Deploying WLANs

WLAN security is one of the more important features of WLANs, and for good reason. WLANs have the same security exposures as Ethernet LANs, plus many more vulnerabilities that wired Ethernet LANs do not have. For example, someone could park outside a building and pick up the WLAN signals from inside the building, reading the data. Therefore, all production WLAN deployments should include the best security options currently available for that WLAN.

Although security is vitally important, the installation of a new WLAN should begin with just getting the WLAN working. As soon as a single wireless device is talking to an AP, security configuration can be added and tested. Following that same progression, this section examines the process of planning and implementing a WLAN, with no security enabled. The final major section of this chapter, "Wireless LAN Security," examines the concepts behind WLAN security.

Wireless LAN Implementation Checklist

The following basic checklist can help guide the installation of a new BSS WLAN:

  • Step 1. Verify that the existing wired network works, including DHCP services, VLANs, and Internet connectivity.
  • Step 2. Install the AP and configure/verify its connectivity to the wired network, including the AP's IP address, mask, and default gateway.
  • Step 3. Configure and verify the AP's wireless settings, including Service Set Identifier (SSID), but no security.
  • Step 4. Install and configure one wireless client (for example, a laptop), again with no security.
  • Step 5. Verify that the WLAN works from the laptop.
  • Step 6. Configure wireless security on the AP and client.
  • Step 7. Verify that the WLAN works again, in the presence of the security features.

This section examines the first five tasks. The last major section of this chapter discusses the concepts behind WLAN security but does not explain the large number of detailed options for configuring WLAN security.

Step 1: Verify the Existing Wired Network

Most of the other chapters in this book explain the details of how to understand, plan, design, and implement the switches and routers that create the rest of the network, so there is no need to repeat those details here. However, it can be helpful to consider a couple of items related to testing an existing wired network before connecting a new WLAN.

First, the Ethernet switch port to which the AP's Ethernet port connects typically is a switch access port, meaning that it is assigned to a particular VLAN. Also, in an ESS design with multiple APs, all the Ethernet switch ports to which the APs attach should be in the same VLAN. Figure 11-8 shows a typical ESS design for a WLAN, with the VLAN IDs listed.

Figure 11-8 ESS WLAN with All APs in Ethernet VLAN 2

To test the existing network, you could simply connect a laptop Ethernet NIC to the same Ethernet cable that will be used for the AP. If the laptop can acquire an IP address, mask, and other information using DHCP, and communicate with other hosts, the existing wired network is ready to accept the AP.

Step 2: Install and Configure the AP's Wired and IP Details

Just like an Ethernet switch, wireless APs operate at Layer 2 and do not need an IP address to perform their main functions. However, just as an Ethernet switch in an Enterprise network should have an IP address so that it can be easily managed, APs deployed in an Enterprise network should also have an IP address.

The IP configuration details on an AP are the same items needed on an Ethernet switch, as covered in the section "Configuring the Switch IP Address" in Chapter 9, "Ethernet Switch Configuration." In particular, the AP needs an IP address, subnet mask, default gateway IP address, and possibly the IP address of a DNS server.

The AP uses a straight-through Ethernet cable to connect to the LAN switch. Although any speed Ethernet interface works, when using the faster WLAN speeds, using a Fast Ethernet interface on a switch helps improve overall performance.

Step 3: Configure the AP's WLAN Details

Most of the time, WLAN APs can be installed with no configuration, and they work. For example, many homes have consumer-grade wireless APs installed, connected to a high-speed Internet connection. Often, the AP, router, and cable connection terminate in the same device, such as the Linksys Dual-Band Wireless A+G Broadband Router. (Linksys is a division of Cisco Systems that manufactures and distributes consumer networking devices.) Many people just buy these devices, plug in the power and the appropriate cables for the wired part of the connection, and leave the default WLAN settings, and the AP works.

Both consumer-grade and Enterprise-grade APs can be configured with a variety of parameters. The following list highlights some of the features mentioned earlier in this chapter that may need to be configured:

  • IEEE standard (a, b, g, or multiple)
  • Wireless channel
  • Service Set Identifier (SSID, a 32-character text identifier for the WLAN)
  • Transmit power

This chapter has already explained most of the concepts behind these four items, but the SSID is new. Each WLAN needs a unique name to identify the WLAN. Because a simple WLAN with a single AP is called a Basic Service Set (BSS), and a WLAN with multiple APs is called an Extended Service Set (ESS), the term for the identifier of a WLAN is the Service Set Identifier (SSID). The SSID is a 32-character ASCII text value. When you configure an ESS WLAN, each of the APs should be configured with the same SSID, which allows for roaming between APs, but inside the same WLAN.

Also note that many APs today support multiple WLAN standards. In some cases, they can support multiple standards on the same AP at the same time. However, these mixed-mode implementations, particularly with 802.11b/g in the same AP, tend to slow down the WLAN. In practice, deploying some 802.11g-only APs and some mixed-mode b/g APs in the same coverage area may provide better performance than using only APs configured in b/g mixed mode.

Step 4: Install and Configure One Wireless Client

A wireless client is any wireless device that associates with an AP to use a WLAN. To be a WLAN client, the device simply needs a WLAN NIC that supports the same WLAN standard as the AP. The NIC includes a radio, which can tune to the frequencies used by the supported WLAN standard(s), and an antenna. For example, laptop computer manufacturers typically integrate a WLAN NIC into every laptop, and you can then use a laptop to associate with an AP and send frames.

The AP has several required configuration settings, but the client may not need anything configured. Typically, clients by default do not have any security enabled. When the client starts working, it tries to discover all APs by listening on all frequency channels for the WLAN standards it supports by default. For example, if a client were using the WLAN shown in Figure 11-6, with three APs, each using a different channel, the client might actually discover all three APs. The client would then use the AP from which the client receives the strongest signal. Also, the client learns the SSID from the AP, again removing the need for any client configuration.

WLAN clients may use wireless NICs from a large number of vendors. To help ensure that the clients can work with Cisco APs, Cisco started the Cisco Compatible Extensions Program (CCX). This Cisco-sponsored program allows any WLAN manufacturer to send its products to a third-party testing lab, with the lab performing tests to see if the WLAN NIC works well with Cisco APs. Cisco estimates that 95 percent of the wireless NICs on the market have been certified through this program.

With Microsoft operating systems, the wireless NIC may not need to be configured because of the Microsoft Zero Configuration Utility (ZCF). This utility, part of the OS, allows the PC to automatically discover the SSIDs of all WLANs whose APs are within range of the NIC. The user can choose the SSID to connect to. Or the ZCF utility can automatically pick the AP with the strongest signal, thereby automatically connecting to a wireless LAN without the user's needing to configure anything.

Note that most NIC manufacturers also provide software that can control the NIC instead of the operating system's built-in tools such as Microsoft ZCF.

Step 5: Verify That the WLAN Works from the Client

The first step to verify proper operation of the first WLAN client is to check whether the client can access the same hosts used for testing in Step 1 of this installation process. (The laptop's wired Ethernet connection should be disconnected so that the laptop uses only its WLAN connection.) At this point, if the laptop can get a response from another host, such as by pinging or browsing a web page on a web server, the WLAN at least works.

If this test does not work, a wide variety of tasks could be performed. Some of the tasks relate to work that is often done in the planning stages, generally called a site survey. During a wireless site survey, engineers tour the site for a new WLAN, looking for good AP locations, transmitting and testing signal strength throughout the site. In that same line of thinking, if the new client cannot communicate, you might check the following:

  • Is the AP at the center of the area in which the clients reside?
  • Is the AP or client right next to a lot of metal?
  • Is the AP or client near a source of interference, such as a microwave oven or gaming system?
  • Is the AP's coverage area wide enough to reach the client?

In particular, you could take a laptop with a wireless card and, using the NIC's tools, walk around while looking at signal quality measurement. Most WLAN NIC software shows signal strength and quality, so by walking around the site with the laptop, you can gauge whether any dead spots exist and where clients should have no problems hearing from the AP.

Besides the site survey types of work, the following list notes a few other common problems with a new installation:

  • Check to make sure that the NIC and AP's radios are enabled. In particular, most laptops have a physical switch with which to enable or disable the radio, as well as a software setting to enable or disable the radio. This allows the laptop to save power (and extend the time before it must be plugged into a power outlet again). It also can cause users to fail to connect to an AP, just because the radio is turned off.
  • Check the AP to ensure that it has the latest firmware. AP firmware is the OS that runs in the AP.
  • Check the AP configuration—in particular, the channel configuration—to ensure that it does not use a channel that overlaps with other APs in the same location.
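The design rules from this section (one SSID per ESS, all AP switch ports in one VLAN, non-overlapping channels, and security enabled before production use) can be checked mechanically against an AP inventory. The following Python code is an added example, not part of the original chapter; the inventory format, AP names, SSID values, security labels, and the 22 MHz channel width are assumptions for illustration, and all listed APs are assumed to cover adjacent areas.

```python
from collections import namedtuple
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22  # assumption: 802.11b/g channel width in the 2.4 GHz band

# name: AP label; ssid: WLAN name; channel: 2.4 GHz channel number (1-13);
# vlan: VLAN of the switch access port the AP connects to;
# security: "open" means no security has been configured yet.
AccessPoint = namedtuple("AccessPoint", "name ssid channel vlan security")


def center_mhz(channel):
    """Center frequency of a 2.4 GHz channel; channels 1-13 sit 5 MHz apart."""
    if not 1 <= channel <= 13:
        raise ValueError(f"unsupported 2.4 GHz channel: {channel}")
    return 2407 + 5 * channel


def channels_overlap(a, b):
    """True when two channels' 22 MHz-wide signals share spectrum."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def audit_ess(aps, production=False):
    """Return a list of findings for one ESS; an empty list means it passes."""
    findings = []
    ssids = sorted({ap.ssid for ap in aps})
    if len(ssids) > 1:
        findings.append(f"APs in one ESS must share an SSID, found {ssids}")
    for ssid in ssids:
        if not 1 <= len(ssid) <= 32:
            findings.append(f"SSID {ssid!r} is not 1-32 characters long")
    vlans = sorted({ap.vlan for ap in aps})
    if len(vlans) > 1:
        findings.append(f"AP switch ports must be in one VLAN, found {vlans}")
    for x, y in combinations(aps, 2):
        if channels_overlap(x.channel, y.channel):
            findings.append(
                f"{x.name} (ch {x.channel}) overlaps {y.name} (ch {y.channel})")
    if production:  # Steps 1-5 run without security on purpose; production must not
        for ap in aps:
            if ap.security == "open":
                findings.append(f"{ap.name} has no security configured")
    return findings


# Constructed inventories (not from the chapter): a clean bring-up and a broken one.
GOOD = [AccessPoint("ap1", "corp-wlan", 1, 2, "open"),
        AccessPoint("ap2", "corp-wlan", 6, 2, "open"),
        AccessPoint("ap3", "corp-wlan", 11, 2, "open")]
BAD = [AccessPoint("ap1", "corp-wlan", 1, 2, "wpa2"),
       AccessPoint("ap2", "corp-wlan", 3, 2, "wpa2"),
       AccessPoint("ap3", "corp-wifi", 11, 3, "open")]

if __name__ == "__main__":
    for label, aps, prod in (("bring-up", GOOD, False), ("production", BAD, True)):
        print(label, audit_ess(aps, production=prod) or "OK")
```

Running the audit with `production=False` during Steps 1 through 5 and again with `production=True` after Step 6 mirrors the checklist's order: connectivity first, then security.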

This completes the explanations of the first five steps of installing a simple wireless LAN. The final major section of this chapter examines WLAN security, which also completes the basic installation steps.
