Iuwne10 S02 L04
  1. Basic Cisco WLAN Installation: Describing Access Point Operational Modes

  2. AP Mode: Wireless > Access Points > All APs > Detail

  3. Access Point Local Mode
     - Default mode for an AP, providing:
       - Data services
       - Monitoring services
         - AP will scan all channels over 180 seconds by default
         - Only management packets are inspected for intrusion detection system (IDS) signature matches
       - Can be used for site surveys

  4. Access Point Local Mode Monitor Timing

  5. Access Point Monitor Mode
     - Software configuration to reduce AP capabilities to perform only WLAN monitoring on a per-AP basis:
       - Trusted AP policies
       - Rogue policies
       - Signatures
         - Both data and management packets are inspected for IDS signature matches
         - AP will scan all channels for 1.1 seconds
       - AP is only a beacon device

  6. Access Point Monitor Mode Monitor Timing

  7. Access Point Sniffer Mode
     - Works in conjunction with products like AiroPeek or AirMagnet to monitor a single wireless channel
     - Requires an external server to capture the packets
     - Gathers the following data:
       - Time stamp
       - Signal strength
       - Packet size

  8. AP Sniffer Mode Operation

  9. Access Point Rogue Detector Mode
     - Software configuration to reduce AP capabilities to perform only rogue detection on a per-AP basis
       - Listens for rogue devices on the wired network
       - Compares ARP requests heard on the wired network to the rogue MAC addresses reported by the controller
       - Generates an alarm when a wireless rogue is seen on the wired side
       - Does not allow client connectivity: radios are shut down, 100% of CPU dedicated to rogue detection
       - Does not perform rogue containment
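The rogue-on-wire check on the rogue detector slide is a simple correlation: MAC addresses the controller has flagged as wireless rogues are matched against sender MACs seen in ARP requests on the wired segment. The following Python script is an added illustration of that correlation and is not Cisco's implementation; the ARP line format, the rogue list and the `rogue_on_wire_alarms` function are all constructed for this example. It normalizes MAC notation (colon, hyphen, upper-case) before comparing, because a mismatch in formatting would otherwise hide a real rogue, and it raises one alarm per rogue MAC rather than one per ARP frame.

```python
"""Added example (not from the slide deck): correlate wired-side ARP sender
MACs with the rogue MAC list a controller reports, as a rogue detector AP does.
All data and structures here are constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed rogue list standing in for what the controller reports.
CONTROLLER_ROGUE_MACS = {
    "00:11:22:33:44:55",
    "66:77:88:99:aa:bb",
}

# Constructed wired-side ARP observations in a simple textual shape:
#   arp request who-has <target ip> tell <sender ip> sender <sender mac>
WIRED_ARP_SAMPLE = """\
arp request who-has 10.0.0.20 tell 10.0.0.5 sender 00:11:22:33:44:55
arp request who-has 10.0.0.1 tell 10.0.0.7 sender aa:bb:cc:dd:ee:ff
arp request who-has 10.0.0.9 tell 10.0.0.8 sender 00:11:22:33:44:56
arp request who-has 10.0.0.1 tell 10.0.0.9 sender 66-77-88-99-AA-BB
arp request who-has 10.0.0.2 tell 10.0.0.5 sender 00:11:22:33:44:55
"""


@dataclass(frozen=True)
class ArpObservation:
    sender_mac: str   # canonical form, see normalize_mac()
    sender_ip: str
    target_ip: str


def normalize_mac(mac: str) -> str:
    """Return the MAC as lowercase colon-separated hex so that
    '66-77-88-99-AA-BB' and '66:77:88:99:aa:bb' compare equal."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_line(line: str) -> Optional[ArpObservation]:
    """Parse one constructed ARP line; return None for anything that does not
    match the expected shape so that noise on the wire is ignored, not fatal."""
    parts = line.split()
    if (len(parts) != 8 or parts[:3] != ["arp", "request", "who-has"]
            or parts[4] != "tell" or parts[6] != "sender"):
        return None
    try:
        mac = normalize_mac(parts[7])
    except ValueError:
        return None
    return ArpObservation(sender_mac=mac, sender_ip=parts[5], target_ip=parts[3])


def rogue_on_wire_alarms(arp_lines: Iterable[str], rogue_macs: Iterable[str]) -> List[dict]:
    """Raise one alarm per rogue MAC that appears as an ARP sender on the wire.
    Exact match only, mirroring the slide's description of the comparison."""
    rogues = {normalize_mac(m) for m in rogue_macs}
    alarms: List[dict] = []
    already_alarmed = set()
    for line in arp_lines:
        obs = parse_arp_line(line)
        if obs is None or obs.sender_mac not in rogues:
            continue
        if obs.sender_mac in already_alarmed:
            continue   # repeated ARP from the same rogue is not a new alarm
        already_alarmed.add(obs.sender_mac)
        alarms.append({
            "rogue_mac": obs.sender_mac,
            "wired_ip": obs.sender_ip,
            "evidence": line.strip(),
        })
    return alarms


if __name__ == "__main__":
    for alarm in rogue_on_wire_alarms(WIRED_ARP_SAMPLE.splitlines(), CONTROLLER_ROGUE_MACS):
        print(f"ROGUE ON WIRE: {alarm['rogue_mac']} seen as {alarm['wired_ip']}  <- {alarm['evidence']}")
```

Note that `00:11:22:33:44:56`, one off from a listed rogue, produces no alarm: the script only implements the exact comparison the slide describes, so a detector that wanted to catch a rogue AP whose wired MAC differs from its radio BSSID would need an explicitly chosen matching rule beyond this.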
  10. Hybrid REAP
     - H-REAP AP can be controlled across WAN links:
       - Designed to support remote offices
       - Control traffic still LWAPP-encapsulated and sent to the Cisco Wireless LAN Controller (WLC); client data can be locally bridged
     - All management control and RF management are available when the WAN link is up and connectivity to the Cisco WLC is available.
     - H-REAP can remain operational when unable to communicate with a controller during a WAN outage.

  11. H-REAP
     - When operating in LWAPP, H-REAP-compatible APs have two possible modes:
       - Connected mode (connected state): When the H-REAP AP can reach the controller, it gets help from the controller to complete client authentication
       - Standalone mode (disconnected state): When the AP cannot reach the controller, it processes client requests based on local settings and rules

  12. H-REAP in Connected Mode
     - Once an AP is configured as H-REAP, the controller informs the AP of the mode change through an LWAPP control message. The AP saves this information in NVRAM and boots with the new mode.
     - In connected mode, H-REAP traffic can be backhauled to the controller or locally bridged.

  13. H-REAP in Standalone Mode
     - Standalone mode (disconnected): When the controller is not reachable by the H-REAP AP, it goes into standalone mode and performs client authentication by itself
     - All the following authentication types are supported in standalone mode: Open, WPA-PSK, WPA2-PSK, 802.1X
       - Central-switched WLANs will shut down
       - Local-switched WLANs will remain up:
         - Authentication on local WLANs continues to operate normally
         - Existing 802.1X-authenticated clients continue their sessions until they roam or trigger session reauthentication
         - New 802.1X clients are authenticated on the AP, from a local user list
     - Unsupported features when in standalone mode:
       - RRM, Cisco Centralized Key Management, WIDS, LBS, AP modes
       - WebAuth, NAC
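Slides 11 through 13 describe a failure mode rather than a feature: what an H-REAP AP does with each WLAN and each client when the WAN link to the controller drops. The Python model below is an added example, not Cisco code, that encodes those rules so the outcome for a given WLAN design can be checked before an outage happens. The `Wlan`, `HreapAp` and `demo_outage` names, the SSIDs and the local user list are all constructed for this illustration; the model treats the local user list as a set of usernames and does not simulate the EAP exchange or PSK handshake itself.

```python
"""Added example (not from the slide deck): a model of H-REAP behaviour on
loss of the controller. WLANs, clients and user names are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Switching(Enum):
    CENTRAL = "central"   # client data backhauled to the WLC
    LOCAL = "local"       # client data bridged locally by the AP


class Auth(Enum):
    OPEN = "open"
    WPA_PSK = "wpa-psk"
    WPA2_PSK = "wpa2-psk"
    DOT1X = "802.1x"


@dataclass
class Wlan:
    ssid: str
    switching: Switching
    auth: Auth
    up: bool = True


@dataclass
class HreapAp:
    wlans: Dict[str, Wlan]
    local_users: Set[str]                      # AP-local user list (standalone 802.1X)
    sessions: Set[Tuple[str, str]] = field(default_factory=set)  # (ssid, client)
    connected: bool = True

    def controller_lost(self) -> List[str]:
        """Enter standalone mode. Central-switched WLANs shut down and their
        sessions end; local-switched WLANs stay up. Returns the SSIDs still up."""
        self.connected = False
        for w in self.wlans.values():
            w.up = w.switching is Switching.LOCAL
        self.sessions = {(s, c) for (s, c) in self.sessions if self.wlans[s].up}
        return sorted(w.ssid for w in self.wlans.values() if w.up)

    def client_request(self, ssid: str, client: str, user: Optional[str] = None) -> str:
        """Decide how a client joining 'ssid' is handled in the current state."""
        w = self.wlans.get(ssid)
        if w is None or not w.up:
            return "rejected: WLAN down"
        if (ssid, client) in self.sessions:
            return "existing session continues"      # until roam or reauthentication
        if w.auth in (Auth.OPEN, Auth.WPA_PSK, Auth.WPA2_PSK):
            self.sessions.add((ssid, client))
            return "authenticated locally"           # works in either state
        # 802.1X: controller-assisted when connected, AP-local user list when not
        if self.connected:
            self.sessions.add((ssid, client))
            return "authenticated with controller assistance"
        if user in self.local_users:
            self.sessions.add((ssid, client))
            return "authenticated from AP local user list"
        return "rejected: not in local user list"


def demo_outage() -> Dict[str, object]:
    """Constructed scenario: three WLANs, two clients online, then the WAN drops."""
    ap = HreapAp(
        wlans={
            "corp": Wlan("corp", Switching.LOCAL, Auth.DOT1X),
            "guest": Wlan("guest", Switching.CENTRAL, Auth.OPEN),
            "iot": Wlan("iot", Switching.LOCAL, Auth.WPA2_PSK),
        },
        local_users={"alice"},
        sessions={("corp", "laptop-1"), ("guest", "phone-1")},
    )
    result: Dict[str, object] = {}
    result["up_after_outage"] = ap.controller_lost()
    result["existing_corp_client"] = ap.client_request("corp", "laptop-1")
    result["new_corp_listed_user"] = ap.client_request("corp", "laptop-2", user="alice")
    result["new_corp_unlisted_user"] = ap.client_request("corp", "laptop-3", user="mallory")
    result["guest_client"] = ap.client_request("guest", "phone-1")
    result["new_iot_client"] = ap.client_request("iot", "sensor-1")
    return result


if __name__ == "__main__":
    for key, value in demo_outage().items():
        print(f"{key}: {value}")
```

Running the scenario makes the design consequence visible: a central-switched guest WLAN disappears entirely during the outage, while the corporate WLAN only keeps admitting new 802.1X users who exist in the AP's local list, so that list must be populated deliberately if remote-office access is expected to survive a WAN failure.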
  14. AP Bridging Mode
     - Available on Cisco 1130, 1240, and 1500 APs
     - Mode used to set up a mesh network, either indoor or outdoor
     - Allows the AP to act as a wireless LWAPP bridge
     - Only shows up on supported hardware
     - An additional protocol, Adaptive Wireless Path Protocol (AWPP), is used by the AP to determine the best route to the network

  15. Summary
     - An access point can be configured to operate in different modes.
     - In local mode, it provides data services on one channel while still monitoring the other channels.
     - In monitor mode, it scans all the channels permanently.
     - In sniffer mode, it captures frames on one channel and redirects them to a station.
     - In rogue detector mode, it detects wireless rogues on the wired network.
     - Some access points can be configured in H-REAP mode, where they can provide access without being in the same network as their controller.
     - Some access points can be configured in bridge mode to build mesh networks.