How to Cheat at Securing a Wireless Network, part 5 (Chapter 5, Wireless LAN VLANs)





As shown in Figure 5.7, radio interface "0" has been split into the "0.1" and "0.2" sub-interfaces, each with its own access group (101 and 102). The dot "." in the interface name denotes a sub-interface. Sub-interfaces are used to carry multiple VLANs, each with its own policy such as a filter. According to the drawing, the Student group is bound to the sub-interface with access list 101, which permits only HTTP from the Student wireless VLAN into the wired network. The Teacher group, with filter list 102, is allowed to reach the World Wide Web (WWW), mail (SMTP and POP3), and the File Transfer Protocol (FTP) on the wired network.

Figure 5.7 Per-VLAN Filters (Cisco Aironet 1200 access point; the Teacher and Student VLANs are trunked to a Layer 3 switch with the WWW, FTP and POP3 servers and the Internet behind it)

    interface Dot11Radio0.1
     ip access-group 101 in
    interface Dot11Radio0.2
     ip access-group 102 in
    access-list 101 permit tcp any any eq www
    access-list 101 deny ip any any
    access-list 102 permit tcp any any eq www
    access-list 102 permit tcp any any eq smtp
    access-list 102 permit tcp any any eq pop3
    access-list 102 permit tcp any any eq ftp
    access-list 102 deny ip any any

Per-VLAN QOS

QOS policies can be applied on a per-VLAN basis. For example, you may want to give the wireless IP phones' VLAN a higher priority than the student VLAN: VoIP degrades under congestion, so it is important to prioritize it. Or you may want to prioritize teachers' communication over students or guests when an access point becomes congested. You can specify a different QOS policy for each VLAN to which a group is mapped.

Per-VLAN Authentication and Encryption

Each VLAN can have its own authentication and encryption policy. You can run a guest network for your students with no authentication and no WEP encryption, while at the same time using Cisco EAP authentication with a WEP+TKIP policy for teachers.
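To see exactly what the two lists in Figure 5.7 allow, here is a small evaluator for IOS extended access-list lines, added for this page (it is not code from the book). The figure's lists are embedded as constructed input, together with a hypothetical tightened student list numbered 121. Running it surfaces two things a practitioner should check before trusting the filter: "permit tcp any any eq www" passes HTTP to every destination, so if the student grades system is reachable over HTTP the student list by itself does not protect it; and neither list permits DNS, which a browse-only policy needs. The addresses 192.168.20.5, 192.168.10.5 and 150.50.15.150 come from the chapter's topology; 198.51.100.53 is a placeholder DNS server.

```python
import ipaddress

# Cisco port keywords used in the chapter's access lists (www = HTTP).
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "ftp": 21, "domain": 53}


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'.
    Returns (network, remaining tokens). Wildcard masks are assumed contiguous."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard is the bitwise inverse of a netmask.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acls(text):
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines into {N: [entries]}.
    Entry order is kept because IOS evaluates a list top-down and the first match wins."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(number, []).append((action, proto, src, dst, dport))
    return acls


def evaluate(entries, proto, src, dst, dport):
    """Return 'permit' or 'deny' for one flow; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, edst, eport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if s not in esrc or d not in edst:
            continue
        if eport is not None and eport != dport:
            continue
        return action
    return "deny"


# Constructed input: the two lists from Figure 5.7, plus a hypothetical tightened student
# list (121) that blocks the grades database before permitting HTTP and also allows DNS.
FIGURE_5_7_ACLS = """
access-list 101 permit tcp any any eq www
access-list 101 deny ip any any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq ftp
access-list 102 deny ip any any
access-list 121 deny ip any host 150.50.15.150
access-list 121 permit tcp any any eq www
access-list 121 permit udp any any eq domain
access-list 121 deny ip any any
"""

ACLS = parse_acls(FIGURE_5_7_ACLS)
STUDENT, TEACHER, GRADES_DB = "192.168.20.5", "192.168.10.5", "150.50.15.150"
DNS_SERVER = "198.51.100.53"  # placeholder; the lists above do not look at the destination anyway


def check_policy():
    """Walk a few representative flows through each list and return the decisions."""
    return {
        "student http to grades db (101)": evaluate(ACLS["101"], "tcp", STUDENT, GRADES_DB, 80),
        "student dns (101)": evaluate(ACLS["101"], "udp", STUDENT, DNS_SERVER, 53),
        "student ftp (101)": evaluate(ACLS["101"], "tcp", STUDENT, "150.50.16.5", 21),
        "teacher ftp (102)": evaluate(ACLS["102"], "tcp", TEACHER, "150.50.16.5", 21),
        "teacher ssh (102)": evaluate(ACLS["102"], "tcp", TEACHER, "150.50.16.5", 22),
        "student http to grades db (121)": evaluate(ACLS["121"], "tcp", STUDENT, GRADES_DB, 80),
        "student http elsewhere (121)": evaluate(ACLS["121"], "tcp", STUDENT, "150.50.16.5", 80),
    }


if __name__ == "__main__":
    for flow, decision in check_policy().items():
        print(f"{decision:6} {flow}")
```

The order of the entries in list 121 matters: the deny for the grades host must precede the "permit tcp any any eq www" line, or the permit matches first and the deny is never reached.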
Also, your PDA devices may not support the same authentication policy as the teachers' devices and will require a compatible policy of their own. Just like filters and QOS, these settings are configured per sub-interface VLAN.

If you need to support two groups that share the same authentication type but have different restrictions on the wired network, you need a way to prevent a wireless user from simply changing SSID in order to be mapped into the other group's VLAN after passing authentication. How to mitigate that threat is discussed later in this chapter.

Configuring Wireless VLANs Using the IOS: A Case Study

A local university has asked you to implement wireless technology for its faculty, students, and maintenance workers. After conducting a site survey and developing security policy requirements for the university, you have come up with a solution. Since students, faculty, and maintenance workers require different security policies and restrictions, your design includes three different VLANs in every access point. Refer to Figure 5.8 for the part of the network topology map used in this scenario. Faculty and students require strict per-user authentication in order to be mapped into their VLANs. The faculty needs Internet access to surf the Web, and access to the student grades system to update records. Students are only allowed to surf the Web. The maintenance workers will use the new wireless design to communicate and report back to the maintenance server from wireless PDA devices. Refer to Table 5.1 for a listing of the requirements.
Table 5.1 Table of Requirements

    Requirement      Teacher                Student                Maintenance
    SSID             Teacher                Student                PDA
    VLAN ID          10                     20                     30
    Authentication   LEAP                   LEAP                   MAC/WEP
    Encryption       Dynamic 128-bit WEP    Dynamic 128-bit WEP    Static 40-bit WEP
    Filter List      Yes, #101              Yes, #102              Yes, #103

Figure 5.8 School Topology (the access point trunks VLANs 10, 20 and 30 to the switch on port 0/16; the student grades system DB 150.50.15.150 sits in VLAN 100 on port 0/13, the RADIUS server 150.50.111.100 in VLAN 111 on port 0/15, the maintenance server 172.16.30.100 in VLAN 30 on port 0/14, and the Internet router/firewall 150.50.16.5 in VLAN 200 on port 0/12; other addresses shown on the map: 10.18.20.1, 192.168.10.5, 192.168.20.5, 172.16.30.5)

The following steps are required to configure the access point to support the network topology from Figure 5.8.

1. Configure SSIDs for all three groups and their authentication types. The first two, for VLANs 10 and 20, use the EAP method. VLAN 30 uses open authentication with a static WEP key and a MAC address list. (Refer to Chapter 7 for details on authentication types.)

    AP# configure terminal
    AP(config)# interface Dot11Radio 0
    AP(config-if)# ssid teacher
    AP(config-if-ssid)# vlan 10
    AP(config-if-ssid)# authentication open eap eap_methods
    AP(config-if-ssid)# authentication network-eap eap_methods
    AP(config-if-ssid)# exit
    AP(config-if)# ssid student
    AP(config-if-ssid)# vlan 20
    AP(config-if-ssid)# authentication open eap eap_methods
    AP(config-if-ssid)# authentication network-eap eap_methods
    AP(config-if-ssid)# exit
    AP(config-if)# ssid pda
    AP(config-if-ssid)# vlan 30
    AP(config-if-ssid)# authentication open mac-address 798

2. Configure the native VLAN interface. You can configure the native VLAN on the Ethernet interface only, so that wireless clients cannot reach the access point's own IP address for administration. In this example we configure the native VLAN on both the radio and the Ethernet interface. The VLAN number is followed by the keyword native.
    AP(config)# interface Dot11Radio0.1
    AP(config-if)# encapsulation dot1Q 1 native
    AP(config-if)# bridge-group 1
    AP(config-if)# exit
    AP(config)# interface FastEthernet0.1
    AP(config-if)# encapsulation dot1Q 1 native
    AP(config-if)# bridge-group 1

3. Configure VLANs 10, 20, and 30 by creating sub-interfaces and enabling 802.1Q encapsulation on the radio and Ethernet interfaces.

    AP(config)# interface Dot11Radio0.10
    AP(config-if)# encapsulation dot1Q 10
    AP(config-if)# bridge-group 10
    AP(config-if)# exit
    AP(config)# interface FastEthernet0.10
    AP(config-if)# encapsulation dot1Q 10
    AP(config-if)# bridge-group 10
    AP(config)# interface Dot11Radio0.20
    AP(config-if)# encapsulation dot1Q 20
    AP(config-if)# bridge-group 20
    AP(config-if)# exit
    AP(config)# interface FastEthernet0.20
    AP(config-if)# encapsulation dot1Q 20
    AP(config-if)# bridge-group 20
    AP(config)# interface Dot11Radio0.30
    AP(config-if)# encapsulation dot1Q 30
    AP(config-if)# bridge-group 30
    AP(config-if)# exit
    AP(config)# interface FastEthernet0.30
    AP(config-if)# encapsulation dot1Q 30
    AP(config-if)# bridge-group 30

4. Configure WEP keys. Two 128-bit WEP keys are used for VLANs 10 and 20. They encrypt broadcast and multicast traffic only, since unicast WEP keys are derived dynamically per user during 802.1x EAP authentication. One static 40-bit WEP key supports the maintenance workers' PDAs; it is used for unicast encryption between the PDAs and the access point. For security, the broadcast key in VLANs 10 and 20 is rotated with the broadcast-key command. Broadcast key rotation only works for clients that derive their keys through EAP (LEAP in this design); static-WEP clients such as the PDAs cannot follow a rotated key, which is why it is not configured for VLAN 30.
    AP(config)# interface Dot11Radio 0
    AP(config-if)# encryption vlan 10 key 1 size 128bit <key-here> transmit-key
    AP(config-if)# encryption vlan 10 mode ciphers wep128
    AP(config-if)# broadcast-key vlan 10 change <# of seconds>
    AP(config-if)# encryption vlan 20 key 1 size 128bit <key-here> transmit-key
    AP(config-if)# encryption vlan 20 mode ciphers wep128
    AP(config-if)# broadcast-key vlan 20 change <# of seconds>
    AP(config-if)# encryption vlan 30 key 1 size 40bit <key-here> transmit-key
    AP(config-if)# encryption vlan 30 mode ciphers wep40

5. Configure filter lists to restrict the types of communication accepted from the wireless groups into the wired network. Part of the campus requirement is to restrict students to surfing the Internet and to prevent them from accessing the student grades database. A unique filter list can be applied on each VLAN radio sub-interface. (Refer to Chapter 7 for how to configure and apply filter lists to restrict or permit traffic.)

6. Apply identical configuration to the second radio interface. If you are using access points such as the 1200 series that support up to two installed radios (802.11b, 802.11g, or 802.11a), you must repeat all of the configuration for interface "Dot11Radio 1" as you did for interface "Dot11Radio 0". This includes the SSIDs, the creation of sub-interfaces, the WEP keys, and the IP filters.

NOTE

In the Web-based access point administrator graphical user interface (GUI) you can use the "Apply-all" button in the interface configuration menu to apply your settings to both installed radios at once. The 1200 series access point supports up to two installed radios, including 802.11a, 802.11b, and 802.11g. Each radio can have unique or identical settings.
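As a worked check of the configuration built in steps 1 to 6, the script below (added here; it is not code from the book) parses a constructed running-config in the shape of those steps, together with the trunk's allowed VLAN list from the Catalyst 3550 configuration in this case study, and flags the mismatches that slip through when the sequence is typed by hand: a VLAN not bridged on both the radio and the Ethernet side, an SSID placed in the native VLAN, an EAP VLAN whose broadcast key is never rotated (the sample deliberately repeats a "broadcast-key vlan 10" line where VLAN 20 was meant), and a trunk that carries more or fewer VLANs than the access point uses.

```python
import re

# Constructed sample: the access-point configuration from steps 1 to 4 as 'show running-config'
# would print it (no prompts). It deliberately rotates the VLAN 10 broadcast key twice and never
# rotates VLAN 20's, the copy-and-paste slip the lint is meant to catch.
SAMPLE_AP_CONFIG = """\
interface Dot11Radio0
 ssid teacher
  vlan 10
  authentication open eap eap_methods
  authentication network-eap eap_methods
 ssid student
  vlan 20
  authentication open eap eap_methods
  authentication network-eap eap_methods
 ssid pda
  vlan 30
  authentication open mac-address 798
 encryption vlan 10 mode ciphers wep128
 broadcast-key vlan 10 change 300
 encryption vlan 20 mode ciphers wep128
 broadcast-key vlan 10 change 300
 encryption vlan 30 mode ciphers wep40
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30
interface FastEthernet0.30
 encapsulation dot1Q 30
 bridge-group 30
"""

# The 'switchport trunk allowed vlan' value from the Catalyst 3550 side of the case study.
SWITCH_TRUNK_ALLOWED = "1,10,20,30"


def parse_ap_config(text):
    """Extract SSID->VLAN/auth, the sides (radio/Ethernet) each VLAN is bridged on,
    the VLANs with broadcast-key rotation, and the native VLAN."""
    ssids, bridged, rotated, native = {}, {}, set(), None
    cur_ssid = cur_if = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Dot11Radio|FastEthernet)\d+(\.\d+)?$", line)
        if m:  # a new interface block ends any SSID block; only sub-interfaces bridge VLANs
            cur_if, cur_ssid = (m.group(1) if m.group(2) else None), None
            continue
        m = re.match(r"ssid (\S+)$", line)
        if m:
            cur_ssid = m.group(1)
            ssids[cur_ssid] = {"vlan": None, "eap": False}
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m and cur_ssid:
            ssids[cur_ssid]["vlan"] = int(m.group(1))
        elif cur_ssid and re.match(r"authentication (open eap|network-eap)\b", line):
            ssids[cur_ssid]["eap"] = True
        m = re.match(r"encapsulation dot1Q (\d+)( native)?$", line)
        if m and cur_if:
            bridged.setdefault(int(m.group(1)), set()).add(cur_if)
            if m.group(2):
                native = int(m.group(1))
        m = re.match(r"broadcast-key vlan (\d+) change", line)
        if m:
            rotated.add(int(m.group(1)))
    return ssids, bridged, rotated, native


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10-12,20' into a set of integers."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def lint(ap_config, trunk_allowed):
    """Return a list of findings; an empty list means the AP and the trunk agree."""
    ssids, bridged, rotated, native = parse_ap_config(ap_config)
    findings = []
    for name, s in ssids.items():
        v = s["vlan"]
        if v is None:
            findings.append(f"SSID {name} is not assigned a VLAN")
            continue
        if v == native:
            findings.append(f"SSID {name} is mapped to the native VLAN {native} used for AP management")
        if bridged.get(v) != {"Dot11Radio", "FastEthernet"}:
            findings.append(f"VLAN {v} (SSID {name}) is not bridged on both the radio and the Ethernet side")
        if s["eap"] and v not in rotated:
            findings.append(f"VLAN {v} (SSID {name}) uses EAP but its broadcast key is never rotated")
        if not s["eap"] and v in rotated:
            findings.append(f"VLAN {v} (SSID {name}) uses static WEP; rotation would lock its clients out")
    needed = {s["vlan"] for s in ssids.values() if s["vlan"] is not None}
    if native is not None:
        needed.add(native)
    allowed = parse_vlan_list(trunk_allowed)
    if allowed - needed:
        findings.append(f"trunk carries VLANs {sorted(allowed - needed)} that no SSID uses")
    if needed - allowed:
        findings.append(f"trunk is missing VLANs {sorted(needed - allowed)} that the AP bridges")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_AP_CONFIG, SWITCH_TRUNK_ALLOWED) or ["no findings"]:
        print(finding)
```

Run against a real device, feed it the output of "show running-config" and the trunk port's "switchport trunk allowed vlan" line; the checks are deliberately limited to what those two sources state, so a clean result means the VLAN plumbing is consistent, not that the filter lists or RADIUS side are right.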
There is one big security concern in the current school campus design, called VLAN hopping (here meaning a user who authenticates and then selects another SSID to land in a different VLAN, not the 802.1Q double-tagging attack of the same name). To mitigate it you must use a RADIUS server to assign each user's VLAN. This concept is covered later in this chapter and must be considered in the design to prevent students from accessing their confidential records.

In Figure 5.8, a Catalyst 3550 Layer 3-aware switch is used, with IP routing enabled. Part of the switch configuration is shown below for reference. Notice that the trunk port configured under the FastEthernet 0/16 interface only allows the VLANs required on the wireless side. Access filters can also be applied on the switch VLAN interfaces to restrict traffic between VLANs.

As shown in the Figure 5.8 topology map, interface 0/12 is part of VLAN 200.

    interface FastEthernet0/12
     description Port to Internet Router
     switchport access vlan 200
     switchport mode access
     no ip address

Interface 0/13 is part of VLAN 100 and connects the student records server.

    interface FastEthernet0/13
     description Student Records Server
     switchport access vlan 100
     switchport mode access
     no ip address
    interface FastEthernet0/14
     description Maintenance Server
     switchport access vlan 30
     switchport mode access
     no ip address
    interface FastEthernet0/15
     description Radius Server
     switchport access vlan 111
     switchport mode access
     no ip address

Interface 0/16 is the trunk port that carries multiple VLANs between the access point and the switch. The trunk uses 802.1Q encapsulation, which the access point supports. The VLANs allowed to cross the trunk are restricted with the allowed vlan command, which ensures that only the required VLANs from the switch can reach the wireless side.
    interface FastEthernet0/16
     description Trunk Port to AP
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,10,20,30
     switchport mode trunk
     no ip address

Logical VLAN interfaces are assigned IP addresses that are used for Layer 3 routing between the different VLANs. They also serve as the default gateways for devices on each VLAN.

    interface Vlan1
     ip address 10.18.20.3 255.255.255.0
    interface Vlan10
     ip address 192.168.10.1 255.255.255.0
    interface Vlan20
     ip address 192.168.20.1 255.255.255.0
    interface Vlan30
     ip address 172.16.30.1 255.255.255.0
    interface Vlan100
     ip address 150.50.15.1 255.255.255.0
    interface Vlan111
     ip address 150.50.111.11 255.255.255.0
    interface Vlan200
     ip address 150.50.16.1 255.255.255.0

The default gateway is configured with the ip route 0.0.0.0 0.0.0.0 command, which matches all traffic not destined for a VLAN on the switch, such as Internet browsing, and routes it towards the Internet router.

    ip classless
    ip route 0.0.0.0 0.0.0.0 150.50.16.5

Broadcast Domain Segmentation

Broadcast domain segmentation prevents broadcast and multicast traffic from one group from entering other segmented groups. One of the advantages of separating LANs with VLANs is the creation of separate broadcast domains. A broadcast domain preserves performance and scalability and prevents users in different logical domains from exchanging broadcast or multicast traffic.

Traffic Types

There are many different traffic types. To understand broadcast domain segmentation and its benefits, a review of the three fundamental traffic types, unicast, broadcast and multicast, is required.

Unicast

Unicast traffic is traffic directed to one individual receiver. An example of this one-to-one relationship is a visit to www.cisco.com: only the client and the Web site are involved in sending and receiving the traffic.
Broadcast

In a broadcast, the client sends a single packet that is directed to everyone. This is a one-to-all relationship. As shown in Figure 5.9, one server sends a broadcast message and everyone on the LAN receives it. A broadcast can be contained by logically separating the LAN with VLANs, or by a Layer 3 device. Every client that receives a broadcast must process it, which lowers the overall performance of a LAN. Broadcast frames carry the broadcast MAC address (ff:ff:ff:ff:ff:ff). When the switch sees this address it forwards the frame out of every port in that VLAN. Servers use broadcast traffic to announce the information services they provide. The broadcast domain is the group of logical network devices among which broadcast messages are flooded.

Figure 5.9 Broadcast Traffic (one station sends a broadcast; every station on the LAN receives it)

Multicast

Multicast traffic is similar to broadcast traffic. Its intended relationship is one-to-many. Unlike broadcast traffic, multicast traffic is sent to a set of users in a group. It is still forwarded like broadcast traffic; however, unlike in a broadcast environment where each device must process the broadcast, devices that are not listening to the specific multicast group being advertised disregard the multicast traffic. How can multicast benefit your network? Unlike unicast, where the server must send a copy of the same packet to every receiver it needs to communicate with, multicast needs only one packet, which reaches all of the users listening on that multicast group.

Broadcast Domain in Wireless

Now that you understand the different types of traffic and the benefits of broadcast domain segmentation in wired networks, we will take a closer look at broadcast segmentation in wireless networks. In a wired network, VLANs are used to separate broadcast domains.
As discussed earlier, every packet traveling through the air can be seen by every neighbor within signal reach. For this reason, every wireless client, regardless of VLAN assignment, receives broadcast and multicast traffic. This is the difference between wired and wireless networks in their treatment of broadcasts in VLANs. You cannot prevent broadcast messages from reaching other VLAN segments on the wireless side, because no physical separation (such as an Ethernet cable) exists.

Because broadcast messages cannot be kept from reaching wireless users in other VLANs, a workaround is required. Cisco wireless access points allow you to configure a different WEP key for the broadcast traffic of each VLAN. This WEP key differs from the unicast key and is communicated to the wireless clients. When the access point sends a broadcast on its wireless side, wireless users in other VLANs still receive the frame, but because they do not share that VLAN's broadcast WEP key, devices not belonging to the VLAN discard it. A broadcast WEP key can be dynamically derived or statically configured and is synchronized between the clients and the access point. A broadcast key shares some of the properties of a unicast WEP key, including the ability to be rotated within a configured timeout when used with the LEAP protocol. Figure 5.10 shows a broadcast sent from the access point to the teachers' VLAN. Anyone not in that VLAN still receives the packet but discards it, because they do not share the broadcast WEP key. If this were a wired network, the students would never receive the broadcast from the teacher, since it is in a different VLAN.
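The mechanism above, that every station hears the frame but only holders of the VLAN's broadcast key can accept it, is easy to see in a simulation. The following is an added example written for this page, not code from the book or from Cisco: a minimal WEP implementation (RC4 over IV plus key, CRC-32 integrity check value) with constructed per-VLAN broadcast keys, an access point that encrypts a broadcast under the key of the VLAN it belongs to, and three stations from the case study that all receive the frame and either accept or discard it. A station with the wrong key does not "fail to receive" anything; its RC4 output is garbage, the ICV does not verify, and the frame is dropped.

```python
import zlib


def rc4(key, data):
    """Plain RC4: key scheduling, then keystream XOR. In WEP the RC4 key is IV || shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, payload):
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) over payload || CRC-32 ICV."""
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + rc4(iv + key, payload + icv)


def wep_decrypt(key, body):
    """Return the payload if the ICV verifies under this key, otherwise None (frame discarded)."""
    iv, ciphertext = body[:3], body[3:]
    plain = rc4(iv + key, ciphertext)
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        return None
    return payload


# Constructed per-VLAN broadcast keys: 104-bit for the two EAP VLANs, 40-bit for the PDA VLAN.
BROADCAST_KEYS = {
    10: bytes.fromhex("0a0a0a0a0a0a0a0a0a0a0a0a0a"),
    20: bytes.fromhex("14141414141414141414141414"),
    30: bytes.fromhex("1e1e1e1e1e"),
}


class AccessPoint:
    def __init__(self, broadcast_keys):
        self.keys = broadcast_keys
        self.iv_counter = 0  # a real AP has only 24 bits of IV, which is one of WEP's weaknesses

    def broadcast(self, vlan, payload):
        """Encrypt a broadcast under the key of its VLAN; every station in range will hear it."""
        self.iv_counter += 1
        iv = self.iv_counter.to_bytes(3, "big")
        return wep_encrypt(self.keys[vlan], iv, payload)


class Station:
    def __init__(self, name, vlan, broadcast_key):
        self.name, self.vlan, self.key = name, vlan, broadcast_key

    def receive(self, body):
        """The radio delivers every frame; the wrong key fails the ICV check and the frame is dropped."""
        return wep_decrypt(self.key, body)


AP = AccessPoint(BROADCAST_KEYS)
STATIONS = [
    Station("teacher-laptop", 10, BROADCAST_KEYS[10]),
    Station("student-laptop", 20, BROADCAST_KEYS[20]),
    Station("maintenance-pda", 30, BROADCAST_KEYS[30]),
]


def deliver_broadcast(vlan, payload, stations=STATIONS):
    """Simulate the air: the AP sends one frame and every station processes it.
    Returns {station name: accepted payload or None}."""
    body = AP.broadcast(vlan, payload)
    return {s.name: s.receive(body) for s in stations}


if __name__ == "__main__":
    for name, result in deliver_broadcast(10, b"ARP who-has 192.168.10.1").items():
        print(f"{name:16} {'accepted ' + repr(result) if result else 'discarded'}")
```

The separation this gives is separation between cooperating clients, not confidentiality against an attacker: the student's radio still captures the teacher VLAN's frames, and WEP's RC4 keystream reuse under 24-bit IVs is cryptographically broken, so the same per-VLAN group-key design today uses WPA2 group temporal keys rather than WEP.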

Posted: 14/08/2014, 18:22


