Transcript
Page 1: Iuwne10 S02 L04

© 2008 Cisco Systems, Inc. All rights reserved. IUWNE v1.0—2-1

Basic Cisco WLAN Installation

Describing Access Point Operational Modes

Page 2: Iuwne10 S02 L04

AP Mode: Wireless > Access Points > All APs > Detail

Page 3: Iuwne10 S02 L04

Access Point Local Mode

– Default mode for an AP, providing:
  – Data services
  – Monitoring services
    – AP will scan all channels over 180 seconds by default
    – Only management packets are inspected for intrusion detection system (IDS) signature matches
– Can be used for site surveys

Page 4: Iuwne10 S02 L04

Access Point Local Mode Monitor Timing

Page 5: Iuwne10 S02 L04

Access Point Monitor Mode

– Software configuration to reduce AP capabilities to perform only WLAN monitoring on a per-AP basis:
  – Trusted AP policies
  – Rogue policies
  – Signatures
– Both data and management packets are inspected for IDS signature matches
– AP will scan all channels for 1.1 seconds
– AP is only a beacon device

Page 6: Iuwne10 S02 L04

Access Point Monitor Mode Monitor Timing

Page 7: Iuwne10 S02 L04

Access Point Sniffer Mode

– Works in conjunction with products like AiroPeek or AirMagnet to monitor a single wireless channel
– Requires an external server to capture the packets
– Gathers the following data:
  – Time stamp
  – Signal strength
  – Packet size

Page 8: Iuwne10 S02 L04

AP Sniffer Mode Operation

Page 9: Iuwne10 S02 L04

Access Point Rogue Detector Mode

– Software configuration to reduce AP capabilities to perform only rogue detection on a per-AP basis
– Listens for rogue devices on the wired network
– Compares ARP requests heard on the network to rogue MAC addresses reported by the controller
– Generates an alarm when a wireless rogue is seen on the wired side
– Does not allow client connectivity: radios are shut down, 100% of CPU dedicated to rogue detection
– Does not perform rogue containment
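The ARP comparison the rogue detector performs, modelled as an added example (not Cisco code): rogue MAC addresses as the controller might report them are normalised, then matched against the source MAC of ARP requests heard on the wired side; a hit means the wireless rogue also has a wired foothold and raises an alarm. The controller report, the tcpdump-style ARP lines and the exact-match rule are constructed assumptions for illustration.

```python
import re

# Constructed sample: rogue MACs as a controller report might list them
# (different notations on purpose, so normalisation is exercised).
ROGUE_MACS_FROM_WLC = ["00:1A:2B:3C:4D:5E", "0019.5baa.bbcc"]

# Constructed tcpdump -e style lines as heard on the wired (trunk) side.
# Only the first is an ARP *request* from a reported rogue MAC.
WIRED_ARP_LINES = [
    "00:1a:2b:3c:4d:5e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.77, length 28",
    "00:50:56:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.10, length 28",
    "00:19:5b:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at 00:19:5b:aa:bb:cc, length 28",
]

# Source MAC, then the "who-has <target> tell <sender>" part of an ARP request.
ARP_REQ = re.compile(
    r"^(?P<src>[0-9a-fA-F:]{17}) > \S+, ethertype ARP .*"
    r"Request who-has (?P<target>\S+) tell (?P<sender>\S+),"
)


def normalize_mac(mac: str) -> str:
    """Accept colon, dash or Cisco dotted notation; return lower-case aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def detect_wired_rogues(rogue_macs, arp_lines):
    """Return one alarm per ARP request whose source MAC is a reported rogue."""
    rogues = {normalize_mac(m) for m in rogue_macs}
    alarms = []
    for line in arp_lines:
        m = ARP_REQ.match(line)
        if not m:
            continue  # replies and non-ARP traffic are not compared, as on the slide
        src = normalize_mac(m.group("src"))
        if src in rogues:
            alarms.append({"rogue_mac": src,
                           "sender_ip": m.group("sender"),
                           "target_ip": m.group("target")})
    return alarms


if __name__ == "__main__":
    for alarm in detect_wired_rogues(ROGUE_MACS_FROM_WLC, WIRED_ARP_LINES):
        print("ALARM: wireless rogue seen on wired side:", alarm)
```

The third sample line carries a rogue MAC but is an ARP reply, so it produces no alarm; that is the request-only rule from the slide, not a parsing gap.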

Page 10: Iuwne10 S02 L04

Hybrid REAP

– H-REAP AP can be controlled across WAN links:
  – Designed to support remote offices
  – Control traffic still LWAPP-encapsulated and sent to Cisco Wireless LAN Controller (WLC); client data can be locally bridged
– All management control and RF management is available when the WAN link is up and connectivity is available to the Cisco WLC.
– H-REAP can remain operational when unable to communicate with a controller during a WAN outage.

Page 11: Iuwne10 S02 L04

H-REAP

– When operating in LWAPP, H-REAP-compatible APs have two possible modes:
  – Connected mode (connected state): When H-REAP can reach the controller, it gets help from the controller to complete client authentication
  – Standalone mode (disconnected state): When the AP cannot reach the controller, it processes client requests based on local settings and rules

Page 12: Iuwne10 S02 L04

H-REAP in Connected Mode

– Once an AP is configured as H-REAP, the controller will inform the AP of the mode change through an LWAPP control message. The AP saves this information in NVRAM and boots with the new mode.
– In connected mode, H-REAP traffic can be backhauled to the controller or locally bridged.

Page 13: Iuwne10 S02 L04

H-REAP in Standalone Mode

– Standalone mode (disconnected): When the controller is not reachable by H-REAP, it goes into standalone mode and performs client authentication by itself
– All the following authentication types are supported in standalone mode: Open, WPA-PSK, WPA2-PSK, 802.1X
  – Central-switched WLANs will shut down
  – Local-switched WLANs will remain up:
    – Authentication of local WLANs continues to operate normally
    – Existing 802.1X authenticated clients continue sessions until they roam or trigger session reauthentication
    – New 802.1X clients are authenticated on the AP, from a local user list
– Unsupported features when in standalone mode:
  – RRM, Cisco Centralized Key Management, WIDS, LBS, AP modes
  – WebAuth, NAC

Page 14: Iuwne10 S02 L04

AP Bridging Mode

– Available on Cisco 1130, 1240, and 1500 APs
– Mode used to set up a mesh network, either indoor or outdoor
– Allows AP to act as a wireless LWAPP bridge
– Only shows up on supported hardware
– An additional protocol, Adaptive Wireless Path Protocol (AWPP), is used by the AP to determine the best route to the network

Page 15: Iuwne10 S02 L04

Summary

– An access point can be configured to operate in different modes.
– In local mode, it provides data services on one channel while still monitoring the other channels.
– In monitor mode, it scans all the channels permanently.
– In sniffer mode, it captures frames on one channel and redirects them to a station.
– In rogue detector mode, it detects wireless rogues on the wired network.
– Some access points can be configured to H-REAP mode, where they can provide access without being in the same network as their controller.
– Some access points can be configured to bridge mode to build mesh networks.
