Introducing the Cisco Unified Wireless Network
Wireless local-area networks (WLANs) offer network access via radio waves. Wireless
clients (such as PCs or PDAs) access a wireless access point (WAP) using half-duplex
communication. The WAP allows a wireless client to communicate with the wired portion of a network.
Five primary components comprise the Cisco Unified Wireless Network architecture:
■ Wireless clients: A wireless client device is typically an end-user device (such as a
PC) that accesses a wireless network.
■ WAP: WAPs offer network access for wireless clients.
■ Wireless network unification: To offer wireless clients access to the resources of
an organization, a wireless network needs to be integrated (that is, unified) with a
wired LAN. This functionality is referred to as network unification.
■ Wireless network management: Just as enterprise LANs benefit from network
management solutions, a wireless LAN can use network management solutions to
enhance security and reliability and offer assistance in WLAN deployments. An
example of a wireless network management solution is the Cisco Wireless Control
System (WCS).
■ Wireless Mobility: Wireless mobility services include security threat detection,
voice services, location services, and guest access.
Traditional WLANs use an access point in autonomous mode, where the access point is
configured with a service set identifier (SSID), radio frequency (RF) channel, and RF
power settings. However, having an autonomous access point tasked with all these responsibilities
can limit scalability and hinder the addition of advanced wireless services.
Aside from autonomous mode, Cisco Unified Wireless Networks can alternatively operate
in split-MAC mode. With split-MAC operation, an access point is considered a
lightweight access point, which cannot function without a WLC.
Specifically, a WLAN client sending traffic to the wired LAN sends a packet to a lightweight
access point, which encapsulates the packet using Lightweight Access Point Protocol
(LWAPP). The encapsulated traffic is sent over an LWAPP tunnel to a WLC. LWAPP
sends packets in a Layer 2 frame with an Ethertype of 0xBBBB. LWAPP data traffic uses a
UDP destination port of 12222, whereas LWAPP control traffic uses a UDP destination
port of 12223.
A lightweight access point, as shown in Figure 13-5, performs functions such as beaconing,
packet transmission, and frame queuing, whereas the WLC assumes roles such as authentication,
key management, and resource reservation.
Chapter 9, “Security Troubleshooting,” introduced 802.1X as a means of authenticating
users attempting to gain access to a network. Wireless networks often leverage 802.1X
technologies to authenticate wireless clients.
436 CCNP TSHOOT 642-832 Official Certification Guide
Figure 13-5 Split-MAC Wireless Architecture (figure: a wireless client associates with a lightweight access point, which connects through an Ethernet switch over an LWAPP tunnel to the Wireless LAN Controller and on to the wired network)
Specifically, after a wireless client, such as a PC, associates with its access point, the access
point only allows the client to communicate with the authentication server until the
client successfully logs in and is authenticated, as illustrated in Figure 13-6. The WLC
uses an Extensible Authentication Protocol (EAP) to communicate with the authentication
server. Cisco Secure Access Control Server (ACS) can, for example, act as an authentication
server.
Figure 13-6 Wireless Network Using 802.1X (figure: the EAP client acts as supplicant; the lightweight access point and WLC act as the 802.1X authenticator, with an EAP/RADIUS tunnel to the authentication server; the stages shown are 802.1X authentication, key management and key distribution, and secured data)
Chapter 13: Advanced Services Troubleshooting 437
Supported EAP types include the following:
■ EAP-Transport Layer Security (EAP-TLS): Wireless clients and authentication
servers mutually authenticate using digital certificates.
■ EAP-Protected EAP (EAP-PEAP): The authentication server (that is, a RADIUS
server) is authenticated over a Transport Layer Security (TLS) tunnel using a digital
certificate, whereas wireless clients are authenticated via Extensible Authentication
Protocol-Generic Token Card (EAP-GTC) or Extensible Authentication Protocol-
Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2).
■ EAP Tunneled Transport Layer Security (EAP-TTLS): The RADIUS server is authenticated
over a TLS tunnel using the certificate of the server, and wireless clients
authenticate using username and password credentials.
■ Cisco Lightweight Extensible Authentication Protocol (LEAP): Cisco developed
LEAP as an early and proprietary EAP method; however, LEAP’s vulnerability
to a dictionary attack represents a major LEAP weakness.
■ Cisco EAP-Flexible Authentication via Secure Tunneling (EAP-FAST): Cisco
proposed EAP-FAST to address weaknesses of LEAP.
Wireless network troubleshooters should also understand the following three WLAN controller
components:
■ Ports: A port on a WLAN controller physically connects the WLAN controller to
the wired network (for example, to a Cisco Catalyst switch port).
■ Interfaces: An interface of a WLAN controller logically maps to a VLAN on a
wired network.
■ WLANs: A WLAN can be configured with security features, QoS mechanisms,
and other wireless network parameters. Also, a WLAN associates an SSID to a
WLC interface.
Wired Network Issues Impacting Wireless Networks
Many issues that might be perceived as wireless problems result from underlying issues
on the wired network. Examples of these issues include PoE, VLANs, security, DHCP,
and QoS.
PoE
WAPs (in either an autonomous or split-MAC architecture) require power; however, these
access points might need to be installed away from power outlets. For example, to provide
appropriate coverage, an access point might be located in a drop ceiling. One option for
providing power to such an access point is PoE (which was introduced in Chapter 11),
where a Cisco Catalyst switch provides power to an attached device over the Ethernet
leads in an unshielded twisted-pair (UTP) cable.
If the Cisco Catalyst switch is not appropriately configured to provide PoE, or if the
switch has no additional power available, an attached WAP might fail to power on. In addition
to verifying proper PoE configuration on the Cisco Catalyst switch, another troubleshooting
aid is the Cisco Power Calculator, an online tool available at http://tools.cisco.com/cpc/launch.jsp.
This tool can help determine the power capacity of a switch. Note
that appropriate Cisco login credentials are required to access this tool.
VLANs
Traffic in a wireless network often belongs to its own VLAN; however, wireless users might
experience connectivity issues if traffic from their wireless VLAN is not permitted over a
trunk in the wired network. Therefore, trunk configurations on Cisco Catalyst switches
might need to be inspected as part of troubleshooting wireless connectivity issues.
Chapter 4, “Basic Cisco Catalyst Switch Troubleshooting,” introduced the troubleshooting
of VLANs and trunks. As a review, Table 13-3 provides commands for gathering information
about VLAN and trunk configuration information on a Cisco Catalyst switch.
Security
Chapter 9 discussed how ACLs might inadvertently be configured to block traffic that
should be permitted on a network. In the case of wireless networks configured in a split-
MAC architecture, recall that UDP ports 12222 and 12223 (that is, the ports used by
LWAPP) should be permitted between a WAP and a WLC. You can issue the show access-lists
command to verify the access list configuration used on a router.
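As an added example (not from the book), the following Python code evaluates a small IOS-style extended ACL, in the form show access-lists prints it, against the two LWAPP flows from an access point to its WLC and reports any port the ACL would drop, including via the implicit deny at the end of every IOS ACL. The ACL text, its name WLC-IN and the addresses are constructed for the example; only the permit/deny, host, wildcard, any and eq keywords are parsed.

```python
import ipaddress

LWAPP_PORTS = (12222, 12223)  # LWAPP data and control ports, as given in the text

# Constructed sample in the style of "show access-lists" output (hypothetical ACL
# name and addresses, not real device output). Only the keyword subset below is parsed.
SAMPLE_ACL = """
Extended IP access list WLC-IN
    10 permit udp host 10.1.20.5 host 10.1.10.1 eq 12223 (42 matches)
    20 permit udp 10.1.20.0 0.0.0.255 host 10.1.10.1 eq 12222
    30 deny ip any any
"""

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS-style wildcard (hostmask) as the second tuple element
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2

def parse_ace(line):
    """Parse one ACE '[seq] permit|deny proto src dst [eq PORT] ...'; None for other lines."""
    t = line.split()
    if t and t[0].isdigit():          # drop the sequence number show access-lists prints
        t = t[1:]
    if len(t) < 4 or t[0] not in ("permit", "deny"):
        return None
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": dport}

def acl_decision(acl_text, proto, src_ip, dst_ip, dport):
    """First-match evaluation, ending with the implicit deny every IOS ACL carries."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in filter(None, map(parse_ace, acl_text.splitlines())):
        if ace["proto"] not in (proto, "ip"):
            continue
        if src in ace["src"] and dst in ace["dst"] and ace["dport"] in (None, dport):
            return ace["action"]
    return "deny"

def lwapp_blocked_ports(acl_text, ap_ip, wlc_ip):
    """LWAPP ports the ACL would drop for traffic from the access point to the WLC."""
    return [p for p in LWAPP_PORTS
            if acl_decision(acl_text, "udp", ap_ip, wlc_ip, p) != "permit"]
```

With the sample ACL, an access point at 10.1.20.5 reaches the WLC on both ports, while a second access point at 10.1.20.6 only matches the subnet entry for 12222 and so loses its control channel on 12223.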
DHCP
Because an inherent characteristic of wireless networks is the mobility of wireless clients,
those clients might need to roam from one subnet to another. In such an instance, a loss of
wireless connectivity might result from a DHCP issue.
Chapter 10, “IP Services Troubleshooting,” discussed troubleshooting DHCP; however, as
a review, Table 13-4 offers a collection of show, clear, and debug commands useful in
troubleshooting DHCP problems.
Table 13-3 VLAN and Trunk Troubleshooting Commands for a Cisco Catalyst Switch
Command | Description
show vlan | Shows to which VLANs the ports of a switch belong
show interfaces trunk | Displays which VLANs are permitted on a switch’s trunk ports, and which switch ports are configured as trunks
show interfaces switchport | Displays summary information for the ports on a switch, including VLAN and trunk configuration information
QoS
Latency-sensitive traffic traveling over a wireless network (for example, Voice over Wireless
LAN [VoWLAN]) might suffer from poor performance if QoS markings are not preserved
as traffic crosses the boundary between the wireless and wired portions of a
network.
You might want to review Chapter 11 for a more detailed discussion of QoS troubleshooting.
The mls qos trust dscp interface configuration mode command, however, was not discussed
in Chapter 11. You can issue this command on a Cisco Catalyst switch to cause an
interface to trust incoming DSCP markings. To preserve priority markings on wireless
traffic as it enters a wired network, you can issue this command on a Cisco Catalyst
switch port that connects to a WLC.