
Wireless LANs

Module Number: C072047
Name: Wireless LANs
Module Leader: Prof WJ Buchanan, School of Computing
Contact: w.buchanan@napier.ac.uk, Room: C.63
MSN Messenger Contact: w_j_buchanan@hotmail.com
Skype: billatnapier
WWW: http://networksims.com
Test site: http://networksims.com/simtests.html

Module Specification

Module Definition

Module Number: C072047
Name: Wireless LANs
Module Leader: Prof WJ Buchanan, School of Computing
Contact: w.buchanan@napier.ac.uk, Room: C.63
MSN Messenger Contact: w_j_buchanan@hotmail.com
Lectures: 24 hours
Practical: 12 hours
Student Centred Learning: 114 hours
Syllabus: Radio Fundamentals (Spread spectrum, Modulation, Radio Wave Propagation), Ad-hoc networks, Wireless Topologies, Antennas, Encryption (WEP, TKIP, and so on) and Authentication (such as EAP, LEAP, Port-based filtering, and so on), Site Security, Troubleshooting, Emerging Technologies, Voice over Wireless, GSM/3G Networks, Location-finding, RFID, Cisco Wireless Tools, Wireless Certification.

Assessment:
1. Coursework assessment [50%].
2. On-line test [50%]. 10% for passing Cisco Certification, 40% for Napier Test.

Learning Outcomes:
- Demonstrates analytical and synthesis skills in defining the key stages in the development of a wireless solution from its specification and design to its evaluation.
- Provides an in-depth understanding of the key principles involved in the operation of a wireless system.
- Demonstrates key practical skills in the implementation, evaluation and debugging of wireless systems.

Reference book: Fundamentals of Wireless LANs, Cisco Press, ISBN 1-58713-119-6.

WWW:
http://www.dcs.napier.ac.uk/~bill/wire.html
http://buchananweb.co.uk/wire.html

Software: Networksims.com

Wireless LANs Prof B.Buchanan

Week  Date    Academic                               Cisco Academy                  Lab/Tutorial
1     1 Oct   1: Radio Wave Fundamentals             -                              Lab 1/2: Access Point Tutorial 1 (T)
2     8 Oct   2: Wireless Fundamentals               Intro to Wireless LANs         Lab 1/2: Access Point Tutorial 1 (T)
3     15 Oct  3: Ad-hoc and Infrastructure Networks  IEEE 802.11 and NICs           Lab 3: Ad-hoc Networks
4     22 Oct  4: Encryption                          Wireless Radio Technology      Lab 4: Infrastructure Networks
5     29 Oct  5: Authentication                      Wireless Topologies            Lab 5: Remote Connections
6     5 Nov   6: Antennas                            Access Points                  Lab 6: Encryption/Authentication
7     12 Nov  7: Filtering / 8: VLANs                Bridges                        Lab 7: Filter
8     19 Nov  Napier Test (40%)                      Antennas                       Lab 8: VLAN
9     26 Nov  Cisco Academy/Additional Material      Security                       Lab 9: VLAN/802.1Q
10    3 Dec   Cisco Academy/Additional Material      Applications                   Lab 10: IP Routing
11    10 Dec  Cisco Academy/Additional Material      Site Survey                    Lab 11: RADIUS
12    17 Dec  Revision/Cram (Cisco Exam)             Troubleshooting                Lab 12: SNMP
      Holidays
13    7 Jan   Revision/Cram (Cisco Exam)
14    14 Jan  Emerging Technologies
15    21 Jan  Cisco Exam (10%)

Coursework/Practical (50%)

Access Point Tutorial 1. This gives a tutorial example of the configuration of a Cisco Aironet 1200 Wireless Access Point (WAP).
Ad-hoc networks. This provides a practical foundation in the configuration and evaluation of ad-hoc networks.
Infrastructure networks. This provides a practical foundation in the configuration of wireless networks using Linksys and Cisco Aironet WAPs.
Radio Configuration Settings. This provides a practical foundation in the range of additional settings on a WAP, such as the RTS threshold.
Encryption. This provides a practical foundation in encryption using simple techniques such as WEP, and more up-to-date techniques such as TKIP.
Authentication/EAP. This provides a practical foundation in the configuration of authentication in wireless systems, including techniques such as LEAP.
Configuring Services. This provides a practical foundation in the configuration of services on a WAP, including Telnet, HTTP, and so on.
Filtering/Blocking. This provides a practical foundation in the methods used to filter and block traffic on a wireless network.
VLANs. This provides a practical foundation in how wireless networks can be segmented in order to enhance security.


Draft Teaching Schedule

Week  Date    Teaching                               Completed
1     1 Oct   1: Radio Wave Fundamentals
2     8 Oct   2: Wireless Fundamentals
3     15 Oct  3: Infrastructure Networks
4     22 Oct  4: Encryption
5     29 Oct  5: Authentication
6     5 Nov   6: Antennas
7     12 Nov  7: Filtering / 8: VLANs
8     19 Nov  Napier Test (40%)
9     26 Nov  Cisco Academy/Additional Material
10    3 Dec   Cisco Academy/Additional Material
11    10 Dec  Cisco Academy/Additional Material
12    17 Dec  Revision/Cram (Cisco Exam)
13    7 Jan   Revision/Cram (Cisco Exam)
14    14 Jan
15    21 Jan

Draft Cisco Academy Schedule

Each week you review the Fundamentals of Wireless LANs material.

Week  Date    Lab                         Completed
1     1 Oct   -
2     8 Oct   Intro to Wireless LANs
3     15 Oct  IEEE 802.11 and NICs
4     22 Oct  Wireless Radio Technology
5     29 Oct  Wireless Topologies
6     5 Nov   Access Points
7     12 Nov  Bridges
8     19 Nov  Antennas
9     26 Nov  Security
10    3 Dec   Applications
11    10 Dec  Site Survey
12    17 Dec  Troubleshooting

Draft EMULATOR Schedule

Each week you should complete a range of emulator challenges:

Week  Date    Lab                         Completed
1     2 Oct   -
2     9 Oct   Wireless Challenge 1-10
3     16 Oct  Wireless Challenge 11-30
4     23 Oct  Wireless Challenge 31-50
5     30 Oct  Wireless Challenge 51-75
6     6 Nov
7     13 Nov
8     20 Nov
9     27 Nov
10    4 Dec
11    11 Dec
12    18 Dec

On-line test Specification

Module Name: Wireless LANs
Module Number: CO72047
Module Leader: Prof Bill Buchanan
Week: 8

Details
The details of the test are at:
http://www.dcs.napier.ac.uk/~bill/wirelesslan_exam.htm
There are 50 questions in the test, and an outline of the questions is:
Wireless network operation
1. Define the usage of handshaking in wireless networks, using RTS/CTS.
2. Define the usage of the fragment threshold, and how it affects traffic.
3. Define the usage of the preamble.
4. Understands the reasons for using spread spectrum in wireless communications.
5. Identifies the usage of world mode in wireless communications.
6. Defines how antenna diversity is used to improve wireless communications.
7. Identifies the radio frequencies used in RF wireless networks.
8. Calculates the time to transmit a wireless data frame for a given frame size.
9. Calculates the time to transmit wireless data for given parameters.
WEP/TKIP encryption
10. Defines the number of encryption keys that are possible with WEP encryption.
11. Identifies the size of an ASCII key for 64-bit or 128-bit WEP.
12. Defines the weakness of the IV in WEP.
13. Identifies the maximum number of IV values.
14. Defines the result of XOR-ing a text string with a defined key.
15. Calculates the time for an IV to repeat for a given bit rate and data frame time.
16. Outlines the basics of a man-in-the-middle attack on WEP.
Authentication/802.1X
17. Outlines the weakness of open authentication.
18. Defines the layered model of 802.1X.
19. Defines the operation of TKIP.
20. Outlines how TKIP overcomes the weaknesses of WEP.
21. Defines the operation of LEAP.
22. Defines the operation of EAP-TLS.
23. Defines how a RADIUS server is used in authentication.
24. Defines the management frame types used in the IEEE 802.11 frame format.
RF and Antennas
25. Calculates the time taken for an EM wave to travel a given distance.
26. Calculates the dB value for a given input power and output power.
27. Calculates the overall gain for an amplifier, with losses.
28. Calculates the dBm value for a given power level.
29. Calculates the output power for a given input power and cable loss, for a given cable length.
30. Calculates the output power in dBm for a given input power and overall amplifier gain, with losses.
31. Defines isotropic radiators.
32. Approximates the size of a dipole antenna for a given frequency (based on λ/2).
33. Calculates the dBi of a dipole antenna with a given dBd value.
34. Defines the usage of polarisation.
35. Identifies a typical radiation pattern for a given antenna type.
36. Defines antenna beamwidth.
Cisco IOS configuration
37. Defines the Cisco IOS commands involved in SNMP communications.
38. Defines the Cisco IOS commands involved in generating encryption keys.
39. Defines the Cisco IOS commands involved in SSH communications.
40. Defines the Cisco IOS commands to display connected radio devices.
41. Defines the Cisco IOS commands involved with LEAP authentication.
42. Defines the Cisco IOS commands involved with WEP encryption.
43. Defines the Cisco IOS commands involved with TKIP encryption.
44. Defines the Cisco IOS commands involved with shared-key authentication.
45. Defines the Cisco IOS commands for local authentication.
Future/other wireless/VLAN
46. Defines the operation of UWB.
47. Defines the type of modulation used in UWB.
48. SSID associations.
49. VLAN broadcasts.
50. Defines the usage of WiMAX.


Wireless Networks Assessment

Specification
Module name: Wireless LANs
Module number: CO72047
Session: Semester 1, 2006/2007
Contact: Prof WJ Buchanan, C63, School of Computing

The module will be assessed as follows:
1. Coursework assessment [50%].
2. On-line test [50%]. 10% for passing Cisco Certification, 40% for Napier Test.

Coursework specification
The coursework will account for 50% of the module. An outline specification is:
Title: Secure Wireless Network Design
Objective: To design a secure wireless network.
Outline: The objective of this coursework is to design a secure wireless network which meets certain objectives, and to implement a prototype of the system.
Submission: PDF document submitted to Web-CT by 11 January 2006.
Assessment: A grade will be assigned for the assessment, which will be returned to the student. This grade will then be converted to a mark for the module board.
The key elements of the report should be:

Introduction. This should define the aims of the coursework, and provide
background material. [5%]
Design. This section should present a possible wireless design for an
organisation network which supports up to 100 simultaneous users. This design
should include encryption, authentication and the required firewalling/ filtering.
Further details of the security constraints will be given in the lecture [25%]
Implementation. This section should provide a prototype of the proposed
wireless system including sample configurations, and an explanation of their
operation. [35%]
Conclusions. This should outline the main conclusions of the report. [15%]
Presentation/references. This relates to the layout and format of the report. Any
references should be given using the APA referencing standard. Do not copy any
material directly from a source. [20%]


The report should be up to 12 pages long, and can include other associated material.

Outline Requirements
The organisation wants to implement a wireless network for their employees, of which the main requirements are:

- Three main groups: Sales, Production and Engineering. Each group has 60 users, and they should be authenticated onto the network.
- The access point selected is a Cisco Aironet 1200.
- The physical span of the network is similar to the corridor on C-floor beside the C.6 lab and along the link corridor that runs past C.27/C.28.
- The Sales and Production departments should not be able to access the Web server on any access point, but Engineering can.
- The Sales department should not be able to ping any of the network, the Production department can ping the access point, and the Engineering department can ping any part of the network.
- The Engineering department should be able to access SNMP information on the access point and the router, but on no other device. Sales and Production should not be able to access any SNMP information.
- Users in Engineering should be allowed to log into any access point, in a secure way.
- There should be a Web server for each of the main groups, and access should only be allowed for that group. Access should be barred to any server not defined for the department.
- Access to external systems should be allowed for incoming and outgoing email.
- Overall, the network should be fairly secure, and robust in case of failures.

Wireless LANs Notes

Radio Fundamentals

1.1 Introduction
As microelectronics has made devices smaller, users now have powerful processing devices in the palm of their hands, and there is thus an increasing need for network connections to be wireless. Many networks still rely on cables, as cables provide a degree of physical security (the signals are contained within them), are fairly robust, and operate without errors for many years. Networks have thus grown into vast infrastructures of nodes connected to switches, which are in turn connected to routers, all linked by a vast array of cables. The physical and logical configuration of such a network can be well managed and controlled. For many reasons, such as bandwidth requirements, robustness and security, it is sensible to keep a fixed network at the core of any networked system, but the connectivity of end devices is likely to move away from fixed connections towards mobile ones. This new type of connection creates many new issues, which must be overcome before wireless networking becomes the standard way to connect to a network. The four major ones are:

Security. The signals from a wireless adaptor are available to anyone within the wireless domain, and can thus be subjected to security breaches. The most basic form of encryption for wireless is 40-bit WEP, which is easily broken. The 128-bit version uses a longer key but shares the same RC4 keystream and 24-bit IV weaknesses, so it too can be broken with commodity hardware and freely available tools; no specialist equipment is needed. Along with the problem of confidentiality, there is the problem of intruders using a wireless connection to reach the Internet: they can access the Internet for free, or use the connection to hide their activities.
Authentication. This has become a key issue, and requires the authentication of users and systems, so that access, and access to services, can be carefully controlled.
Robustness. Wireless networks tend to be less robust than fixed networks, especially as they rely on access points and antennas, which may be subjected to vandalism, or could be affected by other nearby equipment.
Bandwidth. Wireless networks cannot compete with fibre optic cables in bandwidth, as the data rate of a radio channel is bounded by its frequency bandwidth: by the Nyquist limit, a channel of bandwidth B carries at most 2B symbols per second, which for binary signalling gives a raw data rate of about twice the frequency bandwidth (higher-order modulation raises this, but only where the signal-to-noise ratio allows). The limitation is mainly in the available radio spectrum, as many of the radio bands are already used by other applications, such as satellite TV and military systems. Thus, a system which spans from 2 GHz to 2.2 GHz has a frequency bandwidth of 200 MHz, and with binary signalling its raw data rate will be about 400 Mbps. Fibre optic cables support rates of many Gbps.
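The Security point above asserts that both 40-bit and 128-bit WEP are breakable, and the on-line test (items 12 to 16) asks why the IV is the weakness and how long an IV takes to repeat. The following Python is an added example, not part of the course notes or of any Cisco or Napier material: it implements RC4 and the WEP construction (RC4 seeded with the 24-bit IV prepended to the shared key), shows that two frames sent under the same IV leak the XOR of their plaintexts (so one predictable frame, such as an ARP request, decrypts the other), and computes how quickly an 11 Mbps link cycles through the IV space. The key, IV and frame contents are constructed for the demonstration, and the frame-time calculation ignores PHY preamble, headers and inter-frame gaps.

```python
"""WEP keystream reuse and IV exhaustion.

Added example (not course material): a minimal RC4 and a WEP-style
encrypt routine (RC4 seeded with the 24-bit IV prepended to the shared
key), showing why the IV, not the key length, is the weak point.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream: key scheduling, then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: RC4(IV || key) XOR plaintext. A 3-byte IV with a
    5-byte key is '64-bit' WEP; with a 13-byte key it is '128-bit' WEP.
    The IV travels in the clear, so an eavesdropper always knows it."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))


def ciphertext_xor_leaks_plaintext_xor(iv, key, p1, p2) -> bool:
    """Two frames under the same IV and key share one keystream, so
    C1 XOR C2 == P1 XOR P2 whatever the key length."""
    c1 = wep_encrypt(iv, key, p1)
    c2 = wep_encrypt(iv, key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def recover_frame(known_ciphertext, known_plaintext, target_ciphertext) -> bytes:
    """Known-plaintext recovery: if one frame under an IV is predictable,
    its keystream is known_plaintext XOR known_ciphertext, and that
    keystream decrypts every other frame sent under the same IV."""
    keystream = xor_bytes(known_plaintext, known_ciphertext)
    return xor_bytes(target_ciphertext, keystream)


def frame_time_seconds(frame_bytes: int, rate_bps: float) -> float:
    """Time to send one frame body at the given bit rate (no PHY overhead)."""
    return frame_bytes * 8 / rate_bps


def iv_exhaustion_seconds(frame_bytes: int, rate_bps: float) -> float:
    """Worst case: a sender that steps the 24-bit IV sequentially wraps
    after 2**24 frames."""
    return 2 ** 24 * frame_time_seconds(frame_bytes, rate_bps)


def iv_birthday_frames() -> float:
    """Frames after which a randomly chosen IV has a 50% chance of having
    repeated (birthday bound, sqrt(2 ln 2 * N) with N = 2**24)."""
    return math.sqrt(2 * math.log(2) * 2 ** 24)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit key
    iv = b"\x00\x00\x01"                   # constructed IV (sent in clear)
    p1 = b"ARP request (predictable)"      # constructed frames
    p2 = b"password=letmein1"
    c1 = wep_encrypt(iv, key, p1)
    c2 = wep_encrypt(iv, key, p2)
    print(ciphertext_xor_leaks_plaintext_xor(iv, key, p1, p2))
    print(recover_frame(c1, p1, c2))
    print(iv_exhaustion_seconds(1500, 11e6) / 3600, "hours to wrap the IV")
```

With 1500-byte frames at 11 Mbps a sequential IV wraps in about five hours, a randomly chosen IV has a 50% chance of a repeat after roughly 4,800 frames, and the key length (40 or 104 bits) changes neither figure. The published key-recovery attacks (FMS and PTW, as implemented in aircrack-ng) go further and recover the key itself from captured IVs, which is why WEP should be treated as providing no confidentiality.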

Most wireless networks use a shared radio environment, where the devices can transmit and receive over distances of up to about 450 metres in an open environment. The wireless network implements most of the data link and physical layer functions, and its main functions are to:
1. Provide a path for data to flow.
2. Allow the sharing of the common medium.
3. Provide synchronisation and error control to minimise errors in data transmission.
4. Allow routing mechanisms to efficiently determine the best route for the data.
5. Provide an interface to network-based application software.
The applications of wireless technology are likely to increase over the coming years, especially with the increasing processing power of mobile devices, but typical applications include:

- Environments which change frequently, such as a retail environment, or workplaces which are continually rearranged.
- High security networks. Ethernet carries frames in the clear and has suffered from security problems, so a wireless network with strong link-layer encryption can offer protection that a plain wired LAN does not.
- Providing remote access to a corporate network.
- Providing temporary LANs which could be used for special projects.
- Remote access to databases in mobile applications, such as for medical practitioners or office staff.
- Supporting networks in environments where cable runs are difficult, such as in old buildings, hazardous areas and open spaces.
- Support for SOHO (Small Office and Home Office) users, as it provides quick access to networks.
- Providing object identification and tracking using technologies such as RFID (Radio Frequency Identification).

1.2 Electromagnetic wave (EM) fundamentals

An electromagnetic wave travels as both an electric field (E) and an associated magnetic field (H), as illustrated in Figure 1.1. The E field is always at right angles to the H field, and the direction of propagation is at right angles to both. This conforms to the right-hand rule where E is the middle finger, H is the thumb, and the index finger defines the direction of propagation. The orientation of the E field is important, as it defines the polarisation of the wave and thus the type of antenna used and how it is aligned with the EM wave.
In free space an EM wave propagates at the speed of light, with a defined frequency and wavelength (Figure 1.2). These are related as:

$$c = f\lambda \qquad (1.1)$$

where $f$ is the frequency (Hz), $\lambda$ is the wavelength of the wave (m), and $c$ is the speed of light, approximately $3 \times 10^8$ m/s. For example, if the frequency of the wave is 2.4 GHz, then, in free space, its wavelength will be:

$$\lambda = \frac{c}{f} = \frac{3 \times 10^8}{2.4 \times 10^9} = 0.125\ \mathrm{m} = 12.5\ \mathrm{cm} \qquad (1.2)$$

which is a significant wavelength, as we will see later in the module, since it typically defines the size of the antenna used in IEEE 802.11b/g.

Figure 1.1: EM wave propagation (E field, H field and direction of propagation mutually at right angles)

Figure 1.2: Basic formula for EM waves ($c = f\lambda$, with $c = 3 \times 10^8$ m/s, $f$ in Hz and $\lambda$ in m)

1.3 EM Spectrum
The EM spectrum covers a number of wave classifications, and Figure 1.3 shows the general ones. The lowest-frequency EM waves are radio waves, which range up to about 1 GHz and include AM radio, FM radio, TV and cell phone technologies. This part of the spectrum is congested with applications, as it has been relatively simple to implement electronic devices which use these frequencies. The microwave spectrum sits above it, and has been used for applications such as RADAR and microwave ovens. Within it, small licence-exempt bands exist for ISM (Industrial, Scientific and Medical) use, and these have been allocated to the new wireless LAN standards. The characteristics of each type of wave differ: for example, radio waves propagate fairly well in free space and can travel long distances, whereas microwaves tend to be used in line-of-sight applications, as the wave cannot bend round large objects. Infra-red waves are generally associated with heat radiation and are also used for fibre optic communications; infra-red and ultra-violet can also be used for laser-type applications, such as line-of-sight optics, and, because of their inherently higher bandwidth-carrying capability, can transmit high data rates over relatively short distances.

Figure 1.3: EM spectrum (wavelength in m against frequency in Hz). From low to high frequency: radio waves (AM radio 535 kHz to 1.7 MHz, FM radio 88 to 108 MHz, TV 174 to 220 MHz, cell phone 800/900 MHz), microwaves (GPS 1.2 to 1.5 GHz, wireless comms at 2.4 and 5 GHz), infra-red, ultra-violet light, X-rays and gamma rays.

Generally, the higher the frequency of the wave, the higher the available bandwidth capacity there is to transmit data. A rough estimate of the available bandwidth, as used in this module, is:

$$B_{av} = \frac{f}{10}\ \text{bps} \qquad (1.3)$$

Thus, for example, the available bandwidths for a few radio waves are:
Radio Wave (AM): f = 1.7 MHz, B_av = 170 kbps.
Radio Wave (TV): f = 200 MHz, B_av = 20 Mbps.
Radio Wave (Mobile phone): f = 900 MHz, B_av = 90 Mbps.
Microwave (IEEE 802.11b): f = 2.4 GHz, B_av = 240 Mbps.
Infra-red: f = 10^13 Hz, B_av = 1 Tbps.

This available bandwidth, though, is often split between different channels; in IEEE 802.11b there are around 14 channels, so the available bandwidth per channel is at most about 17 Mbps. Unfortunately the actual bandwidth depends on other factors, especially noise and multipath, as the signal level must be well above the noise for the communications to be received reliably. Normally, the larger the transmitted power, the further the signal can travel before it is swamped by noise. Figure 1.4 shows some of the EM waves against a typical noise floor. New communication techniques, such as UWB (Ultra-wideband), spread their signal across a very wide band of frequencies, so UWB does not affect other communications: its power in any one band is generally below the noise floor.
Figure 1.4: Power levels against frequency (10^6 to 10^10 Hz). AM radio (535 kHz to 1.7 MHz), FM radio (88 to 108 MHz), TV (174 to 220 MHz), cell phone (800/900 MHz), GPS (1.2 to 1.5 GHz) and wireless comms (2.4 and 5 GHz) sit above the noise floor, while a UWB pulse is spread across the frequency spectrum below it.

1.4 Radio wave problems

Radio waves suffer from many propagation problems, along with their inherent lack of security. Figure 1.5 illustrates three of them. The first major one is fading, where the wave loses its strength as it propagates. This could be due to the wave spreading out, or to it being absorbed, such as by moisture in the air. Radio waves also suffer from reflections from metal objects, which cause multipath problems. In Figure 1.6 it can be seen that there can be many paths by which a wave can propagate to a given destination. If copies of the wave arrive with different phases, the multipath waves can combine and distort the result. Luckily this type of problem can often be overcome by moving the antenna a small amount, and this property is used in the diversity aerials found in several types of wireless access point. In fact, IEEE 802.11n thrives on multipath, and uses it (through MIMO) to carry different data streams, thus increasing the overall throughput.

1.5 Radio wave identification

Devices in a wireless network typically tune into a given frequency band, which allows several frequency bands to coexist, and thus supports multiple simultaneous transmissions, each with its own carrier frequency. One method is to use a cellular technique, in which devices associate with the strongest transmitting device in an area and use its transmission frequency. This concept is illustrated in Figure 1.7, where only three frequencies need to be used so that adjacent cells do not overlap. These are identified as 1, 2 and 3. As a device roams it can be handed over from one cell to the next. This is the technique that mobile phones and wireless networks (IEEE 802.11) use to connect devices to a wireless infrastructure. Along with the different channels, it is also possible to add an identifier name (the SSID in IEEE 802.11), with which the clients associate.

Figure 1.5: Radio wave propagation problems: reflection from metal objects, absorption (due to density) by non-conductors, and fading.

Figure 1.6: Multipath problems (several propagation paths between Tx and Rx)

Figure 1.7: Cellular technique (cells using frequencies 1, 2 and 3, arranged so that no two adjacent cells share a frequency)

1.6 IEEE 802.11 radio specification

IEEE 802.11b uses a number of channels in the frequency range from about 2.4 GHz to 2.4835 GHz. At this frequency the radio wave propagates reasonably well in free space and through typical building materials, although it is attenuated far more by walls and obstacles than lower-frequency signals are. At 11 Mbps, the maximum range is around 140 metres, but this reduces when there are obstacles in the way. At 1 Mbps, the range increases to 400 metres. As previously defined, the band is split into a number of channels: in North America there are 11 channels, in Japan there are 14, and in Europe there are 13 (as shown in Figure 1.8).

Operating Channels: 11 for N. America, 14 Japan, 13 Europe (ETSI), 2 Spain, 4 France
Operating Frequency: 2.412-2.462 GHz (North America), 2.412-2.484 GHz (Japan), 2.412-2.472 GHz (Europe ETSI), 2.457-2.462 GHz (Spain), 2.457-2.472 GHz (France)
Data Rate: 1, 2, 5.5 or 11 Mbps
Media Access Protocol: CSMA/CA, 802.11 compliant
Range: 11 Mbps: 140 m (460 feet); 5.5 Mbps: 200 m (656 feet); 2 Mbps: 270 m (885 feet); 1 Mbps: 400 m (1311 feet)
RF Technology: Direct Sequence Spread Spectrum
Modulation: CCK (11 Mbps, 5.5 Mbps), DQPSK (2 Mbps), DBPSK (1 Mbps)
Output Power: 13 dBm
Sensitivity: 11 Mbps < -83 dBm; 5.5 Mbps < -86 dBm; 2 Mbps < -89 dBm; 1 Mbps < -91 dBm

The concept of dBm will be discussed in the Antenna chapter.

Figure 1.8: IEEE 802.11 channel settings for Europe (13 channels in 2.412-2.472 GHz)

1.7 Spread spectrum

To avoid interference in the band, radio LANs (RLANs) use either Frequency Hopping Spread Spectrum (FHSS) or Direct Sequence Spread Spectrum (DSSS). These two methods avoid, or lower, the potential for interference within the band. Spread spectrum technologies work by spreading the actual signal over a wider bandwidth for transmission. This provides resilience against narrowband interference and also reduces the interference caused to other users of the ISM band.
Military systems have used spread spectrum and frequency hopping for many years to:

- Avoid jamming on a certain channel.
- Avoid noise on a certain channel.
- Confuse the enemy, as the transmitting frequency moves in a way that only the sender and receiver know. Imagine having to move the dial of your radio receiver every minute to a certain frequency in a given sequence, such as Radio 1 being broadcast on 909 MHz from 12:00, then 915 MHz until 12:01, then 900 MHz until 12:02, and so on.

In wireless communications, the spread spectrum process spreads a signal's power over a wider band of frequencies, sacrificing bandwidth in order to gain resilience (the processing gain). This opposes the conservation of frequency bandwidth, but the spreading procedure makes the data signal much less vulnerable to electrical noise than conventional radio modulation methods.
FHSS works by splitting the ISM band into 79 channels of 1 MHz. Data is transmitted in sequence over the available channels, spreading the signal across the band according to a hopping pattern which has been agreed between the wireless devices. Each channel can only be occupied for a limited period of time before the system has to hop.
DSSS divides the ISM band into 13 overlapping channels of 22 MHz, three of which are non-overlapping (ch1, ch7 and ch13, as shown in Figure 1.9). Unlike the FHSS system, the channel has to be set prior to communications and is not altered. To spread the signal, each bit of the original signal is modulated by a chip code (a fast repetitive pattern; at 1 and 2 Mbps IEEE 802.11 uses the 11-chip Barker sequence). For example, a 1 Msymbol/s signalling rate (1 Mbps with DBPSK, 2 Mbps with DQPSK) multiplied by an 11-chip code gives a chip rate 11 times that of the data stream, 11 Mchip/s, which results in a signal spread over 22 MHz of bandwidth. At the receiver, the whole spread signal is correlated with the same chip code, recovering the original data. Current literature suggests that only three non-overlapping channels (1, 6 and 11) may be used for 5.5 or 11 Mbps DSSS operation in the North American 11-channel plan. This is again due to the bandwidth requirements of DSSS.
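As an added example (not from the course notes or any Cisco material), the following Python implements the DSSS chipping described above with the 11-chip Barker sequence that IEEE 802.11 uses at 1 and 2 Mbps, and compares a narrowband link and a spread link under the same single-tone interferer. The payload, the interferer amplitude and its frequency are constructed for the demonstration, and the channel model is deliberately simple (no noise, no filtering, perfect chip timing); the narrowband link is modelled at one sample per bit so that the comparison isolates the correlation gain of the 11-chip spreading.

```python
"""DSSS spreading and despreading with the 11-chip Barker code.

Added example, not from the course notes. Pure Python: data bits become
+1/-1 chips, a narrowband interferer is modelled as a cosine sampled at
the chip rate, and the receiver correlates each 11-chip window against
the code.
"""
import math

# The Barker-11 sequence IEEE 802.11 uses for its 1 and 2 Mbps DSSS rates.
BARKER_11 = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]


def bits_from_bytes(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bytes_from_bits(bits: list) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def spread(bits: list, code: list = BARKER_11) -> list:
    """Each data bit (0 -> -1, 1 -> +1) multiplies the whole chip sequence,
    so the sample rate is len(code) times the bit rate (11 Mchip/s for
    1 Msym/s)."""
    return [(1 if b else -1) * c for b in bits for c in code]


def despread(samples: list, code: list = BARKER_11) -> list:
    """Correlate each len(code)-sample window with the code. A clean bit
    gives +/-11; interference that is not code-shaped mostly cancels."""
    n = len(code)
    bits = []
    for start in range(0, len(samples) - n + 1, n):
        corr = sum(s * c for s, c in zip(samples[start:start + n], code))
        bits.append(1 if corr >= 0 else 0)
    return bits


def add_interferer(samples: list, amplitude: float, cycles_per_sample: float) -> list:
    """Add a narrowband (single-tone) interferer to every sample."""
    return [s + amplitude * math.cos(2 * math.pi * cycles_per_sample * n)
            for n, s in enumerate(samples)]


def bit_errors(sent: list, received: list) -> int:
    return sum(a != b for a, b in zip(sent, received))


def compare_links(data: bytes, amplitude: float = 1.5,
                  cycles_per_sample: float = 0.25) -> tuple:
    """Return (narrowband_errors, dsss_errors) for the same data and the
    same interferer. With amplitude 1.5 the tone can flip a single +/-1
    sample; at 0.25 cycles per sample it is zero on every other sample,
    so its correlation with an 11-chip window is at most 6 * 1.5 = 9 < 11
    and every DSSS bit still decodes correctly."""
    bits = bits_from_bytes(data)
    narrow_tx = [1 if b else -1 for b in bits]            # one sample per bit
    narrow_rx = [1 if s >= 0 else 0
                 for s in add_interferer(narrow_tx, amplitude, cycles_per_sample)]
    dsss_rx = despread(add_interferer(spread(bits), amplitude, cycles_per_sample))
    return bit_errors(bits, narrow_rx), bit_errors(bits, dsss_rx)


def barker_autocorrelation(code: list = BARKER_11) -> list:
    """Aperiodic autocorrelation at lags 0..len-1: the peak is len(code)
    and every sidelobe has magnitude <= 1, which is why the receiver can
    lock onto chip timing and why the despread peak stands out."""
    n = len(code)
    return [sum(code[i] * code[i + k] for i in range(n - k)) for k in range(n)]


if __name__ == "__main__":
    message = b"ISM"                                     # constructed payload
    print(bytes_from_bits(despread(spread(bits_from_bytes(message)))))
    print(compare_links(message))
    print(barker_autocorrelation())
```

The interferer flips five of the 24 narrowband bits but none of the spread ones; raising the amplitude past about 11/6 (where the tone can outweigh the 11-chip correlation peak) is what it takes to start corrupting the DSSS link, which is the processing gain the text refers to.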


Figure 1.9: IEEE 802.11 frequency spectrum, 2400 MHz to 2483.5 MHz. FHSS: 1 MHz channels (Ch01, Ch02, Ch03, ... up to 79). DSSS: 22 MHz channels CH1 to CH13, with CH1, CH7 and CH13 non-overlapping.

Copyright statement
This unit has been designed as an integrated unit, and should not
be modified without the authors consent.
Prof Bill Buchanan, Sept 2008


Wireless Networks

2.1 Introduction
This unit outlines some of the issues involved in wireless networks which must be considered in their design and deployment. As the world moves, slowly, towards a massive wireless network, it is important that many of the limiting factors are thought about at this stage, as they may limit its eventual development. Overall there are many problems, but data security and authentication are two of the major ones, especially from a corporate point of view. These areas will be looked at in Unit 4 and Unit 5.
A key factor in the adoption of wireless networks is their standardisation by international standards bodies, as this allows consumers to purchase equipment from different manufacturers without having to worry that it will not interconnect, or will be incompatible in some way. The leading standards organisation for Layer 1 and Layer 2 communications is the IEEE, who developed the famous IEEE 802 series of standards, of which IEEE 802.3 defines Ethernet. It is the 802 standard that has provided the foundation for networking, and without it the Internet could not have developed so quickly. For wireless networks the IEEE has defined a number of standards, such as:

- IEEE 802.11a. 802.11a deals with communications in the 5 GHz band, and has a maximum data rate of 54 Mbps.
- IEEE 802.11b. 802.11b, or Wi-Fi, is the standard that is most commonly used in wireless LAN communications. It has a maximum data rate of 11 Mbps, at a frequency of 2.4 GHz.
- IEEE 802.11g. 802.11g is the standard for a 54 Mbps maximum data rate over a 2.4 GHz connection, which is the same frequency as the popular 802.11b standard, and it is backward compatible with it.
- IEEE 802.11c. 802.11c is a group set up to deal with bridging operations when developing access points.
- IEEE 802.11f. 802.11f is concerned with standardising access point roaming, which involves making sure that interoperability between access points is guaranteed.

2.2 IEEE 802.11b

The IEEE 802.11b standard is seen as the benchmark for most wireless networks, and typically defines the lowest common standard for all wireless nodes. Unfortunately its operation differs around the world, as radio spectrum usage varies between countries. In the USA, for example, there are 11 available radio channels, 14 in Japan, 13 in Europe (ETSI), 2 in Spain and 4 in France. The frequency range also varies, such as between 2.412 GHz and 2.472 GHz for Europe.
IEEE 802.11b provides good connectivity and reliability for most communications, and uses different modulation techniques for improved connectivity, selecting the best modulation technique for the communication path. At 11 Mbps, its maximum rate, it uses CCK (Complementary Code Keying) modulation, which changes to DQPSK (Differential Quadrature Phase Shift Keying) at 2 Mbps, and DBPSK (Differential Binary Phase Shift Keying) at 1 Mbps. These techniques change automatically as the signal strength reduces, which is typically related to the distance between the nodes and/or the characteristics of the communications channel. Typically 11 Mbps can be used up to 140 m (in a clear area with no obstacles), 5.5 Mbps up to 200 m, and 1 Mbps up to 400 m (Figure 2.1). Thus, although the specification defines that it can reach up to 400 m, it is unlikely ever to reach this, as there are likely to be obstacles in the path which create multipath problems and attenuation. Also, unfortunately, the quoted bandwidth is the maximum that is possible; in most cases the actual throughput will be much less than this. Many researchers have found that only up to about 50% of the maximum available bandwidth can be obtained as actual throughput. It should also be remembered that the bandwidth is shared between all the users of a given channel. So, in some cases, this can be a fairly chaotic environment, especially when the data traffic approaches the limit of the bandwidth.
The major problem relates to the design of TCP, on which most communications are based, as it treats lost segments as a sign of congestion and shrinks its congestion window as the number of transmission errors increases. This can produce the sort of characteristic shown in Figure 2.2, where the actual throughput rises fairly linearly while the required throughput is much less than the bandwidth. When the required throughput nears the actual maximum, there is more contention for the channel, and thus more errors and radio collisions. When it reaches the actual maximum, the network is at saturation: the nodes see too many retransmissions and close their TCP windows, and will then wait for acknowledgements to be returned before they transmit new data.

[Figure 2.1 Variation of bandwidth over distance: available bandwidth against distance (100m to 400m), with the maximum bandwidth of 11Mbps (CCK) falling to 5.5Mbps, 2Mbps (DQPSK) and 1Mbps (DBPSK) as the distance increases]

[Figure 2.2 Possible variation of available and actual throughput: actual throughput (2 to 8Mbps) against required data throughput (2 to 10Mbps); at first a linear increase in actual throughput against required throughput, then more collisions and errors occur, so data frames are deleted and bandwidth is wasted, and finally too many errors cause the TCP window to close and reduce throughput]

2.3 Multiple media access


Networking has grown up through nodes contending for network bandwidth. For example, the original version of Ethernet uses a contention algorithm where nodes compete to gain access to the network, and, if two nodes try to gain access to the network at the same time, they back off for a random period, and one of the nodes thus gains access ahead of the other. This type of contention is inefficient in its usage of the bandwidth, especially when traffic rates are high and approaching the capacity of the bandwidth. Luckily network switching has been developed, which overcomes this problem: nodes can transmit at any given time, and do not have to contend for network access. It is thus up to the switch to either send the data at the time that the data is being transmitted, or to buffer it for a future transmission, such as when there is a gap in communications. Unfortunately, with wireless communications, we are almost back in the old days, where nodes again are contending for network access. A network switch, this time, cannot save us, as it would be almost impossible to segment free space up into time slots, and provide buffers which existed in free space (although the GSM/3G network uses a related technique, and is based on the switching of packets in time). Thus the major problem is how to allow nodes to gain access to the available media (free space) in a fair and even way. IEEE 802.11 can use two mechanisms for shared access:

CSMA/CA. CSMA/CA is, like standard Ethernet (IEEE 802.3), a contention-based protocol, but uses collision avoidance rather than collision detection. It would be impossible to use collision detection, as a radio is always either transmitting or receiving and can never do both at the same time. The nodes will thus not be able to listen on the channel while they are transmitting, as illustrated in Figure 2.3.
Point Coordination Function (PCF). This is an optional priority-based protocol, which provides contention-free frame transfer for the transmission of time-critical data, such as real-time video or audio. With this, the point coordinator (PC) operates in the wireless access point and identifies the devices which are allowed to transmit at any given time. During the contention-free (CF) period, the point coordinator polls each of the PCF-enabled nodes to determine whether they wish to transmit data frames. No other device is allowed to transmit while another node is being polled. Thus PCF is contention-free and enables devices to transmit data frames synchronously, with defined time delays between data frame transmissions.
[Figure 2.3 CSMA/CA: a node listens for no activity before sending, then waits for an ACK; an ACK time-out can mean that the other node has gone, that the data frame has collided with another, or that the data frame was corrupted by noise]
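The contention behaviour described above, as an added example that is not part of the course notes: a small slotted simulation of CSMA/CA with ACK feedback, written in Python. It assumes the standard DCF binary exponential backoff (the contention window doubles from 31 up to 1023 slots on every missed ACK) and a constructed retry limit of seven; the slot model ignores frame length, so it counts collisions and wasted slots rather than real air time.

```python
import random

CW_MIN, CW_MAX = 31, 1023   # 802.11 DCF contention-window bounds, in slots
MAX_RETRIES = 7             # constructed limit: give up on a frame after this many missed ACKs


def simulate_csma_ca(n_stations, frames_per_station, seed=1):
    """Slotted model of CSMA/CA under saturation (every station always has data).

    Each station listens; when it has counted its random backoff down to zero on an
    idle slot it transmits. A lone transmitter gets an ACK and resets its window to
    CW_MIN. Two or more transmitters in the same slot collide: no ACK arrives, each of
    them treats the time-out as a collision, doubles its window (up to CW_MAX) and
    retries, dropping the frame after MAX_RETRIES. Other stations freeze their counters
    while the medium is busy. Returns the counters for the whole run.
    """
    rng = random.Random(seed)
    left = [frames_per_station] * n_stations        # frames still to deliver per station
    cw = [CW_MIN] * n_stations                      # current contention window per station
    tries = [0] * n_stations                        # unacknowledged attempts on the current frame
    backoff = [rng.randint(0, CW_MIN) for _ in range(n_stations)]
    stats = {"delivered": 0, "collisions": 0, "dropped": 0, "slots": 0}

    while any(left):
        stats["slots"] += 1
        ready = [i for i in range(n_stations) if left[i] and backoff[i] == 0]
        if not ready:                               # idle slot: every waiting station counts down
            for i in range(n_stations):
                if left[i]:
                    backoff[i] -= 1
            continue
        if len(ready) == 1:                         # exactly one sender: frame succeeds, ACK returns
            i = ready[0]
            stats["delivered"] += 1
            left[i] -= 1
            cw[i], tries[i] = CW_MIN, 0
            backoff[i] = rng.randint(0, cw[i])
            continue
        stats["collisions"] += 1                    # two or more senders: ACK time-out for all of them
        for i in ready:
            tries[i] += 1
            if tries[i] > MAX_RETRIES:
                stats["dropped"] += 1
                left[i] -= 1
                cw[i], tries[i] = CW_MIN, 0
            else:
                cw[i] = min(2 * cw[i] + 1, CW_MAX)  # binary exponential backoff
            backoff[i] = rng.randint(0, cw[i])
    return stats


def utilisation(stats):
    """Fraction of slots that carried a successfully delivered frame."""
    return stats["delivered"] / stats["slots"]


if __name__ == "__main__":
    for n in (1, 2, 8, 32):
        s = simulate_csma_ca(n, 50)
        print(n, "stations:", s, "utilisation %.3f" % utilisation(s))
```

A single station never collides, so every frame is delivered at the first attempt; as more stations share the channel the collision count rises, and each collision costs the slot plus a longer backoff for everyone involved, which is the wasted bandwidth that Figure 2.2 attributes to errors and retransmissions.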

2.4 Wireless network connections


Wireless networks were originally developed for military operations, where it is important to create networks without any infrastructure; thus the first type of network to be created was an ad-hoc one, where nodes connect to each other and create a network which has no basic infrastructure. This is known as an ad-hoc network, where nodes can add and delete themselves from the network as they like. Normally, to allow many ad-hoc networks to exist at the same time in the same physical location, different frequency channels are used for each ad-hoc network (Figure 2.4). The radio SSID (Service Set ID) then defines the unique identifier within the local area (Figure 2.5). In Europe, for example, it would be possible to create up to 14 different ad-hoc channels, within a certain range (between 100 and 400 meters, depending on the environment and the bit rate), each of which could have its own SSID.
An infrastructure network uses a central point which is used as a central communication point for all the radio nodes. Each access point transmits on a single transmission frequency for each transmitting antenna, each of which can have multiple SSIDs to connect to. For range, if an ad-hoc network has a range of L meters, then an infrastructure network will have a diameter range of 2L, as illustrated in Figure 2.6. Ad-hoc networks thus have a limited range, but with the aid of ad-hoc routing protocols, which will be covered in a later unit, it is possible to span large physical areas, where nodes pass data from one to the next. The major problem is that the routing becomes extremely complex as the network span increases. There are also security issues with ad-hoc routing in ad-hoc networks.
In both ad-hoc and infrastructure networks, clients can be set up to connect only to one type or the other, or to either of them (although this is not recommended for security). Ad-hoc networks have advantages in situations where no network infrastructure currently exists, or is possible. Examples of this include emergency situations, such as where the network infrastructure has been destroyed, or mobile situations, where nodes are moving. Unfortunately, there are many issues in ad-hoc networks which make them difficult to control, especially from a security and authentication point of view. Thus infrastructure networks have become the most common type, as it is easier to control the access of nodes to the network, and to filter their traffic. Ad-hoc networks, though, should not be dismissed: they have their applications, and may also provide a model of the Internet of the future, and, while both modes are supported by wireless clients, they give an alternative design method.

[Figure 2.4 Infrastructure network: an ad-hoc network shown beside an infrastructure network]

[Figure 2.5 SSID for a wireless network: in both the ad-hoc and the infrastructure case the SSID defines the connected nodes]

[Figure 2.6 Span of networks: range L for an ad-hoc network against a diameter of 2L for an infrastructure network]

2.5 Wireless Configuration


This section outlines some of the main properties which must be configured on an infrastructure network. One of the most popular access points for creating infrastructure networks is the Cisco Aironet 1200 device, which is an industry-standard wireless access point. It has two main networking ports: a radio port named Dot11radio0 (D0) and an Ethernet one (E0 or FA0). Each of these ports can be configured with an IP address, but a special port named BVI1 is normally used to define the IP address for both ports. It is this IP address that is used to provide remote access to the device. Mostly, though, the device operates at Layers 1 and 2, but filtering can be achieved at Layer 3 and above. Figure 2.7 outlines this, and how the port is programmed.

[Figure 2.7 Setting the IP address of the wireless access point: the dot11radio0 (or d0) radio port with its antenna connector, the e0 (or fa0) Ethernet port and the console port; the bvi 1 port is used to configure both ports with the same address]

# config t
(config)# int bvi1
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# exit

2.5.1 Station-role

The wireless access point can either be a root device, which on one side connects to a fixed network, or a repeater device, which does not connect to the fixed network, as illustrated in Figure 2.8. These are defined from within the D0 port configuration. Another important configuration is the default gateway, which is used in order to redirect any data packets which are not destined for the local network. For this the wireless access point sends these data packets, which have an unknown destination, to the default gateway, which will, hopefully, find a destination for them, or at least know of another router which might be able to help in routing the packets. In most cases the default gateway is defined as the IP address of the router port which connects to the Ethernet connection of the wireless access point. An example configuration is:
# config t
(config)# ip default-gateway 192.168.1.254

[Figure 2.8 Defining the role of the wireless access point: a root access point connected to the fixed network, and a repeater access point which is not]

# config t
(config)# int dot11radio0
(config-if)# station role root
(config-if)# end

# config t
(config)# int dot11radio0
(config-if)# station role repeater
(config-if)# end

2.5.2 Channel setup

The channel setting is an important one, as it defines the basic identification of the
communications channel. In Europe there are 14 channels available which limits the
number of simultaneous connections, where each channel is numbered from 1 to 14,
each of which has their own transmission/reception frequency, as illustrated in
Figure 2.9. Careful planning of these channels is important, especially in creating
wireless domains which are overlapping as this allows users to roam around the
physical space. The example in Figure 2.9 shows that it is possible to achieve good
coverage, without overlapping domains with the same frequency, with just three
channels.

[Figure 2.9 Channels in an area: overlapping coverage cells, each labelled with its channel number (such as 13), showing how an area can be covered with three channels; the channel centre frequencies are:]

Channel 1   2412 MHz
Channel 2   2417 MHz
Channel 3   2422 MHz
Channel 4   2427 MHz
Channel 5   2432 MHz
Channel 6   2437 MHz
Channel 7   2442 MHz
Channel 8   2447 MHz
Channel 9   2452 MHz
Channel 10  2457 MHz
Channel 11  2462 MHz
Channel 12  2467 MHz
Channel 13  2472 MHz
Channel 14  2484 MHz

The definition of the channel is defined within the D0 interface:

(config)# int dot11radio0
(config-if)# channel ?
  <1-2472>         One of: 1 2 3 4 5 6 7 8 9 10 11 12 13 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 2467 2472
  least-congested  Scan for best frequency
(config-if)# channel 7
(config-if)# no shutdown
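A worked check of the channel arithmetic behind Figure 2.9, added here as an example and not part of the course notes. It assumes the 5 MHz channel spacing listed in the figure (2412 MHz for channel 1 up to 2472 MHz for channel 13, with channel 14 at 2484 MHz), a 22 MHz DSSS channel width for the overlap test, and the channel counts per region stated earlier in this unit (11 in the USA, 13 in Europe, 14 in Japan). The seven-cell layout and the greedy assignment are constructed for illustration, and the assignment goes beyond the figure in that it works for any cell adjacency you give it.

```python
# Added example (not from the course notes): 2.4 GHz channel arithmetic and a
# non-overlap check for the channel plan described in Section 2.5.2.

CHANNEL_WIDTH_MHZ = 22  # width of an 802.11b DSSS channel (assumption used for the overlap test)

# Channel counts per regulatory domain as stated in the notes (USA 11, Europe/ETSI 13, Japan 14).
REGULATORY_CHANNELS = {
    "USA": list(range(1, 12)),
    "ETSI": list(range(1, 14)),
    "Japan": list(range(1, 15)),
}


def channel_frequency(channel):
    """Centre frequency (MHz) of a 2.4 GHz channel: 2412 plus 5 MHz steps; channel 14 sits at 2484."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError("channel must be in 1..14")


def channels_overlap(a, b, width=CHANNEL_WIDTH_MHZ):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(channel_frequency(a) - channel_frequency(b)) < width


def non_overlapping_channels(allowed, width=CHANNEL_WIDTH_MHZ):
    """Greedy lowest-first choice of mutually non-overlapping channels from 'allowed'."""
    chosen = []
    for ch in sorted(allowed):
        if all(not channels_overlap(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen


def assign_channels(neighbours, allowed):
    """Greedy cell colouring: give every access point a non-overlapping channel that
    differs from every already-assigned neighbouring cell.

    neighbours: dict cell -> list of adjacent cells (cells whose coverage areas touch).
    Returns dict cell -> channel, or raises ValueError if the palette runs out.
    """
    palette = non_overlapping_channels(allowed)
    plan = {}
    for cell in neighbours:
        used = {plan[n] for n in neighbours[cell] if n in plan}
        free = [ch for ch in palette if ch not in used]
        if not free:
            raise ValueError(f"no non-overlapping channel left for cell {cell!r}")
        plan[cell] = free[0]
    return plan


def plan_is_valid(plan, neighbours):
    """True when no two adjacent cells are on overlapping channels."""
    return all(not channels_overlap(plan[c], plan[n])
               for c in neighbours for n in neighbours[c])


# Constructed seven-cell layout in the spirit of Figure 2.9: a centre cell and a ring of six.
SEVEN_CELLS = {
    "centre": ["r0", "r1", "r2", "r3", "r4", "r5"],
    "r0": ["centre", "r1", "r5"],
    "r1": ["centre", "r0", "r2"],
    "r2": ["centre", "r1", "r3"],
    "r3": ["centre", "r2", "r4"],
    "r4": ["centre", "r3", "r5"],
    "r5": ["centre", "r4", "r0"],
}

if __name__ == "__main__":
    plan = assign_channels(SEVEN_CELLS, REGULATORY_CHANNELS["ETSI"])
    print(plan, "valid:", plan_is_valid(plan, SEVEN_CELLS))
```

With the 22 MHz width, channels 1, 6 and 11 are the only mutually non-overlapping set available in the USA and Europe (Japan's channel 14 adds a fourth), and those three are enough to colour the seven-cell layout with no two touching cells on the same frequency, which is the result Figure 2.9 illustrates.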

2.5.3 SSID

The radio SSID (Service Set ID) uniquely identifies a wireless network within a limited physical domain. It is set up within the access point with:
# config t
(config)# dot11 ssid fred
(config-ssid)# guest-mode
(config-ssid)# exit
(config)# int d0
(config-if)# ssid fred
(config-if-ssid)# guest-mode

which sets up an SSID of fred, and allows guest-mode. Along with the SSID it is also
possible to define a beacon time where a beacon signal is sent out at a given time
interval, such as:
# config t
(config)# int d0
(config-if)# beacon ?
  dtim-period  dtim period
  period       beacon period
(config-if)# beacon period ?
  <20-4000>  Kusec (or msec)
(config-if)# beacon period 1000

which defines a beacon period of 1000 ms (1 second). The beacon allows the access point to send out details such as:

Beacon interval. This defines the time between the beacon transmissions.
Capability Information. This defines the capabilities that are supported, such as whether WEP or TKIP must be used.
Parameter Sets. This defines signalling information, such as for FHSS and DSSS, and radio channel information. A beacon from a frequency-hopping network indicates the hopping pattern and dwell time.
SSID. This defines the SSID of the connection, so that the client can detect the range of SSIDs to connect to. For security, some SSIDs are not sent in the beacon.
Supported rates. This defines the rates that are supported, such as 1, 2, 5.5, 11 and 52 Mbps data rates.
Timestamp. This allows for time synchronisation between the access point and the client.
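A parser for the beacon fields listed above, added as an example (it is not code from the course notes or from Cisco). It assumes the standard 802.11 beacon frame body layout: an 8-byte timestamp, a 2-byte beacon interval in time units of 1024 microseconds (the Kusec of the beacon period command), a 2-byte capability field, then information elements for the SSID, the supported rates and the DS parameter set (the channel). The sample beacon bodies are constructed, and the checks in audit_beacon are the ones a site survey would want: no privacy bit (nothing encrypted), a suppressed SSID, or an ad-hoc network.

```python
import struct

# Information element identifiers and capability bits from the 802.11 beacon format.
IE_SSID, IE_SUPPORTED_RATES, IE_DS_PARAMS = 0, 1, 3
CAP_ESS, CAP_IBSS, CAP_PRIVACY, CAP_SHORT_PREAMBLE = 0x0001, 0x0002, 0x0010, 0x0020
TU_MICROSECONDS = 1024   # one 802.11 time unit


def parse_beacon_body(body):
    """Parse the frame body of an 802.11 beacon (the part after the MAC header).

    Fixed fields: 8-byte timestamp, 2-byte beacon interval (in TUs), 2-byte capability
    info, all little-endian; then a sequence of (id, length, value) information elements.
    """
    timestamp, interval_tu, cap = struct.unpack_from("<QHH", body, 0)
    info = {
        "timestamp": timestamp,
        "beacon_interval_tu": interval_tu,
        "beacon_interval_ms": interval_tu * TU_MICROSECONDS / 1000,
        "ess": bool(cap & CAP_ESS),
        "ibss": bool(cap & CAP_IBSS),
        "privacy": bool(cap & CAP_PRIVACY),
        "short_preamble": bool(cap & CAP_SHORT_PREAMBLE),
        "ssid": None, "hidden_ssid": False, "rates": [], "channel": None,
    }
    pos = 12
    while pos + 2 <= len(body):
        ie_id, ie_len = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + ie_len]
        if len(value) != ie_len:
            raise ValueError("truncated information element")
        if ie_id == IE_SSID:
            info["ssid"] = value.decode("utf-8", "replace")
            # A hidden SSID is beaconed as a zero-length (or all-zero) SSID element.
            info["hidden_ssid"] = ie_len == 0 or value == b"\x00" * ie_len
        elif ie_id == IE_SUPPORTED_RATES:
            # Each byte is a rate in 500 kbps units; the top bit marks a basic (required) rate.
            info["rates"] = [((b & 0x7F) / 2, bool(b & 0x80)) for b in value]
        elif ie_id == IE_DS_PARAMS:
            info["channel"] = value[0]
        pos += 2 + ie_len
    return info


def audit_beacon(info):
    """Defender-side checks on what a beacon advertises. Returns a set of finding codes."""
    findings = set()
    if not info["privacy"]:
        findings.add("OPEN_NETWORK")   # no WEP/TKIP at all: traffic goes over the air in clear
    if info["hidden_ssid"]:
        findings.add("HIDDEN_SSID")    # SSID suppressed; clients will probe for it instead
    if info["ibss"]:
        findings.add("AD_HOC")         # independent BSS rather than an infrastructure access point
    return findings


def build_beacon_body(ssid, channel, interval_tu=100, privacy=True,
                      rates=(0x82, 0x84, 0x0B, 0x16)):
    """Construct a beacon body for testing (constructed sample data, not a capture).
    The default rates are 1 and 2 Mbps as basic rates, 5.5 and 11 Mbps as optional."""
    cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
    body = struct.pack("<QHH", 100000, interval_tu, cap)
    body += bytes([IE_SSID, len(ssid)]) + ssid
    body += bytes([IE_SUPPORTED_RATES, len(rates)]) + bytes(rates)
    body += bytes([IE_DS_PARAMS, 1, channel])
    return body


if __name__ == "__main__":
    for sample in (build_beacon_body(b"fred", 7), build_beacon_body(b"", 1, privacy=False)):
        parsed = parse_beacon_body(sample)
        print(parsed["ssid"], parsed["channel"], parsed["rates"], audit_beacon(parsed))
```

Note that the beacon interval is carried in time units of 1024 microseconds, so the interval of 100 in the constructed sample is 102.4 ms, and the 1000 set with beacon period above is 1024 ms on the air.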

2.5.4 Fragment threshold

A wireless data frame can have up to 2312 data bytes in the data payload. This large amount could hog the bandwidth, and not give an even share to all the nodes on the network, as illustrated in Figure 2.10. Researchers have argued that creating smaller data frames, often known as cells, is more efficient in using the available bandwidth, and also for switching data frames. Thus wireless systems provide a fragment threshold, above which the larger data frames are split into smaller parts, as illustrated in Figure 2.11. An example of the configuration is:
# config t
(config)# int dot11radio0
(config-if)# fragment-threshold ?
<256-2346>
(config-if)# fragment-threshold 700

[Figure 2.10 Transmission of large data frames: data packets are split into 1500 byte data frames (MTU); the large data frames may allow nodes to hog the airwaves]

[Figure 2.11 Fragmentation of data frames: data frames are fragmented into smaller frames, which possibly allows for a smoother and fairer transmission]

2.5.5 RTS/CTS threshold

The RTS threshold prevents the hidden node problem, where two wireless nodes are within range of the same access point, but are not within range of each other, as illustrated in Figure 2.12. As they do not know that they both exist on the network, they may try to communicate with the access point at the same time. When they do, their data frames may collide when arriving simultaneously at the access point, which causes a loss of data frames from the nodes. The RTS threshold tries to overcome this by enabling the handshaking signals of Ready To Send (RTS) and Clear To Send (CTS). When a node wishes to communicate with the access point it sends an RTS signal to the access point. Once the access point determines that the node can communicate, it sends a CTS signal. The node can then send its data, as illustrated in Figure 2.13. The RTS threshold determines the data frame size above which a node must send an RTS to the access point. The default value is 4000.
# config t
(config)# int dot11radio0
(config-if)# rts ?
  retries    RTS max retries
  threshold  RTS threshold
(config-if)# rts threshold ?
<0-2347> threshold in bytes
(config-if)# rts threshold 2000

[Figure 2.12 Hidden node problem: two nodes which cannot hear each other both transmit to an access point; as they are not in communication range of each other, their signals can collide and cause errors]

[Figure 2.13 RTS/CTS operation: the node sends RTS (Ready To Send), the access point replies with CTS (Clear To Send), and the data is then transmitted]

RTS retries defines the number of times that a node can transmit an RTS signal before it stops sending the data frame. Values range from 1 to 128. For example:

# config t
(config)# int dot11radio0
(config-if)# rts retries ?
  <1-128>  max retries
(config-if)# rts retries 10
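The fragment threshold of Section 2.5.4 and the RTS threshold above, worked through together in one added Python example (not from the course notes). It assumes a 24-byte MAC header and a 4-byte FCS around every fragment, the command ranges shown in the CLI output (fragment-threshold 256 to 2346 and rts threshold 0 to 2347), and the 2312-byte frame body limit quoted in Section 2.5.4; the 1500-byte payload is constructed from the MTU shown in Figure 2.10.

```python
MAC_HEADER_LEN = 24    # bytes of 802.11 data-frame MAC header (three-address form); assumption
FCS_LEN = 4            # frame check sequence appended to every transmitted frame
MAX_FRAME_BODY = 2312  # maximum data bytes in a frame body, as stated in the notes


def fragment_payload(payload, fragment_threshold):
    """Split one payload so that every transmitted frame (header + fragment + FCS)
    is no longer than fragment_threshold bytes; all fragments but the last are full.
    The accepted range follows the command: fragment-threshold <256-2346>."""
    if not 256 <= fragment_threshold <= 2346:
        raise ValueError("fragment-threshold must be 256..2346")
    if len(payload) > MAX_FRAME_BODY:
        raise ValueError("payload exceeds the 802.11 frame body limit")
    chunk = fragment_threshold - MAC_HEADER_LEN - FCS_LEN
    return [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]


def needs_rts(frame_len, rts_threshold):
    """RTS/CTS is used for any frame longer than the threshold (rts threshold <0-2347>):
    0 protects every frame, while 2347 exceeds any legal frame and so disables the handshake."""
    if not 0 <= rts_threshold <= 2347:
        raise ValueError("rts threshold must be 0..2347")
    return frame_len > rts_threshold


def plan_transmission(payload, fragment_threshold, rts_threshold):
    """Decide, as a sender would, how a payload goes on the air.
    Returns one (frame_len, uses_rts) pair per fragment."""
    plan = []
    for fragment in fragment_payload(payload, fragment_threshold):
        frame_len = MAC_HEADER_LEN + len(fragment) + FCS_LEN
        plan.append((frame_len, needs_rts(frame_len, rts_threshold)))
    return plan


if __name__ == "__main__":
    mtu_packet = bytes(1500)  # constructed: one Ethernet-sized packet of zero bytes
    # Settings from the notes: fragment-threshold 700 and rts threshold 2000.
    print(plan_transmission(mtu_packet, 700, 2000))
    # Lower the RTS threshold and the two full fragments now need the RTS/CTS handshake.
    print(plan_transmission(mtu_packet, 700, 500))
```

With fragment-threshold 700 a 1500-byte packet becomes three frames of 700, 700 and 184 bytes, none of which reaches the 2000-byte RTS threshold from the notes, so no RTS/CTS exchange happens at all; the handshake only engages once the RTS threshold drops below the fragment size, which is why the two thresholds have to be chosen together.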

2.5.6 Power settings

The power of the access point, and also of the clients, is important as it will define the coverage of the signal, and must also be within the required health and safety limits. Thus, the more radio power that is used to transmit the signal, the wider the scope of the wireless network. Unfortunately, the further that the signal goes, the more chance that an intruder can pick up the signal, and, possibly, gain access to its contents, as illustrated in Figure 2.14. To control this power, the access point can set up its own radio power, and is also able to set the transmission power of the client adapter. An example of setting the local power, and the power of the client:
(config)# int dot11radio0
(config-if)# power local ?
<1-50>
One of: 1 5 20 30 50
maximum Set local power to allowed maximum
(config-if)# power local 30
(config-if)# power client ?
<1-50>
One of: 1 5 20 30 50
maximum Set client power to allowed maximum
(config-if)# power client 10

[Figure 2.14 Power transmission: the higher the transmitting power, the wider the coverage; the power of the access point and also of the client are important as they will define the coverage of the signal, and must also be within the required safety limits]

On the client, especially with portable devices, the power usage of the radio port is important. Thus there are typically power settings, such as:

CAM (Constant awake mode). Used when power usage is not a problem.
PSP (Power save mode). Power is conserved as much as possible. The card will typically go to sleep, and will only be awoken by the access point, or if there is activity.
FastPSP (Fast power save mode). This uses both CAM and PSP, and is a compromise between the two.

2.5.7 Authentication algorithm

This sets whether the client adapter uses an open system (where any node can connect to the access point without providing any authentication details), or uses authentication (such as usernames and passwords, or digital certificates). This area will be covered in a future unit. An example of open authentication is:
# config t
(config)# dot11 ssid fred
(config-if-ssid)# authentication ?
  client          LEAP client information
  key-management  key management
  network-eap     leap method
  open            open method
  shared          shared method
(config-if-ssid)# authentication open
(config-if-ssid)# exit
(config)# int d0
(config-if)# ssid fred

2.5.8 Maximum associations

A particular problem in wireless networks is that the access point may become
overburdened with connected clients. This could be due to an attack, such as DoS
(Denial of Service), or due to poor planning. To set the maximum number of
associations, the max-associations command is used within the SSID setting:
# config t
(config-if)# ssid fred
(config-if-ssid)# max ?
<1-255> association limit
(config-if-ssid)# max 100
(config)# exit
(config)# int dot11radio0
(config-if)# ssid fred

and to show the associations for the wireless access point:


# show dot11 association
# show dot11 statistics client-traffic
# show dot11 adjacent-ap

2.5.9 Speed

In some networks it is necessary to define the transmission speeds for the nodes, especially to limit their transmission rates. For this the speed command can be used to fix the transmit speed with:
(config)# int dot11radio0
(config-if)# speed ?
  1.0         Allow 1 Mb/s rate
  11.0        Allow 11 Mb/s rate
  2.0         Allow 2 Mb/s rate
  5.5         Allow 5.5 Mb/s rate
  basic-1.0   Require 1 Mb/s rate
  basic-11.0  Require 11 Mb/s rate
  basic-2.0   Require 2 Mb/s rate
  basic-5.5   Require 5.5 Mb/s rate
  range       Set rates for best range
  throughput  Set rates for best throughput
  <cr>
(config-if)# speed 1.0

2.5.10 Preamble
The preamble is sent out by a client to tell other clients that it is about to transmit. This can either be set to long (which is the default) or short. A long preamble allows for interoperability with the 1Mbps and 2Mbps DSSS specifications. The short preamble allows for faster operation (as the preamble is kept to a minimum) and can be used where the transmission parameters must be maximized, and where there are no interoperability problems. To set the short preamble:
# config t
(config)# int dot11radio0
(config-if)# preamble-short
(config-if)# end

[Figure 2.15 Preamble: the preamble is sent before the start of the data transmission so that nodes can detect that the sender is about to transmit]

2.6 Reference
D0 commands:
  access-expression       Build a bridge boolean access expression
  antenna                 dot11 radio antenna setting
  arp                     Set arp type (arpa, probe, snap) or timeout
  bandwidth               Set bandwidth informational parameter
  beacon                  dot11 radio beacon
  bridge-group            Transparent bridging interface parameters
  broadcast-key           Configure broadcast key rotation period
  carrier-delay           Specify delay for interface transitions
  cdp                     CDP interface subcommands
  channel                 Set the radio frequency
  countermeasure          countermeasure
  crypto                  Encryption/Decryption commands
  custom-queue-list       Assign a custom queue list to an interface
  default                 Set a command to its defaults
  delay                   Specify interface throughput delay
  description             Interface specific description
  dot11                   IEEE 802.11 config interface commands
  dot1x                   IEEE 802.1X subsystem
  encryption              Configure dot11 encryption parameters
  exit                    Exit from interface configuration mode
  fair-queue              Enable Fair Queuing on an Interface
  fragment-threshold      IEEE 802.11 packet fragment threshold
  help                    Description of the interactive help system
  hold-queue              Set hold queue depth
  infrastructure-client   Reserve a dot11 virtual interface for a WGB client
  ip                      Interface Internet Protocol config commands
  keepalive               Enable keepalive
  l2-filter               Set Layer2 ACL for packet received by upper layer protocols
  load-interval           Specify interval for load calculation for an interface
  logging                 Configure logging for interface
  loopback                Configure internal loopback on an interface
  mac-address             Manually set interface MAC address
  max-reserved-bandwidth  Maximum Reservable Bandwidth on an Interface
  mtu                     Set the interface Maximum Transmission Unit (MTU)
  no                      Negate a command or set its defaults
  ntp                     Configure NTP
  packet                  max packet retries
  parent                  Specify parents with which to associate
  payload-encapsulation   IEEE 802.11 packet encapsulation
  power                   Set radio transmitter power levels
  preamble-short          Use 802.11 short radio preamble
  priority-group          Assign a priority group to an interface
  random-detect           Enable Weighted Random Early Detection (WRED) on an Interface
  rts                     dot11 Request To Send
  service-policy          Configure QoS Service Policy
  shutdown                Shutdown the selected interface
  snmp                    Modify SNMP interface parameters
  speed                   Set allowed radio bit rates
  ssid                    Configure radio service set parameters
  station-role            role of the radio
  timeout                 Define timeout values for this interface
  traffic-class           802.1D traffic class
  transmit-interface      Assign a transmit interface to a receive-only interface
  tx-ring-limit           Configure PA level transmit ring limit
  world-mode              Dot11 radio world mode

SSID commands:
  accounting           radius accounting
  authentication       authentication method
  exit                 Exit from ssid sub mode
  guest-mode           guest ssid
  infrastructure-ssid  ssid used to associate to other infrastructure devices
  ip                   IP options
  max-associations     set maximum associations for ssid
  no                   Negate a command or set its defaults
  vlan                 bind ssid to vlan
  wpa-psk              Configure Wi-Fi Protected Access pre-shared key

Copyright statement
This unit has been designed as an integrated unit, and should not be modified without the author's consent.
Prof Bill Buchanan, Sept 2008

Wireless Infrastructure and Access

3.1 Introduction
This unit provides a foundation in some of the key issues related to wireless networks, especially related to the infrastructure of the network. The basic elements of any type of network infrastructure are:

Throughput. This typically involves the creation of a hierarchical structure, where the local traffic can be kept local, and does not affect the core of the infrastructure.
Robustness. This is a key factor in any type of network infrastructure, especially when connecting into the core of the network. Failure in one part of the network should, as much as possible, not have a detrimental effect on other parts.
Fallback. This is another important factor, especially with business-critical parts of the infrastructure, where alternative routes are provided, or backup for key network devices.
Scalability. Few networks ever stay the same, and the demand for services and bandwidth typically increases each year; thus a good network infrastructure typically supports scalability, where the network can grow without affecting the current provision.
Ease of setup. This typically makes the connection of devices simple.
Ease of connection. This typically makes it easy for devices to connect, especially in connecting to the network without complex network settings.
Support for heterogeneous systems. This typically allows for different types of applications and systems to interconnect over the network. A good example of this is to support an IP infrastructure, along with other addressing systems such as NetBIOS and AppleTalk.
Security. This has become one of the most important elements of any network infrastructure, and typically involves structuring the system in order to maximise security. Key factors of this are to integrate authorization, authentication and accounting, typically through a RADIUS or TACACS+ server.

3.2 Three-layer model

Figure 3.1 outlines the three-layer model. If possible, the model should mirror the requirements of the network at different levels, such as connectivity (gaining access to the network), creating workgroups, security, policy and distribution. With this model routers are used at each layer to limit the broadcasts to within that layer. The layers can be defined as:

Core. Provides optimal transport between sites, which provides fast wide-area connections between geographically remote sites within an organization. Normally these are point-to-point links between routers. Typically connections are T1/T3, ATM, Frame Relay and SMDS, and are often provided by a telecommunications provider. The core layer provides low-latency connections between remote sites, and does not generally implement any filtering of the traffic (such as with firewalls or ACLs). If possible, there should be redundant paths which can be switched in when a route becomes unavailable, or slows down. Redundant paths can also be used to share traffic loads. Along with this there should be rapid convergence of the network.
Distribution. Provides policy-based connectivity, which connects multiple LANs into a larger network infrastructure, such as an organizational backbone between buildings. Typically, connections to the LANs are with Fast Ethernet, or even Gigabit Ethernet, and to the core layer with ATM, FDDI and SMDS. This layer also provides the demarcation point between the access and core layers and thus helps to define the operation of the core, and isolate it from the access layer. At this layer data packets can be filtered using a policy-based system (such as with a firewall). At this level campus-wide networks would be implemented, with the possibility of campus-wide servers, and, to improve robustness, it is unlikely that nodes would connect directly onto the distribution layer. In a non-campus-based network, this would be the layer at which remote sites would connect to each other. Typical functions include: concentration of LANs, access to the core layer, VLAN routing, media translations (such as between Frame Relay and Ethernet) and security.
Access. For wireless clients this is the layer at which they normally connect, and it provides workgroup and user access to the network. There can be some policy-based filtering of network traffic at this layer, which will refine the access control implemented at the distribution level. At this layer, the filter will typically be based on user access (such as whether certain individuals are allowed access to certain services). The main functions at this layer are: shared bandwidth (using hubs), switched bandwidth (using switches), MAC-layer filtering (routing based on MAC address, such as in a switch or a bridge), isolating broadcast traffic, creating workgroups, and microsegmentation.

[Figure 3.1 Three-layered component model: Core, Distribution and Access layers]

At present wireless devices are used mostly for access to the network infrastructure, but, in the future, once the key issues of network throughput, robustness, security and authentication have been solved, they may move more towards the core of the network infrastructure. In fact, with the standards for encryption and authentication being robustly applied in wireless systems, they can actually be more secure than traditional fixed networks.

3.3 Repeaters or root devices

A root access point is used to connect a wireless client to a fixed network, whereas a repeater access point does not connect to a wired LAN, and basically forwards the data frames to another repeater, or to a wireless access point which is connected to a wired network (Figure 3.2). With a repeater, of course, the Ethernet port will not operate, and the repeater typically associates itself with the access point which has the best connectivity; however, it can be set up to connect to a specific access point. In the following case, the access point will associate with a parent with the specified MAC address (1111.2222.3333):
# config t
(config)# dot11 ssid napier
(config-ssid)# infrastructure-ssid
(config-ssid)# exit
(config)# interface d0
(config-if)# ssid napier
(config-if)# station-role repeater
(config-if)# dot11 extensions aironet
(config-if)# parent 1 1111.2222.3333
(config-if)# parent 2 2222.aaaa.bbbb
(config-if)# end

It is possible to define up to four parents, so that if one fails to associate, it can use the others. In most cases the Cisco Aironet extensions must be enabled, as they aid the association process, but this can cause incompatibility problems with non-Cisco devices.
The repeater will start with the first parent, and, if it cannot connect, it will then try the next parent, and so on. Overall, repeaters are fairly good at extending the range of a wireless network, but they reduce the throughput, as bandwidth is used up in relaying data through the repeaters. Even in the best case, the actual throughput will be reduced by at least half.

[Figure 3.2 Repeater or root: a root access point connected to the fixed network (configured with station role root) and a repeater access point (configured with station role repeater), both from within the dot11radio0 interface]

3.4 Device fallback

The hot standby function provides a backup to another access point, and is configured so that if the monitored access point fails, the hot standby device becomes active and automatically associates the active clients. The only setting that will differ is the IP address of the device. In the following configuration, the MAC address of the device to be monitored is 1111.abcd.ef10, the timeout period in which the device will determine that the monitored device has stopped working is five seconds, and the poll time is two seconds:
# config t
(config)# iapp standby mac 1111.abcd.ef10
(config)# iapp standby timeout 5
(config)# iapp standby polltime 2

The hot standby device has a different IP address, as the same address would cause a conflict when the two devices are operating at the same time, but, for the sake of seamless operation, the hot standby device is set up with the following settings identical to the main device:

SSID.
IP subnet Mask.
Default gateway.
Data rates.
Encryption and authentication settings.

[Figure 3.3 Repeater or root: the hot standby device listens to the main device for activity; clients automatically associate with the standby device when the main one fails]

3.5 Bridging
In the same way that an Ethernet bridge works, a wireless bridge can be used to
interconnect two or more networks. They are typically used in hard-to-wire places,
or where cable runs would spoil the look of the environment. The basic modes
include:

Point-to-point (master/slave). This is used to connect two LANs using two
bridging units, and thus provides an extended broadcast domain.
Point-to-multipoint. This allows the connection of multiple LANs using a
wireless bridge.

A good example of a wireless bridge is the Cisco Aironet 350 workgroup bridge
(WGB), which connects an Ethernet network to a wireless access point. Figure 3.4
shows an example of a remote workgroup which connects to a fixed network using a
wireless bridge. The bridge has the advantage over a repeater in that the bridge
learns the structure of the network and the devices which connect to it, and can thus
decide which data frames to forward over the bridge and which not to. A repeater,
unfortunately, blindly forwards data frames without checking their destination. It
can be seen in Figure 3.4 that a broadcast is sent over the bridge and onto every
device within the broadcast domain. This domain is bounded by routers, which do
not forward broadcasts. Figure 3.5 shows an example of a point-to-multipoint bridge,
where three bridges are used to bridge three LANs.


Figure 3.4 Point-to-point wireless bridge (a hub with up to eight devices connects
through a wireless bridge to an access point on the fixed network; routers bound the
broadcast domain)

Figure 3.5 Point-to-multipoint wireless bridge (LAN A, LAN B and LAN C)

3.6 SWAN
In large campus area networks, it is important that mobile nodes are able to migrate
from one access point to another. If possible, the current security context should be
handed from one access point to the next, rather than re-authenticating from scratch.
WLCCP (Wireless LAN Context Control Protocol) establishes and manages wireless
network topologies in a SWAN (Structured Wireless-Aware Network). It securely
manages an operational context for mobile clients, typically in a campus-type
network. In the registration phase, it can automatically create and delete network
links, and securely distribute operational context, typically along Layer 2
forwarding paths.


With WLCCP, a single infrastructure node, the WDS (Wireless Domain Services)
device, is defined as the central control point within each subnet, and allows access
points and mobile nodes to select a parent node for a least-cost path to the backbone
connection. An example is:
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication login testi group radius
(config)# aaa authentication login testc group radius
(config)# wlccp wds priority 200 interface bvi1
(config)# wlccp authentication-server infrastructure testi
(config)# wlccp authentication-server client any testc
(config-wlccp-auth)# ssid testing

which defines that the authentication of infrastructure devices is done using the
server group testi, and that client devices using the testing SSID are authenticated
using the server group of testc.

3.7 Remote access
A wireless access point is typically managed through Telnet and/or HTTP, both of
which send credentials in cleartext unless otherwise protected. The HTTP service is
important as it allows remote access through a Web browser, and it can be
authenticated against the local user database with:
# config t
(config)# username fred password bert
(config)# ip http server
(config)# ip http authentication local
(config)# exit

This type of authentication is not the most secure, but it offers a simple way to
restrict access to the access point. When a user tries to access the wireless access
point they will not be allowed to connect unless they have the correct username and
password, as shown in Figure 3.6. If the user has the correct username and
password, the Web page will show the device settings (left-hand side of Figure 3.7);
otherwise there will be an authentication failure (right-hand side of Figure 3.7).

Figure 3.6 Local authentication

Figure 3.7 Web access success and failure

Often the HTTP server is moved from the standard port (80) to a non-standard one,
to stop casual users from finding the Web page. This is obscurity rather than access
control (a port scan still finds the server), and it means that the URL must then
include the port after a colon, as shown in Figure 3.8. To change the TCP port, and to
limit the number of simultaneous connections:
# config t
(config)# ip http port 8080
(config)# ip http max-connections 7

Figure 3.8 Change of HTTP port

Access to the Web server can be restricted by applying an ACL, for example so that
only one host is allowed to connect:
(config)# access-list 7 permit host 23.17.220.3
(config)# access-list 7 deny any
(config)# ip http server
(config)# ip http access-class 7


Along with this, HTTP itself is insecure, as the username, password and
configuration pages all cross the network in cleartext, so it should be replaced with
HTTPS:
(config)# ip http secure-server
% Generating 1024 bit RSA keys ...[OK]
(config)# ip http secure-port ?
  <0-65535>  Secure port number(above 1024 or default 443)
(config)# ip http secure-port 443

The data transferred between the client and server will then be encrypted. To verify
the details:
ap#sh ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:/c1200-k9w7-mx.1238.JA/html/level/1;zflash:/c1200-k9w7-mx.123-8.JA/html/level/1;flash:/c1200k9w7-mx.123-8.JA/html/level/15;zflash:/c1200-k9w7-mx.1238.JA/html/level/15;flash:/c1200-k9w7-mx.123-8.JA/html;zflash:/c1200-k9w7mx.123-8.JA/html;flash:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 120 seconds
Server life time-out: 120 seconds
Maximum number of requests allowed on a connection: 60
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
ap#sh ip http server conn
HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes
10.0.0.1:443          10.0.0.2:1082          266       52587
10.0.0.1:443          10.0.0.2:1083          2493      67032
ap#sho ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:

Two things are worth checking in this output. The plain HTTP server is still enabled
on port 80 alongside the secure server, so the cleartext path remains available until it
is disabled, and the access class is 0, so no ACL restricts who may connect to either.
The ciphersuites on offer (single DES, 3DES and RC4) are also all regarded as weak
by current standards.

Figure 3.9 HTTPS

3.8 SNMP
SNMP (Simple Network Management Protocol) is a well-supported standard which
can be used to monitor and control devices. It typically runs on hubs, switches,
routers, access points and bridges. Many SNMP devices provide both general
network management and device management through a serial cable, modem, or
over the network from a remote computer. It involves a primary management
station communicating with management agents on the managed devices. Figure
3.10 shows an outline of an SNMP-based system. An SNMP agent runs on each
managed device, and an SNMP server (the manager) sends requests to the agent,
which responds with the results. In this figure the server asks the agent for its
routing information and the agent responds with its routing table. Information can
either be polled (the server sends a request for it) or event-driven (the agent sends a
notification, known as a trap, when a given event occurs). A polled system tends to
increase network traffic, as the agent may not have any updated information (and
the server must re-poll for it).
SNMP was initially defined in RFC 1157, and operates on a management
information base (MIB) of network element data. There are two versions of the
standard MIB: MIB-1 and MIB-2. MIB-1 was defined in 1988 and has 114 entries in
eight groups. MIB-2 is a 1990 enhancement which has 171 entries organized into 10
groups (RFC 1213). Older devices are MIB-1 compliant, and newer ones support both
MIB-1 and MIB-2. Each entry in the MIB has four fields:

Object type. Defines the name of the entry.
Syntax. Gives the data type of the value (such as a string or an integer).


Access field. Defines whether the value is read-only, read/write, write-only or not
accessible.
Status field. Contains an indication on whether the entry in the MIB is
mandatory (the managed device must implement the entry), optional (the
managed device may implement the entry) or obsolete (the entry is not used).

SNMP is a very simple protocol, but it suffers from being carried over
connectionless, unreliable UDP. The two main versions in use are SNMPv1 and
SNMPv2c, both of which authenticate a request only by a community string that
travels in cleartext, so anyone who can sniff the traffic learns it; SNMPv3 added
per-user authentication and encryption to stop intruders reading network loading or
the state of the network. The SNMP architecture is based on a collection of:

Network management stations. These execute management applications which
monitor and control network elements.
Network elements. These are devices such as hosts, gateways, terminal servers,
and so on, and have management agents which perform network management
functions, replying to requests from network management stations.
Figure 3.10 SNMP architecture (the SNMP server software asks an SNMP-managed
device, which runs the agent software, "Routing information?"; the agent answers
with its routing table from the MIB)

3.8.1 Protocol specification

The network management protocol operates by inspecting or altering variables in an
agent's MIB (management information base). Manager and agent communicate by
exchanging messages within UDP datagrams, each of which consists of:

A version identifier (version). An integer value defining the version number (0 for
SNMPv1).
SNMP community name (community). An octet string, in practice a short text
string such as public, which acts as the password for the request.
A protocol data unit (data). SNMPv1 defines five PDUs: GetRequest-PDU,
GetNextRequest-PDU, GetResponse-PDU, SetRequest-PDU, and Trap-PDU.

The protocol receives messages on:

UDP port 161. For all messages apart from traps (Trap-PDU).
UDP port 162. Trap messages.

MIB-2 groups include system, interfaces, at, ip, icmp, tcp, udp, egp, and snmp (see
Figure 3.11).

Figure 3.11 MIB-2 tables (system: sysObjectID, sysUpTime, sysContact, sysName,
sysLocation; interfaces: ifNumber, ifTable; at (address translation): atTable; ip:
ipForwarding, ipDefaultTTL, ipInReceives, ipInHdrErrors, etc.; icmp: icmpInMsgs,
icmpInErrors, etc.; tcp: tcpRtoAlgorithm, tcpRtoMin, tcpRtoMax, etc.; udp:
udpInDatagrams, udpNoPorts, udpInErrors, etc.; snmp: snmpInPkts, snmpOutPkts,
etc.)

3.8.2 SNMP on a wireless access point

SNMP is a powerful method of gaining information on the operation of the
network. The snmp-server commands enable SNMP monitoring, and the
snmp-server community command initialises SNMP and sets the community string
(which acts as the password for SNMP access; note that it is sent in cleartext in
every SNMPv1/v2c request). For example, to define the read-only string as public:
# config t
(config)# snmp-server community public RO

RO defines read-only access, while RW defines read-write access; a read-write
string gives full control of the configuration, so it should never be a guessable value
such as public or private. To set up the SNMP contact and the location:
(config)# snmp-server contact fred smith
(config)# snmp-server location room c6


SNMP contains a database of monitored network conditions, such as the number of
errors in data packets, the IP addresses of the interfaces, and so on. It can also be
set up to send notifications (traps) on certain events, such as syslog messages. To
enable all of the SNMP traps, so that all the data is monitored:
(config)# snmp-server enable traps

Then to send these traps to a remote host (here www.myhost.com), using the
community string public:
(config)# snmp-server host www.myhost.com public
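The settings in sections 3.7 and 3.8.2 are easy to get wrong one line at a time, so the
following added example (not from the lecture notes, and not a Cisco tool) audits
the text of a running configuration for the weak management-plane choices just
described: plain HTTP without HTTPS, no access-class, the default enable-password
authentication, reversible user passwords, and default or read-write SNMP
community strings without an ACL. The two configurations it checks are
constructed for the example; the hash in the hardened one is a made-up placeholder.

```python
# Added example (not from the lecture notes): audit of the remote-management
# settings from sections 3.7 and 3.8.2 over a running-config text. Both sample
# configurations are constructed; the type-5 hash is a made-up placeholder.
import re

WEAK_CONFIG = """\
hostname ap
username fred password bert
ip http server
ip http port 8080
snmp-server community public RO
snmp-server community private RW
"""

HARDENED_CONFIG = """\
hostname ap
username fred secret 5 $1$abcd$placeholderhashnotreal
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 7
access-list 7 permit host 23.17.220.3
access-list 7 deny any
snmp-server community Xk9-ro-2zQ RO 7
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}   # vendor defaults to flag


def active_lines(config_text):
    """Lines that are in effect: drop blanks, '!' comments and 'no ...' forms."""
    out = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!") and not line.startswith("no "):
            out.append(line)
    return out


def audit_management_plane(config_text):
    """Return (code, explanation) pairs for weak remote-management settings."""
    lines = active_lines(config_text)

    def has(prefix):
        return any(l == prefix or l.startswith(prefix + " ") for l in lines)

    findings = []
    http, https = has("ip http server"), has("ip http secure-server")
    if http and not https:
        findings.append(("HTTP_NO_TLS",
                         "web management over plain HTTP: credentials and config cross the air in cleartext"))
    if http or https:
        if not has("ip http access-class"):
            findings.append(("HTTP_NO_ACL", "web server reachable from any address; apply ip http access-class"))
        if not has("ip http authentication"):
            findings.append(("HTTP_ENABLE_AUTH",
                             "web server falls back to the shared enable password; use ip http authentication"))
    for line in lines:
        m = re.match(r"username\s+(\S+)\s+password\s+(?:(\d)\s+)?\S+", line)
        if m:   # 'password' is type 0/7 (reversible); 'secret' would be a hash
            findings.append(("USER_PASSWORD_REVERSIBLE",
                             "user %s stored with 'password' (type %s); use 'username ... secret'"
                             % (m.group(1), m.group(2) or "0")))
        m = re.match(r"snmp-server\s+community\s+(\S+)\s+(RO|RW)(?:\s+(\S+))?\s*$", line, re.I)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(("SNMP_DEFAULT_COMMUNITY", "community %r is a vendor default" % community))
            if mode.upper() == "RW":
                findings.append(("SNMP_RW_COMMUNITY", "community %r allows SET: full control of the config" % community))
            if acl is None:
                findings.append(("SNMP_NO_ACL", "community %r accepted from any source address" % community))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, [code for code, _ in audit_management_plane(cfg)])
```

The checks are deliberately simple prefix and regular-expression matches on the
configuration text, which is enough for the settings covered here; a fuller audit
would also read the `show ip http server status` output shown in section 3.7 to
confirm that the plain server is actually disabled.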

To determine the status of the SNMP communications:
# show snmp
# show snmp engine
# show snmp group
# show snmp mib

3.8.3 SNMP tree structure

The MIB tree structure is defined by a long sequence of numbers separated by dots,
such as .1.3.6.1.2.1.1.4.0 (where the trailing .0 selects the single instance of a scalar
object). This number is called an Object Identifier (OID), and is a numerical
representation of a path through the MIB tree, where each number selects a node at
the next level. The trunk of the tree is on the left and the leaves are on the right, as
illustrated in Figure 3.12 and Figure 3.13. Figure 3.14 shows example objects read
from a Cisco Aironet Wireless Access Point.
Figure 3.12 SNMP object ID (.1.3.6.1.2.1.1.4.0: the root has .0 CCITT and .1 ISO;
under ISO, .3 org (identified-organization); then .6 DOD; .1 Internet; and under
Internet .1 Directory, .2 Management, .3 Experimental, .4 Private)

Figure 3.13 SNMP object ID (.1.3.6.1.2.1.1 is the system group of MIB-2: sysDescr (1),
sysObjectID (2), sysUpTime (3), sysContact (4), sysName (5), sysLocation (6),
sysServices (7))


For example, a node with an ID of 1.3.6.1.2.1.5.1.0 has the following structure:

iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).icmp(5).icmpInMsgs(1).0
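To make the message layout of section 3.8.1 and the OID encoding of section 3.8.3
concrete, the following added example (not from the lecture notes) builds an
SNMPv1 GetRequest for sysName.0 byte by byte using BER, then parses it back the
way a passive sniffer on UDP port 161 would, recovering the community string in
the clear. It uses only the Python standard library and sends nothing on the
network; the community names and request-id are constructed for the example.

```python
# Added example (not from the lecture notes): BER encode/decode of an SNMPv1
# GetRequest, standard library only, never sent on the wire. Shows how version,
# community and PDU (section 3.8.1) and dotted OIDs (section 3.8.3) are laid out
# and why a sniffer recovers the community string. Values are constructed.
SNMP_V1 = 0           # version field: 0 = SNMPv1, 1 = SNMPv2c (v3 differs in layout)
GET_REQUEST = 0xA0    # context-specific tag of GetRequest-PDU
WELL_KNOWN_COMMUNITIES = {"public", "private"}   # common vendor defaults

def _ber_len(n):
    """BER length: one octet below 128, else 0x80|count followed by the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content

def ber_int(value):
    """INTEGER: two's complement in the minimal number of octets."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))

def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest in base 128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))

def build_get_request(community, oid, request_id=1, version=SNMP_V1):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, GetRequest-PDU }."""
    varbind = _tlv(0x30, ber_oid(oid) + _tlv(0x05, b""))        # SEQUENCE { OID, NULL }
    pdu_body = ber_int(request_id) + ber_int(0) + ber_int(0)     # request-id, error-status, error-index
    pdu = _tlv(GET_REQUEST, pdu_body + _tlv(0x30, varbind))      # ... followed by the VarBindList
    return _tlv(0x30, ber_int(version) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    """Return (tag, content, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_snmp_request(datagram):
    """What a passive listener recovers from one captured SNMPv1/v2c request."""
    _, msg, _ = _read_tlv(datagram, 0)
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, req_id, p = _read_tlv(pdu, 0)
    _, _, p = _read_tlv(pdu, p)              # error-status
    _, _, p = _read_tlv(pdu, p)              # error-index
    _, vblist, _ = _read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(vblist):
        _, vb, q = _read_tlv(vblist, q)
        oids.append(decode_oid(_read_tlv(vb, 0)[1]))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode(errors="replace"),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "oids": oids}

def audit_datagram(datagram):
    """Findings a monitoring sensor would raise about a captured request."""
    info = parse_snmp_request(datagram)
    findings = []
    if info["version"] < 3:
        findings.append("community string sent in cleartext (SNMPv1/v2c)")
    if info["community"].lower() in WELL_KNOWN_COMMUNITIES:
        findings.append("well-known default community %r" % info["community"])
    return findings

if __name__ == "__main__":
    pkt = build_get_request("public", ".1.3.6.1.2.1.1.5.0")   # sysName.0, as in Figure 3.14
    print(pkt.hex())
    print(parse_snmp_request(pkt), audit_datagram(pkt))
```

The 40-byte datagram the example produces starts 30 26 02 01 00 04 06 70 75 62 6c
69 63: a SEQUENCE, the version 0, and the six ASCII bytes of "public" exactly as
typed. That is the whole of the authentication in SNMPv1 and SNMPv2c, which is
why the community string should be treated as a password and why SNMPv3, with
real authentication and encryption, is preferred where the device supports it.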

For a router, example objects are:

MIB name             Description           Object ID
sysName              Hostname              .1.3.6.1.2.1.1.5.0
sysUpTime            Uptime                .1.3.6.1.2.1.1.3.0
sysDescr             System Description    .1.3.6.1.2.1.1.1.0
sysContact           System Contact        .1.3.6.1.2.1.1.4.0
sysLocation          System Location       .1.3.6.1.2.1.1.6.0
ciscoImageString     IOS Version           .1.3.6.1.4.1.9.9.25.1.1.1.2.5
avgBusy1             1-Minute CPU Util.    .1.3.6.1.4.1.9.2.1.57.0
avgBusy5             5-Minute CPU Util.    .1.3.6.1.4.1.9.2.1.58.0
freeMem              Free memory           .1.3.6.1.4.1.9.2.1.8.0
ciscoImageString.4   IOS feature set       .1.3.6.1.4.1.9.9.25.1.1.1.2.4

Figure 3.14 SNMP object ID


In the case of Figure 3.14, some of the SNMP values and variables are:
Variable = system.sysDescr.0
Value = Cisco Internetwork Operating System Software
IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(11)JA, EARLY DEPLOYMENT
RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 23-May
Variable = interfaces.ifNumber.0, Value = 5
Variable = interfaces.ifTable.ifEntry.ifIndex.1, Value = 1
Variable = interfaces.ifTable.ifEntry.ifIndex.2, Value = 2
Variable = interfaces.ifTable.ifEntry.ifIndex.3, Value = 3
Variable = interfaces.ifTable.ifEntry.ifIndex.4, Value = 4
Variable = interfaces.ifTable.ifEntry.ifIndex.5, Value = 5
Variable = interfaces.ifTable.ifEntry.ifDescr.1, Value = Dot11Radio0
Variable = interfaces.ifTable.ifEntry.ifDescr.2, Value = FastEthernet0
Variable = interfaces.ifTable.ifEntry.ifDescr.3, Value = Null0
Variable = interfaces.ifTable.ifEntry.ifDescr.4, Value = BVI1
Variable = interfaces.ifTable.ifEntry.ifDescr.5, Value = Virtual-

which shows the interfaces and the description of the system. A sample MIB
infrastructure is shown in Figure 3.15, and the basic sequence of trapping an event
and reacting to it is shown in Figure 3.16.

Figure 3.15 Example SNMP structure


Figure 3.16 SNMP traps (SNMP trap -> trap receiver -> rule processor -> action
processor -> alert)

3.9 Appendix
3.9.1 MIB-2: system

These include:

sysObjectID. Identifies the object ID.
sysUpTime. Identifies the system up time.
sysContact. Identifies the system contact.
sysName. Identifies the system name.
sysLocation. Identifies the location of the system.
sysServices. Identifies the system services.

3.9.2 MIB-2: interfaces

The interfaces table includes:

ifNumber. Number of interfaces.
ifTable. List of interface entities:
o ifIndex. Interface index value.
o ifDescr. Interface description.
o ifType. Interface type: other(1), regular1822(2), hdh1822(3), ddn-x25(4),
rfc877-x25(5), ethernet-csmacd(6), iso88023-csmacd(7), iso88024-tokenBus(8),
iso88025-tokenRing(9), iso88026-man(10), starLan(11), proteon-10Mbit(12),
proteon-80Mbit(13), hyperchannel(14), fddi(15), lapb(16), sdlc(17), ds1(18),
e1(19), basicISDN(20), primaryISDN(21), ppp(23), softwareLoopback(24),
eon(25), ethernet-3Mbit(26).
o ifSpeed. Speed of interface, in bits per second.
o ifPhysAddress.


o ifAdminStatus. Administration status is up (1), down (2) or testing (3).
o ifOperStatus. Operational status is up (1), down (2) or testing (3).
o ifLastChange. Time since last change.
o ifInUcastPkts.
o ifInNUcastPkts.
o ifInDiscards.
o ifInErrors.
o ifInUnknownProtos.
o ifOutOctets.
o ifOutUcastPkts.
o ifOutNUcastPkts.
o ifOutDiscards.
o ifOutErrors.
o ifOutQLen.
o ifSpecific.

3.9.3 MIB-2: at

The address translation table includes:

atTable. This defines the address translation table; each entry maps one network
address to one physical address on an interface:
o atIfIndex. Interface index.
o atPhysAddress. Physical address of the interface.
o atNetAddress. Network address of the interface.

3.9.4 MIB-2: ip

The ip table includes information on IP traffic, such as:


ipForwarding. Defines whether the node is a gateway or not. It can be set to:
forwarding (for a gateway) or not-forwarding.
ipDefaultTTL. Default IP time-to-live.
ipInReceives. The total number of IP packets received (including ones in error).
ipInHdrErrors. Discarded IP packets, due to header problems.
ipInAddrErrors. Discarded IP packets, due to incorrect addresses (such as
0.0.0.0).
ipForwDatagrams. Number of IP packets which were forwarded.
ipInUnknownProtos. Number of IP packets with an unknown protocol.
ipInDiscards. Discarded packets due to processing problems, such as lack of
buffer memory.
ipInDelivers. Number of IP packets successfully delivered to local protocols.
ipOutRequests.
ipOutDiscards.
ipOutNoRoutes. Discarded IP packets, due to there being no route for them.
ipFragOKs. Number of datagrams successfully fragmented.
ipFragFails. Number of datagrams which could not be fragmented.
ipFragCreates. Number of fragments created.
ipAddrTable.


ipAddrEntry:
o ipAdEntAddr. Network address.
o ipAdEntIfIndex. Interface index of the address.
o ipAdEntNetMask. Subnet mask.
o ipAdEntBcastAddr. Broadcast address.
o ipAdEntReasmMaxSize.
ipRoutingTable:
o ipRouteDest. Destination address. A value of 0.0.0.0 is defined as a default
route.
o ipRouteIfIndex. Interface index of the route.
o ipRouteMetric1. Route metric 1. If it is not used, the value is set to -1.
o ipRouteMetric2.
o ipRouteMetric3.
o ipRouteMetric4.
o ipRouteNextHop.
o ipRouteType. Route types are: other, invalid, direct and indirect.
o ipRouteProto. Protocol types are: other, local, netmgmt, icmp, egp, ggp,
hello, rip, is-is, es-is, ciscoIGRP, bbnSpfIgp, ospf and bgp.
o ipRouteAge.
o ipRouteMask.
o ipRouteMetric5.
ipNetToMediaTable (the network-to-physical address mapping which supersedes
the at group):
o ipNetToMediaIfIndex. Interface index.
o ipNetToMediaPhysAddress. Physical address.
o ipNetToMediaNetAddress. Network address.
o ipNetToMediaType. Set to other, invalid, dynamic or static.

3.9.5 MIB-2: icmp

The ICMP table includes:

icmpInMsgs.
icmpInErrors.
icmpInDestUnreachs.
icmpInTimeExcds
icmpInParmProbs
icmpInSrcQuenchs.
icmpInRedirects.
icmpInEchos.
icmpInEchoReps.
icmpInTimestamps.
icmpInTimestampReps.
icmpInAddrMasks.
icmpInAddrMaskReps.
icmpOutMsgs.
icmpOutErrors.
icmpOutDestUnreachs.
icmpOutTimeExcds.


icmpOutParmProbs.
icmpOutSrcQuenchs.
icmpOutEchos.
icmpOutEchoReps.
icmpOutTimestamps.
icmpOutTimestampReps.
icmpOutAddrMasks.
icmpOutAddrMaskReps.

3.9.6 MIB-2: tcp

The TCP table includes:

tcpRtoAlgorithm. The algorithm used to determine the time-out for
unacknowledged segments. This can be: other, constant, rsre (MIL-STD-1778) or
vanj (Van Jacobson's algorithm).
tcpRtoMin. Minimum retransmission time-out (in milliseconds).
tcpRtoMax. Maximum retransmission time-out (in milliseconds).
tcpMaxConn. Maximum number of TCP connections.
tcpActiveOpens. Number of active opens (connections initiated by this host).
tcpPassiveOpens. Number of passive opens (connections accepted by this host).
tcpAttemptFails.
tcpEstabResets.
tcpCurrEstab.
tcpInSegs. Number of input segments.
tcpOutSegs. Number of output segments.
tcpRetransSegs. Number of retransmitted segments.
tcpConnTable:
o tcpConnState. The state can be: closed, listen, synSent, synReceived,
established, finWait1, finWait2, closeWait, lastAck, closing, timeWait or
deleteTCB.
o tcpConnLocalAddress. Local address.
o tcpConnLocalPort. Local port.
o tcpConnRemAddress. Remote address.
o tcpConnRemPort. Remote port.

3.9.7 MIB-2: udp

The udp table includes:


udpInDatagrams.
udpNoPorts.
udpInErrors
udpOutDatagrams
udpTable:
o udpLocalAddress
o udpLocalPort


3.9.8 MIB-2: snmp

The snmp table includes information on SNMP:

snmpInPkts.
snmpOutPkts.
snmpInBadVersions.
snmpInBadCommunityNames.
snmpInBadCommunityUses.
snmpInASNParseErrs.
snmpInTooBigs.
snmpInNoSuchNames.
snmpInBadValues.
snmpInReadOnlys.
snmpInGenErrs.
snmpInTotalReqVars.
snmpInTotalSetVars.
snmpInGetRequests.
snmpInGetNexts.
snmpInSetRequests.
snmpInGetResponses.
snmpInTraps.
snmpOutTooBigs.
snmpOutNoSuchNames.
snmpOutBadValues.
snmpOutGenErrs.
snmpOutGetRequests.
snmpOutGetNexts.
snmpOutSetRequests.
snmpOutGetResponses.
snmpOutTraps.
snmpEnableAuthenTraps.

Copyright statement
This unit has been designed as an integrated unit, and should not
be modified without the authors consent.
Prof Bill Buchanan, Sept 2008


Wireless Security (Encryption)

4.1 Introduction
The key elements of wireless security are:

Authentication. This is used to identify the user, the wireless client and the
wireless access point.
Authorization. This is used to determine the users and wireless devices that have
the authorization to connect to the network.
Accounting. This is used to log information on the usage of the network, and
may set restrictions of the access, and, possibly, charge for the usage.
Assurance. This defines that the data that is received and transmitted has not
been changed in any way.
Confidentiality. This allows the details of the connection to be kept secret. It
typically involves securing the contents of the transmitted data, but may also
include hiding the source and destination addresses, and the TCP ports used for
the connection. In most wireless networks, symmetric (shared-key) encryption,
either with WEP (Wired Equivalent Privacy) or TKIP (Temporal Key Integrity
Protocol), is used to protect confidentiality.
Data Integrity. This gives an assurance that the data that is transmitted or
retrieved is free from errors, and should be taken as the same as being the
original data. Typically data integrity is achieved at differing levels, such as error
detection bits in the data frame, check sums within the IP and TCP headers, and
also higher-level protocol errors.

One of the major problems in wireless networks is that, in certain situations, it is
possible to bypass the main security elements of a network, such as the main
organisational firewall. This is illustrated in Figure 4.1, where a wireless access point
(WAP) allows a user to connect to the inside of the network without passing through
the firewall. The WAP is thus often placed on the outside of the organisational
network, as in Figure 4.2. Unfortunately this reduces access to resources inside the
network, and shows that the wireless infrastructure needs to be embedded into the
security design, rather than added on afterwards.

4.2 Wireless Security Problems

Wireless networks have many problems due to the inherent openness of the
medium. Unlike networks based on cables, it is difficult to shield the
communications from intruders, as the radio waves typically propagate outside the
main communications boundary. Improvements in encryption and authentication
have helped with this problem, but there are many other issues which need to be
carefully considered before properly implementing a secure wireless network.


Figure 4.1 WAP on the inside of the organizational network (the wireless access
point sits in the core network behind the gateway, main firewall and DMZ, so
external devices get behind the firewall)

Figure 4.2 WAP on the outside of the organizational network

4.2.1 Radio frequency problems

IEEE 802.11 uses frequencies around 2.4 GHz (for IEEE 802.11b) and 5 GHz (for
IEEE 802.11a). These frequencies can be affected by other radio equipment, and can
be jammed by any transmitter operating on the frequencies used by the network
(Figure 4.3). Wireless LANs are thus not recommended for military networks or for
safety-critical systems.


4.2.2 Denial-of-service attacks

As wireless access points are fairly public in the way that they can be accessed, they
are open to attacks from intruders. A common one is a denial-of-service (DoS)
attack, where an intruder continually tries to connect to a WAP, so that the device
spends as much time handling the bogus connection attempts as it does serving its
real connections (Figure 4.4). The quality of service (QoS) will thus reduce for other
clients which connect to the WAP. In the most extreme case, it may be possible for
an intruder to reduce the data throughput of the WAP to almost zero. Along with a
DoS attack, it is also possible for an intruder, once connected to the WAP, to
continually upload/download files and thus use up much of the available
bandwidth. This is known as deprivation of service (DepS), and also results in a
reduction in the QoS. It can, though, be overcome by not allowing clients to connect
unless they are a valid device, and by monitoring downloads and bandwidth usage.
A key factor for both the DoS and DepS attacks is for the administrator to set up
system logs which monitor the usage of the wireless network. This includes both
successful and unsuccessful login attempts.

Figure 4.3 Wireless network jamming (a radio jamming signal covering 2.4 GHz to
2.48 GHz directed at the wireless access point)

4.2.3 Spoofing attacks

Many wireless networks use DHCP to allocate network addresses, where a device
presents its MAC address and is given an IP address if that MAC address has been
registered in the DHCP database, so that only valid MAC addresses receive an IP
address. Unfortunately this type of authorization can be breached by an intruder who
determines a valid MAC address (it is sent in the clear in every frame) and uses
software to present that MAC address to the WAP (Figure 4.5). The intruder will
then be allocated a valid IP address. Along with this, it is possible, in some wireless
networks, simply to set a valid static IP address on the wireless client and connect
to the network.
Along with clients spoofing themselves, another problem is a rogue access point
set up for clients to connect to, as many clients are configured to connect to the
access point with the strongest signal. The rogue device is then positioned to
intercept the client's traffic and any credentials it sends, and so can defeat the
protection the client expects from encrypting its link.


Figure 4.4 Wireless deprivation of service and denial of service problems (denial of
service: continual connection requests to the wireless access point; deprivation of
service: continual downloads, so that other users are deprived of bandwidth)

Figure 4.5 Wireless spoofing problems


4.3 Wireless security standards

As wireless networks have limited physical security, and the data transmitted is
broadcast to all the nodes in an area, it is important that the data is encrypted and
that clients are properly authenticated when they connect to the wireless network.
For the encryption, standards such as IPSec and VPNs can be used to secure the data
end-to-end, and not just between the access point and the client. Unfortunately IPSec
and VPNs can cause a reduction in performance, especially where the available
bandwidth is limited.
As wireless systems have evolved, new standards have been developed to
support them. For encryption the first standard was WEP which, while stopping
casual eavesdroppers, has been shown to have serious security flaws. Newer
standards include WPA (Wi-Fi Protected Access) and IEEE 802.11i. For
authentication there are many different standards which can be used on a range of
applications. These include EAP (Extensible Authentication Protocol), LEAP
(Lightweight EAP) and EAP-TLS (EAP - Transport Layer Security), which support
authentication of devices and users using techniques such as usernames,
passwords, digital certificates, biometrics, and so on.

Figure 4.6 Wireless security standards (encryption: WEP - Wired Equivalent Privacy,
WPA - Wi-Fi Protected Access, IEEE 802.11i; authentication: EAP - Extensible
Authentication Protocol, LEAP - Lightweight EAP, EAP-TLS - EAP Transport Layer
Security, EAP-TTLS - Tunnelled TLS, PEAP - Protected EAP; IPSec standards for
VPNs: limited to IP, required for public access systems)

4.4 WEP
Wireless encryption, such as WEP and TKIP, only encrypts the data over the wireless
link; once on the wired network it no longer applies. WEP uses a shared encryption
key from which RC4 produces an arbitrarily long pseudo-random bit stream (the
keystream), which is Exclusive-OR-ed with the data stream. Unfortunately it has
many weaknesses. The two main key sizes are:

64-bit WEP. Data encryption with an access point using a 64-bit key.
128-bit WEP. Data encryption with an access point using a 128-bit key.

Figure 4.7 shows that it is possible to set the encryption key from a passphrase or
manually. For 64-bit encryption, 5 alphanumeric characters or 10 hexadecimal digits
define the key, and for 128-bit encryption the key is specified with 13 alphanumeric
characters or 26 hexadecimal digits. Up to four keys can be configured, but the
system uses only one of them for its encryption. All the stations and the access point
they connect to must use the same encryption key. For example a 64-bit key could
be:
Edin1
whereas a 128-bit key could be:
Edinburgh Net
Encryption can be optional (used only where the client supports it) or mandatory
(where unencrypted clients are refused).

Figure 4.7 WEP key configuration (the WEP key reduces eavesdropping and, along
with the SSID, stops unauthorized access to a wireless access point; 40-bit or 104-bit
keys, with a further 24 bits for the IV; a key can be generated from a passphrase such
as napier01, but no standard defines how the WEP key is derived from it, so the
result is vendor-specific)

64-bit WEP uses a 24-bit initialization vector (IV) and a 40-bit secret shared
encryption key (Figure 4.8). WEP concatenates the IV and the shared key to form the
seed for RC4, which generates the pseudo-random keystream (Figure 4.9) that is
EX-ORed with the data stream. The IV thus lengthens the seed, and changes the
keystream for every data packet.
Unfortunately the IV is only a 24-bit value, and it is sent as cleartext. There are thus
only 2^24 (16,777,216) possible IVs. If we use 1500-byte packets on an 11 Mbps link,
the time to send each packet is:

1500 x 8 / 11e6 = 1.1 ms

Thus, if the device is continually sending, an IV must repeat after at most:

1.1 ms x 16,777,216 = 18,302 seconds

which is about 5 hours (and with randomly chosen IVs the birthday paradox gives a
repeat far sooner). The intruder then takes two ciphertexts which have been
encrypted with the same IV, and hence the same keystream, and performs a
statistical analysis on them. Figures 4.10 to 4.12 show the method that packages such
as AirSnort use to detect the WEP key.

Figure 4.10 WEP (the 24-bit initialization vector and the 40-bit encryption key; the
same key is used for encryption of all the data in the domain and by all nodes, so an
eavesdropper can eventually gain the key)


Figure 4.11 WEP (WEP uses a stream cipher based on the RC4 algorithm, which
expands a short key into an infinite pseudo-random key; sender and receiver use the
same shared key; the data stream is X-ORed with the pseudo-random key to give the
ciphertext, and the receiver X-ORs the ciphertext with the same pseudo-random key
to recover the data)

Figure 4.12 WEP (an eavesdropper who can read two streams encoded with the same
key can X-OR them together to cancel the pseudo-random key, and so work towards
recovering the key)


Figure 4.13 IV vectors (each IV from 0 to 16,777,215 gives a different ciphertext for
the same plaintext; once the eavesdropper knows the keystream for IV=0 they can
decrypt every packet sent with that IV, and over time the others can be learnt; a table
of known keystreams for every IV is about 15 GB)

Another problem is that WEP is open to a man-in-the-middle attack (Figure 4.14),
where an intruder reads the message and, if they know where the letters are in the
message, flips some of the bits to change it. Thus an Integrity Check Value (ICV),
which is a 32-bit CRC (Cyclic Redundancy Check), is added. So, if bits are flipped,
the CRC will not match, and an error is raised (Figure 4.15). Unfortunately it is still
possible to obtain the same CRC if the bits are flipped consistently across the 32-bit
values (Figure 4.16). The same thing can also be done with the data bits of the
higher-level protocols, such as changing the destination IP address of the packet
(Figure 4.17).
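The property behind Figures 4.15 to 4.17, shown as an added example (not code from the original notes): CRC-32 is affine, so for equal-length inputs crc(a ⊕ d) = crc(a) ⊕ crc(d) ⊕ crc(zeros), and a change to the encrypted data can be matched by a change to the encrypted ICV without any key material, which a receiver relying on the CRC cannot detect. A keyed MIC over the data (HMAC-SHA256 here) has no such property and rejects the same change. A random one-time key stream stands in for RC4(k, IV), since the property does not depend on the cipher; the frame contents are constructed.

```python
"""The CRC-32 ICV gives no integrity under a stream cipher. CRC-32 is affine:
for equal-length inputs crc(a XOR d) == crc(a) XOR crc(d) XOR crc(zeros), so a
change applied to the encrypted data can be matched by a change to the
encrypted ICV without knowing the key. A keyed MIC (HMAC here) rejects it.

Added example. A random one-time key stream stands in for RC4(k, IV); the
frame contents are constructed.
"""
import hashlib
import hmac
import os
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_bytes(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def crc_is_affine(a: bytes, delta: bytes) -> bool:
    """Check the identity the weakness rests on, for equal-length inputs."""
    zeros = bytes(len(a))
    lhs = crc32_bytes(xor_bytes(a, delta))
    rhs = xor_bytes(xor_bytes(crc32_bytes(a), crc32_bytes(delta)), crc32_bytes(zeros))
    return lhs == rhs


def wep_style_frame(keystream: bytes, data: bytes) -> bytes:
    """Encrypted body: (data || CRC-32 ICV) XOR key stream."""
    return xor_bytes(data + crc32_bytes(data), keystream)


def icv_check(keystream: bytes, frame: bytes):
    """Receiver side: decrypt, then compare the ICV. Returns (valid, data)."""
    plain = xor_bytes(frame, keystream)
    return crc32_bytes(plain[:-4]) == plain[-4:], plain[:-4]


def flip_with_matching_icv(frame: bytes, delta: bytes) -> bytes:
    """Apply bit flips `delta` to the encrypted data and the corresponding CRC
    difference to the encrypted ICV; no key material is used at all."""
    icv_delta = xor_bytes(crc32_bytes(delta), crc32_bytes(bytes(len(delta))))
    return xor_bytes(frame, delta + icv_delta)


def mic_check(mic_key: bytes, data: bytes, tag: bytes) -> bool:
    """Keyed integrity check: recompute the HMAC and compare in constant time."""
    return hmac.compare_digest(hmac.new(mic_key, data, hashlib.sha256).digest(), tag)


def demo():
    data = b"DST=10.0.0.5 payload"            # constructed: a known header position
    keystream = os.urandom(len(data) + 4)    # stand-in for RC4(k, IV)
    frame = wep_style_frame(keystream, data)

    delta = bytearray(len(data))
    delta[11] = ord("5") ^ ord("7")          # change the last address digit 5 -> 7
    tampered = flip_with_matching_icv(frame, bytes(delta))

    icv_ok, seen = icv_check(keystream, tampered)           # CRC still matches
    mic_key = os.urandom(32)
    tag = hmac.new(mic_key, data, hashlib.sha256).digest()  # MIC over the original
    mic_ok = mic_check(mic_key, seen, tag)                  # keyed MIC rejects it
    return icv_ok, seen, mic_ok


if __name__ == "__main__":
    print(demo())
```

The receiver in `demo()` accepts the modified frame on the CRC alone, but the HMAC comparison fails, which is the reason a keyed MIC replaced the plain CRC in later designs.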
Figure 4.14 WEP: both sides expand the same short key into the same pseudo-random key stream; the man-in-the-middle flips a few bits of the ciphertext in transit (1101111110000001000... becomes 1101111111000001000...) and so changes the decrypted text, turning A B into A C. Letters can thus be changed.


Figure 4.15 Plaintext (e.g. 01010101 10101010 01010101 01010101) and its corresponding ciphertext, each followed by a CRC-32; flipping bits in the ciphertext changes the recovered plaintext and its CRC-32.

Figure 4.16 By performing bit flips it is possible to change the characters in the plaintext so that the CRC-32 stays the same.

Figure 4.17 CRC: if the eavesdropper knows part of the plaintext (such as the IP/TCP headers) for a corresponding ciphertext, it is possible to build a correctly encrypted ciphertext carrying a modified IP/TCP header and message. Bits are flipped over consecutive bit positions, so that the overall CRC stays the same, and the method can be extended by examining for known IP and TCP headers. By flipping bits in the IP address, the eavesdropper can send all data packets to their own machine.


4.4.1 Key entropy

Encryption key length is only one of the factors that indicates the security of the
encryption process. Unfortunately most encryption processes do not use the full
range of keys, as the encryption key itself is typically generated from an ASCII
password. For example, wireless systems typically use a passphrase to generate the
encryption key. Thus for 64-bit encryption only five alphanumeric characters (40 bits)
are used, and 13 alphanumeric characters (104 bits) are used for 128-bit
encryption[1]. These characters are typically taken from well-known words and
phrases such as:

Nap1

whereas 128-bit encryption could use:

NapierStaff1

Thus this approach typically reduces the number of usable keys, as the keys
themselves will be generated from dictionaries, such as:

About
Apple
Aardvark

and keys generated from unusual passphrases such as:

xyRg54d
io2Fddse

will not be common (and could perhaps be checked if the standard dictionary
passphrases did not yield a result).

[1] In wireless, a 64-bit encryption key is actually only a 40-bit key, as 24 bits are used as an
initialisation vector. The same goes for a 128-bit key, where the actual key is only 104 bits.

Entropy measures the amount of unpredictability, and in encryption it relates to
the degree of uncertainty of the encryption process. If all the keys in a 128-bit key
were equally likely, then the entropy of the keys would be 128 bits. Unfortunately, due
to the problems of generating keys through passphrases, the entropy of standard
English can be less than 1.3 bits per character, and passwords are typically at less than
4 bits per character. Thus a 128-bit encryption key in wireless, generated from standard
English, has a maximum entropy of only 16.9 bits (1.3 times 13), which is
almost equivalent to a 17-bit encryption key length. So rather than having
20,282,409,603,651,670,423,947,251,286,016 (2^104) possible keys, there are only 131,072
(2^17) keys.

As an example, let's say an organisation uses a 40-bit code, and that the
organisation has the following possible phrases:

Napier, napier, napier1, Napier1, napierstaff, Napierstaff, napierSoc, napierSoC, SoC,
Computing, DCS, dcs, NapierAir, napierAir, napierair, Aironet, MyAironet,
SOCAironet, NapierUniversity, napieruniversity, NapierUni

which gives 20 different phrases, thus the entropy is equal to:

$$\text{Entropy (bits)} = \log_2(N) = \log_2(20) = \frac{\log_{10}(20)}{\log_{10}(2)} = 4.3$$

Thus the entropy of the 40-bit code is only 4.3 bits.

Unfortunately many password systems and operating systems, such as Microsoft
Windows, base their encryption keys on passphrases, where the private key is
protected by a password. This is a major problem: a strong encryption key can be
used, but the password which protects it is open to a dictionary attack, so the
overall entropy is low.
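The entropy calculation of this section, as an added example (not the author's code): log2(N) over a candidate list, the per-character estimates the text uses (1.3 bits for English text, 4 bits for typical passwords, 4 bits for a random hex digit), and a plain single-character Shannon estimate for a sample string. The phrase list is the one printed above (21 entries as printed; the text counts 20), and the classification rules in `effective_entropy` are an assumption made for illustration.

```python
"""Effective entropy of a wireless key against its nominal length, following
Section 4.4.1. Added example, not the author's code. The per-character figures
are the text's estimates; the classification rules are an assumption made for
illustration.
"""
import math
from collections import Counter

ENGLISH_BITS_PER_CHAR = 1.3
PASSWORD_BITS_PER_CHAR = 4.0
HEX_DIGITS = set("0123456789abcdefABCDEF")

# the organisation's phrase list as printed in the text (21 entries as printed)
PHRASES = [
    "Napier", "napier", "napier1", "Napier1", "napierstaff", "Napierstaff",
    "napierSoc", "napierSoC", "SoC", "Computing", "DCS", "dcs", "NapierAir",
    "napierAir", "napierair", "Aironet", "MyAironet", "SOCAironet",
    "NapierUniversity", "napieruniversity", "NapierUni",
]


def candidate_entropy(n_candidates: int) -> float:
    """Entropy (bits) = log2(N) when each of N candidate keys is equally likely."""
    return math.log2(n_candidates)


def shannon_bits_per_char(sample: str) -> float:
    """H = -sum p(c) log2 p(c) over the characters of `sample`. This is an upper
    bound: it ignores the context between letters that drives English below 1.3."""
    counts = Counter(sample)
    total = len(sample)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def effective_entropy(key: str, candidates=None) -> float:
    """Bits an attacker actually has to search for a key chosen as the text
    describes, rather than the key's nominal length."""
    if candidates is not None and key in candidates:
        return candidate_entropy(len(candidates))       # one of a known list
    if all(c in HEX_DIGITS for c in key) and not key.isalpha():
        return 4.0 * len(key)                            # random hex digits
    if key.isalpha() and key.islower():
        return ENGLISH_BITS_PER_CHAR * len(key)          # plain English text
    return PASSWORD_BITS_PER_CHAR * len(key)             # mixed-case/digit password


def entropy_report(key: str, nominal_bits: int, candidates=None) -> dict:
    """Compare the nominal key space with the space a chosen key really spans."""
    eff = effective_entropy(key, candidates)
    return {
        "nominal_bits": nominal_bits,
        "effective_bits": round(eff, 1),
        "keys_to_search": 2 ** round(eff),
        "nominal_keys": 2 ** nominal_bits,
    }


if __name__ == "__main__":
    print(entropy_report("napierunivers", 104))       # 13 English letters: 16.9 bits
    print(entropy_report("NapierAir", 40, PHRASES))   # from the list: log2(21), about 4.4
    print(entropy_report("1122334455", 40))           # random hex digits: the full 40
```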
4.4.2 Programming WEP for a Cisco WAP

WEP is the basic encryption method used for wireless. For the key to be generated
the user must define a 10-digit hexadecimal code. Key number 1 is used here (three
other key slots are possible):

# config t
(config)# int dot11radio0
(config-if)# encryption mode wep optional
(config-if)# encryption key 1 size 40bit 1122334455 transmit-key
(config-if)# exit

The same can be done for 128-bit encryption, which is more secure. In this case we
require 26 hexadecimal digits:

# config t
(config)# int dot11radio0
(config-if)# encryption mode wep optional
(config-if)# encryption key 1 size 128bit 12345678901234567890123456 transmit-key
(config-if)# exit


The transmit-key option selects the key that the access point will use when
transmitting data (only one transmit key can be defined at a time, whereas one or more
receive keys can be used). This key must match one of the keys that the clients
associate with, but does not have to be the same as the clients' own transmit key.
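A check of the key string before it goes into the IOS commands above, as an added example (not Cisco's own validation logic): a 40-bit key is 10 hexadecimal digits or 5 ASCII characters, a 128-bit key is 26 hexadecimal digits or 13 ASCII characters, and the 24-bit IV makes up the rest of the nominal size. The ASCII-to-hex conversion and the slot limit of 1 to 4 are assumptions following the text.

```python
"""Validate a WEP key string and build the IOS 'encryption key' line from it.
'size 40bit' takes 10 hex digits (or a 5-character ASCII key), 'size 128bit'
takes 26 hex digits (or 13 ASCII characters); the 24-bit IV fills the rest.

Added example, not Cisco's validation logic; the ASCII handling is an assumption.
"""
import re

IV_BITS = 24
HEX_DIGITS = {10: 40, 26: 104}     # hex-string length -> secret bits
ASCII_CHARS = {5: 40, 13: 104}     # ascii-string length -> secret bits


def classify_wep_key(key: str):
    """Return (nominal_bits, form, hex_key) or raise ValueError.
    A 10- or 26-digit string of hex digits is taken as hex; anything else must be
    5 or 13 printable ASCII characters, which are used byte-for-byte as the key."""
    if len(key) in HEX_DIGITS and re.fullmatch(r"[0-9A-Fa-f]+", key):
        return HEX_DIGITS[len(key)] + IV_BITS, "hex", key.lower()
    if len(key) in ASCII_CHARS and all(0x20 <= ord(c) <= 0x7E for c in key):
        return ASCII_CHARS[len(key)] + IV_BITS, "ascii", key.encode("ascii").hex()
    raise ValueError(
        "WEP key must be 10 or 26 hex digits, or 5 or 13 ASCII characters (got %d)" % len(key))


def ios_encryption_key_command(slot: int, key: str, transmit: bool = True) -> str:
    """Build the 'encryption key' line shown above from a validated key."""
    if slot not in (1, 2, 3, 4):
        raise ValueError("key slot must be 1-4")
    bits, _, hex_key = classify_wep_key(key)
    size = "40bit" if bits == 64 else "128bit"
    line = "encryption key %d size %s %s" % (slot, size, hex_key)
    return line + " transmit-key" if transmit else line


def is_valid_wep_key(key: str) -> bool:
    try:
        classify_wep_key(key)
        return True
    except ValueError:
        return False


def valid_keys(candidates) -> list:
    """Filter candidate strings to those the access point would accept."""
    return [k for k in candidates if is_valid_wep_key(k)]


if __name__ == "__main__":
    print(ios_encryption_key_command(1, "1122334455"))
    print(ios_encryption_key_command(1, "12345678901234567890123456"))
    print(valid_keys(["napier", "aaaaaaaaaa", "abcdefghij", "soc", "napie"]))
```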

4.5 TKIP

To overcome the problems of the WEP encryption method, TKIP (802.11i) adds two
things:

- MIC (Message Integrity Check). This adds two new fields: a sequence number and
  an integrity check field. The access point rejects any sequence numbers which are
  out of sequence. The integrity check is an improved version of the WEP ICV
  integrity checker.
- Per-packet keys. These produce WEP keys which eliminate IV reuse and weak
  IVs.

Figure 4.18 outlines the operation of the existing WEP standard, and Figure 4.19
shows how it has been enhanced while still keeping compatibility with existing wireless
hardware. Standard WEP is open to bit-flipping, and to a passive attack where the intruder waits for
the IV to repeat, and can then EX-OR the two ciphertext streams to determine
the plaintext.

Figure 4.18 Standard WEP: the IV and the WEP key seed RC4 to give the key stream RC4(k,IV); the plaintext P (with its ICV) is X-ORed with it to give the ciphertext C, and the IV is sent in plaintext in front of the ciphertext, which leaves the scheme open to a statistical attack or dictionary attack. For two frames:

$$C_1 = P_1 \oplus RC4(k, IV), \qquad C_2 = P_2 \oplus RC4(k, IV)$$

If the RC4(k,IV) values are the same then:

$$C_1 \oplus C_2 = P_1 \oplus P_2$$

With TKIP a Packet IV (PIV) is used as a sequence number, and a PPK (per-packet key) is created from it along with the shared key and the transmitter's address. The sequence
number stops replay attacks, as two frames with the same sequence number are
rejected (along with sequence numbers which are less than the expected sequence
number). The transmitter starts the PIV at zero, and then increments it for each
transmitted frame.

The temporal key is 128 bits long, and has a certain lifetime. It is then mixed
with the 48-bit MAC address of the transmitter, so that different stations
will produce data streams which are different. TKIP uses a re-key facility which
continually refreshes the encryption keys. Initially a master key is passed between
the access point and the station. This is created for each session, and is passed in a
secure way. The access point uses this master key to pass the encryption keys. The
station and the access point then generate two temporal keys, one for each direction
of transmission. To avoid the same key recurring, the Packet IV (which is 16 bits)
will roll over every 2^16 packets. Thus the master key must be regenerated every 2^16
packets.
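The receiver-side consequences of the per-packet counter described above, as an added simulation (not TKIP's real key-mixing function or state machine, and not code from the original notes): the Packet IV is a per-transmitter counter that starts at zero, a frame whose counter is not above the last accepted one is rejected, and with the 16-bit counter used in the text the keys must be refreshed before it wraps. The per-packet key is a SHA-256 stand-in for the key mix of Figure 4.19, and the addresses and temporal key are constructed values.

```python
"""Replay rejection and re-key trigger from the TKIP description, as an added
simulation. Not TKIP's actual key-mixing or state machine: the per-packet key
is a SHA-256 stand-in, and the 16-bit Packet IV size follows the text.
"""
import hashlib

PIV_BITS = 16
PIV_LIMIT = 1 << PIV_BITS          # 65,536 frames per temporal key


class RekeyRequired(Exception):
    """Raised when the Packet IV would roll over: a new master/temporal key is needed."""


def per_packet_key(temporal_key: bytes, tx_addr: bytes, piv: int) -> bytes:
    """Stand-in key mix: a different transmitter address or PIV gives a different key."""
    if not (len(temporal_key) == 16 and len(tx_addr) == 6):
        raise ValueError("128-bit temporal key and 48-bit address expected")
    return hashlib.sha256(temporal_key + tx_addr + piv.to_bytes(2, "big")).digest()[:16]


class Transmitter:
    def __init__(self, addr: bytes, temporal_key: bytes):
        self.addr, self.temporal_key, self.piv = addr, temporal_key, 0

    def next_frame(self, payload: bytes) -> dict:
        """Emit a frame with the next PIV, or refuse once the counter is exhausted."""
        if self.piv >= PIV_LIMIT:
            raise RekeyRequired("Packet IV exhausted after %d frames" % PIV_LIMIT)
        frame = {"tx": self.addr, "piv": self.piv,
                 "key": per_packet_key(self.temporal_key, self.addr, self.piv),
                 "payload": payload}
        self.piv += 1
        return frame


class Receiver:
    def __init__(self):
        self.last_piv = {}            # highest accepted PIV per transmitter

    def accept(self, frame: dict) -> str:
        """Accept only frames whose PIV is above the last accepted one from that sender."""
        last = self.last_piv.get(frame["tx"], -1)
        if frame["piv"] <= last:      # replayed, or older than expected
            return "REJECT-REPLAY"
        self.last_piv[frame["tx"]] = frame["piv"]
        return "ACCEPT"


def frames_before_rekey(tx: Transmitter) -> int:
    """Count how many more frames a transmitter can send under its current key."""
    n = 0
    try:
        while True:
            tx.next_frame(b"")
            n += 1
    except RekeyRequired:
        return n


def demo():
    tk = bytes(range(16))                                     # constructed temporal key
    sta_a = Transmitter(bytes.fromhex("123456789012"), tk)    # address from Figure 4.19
    sta_b = Transmitter(bytes.fromhex("aabbccddeeff"), tk)    # same key, other address
    rx = Receiver()
    f1, f2 = sta_a.next_frame(b"one"), sta_a.next_frame(b"two")
    results = [rx.accept(f1), rx.accept(f2), rx.accept(f1)]   # third is a replay of f1
    results.append(rx.accept(sta_b.next_frame(b"other")))    # separate counter per sender
    distinct_keys = sta_a.next_frame(b"x")["key"] != sta_b.next_frame(b"x")["key"]
    return results, distinct_keys


if __name__ == "__main__":
    print(demo())
    print(frames_before_rekey(Transmitter(bytes(6), bytes(16))))   # 65536
```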
Figure 4.19 TKIP: the 16-bit Packet IV (used as the sequence number), the 128-bit temporal key (which has a certain lifetime) and the 48-bit transmitter address (Tx Addr, e.g. 12:34:56:78:90:12) are fed to the key mix to produce the 128-bit per-packet key. This seeds RC4 to give RC4(k,IV), which is X-ORed with the plaintext P and ICV to give the ciphertext C; the first 24 bits of the PPK are carried in the IV field, added for compatibility with existing hardware.

Figure 4.20 TKIP: a master key (a shared secret key generated for each session) is used between the wireless access point and the station to pass the encryption keys; each side holds a sending and a receiving temporal key. The master key must be refreshed every 2^16 packets, since the Packet IV is 16 bits (with a 128-bit temporal key and 48-bit Tx Addr).


4.5.1 Configuring TKIP

TKIP is not the long-term solution to the problems of wireless security, but it is compatible
with existing equipment, and should provide enough security for current standards.

ap(config-if)# encryption mode ?
  ciphers  Optional data ciphers
  wep      Classic 802.11 privacy algorithm
ap(config-if)# encryption mode ciphers ?
  aes-ccm    WPA AES CCMP
  ckip       Cisco Per packet key hashing
  ckip-cmic  Cisco Per packet key hashing and MIC (MMH)
  cmic       Cisco MIC (MMH)
  tkip       WPA Temporal Key encryption
  wep128     128 bit key
  wep40      40 bit key
ap(config-if)# encryption mode ciphers tkip ?
  aes-ccm  WPA AES CCMP
  wep128   128 bit key
  wep40    40 bit key
  <cr>
ap(config-if)# encryption mode ciphers tkip wep128
ap1200(config-if)# encryption key 1 size 128 12345678901234567890123456 transmit-key

which configures both TKIP and WEP128 (for clients that do not support TKIP).
4.5.2 WPA-PSK

One mode of TKIP is WPA-PSK (Pre-shared key), where the user defines a pre-shared key which is set up on both the access point and the client. Figure 4.21 shows an example setup
of WPA-PSK on a client with the shared key napieruniversity; the matching access point
configuration, with the same shared key, is:

(config)# dot11 ssid texas
(config-ssid)# wpa-psk ascii napieruniversity
(config-ssid)# exit
(config)# int d0
(config-if)# ssid texas

Figure 4.21: WPA-PSK


4.6 Tutorial
1. Prove that there are 16,777,216 IV values.
2. Show that 128-bit WEP encryption requires 26 hexadecimal digits. Why does it
   only require 13 ASCII characters?
3. Show that 64-bit WEP encryption requires 10 hexadecimal digits. Which of the
   following are valid 64-bit WEP keys:
   napier
   university
   soc
4. Which of the following are valid hexadecimal 64-bit WEP keys:
   napier
   aaaaaaaaaa
   abcdefghij
5. What is the result of ABC exclusive-ORed (⊕) with 1010 1010 1010 1010 1010
   1010? What is the result if the same key is used to exclusive-OR the result?
   Example: D ⊕ 1001 1001 gives:
   0100 0100
   1001 1001
   1001 1101

   The rules for ⊕ are: 0⊕0=0, 0⊕1=1, 1⊕0=1 and 1⊕1=0.

6. Approximate the time taken for the IV value to repeat for a 54 Mbps connection.
7. How is the WEP key set in a wireless access point which uses Cisco IOS?
8. Complete the wireless access point tutorial.

Copyright statement
This unit has been designed as an integrated unit, and should not
be modified without the author's consent.
Prof Bill Buchanan, Sept 2008

4.7 Standard ASCII


Binary    Dec Hex Char    Binary    Dec Hex Char    Binary    Dec Hex Char    Binary    Dec Hex Char
00000000    0  00 NUL     00100000   32  20 SPACE   01000000   64  40 @       01100000   96  60 `
00000001    1  01 SOH     00100001   33  21 !       01000001   65  41 A       01100001   97  61 a
00000010    2  02 STX     00100010   34  22 "       01000010   66  42 B       01100010   98  62 b
00000011    3  03 ETX     00100011   35  23 #       01000011   67  43 C       01100011   99  63 c
00000100    4  04 EOT     00100100   36  24 $       01000100   68  44 D       01100100  100  64 d
00000101    5  05 ENQ     00100101   37  25 %       01000101   69  45 E       01100101  101  65 e
00000110    6  06 ACK     00100110   38  26 &       01000110   70  46 F       01100110  102  66 f
00000111    7  07 BEL     00100111   39  27 '       01000111   71  47 G       01100111  103  67 g
00001000    8  08 BS      00101000   40  28 (       01001000   72  48 H       01101000  104  68 h
00001001    9  09 HT      00101001   41  29 )       01001001   73  49 I       01101001  105  69 i
00001010   10  0A LF      00101010   42  2A *       01001010   74  4A J       01101010  106  6A j
00001011   11  0B VT      00101011   43  2B +       01001011   75  4B K       01101011  107  6B k
00001100   12  0C FF      00101100   44  2C ,       01001100   76  4C L       01101100  108  6C l
00001101   13  0D CR      00101101   45  2D -       01001101   77  4D M       01101101  109  6D m
00001110   14  0E SO      00101110   46  2E .       01001110   78  4E N       01101110  110  6E n
00001111   15  0F SI      00101111   47  2F /       01001111   79  4F O       01101111  111  6F o
00010000   16  10 DLE     00110000   48  30 0       01010000   80  50 P       01110000  112  70 p
00010001   17  11 DC1     00110001   49  31 1       01010001   81  51 Q       01110001  113  71 q
00010010   18  12 DC2     00110010   50  32 2       01010010   82  52 R       01110010  114  72 r
00010011   19  13 DC3     00110011   51  33 3       01010011   83  53 S       01110011  115  73 s
00010100   20  14 DC4     00110100   52  34 4       01010100   84  54 T       01110100  116  74 t
00010101   21  15 NAK     00110101   53  35 5       01010101   85  55 U       01110101  117  75 u
00010110   22  16 SYN     00110110   54  36 6       01010110   86  56 V       01110110  118  76 v
00010111   23  17 ETB     00110111   55  37 7       01010111   87  57 W       01110111  119  77 w
00011000   24  18 CAN     00111000   56  38 8       01011000   88  58 X       01111000  120  78 x
00011001   25  19 EM      00111001   57  39 9       01011001   89  59 Y       01111001  121  79 y
00011010   26  1A SUB     00111010   58  3A :       01011010   90  5A Z       01111010  122  7A z
00011011   27  1B ESC     00111011   59  3B ;       01011011   91  5B [       01111011  123  7B {
00011100   28  1C FS      00111100   60  3C <       01011100   92  5C \       01111100  124  7C |
00011101   29  1D GS      00111101   61  3D =       01011101   93  5D ]       01111101  125  7D }
00011110   30  1E RS      00111110   62  3E >       01011110   94  5E ^       01111110  126  7E ~
00011111   31  1F US      00111111   63  3F ?       01011111   95  5F _       01111111  127  7F DEL

Wireless Authentication

5.1 Introduction
The key elements of security are confidentiality, integrity and assurance (CIA), where
sensitive data must be kept securely, typically using encryption. Key factors, though,
are the ownership of, and the access rights to, data and services. Thus some form of
authentication must be applied to make sure that the users and/or devices that are
accessing services and data have the correct rights. Authentication is thus important
from many aspects, as it can be used to identify these users and devices. The first
generation of wireless networks tended not to use strong authentication, and tended
to use the MAC address of the device to authenticate. Unfortunately this method is
open to MAC and IP address spoofing, where valid MAC and IP addresses are used
to connect to the wireless network. Along with this, an authentication scheme based
purely on the device does not properly authenticate the user, thus many
authentication schemes have some form of user/group identification and verification.
The main methods used for verification include:

- Network/physical addresses. These are simple methods of verifying a device,
  through a network address or name that the device has, or its MAC address. The
  network address, such as the IP address, can be easily spoofed, but the physical
  address is less easy and is a more secure implementation. Unfortunately the
  physical address can also be spoofed, either through software modifications of
  the wireless data frame, or by reprogramming the network interface card.
- Username and password. This uses usernames and passwords but it is open to
  security breaches, especially from dictionary attacks on passwords, and from
  social engineering attacks. Methods include LEAP, PEAP, EAP-FAST and EAP-SRP.
  It is a useful method for integrating authentication with an existing
  username/password system, such as a Windows NT/2000 domain.
- Authentication certificate. This verifies a user or a device by providing
  a digital certificate which can be verified by a reputable source. Methods include
  EAP-TLS.
- Tokens/Smart cards. With this method a user can only gain access to the system
  after they have inserted their personal smart card into a host and then entered their
  PIN pass code. Methods include RSA SecurID Token Card and Smartcard EAP.
  This method is particularly popular for businesses whose employees have
  notebooks holding sensitive data, which will not start unless the
  correct smart card is inserted into a slot. This is then, typically, enhanced with a
  password system.
- Pre-shared keys. This uses a pre-defined secret key. Methods include EAP-Archie.
  The shared keys could be generated by a pass phrase, to make them easy
  to generate and remember.
- Biometrics. This is a better method than a smart card, where a physical feature of
  the user is scanned. The scanned parameter needs to be unchanging, such as
  fingerprints, hand scans, or retina images.


Normally the level of security applied depends on the security requirements. In a
highly secure network, smart cards and biometrics are likely to be used to
authenticate users, while in a less secure network, usernames and passwords may be
sufficient.

5.2 Authentication infrastructure

The 802.1x standard supports the authentication of users and devices onto the
network at the point of their connection. With this a supplicant connects to an
authenticator, such as a switch or a wireless access point. The authenticator is set up to send the
request for authentication to an authentication server such as a RADIUS or Tacacs+
server (Figure 5.1). If the user/device is authenticated, the server sends an acceptance message
back to the authenticator, which then allows the user/device onto the network. The
authentication server is kept synchronised with the correct authentication details,
such as by synchronising with a Windows domain server for usernames and passwords,
or with a PKI server for digital certificates. The 802.1x standard has many advantages,
including that it connects to many different types of networks, including 802.11
(wireless), 802.3 (Ethernet) and PPP (serial), and supports a wide range of
authentication methods, such as LEAP (username and password), PEAP
(username/password or digital certificate), and so on. A great advantage is that users
and devices are not allowed onto the network unless they have the required
credentials, even though they have a physical or wireless connection. In the future
more network infrastructures will embed 802.1x so that no user or device connects
unless they have the required authentication. For smaller networks, the authentication
server could be built into the authenticator by using a local authentication server.
This is defined as local authentication.

Figure 5.1 802.1x authentication infrastructure: the supplicant connects through the authenticator (a wireless access point), which passes the usernames and passwords on to a centralised RADIUS or Tacacs+ authentication server; that server is kept in step with a Windows Domain server and a PKI server.

5.3 802.11 frame format

The 802.11 frame format includes a 12-byte preamble (10101 1010 0000 1100 1011
1101), followed by a PLCP (Physical Layer Convergence Protocol) header (which
contains information used by the physical layer) and then by the MAC data frame
(Figure 5.2).
Figure 5.2 IEEE 802.11 frame format. The MAC frame fields are: Frame control (2 bytes), Duration/ID (2 bytes), Add 1 (Dest., 6 bytes), Add 2 (Src, 6 bytes), Add 3 (SSID, 6 bytes), Sequence control (2 bytes), Add 4 (6 bytes), Frame body (0-2312 bytes) and FCS (4 bytes). The Frame control field holds the Protocol version (00, 0x0), the Frame type (00 Management frame (0x0), 01 Control, 10 Data), the Subtype (Management: 0000 Association Request, 0001 Association Response, 0100 Probe request (0x4), 1011 Authentication (0xB); Control: 1011 RTS, 1100 CTS, 1101 ACK) and the flag bits ToDS, FromDS, MoreFrag, Retry, PowerManagement, MoreData (0 No more data), WEP (0 No WEP, 1 WEP) and Order (0 Not ordered).

There are three types of frames (defined in the frame type bits):

- Management frame. Used for management purposes, such as associating with
  the access point, and in authentication.
- Control frame. Used for control purposes, such as for handshaking including
  RTS, CTS and ACK.
- Data frame. Used to transmit data.

The types of management frames are:

0000 Association Request        0001 Association Response
0010 Reassociation Request      0011 Reassociation Response
0100 Probe Request              0101 Probe Response
1000 Beacon                     1010 Disassociation
1011 Authentication             1100 Deauthentication

For a control frame:

1011 RTS, 1100 CTS, 1101 ACK


A sending client (or DS, Distributed System) defines whether the data frame is
forwarded. If it is not to be forwarded, the ToDS and FromDS bits are set to zero. The
MoreFrag bit defines whether the data frame has been fragmented, and the Retry bit
is set when the same data frame has already been sent. A client can indicate that it uses
power management by setting the PowerManagement bit. The MoreData bit is used
by an access point to indicate that more data frames have been buffered
for a client. If the Order bit is set it indicates that the data frames are ordered, while the
WEP bit defines whether WEP is used or not. The main phases of the connection between a
station client and a wireless access point are probe request, authentication, and
association.
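A decoder for the Frame Control field of Figure 5.2 and the subtype tables above, followed by a simple monitoring check built on it, as an added example (not code from the original notes). The frames are constructed, not captured; the field layout is the one in the figure (frame control, duration/ID, addresses 1 to 3, sequence control) with the two frame-control bytes read in wire (little-endian) order, and the addresses and the deauthentication threshold are assumptions.

```python
"""Decode the 802.11 Frame Control field of Figure 5.2 and use it for a
monitoring check. Added example with constructed frames; the addresses and
threshold are assumptions.
"""
import struct
from collections import Counter

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}
MANAGEMENT_SUBTYPES = {
    0b0000: "Association Request", 0b0001: "Association Response",
    0b0010: "Reassociation Request", 0b0011: "Reassociation Response",
    0b0100: "Probe Request", 0b0101: "Probe Response",
    0b1000: "Beacon", 0b1010: "Disassociation",
    0b1011: "Authentication", 0b1100: "Deauthentication",
}
CONTROL_SUBTYPES = {0b1011: "RTS", 0b1100: "CTS", 0b1101: "ACK"}
FLAG_NAMES = ["ToDS", "FromDS", "MoreFrag", "Retry", "PowerManagement",
              "MoreData", "WEP", "Order"]          # bit 0 .. bit 7 of the second byte


def parse_frame_control(fc: bytes) -> dict:
    """First byte: protocol version (bits 0-1), type (bits 2-3), subtype (bits 4-7);
    second byte: the eight flag bits named in the figure."""
    b0, b1 = fc[0], fc[1]
    ftype, subtype = (b0 >> 2) & 0b11, b0 >> 4
    names = MANAGEMENT_SUBTYPES if ftype == 0 else CONTROL_SUBTYPES if ftype == 1 else {}
    return {
        "version": b0 & 0b11,
        "type": FRAME_TYPES.get(ftype, "Reserved"),
        "subtype": names.get(subtype, "subtype %d" % subtype),
        "flags": [name for i, name in enumerate(FLAG_NAMES) if b1 >> i & 1],
    }


def parse_header(frame: bytes) -> dict:
    """Frame control, duration/ID and the three addresses of the figure."""
    if len(frame) < 24:
        raise ValueError("802.11 header needs at least 24 bytes")
    info = parse_frame_control(frame[0:2])
    info["duration"] = struct.unpack("<H", frame[2:4])[0]
    info["addr1"] = frame[4:10].hex(":")     # Add 1 (Dest.)
    info["addr2"] = frame[10:16].hex(":")    # Add 2 (Src)
    info["addr3"] = frame[16:22].hex(":")    # Add 3 (SSID / BSSID)
    return info


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(fc: bytes, addr1: str, addr2: str, addr3: str, body: bytes = b"") -> bytes:
    """Assemble a constructed frame (duration and sequence control zero, no FCS)."""
    return fc + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3) + b"\x00\x00" + body


def deauth_senders_over(frames, threshold: int) -> list:
    """Monitoring check: source addresses that sent more than `threshold`
    deauthentication frames, a usual sign of a spoofed-deauthentication DoS."""
    counts = Counter(parse_header(f)["addr2"] for f in frames
                     if parse_frame_control(f[0:2])["subtype"] == "Deauthentication")
    return sorted(a for a, n in counts.items() if n > threshold)


AP = "00:11:22:33:44:55"          # constructed addresses
STA = "66:77:88:99:aa:bb"
BCAST = "ff:ff:ff:ff:ff:ff"

DEAUTH_FC = bytes([0b1100 << 4 | 0 << 2 | 0, 0x00])    # management, subtype 1100
PROBE_REQ_FC = bytes([0b0100 << 4, 0x00])              # management, subtype 0100
DATA_WEP_TODS_FC = bytes([2 << 2, 0b01000001])         # data frame, ToDS + WEP set

SAMPLE_FRAMES = (
    [build_frame(PROBE_REQ_FC, BCAST, STA, BCAST)]
    + [build_frame(DEAUTH_FC, STA, AP, AP, b"\x07\x00") for _ in range(12)]
    + [build_frame(DATA_WEP_TODS_FC, AP, STA, AP, b"\x00" * 8)]
)

if __name__ == "__main__":
    for f in (SAMPLE_FRAMES[0], SAMPLE_FRAMES[-1]):
        print(parse_header(f))
    print(deauth_senders_over(SAMPLE_FRAMES, 10))   # ['00:11:22:33:44:55']
```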

5.4 Probe request

When a client station starts, it sends out a probe request on each channel for a
specified SSID. All the access points which match the SSID respond with a probe
response. If it does not know the name of the SSID it will use the BROADCAST
address (FF FF FF FF FF FF). As it will not know the MAC address of the access point,
it sends out a BROADCAST address (FF FF FF FF FF FF) for the destination address.

Figure 5.3 Station operations: probe request and probe response, then authentication request and authentication response, then association request and association response, exchanged between the station and the wireless access point.

5.5 Authentication phase

The authentication method used typically depends on the requirements, and the range
of devices currently available. Figure 5.4 shows some of these methods for a client.
The authentication phase uses one of:

- Open authentication. In this type the client is always accepted. Open
  authentication is typically used where it does not matter whether the devices are
  authenticated, or where there are devices which cannot support complex
  authentication, such as hand-held devices. If open authentication is used, any
  device can gain access to the network. Each radio port can have multiple SSID
  transmissions, which can either be sent as a beacon to inform clients, or can be
  hidden, so that clients will not be able to view them.
- Based on WEP. If WEP is used, the WEP key can be used to authenticate the
  client to the access point. If it does not have the correct WEP key it will not be
  allowed access to the network.
- Shared-key. With this method, the access point and the client have the same
  shared key. The access point sends an authentication response which has a
  challenge text. The client then encrypts the challenge with the shared WEP key,
  and sends it back to the access point. If it has been correctly encrypted, the access
  point sends back an authentication response (success), as illustrated in Figure 5.5.
  The major problem with shared-key authentication is that it is vulnerable to a
  man-in-the-middle attack, where an intruder can capture both the plain-text
  challenge and the ciphertext, and XOR them together to generate the key stream,
  as illustrated in Figure 5.6. With the key stream, the man-in-the-middle does not
  need the shared key, as they can send a message which is XORed with the
  random key.
- 802.1x. This method implements a whole range of authentication methods, such
  as TLS, LEAP, EAP-FAST, and so on, and provides a framework for them to exist.
- MAC address-based. This is not a standard method used in 802.11, but is
  implemented by many vendors. Initially, as illustrated in Figure 5.7, the station
  client sends an association request to the access point, which then sends the MAC
  address to the RADIUS server, which checks it against the addresses in its
  database. If it is successful, it sends a RADIUS-ACCEPT message to the access
  point, after which the access point sends an association response (Success)
  message to the station client. The MAC address-based method can be defeated
  with a network interface card which can be set to a MAC address which is valid
  on the network.

Figure 5.4 Authentication methods


Figure 5.5 Shared-key authentication: after the probe request and response, the station sends an authentication request and the access point sends an authentication response; the shared WEP key (Key: ABCDEF on both sides) is used to authenticate the client before WEP data frames are exchanged.

Figure 5.6 Man-in-the-middle attack: the plaintext challenge (ABCDE) and the WEP-encrypted challenge (#@D.F) are both sniffed; the man-in-the-middle EX-ORs the two strings and determines the RC4 random key stream.

Figure 5.7 MAC address-based authentication: after the probe request, the wireless access point sends the station's MAC address to the RADIUS server; a RADIUS-accept message returns to the access point, which then sends an authentication response (success) to the station.

5.6 Authentication techniques

It has been seen that standard 802.11 authentication methods can be easily overcome.
There are several standard authentication methods, some of which have been
developed by vendors, such as Cisco Systems, while others are international
standards. Basically authentication consists of an authentication framework, an
authentication algorithm and an encryption technique. The proposed enhanced
authentication method tries to split these up with:

- 802.1x[2] authentication. This defines the authentication framework which can
  support many authentication types. Ethernet networks have developed so that Ethernet is
  now the standard method of connecting to a wired network. The IEEE 802.1x
  standard aims to extend Ethernet onto wireless networks and dial-up connections.
  It uses a port authentication method that could be used on a range of networks,
  including 802.3 (Ethernet), 802.11 (wireless) and PPP (serial connections). IEEE
  802.1x thus defines authentication and key management, while 802.11i defines
  extended security. At present the WiFi Alliance (WFA) has published the
  802.11 security specification, which is known as Wi-Fi Protected Access (WPA).
- EAP (Extensible Authentication Protocol). This defines the actual implementation
  of the authentication method. It thus provides centralized authentication and
  dynamic key distribution. It has been developed by the IEEE 802.11i Task Group
  as an end-to-end framework and uses 802.1x with:
  o Authentication. This is of both the client and the authentication server
    (such as a RADIUS server).
  o Encryption keys. These are dynamically created after authentication.
    They are not common to the whole network.
  o Centralized policy control. A session time-out generates a
    reauthentication and the generation of new encryption keys.
- Encryption. This replaces WEP with TKIP (Temporal Key Integrity Protocol),
  which is based on WEP but which overcomes its major weaknesses.

[2] Note that 802.1x is port-based authentication, and is not to be confused with 802.1q, which is
VLAN tagging and is used to provide a trunk between switches, or with 802.11x,
which is any existing or developing standard in the 802.11 family.

Figure 5.8 shows that the 802.1x framework provides an interface between many
different network types and a number of differing authentication methods (such as
LEAP, EAP-TLS, and so on). It can be seen that 802.1x sits between the Layer 3
protocol and the link layer, which means that the device cannot directly
communicate with the network unless it has been authenticated. The framework
supports a wide range of authentication methods, and also network technologies,
and is seen as a single standard for the future of authenticated systems. As
previously mentioned, 802.1x uses three main entities:

- Supplicant. This operates on the station client.
- Authenticator. This operates on the access point.
- Authentication server. This operates on a RADIUS server.

Figure 5.9 shows the basic message flow for 802.1x authentication, where the
supplicant sends its identity to the access point, which is then forwarded to a
RADIUS server. The RADIUS server then authenticates the client, and vice versa. If
these are successful the RADIUS server sends a RADIUS-ACCEPT message to the
access point, which then allows the client to join the network.

Figure 5.8 802.1x layers

Figure 5.9 Basic message flow for 802.1X: Start, Request ID and ID are exchanged with the access point and the ID is passed on to the RADIUS server; the RADIUS server authenticates the client and the client authenticates the RADIUS server; the broadcast key and key length are then delivered.

5.7 EAP
In most cases, a wireless client cannot gain access to the network unless it has been
authenticated by the access point or a RADIUS server, and has encryption keys
(Figure 5.10). The main versions of EAP are:

- LEAP - Lightweight EAP.
- EAP-TLS - EAP-Transport Layer Security.
- PEAP - Protected EAP.
- EAP-TTLS - EAP-Tunnelled TLS.
- EAP-SIM - EAP-Subscriber Identity Module.

The operation of EAP is:

1. Client associates with the access point.
2. Client provides authentication details. The client details can be either UserID and
   password, or UserID and digital certificate, or a one-time password.
3. RADIUS server authenticates the user.
4. User authenticates the RADIUS server.
5. Client and RADIUS server derive the unicast WEP key.
6. RADIUS server gives broadcast WEP key to access point.
7. Access point sends broadcast WEP key to client using unicast WEP key.
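The seven steps above, as an added simulation that is not an implementation of LEAP, EAP-TLS or RADIUS and not code from the original notes. Authentication is a mutual HMAC-SHA256 challenge-response over a per-user secret, the unicast key is derived by both sides from the two challenges, and the broadcast key is delivered XORed with a key stream derived from the unicast key; all three are assumptions made for illustration, as are the user database and password. What the simulation shows is that the access point forwards nothing until the server accepts (step 1), that a wrong password and a rogue server both fail (steps 3 and 4), and that both ends end up with the same unicast and broadcast keys (steps 5 to 7).

```python
"""The seven EAP steps as an added simulation. Not LEAP, EAP-TLS or RADIUS:
challenge-response is HMAC-SHA256 over a per-user secret, the unicast key is
derived from both challenges, and the broadcast key is XORed with an
HMAC-derived key stream. All of these are illustration assumptions.
"""
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def user_secret(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # constructed derivation


class Supplicant:
    """Station side: holds the user's secret and its own challenge for step 4."""
    def __init__(self, user: str, password: str):
        self.user = user
        self.secret = user_secret(password)
        self.client_challenge = os.urandom(16)

    def respond(self, server_challenge: bytes) -> bytes:        # step 2
        return prf(self.secret, b"client", server_challenge)

    def verify_server(self, server_response: bytes) -> bool:    # step 4
        expected = prf(self.secret, b"server", self.client_challenge)
        return hmac.compare_digest(expected, server_response)

    def unicast_key(self, server_challenge: bytes) -> bytes:    # step 5
        return prf(self.secret, b"unicast", server_challenge, self.client_challenge)


class RadiusServer:
    def __init__(self, users: dict):
        self.users = users                        # user -> secret (constructed database)
        self.server_challenge = os.urandom(16)
        self.broadcast_key = os.urandom(16)

    def check_client(self, user: str, client_response: bytes) -> bool:   # step 3
        secret = self.users.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(prf(secret, b"client", self.server_challenge), client_response)

    def answer(self, user: str, client_challenge: bytes) -> bytes:       # step 4
        return prf(self.users[user], b"server", client_challenge)

    def unicast_key(self, user: str, client_challenge: bytes) -> bytes:  # step 5
        return prf(self.users[user], b"unicast", self.server_challenge, client_challenge)


class RogueServer(RadiusServer):
    """Accepts everyone but holds no user secret, so it cannot pass step 4."""
    def check_client(self, user, client_response):
        return True

    def answer(self, user, client_challenge):
        return os.urandom(32)


class AccessPoint:
    """802.1x authenticator: the port forwards nothing until RADIUS accepts."""
    def __init__(self):
        self.port_open = False
        self.broadcast_key = None

    def forward(self, payload: bytes):
        return payload if self.port_open else None


def wrap(unicast_key: bytes, data: bytes) -> bytes:
    """Step 7 transport of the 16-byte broadcast key under the unicast key
    (XOR with an HMAC-derived key stream; a stand-in, not a real key wrap)."""
    return bytes(a ^ b for a, b in zip(data, prf(unicast_key, b"wrap")))


def run_eap(ap: AccessPoint, sup: Supplicant, server: RadiusServer) -> str:
    # Step 1: associated, but the controlled port is still closed
    if ap.forward(b"data") is not None:
        return "PORT-OPEN-BEFORE-AUTH"
    # Steps 2 and 3: identity and challenge response, checked by the server
    if not server.check_client(sup.user, sup.respond(server.server_challenge)):
        return "ACCESS-REJECT"
    # Step 4: the client checks the server's answer to the client's challenge
    if not sup.verify_server(server.answer(sup.user, sup.client_challenge)):
        return "SERVER-AUTH-FAILED"
    # Step 5: both sides derive the unicast key without it ever being sent
    k_server = server.unicast_key(sup.user, sup.client_challenge)
    k_client = sup.unicast_key(server.server_challenge)
    # Steps 6 and 7: broadcast key to the AP, then to the client under the unicast key
    ap.broadcast_key = server.broadcast_key
    ap.port_open = True
    received = wrap(k_client, wrap(k_server, ap.broadcast_key))
    if k_server != k_client or received != server.broadcast_key:
        return "KEY-MISMATCH"
    return "ACCESS-ACCEPT"


if __name__ == "__main__":
    users = {"alice": user_secret("correct horse")}    # constructed user database
    print(run_eap(AccessPoint(), Supplicant("alice", "correct horse"), RadiusServer(users)))
    print(run_eap(AccessPoint(), Supplicant("alice", "wrong"), RadiusServer(users)))
    print(run_eap(AccessPoint(), Supplicant("alice", "correct horse"), RogueServer({})))
```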

5.7.1 EAP-TLS

This is based on a UserID and a digital certificate. With a digital certificate, the client
uses public key encryption, such as RSA, to produce a public and a private key. The
digital certificate for the user, or the device, stores the public key, and this digital
certificate is typically stored on a trusted PKI server. When authenticating, the client
encrypts a message with the private key, and passes it to the authentication server,
which then takes the digital certificate for the device, and decrypts the encrypted
message with the public key. If the message is decrypted successfully, the digital
certificate has been validated, and the user/device is allowed onto the network (see
Section 5.8 for a further explanation). The details EAP-TLS uses are:

User Authentication:   User ID and digital certificate
Key size:              128 bits
Encryption:            RC4
Device Authentication: Certificate
Open Standard:         Yes
User differentiation:  Group
Certificate:           RADIUS server/WLAN client

Figure 5.10 EAP authentication: a device cannot access the corporate network until it has been authenticated and has encryption keys; the EAP end point can either be in the access point (a local RADIUS server) or on a separate RADIUS server.

5.7.2 LEAP

LEAP is a fairly low-requirement method of authentication, and is useful when
connected to a network which has a table of usernames and passwords. The
required details are:

User Authentication:   User ID and password
Key size:              128 bits
Encryption:            RC4
Device Authentication: Not Supported
Open Standard:         No (Cisco-derived)
User differentiation:  Group
Certificate:           None

LEAP uses MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) to continually
challenge the device for its ID. This is a challenge-response, mutual authentication
protocol using Message Digest 4 (MD4) and Data Encryption Standard (DES)
algorithms to encrypt responses. The authenticating device challenges the client, and
vice versa. If either challenge is incorrect, the connection is rejected. The password is
converted into a password hash[3] using MD4, so it is not possible for an intruder to
listen in to the password itself.

The hashed password is then converted into a Windows NT key, which has the
advantage of being compatible with Microsoft Windows systems. Normally
authentication is achieved using the Microsoft login screen, where the user name and
the Windows NT key are passed from the client to the access point. LEAP is thus
open to a dictionary attack, so strong passwords should be used. There
are also many programs which can search for passwords and determine their hash
function.
5.7.3 Protected EAP (PEAP)

This uses a User ID and a one-time password (Figure 5.11). An OTP allows for a single
password to be passed once, after which subsequent passwords are automatically
generated and authenticated. The required details for PEAP are:
User Authentication:    User ID and password or OTP (one-time password)
Key size:               128 bits
Encryption:             RC4
Device Authentication:  Not supported
Open Standard:          Yes
User differentiation:   Group
Certificate:            Yes

Figure 5.11 PEAP authentication

³ A hash function is a one-way process, and thus the original data cannot be
recovered.

5.8 Digital Certificates

One of the most secure methods of authentication is to use digital certificates which
are granted from a trusted reputable source, such as from a local PKI server. Figure
5.12 shows the first part of the authentication process where the sender encrypts a
known message with their private encryption key, and then, possibly, encrypts this
and the data with the recipient's public key. When the encrypted message is then
received by the recipient, it will be decrypted by the recipient's private key, and then
the encrypted authentication is decrypted using the sender's public key,
which it gets from the digital certificate, as illustrated in Figure 5.13.

Figure 5.12 Adding authentication (the sender, fred, produces the encrypted
authentication with the private key, and the encrypted data with the receiver's public key)

Figure 5.13 Authenticating (the receiver decrypts the data with the private key, and uses
the public key from fred's digital certificate to decrypt the authentication)
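The exchange in Figures 5.12 and 5.13, as an added walk-through that is not code from the notes: textbook RSA over fixed primes (standard library only), where "encrypting with the private key" produces the authentication token and "decrypting with the public key" checks it, and where the public key is trusted only because a PKI server has signed the binding of the name fred to that key. The primes, the user name and the certificate layout are all constructed for the example, and the roughly 60-bit moduli are far too small for any real use.

```python
"""Private-key/public-key authentication of Figures 5.12 and 5.13, as an
added walk-through (not code from the notes).  Textbook RSA over fixed
primes, standard library only; the constructed key sizes are far too
small for real use and exist only to show the mechanics."""
import hashlib


def make_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)).  Assumes p and q are prime and e is
    coprime to (p-1)(q-1), which holds for the constants below."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def digest(message, n):
    """SHA-256 of the message, reduced into the modulus so the toy key can
    'encrypt' it.  Real systems pad the hash instead of reducing it."""
    h = hashlib.sha256(message.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % n


def sign(message, private_key):
    """'Encrypt with the private key': the sender's encrypted
    authentication of Figure 5.12."""
    d, n = private_key
    return pow(digest(message, n), d, n)


def verify(message, token, public_key):
    """'Decrypt with the public key' (Figure 5.13): valid only if the
    result equals the digest of the message actually received."""
    e, n = public_key
    return pow(token, e, n) == digest(message, n)


def issue_certificate(subject, subject_public_key, ca_private_key):
    """Minimal digital certificate: the PKI server binds a name to a
    public key and signs that binding with its own private key."""
    e, n = subject_public_key
    body = f"{subject}:{e}:{n}"
    return {"subject": subject, "public_key": subject_public_key,
            "ca_signature": sign(body, ca_private_key)}


def public_key_from_certificate(cert, ca_public_key):
    """Trust the key in a certificate only if the CA signature over
    (subject, key) checks out; return None otherwise."""
    e, n = cert["public_key"]
    body = f"{cert['subject']}:{e}:{n}"
    if verify(body, cert["ca_signature"], ca_public_key):
        return cert["public_key"]
    return None


def authenticate(message, token, cert, ca_public_key):
    """Receiver side of Figure 5.13: read the sender's public key from
    the certificate, then check the encrypted authentication."""
    public_key = public_key_from_certificate(cert, ca_public_key)
    return public_key is not None and verify(message, token, public_key)


# Constructed (insecure, roughly 60-bit modulus) keys for the PKI server
# and for the user "fred" from the figures.
CA_PUBLIC, CA_PRIVATE = make_keypair(998244353, 1000000007)
FRED_PUBLIC, FRED_PRIVATE = make_keypair(1000000009, 2147483647)
FRED_CERT = issue_certificate("fred", FRED_PUBLIC, CA_PRIVATE)

if __name__ == "__main__":
    message = "known message from fred"
    token = sign(message, FRED_PRIVATE)
    print("genuine :", authenticate(message, token, FRED_CERT, CA_PUBLIC))
    print("tampered:", authenticate(message + "!", token, FRED_CERT, CA_PUBLIC))
    forged = dict(FRED_CERT, subject="mallory")
    print("forged cert:", public_key_from_certificate(forged, CA_PUBLIC))
```

The two failure cases matter as much as the success: a token that does not match the message received, and a certificate whose contents have been altered after the PKI server signed it, are both rejected before the user is let onto the network.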

5.9 Cisco Access Point configuration

The authentication of the radio interface is defined within the SSID configuration. To set
the authentication to LEAP we must define a user ID and a password:
# config t
(config)# dot11 ssid fred
(config-ssid)# ?
ssid configuration commands:
  accounting           radius accounting
  authentication       authentication method
  exit                 Exit from ssid sub mode
  guest-mode           guest ssid
  infrastructure-ssid  ssid used to associate to other infrastructure devices
  ip                   IP options
  max-associations     set maximum associations for ssid
  no                   Negate a command or set its defaults
  vlan                 bind ssid to vlan
  wpa-psk              Configure Wi-Fi Protected Access pre-shared key

(config-ssid)# authentication ?
  client          LEAP client information
  key-management  key management
  network-eap     leap method
  open            open method
  shared          shared method

(config-ssid)# authentication network-eap ?
  WORD  leap list name (1 -- 31 characters)

(config-ssid)# authentication network-eap joe
(config-ssid)# authentication client ?
  username  Specify the username for the LEAP client
(config-ssid)# authentication client username ?
  WORD  LEAP user name (1 -- 31 characters)
(config-ssid)# authentication client username fred password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) LEAP password

(config-ssid)# authentication client username fred password bert
(config-ssid)# exit
(config)# int dot11radio0
(config-if)# ssid fred

Set key management:

# config t
(config)# dot11 ssid fred
(config-ssid)# authentication key-management wpa
(config-ssid)# wpa-psk ascii ?
(config-ssid)# exit
(config)# int dot11radio0
(config-if)# ssid fred

Set authentication to LEAP:

# config t
(config)# dot11 ssid fred
(config-ssid)# auth ?
  client          EAP client information
  key-management  key management
  network-eap     leap method
  open            open method
  shared          shared method
(config-ssid)# auth network-eap ?
  WORD  leap list name (1 -- 31 characters)
(config-ssid)# authentication network-eap eap_methods
(config-ssid)# exit
(config)# int dot11radio0
(config-if)# ssid fred

Set authentication to shared:

# config t
(config)# dot11 ssid fred
(config-ssid)# authentication shared eap
(config-ssid)# exit
(config)# int dot11radio0
(config-if)# ssid fred

Enable encryption key:

# config t
(config)# int dot11radio0
(config-if)# encryption mode ciphers tkip wep128
(config-if)# encryption key 3 size 128bit 12345678901234567890123456 transmit-key

5.10 LEAP and RADIUS

This section contains a practical setup of LEAP and RADIUS running on an Aironet
device, using LEAP authentication. The parameters to set on the Aironet device are
(Figure 5.15):
SSID:            NapierSSID
IP address:      192.168.1.240/24
WEP key:         AAAAAAAAAA (64-bit WEP key)
Authentication:  LEAP

Figure 5.14 Test network (Cisco Aironet 1200 at 192.168.1.240/24; wireless node at
192.168.1.115/24; other nodes at 192.168.1.112/24 and 192.168.1.111/24)

1. Set up a WEP key of AAAAAAAAAA, an IP address of 192.168.1.240, and open
authentication. A connection is made with the Access Point, and its SSID (NapierSSID),
IP address and subnet mask can be set. This can be done with the CLI of:
dot11 ssid NapierSSID
authentication network-eap eap_methods
exit
interface Dot11Radio0
encryption key 1 size 40bit AAAAAAAAAA transmit-key
encryption mode ciphers wep40
channel 1
guest-mode
station-role root
no shutdown
exit
interface BVI1
ip address 192.168.1.240 255.255.255.0
exit
ip http server

2. After which the AAA can be set up with:
hostname ap
aaa new-model
aaa group server radius rad_eap
server 192.168.1.240 auth-port 1812 acct-port 1813
exit
aaa authentication login eap_methods group rad_eap
aaa session-id common

3. Next RADIUS is set up as the local server with (using a shared key of sharedkey):
radius-server local
nas 192.168.1.240 key sharedkey
user aaauser password aaapass
user bbbuser password bbbpass
exit
radius-server host 192.168.1.240 auth-port 1812 acct-port 1813 key sharedkey
exit

4. Next the wireless client can be set up by first setting the WEP key (Figure 4.15).
5. Next authentication is defined with LEAP (Figure 4.16), where the username is
defined as aaauser and the password is aaapass.
6. The wireless device should be able to ping itself and the access point, such as:
C:\>ping 192.168.1.240
Pinging 192.168.1.240 with 32 bytes of data:
Reply from 192.168.1.240: bytes=32 time=2ms TTL=255
Reply from 192.168.1.240: bytes=32 time=1ms TTL=255
Reply from 192.168.1.240: bytes=32 time=1ms TTL=255
Reply from 192.168.1.240: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.1.240:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms
C:\>ping 192.168.1.115
Pinging 192.168.1.115 with 32 bytes of data:
Reply from 192.168.1.115: bytes=32 time<1ms TTL=128
Reply from 192.168.1.115: bytes=32 time<1ms TTL=128
Reply from 192.168.1.115: bytes=32 time<1ms TTL=128
Reply from 192.168.1.115: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.1.115:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

7. The wireless access point should also be able to show the association, such as:
ap#show dot11 assoc
802.11 Client Stations on Dot11Radio0:
SSID [NapierSSID] :
MAC Address     IP address      Device      Name   Parent   State
0090.4b54.d83a  192.168.1.115   4500-radio         self     EAP-Assoc
Others: (not related to any ssid)

Figure 5.14

Figure 5.15

Copyright statement
This unit has been designed as an integrated unit, and should not
be modified without the authors consent.
Prof Bill Buchanan, Sept 2008

Radio and RF

6.1 Introduction
The electromagnetic (EM) spectrum contains a wide range of electromagnetic waves,
from radio waves up to X-rays (as illustrated in Figure 6.1). Included in the spectrum
are radio waves, microwaves, infrared waves, light waves, ultraviolet waves and X-rays.
Electromagnetic waves propagate at the speed of light (c) in free space (3 × 10^8 m/s,
or 300,000,000 m/s) and vary with their frequency and wavelength. Normally
radio waves are referred to by their frequency, and waves above this are referred to
by their wavelength. The relationship between frequency and wavelength is:

    c = f \lambda                                                        (6.1)

where c is the speed of light, f is the frequency (Hz) and \lambda is the wavelength (m). For
example Radio Forth FM, which has a carrier frequency of 97.3 MHz, has a
wavelength of 3.08 m (300,000,000 divided by 97,300,000). Virgin Radio has a
frequency of 1215 kHz, which gives a wavelength of 246 m (300,000,000 divided by
1,215,000).
The RF (Radio Frequency) spectrum ranges from radio waves to microwave
frequencies. The lower the frequency, the better the wave propagates around large
objects, thus AM radio frequencies tend to propagate better than FM radio. Often FM
radio, microwave transmissions and TV signals rely on line-of-sight communications,
as higher-frequency waves cannot bend around large objects. The frequencies used
for IEEE 802.11 communications are 2.4 GHz (12.5 cm) for IEEE 802.11b/11g and
5 GHz (6 cm) for IEEE 802.11a.

Figure 6.1 EM wave spectrum (wavelength in m against frequency in Hz: radio waves,
including AM radio (535 kHz to 1.7 MHz), FM radio (88 to 108 MHz), TV (174 to 220 MHz),
cell phone (800/900 MHz), GPS (1.2 to 1.5 GHz) and wireless comms (2.4 and 5 GHz);
then microwaves, infrared, light, ultraviolet and X-rays)

An electromagnetic wave propagates with an electric field (E) and a magnetic field
(H). These are at right angles to each other, and the propagation is at right angles to
both the E and H fields. This is defined by the right-hand rule (as illustrated in
Figure 6.2).

Figure 6.2 EM wave propagation (E, H and the direction of propagation conform to the
right-hand rule: E is the middle finger, H the thumb, and propagation the index finger)

6.2 Power and decibels

The unit for electrical power is the Watt, which directly relates to electrical energy.
Normally in RF systems this is defined in mW (one-thousandth of a Watt).
The gain of a system is then defined as the output power divided by the input power:

    \mathrm{Gain} = \frac{P_{output}}{P_{input}}                             (6.2)

which is a ratio. If the value is less than unity, there is a loss of power (such as a
cable loss), and if it is greater than unity there is a gain in power (such as in an
electrical amplifier). Typically gain is defined on a logarithmic scale such as:

    \mathrm{Gain(dB)} = 10 \log_{10} \frac{P_{output}}{P_{input}}            (6.3)

Thus, for example, if the output power is double the input power, then the gain will
be:

    \mathrm{Gain} = 10 \log_{10} \frac{2 P_{input}}{P_{input}} = 10 \log_{10} 2 = 3.01\,\mathrm{dB}      (6.4)

Also, if the output power is halved then we get:

    \mathrm{Gain} = 10 \log_{10} \frac{0.5 P_{input}}{P_{input}} = 10 \log_{10} 0.5 = -3.01\,\mathrm{dB}   (6.5)

Thus +3dB identifies a doubling in power, whereas -3dB represents a halving in
power. Thus +6dB represents a four times increase in power, and +9dB represents an
eight times increase in power. By the same token, -6dB represents that the output
power is one-quarter of the input power, and so on. Figure 6.3 shows a logarithmic
plot of power in dBs against the value as a ratio. It can be seen that a gain of 10 gives
a value of 10dB, and 100 gives 20dB. Thus, as the values become large as a ratio, the
value in dBs is still relatively small.
In an electrical system with a number of gain and loss stages, the overall gain/loss
is the multiplication of each of the stage gains. For example, if the gain of an
amplifier is 20, and the loss in the cable is 0.1, then the overall gain is 2. If the system
is defined in dB, then the gain values are added to give the overall gain. Thus an
amplifier gain of 13dB, and a cable loss of -3dB will result in an overall gain of 10dB.
In the system in Figure 6.4 the gains are multiplied together as a ratio, but the gains
in dBs are added together. It can be seen that it is easier to determine the overall gain
if the values are defined in dBs. With dBs it is easy to determine the output power if
we have the gains in dBs and also the signal level in dBs. The signal power can be
referenced to 1W with the units of dBw. For example, for a 1W input power (0dBw),
the output power will be:

    Power(dBw) = 0 (input power) + 13 (gain of 20 as a ratio) - 3 (cable loss) - 0.46 (mismatch) dBw
               = 9.54dBw

Often a power value is referenced to 1mW, and is defined in dBs as:

    \mathrm{Power(dBm)} = 10 \log_{10} \frac{P_{value}}{1 \times 10^{-3}}     (6.6)

Figure 6.3 Conversion from a ratio into dBs (power ratio from 0.01 to 10^4 against
power from -20dB to 40dB)

Figure 6.4 Example system

Thus 1mW is represented as 0dBm, 10mW is 10dBm, 100mW is 20dBm, and 1W is
30dBm. It is then possible to easily calculate output power if the input power and the
gain elements are defined in dBs. For example, if the input power is 100mW, and the
amplifier gain is 13dB, with a cable loss of 3dB, then the output power is:

    Pout(dBm) = Pin(dBm) + Gain(dB) - Losses(dB)
    Pout(dBm) = 20 + 13 - 3 = 30dBm

To convert dBm to dBw, a value of 30 is subtracted. For example: 1mW is 0dBm,
thus it is -30dBw (with reference to 1W).

6.3 System losses

In the transmitter system, losses are typically caused by:

Attenuation in cables. The attenuation is normally linear, and is typically
defined as a dB loss for every meter. This varies with frequency, where the higher
the frequency, the higher the loss (due to the skin effect). For example if the cable
loss is 3dB/km, then the overall loss for 10km will be 30dB. Typical cables for
RF communications are coaxial, which have an inner core separated from a
grounded sheath by a dielectric.
Mismatches in terminations. Cables and connections have a defined
characteristic impedance, and must always be matched to each other, in order to
minimize reflections at the terminations, and maximize the power transfer. Most
RF equipment uses cables and connectors with a characteristic impedance of 75 Ω.
Any mismatch in the termination causes reflections, and can cause a distortion of
the RF signal.

A typical low-loss cable gives a loss of 6.7 dB per 100 feet (30m). Thus for every 100
feet the signal strength reduces by:

    \mathrm{Reduction} = \frac{1}{10^{6.7/10}} = 0.213                      (6.7)

which means that only around 21% of the signal remains after 100 feet.
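The decibel arithmetic of Sections 6.2 and 6.3 carried through in code, as an added example (not from the notes): ratio to dB and back, dBm and dBw, the cascaded-stage rule (multiply ratios, add dBs) checked against itself, and the cable-loss figure. The 6.7 dB per 100 feet default and the stage values 20, 0.5 and 0.9 are the ones the notes use for Figure 6.4; everything else is plain formula.

```python
"""Decibel helpers for Sections 6.2 and 6.3 (added example, not from the
notes).  Standard library only."""
import math


def ratio_to_db(ratio):
    """Gain(dB) = 10 log10(Pout / Pin), equation (6.3)."""
    return 10 * math.log10(ratio)


def db_to_ratio(db):
    """Inverse of ratio_to_db: Pout / Pin = 10^(dB / 10)."""
    return 10 ** (db / 10)


def mw_to_dbm(milliwatts):
    """Power referenced to 1 mW, equation (6.6)."""
    return 10 * math.log10(milliwatts)


def dbm_to_mw(dbm):
    """Inverse of mw_to_dbm."""
    return 10 ** (dbm / 10)


def dbm_to_dbw(dbm):
    """dBm to dBw: subtract 30, since 1 W = 30 dBm = 0 dBw."""
    return dbm - 30


def chain_gain_db(stage_ratios):
    """Overall gain of cascaded stages given as ratios (gain > 1, loss < 1).
    As ratios the stages multiply; in dB they add.  Both routes are
    computed and must agree, which is the point Section 6.2 makes."""
    product = 1.0
    for ratio in stage_ratios:
        product *= ratio
    summed_db = sum(ratio_to_db(r) for r in stage_ratios)
    assert math.isclose(ratio_to_db(product), summed_db)
    return summed_db


def cable_loss_db(length_ft, db_per_100ft=6.7):
    """Linear cable attenuation (Section 6.3); 6.7 dB/100 ft is the
    'typical low-loss cable' figure from the notes."""
    return db_per_100ft * length_ft / 100


def output_power_dbm(input_mw, gains_db=(), losses_db=()):
    """Pout(dBm) = Pin(dBm) + sum(gains) - sum(losses)."""
    return mw_to_dbm(input_mw) + sum(gains_db) - sum(losses_db)


if __name__ == "__main__":
    # Figure 6.4 style system: amplifier x20, cable x0.5, mismatch x0.9.
    print("chain gain (dB):", round(chain_gain_db([20, 0.5, 0.9]), 2))
    # 100 mW in, 13 dB amplifier, 3 dB cable loss.
    print("output (dBm):", output_power_dbm(100, gains_db=[13], losses_db=[3]))
    # Tutorial question 4: 100 mW through 200 ft and 1000 ft of cable.
    for feet in (200, 1000):
        print(feet, "ft:", round(output_power_dbm(
            100, losses_db=[cable_loss_db(feet)]), 1), "dBm")
```

Keeping the gain chain in dB is not only easier by hand; it also avoids the precision loss of multiplying many small ratios, which is why link-budget spreadsheets and site-survey tools work in dB throughout.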

6.4 Multipath problems

A major factor in wireless LANs is the multipath problem, where waves can take
differing paths to get to a destination. These multipaths can cause fading and
distortion of the radio waveform. If different waves arrive at a receiver with
different time delays, they can distort the received signal. One of the ways to
overcome this problem is to use diversity, which uses more than one antenna. With
this it is likely that one of the antennas will experience fewer multipath problems than
the other antennas. It is thus important that diversity antennas are physically
separated from each other, and, so as to reduce the problem of null points, they can
be moved around the physical space. The antenna can be set for both the transmit
and receive options. These can be:

Diversity. With this the WAP uses the antenna on which the best signal is being
received.
Right. This is where the antenna is on the right of the WAP, and is highly
directional.
Left. This is where the antenna is on the left of the WAP, and is highly directional.

and the configuration is as follows:

# config t
(config)# int dot11radio0
(config-if)# antenna transmit diversity
(config-if)# antenna receive left
(config-if)# exit
(config)# exit

6.4.1 802.11n: the future of wireless

Multipath problems have always been one of the major factors in radio
networks. A new range of wireless devices now thrives on multipath propagation
and uses MIMO (Multiple-in, multiple-out) antennas, which allow the access point to
communicate with several antennas, each at the same time. These antennas can then
transmit separate bit streams, and thus multiply the available bandwidth (Figure 6.5).
802.11n is one of the first such standards and its basic details are:
Frequency:  2.4 GHz or 5 GHz
Max:        540 Mbit/s
Range:      Same as 11b

802.11n sends information on two or more antennas. These signals then reflect off
objects, creating multiple paths. Normally these cause interference and fading, but
with MIMO they carry different information, which is recombined on the receiving
side.

Figure 6.5 MIMO

6.5 Isotropic radiators

An antenna can produce different radiation patterns. An isotropic radiator sends out
radio waves with equal power in all directions. This type of radiator is useful when the
radiation pattern is required to reach every direction. It can be seen from Figure 6.6
that power drops off with the inverse of the square of the distance. Thus a doubling
of distance causes the power to drop to one quarter.

Figure 6.6 Isotropic radiator (at radius R the power is spread over an area of πR², and
at 2R over π(2R)² = 4πR²; power reduces at a rate of 1/r² (inverse square law), so the
power is spread over four times the area and doubling the distance reduces it by 1/4)

An antenna is measured for its field strength in both the azimuth and the elevation
(as illustrated in Figure 6.7). The azimuth map shows the field strength in the x-y
direction, while the elevation gives the electric field strength above the antenna (x-z
direction).

Figure 6.7 Measurement of antenna field pattern (elevation and azimuth)

6.6 Monopoles and Dipoles

The isotropic radiator cannot be made practically. The nearest that is possible is an
omnidirectional antenna, as illustrated in Figure 6.8. It contains a single resonator
element, where the electric field radiates outwards in parallel to the antenna
(vertical) and the magnetic field in loops around the antenna (horizontal). A
dipole antenna uses a center feed into two conducting elements of λ/4 (Figure 6.9),
which gives it a total length of λ/2. At 2.4 GHz, the length will be 12.5 cm, and at
5 GHz it is 6 cm. This type of antenna produces a doughnut-shaped radiation
pattern, as illustrated in Figure 6.10.

Types:
Vertical whip.
Vertical dipole.
Monopole.

Figure 6.8 Omnidirectional antenna (radiation pattern and coverage)

Figure 6.9 Dipole antenna (two λ/4 elements, total length λ/2)

Figure 6.10 Pattern produced by a dipole antenna [1]

6.7 Antenna Gain

Antennas are never perfect isotropic radiators, as they encounter losses, and they
also do not typically radiate their power in every direction equally. The more focused
the radiation pattern, the higher the power will be in the beam, as compared with an
isotropic radiator. The gain of an antenna refers to the increase in power of an
antenna for a given direction as related to a perfect isotropic radiator which has the
same input power. If a direction is not given, it is normally taken as the maximum
value of the power in any given direction. It is given by:

    \mathrm{Gain} = \frac{P_m}{P_i}                                       (6.8)

    \mathrm{Gain(dB)} = 10 \log_{10} \frac{P_m}{P_i}                     (6.9)

For example, if the power is increased by a factor of 2:

    \mathrm{Gain(dB)} = 10 \log_{10} \frac{2 P_i}{P_i} = 10 \log_{10} (2) = 3\,\mathrm{dB}      (6.10)

For example, if the power is increased by a factor of 4:

    \mathrm{Gain(dB)} = 10 \log_{10} \frac{4 P_i}{P_i} = 10 \log_{10} (4) = 6\,\mathrm{dB}      (6.11)

It can be seen that there is an increase of 3dB for every doubling in power. This gain
is often referred to as dBi (isotropic reference), which is the gain related to a perfect
isotropic radiator. Unfortunately isotropic antennas are impossible to produce, thus a
more useful measure is the reference to a dipole antenna, and is defined as dBd
(dipole reference). A dipole antenna has a gain of 2.14dBi, thus a dBd value can be
converted into a dBi value by adding 2.14 onto it. Thus a 1 dBd radiator has a 3.14 dBi
gain.

    \mathrm{Gain(dBi)} = \mathrm{Gain(dBd)} + 2.14\,\mathrm{dBi}          (6.12)

Figure 6.11 Antenna gain (Gain = P_m / P_i, where P_m is the power measured from the
antenna and P_i is the power measured from an isotropic antenna)

6.8 Polarization
The direction of the electric field defines the polarization direction. This normally lies
along the conducting rod element in the antenna. The polarisation direction should
be at right angles to the line-of-sight direction between the transmitter and the
receiver. Normally, in wireless networks, the polarization is vertical, but it can also
be horizontal (Figure 6.12). A helix antenna creates a circularly polarized wave
(which can, of course, be right-handed or left-handed polarization).

Figure 6.12 Polarization (vertical and horizontal polarization of the E field)

6.9 Signal attenuation

Along with signal losses in the transmitter, the radio wave fades as it propagates
through free space. The amount of this attenuation and scattering is typically related
to the amount of moisture in the air. This, of course, depends on rainfall levels and
humidity. The higher the frequency of the wave, the more the attenuation is. A
typical table is (at 6GHz):

Rainfall (inch/hr)    Path loss (dB/mile)
0.15                  0.015
0.7                   0.1
1.5                   1

6.10 EIRP
The EIRP value of a transmitter measures the maximum power from the transmitter,
and will be given by:
    EIRP = transmitter power + antenna gain - cable loss
This must be within the maximum limits required by the national laws. For example
a 100mW (20dBm) power source with an antenna with a 6dBi gain will give an EIRP of
26dBm. In most situations an EIRP of 36dBm should not be exceeded. In a site survey of
any deployed wireless network, it must be verified that the EIRP does not exceed the
regulatory maximum. In Europe the maximum EIRP is 20dBm.

6.11 Antenna types

The following define some typical antennas used in wireless LANs [2]. For each antenna
the features listed are: description, application, gain, approximate indoor range at
1 Mbps and at 11 Mbps, beam width (horizontal and vertical) and cable length.

ANT5959
Description:       Diversity omnidirectional ceiling mount
Application:       Indoor unobtrusive antenna, best for ceiling mount. Excellent
                   throughput and coverage solution in high multipath cells and dense
Gain:              Two separate 2 dBi omnidirectional elements; minimum gain 2.0,
                   maximum gain 2.35
Range at 1 Mbps:   350 ft (105 m)
Range at 11 Mbps:  130 ft (45 m)
Beam width:        360° H, 80° V
Cable length:      3 ft (0.91 m)

ANT2410Y-R
Description:       Yagi mast or wall mount
Application:       Indoor/outdoor directional antenna for use with Access Points or
                   Bridges
Gain:              10 dBi
Range at 1 Mbps:   800 ft (244 m)
Range at 11 Mbps:  230 ft (70 m)
Beam width:        47° H, 55° V
Cable length:      3 ft (0.91 m)

ANT2012
Description:       Diversity patch wall mount
Application:       Indoor, unobtrusive medium-range antenna
Gain:              6.5 dBi with two radiating elements
Range at 1 Mbps:   547 ft (167 m)
Range at 11 Mbps:  167 ft (51 m)
Beam width:        80° H, 55° V
Cable length:      3 ft (0.91 m)

ANT3213
Description:       Pillar mount diversity omnidirectional
Application:       Indoor/outdoor unobtrusive medium-range antenna
Gain:              5.2 dBi with two radiating elements
Range at 1 Mbps:   497 ft (151 m)
Range at 11 Mbps:  142 ft (44 m)
Beam width:        360° H, 30° V
Cable length:      3 ft (0.91 m)

ANT1728
Description:       Omnidirectional ceiling mount
Application:       Indoor medium-range antenna, typically hung from crossbars of
                   drop ceilings
Gain:              5.2 dBi
Range at 1 Mbps:   497 ft (151 m)
Range at 11 Mbps:  142 ft (44 m)
Beam width:        360° H, 38° V
Cable length:      3 ft (0.91 m)

ANT4941
Description:       2.2 dBi dipole antenna
Application:       Indoor omnidirectional coverage
Gain:              2.2 dBi
Range at 1 Mbps:   350 ft (106 m)
Range at 11 Mbps:  130 ft (40 m)
Beam width:        360° H, 65° V
Cable length:      N/A

ANT3549
Description:       Patch wall mount
Application:       Indoor, unobtrusive, long-range antenna (can also be used as a
                   medium-range bridge antenna)
Gain:              9 dBi
Range at 1 Mbps:   Access point: 700 ft (213 m)
Range at 11 Mbps:  Access point: 200 ft (61 m); Bridge: 3390 ft (1032 m)
Beam width:        60° H, 60° V
Cable length:      3 ft (0.91 m)

ANT1729
Description:       Patch wall mount
Application:       Indoor, unobtrusive, medium-range antenna (can also be used as a
                   medium-range bridge antenna)
Gain:              6 dBi
Range at 1 Mbps:   Access point: 542 ft (165 m)
Range at 11 Mbps:  Access point: 155 ft (47 m); Bridge: 1900 ft (580 m)
Beam width:        75° H, 65° V
Cable length:      3 ft (0.91 m)

6.12 Fresnel zones

Radio waves often suffer from multipath problems. A major one is a direct line-of-sight
connection where an alternative path is provided, and the wave received by
the alternative path is 180° out-of-phase with the direct line-of-sight path.
Figure 6.13 shows an example of this problem.

Figure 6.13 Out-of-phase reception (if the reflected wave arrives 180 degrees out of
phase, the received signal will be cancelled)

The Fresnel zone defines an elliptical region in which there should not be any
objects which could cause a reduction in the received signal strength (Figure 6.14).

Figure 6.14 Fresnel zone

Overall the Fresnel zone varies with the distance between the antennas and the
operating frequency. The radius of the Fresnel zone (in meters) is given by (Figure
6.15):

    r = 17.32 \sqrt{\frac{d}{4 f}}                                        (6.13)

where
d is the distance (in km).
f is the frequency (in GHz).

Figure 6.15 Fresnel zone (radius r in m for a path of length d in km)

For example, if the distance between the antennas is 1km, and the frequency is
2.4GHz, then the maximum Fresnel radius will be:

    r = 17.32 \sqrt{\frac{1}{4 \times 2.4}} = 5.58\,\mathrm{m}            (6.14)

Thus, in this case, it must be ensured that there are no obstacles in the path which are
within this region.

6.13 Free-space loss

The loss due to free-space propagation can be estimated with:

    \mathrm{Free\ space\ loss\ (dB)} = 20 \log_{10} f + 20 \log_{10} d + 36.6\,\mathrm{dB}    (6.15)

where f is the frequency in MHz, and d is the distance in miles. For example, a
frequency of 2.4GHz and a distance of 1 mile gives a free-space loss of 104.2dB.
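Equations (6.1), (6.13) and (6.15) in code, as an added example (not from the notes), with a small link-budget function that combines them the way the tutorial questions do. The units follow the notes exactly: d in km and f in GHz for the Fresnel radius, f in MHz and d in miles for the free-space loss. The `fresnel_clearance_ok` check (minimum mast height equals the mid-path radius) is the reading of tutorial question 10 assumed here.

```python
"""Wavelength, first-Fresnel-zone radius and free-space loss from
equations (6.1), (6.13) and (6.15) (added example, not from the notes)."""
import math

C = 300_000_000  # speed of light in m/s, as used in Section 6.1


def wavelength_m(frequency_hz):
    """lambda = c / f, equation (6.1)."""
    return C / frequency_hz


def fresnel_radius_m(distance_km, frequency_ghz):
    """r = 17.32 sqrt(d / (4 f)), equation (6.13): the largest (mid-path)
    radius of the first Fresnel zone, d in km and f in GHz."""
    return 17.32 * math.sqrt(distance_km / (4 * frequency_ghz))


def free_space_loss_db(frequency_mhz, distance_miles):
    """FSL(dB) = 20 log10 f + 20 log10 d + 36.6, equation (6.15),
    f in MHz and d in miles."""
    return (20 * math.log10(frequency_mhz)
            + 20 * math.log10(distance_miles) + 36.6)


def received_power_db(transmit_power_db, frequency_mhz, distance_miles,
                      antenna_gains_db=(), cable_losses_db=()):
    """Link budget: transmit power plus antenna gains minus cable losses
    minus the free-space path loss (all in dB)."""
    return (transmit_power_db + sum(antenna_gains_db)
            - sum(cable_losses_db)
            - free_space_loss_db(frequency_mhz, distance_miles))


def fresnel_clearance_ok(distance_km, frequency_ghz, mast_height_m):
    """Assumed reading of tutorial question 10: over water the masts must be
    at least as high as the mid-path Fresnel radius so that the surface
    stays outside the zone."""
    return mast_height_m >= fresnel_radius_m(distance_km, frequency_ghz)


if __name__ == "__main__":
    print("lambda at 2.4 GHz:", wavelength_m(2.4e9), "m")
    print("Fresnel radius, 1 km at 2.4 GHz:",
          round(fresnel_radius_m(1, 2.4), 2), "m")
    print("FSL, 2.4 GHz over 1 mile:",
          round(free_space_loss_db(2400, 1), 1), "dB")
    # Tutorial question 13: 10 W (10 dB) transmitter, 2 miles, 2.4 GHz.
    print("received power:", round(received_power_db(10, 2400, 2), 1), "dB")
```

Note that equation (6.15) already folds the unit conversions into the 36.6 dB constant, so feeding it GHz or km instead of MHz and miles silently gives a wrong answer; keeping the unit in each parameter name is the cheapest defence against that.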

6.14 References
[1] http://www.trevormarshall.com/byte_articles/byte1.htm
[2] http://www.cisco.com/univercd/cc/td/doc/pcat/ao____o1.htm

6.15 Tutorial
1. Calculate the wavelength of an EM wave in free space for the following
frequencies:
(i) 100MHz
(ii) 1GHz
(iii) 5GHz
Ans: 3m, 30cm, 6cm

2. Determine the dBm values for the following powers:
(i) 1 mW
(ii) 20mW
(iii) 150mW
(iv) 1W
(v) 0.1mW
Ans: 0dBm, 13 dBm, 21.8 dBm, 30 dBm, -10dBm

3. Determine the mW values for the following dBm values:
(i) 10 dBm
(ii) 1dBm
(iii) -3dBm
(iv) 20dBm
Ans: 10mW, 1.3mW, 0.5mW, 100mW

4. Determine the output power for the following cable lengths with a 100mW
input power. Assume a cable loss of 6.7 dB per 100 feet (30m).
(i) 200 feet
(ii) 1000 feet
Ans: 6.6dBm, -47dBm.

5. A dipole antenna is fed with 10mW. What is the maximum output power of the
antenna within the main beam? [Ans: 2.14dBm]

6. A dipole antenna is fed with 100mW, with a standard dipole antenna. What is
the maximum EIRP value?  [Ans: 22.14dBm]

7. How long does it take a radio wave to travel 100km? [Ans: 333.3 μs]

8. If two antennas are located at a distance of 5km apart, and are operating at
2.4GHz, what is the Fresnel radius? [Ans: 12.5m]

9. If two antennas are located at a distance of 5km apart, and are operating at
5GHz, what is the Fresnel radius? [Ans: 8.66m]

10. An antenna is placed in South Queensferry and another is placed in North
Queensferry, at the crossing near the Forth Rail Bridge. What is the minimum
height of the antenna masts so that the water is not part of the Fresnel zone for a
2.4GHz link? [Ans: 8.89m]

11. An antenna mast is located in England, and another in France, at the widest
distance of the English Channel. What is the minimum height of the antenna
masts so that the water is not part of the Fresnel zone for a 5GHz link? [Ans:
51.96m]

12. If two antennas are placed two miles apart and operate at a frequency of 2.4GHz,
what is the free-space loss? [Ans: 110.2dB]

13. If two antennas are placed two miles apart and operate at a frequency of 2.4GHz,
and the power transmitted is 10W (10dB), what is the received power in dBs?
[Ans: -100.2dB]


Filtering and Firewalling

7.1 Introduction
Security is becoming a major concern in IT, and a major concern in networking and
the Internet, and wireless systems are probably more open to abuse than any other
networking system. Thus they must be designed and implemented carefully in order
that security is not compromised, and that valuable bandwidth is not wasted. With the
Aironet, the traffic can be filtered in a number of ways:

MAC addresses. This filters based on incoming and outgoing MAC addresses in
the data frame.
Source IP address. The address that the data packet was sent from.
Destination IP address. The address that the data packet is destined for.
Source TCP port. The port that the data segment originated from. Typical ports
which could be blocked are: FTP (port 21); TELNET (port 23); and WWW (port
80).
Destination TCP port. The port that the data segment is destined for.
Protocol type. This filters for UDP or TCP traffic.

On Cisco devices, access control lists (ACLs) are typically used to filter traffic.

7.2 MAC filters

The wireless access point can be used to filter MAC addresses for a source and
destination. Its format is:
access-list [<700-799> | <1100-1199>] [deny | permit] [source mac] [source
mask] [dest mac] [dest mask]

For example, to disallow the node with the MAC address of 0090.4b54.d83a access to
0060.b39f.cae1:
(config)# access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
(config)# access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff

where the 0.0.0 element identifies that the MAC address should match the address
exactly, while ffff.ffff.ffff defines that any address can apply. The permit at the
end is important as the device will process the access-list rules one at a time, and if a
frame does not match any of the rules, it will drop the data frame. The access-list is
applied to the radio port with:
(config)# int d0
(config-if)# l2-filter bridge-group-acl
(config-if)# bridge-group input-address-list 1101

where:

l2-filter bridge-group-acl. Defines that a Layer 2 access control list (ACL) filter is
applied to incoming and outgoing data frames.
bridge-group input-address-list 1101. This applies the access list to an interface
(in this case, access list number 1101).

An alternative is to use:
(config-if)# bridge-group 1 output-pattern 1101

In this case an example of the ARP cache is (when the node was connected to the
clients):
ap# show arp
Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.110          1  000d.65a9.cb1b  ARPA  BVI1
Internet  192.168.1.101          2  0060.b39f.cae1  ARPA  BVI1
Internet  192.168.1.103          1  0009.7c85.87f1  ARPA  BVI1
Internet  192.168.1.115             0090.4b54.d83a  ARPA  BVI1

7.3 Standard ACLs


Standard ACLs filter for a source IP address, and are grouped with an access-list
number (as this allows one or more condition to be grouped into a single condition,
which can then be applied to one or more ports). Its format of the command is:
(config)# access-list access-list-value {permit | deny} source source-mask

where the source is the source address, and source-mask defines the bits which are
checked. For example is we had a network address of 156.1.1.0 with a subnet mask of
255.255.255.0. We could bar all the traffic from the host 156.1.1.10 from gaining access
to the external network with:
(config)# access-list 1 deny 156.1.1.10 0.0.0.0

where the 0.0.0.0 part defines that all the parts of the address are checked. The
source-mask is know as the wild-card mask, where a 0 identifies that the
corresponding bit in the address field should be check, and a 1 defines that it should
be ignored. Thus if we wanted to bar all the hosts on the 156.1.1.0 subnet then we
could use:
(config)# access-list 1 deny 156.1.1.0 0.0.0.255

Finally we must allow all other traffic with:


(config)# access-list 1 deny 156.1.1.0 0.0.0.255
(config)# access-list 1 permit any

Once the access-list is created it can then be applied to a number of ports with the
command, such as:
(config)# interface D0

106

W.Buchanan

(config-if)# ip address 156.1.1.130 255.255.255.0


(config-if)# ip access-group 1 in

which will bar all the access from the 156.1.1.0 subnet from the D0 port on incoming
traffic (Figure 7.1).

Figure 7.1 shows a router with interfaces E0 and D0 (D0 at 156.1.1.130), a host at
156.1.1.2 on the barred subnet, and hosts 161.10.11.12 and 161.10.11.13 elsewhere. In
the wildcard mask 0.0.0.255 the 0s mark the part of the address to match (156.1.1) and
the 255 marks the part to ignore (the host octet), so traffic from any address other
than the 156.1.1.0 subnet can pass.
Router(config)# access-list 1 deny 156.1.1.0 0.0.0.255
Router(config)# access-list 1 permit any
Router(config)# interface D0
Router(config-if)# ip address 156.1.1.130 255.255.255.0
Router(config-if)# ip access-group 1 in
Figure 7.1: Standard ACL example

ACLs should be placed in the optimal place, so that they reduce the amount of
unwanted traffic on the network/Internet. As a standard ACL cannot determine the
destination address, it should be placed as near as possible to the destination that
is barred. If it was placed at the source it would also block other traffic, which is
not barred (Figure 7.2).
In Figure 7.2 the standard ACL is applied inbound on E0 (120.11.12.13), the interface
nearest the barred destination, so that only the traffic from 156.1.1.0 is dropped and
traffic to the other hosts (156.1.1.130, 161.10.11.12 and 161.10.11.13) is unaffected:
!
interface E0
ip address 120.11.12.13 255.255.255.0
ip access-group 1 in
!
access-list 1 deny 156.1.1.0 0.0.0.255
access-list 1 permit any

Standard ACLs are applied as near to the destination as possible, so that they do not
affect any other traffic.
Figure 7.2: Placing a standard ACL

7.3.1 Named standard ACL

An improved method of generating a standard ACL is to use a named ACL. The
format is:
(config)#ip access-list standard ?
  <1-99>       Standard IP access-list number
  <1300-1999>  Standard IP access-list number (expanded range)
  WORD         Access-list name

where WORD is the name of the access-list to be defined. For example:


(config)#ip access-list standard Test
(config-std-nacl)# ?
Standard Access List configuration commands:
  deny    Specify packets to reject
  exit    Exit from access-list configuration mode
  no      Negate a command or set its defaults
  permit  Specify packets to forward

and to define a standard access-list:
(config-std-nacl)# deny 156.1.1.0 0.0.0.255
(config-std-nacl)# permit ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
(config-std-nacl)# permit any ?
  log   Log matches against this entry
  <cr>
(config-std-nacl)# permit any

It can then be applied with:
(config)#int e0
(config-if)# ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
(config-if)# ip access-group Test ?
  in   inbound packets
  out  outbound packets
(config-if)# ip access-group Test in

which applies the named standard ACL on the incoming port of E0.

7.4 Extended ACLs

Extended ACLs are a natural extension to standard ACLs, and allow both the source
and the destination address to be specified. Standard ACLs use the access-list-values
from 0 to 99, whereas extended ACLs use the values above 100. The format of the
command is:
# access-list access-list-value {permit | deny} {test-conditions}

For example:
(config)# access-list 100 deny ip host 156.1.1.134 156.70.1.1 0.0.0.0
(config)# access-list 100 permit ip any any

This creates an access-list group with a value of 100. The first line defines that the
source host 156.1.1.134 is not allowed to access the destination 156.70.1.1, and the last
part (0.0.0.0) defines that the firewall should match all of the bits in the destination
address. Thus, in this case, the host with an IP address of 156.1.1.134 is not allowed to
access the remote computer 156.70.1.1. It can access any other computer though, as
the second line allows all other accesses.
We can expand this to be able to check a whole range of bits in the address. This
is achieved by defining a wildcard mask. With this we use 0s in the positions of the
address that we want to match, and 1s in the parts which are not checked. Thus if
we wanted to bar all the hosts on the 156.1.1.0 subnet from accessing the 156.70.1.0
subnet we would use the following (Figure 7.3):
(config)# access-list 100 deny ip 156.1.1.0 0.0.0.255 156.70.1.0 0.0.0.255
(config)# access-list 100 permit ip any any

Thus an address from 156.1.1.1 to 156.1.1.254 will not be able to access any address
on the 156.70.1.0 network.
If we have a Class B address with a subnet in the third field (such as 156.1.1.0)
and we define that we shall allow all odd IP addresses to pass through to a given
destination (such as 156.70.1.1), and bar all even IP addresses, we could implement
the following:
(config)# access-list 100 deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1
(config)# access-list 100 permit ip any any

This will allow any host with an odd number (such as 1, 3, 5, and so on) to access the
156.70.1.1 host. The wildcard mask of 0.0.0.254 (0000 0000 0000 0000 0000 0000 1111
1110b) checks only the least significant bit of the address: if that bit is a 0 the
condition matches, and so traffic from the even-numbered hosts to 156.70.1.1 is
denied.
We can also bar access to complete parts of destination addresses. For example, if
we wanted to bar all odd addresses from accessing the 156.70.1.0 subnet:
(config)# access-list 100 deny ip 156.1.1.1 0.0.0.254 156.70.1.0 0.0.0.255
(config)# access-list 100 permit ip any any

Once the access-list is created it can then be applied to a number of ports with a
command such as:
Router (config)# interface D0
Router (config-if)# ip address 156.1.1.130 255.255.255.192
Router (config-if)# ip access-group 100 in

which applies the access-list with a value of 100 to port D0 on incoming traffic (that
is, traffic which is coming into this router port).
Figure 7.3 shows a router with interfaces E0 and D0 (D0 at 156.1.1.130), a host at
156.1.1.2, and hosts 161.10.11.12 and 161.10.11.13. The two access lists shown are:
(config)#access-list 100 deny ip host 156.1.1.2 70.1.2.0 0.0.0.255
(config)#access-list 100 permit ip any any

which denies traffic from 156.1.1.2 to the 70.1.2.0 network, and:
(config)#access-list 100 deny ip 156.1.1.0 0.0.0.255 70.1.2.0 0.0.0.255
(config)#access-list 100 permit ip any any

which denies traffic from any host on 156.1.1.0 to the 70.1.2.0 network.
Figure 7.3: Extended ACL example

The firewall can also filter on TCP/UDP ports, which is defined with the tcp or udp
keyword. It has a similar syntax:
(config)# access-list access-list-value { permit | deny } {tcp | udp
| igrp} source source-mask destination destination-mask {eq | neq | lt |
gt} port

For example:
access-list 101 deny tcp 156.1.1.0 0.0.0.254 eq telnet host 156.70.1.1 eq telnet
access-list 101 permit ip any any

This denies telnet traffic from the even addresses on the 156.1.1.0 subnet to the
156.70.1.1 host, which is also destined for the telnet port (port 23).
As previously defined, ACLs should be placed in the optimal place, so that they
reduce the amount of unwanted traffic on the network/Internet. As an extended ACL
allows us to check the source and the destination, the extended ACL should be
placed as near as possible to the source of the traffic (Figure 7.4).

In Figure 7.4 the extended ACL is applied inbound on D0 (156.1.1.130), the interface
nearest the source 156.1.1.2. Traffic to the barred site 140.5.6.7 is blocked there, and
all other traffic (such as to 161.10.11.12 and 161.10.11.13) can flow:
!
interface D0
ip address 156.1.1.130 255.255.255.0
ip access-group 100 in
!
access-list 100 deny ip 156.1.1.0 0.0.0.255 140.5.6.7 0.0.0.255
access-list 100 permit ip any any

Extended ACLs are applied as near to the source as possible, as they are more
targeted.
Figure 7.4: Placing an extended ACL

7.4.1 Named extended ACL

An improved method of generating an extended ACL is to use a named ACL. The
format is:
(config)#ip access-list extended ?
  <100-199>    Extended IP access-list number
  <2000-2699>  Extended IP access-list number (expanded range)
  WORD         Access-list name

where WORD is the name of the access-list to be defined. For example:


(config)#ip access-list standard Test1
(config-std-nacl)#?
Standard Access List configuration commands:
  deny    Specify packets to reject
  exit    Exit from access-list configuration mode
  no      Negate a command or set its defaults
  permit  Specify packets to forward

and to define an extended access-list:


(config)#ip access-list extended Test1
(config-ext-nacl)#?
Ext Access List configuration commands:
  default   Set a command to its defaults
  deny      Specify packets to reject
  dynamic   Specify a DYNAMIC list of PERMITs or DENYs
  evaluate  Evaluate an access list
  exit      Exit from access-list configuration mode
  no        Negate a command or set its defaults
  permit    Specify packets to forward
  remark    Access list entry comment
(config-ext-nacl)#deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  igrp     Cisco's IGRP routing protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
(config-ext-nacl)#deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
(config-ext-nacl)#deny tcp 192.168.1.0 ?
  A.B.C.D  Source wildcard bits
(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers
(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255

It can then be applied with:
(config)#int e0
(config-if)#ip access-group ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
(config-if)#ip access-group Test1 ?
  in   inbound packets
  out  outbound packets
(config-if)#ip access-group Test1 in

which applies the named extended ACL on the incoming port of E0.

7.5 ICMP filters


A major security weakness in many networks is the usage of network discovery tools
from outside the network, which gives intruders a way to discover the nodes
within a network. Thus ping and traceroute functionality is often blocked for outside
access. For this an ACL can be created which blocks ICMP access. An example of
blocking a ping from 192.168.1.1 to 192.168.1.110:
ip access-list extended Test
deny icmp 192.168.1.1 0.0.0.0 192.168.1.110 0.0.0.0
permit ip any any
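The matching rules of sections 7.3 to 7.5 (wildcard masks, first match wins, an implicit deny at the end of every list) can be checked against sample packets with the following script. It is an added illustration written for these notes, not Cisco IOS code: it parses the access-list syntax used in this chapter (numbered lines and the body lines of a named list), and the packets it is run over are constructed here as plain dictionaries.

```python
"""Wildcard-mask matching and first-match ACL evaluation (an added illustration
of sections 7.3 to 7.5: a model of the rules in the notes, not Cisco IOS code)."""
from dataclasses import dataclass
import ipaddress

NAMED_PORTS = {"telnet": 23, "www": 80, "snmp": 161, "echo": 7}   # port names used in the notes
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "igrp", "eigrp", "gre", "esp", "ahp", "ospf", "pim", "igmp"}
ANY = ("0.0.0.0", "255.255.255.255")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def looks_like_ipv4(tok):
    return tok.count(".") == 3 and tok.replace(".", "").isdigit()

def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must match, a 1 bit is ignored (the inverse of a subnet mask)."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def port_number(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D W.X.Y.Z' or a bare host address."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    if tokens and looks_like_ipv4(tokens[0]):
        return tok, tokens.pop(0)
    return tok, "0.0.0.0"                 # no wildcard given: exact host match

def parse_port(tokens):
    """Consume an optional 'eq|neq|lt|gt PORT' or 'range LOW HIGH' test."""
    if tokens and tokens[0] in ("eq", "neq", "lt", "gt"):
        op = tokens.pop(0)
        return op, port_number(tokens.pop(0))
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return "range", (port_number(tokens.pop(0)), port_number(tokens.pop(0)))
    return None, None

def port_match(port, op, arg):
    if op is None:
        return True
    if port is None:                      # ICMP carries no port, so a port test cannot match
        return False
    if op == "range":
        return arg[0] <= port <= arg[1]
    return {"eq": port == arg, "neq": port != arg, "lt": port < arg, "gt": port > arg}[op]

@dataclass
class Entry:
    action: str
    proto: str                            # 'ip' matches every protocol
    src: tuple
    sport: tuple
    dst: tuple
    dport: tuple

    def matches(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and wildcard_match(pkt["src"], *self.src)
                and wildcard_match(pkt["dst"], *self.dst)
                and port_match(pkt.get("sport"), *self.sport)
                and port_match(pkt.get("dport"), *self.dport))

def parse_entry(line):
    """Parse 'access-list N {permit|deny} ...' or a named-ACL body line '{permit|deny} ...'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        number, tokens = int(tokens[1]), tokens[2:]
        standard = number <= 99 or 1300 <= number <= 1999
    else:                                 # named list: extended lines start with a protocol
        standard = not (tokens[1] in PROTOCOLS or tokens[1].isdigit())
    action = tokens.pop(0)
    if standard:                          # standard list: source address only
        return Entry(action, "ip", parse_addr(tokens), (None, None), ANY, (None, None))
    proto = tokens.pop(0)
    src, sport = parse_addr(tokens), parse_port(tokens)
    dst, dport = parse_addr(tokens), parse_port(tokens)
    return Entry(action, proto, src, sport, dst, dport)

def evaluate(acl, pkt):
    """First matching entry wins; if nothing matches the packet is denied (implicit deny any)."""
    for entry in map(parse_entry, acl):
        if entry.matches(pkt):
            return entry.action
    return "deny"

def demo():
    """Run lists from the chapter over constructed packets; returns {case: action}."""
    standard_1 = ["access-list 1 deny 156.1.1.0 0.0.0.255", "access-list 1 permit any"]
    extended_101 = ["access-list 101 deny tcp 156.1.1.0 0.0.0.254 host 156.70.1.1 eq telnet",
                    "access-list 101 permit ip any any"]
    icmp_named = ["deny icmp 192.168.1.1 0.0.0.0 192.168.1.110 0.0.0.0", "permit ip any any"]

    def pkt(src, dst, proto="tcp", dport=None):
        sport = 40000 if proto in ("tcp", "udp") else None
        return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

    return {
        "std: host on 156.1.1.0": evaluate(standard_1, pkt("156.1.1.77", "161.10.11.12")),
        "std: host elsewhere": evaluate(standard_1, pkt("161.10.11.13", "156.1.1.2")),
        "ext: even host, telnet": evaluate(extended_101, pkt("156.1.1.2", "156.70.1.1", dport=23)),
        "ext: odd host, telnet": evaluate(extended_101, pkt("156.1.1.3", "156.70.1.1", dport=23)),
        "ext: even host, www": evaluate(extended_101, pkt("156.1.1.2", "156.70.1.1", dport=80)),
        "icmp: .1 pings .110": evaluate(icmp_named, pkt("192.168.1.1", "192.168.1.110", "icmp")),
        "icmp: .2 pings .110": evaluate(icmp_named, pkt("192.168.1.2", "192.168.1.110", "icmp")),
        "empty list (implicit deny)": evaluate([], pkt("10.0.0.1", "10.0.0.2")),
    }
```

The `demo()` cases reproduce the results argued in the text: the even host 156.1.1.2 is refused telnet to 156.70.1.1 while the odd host 156.1.1.3 and the even host's www traffic pass, and a list that matches nothing (here, an empty one) denies, which is the implicit deny every ACL ends with. Running a candidate list through `evaluate()` before applying it to an interface is a cheap way to catch an ordering mistake such as a permit placed before the deny it was meant to precede.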

7.6 ACL examples


Figure 7.5 shows an example router running-configuration. It can be seen that the
Dot11Radio0 port has access-list 104 applied to its input port (ip access-group
104 in). This denies all the even IP addresses on the 182.2.1.0 subnet (180.2.1.0 with a
wildcard of 0.0.0.254) access to the telnet port on 180.70.1.1 (host 180.70.1.1 eq telnet). It
is thus barring all the nodes on its own subnet from accessing the 180.70.1.1 server, as
traffic from the nodes enters this port (the in direction).
The Ethernet0 port has access-list 102 applied to it, on the input to the port.
This denies WWW access (deny tcp 180.2.1.128 0.0.0.63 180.70.1.0 0.0.0.255 eq www) for
the IP addresses:
180.2.1.10xx xxxxb
as the wildcard mask is:
0.0.0.0011 1111b
and the address to check against is:
182.2.1.128
which is:
182.2.1.1000 0000b
Thus if we compare the two:
Address      Wild-card    Resulting range
10110110b    0000 0000b   182
0000 0010b   0000 0000b   2
0000 0001b   0000 0000b   1
1000 0000b   0011 1111b   128 (1000 0000b) to 191 (1011 1111b)

The range of barred addresses will thus be from 182.2.1.128 to 182.2.1.191. These will be
barred WWW access to the 180.70.1.0 subnet (from 180.70.1.0 to 180.70.1.255, using
180.70.1.0 0.0.0.255 eq www).
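The comparison worked through above can be automated. Given the base address and wildcard mask from an ACL entry, the script below prints the octet-by-octet bit table and works out which addresses the entry covers. It is an added illustration for these notes, not Cisco code, and it goes a little beyond the text: it also handles wildcards such as 0.0.0.254, whose matched addresses (the even hosts) are not one contiguous range, and it refuses to enumerate a wildcard that would cover more than 2^16 addresses.

```python
"""Expand an ACL address/wildcard pair into the addresses it matches (an added
illustration for section 7.6, not Cisco IOS code). A 1 bit in the wildcard is
a free bit, so the entry matches 2**popcount(wildcard) addresses."""
import ipaddress

MAX_FREE_BITS = 16      # refuse to enumerate more than 2**16 addresses

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def to_str(value):
    return str(ipaddress.IPv4Address(value))

def octet_bits(addr):
    """'182.2.1.128' -> ['10110110', '00000010', '00000001', '10000000']."""
    return [format(int(o), "08b") for o in addr.split(".")]

def matched_addresses(base, wildcard):
    """Every address matched by base/wildcard, in ascending order.

    Fixed bits come from base where the wildcard is 0; a counter is spread over
    the positions where the wildcard is 1 to generate every combination of free bits."""
    b, w = to_int(base), to_int(wildcard)
    free = [bit for bit in range(32) if (w >> bit) & 1]
    if len(free) > MAX_FREE_BITS:
        raise ValueError(f"wildcard {wildcard} covers 2**{len(free)} addresses")
    fixed = b & ~w & 0xFFFFFFFF
    out = []
    for n in range(1 << len(free)):
        value = fixed
        for i, bit in enumerate(free):
            if (n >> i) & 1:
                value |= 1 << bit
        out.append(value)
    return sorted(out)

def matched_range(base, wildcard):
    """(first, last, count, contiguous). The set is a contiguous range only when
    the free bits are the low-order bits (as with 0.0.0.63), not for 0.0.0.254."""
    addrs = matched_addresses(base, wildcard)
    contiguous = (addrs[-1] - addrs[0] + 1) == len(addrs)
    return to_str(addrs[0]), to_str(addrs[-1]), len(addrs), contiguous

def bit_table(base, wildcard):
    """Lines in the style of the table in the notes: address bits, wildcard bits
    and the resulting value or range for each octet."""
    first, last, _, _ = matched_range(base, wildcard)
    lines = []
    for a, w, lo, hi in zip(octet_bits(base), octet_bits(wildcard),
                            first.split("."), last.split(".")):
        lines.append(f"{a}  {w}  {lo if lo == hi else lo + ' to ' + hi}")
    return lines

if __name__ == "__main__":
    for base, wild in (("182.2.1.128", "0.0.0.63"), ("180.2.1.0", "0.0.0.254")):
        print(base, wild, matched_range(base, wild))
        print("\n".join(bit_table(base, wild)))
```

For 182.2.1.128 with wildcard 0.0.0.63 the function returns the range 182.2.1.128 to 182.2.1.191 (64 addresses, contiguous), matching the table above; for 180.2.1.0 with wildcard 0.0.0.254 it returns 128 addresses between 180.2.1.0 and 180.2.1.254 but flags them as non-contiguous, since only the even hosts are covered.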
Access point configuration

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname AP
!
enable secret 5 $1$op7P$LCHOURx5hc4Mns741ORvl/
!
ip subnet-zero
!
interface BVI1
ip address 180.2.1.130 255.255.255.192
!
interface Dot11Radio0
ip access-group 104 in
channel 11
station-role root
ssid APskills
authentication open
guest-mode
!
interface Ethernet0
ip access-group 102 in
!
!
access-list 100 deny ip host 180.2.1.134 host 180.70.1.1
access-list 100 permit ip any any
access-list 101 deny tcp 180.2.1.128 0.0.0.63 host 180.70.1.1 eq www
access-list 101 permit ip any any
access-list 102 deny tcp 180.2.1.128 0.0.0.63 180.70.1.0 0.0.0.255 eq www
access-list 102 permit ip any any
access-list 103 deny ip 180.70.1.0 0.0.0.255 180.2.1.128 0.0.0.63
access-list 103 permit ip any any
access-list 104 deny tcp 180.2.1.0 0.0.0.254 host 180.70.1.1 eq telnet
access-list 104 permit ip any any
!
line con 0
transport input none
line aux 0
line vty 0 4
Figure 7.5: Access point configuration program

7.7 Open and closed firewalls


Typically, firewalls can be defined as an open or closed firewall. An open firewall
will generally allow most traffic through, but bar certain addresses or ports (Figure
7.6). The typical style will be to deny traffic, and then permit everything else, such as:
access-list 100 deny ip host 180.2.1.134 host 180.70.1.1
access-list 100 permit ip any any

Whereas a closed firewall will restrict traffic, and only allow certain network
addresses and/or ports, such as:
access-list 100 permit ip host 180.2.1.134 host 180.70.1.1
access-list 100 deny ip any any

Figure 7.6 shows the two styles on a router with interfaces E0 and D0 (156.1.1.130),
with hosts 156.1.1.2, 161.10.11.12 and 161.10.11.13. A closed firewall permits some
things, and denies everything else:
access-list 101 permit ...
access-list 101 deny ip any any

An open firewall denies some things, and permits everything else:
access-list 101 deny ...
access-list 101 permit ip any any
Figure 7.6: Open and closed firewalls

7.8 Tutorial
For a network which has an access point at 192.168.0.110 and five wireless
clients from 192.168.0.1 to 192.168.0.5, with an SSID of APskills, complete the
following:

7.8.1 Create a firewall that blocks ping access to all other nodes on the network.
Test it, and then restore ping access.

7.8.2 Create a firewall that bars TELNET access from 192.168.0.2 to the wireless
access point. All other nodes should be able to telnet into the access point.
Next do the opposite, where only the node 192.168.0.2 is allowed to TELNET
into the access point, and the rest are not.

7.8.3 Create a firewall that bars SNMP access from all the nodes on the network to
the wireless access point. All other nodes should be able to telnet into the
access point.

7.8.4 Enable the small-servers on the wireless access point, and access the time
server port (port 7), and prove that it works from each of the clients.
Implement a firewall on the wireless access point to bar time server access
from 192.168.0.1 to the access point. Make sure that all the other nodes can
still access the port.

7.8.5 Create a firewall which blocks all hosts with even-numbered IP addresses
from accessing the web server on the access point, such as:
192.168.0.2 cannot access the wireless access point web server.
192.168.0.4 cannot access the wireless access point web server.
And so on.

7.8.6 Create a network of wireless clients where the access point has an address of
192.168.0.110, and create a firewall which blocks all hosts with odd-numbered IP
addresses from accessing the web server on the access point, such as:
192.168.0.1 cannot access the wireless access point web server.
192.168.0.3 cannot access the wireless access point web server.
And so on.

7.8.7 Create a network of wireless clients, which have the addresses 192.168.0.1,
192.168.0.2, 192.168.0.3, 192.168.0.64, and 192.168.0.65. Define a firewall rule
so that hosts with an IP address above 192.168.0.64 are allowed access to the web
server on the access point, but ones below this are barred.

For a network which has an access point at 192.168.5.254 and five wireless
clients from 192.168.5.1 to 192.168.5.253, with an SSID of APskills, complete
the following:

7.8.8 Create a firewall rule which allows hosts with addresses from 192.168.5.128 to
192.168.5.254 access to the Web server on the access point, and bars the rest of
the nodes.

7.8.9 Create a firewall rule which allows hosts with addresses from 192.168.5.64 to
192.168.5.254 access to the Web server on the access point, and bars the rest of
the nodes.

Copyright statement
This unit has been designed as an integrated unit, and should not
be modified without the authors consent.
Prof Bill Buchanan, Sept 2008


VLANs

8.1 Introduction
Layer 2 devices, such as network switches and wireless access points, can be used to
create virtual LANs (vLANs), which can enhance network security, as they can be used
to isolate one network from another, even if both connect to the same access device.
A vLAN can also be created which spans multiple access points, which leads to
the concept of open-plan networks. For wireless devices they can be used to connect
users together onto the same network, regardless of which access point they connect
to.

8.2 vLANs
vLANs are a new technology, which uses software to define a broadcast domain,
rather than any physical connections. In a vLAN a message transmitted by one node
is only received by other nodes which meet certain criteria for being in the domain.
It is made by logically grouping two or more nodes and a vLAN-initialized switching
device, such as intelligent switches (which use the MAC address to forward data
frames) or routers (which use the network address to route data packets). The
important concept with vLANs is that the domain is defined by software, and not by
physical connections.
There are two methods that can define the logical grouping of nodes within a
vLAN:

Implicit tagging. This uses a special tagging field which is inserted into the data
frames or within data packets. It can be based upon the MAC address, a switch
port number, protocol, or another parameter by which nodes can be logically
grouped. The main problem with implicit tagging is that different vendors create
different tags which make vendor interoperability difficult. This is known as
frame filtering.

Explicit tagging. This uses an additional field in the data frame or packet header.
This can also lead to incompatibility problems, as different vendor equipment
may not be able to read or process the additional field. This is known as frame
identification.

It is thus difficult to create truly compatible vLANs until the implicit and explicit
tags are standardized. One example of creating a vLAN is to map ports of a
switch to create two or more virtual LANs. For example, a switch could connect to
two servers and 16 clients. The switch could be configured so that eight of the clients
connected to one server through a vLAN, and the other eight onto the other server.
This setup is configured in software, and not by the physical connection of the
network. Figure 8.1 shows a possible implementation where nodes 1 to 8 create a
vLAN through the switch with Server1, and nodes 9 to 16 create a vLAN with
Server2. The switch would map ports to create the vLANs, where the two networks
are now independent broadcast domains (network segments), and will only receive
the broadcasts from each of their virtual LANs. Normally a switch would connect
any one of its ports to another port, and allow simultaneous connection. In this case,
the switch allows for multiple connections onto a segment. Now, with the vLAN,
data frames transmitted on one network segment will stay within that segment and
are not transmitted to the other vLAN.
Figure 8.1 Creating a vLAN by mapping ports of a switch (VLAN1: PC1 to PC8 with
Server1; VLAN2: PC9 to PC16 with Server2)

8.3 Advantages of vLANs

The main advantages of using vLANs are:

Creation of virtual networks. Just as many organizations build open-plan offices
which can be changed when required, vLANs can be used to reconfigure the
logical connections to a network without actually having to physically move any
of the resources. This is especially useful in creating workgroups where users
share the same resources, such as databases and disk storage.

Ease of administration. vLANs allow networks to be easily configured, possibly
at a distance from the configured networks. In the past reconfiguration has meant
recabling and the movement of networked resources. With vLANs the resources
can be configured with software to set up the required network connections.

Improved bandwidth usage. Normally users who work in a similar area share
resources. This is typically known as a workgroup. If workgroups can be isolated
from other workgroups then traffic which stays within each of the workgroups
does not affect other workgroups. A vLAN utilizes this concept by grouping
users who share information and configuring the networked resources around
them. This makes much better usage of bandwidth than workgroup users who
span network segments. The amount of broadcast traffic on the whole network is
also reduced, as broadcasts can be isolated within each of the workgroups. A
typical drain on network bandwidth is when network servers broadcast their
services at regular intervals (in Novell NetWare this can be once every minute,
and is known as the Service Advertising Protocol). With vLANs these broadcasts
would be contained within each of the vLANs that the server is connected to.

Microsegmentation. This involves dividing a network into smaller segments,
which will increase the overall bandwidth available to networked devices.

Enhanced security. vLANs help to isolate network traffic so that traffic which
stays within a vLAN will not be transmitted outside it. Thus it is difficult for an
external user to listen to any of the data that is transmitted across the vLAN,
unless they can get access to one of the ports of the vLAN device. This can be
difficult as this would require a physical connection, and increases the chances of
the external user being caught spying on the network.

Relocate servers into secured locations. vLANs allow servers to be put in a
physical location in which they cannot be tampered with. This will typically be in
a secure room, which is under lock and key. The vLAN can be used to map hosts
to servers.

Easy creation of IP subnets. vLANs allow the creation of IP subnets, which are
not dependent on the physical location of a node. Users can also remain part of a
subnet, even if they move their computer.

8.4 vLAN structure


A vLAN can be created by connecting workgroups by a common backbone, where
broadcast frames are switched only between ports within the same vLAN. This
requires port-mapping to establish the broadcast domain, which is based on a port
ID, MAC address, protocol or application. Each frame is tagged with a VLAN ID.
Figure 8.2 illustrates that switches are one of the core components of a VLAN. Each
switch is intelligent enough to decide whether to forward a data frame, based on
VLAN metrics (such as port ID, MAC address or network address), and to
communicate this information to other switches and routers within the network. The
switching is based on frame filtering or frame identification.
Most early vLANs were based on frame filters, but the IEEE 802.1Q vLAN
standard is based on frame tagging, as this allows for scalable networks. With frame
tagging, each frame has a uniquely assigned user-defined ID. A unique identifier in
the header of each frame is forwarded throughout the network backbone (vertical
cabling), as illustrated in Figure 8.3. Each switch then reads the identifier, and if the
frame is part of a network which it controls, the switch removes the identifier before
the frame is transmitted to the target node (horizontal cabling). As the switching
occurs at the data link layer, there is not a great processing time overhead.

Figure 8.2 vLANs using a backbone and switches (VLAN1 and VLAN2 spanning the
backbone)

Figure 8.3 vLANs using frame tagging (data frames carry a VLAN1 or VLAN2 identifier
across the backbone)

8.5 VLAN broadcasts


vLANs rely on broadcasts to the virtual network, but they are constrained within the
virtual network, and thus are not transmitted to other virtual networks. This should
reduce the amount of overall network broadcasts (especially from broadcast storms).
The broadcast domain can be reduced by limiting the number of switched ports
which connect to a specific vLAN. The smaller the grouping, the lower the broadcast
effect.


8.6 vLANs and security


vLANs increase the security of data, as transmitted data is confined to the vLAN in
which it is transmitted. These provide natural firewalls, in which external users
cannot gain access to the data within a vLAN. This security occurs as switch ports
can be grouped based on the application type and access privileges. Restricted
applications and resources can be placed in a secured VLAN group.
The two types of vLANs are:

Static vLANs. These are ports on a switch that are statically assigned to a VLAN.
These remain permanently assigned, until they are changed by the administrator.
Static vLANs are secure and easy to configure, and are useful where vLANs are
fairly well defined.

Dynamic VLANs. These are ports on a switch which automatically determine
their VLAN assignments. This is achieved with intelligent management software,
using MAC addresses, logical addressing, or the protocol type of the data
packets. Initially, when a node connects to the switch, the switch detects its MAC
address entry in the VLAN management database and dynamically configures
the port with the corresponding VLAN configuration. The advantage of dynamic
vLANs is that they require less setup from the administrator (but the database
must be initially created).

The broadcast domain in a vLAN is defined by each vLAN, as illustrated in Figure 8.4.
A node broadcasting into the vLAN will only be transmitted to nodes within its
vLAN. Nodes not connected to the same vLAN, even although they connect to the
same switch as the broadcasting node, will not receive the broadcast. The only way
for nodes to intercommunicate across differing vLANs is to be routed through a
router (as illustrated in Figure 8.5).

Figure 8.4 Broadcast domains for vLANs (VLAN1 and VLAN2 each form their own
broadcast domain)

Note that a broadcast domain extends the full length of the vLAN, and not onto
other vLANs. A router does not forward broadcasts, thus the vLAN is isolated from
other networks. The router provides intercommunication between vLANs, and security
is enhanced by implementing security restrictions on the ports of the router.
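The tagging of section 8.4 and the broadcast containment of sections 8.5 and 8.6 can be seen together in the following toy model of a VLAN-aware switch. It is an added illustration for these notes, not the code of any real switch: it builds and parses Ethernet frames with the 4-byte 802.1Q tag (TPID 0x8100 followed by priority and VLAN ID), floods a broadcast only to ports in the frame's VLAN, and strips the tag before delivering to an access port, as the text describes. The MAC addresses, port names and payloads are constructed for the example.

```python
"""802.1Q tagging and per-VLAN flooding in a toy switch model (an added
illustration of sections 8.4 to 8.6, not the code of any real switch).
MAC addresses, port names and payloads below are constructed."""
import struct

TPID_8021Q = 0x8100
ETH_IP = 0x0800
BROADCAST = bytes.fromhex("ffffffffffff")

def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Ethernet II frame; with vlan set, a 4-byte 802.1Q tag follows the source MAC."""
    header = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan          # PCP (3 bits), DEI (1 bit, 0 here), VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]

class Switch:
    """Access ports belong to one VLAN and carry untagged frames; trunk ports carry
    tagged frames for every VLAN. Flooding is confined to the frame's VLAN."""

    def __init__(self):
        self.access = {}        # port -> vlan
        self.trunks = set()
        self.mac_table = {}     # (vlan, mac) -> port, learned from source addresses

    def add_access(self, port, vlan):
        self.access[port] = vlan

    def add_trunk(self, port):
        self.trunks.add(port)

    def receive(self, in_port, frame):
        """Forward one frame; returns {out_port: frame as sent on that port}."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        if in_port in self.access:
            vid = self.access[in_port]     # VLAN comes from the port, any tag is ignored
        elif vid is None:
            return {}                      # untagged on a trunk: no native VLAN here, drop
        self.mac_table[(vid, src)] = in_port
        known = self.mac_table.get((vid, dst))
        if dst != BROADCAST and known is not None:
            targets = [] if known == in_port else [known]
        else:                              # broadcast or unknown unicast: flood within the VLAN only
            targets = [p for p, v in self.access.items() if v == vid and p != in_port]
            targets += [p for p in self.trunks if p != in_port]
        tagged = build_frame(dst, src, ethertype, payload, vlan=vid)
        untagged = build_frame(dst, src, ethertype, payload)   # tag stripped for access ports
        return {p: (tagged if p in self.trunks else untagged) for p in targets}

def demo():
    """Two VLANs on one switch plus a trunk; returns what each port receives."""
    sw = Switch()
    for port, vlan in (("p1", 1), ("p2", 1), ("p3", 2), ("p4", 2)):
        sw.add_access(port, vlan)
    sw.add_trunk("t1")
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    # 1. ARP-style broadcast from PC A on VLAN1: reaches p2 and the trunk (tagged), never VLAN2
    out1 = sw.receive("p1", build_frame(BROADCAST, mac_a, ETH_IP, b"who-has"))
    # 2. tagged frame arriving on the trunk for VLAN2: flooded untagged to p3 and p4 only
    out2 = sw.receive("t1", build_frame(BROADCAST, mac_b, ETH_IP, b"hello", vlan=2))
    # 3. unicast to PC A from p2: delivered only to the port where PC A was learned
    out3 = sw.receive("p2", build_frame(mac_a, mac_b, ETH_IP, b"reply"))
    return out1, out2, out3
```

In `demo()` the broadcast from VLAN1 never appears on p3 or p4, the copy on the trunk carries VID 1, and the copies for access ports have the tag removed. The MAC table is keyed by (VLAN, MAC) rather than by MAC alone; keeping it per VLAN is what stops a learned address on one VLAN from steering frames of another, which is the isolation property the text relies on.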

8.7 VLAN broadcast domains


As previously mentioned the broadcast domain is important, as nodes use it to
determine the MAC addresses of nodes within their vLAN. In Figure 8.5, a node on
VLAN1 could only communicate with a node on VLAN2 if it used the network
address of the node on VLAN2. For example, if Node A communicates with Node B,
it would broadcast an ARP request into its vLAN for the MAC address of Node B,
which would be returned back into the vLAN. Node A can then communicate with
Node B, as it uses the MAC address of Node B, and its network layer address. If
Node A wishes to communicate with Node C, it will send out an ARP request to the
port on the router to which it connects (its gateway). This port will respond back with
its MAC address. Node A will then send out a data frame with the MAC address of
the gateway, and the destination address of Node C. The router will then forward it
onto the port which has Node C connected to it, and changes the destination MAC
address to the MAC address of Node C (if it already knows it, else it would initially
send out an ARP request for it). The router will generally test the incoming data
frame for security purposes, and will only forward it if Node A is allowed to
communicate with Node C (allowing for certain conditions).

Figure 8.5 Broadcast domains for vLANs (VLAN1 and VLAN2 intercommunicate through
the router)

8.8 Wireless access and VLANs


The Aironet device can be set up so that it supports IEEE 802.1Q tagging. Thus the
following sets up two SSIDs (MyVLAN1 and MyVLAN2):
(config)# interface BVI1
(config-if)# ip address 192.168.0.110 255.255.255.0
(config)# interface Dot11Radio0
(config-if)# mbssid guest-mode
(config-if)# encryption key 1 size 40bit aaaaaaaaaa transmit-key
(config-if)# encryption mode ciphers tkip wep40
(config-if)# ssid APskills1
(config-if)# exit
(config)# dot11 ssid APskills1
(config-ssid)# authentication open
(config-ssid)# guest-mode
(config)# dot11 ssid MyVLAN1
(config-ssid)# vlan 1
(config-ssid)# authentication open
(config)# dot11 ssid MyVLAN2
(config-ssid)# authentication open
(config-ssid)# vlan 2

Next the sub-interfaces for the radio port can be defined to use IEEE 802.1Q
tagging, and assigned to a bridge group:
(config)# interface Dot11Radio0.1
(config-if)# encapsulation dot1Q 1 native
(config-if)# bridge-group 1
(config-if)# interface Dot11Radio0.2
(config-if)# encapsulation dot1Q 2
(config-if)# bridge-group 2
Using show vlan, the output is of the form:
Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:   Dot11Radio0.1
                            Virtual-Dot11Radio0.1

This is configured as native Vlan for the following interface(s) :
Dot11Radio0
Virtual-Dot11Radio0

   Protocols Configured:   Address:              Received:        Transmitted:
        Bridging        Bridge Group 1                17                9
        Bridging        Bridge Group 1                17                9

Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:   Dot11Radio0.2
                            Virtual-Dot11Radio0.2

   Protocols Configured:   Address:              Received:        Transmitted:
        Bridging        Bridge Group 2                 1                0
        Bridging        Bridge Group 2                 1                0

Devices on each VLAN should not be able to communicate with each other. If they
need to, they can be assigned to the same bridge-group with:
(config-if)# interface Dot11Radio0.2
(config-if)# no bridge-group 2
(config-if)# bridge-group 1

8.9 Wireless access and VLANs


VLANs can extend into wireless domains using a wireless access point which has
IEEE 802.1Q tag awareness. Thus data frames which are destined for different
VLANs are transmitted by the access point onto different SSIDs, so that only
clients which are associated with the specific VLAN will receive the data frames.
Also, data frames which are destined for VLANs on a wireless network carry an
802.1Q tag.
In a wireless system, a VLAN is identified with its VLAN ID, which must be
specified on the SSID (Figure 8.6). Two of the most common methods for
segmenting the wireless network are:

User groups. This is used to define different security policies for user groups,
such as between full-time staff and guests.

Device types. This could relate to different types of devices which connect, such
as between simple wireless devices which can only support simple security
methods, and more complex ones for workstations.

Figure 8.6 VLAN segmentation on a wireless network (SSID VLAN1, SSID VLAN2 and
SSID VLAN3 each mapped to their own VLAN)


8.10 Enabling trunking between VLANs


In the example in Figure 8.7 there are two SSIDs for each access point. The SSIDs of
Scotland, Ireland and France will connect to VLAN 1, and England, Wales and
Germany connect to VLAN 2. The switch is set up as:
# config t
(config)# int vlan 1
(config-vlan)# exit
(config)# int vlan 2
(config-vlan)# exit
(config)# int fa0/1
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# int fa0/2
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# int fa0/3
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate

Aironet 1 is setup with:


# config t
(config)# dot11 ssid Scotland
(config-ssid)# mbssid guest-mode
(config-ssid)# authentication open
(config-ssid)# vlan 1
(config-ssid)# exit
(config)# dot11 ssid England
(config-ssid)# mbssid guest-mode
(config-ssid)# authentication open
(config-ssid)# vlan 2
(config-ssid)# exit
(config)# int BVI1
(config-if)# ip address 10.0.0.4 255.255.255.0
(config-if)# no shut
(config-if)# exit
(config)# int d0
(config-if)# mbssid
(config-if)# ssid Scotland
(config-if)# ssid England
(config-if)# channel 1
(config-if)# no shut
(config-if)# exit
(config-if)# int fa0
(config-if)# no shut
(config-if)# exit
(config)# int d0.1
(config-if)# encapsulation dot1q 1 native
(config-if)# bridge-group 1
(config-if)# int fa0.1
(config-if)# encapsulation dot1q 1 native
(config-if)# bridge-group 1
(config-if)# int d0.2
(config-if)# encapsulation dot1q 2
(config-if)# bridge-group 2
(config-if)# int fa0.2
(config-if)# encapsulation dot1q 2
(config-if)# bridge-group 2
(config-if)# exit

The native VLAN subinterfaces (d0.1 and fa0.1) are placed in bridge-group 1, the group which carries the BVI1 address, and the VLAN 2 subinterfaces are placed in bridge-group 2, so that the two VLANs are never bridged together inside the access point.

Figure 8.7 VLAN segmentation on a wireless network


In this case FA0/1, FA0/2 and FA0/3 on the switch are used as trunk ports, with VLANs 1 and 2 trunked between them. Thus a node on one access point can communicate with a node on a different access point if they are on the same VLAN. On the access point, a show vlan command should identify the connections:
# show vlan
Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:   Dot11Radio0.1
                            Virtual-Dot11Radio0.1
This is configured as native Vlan for the following interface(s) :
Dot11Radio0
Virtual-Dot11Radio0
   Protocols Configured:   Address:              Received:        Transmitted:
        Bridging        Bridge Group 1                17                9
        Bridging        Bridge Group 1                17                9

Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:   Dot11Radio0.2
                            Virtual-Dot11Radio0.2
   Protocols Configured:   Address:              Received:        Transmitted:
        Bridging        Bridge Group 2                 1                0
        Bridging        Bridge Group 2                 1                0

8.11 Enabling routing between VLANs

In the previous example two nodes can communicate if they are on the same VLAN and on the same subnet. If two nodes are not on the same VLAN, even if they are on the same subnet, they cannot communicate. If clients on different VLANs are required to intercommunicate, IP routing is needed. On the 3550 switch the following is defined:
(config)# ip routing
(config)# vlan 1
(config-vlan)# exit
(config)# int vlan 1
(config-if)# ip address 10.0.0.254 255.255.255.0
(config-if)# exit
(config)# vlan 2
(config-vlan)# exit
(config)# int vlan 2
(config-if)# ip address 10.0.1.254 255.255.255.0
(config-if)# exit

This will then allow routing between the VLANs, so that all of the nodes should now be able to communicate. The default gateway for nodes in VLAN 1 is set to 10.0.0.254, and for VLAN 2 to 10.0.1.254, which sends all traffic for other subnets to the switch. Note that once the switch routes between the VLANs, the isolation that the separate SSIDs and VLANs gave at layer 2 (for example between staff and guests) no longer exists at layer 3, so any separation which is still required must be enforced with access lists applied to the VLAN interfaces on the switch.
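As an added example (not part of the original notes), the following Python script audits an Aironet running-config of the kind built in sections 8.9 to 8.11. For each dot11 ssid it checks that the VLAN has a Dot11Radio and a FastEthernet subinterface tagged with that VLAN and that both sit in the same bridge group, flags any bridge group which carries more than one VLAN (which would merge the VLANs inside the access point), and notes any SSID left on open authentication with no EAP list. The two configuration texts are constructed for the example: LAB_CONFIG mirrors the Aironet 1 setup above, and BROKEN_CONFIG adds a third SSID (Guests, VLAN 3, an assumed name) with no wired subinterface and puts fa0.2 in the wrong bridge group.

```python
"""Audit an Aironet IOS config for consistent SSID / VLAN / bridge-group mappings.

Added example: not from the original notes. The config texts are constructed
for the example; the parser only understands the commands used in this unit.
"""
import re
from collections import defaultdict

SSID_RE = re.compile(r"^dot11 ssid (\S+)$")
IFACE_RE = re.compile(r"^interface (\S+)$")
ENCAP_RE = re.compile(r"^encapsulation dot1q (\d+)( native)?$", re.IGNORECASE)
BRIDGE_RE = re.compile(r"^bridge-group (\d+)$")
VLAN_RE = re.compile(r"^vlan (\d+)$")

# Constructed config mirroring the Aironet 1 setup in section 8.10.
LAB_CONFIG = """\
dot11 ssid Scotland
 vlan 1
 authentication open
 mbssid guest-mode
!
dot11 ssid England
 vlan 2
 authentication open
 mbssid guest-mode
!
interface Dot11Radio0
 mbssid
 ssid Scotland
 ssid England
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface BVI1
 ip address 10.0.0.4 255.255.255.0
!
"""

# Constructed variant with two deliberate mistakes: fa0.2 is in bridge-group 1,
# and the Guests SSID (VLAN 3) has no FastEthernet subinterface at all.
BROKEN_CONFIG = LAB_CONFIG.replace(
    "interface FastEthernet0.2\n encapsulation dot1Q 2\n bridge-group 2",
    "interface FastEthernet0.2\n encapsulation dot1Q 2\n bridge-group 1",
) + """\
dot11 ssid Guests
 vlan 3
 authentication open
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
!
"""


def parse_config(text):
    """Return (ssids, subifs): ssid name -> {vlan, auth}; tagged subinterface -> {vlan, native, bridge_group}."""
    ssids, ifaces = {}, {}
    block = None  # ("ssid", name) or ("iface", name) while inside a config block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None
            continue
        m = SSID_RE.match(line)
        if m:
            block = ("ssid", m.group(1))
            ssids[m.group(1)] = {"vlan": None, "auth": None}
            continue
        m = IFACE_RE.match(line)
        if m:
            block = ("iface", m.group(1))
            ifaces[m.group(1)] = {"vlan": None, "native": False, "bridge_group": None}
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "ssid":
            m = VLAN_RE.match(line)
            if m:
                ssids[name]["vlan"] = int(m.group(1))
            elif line.startswith("authentication "):
                ssids[name]["auth"] = line.split(None, 1)[1]
        else:
            m = ENCAP_RE.match(line)
            if m:
                ifaces[name]["vlan"] = int(m.group(1))
                ifaces[name]["native"] = m.group(2) is not None
                continue
            m = BRIDGE_RE.match(line)
            if m:
                ifaces[name]["bridge_group"] = int(m.group(1))
    subifs = {n: s for n, s in ifaces.items() if s["vlan"] is not None}
    return ssids, subifs


def audit(text):
    """Return a sorted list of findings (one string each) for the config text."""
    ssids, subifs = parse_config(text)
    findings = []
    by_vlan = defaultdict(dict)          # vlan -> {"radio": subif, "ethernet": subif}
    vlans_per_bridge = defaultdict(set)  # bridge group -> set of VLANs it carries
    for name, sub in subifs.items():
        side = "radio" if name.lower().startswith("dot11radio") else "ethernet"
        by_vlan[sub["vlan"]][side] = sub
        if sub["bridge_group"] is not None:
            vlans_per_bridge[sub["bridge_group"]].add(sub["vlan"])
    for bg, vlans in sorted(vlans_per_bridge.items()):
        if len(vlans) > 1:
            findings.append(f"bridge-group {bg} carries VLANs {sorted(vlans)}: the VLANs are merged at layer 2")
    for name, ssid in sorted(ssids.items()):
        vlan = ssid["vlan"]
        if vlan is None:
            findings.append(f"SSID {name}: no VLAN configured")
            continue
        sides = by_vlan.get(vlan, {})
        for side in ("radio", "ethernet"):
            if side not in sides:
                findings.append(f"SSID {name} (VLAN {vlan}): no {side} subinterface tagged with VLAN {vlan}")
        if len(sides) == 2:
            groups = {sub["bridge_group"] for sub in sides.values()}
            if len(groups) != 1 or None in groups:
                findings.append(f"SSID {name} (VLAN {vlan}): radio and ethernet subinterfaces are in different bridge groups")
        if ssid["auth"] == "open":
            findings.append(f"SSID {name} (VLAN {vlan}): authentication open with no EAP method list")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg):
            print(" ", finding)
```

The lab configuration produces only the two open-authentication notes, while the broken one also reports the merged bridge group, the bridge-group mismatch on VLAN 2 and the missing wired subinterface for VLAN 3; a shared bridge group is the silent failure mode, since the access point will happily bridge guest frames into the staff VLAN without any error.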

Copyright statement
This unit has been designed as an integrated unit, and should not
be modified without the authors consent.
Prof Bill Buchanan, Sept 2008


Other Wireless Technologies

9.1 Introduction
There are many issues that wireless will have to address over the next few years. These include:

- More bandwidth. The demand for wireless bandwidth will increase, especially with Voice/Video over IP.
- Better use of bandwidth. The current usage of bandwidth in wireless is inefficient, and does not provide a great deal of bandwidth for each unit of physical space.
- Mobility. This will allow users to move through wireless spaces, and keep their connections, seamlessly.
- Scalability. This will allow for large-scale networks.
- Convergence. This will allow many different types of wireless system to be integrated together, especially for different device types and different types of wireless (Bluetooth, UWB, IEEE 802.11, and so on).
- Compatibility.
- Power consumption.
- Security.

This unit looks at some of the evolving technologies, including WiMax, UWB, and 4G.

9.2 Mobile, WMANs, WPANs and WLANs

There is a wide range of networks, from large-scale ones, such as the mobile phone network, to small-scale ones, such as Bluetooth networks. Figure 9.1 shows the possible integration, where piconets create Personal Area Networks (WPANs), which connect to a WLAN for local connectivity, and the WLAN and cellular networks then connect for wide-scale access.

Figure 9.1 Integration of wireless networks


The basic ranges and data rates for each of the main technologies are given in Figure 9.2. For WPANs, the technology moves from ZigBee (good coverage, low data rate) to Bluetooth (medium data rate, low coverage) and then on to UWB (highest data rates). IEEE 802.11 has reasonable data rates, but limited coverage. This gap can be filled by IEEE 802.16 (WiMax) and/or cellular technology (GSM 2G, 3G and now on to 4G).

Figure 9.2 Integration of wireless networks: range against data rate (0.01 to 1000 Mbps). WPAN: Bluetooth (10 m), ZigBee (300 m), UWB; WLAN: WiFi (100 m); WMAN (fixed): IEEE 802.16; Cellular (mobile): 2G, 3G, 4G.

9.3 WiMax
One of the major problems in networking is the last-mile problem, where the cables that connect households are typically of poor quality, and are thus limited in their bandwidth capacity (Figure 9.3). IEEE 802.16 (WiMax) provides "a standards-based technology enabling the delivery of last mile wireless broadband access as an alternative to cable and DSL", and connects devices through Wi-Fi hotspots. It also provides 4G services (high-speed mobile data and telecommunications services) and, at present, backup Internet access and mobility.
WiMax is typically a compromise of either high bandwidth with lower coverage, or high coverage with lower bandwidth. The headline data rate is 70 Mbps over 70 miles (112 km), but more typically it is 10 Mbps (shared) at 10 km for line-of-sight, and around 10 Mbps (shared) at 3 km for non-line-of-sight. Users then have 2, 4, 8 or 10 Mbps from an available bandwidth of 100 Mbps for a region. The main application for WiMax is likely to be to span wide areas (Figure 9.4), where the wireless provides a backbone to local connections within homes and businesses, with antennas relaying data over line-of-sight connections.

Figure 9.3 The last mile

Figure 9.4 Connections for WiMax


9.4 UWB
To be covered in the lecture.

9.5 4G
To be covered in the lecture.

9.6 Spatial bandwidth
To be covered in the lecture.

9.7 RFID
To be covered in the lecture.

9.8 Site Surveys
To be covered in the lecture.

9.9 Mesh Networks
To be covered in the lecture.


Wireless LANs Challenges

10 Wireless Emulator (Challenges)

10.1 Introduction
The following relates to the wireless emulator challenges. Refer to:
http://networksims.com/simtests.html for Wireless test
http://networksims.com/downloads/napier.zip for the Simulator (register with your
Napier matriculation ID).

10.2 Challenge 1 (BVI 1)


The following sets up the BVI 1 port:
> enable
# config t
(config)# int bvi 1
(config-if)# ip address 158.234.223.7 255.192.0.0
(config-if)# description cisco
(config-if)# int e0
(config-if)# no shut
(config-if)# description production depart
(config-if)# speed 10
(config-if)# int d0
(config-if)# no shut

Explanation
One of the most popular access points for creating infrastructure networks is the Cisco Aironet 1200 device, which is an industry-standard wireless access point. It has two main networking ports: a radio port named Dot11radio0 (D0) and an Ethernet one (E0 or FA0). Each of these ports can be programmed with an IP address, but a special port named BVI1 is normally used to define the IP address for both ports. Figure 1 outlines this, and how the port is programmed.

Figure 1 Setting the IP address of the wireless access point. The access point has a radio port dot11radio0 (d0), an Ethernet port e0 (fa0), a console port and an antenna connector; the bvi 1 port is used to configure both network ports with the same address:
# config t
(config)# int bvi1
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# exit

10.3 Challenge 2 (E0)


The following sets up the E0 port:
> enable
# config t
(config)# int bvi 1
(config-if)# ip address 158.234.223.7 255.192.0.0
(config-if)# description cisco
(config-if)# int e0
(config-if)# no shut
(config-if)# description production depart
(config-if)# speed 10
(config-if)# duplex full
(config-if)# cdp enable

10.4 Challenge 3 (D0)


The following sets up the D0 port:
> en
# config t
(config)# int bvi1
(config-if)# ip address 202.86.171.1 255.255.255.254
(config-if)#int d0
(config-if)# no shut
(config-if)# exit
(config)# hostname oslo
oslo (config)# ip default-gateway ?
  A.B.C.D  IP address of default gateway
oslo (config)# ip default-gateway 136.182.33.11
oslo (config)#

Explanation


Another important configuration is the default gateway, which is used to redirect any data packets which are not destined for the local network. The wireless access point sends data packets with an unknown destination to the default gateway, which will, hopefully, find a destination for them, or at least know of another router which might be able to help in routing the packets. In most cases the default gateway is defined as the IP address of the router port which connects to the Ethernet connection of the wireless access point. An example configuration is:
# config t
(config)# ip ?
(config)# ip default-gateway ?
(config)# ip default-gateway 192.168.1.254
(config)# exit

10.5 Challenge 4 (SSID and radio channel)


The following sets up the SSID and the radio channel:
> en
# config t
(config)# int d0
(config-if)# ssid minnesota
(config-if-ssid)# exit
(config-if)# int d0
(config-if)# channel ?
  <1-2472>         One of: 1 2 3 4 5 6 7 8 9 10 11 12 13 2412 2417 2422 2427
                   2432 2437 2442 2447 2452 2457 2462 2467 2472
  least-congested  Scan for best frequency
(config-if)# channel 1
(config-if)# exit
(config)# ip default-gateway 205.98.14.11
(config)# ip domain-name moray.ll
(config)# hostname northdakota

Example IOS Version 12.3


> en
# config t
(config)# dot11 ssid minnesota
(config-ssid)# exit
(config)# int d0
(config-if)# ssid minnesota
(config-if)# int d0
(config-if)# channel ?
  <1-2472>         One of: 1 2 3 4 5 6 7 8 9 10 11 12 13 2412 2417 2422 2427
                   2432 2437 2442 2447 2452 2457 2462 2467 2472
  least-congested  Scan for best frequency
(config-if)# channel 1
(config-if)# exit
(config)# ip default-gateway 205.98.14.11
(config)# ip domain-name moray.ll
(config)# hostname northdakota

Note that the setting of SSID is now done in the global configuration mode, and the
SSID is then associated with the D0 port.
Explanation


The radio SSID (Service Set ID) identifies a wireless network within a limited physical domain. It is set up within the access point with:
# config t
(config)# int dot11radio0
(config-if)# ssid fred
(config-if-ssid)# guest-mode

which sets up an SSID of fred and enables guest mode, in which the SSID is broadcast in the beacon so that clients with no SSID configured can associate with it. Along with the SSID it is also possible to define a beacon period, the interval at which the beacon frame is sent, such as:
# config t
(config)# int dot11radio0
(config-if)# beacon ?
  dtim-period  dtim period
  period       beacon period
(config-if)# beacon period ?
  <20-4000>  Kusec (or msec)
(config-if)# beacon period 1000

which defines a beacon period of 1000 Kusec (units of 1024 microseconds, so just over 1 second).

The channel setting is an important one, as it defines the frequency of the communications channel. The 2.4 GHz band defines 14 channels, numbered 1 to 14, of which 1 to 13 may be used in Europe (channel 14 is permitted only in Japan). Each has its own transmission/reception frequency, as illustrated in Figure 1, and since each channel is about 22 MHz wide, only channels at least five numbers apart (such as 1, 6 and 11) do not overlap. Careful planning of these channels is important, especially in creating wireless domains which overlap, as this allows users to roam around the physical space. The example in Figure 1 shows that it is possible to achieve good coverage, without overlapping domains using the same frequency, with just three channels.

Channel   Centre frequency (MHz)
1         2412
2         2417
3         2422
4         2427
5         2432
6         2437
7         2442
8         2447
9         2452
10        2457
11        2462
12        2467
13        2472
14        2484

Figure 1 Channels in an area

The channel is defined within the D0 interface:
(config)# int dot11radio0
(config-if)# channel ?
  <1-2472>         One of: 1 2 3 4 5 6 7 8 9 10 11 12 13 2412 2417 2422 2427
                   2432 2437 2442 2447 2452 2457 2462 2467 2472
  least-congested  Scan for best frequency
(config-if)# channel 7
(config-if)# no shutdown
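As an added example (not part of the original notes), the following Python code turns the channel table and the three-channel reuse plan above into a check that can be run against a site plan. It uses the centre frequencies from the table, assumes the 22 MHz channel width of 802.11b DSSS, and goes slightly beyond the text by also handling the Japan-only channel 14. The access point names and the adjacency (which cells overlap on the site survey) in the sample plan are constructed for the example.

```python
"""2.4 GHz channel overlap check for a wireless site plan.

Added example (not from the original notes). Centre frequencies follow the
channel table in this unit; the 22 MHz width is the 802.11b DSSS channel
width (802.11g OFDM occupies about 20 MHz). AP names and adjacency in the
sample plan are constructed.
"""
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22


def channel_centre_mhz(channel):
    """Centre frequency: 2412 MHz for channel 1, 5 MHz steps up to 2472 (13); channel 14 sits at 2484."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no such 2.4 GHz channel: {channel}")


def channels_overlap(a, b):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(channel_centre_mhz(a) - channel_centre_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_plan(allowed):
    """Largest set of mutually non-overlapping channels from `allowed`.

    Every channel has the same width, so taking the lowest remaining channel
    that does not overlap the previous pick is the optimal greedy choice
    (interval scheduling by earliest finish)."""
    chosen = []
    for ch in sorted(allowed):
        if not chosen or not channels_overlap(chosen[-1], ch):
            chosen.append(ch)
    return chosen


def plan_conflicts(assignment, adjacent):
    """Return (ap1, ap2) pairs whose cells overlap AND whose channels overlap.

    assignment: {ap_name: channel}
    adjacent:   set of frozenset({ap1, ap2}) for cells that overlap on the survey"""
    conflicts = []
    for ap1, ap2 in combinations(sorted(assignment), 2):
        if frozenset((ap1, ap2)) in adjacent and channels_overlap(assignment[ap1], assignment[ap2]):
            conflicts.append((ap1, ap2))
    return conflicts


if __name__ == "__main__":
    print("ETSI channels 1-13:", non_overlapping_plan(range(1, 14)))
    print("Japan channels 1-14:", non_overlapping_plan(range(1, 15)))
    # Constructed three-cell plan in which every cell touches the other two.
    cells = {"AP-A": 1, "AP-B": 6, "AP-C": 11}
    touching = {frozenset(pair) for pair in combinations(cells, 2)}
    print("good plan conflicts:", plan_conflicts(cells, touching))
    cells["AP-C"] = 4  # only three channel numbers away from AP-A
    print("bad plan conflicts:", plan_conflicts(cells, touching))
```

For channels 1 to 13 the plan returns 1, 6 and 11, which is the three-channel reuse pattern the figure relies on; moving one access point to channel 4 is reported as a conflict with both of its neighbours, which is exactly the co-channel interference a site survey is meant to prevent.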

10.6 Challenge 5
The following sets up the enable password and a local user for Web (HTTP) access:
> en
# config t
(config)# enable ?
  last-resort  Define enable action if no TACACS servers respond
  password     Assign the privileged level password
  secret       Assign the privileged level secret
  use-tacacs   Use TACACS to check enable passwords
(config)# enable password hotel
(config)# enable secret hotel
(config)# username lynn password foxtrot
(config)# ip http server

Explanation
A wireless access point is typically accessible through the TELNET and/or HTTP protocols. The HTTP service is important as it allows remote access through a Web browser, and can be authenticated locally with:
# config t
(config)# username ?
(config)# username fred password bert
(config)# ip http ?
(config)# ip http server
(config)# ip http authentication local
(config)# exit

This type of authentication is not the most secure but it offers a simple way to block access to the access point. Thus, when a user tries to access the wireless access point they will not be allowed to connect unless they have the correct username and password, as shown in Figure 1. If the user has the correct username and password, the Web page will show the device settings (left-hand side of Figure 2), otherwise there will be an authentication failure (right-hand side of Figure 2). Note that both TELNET and HTTP carry the username and password in clear text over the network, and that an enable password (unlike an enable secret, which is stored as a hash) is stored in a reversible form in the configuration; where the IOS image supports them, SSH and HTTPS (ip http secure-server) should be used for management, and the enable secret should be set rather than the enable password.


Figure 1 Local authentication

Figure 2 Web access success and failure

Often a new HTTP port is required (to stop users from trying to access the Web page on the standard port). Thus to change the port:
# config t
(config)# ip http port 8080

Now we cannot access the Web page with the standard port (80), and we must add the port to the address after a colon, as shown in Figure 3. Changing the port only hides the service from casual users, as a port scan will still find it, so access should also be restricted with ip http access-class and a standard access list naming the management hosts.


Figure 3 Change of HTTP port

10.7 Challenge 6
The following sets up radio port settings:
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# beacon ?
  dtim-period  dtim period
  period       beacon period
(config-if)# beacon period ?
  <20-4000>  Kusec (or msec)
(config-if)# beacon period 2000
(config-if)# power ?
  client  Client radio transmitter power level
  local   Local radio transmitter power level
(config-if)# power local ?
  <1-50>   One of: 1 5 20 30 50
  maximum  Set local power to allowed maximum
(config-if)# power local 5
(config-if)# power client ?
  <1-50>   One of: 1 5 20 30 50
  maximum  Set client power to allowed maximum
(config-if)# power client 5
(config-if)# ?
Interface configuration commands:
  access-expression       Build a bridge boolean access expression
  antenna                 dot11 radio antenna setting
  arp                     Set arp type (arpa, probe, snap) or timeout
  bandwidth               Set bandwidth informational parameter
  beacon                  dot11 radio beacon
  bridge-group            Transparent bridging interface parameters
  broadcast-key           Configure broadcast key rotation period
  carrier-delay           Specify delay for interface transitions
  cdp                     CDP interface subcommands
  channel                 Set the radio frequency
  countermeasure          countermeasure
  custom-queue-list       Assign a custom queue list to an interface
  dampening               Enable event dampening
  default                 Set a command to its defaults
  delay                   Specify interface throughput delay
  description             Interface specific description
  dot11                   IEEE 802.11 config interface commands
  dot1x                   IEEE 802.1X subsystem
  encryption              Configure dot11 encryption parameters
  exit                    Exit from interface configuration mode
  fair-queue              Enable Fair Queuing on an Interface
  fragment-threshold      IEEE 802.11 packet fragment threshold
  help                    Description of the interactive help system
  hold-queue              Set hold queue depth
  infrastructure-client   Reserve a dot11 virtual interface for a WGB client
  ip                      Interface Internet Protocol config commands
  keepalive               Enable keepalive
  l2-filter               Set Layer2 ACL for packet received by upper layer protocols
  load-interval           Specify interval for load calculation for an interface
  logging                 Configure logging for interface
  loopback                Configure internal loopback on an interface
  mac-address             Manually set interface MAC address
  max-reserved-bandwidth  Maximum Reservable Bandwidth on an Interface
  mtu                     Set the interface Maximum Transmission Unit (MTU)
  no                      Negate a command or set its defaults
  ntp                     Configure NTP
  packet                  max packet retries
  parent                  Specify parents with which to associate
  payload-encapsulation   IEEE 802.11 packet encapsulation
  power                   Set radio transmitter power levels
  preamble-short          Use 802.11 short radio preamble
  priority-group          Assign a priority group to an interface
  random-detect           Enable Weighted Random Early Detection (WRED) on Interface
  rts                     dot11 Request To Send
  service-policy          Configure QoS Service Policy
  shutdown                Shutdown the selected interface
  snmp                    Modify SNMP interface parameters
  speed                   Set allowed radio bit rates
  ssid                    Configure radio service set parameters
  station-role            role of the radio
  timeout                 Define timeout values for this interface
  traffic-class           Radio traffic class parameters
  transmit-interface      Assign a transmit interface to a receive-only interface
  tx-ring-limit           Configure PA level transmit ring limit
  world-mode              Dot11 radio world mode
(config-if)# world-mode ?
  <cr>
(config-if)# world-mode

(config-if)# no shut
(config-if)# speed ?
  1.0         Allow 1 Mb/s rate
  11.0        Allow 11 Mb/s rate
  2.0         Allow 2 Mb/s rate
  5.5         Allow 5.5 Mb/s rate
  basic-1.0   Require 1 Mb/s rate
  basic-11.0  Require 11 Mb/s rate
  basic-2.0   Require 2 Mb/s rate
  basic-5.5   Require 5.5 Mb/s rate
  range       Set rates for best range
  throughput  Set rates for best throughput
  <cr>
(config-if)# speed 1.0
(config-if)# ssid fred
(config-if-ssid)# max-assoc ?
  <1-255>  association limit
(config-if-ssid)# max-assoc 9

Example IOS Version 12.3


> enable
# config t
(config)# dot11 ssid fred
(config-ssid)# max-assoc 9
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# beacon period 2000
(config-if)# power local 5
(config-if)# power client 5
(config-if)# world-mode
(config-if)# no shut
(config-if)# speed 1.0
(config-if)# ssid fred

10.8 Challenge 7
The following sets up radio port settings:
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# station ?
  repeater  Repeater access point
  root      Root access point
(config-if)# station root
(config-if)# antenna ?
  receive   receive antenna setting
  transmit  transmit antenna setting
(config-if)# antenna receive ?
  diversity  antenna diversity
  left       antenna left
  right      antenna right
(config-if)# antenna receive diversity
(config-if)# antenna transmit left
(config-if)# ssid michigan
(config-if-ssid)# guest-mode

Example IOS Version 12.3


> enable
# config t
(config)# dot11 ssid michigan
(config-ssid)# guest-mode
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# station ?
  repeater  Repeater access point
  root      Root access point
(config-if)# station root
(config-if)# antenna ?
  receive   receive antenna setting
  transmit  transmit antenna setting
(config-if)# antenna receive ?
  diversity  antenna diversity
  left       antenna left
  right      antenna right
(config-if)# antenna receive diversity
(config-if)# antenna transmit left
(config-if)# ssid michigan

A major factor in wireless LANs is the multipath problem, where waves can take differing paths to get to a destination. These multiple paths can cause fading and distortion of the radio waveform: if copies of the wave arrive at a receiver with different time delays they distort the received signal. One way to overcome this problem is to use diversity, which uses more than one antenna, as it is likely that one of the antennas will experience less multipath than the others. It is thus important that diversity antennas are physically separated from each other, and, to reduce the problem of null points, they can be moved around the physical space. The antenna can be set for both the transmit and receive options. These can be:

- Diversity. With this the WAP uses the antenna on which the best signal is being received.
- Right. This is where the antenna on the right of the WAP is used, and is highly directional.
- Left. This is where the antenna on the left of the WAP is used, and is highly directional.

10.9 Challenge 8
The following sets up radio port settings:
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# ssid oklahoma
(config-if)# rts ?
  retries    RTS max retries
  threshold  RTS threshold
(config-if)# rts threshold ?
  <0-2347>  threshold in bytes
(config-if)# rts threshold 19
(config-if)# rts retries 24
(config-if)# ssid oklahoma
(config-if-ssid)# max-assoc 24
(config-if-ssid)# exit
(config-if)# fragment ?
  <256-2346>
(config-if)# fragment 1091
(config-if)# channel 4


10.10 Challenge 9
The following sets up radio port settings:
> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# packet ?
  retries  retries
(config-if)# packet retries ?
  <1-128>  max packet retries before giving up
(config-if)# packet retries 7
(config-if)# preamble-short
(config-if)# ssid oklahoma
(config-if-ssid)# max-assoc 24
(config-if-ssid)# exit
(config-if)# fragment ?
  <256-2346>
(config-if)# fragment 1091
(config-if)# channel 4

10.11 Challenge 10 (DHCP server)


The following sets up the DHCP server:
> en
# config t
(config)# ip dhcp pool wyoming
(config-dhcp)# network 249.189.108.0 255.255.255.254
(config-dhcp)# dns-server 249.189.108.58
(config-dhcp)# netbios-name-server 249.189.108.61
(config-dhcp)# lease 3
(config-dhcp)# default-router 249.189.108.87
(config-dhcp)# exit
(config)# ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
(config)# ip dhcp excluded-address 249.189.108.26
(config)# ip dhcp ping ?
  packets  Specify number of ping packets
  timeout  Specify ping timeout
(config)# ip dhcp ping timeout 350

10.12 Challenge 11 (IP Hosts)


The following sets up an IP hosts table:
> en
# config t
(config)# ip default-gateway 36.125.171.9
(config)# hostname montana
montana (config)# ip host tennessee 211.99.108.9
montana (config)# ip host kirkcaldy 154.242.2.8
montana (config)# ip host edinburgh 64.2.249.2


10.13 Challenge 12 (CDP)


The following sets up CDP:
# config t
(config)# cdp ?
  advertise-v2      CDP sends version-2 advertisements
  holdtime          Specify the holdtime (in sec) to be sent in packets
  run               Enable CDP
  source-interface  Insert the interface's IP in all CDP packets
  timer             Specify the rate at which CDP packets are sent (in sec)
(config)# cdp run
(config)# cdp holdtime ?
<10-255> Length of time (in sec) that receiver must keep this packet
(config)# cdp holdtime 66
(config)# cdp timer ?
<5-254> Rate at which CDP packets are sent (in sec)
(config)# cdp timer 94
(config)# int e0
(config-if)# cdp enable

10.14 Challenge 13 (HTTP)


The following sets up HTTP settings:
> en
# config t
(config)# ip http server
(config)# ip http port ?
  <0-65535>  HTTP port
(config)# ip http port 1024
(config)# ip http ?
  access-class    Restrict access by access-class
  authentication  Set http authentication method
  help-path       HTTP help root URL
  path            Set base path for HTML
  port            HTTP port
  server          Enable HTTP server
(config)# ip http authentication ?
  enable  Use enable passwords
  local   Use local username and passwords
  tacacs  Use tacacs to authorize user
(config)# ip http authentication local
(config)# ip http help-path ?
  WORD  root URL for help pages
(config)# ip http help-path file:///c:\wireless\help
(config)# ip http access-class 10
(config)# banner motd gorgie home
(config)# banner login welcome
(config)# banner exec admin device

The access-class refers to standard access list 10, which lists the hosts that are allowed to reach the Web interface; it is the access list, not the non-standard port, which actually restricts who can manage the device.

10.15 Challenge 14 (CON and VTY)


The following sets up CON and VTY settings:
> en
# config t
(config)# line con 0
(config-line)# password lothian
(config-line)# timeout ?
login Timeouts related to the login sequence
(config-line)# timeout login ?
response Timeout for any user input during login sequences


(config-line)# timeout login response ?


<0-300> Timeout in seconds
(config-line)# timeout login response 19
(config-line)# exec-timeout ?
<0-35791> Timeout in minutes
(config-line)# exec-timeout 11
(config-line)# logging ?
  synchronous  Synchronized message output
(config-line)# logging synchronous
(config-line)# line vty 0 8
(config-line)# login
(config-line)# password mississippi
(config-line)# timeout login response 12
(config-line)# exec-timeout 10

10.16 Challenge 15 (Loopback)


The following sets up the loopback port:
> en
# config t
(config)# int e0
(config-if)# ip address 80.24.45.1 255.255.252.0
(config-if)# no shutdown
(config-if)# exit
(config)# int loopback ?
<0-2147483647> Loopback interface number
(config)# int loopback 45
(config-if)# ip address 195.253.209.21 255.255.128.0

10.17 Challenge 16 (Logging)


The following sets up logging:
> enable
# config t
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffered 440240
(config)# logging host 138.24.170.8
(config)# logging trap emergency
(config)# logging monitor emergency
(config)# logging console emergency
(config)# logging buffered emergency

10.18 Challenge 17 (Services)


The following sets up services:
> en
# config t
(config)# service ?
  compress-config        Compress the configuration file
  config                 TFTP load config files
  dhcp                   Enable DHCP server and relay agent
  disable-ip-fast-frag   Disable IP particle-based fast fragmentation
  exec-callback          Enable exec callback
  exec-wait              Delay EXEC startup on noisy lines
  finger                 Allow responses to finger requests
  hide-telnet-addresses  Hide destination addresses in telnet command
  linenumber             enable line number banner for each exec
  nagle                  Enable Nagle's congestion control algorithm
  old-slip-prompts       Allow old scripts to operate with slip/ppp
  pad                    Enable PAD commands
  password-encryption    Encrypt system passwords
  prompt                 Enable mode specific prompt
  pt-vty-logging         Log significant VTY-Async events
  sequence-numbers       Stamp logger messages with a sequence number
  slave-log              Enable log capability of slave IPs
  tcp-keepalives-in      Generate keepalives on idle incoming network connections
  tcp-keepalives-out     Generate keepalives on idle outgoing network connections
  tcp-small-servers      Enable small TCP servers (e.g., ECHO)
  telnet-zeroidle        Set TCP window 0 when connection is idle
  timestamps             Timestamp debug/log messages
  udp-small-servers      Enable small UDP servers (e.g., ECHO)
(config)# service timestamps ?
debug Timestamp debug messages
log
Timestamp log messages
<cr>
(config)# service timestamps log ?
datetime Timestamp with date and time
uptime
Timestamp with system uptime
<cr>
(config)# service timestamps log datetime
(config)# service sequence-numbers
(config)# service dhcp
(config)# service finger
(config)# no service tcp-small-servers
(config)# no service udp-small-servers
(config)# service password-encryption

Note that service finger, like the small TCP and UDP servers, answers anyone who can reach the access point with information about logged-in users, and would normally be left disabled (no service finger) on a production device. service password-encryption only obscures the passwords in the configuration; it does not make them secret.
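As an added example (not part of the original notes), the following Python code shows what service password-encryption actually does to the enable password, the username password and the line passwords set in Challenges 5, 14 and 17. IOS stores them as type 7 strings, which are an XOR against a fixed key and can be reversed by anyone who can read the configuration (for example from a TFTP backup or a show running-config over TELNET). The enable secret, by contrast, is stored as a salted hash and is not recoverable this way. The SAMPLE_CONFIG fragment is constructed for the example, using the passwords from the challenges.

```python
"""Recover Cisco IOS type 7 passwords from a configuration.

Added example, not from the original notes. Type 7 strings (produced by
`service password-encryption`, `enable password` and line/username passwords)
are a fixed-key XOR and are trivially reversible; `enable secret` is not.
The configuration fragment below is constructed for the example.
"""
import re

# Fixed XOR key used by every IOS type 7 string.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded):
    """Decode: two decimal digits give the starting key offset, then one hex byte per character."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])
    chars = []
    for i in range(2, len(encoded), 2):
        chars.append(chr(int(encoded[i:i + 2], 16) ^ ord(XLAT[offset % len(XLAT)])))
        offset += 1
    return "".join(chars)


def type7_encode(plain, offset=0):
    """Encode with a chosen starting offset (IOS picks one from 0 to 15)."""
    out = [f"{offset:02d}"]
    for ch in plain:
        out.append(f"{ord(ch) ^ ord(XLAT[offset % len(XLAT)]):02X}")
        offset += 1
    return "".join(out)


PW7_RE = re.compile(r"^(enable password|username \S+ password|password) 7 ([0-9A-Fa-f]+)$")


def recover_passwords(config_text):
    """Return [(where, plaintext)] for every type 7 password in a running-config."""
    found, line_ctx = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            line_ctx = line  # remember which line block a bare "password 7" belongs to
        m = PW7_RE.match(line)
        if m:
            where = m.group(1) if m.group(1) != "password" else f"{line_ctx} password"
            found.append((where, type7_decode(m.group(2))))
    return found


# Constructed running-config fragment with the passwords from the challenges
# (hotel, foxtrot and lothian) as IOS would store them after
# `service password-encryption`.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 030C541F0303
username lynn password 7 121F0A0F06190310
line con 0
 password 7 0507091B29454F07
 login
"""

if __name__ == "__main__":
    for where, plain in recover_passwords(SAMPLE_CONFIG):
        print(f"{where}: {plain}")
```

Running it against the sample fragment prints hotel, foxtrot and lothian straight back, which is why the enable secret (and, where available, local users with `username ... secret`) should be used and why configuration backups must be protected as carefully as the passwords themselves.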

10.19 Challenge 18 (SNMP)


The following sets up SNMP:
> en
# config t
(config)# snmp-server ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
(config)# snmp-server community popup
(config)# snmp-server contact june
(config)# snmp-server location glasgow
(config)# snmp-server enable ?
  informs  Enable SNMP Informs
  traps    Enable SNMP Traps
(config)# snmp-server enable traps
(config)# snmp-server chassis-id brighton

A community string such as popup is sent in clear text in every SNMPv1/v2c request, so it should be treated as a password: restrict it to read-only (RO) and to the management hosts with a standard access list (snmp-server community popup RO 10), or use SNMPv3 with the user and group commands shown above.

10.20 Challenge 19 (Hot standby)


The following sets up hot standby:
> en
# config t
(config)# int bvi1
(config-if)# ip address 202.86.171.1 255.255.255.254
(config-if)# int d0
(config-if)# no shut
(config-if)# int e0
(config-if)# no shut
(config-if)# exit
(config)# iapp ?
standby Configure AP standby mode parameters
(config)# iapp standby ?

  mac-address     MAC address of the primary AP
  poll-frequency  Standby polling frequency
  timeout         Standby polling timeout
(config)# iapp standby mac-address 00e0.9143.5615
(config)# iapp standby timeout ?
  <5-600>  Standby polling timeout in seconds
(config)# iapp standby timeout 234
(config)# iapp standby poll-frequency ?
<1-30> Standby polling frequency in seconds
(config)# iapp standby poll-frequency 11

10.21 Challenge 20 (Repeater)


The following sets up a repeater:
> en
# config t
(config)# int bvi1
(config-if)# ip address 160.51.42.9 255.255.128.0
(config-if)# int d0
(config-if)# no shut
(config-if)# ssid mississippi
(config-if-ssid)# exit
(config-if)# station ?
repeater          Repeater access point
root              Root access point
(config-if)# station repeater
(config-if)# parent ?
<1-4>             Parent number
timeout           Time in seconds to look for parent
(config-if)# parent 1 ?
H.H.H             Parent MAC addr
(config-if)# parent 1 00e0.4e3d.c533 ?
<cr>
(config-if)# parent 1 00e0.4e3d.c533
(config-if)# ssid mississippi
(config-if-ssid)# infrastructure-ssid

10.22 Challenge 21 (Standard ACL)


The following sets up an ACL:
> en
# config t
(config)# access-list 3 permit ?
Hostname or A.B.C.D   Address to match
any                   Any source host
host                  A single host address
(config)# access-list 3 permit host 199.237.96.4
(config)# access-list 3 deny host 163.209.141.8
(config)# access-list 3 permit 48.13.112.0 ?
A.B.C.D               Wildcard bits
log                   Log matches against this entry
<cr>
(config)# access-list 3 permit 48.13.112.0 0.15.255.255
(config)# access-list 3 deny 208.147.31.0 1.255.255.255
(config)# int e0
(config-if)# ip access-group 3 ?
in                    inbound packets
out                   outbound packets
(config-if)# ip access-group 3 in
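A standard ACL is worth checking offline before it is applied, because wildcard bits do not have to line up with the address typed in. The following evaluator is an added example written for these notes (it is not part of the course material or any Cisco tool); it assumes first-match, implicit-deny semantics and that a wildcard bit of 1 means "don't care", and it replays ACL 3 from above, reporting the address range each entry really covers.

```python
"""Evaluate a Cisco-style standard IP ACL: first match wins, implicit deny at the end."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    address: int     # address to match, as a 32-bit integer
    wildcard: int    # wildcard bits: 1 = don't care, 0 = must match

    def matches(self, ip: int) -> bool:
        # Only the bits where the wildcard is 0 are compared.
        care = 0xFFFFFFFF ^ self.wildcard
        return (ip & care) == (self.address & care)


def parse_acl_line(line: str) -> Tuple[int, AclEntry]:
    """Parse one 'access-list N permit|deny ...' line into (list number, entry)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard ACL line: {line!r}")
    number = int(tokens[1])
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    rest = tokens[3:]
    if rest[0] == "any":
        addr, wild = 0, 0xFFFFFFFF
    elif rest[0] == "host":
        addr, wild = int(ipaddress.IPv4Address(rest[1])), 0
    else:
        addr = int(ipaddress.IPv4Address(rest[0]))
        # No wildcard given (or only the 'log' keyword) means an exact host match.
        wild = 0
        if len(rest) > 1 and rest[1] != "log":
            wild = int(ipaddress.IPv4Address(rest[1]))
    return number, AclEntry(action, addr, wild)


def build_acl(lines: List[str], number: int) -> List[AclEntry]:
    """Collect the entries of one numbered list, in the order they were typed."""
    return [entry for n, entry in map(parse_acl_line, lines) if n == number]


def evaluate(acl: List[AclEntry], ip_text: str) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the matching entry); index None = implicit deny."""
    ip = int(ipaddress.IPv4Address(ip_text))
    for i, entry in enumerate(acl):
        if entry.matches(ip):
            return entry.action, i
    return "deny", None


def covered_range(entry: AclEntry) -> Tuple[str, str]:
    """Lowest and highest address an entry can match: shows what a wildcard really admits."""
    care = 0xFFFFFFFF ^ entry.wildcard
    low = entry.address & care
    high = low | entry.wildcard
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


# ACL 3 exactly as typed in Challenge 21 above.
ACL3_LINES = [
    "access-list 3 permit host 199.237.96.4",
    "access-list 3 deny host 163.209.141.8",
    "access-list 3 permit 48.13.112.0 0.15.255.255",
    "access-list 3 deny 208.147.31.0 1.255.255.255",
]
ACL3 = build_acl(ACL3_LINES, 3)

if __name__ == "__main__":
    # The third entry admits all of 48.0.0.0 to 48.15.255.255, not just 48.13.x.x:
    # the wildcard 0.15.255.255 discards the low nibble of the second octet.
    for entry in ACL3:
        print(entry.action, covered_range(entry))
    for probe in ("199.237.96.4", "48.5.1.1", "48.16.0.1", "209.1.1.1"):
        print(probe, evaluate(ACL3, probe))
```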


10.23 Challenge 22 (Extended ACL)


The following sets up an extended ACL:
> en
# config t
(config)# access-list 106 ?
deny              Specify packets to reject
dynamic           Specify a DYNAMIC list of PERMITs or DENYs
permit            Specify packets to forward
remark            Access list entry comment
(config)# access-list 106 permit tcp host 202.33.249.1 host 162.97.253.5 eq syslog
(config)# access-list 106 deny tcp host 197.85.151.8 host 196.123.113.4 eq syslog
(config)# access-list 106 permit tcp 123.183.27.0 255.255.255.0 110.233.17.0 255.255.255.0 eq syslog
(config)# access-list 106 deny tcp 24.81.208.0 255.255.255.0 127.46.93.0 255.255.255.0 eq syslog
(config)# int e0
(config-if)# ip access-group 106 in

10.24 Challenge 23 (Encryption and LEAP)


The following sets up encryption and LEAP:
> en
# config t
Enter configuration commands, one per line. End with CNTL/Z.
(config)# int bvi1
(config-if)# ip address 143.224.21.9 255.240.0.0
(config-if)# int d0
(config-if)# encry ?
key               Set one encryption key
mode              encryption mode
vlan              vlan
(config-if)# encry key ?
<1-4>             key number 1-4
(config-if)# encry key 1 ?
size              Key size
(config-if)# encry key 1 size ?
128bit            128-bit key
40bit             40-bit key
(config-if)# encry key 1 size 128bit ?
0                 Specifies an UNENCRYPTED key will follow
7                 Specifies a HIDDEN key will follow
Hex-data          26 hexadecimal digits
(config-if)# encry key 1 size 128bit ffffffffffffffffffffffffff
(config-if)# encryp mode ?
ciphers           Optional data ciphers
wep               Classic 802.11 privacy algorithm
(config-if)# encryp mode ciphers ?
ckip              Cisco Per packet key hashing
ckip-cmic         Cisco Per packet key hashing and MIC (MMH)
cmic              Cisco MIC (MMH)
tkip              WPA Temporal Key encryption
wep128            128 bit key
wep40             40 bit key
(config-if)# encryp mode ciphers ckip
(config-if)# ssid ohio
(config-if-ssid)# authentication ?
client            LEAP client information
key-management    key management
network-eap       leap method
open              open method
shared            shared method
(config-if-ssid)# authentication network-eap ?
WORD              leap list name (1 -- 31 characters)
(config-if-ssid)# authentication network-eap newhampshire

10.25 Challenge 24 (AAA)


The following sets up AAA:
> en
# config t
(config)# aaa new-model
(config)# radius-server ?
attribute           Customize selected radius attributes
authorization       Authorization processing information
challenge-noecho    Data echoing to screen is disabled during Access-Challenge
configure-nas       Attempt to upload static routes and IP pools at startup
deadtime            Time to stop using a server that doesn't respond
directed-request    Allow user to specify radius server to use with `@server'
domain-stripping    Strip the domain from the username
host                Specify a RADIUS server
key                 encryption key shared with the radius servers
local               Configure local RADIUS server
optional-passwords  The first RADIUS request can be made without requesting a password
retransmit          Specify the number of retries to active server
timeout             Time to wait for a RADIUS server to reply
unique-ident        Higher order bits of Acct-Session-Id
vsa                 Vendor specific attribute configuration
(config)# radius-server local
(config-radsrv)# user ?
WORD                Client username
(config-radsrv)# user giraffe ?
nthash              Set NT hash of client password
password            Set client password
(config-radsrv)# user giraffe password root
(config-radsrv)# nas ?
A.B.C.D             IP address of the NAS
(config-radsrv)# nas 42.55.230.3 ?
key                 Set NAS shared secret
(config-radsrv)# nas 42.55.230.3 key coconut
(config-radsrv)# exit
(config)# radius-server ?
attribute           Customize selected radius attributes
authorization       Authorization processing information
challenge-noecho    Data echoing to screen is disabled during Access-Challenge
configure-nas       Attempt to upload static routes and IP pools at startup
deadtime            Time to stop using a server that doesn't respond
directed-request    Allow user to specify radius server to use with `@server'
domain-stripping    Strip the domain from the username
host                Specify a RADIUS server
key                 encryption key shared with the radius servers
local               Configure local RADIUS server
optional-passwords  The first RADIUS request can be made without requesting a password
retransmit          Specify the number of retries to active server
timeout             Time to wait for a RADIUS server to reply
unique-ident        Higher order bits of Acct-Session-Id
vsa                 Vendor specific attribute configuration
(config)# radius-server host ?
Hostname or A.B.C.D IP address of RADIUS server
(config)# radius-server host 42.55.230.3 ?
acct-port           UDP port for RADIUS accounting server (default is 1646)
alias               1-8 aliases for this server (max. 8)
auth-port           UDP port for RADIUS authentication server (default is 1645)
key                 per-server encryption key (overrides default)
non-standard        Parse attributes that violate the RADIUS standard
retransmit          Specify the number of retries to active server (overrides default)
timeout             Time to wait for this RADIUS server to reply (overrides default)
<cr>
(config)# radius-server host 42.55.230.3 auth 1812 acct 1813

10.26 Challenge 25 (Mobile IP)


The following sets up mobile IP:
> en
# config t
(config)# ip proxy-mobile ?
aap               Authoritative AP
enable            Enable WLAN Proxy Mobile IP
pause             Disables Proxy Mobile IP without removing configuration
secure            Security association
(config)# ip proxy-mobile enable
(config)# int bvi1
(config-if)# ?
Interface configuration commands:
access-expression       Build a bridge boolean access expression
arp                     Set arp type (arpa, probe, snap) or timeout
bandwidth               Set bandwidth informational parameter
bridge-group            Transparent bridging interface parameters
carrier-delay           Specify delay for interface transitions
cdp                     CDP interface subcommands
custom-queue-list       Assign a custom queue list to an interface
dampening               Enable event dampening
default                 Set a command to its defaults
delay                   Specify interface throughput delay
description             Interface specific description
duplex                  Configure duplex operation.
exit                    Exit from interface configuration mode
fair-queue              Enable Fair Queuing on an Interface
full-duplex             Configure full-duplex operational mode
half-duplex             Configure half-duplex and related commands
help                    Description of the interactive help system
hold-queue              Set hold queue depth
ip                      Interface Internet Protocol config commands
keepalive               Enable keepalive
l2-filter               Set Layer2 ACL for packet received by upper layer protocols
load-interval           Specify interval for load calculation for an interface
logging                 Configure logging for interface
loopback                Configure internal loopback on an interface
mac-address             Manually set interface MAC address
max-reserved-bandwidth  Maximum Reservable Bandwidth on an Interface
mtu                     Set the interface Maximum Transmission Unit (MTU)
no                      Negate a command or set its defaults
ntp                     Configure NTP
priority-group          Assign a priority group to an interface
random-detect           Enable Weighted Random Early Detection (WRED) on an Interface
service-policy          Configure QoS Service Policy
shutdown                Shutdown the selected interface
snmp                    Modify SNMP interface parameters
speed                   Configure speed operation.
timeout                 Define timeout values for this interface
transmit-interface      Assign a transmit interface to a receive-only interface
tx-ring-limit           Configure PA level transmit ring limit
(config-if)# ip proxy-mobile ?
<cr>
(config-if)# ip proxy-mobile
(config-if)# int d0
(config-if)# ip proxy-mobile
(config-if)# int e0
(config-if)# ip proxy-mobile

10.27 Challenge 27 (LBS)


The following sets up LBS:
> en
# config t
(config)# dot11 lbs test
(config-ssid)# server address 10.0.0.1 port 1024
(config-ssid)# int d0
(config-ssid)# method rssi

Description
With LBS, access points monitor location packets sent by LBS positioning tags, and
thus allow assets to be tracked. On receiving a positioning packet, the access point
determines the received signal strength indication (RSSI). It then creates a UDP
packet with the RSSI value and the current time, which it then forwards to a location
server. Next the location server determines the position of the tag based on the
information received.

10.28 Challenge 28 (AAA for Local Authentication)


The following sets up AAA:
> en
# config t
(config)# aaa new-model
(config)# aaa authentication login default local
(config)# aaa authorization exec local
(config)# aaa authorization network local
(config)# username test password bert

10.29 Challenge 29 (AAA)


The following sets up AAA:
> en
# config t
(config)# aaa new-model
(config)# radius-server ?
attribute           Customize selected radius attributes
authorization       Authorization processing information
challenge-noecho    Data echoing to screen is disabled during Access-Challenge
configure-nas       Attempt to upload static routes and IP pools at startup
deadtime            Time to stop using a server that doesn't respond
directed-request    Allow user to specify radius server to use with `@server'
domain-stripping    Strip the domain from the username
host                Specify a RADIUS server
key                 encryption key shared with the radius servers
local               Configure local RADIUS server
optional-passwords  The first RADIUS request can be made without requesting a password
retransmit          Specify the number of retries to active server
timeout             Time to wait for a RADIUS server to reply
unique-ident        Higher order bits of Acct-Session-Id
vsa                 Vendor specific attribute configuration
(config)# radius-server local
(config-radsrv)# user ?
WORD                Client username
(config-radsrv)# user giraffe ?
nthash              Set NT hash of client password
password            Set client password
(config-radsrv)# user giraffe password root
(config-radsrv)# nas ?
A.B.C.D             IP address of the NAS
(config-radsrv)# nas 42.55.230.3 ?
key                 Set NAS shared secret
(config-radsrv)# nas 42.55.230.3 key coconut
(config-radsrv)# exit
(config)# radius-server ?
attribute           Customize selected radius attributes
authorization       Authorization processing information
challenge-noecho    Data echoing to screen is disabled during Access-Challenge
configure-nas       Attempt to upload static routes and IP pools at startup
deadtime            Time to stop using a server that doesn't respond
directed-request    Allow user to specify radius server to use with `@server'
domain-stripping    Strip the domain from the username
host                Specify a RADIUS server
key                 encryption key shared with the radius servers
local               Configure local RADIUS server
optional-passwords  The first RADIUS request can be made without requesting a password
retransmit          Specify the number of retries to active server
timeout             Time to wait for a RADIUS server to reply
unique-ident        Higher order bits of Acct-Session-Id
vsa                 Vendor specific attribute configuration
(config)# radius-server host ?
Hostname or A.B.C.D IP address of RADIUS server
(config)# radius-server host 42.55.230.3 ?
acct-port           UDP port for RADIUS accounting server (default is 1646)
alias               1-8 aliases for this server (max. 8)
auth-port           UDP port for RADIUS authentication server (default is 1645)
key                 per-server encryption key (overrides default)
non-standard        Parse attributes that violate the RADIUS standard
retransmit          Specify the number of retries to active server (overrides default)
timeout             Time to wait for this RADIUS server to reply (overrides default)
<cr>
(config)# radius-server host 42.55.230.3 auth 1812 acct 1813

10.30 Challenge 30 (RADIUS accounting on an SSID)


This challenge involves the configuration of RADIUS accounting on an SSID.
> en
# config t
(config)# aaa new-model
(config)# radius-server host 42.55.230.3 auth 1812 acct 1813
(config)# dot11 ssid test
(config-ssid)# accounting test-acc

10.31 Challenge 31 (HTTPS)


> en
# config t
(config)# hostname test
(config)# ip default-gateway 192.168.0.1
(config)# ip domain-name perth.cc
(config)# ip http ?
access-class        Restrict http server access by access-class
authentication      Set http server authentication method
client              Set http client parameters
help-path           HTTP help root URL
max-connections     Set maximum number of concurrent http server connections
path                Set base path for HTML
port                Set http server port
secure-ciphersuite  Set http secure server ciphersuite
secure-client-auth  Set http secure server with client authentication
secure-port         Set http secure server port number for listening
secure-server       Enable HTTP secure server
secure-trustpoint   Set http secure server certificate trustpoint
server              Enable http server
timeout-policy      Set http server time-out policy parameters
(config)# ip http secure-server
(config)# ip http secure-port ?
<0-65535>           Secure port number (above 1024 or default 443)
(config)# ip http secure-port 443

10.32 Challenge 32 (TACACS+)


> en
# config t
(config)# hostname test

(config)# aaa new-model
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs
(config)# aaa authentication ppp default group tacacs
(config)# aaa authorization network default group tacacs
(config)# aaa authorization exec default group tacacs

10.33 Challenge 33 (Security)


> enable
# config t
(config)# username fred password bert
(config)# username test nopassword
(config)# username fred privilege 15
(config)# username test privilege 1
(config)# username test user-maxlinks 2
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9

Explanation
The privilege levels go from level 0 to level 15, such as:

Level 0. This only includes five commands: disable, enable, exit, help and logout.
Level 1. This is the non-privileged mode with a prompt of wap>.
Level 15. This is the highest level of privilege, and has a prompt of wap#.

Typical level 1 commands are:

access-enable     Create a temporary Access-List entry
clear             Reset functions
connect           Open a terminal connection
disable           Turn off privileged commands
disconnect        Disconnect an existing network connection
enable            Turn on privileged commands
exit              Exit from the EXEC
help              Description of the interactive help system
lock              Lock the terminal
login             Log in as a particular user
logout            Exit from the EXEC
name-connection   Name an existing network connection
ping              Send echo messages
rcommand          Run command on remote switch
resume            Resume an active network connection
show              Show running system information
systat            Display information about terminal lines
telnet            Open a telnet connection
terminal          Set terminal line parameters
traceroute        Trace route to destination
tunnel            Open a tunnel connection
where             List active connections

Thus:
(config)# username fred privilege 15
(config)# username test privilege 1

sets the maximum privilege level for fred at 15, while test will only be able to enter
the non-privileged mode. Also:
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9

restricts the access for fred to a single host (192.168.0.1), so that the user will not be
able to log in from any other host. The following:
(config)# username test user-maxlinks 2

restricts the number of connections for test to two.

10.34 Challenge 34 (Banners)


> enable
# config t
(config)# hostname amsterdam
amsterdam (config)# banner motd my device
amsterdam (config)# banner login how are you
amsterdam (config)# banner exec main device
amsterdam (config)# ip http server

10.35 Challenge 34 (SNTP)


> enable
# config t
(config)# hostname amsterdam
amsterdam (config)# sntp server 192.168.1.100
amsterdam (config)# sntp broadcast client
amsterdam (config)# exit
amsterdam # clock set 05:44
amsterdam # show sntp
SNTP server      Stratum   Version   Last Receive
192.168.1.100    16        1         never
Broadcast client mode is enabled.

10.36 Challenge 36 (MAC filter)


> enable
# config t
(config) # access-list ?
<1-99>            IP standard access list
<100-199>         IP extended access list
<1100-1199>       Extended 48-bit MAC address access list
<1300-1999>       IP standard access list (expanded range)
<200-299>         Protocol type-code access list
<2000-2699>       IP extended access list (expanded range)
<700-799>         48-bit MAC address access list
dynamic-extended  Extend the dynamic ACL absolute timer
(config) # access-list 701 ?
deny              Specify packets to reject
permit            Specify packets to forward
(config) # access-list 701 deny ?
H.H.H             48-bit hardware address
(config) # access-list 701 deny 1111.2222.3333 ?
H.H.H             48-bit hardware address mask
<cr>
(config) # access-list 701 deny 1111.2222.3333 ffff.ffff.ffff
(config) # access-list 701 deny 1112.2222.3333 ffff.ffff.ffff
(config) # access-list 701 deny 1113.2222.3333 ffff.ffff.ffff
(config) # access-list 701 permit 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if) # l2-filter bridge-group-acl
(config-if) # bridge-group ?
<1-255>           Assign an interface to a Bridge Group.
(config-if) # bridge-group 1
(config-if) # bridge-group 1 ?
<cr>
circuit-group              Associate serial interface with a circuit group
input-address-list         Filter packets by source address
input-lat-service-deny     Deny input LAT service advertisements matching a group list
input-lat-service-permit   Permit input LAT service advertisements matching a group list
input-lsap-list            Filter incoming IEEE 802.3 encapsulated packets
input-type-list            Filter incoming Ethernet packets by type code
lat-compression            Enable LAT compression over serial or ATM interfaces
output-address-list        Filter packets by destination address
output-lat-service-deny    Deny output LAT service advertisements matching a group list
output-lat-service-permit  Permit output LAT service advertisements matching a group list
output-lsap-list           Filter outgoing IEEE 802.3 encapsulated packets
output-type-list           Filter outgoing Ethernet packets by type code
port-protected             There will be no traffic between this interface and other protected port interface in this bridge group
subscriber-loop-control    Configure subscriber loop control
block-unknown-source       block traffic which come from unknown source MAC address
input-pattern-list         Filter input with a pattern list
output-pattern-list        Filter output with a pattern list
path-cost                  Set interface path cost
priority                   Set interface priority
source-learning            learn source MAC address
spanning-disabled          Disable spanning tree on a bridge group
unicast-flooding           flood packets with unknown unicast destination MAC addresses
(config-if) # bridge-group 1 input-address-list 701

10.37 Challenge 37 (MAC filter)


> enable
# config t
(config) # access-list 701 deny 1111.2222.3333 ffff.ffff.ffff
(config) # access-list 701 deny 1112.2222.3333 ffff.ffff.ffff
(config) # access-list 701 deny 1113.2222.3333 ffff.ffff.ffff
(config) # access-list 701 permit 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if) # l2-filter bridge-group-acl
(config-if) # bridge-group 1
(config-if) # bridge-group 1 output-address-list 701

10.38 Challenge 38 (MAC filter extended)


> enable
# config t
(config) # access-list 1102 deny 1111.2222.3333 0.0.0 1112.2222.3333 0.0.0
(config) # access-list 1102 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if) # l2-filter bridge-group-acl
(config-if) # bridge-group 1
(config-if) # bridge-group 1 output-pattern-list ?
<1100-1199> Pattern access list number


(config-if) # bridge-group 1 output-pattern-list 1102

10.39 Challenge 39 (MAC filter extended)


> enable
# config t
(config) # access-list 1102 deny 1111.2222.3333 0.0.0 1112.2222.3333 0.0.0
(config) # access-list 1102 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if) # l2-filter bridge-group-acl
(config-if) # bridge-group 1
(config-if) # bridge-group 1 input-pattern-list ?
<1100-1199> Pattern access list number
(config-if) # bridge-group 1 input-pattern-list 1102

10.40 Challenge 40 (MAC filter)


> enable
# config t
(config) # access-list 701 permit 1111.2222.3333 ffff.ffff.ffff
(config) # access-list 701 permit 1112.2222.3333 ffff.ffff.ffff
(config) # access-list 701 permit 1113.2222.3333 ffff.ffff.ffff
(config) # access-list 701 deny 0.0.0 ffff.ffff.ffff
(config) # int d0
(config-if) # l2-filter bridge-group-acl
(config-if) # bridge-group 1
(config-if) # bridge-group 1 input-address-list 701

10.41 Challenge 41 (Cisco Extensions)


> enable
# config t
(config)# int bvi 1
(config-if)# ip address 158.234.223.7 255.192.0.0
(config-if)# exit
(config)# dot11 arp-cache
(config)# int d0
(config-if)# dot11 extension aironet

Explanation
The Cisco Aironet extensions are:

Cisco Key Integrity Protocol (CKIP). This uses a permutation method to renew
the WEP key. If TKIP is used, CKIP is not required.
Limiting power level. This allows the Aironet to control the power level of the
clients, once they associate.
Load balancing. This allows the access point to select the best access point in
terms of signal strength, load requirements, and so on.
Message Integrity Check (MIC). This enhances WEP security against a number of
attacks.
Repeater mode. This allows the access point to support repeater access points.
World mode. This allows client devices to receive carrier information from the
access point and adjust their settings automatically.

10.42 Challenge 42 (Cisco Extensions)


> enable
# config t
(config)# int bvi 1
(config-if)# ip address 158.234.223.7 255.192.0.0
(config-if)# exit
(config)# no dot11 arp-cache
(config)# int d0
(config-if)# no dot11 extension aironet

10.43 Challenge 43 (Beacon)


> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# beacon ?
dtim-period       dtim period
period            beacon period
(config-if)# beacon period ?
<20-4000>         Kusec (or msec)
(config-if)# beacon period 2000
(config-if)# beacon dtim 50

Explanation
The beacon period is defined as the amount of time between access point beacons in
kilomicroseconds (1 Kusec is 1,024 microseconds, i.e. 1.024 milliseconds). The default is
100 Kusec. If the beacon period is 1000, the time between beacons is approximately
1 second (1.024 seconds).
The Data Beacon Rate defines how often the DTIM (delivery traffic indication
message) appears in a beacon, where the DTIM tells power-save client devices that a
packet is waiting for them. The default DTIM is 2. If the DTIM is set at 5, and the
beacon period is 1000, a packet with a DTIM will be sent every 5 seconds (approx).

10.44 Challenge 44 (RTS)


> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# rts retries 100
(config-if)# rts threshold 1000

Explanation
The RTS threshold prevents the Hidden Node problem, where two wireless nodes are
within range of the same access point, but are not within range of each other, as
illustrated in Figure 1. As they do not know that they both exist on the network, they
may try to communicate with the access point at the same time. When they do, their
data frames may collide when arriving simultaneously at the access point, which
causes a loss of data frames from the nodes. The RTS threshold tries to overcome this
by enabling the handshaking signals of Ready To Send (RTS) and Clear To Send
(CTS). When a node wishes to communicate with the access point it sends an RTS
signal to the access point. Once the access point determines that it can then communicate,
it sends a CTS signal. The node can then send its data, as illustrated in Figure 2. The RTS
threshold determines the data frame size that is required in order for a node to send an RTS
to the WAP. The default value is 4000.
# config t
(config)# int dot11radio0
(config-if)# rts ?
retries           RTS max retries
threshold         RTS threshold
(config-if)# rts threshold ?
<0-2347>          threshold in bytes
(config-if)# rts threshold 2000

Figure 1 Hidden node problem. The two nodes cannot hear each other: the hidden node
problem occurs when two nodes transmit to an access point but are not in communication
range of each other, so their signals can collide and cause errors.

Figure 2 RTS/CTS operation. The node sends RTS (Ready To Send), the access point
replies with CTS (Clear To Send), and the data is then transmitted.

RTS retries defines the number of times that an access point will transmit an RTS
signal before it stops sending the data frame. Values range from 1 to 128. For
example:
# config t
(config)# int dot11radio0
(config-if)# rts retries ?
<1-128> max retries
(config-if)# rts retries 10
(config-if)# end

10.45 Challenge 45 (Fragmentation)


> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# fragment-threshold 1000

Explanation
A wireless data frame can have up to 2312 data bytes in the data payload. This large
amount could hog the bandwidth too much, and not give an even share to all the
nodes on the network, as illustrated in Figure 1. Research has argued that creating
smaller data frames, often known as cells, is more efficient in using the available
bandwidth, and also for switching data frames. Thus wireless systems provide a
fragment threshold, in which the larger data frames are split into smaller parts, as
illustrated in Figure 2. An example of the configuration is:
# config t
(config)# int dot11radio0
(config-if)# fragment-threshold ?
<256-2346>
(config-if)# fragment-threshold 700

Figure 1 Transmission of large data frames. Data packets are split into 1500 byte data
frames (MTU); the large data frames may allow nodes to hog the airwave.

Figure 2 Fragmentation of data frames. Data frames are fragmented into smaller frames,
which possibly allows for a smoother and fairer transmission.

10.46 Challenge 46 (Power)


> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# power local 50
(config-if)# power client 10

Explanation
The power of the access point and also of the clients is important as it will
define the coverage of the signal, and must also be within the required safety limits.
Thus, the more radio power that is used to transmit the signal, the wider the scope of
the wireless network. Unfortunately, the further that the signal goes, the more chance
that an intruder can pick up the signal, and, possibly, gain access to its contents, as
illustrated in Figure 1. To control this power, the access point can set up its own
radio power, and also is able to set the power transmission of the client adapter. An
example of setting the local power, and the client power, is shown next:
# config t
(config)# int dot11radio0
(config-if)# power ?
(config-if)# power local ?
<1-50>            One of: 1 5 20 30 50
maximum           Set local power to allowed maximum
(config-if)# power local 30
(config-if)# power client ?
<1-50>            One of: 1 5 20 30 50
maximum           Set client power to allowed maximum
(config-if)# power client 10

Figure 1 Power transmission. The higher the transmitting power, the wider the coverage.

On the client, especially with portable devices, the power usage of the radio port is
important. Thus there are typically power settings, such as:

CAM (Constant awake mode). Used when power usage is not a problem.
PSP (Power save mode). Power is conserved as much as possible. The card will
typically go to sleep, and will only be awoken by the access point, or if there is
activity.
FastPSP (Fast power save mode). This uses both CAM and PSP, and is a
compromise between the two.

10.47 Challenge 47 (Association)


> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# ssid fred
(config-if-ssid)# max-assoc ?
<1-255> association limit
(config-if-ssid)# max-assoc 9

Explanation
A particular problem in wireless networks is that the access point may become
overburdened with connected clients. This could be due to an attack, such as DoS
(Denial of Service), or due to poor planning. To set the maximum number of
associations, the max-associations command is used within the SSID setting:
# config t
(config)# int dot11radio0
(config-if)# ssid fred
(config-if-ssid)# max ?
<1-255>           association limit
(config-if-ssid)# max 100
(config)# exit

and to show the associations for the wireless access point:


# show dot11 ?
# show dot11 association
# show dot11 statistics client-traffic

and for associated access points:


# show dot11 adjacent-ap

10.48 Challenge 48 (Preamble)


This can either be set to long (which is the default) or short. A long preamble allows
for interoperability with the 1 Mbps and 2 Mbps DSSS specifications. The short preamble allows
for faster operation (as the preamble is kept to a minimum) and can be used where
the transmission parameters must be maximized and there are no
interoperability problems. To set a short preamble:
# config t
(config)# int dot11radio0
(config-if)# preamble-short
(config-if)# end

10.49 Challenge 49 (Station role)


A root access point is used to connect a wireless client to a fixed network, whereas a
repeater access point does not connect to a wired LAN, and basically forwards the
data packets to another repeater or to a wireless access point which is connected to a
wired network (Figure 1). With a repeater, of course, the Ethernet port will not
operate. The repeater access point typically associates with an access point which has
the best connectivity; however, it can be set up to connect to a specific access point.
In the following case, the access point will associate with the parent with the
specified MAC address (1111.2222.3333):
# config t
(config)# interface d0
(config-if)# ssid napier
(config-ssid)# infrastructure-ssid
(config-ssid)# exit
(config-if)# station-role repeater
(config-if)# dot11 extensions aironet
(config-if)# parent 1 1111.2222.3333
(config-if)# parent 2 2222.aaaa.bbbb
(config-if)# end

It is possible to define up to four parents, so that if one fails to associate, it can use the
others. In most cases the Cisco Aironet extensions must be enabled, as they aid the
association process, but this can cause incompatibility problems with non-Cisco
devices.

Figure 1 Preamble. The preamble is sent before the start of the data transmission so that
nodes can detect that a node is about to transmit.

10.50 Challenge 50 (Slot time)


The throughput of a wireless network can be reduced by enabling short slot time.
When enabled it reduces the slot time from 20 microseconds to 9 microseconds. The
backoff time is the time that wireless nodes wait before transmitting, and is a random
multiple of the slot time. Thus reducing the slot time will typically reduce the backoff
time. To enable it:
(config)# int d0
(config-if)# short-slot-time

Note that short slot time is only available in IEEE 802.11g. By default it is disabled.

10.51 Challenge 51 (MAC authentication)


> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# exit
(config)# aaa new-model
(config)# dot11 aaa mac-authen filter-cache

Explanation
MAC authentication caching on the access point is typically used where MAC-authenticated
clients roam around the network. When it is enabled it reduces the
time overhead of re-authenticating the nodes with an authentication server. When a
node is initially authenticated, its MAC address is added to the cache.

10.52 Challenge 52 (Wireless IDS)


> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# station scanner
(config-if)# monitor frames endpoint ip address 10.0.0.1 port 1111
(config-if)# exit
(config)# wlccp ?
  ap                     Enable WLCCP AP
  authentication-server  Authentication Server
  wds                    Enable Wireless Domain Service Manager
  wnm                    Configure Wireless Network Manager

Explanation
The scanner mode is used in a WIDS, where the access point listens on all of the radio
channels and reports activity. As it is used as a WIDS, it does not accept any
associations. The monitor command can then be used to forward all of the data
packets received to a specific address on a certain port, such as 10.0.0.1 on UDP
port 1111:
(config-if)# monitor frames endpoint ip address 10.0.0.1 port 1111

To show the captured packets:

# sh wl ap rm monitor stat
Dot11Radio0
====================
WLAN Monitoring         : Enabled
Endpoint IP address     : 10.0.0.1
Endpoint port           : 1111
Frame Truncation Length : 128 bytes
Dot11Radio1
====================
WLAN Monitoring         : Disabled

WLAN Monitor Statistics
==========================
Total No. of frames rx by DOT11 driver   : 0
Total No. of Dot11 no buffers            : 0
Total No. of Frames Q Failed             : 0
Current No. of frames in SCAN Q          : 0
Total No. of frames captured             : 0
Total No. of data frames captured        : 0
Total No. of control frames captured     : 0
Total No. of Mgmt frames captured        : 0
Total No. of CRC errored frames captured : 0
Total No. of UDP packets forwarded       : 0
Total No. of UDP packets forward failed  : 0

and to clear the statistics:

# clear wlccp ap rm statistics

10.53 Challenge 53 (Fallback)

> enable
# config t
(config)# int bvi1
(config-if)# ip address 208.1.7.8 255.255.255.224
(config-if)# int d0
(config-if)# station root fallback shutdown

Explanation
A major problem occurs when the Ethernet or radio port fails, and in some situations
the radio port of the access point should shut down. The following shuts down the
D0 port when the Ethernet connection fails:
(config-if)# station root fallback shutdown

10.54 Challenge 54 (Web server)


By default the Web server is not enabled. To enable it:
# config t
(config)# int bvi1
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# exit
(config)# ip http server

By default the Web page is then accessed by the client with (http://10.0.0.1):

Sometimes another port is used, such as 8080 with:


(config)# ip http port 8080

which is accessed with:

The details are then displayed with:


# sh ip http server all
HTTP server status: Enabled
HTTP server port: 8080
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:/c1200-k9w7-mx.123-8.JA/html/level/1;zflash:/c1200-k9w7-mx.123-8.JA/html/level/1;flash:/c1200-k9w7-mx.123-8.JA/html/level/15;zflash:/c1200-k9w7-mx.123-8.JA/html/level/15;flash:/c1200-k9w7-mx.123-8.JA/html;zflash:/c1200-k9w7-mx.123-8.JA/html;flash:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 120 seconds
Server life time-out: 120 seconds
Maximum number of requests allowed on a connection: 60
HTTP secure server capability: Present
HTTP secure server status: Disabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:

HTTP server application session modules:
Session module Name  Handle  Description
Homepage_Server      3       IOS Homepage Server
HTTP IFS Server      1       HTTP based IOS File Server
WEB_EXEC             2       HTTP based IOS EXEC Server
tti-petitioner       4       TTI Petitioner

HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes
10.0.0.1:8080         10.0.0.2:4066          5197      50720

HTTP server statistics:
Accepted connections total: 10

HTTP server history:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes  end-time
10.0.0.1:80           10.0.0.2:4046          396       192        00:00:46 03/01
10.0.0.1:80           10.0.0.2:4047          427       192        00:00:52 03/01
10.0.0.1:80           10.0.0.2:4049          5352      52152      00:01:59 03/01
10.0.0.1:80           10.0.0.2:4048          4885      85094      00:02:04 03/01
10.0.0.1:80           10.0.0.2:4051          396       192        00:25:23 03/01
10.0.0.1:80           10.0.0.2:4052          4878      86257      00:26:30 03/01
10.0.0.1:80           10.0.0.2:4053          5041      50737      00:26:35 03/01
10.0.0.1:8080         10.0.0.2:4064          401       192        00:47:16 03/01
10.0.0.1:8080         10.0.0.2:4065          4343      85878      00:48:21 03/01

# sh ip http server conn
HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes

ap# sh ip http server ?
  all             HTTP server all information
  connection      HTTP server connection information
  history         HTTP server history information
  secure          HTTP secure server status information
  session-module  HTTP server application session module information
  statistics      HTTP server statistics information
  status          HTTP server status information

ap# sh ip http server status
HTTP server status: Enabled
HTTP server port: 8080
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:/c1200-k9w7-mx.123-8.JA/html/level/1;zflash:/c1200-k9w7-mx.123-8.JA/html/level/1;flash:/c1200-k9w7-mx.123-8.JA/html/level/15;zflash:/c1200-k9w7-mx.123-8.JA/html/level/15;flash:/c1200-k9w7-mx.123-8.JA/html;zflash:/c1200-k9w7-mx.123-8.JA/html;flash:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 120 seconds
Server life time-out: 120 seconds
Maximum number of requests allowed on a connection: 60
HTTP secure server capability: Present
HTTP secure server status: Disabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:

10.55 Challenge 55 (Secure Web server)


Unfortunately, a plain Web server does not encrypt its data, so it is a security risk:
an intruder could read the contents of the data packets carrying the Web page from
the device to a client. An improved method is to use a secure HTTP protocol such as
HTTPS. The configuration is thus:
# config t
(config)# int bvi1
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# exit
(config)# ip http secure-server
% Generating 1024 bit RSA keys ...[OK]
(config)# ip http secure-port ?
  <0-65535>  Secure port number(above 1024 or default 443)
(config)# ip http secure-port 443

By default the Web page is then accessed by the client with (https://10.0.0.1),
after which the client responds with:

and then (the password is the default enable password):

and then:

The data transferred between the client and server will then be encrypted. To verify
the details:
ap#sh ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
HTTP server access class: 0
HTTP server base path: flash:/c1200-k9w7-mx.123-8.JA/html/level/1;zflash:/c1200-k9w7-mx.123-8.JA/html/level/1;flash:/c1200-k9w7-mx.123-8.JA/html/level/15;zflash:/c1200-k9w7-mx.123-8.JA/html/level/15;flash:/c1200-k9w7-mx.123-8.JA/html;zflash:/c1200-k9w7-mx.123-8.JA/html;flash:
Maximum number of concurrent server connections allowed: 5
Server idle time-out: 120 seconds
Server life time-out: 120 seconds
Maximum number of requests allowed on a connection: 60
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
ap#sh ip http server conn
HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes
10.0.0.1:443          10.0.0.2:1082          266       52587
10.0.0.1:443          10.0.0.2:1083          2493      67032

ap#sho ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
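The status listings above, before and after enabling the secure server, can be checked mechanically. The following Python is an added example (not part of the lab and not a Cisco tool) that parses the status output and flags plaintext HTTP, a disabled HTTPS server, weak cipher suites, a missing trustpoint and a missing access class; which cipher suites count as weak is the example's own assumption.

```python
"""Audit the output of the Cisco IOS 'show ip http server status' command.

Added example for the Web-server challenges above (not part of the lab text
and not a Cisco tool). The field names are those printed by the access point;
the set of cipher suites treated as weak is this example's own assumption.
"""
import re

# Cipher suites flagged as weak (assumption): single DES and RC4 based suites.
WEAK_CIPHERS = {"des-cbc-sha", "rc4-128-md5", "rc4-128-sha"}

# Sample output, constructed from the lab's listings before and after
# 'ip http secure-server' was enabled (only the relevant lines are kept).
BEFORE = """\
HTTP server status: Enabled
HTTP server port: 8080
HTTP server authentication method: enable
HTTP server access class: 0
HTTP secure server capability: Present
HTTP secure server status: Disabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
"""

AFTER = BEFORE.replace("HTTP server port: 8080", "HTTP server port: 80") \
              .replace("secure server status: Disabled", "secure server status: Enabled")

# 'name: value' lines; a bare 'name:' (empty trustpoint) yields an empty value.
FIELD_RE = re.compile(r"^(HTTP [^:]*|Server [^:]*|Maximum [^:]*):\s*(.*)$")


def parse_http_status(text):
    """Map each 'name: value' line of the listing to a dict entry."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def audit_http_status(text):
    """Return (severity, message) findings for one status listing."""
    fields = parse_http_status(text)
    findings = []
    if fields.get("HTTP server status") == "Enabled":
        port = fields.get("HTTP server port", "?")
        findings.append(("high", "plaintext HTTP management enabled on port " + port))
    if fields.get("HTTP secure server status") != "Enabled":
        findings.append(("high", "HTTPS management disabled"))
    else:
        offered = set(fields.get("HTTP secure server ciphersuite", "").split())
        weak = sorted(offered & WEAK_CIPHERS)
        if weak:
            findings.append(("medium", "weak cipher suites offered: " + ", ".join(weak)))
        if fields.get("HTTP secure server trustpoint", "") == "":
            # No trustpoint: the self-signed key generated when the secure server
            # was enabled is used, so clients cannot verify the device identity.
            findings.append(("info", "no trustpoint: self-signed certificate in use"))
    # In IOS an access class of 0 means no access list restricts management clients.
    if fields.get("HTTP server access class") == "0":
        findings.append(("medium", "no access class: any source may reach the server"))
    return findings


if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for sev, msg in audit_http_status(listing):
            print("  [%s] %s" % (sev, msg))
```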

10.56 Challenge 56 (QoS)


The Aironet access points advertise their QoS parameters so that WLAN clients with a
particular QoS requirement can use these advertisements to associate with a suitable
access point. The traffic-stream command is used to configure the radio interface for
the CAC (Call Admission Control, used in Voice over Wireless) traffic stream
properties. The Aironet supports traffic streams, such as:
ap# config t
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)# int d0
ap(config-if)# traffic-stream ?
  priority  Apply to Priority
ap(config-if)# traffic-stream pri ?
  <0-7>  UP Value

where the UP (user priority) is defined as:


0 (Best Effort)
1 (Background)
2 (Spare)
3 (Excellent)
4 (Controlled Load)
5 (Video)
6 (Voice)
7 (Network Control)
ap(config-if)#traffic-stream pri 0 ?
  sta-rates  Set rates to allow for traffic-stream
ap(config-if)#traffic-stream pri 0 sta ?
  1.0       Allow 1 Mb/s rate
  11.0      Allow 11 Mb/s rate
  12.0      Allow 12 Mb/s rate
  18.0      Allow 18 Mb/s rate
  2.0       Allow 2 Mb/s rate
  24.0      Allow 24 Mb/s rate
  36.0      Allow 36 Mb/s rate
  48.0      Allow 48 Mb/s rate
  5.5       Allow 5.5 Mb/s rate
  54.0      Allow 54 Mb/s rate
  6.0       Allow 6 Mb/s rate
  9.0       Allow 9 Mb/s rate
  nom-1.0   Allow Nominal 1 Mb/s rate
  nom-11.0  Allow Nominal 11 Mb/s rate
  nom-12.0  Allow Nominal 12 Mb/s rate
  nom-18.0  Allow Nominal 18 Mb/s rate
  nom-2.0   Allow Nominal 2 Mb/s rate
  nom-24.0  Allow Nominal 24 Mb/s rate
  nom-36.0  Allow Nominal 36 Mb/s rate
  nom-48.0  Allow Nominal 48 Mb/s rate
  nom-5.5   Allow Nominal 5.5 Mb/s rate
  nom-54.0  Allow Nominal 54 Mb/s rate
  nom-6.0   Allow Nominal 6 Mb/s rate

ap(config-if)#traffic-stream pri 0 sta 1.0

Thus best-effort traffic on this access point is allowed a rate of 1.0 Mbps. When this is
advertised to clients, they can decide whether this is the best rate for their best-effort traffic.

10.57 Challenge 57 (SSH)


The TELNET protocol is insecure, as everything is passed as plain text. An improved
method is to use SSH, which encrypts the data. It requires that a domain name is set and an
RSA key pair is generated:
ap# config t
Enter configuration commands, one per line.  End with CNTL/Z.
ap(config)# ip domain-name test.com
ap(config)# crypto key generate rsa
How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]

To view the public key:


ap#show crypto key mypubkey rsa
% Key pair was generated at: 00:42:19 UTC Mar 1 2002
Key name: ap.test.com
Usage: General Purpose Key
Key is not exportable.
Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DDD8C6 4B744520
  F1499B01 49C485A2 20C9FB37 8CD11053 039D344B 3C5BD55E E84E17C8 FD62DA08
  32020F80 910AFBCC 6D402F90 96E8A59B 40467A3E 8FEED18B B1020301 0001
% Key pair was generated at: 00:42:21 UTC Mar 1 2002
Key name: ap.test.com.server
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00B435A4 C007251B
  312319CA 0E919F76 72D2D5A9 36B4710C CC4DE0C4 080D2B47 55970CA5 39F21170
  D07C0000 832F6A1C 81411423 BE52CBF4 ECBE417E 1C3C09D1 2BBC90DF 8DA398DB
  AE8EFA46 282AEC54 F0909F82 466A19DD EBEFAEDE 7B4B992F 5F020301 0001

An SSH client such as putty can then be used to connect to the access point:

after which the client shows the message:

and the SSH connection is made, such as:

To remove the keys:

ap(config)# crypto key zeroize rsa

and to set the timeout and authentication retries:


ap(config)# ip ssh time-out 60
ap(config)# ip ssh authentication-retries 2

and to prevent Telnet sessions:


ap(config)#line vty 0 4
ap(config-line)#transport input ssh

10.58 Challenge 58 (LEAP)


The following uses a local RADIUS server to authenticate using LEAP
authentication:
(config)# hostname ap
(config)# aaa new-model
(config)# int bvi1
(config-if)# ip address 192.168.1.110 255.255.255.0
(config-if)# exit
(config)# dot11 ssid APskills
(config-ssid)# authentication network-eap eap_methods
(config-ssid)# guest-mode
(config-ssid)# exit
(config)# radius-server local
(config-radsrv)# nas 192.168.1.110 key sharedkey
(config-radsrv)# user aaauser password aaauser
(config-radsrv)# exit
(config)# radius-server host 192.168.1.110 auth 1812 acct 1813 key sharedkey
(config)# interface d0
(config-if)# channel 11
(config-if)# station-role root
(config-if)# encryption key 1 size 40bit aaaaaaaaaa transmit-key
(config-if)# encryption mode ciphers tkip wep40
(config-if)# ssid APskills

In this case the user login for LEAP will be aaauser with a password of aaauser.
Notice that the NAS is set to the local IP address, and that the RADIUS server is also
set to the local IP address.
Notice also that the shared key (in this case sharedkey) must be set the same
for the NAS and the RADIUS server.
Next, set up the clients to support LEAP authentication, as shown in Figure 1. Once
the client has associated, determine the associated devices with:
# show dot assoc
802.11 Client Stations on Dot11Radio0:
SSID [APskills] :
MAC Address     IP address     Device      Name  Parent  State
0090.4b54.d83a  192.168.1.111  4500-radio        self    EAP-Assoc
Others: (not related to any ssid)

Figure 10: LEAP setup

After which the WAP will display a message such as the following on a successful
association:
*Mar  1 00:00:51.750: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0090.4b54.d83a Associated KEY_MGMT[WPA]

10.59 Challenge 59 (Encapsulation)


The following sets up SNAP encapsulation:
(config)# hostname ap
(config)# aaa new-model
(config)# int bvi1
(config-if)# ip address 192.168.1.110 255.255.255.0
(config-if)# exit
(config)# dot11 ssid APskills
(config-ssid)# authentication open
(config-ssid)# exit
(config)# interface d0
(config-if)# channel 11
(config-if)# encapsulation snap
(config-if)# ssid APskills

10.60 Challenge 60 (Output filter)


The filtering output includes:
show command | include word    this finds all lines with word
show command | begin word      this finds all lines which begin with word
show command | exclude word    this finds all lines without word

An example is:
# show running | include udp
# show running | include tcp
# show running | include !
# show running | begin version
# show running | exclude int

10.61 Challenge 61 (Filtering)


The filtering output includes:
show command | include word    this finds all lines with word
show command | begin word      this finds all lines which begin with word
show command | exclude word    this finds all lines without word
An example is:
# show version | include cisco
# show version | include product
# show version | include ver
# show version | begin power
# show version | exclude pca

10.62 Challenge 62 (PSPF)


Public Secure Packet Forwarding (PSPF) is used to prevent clients which are associated
with an access point from inadvertently communicating with other clients which are
associated to the same access point. It thus allows the clients to connect to the Internet
without being part of the local network. This facility is often used in public wireless
networks, such as on university campuses.
An example is:
# config t
(config)# int d0
(config-if)# bridge-group 1 ?
  <cr>
  circuit-group              Associate serial interface with a circuit group
  input-address-list         Filter packets by source address
  input-lat-service-deny     Deny input LAT service advertisements matching a group list
  input-lat-service-permit   Permit input LAT service advertisements matching a group list
  input-lsap-list            Filter incoming IEEE 802.3 encapsulated packets
  input-type-list            Filter incoming Ethernet packets by type code
  lat-compression            Enable LAT compression over serial or ATM interfaces
  output-address-list        Filter packets by destination address
  output-lat-service-deny    Deny output LAT service advertisements matching a group list
  output-lat-service-permit  Permit output LAT service advertisements matching a group list
  output-lsap-list           Filter outgoing IEEE 802.3 encapsulated packets
  output-type-list           Filter outgoing Ethernet packets by type code
  port-protected             There will be no traffic between this interface and other protected port interface in this bridge group
  subscriber-loop-control    Configure subscriber loop control
  block-unknown-source       block traffic which come from unknown source MAC address
  input-pattern-list         Filter input with a pattern list
  output-pattern-list        Filter output with a pattern list
  path-cost                  Set interface path cost
  priority                   Set interface priority
  source-learning            learn source MAC address
  spanning-disabled          Disable spanning tree on a bridge group
  unicast-flooding           flood packets with unknown unicast destination MAC addresses
(config-if)# bridge-group 1 port-protected

10.63 Challenge 63 (MBSSID)


Up to eight basic SSIDs (BSSIDs) can be assigned, and are similar to MAC addresses.
This allows MBSSIDs to assign a DTIM setting for each SSID, and then to broadcast
multiple SSIDs in a single beacon message. Using MBSSID makes the access-point
more accessible to guests.

An example is:
# config t
(config)# dot11 ssid fred
(config-ssid)# mbssid guest-mode dtim 10
(config-ssid)# exit
(config)# int d0
(config-if)# mbssid

Note:
Large DTIM values are useful for increasing the battery life for power-save client
devices.

10.64 Challenge 66 (SSID redirect)


With IP redirection on an SSID, all the packets from clients are sent to a specific IP
address. This is typically used in applications which use handhelds, where specific
software is used to handle the data packets. For example an SSID might be
HANDHELDS, which handheld scanners connect to. When redirection is used on
this SSID, all the data packets will be sent to the specified IP address, where software
can be set up to handle them. It is also possible to redirect only specific types of traffic,
but this requires ACLs.
An example is:
# config t
(config)# dot11 ssid fred
(config-ssid)#ip ?
redirection Redirect client data to alternate IP address
(config-ssid)#ip redirection ?
host Destination host to forward data
(config-ssid)#ip redirection host ?
A.B.C.D IP redirect destination host address
(config-ssid)# ip redirection host 192.168.1.1
(config-ssid)# exit

10.65 Challenge 67 (SSID redirect with ACLs)


With IP redirection on an SSID, all the packets from clients are sent to a specific IP
address. This is typically used in applications which use handhelds, where specific
software is used to handle the data packets. For example an SSID might be
HANDHELDS, which handheld scanners connect to. When redirection is used on
this SSID, all the data packets will be sent to the specified IP address, where software
can be set up to handle them. It is also possible to redirect only specific types of traffic,
which requires the setup of an ACL which defines the traffic which will be
redirected. Note: all other traffic that isn't redirected will be dropped!
An example is:
# config t
(config)# access-list 1 permit 10.0.0.0 0.0.0.255
(config)# dot11 ssid fred

(config-ssid)#ip ?
redirection Redirect client data to alternate IP address
(config-ssid)#ip redirection ?
host Destination host to forward data
(config-ssid)#ip redirection host ?
A.B.C.D IP redirect destination host address
(config-ssid)#ip red host 1.2.3.4 ?
access-group Optional group access-list to apply
<cr>
(config-ssid)#ip red host 1.2.3.4 access-group ?
WORD Access-list number or name
(config-ssid)#ip red host 1.2.3.4 access-group 1 ?
in Apply to input interface
(config-ssid)#ip red host 1.2.3.4 access-group 1 in ?
<cr>
(config-ssid)#ip red host 1.2.3.4 access-group 1 in
(config-ssid)# exit
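The redirect-or-drop rule of the two challenges above (Challenge 66 without an ACL, Challenge 67 with access-list 1 applied) can be modelled as follows. This is an added example in Python, not Cisco's code; the source addresses fed to it are constructed.

```python
"""Decision model for SSID IP redirection with an optional standard ACL.

Added example (not Cisco code): reproduces the rule described in the two
challenges above. With 'ip redirection host H' every client packet is sent to H;
with 'access-group N in' only packets permitted by ACL N are redirected and
everything else is dropped. Standard-ACL matching follows IOS semantics:
'permit|deny A.B.C.D wildcard', first match wins, implicit deny at the end.
"""
import ipaddress


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_standard_acls(config_lines):
    """Collect 'access-list N permit|deny addr [wildcard]' lines by ACL number."""
    acls = {}
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, addr = parts[1], parts[2], parts[3]
        if addr == "any":
            net, wild = 0, 0xFFFFFFFF
        else:
            net = _as_int(addr)
            # IOS: a standard ACL entry without a wildcard matches the single host.
            wild = _as_int(parts[4]) if len(parts) > 4 else 0
        acls.setdefault(number, []).append((action, net, wild))
    return acls


def acl_permits(entries, src):
    """True if the first matching entry permits src (implicit deny otherwise)."""
    s = _as_int(src)
    for action, net, wild in entries:
        care = 0xFFFFFFFF ^ wild          # wildcard bit 0 = bit must match
        if (s & care) == (net & care):
            return action == "permit"
    return False


def redirect_decision(src, redirect_host, acl_entries=None):
    """Return ('redirect', host) or ('drop', None) for a client packet from src."""
    if acl_entries is None or acl_permits(acl_entries, src):
        return ("redirect", redirect_host)
    return ("drop", None)


# Constructed configuration, taken from the challenge above.
CONFIG = [
    "access-list 1 permit 10.0.0.0 0.0.0.255",
]
ACLS = parse_standard_acls(CONFIG)

if __name__ == "__main__":
    for src in ("10.0.0.7", "10.0.1.7", "192.168.1.50"):
        print(src, "with ACL 1:", redirect_decision(src, "1.2.3.4", ACLS["1"]))
        print(src, "no ACL:    ", redirect_decision(src, "192.168.1.1"))
```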

10.66 Challenge 68 (SSIDL)


There is only one broadcast SSID contained within a beacon from the access point.
An SSIDL information element (SSIDL IE) contained within the beacon can carry
additional SSIDs, so that clients can detect other SSIDs along with the security
settings for each SSID.
An example is:
# config t
(config)# dot11 ssid fred
(config-ssid)# information-element ssidl ?
  advertisement  include SSID name in SSIDL IE
  wps            advertise WPS capability in SSID IE
  <cr>
(config-ssid)# information-element ssidl advertisement
(config-ssid)# exit

10.67 Challenge 69 (VLAN encryption)


An encryption key can be set for each VLAN, so that the traffic is encrypted over the
interconnected ports of the VLAN. Up to four keys can be defined for the encryption
key. An example is:
# config t
(config)# dot11 ssid fred
(config-ssid)# vlan 22
(config-ssid)# exit
(config)# int d0
(config-if)# encryption vlan 22 key 1 size 40 aaaaaaaaaa

which defines a 40-bit encryption key of aaaaaaaaaa (which is a hexadecimal value).


The other option is for a 128-bit key which has 32 hexadecimal digits. In this case the
interface is assigned to VLAN 22, so that all the other nodes in this VLAN will
receive broadcasts from a node in the VLAN.

10.68 Challenge 70 (VLAN encryption)


An encryption key can be set for each VLAN, so that the traffic is encrypted over the
interconnected ports of the VLAN. Most hosts now use WPA as it allows for TKIP
encryption. WEP suffers from many security problems, but TKIP overcomes most of
these, and is still compatible with most currently available IEEE 802.11 wireless
interfaces. CKIP and CMIC are Cisco-derived methods, and sometimes lack
compatibility. An example for WPA using TKIP is:
# config t
(config)# dot11 ssid fred
(config-ssid)# vlan 22
(config-ssid)# exit
(config)# int d0
(config-if)# ssid fred
(config-if)# encryption vlan 22 mode ciphers tkip

The two main cipher suites for authenticated key management are:


CCKM (Cisco Centralized Key Management). This uses either:

wep128
wep40
ckip
cmic
ckip-cmic
tkip

WPA. This uses either:

tkip
tkip wep128
tkip wep40

10.69 Challenge 71 (VLAN broadcast)


Broadcast key rotation allows a new broadcast key to be distributed to the network. It is
disabled by default. It is used with 802.1X authentication (such as LEAP, EAP-TLS or PEAP). The broadcast-key change time is defined with:
# config t
(config)# dot11 ssid fred
(config-ssid)# vlan 22
(config-ssid)# exit
(config)# int d0
(config-if)# ssid fred
(config-if)# broadcast-key vlan 22 change 100

which enables the broadcast-key on VLAN 22, and defines that the broadcast key is
changed every 100 seconds.

10.70 Challenge 72 (MAC authentication)


# config t
(config)# dot11 ssid fred
(config-ssid)# authentication open mac-address maclist
(config-ssid)# exit
(config)# aaa new-model
(config)# aaa authentication login maclist group radius

10.71 Challenge 73 (WPA-PSK)


Unfortunately, WEP suffers from many problems, and should not be used for
sensitive data. An improvement which keeps compatibility with WEP is TKIP. One
method is WPA-PSK (Pre-shared key), where the user defines a pre-shared key,
which is set up on both the access point and the client. An example setup of WPA-PSK, with the same shared key of napieruniversity on the client (Figure 1), is:
> enable
# config t
(config)# dot11 ssid texas
(config-ssid)# wpa-psk ascii napieruniversity
(config-ssid)# exit
(config)# int d0
(config-if)# ssid texas

Figure 1:

10.72 Challenge 74 (Authentication holdtimes)


An example is:
> enable
# config t
(config)# dot11 holdoff-time 15
(config)# dot1x timeout supp-response 10
(config)# int d0
(config-if)# dot1x reauth-period 10
(config-if)# countermeasure tkip hold-time

where:

(config)# dot11 holdoff-time x

This is the time that a client device must wait before it can reattempt to authenticate,
after it has failed an authentication. This occurs when the client device fails three
logins or does not reply to three authentication requests. 1-65,545 seconds.

(config)# dot1x timeout supp-response 10

This is the time that the access point waits for a reply to an EAP/dot1x message from
a client before the authentication is failed.

(config-if)# dot1x reauth-period 10

This is the time that the access point waits before it asks the client to reauthenticate
itself.

(config-if)# countermeasure tkip hold-time

This defines the TKIP MIC failure holdtime, which is triggered when the access point
detects two MIC failures in a period of 60 seconds. For the holdtime period it then
blocks all TKIP clients on the interface.
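The MIC-failure countermeasure and the holdoff timer described above, modelled as an added Python example (not Cisco code): the 60-second window, the two-failure trigger and the three-failed-logins rule come from the text, the holdoff of 15 seconds matches the configuration above, and the hold-time of 60 seconds and the timestamps are the example's own choices.

```python
"""Simulation of two Aironet authentication timers described above.

Added example, not Cisco code. It models (1) the TKIP MIC-failure
countermeasure, where two MIC failures within 60 seconds put the radio
interface into a hold period during which all TKIP clients are blocked, and
(2) dot11 holdoff-time, where a client that fails three authentications must
wait the holdoff period before it may try again. Timestamps are seconds.
"""

MIC_WINDOW = 60.0   # window (from the text) in which two MIC failures trigger the hold


class TkipCountermeasure:
    def __init__(self, hold_time):
        self.hold_time = hold_time      # 'countermeasure tkip hold-time' value (assumed)
        self.failures = []              # timestamps of MIC failures inside the window
        self.blocked_until = None       # end of the current hold period, if any

    def mic_failure(self, now):
        """Record a MIC failure at time 'now'; return True if a hold period starts."""
        self.failures = [t for t in self.failures if now - t <= MIC_WINDOW]
        self.failures.append(now)
        if len(self.failures) >= 2:
            self.blocked_until = now + self.hold_time
            self.failures = []          # a new pair is needed to trigger again
            return True
        return False

    def tkip_allowed(self, now):
        """False while the interface is inside a hold period."""
        return self.blocked_until is None or now >= self.blocked_until


class HoldoffTracker:
    def __init__(self, holdoff):
        self.holdoff = holdoff          # 'dot11 holdoff-time' value
        self.fails = {}                 # client MAC -> consecutive failed logins
        self.hold = {}                  # client MAC -> time until which it must wait

    def may_attempt(self, mac, now):
        return now >= self.hold.get(mac, 0.0)

    def auth_result(self, mac, now, success):
        """Feed one authentication outcome; return the tracker's verdict."""
        if not self.may_attempt(mac, now):
            return "held"               # still inside the holdoff period
        if success:
            self.fails[mac] = 0
            return "ok"
        self.fails[mac] = self.fails.get(mac, 0) + 1
        if self.fails[mac] >= 3:        # third failed login starts the holdoff
            self.hold[mac] = now + self.holdoff
            self.fails[mac] = 0
            return "holdoff"
        return "failed"


if __name__ == "__main__":
    cm = TkipCountermeasure(hold_time=60)            # hold-time chosen for the example
    print(cm.mic_failure(0.0), cm.mic_failure(30.0), cm.tkip_allowed(50.0), cm.tkip_allowed(90.0))
    ht = HoldoffTracker(holdoff=15)                   # matches 'dot11 holdoff-time 15'
    mac = "0011.2233.4455"                            # constructed client address
    print([ht.auth_result(mac, t, False) for t in (0.0, 1.0, 2.0, 5.0)], ht.auth_result(mac, 17.0, True))
```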

10.73 Challenge 75 (WLCCP)


In large campus area networks, it is important that mobile nodes are able to migrate
from one access point to another. If possible they must hand over the current context from
one access point to the other.
WLCCP establishes and manages wireless network topologies in a SWAN (Smart
Wireless Architecture for Networking). It securely manages an operational context for
mobile clients, typically in a campus-type network. In the registration phase, it can
automatically create and delete network links, and securely distribute operational
context, typically with Layer 2 forwarding paths.
With WLCCP, a single infrastructure node is defined as the central control point within
each subnet, and allows access points and mobile nodes to select a parent node for a
least-cost path to the backbone connection. An example is:
> enable
# config t
(config)# aaa new-model
(config)# aaa authentication login testi group radius
(config)# aaa authentication login testc group radius
(config)# wlccp wds priority 200 interface bvi1
(config)# wlccp authentication-server infrastructure testi
(config)# wlccp authentication-server client any testc
(config-wlccp-auth)# ssid testing

which defines that the authentication of infrastructure devices is done using the
server group testi, and that client devices using the testing SSID are authenticated
using the server group of testc.

Copyright statement
This lab has been designed as an integrated unit, and should not
be modified without the author's consent.
Prof Bill Buchanan, Sept 2008

Wireless LANs Labs

11 Wireless Lab Specification (C6)

11.1 Introduction
The wireless lab in C6 is isolated from the main university network, and allows for
the development of mobile networks and applications, for both projects and
teaching. It currently contains the following:

- 20 wireless hosts with Belkin IEEE 802.11b/g wireless cards. Note: Do not set
  the wireless cards to have an address which links to the Ethernet network
  (192.168.1.x). The Ethernet network is used to allow the connection to the
  Aironets, and the wireless network should have addresses which do not link to
  the Ethernet network.
- 12 wireless hosts with Cisco Aironet IEEE 802.11g wireless cards.
- One Cisco 3560 switch (C6SW2).
- Seven Aironet 1200 wireless access points.
- One Windows 2003 server. This server has two Ethernet cards, which allows it to
  be part of the main Ethernet network (192.168.1.5), and also the Wireless network
  (such as 192.168.2.x). The main connection allows it to be configured to be part of
  the wireless network.
- One Linux server. This server has two Ethernet cards, which allows it to be part
  of the main Ethernet network (192.168.1.6), and also the Wireless network (such
  as 192.168.2.x).

The main Ethernet network is located on the 192.168.1.x network, where the main
server is at 192.168.1.1, and the hosts start at 192.168.1.6 (on the left-hand side of
Bench 1) and go onto 192.168.1.25 (on right-hand side of Bench 4), as illustrated in
Figure 1.
Figure 1: Outline of wireless lab setup (Ethernet network 192.168.1.x: hosts
192.168.1.10 to 192.168.1.29 across Benches 1 to 4; switches C6SW1 and C6SW2;
console server C6CS1 at 192.168.1.100 with Aironet1 on port 2001, Aironet2 on
port 2002, through to Aironet7 on port 2007; Windows server 192.168.1.5 and
192.168.2.x; Linux server 192.168.1.6 and 192.168.2.x)
11.2 Example configuration


The following configuration sets up:

                   Tutorial example   Your example
Device:            [Aironet1]         [           ]
Remote port:       [2001]             [           ]
Aironet1 IP:       [192.168.2.3]      [           ]
Aironet SSID:      [bill]             [           ]
Wireless client:   [192.168.2.2]      [           ]
Windows server:    [192.168.2.5]      [           ]

Figure 2 illustrates the example setup. Please note that your connection is likely to be
different, as you want to have different IP addresses and SSIDs to other wireless
networks.
Figure 2: Example setup (Telnet to 192.168.1.100 port 2001; Aironet1 IP 192.168.2.3,
SSID bill; Windows server 192.168.2.5; Client 1 IP 192.168.2.2, SSID bill)


11.2.1 Connection to Aironets
There are currently seven Cisco Aironet 1200 wireless access points, which can be
configured by connecting to the console port of the Aironet, and using a Telnet
connection (Figure 3). These are accessed by:
Aironet1: Telnet address: 192.168.1.100  Telnet port: 2001
Aironet2: Telnet address: 192.168.1.100  Telnet port: 2002
Aironet3: Telnet address: 192.168.1.100  Telnet port: 2003
Aironet4: Telnet address: 192.168.1.100  Telnet port: 2004
Aironet5: Telnet address: 192.168.1.100  Telnet port: 2005
Aironet6: Telnet address: 192.168.1.100  Telnet port: 2006
Aironet7: Telnet address: 192.168.1.100  Telnet port: 2007

Figure 3: Outline of connecting to the Aironet console ports (console server C6CS1 at
192.168.1.100 on C6SW2: Aironet1 on port 2001, Aironet2 on port 2002, through to
Aironet7 on port 2007; Windows server 192.168.1.5 and 192.168.2.x; Linux server
192.168.1.6 and 192.168.2.x; Benches 1 to 4)


Figure 4 shows an example connection to [Aironet1], where the remote port is [2001].
The connection in this example uses Windows HyperTerminal (Start->Programs->Accessories->Communications->HyperTerminal). The connection to the Aironet
should then be made (such as shown in Figure 5). With this, the password should be
Cisco, after which the main login to the Aironet is made (Figure 6), which also has a
password of Cisco.

Figure 4: Telnet connection to the Aironet (Aironet1)

Figure 5: Telnet connection to the Aironet (Aironet1)

Figure 6: Telnet connection to the Aironet (Aironet1)


An example setup is shown in Figure 7. The configuration in this case is:
> enable
# config t
(config)# hostname ap
(config)# dot11 ssid bill
(config-ssid)# authentication open
(config-ssid)# exit
(config)# int bvi1
(config-if)# ip address 192.168.2.3 255.255.255.0
(config-if)# exit
(config)# int d0
(config-if)# channel 6
(config-if)# ssid bill
(config-if)# no shutdown
(config-if)# exit
(config)# int fa0
(config-if)# no shutdown
(config-if)# exit

This sets up the IP address of the access point at [192.168.2.3] with an SSID of [Bill]
and using radio channel 6. The wireless nodes which connect to this access point will
now have an address of 192.168.2.x.

Figure 7: Telnet connection to the Aironet (Aironet1)


11.2.2 Setting up the Wireless client (Cisco 350)
Each of the hosts has a wireless card, such as a Belkin client (Appendix 1) or a Cisco
350 card. As an example the following sets up a connection to the [192.168.2.x]
network. Initially the Cisco Client program is used to set up a profile (Figure 8/9),
after which the SSID is set to the one configured on the access point (Section 2), as shown in
Figure 10, which, in this case, is [Bill].

Figure 8: Selecting a profile


Figure 9: Selecting a profile

Figure 10: Editing the SSID


The IP address of the wireless card on the host can be set up by right-clicking on the Wireless Network Connection within Network Connections (Figure 11), after which the IP properties can be defined (Figure 12, which sets up the IP address of [192.168.2.2]). If a Cisco 350 wireless card is used, the connection properties can then be displayed (Figure 13), after which the client will associate with the access point (Figure 14).


Figure 11: Setting up the wireless properties of the host

Figure 12: Setting up the wireless properties of the host

Figure 13: Cisco Aironet 350 status


Association

Figure 14: Cisco Aironet 350 association


If the client is associated with the access point, it should be able to ping the access point, such as:

C:\>ping 192.168.2.3

Pinging 192.168.2.3 with 32 bytes of data:

Reply from 192.168.2.3: bytes=32 time=2ms TTL=150
Reply from 192.168.2.3: bytes=32 time=1ms TTL=150
Reply from 192.168.2.3: bytes=32 time=1ms TTL=150
Reply from 192.168.2.3: bytes=32 time=1ms TTL=150

Ping statistics for 192.168.2.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

11.2.3 Connection to the Windows 2003 server

The Windows 2003 server contains two Ethernet cards, one which connects it to the main Ethernet network, and the other which connects it to the wireless network. The wireless connection can be used to set up services such as a Web server, a DHCP server, a RADIUS server, a TACACS+ server, and so on. To make a connection from one of the hosts, use a remote desktop connection to 192.168.1.5, such as with mstsc (the remote desktop program), as shown in Figure 15 and Figure 16. Figure 17 then shows the login to the server (using the login of c072047 and the password of co72047). The IP address of the second Ethernet card can then be set to be part of the wireless network address range [192.168.2.5], as shown in Figure 18, after which the access point and client should be able to be pinged (Figure 19).


Figure 15: Running the remote desktop program

Figure 16: Connection to Windows 2003 server

Figure 17: Login to the Windows 2003 server


Figure 18: Setup of the IP address on the 2nd Ethernet card on the Windows 2003
server

Figure 19: Completion of the login to the Windows 2003 server


11.3 Appendix 1 (Belkin card connection)

First locate the wireless card's configuration panel, and set the Network SSID and Channel (Figure A.1). Next locate the wireless card in Network Connections, and disable the Windows firewall on that connection (otherwise it will block the pings used to test the link). Next right-click on the wireless icon, and set the TCP/IP settings (from Internet Protocol (TCP/IP)), as shown in Figure A.2. After this set the IP address of the card to one which joins onto the wireless subnet (Figure A.3).

Figure A.1: Wireless card settings

Figure A.2: Wireless card settings


Figure A.3: Wireless IP settings


11.4 Appendix (Overall schematic)

Figure: Overall schematic of the lab network. The console server C6CS1 (192.168.1.100) provides the Aironet console ports (Aironet1 on port 2001, Aironet2 on port 2002, through to Aironet7 on port 2007); the switches C6SW1 and C6SW2 carry the Ethernet network; the Windows server is at 192.168.1.5 and the Linux server at 192.168.1.6, each with a second card on 192.168.2.x (any address) for the wireless side; the bench hosts on Benches 1 to 4 use addresses in the range 192.168.1.10 to 192.168.1.29.

The connections to C6CS1 are:

Port 1: Aironet1 Console port [192.168.1.100 Port 2001]
Port 2: Aironet2 Console port [192.168.1.100 Port 2002]
Port 3: Aironet3 Console port [192.168.1.100 Port 2003]
Port 4: Aironet4 Console port [192.168.1.100 Port 2004]
Port 5: Aironet5 Console port [192.168.1.100 Port 2005]
Port 6: Aironet6 Console port [192.168.1.100 Port 2006]
Port 7: Aironet7 Console port [192.168.1.100 Port 2007]

The connections to C6SW2 are:

FA0/1: Aironet1 FA Ethernet port
FA0/2: Aironet2 FA Ethernet port
FA0/3: Aironet3 FA Ethernet port
FA0/4: Aironet4 FA Ethernet port
FA0/5: Aironet5 FA Ethernet port
FA0/6: Aironet6 FA Ethernet port
FA0/7: Aironet7 FA Ethernet port
FA0/8: Reserved
FA0/9: Reserved
FA0/10: Windows 2003 2nd Ethernet port used to connect to the wireless network
FA0/11: Linux 2nd Ethernet port used to connect to the wireless network
FA0/12-20: not assigned
FA0/21: Console server (C6CS1)
FA0/22: Windows 2003 1st Ethernet port (192.168.1.5)
FA0/23: Linux 1st Ethernet port (192.168.1.6)

Login for Windows and Linux servers:
Login ID: co72047
Password: co72047


12 Labs
Lab 1: Access Point Tutorial
Using the Network-emulators, select the Wireless emulator, and perform the
following:
1.

You should start in the user mode:

>

2.

Go into the EXEC mode using the enable command.

> enable

How does the prompt change?

3.

From the EXEC mode go into the Global Configuration Mode, and use the
hostname command to change the hostname to MyWireless.

# ?
# config t
(config) # hostname MyWireless

How does the prompt change?

4.

Exit from the Global Configuration Mode using exit, and list the current
running-config with show running-config.

(config) # exit
# show running-conf

Outline some of the settings in the running-config:


12.1.1 Using the show command

5. Complete the following commands:

# ?
# show buffers
# show memory
# show stacks
# show hosts
# show arp
# show flash
# show history
# show version
# show interfaces
# show interface fa0
# show interface dot11radio0

Using the information from above, what are the following:
Processor Board ID:
Processor Type:
Processor Clock Speed:
System image file:
Operating System Version:
File names stored in the Flash memory:
Product/Model Number:

12.1.2 History commands

The main commands for history are:

# terminal ?
# terminal history ?
# terminal history size ?
# terminal history size 100
# show history

12.1.3 Clock commands

The main commands for clock are:

# clock ?
# clock set ?
# clock set 11:00 ?
# clock set 11:00 11 ?
# clock set 11:00 11 jun ?
# clock set 11:00 11 jun 2006

12.1.4 Programming the WAP ports

6. Program the two ports of the WAP with:

# config t
(config)# int ?
(config)# int fa0
(config-if)# ?
(config-if)# ip address ?
(config-if)# ip address 207.11.12.10 ?
(config-if)# ip address 207.11.12.10 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# dot11 ssid fred
(config-ssid)# ?
(config-ssid)# guest-mode
(config-ssid)# exit
(config)# int dot11radio0
(config-if)# ?
(config-if)# ip address 192.168.0.1 255.255.255.0
(config-if)# station-role ?
(config-if)# station-role root
(config-if)# channel ?
(config-if)# channel 7
(config-if)# no shutdown
(config-if)# ssid fred
(config-if)# exit
(config)# exit

Here station-role root makes the WAP the root of the wireless network (the other option is repeater), and channel 7 sets the radio channel (2.442 GHz). Note that guest-mode includes the SSID in the beacon, so any client scanning for networks will see it.

Ping the newly defined ports (207.11.12.10 and 192.168.0.1). Are they responding?

Next go back to the ports and shut them down:


# config t
(config)# int ?
(config)# int fa0
(config-if)# shutdown
(config-if)# exit
(config)# int dot11radio0
(config-if)# shutdown
(config-if)# exit
(config)# exit
Ping the newly defined ports (207.11.12.10 and 192.168.0.1) again. Are they
responding?

To get rid of guest-mode:

# config t
(config)# dot11 ssid fred
(config-ssid)# no guest-mode
(config-ssid)# exit
(config)# exit

7. Go to the EXEC mode, and view the running-config:

# show running-config

8. The WAP can access a domain server and DNS, using the ip name-server and ip domain-lookup commands:

# config t
(config)# ip ?
(config)# ip domain-name ?
(config)# ip domain-name mydomain.com
(config)# ip name-server ?
(config)# ip name-server 160.10.11.12
(config)# ip domain-lookup
(config)# ip default-gateway ?
(config)# ip default-gateway 10.11.12.11

Here ip domain-lookup enables DNS lookup on the WAP.

9. To get rid of any of these settings, insert a no in front of them, such as:

# config t
(config)# no ip domain-name mydomain.com
(config)# no ip name-server 160.10.11.12
(config)# no ip domain-lookup
(config)# no ip default-gateway 10.11.12.11
(config)# exit
# show running

10. Setting passwords for the line console and for telnet access:

# config t
(config)# line con 0
(config-line)# login
(config-line)# password fred
(config-line)# exit
(config)# line vty 0 15
(config-line)# login
(config-line)# password fred
(config-line)# exit
(config)# exit

Note that a line password is stored in the running-config in clear text unless service password-encryption is set, and that telnet carries it across the network in clear text; where the image supports SSH, transport input ssh on the vty lines avoids this.

11. Setting up a WWW server on the wireless access point:

# config t
(config)# ip http server
(config)# exit
# show running

12.

If we need to change the port and the max number of connections on the
WWW server:

# config t
(config)# ip http port 8080
(config)# ip http max-connections 2
(config)# exit
# show running

13.

And to disable the WWW server:

# config t
(config)# no ip http server
(config)# exit
# show running

14. Setting up a user on the wireless access point:

# config t
(config)# username ?
(config)# username fred ?
(config)# username fred password bert
(config)# exit
# show running

Note that username ... password stores the password in the running-config as a type-0 (clear-text) value unless service password-encryption is enabled, and even then only as the reversible type-7 encoding; where the image supports it, username fred secret bert stores a hash instead.

15.

To get rid of a user:

# config t
(config)# no username fred password bert
(config)# exit
# show running

16.

To setup the host table on the wireless access point:

# config t
(config)# ip host freds 172.14.10.11
(config)# ip host berts 172.14.10.12
(config)# ip host slappi 10.15.1.100

17. It is possible to run a DHCP server to assign IP parameters to wireless nodes:

# config t
(config)# ip ?
(config)# ip dhcp ?
(config)# ip dhcp pool socpool
(config-dhcp)# ?
(config-dhcp)# network 192.168.0.0 255.255.255.0
(config-dhcp)# lease 10
(config-dhcp)# exit
(config)# exit
# show running-config

The network command sets the range of addresses to be allocated, and lease 10 sets the lease to 10 days.

18. Then to get rid of DHCP:

# config t
(config)# no ip dhcp pool socpool
(config)# exit
# show running-config

19. To create a banner:

# config t
(config)# banner motd # hello #
(config)# exit
# show running

20. To get rid of the banner:

# config t
(config)# no banner motd

21. To set the ARP method:

# config t
(config)# int dot11radio0
(config-if)# arp ?
(config-if)# arp arpa

22.

CDP (Cisco Discovery Protocol) is set with the following:

# config t
(config)# cdp ?
(config)# cdp holdtime 120
(config)# cdp timer 50
(config)# end
Using the show cdp command, determine the settings for CDP:

23. To enable CDP on the WAP:


# config t
(config)# cdp run
(config)# end

24. To enable CDP on an interface:


# config t
(config)# int fa0
(config-if)# cdp enable
(config-if)# end

25. To show CDP information:

# show cdp neighbors
# show cdp neighbors detail
# show cdp traffic

26. To set up a local hosts table:

# config t
(config)# ip host LAB_A 192.5.5.1
(config)# ip host LAB_B 201.100.11.2
(config)# ip host LAB_C 223.8.151.1
(config)# ip host LAB_D 210.93.105.1
(config)# ip host LAB_E 210.93.105.2
(config)# exit
# show hosts
# show running
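Taken together, the commands in this lab leave settings that a security review of the access point would flag: open authentication with no cipher on the radio, the SSID advertised by guest-mode, management over plain HTTP, a type-0 username password, a shared telnet password, and CDP advertising the device. The following Python script is an added example (not part of the original lab sheet and not Cisco tooling) that parses an IOS-style running-config into blocks and reports those settings. Both configurations embedded in it are constructed for the example from the commands used above; the commands assumed for the hardened version (encryption mode ciphers aes-ccm, authentication key-management wpa, wpa-psk ascii, transport input ssh, login local, ip http secure-server) are standard IOS access-point syntax.

```python
import re

# Constructed sample running-config (not captured from a lab access point): it strings
# together the commands used in Lab 1 so that every check below fires.
WEAK_CONFIG = """\
no service password-encryption
enable password cisco
username fred password 0 bert
dot11 ssid fred
   authentication open
   guest-mode
interface Dot11Radio0
 ssid fred
ip http server
cdp run
line vty 0 15
 password fred
 login
end
"""

# Constructed hardened counterpart: WPA2/AES on the radio, SSH-only management,
# hashed credentials, no CDP and no clear-text HTTP.
HARDENED_CONFIG = """\
enable secret 0 Str0ng-Enable-Pass
username fred secret 0 N0t-bert
dot11 ssid fred
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 a-long-random-passphrase
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid fred
no ip http server
ip http secure-server
line vty 0 15
 transport input ssh
 login local
end
"""


def parse_blocks(config):
    """Split an IOS-style config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:            # indented line belongs to the last block
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_ap_config(config):
    """Return (severity, message) findings for the weak settings used in the labs."""
    blocks = parse_blocks(config)
    top = [cmd for cmd, _ in blocks]
    findings = []
    for cmd, subs in blocks:
        if cmd.startswith("dot11 ssid "):
            name = cmd.split(" ", 2)[2]
            # "authentication open" alone is open-system auth; with key-management it is WPA
            if "authentication open" in subs and not any(
                    s.startswith("authentication key-management") for s in subs):
                findings.append(("HIGH", f"SSID {name}: open authentication, anyone in range can associate"))
            if "guest-mode" in subs:
                findings.append(("INFO", f"SSID {name}: guest-mode advertises the SSID in beacons"))
        elif cmd.lower().startswith("interface dot11radio"):
            # On IOS access points the cipher is set on the radio interface, not on the SSID
            ciphers = [s for s in subs if s.startswith("encryption")]
            for name in (s.split(" ", 1)[1] for s in subs if s.startswith("ssid ")):
                if not ciphers:
                    findings.append(("HIGH", f"{cmd}: SSID {name} has no encryption mode, frames go in clear text"))
                elif any("wep" in c for c in ciphers):
                    findings.append(("HIGH", f"{cmd}: SSID {name} uses WEP, which is cryptographically broken"))
        elif cmd.startswith("line vty"):
            if not any(s.startswith("transport input ssh") for s in subs):
                findings.append(("HIGH", f"{cmd}: telnet allowed, the login password crosses the network in clear"))
            if "login" in subs and any(s.startswith("password ") for s in subs):
                findings.append(("MEDIUM", f"{cmd}: shared line password instead of per-user login local"))
        m = re.match(r"username (\S+) password (?:(\d) )?\S+$", cmd)
        if m and m.group(2) in (None, "0"):
            findings.append(("HIGH", f"username {m.group(1)}: type-0 (clear-text) password"))
        if cmd.startswith("enable password "):
            findings.append(("HIGH", "enable password: stored reversibly, use enable secret instead"))
    if "ip http server" in top:
        findings.append(("MEDIUM", "ip http server: management over plain HTTP, credentials sent in clear"))
    if "no service password-encryption" in top:
        findings.append(("MEDIUM", "no service password-encryption: line and user passwords stored in clear text"))
    if "cdp run" in top:
        findings.append(("LOW", "cdp run: CDP advertises platform, IOS version and addresses to neighbours"))
    return findings
```

Running audit_ap_config(WEAK_CONFIG) produces five HIGH findings plus the MEDIUM/LOW/INFO ones; audit_ap_config(HARDENED_CONFIG) produces none. The parser relies only on IOS indentation (sub-commands are indented under their parent), so the output of show running-config can be pasted in directly.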


Lab 2: Access-point Tutorial

27. The power level of the access point can be set with the power command, and the speed can be set with the speed command:

# config t
(config)# int dot11radio0
(config-if)# power ?
(config-if)# power local ?
(config-if)# power local 30
(config-if)# power client 10
(config-if)# speed ?
(config-if)# speed 1.0
(config-if)# exit
(config)# exit

The access point can also be used to set the power level of the clients (power client; in this case, 10 mW).

Using the information from above, what are the following:

Available power levels for access point:

Available speeds for access point:

28.

With world-mode, the access point adds channel carrier set information to its
beacon. This allows client devices with world mode to receive the carrier set
information and adjust their settings automatically. World mode is disabled by
default, to enable it:

# config t
(config)# int dot11radio0
(config-if)# ?
(config-if)# world-mode
(config-if)# exit
(config)# exit

29. The antenna can be set for both the transmit and receive options. These can be:

Diversity. With this the WAP uses the antenna on which the best signal is being received.
Right. This is where the antenna is on the right of the WAP, and is highly directional.
Left. This is where the antenna is on the left of the WAP, and is highly directional.

# config t
(config)# int dot11radio0
(config-if)# antenna ?
(config-if)# antenna transmit ?
(config-if)# antenna transmit diversity
(config-if)# antenna receive left
(config-if)# exit


(config)# exit

30. The WAP transmits a beacon frame which clients use to find the network and synchronise with it; the beacon also carries the delivery traffic indication message (DTIM), which tells power-saving clients that buffered traffic is waiting for them. The beacon period is defined in Kilomicroseconds (1 Kµs is 1024 microseconds, roughly 1 millisecond). For example, to set the beacon period to approximately once every second:

# config t
(config)# int dot11radio0
(config-if)# beacon ?
(config-if)# beacon period ?
(config-if)# beacon period 1000
(config-if)# exit
(config)# exit

To return the beacon period to its default (the beacon itself cannot be switched off, as clients would then be unable to find the access point):

# config t
(config)# int dot11radio0
(config-if)# no beacon period
(config-if)# exit
(config)# exit

31. PAYLOAD-ENCAPSULATION. If packets are received which are not defined in IEEE 802.3 format, the WAP must format them using the required encapsulation. The methods are:

802.1H (dot1h). This is the default, and is optimized for Cisco Aironet wireless products.
RFC1042. This is used by many wireless manufacturers (SNAP), and is thus more compatible than 802.1H.

For example:
# config t
(config)# int dot11radio0
(config-if)# payload-encapsulation ?
(config-if)# payload-encapsulation rfc1042
(config-if)# exit
(config)# exit

32. CARRIER TEST. The WAP can show the activity on certain channels using the carrier busy test (note that the connections to devices are dropped for about 4 seconds when these tests are made, so it should not be run on a production access point while clients are working). For example:

# show dot11 ?
# show dot11 carrier ?
# show dot11 carrier busy


33. RTS. The RTS (Request To Send) frame is used to reserve the medium before the client or the WAP sends a data frame (the receiver answers with a CTS, Clear To Send). The RTS threshold sets the packet size at which the access point issues an RTS before sending the packet. Low RTS threshold values are useful in areas where there are many clients, or where the clients are far apart and cannot hear each other (the hidden node problem). The maximum RTS retries (1-128) defines the maximum number of times the access point issues an RTS before abandoning the send. For example, to set the threshold at 1000 bytes and the number of retries to 10:

# config t
(config)# int dot11radio0
(config-if)# rts ?
(config-if)# rts threshold ?
(config-if)# rts threshold 1000
(config-if)# rts retries ?
(config-if)# rts retries 10
(config-if)# exit
(config)# exit

To set the preamble to short:


# config t
(config)# int dot11radio0
(config-if)# preamble-short
(config-if)# exit
(config)# exit

To get rid of it:


# config t
(config)# int dot11radio0
(config-if)# no preamble-short
(config-if)# exit
(config)# exit

34.

PACKET RETRIES. The maximum data retries value (1-128) defines the
number of attempts that a WAP makes before dropping the packet.

# config t
(config)# int dot11radio0
(config-if)# packet retries 5
(config-if)# exit
(config)# exit

35. FRAGMENT-THRESHOLD. The fragmentation threshold value sets the size at which packets are fragmented (256 B to 2338 B). Low values are good when there are many errors in the transmitted data, as there will be more chance that each of the fragments will be received correctly. An example is:

# config t
(config)# int dot11radio0
(config-if)# fragment-threshold 1000
(config-if)# exit
(config)# exit


36. IP PROXY-MOBILE. This command is applied in interface configuration mode to enable proxy Mobile IP operations. For example:

# config t
(config)# int dot11radio0
(config-if)# ip proxy-mobile
(config-if)# exit
(config)# exit

The interfaces of the wireless access point are:

FA0 - Fast Ethernet connection to the network.
DOT11RADIO0 - 2.4GHz radio connection.
DOT11RADIO1 - 5GHz radio connection.
37. A particular problem can be where there are too many associations with the wireless device. To limit the number of associations, the max-associations value is set. For example, to set the maximum number of associations to 20:

# config t
(config)# int d0
(config-if)# ssid fred
(config-if-ssid)# ?
(config-if-ssid)# max-associations ?
(config-if-ssid)# max-associations 20
(config-if-ssid)# exit

38. To determine the wireless nodes that have been associated with the WAP:

# show dot11 ?
# show dot11 associations
# show dot11 statistics client-traffic
What is the IP address and the MAC address of the node has been associated with the WAP:

What is the transmitted signal strength:

What is the signal quality:

39. To list controllers:

# show controllers

!
interface Dot11Radio0
Radio 350 Series, Address 0007.50d5.bf4c, BBlock version 1.59, Software version 5.30.17
Serial number: vms061904jc
Carrier Set: EMEA (EU)
Current Frequency: 2452 Mhz Channel 9
Allowed Frequencies: 2412(1) 2417(2) 2422(3) 2427(4) 2432(5) 2437(6) 2442(7) 2447(8) 2452(9) 2457(10) 2462(11) 2467(12) 2472(13)
Current Power: 50 mW
Allowed Power Levels: 1 5 20 30 50
Current Rates: basic-1.0 basic-2.0 basic-5.5 basic-11.0
Allowed Rates: 1.0 2.0 5.5 11.0
Best Range Rates: basic-1.0 2.0 5.5 11.0
Best Throughput Rates: basic-1.0 basic-2.0 basic-5.5 basic-11.0
Default Rates: no
Radio Management (RM) Configuration:
Beacon State 1
RM Tx Setting Enabled FALSE
RM Tx Power Level 0
RM Tx Channel Number 0
Saved Tx Power 0
Saved Tx Channel 0
Priority 0 cw-min 5 cw-max 10 fixed-slot 6
Priority 1 cw-min 5 cw-max 10 fixed-slot 2
Priority 2 cw-min 4 cw-max 5 fixed-slot 1
Priority 3 cw-min 3 cw-max 4 fixed-slot 1
Radio running mobile: temp 0 C tx_power 50 bb_code 0x0
rssi_threshold 0x0 last alarm code 0x0 gain offset 0

40. SHOW CONTROLLERS. The show controllers dot11radio0 command is used to show the status of the radio interface. For example:

# show controllers dot11radio0

An example of the output (here with the radio on channel 5) is:

!
interface Dot11Radio0
Radio 350 Series, Address 0007.50d5.bf4c, BBlock version 1.59, Software version 5.30.17
Serial number: vms061904jc
Carrier Set: EMEA (EU)
Current Frequency: 2432 Mhz Channel 5
Allowed Frequencies: 2412(1) 2417(2) 2422(3) 2427(4) 2432(5) 2437(6) 2442(7) 2447(8) 2452(9) 2457(10) 2462(11) 2467(12) 2472(13)
Current Power: 50 mW
Allowed Power Levels: 1 5 20 30 50
Current Rates: basic-1.0 basic-2.0 basic-5.5 basic-11.0
Allowed Rates: 1.0 2.0 5.5 11.0
Best Range Rates: basic-1.0 2.0 5.5 11.0
Best Throughput Rates: basic-1.0 basic-2.0 basic-5.5 basic-11.0
Default Rates: no
Radio Management (RM) Configuration:
Beacon State
RM Tx Setting Enabled FALSE
RM Tx Power Level 0
RM Tx Channel Number
Saved Tx Power
Saved Tx Channel

41. SHOW CLIENTS. This command is used to show the details of all the associated clients, and uses:

# show dot11 associations all-clients

An example of the output is:

Address           : 0003.6dff.2a51     Name             :
IP Address        : 192.168.0.11       Interface        : Dot11Radio 0
Device            :                    Software Version :
State             : Assoc              Parent           : self
SSID              : tsunami            VLAN             : 0
Hops to Infra     : 1                  Association Id   : 3
Clients Associated: 0                  Repeaters associated: 0
Key Mgmt type     : NONE               Encryption       :
Rate              : 11.0               Capability       : ShortHdr
Supported Rates   : 1.0 2.0 5.5 11.0
Signal Strength   : -29  dBm           Connected for    : 913 seconds
Signal Quality    : 81  %              Activity Timeout : 31 seconds
Power-save        : Off                Last Activity    : 28 seconds ago
Packets Input     : 143                Packets Output   : 5
Bytes Input       : 16801              Bytes Output     : 266
Duplicates Rcvd   : 0                  Data Retries     : 0
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0

Key Mgmt type NONE with no encryption listed shows that this client is associated over an open, unencrypted link, so all of its traffic can be read by anyone in range; the Decrypt Failed, MIC Failed and MIC Missing counters only become meaningful once WEP or WPA/TKIP is enabled.
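The output above is what an operator would scan for clients that should not be there or are not protected. The following Python script is an added example (not part of the original lab sheet and not Cisco IOS code) that parses this two-column show dot11 associations all-clients layout into one dictionary per client and flags unencrypted associations, weak signal and MIC failures. The sample text inside it is constructed: the first record copies the page's client, the second is made up to show a WPA/TKIP client for contrast, and the -70 dBm signal threshold is an arbitrary assumption.

```python
import re

# Constructed sample in the layout of "show dot11 associations all-clients" above.
# The first record copies the page's client; the second is made up to show a
# WPA/TKIP client with a weak signal and MIC failures.
SAMPLE_OUTPUT = """\
Address           : 0003.6dff.2a51     Name             :
IP Address        : 192.168.0.11       Interface        : Dot11Radio 0
Device            :                    Software Version :
State             : Assoc              Parent           : self
SSID              : tsunami            VLAN             : 0
Hops to Infra     : 1                  Association Id   : 3
Clients Associated: 0                  Repeaters associated: 0
Key Mgmt type     : NONE               Encryption       : Off
Rate              : 11.0               Capability       : ShortHdr
Supported Rates   : 1.0 2.0 5.5 11.0
Signal Strength   : -29  dBm           Connected for    : 913 seconds
Signal Quality    : 81  %              Activity Timeout : 31 seconds
Power-save        : Off                Last Activity    : 28 seconds ago
Packets Input     : 143                Packets Output   : 5
Bytes Input       : 16801              Bytes Output     : 266
Duplicates Rcvd   : 0                  Data Retries     : 0
Decrypt Failed    : 0                  RTS Retries      : 0
MIC Failed        : 0                  MIC Missing      : 0

Address           : 0090.4b54.d83a     Name             :
IP Address        : 192.168.2.2        Interface        : Dot11Radio 0
State             : Assoc              Parent           : self
SSID              : tsunami            VLAN             : 0
Key Mgmt type     : WPA                Encryption       : TKIP
Signal Strength   : -77  dBm           Connected for    : 12 seconds
MIC Failed        : 4                  MIC Missing      : 0
"""

# One "Label : value" pair. The value runs until a gap of three or more spaces that is
# followed by the next label, so single spaces inside values ("1.0 2.0 5.5 11.0") survive.
FIELD = re.compile(r"([A-Za-z][A-Za-z0-9 -]*?)\s*:(.*?)(?=\s{3,}[A-Za-z]|$)")


def parse_clients(text):
    """Return one dict per client record; records are separated by blank lines."""
    clients, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                clients.append(current)
                current = {}
            continue
        for label, value in FIELD.findall(line):
            current[label.strip()] = value.strip()
    if current:
        clients.append(current)
    return clients


def assess(client, min_rssi_dbm=-70):
    """Security-relevant observations for one associated client."""
    issues = []
    if client.get("Key Mgmt type", "NONE") == "NONE" or client.get("Encryption", "") in ("", "Off"):
        issues.append("unencrypted association")
    m = re.search(r"-?\d+", client.get("Signal Strength", ""))
    if m and int(m.group()) < min_rssi_dbm:
        issues.append(f"weak signal ({m.group()} dBm)")
    mic_failed = int(client.get("MIC Failed", "0") or 0)
    if mic_failed:
        # TKIP MIC failures point at forged or replayed frames (two within 60 s trigger countermeasures)
        issues.append(f"{mic_failed} MIC failure(s), possible forged frames")
    return issues


def report(text):
    """Map each client MAC address to its list of issues."""
    return {c["Address"]: assess(c) for c in parse_clients(text)}


if __name__ == "__main__":
    for mac, issues in report(SAMPLE_OUTPUT).items():
        print(mac, ", ".join(issues) or "ok")
```

The parser keeps every field, so the same dictionaries can be used to check the IP address and MAC address asked for in step 38, or to compare the associated stations against an allow-list of known cards.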

42. SHOW DOT11 ASSOCIATIONS STATISTICS. This command shows the statistics for the associations. For example:

# show dot11 associations statistics

An example of the output is:

---- DOT11 Association Statistics -------------

On Interface Dot11Radio0:
cDot11AssStatsAssociated       :2
cDot11AssStatsAuthenticated    :2
cDot11AssStatsRoamedIn         :0
cDot11AssStatsRoamedAway       :0
cDot11AssStatsDeauthenticated  :1
cDot11AssStatsDisassociated    :1
cur_bss_associated             :1
cur_associated                 :1
cur_bss_repeaters              :0
cur_repeaters                  :0
cur_known_ip                   :1
dot11DisassociateReason        :2
dot11DisassociateStation       :0003.6dff.2a51
dot11DeauthenticateReason      :2
dot11DeauthenticateStation     :0003.6dff.2a51
dot11AuthenticateFailStatus    :0
dot11AuthenticateFailStation   :0000.0000.0000

The dot11Deauthenticate and dot11Disassociate fields record the last station and the 802.11 reason code (reason 2 is "previous authentication no longer valid"); a sharp rise in the Deauthenticated and Disassociated counters while clients are not actually leaving is one sign of a deauthentication (denial-of-service) attack.

43. SHOW INTERFACES DOT11RADIO0 STATISTICS. This command shows the statistics for the radio port. For example:

# show interfaces dot11radio0 statistics

An example of the output is:

DOT11 Statistics (Cumulative Total/Last 5 Seconds):

RECEIVER                                   TRANSMITTER
Host Rx Bytes:          41758 /            Host Tx Bytes:         135270 /
Unicasts Rx:              450 /            Unicasts Tx:             1258 /
Unicasts to host:         450 /            Unicasts by host:        1247 /
Broadcasts Rx:                /            Broadcasts Tx:          30329 / 49
Beacons Rx:                 0 /            Beacons Tx:             29773 / 49
Broadcasts to host:           /            Broadcasts by host:       556 / 0
Multicasts Rx:                /            Multicasts Tx:             77 / 0
Multicasts to host:           /            Multicasts by host:        77 / 0
Mgmt Packets Rx:              /            Mgmt Packets Tx:         1247 / 0
RTS received:                 /            RTS transmitted:            0 / 0
Duplicate frames:          65 /            CTS not received:           0 / 0
CRC errors:                57 /            Unicast Fragments Tx:    1258 / 0
WEP errors:                 0 /            Retries:                    0 / 0
Buffer full:                0 /            Packets one retry:          0 / 0
Host buffer full:           0 /            Packets > 1 retry:          0 / 0
Header CRC errors:        656 /            Protocol defers:              /
Invalid header:             0 /            Energy detect defers:       0 /
Length invalid:             0 /            Jammer detected:            0 /
Incomplete fragments:       0 /            Packets aged:               0 /
Rx Concats:                 0 /            Tx Concats:                 0 /

RATE 11.0 Mbps
Rx Packets:               450 /            Tx Packets:                 8 /
Rx Bytes:               41664 /            Tx Bytes:                 764 /
RTS Retries:                0 /            Data Retries:               0 /

The key interfaces are listed with:

# show interface ?
# show interface fa0
# show interface dot11radio0
# show interface bvi1

44. SHOW DOT11 NETWORK-MAP. This command shows the radio network map (the map must first be enabled with dot11 network-map in global configuration). For example:

# show dot11 ?
# show dot11 network-map
# config t
(config)# dot11 network-map
(config)# exit
# show dot11 network-map
# show dot11 carrier ?
# show dot11 carrier busy

Which frequency is the most utilized:

45. A few other show commands are:

# show ip
# show ip ?
# show led
# show led ?
# show led flash
# show line
# show log

Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 31 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 32 messages logged
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 35 message lines logged

Log Buffer (4096 bytes):

*Mar  1 00:00:04.103: soap_pci_subsys_init: slot 3 found radio
*Mar  1 00:00:04.405: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar  1 00:00:05.429: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar  1 00:00:06.432: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Mar  1 00:00:07.432: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar  1 00:00:15.384: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
*Mar  1 00:00:25.435: %SYS-5-RESTART: System restarted --

# show vlans

46. Some other show commands are:

# show aliases
# show caller
# show cca
# show class-map
# show clock
# show crash
# show dhcp ?
# show dot11 ?
  adjacent-ap        Display adjacent AP list
  antenna-alignment  Display recent antenna alignment results
  arp-cache          Arp Cache
  associations       association information
  carrier            Display recent carrier test results
  linktest           Display recent linktest results
  network-map        Network Map
  statistics         statistics information

# show dot11 adjacent-ap
# show dot11 arp-cache
# show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [tsunami] :

MAC Address     IP address      Device       Name   Parent   State
0090.4b54.d83a  192.168.2.2     4500-radio          self     Assoc

Others: (not related to any ssid)

# show dot11 carrier ?
# show dot11 carrier busy
# show dot11 network-map
# show dot11 statistics
# show dot11 statistics ?
# show dot11 statistics client-traffic

Clients:
 3-0090.4b54.d83a pak in 372 bytes in 31151 pak out 3 bytes out 262
                  dup 0 decrpyt err 0 mic mismatch 0 mic miss 0
                  tx retries 0 data retries 0 rts retries 0
                  signal strength 43 signal quality 83

47. For radio tests:

# dot11 ?
# dot11 dot11radio0 ?
# dot11 dot11radio0 carrier ?
# dot11 dot11radio0 carrier busy
# dot11 dot11radio0 linktest

Prof Bill Buchanan, Sept 2008


Lab 3: Ad-hoc networks


Outline:
The objective of this lab is to demonstrate the principles of ad-hoc networks, especially in joining a network and in assessing its performance. At the start of the lab you will be given a name for your SSID, and assigned into groups.
What is the SSID that your group has been assigned:
[GroupA] [GroupB] [GroupC] [GroupD] [GroupE] [GroupF] [GroupG]

12.1.5 Setting SSID and mode


First locate the Wireless card panel, and set the Network Mode to 802.11 Ad-hoc and
the Network SSID to the name you have been assigned. The channel should also be
set to Channel 6, as shown in Figure 1.

Figure 1: Wireless card settings

12.1.6 Setting IP address

Next locate the wireless card in Network Connections, and disable the Windows firewall on that connection (otherwise it will block the pings and the file sharing used later in this lab). Next right-click on the wireless icon, and set the TCP/IP settings (from Internet Protocol (TCP/IP)), as shown in Figure 2. After this set the IP address of the card to one which joins onto the subnet (Figure 3):
192.168.10.0
Which IP address and subnet mask have you chosen, and what are the other nodes in your group assigned as:
Why does the gateway not have to be set:


Figure 2: Wireless card settings

Figure 3: Wireless IP settings

12.1.7 Connect to your ad-hoc network


Next scan for the available networks, and connect to your SSID.
Was the connection successful?


Figure 4: Scanning for ad-hoc networks

Next ping your node and the others in your network, such as with:

C:\Documents and Settings\co72047.XP3>ping 192.168.10.2

Pinging 192.168.10.2 with 32 bytes of data:

Reply from 192.168.10.2: bytes=32 time=1467ms TTL=128
Reply from 192.168.10.2: bytes=32 time=1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128
Reply from 192.168.10.2: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.10.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1467ms, Average = 367ms

Was the ping successful to the nodes in your group:

12.1.8 Network characteristics

Next use IPCONFIG /ALL to determine the network settings of your wireless card, such as:

C:\>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : XP3
        Primary Dns Suffix  . . . . . . . : c06server
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Belkin 802.11g Wireless Card
        Physical Address. . . . . . . . . : 00-11-50-15-B5-A2
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.10.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

What is the MAC address of your card:

What is the host name of your computer:

What is the IP address of the card:

12.1.9 Sharing a folder


On each of the machines within your network, create a folder, and share it to
everyone in the network, such as shown in Figure 5, 6 and 7. Next, in Figure 8, access
the shared folders within your group with the form of \\remoteIP. Create a
document, and get someone to access it remotely.
Has the sharing been successful?

Figure 5: Creating a folder


Figure 6: Sharing a folder

Figure 7: Sharing a folder

Figure 8: Accessing a shared folder


12.1.10 Viewing network traffic

Run Ethereal, as shown in Figure 9, and unset "Capture packets in promiscuous mode" (many wireless drivers do not support promiscuous capture), then re-ping the network and view the result in Ethereal (Figure 10).
Did it capture the ping event:

Outline some of the information that is provided on the ping with Ethereal:

Figure 9: Ethereal

Figure 10: Ethereal


12.1.11 Running a performance test


On one machine run the netserver program, and, on another, run the netperf program, and measure the data throughput. In the following, the throughput is measured at 5.84 Mbps:

C:\>netserver
Starting netserver at port 12865

C:\test111>netperf -H 192.168.10.2
TCP STREAM TEST to 192.168.10.2
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

 8192   8192    8192    10.00       5.84

What is the throughput in your test:

12.1.12 Client/server operation


Once the connection is working, the next thing to test is the TCP/Application layer.
For this, run the Basic Server (Figure 11) on one machine, and the Basic Client
(Figure 12) on another, and create a connection. Once connected run Ethereal and see
if you can see the data transfer.
Did the devices connect:

Can you see the data packets in Ethereal and read the contents of the conversation:

Which TCP port does the server use to communicate:

Which TCP port does the client use to communicate:

To determine the open TCP ports, run the netstat -a command, such as:

C:\> netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    XP3:epmap              0.0.0.0:0              LISTENING
  TCP    XP3:microsoft-ds       0.0.0.0:0              LISTENING
  TCP    XP3:1026               0.0.0.0:0              LISTENING
  TCP    XP3:netbios-ssn        0.0.0.0:0              LISTENING
  TCP    XP3:1068               192.168.10.2:1001      ESTABLISHED

Note that with the firewall disabled the Windows RPC (epmap), SMB (microsoft-ds) and NetBIOS session (netbios-ssn) services are reachable by every node on the ad-hoc network; this is what the shared-folder exercise relies on, and also why the firewall should be re-enabled after the lab.

Which line in your run relates to the client-server connection:

Figure 11: Basic server

Figure 12: Basic client

12.1.13 Encryption (64-bit)

The next setting is to define 64-bit WEP encryption with a pass phrase of cisco (left-hand side of Figure 13). Note that 64-bit WEP is a 40-bit secret key plus a 24-bit IV sent in clear, and that WEP of either length is cryptographically broken, so it is used here only to measure its effect on throughput. Reconnect again (right-hand side of Figure 13), and verify that the network still works. Next run the performance test again, such as:

C:\>netperf -H 192.168.10.2
TCP STREAM TEST to 192.168.10.2
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

 8192   8192    8192    10.00       5.71

What is the throughput:

Figure 13: 64-bit WEP encryption

12.1.14 Encryption (128-bit)

The next setting is to define 128-bit WEP encryption (a 104-bit key plus the 24-bit IV) with a pass phrase of cisco (left-hand side of Figure 14). Reconnect again (right-hand side of Figure 14), verify that the network still works, and measure the performance, such as:

C:\>netperf -H 192.168.10.2
TCP STREAM TEST to 192.168.10.2
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

 8192   8192    8192    10.00       5.85

What is the throughput:

From the previous results, what effect does WEP encryption have on the throughput:


Figure 14: 128-bit WEP encryption
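The pass phrase cisco used in the two WEP sections above is not the WEP key itself: the client utility expands it into four 40-bit keys (for 64-bit WEP) and the card uses one of them. The Python below is an added example (not from the lab sheet and not Belkin's or Cisco's software) that reproduces the generator most 802.11b utilities used for 64-bit WEP pass phrases, usually attributed to Neesus Datacom, on the assumption that the lab's Belkin utility is one of them; whether it uses exactly this algorithm is an assumption, the weakness of the construction is not. The code then shows why the resulting keyspace is about 2^21 rather than 2^40: the top byte of the seed never reaches any key byte, the high bit of every ASCII character is zero, and different pass phrases collide on the same keys.

```python
# 64-bit WEP is a 40-bit secret key plus a 24-bit IV sent in clear. Many 802.11b
# client utilities expanded a pass phrase into the four 40-bit keys with the
# "Neesus Datacom" generator below (assumption: the lab's Belkin utility is one of
# them). This is an added illustration, not code from the page or from any vendor.
LCG_A, LCG_C = 0x343FD, 0x269EC3


def passphrase_seed(passphrase):
    """XOR each pass phrase byte into byte position (i mod 4) of a 32-bit seed."""
    seed = 0
    for i, ch in enumerate(passphrase.encode("ascii")):
        seed ^= ch << (8 * (i % 4))
    return seed


def keys_from_seed(seed):
    """Step the linear congruential generator 20 times; bits 16..23 of each
    step become one key byte, giving four 5-byte (40-bit) keys."""
    x, keys = seed, []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            x = (x * LCG_A + LCG_C) & 0xFFFFFFFF
            key.append((x >> 16) & 0xFF)
        keys.append(bytes(key))
    return keys


def wep40_keys(passphrase):
    """The four 40-bit WEP keys a client utility derives from a pass phrase."""
    return keys_from_seed(passphrase_seed(passphrase))


def effective_key_bits():
    """Number of seed bits that can actually influence the keys.
    Bits 16..23 of x_{n+1} depend only on bits 0..23 of x_n (carries only
    propagate upward), so seed bits 24..31 never reach a key byte. Of the
    remaining 24 bits, bits 7, 15 and 23 are the high bits of ASCII characters
    and are always zero. 2^21 candidate seeds is seconds of brute force."""
    return 24 - 3


def colliding_passphrase(passphrase):
    """A different pass phrase that yields exactly the same keys: eight copies of
    one character hit each of the four seed byte positions twice and cancel out."""
    return passphrase + "ZZZZZZZZ"


if __name__ == "__main__":
    for n, key in enumerate(wep40_keys("cisco"), 1):
        print(f"key {n}: {key.hex()}")
    print("effective key bits:", effective_key_bits())
    print("same keys for", repr(colliding_passphrase("cisco")),
          wep40_keys(colliding_passphrase("cisco")) == wep40_keys("cisco"))
```

Because the keys are fully determined by 21 bits of the seed, an attacker who has captured a handful of WEP-protected frames can simply enumerate every seed and test the resulting keys, which is far faster than attacking the 40-bit key directly; the throughput measurements above are the only thing WEP is good for in this lab.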

12.1.15 Differing connection speeds

Next we will determine if the connection speed has an effect on the throughput. For this set the transmission rate to 1 Mbps (see Figure 15), and run the performance test, such as:

C:\test111>netperf -H 192.168.10.2
TCP STREAM TEST to 192.168.10.2
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    10^6bits/sec

 8192   8192    8192    10.00       0.81

What is the throughput:

What can you conclude from this:

12.1.16 Client/server and Encryption


Run the client and server on different machines again, and connect. Run Ethereal,
and view the network traffic.
Is it now possible to view the text which is passed between the client and server:

12.1.17 Client/server and Encryption


As a final test, change the pass phrase on one of the computers.
Can this computer now communicate with the other nodes:
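The two encryption settings above are WEP: a 40-bit or 104-bit key prepended with a 24-bit per-frame IV (hence the "64-bit" and "128-bit" names) and fed to RC4. The following is an added example, not code from the lab manual, that implements that construction so that it can be seen why WEP hides the client/server text from Ethereal yet gives weak confidentiality: the IV space is small, and two frames sent under the same IV share a keystream, so one known plaintext reveals the other without the key. The key, IV and plaintexts are constructed samples; the lab's "cisco" pass phrase is not modelled, since vendors derive the key from the phrase in implementation-specific ways.

```python
# Added example, not taken from the lab manual: a minimal WEP encryptor built
# on RC4, used to show why the WEP settings above give weak confidentiality.
# The 40-bit key, IV and the two plaintexts are constructed samples.
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key)(plaintext || ICV).
    24-bit IV + 40-bit key is the "64-bit" setting; a 104-bit key gives "128-bit"."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 3 bytes, key 5 (40-bit) or 13 (104-bit) bytes")
    data = plaintext + _icv(plaintext)
    return iv + _xor(data, rc4_keystream(iv + key, len(data)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Reverse of wep_encrypt; raises if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    data = _xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if _icv(plaintext) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, known_a: bytes) -> bytes:
    """Two frames sent under the same IV share the RC4 keystream, so
    C_a xor C_b = P_a xor P_b.  If P_a is known (a predictable ARP or DHCP
    packet, say), P_b is recovered with no knowledge of the key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames must share an IV for keystream reuse")
    n = min(len(frame_a), len(frame_b)) - 3 - 4      # strip IV, ignore ICV tail
    return _xor(_xor(frame_a[3:3 + n], frame_b[3:3 + n]), known_a[:n])


# Constructed sample: one static 40-bit key, one IV reused for two frames.
SAMPLE_KEY = bytes.fromhex("0102030405")
SAMPLE_IV = b"\x00\x00\x01"
SAMPLE_P1 = b"GET / HTTP/1.0\r\n"          # predictable client request
SAMPLE_P2 = b"passwd=hunter2!!"            # the frame an attacker wants to read

if __name__ == "__main__":
    f1 = wep_encrypt(SAMPLE_IV, SAMPLE_KEY, SAMPLE_P1)
    f2 = wep_encrypt(SAMPLE_IV, SAMPLE_KEY, SAMPLE_P2)
    print(recover_with_known_plaintext(f1, f2, SAMPLE_P1))
```

With a 24-bit IV a busy access point repeats IVs within hours, and the CRC-32 ICV is linear, so a modified ciphertext can be given a matching ICV without the key; both are part of why the later labs move to TKIP and WPA.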

Figure 15: Transmission rate

Prof Bill Buchanan, Sept 2008


Lab 4: Infrastructure Network


You will be assigned a group. In this lab the setup is as follows:

Group  Device    SSID    BVI          Host range                 Radio channel
A      Aironet1  GroupA  192.168.2.1  192.168.2.10-192.168.2.12  2
B      Aironet2  GroupB  192.168.2.2  192.168.2.13-192.168.2.14  3
C      Aironet3  GroupC  192.168.2.3  192.168.2.15-192.168.2.17  4
D      Aironet4  GroupD  192.168.2.4  192.168.2.18-192.168.2.19  5
E      Aironet5  GroupE  192.168.2.5  192.168.2.20-192.168.2.22  7
F      Aironet6  GroupF  192.168.2.6  192.168.2.23-192.168.2.24  8
G      Aironet7  GroupG  192.168.2.7  192.168.2.25-192.168.2.27  9

The setup for the Windows server is 192.168.2.8 and the Linux server is 192.168.2.9. A
diagram of the system is shown in Figure 1.

Figure 1: Lab setup. Aironet1 (192.168.2.1, SSID GroupA) to Aironet7 (192.168.2.7, SSID GroupG) each have an Ethernet connection to the switch C6SW2 (192.168.1.100) and a console connection to the console server C6CS1; the Windows server (192.168.2.8) and the Linux server (192.168.2.9) are on the same switch, and the wireless clients (192.168.2.10, 192.168.2.11, and so on) associate with their own group's SSID.
An example setup for GroupA is (the BVI address is the one given for Aironet1 in the table above):

hostname GroupA
dot11 ssid GroupA
 authentication open
 guest-mode
int bvi1
 ip address 192.168.2.1 255.255.255.0
interface d0
 channel 2
 station-role root
 ssid GroupA
 no shutdown
interface fa0
 no shutdown

1. Configure your Aironet for the required settings for your group.
Outline the main configuration settings:

2. Set the IP address of your wireless cards. All the hosts on your network will
connect to the same subnet (192.168.2.x), as illustrated in Figure 1.
What is your IP address, and what are the others in the group:

3. Scan for your SSID, and connect to it.


Can you ping your own machine:

Can you ping the access point:

NOTE: Sometimes the card must be disabled and then enabled for it to fully reconnect.
An example of a ping (taken on a 192.168.1.0/24 network; substitute your group's addresses) is:

C:\Documents and Settings\co72047.XP2>ping 192.168.1.100
Pinging 192.168.1.100 with 32 bytes of data:
Reply from 192.168.1.100: bytes=32 time<1ms TTL=128
Reply from 192.168.1.100: bytes=32 time<1ms TTL=128

C:\Documents and Settings\co72047.XP2>ping 192.168.1.240
Pinging 192.168.1.240 with 32 bytes of data:
Reply from 192.168.1.240: bytes=32 time=1ms TTL=255
Reply from 192.168.1.240: bytes=32 time=1ms TTL=255

The TTL gives a quick check of what answered: a Windows host replies with TTL 128, while an IOS device such as the access point replies with TTL 255.

Figure 1: Wireless card settings

Figure 2: SSID scan

4. Next access the Web page of the access point with http://192.168.2.x:
Was the connection successful?

Figure 3: Aironet device home page

5. Ping all the devices in your network. Next, as with Lab 3, share a folder on
your machine with the rest of your network:
Was the sharing successful:

6. As with Lab 3, run netperf and netserver, and determine the throughput of
the connection between two hosts:
Network throughput:

7. As with Lab 3, run the client and server, and make a connection between two
hosts:
Network throughput:

8. Once all the group have setup their wireless networks, ping all the nodes in
the network:
Can you ping all the hosts?

Can you ping the Windows server (192.168.2.8)?

9. Using mstsc, make a remote desktop connection to the Windows server.
Can you remote desktop to the Windows server?

Lab 5: Remote Connections


You will be assigned a group. In this lab the setup is as follows:

Group  Device    SSID    BVI         Host range               Radio channel
A      Aironet1  GroupA  172.16.1.1  172.16.1.10-172.16.1.12  2
B      Aironet2  GroupB  172.16.1.2  172.16.1.13-172.16.1.14  3
C      Aironet3  GroupC  172.16.1.3  172.16.1.15-172.16.1.17  4
D      Aironet4  GroupD  172.16.1.4  172.16.1.18-172.16.1.19  5
E      Aironet5  GroupE  172.16.1.5  172.16.1.20-172.16.1.22  7
F      Aironet6  GroupF  172.16.1.6  172.16.1.23-172.16.1.24  8
G      Aironet7  GroupG  172.16.1.7  172.16.1.25-172.16.1.27  9

The setup for the Windows server is 172.16.1.8 and the Linux server is 172.16.1.9. An
example setup for GroupA is:
hostname GroupA
dot11 ssid GroupA
authentication open
guest-mode
int bvi1
ip address 172.16.1.1 255.255.255.0
interface d0
channel 2
station-role root
ssid GroupA
no shutdown
interface fa0
no shutdown

1. Setup your wireless network, and ping all the nodes in your network.
Can all the nodes connect to the wireless network, and can they ping each other:

Use the command show dot11 assoc on the access point. What is the output:

2. Telnet is one of the most widely used protocols for remote access of devices,
and uses TCP port 23 by default. Enable up to 16 TELNET sessions (lines vty 0 to 15) on the access
point with the configuration:

# config t
(config)# line vty 0 15
(config-line)# transport input telnet

3. Using the TELNET program in Windows, test if the wireless nodes can access
the wireless access point:
Can all the nodes TELNET into the access point:

4. Next, using the PuTTY client, TELNET into the wireless access point (as
illustrated in Figure 11).
Can all the nodes TELNET into the access point:

5. Next, run Ethereal, and capture the wireless traffic, and re-TELNET into the
access point. Verify that you can read the username and the password from
the network traffic (Figure 12).
Can you view the username and password:

6. Next, create a number of usernames and passwords using a form such as:

(config)# username fred password bert
(config)# username freddy password berty

Note that username ... password stores the password in the running configuration in the clear (show running-config reveals it); outside a lab, username ... secret, which stores a hash, is preferred.
Using a username and password for each person in the group, login using
their username and password. At the same time, using Ethereal, verify that
the username and password can be determined:
Can the username and password be determined for each session:

An example login is shown next:


User Access Verification
Username: fred
Password: bert
ap>
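What Ethereal shows in step 5 and step 6 can be reproduced from the captured bytes alone. The following is an added example, not code from the lab manual, that reassembles a Telnet login from the packet payloads in capture order, strips the IAC option negotiation that clutters the start of every session, applies backspaces, and returns the username and password typed at the two prompts. The session bytes are a constructed sample (with the access point echoing the username character by character and not echoing the password), not a capture from the lab.

```python
# Added example, not taken from the lab manual: reassemble a captured Telnet
# login and pull out the username and password that Ethereal shows in the
# clear.  SAMPLE_SESSION is a constructed list of (direction, payload) pairs
# in capture order ('S' = access point to client, 'C' = client to access
# point); it is not real traffic from the lab.
from typing import Dict, Iterable, Optional, Tuple

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC option-negotiation sequences and keep user data.
    IAC IAC is an escaped literal 0xFF."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):          # dangling IAC at packet end
            break
        elif data[i + 1] == IAC:
            out.append(IAC)
            i += 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                         # IAC <cmd> <option>
        elif data[i + 1] == SB:            # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                         # any other two-byte command
    return bytes(out)


def extract_credentials(session: Iterable[Tuple[str, bytes]]) -> Dict[str, str]:
    """Walk the capture in order.  A server prompt selects which field the
    following client keystrokes belong to; CR or LF ends the field.
    Backspace/DEL are applied so the result is what the user actually sent."""
    creds: Dict[str, str] = {}
    field: Optional[str] = None
    buf = bytearray()
    for direction, payload in session:
        text = strip_telnet_negotiation(payload)
        if direction == "S":
            if b"Username:" in text:
                field, buf = "username", bytearray()
            elif b"Password:" in text:
                field, buf = "password", bytearray()
            continue
        for ch in text:
            if field is None:
                break                      # keystrokes outside a prompt are ignored
            if ch in (0x0D, 0x0A):         # CR / LF terminate the line
                if buf:
                    creds[field] = buf.decode("ascii", "replace")
                    field = None
            elif ch in (0x08, 0x7F):       # backspace / DEL
                if buf:
                    buf.pop()
            elif ch != 0x00:               # CR NUL padding is dropped
                buf.append(ch)
    return creds


# Constructed capture of the login shown above: option negotiation, the
# server echoing the username character by character, no echo of the password.
SAMPLE_SESSION = [
    ("S", bytes([IAC, WILL, 1, IAC, WILL, 3]) + b"\r\nUser Access Verification\r\n\r\nUsername: "),
    ("C", bytes([IAC, DO, 1, IAC, DO, 3]) + b"f"),
    ("S", b"f"),
    ("C", b"r"),
    ("S", b"r"),
    ("C", b"ed\r\x00"),
    ("S", b"ed\r\nPassword: "),
    ("C", b"bert\r\x00"),
    ("S", b"\r\nap>"),
]

if __name__ == "__main__":
    print(extract_credentials(SAMPLE_SESSION))
```

Only the client-to-server direction is read for the credentials; the server side is consulted just to know which prompt is active, which is why the password, never echoed by the access point, is still recovered.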


Figure 11: PuTTY connection for TELNET

Figure 12: Ethereal showing the plaintext password

7. Telnet is seen as insecure and, if security is an issue, it should be
disabled as a service and replaced with SSH, which uses encryption. To
enable only SSH on the access point implement the following (the key pair
generated by crypto key generate rsa is named hostname.domain-name, here
ap.fred.com, which is why the domain name must be set first):

# config t
(config)# ip domain-name fred.com
(config)# crypto key generate rsa
(config)# exit
# show ip ssh
# config t
(config)# ip ssh rsa keypair-name ap.fred.com
(config)# line vty 0 15
(config-line)# transport input ssh

Do the connections work:

What TCP port is used, by default:

Is TELNET access possible:

8. Next connect to the access point using SSH (with the PuTTY client), as shown
in Figure 13.

Figure 13: PuTTY connection for SSH

9. Next, using the show line vty 0 command, verify that SSH is the only allowed input transport, such as:

# show line vty 0
*    1 VTY                                      335             0/0

Line 1, Location: "", Type: "xterm"
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: Ready, Active, No Exit Banner, Notify Process
Capabilities: none
Modem state: Ready
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none                none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               00:10:00     00:01:00       none          not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: 00:02:11
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are ssh.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters

10. Run Ethereal, and verify that the username and password cannot be viewed.
Is it possible to view the username and password:

11. If necessary, both TELNET and SSH access can be allowed with:

# config t
(config)# line vty 0 15
(config-line)# transport input any

Is it possible to TELNET and also SSH from each of the nodes:

12. An open session can be a security risk, especially if it is left unattended, as
another user could hijack the session. Thus a good security tip is to limit the
length of time that a session is allowed to stay inactive. In the following the
session time-out is set to one minute:

# config t
(config)# line vty 0 15
(config-line)# transport input ssh
(config-line)# session-timeout 1

session-timeout closes the connection when no traffic passes on the line; the related
exec-timeout command limits how long an idle EXEC prompt stays open, and the two are
normally set together. After one minute of inactivity the session should be closed, such as:

User Access Verification

Username:
% Username:  timeout expired!

Connection to host lost.

Create a number of SSH sessions, and verify that after one minute of inactivity the sessions
time out. Is this verified:

13. Many firewalls block access to lower ports, such as TELNET and FTP, and
thus for TELNET/SSH access the port of the server on the access point must
be changed. In the following the port is changed to 2000:

(config)# ip ssh port 2000 rotary 0

The rotary group named here must also be assigned to the vty lines (rotary 0 under
line vty 0 15), otherwise the new port is not answered.
Connect to the SSH service using port 2000 (such as shown in Figure 14). Does it connect:

Achieve the same for TELNET access using the 2001 port. Does it connect using the new port?
What configuration is used:

Figure 14: PuTTY connection for SSH


14. Often the administrator wants to limit the number of TELNET sessions. In the
following case there is a limit of three TELNET/SSH sessions (0, 1 and 2):

(config)# line vty 0 2
(config-line)# transport input any
(config)# line vty 3 15
(config-line)# transport input none

Connect to the access point with more than three sessions, and verify that it does not allow any
more than three. Is it working:

Lab 6: Encryption/Authentication
You will be assigned a group. In this lab the setup is as follows:

Group  Device    SSID    BVI       Host range           Radio channel
A      Aironet1  GroupA  10.0.0.1  10.0.0.10-10.0.0.12  2
B      Aironet2  GroupB  10.0.0.2  10.0.0.13-10.0.0.14  3
C      Aironet3  GroupC  10.0.0.3  10.0.0.15-10.0.0.17  4
D      Aironet4  GroupD  10.0.0.4  10.0.0.18-10.0.0.19  5
E      Aironet5  GroupE  10.0.0.5  10.0.0.20-10.0.0.22  7
F      Aironet6  GroupF  10.0.0.6  10.0.0.23-10.0.0.24  8
G      Aironet7  GroupG  10.0.0.7  10.0.0.25-10.0.0.27  9

An example setup for GroupA is:


hostname GroupA
dot11 ssid GroupA
authentication open
guest-mode
int bvi1
ip address 10.0.0.1 255.255.255.0
interface d0
channel 2
station-role root
ssid GroupA
no shutdown
interface fa0
no shutdown

1. Setup your wireless network, and ping all the nodes in your network.
Can all the nodes connect to the wireless network, and can ping each other:

Use the command show dot11 assoc on the access point. What is the output:

2. Setup your access point and nodes (Figure 15) so that they use WEP
encryption. An example of the encryption settings for the access point for
GroupA could be:

hostname ap
int bvi1
 ip address 10.0.0.1 255.255.255.0
 exit
dot11 ssid GroupA
 authentication open
 guest-mode
interface d0
 channel 2
 station-role root
 encryption key 1 size 40bit aaaaaaaaaa transmit-key
 encryption mode ciphers tkip wep40
 ssid GroupA
Can all the nodes connect to the wireless network, and can ping each other:

Use the command show dot11 assoc on the access point. What is the output:

Figure 15: WEP settings

3. Next setup LEAP authentication, with the following (for Group A; the access
point acts as its own local RADIUS server at 10.0.0.1):

hostname ap
aaa new-model
aaa group server radius rad_eap
 server 10.0.0.1 auth-port 1812 acct-port 1813
 exit
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa session-id common
int bvi1
 ip address 10.0.0.1 255.255.255.0
 exit
radius-server local
 nas 10.0.0.1 key sharedkey
 user aaauser password aaauser
 exit
radius-server host 10.0.0.1 auth 1812 acct 1813 key sharedkey
dot11 ssid GroupA
 authentication open
 authentication network-eap eap_methods
 guest-mode
interface d0
 channel 2
 station-role root
 encryption key 1 size 40bit aaaaaaaaaa transmit-key
 encryption mode ciphers tkip wep40
 ssid GroupA

Note that LEAP is a password-based, Cisco-proprietary method whose MS-CHAP
challenge/response can be recovered from a captured exchange and attacked offline with
a dictionary (the asleap tool), so it is used here for the lab only; Cisco's own
replacement is EAP-FAST.

4. Next setup the clients to support LEAP authentication, as shown in Figure 16.
Once the client has associated, determine the associated devices with:

# show dot11 assoc

802.11 Client Stations on Dot11Radio0:

SSID [APskills] :

MAC Address     IP address   Device       Name   Parent   State
0090.4b54.d83a  10.0.0.1     4500-radio   -      self     EAP-Assoc

Others:  (not related to any ssid)

Figure 16: LEAP setup

Which devices have associated:

Did you see a message on the access point which had the following format:

*Mar 1 00:00:51.750: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0090.4b54.d83a Associated KEY_MGMT[WPA]

5. Next setup WPA with TKIP encryption, and LEAP authentication with (for
Group A; the rad_eap group again points at the local RADIUS server at 10.0.0.1):

hostname ap
aaa new-model
aaa group server radius rad_eap
 server 10.0.0.1 auth-port 1812 acct-port 1813
 exit
aaa group server radius rad_mac
 exit
aaa group server radius rad_acct
 exit
aaa group server radius rad_admin
 exit
aaa group server radius dummy
 server 10.0.0.1 auth-port 1812 acct-port 1813
 exit
aaa group server radius rad_pmip
 exit
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
int bvi1
 ip address 10.0.0.1 255.255.255.0
 exit
radius-server local
 nas 10.0.0.1 key sharedkey
 user aaauser password aaauser
 exit
radius-server host 10.0.0.1 auth 1812 acct 1813 key sharedkey
dot11 ssid GroupA
 authentication open
 auth key-management wpa
 authentication network-eap eap_methods
 guest-mode
interface d0
 channel 2
 station-role root
 encryption mode ciphers tkip
 ssid GroupA

Which devices have associated:

Did you see a message on the access point which had the following format:

*Mar 1 00:00:51.750: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0090.4b54.d83a Associated KEY_MGMT[WPA]

Figure 17: LEAP setup

6. If the client supports CCKM, then the following can be setup (for Group A):

hostname ap
aaa new-model
aaa group server radius rad_eap
 server 10.0.0.1 auth-port 1812 acct-port 1813
 exit
aaa authentication login eap_methods group rad_eap
int bvi1
 ip address 10.0.0.1 255.255.255.0
 exit
radius-server local
 nas 10.0.0.1 key sharedkey
 user aaauser password aaauser
 exit
radius-server host 10.0.0.1 auth 1812 acct 1813 key sharedkey
dot11 ssid GroupA
 authentication open
 auth key-management cckm
 authentication network-eap eap_methods
 guest-mode
interface d0
 channel 2
 station-role root
 encryption mode ciphers tkip
 ssid GroupA

Lab 7: Filtering/Blocking
You will be assigned a group. In this lab the setup is as follows:

Group  Device    SSID    BVI          Host range                 Radio channel
A      Aironet1  GroupA  192.168.2.1  192.168.2.10-192.168.2.12  2
B      Aironet2  GroupB  192.168.2.2  192.168.2.13-192.168.2.14  3
C      Aironet3  GroupC  192.168.2.3  192.168.2.15-192.168.2.17  4
D      Aironet4  GroupD  192.168.2.4  192.168.2.18-192.168.2.19  5
E      Aironet5  GroupE  192.168.2.5  192.168.2.20-192.168.2.22  7
F      Aironet6  GroupF  192.168.2.6  192.168.2.23-192.168.2.24  8
G      Aironet7  GroupG  192.168.2.7  192.168.2.25-192.168.2.27  9

The setup for the Windows server is 192.168.2.8 and the Linux server is 192.168.2.9. A
diagram of the system is shown in Figure 1.
The wireless access point can be used to filter MAC addresses for a source and
destination with an extended MAC access list (numbered 1100 to 1199). Its format is:

access-list <1100-1199> {deny | permit} [source mac] [source mask] [dest mac] [dest mask]

The mask is a wildcard mask: a 0 bit must match and a 1 bit is ignored, so 0.0.0
(IOS shorthand for 0000.0000.0000) matches exactly one address and ffff.ffff.ffff
matches any address. For example, to disallow the node with the MAC address of
0090.4b54.d83a access to 0060.b39f.cae1:

access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0
access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff

and it is applied with the following:


int d0
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 output-pattern 1101
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled

ap#show arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  192.168.1.110            1  000d.65a9.cb1b  ARPA  BVI1
Internet  192.168.1.101            2  0060.b39f.cae1  ARPA  BVI1
Internet  192.168.1.103            1  0009.7c85.87f1  ARPA  BVI1
Internet  192.168.1.115               0090.4b54.d83a  ARPA  BVI1
ap#

Determine all the MAC addresses on your network:

Block the access of one computer to another. What is the access-list used:

Is the access blocked, and can the other nodes still access each other:

1. Next remove the access list with:

no access-list 1101

and now add a new one which blocks access from one computer to two of the
hosts on the network.
Is the block successful:

2. The access point supports IP access-lists. For example, the following blocks a
host at 192.168.1.111 access to 192.168.1.110:

ip access-list extended Test
 deny ip host 192.168.1.111 host 192.168.1.110
 permit ip any any
dot11 ssid GroupA
 authentication open
 guest-mode
interface d0
 channel 11
 ip access-group Test in
 station-role root
 ssid GroupA

3. Create a wireless network which blocks one of the nodes on the network, and
allows the other one.
What is the access-list:

Do the blocks work, and can the other nodes still communicate:

4. Along with IP filtering it is possible to filter on the TCP port. For example the
following blocks any source host to any destination on port 80:

ip access-list extended Test
 deny tcp any any eq 80
 permit ip any any
dot11 ssid GroupA
 authentication open
 guest-mode
 end
interface d0
 channel 11
 ip access-group Test in
 station-role root
 ssid GroupA

5. Test the above script and make sure that none of the nodes can access the web
server on the access point:
Is web access blocked:

6. Modify the access-list so that only one node is blocked access to the web
server on the access point:
Is web access blocked:

7. Using the client and the server program, write an access-list which will
block communications between two of the nodes on the network for client-server
communications on port 1001:
Is the access blocked:

8. It is possible to block ICMP in the filtering, such as blocking a ping from
192.168.1.111 to 192.168.1.110:

ip access-list extended Test
 deny icmp 192.168.1.111 0.0.0.0 192.168.1.110 0.0.0.0
 permit ip any any

Block a ping from one of the nodes on the network to the access point. Can you ping the access
point from it?

Can you ping from other nodes in the network?

9. Block a ping from one of the nodes on your network to another node.

Is it possible to ping the access point from one of the nodes:

Is it possible to ping from one of the nodes to the other:

Can you ping the Windows server?
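The MAC and IP access lists used throughout this lab share one matching rule (Cisco wildcard masks, first match wins, implicit deny at the end) and that rule is easy to get backwards when typing a list into a live access point. The following is an added example, not code from the lab manual, that evaluates both kinds of list: the extended MAC list 1101 from the start of the lab and the named IP list with the port 80 and ICMP entries from steps 4 and 8. The lists are the ones in the text; the frames and packets run through them are constructed, not captured.

```python
# Added example, not taken from the lab manual: an evaluator for the two
# kinds of access list used in this lab (MAC extended lists 1100-1199 and
# named IP extended lists) so the wildcard-mask semantics can be checked
# before a list is typed into a live access point.  First match wins and an
# unmatched frame or packet hits the implicit deny at the end of every Cisco
# ACL.  The list bodies are the ones from the text; the traffic is
# constructed, not captured.
import ipaddress
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Cisco H.H.H form, e.g. 0090.4b54.d83a; IOS also accepts 0.0.0 for all-zero."""
    return int("".join(part.zfill(4) for part in mac.split(".")), 16)


def wildcard_match(value: int, pattern: int, wildcard: int) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is don't-care."""
    return (value ^ pattern) & ~wildcard == 0


MacRule = Tuple[bool, int, int, int, int]


def parse_mac_acl(lines: List[str]) -> List[MacRule]:
    """access-list <1100-1199> {deny|permit} <src> <src-wild> <dst> <dst-wild>"""
    rules = []
    for line in lines:
        f = line.split()
        if len(f) < 7 or f[0] != "access-list":
            continue
        rules.append((f[2] == "permit", mac_to_int(f[3]), mac_to_int(f[4]),
                      mac_to_int(f[5]), mac_to_int(f[6])))
    return rules


def mac_acl_permits(rules: List[MacRule], src: str, dst: str) -> bool:
    s, d = mac_to_int(src), mac_to_int(dst)
    for permit, sp, sw, dp, dw in rules:
        if wildcard_match(s, sp, sw) and wildcard_match(d, dp, dw):
            return permit
    return False                            # implicit deny


IpRule = Tuple[bool, str, int, int, int, int, Optional[int]]


def _parse_ip_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """'any' | 'host A' | 'A W' starting at t[i]; returns (address, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2


def parse_ip_acl(lines: List[str]) -> List[IpRule]:
    """Body lines of 'ip access-list extended': {deny|permit} <proto> <src> <dst> [eq <dport>]
    (only a destination-port 'eq' is modelled, which is what the lab uses)."""
    rules = []
    for line in lines:
        t = line.split()
        if not t or t[0] not in ("deny", "permit"):
            continue
        src, sw, i = _parse_ip_addr(t, 2)
        dst, dw, i = _parse_ip_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((t[0] == "permit", t[1], src, sw, dst, dw, port))
    return rules


def ip_acl_permits(rules: List[IpRule], proto: str, src: str, dst: str,
                   dport: Optional[int] = None) -> bool:
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for permit, rproto, sp, sw, dp, dw, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (wildcard_match(s, sp, sw) and wildcard_match(d, dp, dw)):
            continue
        if rport is not None and rport != dport:
            continue
        return permit
    return False                            # implicit deny


# The lists from the text.
MAC_ACL = [
    "access-list 1101 deny 0090.4b54.d83a 0.0.0 0060.b39f.cae1 0.0.0",
    "access-list 1101 permit 0.0.0 ffff.ffff.ffff 0.0.0 ffff.ffff.ffff",
]
IP_ACL = [
    "deny tcp any any eq 80",
    "deny icmp 192.168.1.111 0.0.0.0 192.168.1.110 0.0.0.0",
    "permit ip any any",
]
```

Both lists match one direction only (the source-to-destination pair written in the entry), so the evaluator permits the reverse frame; a two-way exchange such as a ping or a TCP connection still fails once one direction is dropped, which is what the "can the other nodes still access each other" questions above are probing.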



Lab 8: VLAN
The access point can assign VLANs, where the nodes in the same VLAN can connect
to each other, but cannot communicate directly with nodes on another VLAN. This
allows nodes to connect to each other, even though they connect to a different access
device. In a wireless system the nodes can communicate with a VLAN over different
SSID. The mechanism used is IEEE 802.1Q tagging. The setup for the lab is defined in
Figure 1.
Thus, now setup the following:
SSID Group 1: MyVLAN1a, MyVLAN2a
SSID Group 2: MyVLAN1b, MyVLAN2b
SSID Group 3: MyVLAN1c, MyVLAN2c
PC1-PC5: 192.168.0.1-5
Access point: 192.168.0.100

Figure 18: Wireless configuration (access point at 192.168.0.110; VLAN1 carries SSID MyVLAN1 with hosts 192.168.0.1-3, VLAN2 carries SSID MyVLAN2 with hosts 192.168.0.4,5)

Nodes PC1, PC2 and PC3 should associate with MyVLAN1, and PC4 and PC5
should connect to MyVLAN2. Assign the MyVLAN1 SSID to VLAN 1 and
MyVLAN2 SSID to VLAN 2.
Can nodes PC1, PC2 and PC3 ping each other:

Can nodes PC4 and PC5 ping each other:


Show that PC4 and PC5 cannot communicate with PC1, PC2, and PC3.

What are the associations:

An example of the configuration for Group 1 is (each ssid command on the radio
interface enters SSID configuration mode for that SSID):

(config)# interface BVI1
(config-if)# ip address 192.168.0.110 255.255.255.0
(config)# interface Dot11Radio0
(config-if)# encryption key 1 size 40bit aaaaaaaaaa transmit-key
(config-if)# encryption mode ciphers tkip wep40
(config-if)# ssid MyVLAN1a
(config-ssid)# authentication open
(config-ssid)# guest-mode
(config-ssid)# vlan 1
(config-ssid)# ssid MyVLAN2a
(config-ssid)# authentication open
(config-ssid)# vlan 2

1. Now configure the sub-interfaces for the radio port and define IEEE 802.1Q
tagging, and assign them to a bridge group:
(config)# interface Dot11Radio0.1
(config-if)# encapsulation dot1Q 1 native
(config-if)# bridge-group 1
(config-if)# interface Dot11Radio0.2
(config-if)# encapsulation dot1Q 2
(config-if)# bridge-group 2
Can nodes PC1, PC2 and PC3 ping each other:

Can nodes PC4 and PC5 ping each other:

Show that PC4 and PC5 cannot communicate with PC1, PC2, and PC3.

What are the associations:

Using show vlan, show that the output is in the form:

Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:   Dot11Radio0.1
                            Virtual-Dot11Radio0.1

 This is configured as native Vlan for the following interface(s) :
Dot11Radio0
Virtual-Dot11Radio0

   Protocols Configured:   Address:              Received:        Transmitted:
        Bridging        Bridge Group 1                17                9
        Bridging        Bridge Group 1                17                9

Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:   Dot11Radio0.2
                            Virtual-Dot11Radio0.2

   Protocols Configured:   Address:              Received:        Transmitted:
        Bridging        Bridge Group 2                 1                0
        Bridging        Bridge Group 2                 1                0

2. Now we will group the VLANs together, if required, with a bridge group. Thus:
(config-if)# interface Dot11Radio0.2
(config-if)# no bridge-group 2
(config-if)# bridge-group 1
Can nodes PC1, PC2 and PC3 ping each other:

Can nodes PC4 and PC5 ping each other:

Show that PC4 and PC5 can now communicate with PC1, PC2, and PC3.

What are the associations:


Lab 9: VLANs and 802.1Q


The access point can assign VLANs, where the nodes in the same VLAN can connect
to each other, but cannot communicate directly with nodes on another VLAN. This
allows nodes to connect to each other, even though they connect to a different access
device. In a wireless system the nodes can thus communicate with a VLAN over a
different SSID. The mechanism used is IEEE 802.1Q tagging.
The setup for the lab is defined in Figure 1, and the details are:

Group  Device    SSID               BVI       Host range           Radio channel
A      Aironet1  Scotland (VLAN 1)  10.0.0.4  10.0.0.10-10.0.0.12  2
                 England (VLAN 2)             10.0.1.1-10.0.1.2
B      Aironet2  Ireland (VLAN 1)   10.0.0.2  10.0.0.13-10.0.0.15  3
                 Wales (VLAN 2)               10.0.1.3-10.0.1.4
C      Aironet3  France (VLAN 1)    10.0.0.3  10.0.0.16-10.0.0.18  4
                 Germany (VLAN 2)             10.0.1.5-10.0.1.6
D      Aironet4  USA (VLAN 1)       10.0.0.4  10.0.0.19-10.0.0.21  5
                 Japan (VLAN 2)               10.0.1.7-10.0.1.8

1. Setup the connections, so that the first three nodes (PC1, PC2 and PC3) should
associate with the first SSID (such as Scotland), and PC4 and PC5 should connect
to the second SSID (such as England).
An outline of the configuration for Group A is (BVI address and channel as in the table above):

(config)# dot11 ssid Scotland
(config-ssid)# authentication open
(config-ssid)# vlan 1
(config-ssid)# guest-mode
(config-ssid)# exit
(config)# dot11 ssid England
(config-ssid)# authentication open
(config-ssid)# vlan 2
(config-ssid)# exit
(config)# interface BVI1
(config-if)# ip address 10.0.0.4 255.255.255.0
(config)# interface Dot11Radio0
(config-if)# channel 2
(config-if)# ssid Scotland
(config-if)# ssid England
(config-if)# no shutdown
(config-if)# int fa0
(config-if)# no shutdown


Figure 1: Outline of lab

The diagram shows Aironet 1 (10.0.0.1/24, console 192.168.1.100 port 2001) with SSIDs Scotland (VLAN 1) and England (VLAN 2), Aironet 2 (10.0.0.2/24, port 2002) with Ireland (VLAN 1) and Wales (VLAN 2), and Aironet 3 (10.0.0.3/24, port 2003) with France (VLAN 1) and Germany (VLAN 2). Bench A has hosts 10.0.0.10-10.0.0.12 on VLAN 1 and 10.0.0.13-10.0.0.14 on VLAN 2; Bench B has 10.0.0.15-10.0.0.17 on VLAN 1 and 10.0.0.18-10.0.0.19 on VLAN 2; Bench C has 10.0.0.20-10.0.0.22 on VLAN 1 and 10.0.0.23-10.0.0.24 on VLAN 2.

2. Now configure the sub-interfaces for the radio port and define IEEE 802.1Q
tagging, and assign them to a bridge group:

(config)# interface Dot11Radio0.1
(config-subif)# ?
Interface configuration commands:
  arp             Set arp type (arpa, probe, snap) or timeout
  bandwidth       Set bandwidth informational parameter
  bridge-group    Transparent bridging interface parameters
  cdp             CDP interface subcommands
  default         Set a command to its defaults
  delay           Specify interface throughput delay
  description     Interface specific description
  encapsulation   Set encapsulation type for an interface
  exit            Exit from interface configuration mode
  ip              Interface Internet Protocol config commands
  keepalive       Enable keepalive
  logging         Configure logging for interface
  mtu             Set the interface Maximum Transmission Unit (MTU)
  no              Negate a command or set its defaults
  service-policy  Configure QoS Service Policy
  shutdown        Shutdown the selected interface
  timeout         Define timeout values for this interface
(config-subif)# encapsulation ?
  dot1Q  IEEE 802.1Q Virtual LAN
(config-subif)# encapsulation dot1q ?
  <1-4094>  IEEE 802.1Q VLAN ID
(config-subif)# encapsulation dot1q 1 ?
  native        Make this as native vlan
  second-dot1q  Configure this subinterface as a 1Q-in-1Q subinterface
  <cr>
(config-subif)# encapsulation dot1q 1 native
(config-subif)# bridge-group 1
(config-subif)# interface Dot11Radio0.2
(config-subif)# encapsulation dot1q 2
(config-subif)# bridge-group 2
Can nodes PC1, PC2 and PC3 ping each other:
Can nodes PC4 and PC5 ping each other:
Show that PC4 and PC5 cannot communicate with PC1, PC2, and PC3.
What are the associations:

Using show vlan, show that the output is in the form:

Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:   Dot11Radio0.1
                            Virtual-Dot11Radio0.1

 This is configured as native Vlan for the following interface(s) :
Dot11Radio0
Virtual-Dot11Radio0

   Protocols Configured:   Address:              Received:        Transmitted:
        Bridging        Bridge Group 1                17                9
        Bridging        Bridge Group 1                17                9

Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:   Dot11Radio0.2
                            Virtual-Dot11Radio0.2

   Protocols Configured:   Address:              Received:        Transmitted:
        Bridging        Bridge Group 2                 1                0
        Bridging        Bridge Group 2                 1                0

3. Now we will group the VLANs together, if required, with a bridge group. Thus:
(config-if)# interface Dot11Radio0.2
(config-if)# no bridge-group 2
(config-if)# bridge-group 1
Can nodes PC1, PC2 and PC3 ping each other:
Can nodes PC4 and PC5 ping each other:
Show that PC4 and PC5 can now communicate with PC1, PC2, and PC3.
What are the associations:

4. The switch which connects the Aironets can be accessed from 192.168.1.100 Port 2008.
Log into the device, and view the configuration. If 802.1Q trunking is not
enabled on the port facing your Aironet, you may need to add (together with
switchport mode trunk on the same port):

(config)# interface fa0/1
(config-if)# switchport trunk encapsulation dot1q

Now make sure that there is no bridge between the VLANs, and now conduct the
following:
Within VLAN 1 which nodes in the whole network can you ping:
Within VLAN 2 which nodes in the whole network can you ping:

Note: Frames in the native VLAN are not modified when they are sent over the trunk;
they are standard Ethernet frames with no 802.1Q tag, and the native VLAN is often
also used as the management VLAN. Because any untagged frame arriving on a trunk is
placed in the native VLAN, the native VLAN should not also be one that carries user
traffic (here VLAN 1 is both, which is acceptable in the lab only).
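The tagging mechanism the last three labs rely on is small enough to write out. The following is an added example, not code from the lab manual, that builds and parses 802.1Q frames and applies the trunk rules configured here (native VLAN 1 sent untagged, VLAN 2 tagged, anything else dropped). It goes one step beyond the lab configuration to show why the note above matters: a frame carrying an outer tag equal to the native VLAN and an inner tag for another VLAN (the "1Q-in-1Q" case that appears in the encapsulation ? help output) has its outer tag removed by the first switch and arrives on the next trunk tagged for the inner VLAN. The frames are constructed samples; the source MAC is the one quoted earlier in the labs.

```python
# Added example, not taken from the lab manual: build and parse IEEE 802.1Q
# tagged Ethernet frames and apply the trunk rules used in this lab (native
# VLAN 1 sent untagged, VLAN 2 tagged, other VLANs dropped).  All frames are
# constructed samples.
import struct
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100


def add_8021q_tag(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert TPID (0x8100) + TCI (3-bit PCP, 1-bit DEI, 12-bit VID) after the
    12-byte destination/source MAC header."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_outer_tag(frame: bytes) -> bytes:
    """Remove the outermost tag (a switch does this on egress when that tag is the native VLAN)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Returns (dst, src, vlan_id or None if untagged, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def egress_on_trunk(frame: bytes, vlan_id: int, native_vlan: int,
                    allowed: Set[int]) -> Optional[bytes]:
    """What 'switchport trunk native vlan 1' + 'switchport trunk allowed vlan 1,2'
    do on egress: drop disallowed VLANs, send the native VLAN untagged, tag the rest."""
    if vlan_id not in allowed:
        return None
    if vlan_id == native_vlan:
        return frame
    return add_8021q_tag(frame, vlan_id)


def ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """On ingress an untagged frame is assigned to the native VLAN."""
    vid = parse_frame(frame)[2]
    return native_vlan if vid is None else vid


def double_tag_hop(frame: bytes, native_vlan: int, target_vlan: int) -> int:
    """Why user traffic should not share the native VLAN: a frame with an outer
    tag equal to the native VLAN and an inner tag for the target VLAN has its
    outer tag stripped by the first switch; the next trunk then sees a frame
    tagged for the target VLAN.  Returns the VLAN the frame ends up in."""
    crafted = add_8021q_tag(add_8021q_tag(frame, target_vlan), native_vlan)
    after_first_switch = strip_outer_tag(crafted)
    return ingress_vlan(after_first_switch, native_vlan)


# Constructed sample: broadcast ARP-like frame from 0090.4b54.d83a (payload truncated).
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff" "00904b54d83a" "0806")
                + b"\x00\x01\x08\x00\x06\x04\x00\x01")

if __name__ == "__main__":
    print(add_8021q_tag(SAMPLE_FRAME, 2).hex())
    print("double-tagged frame lands in VLAN", double_tag_hop(SAMPLE_FRAME, 1, 2))
```

The one-way hop only works when the attacker's access port is in the native VLAN of the trunk, which is the configuration the lab switch uses (native vlan 1, with user SSIDs also mapped to VLAN 1); putting the native VLAN on an otherwise unused VLAN ID, or tagging the native VLAN on the trunk, removes it.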
Note: To enable multiple SSIDs to be broadcast (added by J. Graves):
dot11 ssid TEST1
mbssid guest-mode
dot11 ssid TEST2
mbssid guest-mode

then enable mbssid on the radio interface, and then add the SSIDs:
int Dot11Radio0
mbssid
ssid TEST1
ssid TEST2


Lab 10: IP Routing


The access point can assign VLANs, where the nodes in the same VLAN can connect
to each other, but cannot communicate directly with nodes on another VLAN. This
allows nodes to connect to each other, even though they connect to a different access
device. In a wireless system the nodes can thus communicate with a VLAN over a
different SSID. The mechanism used is IEEE 802.1Q tagging.
The setup for the lab is defined in Figure 1, and the details are:

Group  Device    SSID               BVI       Host range           Radio channel
A      Aironet1  Scotland (VLAN 1)  10.0.0.4  10.0.0.10-10.0.0.12  2
                 England (VLAN 2)             10.0.1.1-10.0.1.2
B      Aironet2  Ireland (VLAN 1)   10.0.0.2  10.0.0.13-10.0.0.15  3
                 Wales (VLAN 2)               10.0.1.3-10.0.1.4
C      Aironet3  France (VLAN 1)    10.0.0.3  10.0.0.16-10.0.0.18  4
                 Germany (VLAN 2)             10.0.1.5-10.0.1.6
D      Aironet4  USA (VLAN 1)       10.0.0.5  10.0.0.19-10.0.0.21  5
                 Japan (VLAN 2)               10.0.1.7-10.0.1.8

CONNECTION WITHIN A VLAN ON A SINGLE ACCESS POINT


1. Setup the connections, so that the first three nodes (PC1, PC2 and PC3) should
associate with the first SSID (such as Scotland), and PC4 and PC5 should connect
to the second SSID (such as England).
An outline of the configuration for Group A is:
# config t
(config)# dot11 ssid Scotland
(config-ssid)# mbssid guest-mode
(config-ssid)# authentication open
(config-ssid)# vlan 1
(config-ssid)# exit
(config)# dot11 ssid England
(config-ssid)# mbssid guest-mode
(config-ssid)# authentication open
(config-ssid)# vlan 2
(config-ssid)# exit
(config)# int BVI1
(config-if)# ip address 10.0.0.4 255.255.255.0
(config-if)# no shut
(config-if)# exit
(config)# int d0
(config-if)# mbssid
(config-if)# ssid Scotland
(config-if)# ssid England
(config-if)# channel 1
(config-if)# no shutdown
(config-if)# exit
(config)# int fa0
(config-if)# no shutdown
(config-if)# exit


Then create the 802.1Q sub-interfaces on both the radio and the Ethernet port. As
in Lab 9, the native (VLAN 1) sub-interfaces are placed in bridge-group 1 and the
VLAN 2 sub-interfaces in bridge-group 2, so that each VLAN is bridged between the
radio and Ethernet sides:

(config)# int d0.1
(config-subif)# ?
Interface configuration commands:
  arp             Set arp type (arpa, probe, snap) or timeout
  bandwidth       Set bandwidth informational parameter
  bridge-group    Transparent bridging interface parameters
  cdp             CDP interface subcommands
  default         Set a command to its defaults
  delay           Specify interface throughput delay
  description     Interface specific description
  encapsulation   Set encapsulation type for an interface
  exit            Exit from interface configuration mode
  ip              Interface Internet Protocol config commands
  keepalive       Enable keepalive
  logging         Configure logging for interface
  mtu             Set the interface Maximum Transmission Unit (MTU)
  no              Negate a command or set its defaults
  service-policy  Configure QoS Service Policy
  shutdown        Shutdown the selected interface
  timeout         Define timeout values for this interface
(config-subif)# encapsulation ?
  dot1Q  IEEE 802.1Q Virtual LAN
(config-subif)# encapsulation dot1q ?
  <1-4094>  IEEE 802.1Q VLAN ID
(config-subif)# encapsulation dot1q 1 ?
  native        Make this as native vlan
  second-dot1q  Configure this subinterface as a 1Q-in-1Q subinterface
  <cr>
(config-subif)# encapsulation dot1q 1 native
(config-subif)# bridge-group 1
(config-subif)# int fa0.1
(config-subif)# encapsulation dot1q 1 native
(config-subif)# bridge-group 1
(config-subif)# exit
(config)# int d0.2
(config-subif)# encapsulation dot1q 2
(config-subif)# bridge-group 2
(config-subif)# int fa0.2
(config-subif)# encapsulation dot1q 2
(config-subif)# bridge-group 2
(config-subif)# exit

Can nodes PC1, PC2 and PC3 ping each other:


Can nodes PC4 and PC5 ping each other:
Show that PC4 and PC5 cannot communicate with PC1, PC2, and PC3.
What are the associations:

2. Using show vlan, show that the output is in the form:

Virtual LAN ID: 1 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces: Dot11Radio0.1
                          Virtual-Dot11Radio0.1
   This is configured as native Vlan for the following interface(s) :
   Dot11Radio0
   Virtual-Dot11Radio0
   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging          Bridge Group 1           17              9
        Bridging          Bridge Group 1           17              9

Virtual LAN ID: 2 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces: Dot11Radio0.2
                          Virtual-Dot11Radio0.2
   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging          Bridge Group 2            1              0
        Bridging          Bridge Group 2            1              0


Figure 1: Outline of lab


3. Now we will group the VLANs together, if required, with a bridge group. Thus:
(config-if)# interface Dot11Radio0.2
(config-if)# no bridge-group 2
(config-if)# bridge-group 1
Can nodes PC1, PC2 and PC3 ping each other? Can nodes PC4 and PC5 ping each other?
Show that PC4 and PC5 can now communicate with PC1, PC2, and PC3. What are the associations:

Objective: You should be able to access the other VLAN on the same access point.
4. Now reassign the bridge-groups, such as:
(config-if)# interface Dot11Radio0.2
(config-if)# no bridge-group 1
(config-if)# bridge-group 2

Objective: You should not be able to access the other VLAN on the same access
point.
ENABLING TRUNKING BETWEEN VLANs
5. The switch which connects the Aironets can be accessed from 192.168.1.100 Port
2008. Log into the device, and view its configuration. 802.1q can be enabled and
trunked between the ports of the switch with:
# vlan database
(vlan)# vlan 1
(vlan)# vlan 2
(vlan)# exit
# config t
(config)# int fa0/1
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# int fa0/2
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# int fa0/3
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config-if)# int fa0/4
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport trunk native vlan 1
(config-if)# switchport trunk allowed vlan 1,2
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate
(config)# exit
# exit

6. Now make sure that there is no bridge between the VLANs, and now conduct the
following:
Within VLAN 1 which nodes in the whole network can you ping:
Within VLAN 2 which nodes in the whole network can you ping:

All the nodes in VLAN 1 should be able to ping each other.


Nodes in VLAN 1 cannot ping nodes in VLAN 2, and vice-versa.

Objective: You should be able to ping any node in your VLAN, no matter which
access point they connect to, but not in other VLANs. PLEASE NOTE: IT CAN TAKE
UP TO A MINUTE FOR THE TRUNKING TO OCCUR, SO PLEASE BE PATIENT!
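The tagging and bridging behaviour that steps 1 to 6 configure can be checked offline with the following Python script. It is an added example, not code from the lab or from Cisco IOS: it builds Ethernet frames with and without an 802.1Q tag, classifies untagged frames into the native VLAN (what encapsulation dot1q 1 native does on the trunk), applies the trunk's allowed-VLAN list, and models the sub-interface to bridge-group mapping from steps 1 to 4 to show which sub-interfaces a frame is flooded to. The interface table, MAC addresses and payload are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_IPV4 = 0x0800

def build_frame(dst, src, payload, vlan=None, pcp=0):
    """Ethernet II frame; when vlan is given, a 4-byte 802.1Q tag is inserted
    between the source MAC and the EtherType (TPID 0x8100 followed by the TCI)."""
    if vlan is None:
        return dst + src + struct.pack("!H", ETH_IPV4) + payload
    tci = (pcp << 13) | (vlan & 0x0FFF)          # PCP (3 bits) | DEI (1) | VID (12)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETH_IPV4) + payload

def parse_frame(frame, native_vlan=1):
    """Classify a frame into a VLAN. An untagged frame belongs to the native
    VLAN, which is how 'encapsulation dot1q 1 native' treats it on the trunk."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"vlan": tci & 0x0FFF, "tagged": True, "ethertype": inner, "payload": frame[18:]}
    return {"vlan": native_vlan, "tagged": False, "ethertype": ethertype, "payload": frame[14:]}

# Sub-interface table constructed to mirror steps 1 and 2 of the lab: each
# dot1q sub-interface carries one VLAN and belongs to one bridge-group.
LAB_SUBIFS = {
    "Dot11Radio0.1":   {"vlan": 1, "bridge_group": 1},
    "FastEthernet0.1": {"vlan": 1, "bridge_group": 1},
    "Dot11Radio0.2":   {"vlan": 2, "bridge_group": 2},
    "FastEthernet0.2": {"vlan": 2, "bridge_group": 2},
}

def bridge(frame, ingress, subifs=LAB_SUBIFS, native_vlan=1, allowed=(1, 2)):
    """Return the sub-interfaces a frame arriving on `ingress` is forwarded to.
    Only members of the same bridge-group receive it, and only when its VLAN is
    on the trunk's allowed list (switchport trunk allowed vlan 1,2)."""
    info = parse_frame(frame, native_vlan)
    if info["vlan"] not in allowed or info["vlan"] != subifs[ingress]["vlan"]:
        return []
    group = subifs[ingress]["bridge_group"]
    return sorted(name for name, sub in subifs.items()
                  if name != ingress and sub["bridge_group"] == group)

def move_to_bridge_group(subifs, name, group):
    """Model 'no bridge-group X' followed by 'bridge-group Y' on one sub-interface (step 3)."""
    updated = {k: dict(v) for k, v in subifs.items()}
    updated[name]["bridge_group"] = group
    return updated

if __name__ == "__main__":
    pc1 = bytes.fromhex("0009b7aa0001")   # constructed MAC addresses
    pc4 = bytes.fromhex("0009b7aa0004")
    tagged = build_frame(pc1, pc4, b"ping", vlan=2)
    print("VLAN 2 frame on Dot11Radio0.2 ->", bridge(tagged, "Dot11Radio0.2"))
    merged = move_to_bridge_group(LAB_SUBIFS, "Dot11Radio0.2", 1)
    print("after bridge-group 1 (step 3)  ->", bridge(tagged, "Dot11Radio0.2", merged))
```

With the table as in steps 1 and 2, a VLAN 2 frame from PC4 only reaches FastEthernet0.2; after the step 3 change it reaches the VLAN 1 members too, which is why PC4 can then ping PC1.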
ENABLING IP ROUTING BETWEEN VLANs
7. Now we can enable routing between the VLANs, at Layer 3, with modifications
on the switch:
# config t
(config)# ip routing
(config)# vlan 1
(config-vlan)# exit
(config)# int vlan 1
(config-if)# ip address 10.0.0.254 255.255.255.0
(config-if)# exit
(config)# vlan 2
(config-vlan)# exit
(config)# int vlan 2
(config-if)# ip address 10.0.1.254 255.255.255.0
(config-if)# exit

8. Now make sure that you set the default gateway for nodes in VLAN 1 to
10.0.0.254, and for VLAN 2 to 10.0.1.254. This will send all the unknown traffic to
the switch.
Within VLAN 1 which nodes in the whole network can you ping:

Within VLAN 2 which nodes in the whole network can you ping:

Objective: You should now be able to get the whole network to communicate.

Prof Bill Buchanan, Sept 2008


Example configurations
Access Point 1:
config t
dot11 ssid Scotland
mbssid guest-mode
authentication open
vlan 1
exit
dot11 ssid England
mbssid guest-mode
authentication open
vlan 2
exit
int BVI1
ip address 10.0.0.4 255.255.255.0
no shut
exit
int d0
mbssid
ssid Scotland
ssid England
channel 1
no shut
exit

int fa0
no shut
exit
int d0.1
encapsulation dot1q 1 native
int fa0.1
encapsulation dot1q 1 native
exit
int d0.2
encapsulation dot1q 2
bridge-group 2
int fa0.2
encapsulation dot1q 2
bridge-group 2
exit


Access Point 2:
config t
dot11 ssid Ireland
mbssid guest-mode
authentication open
vlan 1
exit
dot11 ssid Wales
mbssid guest-mode
authentication open
vlan 2
exit
int BVI1
ip address 10.0.0.5 255.255.255.0
no shut
exit
int d0
mbssid
ssid Ireland
ssid Wales
channel 2
no shut
exit
int fa0
no shut
exit

int d0.1
encapsulation dot1q 1 native
int fa0.1
encapsulation dot1q 1 native
exit
int d0.2
encapsulation dot1q 2
bridge-group 2
int fa0.2
encapsulation dot1q 2
bridge-group 2
exit

Switch configuration
vlan database
vlan 1
vlan 2


exit
config t
int fa0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport nonegotiate
int fa0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport nonegotiate
int fa0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport nonegotiate
int fa0/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport nonegotiate
exit
exit
IP Routing on switch
config t
ip routing
int vlan 1
ip address 10.0.0.254 255.255.255.0
no shutdown
int vlan 2
ip address 10.0.1.254 255.255.255.0
no shutdown


Lab 11: RADIUS


This lab will show you how to set up a Remote Authentication Dial In User Service
(RADIUS) server. The software used in this lab is called FreeRADIUS.net, and is a
Windows port of the popular FreeRADIUS server for Linux. It can be downloaded at
http://www.freeradius.net/.
Although you have demonstrated an AP's capability to authenticate to a RADIUS
server, this service was on the access point itself. The following procedure highlights
the manner in which a RADIUS server can be located remotely, and still provide
authentication.
There are two main components to this: the access point and the RADIUS server.
Due to topology complications, the RADIUS server will be set up on the same access
point as the authentication point. This will be achieved by using two SSIDs: one for
the RADIUS server to connect to, and one for the clients to connect and authenticate
to. This is not common practice. Normally, a RADIUS server will be located
somewhere else in the infrastructure, and on a wired link. Please refer to Figure 1.

Figure 1

The setup for the lab is defined in Figure 1, and the details are:

Group  Device    SSID                                         BVI          Host range                  Radio channel
A      Aironet1  InfrastructureA (VLAN 1), ClientA (VLAN 2)   192.168.2.1  192.168.2.10-192.168.2.14   2
B      Aironet2  InfrastructureB (VLAN 1), ClientB (VLAN 2)   192.168.2.2  192.168.2.15-192.168.2.19   3
C      Aironet3  InfrastructureC (VLAN 1), ClientC (VLAN 2)   192.168.2.3  192.168.2.20-192.168.2.24   4
D      Aironet4  InfrastructureD (VLAN 1), ClientD (VLAN 2)   192.168.2.4  192.168.2.25-192.168.2.29   5


Figure 1: Setup


1. Configure the AP with the following commands. Note, erase the startup-config
initially, and re-boot. An outline for Group A is as follows:
int d0.1
encapsulation dot1q 1 native
bridge-group 1
exit
int d0.2
encapsulation dot1q 2
bridge-group 1
exit
dot11 ssid InfrastructureA
mbssid guest-mode
authentication open
vlan 1
exit
dot11 ssid ClientA
mbssid guest-mode
authentication network-eap eap_methods
vlan 2
exit
int BVI1
ip address 192.168.2.1 255.255.255.0
exit
int d0
mbssid
ssid InfrastructureA
ssid ClientA
encryption vlan 2 key 2 size 40bit aaaaaaaaaa transmit-key
encryption vlan 2 mode wep mandatory
channel 2
no shut
exit
int fa0
no shut
exit
aaa new-model
aaa group server radius rad_eap
server 192.168.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa session-id common
radius-server host 192.168.2.10 auth-port 1812 acct-port 1813 key testing123

2. Choose a client to act as the RADIUS server. Connect it to the SSID
Infrastructure, and assign it the IP address outlined in the previous commands
for the RADIUS machine. You can use a machine with a Belkin adaptor for this.
3. Configure the RADIUS server. You must now configure the Clients.conf file. This is
located in C:\Program Files\FreeRADIUS.net-1.1.1-r0.0.1\etc\raddb. Find a space
at the bottom of the document, and add the following:
client 192.168.2.0/24 {
        secret    = testing123
        shortname = private-network-2
}


4. Start the RADIUS server in debug mode. Debug mode is very useful, as it will
inform you of all RADIUS authentication requests, and exactly what it does with
them. You may want to monitor this window when trying to authenticate a
machine, to check whether it works.
C:\Program Files\FreeRADIUS.net-1.1.1-r0.0.1\bin> radiusd.exe -d ../etc/raddb -AX

5. Attempt to authenticate the other client to the Client SSID. For this, you will have
to use the Cisco Aironet 350 wireless card in your machine. You must disable the
Belkin wireless adaptor for this to work properly. Once you have done so, start
the Cisco adaptor, click on the Aironet Client Utility (ACU), and you'll see a
screen like this:

Click on Profile Manager, and enter a new name for the profile:


Click OK, and enter your Client ID into the SSID1 field.

Click on the Network Security Tab, and set the screen as follows:

Click on Configure, and set the client as follows:


Click OK, and select your profile. When prompted, enter the user name and
password:
Username: testuser
Password: testpw
Clear the domain box, and click OK. Your main ACU window should display
whether you've been successful or not. Once you have a successful authentication,
assign an IP address to the adaptor.

6. Show, on the access point, that you have two associations: one should be open
and the other should be through EAP-Assoc:
ap#show dot11 assoc
802.11 Client Stations on Dot11Radio0:

SSID [ClientA] :

MAC Address      IP address      Device       Name        Parent  State
0009.7cd1.9075   192.168.2.22    350-client   WLAN-PC13   self    EAP-Assoc

SSID [InfrastructureA] :

MAC Address      IP address      Device       Name        Parent  State
0011.5015.b71c   192.168.2.10    4500-radio   -           self    Assoc

7. Check the details of the RADIUS server, such as:


Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.1:1645, id=1, length=125
User-Name = "testuser"
Framed-MTU = 1400
Called-Station-Id = "0017.e019.9640"
Calling-Station-Id = "0009.7cd1.9075"
Service-Type = Login-User
Message-Authenticator = 0x5d54508193fc791123ba2fa9e1eccb76
EAP-Message = 0x0202000d017465737475736572
NAS-Port-Type = Wireless-802.11
NAS-Port = 265
NAS-IP-Address = 192.168.2.1
Processing the authorize section of radiusd.conf

8. Next enter an incorrect user ID, such as:

And show that the authentication is unsuccessful, such as:

9. Explore the users file, which is kept in the C:\Program Files\FreeRADIUS.net-1.1.1-r0.0.1\etc\raddb directory. Try and add a few new users. Make sure you
restart the RADIUS server. An example of a new user is:
testuser        User-Password == "testpw"
bill            User-Password == "bill"


Can you authenticate using the new users you've added?

10. Use Ethereal to monitor the packets arriving at the RADIUS server. Look at the
RADIUS debug screen at the same time, and determine what's happening.
What does it say when you enter an incorrect username and password?

What happens when you change the server secret in the Clients.conf file?

Now monitor Ethereal while supplying correct and false information.


Can you identify the handshake process?

How does it differ when incorrect information is supplied to the RADIUS server?
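The debug output in step 7 lists the attributes of an Access-Request, including the Message-Authenticator that the shared secret from Clients.conf protects, and the EAP-Message carrying the identity. The following Python example, added here and not part of the lab or of FreeRADIUS, builds such a packet from the attributes seen in that output, computes and verifies the Message-Authenticator (HMAC-MD5 keyed by the shared secret, as RFC 3579 defines it), and decodes the EAP-Message to show that the identity travels in cleartext. The attribute numbers are those of RFC 2865 and RFC 3579; the packet is constructed, not captured, so its length and authenticator differ from the debug output above.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
# Attribute type numbers (RFC 2865 / RFC 3579) for the attributes in the lab's debug output
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Service-Type": 6,
        "Framed-MTU": 12, "Called-Station-Id": 30, "Calling-Station-Id": 31,
        "NAS-Port-Type": 61, "EAP-Message": 79, "Message-Authenticator": 80}
MA_LEN = 16

def avp(code, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", code, 2 + len(value)) + value

def build_access_request(ident, secret, attrs, request_auth=None):
    """Access-Request with a Message-Authenticator (RFC 3579 section 3.2): HMAC-MD5
    keyed by the shared secret over the whole packet, computed while the
    Message-Authenticator value is 16 zero bytes, then written into that slot."""
    request_auth = request_auth if request_auth is not None else os.urandom(16)
    body = b"".join(avp(ATTR[name], value) for name, value in attrs)
    body += avp(ATTR["Message-Authenticator"], bytes(MA_LEN))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-MA_LEN] + mac

def attributes(packet):
    """Yield (type, value) pairs from the attribute area after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2:
            break                      # malformed attribute; stop rather than loop
        yield code, packet[pos + 2:pos + length]
        pos += length

def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with a candidate secret. False means the AP and the server
    disagree on the secret (the Clients.conf question in step 10) or the packet was
    altered in transit."""
    pos = 20
    while pos + 2 <= len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2:
            break
        if code == ATTR["Message-Authenticator"]:
            zeroed = packet[:pos + 2] + bytes(MA_LEN) + packet[pos + length:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + length])
        pos += length
    return False

def decode_eap_identity(eap_message):
    """EAP Response/Identity: code 2, identifier, 2-byte length, type 1, then the
    identity in cleartext. This is what the lab's EAP-Message attribute carries."""
    code, _ident, length, eap_type = struct.unpack("!BBHB", eap_message[:5])
    if code != 2 or eap_type != 1:
        return None
    return eap_message[5:length].decode()

# Values taken from the lab's debug output; NAS-Port-Type 19 is Wireless-802.11 (RFC 2865)
LAB_EAP_MESSAGE = bytes.fromhex("0202000d017465737475736572")
LAB_ATTRS = [("User-Name", b"testuser"),
             ("NAS-IP-Address", bytes([192, 168, 2, 1])),
             ("NAS-Port-Type", struct.pack("!I", 19)),
             ("EAP-Message", LAB_EAP_MESSAGE)]
LAB_SECRET = b"testing123"    # the key configured on the AP and in Clients.conf

if __name__ == "__main__":
    pkt = build_access_request(1, LAB_SECRET, LAB_ATTRS)
    print("identity in EAP-Message      :", decode_eap_identity(LAB_EAP_MESSAGE))
    print("server with the right secret :", verify_message_authenticator(pkt, LAB_SECRET))
    print("server with a changed secret :", verify_message_authenticator(pkt, b"changed"))
```

A server whose Clients.conf secret no longer matches the AP's radius-server key fails the HMAC check and drops the request silently, which is what the debug window shows after the step 10 change. The EAP identity, by contrast, is readable by anyone capturing the RADIUS traffic, which is one reason the server normally sits on a wired link.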

11. Disable mandatory WEP on VLAN2.

Can you connect to the Radius Server now?

Why Not?

Prof Bill Buchanan, Sept 2008


Lab 12: SNMP and Logging


The setup for the lab is:

Group  Device    SSID      BVI       Host range            Radio channel
A      Aironet1  Scotland  10.0.0.4  10.0.0.10-10.0.0.14   2
B      Aironet2  England   10.0.0.2  10.0.0.15-10.0.0.19   3
C      Aironet3  Ireland   10.0.0.3  10.0.0.20-10.0.0.24   4
D      Aironet4  Wales     10.0.0.5  10.0.0.25-10.0.0.29   5

1. Once you have set the network up, install NetSNMP on the Windows machines.
Enable SNMP on the Aironet with the commands:
(config)# snmp-server community public
(config)# snmp-server contact YOURNAME
(config)# snmp-server location C6 lab bench A
(config)# snmp-server chassis-id napier

2. Perform an SNMP walk on your Aironet:


C:\usr\bin> snmpwalk -Os -c public -v 1 10.0.0.4
sysDescr.0 = STRING: Wireless-G ADSL Gateway
sysObjectID.0 = OID: enterprises.3955.1.1
...

and determine the following:

SNMP Version
Community string

System Description:
MAC address of the E0 port:
MAC address of the D0 port:
Up time (s):
Contact name:
MTU (Ethernet):
MTU (D0):
Speed (D0):
IP address (BVI1):

2. Now use the snmpget command to retrieve the values, such as:


C:\usr\bin> snmpget -Os -c public -v 1 10.0.0.4 system.sysDescr.0
sysDescr.0 = STRING: Wireless-G ADSL Gateway

3. Now use the snmpwalk command to view the contents of the tables in the MIB,
such as:
C:\usr\bin> snmpwalk -Os -c public -v 1 10.0.0.4 system
sysDescr.0 = STRING: Wireless-G ADSL Gateway
sysObjectID.0 = OID: enterprises.3955.1.1


sysUpTimeInstance = Timeticks: (198354) 0:33:03.54


sysContact.0 = STRING: Linksys
sysName.0 = STRING: Linksys WAG54G
sysLocation.0 = STRING:
sysServices.0 = INTEGER: 4

Outline some of the contents of:


SYSTEM:
IF:
ICMP:
TCP:

4. Now change the community string to Napier:

(config)# snmp-server community Napier
(config)# snmp-server contact YOURNAME
(config)# snmp-server location C6 lab
(config)# snmp-server chassis-id napier

Which command would you now use to show the SYSTEM table:

5. Ping the Aironet. Now determine the entries which show the ping:
C:\usr\bin> snmpwalk -Os -c public -v 1 10.0.0.4 icmp
icmpInMsgs.0 = Counter32: 14
icmpInErrors.0 = Counter32: 0
icmpInDestUnreachs.0 = Counter32: 2
. . .

Which entry defines the count for pings:

6. Enable SNMP on the Windows PC. Now determine:


System Description:
MAC address of the E0 port:
Up time (s):
Contact name:
MTU (Ethernet):
IP address (Ethernet):
Software installed:
Which TCP ports are listening:


Check these with the netstat -a command.

7. Now use the snmpwalk command to view the full details of the tables in the
MIB, such as:
C:\usr\bin> snmpwalk -c public -v 1 10.0.0.10 system
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 6 Model 13 Stepping 8
AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600
Uniprocessor Free)
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.311.1.1.3.1.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (662239) 1:50:22.39
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: BILL-93D44FD838
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 76
IF-MIB::ifNumber.0 = INTEGER: 5
IF-MIB::ifIndex.1 = INTEGER: 14

8. Now use snmptranslate to determine the OID numbers:


C:\usr\bin> snmptranslate -On SNMPv2-MIB::sysDescr.0
.1.3.6.1.2.1.1.1.0

Determine the OID for the following:


System name:
Up time:
Contact name:
Location:
Physical address (Ethernet card):
Physical address (Wireless card):
IP address (Ethernet card):
IP address (Wireless card):
Explain the format of the OID:
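To see where the OID numbers from snmptranslate and the community string end up on the wire, the following Python example, added here and not part of Net-SNMP or the lab, BER-encodes a dotted OID (the format step 8 asks you to explain), builds the SNMPv1 GetRequest that snmpget sends for a single OID, and reads the version and community string back out of the raw bytes the way a packet capture would. The request id and the community strings are constructed for the example; the OIDs are the ones shown in steps 2 and 8.

```python
def encode_oid(oid):
    """BER-encode a dotted OID. The first two arcs share one byte (40*x + y);
    each later arc is base-128, high bit set on every byte except its last."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)

def decode_oid(encoded):
    """Inverse of encode_oid, giving the dotted form that snmptranslate -On prints."""
    arcs = [encoded[0] // 40, encoded[0] % 40]
    value = 0
    for b in encoded[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return "." + ".".join(str(a) for a in arcs)

def tlv(tag, content):
    """BER tag-length-value with short-form or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def ber_int(value):
    size = max(1, (value.bit_length() + 8) // 8)       # leave room for the sign bit
    return tlv(0x02, value.to_bytes(size, "big", signed=True))

def build_get_request(community, oid, request_id=1, version=0):
    """SNMPv1 (version 0) or v2c (version 1) GetRequest for one OID: what
    'snmpget -v 1 -c public 10.0.0.4 sysDescr.0' puts on the wire."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))   # OID + NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def community_from_capture(packet):
    """What a sniffer on the path sees: in SNMPv1/v2c the community string is
    sent in cleartext, so 'public' (or 'Napier') is readable by anyone capturing."""
    tag, message, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(message)
    _, community, _ = read_tlv(message, pos)
    return int.from_bytes(version, "big", signed=True), community.decode()

if __name__ == "__main__":
    print("sysDescr.0 ->", encode_oid(".1.3.6.1.2.1.1.1.0").hex())
    pkt = build_get_request("public", ".1.3.6.1.2.1.1.1.0")
    print(len(pkt), "bytes, community seen on the wire:", community_from_capture(pkt))
```

The encoding explains why .1.3.6.1.2.1.1.1.0 becomes 2b 06 01 02 01 01 01 00 (1.3 collapses to 0x2b) and why the enterprise number 3955 in sysObjectID needs two bytes. Changing the community string in step 4 changes only the cleartext OCTET STRING in the packet, so on SNMPv1 it is a weak access control rather than a secret.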

9. Enable SNMP on the switch, and determine the following:


System Description:
MAC address of the FA0/1 port:
Up time (s):
Contact name:


Figure 1: Outline of lab


10. Once you have set the network up, install the NapierSNMP program on the
Windows machines. Now, using the client, view the SNMP information on the
hosts, and also on the Aironet.

Figure 2:

Note some of the details:

12.2 Logging
The use of logging is important in most networks, especially where there are
multiple devices. One method is to use a Syslog server, which can gather the alerts
from devices on the network. Along with this, this lab will investigate the TELNET
protocol, which is seen as being insecure as the password and user ID of the user is
passed through the data packet in plain text. The main objectives are:
1. The usage of logging is important in most networks, especially where there
are multiple devices. One method is to use a Syslog server, which can gather
the alerts from devices on the network. First install the Kiwi Syslog program
on all the clients on the network (such as on 10.0.0.10), and start the service
with:
Manage-> Install the Syslogd service
Manage-> Start the Syslogd service

2. Next, enable logging to the Syslog server for each of the nodes with:
# config t
(config)# logging 10.0.0.10
(config)# logging 10.0.0.11
(config)# logging 10.0.0.12
(config)# logging 10.0.0.13
(config)# logging 10.0.0.14

3. Once it has been set up, verify the operation of the Syslog server by typing in
commands, and prompting messages, such as shown in Figure 3.
Do you receive messages on the Syslog server on all the nodes:

Disable logging to 10.0.0.13. Do the messages stop appearing on this node:

Figure 3: Syslog server

4. The remote login is a source of insecurity, and often the device is set up so that
only certain devices can log in to the access point. In the following example,
a single device (10.0.0.10) is the only one allowed to TELNET into the access
point:

(config)# access-list 1 permit 10.0.0.10
(config)# access-list 1 deny any
(config)# line vty 0 15
(config-line)# access-class 1 in
Set up the access point so that only one device can log in using TELNET. Verify it on each of the
clients. Does it work:


Modify it so that it excludes just one address (such as 10.0.0.11) from access, but allows any
other address. What is the configuration which achieves this:

5. Often there are problems with intruders who continually try to log in. It
is possible to log when the deny part of the access-list is fired, such as:

(config)# access-list 1 permit 10.0.0.10
(config)# access-list 1 deny any log
(config)# line vty 0 15
(config-line)# access-class 1 in
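The access-lists in steps 4 and 5 are standard IOS ACLs: entries are evaluated top-down, the first match wins, and an unmatched address hits an implicit deny at the end that is never logged. The following Python example, added here and not part of the lab or of IOS, parses such access-list lines (including the any and host shorthand and an optional wildcard mask), evaluates a source address against them, and reports whether the matching entry carries the log keyword, so a candidate configuration can be checked before it is applied to the vty lines. The exclude-one-address ACL is an assumption of the example, one configuration that meets the requirement of the question above, not the lab's own answer.

```python
import ipaddress

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acl(config_lines):
    """Parse 'access-list N permit|deny <addr> [wildcard] [log]' lines, with the
    'any' and 'host A' shorthands, into (action, address, wildcard, log) tuples.
    A missing wildcard means 0.0.0.0, i.e. an exact host match."""
    entries = []
    for line in config_lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue
        rest = tok[3:]
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            addr, wild = ip_int(rest[1]), 0
        else:
            addr = ip_int(rest[0])
            wild = ip_int(rest[1]) if len(rest) > 1 else 0
        entries.append((tok[2], addr, wild, log))
    return entries

def evaluate(entries, src_ip):
    """First-match evaluation with IOS wildcard masks: a 1 bit in the wildcard
    means 'do not care'. Returns (action, logged); an unmatched source hits the
    implicit 'deny any' at the end of every IOS ACL, which is never logged."""
    ip = ip_int(src_ip)
    for action, addr, wild, log in entries:
        if (ip | wild) == (addr | wild):
            return action, log
    return "deny", False

def vty_report(entries, hosts):
    """Which hosts could open a TELNET session once 'access-class 1 in' applies."""
    return {h: evaluate(entries, h)[0] for h in hosts}

# Step 5 of the lab: only 10.0.0.10 may TELNET in; everything else is denied and logged
LAB_ACL = parse_standard_acl([
    "access-list 1 permit 10.0.0.10",
    "access-list 1 deny any log",
])
# Constructed answer to the 'exclude one address' question: bar 10.0.0.11, allow the rest
EXCLUDE_ONE_ACL = parse_standard_acl([
    "access-list 1 deny host 10.0.0.11 log",
    "access-list 1 permit any",
])

if __name__ == "__main__":
    lab_pcs = ["10.0.0.10", "10.0.0.11", "10.0.0.12"]
    print("step 5 ACL      :", vty_report(LAB_ACL, lab_pcs))
    print("exclude-one ACL :", vty_report(EXCLUDE_ONE_ACL, lab_pcs))
```

Note that in the exclude-one variant the deny entry must come first; placing permit any first would match every address and the deny line would never fire or log.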

6. Now, try to log in using a device which is barred from TELNET access, and
verify with sh log that you get a message such as:

*Mar 00:50:44.077: %SEC-6-IPACCESSLOGS: list 1 denied 192.168.0.1 packet
Do you get this message:

Setup the access point to send this message to the Syslog server. Is it received correctly:

Modify the access-list so that the Syslog server also receives a message on a successful access.
What is the configuration used:
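The %SEC-6-IPACCESSLOGS message above carries facility (SEC), severity (6, informational) and mnemonic in a fixed layout, and that severity number is what the logging trap threshold and the Syslog priority are computed from. The following Python example, added here and not part of the lab, Kiwi Syslog or IOS, parses that layout from a constructed sample of sh log output, counts denied packets per source address (the repeated-intruder case of step 5), derives the Syslog priority value the Kiwi server receives, and applies the trap threshold that tutorial 12 asks for (warnings and above). The sample lines are constructed in the IOS format, not captured from a device; the facility value 23 (local7) is the IOS default for logging to a host.

```python
import re
from collections import Counter

# IOS severity levels; 'logging trap warnings' means level 4 and lower numbers
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]
LOCAL7 = 23   # default syslog facility IOS uses for 'logging <host>'

IOS_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
ACL_LOG = re.compile(r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<src>\d+(?:\.\d+){3}) (?P<count>\d+) packets?")

def parse_ios_message(line):
    """Split one IOS log line into facility, numeric severity, mnemonic and text."""
    m = IOS_MSG.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg

def syslog_priority(severity, facility=LOCAL7):
    """The <PRI> value the Kiwi server receives: facility * 8 + severity."""
    return facility * 8 + severity

def forwarded_at_trap_level(lines, level):
    """Messages a device configured with 'logging trap <level>' would send on."""
    level = SEVERITY_NAMES.index(level) if isinstance(level, str) else level
    return [m for m in map(parse_ios_message, lines) if m and m["severity"] <= level]

def denied_sources(lines):
    """Per-source count of packets denied by a logged access-list entry."""
    denied = Counter()
    for msg in map(parse_ios_message, lines):
        if not msg or msg["mnemonic"] != "IPACCESSLOGS":
            continue
        hit = ACL_LOG.search(msg["text"])
        if hit and hit["action"] == "denied":
            denied[hit["src"]] += int(hit["count"])
    return denied

# Constructed sample of 'sh log' output in the lab's format (not captured from a real device)
SAMPLE_LOG = """\
*Mar  1 00:50:44.077: %SEC-6-IPACCESSLOGS: list 1 denied 10.0.0.11 1 packet
*Mar  1 00:50:52.301: %SEC-6-IPACCESSLOGS: list 1 denied 10.0.0.11 3 packets
*Mar  1 00:51:03.115: %SEC-6-IPACCESSLOGS: list 1 permitted 10.0.0.10 1 packet
*Mar  1 00:51:10.002: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:51:15.410: %SEC-6-IPACCESSLOGS: list 1 denied 10.0.0.12 5 packets
*Mar  1 00:51:20.000: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
""".splitlines()

if __name__ == "__main__":
    print("denied per source:", dict(denied_sources(SAMPLE_LOG)))
    for m in forwarded_at_trap_level(SAMPLE_LOG, "warnings"):
        print("sent at trap level warnings:", m["mnemonic"], "PRI", syslog_priority(m["severity"]))
```

Because the access-list log messages are severity 6, a trap level of warnings (as in tutorial 12) stops them reaching the Syslog server; the threshold has to stay at informational or above for the denied-login evidence to be collected centrally.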

7.

Banners are a way to pass a message to users as they login. Typically they are
used to display a message-of-the-day, or to inform users of a change of status.
In the first example, setup the EXEC banner with:

ap(config)#banner exec #
Enter TEXT message. End with the character '#'.
You have now entered EXEC mode.
Please be careful when you access the device.
Thank you.
#

where the # symbol represents the start and end delimiter.


8. Next exit and verify that you get the following message when you login:


ap con0 is now available


Press RETURN to get started.
You have now entered EXEC mode.
Please be careful when you access the device.
Thank you.
ap>

9. After this, change the login banner with:

ap(config)#banner login #
Enter TEXT message. End with the character '#'.
You are accessing the aironet device.
Please try not to change the EXEC password.
Thank you#

10. Using a TELNET or SSH session, now log in to the device, and determine
where the messages are shown.
Which messages do you receive:

11. Set up a network so that users logging into the network receive the following
message-of-the-day message:
This is a private network maintained by Napier University.
You should only use this network if you are authorized by C&IT.
Use by unauthorized persons is not allowed.

Additional tutorials
12. Set up the previous network. Now change it so that Warning messages, and
above, are logged. Verify this.
13. Set up a network so that 10.0.0.10 and 10.0.0.11 can access the wireless access
point with TELNET, whereas the other nodes cannot. A successful and an
unsuccessful login should be logged on the Syslog server.
14. Set up a network so that 10.0.0.10 and 10.0.0.11 cannot access the wireless
access point with TELNET, whereas the other nodes can. A successful and
an unsuccessful login should be logged on the Syslog server.
15. Set up a network so that only one SSH session is possible on the wireless
access point.
16. Set up a network so that the Syslog server logs all the successful and
unsuccessful radio associations.
17. Create a network which allows up to two TELNET sessions with a timeout for
each session at one minute, and up to five SSH sessions with a session
timeout of two minutes.

Prof Bill Buchanan, Sept 2008

