Вы находитесь на странице: 1из 37

The Bryant Advantage CCNP SWITCH Study Guide

Chris Bryant, CCIE #12933 http://www.thebryantadvantage.com

Back To Index


Wireless Networking Basics

The Association Process
Roaming Users
WLAN Authentication
Standards, Ranges, and Frequencies
Antenna Types
Cisco Compatible Extension
Lightweight APs and LWAPP
Wireless LAN Controllers (WLC)
Wireless Control System & The Location Appliance
Wireless LAN Solution Engine (WLSE)
Wireless Repeaters
Aironet Desktop Utility

Aironet System Tray Utility

Introduction To Mesh Networks

Wireless Basics
Hard to believe there was once a time when a laptop or PC had to be
connected to an outlet to access the Internet, isn't it? Wireless is
becoming a larger and larger part of everyday life, to the point where
people expect to be able to access the Net or connect to their network
while eating lunch.
Wireless networks are generally created by configuring Wireless Access
Points (WAP or AP, depending on documentation). If you're connecting
to the Internet or your company's network from a hotel or restaurant,
you're connected to a lily pad network.
Unlike the physical networks we've discussed previously in this course, the
WAPs in a lily pad network can be owned by different companies. The
WAPs create hotspots where Internet access is available to anyone with a
wireless host - and hopefully, a username and password is required as
WAPs are not required to create a wireless network. In an ad hoc WLAN
("wireless LAN"), the wireless devices communicate with no WAP
involved. Ad hoc networks are also called Independent Basic Service Sets
(iBSS or IBSS, depending on whose documentation you're reading).
There are two kinds of infrastructure WLANs. While a Basic Service Set
(BSS) will have a single AP, Extended Service Set WLANs (ESS), have
multiple access points. An ESS is essentially a series of interconnected
Hosts successfully connecting to the WAP in a BSS are said to have
formed an association with the WAP. Forming this association usually
requires the host to present required authentication and/or the correct
Service Set Identifier (SSID). The SSID is the public name of the wireless
network. SSIDs are case-sensitive text strings and can be up to 32
characters in length.

Cisco uses the term AP instead of WAP in much of their documentation;

just be prepared to see this term expressed either way on your exam and
in network documentation. I'll call it an AP for the rest of this section.
A BSS operates much like a hub-and-spoke network in that all
communication must go through the hub, which in this case is the AP.
We went over three different service set types in that section, so to

Independent Basic Service Sets have no APs; the few wireless

devices involved interact directly. An IBSS network is also called an
ad hoc network.
Basic Service Sets have a single AP.
Extended Service Sets have multiple APs, which allow for a larger
coverage area than the other two types and also allow roaming users
to fully utilize the WLAN.

Creating An Association
There's quite a bit going on when a client forms an association with an
AP, but here's an overview of the entire process. The client is going to
transmit Probe Requests, and in turn the AP response with Probe
Basically, the Probe Request is the client yelling "Anybody out there?"
and the Probe Response is the AP saying "I'm Over Here!"

When the client learns about the AP, the client then begins the process of
association. The exact information the client sends depends on the
configuration of the client and the AP, but it will include authentication
information such as a pre-shared key.

If the client passes the authentication process, the AP then records the
client's MAC address and accepts the association with the client.
Roamin', Roamin', Roamin'
APs can also be arranged in such a way that a mobile user, or roaming
user, will (theoretically) always be in the provider's coverage area. Those
of us who are roaming users understand the "theoretical" part!
Roaming is performed by the wireless client. Under certain circumstances
that we'll discuss in just a moment, the client will actively search for
another AP with the same SSID as the AP it's currently connected to.
There are two different methods the client can use to find the next AP active scanning and passive scanning. With active scanning, the client
sends Probe Request frames and then waits to hear Probe Responses. If
multiple Probe Responses are heard, the client chooses the most
appropriate WAP to use in accordance with vendor standards.
Passive scanning is just what it sounds like - the client listens for beacon
frames from APs. No Probe Request frames are sent.
Roaming networks use multiple APs to create overlapping areas of
coverage called cells. While your signal may occasionally get weak near
the point of overlapping, the ESS allows roaming users to hit the network

at any time. (We hope!)

Roaming is made possible by the Inter-Access Point Protocol (IAPP).

For roaming users to remain connected to the same network as they
roam, the APs must be configured with the same SSIDs and have
knowledge of the same IP subnets and VLANs (assuming VLANs are in
use, which they probably are).
How does our client decide it's time to move from one AP to another?
Any one of the following events can trigger that move, according to
Cisco's website:

Client has not received a beacon from an AP for a given amount of

The maximum data retry count has been reached
A change in the data rate

Why would the data rate change? With wireless, the lower the data rate,
the greater the range. The 802.11 standard will automatically reduce the
data rate as the association with an AP deteriorates.
L2 Roaming vs. L3 Roaming
The difference between the two is straightforward - L2 roaming is
performed when the APs the client is roaming are on the same IP subnet,
while L3 roaming occurs when the APs are on different IP subnets.
Service Set Identifier (SSID)

When you configure a name for your WLAN, you've just configured a
SSID. The SSID theory is simple enough - if the wireless client's SSID
matches that of the access point, communication can proceed. The SSID
is case-sensitive and it has a maximum length of 32 characters.

A laptop can be configured with a null SSID, resulting in the client

basically asking the AP for its SSID; if the AP is configured to broadcast
its SSID, it will answer and communication can proceed.

A classic "gotcha" with SSIDs is to configured the AP to not broadcast its

SSID. This would seem to be a great move for your WLAN's security ...
but is it?

As you've already guessed, this is not an effective security measure,

because the SSID sent by the client is not encrypted. It's quite easy to
steal, and obviously no unencryption is needed!
WLAN Authentication (And Lack of Same)
Of course, you don't want just any wireless client connecting to your

WLAN! The 802.11 WLAN standards have two different authentication

schemes - open system and shared key. They're both pretty much what
they sound like.
Open system is basically one station asking the receiving station "Hey, do
you recognize me?"
Hopefully, shared key is the authentication system you're more familiar
with, since open system is a little too open! Shared key uses Wired
Equivalent Privacy (WEP) to provide a higher level of security than open
There's just one little problem with WEP. Okay, a big problem. It can be
broken in seconds by software that's readily available on the Web.
Another problem is the key itself. It's not just a shared key, it's a static
key, and when any key or password remains the same for a long time, the
chances of it being successfully hacked increase substantially.
These two factors make WEP unacceptable for our network's security.
Luckily, we've got options...
A Giant LEAP Forward
The Extensible Authentication Protocol (EAP) was actually developed
originally for PPP authentication, but has been successfully adapted for
use in wireless networks. RFC 3748 defines EAP.
Cisco's proprietary version of EAP is LEAP, the Lightweight Extensible
Authentication Protocol. LEAP has several advantages over WEP:

There is two-way authentication between the AP and the client

The AP uses a RADIUS server to authenticate the client
The keys are dynamic, not static, so a different key is generated upon
every authentication

Recognizing the weaknesses inherent in WEP, the Wi-Fi Alliance (their

home page is http://wi-fi.org) saw the need for stronger security features in
the wireless world. Their answer was Wi-Fi Protected Access (WPA), a
higher standard for wireless security.
Basically, WPA was adopted by many wireless equipment vendors while
the IEEE was working on a higher standard as well, 802.11i - but it wasn't
adopted by every vendor. As a result, WPA is considered to work

universally with wireless NICs, but not with all early APs.
When the IEEE issued 802.11i, the Wi-Fi Alliance improved the original
WPA standards, and came up with WPA2. As you might expect, not all
older wireless cards will work with WPA2.
To put it lightly, both WPA and WPA2 are major improvements over
WEP. Many wireless devices, particularly those designed for home use,
offer WEP as the default protection - so don't just click on all the defaults
when you're setting up a home wireless network! The WPA or WPA2
password will be longer as well - they're actually referred to as
passphrases. Sadly, many users will prefer WEP simply because the
password is shorter.
Wireless Networking Standards, Ranges, and Frequencies
Along with the explosion of wireless is a rapidly-expanding range of
wireless standards. Some of these standards play well together, others
do not. Let's take a look at the wireless standards you'll need to know to
pass the exam and to work with wireless in today's networks.
The standards listed here are all part of the 802.11x standards developed
by the IEEE.
802.11a has a typical data rate of 25 MBPS, but can reach speeds of 54
MBPS. Indoor range is 100 feet. Operating frequency is 5 GHz.
802.11b has a typical data rate of 6.5 MBPS, but can reach speeds of 11
MBPS. Indoor range is 100 feet. Operating frequency is 2.4 GHz.
802.11g has a typical data rate of 25 MBPS, a peak data rate of 54
MBPS, and an indoor range of 100 feet. Operating frequency is 2.4 GHz.
802.11g is fully backwards-compatible with 802.11b, and many routers
and cards that use these standards are referred to as "802.11b/g", or just
"b/g". .11g and .11b even have the same number of non-overlapping
channels (three).
You can have trouble with 802.11g from an unexpected source - popcorn!
Well, not directly, but microwave ovens also share the 2.4 GHz band, and
the presence of a microwave in an office can actually cause connectivity
issues. (And you thought they were just annoying when people burn
popcorn in the office microwave!) Solid objects such as walls and other
buildings can disturb the signal in any bandwidth.

802.11n has a typical data rate of 200 MBPS, a peak data rate of 540
MBPS, and an indoor range of 160 feet. Operating frequency is either 2.4
GHz or 5 GHz.
Infrared Data Association (IrDA)
The IrDA is another body that defines specifications, but the IrDA is
concerned with standards for transmitting data over infrared light. IrDA 1.0
only allowed for a range of 1 meter and transmitted data at approximately
115 KBPS. The transmission speed was greatly improved with IrDA 1.1,
which has a theoretical maximum speed of 4 MBPS. The two standards
are compatible.
Keep in mind that neither IrDA standard has anything to do with radio
frequencies - only infrared light streams.
The IrDA notes that to reach that 4 MBPS speed, the hardware must be
1.1 compliant, and even that might not be enough - the software may have
to be modified as well. Which doesn't sound like fun.
Antenna Types
A Yagi antenna (technically, the full name is "Yagi-Uda antenna") sends its
signal in a single direction, which means it must be aligned correctly and
kept that way. Yagi antennas are sometimes called directional antennas,
since they send their signal in a particular direction.

In contrast, an Omni ("omnidirectional") antenna sends a signal in all

directions on a particular plane.
Since this is networking, we can't just call these antennae by one name!
Yagis are also known as point-to-point and directional antennas; Omni

antennas are also known as omnidirectional and point-to-multipoint

Both Yagi and Omni antennas have their place in wireless networks. The
unidirectional signal a Yagi antenna sends makes it particularly helpful in
bridging the distance between APs. The multidirectional signal sent by
Omni antennas help connect hosts to APs, including roaming laptop
Courtesy of wikipedia.org, here are some "antenna terms" you should be
familiar with:
Gain refers to the directionality of an antenna. Antennae with low gains
emit radiation at the same power in all directions, where a high-gain
antenna will focus its power in a particular direction or directions.
dBi stands for Decibel(isotropic), and I won't go far into this territory, I
promise! dBi is a common value used to truly measure the gain of a given
antenna when compared to a fictional antenna that distributes energy in
all directions.
And you thought we had it bad with BGP. :)
Bandwidth refers to the range of frequencies over which the antenna is
effective. There are several methods of increasing bandwidth, including
the use of thicker wires and combining multiple antennas into a single
Polarization refers to the physical positioning and orientation of the
From your CCNA studies, you know all about how a "Wired LAN" avoids
collisions. Through the use of IEEE 802.3, CSMA/CD (Carrier Sense
Multiple Access with Collision Detection), only one host can transmit at a
time - and even if multiple hosts transmit data onto a shared segment at
once, jam signals and random timers help to minimize the damage.
With "Wireless LANs", life isn't so simple. Wireless LANs can't listen and
send at the same time - they're half-duplex - so traditional collision
detection techniques cannot work. Instead, wireless LANs will use IEEE
standard 802.11, CSMA/CA, (Carrier Sense Multiple Access with Collision

Let's walk through an example of Wireless LAN access, and you'll see
where the "avoidance" part of CSMA/CA comes in.
The foundation of CSMA/CA is the Distributed Coordination Function
(DCF). The key rule of DCF is that when a station wants to send data,
the station must wait for the Distributed Interframe Space (DIFS) time
interval to expire before doing so. In our example, Host A finds the
wireless channel to be idle, waits for the DIFS timer to expire, and then
sends frames.

Host B and Host C now want to send frames, but they find the channel to
be busy with Host A's data.

The potential issue here is that Host B and Host C will simultaneously
realize Host A is no longer transmitting, so they will then both transmit,
which will lead to a collision. To help avoid (there's the magic word!) this,
DCF requires stations finding the busy channel to also invoke a random
timer before checking to see if the channel is still busy.
In DCF-speak, this random amount of time is the Backoff Time. The

formula for computing Backoff Time is beyond the scope of the exam, but
the computation does involve a random number, and that random value
helps avoid collisions.
The Cisco Compatible Extensions Program
When you're looking to start or add to your wireless network, you may just
"How The $&!(*% Can I Figure Out Which Equipment Supports Which
A valid question!
Thankfully, Cisco's got a great tool to help you out - the Cisco Compatible
Extension (CCX) website. Cisco certification isn't just for you and I - Cisco
also certifies wireless devices that are guaranteed to run a desired
wireless feature.
The website name is a little long to put here, and it may well change, so I
recommend you simply enter "cisco compatible extension" into your
favorite search engine - you'll find the site quickly. Don't just enter "CCX"
in there - you'll get the Chicago Climate Exchange. I'm sure they're great
at what they do, but don't trust them to verify wireless capabilities!
Lightweight Access Points and LWAPP
Originally, most access points were autonomous - they didn't depend on
any other device in order to do its job. The BSS we looked at earlier in
this section was a good example of an autonomous AP.

The problem with autonomous APs is that as your wireless network grows
- and it will! - it becomes more difficult to have a uniform set of policies
applied to all APs in your network. It's imperative that each AP in your
network enforce a consistent policy when it comes to security and Quality
of Service - but sometimes this just doesn't happen.
Many WLANs start small and end up being not so small! At first,
centralizing your security policies doesn't seem like such a big deal,
especially when you've only got one access point.

As your network grows larger and more access points are added, having
a central policy does become more important. The more WAPs you have,
the bigger the chance of security policies differing between them - and the
bigger the chance of a security breach.
Let's say you add two WAPs to the WLAN network shown above. Maybe
they're configured months apart, maybe they're configured by different
people - but the result can be a radically different set of security

We've now got three very different WLAN security protocols in place, and
the difference between the three is huge, as you'll soon see. Depending
on which WAP the laptop uses to authenticate to the WLAN, we could
have a secure connection - or a very non-secure connection.
This simple example shows us the importance of a standard security
policy, and that's made possible through the concept of the Cisco Unified
Wireless Network, which has two major components - Lightweight Access
Points (LAP or WLAP) and WLAN Controllers (WLC).
The WLC brings several benefits to the table:

Centralization, management, and distribution of security policies and

Allows mobile users to receive a consistent level of service and
security from any AP in the network
Detection of rogue APs

Configuring the access points as LAPs allows us to configure a central

device, the WLAN Controller, to give each of the LAPs the same security
policy. The protocol used to do so, the aptly-named Lightweight Wireless
Access Point Protocol (LWAPP), detects rogue (fake) access points as
How does the WLC perform this rogue AP detection? The LAP and
WLC actually have digital certificates installed when they're built - X.509

certificates, to be exact. A rogue AP will not have this certificate, and

therefore can't authenticate to become part of the network. These
certificates are technically referred to as MICs, short for Manufacturing
Installed Certificates.
The WLC is basically the manager of the WLAN, with the LAPs serving as
the workers. The WLAN Controller will be configured with security
procedures, Quality of Service (QoS) policies, mobile user policies, and
more. The WLC then informs the LAPs of these policies and procedures,
ensuring that each LAP is consistently enforcing the same set of wireless
network access rules and regulations.
LAPs cannot function independently, as Autonomous APs can. LAPs are
dependent on the presence of a WLC and cannot function properly without
one. Conversely, Autonomous APs cannot work with a WLC, since
Autonomous APs do not speak LWAPP.
(LWAPP is Cisco-proprietary; the industry standard is CAPWAP, the
Control and Provisioning of Wireless Access Points.)
LAPs can be configured with static IP addresses, but it's common to have
an LAP use DHCP to acquire an IP address in the same fashion a host
device would use. If the LAP is configured to get its IP address via DHCP
and the first attempt to do so fails, the LAP will continue to send DHCP
Discovery messages until a DHCP Server replies.
Now the LAP must associate with a WLC. The LAP will use the
Lightweight Wireless Access Point Protocol (LWAPP) to do so.
We have two modes for LWAPP - L2 mode and L3 mode. If the LAP is
running L2 mode, the LAP will send an L2 LWAPP Discovery message in
an attempt to find a WLC that is running L2 LWAPP.

If a WLC receives that Discovery message and is running L2 LWAPP, it

will respond with a LWAPP L2 Discovery Response.

If the LAP does not receive an L2 LWAPP Discovery Response, or if the

LAP doesn't support L2 LWAPP in the first place, it'll send an L3 LWAPP
Discovery message.

If that doesn't work, the entire process begins again with the LAP sending
a DHCP Discovery message.
Now the LAP needs to associate with one of the WLCs it has discovered.
To do so, the LAP sends a LWAPP Join Request, and the WLC returns a
LWAPP Join Response.

How does the LAP know where to send that LWAPP Join Request? After
receiving an IP address of its own via DHCP, the LAP must learn the IP
address of the WLC via DHCP or DNS. To use DHCP, the DHCP Server
must be configured to use DHCP Option 43.
When Option 43 is in effect, the DHCP Server will include the IP
addresses of WLCs in the Option 43 field of the DHCP Offer packet. The
LAP can then send L3 LWAPP Discovery Request messages to each of
the WLCs.
The LAP can also broadcast that Join Request to its own IP subnet, but

obviously that's only going to work if the WLC is actually on the subnet
local to the LAP.
Once this Join has taken place, a comparison is made of the software
revision number on both the LAP and WLC. If they have different
versions, the LAP will download the version stored on the WLC.
There will be two forms of traffic exchanged between the LAP and WLC:

Control traffic
Data traffic

While LWAPP L2 traffic is encapsulated in an Ethernet frame (EtherType

0xBBBB), L3 LWAPP traffic uses UDP source port 1024 and the
following destination ports for control and data traffic:

Control traffic: Destination UDP port is 12223

Data traffic: Destination UDP port is 12222

LWAPP uses secure key distribution to ensure the security of the control
connection between the two - the control messages will be both encrypted
and authenticated. The encryption is performed by the AES-CCM
protocol. (The previously mentioned LWAPP Join Request and Response
messages are not encrypted.)
The data packets passed between the LAP and WLC will be LWAPPencapsulated - essentially, LWAPP creates a tunnel through which the
data is sent - but no other encryption or security exists by default.
Just as we had L2 and L3 roaming, we also have LWAPP L2 and L3
mode. A lightweight AP will first use LWAPP L2 mode to attempt to
locate a WLC; if none is found, the AP will then use LWAPP L3 mode.
Many networks will have more than one WLC, which is great for
redundancy, but how does the AP decide which WLC to associate with if it
finds more than one? The AP will simply use the WLC with the fewest
associated APs. This prevents one WLC from being overloaded with
associations while another WLC in the same network remains relatively
Many Cisco Aironet access points can operate autonomously or as an
LAP. Here are a few of those models:

1230 AG Series
1240 AG Series
1130 AG Series

Sounds simple enough, but there are some serious restrictions to APs that
have been converted from Autonomous mode to Lightweight mode.
Courtesy of Cisco's website, here are the major restrictions:
Roaming users cannot roam between Lightweight and Autonomous
Wireless Domain Services (WDS) cannot support APs converted
from Autonomous to Lightweight. Those Lightweight APs will use
WLCs, as we discussed earlier.
The console port on a converted Lightweight AP is read-only.
Converted APs do not support L2 LWAPP.
Converted APs must be assigned an IP address and discover the IP
address of the WLC via one of three methods:

A broadcast to its own IP subnet

You can telnet into lightweight APs if the WLC is running software
release 5.0 or later.
You can convert the Lightweight AP back to Autonomous mode.
Check Cisco's website for directions. If tech forums are any
indication, this can be more of an art form than a science.
Some other Aironet models have circumstances under which they cannot
operate as LAPs - make sure to do your research before purchasing!
The Cisco Wireless Control System and Wireless Location Appliance
The examples in this section have shown only one WLC, but it's common
to have more than one in a wireless network, due to either the sheer
number of LAPs and/or the desire for redundancy. We don't want our
entire wireless network to go down due to a WLC issue and a lack of a

To monitor those WLCs and the LAPs as well, you can use the Cisco
Wireless Control System. There's a little hype in this description, but
here's how Cisco's website describes the WCS:
"The Cisco WCS is an optional network component that works in
conjunction with Cisco Aironet Lightweight Access Points, Cisco wireless
LAN controllers and the Cisco Wireless Location Appliance.
With Cisco WCS, network administrators have a single solution for RF
prediction, policy provisioning, network optimization, troubleshooting, user
tracking, security monitoring, and wireless LAN systems management.
Robust graphical interfaces make wireless LAN deployment and
operations simple and cost-effective. Detailed trending and analysis
reports make Cisco WCS vital to ongoing network operations.
Cisco WCS includes tools for wireless LAN planning and design, RF
management, location tracking, Intrusion Prevention System (IPS), and
wireless LAN systems configuration, monitoring, and management. "
The Wireless Location Appliance mentioned in that description actually
tracks the physical location of your wireless network users.
The Location Appliance And RF Fingerprinting
Your fingerprints can prove who you are; they can also prove who you are
not. In a similar vein, a device's RF Fingerprint can prove that it is a
legitimate access point - or prove that it is not!
All of the devices in our WLAN have a role in RF Fingerprinting. The APs
themselves will collect Received Signal Strength Indicator information, and
will send that information to the WLAN Controller (WLC) via LWAPP.

In turn, the WLAN Controller will send the RSSI information it receives
from the APs to the Location Appliance. Note that Simple Network
Management Protocol is used to do this; make sure not to block SNMP
communications between the two devices.

What else can be tracked in the Location Appliance?

Laptop and palm clients

RFID Asset Tags (Radio Frequency Identifier)
VoIP clients

The CiscoWorks Wireless LAN Solution Engine

There is an easier way to manage autonomous networks - the CiscoWorks
Wireless LAN Solution Engine (WLSE). Cisco's website defines this
product as "a centralized, systems-level application for managing and
controlling an entire autonomous Cisco WLAN infrastructure".
The CiscoWorks WLSE acts as the manager of the autonomous APs. If
there's a need to change the config on the APs, we've got two choices:

Perform them on each individual AP

Perform the change on the WLSE

Not much of a choice there! CiscoWorks WLSE has quite a few features
to help make our WLANs run smoothly:

Proactive monitoring of thresholds and alerting the admin to potential

issues before they become critical, which assists with capacity

planning and monitoring network performance as new clients are

Reporting and tracking features to help with problem diagnosis,
troubleshooting, and resolution
Centralized AP configs allow us to change multiple AP configs
Execute multiple firmware upgrades simultaneously
Creation of templates that can be used to quickly configure new APs
Very effective at detecting rogue APs and either shut the rogue down
or alert the admin and let the admin handle the rogue shutdown
When an AP is lost, WLSE will tell that AP's neighbors to increase
their cell coverage ("self-healing network")

There are two versions of WLSE. The full version (generally referred to
as simply "WLSE") can manage a maximum of 2500 devices. WLSE
Express is for smaller networks that have 100 or fewer devices to
If you're using WLSE Express, you'll need to set up an AAA server.
Once the deployment is complete, the infrastructure APs are
communicating with the WDS AP, and the WDS AP is in turn sending any
necessary information to CiscoWorks WLSE.

The limit on the number of APs is determined by the device in use as the

If the WDS device is an AP, the limit is 60.

If it's an Integrated Services Router, the limit is 100.
If it's a switch running WLSM (Wireless LAN Services Module), the
limit is 600.

Remember that all limits are theoretical and your mileage may vary!
Wireless Repeaters
You don't see many "wired" repeaters in today's networks, but wireless
repeaters are a common sight in today's wireless networks.
From the Linksys website, here's their description / sales pitch for one of
their wireless repeaters:
"Unlike adding a traditional access point to your network to expand
wireless coverage, the <wireless repeater > does not need to be
connected to the network by a data cable. Just put it within range of your
main access point or wireless router, and it "bounces" the signals out to
remote wireless devices.
This "relay station" or "repeater" approach saves wiring costs and helps to
build wireless infrastructure by driving signals into even those distant,
reflective corners and hard-to-reach areas where wireless coverage is
spotty and cabling is impractical."
We all know that when it comes to range and throughput capabilities,
vendors do tend to state maximum values. Having said that, the following
values are commonly accepted as true when it comes to wireless
The overlap of coverage between a wireless repeater and a wired AP
should be much greater than the overlap between two APs. The
repeater and AP coverage should overlap by at least 50 percent.
From personal experience, I can vouch for the fact that this is a
The repeater must use the same RF channel as the wired AP, and
naturally must share the same SSID.

Since the repeater must receive and repeat every frame on the same
channel, there is a sharp decrease in overall performance. You
should expect the throughput to be cut by about 50%.
An Autonomous AP can serve as a wireless repeater, but a
Lightweight AP cannot.
The Cisco Aironet Desktop Utility
The ADU is a very popular choice for connecting to APs, so let's take a
detailed look at our options with this GUI. As you'll see in the following
pages, the ADU allows us to do the following:
Configure an encryption scheme
Establish an association between the client and one or more APs, as
well as listing the APs in order of preference for that association
Configure authentication methods and passphrases
Enable or disable the local client's radio capabilities
The install process is much like any other software program, but here's a
specific warning I'd like you to see.

After clicking Next, you'll be prompted to decide if you're using the ADU or
the Microsoft tool. While the MS tool is okay - you can still see the Tray
Utility, which we'll discuss later, and perform some other basic tasks using the ADU does give you config options and capabilities that the MS
tool does not.
For example, you can use disable the radio capability of the client with the
ADU, but not with the Microsoft tool. I've used both and I much prefer the
Once the install's done, we launch ADU, which opens to the Current
Status tab.
Note: If you print this section, you may see some choices that look lighter
than others. That simply means they're grayed out in the application, and
it's a good idea to note when certain choices are available and when
they're not!

Clicking on the Advanced tab shows more detailed information regarding

the APs, including the AP Name, IP address, and MAC address.

The Profile Management tab allows us to create additional profiles as well

as editing the Default profile.

One limitation of this particular software is that only one card can be used
at a time - but we can create up to 16 profiles! This allows you to create
one profile for office use, another for home, another for hot spots, etc.
In this example, we'll look at the options for modifying the Default profile.
After clicking Modify, we'll see these tabs:

The Security tab is what we're most interested in, since we have quite a
few options there. Here's the default setting...None.

In ADU, all drop-down and check boxes are only enabled if they're related
to the security option you've chosen. Since None is selected by default,
everything else on the screen is disabled.

When I select WPA/WPA2/CCKM, some options become available.

(CCKM is Cisco Centralized Key Management, which allows roaming
users to roam between APs very quickly - according to their website, in
less than 150 milliseconds.)

I clicked on the drop-down box to illustrate that the WPA/WPA2/CCKM

EAP choices are now available. You can't see it due to that drop-down
box, but the 802.1x choices are still unavailable.
After clicking Configure, here are the options we're presented with.

The next available security option was WPA/WPA2 Passphrase. Note

that once I choose that option, both EAP drop-down boxes are again

Clicking Configure presents us with only one option, and it's the one we'd

Let's go back to the main window and select 802.1x.

Note the WPA/WPA2/CCKM EAP selections are still disabled, but the
dot1x EAP window is now enabled. If we click Configure, the EAP
choices are the same as they were when we selected WPA/WPA2/CCKM
EAP - except for Host-Based EAP, which is only available with 802.1x.

The previous methods have the authentication server generate a key and
then pass that key to the client, but what if we want to configure the keys

ourselves? We simply use the aptly-named Pre-Shared Key option.

Let's take a look at the Pre-Shared Key values. I went back to the main
screen, chose Pre-Shared Key, and again both EAP drop-down boxes
were disabled. I then clicked Configure and here's the result - simple

Naturally, a WEP key configured here must match that of the AP you want
the client to associate with. Ad Hoc networks are fairly rare today, but if
you're working without an IP and using WEP keys, the key must be
agreed upon by each client in the Ad Hoc network. (This tends to be the
trickiest part of configuring an Ad Hoc network!)
A couple of points to remember from the Security Options tab..
The default is None
Drop-down boxes are enabled only if you choose an option related to
that box - when we chose WPA/WPA2/CCKM, the dot1x EAP box
was disabled, and vice versa
The Advanced tab has some options that you'll generally leave at the
defaults, but let's take a look at them anyway!

If you want to list your APs in order of preference, click Preferred APs and
then enter their MAC addresses in the following fields.

Configuring preferred APs does not mean that your client is limited to
these APs. If your client is unable to form an association with any APs
specified here, the client can still form an association with other APs.

The Aironet System Tray Utility

We're all familiar with the generic icon on a laptop or PC that shows us
how strong (or weak) our wireless signal is. The Aironet System Tray
Utility (ASTU) gives us that information and a lot more. Instead of just
indicating how strong the wireless signal is, the icon will change color to
indicate signal strength and other important information.
At the beginning of the ADU install, we saw this window, following by a
prompt to choose the Cisco tool or a third-party tool:

A reminder - you can still see the ASTU if you're working with the
Microsoft utility, but the ADU's overall capabilities are diminished.
Naturally, Cisco recommends you use the ADU. Having used both, I
The only problem with the ASTU is that the colors aren't exactly intuitive,
so we better know what they mean. Here's a list of ASTU icon colors and
their meanings.
Red - This does not mean that you don't have a connection to an access
point! It means that you do have connectivity to an AP, and you are
authenticated via EAP if necessary, but that the signal strength is low.

Yellow - Again, you are connected to an AP and are authenticated if

necessary, but signal strength is fair.
Green - Connection to AP is present, EAP authentication is in place if
necessary, and signal strength is very good.
Light Gray - Connection to AP is present, but you are *not* EAPauthenticated.
Dark Gray - No connection to AP is present.
White - Client adapter is disabled.
If you're connecting to an ad hoc network, just substitute "remote client"
for "AP" in the above list. The key is to know that red, green, and yellow
are referring to signal strength, light gray indicates a lack of EAP
authentication, dark gray means there is no connection to an AP or
remote client, and white means the adapter is disabled.
Interpreting The Lights On A Cisco Aironet Adapter Card
We have two lights on a Cisco Aironet card. The green light is the Status
LED, and the amber light is the Activity LED. We've got quite a few
combinations with those two lights, so let's take a look at what each of the
following LED readouts indicates.
Status off, Activity off - Naturally, this means the card isn't getting power!
Status blinking slowly, Activity off - the adapter's in Power Save mode.
Status on, Activity off - adapter has come out of Power Save mode.
Both lights blinking in an alternating fashion - adapter is scanning for its
Both lights blinking slowly at the same time - adapter has successfully
associated with an AP (or other client if you have an Ad Hoc network)
Both lights blinking quickly at the same time - adapter is associated and is
sending or receiving data
Tips On Configuring The WLAN Controller
Many Cisco products can now be configured via a GUI or at the CLI, and

WLAN Controllers are no exception. The GUI is actually built into the
controller, and allows up to five admins to browse the controller
Real-world note: If you're on a controller with four other admins, make
sure you're all talking to each other while you're on there. Nothing more
annoying than configuring something and having someone else remove
the config.
The GUI allows you to use HTTP or HTTPS, but Cisco recommends you
enable only HTTPS and disable HTTP access.
To enable or disable HTTP access, use the config network webmode
( enable / disable) command.
To enable or disable HTTPS access, use the config network secureweb
(enable / disable) command.
Cisco has an excellent online PDF you can use as a guide to get started
with a WLAN controller configuration - how to connect, console default
settings, etc. Links tend to change so I will not post it here, but to get a
copy, just do a quick search on "cisco wireless lan controller configuration
guide". It's not required reading for the exam, but to learn more about
WLAN controllers, it's an excellent read.
An Introduction To Mesh Networks - And An Age-Old Problem
A wireless mesh network is really just what it sounds like - a collection of
access points that are logically connected in a mesh topology, such as the

Real-world note: Not all APs can serve as a mesh AP. The most popular
mesh AP today is probably the Cisco Aironet 1500 series.
This is obviously a very small mesh network, but several APs have
multiple paths to the AP that has a connection to the WLC. From our
CCNA studies, we already know that we need a protocol to determine the
optimal path - and it's not the Spanning Tree Protocol.
The Cisco-proprietary Adaptive Wireless Path Protocol (AWPP) will
discover neighboring APs and decide on the best path to the wired
network by determining the quality of each path and choosing the highestquality path.
Much like STP, AWPP will continue to run even after the optimal path (the
"root path") to the wired network from a given AP is chosen. AWPP will
continually calculate the quality of the available paths, and if another path
becomes more attractive, that path will be chosen as the root path.
Likewise, if the root path becomes unavailable, AWPP can quickly select
another root path.
Avoid A Heap Of Trouble With H-REAP
The almost-ridiculously named Hybrid Remote Edge Access Point can
really help a remote location keep its wireless access when its access
point loses sight of its Controller.
The H-REAP is an atypical controller-based AP. When your average AP
can't see its own WLC any longer, it can't offer wireless to its clients.

When a H-REAP encounters that situation, it begins to act like an

autonomous AP - an AP that can offer wireless with no help from anyone
or anything else.
Config of an H-REAP is beyond the scope of the CCNP SWITCH exam,
but if you have need for a wireless solution for remote sites that can't
afford to have wireless services unavailable, check this solution out!

Copyright 2010 The Bryant Advantage. All Rights Reserved.