Will the WLAN you're about to implement support roaming and/or bandwidth-intensive applications? If so, consider building the WLAN upon a virtual local area network (VLAN) architecture. Adding VLAN capabilities to an existing WLAN, or deploying a new WLAN using VLAN technology, enables wireless
When VLANs were introduced in the late 1990s, they were touted as a way to simplify address management by letting IT departments physically deploy servers and PCs
Most of today's VLANs are based on the IEEE 802.1Q and 802.1P standards. 802.1Q provides a standard method for inserting VLAN membership information into Ethernet
A VLAN architecture, whether in a wired, wireless, or mixed network environment, can provide the following benefits:
Network organization based on function:
VLANs allow logical network topologies to overlay the physical switched infrastructure, such that any arbitrary collection of LAN ports can be combined into an autonomous
Common broadcast domains:
Because each VLAN forms its own broadcast domain, VLANs can be completely isolated from one another. Just as switches isolate collision domains for attached
Not only can firewall protection be provided for individual VLANs,
A VLAN supports logical grouping of users. Thus it is possible to improve general network performance through traffic segmentation, e.g. isolating groups with high bandwidth usage that can slow down other users sharing the network. This in
The majority of WLAN products and technology available today focus only on the Data Link Layer and on solving discrete security and mobility problems. None provide the comprehensive capabilities needed to help
Figure 8.3: User segmentation without wireless VLANs. Graphic
However, with the use of wireless VLANs, one access point at each location can provide access to both groups. VLAN architecture can also be of great help in a WLAN infrastructure where there are roaming difficulties. VLANs can provide a means for wireless clients to roam among 802.11 (a, b or g) access points without losing connectivity.
Consider Bridgewater State College in Massachusetts, which deployed more than 100 Enterasys Networks RoamAbout 802.11
Figure 8.4: An indoor wireless VLAN deployment where four wireless VLANs are provisioned across a campus to provide WLAN access to
To properly deploy wireless VLANs, the deployment team must evaluate the need for VLANs within the existing or proposed WLAN architecture. The evaluation should include, but not be limited to:
A review of any existing wired VLAN deployment rules and policies, since existing wired VLAN policies can be used as the basis for wireless VLAN deployment policies.
Identification of the common applications used by all WLAN users, e.g. wired network resources (such as servers). Then determine the Quality of Service (QoS) level needed for each application.
A list of the common devices used to access the wireless LAN.
Once the data is gathered, determine (1) what security mechanisms, e.g. static WEP, MAC authentication, Extensible Authentication Protocol (EAP) authentication (LEAP, EAP-TLS or PEAP), virtual private networking, and so forth, are supported by each device; (2) which wired network resources (such as servers), are accessed by each WLAN device group; and (3) the QoS level needed to support each device group.
After completing the evaluation, determine the VLAN deployment strategy for your WLAN. There are two standard deployment strategies. One is segmentation by user groups. For example, three separate wired and wireless VLANs could be created: one for R&D, another for accounting, and a third for guest access. The other is segmentation by device type. This allows a variety of devices with different access-security "levels" to access the WLAN. For example, handheld computers that support only 40/128-bit static WEP shouldn't coexist in the same VLAN with WLAN client devices that support 802.1X with dynamic WEP. Instead, group and isolate these devices by their different "levels" of access security into separate VLANs.
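The "segmentation by device type" strategy above, worked as code over a constructed device inventory. This is an added example, not code from the book or from any vendor it mentions; the mechanism ranking, the device groups and the draft VLAN assignment are assumptions made for illustration. It flags a draft assignment that puts a static-WEP-only handheld in the same VLAN as EAP-TLS-capable laptops, then rebuilds the assignment so each VLAN holds only one access-security level.

```python
# Added example (not from the book): group WLAN client devices into VLANs by
# the strongest access-security mechanism each supports, so that a static-WEP
# only device never shares a VLAN with 802.1X-capable clients.

# Mechanisms from the evaluation step, ranked weakest (0) to strongest.
# The ranking is an assumption made for this example.
SECURITY_RANK = {"static-wep": 0, "mac-auth": 1, "leap": 2, "peap": 3, "eap-tls": 4}

# Constructed inventory: device group -> mechanisms the device supports.
DEVICE_INVENTORY = {
    "handheld-scanner": {"static-wep"},
    "guest-laptop": {"static-wep", "mac-auth"},
    "voip-handset": {"static-wep", "leap"},
    "staff-laptop": {"static-wep", "peap", "eap-tls"},
}

# A constructed first-draft assignment that breaks the rule: the static-WEP
# only scanner shares vlan-A with EAP-TLS-capable staff laptops.
DRAFT_ASSIGNMENT = {
    "handheld-scanner": "vlan-A",
    "staff-laptop": "vlan-A",
    "guest-laptop": "vlan-B",
    "voip-handset": "vlan-C",
}

def security_level(mechanisms):
    """Rank of the strongest mechanism in the set."""
    return max(SECURITY_RANK[m] for m in mechanisms)

def find_mixed_vlans(assignment, inventory):
    """VLANs whose member device groups sit at different security levels."""
    levels = {}
    for group, vlan in assignment.items():
        levels.setdefault(vlan, set()).add(security_level(inventory[group]))
    return sorted(vlan for vlan, seen in levels.items() if len(seen) > 1)

def segment_by_device_type(inventory):
    """Assign every group to a VLAN named for its strongest mechanism."""
    rank_to_vlan = {rank: f"vlan-{name}" for name, rank in SECURITY_RANK.items()}
    return {group: rank_to_vlan[security_level(mechs)]
            for group, mechs in inventory.items()}

if __name__ == "__main__":
    print("mixed VLANs in draft:", find_mixed_vlans(DRAFT_ASSIGNMENT, DEVICE_INVENTORY))
    fixed = segment_by_device_type(DEVICE_INVENTORY)
    print("rebuilt assignment:", fixed)
    print("mixed VLANs after rebuild:", find_mixed_vlans(fixed, DEVICE_INVENTORY))
```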
The criteria for a wireless VLAN deployment
Each wireless VLAN is configured with appropriate network policies and mapped to a wired VLAN. A network manager enforces the appropriate network policies within the wired network for each different user group.
A VLAN architecture ups the WLAN's security
Figure 8.5: An outdoor wireless VLAN deployment scenario. Wireless trunking connects the root bridge to the non-root bridges. The root and non-root bridges terminate the 802.1Q trunk and participate in the Spanning-Tree Protocol process of bridging the networks together. Graphic courtesy of Cisco Systems, Inc.
Cisco Systems offers an example of configurable parameters on a SSID wireless VLAN and on the wired VLAN side. SSID wireless VLAN parameters include:
SSID name: configures a unique
Default VLAN-ID mapping on the wired side.
MAC authentication: under open, shared, and network-EAP.
EAP authentication: under open and shared authentication types.
Maximum number of associations: ability to limit the maximum number of WLAN clients per SSID.
Symbol Technologies Inc., a major provider of wireless and wireless LAN products, offers the Mobius Axon Wireless Switch, which delivers centralized wireless connectivity through Mobius Axon Access Ports. The switch supports 802.11b, 802.11a, 802.11g, and legacy Symbol wireless protocols. Existing wireless LAN products require customers to integrate and manage separate products for wireless connectivity, security, and management.
The product uses a virtual LAN architecture and policy-based networking to deliver bandwidth, security, and networking services by device, by user, by application, and by location, all from a single access port. It
There are two hardware components: the Mobius Axon Wireless Switch and Mobius Axon Access Ports. Software
The wired VLAN parameters are:
Encryption key: this key is used for broadcast and multicast traffic segmentation per VLAN. (It is also used for static WEP clients.) Network managers must define a unique encryption key per VLAN. With an encryption key configured, the VLAN supports standardized WEP.
Enhanced Message Integrity Check (MIC) verification for WEP: enables MIC per VLAN.
Temporal Key Integrity Protocol (TKIP): enables
WEP (broadcast) key rotation interval: enables broadcast WEP key rotation per VLAN. This is only supported for wireless VLANs with IEEE 802.1X EAP protocols enabled (such as EAP Cisco Wireless [LEAP], EAP-Transport Layer Security [EAP-TLS], Protected Extensible Authentication Protocol [PEAP], and EAP-Subscriber Identity Module [EAP-SIM]).
Default policy group: applies a policy group (a set of Layer 2, 3, and 4 filters) per VLAN. Each filter within a policy group is configurable to allow or deny certain types of traffic.
Default priority: applies a default class of service (CoS) priority per VLAN.
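The SSID and wired-VLAN parameters listed above lend themselves to an automated consistency check before the configuration is pushed to the access points. The following is an added example, not Cisco's code or anything from the book; the SSID names, VLAN IDs, key placeholders and field names are constructed for illustration. It checks the two constraints the text states, a unique encryption key per VLAN and broadcast key rotation only on VLANs whose SSID has 802.1X EAP enabled, and that every SSID maps to a wired VLAN that actually exists.

```python
# Added example, not from the book or from Cisco: a consistency check over a
# constructed wireless-VLAN configuration modelled on the SSID and wired-VLAN
# parameters listed in the text. All names, VLAN IDs and key values are
# placeholders made up for this example.

# SSID (wireless VLAN) definitions: default VLAN mapping, MAC and EAP
# authentication, and the per-SSID association limit.
SSIDS = [
    {"ssid": "rnd",    "vlan": 10, "eap_auth": True,  "mac_auth": False, "max_assoc": 50},
    {"ssid": "acct",   "vlan": 20, "eap_auth": False, "mac_auth": True,  "max_assoc": 30},
    {"ssid": "guest",  "vlan": 30, "eap_auth": False, "mac_auth": False, "max_assoc": 100},
    {"ssid": "legacy", "vlan": 40, "eap_auth": False, "mac_auth": True,  "max_assoc": 10},
]

# Wired VLAN parameters: encryption key (placeholder), MIC, TKIP, broadcast
# key rotation interval in seconds (None = off), policy group and CoS priority.
WIRED_VLANS = {
    10: {"encryption_key": "KEY-A", "mic": True,  "tkip": True,
         "bcast_key_rotate": 300, "policy_group": "rnd-filters", "priority": 5},
    20: {"encryption_key": "KEY-B", "mic": True,  "tkip": False,
         "bcast_key_rotate": 600, "policy_group": "acct-filters", "priority": 3},
    30: {"encryption_key": "KEY-B", "mic": False, "tkip": False,
         "bcast_key_rotate": None, "policy_group": "guest-filters", "priority": 0},
}

def eap_vlans(ssids):
    """VLAN IDs that have at least one SSID with 802.1X EAP authentication."""
    return {s["vlan"] for s in ssids if s["eap_auth"]}

def check_vlan_policy(ssids, vlans):
    """Return a list of violations; an empty list means the config is consistent."""
    problems = []
    # Each wireless VLAN must be mapped to a wired VLAN that actually exists.
    for s in ssids:
        if s["vlan"] not in vlans:
            problems.append(f"ssid {s['ssid']}: maps to undefined VLAN {s['vlan']}")
    # The text requires a unique encryption key per VLAN, since the key is what
    # keeps one VLAN's broadcast/multicast traffic separate from another's.
    first_use = {}
    for vid, cfg in vlans.items():
        owner = first_use.setdefault(cfg["encryption_key"], vid)
        if owner != vid:
            problems.append(f"vlan {vid}: reuses the encryption key of VLAN {owner}")
    # Broadcast WEP key rotation is only supported where 802.1X EAP is enabled.
    with_eap = eap_vlans(ssids)
    for vid, cfg in vlans.items():
        if cfg["bcast_key_rotate"] and vid not in with_eap:
            problems.append(f"vlan {vid}: broadcast key rotation without an 802.1X EAP SSID")
    return problems

if __name__ == "__main__":
    for line in check_vlan_policy(SSIDS, WIRED_VLANS):
        print(line)
```

Run as-is, the check reports the three deliberate faults in the constructed config; fix them and it returns an empty list.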