
OECG – Chapter 23


It’s early on a Saturday morning, and I’m at work supporting system maintenance going on at one of our data centers.  I didn’t get too much sleep last night, because I was helping to fix a problem I’d spotted and instructed a sysadmin to preemptively fix a couple of weeks ago.  You know, BEFORE it became a problem that would impact customers.  But my advice was ignored, and it became a customer impacting problem.  Sweet.  Nice way to spend my Friday night…at least an hour of it.  I had been out at a friend’s, mowing down burgers and dogs like I was never going to eat again.  I just got home, when the cell went off…but my partner in crime was already on the mission, just needed a second set of eyes.  I ended up reliving all of the same things he’d already checked, before he thought of what ended up to be the resolution to the issue.  My response was something like, “Well, I’d told so-and-so and so-and-so to deal with that a couple of weeks ago.  They assured me they had it covered.”  LOL.  Yep.  Not so covered.  Ah, well.  So you get the idea, I’m tired, I’m grumpy (for real, my boss says I’m always grumpy, but I really am this morning), and I’m not my normally lucid self.  So we’ll see how the blogging goes today.  I really need to get Chapters 23 and 24 (both short and lightweight) done today, so that I can focus on the MPLS appendix (not short and not lightweight) next week before vacation.

This chapter is an overview of Cisco-specific offerings in the wireless LAN arena.   It’s fairly short, with a number of largish illustrations.  So without further ado…

Cisco Structured Wireless-Aware Network (SWAN) – this is a comprehensive methodology for deploying integrated wired and wireless LANs using products in Cisco’s lineup.  The points below review the key elements of the SWAN architecture.

  • Wireless Domain Services (WDS) – IOS features that make the life of the wireless LAN user and administrator easier.
    • Fast Secure Roaming (FSR) – allows time-sensitive applications to roam from one AP to another within 50ms (fast enough to support VoIP, in other words).
      • Secure roaming between the same subnet or different subnets.
      • Enhanced channel scanning.
      • Fast 802.1X rekeying.
      • This works as follows:
        • First, a client associates to an AP, authenticating via 802.1X through AAA to the WDS box.  (500ms)
        • The client will tell the WDS that it is roaming.  WDS will send the appropriate key to the AP the client just roamed to.  (50ms)
    • Radio management aggregation – eliminates redundant radio management information, reducing the amount of bandwidth used for this task.  Radio management information gets sent to CiscoWorks WLSE, and is used for monitoring and functions such as rogue AP detection and location.
    • Client tracking – Client authentication and roaming events are recorded and sent to the CiscoWorks WLSE.  WLSE will track associations to APs.
  • Intrusion Detection System – SWAN includes the “Wireless LAN Threat Defense Solution” (why do I feel like a sales engineer all of a sudden?) that includes IDS functionality.
    • Detection and suppression of rogue access points.  Rogue APs are not allowed to authenticate.
    • Unassociated wireless LAN radio cards are tracked via MAC address association tables.
    • Optionally, Aironet APs and Cisco-compatible devices can be used in conjunction with clients to scan RF and measure activity.  This aids in detecting rogue APs.  This is done through the “radio management” element of the client, sending information back to WDS like SSIDs and MAC addresses that the WDS would be able to identify as rogue.
  • Cisco SWAN Hardware – naturally, Cisco defines what sort of hardware is required to deploy all the features of SWAN.  (Okay, REALLY feeling like an SE now.)
    • Cisco Aironet APs – mandatory.  APs running IOS allow for roaming and interconnection to the wired LAN.
    • Management and security servers – mandatory.  CiscoWorks Wireless LAN Solution Engine (WLSE) and an 802.1X authentication server (like Cisco ACS) are both required for management and security purposes.
    • Wireless LAN client devices – mandatory, WiFi certified, and/or 802.11 compliant.  Cisco Aironet and Cisco-compatible devices are optional, but offer enhancements for security, interoperability and radio management.
    • Infrastructure devices – optional.  The Catalyst 6500 Wireless LAN Services Module (WLSM) creates a wireless-aware wired network layer that works in the context of SWAN APs.  WLSM allows clients to roam from AP to AP in a large campus environment through different L3 networks with no loss of connectivity.  WLSMs support as many as 300 APs and 6000 wireless clients.
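To make the WDS key-caching model behind Fast Secure Roaming and the rogue-AP checks concrete, here is an added simulation (my own illustration, not Cisco code or anything from the book): the WDS hands out a session key on the full 802.1X association, pushes the cached key to registered APs on a roam, refuses unregistered (rogue) APs, and flags AP MACs in radio-management reports that it does not know.  The 500ms/50ms figures are the chapter's; the MAC strings, the HMAC challenge and the method names are constructed for the example.

```python
import hmac, hashlib, os
from dataclasses import dataclass, field

FULL_AUTH_MS, FAST_ROAM_MS = 500, 50   # timings quoted in the chapter notes

@dataclass
class WDS:
    """Wireless Domain Services: knows the registered APs and caches per-client keys."""
    registered_aps: set = field(default_factory=set)
    client_keys: dict = field(default_factory=dict)   # client MAC -> session key

    def full_auth(self, client, ap):
        """Initial association: full 802.1X via AAA yields a fresh session key."""
        if ap not in self.registered_aps:          # rogue APs are not allowed to authenticate
            return None
        self.client_keys[client] = os.urandom(16)
        return self.client_keys[client], FULL_AUTH_MS

    def roam(self, client, new_ap):
        """Client announces a roam; WDS pushes the cached key to the new AP."""
        if new_ap not in self.registered_aps or client not in self.client_keys:
            return None
        return self.client_keys[client], FAST_ROAM_MS

    def radio_report(self, observed_ap_macs):
        """Radio-management data from clients/APs: unregistered AP MACs are flagged as rogue."""
        return set(observed_ap_macs) - self.registered_aps

def ap_accepts(ap_key, client_key, nonce):
    """New AP checks the client holds the same key WDS pushed (constant-time compare)."""
    expected = hmac.new(ap_key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, hmac.new(client_key, nonce, hashlib.sha256).digest())

def roam_session(wds, client, path):
    """Walk a client through a list of AP MACs; return (total ms, per-hop outcomes)."""
    total, outcomes, client_key = 0, [], None
    for ap in path:
        result = wds.full_auth(client, ap) if client_key is None else wds.roam(client, ap)
        if result is None:                           # unregistered AP: no key, no association
            outcomes.append((ap, "denied"))
            continue
        ap_key, ms = result
        client_key = client_key or ap_key            # client keeps the key from the full auth
        assert ap_accepts(ap_key, client_key, os.urandom(8))
        total += ms
        outcomes.append((ap, "full-auth" if ms == FULL_AUTH_MS else "fast-roam"))
    return total, outcomes
```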