes	Yes
Requires client certs	No	No	Yes	No	No
Single sign-on	Yes	Yes	Yes	No	Yes
Roaming	Yes	Yes	No	No	No
Works with WPA/WPA2	Yes	Yes	Yes	Yes	Yes

WPA
- Features
  - Authenticated key management – auths prior to key management
  - Unicast and broadcast key management – keys are distributed and stored on the client and the AP
  - TKIP and MIC
    - Temporal Key Integrity Protocol (TKIP) – per-packet keying
    - Message Integrity Checking (MIC) – integrity checking
  - Initialization vector (IV) expansion – from 24 bits to 48 bits
- Shortcomings
  - Relies on RC4
  - Firmware support required in NICs, APs
  - Susceptible to DoS attacks
  - Dictionary attacks can discover PSKs
WPA2
- Features
  - 802.1x authentication or PSK
  - Key distribution and renewal
  - Proactive Key Caching (PKC) – allows roaming
  - IDS for rogue APs and attacks
- Shortcomings
  - Supplicant must have WPA2-compliance firmware
  - AAA server must support EAP
  - WPA2 uses more CPU, so a hardware upgrade may be required
  - Older devices may not be upgradeable and must be replaced

Table 2. WPA/WPA2 Enterprise and Personal Modes
Mode	WPA	WPA2
Enterprise	Auth: 802.1x/EAP Encryption: TKIP/MIC	Auth: 802.1x/EAP Encryption: AES-CCMP
Personal	Auth: PSK Encryption: TKIP/MIC	Auth: PSK Encryption: AES-CCMP

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

ONT Notes – QoS On Wireless Networks

Aaron Conaway — Thu, 11 Feb 2010 03:05:23 +0000

Wireless LANs (WLANs)
- Extensions to wired LANs
- Carrier sense multiple access collision avoidance (CSMA/CA) as media access method
- Uses distributed coordinated function (DCF) for collision avoidance
- DCF is based on RF carrier sense, inter-frame spacing (IFS), and random wait timers
Wifi QoS standards
- 802.11e
  - IEEE standard
  - 0-7 priority levels
- Wifi Multimedia (WMM)
  - Four access categories
    - Platinum (voice) – 6 or 7 802.11e
    - Gold (video) – 4 or 5 802.11e
    - Silver (BE) – 0 or 3 802.11e
    - Bronze (Background) – 1 or 2 802.11e
- WMM and 802.11e replace DCF with EDCF
Cisco Split-MAC
- Splits functions between Lightweight access points (LWAPs) and WLAN controllers (WLCs)
- LWAPs handle real-time functions
  - Beacon generation
  - Probe transmission and response
  - Power management
  - 802.11e/WMM scheduling and queuing
  - Packet buffering
  - Encryption/decryption
  - Control frame/message processing
- WLCs handle non-real-time functions
  - Association/disassociation/reassociation
  - 802.11e/WMM resource reservation
  - 802.1x EAP
  - Key management
  - Authentication
  - Fragmentation
  - Ethernet-WLAN bridging
End-to-end QoS
- Step 1: WLC copies DSCP from switch to outer DSCP and outer 802.1p and sends to LWAP over LWAPP tunnel
- Step 2: LWAP copies outer DSCP from WLC to 802.11e/WMM field and sent to client
- Step 3: LWAP copies 802.11e/WMM value from the client to outer DSCP and sends it to WLC
- Step 4: WLC copies outer DSCP from WLAP to 802.1p (CoS) fields and sends it to the switch
Web interface (do you even need to know this?)
- Controller>QoS Profiles
  - Per-User Bandwidth Contracts – set avg data rate, burst data rate, avg real-time rate, and burst real-time rate
  - Over the Air QoS
    - Maximum RF usage per AP (%)
    - Queue Depth – queue size before dropping packets
    - Wired QoS Protocol – 802.1p or None
- Controller>WLANs>Edit
  - For each WLAN ID, set the QoS value: plat, gold, silver, bronze
  - WMM Policy
    - Disabled – 802.11e/WMM QoS requests are ignored
    - Allowed – 802.11e/WMM QoS requests are sent
    - Required – 802.11e/WMM QoS requests are required

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

ONT Notes – AutoQoS

Aaron Conaway — Wed, 10 Feb 2010 23:02:04 +0000

AutoQoS benefits
- Automates QoS for most deployments
- Protects business-critical apps to maximize availability
- Simplifies QoS deployments
- Reduces configuration errors
- Cheaper, faster, and simpler deployments
- Follows DiffServ
- Allows complete control over QoS configs
- Allows modification of auto-generated configs
AutoQoS phases of evolution
- AutoQoS VOIP – Early version that configures the basics without discovery
- AutoQoS for Enterprise – Second version that only runs on routers and uses two-step process
  - Autodiscovery using NBAR
  - Generation of class maps
AutoQoS key elements
- Application classification
- Policy generation
- Configuration
- Monitoring and reporting
- Consistency
Interfaces that you can configure AutoQoS on
- Serial ifs with PPP and HDLC
- FR point-to-point subifs (NOT multipoint)
- ATM point-to-point subifs
- FR-to-ATM links
Prerequsites
- No Qos policy already configured on if
- CEF enabled on if
- Correct bandwidth configured on if
- IP address on low-speed if
Configuring AutoQoS Enterprise on a router (NOT a switch)
- auto qos discovery – begins discovery process
- auto qos – generates and applies MQC-based policies
Configuring AutoQoS VOIP
- auto qos voip [ trust | cisco-phone ]
Verifying AutoQoS on router
- show auto discovery qos – get autodiscovery results
- show auto qos – examine configuration generated
  - Number of classes
  - Classification options
  - Marking options
  - Queuing mechanisms
  - Other QoS mechanisms
  - If, subif, PVC where policy is applied
- show policy-map interface – look at if stats
Verify AutoQoS VOIP
- show auto qos
- show policy-map interface
- show mls qos maps – shows CoS to DSCP mappings
Possible issues with AutoQoS
- Too many traffic classes – manually consolidate some
- Configuration doesn’t change – rerun AutoQoS
- Configuration may not fit your situation – fine-tune it by hand
Fine-tuning AutoQoS
- Use QPM
- CLI
- copy policy into editor, change, reapply
AutoQoS can match on characteristics besides ACLs and NBAR
- match input interface
- match cos
- match ip precedence
- match ip dscp
- match ip rtp

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts

ONT Notes – Pre-classify and End-to-end QoS

Aaron Conaway — Thu, 04 Feb 2010 03:13:53 +0000

VPNs (Didn’t ISCW cover this?)
- Provide
  - Confidentiality
  - Integrity
  - Authentication
- Types
  - Remote-access
    - Client-initiated
    - NAS-initiated
  - Site-to-site
    - LAN-to-LAN
    - Extranet
L3 Tunneling protocols
- GRE
- IPSec
Pre-classify allows traffic to be classified before being sent across a tunnel or crypto-ed.
- qos pre-classify
- Provides a view into the original IP headers
- To classify on pre-tunnel header, apply the policy to the tunnel interface WITHOUT pre-classify.
- To classify on post-tunnel header, apply the policy to the physical interface WITHOUT pre-classify.
- To classify on pre-tunnel header, apply the policy to the physical interface WITH pre-classify.
SLA – agreement with provider to guarantee QoS mechanisms across their network based on your markings.
- Assures availability, loss, throughput, delay, and jitter.
End-to-end QoS
- To be effective, each hop in the path must have QoS configured similarly.
- Necessary in three locations
  - Campus – within the customer network
  - The edges – customer facing the provider, provider facing customer
  - On the provider network
QoS tasks
- Campus access switches
  - Speed/duplex settings
  - Classification
  - Trust
  - Phone/access switch configs
  - Multiple queues on switch ports, including priority for VOIP
- Campus distribution
  - L3 policing and marking
  - Multiple queues on switch ports, including priority for VOIP
  - WRED
- WAN edge
  - SLA definitions
  - LLQ
  - LFI
  - WRED
  - Shaping
- Provider cloud
  - Capacity planning
  - PHB
  - LLQ
  - WRED
Enterprise campus QoS implementation
- Implement multiple queues to avoid congestion
- Assign VOIP and video to highest priority queue
- Esablish trust boundaries
- Use policing to rate-limit excess traffic
- Use hardware QoS when possible
Control Plane Policing (CoPP)
- Applies QoS policy to traffic destined for the router
  - Routing protocols
  - Management protocols
- Can be used to avoid DOS attacks
- Applied to control-plane in global config

Aaron Conaway

I like to lean my head to the left, hit it with the palm of my right hand, and document what knowledge falls out.

Website - More Posts