Upload: charu-mathur, posted 21-Jul-2016

Page 1: Day 5 - Switching and Wireless

Understanding LAN Switching

Page 2: Day 5 - Switching and Wireless

1-2Networking Fundamentals © 2009, Velocis Systems

Switch

• It breaks up the collision domain.

• It takes the packet and forwards it to the destination port without any modification.

• It increases the bandwidth available on the network.

• Multiple devices can be connected to each interface.

Page 3: Day 5 - Switching and Wireless

Collision Domain

• All the computers that are physically connected together, so that their frames can collide with each other, are part of a single collision domain.

Page 4: Day 5 - Switching and Wireless

Hubs

[Figure: Ethernet 10 hub, one device sending at a time, all nodes share 10 Mbps]

• Ethernet concentrator

• Works at physical layer 1

Page 5: Day 5 - Switching and Wireless

Collisions: Issues

• Sluggish network response

• Increasing user complaints

[Figure: hub with colliding frames]

• “I could have walked to Finance by now.”

• “I knew I should have stayed home.”

• “File transfers take forever.”

• “I’m waiting all the time.”

Page 6: Day 5 - Switching and Wireless

Hub-Based LANs

• Shared resources

• Desktop connections wired to centralized closets

• Poor security within shared segments

• Routers provide scalability

• Groups of users determined by physical location

[Figure: two 10BaseT hubs]

Page 7: Day 5 - Switching and Wireless

Switching Technology

• To understand switching technology we need to understand the following:

– Layer 2 Switching

– Address Learning

– Forward/Filtering Decisions

– Loop Avoidance

– LAN Switch Types

Page 8: Day 5 - Switching and Wireless

Switches—Layer 2

[Figure: Ethernet switch, each node has 10 Mbps, switched Ethernet 10 backbone, multiple devices sending at the same time]

Page 9: Day 5 - Switching and Wireless

Switches versus Hubs

[Figure: hub (Ethernet 10, one device sending at a time, all nodes share 10 Mbps) versus Ethernet switch (each node has 10 Mbps, switched Ethernet 10 backbone, multiple devices sending at the same time)]

Page 10: Day 5 - Switching and Wireless


LAN Switching Basics

Page 11: Day 5 - Switching and Wireless

Layer 2 Switching

• This is hardware-based switching.

• It uses the MAC address to filter the network.

• To build the filter table, it uses ASICs (Application-Specific Integrated Circuits).

• It is like a multiport bridge.

• Layer 2 switches do not look at the Network layer header and hence are faster.

• Based on the hardware address, it decides whether to forward the packet or drop it.

Page 12: Day 5 - Switching and Wireless

Layer 2 Switching

• Layer 2 switching provides the following:

  – Wire speed

    • A Layer 2 switch is considered faster because there is no modification of the packet.

  – Low latency

    • Because the switching is faster

Page 13: Day 5 - Switching and Wireless


LAN Switching Basics

• Enables dedicated access

• Eliminates collisions and increases capacity

• Supports multiple conversations at the same time

Page 14: Day 5 - Switching and Wireless

Functions of Switch at Layer 2

• There are three main functions at Layer 2:

– Address Learning

– Forward / Filter Decisions

– Loop Avoidance

Page 15: Day 5 - Switching and Wireless

Address Learning

• Switches and bridges remember the source address of each frame received on an interface and enter this information into the MAC database.

  – Whenever the switch receives a frame, it makes an entry for the source address and floods the frame out all other ports to reach the destination.

  – The destination machine then responds, and the switch receives a frame from the destination.

  – The switch then makes an entry for the destination machine's hardware address.

  – Using this method the switch maintains a table stating which hardware address is available on which port.

Page 16: Day 5 - Switching and Wireless


Switching Table

Page 17: Day 5 - Switching and Wireless

Forward / Filter Decisions

• When a frame is received on an interface, the switch looks at the destination hardware address and finds the exit interface in the MAC database.

  – When a frame reaches the switch, the destination address is checked in the MAC database to find the exit interface.

• If found, the frame is forwarded to that port.

• If not found, the frame is sent out all ports and the exit port for this particular address is determined.

Page 18: Day 5 - Switching and Wireless

Broadcast / Unicast

• When packets are sent to a specific machine, that is called unicast.

  – The sender always knows the destination address.

• When packets are sent to all machines, that is called broadcast.

  – The destination address will be all 1s.

Page 19: Day 5 - Switching and Wireless

LAN Switch Operation

• Forwards packets based on a forwarding table

  – Forwards based on the MAC (Layer 2) address

• Operates at OSI Layer 2

• Learns a station's location by examining the source address

  – Sends out all ports when the destination address is a broadcast or an unknown address

  – Forwards when the destination is located on a different interface

[Figure: switch with 10 Mbps interfaces 1-4 and stations A, B and C attached; station table (Interface / Stations) empty; A sends "Data from A to B"]

Page 20: Day 5 - Switching and Wireless

[Figure step: the switch learns station A on interface 1 (table: 1 → A)]

Page 21: Day 5 - Switching and Wireless

[Figure step: destination B is unknown, so "Data from A to B" is sent out all other interfaces (table: 1 → A)]

Page 22: Day 5 - Switching and Wireless

[Figure step: B replies with "Data from B to A"; the switch learns station B on interface 3 (table: 1 → A, 3 → B)]

Page 23: Day 5 - Switching and Wireless

[Figure step: "Data from B to A" is forwarded only to interface 1 (table: 1 → A, 3 → B)]
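The address learning and forward/filter behaviour described on pages 15 and 17 and stepped through on pages 19-23, as an added Python simulation (not code from the slides); the Frame class, the constructed MAC addresses and the interface layout (A on interface 1, B on interface 3, as in the figure) are my assumptions.

```python
"""Layer 2 learning switch simulation (added example, not from the slides)."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"   # destination address of all 1s (page 18)


@dataclass
class Frame:
    src: str       # source MAC address
    dst: str       # destination MAC address
    payload: str


@dataclass
class LearningSwitch:
    ports: tuple                                   # interface numbers on the switch
    mac_table: dict = field(default_factory=dict)  # MAC address -> interface

    def handle(self, in_port, frame):
        """Process one frame received on in_port; return the interfaces it goes out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown interface {in_port}")

        # Address learning: the source address tells us which interface the
        # station is on. A station seen on a new interface overwrites its entry,
        # which is why a loop (page 31) keeps "thrashing" this table.
        self.mac_table[frame.src] = in_port

        # Forward/filter decision (page 17).
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Broadcast or unknown destination: send out all ports except the
            # one the frame arrived on (page 19).
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[frame.dst]
        if out_port == in_port:
            # Sender and destination share a segment: filter, do not forward.
            return []
        return [out_port]


def run_page_scenario():
    """Replay pages 19-23: A on interface 1 sends to B on interface 3, then B replies."""
    sw = LearningSwitch(ports=(1, 2, 3, 4))
    a, b = "00:00:0c:00:00:0a", "00:00:0c:00:00:0b"   # constructed addresses
    step1 = sw.handle(1, Frame(src=a, dst=b, payload="Data from A to B"))
    step2 = sw.handle(3, Frame(src=b, dst=a, payload="Data from B to A"))
    return sw.mac_table, step1, step2


if __name__ == "__main__":
    table, first, second = run_page_scenario()
    print("A -> B, destination unknown, flooded to:", first)     # [2, 3, 4]
    print("B -> A, destination learned, forwarded to:", second)  # [1]
    print("MAC table:", table)
```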

Page 24: Day 5 - Switching and Wireless

LAN Switch Types

• The switching type basically affects the latency and the reliability of your network.

• There are three Switching Types:

– Store and Forward

– Cut-through

– Fragment free

Page 25: Day 5 - Switching and Wireless

Store and Forward

• It is the default in switches.

• In this method the entire data is first stored and processed for errors; if it is found error free, it is forwarded, otherwise it is returned.

• Uses CRC for error checking.

• Latency is high in this case, but it is extremely reliable.

  – Latency: the time involved in sending the data from one node to another.

Page 26: Day 5 - Switching and Wireless


Cut-Through

• Cut-Through switching is the fastest one, because it does not check for errors.

• It does not store data and process for error.

• It just reads the destination address and forwards it.

• It begins to forward the frame as soon as it reads the destination address and determines the outgoing interface.

• It has the lowest latency but is not reliable.

• Hence it is also called Wire Speed Switching.

Page 27: Day 5 - Switching and Wireless

Fragment-free (Modified Cut-Through)

• It provides both low latency and speed.

• It is a modified form of Cut Through switching.

• It reads the first 64 bytes and then forwards.

– It checks 64 bytes because most of the errors occur in these bytes only. If first 64 bytes are error free Fragment Free Switching considers entire data error free.

• If there is any error in first 64 bytes the packet will be dropped or else forwarded.

• It provides better reliability than the Cut-through with almost same Latency as in Cut through.

Page 28: Day 5 - Switching and Wireless

Loop Avoidance

• If multiple connections between switches are created for redundancy, network loops can occur.

  – Most commonly, networks are implemented with redundant links for fault tolerance.

– These multiple links may cause loops and broadcast storm

– In a switched network some scheme should be implemented to avoid these loops.

– The Spanning-Tree Protocol (STP) is used to stop network loops and allow redundancy.

Page 29: Day 5 - Switching and Wireless

Understanding Spanning-Tree Protocol (802.1d)

Page 30: Day 5 - Switching and Wireless

How Does a Loop Occur

Page 31: Day 5 - Switching and Wireless

Loop Occurring

• In this scenario, if no loop avoidance scheme is implemented, the switches will generate a broadcast storm.

• A device can receive multiple copies of the same frame.

• The MAC address table will be continuously updated and the table itself will be confused, because frames will be received from more than one link. This is called "thrashing" the MAC table.

• This is how loops within loops are generated and no switching is performed in the network.

Note: Spanning Tree Protocol is designed to solve this problem.

Page 32: Day 5 - Switching and Wireless


Spanning-Tree Protocol

• The main function of STP is to maintain a loop free network.

– Originally STP was created by DEC

– It was modified by IEEE and was published in 802.1d specification.

– All Cisco switches run the IEEE 802.1d version of STP.

Page 33: Day 5 - Switching and Wireless


How STP Works

• STP continuously monitors the network for a failure or addition of a link, switch or bridge.

• Whenever there is a change in topology, it reconfigures switch or bridge to avoid a total loss of connectivity or creation of new loops.

• STP is enabled by default in Catalyst switches.

• STP provides a loop-free network by following:

– Electing a Root Bridge

– Root Port for a Non-root Bridge

– Designated port for Each Segment

Page 34: Day 5 - Switching and Wireless

Bridge ID

• The Bridge ID is used to determine the Root Bridge.

• The Bridge ID is 8 bytes long.

• The Bridge ID includes the priority and the MAC address of the device.

• All devices running the IEEE STP version have 32,768 as the priority value.

• To determine the Bridge ID, the priority and the MAC address are combined.

  – If two switches/bridges have the same priority, then the MAC address is used to determine the Bridge ID.

Eg. If switch A with MAC ID 0000.0c00.1111.1111 and switch B with MAC ID 0000.0c00.2222.2222 have the same priority, then switch A will become the Root Bridge.

Page 35: Day 5 - Switching and Wireless

Electing Root Bridge

• In one broadcast domain only one bridge is designated as the Root Bridge.

• All ports on the Root Bridge are in forwarding state and are called Designated Ports.

• All ports in forwarding state can send and receive traffic.

• The Bridge ID is used to determine the Root Bridge.

• The Bridge ID includes the priority and the MAC address of the device.

Page 36: Day 5 - Switching and Wireless

Root Port for a Non-root Bridge

• The Root Port is the lowest-cost path from a non-root bridge to the Root Bridge.

  – Spanning Tree path cost is an accumulated cost based on bandwidth.

    • More bandwidth, less cost

  – In the event that the cost is the same, the deciding factor is the lowest port number.

• Root Ports are in forwarding state.

Page 37: Day 5 - Switching and Wireless

Designated Port

• There is one Designated Port per segment.

• Designated Port is selected on the bridge that has the lowest cost path to Root Bridge.

• Designated Port is in the forwarding state.

– Non-designated Ports are normally in the blocking state to break the loop topology. That means the Spanning Tree is preventing it from forwarding traffic.

Page 38: Day 5 - Switching and Wireless

Spanning Tree Path Cost

• Spanning Tree path cost is an accumulated total path cost based on the bandwidth of all the links in the path. The table shows some of the path costs specified in the IEEE 802.1d specification.

Link Speed   Cost (Revised IEEE Specification)   Cost (Previous IEEE Specification)
10 Gbps      2                                   1
1 Gbps       4                                   1
100 Mbps     19                                  10
10 Mbps      100                                 100

Page 39: Day 5 - Switching and Wireless

Spanning Tree Example

Find out the following:

• What is the Root Bridge?

• What are the Designated, Non-designated and Root Ports?

• What are the Forwarding and Blocking Ports?

Switch Z: MAC 0c0011110000, default priority 32768

Switch X: MAC 0c0011111100, default priority 32768

Switch Y: MAC 0c0011111111, default priority 32768

[Figure: Switch Z port 0, Switch X ports 0 and 1, and Switch Y ports 0 and 1, joined by 100BaseT links]

Page 40: Day 5 - Switching and Wireless

Let's verify the answers

• Root Bridge: Switch Z, because it has the lowest Bridge ID (priority and MAC address).

• Root Port: Port 0 of Switches X and Y, because it is the lowest-cost path to the root.

• Designated Port: Port 0 of Switch Z. All ports on the root are designated ports. Port 1 of Switch X is a designated port: because both Switch X and Switch Y have the same path cost to the Root Bridge, the designated port is selected on Switch X because it has a lower Bridge ID than Switch Y.

• Blocking: Port 1 of Switch Y. The nondesignated port on the segment.

• Forwarding: All designated ports and root ports are in the forwarding state.
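The election worked on pages 39 and 40, as an added Python simulation (not code from the slides) applying the Bridge ID, root port, designated port and path-cost rules from pages 34-38; the topology is assumed from the page 40 answers (Z port 0, X port 0 and Y port 0 on one 100BaseT segment, X port 1 and Y port 1 on a second), and the function and dictionary names are mine. It runs on any small connected topology, not only this one.

```python
"""Spanning-tree election on a small switched topology (added example, not from the slides)."""
import heapq

# Path cost per link speed: the revised IEEE 802.1D values from the page 38 table.
PORT_COST = {"10 Gbps": 2, "1 Gbps": 4, "100 Mbps": 19, "10 Mbps": 100}


def bridge_id(priority, mac):
    """Bridge ID orders by priority first, then by MAC address; the lowest wins."""
    return (priority, int(mac, 16))


def run_stp(bridges, ports):
    """Elect the root, root ports, designated ports and blocking ports.

    bridges: name -> (priority, mac_hex)
    ports:   (bridge, port_no) -> (segment, link_speed)
    Assumes every bridge can reach the root over the given segments.
    """
    bid = {name: bridge_id(*pm) for name, pm in bridges.items()}
    root = min(bid, key=bid.get)                      # lowest bridge ID is the root

    seg_ports = {}                                    # segment -> [(bridge, port)]
    for (br, pn), (seg, _) in ports.items():
        seg_ports.setdefault(seg, []).append((br, pn))

    # Root path cost = upstream bridge's cost + cost of the port the BPDU arrives
    # on (Dijkstra from the root). Ties: lower upstream bridge ID, then lower port.
    best = {root: (0, None, None)}                    # bridge -> (cost, upstream BID, root port)
    heap = [(0, bid[root], root)]
    done = set()
    while heap:
        cost, _, br = heapq.heappop(heap)
        if br in done:
            continue
        done.add(br)
        for (b, _), (seg, _) in ports.items():
            if b != br:
                continue
            for nb, npn in seg_ports[seg]:            # bridges sharing this segment
                if nb == br or nb == root:
                    continue
                _, speed = ports[(nb, npn)]
                cand = (cost + PORT_COST[speed], bid[br], npn)
                if nb not in best or cand < best[nb]:
                    best[nb] = cand
                    heapq.heappush(heap, (cand[0], bid[br], nb))

    root_ports = {br: rp for br, (_, _, rp) in best.items() if br != root}

    # One designated port per segment: the attached bridge with the lowest root
    # path cost, then the lowest bridge ID, then the lowest port number.
    designated, blocking = set(), set()
    for attached in seg_ports.values():
        dp = min(attached, key=lambda bp: (best[bp[0]][0], bid[bp[0]], bp[1]))
        designated.add(dp)
        for bp in attached:
            if bp != dp and root_ports.get(bp[0]) != bp[1]:
                blocking.add(bp)                      # non-designated, non-root: blocked

    return {
        "root": root,
        "root_path_cost": {br: v[0] for br, v in best.items()},
        "root_ports": root_ports,
        "designated": designated,
        "blocking": blocking,
    }


def page_39_example():
    """The page 39 switches; topology assumed from the page 40 answers."""
    bridges = {
        "Z": (32768, "0c0011110000"),
        "X": (32768, "0c0011111100"),
        "Y": (32768, "0c0011111111"),
    }
    ports = {
        ("Z", 0): ("seg1", "100 Mbps"),   # Z port 0, X port 0, Y port 0: one segment
        ("X", 0): ("seg1", "100 Mbps"),
        ("Y", 0): ("seg1", "100 Mbps"),
        ("X", 1): ("seg2", "100 Mbps"),   # X port 1 and Y port 1: second segment
        ("Y", 1): ("seg2", "100 Mbps"),
    }
    return run_stp(bridges, ports)


if __name__ == "__main__":
    for key, value in page_39_example().items():
        print(f"{key}: {value}")
```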

Page 41: Day 5 - Switching and Wireless


VIRTUAL LANs

Page 42: Day 5 - Switching and Wireless

• In a Layer 2 switched network, a broadcast packet arrives at every device on the network, whether or not it is intended for that device. There is one broadcast domain within a switch.

Flat Network

Page 43: Day 5 - Switching and Wireless

Drawback of Layer 2 Switched Network

• The larger the number of devices and users, the more broadcasts and packets each device has to handle.

The Solution is VLAN

Page 44: Day 5 - Switching and Wireless


VLAN

UNDERSTANDING VIRTUAL LOCAL AREA NETWORKS (VLANS)

Page 45: Day 5 - Switching and Wireless


VLAN

• We create VLANs in order to address these issues.

• A VLAN is a logical broadcast domain that can span multiple physical LAN segments.

• VLANs provide segmentation and organizational flexibility.

• You can design a VLAN structure that lets you group stations that are segmented logically by functions, project teams, and applications without regard to the physical location of the users.

Page 46: Day 5 - Switching and Wireless


VLANS CONTINUED…

• Ports in a VLAN share broadcasts; ports in different VLANs do not. Containing broadcasts in a VLAN improves the overall performance of the network.

• A VLAN can exist on a single switch or span multiple switches. VLANs can include stations in a single building or multiple-building infrastructures.

Page 47: Day 5 - Switching and Wireless

VLAN Definition

• A VLAN is defined as a logical grouping of network resources and users connected to predefined ports on a switch, as defined by an administrator.

Page 48: Day 5 - Switching and Wireless

VLAN

• VLANs are used to create smaller broadcast domains within a switch.

• A single VLAN is treated as a separate subnet or broadcast domain.

Page 49: Day 5 - Switching and Wireless


VLANS SPANNING MULTIPLE SWITCHES

Page 50: Day 5 - Switching and Wireless

Virtual LANs

• VLANs help manage broadcast domains

• LAN switches and network management software provide a mechanism to create VLANs

• A VLAN also lets you group ports on a switch so that you can limit unicast, multicast, and broadcast traffic flooding.

[Figure: server farm with VLAN 1, VLAN 2 and VLAN 3]

Page 51: Day 5 - Switching and Wireless

VLAN Benefits

• Reduced administrative costs

  – Simplify moves, adds, and changes

• Efficient bandwidth utilization

  – Better control of broadcasts

• Improved network security

  – Separate VLAN group for high-security users

  – Relocate servers into secured locations

• Scalability and performance

  – Micro-segment with scalability

  – Distribute traffic load

Page 52: Day 5 - Switching and Wireless

Flexibility and Scalability

• Layer 2 switches only read frames for filtering, which causes them to forward all broadcasts. So creating VLANs means creating more broadcast domains.

• By assigning switch ports or users to VLAN groups on a switch, you have the option to add selected users to the broadcast domain. This stops broadcast storms caused by a faulty Network Interface Card (NIC) or application.

• VLANs can keep on multiplying in order to utilize the bandwidth efficiently.

Page 53: Day 5 - Switching and Wireless

• In the case of inter-VLAN communication, restrictions are implemented on the router.

• Restrictions can also be placed on the hardware address.

Page 54: Day 5 - Switching and Wireless

Static VLAN

• This is the basic and most secure type of VLAN configuration.

• Port assignment associated with a VLAN is maintained until and unless modified by the Administrator.

• This type of VLAN configuration is easy to Setup and Monitor.

Page 55: Day 5 - Switching and Wireless

VLAN RANGES

• Normal VLANs (1–1005)

• Extended VLANs (1006–4094)

• VLAN 1 is the CISCO default

Page 56: Day 5 - Switching and Wireless

VLAN Identification

• A VLAN can span multiple connected switches.

• Switches must keep track of frames and which VLAN these frames belong to.

• Frame Tagging performs this function.

Page 57: Day 5 - Switching and Wireless


VLAN TRUNKING

Page 58: Day 5 - Switching and Wireless

VLAN identification modes

• To identify which frames belong to which VLAN, VLAN identification is required.

• Two types of trunking methods are used:

1) ISL

2) 802.1q

Page 59: Day 5 - Switching and Wireless


Inter-Switch Link (ISL)

• Proprietary to Cisco Switches

• Used for Fast Ethernet and Gigabit Ethernet links only

Page 60: Day 5 - Switching and Wireless

Inter-Switch Link (ISL) Protocol

• ISL is an external tagging process, which means the original frame is not altered but encapsulated with a new 26-byte ISL header.

• It also adds a second 4-byte FCS field at the end of the frame.

Page 61: Day 5 - Switching and Wireless

Drawback

• As the frame is encapsulated with extra information, only ISL devices can read it.

• It makes the frame heavier, as it exceeds the normal allowable MTU size.

Page 62: Day 5 - Switching and Wireless

IEEE 802.1q

• Created by IEEE as the standard method for frame tagging.

• It inserts a field into the frame to identify the VLAN.

• When trunking between a Cisco switch and a different brand of switch, it is mandatory to use 802.1q for the trunk to work.

Page 63: Day 5 - Switching and Wireless

IEEE 802.1q

• In this method of tagging, a 4-byte field is added inside the frame itself for the identification of the VLAN.

Page 64: Day 5 - Switching and Wireless

Types of Links in a Switched Environment

Access Links:

• Devices attached to these links are unaware of VLAN membership.

• VLAN information is removed from the frame before it is sent to an access-link device.

• Access-link devices are not capable of communicating with devices outside the VLAN unless the packet is routed through a router.
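The 4-byte 802.1q field inserted into the frame (pages 62-63) and its removal before a frame reaches an access-link device (page 64), as an added Python example (not code from the slides); the frame-building helper, the constructed MAC addresses and payload, and the trunk_to_access model of an access port are my assumptions.

```python
"""IEEE 802.1Q tag insertion, parsing and removal (added example, not from the slides)."""
import struct

TPID_8021Q = 0x8100       # Tag Protocol Identifier that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: 6-byte dst, 6-byte src, 2-byte EtherType, payload."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return header + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan_id, priority=0):
    """Insert the 4-byte 802.1Q field between the source MAC and the EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= priority <= 7:
        raise ValueError("priority is a 3-bit field")
    # TCI = PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
    tci = (priority << 13) | vlan_id
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def read_vlan(frame):
    """Return (vlan_id, priority) for a tagged frame, or None if it is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13


def untag_frame(frame):
    """Remove the 802.1Q field so an access-link device sees a plain frame."""
    if read_vlan(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def trunk_to_access(frame, access_vlan):
    """Model an access port fed from a trunk: deliver only frames of its own VLAN,
    untagged; return None for frames of other VLANs (or untagged frames)."""
    info = read_vlan(frame)
    if info is None or info[0] != access_vlan:
        return None
    return untag_frame(frame)


def demo():
    """Constructed frame: tag it for VLAN 2 with priority 5, read the tag, strip it."""
    frame = build_frame("00:00:0c:00:00:0b", "00:00:0c:00:00:0a", ETHERTYPE_IPV4, b"hello")
    tagged = tag_frame(frame, vlan_id=2, priority=5)
    return len(frame), len(tagged), read_vlan(tagged), untag_frame(tagged) == frame


if __name__ == "__main__":
    untagged_len, tagged_len, vlan_info, roundtrip = demo()
    print("untagged bytes:", untagged_len, "tagged bytes:", tagged_len)  # 19, 23
    print("(vlan_id, priority) read from tag:", vlan_info)               # (2, 5)
    print("untag restores the original frame:", roundtrip)               # True
```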

Page 65: Day 5 - Switching and Wireless


Trunk Links

• A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device such as a router or a switch.

• Ethernet trunks carry the traffic of multiple VLANs over a single link and allow you to extend the VLANs across an entire network.

• Cisco supports IEEE 802.1Q for FastEthernet and Gigabit Ethernet interfaces.

Page 66: Day 5 - Switching and Wireless

VLAN Configuration

• Global Mode

Switch# configure terminal
Switch(config)# vlan 3
Switch(config-vlan)# name Vlan3
Switch(config-vlan)# exit
Switch(config)# end

Page 67: Day 5 - Switching and Wireless

VLAN Implementation Commands

• Configuring VLANs

Switch(config)# vlan 101
Switch(config-vlan)# exit
! switchport commands are entered under the access interface (FastEthernet 0/1 used as an example)
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 101

• Verifying VLANs

Switch # show interfaces

Switch # show vlan brief

Page 68: Day 5 - Switching and Wireless


Configuring an Access VLAN

Switch(config)# vlan vlan_id

Create a VLAN.

Switch(config-vlan)# name vlan_name

Provide a VLAN name.

Switch(config-if)# switchport mode access

Place the switch port into access mode.

Switch(config-if)# switchport access vlan vlan_id

Associate the access switch port with a VLAN.

Page 69: Day 5 - Switching and Wireless

VLAN Trunking Protocol (VTP)

• Allows the administrator to add, delete, and rename VLANs, which are then propagated to all switches automatically.

• VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the additions, deletions, and name changes of VLANs across networks.

• It is Cisco proprietary.

Page 70: Day 5 - Switching and Wireless

Benefits of VTP

• Consistent VLAN configuration across all switches in the network.

• Accurate tracking and monitoring of VLANs.

• Dynamic reporting of added VLANs to all switches.

• Plug-and-play VLAN addition.

Page 71: Day 5 - Switching and Wireless

Virtual Trunk Protocol (VTP)

• VLAN administration and configuration protocol

  – Reduces VLAN setup and administration

  – Eliminates configuration errors such as duplicate VLAN names

  – Decreases the network manager's time adding and managing VLANs

[Figure: VLAN 1 and VLAN 2 carried across ISL, 802.1Q and LANE links over an ATM fabric]

Page 72: Day 5 - Switching and Wireless

VTP DOMAIN

• VTP works in a domain.

• A VTP domain is one switch or several interconnected switches sharing the same management domain.

• By default, a Cisco Catalyst switch is in the no-management-domain state until you configure a management domain.

• Configurations made to a VTP server are propagated across trunk links to all the connected switches in the network.

Page 73: Day 5 - Switching and Wireless


Page 74: Day 5 - Switching and Wireless


VTP MODES

VTP operates in one of three modes:

1) Server

2) Client

3) Transparent

Page 75: Day 5 - Switching and Wireless

Server Mode

• The default VTP mode is server mode.

• It can create, modify, or delete VLANs and propagates them to all the switches in the domain.

• A VTP server synchronizes its VLAN database file with other VTP servers and clients.

Page 76: Day 5 - Switching and Wireless


Client Mode

• Cannot Create, modify or delete VLANs.

• Forwards VTP Advertisements.

• A VTP client synchronizes its database with other VTP servers and clients.

Page 77: Day 5 - Switching and Wireless

Transparent mode

• Can create, modify or delete VLANs.

• When you change the VLAN configuration in VTP transparent mode, the change affects only the local switch and does not propagate to other switches in the VTP domain.

• It forwards the VTP advertisements that it receives within the domain.

• Does not synchronize its database.

Page 78: Day 5 - Switching and Wireless


VTP OPERATION

• VTP advertisements are flooded throughout the management domain.

• VTP advertisements are sent every 5 minutes or whenever VLAN configurations change.

• A configuration revision number is included in each VTP advertisement.

• A higher configuration revision number indicates that the VLAN information being advertised is more current than the stored information.

Page 79: Day 5 - Switching and Wireless

CONFIGURATION REVISION NUMBER

• One of the most critical components of VTP is the configuration revision number.

• Each time a VTP server modifies its VLAN information, it increments the configuration revision number by one.

• The VTP server then sends an advertisement with the new revision number.

• If a higher revision number is found in a received advertisement, the switch's current VLAN configuration is overwritten with the advertised one.

Page 80: Day 5 - Switching and Wireless


Page 81: Day 5 - Switching and Wireless


VTP Configuration Guidelines

• The default VTP configuration parameters for the 2950 Switch are as follows:

• VTP domain name: None

• VTP mode: Server

• VTP password: None

• VTP pruning: Disabled

Page 82: Day 5 - Switching and Wireless

VTP CONFIGURATION COMMANDS

Use the vtp global configuration command to modify the VTP configuration: domain name, interface, and mode:

SwitchX# configure terminal
SwitchX(config)# vtp mode [ server | client | transparent ]
SwitchX(config)# vtp domain domain-name
SwitchX(config)# vtp password password
SwitchX(config)# end

Note: The domain name and password are case sensitive.

Page 83: Day 5 - Switching and Wireless

VLAN CONFIGURATION COMMANDS

Use the vlan global configuration command to create a VLAN and enter VLAN configuration mode:

SwitchX# configure terminal
SwitchX(config)# vlan 2
SwitchX(config-vlan)# name testvlan

Note: Use the no form of this command to delete the VLAN.

Page 84: Day 5 - Switching and Wireless

VLAN PORT ASSIGNMENT

SwitchX# configure terminal
SwitchX(config)# interface range fastethernet 0/2 - 4
SwitchX(config-if-range)# switchport access vlan 2
SwitchX(config-if-range)# end
SwitchX# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------
1    default                          active    Fa0/1
2    testvlan                         active    Fa0/2, Fa0/3, Fa0/4

Page 85: Day 5 - Switching and Wireless

Explaining Trunk Link Problems

– Trunks can be configured statically or autonegotiated with DTP.

– For trunking to be autonegotiated, the switches must be in the same VTP domain.

– Some trunk configuration combinations will successfully configure a trunk, some will not.

– Will any of the above combinations result in an operational trunk?

Page 86: Day 5 - Switching and Wireless


Resolving Trunk Link Problems

– When using DTP, ensure that both ends of the link are in the same VTP domain.

– Ensure that the trunk encapsulation type configured on both ends of the link is valid.

– On links where trunking is not required, DTP should be turned off.

– Best practice is to configure trunk and nonegotiate where trunks are required.

Page 87: Day 5 - Switching and Wireless

DTP

• Trunk negotiation is managed by DTP.

• It is a point-to-point protocol.

• To enable trunking to a device that does not support DTP, use:

Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate

  – This causes the interface to become a trunk but not to generate DTP frames.

Switch(config-if)# switchport mode {dynamic {auto | desirable} | trunk}

  – dynamic auto: sets the interface to a trunk link if the neighboring interface is set to trunk or desirable mode.

  – dynamic desirable: sets the interface to a trunk link if the neighboring interface is set to trunk, desirable, or auto mode.

  – trunk: sets the interface to permanent trunking mode and negotiates to convert the link to a trunk link even if the neighboring interface is not a trunk interface.

Page 88: Day 5 - Switching and Wireless

Routing Between VLANs

• In a VLAN environment, frames are switched only between ports within the same broadcast domain.

• VLANs perform network partitioning and traffic separation at Layer 2.

• Inter-VLAN communication cannot occur without a Layer 3 device, such as a router.

Page 89: Day 5 - Switching and Wireless


ROUTER ON A STICK

Page 90: Day 5 - Switching and Wireless


CREATING SUB-INTERFACES

• To support 802.1Q trunking, you must subdivide the physical FastEthernet interface of the router into multiple logical, addressable sub-interfaces, one per VLAN.
• The address of each sub-interface is used as the default gateway for the workstations in that VLAN.
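An added router-on-a-stick configuration (not from the slides) that puts the sub-interface idea into practice: one 802.1Q sub-interface per VLAN on the router, each carrying the gateway address for that VLAN, plus the switch port facing the router. VLAN IDs, addresses and interface names are assumptions.

```cisco
! Added example; VLAN IDs, IP addresses and interface names are assumed values.
! --- Router: one sub-interface per VLAN on the single physical link ---
interface FastEthernet0/0
 description 802.1Q trunk to SwitchA
 no ip address                  ! the physical interface itself carries no VLAN address
 no shutdown
!
interface FastEthernet0/0.10
 description Gateway for VLAN 10
 encapsulation dot1Q 10         ! 802.1Q tag 10 on the trunk maps to this sub-interface
 ip address 192.168.10.1 255.255.255.0   ! default gateway for VLAN 10 workstations
!
interface FastEthernet0/0.20
 description Gateway for VLAN 20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0   ! default gateway for VLAN 20 workstations
!
! --- SwitchA: the port facing the router is a trunk carrying both VLANs ---
interface FastEthernet0/23
 description Trunk to router
 switchport mode trunk
 switchport nonegotiate         ! the router does not run DTP, so negotiation is off
 switchport trunk allowed vlan 10,20
!
! Verification on the router (privileged EXEC mode):
! show ip interface brief   -> FastEthernet0/0.10 and 0/0.20 up with their addresses
! show vlans                -> one entry per 802.1Q sub-interface
```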

Page 91: Day 5 - Switching and Wireless


Wireless LANs

Introducing WLANs

Page 92: Day 5 - Switching and Wireless


Wireless Data Technologies

Page 93: Day 5 - Switching and Wireless


Wireless Data Technologies (Cont.)

Page 94: Day 5 - Switching and Wireless


Wireless Data Technologies (Cont.)

PAN (Personal Area Network), LAN (Local Area Network), MAN (Metropolitan Area Network), WAN (Wide Area Network)

|              | PAN                            | LAN                            | MAN                     | WAN                                  |
|--------------|--------------------------------|--------------------------------|-------------------------|--------------------------------------|
| Standards    | Bluetooth                      | IEEE 802.11a, 802.11b, 802.11g | 802.16, MMDS, LMDS      | GSM, GPRS, CDMA, 2.5–3G              |
| Speed        | <1 Mbps                        | 1–54+ Mbps                     | 22+ Mbps                | 10–384 kbps                          |
| Range        | Short                          | Medium                         | Medium–long             | Long                                 |
| Applications | Peer to peer, device to device | Enterprise networks            | Fixed, last-mile access | PDAs, mobile phones, cellular access |

Page 95: Day 5 - Switching and Wireless


Wireless LAN (WLAN)

– A WLAN is a shared network.
– An access point is a shared device and functions like a shared Ethernet hub.
– Data is transmitted over radio waves.
– Two-way radio communications (half-duplex) are used.
– The same radio frequency is used for sending and receiving.

Page 96: Day 5 - Switching and Wireless


WLAN Evolution

– Warehousing
– Retail
– Health care
– Education
– Businesses
– Home

Page 97: Day 5 - Switching and Wireless


What Are WLANs?

• They are:
– Local
– In building or campus for mobile users
– Radio or infrared
– Not required to have RF licenses in most countries
– Using equipment owned by customers

• They are not:
– WAN or MAN networks
– Cellular phone networks
– Packet data transmission via cellular phone networks
• Cellular digital packet data (CDPD)
• General packet radio service (GPRS)
• 2.5G to 3G services

Page 98: Day 5 - Switching and Wireless


Similarities Between WLAN and LAN

– A WLAN is an 802 LAN.
• Transmits data over the air vs. data over the wire
• Looks like a wired network to the user
• Defines physical and data link layer
• Uses MAC addresses

– The same protocols/applications run over both WLANs and LANs.
• IP (network layer)
• IPSec VPNs (IP-based)
• Web, FTP, SNMP (applications)

Page 99: Day 5 - Switching and Wireless


Differences Between WLAN and LAN

– WLANs use radio waves as the physical layer.
• WLANs use CSMA/CA instead of CSMA/CD to access the network.

– Radio waves have problems that are not found on wires.
• Connectivity issues:
– Coverage problems
– Multipath issues
– Interference, noise
• Privacy issues.

– WLANs use mobile clients.
• No physical connection.
• Battery-powered.

– WLANs must meet country-specific RF regulations.

Page 100: Day 5 - Switching and Wireless


Service Set Identifier (SSID)

– SSID is used to logically separate WLANs.
– The SSID must match on client and access point.
– Access point broadcasts one SSID in beacon.
– Client can be configured without SSID.
– Client association steps:
1. Client sends probe request.
2. Access point sends probe response.
3. Client initiates association.
4. Access point accepts association.
5. Access point adds client MAC address to association table.

Page 101: Day 5 - Switching and Wireless


WLAN Access Topology

Page 102: Day 5 - Switching and Wireless


Wireless Repeater Topology

Page 103: Day 5 - Switching and Wireless


Alternative Peer-to-Peer Topology

Page 104: Day 5 - Switching and Wireless


Service Sets and Modes

Ad hoc mode
• Independent Basic Service Set (IBSS)
– Mobile clients connect directly without an intermediate access point.

Infrastructure mode
• Basic Service Set
– Mobile clients use a single access point for connecting to each other or to wired network resources.
• Extended Service Set
– Two or more Basic Service Sets are connected by a common distribution system.

Page 105: Day 5 - Switching and Wireless


Roaming Through Wireless Cells

Roaming

Page 106: Day 5 - Switching and Wireless


Client Roaming

• Roaming without interruption requires the same SSID on all access points.
• A client starts looking for another access point when:
– Maximum data retry count exceeded
– Too many beacons missed
– Data rate shifted
– Periodic intervals

Page 107: Day 5 - Switching and Wireless


Unlicensed Frequency Bands

• ISM: Industry, scientific, and medical frequency band

• No license required

• No exclusive use
• Best effort
• Interference possible

Page 108: Day 5 - Switching and Wireless


Unlicensed Frequency Bands

Page 109: Day 5 - Switching and Wireless


Radio Frequency Transmission

– Radio frequencies are radiated into the air via an antenna, creating radio waves.

– Radio waves are absorbed when they are propagated through objects (e.g., walls).

– Radio waves are reflected by objects (e.g., metal surfaces).

– This absorption and reflection can cause areas of low signal strength or low signal quality.

Page 110: Day 5 - Switching and Wireless


Radio Frequency Transmission

Page 111: Day 5 - Switching and Wireless


Radio Frequency Transmission

– Higher data rates have a shorter transmission range.
• The receiver needs more signal strength and better SNR to retrieve information.
– Higher transmit power results in greater distance.
– Higher frequencies allow higher data rates.
– Higher frequencies have a shorter transmission range.

Page 112: Day 5 - Switching and Wireless


WLAN Regulation and Standardization

• Regulatory agencies
– FCC (United States)
– ETSI (Europe)

• Standardization
– IEEE 802.11 – http://standards.ieee.org/getieee802/

• Certification of equipment
– Wi-Fi Alliance certifies interoperability between products
– Certified products can be found at http://www.wi-fi.org.

Page 113: Day 5 - Switching and Wireless


802.11b

Page 114: Day 5 - Switching and Wireless


802.11b Standard

– Standard was ratified in September 1999
– Operates in the 2.4-GHz band
– Specifies four data rates up to 11 Mbps
• 1, 2, 5.5, 11 Mbps
– Defines basic security, encryption, and authentication for the wireless link
– Is the most commonly deployed WLAN standard

Page 115: Day 5 - Switching and Wireless


2.4-GHz Channels

| Channel Identifier | Channel Center Frequency | Channel Frequency Range [MHz] | Regulatory Domain: Americas | Regulatory Domain: Europe, Middle East, and Asia | Regulatory Domain: Japan |
|--------------------|--------------------------|-------------------------------|-----------------------------|--------------------------------------------------|--------------------------|
| 1                  | 2412 MHz                 | 2401 – 2423                   | X                           | X                                                | X                        |
| 2                  | 2417 MHz                 | 2406 – 2428                   | X                           | X                                                | X                        |
| 3                  | 2422 MHz                 | 2411 – 2433                   | X                           | X                                                | X                        |
| 4                  | 2427 MHz                 | 2416 – 2438                   | X                           | X                                                | X                        |
| 5                  | 2432 MHz                 | 2421 – 2443                   | X                           | X                                                | X                        |
| 6                  | 2437 MHz                 | 2426 – 2448                   | X                           | X                                                | X                        |
| 7                  | 2442 MHz                 | 2431 – 2453                   | X                           | X                                                | X                        |
| 8                  | 2447 MHz                 | 2436 – 2458                   | X                           | X                                                | X                        |
| 9                  | 2452 MHz                 | 2441 – 2463                   | X                           | X                                                | X                        |
| 10                 | 2457 MHz                 | 2446 – 2468                   | X                           | X                                                | X                        |
| 11                 | 2462 MHz                 | 2451 – 2473                   | X                           | X                                                | X                        |
| 12                 | 2467 MHz                 | 2466 – 2478                   |                             | X                                                | X                        |
| 13                 | 2472 MHz                 | 2471 – 2483                   |                             | X                                                | X                        |
| 14                 | 2484 MHz                 | 2473 – 2495                   |                             |                                                  | X                        |

Page 116: Day 5 - Switching and Wireless


2.4-GHz Channel Use

• Each channel is 22 MHz wide.
• North America: 11 channels.
• Europe: 13 channels.
• There are three nonoverlapping channels: 1, 6, 11.
• Using any other channels will cause interference.
• Three access points can occupy the same area.

Page 117: Day 5 - Switching and Wireless


802.11b/g (2.4 GHz) Channel Reuse

Page 118: Day 5 - Switching and Wireless


802.11a

Page 119: Day 5 - Switching and Wireless


802.11a Standard

– Standard was ratified September 1999
– Operates in the 5-GHz band
– Uses orthogonal frequency-division multiplexing (OFDM)
– Uses eight data rates of up to 54 Mbps
• 6, 9, 12, 18, 24, 36, 48, 54 Mbps
– Has from 12 to 23 nonoverlapping channels (FCC)
– Has up to 19 nonoverlapping channels (ETSI)
– Regulations different across countries
• Transmit (Tx) power control and dynamic frequency selection required (802.11h)

Page 120: Day 5 - Switching and Wireless


802.11g

Page 121: Day 5 - Switching and Wireless


802.11 Standards Comparison

Page 122: Day 5 - Switching and Wireless


802.11 Standards Comparison

|                   | 802.11b        | 802.11g                                         | 802.11a                        |
|-------------------|----------------|-------------------------------------------------|--------------------------------|
| Ratified          | 1999           | 2003                                            | 1999                           |
| Frequency band    | 2.4 GHz        | 2.4 GHz                                         | 5 GHz                          |
| No. of channels   | 3              | 3                                               | Up to 23                       |
| Transmission      | DSSS           | DSSS, OFDM                                      | OFDM                           |
| Data rates [Mbps] | 1, 2, 5.5, 11  | 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54     | 6, 9, 12, 18, 24, 36, 48, 54   |
| Throughput [Mbps] | Up to 6        | Up to 22                                        | Up to 28                       |

Page 123: Day 5 - Switching and Wireless


Range Comparisons

Page 124: Day 5 - Switching and Wireless


WLAN Security

Page 125: Day 5 - Switching and Wireless


Why WLAN Security?

• Wide availability and low cost of IEEE 802.11 wireless equipment
• 802.11 standard ease of use and deployment
• Availability of sniffers
• Statistics on WLAN security
• Media hype about hot spots, WLAN hacking, war driving
• Nonoptimal implementation of encryption in standard Wired Equivalent Privacy (WEP) encryption
• Authentication vulnerability

Page 126: Day 5 - Switching and Wireless


WLAN Security Threats

Page 127: Day 5 - Switching and Wireless


Mitigating the Threats

| Control and Integrity                                               | Privacy and Confidentiality                     | Protection and Availability                                  |
|---------------------------------------------------------------------|-------------------------------------------------|--------------------------------------------------------------|
| Authentication                                                      | Encryption                                      | Intrusion Detection System (IDS)                             |
| Ensure that legitimate clients associate with trusted access points. | Protect data as it is transmitted and received. | Track and mitigate unauthorized access and network attacks. |

Page 128: Day 5 - Switching and Wireless


Evolution of WLAN Security

Initial (1997): Encryption (WEP)
• No strong authentication
• Static, breakable keys
• Not scalable

Interim (2001): 802.1x EAP
• Dynamic keys
• Improved encryption
• User authentication
• 802.1x EAP (LEAP, PEAP)
• RADIUS

Interim (2003): Wi-Fi Protected Access (WPA)
• Standardized
• Improved encryption
• Strong, user authentication (e.g., LEAP, PEAP, EAP-FAST)

Present: Wireless IDS; IEEE 802.11i / WPA2 (2004)
• Identification and protection against attacks, DoS
• AES strong encryption
• Authentication
• Dynamic key management

Page 129: Day 5 - Switching and Wireless


Wireless Client Association

– Access points send out beacons announcing SSID, data rates, and other information.
– Client scans all channels.
– Client listens for beacons and responses from access points.
– Client associates to access point with strongest signal.
– Client will repeat scan if signal becomes low to reassociate to another access point (roaming).
– During association, SSID, MAC address and security settings are sent from the client to the access point and checked by the access point.

Page 130: Day 5 - Switching and Wireless


Access Point Homepage

Page 131: Day 5 - Switching and Wireless


Express Setup

Initial configuration of access point: hostname, IP address, SNMP