CCNA Wireless Summary Notes: Understanding the CUWN Architecture

Wireless 3 Minutes

AP traffic is divided into the following:

  • Data Plane traffic – end user traffic
  • Control Plane traffic – control, configure, manage, and monitor the AP

Recall that autonomous APs bridge traffic between a wireless BSS and a wired VLAN. An Autonomous AP performs the following combined functions

  • Lightweight AP functions (Real Time functions)
    • RF Transmit/Receive
    • MAC Management
    • Encryption
  • WLC Functions (Management functions)
    • RF Management
    • Association & Roaming Management
    • Client Authentication
    • Security Management
    • QoS

The Cisco Unified Wireless Network (CUWN) is a centralized, unified approach. In the CUWN, a lightweight access point (LAP) performs only the real-time 802.11
operation. Management is performed on the WLC. The LAP-WLC division of labor is known as a split-MAC architecture. The Control and Provisioning of Wireless Access Points (CAPWAP – RFCs 5415, 5416, 5417, and 5418) tunneling protocol enables the AP and the WLC to communicate despite their location. It encapsulates the data between the APs and the WLC. UDP port 5246 transports CAPWAP control data to the WLC. CAPWAP data uses UDP port 5247 and is not encrypted by default. Encrypted packets are protected by Datagram Transport Layer Security (DTLS).

Every LAP and WLC must also authenticate each other with X.509 digital certificates.

Activities performed by the WLC:

  • Dynamic channel assignment
  • Automatically sets the power for each LAP according to the coverage area needed
  • Self-healing wireless coverage incase a LAP dies by increasing power for remaining LAPSю able to pinpoint and recover from external problems dynamically.
  • L2 and L3 client roaming
  • Dynamic client load balancing
  • RF Monitoring
  • Security management
  • Wireless intrusion protection system

For Autonomous APs, traffic from client to client passes through the LAP then to the next client. For LAP, The client traffic  usually travels through the CAPWAP tunnel and passes through the WLC before making a return trip back through the tunnel to the other client. Clients may use DLS to communicate directly, without passing through the AP and controller; LAPs can also be configured in FlexConnect mode, so that traffic can be forwarded locally at the AP if needed.

Flexconnect: remote site LAPs are able to locally switch the traffic without traversing the CAPWAP tunnel. FlexConnect allows the LAP to keep switching traffic locally to maintain wireless connectivity available inside the remote site.

Cisco WLCs

2014_07_25_19_18_03_CCNA_Wireless_640_722_Official_Cert_Guide_SECURED_Adobe_Reader2014_07_25_19_16_10_CCNA_Wireless_640_722_Official_Cert_Guide_SECURED_Adobe_Reader

The vWLC cannot support any APs in local mode; all APs must be configured for FlexConnect instead.

Cisco APs. 

2014_07_25_19_23_21_CCNA_Wireless_640_722_Official_Cert_Guide_SECURED_Adobe_Reader 2014_07_25_19_23_36_CCNA_Wireless_640_722_Official_Cert_Guide_SECURED_Adobe_Reader

CleanAir – allows an AP to perform spectrum analysis on the wireless channels to detect non-802.11 interference.

As the number of radios and spatial streams increases, the AP is able to provide a greater throughput for its clients.

AP Operation Modes:

  • Local (Default). During times that it is not transmitting, the LAP will scan  the other channels to measure the noise floor, measure interference, discover rogue
    devices, and match against intrusion detection system (IDS) events.
  • Monitor Mode. No transmission of traffic. but its receiver is enabled to act  as a dedicated sensor. The LAP checks for IDS events, detects rogue access points,
    and determines the position of stations through location-based services (LBS).
  • Flexconnect (HREAP). LAP can locally switch traffic between an SSID and a VLAN if its CAPWAP tunnel to the  WLC is down or configured to.
  • Sniffer Mode. Acts as packet sniffer and passes traffic to software analyzers like wireshark
  • Rogue detector.
  • OfficeExtend AP (OEAP).  LAP connects to the local broadband service and builds  a CAPWAP tunnel to the central WLC. User data can be encrypted over the
    CAPWAP data tunnel using DTLS.
  • SE-Connect for spectrum analysis.

CUWN Management

  • Wireless Control System (WCS)
    • Dedicated appliance
    • WLAN management or configuration tasks
    • RF planning
    • wireless user tracking, troubleshooting, and monitoring
    • display predictive “heatmap” representations of coverage
    • locate a wireless client  to within a few meters by triangulating the client’s signal as received by multiple LAPs.
    • with Cisco Wireless Location Appliance it could track client location
    • The WCS Navigator product provided a single portal to manage up to 20 instances  of WCS and up to 30,000 APs
  • Cisco Prime Network Control System (NCS)
    • Either dedicated appliance or vMware
    • wireless device management
    • switch management
    • dynamic RF coverage heatmaps
    • with MSE it could provide client location tracking
  • Cisco Prime Infrastructure (PI)
    • offers converged management  of both wireless and wired network devices
    • integration with wireless intrusion  prevention services,
    • spectrum analysis,
    • tracking of users, interferers, and rogue devices.

Published by CyberSecFaith

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s