Cisco Systems 350 Network Router User Manual

Chapter 1
Overview
Cisco Aironet Bridges are wireless LAN transceivers that connect two or more remote networks into a
single LAN. The 350 Series Bridge can also be used as a rugged access point, providing network access
to wireless client devices.
The bridge uses a browser-based management system, but you can also configure the bridge using a
terminal emulator, a Telnet session, Secure Shell (SSH), or Simple Network Management Protocol
(SNMP).
This chapter provides information on the following topics:
• Key Features, page 1-2
• Management Options, page 1-3
• Roaming Client Devices, page 1-3
• Quality of Service Support, page 1-3
• VLAN Support, page 1-4
• Role in a Wireless Network, page 1-9
Cisco Aironet 350 Series Bridge Software Configuration Guide
OL-1410-07
1-1
Chapter 1
Overview
Key Features
Key Features
This section describes the key features of the bridge firmware. The following are the key features of
version 12.01T:
• Multiple IEEE 802.11 service set identifiers (SSIDs) to create different levels of network access and
to access virtual LANs (VLANs)—You can configure up to 16 separate SSIDs to support up to 16
VLANs on your network. Each VLAN can have a different wireless security configuration so that
the devices that support the latest Cisco security enhancements can exist alongside legacy devices.
This additional bridge functionality enables a variety of users having different security levels to
access different parts of the network.
• Quality of service (QoS) to allow various devices on the network to communicate more
effectively—The bridge now supports QoS for wireless Voice over IP (VoIP) telephones and
downlink prioritized channel access for streaming audio and video traffic. Filters can also be set to
prioritize traffic based on VLAN, VoIP address-based filters, protocol, or port.
• Centralized administrator authentication uses an AAA server to authenticate users if the user
administration feature is enabled on the bridge. The AAA server verifies the user login and passes
back the appropriate privileges for the user or an administrator.
• Improved handling of lost Ethernet links allows a number of actions to be executed when a bridge loses
backbone connectivity:
– No action—the bridge continues to maintain associations with clients and manages traffic
between them, but traffic to the backbone is not passed. When the backbone is restored, the
bridge begins passing traffic to and from the wired network.
– Switch to repeater mode—the bridge tries to connect to a root access point using any of the
configured SSIDs. If it cannot connect, all clients are disassociated and the bridge removes itself
from the wireless network until connectivity is restored.
– Shut the radio off—all clients are disassociated and the bridge removes itself from the wireless
network until backbone connectivity is restored.
– Restrict to SSID—the bridge allows association using a restricted SSID (for administrator
troubleshooting and diagnosis purposes).
• Authentication server management includes two new features in release 12.01T:
– Display of active authentication servers—for each authentication type: 802.1x/LEAP, MAC, or
Admin Authentication (if enabled), the active server is identified by a green color.
– Automatic return to primary authentication server—if the selected RADIUS server (primary) is
not reachable after a predetermined period of time-out and retries, the bridge uses the next
server listed.
• Reporting bridges that fail authentication with LEAP provides a passive method of detecting rogue
bridges in a LEAP enabled network. It is passive because bridges do not actively look for or detect
a rogue bridge in the wireless network. Instead, the bridge depends on LEAP enabled clients to
report rogue bridges.
• Secure Shell (SSH) support for providing strong user authentication and encryption of
management traffic. SSH is a software package that provides a cryptographically secure replacement
for or an alternative to Telnet. It provides strong host-to-host and user authentication as well as
secure encrypted communications over a nonsecure network. The feature operates as follows:
– The SSH server on the access point listens to its TCP port 22 for requests.
– When a request from a client is received, the access point sends a public key, supported cipher
specification details, and supported authentication type (password only) to the client.
– The client generates a double encrypted session key and sends it to the access point along with
the chosen cipher specification.
– The access point authenticates the client based on a user ID and password when the user
manager feature is enabled.
– If authentication is successful, all management traffic between the client and access point is
encrypted using the session key.
Management Options
You can use the bridge management system through the following interfaces:
• A web-browser interface
• A command-line interface (CLI)
• Simple Network Management Protocol (SNMP)
The bridge’s management system pages are organized the same way for the web-browser interface and
the CLI. The examples in this manual are all taken from the web-browser interface. Chapter 2, “Using
the Management Interfaces” provides a detailed description of each management option.
Roaming Client Devices
If you have more than one bridge or access point in your wireless LAN, wireless client devices can roam
seamlessly from one bridge or access point to another. The roaming functionality is based on signal
quality, not proximity. When a client’s signal quality drops, it roams to another bridge or access point.
Wireless LAN users are sometimes concerned when a client device stays associated to a distant bridge
or access point instead of roaming to a closer bridge or access point. However, if a client’s signal to a
distant bridge or access point remains strong, the client will not roam to a closer bridge or access point.
If client devices checked constantly for closer bridges and access points, the extra radio traffic would
slow throughput on the wireless LAN.
Quality of Service Support
The bridge now supports Cisco’s QoS, primarily in the area of wireless VoIP telephones from
Spectralink and Symbol Technologies Corporation. The bridge also provides priority classification,
prioritized queueing, and prioritized channel access for other downlink IEEE 802.11 traffic such as
streaming audio or video traffic.
With this software release, the bridge does not include any QoS enhancements in Cisco IEEE 802.11
client software.
What is QoS?
QoS refers to the ability of a network to provide improved service to selected network traffic over various
underlying technologies including Ethernet and wireless LANs. In particular, QoS features provide
improved and more predictable network service by providing the following services:
• Improving loss characteristics
• Avoiding and managing network congestion
• Prioritizing service to different kinds of network traffic
• Shaping network traffic
• Setting traffic priorities across the network
Limitations and Restrictions
The QoS implementation on the bridge has the following limitations and restrictions:
• Provides only prioritized QoS for downlink traffic on IEEE 802.11 links and does not support a
general purpose QoS signalling protocol, uniform admission control, guaranteed bandwidth, and
other features that are generally associated with parameterized QoS.
• Supports rudimentary admission control mechanisms for Spectralink and Symbol VoIP phones.
• Does not provide a method for prioritizing uplink traffic on IEEE 802.11 links.
• Does not offer 802.1X authentication for Symbol VoIP phones because those phones do not support
an 802.1X type such as LEAP or EAP-TLS.
• The DTIM beacon period must be small to support jitter-sensitive streaming multicast audio and
video applications.
• Supports IEEE 802.11e EDCF-like channel access prioritization but does not support IEEE 802.11e
QoS frame formats.
Related Documents
The following documents provide more detailed information pertaining to QoS design and
configuration:
• Cisco Internetworking Technology Handbook
• Cisco IOS Quality of Service Solutions Command Reference, Version 12.2
These documents are available on Cisco.com.
VLAN Support
Version 12.01T supports VLAN technology by mapping SSIDs to VLANs. With the multiple-SSID
capability, the bridge can support up to 16 VLAN subnets.
What is a VLAN?
A switched network can be logically segmented into virtual local-area networks (VLANs), on a physical
or geographical basis, or by functions, project teams, or applications. For example, all workstations and
servers used by a particular workgroup team can be connected to the same VLAN regardless of their
physical connections to the network or the fact that they might be intermingled with devices for other
teams. Reconfiguration of VLANs can be done through software rather than physically unplugging and
moving devices or wires.
A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN
consists of a number of end systems, either hosts or network equipment (such as bridges and routers),
connected by a single bridging domain. The bridging domain is supported on various pieces of network
equipment; for example, LAN switches that operate bridging protocols between them with a separate
group for each VLAN.
VLANs are created to provide the segmentation services traditionally provided by routers in LAN
configurations. Routers in VLAN topologies provide broadcast filtering, security, address
summarization, and traffic-flow management. None of the switches within the defined group will bridge
any frames, not even broadcast frames, between two VLANs.
Several key issues must be considered when designing and building switched LAN networks:
• LAN segmentation
• Security
• Broadcast control
• Performance
• Network management
• Communication between VLANs
VLANs are extended into the wireless realm by adding IEEE 802.1Q tag awareness to the bridge. Frames
destined for wireless LAN clients on different VLANs are transmitted by the bridge on different SSIDs
with different WEP keys. The only clients that can receive and process packets are those with the correct
WEP keys. Conversely, packets coming from a client associated with a certain VLAN are 802.1Q tagged
before they are forwarded onto the wired network.
Figure 1-1 illustrates the difference between traditional physical LAN segmentation and logical VLAN
segmentation with wireless devices connected.
Figure 1-1 LAN Segmentation and VLAN Segmentation with Wireless Components
[Figure: two panels. "Traditional LAN Segmentation" shows LAN 1, LAN 2, and LAN 3 on separate floors (Floor 3, Floor 2, Floor 1), each with a shared hub and a Catalyst VLAN switch, all wireless devices using SSID 0. "VLAN Segmentation" shows VLAN 1, VLAN 2, and VLAN 3 carried over a trunk port from a Catalyst VLAN switch to a shared hub and the bridge, with SSID 1 = VLAN 1, SSID 2 = VLAN 2, SSID 3 = VLAN 3.]
Related Documents
The following documents provide more detailed information pertaining to VLAN design and
configuration:
• Cisco IOS Switching Services Configuration Guide
• Cisco Internetworking Design Guide
• Cisco Internetworking Technology Handbook
• Cisco Internetworking Troubleshooting Guide
Incorporating Wireless Devices into VLANs
A WLAN is generally deployed in an enterprise campus or branch office for increased efficiency and
flexibility. WLANs are one of the most effective methods to connect to an enterprise network. With
version 12.01T, you can configure your wireless devices to operate in a VLAN.
The basic wireless components of a VLAN consist of a bridge and a set of clients associated to it using
wireless technology. The bridge is physically connected through a trunk port to the network switch on
which the VLAN is configured. The physical connection to the VLAN switch is through the bridge’s
Ethernet port.
In fundamental terms, the key to configuring a bridge to connect to a specific VLAN is configuring
an SSID to map to that VLAN. Because VLANs are identified by a VLAN ID, it follows that if an SSID
on a bridge is configured to map to a specific VLAN ID, a connection to the VLAN is established. When
this connection is made, associated wireless client devices having the same SSID are able to access the
VLAN through the bridge. The VLAN processes data to and from the clients the same way that it
processes data to and from wired connections. The fact that the client is wireless has no impact on the
VLAN.
The VLAN feature now enables users to deploy wireless devices with greater efficiency and flexibility.
For example, one bridge can now handle the specific requirements of multiple users having widely varied
network access and permissions. Without VLAN capability, multiple bridges, one for each VLAN,
would have to be employed to serve classes of users based on the access and permissions they were
assigned.
A VLAN Example
The following simplified example shows how wireless devices can be used effectively in a VLAN
environment on a college campus. In this example, three levels of access are available through VLANs
configured on the physical network:
• Student access—Lowest level of access; ability to access school’s Intranet, obtain class schedules
and grades, make appointments, and perform other student-related activities
• Faculty access—Medium level of access; ability to access internal files, read from and write to
student databases, access the intranet and Internet, and access internal information such as human
resources and payroll information
• Management access—Highest level of access; ability to access all internal drives and files, and
perform management activities
In this scenario, a minimum of three VLAN connections would be required: one for each level of access
discussed above. The bridge can handle up to 16 SSIDs; therefore, the following basic design could be
employed as shown in Table 1-1.
Table 1-1 Access Level SSID and VLAN Assignment
Level of Access    SSID          VLAN ID
Student            Student       01
Faculty            Faculty       02
Management         Management    03
Using this design, setting up the clients is based on the level of access each user requires. A typical
network diagram using this design would look like the one shown in Figure 1-2.
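As an added illustration that is not part of the Cisco guide, the following Python sketch models the SSID-to-VLAN mapping of Table 1-1 together with the 802.1Q behaviour described earlier in this chapter: a frame received from a client on a given SSID is tagged with that SSID's VLAN ID before it is forwarded to the wired trunk, and a tagged frame arriving from the trunk is mapped back to the one SSID it may be transmitted on. Frames from an SSID with no VLAN, or for a VLAN with no SSID, are refused rather than bridged; the dictionary and all frame bytes are constructed sample data, not the bridge's real configuration store.

```python
import struct

# SSID -> VLAN ID mapping from Table 1-1 (constructed stand-in for the
# per-SSID VLAN setting the bridge keeps in its configuration).
SSID_TO_VLAN = {"Student": 1, "Faculty": 2, "Management": 3}
VLAN_TO_SSID = {vid: ssid for ssid, vid in SSID_TO_VLAN.items()}

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q tagged frame
ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)


def tag_from_client(frame: bytes, ssid: str, priority: int = 0) -> bytes:
    """Tag a frame received on `ssid` with that SSID's VLAN ID.

    Returns the 802.1Q tagged frame to forward onto the wired trunk, or
    raises if the frame is malformed or the SSID maps to no VLAN.
    """
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short for an Ethernet header")
    if frame[12:14] == struct.pack("!H", ETHERTYPE_8021Q):
        # A client must not pick its own VLAN by sending a pre-tagged frame.
        raise ValueError("client frame is already tagged; not forwarded")
    vlan_id = SSID_TO_VLAN.get(ssid)
    if vlan_id is None:
        raise KeyError(f"SSID {ssid!r} is not mapped to a VLAN")
    # TCI = 3-bit priority (PCP), 1-bit DEI (0), 12-bit VLAN ID
    tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def untag_for_wireless(frame: bytes):
    """Strip the 802.1Q tag from a trunk frame and pick the SSID to send on.

    Returns (ssid, untagged_frame), or None when the frame carries a VLAN
    that no SSID maps to (the bridge must not leak it onto any SSID).
    """
    if len(frame) < ETH_HDR_LEN + 4:
        raise ValueError("frame too short to carry an 802.1Q tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETHERTYPE_8021Q:
        raise ValueError("trunk frame is untagged; no VLAN to map")
    vlan_id = tci & 0x0FFF
    ssid = VLAN_TO_SSID.get(vlan_id)
    if ssid is None:
        return None
    return ssid, frame[:12] + frame[16:]


def sample_frame() -> bytes:
    # Constructed sample: dst MAC, src MAC, IPv4 EtherType, dummy payload.
    return (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", 0x0800) + b"sample payload")


if __name__ == "__main__":
    f = sample_frame()
    tagged = tag_from_client(f, "Faculty", priority=5)
    print(tagged[12:16].hex())  # 8100a002
    print(untag_for_wireless(tagged)[0])  # Faculty
```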
Figure 1-2 VLAN Example
[Figure: "VLAN segmentation" with three Catalyst VLAN switches and a router carrying VLAN 1, VLAN 2, and VLAN 3; a trunk port connects the access point, which advertises SSID: Student, SSID: Faculty, and SSID: Management, with Student SSID = VLAN 1, Faculty SSID = VLAN 2, Management SSID = VLAN 3.]
Role in a Wireless Network
Root and Non-root Bridges
The typical bridge configuration consists of two or more bridges. One bridge is connected to the main
wired LAN and set to root, and the other bridge or bridges are attached to remote LAN segments and set
to non-root. A root bridge can communicate only with non-root bridges, but non-root bridges can
communicate with each other. Figure 1-3 shows a typical bridge configuration.
Figure 1-3 Bridges on a Wired LAN
[Figure: File server, LAN segment A, Bridge (root unit), Workstation A; Bridge (non-root), LAN segment B, Workstation B; Bridge (non-root), LAN segment C, Workstation C.]
Repeater Bridge
You can also use a bridge as a repeater. A repeater bridge is placed between two bridges to extend the
range of your infrastructure or to overcome an obstacle that blocks radio communication. The repeater
bridge may or may not be attached to a LAN segment.
The repeater forwards traffic between wired LAN segments by sending packets to another bridge.
Figure 1-4 shows a bridge set up as a repeater.
Figure 1-4 Repeater Bridge
[Figure: File server, LAN segment A, Bridge (root unit), Workstation A; Bridge (non-root); Bridge (repeater); LAN segment B, Workstation B.]
You can set up a chain of repeater bridges, but throughput across the repeater chain will be quite low.
Because each repeater must receive and then re-transmit each packet on the same channel, throughput is
cut in half for each repeater you add to the chain. For example, throughput is halved for data sent from
workstation B to workstation A in Figure 1-4.
Rugged Access Point
The bridge has a metal housing, so you can install it in surroundings that would be too harsh for a bridge
or an access point with a plastic housing. The bridge must be protected from water, but it will operate in
extreme temperatures. Refer to the “Role in Radio Network” section on page 3-4 for instructions on
setting up the bridge as an access point. Figure 1-5 shows a bridge functioning as a rugged access point.
Figure 1-5 Bridge Functioning as Rugged Access Point
[Figure: File server, LAN segment A, Bridge (root unit), Workstation A; wireless clients: Workstation, Laptop, Workstation.]